* [PATCH 02/13] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-13 5:08 ` Patrick McHardy
2008-04-10 7:38 ` [PATCH 03/13] xtables.h: move non-exported parts to internal.h Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
configure.ac | 6 +-----
extensions/GNUmakefile.in | 2 ++
extensions/libip6t_policy.c | 5 -----
extensions/libipt_ULOG.c | 2 +-
include/iptables.h | 2 --
include/libiptc/libip6tc.h | 2 ++
include/libiptc/libiptc.h | 2 ++
include/xtables.h | 7 +++++++
include/xtables/internal.h | 6 ++++++
ip6tables-multi.h | 8 ++++++++
ip6tables-restore.c | 4 +++-
ip6tables-save.c | 1 +
ip6tables-standalone.c | 1 +
ip6tables.c | 6 ++----
iptables-multi.h | 9 +++++++++
iptables-restore.c | 3 ++-
iptables-save.c | 1 +
iptables-standalone.c | 1 +
iptables-xml.c | 1 +
iptables.c | 4 +---
libiptc/libiptc.c | 9 ++++-----
21 files changed, 55 insertions(+), 27 deletions(-)
create mode 100644 include/xtables/internal.h
create mode 100644 ip6tables-multi.h
create mode 100644 iptables-multi.h
diff --git a/configure.ac b/configure.ac
index 87fca6c..c816b2e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -41,13 +41,9 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
+regular_CFLAGS="$regular_CFLAGS -DXTABLES_INTERNAL"
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
-# Remove workarounds soon
-regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
- -Wno-missing-declarations -Wno-missing-prototypes \
- -Wno-unused-parameter"
-
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 4892409..cf094f2 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -143,6 +143,7 @@ initext4.c: .initext4.dd
for i in ${initext_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
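Review bot: The added `echo -en "void init_extensions(void);\n" >>$@; \` depends on the `-e`/`-n` flags, which POSIX `echo` does not define, so what lands in initext4.c depends on which shell make runs the recipe under. The surrounding lines already use the same idiom, so this is consistent rather than a regression, but a portable form is `printf 'void init_extensions(void);\n' >>$@; \`, and the whole recipe could move to `printf` in a follow-up. The recipe continues outside the hunk.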
@@ -157,6 +158,7 @@ initext6.c: .initext6.dd
for i in ${initext6_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
+ echo -en "void init_extensions(void);\n" >>$@; \
echo -en "void init_extensions(void)\n""{\n" >>$@; \
for i in ${initext6_func}; do \
echo -e "\t""lib$${i}_init();" >>$@; \
diff --git a/extensions/libip6t_policy.c b/extensions/libip6t_policy.c
index f706f98..41e5c32 100644
--- a/extensions/libip6t_policy.c
+++ b/extensions/libip6t_policy.c
@@ -126,11 +126,6 @@ mask_to_numeric(const struct in6_addr *addrp)
return buf;
}
-/* These should be in include/ip6tables.h... */
-extern u_int16_t parse_protocol(const char *s);
-
-/* End duplicated code from ip6tables.c */
-
static int parse_direction(char *s)
{
if (strcmp(s, "in") == 0)
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 6fb2c66..31990a6 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -21,7 +21,7 @@
#include "../include/linux/netfilter_ipv4/ipt_ULOG.h"
-void print_groups(unsigned int gmask)
+static void print_groups(unsigned int gmask)
{
int b;
unsigned int test;
diff --git a/include/iptables.h b/include/iptables.h
index f39410c..7ce9080 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -24,8 +24,6 @@ extern int line;
extern void register_match(struct iptables_match *me);
extern void register_target(struct iptables_target *me);
-extern u_int16_t parse_protocol(const char *s);
-
extern int do_command(int argc, char *argv[], char **table,
iptc_handle_t *handle);
extern int delete_chain(const ipt_chainlabel chain, int verbose,
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 5069689..6e8a565 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -152,4 +152,6 @@ const char *ip6tc_strerror(int err);
/* Return prefix length, or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);
+extern void dump_entries6(const ip6tc_handle_t);
+
#endif /* _LIBIP6TC_H */
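Review bot: The `dump_entries6` prototype appended here drops both the parameter name and the `/* Extra debugging from libiptc */` comment that sat next to the declaration it replaces in ip6tables.c, so a reader of the public header gets no hint that this is a debugging aid rather than part of the API. The rest of this header keeps parameter names (`int ipv6_prefix_length(const struct in6_addr *a);`), so I would write `/* Extra debugging from libiptc */` followed by `extern void dump_entries6(const ip6tc_handle_t handle);`.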
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 30f5b7d..1f6f95d 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -159,6 +159,8 @@ int iptc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);
+extern void dump_entries(const iptc_handle_t);
+
#ifdef __cplusplus
}
#endif
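Review bot: `extern void dump_entries(const iptc_handle_t);` is placed correctly inside the `extern "C"` block, but it loses the parameter name and the `/* Extra debugging from libiptc */` comment that accompanied the declaration this patch removes from iptables.c, leaving the public header silent about what the function is for. I would restore both: `/* Extra debugging from libiptc */` and `extern void dump_entries(const iptc_handle_t handle);`, matching how `iptc_strerror(int err)` above keeps its parameter name.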
diff --git a/include/xtables.h b/include/xtables.h
index 4b75e2c..157f355 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -267,4 +267,11 @@ extern void save_string(const char *value);
# define _init __attribute__((constructor)) _INIT
#endif
+/* Present in both iptables.c and ip6tables.c */
+extern u_int16_t parse_protocol(const char *s);
+
+#ifdef XTABLES_INTERNAL
+# include <xtables/internal.h>
+#endif
+
#endif /* _XTABLES_H */
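Review bot: The comment on the new `parse_protocol` declaration says where the function lives but not what that means for users of this public header: the symbol is defined in the iptables/ip6tables executables rather than in a library, so an extension that calls it (libip6t_policy.c did, per the private declaration this patch removes there) presumably only resolves when loaded by one of those programs. I would make that explicit: `/* Defined in iptables.c and ip6tables.c, not in any library; extensions that call it only load under those programs. */`. The `#ifdef XTABLES_INTERNAL` include of `<xtables/internal.h>` is fine provided internal.h is never installed alongside xtables.h, which is worth a sentence in the commit message.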
diff --git a/include/xtables/internal.h b/include/xtables/internal.h
new file mode 100644
index 0000000..3be72e3
--- /dev/null
+++ b/include/xtables/internal.h
@@ -0,0 +1,6 @@
+#ifndef _XTABLES_INTERNAL_H
+#define _XTABLES_INTERNAL_H 1
+
+extern void _init(void);
+
+#endif /* _XTABLES_INTERNAL_H */
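Review bot: `extern void _init(void);` only declares what it appears to because xtables.h defines `_init` as a macro (`__attribute__((constructor)) _INIT`) immediately before it includes this header, so the line really declares the per-extension `_INIT` function; included on its own, internal.h would instead declare the reserved `_init` symbol. A one-line comment saves the next reader that detour: `/* _init is a macro from xtables.h expanding to the extension's _INIT; include this file only via xtables.h */`.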
diff --git a/ip6tables-multi.h b/ip6tables-multi.h
new file mode 100644
index 0000000..551029a
--- /dev/null
+++ b/ip6tables-multi.h
@@ -0,0 +1,8 @@
+#ifndef _IP6TABLES_MULTI_H
+#define _IP6TABLES_MULTI_H 1
+
+extern int ip6tables_main(int, char **);
+extern int ip6tables_save_main(int, char **);
+extern int ip6tables_restore_main(int, char **);
+
+#endif /* _IP6TABLES_MULTI_H */
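Review bot: The three prototypes omit parameter names (`extern int ip6tables_main(int, char **);`), while the project's other headers keep them (e.g. `int ipv6_prefix_length(const struct in6_addr *a);` in libip6tc.h). Writing `extern int ip6tables_main(int argc, char **argv);`, and likewise for the save and restore entry points, keeps the header style uniform and self-explanatory.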
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 570bd51..e9cc0ff 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -18,6 +18,7 @@
#include "ip6tables.h"
#include "xtables.h"
#include "libiptc/libip6tc.h"
+#include "ip6tables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -55,7 +56,8 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
+static ip6tc_handle_t create_handle(const char *tablename,
+ const char *modprobe)
{
ip6tc_handle_t handle;
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c73d354..e7eade1 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -16,6 +16,7 @@
#include <arpa/inet.h>
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
+#include "ip6tables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index b7dfd17..4029c1f 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -35,6 +35,7 @@
#include <stdlib.h>
#include <errno.h>
#include <ip6tables.h>
+#include "ip6tables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/ip6tables.c b/ip6tables.c
index 4b517e5..e5602f7 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -41,6 +41,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include "ip6tables-multi.h"
#ifndef TRUE
#define TRUE 1
@@ -186,9 +187,6 @@ static int inverse_for_options[NUMBER_OF_OPT] =
const char *program_version;
const char *program_name;
-/* Extra debugging from libiptc */
-extern void dump_entries6(const ip6tc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1140,7 +1138,7 @@ generate_entry(const struct ip6t_entry *fw,
return e;
}
-void clear_rule_matches(struct ip6tables_rule_match **matches)
+static void clear_rule_matches(struct ip6tables_rule_match **matches)
{
struct ip6tables_rule_match *matchp, *tmp;
diff --git a/iptables-multi.h b/iptables-multi.h
new file mode 100644
index 0000000..a9912b0
--- /dev/null
+++ b/iptables-multi.h
@@ -0,0 +1,9 @@
+#ifndef _IPTABLES_MULTI_H
+#define _IPTABLES_MULTI_H 1
+
+extern int iptables_main(int, char **);
+extern int iptables_save_main(int, char **);
+extern int iptables_restore_main(int, char **);
+extern int iptables_xml_main(int, char **);
+
+#endif /* _IPTABLES_MULTI_H */
diff --git a/iptables-restore.c b/iptables-restore.c
index 44263ce..b751d2c 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -15,6 +15,7 @@
#include "iptables.h"
#include "xtables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -54,7 +55,7 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-iptc_handle_t create_handle(const char *tablename, const char* modprobe )
+static iptc_handle_t create_handle(const char *tablename, const char *modprobe)
{
iptc_handle_t handle;
diff --git a/iptables-save.c b/iptables-save.c
index f82c8a7..c0c37ed 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -15,6 +15,7 @@
#include <netdb.h>
#include "libiptc/libiptc.h"
#include "iptables.h"
+#include "iptables-multi.h"
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
diff --git a/iptables-standalone.c b/iptables-standalone.c
index e5c7841..55c7ce9 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -36,6 +36,7 @@
#include <errno.h>
#include <string.h>
#include <iptables.h>
+#include "iptables-multi.h"
#ifdef IPTABLES_MULTI
int
diff --git a/iptables-xml.c b/iptables-xml.c
index 94f2e39..d922efe 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -16,6 +16,7 @@
#include <stdarg.h>
#include "iptables.h"
#include "libiptc/libiptc.h"
+#include "iptables-multi.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
diff --git a/iptables.c b/iptables.c
index 0363aba..b2a4b53 100644
--- a/iptables.c
+++ b/iptables.c
@@ -190,8 +190,6 @@ const char *program_name;
int kernel_version;
-extern void dump_entries(const iptc_handle_t handle);
-
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
@@ -1143,7 +1141,7 @@ generate_entry(const struct ipt_entry *fw,
return e;
}
-void clear_rule_matches(struct iptables_rule_match **matches)
+static void clear_rule_matches(struct iptables_rule_match **matches)
{
struct iptables_rule_match *matchp, *tmp;
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index fe6b09b..de8dc60 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1474,7 +1474,7 @@ TC_NEXT_RULE(const STRUCT_ENTRY *prev, TC_HANDLE_T *handle)
}
/* How many rules in this chain? */
-unsigned int
+static unsigned int
TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
{
struct chain_head *c;
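Review bot: Changing `TC_NUM_RULES` to `static` (and `TC_GET_RULE` in the next hunk) changes linkage, and the `TC_*` identifiers in this file are presumably macros mapped per address family; if either maps to an `iptc_`/`ip6tc_` name, that symbol disappears from the built library. Since neither had a prototype in libiptc.h, which is exactly why they warned, no external caller could have used them cleanly, but it is worth confirming with `nm` on the built library that no exported `iptc_num_rules`/`iptc_get_rule` symbol goes away. The body of TC_NUM_RULES continues outside the hunk.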
@@ -1490,9 +1490,8 @@ TC_NUM_RULES(const char *chain, TC_HANDLE_T *handle)
return c->num_rules;
}
-const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
- unsigned int n,
- TC_HANDLE_T *handle)
+static const STRUCT_ENTRY *
+TC_GET_RULE(const char *chain, unsigned int n, TC_HANDLE_T *handle)
{
struct chain_head *c;
struct rule_head *r;
@@ -1514,7 +1513,7 @@ const STRUCT_ENTRY *TC_GET_RULE(const char *chain,
}
/* Returns a pointer to the target name of this position. */
-const char *standard_target_map(int verdict)
+static const char *standard_target_map(int verdict)
{
switch (verdict) {
case RETURN:
--
1.5.5.rc3
* Re: [PATCH 02/13] Fix all remaining warnings (missing declarations, missing prototypes)
2008-04-10 7:38 ` [PATCH 02/13] Fix all remaining warnings (missing declarations, missing prototypes) Jan Engelhardt
@ 2008-04-13 5:08 ` Patrick McHardy
From: Patrick McHardy @ 2008-04-13 5:08 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> ---
> configure.ac | 6 +-----
> extensions/GNUmakefile.in | 2 ++
> extensions/libip6t_policy.c | 5 -----
> extensions/libipt_ULOG.c | 2 +-
> include/iptables.h | 2 --
> include/libiptc/libip6tc.h | 2 ++
> include/libiptc/libiptc.h | 2 ++
> include/xtables.h | 7 +++++++
> include/xtables/internal.h | 6 ++++++
> ip6tables-multi.h | 8 ++++++++
> ip6tables-restore.c | 4 +++-
> ip6tables-save.c | 1 +
> ip6tables-standalone.c | 1 +
> ip6tables.c | 6 ++----
> iptables-multi.h | 9 +++++++++
> iptables-restore.c | 3 ++-
> iptables-save.c | 1 +
> iptables-standalone.c | 1 +
> iptables-xml.c | 1 +
> iptables.c | 4 +---
> libiptc/libiptc.c | 9 ++++-----
> 21 files changed, 55 insertions(+), 27 deletions(-)
> create mode 100644 include/xtables/internal.h
> create mode 100644 ip6tables-multi.h
> create mode 100644 iptables-multi.h
Applied.
* [PATCH 03/13] xtables.h: move non-exported parts to internal.h
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 02/13] Fix all remaining warnings (missing declarations, missing prototypes) Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-13 5:10 ` Patrick McHardy
2008-04-10 7:38 ` [PATCH 04/13] Add support for xt_hashlimit match revision 1 Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
A number of enums, structs and functions are not used by extension modules, so they do not need to be exported from xtables.h.
---
include/xtables.h | 61 ------------------------------------
include/xtables/internal.h | 60 +++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+), 61 deletions(-)
diff --git a/include/xtables.h b/include/xtables.h
index 157f355..5eba8ac 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -7,10 +7,6 @@
#include <libiptc/libxtc.h>
#include <stdbool.h>
-#ifndef XT_LIB_DIR
-#define XT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
@@ -21,43 +17,6 @@
#define IPPROTO_UDPLITE 136
#endif
-/* protocol family dependent informations */
-struct afinfo {
- /* protocol family */
- int family;
-
- /* prefix of library name (ex "libipt_" */
- char *libprefix;
-
- /* used by setsockopt (ex IPPROTO_IP */
- int ipproto;
-
- /* kernel module (ex "ip_tables" */
- char *kmod;
-
- /* optname to check revision support of match */
- int so_rev_match;
-
- /* optname to check revision support of match */
- int so_rev_target;
-};
-
-enum xt_tryload {
- DONT_LOAD,
- DURING_LOAD,
- TRY_LOAD,
- LOAD_MUST_SUCCEED
-};
-
-struct xtables_rule_match
-{
- struct xtables_rule_match *next;
- struct xtables_match *match;
- /* Multiple matches of the same type: the ones before
- the current one are completed from parsing point of view */
- unsigned int completed;
-};
-
/* Include file for additions: new matches and targets. */
struct xtables_match
{
@@ -171,30 +130,10 @@ struct xtables_target
#endif
};
-extern char *lib_dir;
-
-extern void *fw_calloc(size_t count, size_t size);
-extern void *fw_malloc(size_t size);
-
-extern const char *modprobe_program;
-extern int xtables_insmod(const char *modname, const char *modprobe, int quiet);
-extern int load_xtables_ko(const char *modprobe, int quiet);
-
-/* This is decleared in ip[6]tables.c */
-extern struct afinfo afinfo;
-
-/* Keeping track of external matches and targets: linked lists. */
-extern struct xtables_match *xtables_matches;
-extern struct xtables_target *xtables_targets;
-
/* Your shared library should call one of these. */
extern void xtables_register_match(struct xtables_match *me);
extern void xtables_register_target(struct xtables_target *me);
-extern struct xtables_match *find_match(const char *name, enum xt_tryload,
- struct xtables_rule_match **match);
-extern struct xtables_target *find_target(const char *name, enum xt_tryload);
-
extern int string_to_number_ll(const char *s,
unsigned long long min,
unsigned long long max,
diff --git a/include/xtables/internal.h b/include/xtables/internal.h
index 3be72e3..24a5078 100644
--- a/include/xtables/internal.h
+++ b/include/xtables/internal.h
@@ -1,6 +1,66 @@
#ifndef _XTABLES_INTERNAL_H
#define _XTABLES_INTERNAL_H 1
+#ifndef XT_LIB_DIR
+# define XT_LIB_DIR "/usr/local/lib/iptables"
+#endif
+
+/* protocol family dependent informations */
+struct afinfo {
+ /* protocol family */
+ int family;
+
+ /* prefix of library name (ex "libipt_" */
+ char *libprefix;
+
+ /* used by setsockopt (ex IPPROTO_IP */
+ int ipproto;
+
+ /* kernel module (ex "ip_tables" */
+ char *kmod;
+
+ /* optname to check revision support of match */
+ int so_rev_match;
+
+ /* optname to check revision support of match */
+ int so_rev_target;
+};
+
+enum xt_tryload {
+ DONT_LOAD,
+ DURING_LOAD,
+ TRY_LOAD,
+ LOAD_MUST_SUCCEED
+};
+
+struct xtables_rule_match {
+ struct xtables_rule_match *next;
+ struct xtables_match *match;
+ /* Multiple matches of the same type: the ones before
+ the current one are completed from parsing point of view */
+ unsigned int completed;
+};
+
+extern char *lib_dir;
+
+extern void *fw_calloc(size_t count, size_t size);
+extern void *fw_malloc(size_t size);
+
+extern const char *modprobe_program;
+extern int xtables_insmod(const char *modname, const char *modprobe, int quiet);
+extern int load_xtables_ko(const char *modprobe, int quiet);
+
+/* This is decleared in ip[6]tables.c */
+extern struct afinfo afinfo;
+
+/* Keeping track of external matches and targets: linked lists. */
+extern struct xtables_match *xtables_matches;
+extern struct xtables_target *xtables_targets;
+
+extern struct xtables_match *find_match(const char *name, enum xt_tryload,
+ struct xtables_rule_match **match);
+extern struct xtables_target *find_target(const char *name, enum xt_tryload);
+
extern void _init(void);
#endif /* _XTABLES_INTERNAL_H */
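Review bot: internal.h is not self-contained after this move: it uses `size_t` in `fw_calloc`/`fw_malloc` and `struct xtables_match`/`struct xtables_target` in `struct xtables_rule_match` and `find_match`/`find_target` without declaring or including them, and it only compiles because xtables.h includes it at its very end under `XTABLES_INTERNAL`. Either add `#include <stddef.h>` plus the forward declarations `struct xtables_match;` and `struct xtables_target;` at the top, or state the dependency in a comment: `/* Private to the iptables tree; included from the end of xtables.h, never directly. */`.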
--
1.5.5.rc3
* Re: [PATCH 03/13] xtables.h: move non-exported parts to internal.h
2008-04-10 7:38 ` [PATCH 03/13] xtables.h: move non-exported parts to internal.h Jan Engelhardt
@ 2008-04-13 5:10 ` Patrick McHardy
2008-04-13 6:07 ` Jan Engelhardt
From: Patrick McHardy @ 2008-04-13 5:10 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> A number of enums, structs, functions are not used by modules, so
> they do not need exporting.
> ---
> include/xtables.h | 61 ------------------------------------
> include/xtables/internal.h | 60 +++++++++++++++++++++++++++++++++++
> 2 files changed, 60 insertions(+), 61 deletions(-)
Applied.
I hope you made sure that none of this is used by tc ipt action
in iproute2. In case it is, please send a fix on top.
* Re: [PATCH 03/13] xtables.h: move non-exported parts to internal.h
2008-04-13 5:10 ` Patrick McHardy
@ 2008-04-13 6:07 ` Jan Engelhardt
2008-04-13 6:09 ` Patrick McHardy
From: Jan Engelhardt @ 2008-04-13 6:07 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Sunday 2008-04-13 07:10, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> A number of enums, structs, functions are not used by modules, so
>> they do not need exporting.
>> ---
>> include/xtables.h | 61 ------------------------------------
>> include/xtables/internal.h | 60 +++++++++++++++++++++++++++++++++++
>> 2 files changed, 60 insertions(+), 61 deletions(-)
>
> Applied.
>
> I hope you made sure that none of this is used by tc ipt action
> in iproute2. In case it is, please send a fix on top.
>
tc has its own copy of everything, so stands independent.
* Re: [PATCH 03/13] xtables.h: move non-exported parts to internal.h
2008-04-13 6:07 ` Jan Engelhardt
@ 2008-04-13 6:09 ` Patrick McHardy
From: Patrick McHardy @ 2008-04-13 6:09 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Sunday 2008-04-13 07:10, Patrick McHardy wrote:
>
>> Jan Engelhardt wrote:
>>> A number of enums, structs, functions are not used by modules, so
>>> they do not need exporting.
>>> ---
>>> include/xtables.h | 61 ------------------------------------
>>> include/xtables/internal.h | 60 +++++++++++++++++++++++++++++++++++
>>> 2 files changed, 60 insertions(+), 61 deletions(-)
>> Applied.
>>
>> I hope you made sure that none of this is used by tc ipt action
>> in iproute2. In case it is, please send a fix on top.
>>
> tc has its own copy of everything, so stands independent.
>
Right, thanks for verifying this.
* [PATCH 04/13] Add support for xt_hashlimit match revision 1
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 02/13] Fix all remaining warnings (missing declarations, missing prototypes) Jan Engelhardt
2008-04-10 7:38 ` [PATCH 03/13] xtables.h: move non-exported parts to internal.h Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-13 5:11 ` Patrick McHardy
2008-04-10 7:38 ` [PATCH 05/13] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_hashlimit.c | 398 ++++++++++++++++++++++--
extensions/libxt_hashlimit.man | 86 ++++--
include/linux/netfilter/xt_hashlimit.h | 38 ++-
3 files changed, 458 insertions(+), 64 deletions(-)
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 00b0304..45c2db1 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -10,7 +10,7 @@
*
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
-
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -45,6 +45,27 @@ static void hashlimit_help(void)
"\n", IPTABLES_VERSION, XT_HASHLIMIT_BURST);
}
+static void hashlimit_mt_help(void)
+{
+ printf(
+"hashlimit match options:\n"
+" --hashlimit-upto <avg> max average match rate\n"
+" [Packets per second unless followed by \n"
+" /sec /minute /hour /day postfixes]\n"
+" --hashlimit-above <avg> min average match rate\n"
+" --hashlimit-mode <mode> mode is a comma-separated list of\n"
+" dstip,srcip,dstport,srcport (or none)\n"
+" --hashlimit-srcmask <length> source address grouping prefix length\n"
+" --hashlimit-dstmask <length> destination address grouping prefix length\n"
+" --hashlimit-name <name> name for /proc/net/ipt_hashlimit\n"
+" --hashlimit-burst <num> number to match in a burst, default %u\n"
+" --hashlimit-htable-size <num> number of hashtable buckets\n"
+" --hashlimit-htable-max <num> number of hashtable entries\n"
+" --hashlimit-htable-gcinterval interval between garbage collection runs\n"
+" --hashlimit-htable-expire after which time are idle entries expired?\n"
+"\n", XT_HASHLIMIT_BURST);
+}
+
static const struct option hashlimit_opts[] = {
{ "hashlimit", 1, NULL, '%' },
{ "hashlimit-burst", 1, NULL, '$' },
@@ -57,6 +78,22 @@ static const struct option hashlimit_opts[] = {
{ .name = NULL }
};
+static const struct option hashlimit_mt_opts[] = {
+ {.name = "hashlimit-upto", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-above", .has_arg = true, .val = '^'},
+ {.name = "hashlimit", .has_arg = true, .val = '%'},
+ {.name = "hashlimit-srcmask", .has_arg = true, .val = '<'},
+ {.name = "hashlimit-dstmask", .has_arg = true, .val = '>'},
+ {.name = "hashlimit-burst", .has_arg = true, .val = '$'},
+ {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'},
+ {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'},
+ {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('},
+ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'},
+ {.name = "hashlimit-mode", .has_arg = true, .val = '_'},
+ {.name = "hashlimit-name", .has_arg = true, .val = '"'},
+ {},
+};
+
static
int parse_rate(const char *rate, u_int32_t *val)
{
@@ -98,15 +135,39 @@ static void hashlimit_init(struct xt_entry_match *m)
{
struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
+ r->cfg.mode = 0;
r->cfg.burst = XT_HASHLIMIT_BURST;
r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
r->cfg.expire = XT_HASHLIMIT_EXPIRE;
}
+static void hashlimit_mt4_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 32;
+ info->cfg.dstmask = 32;
+}
+
+static void hashlimit_mt6_init(struct xt_entry_match *match)
+{
+ struct xt_hashlimit_mtinfo1 *info = (void *)match->data;
+
+ info->cfg.mode = 0;
+ info->cfg.burst = XT_HASHLIMIT_BURST;
+ info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
+ info->cfg.expire = XT_HASHLIMIT_EXPIRE;
+ info->cfg.srcmask = 128;
+ info->cfg.dstmask = 128;
+}
/* Parse a 'mode' parameter into the required bitmask */
-static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
+static int parse_mode(uint32_t *mode, char *option_arg)
{
char *tok;
char *arg = strdup(option_arg);
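Review bot: `hashlimit_mt4_init` and `hashlimit_mt6_init` repeat the same four default assignments and differ only in the prefix length, whereas the parse side of this same patch already routes both families through one `hashlimit_mt_parse(..., maxmask)` helper; mirroring that shape here keeps the revision-1 defaults in a single place. The hunk ends inside parse_mode's local declarations.
```c
static void hashlimit_mt_init(struct xt_entry_match *match, unsigned int mask)
{
	struct xt_hashlimit_mtinfo1 *info = (void *)match->data;

	info->cfg.mode = 0;
	info->cfg.burst = XT_HASHLIMIT_BURST;
	info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
	info->cfg.expire = XT_HASHLIMIT_EXPIRE;
	/* Full-length prefix: every address forms its own bucket. */
	info->cfg.srcmask = mask;
	info->cfg.dstmask = mask;
}

static void hashlimit_mt4_init(struct xt_entry_match *match)
{
	hashlimit_mt_init(match, 32);
}

static void hashlimit_mt6_init(struct xt_entry_match *match)
{
	hashlimit_mt_init(match, 128);
}
```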
@@ -114,19 +175,17 @@ static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
if (!arg)
return -1;
- r->cfg.mode = 0;
-
for (tok = strtok(arg, ",|");
tok;
tok = strtok(NULL, ",|")) {
if (!strcmp(tok, "dstip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DIP;
+ *mode |= XT_HASHLIMIT_HASH_DIP;
else if (!strcmp(tok, "srcip"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SIP;
+ *mode |= XT_HASHLIMIT_HASH_SIP;
else if (!strcmp(tok, "srcport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_SPT;
+ *mode |= XT_HASHLIMIT_HASH_SPT;
else if (!strcmp(tok, "dstport"))
- r->cfg.mode |= XT_HASHLIMIT_HASH_DPT;
+ *mode |= XT_HASHLIMIT_HASH_DPT;
else {
free(arg);
return -1;
@@ -136,14 +195,18 @@ static int parse_mode(struct xt_hashlimit_info *r, char *option_arg)
return 0;
}
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
+enum {
+ PARAM_LIMIT = 1 << 0,
+ PARAM_BURST = 1 << 1,
+ PARAM_MODE = 1 << 2,
+ PARAM_NAME = 1 << 3,
+ PARAM_SIZE = 1 << 4,
+ PARAM_MAX = 1 << 5,
+ PARAM_GCINTERVAL = 1 << 6,
+ PARAM_EXPIRE = 1 << 7,
+ PARAM_SRCMASK = 1 << 8,
+ PARAM_DSTMASK = 1 << 9,
+};
/* Function which parses command options; returns true if it
ate an option */
@@ -224,7 +287,7 @@ hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
*flags & PARAM_MODE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (parse_mode(r, optarg) < 0)
+ if (parse_mode(&r->cfg.mode, optarg) < 0)
exit_error(PARAMETER_PROBLEM,
"bad --hashlimit-mode: `%s'\n", optarg);
*flags |= PARAM_MODE;
@@ -249,6 +312,146 @@ hashlimit_parse(int c, char **argv, int invert, unsigned int *flags,
return 1;
}
+static int
+hashlimit_mt_parse(struct xt_hashlimit_mtinfo1 *info, unsigned int *flags,
+ int c, int invert, unsigned int maxmask)
+{
+ unsigned int num;
+
+ switch(c) {
+ case '%': /* --hashlimit / --hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-upto",
+ *flags & PARAM_LIMIT);
+ if (invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-upto", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '^': /* --hashlimit-above == !--hashlimit-below */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-above",
+ *flags & PARAM_LIMIT);
+ if (!invert)
+ info->cfg.mode |= XT_HASHLIMIT_INVERT;
+ if (!parse_rate(optarg, &info->cfg.avg))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-above", optarg);
+ *flags |= PARAM_LIMIT;
+ return true;
+
+ case '$': /* --hashlimit-burst */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
+ if (!strtonum(optarg, NULL, &num, 0, 10000))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-burst", optarg);
+ info->cfg.burst = num;
+ *flags |= PARAM_BURST;
+ return true;
+
+ case '&': /* --hashlimit-htable-size */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-size", optarg);
+ info->cfg.size = num;
+ *flags |= PARAM_SIZE;
+ return true;
+
+ case '*': /* --hashlimit-htable-max */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-max", optarg);
+ info->cfg.max = num;
+ *flags |= PARAM_MAX;
+ return true;
+
+ case '(': /* --hashlimit-htable-gcinterval */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-gcinterval", optarg);
+ /* FIXME: not HZ dependent!! */
+ info->cfg.gc_interval = num;
+ *flags |= PARAM_GCINTERVAL;
+ return true;
+
+ case ')': /* --hashlimit-htable-expire */
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
+ if (!strtonum(optarg, NULL, &num, 0, 0xffffffff))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-htable-expire", optarg);
+ /* FIXME: not HZ dependent */
+ info->cfg.expire = num;
+ *flags |= PARAM_EXPIRE;
+ return true;
+
+ case '_':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
+ if (parse_mode(&info->cfg.mode, optarg) < 0)
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-mode", optarg);
+ *flags |= PARAM_MODE;
+ return true;
+
+ case '"': /* --hashlimit-name */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
+ if (strlen(optarg) == 0)
+ exit_error(PARAMETER_PROBLEM, "Zero-length name?");
+ strncpy(info->name, optarg, sizeof(info->name));
+ info->name[sizeof(info->name)-1] = '\0';
+ *flags |= PARAM_NAME;
+ return true;
+
+ case '<': /* --hashlimit-srcmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-srcmask",
+ *flags & PARAM_SRCMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-srcmask", optarg);
+ info->cfg.srcmask = num;
+ *flags |= PARAM_SRCMASK;
+ return true;
+
+ case '>': /* --hashlimit-dstmask */
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-dstmask",
+ *flags & PARAM_DSTMASK);
+ if (!strtonum(optarg, NULL, &num, 0, maxmask))
+ param_act(P_BAD_VALUE, "hashlimit",
+ "--hashlimit-dstmask", optarg);
+ info->cfg.dstmask = num;
+ *flags |= PARAM_DSTMASK;
+ return true;
+ }
+ return false;
+}
+
+static int
+hashlimit_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 32);
+}
+
+static int
+hashlimit_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return hashlimit_mt_parse((void *)(*match)->data,
+ flags, c, invert, 128);
+}
+
/* Final check; nothing. */
static void hashlimit_check(unsigned int flags)
{
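Review bot: `case '"'` silently truncates a long `--hashlimit-name`: `strncpy(info->name, optarg, sizeof(info->name));` followed by forcing the last byte to NUL means two rules whose names differ only beyond the buffer length end up with the same name and, presumably, share one hash table in the kernel, with no diagnostic to the administrator. Reject instead of truncating, right after the zero-length check: `if (strlen(optarg) >= sizeof(info->name)) exit_error(PARAMETER_PROBLEM, "--hashlimit-name too long (max %zu)", sizeof(info->name) - 1);`. Separately, the `case '%'` and `case '^'` comments refer to `--hashlimit-below`, which does not exist in `hashlimit_mt_opts`; they should read `/* --hashlimit / --hashlimit-upto */` and `/* --hashlimit-above == !--hashlimit-upto */`.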
@@ -263,6 +466,16 @@ static void hashlimit_check(unsigned int flags)
"You have to specify --hashlimit-name");
}
+static void hashlimit_mt_check(unsigned int flags)
+{
+ if (!(flags & PARAM_LIMIT))
+ exit_error(PARAMETER_PROBLEM, "You have to specify "
+ "--hashlimit-upto or --hashlimit-above");
+ if (!(flags & PARAM_NAME))
+ exit_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit-name");
+}
+
static const struct rates
{
const char *name;
@@ -285,29 +498,27 @@ static void print_rate(u_int32_t period)
printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
}
-static void print_mode(const struct xt_hashlimit_info *r, char separator)
+static void print_mode(unsigned int mode, char separator)
{
- int prevmode = 0;
+ bool prevmode = false;
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
- if (prevmode)
- putchar(separator);
+ if (mode & XT_HASHLIMIT_HASH_SIP) {
fputs("srcip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_SPT) {
+ if (mode & XT_HASHLIMIT_HASH_SPT) {
if (prevmode)
putchar(separator);
fputs("srcport", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
+ if (mode & XT_HASHLIMIT_HASH_DIP) {
if (prevmode)
putchar(separator);
fputs("dstip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & XT_HASHLIMIT_HASH_DPT) {
+ if (mode & XT_HASHLIMIT_HASH_DPT) {
if (prevmode)
putchar(separator);
fputs("dstport", stdout);
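Review bot: `prevmode` is now declared `bool` on the new side, but the unchanged assignments in this hunk still write `prevmode = 1;` in the `srcip`, `srcport` and `dstip` branches; with the declaration changed, `prevmode = true;` keeps the function consistent with its own type. Dropping the `if (prevmode)` test from the first branch is correct, since the flag cannot yet be set there. print_mode's body continues past the end of the hunk.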
@@ -324,7 +535,7 @@ static void hashlimit_print(const void *ip,
fputs("limit: avg ", stdout); print_rate(r->cfg.avg);
printf("burst %u ", r->cfg.burst);
fputs("mode ", stdout);
- print_mode(r, '-');
+ print_mode(r->cfg.mode, '-');
if (r->cfg.size)
printf("htable-size %u ", r->cfg.size);
if (r->cfg.max)
@@ -335,6 +546,53 @@ static void hashlimit_print(const void *ip,
printf("htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("limit: above ", stdout);
+ else
+ fputs("limit: up to ", stdout);
+ print_rate(info->cfg.avg);
+ printf("burst %u ", info->cfg.burst);
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("mode ", stdout);
+ print_mode(info->cfg.mode, '-');
+ }
+ if (info->cfg.size != 0)
+ printf("htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("htable-gcinterval %u ", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 32);
+}
+
+static void
+hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_print(info, 128);
+}
+
/* FIXME: Make minimalist: only print rate if not default --RR */
static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
{
@@ -346,7 +604,7 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
printf("--hashlimit-burst %u ", r->cfg.burst);
fputs("--hashlimit-mode ", stdout);
- print_mode(r, ',');
+ print_mode(r->cfg.mode, ',');
printf("--hashlimit-name %s ", r->name);
@@ -360,10 +618,61 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
printf("--hashlimit-htable-expire %u ", r->cfg.expire);
}
+static void
+hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
+{
+ if (info->cfg.mode & XT_HASHLIMIT_INVERT)
+ fputs("--hashlimit-above ", stdout);
+ else
+ fputs("--hashlimit-upto ", stdout);
+ print_rate(info->cfg.avg);
+ if (info->cfg.burst != XT_HASHLIMIT_BURST)
+ printf("--hashlimit-burst %u ", info->cfg.burst);
+
+ if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
+ XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
+ fputs("--hashlimit-mode ", stdout);
+ print_mode(info->cfg.mode, ',');
+ }
+
+ printf("--hashlimit-name %s ", info->name);
+
+ if (info->cfg.size != 0)
+ printf("--hashlimit-htable-size %u ", info->cfg.size);
+ if (info->cfg.max != 0)
+ printf("--hashlimit-htable-max %u ", info->cfg.max);
+ if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
+ printf("--hashlimit-htable-gcinterval %u", info->cfg.gc_interval);
+ if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ printf("--hashlimit-htable-expire %u ", info->cfg.expire);
+
+ if (info->cfg.srcmask != dmask)
+ printf("--hashlimit-srcmask %u ", info->cfg.srcmask);
+ if (info->cfg.dstmask != dmask)
+ printf("--hashlimit-dstmask %u ", info->cfg.dstmask);
+}
+
+static void
+hashlimit_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 32);
+}
+
+static void
+hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data;
+
+ hashlimit_mt_save(info, 128);
+}
+
static struct xtables_match hashlimit_match = {
.family = AF_INET,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
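Review bot: The `--hashlimit-htable-gcinterval` line in hashlimit_mt_save is the only option in the function printed without a trailing space, so when a non-default gcinterval and a non-default expire are both set, the saved rule runs the two options together (`... %u--hashlimit-htable-expire ...`) and iptables-restore cannot parse it back. Change it to `printf("--hashlimit-htable-gcinterval %u ", info->cfg.gc_interval);`. The print counterpart in the earlier hunk already emits the space.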
@@ -379,6 +688,7 @@ static struct xtables_match hashlimit_match6 = {
.family = AF_INET6,
.name = "hashlimit",
.version = IPTABLES_VERSION,
+ .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_hashlimit_info)),
.userspacesize = offsetof(struct xt_hashlimit_info, hinfo),
.help = hashlimit_help,
@@ -390,8 +700,42 @@ static struct xtables_match hashlimit_match6 = {
.extra_opts = hashlimit_opts,
};
+static struct xtables_match hashlimit_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt4_init,
+ .parse = hashlimit_mt4_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt4_print,
+ .save = hashlimit_mt4_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
+static struct xtables_match hashlimit_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "hashlimit",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)),
+ .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
+ .help = hashlimit_mt_help,
+ .init = hashlimit_mt6_init,
+ .parse = hashlimit_mt6_parse,
+ .final_check = hashlimit_mt_check,
+ .print = hashlimit_mt6_print,
+ .save = hashlimit_mt6_save,
+ .extra_opts = hashlimit_mt_opts,
+};
+
void _init(void)
{
xtables_register_match(&hashlimit_match);
xtables_register_match(&hashlimit_match6);
+ xtables_register_match(&hashlimit_mt_reg);
+ xtables_register_match(&hashlimit_mt6_reg);
}
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index c8128ec..e74aedf 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -1,35 +1,59 @@
-This patch adds a new match called 'hashlimit'.
-The idea is to have something like 'limit', but either per
-destination-ip or per (destip,destport) tuple.
-
-It gives you the ability to express
-.IP
- '1000 packets per second for every host in 192.168.0.0/16'
-.IP
- '100 packets per second for every service of 192.168.1.1'
-.P
-with a single iptables rule.
-.TP
-.BI "--hashlimit " "rate"
-A rate just like the limit match
-.TP
-.BI "--hashlimit-burst " "num"
-Burst value, just like limit match
-.TP
-.BI "--hashlimit-mode " "dstip,srcip,dstport,srcport"
-A comma-separated list of objects to take into consideration
-.TP
-.BI "--hashlimit-name " "foo"
-The name for the /proc/net/ipt_hashlimit/foo entry
-.TP
-.BI "--hashlimit-htable-size " "num"
+\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the
+\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables
+rule. Grouping can be done per-hostgroup (source and/or destination address)
+and/or per-port. It gives you the ability to express "\fIN\fR packets per time
+quantum per group":
+.TP
+matching on source host
+"1000 packets per second for every host in 192.168.0.0/16"
+.TP
+matching on source prot
+"100 packets per second for every service of 192.168.1.1"
+.TP
+matching on subnet
+"10000 packets per minute for every /28 subnet in 10.0.0.0/8"
+.PP
+A hash limit option (\fB--hashlimit-upto\fR, \fB--hashlimit-above\fR) and
+\fB--hashlimit-name\fR are required.
+.TP
+\fB--hashlimit-upto\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as
+a number, with an optional time quantum suffix; the default is 3/hour.
+.TP
+\fB--hashlimit-above\fR \fIamount\fR[\fB/second\fR|\fB/minute\fR|\fB/hour\fR|\fB/day\fR]
+Match if the rate is above \fIamount\fR/quantum.
+.TP
+\fB--hashlimit-burst\fR \fIamount\fR
+Maximum initial number of packets to match: this number gets recharged by one
+every time the limit specified above is not reached, up to this number; the
+default is 5.
+.TP
+\fB--hashlimit-mode\fR [\fBsrcip\fR|\fBsrcport\fR|\fBdstip\fR|\fBdstport\fR[\fB,\fR...]]
+A comma-separated list of objects to take into consideration. If no
+--hashlimit-mode option is given, hashlimit acts like limit, but at the
+expensive of doing the hash housekeeping.
+.TP
+\fB--hashlimit-srcmask\fR \fIprefix\fR
+When --hashlimit-mode srcip is used, all source addresses encountered will be
+grouped according to the given prefix length and the so-created subnet will be
+subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note
+that --hashlimit-srcmask 0 is basically doing the same thing as not specifying
+srcip for --hashlimit-mode, but is technically more expensive.
+.TP
+\fB--hashlimit-dstmask\fR \fIprefix\fR
+Like --hashlimit-srcmask, but for destination addresses.
+.TP
+\fB--hashlimit-name\fR \fIfoo\fR
+The name for the /proc/net/ipt_hashlimit/foo entry.
+.TP
+\fB--hashlimit-htable-size\fR \fIbuckets\fR
The number of buckets of the hash table
.TP
-.BI "--hashlimit-htable-max " "num"
-Maximum entries in the hash
+\fB--hashlimit-htable-max\fR \fIentries\fR
+Maximum entries in the hash.
.TP
-.BI "--hashlimit-htable-expire " "num"
-After how many miliseconds do hash entries expire
+\fB--hashlimit-htable-expire\fR \fImsec\fR
+After how many miliseconds do hash entries expire.
.TP
-.BI "--hashlimit-htable-gcinterval " "num"
-How many miliseconds between garbage collection intervals
+\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
+How many miliseconds between garbage collection intervals.
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index b4556b8..51b18d8 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
-#define XT_HASHLIMIT_HASH_DIP 0x0001
-#define XT_HASHLIMIT_HASH_DPT 0x0002
-#define XT_HASHLIMIT_HASH_SIP 0x0004
-#define XT_HASHLIMIT_HASH_SPT 0x0008
+enum {
+ XT_HASHLIMIT_HASH_DIP = 1 << 0,
+ XT_HASHLIMIT_HASH_DPT = 1 << 1,
+ XT_HASHLIMIT_HASH_SIP = 1 << 2,
+ XT_HASHLIMIT_HASH_SPT = 1 << 3,
+ XT_HASHLIMIT_INVERT = 1 << 4,
+};
struct hashlimit_cfg {
- u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
@@ -29,12 +32,35 @@ struct hashlimit_cfg {
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
- struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo;
union {
void *ptr;
struct xt_hashlimit_info *master;
} u;
};
+
+struct hashlimit_cfg1 {
+ u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+ /* user specified */
+ u_int32_t size; /* how many buckets */
+ u_int32_t max; /* max number of entries */
+ u_int32_t gc_interval; /* gc interval */
+ u_int32_t expire; /* when do entries expire? */
+
+ u_int8_t srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+ char name[IFNAMSIZ];
+ struct hashlimit_cfg1 cfg;
+
+ /* Used internally by the kernel */
+ struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
#endif /*_XT_HASHLIMIT_H*/
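Review bot: `u_int8_t srcmask, dstmask;` is the only field pair in struct hashlimit_cfg1 without a comment, and the two-per-line form breaks the one-field-per-line layout used by the rest of the struct. Suggest `u_int8_t srcmask; /* prefix length for grouping source addresses */` and `u_int8_t dstmask; /* prefix length for grouping destination addresses */`; the userspace parser in this patch bounds them at 32 (IPv4) and 128 (IPv6), which is worth recording here since the header appears to be shared with the kernel.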
--
1.5.5.rc3
* [PATCH 05/13] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
iptables and ip6tables will now recognize the XTABLES_LIBDIR environment
variable as the directory to look in for extensions before falling back to the (old) IPT_LIB_DIR
or IP6T_LIB_DIR (depending on the program) or the default location (/usr..).
XTABLES_LIBDIR can also take multiple directories (like PATH, separated
by colon).
---
configure.ac | 13 ++---
extensions/GNUmakefile.in | 6 +-
include/ip6tables.h | 4 --
include/iptables.h | 4 --
ip6tables-restore.c | 11 +++-
ip6tables-save.c | 11 +++-
ip6tables-standalone.c | 11 +++-
iptables-restore.c | 11 +++-
iptables-save.c | 11 +++-
iptables-standalone.c | 11 +++-
libiptc/libiptc.c | 4 --
xtables.c | 94 ++++++++++++++++++++-----------------
12 files changed, 108 insertions(+), 83 deletions(-)
diff --git a/configure.ac b/configure.ac
index c816b2e..5aa0557 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,11 +22,11 @@ AC_ARG_WITH([ksource],
AS_HELP_STRING([--with-ksource=PATH],
[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
[ksourcedir="$withval"])
-AC_ARG_WITH([iptdir],
- AS_HELP_STRING([--with-iptdir=PATH],
+AC_ARG_WITH([xtlibdir],
+ AS_HELP_STRING([--with-xtlibdir=PATH],
[Path to iptables modules [[LIBEXECDIR/iptables]]]),
- [iptdir="$withval"],
- [iptdir="${libexecdir}/iptables"])
+ [xtlibdir="$withval"],
+ [xtlibdir="${libexecdir}/iptables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
[Build and install development files (libipq, libipq-devel, iptables-devel)]))
@@ -40,12 +40,11 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
- -DIPT_LIB_DIR=\\\"\${iptdir}\\\" -DIP6T_LIB_DIR=\\\"\${iptdir}\\\"";
-regular_CFLAGS="$regular_CFLAGS -DXTABLES_INTERNAL"
+ -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL";
kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
-AC_SUBST([iptdir])
+AC_SUBST([xtlibdir])
AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index cf094f2..ee20469 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -7,7 +7,7 @@ prefix := @prefix@
exec_prefix := @exec_prefix@
libdir := @libdir@
libexecdir := @libexecdir@
-iptdir := @iptdir@
+xtlibdir := @xtlibdir@
CC := @CC@
CCLD := ${CC}
@@ -82,8 +82,8 @@ targets_install :=
all: ${targets}
install: ${targets_install}
- @mkdir -p "${DESTDIR}${iptdir}";
- install -pm0755 $^ "${DESTDIR}${iptdir}/";
+ @mkdir -p "${DESTDIR}${xtlibdir}";
+ install -pm0755 $^ "${DESTDIR}${xtlibdir}/";
clean:
rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
diff --git a/include/ip6tables.h b/include/ip6tables.h
index 4a511b7..e1539eb 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -5,10 +5,6 @@
#include "libiptc/libip6tc.h"
-#ifndef IP6T_LIB_DIR
-#define IP6T_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IP6T_SO_GET_REVISION_MATCH 68
#define IP6T_SO_GET_REVISION_TARGET 69
diff --git a/include/iptables.h b/include/iptables.h
index 7ce9080..094c64e 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -4,10 +4,6 @@
#include "xtables.h"
#include "libiptc/libiptc.h"
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR XT_LIB_DIR
-#endif
-
#ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index e9cc0ff..2c3e95d 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -131,9 +131,14 @@ int main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
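Review bot: Only a NULL result from `getenv("XTABLES_LIBDIR")` falls through to the old variable and the compiled-in default; a variable that is set but empty (`XTABLES_LIBDIR=`) yields `""`, which passes both checks and is handed to the extension loader, where an empty path element expands to `/libxt_<name>.so`, i.e. the filesystem root rather than the default directory. Treating an empty value as unset, `if (lib_dir == NULL || *lib_dir == '\0')` on both tests, avoids that. The same pattern is repeated in the ip6tables-save.c, ip6tables-standalone.c, iptables-restore.c, iptables-save.c and iptables-standalone.c hunks. main() begins before this hunk.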
diff --git a/ip6tables-save.c b/ip6tables-save.c
index e7eade1..e440887 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -332,9 +332,14 @@ int main(int argc, char *argv[])
program_name = "ip6tables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 4029c1f..1bb81bc 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -52,9 +52,14 @@ main(int argc, char *argv[])
program_name = "ip6tables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IP6TABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IP6T_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IP6TABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IP6TABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-restore.c b/iptables-restore.c
index b751d2c..f556fa5 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -132,9 +132,14 @@ main(int argc, char *argv[])
program_version = IPTABLES_VERSION;
line = 0;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-save.c b/iptables-save.c
index c0c37ed..1ce2090 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -357,9 +357,14 @@ main(int argc, char *argv[])
program_name = "iptables-save";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 55c7ce9..369adaf 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -53,9 +53,14 @@ main(int argc, char *argv[])
program_name = "iptables";
program_version = IPTABLES_VERSION;
- lib_dir = getenv("IPTABLES_LIB_DIR");
- if (!lib_dir)
- lib_dir = IPT_LIB_DIR;
+ lib_dir = getenv("XTABLES_LIBDIR");
+ if (lib_dir == NULL) {
+ lib_dir = getenv("IPTABLES_LIB_DIR");
+ if (lib_dir != NULL)
+ fprintf(stderr, "IPTABLES_LIB_DIR is deprecated\n");
+ }
+ if (lib_dir == NULL)
+ lib_dir = XTABLES_LIBDIR;
#ifdef NO_SHARED_LIBS
init_extensions();
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index de8dc60..2b788c1 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -46,10 +46,6 @@
#define debug(x, args...)
#endif
-#ifndef IPT_LIB_DIR
-#define IPT_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
static int sockfd = -1;
static int sockfd_use = 0;
static void *iptc_fn = NULL;
diff --git a/xtables.c b/xtables.c
index 89863d7..b26b416 100644
--- a/xtables.c
+++ b/xtables.c
@@ -305,12 +305,58 @@ void parse_interface(const char *arg, char *vianame, unsigned char *mask)
}
}
+static void *load_extension(const char *search_path, const char *prefix,
+ const char *name, bool is_target)
+{
+ const char *dir = search_path, *next;
+ void *ptr = NULL;
+ struct stat sb;
+ char path[256];
+
+ do {
+ next = strchr(dir, ':');
+ if (next == NULL)
+ next = dir + strlen(dir);
+ snprintf(path, sizeof(path), "%.*s/libxt_%s.so",
+ next - dir, dir, name);
+
+ if (dlopen(path, RTLD_NOW) != NULL) {
+ /* Found library. If it didn't register itself,
+ maybe they specified target as match. */
+ if (is_target)
+ ptr = find_target(name, DONT_LOAD);
+ else
+ ptr = find_match(name, DONT_LOAD, NULL);
+ } else if (stat(path, &sb) == 0) {
+ fprintf(stderr, "%s: %s\n", path, dlerror());
+ }
+
+ if (ptr != NULL)
+ return ptr;
+
+ snprintf(path, sizeof(path), "%.*s/%s%s.so",
+ next - dir, dir, prefix, name);
+ if (dlopen(path, RTLD_NOW) != NULL) {
+ if (is_target)
+ ptr = find_target(name, DONT_LOAD);
+ else
+ ptr = find_match(name, DONT_LOAD, NULL);
+ } else if (stat(path, &sb) == 0) {
+ fprintf(stderr, "%s: %s\n", path, dlerror());
+ }
+
+ if (ptr != NULL)
+ return ptr;
+
+ dir = next + 1;
+ } while (*next != '\0');
+
+ return NULL;
+}
+
struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_rule_match **matches)
{
-#ifndef NO_SHARED_LIBS
- struct stat sb;
-#endif
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
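Review bot: `%.*s` takes an `int` precision, but `next - dir` is a `ptrdiff_t`, so both snprintf calls in load_extension pass the wrong argument type through the variadic list (undefined behavior per the C standard and a -Wformat warning); write `(int)(next - dir)` in both calls. An empty search-path element (leading, trailing or doubled colon, or an empty string) makes `next == dir`, the path collapses to `/libxt_<name>.so`, and the loop probes the filesystem root; skipping such elements with `if (next == dir) { dir = next + 1; continue; }` at the top of the loop body keeps the search within the configured directories. The fixed `path[256]` also replaces the exactly-sized VLA of the removed code, so the snprintf return value should be checked for truncation before dlopen. find_match continues outside the hunk.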
@@ -343,25 +389,7 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- char path[strlen(lib_dir) + sizeof("/.so")
- + strlen(afinfo.libprefix) + strlen(name)];
-
- sprintf(path, "%s/libxt_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- /* Found library. If it didn't register itself,
- maybe they specified target as match. */
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
-
- if (ptr == NULL) {
- sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
- name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_match(name, DONT_LOAD, NULL);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
- }
+ ptr = load_extension(lib_dir, afinfo.libprefix, name, false);
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
@@ -403,9 +431,6 @@ struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
{
-#ifndef NO_SHARED_LIBS
- struct stat sb;
-#endif
struct xtables_target *ptr;
/* Standard target? */
@@ -423,25 +448,8 @@ struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
- char path[strlen(lib_dir) + sizeof("/.so")
- + strlen(afinfo.libprefix) + strlen(name)];
+ ptr = load_extension(lib_dir, afinfo.libprefix, name, true);
- sprintf(path, "%s/libxt_%s.so", lib_dir, name);
- if (dlopen(path, RTLD_NOW) != NULL)
- /* Found library. If it didn't register itself,
- maybe they specified match as a target. */
- ptr = find_target(name, DONT_LOAD);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
-
- if (ptr == NULL) {
- sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
- name);
- if (dlopen(path, RTLD_NOW) != NULL)
- ptr = find_target(name, DONT_LOAD);
- else if (stat(path, &sb) == 0)
- fprintf(stderr, "%s: %s\n", path, dlerror());
- }
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
"Couldn't load target `%s':%s\n",
--
1.5.5.rc3
* Re: [PATCH 05/13] Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
From: Patrick McHardy @ 2008-04-13 5:16 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> iptables and ip6tables will now recognize the XTABLES_LIBDIR environment
> variable for extensions to look in before going to the (old) IPT_LIB_DIR
> or IP6T_LIB_DIR (depending on program!) or the default location (/usr..).
>
> XTABLES_LIBDIR can also take multiple directories (like PATH, separated
> by colon).
> ---
> configure.ac | 13 ++---
> extensions/GNUmakefile.in | 6 +-
> include/ip6tables.h | 4 --
> include/iptables.h | 4 --
> ip6tables-restore.c | 11 +++-
> ip6tables-save.c | 11 +++-
> ip6tables-standalone.c | 11 +++-
> iptables-restore.c | 11 +++-
> iptables-save.c | 11 +++-
> iptables-standalone.c | 11 +++-
> libiptc/libiptc.c | 4 --
> xtables.c | 94 ++++++++++++++++++++-----------------
> 12 files changed, 108 insertions(+), 83 deletions(-)
Applied.
* [PATCH 06/13] Move libipt_recent to libxt_recent
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/{libipt_recent.c => libxt_recent.c} | 122 ++++++------
extensions/{libipt_recent.man => libxt_recent.man} | 2 +-
include/linux/netfilter/xt_recent.h | 26 +++
include/linux/netfilter_ipv4/ipt_recent.h | 27 ---
4 files changed, 88 insertions(+), 89 deletions(-)
rename extensions/{libipt_recent.c => libxt_recent.c} (67%)
rename extensions/{libipt_recent.man => libxt_recent.man} (99%)
create mode 100644 include/linux/netfilter/xt_recent.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h
diff --git a/extensions/libipt_recent.c b/extensions/libxt_recent.c
similarity index 67%
rename from extensions/libipt_recent.c
rename to extensions/libxt_recent.c
index ace778e..2fc5dca 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libxt_recent.c
@@ -5,28 +5,15 @@
#include <stdlib.h>
#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
-
-/* Need these in order to not fail when compiling against an older kernel. */
-#ifndef RECENT_NAME
-#define RECENT_NAME "ipt_recent"
-#endif /* RECENT_NAME */
-
-#ifndef RECENT_VER
-#define RECENT_VER "unknown"
-#endif /* RECENT_VER */
-
-#ifndef IPT_RECENT_NAME_LEN
-#define IPT_RECENT_NAME_LEN 200
-#endif /* IPT_RECENT_NAME_LEN */
+#include <xtables.h>
+#include <linux/netfilter/xt_recent.h>
/* Options for this module */
static const struct option recent_opts[] = {
- { .name = "set", .has_arg = 0, .val = 201 },
- { .name = "rcheck", .has_arg = 0, .val = 202 },
+ { .name = "set", .has_arg = 0, .val = 201 },
+ { .name = "rcheck", .has_arg = 0, .val = 202 },
{ .name = "update", .has_arg = 0, .val = 203 },
- { .name = "seconds", .has_arg = 1, .val = 204 },
+ { .name = "seconds", .has_arg = 1, .val = 204 },
{ .name = "hitcount", .has_arg = 1, .val = 205 },
{ .name = "remove", .has_arg = 0, .val = 206 },
{ .name = "rttl", .has_arg = 0, .val = 207 },
@@ -40,7 +27,7 @@ static const struct option recent_opts[] = {
static void recent_help(void)
{
printf(
-"recent v%s options:\n"
+"\"recent\" match options:\n"
"[!] --set Add source address to list, always matches.\n"
"[!] --rcheck Match if source address in list.\n"
"[!] --update Match if source address in list, also update last-seen time.\n"
@@ -59,23 +46,20 @@ static void recent_help(void)
" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
" --rdest Match/Save the destination address of each packet in the recent list table.\n"
-RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
-,
-IPTABLES_VERSION);
-
+"ipt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
+);
}
-
+
/* Initialize the match. */
static void recent_init(struct xt_entry_match *match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
-
+ struct xt_recent_mtinfo *info = (void *)(match)->data;
- strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
- /* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
+ strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
+ /* even though XT_RECENT_NAME_LEN is currently defined as 200,
* better be safe, than sorry */
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
- info->side = IPT_RECENT_SOURCE;
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
+ info->side = XT_RECENT_SOURCE;
}
/* Function which parses command options; returns true if it
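Review bot: recent_init bounds the copy with `XT_RECENT_NAME_LEN` and terminates at `XT_RECENT_NAME_LEN-1`, which is only safe as long as the macro equals the size of `info->name` (presumably the array is declared with it; the comment beside the call acknowledges the coupling). Using `sizeof(info->name)` in both places ties the bound to the actual field and makes the comment unnecessary; the `--name` handling (case 208) in a later hunk of this file has the same pattern. recent_init is complete within the hunk.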
@@ -83,24 +67,25 @@ static void recent_init(struct xt_entry_match *match)
static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
+ struct xt_recent_mtinfo *info = (void *)(*match)->data;
+
switch (c) {
case 201:
if (*flags) exit_error(PARAMETER_PROBLEM,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_SET;
+ info->check_set |= XT_RECENT_SET;
if (invert) info->invert = 1;
*flags = 1;
break;
-
+
case 202:
if (*flags) exit_error(PARAMETER_PROBLEM,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_CHECK;
+ info->check_set |= XT_RECENT_CHECK;
if(invert) info->invert = 1;
*flags = 1;
break;
@@ -110,7 +95,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_UPDATE;
+ info->check_set |= XT_RECENT_UPDATE;
if (invert) info->invert = 1;
*flags = 1;
break;
@@ -120,7 +105,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
"recent: only one of `--set', `--rcheck' "
"`--update' or `--remove' may be set");
check_inverse(optarg, &invert, &optind, 0);
- info->check_set |= IPT_RECENT_REMOVE;
+ info->check_set |= XT_RECENT_REMOVE;
if (invert) info->invert = 1;
*flags = 1;
break;
@@ -134,20 +119,20 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case 207:
- info->check_set |= IPT_RECENT_TTL;
+ info->check_set |= XT_RECENT_TTL;
break;
case 208:
- strncpy(info->name,optarg,IPT_RECENT_NAME_LEN);
- info->name[IPT_RECENT_NAME_LEN-1] = '\0';
+ strncpy(info->name,optarg, XT_RECENT_NAME_LEN);
+ info->name[XT_RECENT_NAME_LEN-1] = '\0';
break;
case 209:
- info->side = IPT_RECENT_SOURCE;
+ info->side = XT_RECENT_SOURCE;
break;
case 210:
- info->side = IPT_RECENT_DEST;
+ info->side = XT_RECENT_DEST;
break;
default:
@@ -171,50 +156,65 @@ static void recent_check(unsigned int flags)
static void recent_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
if (info->invert)
fputc('!', stdout);
printf("recent: ");
- if(info->check_set & IPT_RECENT_SET) printf("SET ");
- if(info->check_set & IPT_RECENT_CHECK) printf("CHECK ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("SET ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("CHECK ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("UPDATE ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("REMOVE ");
if(info->seconds) printf("seconds: %d ",info->seconds);
if(info->hit_count) printf("hit_count: %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match ");
+ if (info->check_set & XT_RECENT_TTL)
+ printf("TTL-Match ");
if(info->name) printf("name: %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("side: source ");
- if(info->side == IPT_RECENT_DEST) printf("side: dest");
+ if (info->side == XT_RECENT_SOURCE)
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest");
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
static void recent_save(const void *ip, const struct xt_entry_match *match)
{
- struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
+ const struct xt_recent_mtinfo *info = (const void *)match->data;
if (info->invert)
printf("! ");
- if(info->check_set & IPT_RECENT_SET) printf("--set ");
- if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
- if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
- if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
+ if (info->check_set & XT_RECENT_SET)
+ printf("--set ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("--rcheck ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("--update ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("--remove ");
if(info->seconds) printf("--seconds %d ",info->seconds);
if(info->hit_count) printf("--hitcount %d ",info->hit_count);
- if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
+ if (info->check_set & XT_RECENT_TTL)
+ printf("--rttl ");
if(info->name) printf("--name %s ",info->name);
- if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
- if(info->side == IPT_RECENT_DEST) printf("--rdest ");
+ if (info->side == XT_RECENT_SOURCE)
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
}
/* Structure for iptables to use to communicate with module */
-static struct iptables_match recent_match = {
+static struct xtables_match recent_match = {
.name = "recent",
.version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_recent_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_recent_info)),
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
.help = recent_help,
.init = recent_init,
.parse = recent_parse,
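Review bot: `seconds` and `hit_count` are u_int32_t in the new xt_recent_mtinfo, but recent_print and recent_save still format them with `%d`; `%u` is the matching conversion, e.g. `printf("seconds: %u ", info->seconds);` and `printf("--seconds %u ", info->seconds);`. The `if(info->name)` tests in both functions are always true because `name` is an array member of the struct; `if (info->name[0] != '\0')` expresses the intended check. These are unchanged context lines, but since the hunk already reflows the neighbouring conditionals it is the natural place to fix them. The recent_match initializer continues past the end of this hunk.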
@@ -226,5 +226,5 @@ static struct iptables_match recent_match = {
void _init(void)
{
- register_match(&recent_match);
+ xtables_register_match(&recent_match);
}
diff --git a/extensions/libipt_recent.man b/extensions/libxt_recent.man
similarity index 99%
rename from extensions/libipt_recent.man
rename to extensions/libxt_recent.man
index bf5d710..25be677 100644
--- a/extensions/libipt_recent.man
+++ b/extensions/libxt_recent.man
@@ -60,7 +60,7 @@ Examples:
Official website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-/proc/net/ipt_recent/* are the current lists of addresses and information
+/proc/net/ipt_recent/* are the current lists of addresses and information
about each entry of each list.
Each file in /proc/net/ipt_recent/ can be read from to see the current list
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 0000000..5cfeb81
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
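Review bot: The new header uses `u_int32_t`/`u_int8_t` without including anything that declares them, so it compiles only when every includer has pulled in `<sys/types.h>` first — the removed ipt_recent.h had the same dependency, but a fresh file is the moment to add `#include <sys/types.h>` (or to switch to `__u32`/`__u8` with `<linux/types.h>`, as kernel ABI headers generally do). The field layout is byte-for-byte the removed struct ipt_recent_info, which is what keeps revision 0 binary-compatible with the kernel; a short comment above the struct saying that it mirrors the kernel's xt_recent_mtinfo and must not be reordered or repacked would protect that invariant.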
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
deleted file mode 100644
index 6508a45..0000000
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
-
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
-
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
-
-#define IPT_RECENT_NAME_LEN 200
-
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
-};
-
-#endif /*_IPT_RECENT_H*/
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 30+ messages in thread* Re: [PATCH 06/13] Move libipt_recent to libxt_recent
2008-04-10 7:38 ` [PATCH 06/13] Move libipt_recent to libxt_recent Jan Engelhardt
@ 2008-04-13 5:16 ` Patrick McHardy
From: Patrick McHardy @ 2008-04-13 5:16 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> ---
> extensions/{libipt_recent.c => libxt_recent.c} | 122 ++++++------
> extensions/{libipt_recent.man => libxt_recent.man} | 2 +-
> include/linux/netfilter/xt_recent.h | 26 +++
> include/linux/netfilter_ipv4/ipt_recent.h | 27 ---
> 4 files changed, 88 insertions(+), 89 deletions(-)
> rename extensions/{libipt_recent.c => libxt_recent.c} (67%)
> rename extensions/{libipt_recent.man => libxt_recent.man} (99%)
> create mode 100644 include/linux/netfilter/xt_recent.h
> delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h
I'll apply this once I have a patch for the kernel that I'm
willing to apply.
* [PATCH 07/13] libxt_recent: add IPv6 support
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 06/13] Move libipt_recent to libxt_recent Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-10 7:38 ` [PATCH 08/13] libxt_recent: add missing --rsource,--rdest options to manpage Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_recent.c | 17 +++++
extensions/libxt_recent.man | 119 +++++++++++++++++------------------
2 files changed, 76 insertions(+), 60 deletions(-)
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 2fc5dca..92b66b4 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -224,7 +224,24 @@ static struct xtables_match recent_match = {
.extra_opts = recent_opts,
};
+static struct xtables_match recent_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "recent",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
void _init(void)
{
xtables_register_match(&recent_match);
+ xtables_register_match(&recent_mt6_reg);
}
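Review bot: recent_mt6_reg repeats the whole IPv4 initializer in a different field order and is the only one of the two that sets `.revision` explicitly, which hides that the intended difference is `.family` alone; keeping both blocks in the same order, and naming the IPv4 one `recent_mt_reg` to pair with `recent_mt6_reg`, makes that visible at a glance. A comment above the new block such as `/* IPv6 registration: same option set and kernel ABI as the AF_INET entry above */` would document why every callback is shared. For IPv6 the `--rttl` option presumably compares the hop limit rather than a TTL; the manpage in this patch still says TTL, so a sentence there would help. The recent_match initializer this hunk starts in begins before the hunk.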
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 25be677..f0dc3f4 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -1,93 +1,92 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
+Allows you to dynamically create a list of IP addresses and then match against
+that list in a few different ways.
+.PP
+For example, you can create a "badguy" list out of people attempting to connect
+to port 139 on your firewall and then DROP all future packets from them without
+considering them.
.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
+\fB--name\fR \fIname\fR
+Specify the list to use for the commands. If no name is given then
+\fBDEFAULT\fR will be used.
.TP
[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
+This will add the source address of the packet to the list. If the source
+address is already in the list, this will update the existing entry. This will
+always return success (or failure if \fB!\fR is passed in).
.TP
[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
+Check if the source address of the packet is currently in the list.
.TP
[\fB!\fR] \fB--update\fR
Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
matches.
.TP
[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
+Check if the source address of the packet is currently in the list and if so
+that address will be removed from the list and the rule will return true. If
+the address is not found, false is returned.
.TP
[\fB!\fR] \fB--seconds \fIseconds\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and was seen within the last given number of seconds.
.TP
[\fB!\fR] \fB--hitcount \fIhits\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and packets had been received greater than or equal to
+the given value. This option may be used along with \fB--seconds\fR to create
+an even narrower match requiring a certain number of hits within a specific
+time frame.
.TP
\fB--rttl\fR
This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
+\fB--update\fR. When used, this will narrow the match to only happen when the
+address is in the list and the TTL of the current packet matches that of the
+packet which hit the \fB--set\fR rule. This may be useful if you have problems
+with people faking their source address in order to DoS you via this module by
+disallowing others access to your site by sending bogus packets to you.
+.PP
Examples:
.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
+iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+.IP
+iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.PP
+Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information
+.PP
+\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information
about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
+.PP
+Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current
+list or written two using the following commands to modify the list:
.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
+\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to add \fIaddr\fR to the DEFAULT list
.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
+\fBecho -\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR
+to remove \fIaddr\fR from the DEFAULT list
.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
+\fBecho / >/proc/net/xt_recent/DEFAULT\fR
+to flush the DEFAULT list (remove all entries).
+.PP
The module itself accepts parameters, defaults shown:
.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
+\fBip_list_tot\fR=\fI100\fR
+Number of addresses remembered per table.
+.TP
+\fBip_pkt_list_tot\fR=\fI20\fR
+Number of packets per address remembered.
.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
+\fBip_list_hash_size\fR=\fI0\fR
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+\fBip_list_perms\fR=\fI0644\fR
+Permissions for /proc/net/xt_recent/* files.
.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
+\fBip_list_uid\fR=\fI0\fR
+Numerical UID for ownership of /proc/net/xt_recent/* files.
.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
+\fBip_list_gid\fR=\fI0\fR
+Numerical GID for ownership of /proc/net/xt_recent/* files.
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 30+ messages in thread* [PATCH 08/13] libxt_recent: add missing --rsource,--rdest options to manpage
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 07/13] libxt_recent: add IPv6 support Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-10 7:38 ` [PATCH 09/13] manpages: fix broken markup (missing close tags) Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_recent.man | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index f0dc3f4..6b7fc86 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -14,6 +14,13 @@ This will add the source address of the packet to the list. If the source
address is already in the list, this will update the existing entry. This will
always return success (or failure if \fB!\fR is passed in).
.TP
+\fB--rsource\fP
+Match/save the source address of each packet in the recent list table. This
+is the default.
+.TP
+\fB--rdest\fP
+Match/save the destination address of each packet in the recent list table.
+.TP
[\fB!\fR] \fB--rcheck\fR
Check if the source address of the packet is currently in the list.
.TP
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 30+ messages in thread* [PATCH 09/13] manpages: fix broken markup (missing close tags)
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 08/13] libxt_recent: add missing --rsource,--rdest options to manpage Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-13 5:18 ` Patrick McHardy
2008-04-10 7:38 ` [PATCH 10/13] manpages: grammar and spelling Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Rework the whole line's markup at the same time.
---
extensions/libip6t_ah.man | 2 +-
extensions/libip6t_dst.man | 2 +-
extensions/libipt_connlimit.man | 2 +-
extensions/libxt_NFQUEUE.man | 2 +-
extensions/libxt_connbytes.man | 2 +-
extensions/libxt_dccp.man | 4 ++--
extensions/libxt_recent.man | 4 ++--
extensions/libxt_sctp.man | 6 +++---
extensions/libxt_u32.man | 2 +-
9 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/extensions/libip6t_ah.man b/extensions/libip6t_ah.man
index 09d00fd..807f9e3 100644
--- a/extensions/libip6t_ah.man
+++ b/extensions/libip6t_ah.man
@@ -3,7 +3,7 @@ This module matches the parameters in Authentication header of IPsec packets.
.BR "--ahspi " "[!] \fIspi\fP[:\fIspi\fP]"
Matches SPI.
.TP
-.BR "--ahlen " "[!] \fIlength"
+[\fB!\fP] \fB--ahlen\fP \fIlength\fP
Total length of this header in octets.
.TP
.BI "--ahres"
diff --git a/extensions/libip6t_dst.man b/extensions/libip6t_dst.man
index f42d822..d895a0e 100644
--- a/extensions/libip6t_dst.man
+++ b/extensions/libip6t_dst.man
@@ -1,6 +1,6 @@
This module matches the parameters in Destination Options header
.TP
-.BR "--dst-len " "[!] \fIlength"
+[\fB!\fP] \fB--dst-len\fP \fIlength\fP
Total length of this header in octets.
.TP
.BR "--dst-opts " "\fItype\fP[:\fIlength\fP][,\fItype\fP[:\fIlength\fP]...]"
diff --git a/extensions/libipt_connlimit.man b/extensions/libipt_connlimit.man
index ca5974e..dd6a155 100644
--- a/extensions/libipt_connlimit.man
+++ b/extensions/libipt_connlimit.man
@@ -1,7 +1,7 @@
Allows you to restrict the number of parallel connections to a server per
client IP address (or client address block).
.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
+[\fB!\fP] \fB--connlimit-above\fP \fIn\fP
Match if the number of existing connections is (not) above \fIn\fR.
.TP
\fB--connlimit-mask\fR \fIprefix_length\fR
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index c4e9d11..015effd 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -2,7 +2,7 @@ This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
you to put a packet into any specific queue, identified by its 16-bit queue
number.
.TP
-.BR "--queue-num " "\fIvalue"
+\fB--queue-num\fP \fIvalue\fP
This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
.TP
It can only be used with Kernel versions 2.6.14 or later, since it requires
diff --git a/extensions/libxt_connbytes.man b/extensions/libxt_connbytes.man
index ce7b665..7b7c313 100644
--- a/extensions/libxt_connbytes.man
+++ b/extensions/libxt_connbytes.man
@@ -10,7 +10,7 @@ scheduled using a lower priority band in traffic control.
The transfered bytes per connection can also be viewed through
/proc/net/ip_conntrack and accessed via ctnetlink
.TP
-[\fB!\fR]\fB --connbytes \fIfrom\fB:\fR[\fIto\fR]
+[\fB!\fP] \fB--connbytes\fP \fIfrom\fP[\fB:\fR\fIto\fP]
match packets from a connection whose packets/bytes/average packet
size is more than FROM and less than TO bytes/packets. if TO is
omitted only FROM check is done. "!" is used to match packets not
diff --git a/extensions/libxt_dccp.man b/extensions/libxt_dccp.man
index 6443ec3..d962ef0 100644
--- a/extensions/libxt_dccp.man
+++ b/extensions/libxt_dccp.man
@@ -1,7 +1,7 @@
.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
\fB--dccp-types\fR [\fB!\fR] \fImask\fP
Match when the DCCP packet type is one of 'mask'. 'mask' is a comma-separated
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 6b7fc86..478ffaf 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -33,12 +33,12 @@ Check if the source address of the packet is currently in the list and if so
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
-[\fB!\fR] \fB--seconds \fIseconds\fR
+[\fB!\fP] \fB--seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
-[\fB!\fR] \fB--hitcount \fIhits\fR
+[\fB!\fP] \fB--hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB--rcheck\fR or
\fB--update\fR. When used, this will narrow the match to only happen when the
address is in the list and packets had been received greater than or equal to
diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
index 97b467d..5d7a477 100644
--- a/extensions/libxt_sctp.man
+++ b/extensions/libxt_sctp.man
@@ -1,9 +1,9 @@
.TP
-\fB--source-port\fR,\fB--sport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--source-port\fP,\fB--sport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--destination-port\fR,\fB--dport \fR[\fB!\fR] \fIport\fR[\fB:\fIport\fR]
+[\fB!\fP] \fB--destination-port\fP,\fB--dport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
-\fB--chunk-types\fR [\fB!\fR] \fBall\fR|\fBany\fR|\fBonly \fIchunktype\fR[\fB:\fIflags\fR] [...]
+[\fB!\fP] \fB--chunk-types\fP {\fBall\fP|\fBany\fP|\fBonly\fP} \fIchunktype\fP[\fB:\fP\fIflags\fP] [...]
The flag letter in upper case indicates that the flag is to match if set,
in the lower case indicates to match if unset.
diff --git a/extensions/libxt_u32.man b/extensions/libxt_u32.man
index 1ac02bc..8e00cc1 100644
--- a/extensions/libxt_u32.man
+++ b/extensions/libxt_u32.man
@@ -2,7 +2,7 @@ U32 tests whether quantities of up to 4 bytes extracted from a packet have
specified values. The specification of what to extract is general enough to
find data at given offsets from tcp headers or payloads.
.TP
-[\fB!\fR]\fB --u32 \fItests\fR
+[\fB!\fP] \fB--u32\fP \fItests\fP
The argument amounts to a program in a small language described below.
.IP
tests := location "=" value | tests "&&" location "=" value
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 30+ messages in thread* [PATCH 10/13] manpages: grammar and spelling
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 09/13] manpages: fix broken markup (missing close tags) Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-13 5:19 ` Patrick McHardy
2008-04-10 7:38 ` [PATCH 11/13] manpages: update to reflect fine-grained control Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
extensions/libip6t_frag.man | 2 +-
extensions/libipt_SAME.man | 2 +-
extensions/libxt_NFQUEUE.man | 2 +-
extensions/libxt_connbytes.man | 4 ++--
extensions/libxt_dscp.man | 2 +-
extensions/libxt_hashlimit.man | 4 ++--
ip6tables.8.in | 2 +-
ip6tables.c | 2 +-
iptables.8.in | 10 +++++-----
iptables.c | 2 +-
10 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
index 5ac13a4..8937b55 100644
--- a/extensions/libip6t_frag.man
+++ b/extensions/libip6t_frag.man
@@ -17,4 +17,4 @@ Matches on the first fragment.
Matches if there are more fragments.
.TP
.BR "[--fraglast]"
-Matches if this is the last fragement.
+Matches if this is the last fragment.
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
index 4e88d48..d038615 100644
--- a/extensions/libipt_SAME.man
+++ b/extensions/libipt_SAME.man
@@ -11,5 +11,5 @@ Don't use the destination-ip in the calculations when selecting the
new source-ip
.TP
.B "--random"
-Port mapping will be forcely randomized to avoid attacks based on
+Port mapping will be forcibly randomized to avoid attacks based on
port prediction (kernel >= 2.6.21).
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 015effd..acd45e9 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -3,7 +3,7 @@ you to put a packet into any specific queue, identified by its 16-bit queue
number.
.TP
\fB--queue-num\fP \fIvalue\fP
-This specifies the QUEUE number to use. Valud queue numbers are 0 to 65535. The default value is 0.
+This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
.TP
It can only be used with Kernel versions 2.6.14 or later, since it requires
the
diff --git a/extensions/libxt_connbytes.man b/extensions/libxt_connbytes.man
index 7b7c313..124ff6f 100644
--- a/extensions/libxt_connbytes.man
+++ b/extensions/libxt_connbytes.man
@@ -1,5 +1,5 @@
Match by how many bytes or packets a connection (or one of the two
-flows constituting the connection) have tranferred so far, or by
+flows constituting the connection) has transferred so far, or by
average bytes per packet.
The counters are 64bit and are thus not expected to overflow ;)
@@ -7,7 +7,7 @@ The counters are 64bit and are thus not expected to overflow ;)
The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.
-The transfered bytes per connection can also be viewed through
+The transferred bytes per connection can also be viewed through
/proc/net/ip_conntrack and accessed via ctnetlink
.TP
[\fB!\fP] \fB--connbytes\fP \fIfrom\fP[\fB:\fR\fIto\fP]
diff --git a/extensions/libxt_dscp.man b/extensions/libxt_dscp.man
index cb0b6f3..29ff3b2 100644
--- a/extensions/libxt_dscp.man
+++ b/extensions/libxt_dscp.man
@@ -7,4 +7,4 @@ Match against a numeric (decimal or hex) value [0-63].
.BI "--dscp-class " "\fIDiffServ Class\fP"
Match the DiffServ class. This value may be any of the
BE, EF, AFxx or CSx classes. It will then be converted
-into it's according numeric value.
+into its according numeric value.
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index e74aedf..e449406 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -53,7 +53,7 @@ The number of buckets of the hash table
Maximum entries in the hash.
.TP
\fB--hashlimit-htable-expire\fR \fImsec\fR
-After how many miliseconds do hash entries expire.
+After how many milliseconds do hash entries expire.
.TP
\fB--hashlimit-htable-gcinterval\fR \fImsec\fR
-How many miliseconds between garbage collection intervals.
+How many milliseconds between garbage collection intervals.
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 8528b8e..f103363 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -478,7 +478,7 @@ James Morris wrote the TOS target, and tos match.
.PP
Jozsef Kadlecsik wrote the REJECT target.
.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog.
+Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
.PP
The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
diff --git a/ip6tables.c b/ip6tables.c
index e5602f7..c7d4a4f 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -720,7 +720,7 @@ print_match(const struct ip6t_entry_match *m,
return 0;
}
-/* e is called `fw' here for hysterical raisins */
+/* e is called `fw' here for historical reasons */
static void
print_firewall(const struct ip6t_entry *fw,
const char *targname,
diff --git a/iptables.8.in b/iptables.8.in
index 9904c48..8ebedb8 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -55,7 +55,7 @@ a `target', which may be a jump to a user-defined chain in the same
table.
.SH TARGETS
-A firewall rule specifies criteria for a packet, and a target. If the
+A firewall rule specifies criteria for a packet and a target. If the
packet does not match, the next rule in the chain is the examined; if
it does match, then the next rule is specified by the value of the
target, which can be the name of a user-defined chain or one of the
@@ -155,9 +155,9 @@ The options that are recognized by
.B iptables
can be divided into several different groups.
.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
+These options specify the desired action to perform. Only one of them
+can be specified on the command line unless otherwise stated
+below. For long versions of the command and option names, you
need to use only enough letters to ensure that
.B iptables
can differentiate it from all other options.
@@ -188,7 +188,7 @@ fail. Rules are numbered starting at 1.
.TP
.BR "-L, --list " "[\fIchain\fP]"
List all rules in the selected chain. If no chain is selected, all
-chains are listed. As every other iptables command, it applies to the
+chains are listed. Like every other iptables command, it applies to the
specified table (filter is the default), so NAT rules get listed by
.nf
iptables -t nat -n -L
diff --git a/iptables.c b/iptables.c
index b2a4b53..7cc2448 100644
--- a/iptables.c
+++ b/iptables.c
@@ -720,7 +720,7 @@ print_match(const struct ipt_entry_match *m,
return 0;
}
-/* e is called `fw' here for hysterical raisins */
+/* e is called `fw' here for historical reasons */
static void
print_firewall(const struct ipt_entry *fw,
const char *targname,
--
1.5.5.rc3
^ permalink raw reply related [flat|nested] 30+ messages in thread* [PATCH 11/13] manpages: update to reflect fine-grained control
2008-04-10 7:38 [PATCH 01/13] Correct the family member value of libxt_mark revision 1 Jan Engelhardt
2008-04-10 7:38 ` [PATCH 10/13] manpages: grammar and spelling Jan Engelhardt
@ 2008-04-10 7:38 ` Jan Engelhardt
2008-04-13 5:20 ` Patrick McHardy
2008-04-10 7:38 ` [PATCH 12/13] Add all necessary header files - compilation fix for various cases Jan Engelhardt
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Some manpages (DNAT for example) specify
--to-destination ip[-ip][:port-port]
while it is actually
--to-destination ip[-ip][:port[-port]]
---
extensions/libip6t_frag.man | 4 ++--
extensions/libipt_DNAT.man | 2 +-
extensions/libipt_SAME.man | 2 +-
extensions/libipt_SNAT.man | 2 +-
extensions/libxt_connmark.man | 2 +-
extensions/libxt_helper.man | 2 +-
extensions/libxt_iprange.man | 4 ++--
extensions/libxt_mark.man | 2 +-
extensions/libxt_owner.man | 10 +++++-----
extensions/libxt_tos.man | 4 ++--
10 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/extensions/libip6t_frag.man b/extensions/libip6t_frag.man
index 8937b55..cc13e79 100644
--- a/extensions/libip6t_frag.man
+++ b/extensions/libip6t_frag.man
@@ -13,8 +13,8 @@ Matches if the reserved fields are filled with zero.
.BR "--fragfirst "
Matches on the first fragment.
.TP
-.BR "[--fragmore]"
+\fB--fragmore\fP
Matches if there are more fragments.
.TP
-.BR "[--fraglast]"
+\fB--fraglast\fP
Matches if this is the last fragment.
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
index f11f4e2..65c152c 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libipt_DNAT.man
@@ -10,7 +10,7 @@ should be modified (and all future packets in this connection will
also be mangled), and rules should cease being examined. It takes one
type of option:
.TP
-.BR "--to-destination " "[\fIipaddr\fP][-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+\fB--to-destination\fP [\fIipaddr\fP][\fB-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB-\fP\fIport\fP]]
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which is only
valid if the rule also specifies
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
index d038615..7e28ca5 100644
--- a/extensions/libipt_SAME.man
+++ b/extensions/libipt_SAME.man
@@ -2,7 +2,7 @@ Similar to SNAT/DNAT depending on chain: it takes a range of addresses
(`--to 1.2.3.4-1.2.3.7') and gives a client the same
source-/destination-address for each connection.
.TP
-.BI "--to " "<ipaddr>-<ipaddr>"
+\fB--to\fP \fIipaddr\fP[\fB-\fP\fIipaddr\fP]
Addresses to map source to. May be specified more than once for
multiple ranges.
.TP
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index 7b34799..34939af 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
@@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
+\fB--to-source\fP \fIipaddr\fP[\fB-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB-\fP\fIport\fP]]
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
diff --git a/extensions/libxt_connmark.man b/extensions/libxt_connmark.man
index 193a4ca..a50c537 100644
--- a/extensions/libxt_connmark.man
+++ b/extensions/libxt_connmark.man
@@ -1,6 +1,6 @@
This module matches the netfilter mark field associated with a connection
(which can be set using the \fBCONNMARK\fR target below).
.TP
-\fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+[\fB!\fP] \fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets in connections with the given mark value (if a mask is
specified, this is logically ANDed with the mark before the comparison).
diff --git a/extensions/libxt_helper.man b/extensions/libxt_helper.man
index c3221ad..3df1d05 100644
--- a/extensions/libxt_helper.man
+++ b/extensions/libxt_helper.man
@@ -1,6 +1,6 @@
This module matches packets related to a specific conntrack-helper.
.TP
-.BI "--helper " "string"
+[\fB!\fP] \fB--helper\fP \fIstring\fP
Matches packets related to the specified conntrack-helper.
.RS
.PP
diff --git a/extensions/libxt_iprange.man b/extensions/libxt_iprange.man
index 5acb3b3..1941a3b 100644
--- a/extensions/libxt_iprange.man
+++ b/extensions/libxt_iprange.man
@@ -1,7 +1,7 @@
This matches on a given arbitrary range of IP addresses.
.TP
-[\fB!\fR] \fB--src-range\fR \fIfrom\fR-\fIto\fR
+[\fB!\fR] \fB--src-range\fR \fIfrom\fR[\fB-\fP\fIto\fR]
Match source IP in the specified range.
.TP
-[\fB!\fR] \fB--dst-range\fR \fIfrom\fR-\fIto\fR
+[\fB!\fR] \fB--dst-range\fR \fIfrom\fR[\fB-\fP\fIto\fR]
Match destination IP in the specified range.
diff --git a/extensions/libxt_mark.man b/extensions/libxt_mark.man
index a2a1395..4b29cd0 100644
--- a/extensions/libxt_mark.man
+++ b/extensions/libxt_mark.man
@@ -3,7 +3,7 @@ This module matches the netfilter mark field associated with a packet
.B MARK
target below).
.TP
-.BR "--mark " "\fIvalue\fP[/\fImask\fP]"
+[\fB!\fP] \fB--mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Matches packets with the given unsigned mark value (if a \fImask\fP is
specified, this is logically ANDed with the \fImask\fP before the
comparison).
diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man
index 344ce2e..0bc0c65 100644
--- a/extensions/libxt_owner.man
+++ b/extensions/libxt_owner.man
@@ -3,17 +3,17 @@ for locally generated packets. This match is only valid in the OUTPUT and
POSTROUTING chains. Forwarded packets do not have any socket associated with
them. Packets from kernel threads do have a socket, but usually no owner.
.TP
-\fB--uid-owner\fR \fIusername\fR
+[\fB!\fP] \fB--uid-owner\fP \fIusername\fP
.TP
-\fB--uid-owner\fR \fIuserid\fR[\fB-\fR\fIuserid\fR]
+[\fB!\fP] \fB--uid-owner\fP \fIuserid\fP[\fB-\fP\fIuserid\fP]
Matches if the packet socket's file structure (if it has one) is owned by the
given user. You may also specify a numerical UID, or an UID range.
.TP
-\fB--gid-owner\fR \fIgroupname\fR
+[\fB!\fP] \fB--gid-owner\fP \fIgroupname\fP
.TP
-\fB--gid-owner\fR \fIgroupid\fR[\fB-\fR\fIgroupid\fR]
+[\fB!\fP] \fB--gid-owner\fP \fIgroupid\fP[\fB-\fR\fIgroupid\fP]
Matches if the packet socket's file structure is owned by the given group.
You may also specify a numerical GID, or a GID range.
.TP
-\fB--socket-exists\fR
+[\fB!\fP] \fB--socket-exists\fP
Matches if the packet is associated with a socket.
diff --git a/extensions/libxt_tos.man b/extensions/libxt_tos.man
index 0420105..cd72e95 100644
--- a/extensions/libxt_tos.man
+++ b/extensions/libxt_tos.man
@@ -2,11 +2,11 @@ This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
header.
.TP
-\fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+[\fB!\fP] \fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets with the given TOS mark value. If a mask is specified, it is
logically ANDed with the TOS mark before the comparison.
.TP
-\fB--tos\fR \fIsymbol\fR
+[\fB!\fP] \fB--tos\fR \fIsymbol\fR
You can specify a symbolic name when using the tos match for IPv4. The list of
recognized TOS names can be obtained by calling iptables with \fB-m tos -h\fR.
Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
--
1.5.5.rc3
* Re: [PATCH 11/13] manpages: update to reflect fine-grained control
From: Patrick McHardy @ 2008-04-13 5:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Some manpages (DNAT for example) specifies
> --to-destination ip[-ip][:port-port]
> while it is actually
> --to-destination ip[-ip][:port[-port]]
> ---
> extensions/libip6t_frag.man | 4 ++--
> extensions/libipt_DNAT.man | 2 +-
> extensions/libipt_SAME.man | 2 +-
> extensions/libipt_SNAT.man | 2 +-
> extensions/libxt_connmark.man | 2 +-
> extensions/libxt_helper.man | 2 +-
> extensions/libxt_iprange.man | 4 ++--
> extensions/libxt_mark.man | 2 +-
> extensions/libxt_owner.man | 10 +++++-----
> extensions/libxt_tos.man | 4 ++--
> 10 files changed, 17 insertions(+), 17 deletions(-)
Applied.
* [PATCH 12/13] Add all necessary header files - compilation fix for various cases
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Allow iptables to compile without a kernel source tree. This
also means fixing the build for older kernels, such as 2.6.17,
which lack xt_SECMARK.h.
---
Makefile.am | 2 +-
configure.ac | 10 +-
include/linux/compiler.h | 179 +++++++++++++++++++++
include/linux/netfilter.h | 2 +
include/linux/netfilter/xt_SECMARK.h | 26 +++
include/linux/netfilter_ipv4/ipt_DSCP.h | 18 ++
include/linux/netfilter_ipv4/ipt_LOG.h | 18 ++
include/linux/netfilter_ipv4/ipt_REJECT.h | 20 +++
include/linux/netfilter_ipv4/ipt_TOS.h | 12 ++
include/linux/netfilter_ipv4/ipt_dscp.h | 21 +++
include/linux/netfilter_ipv4/ipt_owner.h | 20 +++
include/linux/netfilter_ipv4/ipt_tos.h | 13 ++
include/linux/netfilter_ipv6/ip6t_LOG.h | 18 ++
libipq/Makefile.am | 2 +-
14 files changed, 356 insertions(+), 5 deletions(-)
create mode 100644 include/linux/compiler.h
create mode 100644 include/linux/netfilter/xt_SECMARK.h
create mode 100644 include/linux/netfilter_ipv4/ipt_DSCP.h
create mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h
create mode 100644 include/linux/netfilter_ipv4/ipt_REJECT.h
create mode 100644 include/linux/netfilter_ipv4/ipt_TOS.h
create mode 100644 include/linux/netfilter_ipv4/ipt_dscp.h
create mode 100644 include/linux/netfilter_ipv4/ipt_owner.h
create mode 100644 include/linux/netfilter_ipv4/ipt_tos.h
create mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h
diff --git a/Makefile.am b/Makefile.am
index 112b552..8babe96 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign subdir-objects
regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
if ENABLE_DEVEL
SUBDIRS += libipq
diff --git a/configure.ac b/configure.ac
index 5aa0557..3081cc0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,8 +8,6 @@ AM_PROG_CC_C_O
AC_DISABLE_STATIC
AC_PROG_LIBTOOL
-kbuilddir="/lib/modules/$(uname -r)/build";
-ksourcedir="/lib/modules/$(uname -r)/source";
AC_ARG_WITH([kernel],
AS_HELP_STRING([--with-kernel=PATH],
[Path to kernel source/build directory]),
@@ -41,7 +39,13 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL";
-kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
+kinclude_CFLAGS="";
+if [[ -n "$kbuilddir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
+fi;
+if [[ -n "$ksourcedir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
+fi;
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
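Review bot: The two added kinclude_CFLAGS lines drop the quoting the removed line carried around the include paths (`-I\"$kbuilddir/include\"` became `-I $kbuilddir/include`), so a kernel build or source directory whose path contains whitespace now splits into separate compiler arguments; keep the escaped quotes, e.g. `kinclude_CFLAGS="$kinclude_CFLAGS -I\"$kbuilddir/include\"";` and the same for ksourcedir. The `[[ -n "$kbuilddir" ]]` form also relies on m4 stripping one bracket level to leave a plain `[ -n ... ]` test; `if test -n "$kbuilddir"; then` expresses the same check without depending on quote handling. Since the earlier hunk removes the uname-based defaults, kinclude_CFLAGS is presumably empty unless --with-kernel supplied the directories, which is the commit's stated intent but deserves a one-line comment above the block: `# Kernel headers are optional; only add -I paths that --with-kernel supplied`.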
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
new file mode 100644
index 0000000..d0e17e1
--- /dev/null
+++ b/include/linux/compiler.h
@@ -0,0 +1,179 @@
+#ifndef __LINUX_COMPILER_H
+#define __LINUX_COMPILER_H
+
+#ifndef __ASSEMBLY__
+
+#ifdef __CHECKER__
+# define __user __attribute__((noderef, address_space(1)))
+# define __kernel /* default address space */
+# define __safe __attribute__((safe))
+# define __force __attribute__((force))
+# define __nocast __attribute__((nocast))
+# define __iomem __attribute__((noderef, address_space(2)))
+# define __acquires(x) __attribute__((context(x,0,1)))
+# define __releases(x) __attribute__((context(x,1,0)))
+# define __acquire(x) __context__(x,1)
+# define __release(x) __context__(x,-1)
+# define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
+extern void __chk_user_ptr(const volatile void __user *);
+extern void __chk_io_ptr(const volatile void __iomem *);
+#else
+# define __user
+# define __kernel
+# define __safe
+# define __force
+# define __nocast
+# define __iomem
+# define __chk_user_ptr(x) (void)0
+# define __chk_io_ptr(x) (void)0
+# define __builtin_warning(x, y...) (1)
+# define __acquires(x)
+# define __releases(x)
+# define __acquire(x) (void)0
+# define __release(x) (void)0
+# define __cond_lock(x,c) (c)
+#endif
+
+#ifdef __KERNEL__
+
+#if __GNUC__ >= 4
+# include <linux/compiler-gcc4.h>
+#elif __GNUC__ == 3 && __GNUC_MINOR__ >= 2
+# include <linux/compiler-gcc3.h>
+#else
+# error Sorry, your compiler is too old/not recognized.
+#endif
+
+/* Intel compiler defines __GNUC__. So we will overwrite implementations
+ * coming from above header files here
+ */
+#ifdef __INTEL_COMPILER
+# include <linux/compiler-intel.h>
+#endif
+
+/*
+ * Generic compiler-dependent macros required for kernel
+ * build go below this comment. Actual compiler/compiler version
+ * specific implementations come from the above header files
+ */
+
+#define likely(x) __builtin_expect(!!(x), 1)
+#define unlikely(x) __builtin_expect(!!(x), 0)
+
+/* Optimization barrier */
+#ifndef barrier
+# define barrier() __memory_barrier()
+#endif
+
+#ifndef RELOC_HIDE
+# define RELOC_HIDE(ptr, off) \
+ ({ unsigned long __ptr; \
+ __ptr = (unsigned long) (ptr); \
+ (typeof(ptr)) (__ptr + (off)); })
+#endif
+
+#endif /* __KERNEL__ */
+
+#endif /* __ASSEMBLY__ */
+
+#ifdef __KERNEL__
+/*
+ * Allow us to mark functions as 'deprecated' and have gcc emit a nice
+ * warning for each use, in hopes of speeding the functions removal.
+ * Usage is:
+ * int __deprecated foo(void)
+ */
+#ifndef __deprecated
+# define __deprecated /* unimplemented */
+#endif
+
+#ifdef MODULE
+#define __deprecated_for_modules __deprecated
+#else
+#define __deprecated_for_modules
+#endif
+
+#ifndef __must_check
+#define __must_check
+#endif
+
+#ifndef CONFIG_ENABLE_MUST_CHECK
+#undef __must_check
+#define __must_check
+#endif
+#ifndef CONFIG_ENABLE_WARN_DEPRECATED
+#undef __deprecated
+#undef __deprecated_for_modules
+#define __deprecated
+#define __deprecated_for_modules
+#endif
+
+/*
+ * Allow us to avoid 'defined but not used' warnings on functions and data,
+ * as well as force them to be emitted to the assembly file.
+ *
+ * As of gcc 3.4, static functions that are not marked with attribute((used))
+ * may be elided from the assembly file. As of gcc 3.4, static data not so
+ * marked will not be elided, but this may change in a future gcc version.
+ *
+ * NOTE: Because distributions shipped with a backported unit-at-a-time
+ * compiler in gcc 3.3, we must define __used to be __attribute__((used))
+ * for gcc >=3.3 instead of 3.4.
+ *
+ * In prior versions of gcc, such functions and data would be emitted, but
+ * would be warned about except with attribute((unused)).
+ *
+ * Mark functions that are referenced only in inline assembly as __used so
+ * the code is emitted even though it appears to be unreferenced.
+ */
+#ifndef __used
+# define __used /* unimplemented */
+#endif
+
+#ifndef __maybe_unused
+# define __maybe_unused /* unimplemented */
+#endif
+
+#ifndef noinline
+#define noinline
+#endif
+
+#ifndef __always_inline
+#define __always_inline inline
+#endif
+
+#endif /* __KERNEL__ */
+
+/*
+ * From the GCC manual:
+ *
+ * Many functions do not examine any values except their arguments,
+ * and have no effects except the return value. Basically this is
+ * just slightly more strict class than the `pure' attribute above,
+ * since function is not allowed to read global memory.
+ *
+ * Note that a function that has pointer arguments and examines the
+ * data pointed to must _not_ be declared `const'. Likewise, a
+ * function that calls a non-`const' function usually must not be
+ * `const'. It does not make sense for a `const' function to return
+ * `void'.
+ */
+#ifndef __attribute_const__
+# define __attribute_const__ /* unimplemented */
+#endif
+
+/*
+ * Tell gcc if a function is cold. The compiler will assume any path
+ * directly leading to the call is unlikely.
+ */
+
+#ifndef __cold
+#define __cold
+#endif
+
+/* Simple shorthand for a section definition */
+#ifndef __section
+# define __section(S) __attribute__ ((__section__(#S)))
+#endif
+
+#endif /* __LINUX_COMPILER_H */
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3c5b889..0d1ba11 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -1,6 +1,8 @@
#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H
+#include <linux/compiler.h>
+
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 0000000..c53fbff
--- /dev/null
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SELCTX_MAX 256
+
+struct xt_secmark_target_selinux_info {
+ u_int32_t selsid;
+ char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+ u_int8_t mode;
+ union {
+ struct xt_secmark_target_selinux_info sel;
+ } u;
+};
+
+#endif /*_XT_SECMARK_H_target */
diff --git a/include/linux/netfilter_ipv4/ipt_DSCP.h b/include/linux/netfilter_ipv4/ipt_DSCP.h
new file mode 100644
index 0000000..3491e52
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_DSCP.h
@@ -0,0 +1,18 @@
+/* iptables module for setting the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+*/
+#ifndef _IPT_DSCP_TARGET_H
+#define _IPT_DSCP_TARGET_H
+#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+#define ipt_DSCP_info xt_DSCP_info
+
+#endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 0000000..90fa652
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IPT_LOG_H
+#define _IPT_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IPT_LOG_IPOPT 0x04 /* Log IP options */
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define IPT_LOG_MASK 0x1f
+
+struct ipt_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 0000000..4293a1a
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_REJECT_H
+#define _IPT_REJECT_H
+
+enum ipt_reject_with {
+ IPT_ICMP_NET_UNREACHABLE,
+ IPT_ICMP_HOST_UNREACHABLE,
+ IPT_ICMP_PROT_UNREACHABLE,
+ IPT_ICMP_PORT_UNREACHABLE,
+ IPT_ICMP_ECHOREPLY,
+ IPT_ICMP_NET_PROHIBITED,
+ IPT_ICMP_HOST_PROHIBITED,
+ IPT_TCP_RESET,
+ IPT_ICMP_ADMIN_PROHIBITED
+};
+
+struct ipt_reject_info {
+ enum ipt_reject_with with; /* reject type */
+};
+
+#endif /*_IPT_REJECT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
new file mode 100644
index 0000000..6bf9e1f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_TOS.h
@@ -0,0 +1,12 @@
+#ifndef _IPT_TOS_H_target
+#define _IPT_TOS_H_target
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+struct ipt_tos_target_info {
+ u_int8_t tos;
+};
+
+#endif /*_IPT_TOS_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_dscp.h b/include/linux/netfilter_ipv4/ipt_dscp.h
new file mode 100644
index 0000000..4b82ca9
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_dscp.h
@@ -0,0 +1,21 @@
+/* iptables module for matching the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _IPT_DSCP_H
+#define _IPT_DSCP_H
+
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_DSCP_MASK XT_DSCP_MASK
+#define IPT_DSCP_SHIFT XT_DSCP_SHIFT
+#define IPT_DSCP_MAX XT_DSCP_MAX
+
+#define ipt_dscp_info xt_dscp_info
+
+#endif /* _IPT_DSCP_H */
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
new file mode 100644
index 0000000..92f4bda
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_owner.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_OWNER_H
+#define _IPT_OWNER_H
+
+/* match and invert flags */
+#define IPT_OWNER_UID 0x01
+#define IPT_OWNER_GID 0x02
+#define IPT_OWNER_PID 0x04
+#define IPT_OWNER_SID 0x08
+#define IPT_OWNER_COMM 0x10
+
+struct ipt_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h
new file mode 100644
index 0000000..a21f5df
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_tos.h
@@ -0,0 +1,13 @@
+#ifndef _IPT_TOS_H
+#define _IPT_TOS_H
+
+struct ipt_tos_info {
+ u_int8_t tos;
+ u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+#endif /*_IPT_TOS_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
new file mode 100644
index 0000000..0d0119b
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IP6T_LOG_H
+#define _IP6T_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
+#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
+#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
+#define IP6T_LOG_MASK 0x1f
+
+struct ip6t_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/libipq/Makefile.am b/libipq/Makefile.am
index 942a874..d4245e7 100644
--- a/libipq/Makefile.am
+++ b/libipq/Makefile.am
@@ -1,6 +1,6 @@
# -*- Makefile -*-
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
libipq_a_SOURCES = libipq.c
lib_LIBRARIES = libipq.a
--
1.5.5.rc3
* Re: [PATCH 12/13] Add all necessary header files - compilation fix for various cases
From: Patrick McHardy @ 2008-04-13 5:21 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Allow iptables to compile without a kernel source tree. This
> implies fixing build for older kernels, such as 2.6.17 which
> lack xt_SECMARK.h.
Which version are these headers based on?
> --- /dev/null
> +++ b/include/linux/compiler.h
> @@ -0,0 +1,179 @@
> +#ifdef __KERNEL__
Sanitized headers please. compiler.h seems wrong to include in
iptables, which parts do we actually need?
* Re: [PATCH 12/13] Add all necessary header files - compilation fix for various cases
From: Jan Engelhardt @ 2008-04-13 9:35 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Whoops, left this in "Drafts" :)
On Sunday 2008-04-13 07:21, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Allow iptables to compile without a kernel source tree. This
>> implies fixing build for older kernels, such as 2.6.17 which
>> lack xt_SECMARK.h.
>
> Which version are these headers based on?
There is just one version. The file never changed since it
was initially added as v2.6.17-69-g5e6874c.
>> --- /dev/null
>> +++ b/include/linux/compiler.h
>> @@ -0,0 +1,179 @@
>
>> +#ifdef __KERNEL__
>
> Sanitized headers please. compiler.h seems wrong to include in
> iptables, which parts do we actually need?
I fixed that up in the batch I just sent.
* Re: [PATCH 12/13] Add all necessary header files - compilation fix for various cases
From: Patrick McHardy @ 2008-04-13 9:35 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Whoops, left this in "Drafts" :)
>
>
> On Sunday 2008-04-13 07:21, Patrick McHardy wrote:
>
>
>> Jan Engelhardt wrote:
>>
>>> Allow iptables to compile without a kernel source tree. This
>>> implies fixing build for older kernels, such as 2.6.17 which
>>> lack xt_SECMARK.h.
>>>
>> Which version are these headers based on?
>>
>
> There is just one version. The file never changed since it
> was initially added as v2.6.17-69-g5e6874c.
>
The question referred to all those headers.
* Re: [PATCH 12/13] Add all necessary header files - compilation fix for various cases
From: Jan Engelhardt @ 2008-04-13 10:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Sunday 2008-04-13 11:35, Patrick McHardy wrote:
>> > > Allow iptables to compile without a kernel source tree. This
>> > > implies fixing build for older kernels, such as 2.6.17 which
>> > > lack xt_SECMARK.h.
>> > >
>> > Which version are these headers based on?
>>
>> There is just one version. The file never changed since it
>> was initially added as v2.6.17-69-g5e6874c.
>
> The question referred to all those headers.
>
They are from kaber/nf-2.6.26.git (46ae7629).
Except netfilter.h, which is from 7b33ed22^.
If you fold in the hunks below, it too will be up to 46ae7629. Thanks.
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 6922c7f..4196a51 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -1,7 +1,6 @@
#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H
-//#include <linux/compiler.h>
/* Responses from hook functions. */
#define NF_DROP 0
@@ -20,7 +19,7 @@
#define NF_VERDICT_QMASK 0xffff0000
#define NF_VERDICT_QBITS 16
-#define NF_QUEUE_NR(x) (((x << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)
+#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
/* only for userspace compatibility */
/* Generic cache responses from hook functions.
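Review bot: The rewritten NF_QUEUE_NR shifts by NF_VERDICT_BITS, but the only shift-width constant visible in this hunk's context is NF_VERDICT_QBITS (16) on the line above; unless the iptables copy of the header also defines NF_VERDICT_BITS above line 20, outside the hunk, every expansion of NF_QUEUE_NR fails to compile. If that constant is present, as it would be if the header is folded in from the upstream tree named in the reply, the change is fine; a comment such as `/* queue number occupies the bits above the verdict field; see NF_VERDICT_QMASK */` would make the relationship between the two masks and the two width constants readable to someone who only sees this file. The added parentheses around x are a correct fix for callers that pass an expression.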
@@ -38,7 +37,7 @@ enum nf_inet_hooks {
};
union nf_inet_addr {
- u_int32_t all[4];
+ __u32 all[4];
__be32 ip;
__be32 ip6[4];
struct in_addr in;
* [PATCH 13/13] configure: split --enable-libipq from --enable-devel
From: Jan Engelhardt @ 2008-04-10 7:38 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
Makefile.am | 2 +-
configure.ac | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8babe96..8137c93 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,7 @@ regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
-if ENABLE_DEVEL
+if ENABLE_LIBIPQ
SUBDIRS += libipq
endif
diff --git a/configure.ac b/configure.ac
index 3081cc0..10d4380 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,12 +27,16 @@ AC_ARG_WITH([xtlibdir],
[xtlibdir="${libexecdir}/iptables"])
AC_ARG_ENABLE([devel],
AS_HELP_STRING([--enable-devel],
- [Build and install development files (libipq, libipq-devel, iptables-devel)]))
+ [Install Xtables development headers]),
+ [enable_devel="$enableval"], [enable_devel="yes"])
+AC_ARG_ENABLE([libipq],
+ AS_HELP_STRING([--enable-libipq], [Build and install libipq]))
AC_CHECK_HEADER([netinet/ip6.h], [], [AC_MSG_ERROR(but we need that for IPv6)])
AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" == "yes"])
AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" == "yes"])
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
+AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" == "yes"])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
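Review bot: The new AM_CONDITIONAL line for ENABLE_LIBIPQ compares with `==`, which is a bashism inside `test` and not portable to a POSIX /bin/sh; the surrounding conditionals share the habit, but the new line should read `AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])`. The added --enable-libipq option also has no action-if-given or action-if-not-given, unlike the --enable-devel option reworked just above it, so its default is left implicit; `[enable_libipq="$enableval"], [enable_libipq="no"]` would make the intended default explicit and symmetrical with devel. Together with the Makefile.am hunk switching the libipq subdirectory to ENABLE_LIBIPQ, this means libipq is no longer built for anyone passing only the old --enable-devel flag, which is worth stating in the help string or a comment next to the option.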
--
1.5.5.rc3
* Re: [PATCH 01/13] Correct the family member value of libxt_mark revision 1
From: Jan Engelhardt @ 2008-04-10 7:39 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
On Thursday 2008-04-10 09:38, Jan Engelhardt wrote:
>libxt_mark rev1 used AF_INET6 in the class structure where it should
>have used AF_INET.
Argh, obviously wrong one.
>@@ -197,7 +197,7 @@ static struct xtables_match mark_mt6_reg = {
> .version = IPTABLES_VERSION,
> .name = "mark",
> .revision = 1,
>- .family = AF_INET6,
>+ .family = AF_INET,
> .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
> .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
> .help = mark_mt_help,
>--
* Re: [PATCH 01/13] Correct the family member value of libxt_mark revision 1
From: Jan Engelhardt @ 2008-04-11 10:44 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
On Thursday 2008-04-10 09:39, Jan Engelhardt wrote:
>
>On Thursday 2008-04-10 09:38, Jan Engelhardt wrote:
>>libxt_mark rev1 used AF_INET6 in the class structure where it should
>>have used AF_INET.
>
>Argh, obviously wrong one.
(But please apply the rest of the series ;-))
>>@@ -197,7 +197,7 @@ static struct xtables_match mark_mt6_reg = {
>> .version = IPTABLES_VERSION,
>> .name = "mark",
>> .revision = 1,
>>- .family = AF_INET6,
>>+ .family = AF_INET,
>> .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
>> .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
>> .help = mark_mt_help,
>>--
>--
>To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at http://vger.kernel.org/majordomo-info.html
>