A small series of iptables userspace cleanups

A small series of iptables userspace cleanups

[Maciej Żenczykowski]

I'm going to follow up on this email with a small series of 17 patches
to userspace iptables code.
These patches have all received extensive testing when applied to 1.4.4.
I've ported the patches and tested that everything compiles cleanly
with current head, but they don't have nearly the same level of
thorough testing.

* The first patch simply allows targets and matches to include
underscores.  Without this the relevant man page sections don't get
included.

* The second is a trivial application of a Redhat/Fedora FD_CLOEXEC patch.

* The third fixes an ipv6 comment thinko/typo.

* The fourth is more complex: it delays match and target
initialization to later on.
For built-in matches/targets we run their init code regardless of what
we're doing.
Unfortunately init code can result in modules being autoloaded as a
result of version probing.
This is undesirable, by splitting registration into two fragments this
is prevented.
The code is just a teeny bit tricky because of some pointer to pointer
link muckery.

* The remaining 13 patches rename functions which are duplicated
between v4 and v6 code to suffix '4' or '6'.
After these renames are applied the following grep correctly results
in nothing being found:
  egrep --exclude-dir=.git -r
'(^|[^_])(init_extensions|for_each_chain|flush_entries|delete_chain|print_rule|do_command)([^46]|$)'
.

This combined with the previous patch will hopefully allow building a
single multi-purpose busybox-style ipv4 and ipv6 capable ip6?tables
binary.
I have this working for iptables 1.4.4, but haven't yet ported all of
the Makefile/etc changes to the current iptables master branch.

With UPX compression a relatively full-featured static multipurpose
single-binary build of 1.4.4 uses 100KB for i386 and 120KB for x86_64.

/sbin/iptables -> /bin/argv0switch
/sbin/iptables32 -> xtables-tiny32
/sbin/iptables64 -> xtables-tiny64
/sbin/iptables-restore -> /bin/argv0switch
/sbin/iptables-restore32 -> xtables-tiny32
/sbin/iptables-restore64 -> xtables-tiny64
/sbin/iptables-save -> /bin/argv0switch
/sbin/iptables-save32 -> xtables-tiny32
/sbin/iptables-save64 -> xtables-tiny64
/sbin/xtables-tiny32 [100796 bytes]
/sbin/xtables-tiny64 [120044 bytes]

(as you can probably guess /bin/argv0switch picks argv0+"32" or
argv[0]+"64" based on machine architecture)

Cheers,
Maciej Żenczykowski
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 01/17] man pages: allow underscores in match and target names

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 extensions/GNUmakefile.in |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 74a058c..b96bd11 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -155,8 +155,8 @@ initext6.c: .initext6.dd
 #
 #	Manual pages
 #
-ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b'))
-ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]]+\b'))
+ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]_]+\b'))
+ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]_]+\b'))
 man_run    = \
 	${AM_VERBOSE_GEN} \
 	for ext in $(1); do \
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 01/17] man pages: allow underscores in match and target names

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> From: Maciej Żenczykowski <maze@google.com>
> 
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 extensions/libipt_realm.c |    2 +-
 ip6tables-restore.c       |    2 +-
 ip6tables-save.c          |    2 +-
 iptables-restore.c        |    2 +-
 iptables-save.c           |    2 +-
 iptables-xml.c            |    2 +-
 xtables.c                 |   11 +++++++++++
 7 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index a250570..17b1754 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -49,7 +49,7 @@ static void load_realms(void)
 	int id;
 	struct realmname *oldnm = NULL, *newnm = NULL;
 
-	fil = fopen(rfnm, "r");
+	fil = fopen(rfnm, "re");
 	if (!fil) {
 		rdberr = 1;
 		return;
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index e9a130f..10c3acf 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -168,7 +168,7 @@ int main(int argc, char *argv[])
 	}
 
 	if (optind == argc - 1) {
-		in = fopen(argv[optind], "r");
+		in = fopen(argv[optind], "re");
 		if (!in) {
 			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
 				strerror(errno));
diff --git a/ip6tables-save.c b/ip6tables-save.c
index dc189e9..c3b8ec0 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -41,7 +41,7 @@ static int for_each_table(int (*func)(const char *tablename))
 	FILE *procfile = NULL;
 	char tablename[IP6T_TABLE_MAXNAMELEN+1];
 
-	procfile = fopen("/proc/net/ip6_tables_names", "r");
+	procfile = fopen("/proc/net/ip6_tables_names", "re");
 	if (!procfile)
 		return ret;
 
diff --git a/iptables-restore.c b/iptables-restore.c
index 31ce52b..c2cc58c 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -174,7 +174,7 @@ main(int argc, char *argv[])
 	}
 
 	if (optind == argc - 1) {
-		in = fopen(argv[optind], "r");
+		in = fopen(argv[optind], "re");
 		if (!in) {
 			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
 				strerror(errno));
diff --git a/iptables-save.c b/iptables-save.c
index 3bcf422..3e3ec43 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -39,7 +39,7 @@ static int for_each_table(int (*func)(const char *tablename))
 	FILE *procfile = NULL;
 	char tablename[IPT_TABLE_MAXNAMELEN+1];
 
-	procfile = fopen("/proc/net/ip_tables_names", "r");
+	procfile = fopen("/proc/net/ip_tables_names", "re");
 	if (!procfile)
 		return ret;
 
diff --git a/iptables-xml.c b/iptables-xml.c
index 8d67056..57c7486 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -651,7 +651,7 @@ main(int argc, char *argv[])
 	}
 
 	if (optind == argc - 1) {
-		in = fopen(argv[optind], "r");
+		in = fopen(argv[optind], "re");
 		if (!in) {
 			fprintf(stderr, "Can't open %s: %s", argv[optind],
 				strerror(errno));
diff --git a/xtables.c b/xtables.c
index 2f00e39..352963f 100644
--- a/xtables.c
+++ b/xtables.c
@@ -300,6 +300,11 @@ static char *get_modprobe(void)
 	procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
 	if (procfile < 0)
 		return NULL;
+	if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
+		fprintf(stderr, "Could not set close on exec: %s\n",
+			strerror(errno));
+		exit(1);
+	}
 
 	ret = malloc(PROCFILE_BUFSIZ);
 	if (ret) {
@@ -697,6 +702,12 @@ static int compatible_revision(const char *name, uint8_t revision, int opt)
 		exit(1);
 	}
 
+	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+		fprintf(stderr, "Could not set close on exec: %s\n",
+			strerror(errno));
+		exit(1);
+	}
+
 	xtables_load_ko(xtables_modprobe_program, true);
 
 	strcpy(rev.name, name);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Jan Engelhardt]

On Friday 2011-04-01 06:27, Maciej Żenczykowski wrote:

>From: Maciej Żenczykowski <maze@google.com>
>
>(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)

Redhat still has not given a reason as to why this is needed.


>@@ -49,7 +49,7 @@ static void load_realms(void)
> 	int id;
> 	struct realmname *oldnm = NULL, *newnm = NULL;
> 
>-	fil = fopen(rfnm, "r");
>+	fil = fopen(rfnm, "re");
> 	if (!fil) {
> 		rdberr = 1;
> 		return;
>diff --git a/ip6tables-restore.c b/ip6tables-restore.c
>index e9a130f..10c3acf 100644
>--- a/ip6tables-restore.c
>+++ b/ip6tables-restore.c
>@@ -168,7 +168,7 @@ int main(int argc, char *argv[])
> 	}
> 
> 	if (optind == argc - 1) {
>-		in = fopen(argv[optind], "r");
>+		in = fopen(argv[optind], "re");
> 		if (!in) {
> 			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
> 				strerror(errno));
>diff --git a/ip6tables-save.c b/ip6tables-save.c
>index dc189e9..c3b8ec0 100644
>--- a/ip6tables-save.c
>+++ b/ip6tables-save.c
>@@ -41,7 +41,7 @@ static int for_each_table(int (*func)(const char *tablename))
> 	FILE *procfile = NULL;
> 	char tablename[IP6T_TABLE_MAXNAMELEN+1];
> 
>-	procfile = fopen("/proc/net/ip6_tables_names", "r");
>+	procfile = fopen("/proc/net/ip6_tables_names", "re");
> 	if (!procfile)
> 		return ret;
> 
>diff --git a/iptables-restore.c b/iptables-restore.c
>index 31ce52b..c2cc58c 100644
>--- a/iptables-restore.c
>+++ b/iptables-restore.c
>@@ -174,7 +174,7 @@ main(int argc, char *argv[])
> 	}
> 
> 	if (optind == argc - 1) {
>-		in = fopen(argv[optind], "r");
>+		in = fopen(argv[optind], "re");
> 		if (!in) {
> 			fprintf(stderr, "Can't open %s: %s\n", argv[optind],
> 				strerror(errno));
>diff --git a/iptables-save.c b/iptables-save.c
>index 3bcf422..3e3ec43 100644
>--- a/iptables-save.c
>+++ b/iptables-save.c
>@@ -39,7 +39,7 @@ static int for_each_table(int (*func)(const char *tablename))
> 	FILE *procfile = NULL;
> 	char tablename[IPT_TABLE_MAXNAMELEN+1];
> 
>-	procfile = fopen("/proc/net/ip_tables_names", "r");
>+	procfile = fopen("/proc/net/ip_tables_names", "re");
> 	if (!procfile)
> 		return ret;
> 
>diff --git a/iptables-xml.c b/iptables-xml.c
>index 8d67056..57c7486 100644
>--- a/iptables-xml.c
>+++ b/iptables-xml.c
>@@ -651,7 +651,7 @@ main(int argc, char *argv[])
> 	}
> 
> 	if (optind == argc - 1) {
>-		in = fopen(argv[optind], "r");
>+		in = fopen(argv[optind], "re");
> 		if (!in) {
> 			fprintf(stderr, "Can't open %s: %s", argv[optind],
> 				strerror(errno));
>diff --git a/xtables.c b/xtables.c
>index 2f00e39..352963f 100644
>--- a/xtables.c
>+++ b/xtables.c
>@@ -300,6 +300,11 @@ static char *get_modprobe(void)
> 	procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
> 	if (procfile < 0)
> 		return NULL;
>+	if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
>+		fprintf(stderr, "Could not set close on exec: %s\n",
>+			strerror(errno));
>+		exit(1);
>+	}
> 
> 	ret = malloc(PROCFILE_BUFSIZ);
> 	if (ret) {
>@@ -697,6 +702,12 @@ static int compatible_revision(const char *name, uint8_t revision, int opt)
> 		exit(1);
> 	}
> 
>+	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
>+		fprintf(stderr, "Could not set close on exec: %s\n",
>+			strerror(errno));
>+		exit(1);
>+	}
>+
> 	xtables_load_ko(xtables_modprobe_program, true);
> 
> 	strcpy(rev.name, name);
>-- 
>1.7.3.1
>
>--
>To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Maciej Żenczykowski]

> Redhat still has not given a reason as to why this is needed.

I believe:
  a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX)
API bug (which of course can't be fixed...)
  b) not setting CLOEXEC on every fd is an application bug (with the
exception of the specific few fd's you actually want inherited)
  c) iptables does occasionally fork/exec (to load modules), for
example "/sbin/modprobe ip6_tables -q", but also for match/target
revision compatibility checking, and when it does this it can call
modprobe with additional opened descriptors (for example sockfd inside
of compatible_revision isn't closed before fork/exec modprobe) - this
is unclean, and could potentially cause security warnings (or even
issues?) since iptables and modprobe have different contexts.

[fc14]# ls -alZ `which iptables`
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables
-> iptables-multi
[fc14]# ls -alZ /sbin/iptables-multi
-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi
[fc14]#  ls -alZ `which modprobe`
-rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe

I'm not going to claim I fully understand the security implications of
leaving the file descriptor open across exec, but there is clearly no
reason to do so, hence the patch.

Re: [PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Patrick McHardy]

On 01.04.2011 23:34, Maciej Żenczykowski wrote:
>> Redhat still has not given a reason as to why this is needed.
> 
> I believe:
>   a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX)
> API bug (which of course can't be fixed...)
>   b) not setting CLOEXEC on every fd is an application bug (with the
> exception of the specific few fd's you actually want inherited)
>   c) iptables does occasionally fork/exec (to load modules), for
> example "/sbin/modprobe ip6_tables -q", but also for match/target
> revision compatibility checking, and when it does this it can call
> modprobe with additional opened descriptors (for example sockfd inside
> of compatible_revision isn't closed before fork/exec modprobe) - this
> is unclean, and could potentially cause security warnings (or even
> issues?) since iptables and modprobe have different contexts.
> 
> [fc14]# ls -alZ `which iptables`
> lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables
> -> iptables-multi
> [fc14]# ls -alZ /sbin/iptables-multi
> -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi
> [fc14]#  ls -alZ `which modprobe`
> -rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe
> 
> I'm not going to claim I fully understand the security implications of
> leaving the file descriptor open across exec, but there is clearly no
> reason to do so, hence the patch.

This seems reasonable to me. Jan, any further objections?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Jan Engelhardt]

On Monday 2011-04-04 14:58, Patrick McHardy wrote:

>On 01.04.2011 23:34, Maciej Żenczykowski wrote:
>>> Redhat still has not given a reason as to why this is needed.
>> 
>> I believe:
>>   a) the fact CLOEXEC isn't the default on new fd's is a (UNIX/POSIX)
>> API bug (which of course can't be fixed...)
>>   b) not setting CLOEXEC on every fd is an application bug (with the
>> exception of the specific few fd's you actually want inherited)
>>   c) iptables does occasionally fork/exec (to load modules), for
>> example "/sbin/modprobe ip6_tables -q", but also for match/target
>> revision compatibility checking, and when it does this it can call
>> modprobe with additional opened descriptors (for example sockfd inside
>> of compatible_revision isn't closed before fork/exec modprobe) - this
>> is unclean, and could potentially cause security warnings (or even
>> issues?) since iptables and modprobe have different contexts.
>> 
>> [fc14]# ls -alZ `which iptables`
>> lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables
>> -> iptables-multi
>> [fc14]# ls -alZ /sbin/iptables-multi
>> -rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi
>> [fc14]#  ls -alZ `which modprobe`
>> -rwxr-xr-x. root root system_u:object_r:insmod_exec_t:s0 /sbin/modprobe
>> 
>> I'm not going to claim I fully understand the security implications of
>> leaving the file descriptor open across exec, but there is clearly no
>> reason to do so, hence the patch.
>
>This seems reasonable to me. Jan, any further objections?
>
No objections, they may be merged all.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 02/17] mark newly opened fds as FD_CLOEXEC (close on exec)

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> (This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 03/17] xtables_ip6addr_to_numeric: fix typo in comment

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

An IPv6 address consists of eight hexadecimal 16-bit values seperated
by colons, or alternatively, six (not five) of these followed by a colon
and an IPv4 address in standard dotted decimal quad notation
(for IPv4 mapped addresses and the like).

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 xtables.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xtables.c b/xtables.c
index 352963f..7d36742 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1336,7 +1336,7 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
 
 const char *xtables_ip6addr_to_numeric(const struct in6_addr *addrp)
 {
-	/* 0000:0000:0000:0000:0000:000.000.000.000
+	/* 0000:0000:0000:0000:0000:0000:000.000.000.000
 	 * 0000:0000:0000:0000:0000:0000:0000:0000 */
 	static char buf[50+1];
 	return inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 03/17] xtables_ip6addr_to_numeric: fix typo in comment

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> An IPv6 address consists of eight hexadecimal 16-bit values seperated
> by colons, or alternatively, six (not five) of these followed by a colon
> and an IPv4 address in standard dotted decimal quad notation
> (for IPv4 mapped addresses and the like).
> 

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 04/17] Delay (statically built) match/target initialization

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Matches and targets built into the iptables static binary will always
be registered as the binary starts up, this may potentially (as a result
of kernel version support checking) result in modules being autoloaded.

This is undesirable (for example it may cause CONNMARK target to load
and thus cause the kernel to load the conntrack module, which isn't a no-op).

Transition to a system where matches and targets are registered into
a pending list, from whence they get fully registered only when required.

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 xtables.c |   58 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/xtables.c b/xtables.c
index 7d36742..4c708b8 100644
--- a/xtables.c
+++ b/xtables.c
@@ -174,10 +174,18 @@ static const char *xtables_libdir;
 /* the path to command to load kernel module */
 const char *xtables_modprobe_program;
 
-/* Keeping track of external matches and targets: linked lists.  */
+/* Keep track of matches/targets pending full registration: linked lists. */
+struct xtables_match *xtables_pending_matches;
+struct xtables_target *xtables_pending_targets;
+
+/* Keep track of fully registered external matches/targets: linked lists. */
 struct xtables_match *xtables_matches;
 struct xtables_target *xtables_targets;
 
+/* Fully register a match/target which was previously partially registered. */
+static void xtables_fully_register_pending_match(struct xtables_match *me);
+static void xtables_fully_register_pending_target(struct xtables_target *me);
+
 void xtables_init(void)
 {
 	xtables_libdir = getenv("XTABLES_LIBDIR");
@@ -556,6 +564,7 @@ struct xtables_match *
 xtables_find_match(const char *name, enum xtables_tryload tryload,
 		   struct xtables_rule_match **matches)
 {
+	struct xtables_match **dptr;
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
 
@@ -571,6 +580,18 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 	     (strcmp(name,"icmp6") == 0) )
 		name = icmp6;
 
+	/* Trigger delayed initialization */
+	for (dptr = &xtables_pending_matches; *dptr; ) {
+		if (strcmp(name, (*dptr)->name) == 0) {
+			ptr = *dptr;
+			*dptr = (*dptr)->next;
+			ptr->next = NULL;
+			xtables_fully_register_pending_match(ptr);
+		} else {
+			dptr = &((*dptr)->next);
+		}
+	}
+
 	for (ptr = xtables_matches; ptr; ptr = ptr->next) {
 		if (strcmp(name, ptr->name) == 0) {
 			struct xtables_match *clone;
@@ -636,6 +657,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 struct xtables_target *
 xtables_find_target(const char *name, enum xtables_tryload tryload)
 {
+	struct xtables_target **dptr;
 	struct xtables_target *ptr;
 
 	/* Standard target? */
@@ -646,6 +668,18 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 	    || strcmp(name, XTC_LABEL_RETURN) == 0)
 		name = "standard";
 
+	/* Trigger delayed initialization */
+	for (dptr = &xtables_pending_targets; *dptr; ) {
+		if (strcmp(name, (*dptr)->name) == 0) {
+			ptr = *dptr;
+			*dptr = (*dptr)->next;
+			ptr->next = NULL;
+			xtables_fully_register_pending_target(ptr);
+		} else {
+			dptr = &((*dptr)->next);
+		}
+	}
+
 	for (ptr = xtables_targets; ptr; ptr = ptr->next) {
 		if (strcmp(name, ptr->name) == 0)
 			break;
@@ -757,8 +791,6 @@ static void xtables_check_options(const char *name, const struct option *opt)
 
 void xtables_register_match(struct xtables_match *me)
 {
-	struct xtables_match **i, *old;
-
 	if (me->version == NULL) {
 		fprintf(stderr, "%s: match %s<%u> is missing a version\n",
 		        xt_params->program_name, me->name, me->revision);
@@ -792,6 +824,15 @@ void xtables_register_match(struct xtables_match *me)
 	if (me->family != afinfo->family && me->family != AF_UNSPEC)
 		return;
 
+	/* place on linked list of matches pending full registration */
+	me->next = xtables_pending_matches;
+	xtables_pending_matches = me;
+}
+
+static void xtables_fully_register_pending_match(struct xtables_match *me)
+{
+	struct xtables_match **i, *old;
+
 	old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL);
 	if (old) {
 		if (old->revision == me->revision &&
@@ -845,8 +886,6 @@ void xtables_register_matches(struct xtables_match *match, unsigned int n)
 
 void xtables_register_target(struct xtables_target *me)
 {
-	struct xtables_target *old;
-
 	if (me->version == NULL) {
 		fprintf(stderr, "%s: target %s<%u> is missing a version\n",
 		        xt_params->program_name, me->name, me->revision);
@@ -880,6 +919,15 @@ void xtables_register_target(struct xtables_target *me)
 	if (me->family != afinfo->family && me->family != AF_UNSPEC)
 		return;
 
+	/* place on linked list of targets pending full registration */
+	me->next = xtables_pending_targets;
+	xtables_pending_targets = me;
+}
+
+static void xtables_fully_register_pending_target(struct xtables_target *me)
+{
+	struct xtables_target *old;
+
 	old = xtables_find_target(me->name, XTF_DURING_LOAD);
 	if (old) {
 		struct xtables_target **i;
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 04/17] Delay (statically built) match/target initialization

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Matches and targets built into the iptables static binary will always
> be registered as the binary starts up, this may potentially (as a result
> of kernel version support checking) result in modules being autoloaded.
> 
> This is undesirable (for example it may cause CONNMARK target to load
> and thus cause the kernel to load the conntrack module, which isn't a no-op).
> 
> Transition to a system where matches and targets are registered into
> a pending list, from whence they get fully registered only when required.
> 

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 05/17] v4: rename init_extensions() to init_extensions4()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 extensions/GNUmakefile.in |    4 ++--
 include/xtables.h.in      |    1 +
 iptables-restore.c        |    2 +-
 iptables-save.c           |    2 +-
 iptables-standalone.c     |    2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index b96bd11..84688d3 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -127,8 +127,8 @@ initext4.c: .initext4.dd
 	for i in ${initext_func}; do \
 		echo "extern void lib$${i}_init(void);" >>$@; \
 	done; \
-	echo "void init_extensions(void);" >>$@; \
-	echo "void init_extensions(void)" >>$@; \
+	echo "void init_extensions4(void);" >>$@; \
+	echo "void init_extensions4(void)" >>$@; \
 	echo "{" >>$@; \
 	for i in ${initext_func}; do \
 		echo  " ""lib$${i}_init();" >>$@; \
diff --git a/include/xtables.h.in b/include/xtables.h.in
index c3d34af..6abb279 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -285,6 +285,7 @@ extern void xtables_save_string(const char *value);
 #		define _init _INIT
 #	endif
 	extern void init_extensions(void);
+	extern void init_extensions4(void);
 #else
 #	define _init __attribute__((constructor)) _INIT
 #endif
diff --git a/iptables-restore.c b/iptables-restore.c
index c2cc58c..34a8156 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -140,7 +140,7 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
+	init_extensions4();
 #endif
 
 	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
diff --git a/iptables-save.c b/iptables-save.c
index 3e3ec43..a0aa5d8 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -149,7 +149,7 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
+	init_extensions4();
 #endif
 
 	while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 1f60e31..38dd2c2 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -59,7 +59,7 @@ main(int argc, char *argv[])
 				exit(1);
 	}
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
+	init_extensions4();
 #endif
 
 	ret = do_command(argc, argv, &table, &handle);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 05/17] v4: rename init_extensions() to init_extensions4()

[Jan Engelhardt]

On Friday 2011-04-01 06:27, Maciej Żenczykowski wrote:
>diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
>index b96bd11..84688d3 100644
>--- a/extensions/GNUmakefile.in
>+++ b/extensions/GNUmakefile.in
>@@ -127,8 +127,8 @@ initext4.c: .initext4.dd
> 	for i in ${initext_func}; do \
> 		echo "extern void lib$${i}_init(void);" >>$@; \
> 	done; \
>-	echo "void init_extensions(void);" >>$@; \
>-	echo "void init_extensions(void)" >>$@; \
>+	echo "void init_extensions4(void);" >>$@; \
>+	echo "void init_extensions4(void)" >>$@; \
> 	echo "{" >>$@; \
> 	for i in ${initext_func}; do \
> 		echo  " ""lib$${i}_init();" >>$@; \

And the reason for these renames is...?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 05/17] v4: rename init_extensions() to init_extensions4()

[Maciej Żenczykowski]

To be able to combine iptables-multi and ip6tables-multi into one
binary (ie. to avoid duplicate symbol definition problems at link
time).

2011/4/1 Jan Engelhardt <jengelh@medozas.de>:
> On Friday 2011-04-01 06:27, Maciej Żenczykowski wrote:
>>diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
>>index b96bd11..84688d3 100644
>>--- a/extensions/GNUmakefile.in
>>+++ b/extensions/GNUmakefile.in
>>@@ -127,8 +127,8 @@ initext4.c: .initext4.dd
>>       for i in ${initext_func}; do \
>>               echo "extern void lib$${i}_init(void);" >>$@; \
>>       done; \
>>-      echo "void init_extensions(void);" >>$@; \
>>-      echo "void init_extensions(void)" >>$@; \
>>+      echo "void init_extensions4(void);" >>$@; \
>>+      echo "void init_extensions4(void)" >>$@; \
>>       echo "{" >>$@; \
>>       for i in ${initext_func}; do \
>>               echo  " ""lib$${i}_init();" >>$@; \
>
> And the reason for these renames is...?
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 05/17] v4: rename init_extensions() to init_extensions4()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 06/17] v6: rename init_extensions() to init_extensions6()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 extensions/GNUmakefile.in |    4 ++--
 include/xtables.h.in      |    1 +
 ip6tables-restore.c       |    2 +-
 ip6tables-save.c          |    2 +-
 ip6tables-standalone.c    |    2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 84688d3..1419d76 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -143,8 +143,8 @@ initext6.c: .initext6.dd
 	for i in ${initext6_func}; do \
 		echo "extern void lib$${i}_init(void);" >>$@; \
 	done; \
-	echo "void init_extensions(void);" >>$@; \
-	echo "void init_extensions(void)" >>$@; \
+	echo "void init_extensions6(void);" >>$@; \
+	echo "void init_extensions6(void)" >>$@; \
 	echo "{" >>$@; \
 	for i in ${initext6_func}; do \
 		echo " ""lib$${i}_init();" >>$@; \
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 6abb279..bb0a40c 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -286,6 +286,7 @@ extern void xtables_save_string(const char *value);
 #	endif
 	extern void init_extensions(void);
 	extern void init_extensions4(void);
+	extern void init_extensions6(void);
 #else
 #	define _init __attribute__((constructor)) _INIT
 #endif
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 10c3acf..48ff98c 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -137,7 +137,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
+	init_extensions6();
 #endif
 
 	while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c3b8ec0..1a5e3c8 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -149,7 +149,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
+	init_extensions6();
 #endif
 
 	while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 8661bd9..7d34684 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -59,7 +59,7 @@ main(int argc, char *argv[])
 	}
 
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
+	init_extensions6();
 #endif
 
 	ret = do_command6(argc, argv, &table, &handle);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 06/17] v6: rename init_extensions() to init_extensions6()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 07/17] xtables.h: init_extensions() no longer exists.

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/xtables.h.in |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/include/xtables.h.in b/include/xtables.h.in
index bb0a40c..c71839e 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -284,7 +284,6 @@ extern void xtables_save_string(const char *value);
 #		undef _init
 #		define _init _INIT
 #	endif
-	extern void init_extensions(void);
 	extern void init_extensions4(void);
 	extern void init_extensions6(void);
 #else
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 07/17] xtables.h: init_extensions() no longer exists.

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 08/17] v4: rename for_each_chain() to for_each_chain4()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/iptables.h |    2 +-
 iptables-restore.c |    4 ++--
 iptables.c         |    8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/iptables.h b/include/iptables.h
index 84211c3..76cc8d6 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -13,7 +13,7 @@ extern int delete_chain(const ipt_chainlabel chain, int verbose,
 			struct iptc_handle *handle);
 extern int flush_entries(const ipt_chainlabel chain, int verbose, 
 			struct iptc_handle *handle);
-extern int for_each_chain(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
+extern int for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
 		int verbose, int builtinstoo, struct iptc_handle *handle);
 extern void print_rule(const struct ipt_entry *e,
 		struct iptc_handle *handle, const char *chain, int counters);
diff --git a/iptables-restore.c b/iptables-restore.c
index 34a8156..d3b7124 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -233,12 +233,12 @@ main(int argc, char *argv[])
 			if (noflush == 0) {
 				DEBUGP("Cleaning all chains of table '%s'\n",
 					table);
-				for_each_chain(flush_entries, verbose, 1,
+				for_each_chain4(flush_entries, verbose, 1,
 						handle);
 
 				DEBUGP("Deleting all user-defined chains "
 				       "of table '%s'\n", table);
-				for_each_chain(delete_chain, verbose, 0,
+				for_each_chain4(delete_chain, verbose, 0,
 						handle);
 			}
 
diff --git a/iptables.c b/iptables.c
index cff4a7b..b7cedd2 100644
--- a/iptables.c
+++ b/iptables.c
@@ -862,7 +862,7 @@ check_entry(const ipt_chainlabel chain, struct ipt_entry *fw,
 }
 
 int
-for_each_chain(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
+for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
 	       int verbose, int builtinstoo, struct iptc_handle *handle)
 {
         int ret = 1;
@@ -902,7 +902,7 @@ flush_entries(const ipt_chainlabel chain, int verbose,
 	      struct iptc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain(flush_entries, verbose, 1, handle);
+		return for_each_chain4(flush_entries, verbose, 1, handle);
 
 	if (verbose)
 		fprintf(stdout, "Flushing chain `%s'\n", chain);
@@ -914,7 +914,7 @@ zero_entries(const ipt_chainlabel chain, int verbose,
 	     struct iptc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain(zero_entries, verbose, 1, handle);
+		return for_each_chain4(zero_entries, verbose, 1, handle);
 
 	if (verbose)
 		fprintf(stdout, "Zeroing chain `%s'\n", chain);
@@ -926,7 +926,7 @@ delete_chain(const ipt_chainlabel chain, int verbose,
 	     struct iptc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain(delete_chain, verbose, 0, handle);
+		return for_each_chain4(delete_chain, verbose, 0, handle);
 
 	if (verbose)
 		fprintf(stdout, "Deleting chain `%s'\n", chain);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 08/17] v4: rename for_each_chain() to for_each_chain4()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 09/17] v6: rename for_each_chain() to for_each_chain6()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/ip6tables.h |    2 +-
 ip6tables-restore.c |    4 ++--
 ip6tables.c         |    8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/ip6tables.h b/include/ip6tables.h
index ca0f9a0..e9a0f4e 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -10,7 +10,7 @@
 extern int do_command6(int argc, char *argv[], char **table,
 		       struct ip6tc_handle **handle);
 
-extern int for_each_chain(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle);
+extern int for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle);
 extern int flush_entries(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
 extern int delete_chain(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
 void print_rule(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters);
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 48ff98c..a4e3707 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -226,12 +226,12 @@ int main(int argc, char *argv[])
 			if (noflush == 0) {
 				DEBUGP("Cleaning all chains of table '%s'\n",
 					table);
-				for_each_chain(flush_entries, verbose, 1,
+				for_each_chain6(flush_entries, verbose, 1,
 						handle);
 
 				DEBUGP("Deleting all user-defined chains "
 				       "of table '%s'\n", table);
-				for_each_chain(delete_chain, verbose, 0,
+				for_each_chain6(delete_chain, verbose, 0,
 						handle);
 			}
 
diff --git a/ip6tables.c b/ip6tables.c
index 96a0fdc..6774586 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -859,7 +859,7 @@ check_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw,
 }
 
 int
-for_each_chain(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *),
+for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *),
 	       int verbose, int builtinstoo, struct ip6tc_handle *handle)
 {
 	int ret = 1;
@@ -899,7 +899,7 @@ flush_entries(const ip6t_chainlabel chain, int verbose,
 	      struct ip6tc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain(flush_entries, verbose, 1, handle);
+		return for_each_chain6(flush_entries, verbose, 1, handle);
 
 	if (verbose)
 		fprintf(stdout, "Flushing chain `%s'\n", chain);
@@ -911,7 +911,7 @@ zero_entries(const ip6t_chainlabel chain, int verbose,
 	     struct ip6tc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain(zero_entries, verbose, 1, handle);
+		return for_each_chain6(zero_entries, verbose, 1, handle);
 
 	if (verbose)
 		fprintf(stdout, "Zeroing chain `%s'\n", chain);
@@ -923,7 +923,7 @@ delete_chain(const ip6t_chainlabel chain, int verbose,
 	     struct ip6tc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain(delete_chain, verbose, 0, handle);
+		return for_each_chain6(delete_chain, verbose, 0, handle);
 
 	if (verbose)
 		fprintf(stdout, "Deleting chain `%s'\n", chain);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 09/17] v6: rename for_each_chain() to for_each_chain6()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 10/17] v4: rename flush_entries() to flush_entries4()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/iptables.h |    2 +-
 iptables-restore.c |    2 +-
 iptables.c         |    6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/iptables.h b/include/iptables.h
index 76cc8d6..a2ed9d6 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -11,7 +11,7 @@ extern int do_command(int argc, char *argv[], char **table,
 		      struct iptc_handle **handle);
 extern int delete_chain(const ipt_chainlabel chain, int verbose,
 			struct iptc_handle *handle);
-extern int flush_entries(const ipt_chainlabel chain, int verbose, 
+extern int flush_entries4(const ipt_chainlabel chain, int verbose, 
 			struct iptc_handle *handle);
 extern int for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
 		int verbose, int builtinstoo, struct iptc_handle *handle);
diff --git a/iptables-restore.c b/iptables-restore.c
index d3b7124..1bdce8a 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -233,7 +233,7 @@ main(int argc, char *argv[])
 			if (noflush == 0) {
 				DEBUGP("Cleaning all chains of table '%s'\n",
 					table);
-				for_each_chain4(flush_entries, verbose, 1,
+				for_each_chain4(flush_entries4, verbose, 1,
 						handle);
 
 				DEBUGP("Deleting all user-defined chains "
diff --git a/iptables.c b/iptables.c
index b7cedd2..3987b67 100644
--- a/iptables.c
+++ b/iptables.c
@@ -898,11 +898,11 @@ for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
 }
 
 int
-flush_entries(const ipt_chainlabel chain, int verbose,
+flush_entries4(const ipt_chainlabel chain, int verbose,
 	      struct iptc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain4(flush_entries, verbose, 1, handle);
+		return for_each_chain4(flush_entries4, verbose, 1, handle);
 
 	if (verbose)
 		fprintf(stdout, "Flushing chain `%s'\n", chain);
@@ -1975,7 +1975,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 				   *handle);
 		break;
 	case CMD_FLUSH:
-		ret = flush_entries(chain, cs.options&OPT_VERBOSE, *handle);
+		ret = flush_entries4(chain, cs.options&OPT_VERBOSE, *handle);
 		break;
 	case CMD_ZERO:
 		ret = zero_entries(chain, cs.options&OPT_VERBOSE, *handle);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 10/17] v4: rename flush_entries() to flush_entries4()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 11/17] v6: rename flush_entries() to flush_entries6()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/ip6tables.h |    2 +-
 ip6tables-restore.c |    2 +-
 ip6tables.c         |    6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/ip6tables.h b/include/ip6tables.h
index e9a0f4e..672faed 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -11,7 +11,7 @@ extern int do_command6(int argc, char *argv[], char **table,
 		       struct ip6tc_handle **handle);
 
 extern int for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle);
-extern int flush_entries(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
+extern int flush_entries6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
 extern int delete_chain(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
 void print_rule(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters);
 
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index a4e3707..3b50a54 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -226,7 +226,7 @@ int main(int argc, char *argv[])
 			if (noflush == 0) {
 				DEBUGP("Cleaning all chains of table '%s'\n",
 					table);
-				for_each_chain6(flush_entries, verbose, 1,
+				for_each_chain6(flush_entries6, verbose, 1,
 						handle);
 
 				DEBUGP("Deleting all user-defined chains "
diff --git a/ip6tables.c b/ip6tables.c
index 6774586..abcf0ca 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -895,11 +895,11 @@ for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *),
 }
 
 int
-flush_entries(const ip6t_chainlabel chain, int verbose,
+flush_entries6(const ip6t_chainlabel chain, int verbose,
 	      struct ip6tc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain6(flush_entries, verbose, 1, handle);
+		return for_each_chain6(flush_entries6, verbose, 1, handle);
 
 	if (verbose)
 		fprintf(stdout, "Flushing chain `%s'\n", chain);
@@ -1937,7 +1937,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 				   *handle);
 		break;
 	case CMD_FLUSH:
-		ret = flush_entries(chain, cs.options&OPT_VERBOSE, *handle);
+		ret = flush_entries6(chain, cs.options&OPT_VERBOSE, *handle);
 		break;
 	case CMD_ZERO:
 		ret = zero_entries(chain, cs.options&OPT_VERBOSE, *handle);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 11/17] v6: rename flush_entries() to flush_entries6()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 12/17] v4: rename delete_chain() to delete_chain4()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/iptables.h |    2 +-
 iptables-restore.c |    2 +-
 iptables.c         |    6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/iptables.h b/include/iptables.h
index a2ed9d6..4e9ae19 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -9,7 +9,7 @@
 /* Your shared library should call one of these. */
 extern int do_command(int argc, char *argv[], char **table,
 		      struct iptc_handle **handle);
-extern int delete_chain(const ipt_chainlabel chain, int verbose,
+extern int delete_chain4(const ipt_chainlabel chain, int verbose,
 			struct iptc_handle *handle);
 extern int flush_entries4(const ipt_chainlabel chain, int verbose, 
 			struct iptc_handle *handle);
diff --git a/iptables-restore.c b/iptables-restore.c
index 1bdce8a..6163a92 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -238,7 +238,7 @@ main(int argc, char *argv[])
 
 				DEBUGP("Deleting all user-defined chains "
 				       "of table '%s'\n", table);
-				for_each_chain4(delete_chain, verbose, 0,
+				for_each_chain4(delete_chain4, verbose, 0,
 						handle);
 			}
 
diff --git a/iptables.c b/iptables.c
index 3987b67..5af832e 100644
--- a/iptables.c
+++ b/iptables.c
@@ -922,11 +922,11 @@ zero_entries(const ipt_chainlabel chain, int verbose,
 }
 
 int
-delete_chain(const ipt_chainlabel chain, int verbose,
+delete_chain4(const ipt_chainlabel chain, int verbose,
 	     struct iptc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain4(delete_chain, verbose, 0, handle);
+		return for_each_chain4(delete_chain4, verbose, 0, handle);
 
 	if (verbose)
 		fprintf(stdout, "Deleting chain `%s'\n", chain);
@@ -2016,7 +2016,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 		ret = iptc_create_chain(chain, *handle);
 		break;
 	case CMD_DELETE_CHAIN:
-		ret = delete_chain(chain, cs.options&OPT_VERBOSE, *handle);
+		ret = delete_chain4(chain, cs.options&OPT_VERBOSE, *handle);
 		break;
 	case CMD_RENAME_CHAIN:
 		ret = iptc_rename_chain(chain, newname,	*handle);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 12/17] v4: rename delete_chain() to delete_chain4()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 13/17] v6: rename delete_chain() to delete_chain6()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/ip6tables.h |    2 +-
 ip6tables-restore.c |    2 +-
 ip6tables.c         |    6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/ip6tables.h b/include/ip6tables.h
index 672faed..48633b7 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -12,7 +12,7 @@ extern int do_command6(int argc, char *argv[], char **table,
 
 extern int for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle);
 extern int flush_entries6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
-extern int delete_chain(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
+extern int delete_chain6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
 void print_rule(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters);
 
 extern struct xtables_globals ip6tables_globals;
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 3b50a54..5531d6e 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -231,7 +231,7 @@ int main(int argc, char *argv[])
 
 				DEBUGP("Deleting all user-defined chains "
 				       "of table '%s'\n", table);
-				for_each_chain6(delete_chain, verbose, 0,
+				for_each_chain6(delete_chain6, verbose, 0,
 						handle);
 			}
 
diff --git a/ip6tables.c b/ip6tables.c
index abcf0ca..a8ea551 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -919,11 +919,11 @@ zero_entries(const ip6t_chainlabel chain, int verbose,
 }
 
 int
-delete_chain(const ip6t_chainlabel chain, int verbose,
+delete_chain6(const ip6t_chainlabel chain, int verbose,
 	     struct ip6tc_handle *handle)
 {
 	if (!chain)
-		return for_each_chain6(delete_chain, verbose, 0, handle);
+		return for_each_chain6(delete_chain6, verbose, 0, handle);
 
 	if (verbose)
 		fprintf(stdout, "Deleting chain `%s'\n", chain);
@@ -1978,7 +1978,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 		ret = ip6tc_create_chain(chain, *handle);
 		break;
 	case CMD_DELETE_CHAIN:
-		ret = delete_chain(chain, cs.options&OPT_VERBOSE, *handle);
+		ret = delete_chain6(chain, cs.options&OPT_VERBOSE, *handle);
 		break;
 	case CMD_RENAME_CHAIN:
 		ret = ip6tc_rename_chain(chain, newname,	*handle);
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 13/17] v6: rename delete_chain() to delete_chain6()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 14/17] v4: rename print_rule() to print_rule4()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/iptables.h |    2 +-
 iptables-save.c    |    2 +-
 iptables.c         |    4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/iptables.h b/include/iptables.h
index 4e9ae19..204c92e 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -15,7 +15,7 @@ extern int flush_entries4(const ipt_chainlabel chain, int verbose,
 			struct iptc_handle *handle);
 extern int for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
 		int verbose, int builtinstoo, struct iptc_handle *handle);
-extern void print_rule(const struct ipt_entry *e,
+extern void print_rule4(const struct ipt_entry *e,
 		struct iptc_handle *handle, const char *chain, int counters);
 
 /* kernel revision handling */
diff --git a/iptables-save.c b/iptables-save.c
index a0aa5d8..dee1752 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -107,7 +107,7 @@ static int do_output(const char *tablename)
 			/* Dump out rules */
 			e = iptc_first_rule(chain, h);
 			while(e) {
-				print_rule(e, h, chain, show_counters);
+				print_rule4(e, h, chain, show_counters);
 				e = iptc_next_rule(e, h);
 			}
 		}
diff --git a/iptables.c b/iptables.c
index 5af832e..b7c9498 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1101,7 +1101,7 @@ static void print_ip(const char *prefix, uint32_t ip,
 
 /* We want this to be readable, so only print out neccessary fields.
  * Because that's the kind of world I want to live in.  */
-void print_rule(const struct ipt_entry *e,
+void print_rule4(const struct ipt_entry *e,
 		struct iptc_handle *h, const char *chain, int counters)
 {
 	const struct ipt_entry_target *t;
@@ -1224,7 +1224,7 @@ list_rules(const ipt_chainlabel chain, int rulenum, int counters,
 		while(e) {
 			num++;
 			if (!rulenum || num == rulenum)
-			    print_rule(e, handle, this, counters);
+			    print_rule4(e, handle, this, counters);
 			e = iptc_next_rule(e, handle);
 		}
 		found = 1;
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 14/17] v4: rename print_rule() to print_rule4()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 15/17] v6: rename print_rule() to print_rule6()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/ip6tables.h |    2 +-
 ip6tables-save.c    |    2 +-
 ip6tables.c         |    4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/ip6tables.h b/include/ip6tables.h
index 48633b7..e976361 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -13,7 +13,7 @@ extern int do_command6(int argc, char *argv[], char **table,
 extern int for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle);
 extern int flush_entries6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
 extern int delete_chain6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
-void print_rule(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters);
+void print_rule6(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters);
 
 extern struct xtables_globals ip6tables_globals;
 
diff --git a/ip6tables-save.c b/ip6tables-save.c
index 1a5e3c8..d9ecc62 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -109,7 +109,7 @@ static int do_output(const char *tablename)
 			/* Dump out rules */
 			e = ip6tc_first_rule(chain, h);
 			while(e) {
-				print_rule(e, h, chain, show_counters);
+				print_rule6(e, h, chain, show_counters);
 				e = ip6tc_next_rule(e, h);
 			}
 		}
diff --git a/ip6tables.c b/ip6tables.c
index a8ea551..83d8aed 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1083,7 +1083,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
 
 /* We want this to be readable, so only print out neccessary fields.
  * Because that's the kind of world I want to live in.  */
-void print_rule(const struct ip6t_entry *e,
+void print_rule6(const struct ip6t_entry *e,
 		       struct ip6tc_handle *h, const char *chain, int counters)
 {
 	const struct ip6t_entry_target *t;
@@ -1215,7 +1215,7 @@ list_rules(const ip6t_chainlabel chain, int rulenum, int counters,
 		while(e) {
 			num++;
 			if (!rulenum || num == rulenum)
-			    print_rule(e, handle, this, counters);
+			    print_rule6(e, handle, this, counters);
 			e = ip6tc_next_rule(e, handle);
 		}
 		found = 1;
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 15/17] v6: rename print_rule() to print_rule6()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 16/17] v4: rename do_command() to do_command4()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 include/iptables.h    |    2 +-
 iptables-restore.c    |    4 ++--
 iptables-standalone.c |    2 +-
 iptables-xml.c        |    2 +-
 iptables.c            |    6 +++---
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/iptables.h b/include/iptables.h
index 204c92e..65b3290 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -7,7 +7,7 @@
 #include <iptables/internal.h>
 
 /* Your shared library should call one of these. */
-extern int do_command(int argc, char *argv[], char **table,
+extern int do_command4(int argc, char *argv[], char **table,
 		      struct iptc_handle **handle);
 extern int delete_chain4(const ipt_chainlabel chain, int verbose,
 			struct iptc_handle *handle);
diff --git a/iptables-restore.c b/iptables-restore.c
index 6163a92..e4f0604 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -438,13 +438,13 @@ main(int argc, char *argv[])
 				}
 			}
 
-			DEBUGP("calling do_command(%u, argv, &%s, handle):\n",
+			DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
 				newargc, curtable);
 
 			for (a = 0; a < newargc; a++)
 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 
-			ret = do_command(newargc, newargv,
+			ret = do_command4(newargc, newargv,
 					 &newargv[2], &handle);
 
 			free_argv();
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 38dd2c2..b085946 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -62,7 +62,7 @@ main(int argc, char *argv[])
 	init_extensions4();
 #endif
 
-	ret = do_command(argc, argv, &table, &handle);
+	ret = do_command4(argc, argv, &table, &handle);
 	if (ret) {
 		ret = iptc_commit(handle);
 		iptc_free(handle);
diff --git a/iptables-xml.c b/iptables-xml.c
index 57c7486..dc3cd4f 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -844,7 +844,7 @@ main(int argc, char *argv[])
 				}
 			}
 
-			DEBUGP("calling do_command(%u, argv, &%s, handle):\n",
+			DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
 			       newargc, curTable);
 
 			for (a = 0; a < newargc; a++)
diff --git a/iptables.c b/iptables.c
index b7c9498..0995d6f 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1413,7 +1413,7 @@ static void command_match(struct iptables_command_state *cs)
 	}
 }
 
-int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle)
+int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handle)
 {
 	struct iptables_command_state cs;
 	struct ipt_entry *e = NULL;
@@ -1437,11 +1437,11 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 	cs.jumpto = "";
 	cs.argv = argv;
 
-	/* re-set optind to 0 in case do_command gets called
+	/* re-set optind to 0 in case do_command4 gets called
 	 * a second time */
 	optind = 0;
 
-	/* clear mflags in case do_command gets called a second time
+	/* clear mflags in case do_command4 gets called a second time
 	 * (we clear the global list of all matches for security)*/
 	for (m = xtables_matches; m; m = m->next)
 		m->mflags = 0;
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 16/17] v4: rename do_command() to do_command4()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 17/17] v6: rename do_command() to do_command6()

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

(actually only applies to two comments, since the
function has long been called do_command6)

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 ip6tables.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index 83d8aed..15508d6 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1407,11 +1407,11 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 	cs.jumpto = "";
 	cs.argv = argv;
 
-	/* re-set optind to 0 in case do_command gets called
+	/* re-set optind to 0 in case do_command6 gets called
 	 * a second time */
 	optind = 0;
 
-	/* clear mflags in case do_command gets called a second time
+	/* clear mflags in case do_command6 gets called a second time
 	 * (we clear the global list of all matches for security)*/
 	for (m = xtables_matches; m; m = m->next)
 		m->mflags = 0;
-- 
1.7.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 17/17] v6: rename do_command() to do_command6()

[Patrick McHardy]

On 01.04.2011 06:27, Maciej Żenczykowski wrote:
> (actually only applies to two comments, since the
> function has long been called do_command6)
> 

Also applied, thanks.

If you plan to submit more patches in the future, I'd appreciate it
if you would combine simple patches that basically all do the same
things like the v4 and v6 renames into a single larger patch.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 17/17] v6: rename do_command() to do_command6()

[Maciej Żenczykowski]

> Also applied, thanks.
>
> If you plan to submit more patches in the future, I'd appreciate it
> if you would combine simple patches that basically all do the same
> things like the v4 and v6 renames into a single larger patch.

Ok, I was assuming review would be easier with simpler patches.
Does your request also hold true if I provide a git repo to pull from?

Maciej

Re: [PATCH 17/17] v6: rename do_command() to do_command6()

[Patrick McHardy]

Am 04.04.2011 21:33, schrieb Maciej Żenczykowski:
>> Also applied, thanks.
>>
>> If you plan to submit more patches in the future, I'd appreciate it
>> if you would combine simple patches that basically all do the same
>> things like the v4 and v6 renames into a single larger patch.
> 
> Ok, I was assuming review would be easier with simpler patches.
> Does your request also hold true if I provide a git repo to pull from?

That's always preferred, but I think it would still make sense to
fold a bunch of renames that happen for the same purpose into a
single patch. If it gets to large, one patch for v4 and one for v6
would also be fine.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html