* [PATCH 02/24] Correct the family member value of libxt_mark revision 1
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
@ 2008-04-06 15:26 ` Jan Engelhardt
2008-04-06 15:31 ` Patrick McHardy
2008-04-06 15:27 ` [PATCH 03/24] Makefile: add a "tarball" target Jan Engelhardt
` (22 subsequent siblings)
23 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:26 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
libxt_mark rev1 used AF_INET6 in the class structure where it should
have used AF_INET.
---
extensions/libxt_mark.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index 1dfcc58..af7f844 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -182,7 +182,7 @@ static struct xtables_match mark_mt_reg = {
.version = IPTABLES_VERSION,
.name = "mark",
.revision = 1,
- .family = AF_INET6,
+ .family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.help = mark_mt_help,
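Review bot: The changelog says only that `.family` held the wrong constant for revision 1; it does not say what the wrong value caused for users or since which commit or release. Please add that to the commit message. Also confirm that a separate AF_INET6 entry for revision 1 is registered elsewhere in libxt_mark.c, since this hunk changes the only revision 1 entry visible here.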
--
1.5.5.rc3
* [PATCH 03/24] Makefile: add a "tarball" target
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
2008-04-06 15:26 ` [PATCH 02/24] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:32 ` Patrick McHardy
2008-04-06 15:27 ` [PATCH 04/24] Drop -W from CFLAGS and some tiny code cleanups Jan Engelhardt
` (21 subsequent siblings)
23 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
Makefile.am | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index a0f33c6..112b552 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -93,3 +93,11 @@ ip6tables.8: ${srcdir}/ip6tables.8.in extensions/matches6.man extensions/targets
extensions/%:
${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
+
+.PHONY: tarball
+tarball:
+ rm -Rf /tmp/xtables-${PACKAGE_VERSION};
+ pushd ${top_srcdir} && git-archive --prefix=xtables-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
+ pushd /tmp/xtables-${PACKAGE_VERSION} && ./autogen.sh && popd;
+ tar -C /tmp -cjf xtables-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-${PACKAGE_VERSION}/;
+ rm -Rf /tmp/xtables-${PACKAGE_VERSION};
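Review bot: The recipe stages everything in a fixed, predictable path, `/tmp/xtables-${PACKAGE_VERSION}`, removes it with `rm -Rf`, and then runs `./autogen.sh` from it, so on a shared build host the release contents depend on nobody else having write access to that name between steps. Create the staging directory with `mktemp -d` and use that path throughout. Separately, `pushd` and `popd` are bash builtins and make runs recipe lines with /bin/sh unless SHELL is set; a `cd` inside a subshell is portable. The final `tar -C /tmp -cjf xtables-${PACKAGE_VERSION}.tar.bz2` writes the archive to whatever the current directory is, which deserves a comment or an explicit output path. The commit message is empty; a line on how the target is meant to be used would help.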
--
1.5.5.rc3
* [PATCH 04/24] Drop -W from CFLAGS and some tiny code cleanups
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
2008-04-06 15:26 ` [PATCH 02/24] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-06 15:27 ` [PATCH 03/24] Makefile: add a "tarball" target Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:33 ` Patrick McHardy
2008-04-06 15:27 ` [PATCH 05/24] Fix -Wshadow warnings and clean up xt_sctp.h Jan Engelhardt
` (20 subsequent siblings)
23 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
- change "unsigned" to explicit "unsigned int"
- remove some casts
---
configure.ac | 2 +-
extensions/dscp_helper.c | 2 +-
extensions/libip6t_dst.c | 2 +-
extensions/libip6t_hbh.c | 2 +-
extensions/libip6t_rt.c | 2 +-
extensions/libipt_SAME.c | 6 +++---
extensions/libxt_TCPOPTSTRIP.c | 2 +-
extensions/libxt_quota.c | 2 +-
iptables-xml.c | 14 +++++++-------
xtables.c | 2 +-
10 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/configure.ac b/configure.ac
index a435ae4..004a517 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,7 +37,7 @@ AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" == "yes"])
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
- -D_REENTRANT -W -Wall -Waggregate-return -Wmissing-declarations \
+ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
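Review bot: The removal of `-W` from `regular_CFLAGS` has no rationale in the changelog, whose two bullet points cover only the `unsigned int` and cast cleanups. `-W` is the older spelling of `-Wextra`, so this turns off a group of diagnostics for the whole tree. Please state the reason in the commit message, or keep the flag and disable only the specific warnings that are too noisy.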
diff --git a/extensions/dscp_helper.c b/extensions/dscp_helper.c
index 9e9a163..217df09 100644
--- a/extensions/dscp_helper.c
+++ b/extensions/dscp_helper.c
@@ -49,7 +49,7 @@ static const struct ds_class
static unsigned int
class_to_dscp(const char *name)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
if (!strncasecmp(name, ds_classes[i].name,
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 9e4d870..5b06033 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -168,7 +168,7 @@ static int dst_parse(int c, char **argv, int invert, unsigned int *flags,
}
static void
-print_options(unsigned optsnr, u_int16_t *optsp)
+print_options(unsigned int optsnr, u_int16_t *optsp)
{
unsigned int i;
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 1052575..ad12547 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -162,7 +162,7 @@ static int hbh_parse(int c, char **argv, int invert, unsigned int *flags,
}
static void
-print_options(unsigned optsnr, u_int16_t *optsp)
+print_options(unsigned int optsnr, u_int16_t *optsp)
{
unsigned int i;
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index a9ced6a..e2ae09f 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -255,7 +255,7 @@ print_nums(const char *name, u_int32_t min, u_int32_t max,
}
static void
-print_addresses(unsigned addrnr, struct in6_addr *addrp)
+print_addresses(unsigned int addrnr, struct in6_addr *addrp)
{
unsigned int i;
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index e03ae80..d1e6903 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -90,7 +90,7 @@ static int SAME_parse(int c, char **argv, int invert, unsigned int *flags,
{
struct ipt_same_info *mr
= (struct ipt_same_info *)(*target)->data;
- unsigned count;
+ unsigned int count;
switch (c) {
case '1':
@@ -146,7 +146,7 @@ static void SAME_check(unsigned int flags)
static void SAME_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
- unsigned count;
+ unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
int random = 0;
@@ -180,7 +180,7 @@ static void SAME_print(const void *ip, const struct xt_entry_target *target,
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void SAME_save(const void *ip, const struct xt_entry_target *target)
{
- unsigned count;
+ unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
int random = 0;
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index df107f4..bd66435 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -22,7 +22,7 @@ enum {
struct tcp_optionmap {
const char *name, *desc;
- const unsigned option;
+ const unsigned int option;
};
static const struct option tcpoptstrip_tg_opts[] = {
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index 57050f2..b4fb78b 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -43,7 +43,7 @@ quota_save(const void *ip, const struct xt_entry_match *match)
static int
parse_quota(const char *s, u_int64_t * quota)
{
- *quota = strtoull(s, (char **) NULL, 10);
+ *quota = strtoull(s, NULL, 10);
#ifdef DEBUG_XT_QUOTA
printf("Quota: %llu\n", *quota);
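Review bot: With the end pointer passed as NULL on the changed line, `parse_quota()` cannot tell whether `s` was consumed completely, and nothing in the lines shown checks errno, so a non-numeric string is stored as 0, trailing characters after the digits are ignored, and an out-of-range value is not reported. Since the line is being touched anyway, pass a `char *end`, and reject the input when `end == s`, `*end != '\0'` or `errno == ERANGE`.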
diff --git a/iptables-xml.c b/iptables-xml.c
index 087b7c7..404d020 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -85,10 +85,10 @@ parse_counters(char *string, struct ipt_counters *ctr)
/* global new argv and argc */
static char *newargv[255];
-static unsigned newargc = 0;
+static unsigned int newargc = 0;
static char *oldargv[255];
-static unsigned oldargc = 0;
+static unsigned int oldargc = 0;
/* arg meta data, were they quoted, frinstance */
static int newargvattr[255];
@@ -129,7 +129,7 @@ add_argv(char *what, int quoted)
static void
free_argv(void)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < newargc; i++) {
free(newargv[i]);
@@ -149,7 +149,7 @@ free_argv(void)
static void
save_argv(void)
{
- unsigned i;
+ unsigned int i;
for (i = 0; i < oldargc; i++)
free(oldargv[i]);
@@ -545,8 +545,8 @@ compareRules(void)
is the case when processing the ACTUAL output of actual iptables-save
rather than a file merely in a compatable format */
- unsigned old = 0;
- unsigned new = 0;
+ unsigned int old = 0;
+ unsigned int new = 0;
int compare = 0;
@@ -748,7 +748,7 @@ main(int argc, char *argv[])
ret = 1;
} else if (curTable[0]) {
- unsigned a;
+ unsigned int a;
char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
diff --git a/xtables.c b/xtables.c
index af4d3dc..dba9081 100644
--- a/xtables.c
+++ b/xtables.c
@@ -257,7 +257,7 @@ int service_to_port(const char *name, const char *proto)
u_int16_t parse_port(const char *port, const char *proto)
{
- unsigned portnum;
+ unsigned int portnum;
if ((string_to_number(port, 0, 65535, &portnum)) != -1 ||
(portnum = service_to_port(port, proto)) != (unsigned)-1)
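Review bot: The last context line of this hunk still compares against `(unsigned)-1`, the bare `unsigned` spelling that the changelog says is being replaced; change it to `(unsigned int)-1` in the same commit so the cleanup is complete in this function. The hunk header shows `service_to_port()` returning int, so the comparison relies on the -1 error value surviving the conversion into `portnum`; a short comment there would make that intent explicit.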
--
1.5.5.rc3
* [PATCH 05/24] Fix -Wshadow warnings and clean up xt_sctp.h
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (2 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 04/24] Drop -W from CFLAGS and some tiny code cleanups Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:35 ` Patrick McHardy
2008-04-06 15:27 ` [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes) Jan Engelhardt
` (19 subsequent siblings)
23 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Note: xt_sctp.h is still not merged upstream in the kernel as of
this commit. But a refactoring was really needed.
---
configure.ac | 3 +-
extensions/libipt_SAME.c | 12 ++--
extensions/libipt_addrtype.c | 4 +-
extensions/libxt_RATEEST.c | 12 ++--
extensions/libxt_conntrack.c | 28 +++++-----
extensions/libxt_hashlimit.c | 4 +-
extensions/libxt_state.c | 12 ++--
extensions/libxt_statistic.c | 23 +++++---
include/linux/netfilter/xt_sctp.h | 87 ++++++++++++----------------
include/xtables.h | 4 +-
ip6tables-save.c | 10 ++--
ip6tables.c | 12 ++--
iptables-save.c | 10 ++--
iptables-xml.c | 7 +-
iptables.c | 12 ++--
libiptc/libiptc.c | 49 +++++++---------
xtables.c | 4 +-
17 files changed, 140 insertions(+), 153 deletions(-)
diff --git a/configure.ac b/configure.ac
index 004a517..87fca6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,8 +46,7 @@ kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
# Remove workarounds soon
regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
-Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter \
- -Wno-shadow -Wno-inline"
+ -Wno-unused-parameter"
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
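Review bot: The removed line drops `-Wno-inline` together with `-Wno-shadow`, but the subject and changelog mention only the -Wshadow fixes. Either note in the commit message that -Winline warnings are now enabled as well and that the tree builds cleanly with them, or split the `-Wno-inline` removal into its own patch.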
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index d1e6903..f7c737c 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -149,7 +149,7 @@ static void SAME_print(const void *ip, const struct xt_entry_target *target,
unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
- int random = 0;
+ int random_selection = 0;
printf("same:");
@@ -167,13 +167,13 @@ static void SAME_print(const void *ip, const struct xt_entry_target *target,
else
printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
- random = 1;
+ random_selection = 1;
}
if (mr->info & IPT_SAME_NODST)
printf("nodst ");
- if (random)
+ if (random_selection)
printf("random ");
}
@@ -183,7 +183,7 @@ static void SAME_save(const void *ip, const struct xt_entry_target *target)
unsigned int count;
struct ipt_same_info *mr
= (struct ipt_same_info *)target->data;
- int random = 0;
+ int random_selection = 0;
for (count = 0; count < mr->rangesize; count++) {
struct ip_nat_range *r = &mr->range[count];
@@ -198,13 +198,13 @@ static void SAME_save(const void *ip, const struct xt_entry_target *target)
else
printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
- random = 1;
+ random_selection = 1;
}
if (mr->info & IPT_SAME_NODST)
printf("--nodst ");
- if (random)
+ if (random_selection)
printf("--random ");
}
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index 5557af2..7db9dce 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -49,12 +49,12 @@ static void addrtype_help(void)
}
static int
-parse_type(const char *name, size_t strlen, u_int16_t *mask)
+parse_type(const char *name, size_t len, u_int16_t *mask)
{
int i;
for (i = 0; rtn_names[i]; i++)
- if (strncasecmp(name, rtn_names[i], strlen) == 0) {
+ if (strncasecmp(name, rtn_names[i], len) == 0) {
/* build up bitmask for kernel module */
*mask |= (1 << i);
return 1;
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 1871657..4f52c2e 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -177,17 +177,17 @@ static void
__RATEEST_print(const struct xt_entry_target *target, const char *prefix)
{
struct xt_rateest_target_info *info = (void *)target->data;
- unsigned int interval;
- unsigned int ewma_log;
+ unsigned int local_interval;
+ unsigned int local_ewma_log;
- interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
- ewma_log = interval * (1 << (info->ewma_log));
+ local_interval = (TIME_UNITS_PER_SEC << (info->interval + 2)) / 4;
+ local_ewma_log = local_interval * (1 << (info->ewma_log));
printf("%sname %s ", prefix, info->name);
printf("%sinterval ", prefix);
- RATEEST_print_time(interval);
+ RATEEST_print_time(local_interval);
printf("%sewmalog ", prefix);
- RATEEST_print_time(ewma_log);
+ RATEEST_print_time(local_ewma_log);
}
static void
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index d1c0aa0..e3e29f0 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -78,21 +78,21 @@ static const struct option conntrack_mt_opts[] = {
};
static int
-parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo)
+parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
{
- if (strncasecmp(state, "INVALID", strlen) == 0)
+ if (strncasecmp(state, "INVALID", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
+ else if (strncasecmp(state, "NEW", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
+ else if (strncasecmp(state, "RELATED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
- else if (strncasecmp(state, "SNAT", strlen) == 0)
+ else if (strncasecmp(state, "SNAT", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
- else if (strncasecmp(state, "DNAT", strlen) == 0)
+ else if (strncasecmp(state, "DNAT", len) == 0)
sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
else
return 0;
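Review bot: Not introduced here, but present on every line this hunk touches: `strncasecmp(state, "INVALID", len)` compares only the first `len` characters, so any prefix of a keyword is accepted as that keyword, and a `len` of 0 matches the first branch. If abbreviations are not intended, also require that `len` equals the keyword length before treating it as a match. The same pattern is visible in `parse_status()` below and in the libxt_state.c and libipt_addrtype.c hunks of this patch, so a shared helper would fix all of them at once.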
@@ -154,18 +154,18 @@ conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg)
}
static int
-parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo)
+parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
{
- if (strncasecmp(status, "NONE", strlen) == 0)
+ if (strncasecmp(status, "NONE", len) == 0)
sinfo->statusmask |= 0;
- else if (strncasecmp(status, "EXPECTED", strlen) == 0)
+ else if (strncasecmp(status, "EXPECTED", len) == 0)
sinfo->statusmask |= IPS_EXPECTED;
- else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
+ else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
sinfo->statusmask |= IPS_SEEN_REPLY;
- else if (strncasecmp(status, "ASSURED", strlen) == 0)
+ else if (strncasecmp(status, "ASSURED", len) == 0)
sinfo->statusmask |= IPS_ASSURED;
#ifdef IPS_CONFIRMED
- else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
+ else if (strncasecmp(status, "CONFIRMED", len) == 0)
sinfo->statusmask |= IPS_CONFIRMED;
#endif
else
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index d8a0035..00b0304 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -106,10 +106,10 @@ static void hashlimit_init(struct xt_entry_match *m)
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *optarg)
+static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
{
char *tok;
- char *arg = strdup(optarg);
+ char *arg = strdup(option_arg);
if (!arg)
return -1;
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index 68f5280..5b8beea 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -29,17 +29,17 @@ static const struct option state_opts[] = {
};
static int
-state_parse_state(const char *state, size_t strlen, struct xt_state_info *sinfo)
+state_parse_state(const char *state, size_t len, struct xt_state_info *sinfo)
{
- if (strncasecmp(state, "INVALID", strlen) == 0)
+ if (strncasecmp(state, "INVALID", len) == 0)
sinfo->statemask |= XT_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
+ else if (strncasecmp(state, "NEW", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ else if (strncasecmp(state, "ESTABLISHED", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
+ else if (strncasecmp(state, "RELATED", len) == 0)
sinfo->statemask |= XT_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ else if (strncasecmp(state, "UNTRACKED", len) == 0)
sinfo->statemask |= XT_STATE_UNTRACKED;
else
return 0;
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 19bb121..ebb4e91 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -30,16 +30,20 @@ static const struct option statistic_opts[] = {
{ .name = NULL }
};
-static struct xt_statistic_info *info;
+static struct xt_statistic_info *global_info;
+
+static void statistic_mt_init(struct xt_entry_match *match)
+{
+ global_info = (void *)match->data;
+}
static int
statistic_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
+ struct xt_statistic_info *info = (void *)(*match)->data;
double prob;
- info = (void *)(*match)->data;
-
if (invert)
info->flags |= XT_STATISTIC_INVERT;
@@ -100,25 +104,26 @@ static void statistic_check(unsigned int flags)
if ((flags & 0x2) && (flags & (0x4 | 0x8)))
exit_error(PARAMETER_PROBLEM,
"both nth and random parameters given");
- if (flags & 0x2 && info->mode != XT_STATISTIC_MODE_RANDOM)
+ if (flags & 0x2 && global_info->mode != XT_STATISTIC_MODE_RANDOM)
exit_error(PARAMETER_PROBLEM,
"--probability can only be used in random mode");
- if (flags & 0x4 && info->mode != XT_STATISTIC_MODE_NTH)
+ if (flags & 0x4 && global_info->mode != XT_STATISTIC_MODE_NTH)
exit_error(PARAMETER_PROBLEM,
"--every can only be used in nth mode");
- if (flags & 0x8 && info->mode != XT_STATISTIC_MODE_NTH)
+ if (flags & 0x8 && global_info->mode != XT_STATISTIC_MODE_NTH)
exit_error(PARAMETER_PROBLEM,
"--packet can only be used in nth mode");
if ((flags & 0x8) && !(flags & 0x4))
exit_error(PARAMETER_PROBLEM,
"--packet can only be used with --every");
/* at this point, info->u.nth.every have been decreased. */
- if (info->u.nth.packet > info->u.nth.every)
+ if (global_info->u.nth.packet > global_info->u.nth.every)
exit_error(PARAMETER_PROBLEM,
"the --packet p must be 0 <= p <= n-1");
- info->u.nth.count = info->u.nth.every - info->u.nth.packet;
+ global_info->u.nth.count = global_info->u.nth.every -
+ global_info->u.nth.packet;
}
/* Prints out the matchinfo. */
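Review bot: The context comment "at this point, info->u.nth.every have been decreased" still names `info`, which no longer exists in `statistic_check()` after the rename to `global_info`; update the comment with the code. More importantly, `statistic_check()` depends on a file-scope pointer that the new `statistic_mt_init()` overwrites on each call, so the check validates whichever match was initialised last. That matters when a rule carries more than one statistic match; please say in the changelog whether this is a known limitation. Moving the assignment from `statistic_parse()` into a new `.init` callback is a functional change and should be mentioned in the commit message, which currently describes only warning fixes.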
@@ -164,6 +169,7 @@ static struct xtables_match statistic_match = {
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
.help = statistic_help,
.parse = statistic_parse,
.final_check = statistic_check,
@@ -178,6 +184,7 @@ static struct xtables_match statistic_match6 = {
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
+ .init = statistic_mt_init,
.help = statistic_help,
.parse = statistic_parse,
.final_check = statistic_check,
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index b157897..62ffdcb 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -7,7 +7,8 @@
#define XT_SCTP_VALID_FLAGS 0x07
-#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+/* temporary */
+#define SCTP_ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
struct xt_sctp_flag_info {
@@ -40,68 +41,54 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] |= \
+ (chunkmap)[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
- chunkmap[type / bytes(u_int32_t)] &= \
+ (chunkmap)[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
- (chunkmap[type / bytes (u_int32_t)] & \
+ ((chunkmap)[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
-#define SCTP_CHUNKMAP_RESET(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- chunkmap[i] = 0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- chunkmap[i] = ~0; \
- } while (0)
-
-#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
- do { \
- int i; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) \
- destmap[i] = srcmap[i]; \
- } while (0)
-
-#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
- if (chunkmap[i]) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
-
-#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
-({ \
- int i; \
- int flag = 1; \
- for (i = 0; i < ELEMCOUNT(chunkmap); i++) { \
- if (chunkmap[i] != ~0) { \
- flag = 0; \
- break; \
- } \
- } \
- flag; \
-})
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+ memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+ memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+ memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+ __sctp_chunkmap_is_clear((chunkmap), SCTP_ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i])
+ return false;
+ return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n)
+{
+ unsigned int i;
+ for (i = 0; i < n; ++i)
+ if (chunkmap[i] != ~0U)
+ return false;
+ return true;
+}
#endif /* _XT_SCTP_H_ */
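Review bot: `SCTP_CHUNKMAP_IS_ALL_SET` expands to `ARRAY_SIZE(chunkmap)`, while the macro this patch defines is `SCTP_ARRAY_SIZE` and `SCTP_CHUNKMAP_IS_CLEAR` uses that name; unless `ARRAY_SIZE` happens to be defined by the includer, the first use of IS_ALL_SET will not compile. Use `SCTP_ARRAY_SIZE` in both places. The new inline helpers use `bool`, `true` and `false`, and the macros call `memset` and `memcpy`, but none of the hunks shown adds `<stdbool.h>` or `<string.h>` to the header, so it is no longer self-contained. The `sizeof(chunkmap)` and `sizeof(srcmap)` forms give the right size only when the argument is a real array and silently give the pointer size otherwise; a comment stating that requirement would help. The `type` argument in SET, CLEAR and IS_SET is still unparenthesised although `chunkmap` now is.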
diff --git a/include/xtables.h b/include/xtables.h
index 484e436..4b75e2c 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -176,7 +176,7 @@ extern char *lib_dir;
extern void *fw_calloc(size_t count, size_t size);
extern void *fw_malloc(size_t size);
-extern const char *modprobe;
+extern const char *modprobe_program;
extern int xtables_insmod(const char *modname, const char *modprobe, int quiet);
extern int load_xtables_ko(const char *modprobe, int quiet);
@@ -230,7 +230,7 @@ enum exittype {
/* this is a special 64bit data type that is 8-byte aligned */
#define aligned_u64 u_int64_t __attribute__((aligned(8)))
-int check_inverse(const char option[], int *invert, int *optind, int argc);
+int check_inverse(const char option[], int *invert, int *my_optind, int argc);
void exit_error(enum exittype, const char *, ...)__attribute__((noreturn,
format(printf,2,3)));
extern void param_act(unsigned int, const char *, ...);
diff --git a/ip6tables-save.c b/ip6tables-save.c
index fe57cfd..c73d354 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -21,7 +21,7 @@
#include <dlfcn.h>
#endif
-static int binary = 0, counters = 0;
+static int show_binary = 0, show_counters = 0;
static struct option options[] = {
{ "binary", 0, 0, 'b' },
@@ -264,7 +264,7 @@ static int do_output(const char *tablename)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
ip6tc_strerror(errno));
- if (!binary) {
+ if (!show_binary) {
time_t now = time(NULL);
printf("# Generated by ip6tables-save v%s on %s",
@@ -297,7 +297,7 @@ static int do_output(const char *tablename)
/* Dump out rules */
e = ip6tc_first_rule(chain, &h);
while(e) {
- print_rule(e, &h, chain, counters);
+ print_rule(e, &h, chain, show_counters);
e = ip6tc_next_rule(e, &h);
}
}
@@ -342,11 +342,11 @@ int main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
- binary = 1;
+ show_binary = 1;
break;
case 'c':
- counters = 1;
+ show_counters = 1;
break;
case 't':
diff --git a/ip6tables.c b/ip6tables.c
index c542377..4b517e5 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -440,16 +440,16 @@ add_command(unsigned int *cmd, const int newcmd, const int othercmds,
}
int
-check_inverse(const char option[], int *invert, int *optind, int argc)
+check_inverse(const char option[], int *invert, int *my_optind, int argc)
{
if (option && strcmp(option, "!") == 0) {
if (*invert)
exit_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = TRUE;
- if (optind) {
- *optind = *optind+1;
- if (argc && *optind > argc)
+ if (my_optind != NULL) {
+ ++*my_optind;
+ if (argc && *my_optind > argc)
exit_error(PARAMETER_PROBLEM,
"no argument following `!'");
}
@@ -1492,7 +1492,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
break;
case 'M':
- modprobe = optarg;
+ modprobe_program = optarg;
break;
case 'c':
@@ -1673,7 +1673,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
*handle = ip6tc_init(*table);
/* try to insmod the module if iptc_init failed */
- if (!*handle && load_xtables_ko(modprobe, 0) != -1)
+ if (!*handle && load_xtables_ko(modprobe_program, 0) != -1)
*handle = ip6tc_init(*table);
if (!*handle)
diff --git a/iptables-save.c b/iptables-save.c
index f8a61c2..f82c8a7 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -20,7 +20,7 @@
#include <dlfcn.h>
#endif
-static int binary = 0, counters = 0;
+static int show_binary = 0, show_counters = 0;
static struct option options[] = {
{ "binary", 0, 0, 'b' },
@@ -287,7 +287,7 @@ static int do_output(const char *tablename)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
- if (!binary) {
+ if (!show_binary) {
time_t now = time(NULL);
printf("# Generated by iptables-save v%s on %s",
@@ -320,7 +320,7 @@ static int do_output(const char *tablename)
/* Dump out rules */
e = iptc_first_rule(chain, &h);
while(e) {
- print_rule(e, &h, chain, counters);
+ print_rule(e, &h, chain, show_counters);
e = iptc_next_rule(e, &h);
}
}
@@ -367,11 +367,11 @@ main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
case 'b':
- binary = 1;
+ show_binary = 1;
break;
case 'c':
- counters = 1;
+ show_counters = 1;
break;
case 't':
diff --git a/iptables-xml.c b/iptables-xml.c
index 404d020..94f2e39 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -99,16 +99,15 @@ char closeRuleTag[IPT_TABLE_MAXNAMELEN + 1];
char curTable[IPT_TABLE_MAXNAMELEN + 1];
char curChain[IPT_CHAIN_MAXNAMELEN + 1];
-typedef struct chain
-{
+struct chain {
char *chain;
char *policy;
struct ipt_counters count;
int created;
-} chain;
+};
#define maxChains 10240 /* max chains per table */
-static chain chains[maxChains];
+static struct chain chains[maxChains];
static int nextChain = 0;
/* funCtion adding one argument to newargv, updating newargc
diff --git a/iptables.c b/iptables.c
index 43e3653..0363aba 100644
--- a/iptables.c
+++ b/iptables.c
@@ -447,16 +447,16 @@ add_command(unsigned int *cmd, const int newcmd, const int othercmds,
}
int
-check_inverse(const char option[], int *invert, int *optind, int argc)
+check_inverse(const char option[], int *invert, int *my_optind, int argc)
{
if (option && strcmp(option, "!") == 0) {
if (*invert)
exit_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = TRUE;
- if (optind) {
- *optind = *optind+1;
- if (argc && *optind > argc)
+ if (my_optind != NULL) {
+ ++*my_optind;
+ if (argc && *my_optind > argc)
exit_error(PARAMETER_PROBLEM,
"no argument following `!'");
}
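Review bot: `check_inverse()` here is identical to the copy changed in ip6tables.c earlier in this patch, so every fix has to be applied twice; since the prototype already lives in include/xtables.h, consider a follow-up that moves the single definition into xtables.c. On naming, `my_optind` avoids the shadow warning but says nothing about the parameter's role; something like `argidx` would read better in the prototype.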
@@ -1529,7 +1529,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
break;
case 'M':
- modprobe = optarg;
+ modprobe_program = optarg;
break;
case 'c':
@@ -1712,7 +1712,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
*handle = iptc_init(*table);
/* try to insmod the module if iptc_init failed */
- if (!*handle && load_xtables_ko(modprobe, 0) != -1)
+ if (!*handle && load_xtables_ko(modprobe_program, 0) != -1)
*handle = iptc_init(*table);
if (!*handle)
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index b7bf785..113c250 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -317,7 +317,7 @@ static inline unsigned int iptcc_is_builtin(struct chain_head *c);
* is sorted by name.
*/
static struct list_head *
-iptcc_bsearch_chain_index(const char *name, unsigned int *index, TC_HANDLE_T handle)
+iptcc_bsearch_chain_index(const char *name, unsigned int *idx, TC_HANDLE_T handle)
{
unsigned int pos, end;
int res;
@@ -346,7 +346,7 @@ iptcc_bsearch_chain_index(const char *name, unsigned int *index, TC_HANDLE_T han
res = strcmp(name, handle->chain_index[pos]->name);
list_pos = &handle->chain_index[pos]->list;
- (*index)=pos;
+ *idx = pos;
debug("bsearch Index[%d] name:%s res:%d ",
pos, handle->chain_index[pos]->name, res);
@@ -536,9 +536,9 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, TC_HANDLE_T h)
{
struct list_head *index_ptr, *index_ptr2, *next;
struct chain_head *c2;
- unsigned int index, index2;
+ unsigned int idx, idx2;
- index_ptr = iptcc_bsearch_chain_index(c->name, &index, h);
+ index_ptr = iptcc_bsearch_chain_index(c->name, &idx, h);
debug("Del chain[%s] c->list:%p index_ptr:%p\n",
c->name, &c->list, index_ptr);
@@ -554,15 +554,15 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, TC_HANDLE_T h)
* is located in the same index bucket.
*/
c2 = list_entry(next, struct chain_head, list);
- index_ptr2 = iptcc_bsearch_chain_index(c2->name, &index2, h);
- if (index != index2) {
+ index_ptr2 = iptcc_bsearch_chain_index(c2->name, &idx2, h);
+ if (idx != idx2) {
/* Rebuild needed */
return iptcc_chain_index_rebuild(h);
} else {
/* Avoiding rebuild */
debug("Update cindex[%d] with next ptr name:[%s]\n",
- index, c2->name);
- h->chain_index[index]=c2;
+ idx, c2->name);
+ h->chain_index[idx]=c2;
return 0;
}
}
@@ -962,18 +962,18 @@ static int parse_table(TC_HANDLE_T h)
list_for_each_entry(c, &h->chains, list) {
struct rule_head *r;
list_for_each_entry(r, &c->rules, list) {
- struct chain_head *c;
+ struct chain_head *lc;
STRUCT_STANDARD_TARGET *t;
if (r->type != IPTCC_R_JUMP)
continue;
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
- c = iptcc_find_chain_by_offset(h, t->verdict);
- if (!c)
+ lc = iptcc_find_chain_by_offset(h, t->verdict);
+ if (!lc)
return -1;
- r->jump = c;
- c->references++;
+ r->jump = lc;
+ lc->references++;
}
}
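Review bot: in parse_table() the new inner name `lc` removes the shadowing of the outer `list_for_each_entry(c, ...)` iterator, but it says nothing about what the variable holds. A name that reflects its role as the chain the rule jumps to would make `r->jump = lc;` and `lc->references++;` easier to distinguish from the enclosing loop's `c`.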
@@ -2395,16 +2395,14 @@ subtract_counters(STRUCT_COUNTERS *answer,
}
-static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters,
- unsigned int index)
+static void counters_nomap(STRUCT_COUNTERS_INFO *newcounters, unsigned int idx)
{
- newcounters->counters[index] = ((STRUCT_COUNTERS) { 0, 0});
+ newcounters->counters[idx] = ((STRUCT_COUNTERS) { 0, 0});
DEBUGP_C("NOMAP => zero\n");
}
static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
- STRUCT_REPLACE *repl,
- unsigned int index,
+ STRUCT_REPLACE *repl, unsigned int idx,
unsigned int mappos)
{
/* Original read: X.
@@ -2414,15 +2412,13 @@ static void counters_normal_map(STRUCT_COUNTERS_INFO *newcounters,
* => Add in X + Y
* => Add in replacement read.
*/
- newcounters->counters[index] = repl->counters[mappos];
+ newcounters->counters[idx] = repl->counters[mappos];
DEBUGP_C("NORMAL_MAP => mappos %u \n", mappos);
}
static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
- STRUCT_REPLACE *repl,
- unsigned int index,
- unsigned int mappos,
- STRUCT_COUNTERS *counters)
+ STRUCT_REPLACE *repl, unsigned int idx,
+ unsigned int mappos, STRUCT_COUNTERS *counters)
{
/* Original read: X.
* Atomic read on replacement: X + Y.
@@ -2431,19 +2427,18 @@ static void counters_map_zeroed(STRUCT_COUNTERS_INFO *newcounters,
* => Add in Y.
* => Add in (replacement read - original read).
*/
- subtract_counters(&newcounters->counters[index],
+ subtract_counters(&newcounters->counters[idx],
&repl->counters[mappos],
counters);
DEBUGP_C("ZEROED => mappos %u\n", mappos);
}
static void counters_map_set(STRUCT_COUNTERS_INFO *newcounters,
- unsigned int index,
- STRUCT_COUNTERS *counters)
+ unsigned int idx, STRUCT_COUNTERS *counters)
{
/* Want to set counter (iptables-restore) */
- memcpy(&newcounters->counters[index], counters,
+ memcpy(&newcounters->counters[idx], counters,
sizeof(STRUCT_COUNTERS));
DEBUGP_C("SET\n");
diff --git a/xtables.c b/xtables.c
index dba9081..89863d7 100644
--- a/xtables.c
+++ b/xtables.c
@@ -46,7 +46,7 @@
char *lib_dir;
/* the path to command to load kernel module */
-const char *modprobe = NULL;
+const char *modprobe_program = NULL;
/* Keeping track of external matches and targets: linked lists. */
struct xtables_match *xtables_matches;
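Review bot: the definition `const char *modprobe_program = NULL;` has no `static`, so this renames a symbol with external linkage, not a local. Make sure the matching `extern` declaration and every other user of the old name are updated in this same commit, and say in the changelog whether out-of-tree code referencing `modprobe` is expected to break. Only the definition and one call site are visible in the xtables.c hunks.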
@@ -488,7 +488,7 @@ static int compatible_revision(const char *name, u_int8_t revision, int opt)
exit(1);
}
- load_xtables_ko(modprobe, 1);
+ load_xtables_ko(modprobe_program, 1);
strcpy(rev.name, name);
rev.revision = revision;
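Review bot: not introduced by this rename, but the context line `strcpy(rev.name, name);` in compatible_revision() copies the caller-supplied `name` with no length bound visible in this hunk. Please confirm that `name` is length-checked against the size of `rev.name` before this point, or switch to a bounded copy while the function is being touched.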
--
1.5.5.rc3
* Re: [PATCH 05/24] Fix -Wshadow warnings and clean up xt_sctp.h
2008-04-06 15:27 ` [PATCH 05/24] Fix -Wshadow warnings and clean up xt_sctp.h Jan Engelhardt
@ 2008-04-06 15:35 ` Patrick McHardy
0 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2008-04-06 15:35 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Note: xt_sctp.h is still not merged upstream in the kernel as of
> this commit. But a refactoring was really needed.
> ---
> configure.ac | 3 +-
> extensions/libipt_SAME.c | 12 ++--
> extensions/libipt_addrtype.c | 4 +-
> extensions/libxt_RATEEST.c | 12 ++--
> extensions/libxt_conntrack.c | 28 +++++-----
> extensions/libxt_hashlimit.c | 4 +-
> extensions/libxt_state.c | 12 ++--
> extensions/libxt_statistic.c | 23 +++++---
> include/linux/netfilter/xt_sctp.h | 87 ++++++++++++----------------
> include/xtables.h | 4 +-
> ip6tables-save.c | 10 ++--
> ip6tables.c | 12 ++--
> iptables-save.c | 10 ++--
> iptables-xml.c | 7 +-
> iptables.c | 12 ++--
> libiptc/libiptc.c | 49 +++++++---------
> xtables.c | 4 +-
> 17 files changed, 140 insertions(+), 153 deletions(-)
>
I have my doubts about the usefulness of -Wshadow, but the
cleanups don't hurt I hope, so applied.
* [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (3 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 05/24] Fix -Wshadow warnings and clean up xt_sctp.h Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:41 ` Patrick McHardy
2008-04-06 15:27 ` [PATCH 07/24] Add support for xt_hashlimit match revision 1 Jan Engelhardt
` (18 subsequent siblings)
23 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
configure.ac | 5 -----
extensions/GNUmakefile.in | 2 ++
extensions/libip6t_HL.c | 1 +
extensions/libip6t_LOG.c | 1 +
extensions/libip6t_REJECT.c | 1 +
extensions/libip6t_ah.c | 4 ++--
extensions/libip6t_condition.c | 5 ++---
extensions/libip6t_dst.c | 4 ++--
extensions/libip6t_eui64.c | 1 +
extensions/libip6t_frag.c | 4 ++--
extensions/libip6t_hbh.c | 4 ++--
extensions/libip6t_hl.c | 2 +-
extensions/libip6t_icmp6.c | 1 +
| 1 +
extensions/libip6t_mh.c | 1 +
extensions/libip6t_policy.c | 6 +-----
extensions/libip6t_rt.c | 4 ++--
extensions/libipt_CLUSTERIP.c | 1 +
extensions/libipt_DNAT.c | 1 +
extensions/libipt_ECN.c | 1 +
extensions/libipt_LOG.c | 1 +
extensions/libipt_MASQUERADE.c | 1 +
extensions/libipt_MIRROR.c | 1 +
extensions/libipt_NETMAP.c | 1 +
extensions/libipt_REDIRECT.c | 1 +
extensions/libipt_REJECT.c | 1 +
extensions/libipt_SAME.c | 1 +
extensions/libipt_SET.c | 1 +
extensions/libipt_SNAT.c | 1 +
extensions/libipt_TTL.c | 1 +
extensions/libipt_ULOG.c | 3 ++-
extensions/libipt_addrtype.c | 2 +-
extensions/libipt_ah.c | 4 ++--
extensions/libipt_condition.c | 5 ++---
extensions/libipt_ecn.c | 1 +
extensions/libipt_icmp.c | 1 +
extensions/libipt_policy.c | 1 +
extensions/libipt_realm.c | 1 +
extensions/libipt_recent.c | 1 +
extensions/libipt_set.c | 1 +
extensions/libipt_ttl.c | 2 +-
extensions/libipt_unclean.c | 1 +
extensions/libxt_CLASSIFY.c | 1 +
extensions/libxt_CONNMARK.c | 1 +
extensions/libxt_CONNSECMARK.c | 1 +
extensions/libxt_DSCP.c | 1 +
extensions/libxt_MARK.c | 1 +
extensions/libxt_NFLOG.c | 1 +
extensions/libxt_NFQUEUE.c | 1 +
extensions/libxt_NOTRACK.c | 1 +
extensions/libxt_RATEEST.c | 1 +
extensions/libxt_SECMARK.c | 1 +
extensions/libxt_TCPMSS.c | 1 +
extensions/libxt_TCPOPTSTRIP.c | 1 +
extensions/libxt_TOS.c | 1 +
extensions/libxt_TRACE.c | 1 +
| 1 +
extensions/libxt_connbytes.c | 1 +
extensions/libxt_connlimit.c | 1 +
extensions/libxt_connmark.c | 1 +
extensions/libxt_conntrack.c | 1 +
extensions/libxt_dccp.c | 1 +
extensions/libxt_dscp.c | 1 +
extensions/libxt_esp.c | 4 ++--
extensions/libxt_hashlimit.c | 1 +
extensions/libxt_helper.c | 1 +
extensions/libxt_iprange.c | 1 +
extensions/libxt_length.c | 1 +
extensions/libxt_limit.c | 1 +
extensions/libxt_mac.c | 1 +
extensions/libxt_mark.c | 1 +
extensions/libxt_multiport.c | 4 ++--
extensions/libxt_owner.c | 1 +
extensions/libxt_physdev.c | 1 +
extensions/libxt_pkttype.c | 1 +
extensions/libxt_quota.c | 4 ++--
extensions/libxt_rateest.c | 1 +
extensions/libxt_sctp.c | 1 +
extensions/libxt_standard.c | 1 +
extensions/libxt_state.c | 1 +
extensions/libxt_statistic.c | 1 +
extensions/libxt_string.c | 1 +
extensions/libxt_tcp.c | 4 ++--
extensions/libxt_tcpmss.c | 1 +
extensions/libxt_time.c | 1 +
extensions/libxt_tos.c | 1 +
extensions/libxt_u32.c | 1 +
extensions/libxt_udp.c | 4 ++--
include/iptables.h | 2 --
include/libiptc/libip6tc.h | 2 ++
include/libiptc/libiptc.h | 2 ++
include/xtables.h | 3 +++
ip6tables-multi.h | 8 ++++++++
ip6tables-restore.c | 4 +++-
ip6tables-save.c | 1 +
ip6tables-standalone.c | 1 +
ip6tables.c | 6 ++----
iptables-multi.h | 9 +++++++++
iptables-restore.c | 3 ++-
iptables-save.c | 1 +
iptables-standalone.c | 1 +
iptables-xml.c | 1 +
iptables.c | 4 +---
libiptc/libiptc.c | 9 ++++-----
104 files changed, 143 insertions(+), 58 deletions(-)
create mode 100644 ip6tables-multi.h
create mode 100644 iptables-multi.h
diff --git a/configure.ac b/configure.ac
index 87fca6c..29f54dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,11 +43,6 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
-# Remove workarounds soon
-regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
- -Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter"
-
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
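Review bot: the removed block drops four suppressions (`-Wno-aggregate-return`, `-Wno-missing-declarations`, `-Wno-missing-prototypes`, `-Wno-unused-parameter`), while the subject line only covers missing declarations and prototypes. Either state in the changelog that the aggregate-return and unused-parameter suppressions are removed deliberately and that the tree builds cleanly without them, or split those two into a separate change.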
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 4892409..cf094f2 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -143,6 +143,7 @@ initext4.c: .initext4.dd
for i in ${initext_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
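Review bot: the added `echo -en "void init_extensions(void);\n"` line depends on the shell's `echo` accepting `-e` and `-n`, which is not portable. With a plain POSIX `sh` the options can be printed literally into the generated initext4.c. The surrounding recipe already has the same dependency, so this is a good moment to convert these lines to `printf`. The same applies to the identical addition in the initext6.c recipe.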
@@ -157,6 +158,7 @@ initext6.c: .initext6.dd
for i in ${initext6_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext6_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
index c20147b..3104285 100644
--- a/extensions/libip6t_HL.c
+++ b/extensions/libip6t_HL.c
@@ -152,6 +152,7 @@ static struct ip6tables_target hl_target6 = {
.extra_opts = HL_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&hl_target6);
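Review bot: adding `void _init(void);` directly above the definition silences -Wmissing-prototypes but checks nothing, because the prototype and the definition live in the same file and can never disagree with a caller. Since the same two-line pattern is repeated in every extension in this patch, a single declaration in a shared header (or a small macro wrapping the constructor) would remove the boilerplate and give one place to change the signature later.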
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 6fd4c0b..e8de148 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -269,6 +269,7 @@ static struct ip6tables_target log_target6 = {
.extra_opts = LOG_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&log_target6);
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index 000096e..9445534 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -151,6 +151,7 @@ static struct ip6tables_target reject_target6 = {
.extra_opts = REJECT_opts,
};
+void _init(void);
void _init(void)
{
register_target6(&reject_target6);
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index 46469ea..afebdb1 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -206,8 +206,8 @@ static struct ip6tables_match ah_match6 = {
.extra_opts = ah_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&ah_match6);
}
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
index 03e2722..56793b2 100644
--- a/extensions/libip6t_condition.c
+++ b/extensions/libip6t_condition.c
@@ -87,9 +87,8 @@ static struct ip6tables_match condition_match6 = {
.extra_opts = condition_opts,
};
-
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&condition_match6);
}
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 5b06033..1333418 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -240,8 +240,8 @@ static struct ip6tables_match dst_match6 = {
.extra_opts = dst_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&dst_match6);
}
diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c
index 45988c4..7739e30 100644
--- a/extensions/libip6t_eui64.c
+++ b/extensions/libip6t_eui64.c
@@ -38,6 +38,7 @@ static struct ip6tables_match eui64_target6 = {
.parse = eui64_parse,
};
+void _init(void);
void _init(void)
{
register_match6(&eui64_target6);
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 86f40f4..834dd06 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -251,8 +251,8 @@ static struct ip6tables_match frag_match6 = {
.extra_opts = frag_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&frag_match6);
}
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index ad12547..7ca2b69 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -227,8 +227,8 @@ static struct ip6tables_match hbh_match6 = {
.extra_opts = hbh_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&hbh_match6);
}
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_hl.c
index 7f99598..d2616b8 100644
--- a/extensions/libip6t_hl.c
+++ b/extensions/libip6t_hl.c
@@ -138,7 +138,7 @@ static struct ip6tables_match hl_match6 = {
.extra_opts = hl_opts,
};
-
+void _init(void);
void _init(void)
{
register_match6(&hl_match6);
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index 8c9653f..d9bc785 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -265,6 +265,7 @@ static struct ip6tables_match icmp6_match6 = {
.extra_opts = icmp6_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&icmp6_match6);
--git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index c20fb94..05835ac 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -300,6 +300,7 @@ static struct ip6tables_match ipv6header_match6 = {
.extra_opts = ipv6header_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&ipv6header_match6);
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index dd0da2b..fd3f452 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -236,6 +236,7 @@ static struct ip6tables_match mh_match6 = {
.extra_opts = mh_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&mh_match6);
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index f706f98..4c2f405 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -126,11 +126,6 @@ mask_to_numeric(const struct in6_addr *addrp)
return buf;
}
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-
-/* End duplicated code from ip6tables.c */
-
static int parse_direction(char *s)
{
if (strcmp(s, "in") == 0)
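Review bot: this hunk removes the local `extern u_int16_t parse_protocol(const char *s);` but adds no `#include`, so libip6t_policy.c now relies on some already-included header providing that prototype. Please confirm which header declares it. If none does, the call falls back to an implicit declaration with an `int` return type, which is exactly the class of problem this patch is meant to eliminate.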
@@ -461,6 +456,7 @@ static struct ip6tables_match policy_match6 = {
.extra_opts = policy_opts,
};
+void _init(void);
void _init(void)
{
register_match6(&policy_match6);
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index e2ae09f..33d282f 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -342,8 +342,8 @@ static struct ip6tables_match rt_match6 = {
.extra_opts = rt_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match6(&rt_match6);
}
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index fdeae86..2314185 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -248,6 +248,7 @@ static struct iptables_target clusterip_target = {
.extra_opts = CLUSTERIP_opts,
};
+void _init(void);
void _init(void)
{
register_target(&clusterip_target);
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 3ad412b..a0dbfc5 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -256,6 +256,7 @@ static struct iptables_target dnat_target = {
.extra_opts = DNAT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&dnat_target);
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 1523b2d..8335cca 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -166,6 +166,7 @@ static struct iptables_target ecn_target = {
.extra_opts = ECN_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ecn_target);
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 6b08f58..8287d95 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -271,6 +271,7 @@ static struct iptables_target log_target = {
.extra_opts = LOG_opts,
};
+void _init(void);
void _init(void)
{
register_target(&log_target);
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index fc914c5..c0c519d 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -164,6 +164,7 @@ static struct iptables_target masquerade_target = {
.extra_opts = MASQUERADE_opts,
};
+void _init(void);
void _init(void)
{
register_target(&masquerade_target);
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
index 83397fe..8506eff 100644
--- a/extensions/libipt_MIRROR.c
+++ b/extensions/libipt_MIRROR.c
@@ -34,6 +34,7 @@ static struct iptables_target mirror_target = {
.save = NULL,
};
+void _init(void);
void _init(void)
{
register_target(&mirror_target);
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index da0e5f4..0043cca 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -184,6 +184,7 @@ static struct iptables_target netmap_target = {
.extra_opts = NETMAP_opts,
};
+void _init(void);
void _init(void)
{
register_target(&netmap_target);
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 1918df8..0bcc9dd 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -170,6 +170,7 @@ static struct iptables_target redirect_target = {
.extra_opts = REDIRECT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&redirect_target);
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 5901a5e..aa139fd 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -170,6 +170,7 @@ static struct iptables_target reject_target = {
.extra_opts = REJECT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&reject_target);
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index f7c737c..9d58bf0 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -222,6 +222,7 @@ static struct iptables_target same_target = {
.extra_opts = SAME_opts,
};
+void _init(void);
void _init(void)
{
register_target(&same_target);
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
index dd42867..91ab488 100644
--- a/extensions/libipt_SET.c
+++ b/extensions/libipt_SET.c
@@ -168,6 +168,7 @@ static struct iptables_target set_target = {
.extra_opts = SET_opts,
};
+void _init(void);
void _init(void)
{
register_target(&set_target);
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 7b9e176..9a553cd 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -257,6 +257,7 @@ static struct iptables_target snat_target = {
.extra_opts = SNAT_opts,
};
+void _init(void);
void _init(void)
{
register_target(&snat_target);
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index b5a32c4..e19c3a0 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -153,6 +153,7 @@ static struct iptables_target ttl_target = {
.extra_opts = TTL_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ttl_target);
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 6fb2c66..10301f0 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -21,7 +21,7 @@
#include "../include/linux/netfilter_ipv4/ipt_ULOG.h"
-void print_groups(unsigned int gmask)
+static void print_groups(unsigned int gmask)
{
int b;
unsigned int test;
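Review bot: making print_groups() `static` is the right kind of fix for a file-local helper, but it also removes the symbol from what libipt_ULOG exports. Please confirm nothing outside libipt_ULOG.c referenced it, and mention the linkage change in the changelog since it differs from the prototype-only fixes in the rest of the patch.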
@@ -199,6 +199,7 @@ static struct iptables_target ulog_target = {
.extra_opts = ULOG_opts,
};
+void _init(void);
void _init(void)
{
register_target(&ulog_target);
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index 7db9dce..02752d3 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -196,7 +196,7 @@ static struct iptables_match addrtype_match = {
.extra_opts = addrtype_opts,
};
-
+void _init(void);
void _init(void)
{
register_match(&addrtype_match);
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index 2555b5d..5d9ab6c 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -169,8 +169,8 @@ static struct iptables_match ah_match = {
.extra_opts = ah_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match(&ah_match);
}
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
index 4a98dd8..5bd1c44 100644
--- a/extensions/libipt_condition.c
+++ b/extensions/libipt_condition.c
@@ -86,9 +86,8 @@ static struct iptables_match condition_match = {
.extra_opts = condition_opts,
};
-
-void
-_init(void)
+void _init(void);
+void _init(void)
{
register_match(&condition_match);
}
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index 9c07eab..5c0428d 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -157,6 +157,7 @@ static struct iptables_match ecn_match = {
.extra_opts = ecn_opts,
};
+void _init(void);
void _init(void)
{
register_match(&ecn_match);
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index b1fccbf..df57a5e 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -287,6 +287,7 @@ static struct iptables_match icmp_match = {
.extra_opts = icmp_opts,
};
+void _init(void);
void _init(void)
{
register_match(&icmp_match);
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index 48b96be..cdef750 100644
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -421,6 +421,7 @@ static struct iptables_match policy_match = {
.extra_opts = policy_opts,
};
+void _init(void);
void _init(void)
{
register_match(&policy_match);
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index 7026fc2..73444de 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -256,6 +256,7 @@ static struct iptables_match realm_match = {
.extra_opts = realm_opts,
};
+void _init(void);
void _init(void)
{
register_match(&realm_match);
diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
index ace778e..d82b026 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libipt_recent.c
@@ -224,6 +224,7 @@ static struct iptables_match recent_match = {
.extra_opts = recent_opts,
};
+void _init(void);
void _init(void)
{
register_match(&recent_match);
diff --git a/extensions/libipt_set.c b/extensions/libipt_set.c
index 932008b..78a02b5 100644
--- a/extensions/libipt_set.c
+++ b/extensions/libipt_set.c
@@ -155,6 +155,7 @@ static struct iptables_match set_match = {
.extra_opts = set_opts,
};
+void _init(void);
void _init(void)
{
register_match(&set_match);
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index d7820f1..d358dfc 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -161,7 +161,7 @@ static struct iptables_match ttl_match = {
.extra_opts = ttl_opts,
};
-
+void _init(void);
void _init(void)
{
register_match(&ttl_match);
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
index 648d098..9956c1a 100644
--- a/extensions/libipt_unclean.c
+++ b/extensions/libipt_unclean.c
@@ -29,6 +29,7 @@ static struct iptables_match unclean_match = {
.parse = unclean_parse,
};
+void _init(void);
void _init(void)
{
register_match(&unclean_match);
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index e39367a..ea6cdbe 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -130,6 +130,7 @@ static struct xtables_target classify_target6 = {
.extra_opts = CLASSIFY_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&classify_target);
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 9e8013a..73f8214 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -470,6 +470,7 @@ static struct xtables_target connmark_tg6_reg = {
.extra_opts = connmark_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&connmark_target);
diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
index e8d0a5e..779594f 100644
--- a/extensions/libxt_CONNSECMARK.c
+++ b/extensions/libxt_CONNSECMARK.c
@@ -138,6 +138,7 @@ static struct xtables_target connsecmark_target6 = {
.extra_opts = CONNSECMARK_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&connsecmark_target);
diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
index c15f0e1..3a99b33 100644
--- a/extensions/libxt_DSCP.c
+++ b/extensions/libxt_DSCP.c
@@ -160,6 +160,7 @@ static struct xtables_target dscp_target6 = {
.extra_opts = DSCP_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&dscp_target);
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 569d2e8..2994e75 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -359,6 +359,7 @@ static struct xtables_target mark_tg6_reg_v2 = {
.extra_opts = mark_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&mark_target_v0);
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index d4dc971..4b6c5a9 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -167,6 +167,7 @@ static struct xtables_target nflog_target6 = {
.extra_opts = NFLOG_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&nflog_target);
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index b1c5ef3..287c1c8 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -106,6 +106,7 @@ static struct xtables_target nfqueue_target6 = {
.extra_opts = NFQUEUE_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&nfqueue_target);
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
index 18ad5e1..cb6bd1e 100644
--- a/extensions/libxt_NOTRACK.c
+++ b/extensions/libxt_NOTRACK.c
@@ -44,6 +44,7 @@ static struct xtables_target notrack_target6 = {
.parse = NOTRACK_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(¬rack_target);
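Review bot: the context line in this hunk reads `xtables_register_target(¬rack_target);`, which would not compile and does not follow the `&name` argument pattern of every neighbouring hunk. It looks as though the leading `&not` was decoded as an HTML entity in this copy of the mail, so apply libxt_NOTRACK.c from the original message rather than from this rendering, or the hunk's context will not match.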
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 4f52c2e..df16581 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -233,6 +233,7 @@ static struct xtables_target rateest_target6 = {
.extra_opts = RATEEST_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&rateest_target4);
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index b794e7d..5dfd21e 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -129,6 +129,7 @@ static struct xtables_target secmark_target6 = {
.extra_opts = SECMARK_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&secmark_target);
diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c
index 9ab69bf..f4a45c3 100644
--- a/extensions/libxt_TCPMSS.c
+++ b/extensions/libxt_TCPMSS.c
@@ -151,6 +151,7 @@ static struct xtables_target tcpmss_target6 = {
.extra_opts = TCPMSS_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tcpmss_target);
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index bd66435..22e921a 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -205,6 +205,7 @@ static struct xtables_target tcpoptstrip_tg6_reg = {
.extra_opts = tcpoptstrip_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tcpoptstrip_tg_reg);
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c
index 777d7cf..dfc7af7 100644
--- a/extensions/libxt_TOS.c
+++ b/extensions/libxt_TOS.c
@@ -249,6 +249,7 @@ static struct xtables_target tos_tg6_reg = {
.extra_opts = tos_tg_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&tos_tg_reg_v0);
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index c70df6a..f1d2d94 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -43,6 +43,7 @@ static struct xtables_target trace_target6 = {
.parse = TRACE_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&trace_target);
--git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 20277d4..8ae77fc 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -121,6 +121,7 @@ static struct xtables_match comment_match6 = {
.extra_opts = comment_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&comment_match);
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index e6cb1f4..9fd5a47 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -213,6 +213,7 @@ static struct xtables_match connbytes_match6 = {
.extra_opts = connbytes_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connbytes_match);
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index 9e2137a..2b4d3d5 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -208,6 +208,7 @@ static struct xtables_match connlimit_match6 = {
.extra_opts = connlimit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connlimit_match);
diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
index 1e38f7c..dd43359 100644
--- a/extensions/libxt_connmark.c
+++ b/extensions/libxt_connmark.c
@@ -228,6 +228,7 @@ static struct xtables_match connmark_mt6_reg = {
.extra_opts = connmark_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&connmark_mt_reg_v0);
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index e3e29f0..d5f1be7 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1061,6 +1061,7 @@ static struct xtables_match conntrack_mt6_reg = {
.extra_opts = conntrack_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&conntrack_match);
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 467a695..d21de16 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -367,6 +367,7 @@ static struct xtables_match dccp_match6 = {
.extra_opts = dccp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&dccp_match);
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index a28af09..75941ab 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -174,6 +174,7 @@ static struct xtables_match dscp_match6 = {
.extra_opts = dscp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&dscp_match);
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index f37c088..b20999d 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -181,8 +181,8 @@ static struct xtables_match esp_match6 = {
.extra_opts = esp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&esp_match);
xtables_register_match(&esp_match6);
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 00b0304..a19ab8f 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -390,6 +390,7 @@ static struct xtables_match hashlimit_match6 = {
.extra_opts = hashlimit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&hashlimit_match);
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 31ae4fc..4ce1d4b 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -102,6 +102,7 @@ static struct xtables_match helper_match6 = {
.extra_opts = helper_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&helper_match);
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 51b35f8..54d7d9c 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -383,6 +383,7 @@ static struct xtables_match iprange_mt6_reg = {
.extra_opts = iprange_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&iprange_match);
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index b812b67..8fb2150 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -152,6 +152,7 @@ static struct xtables_match length_match6 = {
.extra_opts = length_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&length_match);
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index 65a8df3..e93388b 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -192,6 +192,7 @@ static struct xtables_match limit_match6 = {
.extra_opts = limit_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&limit_match);
diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
index 2284d2a..112ac5b 100644
--- a/extensions/libxt_mac.c
+++ b/extensions/libxt_mac.c
@@ -143,6 +143,7 @@ static struct xtables_match mac_match6 = {
.extra_opts = mac_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&mac_match);
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index af7f844..1e07736 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -208,6 +208,7 @@ static struct xtables_match mark_mt6_reg = {
.extra_opts = mark_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&mark_match);
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 6de7bc1..7b96e6c 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -569,8 +569,8 @@ static struct xtables_match multiport_match6_v1 = {
.extra_opts = multiport_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&multiport_match);
xtables_register_match(&multiport_match6);
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index ea86f99..18f3d9a 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -591,6 +591,7 @@ static struct xtables_match owner_mt6_reg = {
.extra_opts = owner_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&owner_mt_reg_v0);
diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
index e971d1e..6b5fe20 100644
--- a/extensions/libxt_physdev.c
+++ b/extensions/libxt_physdev.c
@@ -190,6 +190,7 @@ static struct xtables_match physdev_match6 = {
.extra_opts = physdev_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&physdev_match);
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index 75194fc..893fe43 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -174,6 +174,7 @@ static struct xtables_match pkttype_match6 = {
.extra_opts = pkttype_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&pkttype_match);
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index b4fb78b..9ce350d 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -103,8 +103,8 @@ struct xtables_match quota_match6 = {
.extra_opts = quota_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match("a_match);
xtables_register_match("a_match6);
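Review bot: The hunk header shows "struct xtables_match quota_match6" defined without static, while the match structures in the neighbouring extensions are all static. Since this patch is tightening linkage and declarations anyway, quota_match6 (and quota_match, if it is declared the same way) could become static here, as nothing in the visible lines needs it exported.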
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 5f13340..0771fcd 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -454,6 +454,7 @@ static struct xtables_match rateest_match6 = {
.extra_opts = rateest_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&rateest_match4);
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 2ca1572..af6faba 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -539,6 +539,7 @@ static struct xtables_match sctp_match6 = {
.extra_opts = sctp_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&sctp_match);
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index eef9369..2417f09 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -43,6 +43,7 @@ static struct xtables_target standard_target6 = {
.parse = standard_parse,
};
+void _init(void);
void _init(void)
{
xtables_register_target(&standard_target);
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index 5b8beea..cbc8419 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -170,6 +170,7 @@ static struct xtables_match state_match6 = {
.extra_opts = state_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&state_match);
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index ebb4e91..5ac77b6 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -193,6 +193,7 @@ static struct xtables_match statistic_match6 = {
.extra_opts = statistic_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&statistic_match);
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index f1030bb..5be14ef 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -356,6 +356,7 @@ static struct xtables_match string_match6 = {
.extra_opts = string_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&string_match);
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 3274f08..2026368 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -411,8 +411,8 @@ static struct xtables_match tcp_match6 = {
.extra_opts = tcp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&tcp_match);
xtables_register_match(&tcp_match6);
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index 7a026bf..36d445c 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -153,6 +153,7 @@ static struct xtables_match tcpmss_match6 = {
.extra_opts = tcpmss_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&tcpmss_match);
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index c39ab1a..3efc727 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -492,6 +492,7 @@ static struct xtables_match time_match6 = {
.extra_opts = time_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&time_match);
diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index 16a90ef..cd21560 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -182,6 +182,7 @@ static struct xtables_match tos_mt6_reg = {
.extra_opts = tos_mt_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&tos_mt_reg_v0);
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 251b2d4..1e79c57 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -296,6 +296,7 @@ static struct xtables_match u32_match6 = {
.extra_opts = u32_opts,
};
+void _init(void);
void _init(void)
{
xtables_register_match(&u32_match);
diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
index 4e83ae8..2ba781e 100644
--- a/extensions/libxt_udp.c
+++ b/extensions/libxt_udp.c
@@ -224,8 +224,8 @@ static struct xtables_match udp_match6 = {
.extra_opts = udp_opts,
};
-void
-_init(void)
+void _init(void);
+void _init(void)
{
xtables_register_match(&udp_match);
xtables_register_match(&udp_match6);
diff --git a/include/iptables.h b/include/iptables.h
index f39410c..7ce9080 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -24,8 +24,6 @@ extern int line;
extern void register_match(struct iptables_match *me);
extern void register_target(struct iptables_target *me);
-extern u_int16_t parse_protocol(const char *s);
-
extern int do_command(int argc, char *argv[], char **table,
iptc_handle_t *handle);
extern int delete_chain(const ipt_chainlabel chain, int verbose,
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 5069689..6e8a565 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -152,4 +152,6 @@ const char *ip6tc_strerror(int err);
/* Return prefix length, or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);
+extern void dump_entries6(const ip6tc_handle_t);
+
#endif /* _LIBIP6TC_H */
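Review bot: dump_entries6() is added to libip6tc.h with no comment, although the declaration this patch removes from ip6tables.c described it as extra debugging from libiptc. Carrying that comment over, and stating whether the function exists in every build of the library, would help anyone reading the header; the parameter name "handle" was also dropped from the prototype.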
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 30f5b7d..1f6f95d 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -159,6 +159,8 @@ int iptc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);
+extern void dump_entries(const iptc_handle_t);
+
#ifdef __cplusplus
}
#endif
diff --git a/include/xtables.h b/include/xtables.h
index 4b75e2c..f2bcb44 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -267,4 +267,7 @@ extern void save_string(const char *value);
# define _init __attribute__((constructor)) _INIT
#endif
+/* Present in both iptables.c and ip6tables.c */
+extern u_int16_t parse_protocol(const char *s);
+
#endif /* _XTABLES_H */
diff --git a/ip6tables-multi.h b/ip6tables-multi.h
new file mode 100644
index 0000000..551029a
--- /dev/null
+++ b/ip6tables-multi.h
@@ -0,0 +1,8 @@
+#ifndef _IP6TABLES_MULTI_H
+#define _IP6TABLES_MULTI_H 1
+
+extern int ip6tables_main(int, char **);
+extern int ip6tables_save_main(int, char **);
+extern int ip6tables_restore_main(int, char **);
+
+#endif /* _IP6TABLES_MULTI_H */
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 570bd51..e9cc0ff 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -18,6 +18,7 @@
#include "ip6tables.h"
#include "xtables.h"
#include "libiptc/libip6tc.h"
+#include "ip6tables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -55,7 +56,8 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
+static ip6tc_handle_t create_handle(const char *tablename,
+ const char *modprobe)
{
ip6tc_handle_t handle;
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c73d354..e7eade1 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -16,6 +16,7 @@
#include <arpa/inet.h>
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
+#include "ip6tables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index b7dfd17..4029c1f 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -35,6 +35,7 @@
#include <stdlib.h>
#include <errno.h>
#include <ip6tables.h>
+#include "ip6tables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/ip6tables.c b/ip6tables.c
index 4b517e5..e5602f7 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -41,6 +41,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include "ip6tables-multi.h"
#ifndef TRUE
#define TRUE 1
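Review bot: ip6tables.c gains an include of ip6tables-multi.h in this hunk, but the iptables.c changes in the same patch add no matching include of iptables-multi.h. If ip6tables.c defines none of the three *_main functions declared in that header, the include is unnecessary; if it does, the commit message should say why iptables.c is treated differently.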
@@ -186,9 +187,6 @@ static int inverse_for_options[NUMBER_OF_OPT] =
const char *program_version;
const char *program_name;
-/* Extra debugging from libiptc */
-extern void dump_entries6(const ip6tc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1140,7 +1138,7 @@ generate_entry(const struct ip6t_entry *fw,
return e;
}
-void clear_rule_matches(struct ip6tables_rule_match **matches)
+static void clear_rule_matches(struct ip6tables_rule_match **matches)
{
struct ip6tables_rule_match *matchp, *tmp;
diff --git a/iptables-multi.h b/iptables-multi.h
new file mode 100644
index 0000000..a9912b0
--- /dev/null
+++ b/iptables-multi.h
@@ -0,0 +1,9 @@
+#ifndef _IPTABLES_MULTI_H
+#define _IPTABLES_MULTI_H 1
+
+extern int iptables_main(int, char **);
+extern int iptables_save_main(int, char **);
+extern int iptables_restore_main(int, char **);
+extern int iptables_xml_main(int, char **);
+
+#endif /* _IPTABLES_MULTI_H */
diff --git a/iptables-restore.c b/iptables-restore.c
index 44263ce..b751d2c 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -15,6 +15,7 @@
#include "iptables.h"
#include "xtables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -54,7 +55,7 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-iptc_handle_t create_handle(const char *tablename, const char* modprobe )
+static iptc_handle_t create_handle(const char *tablename, const char *modprobe)
{
iptc_handle_t handle;
diff --git a/iptables-save.c b/iptables-save.c
index f82c8a7..c0c37ed 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -15,6 +15,7 @@
#include <netdb.h>
#include "libiptc/libiptc.h"
#include "iptables.h"
+#include "iptables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/iptables-standalone.c b/iptables-standalone.c
index e5c7841..55c7ce9 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -36,6 +36,7 @@
#include <errno.h>
#include <string.h>
#include <iptables.h>
+#include "iptables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/iptables-xml.c b/iptables-xml.c
index 94f2e39..d922efe 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -16,6 +16,7 @@
#include <stdarg.h>
#include "iptables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
diff --git a/iptables.c b/iptables.c
index 0363aba..b2a4b53 100644
--- a/iptables.c
+++ b/iptables.c
@@ -190,8 +190,6 @@ const char *program_name;
int kernel_version;
-extern void dump_entries(const iptc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1143,7 +1141,7 @@ generate_entry(const struct ipt_entry *fw,
return e;
}
-void clear_rule_matches(struct iptables_rule_match **matches)
+static void clear_rule_matches(struct iptables_rule_match **matches)
{
struct iptables_rule_match *matchp, *tmp;
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 113c250..e8f14fc 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1471,7 +1471,7 @@ TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
}
/* How many rules in this chain? */
-unsigned int
+static unsigned int
TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
{
struct chain_head *c;
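Review bot: Making TC_NUM_RULES static here (and TC_GET_RULE in the next hunk) changes the linkage of functions whose names follow the library's TC_ entry-point pattern, so any caller outside libiptc.c would stop linking. Please confirm that no header declares them and no other file calls them, and mention the dropped symbols in the commit message, which currently only speaks of warnings.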
@@ -1487,9 +1487,8 @@ TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
return c->num_rules;
}
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
+static const STRUCT_ENTRY *
+TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle)
{
struct chain_head *c;
struct rule_head *r;
@@ -1511,7 +1510,7 @@ const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
}
/* Returns a pointer to the target name of this position. */
-const char *standard_target_map(int verdict)
+static const char *standard_target_map(int verdict)
{
switch (verdict) {
case RETURN:
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-06 15:27 ` [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes) Jan Engelhardt
@ 2008-04-06 15:41 ` Patrick McHardy
2008-04-08 14:43 ` Jan Engelhardt
0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2008-04-06 15:41 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> --- a/extensions/libip6t_LOG.c
> +++ b/extensions/libip6t_LOG.c
> @@ -269,6 +269,7 @@ static struct ip6tables_target log_target6 = {
> .extra_opts = LOG_opts,
> };
>
> +void _init(void);
> void _init(void)
> {
> register_target6(&log_target6);
I don't like this very much. A global prototype or simply using
__attribute__ ((constructor)) and __attribute__ ((destructor))
would be preferred.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-06 15:41 ` Patrick McHardy
@ 2008-04-08 14:43 ` Jan Engelhardt
2008-04-08 15:30 ` Patrick McHardy
0 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-08 14:43 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Sunday 2008-04-06 17:41, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> --- a/extensions/libip6t_LOG.c
>> +++ b/extensions/libip6t_LOG.c
>> @@ -269,6 +269,7 @@ static struct ip6tables_target log_target6 = {
>> .extra_opts = LOG_opts,
>> };
>>
>> +void _init(void);
>> void _init(void)
>> {
>> register_target6(&log_target6);
>
> I don't like this very much.
But it is relatively error-safe.

> A global prototype

I remember why I did not do that... every .c file would have to
    #include "proto.h"
of some kind - is this really that badly needed? This would also
cause a needless recompilation of all modules if the list of
modules changed.

> or simply using __attribute__ ((constructor)) and
> __attribute__ ((destructor)) would be preferred.

Been there, done that, threw it out. Doing a CTOR with iptables-static
leads to a NULL deref because the ctors get run before any of the iptables
data structures are initialized.

Of course, one can always cook up more and more magic, i.e. test
for

    if (!initalized)
        run_init_first();

in a ctor (as well as main(), for consistency), but that's the least
thrilling thing to do IMO.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-08 14:43 ` Jan Engelhardt
@ 2008-04-08 15:30 ` Patrick McHardy
2008-04-08 16:14 ` Jan Engelhardt
0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2008-04-08 15:30 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Sunday 2008-04-06 17:41, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> --- a/extensions/libip6t_LOG.c
>>> +++ b/extensions/libip6t_LOG.c
>>> @@ -269,6 +269,7 @@ static struct ip6tables_target log_target6 = {
>>> .extra_opts = LOG_opts,
>>> };
>>>
>>> +void _init(void);
>>> void _init(void)
>>> {
>>> register_target6(&log_target6);
>> I don't like this very much.
>
> But it is relatively error-safe.
>
>> A global prototype
>
> I remember why I did not do that... every .c file would have to
> #include "proto.h"
> of some kind - is this really that badly needed? This would also
> cause a needless recompilation of all modules if the list of
> modules changed.
I meant something like:

include/x_tables.h:

    extern void _init(void);
    extern void _exit(void);

Actually this should really be defined by gcc in my opinion.
>> or simply using __attribute__ ((constructor)) and
>> __attribute__ ((destructor)) would be preferred.
>
> Been there, done that, threw it out. Doing a CTOR with iptables-static
> leads to a NULL deref because the ctors get run before any of the iptables
> data structures are initialized.
>
> Of course, one can always cook up more and more magic, i.e. test
> for
>
> if (!initalized)
> run_init_first();
>
> in a ctor (as well as main(), for consistency), but that's the least
> thrilling thing to do IMO.
Good point, that idea sucks :)
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-08 15:30 ` Patrick McHardy
@ 2008-04-08 16:14 ` Jan Engelhardt
0 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-08 16:14 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Tuesday 2008-04-08 17:30, Patrick McHardy wrote:
> I meant something like:
> include/x_tables.h:
>
> extern void _init(void);
> extern void _exit(void);
>
> Actually this should really be defined by gcc in my opinion.
man dlopen => says _init and _exit (in their original meaning) are obsolete.
Anyway, it's just a name. Patch below. Though include/xtables/internal.h
is just small, I plan on moving more defs in there soonish.
Rationale behind that is that external packages like Xtables-addons
really only need xtables.h and not the internal(.h) pieces. Okay?
===
commit 45679164d6bf17f0e66d6213796a02698ae42a28
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Mon Feb 11 00:54:00 2008 +0100
Fix all remaining warnings (missing declarations, missing prototypes)
---
configure.ac | 6 +-----
extensions/GNUmakefile.in | 2 ++
extensions/libip6t_policy.c | 5 -----
extensions/libipt_ULOG.c | 2 +-
include/iptables.h | 2 --
include/libiptc/libip6tc.h | 2 ++
include/libiptc/libiptc.h | 2 ++
include/xtables.h | 7 +++++++
include/xtables/internal.h | 6 ++++++
ip6tables-multi.h | 8 ++++++++
ip6tables-restore.c | 4 +++-
ip6tables-save.c | 1 +
ip6tables-standalone.c | 1 +
ip6tables.c | 6 ++----
iptables-multi.h | 9 +++++++++
iptables-restore.c | 3 ++-
iptables-save.c | 1 +
iptables-standalone.c | 1 +
iptables-xml.c | 1 +
iptables.c | 4 +---
libiptc/libiptc.c | 9 ++++-----
21 files changed, 55 insertions(+), 27 deletions(-)
create mode 100644 include/xtables/internal.h
create mode 100644 ip6tables-multi.h
create mode 100644 iptables-multi.h
diff --git a/configure.ac b/configure.ac
index 87fca6c..c816b2e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -41,13 +41,9 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
+regular_CFLAGS="$regular_CFLAGS -DXTABLES_INTERNAL"
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
-# Remove workarounds soon
-regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
- -Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter"
-
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
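Review bot: The removed workaround block also drops -Wno-aggregate-return and -Wno-unused-parameter, which the subject line (missing declarations, missing prototypes) does not cover; say in the commit message that those two go as well, or remove them in a separate patch. The new -DXTABLES_INTERNAL is appended to regular_CFLAGS without a comment, so a short note on what it switches on in xtables.h would help the next reader of configure.ac.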
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 4892409..cf094f2 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -143,6 +143,7 @@ initext4.c: .initext4.dd
for i in ${initext_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
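Review bot: echo -en in the added recipe line is not portable across the shells that may run this recipe; printf 'void init_extensions(void);\n' would write the same prototype regardless of shell. The surrounding echo -en and echo -e lines have the same dependency and could be converted together, and the same applies to the initext6.c hunk that follows.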
@@ -157,6 +158,7 @@ initext6.c: .initext6.dd
for i in ${initext6_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext6_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index f706f98..41e5c32 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -126,11 +126,6 @@ mask_to_numeric(const struct in6_addr *addrp)
return buf;
}
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-
-/* End duplicated code from ip6tables.c */
-
static int parse_direction(char *s)
{
if (strcmp(s, "in") == 0)
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 6fb2c66..31990a6 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -21,7 +21,7 @@
#include "../include/linux/netfilter_ipv4/ipt_ULOG.h"
-void print_groups(unsigned int gmask)
+static void print_groups(unsigned int gmask)
{
int b;
unsigned int test;
diff --git a/include/iptables.h b/include/iptables.h
index f39410c..7ce9080 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -24,8 +24,6 @@ extern int line;
extern void register_match(struct iptables_match *me);
extern void register_target(struct iptables_target *me);
-extern u_int16_t parse_protocol(const char *s);
-
extern int do_command(int argc, char *argv[], char **table,
iptc_handle_t *handle);
extern int delete_chain(const ipt_chainlabel chain, int verbose,
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 5069689..6e8a565 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -152,4 +152,6 @@ const char *ip6tc_strerror(int err);
/* Return prefix length, or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);
+extern void dump_entries6(const ip6tc_handle_t);
+
#endif /* _LIBIP6TC_H */
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 30f5b7d..1f6f95d 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -159,6 +159,8 @@ int iptc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);
+extern void dump_entries(const iptc_handle_t);
+
#ifdef __cplusplus
}
#endif
diff --git a/include/xtables.h b/include/xtables.h
index 4b75e2c..157f355 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -267,4 +267,11 @@ extern void save_string(const char *value);
# define _init __attribute__((constructor)) _INIT
#endif
+/* Present in both iptables.c and ip6tables.c */
+extern u_int16_t parse_protocol(const char *s);
+
+#ifdef XTABLES_INTERNAL
+# include <xtables/internal.h>
+#endif
+
#endif /* _XTABLES_H */
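Review bot: The include of xtables/internal.h is placed after the block that ends with "# define _init __attribute__((constructor)) _INIT", so in that configuration the "extern void _init(void);" in internal.h is rewritten by the macro instead of declaring a function named _init. If that is intended, a comment at the include should say so; if not, the declaration has to come before the define. The parse_protocol() comment could also state that the symbol is supplied by the program and not by a library.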
diff --git a/include/xtables/internal.h b/include/xtables/internal.h
new file mode 100644
index 0000000..3be72e3
--- /dev/null
+++ b/include/xtables/internal.h
@@ -0,0 +1,6 @@
+#ifndef _XTABLES_INTERNAL_H
+#define _XTABLES_INTERNAL_H 1
+
+extern void _init(void);
+
+#endif /* _XTABLES_INTERNAL_H */
diff --git a/ip6tables-multi.h b/ip6tables-multi.h
new file mode 100644
index 0000000..551029a
--- /dev/null
+++ b/ip6tables-multi.h
@@ -0,0 +1,8 @@
+#ifndef _IP6TABLES_MULTI_H
+#define _IP6TABLES_MULTI_H 1
+
+extern int ip6tables_main(int, char **);
+extern int ip6tables_save_main(int, char **);
+extern int ip6tables_restore_main(int, char **);
+
+#endif /* _IP6TABLES_MULTI_H */
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 570bd51..e9cc0ff 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -18,6 +18,7 @@
#include "ip6tables.h"
#include "xtables.h"
#include "libiptc/libip6tc.h"
+#include "ip6tables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -55,7 +56,8 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
+static ip6tc_handle_t create_handle(const char *tablename,
+ const char *modprobe)
{
ip6tc_handle_t handle;
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c73d354..e7eade1 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -16,6 +16,7 @@
#include <arpa/inet.h>
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
+#include "ip6tables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index b7dfd17..4029c1f 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -35,6 +35,7 @@
#include <stdlib.h>
#include <errno.h>
#include <ip6tables.h>
+#include "ip6tables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/ip6tables.c b/ip6tables.c
index 4b517e5..e5602f7 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -41,6 +41,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include "ip6tables-multi.h"
#ifndef TRUE
#define TRUE 1
@@ -186,9 +187,6 @@ static int inverse_for_options[NUMBER_OF_OPT] =
const char *program_version;
const char *program_name;
-/* Extra debugging from libiptc */
-extern void dump_entries6(const ip6tc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1140,7 +1138,7 @@ generate_entry(const struct ip6t_entry *fw,
return e;
}
-void clear_rule_matches(struct ip6tables_rule_match **matches)
+static void clear_rule_matches(struct ip6tables_rule_match **matches)
{
struct ip6tables_rule_match *matchp, *tmp;
diff --git a/iptables-multi.h b/iptables-multi.h
new file mode 100644
index 0000000..a9912b0
--- /dev/null
+++ b/iptables-multi.h
@@ -0,0 +1,9 @@
+#ifndef _IPTABLES_MULTI_H
+#define _IPTABLES_MULTI_H 1
+
+extern int iptables_main(int, char **);
+extern int iptables_save_main(int, char **);
+extern int iptables_restore_main(int, char **);
+extern int iptables_xml_main(int, char **);
+
+#endif /* _IPTABLES_MULTI_H */
diff --git a/iptables-restore.c b/iptables-restore.c
index 44263ce..b751d2c 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -15,6 +15,7 @@
#include "iptables.h"
#include "xtables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -54,7 +55,7 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-iptc_handle_t create_handle(const char *tablename, const char* modprobe )
+static iptc_handle_t create_handle(const char *tablename, const char *modprobe)
{
iptc_handle_t handle;
diff --git a/iptables-save.c b/iptables-save.c
index f82c8a7..c0c37ed 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -15,6 +15,7 @@
#include <netdb.h>
#include "libiptc/libiptc.h"
#include "iptables.h"
+#include "iptables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/iptables-standalone.c b/iptables-standalone.c
index e5c7841..55c7ce9 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -36,6 +36,7 @@
#include <errno.h>
#include <string.h>
#include <iptables.h>
+#include "iptables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/iptables-xml.c b/iptables-xml.c
index 94f2e39..d922efe 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -16,6 +16,7 @@
#include <stdarg.h>
#include "iptables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
diff --git a/iptables.c b/iptables.c
index 0363aba..b2a4b53 100644
--- a/iptables.c
+++ b/iptables.c
@@ -190,8 +190,6 @@ const char *program_name;
int kernel_version;
-extern void dump_entries(const iptc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1143,7 +1141,7 @@ generate_entry(const struct ipt_entry *fw,
return e;
}
-void clear_rule_matches(struct iptables_rule_match **matches)
+static void clear_rule_matches(struct iptables_rule_match **matches)
{
struct iptables_rule_match *matchp, *tmp;
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index fe6b09b..de8dc60 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1474,7 +1474,7 @@ TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
}
/* How many rules in this chain? */
-unsigned int
+static unsigned int
TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
{
struct chain_head *c;
@@ -1490,9 +1490,8 @@ TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
return c->num_rules;
}
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
+static const STRUCT_ENTRY *
+TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle)
{
struct chain_head *c;
struct rule_head *r;
@@ -1514,7 +1513,7 @@ const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
}
/* Returns a pointer to the target name of this position. */
-const char *standard_target_map(int verdict)
+static const char *standard_target_map(int verdict)
{
switch (verdict) {
case RETURN:
^ permalink raw reply related [flat|nested] 35+ messages in thread
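The constructor-ordering problem raised earlier in this thread (constructors in a static build run before main() has set up the program's data structures) together with the "if (!initialized)" guard mentioned as a workaround, as an added C illustration. It is not code from iptables or from either poster; every name in it (core, ext_a, register_guarded and so on) is hypothetical.

```c
/* Added illustration: constructor-time registration in a static build.
 * All names are hypothetical; this is not iptables code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ext {
    const char *name;
    struct ext *next;
};

/* Core state that main() would normally allocate before anything registers. */
struct registry {
    struct ext *head;
    unsigned int count;
};

static struct registry *core;   /* NULL until core_init() has run */
static int naive_rc = 1;        /* result of the unguarded attempt; 1 = not tried */

/* Idempotent setup, callable from a constructor and again from main(). */
static void core_init(void)
{
    if (core != NULL)
        return;
    core = calloc(1, sizeof(*core));
    if (core == NULL)
        abort();
}

static void link_ext(struct ext *e)
{
    e->next = core->head;
    core->head = e;
    core->count++;
}

/* What a plain constructor does: assume main() already set things up.
 * Without the NULL test, link_ext() would dereference a NULL core.
 * The demo reports that case as -1 so the program can continue. */
static int register_unguarded(struct ext *e)
{
    if (core == NULL)
        return -1;
    link_ext(e);
    return 0;
}

/* The guard from the thread: make sure the core exists, then register. */
static int register_guarded(struct ext *e)
{
    core_init();
    link_ext(e);
    return 0;
}

static struct ext ext_a = { "ext_a", NULL };
static struct ext ext_b = { "ext_b", NULL };

/* Runs before main(), as a statically linked extension's constructor would. */
static void __attribute__((constructor)) ext_ctor(void)
{
    naive_rc = register_unguarded(&ext_a);   /* core is still NULL here */
    if (naive_rc != 0)
        register_guarded(&ext_a);
    register_guarded(&ext_b);
}

static int naive_result(void)
{
    return naive_rc;
}

static unsigned int registered_count(void)
{
    return core != NULL ? core->count : 0;
}

static int is_registered(const char *name)
{
    const struct ext *e;

    for (e = core != NULL ? core->head : NULL; e != NULL; e = e->next)
        if (strcmp(e->name, name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    core_init();   /* no-op: the constructor already forced initialisation */
    printf("unguarded attempt in constructor: %d\n", naive_result());
    printf("extensions registered: %u\n", registered_count());
    printf("ext_a registered: %d\n", is_registered("ext_a"));
    return 0;
}
```

The guard works only if every entry point that touches the registry calls core_init() first, which is the extra bookkeeping the thread objects to.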
* [PATCH 07/24] Add support for xt_hashlimit match revision 1
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (4 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 06/24] Fix all remaining warnings (missing declarations, missing prototypes) Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 08/24] Update the libxt_owner manpage with the UID/GID-range feature Jan Engelhardt
` (17 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_hashlimit.c | 398 ++++++++++++++++++++++--
extensions/libxt_hashlimit.man | 86 ++++--
include/linux/netfilter/xt_hashlimit.h | 38 ++-
3 files changed, 458 insertions(+), 64 deletions(-)
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index a19ab8f..e430f93 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -10,7 +10,7 @@
*
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -45,6 +45,27 @@ static void hashlimit_help(void)
"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
}
+static void hashlimit_mt_help(void)
+{
+ printf(
+"hashlimit match options:\n"
+" --hashlimit-upto <avg> max average match rate\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+" --hashlimit-above <avg> min average match rate\n"
+" --hashlimit-mode <mode> mode is a comma-separated list of\n"
+" dstip,srcip,dstport,srcport (or none)\n"
+" --hashlimit-srcmask <length> source address grouping prefix length\n"
+" --hashlimit-dstmask <length> destination address grouping prefix length\n"
+" --hashlimit-name <name> name for /proc/net/ipt_hashlimit\n"
+" --hashlimit-burst <num> number to match in a burst, default %u\n"
+" --hashlimit-htable-size <num> number of hashtable buckets\n"
+" --hashlimit-htable-max <num> number of hashtable entries\n"
+" --hashlimit-htable-gcinterval interval between garbage collection runs\n"
+" --hashlimit-htable-expire after which time are idle entries expired?\n"
+"\n", XT_HASHLIMIT_BURST);
+}
+
static const struct option hashlimit_opts[] = {
{ "hashlimit", 1, NULL, '%' },
{ "hashlimit-burst", 1, NULL, '$' },
@@ -57,6 +78,22 @@ static const struct option hashlimit_opts[] = {
{ .name = NULL }
};
+static const struct option hashlimit_mt_opts[] = {
+ {.name = "hashlimit-upto", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-above", .has_arg = true, .val = '^'},
+ {.name = "hashlimit", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-srcmask", .has_arg = true, .val = '<'},
+ {.name = "hashlimit-dstmask", .has_arg = true, .val = '>'},
+ {.name = "hashlimit-burst", .has_arg = true, .val = '$'},
+ {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'},
+ {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'},
+ {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('},
+ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
+ {.name = "hashlimit-mode", .has_arg = true, .val = '_'},
+ {.name = "hashlimit-name", .has_arg = true, .val = '"'},
+ {},
+};
+
static
int parse_rate(const char *rate, u_int32_t *val)
{
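Review bot: the "{}," terminator at the end of hashlimit_mt_opts is an empty initializer, which is a GNU extension in C; the existing hashlimit_opts table just above ends with "{ .name = NULL }", and using the same form here keeps the file consistent and buildable with stricter compilers. Also, "hashlimit" and "hashlimit-upto" both map to '%', but only --hashlimit-upto appears in hashlimit_mt_help; a short comment marking "hashlimit" as the compatibility alias would help.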
@@ -98,15 +135,39 @@ static void hashlimit_init(struct xt_entry_match *m)
{
struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
+ r->cfg.mode = 0;
r->cfg.burst = XT_HASHLIMIT_BURST;
r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
r->cfg.expire = XT_HASHLIMIT_EXPIRE;
}
+static void hashlimit_mt4_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 32;
+ info->cfg.dstmask = 32;
+}
+
+static void hashlimit_mt6_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 128;
+ info->cfg.dstmask = 128;
+}
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
+static int parse_mode(uint32_t *mode, char *option_arg)
{
char *tok;
char *arg = strdup(option_arg);
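Review bot: hashlimit_mt4_init and hashlimit_mt6_init differ only in the 32 versus 128 mask default; a shared helper taking the mask width would remove the duplicated assignments, the same way hashlimit_mt_parse takes maxmask. parse_mode now takes "uint32_t *" while the field it points at is declared u_int32_t in hashlimit_cfg; pick one spelling, and include <stdint.h> if the C99 name stays and nothing else already pulls it in.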
@@ -114,19 +175,17 @@ static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
if (!arg)
return -1;
- r->cfg.mode = 0;
-
for (tok = strtok(arg, ",|");
tok;
tok = strtok(NULL, ",|")) {
if (!strcmp(tok, "dstip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DIP;
+ *mode |= XT_HASHLIMIT_HASH_DIP;
else if (!strcmp(tok, "srcip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SIP;
+ *mode |= XT_HASHLIMIT_HASH_SIP;
else if (!strcmp(tok, "srcport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SPT;
+ *mode |= XT_HASHLIMIT_HASH_SPT;
else if (!strcmp(tok, "dstport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DPT;
+ *mode |= XT_HASHLIMIT_HASH_DPT;
else {
free(arg);
return -1;
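Review bot: with "r->cfg.mode = 0;" removed, parse_mode only ORs bits into *mode and depends on the caller having cleared it, which the init functions now do. The comment above the function still reads "Parse a 'mode' parameter into the required bitmask"; say there that bits already set (such as XT_HASHLIMIT_INVERT from --hashlimit-above) are deliberately preserved, so a later cleanup does not reintroduce the reset.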
@@ -136,14 +195,18 @@ static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
return 0;
}
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
+enum {
+ PARAM_LIMIT = 1 << 0,
+ PARAM_BURST = 1 << 1,
+ PARAM_MODE = 1 << 2,
+ PARAM_NAME = 1 << 3,
+ PARAM_SIZE = 1 << 4,
+ PARAM_MAX = 1 << 5,
+ PARAM_GCINTERVAL = 1 << 6,
+ PARAM_EXPIRE = 1 << 7,
+ PARAM_SRCMASK = 1 << 8,
+ PARAM_DSTMASK = 1 << 9,
+};
/* Function which parses command options; returns true if it
ate an option */
@@ -224,7 +287,7 @@ hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
*flags & PARAM_MODE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (parse_mode(r, optarg) < 0)
+ if (parse_mode(&r->cfg.mode, optarg) < 0)
exit_error(PARAMETER_PROBLEM,
"bad --hashlimit-mode: `%s'\n", optarg);
*flags |= PARAM_MODE;
@@ -249,6 +312,146 @@ hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
return 1;
}
+static int
+hashlimit_mt_parse(struct xt_hashlimit_mtinfo1 *info, unsigned int *flags,
+ int c, int invert, unsigned int maxmask)
+{
+ unsigned int num;
+
+ switch(c) {
+ case '%': /* --hashlimit / --hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-upto",
+ *flags & PARAM_LIMIT);
+ if (invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-upto", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '^': /* --hashlimit-above == !--hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-above",
+ *flags & PARAM_LIMIT);
+ if (!invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-above", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '$': /* --hashlimit-burst */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
+ if (!strtonum(optarg, NULL, &num, 0, 10000))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-burst", optarg);
+ info->cfg.burst = num;
+ *flags |= PARAM_BURST;
+ return true;
+
+ case '&': /* --hashlimit-htable-size */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-size", optarg);
+ info->cfg.size = num;
+ *flags |= PARAM_SIZE;
+ return true;
+
+ case '*': /* --hashlimit-htable-max */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-max", optarg);
+ info->cfg.max = num;
+ *flags |= PARAM_MAX;
+ return true;
+
+ case '(': /* --hashlimit-htable-gcinterval */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-gcinterval", optarg);
+ /* FIXME: not HZ dependent!! */
+ info->cfg.gc_interval = num;
+ *flags |= PARAM_GCINTERVAL;
+ return true;
+
+ case ')': /* --hashlimit-htable-expire */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-expire", optarg);
+ /* FIXME: not HZ dependent */
+ info->cfg.expire = num;
+ *flags |= PARAM_EXPIRE;
+ return true;
+
+ case '_':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
+ if (parse_mode(&info->cfg.mode, optarg) < 0)
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-mode", optarg);
+ *flags |= PARAM_MODE;
+ return true;
+
+ case '"': /* --hashlimit-name */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
+ if (strlen(optarg) == 0)
+ exit_error(PARAMETER_PROBLEM, "Zero-length name?");
+ strncpy(info->name, optarg, sizeof(info->name));
+ info->name[sizeof(info->name)-1] = '\0';
+ *flags |= PARAM_NAME;
+ return true;
+
+ case '<': /* --hashlimit-srcmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-srcmask",
+ *flags & PARAM_SRCMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-srcmask", optarg);
+ info->cfg.srcmask = num;
+ *flags |= PARAM_SRCMASK;
+ return true;
+
+ case '>': /* --hashlimit-dstmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-dstmask",
+ *flags & PARAM_DSTMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-dstmask", optarg);
+ info->cfg.dstmask = num;
+ *flags |= PARAM_DSTMASK;
+ return true;
+ }
+ return false;
+}
+
+static int
+hashlimit_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 32);
+}
+
+static int
+hashlimit_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 128);
+}
+
/* Final check; nothing. */
static void hashlimit_check(unsigned int flags)
{
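Review bot: in hashlimit_mt_parse the invert argument is consulted only in the '%' and '^' cases, so a "!" in front of --hashlimit-burst, --hashlimit-mode, --hashlimit-name, the htable options or the mask options appears to be accepted and ignored; reject it explicitly in those cases. The case comments also name "--hashlimit-below", which is not in hashlimit_mt_opts (the option is --hashlimit-upto), the '_' case has no comment, and the function is declared int but returns true/false.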
@@ -263,6 +466,16 @@ static void hashlimit_check(unsigned int flags)
"You have to specify --hashlimit-name");
}
+static void hashlimit_mt_check(unsigned int flags)
+{
+ if (!(flags & PARAM_LIMIT))
+ exit_error(PARAMETER_PROBLEM, "You have to specify "
+ "--hashlimit-upto or --hashlimit-above");
+ if (!(flags & PARAM_NAME))
+ exit_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-name");
+}
+
static const struct rates
{
const char *name;
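Review bot: hashlimit_mt_check only requires a rate and a name; it does not flag --hashlimit-srcmask or --hashlimit-dstmask given without --hashlimit-mode, although the manpage in this patch describes the masks as applying "When --hashlimit-mode srcip is used". A test such as "(flags & (PARAM_SRCMASK | PARAM_DSTMASK)) && !(flags & PARAM_MODE)" would catch the plainest form of that mistake.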
@@ -285,29 +498,27 @@ static void print_rate(u_int32_t period)
printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
}
-static void print_mode(const struct xt_hashlimit_info *r, char separator)
+static void print_mode(unsigned int mode, char separator)
{
- int prevmode = 0;
+ bool prevmode = false;
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
- if (prevmode)
- putchar(separator);
+ if (mode & XT_HASHLIMIT_HASH_SIP) {
fputs("srcip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SPT) {
+ if (mode & XT_HASHLIMIT_HASH_SPT) {
if (prevmode)
putchar(separator);
fputs("srcport", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
+ if (mode & XT_HASHLIMIT_HASH_DIP) {
if (prevmode)
putchar(separator);
fputs("dstip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DPT) {
+ if (mode & XT_HASHLIMIT_HASH_DPT) {
if (prevmode)
putchar(separator);
fputs("dstport", stdout);
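Review bot: prevmode is now declared bool and initialised to false, but the three assignments visible in this hunk are still "prevmode = 1;"; use true so the conversion is complete. Dropping the separator test from the first (srcip) branch is fine, since nothing can precede it.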
@@ -324,7 +535,7 @@ static void hashlimit_print(const void *ip,
fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
printf("burst %u ", r->cfg.burst);
fputs("mode ", stdout);
- print_mode(r, '-');
+ print_mode(r->cfg.mode, '-');
if (r->cfg.size)
printf("htable-size %u ", r->cfg.size);
if (r->cfg.max)
@@ -335,6 +546,53 @@ static void hashlimit_print(const void *ip,
printf("htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("limit: above ", stdout);
+ else
+ fputs("limit: up to ", stdout);
+ print_rate(info->cfg.avg);
+ printf("burst %u ", info->cfg.burst);
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("mode ", stdout);
+ print_mode(info->cfg.mode, '-');
+ }
+ if (info->cfg.size != 0)
+ printf("htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("htable-gcinterval %u ", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 32);
+}
+
+static void
+hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 128);
+}
+
/* FIXME: Make minimalist: only print rate if not default --RR */
static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
{
@@ -346,7 +604,7 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
printf("--hashlimit-burst %u ", r->cfg.burst);
fputs("--hashlimit-mode ", stdout);
- print_mode(r, ',');
+ print_mode(r->cfg.mode, ',');
printf("--hashlimit-name %s ", r->name);
@@ -360,10 +618,61 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
printf("--hashlimit-htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("--hashlimit-above ", stdout);
+ else
+ fputs("--hashlimit-upto ", stdout);
+ print_rate(info->cfg.avg);
+ if (info->cfg.burst != XT_HASHLIMIT_BURST)
+ printf("--hashlimit-burst %u ", info->cfg.burst);
+
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("--hashlimit-mode ", stdout);
+ print_mode(info->cfg.mode, ',');
+ }
+
+ printf("--hashlimit-name %s ", info->name);
+
+ if (info->cfg.size != 0)
+ printf("--hashlimit-htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("--hashlimit-htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("--hashlimit-htable-gcinterval %u", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("--hashlimit-htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("--hashlimit-srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("--hashlimit-dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 32);
+}
+
+static void
+hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 128);
+}
+
static struct xtables_match hashlimit_match = {
.family = AF_INET,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
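Review bot: in hashlimit_mt_save the format string "--hashlimit-htable-gcinterval %u" has no trailing space, unlike every other option printed in this function, so the saved value runs straight into the next token (for example a following --hashlimit-htable-expire) and the rule will not parse when restored. Add the space.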
@@ -379,6 +688,7 @@ static struct xtables_match hashlimit_match6 = {
.family = AF_INET6,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
@@ -390,9 +700,43 @@ static struct xtables_match hashlimit_match6 = {
.extra_opts = hashlimit_opts,
};
+static struct xtables_match hashlimit_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt4_init,
+ .parse = hashlimit_mt4_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt4_print,
+ .save = hashlimit_mt4_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
+static struct xtables_match hashlimit_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt6_init,
+ .parse = hashlimit_mt6_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt6_print,
+ .save = hashlimit_mt6_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
void _init(void);
void _init(void)
{
xtables_register_match(&hashlimit_match);
xtables_register_match(&hashlimit_match6);
+ xtables_register_match(&hashlimit_mt_reg);
+ xtables_register_match(&hashlimit_mt6_reg);
}
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index c8128ec..e74aedf 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -1,35 +1,59 @@
-This patch adds a new match called 'hashlimit'.
-The idea is to have something like 'limit', but either per
-destination-ip or per (destip,destport) tuple.
-
-It gives you the ability to express
-.IP
- '1000 packets per second for every host in 192.168.0.0/16'
-.IP
- '100 packets per second for every service of 192.168.1.1'
-.P
-with a single iptables rule.
-.TP
-.BI "--hashlimit " "rate"
-A rate just like the limit match
-.TP
-.BI "--hashlimit-burst " "num"
-Burst value, just like limit match
-.TP
-.BI "--hashlimit-mode " "dstip,srcip,dstport,srcport"
-A comma-separated list of objects to take into consideration
-.TP
-.BI "--hashlimit-name " "foo"
-The name for the /proc/net/ipt_hashlimit/foo entry
-.TP
-.BI "--hashlimit-htable-size " "num"
+\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
+\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
+rule. Grouping can be done per-hostgroup (source and/or destination address)
+and/or per-port. It gives you the ability to express "\fIN\fR packets per time
+quantum per group":
+.TP
+matching on source host
+"1000 packets per second for every host in 192.168.0.0/16"
+.TP
+matching on source prot
+"100 packets per second for every service of 192.168.1.1"
+.TP
+matching on subnet
+"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
+.PP
+A hash limit option (\fB--hashlimit-upto\fR, \fB--hashlimit-above\fR) and
+\fB--hashlimit-name\fR are required.
+.TP
+\fB--hashlimit-upto\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
+a number, with an optional time quantum suffix; the default is 3/hour.
+.TP
+\fB--hashlimit-above\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is above \fIamount\fR/quantum.
+.TP
+\fB--hashlimit-burst\fR \fIamount\fR
+Maximum initial number of packets to match: this number gets recharged by one
+every time the limit specified above is not reached, up to this number; the
+default is 5.
+.TP
+\fB--hashlimit-mode\fR [\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR[\fB,\fR...]]
+A comma-separated list of objects to take into consideration. If no
+--hashlimit-mode option is given, hashlimit acts like limit, but at the
+expensive of doing the hash housekeeping.
+.TP
+\fB--hashlimit-srcmask\fR \fIprefix\fR
+When --hashlimit-mode srcip is used, all source addresses encountered will be
+grouped according to the given prefix length and the so-created subnet will be
+subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
+that --hashlimit-srcmask 0 is basically doing the same thing as not specifying
+srcip for --hashlimit-mode, but is technically more expensive.
+.TP
+\fB--hashlimit-dstmask\fR \fIprefix\fR
+Like --hashlimit-srcmask, but for destination addresses.
+.TP
+\fB--hashlimit-name\fR \fIfoo\fR
+The name for the /proc/net/ipt_hashlimit/foo entry.
+.TP
+\fB--hashlimit-htable-size\fR \fIbuckets\fR
The number of buckets of the hash table
.TP
-.BI "--hashlimit-htable-max " "num"
-Maximum entries in the hash
+\fB--hashlimit-htable-max\fR \fIentries\fR
+Maximum entries in the hash.
.TP
-.BI "--hashlimit-htable-expire " "num"
-After how many miliseconds do hash entries expire
+\fB--hashlimit-htable-expire\fR \fImsec\fR
+After how many miliseconds do hash entries expire.
.TP
-.BI "--hashlimit-htable-gcinterval " "num"
-How many miliseconds between garbage collection intervals
+\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
+How many miliseconds between garbage collection intervals.
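Review bot: the --hashlimit-srcmask text says the prefix "must be between (inclusive) 0 and 32", but hashlimit_mt6_parse in this patch passes 128 as the upper bound and hashlimit_mt6_init defaults both masks to 128, so the IPv6 range needs to be stated as well. The --hashlimit-upto entry gives "the default is 3/hour" while hashlimit_mt_check makes a rate option mandatory; one of the two should change. Typos to fix while here: "source prot", "at the expensive of", "miliseconds".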
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index b4556b8..51b18d8 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
-#define XT_HASHLIMIT_HASH_DIP 0x0001
-#define XT_HASHLIMIT_HASH_DPT 0x0002
-#define XT_HASHLIMIT_HASH_SIP 0x0004
-#define XT_HASHLIMIT_HASH_SPT 0x0008
+enum {
+ XT_HASHLIMIT_HASH_DIP = 1 << 0,
+ XT_HASHLIMIT_HASH_DPT = 1 << 1,
+ XT_HASHLIMIT_HASH_SIP = 1 << 2,
+ XT_HASHLIMIT_HASH_SPT = 1 << 3,
+ XT_HASHLIMIT_INVERT = 1 << 4,
+};
struct hashlimit_cfg {
- u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
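Review bot: XT_HASHLIMIT_INVERT is stored in mode alongside the hash bits, but the field comment still says "bitmask of XT_HASHLIMIT_HASH_*"; mention the invert bit there. Converting the four #defines to an enum also means "#ifdef XT_HASHLIMIT_HASH_DIP" style tests in other code no longer see them, which deserves a line in the commit message.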
@@ -29,12 +32,35 @@ struct hashlimit_cfg {
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
- struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
union {
void *ptr;
struct xt_hashlimit_info *master;
} u;
};
+
+struct hashlimit_cfg1 {
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+
+ u_int8_t srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+ char name[IFNAMSIZ];
+ struct hashlimit_cfg1 cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
#endif /*_XT_HASHLIMIT_H*/
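Review bot: hashlimit_cfg1 ends with two u_int8_t members after seven u_int32_t fields, so the struct carries implicit padding after dstmask, and ".userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo)" covers those bytes. The init functions set fields one by one, so either state that the match buffer is zeroed before init is called or make the padding explicit with a reserved member. The commit also has no message body; a sentence on what revision 1 adds over revision 0 (the masks and --hashlimit-above) belongs there.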
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 08/24] Update the libxt_owner manpage with the UID/GID-range feature
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (5 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 07/24] Add support for xt_hashlimit match revision 1 Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 16:31 ` Patrick McHardy
2008-04-06 15:27 ` [PATCH 09/24] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR Jan Engelhardt
` (16 subsequent siblings)
23 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_owner.man | 15 +++++++++------
1 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man
index add2369..344ce2e 100644
--- a/extensions/libxt_owner.man
+++ b/extensions/libxt_owner.man
@@ -3,14 +3,17 @@ for locally generated packets. This match is only valid in the OUTPUT and
POSTROUTING chains. Forwarded packets do not have any socket associated with
them. Packets from kernel threads do have a socket, but usually no owner.
.TP
-\fB--uid-owner\fR \fIuserid\fR
+\fB--uid-owner\fR \fIusername\fR
+.TP
+\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
Matches if the packet socket's file structure (if it has one) is owned by the
-given user ID. A user name may be specified in place of \fIuserid\fR, in which
-case iptables will try to look it up.
+given user. You may also specify a numerical UID, or an UID range.
+.TP
+\fB--gid-owner\fR \fIgroupname\fR
.TP
-\fB--gid-owner\fR \fIgroupid\fR
-Matches if the packet socket's file structure is owned by the given group ID.
-A group name may be specified in place of \fIgroupid\fR.
+\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+Matches if the packet socket's file structure is owned by the given group.
+You may also specify a numerical GID, or a GID range.
.TP
\fB--socket-exists\fR
Matches if the packet is associated with a socket.
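Review bot: "an UID range" should read "a UID range", matching "a GID range" in the --gid-owner entry. The new text drops the old statement that iptables will look a name up, and does not say whether both ends of userid-userid are inclusive; one sentence covering each would make the syntax unambiguous. Each option now has a .TP tag with no body directly followed by a second .TP, so check how that renders.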
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 09/24] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (6 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 08/24] Update the libxt_owner manpage with the UID/GID-range feature Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 10/24] Fixed incorrect call to find_match on loading a target Jan Engelhardt
` (15 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
iptables and ip6tables will now recognize the XTABLES_LIBDIR environment
variable for extensions to look in before going to the (old) IPT_LIB_DIR
or IP6T_LIB_DIR (depending on program!) or the default location (/usr..).
XTABLES_LIBDIR can also take multiple directories (like PATH, separated
by colon).
---
configure.ac | 12 +++---
extensions/GNUmakefile.in | 6 +-
include/ip6tables.h | 4 --
include/iptables.h | 4 --
include/xtables.h | 4 --
ip6tables-restore.c | 11 +++-
ip6tables-save.c | 11 +++-
ip6tables-standalone.c | 11 +++-
iptables-restore.c | 11 +++-
iptables-save.c | 11 +++-
iptables-standalone.c | 11 +++-
libiptc/libiptc.c | 4 --
xtables.c | 86 ++++++++++++++++++------------------
13 files changed, 100 insertions(+), 86 deletions(-)
diff --git a/configure.ac b/configure.ac
index 29f54dc..79775ad 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,11 +22,11 @@ AC_ARG_WITH([ksource],
AS_HELP_STRING([--with-ksource=PATH],
[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
[ksourcedir="$withval"])
-AC_ARG_WITH([iptdir],
- AS_HELP_STRING([--with-iptdir=PATH],
+AC_ARG_WITH([xtlibdir],
+ AS_HELP_STRING([--with-xtlibdir=PATH],
[Path to iptables modules [[LIBEXECDIR/iptables]]]),
- [iptdir="$withval"],
- [iptdir="${libexecdir}/iptables"])
+ [xtlibdir="$withval"],
+ [xtlibdir="${libexecdir}/iptables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
[Build and install development files (libipq, libipq-devel, iptables-devel)]))
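Review bot: --with-iptdir is renamed to --with-xtlibdir with no compatibility alias, so packaging scripts that still pass --with-iptdir=PATH will stop setting the module directory. Either keep the old option as a deprecated alias or call the rename out in the commit message, which currently describes only the environment variable.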
@@ -40,11 +40,11 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
- -DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
+ -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
-AC_SUBST([iptdir])
+AC_SUBST([xtlibdir])
AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index cf094f2..ee20469 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -7,7 +7,7 @@ prefix := @prefix@
exec_prefix := @exec_prefix@
libdir := @libdir@
libexecdir := @libexecdir@
-iptdir := @iptdir@
+xtlibdir := @xtlibdir@
CC := @CC@
CCLD := ${CC}
@@ -82,8 +82,8 @@ targets_install :=
all: ${targets}
install: ${targets_install}
- @mkdir -p "${DESTDIR}${iptdir}";
- install -pm0755 $^ "${DESTDIR}${iptdir}/";
+ @mkdir -p "${DESTDIR}${xtlibdir}";
+ install -pm0755 $^ "${DESTDIR}${xtlibdir}/";
clean:
rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
diff --git a/include/ip6tables.h b/include/ip6tables.h
index 4a511b7..e1539eb 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -5,10 +5,6 @@
#include "libiptc/libip6tc.h"
-#ifndef IP6T_LIB_DIR
-#define IP6T_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IP6T_SO_GET_REVISION_MATCH 68
#define IP6T_SO_GET_REVISION_TARGET 69
diff --git a/include/iptables.h b/include/iptables.h
index 7ce9080..094c64e 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -4,10 +4,6 @@
#include "xtables.h"
#include "libiptc/libiptc.h"
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
diff --git a/include/xtables.h b/include/xtables.h
index f2bcb44..408d199 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -7,10 +7,6 @@
#include <libiptc/libxtc.h>
#include <stdbool.h>
-#ifndef XT_LIB_DIR
-#define XT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index e9cc0ff..2c3e95d 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -131,9 +131,14 @@ int main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
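Review bot: this XTABLES_LIBDIR, legacy variable, compiled default sequence is repeated verbatim in all six main() functions touched by the patch, differing only in the legacy variable name; a single helper in xtables.c taking that name would keep the lookup order in one place. The deprecation message is also printed on every invocation without a program name prefix, which is noisy for scripts that call ip6tables-restore repeatedly.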
diff --git a/ip6tables-save.c b/ip6tables-save.c
index e7eade1..e440887 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -332,9 +332,14 @@ int main(int argc, char *argv[])
program_name = "ip6tables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 4029c1f..1bb81bc 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -52,9 +52,14 @@ main(int argc, char *argv[])
program_name = "ip6tables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-restore.c b/iptables-restore.c
index b751d2c..f556fa5 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -132,9 +132,14 @@ main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-save.c b/iptables-save.c
index c0c37ed..1ce2090 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -357,9 +357,14 @@ main(int argc, char *argv[])
program_name = "iptables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 55c7ce9..369adaf 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -53,9 +53,14 @@ main(int argc, char *argv[])
program_name = "iptables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index e8f14fc..ca95748 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -46,10 +46,6 @@
#define debug(x, args...)
#endif
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
static int sockfd = -1;
static int sockfd_use = 0;
static void *iptc_fn = NULL;
diff --git a/xtables.c b/xtables.c
index 89863d7..0405e3e 100644
--- a/xtables.c
+++ b/xtables.c
@@ -305,12 +305,50 @@ void parse_interface(const char *arg, char *vianame, unsigned char *mask)
}
}
+static void *load_extension(const char *search_path, const char *prefix,
+ const char *name)
+{
+ const char *dir = search_path, *next;
+ void *ptr = NULL;
+ struct stat sb;
+ char path[256];
+
+ do {
+ next = strchr(dir, ':');
+ if (next == NULL)
+ next = dir + strlen(dir);
+ snprintf(path, sizeof(path), "%.*s/libxt_%s.so",
+ next - dir, dir, name);
+
+ if (dlopen(path, RTLD_NOW) != NULL)
+ /* Found library. If it didn't register itself,
+ maybe they specified target as match. */
+ ptr = find_match(name, DONT_LOAD, NULL);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
+
+ if (ptr != NULL)
+ return ptr;
+
+ snprintf(path, sizeof(path), "%.*s/%s%s.so",
+ next - dir, dir, prefix, name);
+ if (dlopen(path, RTLD_NOW) != NULL)
+ ptr = find_match(name, DONT_LOAD, NULL);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
+
+ if (ptr != NULL)
+ return ptr;
+
+ dir = next + 1;
+ } while (*next != '\0');
+
+ return NULL;
+}
+
struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_rule_match **matches)
{
-#ifndef NO_SHARED_LIBS
- struct stat sb;
-#endif
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
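Review bot: load_extension() only ever calls `find_match(name, DONT_LOAD, NULL)`, yet this patch also routes find_target() through it, so a freshly loaded target is looked up in the match list and the `void *` return type hides the mismatch from the compiler; the is_target fix from 10/24 belongs in this patch so that every commit in the series loads targets correctly. Both `snprintf(path, sizeof(path), ...)` calls also ignore the return value, so a search-path element plus name that does not fit `char path[256]` is silently truncated and the truncated path goes to dlopen(); compare the result against sizeof(path) and skip the element on overflow. Finally, `next - dir` is a ptrdiff_t while `%.*s` expects an int, so it needs an `(int)` cast, and an empty element (leading, trailing or doubled ':') expands to a path directly under "/", which is better skipped.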
@@ -343,25 +381,7 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- char path[strlen(lib_dir) + sizeof("/.so")
- + strlen(afinfo.libprefix) + strlen(name)];
-
- sprintf(path, "%s/libxt_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- /* Found library. If it didn't register itself,
- maybe they specified target as match. */
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
-
- if (ptr == NULL) {
- sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
- name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
- }
+ ptr = load_extension(lib_dir, afinfo.libprefix, name);
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
@@ -403,9 +423,6 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
{
-#ifndef NO_SHARED_LIBS
- struct stat sb;
-#endif
struct xtables_target *ptr;
/* Standard target? */
@@ -423,25 +440,8 @@ struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- char path[strlen(lib_dir) + sizeof("/.so")
- + strlen(afinfo.libprefix) + strlen(name)];
-
- sprintf(path, "%s/libxt_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- /* Found library. If it didn't register itself,
- maybe they specified match as a target. */
- ptr = find_target(name, DONT_LOAD);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
+ ptr = load_extension(lib_dir, afinfo.libprefix, name);
- if (ptr == NULL) {
- sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
- name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_target(name, DONT_LOAD);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
- }
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
"Couldn't load target `%s':%s\n",
--
1.5.5.rc3
* [PATCH 10/24] Fixed incorrect call to find_match on loading a target
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (7 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 09/24] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 11/24] Move libipt_recent to libxt_recent Jan Engelhardt
` (14 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
xtables.c | 26 +++++++++++++++++---------
1 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/xtables.c b/xtables.c
index 0405e3e..b26b416 100644
--- a/xtables.c
+++ b/xtables.c
@@ -306,7 +306,7 @@ void parse_interface(const char *arg, char *vianame, unsigned char *mask)
}
static void *load_extension(const char *search_path, const char *prefix,
- const char *name)
+ const char *name, bool is_target)
{
const char *dir = search_path, *next;
void *ptr = NULL;
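Review bot: `bool is_target` in the new load_extension() signature needs <stdbool.h>, and this patch adds no include, so please confirm xtables.c already pulls it in. A bare boolean also leaves the call sites reading `..., true)` and `..., false)`; two thin typed wrappers (one returning `struct xtables_match *`, one returning `struct xtables_target *`) would be self-describing and would let the compiler catch the kind of mix-up this patch fixes.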
@@ -320,22 +320,30 @@ static void *load_extension(const char *search_path, const char *prefix,
snprintf(path, sizeof(path), "%.*s/libxt_%s.so",
next - dir, dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
+ if (dlopen(path, RTLD_NOW) != NULL) {
/* Found library. If it didn't register itself,
maybe they specified target as match. */
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
+ if (is_target)
+ ptr = find_target(name, DONT_LOAD);
+ else
+ ptr = find_match(name, DONT_LOAD, NULL);
+ } else if (stat(path, &sb) == 0) {
fprintf(stderr, "%s: %s\n", path, dlerror());
+ }
if (ptr != NULL)
return ptr;
snprintf(path, sizeof(path), "%.*s/%s%s.so",
next - dir, dir, prefix, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
+ if (dlopen(path, RTLD_NOW) != NULL) {
+ if (is_target)
+ ptr = find_target(name, DONT_LOAD);
+ else
+ ptr = find_match(name, DONT_LOAD, NULL);
+ } else if (stat(path, &sb) == 0) {
fprintf(stderr, "%s: %s\n", path, dlerror());
+ }
if (ptr != NULL)
return ptr;
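Review bot: the comment kept above the first lookup, "maybe they specified target as match", now describes only the `else` arm; when is_target is true the situation is the reverse, so it should be reworded to cover both. The libxt_ attempt and the prefix attempt have also become two identical blocks, and a helper that takes the finished path plus is_target would remove the duplication and leave one place to change next time.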
@@ -381,7 +389,7 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- ptr = load_extension(lib_dir, afinfo.libprefix, name);
+ ptr = load_extension(lib_dir, afinfo.libprefix, name, false);
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
@@ -440,7 +448,7 @@ struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- ptr = load_extension(lib_dir, afinfo.libprefix, name);
+ ptr = load_extension(lib_dir, afinfo.libprefix, name, true);
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
--
1.5.5.rc3
* [PATCH 11/24] Move libipt_recent to libxt_recent
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (8 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 10/24] Fixed incorrect call to find_match on loading a target Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 12/24] Add IPv6 support " Jan Engelhardt
` (13 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/{libipt_recent.c => libxt_recent.c} | 122 ++++++------
extensions/{libipt_recent.man => libxt_recent.man} | 2 +-
include/linux/netfilter/xt_recent.h | 26 +++
include/linux/netfilter_ipv4/ipt_recent.h | 27 ---
4 files changed, 88 insertions(+), 89 deletions(-)
rename extensions/{libipt_recent.c => libxt_recent.c} (67%)
rename extensions/{libipt_recent.man => libxt_recent.man} (99%)
create mode 100644 include/linux/netfilter/xt_recent.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h
diff --git a/extensions/libipt_recent.c b/extensions/libxt_recent.c
similarity index 67%
rename from extensions/libipt_recent.c
rename to extensions/libxt_recent.c
index d82b026..5b26015 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libxt_recent.c
@@ -5,28 +5,15 @@
#include <stdlib.h>
#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
-
-/* Need these in order to not fail when compiling against an older kernel. */
-#ifndef RECENT_NAME
-#define RECENT_NAME "ipt_recent"
-#endif /* RECENT_NAME */
-
-#ifndef RECENT_VER
-#define RECENT_VER "unknown"
-#endif /* RECENT_VER */
-
-#ifndef IPT_RECENT_NAME_LEN
-#define IPT_RECENT_NAME_LEN 200
-#endif /* IPT_RECENT_NAME_LEN */
+#include <xtables.h>
+#include <linux/netfilter/xt_recent.h>
/* Options for this module */
static const struct option recent_opts[] = {
- { .name = "set", .has_arg = 0, .val = 201 },
- { .name = "rcheck", .has_arg = 0, .val = 202 },
+ { .name = "set", .has_arg = 0, .val = 201 },
+ { .name = "rcheck", .has_arg = 0, .val = 202 },
{ .name = "update", .has_arg = 0, .val = 203 },
- { .name = "seconds", .has_arg = 1, .val = 204 },
+ { .name = "seconds", .has_arg = 1, .val = 204 },
{ .name = "hitcount", .has_arg = 1, .val = 205 },
{ .name = "remove", .has_arg = 0, .val = 206 },
{ .name = "rttl", .has_arg = 0, .val = 207 },
@@ -40,7 +27,7 @@ static const struct option recent_opts[] = {
static void recent_help(void)
{
printf(
-"recent v%s options:\n"
+"\"recent\" match options:\n"
"[!] --set Add source address to list, always matches.\n"
"[!] --rcheck Match if source address in list.\n"
"[!] --update Match if source address in list, also update last-seen time.\n"
@@ -59,23 +46,20 @@ static void recent_help(void)
" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
" --rdest Match/Save the destination address of each packet in the recent list table.\n"
-RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
-,
-IPTABLES_VERSION);
-
+"ipt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
+);
}
-
+
/* Initialize the match. */
static void recent_init(struct xt_entry_match *match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
-
+ struct xt_recent_mtinfo *info = (void *)(match)->data;
- strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
- /* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
+ strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
+ /* even though XT_RECENT_NAME_LEN is currently defined as 200,
* better be safe, than sorry */
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- info->side = IPT_RECENT_SOURCE;
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ info->side = XT_RECENT_SOURCE;
}
/* Function which parses command options; returns true if it
@@ -83,24 +67,25 @@ static void recent_init(struct xt_entry_match *match)
static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
+ struct xt_recent_mtinfo *info = (void *)(*match)->data;
+
switch (c) {
case 201:
if (*flags) exit_error(PARAMETER_PROBLEM,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_SET;
+ info->check_set |= XT_RECENT_SET;
if (invert) info->invert = 1;
*flags = 1;
break;
-
+
case 202:
if (*flags) exit_error(PARAMETER_PROBLEM,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_CHECK;
+ info->check_set |= XT_RECENT_CHECK;
if(invert) info->invert = 1;
*flags = 1;
break;
@@ -110,7 +95,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_UPDATE;
+ info->check_set |= XT_RECENT_UPDATE;
if (invert) info->invert = 1;
*flags = 1;
break;
@@ -120,7 +105,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_REMOVE;
+ info->check_set |= XT_RECENT_REMOVE;
if (invert) info->invert = 1;
*flags = 1;
break;
@@ -134,20 +119,20 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case 207:
- info->check_set |= IPT_RECENT_TTL;
+ info->check_set |= XT_RECENT_TTL;
break;
case 208:
- strncpy(info->name,optarg,IPT_RECENT_NAME_LEN);
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
+ strncpy(info->name,optarg, XT_RECENT_NAME_LEN);
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
break;
case 209:
- info->side = IPT_RECENT_SOURCE;
+ info->side = XT_RECENT_SOURCE;
break;
case 210:
- info->side = IPT_RECENT_DEST;
+ info->side = XT_RECENT_DEST;
break;
default:
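Review bot: in `case 208` the `--name` argument is copied with `strncpy(info->name,optarg, XT_RECENT_NAME_LEN)` and then cut at XT_RECENT_NAME_LEN-1, so an over-long name is silently truncated and two distinct names that share a long prefix end up selecting the same list. Since these lines are being touched anyway, reject the option with exit_error(PARAMETER_PROBLEM, ...) when strlen(optarg) is not below XT_RECENT_NAME_LEN.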
@@ -171,50 +156,65 @@ static void recent_check(unsigned int flags)
static void recent_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
if (info->invert)
fputc('!', stdout);
printf("recent: ");
- if(info->check_set & IPT_RECENT_SET) printf("SET ");
- if(info->check_set & IPT_RECENT_CHECK) printf("CHECK ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("SET ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("CHECK ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("UPDATE ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("REMOVE ");
if(info->seconds) printf("seconds: %d ",info->seconds);
if(info->hit_count) printf("hit_count: %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match ");
+ if (info->check_set & XT_RECENT_TTL)
+ printf("TTL-Match ");
if(info->name) printf("name: %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("side: source ");
- if(info->side == IPT_RECENT_DEST) printf("side: dest");
+ if (info->side == XT_RECENT_SOURCE)
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest");
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
static void recent_save(const void *ip, const struct xt_entry_match *match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
if (info->invert)
printf("! ");
- if(info->check_set & IPT_RECENT_SET) printf("--set ");
- if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("--set ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("--rcheck ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("--update ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("--remove ");
if(info->seconds) printf("--seconds %d ",info->seconds);
if(info->hit_count) printf("--hitcount %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
+ if (info->check_set & XT_RECENT_TTL)
+ printf("--rttl ");
if(info->name) printf("--name %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
- if(info->side == IPT_RECENT_DEST) printf("--rdest ");
+ if (info->side == XT_RECENT_SOURCE)
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
}
/* Structure for iptables to use to communicate with module */
-static struct iptables_match recent_match = {
+static struct xtables_match recent_match = {
.name = "recent",
.version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_recent_info)),
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
.help = recent_help,
.init = recent_init,
.parse = recent_parse,
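Review bot: recent_print() and recent_save() keep `if(info->name)` in the untouched context lines, which tests an array member and is therefore always true; test `info->name[0]` or drop the condition. `seconds` and `hit_count` are u_int32_t but are printed with `%d`, where `%u` matches the type. recent_save() also emits `--name %s` unquoted, so it is worth checking that a name containing whitespace survives a save and restore round trip. The partial reformatting leaves `if (` on the changed lines next to `if(` on the others; settle on one style in a single pass.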
@@ -227,5 +227,5 @@ static struct iptables_match recent_match = {
void _init(void);
void _init(void)
{
- register_match(&recent_match);
+ xtables_register_match(&recent_match);
}
diff --git a/extensions/libipt_recent.man b/extensions/libxt_recent.man
similarity index 99%
rename from extensions/libipt_recent.man
rename to extensions/libxt_recent.man
index bf5d710..25be677 100644
--- a/extensions/libipt_recent.man
+++ b/extensions/libxt_recent.man
@@ -60,7 +60,7 @@ Examples:
Official website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-/proc/net/ipt_recent/* are the current lists of addresses and information
+/proc/net/ipt_recent/* are the current lists of addresses and information
about each entry of each list.
Each file in /proc/net/ipt_recent/ can be read from to see the current list
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 0000000..5cfeb81
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
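Review bot: xt_recent.h uses `u_int32_t` and `u_int8_t` in struct xt_recent_mtinfo without including anything that defines them, so it compiles only when the includer has already pulled in a suitable types header; the header should include what it needs. The single anonymous enum also mixes three unrelated groups (the check_set flag bits, the `side` values 0 and 1, and the name length); separate enums, or a comment per group, would make it clear that XT_RECENT_DEST = 1 is not a check_set bit even though it shares a value with XT_RECENT_CHECK.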
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
deleted file mode 100644
index 6508a45..0000000
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
-
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
-
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
-
-#define IPT_RECENT_NAME_LEN 200
-
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
-};
-
-#endif /*_IPT_RECENT_H*/
--
1.5.5.rc3
* [PATCH 12/24] Add IPv6 support to libxt_recent
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (9 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 11/24] Move libipt_recent to libxt_recent Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 13/24] Add all necessary header files - compilation fix for various cases Jan Engelhardt
` (12 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_recent.c | 17 +++++
extensions/libxt_recent.man | 119 +++++++++++++++++------------------
2 files changed, 76 insertions(+), 60 deletions(-)
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 5b26015..5b0112f 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -224,8 +224,25 @@ static struct xtables_match recent_match = {
.extra_opts = recent_opts,
};
+static struct xtables_match recent_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
void _init(void);
void _init(void)
{
xtables_register_match(&recent_match);
+ xtables_register_match(&recent_mt6_reg);
}
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 25be677..f0dc3f4 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -1,93 +1,92 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
+Allows you to dynamically create a list of IP addresses and then match against
+that list in a few different ways.
+.PP
+For example, you can create a "badguy" list out of people attempting to connect
+to port 139 on your firewall and then DROP all future packets from them without
+considering them.
.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
+\fB--name\fR \fIname\fR
+Specify the list to use for the commands. If no name is given then
+\fBDEFAULT\fR will be used.
.TP
[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
+This will add the source address of the packet to the list. If the source
+address is already in the list, this will update the existing entry. This will
+always return success (or failure if \fB!\fR is passed in).
.TP
[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
+Check if the source address of the packet is currently in the list.
.TP
[\fB!\fR] \fB--update\fR
Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
+Check if the source address of the packet is currently in the list and if so
+that address will be removed from the list and the rule will return true. If
+the address is not found, false is returned.
.TP
[\fB!\fR] \fB--seconds \fIseconds\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and was seen within the last given number of seconds.
.TP
[\fB!\fR] \fB--hitcount \fIhits\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and packets had been received greater than or equal to
+the given value. This option may be used along with \fB--seconds\fR to create
+an even narrower match requiring a certain number of hits within a specific
+time frame.
.TP
\fB--rttl\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and the TTL of the current packet matches that of the
+packet which hit the \fB--set\fR rule. This may be useful if you have problems
+with people faking their source address in order to DoS you via this module by
+disallowing others access to your site by sending bogus packets to you.
+.PP
Examples:
.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
+iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+.IP
+iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.PP
+Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
+.PP
+\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information
about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
+.PP
+Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current
+list or written two using the following commands to modify the list:
.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
+\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to add \fIaddr\fR to the DEFAULT list
.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
+\fBecho -\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to remove \fIaddr\fR from the DEFAULT list
.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
+\fBecho / >/proc/net/xt_recent/DEFAULT\fR
+to flush the DEFAULT list (remove all entries).
+.PP
The module itself accepts parameters, defaults shown:
.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
+\fBip_list_tot\fR=\fI100\fR
+Number of addresses remembered per table.
+.TP
+\fBip_pkt_list_tot\fR=\fI20\fR
+Number of packets per address remembered.
.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
+\fBip_list_hash_size\fR=\fI0\fR
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+\fBip_list_perms\fR=\fI0644\fR
+Permissions for /proc/net/xt_recent/* files.
.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
+\fBip_list_uid\fR=\fI0\fR
+Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
+\fBip_list_gid\fR=\fI0\fR
+Numerical GID for ownership of /proc/net/xt_recent/* files.
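Review bot: the rewritten sentence "can be read from to see the current list or written two using the following commands" carries the old typo forward; "written two" should be "written to". The page now documents only /proc/net/xt_recent/, the `+addr`, `-addr` and `/` write syntax and the new ip_list_uid and ip_list_gid parameters, and drops the debug parameter, without saying which kernel versions provide this interface; one sentence on that would help users on a kernel that still ships ipt_recent. The patch has no description either, and the documentation change is larger than the subject line suggests.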
--
1.5.5.rc3
* [PATCH 13/24] Add all necessary header files - compilation fix for various cases
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (10 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 12/24] Add IPv6 support " Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 14/24] configure: split --enable-libipq from --enable-devel Jan Engelhardt
` (11 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Allow iptables to compile without a kernel source tree. This
implies fixing build for older kernels, such as 2.6.17 which
lack xt_SECMARK.h.
---
Makefile.am | 2 +-
configure.ac | 10 +-
include/linux/compiler.h | 179 +++++++++++++++++++++
include/linux/netfilter.h | 2 +
include/linux/netfilter/xt_SECMARK.h | 26 +++
include/linux/netfilter_ipv4/ipt_DSCP.h | 18 ++
include/linux/netfilter_ipv4/ipt_LOG.h | 18 ++
include/linux/netfilter_ipv4/ipt_REJECT.h | 20 +++
include/linux/netfilter_ipv4/ipt_TOS.h | 12 ++
include/linux/netfilter_ipv4/ipt_dscp.h | 21 +++
include/linux/netfilter_ipv4/ipt_owner.h | 20 +++
include/linux/netfilter_ipv4/ipt_tos.h | 13 ++
include/linux/netfilter_ipv6/ip6t_LOG.h | 18 ++
libipq/Makefile.am | 2 +-
14 files changed, 356 insertions(+), 5 deletions(-)
create mode 100644 include/linux/compiler.h
create mode 100644 include/linux/netfilter/xt_SECMARK.h
create mode 100644 include/linux/netfilter_ipv4/ipt_DSCP.h
create mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h
create mode 100644 include/linux/netfilter_ipv4/ipt_REJECT.h
create mode 100644 include/linux/netfilter_ipv4/ipt_TOS.h
create mode 100644 include/linux/netfilter_ipv4/ipt_dscp.h
create mode 100644 include/linux/netfilter_ipv4/ipt_owner.h
create mode 100644 include/linux/netfilter_ipv4/ipt_tos.h
create mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h
diff --git a/Makefile.am b/Makefile.am
index 112b552..8babe96 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign subdir-objects
regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
if ENABLE_DEVEL
SUBDIRS += libipq
diff --git a/configure.ac b/configure.ac
index 79775ad..4c18cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,8 +8,6 @@ AM_PROG_CC_C_O
AC_DISABLE_STATIC
AC_PROG_LIBTOOL
-kbuilddir="/lib/modules/$(uname -r)/build";
-ksourcedir="/lib/modules/$(uname -r)/source";
AC_ARG_WITH([kernel],
AS_HELP_STRING([--with-kernel=PATH],
[Path to kernel source/build directory]),
@@ -41,7 +39,13 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
+kinclude_CFLAGS="";
+if [[ -n "$kbuilddir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
+fi;
+if [[ -n "$ksourcedir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
+fi;
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
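Review bot: the new `kinclude_CFLAGS` assembly drops the quoting that the removed line had (`-I\"$kbuilddir/include\"`), so a --with-kernel path containing whitespace now splits into several compiler arguments; keep the escaped quotes around each path. `test -n "$kbuilddir"` is also the more usual spelling in configure.ac than a bracket test whose meaning depends on m4 stripping one level of brackets.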
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
new file mode 100644
index 0000000..d0e17e1
--- /dev/null
+++ b/include/linux/compiler.h
@@ -0,0 +1,179 @@
+#ifndef __LINUX_COMPILER_H
+#define __LINUX_COMPILER_H
+
+#ifndef __ASSEMBLY__
+
+#ifdef __CHECKER__
+# define __user __attribute__((noderef, address_space(1)))
+# define __kernel /* default address space */
+# define __safe __attribute__((safe))
+# define __force __attribute__((force))
+# define __nocast __attribute__((nocast))
+# define __iomem __attribute__((noderef, address_space(2)))
+# define __acquires(x) __attribute__((context(x,0,1)))
+# define __releases(x) __attribute__((context(x,1,0)))
+# define __acquire(x) __context__(x,1)
+# define __release(x) __context__(x,-1)
+# define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
+extern void __chk_user_ptr(const volatile void __user *);
+extern void __chk_io_ptr(const volatile void __iomem *);
+#else
+# define __user
+# define __kernel
+# define __safe
+# define __force
+# define __nocast
+# define __iomem
+# define __chk_user_ptr(x) (void)0
+# define __chk_io_ptr(x) (void)0
+# define __builtin_warning(x, y...) (1)
+# define __acquires(x)
+# define __releases(x)
+# define __acquire(x) (void)0
+# define __release(x) (void)0
+# define __cond_lock(x,c) (c)
+#endif
+
+#ifdef __KERNEL__
+
+#if __GNUC__ >= 4
+# include <linux/compiler-gcc4.h>
+#elif __GNUC__ == 3 && __GNUC_MINOR__ >= 2
+# include <linux/compiler-gcc3.h>
+#else
+# error Sorry, your compiler is too old/not recognized.
+#endif
+
+/* Intel compiler defines __GNUC__. So we will overwrite implementations
+ * coming from above header files here
+ */
+#ifdef __INTEL_COMPILER
+# include <linux/compiler-intel.h>
+#endif
+
+/*
+ * Generic compiler-dependent macros required for kernel
+ * build go below this comment. Actual compiler/compiler version
+ * specific implementations come from the above header files
+ */
+
+#define likely(x) __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
+/* Optimization barrier */
+#ifndef barrier
+# define barrier() __memory_barrier()
+#endif
+
+#ifndef RELOC_HIDE
+# define RELOC_HIDE(ptr, off) \
+ ({ unsigned long __ptr; \
+ __ptr = (unsigned long) (ptr); \
+ (typeof(ptr)) (__ptr + (off)); })
+#endif
+
+#endif /* __KERNEL__ */
+
+#endif /* __ASSEMBLY__ */
+
+#ifdef __KERNEL__
+/*
+ * Allow us to mark functions as 'deprecated' and have gcc emit a nice
+ * warning for each use, in hopes of speeding the functions removal.
+ * Usage is:
+ * int __deprecated foo(void)
+ */
+#ifndef __deprecated
+# define __deprecated /* unimplemented */
+#endif
+
+#ifdef MODULE
+#define __deprecated_for_modules __deprecated
+#else
+#define __deprecated_for_modules
+#endif
+
+#ifndef __must_check
+#define __must_check
+#endif
+
+#ifndef CONFIG_ENABLE_MUST_CHECK
+#undef __must_check
+#define __must_check
+#endif
+#ifndef CONFIG_ENABLE_WARN_DEPRECATED
+#undef __deprecated
+#undef __deprecated_for_modules
+#define __deprecated
+#define __deprecated_for_modules
+#endif
+
+/*
+ * Allow us to avoid 'defined but not used' warnings on functions and data,
+ * as well as force them to be emitted to the assembly file.
+ *
+ * As of gcc 3.4, static functions that are not marked with attribute((used))
+ * may be elided from the assembly file. As of gcc 3.4, static data not so
+ * marked will not be elided, but this may change in a future gcc version.
+ *
+ * NOTE: Because distributions shipped with a backported unit-at-a-time
+ * compiler in gcc 3.3, we must define __used to be __attribute__((used))
+ * for gcc >=3.3 instead of 3.4.
+ *
+ * In prior versions of gcc, such functions and data would be emitted, but
+ * would be warned about except with attribute((unused)).
+ *
+ * Mark functions that are referenced only in inline assembly as __used so
+ * the code is emitted even though it appears to be unreferenced.
+ */
+#ifndef __used
+# define __used /* unimplemented */
+#endif
+
+#ifndef __maybe_unused
+# define __maybe_unused /* unimplemented */
+#endif
+
+#ifndef noinline
+#define noinline
+#endif
+
+#ifndef __always_inline
+#define __always_inline inline
+#endif
+
+#endif /* __KERNEL__ */
+
+/*
+ * From the GCC manual:
+ *
+ * Many functions do not examine any values except their arguments,
+ * and have no effects except the return value. Basically this is
+ * just slightly more strict class than the `pure' attribute above,
+ * since function is not allowed to read global memory.
+ *
+ * Note that a function that has pointer arguments and examines the
+ * data pointed to must _not_ be declared `const'. Likewise, a
+ * function that calls a non-`const' function usually must not be
+ * `const'. It does not make sense for a `const' function to return
+ * `void'.
+ */
+#ifndef __attribute_const__
+# define __attribute_const__ /* unimplemented */
+#endif
+
+/*
+ * Tell gcc if a function is cold. The compiler will assume any path
+ * directly leading to the call is unlikely.
+ */
+
+#ifndef __cold
+#define __cold
+#endif
+
+/* Simple shorthand for a section definition */
+#ifndef __section
+# define __section(S) __attribute__ ((__section__(#S)))
+#endif
+
+#endif /* __LINUX_COMPILER_H */
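Review bot: Most of this header sits inside #ifdef __KERNEL__ (the compiler-gcc3/gcc4/intel includes, likely/unlikely, barrier, __deprecated, __must_check, __used), which userspace builds normally do not define, so only the __user-style annotation stubs at the top and __attribute_const__, __cold and __section at the bottom take effect here. Consider trimming the copy to those parts, and add a comment at the top naming the kernel release it was taken from so that later resyncs have a reference point.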
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3c5b889..0d1ba11 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -1,6 +1,8 @@
#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H
+#include <linux/compiler.h>
+
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 0000000..c53fbff
--- /dev/null
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SELCTX_MAX 256
+
+struct xt_secmark_target_selinux_info {
+ u_int32_t selsid;
+ char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+ u_int8_t mode;
+ union {
+ struct xt_secmark_target_selinux_info sel;
+ } u;
+};
+
+#endif /*_XT_SECMARK_H_target */
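Review bot: xt_SECMARK.h uses u_int32_t and u_int8_t in both structs but includes nothing that declares them, so it compiles only when the including file has already pulled in <sys/types.h> or an equivalent. Add the include to the header itself so it is self-contained; the same applies to the other headers added by this patch that use u_int8_t, uid_t, gid_t or pid_t without an include (ipt_TOS.h, ipt_tos.h, ipt_owner.h).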
diff --git a/include/linux/netfilter_ipv4/ipt_DSCP.h b/include/linux/netfilter_ipv4/ipt_DSCP.h
new file mode 100644
index 0000000..3491e52
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_DSCP.h
@@ -0,0 +1,18 @@
+/* iptables module for setting the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+*/
+#ifndef _IPT_DSCP_TARGET_H
+#define _IPT_DSCP_TARGET_H
+#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+#define ipt_DSCP_info xt_DSCP_info
+
+#endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 0000000..90fa652
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IPT_LOG_H
+#define _IPT_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IPT_LOG_IPOPT 0x04 /* Log IP options */
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define IPT_LOG_MASK 0x1f
+
+struct ipt_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 0000000..4293a1a
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_REJECT_H
+#define _IPT_REJECT_H
+
+enum ipt_reject_with {
+ IPT_ICMP_NET_UNREACHABLE,
+ IPT_ICMP_HOST_UNREACHABLE,
+ IPT_ICMP_PROT_UNREACHABLE,
+ IPT_ICMP_PORT_UNREACHABLE,
+ IPT_ICMP_ECHOREPLY,
+ IPT_ICMP_NET_PROHIBITED,
+ IPT_ICMP_HOST_PROHIBITED,
+ IPT_TCP_RESET,
+ IPT_ICMP_ADMIN_PROHIBITED
+};
+
+struct ipt_reject_info {
+ enum ipt_reject_with with; /* reject type */
+};
+
+#endif /*_IPT_REJECT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
new file mode 100644
index 0000000..6bf9e1f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_TOS.h
@@ -0,0 +1,12 @@
+#ifndef _IPT_TOS_H_target
+#define _IPT_TOS_H_target
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+struct ipt_tos_target_info {
+ u_int8_t tos;
+};
+
+#endif /*_IPT_TOS_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_dscp.h b/include/linux/netfilter_ipv4/ipt_dscp.h
new file mode 100644
index 0000000..4b82ca9
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_dscp.h
@@ -0,0 +1,21 @@
+/* iptables module for matching the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _IPT_DSCP_H
+#define _IPT_DSCP_H
+
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_DSCP_MASK XT_DSCP_MASK
+#define IPT_DSCP_SHIFT XT_DSCP_SHIFT
+#define IPT_DSCP_MAX XT_DSCP_MAX
+
+#define ipt_dscp_info xt_dscp_info
+
+#endif /* _IPT_DSCP_H */
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
new file mode 100644
index 0000000..92f4bda
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_owner.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_OWNER_H
+#define _IPT_OWNER_H
+
+/* match and invert flags */
+#define IPT_OWNER_UID 0x01
+#define IPT_OWNER_GID 0x02
+#define IPT_OWNER_PID 0x04
+#define IPT_OWNER_SID 0x08
+#define IPT_OWNER_COMM 0x10
+
+struct ipt_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h
new file mode 100644
index 0000000..a21f5df
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_tos.h
@@ -0,0 +1,13 @@
+#ifndef _IPT_TOS_H
+#define _IPT_TOS_H
+
+struct ipt_tos_info {
+ u_int8_t tos;
+ u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+#endif /*_IPT_TOS_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
new file mode 100644
index 0000000..0d0119b
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IP6T_LOG_H
+#define _IP6T_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
+#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
+#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
+#define IP6T_LOG_MASK 0x1f
+
+struct ip6t_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
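Review bot: The closing comment on the last line reads /*_IPT_LOG_H*/ but the guard opened at the top of ip6t_LOG.h is _IP6T_LOG_H. Change the comment to /*_IP6T_LOG_H*/ so it matches the guard it closes.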
diff --git a/libipq/Makefile.am b/libipq/Makefile.am
index 942a874..d4245e7 100644
--- a/libipq/Makefile.am
+++ b/libipq/Makefile.am
@@ -1,6 +1,6 @@
# -*- Makefile -*-
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
libipq_a_SOURCES = libipq.c
lib_LIBRARIES = libipq.a
--
1.5.5.rc3
* [PATCH 14/24] configure: split --enable-libipq from --enable-devel
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
Makefile.am | 2 +-
configure.ac | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8babe96..8137c93 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,7 @@ regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
-if ENABLE_DEVEL
+if ENABLE_LIBIPQ
SUBDIRS += libipq
endif
diff --git a/configure.ac b/configure.ac
index 4c18cb0..3a0bff3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,12 +27,16 @@ AC_ARG_WITH([xtlibdir],
[xtlibdir="${libexecdir}/iptables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
- [Build and install development files (libipq, libipq-devel, iptables-devel)]))
+ [Install Xtables development headers]),
+ [enable_devel="$enableval"], [enable_devel="yes"])
+AC_ARG_ENABLE([libipq],
+ AS_HELP_STRING([--enable-libipq], [Build and install libipq]))
AC_CHECK_HEADER([netinet/ip6.h], [], [AC_MSG_ERROR(but we need that for IPv6)])
AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" == "yes"])
AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" == "yes"])
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
+AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
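Review bot: The added AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"]) copies the == operator from the conditionals above it; POSIX test only defines =, so with a /bin/sh whose test builtin rejects == the conditional is false even when --enable-libipq is given. Use = here, and ideally in the three existing conditionals as well. The change also makes --enable-devel default to "yes" and stops it from building libipq, while the commit message is empty; a line stating both behaviour changes would help packagers.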
--
1.5.5.rc3
* [PATCH 15/24] Update package name (Xtables) and documentation
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
INSTALL | 96 ++++++++++++++++++++++++++++++++------------------
configure.ac | 4 +-
2 files changed, 64 insertions(+), 36 deletions(-)
diff --git a/INSTALL b/INSTALL
index a41e0cc..e8d9ba4 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,52 +1,80 @@
-FOLLOW THESE STEPS:
+Installation instructions for Xtables
+=====================================
-0) There may be some outstanding bugfixes or tweaks which are not yet
- in the official kernel. Those are now (as of iptables-1.2.7) kept
- in a seperate package, called patch-o-matic. It is available from
- ftp://ftp.netfilter.org/pub/patch-o-matic/
+Xtables uses the well-known configure(autotools) infrastructure.
-1) Next, make the package. If you use a standard distribution kernel,
- just run ./configure.
+ $ ./configure
+ $ make
+ # make install
- If you want to build against an own kernel tree:
- $ ./configure --with-kernel=/home/jengelh/mykernel
+Prerequisites
+=============
- or whereever you put it. If you are using a dedicated kernel build
- directory, you use:
+ * no kernel-source required
- $ ./configure --with-kbuild=<<where-built>> --with-ksource=<<source>>
+ * but obviously a compiler, glibc-devel and linux-kernel-headers
+ (/usr/include/linux)
-2) Finally, you need to install the binaries and shared libraries:
- # make install
+Configuring and compiling
+=========================
-That's it!
-================================================================
-PROBLEMS YOU MAY ENCOUNTER:
+./configure [options]
-1) This package requires a 2.4.4 kernel, or above.
+--prefix=
-2) If you get the kernel directory wrong, you may get compile failures.
+ The prefix to put all installed files under. It defaults to
+ /usr/local, so the binaries will go into /usr/local/bin, sbin,
+ manpages into /usr/local/share/man, etc.
-3) If you want to specify alternate directories for installation
-(instead of /usr/local/ bin lib man), do this:
+--with-xtlibdir=
- $ ./configure --prefix=/usr
- $ make
- # make install
+ The path to where Xtables extensions should be installed to. It
+ defaults to ${prefix}/libexec/xtables.
+
+--enable-devel (or --disable-devel)
+
+ This option causes development files to be installed to
+ ${includedir}, which is needed for building additional packages,
+ such as Xtables-addons or other 3rd-party extensions.
+
+ It is enabled by default.
+
+--enable-libipq
+
+ This option causes libipq to be installed into ${libdir} and
+ ${includedir}.
+
+--enable-static
+
+ Enable building single standalone multipurpose binaries,
+ (iptables-static and ip6tables-static), which contain every
+ extension compiled-in (and does not support additional
+ extensions).
+
+--with-ksource=
+
+ Xtables does not depend on kernel headers anymore, but you can
+ optionally specify a search path to include anyway. This is
+ probably only useful for development.
+
+If you want to enable debugging, use
+
+ ./configure CFLAGS="-ggdb3 -O0"
-4) The make process will automatically build a multipurpose binary under the
- names iptables-multi and ip6tables-multi.
+(-O0 is used to turn off instruction reordering, which makes debugging
+much easier.)
-5) If you want to build a statically linked version of the iptables binary,
- without the need for loading the plugins at runtime (e.g. for an embedded
- device or router-on-a-disk), please use
- $ ./configure --enable-static
+Other notes
+===========
- which will build both a semi-static multi binary (iptables-mtss, uses
- libc but not plugins) and a fully static multi binary (iptables-static).
+The make process will automatically build multipurpose binaries.
+These have the core (iptables), -save, -restore and -xml code
+compiled into one binary, but extensions remain as modules.
-6) If you want to install libipq (old interface), add --enable-devel to
- ./configure.
+If you want to build a statically linked version of the iptables binary,
+without the need for loading the plugins at runtime (e.g. for an
+embedded device or router-on-a-disk), you can use the --enable-static
+configure flag.
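Review bot: The rewritten option list documents only --with-ksource=, while the removed text also described --with-kernel= and --with-kbuild=. If configure.ac still accepts those two, list them here or say they are kept only for compatibility; otherwise a reader of INSTALL cannot tell whether they still work. Minor wording in the --enable-static entry: drop the comma before the parenthesis and make "contain ... and does not support" agree in number.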
diff --git a/configure.ac b/configure.ac
index 3a0bff3..ec0a7d0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,9 +22,9 @@ AC_ARG_WITH([ksource],
[ksourcedir="$withval"])
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
- [Path to iptables modules [[LIBEXECDIR/iptables]]]),
+ [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
[xtlibdir="$withval"],
- [xtlibdir="${libexecdir}/iptables"])
+ [xtlibdir="${libexecdir}/xtables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
[Install Xtables development headers]),
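Review bot: Changing the xtlibdir default from ${libexecdir}/iptables to ${libexecdir}/xtables moves the directory that extensions are installed to, so extensions left in the old directory by an earlier install or a third-party package are no longer in the default location after an upgrade. The commit message is empty; state the path change there so packagers can migrate the directory or pass --with-xtlibdir explicitly.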
--
1.5.5.rc3
* [PATCH 16/24] Install libiptc header files because xtables.h depends on it
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
Makefile.am | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8137c93..bb7dc4f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -75,6 +75,9 @@ man_MANS := iptables.8 iptables-restore.8 iptables-save.8 \
CLEANFILES := iptables.8 ip6tables.8
if ENABLE_DEVEL
include_HEADERS := include/xtables.h include/iptables.h include/ip6tables.h
+iptcdir := ${includedir}/libiptc
+iptc_HEADERS := include/libiptc/libxtc.h \
+ include/libiptc/ipt_kernel_headers.h
endif
if ENABLE_STATIC
--
1.5.5.rc3
* [PATCH 17/24] Remove support for compilation of conditional extensions
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/.condition-test | 4 -
extensions/.condition-test6 | 4 -
extensions/.set-test | 4 -
extensions/GNUmakefile.in | 27 +----
extensions/libip6t_condition.c | 94 ----------------
extensions/libip6t_condition.man | 4 -
extensions/libipt_SET.c | 175 ------------------------------
extensions/libipt_SET.man | 16 ---
extensions/libipt_condition.c | 93 ----------------
extensions/libipt_condition.man | 4 -
extensions/libipt_set.c | 162 ---------------------------
extensions/libipt_set.h | 104 ------------------
extensions/libipt_set.man | 17 ---
13 files changed, 3 insertions(+), 705 deletions(-)
delete mode 100755 extensions/.condition-test
delete mode 100755 extensions/.condition-test6
delete mode 100755 extensions/.set-test
delete mode 100644 extensions/libip6t_condition.c
delete mode 100644 extensions/libip6t_condition.man
delete mode 100644 extensions/libipt_SET.c
delete mode 100644 extensions/libipt_SET.man
delete mode 100644 extensions/libipt_condition.c
delete mode 100644 extensions/libipt_condition.man
delete mode 100644 extensions/libipt_set.c
delete mode 100644 extensions/libipt_set.h
delete mode 100644 extensions/libipt_set.man
diff --git a/extensions/.condition-test b/extensions/.condition-test
deleted file mode 100755
index 2470a18..0000000
--- a/extensions/.condition-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.condition-test6 b/extensions/.condition-test6
deleted file mode 100755
index 15a0f04..0000000
--- a/extensions/.condition-test6
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.set-test b/extensions/.set-test
deleted file mode 100755
index 754abfd..0000000
--- a/extensions/.set-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#! /bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h" ] && \
-echo "set SET";
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index ee20469..31e6fb7 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -32,30 +32,9 @@ endif
#
# Wildcard module list
#
-pfx_all_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
-pf4_all_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
-pf6_all_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
-
-#
-# Conditional module list
-#
-pfx_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf4_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf6_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-
-#
-# Conditional modules to build
-#
-pfx_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf4_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf6_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-
-#
-# Total list of modules to build
-#
-pfx_build_mod := $(filter-out ${pfx_cond_mod},${pfx_all_mod}) ${pfx_bc_mod}
-pf4_build_mod := $(filter-out ${pf4_cond_mod},${pf4_all_mod}) ${pf4_bc_mod}
-pf6_build_mod := $(filter-out ${pf6_cond_mod},${pf6_all_mod}) ${pf6_bc_mod}
+pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
+pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
+pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
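Review bot: The pf*_all_mod, pf*_cond_mod and pf*_bc_mod variables are removed and pf*_build_mod is now assigned straight from the wildcard; check the rest of GNUmakefile.in for remaining references to the removed names, since make expands an undefined variable to the empty string without a diagnostic. The commit message is also empty: say why the condition and set/SET extensions are dropped and where users are expected to get them from now on.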
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
deleted file mode 100644
index 56793b2..0000000
--- a/extensions/libip6t_condition.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* Shared library add-on to ip6tables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
-
-static void condition_help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int
-condition_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct ip6tables_match condition_match6 = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
- .help = condition_help,
- .parse = condition_parse,
- .final_check = condition_check,
- .print = condition_print,
- .save = condition_save,
- .extra_opts = condition_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match6(&condition_match6);
-}
diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man
deleted file mode 100644
index e0bba75..0000000
--- a/extensions/libip6t_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
deleted file mode 100644
index 91ab488..0000000
--- a/extensions/libipt_SET.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set mangling target. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void SET_help(void)
-{
- printf("SET v%s options:\n"
- " --add-set name flags\n"
- " --del-set name flags\n"
- " add/del src/dst IP/port from/to named sets,\n"
- " where flags are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static const struct option SET_opts[] = {
- {"add-set", 1, 0, '1'},
- {"del-set", 1, 0, '2'},
- {0}
-};
-
-/* Initialize the target. */
-static void SET_init(struct xt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- memset(info, 0, sizeof(struct ipt_set_info_target));
- info->add_set.index =
- info->del_set.index = IP_SET_INVALID_ID;
-
-}
-
-static void
-parse_target(char **argv, int invert, unsigned int *flags,
- struct ipt_set_info *info, const char *what)
-{
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--%s can be specified only once", what);
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--%s requires two args.", what);
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- optind++;
-
- *flags = 1;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int SET_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
-{
- struct ipt_set_info_target *myinfo =
- (struct ipt_set_info_target *) (*target)->data;
-
- switch (c) {
- case '1': /* --add-set <set> <flags> */
- parse_target(argv, invert, flags,
- &myinfo->add_set, "add-set");
- break;
- case '2': /* --del-set <set>[:<flags>] <flags> */
- parse_target(argv, invert, flags,
- &myinfo->del_set, "del-set");
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must specify at least one. */
-static void SET_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify either `--add-set' or `--del-set'");
-}
-
-static void
-print_target(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- if (info->index == IP_SET_INVALID_ID)
- return;
- get_set_byid(setname, info->index);
- printf("%s %s", prefix, setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the targinfo. */
-static void SET_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("add-set", &info->add_set);
- print_target("del-set", &info->del_set);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void SET_save(const void *ip, const struct xt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("--add-set", &info->add_set);
- print_target("--del-set", &info->del_set);
-}
-
-static struct iptables_target set_target = {
- .name = "SET",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .help = SET_help,
- .init = SET_init,
- .parse = SET_parse,
- .final_check = SET_check,
- .print = SET_print,
- .save = SET_save,
- .extra_opts = SET_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_target(&set_target);
-}
diff --git a/extensions/libipt_SET.man b/extensions/libipt_SET.man
deleted file mode 100644
index 8f25bea..0000000
--- a/extensions/libipt_SET.man
+++ /dev/null
@@ -1,16 +0,0 @@
-This modules adds and/or deletes entries from IP sets which can be defined
-by ipset(8).
-.TP
-.BR "--add-set " "setname flag[,flag...]"
-add the address(es)/port(s) of the packet to the sets
-.TP
-.BR "--del-set " "setname flag[,flag...]"
-delete the address(es)/port(s) of the packet from the sets,
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them.
-.TP
-The bindings to follow must previously be defined in order to use
-multilevel adding/deleting by the SET target.
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
deleted file mode 100644
index 5bd1c44..0000000
--- a/extensions/libipt_condition.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* Shared library add-on to iptables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
-
-static void condition_help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct condition_info *info =
- (struct condition_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct iptables_match condition_match = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct condition_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct condition_info)),
- .help = condition_help,
- .parse = condition_parse,
- .final_check = condition_check,
- .print = condition_print,
- .save = condition_save,
- .extra_opts = condition_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match(&condition_match);
-}
diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man
deleted file mode 100644
index ce2aa95..0000000
--- a/extensions/libipt_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
diff --git a/extensions/libipt_set.c b/extensions/libipt_set.c
deleted file mode 100644
index 78a02b5..0000000
--- a/extensions/libipt_set.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set matching. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void set_help(void)
-{
- printf("set v%s options:\n"
- " [!] --set name flags\n"
- " 'name' is the set name from to match,\n"
- " 'flags' are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static const struct option set_opts[] = {
- {"set", 1, 0, '1'},
- {0}
-};
-
-/* Initialize the match. */
-static void set_init(struct xt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
-
- memset(info, 0, sizeof(struct ipt_set_info_match));
-
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int set_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_set_info_match *myinfo =
- (struct ipt_set_info_match *) (*match)->data;
- struct ipt_set_info *info = &myinfo->match_set;
-
- switch (c) {
- case '1': /* --set <set> <flag>[,<flag> */
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--set can be specified only once");
-
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags[0] |= IPSET_MATCH_INV;
-
- if (!argv[optind]
- || argv[optind][0] == '-'
- || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--set requires two args.");
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- DEBUGP("parse: set index %u\n", info->index);
- optind++;
-
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --set. */
-static void set_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify `--set' with proper arguments");
- DEBUGP("final check OK\n");
-}
-
-static void
-print_match(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- get_set_byid(setname, info->index);
- printf("%s%s %s",
- (info->flags[0] & IPSET_MATCH_INV) ? "! " : "",
- prefix,
- setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void set_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("set", &info->match_set);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void set_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("--set", &info->match_set);
-}
-
-static struct iptables_match set_match = {
- .name = "set",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .help = set_help,
- .init = set_init,
- .parse = set_parse,
- .final_check = set_check,
- .print = set_print,
- .save = set_save,
- .extra_opts = set_opts,
-};
-
-void _init(void);
-void _init(void)
-{
- register_match(&set_match);
-}
diff --git a/extensions/libipt_set.h b/extensions/libipt_set.h
deleted file mode 100644
index 02de0fa..0000000
--- a/extensions/libipt_set.h
+++ /dev/null
@@ -1,104 +0,0 @@
-#ifndef _LIBIPT_SET_H
-#define _LIBIPT_SET_H
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <errno.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
-static void
-parse_bindings(const char *optarg, struct ipt_set_info *info)
-{
- char *saved = strdup(optarg);
- char *ptr, *tmp = saved;
- int i = 0;
-
- while (i < (IP_SET_MAX_BINDINGS - 1) && tmp != NULL) {
- ptr = strsep(&tmp, ",");
- if (strncmp(ptr, "src", 3) == 0)
- info->flags[i++] |= IPSET_SRC;
- else if (strncmp(ptr, "dst", 3) == 0)
- info->flags[i++] |= IPSET_DST;
- else
- exit_error(PARAMETER_PROBLEM,
- "You must spefify (the comma separated list of) 'src' or 'dst'.");
- }
-
- if (tmp)
- exit_error(PARAMETER_PROBLEM,
- "Can't follow bindings deeper than %i.",
- IP_SET_MAX_BINDINGS - 1);
-
- free(saved);
-}
-
-static int get_set_getsockopt(void *data, socklen_t * size)
-{
- int sockfd = -1;
- sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- exit_error(OTHER_PROBLEM,
- "Can't open socket to ipset.\n");
- /* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-}
-
-static void get_set_byname(const char *setname, struct ipt_set_info *info)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYNAME;
- req.version = IP_SET_PROTOCOL_VERSION;
- strncpy(req.set.name, setname, IP_SET_MAXNAMELEN);
- req.set.name[IP_SET_MAXNAMELEN - 1] = '\0';
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.index == IP_SET_INVALID_ID)
- exit_error(PARAMETER_PROBLEM,
- "Set %s doesn't exist.\n", setname);
-
- info->index = req.set.index;
-}
-
-static void get_set_byid(char * setname, ip_set_id_t index)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYINDEX;
- req.version = IP_SET_PROTOCOL_VERSION;
- req.set.index = index;
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.name[0] == '\0')
- exit_error(PARAMETER_PROBLEM,
- "Set id %i in kernel doesn't exist.\n", index);
-
- strncpy(setname, req.set.name, IP_SET_MAXNAMELEN);
-}
-
-#endif /*_LIBIPT_SET_H*/
diff --git a/extensions/libipt_set.man b/extensions/libipt_set.man
deleted file mode 100644
index d280577..0000000
--- a/extensions/libipt_set.man
+++ /dev/null
@@ -1,17 +0,0 @@
-This modules macthes IP sets which can be defined by ipset(8).
-.TP
-.BR "--set " "setname flag[,flag...]"
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them. Hence the command
-.nf
- iptables -A FORWARD -m set --set test src,dst
-.fi
-will match packets, for which (depending on the type of the set) the source
-address or port number of the packet can be found in the specified set. If
-there is a binding belonging to the mached set element or there is a default
-binding for the given set, then the rule will match the packet only if
-additionally (depending on the type of the set) the destination address or
-port number of the packet can be found in the set according to the binding.
--
1.5.5.rc3
* [PATCH 18/24] Combine ipt and ip6t manpages
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libip6t_TCPMSS.man | 42 ----------
extensions/libip6t_connlimit.man | 27 -------
extensions/libip6t_length.man | 4 -
extensions/libip6t_multiport.man | 20 -----
extensions/libip6t_tcp.man | 45 -----------
extensions/libipt_TRACE.man | 10 ---
extensions/libipt_length.man | 4 -
extensions/libipt_policy.man | 48 ------------
extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} | 8 +-
extensions/{libip6t_TRACE.man => libxt_TRACE.man} | 3 +-
.../{libipt_connlimit.man => libxt_connlimit.man} | 0
extensions/libxt_length.man | 5 +
.../{libipt_multiport.man => libxt_multiport.man} | 0
.../{libip6t_policy.man => libxt_policy.man} | 0
extensions/{libipt_tcp.man => libxt_tcp.man} | 0
15 files changed, 12 insertions(+), 204 deletions(-)
delete mode 100644 extensions/libip6t_TCPMSS.man
delete mode 100644 extensions/libip6t_connlimit.man
delete mode 100644 extensions/libip6t_length.man
delete mode 100644 extensions/libip6t_multiport.man
delete mode 100644 extensions/libip6t_tcp.man
delete mode 100644 extensions/libipt_TRACE.man
delete mode 100644 extensions/libipt_length.man
delete mode 100644 extensions/libipt_policy.man
rename extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} (77%)
rename extensions/{libip6t_TRACE.man => libxt_TRACE.man} (94%)
rename extensions/{libipt_connlimit.man => libxt_connlimit.man} (100%)
create mode 100644 extensions/libxt_length.man
rename extensions/{libipt_multiport.man => libxt_multiport.man} (100%)
rename extensions/{libip6t_policy.man => libxt_policy.man} (100%)
rename extensions/{libipt_tcp.man => libxt_tcp.man} (100%)
diff --git a/extensions/libip6t_TCPMSS.man b/extensions/libip6t_TCPMSS.man
deleted file mode 100644
index b4c357e..0000000
--- a/extensions/libip6t_TCPMSS.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 60). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMPv6 Packet Too Big packets or are unable to send them.
-The symptoms of this problem are that everything works fine from your
-Linux firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 60).
-.TP
-These options are mutually exclusive.
-
diff --git a/extensions/libip6t_connlimit.man b/extensions/libip6t_connlimit.man
deleted file mode 100644
index d1a4447..0000000
--- a/extensions/libip6t_connlimit.man
+++ /dev/null
@@ -1,27 +0,0 @@
-Allows you to restrict the number of parallel connections to a server per
-client IP address (or client address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-Match if the number of existing connections is (not) above \fIn\fR.
-.TP
-\fB--connlimit-mask\fR \fIprefix_length\fR
-Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128.
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-network (24 bit netmask)
-ip6tables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
-(ipv6)
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
-16 --connlimit-mask 64 -j REJECT
diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man
deleted file mode 100644
index d781a04..0000000
--- a/extensions/libip6t_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of the IPv6 payload in octets, or range of it.
-IPv6 header itself isn't counted.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man
deleted file mode 100644
index 6f75a6e..0000000
--- a/extensions/libip6t_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction
-with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
deleted file mode 100644
index 41b89a4..0000000
--- a/extensions/libip6t_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions can be used if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
deleted file mode 100644
index 7fbe8e7..0000000
--- a/extensions/libipt_TRACE.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ipt_LOG module
-is required for the logging.) The packets are logged with the string prefix:
-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
-plain rule, "return" for implicit rule at the end of a user defined chain
-and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man
deleted file mode 100644
index 43bbdcf..0000000
--- a/extensions/libipt_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_policy.man b/extensions/libipt_policy.man
deleted file mode 100644
index eed163e..0000000
--- a/extensions/libipt_policy.man
+++ /dev/null
@@ -1,48 +0,0 @@
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
diff --git a/extensions/libipt_TCPMSS.man b/extensions/libxt_TCPMSS.man
similarity index 77%
rename from extensions/libipt_TCPMSS.man
rename to extensions/libxt_TCPMSS.man
index 30668b0..82f93e0 100644
--- a/extensions/libipt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -1,6 +1,7 @@
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
+outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
+Of course, it can only be used
in conjunction with
.BR "-p tcp" .
It is only valid in the
@@ -8,7 +9,8 @@ It is only valid in the
table.
.br
This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
+which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
+packets. The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
packets:
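Review bot: the merged sentence `which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets` drops the clause "or are unable to send them" that the deleted libip6t_TCPMSS.man carried, so the combined page no longer covers hosts that never generate the error in the first place. If dropping it was intended, say so in the commit message; otherwise append the clause to the new line so the IPv6 text is not silently weakened by the merge.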
@@ -36,6 +38,6 @@ configuration like:
Explicitly set MSS option to specified value.
.TP
.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
+Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6).
.TP
These options are mutually exclusive.
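Review bot: the parenthetical added under --clamp-mss-to-pmtu, "(path_MTU - 40 for IPv4; -60 for IPv6)", mixes a full expression with a bare offset and can be misread as a negative value for IPv6. Spell out both cases, for example "(path_MTU - 40) for IPv4, (path_MTU - 60) for IPv6", which also lines up with the "40 for IPv4 or 60 for IPv6" wording introduced in the first paragraph of the same page.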
diff --git a/extensions/libip6t_TRACE.man b/extensions/libxt_TRACE.man
similarity index 94%
rename from extensions/libip6t_TRACE.man
rename to extensions/libxt_TRACE.man
index ca3895a..d28c3a0 100644
--- a/extensions/libip6t_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -1,5 +1,6 @@
This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ip6t_LOG module
+the packets as those traverse the tables, chains, rules. (The ipt_LOG or
+ip6t_LOG module
is required for the logging.) The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
plain rule, "return" for implicit rule at the end of a user defined chain
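Review bot: the first context line of the renamed page still reads "marks packes" and "every rule which match"; since this hunk already rewrites that sentence, correct both ("packets", "matches") in the same change. The deleted libipt_TRACE.man had the identical wording, so the typos otherwise survive the merge into the one remaining copy.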
diff --git a/extensions/libipt_connlimit.man b/extensions/libxt_connlimit.man
similarity index 100%
rename from extensions/libipt_connlimit.man
rename to extensions/libxt_connlimit.man
diff --git a/extensions/libxt_length.man b/extensions/libxt_length.man
new file mode 100644
index 0000000..5a8198b
--- /dev/null
+++ b/extensions/libxt_length.man
@@ -0,0 +1,5 @@
+This module matches the length of the layer-3 payload (e.g. layer-4 packet)
+f a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
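Review bot: the second added line starts with "f a packet", which has lost the "o" of "of". Separately, the new first line describes the match as the length of the layer-3 payload for both families, whereas the deleted libipt_length.man said "the length of a packet" and only libip6t_length.man stated that the header is not counted. Fix the typo, and either confirm that the IPv4 match really excludes the IP header or keep a per-family sentence so the merged page does not change the documented IPv4 semantics.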
diff --git a/extensions/libipt_multiport.man b/extensions/libxt_multiport.man
similarity index 100%
rename from extensions/libipt_multiport.man
rename to extensions/libxt_multiport.man
diff --git a/extensions/libip6t_policy.man b/extensions/libxt_policy.man
similarity index 100%
rename from extensions/libip6t_policy.man
rename to extensions/libxt_policy.man
diff --git a/extensions/libipt_tcp.man b/extensions/libxt_tcp.man
similarity index 100%
rename from extensions/libipt_tcp.man
rename to extensions/libxt_tcp.man
--
1.5.5.rc3
* [PATCH 19/24] Implement AF_UNSPEC as a wildcard for extensions
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
When a match or target is registered using
xtables_register_{match,target}, xtables.c will consider AF_UNSPEC as
a wildcard when specified as the .family member. Rules between
two competing matches/targets are:
- higher revision (if usable in kernel) wins over lower revision
- in case of same revision: generic AF_UNSPEC loses to specific AF_...
---
extensions/libxt_CLASSIFY.c | 17 +---------------
extensions/libxt_MARK.c | 18 +----------------
extensions/libxt_RATEEST.c | 22 ++-----------------
extensions/libxt_SECMARK.c | 18 +----------------
extensions/libxt_TRACE.c | 13 +-----------
extensions/libxt_length.c | 17 +---------------
extensions/libxt_limit.c | 17 +---------------
extensions/libxt_mark.c | 36 +--------------------------------
extensions/libxt_pkttype.c | 17 +---------------
extensions/libxt_quota.c | 16 +--------------
extensions/libxt_rateest.c | 21 ++-----------------
extensions/libxt_standard.c | 13 +-----------
extensions/libxt_statistic.c | 18 +----------------
extensions/libxt_string.c | 19 +-----------------
extensions/libxt_time.c | 17 +---------------
extensions/libxt_u32.c | 17 +---------------
xtables.c | 22 +++++++++++++++-----
17 files changed, 37 insertions(+), 281 deletions(-)
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index ea6cdbe..1bf9494 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -103,21 +103,7 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target classify_target = {
- .family = AF_INET,
- .name = "CLASSIFY",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)),
- .help = CLASSIFY_help,
- .parse = CLASSIFY_parse,
- .final_check = CLASSIFY_final_check,
- .print = CLASSIFY_print,
- .save = CLASSIFY_save,
- .extra_opts = CLASSIFY_opts,
-};
-
-static struct xtables_target classify_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "CLASSIFY",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
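Review bot: nothing at the `.family = AF_UNSPEC,` line in classify_target tells a reader that the value now means "any family" rather than "not set"; the rule is stated only in the commit message. A one-line comment here, or at the declaration of the .family member, would document the wildcard and the "specific family wins on equal revision" tie-break, and would keep a later contributor from re-adding the per-family copy this hunk deletes.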
@@ -134,5 +120,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&classify_target);
- xtables_register_target(&classify_target6);
}
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 2994e75..4003d26 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -333,22 +333,7 @@ static struct xtables_target mark_tg_reg_v2 = {
.version = IPTABLES_VERSION,
.name = "MARK",
.revision = 2,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
- .help = mark_tg_help,
- .parse = mark_tg_parse,
- .final_check = mark_tg_check,
- .print = mark_tg_print,
- .save = mark_tg_save,
- .extra_opts = mark_tg_opts,
-};
-
-static struct xtables_target mark_tg6_reg_v2 = {
- .version = IPTABLES_VERSION,
- .name = "MARK",
- .revision = 2,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
.help = mark_tg_help,
@@ -366,5 +351,4 @@ void _init(void)
xtables_register_target(&mark_target_v1);
xtables_register_target(&mark_target6_v0);
xtables_register_target(&mark_tg_reg_v2);
- xtables_register_target(&mark_tg6_reg_v2);
}
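Review bot: in _init() the family-specific mark_target6_v0 stays registered alongside the now generic mark_tg_reg_v2, and the commit message does not say why only revision 2 is converted. If the lower revisions genuinely differ per family, a sentence to that effect in the commit message would help the next reader; if they do not, they could be folded into AF_UNSPEC entries the same way.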
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index df16581..6918f76 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -203,23 +203,8 @@ RATEEST_save(const void *ip, const struct xt_entry_target *target)
__RATEEST_print(target, "--rateest-");
}
-static struct xtables_target rateest_target4 = {
- .family = AF_INET,
- .name = "RATEEST",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .help = RATEEST_help,
- .init = RATEEST_init,
- .parse = RATEEST_parse,
- .final_check = RATEEST_final_check,
- .print = RATEEST_print,
- .save = RATEEST_save,
- .extra_opts = RATEEST_opts,
-};
-
-static struct xtables_target rateest_target6 = {
- .family = AF_INET6,
+static struct xtables_target rateest_tg_reg = {
+ .family = AF_UNSPEC,
.name = "RATEEST",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
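Review bot: this hunk renames the structure to rateest_tg_reg while the other extensions converted in this patch keep their existing names (classify_target, secmark_target, trace_target), so the rename is unrelated to the wildcard change and makes the diff harder to compare against its siblings. Keep the old identifier here, or move the rename into a separate cleanup patch.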
@@ -236,6 +221,5 @@ static struct xtables_target rateest_target6 = {
void _init(void);
void _init(void)
{
- xtables_register_target(&rateest_target4);
- xtables_register_target(&rateest_target6);
+ xtables_register_target(&rateest_tg_reg);
}
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 5dfd21e..d143037 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -100,22 +100,7 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target secmark_target = {
- .family = AF_INET,
- .name = "SECMARK",
- .version = IPTABLES_VERSION,
- .revision = 0,
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = SECMARK_help,
- .parse = SECMARK_parse,
- .final_check = SECMARK_check,
- .print = SECMARK_print,
- .save = SECMARK_save,
- .extra_opts = SECMARK_opts,
-};
-
-static struct xtables_target secmark_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "SECMARK",
.version = IPTABLES_VERSION,
.revision = 0,
@@ -133,5 +118,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&secmark_target);
- xtables_register_target(&secmark_target6);
}
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index f1d2d94..7241f2b 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -24,17 +24,7 @@ static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags,
}
static struct xtables_target trace_target = {
- .family = AF_INET,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
- .help = TRACE_help,
- .parse = TRACE_parse,
-};
-
-static struct xtables_target trace_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "TRACE",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(0),
@@ -47,5 +37,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&trace_target);
- xtables_register_target(&trace_target6);
}
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index 8fb2150..136034c 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -125,21 +125,7 @@ static void length_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match length_match = {
- .family = AF_INET,
- .name = "length",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_length_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_length_info)),
- .help = length_help,
- .parse = length_parse,
- .final_check = length_check,
- .print = length_print,
- .save = length_save,
- .extra_opts = length_opts,
-};
-
-static struct xtables_match length_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "length",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_length_info)),
@@ -156,5 +142,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&length_match);
- xtables_register_match(&length_match6);
}
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index e93388b..da64750 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -165,21 +165,7 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match limit_match = {
- .family = AF_INET,
- .name = "limit",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateinfo)),
- .userspacesize = offsetof(struct xt_rateinfo, prev),
- .help = limit_help,
- .init = limit_init,
- .parse = limit_parse,
- .print = limit_print,
- .save = limit_save,
- .extra_opts = limit_opts,
-};
-
-static struct xtables_match limit_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "limit",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
@@ -196,5 +182,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&limit_match);
- xtables_register_match(&limit_match6);
}
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index 1e07736..e805a2b 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -149,22 +149,7 @@ mark_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match mark_match = {
- .family = AF_INET,
- .name = "mark",
- .revision = 0,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_mark_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
- .help = mark_mt_help,
- .parse = mark_parse,
- .final_check = mark_mt_check,
- .print = mark_print,
- .save = mark_save,
- .extra_opts = mark_mt_opts,
-};
-
-static struct xtables_match mark_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "mark",
.revision = 0,
.version = IPTABLES_VERSION,
@@ -182,22 +167,7 @@ static struct xtables_match mark_mt_reg = {
.version = IPTABLES_VERSION,
.name = "mark",
.revision = 1,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
- .help = mark_mt_help,
- .parse = mark_mt_parse,
- .final_check = mark_mt_check,
- .print = mark_mt_print,
- .save = mark_mt_save,
- .extra_opts = mark_mt_opts,
-};
-
-static struct xtables_match mark_mt6_reg = {
- .version = IPTABLES_VERSION,
- .name = "mark",
- .revision = 1,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.help = mark_mt_help,
@@ -212,7 +182,5 @@ void _init(void);
void _init(void)
{
xtables_register_match(&mark_match);
- xtables_register_match(&mark_match6);
xtables_register_match(&mark_mt_reg);
- xtables_register_match(&mark_mt6_reg);
}
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index 893fe43..a5cf90a 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -147,21 +147,7 @@ static void pkttype_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match pkttype_match = {
- .family = AF_INET,
- .name = "pkttype",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_pkttype_info)),
- .help = pkttype_help,
- .parse = pkttype_parse,
- .final_check = pkttype_check,
- .print = pkttype_print,
- .save = pkttype_save,
- .extra_opts = pkttype_opts,
-};
-
-static struct xtables_match pkttype_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "pkttype",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
@@ -178,5 +164,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&pkttype_match);
- xtables_register_match(&pkttype_match6);
}
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index 9ce350d..f73089d 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -78,20 +78,7 @@ quota_parse(int c, char **argv, int invert, unsigned int *flags,
}
struct xtables_match quota_match = {
- .family = AF_INET,
- .name = "quota",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof (struct xt_quota_info)),
- .userspacesize = offsetof(struct xt_quota_info, quota),
- .help = quota_help,
- .parse = quota_parse,
- .print = quota_print,
- .save = quota_save,
- .extra_opts = quota_opts,
-};
-
-struct xtables_match quota_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "quota",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_info)),
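Review bot: `quota_match` on the context line `struct xtables_match quota_match = {` is not declared `static`, unlike the `static struct xtables_match` definitions in the other extensions converted by this patch. Since this hunk already rewrites the definition, add `static` here; the only use visible in the patch is the registration call in `_init()` of the same file.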
@@ -107,5 +94,4 @@ void _init(void);
void _init(void)
{
xtables_register_match("a_match);
- xtables_register_match("a_match6);
}
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 0771fcd..69edaba 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -426,22 +426,8 @@ rateest_save(const void *ip, const struct xt_entry_match *match)
}
}
-static struct xtables_match rateest_match4 = {
- .family = AF_INET,
- .name = "rateest",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
- .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
- .help = rateest_help,
- .parse = rateest_parse,
- .final_check = rateest_final_check,
- .print = rateest_print,
- .save = rateest_save,
- .extra_opts = rateest_opts,
-};
-
-static struct xtables_match rateest_match6 = {
- .family = AF_INET6,
+static struct xtables_match rateest_mt_reg = {
+ .family = AF_UNSPEC,
.name = "rateest",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
@@ -457,6 +443,5 @@ static struct xtables_match rateest_match6 = {
void _init(void);
void _init(void)
{
- xtables_register_match(&rateest_match4);
- xtables_register_match(&rateest_match6);
+ xtables_register_match(&rateest_mt_reg);
}
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index 2417f09..68bf16d 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -24,17 +24,7 @@ static int standard_parse(int c, char **argv, int invert, unsigned int *flags,
}
static struct xtables_target standard_target = {
- .family = AF_INET,
- .name = "standard",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(int)),
- .userspacesize = XT_ALIGN(sizeof(int)),
- .help = standard_help,
- .parse = standard_parse,
-};
-
-static struct xtables_target standard_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "standard",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(int)),
@@ -47,5 +37,4 @@ void _init(void);
void _init(void)
{
xtables_register_target(&standard_target);
- xtables_register_target(&standard_target6);
}
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 5ac77b6..67cf9e3 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -164,22 +164,7 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match statistic_match = {
- .family = AF_INET,
- .name = "statistic",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_statistic_info)),
- .userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
- .init = statistic_mt_init,
- .help = statistic_help,
- .parse = statistic_parse,
- .final_check = statistic_check,
- .print = statistic_print,
- .save = statistic_save,
- .extra_opts = statistic_opts,
-};
-
-static struct xtables_match statistic_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "statistic",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
@@ -197,5 +182,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&statistic_match);
- xtables_register_match(&statistic_match6);
}
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 5be14ef..182d474 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -327,23 +327,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match string_match = {
.name = "string",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_string_info)),
- .userspacesize = offsetof(struct xt_string_info, config),
- .help = string_help,
- .init = string_init,
- .parse = string_parse,
- .final_check = string_check,
- .print = string_print,
- .save = string_save,
- .extra_opts = string_opts,
-};
-
-
-static struct xtables_match string_match6 = {
- .name = "string",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_string_info)),
.userspacesize = offsetof(struct xt_string_info, config),
@@ -360,5 +344,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&string_match);
- xtables_register_match(&string_match6);
}
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 3efc727..3a9ccd6 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -466,21 +466,7 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match time_match = {
.name = "time",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_time_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
- .help = time_help,
- .init = time_init,
- .parse = time_parse,
- .print = time_print,
- .save = time_save,
- .extra_opts = time_opts,
-};
-
-static struct xtables_match time_match6 = {
- .name = "time",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_time_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
@@ -496,5 +482,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&time_match);
- xtables_register_match(&time_match6);
}
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 1e79c57..2dff28f 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -272,20 +272,7 @@ static void u32_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match u32_match = {
.name = "u32",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_u32)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
- .help = u32_help,
- .parse = u32_parse,
- .print = u32_print,
- .save = u32_save,
- .extra_opts = u32_opts,
-};
-
-static struct xtables_match u32_match6 = {
- .name = "u32",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_u32)),
.userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
@@ -300,6 +287,4 @@ void _init(void);
void _init(void)
{
xtables_register_match(&u32_match);
- xtables_register_match(&u32_match6);
- return;
}
diff --git a/xtables.c b/xtables.c
index b26b416..21da4b5 100644
--- a/xtables.c
+++ b/xtables.c
@@ -557,12 +557,13 @@ void xtables_register_match(struct xtables_match *me)
}
/* ignore not interested match */
- if (me->family != afinfo.family)
+ if (me->family != afinfo.family && me->family != AF_UNSPEC)
return;
old = find_match(me->name, DURING_LOAD, NULL);
if (old) {
- if (old->revision == me->revision) {
+ if (old->revision == me->revision &&
+ old->family == me->family) {
fprintf(stderr,
"%s: match `%s' already registered.\n",
program_name, me->name);
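Review bot: the new `old->family == me->family` condition in the "already registered" test would benefit from a comment. The filter just above now returns for any family that is neither `afinfo.family` nor `AF_UNSPEC`, so the two families can only differ when exactly one of `old` and `me` is `AF_UNSPEC`. Stating that here makes it clear that this branch remains the hard error for true duplicates and that the mixed case is deliberately left to the code further down.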
@@ -574,10 +575,14 @@ void xtables_register_match(struct xtables_match *me)
&& old->revision > me->revision)
return;
- /* Replace if compatible. */
+ /* See if new match can be used. */
if (!compatible_match_revision(me->name, me->revision))
return;
+ /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
+ if (old->revision == me->revision && me->family == AF_UNSPEC)
+ return;
+
/* Delete old one. */
for (i = &xtables_matches; *i!=old; i = &(*i)->next);
*i = old->next;
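Review bot: the "Prefer !AF_UNSPEC over AF_UNSPEC" test sits after the `compatible_match_revision(me->name, me->revision)` call, although it only looks at `old->revision`, `me->revision` and `me->family`. Moving it above the "See if new match can be used" check gives the same outcome and skips the compatibility call for an `AF_UNSPEC` entry that is going to be dropped anyway. The comment could also state the resulting precedence in full: revision first, family-specific over `AF_UNSPEC` only on a revision tie.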
@@ -623,14 +628,15 @@ void xtables_register_target(struct xtables_target *me)
}
/* ignore not interested target */
- if (me->family != afinfo.family)
+ if (me->family != afinfo.family && me->family != AF_UNSPEC)
return;
old = find_target(me->name, DURING_LOAD);
if (old) {
struct xtables_target **i;
- if (old->revision == me->revision) {
+ if (old->revision == me->revision &&
+ old->family == me->family) {
fprintf(stderr,
"%s: target `%s' already registered.\n",
program_name, me->name);
@@ -642,10 +648,14 @@ void xtables_register_target(struct xtables_target *me)
&& old->revision > me->revision)
return;
- /* Replace if compatible. */
+ /* See if new target can be used. */
if (!compatible_target_revision(me->name, me->revision))
return;
+ /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
+ if (old->revision == me->revision && me->family == AF_UNSPEC)
+ return;
+
/* Delete old one. */
for (i = &xtables_targets; *i!=old; i = &(*i)->next);
*i = old->next;
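Review bot: the family filter, the duplicate test and the "Prefer !AF_UNSPEC" rule added to `xtables_register_target()` are line for line the same as those added to `xtables_register_match()` earlier in this file, so any later change to the precedence has to be made in two places. Consider a small shared helper that takes the revision and family of `old` and `me` and returns keep, replace or duplicate, or at least a comment in each function pointing at the other.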
--
1.5.5.rc3
* [PATCH 20/24] Change IPTABLES_VERSION to XTABLES_VERSION
2008-04-06 15:26 ` [PATCH 01/24] Fix compilation of iptables-static build Jan Engelhardt
` (17 preceding siblings ...)
2008-04-06 15:27 ` [PATCH 19/24] Implement AF_UNSPEC as a wildcard for extensions Jan Engelhardt
@ 2008-04-06 15:27 ` Jan Engelhardt
2008-04-06 15:27 ` [PATCH 21/24] libxt_recent: add missing --rsource,--rdest options to manpage Jan Engelhardt
` (4 subsequent siblings)
23 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Move the XTABLES_VERSION macro into xtables.h so that out-of-tree
extensions can be compiled and loaded without iptables throwing a
version mismatch.
---
configure.ac | 6 +++---
extensions/GNUmakefile.in | 4 +++-
extensions/libip6t_HL.c | 4 ++--
extensions/libip6t_LOG.c | 4 ++--
extensions/libip6t_REJECT.c | 2 +-
extensions/libip6t_ah.c | 4 ++--
extensions/libip6t_dst.c | 4 ++--
extensions/libip6t_eui64.c | 4 ++--
extensions/libip6t_frag.c | 4 ++--
extensions/libip6t_hbh.c | 4 ++--
extensions/libip6t_hl.c | 4 ++--
extensions/libip6t_icmp6.c | 4 ++--
| 4 ++--
extensions/libip6t_mh.c | 4 ++--
extensions/libip6t_policy.c | 4 ++--
extensions/libip6t_rt.c | 4 ++--
extensions/libipt_CLUSTERIP.c | 4 ++--
extensions/libipt_DNAT.c | 4 ++--
extensions/libipt_ECN.c | 4 ++--
extensions/libipt_LOG.c | 4 ++--
extensions/libipt_MASQUERADE.c | 4 ++--
extensions/libipt_MIRROR.c | 4 ++--
extensions/libipt_NETMAP.c | 4 ++--
extensions/libipt_REDIRECT.c | 4 ++--
extensions/libipt_REJECT.c | 2 +-
extensions/libipt_SAME.c | 4 ++--
extensions/libipt_SNAT.c | 4 ++--
extensions/libipt_TTL.c | 4 ++--
extensions/libipt_ULOG.c | 4 ++--
extensions/libipt_addrtype.c | 4 ++--
extensions/libipt_ah.c | 4 ++--
extensions/libipt_ecn.c | 4 ++--
extensions/libipt_icmp.c | 4 ++--
extensions/libipt_policy.c | 4 ++--
extensions/libipt_realm.c | 4 ++--
extensions/libipt_ttl.c | 4 ++--
extensions/libipt_unclean.c | 4 ++--
extensions/libxt_CLASSIFY.c | 4 ++--
extensions/libxt_CONNMARK.c | 10 +++++-----
extensions/libxt_CONNSECMARK.c | 6 +++---
extensions/libxt_DSCP.c | 4 ++--
extensions/libxt_MARK.c | 10 +++++-----
extensions/libxt_NFLOG.c | 6 +++---
extensions/libxt_NFQUEUE.c | 4 ++--
extensions/libxt_NOTRACK.c | 6 +++---
extensions/libxt_RATEEST.c | 4 ++--
extensions/libxt_SECMARK.c | 4 ++--
extensions/libxt_TCPMSS.c | 6 +++---
extensions/libxt_TCPOPTSTRIP.c | 4 ++--
extensions/libxt_TOS.c | 8 ++++----
extensions/libxt_TRACE.c | 4 ++--
| 4 ++--
extensions/libxt_connbytes.c | 6 +++---
extensions/libxt_connlimit.c | 6 +++---
extensions/libxt_connmark.c | 8 ++++----
extensions/libxt_conntrack.c | 6 +++---
extensions/libxt_dccp.c | 6 +++---
extensions/libxt_dscp.c | 6 +++---
extensions/libxt_esp.c | 6 +++---
extensions/libxt_hashlimit.c | 10 +++++-----
extensions/libxt_helper.c | 6 +++---
extensions/libxt_iprange.c | 6 +++---
extensions/libxt_length.c | 4 ++--
extensions/libxt_limit.c | 4 ++--
extensions/libxt_mac.c | 6 +++---
extensions/libxt_mark.c | 4 ++--
extensions/libxt_multiport.c | 12 ++++++------
extensions/libxt_owner.c | 8 ++++----
extensions/libxt_physdev.c | 6 +++---
extensions/libxt_pkttype.c | 2 +-
extensions/libxt_quota.c | 2 +-
extensions/libxt_rateest.c | 4 ++--
extensions/libxt_recent.c | 4 ++--
extensions/libxt_sctp.c | 6 +++---
extensions/libxt_standard.c | 4 ++--
extensions/libxt_state.c | 6 +++---
extensions/libxt_statistic.c | 4 ++--
extensions/libxt_string.c | 4 ++--
extensions/libxt_tcp.c | 6 +++---
extensions/libxt_tcpmss.c | 6 +++---
extensions/libxt_time.c | 4 ++--
extensions/libxt_tos.c | 6 +++---
extensions/libxt_u32.c | 4 ++--
extensions/libxt_udp.c | 6 +++---
include/{xtables.h => xtables.h.in} | 2 ++
ip6tables-restore.c | 4 ++--
ip6tables-save.c | 4 ++--
ip6tables-standalone.c | 2 +-
iptables-restore.c | 4 ++--
iptables-save.c | 4 ++--
iptables-standalone.c | 2 +-
iptables-xml.c | 4 ++--
libiptc/libiptc.c | 3 ++-
xtables.c | 2 ++
94 files changed, 223 insertions(+), 216 deletions(-)
rename include/{xtables.h => xtables.h.in} (99%)
diff --git a/configure.ac b/configure.ac
index ec0a7d0..1ac6c6b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -41,8 +41,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
- -Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
- -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
+ -Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="";
if [[ -n "$kbuilddir" ]]; then
kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
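Review bot: dropping `-DIPTABLES_VERSION=...` from `regular_CFLAGS` removes the macro for every consumer at once, including out-of-tree extensions that still spell it `IPTABLES_VERSION`, which are the users the commit message sets out to help. If `xtables.h.in` does not already carry one, a transitional `#define IPTABLES_VERSION XTABLES_VERSION` next to the new macro would keep those sources building; if the break is intended, the commit message should say so.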
@@ -55,4 +54,5 @@ AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
AC_SUBST([xtlibdir])
-AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
+AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile
+ include/xtables.h])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 31e6fb7..bef35ec 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -1,5 +1,7 @@
# -*- Makefile -*-
+top_builddir := @top_builddir@
+builddir := @builddir@
top_srcdir := @top_srcdir@
srcdir := @srcdir@
ksourcedir := @ksourcedir@
@@ -16,7 +18,7 @@ LDFLAGS := @LDFLAGS@
regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
-AM_CFLAGS := ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS := ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
ifeq (${V},)
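Review bot: `-I${top_builddir}/include` is added to `AM_CFLAGS` for the extensions only, but `include/xtables.h` is now a generated file and the diffstat as shown lists no change to the top-level `Makefile.am`. If the top-level build passes only `-I${top_srcdir}/include`, then `iptables-restore.c`, `xtables.c` and the other top-level sources touched by this patch will not find the header in an out-of-source build. Please confirm the top-level include path, or add the build directory there as well.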
diff --git a/extensions/libip6t_HL.c b/extensions/libip6t_HL.c
index 3104285..f2b5861 100644
--- a/extensions/libip6t_HL.c
+++ b/extensions/libip6t_HL.c
@@ -23,7 +23,7 @@ static void HL_help(void)
" --hl-set value Set HL to <value 0-255>\n"
" --hl-dec value Decrement HL by <value 1-255>\n"
" --hl-inc value Increment HL by <value 1-255>\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int HL_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -141,7 +141,7 @@ static const struct option HL_opts[] = {
static struct ip6tables_target hl_target6 = {
.name = "HL",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_HL_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_HL_info)),
.help = HL_help,
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index e8de148..76a7e53 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -28,7 +28,7 @@ static void LOG_help(void)
" --log-tcp-options Log TCP options.\n\n"
" --log-ip-options Log IP options.\n\n"
" --log-uid Log UID owning the local socket.\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option LOG_opts[] = {
@@ -258,7 +258,7 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
static struct ip6tables_target log_target6 = {
.name = "LOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_log_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_log_info)),
.help = LOG_help,
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index 9445534..067f2a5 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -140,7 +140,7 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
static struct ip6tables_target reject_target6 = {
.name = "REJECT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_reject_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_reject_info)),
.help = REJECT_help,
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index afebdb1..110b1fe 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -16,7 +16,7 @@ static void ah_help(void)
" --ahspi [!] spi[:spi] match spi (range)\n"
" --ahlen [!] length total length of this header\n"
" --ahres check the reserved filed, too\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option ah_opts[] = {
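Review bot: the help string on the context line just above the changed argument reads "check the reserved filed, too"; "filed" should be "field". Since this hunk already touches `ah_help()`, the typo could be fixed here or in a follow-up, together with the identical wording in the `--rt-0-res` line of `rt_help()` in libip6t_rt.c.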
@@ -195,7 +195,7 @@ static void ah_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match ah_match6 = {
.name = "ah",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_ah)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ah)),
.help = ah_help,
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 1333418..6cbf9cd 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -19,7 +19,7 @@ static void dst_help(void)
" --dst-len [!] length total length of this header\n"
" --dst-opts TYPE[:LEN][,TYPE[:LEN]...]\n"
" Options and its length (list, max: %d)\n",
-IPTABLES_VERSION, IP6T_OPTS_OPTSNR);
+XTABLES_VERSION, IP6T_OPTS_OPTSNR);
}
static const struct option dst_opts[] = {
@@ -229,7 +229,7 @@ static void dst_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match dst_match6 = {
.name = "dst",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.help = dst_help,
diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c
index 7739e30..51bbaf8 100644
--- a/extensions/libip6t_eui64.c
+++ b/extensions/libip6t_eui64.c
@@ -18,7 +18,7 @@ static void eui64_help(void)
"eui64 v%s options:\n"
" This module hasn't got any option\n"
" This module checks for EUI64 IPv6 addresses\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -31,7 +31,7 @@ static int eui64_parse(int c, char **argv, int invert, unsigned int *flags,
static struct ip6tables_match eui64_target6 = {
.name = "eui64",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(int)),
.userspacesize = IP6T_ALIGN(sizeof(int)),
.help = eui64_help,
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 834dd06..8ed20d9 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -19,7 +19,7 @@ static void frag_help(void)
" --fragfirst matches on the first fragment\n"
" [--fragmore|--fraglast] there are more fragments or this\n"
" is the last one\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option frag_opts[] = {
@@ -240,7 +240,7 @@ static void frag_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match frag_match6 = {
.name = "frag",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_frag)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_frag)),
.help = frag_help,
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 7ca2b69..ac837ac 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -22,7 +22,7 @@ static void hbh_help(void)
" --hbh-len [!] length total length of this header\n"
" --hbh-opts TYPE[:LEN][,TYPE[:LEN]...] \n"
" Options and its length (list, max: %d)\n",
-IPTABLES_VERSION, IP6T_OPTS_OPTSNR);
+XTABLES_VERSION, IP6T_OPTS_OPTSNR);
}
static const struct option hbh_opts[] = {
@@ -216,7 +216,7 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match hbh_match6 = {
.name = "hbh",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_opts)),
.help = hbh_help,
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_hl.c
index d2616b8..02c980d 100644
--- a/extensions/libip6t_hl.c
+++ b/extensions/libip6t_hl.c
@@ -22,7 +22,7 @@ static void hl_help(void)
" --hl-eq [!] value Match hop limit value\n"
" --hl-lt value Match HL < value\n"
" --hl-gt value Match HL > value\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int hl_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -127,7 +127,7 @@ static const struct option hl_opts[] = {
static struct ip6tables_match hl_match6 = {
.name = "hl",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
.help = hl_help,
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index d9bc785..3e8cc37 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -80,7 +80,7 @@ static void icmp6_help(void)
"ICMPv6 v%s options:\n"
" --icmpv6-type [!] typename match icmpv6 type\n"
" (or numeric type or type/code)\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
print_icmpv6types();
}
@@ -253,7 +253,7 @@ static void icmp6_check(unsigned int flags)
static struct ip6tables_match icmp6_match6 = {
.name = "icmp6",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
.help = icmp6_help,
--git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index 05835ac..7ca50ad 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -144,7 +144,7 @@ static void ipv6header_help(void)
" ipv6-frag,ah,esp,ipv6-nonxt,protocol\n"
" numbers: 0,60,43,44,51,50,59\n"
"--soft The header CONTAINS the specified extensions\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option ipv6header_opts[] = {
@@ -288,7 +288,7 @@ static void ipv6header_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match ipv6header_match6 = {
.name = "ipv6header",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info)),
.help = ipv6header_help,
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index fd3f452..e91a5ad 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -63,7 +63,7 @@ static void mh_help(void)
printf(
"MH v%s options:\n"
" --mh-type [!] type[:type] match mh type\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
print_types_all();
}
@@ -225,7 +225,7 @@ static const struct option mh_opts[] = {
static struct ip6tables_match mh_match6 = {
.name = "mh",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_mh)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mh)),
.help = mh_help,
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index 4c2f405..6cf987d 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -38,7 +38,7 @@ static void policy_help(void)
"[!] --tunnel-src addr/masklen match tunnel source\n"
"[!] --tunnel-dst addr/masklen match tunnel destination\n"
" --next begin next element in policy\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option policy_opts[] =
@@ -445,7 +445,7 @@ static void policy_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match policy_match6 = {
.name = "policy",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_policy_info)),
.help = policy_help,
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 33d282f..d33e76d 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -25,7 +25,7 @@ static void rt_help(void)
" --rt-0-res check the reserved filed, too (type 0)\n"
" --rt-0-addrs ADDR[,ADDR...] Type=0 addresses (list, max: %d)\n"
" --rt-0-not-strict List of Type=0 addresses not a strict list\n",
-IPTABLES_VERSION, IP6T_RT_HOPS);
+XTABLES_VERSION, IP6T_RT_HOPS);
}
static const struct option rt_opts[] = {
@@ -331,7 +331,7 @@ static void rt_save(const void *ip, const struct xt_entry_match *match)
static struct ip6tables_match rt_match6 = {
.name = "rt",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IP6T_ALIGN(sizeof(struct ip6t_rt)),
.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rt)),
.help = rt_help,
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 2314185..dca9a86 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -33,7 +33,7 @@ static void CLUSTERIP_help(void)
" --local-node <num> Set the local node number\n"
" --hash-init <num> Set init value of the Jenkins hash\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
#define PARAM_NEW 0x0001
@@ -237,7 +237,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target clusterip_target = {
.name = "CLUSTERIP",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
.userspacesize = offsetof(struct ipt_clusterip_tgt_info, config),
.help = CLUSTERIP_help,
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index a0dbfc5..a98a875 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -28,7 +28,7 @@ static void DNAT_help(void)
" Address to map destination to.\n"
"[--random]\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option DNAT_opts[] = {
@@ -245,7 +245,7 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target dnat_target = {
.name = "DNAT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = DNAT_help,
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 8335cca..b216307 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -22,7 +22,7 @@ static void ECN_help(void)
printf(
"ECN target v%s options\n"
" --ecn-tcp-remove Remove all ECN bits from TCP header\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
#if 0
@@ -155,7 +155,7 @@ static void ECN_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target ecn_target = {
.name = "ECN",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ECN_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ECN_info)),
.help = ECN_help,
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 8287d95..d59d22b 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -28,7 +28,7 @@ static void LOG_help(void)
" --log-tcp-options Log TCP options.\n\n"
" --log-ip-options Log IP options.\n\n"
" --log-uid Log UID owning the local socket.\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option LOG_opts[] = {
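Review bot: The three option lines in the context above the change (--log-tcp-options, --log-ip-options, --log-uid) each end in `\n\n`, which prints a blank line after every option, while the other help texts in this patch end their option lines with a single `\n`. Worth normalizing in a follow-up, keeping `\n\n` only on the last line if a trailing blank line is wanted.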
@@ -260,7 +260,7 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target log_target = {
.name = "LOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_log_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_log_info)),
.help = LOG_help,
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index c0c519d..671e278 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -19,7 +19,7 @@ static void MASQUERADE_help(void)
" Randomize source port.\n"
"\n"
,
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option MASQUERADE_opts[] = {
@@ -153,7 +153,7 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target masquerade_target = {
.name = "MASQUERADE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = MASQUERADE_help,
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
index 8506eff..cde04a4 100644
--- a/extensions/libipt_MIRROR.c
+++ b/extensions/libipt_MIRROR.c
@@ -12,7 +12,7 @@ static void MIRROR_help(void)
{
printf(
"MIRROR target v%s takes no options\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -25,7 +25,7 @@ static int MIRROR_parse(int c, char **argv, int invert, unsigned int *flags,
static struct iptables_target mirror_target = {
.name = "MIRROR",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(0),
.userspacesize = IPT_ALIGN(0),
.help = MIRROR_help,
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index 0043cca..9bf779d 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -24,7 +24,7 @@ static void NETMAP_help(void)
printf(MODULENAME" v%s options:\n"
" --%s address[/mask]\n"
" Network address to map to.\n\n",
- IPTABLES_VERSION, NETMAP_opts[0].name);
+ XTABLES_VERSION, NETMAP_opts[0].name);
}
static u_int32_t
@@ -172,7 +172,7 @@ static void NETMAP_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target netmap_target = {
.name = MODULENAME,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = NETMAP_help,
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 0bcc9dd..116b577 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -18,7 +18,7 @@ static void REDIRECT_help(void)
"REDIRECT v%s options:\n"
" --to-ports <port>[-<port>]\n"
" Port (range) to map to.\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option REDIRECT_opts[] = {
@@ -159,7 +159,7 @@ static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target redirect_target = {
.name = "REDIRECT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = REDIRECT_help,
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index aa139fd..2824a1a 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -159,7 +159,7 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target reject_target = {
.name = "REJECT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_reject_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_reject_info)),
.help = REJECT_help,
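Review bot: libipt_REJECT.c gets only this one hunk, at `.version` in reject_target, while most other extensions in the patch also get a hunk in their help function. Please confirm REJECT_help() has no remaining IPTABLES_VERSION reference; a grep for the old name across extensions/ after applying the series would settle it for this file and for the others that receive struct-only hunks (libxt_DSCP.c, libxt_NFQUEUE.c, libxt_TCPOPTSTRIP.c).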
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index 9d58bf0..226cecf 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -25,7 +25,7 @@ static void SAME_help(void)
" --random\n"
" Randomize source port\n"
,
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option SAME_opts[] = {
@@ -210,7 +210,7 @@ static void SAME_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target same_target = {
.name = "SAME",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_same_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_same_info)),
.help = SAME_help,
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 9a553cd..ea998c2 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -28,7 +28,7 @@ static void SNAT_help(void)
" Address to map source to.\n"
"[--random]\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option SNAT_opts[] = {
@@ -246,7 +246,7 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target)
static struct iptables_target snat_target = {
.name = "SNAT",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
.help = SNAT_help,
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index e19c3a0..34991cf 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -23,7 +23,7 @@ static void TTL_help(void)
" --ttl-set value Set TTL to <value 0-255>\n"
" --ttl-dec value Decrement TTL by <value 1-255>\n"
" --ttl-inc value Increment TTL by <value 1-255>\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int TTL_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -142,7 +142,7 @@ static const struct option TTL_opts[] = {
static struct iptables_target ttl_target = {
.next = NULL,
.name = "TTL",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_TTL_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_TTL_info)),
.help = TTL_help,
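Review bot: Style point on the context line `.next = NULL,` at the top of ttl_target: members of a static object that are not named in the initializer are already zero-initialized, and none of the other registration structs in this patch spell it out. Since this initializer is being touched anyway, the line could be dropped here or in a follow-up cleanup.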
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 10301f0..925d62b 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -41,7 +41,7 @@ static void ULOG_help(void)
" --ulog-cprange size Bytes of each packet to be passed\n"
" --ulog-qthreshold Threshold of in-kernel queue\n"
" --ulog-prefix prefix Prefix log messages with this prefix.\n\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option ULOG_opts[] = {
@@ -188,7 +188,7 @@ static void ULOG_print(const void *ip, const struct xt_entry_target *target,
static struct iptables_target ulog_target = {
.name = "ULOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ulog_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ulog_info)),
.help = ULOG_help,
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index 02752d3..388467f 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -44,7 +44,7 @@ static void addrtype_help(void)
" [!] --dst-type type[,...] Match destination address type\n"
"\n"
"Valid types: \n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
addrtype_help_types();
}
@@ -185,7 +185,7 @@ static const struct option addrtype_opts[] = {
static struct iptables_match addrtype_match = {
.name = "addrtype",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
.help = addrtype_help,
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index 5d9ab6c..92e412f 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -15,7 +15,7 @@ static void ah_help(void)
"AH v%s options:\n"
" --ahspi [!] spi[:spi]\n"
" match spi (range)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option ah_opts[] = {
@@ -158,7 +158,7 @@ static void ah_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match ah_match = {
.name = "ah",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ah)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ah)),
.help = ah_help,
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_ecn.c
index 5c0428d..44a3c22 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_ecn.c
@@ -23,7 +23,7 @@ static void ecn_help(void)
"[!] --ecn-tcp-cwr Match CWR bit of TCP header\n"
"[!] --ecn-tcp-ece Match ECE bit of TCP header\n"
"[!] --ecn-ip-ect [0..3] Match ECN codepoint in IPv4 header\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option ecn_opts[] = {
@@ -146,7 +146,7 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match ecn_match = {
.name = "ecn",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
.help = ecn_help,
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index df57a5e..69c0347 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -104,7 +104,7 @@ static void icmp_help(void)
"ICMP v%s options:\n"
" --icmp-type [!] typename match icmp type\n"
" (or numeric type or type/code)\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
print_icmptypes();
}
@@ -276,7 +276,7 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match icmp_match = {
.name = "icmp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_icmp)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_icmp)),
.help = icmp_help,
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index cdef750..e320017 100644
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -37,7 +37,7 @@ static void policy_help(void)
"[!] --tunnel-src addr/mask match tunnel source\n"
"[!] --tunnel-dst addr/mask match tunnel destination\n"
" --next begin next element in policy\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option policy_opts[] =
@@ -410,7 +410,7 @@ static void policy_save(const void *ip, const struct xt_entry_match *match)
static struct iptables_match policy_match = {
.name = "policy",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_policy_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_policy_info)),
.help = policy_help,
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index 73444de..6795dd4 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -21,7 +21,7 @@ static void realm_help(void)
"realm v%s options:\n"
" --realm [!] value[/mask]\n"
" Match realm\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option realm_opts[] = {
@@ -245,7 +245,7 @@ static void realm_check(unsigned int flags)
static struct iptables_match realm_match = {
.name = "realm",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_realm_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_realm_info)),
.help = realm_help,
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index d358dfc..feee70b 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -21,7 +21,7 @@ static void ttl_help(void)
" --ttl-eq value Match time to live value\n"
" --ttl-lt value Match TTL < value\n"
" --ttl-gt value Match TTL > value\n"
-, IPTABLES_VERSION);
+, XTABLES_VERSION);
}
static int ttl_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -150,7 +150,7 @@ static const struct option ttl_opts[] = {
static struct iptables_match ttl_match = {
.name = "ttl",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_ttl_info)),
.userspacesize = IPT_ALIGN(sizeof(struct ipt_ttl_info)),
.help = ttl_help,
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
index 9956c1a..b15d62f 100644
--- a/extensions/libipt_unclean.c
+++ b/extensions/libipt_unclean.c
@@ -9,7 +9,7 @@ static void unclean_help(void)
{
printf(
"unclean v%s takes no options\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -22,7 +22,7 @@ static int unclean_parse(int c, char **argv, int invert, unsigned int *flags,
static struct iptables_match unclean_match = {
.name = "unclean",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = IPT_ALIGN(0),
.userspacesize = IPT_ALIGN(0),
.help = unclean_help,
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index 1bf9494..e8506fe 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -18,7 +18,7 @@ CLASSIFY_help(void)
"CLASSIFY target v%s options:\n"
" --set-class [MAJOR:MINOR] Set skb->priority value\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option CLASSIFY_opts[] = {
@@ -105,7 +105,7 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target classify_target = {
.family = AF_UNSPEC,
.name = "CLASSIFY",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)),
.help = CLASSIFY_help,
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 73f8214..a064d72 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -42,7 +42,7 @@ static void CONNMARK_help(void)
" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
" --restore-mark [--mask mask] Restore saved nfmark value\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option CONNMARK_opts[] = {
@@ -410,7 +410,7 @@ static struct xtables_target connmark_target = {
.family = AF_INET,
.name = "CONNMARK",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.help = CONNMARK_help,
@@ -426,7 +426,7 @@ static struct xtables_target connmark_target6 = {
.family = AF_INET6,
.name = "CONNMARK",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.help = CONNMARK_help,
@@ -439,7 +439,7 @@ static struct xtables_target connmark_target6 = {
};
static struct xtables_target connmark_tg_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "CONNMARK",
.revision = 1,
.family = AF_INET,
@@ -455,7 +455,7 @@ static struct xtables_target connmark_tg_reg = {
};
static struct xtables_target connmark_tg6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "CONNMARK",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c
index 779594f..4d9a682 100644
--- a/extensions/libxt_CONNSECMARK.c
+++ b/extensions/libxt_CONNSECMARK.c
@@ -21,7 +21,7 @@ static void CONNSECMARK_help(void)
" --save Copy security mark from packet to conntrack\n"
" --restore Copy security mark from connection to packet\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option CONNSECMARK_opts[] = {
@@ -111,7 +111,7 @@ CONNSECMARK_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target connsecmark_target = {
.family = AF_INET,
.name = "CONNSECMARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
@@ -126,7 +126,7 @@ static struct xtables_target connsecmark_target = {
static struct xtables_target connsecmark_target6 = {
.family = AF_INET6,
.name = "CONNSECMARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c
index 3a99b33..7012647 100644
--- a/extensions/libxt_DSCP.c
+++ b/extensions/libxt_DSCP.c
@@ -135,7 +135,7 @@ static void DSCP_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target dscp_target = {
.family = AF_INET,
.name = "DSCP",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.help = DSCP_help,
@@ -149,7 +149,7 @@ static struct xtables_target dscp_target = {
static struct xtables_target dscp_target6 = {
.family = AF_INET6,
.name = "DSCP",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)),
.help = DSCP_help,
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 4003d26..167db21 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -22,7 +22,7 @@ static void MARK_help(void)
" --and-mark value Binary AND the nfmark with value\n"
" --or-mark value Binary OR the nfmark with value\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option MARK_opts[] = {
@@ -287,7 +287,7 @@ static void mark_tg_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target mark_target_v0 = {
.family = AF_INET,
.name = "MARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_mark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)),
@@ -302,7 +302,7 @@ static struct xtables_target mark_target_v0 = {
static struct xtables_target mark_target_v1 = {
.family = AF_INET,
.name = "MARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)),
@@ -317,7 +317,7 @@ static struct xtables_target mark_target_v1 = {
static struct xtables_target mark_target6_v0 = {
.family = AF_INET6,
.name = "MARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_mark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)),
@@ -330,7 +330,7 @@ static struct xtables_target mark_target6_v0 = {
};
static struct xtables_target mark_tg_reg_v2 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "MARK",
.revision = 2,
.family = AF_UNSPEC,
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index 4b6c5a9..e343ee6 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -29,7 +29,7 @@ static void NFLOG_help(void)
" --nflog-range NUM Number of byte to copy\n"
" --nflog-threshold NUM Message threshold of in-kernel queue\n"
" --nflog-prefix STRING Prefix string for log messages\n\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static void NFLOG_init(struct xt_entry_target *t)
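Review bot: Typo in the help text on the context line for --nflog-range: "Number of byte to copy" should read "Number of bytes to copy". It is outside what this hunk changes, so a separate one-line fix is fine.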
@@ -142,7 +142,7 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target nflog_target = {
.family = AF_INET,
.name = "NFLOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nflog_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
.help = NFLOG_help,
@@ -156,7 +156,7 @@ static struct xtables_target nflog_target = {
static struct xtables_target nflog_target6 = {
.family = AF_INET6,
.name = "NFLOG",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nflog_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)),
.help = NFLOG_help,
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 287c1c8..58fb881 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -83,7 +83,7 @@ static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target nfqueue_target = {
.family = AF_INET,
.name = "NFQUEUE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.help = NFQUEUE_help,
@@ -96,7 +96,7 @@ static struct xtables_target nfqueue_target = {
static struct xtables_target nfqueue_target6 = {
.family = AF_INET6,
.name = "NFQUEUE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)),
.help = NFQUEUE_help,
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
index cb6bd1e..f613369 100644
--- a/extensions/libxt_NOTRACK.c
+++ b/extensions/libxt_NOTRACK.c
@@ -12,7 +12,7 @@ static void NOTRACK_help(void)
{
printf(
"NOTRACK target v%s takes no options\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -27,7 +27,7 @@ NOTRACK_parse(int c, char **argv, int invert, unsigned int *flags,
static struct xtables_target notrack_target = {
.family = AF_INET,
.name = "NOTRACK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = NOTRACK_help,
@@ -37,7 +37,7 @@ static struct xtables_target notrack_target = {
static struct xtables_target notrack_target6 = {
.family = AF_INET6,
.name = "NOTRACK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = NOTRACK_help,
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 6918f76..cee9c82 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -23,7 +23,7 @@ RATEEST_help(void)
" --rateest-interval sec Rate measurement interval in seconds\n"
" --rateest-ewmalog value Rate measurement averaging time constant\n"
"\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
enum RATEEST_options {
@@ -206,7 +206,7 @@ RATEEST_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target rateest_tg_reg = {
.family = AF_UNSPEC,
.name = "RATEEST",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
.help = RATEEST_help,
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index d143037..a71d028 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -20,7 +20,7 @@ static void SECMARK_help(void)
"SECMARK target v%s options:\n"
" --selctx value Set the SELinux security context\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option SECMARK_opts[] = {
@@ -102,7 +102,7 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target secmark_target = {
.family = AF_UNSPEC,
.name = "SECMARK",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
diff --git a/extensions/libxt_TCPMSS.c b/extensions/libxt_TCPMSS.c
index f4a45c3..9b9602b 100644
--- a/extensions/libxt_TCPMSS.c
+++ b/extensions/libxt_TCPMSS.c
@@ -23,7 +23,7 @@ static void __TCPMSS_help(int hdrsize)
"TCPMSS target v%s mutually-exclusive options:\n"
" --set-mss value explicitly set MSS option to specified value\n"
" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - %d)\n",
-IPTABLES_VERSION, hdrsize);
+XTABLES_VERSION, hdrsize);
}
static void TCPMSS_help(void)
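Review bot: Naming point on the function this hunk sits in, `__TCPMSS_help(int hdrsize)`: identifiers that begin with two underscores are reserved for the C implementation. The rename does not introduce it, but since the function is static a follow-up could give it an unreserved name (TCPMSS_help_hdr, as a suggestion) without touching any other file.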
@@ -126,7 +126,7 @@ static void TCPMSS_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target tcpmss_target = {
.family = AF_INET,
.name = "TCPMSS",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.help = TCPMSS_help,
@@ -140,7 +140,7 @@ static struct xtables_target tcpmss_target = {
static struct xtables_target tcpmss_target6 = {
.family = AF_INET6,
.name = "TCPMSS",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
.help = TCPMSS_help6,
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index 22e921a..0318421 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -176,7 +176,7 @@ tcpoptstrip_tg_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target tcpoptstrip_tg_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TCPOPTSTRIP",
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
@@ -191,7 +191,7 @@ static struct xtables_target tcpoptstrip_tg_reg = {
};
static struct xtables_target tcpoptstrip_tg6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TCPOPTSTRIP",
.family = AF_INET6,
.size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c
index dfc7af7..bf94916 100644
--- a/extensions/libxt_TOS.c
+++ b/extensions/libxt_TOS.c
@@ -59,7 +59,7 @@ static void tos_tg_help(void)
" --set-tos symbol Set TOS field (IPv4 only) by symbol\n"
" (this zeroes the 4-bit Precedence part!)\n"
" Accepted symbolic names for value are:\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
printf(" (0x%02x) %2u %s\n",
@@ -205,7 +205,7 @@ static void tos_tg_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target tos_tg_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TOS",
.revision = 0,
.family = AF_INET,
@@ -220,7 +220,7 @@ static struct xtables_target tos_tg_reg_v0 = {
};
static struct xtables_target tos_tg_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TOS",
.revision = 1,
.family = AF_INET,
@@ -235,7 +235,7 @@ static struct xtables_target tos_tg_reg = {
};
static struct xtables_target tos_tg6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "TOS",
.family = AF_INET6,
.revision = 1,
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index 7241f2b..4b13ed4 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -12,7 +12,7 @@ static void TRACE_help(void)
{
printf(
"TRACE target v%s takes no options\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -26,7 +26,7 @@ static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags,
static struct xtables_target trace_target = {
.family = AF_UNSPEC,
.name = "TRACE",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.help = TRACE_help,
--git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 8ae77fc..b16c721 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -96,7 +96,7 @@ comment_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match comment_match = {
.family = AF_INET,
.name = "comment",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_comment_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)),
.help = comment_help,
@@ -110,7 +110,7 @@ static struct xtables_match comment_match = {
static struct xtables_match comment_match6 = {
.family = AF_INET6,
.name = "comment",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_comment_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)),
.help = comment_help,
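Review bot: comment_match and comment_match6 differ only in `.family` in the lines shown here (same `.name`, `.size`, `.userspacesize` and `.help`), so the rename has to be made twice. CLASSIFY and TRACE in this same patch register a single struct with `.family = AF_UNSPEC`; is there a reason comment cannot do the same? If not, a follow-up could drop the duplicate registration.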
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index 9fd5a47..f0e0152 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -16,7 +16,7 @@ static void connbytes_help(void)
" [!] --connbytes from:[to]\n"
" --connbytes-dir [original, reply, both]\n"
" --connbytes-mode [packets, bytes, avgpkt]\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option connbytes_opts[] = {
@@ -188,7 +188,7 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match connbytes_match = {
.family = AF_INET,
.name = "connbytes",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.help = connbytes_help,
@@ -202,7 +202,7 @@ static struct xtables_match connbytes_match = {
static struct xtables_match connbytes_match6 = {
.family = AF_INET6,
.name = "connbytes",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
.help = connbytes_help,
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index 2b4d3d5..19f46a7 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -15,7 +15,7 @@ static void connlimit_help(void)
"[!] --connlimit-above n match if the number of existing "
" connections is (not) above n\n"
" --connlimit-mask n group hosts using mask\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option connlimit_opts[] = {
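Review bot: In the help text above the changed line, the literal ending in "existing " carries no `\n`, so it and the following literal " connections is (not) above n\n" are concatenated into one output line. If the second literal was meant as a wrapped continuation, the first needs a `\n`; if a single line was intended, the leading padding in the second literal can go. The rename does not cause this, so a separate fix is fine.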
@@ -181,7 +181,7 @@ static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
static struct xtables_match connlimit_match = {
.name = "connlimit",
.family = AF_INET,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connlimit_info)),
.userspacesize = offsetof(struct xt_connlimit_info, data),
.help = connlimit_help,
@@ -196,7 +196,7 @@ static struct xtables_match connlimit_match = {
static struct xtables_match connlimit_match6 = {
.name = "connlimit",
.family = AF_INET6,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connlimit_info)),
.userspacesize = offsetof(struct xt_connlimit_info, data),
.help = connlimit_help,
diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
index dd43359..912f053 100644
--- a/extensions/libxt_connmark.c
+++ b/extensions/libxt_connmark.c
@@ -172,7 +172,7 @@ static struct xtables_match connmark_mt_reg_v0 = {
.family = AF_INET,
.name = "connmark",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
.help = connmark_mt_help,
@@ -187,7 +187,7 @@ static struct xtables_match connmark_mt6_reg_v0 = {
.family = AF_INET6,
.name = "connmark",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
.help = connmark_mt_help,
@@ -199,7 +199,7 @@ static struct xtables_match connmark_mt6_reg_v0 = {
};
static struct xtables_match connmark_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "connmark",
.revision = 1,
.family = AF_INET,
@@ -214,7 +214,7 @@ static struct xtables_match connmark_mt_reg = {
};
static struct xtables_match connmark_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "connmark",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index d5f1be7..fc2ba42 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1017,7 +1017,7 @@ static void conntrack_mt6_save(const void *ip,
}
static struct xtables_match conntrack_match = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "conntrack",
.revision = 0,
.family = AF_INET,
@@ -1032,7 +1032,7 @@ static struct xtables_match conntrack_match = {
};
static struct xtables_match conntrack_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "conntrack",
.revision = 1,
.family = AF_INET,
@@ -1047,7 +1047,7 @@ static struct xtables_match conntrack_mt_reg = {
};
static struct xtables_match conntrack_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "conntrack",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index d21de16..97daf4a 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -41,7 +41,7 @@ static void dccp_help(void)
" --destination-port [!] port[:port] match destination port(s)\n"
" --dport ...\n"
,
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option dccp_opts[] = {
@@ -342,7 +342,7 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match dccp_match = {
.name = "dccp",
.family = AF_INET,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dccp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)),
.help = dccp_help,
@@ -356,7 +356,7 @@ static struct xtables_match dccp_match = {
static struct xtables_match dccp_match6 = {
.name = "dccp",
.family = AF_INET6,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dccp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)),
.help = dccp_help,
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 75941ab..97dafac 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -35,7 +35,7 @@ static void dscp_help(void)
" be any of the BE,EF, AFxx or CSx classes\n"
"\n"
" These two options are mutually exclusive !\n"
- , IPTABLES_VERSION
+ , XTABLES_VERSION
);
}
@@ -149,7 +149,7 @@ static void dscp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match dscp_match = {
.family = AF_INET,
.name = "dscp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dscp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
.help = dscp_help,
@@ -163,7 +163,7 @@ static struct xtables_match dscp_match = {
static struct xtables_match dscp_match6 = {
.family = AF_INET6,
.name = "dscp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_dscp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
.help = dscp_help,
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index b20999d..45b2c8b 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -15,7 +15,7 @@ static void esp_help(void)
"ESP v%s options:\n"
" --espspi [!] spi[:spi]\n"
" match spi (range)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option esp_opts[] = {
@@ -156,7 +156,7 @@ static void esp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match esp_match = {
.family = AF_INET,
.name = "esp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_esp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
.help = esp_help,
@@ -170,7 +170,7 @@ static struct xtables_match esp_match = {
static struct xtables_match esp_match6 = {
.family = AF_INET6,
.name = "esp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_esp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
.help = esp_help,
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index e430f93..3445c9d 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -42,7 +42,7 @@ static void hashlimit_help(void)
"[--hashlimit-htable-max <num>] number of hashtable entries\n"
"[--hashlimit-htable-gcinterval] interval between garbage collection runs\n"
"[--hashlimit-htable-expire] after which time are idle entries expired?\n"
-"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
+"\n", XTABLES_VERSION, XT_HASHLIMIT_BURST);
}
static void hashlimit_mt_help(void)
@@ -671,7 +671,7 @@ hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match hashlimit_match = {
.family = AF_INET,
.name = "hashlimit",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
@@ -687,7 +687,7 @@ static struct xtables_match hashlimit_match = {
static struct xtables_match hashlimit_match6 = {
.family = AF_INET6,
.name = "hashlimit",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
@@ -701,7 +701,7 @@ static struct xtables_match hashlimit_match6 = {
};
static struct xtables_match hashlimit_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "hashlimit",
.revision = 1,
.family = AF_INET,
@@ -717,7 +717,7 @@ static struct xtables_match hashlimit_mt_reg = {
};
static struct xtables_match hashlimit_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "hashlimit",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 4ce1d4b..a028bbc 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -15,7 +15,7 @@ static void helper_help(void)
"helper match v%s options:\n"
"[!] --helper string Match helper identified by string\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option helper_opts[] = {
@@ -79,7 +79,7 @@ static void helper_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match helper_match = {
.family = AF_INET,
.name = "helper",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_helper_info)),
.help = helper_help,
.parse = helper_parse,
@@ -92,7 +92,7 @@ static struct xtables_match helper_match = {
static struct xtables_match helper_match6 = {
.family = AF_INET6,
.name = "helper",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_helper_info)),
.help = helper_help,
.parse = helper_parse,
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 54d7d9c..f0c4f5b 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -339,7 +339,7 @@ static void iprange_mt6_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match iprange_match = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "iprange",
.revision = 0,
.family = AF_INET,
@@ -354,7 +354,7 @@ static struct xtables_match iprange_match = {
};
static struct xtables_match iprange_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "iprange",
.revision = 1,
.family = AF_INET,
@@ -369,7 +369,7 @@ static struct xtables_match iprange_mt_reg = {
};
static struct xtables_match iprange_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "iprange",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index 136034c..ae64942 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -15,7 +15,7 @@ static void length_help(void)
"length v%s options:\n"
"[!] --length length[:length] Match packet length against value or range\n"
" of values (inclusive)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
@@ -127,7 +127,7 @@ static void length_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match length_match = {
.family = AF_UNSPEC,
.name = "length",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_length_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_length_info)),
.help = length_help,
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index da64750..6898758 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -26,7 +26,7 @@ static void limit_help(void)
" [Packets per second unless followed by \n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n"
-"\n", IPTABLES_VERSION, XT_LIMIT_BURST);
+"\n", XTABLES_VERSION, XT_LIMIT_BURST);
}
static const struct option limit_opts[] = {
@@ -167,7 +167,7 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match limit_match = {
.family = AF_UNSPEC,
.name = "limit",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
.userspacesize = offsetof(struct xt_rateinfo, prev),
.help = limit_help,
diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
index 112ac5b..9b76a9a 100644
--- a/extensions/libxt_mac.c
+++ b/extensions/libxt_mac.c
@@ -19,7 +19,7 @@ static void mac_help(void)
"MAC v%s options:\n"
" --mac-source [!] XX:XX:XX:XX:XX:XX\n"
" Match source MAC address\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option mac_opts[] = {
@@ -118,7 +118,7 @@ static void mac_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match mac_match = {
.family = AF_INET,
.name = "mac",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mac_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)),
.help = mac_help,
@@ -132,7 +132,7 @@ static struct xtables_match mac_match = {
static struct xtables_match mac_match6 = {
.family = AF_INET6,
.name = "mac",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mac_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)),
.help = mac_help,
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index e805a2b..be66169 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -152,7 +152,7 @@ static struct xtables_match mark_match = {
.family = AF_UNSPEC,
.name = "mark",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
.help = mark_mt_help,
@@ -164,7 +164,7 @@ static struct xtables_match mark_match = {
};
static struct xtables_match mark_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "mark",
.revision = 1,
.family = AF_UNSPEC,
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 7b96e6c..7d3c122 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -25,7 +25,7 @@ static void multiport_help(void)
" --ports port[,port,port]\n"
" match both source and destination port(s)\n"
" NOTE: this kernel does not support port ranges in multiport.\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static void multiport_help_v1(void)
@@ -40,7 +40,7 @@ static void multiport_help_v1(void)
" match destination port(s)\n"
" --ports [!] port[,port:port,port]\n"
" match both source and destination port(s)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option multiport_opts[] = {
@@ -513,7 +513,7 @@ static struct xtables_match multiport_match = {
.family = AF_INET,
.name = "multiport",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_multiport)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
.help = multiport_help,
@@ -528,7 +528,7 @@ static struct xtables_match multiport_match6 = {
.family = AF_INET6,
.name = "multiport",
.revision = 0,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_multiport)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
.help = multiport_help,
@@ -542,7 +542,7 @@ static struct xtables_match multiport_match6 = {
static struct xtables_match multiport_match_v1 = {
.family = AF_INET,
.name = "multiport",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)),
@@ -557,7 +557,7 @@ static struct xtables_match multiport_match_v1 = {
static struct xtables_match multiport_match6_v1 = {
.family = AF_INET6,
.name = "multiport",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)),
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index 18f3d9a..221fdaf 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -532,7 +532,7 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match owner_mt_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 0,
.family = AF_INET,
@@ -547,7 +547,7 @@ static struct xtables_match owner_mt_reg_v0 = {
};
static struct xtables_match owner_mt6_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 0,
.family = AF_INET6,
@@ -562,7 +562,7 @@ static struct xtables_match owner_mt6_reg_v0 = {
};
static struct xtables_match owner_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 1,
.family = AF_INET,
@@ -577,7 +577,7 @@ static struct xtables_match owner_mt_reg = {
};
static struct xtables_match owner_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "owner",
.revision = 1,
.family = AF_INET6,
diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
index 6b5fe20..ceb42a7 100644
--- a/extensions/libxt_physdev.c
+++ b/extensions/libxt_physdev.c
@@ -21,7 +21,7 @@ static void physdev_help(void)
" [!] --physdev-is-in arrived on a bridge device\n"
" [!] --physdev-is-out will leave on a bridge device\n"
" [!] --physdev-is-bridged it's a bridged packet\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option physdev_opts[] = {
@@ -165,7 +165,7 @@ static void physdev_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match physdev_match = {
.family = AF_INET,
.name = "physdev",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_physdev_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)),
.help = physdev_help,
@@ -179,7 +179,7 @@ static struct xtables_match physdev_match = {
static struct xtables_match physdev_match6 = {
.family = AF_INET6,
.name = "physdev",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_physdev_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)),
.help = physdev_help,
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index a5cf90a..ab41867 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -149,7 +149,7 @@ static void pkttype_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match pkttype_match = {
.family = AF_UNSPEC,
.name = "pkttype",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_pkttype_info)),
.help = pkttype_help,
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index f73089d..1482dd9 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -80,7 +80,7 @@ quota_parse(int c, char **argv, int invert, unsigned int *flags,
struct xtables_match quota_match = {
.family = AF_UNSPEC,
.name = "quota",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_info)),
.userspacesize = offsetof(struct xt_quota_info, quota),
.help = quota_help,
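Review bot: quota_match in this hunk is declared as plain "struct xtables_match quota_match" without static, unlike the other registration structs this patch touches. Since the line is being edited anyway, consider making it static in a follow-up so the symbol is not exported from the extension object.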
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 69edaba..d959899 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -25,7 +25,7 @@ static void rateest_help(void)
" [!] --rateest-gt Match if rate is greater than given rate/estimator\n"
" [!] --rateest-eq Match if rate is equal to given rate/estimator\n"
"\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
enum rateest_options {
@@ -429,7 +429,7 @@ rateest_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match rateest_mt_reg = {
.family = AF_UNSPEC,
.name = "rateest",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
.userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
.help = rateest_help,
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 5b0112f..391a32f 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -211,7 +211,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
/* Structure for iptables to use to communicate with module */
static struct xtables_match recent_match = {
.name = "recent",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
@@ -225,7 +225,7 @@ static struct xtables_match recent_match = {
};
static struct xtables_match recent_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "recent",
.revision = 0,
.family = AF_INET6,
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index af6faba..4ab6aab 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -64,7 +64,7 @@ static void sctp_help(void)
" --chunk-types [!] (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
" chunktypes are present\n"
"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
}
static const struct option sctp_opts[] = {
@@ -514,7 +514,7 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match sctp_match = {
.name = "sctp",
.family = AF_INET,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_sctp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
.help = sctp_help,
@@ -528,7 +528,7 @@ static struct xtables_match sctp_match = {
static struct xtables_match sctp_match6 = {
.name = "sctp",
.family = AF_INET6,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_sctp_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
.help = sctp_help,
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index 68bf16d..b78fa25 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -12,7 +12,7 @@ static void standard_help(void)
{
printf(
"Standard v%s options:\n"
-"(If target is DROP, ACCEPT, RETURN or nothing)\n", IPTABLES_VERSION);
+"(If target is DROP, ACCEPT, RETURN or nothing)\n", XTABLES_VERSION);
}
/* Function which parses command options; returns true if it
@@ -26,7 +26,7 @@ static int standard_parse(int c, char **argv, int invert, unsigned int *flags,
static struct xtables_target standard_target = {
.family = AF_UNSPEC,
.name = "standard",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(int)),
.userspacesize = XT_ALIGN(sizeof(int)),
.help = standard_help,
diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c
index cbc8419..0640544 100644
--- a/extensions/libxt_state.c
+++ b/extensions/libxt_state.c
@@ -20,7 +20,7 @@ state_help(void)
"state v%s options:\n"
" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
" State(s) to match\n"
-"\n", IPTABLES_VERSION);
+"\n", XTABLES_VERSION);
}
static const struct option state_opts[] = {
@@ -145,7 +145,7 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match state_match = {
.family = AF_INET,
.name = "state",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_state_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
.help = state_help,
@@ -159,7 +159,7 @@ static struct xtables_match state_match = {
static struct xtables_match state_match6 = {
.family = AF_INET6,
.name = "state",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_state_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
.help = state_help,
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 67cf9e3..c2a921e 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -19,7 +19,7 @@ static void statistic_help(void)
" --every n Match every nth packet\n"
" --packet p Initial counter value (0 <= p <= n-1, default 0)\n"
"\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option statistic_opts[] = {
@@ -166,7 +166,7 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match statistic_match = {
.family = AF_UNSPEC,
.name = "statistic",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
.userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
.init = statistic_mt_init,
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 182d474..1482614 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -40,7 +40,7 @@ static void string_help(void)
"--algo Algorithm\n"
"--string [!] string Match a string in a packet\n"
"--hex-string [!] string Match a hex string in a packet\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option string_opts[] = {
@@ -328,7 +328,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match string_match = {
.name = "string",
.family = AF_UNSPEC,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_string_info)),
.userspacesize = offsetof(struct xt_string_info, config),
.help = string_help,
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 2026368..18b8eb9 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -23,7 +23,7 @@ static void tcp_help(void)
" --dport ...\n"
" match destination port(s)\n"
" --tcp-option [!] number match if TCP option set\n\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option tcp_opts[] = {
@@ -386,7 +386,7 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match tcp_match = {
.family = AF_INET,
.name = "tcp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcp)),
.help = tcp_help,
@@ -400,7 +400,7 @@ static struct xtables_match tcp_match = {
static struct xtables_match tcp_match6 = {
.family = AF_INET6,
.name = "tcp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcp)),
.help = tcp_help,
diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index 36d445c..d90dbbb 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -15,7 +15,7 @@ static void tcpmss_help(void)
"tcpmss match v%s options:\n"
"[!] --mss value[:value] Match TCP MSS range.\n"
" (only valid for TCP SYN or SYN/ACK packets)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option tcpmss_opts[] = {
@@ -128,7 +128,7 @@ static void tcpmss_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match tcpmss_match = {
.family = AF_INET,
.name = "tcpmss",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.help = tcpmss_help,
@@ -142,7 +142,7 @@ static struct xtables_match tcpmss_match = {
static struct xtables_match tcpmss_match6 = {
.family = AF_INET6,
.name = "tcpmss",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)),
.help = tcpmss_help,
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 3a9ccd6..b682705 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -61,7 +61,7 @@ static void time_help(void)
" (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7\n"
" Defaults to all weekdays.)\n"
" --localtz/--utc Time is interpreted as UTC/local time\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static void time_init(struct xt_entry_match *m)
@@ -467,7 +467,7 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match time_match = {
.name = "time",
.family = AF_UNSPEC,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_time_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
.help = time_help,
diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index cd21560..f0d1635 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -138,7 +138,7 @@ static void tos_mt_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match tos_mt_reg_v0 = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "tos",
.family = AF_INET,
.revision = 0,
@@ -153,7 +153,7 @@ static struct xtables_match tos_mt_reg_v0 = {
};
static struct xtables_match tos_mt_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "tos",
.family = AF_INET,
.revision = 1,
@@ -168,7 +168,7 @@ static struct xtables_match tos_mt_reg = {
};
static struct xtables_match tos_mt6_reg = {
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.name = "tos",
.family = AF_INET6,
.revision = 1,
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 2dff28f..c692e21 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -37,7 +37,7 @@ static void u32_help(void)
"\t\t""range := number | number \":\" number\n"
"\t\t""location := number | location operator number\n"
"\t\t""operator := \"&\" | \"<<\" | \">>\" | \"@\"\n",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
return;
}
@@ -273,7 +273,7 @@ static void u32_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match u32_match = {
.name = "u32",
.family = AF_UNSPEC,
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_u32)),
.userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
.help = u32_help,
diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
index 2ba781e..45af4ab 100644
--- a/extensions/libxt_udp.c
+++ b/extensions/libxt_udp.c
@@ -18,7 +18,7 @@ static void udp_help(void)
" --destination-port [!] port[:port]\n"
" --dport ...\n"
" match destination port(s)\n",
-IPTABLES_VERSION);
+XTABLES_VERSION);
}
static const struct option udp_opts[] = {
@@ -199,7 +199,7 @@ static void udp_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match udp_match = {
.family = AF_INET,
.name = "udp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_udp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
.help = udp_help,
@@ -213,7 +213,7 @@ static struct xtables_match udp_match = {
static struct xtables_match udp_match6 = {
.family = AF_INET6,
.name = "udp",
- .version = IPTABLES_VERSION,
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_udp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
.help = udp_help,
diff --git a/include/xtables.h b/include/xtables.h.in
similarity index 99%
rename from include/xtables.h
rename to include/xtables.h.in
index 408d199..02fb7a0 100644
--- a/include/xtables.h
+++ b/include/xtables.h.in
@@ -7,6 +7,8 @@
#include <libiptc/libxtc.h>
#include <stdbool.h>
+#define XTABLES_VERSION "@PACKAGE_VERSION@"
+
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
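Review bot: the new '#define XTABLES_VERSION "@PACKAGE_VERSION@"' only becomes a usable string once configure has substituted it, and the rename to include/xtables.h.in leaves no plain xtables.h in the tree. Please confirm that the configure side lists include/xtables.h as an output file, that the include path covers the build directory for out-of-tree builds, and that the generated header is ignored by version control. A short comment above the define saying that it is filled in by configure would also help anyone who opens the .in file first.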
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 2c3e95d..e28f649 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -128,7 +128,7 @@ int main(int argc, char *argv[])
int in_table = 0, testing = 0;
program_name = "ip6tables-restore";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
line = 0;
lib_dir = getenv("XTABLES_LIBDIR");
@@ -160,7 +160,7 @@ int main(int argc, char *argv[])
break;
case 'h':
print_usage("ip6tables-restore",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
break;
case 'n':
noflush = 1;
diff --git a/ip6tables-save.c b/ip6tables-save.c
index e440887..3c72cfd 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -269,7 +269,7 @@ static int do_output(const char *tablename)
time_t now = time(NULL);
printf("# Generated by ip6tables-save v%s on %s",
- IPTABLES_VERSION, ctime(&now));
+ XTABLES_VERSION, ctime(&now));
printf("*%s\n", tablename);
/* Dump out chain names first,
@@ -330,7 +330,7 @@ int main(int argc, char *argv[])
int c;
program_name = "ip6tables-save";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 1bb81bc..5bdcd4f 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -50,7 +50,7 @@ main(int argc, char *argv[])
ip6tc_handle_t handle = NULL;
program_name = "ip6tables";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/iptables-restore.c b/iptables-restore.c
index f556fa5..26f7e2f 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -129,7 +129,7 @@ main(int argc, char *argv[])
const char *tablename = 0;
program_name = "iptables-restore";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
line = 0;
lib_dir = getenv("XTABLES_LIBDIR");
@@ -161,7 +161,7 @@ main(int argc, char *argv[])
break;
case 'h':
print_usage("iptables-restore",
- IPTABLES_VERSION);
+ XTABLES_VERSION);
break;
case 'n':
noflush = 1;
diff --git a/iptables-save.c b/iptables-save.c
index 1ce2090..4f31aee 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -292,7 +292,7 @@ static int do_output(const char *tablename)
time_t now = time(NULL);
printf("# Generated by iptables-save v%s on %s",
- IPTABLES_VERSION, ctime(&now));
+ XTABLES_VERSION, ctime(&now));
printf("*%s\n", tablename);
/* Dump out chain names first,
@@ -355,7 +355,7 @@ main(int argc, char *argv[])
int c;
program_name = "iptables-save";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 369adaf..55d9bbe 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -51,7 +51,7 @@ main(int argc, char *argv[])
iptc_handle_t handle = NULL;
program_name = "iptables";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
lib_dir = getenv("XTABLES_LIBDIR");
if (lib_dir == NULL) {
diff --git a/iptables-xml.c b/iptables-xml.c
index d922efe..fea63ef 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -645,7 +645,7 @@ main(int argc, char *argv[])
FILE *in;
program_name = "iptables-xml";
- program_version = IPTABLES_VERSION;
+ program_version = XTABLES_VERSION;
line = 0;
while ((c = getopt_long(argc, argv, "cvh", options, NULL)) != -1) {
@@ -658,7 +658,7 @@ main(int argc, char *argv[])
verbose = 1;
break;
case 'h':
- print_usage("iptables-xml", IPTABLES_VERSION);
+ print_usage("iptables-xml", XTABLES_VERSION);
break;
}
}
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index ca95748..b638dc9 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -26,6 +26,7 @@
*/
#include <sys/types.h>
#include <sys/socket.h>
+#include <xtables.h>
#include "linux_list.h"
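Review bot: The added `#include <xtables.h>` makes libiptc depend on the xtables header, and the only use visible in this patch is the `XTABLES_VERSION` string printed by TC_DUMP_ENTRIES. Consider taking the version macro from a smaller header so the library does not pull in the whole xtables interface for a debug banner, or state in the commit message why the new dependency is acceptable.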
@@ -1323,7 +1324,7 @@ TC_DUMP_ENTRIES(const TC_HANDLE_T handle)
CHECK(handle);
printf("libiptc v%s. %u bytes.\n",
- IPTABLES_VERSION, handle->entries->size);
+ XTABLES_VERSION, handle->entries->size);
printf("Table `%s'\n", handle->info.name);
printf("Hooks: pre/in/fwd/out/post = %u/%u/%u/%u/%u\n",
handle->info.hook_entry[HOOK_PRE_ROUTING],
diff --git a/xtables.c b/xtables.c
index 21da4b5..af029b4 100644
--- a/xtables.c
+++ b/xtables.c
@@ -305,6 +305,7 @@ void parse_interface(const char *arg, char *vianame, unsigned char *mask)
}
}
+#ifndef NO_SHARED_LIBS
static void *load_extension(const char *search_path, const char *prefix,
const char *name, bool is_target)
{
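Review bot: The `#ifndef NO_SHARED_LIBS` added in front of load_extension() is not part of the IPTABLES_VERSION to XTABLES_VERSION rename this patch is titled for; it reads like a static-build fix and would be easier to review and bisect as its own patch. Please also confirm that every caller of load_extension() is compiled out under NO_SHARED_LIBS, since this hunk does not show them.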
@@ -353,6 +354,7 @@ static void *load_extension(const char *search_path, const char *prefix,
return NULL;
}
+#endif
struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_rule_match **matches)
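Review bot: The `#endif` added after load_extension() closes an `#ifndef` opened about fifty lines earlier (line 305 versus line 354 in the hunk headers); write it as `#endif /* NO_SHARED_LIBS */` so the pairing stays obvious when reading find_match() below.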
--
1.5.5.rc3
* [PATCH 21/24] libxt_recent: add missing --rsource,--rdest options to manpage
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_recent.man | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index f0dc3f4..6b7fc86 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -14,6 +14,13 @@ This will add the source address of the packet to the list. If the source
address is already in the list, this will update the existing entry. This will
always return success (or failure if \fB!\fR is passed in).
.TP
+\fB--rsource\fP
+Match/save the source address of each packet in the recent list table. This
+is the default.
+.TP
+\fB--rdest\fP
+Match/save the destination address of each packet in the recent list table.
+.TP
[\fB!\fR] \fB--rcheck\fR
Check if the source address of the packet is currently in the list.
.TP
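Review bot: With `--rdest` documented, the neighbouring entries in this hunk still say "the source address of the packet" unconditionally (the entry above the insertion and `--rcheck` below it), which is no longer accurate when the destination address is selected. Reword those to cover both cases, for example "the source (or, with --rdest, destination) address". The new entries also close their bold text with `\fP` while `--rcheck` uses `\fR`; pick one.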
--
1.5.5.rc3
* [PATCH 22/24] manpages: fix broken markup (missing close tags)
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Rework the whole line's markup at the same time.
---
extensions/libip6t_ah.man | 2 +-
extensions/libip6t_dst.man | 2 +-
extensions/libxt_NFQUEUE.man | 2 +-
extensions/libxt_connbytes.man | 2 +-
extensions/libxt_connlimit.man | 2 +-
extensions/libxt_dccp.man | 4 ++--
extensions/libxt_recent.man | 4 ++--
extensions/libxt_sctp.man | 6 +++---
extensions/libxt_u32.man | 2 +-
9 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man
index 09d00fd..807f9e3 100644
--- a/extensions/libip6t_ah.man
+++ b/extensions/libip6t_ah.man
@@ -3,7 +3,7 @@ This module matches the parameters in Authentication header of IPsec packets.
.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
Matches SPI.
.TP
-.BR "--ahlen " "[!] \fIlength"
+[\fB!\fP] \fB--ahlen\fP \fIlength\fP
Total length of this header in octets.
.TP
.BI "--ahres"
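Review bot: The rewritten `--ahlen` line moves the `!` in front of the option, but `--ahspi` two entries up in the same page still documents `[!]` after the option name. Convert `--ahspi` in the same patch, or say in the commit message that the negation placement is being changed too, since that goes beyond closing missing font tags.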
diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man
index f42d822..d895a0e 100644
--- a/extensions/libip6t_dst.man
+++ b/extensions/libip6t_dst.man
@@ -1,6 +1,6 @@
This module matches the parameters in Destination Options header
.TP
-.BR "--dst-len " "[!] \fIlength"
+[\fB!\fP] \fB--dst-len\fP \fIlength\fP
Total length of this header in octets.
.TP
.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index c4e9d11..015effd 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -2,7 +2,7 @@ This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
you to put a packet into any specific queue, identified by its 16-bit queue
number.
.TP
-.BR "--queue-num " "\fIvalue"
+\fB--queue-num\fP \fIvalue\fP
This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
.TP
It can only be used with Kernel versions 2.6.14 or later, since it requires
diff --git a/extensions/libxt_connbytes.man b/extensions/libxt_connbytes.man
index ce7b665..7b7c313 100644
--- a/extensions/libxt_connbytes.man
+++ b/extensions/libxt_connbytes.man
@@ -10,7 +10,7 @@ scheduled using a lower priority band in traffic control.
The transfered bytes per connection can also be viewed through
/proc/net/ip_conntrack and accessed via ctnetlink
.TP
-[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
+[\fB!\fP] \fB--connbytes\fP \fIfrom\fP[\fB:\fR\fIto\fP]
match packets from a connection whose packets/bytes/average packet
size is more than FROM and less than TO bytes/packets. if TO is
omitted only FROM check is done. "!" is used to match packets not
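Review bot: The new `--connbytes` synopsis changes the documented syntax, not only the markup: the old line read from:[to] (colon required, upper bound optional) and the new one reads from[:to] (colon optional together with the bound). Please confirm which form the option parser accepts and mention the change in the commit message. The new bracket also mixes `\fR` and `\fP` in `[\fB:\fR\fIto\fP]`.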
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index ca5974e..dd6a155 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -1,7 +1,7 @@
Allows you to restrict the number of parallel connections to a server per
client IP address (or client address block).
.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
+[\fB!\fP] \fB--connlimit-above\fP \fIn\fP
Match if the number of existing connections is (not) above \fIn\fR.
.TP
\fB--connlimit-mask\fR \fIprefix_length\fR
diff --git a/extensions/libxt_dccp.man b/extensions/libxt_dccp.man
index 6443ec3..d962ef0 100644
--- a/extensions/libxt_dccp.man
+++ b/extensions/libxt_dccp.man
@@ -1,7 +1,7 @@
.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
\fB--dccp-types\fR [\fB!\fR] \fImask\fP
Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
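Review bot: `--source-port` and `--destination-port` now take the `!` before the option, while `--dccp-types` directly below keeps `[\fB!\fR]` after the option name, so one page shows two negation placements. Convert `--dccp-types` as well, or note why it differs.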
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 6b7fc86..478ffaf 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -33,12 +33,12 @@ Check if the source address of the packet is currently in the list and if so
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
-[\fB!\fR] \fB--seconds \fIseconds\fR
+[\fB!\fP] \fB--seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
-[\fB!\fR] \fB--hitcount \fIhits\fR
+[\fB!\fP] \fB--hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen when the
address is in the list and packets had been received greater than or equal to
diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
index 97b467d..5d7a477 100644
--- a/extensions/libxt_sctp.man
+++ b/extensions/libxt_sctp.man
@@ -1,9 +1,9 @@
.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
+[\fB!\fP] \fB--chunk-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
The flag letter in upper case indicates that the flag is to match if set,
in the lower case indicates to match if unset.
diff --git a/extensions/libxt_u32.man b/extensions/libxt_u32.man
index 1ac02bc..8e00cc1 100644
--- a/extensions/libxt_u32.man
+++ b/extensions/libxt_u32.man
@@ -2,7 +2,7 @@ U32 tests whether quantities of up to 4 bytes extracted from a packet have
specified values. The specification of what to extract is general enough to
find data at given offsets from tcp headers or payloads.
.TP
-[\fB!\fR]\fB --u32 \fItests\fR
+[\fB!\fP] \fB--u32\fP \fItests\fP
The argument amounts to a program in a small language described below.
.IP
tests := location "=" value | tests "&&" location "=" value
--
1.5.5.rc3
* [PATCH 23/24] manpages: grammar and spelling
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libip6t_frag.man | 2 +-
extensions/libipt_SAME.man | 2 +-
extensions/libxt_NFQUEUE.man | 2 +-
extensions/libxt_connbytes.man | 4 ++--
extensions/libxt_dscp.man | 2 +-
extensions/libxt_hashlimit.man | 4 ++--
ip6tables.8.in | 2 +-
ip6tables.c | 2 +-
iptables.8.in | 10 +++++-----
iptables.c | 2 +-
10 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
index 5ac13a4..8937b55 100644
--- a/extensions/libip6t_frag.man
+++ b/extensions/libip6t_frag.man
@@ -17,4 +17,4 @@ Matches on the first fragment.
Matches if there are more fragments.
.TP
.BR "[--fraglast]"
-Matches if this is the last fragement.
+Matches if this is the last fragment.
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
index 4e88d48..d038615 100644
--- a/extensions/libipt_SAME.man
+++ b/extensions/libipt_SAME.man
@@ -11,5 +11,5 @@ Don't use the destination-ip in the calculations when selecting the
new source-ip
.TP
.B "--random"
-Port mapping will be forcely randomized to avoid attacks based on
+Port mapping will be forcibly randomized to avoid attacks based on
port prediction (kernel >= 2.6.21).
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 015effd..acd45e9 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -3,7 +3,7 @@ you to put a packet into any specific queue, identified by its 16-bit queue
number.
.TP
\fB--queue-num\fP \fIvalue\fP
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
+This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
.TP
It can only be used with Kernel versions 2.6.14 or later, since it requires
the
diff --git a/extensions/libxt_connbytes.man b/extensions/libxt_connbytes.man
index 7b7c313..124ff6f 100644
--- a/extensions/libxt_connbytes.man
+++ b/extensions/libxt_connbytes.man
@@ -1,5 +1,5 @@
Match by how many bytes or packets a connection (or one of the two
-flows constituting the connection) have tranferred so far, or by
+flows constituting the connection) has transferred so far, or by
average bytes per packet.
The counters are 64bit and are thus not expected to overflow ;)
@@ -7,7 +7,7 @@ The counters are 64bit and are thus not expected to overflow ;)
The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.
-The transfered bytes per connection can also be viewed through
+The transferred bytes per connection can also be viewed through
/proc/net/ip_conntrack and accessed via ctnetlink
.TP
[\fB!\fP] \fB--connbytes\fP \fIfrom\fP[\fB:\fR\fIto\fP]
diff --git a/extensions/libxt_dscp.man b/extensions/libxt_dscp.man
index cb0b6f3..29ff3b2 100644
--- a/extensions/libxt_dscp.man
+++ b/extensions/libxt_dscp.man
@@ -7,4 +7,4 @@ Match against a numeric (decimal or hex) value [0-63].
.BI "--dscp-class " "\fIDiffServ Class\fP"
Match the DiffServ class. This value may be any of the
BE, EF, AFxx or CSx classes. It will then be converted
-into it's according numeric value.
+into its according numeric value.
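Review bot: "into its according numeric value" fixes the apostrophe but still reads oddly; "its corresponding numeric value" is probably what is meant.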
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index e74aedf..e449406 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -53,7 +53,7 @@ The number of buckets of the hash table
Maximum entries in the hash.
.TP
\fB--hashlimit-htable-expire\fR \fImsec\fR
-After how many miliseconds do hash entries expire.
+After how many milliseconds do hash entries expire.
.TP
\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
-How many miliseconds between garbage collection intervals.
+How many milliseconds between garbage collection intervals.
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 8528b8e..f103363 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -478,7 +478,7 @@ James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog.
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
.PP
The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
diff --git a/ip6tables.c b/ip6tables.c
index e5602f7..c7d4a4f 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -720,7 +720,7 @@ print_match(const struct ip6t_entry_match *m,
return 0;
}
-/* e is called `fw' here for hysterical raisins */
+/* e is called `fw' here for historical reasons */
static void
print_firewall(const struct ip6t_entry *fw,
const char *targname,
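Review bot: "hysterical raisins" in the comment above print_firewall() is a deliberate pun rather than a spelling mistake, so replacing it is a matter of taste, and it touches a .c file in a patch titled "manpages: grammar and spelling". Consider dropping this change, or moving the two source-comment edits (here and in iptables.c) into their own patch.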
diff --git a/iptables.8.in b/iptables.8.in
index 9904c48..8ebedb8 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -55,7 +55,7 @@ a `target', which may be a jump to a user-defined chain in the same
table.
.SH TARGETS
-A firewall rule specifies criteria for a packet, and a target. If the
+A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is the examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
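Review bot: The context line right after the changed one still reads "the next rule in the chain is the examined", with a stray "the". Since this patch is a grammar pass over the same sentence, fix it here as well, for example "is then examined".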
@@ -155,9 +155,9 @@ The options that are recognized by
.B iptables
can be divided into several different groups.
.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
+These options specify the desired action to perform. Only one of them
+can be specified on the command line unless otherwise stated
+below. For long versions of the command and option names, you
need to use only enough letters to ensure that
.B iptables
can differentiate it from all other options.
@@ -188,7 +188,7 @@ fail. Rules are numbered starting at 1.
.TP
.BR "-L, --list " "[\fIchain\fP]"
List all rules in the selected chain. If no chain is selected, all
-chains are listed. As every other iptables command, it applies to the
+chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
.nf
iptables -t nat -n -L
diff --git a/iptables.c b/iptables.c
index b2a4b53..7cc2448 100644
--- a/iptables.c
+++ b/iptables.c
@@ -720,7 +720,7 @@ print_match(const struct ipt_entry_match *m,
return 0;
}
-/* e is called `fw' here for hysterical raisins */
+/* e is called `fw' here for historical reasons */
static void
print_firewall(const struct ipt_entry *fw,
const char *targname,
--
1.5.5.rc3
* [PATCH 24/24] manpages: update to reflect fine-grained control
From: Jan Engelhardt @ 2008-04-06 15:27 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Some manpages (DNAT for example) specify
--to-destination ip[-ip][:port-port]
while it is actually
--to-destination ip[-ip][:port[-port]]
---
extensions/libip6t_frag.man | 4 ++--
extensions/libipt_DNAT.man | 2 +-
extensions/libipt_SAME.man | 2 +-
extensions/libipt_SNAT.man | 2 +-
extensions/libxt_connmark.man | 2 +-
extensions/libxt_helper.man | 2 +-
extensions/libxt_iprange.man | 4 ++--
extensions/libxt_mark.man | 2 +-
extensions/libxt_owner.man | 10 +++++-----
extensions/libxt_tos.man | 4 ++--
10 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
index 8937b55..cc13e79 100644
--- a/extensions/libip6t_frag.man
+++ b/extensions/libip6t_frag.man
@@ -13,8 +13,8 @@ Matches if the reserved fields are filled with zero.
.BR "--fragfirst "
Matches on the first fragment.
.TP
-.BR "[--fragmore]"
+\fB--fragmore\fP
Matches if there are more fragments.
.TP
-.BR "[--fraglast]"
+\fB--fraglast\fP
Matches if this is the last fragment.
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
index f11f4e2..65c152c 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libipt_DNAT.man
@@ -10,7 +10,7 @@ should be modified (and all future packets in this connection will
also be mangled), and rules should cease being examined. It takes one
type of option:
.TP
-.BR "--to-destination " "[\fIipaddr\fP][-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+\fB--to-destination\fP [\fIipaddr\fP][\fB-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB-\fP\fIport\fP]]
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which is only
valid if the rule also specifies
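Review bot: The synopsis now allows a single port (`port[-port]`), but the description that follows still speaks only of "a port range". Adjust the text to mention a single port as well. The leading `[ipaddr]` is also still shown as optional here while the SNAT `--to-source` line in this patch shows it as mandatory; worth checking whether that asymmetry is intended.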
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
index d038615..7e28ca5 100644
--- a/extensions/libipt_SAME.man
+++ b/extensions/libipt_SAME.man
@@ -2,7 +2,7 @@ Similar to SNAT/DNAT depending on chain: it takes a range of addresses
(`--to 1.2.3.4-1.2.3.7') and gives a client the same
source-/destination-address for each connection.
.TP
-.BI "--to " "<ipaddr>-<ipaddr>"
+\fB--to\fP \fIipaddr\fP[\fB-\fP\fIipaddr\fP]
Addresses to map source to. May be specified more than once for
multiple ranges.
.TP
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index 7b34799..34939af 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
@@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+\fB--to-source\fP \fIipaddr\fP[\fB-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB-\fP\fIport\fP]]
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
diff --git a/extensions/libxt_connmark.man b/extensions/libxt_connmark.man
index 193a4ca..a50c537 100644
--- a/extensions/libxt_connmark.man
+++ b/extensions/libxt_connmark.man
@@ -1,6 +1,6 @@
This module matches the netfilter mark field associated with a connection
(which can be set using the \fBCONNMARK\fR target below).
.TP
-\fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+[\fB!\fP] \fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets in connections with the given mark value (if a mask is
specified, this is logically ANDed with the mark before the comparison).
diff --git a/extensions/libxt_helper.man b/extensions/libxt_helper.man
index c3221ad..3df1d05 100644
--- a/extensions/libxt_helper.man
+++ b/extensions/libxt_helper.man
@@ -1,6 +1,6 @@
This module matches packets related to a specific conntrack-helper.
.TP
-.BI "--helper " "string"
+[\fB!\fP] \fB--helper\fP \fIstring\fP
Matches packets related to the specified conntrack-helper.
.RS
.PP
diff --git a/extensions/libxt_iprange.man b/extensions/libxt_iprange.man
index 5acb3b3..1941a3b 100644
--- a/extensions/libxt_iprange.man
+++ b/extensions/libxt_iprange.man
@@ -1,7 +1,7 @@
This matches on a given arbitrary range of IP addresses.
.TP
-[\fB!\fR] \fB--src-range\fR \fIfrom\fR-\fIto\fR
+[\fB!\fR] \fB--src-range\fR \fIfrom\fR[\fB-\fP\fIto\fR]
Match source IP in the specified range.
.TP
-[\fB!\fR] \fB--dst-range\fR \fIfrom\fR-\fIto\fR
+[\fB!\fR] \fB--dst-range\fR \fIfrom\fR[\fB-\fP\fIto\fR]
Match destination IP in the specified range.
diff --git a/extensions/libxt_mark.man b/extensions/libxt_mark.man
index a2a1395..4b29cd0 100644
--- a/extensions/libxt_mark.man
+++ b/extensions/libxt_mark.man
@@ -3,7 +3,7 @@ This module matches the netfilter mark field associated with a packet
.B MARK
target below).
.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+[\fB!\fP] \fB--mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Matches packets with the given unsigned mark value (if a \fImask\fP is
specified, this is logically ANDed with the \fImask\fP before the
comparison).
diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man
index 344ce2e..0bc0c65 100644
--- a/extensions/libxt_owner.man
+++ b/extensions/libxt_owner.man
@@ -3,17 +3,17 @@ for locally generated packets. This match is only valid in the OUTPUT and
POSTROUTING chains. Forwarded packets do not have any socket associated with
them. Packets from kernel threads do have a socket, but usually no owner.
.TP
-\fB--uid-owner\fR \fIusername\fR
+[\fB!\fP] \fB--uid-owner\fP \fIusername\fP
.TP
-\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
+[\fB!\fP] \fB--uid-owner\fP \fIuserid\fP[\fB-\fP\fIuserid\fP]
Matches if the packet socket's file structure (if it has one) is owned by the
given user. You may also specify a numerical UID, or an UID range.
.TP
-\fB--gid-owner\fR \fIgroupname\fR
+[\fB!\fP] \fB--gid-owner\fP \fIgroupname\fP
.TP
-\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+[\fB!\fP] \fB--gid-owner\fP \fIgroupid\fP[\fB-\fR\fIgroupid\fP]
Matches if the packet socket's file structure is owned by the given group.
You may also specify a numerical GID, or a GID range.
.TP
-\fB--socket-exists\fR
+[\fB!\fP] \fB--socket-exists\fP
Matches if the packet is associated with a socket.
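Review bot: In the `--gid-owner` range line the separator is written `[\fB-\fR\fIgroupid\fP]`, mixing `\fR` and `\fP`, while the parallel `--uid-owner` line uses `\fB-\fP`. Use `\fP` in both. The descriptions under these entries also do not say what the newly documented `!` does, so add a word on negation where the options are explained.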
diff --git a/extensions/libxt_tos.man b/extensions/libxt_tos.man
index 0420105..cd72e95 100644
--- a/extensions/libxt_tos.man
+++ b/extensions/libxt_tos.man
@@ -2,11 +2,11 @@ This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
header.
.TP
-\fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+[\fB!\fP] \fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets with the given TOS mark value. If a mask is specified, it is
logically ANDed with the TOS mark before the comparison.
.TP
-\fB--tos\fR \fIsymbol\fR
+[\fB!\fP] \fB--tos\fR \fIsymbol\fR
You can specify a symbolic name when using the tos match for IPv4. The list of
recognized TOS names can be obtained by calling iptables with \fB-m tos -h\fR.
Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
--
1.5.5.rc3
* Re: [PATCH 01/24] Fix compilation of iptables-static build
From: Patrick McHardy @ 2008-04-06 15:31 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Adjust the _INIT macro and thus fix the build/linking procedure of
> the monolithic do-it-all binary (iptables-static).
>
> Also fix the Makefile since unfortunately, lib%.o does not seem to
> have a higher precedence than %.o
> ---
> extensions/GNUmakefile.in | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
Applied.