ip6tables doesn't support --goto option

ip6tables doesn't support --goto option

[Thomas Jacob]

Hello list,

The ip6tables frontend in 1.4.1.1 doesn't seem to support the --goto
option but the code for handling it seems to be in the kernel:

ip6_tables.c/ip6t_do_table
  if (table_base + v != (void *)e + e->next_offset
     && !(e->ipv6.flags & IP6T_F_GOTO)) {
       .....

Is there some sort of technical/political reason for this, or has the
feature simply not been implemented yet (and hence a patch would
probably be welcome)?

    Regards,
        Thomas

Re: ip6tables doesn't support --goto option

[Jan Engelhardt]

On Friday 2008-06-20 18:45, Thomas Jacob wrote:

>Hello list,
>
>The ip6tables frontend in 1.4.1.1 doesn't seem to support the --goto
>option but the code for handling it seems to be in the kernel:
>
>ip6_tables.c/ip6t_do_table
>  if (table_base + v != (void *)e + e->next_offset
>     && !(e->ipv6.flags & IP6T_F_GOTO)) {
>       .....
>
>Is there some sort of technical/political reason for this, or has the
>feature simply not been implemented yet (and hence a patch would
>probably be welcome)?

I suppose it was just forgotten, as the original commit (17fc163b) only
touched iptables.c, not ip6tables.c.

Re: ip6tables doesn't support --goto option

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 425 bytes --]

On fre, 2008-06-20 at 20:10 +0200, Jan Engelhardt wrote:

> I suppose it was just forgotten, as the original commit (17fc163b) only
> touched iptables.c, not ip6tables.c.

Quite likely my fault as I only use iptables, not yet ip6tables..

Here is a really good project lurking for someone looking for a starter
iptables project: eleminate all the duplicated code between iptables and
ip6tables..

Regards
Henrik

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: ip6tables doesn't support --goto option

[Patrick McHardy]

Henrik Nordstrom wrote:
> On fre, 2008-06-20 at 20:10 +0200, Jan Engelhardt wrote:
> 
>> I suppose it was just forgotten, as the original commit (17fc163b) only
>> touched iptables.c, not ip6tables.c.
> 
> Quite likely my fault as I only use iptables, not yet ip6tables..

I think it was me, I added the ip6_tables support, for seem to
have forgotten about userspace.

Does anyone wants to send a patch for this?

Re: ip6tables doesn't support --goto option

[Thomas Jacob]

[-- Attachment #1.1: Type: text/plain, Size: 334 bytes --]

On Sat, Jun 21, 2008 at 10:27:34AM +0200, Patrick McHardy wrote:
> I think it was me, I added the ip6_tables support, for seem to
> have forgotten about userspace.
>
> Does anyone wants to send a patch for this?

Here's what I got by copying the --goto changes from iptables.c,
not sure if it's complete, but it seems to work for me.

[-- Attachment #1.2: ipv6goto.patch --]
[-- Type: text/x-diff, Size: 3795 bytes --]

diff --git a/ip6tables.8.in b/ip6tables.8.in
index 45b14dc..f5d33db 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -301,10 +301,18 @@ one this rule is in), one of the special builtin targets which decide
 the fate of the packet immediately, or an extension (see
 .B EXTENSIONS
 below).  If this
-option is omitted in a rule, then matching the rule will have no
+option is omitted in a rule (and
+.B -g
+is not used), then matching the rule will have no
 effect on the packet's fate, but the counters on the rule will be
 incremented.
 .TP
+.BI "-g, --goto " "chain"
+This specifies that the processing should continue in a user
+specified chain. Unlike the --jump option return will not continue
+processing in this chain but instead in the chain that called us via
+--jump.
+.TP
 .BR "-i, --in-interface " "[!] \fIname\fP"
 Name of an interface via which a packet is going to be received (only for
 packets entering the 
diff --git a/ip6tables.c b/ip6tables.c
index e146114..2b05392 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -132,6 +132,7 @@ static struct option original_opts[] = {
 	{.name = "line-numbers",  .has_arg = 0, .val = '0'},
 	{.name = "modprobe",      .has_arg = 1, .val = 'M'},
 	{.name = "set-counters",  .has_arg = 1, .val = 'c'},
+	{.name = "goto",          .has_arg = 1, .val = 'g'},
 	{NULL},
 };
 
@@ -328,6 +329,10 @@ exit_printhelp(struct ip6tables_rule_match *matches)
 "				network interface name ([+] for wildcard)\n"
 "  --jump	-j target\n"
 "				target for rule (may load target extension)\n"
+#ifdef IP6T_F_GOTO
+"  --goto	-g chain\n"
+"				jump to chain with no return\n"
+#endif
 "  --match	-m match\n"
 "				extended match (may load extension)\n"
 "  --numeric	-n		numeric output of addresses and ports\n"
@@ -823,6 +828,11 @@ print_firewall(const struct ip6t_entry *fw,
 	if (format & FMT_NOTABLE)
 		fputs("  ", stdout);
 
+#ifdef IP6T_F_GOTO
+	if(fw->ipv6.flags & IP6T_F_GOTO)
+		printf("[goto] ");
+#endif
+
 	IP6T_MATCH_ITERATE(fw, print_match, &fw->ipv6, format & FMT_NUMERIC);
 
 	if (target) {
@@ -1259,7 +1269,11 @@ void print_rule(const struct ip6t_entry *e,
 	/* Print target name */
 	target_name = ip6tc_get_target(e, h);
 	if (target_name && (*target_name != '\0'))
+#ifdef IP6T_F_GOTO
+		printf("-%c %s ", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name);
+#else
 		printf("-j %s ", target_name);
+#endif
 
 	/* Print targinfo part */
 	t = ip6t_get_target((struct ip6t_entry *)e);
@@ -1447,7 +1461,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 	opterr = 0;
 
 	while ((c = getopt_long(argc, argv,
-	   "-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:",
+	   "-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
 					   opts, NULL)) != -1) {
 		switch (c) {
 			/*
@@ -1638,6 +1652,15 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 			dhostnetworkmask = argv[optind-1];
 			break;
 
+#ifdef IP6T_F_GOTO
+		case 'g':
+			set_option(&options, OPT_JUMP, &fw.ipv6.invflags,
+					invert);
+			fw.ipv6.flags |= IP6T_F_GOTO;
+			jumpto = parse_target(optarg);
+			break;
+#endif
+
 		case 'j':
 			set_option(&options, OPT_JUMP, &fw.ipv6.invflags,
 				   invert);
@@ -1995,6 +2018,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 			 * We cannot know if the plugin is corrupt, non
 			 * existant OR if the user just misspelled a
 			 * chain. */
+#ifdef IP6T_F_GOTO
+			if (fw.ipv6.flags & IP6T_F_GOTO)
+				exit_error(PARAMETER_PROBLEM,
+						"goto '%s' is not a chain\n", jumpto);
+#endif
 			find_target(jumpto, LOAD_MUST_SUCCEED);
 		} else {
 			e = generate_entry(&fw, matches, target->t);

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: ip6tables doesn't support --goto option

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 513 bytes --]

On lör, 2008-06-21 at 16:43 +0200, Thomas Jacob wrote:
> On Sat, Jun 21, 2008 at 10:27:34AM +0200, Patrick McHardy wrote:
> > I think it was me, I added the ip6_tables support, for seem to
> > have forgotten about userspace.
> >
> > Does anyone wants to send a patch for this?
> 
> Here's what I got by copying the --goto changes from iptables.c,
> not sure if it's complete, but it seems to work for me.

Looks fine to me. Did the same but you beat me in sending the
submission..

Regards
Henrik

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: ip6tables doesn't support --goto option

[Patrick McHardy]

Thomas Jacob wrote:
> On Sat, Jun 21, 2008 at 10:27:34AM +0200, Patrick McHardy wrote:
>> I think it was me, I added the ip6_tables support, for seem to
>> have forgotten about userspace.
>>
>> Does anyone wants to send a patch for this?
> 
> Here's what I got by copying the --goto changes from iptables.c,
> not sure if it's complete, but it seems to work for me.


Applied, thanks. Please remember to sign off your patches in
the future.