Pending fixes, global var reduction

Pending fixes, global var reduction

[Jan Engelhardt]

The following changes since commit 3b7a22b44d74b9b05d5e4b0529ebf72c49dcbff5:

  doc: document IPv6 TOS mangling bug in old Linux kernels (2011-06-17 05:46:22 +0200)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (7):
      doc: include matches/targets in manpage again
      libipt_LOG: fix ignoring all but last flags
      libxt_RATEEST: use guided option parser
      iptables: consolidate target/match init call
      extensions: support for per-extension instance "global" variable space
      libxt_rateest: abolish global variables
      libxt_RATEEST: abolish global variables

 extensions/libip6t_LOG.c   |   10 ++--
 extensions/libipt_LOG.c    |   10 ++--
 extensions/libxt_RATEEST.c |  107 ++++++++++++++++----------------------------
 extensions/libxt_rateest.c |   12 +----
 include/xtables.h.in       |   18 ++++++-
 iptables/Makefile.am       |    4 +-
 iptables/ip6tables.c       |    9 +---
 iptables/iptables.c        |   10 ++---
 iptables/xshared.c         |   33 +++++++++++++-
 iptables/xshared.h         |    2 +
 iptables/xtoptions.c       |    4 ++
 tests/options-most.rules   |    2 +
 12 files changed, 115 insertions(+), 106 deletions(-)

[PATCH 1/7] doc: include matches/targets in manpage again

[Jan Engelhardt]

Evil sed did not throw any warning whatsoever when it cannot find the
file.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 iptables/Makefile.am |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 13cca9c..a068278 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -51,10 +51,10 @@ v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
 endif
 
 iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
+	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
 
 ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
+	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
 
 pkgconfig_DATA = xtables.pc
 
-- 
1.7.3.4

[PATCH 2/7] libipt_LOG: fix ignoring all but last flags

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_LOG.c |   10 +++++-----
 extensions/libipt_LOG.c  |   10 +++++-----
 tests/options-most.rules |    2 ++
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index a419ec9..2b1ae28 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -87,19 +87,19 @@ static void LOG_parse(struct xt_option_call *cb)
 				   "Newlines not allowed in --log-prefix");
 		break;
 	case O_LOG_TCPSEQ:
-		info->logflags = IP6T_LOG_TCPSEQ;
+		info->logflags |= IP6T_LOG_TCPSEQ;
 		break;
 	case O_LOG_TCPOPTS:
-		info->logflags = IP6T_LOG_TCPOPT;
+		info->logflags |= IP6T_LOG_TCPOPT;
 		break;
 	case O_LOG_IPOPTS:
-		info->logflags = IP6T_LOG_IPOPT;
+		info->logflags |= IP6T_LOG_IPOPT;
 		break;
 	case O_LOG_UID:
-		info->logflags = IP6T_LOG_UID;
+		info->logflags |= IP6T_LOG_UID;
 		break;
 	case O_LOG_MAC:
-		info->logflags = IP6T_LOG_MACDECODE;
+		info->logflags |= IP6T_LOG_MACDECODE;
 		break;
 	}
 }
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index b270bcf..77f16d1 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -87,19 +87,19 @@ static void LOG_parse(struct xt_option_call *cb)
 				   "Newlines not allowed in --log-prefix");
 		break;
 	case O_LOG_TCPSEQ:
-		info->logflags = IPT_LOG_TCPSEQ;
+		info->logflags |= IPT_LOG_TCPSEQ;
 		break;
 	case O_LOG_TCPOPTS:
-		info->logflags = IPT_LOG_TCPOPT;
+		info->logflags |= IPT_LOG_TCPOPT;
 		break;
 	case O_LOG_IPOPTS:
-		info->logflags = IPT_LOG_IPOPT;
+		info->logflags |= IPT_LOG_IPOPT;
 		break;
 	case O_LOG_UID:
-		info->logflags = IPT_LOG_UID;
+		info->logflags |= IPT_LOG_UID;
 		break;
 	case O_LOG_MAC:
-		info->logflags = IPT_LOG_MACDECODE;
+		info->logflags |= IPT_LOG_MACDECODE;
 		break;
 	}
 }
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 6c4a831..13ee987 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -146,6 +146,8 @@
 -A matches
 -A matches -m rt --rt-segsleft 5:4294967295
 -A matches
+-A ntarg -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
+-A ntarg
 -A ntarg -j NFQUEUE --queue-num 1
 -A ntarg
 -A ntarg -j NFQUEUE --queue-balance 8:99
-- 
1.7.3.4

[PATCH 3/7] libxt_RATEEST: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_RATEEST.c |   94 ++++++++++++++------------------------------
 1 files changed, 30 insertions(+), 64 deletions(-)

diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 6369e9e..b928b33 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -1,9 +1,6 @@
-#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-#include <stddef.h>
-#include <getopt.h>
 #include <math.h>
 
 #include <xtables.h>
@@ -11,7 +8,6 @@
 #include <linux/netfilter/xt_RATEEST.h>
 
 /* hack to pass raw values to final_check */
-static struct xt_rateest_target_info *RATEEST_info;
 static unsigned int interval;
 static unsigned int ewma_log;
 
@@ -25,18 +21,23 @@ RATEEST_help(void)
 "  --rateest-ewmalog value	Rate measurement averaging time constant\n");
 }
 
-enum RATEEST_options {
-	RATEEST_OPT_NAME,
-	RATEEST_OPT_INTERVAL,
-	RATEEST_OPT_EWMALOG,
+enum {
+	O_NAME = 0,
+	O_INTERVAL,
+	O_EWMALOG,
 };
 
-static const struct option RATEEST_opts[] = {
-	{.name = "rateest-name",     .has_arg = true, .val = RATEEST_OPT_NAME},
-	{.name = "rateest-interval", .has_arg = true, .val = RATEEST_OPT_INTERVAL},
-	{.name = "rateest-ewmalog",  .has_arg = true, .val = RATEEST_OPT_EWMALOG},
-	XT_GETOPT_TABLEEND,
+#define s struct xt_rateest_target_info
+static const struct xt_option_entry RATEEST_opts[] = {
+	{.name = "rateest-name", .id = O_NAME, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name)},
+	{.name = "rateest-interval", .id = O_INTERVAL, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND},
+	{.name = "rateest-ewmalog", .id = O_EWMALOG, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND},
+	XTOPT_TABLEEND,
 };
+#undef s
 
 /* Copied from iproute */
 #define TIME_UNITS_PER_SEC	1000000
@@ -82,63 +83,28 @@ RATEEST_print_time(unsigned int time)
 		printf(" %uus", time);
 }
 
-static int
-RATEEST_parse(int c, char **argv, int invert, unsigned int *flags,
-	      const void *entry, struct xt_entry_target **target)
+static void RATEEST_parse(struct xt_option_call *cb)
 {
-	struct xt_rateest_target_info *info = (void *)(*target)->data;
-
-	RATEEST_info = info;
-
-	switch (c) {
-	case RATEEST_OPT_NAME:
-		if (*flags & (1 << c))
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_INTERVAL:
+		if (RATEEST_get_time(&interval, cb->arg) < 0)
 			xtables_error(PARAMETER_PROBLEM,
-				   "RATEEST: can't specify --rateest-name twice");
-		*flags |= 1 << c;
-
-		strncpy(info->name, optarg, sizeof(info->name) - 1);
+				   "RATEEST: bad interval value \"%s\"",
+				   cb->arg);
 		break;
-
-	case RATEEST_OPT_INTERVAL:
-		if (*flags & (1 << c))
+	case O_EWMALOG:
+		if (RATEEST_get_time(&ewma_log, cb->arg) < 0)
 			xtables_error(PARAMETER_PROBLEM,
-				   "RATEEST: can't specify --rateest-interval twice");
-		*flags |= 1 << c;
-
-		if (RATEEST_get_time(&interval, optarg) < 0)
-			xtables_error(PARAMETER_PROBLEM,
-				   "RATEEST: bad interval value `%s'", optarg);
-
-		break;
-
-	case RATEEST_OPT_EWMALOG:
-		if (*flags & (1 << c))
-			xtables_error(PARAMETER_PROBLEM,
-				   "RATEEST: can't specify --rateest-ewmalog twice");
-		*flags |= 1 << c;
-
-		if (RATEEST_get_time(&ewma_log, optarg) < 0)
-			xtables_error(PARAMETER_PROBLEM,
-				   "RATEEST: bad ewmalog value `%s'", optarg);
-
+				   "RATEEST: bad ewmalog value \"%s\"",
+				   cb->arg);
 		break;
 	}
-
-	return 1;
 }
 
-static void
-RATEEST_final_check(unsigned int flags)
+static void RATEEST_final_check(struct xt_fcheck_call *cb)
 {
-	struct xt_rateest_target_info *info = RATEEST_info;
-
-	if (!(flags & (1 << RATEEST_OPT_NAME)))
-		xtables_error(PARAMETER_PROBLEM, "RATEEST: no name specified");
-	if (!(flags & (1 << RATEEST_OPT_INTERVAL)))
-		xtables_error(PARAMETER_PROBLEM, "RATEEST: no interval specified");
-	if (!(flags & (1 << RATEEST_OPT_EWMALOG)))
-		xtables_error(PARAMETER_PROBLEM, "RATEEST: no ewmalog specified");
+	struct xt_rateest_target_info *info = cb->data;
 
 	for (info->interval = 0; info->interval <= 5; info->interval++) {
 		if (interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
@@ -199,11 +165,11 @@ static struct xtables_target rateest_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct xt_rateest_target_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_rateest_target_info)),
 	.help		= RATEEST_help,
-	.parse		= RATEEST_parse,
-	.final_check	= RATEEST_final_check,
+	.x6_parse	= RATEEST_parse,
+	.x6_fcheck	= RATEEST_final_check,
 	.print		= RATEEST_print,
 	.save		= RATEEST_save,
-	.extra_opts	= RATEEST_opts,
+	.x6_options	= RATEEST_opts,
 };
 
 void _init(void)
-- 
1.7.3.4

[PATCH 4/7] iptables: consolidate target/match init call

[Jan Engelhardt]

This is useful for the upcoming patch about per-instance auxiliary
data.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 iptables/ip6tables.c |    9 +++------
 iptables/iptables.c  |   10 ++++------
 iptables/xshared.c   |   15 +++++++++++++--
 iptables/xshared.h   |    2 ++
 4 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4037acf..d13744c 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1288,8 +1288,7 @@ static void command_jump(struct iptables_command_state *cs)
 	cs->target->t->u.target_size = size;
 	strcpy(cs->target->t->u.user.name, cs->jumpto);
 	cs->target->t->u.user.revision = cs->target->revision;
-	if (cs->target->init != NULL)
-		cs->target->init(cs->target->t);
+	xs_init_target(cs->target);
 	if (cs->target->x6_options != NULL)
 		opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
 					    cs->target->x6_options,
@@ -1317,8 +1316,7 @@ static void command_match(struct iptables_command_state *cs)
 	m->m->u.match_size = size;
 	strcpy(m->m->u.user.name, m->name);
 	m->m->u.user.revision = m->revision;
-	if (m->init != NULL)
-		m->init(m->m);
+	xs_init_match(m);
 	if (m == m->next)
 		return;
 	/* Merge options for non-cloned matches */
@@ -1839,8 +1837,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			cs.target->t = xtables_calloc(1, size);
 			cs.target->t->u.target_size = size;
 			strcpy(cs.target->t->u.user.name, cs.jumpto);
-			if (cs.target->init != NULL)
-				cs.target->init(cs.target->t);
+			xs_init_target(cs.target);
 		}
 
 		if (!cs.target) {
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 4ae7541..477e8f1 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1315,8 +1315,8 @@ static void command_jump(struct iptables_command_state *cs)
 	cs->target->t->u.target_size = size;
 	strcpy(cs->target->t->u.user.name, cs->jumpto);
 	cs->target->t->u.user.revision = cs->target->revision;
-	if (cs->target->init != NULL)
-		cs->target->init(cs->target->t);
+	xs_init_target(cs->target);
+
 	if (cs->target->x6_options != NULL)
 		opts = xtables_options_xfrm(iptables_globals.orig_opts, opts,
 					    cs->target->x6_options,
@@ -1344,8 +1344,7 @@ static void command_match(struct iptables_command_state *cs)
 	m->m->u.match_size = size;
 	strcpy(m->m->u.user.name, m->name);
 	m->m->u.user.revision = m->revision;
-	if (m->init != NULL)
-		m->init(m->m);
+	xs_init_match(m);
 	if (m == m->next)
 		return;
 	/* Merge options for non-cloned matches */
@@ -1871,8 +1870,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
 			strcpy(cs.target->t->u.user.name, cs.jumpto);
 			if (!iptc_is_chain(cs.jumpto, *handle))
 				cs.target->t->u.user.revision = cs.target->revision;
-			if (cs.target->init != NULL)
-				cs.target->init(cs.target->t);
+			xs_init_target(cs.target);
 		}
 
 		if (!cs.target) {
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 0e3857b..55ce550 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -145,8 +145,7 @@ int command_default(struct iptables_command_state *cs,
 		m->m->u.match_size = size;
 		strcpy(m->m->u.user.name, m->name);
 		m->m->u.user.revision = m->revision;
-		if (m->init != NULL)
-			m->init(m->m);
+		xs_init_match(m);
 
 		if (m->x6_options != NULL)
 			gl->opts = xtables_options_xfrm(gl->orig_opts,
@@ -207,3 +206,15 @@ int subcmd_main(int argc, char **argv, const struct subcommand *cb)
 		fprintf(stderr, " * %s\n", cb->name);
 	exit(EXIT_FAILURE);
 }
+
+void xs_init_target(struct xtables_target *target)
+{
+	if (target->init != NULL)
+		target->init(target->t);
+}
+
+void xs_init_match(struct xtables_match *match)
+{
+	if (match->init != NULL)
+		match->init(match->m);
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index b44a3a3..b804aaf 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -81,6 +81,8 @@ extern int command_default(struct iptables_command_state *,
 	struct xtables_globals *);
 extern struct xtables_match *load_proto(struct iptables_command_state *);
 extern int subcmd_main(int, char **, const struct subcommand *);
+extern void xs_init_target(struct xtables_target *);
+extern void xs_init_match(struct xtables_match *);
 
 extern const struct xtables_afinfo *afinfo;
 
-- 
1.7.3.4

[PATCH 5/7] extensions: support for per-extension instance "global" variable space

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/xtables.h.in |   18 +++++++++++++++---
 iptables/xshared.c   |   18 ++++++++++++++++++
 iptables/xtoptions.c |    4 ++++
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/include/xtables.h.in b/include/xtables.h.in
index 2565dd2..0dead26 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -137,11 +137,13 @@ struct xt_option_entry {
  * @arg:	input from command line
  * @ext_name:	name of extension currently being processed
  * @entry:	current option being processed
- * @data:	per-extension data block
+ * @data:	per-extension kernel data block
  * @xflags:	options of the extension that have been used
  * @invert:	whether option was used with !
  * @nvals:	number of results in uXX_multi
  * @val:	parsed result
+ * @udata:	per-extension private scratch area
+ * 		(cf. xtables_{match,target}->udata_size)
  */
 struct xt_option_call {
 	const char *arg, *ext_name;
@@ -174,16 +176,19 @@ struct xt_option_call {
 		struct xt_entry_target **target;
 	};
 	void *xt_entry;
+	void *udata;
 };
 
 /**
  * @ext_name:	name of extension currently being processed
- * @data:	per-extension data block
+ * @data:	per-extension (kernel) data block
+ * @udata:	per-extension private scratch area
+ * 		(cf. xtables_{match,target}->udata_size)
  * @xflags:	options of the extension that have been used
  */
 struct xt_fcheck_call {
 	const char *ext_name;
-	void *data;
+	void *data, *udata;
 	unsigned int xflags;
 };
 
@@ -254,7 +259,11 @@ struct xtables_match
 	void (*x6_fcheck)(struct xt_fcheck_call *);
 	const struct xt_option_entry *x6_options;
 
+	/* Size of per-extension instance extra "global" scratch space */
+	size_t udata_size;
+
 	/* Ignore these men behind the curtain: */
+	void *udata;
 	unsigned int option_offset;
 	struct xt_entry_match *m;
 	unsigned int mflags;
@@ -318,7 +327,10 @@ struct xtables_target
 	void (*x6_fcheck)(struct xt_fcheck_call *);
 	const struct xt_option_entry *x6_options;
 
+	size_t udata_size;
+
 	/* Ignore these men behind the curtain: */
+	void *udata;
 	unsigned int option_offset;
 	struct xt_entry_target *t;
 	unsigned int tflags;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 55ce550..79da507 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -209,12 +209,30 @@ int subcmd_main(int argc, char **argv, const struct subcommand *cb)
 
 void xs_init_target(struct xtables_target *target)
 {
+	if (target->udata_size != 0) {
+		free(target->udata);
+		target->udata = calloc(1, target->udata_size);
+		if (target->udata == NULL)
+			xtables_error(RESOURCE_PROBLEM, "malloc");
+	}
 	if (target->init != NULL)
 		target->init(target->t);
 }
 
 void xs_init_match(struct xtables_match *match)
 {
+	if (match->udata_size != 0) {
+		/*
+		 * As soon as a subsequent instance of the same match
+		 * is used, e.g. "-m time -m time", the first instance
+		 * is no longer reachable anyway, so we can free udata.
+		 * Same goes for target.
+		 */
+		free(match->udata);
+		match->udata = calloc(1, match->udata_size);
+		if (match->udata == NULL)
+			xtables_error(RESOURCE_PROBLEM, "malloc");
+	}
 	if (match->init != NULL)
 		match->init(match->m);
 }
diff --git a/iptables/xtoptions.c b/iptables/xtoptions.c
index ac0601f..1423724 100644
--- a/iptables/xtoptions.c
+++ b/iptables/xtoptions.c
@@ -908,6 +908,7 @@ void xtables_option_tpcall(unsigned int c, char **argv, bool invert,
 	cb.xflags   = t->tflags;
 	cb.target   = &t->t;
 	cb.xt_entry = fw;
+	cb.udata    = t->udata;
 	t->x6_parse(&cb);
 	t->tflags = cb.xflags;
 }
@@ -943,6 +944,7 @@ void xtables_option_mpcall(unsigned int c, char **argv, bool invert,
 	cb.xflags   = m->mflags;
 	cb.match    = &m->m;
 	cb.xt_entry = fw;
+	cb.udata    = m->udata;
 	m->x6_parse(&cb);
 	m->mflags = cb.xflags;
 }
@@ -1028,6 +1030,7 @@ void xtables_option_tfcall(struct xtables_target *t)
 		cb.ext_name = t->name;
 		cb.data     = t->t->data;
 		cb.xflags   = t->tflags;
+		cb.udata    = t->udata;
 		t->x6_fcheck(&cb);
 	} else if (t->final_check != NULL) {
 		t->final_check(t->tflags);
@@ -1048,6 +1051,7 @@ void xtables_option_mfcall(struct xtables_match *m)
 		cb.ext_name = m->name;
 		cb.data     = m->m->data;
 		cb.xflags   = m->mflags;
+		cb.udata    = m->udata;
 		m->x6_fcheck(&cb);
 	} else if (m->final_check != NULL) {
 		m->final_check(m->mflags);
-- 
1.7.3.4

[PATCH 6/7] libxt_rateest: abolish global variables

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_rateest.c |   12 +++---------
 1 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 509b3e3..5f42a13 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -8,9 +8,6 @@
 #include <xtables.h>
 #include <linux/netfilter/xt_rateest.h>
 
-/* Ugly hack to pass info to final_check function. We should fix the API */
-static struct xt_rateest_match_info *rateest_info;
-
 static void rateest_help(void)
 {
 	printf(
@@ -115,8 +112,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
 	struct xt_rateest_match_info *info = (void *)(*match)->data;
 	unsigned int val;
 
-	rateest_info = info;
-
 	switch (c) {
 	case OPT_RATEEST1:
 		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
@@ -302,10 +297,9 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
 	return 1;
 }
 
-static void
-rateest_final_check(unsigned int flags)
+static void rateest_final_check(struct xt_fcheck_call *cb)
 {
-	struct xt_rateest_match_info *info = rateest_info;
+	struct xt_rateest_match_info *info = cb->data;
 
 	if (info == NULL)
 		xtables_error(PARAMETER_PROBLEM, "rateest match: "
@@ -439,7 +433,7 @@ static struct xtables_match rateest_mt_reg = {
 	.userspacesize	= XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
 	.help		= rateest_help,
 	.parse		= rateest_parse,
-	.final_check	= rateest_final_check,
+	.x6_fcheck	= rateest_final_check,
 	.print		= rateest_print,
 	.save		= rateest_save,
 	.extra_opts	= rateest_opts,
-- 
1.7.3.4

[PATCH 7/7] libxt_RATEEST: abolish global variables

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_RATEEST.c |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index b928b33..62bcb5e 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -7,9 +7,10 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_RATEEST.h>
 
-/* hack to pass raw values to final_check */
-static unsigned int interval;
-static unsigned int ewma_log;
+struct rateest_tg_udata {
+	unsigned int interval;
+	unsigned int ewma_log;
+};
 
 static void
 RATEEST_help(void)
@@ -85,16 +86,18 @@ RATEEST_print_time(unsigned int time)
 
 static void RATEEST_parse(struct xt_option_call *cb)
 {
+	struct rateest_tg_udata *udata = cb->udata;
+
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
 	case O_INTERVAL:
-		if (RATEEST_get_time(&interval, cb->arg) < 0)
+		if (RATEEST_get_time(&udata->interval, cb->arg) < 0)
 			xtables_error(PARAMETER_PROBLEM,
 				   "RATEEST: bad interval value \"%s\"",
 				   cb->arg);
 		break;
 	case O_EWMALOG:
-		if (RATEEST_get_time(&ewma_log, cb->arg) < 0)
+		if (RATEEST_get_time(&udata->ewma_log, cb->arg) < 0)
 			xtables_error(PARAMETER_PROBLEM,
 				   "RATEEST: bad ewmalog value \"%s\"",
 				   cb->arg);
@@ -105,9 +108,10 @@ static void RATEEST_parse(struct xt_option_call *cb)
 static void RATEEST_final_check(struct xt_fcheck_call *cb)
 {
 	struct xt_rateest_target_info *info = cb->data;
+	struct rateest_tg_udata *udata = cb->udata;
 
 	for (info->interval = 0; info->interval <= 5; info->interval++) {
-		if (interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
+		if (udata->interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
 			break;
 	}
 
@@ -118,7 +122,7 @@ static void RATEEST_final_check(struct xt_fcheck_call *cb)
 
 	for (info->ewma_log = 1; info->ewma_log < 32; info->ewma_log++) {
 		double w = 1.0 - 1.0 / (1 << info->ewma_log);
-		if (interval / (-log(w)) > ewma_log)
+		if (udata->interval / (-log(w)) > udata->ewma_log)
 			break;
 	}
 	info->ewma_log--;
@@ -170,6 +174,7 @@ static struct xtables_target rateest_tg_reg = {
 	.print		= RATEEST_print,
 	.save		= RATEEST_save,
 	.x6_options	= RATEEST_opts,
+	.udata_size	= sizeof(struct rateest_tg_udata),
 };
 
 void _init(void)
-- 
1.7.3.4

Re: Pending fixes, global var reduction

[Patrick McHardy]

Am 21.06.2011 17:53, schrieb Jan Engelhardt:
> The following changes since commit 3b7a22b44d74b9b05d5e4b0529ebf72c49dcbff5:
> 
>   doc: document IPv6 TOS mangling bug in old Linux kernels (2011-06-17 05:46:22 +0200)
> 
> are available in the git repository at:
>   git://dev.medozas.de/iptables master
> 
> Jan Engelhardt (7):
>       doc: include matches/targets in manpage again
>       libipt_LOG: fix ignoring all but last flags
>       libxt_RATEEST: use guided option parser
>       iptables: consolidate target/match init call
>       extensions: support for per-extension instance "global" variable space
>       libxt_rateest: abolish global variables
>       libxt_RATEEST: abolish global variables


Pulled, thanks.