iptables: mainloop cleanup, symbol vis+versioning

iptables: mainloop cleanup, symbol vis+versioning

[Jan Engelhardt]

The following changes since commit 9ee2a9fe2f74b616da34878104bd1ff406534ad1:

  extensions: add extension for devgroup match (2011-02-03 06:10:41 +0100)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (8):
      iptables: reduce indentation of parse loop (1/3)
      iptables: reduce indentation of parse loop (2/3)
      iptables: use variable as shortcut in parse loop
      iptables: reduce indentation of parse loop (3/3)
      iptables: fix error message for unknown options
      build: directly use config.h in internal.h
      libxtables: symbol visibility
      libxtables: symbol versioning

 .gitignore                     |    1 -
 Makefile.am                    |    9 +-
 configure.ac                   |    6 +-
 extensions/GNUmakefile.in      |    2 +-
 include/iptables/internal.h    |   21 +++++
 include/iptables/internal.h.in |   13 ---
 ip6tables.c                    |  187 ++++++++++++++++++---------------------
 iptables.c                     |  194 ++++++++++++++++++----------------------
 libxtables.map                 |   55 +++++++++++
 m4/gcc4_visibility.m4          |   21 +++++
 xtables.c                      |  109 +++++++++++++----------
 11 files changed, 340 insertions(+), 278 deletions(-)
 create mode 100644 include/iptables/internal.h
 delete mode 100644 include/iptables/internal.h.in
 create mode 100644 libxtables.map
 create mode 100644 m4/gcc4_visibility.m4

[PATCH 1/8] iptables: reduce indentation of parse loop (1/3)

[Jan Engelhardt]

Trying to make this code suck less by using early
exclusion/break/return.

References: http://iq0.com/notes/deep.nesting.html
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |  184 ++++++++++++++++++++++++++++----------------------------
 iptables.c  |  196 +++++++++++++++++++++++++++++-----------------------------
 2 files changed, 190 insertions(+), 190 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index 8c1b504..d453868 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1703,104 +1703,104 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			exit_tryhelp(2);
 
 		default:
-			if (target == NULL || target->parse == NULL ||
-			    c < target->option_offset ||
-			    c >= target->option_offset + XT_OPTION_OFFSET_SCALE ||
-			    !target->parse(c - target->option_offset,
+			if (target != NULL && target->parse != NULL &&
+			    c >= target->option_offset &&
+			    c < target->option_offset + XT_OPTION_OFFSET_SCALE &&
+			    target->parse(c - target->option_offset,
 					       argv, invert,
 					       &target->tflags,
-					       &fw, &target->t)) {
-				for (matchp = matches; matchp; matchp = matchp->next) {
-					if (matchp->completed ||
-					    matchp->match->parse == NULL)
-						continue;
-					if (c < matchp->match->option_offset ||
-					    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
-						continue;
-					if (matchp->match->parse(c - matchp->match->option_offset,
-						     argv, invert,
-						     &matchp->match->mflags,
-						     &fw,
-						     &matchp->match->m))
-						break;
-				}
-				m = matchp ? matchp->match : NULL;
-
-				/* If you listen carefully, you can
-				   actually hear this code suck. */
-
-				/* some explanations (after four different bugs
-				 * in 3 different releases): If we encounter a
-				 * parameter, that has not been parsed yet,
-				 * it's not an option of an explicitly loaded
-				 * match or a target.  However, we support
-				 * implicit loading of the protocol match
-				 * extension.  '-p tcp' means 'l4 proto 6' and
-				 * at the same time 'load tcp protocol match on
-				 * demand if we specify --dport'.
-				 *
-				 * To make this work, we need to make sure:
-				 * - the parameter has not been parsed by
-				 *   a match (m above)
-				 * - a protocol has been specified
-				 * - the protocol extension has not been
-				 *   loaded yet, or is loaded and unused
-				 *   [think of ip6tables-restore!]
-				 * - the protocol extension can be successively
-				 *   loaded
-				 */
-				if (m == NULL
-				    && protocol
-				    && (!find_proto(protocol, XTF_DONT_LOAD,
-						   options&OPT_NUMERIC, NULL)
-					|| (find_proto(protocol, XTF_DONT_LOAD,
-							options&OPT_NUMERIC, NULL)
-					    && (proto_used == 0))
-				       )
-				    && (m = find_proto(protocol, XTF_TRY_LOAD,
-						       options&OPT_NUMERIC, &matches))) {
-					/* Try loading protocol */
-					size_t size;
-
-					proto_used = 1;
-
-					size = IP6T_ALIGN(sizeof(struct ip6t_entry_match))
-							 + m->size;
-
-					m->m = xtables_calloc(1, size);
-					m->m->u.match_size = size;
-					strcpy(m->m->u.user.name, m->name);
-					m->m->u.user.revision = m->revision;
-					if (m->init != NULL)
-						m->init(m->m);
-
-					opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
-					    m->extra_opts, &m->option_offset);
-
-					optind--;
+					       &fw, &target->t))
+				break;
+			for (matchp = matches; matchp; matchp = matchp->next) {
+				if (matchp->completed ||
+				    matchp->match->parse == NULL)
 					continue;
-				}
+				if (c < matchp->match->option_offset ||
+				    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+					continue;
+				if (matchp->match->parse(c - matchp->match->option_offset,
+					     argv, invert,
+					     &matchp->match->mflags,
+					     &fw,
+					     &matchp->match->m))
+					break;
+			}
+			m = matchp ? matchp->match : NULL;
+
+			/* If you listen carefully, you can
+			   actually hear this code suck. */
+
+			/* some explanations (after four different bugs
+			 * in 3 different releases): If we encounter a
+			 * parameter, that has not been parsed yet,
+			 * it's not an option of an explicitly loaded
+			 * match or a target.  However, we support
+			 * implicit loading of the protocol match
+			 * extension.  '-p tcp' means 'l4 proto 6' and
+			 * at the same time 'load tcp protocol match on
+			 * demand if we specify --dport'.
+			 *
+			 * To make this work, we need to make sure:
+			 * - the parameter has not been parsed by
+			 *   a match (m above)
+			 * - a protocol has been specified
+			 * - the protocol extension has not been
+			 *   loaded yet, or is loaded and unused
+			 *   [think of ip6tables-restore!]
+			 * - the protocol extension can be successively
+			 *   loaded
+			 */
+			if (m == NULL
+			    && protocol
+			    && (!find_proto(protocol, XTF_DONT_LOAD,
+					   options&OPT_NUMERIC, NULL)
+				|| (find_proto(protocol, XTF_DONT_LOAD,
+						options&OPT_NUMERIC, NULL)
+				    && (proto_used == 0))
+			       )
+			    && (m = find_proto(protocol, XTF_TRY_LOAD,
+					       options&OPT_NUMERIC, &matches))) {
+				/* Try loading protocol */
+				size_t size;
+
+				proto_used = 1;
+
+				size = IP6T_ALIGN(sizeof(struct ip6t_entry_match))
+						 + m->size;
 
-				if (!m) {
-					if (c == '?') {
-						if (optopt) {
-							xtables_error(
-							   PARAMETER_PROBLEM,
-							   "option `%s' "
-							   "requires an "
-							   "argument",
-							   argv[optind-1]);
-						} else {
-							xtables_error(
-							   PARAMETER_PROBLEM,
-							   "unknown option "
-							   "`%s'",
-							   argv[optind-1]);
-						}
+				m->m = xtables_calloc(1, size);
+				m->m->u.match_size = size;
+				strcpy(m->m->u.user.name, m->name);
+				m->m->u.user.revision = m->revision;
+				if (m->init != NULL)
+					m->init(m->m);
+
+				opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
+				    m->extra_opts, &m->option_offset);
+
+				optind--;
+				continue;
+			}
+
+			if (!m) {
+				if (c == '?') {
+					if (optopt) {
+						xtables_error(
+						   PARAMETER_PROBLEM,
+						   "option `%s' "
+						   "requires an "
+						   "argument",
+						   argv[optind-1]);
+					} else {
+						xtables_error(
+						   PARAMETER_PROBLEM,
+						   "unknown option "
+						   "`%s'",
+						   argv[optind-1]);
 					}
-					xtables_error(PARAMETER_PROBLEM,
-						   "Unknown arg `%s'", optarg);
 				}
+				xtables_error(PARAMETER_PROBLEM,
+					   "Unknown arg `%s'", optarg);
 			}
 		}
 		invert = FALSE;
diff --git a/iptables.c b/iptables.c
index 2459b64..eb7ac8e 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1735,109 +1735,109 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 			exit_tryhelp(2);
 
 		default:
-			if (target == NULL || target->parse == NULL ||
-			    c < target->option_offset ||
-			    c >= target->option_offset + XT_OPTION_OFFSET_SCALE ||
-			    !target->parse(c - target->option_offset,
+			if (target != NULL && target->parse != NULL &&
+			    c >= target->option_offset &&
+			    c < target->option_offset + XT_OPTION_OFFSET_SCALE &&
+			    target->parse(c - target->option_offset,
 					       argv, invert,
 					       &target->tflags,
-					       &fw, &target->t)) {
-				for (matchp = matches; matchp; matchp = matchp->next) {
-					if (matchp->completed ||
-					    matchp->match->parse == NULL)
-						continue;
-					if (c < matchp->match->option_offset ||
-					    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
-						continue;
-					if (matchp->match->parse(c - matchp->match->option_offset,
-						     argv, invert,
-						     &matchp->match->mflags,
-						     &fw,
-						     &matchp->match->m))
-						break;
-				}
-				m = matchp ? matchp->match : NULL;
-
-				/* If you listen carefully, you can
-				   actually hear this code suck. */
-
-				/* some explanations (after four different bugs
-				 * in 3 different releases): If we encounter a
-				 * parameter, that has not been parsed yet,
-				 * it's not an option of an explicitly loaded
-				 * match or a target.  However, we support
-				 * implicit loading of the protocol match
-				 * extension.  '-p tcp' means 'l4 proto 6' and
-				 * at the same time 'load tcp protocol match on
-				 * demand if we specify --dport'.
-				 *
-				 * To make this work, we need to make sure:
-				 * - the parameter has not been parsed by
-				 *   a match (m above)
-				 * - a protocol has been specified
-				 * - the protocol extension has not been
-				 *   loaded yet, or is loaded and unused
-				 *   [think of iptables-restore!]
-				 * - the protocol extension can be successively
-				 *   loaded
-				 */
-				if (m == NULL
-				    && protocol
-				    && (!find_proto(protocol, XTF_DONT_LOAD,
-						   options&OPT_NUMERIC, NULL)
-					|| (find_proto(protocol, XTF_DONT_LOAD,
-							options&OPT_NUMERIC, NULL)
-					    && (proto_used == 0))
-				       )
-				    && (m = find_proto(protocol, XTF_TRY_LOAD,
-						       options&OPT_NUMERIC, &matches))) {
-					/* Try loading protocol */
-					size_t size;
-
-					proto_used = 1;
-
-					size = IPT_ALIGN(sizeof(struct ipt_entry_match))
-							 + m->size;
-
-					m->m = xtables_calloc(1, size);
-					m->m->u.match_size = size;
-					strcpy(m->m->u.user.name, m->name);
-					m->m->u.user.revision = m->revision;
-					if (m->init != NULL)
-						m->init(m->m);
-
-					opts = xtables_merge_options(
-							     iptables_globals.orig_opts,
-							     opts,
-							     m->extra_opts,
-							     &m->option_offset);
-					if (opts == NULL)
-						xtables_error(OTHER_PROBLEM,
-							"can't alloc memory!");
-
-					optind--;
+					       &fw, &target->t))
+				break;
+			for (matchp = matches; matchp; matchp = matchp->next) {
+				if (matchp->completed ||
+				    matchp->match->parse == NULL)
 					continue;
-				}
-				if (!m) {
-					if (c == '?') {
-						if (optopt) {
-							xtables_error(
-							   PARAMETER_PROBLEM,
-							   "option `%s' "
-							   "requires an "
-							   "argument",
-							   argv[optind-1]);
-						} else {
-							xtables_error(
-							   PARAMETER_PROBLEM,
-							   "unknown option "
-							   "`%s'",
-							   argv[optind-1]);
-						}
+				if (c < matchp->match->option_offset ||
+				    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+					continue;
+				if (matchp->match->parse(c - matchp->match->option_offset,
+					     argv, invert,
+					     &matchp->match->mflags,
+					     &fw,
+					     &matchp->match->m))
+					break;
+			}
+			m = matchp ? matchp->match : NULL;
+
+			/* If you listen carefully, you can
+			   actually hear this code suck. */
+
+			/* some explanations (after four different bugs
+			 * in 3 different releases): If we encounter a
+			 * parameter, that has not been parsed yet,
+			 * it's not an option of an explicitly loaded
+			 * match or a target.  However, we support
+			 * implicit loading of the protocol match
+			 * extension.  '-p tcp' means 'l4 proto 6' and
+			 * at the same time 'load tcp protocol match on
+			 * demand if we specify --dport'.
+			 *
+			 * To make this work, we need to make sure:
+			 * - the parameter has not been parsed by
+			 *   a match (m above)
+			 * - a protocol has been specified
+			 * - the protocol extension has not been
+			 *   loaded yet, or is loaded and unused
+			 *   [think of iptables-restore!]
+			 * - the protocol extension can be successively
+			 *   loaded
+			 */
+			if (m == NULL
+			    && protocol
+			    && (!find_proto(protocol, XTF_DONT_LOAD,
+					   options&OPT_NUMERIC, NULL)
+				|| (find_proto(protocol, XTF_DONT_LOAD,
+						options&OPT_NUMERIC, NULL)
+				    && (proto_used == 0))
+			       )
+			    && (m = find_proto(protocol, XTF_TRY_LOAD,
+					       options&OPT_NUMERIC, &matches))) {
+				/* Try loading protocol */
+				size_t size;
+
+				proto_used = 1;
+
+				size = IPT_ALIGN(sizeof(struct ipt_entry_match))
+						 + m->size;
+
+				m->m = xtables_calloc(1, size);
+				m->m->u.match_size = size;
+				strcpy(m->m->u.user.name, m->name);
+				m->m->u.user.revision = m->revision;
+				if (m->init != NULL)
+					m->init(m->m);
+
+				opts = xtables_merge_options(
+						     iptables_globals.orig_opts,
+						     opts,
+						     m->extra_opts,
+						     &m->option_offset);
+				if (opts == NULL)
+					xtables_error(OTHER_PROBLEM,
+						"can't alloc memory!");
+
+				optind--;
+				continue;
+			}
+			if (!m) {
+				if (c == '?') {
+					if (optopt) {
+						xtables_error(
+						   PARAMETER_PROBLEM,
+						   "option `%s' "
+						   "requires an "
+						   "argument",
+						   argv[optind-1]);
+					} else {
+						xtables_error(
+						   PARAMETER_PROBLEM,
+						   "unknown option "
+						   "`%s'",
+						   argv[optind-1]);
 					}
-					xtables_error(PARAMETER_PROBLEM,
-						   "Unknown arg `%s'", optarg);
 				}
+				xtables_error(PARAMETER_PROBLEM,
+					   "Unknown arg `%s'", optarg);
 			}
 		}
 		invert = FALSE;
-- 
1.7.1

[PATCH 2/8] iptables: reduce indentation of parse loop (2/3)

[Jan Engelhardt]

The stop flag is temporary (see next patch). By using such early
break, less clauses can be removed.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |   50 ++++++++++++++++++++++++++------------------------
 iptables.c  |   49 ++++++++++++++++++++++++++-----------------------
 2 files changed, 52 insertions(+), 47 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index d453868..f581509 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1702,7 +1702,9 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
 			exit_tryhelp(2);
 
-		default:
+		default: {
+			bool stop = false;
+
 			if (target != NULL && target->parse != NULL &&
 			    c >= target->option_offset &&
 			    c < target->option_offset + XT_OPTION_OFFSET_SCALE &&
@@ -1722,10 +1724,13 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 					     argv, invert,
 					     &matchp->match->mflags,
 					     &fw,
-					     &matchp->match->m))
+					     &matchp->match->m)) {
+					stop = true;
 					break;
+				}
 			}
-			m = matchp ? matchp->match : NULL;
+			if (stop)
+				break;
 
 			/* If you listen carefully, you can
 			   actually hear this code suck. */
@@ -1750,8 +1755,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			 * - the protocol extension can be successively
 			 *   loaded
 			 */
-			if (m == NULL
-			    && protocol
+			if (protocol != NULL
 			    && (!find_proto(protocol, XTF_DONT_LOAD,
 					   options&OPT_NUMERIC, NULL)
 				|| (find_proto(protocol, XTF_DONT_LOAD,
@@ -1781,27 +1785,25 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 				optind--;
 				continue;
 			}
-
-			if (!m) {
-				if (c == '?') {
-					if (optopt) {
-						xtables_error(
-						   PARAMETER_PROBLEM,
-						   "option `%s' "
-						   "requires an "
-						   "argument",
-						   argv[optind-1]);
-					} else {
-						xtables_error(
-						   PARAMETER_PROBLEM,
-						   "unknown option "
-						   "`%s'",
-						   argv[optind-1]);
-					}
+			if (c == '?') {
+				if (optopt) {
+					xtables_error(
+					   PARAMETER_PROBLEM,
+					   "option `%s' "
+					   "requires an "
+					   "argument",
+					   argv[optind-1]);
+				} else {
+					xtables_error(
+					   PARAMETER_PROBLEM,
+					   "unknown option "
+					   "`%s'",
+					   argv[optind-1]);
 				}
-				xtables_error(PARAMETER_PROBLEM,
-					   "Unknown arg `%s'", optarg);
 			}
+			xtables_error(PARAMETER_PROBLEM,
+				   "Unknown arg `%s'", optarg);
+		} /* default */
 		}
 		invert = FALSE;
 	}
diff --git a/iptables.c b/iptables.c
index eb7ac8e..b957e66 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1734,7 +1734,9 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
 			exit_tryhelp(2);
 
-		default:
+		default: {
+			bool stop = false;
+
 			if (target != NULL && target->parse != NULL &&
 			    c >= target->option_offset &&
 			    c < target->option_offset + XT_OPTION_OFFSET_SCALE &&
@@ -1754,10 +1756,13 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 					     argv, invert,
 					     &matchp->match->mflags,
 					     &fw,
-					     &matchp->match->m))
+					     &matchp->match->m)) {
+					stop = true;
 					break;
+				}
 			}
-			m = matchp ? matchp->match : NULL;
+			if (stop)
+				break;
 
 			/* If you listen carefully, you can
 			   actually hear this code suck. */
@@ -1782,8 +1787,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 			 * - the protocol extension can be successively
 			 *   loaded
 			 */
-			if (m == NULL
-			    && protocol
+			if (protocol != NULL
 			    && (!find_proto(protocol, XTF_DONT_LOAD,
 					   options&OPT_NUMERIC, NULL)
 				|| (find_proto(protocol, XTF_DONT_LOAD,
@@ -1819,26 +1823,25 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 				optind--;
 				continue;
 			}
-			if (!m) {
-				if (c == '?') {
-					if (optopt) {
-						xtables_error(
-						   PARAMETER_PROBLEM,
-						   "option `%s' "
-						   "requires an "
-						   "argument",
-						   argv[optind-1]);
-					} else {
-						xtables_error(
-						   PARAMETER_PROBLEM,
-						   "unknown option "
-						   "`%s'",
-						   argv[optind-1]);
-					}
+			if (c == '?') {
+				if (optopt) {
+					xtables_error(
+					   PARAMETER_PROBLEM,
+					   "option `%s' "
+					   "requires an "
+					   "argument",
+					   argv[optind-1]);
+				} else {
+					xtables_error(
+					   PARAMETER_PROBLEM,
+					   "unknown option "
+					   "`%s'",
+					   argv[optind-1]);
 				}
-				xtables_error(PARAMETER_PROBLEM,
-					   "Unknown arg `%s'", optarg);
 			}
+			xtables_error(PARAMETER_PROBLEM,
+				   "Unknown arg `%s'", optarg);
+		} /* default */
 		}
 		invert = FALSE;
 	}
-- 
1.7.1

[PATCH 3/8] iptables: use variable as shortcut in parse loop

[Jan Engelhardt]

"m" is around, so use it, cut the code.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |   17 ++++++++---------
 iptables.c  |   17 ++++++++---------
 2 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index f581509..caee730 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1714,17 +1714,16 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 					       &fw, &target->t))
 				break;
 			for (matchp = matches; matchp; matchp = matchp->next) {
-				if (matchp->completed ||
-				    matchp->match->parse == NULL)
+				m = matchp->match;
+
+				if (matchp->completed || m->parse == NULL)
 					continue;
-				if (c < matchp->match->option_offset ||
-				    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+				if (c < m->option_offset ||
+				    c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
 					continue;
-				if (matchp->match->parse(c - matchp->match->option_offset,
-					     argv, invert,
-					     &matchp->match->mflags,
-					     &fw,
-					     &matchp->match->m)) {
+				if (m->parse(c - matchp->match->option_offset,
+					     argv, invert, &m->mflags, &fw,
+					     &m->m)) {
 					stop = true;
 					break;
 				}
diff --git a/iptables.c b/iptables.c
index b957e66..db8e136 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1746,17 +1746,16 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 					       &fw, &target->t))
 				break;
 			for (matchp = matches; matchp; matchp = matchp->next) {
-				if (matchp->completed ||
-				    matchp->match->parse == NULL)
+				m = matchp->match;
+
+				if (matchp->completed || m->parse == NULL)
 					continue;
-				if (c < matchp->match->option_offset ||
-				    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+				if (c < m->option_offset ||
+				    c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
 					continue;
-				if (matchp->match->parse(c - matchp->match->option_offset,
-					     argv, invert,
-					     &matchp->match->mflags,
-					     &fw,
-					     &matchp->match->m)) {
+				if (m->parse(c - matchp->match->option_offset,
+					     argv, invert, &m->mflags, &fw,
+					     &m->m)) {
 					stop = true;
 					break;
 				}
-- 
1.7.1

[PATCH 4/8] iptables: reduce indentation of parse loop (3/3)

[Jan Engelhardt]

Put the default case into its own function. Essentially, 5 levels of
indentation have been stripped, and this is surely a result that looks
a lot better than it did before.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |  190 ++++++++++++++++++++++++++-------------------------------
 iptables.c  |  196 ++++++++++++++++++++++++++--------------------------------
 2 files changed, 176 insertions(+), 210 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index caee730..fb3b320 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1288,6 +1288,88 @@ static void clear_rule_matches(struct xtables_rule_match **matches)
 	*matches = NULL;
 }
 
+static void
+command_default(int c, char **argv, bool invert, struct ip6t_entry *fw,
+		const char *protocol, bool *proto_used, unsigned int options,
+		struct xtables_target *target,
+		struct xtables_rule_match **matches)
+{
+	struct xtables_rule_match *matchp;
+	struct xtables_match *m;
+
+	if (target != NULL && target->parse != NULL &&
+	    c >= target->option_offset &&
+	    c < target->option_offset + XT_OPTION_OFFSET_SCALE)
+		if (target->parse(c - target->option_offset, argv, invert,
+		    &target->tflags, fw, &target->t))
+			return;
+
+	for (matchp = *matches; matchp != NULL; matchp = matchp->next) {
+		m = matchp->match;
+
+		if (matchp->completed || m->parse == NULL)
+			continue;
+		if (c < m->option_offset ||
+		    c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
+			continue;
+		if (m->parse(c - matchp->match->option_offset,
+		    argv, invert, &matchp->match->mflags, fw,
+		    &matchp->match->m))
+			return;
+	}
+
+	/*
+	 * If you listen carefully, you can actually hear this code suck.
+	 *
+	 * Some explanations (after four different bugs in 3 different
+	 * releases): If we encounter a parameter, that has not been parsed
+	 * yet, it's not an option of an explicitly loaded match or a target.
+	 * However, we support implicit loading of the protocol match
+	 * extension. '-p tcp' means 'l4 proto 6' and at the same time 'load
+	 * tcp protocol match on demand if we specify --dport'.
+	 *
+	 * To make this work, we need to make sure:
+	 * - the parameter has not been parsed by a match (m above)
+	 * - a protocol has been specified
+	 * - the protocol extension has not been loaded yet, or is loaded and
+	 *   unused [think of iptables-restore!]
+	 * - the protocol extension can be successively loaded
+	 */
+	if (m == NULL && protocol != NULL &&
+	    (!find_proto(protocol, XTF_DONT_LOAD, options & OPT_NUMERIC, NULL) ||
+	     (find_proto(protocol, XTF_DONT_LOAD, options & OPT_NUMERIC, NULL) && !*proto_used)) &&
+	    (m = find_proto(protocol, XTF_TRY_LOAD, options & OPT_NUMERIC, matches))) {
+		/* Try loading protocol */
+		size_t size;
+
+		*proto_used = true;
+		size = IP6T_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
+
+		m->m = xtables_calloc(1, size);
+		m->m->u.match_size = size;
+		strcpy(m->m->u.user.name, m->name);
+		m->m->u.user.revision = m->revision;
+		if (m->init != NULL)
+			m->init(m->m);
+
+		opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
+					     m->extra_opts, &m->option_offset);
+		if (opts == NULL)
+			xtables_error(OTHER_PROBLEM, "can't alloc memory!");
+		optind--;
+		return;
+	}
+	if (c == '?') {
+		if (optopt)
+			xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+			              "requires an argument", argv[optind-1]);
+		else
+			xtables_error(PARAMETER_PROBLEM, "unknown option "
+				      "\"%s\"", optarg);
+	}
+	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", argv[optind-1]);
+}
+
 int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **handle)
 {
 	struct ip6t_entry fw, *e = NULL;
@@ -1310,7 +1392,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 	struct xtables_target *t;
 	const char *jumpto = "";
 	char *protocol = NULL;
-	int proto_used = 0;
+	bool proto_used = false;
 	unsigned long long cnt;
 
 	memset(&fw, 0, sizeof(fw));
@@ -1702,107 +1784,11 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
 			exit_tryhelp(2);
 
-		default: {
-			bool stop = false;
-
-			if (target != NULL && target->parse != NULL &&
-			    c >= target->option_offset &&
-			    c < target->option_offset + XT_OPTION_OFFSET_SCALE &&
-			    target->parse(c - target->option_offset,
-					       argv, invert,
-					       &target->tflags,
-					       &fw, &target->t))
-				break;
-			for (matchp = matches; matchp; matchp = matchp->next) {
-				m = matchp->match;
-
-				if (matchp->completed || m->parse == NULL)
-					continue;
-				if (c < m->option_offset ||
-				    c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
-					continue;
-				if (m->parse(c - matchp->match->option_offset,
-					     argv, invert, &m->mflags, &fw,
-					     &m->m)) {
-					stop = true;
-					break;
-				}
-			}
-			if (stop)
-				break;
-
-			/* If you listen carefully, you can
-			   actually hear this code suck. */
-
-			/* some explanations (after four different bugs
-			 * in 3 different releases): If we encounter a
-			 * parameter, that has not been parsed yet,
-			 * it's not an option of an explicitly loaded
-			 * match or a target.  However, we support
-			 * implicit loading of the protocol match
-			 * extension.  '-p tcp' means 'l4 proto 6' and
-			 * at the same time 'load tcp protocol match on
-			 * demand if we specify --dport'.
-			 *
-			 * To make this work, we need to make sure:
-			 * - the parameter has not been parsed by
-			 *   a match (m above)
-			 * - a protocol has been specified
-			 * - the protocol extension has not been
-			 *   loaded yet, or is loaded and unused
-			 *   [think of ip6tables-restore!]
-			 * - the protocol extension can be successively
-			 *   loaded
-			 */
-			if (protocol != NULL
-			    && (!find_proto(protocol, XTF_DONT_LOAD,
-					   options&OPT_NUMERIC, NULL)
-				|| (find_proto(protocol, XTF_DONT_LOAD,
-						options&OPT_NUMERIC, NULL)
-				    && (proto_used == 0))
-			       )
-			    && (m = find_proto(protocol, XTF_TRY_LOAD,
-					       options&OPT_NUMERIC, &matches))) {
-				/* Try loading protocol */
-				size_t size;
-
-				proto_used = 1;
-
-				size = IP6T_ALIGN(sizeof(struct ip6t_entry_match))
-						 + m->size;
-
-				m->m = xtables_calloc(1, size);
-				m->m->u.match_size = size;
-				strcpy(m->m->u.user.name, m->name);
-				m->m->u.user.revision = m->revision;
-				if (m->init != NULL)
-					m->init(m->m);
-
-				opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
-				    m->extra_opts, &m->option_offset);
-
-				optind--;
-				continue;
-			}
-			if (c == '?') {
-				if (optopt) {
-					xtables_error(
-					   PARAMETER_PROBLEM,
-					   "option `%s' "
-					   "requires an "
-					   "argument",
-					   argv[optind-1]);
-				} else {
-					xtables_error(
-					   PARAMETER_PROBLEM,
-					   "unknown option "
-					   "`%s'",
-					   argv[optind-1]);
-				}
-			}
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unknown arg `%s'", optarg);
-		} /* default */
+		default:
+			command_default(c, argv, invert, &fw, protocol,
+					&proto_used, options,
+					target, &matches);
+			break;
 		}
 		invert = FALSE;
 	}
diff --git a/iptables.c b/iptables.c
index db8e136..9977634 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1311,6 +1311,88 @@ get_kernel_version(void) {
 	kernel_version = LINUX_VERSION(x, y, z);
 }
 
+static void
+command_default(int c, char **argv, bool invert, struct ipt_entry *fw,
+		const char *protocol, bool *proto_used, unsigned int options,
+		struct xtables_target *target,
+		struct xtables_rule_match **matches)
+{
+	struct xtables_rule_match *matchp;
+	struct xtables_match *m;
+
+	if (target != NULL && target->parse != NULL &&
+	    c >= target->option_offset &&
+	    c < target->option_offset + XT_OPTION_OFFSET_SCALE)
+		if (target->parse(c - target->option_offset, argv, invert,
+		    &target->tflags, fw, &target->t))
+			return;
+
+	for (matchp = *matches; matchp != NULL; matchp = matchp->next) {
+		m = matchp->match;
+
+		if (matchp->completed || m->parse == NULL)
+			continue;
+		if (c < m->option_offset ||
+		    c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
+			continue;
+		if (m->parse(c - matchp->match->option_offset,
+		    argv, invert, &matchp->match->mflags, fw,
+		    &matchp->match->m))
+			return;
+	}
+
+	/*
+	 * If you listen carefully, you can actually hear this code suck.
+	 *
+	 * Some explanations (after four different bugs in 3 different
+	 * releases): If we encounter a parameter, that has not been parsed
+	 * yet, it's not an option of an explicitly loaded match or a target.
+	 * However, we support implicit loading of the protocol match
+	 * extension. '-p tcp' means 'l4 proto 6' and at the same time 'load
+	 * tcp protocol match on demand if we specify --dport'.
+	 *
+	 * To make this work, we need to make sure:
+	 * - the parameter has not been parsed by a match (m above)
+	 * - a protocol has been specified
+	 * - the protocol extension has not been loaded yet, or is loaded and
+	 *   unused [think of iptables-restore!]
+	 * - the protocol extension can be successively loaded
+	 */
+	if (m == NULL && protocol != NULL &&
+	    (!find_proto(protocol, XTF_DONT_LOAD, options & OPT_NUMERIC, NULL) ||
+	     (find_proto(protocol, XTF_DONT_LOAD, options & OPT_NUMERIC, NULL) && !*proto_used)) &&
+	    (m = find_proto(protocol, XTF_TRY_LOAD, options & OPT_NUMERIC, matches))) {
+		/* Try loading protocol */
+		size_t size;
+
+		*proto_used = true;
+		size = IPT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
+
+		m->m = xtables_calloc(1, size);
+		m->m->u.match_size = size;
+		strcpy(m->m->u.user.name, m->name);
+		m->m->u.user.revision = m->revision;
+		if (m->init != NULL)
+			m->init(m->m);
+
+		opts = xtables_merge_options(iptables_globals.orig_opts, opts,
+					     m->extra_opts, &m->option_offset);
+		if (opts == NULL)
+			xtables_error(OTHER_PROBLEM, "can't alloc memory!");
+		optind--;
+		return;
+	}
+	if (c == '?') {
+		if (optopt)
+			xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+			              "requires an argument", argv[optind-1]);
+		else
+			xtables_error(PARAMETER_PROBLEM, "unknown option "
+				      "\"%s\"", argv[optind-1]);
+	}
+	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+}
+
 int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle)
 {
 	struct ipt_entry fw, *e = NULL;
@@ -1333,7 +1415,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 	struct xtables_target *t;
 	const char *jumpto = "";
 	char *protocol = NULL;
-	int proto_used = 0;
+	bool proto_used = false;
 	unsigned long long cnt;
 
 	memset(&fw, 0, sizeof(fw));
@@ -1734,113 +1816,11 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 			fprintf(stderr, "Bad argument `%s'\n", optarg);
 			exit_tryhelp(2);
 
-		default: {
-			bool stop = false;
-
-			if (target != NULL && target->parse != NULL &&
-			    c >= target->option_offset &&
-			    c < target->option_offset + XT_OPTION_OFFSET_SCALE &&
-			    target->parse(c - target->option_offset,
-					       argv, invert,
-					       &target->tflags,
-					       &fw, &target->t))
-				break;
-			for (matchp = matches; matchp; matchp = matchp->next) {
-				m = matchp->match;
-
-				if (matchp->completed || m->parse == NULL)
-					continue;
-				if (c < m->option_offset ||
-				    c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
-					continue;
-				if (m->parse(c - matchp->match->option_offset,
-					     argv, invert, &m->mflags, &fw,
-					     &m->m)) {
-					stop = true;
-					break;
-				}
-			}
-			if (stop)
-				break;
-
-			/* If you listen carefully, you can
-			   actually hear this code suck. */
-
-			/* some explanations (after four different bugs
-			 * in 3 different releases): If we encounter a
-			 * parameter, that has not been parsed yet,
-			 * it's not an option of an explicitly loaded
-			 * match or a target.  However, we support
-			 * implicit loading of the protocol match
-			 * extension.  '-p tcp' means 'l4 proto 6' and
-			 * at the same time 'load tcp protocol match on
-			 * demand if we specify --dport'.
-			 *
-			 * To make this work, we need to make sure:
-			 * - the parameter has not been parsed by
-			 *   a match (m above)
-			 * - a protocol has been specified
-			 * - the protocol extension has not been
-			 *   loaded yet, or is loaded and unused
-			 *   [think of iptables-restore!]
-			 * - the protocol extension can be successively
-			 *   loaded
-			 */
-			if (protocol != NULL
-			    && (!find_proto(protocol, XTF_DONT_LOAD,
-					   options&OPT_NUMERIC, NULL)
-				|| (find_proto(protocol, XTF_DONT_LOAD,
-						options&OPT_NUMERIC, NULL)
-				    && (proto_used == 0))
-			       )
-			    && (m = find_proto(protocol, XTF_TRY_LOAD,
-					       options&OPT_NUMERIC, &matches))) {
-				/* Try loading protocol */
-				size_t size;
-
-				proto_used = 1;
-
-				size = IPT_ALIGN(sizeof(struct ipt_entry_match))
-						 + m->size;
-
-				m->m = xtables_calloc(1, size);
-				m->m->u.match_size = size;
-				strcpy(m->m->u.user.name, m->name);
-				m->m->u.user.revision = m->revision;
-				if (m->init != NULL)
-					m->init(m->m);
-
-				opts = xtables_merge_options(
-						     iptables_globals.orig_opts,
-						     opts,
-						     m->extra_opts,
-						     &m->option_offset);
-				if (opts == NULL)
-					xtables_error(OTHER_PROBLEM,
-						"can't alloc memory!");
-
-				optind--;
-				continue;
-			}
-			if (c == '?') {
-				if (optopt) {
-					xtables_error(
-					   PARAMETER_PROBLEM,
-					   "option `%s' "
-					   "requires an "
-					   "argument",
-					   argv[optind-1]);
-				} else {
-					xtables_error(
-					   PARAMETER_PROBLEM,
-					   "unknown option "
-					   "`%s'",
-					   argv[optind-1]);
-				}
-			}
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unknown arg `%s'", optarg);
-		} /* default */
+		default:
+			command_default(c, argv, invert, &fw, protocol,
+					&proto_used, options,
+					target, &matches);
+			break;
 		}
 		invert = FALSE;
 	}
-- 
1.7.1

[PATCH 5/8] iptables: fix error message for unknown options

[Jan Engelhardt]

-From: iptables v1.4.10: option "-q" requires an argument
+To:   iptables v1.4.10: unknown option "-q"

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |   16 +++++++---------
 iptables.c  |   16 +++++++---------
 2 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index fb3b320..8cacf61 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1359,14 +1359,12 @@ command_default(int c, char **argv, bool invert, struct ip6t_entry *fw,
 		optind--;
 		return;
 	}
-	if (c == '?') {
-		if (optopt)
-			xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
-			              "requires an argument", argv[optind-1]);
-		else
-			xtables_error(PARAMETER_PROBLEM, "unknown option "
-				      "\"%s\"", optarg);
-	}
+	if (c == ':')
+		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+		              "requires an argument", argv[optind-1]);
+	if (c == '?')
+		xtables_error(PARAMETER_PROBLEM, "unknown option "
+			      "\"%s\"", argv[optind-1]);
 	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", argv[optind-1]);
 }
 
@@ -1417,7 +1415,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 
 	opts = xt_params->orig_opts;
 	while ((c = getopt_long(argc, argv,
-	   "-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
+	   "-:A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
 					   opts, NULL)) != -1) {
 		switch (c) {
 			/*
diff --git a/iptables.c b/iptables.c
index 9977634..504bcd8 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1382,14 +1382,12 @@ command_default(int c, char **argv, bool invert, struct ipt_entry *fw,
 		optind--;
 		return;
 	}
-	if (c == '?') {
-		if (optopt)
-			xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
-			              "requires an argument", argv[optind-1]);
-		else
-			xtables_error(PARAMETER_PROBLEM, "unknown option "
-				      "\"%s\"", argv[optind-1]);
-	}
+	if (c == ':')
+		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+		              "requires an argument", argv[optind-1]);
+	if (c == '?')
+		xtables_error(PARAMETER_PROBLEM, "unknown option "
+			      "\"%s\"", argv[optind-1]);
 	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
 }
 
@@ -1440,7 +1438,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 
 	opts = xt_params->orig_opts;
 	while ((c = getopt_long(argc, argv,
-	   "-A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:",
+	   "-:A:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:",
 					   opts, NULL)) != -1) {
 		switch (c) {
 			/*
-- 
1.7.1

[PATCH 6/8] build: directly use config.h in internal.h

[Jan Engelhardt]

This avoids the extra indirection via the .h.in file.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 .gitignore                     |    1 -
 Makefile.am                    |    3 +--
 configure.ac                   |    2 +-
 include/iptables/internal.h    |   15 +++++++++++++++
 include/iptables/internal.h.in |   13 -------------
 5 files changed, 17 insertions(+), 17 deletions(-)
 create mode 100644 include/iptables/internal.h
 delete mode 100644 include/iptables/internal.h.in

diff --git a/.gitignore b/.gitignore
index e5d3099..7d0df25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,7 +18,6 @@ Makefile.in
 /extensions/targets?.man
 
 /include/xtables.h
-/include/iptables/internal.h
 
 /aclocal.m4
 /autom4te*.cache
diff --git a/Makefile.am b/Makefile.am
index 7f0eb2f..cfccbf2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -89,8 +89,7 @@ tarball:
 	tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/;
 	rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
 
-config.status: extensions/GNUmakefile.in \
-	include/xtables.h.in include/iptables/internal.h.in
+config.status: extensions/GNUmakefile.in include/xtables.h.in
 
 # Using if..fi avoids an ugly "error (ignored)" message :)
 install-exec-hook:
diff --git a/configure.ac b/configure.ac
index eb447e0..94d5ab2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,5 +111,5 @@ AC_SUBST([libxtables_vmajor])
 
 AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
 	libipq/Makefile utils/Makefile
-	include/xtables.h include/iptables/internal.h libiptc.pc xtables.pc])
+	include/xtables.h libiptc.pc xtables.pc])
 AC_OUTPUT
diff --git a/include/iptables/internal.h b/include/iptables/internal.h
new file mode 100644
index 0000000..531fe4f
--- /dev/null
+++ b/include/iptables/internal.h
@@ -0,0 +1,15 @@
+#ifndef IPTABLES_INTERNAL_H
+#define IPTABLES_INTERNAL_H 1
+
+#include "config.h"
+
+#define IPTABLES_VERSION PACKAGE_VERSION
+
+/**
+ * Program's own name and version.
+ */
+extern const char *program_name, *program_version;
+
+extern int line;
+
+#endif /* IPTABLES_INTERNAL_H */
diff --git a/include/iptables/internal.h.in b/include/iptables/internal.h.in
deleted file mode 100644
index 8568e58..0000000
--- a/include/iptables/internal.h.in
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef IPTABLES_INTERNAL_H
-#define IPTABLES_INTERNAL_H 1
-
-#define IPTABLES_VERSION "@PACKAGE_VERSION@"
-
-/**
- * Program's own name and version.
- */
-extern const char *program_name, *program_version;
-
-extern int line;
-
-#endif /* IPTABLES_INTERNAL_H */
-- 
1.7.1

[PATCH 7/8] libxtables: symbol visibility

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am                 |    4 +-
 configure.ac                |    2 +
 extensions/GNUmakefile.in   |    2 +-
 include/iptables/internal.h |    6 ++
 iptables.c                  |    2 +-
 m4/gcc4_visibility.m4       |   21 ++++++++
 xtables.c                   |  109 ++++++++++++++++++++++++-------------------
 7 files changed, 94 insertions(+), 52 deletions(-)
 create mode 100644 m4/gcc4_visibility.m4

diff --git a/Makefile.am b/Makefile.am
index cfccbf2..a560113 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,11 +29,11 @@ libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
 lib_LTLIBRARIES      += libxtables.la
 libxtables_la_SOURCES = xtables.c
 libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
+libxtables_la_CFLAGS  = ${AM_CFLAGS} ${GCC_FVISIBILITY_HIDDEN}
 if ENABLE_SHARED
-libxtables_la_CFLAGS  = ${AM_CFLAGS}
 libxtables_la_LIBADD  = -ldl
 else
-libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
+libxtables_la_CFLAGS += -DNO_SHARED_LIBS=1
 libxtables_la_LIBADD  =
 endif
 
diff --git a/configure.ac b/configure.ac
index 94d5ab2..cba1dc5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -14,6 +14,8 @@ AM_PROG_CC_C_O
 AC_DISABLE_STATIC
 AM_PROG_LIBTOOL
 
+CHECK_GCC_FVISIBILITY
+
 AC_ARG_WITH([kernel],
 	AS_HELP_STRING([--with-kernel=PATH],
 	[Path to kernel source/build directory]),
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 74a058c..899a52d 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -18,7 +18,7 @@ LDFLAGS        := @LDFLAGS@
 regular_CFLAGS := @regular_CFLAGS@
 kinclude_CFLAGS := @kinclude_CFLAGS@
 
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS      := ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS} -I${top_builddir}
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 ifeq (${V},)
diff --git a/include/iptables/internal.h b/include/iptables/internal.h
index 531fe4f..89d11cb 100644
--- a/include/iptables/internal.h
+++ b/include/iptables/internal.h
@@ -3,6 +3,12 @@
 
 #include "config.h"
 
+#ifdef HAVE_VISIBILITY_HIDDEN
+#	define EXPORT_SYMBOL __attribute__((visibility("default")))
+#else
+#	define EXPORT_SYMBOL
+#endif
+
 #define IPTABLES_VERSION PACKAGE_VERSION
 
 /**
diff --git a/iptables.c b/iptables.c
index 504bcd8..1bc9d84 100644
--- a/iptables.c
+++ b/iptables.c
@@ -200,7 +200,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
 #define prog_name iptables_globals.program_name
 #define prog_vers iptables_globals.program_version
 
-int kernel_version;
+EXPORT_SYMBOL int kernel_version;
 
 /* Primitive headers... */
 /* defined in netinet/in.h */
diff --git a/m4/gcc4_visibility.m4 b/m4/gcc4_visibility.m4
new file mode 100644
index 0000000..84959f3
--- /dev/null
+++ b/m4/gcc4_visibility.m4
@@ -0,0 +1,21 @@
+
+# GCC 4.x -fvisibility=hidden
+
+AC_DEFUN([CHECK_GCC_FVISIBILITY], [
+	AC_LANG_PUSH([C])
+	saved_CFLAGS="$CFLAGS"
+	CFLAGS="$saved_CFLAGS -fvisibility=hidden"
+	AC_CACHE_CHECK([whether compiler accepts -fvisibility=hidden],
+	  [ac_cv_fvisibility_hidden], AC_COMPILE_IFELSE(
+		AC_LANG_PROGRAM([], []),
+		[ac_cv_fvisibility_hidden=yes],
+		[ac_cv_fvisibility_hidden=no]
+	))
+	if test "$ac_cv_fvisibility_hidden" = "yes"; then
+		AC_DEFINE([HAVE_VISIBILITY_HIDDEN], [1],
+		  [True if compiler supports -fvisibility=hidden])
+		AC_SUBST([GCC_FVISIBILITY_HIDDEN], [-fvisibility=hidden])
+	fi
+	CFLAGS="$saved_CFLAGS"
+	AC_LANG_POP([C])
+])
diff --git a/xtables.c b/xtables.c
index fc59f75..4425f38 100644
--- a/xtables.c
+++ b/xtables.c
@@ -50,6 +50,7 @@
 #endif
 #include <getopt.h>
 #include "xshared.h"
+#include "iptables/internal.h"
 
 #define NPROTO	255
 
@@ -59,7 +60,7 @@
 
 void basic_exit_err(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 
-struct xtables_globals *xt_params = NULL;
+EXPORT_SYMBOL struct xtables_globals *xt_params;
 
 void basic_exit_err(enum xtables_exittype status, const char *msg, ...)
 {
@@ -73,7 +74,7 @@ void basic_exit_err(enum xtables_exittype status, const char *msg, ...)
 	exit(status);
 }
 
-void xtables_free_opts(int unused)
+EXPORT_SYMBOL void xtables_free_opts(int unused)
 {
 	if (xt_params->opts != xt_params->orig_opts) {
 		free(xt_params->opts);
@@ -81,10 +82,10 @@ void xtables_free_opts(int unused)
 	}
 }
 
-struct option *xtables_merge_options(struct option *orig_opts,
-				     struct option *oldopts,
-				     const struct option *newopts,
-				     unsigned int *option_offset)
+EXPORT_SYMBOL struct option *
+xtables_merge_options(struct option *orig_opts, struct option *oldopts,
+		      const struct option *newopts,
+		      unsigned int *option_offset)
 {
 	unsigned int num_oold = 0, num_old = 0, num_new = 0, i;
 	struct option *merge, *mp;
@@ -172,11 +173,11 @@ static const struct xtables_afinfo *afinfo;
 static const char *xtables_libdir;
 
 /* the path to command to load kernel module */
-const char *xtables_modprobe_program;
+EXPORT_SYMBOL const char *xtables_modprobe_program;
 
 /* Keeping track of external matches and targets: linked lists.  */
-struct xtables_match *xtables_matches;
-struct xtables_target *xtables_targets;
+EXPORT_SYMBOL struct xtables_match *xtables_matches;
+EXPORT_SYMBOL struct xtables_target *xtables_targets;
 
 void xtables_init(void)
 {
@@ -230,7 +231,7 @@ void xtables_set_nfproto(uint8_t nfproto)
  *
  * Returns -1 on failure to set and 0 on success
  */
-int xtables_set_params(struct xtables_globals *xtp)
+EXPORT_SYMBOL int xtables_set_params(struct xtables_globals *xtp)
 {
 	if (!xtp) {
 		fprintf(stderr, "%s: Illegal global params\n",__func__);
@@ -245,7 +246,8 @@ int xtables_set_params(struct xtables_globals *xtp)
 	return 0;
 }
 
-int xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto)
+EXPORT_SYMBOL int
+xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto)
 {
 	xtables_init();
 	xtables_set_nfproto(nfproto);
@@ -255,7 +257,7 @@ int xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto)
 /**
  * xtables_*alloc - wrappers that exit on failure
  */
-void *xtables_calloc(size_t count, size_t size)
+EXPORT_SYMBOL void *xtables_calloc(size_t count, size_t size)
 {
 	void *p;
 
@@ -267,7 +269,7 @@ void *xtables_calloc(size_t count, size_t size)
 	return p;
 }
 
-void *xtables_malloc(size_t size)
+EXPORT_SYMBOL void *xtables_malloc(size_t size)
 {
 	void *p;
 
@@ -367,7 +369,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
 	return -1;
 }
 
-int xtables_load_ko(const char *modprobe, bool quiet)
+EXPORT_SYMBOL int xtables_load_ko(const char *modprobe, bool quiet)
 {
 	static bool loaded = false;
 	static int ret = -1;
@@ -421,8 +423,9 @@ bool xtables_strtoul(const char *s, char **end, unsigned long *value,
 	return false;
 }
 
-bool xtables_strtoui(const char *s, char **end, unsigned int *value,
-                     unsigned int min, unsigned int max)
+EXPORT_SYMBOL bool
+xtables_strtoui(const char *s, char **end, unsigned int *value,
+		unsigned int min, unsigned int max)
 {
 	unsigned long v;
 	bool ret;
@@ -433,7 +436,7 @@ bool xtables_strtoui(const char *s, char **end, unsigned int *value,
 	return ret;
 }
 
-int xtables_service_to_port(const char *name, const char *proto)
+EXPORT_SYMBOL int xtables_service_to_port(const char *name, const char *proto)
 {
 	struct servent *service;
 
@@ -443,7 +446,7 @@ int xtables_service_to_port(const char *name, const char *proto)
 	return -1;
 }
 
-uint16_t xtables_parse_port(const char *port, const char *proto)
+EXPORT_SYMBOL uint16_t xtables_parse_port(const char *port, const char *proto)
 {
 	unsigned int portnum;
 
@@ -455,8 +458,8 @@ uint16_t xtables_parse_port(const char *port, const char *proto)
 		   "invalid port/service `%s' specified", port);
 }
 
-void xtables_parse_interface(const char *arg, char *vianame,
-			     unsigned char *mask)
+EXPORT_SYMBOL void
+xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask)
 {
 	unsigned int vialen = strlen(arg);
 	unsigned int i;
@@ -547,7 +550,7 @@ static void *load_extension(const char *search_path, const char *af_prefix,
 }
 #endif
 
-struct xtables_match *
+EXPORT_SYMBOL struct xtables_match *
 xtables_find_match(const char *name, enum xtables_tryload tryload,
 		   struct xtables_rule_match **matches)
 {
@@ -628,7 +631,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 	return ptr;
 }
 
-struct xtables_target *
+EXPORT_SYMBOL struct xtables_target *
 xtables_find_target(const char *name, enum xtables_tryload tryload)
 {
 	struct xtables_target *ptr;
@@ -744,7 +747,7 @@ static void xtables_check_options(const char *name, const struct option *opt)
 		}
 }
 
-void xtables_register_match(struct xtables_match *me)
+EXPORT_SYMBOL void xtables_register_match(struct xtables_match *me)
 {
 	struct xtables_match **i, *old;
 
@@ -825,14 +828,15 @@ void xtables_register_match(struct xtables_match *me)
 	me->mflags = 0;
 }
 
-void xtables_register_matches(struct xtables_match *match, unsigned int n)
+EXPORT_SYMBOL void
+xtables_register_matches(struct xtables_match *match, unsigned int n)
 {
 	do {
 		xtables_register_match(&match[--n]);
 	} while (n > 0);
 }
 
-void xtables_register_target(struct xtables_target *me)
+EXPORT_SYMBOL void xtables_register_target(struct xtables_target *me)
 {
 	struct xtables_target *old;
 
@@ -913,7 +917,8 @@ void xtables_register_target(struct xtables_target *me)
 	me->tflags = 0;
 }
 
-void xtables_register_targets(struct xtables_target *target, unsigned int n)
+EXPORT_SYMBOL void
+xtables_register_targets(struct xtables_target *target, unsigned int n)
 {
 	do {
 		xtables_register_target(&target[--n]);
@@ -944,7 +949,7 @@ void xtables_register_targets(struct xtables_target *target, unsigned int n)
  *
  * Displays an error message and exits the program.
  */
-void xtables_param_act(unsigned int status, const char *p1, ...)
+EXPORT_SYMBOL void xtables_param_act(unsigned int status, const char *p1, ...)
 {
 	const char *p2, *p3;
 	va_list args;
@@ -992,7 +997,8 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
 	va_end(args);
 }
 
-const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp)
+EXPORT_SYMBOL const char *
+xtables_ipaddr_to_numeric(const struct in_addr *addrp)
 {
 	static char buf[20];
 	const unsigned char *bytep = (const void *)&addrp->s_addr;
@@ -1022,7 +1028,7 @@ static const char *ipaddr_to_network(const struct in_addr *addr)
 	return NULL;
 }
 
-const char *xtables_ipaddr_to_anyname(const struct in_addr *addr)
+EXPORT_SYMBOL const char *xtables_ipaddr_to_anyname(const struct in_addr *addr)
 {
 	const char *name;
 
@@ -1033,7 +1039,7 @@ const char *xtables_ipaddr_to_anyname(const struct in_addr *addr)
 	return xtables_ipaddr_to_numeric(addr);
 }
 
-const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
+EXPORT_SYMBOL const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
 {
 	static char buf[20];
 	uint32_t maskaddr, bits;
@@ -1104,12 +1110,12 @@ static struct in_addr *__numeric_to_ipaddr(const char *dotted, bool is_mask)
 	return &addr;
 }
 
-struct in_addr *xtables_numeric_to_ipaddr(const char *dotted)
+EXPORT_SYMBOL struct in_addr *xtables_numeric_to_ipaddr(const char *dotted)
 {
 	return __numeric_to_ipaddr(dotted, false);
 }
 
-struct in_addr *xtables_numeric_to_ipmask(const char *dotted)
+EXPORT_SYMBOL struct in_addr *xtables_numeric_to_ipmask(const char *dotted)
 {
 	return __numeric_to_ipaddr(dotted, true);
 }
@@ -1197,8 +1203,9 @@ static struct in_addr *parse_ipmask(const char *mask)
 	return &maskaddr;
 }
 
-void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
-                              struct in_addr **maskpp, unsigned int *naddrs)
+EXPORT_SYMBOL void
+xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
+			 struct in_addr **maskpp, unsigned int *naddrs)
 {
 	struct in_addr *addrp;
 	char buf[256], *p;
@@ -1284,8 +1291,9 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
  * 	m{^($hostname|$networkname|$ipaddr)(/$mask)?}
  * "1.2.3.4/5", "1.2.3.4", "hostname", "networkname"
  */
-void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
-                         struct in_addr *maskp, unsigned int *naddrs)
+EXPORT_SYMBOL void
+xtables_ipparse_any(const char *name, struct in_addr **addrpp,
+		    struct in_addr *maskp, unsigned int *naddrs)
 {
 	unsigned int i, j, k, n;
 	struct in_addr *addrp;
@@ -1318,7 +1326,8 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
 	}
 }
 
-const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp)
+EXPORT_SYMBOL const char *
+xtables_ip6addr_to_numeric(const struct in6_addr *addrp)
 {
 	/* 0000:0000:0000:0000:0000:000.000.000.000
 	 * 0000:0000:0000:0000:0000:0000:0000:0000 */
@@ -1351,7 +1360,8 @@ static const char *ip6addr_to_host(const struct in6_addr *addr)
 	return hostname;
 }
 
-const char *xtables_ip6addr_to_anyname(const struct in6_addr *addr)
+EXPORT_SYMBOL const char *
+xtables_ip6addr_to_anyname(const struct in6_addr *addr)
 {
 	const char *name;
 
@@ -1385,7 +1395,8 @@ static int ip6addr_prefix_length(const struct in6_addr *k)
 	return bits;
 }
 
-const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
+EXPORT_SYMBOL const char *
+xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
 {
 	static char buf[50+2];
 	int l = ip6addr_prefix_length(addrp);
@@ -1399,7 +1410,7 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
 	return buf;
 }
 
-struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
+EXPORT_SYMBOL struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
 {
 	static struct in6_addr ap;
 	int err;
@@ -1508,7 +1519,7 @@ static struct in6_addr *parse_ip6mask(char *mask)
 	return &maskaddr;
 }
 
-void
+EXPORT_SYMBOL void
 xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
 		      struct in6_addr **maskpp, unsigned int *naddrs)
 {
@@ -1592,8 +1603,9 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
 			(*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j];
 }
 
-void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp,
-                          struct in6_addr *maskp, unsigned int *naddrs)
+EXPORT_SYMBOL void
+xtables_ip6parse_any(const char *name, struct in6_addr **addrpp,
+		     struct in6_addr *maskp, unsigned int *naddrs)
 {
 	static const struct in6_addr zero_addr;
 	struct in6_addr *addrp;
@@ -1629,7 +1641,7 @@ void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp,
 	}
 }
 
-void xtables_save_string(const char *value)
+EXPORT_SYMBOL void xtables_save_string(const char *value)
 {
 	static const char no_quote_chars[] = "_-0123456789"
 		"abcdefghijklmnopqrstuvwxyz"
@@ -1670,8 +1682,9 @@ void xtables_save_string(const char *value)
  * Check for option-intrapositional negation.
  * Do not use in new code.
  */
-int xtables_check_inverse(const char option[], int *invert,
-			  int *my_optind, int argc, char **argv)
+EXPORT_SYMBOL int
+xtables_check_inverse(const char *option, int *invert, int *my_optind,
+		      int argc, char **argv)
 {
 	if (option == NULL || strcmp(option, "!") != 0)
 		return false;
@@ -1695,7 +1708,7 @@ int xtables_check_inverse(const char option[], int *invert,
 	return true;
 }
 
-const struct xtables_pprot xtables_chain_protos[] = {
+EXPORT_SYMBOL const struct xtables_pprot xtables_chain_protos[] = {
 	{"tcp",       IPPROTO_TCP},
 	{"sctp",      IPPROTO_SCTP},
 	{"udp",       IPPROTO_UDP},
@@ -1711,7 +1724,7 @@ const struct xtables_pprot xtables_chain_protos[] = {
 	{NULL},
 };
 
-uint16_t
+EXPORT_SYMBOL uint16_t
 xtables_parse_protocol(const char *s)
 {
 	unsigned int proto;
-- 
1.7.1

[PATCH 8/8] libxtables: symbol versioning

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am    |    2 +-
 configure.ac   |    2 +-
 libxtables.map |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 libxtables.map

diff --git a/Makefile.am b/Makefile.am
index a560113..4406435 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -28,7 +28,7 @@ libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
 
 lib_LTLIBRARIES      += libxtables.la
 libxtables_la_SOURCES = xtables.c
-libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
+libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage} -Wl,--version-script=${srcdir}/libxtables.map
 libxtables_la_CFLAGS  = ${AM_CFLAGS} ${GCC_FVISIBILITY_HIDDEN}
 if ENABLE_SHARED
 libxtables_la_LIBADD  = -ldl
diff --git a/configure.ac b/configure.ac
index cba1dc5..ec44c3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@
 AC_INIT([iptables], [1.4.10])
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=5
+libxtables_vcurrent=6
 libxtables_vage=0
 
 AC_CONFIG_HEADERS([config.h])
diff --git a/libxtables.map b/libxtables.map
new file mode 100644
index 0000000..54fd64c
--- /dev/null
+++ b/libxtables.map
@@ -0,0 +1,55 @@
+XTABLES_1.4.2 {
+global:
+	xtables_matches;
+	xtables_targets;
+	xtables_register_match;
+	xtables_register_target;
+local:
+	*;
+};
+
+XTABLES_1.4.3 {
+	xt_params;
+	xtables_free_opts;
+	xtables_modprobe_program;
+	xtables_set_params;
+	xtables_init_all;
+	xtables_calloc;
+	xtables_malloc;
+	xtables_load_ko;
+	xtables_strtoui;
+	xtables_service_to_port;
+	xtables_parse_port;
+	xtables_parse_interface;
+	xtables_find_match;
+	xtables_find_target;
+	xtables_param_act;
+	xtables_ipaddr_to_numeric;
+	xtables_ipaddr_to_anyname;
+	xtables_ipmask_to_numeric;
+	xtables_numeric_to_ipaddr;
+	xtables_numeric_to_ipmask;
+	xtables_ipparse_any;
+	xtables_ip6addr_to_numeric;
+	xtables_ip6addr_to_anyname;
+	xtables_ip6mask_to_numeric;
+	xtables_numeric_to_ip6addr;
+	xtables_ip6parse_any;
+	xtables_save_string;
+	xtables_check_inverse;
+	xtables_chain_protos;
+	xtables_parse_protocol;
+} XTABLES_1.4.2;
+
+XTABLES_1.4.5 {
+global:
+	xtables_register_matches;
+	xtables_register_targets;
+	xtables_ipparse_multiple;
+	xtables_ip6parse_multiple;
+} XTABLES_1.4.3;
+
+XTABLES_1.4.11 {
+global:
+	xtables_merge_options;
+} XTABLES_1.4.5;
-- 
1.7.1

Re: [PATCH 7/8] libxtables: symbol visibility

[Patrick McHardy]

On 04.02.2011 14:08, Jan Engelhardt wrote:
> -void xtables_free_opts(int unused)
> +EXPORT_SYMBOL void xtables_free_opts(int unused)

This is pretty ugly in my opinion. Please do something like this:

#define EXPORT_SYMBOL(x)        typeof(x) (x)
__attribute__((visibility("default")))

so you can use EXPORT_SYMBOL as in the kernel.

Re: [PATCH 7/8] libxtables: symbol visibility

[Jan Engelhardt]

On Friday 2011-02-04 14:13, Patrick McHardy wrote:

>On 04.02.2011 14:08, Jan Engelhardt wrote:
>> -void xtables_free_opts(int unused)
>> +EXPORT_SYMBOL void xtables_free_opts(int unused)
>
>This is pretty ugly in my opinion. Please do something like this:
>
>#define EXPORT_SYMBOL(x)        typeof(x) (x)
>__attribute__((visibility("default")))
>
>so you can use EXPORT_SYMBOL as in the kernel.

But that is redundancy nonplusultra. The reason why EXPORT_SYMBOL is a 
separate statement is because it is much more than just a function 
attribute inside the kernel.

Re: [PATCH 7/8] libxtables: symbol visibility

[Patrick McHardy]

On 04.02.2011 14:22, Jan Engelhardt wrote:
> On Friday 2011-02-04 14:13, Patrick McHardy wrote:
> 
>> On 04.02.2011 14:08, Jan Engelhardt wrote:
>>> -void xtables_free_opts(int unused)
>>> +EXPORT_SYMBOL void xtables_free_opts(int unused)
>>
>> This is pretty ugly in my opinion. Please do something like this:
>>
>> #define EXPORT_SYMBOL(x)        typeof(x) (x)
>> __attribute__((visibility("default")))
>>
>> so you can use EXPORT_SYMBOL as in the kernel.
> 
> But that is redundancy nonplusultra.

Who cares? Its a lot nicer to look at and people are used to using
it this way. In fact Pablo just changed libmnl to the same style.

> The reason why EXPORT_SYMBOL is a 
> separate statement is because it is much more than just a function 
> attribute inside the kernel.

That might be one reason.