* [PATCH 01/24] Update .gitignore
From: Jan Engelhardt @ 2008-03-04 15:52 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
[ What I noticed during svn->git conversion is that [PATCH] prefixes
were not removed :( -- anyway, I fixed that up in the git repo. ]
===
commit 6615605552d60c9f4c39b68a151804b8824f32fc
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 02:12:55 2008 +0100
Update .gitignore
---
.gitignore | 43 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 43 insertions(+), 0 deletions(-)
create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ec15363
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,43 @@
+.*.d
+.*.dd
+*.a
+*.oo
+*.so
+*.o
+.deps
+.dirstamp
+Makefile
+Makefile.in
+
+/extensions/GNUmakefile
+/extensions/initext?.c
+/extensions/matches?.man
+/extensions/targets?.man
+
+/aclocal.m4
+/autom4te*.cache
+/compile
+/config.guess
+/config.h*
+/config.log
+/config.status
+/config.sub
+/configure
+/depcomp
+/install-sh
+/libtool
+/ltmain.sh
+/missing
+/stamp-h1
+
+/ip6tables
+/ip6tables.8
+/ip6tables-multi
+/ip6tables-save
+/ip6tables-restore
+/iptables
+/iptables.8
+/iptables-multi
+/iptables-save
+/iptables-restore
+/iptables-xml
* [PATCH 02/24] Fix compilation of iptables-static build
From: Jan Engelhardt @ 2008-03-04 15:52 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit bd5b0f3157ebbf607971d170508748d76ef6c39c
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 00:29:36 2008 +0100
Fix compilation of iptables-static build
Adjust the _INIT macro and thus fix the build/linking procedure of
the monolithic do-it-all binary (iptables-static).
---
extensions/GNUmakefile.in | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 155703d..3d9eb24 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -104,7 +104,7 @@ lib%.so: lib%.oo
${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
lib%.oo: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
#
@@ -115,7 +115,7 @@ lib%.oo: ${srcdir}/lib%.c
# handling code in the Makefiles.
#
lib%.o: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
libext4.a: initext4.o ${libext4_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
* [PATCH 03/24] Correct the family member value of libxt_mark revision 1
From: Jan Engelhardt @ 2008-03-04 15:53 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit f9dac58a3eda2c4c1783f670865ff64dabdb97b7
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 02:10:34 2008 +0100
Correct the family member value of libxt_mark revision 1
libxt_mark rev1 used AF_INET6 in the class structure where it should
have used AF_INET.
---
extensions/libxt_mark.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index 1dfcc58..af7f844 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -182,7 +182,7 @@ static struct xtables_match mark_mt_reg = {
.version = IPTABLES_VERSION,
.name = "mark",
.revision = 1,
- .family = AF_INET6,
+ .family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.help = mark_mt_help,
* [PATCH 04/24] Makefile: add a "tarball" target
From: Jan Engelhardt @ 2008-03-04 15:53 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 64b1ca517e1773cc0f42a6cd0a1a5f0a4be267c7
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Mar 3 13:04:07 2008 +0100
Makefile: add a "tarball" target
---
Makefile.am | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index a0f33c6..5240635 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -93,3 +93,11 @@ ip6tables.8: ${srcdir}/ip6tables.8.in extensions/matches6.man extensions/targets
extensions/%:
${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
+
+.PHONY: tarball
+tarball:
+ rm -Rf /tmp/xtables-${PACKAGE_VERSION};
+ pushd ${top_srcdir} && git-archive --prefix=xtables-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
+ pushd /tmp/xtables-${PACKAGE_VERSION} && ./autogen.sh && popd;
+ tar -C /tmp -cjf xtables-${PACKAGE_VERSION}.tar.bz2 xtables-${PACKAGE_VERSION}/;
+ rm -Rf /tmp/xtables-${PACKAGE_VERSION};
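Review bot: The tarball recipe stages everything under the fixed path `/tmp/xtables-${PACKAGE_VERSION}`, which any local user on a shared build host can predict and pre-create or alter between the `rm -Rf`, the extraction and the `./autogen.sh` run, so the recipe may execute or package files the maintainer did not put there. Creating a private directory with `mktemp -d` and using it for every step closes that window. The recipe also relies on `pushd`/`popd`, which are bash built-ins while make runs recipes with `/bin/sh` by default; a subshell `cd` does the same job portably. The cleanup should run even when an earlier step fails, which the chained form below does.

```makefile
tarball:
	tmpdir=$$(mktemp -d) || exit 1; \
	( cd ${top_srcdir} && git-archive --prefix=xtables-${PACKAGE_VERSION}/ HEAD ) | tar -C "$$tmpdir" -x && \
	( cd "$$tmpdir/xtables-${PACKAGE_VERSION}" && ./autogen.sh ) && \
	tar -C "$$tmpdir" -cjf xtables-${PACKAGE_VERSION}.tar.bz2 xtables-${PACKAGE_VERSION}/; \
	rc=$$?; rm -Rf "$$tmpdir"; exit $$rc
```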
* [PATCH 05/24] Drop -W from CFLAGS and some tiny code cleanups
From: Jan Engelhardt @ 2008-03-04 15:54 UTC (permalink / raw)
To: Patrick McHardy
Cc: Netfilter Developer Mailing List, Linux Kernel Mailing List
-W turns on some of the deeply-nitpicky (IMO) warnings like
signed-vs-unsigned, so I judged it was better to remove it,
and be good developers instead.
===
commit 5d60776717f011fbd019a268a3193040aa9ddd4c
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Mar 3 12:30:41 2008 +0100
Drop -W from CFLAGS and some tiny code cleanups
- change "unsigned" to explicit "unsigned int"
- remove some casts
---
configure.ac | 2 +-
extensions/dscp_helper.c | 2 +-
extensions/libip6t_dst.c | 2 +-
extensions/libip6t_hbh.c | 2 +-
extensions/libip6t_rt.c | 2 +-
extensions/libipt_SAME.c | 6 +++---
extensions/libxt_TCPOPTSTRIP.c | 2 +-
extensions/libxt_quota.c | 2 +-
iptables-xml.c | 14 +++++++-------
xtables.c | 2 +-
10 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/configure.ac b/configure.ac
index a435ae4..004a517 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" == "yes"])
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
- -D_REENTRANT -W -Wall -Waggregate-return -Wmissing-declarations \
+ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
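Review bot: Dropping `-W` from `regular_CFLAGS` switches off the whole extra-warning group, not only the signed-versus-unsigned comparisons named in the description, and those diagnostics are worth having in tools that parse rule text and kernel-supplied structures. If sign-compare noise is the only objection, `-W -Wno-sign-compare` keeps the rest of the group. Either way, a comment above the assignment would record the decision for the next maintainer, e.g. `# -W (extra warnings) left off on purpose, see commit log`.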
diff --git a/extensions/dscp_helper.c b/extensions/dscp_helper.c
index 9e9a163..217df09 100644
--- a/extensions/dscp_helper.c
+++ b/extensions/dscp_helper.c
@@ -49,7 +49,7 @@ static const struct ds_class
static unsigned int
class_to_dscp(const char *name)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
if (!strncasecmp(name, ds_classes[i].name,
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 9e4d870..5b06033 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -168,7 +168,7 @@ static int dst_parse(int c, char **argv, int invert, unsigned int *flags,
}
static void
-print_options(unsigned optsnr, u_int16_t *optsp)
+print_options(unsigned int optsnr, u_int16_t *optsp)
{
unsigned int i;
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 1052575..ad12547 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -162,7 +162,7 @@ static int hbh_parse(int c, char **argv, int invert, unsigned int *flags,
}
static void
-print_options(unsigned optsnr, u_int16_t *optsp)
+print_options(unsigned int optsnr, u_int16_t *optsp)
{
unsigned int i;
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index a9ced6a..e2ae09f 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -255,7 +255,7 @@ print_nums(const char *name, u_int32_t min, u_int32_t max,
}
static void
-print_addresses(unsigned addrnr, struct in6_addr *addrp)
+print_addresses(unsigned int addrnr, struct in6_addr *addrp)
{
unsigned int i;
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index e03ae80..d1e6903 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -90,7 +90,7 @@ static int SAME_parse(int c, char **argv, int invert, unsigned int *flags,
{
struct ipt_same_info *mr
= (struct ipt_same_info *)(*target)->data;
- unsigned count;
+ unsigned int count;
switch (c) {
case '1':
@@ -146,7 +146,7 @@ static void SAME_check(unsigned int flags)
static void SAME_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
- unsigned count;
+ unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
int random = 0;
@@ -180,7 +180,7 @@ static void SAME_print(const void *ip, const struct xt_entry_target *target,
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void SAME_save(const void *ip, const struct xt_entry_target *target)
{
- unsigned count;
+ unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
int random = 0;
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index df107f4..bd66435 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -22,7 +22,7 @@ enum {
struct tcp_optionmap {
const char *name, *desc;
- const unsigned option;
+ const unsigned int option;
};
static const struct option tcpoptstrip_tg_opts[] = {
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index 57050f2..b4fb78b 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -43,7 +43,7 @@ quota_save(const void *ip, const struct xt_entry_match *match)
static int
parse_quota(const char *s, u_int64_t * quota)
{
- *quota = strtoull(s, (char **) NULL, 10);
+ *quota = strtoull(s, NULL, 10);
#ifdef DEBUG_XT_QUOTA
printf("Quota: %llu\n", *quota);
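Review bot: `parse_quota` still accepts anything: with a NULL end pointer and no `errno` check, `strtoull` turns non-numeric text into a quota of 0 and an out-of-range value into ULLONG_MAX without the caller noticing, so a mistyped quota argument silently becomes a different rule. Pass an end pointer and test it, e.g. `char *end; errno = 0;` then `*quota = strtoull(s, &end, 10);` and `if (end == s || *end != '\0' || errno == ERANGE) return 0;` (the failure return value is a guess, since the rest of the function and its caller are outside the hunk). The debug `printf` also passes a `u_int64_t` to `%llu`, which matches only where that type is `unsigned long long`; cast the argument to `unsigned long long`.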
diff --git a/iptables-xml.c b/iptables-xml.c
index 087b7c7..404d020 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -85,10 +85,10 @@ parse_counters(char *string, struct ipt_counters *ctr)
/* global new argv and argc */
static char *newargv[255];
-static unsigned newargc = 0;
+static unsigned int newargc = 0;
static char *oldargv[255];
-static unsigned oldargc = 0;
+static unsigned int oldargc = 0;
/* arg meta data, were they quoted, frinstance */
static int newargvattr[255];
@@ -129,7 +129,7 @@ add_argv(char *what, int quoted)
static void
free_argv(void)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < newargc; i++) {
free(newargv[i]);
@@ -149,7 +149,7 @@ free_argv(void)
static void
save_argv(void)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < oldargc; i++)
free(oldargv[i]);
@@ -545,8 +545,8 @@ compareRules(void)
is the case when processing the ACTUAL output of actual iptables-save
rather than a file merely in a compatable format */
- unsigned old = 0;
- unsigned new = 0;
+ unsigned int old = 0;
+ unsigned int new = 0;
int compare = 0;
@@ -748,7 +748,7 @@ main(int argc, char *argv[])
ret = 1;
} else if (curTable[0]) {
- unsigned a;
+ unsigned int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
diff --git a/xtables.c b/xtables.c
index af4d3dc..dba9081 100644
--- a/xtables.c
+++ b/xtables.c
@@ -257,7 +257,7 @@ int service_to_port(const char *name, const char *proto)
u_int16_t parse_port(const char *port, const char *proto)
{
- unsigned portnum;
+ unsigned int portnum;
if ((string_to_number(port, 0, 65535, &portnum)) != -1 ||
(portnum = service_to_port(port, proto)) != (unsigned)-1)
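Review bot: The cast `(unsigned)-1` on the last line still uses the bare spelling this commit replaces everywhere else; write `(unsigned int)-1` for consistency. The test appears to rely on `service_to_port` returning -1 as an `int` that is then stored into the unsigned `portnum`, which deserves a short comment such as `/* service_to_port() yields -1 when the lookup fails */` once that is confirmed against the function. The body of `parse_port` continues outside the hunk.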
* [PATCH 06/24] Fix -Wshadow warnings and clean up xt_sctp.h
From: Jan Engelhardt @ 2008-03-04 15:55 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit b46c8a29033ae010d3232dd22b52856319e61387
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 00:33:30 2008 +0100
Fix -Wshadow warnings and clean up xt_sctp.h
Note: xt_sctp.h is still not merged upstream in the kernel as of
this commit. But a refactoring was really needed.
---
configure.ac | 3 +-
extensions/libipt_SAME.c | 12 ++--
extensions/libipt_addrtype.c | 4 +-
extensions/libxt_RATEEST.c | 12 ++--
extensions/libxt_conntrack.c | 28 +++++-----
extensions/libxt_hashlimit.c | 4 +-
extensions/libxt_state.c | 12 ++--
extensions/libxt_statistic.c | 23 +++++---
include/linux/netfilter/xt_sctp.h | 87 ++++++++++++----------------
include/xtables.h | 4 +-
ip6tables-save.c | 10 ++--
ip6tables.c | 12 ++--
iptables-save.c | 10 ++--
iptables-xml.c | 7 +-
iptables.c | 12 ++--
libiptc/libiptc.c | 49 +++++++---------
xtables.c | 4 +-
17 files changed, 140 insertions(+), 153 deletions(-)
diff --git a/configure.ac b/configure.ac
index 004a517..87fca6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,8 +46,7 @@ kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
# Remove workarounds soon
regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
-Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter \
- -Wno-shadow -Wno-inline"
+ -Wno-unused-parameter"
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index d1e6903..f7c737c 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -149,7 +149,7 @@ static void SAME_print(const void *ip, const struct xt_entry_target *target,
unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
- int random = 0;
+ int random_selection = 0;
printf("same:");
@@ -167,13 +167,13 @@ static void SAME_print(const void *ip, const struct xt_entry_target *target,
else
printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
- random = 1;
+ random_selection = 1;
}
if (mr->info & IPT_SAME_NODST)
printf("nodst ");
- if (random)
+ if (random_selection)
printf("random ");
}
@@ -183,7 +183,7 @@ static void SAME_save(const void *ip, const struct xt_entry_target *target)
unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
- int random = 0;
+ int random_selection = 0;
for (count = 0; count < mr->rangesize; count++) {
struct ip_nat_range *r = &mr->range[count];
@@ -198,13 +198,13 @@ static void SAME_save(const void *ip, const struct xt_entry_target *target)
else
printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
- random = 1;
+ random_selection = 1;
}
if (mr->info & IPT_SAME_NODST)
printf("--nodst ");
- if (random)
+ if (random_selection)
printf("--random ");
}
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index 5557af2..7db9dce 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -49,12 +49,12 @@ static void addrtype_help(void)
}
static int
-parse_type(const char *name, size_t strlen, u_int16_t *mask)
+parse_type(const char *name, size_t len, u_int16_t *mask)
{
int i;
for (i = 0; rtn_names[i]; i++)
- if (strncasecmp(name, rtn_names[i], strlen) == 0) {
+ if (strncasecmp(name, rtn_names[i], len) == 0) {
/* build up bitmask for kernel module */
*mask |= (1 << i);
return 1;
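Review bot: Now that the parameter no longer hides `strlen()`, `parse_type` can compare whole words: `strncasecmp(name, rtn_names[i], len) == 0` accepts any prefix of a type name, and if a caller ever passes `len == 0` (an empty element in a comma-separated list, say; the callers are outside the hunk) it matches the first table entry. Consider `if (len == strlen(rtn_names[i]) && strncasecmp(name, rtn_names[i], len) == 0)`, or at least reject `len == 0` if abbreviations are meant to keep working. The same pattern appears in `parse_state` and `parse_status` in libxt_conntrack.c and in `state_parse_state` in libxt_state.c, where an empty token would take the first branch (INVALID or NONE) instead of being rejected. For a firewall front end, a typo that quietly selects a different state mask is worth an explicit error.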
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 1871657..4f52c2e 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -177,17 +177,17 @@ static void
__RATEEST_print(const struct xt_entry_target *target, const char *prefix)
{
struct xt_rateest_target_info *info = (void *)target->data;
- unsigned int interval;
- unsigned int ewma_log;
+ unsigned int local_interval;
+ unsigned int local_ewma_log;
- interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
- ewma_log = interval * (1 << (info->ewma_log));
+ local_interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
+ local_ewma_log = local_interval * (1 << (info->ewma_log));
printf("%sname %s ", prefix, info->name);
printf("%sinterval ", prefix);
- RATEEST_print_time(interval);
+ RATEEST_print_time(local_interval);
printf("%sewmalog ", prefix);
- RATEEST_print_time(ewma_log);
+ RATEEST_print_time(local_ewma_log);
}
static void
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index d1c0aa0..e3e29f0 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -78,21 +78,21 @@ static const struct option conntrack_mt_opts[] = {
};
static int
-parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo)
+parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
{
- if (strncasecmp(state, "INVALID", strlen) == 0)
+ if (strncasecmp(state, "INVALID", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
+ else if (strncasecmp(state, "NEW", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
+ else if (strncasecmp(state, "RELATED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
- else if (strncasecmp(state, "SNAT", strlen) == 0)
+ else if (strncasecmp(state, "SNAT", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
- else if (strncasecmp(state, "DNAT", strlen) == 0)
+ else if (strncasecmp(state, "DNAT", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
else
return 0;
@@ -154,18 +154,18 @@ conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg)
}
static int
-parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo)
+parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
{
- if (strncasecmp(status, "NONE", strlen) == 0)
+ if (strncasecmp(status, "NONE", len) == 0)
sinfo->statusmask |= 0;
- else if (strncasecmp(status, "EXPECTED", strlen) == 0)
+ else if (strncasecmp(status, "EXPECTED", len) == 0)
sinfo->statusmask |= IPS_EXPECTED;
- else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
+ else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
sinfo->statusmask |= IPS_SEEN_REPLY;
- else if (strncasecmp(status, "ASSURED", strlen) == 0)
+ else if (strncasecmp(status, "ASSURED", len) == 0)
sinfo->statusmask |= IPS_ASSURED;
#ifdef IPS_CONFIRMED
- else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
+ else if (strncasecmp(status, "CONFIRMED", len) == 0)
sinfo->statusmask |= IPS_CONFIRMED;
#endif
else
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index d8a0035..00b0304 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -106,10 +106,10 @@ static void hashlimit_init(struct xt_entry_match *m)
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *optarg)
+static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
{
char *tok;
- char *arg = strdup(optarg);
+ char *arg = strdup(option_arg);
if (!arg)
return -1;
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index 68f5280..5b8beea 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -29,17 +29,17 @@ static const struct option state_opts[] = {
};
static int
-state_parse_state(const char *state, size_t strlen, struct xt_state_info *sinfo)
+state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo)
{
- if (strncasecmp(state, "INVALID", strlen) == 0)
+ if (strncasecmp(state, "INVALID", len) == 0)
sinfo->statemask |= XT_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
+ else if (strncasecmp(state, "NEW", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
+ else if (strncasecmp(state, "RELATED", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
sinfo->statemask |= XT_STATE_UNTRACKED;
else
return 0;
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 19bb121..ebb4e91 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -30,16 +30,20 @@ static const struct option statistic_opts[] = {
{ .name = NULL }
};
-static struct xt_statistic_info *info;
+static struct xt_statistic_info *global_info;
+
+static void statistic_mt_init(struct xt_entry_match *match)
+{
+ global_info = (void *)match->data;
+}
static int
statistic_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
+ struct xt_statistic_info *info = (void *)(*match)->data;
double prob;
- info = (void *)(*match)->data;
-
if (invert)
info->flags |= XT_STATISTIC_INVERT;
@@ -100,25 +104,26 @@ static void statistic_check(unsigned int flags)
if ((flags & 0x2) && (flags & (0x4 | 0x8)))
exit_error(PARAMETER_PROBLEM,
"both nth and random parameters given");
- if (flags & 0x2 && info->mode != XT_STATISTIC_MODE_RANDOM)
+ if (flags & 0x2 && global_info->mode != XT_STATISTIC_MODE_RANDOM)
exit_error(PARAMETER_PROBLEM,
"--probability can only be used in random mode");
- if (flags & 0x4 && info->mode != XT_STATISTIC_MODE_NTH)
+ if (flags & 0x4 && global_info->mode != XT_STATISTIC_MODE_NTH)
exit_error(PARAMETER_PROBLEM,
"--every can only be used in nth mode");
- if (flags & 0x8 && info->mode != XT_STATISTIC_MODE_NTH)
+ if (flags & 0x8 && global_info->mode != XT_STATISTIC_MODE_NTH)
exit_error(PARAMETER_PROBLEM,
"--packet can only be used in nth mode");
if ((flags & 0x8) && !(flags & 0x4))
exit_error(PARAMETER_PROBLEM,
"--packet can only be used with --every");
/* at this point, info->u.nth.every have been decreased. */
- if (info->u.nth.packet > info->u.nth.every)
+ if (global_info->u.nth.packet > global_info->u.nth.every)
exit_error(PARAMETER_PROBLEM,
"the --packet p must be 0 <= p <= n-1");
- info->u.nth.count = info->u.nth.every - info->u.nth.packet;
+ global_info->u.nth.count = global_info->u.nth.every -
+ global_info->u.nth.packet;
}
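Review bot: `statistic_check` now reads `global_info`, which `statistic_mt_init` (previous hunk) overwrites on every match initialisation, so when more than one statistic match is set up before the checks run, the validation and the `u.nth.count` computation apply to whichever instance was initialised last and the earlier one keeps an unset count. Because `final_check` receives only `flags`, the per-instance work would be better done in `statistic_parse`, where `info` is already a local, e.g. `info->u.nth.count = info->u.nth.every - info->u.nth.packet;` once both options are known. The `u.nth.packet > u.nth.every` test also runs when the mode is not nth; if `u` is a union, as its name suggests, it then reads a member that was not the one written, so guard it with `global_info->mode == XT_STATISTIC_MODE_NTH`. The comment `/* at this point, info->u.nth.every have been decreased. */` still names the old variable.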
/* Prints out the matchinfo. */
@@ -164,6 +169,7 @@ static struct xtables_match statistic_match = {
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
.help = statistic_help,
.parse = statistic_parse,
.final_check = statistic_check,
@@ -178,6 +184,7 @@ static struct xtables_match statistic_match6 = {
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
.help = statistic_help,
.parse = statistic_parse,
.final_check = statistic_check,
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index b157897..62ffdcb 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -7,7 +7,8 @@
#define XT_SCTP_VALID_FLAGS 0x07
-#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+/* temporary */
+#define SCTP_ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
struct xt_sctp_flag_info {
@@ -40,68 +41,54 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] |= \
+ (chunkmap)[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] &= \
+ (chunkmap)[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
- (chunkmap[type / bytes (u_int32_t)] & \
+ ((chunkmap)[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- chunkmap[i] = 0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- chunkmap[i] = ~0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- destmap[i] = srcmap[i]; \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
- if (chunkmap[i]) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
-
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
- if (chunkmap[i] != ~0) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+ __sctp_chunkmap_is_clear((chunkmap), SCTP_ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i])
+ return false;
+ return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i] != ~0U)
+ return false;
+ return true;
+}
#endif /* _XT_SCTP_H_ */
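Review bot: `SCTP_CHUNKMAP_IS_ALL_SET` expands to `ARRAY_SIZE(chunkmap)`, but the helper this header defines is `SCTP_ARRAY_SIZE`, so the macro compiles only where some other header happens to provide `ARRAY_SIZE`; use `__sctp_chunkmap_is_all_set((chunkmap), SCTP_ARRAY_SIZE(chunkmap))`. The `sizeof(chunkmap)` and `sizeof(srcmap)` forms are correct only when the argument is a real array: given a pointer they clear, set or copy just pointer-size bytes, and `SCTP_CHUNKMAP_COPY` sizes the copy by the source, so a smaller destination would be overrun; a comment stating the array-only contract, or sizing by `sizeof(destmap)`, would make that explicit. The new code uses `bool`, `memset` and `memcpy`, so the header should include `<stdbool.h>` and `<string.h>` itself unless an include outside this hunk already does. In the SET/CLEAR/IS_SET macros `type` is still unparenthesised and `1 << …` is a signed shift; `1U << ((type) % bytes(u_int32_t))` avoids undefined behaviour if the shift count can reach 31.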
diff --git a/include/xtables.h b/include/xtables.h
index 484e436..4b75e2c 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -176,7 +176,7 @@ extern char *lib_dir;
extern void *fw_calloc(size_t count, size_t size);
extern void *fw_malloc(size_t size);
-extern const char *modprobe;
+extern const char *modprobe_program;
extern int xtables_insmod(const char *modname, const char *modprobe, int quiet);
extern int load_xtables_ko(const char *modprobe, int quiet);
@@ -230,7 +230,7 @@ enum exittype {
/* this is a special 64bit data type that is 8-byte aligned */
#define aligned_u64 u_int64_t __attribute__((aligned(8)))
-int check_inverse(const char option[], int *invert, int *optind, int argc);
+int check_inverse(const char option[], int *invert, int *my_optind, int argc);
void exit_error(enum exittype, const char *, ...)__attribute__((noreturn,
format(printf,2,3)));
extern void param_act(unsigned int, const char *, ...);
diff --git a/ip6tables-save.c b/ip6tables-save.c
index fe57cfd..c73d354 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -21,7 +21,7 @@
#include <dlfcn.h>
#endif
-static int binary = 0, counters = 0;
+static int show_binary = 0, show_counters = 0;
static struct option options[] = {
{ "binary", 0, 0, 'b' },
@@ -264,7 +264,7 @@ static int do_output(const char *tablename)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
ip6tc_strerror(errno));
- if (!binary) {
+ if (!show_binary) {
time_t now = time(NULL);
printf("# Generated by ip6tables-save v%s on %s",
@@ -297,7 +297,7 @@ static int do_output(const char *tablename)
/* Dump out rules */
e = ip6tc_first_rule(chain, &h);
while(e) {
- print_rule(e, &h, chain, counters);
+ print_rule(e, &h, chain, show_counters);
e = ip6tc_next_rule(e, &h);
}
}
@@ -342,11 +342,11 @@ int main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
- binary = 1;
+ show_binary = 1;
break;
case 'c':
- counters = 1;
+ show_counters = 1;
break;
case 't':
diff --git a/ip6tables.c b/ip6tables.c
index c542377..4b517e5 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -440,16 +440,16 @@ add_command(unsigned int *cmd, const int newcmd, const int othercmds,
}
int
-check_inverse(const char option[], int *invert, int *optind, int argc)
+check_inverse(const char option[], int *invert, int *my_optind, int argc)
{
if (option && strcmp(option, "!") == 0) {
if (*invert)
exit_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = TRUE;
- if (optind) {
- *optind = *optind+1;
- if (argc && *optind > argc)
+ if (my_optind != NULL) {
+ ++*my_optind;
+ if (argc && *my_optind > argc)
exit_error(PARAMETER_PROBLEM,
"no argument following `!'");
}
@@ -1492,7 +1492,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
break;
case 'M':
- modprobe = optarg;
+ modprobe_program = optarg;
break;
case 'c':
@@ -1673,7 +1673,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
*handle = ip6tc_init(*table);
/* try to insmod the module if iptc_init failed */
- if (!*handle && load_xtables_ko(modprobe, 0) != -1)
+ if (!*handle && load_xtables_ko(modprobe_program, 0) != -1)
*handle = ip6tc_init(*table);
if (!*handle)
diff --git a/iptables-save.c b/iptables-save.c
index f8a61c2..f82c8a7 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -20,7 +20,7 @@
#include <dlfcn.h>
#endif
-static int binary = 0, counters = 0;
+static int show_binary = 0, show_counters = 0;
static struct option options[] = {
{ "binary", 0, 0, 'b' },
@@ -287,7 +287,7 @@ static int do_output(const char *tablename)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
- if (!binary) {
+ if (!show_binary) {
time_t now = time(NULL);
printf("# Generated by iptables-save v%s on %s",
@@ -320,7 +320,7 @@ static int do_output(const char *tablename)
/* Dump out rules */
e = iptc_first_rule(chain, &h);
while(e) {
- print_rule(e, &h, chain, counters);
+ print_rule(e, &h, chain, show_counters);
e = iptc_next_rule(e, &h);
}
}
@@ -367,11 +367,11 @@ main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
- binary = 1;
+ show_binary = 1;
break;
case 'c':
- counters = 1;
+ show_counters = 1;
break;
case 't':
diff --git a/iptables-xml.c b/iptables-xml.c
index 404d020..94f2e39 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -99,16 +99,15 @@ char closeRuleTag[IPT_TABLE_MAXNAMELEN + 1];
char curTable[IPT_TABLE_MAXNAMELEN + 1];
char curChain[IPT_CHAIN_MAXNAMELEN + 1];
-typedef struct chain
-{
+struct chain {
char *chain;
char *policy;
struct ipt_counters count;
int created;
-} chain;
+};
#define maxChains 10240 /* max chains per table */
-static chain chains[maxChains];
+static struct chain chains[maxChains];
static int nextChain = 0;
/* funCtion adding one argument to newargv, updating newargc
diff --git a/iptables.c b/iptables.c
index 43e3653..0363aba 100644
--- a/iptables.c
+++ b/iptables.c
@@ -447,16 +447,16 @@ add_command(unsigned int *cmd, const int newcmd, const int othercmds,
}
int
-check_inverse(const char option[], int *invert, int *optind, int argc)
+check_inverse(const char option[], int *invert, int *my_optind, int argc)
{
if (option && strcmp(option, "!") == 0) {
if (*invert)
exit_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = TRUE;
- if (optind) {
- *optind = *optind+1;
- if (argc && *optind > argc)
+ if (my_optind != NULL) {
+ ++*my_optind;
+ if (argc && *my_optind > argc)
exit_error(PARAMETER_PROBLEM,
"no argument following `!'");
}
@@ -1529,7 +1529,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
break;
case 'M':
- modprobe = optarg;
+ modprobe_program = optarg;
break;
case 'c':
@@ -1712,7 +1712,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
*handle = iptc_init(*table);
/* try to insmod the module if iptc_init failed */
- if (!*handle && load_xtables_ko(modprobe, 0) != -1)
+ if (!*handle && load_xtables_ko(modprobe_program, 0) != -1)
*handle = iptc_init(*table);
if (!*handle)
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index b7bf785..113c250 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -317,7 +317,7 @@ static inline unsigned int iptcc_is_builtin(struct chain_head *c);
* is sorted by name.
*/
static struct list_head *
-iptcc_bsearch_chain_index(const char *name, unsigned int *index, TC_HANDLE_T handle)
+iptcc_bsearch_chain_index(const char *name, unsigned int *idx, TC_HANDLE_T handle)
{
unsigned int pos, end;
int res;
@@ -346,7 +346,7 @@ iptcc_bsearch_chain_index(const char *name, unsigned int *index, TC_HANDLE_T han
res = strcmp(name, handle->chain_index[pos]->name);
list_pos = &handle->chain_index[pos]->list;
- (*index)=pos;
+ *idx = pos;
debug("bsearch Index[%d] name:%s res:%d ",
pos, handle->chain_index[pos]->name, res);
@@ -536,9 +536,9 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, TC_HANDLE_T h)
{
struct list_head *index_ptr, *index_ptr2, *next;
struct chain_head *c2;
- unsigned int index, index2;
+ unsigned int idx, idx2;
- index_ptr = iptcc_bsearch_chain_index(c->name, &index, h);
+ index_ptr = iptcc_bsearch_chain_index(c->name, &idx, h);
debug("Del chain[%s] c->list:%p index_ptr:%p\n",
c->name, &c->list, index_ptr);
@@ -554,15 +554,15 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, TC_HANDLE_T h)
* is located in the same index bucket.
*/
c2 = list_entry(next, struct chain_head, list);
- index_ptr2 = iptcc_bsearch_chain_index(c2->name, &index2, h);
- if (index != index2) {
+ index_ptr2 = iptcc_bsearch_chain_index(c2->name, &idx2, h);
+ if (idx != idx2) {
/* Rebuild needed */
return iptcc_chain_index_rebuild(h);
} else {
/* Avoiding rebuild */
debug("Update cindex[%d] with next ptr name:[%s]\n",
- index, c2->name);
- h->chain_index[index]=c2;
+ idx, c2->name);
+ h->chain_index[idx]=c2;
return 0;
}
}
@@ -962,18 +962,18 @@ static int parse_table(TC_HANDLE_T h)
list_for_each_entry(c, &h->chains, list) {
struct rule_head *r;
list_for_each_entry(r, &c->rules, list) {
- struct chain_head *c;
+ struct chain_head *lc;
STRUCT_STANDARD_TARGET *t;
if (r->type != IPTCC_R_JUMP)
continue;
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
- c = iptcc_find_chain_by_offset(h, t->verdict);
- if (!c)
+ lc = iptcc_find_chain_by_offset(h, t->verdict);
+ if (!lc)
return -1;
- r->jump = c;
- c->references++;
+ r->jump = lc;
+ lc->references++;
}
}
@@ -2395,16 +2395,14 @@ subtract_counters(STRUCT_COUNTERS *answer,
}
-static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters,
- unsigned int index)
+static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters, unsigned int idx)
{
- newcounters->counters[index] = ((STRUCT_COUNTERS) { 0, 0});
+ newcounters->counters[idx] = ((STRUCT_COUNTERS) { 0, 0});
DEBUGP_C("NOMAP => zero\n");
}
static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
- STRUCT_REPLACE *repl,
- unsigned int index,
+ STRUCT_REPLACE *repl, unsigned int idx,
unsigned int mappos)
{
/* Original read: X.
@@ -2414,15 +2412,13 @@ static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
* => Add in X + Y
* => Add in replacement read.
*/
- newcounters->counters[index] = repl->counters[mappos];
+ newcounters->counters[idx] = repl->counters[mappos];
DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
}
static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
- STRUCT_REPLACE *repl,
- unsigned int index,
- unsigned int mappos,
- STRUCT_COUNTERS *counters)
+ STRUCT_REPLACE *repl, unsigned int idx,
+ unsigned int mappos, STRUCT_COUNTERS *counters)
{
/* Original read: X.
* Atomic read on replacement: X + Y.
@@ -2431,19 +2427,18 @@ static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
* => Add in Y.
* => Add in (replacement read - original read).
*/
- subtract_counters(&newcounters->counters[index],
+ subtract_counters(&newcounters->counters[idx],
&repl->counters[mappos],
counters);
DEBUGP_C("ZEROED => mappos %u\n", mappos);
}
static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
- unsigned int index,
- STRUCT_COUNTERS *counters)
+ unsigned int idx, STRUCT_COUNTERS *counters)
{
/* Want to set counter (iptables-restore) */
- memcpy(&newcounters->counters[index], counters,
+ memcpy(&newcounters->counters[idx], counters,
sizeof(STRUCT_COUNTERS));
DEBUGP_C("SET\n");
diff --git a/xtables.c b/xtables.c
index dba9081..89863d7 100644
--- a/xtables.c
+++ b/xtables.c
@@ -46,7 +46,7 @@
char *lib_dir;
/* the path to command to load kernel module */
-const char *modprobe = NULL;
+const char *modprobe_program = NULL;
/* Keeping track of external matches and targets: linked lists. */
struct xtables_match *xtables_matches;
@@ -488,7 +488,7 @@ static int compatible_revision(const char *name, u_int8_t revision, int opt)
exit(1);
}
- load_xtables_ko(modprobe, 1);
+ load_xtables_ko(modprobe_program, 1);
strcpy(rev.name, name);
rev.revision = revision;
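Review bot: The `strcpy(rev.name, name)` kept right after the renamed `load_xtables_ko()` call copies `name` with no length bound, and nothing in this hunk shows that `name` was checked against the size of `rev.name`. If the length is not enforced where extensions are registered (not visible here), a bounded copy would be safer: `snprintf(rev.name, sizeof(rev.name), "%s", name);`, assuming `rev.name` is a fixed-size array as the `strcpy` suggests. compatible_revision() starts and ends outside the hunk.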
* [PATCH 07/24] Fix all remaining warnings (missing declarations, missing prototypes)
From: Jan Engelhardt @ 2008-03-04 15:55 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit aa67ae160fbfa3787d6a26763d5417f92f1c9b2f
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 00:54:00 2008 +0100
Fix all remaining warnings (missing declarations, missing prototypes)
---
configure.ac | 5 -----
extensions/GNUmakefile.in | 2 ++
extensions/libip6t_HL.c | 1 +
extensions/libip6t_LOG.c | 1 +
extensions/libip6t_REJECT.c | 1 +
extensions/libip6t_ah.c | 4 ++--
extensions/libip6t_condition.c | 5 ++---
extensions/libip6t_dst.c | 4 ++--
extensions/libip6t_eui64.c | 1 +
extensions/libip6t_frag.c | 4 ++--
extensions/libip6t_hbh.c | 4 ++--
extensions/libip6t_hl.c | 2 +-
extensions/libip6t_icmp6.c | 1 +
| 1 +
extensions/libip6t_mh.c | 1 +
extensions/libip6t_policy.c | 6 +-----
extensions/libip6t_rt.c | 4 ++--
extensions/libipt_CLUSTERIP.c | 1 +
extensions/libipt_DNAT.c | 1 +
extensions/libipt_ECN.c | 1 +
extensions/libipt_LOG.c | 1 +
extensions/libipt_MASQUERADE.c | 1 +
extensions/libipt_MIRROR.c | 1 +
extensions/libipt_NETMAP.c | 1 +
extensions/libipt_REDIRECT.c | 1 +
extensions/libipt_REJECT.c | 1 +
extensions/libipt_SAME.c | 1 +
extensions/libipt_SET.c | 1 +
extensions/libipt_SNAT.c | 1 +
extensions/libipt_TTL.c | 1 +
extensions/libipt_ULOG.c | 3 ++-
extensions/libipt_addrtype.c | 2 +-
extensions/libipt_ah.c | 4 ++--
extensions/libipt_condition.c | 5 ++---
extensions/libipt_ecn.c | 1 +
extensions/libipt_icmp.c | 1 +
extensions/libipt_policy.c | 1 +
extensions/libipt_realm.c | 1 +
extensions/libipt_recent.c | 1 +
extensions/libipt_set.c | 1 +
extensions/libipt_ttl.c | 2 +-
extensions/libipt_unclean.c | 1 +
extensions/libxt_CLASSIFY.c | 1 +
extensions/libxt_CONNMARK.c | 1 +
extensions/libxt_CONNSECMARK.c | 1 +
extensions/libxt_DSCP.c | 1 +
extensions/libxt_MARK.c | 1 +
extensions/libxt_NFLOG.c | 1 +
extensions/libxt_NFQUEUE.c | 1 +
extensions/libxt_NOTRACK.c | 1 +
extensions/libxt_RATEEST.c | 1 +
extensions/libxt_SECMARK.c | 1 +
extensions/libxt_TCPMSS.c | 1 +
extensions/libxt_TCPOPTSTRIP.c | 1 +
extensions/libxt_TOS.c | 1 +
extensions/libxt_TRACE.c | 1 +
| 1 +
extensions/libxt_connbytes.c | 1 +
extensions/libxt_connlimit.c | 1 +
extensions/libxt_connmark.c | 1 +
extensions/libxt_conntrack.c | 1 +
extensions/libxt_dccp.c | 1 +
extensions/libxt_dscp.c | 1 +
extensions/libxt_esp.c | 4 ++--
extensions/libxt_hashlimit.c | 1 +
extensions/libxt_helper.c | 1 +
extensions/libxt_iprange.c | 1 +
extensions/libxt_length.c | 1 +
extensions/libxt_limit.c | 1 +
extensions/libxt_mac.c | 1 +
extensions/libxt_mark.c | 1 +
extensions/libxt_multiport.c | 4 ++--
extensions/libxt_owner.c | 1 +
extensions/libxt_physdev.c | 1 +
extensions/libxt_pkttype.c | 1 +
extensions/libxt_quota.c | 4 ++--
extensions/libxt_rateest.c | 1 +
extensions/libxt_sctp.c | 1 +
extensions/libxt_standard.c | 1 +
extensions/libxt_state.c | 1 +
extensions/libxt_statistic.c | 1 +
extensions/libxt_string.c | 1 +
extensions/libxt_tcp.c | 4 ++--
extensions/libxt_tcpmss.c | 1 +
extensions/libxt_time.c | 1 +
extensions/libxt_tos.c | 1 +
extensions/libxt_u32.c | 1 +
extensions/libxt_udp.c | 4 ++--
include/iptables.h | 2 --
include/libiptc/libip6tc.h | 2 ++
include/libiptc/libiptc.h | 2 ++
include/xtables.h | 3 +++
ip6tables-multi.h | 8 ++++++++
ip6tables-restore.c | 4 +++-
ip6tables-save.c | 1 +
ip6tables-standalone.c | 1 +
ip6tables.c | 6 ++----
iptables-multi.h | 9 +++++++++
iptables-restore.c | 3 ++-
iptables-save.c | 1 +
iptables-standalone.c | 1 +
iptables-xml.c | 1 +
iptables.c | 4 +---
libiptc/libiptc.c | 9 ++++-----
104 files changed, 143 insertions(+), 58 deletions(-)
create mode 100644 ip6tables-multi.h
create mode 100644 iptables-multi.h
diff --git a/configure.ac b/configure.ac
index 87fca6c..29f54dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,11 +43,6 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
-# Remove workarounds soon
-regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
- -Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter"
-
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 3d9eb24..c6c181a 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -143,6 +143,7 @@ initext4.c: .initext4.dd
for i in ${initext_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
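Review bot: The added `echo -en "void init_extensions(void);\n"` relies on `echo` accepting `-e`/`-n`, which a POSIX `/bin/sh` is not required to support. Under such a shell the option text would likely be written into the generated initext4.c and break the build. The neighbouring line already has the same dependency, but the new line could avoid adding to it: `printf 'void init_extensions(void);\n' >>$@; \`. The identical line added in the initext6.c hunk has the same issue. The recipe starts and ends outside the hunk.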
@@ -157,6 +158,7 @@ initext6.c: .initext6.dd
for i in ${initext6_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext6_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
index c20147b..3104285 100644
--- a/extensions/libip6t_HL.c
+++ b/extensions/libip6t_HL.c
@@ -152,6 +152,7 @@ static struct ip6tables_target hl_target6 = {
.extra_opts = HL_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&hl_target6);
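Review bot: The `void _init(void);` line added directly above the definition only silences -Wmissing-prototypes. Because the prototype sits in the same file as the definition, it gives no cross-file checking. The name `_init` is also left unexplained: it is underscore-prefixed at file scope and is also the legacy ELF initialiser name, which this code presumably relies on. The same pattern repeats in every extensions/lib*.c hunk of this patch. Either declare it once in a shared header that the extensions already include, or keep the local prototype and add a comment such as `/* prototype only for -Wmissing-prototypes; _init registers this extension */`. The body of _init continues outside the hunk.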
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 6fd4c0b..e8de148 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -269,6 +269,7 @@ static struct ip6tables_target log_target6 = {
.extra_opts = LOG_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&log_target6);
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index 000096e..9445534 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -151,6 +151,7 @@ static struct ip6tables_target reject_target6 = {
.extra_opts = REJECT_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&reject_target6);
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index 46469ea..afebdb1 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -206,8 +206,8 @@ static struct ip6tables_match ah_match6 = {
.extra_opts = ah_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&ah_match6);
}
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
index 03e2722..56793b2 100644
--- a/extensions/libip6t_condition.c
+++ b/extensions/libip6t_condition.c
@@ -87,9 +87,8 @@ static struct ip6tables_match condition_match6 = {
.extra_opts = condition_opts,
};
-
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&condition_match6);
}
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 5b06033..1333418 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -240,8 +240,8 @@ static struct ip6tables_match dst_match6 = {
.extra_opts = dst_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&dst_match6);
}
diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c
index 45988c4..7739e30 100644
--- a/extensions/libip6t_eui64.c
+++ b/extensions/libip6t_eui64.c
@@ -38,6 +38,7 @@ static struct ip6tables_match eui64_target6 = {
.parse = eui64_parse,
};
+void _init(void);
void _init(void)
{
register_match6(&eui64_target6);
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 86f40f4..834dd06 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -251,8 +251,8 @@ static struct ip6tables_match frag_match6 = {
.extra_opts = frag_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&frag_match6);
}
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index ad12547..7ca2b69 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -227,8 +227,8 @@ static struct ip6tables_match hbh_match6 = {
.extra_opts = hbh_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&hbh_match6);
}
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_hl.c
index 7f99598..d2616b8 100644
--- a/extensions/libip6t_hl.c
+++ b/extensions/libip6t_hl.c
@@ -138,7 +138,7 @@ static struct ip6tables_match hl_match6 = {
.extra_opts = hl_opts,
};
-
+void _init(void);
void _init(void)
{
register_match6(&hl_match6);
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index 8c9653f..d9bc785 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -265,6 +265,7 @@ static struct ip6tables_match icmp6_match6 = {
.extra_opts = icmp6_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&icmp6_match6);
--git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index c20fb94..05835ac 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -300,6 +300,7 @@ static struct ip6tables_match ipv6header_match6 = {
.extra_opts = ipv6header_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&ipv6header_match6);
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index dd0da2b..fd3f452 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -236,6 +236,7 @@ static struct ip6tables_match mh_match6 = {
.extra_opts = mh_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&mh_match6);
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index f706f98..4c2f405 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -126,11 +126,6 @@ mask_to_numeric(const struct in6_addr *addrp)
return buf;
}
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-
-/* End duplicated code from ip6tables.c */
-
static int parse_direction(char *s)
{
if (strcmp(s, "in") == 0)
@@ -461,6 +456,7 @@ static struct ip6tables_match policy_match6 = {
.extra_opts = policy_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&policy_match6);
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index e2ae09f..33d282f 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -342,8 +342,8 @@ static struct ip6tables_match rt_match6 = {
.extra_opts = rt_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&rt_match6);
}
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index fdeae86..2314185 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -248,6 +248,7 @@ static struct iptables_target clusterip_target = {
.extra_opts = CLUSTERIP_opts,
};
+void _init(void);
void _init(void)
{
register_target(&clusterip_target);
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 3ad412b..a0dbfc5 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -256,6 +256,7 @@ static struct iptables_target dnat_target = {
.extra_opts = DNAT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&dnat_target);
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 1523b2d..8335cca 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -166,6 +166,7 @@ static struct iptables_target ecn_target = {
.extra_opts = ECN_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ecn_target);
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 6b08f58..8287d95 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -271,6 +271,7 @@ static struct iptables_target log_target = {
.extra_opts = LOG_opts,
};
+void _init(void);
void _init(void)
{
register_target(&log_target);
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index fc914c5..c0c519d 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -164,6 +164,7 @@ static struct iptables_target masquerade_target = {
.extra_opts = MASQUERADE_opts,
};
+void _init(void);
void _init(void)
{
register_target(&masquerade_target);
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
index 83397fe..8506eff 100644
--- a/extensions/libipt_MIRROR.c
+++ b/extensions/libipt_MIRROR.c
@@ -34,6 +34,7 @@ static struct iptables_target mirror_target = {
.save = NULL,
};
+void _init(void);
void _init(void)
{
register_target(&mirror_target);
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index da0e5f4..0043cca 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -184,6 +184,7 @@ static struct iptables_target netmap_target = {
.extra_opts = NETMAP_opts,
};
+void _init(void);
void _init(void)
{
register_target(&netmap_target);
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 1918df8..0bcc9dd 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -170,6 +170,7 @@ static struct iptables_target redirect_target = {
.extra_opts = REDIRECT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&redirect_target);
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 5901a5e..aa139fd 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -170,6 +170,7 @@ static struct iptables_target reject_target = {
.extra_opts = REJECT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&reject_target);
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index f7c737c..9d58bf0 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -222,6 +222,7 @@ static struct iptables_target same_target = {
.extra_opts = SAME_opts,
};
+void _init(void);
void _init(void)
{
register_target(&same_target);
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
index dd42867..91ab488 100644
--- a/extensions/libipt_SET.c
+++ b/extensions/libipt_SET.c
@@ -168,6 +168,7 @@ static struct iptables_target set_target = {
.extra_opts = SET_opts,
};
+void _init(void);
void _init(void)
{
register_target(&set_target);
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 7b9e176..9a553cd 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -257,6 +257,7 @@ static struct iptables_target snat_target = {
.extra_opts = SNAT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&snat_target);
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index b5a32c4..e19c3a0 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -153,6 +153,7 @@ static struct iptables_target ttl_target = {
.extra_opts = TTL_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ttl_target);
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 6fb2c66..10301f0 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -21,7 +21,7 @@
#include "../include/linux/netfilter_ipv4/ipt_ULOG.h"
-void print_groups(unsigned int gmask)
+static void print_groups(unsigned int gmask)
{
int b;
unsigned int test;
@@ -199,6 +199,7 @@ static struct iptables_target ulog_target = {
.extra_opts = ULOG_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ulog_target);
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index 7db9dce..02752d3 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -196,7 +196,7 @@ static struct iptables_match addrtype_match = {
.extra_opts = addrtype_opts,
};
-
+void _init(void);
void _init(void)
{
register_match(&addrtype_match);
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index 2555b5d..5d9ab6c 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -169,8 +169,8 @@ static struct iptables_match ah_match = {
.extra_opts = ah_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match(&ah_match);
}
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
index 4a98dd8..5bd1c44 100644
--- a/extensions/libipt_condition.c
+++ b/extensions/libipt_condition.c
@@ -86,9 +86,8 @@ static struct iptables_match condition_match = {
.extra_opts = condition_opts,
};
-
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match(&condition_match);
}
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index 9c07eab..5c0428d 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -157,6 +157,7 @@ static struct iptables_match ecn_match = {
.extra_opts = ecn_opts,
};
+void _init(void);
void _init(void)
{
register_match(&ecn_match);
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index b1fccbf..df57a5e 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -287,6 +287,7 @@ static struct iptables_match icmp_match = {
.extra_opts = icmp_opts,
};
+void _init(void);
void _init(void)
{
register_match(&icmp_match);
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index 48b96be..cdef750 100644
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -421,6 +421,7 @@ static struct iptables_match policy_match = {
.extra_opts = policy_opts,
};
+void _init(void);
void _init(void)
{
register_match(&policy_match);
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index 7026fc2..73444de 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -256,6 +256,7 @@ static struct iptables_match realm_match = {
.extra_opts = realm_opts,
};
+void _init(void);
void _init(void)
{
register_match(&realm_match);
diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
index ace778e..d82b026 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libipt_recent.c
@@ -224,6 +224,7 @@ static struct iptables_match recent_match = {
.extra_opts = recent_opts,
};
+void _init(void);
void _init(void)
{
register_match(&recent_match);
diff --git a/extensions/libipt_set.c b/extensions/libipt_set.c
index 932008b..78a02b5 100644
--- a/extensions/libipt_set.c
+++ b/extensions/libipt_set.c
@@ -155,6 +155,7 @@ static struct iptables_match set_match = {
.extra_opts = set_opts,
};
+void _init(void);
void _init(void)
{
register_match(&set_match);
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index d7820f1..d358dfc 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -161,7 +161,7 @@ static struct iptables_match ttl_match = {
.extra_opts = ttl_opts,
};
-
+void _init(void);
void _init(void)
{
register_match(&ttl_match);
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
index 648d098..9956c1a 100644
--- a/extensions/libipt_unclean.c
+++ b/extensions/libipt_unclean.c
@@ -29,6 +29,7 @@ static struct iptables_match unclean_match = {
.parse = unclean_parse,
};
+void _init(void);
void _init(void)
{
register_match(&unclean_match);
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index e39367a..ea6cdbe 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -130,6 +130,7 @@ static struct xtables_target classify_target6 = {
.extra_opts = CLASSIFY_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&classify_target);
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 9e8013a..73f8214 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -470,6 +470,7 @@ static struct xtables_target connmark_tg6_reg = {
.extra_opts = connmark_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&connmark_target);
diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
index e8d0a5e..779594f 100644
--- a/extensions/libxt_CONNSECMARK.c
+++ b/extensions/libxt_CONNSECMARK.c
@@ -138,6 +138,7 @@ static struct xtables_target connsecmark_target6 = {
.extra_opts = CONNSECMARK_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&connsecmark_target);
diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
index c15f0e1..3a99b33 100644
--- a/extensions/libxt_DSCP.c
+++ b/extensions/libxt_DSCP.c
@@ -160,6 +160,7 @@ static struct xtables_target dscp_target6 = {
.extra_opts = DSCP_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&dscp_target);
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 569d2e8..2994e75 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -359,6 +359,7 @@ static struct xtables_target mark_tg6_reg_v2 = {
.extra_opts = mark_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&mark_target_v0);
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index d4dc971..4b6c5a9 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -167,6 +167,7 @@ static struct xtables_target nflog_target6 = {
.extra_opts = NFLOG_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&nflog_target);
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index b1c5ef3..287c1c8 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -106,6 +106,7 @@ static struct xtables_target nfqueue_target6 = {
.extra_opts = NFQUEUE_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&nfqueue_target);
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
index 18ad5e1..cb6bd1e 100644
--- a/extensions/libxt_NOTRACK.c
+++ b/extensions/libxt_NOTRACK.c
@@ -44,6 +44,7 @@ static struct xtables_target notrack_target6 = {
.parse = NOTRACK_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(¬rack_target);
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 4f52c2e..df16581 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -233,6 +233,7 @@ static struct xtables_target rateest_target6 = {
.extra_opts = RATEEST_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&rateest_target4);
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index b794e7d..5dfd21e 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -129,6 +129,7 @@ static struct xtables_target secmark_target6 = {
.extra_opts = SECMARK_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&secmark_target);
diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c
index 9ab69bf..f4a45c3 100644
--- a/extensions/libxt_TCPMSS.c
+++ b/extensions/libxt_TCPMSS.c
@@ -151,6 +151,7 @@ static struct xtables_target tcpmss_target6 = {
.extra_opts = TCPMSS_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tcpmss_target);
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index bd66435..22e921a 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -205,6 +205,7 @@ static struct xtables_target tcpoptstrip_tg6_reg = {
.extra_opts = tcpoptstrip_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tcpoptstrip_tg_reg);
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c
index 777d7cf..dfc7af7 100644
--- a/extensions/libxt_TOS.c
+++ b/extensions/libxt_TOS.c
@@ -249,6 +249,7 @@ static struct xtables_target tos_tg6_reg = {
.extra_opts = tos_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tos_tg_reg_v0);
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index c70df6a..f1d2d94 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -43,6 +43,7 @@ static struct xtables_target trace_target6 = {
.parse = TRACE_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&trace_target);
--git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 20277d4..8ae77fc 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -121,6 +121,7 @@ static struct xtables_match comment_match6 = {
.extra_opts = comment_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&comment_match);
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index e6cb1f4..9fd5a47 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -213,6 +213,7 @@ static struct xtables_match connbytes_match6 = {
.extra_opts = connbytes_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connbytes_match);
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index 9e2137a..2b4d3d5 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -208,6 +208,7 @@ static struct xtables_match connlimit_match6 = {
.extra_opts = connlimit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connlimit_match);
diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
index 1e38f7c..dd43359 100644
--- a/extensions/libxt_connmark.c
+++ b/extensions/libxt_connmark.c
@@ -228,6 +228,7 @@ static struct xtables_match connmark_mt6_reg = {
.extra_opts = connmark_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connmark_mt_reg_v0);
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index e3e29f0..d5f1be7 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1061,6 +1061,7 @@ static struct xtables_match conntrack_mt6_reg = {
.extra_opts = conntrack_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&conntrack_match);
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 467a695..d21de16 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -367,6 +367,7 @@ static struct xtables_match dccp_match6 = {
.extra_opts = dccp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&dccp_match);
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index a28af09..75941ab 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -174,6 +174,7 @@ static struct xtables_match dscp_match6 = {
.extra_opts = dscp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&dscp_match);
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index f37c088..b20999d 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -181,8 +181,8 @@ static struct xtables_match esp_match6 = {
.extra_opts = esp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&esp_match);
xtables_register_match(&esp_match6);
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 00b0304..a19ab8f 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -390,6 +390,7 @@ static struct xtables_match hashlimit_match6 = {
.extra_opts = hashlimit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&hashlimit_match);
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 31ae4fc..4ce1d4b 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -102,6 +102,7 @@ static struct xtables_match helper_match6 = {
.extra_opts = helper_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&helper_match);
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 51b35f8..54d7d9c 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -383,6 +383,7 @@ static struct xtables_match iprange_mt6_reg = {
.extra_opts = iprange_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&iprange_match);
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index b812b67..8fb2150 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -152,6 +152,7 @@ static struct xtables_match length_match6 = {
.extra_opts = length_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&length_match);
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index 65a8df3..e93388b 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -192,6 +192,7 @@ static struct xtables_match limit_match6 = {
.extra_opts = limit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&limit_match);
diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
index 2284d2a..112ac5b 100644
--- a/extensions/libxt_mac.c
+++ b/extensions/libxt_mac.c
@@ -143,6 +143,7 @@ static struct xtables_match mac_match6 = {
.extra_opts = mac_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&mac_match);
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index af7f844..1e07736 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -208,6 +208,7 @@ static struct xtables_match mark_mt6_reg = {
.extra_opts = mark_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&mark_match);
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 6de7bc1..7b96e6c 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -569,8 +569,8 @@ static struct xtables_match multiport_match6_v1 = {
.extra_opts = multiport_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&multiport_match);
xtables_register_match(&multiport_match6);
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index ea86f99..18f3d9a 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -591,6 +591,7 @@ static struct xtables_match owner_mt6_reg = {
.extra_opts = owner_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&owner_mt_reg_v0);
diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
index e971d1e..6b5fe20 100644
--- a/extensions/libxt_physdev.c
+++ b/extensions/libxt_physdev.c
@@ -190,6 +190,7 @@ static struct xtables_match physdev_match6 = {
.extra_opts = physdev_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&physdev_match);
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index 75194fc..893fe43 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -174,6 +174,7 @@ static struct xtables_match pkttype_match6 = {
.extra_opts = pkttype_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&pkttype_match);
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index b4fb78b..9ce350d 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -103,8 +103,8 @@ struct xtables_match quota_match6 = {
.extra_opts = quota_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match("a_match);
xtables_register_match("a_match6);
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 5f13340..0771fcd 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -454,6 +454,7 @@ static struct xtables_match rateest_match6 = {
.extra_opts = rateest_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&rateest_match4);
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 2ca1572..af6faba 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -539,6 +539,7 @@ static struct xtables_match sctp_match6 = {
.extra_opts = sctp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&sctp_match);
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index eef9369..2417f09 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -43,6 +43,7 @@ static struct xtables_target standard_target6 = {
.parse = standard_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&standard_target);
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index 5b8beea..cbc8419 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -170,6 +170,7 @@ static struct xtables_match state_match6 = {
.extra_opts = state_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&state_match);
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index ebb4e91..5ac77b6 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -193,6 +193,7 @@ static struct xtables_match statistic_match6 = {
.extra_opts = statistic_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&statistic_match);
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index f1030bb..5be14ef 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -356,6 +356,7 @@ static struct xtables_match string_match6 = {
.extra_opts = string_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&string_match);
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 3274f08..2026368 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -411,8 +411,8 @@ static struct xtables_match tcp_match6 = {
.extra_opts = tcp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&tcp_match);
xtables_register_match(&tcp_match6);
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index 7a026bf..36d445c 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -153,6 +153,7 @@ static struct xtables_match tcpmss_match6 = {
.extra_opts = tcpmss_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&tcpmss_match);
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index c39ab1a..3efc727 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -492,6 +492,7 @@ static struct xtables_match time_match6 = {
.extra_opts = time_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&time_match);
diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index 16a90ef..cd21560 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -182,6 +182,7 @@ static struct xtables_match tos_mt6_reg = {
.extra_opts = tos_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&tos_mt_reg_v0);
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 251b2d4..1e79c57 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -296,6 +296,7 @@ static struct xtables_match u32_match6 = {
.extra_opts = u32_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&u32_match);
diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
index 4e83ae8..2ba781e 100644
--- a/extensions/libxt_udp.c
+++ b/extensions/libxt_udp.c
@@ -224,8 +224,8 @@ static struct xtables_match udp_match6 = {
.extra_opts = udp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&udp_match);
xtables_register_match(&udp_match6);
diff --git a/include/iptables.h b/include/iptables.h
index f39410c..7ce9080 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -24,8 +24,6 @@ extern int line;
extern void register_match(struct iptables_match *me);
extern void register_target(struct iptables_target *me);
-extern u_int16_t parse_protocol(const char *s);
-
extern int do_command(int argc, char *argv[], char **table,
iptc_handle_t *handle);
extern int delete_chain(const ipt_chainlabel chain, int verbose,
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 5069689..6e8a565 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -152,4 +152,6 @@ const char *ip6tc_strerror(int err);
/* Return prefix length, or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);
+extern void dump_entries6(const ip6tc_handle_t);
+
#endif /* _LIBIP6TC_H */
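Review bot: `dump_entries6()` is now declared in the library header with no comment and no parameter name, while the declaration this patch removes from ip6tables.c carried `/* Extra debugging from libiptc */` and named the argument. I would keep both with the new declaration: `/* Extra debugging from libiptc */` above `extern void dump_entries6(const ip6tc_handle_t handle);`. The same applies to `dump_entries()` added to include/libiptc/libiptc.h. Whether the definition is built unconditionally is not visible here; if it is debug-only, the declaration should sit under the same guard.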
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 30f5b7d..1f6f95d 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -159,6 +159,8 @@ int iptc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);
+extern void dump_entries(const iptc_handle_t);
+
#ifdef __cplusplus
}
#endif
diff --git a/include/xtables.h b/include/xtables.h
index 4b75e2c..f2bcb44 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -267,4 +267,7 @@ extern void save_string(const char *value);
# define _init __attribute__((constructor)) _INIT
#endif
+/* Present in both iptables.c and ip6tables.c */
+extern u_int16_t parse_protocol(const char *s);
+
#endif /* _XTABLES_H */
diff --git a/ip6tables-multi.h b/ip6tables-multi.h
new file mode 100644
index 0000000..551029a
--- /dev/null
+++ b/ip6tables-multi.h
@@ -0,0 +1,8 @@
+#ifndef _IP6TABLES_MULTI_H
+#define _IP6TABLES_MULTI_H 1
+
+extern int ip6tables_main(int, char **);
+extern int ip6tables_save_main(int, char **);
+extern int ip6tables_restore_main(int, char **);
+
+#endif /* _IP6TABLES_MULTI_H */
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 570bd51..e9cc0ff 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -18,6 +18,7 @@
#include "ip6tables.h"
#include "xtables.h"
#include "libiptc/libip6tc.h"
+#include "ip6tables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -55,7 +56,8 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
+static ip6tc_handle_t create_handle(const char *tablename,
+ const char *modprobe)
{
ip6tc_handle_t handle;
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c73d354..e7eade1 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -16,6 +16,7 @@
#include <arpa/inet.h>
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
+#include "ip6tables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index b7dfd17..4029c1f 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -35,6 +35,7 @@
#include <stdlib.h>
#include <errno.h>
#include <ip6tables.h>
+#include "ip6tables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/ip6tables.c b/ip6tables.c
index 4b517e5..e5602f7 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -41,6 +41,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include "ip6tables-multi.h"
#ifndef TRUE
#define TRUE 1
@@ -186,9 +187,6 @@ static int inverse_for_options[NUMBER_OF_OPT] =
const char *program_version;
const char *program_name;
-/* Extra debugging from libiptc */
-extern void dump_entries6(const ip6tc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1140,7 +1138,7 @@ generate_entry(const struct ip6t_entry *fw,
return e;
}
-void clear_rule_matches(struct ip6tables_rule_match **matches)
+static void clear_rule_matches(struct ip6tables_rule_match **matches)
{
struct ip6tables_rule_match *matchp, *tmp;
diff --git a/iptables-multi.h b/iptables-multi.h
new file mode 100644
index 0000000..a9912b0
--- /dev/null
+++ b/iptables-multi.h
@@ -0,0 +1,9 @@
+#ifndef _IPTABLES_MULTI_H
+#define _IPTABLES_MULTI_H 1
+
+extern int iptables_main(int, char **);
+extern int iptables_save_main(int, char **);
+extern int iptables_restore_main(int, char **);
+extern int iptables_xml_main(int, char **);
+
+#endif /* _IPTABLES_MULTI_H */
diff --git a/iptables-restore.c b/iptables-restore.c
index 44263ce..b751d2c 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -15,6 +15,7 @@
#include "iptables.h"
#include "xtables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -54,7 +55,7 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-iptc_handle_t create_handle(const char *tablename, const char* modprobe )
+static iptc_handle_t create_handle(const char *tablename, const char *modprobe)
{
iptc_handle_t handle;
diff --git a/iptables-save.c b/iptables-save.c
index f82c8a7..c0c37ed 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -15,6 +15,7 @@
#include <netdb.h>
#include "libiptc/libiptc.h"
#include "iptables.h"
+#include "iptables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/iptables-standalone.c b/iptables-standalone.c
index e5c7841..55c7ce9 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -36,6 +36,7 @@
#include <errno.h>
#include <string.h>
#include <iptables.h>
+#include "iptables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/iptables-xml.c b/iptables-xml.c
index 94f2e39..d922efe 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -16,6 +16,7 @@
#include <stdarg.h>
#include "iptables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
diff --git a/iptables.c b/iptables.c
index 0363aba..b2a4b53 100644
--- a/iptables.c
+++ b/iptables.c
@@ -190,8 +190,6 @@ const char *program_name;
int kernel_version;
-extern void dump_entries(const iptc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1143,7 +1141,7 @@ generate_entry(const struct ipt_entry *fw,
return e;
}
-void clear_rule_matches(struct iptables_rule_match **matches)
+static void clear_rule_matches(struct iptables_rule_match **matches)
{
struct iptables_rule_match *matchp, *tmp;
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 113c250..e8f14fc 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1471,7 +1471,7 @@ TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
}
/* How many rules in this chain? */
-unsigned int
+static unsigned int
TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
{
struct chain_head *c;
@@ -1487,9 +1487,8 @@ TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
return c->num_rules;
}
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
+static const STRUCT_ENTRY *
+TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle)
{
struct chain_head *c;
struct rule_head *r;
@@ -1511,7 +1510,7 @@ const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
}
/* Returns a pointer to the target name of this position. */
-const char *standard_target_map(int verdict)
+static const char *standard_target_map(int verdict)
{
switch (verdict) {
case RETURN:
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 08/24] Add support for xt_hashlimit match revision 1
From: Jan Engelhardt @ 2008-03-04 15:57 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
This iptables patch already uses the .h file without the
redundant member (this linux-kernel commit).
[origin davem-net-26/master
commit 7d9904c2604ce091c97c225b5e2f92f3e7cc2e3a
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue Feb 19 17:19:44 2008 -0800
[NETFILTER]: xt_hashlimit: remove unneeded struct member
]
===
commit a34fb28418f2e1da7d5d394af43838adba678c91
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 00:55:33 2008 +0100
Add support for xt_hashlimit match revision 1
---
extensions/libxt_hashlimit.c | 398 ++++++++++++++++++++++--
extensions/libxt_hashlimit.man | 86 ++++--
include/linux/netfilter/xt_hashlimit.h | 38 ++-
3 files changed, 458 insertions(+), 64 deletions(-)
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index a19ab8f..e430f93 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -10,7 +10,7 @@
*
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -45,6 +45,27 @@ static void hashlimit_help(void)
"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
}
+static void hashlimit_mt_help(void)
+{
+ printf(
+"hashlimit match options:\n"
+" --hashlimit-upto <avg> max average match rate\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+" --hashlimit-above <avg> min average match rate\n"
+" --hashlimit-mode <mode> mode is a comma-separated list of\n"
+" dstip,srcip,dstport,srcport (or none)\n"
+" --hashlimit-srcmask <length> source address grouping prefix length\n"
+" --hashlimit-dstmask <length> destination address grouping prefix length\n"
+" --hashlimit-name <name> name for /proc/net/ipt_hashlimit\n"
+" --hashlimit-burst <num> number to match in a burst, default %u\n"
+" --hashlimit-htable-size <num> number of hashtable buckets\n"
+" --hashlimit-htable-max <num> number of hashtable entries\n"
+" --hashlimit-htable-gcinterval interval between garbage collection runs\n"
+" --hashlimit-htable-expire after which time are idle entries expired?\n"
+"\n", XT_HASHLIMIT_BURST);
+}
+
static const struct option hashlimit_opts[] = {
{ "hashlimit", 1, NULL, '%' },
{ "hashlimit-burst", 1, NULL, '$' },
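Review bot: The `--hashlimit-mode` line in hashlimit_mt_help() ends with `(or none)`, which reads as if `none` were an accepted keyword. parse_mode() later in this file returns -1 for any token other than dstip, srcip, srcport and dstport, so `--hashlimit-mode none` would be rejected as a bad value. If the intent is that the option may be left out, which hashlimit_mt_check() appears to allow, the line could read `"                                 dstip,srcip,dstport,srcport (option may be omitted)\n"`.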
@@ -57,6 +78,22 @@ static const struct option hashlimit_opts[] = {
{ .name = NULL }
};
+static const struct option hashlimit_mt_opts[] = {
+ {.name = "hashlimit-upto", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-above", .has_arg = true, .val = '^'},
+ {.name = "hashlimit", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-srcmask", .has_arg = true, .val = '<'},
+ {.name = "hashlimit-dstmask", .has_arg = true, .val = '>'},
+ {.name = "hashlimit-burst", .has_arg = true, .val = '$'},
+ {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'},
+ {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'},
+ {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('},
+ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
+ {.name = "hashlimit-mode", .has_arg = true, .val = '_'},
+ {.name = "hashlimit-name", .has_arg = true, .val = '"'},
+ {},
+};
+
static
int parse_rate(const char *rate, u_int32_t *val)
{
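Review bot: The terminator `{},` in hashlimit_mt_opts is an empty initializer, which is a GNU extension rather than standard C before C23. The existing hashlimit_opts table just above ends with `{ .name = NULL }`, and using the same terminator keeps both tables consistent and portable. `.has_arg = true` works because `has_arg` is an int, but getopt's `required_argument` states the intent more directly than a boolean.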
@@ -98,15 +135,39 @@ static void hashlimit_init(struct xt_entry_match *m)
{
struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
+ r->cfg.mode = 0;
r->cfg.burst = XT_HASHLIMIT_BURST;
r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
r->cfg.expire = XT_HASHLIMIT_EXPIRE;
}
+static void hashlimit_mt4_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 32;
+ info->cfg.dstmask = 32;
+}
+
+static void hashlimit_mt6_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 128;
+ info->cfg.dstmask = 128;
+}
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
+static int parse_mode(uint32_t *mode, char *option_arg)
{
char *tok;
char *arg = strdup(option_arg);
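Review bot: parse_mode() no longer clears the bitmask (the `r->cfg.mode = 0;` reset is removed in the next hunk) and only ORs bits into `*mode`. It therefore depends on the `mode = 0` assignments added to the init functions here, and on failure it returns -1 with `*mode` partly updated. The comment above it still reads as if it produced the whole bitmask; something like `/* OR the hash bits named in option_arg into *mode; the caller initialises *mode */` would record the new contract. The signature also introduces `uint32_t` where the rest of the file uses `u_int32_t`, and the only include this patch adds is `<stdbool.h>`, so it is worth confirming that `<stdint.h>` is reached. parse_mode's body continues in the following hunk.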
@@ -114,19 +175,17 @@ static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
if (!arg)
return -1;
- r->cfg.mode = 0;
-
for (tok = strtok(arg, ",|");
tok;
tok = strtok(NULL, ",|")) {
if (!strcmp(tok, "dstip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DIP;
+ *mode |= XT_HASHLIMIT_HASH_DIP;
else if (!strcmp(tok, "srcip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SIP;
+ *mode |= XT_HASHLIMIT_HASH_SIP;
else if (!strcmp(tok, "srcport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SPT;
+ *mode |= XT_HASHLIMIT_HASH_SPT;
else if (!strcmp(tok, "dstport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DPT;
+ *mode |= XT_HASHLIMIT_HASH_DPT;
else {
free(arg);
return -1;
@@ -136,14 +195,18 @@ static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
return 0;
}
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
+enum {
+ PARAM_LIMIT = 1 << 0,
+ PARAM_BURST = 1 << 1,
+ PARAM_MODE = 1 << 2,
+ PARAM_NAME = 1 << 3,
+ PARAM_SIZE = 1 << 4,
+ PARAM_MAX = 1 << 5,
+ PARAM_GCINTERVAL = 1 << 6,
+ PARAM_EXPIRE = 1 << 7,
+ PARAM_SRCMASK = 1 << 8,
+ PARAM_DSTMASK = 1 << 9,
+};
/* Function which parses command options; returns true if it
ate an option */
@@ -224,7 +287,7 @@ hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
*flags & PARAM_MODE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (parse_mode(r, optarg) < 0)
+ if (parse_mode(&r->cfg.mode, optarg) < 0)
exit_error(PARAMETER_PROBLEM,
"bad --hashlimit-mode: `%s'\n", optarg);
*flags |= PARAM_MODE;
@@ -249,6 +312,146 @@ hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
return 1;
}
+static int
+hashlimit_mt_parse(struct xt_hashlimit_mtinfo1 *info, unsigned int *flags,
+ int c, int invert, unsigned int maxmask)
+{
+ unsigned int num;
+
+ switch(c) {
+ case '%': /* --hashlimit / --hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-upto",
+ *flags & PARAM_LIMIT);
+ if (invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-upto", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '^': /* --hashlimit-above == !--hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-above",
+ *flags & PARAM_LIMIT);
+ if (!invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-above", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '$': /* --hashlimit-burst */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
+ if (!strtonum(optarg, NULL, &num, 0, 10000))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-burst", optarg);
+ info->cfg.burst = num;
+ *flags |= PARAM_BURST;
+ return true;
+
+ case '&': /* --hashlimit-htable-size */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-size", optarg);
+ info->cfg.size = num;
+ *flags |= PARAM_SIZE;
+ return true;
+
+ case '*': /* --hashlimit-htable-max */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-max", optarg);
+ info->cfg.max = num;
+ *flags |= PARAM_MAX;
+ return true;
+
+ case '(': /* --hashlimit-htable-gcinterval */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-gcinterval", optarg);
+ /* FIXME: not HZ dependent!! */
+ info->cfg.gc_interval = num;
+ *flags |= PARAM_GCINTERVAL;
+ return true;
+
+ case ')': /* --hashlimit-htable-expire */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-expire", optarg);
+ /* FIXME: not HZ dependent */
+ info->cfg.expire = num;
+ *flags |= PARAM_EXPIRE;
+ return true;
+
+ case '_':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
+ if (parse_mode(&info->cfg.mode, optarg) < 0)
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-mode", optarg);
+ *flags |= PARAM_MODE;
+ return true;
+
+ case '"': /* --hashlimit-name */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
+ if (strlen(optarg) == 0)
+ exit_error(PARAMETER_PROBLEM, "Zero-length name?");
+ strncpy(info->name, optarg, sizeof(info->name));
+ info->name[sizeof(info->name)-1] = '\0';
+ *flags |= PARAM_NAME;
+ return true;
+
+ case '<': /* --hashlimit-srcmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-srcmask",
+ *flags & PARAM_SRCMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-srcmask", optarg);
+ info->cfg.srcmask = num;
+ *flags |= PARAM_SRCMASK;
+ return true;
+
+ case '>': /* --hashlimit-dstmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-dstmask",
+ *flags & PARAM_DSTMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-dstmask", optarg);
+ info->cfg.dstmask = num;
+ *flags |= PARAM_DSTMASK;
+ return true;
+ }
+ return false;
+}
+
+static int
+hashlimit_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 32);
+}
+
+static int
+hashlimit_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 128);
+}
+
/* Final check; nothing. */
static void hashlimit_check(unsigned int flags)
{
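Review bot: In the `'"'` case of hashlimit_mt_parse(), an over-long `--hashlimit-name` is silently cut to `sizeof(info->name) - 1` bytes by the `strncpy` and terminator pair. Two rules whose names differ only past that point then end up with the same name and, presumably, the same table and shared rate-limit state. Rejecting the value is safer than truncating it: `if (strlen(optarg) >= sizeof(info->name)) exit_error(PARAMETER_PROBLEM, "--hashlimit-name too long");` before the copy. Separately, the comments on the `'%'` and `'^'` cases mention `--hashlimit-below`, an option that hashlimit_mt_opts does not define; they should say `--hashlimit-upto`.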
@@ -263,6 +466,16 @@ static void hashlimit_check(unsigned int flags)
"You have to specify --hashlimit-name");
}
+static void hashlimit_mt_check(unsigned int flags)
+{
+ if (!(flags & PARAM_LIMIT))
+ exit_error(PARAMETER_PROBLEM, "You have to specify "
+ "--hashlimit-upto or --hashlimit-above");
+ if (!(flags & PARAM_NAME))
+ exit_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-name");
+}
+
static const struct rates
{
const char *name;
@@ -285,29 +498,27 @@ static void print_rate(u_int32_t period)
printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
}
-static void print_mode(const struct xt_hashlimit_info *r, char separator)
+static void print_mode(unsigned int mode, char separator)
{
- int prevmode = 0;
+ bool prevmode = false;
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
- if (prevmode)
- putchar(separator);
+ if (mode & XT_HASHLIMIT_HASH_SIP) {
fputs("srcip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SPT) {
+ if (mode & XT_HASHLIMIT_HASH_SPT) {
if (prevmode)
putchar(separator);
fputs("srcport", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
+ if (mode & XT_HASHLIMIT_HASH_DIP) {
if (prevmode)
putchar(separator);
fputs("dstip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DPT) {
+ if (mode & XT_HASHLIMIT_HASH_DPT) {
if (prevmode)
putchar(separator);
fputs("dstport", stdout);
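Review bot: `prevmode` is now declared `bool` and initialised with `false`, but the assignments in the branches still read `prevmode = 1;`. Writing `prevmode = true;` there keeps the flag consistent with its new type. print_mode's body continues past the end of this hunk.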
@@ -324,7 +535,7 @@ static void hashlimit_print(const void *ip,
fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
printf("burst %u ", r->cfg.burst);
fputs("mode ", stdout);
- print_mode(r, '-');
+ print_mode(r->cfg.mode, '-');
if (r->cfg.size)
printf("htable-size %u ", r->cfg.size);
if (r->cfg.max)
@@ -335,6 +546,53 @@ static void hashlimit_print(const void *ip,
printf("htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("limit: above ", stdout);
+ else
+ fputs("limit: up to ", stdout);
+ print_rate(info->cfg.avg);
+ printf("burst %u ", info->cfg.burst);
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("mode ", stdout);
+ print_mode(info->cfg.mode, '-');
+ }
+ if (info->cfg.size != 0)
+ printf("htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("htable-gcinterval %u ", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 32);
+}
+
+static void
+hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 128);
+}
+
/* FIXME: Make minimalist: only print rate if not default --RR */
static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
{
@@ -346,7 +604,7 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
printf("--hashlimit-burst %u ", r->cfg.burst);
fputs("--hashlimit-mode ", stdout);
- print_mode(r, ',');
+ print_mode(r->cfg.mode, ',');
printf("--hashlimit-name %s ", r->name);
@@ -360,10 +618,61 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
printf("--hashlimit-htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("--hashlimit-above ", stdout);
+ else
+ fputs("--hashlimit-upto ", stdout);
+ print_rate(info->cfg.avg);
+ if (info->cfg.burst != XT_HASHLIMIT_BURST)
+ printf("--hashlimit-burst %u ", info->cfg.burst);
+
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("--hashlimit-mode ", stdout);
+ print_mode(info->cfg.mode, ',');
+ }
+
+ printf("--hashlimit-name %s ", info->name);
+
+ if (info->cfg.size != 0)
+ printf("--hashlimit-htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("--hashlimit-htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("--hashlimit-htable-gcinterval %u", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("--hashlimit-htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("--hashlimit-srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("--hashlimit-dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 32);
+}
+
+static void
+hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 128);
+}
+
static struct xtables_match hashlimit_match = {
.family = AF_INET,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
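Review bot: In hashlimit_mt_save() the format string `"--hashlimit-htable-gcinterval %u"` has no trailing space, unlike every other option this function prints. When a non-default gc interval is followed by the expire or mask options, the saved text runs them together (`...gcinterval 1000--hashlimit-htable-expire ...`, value constructed for illustration), and the result is unlikely to be a rule that iptables-restore can read back. The line should be `printf("--hashlimit-htable-gcinterval %u ", info->cfg.gc_interval);`.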
@@ -379,6 +688,7 @@ static struct xtables_match hashlimit_match6 = {
.family = AF_INET6,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
@@ -390,9 +700,43 @@ static struct xtables_match hashlimit_match6 = {
.extra_opts = hashlimit_opts,
};
+static struct xtables_match hashlimit_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt4_init,
+ .parse = hashlimit_mt4_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt4_print,
+ .save = hashlimit_mt4_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
+static struct xtables_match hashlimit_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt6_init,
+ .parse = hashlimit_mt6_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt6_print,
+ .save = hashlimit_mt6_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
void _init(void);
void _init(void)
{
xtables_register_match(&hashlimit_match);
xtables_register_match(&hashlimit_match6);
+ xtables_register_match(&hashlimit_mt_reg);
+ xtables_register_match(&hashlimit_mt6_reg);
}
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index c8128ec..e74aedf 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -1,35 +1,59 @@
-This patch adds a new match called 'hashlimit'.
-The idea is to have something like 'limit', but either per
-destination-ip or per (destip,destport) tuple.
-
-It gives you the ability to express
-.IP
- '1000 packets per second for every host in 192.168.0.0/16'
-.IP
- '100 packets per second for every service of 192.168.1.1'
-.P
-with a single iptables rule.
-.TP
-.BI "--hashlimit " "rate"
-A rate just like the limit match
-.TP
-.BI "--hashlimit-burst " "num"
-Burst value, just like limit match
-.TP
-.BI "--hashlimit-mode " "dstip,srcip,dstport,srcport"
-A comma-separated list of objects to take into consideration
-.TP
-.BI "--hashlimit-name " "foo"
-The name for the /proc/net/ipt_hashlimit/foo entry
-.TP
-.BI "--hashlimit-htable-size " "num"
+\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
+\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
+rule. Grouping can be done per-hostgroup (source and/or destination address)
+and/or per-port. It gives you the ability to express "\fIN\fR packets per time
+quantum per group":
+.TP
+matching on source host
+"1000 packets per second for every host in 192.168.0.0/16"
+.TP
+matching on source prot
+"100 packets per second for every service of 192.168.1.1"
+.TP
+matching on subnet
+"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
+.PP
+A hash limit option (\fB--hashlimit-upto\fR, \fB--hashlimit-above\fR) and
+\fB--hashlimit-name\fR are required.
+.TP
+\fB--hashlimit-upto\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
+a number, with an optional time quantum suffix; the default is 3/hour.
+.TP
+\fB--hashlimit-above\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is above \fIamount\fR/quantum.
+.TP
+\fB--hashlimit-burst\fR \fIamount\fR
+Maximum initial number of packets to match: this number gets recharged by one
+every time the limit specified above is not reached, up to this number; the
+default is 5.
+.TP
+\fB--hashlimit-mode\fR [\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR[\fB,\fR...]]
+A comma-separated list of objects to take into consideration. If no
+--hashlimit-mode option is given, hashlimit acts like limit, but at the
+expensive of doing the hash housekeeping.
+.TP
+\fB--hashlimit-srcmask\fR \fIprefix\fR
+When --hashlimit-mode srcip is used, all source addresses encountered will be
+grouped according to the given prefix length and the so-created subnet will be
+subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
+that --hashlimit-srcmask 0 is basically doing the same thing as not specifying
+srcip for --hashlimit-mode, but is technically more expensive.
+.TP
+\fB--hashlimit-dstmask\fR \fIprefix\fR
+Like --hashlimit-srcmask, but for destination addresses.
+.TP
+\fB--hashlimit-name\fR \fIfoo\fR
+The name for the /proc/net/ipt_hashlimit/foo entry.
+.TP
+\fB--hashlimit-htable-size\fR \fIbuckets\fR
The number of buckets of the hash table
.TP
-.BI "--hashlimit-htable-max " "num"
-Maximum entries in the hash
+\fB--hashlimit-htable-max\fR \fIentries\fR
+Maximum entries in the hash.
.TP
-.BI "--hashlimit-htable-expire " "num"
-After how many miliseconds do hash entries expire
+\fB--hashlimit-htable-expire\fR \fImsec\fR
+After how many miliseconds do hash entries expire.
.TP
-.BI "--hashlimit-htable-gcinterval " "num"
-How many miliseconds between garbage collection intervals
+\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
+How many miliseconds between garbage collection intervals.
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index b4556b8..51b18d8 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
-#define XT_HASHLIMIT_HASH_DIP 0x0001
-#define XT_HASHLIMIT_HASH_DPT 0x0002
-#define XT_HASHLIMIT_HASH_SIP 0x0004
-#define XT_HASHLIMIT_HASH_SPT 0x0008
+enum {
+ XT_HASHLIMIT_HASH_DIP = 1 << 0,
+ XT_HASHLIMIT_HASH_DPT = 1 << 1,
+ XT_HASHLIMIT_HASH_SIP = 1 << 2,
+ XT_HASHLIMIT_HASH_SPT = 1 << 3,
+ XT_HASHLIMIT_INVERT = 1 << 4,
+};
struct hashlimit_cfg {
- u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
@@ -29,12 +32,35 @@ struct hashlimit_cfg {
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
- struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
union {
void *ptr;
struct xt_hashlimit_info *master;
} u;
};
+
+struct hashlimit_cfg1 {
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+
+ u_int8_t srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+ char name[IFNAMSIZ];
+ struct hashlimit_cfg1 cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
#endif /*_XT_HASHLIMIT_H*/
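Review bot: The comment on `mode` in the new `struct hashlimit_cfg1` says `bitmask of XT_HASHLIMIT_HASH_*`, but the userspace code in this patch also tests `XT_HASHLIMIT_INVERT` in that field, so the comment should cover it, e.g. `/* bitmask of XT_HASHLIMIT_* */`. `srcmask` and `dstmask` carry no comment; `/* prefix lengths for source/destination grouping */` would match what the man page in this patch describes. If this header is meant to stay identical to the kernel's copy, the wording should be changed there first.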
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 09/24] Update the libxt_owner manpage with the UID/GID-range feature
From: Jan Engelhardt @ 2008-03-04 15:57 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit eac317510606d3673fd2e65c3917f72e9010ca33
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 00:57:18 2008 +0100
Update the libxt_owner manpage with the UID/GID-range feature
---
extensions/libxt_owner.man | 15 +++++++++------
1 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man
index add2369..344ce2e 100644
--- a/extensions/libxt_owner.man
+++ b/extensions/libxt_owner.man
@@ -3,14 +3,17 @@ for locally generated packets. This match is only valid in the OUTPUT and
POSTROUTING chains. Forwarded packets do not have any socket associated with
them. Packets from kernel threads do have a socket, but usually no owner.
.TP
-\fB--uid-owner\fR \fIuserid\fR
+\fB--uid-owner\fR \fIusername\fR
+.TP
+\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
Matches if the packet socket's file structure (if it has one) is owned by the
-given user ID. A user name may be specified in place of \fIuserid\fR, in which
-case iptables will try to look it up.
+given user. You may also specify a numerical UID, or an UID range.
+.TP
+\fB--gid-owner\fR \fIgroupname\fR
.TP
-\fB--gid-owner\fR \fIgroupid\fR
-Matches if the packet socket's file structure is owned by the given group ID.
-A group name may be specified in place of \fIgroupid\fR.
+\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+Matches if the packet socket's file structure is owned by the given group.
+You may also specify a numerical GID, or a GID range.
.TP
\fB--socket-exists\fR
Matches if the packet is associated with a socket.
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 10/24] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
From: Jan Engelhardt @ 2008-03-04 15:57 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit a200f1acee54cd6489e145be4d0375110f3c726d
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 01:02:00 2008 +0100
Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
iptables and ip6tables will now recognize the XTABLES_LIBDIR environment
variable for extensions to look in before going to the (old) IPT_LIB_DIR
or IP6T_LIB_DIR (depending on program!) or the default location (/usr..).
XTABLES_LIBDIR can also take multiple directories (like PATH, separated
by colon).
---
configure.ac | 12 +++---
extensions/GNUmakefile.in | 6 +-
include/ip6tables.h | 4 --
include/iptables.h | 4 --
include/xtables.h | 4 --
ip6tables-restore.c | 11 +++-
ip6tables-save.c | 11 +++-
ip6tables-standalone.c | 11 +++-
iptables-restore.c | 11 +++-
iptables-save.c | 11 +++-
iptables-standalone.c | 11 +++-
libiptc/libiptc.c | 4 --
xtables.c | 86 ++++++++++++++++++------------------
13 files changed, 100 insertions(+), 86 deletions(-)
diff --git a/configure.ac b/configure.ac
index 29f54dc..79775ad 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,11 +22,11 @@ AC_ARG_WITH([ksource],
AS_HELP_STRING([--with-ksource=PATH],
[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
[ksourcedir="$withval"])
-AC_ARG_WITH([iptdir],
- AS_HELP_STRING([--with-iptdir=PATH],
+AC_ARG_WITH([xtlibdir],
+ AS_HELP_STRING([--with-xtlibdir=PATH],
[Path to iptables modules [[LIBEXECDIR/iptables]]]),
- [iptdir="$withval"],
- [iptdir="${libexecdir}/iptables"])
+ [xtlibdir="$withval"],
+ [xtlibdir="${libexecdir}/iptables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
[Build and install development files (libipq, libipq-devel, iptables-devel)]))
@@ -40,11 +40,11 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
- -DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
+ -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
-AC_SUBST([iptdir])
+AC_SUBST([xtlibdir])
AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index c6c181a..b7edce4 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -7,7 +7,7 @@ prefix := @prefix@
exec_prefix := @exec_prefix@
libdir := @libdir@
libexecdir := @libexecdir@
-iptdir := @iptdir@
+xtlibdir := @xtlibdir@
CC := @CC@
CCLD := ${CC}
@@ -82,8 +82,8 @@ targets_install :=
all: ${targets}
install: ${targets_install}
- @mkdir -p "${DESTDIR}${iptdir}";
- install -pm0755 $^ "${DESTDIR}${iptdir}/";
+ @mkdir -p "${DESTDIR}${xtlibdir}";
+ install -pm0755 $^ "${DESTDIR}${xtlibdir}/";
clean:
rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
diff --git a/include/ip6tables.h b/include/ip6tables.h
index 4a511b7..e1539eb 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -5,10 +5,6 @@
#include "libiptc/libip6tc.h"
-#ifndef IP6T_LIB_DIR
-#define IP6T_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IP6T_SO_GET_REVISION_MATCH 68
#define IP6T_SO_GET_REVISION_TARGET 69
diff --git a/include/iptables.h b/include/iptables.h
index 7ce9080..094c64e 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -4,10 +4,6 @@
#include "xtables.h"
#include "libiptc/libiptc.h"
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
diff --git a/include/xtables.h b/include/xtables.h
index f2bcb44..408d199 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -7,10 +7,6 @@
#include <libiptc/libxtc.h>
#include <stdbool.h>
-#ifndef XT_LIB_DIR
-#define XT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index e9cc0ff..2c3e95d 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -131,9 +131,14 @@ int main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
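Review bot: `lib_dir` is taken from `XTABLES_LIBDIR` (or the deprecated variable) without any check on the privileges the process runs with, and xtables.c later passes it to load_extension(), which calls dlopen() on paths built from it. Whoever controls the environment therefore chooses which shared objects get loaded. This is harmless when the caller is already root, but it matters if the binary is ever installed setuid, given file capabilities, or run through a wrapper that preserves the caller's environment. Ignoring both variables when `getuid() != geteuid()`, or reading them with `secure_getenv()` where the C library provides it, would close that gap. The same block is repeated in ip6tables-save.c, ip6tables-standalone.c, iptables-restore.c, iptables-save.c and iptables-standalone.c, so a single helper in xtables.c would keep the policy in one place.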
diff --git a/ip6tables-save.c b/ip6tables-save.c
index e7eade1..e440887 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -332,9 +332,14 @@ int main(int argc, char *argv[])
program_name = "ip6tables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 4029c1f..1bb81bc 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -52,9 +52,14 @@ main(int argc, char *argv[])
program_name = "ip6tables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-restore.c b/iptables-restore.c
index b751d2c..f556fa5 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -132,9 +132,14 @@ main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-save.c b/iptables-save.c
index c0c37ed..1ce2090 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -357,9 +357,14 @@ main(int argc, char *argv[])
program_name = "iptables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 55c7ce9..369adaf 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -53,9 +53,14 @@ main(int argc, char *argv[])
program_name = "iptables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index e8f14fc..ca95748 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -46,10 +46,6 @@
#define debug(x, args...)
#endif
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
static int sockfd = -1;
static int sockfd_use = 0;
static void *iptc_fn = NULL;
diff --git a/xtables.c b/xtables.c
index 89863d7..0405e3e 100644
--- a/xtables.c
+++ b/xtables.c
@@ -305,12 +305,50 @@ void parse_interface(const char *arg, char *vianame, unsigned char *mask)
}
}
+static void *load_extension(const char *search_path, const char *prefix,
+ const char *name)
+{
+ const char *dir = search_path, *next;
+ void *ptr = NULL;
+ struct stat sb;
+ char path[256];
+
+ do {
+ next = strchr(dir, ':');
+ if (next == NULL)
+ next = dir + strlen(dir);
+ snprintf(path, sizeof(path), "%.*s/libxt_%s.so",
+ next - dir, dir, name);
+
+ if (dlopen(path, RTLD_NOW) != NULL)
+ /* Found library. If it didn't register itself,
+ maybe they specified target as match. */
+ ptr = find_match(name, DONT_LOAD, NULL);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
+
+ if (ptr != NULL)
+ return ptr;
+
+ snprintf(path, sizeof(path), "%.*s/%s%s.so",
+ next - dir, dir, prefix, name);
+ if (dlopen(path, RTLD_NOW) != NULL)
+ ptr = find_match(name, DONT_LOAD, NULL);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
+
+ if (ptr != NULL)
+ return ptr;
+
+ dir = next + 1;
+ } while (*next != '\0');
+
+ return NULL;
+}
+
struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_rule_match **matches)
{
-#ifndef NO_SHARED_LIBS
- struct stat sb;
-#endif
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
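Review bot: load_extension() always resolves the freshly loaded library through `find_match(name, DONT_LOAD, NULL)`, yet a later hunk in this file has find_target() assign the helper's return value to a `struct xtables_target *`. A target-only extension would therefore come back as NULL after a successful dlopen(), and a name that is registered as a match would come back as a match structure typed as a target. The helper needs to be told which registry to consult, for example through a `bool is_target` parameter, with find_match() passing `false` and find_target() passing `true`. find_match()'s body continues outside the hunk.

```c
static void *load_extension(const char *search_path, const char *prefix,
    const char *name, bool is_target)
{
	/* … unchanged: declarations, path splitting, first snprintf … */
		if (dlopen(path, RTLD_NOW) != NULL) {
			/* Found library. If it didn't register itself,
			   maybe they specified target as match. */
			if (is_target)
				ptr = find_target(name, DONT_LOAD);
			else
				ptr = find_match(name, DONT_LOAD, NULL);
		} else if (stat(path, &sb) == 0)
			fprintf(stderr, "%s: %s\n", path, dlerror());
	/* … unchanged: early return, second snprintf; the second dlopen branch gets the same is_target test … */
```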
@@ -343,25 +381,7 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- char path[strlen(lib_dir) + sizeof("/.so")
- + strlen(afinfo.libprefix) + strlen(name)];
-
- sprintf(path, "%s/libxt_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- /* Found library. If it didn't register itself,
- maybe they specified target as match. */
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
-
- if (ptr == NULL) {
- sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
- name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
- }
+ ptr = load_extension(lib_dir, afinfo.libprefix, name);
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
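Review bot: The `path` array removed here was sized from `lib_dir`, the prefix and `name`, whereas its replacement in load_extension() formats into a fixed `char path[256]` and ignores snprintf()'s return value. An over-long directory entry or extension name is therefore silently truncated, and the truncated string is what reaches dlopen(). Checking the result against `sizeof(path)` and skipping that entry would keep the loader from opening a file other than the one named. In the same calls the `%.*s` precision is `next - dir`, a `ptrdiff_t` where printf expects an `int`; `(int)(next - dir)` fixes that. find_match() starts and ends outside the hunk.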
@@ -403,9 +423,6 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
{
-#ifndef NO_SHARED_LIBS
- struct stat sb;
-#endif
struct xtables_target *ptr;
/* Standard target? */
@@ -423,25 +440,8 @@ struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- char path[strlen(lib_dir) + sizeof("/.so")
- + strlen(afinfo.libprefix) + strlen(name)];
-
- sprintf(path, "%s/libxt_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- /* Found library. If it didn't register itself,
- maybe they specified match as a target. */
- ptr = find_target(name, DONT_LOAD);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
+ ptr = load_extension(lib_dir, afinfo.libprefix, name);
- if (ptr == NULL) {
- sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
- name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_target(name, DONT_LOAD);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
- }
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
"Couldn't load target `%s':%s\n",
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 11/24] Move libipt_recent to libxt_recent
From: Jan Engelhardt @ 2008-03-04 15:58 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 4da4f2484110642adc3cbb8ce944f1ca3beb4592
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 01:06:31 2008 +0100
Move libipt_recent to libxt_recent
---
extensions/{libipt_recent.c => libxt_recent.c} | 122 ++++++------
extensions/{libipt_recent.man => libxt_recent.man} | 2 +-
include/linux/netfilter/xt_recent.h | 26 +++
include/linux/netfilter_ipv4/ipt_recent.h | 27 ---
4 files changed, 88 insertions(+), 89 deletions(-)
rename extensions/{libipt_recent.c => libxt_recent.c} (67%)
rename extensions/{libipt_recent.man => libxt_recent.man} (99%)
create mode 100644 include/linux/netfilter/xt_recent.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h
diff --git a/extensions/libipt_recent.c b/extensions/libxt_recent.c
similarity index 67%
rename from extensions/libipt_recent.c
rename to extensions/libxt_recent.c
index d82b026..5b26015 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libxt_recent.c
@@ -5,28 +5,15 @@
#include <stdlib.h>
#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
-
-/* Need these in order to not fail when compiling against an older kernel. */
-#ifndef RECENT_NAME
-#define RECENT_NAME "ipt_recent"
-#endif /* RECENT_NAME */
-
-#ifndef RECENT_VER
-#define RECENT_VER "unknown"
-#endif /* RECENT_VER */
-
-#ifndef IPT_RECENT_NAME_LEN
-#define IPT_RECENT_NAME_LEN 200
-#endif /* IPT_RECENT_NAME_LEN */
+#include <xtables.h>
+#include <linux/netfilter/xt_recent.h>
/* Options for this module */
static const struct option recent_opts[] = {
- { .name = "set", .has_arg = 0, .val = 201 },
- { .name = "rcheck", .has_arg = 0, .val = 202 },
+ { .name = "set", .has_arg = 0, .val = 201 },
+ { .name = "rcheck", .has_arg = 0, .val = 202 },
{ .name = "update", .has_arg = 0, .val = 203 },
- { .name = "seconds", .has_arg = 1, .val = 204 },
+ { .name = "seconds", .has_arg = 1, .val = 204 },
{ .name = "hitcount", .has_arg = 1, .val = 205 },
{ .name = "remove", .has_arg = 0, .val = 206 },
{ .name = "rttl", .has_arg = 0, .val = 207 },
@@ -40,7 +27,7 @@ static const struct option recent_opts[] = {
static void recent_help(void)
{
printf(
-"recent v%s options:\n"
+"\"recent\" match options:\n"
"[!] --set Add source address to list, always matches.\n"
"[!] --rcheck Match if source address in list.\n"
"[!] --update Match if source address in list, also update last-seen time.\n"
@@ -59,23 +46,20 @@ static void recent_help(void)
" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
" --rdest Match/Save the destination address of each packet in the recent list table.\n"
-RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
-,
-IPTABLES_VERSION);
-
+"ipt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
+);
}
-
+
/* Initialize the match. */
static void recent_init(struct xt_entry_match *match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
-
+ struct xt_recent_mtinfo *info = (void *)(match)->data;
- strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
- /* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
+ strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
+ /* even though XT_RECENT_NAME_LEN is currently defined as 200,
* better be safe, than sorry */
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- info->side = IPT_RECENT_SOURCE;
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ info->side = XT_RECENT_SOURCE;
}
/* Function which parses command options; returns true if it
@@ -83,24 +67,25 @@ static void recent_init(struct xt_entry_match *match)
static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
+ struct xt_recent_mtinfo *info = (void *)(*match)->data;
+
switch (c) {
case 201:
if (*flags) exit_error(PARAMETER_PROBLEM,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_SET;
+ info->check_set |= XT_RECENT_SET;
if (invert) info->invert = 1;
*flags = 1;
break;
-
+
case 202:
if (*flags) exit_error(PARAMETER_PROBLEM,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_CHECK;
+ info->check_set |= XT_RECENT_CHECK;
if(invert) info->invert = 1;
*flags = 1;
break;
@@ -110,7 +95,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_UPDATE;
+ info->check_set |= XT_RECENT_UPDATE;
if (invert) info->invert = 1;
*flags = 1;
break;
@@ -120,7 +105,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_REMOVE;
+ info->check_set |= XT_RECENT_REMOVE;
if (invert) info->invert = 1;
*flags = 1;
break;
@@ -134,20 +119,20 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case 207:
- info->check_set |= IPT_RECENT_TTL;
+ info->check_set |= XT_RECENT_TTL;
break;
case 208:
- strncpy(info->name,optarg,IPT_RECENT_NAME_LEN);
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
+ strncpy(info->name,optarg, XT_RECENT_NAME_LEN);
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
break;
case 209:
- info->side = IPT_RECENT_SOURCE;
+ info->side = XT_RECENT_SOURCE;
break;
case 210:
- info->side = IPT_RECENT_DEST;
+ info->side = XT_RECENT_DEST;
break;
default:
@@ -171,50 +156,65 @@ static void recent_check(unsigned int flags)
static void recent_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
if (info->invert)
fputc('!', stdout);
printf("recent: ");
- if(info->check_set & IPT_RECENT_SET) printf("SET ");
- if(info->check_set & IPT_RECENT_CHECK) printf("CHECK ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("SET ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("CHECK ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("UPDATE ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("REMOVE ");
if(info->seconds) printf("seconds: %d ",info->seconds);
if(info->hit_count) printf("hit_count: %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match ");
+ if (info->check_set & XT_RECENT_TTL)
+ printf("TTL-Match ");
if(info->name) printf("name: %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("side: source ");
- if(info->side == IPT_RECENT_DEST) printf("side: dest");
+ if (info->side == XT_RECENT_SOURCE)
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest");
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
static void recent_save(const void *ip, const struct xt_entry_match *match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
if (info->invert)
printf("! ");
- if(info->check_set & IPT_RECENT_SET) printf("--set ");
- if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("--set ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("--rcheck ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("--update ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("--remove ");
if(info->seconds) printf("--seconds %d ",info->seconds);
if(info->hit_count) printf("--hitcount %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
+ if (info->check_set & XT_RECENT_TTL)
+ printf("--rttl ");
if(info->name) printf("--name %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
- if(info->side == IPT_RECENT_DEST) printf("--rdest ");
+ if (info->side == XT_RECENT_SOURCE)
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
}
/* Structure for iptables to use to communicate with module */
-static struct iptables_match recent_match = {
+static struct xtables_match recent_match = {
.name = "recent",
.version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_recent_info)),
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
.help = recent_help,
.init = recent_init,
.parse = recent_parse,
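Review bot: recent_print and recent_save format `seconds` and `hit_count` with `%d`, but both are `u_int32_t` in struct xt_recent_mtinfo, so values above INT_MAX come out negative and the text written by recent_save may not load back as the same rule; `%u` matches the type, e.g. `printf("--seconds %u ", info->seconds);`. The `if(info->name)` test in both functions is always true because `name` is an array member, so `if (info->name[0] != '\0')` is presumably what was intended. recent_save also writes the name unquoted after `--name`, which deserves quoting or at least a comment if list names can contain whitespace.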
@@ -227,5 +227,5 @@ static struct iptables_match recent_match = {
void _init(void);
void _init(void)
{
- register_match(&recent_match);
+ xtables_register_match(&recent_match);
}
diff --git a/extensions/libipt_recent.man b/extensions/libxt_recent.man
similarity index 99%
rename from extensions/libipt_recent.man
rename to extensions/libxt_recent.man
index bf5d710..25be677 100644
--- a/extensions/libipt_recent.man
+++ b/extensions/libxt_recent.man
@@ -60,7 +60,7 @@ Examples:
Official website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-/proc/net/ipt_recent/* are the current lists of addresses and information
+/proc/net/ipt_recent/* are the current lists of addresses and information
about each entry of each list.
Each file in /proc/net/ipt_recent/ can be read from to see the current list
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 0000000..5cfeb81
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
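Review bot: The new header uses `u_int32_t` and `u_int8_t` but includes nothing that defines them, so it only compiles when the includer has already pulled in the right system header; adding that include here (or using the `__u32`/`__u8` types from `<linux/types.h>`) would make it self-contained. The single anonymous enum mixes three unrelated things: bit flags for `check_set`, the two values of `side`, and the array length. A short comment above each group, such as `/* bits for check_set */`, would keep them from being combined by mistake. Since this struct appears to be the layout shared with the kernel module, a comment saying the fields must not be reordered or resized would also help.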
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
deleted file mode 100644
index 6508a45..0000000
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
-
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
-
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
-
-#define IPT_RECENT_NAME_LEN 200
-
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
-};
-
-#endif /*_IPT_RECENT_H*/
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 12/24] Add IPv6 support to libxt_recent
From: Jan Engelhardt @ 2008-03-04 16:02 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 77ce39a4d9fd84a921dda2eca7391038dded2929
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 01:13:31 2008 +0100
Add IPv6 support to libxt_recent
---
extensions/libxt_recent.c | 17 +++++
extensions/libxt_recent.man | 119 +++++++++++++++++------------------
2 files changed, 76 insertions(+), 60 deletions(-)
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 5b26015..5b0112f 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -224,8 +224,25 @@ static struct xtables_match recent_match = {
.extra_opts = recent_opts,
};
+static struct xtables_match recent_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
void _init(void);
void _init(void)
{
xtables_register_match(&recent_match);
+ xtables_register_match(&recent_mt6_reg);
}
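Review bot: `recent_mt6_reg` is a field-for-field copy of `recent_match` with only `.family` changed, yet it lists `.version` before `.name`, sets `.revision = 0` explicitly and uses a different naming scheme, which makes the two registrations look more different than they are. Keeping the same field order in both and adding a comment such as `/* IPv6 registration: same revision-0 struct xt_recent_mtinfo, only .family differs */` would make that plain. The initializer of `recent_match` begins outside this hunk, so the comparison rests on the fields visible in the previous patch.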
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 25be677..f0dc3f4 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -1,93 +1,92 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
+Allows you to dynamically create a list of IP addresses and then match against
+that list in a few different ways.
+.PP
+For example, you can create a "badguy" list out of people attempting to connect
+to port 139 on your firewall and then DROP all future packets from them without
+considering them.
.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
+\fB--name\fR \fIname\fR
+Specify the list to use for the commands. If no name is given then
+\fBDEFAULT\fR will be used.
.TP
[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
+This will add the source address of the packet to the list. If the source
+address is already in the list, this will update the existing entry. This will
+always return success (or failure if \fB!\fR is passed in).
.TP
[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
+Check if the source address of the packet is currently in the list.
.TP
[\fB!\fR] \fB--update\fR
Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
+Check if the source address of the packet is currently in the list and if so
+that address will be removed from the list and the rule will return true. If
+the address is not found, false is returned.
.TP
[\fB!\fR] \fB--seconds \fIseconds\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and was seen within the last given number of seconds.
.TP
[\fB!\fR] \fB--hitcount \fIhits\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and packets had been received greater than or equal to
+the given value. This option may be used along with \fB--seconds\fR to create
+an even narrower match requiring a certain number of hits within a specific
+time frame.
.TP
\fB--rttl\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and the TTL of the current packet matches that of the
+packet which hit the \fB--set\fR rule. This may be useful if you have problems
+with people faking their source address in order to DoS you via this module by
+disallowing others access to your site by sending bogus packets to you.
+.PP
Examples:
.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
+iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+.IP
+iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.PP
+Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
+.PP
+\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information
about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
+.PP
+Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current
+list or written two using the following commands to modify the list:
.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
+\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to add \fIaddr\fR to the DEFAULT list
.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
+\fBecho -\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to remove \fIaddr\fR from the DEFAULT list
.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
+\fBecho / >/proc/net/xt_recent/DEFAULT\fR
+to flush the DEFAULT list (remove all entries).
+.PP
The module itself accepts parameters, defaults shown:
.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
+\fBip_list_tot\fR=\fI100\fR
+Number of addresses remembered per table.
+.TP
+\fBip_pkt_list_tot\fR=\fI20\fR
+Number of packets per address remembered.
.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
+\fBip_list_hash_size\fR=\fI0\fR
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+\fBip_list_perms\fR=\fI0644\fR
+Permissions for /proc/net/xt_recent/* files.
.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
+\fBip_list_uid\fR=\fI0\fR
+Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
+\fBip_list_gid\fR=\fI0\fR
+Numerical GID for ownership of /proc/net/xt_recent/* files.
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 13/24] Add all necessary header files - compilation fix for various cases
From: Jan Engelhardt @ 2008-03-04 16:02 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 08d78242d410bf83d18618b589f78880bb3aa83d
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 01:23:01 2008 +0100
Add all necessary header files - compilation fix for various cases
Allow iptables to compile without a kernel source tree. This
implies fixing build for older kernels, such as 2.6.17 which
lack xt_SECMARK.h.
---
configure.ac | 10 +-
include/linux/compiler.h | 179 +++++++++++++++++++++
include/linux/netfilter.h | 2 +
include/linux/netfilter/xt_SECMARK.h | 26 +++
include/linux/netfilter_ipv4/ipt_DSCP.h | 18 ++
include/linux/netfilter_ipv4/ipt_LOG.h | 18 ++
include/linux/netfilter_ipv4/ipt_REJECT.h | 20 +++
include/linux/netfilter_ipv4/ipt_TOS.h | 12 ++
include/linux/netfilter_ipv4/ipt_dscp.h | 21 +++
include/linux/netfilter_ipv4/ipt_owner.h | 20 +++
include/linux/netfilter_ipv4/ipt_tos.h | 13 ++
include/linux/netfilter_ipv6/ip6t_LOG.h | 18 ++
12 files changed, 354 insertions(+), 3 deletions(-)
create mode 100644 include/linux/compiler.h
create mode 100644 include/linux/netfilter/xt_SECMARK.h
create mode 100644 include/linux/netfilter_ipv4/ipt_DSCP.h
create mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h
create mode 100644 include/linux/netfilter_ipv4/ipt_REJECT.h
create mode 100644 include/linux/netfilter_ipv4/ipt_TOS.h
create mode 100644 include/linux/netfilter_ipv4/ipt_dscp.h
create mode 100644 include/linux/netfilter_ipv4/ipt_owner.h
create mode 100644 include/linux/netfilter_ipv4/ipt_tos.h
create mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h
diff --git a/configure.ac b/configure.ac
index 79775ad..4c18cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,8 +8,6 @@ AM_PROG_CC_C_O
AC_DISABLE_STATIC
AC_PROG_LIBTOOL
-kbuilddir="/lib/modules/$(uname -r)/build";
-ksourcedir="/lib/modules/$(uname -r)/source";
AC_ARG_WITH([kernel],
AS_HELP_STRING([--with-kernel=PATH],
[Path to kernel source/build directory]),
@@ -41,7 +39,13 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
+kinclude_CFLAGS="";
+if [[ -n "$kbuilddir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
+fi;
+if [[ -n "$ksourcedir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
+fi;
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
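Review bot: The rebuilt `kinclude_CFLAGS` drops the escaped quotes that the removed line had around the include paths, so a `--with-kernel` or `--with-ksource` path containing a space is now split into separate compiler arguments. Keeping the quoting in the appended text, `kinclude_CFLAGS="$kinclude_CFLAGS -I\"$kbuilddir/include\"";` and likewise for `$ksourcedir`, preserves the old behaviour. The conditions could also be written `test -n "$kbuilddir"` so they do not depend on m4 reducing `[[ ... ]]` to `[ ... ]`.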
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
new file mode 100644
index 0000000..d0e17e1
--- /dev/null
+++ b/include/linux/compiler.h
@@ -0,0 +1,179 @@
+#ifndef __LINUX_COMPILER_H
+#define __LINUX_COMPILER_H
+
+#ifndef __ASSEMBLY__
+
+#ifdef __CHECKER__
+# define __user __attribute__((noderef, address_space(1)))
+# define __kernel /* default address space */
+# define __safe __attribute__((safe))
+# define __force __attribute__((force))
+# define __nocast __attribute__((nocast))
+# define __iomem __attribute__((noderef, address_space(2)))
+# define __acquires(x) __attribute__((context(x,0,1)))
+# define __releases(x) __attribute__((context(x,1,0)))
+# define __acquire(x) __context__(x,1)
+# define __release(x) __context__(x,-1)
+# define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
+extern void __chk_user_ptr(const volatile void __user *);
+extern void __chk_io_ptr(const volatile void __iomem *);
+#else
+# define __user
+# define __kernel
+# define __safe
+# define __force
+# define __nocast
+# define __iomem
+# define __chk_user_ptr(x) (void)0
+# define __chk_io_ptr(x) (void)0
+# define __builtin_warning(x, y...) (1)
+# define __acquires(x)
+# define __releases(x)
+# define __acquire(x) (void)0
+# define __release(x) (void)0
+# define __cond_lock(x,c) (c)
+#endif
+
+#ifdef __KERNEL__
+
+#if __GNUC__ >= 4
+# include <linux/compiler-gcc4.h>
+#elif __GNUC__ == 3 && __GNUC_MINOR__ >= 2
+# include <linux/compiler-gcc3.h>
+#else
+# error Sorry, your compiler is too old/not recognized.
+#endif
+
+/* Intel compiler defines __GNUC__. So we will overwrite implementations
+ * coming from above header files here
+ */
+#ifdef __INTEL_COMPILER
+# include <linux/compiler-intel.h>
+#endif
+
+/*
+ * Generic compiler-dependent macros required for kernel
+ * build go below this comment. Actual compiler/compiler version
+ * specific implementations come from the above header files
+ */
+
+#define likely(x) __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
+/* Optimization barrier */
+#ifndef barrier
+# define barrier() __memory_barrier()
+#endif
+
+#ifndef RELOC_HIDE
+# define RELOC_HIDE(ptr, off) \
+ ({ unsigned long __ptr; \
+ __ptr = (unsigned long) (ptr); \
+ (typeof(ptr)) (__ptr + (off)); })
+#endif
+
+#endif /* __KERNEL__ */
+
+#endif /* __ASSEMBLY__ */
+
+#ifdef __KERNEL__
+/*
+ * Allow us to mark functions as 'deprecated' and have gcc emit a nice
+ * warning for each use, in hopes of speeding the functions removal.
+ * Usage is:
+ * int __deprecated foo(void)
+ */
+#ifndef __deprecated
+# define __deprecated /* unimplemented */
+#endif
+
+#ifdef MODULE
+#define __deprecated_for_modules __deprecated
+#else
+#define __deprecated_for_modules
+#endif
+
+#ifndef __must_check
+#define __must_check
+#endif
+
+#ifndef CONFIG_ENABLE_MUST_CHECK
+#undef __must_check
+#define __must_check
+#endif
+#ifndef CONFIG_ENABLE_WARN_DEPRECATED
+#undef __deprecated
+#undef __deprecated_for_modules
+#define __deprecated
+#define __deprecated_for_modules
+#endif
+
+/*
+ * Allow us to avoid 'defined but not used' warnings on functions and data,
+ * as well as force them to be emitted to the assembly file.
+ *
+ * As of gcc 3.4, static functions that are not marked with attribute((used))
+ * may be elided from the assembly file. As of gcc 3.4, static data not so
+ * marked will not be elided, but this may change in a future gcc version.
+ *
+ * NOTE: Because distributions shipped with a backported unit-at-a-time
+ * compiler in gcc 3.3, we must define __used to be __attribute__((used))
+ * for gcc >=3.3 instead of 3.4.
+ *
+ * In prior versions of gcc, such functions and data would be emitted, but
+ * would be warned about except with attribute((unused)).
+ *
+ * Mark functions that are referenced only in inline assembly as __used so
+ * the code is emitted even though it appears to be unreferenced.
+ */
+#ifndef __used
+# define __used /* unimplemented */
+#endif
+
+#ifndef __maybe_unused
+# define __maybe_unused /* unimplemented */
+#endif
+
+#ifndef noinline
+#define noinline
+#endif
+
+#ifndef __always_inline
+#define __always_inline inline
+#endif
+
+#endif /* __KERNEL__ */
+
+/*
+ * From the GCC manual:
+ *
+ * Many functions do not examine any values except their arguments,
+ * and have no effects except the return value. Basically this is
+ * just slightly more strict class than the `pure' attribute above,
+ * since function is not allowed to read global memory.
+ *
+ * Note that a function that has pointer arguments and examines the
+ * data pointed to must _not_ be declared `const'. Likewise, a
+ * function that calls a non-`const' function usually must not be
+ * `const'. It does not make sense for a `const' function to return
+ * `void'.
+ */
+#ifndef __attribute_const__
+# define __attribute_const__ /* unimplemented */
+#endif
+
+/*
+ * Tell gcc if a function is cold. The compiler will assume any path
+ * directly leading to the call is unlikely.
+ */
+
+#ifndef __cold
+#define __cold
+#endif
+
+/* Simple shorthand for a section definition */
+#ifndef __section
+# define __section(S) __attribute__ ((__section__(#S)))
+#endif
+
+#endif /* __LINUX_COMPILER_H */
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3c5b889..0d1ba11 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -1,6 +1,8 @@
#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H
+#include <linux/compiler.h>
+
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 0000000..c53fbff
--- /dev/null
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SELCTX_MAX 256
+
+struct xt_secmark_target_selinux_info {
+ u_int32_t selsid;
+ char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+ u_int8_t mode;
+ union {
+ struct xt_secmark_target_selinux_info sel;
+ } u;
+};
+
+#endif /*_XT_SECMARK_H_target */
diff --git a/include/linux/netfilter_ipv4/ipt_DSCP.h b/include/linux/netfilter_ipv4/ipt_DSCP.h
new file mode 100644
index 0000000..3491e52
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_DSCP.h
@@ -0,0 +1,18 @@
+/* iptables module for setting the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+*/
+#ifndef _IPT_DSCP_TARGET_H
+#define _IPT_DSCP_TARGET_H
+#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+#define ipt_DSCP_info xt_DSCP_info
+
+#endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 0000000..90fa652
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IPT_LOG_H
+#define _IPT_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IPT_LOG_IPOPT 0x04 /* Log IP options */
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define IPT_LOG_MASK 0x1f
+
+struct ipt_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 0000000..4293a1a
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_REJECT_H
+#define _IPT_REJECT_H
+
+enum ipt_reject_with {
+ IPT_ICMP_NET_UNREACHABLE,
+ IPT_ICMP_HOST_UNREACHABLE,
+ IPT_ICMP_PROT_UNREACHABLE,
+ IPT_ICMP_PORT_UNREACHABLE,
+ IPT_ICMP_ECHOREPLY,
+ IPT_ICMP_NET_PROHIBITED,
+ IPT_ICMP_HOST_PROHIBITED,
+ IPT_TCP_RESET,
+ IPT_ICMP_ADMIN_PROHIBITED
+};
+
+struct ipt_reject_info {
+ enum ipt_reject_with with; /* reject type */
+};
+
+#endif /*_IPT_REJECT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
new file mode 100644
index 0000000..6bf9e1f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_TOS.h
@@ -0,0 +1,12 @@
+#ifndef _IPT_TOS_H_target
+#define _IPT_TOS_H_target
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+struct ipt_tos_target_info {
+ u_int8_t tos;
+};
+
+#endif /*_IPT_TOS_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_dscp.h b/include/linux/netfilter_ipv4/ipt_dscp.h
new file mode 100644
index 0000000..4b82ca9
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_dscp.h
@@ -0,0 +1,21 @@
+/* iptables module for matching the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _IPT_DSCP_H
+#define _IPT_DSCP_H
+
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_DSCP_MASK XT_DSCP_MASK
+#define IPT_DSCP_SHIFT XT_DSCP_SHIFT
+#define IPT_DSCP_MAX XT_DSCP_MAX
+
+#define ipt_dscp_info xt_dscp_info
+
+#endif /* _IPT_DSCP_H */
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
new file mode 100644
index 0000000..92f4bda
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_owner.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_OWNER_H
+#define _IPT_OWNER_H
+
+/* match and invert flags */
+#define IPT_OWNER_UID 0x01
+#define IPT_OWNER_GID 0x02
+#define IPT_OWNER_PID 0x04
+#define IPT_OWNER_SID 0x08
+#define IPT_OWNER_COMM 0x10
+
+struct ipt_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h
new file mode 100644
index 0000000..a21f5df
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_tos.h
@@ -0,0 +1,13 @@
+#ifndef _IPT_TOS_H
+#define _IPT_TOS_H
+
+struct ipt_tos_info {
+ u_int8_t tos;
+ u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+#endif /*_IPT_TOS_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
new file mode 100644
index 0000000..0d0119b
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IP6T_LOG_H
+#define _IP6T_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
+#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
+#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
+#define IP6T_LOG_MASK 0x1f
+
+struct ip6t_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 14/24] Update package name (Xtables) and documentation
From: Jan Engelhardt @ 2008-03-04 16:04 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit a4611e2d805be5d75fa2224a838f70fb14410cb9
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 14:11:14 2008 +0100
Update package name (Xtables) and documentation
---
INSTALL | 90 +++++++++++++++++++++++++++++++-------------------
configure.ac | 6 ++--
2 files changed, 59 insertions(+), 37 deletions(-)
diff --git a/INSTALL b/INSTALL
index a41e0cc..7b4cb9b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,52 +1,74 @@
-FOLLOW THESE STEPS:
+Installation instructions for Xtables
+=====================================
-0) There may be some outstanding bugfixes or tweaks which are not yet
- in the official kernel. Those are now (as of iptables-1.2.7) kept
- in a seperate package, called patch-o-matic. It is available from
- ftp://ftp.netfilter.org/pub/patch-o-matic/
+Xtables uses the well-known configure(autotools) infrastructure.
-1) Next, make the package. If you use a standard distribution kernel,
- just run ./configure.
+ $ ./configure
+ $ make
+ # make install
- If you want to build against an own kernel tree:
- $ ./configure --with-kernel=/home/jengelh/mykernel
+Prerequisites
+=============
- or whereever you put it. If you are using a dedicated kernel build
- directory, you use:
+ * no other packages required
+ (well, you obviously need the basics like a compiler)
- $ ./configure --with-kbuild=<<where-built>> --with-ksource=<<source>>
-2) Finally, you need to install the binaries and shared libraries:
+Configuring and compiling
+=========================
- # make install
+./configure [options]
-That's it!
-================================================================
-PROBLEMS YOU MAY ENCOUNTER:
+--prefix=
-1) This package requires a 2.4.4 kernel, or above.
+ The prefix to put all installed files under. It defaults to
+ /usr/local, so the binaries will go into /usr/local/bin, sbin,
+ manpages into /usr/local/share/man, etc.
-2) If you get the kernel directory wrong, you may get compile failures.
+--xtlibdir=
-3) If you want to specify alternate directories for installation
-(instead of /usr/local/ bin lib man), do this:
+ The path to where Xtables extensions should be installed to. It
+ defaults to ${prefix}/libexec/xtables.
- $ ./configure --prefix=/usr
- $ make
- # make install
+--enable-devel
+
+ This causes development files to be installed to
+ ${prefix}/include. (By default, no headers and libraries are
+ installed.)
+
+ This is needed for building additional packages,
+ such as Xtables-addons or other 3rd-party extensions.
+
+--enable-static
+
+ Enable building single standalone multipurpose binaries,
+ (iptables-static and ip6tables-static), which contain every
+ extension compiled-in (and does not support additional
+ extensions).
+
+--with-ksource=
+
+ Xtables does not depend on kernel headers anymore, but you can
+ optionally specify a search path to include anyway. This is
+ probably only useful for development.
+
+If you want to enable debugging, use
+
+ ./configure CFLAGS="-ggdb3 -O0"
-4) The make process will automatically build a multipurpose binary under the
- names iptables-multi and ip6tables-multi.
+(-O0 is used to turn off instruction reordering, which makes debugging
+much easier.)
-5) If you want to build a statically linked version of the iptables binary,
- without the need for loading the plugins at runtime (e.g. for an embedded
- device or router-on-a-disk), please use
- $ ./configure --enable-static
+Other notes
+===========
- which will build both a semi-static multi binary (iptables-mtss, uses
- libc but not plugins) and a fully static multi binary (iptables-static).
+The make process will automatically build multipurpose binaries.
+These have the core (iptables), -save, -restore and -xml code
+compiled into one binary, but extensions remain as modules.
-6) If you want to install libipq (old interface), add --enable-devel to
- ./configure.
+If you want to build a statically linked version of the iptables binary,
+without the need for loading the plugins at runtime (e.g. for an
+embedded device or router-on-a-disk), you can use the --enable-static
+configure flag.
diff --git a/configure.ac b/configure.ac
index 4c18cb0..261356f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,12 +22,12 @@ AC_ARG_WITH([ksource],
[ksourcedir="$withval"])
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
- [Path to iptables modules [[LIBEXECDIR/iptables]]]),
+ [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
[xtlibdir="$withval"],
- [xtlibdir="${libexecdir}/iptables"])
+ [xtlibdir="${libexecdir}/xtables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
- [Build and install development files (libipq, libipq-devel, iptables-devel)]))
+ [Build and install development files (libipq, libipq-devel, xtables-devel)]))
AC_CHECK_HEADER([netinet/ip6.h], [], [AC_MSG_ERROR(but we need that for IPv6)])
AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" == "yes"])
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 15/24] configure: split --enable-libipq from --enable-devel
From: Jan Engelhardt @ 2008-03-04 16:04 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 5fbe0ae09d30f8e32f3631b8c615200bbec89174
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 15:01:03 2008 +0100
configure: split --enable-libipq from --enable-devel
---
Makefile.am | 2 +-
configure.ac | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 5240635..811eb62 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,7 @@ regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
-if ENABLE_DEVEL
+if ENABLE_LIBIPQ
SUBDIRS += libipq
endif
diff --git a/configure.ac b/configure.ac
index 261356f..4025e0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,13 +26,16 @@ AC_ARG_WITH([xtlibdir],
[xtlibdir="$withval"],
[xtlibdir="${libexecdir}/xtables"])
AC_ARG_ENABLE([devel],
- AS_HELP_STRING([--enable-devel],
- [Build and install development files (libipq, libipq-devel, xtables-devel)]))
+ AS_HELP_STRING([--enable-devel], [Install Xtables headers]),
+ [enable_devel="$enableval"], [enable_devel="yes"])
+AC_ARG_ENABLE([libipq],
+ AS_HELP_STRING([--enable-libipq], [Build and install libipq]))
AC_CHECK_HEADER([netinet/ip6.h], [], [AC_MSG_ERROR(but we need that for IPv6)])
AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" == "yes"])
AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" == "yes"])
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
+AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
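Review bot: The added `AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])` uses `==`, which POSIX `test` does not define; under a /bin/sh such as dash the test errors out and the conditional evaluates false, so `--enable-libipq` would be silently ignored. Prefer `[test "$enable_libipq" = "yes"]`; the neighbouring ENABLE_STATIC/ENABLE_SHARED/ENABLE_DEVEL context lines have the same form and would need a separate change. Separately, the new fourth argument makes `enable_devel` default to `yes`, so the help string should document the non-default switch, e.g. `AS_HELP_STRING([--disable-devel], [Do not install Xtables headers])`, and the INSTALL text from the previous patch ("By default, no headers and libraries are installed") no longer holds.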
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 16/24] Install libiptc header files because xtables.h depends on it
From: Jan Engelhardt @ 2008-03-04 16:06 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
BTW, having xtables.h in /usr/include allows to build extensions (think
POM or Xtables-addons) without having to patch iptables/xtables itself,
IMHO a really good thing.
===
commit 077ad64c9f3de90b94fb44964377cca77dc60400
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 15:48:51 2008 +0100
Install libiptc header files because xtables.h depends on it
---
Makefile.am | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 811eb62..80ef3a0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -75,6 +75,9 @@ man_MANS := iptables.8 iptables-restore.8 iptables-save.8 \
CLEANFILES := iptables.8 ip6tables.8
if ENABLE_DEVEL
include_HEADERS := include/xtables.h include/iptables.h include/ip6tables.h
+iptcdir := ${includedir}/libiptc
+iptc_HEADERS := include/libiptc/libxtc.h \
+ include/libiptc/ipt_kernel_headers.h
endif
if ENABLE_STATIC
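Review bot: The two files listed in `iptc_HEADERS` should be checked against everything the installed `include_HEADERS` actually `#include`; if `iptables.h` or `ip6tables.h` pull in further files from `include/libiptc/` (not visible in this hunk), an out-of-tree extension built against `${includedir}` would still fail to compile. A short comment above the list would record the intent and keep it maintained, e.g. `# libiptc headers included by xtables.h/iptables.h/ip6tables.h; keep in sync`.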
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 17/24] Remove support for compilation of conditional extensions
From: Jan Engelhardt @ 2008-03-04 16:10 UTC (permalink / raw)
To: Patrick McHardy
Cc: Netfilter Developer Mailing List, Jozsef Kadlecsik,
Massimiliano Hofer
This has previously come up on the mailing list; I henceforth decided to
nuke it.
Jozsef, Massimiliano: Feel free to either (a) get xt_condition and
xt_ipset into the kernel, after which they can be re-added to xtables, or (b) get
xt_condition and xt_ipset into xtables-addons.
===
commit 8de1f0ca5175d07ea467462814c61c5519903c90
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Feb 13 21:35:59 2008 +0100
Remove support for compilation of conditional extensions
---
extensions/.condition-test | 4 -
extensions/.condition-test6 | 4 -
extensions/.set-test | 4 -
extensions/GNUmakefile.in | 27 +----
extensions/libip6t_condition.c | 94 ----------------
extensions/libip6t_condition.man | 4 -
extensions/libipt_SET.c | 175 ------------------------------
extensions/libipt_SET.man | 16 ---
extensions/libipt_condition.c | 93 ----------------
extensions/libipt_condition.man | 4 -
extensions/libipt_set.c | 162 ---------------------------
extensions/libipt_set.h | 104 ------------------
extensions/libipt_set.man | 17 ---
13 files changed, 3 insertions(+), 705 deletions(-)
delete mode 100755 extensions/.condition-test
delete mode 100755 extensions/.condition-test6
delete mode 100755 extensions/.set-test
delete mode 100644 extensions/libip6t_condition.c
delete mode 100644 extensions/libip6t_condition.man
delete mode 100644 extensions/libipt_SET.c
delete mode 100644 extensions/libipt_SET.man
delete mode 100644 extensions/libipt_condition.c
delete mode 100644 extensions/libipt_condition.man
delete mode 100644 extensions/libipt_set.c
delete mode 100644 extensions/libipt_set.h
delete mode 100644 extensions/libipt_set.man
diff --git a/extensions/.condition-test b/extensions/.condition-test
deleted file mode 100755
index 2470a18..0000000
--- a/extensions/.condition-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.condition-test6 b/extensions/.condition-test6
deleted file mode 100755
index 15a0f04..0000000
--- a/extensions/.condition-test6
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.set-test b/extensions/.set-test
deleted file mode 100755
index 754abfd..0000000
--- a/extensions/.set-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#! /bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h" ] && \
-echo "set SET";
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index b7edce4..1282a33 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -32,30 +32,9 @@ endif
#
# Wildcard module list
#
-pfx_all_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
-pf4_all_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
-pf6_all_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
-
-#
-# Conditional module list
-#
-pfx_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf4_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf6_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-
-#
-# Conditional modules to build
-#
-pfx_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf4_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf6_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-
-#
-# Total list of modules to build
-#
-pfx_build_mod := $(filter-out ${pfx_cond_mod},${pfx_all_mod}) ${pfx_bc_mod}
-pf4_build_mod := $(filter-out ${pf4_cond_mod},${pf4_all_mod}) ${pf4_bc_mod}
-pf6_build_mod := $(filter-out ${pf6_cond_mod},${pf6_all_mod}) ${pf6_bc_mod}
+pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
+pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
+pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
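Review bot: With the conditional lists gone, `pfx_build_mod`, `pf4_build_mod` and `pf6_build_mod` take every `lib*_*.c` that `$(wildcard)` finds in `${srcdir}`, so a stale or untracked source left in the tree (for example one of the files this commit deletes, surviving in an unclean checkout) is compiled and installed as a loadable extension with no opt-out. The retained `# Wildcard module list` heading should say so, e.g. `# Module list: every libxt_*/libipt_*/libip6t_* source in ${srcdir} is built unconditionally`. Dropping the `$(shell KERNEL_DIR=… ${i})` calls also means make no longer executes hidden dot-files from the source directory, which is worth recording in the commit message as a deliberate effect.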
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
deleted file mode 100644
index 56793b2..0000000
--- a/extensions/libip6t_condition.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* Shared library add-on to ip6tables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
-
-static void condition_help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int
-condition_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct ip6tables_match condition_match6 = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
- .help = condition_help,
- .parse = condition_parse,
- .final_check = condition_check,
- .print = condition_print,
- .save = condition_save,
- .extra_opts = condition_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match6(&condition_match6);
-}
diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man
deleted file mode 100644
index e0bba75..0000000
--- a/extensions/libip6t_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
deleted file mode 100644
index 91ab488..0000000
--- a/extensions/libipt_SET.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set mangling target. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void SET_help(void)
-{
- printf("SET v%s options:\n"
- " --add-set name flags\n"
- " --del-set name flags\n"
- " add/del src/dst IP/port from/to named sets,\n"
- " where flags are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static const struct option SET_opts[] = {
- {"add-set", 1, 0, '1'},
- {"del-set", 1, 0, '2'},
- {0}
-};
-
-/* Initialize the target. */
-static void SET_init(struct xt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- memset(info, 0, sizeof(struct ipt_set_info_target));
- info->add_set.index =
- info->del_set.index = IP_SET_INVALID_ID;
-
-}
-
-static void
-parse_target(char **argv, int invert, unsigned int *flags,
- struct ipt_set_info *info, const char *what)
-{
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--%s can be specified only once", what);
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--%s requires two args.", what);
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- optind++;
-
- *flags = 1;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int SET_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
-{
- struct ipt_set_info_target *myinfo =
- (struct ipt_set_info_target *) (*target)->data;
-
- switch (c) {
- case '1': /* --add-set <set> <flags> */
- parse_target(argv, invert, flags,
- &myinfo->add_set, "add-set");
- break;
- case '2': /* --del-set <set>[:<flags>] <flags> */
- parse_target(argv, invert, flags,
- &myinfo->del_set, "del-set");
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must specify at least one. */
-static void SET_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify either `--add-set' or `--del-set'");
-}
-
-static void
-print_target(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- if (info->index == IP_SET_INVALID_ID)
- return;
- get_set_byid(setname, info->index);
- printf("%s %s", prefix, setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the targinfo. */
-static void SET_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("add-set", &info->add_set);
- print_target("del-set", &info->del_set);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void SET_save(const void *ip, const struct xt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("--add-set", &info->add_set);
- print_target("--del-set", &info->del_set);
-}
-
-static struct iptables_target set_target = {
- .name = "SET",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .help = SET_help,
- .init = SET_init,
- .parse = SET_parse,
- .final_check = SET_check,
- .print = SET_print,
- .save = SET_save,
- .extra_opts = SET_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_target(&set_target);
-}
diff --git a/extensions/libipt_SET.man b/extensions/libipt_SET.man
deleted file mode 100644
index 8f25bea..0000000
--- a/extensions/libipt_SET.man
+++ /dev/null
@@ -1,16 +0,0 @@
-This modules adds and/or deletes entries from IP sets which can be defined
-by ipset(8).
-.TP
-.BR "--add-set " "setname flag[,flag...]"
-add the address(es)/port(s) of the packet to the sets
-.TP
-.BR "--del-set " "setname flag[,flag...]"
-delete the address(es)/port(s) of the packet from the sets,
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them.
-.TP
-The bindings to follow must previously be defined in order to use
-multilevel adding/deleting by the SET target.
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
deleted file mode 100644
index 5bd1c44..0000000
--- a/extensions/libipt_condition.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* Shared library add-on to iptables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
-
-static void condition_help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct condition_info *info =
- (struct condition_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct iptables_match condition_match = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct condition_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct condition_info)),
- .help = condition_help,
- .parse = condition_parse,
- .final_check = condition_check,
- .print = condition_print,
- .save = condition_save,
- .extra_opts = condition_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match(&condition_match);
-}
diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man
deleted file mode 100644
index ce2aa95..0000000
--- a/extensions/libipt_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
diff --git a/extensions/libipt_set.c b/extensions/libipt_set.c
deleted file mode 100644
index 78a02b5..0000000
--- a/extensions/libipt_set.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set matching. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void set_help(void)
-{
- printf("set v%s options:\n"
- " [!] --set name flags\n"
- " 'name' is the set name from to match,\n"
- " 'flags' are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static const struct option set_opts[] = {
- {"set", 1, 0, '1'},
- {0}
-};
-
-/* Initialize the match. */
-static void set_init(struct xt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
-
- memset(info, 0, sizeof(struct ipt_set_info_match));
-
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int set_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_set_info_match *myinfo =
- (struct ipt_set_info_match *) (*match)->data;
- struct ipt_set_info *info = &myinfo->match_set;
-
- switch (c) {
- case '1': /* --set <set> <flag>[,<flag> */
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--set can be specified only once");
-
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags[0] |= IPSET_MATCH_INV;
-
- if (!argv[optind]
- || argv[optind][0] == '-'
- || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--set requires two args.");
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- DEBUGP("parse: set index %u\n", info->index);
- optind++;
-
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --set. */
-static void set_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify `--set' with proper arguments");
- DEBUGP("final check OK\n");
-}
-
-static void
-print_match(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- get_set_byid(setname, info->index);
- printf("%s%s %s",
- (info->flags[0] & IPSET_MATCH_INV) ? "! " : "",
- prefix,
- setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void set_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("set", &info->match_set);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void set_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("--set", &info->match_set);
-}
-
-static struct iptables_match set_match = {
- .name = "set",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .help = set_help,
- .init = set_init,
- .parse = set_parse,
- .final_check = set_check,
- .print = set_print,
- .save = set_save,
- .extra_opts = set_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match(&set_match);
-}
diff --git a/extensions/libipt_set.h b/extensions/libipt_set.h
deleted file mode 100644
index 02de0fa..0000000
--- a/extensions/libipt_set.h
+++ /dev/null
@@ -1,104 +0,0 @@
-#ifndef _LIBIPT_SET_H
-#define _LIBIPT_SET_H
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <errno.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
-static void
-parse_bindings(const char *optarg, struct ipt_set_info *info)
-{
- char *saved = strdup(optarg);
- char *ptr, *tmp = saved;
- int i = 0;
-
- while (i < (IP_SET_MAX_BINDINGS - 1) && tmp != NULL) {
- ptr = strsep(&tmp, ",");
- if (strncmp(ptr, "src", 3) == 0)
- info->flags[i++] |= IPSET_SRC;
- else if (strncmp(ptr, "dst", 3) == 0)
- info->flags[i++] |= IPSET_DST;
- else
- exit_error(PARAMETER_PROBLEM,
- "You must spefify (the comma separated list of) 'src' or 'dst'.");
- }
-
- if (tmp)
- exit_error(PARAMETER_PROBLEM,
- "Can't follow bindings deeper than %i.",
- IP_SET_MAX_BINDINGS - 1);
-
- free(saved);
-}
-
-static int get_set_getsockopt(void *data, socklen_t * size)
-{
- int sockfd = -1;
- sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- exit_error(OTHER_PROBLEM,
- "Can't open socket to ipset.\n");
- /* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-}
-
-static void get_set_byname(const char *setname, struct ipt_set_info *info)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYNAME;
- req.version = IP_SET_PROTOCOL_VERSION;
- strncpy(req.set.name, setname, IP_SET_MAXNAMELEN);
- req.set.name[IP_SET_MAXNAMELEN - 1] = '\0';
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.index == IP_SET_INVALID_ID)
- exit_error(PARAMETER_PROBLEM,
- "Set %s doesn't exist.\n", setname);
-
- info->index = req.set.index;
-}
-
-static void get_set_byid(char * setname, ip_set_id_t index)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYINDEX;
- req.version = IP_SET_PROTOCOL_VERSION;
- req.set.index = index;
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.name[0] == '\0')
- exit_error(PARAMETER_PROBLEM,
- "Set id %i in kernel doesn't exist.\n", index);
-
- strncpy(setname, req.set.name, IP_SET_MAXNAMELEN);
-}
-
-#endif /*_LIBIPT_SET_H*/
diff --git a/extensions/libipt_set.man b/extensions/libipt_set.man
deleted file mode 100644
index d280577..0000000
--- a/extensions/libipt_set.man
+++ /dev/null
@@ -1,17 +0,0 @@
-This modules macthes IP sets which can be defined by ipset(8).
-.TP
-.BR "--set " "setname flag[,flag...]"
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them. Hence the command
-.nf
- iptables -A FORWARD -m set --set test src,dst
-.fi
-will match packets, for which (depending on the type of the set) the source
-address or port number of the packet can be found in the specified set. If
-there is a binding belonging to the mached set element or there is a default
-binding for the given set, then the rule will match the packet only if
-additionally (depending on the type of the set) the destination address or
-port number of the packet can be found in the set according to the binding.
^ permalink raw reply related [flat|nested] 51+ messages in thread* Re: [PATCH 17/24] Remove support for compilation of conditional extensions
From: Massimiliano Hofer @ 2008-03-04 22:29 UTC (permalink / raw)
To: Jan Engelhardt
Cc: Patrick McHardy, Netfilter Developer Mailing List,
Jozsef Kadlecsik
On Tuesday 4 March 2008, Jan Engelhardt wrote:
> This has previously come up on the mailing list; I henceforth decided to
> nuke it.
>
> Jozsef, Massimiliano: Feel free to either (a) get xt_condition and
> xt_ipset into the kernel, then can readd to xtables or (b) get
> xt_condition and xt_ipset into xtables-addons.
OK. I know I've fallen behind with my work lately. I can produce a set of
patches against the current net-2.6 git by next week (give or take a few
days).
As discussed with Patrick, I'll need some API adjustments. If you can accept
them and xt_condition, I'll be happy to comply and support it afterwards.
--
Bye,
Massimiliano Hofer
Nucleus
^ permalink raw reply [flat|nested] 51+ messages in thread* Re: [PATCH 17/24] Remove support for compilation of conditional extensions
From: Jozsef Kadlecsik @ 2008-03-05 9:14 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List
Hi Jan,
On Tue, 4 Mar 2008, Jan Engelhardt wrote:
> Jozsef, Massimiliano: Feel free to either (a) get xt_condition and
> xt_ipset into the kernel, then can readd to xtables or (b) get
> xt_condition and xt_ipset into xtables-addons.
I still do not want stubbornly (i.e. foolishly :-) to submit ipset into the
kernel so option b) remains. But as nfset (ipset-ng) is under the way and
I do like to submit it, so b) will be "transformed" hopefully to a) in a
short time.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* [PATCH 18/24] Combine ipt and ip6t manpages
From: Jan Engelhardt @ 2008-03-04 16:11 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 12c2ea7de631d24821c2c988cc3c55d9aa03aaab
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 03:02:55 2008 +0100
Combine ipt and ip6t manpages
---
extensions/libip6t_TCPMSS.man | 42 -----------
extensions/libip6t_connlimit.man | 27 -------
extensions/libip6t_length.man | 4 -
extensions/libip6t_multiport.man | 20 -----
extensions/libip6t_tcp.man | 45 ------------
extensions/libipt_TRACE.man | 10 ---
extensions/libipt_length.man | 4 -
extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} | 8 ++-
extensions/{libip6t_TRACE.man => libxt_TRACE.man} | 3 +-
.../{libipt_connlimit.man => libxt_connlimit.man} | 0
extensions/libxt_length.man | 5 ++
.../{libipt_multiport.man => libxt_multiport.man} | 0
extensions/{libipt_tcp.man => libxt_tcp.man} | 0
13 files changed, 12 insertions(+), 156 deletions(-)
delete mode 100644 extensions/libip6t_TCPMSS.man
delete mode 100644 extensions/libip6t_connlimit.man
delete mode 100644 extensions/libip6t_length.man
delete mode 100644 extensions/libip6t_multiport.man
delete mode 100644 extensions/libip6t_tcp.man
delete mode 100644 extensions/libipt_TRACE.man
delete mode 100644 extensions/libipt_length.man
rename extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} (77%)
rename extensions/{libip6t_TRACE.man => libxt_TRACE.man} (94%)
rename extensions/{libipt_connlimit.man => libxt_connlimit.man} (100%)
create mode 100644 extensions/libxt_length.man
rename extensions/{libipt_multiport.man => libxt_multiport.man} (100%)
rename extensions/{libipt_tcp.man => libxt_tcp.man} (100%)
diff --git a/extensions/libip6t_TCPMSS.man b/extensions/libip6t_TCPMSS.man
deleted file mode 100644
index b4c357e..0000000
--- a/extensions/libip6t_TCPMSS.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 60). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMPv6 Packet Too Big packets or are unable to send them.
-The symptoms of this problem are that everything works fine from your
-Linux firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 60).
-.TP
-These options are mutually exclusive.
-
diff --git a/extensions/libip6t_connlimit.man b/extensions/libip6t_connlimit.man
deleted file mode 100644
index d1a4447..0000000
--- a/extensions/libip6t_connlimit.man
+++ /dev/null
@@ -1,27 +0,0 @@
-Allows you to restrict the number of parallel connections to a server per
-client IP address (or client address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-Match if the number of existing connections is (not) above \fIn\fR.
-.TP
-\fB--connlimit-mask\fR \fIprefix_length\fR
-Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128.
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-network (24 bit netmask)
-ip6tables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
-(ipv6)
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
-16 --connlimit-mask 64 -j REJECT
diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man
deleted file mode 100644
index d781a04..0000000
--- a/extensions/libip6t_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of the IPv6 payload in octets, or range of it.
-IPv6 header itself isn't counted.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man
deleted file mode 100644
index 6f75a6e..0000000
--- a/extensions/libip6t_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction
-with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
deleted file mode 100644
index 41b89a4..0000000
--- a/extensions/libip6t_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions can be used if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
deleted file mode 100644
index 7fbe8e7..0000000
--- a/extensions/libipt_TRACE.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ipt_LOG module
-is required for the logging.) The packets are logged with the string prefix:
-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
-plain rule, "return" for implicit rule at the end of a user defined chain
-and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man
deleted file mode 100644
index 43bbdcf..0000000
--- a/extensions/libipt_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_TCPMSS.man b/extensions/libxt_TCPMSS.man
similarity index 77%
rename from extensions/libipt_TCPMSS.man
rename to extensions/libxt_TCPMSS.man
index 30668b0..82f93e0 100644
--- a/extensions/libipt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -1,6 +1,7 @@
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
+outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
+Of course, it can only be used
in conjunction with
.BR "-p tcp" .
It is only valid in the
@@ -8,7 +9,8 @@ It is only valid in the
table.
.br
This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
+which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
+packets. The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
packets:
@@ -36,6 +38,6 @@ configuration like:
Explicitly set MSS option to specified value.
.TP
.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
+Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6).
.TP
These options are mutually exclusive.
diff --git a/extensions/libip6t_TRACE.man b/extensions/libxt_TRACE.man
similarity index 94%
rename from extensions/libip6t_TRACE.man
rename to extensions/libxt_TRACE.man
index ca3895a..d28c3a0 100644
--- a/extensions/libip6t_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -1,5 +1,6 @@
This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ip6t_LOG module
+the packets as those traverse the tables, chains, rules. (The ipt_LOG or
+ip6t_LOG module
is required for the logging.) The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
plain rule, "return" for implicit rule at the end of a user defined chain
diff --git a/extensions/libipt_connlimit.man b/extensions/libxt_connlimit.man
similarity index 100%
rename from extensions/libipt_connlimit.man
rename to extensions/libxt_connlimit.man
diff --git a/extensions/libxt_length.man b/extensions/libxt_length.man
new file mode 100644
index 0000000..5a8198b
--- /dev/null
+++ b/extensions/libxt_length.man
@@ -0,0 +1,5 @@
+This module matches the length of the layer-3 payload (e.g. layer-4 packet)
+f a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_multiport.man b/extensions/libxt_multiport.man
similarity index 100%
rename from extensions/libipt_multiport.man
rename to extensions/libxt_multiport.man
diff --git a/extensions/libipt_tcp.man b/extensions/libxt_tcp.man
similarity index 100%
rename from extensions/libipt_tcp.man
rename to extensions/libxt_tcp.man
* [PATCH 19/24] Implement AF_UNSPEC as a wildcard for extensions
From: Jan Engelhardt @ 2008-03-04 16:12 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
This is independent of the AF_UNSPEC patches I sent in for the Linux
kernel.
===
commit def94a790c6c55ce6c96683f2eb60a0c2f99ac87
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 04:23:04 2008 +0100
Implement AF_UNSPEC as a wildcard for extensions
When a match or target is registered using
xtables_register_{match,target}, xtables.c will consider AF_UNSPEC as
a wildcard when specified as the .family member. Rules between
two competing matches/targets are:
- higher revision (if usable in kernel) wins over lower revision
- in case of same revision: generic AF_UNSPEC loses to specific AF_...
---
extensions/libxt_CLASSIFY.c | 17 +---------------
extensions/libxt_MARK.c | 18 +----------------
extensions/libxt_RATEEST.c | 22 ++-----------------
extensions/libxt_SECMARK.c | 18 +----------------
extensions/libxt_TRACE.c | 13 +-----------
extensions/libxt_length.c | 17 +---------------
extensions/libxt_limit.c | 17 +---------------
extensions/libxt_mark.c | 36 +--------------------------------
extensions/libxt_pkttype.c | 17 +---------------
extensions/libxt_quota.c | 16 +--------------
extensions/libxt_rateest.c | 21 ++-----------------
extensions/libxt_standard.c | 13 +-----------
extensions/libxt_statistic.c | 18 +----------------
extensions/libxt_string.c | 19 +-----------------
extensions/libxt_time.c | 17 +---------------
extensions/libxt_u32.c | 17 +---------------
xtables.c | 22 +++++++++++++++-----
17 files changed, 37 insertions(+), 281 deletions(-)
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index ea6cdbe..1bf9494 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -103,21 +103,7 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target classify_target = {
- .family = AF_INET,
- .name = "CLASSIFY",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)),
- .help = CLASSIFY_help,
- .parse = CLASSIFY_parse,
- .final_check = CLASSIFY_final_check,
- .print = CLASSIFY_print,
- .save = CLASSIFY_save,
- .extra_opts = CLASSIFY_opts,
-};
-
-static struct xtables_target classify_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "CLASSIFY",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
@@ -134,5 +120,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&classify_target);
- xtables_register_target(&classify_target6);
}
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 2994e75..4003d26 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -333,22 +333,7 @@ static struct xtables_target mark_tg_reg_v2 = {
.version = IPTABLES_VERSION,
.name = "MARK",
.revision = 2,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
- .help = mark_tg_help,
- .parse = mark_tg_parse,
- .final_check = mark_tg_check,
- .print = mark_tg_print,
- .save = mark_tg_save,
- .extra_opts = mark_tg_opts,
-};
-
-static struct xtables_target mark_tg6_reg_v2 = {
- .version = IPTABLES_VERSION,
- .name = "MARK",
- .revision = 2,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
.help = mark_tg_help,
@@ -366,5 +351,4 @@ void _init(void)
xtables_register_target(&mark_target_v1);
xtables_register_target(&mark_target6_v0);
xtables_register_target(&mark_tg_reg_v2);
- xtables_register_target(&mark_tg6_reg_v2);
}
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index df16581..6918f76 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -203,23 +203,8 @@ RATEEST_save(const void *ip, const struct xt_entry_target *target)
__RATEEST_print(target, "--rateest-");
}
-static struct xtables_target rateest_target4 = {
- .family = AF_INET,
- .name = "RATEEST",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .help = RATEEST_help,
- .init = RATEEST_init,
- .parse = RATEEST_parse,
- .final_check = RATEEST_final_check,
- .print = RATEEST_print,
- .save = RATEEST_save,
- .extra_opts = RATEEST_opts,
-};
-
-static struct xtables_target rateest_target6 = {
- .family = AF_INET6,
+static struct xtables_target rateest_tg_reg = {
+ .family = AF_UNSPEC,
.name = "RATEEST",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
@@ -236,6 +221,5 @@ static struct xtables_target rateest_target6 = {
void _init(void);
void _init(void)
{
- xtables_register_target(&rateest_target4);
- xtables_register_target(&rateest_target6);
+ xtables_register_target(&rateest_tg_reg);
}
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 5dfd21e..d143037 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -100,22 +100,7 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target secmark_target = {
- .family = AF_INET,
- .name = "SECMARK",
- .version = IPTABLES_VERSION,
- .revision = 0,
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = SECMARK_help,
- .parse = SECMARK_parse,
- .final_check = SECMARK_check,
- .print = SECMARK_print,
- .save = SECMARK_save,
- .extra_opts = SECMARK_opts,
-};
-
-static struct xtables_target secmark_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "SECMARK",
.version = IPTABLES_VERSION,
.revision = 0,
@@ -133,5 +118,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&secmark_target);
- xtables_register_target(&secmark_target6);
}
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index f1d2d94..7241f2b 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -24,17 +24,7 @@ static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags,
}
static struct xtables_target trace_target = {
- .family = AF_INET,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
- .help = TRACE_help,
- .parse = TRACE_parse,
-};
-
-static struct xtables_target trace_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "TRACE",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(0),
@@ -47,5 +37,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&trace_target);
- xtables_register_target(&trace_target6);
}
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index 8fb2150..136034c 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -125,21 +125,7 @@ static void length_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match length_match = {
- .family = AF_INET,
- .name = "length",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_length_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_length_info)),
- .help = length_help,
- .parse = length_parse,
- .final_check = length_check,
- .print = length_print,
- .save = length_save,
- .extra_opts = length_opts,
-};
-
-static struct xtables_match length_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "length",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_length_info)),
@@ -156,5 +142,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&length_match);
- xtables_register_match(&length_match6);
}
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index e93388b..da64750 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -165,21 +165,7 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match limit_match = {
- .family = AF_INET,
- .name = "limit",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateinfo)),
- .userspacesize = offsetof(struct xt_rateinfo, prev),
- .help = limit_help,
- .init = limit_init,
- .parse = limit_parse,
- .print = limit_print,
- .save = limit_save,
- .extra_opts = limit_opts,
-};
-
-static struct xtables_match limit_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "limit",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
@@ -196,5 +182,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&limit_match);
- xtables_register_match(&limit_match6);
}
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index 1e07736..e805a2b 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -149,22 +149,7 @@ mark_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match mark_match = {
- .family = AF_INET,
- .name = "mark",
- .revision = 0,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_mark_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
- .help = mark_mt_help,
- .parse = mark_parse,
- .final_check = mark_mt_check,
- .print = mark_print,
- .save = mark_save,
- .extra_opts = mark_mt_opts,
-};
-
-static struct xtables_match mark_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "mark",
.revision = 0,
.version = IPTABLES_VERSION,
@@ -182,22 +167,7 @@ static struct xtables_match mark_mt_reg = {
.version = IPTABLES_VERSION,
.name = "mark",
.revision = 1,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
- .help = mark_mt_help,
- .parse = mark_mt_parse,
- .final_check = mark_mt_check,
- .print = mark_mt_print,
- .save = mark_mt_save,
- .extra_opts = mark_mt_opts,
-};
-
-static struct xtables_match mark_mt6_reg = {
- .version = IPTABLES_VERSION,
- .name = "mark",
- .revision = 1,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.help = mark_mt_help,
@@ -212,7 +182,5 @@ void _init(void);
void _init(void)
{
xtables_register_match(&mark_match);
- xtables_register_match(&mark_match6);
xtables_register_match(&mark_mt_reg);
- xtables_register_match(&mark_mt6_reg);
}
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index 893fe43..a5cf90a 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -147,21 +147,7 @@ static void pkttype_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match pkttype_match = {
- .family = AF_INET,
- .name = "pkttype",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_pkttype_info)),
- .help = pkttype_help,
- .parse = pkttype_parse,
- .final_check = pkttype_check,
- .print = pkttype_print,
- .save = pkttype_save,
- .extra_opts = pkttype_opts,
-};
-
-static struct xtables_match pkttype_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "pkttype",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
@@ -178,5 +164,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&pkttype_match);
- xtables_register_match(&pkttype_match6);
}
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index 9ce350d..f73089d 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -78,20 +78,7 @@ quota_parse(int c, char **argv, int invert, unsigned int *flags,
}
struct xtables_match quota_match = {
- .family = AF_INET,
- .name = "quota",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof (struct xt_quota_info)),
- .userspacesize = offsetof(struct xt_quota_info, quota),
- .help = quota_help,
- .parse = quota_parse,
- .print = quota_print,
- .save = quota_save,
- .extra_opts = quota_opts,
-};
-
-struct xtables_match quota_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "quota",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_info)),
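Review bot: `quota_match` keeps external linkage (`struct xtables_match quota_match = {`), while every other registration struct touched by this commit is declared `static`. As far as these hunks show, the struct is only referenced from this file's `_init()`, so the declaration could become `static struct xtables_match quota_match = {`. That keeps the symbol out of the global namespace, which matters most if the extensions are linked into a single binary, as the static build mentioned earlier in the series presumably does. The initialiser continues past the end of this hunk.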
@@ -107,5 +94,4 @@ void _init(void);
void _init(void)
{
xtables_register_match("a_match);
- xtables_register_match("a_match6);
}
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 0771fcd..69edaba 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -426,22 +426,8 @@ rateest_save(const void *ip, const struct xt_entry_match *match)
}
}
-static struct xtables_match rateest_match4 = {
- .family = AF_INET,
- .name = "rateest",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
- .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
- .help = rateest_help,
- .parse = rateest_parse,
- .final_check = rateest_final_check,
- .print = rateest_print,
- .save = rateest_save,
- .extra_opts = rateest_opts,
-};
-
-static struct xtables_match rateest_match6 = {
- .family = AF_INET6,
+static struct xtables_match rateest_mt_reg = {
+ .family = AF_UNSPEC,
.name = "rateest",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
@@ -457,6 +443,5 @@ static struct xtables_match rateest_match6 = {
void _init(void);
void _init(void)
{
- xtables_register_match(&rateest_match4);
- xtables_register_match(&rateest_match6);
+ xtables_register_match(&rateest_mt_reg);
}
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index 2417f09..68bf16d 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -24,17 +24,7 @@ static int standard_parse(int c, char **argv, int invert, unsigned int *flags,
}
static struct xtables_target standard_target = {
- .family = AF_INET,
- .name = "standard",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(int)),
- .userspacesize = XT_ALIGN(sizeof(int)),
- .help = standard_help,
- .parse = standard_parse,
-};
-
-static struct xtables_target standard_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "standard",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(int)),
@@ -47,5 +37,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&standard_target);
- xtables_register_target(&standard_target6);
}
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 5ac77b6..67cf9e3 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -164,22 +164,7 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match statistic_match = {
- .family = AF_INET,
- .name = "statistic",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_statistic_info)),
- .userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
- .init = statistic_mt_init,
- .help = statistic_help,
- .parse = statistic_parse,
- .final_check = statistic_check,
- .print = statistic_print,
- .save = statistic_save,
- .extra_opts = statistic_opts,
-};
-
-static struct xtables_match statistic_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "statistic",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
@@ -197,5 +182,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&statistic_match);
- xtables_register_match(&statistic_match6);
}
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 5be14ef..182d474 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -327,23 +327,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match string_match = {
.name = "string",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_string_info)),
- .userspacesize = offsetof(struct xt_string_info, config),
- .help = string_help,
- .init = string_init,
- .parse = string_parse,
- .final_check = string_check,
- .print = string_print,
- .save = string_save,
- .extra_opts = string_opts,
-};
-
-
-static struct xtables_match string_match6 = {
- .name = "string",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_string_info)),
.userspacesize = offsetof(struct xt_string_info, config),
@@ -360,5 +344,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&string_match);
- xtables_register_match(&string_match6);
}
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 3efc727..3a9ccd6 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -466,21 +466,7 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match time_match = {
.name = "time",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_time_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
- .help = time_help,
- .init = time_init,
- .parse = time_parse,
- .print = time_print,
- .save = time_save,
- .extra_opts = time_opts,
-};
-
-static struct xtables_match time_match6 = {
- .name = "time",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_time_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
@@ -496,5 +482,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&time_match);
- xtables_register_match(&time_match6);
}
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 1e79c57..2dff28f 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -272,20 +272,7 @@ static void u32_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match u32_match = {
.name = "u32",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_u32)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
- .help = u32_help,
- .parse = u32_parse,
- .print = u32_print,
- .save = u32_save,
- .extra_opts = u32_opts,
-};
-
-static struct xtables_match u32_match6 = {
- .name = "u32",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_u32)),
.userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
@@ -300,6 +287,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&u32_match);
- xtables_register_match(&u32_match6);
- return;
}
diff --git a/xtables.c b/xtables.c
index 0405e3e..1ff76f2 100644
--- a/xtables.c
+++ b/xtables.c
@@ -549,12 +549,13 @@ void xtables_register_match(struct xtables_match *me)
}
/* ignore not interested match */
- if (me->family != afinfo.family)
+ if (me->family != afinfo.family && me->family != AF_UNSPEC)
return;
old = find_match(me->name, DURING_LOAD, NULL);
if (old) {
- if (old->revision == me->revision) {
+ if (old->revision == me->revision &&
+ old->family == me->family) {
fprintf(stderr,
"%s: match `%s' already registered.\n",
program_name, me->name);
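Review bot: The relaxed filter `me->family != afinfo.family && me->family != AF_UNSPEC` also admits any extension that never sets `.family`, because a member omitted from a designated initialiser is zero and AF_UNSPEC is 0 on Linux. Before this change such a struct was presumably dropped by the family check; now it is registered under both iptables and ip6tables, which may not be what an out-of-tree extension author intended. If that is the desired behaviour, a comment next to the check would record it, e.g. `/* AF_UNSPEC (0) is a wildcard; an unset .family is treated the same way */`. The same applies to the matching check in xtables_register_target in the third xtables.c hunk. The function body starts and ends outside this hunk.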
@@ -566,10 +567,14 @@ void xtables_register_match(struct xtables_match *me)
&& old->revision > me->revision)
return;
- /* Replace if compatible. */
+ /* See if new match can be used. */
if (!compatible_match_revision(me->name, me->revision))
return;
+ /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
+ if (old->revision == me->revision && me->family == AF_UNSPEC)
+ return;
+
/* Delete old one. */
for (i = &xtables_matches; *i!=old; i = &(*i)->next);
*i = old->next;
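Review bot: The new AF_UNSPEC preference test is placed after `compatible_match_revision()`, so a wildcard registration that will lose to an already-registered family-specific extension of the same revision still runs the compatibility probe first (which, as far as I can tell, queries the kernel). The test only compares fields of `old` and `me` and both paths end in `return`, so the outcome is the same if `if (old->revision == me->revision && me->family == AF_UNSPEC) return;` is moved above the `compatible_match_revision` call. The same reordering applies to `compatible_target_revision` in the last xtables.c hunk. The enclosing `if (old)` block begins and ends outside this hunk.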
@@ -615,14 +620,15 @@ void xtables_register_target(struct xtables_target *me)
}
/* ignore not interested target */
- if (me->family != afinfo.family)
+ if (me->family != afinfo.family && me->family != AF_UNSPEC)
return;
old = find_target(me->name, DURING_LOAD);
if (old) {
struct xtables_target **i;
- if (old->revision == me->revision) {
+ if (old->revision == me->revision &&
+ old->family == me->family) {
fprintf(stderr,
"%s: target `%s' already registered.\n",
program_name, me->name);
@@ -634,10 +640,14 @@ void xtables_register_target(struct xtables_target *me)
&& old->revision > me->revision)
return;
- /* Replace if compatible. */
+ /* See if new target can be used. */
if (!compatible_target_revision(me->name, me->revision))
return;
+ /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
+ if (old->revision == me->revision && me->family == AF_UNSPEC)
+ return;
+
/* Delete old one. */
for (i = &xtables_targets; *i!=old; i = &(*i)->next);
*i = old->next;
* [PATCH 20/24] Change IPTABLES_VERSION to XTABLES_VERSION
From: Jan Engelhardt @ 2008-03-04 16:19 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
This patch also includes the aforementioned GNUmakefile.in and Makefile.am changes that
should have been in p13 instead.
===
commit d369c0ffd0cf91b719188334f5c0ad31a94d81ad
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 18 12:20:21 2008 +0100
Change IPTABLES_VERSION to XTABLES_VERSION
---
configure.ac | 2 +-
extensions/GNUmakefile.in | 4 +++-
extensions/libip6t_HL.c | 4 ++--
extensions/libip6t_LOG.c | 4 ++--
extensions/libip6t_REJECT.c | 2 +-
extensions/libip6t_ah.c | 4 ++--
extensions/libip6t_dst.c | 4 ++--
extensions/libip6t_eui64.c | 4 ++--
extensions/libip6t_frag.c | 4 ++--
extensions/libip6t_hbh.c | 4 ++--
extensions/libip6t_hl.c | 4 ++--
extensions/libip6t_icmp6.c | 4 ++--
| 4 ++--
extensions/libip6t_mh.c | 4 ++--
extensions/libip6t_policy.c | 4 ++--
extensions/libip6t_rt.c | 4 ++--
extensions/libipt_CLUSTERIP.c | 4 ++--
extensions/libipt_DNAT.c | 4 ++--
extensions/libipt_ECN.c | 4 ++--
extensions/libipt_LOG.c | 4 ++--
extensions/libipt_MASQUERADE.c | 4 ++--
extensions/libipt_MIRROR.c | 4 ++--
extensions/libipt_NETMAP.c | 4 ++--
extensions/libipt_REDIRECT.c | 4 ++--
extensions/libipt_REJECT.c | 2 +-
extensions/libipt_SAME.c | 4 ++--
extensions/libipt_SNAT.c | 4 ++--
extensions/libipt_TTL.c | 4 ++--
extensions/libipt_ULOG.c | 4 ++--
extensions/libipt_addrtype.c | 4 ++--
extensions/libipt_ah.c | 4 ++--
extensions/libipt_ecn.c | 4 ++--
extensions/libipt_icmp.c | 4 ++--
extensions/libipt_policy.c | 4 ++--
extensions/libipt_realm.c | 4 ++--
extensions/libipt_ttl.c | 4 ++--
extensions/libipt_unclean.c | 4 ++--
extensions/libxt_CLASSIFY.c | 4 ++--
extensions/libxt_CONNMARK.c | 10 +++++-----
extensions/libxt_CONNSECMARK.c | 6 +++---
extensions/libxt_DSCP.c | 4 ++--
extensions/libxt_MARK.c | 10 +++++-----
extensions/libxt_NFLOG.c | 6 +++---
extensions/libxt_NFQUEUE.c | 4 ++--
extensions/libxt_NOTRACK.c | 6 +++---
extensions/libxt_RATEEST.c | 4 ++--
extensions/libxt_SECMARK.c | 4 ++--
extensions/libxt_TCPMSS.c | 6 +++---
extensions/libxt_TCPOPTSTRIP.c | 4 ++--
extensions/libxt_TOS.c | 8 ++++----
extensions/libxt_TRACE.c | 4 ++--
| 4 ++--
extensions/libxt_connbytes.c | 6 +++---
extensions/libxt_connlimit.c | 6 +++---
extensions/libxt_connmark.c | 8 ++++----
extensions/libxt_conntrack.c | 6 +++---
extensions/libxt_dccp.c | 6 +++---
extensions/libxt_dscp.c | 6 +++---
extensions/libxt_esp.c | 6 +++---
extensions/libxt_hashlimit.c | 10 +++++-----
extensions/libxt_helper.c | 6 +++---
extensions/libxt_iprange.c | 6 +++---
extensions/libxt_length.c | 4 ++--
extensions/libxt_limit.c | 4 ++--
extensions/libxt_mac.c | 6 +++---
extensions/libxt_mark.c | 4 ++--
extensions/libxt_multiport.c | 12 ++++++------
extensions/libxt_owner.c | 8 ++++----
extensions/libxt_physdev.c | 6 +++---
extensions/libxt_pkttype.c | 2 +-
extensions/libxt_quota.c | 2 +-
extensions/libxt_rateest.c | 4 ++--
extensions/libxt_recent.c | 4 ++--
extensions/libxt_sctp.c | 6 +++---
extensions/libxt_standard.c | 4 ++--
extensions/libxt_state.c | 6 +++---
extensions/libxt_statistic.c | 4 ++--
extensions/libxt_string.c | 4 ++--
extensions/libxt_tcp.c | 6 +++---
extensions/libxt_tcpmss.c | 6 +++---
extensions/libxt_time.c | 4 ++--
extensions/libxt_tos.c | 6 +++---
extensions/libxt_u32.c | 4 ++--
extensions/libxt_udp.c | 6 +++---
ip6tables-restore.c | 4 ++--
ip6tables-save.c | 4 ++--
ip6tables-standalone.c | 2 +-
iptables-restore.c | 4 ++--
iptables-save.c | 4 ++--
iptables-standalone.c | 2 +-
iptables-xml.c | 4 ++--
libipq/Makefile.am | 2 +-
libiptc/libiptc.c | 3 ++-
93 files changed, 218 insertions(+), 215 deletions(-)
diff --git a/configure.ac b/configure.ac
index 4025e0e..b4bd5c0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -40,7 +40,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
- -Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
+ -Winline -pipe -DXTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="";
if [[ -n "$kbuilddir" ]]; then
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 1282a33..2f2c364 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -1,5 +1,7 @@
# -*- Makefile -*-
+top_builddir := @top_builddir@
+builddir := @builddir@
top_srcdir := @top_srcdir@
srcdir := @srcdir@
ksourcedir := @ksourcedir@
@@ -16,7 +18,7 @@ LDFLAGS := @LDFLAGS@
regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
-AM_CFLAGS := ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS := ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
ifeq (${V},)
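Review bot: On the AM_CFLAGS line, `-I${top_builddir}/include` is placed ahead of `-I${top_srcdir}/include`, so a header that exists in both trees now resolves to the build-tree copy, and nothing in the file says why. If the intent is to pick up generated headers, a one-line comment such as `# generated headers live under top_builddir and must win over the source tree` would record it. Separately, `builddir := @builddir@` is assigned in the first hunk of this file but is not referenced in either visible hunk; if nothing outside the hunks uses it, I would drop the assignment.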
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
index 3104285..f2b5861 100644
--- a/extensions/libip6t_HL.c
+++ b/extensions/libip6t_HL.c
@@ -23,7 +23,7 @@ static void HL_help(void)
" --hl-set value Set HL to <value 0-255>\n"
" --hl-dec value Decrement HL by <value 1-255>\n"
" --hl-inc value Increment HL by <value 1-255>\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int HL_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -141,7 +141,7 @@ static const struct option HL_opts[] = {
static struct ip6tables_target hl_target6 = {
.name = "HL",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_HL_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_HL_info)),
.help = HL_help,
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index e8de148..76a7e53 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -28,7 +28,7 @@ static void LOG_help(void)
" --log-tcp-options Log TCP options.\n\n"
" --log-ip-options Log IP options.\n\n"
" --log-uid Log UID owning the local socket.\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option LOG_opts[] = {
@@ -258,7 +258,7 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
static struct ip6tables_target log_target6 = {
.name = "LOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_log_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_log_info)),
.help = LOG_help,
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index 9445534..067f2a5 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -140,7 +140,7 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
static struct ip6tables_target reject_target6 = {
.name = "REJECT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_reject_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_reject_info)),
.help = REJECT_help,
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index afebdb1..110b1fe 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -16,7 +16,7 @@ static void ah_help(void)
" --ahspi [!] spi[:spi] match spi (range)\n"
" --ahlen [!] length total length of this header\n"
" --ahres check the reserved filed, too\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option ah_opts[] = {
@@ -195,7 +195,7 @@ static void ah_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match ah_match6 = {
.name = "ah",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_ah)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ah)),
.help = ah_help,
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 1333418..6cbf9cd 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -19,7 +19,7 @@ static void dst_help(void)
" --dst-len [!] length total length of this header\n"
" --dst-opts TYPE[:LEN][,TYPE[:LEN]...]\n"
" Options and its length (list, max: %d)\n",
-IPTABLES_VERSION, IP6T_OPTS_OPTSNR);
+XTABLES_VERSION, IP6T_OPTS_OPTSNR);
}
static const struct option dst_opts[] = {
@@ -229,7 +229,7 @@ static void dst_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match dst_match6 = {
.name = "dst",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.help = dst_help,
diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c
index 7739e30..51bbaf8 100644
--- a/extensions/libip6t_eui64.c
+++ b/extensions/libip6t_eui64.c
@@ -18,7 +18,7 @@ static void eui64_help(void)
"eui64 v%s options:\n"
" This module hasn't got any option\n"
" This module checks for EUI64 IPv6 addresses\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -31,7 +31,7 @@ static int eui64_parse(int c, char **argv, int invert, unsigned int *flags,
static struct ip6tables_match eui64_target6 = {
.name = "eui64",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(int)),
.userspacesize = IP6T_ALIGN(sizeof(int)),
.help = eui64_help,
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 834dd06..8ed20d9 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -19,7 +19,7 @@ static void frag_help(void)
" --fragfirst matches on the first fragment\n"
" [--fragmore|--fraglast] there are more fragments or this\n"
" is the last one\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option frag_opts[] = {
@@ -240,7 +240,7 @@ static void frag_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match frag_match6 = {
.name = "frag",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_frag)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_frag)),
.help = frag_help,
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 7ca2b69..ac837ac 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -22,7 +22,7 @@ static void hbh_help(void)
" --hbh-len [!] length total length of this header\n"
" --hbh-opts TYPE[:LEN][,TYPE[:LEN]...] \n"
" Options and its length (list, max: %d)\n",
-IPTABLES_VERSION, IP6T_OPTS_OPTSNR);
+XTABLES_VERSION, IP6T_OPTS_OPTSNR);
}
static const struct option hbh_opts[] = {
@@ -216,7 +216,7 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match hbh_match6 = {
.name = "hbh",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.help = hbh_help,
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_hl.c
index d2616b8..02c980d 100644
--- a/extensions/libip6t_hl.c
+++ b/extensions/libip6t_hl.c
@@ -22,7 +22,7 @@ static void hl_help(void)
" --hl-eq [!] value Match hop limit value\n"
" --hl-lt value Match HL < value\n"
" --hl-gt value Match HL > value\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int hl_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -127,7 +127,7 @@ static const struct option hl_opts[] = {
static struct ip6tables_match hl_match6 = {
.name = "hl",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
.help = hl_help,
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index d9bc785..3e8cc37 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -80,7 +80,7 @@ static void icmp6_help(void)
"ICMPv6 v%s options:\n"
" --icmpv6-type [!] typename match icmpv6 type\n"
" (or numeric type or type/code)\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
print_icmpv6types();
}
@@ -253,7 +253,7 @@ static void icmp6_check(unsigned int flags)
static struct ip6tables_match icmp6_match6 = {
.name = "icmp6",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
.help = icmp6_help,
--git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index 05835ac..7ca50ad 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -144,7 +144,7 @@ static void ipv6header_help(void)
" ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
" numbers: 0,60,43,44,51,50,59\n"
"--soft The header CONTAINS the specified extensions\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option ipv6header_opts[] = {
@@ -288,7 +288,7 @@ static void ipv6header_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match ipv6header_match6 = {
.name = "ipv6header",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
.help = ipv6header_help,
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index fd3f452..e91a5ad 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -63,7 +63,7 @@ static void mh_help(void)
printf(
"MH v%s options:\n"
" --mh-type [!] type[:type] match mh type\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
print_types_all();
}
@@ -225,7 +225,7 @@ static const struct option mh_opts[] = {
static struct ip6tables_match mh_match6 = {
.name = "mh",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_mh)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mh)),
.help = mh_help,
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index 4c2f405..6cf987d 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -38,7 +38,7 @@ static void policy_help(void)
"[!] --tunnel-src addr/masklen match tunnel source\n"
"[!] --tunnel-dst addr/masklen match tunnel destination\n"
" --next begin next element in policy\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option policy_opts[] =
@@ -445,7 +445,7 @@ static void policy_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match policy_match6 = {
.name = "policy",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
.help = policy_help,
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 33d282f..d33e76d 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -25,7 +25,7 @@ static void rt_help(void)
" --rt-0-res check the reserved filed, too (type 0)\n"
" --rt-0-addrs ADDR[,ADDR...] Type=0 addresses (list, max: %d)\n"
" --rt-0-not-strict List of Type=0 addresses not a strict list\n",
-IPTABLES_VERSION, IP6T_RT_HOPS);
+XTABLES_VERSION, IP6T_RT_HOPS);
}
static const struct option rt_opts[] = {
@@ -331,7 +331,7 @@ static void rt_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match rt_match6 = {
.name = "rt",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_rt)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rt)),
.help = rt_help,
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 2314185..dca9a86 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -33,7 +33,7 @@ static void CLUSTERIP_help(void)
" --local-node <num> Set the local node number\n"
" --hash-init <num> Set init value of the Jenkins hash\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
#define PARAM_NEW 0x0001
@@ -237,7 +237,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target clusterip_target = {
.name = "CLUSTERIP",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
.userspacesize = offsetof(struct ipt_clusterip_tgt_info, config),
.help = CLUSTERIP_help,
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index a0dbfc5..a98a875 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -28,7 +28,7 @@ static void DNAT_help(void)
" Address to map destination to.\n"
"[--random]\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option DNAT_opts[] = {
@@ -245,7 +245,7 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target dnat_target = {
.name = "DNAT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = DNAT_help,
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 8335cca..b216307 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -22,7 +22,7 @@ static void ECN_help(void)
printf(
"ECN target v%s options\n"
" --ecn-tcp-remove Remove all ECN bits from TCP header\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
#if 0
@@ -155,7 +155,7 @@ static void ECN_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target ecn_target = {
.name = "ECN",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ECN_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ECN_info)),
.help = ECN_help,
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 8287d95..d59d22b 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -28,7 +28,7 @@ static void LOG_help(void)
" --log-tcp-options Log TCP options.\n\n"
" --log-ip-options Log IP options.\n\n"
" --log-uid Log UID owning the local socket.\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option LOG_opts[] = {
@@ -260,7 +260,7 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target log_target = {
.name = "LOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_log_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_log_info)),
.help = LOG_help,
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index c0c519d..671e278 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -19,7 +19,7 @@ static void MASQUERADE_help(void)
" Randomize source port.\n"
"\n"
,
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option MASQUERADE_opts[] = {
@@ -153,7 +153,7 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target masquerade_target = {
.name = "MASQUERADE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = MASQUERADE_help,
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
index 8506eff..cde04a4 100644
--- a/extensions/libipt_MIRROR.c
+++ b/extensions/libipt_MIRROR.c
@@ -12,7 +12,7 @@ static void MIRROR_help(void)
{
printf(
"MIRROR target v%s takes no options\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -25,7 +25,7 @@ static int MIRROR_parse(int c, char **argv, int invert, unsigned int *flags,
static struct iptables_target mirror_target = {
.name = "MIRROR",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(0),
.userspacesize = IPT_ALIGN(0),
.help = MIRROR_help,
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index 0043cca..9bf779d 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -24,7 +24,7 @@ static void NETMAP_help(void)
printf(MODULENAME" v%s options:\n"
" --%s address[/mask]\n"
" Network address to map to.\n\n",
- IPTABLES_VERSION, NETMAP_opts[0].name);
+ XTABLES_VERSION, NETMAP_opts[0].name);
}
static u_int32_t
@@ -172,7 +172,7 @@ static void NETMAP_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target netmap_target = {
.name = MODULENAME,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = NETMAP_help,
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 0bcc9dd..116b577 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -18,7 +18,7 @@ static void REDIRECT_help(void)
"REDIRECT v%s options:\n"
" --to-ports <port>[-<port>]\n"
" Port (range) to map to.\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option REDIRECT_opts[] = {
@@ -159,7 +159,7 @@ static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target redirect_target = {
.name = "REDIRECT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = REDIRECT_help,
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index aa139fd..2824a1a 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -159,7 +159,7 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target reject_target = {
.name = "REJECT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_reject_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_reject_info)),
.help = REJECT_help,
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index 9d58bf0..226cecf 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -25,7 +25,7 @@ static void SAME_help(void)
" --random\n"
" Randomize source port\n"
,
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option SAME_opts[] = {
@@ -210,7 +210,7 @@ static void SAME_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target same_target = {
.name = "SAME",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_same_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_same_info)),
.help = SAME_help,
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 9a553cd..ea998c2 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -28,7 +28,7 @@ static void SNAT_help(void)
" Address to map source to.\n"
"[--random]\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option SNAT_opts[] = {
@@ -246,7 +246,7 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target snat_target = {
.name = "SNAT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = SNAT_help,
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index e19c3a0..34991cf 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -23,7 +23,7 @@ static void TTL_help(void)
" --ttl-set value Set TTL to <value 0-255>\n"
" --ttl-dec value Decrement TTL by <value 1-255>\n"
" --ttl-inc value Increment TTL by <value 1-255>\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int TTL_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -142,7 +142,7 @@ static const struct option TTL_opts[] = {
static struct iptables_target ttl_target = {
.next = NULL,
.name = "TTL",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_TTL_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_TTL_info)),
.help = TTL_help,
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 10301f0..925d62b 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -41,7 +41,7 @@ static void ULOG_help(void)
" --ulog-cprange size Bytes of each packet to be passed\n"
" --ulog-qthreshold Threshold of in-kernel queue\n"
" --ulog-prefix prefix Prefix log messages with this prefix.\n\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option ULOG_opts[] = {
@@ -188,7 +188,7 @@ static void ULOG_print(const void *ip, const struct xt_entry_target *target,
static struct iptables_target ulog_target = {
.name = "ULOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ulog_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ulog_info)),
.help = ULOG_help,
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index 02752d3..388467f 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -44,7 +44,7 @@ static void addrtype_help(void)
" [!] --dst-type type[,...] Match destination address type\n"
"\n"
"Valid types: \n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
addrtype_help_types();
}
@@ -185,7 +185,7 @@ static const struct option addrtype_opts[] = {
static struct iptables_match addrtype_match = {
.name = "addrtype",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
.help = addrtype_help,
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index 5d9ab6c..92e412f 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -15,7 +15,7 @@ static void ah_help(void)
"AH v%s options:\n"
" --ahspi [!] spi[:spi]\n"
" match spi (range)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option ah_opts[] = {
@@ -158,7 +158,7 @@ static void ah_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match ah_match = {
.name = "ah",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ah)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ah)),
.help = ah_help,
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index 5c0428d..44a3c22 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -23,7 +23,7 @@ static void ecn_help(void)
"[!] --ecn-tcp-cwr Match CWR bit of TCP header\n"
"[!] --ecn-tcp-ece Match ECE bit of TCP header\n"
"[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4 header\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option ecn_opts[] = {
@@ -146,7 +146,7 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match ecn_match = {
.name = "ecn",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
.help = ecn_help,
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index df57a5e..69c0347 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -104,7 +104,7 @@ static void icmp_help(void)
"ICMP v%s options:\n"
" --icmp-type [!] typename match icmp type\n"
" (or numeric type or type/code)\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
print_icmptypes();
}
@@ -276,7 +276,7 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match icmp_match = {
.name = "icmp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_icmp)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_icmp)),
.help = icmp_help,
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index cdef750..e320017 100644
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -37,7 +37,7 @@ static void policy_help(void)
"[!] --tunnel-src addr/mask match tunnel source\n"
"[!] --tunnel-dst addr/mask match tunnel destination\n"
" --next begin next element in policy\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option policy_opts[] =
@@ -410,7 +410,7 @@ static void policy_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match policy_match = {
.name = "policy",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_policy_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_policy_info)),
.help = policy_help,
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index 73444de..6795dd4 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -21,7 +21,7 @@ static void realm_help(void)
"realm v%s options:\n"
" --realm [!] value[/mask]\n"
" Match realm\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option realm_opts[] = {
@@ -245,7 +245,7 @@ static void realm_check(unsigned int flags)
static struct iptables_match realm_match = {
.name = "realm",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_realm_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_realm_info)),
.help = realm_help,
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index d358dfc..feee70b 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -21,7 +21,7 @@ static void ttl_help(void)
" --ttl-eq value Match time to live value\n"
" --ttl-lt value Match TTL < value\n"
" --ttl-gt value Match TTL > value\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int ttl_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -150,7 +150,7 @@ static const struct option ttl_opts[] = {
static struct iptables_match ttl_match = {
.name = "ttl",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ttl_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ttl_info)),
.help = ttl_help,
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
index 9956c1a..b15d62f 100644
--- a/extensions/libipt_unclean.c
+++ b/extensions/libipt_unclean.c
@@ -9,7 +9,7 @@ static void unclean_help(void)
{
printf(
"unclean v%s takes no options\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -22,7 +22,7 @@ static int unclean_parse(int c, char **argv, int invert, unsigned int *flags,
static struct iptables_match unclean_match = {
.name = "unclean",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(0),
.userspacesize = IPT_ALIGN(0),
.help = unclean_help,
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index 1bf9494..e8506fe 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -18,7 +18,7 @@ CLASSIFY_help(void)
"CLASSIFY target v%s options:\n"
" --set-class [MAJOR:MINOR] Set skb->priority value\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option CLASSIFY_opts[] = {
@@ -105,7 +105,7 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target classify_target = {
.family = AF_UNSPEC,
.name = "CLASSIFY",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)),
.help = CLASSIFY_help,
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 73f8214..a064d72 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -42,7 +42,7 @@ static void CONNMARK_help(void)
" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
" --restore-mark [--mask mask] Restore saved nfmark value\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option CONNMARK_opts[] = {
@@ -410,7 +410,7 @@ static struct xtables_target connmark_target = {
.family = AF_INET,
.name = "CONNMARK",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.help = CONNMARK_help,
@@ -426,7 +426,7 @@ static struct xtables_target connmark_target6 = {
.family = AF_INET6,
.name = "CONNMARK",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.help = CONNMARK_help,
@@ -439,7 +439,7 @@ static struct xtables_target connmark_target6 = {
};
static struct xtables_target connmark_tg_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "CONNMARK",
.revision = 1,
.family = AF_INET,
@@ -455,7 +455,7 @@ static struct xtables_target connmark_tg_reg = {
};
static struct xtables_target connmark_tg6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "CONNMARK",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
index 779594f..4d9a682 100644
--- a/extensions/libxt_CONNSECMARK.c
+++ b/extensions/libxt_CONNSECMARK.c
@@ -21,7 +21,7 @@ static void CONNSECMARK_help(void)
" --save Copy security mark from packet to conntrack\n"
" --restore Copy security mark from connection to packet\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option CONNSECMARK_opts[] = {
@@ -111,7 +111,7 @@ CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target connsecmark_target = {
.family = AF_INET,
.name = "CONNSECMARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
@@ -126,7 +126,7 @@ static struct xtables_target connsecmark_target = {
static struct xtables_target connsecmark_target6 = {
.family = AF_INET6,
.name = "CONNSECMARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
index 3a99b33..7012647 100644
--- a/extensions/libxt_DSCP.c
+++ b/extensions/libxt_DSCP.c
@@ -135,7 +135,7 @@ static void DSCP_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target dscp_target = {
.family = AF_INET,
.name = "DSCP",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.help = DSCP_help,
@@ -149,7 +149,7 @@ static struct xtables_target dscp_target = {
static struct xtables_target dscp_target6 = {
.family = AF_INET6,
.name = "DSCP",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.help = DSCP_help,
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 4003d26..167db21 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -22,7 +22,7 @@ static void MARK_help(void)
" --and-mark value Binary AND the nfmark with value\n"
" --or-mark value Binary OR the nfmark with value\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option MARK_opts[] = {
@@ -287,7 +287,7 @@ static void mark_tg_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target mark_target_v0 = {
.family = AF_INET,
.name = "MARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_mark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)),
@@ -302,7 +302,7 @@ static struct xtables_target mark_target_v0 = {
static struct xtables_target mark_target_v1 = {
.family = AF_INET,
.name = "MARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)),
@@ -317,7 +317,7 @@ static struct xtables_target mark_target_v1 = {
static struct xtables_target mark_target6_v0 = {
.family = AF_INET6,
.name = "MARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_mark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)),
@@ -330,7 +330,7 @@ static struct xtables_target mark_target6_v0 = {
};
static struct xtables_target mark_tg_reg_v2 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "MARK",
.revision = 2,
.family = AF_UNSPEC,
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index 4b6c5a9..e343ee6 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -29,7 +29,7 @@ static void NFLOG_help(void)
" --nflog-range NUM Number of byte to copy\n"
" --nflog-threshold NUM Message threshold of in-kernel queue\n"
" --nflog-prefix STRING Prefix string for log messages\n\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static void NFLOG_init(struct xt_entry_target *t)
@@ -142,7 +142,7 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target nflog_target = {
.family = AF_INET,
.name = "NFLOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nflog_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
.help = NFLOG_help,
@@ -156,7 +156,7 @@ static struct xtables_target nflog_target = {
static struct xtables_target nflog_target6 = {
.family = AF_INET6,
.name = "NFLOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nflog_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
.help = NFLOG_help,
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 287c1c8..58fb881 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -83,7 +83,7 @@ static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target nfqueue_target = {
.family = AF_INET,
.name = "NFQUEUE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.help = NFQUEUE_help,
@@ -96,7 +96,7 @@ static struct xtables_target nfqueue_target = {
static struct xtables_target nfqueue_target6 = {
.family = AF_INET6,
.name = "NFQUEUE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.help = NFQUEUE_help,
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
index cb6bd1e..f613369 100644
--- a/extensions/libxt_NOTRACK.c
+++ b/extensions/libxt_NOTRACK.c
@@ -12,7 +12,7 @@ static void NOTRACK_help(void)
{
printf(
"NOTRACK target v%s takes no options\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -27,7 +27,7 @@ NOTRACK_parse(int c, char **argv, int invert, unsigned int *flags,
static struct xtables_target notrack_target = {
.family = AF_INET,
.name = "NOTRACK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = NOTRACK_help,
@@ -37,7 +37,7 @@ static struct xtables_target notrack_target = {
static struct xtables_target notrack_target6 = {
.family = AF_INET6,
.name = "NOTRACK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = NOTRACK_help,
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 6918f76..cee9c82 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -23,7 +23,7 @@ RATEEST_help(void)
" --rateest-interval sec Rate measurement interval in seconds\n"
" --rateest-ewmalog value Rate measurement averaging time constant\n"
"\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
enum RATEEST_options {
@@ -206,7 +206,7 @@ RATEEST_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target rateest_tg_reg = {
.family = AF_UNSPEC,
.name = "RATEEST",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
.help = RATEEST_help,
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index d143037..a71d028 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -20,7 +20,7 @@ static void SECMARK_help(void)
"SECMARK target v%s options:\n"
" --selctx value Set the SELinux security context\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option SECMARK_opts[] = {
@@ -102,7 +102,7 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target secmark_target = {
.family = AF_UNSPEC,
.name = "SECMARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c
index f4a45c3..9b9602b 100644
--- a/extensions/libxt_TCPMSS.c
+++ b/extensions/libxt_TCPMSS.c
@@ -23,7 +23,7 @@ static void __TCPMSS_help(int hdrsize)
"TCPMSS target v%s mutually-exclusive options:\n"
" --set-mss value explicitly set MSS option to specified value\n"
" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - %d)\n",
-IPTABLES_VERSION, hdrsize);
+XTABLES_VERSION, hdrsize);
}
static void TCPMSS_help(void)
@@ -126,7 +126,7 @@ static void TCPMSS_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target tcpmss_target = {
.family = AF_INET,
.name = "TCPMSS",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.help = TCPMSS_help,
@@ -140,7 +140,7 @@ static struct xtables_target tcpmss_target = {
static struct xtables_target tcpmss_target6 = {
.family = AF_INET6,
.name = "TCPMSS",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.help = TCPMSS_help6,
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index 22e921a..0318421 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -176,7 +176,7 @@ tcpoptstrip_tg_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target tcpoptstrip_tg_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TCPOPTSTRIP",
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
@@ -191,7 +191,7 @@ static struct xtables_target tcpoptstrip_tg_reg = {
};
static struct xtables_target tcpoptstrip_tg6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TCPOPTSTRIP",
.family = AF_INET6,
.size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c
index dfc7af7..bf94916 100644
--- a/extensions/libxt_TOS.c
+++ b/extensions/libxt_TOS.c
@@ -59,7 +59,7 @@ static void tos_tg_help(void)
" --set-tos symbol Set TOS field (IPv4 only) by symbol\n"
" (this zeroes the 4-bit Precedence part!)\n"
" Accepted symbolic names for value are:\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
printf(" (0x%02x) %2u %s\n",
@@ -205,7 +205,7 @@ static void tos_tg_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target tos_tg_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TOS",
.revision = 0,
.family = AF_INET,
@@ -220,7 +220,7 @@ static struct xtables_target tos_tg_reg_v0 = {
};
static struct xtables_target tos_tg_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TOS",
.revision = 1,
.family = AF_INET,
@@ -235,7 +235,7 @@ static struct xtables_target tos_tg_reg = {
};
static struct xtables_target tos_tg6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TOS",
.family = AF_INET6,
.revision = 1,
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index 7241f2b..4b13ed4 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -12,7 +12,7 @@ static void TRACE_help(void)
{
printf(
"TRACE target v%s takes no options\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -26,7 +26,7 @@ static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags,
static struct xtables_target trace_target = {
.family = AF_UNSPEC,
.name = "TRACE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = TRACE_help,
--git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 8ae77fc..b16c721 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -96,7 +96,7 @@ comment_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match comment_match = {
.family = AF_INET,
.name = "comment",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_comment_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)),
.help = comment_help,
@@ -110,7 +110,7 @@ static struct xtables_match comment_match = {
static struct xtables_match comment_match6 = {
.family = AF_INET6,
.name = "comment",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_comment_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)),
.help = comment_help,
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index 9fd5a47..f0e0152 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -16,7 +16,7 @@ static void connbytes_help(void)
" [!] --connbytes from:[to]\n"
" --connbytes-dir [original, reply, both]\n"
" --connbytes-mode [packets, bytes, avgpkt]\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option connbytes_opts[] = {
@@ -188,7 +188,7 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match connbytes_match = {
.family = AF_INET,
.name = "connbytes",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.help = connbytes_help,
@@ -202,7 +202,7 @@ static struct xtables_match connbytes_match = {
static struct xtables_match connbytes_match6 = {
.family = AF_INET6,
.name = "connbytes",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.help = connbytes_help,
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index 2b4d3d5..19f46a7 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -15,7 +15,7 @@ static void connlimit_help(void)
"[!] --connlimit-above n match if the number of existing "
" connections is (not) above n\n"
" --connlimit-mask n group hosts using mask\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option connlimit_opts[] = {
@@ -181,7 +181,7 @@ static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
static struct xtables_match connlimit_match = {
.name = "connlimit",
.family = AF_INET,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connlimit_info)),
.userspacesize = offsetof(struct xt_connlimit_info, data),
.help = connlimit_help,
@@ -196,7 +196,7 @@ static struct xtables_match connlimit_match = {
static struct xtables_match connlimit_match6 = {
.name = "connlimit",
.family = AF_INET6,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connlimit_info)),
.userspacesize = offsetof(struct xt_connlimit_info, data),
.help = connlimit_help,
diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
index dd43359..912f053 100644
--- a/extensions/libxt_connmark.c
+++ b/extensions/libxt_connmark.c
@@ -172,7 +172,7 @@ static struct xtables_match connmark_mt_reg_v0 = {
.family = AF_INET,
.name = "connmark",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
.help = connmark_mt_help,
@@ -187,7 +187,7 @@ static struct xtables_match connmark_mt6_reg_v0 = {
.family = AF_INET6,
.name = "connmark",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
.help = connmark_mt_help,
@@ -199,7 +199,7 @@ static struct xtables_match connmark_mt6_reg_v0 = {
};
static struct xtables_match connmark_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "connmark",
.revision = 1,
.family = AF_INET,
@@ -214,7 +214,7 @@ static struct xtables_match connmark_mt_reg = {
};
static struct xtables_match connmark_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "connmark",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index d5f1be7..fc2ba42 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1017,7 +1017,7 @@ static void conntrack_mt6_save(const void *ip,
}
static struct xtables_match conntrack_match = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "conntrack",
.revision = 0,
.family = AF_INET,
@@ -1032,7 +1032,7 @@ static struct xtables_match conntrack_match = {
};
static struct xtables_match conntrack_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "conntrack",
.revision = 1,
.family = AF_INET,
@@ -1047,7 +1047,7 @@ static struct xtables_match conntrack_mt_reg = {
};
static struct xtables_match conntrack_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "conntrack",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index d21de16..97daf4a 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -41,7 +41,7 @@ static void dccp_help(void)
" --destination-port [!] port[:port] match destination port(s)\n"
" --dport ...\n"
,
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option dccp_opts[] = {
@@ -342,7 +342,7 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match dccp_match = {
.name = "dccp",
.family = AF_INET,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dccp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)),
.help = dccp_help,
@@ -356,7 +356,7 @@ static struct xtables_match dccp_match = {
static struct xtables_match dccp_match6 = {
.name = "dccp",
.family = AF_INET6,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dccp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)),
.help = dccp_help,
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 75941ab..97dafac 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -35,7 +35,7 @@ static void dscp_help(void)
" be any of the BE,EF, AFxx or CSx classes\n"
"\n"
" These two options are mutually exclusive !\n"
- , IPTABLES_VERSION
+ , XTABLES_VERSION
);
}
@@ -149,7 +149,7 @@ static void dscp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match dscp_match = {
.family = AF_INET,
.name = "dscp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dscp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
.help = dscp_help,
@@ -163,7 +163,7 @@ static struct xtables_match dscp_match = {
static struct xtables_match dscp_match6 = {
.family = AF_INET6,
.name = "dscp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dscp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
.help = dscp_help,
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index b20999d..45b2c8b 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -15,7 +15,7 @@ static void esp_help(void)
"ESP v%s options:\n"
" --espspi [!] spi[:spi]\n"
" match spi (range)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option esp_opts[] = {
@@ -156,7 +156,7 @@ static void esp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match esp_match = {
.family = AF_INET,
.name = "esp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_esp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
.help = esp_help,
@@ -170,7 +170,7 @@ static struct xtables_match esp_match = {
static struct xtables_match esp_match6 = {
.family = AF_INET6,
.name = "esp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_esp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
.help = esp_help,
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index e430f93..3445c9d 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -42,7 +42,7 @@ static void hashlimit_help(void)
"[--hashlimit-htable-max <num>] number of hashtable entries\n"
"[--hashlimit-htable-gcinterval] interval between garbage collection runs\n"
"[--hashlimit-htable-expire] after which time are idle entries expired?\n"
-"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
+"\n", XTABLES_VERSION, XT_HASHLIMIT_BURST);
}
static void hashlimit_mt_help(void)
@@ -671,7 +671,7 @@ hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match hashlimit_match = {
.family = AF_INET,
.name = "hashlimit",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
@@ -687,7 +687,7 @@ static struct xtables_match hashlimit_match = {
static struct xtables_match hashlimit_match6 = {
.family = AF_INET6,
.name = "hashlimit",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
@@ -701,7 +701,7 @@ static struct xtables_match hashlimit_match6 = {
};
static struct xtables_match hashlimit_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "hashlimit",
.revision = 1,
.family = AF_INET,
@@ -717,7 +717,7 @@ static struct xtables_match hashlimit_mt_reg = {
};
static struct xtables_match hashlimit_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "hashlimit",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 4ce1d4b..a028bbc 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -15,7 +15,7 @@ static void helper_help(void)
"helper match v%s options:\n"
"[!] --helper string Match helper identified by string\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option helper_opts[] = {
@@ -79,7 +79,7 @@ static void helper_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match helper_match = {
.family = AF_INET,
.name = "helper",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_helper_info)),
.help = helper_help,
.parse = helper_parse,
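Review bot: `helper_match` sets `.size` but no `.userspacesize` (the line after `.size` is `.help`), unlike the other registrations touched in this patch, so the field is left at 0; the same applies to `helper_match6` in the next hunk. If rule comparison on delete uses `userspacesize` as the number of match-data bytes to compare (not visible here, confirm in the caller), the helper name would not be compared and a delete-by-specification could remove a rule for a different helper. Consider adding `.userspacesize = XT_ALIGN(sizeof(struct xt_helper_info)),` to both structs, in a separate patch since this one is a mechanical rename. Both initialisers continue past the end of their hunks.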
@@ -92,7 +92,7 @@ static struct xtables_match helper_match = {
static struct xtables_match helper_match6 = {
.family = AF_INET6,
.name = "helper",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_helper_info)),
.help = helper_help,
.parse = helper_parse,
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 54d7d9c..f0c4f5b 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -339,7 +339,7 @@ static void iprange_mt6_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match iprange_match = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "iprange",
.revision = 0,
.family = AF_INET,
@@ -354,7 +354,7 @@ static struct xtables_match iprange_match = {
};
static struct xtables_match iprange_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "iprange",
.revision = 1,
.family = AF_INET,
@@ -369,7 +369,7 @@ static struct xtables_match iprange_mt_reg = {
};
static struct xtables_match iprange_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "iprange",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index 136034c..ae64942 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -15,7 +15,7 @@ static void length_help(void)
"length v%s options:\n"
"[!] --length length[:length] Match packet length against value or range\n"
" of values (inclusive)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
@@ -127,7 +127,7 @@ static void length_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match length_match = {
.family = AF_UNSPEC,
.name = "length",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_length_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_length_info)),
.help = length_help,
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index da64750..6898758 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -26,7 +26,7 @@ static void limit_help(void)
" [Packets per second unless followed by \n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n"
-"\n", IPTABLES_VERSION, XT_LIMIT_BURST);
+"\n", XTABLES_VERSION, XT_LIMIT_BURST);
}
static const struct option limit_opts[] = {
@@ -167,7 +167,7 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match limit_match = {
.family = AF_UNSPEC,
.name = "limit",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
.userspacesize = offsetof(struct xt_rateinfo, prev),
.help = limit_help,
diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
index 112ac5b..9b76a9a 100644
--- a/extensions/libxt_mac.c
+++ b/extensions/libxt_mac.c
@@ -19,7 +19,7 @@ static void mac_help(void)
"MAC v%s options:\n"
" --mac-source [!] XX:XX:XX:XX:XX:XX\n"
" Match source MAC address\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option mac_opts[] = {
@@ -118,7 +118,7 @@ static void mac_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match mac_match = {
.family = AF_INET,
.name = "mac",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mac_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)),
.help = mac_help,
@@ -132,7 +132,7 @@ static struct xtables_match mac_match = {
static struct xtables_match mac_match6 = {
.family = AF_INET6,
.name = "mac",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mac_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)),
.help = mac_help,
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index e805a2b..be66169 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -152,7 +152,7 @@ static struct xtables_match mark_match = {
.family = AF_UNSPEC,
.name = "mark",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
.help = mark_mt_help,
@@ -164,7 +164,7 @@ static struct xtables_match mark_match = {
};
static struct xtables_match mark_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "mark",
.revision = 1,
.family = AF_UNSPEC,
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 7b96e6c..7d3c122 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -25,7 +25,7 @@ static void multiport_help(void)
" --ports port[,port,port]\n"
" match both source and destination port(s)\n"
" NOTE: this kernel does not support port ranges in multiport.\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static void multiport_help_v1(void)
@@ -40,7 +40,7 @@ static void multiport_help_v1(void)
" match destination port(s)\n"
" --ports [!] port[,port:port,port]\n"
" match both source and destination port(s)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option multiport_opts[] = {
@@ -513,7 +513,7 @@ static struct xtables_match multiport_match = {
.family = AF_INET,
.name = "multiport",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_multiport)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
.help = multiport_help,
@@ -528,7 +528,7 @@ static struct xtables_match multiport_match6 = {
.family = AF_INET6,
.name = "multiport",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_multiport)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
.help = multiport_help,
@@ -542,7 +542,7 @@ static struct xtables_match multiport_match6 = {
static struct xtables_match multiport_match_v1 = {
.family = AF_INET,
.name = "multiport",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)),
@@ -557,7 +557,7 @@ static struct xtables_match multiport_match_v1 = {
static struct xtables_match multiport_match6_v1 = {
.family = AF_INET6,
.name = "multiport",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)),
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index 18f3d9a..221fdaf 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -532,7 +532,7 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match owner_mt_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 0,
.family = AF_INET,
@@ -547,7 +547,7 @@ static struct xtables_match owner_mt_reg_v0 = {
};
static struct xtables_match owner_mt6_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 0,
.family = AF_INET6,
@@ -562,7 +562,7 @@ static struct xtables_match owner_mt6_reg_v0 = {
};
static struct xtables_match owner_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 1,
.family = AF_INET,
@@ -577,7 +577,7 @@ static struct xtables_match owner_mt_reg = {
};
static struct xtables_match owner_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
index 6b5fe20..ceb42a7 100644
--- a/extensions/libxt_physdev.c
+++ b/extensions/libxt_physdev.c
@@ -21,7 +21,7 @@ static void physdev_help(void)
" [!] --physdev-is-in arrived on a bridge device\n"
" [!] --physdev-is-out will leave on a bridge device\n"
" [!] --physdev-is-bridged it's a bridged packet\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option physdev_opts[] = {
@@ -165,7 +165,7 @@ static void physdev_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match physdev_match = {
.family = AF_INET,
.name = "physdev",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_physdev_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)),
.help = physdev_help,
@@ -179,7 +179,7 @@ static struct xtables_match physdev_match = {
static struct xtables_match physdev_match6 = {
.family = AF_INET6,
.name = "physdev",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_physdev_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)),
.help = physdev_help,
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index a5cf90a..ab41867 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -149,7 +149,7 @@ static void pkttype_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match pkttype_match = {
.family = AF_UNSPEC,
.name = "pkttype",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_pkttype_info)),
.help = pkttype_help,
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index f73089d..1482dd9 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -80,7 +80,7 @@ quota_parse(int c, char **argv, int invert, unsigned int *flags,
struct xtables_match quota_match = {
.family = AF_UNSPEC,
.name = "quota",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_info)),
.userspacesize = offsetof(struct xt_quota_info, quota),
.help = quota_help,
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 69edaba..d959899 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -25,7 +25,7 @@ static void rateest_help(void)
" [!] --rateest-gt Match if rate is greater than given rate/estimator\n"
" [!] --rateest-eq Match if rate is equal to given rate/estimator\n"
"\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
enum rateest_options {
@@ -429,7 +429,7 @@ rateest_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match rateest_mt_reg = {
.family = AF_UNSPEC,
.name = "rateest",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
.userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
.help = rateest_help,
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 5b0112f..391a32f 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -211,7 +211,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
/* Structure for iptables to use to communicate with module */
static struct xtables_match recent_match = {
.name = "recent",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
@@ -225,7 +225,7 @@ static struct xtables_match recent_match = {
};
static struct xtables_match recent_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "recent",
.revision = 0,
.family = AF_INET6,
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index af6faba..4ab6aab 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -64,7 +64,7 @@ static void sctp_help(void)
" --chunk-types [!] (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
" chunktypes are present\n"
"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option sctp_opts[] = {
@@ -514,7 +514,7 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match sctp_match = {
.name = "sctp",
.family = AF_INET,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_sctp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
.help = sctp_help,
@@ -528,7 +528,7 @@ static struct xtables_match sctp_match = {
static struct xtables_match sctp_match6 = {
.name = "sctp",
.family = AF_INET6,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_sctp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
.help = sctp_help,
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index 68bf16d..b78fa25 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -12,7 +12,7 @@ static void standard_help(void)
{
printf(
"Standard v%s options:\n"
-"(If target is DROP, ACCEPT, RETURN or nothing)\n", IPTABLES_VERSION);
+"(If target is DROP, ACCEPT, RETURN or nothing)\n", XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -26,7 +26,7 @@ static int standard_parse(int c, char **argv, int invert, unsigned int *flags,
static struct xtables_target standard_target = {
.family = AF_UNSPEC,
.name = "standard",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(int)),
.userspacesize = XT_ALIGN(sizeof(int)),
.help = standard_help,
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index cbc8419..0640544 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -20,7 +20,7 @@ state_help(void)
"state v%s options:\n"
" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
" State(s) to match\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option state_opts[] = {
@@ -145,7 +145,7 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match state_match = {
.family = AF_INET,
.name = "state",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_state_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
.help = state_help,
@@ -159,7 +159,7 @@ static struct xtables_match state_match = {
static struct xtables_match state_match6 = {
.family = AF_INET6,
.name = "state",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_state_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
.help = state_help,
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 67cf9e3..c2a921e 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -19,7 +19,7 @@ static void statistic_help(void)
" --every n Match every nth packet\n"
" --packet p Initial counter value (0 <= p <= n-1, default 0)\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option statistic_opts[] = {
@@ -166,7 +166,7 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match statistic_match = {
.family = AF_UNSPEC,
.name = "statistic",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
.init = statistic_mt_init,
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 182d474..1482614 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -40,7 +40,7 @@ static void string_help(void)
"--algo Algorithm\n"
"--string [!] string Match a string in a packet\n"
"--hex-string [!] string Match a hex string in a packet\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option string_opts[] = {
@@ -328,7 +328,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match string_match = {
.name = "string",
.family = AF_UNSPEC,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_string_info)),
.userspacesize = offsetof(struct xt_string_info, config),
.help = string_help,
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 2026368..18b8eb9 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -23,7 +23,7 @@ static void tcp_help(void)
" --dport ...\n"
" match destination port(s)\n"
" --tcp-option [!] number match if TCP option set\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option tcp_opts[] = {
@@ -386,7 +386,7 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match tcp_match = {
.family = AF_INET,
.name = "tcp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcp)),
.help = tcp_help,
@@ -400,7 +400,7 @@ static struct xtables_match tcp_match = {
static struct xtables_match tcp_match6 = {
.family = AF_INET6,
.name = "tcp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcp)),
.help = tcp_help,
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index 36d445c..d90dbbb 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -15,7 +15,7 @@ static void tcpmss_help(void)
"tcpmss match v%s options:\n"
"[!] --mss value[:value] Match TCP MSS range.\n"
" (only valid for TCP SYN or SYN/ACK packets)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option tcpmss_opts[] = {
@@ -128,7 +128,7 @@ static void tcpmss_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match tcpmss_match = {
.family = AF_INET,
.name = "tcpmss",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.help = tcpmss_help,
@@ -142,7 +142,7 @@ static struct xtables_match tcpmss_match = {
static struct xtables_match tcpmss_match6 = {
.family = AF_INET6,
.name = "tcpmss",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.help = tcpmss_help,
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 3a9ccd6..b682705 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -61,7 +61,7 @@ static void time_help(void)
" (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7\n"
" Defaults to all weekdays.)\n"
" --localtz/--utc Time is interpreted as UTC/local time\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static void time_init(struct xt_entry_match *m)
@@ -467,7 +467,7 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match time_match = {
.name = "time",
.family = AF_UNSPEC,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_time_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
.help = time_help,
diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index cd21560..f0d1635 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -138,7 +138,7 @@ static void tos_mt_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match tos_mt_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "tos",
.family = AF_INET,
.revision = 0,
@@ -153,7 +153,7 @@ static struct xtables_match tos_mt_reg_v0 = {
};
static struct xtables_match tos_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "tos",
.family = AF_INET,
.revision = 1,
@@ -168,7 +168,7 @@ static struct xtables_match tos_mt_reg = {
};
static struct xtables_match tos_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "tos",
.family = AF_INET6,
.revision = 1,
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 2dff28f..c692e21 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -37,7 +37,7 @@ static void u32_help(void)
"\t\t""range := number | number \":\" number\n"
"\t\t""location := number | location operator number\n"
"\t\t""operator := \"&\" | \"<<\" | \">>\" | \"@\"\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
return;
}
@@ -273,7 +273,7 @@ static void u32_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match u32_match = {
.name = "u32",
.family = AF_UNSPEC,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_u32)),
.userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
.help = u32_help,
diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
index 2ba781e..45af4ab 100644
--- a/extensions/libxt_udp.c
+++ b/extensions/libxt_udp.c
@@ -18,7 +18,7 @@ static void udp_help(void)
" --destination-port [!] port[:port]\n"
" --dport ...\n"
" match destination port(s)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option udp_opts[] = {
@@ -199,7 +199,7 @@ static void udp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match udp_match = {
.family = AF_INET,
.name = "udp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_udp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
.help = udp_help,
@@ -213,7 +213,7 @@ static struct xtables_match udp_match = {
static struct xtables_match udp_match6 = {
.family = AF_INET6,
.name = "udp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_udp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
.help = udp_help,
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 2c3e95d..e28f649 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -128,7 +128,7 @@ int main(int argc, char *argv[])
int in_table = 0, testing = 0;
program_name = "ip6tables-restore";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
line = 0;
lib_dir = getenv("XTABLES_LIBDIR");
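Review bot: `lib_dir = getenv("XTABLES_LIBDIR")` on the last line of this hunk takes the extension directory from the environment with no check on who set it, and the same line appears in the `main()` hunks of ip6tables-save.c, ip6tables-standalone.c, iptables-restore.c, iptables-save.c and iptables-standalone.c in this patch. These tools are normally run as root, so if `lib_dir` is later used to locate and load extension objects (the rest of `main()` is outside the hunk, so this is inferred), any wrapper that preserves the invoking user's environment lets that user choose the code that gets loaded. Consider ignoring the variable in secure-execution mode, for example with glibc's `secure_getenv("XTABLES_LIBDIR")`. At minimum, state the trust assumption next to the call: `/* XTABLES_LIBDIR is trusted input; privileged callers must sanitise the environment */`.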
@@ -160,7 +160,7 @@ int main(int argc, char *argv[])
break;
case 'h':
print_usage("ip6tables-restore",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
break;
case 'n':
noflush = 1;
diff --git a/ip6tables-save.c b/ip6tables-save.c
index e440887..3c72cfd 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -269,7 +269,7 @@ static int do_output(const char *tablename)
time_t now = time(NULL);
printf("# Generated by ip6tables-save v%s on %s",
- IPTABLES_VERSION, ctime(&now));
+ XTABLES_VERSION, ctime(&now));
printf("*%s\n", tablename);
/* Dump out chain names first,
@@ -330,7 +330,7 @@ int main(int argc, char *argv[])
int c;
program_name = "ip6tables-save";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 1bb81bc..5bdcd4f 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -50,7 +50,7 @@ main(int argc, char *argv[])
ip6tc_handle_t handle = NULL;
program_name = "ip6tables";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/iptables-restore.c b/iptables-restore.c
index f556fa5..26f7e2f 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -129,7 +129,7 @@ main(int argc, char *argv[])
const char *tablename = 0;
program_name = "iptables-restore";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
line = 0;
lib_dir = getenv("XTABLES_LIBDIR");
@@ -161,7 +161,7 @@ main(int argc, char *argv[])
break;
case 'h':
print_usage("iptables-restore",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
break;
case 'n':
noflush = 1;
diff --git a/iptables-save.c b/iptables-save.c
index 1ce2090..4f31aee 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -292,7 +292,7 @@ static int do_output(const char *tablename)
time_t now = time(NULL);
printf("# Generated by iptables-save v%s on %s",
- IPTABLES_VERSION, ctime(&now));
+ XTABLES_VERSION, ctime(&now));
printf("*%s\n", tablename);
/* Dump out chain names first,
@@ -355,7 +355,7 @@ main(int argc, char *argv[])
int c;
program_name = "iptables-save";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 369adaf..55d9bbe 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -51,7 +51,7 @@ main(int argc, char *argv[])
iptc_handle_t handle = NULL;
program_name = "iptables";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/iptables-xml.c b/iptables-xml.c
index d922efe..fea63ef 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -645,7 +645,7 @@ main(int argc, char *argv[])
FILE *in;
program_name = "iptables-xml";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
line = 0;
while ((c = getopt_long(argc, argv, "cvh", options, NULL)) != -1) {
@@ -658,7 +658,7 @@ main(int argc, char *argv[])
verbose = 1;
break;
case 'h':
- print_usage("iptables-xml", IPTABLES_VERSION);
+ print_usage("iptables-xml", XTABLES_VERSION);
break;
}
}
diff --git a/libipq/Makefile.am b/libipq/Makefile.am
index 942a874..d4245e7 100644
--- a/libipq/Makefile.am
+++ b/libipq/Makefile.am
@@ -1,6 +1,6 @@
# -*- Makefile -*-
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
libipq_a_SOURCES = libipq.c
lib_LIBRARIES = libipq.a
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index ca95748..b638dc9 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -26,6 +26,7 @@
*/
#include <sys/types.h>
#include <sys/socket.h>
+#include <xtables.h>
#include "linux_list.h"
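Review bot: The added `#include <xtables.h>` pulls the whole xtables header into libiptc, and the only use visible in this patch is the `XTABLES_VERSION` string printed by `TC_DUMP_ENTRIES` in the next hunk. That couples the library's build to the extension-loader header for a single macro, so at least annotate the dependency, `#include <xtables.h> /* XTABLES_VERSION only */`, so that a later cleanup neither drops it nor widens its use. If the version macro is also available from a smaller generated header (not visible here), including that instead would keep libiptc independent of xtables.h.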
@@ -1323,7 +1324,7 @@ TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
CHECK(handle);
printf("libiptc v%s. %u bytes.\n",
- IPTABLES_VERSION, handle->entries->size);
+ XTABLES_VERSION, handle->entries->size);
printf("Table `%s'\n", handle->info.name);
printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
handle->info.hook_entry[HOOK_PRE_ROUTING],
* [PATCH 21/24] Update spelling and grammar in manpages
From: Jan Engelhardt @ 2008-03-04 16:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
(invalidated, needs a fine refinement. Oh yeah, posting is good. More
eyeballs, I know :-)
===
commit 73d1d7b7441d44b1daa6b057772466955c4bc83b
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Feb 29 01:08:58 2008 +0100
Update spelling and grammar in manpages
---
extensions/libip6t_HL.man | 6 +++---
extensions/libip6t_eui64.man | 4 ++--
extensions/libip6t_frag.man | 2 +-
extensions/libipt_SAME.man | 2 +-
extensions/libxt_NFQUEUE.man | 2 +-
extensions/libxt_connbytes.man | 6 +++---
extensions/libxt_dccp.man | 2 +-
extensions/libxt_dscp.man | 2 +-
extensions/libxt_hashlimit.man | 4 ++--
ip6tables.8.in | 2 +-
iptables.8.in | 10 +++++-----
11 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/extensions/libip6t_HL.man b/extensions/libip6t_HL.man
index bf46881..fd5c7be 100644
--- a/extensions/libip6t_HL.man
+++ b/extensions/libip6t_HL.man
@@ -1,7 +1,7 @@
This is used to modify the Hop Limit field in IPv6 header. The Hop Limit field
is similar to what is known as TTL value in IPv4. Setting or incrementing the
Hop Limit field can potentially be very dangerous, so it should be avoided at
-any cost. This target is only valid in
+any cost. This target is only valid in the
.B mangle
table.
.TP
@@ -11,7 +11,7 @@ table.
Set the Hop Limit to `value'.
.TP
.BI "--hl-dec " "value"
-Decrement the Hop Limit `value' times.
+Decrement the Hop Limit by \fIvalue\fR.
.TP
.BI "--hl-inc " "value"
-Increment the Hop Limit `value' times.
+Increment the Hop Limit by \fIvalue\fR.
diff --git a/extensions/libip6t_eui64.man b/extensions/libip6t_eui64.man
index cd80b98..b5c70a7 100644
--- a/extensions/libip6t_eui64.man
+++ b/extensions/libip6t_eui64.man
@@ -1,6 +1,6 @@
-This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
+This module matches the EUI-64 part of a stateless auto-configured IPv6 address.
It compares the EUI-64 derived from the source MAC address in Ethernet frame
-with the lower 64 bits of the IPv6 source address. But "Universal/Local"
+with the lower 64 bits of the IPv6 source address, but the "Universal/Local"
bit is not compared. This module doesn't match other link layer frame, and
is only valid in the
.BR PREROUTING ,
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
index 5ac13a4..8937b55 100644
--- a/extensions/libip6t_frag.man
+++ b/extensions/libip6t_frag.man
@@ -17,4 +17,4 @@ Matches on the first fragment.
Matches if there are more fragments.
.TP
.BR "[--fraglast]"
-Matches if this is the last fragement.
+Matches if this is the last fragment.
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
index 4e88d48..d038615 100644
--- a/extensions/libipt_SAME.man
+++ b/extensions/libipt_SAME.man
@@ -11,5 +11,5 @@ Don't use the destination-ip in the calculations when selecting the
new source-ip
.TP
.B "--random"
-Port mapping will be forcely randomized to avoid attacks based on
+Port mapping will be forcibly randomized to avoid attacks based on
port prediction (kernel >= 2.6.21).
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index c4e9d11..090a136 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -3,7 +3,7 @@ you to put a packet into any specific queue, identified by its 16-bit queue
number.
.TP
.BR "--queue-num " "\fIvalue"
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
+This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
.TP
It can only be used with Kernel versions 2.6.14 or later, since it requires
the
diff --git a/extensions/libxt_connbytes.man b/extensions/libxt_connbytes.man
index ce7b665..5b9c251 100644
--- a/extensions/libxt_connbytes.man
+++ b/extensions/libxt_connbytes.man
@@ -1,5 +1,5 @@
Match by how many bytes or packets a connection (or one of the two
-flows constituting the connection) have tranferred so far, or by
+flows constituting the connection) have transferred so far, or by
average bytes per packet.
The counters are 64bit and are thus not expected to overflow ;)
@@ -7,8 +7,8 @@ The counters are 64bit and are thus not expected to overflow ;)
The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.
-The transfered bytes per connection can also be viewed through
-/proc/net/ip_conntrack and accessed via ctnetlink
+The transferred bytes per connection can also be viewed through
+/proc/net/nf_conntrack and accessed via ctnetlink
.TP
[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
match packets from a connection whose packets/bytes/average packet
diff --git a/extensions/libxt_dccp.man b/extensions/libxt_dccp.man
index 6443ec3..d716b81 100644
--- a/extensions/libxt_dccp.man
+++ b/extensions/libxt_dccp.man
@@ -9,4 +9,4 @@ list of packet types. Packet types are:
.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
.TP
\fB--dccp-option\fR [\fB!\fR\] \fInumber\fP
-Match if DCP option set.
+Match if DCCP option set.
diff --git a/extensions/libxt_dscp.man b/extensions/libxt_dscp.man
index cb0b6f3..29ff3b2 100644
--- a/extensions/libxt_dscp.man
+++ b/extensions/libxt_dscp.man
@@ -7,4 +7,4 @@ Match against a numeric (decimal or hex) value [0-63].
.BI "--dscp-class " "\fIDiffServ Class\fP"
Match the DiffServ class. This value may be any of the
BE, EF, AFxx or CSx classes. It will then be converted
-into it's according numeric value.
+into its according numeric value.
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index e74aedf..e449406 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -53,7 +53,7 @@ The number of buckets of the hash table
Maximum entries in the hash.
.TP
\fB--hashlimit-htable-expire\fR \fImsec\fR
-After how many miliseconds do hash entries expire.
+After how many milliseconds do hash entries expire.
.TP
\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
-How many miliseconds between garbage collection intervals.
+How many milliseconds between garbage collection intervals.
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 8528b8e..f103363 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -478,7 +478,7 @@ James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog.
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
.PP
The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
diff --git a/iptables.8.in b/iptables.8.in
index 9904c48..4024027 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -55,7 +55,7 @@ a `target', which may be a jump to a user-defined chain in the same
table.
.SH TARGETS
-A firewall rule specifies criteria for a packet, and a target. If the
+A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is the examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
@@ -155,9 +155,9 @@ The options that are recognized by
.B iptables
can be divided into several different groups.
.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
+These options specify the action to perform. Only one of them
+can be specified on the command line unless otherwise stated
+below. For long versions of the command and option names, you
need to use only enough letters to ensure that
.B iptables
can differentiate it from all other options.
@@ -188,7 +188,7 @@ fail. Rules are numbered starting at 1.
.TP
.BR "-L, --list " "[\fIchain\fP]"
List all rules in the selected chain. If no chain is selected, all
-chains are listed. As every other iptables command, it applies to the
+chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
.nf
iptables -t nat -n -L
* [PATCH 22/24] Fix broken markup in manpages
From: Jan Engelhardt @ 2008-03-04 16:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 138304554be256872d3b68a70720635a353475e6
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Feb 29 01:05:25 2008 +0100
Fix broken markup in manpages
---
extensions/libip6t_ah.man | 2 +-
extensions/libip6t_dst.man | 2 +-
extensions/libxt_NFQUEUE.man | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man
index 09d00fd..807f9e3 100644
--- a/extensions/libip6t_ah.man
+++ b/extensions/libip6t_ah.man
@@ -3,7 +3,7 @@ This module matches the parameters in Authentication header of IPsec packets.
.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
Matches SPI.
.TP
-.BR "--ahlen " "[!] \fIlength"
+[\fB!\fP] \fB--ahlen\fP \fIlength\fP
Total length of this header in octets.
.TP
.BI "--ahres"
diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man
index f42d822..d895a0e 100644
--- a/extensions/libip6t_dst.man
+++ b/extensions/libip6t_dst.man
@@ -1,6 +1,6 @@
This module matches the parameters in Destination Options header
.TP
-.BR "--dst-len " "[!] \fIlength"
+[\fB!\fP] \fB--dst-len\fP \fIlength\fP
Total length of this header in octets.
.TP
.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 090a136..acd45e9 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -2,7 +2,7 @@ This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
you to put a packet into any specific queue, identified by its 16-bit queue
number.
.TP
-.BR "--queue-num " "\fIvalue"
+\fB--queue-num\fP \fIvalue\fP
This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
.TP
It can only be used with Kernel versions 2.6.14 or later, since it requires
* [PATCH 23/24] Clarify prerequisites of Xtables and update option notes
From: Jan Engelhardt @ 2008-03-04 16:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit a2f4f8e88552d9505fe22c7246e236d9635d4084
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Mar 3 00:34:48 2008 +0100
Clarify prerequisites of Xtables and update option notes
---
INSTALL | 26 ++++++++++++++++----------
Makefile.am | 2 +-
configure.ac | 6 +++---
include/{xtables.h => xtables.h.in} | 2 ++
4 files changed, 22 insertions(+), 14 deletions(-)
rename include/{xtables.h => xtables.h.in} (99%)
diff --git a/INSTALL b/INSTALL
index 7b4cb9b..dfac3af 100644
--- a/INSTALL
+++ b/INSTALL
@@ -11,8 +11,10 @@ Xtables uses the well-known configure(autotools) infrastructure.
Prerequisites
=============
- * no other packages required
- (well, you obviously need the basics like a compiler)
+ * no kernel-source required
+
+ * but obviously a compiler, glibc-devel and linux-kernel-headers
+ (/usr/include/linux)
Configuring and compiling
@@ -26,20 +28,24 @@ Configuring and compiling
/usr/local, so the binaries will go into /usr/local/bin, sbin,
manpages into /usr/local/share/man, etc.
---xtlibdir=
+--with-xtlibdir=
The path to where Xtables extensions should be installed to. It
defaults to ${prefix}/libexec/xtables.
---enable-devel
-
- This causes development files to be installed to
- ${prefix}/include. (By default, no headers and libraries are
- installed.)
+--enable-devel (or --disable-devel)
- This is needed for building additional packages,
+ This option causes development files to be installed to
+ ${includedir}, which is needed for building additional packages,
such as Xtables-addons or other 3rd-party extensions.
+ It is enabled by default.
+
+--enable-libipq
+
+ This option causes libipq to be installed into ${libdir} and
+ ${includedir}.
+
--enable-static
Enable building single standalone multipurpose binaries,
@@ -51,7 +57,7 @@ Configuring and compiling
Xtables does not depend on kernel headers anymore, but you can
optionally specify a search path to include anyway. This is
- probably only useful for development.
+ probably only useful for development and cross-compiling.
If you want to enable debugging, use
diff --git a/Makefile.am b/Makefile.am
index 80ef3a0..e9448c8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign subdir-objects
regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
if ENABLE_LIBIPQ
SUBDIRS += libipq
diff --git a/configure.ac b/configure.ac
index b4bd5c0..829027e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -40,8 +40,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
- -Winline -pipe -DXTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
- -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
+ -Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="";
if [[ -n "$kbuilddir" ]]; then
kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
@@ -54,4 +53,5 @@ AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
AC_SUBST([xtlibdir])
-AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
+AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile
+ include/xtables.h])
diff --git a/include/xtables.h b/include/xtables.h.in
similarity index 99%
rename from include/xtables.h
rename to include/xtables.h.in
index 408d199..02fb7a0 100644
--- a/include/xtables.h
+++ b/include/xtables.h.in
@@ -7,6 +7,8 @@
#include <libiptc/libxtc.h>
#include <stdbool.h>
+#define XTABLES_VERSION "@PACKAGE_VERSION@"
+
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 24/24] v1.5.2
From: Jan Engelhardt @ 2008-03-04 16:22 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
It's just here for completeness. :-)
===
commit b567100706830bb8917220d81350edc6623e8189
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue Mar 4 04:50:11 2008 +0100
Xtables 1.5.2
---
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 829027e..2fdec4a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([iptables], [1.4.1])
+AC_INIT([xtables], [1.5.2])
AC_CONFIG_HEADERS([config.h])
AC_PROG_INSTALL
AM_INIT_AUTOMAKE
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 01/19] [NETFILTER]: xt_sctp: simplify xt_sctp.h
From: Jan Engelhardt @ 2008-03-04 16:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List, netdev
Is this transformation ok this way? Eyeballs please :)
===
commit c95858194ffe1fbe19fa99287c78c10046bb188b
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Tue Jan 29 16:53:31 2008 +0100
[NETFILTER]: xt_sctp: simplify xt_sctp.h
The use of xt_sctp.h flagged up -Wshadow warnings in userspace, which
prompted me to look at it and clean it up. Basic operations have been
directly replaced by library calls (memcpy and memset are both available
in the kernel and userspace, and are usually faster than a self-made
loop). The is_set and is_clear functions now use a processing time
shortcut, too.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_sctp.h | 84 ++++++++++++-----------------
1 files changed, 35 insertions(+), 49 deletions(-)
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index dd5a4fd..32000ba 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -37,68 +37,54 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] |= \
+ (chunkmap)[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] &= \
+ (chunkmap)[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
- (chunkmap[type / bytes (u_int32_t)] & \
+ ((chunkmap)[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- chunkmap[i] = 0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
- chunkmap[i] = ~0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
- do { \
- int i; \
- for (i = 0; i < ARRAY_SIZE(srcmap); i++) \
- destmap[i] = srcmap[i]; \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
- if (chunkmap[i]) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
-
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
- if (chunkmap[i] != ~0) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i])
+ return false;
+ return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i] != ~0U)
+ return false;
+ return true;
+}
#endif /* _XT_SCTP_H_ */
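Review bot: SCTP_CHUNKMAP_RESET, SCTP_CHUNKMAP_SET_ALL and SCTP_CHUNKMAP_COPY now take their length from `sizeof(chunkmap)` / `sizeof(srcmap)`, so an argument that has decayed to a pointer compiles silently and only pointer-size bytes are written or copied, and COPY still never checks that `destmap` is at least as large as `srcmap`. The removed loops went through ARRAY_SIZE, which (in kernel builds, as far as I know) rejects non-array arguments at compile time, so that protection is lost for these three macros. I would at least document the contract above them, e.g. `/* arguments must be real u_int32_t arrays of identical size, never pointers */`, and in kernel-only callers pair the copy with a size check such as `BUILD_BUG_ON(sizeof(dst) != sizeof(src))`. Separately, the hunk parenthesizes `chunkmap` in SET/CLEAR/IS_SET but leaves `type` bare; `(type) / bytes(u_int32_t)` and `(type) % bytes(u_int32_t)` would finish the job.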
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 02/19] [NETFILTER]: annotate xtables targets with const and remove casts
From: Jan Engelhardt @ 2008-03-04 16:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 30e2d2490d4c473242420f26e02c0bf0b1b8e29c
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate xtables targets with const and remove casts
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 12 ++++++------
net/ipv4/netfilter/ipt_ECN.c | 2 +-
net/ipv4/netfilter/ipt_LOG.c | 3 ++-
net/ipv4/netfilter/ipt_REJECT.c | 6 ++++--
net/ipv4/netfilter/ipt_recent.c | 6 +++---
net/ipv4/netfilter/nf_nat_rule.c | 4 ++--
net/ipv6/netfilter/ip6t_REJECT.c | 3 ++-
| 3 ++-
net/ipv6/netfilter/ip6t_rt.c | 3 ++-
net/netfilter/xt_CONNSECMARK.c | 2 +-
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_connlimit.c | 6 +++---
net/netfilter/xt_dccp.c | 3 ++-
net/netfilter/xt_esp.c | 3 ++-
net/netfilter/xt_multiport.c | 6 ++++--
net/netfilter/xt_policy.c | 2 +-
net/netfilter/xt_rateest.c | 4 ++--
net/netfilter/xt_sctp.c | 6 ++++--
net/netfilter/xt_tcpmss.c | 6 ++++--
net/netfilter/xt_tcpudp.c | 9 ++++++---
net/netfilter/xt_time.c | 2 +-
21 files changed, 55 insertions(+), 38 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index c6cf84c..b8c793c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -142,7 +142,7 @@ clusterip_config_init_nodelist(struct clusterip_config *c,
}
static struct clusterip_config *
-clusterip_config_init(struct ipt_clusterip_tgt_info *i, __be32 ip,
+clusterip_config_init(const struct ipt_clusterip_tgt_info *i, __be32 ip,
struct net_device *dev)
{
struct clusterip_config *c;
@@ -417,7 +417,7 @@ clusterip_tg_check(const char *tablename, const void *e_void,
/* drop reference count of cluster config when rule is deleted */
static void clusterip_tg_destroy(const struct xt_target *target, void *targinfo)
{
- struct ipt_clusterip_tgt_info *cipinfo = targinfo;
+ const struct ipt_clusterip_tgt_info *cipinfo = targinfo;
/* if no more entries are referencing the config, remove it
* from the list and destroy the proc entry */
@@ -566,7 +566,7 @@ struct clusterip_seq_position {
static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
{
- struct proc_dir_entry *pde = s->private;
+ const struct proc_dir_entry *pde = s->private;
struct clusterip_config *c = pde->data;
unsigned int weight;
u_int32_t local_nodes;
@@ -593,7 +593,7 @@ static void *clusterip_seq_start(struct seq_file *s, loff_t *pos)
static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
*pos = ++idx->pos;
if (*pos >= idx->weight) {
@@ -612,7 +612,7 @@ static void clusterip_seq_stop(struct seq_file *s, void *v)
static int clusterip_seq_show(struct seq_file *s, void *v)
{
- struct clusterip_seq_position *idx = (struct clusterip_seq_position *)v;
+ struct clusterip_seq_position *idx = v;
if (idx->pos != 0)
seq_putc(s, ',');
@@ -668,7 +668,7 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
{
#define PROC_WRITELEN 10
char buffer[PROC_WRITELEN+1];
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct clusterip_config *c = pde->data;
unsigned long nodenum;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 21395bc..d60139c 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -100,7 +100,7 @@ ecn_tg_check(const char *tablename, const void *e_void,
const struct xt_target *target, void *targinfo,
unsigned int hook_mask)
{
- const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
+ const struct ipt_ECN_info *einfo = targinfo;
const struct ipt_entry *e = e_void;
if (einfo->operation & IPT_ECN_OP_MASK) {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index b38d785..77300e9 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -76,7 +76,8 @@ static void dump_packet(const struct nf_loginfo *info,
if ((logflags & IPT_LOG_IPOPT)
&& ih->ihl * 4 > sizeof(struct iphdr)) {
- unsigned char _opt[4 * 15 - sizeof(struct iphdr)], *op;
+ const unsigned char *op;
+ unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
unsigned int i, optsize;
optsize = ih->ihl * 4 - sizeof(struct iphdr);
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 22606e2..2639872 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -35,8 +35,10 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv4");
static void send_reset(struct sk_buff *oldskb, int hook)
{
struct sk_buff *nskb;
- struct iphdr *oiph, *niph;
- struct tcphdr _otcph, *oth, *tcph;
+ const struct iphdr *oiph;
+ struct iphdr *niph;
+ const struct tcphdr *oth;
+ struct tcphdr _otcph, *tcph;
unsigned int addr_type;
/* IP header checks: fragment. */
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 68cbe3c..f2142b7 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -339,7 +339,7 @@ static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct recent_iter_state *st = seq->private;
- struct recent_table *t = st->table;
+ const struct recent_table *t = st->table;
struct recent_entry *e = v;
struct list_head *head = e->list.next;
@@ -360,7 +360,7 @@ static void recent_seq_stop(struct seq_file *s, void *v)
static int recent_seq_show(struct seq_file *seq, void *v)
{
- struct recent_entry *e = v;
+ const struct recent_entry *e = v;
unsigned int i;
i = (e->index - 1) % ip_pkt_list_tot;
@@ -395,7 +395,7 @@ static int recent_seq_open(struct inode *inode, struct file *file)
static ssize_t recent_proc_write(struct file *file, const char __user *input,
size_t size, loff_t *loff)
{
- struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+ const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct recent_table *t = pde->data;
struct recent_entry *e;
char buf[sizeof("+255.255.255.255")], *c = buf;
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index f8fda57..600f6d7 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -143,7 +143,7 @@ static bool ipt_snat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
@@ -159,7 +159,7 @@ static bool ipt_dnat_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct nf_nat_multi_range_compat *mr = targinfo;
+ const struct nf_nat_multi_range_compat *mr = targinfo;
/* Must be a valid range */
if (mr->rangesize != 1) {
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index b23baa6..c779d76 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -41,7 +41,8 @@ static void send_reset(struct sk_buff *oldskb)
struct tcphdr otcph, *tcph;
unsigned int otcplen, hh_len;
int tcphoff, needs_ack;
- struct ipv6hdr *oip6h = ipv6_hdr(oldskb), *ip6h;
+ const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+ struct ipv6hdr *ip6h;
struct dst_entry *dst = NULL;
u8 proto;
struct flowi fl;
--git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 3a94017..317a896 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -49,7 +49,8 @@ ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
temp = 0;
while (ip6t_ext_hdr(nexthdr)) {
- struct ipv6_opt_hdr _hdr, *hp;
+ const struct ipv6_opt_hdr *hp;
+ struct ipv6_opt_hdr _hdr;
int hdrlen;
/* Is there enough space for the next ext header? */
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 12a9efe..81aaf7a 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -110,7 +110,8 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
if (ret && (rtinfo->flags & IP6T_RT_RES)) {
- u_int32_t *rp, _reserved;
+ const u_int32_t *rp;
+ u_int32_t _reserved;
rp = skb_header_pointer(skb,
ptr + offsetof(struct rt0_hdr,
reserved),
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 1faa913..211189e 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -55,7 +55,7 @@ static void secmark_save(const struct sk_buff *skb)
static void secmark_restore(struct sk_buff *skb)
{
if (!skb->secmark) {
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 24c73ba..64d6ad3 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -96,7 +96,7 @@ xt_rateest_tg_checkentry(const char *tablename,
void *targinfo,
unsigned int hook_mask)
{
- struct xt_rateest_target_info *info = (void *)targinfo;
+ struct xt_rateest_target_info *info = targinfo;
struct xt_rateest *est;
struct {
struct nlattr opt;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 3b01119..0ca9fe9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -106,10 +106,10 @@ static int count_them(struct xt_connlimit_data *data,
const union nf_inet_addr *mask,
const struct xt_match *match)
{
- struct nf_conntrack_tuple_hash *found;
+ const struct nf_conntrack_tuple_hash *found;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
- struct nf_conn *found_ct;
+ const struct nf_conn *found_ct;
struct list_head *hash;
bool addit = true;
int matches = 0;
@@ -256,7 +256,7 @@ connlimit_mt_check(const char *tablename, const void *ip,
static void
connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
{
- struct xt_connlimit_info *info = matchinfo;
+ const struct xt_connlimit_info *info = matchinfo;
struct xt_connlimit_conn *conn;
struct xt_connlimit_conn *tmp;
struct list_head *hash = info->data->iphash;
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 667f45e..8b65221 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -98,7 +98,8 @@ dccp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_dccp_info *info = matchinfo;
- struct dccp_hdr _dh, *dh;
+ const struct dccp_hdr *dh;
+ struct dccp_hdr _dh;
if (offset)
return false;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 71c7c37..a133eb9 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -47,7 +47,8 @@ esp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct ip_esp_hdr _esp, *eh;
+ const struct ip_esp_hdr *eh;
+ struct ip_esp_hdr _esp;
const struct xt_esp *espinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 31daa81..fd88c48 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -100,7 +100,8 @@ multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport *multiinfo = matchinfo;
if (offset)
@@ -126,7 +127,8 @@ multiport_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- __be16 _ports[2], *pptr;
+ const __be16 *pptr;
+ __be16 _ports[2];
const struct xt_multiport_v1 *multiinfo = matchinfo;
if (offset)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 9e918ad..d351582 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -136,7 +136,7 @@ policy_mt_check(const char *tablename, const void *ip_void,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_policy_info *info = matchinfo;
+ const struct xt_policy_info *info = matchinfo;
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
printk(KERN_ERR "xt_policy: neither incoming nor "
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index fdb86a5..ebd84f1 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -86,7 +86,7 @@ static bool xt_rateest_mt_checkentry(const char *tablename,
void *matchinfo,
unsigned int hook_mask)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
struct xt_rateest *est1, *est2;
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
@@ -130,7 +130,7 @@ err1:
static void xt_rateest_mt_destroy(const struct xt_match *match,
void *matchinfo)
{
- struct xt_rateest_match_info *info = (void *)matchinfo;
+ struct xt_rateest_match_info *info = matchinfo;
xt_rateest_put(info->est1);
if (info->est2)
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b718ec6..e6e4681 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -46,7 +46,8 @@ match_packet(const struct sk_buff *skb,
bool *hotdrop)
{
u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
- sctp_chunkhdr_t _sch, *sch;
+ const sctp_chunkhdr_t *sch;
+ sctp_chunkhdr_t _sch;
int chunk_match_type = info->chunk_match_type;
const struct xt_sctp_flag_info *flag_info = info->flag_info;
int flag_count = info->flag_count;
@@ -121,7 +122,8 @@ sctp_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
const struct xt_sctp_info *info = matchinfo;
- sctp_sctphdr_t _sh, *sh;
+ const sctp_sctphdr_t *sh;
+ sctp_sctphdr_t _sh;
if (offset) {
duprintf("Dropping non-first fragment.. FIXME\n");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index d7a5b27..6771bf0 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -31,9 +31,11 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
bool *hotdrop)
{
const struct xt_tcpmss_match_info *info = matchinfo;
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u8 _opt[15 * 4 - sizeof(_tcph)], *op;
+ const u_int8_t *op;
+ u8 _opt[15 * 4 - sizeof(_tcph)];
unsigned int i, optlen;
/* If we don't have the whole header, drop packet. */
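Review bot: Splitting the declaration leaves the `tcp.doff is only 4 bits` comment sitting directly above `const u_int8_t *op;`, although it explains the size of `_opt`, and the new pointer is spelled `u_int8_t` while the buffer it points into is `u8`. I would keep the buffer under its comment and use one spelling: `u8 _opt[15 * 4 - sizeof(_tcph)];` followed by `const u8 *op;`. The same comment displacement occurs in tcp_find_option in xt_tcpudp.c. tcpmss_mt's body continues outside the hunk.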
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 4fa3b66..951b06b 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -42,7 +42,8 @@ tcp_find_option(u_int8_t option,
bool *hotdrop)
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
+ const u_int8_t *op;
+ u_int8_t _opt[60 - sizeof(struct tcphdr)];
unsigned int i;
duprintf("tcp_match: finding option\n");
@@ -72,7 +73,8 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct tcphdr _tcph, *th;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
const struct xt_tcp *tcpinfo = matchinfo;
if (offset) {
@@ -144,7 +146,8 @@ udp_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const struct xt_match *match,
const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
{
- struct udphdr _udph, *uh;
+ const struct udphdr *uh;
+ struct udphdr _udph;
const struct xt_udp *udpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index e9a8794..41297d0 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -220,7 +220,7 @@ time_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- struct xt_time_info *info = matchinfo;
+ const struct xt_time_info *info = matchinfo;
if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
info->daytime_stop > XT_TIME_MAX_DAYTIME) {
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 03/19] [NETFILTER]: annotate {arp,ip,ip6,x}tables with const
From: Jan Engelhardt @ 2008-03-04 16:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit b5ee37d4825c664d5560acf785ae97ec207c761c
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate {arp,ip,ip6,x}tables with const
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/x_tables.h | 4 +-
net/ipv4/netfilter/arp_tables.c | 33 ++++++++++++++-------------
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/ip_tables.c | 31 +++++++++++++------------
net/ipv6/netfilter/ip6_tables.c | 29 ++++++++++++-----------
net/netfilter/x_tables.c | 18 +++++++-------
6 files changed, 60 insertions(+), 57 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index b2c62cc..2326296 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -430,13 +430,13 @@ extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
extern void xt_compat_flush_offsets(int af);
extern short xt_compat_calc_jump(int af, unsigned int offset);
-extern int xt_compat_match_offset(struct xt_match *match);
+extern int xt_compat_match_offset(const struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
void **dstptr, unsigned int *size);
extern int xt_compat_match_to_user(struct xt_entry_match *m,
void __user **dstptr, unsigned int *size);
-extern int xt_compat_target_offset(struct xt_target *target);
+extern int xt_compat_target_offset(const struct xt_target *target);
extern void xt_compat_target_from_user(struct xt_entry_target *t,
void **dstptr, unsigned int *size);
extern int xt_compat_target_to_user(struct xt_entry_target *t,
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index a7591ce..4191588 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -59,7 +59,7 @@ do { \
#endif
static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
- char *hdr_addr, int len)
+ const char *hdr_addr, int len)
{
int i, ret;
@@ -80,8 +80,8 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
const char *outdev,
const struct arpt_arp *arpinfo)
{
- char *arpptr = (char *)(arphdr + 1);
- char *src_devaddr, *tgt_devaddr;
+ const char *arpptr = (char *)(arphdr + 1);
+ const char *src_devaddr, *tgt_devaddr;
__be32 src_ipaddr, tgt_ipaddr;
int i, ret;
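Review bot: The initializer of `arpptr` still casts through plain `char *`, which strips the `const` from `arphdr` only for the assignment to add it back. Since the commit is about const annotation, the cast should carry the qualifier too: `const char *arpptr = (const char *)(arphdr + 1);`. That keeps the expression clean under `-Wcast-qual`. arp_packet_match's body continues outside the hunk.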
@@ -226,12 +226,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
- struct arphdr *arp;
+ const struct arphdr *arp;
bool hotdrop = false;
struct arpt_entry *e, *back;
- const char *indev, *outdev;
+ const const char *indev, *outdev;
void *table_base;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
/* ARP header, plus 2 device addresses, plus 2 IP addresses. */
if (!pskb_may_pull(skb, (sizeof(struct arphdr) +
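Review bot: The changed declaration reads `const const char *indev, *outdev;`, with the qualifier duplicated; the removed line was already `const char *`, so this line needed no change at all. The duplicate is harmless to code generation but looks like an editing slip and can draw a pedantic-mode diagnostic; it should be restored to `const char *indev, *outdev;`. arpt_do_table's body continues outside the hunk.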
@@ -355,7 +355,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
e->counters.pcnt = pos;
for (;;) {
- struct arpt_standard_target *t
+ const struct arpt_standard_target *t
= (void *)arpt_get_target(e);
int visited = e->comefrom & (1 << hook);
@@ -440,7 +440,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
static inline int check_entry(struct arpt_entry *e, const char *name)
{
- struct arpt_entry_target *t;
+ const struct arpt_entry_target *t;
if (!arp_checkentry(&e->arp)) {
duprintf("arp_tables: arp check failed %p %s.\n", e, name);
@@ -713,7 +713,7 @@ static inline struct xt_counters *alloc_counters(struct arpt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
* (other than comefrom, which userspace doesn't care
@@ -740,7 +740,7 @@ static int copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct arpt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
void *loc_cpu_entry;
@@ -875,7 +875,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -930,7 +930,8 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
+
duprintf("t->private->number = %u\n",
private->number);
if (get.size == private->size)
@@ -1090,11 +1091,11 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct arpt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1561,7 +1562,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
@@ -1612,7 +1613,7 @@ static int compat_get_entries(struct net *net,
xt_compat_lock(NF_ARP);
t = xt_find_table_lock(net, NF_ARP, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 3f4222b..3e732c8 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -15,7 +15,7 @@ target(struct sk_buff *skb,
const void *targinfo)
{
const struct arpt_mangle *mangle = targinfo;
- struct arphdr *arp;
+ const struct arphdr *arp;
unsigned char *arpptr;
int pln, hln;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 600737f..eb3ec74 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -296,7 +296,7 @@ static void trace_packet(struct sk_buff *skb,
struct ipt_entry *e)
{
void *table_base;
- struct ipt_entry *root;
+ const struct ipt_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -327,7 +327,7 @@ ipt_do_table(struct sk_buff *skb,
{
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
u_int16_t offset;
- struct iphdr *ip;
+ const struct iphdr *ip;
u_int16_t datalen;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
@@ -926,7 +926,7 @@ static struct xt_counters * alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -953,9 +953,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ipt_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -975,8 +975,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ipt_entry_match *m;
- struct ipt_entry_target *t;
+ const struct ipt_entry_match *m;
+ const struct ipt_entry_target *t;
e = (struct ipt_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
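Review bot: The cast in `e = (struct ipt_entry *)(loc_cpu_entry + off);` discards the `const` that the previous hunk just added to `loc_cpu_entry`, so the compiler still cannot catch a write to the rule blob through `e`. `e` is declared `struct ipt_entry *e;` in the same function; if the loop only reads through it, declare it `const struct ipt_entry *e;` and cast with `(const struct ipt_entry *)`. The same line appears in copy_entries_to_user() in net/ipv6/netfilter/ip6_tables.c as `e = (struct ip6t_entry *)(loc_cpu_entry + off);`. The loop body continues outside the hunk, so confirm nothing writes through `e` before changing it.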
@@ -1116,7 +1116,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"iptable_%s", name);
if (t && !IS_ERR(t)) {
struct ipt_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1172,7 +1172,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, int *len)
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
duprintf("t->private->number = %u\n", private->number);
if (get.size == private->size)
ret = copy_entries_to_user(private->size,
@@ -1337,11 +1337,11 @@ do_add_counters(struct net *net, void __user *user, unsigned int len, int compat
struct xt_counters_info tmp;
struct xt_counters *paddc;
unsigned int num_counters;
- char *name;
+ const char *name;
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
@@ -1878,11 +1878,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1929,7 +1929,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
xt_compat_lock(AF_INET);
t = xt_find_table_lock(net, AF_INET, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2130,7 +2130,8 @@ icmp_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmphdr _icmph, *ic;
+ const struct icmphdr *ic;
+ struct icmphdr _icmph;
const struct ipt_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index bf9bb6e..743b108 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -325,7 +325,7 @@ static void trace_packet(struct sk_buff *skb,
struct ip6t_entry *e)
{
void *table_base;
- struct ip6t_entry *root;
+ const struct ip6t_entry *root;
char *hookname, *chainname, *comment;
unsigned int rulenum = 0;
@@ -952,7 +952,7 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
/* We need atomic snapshot of counters: rest doesn't change
(other than comefrom, which userspace doesn't care
@@ -979,9 +979,9 @@ copy_entries_to_user(unsigned int total_size,
unsigned int off, num;
struct ip6t_entry *e;
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
counters = alloc_counters(table);
if (IS_ERR(counters))
@@ -1001,8 +1001,8 @@ copy_entries_to_user(unsigned int total_size,
/* ... then go back and fix counters and names */
for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
unsigned int i;
- struct ip6t_entry_match *m;
- struct ip6t_entry_target *t;
+ const struct ip6t_entry_match *m;
+ const struct ip6t_entry_target *t;
e = (struct ip6t_entry *)(loc_cpu_entry + off);
if (copy_to_user(userptr + off
@@ -1142,7 +1142,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
"ip6table_%s", name);
if (t && !IS_ERR(t)) {
struct ip6t_getinfo info;
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
#ifdef CONFIG_COMPAT
if (compat) {
@@ -1225,7 +1225,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
struct xt_table *t;
struct xt_table_info *oldinfo;
struct xt_counters *counters;
- void *loc_cpu_old_entry;
+ const void *loc_cpu_old_entry;
ret = 0;
counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1369,9 +1369,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
int size;
void *ptmp;
struct xt_table *t;
- struct xt_table_info *private;
+ const struct xt_table_info *private;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
#ifdef CONFIG_COMPAT
struct compat_xt_counters_info compat_tmp;
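Review bot: `const void *loc_cpu_entry;` in this do_add_counters() is inconsistent with the ip_tables.c and arp_tables.c versions in the same patch, which both keep `void *loc_cpu_entry;`. The function body is outside the hunk, but the name suggests the per-CPU entries are updated through this pointer. If so, the qualifier can only survive because a cast or iteration macro strips it, and it then misdescribes the access. Keeping `void *loc_cpu_entry;` here, as in the other two files, would keep the three implementations parallel.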
@@ -1905,11 +1905,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
- struct xt_table_info *private = table->private;
+ const struct xt_table_info *private = table->private;
void __user *pos;
unsigned int size;
int ret = 0;
- void *loc_cpu_entry;
+ const void *loc_cpu_entry;
unsigned int i = 0;
counters = alloc_counters(table);
@@ -1956,7 +1956,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
xt_compat_lock(AF_INET6);
t = xt_find_table_lock(net, AF_INET6, get.name);
if (t && !IS_ERR(t)) {
- struct xt_table_info *private = t->private;
+ const struct xt_table_info *private = t->private;
struct xt_table_info info;
duprintf("t->private->number = %u\n", private->number);
ret = compat_table_info(private, &info);
@@ -2155,7 +2155,8 @@ icmp6_match(const struct sk_buff *skb,
unsigned int protoff,
bool *hotdrop)
{
- struct icmp6hdr _icmph, *ic;
+ const struct icmp6hdr *ic;
+ struct icmp6hdr _icmph;
const struct ip6t_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a679208..4d74dff 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -58,7 +58,7 @@ static struct xt_af *xt;
#define duprintf(format, args...)
#endif
-static const char *xt_prefix[NPROTO] = {
+static const char *const xt_prefix[NPROTO] = {
[AF_INET] = "ip",
[AF_INET6] = "ip6",
[NF_ARP] = "arp",
@@ -248,7 +248,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_target);
static int match_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_match *m;
+ const struct xt_match *m;
int have_rev = 0;
list_for_each_entry(m, &xt[af].match, list) {
@@ -264,7 +264,7 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
static int target_revfn(int af, const char *name, u8 revision, int *bestp)
{
- struct xt_target *t;
+ const struct xt_target *t;
int have_rev = 0;
list_for_each_entry(t, &xt[af].target, list) {
@@ -385,7 +385,7 @@ short xt_compat_calc_jump(int af, unsigned int offset)
}
EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
-int xt_compat_match_offset(struct xt_match *match)
+int xt_compat_match_offset(const struct xt_match *match)
{
u_int16_t csize = match->compatsize ? : match->matchsize;
return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
@@ -395,7 +395,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_offset);
int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
int pad, off = xt_compat_match_offset(match);
u_int16_t msize = cm->u.user.match_size;
@@ -422,7 +422,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
unsigned int *size)
{
- struct xt_match *match = m->u.kernel.match;
+ const struct xt_match *match = m->u.kernel.match;
struct compat_xt_entry_match __user *cm = *dstptr;
int off = xt_compat_match_offset(match);
u_int16_t msize = m->u.user.match_size - off;
@@ -479,7 +479,7 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
EXPORT_SYMBOL_GPL(xt_check_target);
#ifdef CONFIG_COMPAT
-int xt_compat_target_offset(struct xt_target *target)
+int xt_compat_target_offset(const struct xt_target *target)
{
u_int16_t csize = target->compatsize ? : target->targetsize;
return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
@@ -489,7 +489,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_offset);
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
int pad, off = xt_compat_target_offset(target);
u_int16_t tsize = ct->u.user.target_size;
@@ -515,7 +515,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
unsigned int *size)
{
- struct xt_target *target = t->u.kernel.target;
+ const struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target __user *ct = *dstptr;
int off = xt_compat_target_offset(target);
u_int16_t tsize = t->u.user.target_size - off;
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 04/19] [NETFILTER]: annotate rest of nf_conntrack_* with const
From: Jan Engelhardt @ 2008-03-04 16:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 18f903b716553f4dda61cc5f936323698b98e29b
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate rest of nf_conntrack_* with const
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 8 ++++----
net/netfilter/nf_conntrack_amanda.c | 2 +-
net/netfilter/nf_conntrack_ftp.c | 5 +++--
net/netfilter/nf_conntrack_helper.c | 2 +-
net/netfilter/nf_conntrack_irc.c | 14 ++++++++------
5 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2a0d698..d4a42f0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -103,8 +103,8 @@ struct ctl_table nf_ct_ipv6_sysctl_table[] = {
};
#endif
-static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
- struct in6_addr *daddr)
+static unsigned int ip6qhashfn(__be32 id, const struct in6_addr *saddr,
+ const struct in6_addr *daddr)
{
u32 a, b, c;
@@ -132,7 +132,7 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
static unsigned int nf_hashfn(struct inet_frag_queue *q)
{
- struct nf_ct_frag6_queue *nq;
+ const struct nf_ct_frag6_queue *nq;
nq = container_of(q, struct nf_ct_frag6_queue, q);
return ip6qhashfn(nq->id, &nq->saddr, &nq->daddr);
@@ -220,7 +220,7 @@ oom:
static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
- struct frag_hdr *fhdr, int nhoff)
+ const struct frag_hdr *fhdr, int nhoff)
{
struct sk_buff *prev, *next;
int offset, end;
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 7b8239c..572eedf 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -53,7 +53,7 @@ enum amanda_strings {
};
static struct {
- char *string;
+ const char *string;
size_t len;
struct ts_config *ts;
} search[] __read_mostly = {
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6770baf..e0a2877 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -350,8 +350,9 @@ static int help(struct sk_buff *skb,
enum ip_conntrack_info ctinfo)
{
unsigned int dataoff, datalen;
- struct tcphdr _tcph, *th;
- char *fb_ptr;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *fb_ptr;
int ret;
u32 seq;
int dir = CTINFO2DIR(ctinfo);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index b1fd21c..367e23c 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -125,7 +125,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_expect *exp;
- struct hlist_node *n, *next;
+ const struct hlist_node *n, *next;
unsigned int i;
mutex_lock(&nf_ct_helper_mutex);
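Review bot: `const struct hlist_node *n, *next;` in nf_conntrack_helper_unregister() looks like the wrong place for const. The loops are outside the hunk, but an unregister path with a `next` cursor presumably walks the lists with a removal-safe iterator and unlinks entries. If so, the entries reached through `n` are modified, and the qualifier only holds because the entry macro casts it away. In that case the declaration should stay `struct hlist_node *n, *next;` so it reflects that the list is mutated under `nf_ct_helper_mutex`.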
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index c336b07..37a5ae5 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -50,7 +50,7 @@ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per "
module_param(dcc_timeout, uint, 0400);
MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
-static const char *dccprotos[] = {
+static const char *const dccprotos[] = {
"SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT "
};
@@ -65,7 +65,7 @@ static const char *dccprotos[] = {
* ad_beg_p returns pointer to first byte of addr data
* ad_end_p returns pointer to last byte of addr data
*/
-static int parse_dcc(char *data, char *data_end, u_int32_t *ip,
+static int parse_dcc(char *data, const char *data_end, u_int32_t *ip,
u_int16_t *port, char **ad_beg_p, char **ad_end_p)
{
/* at least 12: "AAAAAAAA P\1\n" */
@@ -93,9 +93,11 @@ static int help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{
unsigned int dataoff;
- struct iphdr *iph;
- struct tcphdr _tcph, *th;
- char *data, *data_limit, *ib_ptr;
+ const struct iphdr *iph;
+ const struct tcphdr *th;
+ struct tcphdr _tcph;
+ const char *data_limit;
+ char *data, *ib_ptr;
int dir = CTINFO2DIR(ctinfo);
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
@@ -159,7 +161,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
/* we have at least
* (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
* data left (== 14/13 bytes) */
- if (parse_dcc((char *)data, data_limit, &dcc_ip,
+ if (parse_dcc(data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
pr_debug("unable to parse dcc command\n");
continue;
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 05/19] [NETFILTER]: annotate rest of nf_nat_* with const
From: Jan Engelhardt @ 2008-03-04 16:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 72d8922ae0cd24c9f5a998b6de2723cd27d07fce
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri Jan 25 20:52:56 2008 +0100
[NETFILTER]: annotate rest of nf_nat_* with const
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv4/netfilter/nf_nat_core.c | 8 ++++----
net/ipv4/netfilter/nf_nat_snmp_basic.c | 17 ++++++++---------
net/ipv4/netfilter/nf_nat_standalone.c | 8 ++++----
3 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 0d5fa3a..9c8aa8d 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -150,9 +150,9 @@ find_appropriate_src(const struct nf_conntrack_tuple *tuple,
const struct nf_nat_range *range)
{
unsigned int h = hash_by_src(tuple);
- struct nf_conn_nat *nat;
- struct nf_conn *ct;
- struct hlist_node *n;
+ const struct nf_conn_nat *nat;
+ const struct nf_conn *ct;
+ const struct hlist_node *n;
rcu_read_lock();
hlist_for_each_entry_rcu(nat, n, &bysource[h], bysource) {
@@ -426,7 +426,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
struct icmphdr icmp;
struct iphdr ip;
} *inside;
- struct nf_conntrack_l4proto *l4proto;
+ const struct nf_conntrack_l4proto *l4proto;
struct nf_conntrack_tuple inner, target;
int hdrlen = ip_hdrlen(skb);
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 540ce6a..0c695c0 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -219,7 +219,7 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
if (ch < 0x80)
*len = ch;
else {
- cnt = (unsigned char) (ch & 0x7F);
+ cnt = ch & 0x7F;
*len = 0;
while (cnt > 0) {
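Review bot: In asn1_length_decode(), `cnt = ch & 0x7F;` allows a long-form length of up to 127 octets, and nothing visible limits it before `while (cnt > 0)` starts consuming them into `*len`. The loop body is outside the hunk; if it shifts each octet into `*len`, any count larger than `sizeof(*len)` silently wraps a length taken from the packet. A guard before `*len = 0;`, for example `if (cnt > sizeof(*len)) return 0;` (using whatever the function's failure return is), would reject such encodings instead of truncating them.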
@@ -617,8 +617,7 @@ struct snmp_cnv
int syntax;
};
-static struct snmp_cnv snmp_conv [] =
-{
+static const struct snmp_cnv snmp_conv[] = {
{ASN1_UNI, ASN1_NUL, SNMP_NULL},
{ASN1_UNI, ASN1_INT, SNMP_INTEGER},
{ASN1_UNI, ASN1_OTS, SNMP_OCTETSTR},
@@ -643,7 +642,7 @@ static unsigned char snmp_tag_cls2syntax(unsigned int tag,
unsigned int cls,
unsigned short *syntax)
{
- struct snmp_cnv *cnv;
+ const struct snmp_cnv *cnv;
cnv = snmp_conv;
@@ -903,7 +902,7 @@ static inline void mangle_address(unsigned char *begin,
u_int32_t old;
if (debug)
- memcpy(&old, (unsigned char *)addr, sizeof(old));
+ memcpy(&old, addr, sizeof(old));
*addr = map->to;
@@ -998,7 +997,7 @@ err_id_free:
*
*****************************************************************************/
-static void hex_dump(unsigned char *buf, size_t len)
+static void hex_dump(const unsigned char *buf, size_t len)
{
size_t i;
@@ -1079,7 +1078,7 @@ static int snmp_parse_mangle(unsigned char *msg,
if (cls != ASN1_CTX || con != ASN1_CON)
return 0;
if (debug > 1) {
- unsigned char *pdus[] = {
+ static const unsigned char *const pdus[] = {
[SNMP_PDU_GET] = "get",
[SNMP_PDU_NEXT] = "get-next",
[SNMP_PDU_RESPONSE] = "response",
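Review bot: The new `static const unsigned char *const pdus[]` is initialised from plain string literals, so every element is a `char *` to `unsigned char *` signedness mismatch; `static const char *const pdus[] = {` fits the data. Because the table uses designated initialisers, any PDU type without an entry is a NULL slot and the array ends at the highest designator. The lookup is outside the hunk and should bounds-check the index, which comes from the parsed message, and tolerate NULL before printing. The initialiser list itself also continues outside the hunk.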
@@ -1231,8 +1230,8 @@ static int help(struct sk_buff *skb, unsigned int protoff,
{
int dir = CTINFO2DIR(ctinfo);
unsigned int ret;
- struct iphdr *iph = ip_hdr(skb);
- struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
+ const struct iphdr *iph = ip_hdr(skb);
+ const struct udphdr *udph = (struct udphdr *)((__be32 *)iph + iph->ihl);
/* SNMP replies and originating SNMP traps get mangled */
if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
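Review bot: The initialiser `(struct udphdr *)((__be32 *)iph + iph->ihl)` casts the const away from `iph` twice on the way to a `const` pointer. Writing it as `const struct udphdr *udph = (const struct udphdr *)((const __be32 *)iph + iph->ihl);` keeps the qualifier intact and is clean under -Wcast-qual. Separately, `iph->ihl` comes from the packet and `udph->source` is read on the next line. The hunk shows no check that the UDP header lies inside the linear skb data, so confirm that a caller or an earlier step guarantees it; the rest of help() is outside the hunk.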
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 99b2c78..9fba42d 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -30,8 +30,8 @@
#ifdef CONFIG_XFRM
static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
{
- struct nf_conn *ct;
- struct nf_conntrack_tuple *t;
+ const struct nf_conn *ct;
+ const struct nf_conntrack_tuple *t;
enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir;
unsigned long statusbit;
@@ -189,7 +189,7 @@ nf_nat_out(unsigned int hooknum,
int (*okfn)(struct sk_buff *))
{
#ifdef CONFIG_XFRM
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
#endif
unsigned int ret;
@@ -223,7 +223,7 @@ nf_nat_local_fn(unsigned int hooknum,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
- struct nf_conn *ct;
+ const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
unsigned int ret;
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 06/19] [NETFILTER]: Use unsigned types for hooknum and pf vars
From: Jan Engelhardt @ 2008-03-04 16:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 3cdcc1e09fd80752b18ca333243ed4dd484f9278
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Jan 26 21:41:28 2008 +0100
[NETFILTER]: Use unsigned types for hooknum and pf vars
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter.h | 54 ++++++++-------
include/linux/netfilter/x_tables.h | 33 +++++----
include/net/netfilter/nf_conntrack_core.h | 2 +-
include/net/netfilter/nf_conntrack_expect.h | 2 +-
include/net/netfilter/nf_conntrack_l4proto.h | 4 +-
include/net/netfilter/nf_log.h | 6 +-
include/net/netfilter/nf_queue.h | 6 +-
net/bridge/br_netfilter.c | 4 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 5 +-
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 5 +-
net/netfilter/core.c | 4 +-
net/netfilter/nf_conntrack_amanda.c | 2 +-
net/netfilter/nf_conntrack_core.c | 2 +-
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/nf_conntrack_h323_main.c | 7 +-
net/netfilter/nf_conntrack_proto_generic.c | 2 +-
net/netfilter/nf_conntrack_proto_gre.c | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 6 +-
net/netfilter/nf_conntrack_proto_udp.c | 4 +-
net/netfilter/nf_conntrack_proto_udplite.c | 4 +-
net/netfilter/nf_conntrack_sane.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 6 +-
net/netfilter/nf_conntrack_tftp.c | 2 +-
net/netfilter/nf_internals.h | 4 +-
net/netfilter/nf_log.c | 6 +-
net/netfilter/nf_queue.c | 12 ++--
net/netfilter/nf_sockopt.c | 15 ++--
net/netfilter/x_tables.c | 52 ++++++++-------
29 files changed, 138 insertions(+), 119 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index f0680c2..e658502 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -82,8 +82,8 @@ struct nf_hook_ops
/* User fills in from here down. */
nf_hookfn *hook;
struct module *owner;
- int pf;
- int hooknum;
+ unsigned int pf;
+ unsigned int hooknum;
/* Hooks are ordered in ascending priority. */
int priority;
};
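Review bot: `pf` and `hooknum` in struct nf_hook_ops carry no stated range, although this header declares `nf_hooks[NPROTO][NF_MAX_HOOKS]`, which these fields presumably index. Making them unsigned removes the negative case, so a single upper-bound test is enough, and the struct is the natural place to document it: `unsigned int pf; /* protocol family, must be < NPROTO */` and `unsigned int hooknum; /* must be < NF_MAX_HOOKS */`. Whether the registration path enforces that is not visible on this page; if it does not, a check of the form `pf >= NPROTO || hooknum >= NF_MAX_HOOKS` belongs there.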
@@ -92,7 +92,7 @@ struct nf_sockopt_ops
{
struct list_head list;
- int pf;
+ unsigned int pf;
/* Non-inclusive ranges: use 0/0/NULL to never get called. */
int set_optmin;
@@ -130,7 +130,7 @@ extern struct ctl_path nf_net_ipv4_netfilter_sysctl_path[];
extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
-int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
+int nf_hook_slow(unsigned int pf, unsigned int hook, struct sk_buff *skb,
struct net_device *indev, struct net_device *outdev,
int (*okfn)(struct sk_buff *), int thresh);
@@ -141,12 +141,10 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
* okfn must be invoked by the caller in this case. Any other return
* value indicates the packet has been consumed by the hook.
*/
-static inline int nf_hook_thresh(int pf, unsigned int hook,
- struct sk_buff *skb,
- struct net_device *indev,
- struct net_device *outdev,
- int (*okfn)(struct sk_buff *), int thresh,
- int cond)
+static inline int
+nf_hook_thresh(unsigned int pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sk_buff *), int thresh, int cond)
{
if (!cond)
return 1;
@@ -157,9 +155,10 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
return nf_hook_slow(pf, hook, skb, indev, outdev, okfn, thresh);
}
-static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
- struct net_device *indev, struct net_device *outdev,
- int (*okfn)(struct sk_buff *))
+static inline int
+nf_hook(unsigned int pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sk_buff *))
{
return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
}
@@ -202,14 +201,14 @@ __ret;})
NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
/* Call setsockopt() */
-int nf_setsockopt(struct sock *sk, int pf, int optval, char __user *opt,
- int len);
-int nf_getsockopt(struct sock *sk, int pf, int optval, char __user *opt,
- int *len);
+int nf_setsockopt(struct sock *sk, unsigned int pf, int optval,
+ char __user *opt, int len);
+int nf_getsockopt(struct sock *sk, unsigned int pf, int optval,
+ char __user *opt, int *len);
-int compat_nf_setsockopt(struct sock *sk, int pf, int optval,
+int compat_nf_setsockopt(struct sock *sk, unsigned int pf, int optval,
char __user *opt, int len);
-int compat_nf_getsockopt(struct sock *sk, int pf, int optval,
+int compat_nf_getsockopt(struct sock *sk, unsigned int pf, int optval,
char __user *opt, int *len);
/* Call this before modifying an existing packet: ensures it is
@@ -260,7 +259,8 @@ extern void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
static inline void
-nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl,
+ unsigned int family)
{
#ifdef CONFIG_NF_NAT_NEEDED
void (*decodefn)(struct sk_buff *, struct flowi *);
@@ -283,7 +283,7 @@ extern struct proc_dir_entry *proc_net_netfilter;
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
-static inline int nf_hook_thresh(int pf, unsigned int hook,
+static inline int nf_hook_thresh(unsigned int pf, unsigned int hook,
struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
@@ -292,15 +292,19 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
{
return okfn(skb);
}
-static inline int nf_hook(int pf, unsigned int hook, struct sk_buff *skb,
- struct net_device *indev, struct net_device *outdev,
- int (*okfn)(struct sk_buff *))
+static inline int
+nf_hook(unsigned int pf, unsigned int hook, struct sk_buff *skb,
+ struct net_device *indev, struct net_device *outdev,
+ int (*okfn)(struct sk_buff *))
{
return 1;
}
struct flowi;
static inline void
-nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl,
+ unsigned int family)
+{
+}
#endif /*CONFIG_NETFILTER*/
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 2326296..89103e7 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -292,7 +292,7 @@ struct xt_table
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
- int af; /* address/protocol family */
+ unsigned int af; /* address/protocol family */
};
#include <linux/netfilter_ipv4.h>
@@ -346,19 +346,21 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
struct xt_table_info *newinfo,
int *error);
-extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
-extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
-extern struct xt_target *xt_request_find_target(int af, const char *name,
- u8 revision);
-extern int xt_find_revision(int af, const char *name, u8 revision, int target,
- int *err);
+extern struct xt_match *
+xt_find_match(unsigned int af, const char *name, u8 revision);
+extern struct xt_target *
+xt_find_target(unsigned int af, const char *name, u8 revision);
+extern struct xt_target *
+xt_request_find_target(unsigned int af, const char *name, u8 revision);
+extern int xt_find_revision(unsigned int af, const char *name, u8 revision,
+ int target, int *err);
-extern struct xt_table *xt_find_table_lock(struct net *net, int af,
+extern struct xt_table *xt_find_table_lock(struct net *net, unsigned int af,
const char *name);
extern void xt_table_unlock(struct xt_table *t);
-extern int xt_proto_init(struct net *net, int af);
-extern void xt_proto_fini(struct net *net, int af);
+extern int xt_proto_init(struct net *net, unsigned int af);
+extern void xt_proto_fini(struct net *net, unsigned int af);
extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
extern void xt_free_table_info(struct xt_table_info *info);
@@ -423,12 +425,13 @@ struct compat_xt_counters_info
#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
& ~(__alignof__(struct compat_xt_counters)-1))
-extern void xt_compat_lock(int af);
-extern void xt_compat_unlock(int af);
+extern void xt_compat_lock(unsigned int af);
+extern void xt_compat_unlock(unsigned int af);
-extern int xt_compat_add_offset(int af, unsigned int offset, short delta);
-extern void xt_compat_flush_offsets(int af);
-extern short xt_compat_calc_jump(int af, unsigned int offset);
+extern int xt_compat_add_offset(unsigned int af, unsigned int offset,
+ short delta);
+extern void xt_compat_flush_offsets(unsigned int af);
+extern short xt_compat_calc_jump(unsigned int af, unsigned int offset);
extern int xt_compat_match_offset(const struct xt_match *match);
extern int xt_compat_match_from_user(struct xt_entry_match *m,
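Review bot: This hunk widens `af` but leaves `short delta` in xt_compat_add_offset() and the `short` return of xt_compat_calc_jump() as signed 16-bit values. If they accumulate native-versus-compat size differences across a whole table, a large ruleset supplied from userspace could exceed that range and produce wrong jump offsets. That depends on the implementation in x_tables.c, which is not in this hunk. If it holds, `int delta` and an `int` return type would be the matching change, ideally in the same type clean-up.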
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 9ee2646..74d7a01 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -20,7 +20,7 @@
/* This header is used to share core functionality between the
standalone connection tracking module, and the compatibility layer's use
of connection tracking. */
-extern unsigned int nf_conntrack_in(int pf,
+extern unsigned int nf_conntrack_in(unsigned int pf,
unsigned int hooknum,
struct sk_buff *skb);
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index cb608a1..aaf20c0 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -74,7 +74,7 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
/* Allocate space for an expectation: this is mandatory before calling
nf_ct_expect_related. You will have to call put afterwards. */
struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
-void nf_ct_expect_init(struct nf_conntrack_expect *, int,
+void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int,
union nf_inet_addr *,
union nf_inet_addr *,
u_int8_t, __be16 *, __be16 *);
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index efc16ec..1d2f8fd 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -40,7 +40,7 @@ struct nf_conntrack_l4proto
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum);
/* Called when a new connection for this protocol found;
@@ -53,7 +53,7 @@ struct nf_conntrack_l4proto
int (*error)(struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf, unsigned int hooknum);
+ unsigned int pf, unsigned int hooknum);
/* Print out the per-protocol part of the tuple. Return like seq_* */
int (*print_tuple)(struct seq_file *s,
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 8c6b5ae..0c910de 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -43,12 +43,12 @@ struct nf_logger {
};
/* Function to register/unregister log function. */
-int nf_log_register(int pf, const struct nf_logger *logger);
+int nf_log_register(unsigned int pf, const struct nf_logger *logger);
void nf_log_unregister(const struct nf_logger *logger);
-void nf_log_unregister_pf(int pf);
+void nf_log_unregister_pf(unsigned int pf);
/* Calls the registered backend logging function */
-void nf_log_packet(int pf,
+void nf_log_packet(unsigned int pf,
unsigned int hooknum,
const struct sk_buff *skb,
const struct net_device *in,
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index d030044..00497f0 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -8,7 +8,7 @@ struct nf_queue_entry {
unsigned int id;
struct nf_hook_ops *elem;
- int pf;
+ unsigned int pf;
unsigned int hook;
struct net_device *indev;
struct net_device *outdev;
@@ -24,9 +24,9 @@ struct nf_queue_handler {
char *name;
};
-extern int nf_register_queue_handler(int pf,
+extern int nf_register_queue_handler(unsigned int pf,
const struct nf_queue_handler *qh);
-extern int nf_unregister_queue_handler(int pf,
+extern int nf_unregister_queue_handler(unsigned int pf,
const struct nf_queue_handler *qh);
extern void nf_unregister_queue_handlers(const struct nf_queue_handler *qh);
extern void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 1c0efd8..b36b294 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -649,7 +649,7 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
{
struct nf_bridge_info *nf_bridge;
struct net_device *parent;
- int pf;
+ unsigned int pf;
if (!skb->nf_bridge)
return NF_ACCEPT;
@@ -783,7 +783,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
{
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
struct net_device *realoutdev = bridge_parent(skb->dev);
- int pf;
+ unsigned int pf;
#ifdef CONFIG_NETFILTER_DEBUG
/* Be very paranoid. This probably won't happen anymore, but let's
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 6873fdd..999f305 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -80,7 +80,7 @@ static int icmp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* Try to delete connection immediately after all replies:
@@ -175,7 +175,8 @@ icmp_error_message(struct sk_buff *skb,
/* Small and modified version of icmp_rcv */
static int
icmp_error(struct sk_buff *skb, unsigned int dataoff,
- enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum)
+ enum ip_conntrack_info *ctinfo, unsigned int pf,
+ unsigned int hooknum)
{
const struct icmphdr *icmph;
struct icmphdr _ih;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0897d0f..a7551ad 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -81,7 +81,7 @@ static int icmpv6_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* Try to delete connection immediately after all replies:
@@ -175,7 +175,8 @@ icmpv6_error_message(struct sk_buff *skb,
static int
icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
- enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum)
+ enum ip_conntrack_info *ctinfo, unsigned int pf,
+ unsigned int hooknum)
{
const struct icmp6hdr *icmp6h;
struct icmp6hdr _ih;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index c4065b8..9a77bf0 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -113,7 +113,7 @@ EXPORT_SYMBOL(nf_unregister_hooks);
unsigned int nf_iterate(struct list_head *head,
struct sk_buff *skb,
- int hook,
+ unsigned int hook,
const struct net_device *indev,
const struct net_device *outdev,
struct list_head **i,
@@ -155,7 +155,7 @@ unsigned int nf_iterate(struct list_head *head,
/* Returns 1 if okfn() needs to be executed by the caller,
* -EPERM for NF_DROP, 0 otherwise. */
-int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
+int nf_hook_slow(unsigned int pf, unsigned int hook, struct sk_buff *skb,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 572eedf..2118330 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -91,7 +91,7 @@ static int amanda_help(struct sk_buff *skb,
char pbuf[sizeof("65535")], *tmp;
u_int16_t len;
__be16 port;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int ret = NF_ACCEPT;
typeof(nf_nat_amanda_hook) nf_nat_amanda;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index b77eb56..2c4eaff 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -665,7 +665,7 @@ resolve_normal_ct(struct sk_buff *skb,
}
unsigned int
-nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff *skb)
+nf_conntrack_in(unsigned int pf, unsigned int hooknum, struct sk_buff *skb)
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e06bf00..1d09ca3 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -228,7 +228,7 @@ struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
}
EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
-void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
+void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int family,
union nf_inet_addr *saddr,
union nf_inet_addr *daddr,
u_int8_t proto, __be16 *src, __be16 *dst)
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6213787..293826a 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -218,7 +218,7 @@ static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
union nf_inet_addr *addr, __be16 *port)
{
const unsigned char *p;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int len;
if (taddr->choice != eH245_TransportAddress_unicastAddress)
@@ -627,7 +627,7 @@ int get_h225_addr(struct nf_conn *ct, unsigned char *data,
union nf_inet_addr *addr, __be16 *port)
{
const unsigned char *p;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int len;
switch (taddr->choice) {
@@ -706,7 +706,8 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
/* If the calling party is on the same side of the forward-to party,
* we don't need to track the second call */
static int callforward_do_filter(const union nf_inet_addr *src,
- const union nf_inet_addr *dst, int family)
+ const union nf_inet_addr *dst,
+ unsigned int family)
{
const struct nf_afinfo *afinfo;
struct flowi fl1, fl2;
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 5545891..6470194 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -45,7 +45,7 @@ static int packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_generic_timeout);
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index e10024a..e85096e 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -216,7 +216,7 @@ static int gre_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* If we've seen traffic both ways, this is a GRE connection.
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index f9a0837..d61f83e 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -287,7 +287,7 @@ static int sctp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
enum sctp_conntrack new_state, old_state;
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6256795..b3e557d 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -485,7 +485,7 @@ static int tcp_in_window(const struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
const struct tcphdr *tcph,
- int pf)
+ unsigned int pf)
{
struct ip_ct_tcp_state *sender = &state->seen[dir];
struct ip_ct_tcp_state *receiver = &state->seen[!dir];
@@ -744,7 +744,7 @@ static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
static int tcp_error(struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
const struct tcphdr *th;
@@ -799,7 +799,7 @@ static int tcp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
struct nf_conntrack_tuple *tuple;
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index b8a35cc..f86aba3 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -66,7 +66,7 @@ static int udp_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* If we've seen traffic both ways, this is some kind of UDP
@@ -91,7 +91,7 @@ static int udp_new(struct nf_conn *ct, const struct sk_buff *skb,
static int udp_error(struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
unsigned int udplen = skb->len - dataoff;
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 9dd03c7..2bf4cf0 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -65,7 +65,7 @@ static int udplite_packet(struct nf_conn *ct,
const struct sk_buff *skb,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
/* If we've seen traffic both ways, this is some kind of UDP
@@ -91,7 +91,7 @@ static int udplite_new(struct nf_conn *ct, const struct sk_buff *skb,
static int udplite_error(struct sk_buff *skb, unsigned int dataoff,
enum ip_conntrack_info *ctinfo,
- int pf,
+ unsigned int pf,
unsigned int hooknum)
{
unsigned int udplen = skb->len - dataoff;
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index a70051d..1e7e8a1 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -72,7 +72,7 @@ static int help(struct sk_buff *skb,
struct nf_conntrack_tuple *tuple;
struct sane_request *req;
struct sane_reply_net_start *reply;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
/* Until there's been traffic both ways, don't look in packets. */
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c521c89..402fb77 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -251,7 +251,7 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
const char *limit)
{
const char *end;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
int ret = 0;
switch (family) {
@@ -373,7 +373,7 @@ static int set_expected_rtp(struct sk_buff *skb,
{
struct nf_conntrack_expect *exp;
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
- int family = ct->tuplehash[!dir].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[!dir].tuple.src.l3num;
int ret;
typeof(nf_nat_sdp_hook) nf_nat_sdp;
@@ -403,7 +403,7 @@ static int sip_help(struct sk_buff *skb,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo)
{
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
union nf_inet_addr addr;
unsigned int dataoff, datalen;
const char *dptr;
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index bd2e800..572c0f9 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -44,7 +44,7 @@ static int tftp_help(struct sk_buff *skb,
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
unsigned int ret = NF_ACCEPT;
- int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
+ unsigned int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
typeof(nf_nat_tftp_hook) nf_nat_tftp;
tfh = skb_header_pointer(skb, protoff + sizeof(struct udphdr),
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index 196269c..0c3fcd6 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -15,7 +15,7 @@
/* core.c */
extern unsigned int nf_iterate(struct list_head *head,
struct sk_buff *skb,
- int hook,
+ unsigned int hook,
const struct net_device *indev,
const struct net_device *outdev,
struct list_head **i,
@@ -25,7 +25,7 @@ extern unsigned int nf_iterate(struct list_head *head,
/* nf_queue.c */
extern int nf_queue(struct sk_buff *skb,
struct list_head *elem,
- int pf, unsigned int hook,
+ unsigned int pf, unsigned int hook,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index cec9976..f1e858b 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -20,7 +20,7 @@ static DEFINE_MUTEX(nf_log_mutex);
/* return EBUSY if somebody else is registered, EEXIST if the same logger
* is registred, 0 on success. */
-int nf_log_register(int pf, const struct nf_logger *logger)
+int nf_log_register(unsigned int pf, const struct nf_logger *logger)
{
int ret;
@@ -45,7 +45,7 @@ int nf_log_register(int pf, const struct nf_logger *logger)
}
EXPORT_SYMBOL(nf_log_register);
-void nf_log_unregister_pf(int pf)
+void nf_log_unregister_pf(unsigned int pf)
{
if (pf >= NPROTO)
return;
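Review bot: The `pf >= NPROTO` guard in nf_log_unregister_pf now relies on `pf` being unsigned to reject values that would have been negative as an `int`, and nothing in the code records that dependency. A short comment above the check, for example `/* pf is unsigned, so this one bound also rejects values that were negative as int */`, would keep a later signature change from silently reopening the out-of-range case. The same applies to the `pf >= NPROTO` check in the nf_unregister_queue_handler hunk of net/netfilter/nf_queue.c. The rest of the function, where `pf` is presumably used as an array index, lies outside this hunk.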
@@ -73,7 +73,7 @@ void nf_log_unregister(const struct nf_logger *logger)
}
EXPORT_SYMBOL(nf_log_unregister);
-void nf_log_packet(int pf,
+void nf_log_packet(unsigned int pf,
unsigned int hooknum,
const struct sk_buff *skb,
const struct net_device *in,
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index bfc2928..1be152e 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -22,7 +22,8 @@ static DEFINE_MUTEX(queue_handler_mutex);
/* return EBUSY when somebody else is registered, return EEXIST if the
* same handler is registered, return 0 in case of success. */
-int nf_register_queue_handler(int pf, const struct nf_queue_handler *qh)
+int nf_register_queue_handler(unsigned int pf,
+ const struct nf_queue_handler *qh)
{
int ret;
@@ -45,7 +46,8 @@ int nf_register_queue_handler(int pf, const struct nf_queue_handler *qh)
EXPORT_SYMBOL(nf_register_queue_handler);
/* The caller must flush their queue before this */
-int nf_unregister_queue_handler(int pf, const struct nf_queue_handler *qh)
+int nf_unregister_queue_handler(unsigned int pf,
+ const struct nf_queue_handler *qh)
{
if (pf >= NPROTO)
return -EINVAL;
@@ -67,7 +69,7 @@ EXPORT_SYMBOL(nf_unregister_queue_handler);
void nf_unregister_queue_handlers(const struct nf_queue_handler *qh)
{
- int pf;
+ unsigned int pf;
mutex_lock(&queue_handler_mutex);
for (pf = 0; pf < NPROTO; pf++) {
@@ -107,7 +109,7 @@ static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
*/
static int __nf_queue(struct sk_buff *skb,
struct list_head *elem,
- int pf, unsigned int hook,
+ unsigned int pf, unsigned int hook,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
@@ -191,7 +193,7 @@ err:
int nf_queue(struct sk_buff *skb,
struct list_head *elem,
- int pf, unsigned int hook,
+ unsigned int pf, unsigned int hook,
struct net_device *indev,
struct net_device *outdev,
int (*okfn)(struct sk_buff *),
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index 3dd4b3c..170521d 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -60,7 +60,7 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
}
EXPORT_SYMBOL(nf_unregister_sockopt);
-static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, int pf,
+static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, unsigned int pf,
int val, int get)
{
struct nf_sockopt_ops *ops;
@@ -96,7 +96,7 @@ out:
}
/* Call get/setsockopt() */
-static int nf_sockopt(struct sock *sk, int pf, int val,
+static int nf_sockopt(struct sock *sk, unsigned int pf, int val,
char __user *opt, int *len, int get)
{
struct nf_sockopt_ops *ops;
@@ -115,21 +115,22 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
return ret;
}
-int nf_setsockopt(struct sock *sk, int pf, int val, char __user *opt,
+int nf_setsockopt(struct sock *sk, unsigned int pf, int val, char __user *opt,
int len)
{
return nf_sockopt(sk, pf, val, opt, &len, 0);
}
EXPORT_SYMBOL(nf_setsockopt);
-int nf_getsockopt(struct sock *sk, int pf, int val, char __user *opt, int *len)
+int nf_getsockopt(struct sock *sk, unsigned int pf, int val,
+ char __user *opt, int *len)
{
return nf_sockopt(sk, pf, val, opt, len, 1);
}
EXPORT_SYMBOL(nf_getsockopt);
#ifdef CONFIG_COMPAT
-static int compat_nf_sockopt(struct sock *sk, int pf, int val,
+static int compat_nf_sockopt(struct sock *sk, unsigned int pf, int val,
char __user *opt, int *len, int get)
{
struct nf_sockopt_ops *ops;
@@ -155,14 +156,14 @@ static int compat_nf_sockopt(struct sock *sk, int pf, int val,
return ret;
}
-int compat_nf_setsockopt(struct sock *sk, int pf,
+int compat_nf_setsockopt(struct sock *sk, unsigned int pf,
int val, char __user *opt, int len)
{
return compat_nf_sockopt(sk, pf, val, opt, &len, 0);
}
EXPORT_SYMBOL(compat_nf_setsockopt);
-int compat_nf_getsockopt(struct sock *sk, int pf,
+int compat_nf_getsockopt(struct sock *sk, unsigned int pf,
int val, char __user *opt, int *len)
{
return compat_nf_sockopt(sk, pf, val, opt, len, 1);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4d74dff..78877d5 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -68,7 +68,8 @@ static const char *const xt_prefix[NPROTO] = {
int
xt_register_target(struct xt_target *target)
{
- int ret, af = target->family;
+ unsigned int af = target->family;
+ int ret;
ret = mutex_lock_interruptible(&xt[af].mutex);
if (ret != 0)
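Review bot: `af` is copied from `target->family` and used straight away to index `xt[af].mutex` with no range check; changing it to `unsigned int` removes only the negative-index case. If `xt[]` is sized by `NPROTO` like `xt_prefix[]` in the hunk header (its allocation is not visible here), a guard such as `if (af >= NPROTO) return -EINVAL;` before the lock would bound the index. The registering callers are presumably in-kernel modules, so from what is shown this is defensive hardening rather than a demonstrated bug. The same unchecked index appears in the xt_unregister_target, xt_register_match, xt_unregister_match, xt_compat_lock/xt_compat_unlock and xt_table_seq_* hunks, where the void functions would need a different failure path. The function body continues past the end of this hunk.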
@@ -82,7 +83,7 @@ EXPORT_SYMBOL(xt_register_target);
void
xt_unregister_target(struct xt_target *target)
{
- int af = target->family;
+ unsigned int af = target->family;
mutex_lock(&xt[af].mutex);
list_del(&target->list);
@@ -123,7 +124,8 @@ EXPORT_SYMBOL(xt_unregister_targets);
int
xt_register_match(struct xt_match *match)
{
- int ret, af = match->family;
+ unsigned int af = match->family;
+ int ret;
ret = mutex_lock_interruptible(&xt[af].mutex);
if (ret != 0)
@@ -139,7 +141,7 @@ EXPORT_SYMBOL(xt_register_match);
void
xt_unregister_match(struct xt_match *match)
{
- int af = match->family;
+ unsigned int af = match->family;
mutex_lock(&xt[af].mutex);
list_del(&match->list);
@@ -185,7 +187,7 @@ EXPORT_SYMBOL(xt_unregister_matches);
*/
/* Find match, grabs ref. Returns ERR_PTR() on error. */
-struct xt_match *xt_find_match(int af, const char *name, u8 revision)
+struct xt_match *xt_find_match(unsigned int af, const char *name, u8 revision)
{
struct xt_match *m;
int err = 0;
@@ -210,7 +212,7 @@ struct xt_match *xt_find_match(int af, const char *name, u8 revision)
EXPORT_SYMBOL(xt_find_match);
/* Find target, grabs ref. Returns ERR_PTR() on error. */
-struct xt_target *xt_find_target(int af, const char *name, u8 revision)
+struct xt_target *xt_find_target(unsigned int af, const char *name, u8 revision)
{
struct xt_target *t;
int err = 0;
@@ -234,7 +236,8 @@ struct xt_target *xt_find_target(int af, const char *name, u8 revision)
}
EXPORT_SYMBOL(xt_find_target);
-struct xt_target *xt_request_find_target(int af, const char *name, u8 revision)
+struct xt_target *xt_request_find_target(unsigned int af, const char *name,
+ u8 revision)
{
struct xt_target *target;
@@ -246,7 +249,8 @@ struct xt_target *xt_request_find_target(int af, const char *name, u8 revision)
}
EXPORT_SYMBOL_GPL(xt_request_find_target);
-static int match_revfn(int af, const char *name, u8 revision, int *bestp)
+static int match_revfn(unsigned int af, const char *name, u8 revision,
+ int *bestp)
{
const struct xt_match *m;
int have_rev = 0;
@@ -262,7 +266,8 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
return have_rev;
}
-static int target_revfn(int af, const char *name, u8 revision, int *bestp)
+static int target_revfn(unsigned int af, const char *name, u8 revision,
+ int *bestp)
{
const struct xt_target *t;
int have_rev = 0;
@@ -279,8 +284,8 @@ static int target_revfn(int af, const char *name, u8 revision, int *bestp)
}
/* Returns true or false (if no such extension at all) */
-int xt_find_revision(int af, const char *name, u8 revision, int target,
- int *err)
+int xt_find_revision(unsigned int af, const char *name, u8 revision,
+ int target, int *err)
{
int have_rev, best = -1;
@@ -337,7 +342,7 @@ int xt_check_match(const struct xt_match *match, unsigned short family,
EXPORT_SYMBOL_GPL(xt_check_match);
#ifdef CONFIG_COMPAT
-int xt_compat_add_offset(int af, unsigned int offset, short delta)
+int xt_compat_add_offset(unsigned int af, unsigned int offset, short delta)
{
struct compat_delta *tmp;
@@ -359,7 +364,7 @@ int xt_compat_add_offset(int af, unsigned int offset, short delta)
}
EXPORT_SYMBOL_GPL(xt_compat_add_offset);
-void xt_compat_flush_offsets(int af)
+void xt_compat_flush_offsets(unsigned int af)
{
struct compat_delta *tmp, *next;
@@ -373,7 +378,7 @@ void xt_compat_flush_offsets(int af)
}
EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
-short xt_compat_calc_jump(int af, unsigned int offset)
+short xt_compat_calc_jump(unsigned int af, unsigned int offset)
{
struct compat_delta *tmp;
short delta;
@@ -590,7 +595,8 @@ void xt_free_table_info(struct xt_table_info *info)
EXPORT_SYMBOL(xt_free_table_info);
/* Find table by name, grabs mutex & ref. Returns ERR_PTR() on error. */
-struct xt_table *xt_find_table_lock(struct net *net, int af, const char *name)
+struct xt_table *xt_find_table_lock(struct net *net, unsigned int af,
+ const char *name)
{
struct xt_table *t;
@@ -612,13 +618,13 @@ void xt_table_unlock(struct xt_table *table)
EXPORT_SYMBOL_GPL(xt_table_unlock);
#ifdef CONFIG_COMPAT
-void xt_compat_lock(int af)
+void xt_compat_lock(unsigned int af)
{
mutex_lock(&xt[af].compat_mutex);
}
EXPORT_SYMBOL_GPL(xt_compat_lock);
-void xt_compat_unlock(int af)
+void xt_compat_unlock(unsigned int af)
{
mutex_unlock(&xt[af].compat_mutex);
}
@@ -722,13 +728,13 @@ EXPORT_SYMBOL_GPL(xt_unregister_table);
#ifdef CONFIG_PROC_FS
struct xt_names_priv {
struct seq_net_private p;
- int af;
+ unsigned int af;
};
static void *xt_table_seq_start(struct seq_file *seq, loff_t *pos)
{
struct xt_names_priv *priv = seq->private;
struct net *net = priv->p.net;
- int af = priv->af;
+ unsigned int af = priv->af;
mutex_lock(&xt[af].mutex);
return seq_list_start(&net->xt.tables[af], *pos);
@@ -738,7 +744,7 @@ static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct xt_names_priv *priv = seq->private;
struct net *net = priv->p.net;
- int af = priv->af;
+ unsigned int af = priv->af;
return seq_list_next(v, &net->xt.tables[af], pos);
}
@@ -746,7 +752,7 @@ static void *xt_table_seq_next(struct seq_file *seq, void *v, loff_t *pos)
static void xt_table_seq_stop(struct seq_file *seq, void *v)
{
struct xt_names_priv *priv = seq->private;
- int af = priv->af;
+ unsigned int af = priv->af;
mutex_unlock(&xt[af].mutex);
}
@@ -922,7 +928,7 @@ static const struct file_operations xt_target_ops = {
#endif /* CONFIG_PROC_FS */
-int xt_proto_init(struct net *net, int af)
+int xt_proto_init(struct net *net, unsigned int af)
{
#ifdef CONFIG_PROC_FS
char buf[XT_FUNCTION_MAXNAMELEN];
@@ -975,7 +981,7 @@ out:
}
EXPORT_SYMBOL_GPL(xt_proto_init);
-void xt_proto_fini(struct net *net, int af)
+void xt_proto_fini(struct net *net, unsigned int af)
{
#ifdef CONFIG_PROC_FS
char buf[XT_FUNCTION_MAXNAMELEN];
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 07/19] [NETFILTER]: remove arpt_table indirection macro
From: Jan Engelhardt @ 2008-03-04 16:32 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit c52cd61eef530d5c63d4d3f6cdcc429d2fc5d4dd
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove arpt_table indirection macro
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 11 ++++-----
net/ipv4/netfilter/arp_tables.c | 25 ++++++++++-----------
net/ipv4/netfilter/arptable_filter.c | 2 +-
3 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index db223ca..b61f044 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -24,7 +24,6 @@
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
#define arpt_target xt_target
-#define arpt_table xt_table
#define ARPT_DEV_ADDR_LEN_MAX 16
@@ -271,15 +270,15 @@ struct arpt_error
xt_register_target(tgt); })
#define arpt_unregister_target(tgt) xt_unregister_target(tgt)
-extern struct arpt_table *arpt_register_table(struct net *net,
- struct arpt_table *table,
- const struct arpt_replace *repl);
-extern void arpt_unregister_table(struct arpt_table *table);
+extern struct xt_table *
+arpt_register_table(struct net *net, struct xt_table *table,
+ const struct arpt_replace *repl);
+extern void arpt_unregister_table(struct xt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
- struct arpt_table *table);
+ struct xt_table *table);
#define ARPT_ALIGN(s) XT_ALIGN(s)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 4191588..d3f4eb6 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -222,7 +222,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
unsigned int hook,
const struct net_device *in,
const struct net_device *out,
- struct arpt_table *table)
+ struct xt_table *table)
{
static const char nulldevname[IFNAMSIZ];
unsigned int verdict = NF_DROP;
@@ -709,7 +709,7 @@ static void get_counters(const struct xt_table_info *t,
}
}
-static inline struct xt_counters *alloc_counters(struct arpt_table *table)
+static inline struct xt_counters *alloc_counters(struct xt_table *table)
{
unsigned int countersize;
struct xt_counters *counters;
@@ -734,7 +734,7 @@ static inline struct xt_counters *alloc_counters(struct arpt_table *table)
}
static int copy_entries_to_user(unsigned int total_size,
- struct arpt_table *table,
+ struct xt_table *table,
void __user *userptr)
{
unsigned int off, num;
@@ -854,7 +854,7 @@ static int compat_table_info(const struct xt_table_info *info,
static int get_info(struct net *net, void __user *user, int *len, int compat)
{
char name[ARPT_TABLE_MAXNAMELEN];
- struct arpt_table *t;
+ struct xt_table *t;
int ret;
if (*len != sizeof(struct arpt_getinfo)) {
@@ -914,7 +914,7 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
{
int ret;
struct arpt_get_entries get;
- struct arpt_table *t;
+ struct xt_table *t;
if (*len < sizeof(get)) {
duprintf("get_entries: %u < %Zu\n", *len, sizeof(get));
@@ -957,7 +957,7 @@ static int __do_replace(struct net *net, const char *name,
void __user *counters_ptr)
{
int ret;
- struct arpt_table *t;
+ struct xt_table *t;
struct xt_table_info *oldinfo;
struct xt_counters *counters;
void *loc_cpu_old_entry;
@@ -1094,7 +1094,7 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
const char *name;
int size;
void *ptmp;
- struct arpt_table *t;
+ struct xt_table *t;
const struct xt_table_info *private;
int ret = 0;
void *loc_cpu_entry;
@@ -1558,7 +1558,7 @@ out:
}
static int compat_copy_entries_to_user(unsigned int total_size,
- struct arpt_table *table,
+ const struct xt_table *table,
void __user *userptr)
{
struct xt_counters *counters;
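Review bot: `compat_copy_entries_to_user` gains a `const` on `table` here, and `t` in the following compat_get_entries hunk does too, while every other site in this patch is a plain `arpt_table` to `xt_table` substitution. `alloc_counters()` is changed earlier in this same patch to take a non-const `struct xt_table *`, so if this function passes `table` to it (the call is outside the hunk, though the `counters` local suggests it does) the compiler will warn about a discarded qualifier. The same concern applies to `t` if it is later handed to `xt_table_unlock()`, which takes a non-const pointer. Either keep this a pure rename with `struct xt_table *table,` and `struct xt_table *t;`, or constify the callees in a separate patch and mention it in the commit message.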
@@ -1596,7 +1596,7 @@ static int compat_get_entries(struct net *net,
{
int ret;
struct compat_arpt_get_entries get;
- struct arpt_table *t;
+ const struct xt_table *t;
if (*len < sizeof(get)) {
duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
@@ -1726,9 +1726,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}
-struct arpt_table *arpt_register_table(struct net *net,
- struct arpt_table *table,
- const struct arpt_replace *repl)
+struct xt_table *arpt_register_table(struct net *net, struct xt_table *table,
+ const struct arpt_replace *repl)
{
int ret;
struct xt_table_info *newinfo;
@@ -1770,7 +1769,7 @@ out:
return ERR_PTR(ret);
}
-void arpt_unregister_table(struct arpt_table *table)
+void arpt_unregister_table(struct xt_table *table)
{
struct xt_table_info *private;
void *loc_cpu_entry;
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 4e9c496..2ed7d72 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -45,7 +45,7 @@ static struct
.term = ARPT_ERROR_INIT,
};
-static struct arpt_table packet_filter = {
+static struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.lock = RW_LOCK_UNLOCKED,
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 08/19] [NETFILTER]: remove arpt_target indirection macro
From: Jan Engelhardt @ 2008-03-04 16:33 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 3ae5fb14df1c2dcd945441b4cf34db3892f9346f
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove arpt_target indirection macro
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 1 -
net/ipv4/netfilter/arp_tables.c | 8 ++++----
net/ipv4/netfilter/arpt_mangle.c | 2 +-
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index b61f044..4aed7c4 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -23,7 +23,6 @@
#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define arpt_target xt_target
#define ARPT_DEV_ADDR_LEN_MAX 16
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d3f4eb6..d399725 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -460,7 +460,7 @@ static inline int check_entry(struct arpt_entry *e, const char *name)
static inline int check_target(struct arpt_entry *e, const char *name)
{
struct arpt_entry_target *t;
- struct arpt_target *target;
+ struct xt_target *target;
int ret;
t = arpt_get_target(e);
@@ -483,7 +483,7 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
unsigned int *i)
{
struct arpt_entry_target *t;
- struct arpt_target *target;
+ struct xt_target *target;
int ret;
ret = check_entry(e, name);
@@ -1787,7 +1787,7 @@ void arpt_unregister_table(struct xt_table *table)
}
/* The built-in targets: standard (NULL) and error. */
-static struct arpt_target arpt_standard_target __read_mostly = {
+static struct xt_target arpt_standard_target __read_mostly = {
.name = ARPT_STANDARD_TARGET,
.targetsize = sizeof(int),
.family = NF_ARP,
@@ -1798,7 +1798,7 @@ static struct arpt_target arpt_standard_target __read_mostly = {
#endif
};
-static struct arpt_target arpt_error_target __read_mostly = {
+static struct xt_target arpt_error_target __read_mostly = {
.name = ARPT_ERROR_TARGET,
.target = arpt_error,
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 3e732c8..f9c102a 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -73,7 +73,7 @@ checkentry(const char *tablename, const void *e, const struct xt_target *target,
return true;
}
-static struct arpt_target arpt_mangle_reg __read_mostly = {
+static struct xt_target arpt_mangle_reg __read_mostly = {
.name = "mangle",
.target = target,
.targetsize = sizeof(struct arpt_mangle),
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 09/19] [NETFILTER]: remove ARPT_{STANDARD,ERROR}_TARGET indirection macro
From: Jan Engelhardt @ 2008-03-04 16:33 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit b365f5267f249216f680989cf9e16ea92e4df5e3
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove ARPT_{STANDARD,ERROR}_TARGET indirection macro
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 9 ++-------
net/ipv4/netfilter/arp_tables.c | 8 ++++----
2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 4aed7c4..0e6b5e1 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -203,11 +203,6 @@ struct arpt_get_entries
struct arpt_entry entrytable[0];
};
-/* Standard return verdict, or do jump. */
-#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define ARPT_ERROR_TARGET XT_ERROR_TARGET
-
/* Helper functions */
static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
{
@@ -251,7 +246,7 @@ struct arpt_error
#define ARPT_STANDARD_INIT(__verdict) \
{ \
.entry = ARPT_ENTRY_INIT(sizeof(struct arpt_standard)), \
- .target = XT_TARGET_INIT(ARPT_STANDARD_TARGET, \
+ .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
sizeof(struct arpt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
@@ -259,7 +254,7 @@ struct arpt_error
#define ARPT_ERROR_INIT \
{ \
.entry = ARPT_ENTRY_INIT(sizeof(struct arpt_error)), \
- .target = XT_TARGET_INIT(ARPT_ERROR_TARGET, \
+ .target = XT_TARGET_INIT(XT_ERROR_TARGET, \
sizeof(struct arpt_error_target)), \
.target.errorname = "ERROR", \
}
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d399725..3c89d66 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -370,7 +370,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
/* Unconditional return/END. */
if ((e->target_offset == sizeof(struct arpt_entry)
&& (strcmp(t->target.u.user.name,
- ARPT_STANDARD_TARGET) == 0)
+ XT_STANDARD_TARGET) == 0)
&& t->verdict < 0
&& unconditional(&e->arp)) || visited) {
unsigned int oldpos, size;
@@ -409,7 +409,7 @@ static int mark_source_chains(struct xt_table_info *newinfo,
int newpos = t->verdict;
if (strcmp(t->target.u.user.name,
- ARPT_STANDARD_TARGET) == 0
+ XT_STANDARD_TARGET) == 0
&& newpos >= 0) {
if (newpos > newinfo->size -
sizeof(struct arpt_entry)) {
@@ -1788,7 +1788,7 @@ void arpt_unregister_table(struct xt_table *table)
/* The built-in targets: standard (NULL) and error. */
static struct xt_target arpt_standard_target __read_mostly = {
- .name = ARPT_STANDARD_TARGET,
+ .name = XT_STANDARD_TARGET,
.targetsize = sizeof(int),
.family = NF_ARP,
#ifdef CONFIG_COMPAT
@@ -1799,7 +1799,7 @@ static struct xt_target arpt_standard_target __read_mostly = {
};
static struct xt_target arpt_error_target __read_mostly = {
- .name = ARPT_ERROR_TARGET,
+ .name = XT_ERROR_TARGET,
.target = arpt_error,
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
.family = NF_ARP,
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 10/19] [NETFILTER]: remove unused ARPT_ALIGN indirection macros
From: Jan Engelhardt @ 2008-03-04 16:33 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit ac5544297553bc0caa32489e0028ed6cce60a29f
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove unused ARPT_ALIGN indirection macros
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 4 ----
1 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 0e6b5e1..1cb698b 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -274,8 +274,6 @@ extern unsigned int arpt_do_table(struct sk_buff *skb,
const struct net_device *out,
struct xt_table *table);
-#define ARPT_ALIGN(s) XT_ALIGN(s)
-
#ifdef CONFIG_COMPAT
#include <net/compat.h>
@@ -295,8 +293,6 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
return (void *)e + e->target_offset;
}
-#define COMPAT_ARPT_ALIGN(s) COMPAT_XT_ALIGN(s)
-
/* fn returns 0 to continue iteration */
#define COMPAT_ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct compat_arpt_entry, entries, size, fn, ## args)
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 11/21] [NETFILTER]: remove arpt_(un)register_target indirection macros
From: Jan Engelhardt @ 2008-03-04 16:34 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 2db5fb8a2523983a12f2193f620208cc83d87c46
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove arpt_(un)register_target indirection macros
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 5 -----
net/ipv4/netfilter/arpt_mangle.c | 8 +++-----
2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 1cb698b..493dcd2 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -259,11 +259,6 @@ struct arpt_error
.target.errorname = "ERROR", \
}
-#define arpt_register_target(tgt) \
-({ (tgt)->family = NF_ARP; \
- xt_register_target(tgt); })
-#define arpt_unregister_target(tgt) xt_unregister_target(tgt)
-
extern struct xt_table *
arpt_register_table(struct net *net, struct xt_table *table,
const struct arpt_replace *repl);
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index f9c102a..a385959 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -75,6 +75,7 @@ checkentry(const char *tablename, const void *e, const struct xt_target *target,
static struct xt_target arpt_mangle_reg __read_mostly = {
.name = "mangle",
+ .family = NF_ARP,
.target = target,
.targetsize = sizeof(struct arpt_mangle),
.checkentry = checkentry,
@@ -83,15 +84,12 @@ static struct xt_target arpt_mangle_reg __read_mostly = {
static int __init arpt_mangle_init(void)
{
- if (arpt_register_target(&arpt_mangle_reg))
- return -EINVAL;
-
- return 0;
+ return xt_register_target(&arpt_mangle_reg);
}
static void __exit arpt_mangle_fini(void)
{
- arpt_unregister_target(&arpt_mangle_reg);
+ xt_unregister_target(&arpt_mangle_reg);
}
module_init(arpt_mangle_init);
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 12/19] [NETFILTER]: remove ARPT_{CONTINUE,RETURN} indirection macros
From: Jan Engelhardt @ 2008-03-04 16:34 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 7e0eee1c5180c61d764e475fcc841fd00de7dc99
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove ARPT_{CONTINUE,RETURN} indirection macros
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 6 ------
net/ipv4/netfilter/arp_tables.c | 6 +++---
net/ipv4/netfilter/arpt_mangle.c | 2 +-
3 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 493dcd2..2cdcc0c 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -125,12 +125,6 @@ struct arpt_entry
#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3)
#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET)
-/* CONTINUE verdict for targets */
-#define ARPT_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define ARPT_RETURN XT_RETURN
-
/* The argument to ARPT_SO_GET_INFO */
struct arpt_getinfo
{
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 3c89d66..31598cc 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -267,7 +267,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
v = ((struct arpt_standard_target *)t)->verdict;
if (v < 0) {
/* Pop from stack? */
- if (v != ARPT_RETURN) {
+ if (v != XT_RETURN) {
verdict = (unsigned)(-v) - 1;
break;
}
@@ -302,7 +302,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
/* Target might have changed stuff. */
arp = arp_hdr(skb);
- if (verdict == ARPT_CONTINUE)
+ if (verdict == XT_CONTINUE)
e = (void *)e + e->next_offset;
else
/* Verdict */
@@ -545,7 +545,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
}
/* FIXME: underflows must be unconditional, standard verdicts
- < 0 (not ARPT_RETURN). --RR */
+ < 0 (not XT_RETURN). --RR */
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index a385959..6cccaab 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -68,7 +68,7 @@ checkentry(const char *tablename, const void *e, const struct xt_target *target,
return false;
if (mangle->target != NF_DROP && mangle->target != NF_ACCEPT &&
- mangle->target != ARPT_CONTINUE)
+ mangle->target != XT_CONTINUE)
return false;
return true;
}
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 13/19] [NETFILTER]: remove xt_counters* indirection macros
From: Jan Engelhardt @ 2008-03-04 16:36 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
Wrong commit message in commit... dang!
[NETFILTER]: remove xt_counters* indirection macros
===
commit 6a54084aa882f20ca5588cf93854285ea5c3d0ca
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: remove ARPT_{CONTINUE,RETURN} indirection macros
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp/arp_tables.h | 4 ----
1 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index 2cdcc0c..f701e36 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -180,10 +180,6 @@ struct arpt_replace
struct arpt_entry entries[0];
};
-/* The argument to ARPT_SO_ADD_COUNTERS. */
-#define arpt_counters_info xt_counters_info
-#define arpt_counters xt_counters
-
/* The argument to ARPT_SO_GET_ENTRIES. */
struct arpt_get_entries
{
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 14/19] [NETFILTER]: rename NF_ARP to AF_ARP and assign a non-clashing value
From: Jan Engelhardt @ 2008-03-04 16:36 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 0c5a2872c9443dc787152d41bb6cb00b728a6533
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sat Feb 9 00:45:44 2008 +0100
[NETFILTER]: rename NF_ARP to AF_ARP and assign a non-clashing value
For coming Xtables patches, we want to use AF_UNSPEC, but NF_ARP
currently evaluates to the same value so it gets changed.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter_arp.h | 3 -
include/linux/socket.h | 1 +
net/bridge/br_netfilter.c | 2 +-
net/ipv4/arp.c | 4 +-
net/ipv4/netfilter/arp_tables.c | 56 +++++++++++++-------------
net/ipv4/netfilter/arpt_mangle.c | 2 +-
net/ipv4/netfilter/arptable_filter.c | 8 ++--
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/netfilter/x_tables.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
10 files changed, 40 insertions(+), 42 deletions(-)
diff --git a/include/linux/netfilter_arp.h b/include/linux/netfilter_arp.h
index 92bc6dd..ca3360a 100644
--- a/include/linux/netfilter_arp.h
+++ b/include/linux/netfilter_arp.h
@@ -7,9 +7,6 @@
#include <linux/netfilter.h>
-/* There is no PF_ARP. */
-#define NF_ARP 0
-
/* ARP Hooks */
#define NF_ARP_IN 0
#define NF_ARP_OUT 1
diff --git a/include/linux/socket.h b/include/linux/socket.h
index bd2b30a..bc37fd7 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -179,6 +179,7 @@ struct ucred {
#define AF_ASH 18 /* Ash */
#define AF_ECONET 19 /* Acorn Econet */
#define AF_ATMSVC 20 /* ATM SVCs */
+#define AF_ARP 21 /* Address Resolution for IPv4 */
#define AF_SNA 22 /* Linux SNA Project (nutters!) */
#define AF_IRDA 23 /* IRDA sockets */
#define AF_PPPOX 24 /* PPPoX sockets */
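Review bot: `AF_ARP` is added to the shared AF_* list with no matching `PF_ARP` and no hint that no socket family stands behind it, while the comment this same patch deletes from netfilter_arp.h ("There is no PF_ARP") was the only place that said so. I would carry that information over, e.g. `#define AF_ARP 21 /* ARP; netfilter family index only, no PF_ARP or socket support */`. The patch also removes `NF_ARP` outright; if netfilter_arp.h is visible to userspace or out-of-tree modules (not determinable from this page), a transitional `#define NF_ARP AF_ARP` would keep them building. The surrounding definition list continues outside the hunk.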
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index b36b294..6fda728 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -711,7 +711,7 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
return NF_ACCEPT;
}
*d = (struct net_device *)in;
- NF_HOOK(NF_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
+ NF_HOOK(AF_ARP, NF_ARP_FORWARD, skb, (struct net_device *)in,
(struct net_device *)out, br_nf_forward_finish);
return NF_STOLEN;
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 8e17f65..65f4a00 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -665,7 +665,7 @@ out:
void arp_xmit(struct sk_buff *skb)
{
/* Send it off, maybe filter it using firewalling first. */
- NF_HOOK(NF_ARP, NF_ARP_OUT, skb, NULL, skb->dev, dev_queue_xmit);
+ NF_HOOK(AF_ARP, NF_ARP_OUT, skb, NULL, skb->dev, dev_queue_xmit);
}
/*
@@ -934,7 +934,7 @@ static int arp_rcv(struct sk_buff *skb, struct net_device *dev,
memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
- return NF_HOOK(NF_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);
+ return NF_HOOK(AF_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);
freeskb:
kfree_skb(skb);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 31598cc..b0c8d59 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -466,7 +466,7 @@ static inline int check_target(struct arpt_entry *e, const char *name)
t = arpt_get_target(e);
target = t->u.kernel.target;
- ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
+ ret = xt_check_target(target, AF_ARP, t->u.target_size - sizeof(*t),
name, e->comefrom, 0, 0);
if (!ret && t->u.kernel.target->checkentry
&& !t->u.kernel.target->checkentry(name, e, target, t->data,
@@ -491,7 +491,7 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
return ret;
t = arpt_get_target(e);
- target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
+ target = try_then_request_module(xt_find_target(AF_ARP, t->u.user.name,
t->u.user.revision),
"arpt_%s", t->u.user.name);
if (IS_ERR(target) || !target) {
@@ -791,7 +791,7 @@ static void compat_standard_from_user(void *dst, void *src)
int v = *(compat_int_t *)src;
if (v > 0)
- v += xt_compat_calc_jump(NF_ARP, v);
+ v += xt_compat_calc_jump(AF_ARP, v);
memcpy(dst, &v, sizeof(v));
}
@@ -800,7 +800,7 @@ static int compat_standard_to_user(void __user *dst, void *src)
compat_int_t cv = *(int *)src;
if (cv > 0)
- cv -= xt_compat_calc_jump(NF_ARP, cv);
+ cv -= xt_compat_calc_jump(AF_ARP, cv);
return copy_to_user(dst, &cv, sizeof(cv)) ? -EFAULT : 0;
}
@@ -818,7 +818,7 @@ static int compat_calc_entry(struct arpt_entry *e,
t = arpt_get_target(e);
off += xt_compat_target_offset(t->u.kernel.target);
newinfo->size -= off;
- ret = xt_compat_add_offset(NF_ARP, entry_offset, off);
+ ret = xt_compat_add_offset(AF_ARP, entry_offset, off);
if (ret)
return ret;
@@ -869,9 +869,9 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
name[ARPT_TABLE_MAXNAMELEN-1] = '\0';
#ifdef CONFIG_COMPAT
if (compat)
- xt_compat_lock(NF_ARP);
+ xt_compat_lock(AF_ARP);
#endif
- t = try_then_request_module(xt_find_table_lock(net, NF_ARP, name),
+ t = try_then_request_module(xt_find_table_lock(net, AF_ARP, name),
"arptable_%s", name);
if (t && !IS_ERR(t)) {
struct arpt_getinfo info;
@@ -881,7 +881,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
if (compat) {
struct xt_table_info tmp;
ret = compat_table_info(private, &tmp);
- xt_compat_flush_offsets(NF_ARP);
+ xt_compat_flush_offsets(AF_ARP);
private = &tmp;
}
#endif
@@ -904,7 +904,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
ret = t ? PTR_ERR(t) : -ENOENT;
#ifdef CONFIG_COMPAT
if (compat)
- xt_compat_unlock(NF_ARP);
+ xt_compat_unlock(AF_ARP);
#endif
return ret;
}
@@ -928,7 +928,7 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr,
return -EINVAL;
}
- t = xt_find_table_lock(net, NF_ARP, get.name);
+ t = xt_find_table_lock(net, AF_ARP, get.name);
if (t && !IS_ERR(t)) {
const struct xt_table_info *private = t->private;
@@ -970,7 +970,7 @@ static int __do_replace(struct net *net, const char *name,
goto out;
}
- t = try_then_request_module(xt_find_table_lock(net, NF_ARP, name),
+ t = try_then_request_module(xt_find_table_lock(net, AF_ARP, name),
"arptable_%s", name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1137,7 +1137,7 @@ static int do_add_counters(struct net *net, void __user *user, unsigned int len,
goto free;
}
- t = xt_find_table_lock(net, NF_ARP, name);
+ t = xt_find_table_lock(net, AF_ARP, name);
if (!t || IS_ERR(t)) {
ret = t ? PTR_ERR(t) : -ENOENT;
goto free;
@@ -1221,7 +1221,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
entry_offset = (void *)e - (void *)base;
t = compat_arpt_get_target(e);
- target = try_then_request_module(xt_find_target(NF_ARP,
+ target = try_then_request_module(xt_find_target(AF_ARP,
t->u.user.name,
t->u.user.revision),
"arpt_%s", t->u.user.name);
@@ -1235,7 +1235,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
off += xt_compat_target_offset(target);
*size += off;
- ret = xt_compat_add_offset(NF_ARP, entry_offset, off);
+ ret = xt_compat_add_offset(AF_ARP, entry_offset, off);
if (ret)
goto release_target;
@@ -1336,7 +1336,7 @@ static int translate_compat_table(const char *name,
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
- xt_compat_lock(NF_ARP);
+ xt_compat_lock(AF_ARP);
/* Walk through entries, checking offsets. */
ret = COMPAT_ARPT_ENTRY_ITERATE(entry0, total_size,
check_compat_entry_size_and_hooks,
@@ -1386,8 +1386,8 @@ static int translate_compat_table(const char *name,
ret = COMPAT_ARPT_ENTRY_ITERATE(entry0, total_size,
compat_copy_entry_from_user,
&pos, &size, name, newinfo, entry1);
- xt_compat_flush_offsets(NF_ARP);
- xt_compat_unlock(NF_ARP);
+ xt_compat_flush_offsets(AF_ARP);
+ xt_compat_unlock(AF_ARP);
if (ret)
goto free_newinfo;
@@ -1423,8 +1423,8 @@ out:
COMPAT_ARPT_ENTRY_ITERATE(entry0, total_size, compat_release_entry, &j);
return ret;
out_unlock:
- xt_compat_flush_offsets(NF_ARP);
- xt_compat_unlock(NF_ARP);
+ xt_compat_flush_offsets(AF_ARP);
+ xt_compat_unlock(AF_ARP);
goto out;
}
@@ -1610,8 +1610,8 @@ static int compat_get_entries(struct net *net,
return -EINVAL;
}
- xt_compat_lock(NF_ARP);
- t = xt_find_table_lock(net, NF_ARP, get.name);
+ xt_compat_lock(AF_ARP);
+ t = xt_find_table_lock(net, AF_ARP, get.name);
if (t && !IS_ERR(t)) {
const struct xt_table_info *private = t->private;
struct xt_table_info info;
@@ -1626,13 +1626,13 @@ static int compat_get_entries(struct net *net,
private->size, get.size);
ret = -EINVAL;
}
- xt_compat_flush_offsets(NF_ARP);
+ xt_compat_flush_offsets(AF_ARP);
module_put(t->me);
xt_table_unlock(t);
} else
ret = t ? PTR_ERR(t) : -ENOENT;
- xt_compat_unlock(NF_ARP);
+ xt_compat_unlock(AF_ARP);
return ret;
}
@@ -1712,7 +1712,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
break;
}
- try_then_request_module(xt_find_revision(NF_ARP, rev.name,
+ try_then_request_module(xt_find_revision(AF_ARP, rev.name,
rev.revision, 1, &ret),
"arpt_%s", rev.name);
break;
@@ -1790,7 +1790,7 @@ void arpt_unregister_table(struct xt_table *table)
static struct xt_target arpt_standard_target __read_mostly = {
.name = XT_STANDARD_TARGET,
.targetsize = sizeof(int),
- .family = NF_ARP,
+ .family = AF_ARP,
#ifdef CONFIG_COMPAT
.compatsize = sizeof(compat_int_t),
.compat_from_user = compat_standard_from_user,
@@ -1802,7 +1802,7 @@ static struct xt_target arpt_error_target __read_mostly = {
.name = XT_ERROR_TARGET,
.target = arpt_error,
.targetsize = ARPT_FUNCTION_MAXNAMELEN,
- .family = NF_ARP,
+ .family = AF_ARP,
};
static struct nf_sockopt_ops arpt_sockopts = {
@@ -1824,12 +1824,12 @@ static struct nf_sockopt_ops arpt_sockopts = {
static int __net_init arp_tables_net_init(struct net *net)
{
- return xt_proto_init(net, NF_ARP);
+ return xt_proto_init(net, AF_ARP);
}
static void __net_exit arp_tables_net_exit(struct net *net)
{
- xt_proto_fini(net, NF_ARP);
+ xt_proto_fini(net, AF_ARP);
}
static struct pernet_operations arp_tables_net_ops = {
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index 6cccaab..dabf45a 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -75,7 +75,7 @@ checkentry(const char *tablename, const void *e, const struct xt_target *target,
static struct xt_target arpt_mangle_reg __read_mostly = {
.name = "mangle",
- .family = NF_ARP,
+ .family = AF_ARP,
.target = target,
.targetsize = sizeof(struct arpt_mangle),
.checkentry = checkentry,
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 2ed7d72..56c8db9 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -51,7 +51,7 @@ static struct xt_table packet_filter = {
.lock = RW_LOCK_UNLOCKED,
.private = NULL,
.me = THIS_MODULE,
- .af = NF_ARP,
+ .af = AF_ARP,
};
/* The work comes in here from netfilter.c */
@@ -68,19 +68,19 @@ static struct nf_hook_ops arpt_ops[] __read_mostly = {
{
.hook = arpt_hook,
.owner = THIS_MODULE,
- .pf = NF_ARP,
+ .pf = AF_ARP,
.hooknum = NF_ARP_IN,
},
{
.hook = arpt_hook,
.owner = THIS_MODULE,
- .pf = NF_ARP,
+ .pf = AF_ARP,
.hooknum = NF_ARP_OUT,
},
{
.hook = arpt_hook,
.owner = THIS_MODULE,
- .pf = NF_ARP,
+ .pf = AF_ARP,
.hooknum = NF_ARP_FORWARD,
},
};
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index b8c793c..bb57106 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -546,7 +546,7 @@ arp_mangle(unsigned int hook,
static struct nf_hook_ops cip_arp_ops __read_mostly = {
.hook = arp_mangle,
- .pf = NF_ARP,
+ .pf = AF_ARP,
.hooknum = NF_ARP_OUT,
.priority = -1
};
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 78877d5..8bbc4ac 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -61,7 +61,7 @@ static struct xt_af *xt;
static const char *const xt_prefix[NPROTO] = {
[AF_INET] = "ip",
[AF_INET6] = "ip6",
- [NF_ARP] = "arp",
+ [AF_ARP] = "arp",
};
/* Registration hooks for targets. */
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index beb24d1..e18ad69 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -50,7 +50,7 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
},
{
.name = "NFQUEUE",
- .family = NF_ARP,
+ .family = AF_ARP,
.target = nfqueue_tg,
.targetsize = sizeof(struct xt_NFQ_info),
.me = THIS_MODULE,
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 15/19] [NETFILTER]: Implement AF_UNSPEC as a wildcard for extensions
From: Jan Engelhardt @ 2008-03-04 16:37 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 008144757b4423aad7e548132f1967b44ff6a60f
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 03:21:32 2008 +0100
[NETFILTER]: Implement AF_UNSPEC as a wildcard for extensions
When a match or target is looked up using xt_find_{match,target},
Xtables will also search the AF_UNSPEC module list. This allows for
extensions to be reused from other components (e.g. arptables,
ebtables).
Extensions that take different codepaths depending on match->family
or target->family of course cannot use AF_UNSPEC within the
registration structure (e.g. xt_pkttype).
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/netfilter/x_tables.c | 11 +++++++++
net/netfilter/xt_CLASSIFY.c | 38 ++++++++++----------------------
net/netfilter/xt_MARK.c | 10 +-------
net/netfilter/xt_RATEEST.c | 33 +++++++++------------------
net/netfilter/xt_SECMARK.c | 35 ++++++++++-------------------
net/netfilter/xt_TRACE.c | 27 ++++++++--------------
net/netfilter/xt_limit.c | 40 +++++++++++-----------------------
net/netfilter/xt_mark.c | 26 +--------------------
net/netfilter/xt_quota.c | 29 ++++++++----------------
net/netfilter/xt_rateest.c | 33 +++++++++------------------
net/netfilter/xt_statistic.c | 31 ++++++++-----------------
net/netfilter/xt_string.c | 32 +++++++++-----------------
net/netfilter/xt_time.c | 28 +++++++----------------
net/netfilter/xt_u32.c | 26 +++++++--------------
14 files changed, 132 insertions(+), 267 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8bbc4ac..065103e 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -59,6 +59,7 @@ static struct xt_af *xt;
#endif
static const char *const xt_prefix[NPROTO] = {
+ [AF_UNSPEC] = "x",
[AF_INET] = "ip",
[AF_INET6] = "ip6",
[AF_ARP] = "arp",
@@ -207,6 +208,11 @@ struct xt_match *xt_find_match(unsigned int af, const char *name, u8 revision)
}
}
mutex_unlock(&xt[af].mutex);
+
+ if (af != AF_UNSPEC)
+ /* Try searching again in the family-independent list */
+ return xt_find_match(AF_UNSPEC, name, revision);
+
return ERR_PTR(err);
}
EXPORT_SYMBOL(xt_find_match);
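Review bot: The fallback `return xt_find_match(AF_UNSPEC, name, revision);` discards the `err` that the family-specific walk computed, so the value the final `return ERR_PTR(err);` would have reported for the requested family is replaced by whatever the AF_UNSPEC search yields; xt_find_target in the next hunk has the same shape. Callers in this series wrap both functions in `try_then_request_module()`, so a different return value can change whether a module load is attempted; I would return the fallback result only when it is a usable pointer or carries its own error, and otherwise fall through to `return ERR_PTR(err);`. Separately, the 11 lines the diffstat reports for x_tables.c are all in these three hunks, so `xt_find_revision()` is untouched; if it walks only `xt[af]`, revision queries for the extensions this patch moves to AF_UNSPEC would no longer find them, which is worth confirming. Both function bodies start outside the hunks.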
@@ -232,6 +238,11 @@ struct xt_target *xt_find_target(unsigned int af, const char *name, u8 revision)
}
}
mutex_unlock(&xt[af].mutex);
+
+ if (af != AF_UNSPEC)
+ /* Try searching again in the family-independent list */
+ return xt_find_target(AF_UNSPEC, name, revision);
+
return ERR_PTR(err);
}
EXPORT_SYMBOL(xt_find_target);
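Review bot: Only the two by-name lookups learn about the AF_UNSPEC list; the diffstat gives x_tables.c eleven added lines, and the three hunks shown here account for all of them. Any other code in this file that walks the per-family lists under `xt[af].mutex`, such as a supported-revision query made on behalf of userspace, would still look at the per-family list alone. It could then report the extensions converted later in this patch as missing or as lacking the requested revision. If such a path exists it needs the same second pass over AF_UNSPEC. xt_find_target itself starts outside the hunk.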
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 77a52bf..268fb28 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -37,40 +37,26 @@ classify_tg(struct sk_buff *skb, const struct net_device *in,
return XT_CONTINUE;
}
-static struct xt_target classify_tg_reg[] __read_mostly = {
- {
- .family = AF_INET,
- .name = "CLASSIFY",
- .target = classify_tg,
- .targetsize = sizeof(struct xt_classify_target_info),
- .table = "mangle",
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_FORWARD) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
- {
- .name = "CLASSIFY",
- .family = AF_INET6,
- .target = classify_tg,
- .targetsize = sizeof(struct xt_classify_target_info),
- .table = "mangle",
- .hooks = (1 << NF_INET_LOCAL_OUT) |
- (1 << NF_INET_FORWARD) |
- (1 << NF_INET_POST_ROUTING),
- .me = THIS_MODULE,
- },
+static struct xt_target classify_tg_reg __read_mostly = {
+ .name = "CLASSIFY",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .table = "mangle",
+ .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_POST_ROUTING),
+ .target = classify_tg,
+ .targetsize = sizeof(struct xt_classify_target_info),
+ .me = THIS_MODULE,
};
static int __init classify_tg_init(void)
{
- return xt_register_targets(classify_tg_reg,
- ARRAY_SIZE(classify_tg_reg));
+ return xt_register_target(&classify_tg_reg);
}
static void __exit classify_tg_exit(void)
{
- xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
+ xt_unregister_target(&classify_tg_reg);
}
module_init(classify_tg_init);
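Review bot: The single AF_UNSPEC registration keeps a `.hooks` mask written with NF_INET_* hook numbers, which only carry that meaning for the IPv4 and IPv6 tables; for any other family reaching this entry through the wildcard lookup the same bit positions would name different hooks. The `.table = "mangle"` restriction presumably keeps the target confined to tables where the mask is right, but that dependency is stated nowhere. I would add a comment above `.hooks`, for example `/* hook numbers are NF_INET_*; relies on .table to keep other families out */`. The commit message's rule that family-dependent extensions must not use AF_UNSPEC arguably covers a family-specific hook mask as well.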
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index f9ce20b..f2498f9 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -222,15 +222,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
{
.name = "MARK",
.revision = 2,
- .family = AF_INET,
- .target = mark_tg,
- .targetsize = sizeof(struct xt_mark_tginfo2),
- .me = THIS_MODULE,
- },
- {
- .name = "MARK",
- .revision = 2,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 64d6ad3..2014f2a 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -157,25 +157,15 @@ static void xt_rateest_tg_destroy(const struct xt_target *target,
xt_rateest_put(info->est);
}
-static struct xt_target xt_rateest_target[] __read_mostly = {
- {
- .family = AF_INET,
- .name = "RATEEST",
- .target = xt_rateest_tg,
- .checkentry = xt_rateest_tg_checkentry,
- .destroy = xt_rateest_tg_destroy,
- .targetsize = sizeof(struct xt_rateest_target_info),
- .me = THIS_MODULE,
- },
- {
- .family = AF_INET6,
- .name = "RATEEST",
- .target = xt_rateest_tg,
- .checkentry = xt_rateest_tg_checkentry,
- .destroy = xt_rateest_tg_destroy,
- .targetsize = sizeof(struct xt_rateest_target_info),
- .me = THIS_MODULE,
- },
+static struct xt_target xt_rateest_tg_reg __read_mostly = {
+ .name = "RATEEST",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .target = xt_rateest_tg,
+ .checkentry = xt_rateest_tg_checkentry,
+ .destroy = xt_rateest_tg_destroy,
+ .targetsize = sizeof(struct xt_rateest_target_info),
+ .me = THIS_MODULE,
};
static int __init xt_rateest_tg_init(void)
@@ -186,13 +176,12 @@ static int __init xt_rateest_tg_init(void)
INIT_HLIST_HEAD(&rateest_hash[i]);
get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
- return xt_register_targets(xt_rateest_target,
- ARRAY_SIZE(xt_rateest_target));
+ return xt_register_target(&xt_rateest_tg_reg);
}
static void __exit xt_rateest_tg_fini(void)
{
- xt_unregister_targets(xt_rateest_target, ARRAY_SIZE(xt_rateest_target));
+ xt_unregister_target(&xt_rateest_tg_reg);
}
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index c028485..23baaa3 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -119,37 +119,26 @@ static void secmark_tg_destroy(const struct xt_target *target, void *targinfo)
}
}
-static struct xt_target secmark_tg_reg[] __read_mostly = {
- {
- .name = "SECMARK",
- .family = AF_INET,
- .checkentry = secmark_tg_check,
- .destroy = secmark_tg_destroy,
- .target = secmark_tg,
- .targetsize = sizeof(struct xt_secmark_target_info),
- .table = "mangle",
- .me = THIS_MODULE,
- },
- {
- .name = "SECMARK",
- .family = AF_INET6,
- .checkentry = secmark_tg_check,
- .destroy = secmark_tg_destroy,
- .target = secmark_tg,
- .targetsize = sizeof(struct xt_secmark_target_info),
- .table = "mangle",
- .me = THIS_MODULE,
- },
+static struct xt_target secmark_tg_reg __read_mostly = {
+ .name = "SECMARK",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .table = "mangle",
+ .target = secmark_tg,
+ .checkentry = secmark_tg_check,
+ .destroy = secmark_tg_destroy,
+ .targetsize = sizeof(struct xt_secmark_target_info),
+ .me = THIS_MODULE,
};
static int __init secmark_tg_init(void)
{
- return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ return xt_register_target(&secmark_tg_reg);
}
static void __exit secmark_tg_exit(void)
{
- xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ xt_unregister_target(&secmark_tg_reg);
}
module_init(secmark_tg_init);
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index 30dab79..d50f689 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -19,31 +19,24 @@ trace_tg(struct sk_buff *skb, const struct net_device *in,
return XT_CONTINUE;
}
-static struct xt_target trace_tg_reg[] __read_mostly = {
- {
- .name = "TRACE",
- .family = AF_INET,
- .target = trace_tg,
- .table = "raw",
- .me = THIS_MODULE,
- },
- {
- .name = "TRACE",
- .family = AF_INET6,
- .target = trace_tg,
- .table = "raw",
- .me = THIS_MODULE,
- },
+static struct xt_target trace_tg_reg __read_mostly = {
+ .name = "TRACE",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .table = "raw",
+ .target = trace_tg,
+ .targetsize = XT_ALIGN(0),
+ .me = THIS_MODULE,
};
static int __init trace_tg_init(void)
{
- return xt_register_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg));
+ return xt_register_target(&trace_tg_reg);
}
static void __exit trace_tg_exit(void)
{
- xt_unregister_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg));
+ xt_unregister_target(&trace_tg_reg);
}
module_init(trace_tg_init);
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index aad9ab8..88be2cc 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -167,43 +167,29 @@ static int limit_mt_compat_to_user(void __user *dst, void *src)
}
#endif /* CONFIG_COMPAT */
-static struct xt_match limit_mt_reg[] __read_mostly = {
- {
- .name = "limit",
- .family = AF_INET,
- .checkentry = limit_mt_check,
- .match = limit_mt,
- .matchsize = sizeof(struct xt_rateinfo),
+static struct xt_match limit_mt_reg __read_mostly = {
+ .name = "limit",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .match = limit_mt,
+ .checkentry = limit_mt_check,
+ .matchsize = sizeof(struct xt_rateinfo),
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_rateinfo),
- .compat_from_user = limit_mt_compat_from_user,
- .compat_to_user = limit_mt_compat_to_user,
+ .compatsize = sizeof(struct compat_xt_rateinfo),
+ .compat_from_user = limit_mt_compat_from_user,
+ .compat_to_user = limit_mt_compat_to_user,
#endif
- .me = THIS_MODULE,
- },
- {
- .name = "limit",
- .family = AF_INET6,
- .checkentry = limit_mt_check,
- .match = limit_mt,
- .matchsize = sizeof(struct xt_rateinfo),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_rateinfo),
- .compat_from_user = limit_mt_compat_from_user,
- .compat_to_user = limit_mt_compat_to_user,
-#endif
- .me = THIS_MODULE,
- },
+ .me = THIS_MODULE,
};
static int __init limit_mt_init(void)
{
- return xt_register_matches(limit_mt_reg, ARRAY_SIZE(limit_mt_reg));
+ return xt_register_match(&limit_mt_reg);
}
static void __exit limit_mt_exit(void)
{
- xt_unregister_matches(limit_mt_reg, ARRAY_SIZE(limit_mt_reg));
+ xt_unregister_match(&limit_mt_reg);
}
module_init(limit_mt_init);
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 9f78f61..1697ba9 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -92,7 +92,7 @@ static struct xt_match mark_mt_reg[] __read_mostly = {
{
.name = "mark",
.revision = 0,
- .family = AF_INET,
+ .family = AF_UNSPEC,
.checkentry = mark_mt_check_v0,
.match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
@@ -104,31 +104,9 @@ static struct xt_match mark_mt_reg[] __read_mostly = {
.me = THIS_MODULE,
},
{
- .name = "mark",
- .revision = 0,
- .family = AF_INET6,
- .checkentry = mark_mt_check_v0,
- .match = mark_mt_v0,
- .matchsize = sizeof(struct xt_mark_info),
-#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_mark_info),
- .compat_from_user = mark_mt_compat_from_user_v0,
- .compat_to_user = mark_mt_compat_to_user_v0,
-#endif
- .me = THIS_MODULE,
- },
- {
- .name = "mark",
- .revision = 1,
- .family = AF_INET,
- .match = mark_mt,
- .matchsize = sizeof(struct xt_mark_mtinfo1),
- .me = THIS_MODULE,
- },
- {
.name = "mark",
.revision = 1,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.match = mark_mt,
.matchsize = sizeof(struct xt_mark_mtinfo1),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 3b021d0..60be101 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -54,33 +54,24 @@ quota_mt_check(const char *tablename, const void *entry,
return true;
}
-static struct xt_match quota_mt_reg[] __read_mostly = {
- {
- .name = "quota",
- .family = AF_INET,
- .checkentry = quota_mt_check,
- .match = quota_mt,
- .matchsize = sizeof(struct xt_quota_info),
- .me = THIS_MODULE
- },
- {
- .name = "quota",
- .family = AF_INET6,
- .checkentry = quota_mt_check,
- .match = quota_mt,
- .matchsize = sizeof(struct xt_quota_info),
- .me = THIS_MODULE
- },
+static struct xt_match quota_mt_reg __read_mostly = {
+ .name = "quota",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .match = quota_mt,
+ .checkentry = quota_mt_check,
+ .matchsize = sizeof(struct xt_quota_info),
+ .me = THIS_MODULE,
};
static int __init quota_mt_init(void)
{
- return xt_register_matches(quota_mt_reg, ARRAY_SIZE(quota_mt_reg));
+ return xt_register_match("a_mt_reg);
}
static void __exit quota_mt_exit(void)
{
- xt_unregister_matches(quota_mt_reg, ARRAY_SIZE(quota_mt_reg));
+ xt_unregister_match("a_mt_reg);
}
module_init(quota_mt_init);
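Review bot: The two added calls appear on this page as `xt_register_match("a_mt_reg);` and `xt_unregister_match("a_mt_reg);`, which is not valid C and names no object in the hunk. This looks like the archive decoding `&quot` out of `&quota_mt_reg`; the intended argument is presumably `&quota_mt_reg`, the struct defined by the added lines above. Anyone applying the patch from this copy should correct both lines or fetch the original message.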
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index ebd84f1..917fe41 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -137,36 +137,25 @@ static void xt_rateest_mt_destroy(const struct xt_match *match,
xt_rateest_put(info->est2);
}
-static struct xt_match xt_rateest_match[] __read_mostly = {
- {
- .family = AF_INET,
- .name = "rateest",
- .match = xt_rateest_mt,
- .checkentry = xt_rateest_mt_checkentry,
- .destroy = xt_rateest_mt_destroy,
- .matchsize = sizeof(struct xt_rateest_match_info),
- .me = THIS_MODULE,
- },
- {
- .family = AF_INET6,
- .name = "rateest",
- .match = xt_rateest_mt,
- .checkentry = xt_rateest_mt_checkentry,
- .destroy = xt_rateest_mt_destroy,
- .matchsize = sizeof(struct xt_rateest_match_info),
- .me = THIS_MODULE,
- },
+static struct xt_match xt_rateest_mt_reg __read_mostly = {
+ .name = "rateest",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .match = xt_rateest_mt,
+ .checkentry = xt_rateest_mt_checkentry,
+ .destroy = xt_rateest_mt_destroy,
+ .matchsize = sizeof(struct xt_rateest_match_info),
+ .me = THIS_MODULE,
};
static int __init xt_rateest_mt_init(void)
{
- return xt_register_matches(xt_rateest_match,
- ARRAY_SIZE(xt_rateest_match));
+ return xt_register_match(&xt_rateest_mt_reg);
}
static void __exit xt_rateest_mt_fini(void)
{
- xt_unregister_matches(xt_rateest_match, ARRAY_SIZE(xt_rateest_match));
+ xt_unregister_match(&xt_rateest_mt_reg);
}
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 4313308..422090c 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -66,35 +66,24 @@ statistic_mt_check(const char *tablename, const void *entry,
return true;
}
-static struct xt_match statistic_mt_reg[] __read_mostly = {
- {
- .name = "statistic",
- .family = AF_INET,
- .checkentry = statistic_mt_check,
- .match = statistic_mt,
- .matchsize = sizeof(struct xt_statistic_info),
- .me = THIS_MODULE,
- },
- {
- .name = "statistic",
- .family = AF_INET6,
- .checkentry = statistic_mt_check,
- .match = statistic_mt,
- .matchsize = sizeof(struct xt_statistic_info),
- .me = THIS_MODULE,
- },
+static struct xt_match xt_statistic_mt_reg __read_mostly = {
+ .name = "statistic",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .match = statistic_mt,
+ .checkentry = statistic_mt_check,
+ .matchsize = sizeof(struct xt_statistic_info),
+ .me = THIS_MODULE,
};
static int __init statistic_mt_init(void)
{
- return xt_register_matches(statistic_mt_reg,
- ARRAY_SIZE(statistic_mt_reg));
+ return xt_register_match(&xt_statistic_mt_reg);
}
static void __exit statistic_mt_exit(void)
{
- xt_unregister_matches(statistic_mt_reg,
- ARRAY_SIZE(statistic_mt_reg));
+ xt_unregister_match(&xt_statistic_mt_reg);
}
module_init(statistic_mt_init);
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 72f694d..e7fb2de 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -69,35 +69,25 @@ static void string_mt_destroy(const struct xt_match *match, void *matchinfo)
textsearch_destroy(STRING_TEXT_PRIV(matchinfo)->config);
}
-static struct xt_match string_mt_reg[] __read_mostly = {
- {
- .name = "string",
- .family = AF_INET,
- .checkentry = string_mt_check,
- .match = string_mt,
- .destroy = string_mt_destroy,
- .matchsize = sizeof(struct xt_string_info),
- .me = THIS_MODULE
- },
- {
- .name = "string",
- .family = AF_INET6,
- .checkentry = string_mt_check,
- .match = string_mt,
- .destroy = string_mt_destroy,
- .matchsize = sizeof(struct xt_string_info),
- .me = THIS_MODULE
- },
+static struct xt_match xt_string_mt_reg __read_mostly = {
+ .name = "string",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .match = string_mt,
+ .checkentry = string_mt_check,
+ .destroy = string_mt_destroy,
+ .matchsize = sizeof(struct xt_string_info),
+ .me = THIS_MODULE,
};
static int __init string_mt_init(void)
{
- return xt_register_matches(string_mt_reg, ARRAY_SIZE(string_mt_reg));
+ return xt_register_match(&xt_string_mt_reg);
}
static void __exit string_mt_exit(void)
{
- xt_unregister_matches(string_mt_reg, ARRAY_SIZE(string_mt_reg));
+ xt_unregister_match(&xt_string_mt_reg);
}
module_init(string_mt_init);
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 41297d0..997761d 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -232,33 +232,23 @@ time_mt_check(const char *tablename, const void *ip,
return true;
}
-static struct xt_match time_mt_reg[] __read_mostly = {
- {
- .name = "time",
- .family = AF_INET,
- .match = time_mt,
- .matchsize = sizeof(struct xt_time_info),
- .checkentry = time_mt_check,
- .me = THIS_MODULE,
- },
- {
- .name = "time",
- .family = AF_INET6,
- .match = time_mt,
- .matchsize = sizeof(struct xt_time_info),
- .checkentry = time_mt_check,
- .me = THIS_MODULE,
- },
+static struct xt_match xt_time_mt_reg __read_mostly = {
+ .name = "time",
+ .family = AF_UNSPEC,
+ .match = time_mt,
+ .checkentry = time_mt_check,
+ .matchsize = sizeof(struct xt_time_info),
+ .me = THIS_MODULE,
};
static int __init time_mt_init(void)
{
- return xt_register_matches(time_mt_reg, ARRAY_SIZE(time_mt_reg));
+ return xt_register_match(&xt_time_mt_reg);
}
static void __exit time_mt_exit(void)
{
- xt_unregister_matches(time_mt_reg, ARRAY_SIZE(time_mt_reg));
+ xt_unregister_match(&xt_time_mt_reg);
}
module_init(time_mt_init);
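Review bot: `xt_time_mt_reg` is the one newly written single-entry registration in this patch that leaves out `.revision = 0,`; every other new struct spells it out. The value is the same either way for a static object, so this is a consistency point only: add `.revision = 0,` after `.name` to match the rest.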
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 627e0f3..343b8d1 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -99,31 +99,23 @@ u32_mt(const struct sk_buff *skb, const struct net_device *in,
return ret ^ data->invert;
}
-static struct xt_match u32_mt_reg[] __read_mostly = {
- {
- .name = "u32",
- .family = AF_INET,
- .match = u32_mt,
- .matchsize = sizeof(struct xt_u32),
- .me = THIS_MODULE,
- },
- {
- .name = "u32",
- .family = AF_INET6,
- .match = u32_mt,
- .matchsize = sizeof(struct xt_u32),
- .me = THIS_MODULE,
- },
+static struct xt_match xt_u32_mt_reg __read_mostly = {
+ .name = "u32",
+ .revision = 0,
+ .family = AF_UNSPEC,
+ .match = u32_mt,
+ .matchsize = sizeof(struct xt_u32),
+ .me = THIS_MODULE,
};
static int __init u32_mt_init(void)
{
- return xt_register_matches(u32_mt_reg, ARRAY_SIZE(u32_mt_reg));
+ return xt_register_match(&xt_u32_mt_reg);
}
static void __exit u32_mt_exit(void)
{
- xt_unregister_matches(u32_mt_reg, ARRAY_SIZE(u32_mt_reg));
+ xt_unregister_match(&xt_u32_mt_reg);
}
module_init(u32_mt_init);
* [PATCH 16/19] [NETFILTER]: Explicitly initialize .priority in arptable_filter
From: Jan Engelhardt @ 2008-03-04 16:37 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit a26e22d56128682e37ebc2106324654783193458
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 04:00:29 2008 +0100
[NETFILTER]: Explicitly initialize .priority in arptable_filter
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/ipv4/netfilter/arptable_filter.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 56c8db9..cd69fdc 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -70,18 +70,21 @@ static struct nf_hook_ops arpt_ops[] __read_mostly = {
.owner = THIS_MODULE,
.pf = AF_ARP,
.hooknum = NF_ARP_IN,
+ .priority = NF_IP_PRI_FILTER,
},
{
.hook = arpt_hook,
.owner = THIS_MODULE,
.pf = AF_ARP,
.hooknum = NF_ARP_OUT,
+ .priority = NF_IP_PRI_FILTER,
},
{
.hook = arpt_hook,
.owner = THIS_MODULE,
.pf = AF_ARP,
.hooknum = NF_ARP_FORWARD,
+ .priority = NF_IP_PRI_FILTER,
},
};
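Review bot: `NF_IP_PRI_FILTER` comes from the IPv4 hook-priority enum, yet all three entries are `AF_ARP` hooks, so the added lines borrow another family's constant. Its value is 0, which makes the change value-identical to the implicit zero initialisation it replaces; that deserves a word in the commit message or a comment, since the subject reads like a behaviour fix. I would add `/* explicit 0, borrowed from the IPv4 priority enum */` above the first `.priority` line. The arpt_ops array starts outside the hunk.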
* [PATCH 17/19] [NETFILTER]: Give AF-independent extensions an arpt_ alias
From: Jan Engelhardt @ 2008-03-04 16:38 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
(This makes matches such as xt_time available for arptables - later on
when I got around to tweak arptables/xtables.)
===
commit ea7107947ea397104758b241145ff4fdccb98068
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 04:01:21 2008 +0100
[NETFILTER]: Give AF-independent extensions an arpt_ alias
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/netfilter/xt_CLASSIFY.c | 1 +
net/netfilter/xt_MARK.c | 1 +
net/netfilter/xt_RATEEST.c | 1 +
net/netfilter/xt_limit.c | 1 +
net/netfilter/xt_mark.c | 1 +
net/netfilter/xt_quota.c | 1 +
net/netfilter/xt_rateest.c | 1 +
net/netfilter/xt_statistic.c | 1 +
net/netfilter/xt_time.c | 1 +
net/netfilter/xt_u32.c | 1 +
10 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 268fb28..4629bdf 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -25,6 +25,7 @@ MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: Qdisc classification");
MODULE_ALIAS("ipt_CLASSIFY");
MODULE_ALIAS("ip6t_CLASSIFY");
+MODULE_ALIAS("arpt_CLASSIFY");
static unsigned int
classify_tg(struct sk_buff *skb, const struct net_device *in,
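Review bot: The set of `arpt_` aliases does not line up with the AF_UNSPEC conversions in patch 15/19: the diffstat here lists ten files, and xt_string, xt_SECMARK and xt_TRACE are not among them. Conversely `arpt_CLASSIFY` is added for a target whose registration names `.table = "mangle"`, so the alias only matters if an ARP table of that name exists. Each alias is also a name under which the module can be loaded on demand, so I would limit the list to extensions that are meant to be usable from arptables and say in the commit message why the others are left out. The remaining nine hunks add the same kind of line and raise the same question.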
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index f2498f9..4c81ec4 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -23,6 +23,7 @@ MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("Xtables: packet mark modification");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
+MODULE_ALIAS("arpt_MARK");
static unsigned int
mark_tg_v0(struct sk_buff *skb, const struct net_device *in,
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 2014f2a..5a9b0d4 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -190,5 +190,6 @@ MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: packet rate estimator");
MODULE_ALIAS("ipt_RATEEST");
MODULE_ALIAS("ip6t_RATEEST");
+MODULE_ALIAS("arpt_RATEEST");
module_init(xt_rateest_tg_init);
module_exit(xt_rateest_tg_fini);
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 88be2cc..27df112 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -19,6 +19,7 @@ MODULE_AUTHOR("Herve Eychenne <rv@wallfire.org>");
MODULE_DESCRIPTION("Xtables: rate-limit match");
MODULE_ALIAS("ipt_limit");
MODULE_ALIAS("ip6t_limit");
+MODULE_ALIAS("arpt_limit");
/* The algorithm used is the Simple Token Bucket Filter (TBF)
* see net/sched/sch_tbf.c in the linux source tree
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 1697ba9..31332a2 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -21,6 +21,7 @@ MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("Xtables: packet mark match");
MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
+MODULE_ALIAS("arpt_mark");
static bool
mark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 60be101..e143b1b 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -14,6 +14,7 @@ MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
MODULE_DESCRIPTION("Xtables: countdown quota match");
MODULE_ALIAS("ipt_quota");
MODULE_ALIAS("ip6t_quota");
+MODULE_ALIAS("arpt_quota");
static DEFINE_SPINLOCK(quota_lock);
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 917fe41..32a5853 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -163,5 +163,6 @@ MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("xtables rate estimator match");
MODULE_ALIAS("ipt_rateest");
MODULE_ALIAS("ip6t_rateest");
+MODULE_ALIAS("arpt_rateest");
module_init(xt_rateest_mt_init);
module_exit(xt_rateest_mt_fini);
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 422090c..8c6d866 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -21,6 +21,7 @@ MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Xtables: statistics-based matching (\"Nth\", random)");
MODULE_ALIAS("ipt_statistic");
MODULE_ALIAS("ip6t_statistic");
+MODULE_ALIAS("arpt_statistic");
static DEFINE_SPINLOCK(nth_lock);
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 997761d..065d567 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -258,3 +258,4 @@ MODULE_DESCRIPTION("Xtables: time-based matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_time");
MODULE_ALIAS("ip6t_time");
+MODULE_ALIAS("arpt_time");
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 343b8d1..0101a71 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -125,3 +125,4 @@ MODULE_DESCRIPTION("Xtables: arbitrary byte matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_u32");
MODULE_ALIAS("ip6t_u32");
+MODULE_ALIAS("arpt_u32");
* [PATCH 18/19] [NETFILTER]: Rename ipt_recent to xt_recent
From: Jan Engelhardt @ 2008-03-04 16:38 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit 4f285c120d110e9c95d06a1de6093a65c369ae91
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 31 02:17:07 2008 +0100
[NETFILTER]: Rename ipt_recent to xt_recent
Like with other modules (such as ipt_state), ipt_recent.h is changed
to forward definitions to (IOW include) xt_recent.h, and xt_recent.c
is changed to use the new constant names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/linux/netfilter/xt_recent.h | 26 ++++++++
include/linux/netfilter_ipv4/ipt_recent.h | 28 ++++-----
net/ipv4/netfilter/Kconfig | 13 ----
net/ipv4/netfilter/Makefile | 1 -
net/netfilter/Kconfig | 11 ++++
net/netfilter/Makefile | 1 +
.../ipt_recent.c => netfilter/xt_recent.c} | 37 ++++++------
7 files changed, 68 insertions(+), 49 deletions(-)
create mode 100644 include/linux/netfilter/xt_recent.h
rename net/{ipv4/netfilter/ipt_recent.c => netfilter/xt_recent.c} (92%)
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 0000000..5cfeb81
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
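Review bot: `struct xt_recent_mtinfo` is filled in by userspace, and nothing in the new header says what the kernel requires of `name`, a fixed `XT_RECENT_NAME_LEN` buffer that recent_mt later hands to `recent_table_lookup()` as a string. I would document the contract on the field, e.g. `/* NUL-terminated and non-empty; rejected by checkentry otherwise */`, and confirm that the check function enforces it, since its body is not fully visible in this patch. The anonymous enum also mixes three unrelated groups (check_set flag bits, side values, a buffer length); a one-line comment per group would make clear which field each constant belongs to.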
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
index 6508a45..d636cca 100644
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ b/include/linux/netfilter_ipv4/ipt_recent.h
@@ -1,27 +1,21 @@
#ifndef _IPT_RECENT_H
#define _IPT_RECENT_H
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
+#include <linux/netfilter/xt_recent.h>
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
+#define ipt_recent_info xt_recent_mtinfo
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
+enum {
+ IPT_RECENT_CHECK = XT_RECENT_CHECK,
+ IPT_RECENT_SET = XT_RECENT_SET,
+ IPT_RECENT_UPDATE = XT_RECENT_UPDATE,
+ IPT_RECENT_REMOVE = XT_RECENT_REMOVE,
+ IPT_RECENT_TTL = XT_RECENT_TTL,
-#define IPT_RECENT_NAME_LEN 200
+ IPT_RECENT_SOURCE = XT_RECENT_SOURCE,
+ IPT_RECENT_DEST = XT_RECENT_DEST,
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
+ IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN,
};
#endif /*_IPT_RECENT_H*/
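Review bot: The compatibility header no longer provides everything the old one did: `RECENT_NAME` and `RECENT_VER` are removed without a replacement, and the `IPT_RECENT_*` names change from macros to enumerators, so an `#ifdef IPT_RECENT_TTL`-style test now evaluates false. Code built against the old header that relies on either would stop compiling or silently take the other branch; whether such users exist cannot be told from the patch. If the header is meant to stay source-compatible, keep the two string macros and add self-referential defines such as `#define IPT_RECENT_TTL IPT_RECENT_TTL` for the enumerators. `#define ipt_recent_info xt_recent_mtinfo` also rewrites every use of that identifier, not only `struct ipt_recent_info`.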
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9a077cb..eeaab13 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -57,19 +57,6 @@ config IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N.
# The matches.
-config IP_NF_MATCH_RECENT
- tristate '"recent" match support'
- depends on IP_NF_IPTABLES
- depends on NETFILTER_ADVANCED
- help
- This match is used for creating one or many lists of recently
- used addresses and then matching against that/those list(s).
-
- Short options are available by using 'iptables -m recent -h'
- Official Website: <http://snowman.net/projects/ipt_recent/>
-
- To compile it as a module, choose M here. If unsure, say N.
-
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on IP_NF_IPTABLES
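Review bot: Removing `IP_NF_MATCH_RECENT` outright means an existing configuration that enabled it loses the option on the next `oldconfig`, and the new `NETFILTER_XT_MATCH_RECENT` has no `default` line, so it stays off unless someone answers the prompt. A kernel built that way has no recent match, and rulesets that depend on it (for example for connection-rate limiting) would fail to load after the upgrade. I would leave a compatibility stanza here that selects the new symbol, as sketched below. The new entry in net/netfilter/Kconfig also drops the "To compile it as a module" sentence that the old help text had.

```kconfig
# The matches.
config IP_NF_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_RECENT
	help
	  Backwards-compatibility option: selects
	  NETFILTER_XT_MATCH_RECENT so that an existing configuration
	  keeps the match after oldconfig.
```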
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 0c7dc78..7b1b4e5 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -44,7 +44,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
-obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
# targets
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index daf5b88..222aa07 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -711,6 +711,17 @@ config NETFILTER_XT_MATCH_REALM
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_RECENT
+ tristate '"recent" match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ ---help---
+ This match is used for creating one or many lists of recently
+ used addresses and then matching against that/those list(s).
+
+ Short options are available by using 'iptables -m recent -h'
+ Official Website: <http://snowman.net/projects/ipt_recent/>
+
config NETFILTER_XT_MATCH_SCTP
tristate '"sctp" protocol match support (EXPERIMENTAL)'
depends on NETFILTER_XTABLES && EXPERIMENTAL
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ea75083..9599083 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -75,6 +75,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) += xt_recent.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/netfilter/xt_recent.c
similarity index 92%
rename from net/ipv4/netfilter/ipt_recent.c
rename to net/netfilter/xt_recent.c
index f2142b7..c7af6a8 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -27,11 +27,12 @@
#include <net/net_namespace.h>
#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
+#include <linux/netfilter/xt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_recent");
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;
@@ -64,7 +65,7 @@ struct recent_entry {
struct recent_table {
struct list_head list;
- char name[IPT_RECENT_NAME_LEN];
+ char name[XT_RECENT_NAME_LEN];
#ifdef CONFIG_PROC_FS
struct proc_dir_entry *proc;
#endif
@@ -175,14 +176,14 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
const void *matchinfo, int offset, unsigned int protoff,
bool *hotdrop)
{
- const struct ipt_recent_info *info = matchinfo;
+ const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
struct recent_entry *e;
__be32 addr;
u_int8_t ttl;
bool ret = info->invert;
- if (info->side == IPT_RECENT_DEST)
+ if (info->side == XT_RECENT_DEST)
addr = ip_hdr(skb)->daddr;
else
addr = ip_hdr(skb)->saddr;
@@ -195,9 +196,9 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
spin_lock_bh(&recent_lock);
t = recent_table_lookup(info->name);
e = recent_entry_lookup(t, addr,
- info->check_set & IPT_RECENT_TTL ? ttl : 0);
+ info->check_set & XT_RECENT_TTL ? ttl : 0);
if (e == NULL) {
- if (!(info->check_set & IPT_RECENT_SET))
+ if (!(info->check_set & XT_RECENT_SET))
goto out;
e = recent_entry_init(t, addr, ttl);
if (e == NULL)
@@ -206,12 +207,12 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
goto out;
}
- if (info->check_set & IPT_RECENT_SET)
+ if (info->check_set & XT_RECENT_SET)
ret = !ret;
- else if (info->check_set & IPT_RECENT_REMOVE) {
+ else if (info->check_set & XT_RECENT_REMOVE) {
recent_entry_remove(t, e);
ret = !ret;
- } else if (info->check_set & (IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) {
+ } else if (info->check_set & (XT_RECENT_CHECK | XT_RECENT_UPDATE)) {
unsigned long time = jiffies - info->seconds * HZ;
unsigned int i, hits = 0;
@@ -225,8 +226,8 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
}
}
- if (info->check_set & IPT_RECENT_SET ||
- (info->check_set & IPT_RECENT_UPDATE && ret)) {
+ if (info->check_set & XT_RECENT_SET ||
+ (info->check_set & XT_RECENT_UPDATE && ret)) {
recent_entry_update(t, e);
e->ttl = ttl;
}
@@ -240,20 +241,20 @@ recent_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
- const struct ipt_recent_info *info = matchinfo;
+ const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
unsigned i;
bool ret = false;
if (hweight8(info->check_set &
- (IPT_RECENT_SET | IPT_RECENT_REMOVE |
- IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) != 1)
+ (XT_RECENT_SET | XT_RECENT_REMOVE |
+ XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
return false;
- if ((info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE)) &&
+ if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
(info->seconds || info->hit_count))
return false;
if (info->name[0] == '\0' ||
- strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN)
+ strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
return false;
mutex_lock(&recent_mutex);
@@ -295,7 +296,7 @@ out:
static void recent_mt_destroy(const struct xt_match *match, void *matchinfo)
{
- const struct ipt_recent_info *info = matchinfo;
+ const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
mutex_lock(&recent_mutex);
@@ -460,7 +461,7 @@ static struct xt_match recent_mt_reg __read_mostly = {
.name = "recent",
.family = AF_INET,
.match = recent_mt,
- .matchsize = sizeof(struct ipt_recent_info),
+ .matchsize = sizeof(struct xt_recent_mtinfo),
.checkentry = recent_mt_check,
.destroy = recent_mt_destroy,
.me = THIS_MODULE,
^ permalink raw reply related [flat|nested] 51+ messages in thread* [PATCH 19/19] [NETFILTER]: xt_recent: IPv6 support
2008-03-04 15:51 ` Jan Engelhardt
` (41 preceding siblings ...)
2008-03-04 16:38 ` [PATCH 18/19] [NETFILTER]: Rename ipt_recent to xt_recent Jan Engelhardt
@ 2008-03-04 16:38 ` Jan Engelhardt
42 siblings, 0 replies; 51+ messages in thread
From: Jan Engelhardt @ 2008-03-04 16:38 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
commit ba5aecde37b53f3c3853943f33c7def80bca3e38
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 31 04:36:12 2008 +0100
[NETFILTER]: xt_recent: IPv6 support
This updates xt_recent to support IPv6 handling. It is sort of a flag
day, as the new control directory is /proc/net/xt_recent with a new,
more strict protocol (the string you ought to write into
/proc/net/xt_recent/LIST). But on the other hand, I kept the binary
interface towards iptables (which is quite memory consuming I must
say) to keep the patch small.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
net/netfilter/xt_recent.c | 207 +++++++++++++++++++++++++------------
1 files changed, 143 insertions(+), 64 deletions(-)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index c7af6a8..74caea8 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -13,6 +14,8 @@
*/
#include <linux/init.h>
#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
@@ -30,9 +33,11 @@
#include <linux/netfilter/xt_recent.h>
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_recent");
+MODULE_ALIAS("ip6t_recent");
static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;
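Review bot: The MODULE_DESCRIPTION kept as context in this hunk still ends in "for IPv4", although the hunk adds the `ip6t_recent` alias and the patch registers the match for AF_INET6. The string is what modinfo shows to an administrator, so it should be updated with the feature, for example `MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching");`.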
@@ -49,14 +54,15 @@ module_param(ip_list_gid, uint, 0400);
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
-MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/ipt_recent/* files");
-MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/ipt_recent/* files");
-MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/ipt_recent/* files");
+MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
struct recent_entry {
struct list_head list;
struct list_head lru_list;
- __be32 addr;
+ union nf_inet_addr addr;
+ u_int16_t family;
u_int8_t ttl;
u_int8_t index;
u_int16_t nstamps;
@@ -87,24 +93,43 @@ static const struct file_operations recent_fops;
static u_int32_t hash_rnd;
static int hash_rnd_initted;
-static unsigned int recent_entry_hash(__be32 addr)
+static unsigned int recent_entry_hash4(const union nf_inet_addr *addr)
{
if (!hash_rnd_initted) {
- get_random_bytes(&hash_rnd, 4);
+ get_random_bytes(&hash_rnd, sizeof(hash_rnd));
hash_rnd_initted = 1;
}
- return jhash_1word((__force u32)addr, hash_rnd) & (ip_list_hash_size - 1);
+ return jhash_1word((__force u32)addr->ip, hash_rnd) &
+ (ip_list_hash_size - 1);
+}
+
+static unsigned int recent_entry_hash6(const union nf_inet_addr *addr)
+{
+ if (!hash_rnd_initted) {
+ get_random_bytes(&hash_rnd, sizeof(hash_rnd));
+ hash_rnd_initted = 1;
+ }
+ return jhash2((u32 *)addr->ip6, ARRAY_SIZE(addr->ip6), hash_rnd) &
+ (ip_list_hash_size - 1);
}
static struct recent_entry *
-recent_entry_lookup(const struct recent_table *table, __be32 addr, u_int8_t ttl)
+recent_entry_lookup(const struct recent_table *table,
+ const union nf_inet_addr *addrp, u_int16_t family,
+ u_int8_t ttl)
{
struct recent_entry *e;
unsigned int h;
- h = recent_entry_hash(addr);
+ if (family == AF_INET)
+ h = recent_entry_hash4(addrp);
+ else
+ h = recent_entry_hash6(addrp);
+
list_for_each_entry(e, &table->iphash[h], list)
- if (e->addr == addr && (ttl == e->ttl || !ttl || !e->ttl))
+ if (e->family == family &&
+ memcmp(&e->addr, addrp, sizeof(e->addr)) == 0 &&
+ (ttl == e->ttl || ttl == 0 || e->ttl == 0))
return e;
return NULL;
}
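Review bot: recent_entry_hash4() and recent_entry_hash6() each carry an identical copy of the `if (!hash_rnd_initted)` seeding block; a single static helper called from both keeps the seed handling in one place and makes it harder for the two paths to drift apart. In recent_entry_hash6() the cast `(u32 *)addr->ip6` also drops the const qualifier that `addr` carries; `(const u32 *)` would keep it, assuming jhash2() accepts a const pointer.

```c
static void recent_hash_rnd_init(void)
{
	if (!hash_rnd_initted) {
		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
		hash_rnd_initted = 1;
	}
}

static unsigned int recent_entry_hash4(const union nf_inet_addr *addr)
{
	recent_hash_rnd_init();
	return jhash_1word((__force u32)addr->ip, hash_rnd) &
	       (ip_list_hash_size - 1);
}
/* … recent_entry_hash6: same call in place of its seeding block … */
/* … unchanged: recent_entry_lookup … */
```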
@@ -118,7 +143,8 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
}
static struct recent_entry *
-recent_entry_init(struct recent_table *t, __be32 addr, u_int8_t ttl)
+recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
+ u_int16_t family, u_int8_t ttl)
{
struct recent_entry *e;
@@ -130,12 +156,16 @@ recent_entry_init(struct recent_table *t, __be32 addr, u_int8_t ttl)
GFP_ATOMIC);
if (e == NULL)
return NULL;
- e->addr = addr;
+ memcpy(&e->addr, addr, sizeof(e->addr));
e->ttl = ttl;
e->stamps[0] = jiffies;
e->nstamps = 1;
e->index = 1;
- list_add_tail(&e->list, &t->iphash[recent_entry_hash(addr)]);
+ e->family = family;
+ if (family == AF_INET)
+ list_add_tail(&e->list, &t->iphash[recent_entry_hash4(addr)]);
+ else
+ list_add_tail(&e->list, &t->iphash[recent_entry_hash6(addr)]);
list_add_tail(&e->lru_list, &t->lru_list);
t->entries++;
return e;
@@ -179,28 +209,42 @@ recent_mt(const struct sk_buff *skb, const struct net_device *in,
const struct xt_recent_mtinfo *info = matchinfo;
struct recent_table *t;
struct recent_entry *e;
- __be32 addr;
+ union nf_inet_addr addr;
u_int8_t ttl;
bool ret = info->invert;
- if (info->side == XT_RECENT_DEST)
- addr = ip_hdr(skb)->daddr;
- else
- addr = ip_hdr(skb)->saddr;
+ if (match->family == AF_INET) {
+ const struct iphdr *iph = ip_hdr(skb);
+
+ if (info->side == XT_RECENT_DEST)
+ addr.ip = iph->daddr;
+ else
+ addr.ip = iph->saddr;
+
+ ttl = iph->ttl;
+ } else {
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+
+ if (info->side == XT_RECENT_DEST)
+ memcpy(&addr.in6, &iph->daddr, sizeof(addr.in6));
+ else
+ memcpy(&addr.in6, &iph->saddr, sizeof(addr.in6));
+
+ ttl = iph->hop_limit;
+ }
- ttl = ip_hdr(skb)->ttl;
/* use TTL as seen before forwarding */
if (out && !skb->sk)
ttl++;
spin_lock_bh(&recent_lock);
t = recent_table_lookup(info->name);
- e = recent_entry_lookup(t, addr,
+ e = recent_entry_lookup(t, &addr, match->family,
info->check_set & XT_RECENT_TTL ? ttl : 0);
if (e == NULL) {
if (!(info->check_set & XT_RECENT_SET))
goto out;
- e = recent_entry_init(t, addr, ttl);
+ e = recent_entry_init(t, &addr, match->family, ttl);
if (e == NULL)
*hotdrop = true;
ret = !ret;
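Review bot: `union nf_inet_addr addr;` is declared without an initialiser, and the AF_INET branch then writes only `addr.ip`, so the remaining bytes of the union hold whatever was on the stack. recent_entry_lookup() compares the whole union with `memcmp(&e->addr, addrp, sizeof(e->addr))` and recent_entry_init() copies the whole union, so an IPv4 address that is already listed may fail to match and be stored again as a separate entry, which weakens any rate-limiting or blocking rule built on this match. Zero the union at declaration: `union nf_inet_addr addr = {};`. The same applies to `addr` in the recent_proc_write hunk, where in4_pton() presumably fills only the first four bytes. recent_mt's body starts and ends outside this hunk.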
@@ -316,7 +360,7 @@ static void recent_mt_destroy(const struct xt_match *match, void *matchinfo)
#ifdef CONFIG_PROC_FS
struct recent_iter_state {
- struct recent_table *table;
+ const struct recent_table *table;
unsigned int bucket;
};
@@ -341,8 +385,8 @@ static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
struct recent_iter_state *st = seq->private;
const struct recent_table *t = st->table;
- struct recent_entry *e = v;
- struct list_head *head = e->list.next;
+ const struct recent_entry *e = v;
+ const struct list_head *head = e->list.next;
while (head == &t->iphash[st->bucket]) {
if (++st->bucket >= ip_list_hash_size)
@@ -365,8 +409,14 @@ static int recent_seq_show(struct seq_file *seq, void *v)
unsigned int i;
i = (e->index - 1) % ip_pkt_list_tot;
- seq_printf(seq, "src=%u.%u.%u.%u ttl: %u last_seen: %lu oldest_pkt: %u",
- NIPQUAD(e->addr), e->ttl, e->stamps[i], e->index);
+ if (e->family == AF_INET)
+ seq_printf(seq, "src=" NIPQUAD_FMT " ttl: %u last_seen: %lu "
+ "oldest_pkt: %u", NIPQUAD(e->addr.ip), e->ttl,
+ e->stamps[i], e->index);
+ else
+ seq_printf(seq, "src=" NIP6_FMT " ttl: %u last_seen: %lu "
+ "oldest_pkt: %u", NIP6(e->addr.in6), e->ttl,
+ e->stamps[i], e->index);
for (i = 0; i < e->nstamps; i++)
seq_printf(seq, "%s %lu", i ? "," : "", e->stamps[i]);
seq_printf(seq, "\n");
@@ -399,45 +449,59 @@ static ssize_t recent_proc_write(struct file *file, const char __user *input,
const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct recent_table *t = pde->data;
struct recent_entry *e;
- char buf[sizeof("+255.255.255.255")], *c = buf;
- __be32 addr;
- int add;
+ char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")], *c = buf;
+ union nf_inet_addr addr;
+ u_int16_t family;
+ bool add, succ;
+ if (size == 0)
+ return 0;
if (size > sizeof(buf))
size = sizeof(buf);
- if (copy_from_user(buf, input, size))
+ if (copy_from_user(buf, input, size) != 0)
return -EFAULT;
- while (isspace(*c))
- c++;
- if (size - (c - buf) < 5)
- return c - buf;
- if (!strncmp(c, "clear", 5)) {
- c += 5;
+ /* Strict protocol! */
+ if (*loff != 0)
+ return -ESPIPE;
+ switch (*c) {
+ case '/': /* flush table */
spin_lock_bh(&recent_lock);
recent_table_flush(t);
spin_unlock_bh(&recent_lock);
- return c - buf;
- }
-
- switch (*c) {
- case '-':
- add = 0;
- c++;
+ return size;
+ case '-': /* remove address */
+ add = false;
break;
- case '+':
- c++;
- default:
- add = 1;
+ case '+': /* add address */
+ add = true;
break;
+ default:
+ printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n");
+ return -EINVAL;
+ }
+
+ ++c;
+ --size;
+ if (strnchr(c, size, ':') != NULL) {
+ family = AF_INET6;
+ succ = in6_pton(c, size, (void *)&addr, '\n', NULL);
+ } else {
+ family = AF_INET;
+ succ = in4_pton(c, size, (void *)&addr, '\n', NULL);
+ }
+
+ if (!succ) {
+ printk(KERN_INFO KBUILD_MODNAME ": illegal address written "
+ "to procfs\n");
+ return -EINVAL;
}
- addr = in_aton(c);
spin_lock_bh(&recent_lock);
- e = recent_entry_lookup(t, addr, 0);
+ e = recent_entry_lookup(t, &addr, family, 0);
if (e == NULL) {
if (add)
- recent_entry_init(t, addr, 0);
+ recent_entry_init(t, &addr, family, 0);
} else {
if (add)
recent_entry_update(t, e);
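Review bot: Both new `printk(KERN_INFO ...)` calls in the error paths run on every malformed write, so whoever is permitted to write the list file (owner and mode come from ip_list_uid, ip_list_gid and ip_list_perms) can flood the kernel log and push other messages out of it. Guard them with the rate limiter, e.g. `if (net_ratelimit()) printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n");`, or drop the messages and rely on -EINVAL alone. Separately, the `/` branch returns `size` without advancing `*loff`, while the add/remove path in the following hunk does `*loff += size + 1`; that looks inconsistent for a protocol that rejects non-zero offsets. The function begins and ends outside this hunk.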
@@ -445,7 +509,9 @@ static ssize_t recent_proc_write(struct file *file, const char __user *input,
recent_entry_remove(t, e);
}
spin_unlock_bh(&recent_lock);
- return size;
+ /* Note we removed one above */
+ *loff += size + 1;
+ return size + 1;
}
static const struct file_operations recent_fops = {
@@ -457,14 +523,27 @@ static const struct file_operations recent_fops = {
};
#endif /* CONFIG_PROC_FS */
-static struct xt_match recent_mt_reg __read_mostly = {
- .name = "recent",
- .family = AF_INET,
- .match = recent_mt,
- .matchsize = sizeof(struct xt_recent_mtinfo),
- .checkentry = recent_mt_check,
- .destroy = recent_mt_destroy,
- .me = THIS_MODULE,
+static struct xt_match recent_mt_reg[] __read_mostly = {
+ {
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET,
+ .match = recent_mt,
+ .matchsize = sizeof(struct xt_recent_mtinfo),
+ .checkentry = recent_mt_check,
+ .destroy = recent_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET6,
+ .match = recent_mt,
+ .matchsize = sizeof(struct xt_recent_mtinfo),
+ .checkentry = recent_mt_check,
+ .destroy = recent_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init recent_mt_init(void)
@@ -475,13 +554,13 @@ static int __init recent_mt_init(void)
return -EINVAL;
ip_list_hash_size = 1 << fls(ip_list_tot);
- err = xt_register_match(&recent_mt_reg);
+ err = xt_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
#ifdef CONFIG_PROC_FS
if (err)
return err;
- proc_dir = proc_mkdir("ipt_recent", init_net.proc_net);
+ proc_dir = proc_mkdir("xt_recent", init_net.proc_net);
if (proc_dir == NULL) {
- xt_unregister_match(&recent_mt_reg);
+ xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
err = -ENOMEM;
}
#endif
@@ -491,9 +570,9 @@ static int __init recent_mt_init(void)
static void __exit recent_mt_exit(void)
{
BUG_ON(!list_empty(&tables));
- xt_unregister_match(&recent_mt_reg);
+ xt_unregister_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
#ifdef CONFIG_PROC_FS
- remove_proc_entry("ipt_recent", init_net.proc_net);
+ remove_proc_entry("xt_recent", init_net.proc_net);
#endif
}