netfilter-devel.vger.kernel.org archive mirror
* iptables-1.4.12 fixes (2)
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


The following changes since commit 3716dfd7eac3afa7fb3098952550e510c8df0220:

  libxt_string: fix space around arguments (2011-08-20 21:16:17 +0200)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (21):
      doc: clarify libxt_connlimit defaults
      libxt_conntrack: remove one misleading comment
      libxt_dccp: restore missing XTOPT_INVERT tags for options
      libxt_dccp: fix deprecated intrapositional ordering of !
      libxt_dccp: spell out option name on save
      libxt_dccp: provide man pages options in short help too
      libxt_dccp: fix random output of ! on --dccp-option
      libxt_dscp: restore inversion support
      libxt_hashlimit: default htable-expire must be in milliseconds
      libxt_conntrack: fix --ctproto 0 output
      xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT
      libip6t_frag: restore inversion support
      libxt_hashlimit: remove inversion from hashlimit rev 0
      libip6t_hbh: restore setting IP6T_OPTS_LEN flag
      libip6t_dst: restore setting IP6T_OPTS_LEN flag
      libipt_ttl: document that negation is available
      libxt_owner: restore inversion support
      libxt_physdev: restore inversion support
      libxt_policy: remove superfluous inversion
      tests: add negation tests for libxt_statistic
      libxt_hashlimit: observe new default gc-expire time when saving

 extensions/libip6t_dst.c       |    3 ++
 extensions/libip6t_frag.c      |   16 ++++++++++++
 extensions/libip6t_hbh.c       |    1 +
 extensions/libipt_ttl.c        |    2 +-
 extensions/libipt_ttl.man      |    2 +-
 extensions/libxt_connlimit.man |    3 +-
 extensions/libxt_conntrack.c   |   13 +++++----
 extensions/libxt_dccp.c        |   19 +++++++++-----
 extensions/libxt_dccp.man      |    2 +-
 extensions/libxt_dscp.c        |    5 ++-
 extensions/libxt_hashlimit.c   |   50 +++++++++++++++++++--------------------
 extensions/libxt_owner.c       |    3 +-
 extensions/libxt_physdev.c     |    7 +++--
 extensions/libxt_policy.c      |    3 +-
 iptables/xtoptions.c           |    8 +++++-
 tests/options-most.rules       |   19 +++++++++++++-
 16 files changed, 102 insertions(+), 54 deletions(-)


* [PATCH 01/21] doc: clarify libxt_connlimit defaults
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_connlimit.man |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index bd369a6..ad9f40f 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -13,7 +13,8 @@ Group hosts using the prefix length. For IPv4, this must be a number between
 maximum prefix length for the applicable protocol is used.
 .TP
 \fB\-\-connlimit\-saddr\fP
-Apply the limit onto the source group.
+Apply the limit onto the source group. This is the default if
+\-\-connlimit\-daddr is not specified.
 .TP
 \fB\-\-connlimit\-daddr\fP
 Apply the limit onto the destination group.
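Review bot: the `\-\-connlimit\-daddr` entry directly below this hunk still reads as an unrelated option, so a reader who lands there cannot tell that it displaces the source-group default just documented for `\-\-connlimit\-saddr`; add a matching cross-reference sentence to that entry as well.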
-- 
1.7.3.4



* [PATCH 02/21] libxt_conntrack: remove one misleading comment
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_conntrack.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 8e1777e..a401125 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -143,8 +143,8 @@ static const struct xt_option_entry conntrack2_mt_opts[] = {
 };
 #undef s
 
-#define s struct xt_conntrack_mtinfo3 /* for v1-v3 */
-/* We exploit the fact that v1-v3 share the same layout */
+#define s struct xt_conntrack_mtinfo3
+/* Difference from v2 is the non-NBO form. */
 static const struct xt_option_entry conntrack3_mt_opts[] = {
 	{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
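Review bot: the replacement comment `/* Difference from v2 is the non-NBO form. */` introduces a new claim about byte order that the commit message ("remove one misleading comment") does not explain; either state in the commit message why the "v1-v3 share the same layout" remark was misleading and what the non-NBO form refers to, or keep the hunk to a pure removal.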
-- 
1.7.3.4



* [PATCH 03/21] libxt_dccp: restore missing XTOPT_INVERT tags for options
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

This regression goes back to v1.4.11~19^2.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_dccp.c  |    5 +++--
 tests/options-most.rules |    1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 28c59b9..0fc5f7d 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -50,9 +50,10 @@ static const struct xt_option_entry dccp_opts[] = {
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, dpts)},
 	{.name = "dport", .id = O_DEST_PORT, .type = XTTYPE_PORTRC,
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, dpts)},
-	{.name = "dccp-types", .id = O_DCCP_TYPES, .type = XTTYPE_STRING},
+	{.name = "dccp-types", .id = O_DCCP_TYPES, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
 	{.name = "dccp-option", .id = O_DCCP_OPTION, .type = XTTYPE_UINT8,
-	 .min = 1, .max = UINT8_MAX, .flags = XTOPT_PUT,
+	 .min = 1, .max = UINT8_MAX, .flags = XTOPT_INVERT | XTOPT_PUT,
 	 XTOPT_POINTER(s, option)},
 	XTOPT_TABLEEND,
 };
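Review bot: adding XTOPT_INVERT to the `dccp-types` and `dccp-option` entries only makes the option parser accept a leading `!`; nothing in this hunk shows dccp_parse() consulting cb->invert and setting XT_DCCP_TYPE / XT_DCCP_OPTION in invflags, so please confirm that path exists, otherwise a negated rule is accepted and silently matches as if it were not negated.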
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 4a3cd99..ab7f586 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -46,6 +46,7 @@
 -A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
 -A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
 -A INPUT -p dccp -m cpu --cpu 1 -m dccp --sport 1:2 --dport 3:4 -m cpu --cpu 1
+-A INPUT -p dccp -m dccp ! --sport 1:2 ! --dport 3:4 ! --dccp-types REQUEST,RESPONSE ! --dccp-option 1
 -A INPUT -p udp -m cpu --cpu 1 -m udp --sport 1:2 --dport 3:4 -m cpu --cpu 1
 -A INPUT -p sctp -m cpu --cpu 1 -m sctp --sport 1:2 --dport 3:4 --chunk-types all INIT,SACK -m cpu --cpu 1
 -A INPUT -p esp -m esp --espspi 1:2
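Review bot: the new negated test rule depends on save output that is only corrected later in this series (the ` !` placement in 04/21 and the invflags check in 07/21), so tests/options-most.rules is expected to fail at this commit; reorder so the test lands after those fixes, or squash them. The non-negated forms of `--dccp-types` and `--dccp-option` are still not exercised in the surrounding rules; a second line without `!` would cover both paths.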
-- 
1.7.3.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 04/21] libxt_dccp: fix deprecated intrapositional ordering of !
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

This bug goes back to v1.4.3~63.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_dccp.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 0fc5f7d..4de07cc 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -262,13 +262,14 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
 	}
 
 	if (einfo->flags & XT_DCCP_TYPE) {
-		printf(" --dccp-type");
-		print_types(einfo->typemask, einfo->invflags & XT_DCCP_TYPE,0);
+		printf("%s --dccp-type",
+		       einfo->invflags & XT_DCCP_TYPE ? " !" : "");
+		print_types(einfo->typemask, false, 0);
 	}
 
 	if (einfo->flags & XT_DCCP_OPTION) {
-		printf(" --dccp-option %s%u",
-			einfo->typemask & XT_DCCP_OPTION ? "! " : "",
+		printf("%s --dccp-option %u",
+			einfo->typemask & XT_DCCP_OPTION ? " !" : "",
 			einfo->option);
 	}
 }
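Review bot: the `--dccp-option` branch still keys the `!` on `einfo->typemask & XT_DCCP_OPTION` rather than on invflags, so after this hunk the negation is printed based on the type bitmask; since 07/21 corrects exactly this line, squash that fix in here so the intermediate commit does not emit wrong output. Passing `false` to print_types() is correct now that the `!` is emitted before the option name.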
-- 
1.7.3.4


* [PATCH 05/21] libxt_dccp: spell out option name on save
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

This glitch goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_dccp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 4de07cc..09ef16e 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -262,7 +262,7 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
 	}
 
 	if (einfo->flags & XT_DCCP_TYPE) {
-		printf("%s --dccp-type",
+		printf("%s --dccp-types",
 		       einfo->invflags & XT_DCCP_TYPE ? " !" : "");
 		print_types(einfo->typemask, false, 0);
 	}
-- 
1.7.3.4


* [PATCH 06/21] libxt_dccp: provide man pages options in short help too
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

This omission goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_dccp.c   |    5 ++++-
 extensions/libxt_dccp.man |    2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 09ef16e..4e52b38 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -37,7 +37,10 @@ static void dccp_help(void)
 "[!] --source-port port[:port]                          match source port(s)\n"
 " --sport ...\n"
 "[!] --destination-port port[:port]                     match destination port(s)\n"
-" --dport ...\n");
+" --dport ...\n"
+"[!] --dccp-types type[,...]                            match when packet is one of the given types\n"
+"[!] --dccp-option option                               match if option (by number!) is set\n"
+);
 }
 
 #define s struct xt_dccp_info
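Review bot: the closing `);` on a line of its own is inconsistent with the `" --dport ...\n");` form this hunk replaces; put it on the last string line. The `[!]` prefixes on the two new lines correctly mirror the XTOPT_INVERT flags added in 03/21; `(by number!)` reads as an aside in help output, `(numeric)` would be cleaner.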
diff --git a/extensions/libxt_dccp.man b/extensions/libxt_dccp.man
index 82c3f70..71beb4b 100644
--- a/extensions/libxt_dccp.man
+++ b/extensions/libxt_dccp.man
@@ -9,4 +9,4 @@ list of packet types.  Packet types are:
 .BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
 .TP
 [\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
-Match if DCP option set.
+Match if DCCP option set.
-- 
1.7.3.4


* [PATCH 07/21] libxt_dccp: fix random output of ! on --dccp-option
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

dccp-option tests info->typemask, but it really should look at
info->invflags instead.

This bug goes back to commit v1.3.4~11.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_dccp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 4e52b38..a35cabb 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -272,7 +272,7 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
 
 	if (einfo->flags & XT_DCCP_OPTION) {
 		printf("%s --dccp-option %u",
-			einfo->typemask & XT_DCCP_OPTION ? " !" : "",
+			einfo->invflags & XT_DCCP_OPTION ? " !" : "",
 			einfo->option);
 	}
 }
-- 
1.7.3.4


* [PATCH 08/21] libxt_dscp: restore inversion support
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_dscp.c  |    5 +++--
 tests/options-most.rules |    4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 69533d6..02b22a4 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -43,9 +43,10 @@ static void dscp_help(void)
 static const struct xt_option_entry dscp_opts[] = {
 	{.name = "dscp", .id = O_DSCP, .excl = F_DSCP_CLASS,
 	 .type = XTTYPE_UINT8, .min = 0, .max = XT_DSCP_MAX,
-	 .flags = XTOPT_PUT, XTOPT_POINTER(struct xt_dscp_info, dscp)},
+	 .flags = XTOPT_INVERT | XTOPT_PUT,
+	 XTOPT_POINTER(struct xt_dscp_info, dscp)},
 	{.name = "dscp-class", .id = O_DSCP_CLASS, .excl = F_DSCP,
-	 .type = XTTYPE_STRING},
+	 .type = XTTYPE_STRING, .flags = XTOPT_INVERT},
 	XTOPT_TABLEEND,
 };
 
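Review bot: as with the dccp change earlier in this series, XTOPT_INVERT on `dscp` and `dscp-class` only lets the parser accept `!`; the hunk does not show dscp_parse() translating cb->invert into the match's invert field, so confirm it does so for both ids (`dscp-class` is parsed as a string, not stored via XTOPT_PUT, so it needs its own handling).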
diff --git a/tests/options-most.rules b/tests/options-most.rules
index ab7f586..4becc2a 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -20,8 +20,8 @@
 -A INPUT -p tcp -m connmark --mark 0x99
 -A INPUT -p tcp -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
 -A INPUT -p tcp -m cpu --cpu 2
--A INPUT -p tcp -m dscp --dscp 0x04
--A INPUT -p tcp -m dscp --dscp 0x00
+-A INPUT -p tcp -m dscp --dscp 0x04 -m dscp ! --dscp 0x04
+-A INPUT -p tcp -m dscp --dscp 0x00 -m dscp ! --dscp 0x00
 -A INPUT -p tcp -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24
 -A INPUT -p tcp -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1
 -A INPUT -p tcp -m helper --helper ftp
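Review bot: `dscp-class` also gained XTOPT_INVERT in this patch but the test rules only negate `--dscp`; add a `-m dscp ! --dscp-class <class>` line so the string-parsed path is covered as well.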
-- 
1.7.3.4


* [PATCH 09/21] libxt_hashlimit: default htable-expire must be in milliseconds
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Bug goes back to v1.4.12~3^2~11.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_hashlimit.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index a838680..89320bb 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -315,7 +315,7 @@ static void hashlimit_check(struct xt_fcheck_call *cb)
 		xtables_error(PARAMETER_PROBLEM,
 				"You have to specify --hashlimit");
 	if (!(cb->xflags & F_HTABLE_EXPIRE))
-		info->cfg.expire = udata->mult;
+		info->cfg.expire = udata->mult * 1000; /* from s to msec */
 }
 
 static void hashlimit_mt_check(struct xt_fcheck_call *cb)
@@ -327,7 +327,7 @@ static void hashlimit_mt_check(struct xt_fcheck_call *cb)
 		xtables_error(PARAMETER_PROBLEM,
 				"You have to specify --hashlimit");
 	if (!(cb->xflags & F_HTABLE_EXPIRE))
-		info->cfg.expire = udata->mult;
+		info->cfg.expire = udata->mult * 1000; /* from s to msec */
 }
 
 static const struct rates
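Review bot: the `udata->mult * 1000; /* from s to msec */` conversion is now duplicated verbatim in hashlimit_check() and hashlimit_mt_check(); factor it into a small helper or a named constant so the unit assumption lives in one place. The multiplication also widens whatever type udata->mult has, so check that info->cfg.expire can hold the largest `mult` the rate parser produces times 1000.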
-- 
1.7.3.4



* [PATCH 10/21] libxt_conntrack: fix --ctproto 0 output
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER.
(Next commit will flag this.) Furthermore, l4proto is of type
uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not
work => revert v1.4.12~1^2.

Bug goes back to v1.4.12~1^2.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_conntrack.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index a401125..060b947 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -93,8 +93,7 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = {
 	{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
-	 .flags = XTOPT_INVERT,
-	 XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)},
+	 .flags = XTOPT_INVERT},
 	{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST,
@@ -117,7 +116,7 @@ static const struct xt_option_entry conntrack2_mt_opts[] = {
 	{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
-	 .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
+	 .flags = XTOPT_INVERT},
 	{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
@@ -149,7 +148,7 @@ static const struct xt_option_entry conntrack3_mt_opts[] = {
 	{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
-	 .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
+	 .flags = XTOPT_INVERT},
 	{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
 	 .flags = XTOPT_INVERT},
 	{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
@@ -336,6 +335,7 @@ static void conntrack_parse(struct xt_option_call *cb)
 			sinfo->invflags |= XT_CONNTRACK_STATE;
 		break;
 	case O_CTPROTO:
+		sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
 		if (cb->invert)
 			sinfo->invflags |= XT_CONNTRACK_PROTO;
 		if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
@@ -400,6 +400,7 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
 			info->invert_flags |= XT_CONNTRACK_STATE;
 		break;
 	case O_CTPROTO:
+		info->l4proto = cb->val.protocol;
 		if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
 			xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
 			           "never match protocol");
-- 
1.7.3.4



* [PATCH 11/21] xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

When XTOPT_POINTER is used (and yields a non-zero offsetof), we can
flag the absence of XTOPT_PUT.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 iptables/xtoptions.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/iptables/xtoptions.c b/iptables/xtoptions.c
index 7095e3e..04344af 100644
--- a/iptables/xtoptions.c
+++ b/iptables/xtoptions.c
@@ -847,8 +847,14 @@ void xtables_option_metavalidate(const char *name,
 			xt_params->exit_err(OTHER_PROBLEM,
 				"Extension %s uses invalid ID %u\n",
 				name, entry->id);
-		if (!(entry->flags & XTOPT_PUT))
+		if (!(entry->flags & XTOPT_PUT)) {
+			if (entry->ptroff != 0)
+				xt_params->exit_err(OTHER_PROBLEM,
+					"%s: ptroff for \"--%s\" is non-"
+					"zero but no XTOPT_PUT is specified. "
+					"Oversight?", name, entry->name);
 			continue;
+		}
 		if (entry->type >= ARRAY_SIZE(xtopt_psize) ||
 		    xtopt_psize[entry->type] == 0)
 			xt_params->exit_err(OTHER_PROBLEM,
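Review bot: the `entry->ptroff != 0` test cannot catch a member at offset zero, which the commit message acknowledges; add a one-line comment at the check saying so, so the next reader does not assume the validation is complete. The error string is also split mid-word (`"non-" "zero"`), which makes grepping for the message harder; split it on a word boundary instead.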
-- 
1.7.3.4



* [PATCH 12/21] libip6t_frag: restore inversion support
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

--fraglen also was not printed since v1.4.11~26^2~22.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_frag.c |   16 ++++++++++++++++
 tests/options-most.rules  |    2 ++
 2 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 4779386..d8bcaee 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -50,6 +50,22 @@ static void frag_parse(struct xt_option_call *cb)
 	case O_FRAGID:
 		if (cb->nvals == 1)
 			fraginfo->ids[1] = fraginfo->ids[0];
+		if (cb->invert)
+			fraginfo->invflags |= IP6T_FRAG_INV_IDS;
+		/*
+		 * Note however that IP6T_FRAG_IDS is not tested by anything,
+		 * so it is merely here for completeness.
+		 */
+		fraginfo->flags |= IP6T_FRAG_IDS;
+		break;
+	case O_FRAGLEN:
+		/*
+		 * As of Linux 3.0, the kernel does not check for
+		 * fraglen at all.
+		 */
+		if (cb->invert)
+			fraginfo->invflags |= IP6T_FRAG_INV_LEN;
+		fraginfo->flags |= IP6T_FRAG_LEN;
 		break;
 	case O_FRAGRES:
 		fraginfo->flags |= IP6T_FRAG_RES;
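Review bot: the new O_FRAGLEN case sets IP6T_FRAG_LEN and the invert bit, but the hunk shows no store of the parsed length into fraginfo; confirm the `fraglen` option entry uses XTOPT_PUT with XTOPT_POINTER so the value actually lands in the struct (the commit message says --fraglen was not printed, and a missing store would keep it that way). The comment that the kernel ignores fraglen as of Linux 3.0 is useful; consider repeating it in the man page so users know the option currently has no effect.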
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 4becc2a..6839d89 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -144,6 +144,8 @@
 -A matches
 -A matches -m frag --fragid 5:4294967295
 -A matches
+-A matches -m frag ! --fragid 9:10 ! --fraglen 12
+-A matches
 -A matches -m rt --rt-segsleft 1
 -A matches
 -A matches -m rt --rt-segsleft :2
-- 
1.7.3.4


* [PATCH 13/21] libxt_hashlimit: remove inversion from hashlimit rev 0
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Revision 0 indeed did not have inversion support, nor presence of
--hashlimit-above. This glitch was added in v1.4.11~16^2~10.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_hashlimit.c |   13 ++-----------
 1 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 89320bb..eb52b16 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -89,7 +89,7 @@ static void hashlimit_mt_help(void)
 #define s struct xt_hashlimit_info
 static const struct xt_option_entry hashlimit_opts[] = {
 	{.name = "hashlimit", .id = O_UPTO, .excl = F_ABOVE,
-	 .type = XTTYPE_STRING, .flags = XTOPT_INVERT},
+	 .type = XTTYPE_STRING},
 	{.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_UINT32,
 	 .min = 1, .max = 10000, .flags = XTOPT_PUT,
 	 XTOPT_POINTER(s, cfg.burst)},
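Review bot: the `hashlimit` entry keeps `.excl = F_ABOVE` although this patch removes --hashlimit-above handling from revision 0; if the rev 0 table no longer carries an O_ABOVE entry, the exclusion flag is dead and should be dropped in the same hunk.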
@@ -251,19 +251,10 @@ static void hashlimit_parse(struct xt_option_call *cb)
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
 	case O_UPTO:
-		if (cb->invert)
-			info->cfg.mode |= XT_HASHLIMIT_INVERT;
 		if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
 			xtables_param_act(XTF_BAD_VALUE, "hashlimit",
 			          "--hashlimit-upto", cb->arg);
 		break;
-	case O_ABOVE:
-		if (!cb->invert)
-			info->cfg.mode |= XT_HASHLIMIT_INVERT;
-		if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
-			xtables_param_act(XTF_BAD_VALUE, "hashlimit",
-			          "--hashlimit-above", cb->arg);
-		break;
 	case O_MODE:
 		if (parse_mode(&info->cfg.mode, cb->arg) < 0)
 			xtables_param_act(XTF_BAD_VALUE, "hashlimit",
@@ -529,7 +520,7 @@ static struct xtables_match hashlimit_mt_reg[] = {
 		.x6_fcheck     = hashlimit_check,
 		.print         = hashlimit_print,
 		.save          = hashlimit_save,
-		.x6_options    = hashlimit_mt_opts,
+		.x6_options    = hashlimit_opts,
 		.udata_size    = sizeof(struct hashlimit_mt_udata),
 	},
 	{
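Review bot: the `.x6_options = hashlimit_mt_opts` to `hashlimit_opts` change means revision 0 was previously registered with the revision 1 option table, which is a distinct bug from the inversion removal the subject describes; call it out in the commit message. With XTOPT_INVERT gone, `! --hashlimit` is now rejected at parse time, so check that no rule in tests/options-most.rules uses it with rev 0.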
-- 
1.7.3.4



* [PATCH 14/21] libip6t_hbh: restore setting IP6T_OPTS_LEN flag
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Bug origin is in commit v1.4.11~26^2~17.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_hbh.c |    1 +
 tests/options-most.rules |    2 ++
 2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 809e80d..c0389ed 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -108,6 +108,7 @@ static void hbh_parse(struct xt_option_call *cb)
 	case O_HBH_LEN:
 		if (cb->invert)
 			optinfo->invflags |= IP6T_OPTS_INV_LEN;
+		optinfo->flags |= IP6T_OPTS_LEN;
 		break;
 	case O_HBH_OPTS:
 		optinfo->optsnr = parse_options(cb->arg, optinfo->opts);
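Review bot: the added `optinfo->flags |= IP6T_OPTS_LEN;` sits after, not inside, the `if (cb->invert)` check, so it applies to both `--hbh-len` and `! --hbh-len`, which is the right placement. The commit message only names the origin commit; if the kernel side compares hdrlen only when IP6T_OPTS_LEN is set, as the flag name implies, a sentence stating the user-visible effect (a `--hbh-len` rule matched any hop-by-hop header regardless of the given length) would make the fix easier to triage for backports.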
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 6839d89..1209091 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -94,6 +94,8 @@
 -A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
 -A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4
 -A matches
+-A matches -m hbh ! --hbh-len 5
+-A matches
 -A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21
 -A matches
 -A matches -m length --length 1
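Review bot: the new test line exercises only the inverted form `! --hbh-len 5`; since the missing IP6T_OPTS_LEN flag affected the plain form as well, a second line with `-m hbh --hbh-len 5` would cover the non-inverted path in the same save/restore run.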
-- 
1.7.3.4


* [PATCH 15/21] libip6t_dst: restore setting IP6T_OPTS_LEN flag
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Bug origin is in commit v1.4.11~26^2~18.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_dst.c |    3 +++
 tests/options-most.rules |    2 ++
 2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 4125bd3..3fd4c01 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -111,6 +111,9 @@ static void dst_parse(struct xt_option_call *cb)
 
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
+	case O_DSTLEN:
+		optinfo->flags |= IP6T_OPTS_LEN;
+		break;
 	case O_DSTOPTS:
 		optinfo->optsnr = parse_options(cb->arg, optinfo->opts);
 		optinfo->flags |= IP6T_OPTS_OPTS;
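Review bot: the new O_DSTLEN case sets IP6T_OPTS_LEN but never looks at cb->invert, whereas the test added in this same patch uses `! --dst-len 12`; unless the negation is recorded into optinfo->invflags elsewhere, `! --dst-len` would parse but lose its inversion. Compare the hbh counterpart, which does `if (cb->invert) optinfo->invflags |= IP6T_OPTS_INV_LEN;` before setting the flag; the same two lines appear to be needed here.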
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 1209091..cd6aab8 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -79,6 +79,8 @@
 -A matches
 -A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9
 -A matches
+-A matches -m dst ! --dst-len 12
+-A matches
 -A matches -p esp -m esp --espspi 1
 -A matches
 -A matches -p esp -m esp --espspi :2
-- 
1.7.3.4


* [PATCH 16/21] libipt_ttl: document that negation is available
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Glitch since commit v1.2.1~75.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_ttl.c   |    2 +-
 extensions/libipt_ttl.man |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index 6370cb6..5fe08cc 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -20,7 +20,7 @@ static void ttl_help(void)
 {
 	printf(
 "ttl match options:\n"
-"  --ttl-eq value	Match time to live value\n"
+"[!] --ttl-eq value	Match time to live value\n"
 "  --ttl-lt value	Match TTL < value\n"
 "  --ttl-gt value	Match TTL > value\n");
 }
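Review bot: after this change the option column is no longer aligned: `[!] --ttl-eq` puts the dashes at column 4 while `  --ttl-lt` and `  --ttl-gt` keep them at column 2. Indenting the two unchanged lines by four spaces keeps the help block readable; the man page hunk does not have this problem since roff handles the layout.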
diff --git a/extensions/libipt_ttl.man b/extensions/libipt_ttl.man
index 849f704..1f32277 100644
--- a/extensions/libipt_ttl.man
+++ b/extensions/libipt_ttl.man
@@ -1,6 +1,6 @@
 This module matches the time to live field in the IP header.
 .TP
-\fB\-\-ttl\-eq\fP \fIttl\fP
+[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP
 Matches the given TTL value.
 .TP
 \fB\-\-ttl\-gt\fP \fIttl\fP
-- 
1.7.3.4


* [PATCH 17/21] libxt_owner: restore inversion support
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Bug origin is in commit v1.4.11~16^2~7.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_owner.c |    3 ++-
 tests/options-most.rules |    1 +
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index d2fdfa9..d9adc12 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -129,7 +129,8 @@ static const struct xt_option_entry owner_mt_opts[] = {
 	 .flags = XTOPT_INVERT},
 	{.name = "gid-owner", .id = O_GROUP, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
-	{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE},
+	{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
+	 .flags = XTOPT_INVERT},
 	XTOPT_TABLEEND,
 };
 
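Review bot: adding `.flags = XTOPT_INVERT` to the socket-exists entry only makes xtables_option_parse accept the `!`; it does not by itself record the negation. Please confirm that owner_mt_parse copies cb->invert into the match's invert mask for O_SOCK_EXISTS, since that code is not in the hunk and the `! --socket-exists` test line added below only survives a save/restore round trip if it does.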
diff --git a/tests/options-most.rules b/tests/options-most.rules
index cd6aab8..37aeabf 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -57,6 +57,7 @@
 -A INPUT -p mobility
 -A INPUT -p mobility -m mh --mh-type 3
 -A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
+-A OUTPUT -m owner ! --socket-exists ! --uid-owner 0 ! --gid-owner 0
 -A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
 -A matches
 -A matches -m connbytes --connbytes :2 --connbytes-mode bytes --connbytes-dir both
-- 
1.7.3.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

* [PATCH 18/21] libxt_physdev: restore inversion support
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Bug origin is in commit v1.4.11~26^2~4.

References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_physdev.c |    7 ++++---
 tests/options-most.rules   |    2 ++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c
index 8f57fe9..a11faf4 100644
--- a/extensions/libxt_physdev.c
+++ b/extensions/libxt_physdev.c
@@ -27,11 +27,12 @@ static const struct xt_option_entry physdev_opts[] = {
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physindev)},
 	{.name = "physdev-out", .id = O_PHYSDEV_OUT, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physoutdev)},
-	{.name = "physdev-is-in", .id = O_PHYSDEV_IS_IN, .type = XTTYPE_NONE},
+	{.name = "physdev-is-in", .id = O_PHYSDEV_IS_IN, .type = XTTYPE_NONE,
+	 .flags = XTOPT_INVERT},
 	{.name = "physdev-is-out", .id = O_PHYSDEV_IS_OUT,
-	 .type = XTTYPE_NONE},
+	 .type = XTTYPE_NONE, .flags = XTOPT_INVERT},
 	{.name = "physdev-is-bridged", .id = O_PHYSDEV_IS_BRIDGED,
-	 .type = XTTYPE_NONE},
+	 .type = XTTYPE_NONE, .flags = XTOPT_INVERT},
 	XTOPT_TABLEEND,
 };
 #undef s
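Review bot: XTOPT_INVERT on physdev-is-in, physdev-is-out and physdev-is-bridged only lets the parser accept `!`; the negation still has to be recorded in physdev_parse, which is not part of this hunk, so please confirm the three O_PHYSDEV_IS_* cases copy cb->invert into the match's invert mask. A minor style point: the physdev-is-in entry now wraps `.flags` onto its own line while the other two keep `.type` and `.flags` together on the second line; one layout for all three keeps the table uniform.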
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 37aeabf..c243649 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -111,6 +111,8 @@
 -A matches
 -A matches -m length --length 5:65535
 -A matches
+-A matches -m physdev ! --physdev-is-in ! --physdev-is-out ! --physdev-is-bridged
+-A matches
 -A matches -p tcp -m tcpmss --mss 1
 -A matches
 -A matches -p tcp -m tcpmss --mss :2
-- 
1.7.3.4


* [PATCH 19/21] libxt_policy: remove superfluous inversion
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

--dir cannot be inverted.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_policy.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c
index 97722d6..54ec229 100644
--- a/extensions/libxt_policy.c
+++ b/extensions/libxt_policy.c
@@ -40,8 +40,7 @@ static void policy_help(void)
 }
 
 static const struct xt_option_entry policy_opts[] = {
-	{.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING,
-	 .flags = XTOPT_INVERT},
+	{.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING},
 	{.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
 	{.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
 	{.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32,
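Review bot: removing XTOPT_INVERT from the dir entry turns any `! --dir` in an existing ruleset into a hard parse error at restore time, which is the intended outcome given that the match cannot express it, but it deserves a sentence in the commit message for people whose saved rules stop loading. Also check policy_parse for an `if (cb->invert)` branch under O_DIRECTION; with the flag gone that branch is unreachable and can be deleted in the same patch.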
-- 
1.7.3.4


* [PATCH 20/21] tests: add negation tests for libxt_statistic
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Note: it is valid to check cb->invert before calling
xtables_option_parse.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 tests/options-most.rules |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/tests/options-most.rules b/tests/options-most.rules
index c243649..0e876e6 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -123,6 +123,10 @@
 -A matches
 -A matches -p tcp -m tcpmss --mss 5:65535
 -A matches
+-A matches -m statistic --mode random ! --probability 0.4
+-A matches
+-A matches -m statistic --mode nth ! --every 5 --packet 2
+-A matches
 -A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz
 -A matches
 -A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz
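Review bot: the commit message's note about checking cb->invert before xtables_option_parse describes code that this patch does not touch; the diff adds only two test lines. Either move that remark to the commit it documents or reword it so it is clear the tests merely exercise the existing `! --probability` and `! --every` handling.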
-- 
1.7.3.4


* [PATCH 21/21] libxt_hashlimit: observe new default gc-expire time when saving
From: Jan Engelhardt @ 2011-08-21 11:09 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

For a while now, --htable-gc-expire has defaulted to the chosen time quantum
instead of a fixed 10 seconds, which leads to the expiry value always being
printed, which is redundant.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_hashlimit.c |   33 ++++++++++++++++++++-------------
 tests/options-most.rules     |    1 +
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index eb52b16..da34cb2 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -23,7 +23,6 @@
 
 /* miliseconds */
 #define XT_HASHLIMIT_GCINTERVAL	1000
-#define XT_HASHLIMIT_EXPIRE	10000
 
 struct hashlimit_mt_udata {
 	uint32_t mult;
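Review bot: with XT_HASHLIMIT_EXPIRE removed, any remaining reference fails to compile, so the removal is self-checking; while touching this block, the context comment `/* miliseconds */` misspells milliseconds.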
@@ -187,7 +186,6 @@ static void hashlimit_init(struct xt_entry_match *m)
 
 	r->cfg.burst = XT_HASHLIMIT_BURST;
 	r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
-	r->cfg.expire = XT_HASHLIMIT_EXPIRE;
 
 }
 
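Review bot: after this hunk hashlimit_init leaves cfg.expire at zero for the rev 0 match; the correct default now has to come from the fcheck function using the quantum that parse_rate stores in the udata, and that function is not in the diff. Please confirm hashlimit_check fills cfg.expire from the udata multiplier when --hashlimit-htable-expire is not given, otherwise a zero expiry is handed to the kernel. The same check applies to the mt4/mt6 init hunks that follow.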
@@ -198,7 +196,6 @@ static void hashlimit_mt4_init(struct xt_entry_match *match)
 	info->cfg.mode        = 0;
 	info->cfg.burst       = XT_HASHLIMIT_BURST;
 	info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
-	info->cfg.expire      = XT_HASHLIMIT_EXPIRE;
 	info->cfg.srcmask     = 32;
 	info->cfg.dstmask     = 32;
 }
@@ -210,7 +207,6 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
 	info->cfg.mode        = 0;
 	info->cfg.burst       = XT_HASHLIMIT_BURST;
 	info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
-	info->cfg.expire      = XT_HASHLIMIT_EXPIRE;
 	info->cfg.srcmask     = 128;
 	info->cfg.dstmask     = 128;
 }
@@ -330,7 +326,7 @@ static const struct rates
 	      { "min", XT_HASHLIMIT_SCALE*60 },
 	      { "sec", XT_HASHLIMIT_SCALE } };
 
-static void print_rate(uint32_t period)
+static uint32_t print_rate(uint32_t period)
 {
 	unsigned int i;
 
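Review bot: print_rate now both prints and returns the quantum, which is two responsibilities behind a name that advertises only one; a small `rate_quantum(period)` helper (or an output parameter) called from print_rate and from the four print/save functions would keep the side effect and the computation apart and make the `expire != quantum` comparisons self-explanatory.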
@@ -340,6 +336,8 @@ static void print_rate(uint32_t period)
 			break;
 
 	printf(" %u/%s", rates[i-1].mult / period, rates[i-1].name);
+	/* return in msec */
+	return rates[i-1].mult / XT_HASHLIMIT_SCALE * 1000;
 }
 
 static void print_mode(unsigned int mode, char separator)
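Review bot: `rates[i-1].mult / XT_HASHLIMIT_SCALE * 1000` is exact only because every rates[].mult is a multiple of XT_HASHLIMIT_SCALE, as the visible min and sec entries are; a comment stating that invariant next to the table would protect the computation. The value must also match what the check function stores as the default expiry (multiplier in seconds times 1000), since the print and save paths now compare cfg.expire against it to decide whether to emit --hashlimit-htable-expire; a mismatch would either drop a user-specified value or print the default on every rule.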
@@ -374,7 +372,10 @@ static void hashlimit_print(const void *ip,
                             const struct xt_entry_match *match, int numeric)
 {
 	const struct xt_hashlimit_info *r = (const void *)match->data;
-	fputs(" limit: avg", stdout); print_rate(r->cfg.avg);
+	uint32_t quantum;
+
+	fputs(" limit: avg", stdout);
+	quantum = print_rate(r->cfg.avg);
 	printf(" burst %u", r->cfg.burst);
 	fputs(" mode", stdout);
 	print_mode(r->cfg.mode, '-');
@@ -384,18 +385,20 @@ static void hashlimit_print(const void *ip,
 		printf(" htable-max %u", r->cfg.max);
 	if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
 		printf(" htable-gcinterval %u", r->cfg.gc_interval);
-	if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
+	if (r->cfg.expire != quantum)
 		printf(" htable-expire %u", r->cfg.expire);
 }
 
 static void
 hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
 {
+	uint32_t quantum;
+
 	if (info->cfg.mode & XT_HASHLIMIT_INVERT)
 		fputs(" limit: above", stdout);
 	else
 		fputs(" limit: up to", stdout);
-	print_rate(info->cfg.avg);
+	quantum = print_rate(info->cfg.avg);
 	printf(" burst %u", info->cfg.burst);
 	if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
 	    XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
@@ -408,7 +411,7 @@ hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
 		printf(" htable-max %u", info->cfg.max);
 	if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
 		printf(" htable-gcinterval %u", info->cfg.gc_interval);
-	if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+	if (info->cfg.expire != quantum)
 		printf(" htable-expire %u", info->cfg.expire);
 
 	if (info->cfg.srcmask != dmask)
@@ -438,8 +441,10 @@ hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match,
 static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_hashlimit_info *r = (const void *)match->data;
+	uint32_t quantum;
 
-	fputs(" --hashlimit", stdout); print_rate(r->cfg.avg);
+	fputs(" --hashlimit", stdout);
+	quantum = print_rate(r->cfg.avg);
 	printf(" --hashlimit-burst %u", r->cfg.burst);
 
 	fputs(" --hashlimit-mode", stdout);
@@ -453,18 +458,20 @@ static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
 		printf(" --hashlimit-htable-max %u", r->cfg.max);
 	if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
 		printf(" --hashlimit-htable-gcinterval %u", r->cfg.gc_interval);
-	if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
+	if (r->cfg.expire != quantum)
 		printf(" --hashlimit-htable-expire %u", r->cfg.expire);
 }
 
 static void
 hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
 {
+	uint32_t quantum;
+
 	if (info->cfg.mode & XT_HASHLIMIT_INVERT)
 		fputs(" --hashlimit-above", stdout);
 	else
 		fputs(" --hashlimit-upto", stdout);
-	print_rate(info->cfg.avg);
+	quantum = print_rate(info->cfg.avg);
 	printf(" --hashlimit-burst %u", info->cfg.burst);
 
 	if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
@@ -481,7 +488,7 @@ hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
 		printf(" --hashlimit-htable-max %u", info->cfg.max);
 	if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
 		printf(" --hashlimit-htable-gcinterval %u", info->cfg.gc_interval);
-	if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+	if (info->cfg.expire != quantum)
 		printf(" --hashlimit-htable-expire %u", info->cfg.expire);
 
 	if (info->cfg.srcmask != dmask)
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 0e876e6..e54eb12 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -92,6 +92,7 @@
 -A matches
 -A matches -p esp -m esp --espspi 5:4294967295
 -A matches
+-A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000
 -A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1
 -A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2
 -A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
-- 
1.7.3.4
