From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH v2 16/17] xtables: Support '!' betwen option and argument
Date: Thu, 30 Sep 2021 16:04:18 +0200	[thread overview]
Message-ID: <20210930140419.6170-17-phil@nwl.cc> (raw)
In-Reply-To: <20210930140419.6170-1-phil@nwl.cc>

Accept this for arptables only for now; iptables dropped support for it
a long time ago.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables.c | 63 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 13 deletions(-)

diff --git a/iptables/xtables.c b/iptables/xtables.c
index c77d76c89a543..dba497b85064a 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -262,6 +262,31 @@ list_rules(struct nft_handle *h, const char *chain, const char *table,
 	return nft_cmd_rule_list_save(h, chain, table, rulenum, counters);
 }
 
+static void check_inverse(struct nft_handle *h, const char option[],
+			  bool *invert, int *optidx, int argc)
+{
+	switch (h->family) {
+	case NFPROTO_ARP:
+		break;
+	default:
+		return;
+	}
+
+	if (!option || strcmp(option, "!"))
+		return false;
+
+	if (*invert)
+		xtables_error(PARAMETER_PROBLEM,
+			      "Multiple `!' flags not allowed");
+	*invert = true;
+	if (optidx) {
+		*optidx = *optidx + 1;
+		if (argc && *optidx > argc)
+			xtables_error(PARAMETER_PROBLEM,
+				      "no argument following `!'");
+	}
+}
+
 void do_parse(struct nft_handle *h, int argc, char *argv[],
 	      struct nft_xt_cmd_parse *p, struct iptables_command_state *cs,
 	      struct xtables_args *args)
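Review bot: `check_inverse()` is declared `static void`, but its early exit for a non-`!` argument is `return false;`, which compilers diagnose as returning a value from a void function; it should be `return;`, or the function should return `bool` so callers can tell whether a `!` was consumed. The bounds check `*optidx > argc` only guarantees that `argv[optind - 1]` exists, not that the word after `!` is a value, so an input like `-s ! -d` would pass `-d` on as the address. A short header comment would help, stating that the helper advances `optind` past `!` and that callers must then read the argument from `argv[optind - 1]`. `do_parse()` begins at the end of this hunk and continues outside it.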
@@ -447,14 +472,16 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			 * Option selection
 			 */
 		case 'p':
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_PROTOCOL,
 				   &args->invflags, invert);
 
 			/* Canonicalize into lower case */
-			for (cs->protocol = optarg; *cs->protocol; cs->protocol++)
+			for (cs->protocol = argv[optind - 1];
+			     *cs->protocol; cs->protocol++)
 				*cs->protocol = tolower(*cs->protocol);
 
-			cs->protocol = optarg;
+			cs->protocol = argv[optind - 1];
 			args->proto = xtables_parse_protocol(cs->protocol);
 
 			if (args->proto == 0 &&
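Review bot: Reading the value from `argv[optind - 1]` instead of `optarg` in the `'p'` case is only equivalent when the argument is a separate word. With an attached argument (`-ptcp`, `--protocol=tcp`) getopt points `optarg` inside `argv[optind - 1]`, so the lower-casing loop and `xtables_parse_protocol()` would receive the whole word including the option name. For a rule parser that risks rejecting or misreading a previously valid rule, and the same substitution is repeated in the `'s'`, `'d'`, src-mac, dst-mac, length, opcode, h-type, proto-type and interface cases of the later hunks. A safer shape is to keep `optarg` as the value and replace it only when a `!` was actually consumed, e.g. `if (check_inverse(h, optarg, &invert, &optind, argc)) optarg = argv[optind - 1];` with `check_inverse()` returning `bool`. The `'p'` case continues past the end of this hunk.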
@@ -468,15 +495,17 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			break;
 
 		case 's':
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_SOURCE,
 				   &args->invflags, invert);
-			args->shostnetworkmask = optarg;
+			args->shostnetworkmask = argv[optind - 1];
 			break;
 
 		case 'd':
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_DESTINATION,
 				   &args->invflags, invert);
-			args->dhostnetworkmask = optarg;
+			args->dhostnetworkmask = argv[optind - 1];
 			break;
 
 #ifdef IPT_F_GOTO
@@ -489,47 +518,53 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 #endif
 
 		case 2:/* src-mac */
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_S_MAC, &args->invflags,
 				   invert);
-			args->src_mac = optarg;
+			args->src_mac = argv[optind - 1];
 			break;
 
 		case 3:/* dst-mac */
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_D_MAC, &args->invflags,
 				   invert);
-			args->dst_mac = optarg;
+			args->dst_mac = argv[optind - 1];
 			break;
 
 		case 'l':/* hardware length */
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_H_LENGTH, &args->invflags,
 				   invert);
-			args->arp_hlen = optarg;
+			args->arp_hlen = argv[optind - 1];
 			break;
 
 		case 8: /* was never supported, not even in arptables-legacy */
 			xtables_error(PARAMETER_PROBLEM, "not supported");
 		case 4:/* opcode */
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_OPCODE, &args->invflags,
 				   invert);
-			args->arp_opcode = optarg;
+			args->arp_opcode = argv[optind - 1];
 			break;
 
 		case 5:/* h-type */
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_H_TYPE, &args->invflags,
 				   invert);
-			args->arp_htype = optarg;
+			args->arp_htype = argv[optind - 1];
 			break;
 
 		case 6:/* proto-type */
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_P_TYPE, &args->invflags,
 				   invert);
-			args->arp_ptype = optarg;
+			args->arp_ptype = argv[optind - 1];
 			break;
 
 		case 'j':
 			set_option(&cs->options, OPT_JUMP, &args->invflags,
 				   invert);
-			command_jump(cs, optarg);
+			command_jump(cs, argv[optind - 1]);
 			break;
 
 		case 'i':
@@ -537,9 +572,10 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 				xtables_error(PARAMETER_PROBLEM,
 					"Empty interface is likely to be "
 					"undesired");
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_VIANAMEIN,
 				   &args->invflags, invert);
-			xtables_parse_interface(optarg,
+			xtables_parse_interface(argv[optind - 1],
 						args->iniface,
 						args->iniface_mask);
 			break;
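Review bot: In the `'i'` case `check_inverse()` is called after the "Empty interface is likely to be undesired" error, whose condition lies just above the hunk. If that condition inspects `optarg` and applies to the arptables family, then with a `!` between option and argument it tests the `!` word, and an empty interface name that follows is passed to `xtables_parse_interface()` unchecked. Calling `check_inverse()` first and running the emptiness test on the argument that is actually used would keep the guard effective. The `'o'` hunk that follows has the same ordering.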
@@ -549,9 +585,10 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 				xtables_error(PARAMETER_PROBLEM,
 					"Empty interface is likely to be "
 					"undesired");
+			check_inverse(h, optarg, &invert, &optind, argc);
 			set_option(&cs->options, OPT_VIANAMEOUT,
 				   &args->invflags, invert);
-			xtables_parse_interface(optarg,
+			xtables_parse_interface(argv[optind - 1],
 						args->outiface,
 						args->outiface_mask);
 			break;
-- 
2.33.0



Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-30 14:04 [iptables PATCH v2 00/17] Eliminate dedicated arptables-nft parser Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 01/17] nft: Introduce builtin_tables_lookup() Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 02/17] xshared: Store optstring in xtables_globals Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 03/17] nft-shared: Introduce init_cs family ops callback Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 04/17] xtables: Simplify addr_mask freeing Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 05/17] nft: Add family ops callbacks wrapping different nft_cmd_* functions Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 06/17] xtables-standalone: Drop version number from init errors Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 07/17] libxtables: Introduce xtables_globals print_help callback Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 08/17] arptables: Use standard data structures when parsing Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 09/17] nft-arp: Introduce post_parse callback Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 10/17] nft-shared: Make nft_check_xt_legacy() family agnostic Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 11/17] xtables: Derive xtables_globals from family Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 12/17] nft: Merge xtables-arp-standalone.c into xtables-standalone.c Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 13/17] xtables: arptables doesn't warn about empty interface Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 14/17] xtables: arptables accepts but ignores '-m' Phil Sutter
2021-09-30 14:04 ` [iptables PATCH v2 15/17] xtables: arptables ignores wrong -t values Phil Sutter
2021-09-30 14:04 ` Phil Sutter [this message]
2021-09-30 14:04 ` [iptables PATCH v2 17/17] nft: Store maximum allowed chain name length in family ops Phil Sutter
2021-10-14 20:56 ` [iptables PATCH v2 00/17] Eliminate dedicated arptables-nft parser Pablo Neira Ayuso
2021-10-15 11:01   ` Phil Sutter
2021-10-15 11:25     ` Pablo Neira Ayuso
