* [01/19] use automake
From: Jan Engelhardt @ 2008-01-16 13:48 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Converts the iptables build infrastructure to autotools.
- Can build both static and dynamic at the same time
- iptables-static will be a multi-binary, semi-static
(link against libc but w/o dynamic plugins)
- Always build IPv6 modules
- consider INSTALL
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
Patch instructions:
create autogen.sh with mode 0755
INSTALL | 47 +++---
Makefile | 272 ----------------------------------
Makefile.am | 92 +++++++++++
Rules.make | 58 -------
autogen.sh | 4
configure.ac | 55 +++++++
extensions/.condition-test | 5
extensions/.condition-test6 | 5
extensions/.set-test | 4
extensions/GNUmakefile.in | 204 ++++++++++++++++++++++++++
extensions/Makefile | 311 ----------------------------------------
extensions/dscp_helper.c | 81 ++++++++++
extensions/libipt_dscp_helper.c | 81 ----------
extensions/libxt_DSCP.c | 2
extensions/libxt_dscp.c | 2
include/xtables.h | 13 -
libipq/Makefile | 28 ---
libipq/Makefile.am | 11 +
18 files changed, 491 insertions(+), 784 deletions(-)
Index: iptables-modules/INSTALL
===================================================================
--- iptables-modules.orig/INSTALL
+++ iptables-modules/INSTALL
@@ -5,15 +5,21 @@ FOLLOW THESE STEPS:
in a seperate package, called patch-o-matic. It is available from
ftp://ftp.netfilter.org/pub/patch-o-matic/
-1) Next, make the package.
- % make KERNEL_DIR=<<where-you-built-your-kernel>>
+1) Next, make the package. If you use a standard distribution kernel,
+ just run ./configure.
-2) Finally, you need to to install the shared libraries, and the binary:
- # make install KERNEL_DIR=<<where-you-built-your-kernel>>
+ If you want to build against an own kernel tree:
-If you are a developer, you can install the headers, development libraries
-and associated development man pages, with:
- # make install-devel
+ $ ./configure --with-kernel=/home/jengelh/mykernel
+
+ or whereever you put it. If you are using a dedicated kernel build
+ directory, you use:
+
+ $ ./configure --with-kbuild=<<where-built>> --with-ksource=<<source>>
+
+2) Finally, you need to install the binaries and shared libraries:
+
+ # make install
That's it!
================================================================
@@ -21,27 +27,26 @@ PROBLEMS YOU MAY ENCOUNTER:
1) This package requires a 2.4.4 kernel, or above.
-2) If you get the kernel directory wrong, you may see a message like:
- Please try `make KERNEL_DIR=path-to-correct-kernel'
+2) If you get the kernel directory wrong, you may get compile failures.
3) If you want to specify alternate directories for installation
(instead of /usr/local/ bin lib man), do this:
- % make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man
- # make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man install
+ $ ./configure --prefix=/usr
+ $ make
+ # make install
+
+4) The make process will automatically build a multipurpose binary under the
+ names iptables-multi and ip6tables-multi.
-4) If you want to build a statically linked version of the iptables binary,
+5) If you want to build a statically linked version of the iptables binary,
without the need for loading the plugins at runtime (e.g. for an embedded
device or router-on-a-disk), please use
- % make NO_SHARED_LIBS=1
-
-5) If you want to build a single BusyBox style multipurpose binary instead of
- the individual iptables, iptables-save and iptables-restore binaries, then
- please use
+ $ ./configure --enable-static
- % make DO_MULTI=1
+ which will build both a semi-static multi binary (iptables-mtss, uses
+ libc but not plugins) and a fully static multi binary (iptables-static).
-NOTE: make sure you build with at least the correct LIBDIR=
-specification, otherwise iptables(8) won't know where to find the
-dynamic objects.
+6) If you want to install libipq (old interface), add --enable-devel to
+ ./configure.
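Review bot: item 5 promises two binaries, a semi-static `iptables-mtss` and a fully static `iptables-static`, but Makefile.am in this patch only adds `iptables-static`/`ip6tables-static` under ENABLE_STATIC, and links them without `-static`, which is exactly the "semi-static (link against libc but w/o dynamic plugins)" build the cover letter describes. Either drop the iptables-mtss sentence and describe iptables-static as semi-static, or add the second program. The unchanged parenthetical in item 3, "(instead of /usr/local/ bin lib man)", is also stale now: with automake the binaries go to ${sbindir}, the plugins to ${libexecdir}/iptables (configure.ac's iptdir default) and the man pages to ${mandir}, so a reader following `--prefix=/usr` should be told where the plugins end up.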
Index: iptables-modules/Makefile
===================================================================
--- iptables-modules.orig/Makefile
+++ /dev/null
@@ -1,272 +0,0 @@
-# uncomment this to get a fully statically linked version
-# NO_SHARED_LIBS = 1
-
-# uncomment this to disable IPv6 support
-# DO_IPV6 = 0
-
-######################################################################
-# YOU SHOULD NOT NEED TO TOUCH ANYTHING BELOW THIS LINE
-######################################################################
-
-# Standard part of Makefile for topdir.
-TOPLEVEL_INCLUDED=YES
-
-# For recent kernels we only need the source in KERNEL_DIR to build. Older
-# kernels have a bug, where linux/netfilter_ipv4.h includes linux/config.h,
-# which includes linux/autoconf.h, which is placed into KBUILD_OUTPUT.
-ifndef KERNEL_DIR
-KERNEL_DIR="/lib/modules/$(shell uname -r)/source"
-endif
-ifndef KBUILD_OUTPUT
-KBUILD_OUTPUT="/lib/modules/$(shell uname -r)/build"
-endif
-IPTABLES_VERSION:=1.4.0
-OLD_IPTABLES_VERSION:=1.4.0rc1
-
-PREFIX:=/usr/local
-LIBDIR:=$(PREFIX)/lib
-BINDIR:=$(PREFIX)/sbin
-MANDIR:=$(PREFIX)/man
-INCDIR:=$(PREFIX)/include
-
-# directory for new iptables releases
-RELEASE_DIR:=/tmp
-
-# Need libc6 for this. FIXME: Should covert to autoconf.
-ifeq ($(shell [ -f /usr/include/netinet/ip6.h ] && echo YES), YES)
-DO_IPV6:=1
-endif
-
-# Enable linking to libselinux via enviornment 'DO_SELINUX=1'
-ifndef DO_SELINUX
-DO_SELINUX=0
-endif
-
-COPT_FLAGS:=-O2
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KBUILD_OUTPUT)/include -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
-
-ifdef NO_SHARED_LIBS
-CFLAGS += -DNO_SHARED_LIBS=1
-endif
-
-EXTRAS+=iptables iptables.o iptables.8
-EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8
-
-# No longer experimental.
-ifneq ($(DO_MULTI), 1)
-EXTRAS+=iptables-save iptables-restore iptables-xml
-endif
-EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore $(DESTDIR)$(BINDIR)/iptables-xml $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8
-
-ifeq ($(DO_IPV6), 1)
-EXTRAS+=ip6tables ip6tables.o ip6tables.8
-EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8
-
-ifneq ($(DO_MULTI), 1)
-EXTRAS+=ip6tables-save ip6tables-restore
-endif
-EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8
-endif
-
-ifndef IPT_LIBDIR
-IPT_LIBDIR:=$(LIBDIR)/iptables
-endif
-DEST_IPT_LIBDIR:=$(DESTDIR)$(LIBDIR)/iptables
-
-ifndef NO_SHARED_LIBS
-DEPFILES = $(SHARED_LIBS:%.so=%.d)
-DEPFILES += $(SHARED_SE_LIBS:%.so=%.d)
-SH_CFLAGS:=$(CFLAGS) -fPIC
-STATIC_LIBS =
-STATIC6_LIBS =
-LDFLAGS = -rdynamic
-LDLIBS = -ldl -lm
-ifeq ($(DO_SELINUX), 1)
-LDLIBS += -lselinux
-endif
-else
-DEPFILES = $(EXT_OBJS:%.o=%.d)
-STATIC_LIBS = extensions/libext.a
-STATIC6_LIBS = extensions/libext6.a
-LDFLAGS = -static
-LDLIBS = -lm
-ifeq ($(DO_SELINUX), 1)
-LDLIBS += -lselinux
-endif
-endif
-
-.PHONY: default
-default: print-extensions all
-
-.PHONY: print-extensions
-print-extensions:
- @[ -n "$(OPTIONALS)" ] && echo Extensions found: $(OPTIONALS)
-
-iptables.o: iptables.c
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $<
-
-ifeq ($(DO_MULTI), 1)
-iptables: iptables-multi.c iptables-save.c iptables-restore.c iptables-xml.c iptables-standalone.c iptables.o xtables.o $(STATIC_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPTABLES_MULTI -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-else
-iptables: iptables-standalone.c iptables.o xtables.o $(STATIC_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-endif
-
-$(DESTDIR)$(BINDIR)/iptables: iptables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-
-iptables-save: iptables-save.c iptables.o xtables.o $(STATIC_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-
-ifeq ($(DO_MULTI), 1)
-$(DESTDIR)$(BINDIR)/iptables-save: iptables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- ln -sf $< $@
-else
-$(DESTDIR)$(BINDIR)/iptables-save: iptables-save
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-endif
-
-iptables-restore: iptables-restore.c iptables.o xtables.o $(STATIC_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-
-ifeq ($(DO_MULTI), 1)
-$(DESTDIR)$(BINDIR)/iptables-restore: iptables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- ln -sf $< $@
-else
-$(DESTDIR)$(BINDIR)/iptables-restore: iptables-restore
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-endif
-
-iptables-xml: iptables-xml.c #iptables.o # $(STATIC_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
-
-ifeq ($(DO_MULTI), 1)
-$(DESTDIR)$(BINDIR)/iptables-xml: iptables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- ln -sf $< $@
-else
-$(DESTDIR)$(BINDIR)/iptables-xml: iptables-xml
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-endif
-
-ip6tables.o: ip6tables.c
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $<
-
-ifeq ($(DO_MULTI), 1)
-ip6tables: ip6tables-multi.c ip6tables-save.c ip6tables-restore.c ip6tables-standalone.c ip6tables.o xtables.o $(STATIC6_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPTABLES_MULTI -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-else
-ip6tables: ip6tables-standalone.c ip6tables.o xtables.o $(STATIC6_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-endif
-
-$(DESTDIR)$(BINDIR)/ip6tables: ip6tables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-
-ip6tables-save: ip6tables-save.c ip6tables.o xtables.o $(STATIC6_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-
-ifeq ($(DO_MULTI), 1)
-$(DESTDIR)$(BINDIR)/ip6tables-save: ip6tables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- ln -sf $< $@
-else
-$(DESTDIR)$(BINDIR)/ip6tables-save: ip6tables-save
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-endif
-
-ip6tables-restore: ip6tables-restore.c ip6tables.o xtables.o $(STATIC6_LIBS) libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
-
-ifeq ($(DO_MULTI), 1)
-$(DESTDIR)$(BINDIR)/ip6tables-restore: ip6tables
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- ln -sf $< $@
-else
-$(DESTDIR)$(BINDIR)/ip6tables-restore: ip6tables-restore
- @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
- cp $< $@
-endif
-
-$(DESTDIR)$(MANDIR)/man8/%.8: %.8
- @[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
- cp $< $@
-
-EXTRA_DEPENDS+=iptables-standalone.d iptables.d
-
-iptables-standalone.d iptables.d: %.d: %.c
- @-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d $*.o:@' > $@
-
-iptables.8: iptables.8.in extensions/libipt_matches.man extensions/libipt_targets.man
- @sed -e '/@MATCH@/ r extensions/libipt_matches.man' -e '/@TARGET@/ r extensions/libipt_targets.man' iptables.8.in >iptables.8
-
-ip6tables.8: ip6tables.8.in extensions/libip6t_matches.man extensions/libip6t_targets.man
- @sed -e '/@MATCH@/ r extensions/libip6t_matches.man' -e '/@TARGET@/ r extensions/libip6t_targets.man' ip6tables.8.in >ip6tables.8
-
-# Development Targets
-.PHONY: install-devel-man3
-install-devel-man3: $(DEVEL_MAN3)
- @[ -d $(DESTDIR)$(MANDIR)/man3 ] || mkdir -p $(DESTDIR)$(MANDIR)/man3
- @cp -v $(DEVEL_MAN3) $(DESTDIR)$(MANDIR)/man3
-
-.PHONY: install-devel-headers
-install-devel-headers: $(DEVEL_HEADERS)
- @[ -d $(DESTDIR)$(INCDIR) ] || mkdir -p $(DESTDIR)$(INCDIR)
- @cp -v $(DEVEL_HEADERS) $(DESTDIR)$(INCDIR)
-
-.PHONY: install-devel-libs
-install-devel-libs: $(DEVEL_LIBS)
- @[ -d $(DESTDIR)$(LIBDIR) ] || mkdir -p $(DESTDIR)$(LIBDIR)
- @cp -v $(DEVEL_LIBS) $(DESTDIR)$(LIBDIR)
-
-.PHONY: install-devel
-install-devel: all install-devel-man3 install-devel-headers install-devel-libs
-
-.PHONY: distclean
-distclean: clean
- @rm -f TAGS `find . -name '*~' -o -name '.*~'` `find . -name '*.rej'` `find . -name '*.d'` .makefirst
-
-# Rusty's distro magic.
-.PHONY: distrib
-distrib: check distclean delrelease $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2 diff md5sums # nowhitespace
-
-# Makefile must not define:
-# -g -pg -DIPTC_DEBUG
-.PHONY: check
-check:
- @if echo $(CFLAGS) | egrep -e '(^|[[:space:]])(-g|-pg|-DIPTC_DEBUG)([[:space:]]|$)' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
-
-.PHONY: nowhitespace
-nowhitespace:
- @if grep -n '[ ]$$' `find . -name 'Makefile' -o -name '*.[ch]'`; then exit 1; else exit 0; fi
-
-.PHONY: delrelease
-delrelease:
- rm -f $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2
-
-$(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2:
- cd .. && ln -sf iptables iptables-$(IPTABLES_VERSION) && tar cvf - --exclude .svn iptables-$(IPTABLES_VERSION)/. | bzip2 -9 > $@ && rm iptables-$(IPTABLES_VERSION)
-
-.PHONY: diff
-diff: $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2
- @mkdir /tmp/diffdir
- @cd /tmp/diffdir && tar -x --bzip2 -f $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2
- @set -e; cd /tmp/diffdir; tar -x --bzip2 -f $(RELEASE_DIR)/iptables-$(OLD_IPTABLES_VERSION).tar.bz2; echo Creating patch-iptables-$(OLD_IPTABLES_VERSION)-$(IPTABLES_VERSION).bz2; diff -urN iptables-$(OLD_IPTABLES_VERSION) iptables-$(IPTABLES_VERSION) | bzip2 -9 > $(RELEASE_DIR)/patch-iptables-$(OLD_IPTABLES_VERSION)-$(IPTABLES_VERSION).bz2
- @rm -rf /tmp/diffdir
-
-.PHONY: md5sums
-md5sums:
- cd $(RELEASE_DIR)/ && md5sum patch-iptables-*-$(IPTABLES_VERSION).bz2 iptables-$(IPTABLES_VERSION).tar.bz2
-
-# $(wildcard) fails wierdly with make v.3.78.1.
-include $(shell echo */Makefile)
-include Rules.make
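Review bot: deleting the whole Makefile silently drops two things the commit message does not mention: the `DO_SELINUX=1` switch that added `-lselinux` to LDLIBS (the `ifeq ($(DO_SELINUX), 1)` blocks), for which neither configure.ac nor Makefile.am offers an equivalent `--enable-selinux`/AC_CHECK_LIB, and the release-time `check` target that refused to build with `-g`, `-pg` or `-DIPTC_DEBUG` in CFLAGS. If the SELinux link flag is no longer needed by any extension, say so in the commit message; otherwise it needs a configure check. Also note that the default plugin directory moves from `$(LIBDIR)/iptables` (old `IPT_LIBDIR`) to `${libexecdir}/iptables`, which packagers will want called out.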
Index: iptables-modules/Makefile.am
===================================================================
--- /dev/null
+++ iptables-modules/Makefile.am
@@ -0,0 +1,92 @@
+# -*- Makefile -*-
+
+AUTOMAKE_OPTIONS = foreign subdir-objects
+AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include
+SUBDIRS := extensions
+if ENABLE_DEVEL
+SUBDIRS += libipq
+endif
+
+# libiptc
+libiptc_libiptc_a_SOURCES = libiptc/libip4tc.c libiptc/libip6tc.c
+
+# iptables, dynamic
+iptables_SOURCES = iptables-standalone.c iptables.c xtables.c
+iptables_LDFLAGS = -rdynamic
+iptables_LDADD = -ldl -lm libiptc/libiptc.a extensions/libext4.a
+
+iptables_multi_SOURCES = iptables-multi.c iptables-save.c \
+ iptables-restore.c iptables-xml.c \
+ iptables-standalone.c iptables.c xtables.c
+iptables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI
+iptables_multi_LDFLAGS = ${iptables_LDFLAGS}
+iptables_multi_LDADD = ${iptables_LDADD}
+
+iptables_restore_SOURCES = iptables-restore.c iptables.c xtables.c
+iptables_restore_LDFLAGS = ${iptables_LDFLAGS}
+iptables_restore_LDADD = ${iptables_LDADD}
+
+iptables_save_SOURCES = iptables-save.c iptables.c xtables.c
+iptables_save_LDFLAGS = ${iptables_LDFLAGS}
+iptables_save_LDADD = ${iptables_LDADD}
+
+# iptables-multi, semi-static
+iptables_static_SOURCES = ${iptables_multi_SOURCES}
+iptables_static_CFLAGS = ${iptables_multi_CFLAGS} -DNO_SHARED_LIBS=1
+iptables_static_LDADD = -lm libiptc/libiptc.a extensions/libext4.a
+
+iptables_xml_SOURCES = iptables-xml.c
+
+# ip6tables, dynamic
+ip6tables_SOURCES = ip6tables-standalone.c ip6tables.c xtables.c
+ip6tables_LDFLAGS = -rdynamic
+ip6tables_LDADD = -ldl -lm libiptc/libiptc.a extensions/libext6.a
+
+ip6tables_multi_SOURCES = ip6tables-multi.c ip6tables-save.c \
+ ip6tables-restore.c ip6tables-standalone.c \
+ ip6tables.c xtables.c
+ip6tables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI
+ip6tables_multi_LDFLAGS = ${ip6tables_LDFLAGS}
+ip6tables_multi_LDADD = ${ip6tables_LDADD}
+
+ip6tables_restore_SOURCES = ip6tables-restore.c ip6tables.c xtables.c
+ip6tables_restore_LDFLAGS = ${ip6tables_LDFLAGS}
+ip6tables_restore_LDADD = ${ip6tables_LDADD}
+
+ip6tables_save_SOURCES = ip6tables-save.c ip6tables.c xtables.c
+ip6tables_save_LDFLAGS = ${ip6tables_LDFLAGS}
+ip6tables_save_LDADD = ${ip6tables_LDADD}
+
+# iptables-multi, semi-static
+ip6tables_static_SOURCES = ${ip6tables_multi_SOURCES}
+ip6tables_static_CFLAGS = ${ip6tables_multi_CFLAGS} -DNO_SHARED_LIBS=1
+ip6tables_static_LDADD = -lm libiptc/libiptc.a extensions/libext6.a
+
+noinst_LIBRARIES := libiptc/libiptc.a
+bin_PROGRAMS := iptables-xml
+sbin_PROGRAMS :=
+noinst_PROGRAMS :=
+man_MANS := iptables.8 iptables-restore.8 iptables-save.8 \
+ iptables-xml.8 ip6tables.8 ip6tables-restore.8 \
+ ip6tables-save.8
+CLEANFILES := iptables.8 ip6tables.8
+if ENABLE_DEVEL
+include_HEADERS := include/xtables.h include/iptables.h include/ip6tables.h
+endif
+
+if ENABLE_STATIC
+sbin_PROGRAMS += iptables-static ip6tables-static
+endif
+if ENABLE_SHARED
+sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save \
+ ip6tables ip6tables-multi ip6tables-restore ip6tables-save
+endif
+
+iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man
+ ${AM_VERBOSE_GEN} sed -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
+
+ip6tables.8: ${srcdir}/ip6tables.8.in extensions/matches6.man extensions/targets6.man
+ ${AM_VERBOSE_GEN} sed -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
+
+extensions/%:
+ ${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
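Review bot: the second `# iptables-multi, semi-static` comment, the one above `ip6tables_static_SOURCES`, was copied from the IPv4 block and should say ip6tables-multi. The `:=` assignments (`SUBDIRS :=`, `noinst_LIBRARIES :=`, `bin_PROGRAMS :=`, `sbin_PROGRAMS :=`, `man_MANS :=`, `CLEANFILES :=`, `include_HEADERS :=`) are GNU-make-only syntax inside a Makefile.am; automake passes them through but flags them as non-portable, and plain `=` behaves identically here since the `+=` lines come after them. Finally, `iptables_static` sets no `_LDFLAGS`, so it is linked dynamically against libc; that matches the cover letter's "semi-static", but the INSTALL text in this same series calls it fully static, so the two should be reconciled.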
Index: iptables-modules/Rules.make
===================================================================
--- iptables-modules.orig/Rules.make
+++ /dev/null
@@ -1,58 +0,0 @@
-#! /usr/bin/make
-
-all: $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS)
-
-experimental: $(EXTRAS_EXP)
-
-# Have to handle extensions which no longer exist.
-clean: $(EXTRA_CLEANS)
- rm -f $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o) $(SHARED_SE_LIBS:%.so=%_sh.o)
- rm -f extensions/initext.c extensions/initext6.c
- @find . -name '*.[ao]' -o -name '*.so' | xargs rm -f
-
-install: all $(EXTRA_INSTALLS)
- @if [ -f /usr/local/bin/iptables -a "$(BINDIR)" = "/usr/local/sbin" ];\
- then echo 'Erasing iptables from old location (now /usr/local/sbin).';\
- rm -f /usr/local/bin/iptables;\
- fi
-
-install-experimental: $(EXTRA_INSTALLS_EXP)
-
-TAGS:
- @rm -f $@
- find . -name '*.[ch]' | xargs etags -a
-
-dep: $(DEPFILES) $(EXTRA_DEPENDS)
- @echo Dependencies will be generated on next make.
- rm -f $(DEPFILES) $(EXTRA_DEPENDS) .makefirst
-
-$(SHARED_LIBS:%.so=%.d): %.d: %.c
- @-$(CC) -M -MG $(CFLAGS) $< | \
- sed -e 's@^.*\.o:@$*.d $*_sh.o:@' > $@
-
-$(SHARED_LIBS): %.so : %_sh.o
- $(CC) -shared $(EXT_LDFLAGS) -o $@ $<
-
-$(SHARED_SE_LIBS:%.so=%.d): %.d: %.c
- @-$(CC) -M -MG $(CFLAGS) $< | \
- sed -e 's@^.*\.o:@$*.d $*_sh.o:@' > $@
-
-$(SHARED_SE_LIBS): %.so : %_sh.o
- $(LD) -shared $(EXT_LDFLAGS) -o $@ $< $(LDLIBS)
-
-%_sh.o : %.c
- $(CC) $(SH_CFLAGS) -o $@ -c $<
-
-.makefirst:
- @echo Making dependencies: please wait...
- @touch .makefirst
-
-# This is useful for when dependencies completely screwed
-%.h::
- @echo "Unable to resolve dependency on $@. Try 'make clean'."
- @-rm -f $(DEPFILES) $(EXTRA_DEPENDS) .makefirst
- @[ -d $(KERNEL_DIR)/include/linux/netfilter_ipv4 ] || echo -e '\n\n Please try `make KERNEL_DIR=path-to-correct-kernel'\'.'\n\n'
- @exit 1
-
--include $(DEPFILES) $(EXTRA_DEPENDS)
--include .makefirst
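Review bot: removing Rules.make also removes the upgrade helper in the old `install` rule that deleted a stale `/usr/local/bin/iptables` when BINDIR was `/usr/local/sbin`. The automake `install` puts the binaries in ${sbindir} and does nothing about an older copy left in bin, so a user upgrading an old install can end up with two `iptables` on PATH; a sentence in INSTALL would cover that. The rest of the file (dependency generation, TAGS, `.makefirst`) is replaced by automake's own dependency tracking and needs no equivalent.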
Index: iptables-modules/autogen.sh
===================================================================
--- /dev/null
+++ iptables-modules/autogen.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+autoreconf -fi;
+rm -Rf autom4te*.cache;
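Review bot: nothing in this script is bash-specific, so `#!/bin/sh` is enough, and the trailing semicolons are noise. More importantly, if `autoreconf -fi` fails (missing libtoolize, for example, which AC_PROG_LIBTOOL in configure.ac now requires) the script still exits 0 after the `rm`; add `set -e` or `autoreconf -fi || exit 1` so the failure is visible. Since a diff cannot carry the execute bit, the "create autogen.sh with mode 0755" instruction above is easy to miss; consider invoking it as `sh autogen.sh` in INSTALL.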
Index: iptables-modules/configure.ac
===================================================================
--- /dev/null
+++ iptables-modules/configure.ac
@@ -0,0 +1,55 @@
+
+AC_INIT([iptables], [1.4.0])
+AC_CONFIG_HEADERS([config.h])
+AC_PROG_INSTALL
+AM_INIT_AUTOMAKE
+AC_PROG_CC
+AM_PROG_CC_C_O
+AC_DISABLE_STATIC
+AC_PROG_LIBTOOL
+
+kbuilddir="/lib/modules/$(uname -r)/build";
+ksourcedir="/lib/modules/$(uname -r)/source";
+AC_ARG_WITH([kernel],
+ AS_HELP_STRING([--with-kernel=PATH],
+ [Path to kernel source/build directory]),
+ [kbuilddir="$withval"; ksourcedir="$withval";])
+AC_ARG_WITH([kbuild],
+ AS_HELP_STRING([--with-kbuild=PATH],
+ [Path to kernel build directory [[/lib/modules/CURRENT/build]]]),
+ [kbuilddir="$withval"])
+AC_ARG_WITH([ksource],
+ AS_HELP_STRING([--with-ksource=PATH],
+ [Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
+ [ksourcedir="$withval"])
+AC_ARG_WITH([iptdir],
+ AS_HELP_STRING([--with-iptdir=PATH],
+ [Path to iptables modules [[LIBEXECDIR/iptables]]]),
+ [iptdir="$withval"],
+ [iptdir="${libexecdir}/iptables"])
+AC_ARG_ENABLE([devel],
+ AS_HELP_STRING([--enable-devel],
+ [Build and install development files (libipq, libipq-devel, iptables-devel)]))
+
+AC_CHECK_HEADER([netinet/ip6.h], [], [AC_MSG_ERROR(but we need that for IPv6)])
+AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" == "yes"])
+AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" == "yes"])
+AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" == "yes"])
+
+regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
+ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
+ -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
+ -Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
+ -DIPT_LIB_DIR=\\\"\${iptdir}\\\" \
+ -I\"$kbuilddir/include\" -I\"$ksourcedir/include\""
+
+# Remove workarounds soon
+regular_CFLAGS="$regular_CFLAGS -Wno-aggregate-return \
+ -Wno-missing-declarations -Wno-missing-prototypes \
+ -Wno-redundant-decls -Wno-shadow -Wno-strict-prototypes -Wno-inline"
+
+AC_SUBST([regular_CFLAGS])
+AC_SUBST([kbuilddir])
+AC_SUBST([ksourcedir])
+AC_SUBST([iptdir])
+AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
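Review bot: the three AM_CONDITIONAL tests use `test "$enable_static" == "yes"`; `==` is a bashism, and configure runs under /bin/sh, so on a system where that is dash the tests fail with "unexpected operator", all three conditionals come out false and `sbin_PROGRAMS` in Makefile.am ends up empty. Use a single `=`. Separately, `AC_DISABLE_STATIC` plus `AC_PROG_LIBTOOL` are pulled in only to obtain `--enable-static`/`--enable-shared`, but those options mean "how to link libraries" to libtool, and libtool is not used by any Makefile in this patch; reusing them to decide which programs to build means `--disable-shared` silently removes iptables itself. Dedicated `AC_ARG_ENABLE([static-binaries])`-style switches would avoid both the dependency on libtoolize and the surprise. `AC_OUTPUT([...])` with arguments is the pre-2.50 form; `AC_CONFIG_FILES([Makefile extensions/GNUmakefile libipq/Makefile])` followed by a bare `AC_OUTPUT` is the current spelling.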
Index: iptables-modules/extensions/.condition-test
===================================================================
--- iptables-modules.orig/extensions/.condition-test
+++ iptables-modules/extensions/.condition-test
@@ -1,3 +1,4 @@
#!/bin/sh
-# True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+[ "$1" == "provides" -o \
+-f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h" ] && \
+echo "condition";
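Review bot: `[ "$1" == "provides" -o -f ... ]` is a bashism under `#!/bin/sh`; dash's `[` rejects `==` with "unexpected operator", so on such systems the script prints nothing for both the `provides` query and the build check, and the conditional module is neither filtered out of the wildcard list nor built. Write `"$1" = "provides"`, and the trailing semicolon after the `echo` can go.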
Index: iptables-modules/extensions/.condition-test6
===================================================================
--- iptables-modules.orig/extensions/.condition-test6
+++ iptables-modules/extensions/.condition-test6
@@ -1,3 +1,4 @@
#!/bin/sh
-# True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+[ "$1" == "provides" -o \
+-f "$KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h" ] && \
+echo "condition";
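Review bot: same `==` bashism as in .condition-test; use `=` so the script works under a POSIX /bin/sh.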
Index: iptables-modules/extensions/.set-test
===================================================================
--- iptables-modules.orig/extensions/.set-test
+++ iptables-modules/extensions/.set-test
@@ -1,2 +1,4 @@
#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h ] && echo set SET
+[ "$1" == "provides" -o \
+-f "$KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h" ] && \
+echo "set SET";
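Review bot: same `==` bashism as in .condition-test; use `=` here as well. Note this script answers `provides` with two names, `set` and `SET`, which is what the `filter-out` in GNUmakefile.in relies on, so the output format is part of the interface and deserves a comment.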
Index: iptables-modules/extensions/GNUmakefile.in
===================================================================
--- /dev/null
+++ iptables-modules/extensions/GNUmakefile.in
@@ -0,0 +1,204 @@
+# -*- Makefile -*-
+
+top_srcdir := @top_srcdir@
+srcdir := @srcdir@
+ksourcedir := @ksourcedir@
+prefix := @prefix@
+exec_prefix := @exec_prefix@
+libdir := @libdir@
+libexecdir := @libexecdir@
+iptdir := @iptdir@
+
+CC := @CC@
+CCLD := ${CC}
+CFLAGS := @CFLAGS@
+LDFLAGS := @LDFLAGS@
+regular_CFLAGS := @regular_CFLAGS@
+
+AM_CFLAGS := ${regular_CFLAGS} -I${top_srcdir}/include
+AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+
+ifeq (${V},)
+AM_LIBTOOL_SILENT = --silent
+AM_VERBOSE_CC = @echo " CC " $@;
+AM_VERBOSE_CCLD = @echo " CCLD " $@;
+AM_VERBOSE_CXX = @echo " CXX " $@;
+AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
+AM_VERBOSE_AR = @echo " AR " $@;
+AM_VERBOSE_GEN = @echo " GEN " $@;
+endif
+
+#
+# Wildcard module list
+#
+pfx_all_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
+pf4_all_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
+pf6_all_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
+
+#
+# Conditional module list
+#
+pfx_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
+pf4_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
+pf6_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
+
+#
+# Conditional modules to build
+#
+pfx_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i}))
+pf4_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i}))
+pf6_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i}))
+
+#
+# Total list of modules to build
+#
+pfx_build_mod := $(filter-out ${pfx_cond_mod},${pfx_all_mod}) ${pfx_bc_mod}
+pf4_build_mod := $(filter-out ${pf4_cond_mod},${pf4_all_mod}) ${pf4_bc_mod}
+pf6_build_mod := $(filter-out ${pf6_cond_mod},${pf6_all_mod}) ${pf6_bc_mod}
+pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
+pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
+pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+
+
+#
+# Building blocks
+#
+targets := libext4.a libext6.a matches4.man matches6.man \
+ targets4.man targets6.man
+targets_install :=
+@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
+@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+@ENABLE_SHARED_TRUE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_SHARED_TRUE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+
+.SECONDARY:
+
+.PHONY: all install clean distclean FORCE
+
+all: ${targets}
+
+install: ${targets_install}
+ @mkdir -p "${DESTDIR}${iptdir}";
+ install -pm0755 $^ "${DESTDIR}${iptdir}/";
+
+clean:
+ rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
+
+distclean: clean
+ rm -f .*.d *.dd;
+
+%.o: %.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+
+-include .*.d
+
+
+#
+# Shared libraries
+#
+lib%.so: lib%.oo
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+
+lib%.oo: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+
+
+#
+# Static bits
+#
+# If static building is disabled, libext*.a will still be generated,
+# but will be empty. This is good since we can do with less case
+# handling code in the Makefiles.
+#
+lib%.o: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
+
+libext4.a: initext4.o ${libext4_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+libext6.a: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
+initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
+
+.initext4.dd: FORCE
+ @echo "${initext_func}" >$@.tmp; \
+ cmp -s $@ $@.tmp || mv $@.tmp $@; \
+ rm -f $@.tmp;
+
+.initext6.dd: FORCE
+ @echo "${initext6_func}" >$@.tmp; \
+ cmp -s $@ $@.tmp || mv $@.tmp $@; \
+ rm -f $@.tmp;
+
+initext4.c: .initext4.dd
+ ${AM_VERBOSE_GEN}
+ @( \
+ echo "" >$@; \
+ for i in ${initext_func}; do \
+ echo "extern void lib$${i}_init(void);" >>$@; \
+ done; \
+ echo -en "void init_extensions(void)\n""{\n" >>$@; \
+ for i in ${initext_func}; do \
+ echo -e "\t""lib$${i}_init();" >>$@; \
+ done; \
+ echo "}" >>$@; \
+ );
+
+initext6.c: .initext6.dd
+ ${AM_VERBOSE_GEN}
+ @( \
+ echo "" >$@; \
+ for i in ${initext6_func}; do \
+ echo "extern void lib$${i}_init(void);" >>$@; \
+ done; \
+ echo -en "void init_extensions(void)\n""{\n" >>$@; \
+ for i in ${initext6_func}; do \
+ echo -e "\t""lib$${i}_init();" >>$@; \
+ done; \
+ echo "}" >>$@; \
+ );
+
+#
+# Manual pages
+#
+ex_matches = $(sort $(shell echo $(1) | grep -Eo '\b[a-z0-9]+\b'))
+ex_targets = $(sort $(shell echo $(1) | grep -Eo '\b[A-Z0-9]+\b'))
+man_run = \
+ ${AM_VERBOSE_GEN} \
+ for ext in $(1); do \
+ f="${srcdir}/libxt_$$ext.man"; \
+ if [ -f "$$f" ]; then \
+ echo ".SS $$ext"; \
+ cat "$$f"; \
+ continue; \
+ fi; \
+ f="${srcdir}/libipt_$$ext.man"; \
+ if [ -f "$$f" ]; then \
+ echo ".SS $$ext"; \
+ cat "$$f"; \
+ continue; \
+ fi; \
+ f="${srcdir}/libip6t_$$ext.man"; \
+ if [ -f "$$f" ]; then \
+ echo ".SS $$ext"; \
+ cat "$$f"; \
+ continue; \
+ fi; \
+ done >$@;
+
+matches4.man: .initext4.dd $(wildcard lib*.man)
+ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}))
+
+matches6.man: .initext6.dd $(wildcard lib*.man)
+ $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}))
+
+targets4.man: .initext4.dd $(wildcard lib*.man)
+ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}))
+
+targets6.man: .initext6.dd $(wildcard lib*.man)
+ $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}))
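Review bot: the initext4.c/initext6.c generators use `echo -en` and `echo -e`; make runs recipes with /bin/sh, and where that is dash (Debian, Ubuntu) `echo` has no `-e`, so the output starts with a literal `-en void init_extensions(void)` and the generated file does not compile. `printf 'void init_extensions(void)\n{\n'` is the portable form; the `{matches,targets}[46].man` brace expansion in the `clean` rule is a bashism of the same kind. Second, the static objects are compiled with `-D_INIT=$*_init` from the `lib%.o: ${srcdir}/lib%.c` rule, so libxt_foo.o defines `xt_foo_init`, while the generated initext4.c declares and calls `libxt_foo_init` (`echo "extern void lib$${i}_init(void);"`); unless the include/xtables.h change in this patch adds the `lib` prefix, the static link will fail with undefined references, and `-D_INIT=lib$*_init` would line the two up. Third, automake's top-level recursive rules will run `make check`, `install-exec`, `install-data`, `uninstall`, `mostlyclean`, `maintainer-clean` and `distdir` in every SUBDIRS entry, and this file only defines `all install clean distclean`, so `make check`, `make uninstall` and `make dist` at the top level will stop with "No rule to make target"; no-op targets for the ones that do not apply are enough.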
Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ /dev/null
@@ -1,311 +0,0 @@
-#! /usr/bin/make
-
-# WARNING:
-# only add extensions here that are either present in the kernel, or whose
-# header files are present in the include/linux directory of this iptables
-# package (HW)
-#
-PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
-PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
-PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota rateest sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK RATEEST TCPMSS TRACE
-
-PF_EXT_SELINUX_SLIB:=
-PF6_EXT_SELINUX_SLIB:=
-PFX_EXT_SELINUX_SLIB:=CONNSECMARK SECMARK
-
-ifeq ($(DO_SELINUX), 1)
-PF_EXT_SE_SLIB:=$(PF_EXT_SELINUX_SLIB)
-PF6_EXT_SE_SLIB:=$(PF6_EXT_SELINUX_SLIB)
-PFX_EXT_SE_SLIB:=$(PFX_EXT_SELINUX_SLIB)
-endif
-
-# Optionals
-PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-PFX_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-testx),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-
-PF_EXT_ALL_SLIB:=$(PF_EXT_SLIB) $(PF_EXT_SE_SLIB) $(PF_EXT_SLIB_OPTS)
-PF6_EXT_ALL_SLIB:=$(PF6_EXT_SLIB) $(PF6_EXT_SE_SLIB) $(PF6_EXT_SLIB_OPTS)
-PFX_EXT_ALL_SLIB:=$(PFX_EXT_SLIB) $(PFX_EXT_SE_SLIB) $(PFX_EXT_SLIB_OPTS)
-
-# libipt*.c with libipt*.man
-PF_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_match extensions/libipt_$(T).c && echo $(T)))
-PF_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q register_target extensions/libipt_$(T).c && echo $(T)))
-PF6_EXT_MAN_ALL_MATCHES:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_match6 extensions/libip6t_$(T).c && echo $(T)))
-PF6_EXT_MAN_ALL_TARGETS:=$(foreach T,$(PF6_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q register_target6 extensions/libip6t_$(T).c && echo $(T)))
-
-# libxt*.c with libipt*.man
-PF_EXT_MAN_ALL_MATCHES+=$(foreach T,$(PFX_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q xtables_register_match extensions/libxt_$(T).c && echo $(T)))
-PF_EXT_MAN_ALL_TARGETS+=$(foreach T,$(PFX_EXT_ALL_SLIB),$(shell test -f extensions/libipt_$(T).man && grep -q xtables_register_target extensions/libxt_$(T).c && echo $(T)))
-PF6_EXT_MAN_ALL_MATCHES+=$(foreach T,$(PFX_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q xtables_register_match extensions/libxt_$(T).c && echo $(T)))
-PF6_EXT_MAN_ALL_TARGETS+=$(foreach T,$(PFX_EXT_ALL_SLIB),$(shell test -f extensions/libip6t_$(T).man && grep -q xtables_register_target extensions/libxt_$(T).c && echo $(T)))
-
-# libxt*.c with libxt*.man
-PFX_EXT_MAN_ALL_MATCHES=$(foreach T,$(PFX_EXT_ALL_SLIB),$(shell test -f extensions/libxt_$(T).man && grep -q xtables_register_match extensions/libxt_$(T).c && echo $(T)))
-PFX_EXT_MAN_ALL_TARGETS=$(foreach T,$(PFX_EXT_ALL_SLIB),$(shell test -f extensions/libxt_$(T).man && grep -q xtables_register_target extensions/libxt_$(T).c && echo $(T)))
-
-# libipt*.man
-PF_EXT_MAN_MATCHES:=$(filter $(PF_EXT_SLIB), $(PF_EXT_MAN_ALL_MATCHES))
-PF_EXT_MAN_MATCHES+=$(filter $(PFX_EXT_SLIB), $(PF_EXT_MAN_ALL_MATCHES))
-PF_EXT_MAN_MATCHES+=$(filter $(PF_EXT_SE_SLIB), $(PF_EXT_MAN_ALL_MATCHES))
-PF_EXT_MAN_MATCHES+=$(filter $(PFX_EXT_SE_SLIB), $(PF_EXT_MAN_ALL_MATCHES))
-
-# libipt*.man
-PF_EXT_MAN_TARGETS:=$(filter $(PF_EXT_SLIB), $(PF_EXT_MAN_ALL_TARGETS))
-PF_EXT_MAN_TARGETS+=$(filter $(PFX_EXT_SLIB), $(PF_EXT_MAN_ALL_TARGETS))
-PF_EXT_MAN_TARGETS+=$(filter $(PF_EXT_SE_SLIB), $(PF_EXT_MAN_ALL_TARGETS))
-PF_EXT_MAN_TARGETS+=$(filter $(PFX_EXT_SE_SLIB), $(PF_EXT_MAN_ALL_TARGETS))
-
-# libipt*.man
-PF_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF_EXT_MAN_MATCHES), $(PF_EXT_MAN_ALL_MATCHES))
-PF_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF_EXT_MAN_TARGETS), $(PF_EXT_MAN_ALL_TARGETS))
-
-# libip6t*.man
-PF6_EXT_MAN_MATCHES:=$(filter $(PF6_EXT_SLIB), $(PF6_EXT_MAN_ALL_MATCHES))
-PF6_EXT_MAN_MATCHES+=$(filter $(PFX_EXT_SLIB), $(PF6_EXT_MAN_ALL_MATCHES))
-PF6_EXT_MAN_MATCHES+=$(filter $(PF6_EXT_SE_SLIB), $(PF6_EXT_MAN_ALL_MATCHES))
-PF6_EXT_MAN_MATCHES+=$(filter $(PFX_EXT_SE_SLIB), $(PF6_EXT_MAN_ALL_MATCHES))
-
-# libip6t*.man
-PF6_EXT_MAN_TARGETS:=$(filter $(PF6_EXT_SLIB), $(PF6_EXT_MAN_ALL_TARGETS))
-PF6_EXT_MAN_TARGETS+=$(filter $(PFX_EXT_SLIB), $(PF6_EXT_MAN_ALL_TARGETS))
-PF6_EXT_MAN_TARGETS+=$(filter $(PF6_EXT_SE_SLIB), $(PF6_EXT_MAN_ALL_TARGETS))
-PF6_EXT_MAN_TARGETS+=$(filter $(PFX_EXT_SE_SLIB), $(PF6_EXT_MAN_ALL_TARGETS))
-
-# libip6t*.man
-PF6_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF6_EXT_MAN_MATCHES), $(PF6_EXT_MAN_ALL_MATCHES))
-PF6_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF6_EXT_MAN_TARGETS), $(PF6_EXT_MAN_ALL_TARGETS))
-
-# libxt*.man
-PFX_EXT_MAN_MATCHES:=$(filter $(PFX_EXT_SLIB), $(PFX_EXT_MAN_ALL_MATCHES))
-PFX_EXT_MAN_MATCHES+=$(filter $(PFX_EXT_SE_SLIB), $(PFX_EXT_MAN_ALL_MATCHES))
-PFX_EXT_MAN_TARGETS:=$(filter $(PFX_EXT_SLIB), $(PFX_EXT_MAN_ALL_TARGETS))
-PFX_EXT_MAN_TARGETS+=$(filter $(PFX_EXT_SE_SLIB), $(PFX_EXT_MAN_ALL_TARGETS))
-
-# libxt*.man
-PFX_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PFX_EXT_MAN_MATCHES), $(PFX_EXT_MAN_ALL_MATCHES))
-PFX_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PFX_EXT_MAN_TARGETS), $(PFX_EXT_MAN_ALL_TARGETS))
-
-ifneq ($(DO_SELINUX), 1)
-PF_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF_EXT_SELINUX_SLIB), $(PF_EXT_MAN_EXTRA_MATCHES))
-PF_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF_EXT_SELINUX_SLIB), $(PF_EXT_MAN_EXTRA_TARGETS))
-PF_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PFX_EXT_SELINUX_SLIB), $(PF_EXT_MAN_EXTRA_MATCHES))
-PF_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PFX_EXT_SELINUX_SLIB), $(PF_EXT_MAN_EXTRA_TARGETS))
-
-PF6_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PF6_EXT_SELINUX_SLIB), $(PF6_EXT_MAN_EXTRA_MATCHES))
-PF6_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PF6_EXT_SELINUX_SLIB), $(PF6_EXT_MAN_EXTRA_TARGETS))
-PF6_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PFX_EXT_SELINUX_SLIB), $(PF6_EXT_MAN_EXTRA_MATCHES))
-PF6_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PFX_EXT_SELINUX_SLIB), $(PF6_EXT_MAN_EXTRA_TARGETS))
-
-PFX_EXT_MAN_EXTRA_MATCHES:=$(filter-out $(PFX_EXT_SELINUX_SLIB), $(PFX_EXT_MAN_EXTRA_MATCHES))
-PFX_EXT_MAN_EXTRA_TARGETS:=$(filter-out $(PFX_EXT_SELINUX_SLIB), $(PFX_EXT_MAN_EXTRA_TARGETS))
-endif
-
-# extra man pages requires this (really _A_ll)
-PFA4_EXT_MAN_EXTRA_MATCHES:=$(PF_EXT_MAN_EXTRA_MATCHES) $(PFX_EXT_MAN_EXTRA_MATCHES)
-PFA4_EXT_MAN_EXTRA_TARGETS:=$(PF_EXT_MAN_EXTRA_TARGETS) $(PFX_EXT_MAN_EXTRA_TARGETS)
-PFA6_EXT_MAN_EXTRA_MATCHES:=$(PF6_EXT_MAN_EXTRA_MATCHES) $(PFX_EXT_MAN_EXTRA_MATCHES)
-PFA6_EXT_MAN_EXTRA_TARGETS:=$(PF6_EXT_MAN_EXTRA_TARGETS) $(PFX_EXT_MAN_EXTRA_TARGETS)
-
-
-allman:
- @echo 'ALL_SLIB (IPv4):' $(PF_EXT_ALL_SLIB)
- @echo 'ALL_SLIB (IPv6):' $(PF6_EXT_ALL_SLIB)
- @echo 'ALL_SLIB (both):' $(PFX_EXT_ALL_SLIB)
- @echo 'ALL_MATCH (IPv4):' $(PF_EXT_MAN_ALL_MATCHES)
- @echo 'ALL_MATCH (IPv6):' $(PF6_EXT_MAN_ALL_MATCHES)
- @echo 'ALL_MATCH (both):' $(PFX_EXT_MAN_ALL_MATCHES)
- @echo 'ALL_TARGET (IPv4):' $(PF_EXT_MAN_ALL_TARGETS)
- @echo 'ALL_TARGET (IPv6):' $(PF6_EXT_MAN_ALL_TARGETS)
- @echo 'ALL_TARGET (both):' $(PFX_EXT_MAN_ALL_TARGETS)
-
-PF_EXT_SLIB+=$(PF_EXT_SLIB_OPTS)
-PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS)
-PFX_EXT_SLIB+=$(PFX_EXT_SLIB_OPTS)
-
-OPTIONALS+=$(patsubst %,XT:%,$(PFX_EXT_SLIB_OPTS))
-OPTIONALS+=$(patsubst %,IPv4:%,$(PF_EXT_SLIB_OPTS))
-OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT_SLIB_OPTS))
-
-ifndef NO_SHARED_LIBS
-SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
-SHARED_SE_LIBS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DEST_IPT_LIBDIR)/libipt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SE_SLIB), $(DEST_IPT_LIBDIR)/libipt_$(T).so)
-
-ifeq ($(DO_IPV6), 1)
-SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
-SHARED_SE_LIBS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DEST_IPT_LIBDIR)/libip6t_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SE_SLIB), $(DEST_IPT_LIBDIR)/libip6t_$(T).so)
-endif
-
-SHARED_LIBS+=$(foreach T,$(PFX_EXT_SLIB),extensions/libxt_$(T).so)
-SHARED_SE_LIBS+=$(foreach T,$(PFX_EXT_SE_SLIB),extensions/libxt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PFX_EXT_SLIB), $(DEST_IPT_LIBDIR)/libxt_$(T).so)
-EXTRA_INSTALLS+=$(foreach T, $(PFX_EXT_SE_SLIB), $(DEST_IPT_LIBDIR)/libxt_$(T).so)
-
-else # NO_SHARED_LIBS
-EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o)
-EXT_OBJS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).o)
-EXT_OBJS+=$(foreach T,$(PFX_EXT_SLIB),extensions/libxt_$(T).o)
-EXT_OBJS+=$(foreach T,$(PFX_EXT_SE_SLIB),extensions/libxt_$(T).o)
-EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
-EXT_FUNC+=$(foreach T,$(PF_EXT_SE_SLIB),ipt_$(T))
-EXT_FUNC+=$(foreach T,$(PFX_EXT_SLIB),xt_$(T))
-EXT_FUNC+=$(foreach T,$(PFX_EXT_SE_SLIB),xt_$(T))
-EXT_OBJS+= extensions/initext.o
-ifeq ($(DO_IPV6), 1)
-EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o)
-EXT6_OBJS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).o)
-EXT6_OBJS+=$(foreach T,$(PFX_EXT_SLIB),extensions/libxt_$(T).o)
-EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T))
-EXT6_FUNC+=$(foreach T,$(PF6_EXT_SE_SLIB),ip6t_$(T))
-EXT6_FUNC+=$(foreach T,$(PFX_EXT_SLIB),xt_$(T))
-EXT6_OBJS+=$(foreach T,$(PFX_EXT_SE_SLIB),extensions/libxt_$(T).o)
-EXT6_FUNC+=$(foreach T,$(PFX_EXT_SE_SLIB),xt_$(T))
-EXT6_OBJS+= extensions/initext6.o
-endif # DO_IPV6
-endif # NO_SHARED_LIBS
-
-ifndef TOPLEVEL_INCLUDED
-local:
- cd .. && $(MAKE) $(SHARED_LIBS) $(SHARED_SE_LIBS)
-endif
-
-ifdef NO_SHARED_LIBS
-extensions/libext.a: $(EXT_OBJS)
- rm -f $@; ar crv $@ $(EXT_OBJS)
-
-extensions/libext6.a: $(EXT6_OBJS)
- rm -f $@; ar crv $@ $(EXT6_OBJS)
-
-extensions/initext.o: extensions/initext.c
-extensions/initext6.o: extensions/initext6.c
-
-extensions/initext.c: extensions/Makefile
- echo "" > $@
- for i in $(EXT_FUNC); do \
- echo "extern void $${i}_init(void);" >> $@; \
- done
- echo "void init_extensions(void) {" >> $@
- for i in $(EXT_FUNC); do \
- echo " $${i}_init();" >> $@; \
- done
- echo "}" >> $@
-
-extensions/initext6.c: extensions/Makefile
- echo "" > $@
- for i in $(EXT6_FUNC); do \
- echo "extern void $${i}_init(void);" >> $@; \
- done
- echo "void init_extensions(void) {" >> $@
- for i in $(EXT6_FUNC); do \
- echo " $${i}_init();" >> $@; \
- done
- echo "}" >> $@
-
-extensions/lib%.o: extensions/lib%.c
- $(CC) $(CFLAGS) -D_INIT=$*_init -c -o $@ $<
-
-endif
-
-EXTRAS += extensions/libipt_targets.man
-extensions/libipt_targets.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_TARGETS)) $(patsubst %,extensions/libxt_%.man,$(PFX_EXT_MAN_ALL_TARGETS))
- @for ext in `echo $(PF_EXT_MAN_TARGETS) $(PFX_EXT_MAN_TARGETS) | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext" ;\
- if test -f extensions/libipt_$$ext.man; then \
- cat extensions/libipt_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done >extensions/libipt_targets.man
- @if [ -n "$(PFA4_EXT_MAN_EXTRA_TARGETS)" ]; then \
- extra="$(PFA4_EXT_MAN_EXTRA_TARGETS)" ;\
- for ext in `echo $${extra:-""} | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- if test -f extensions/libipt_$$ext.man; then \
- cat extensions/libipt_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done ;\
- fi >>extensions/libipt_targets.man
-
-EXTRAS += extensions/libipt_matches.man
-extensions/libipt_matches.man: $(patsubst %,extensions/libipt_%.man,$(PF_EXT_MAN_ALL_MATCHES)) $(patsubst %,extensions/libxt_%.man,$(PFX_EXT_MAN_ALL_MATCHES))
- @for ext in `echo $(PF_EXT_MAN_MATCHES) $(PFX_EXT_MAN_MATCHES) | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext" ;\
- if test -f extensions/libipt_$$ext.man; then \
- cat extensions/libipt_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done >extensions/libipt_matches.man
- @if [ -n "$(PFA4_EXT_MAN_EXTRA_MATCHES)" ]; then \
- extra="$(PFA4_EXT_MAN_EXTRA_MATCHES)" ;\
- for ext in `echo $${extra:-""} | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- if test -f extensions/libipt_$$ext.man; then \
- cat extensions/libipt_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done ;\
- fi >>extensions/libipt_matches.man
-
-EXTRAS += extensions/libip6t_targets.man
-extensions/libip6t_targets.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_TARGETS)) $(patsubst %,extensions/libxt_%.man,$(PFX_EXT_MAN_ALL_TARGETS))
- @for ext in `echo $(PF6_EXT_MAN_TARGETS) $(PFX_EXT_MAN_TARGETS) | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext" ;\
- if test -f extensions/libip6t_$$ext.man; then \
- cat extensions/libip6t_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done >extensions/libip6t_targets.man
- @if [ -n "$(PFA6_EXT_MAN_EXTRA_TARGETS)" ]; then \
- extra="$(PFA6_EXT_MAN_EXTRA_TARGETS)" ;\
- for ext in `echo $${extra:-""} | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- if test -f extensions/libip6t_$$ext.man; then \
- cat extensions/libip6t_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done ;\
- fi >>extensions/libip6t_targets.man
-
-EXTRAS += extensions/libip6t_matches.man
-extensions/libip6t_matches.man: $(patsubst %, extensions/libip6t_%.man, $(PF6_EXT_MAN_ALL_MATCHES)) $(patsubst %,extensions/libxt_%.man,$(PFX_EXT_MAN_ALL_MATCHES))
- @for ext in `echo $(PF6_EXT_MAN_MATCHES) $(PFX_EXT_MAN_MATCHES) | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext" ;\
- if test -f extensions/libip6t_$$ext.man; then \
- cat extensions/libip6t_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done >extensions/libip6t_matches.man
- @if [ -n "$(PFA6_EXT_MAN_EXTRA_MATCHES)" ]; then \
- extra="$(PFA6_EXT_MAN_EXTRA_MATCHES)" ;\
- for ext in `echo $${extra:-""} | sed 's/ /\n/g' | sort`; do \
- echo ".SS $$ext (not supported, see Patch-O-Matic)" ;\
- if test -f extensions/libip6t_$$ext.man; then \
- cat extensions/libip6t_$$ext.man ;\
- else \
- cat extensions/libxt_$$ext.man ;\
- fi; \
- done ;\
- fi >>extensions/libip6t_matches.man
-
-$(DEST_IPT_LIBDIR)/libipt_%.so: extensions/libipt_%.so
- @[ -d $(DEST_IPT_LIBDIR)/ ] || mkdir -p $(DEST_IPT_LIBDIR)/
- cp $< $@
-
-$(DEST_IPT_LIBDIR)/libip6t_%.so: extensions/libip6t_%.so
- @[ -d $(DEST_IPT_LIBDIR)/ ] || mkdir -p $(DEST_IPT_LIBDIR)/
- cp $< $@
-
-$(DEST_IPT_LIBDIR)/libxt_%.so: extensions/libxt_%.so
- @[ -d $(DEST_IPT_LIBDIR)/ ] || mkdir -p $(DEST_IPT_LIBDIR)/
- cp $< $@
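Review bot: the removed rules from `extensions/libipt_targets.man:` onward are what assembled the per-extension `libipt_*.man`, `libip6t_*.man` and `libxt_*.man` fragments into the match and target sections of the manual pages, including the `.SS $$ext (not supported, see Patch-O-Matic)` entries for extensions selected by the `extensions/.*-test` probe scripts; nothing in this hunk says where that logic moves, so please confirm the new extensions build file regenerates these four `.man` files (and still runs the probes), otherwise iptables(8) and ip6tables(8) lose their extension documentation. Likewise the `extensions/initext.c:` and `extensions/initext6.c:` rules that emit `init_extensions()` for the `NO_SHARED_LIBS` build need an equivalent for the static binary this series promises.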
Index: iptables-modules/extensions/dscp_helper.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/dscp_helper.c
@@ -0,0 +1,81 @@
+/*
+ * DiffServ classname <-> DiffServ codepoint mapping functions.
+ *
+ * The latest list of the mappings can be found at:
+ * <http://www.iana.org/assignments/dscp-registry>
+ *
+ * This code is released under the GNU GPL v2, 1991
+ *
+ * Author: Iain Barnes
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+
+
+static const struct ds_class
+{
+ const char *name;
+ unsigned int dscp;
+} ds_classes[] =
+{
+ { "CS0", 0x00 },
+ { "CS1", 0x08 },
+ { "CS2", 0x10 },
+ { "CS3", 0x18 },
+ { "CS4", 0x20 },
+ { "CS5", 0x28 },
+ { "CS6", 0x30 },
+ { "CS7", 0x38 },
+ { "BE", 0x00 },
+ { "AF11", 0x0a },
+ { "AF12", 0x0c },
+ { "AF13", 0x0e },
+ { "AF21", 0x12 },
+ { "AF22", 0x14 },
+ { "AF23", 0x16 },
+ { "AF31", 0x1a },
+ { "AF32", 0x1c },
+ { "AF33", 0x1e },
+ { "AF41", 0x22 },
+ { "AF42", 0x24 },
+ { "AF43", 0x26 },
+ { "EF", 0x2e }
+};
+
+
+
+static unsigned int
+class_to_dscp(const char *name)
+{
+ int i;
+
+ for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
+ if (!strncasecmp(name, ds_classes[i].name,
+ strlen(ds_classes[i].name)))
+ return ds_classes[i].dscp;
+ }
+
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid DSCP value `%s'\n", name);
+}
+
+
+#if 0
+static const char *
+dscp_to_name(unsigned int dscp)
+{
+ int i;
+
+ for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
+ if (dscp == ds_classes[i].dscp)
+ return ds_classes[i].name;
+ }
+
+
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid DSCP value `%d'\n", dscp);
+}
+#endif
+
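Review bot: class_to_dscp() in the moved file keeps a prefix-only comparison, `strncasecmp(name, ds_classes[i].name, strlen(ds_classes[i].name))`, so any input that merely starts with a class name is accepted: "CS10" maps to CS1 and "BEx" to BE instead of hitting the "Invalid DSCP value" error. Since the file is touched anyway, strcasecmp() gives the exact match the error message promises. Two smaller points in the same hunk: strncasecmp() is declared in <strings.h>, which is not included, and the loop index `int i` is compared against the unsigned `sizeof(ds_classes) / sizeof(struct ds_class)` (use `unsigned int` or `size_t`).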
Index: iptables-modules/extensions/libipt_dscp_helper.c
===================================================================
--- iptables-modules.orig/extensions/libipt_dscp_helper.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * DiffServ classname <-> DiffServ codepoint mapping functions.
- *
- * The latest list of the mappings can be found at:
- * <http://www.iana.org/assignments/dscp-registry>
- *
- * This code is released under the GNU GPL v2, 1991
- *
- * Author: Iain Barnes
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-
-
-static const struct ds_class
-{
- const char *name;
- unsigned int dscp;
-} ds_classes[] =
-{
- { "CS0", 0x00 },
- { "CS1", 0x08 },
- { "CS2", 0x10 },
- { "CS3", 0x18 },
- { "CS4", 0x20 },
- { "CS5", 0x28 },
- { "CS6", 0x30 },
- { "CS7", 0x38 },
- { "BE", 0x00 },
- { "AF11", 0x0a },
- { "AF12", 0x0c },
- { "AF13", 0x0e },
- { "AF21", 0x12 },
- { "AF22", 0x14 },
- { "AF23", 0x16 },
- { "AF31", 0x1a },
- { "AF32", 0x1c },
- { "AF33", 0x1e },
- { "AF41", 0x22 },
- { "AF42", 0x24 },
- { "AF43", 0x26 },
- { "EF", 0x2e }
-};
-
-
-
-static unsigned int
-class_to_dscp(const char *name)
-{
- int i;
-
- for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
- if (!strncasecmp(name, ds_classes[i].name,
- strlen(ds_classes[i].name)))
- return ds_classes[i].dscp;
- }
-
- exit_error(PARAMETER_PROBLEM,
- "Invalid DSCP value `%s'\n", name);
-}
-
-
-#if 0
-static const char *
-dscp_to_name(unsigned int dscp)
-{
- int i;
-
- for (i = 0; i < sizeof(ds_classes) / sizeof(struct ds_class); i++) {
- if (dscp == ds_classes[i].dscp)
- return ds_classes[i].name;
- }
-
-
- exit_error(PARAMETER_PROBLEM,
- "Invalid DSCP value `%d'\n", dscp);
-}
-#endif
-
Index: iptables-modules/extensions/libxt_DSCP.c
===================================================================
--- iptables-modules.orig/extensions/libxt_DSCP.c
+++ iptables-modules/extensions/libxt_DSCP.c
@@ -19,7 +19,7 @@
#include <linux/netfilter/xt_DSCP.h>
/* This is evil, but it's my code - HW*/
-#include "libipt_dscp_helper.c"
+#include "dscp_helper.c"
static void DSCP_help(void)
{
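Review bot: dscp_helper.c is still textually included with `#include "dscp_helper.c"` rather than compiled and linked, so it is not a source of any build target; with the move to autotools make sure the new extensions build file lists it for distribution (EXTRA_DIST or equivalent), otherwise a `make dist` tarball will lack it and libxt_DSCP.c and libxt_dscp.c will not compile from a release. The rename is also the natural moment to retire the "This is evil" pattern by turning class_to_dscp() into an exported xtables.c helper, which the same comment in libxt_dscp.c would then not need either.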
Index: iptables-modules/extensions/libxt_dscp.c
===================================================================
--- iptables-modules.orig/extensions/libxt_dscp.c
+++ iptables-modules/extensions/libxt_dscp.c
@@ -22,7 +22,7 @@
#include <linux/netfilter/xt_dscp.h>
/* This is evil, but it's my code - HW*/
-#include "libipt_dscp_helper.c"
+#include "dscp_helper.c"
static void dscp_help(void)
{
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -226,13 +226,14 @@ void exit_error(enum exittype, const cha
format(printf,2,3)));
extern const char *program_name, *program_version;
-#define _init __attribute__((constructor)) my_init
#ifdef NO_SHARED_LIBS
-# ifdef _INIT
-# undef _init
-# define _init _INIT
-# endif
- extern void init_extensions(void);
+# ifdef _INIT
+# undef _init
+# define _init _INIT
+# endif
+ extern void init_extensions(void);
+#else
+# define _init __attribute__((constructor)) _INIT
#endif
#endif /* _XTABLES_H */
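Review bot: in the new `#else` branch `_init` expands to `__attribute__((constructor)) _INIT`, so every extension compiled as a shared object must now be built with `-D_INIT=<name>`; without it the constructor is declared with the undefined token `_INIT` and compilation fails, whereas the removed line gave the shared build the fixed name `my_init`. That is a build-contract change for out-of-tree extensions and deserves a sentence in the commit message, and a `#ifndef _INIT` / `#error` guard ahead of the define would turn the resulting parse error into a clear diagnostic. The `# ifdef _INIT` ... `# endif` lines under `NO_SHARED_LIBS` are only re-indented, which adds whitespace churn to an already large patch.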
Index: iptables-modules/libipq/Makefile
===================================================================
--- iptables-modules.orig/libipq/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /usr/bin/make
-
-EXTRAS+=libipq/libipq.a
-#CFLAGS+=-DDEBUG_LIBIPTQ
-
-DEVEL_MAN3+=libipq/ipq_create_handle.3 \
- libipq/ipq_destroy_handle.3 \
- libipq/ipq_errstr.3 \
- libipq/ipq_get_msgerr.3 \
- libipq/ipq_get_packet.3 \
- libipq/ipq_message_type.3 \
- libipq/ipq_perror.3 \
- libipq/ipq_read.3 \
- libipq/ipq_set_mode.3 \
- libipq/ipq_set_verdict.3 \
- libipq/libipq.3
-
-DEVEL_LIBS+=libipq/libipq.a
-
-DEVEL_HEADERS+=include/libipq/libipq.h
-
-ifndef TOPLEVEL_INCLUDED
-local:
- cd .. && $(MAKE) $(SHARED_LIBS) $(EXTRAS)
-else
-libipq/libipq.a: libipq/libipq.a(libipq/libipq.o)
-endif
-
Index: iptables-modules/libipq/Makefile.am
===================================================================
--- /dev/null
+++ iptables-modules/libipq/Makefile.am
@@ -0,0 +1,11 @@
+# -*- Makefile -*-
+
+AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include
+
+libipq_a_SOURCES = libipq.c
+lib_LIBRARIES = libipq.a
+include_HEADERS = ${top_srcdir}/include/libipq/libipq.h
+man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \
+ ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \
+ ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \
+ libipq.3
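Review bot: `include_HEADERS = ${top_srcdir}/include/libipq/libipq.h` installs the header as `$(includedir)/libipq.h`, while the in-tree path is `include/libipq/libipq.h`; if consumers include it as `<libipq/libipq.h>`, this needs `libipqincludedir = $(includedir)/libipq` with `libipqinclude_HEADERS` instead. Two style points: automake-generated files conventionally use `$(...)` rather than `${...}`, and `regular_CFLAGS` in `AM_CFLAGS` only takes effect if configure.ac AC_SUBSTs it, which cannot be checked from this hunk.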
* Re: [01/19] use automake
2008-01-16 13:48 ` [01/19] use automake Jan Engelhardt
@ 2008-01-20 13:13 ` Patrick McHardy
2008-01-20 16:51 ` Jan Engelhardt
0 siblings, 1 reply; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:13 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Converts the iptables build infrastructure to autotools.
>
> - Can build both static and dynamic at the same time
>
> - iptables-static will be a multi-binary, semi-static
> (link against libc but w/o dynamic plugins)
>
> - Always build IPv6 modules
>
> - consider INSTALL
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Applied, thanks Jan.
* Re: [01/19] use automake
2008-01-20 13:13 ` Patrick McHardy
@ 2008-01-20 16:51 ` Jan Engelhardt
2008-01-20 16:53 ` Patrick McHardy
0 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-20 16:51 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 20 2008 14:13, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Converts the iptables build infrastructure to autotools.
>>
>> - Can build both static and dynamic at the same time
>>
>> - iptables-static will be a multi-binary, semi-static
>> (link against libc but w/o dynamic plugins)
>>
>> - Always build IPv6 modules
>>
>> - consider INSTALL
>>
>> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> Applied, thanks Jan.
Looks like libiptc/Makefile missed the deletion.
* Re: [01/19] use automake
2008-01-20 16:51 ` Jan Engelhardt
@ 2008-01-20 16:53 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 16:53 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 20 2008 14:13, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> Converts the iptables build infrastructure to autotools.
>>>
>>> - Can build both static and dynamic at the same time
>>>
>>> - iptables-static will be a multi-binary, semi-static
>>> (link against libc but w/o dynamic plugins)
>>>
>>> - Always build IPv6 modules
>>>
>>> - consider INSTALL
>>>
>>> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>> Applied, thanks Jan.
>
> Looks like libiptc/Makefile missed the deletion.
It's gone now, thanks.
* [02/19] strtonum
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
2008-01-16 13:48 ` [01/19] use automake Jan Engelhardt
@ 2008-01-16 13:48 ` Jan Engelhardt
2008-01-20 13:18 ` Patrick McHardy
2008-01-16 13:49 ` [03/19] common error messages Jan Engelhardt
` (16 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:48 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce strtonum(), which works like string_to_number(), but passes
back the 'end' pointer. It is useful where you want to do boundary
checking yet work with strings that are not entirely slurped by
strtoul(), e.g.:
s = "1/2"; /* one half */
if (!strtonum(s, &end, &value, 0, 5))
error("Zero-length string, or value out of bounds");
if (*end != '/')
error("Malformed string");
info->param1 = value;
if (!strtonum(end + 1, &end, &value, 2, 4))
error("..");
if (*end != '\0')
error("Malformed string");
info->param2 = value;
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/xtables.h | 5 +++++
xtables.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -5,6 +5,7 @@
#include <linux/types.h>
#include <linux/netfilter/x_tables.h>
#include <libiptc/libxtc.h>
+#include <stdbool.h>
#ifndef XT_LIB_DIR
#define XT_LIB_DIR "/usr/local/lib/iptables"
@@ -206,6 +207,10 @@ extern int string_to_number(const char *
unsigned int min,
unsigned int max,
unsigned int *ret);
+extern bool strtonuml(const char *, char **, unsigned long *,
+ unsigned long, unsigned long);
+extern bool strtonum(const char *, char **, unsigned int *,
+ unsigned int, unsigned int);
extern int service_to_port(const char *name, const char *proto);
extern u_int16_t parse_port(const char *port, const char *proto);
extern void
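Review bot: the name `strtonum` is already taken by the BSD C library, where stdlib.h declares `long long strtonum(const char *, long long, long long, const char **)`; exporting an incompatible `strtonum` from a public header will produce conflicting-declaration errors on such systems for anyone including both headers. An `xtables_` prefix, like the `xtables_register_*` functions already in this header, avoids the clash. The new prototypes also omit parameter names, unlike `string_to_number` just above them; naming `end`, `value`, `min` and `max` here documents the contract described in the commit message.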
Index: iptables-modules/xtables.c
===================================================================
--- iptables-modules.orig/xtables.c
+++ iptables-modules/xtables.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -199,6 +200,49 @@ int string_to_number(const char *s, unsi
return result;
}
+/*
+ * strtonum{,l} - string to number conversion
+ *
+ * If @end is NULL, we assume the caller does not want
+ * a case like "15a", so reject it.
+ */
+bool strtonuml(const char *s, char **end, unsigned long *value,
+ unsigned long min, unsigned long max)
+{
+ unsigned long v;
+ char *my_end;
+
+ errno = 0;
+ v = strtoul(s, &my_end, 0);
+
+ if (my_end == s)
+ return false;
+ if (end != NULL)
+ *end = my_end;
+
+ if (errno != ERANGE && min <= v && (max == 0 || v <= max)) {
+ if (value != NULL)
+ *value = v;
+ if (end == NULL)
+ return *my_end == '\0';
+ return true;
+ }
+
+ return false;
+}
+
+bool strtonum(const char *s, char **end, unsigned int *value,
+ unsigned int min, unsigned int max)
+{
+ unsigned long v;
+ bool ret;
+
+ ret = strtonuml(s, end, &v, min, max);
+ if (value != NULL)
+ *value = v;
+ return ret;
+}
+
int service_to_port(const char *name, const char *proto)
{
struct servent *service;
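Review bot: strtonum() copies `v` into `*value` unconditionally, but strtonuml() leaves `*value` untouched on every failure path, so after a rejected input the caller receives uninitialized stack contents; write `*value` only when `ret` is true. Three further gaps in strtonuml(): strtoul() accepts a leading '-' and maps "-1" to ULONG_MAX without setting ERANGE, which passes the unbounded `max == 0` case; with `max == 0` on 64-bit the `unsigned long` result is narrowed to `unsigned int` in strtonum() without a range check, so values above UINT_MAX wrap; and `*value = v` runs before the `end == NULL` trailing-text check, so a rejected "15a" still leaves 15 in the caller's variable. Checking the sign (or `v > UINT_MAX` in the wrapper) and assigning the outputs only on the success path fixes all of these.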
* Re: [02/19] strtonum
2008-01-16 13:48 ` [02/19] strtonum Jan Engelhardt
@ 2008-01-20 13:18 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Introduce strtonum(), which works like string_to_number(), but passes
> back the 'end' pointer. It is useful where you want to do boundary
> checking yet work with strings that are not entirely slurped by
> strtoul(), e.g.:
>
> s = "1/2"; /* one half */
> if (!strtonum(s, &end, &value, 0, 5))
> error("Zero-length string, or value out of bounds");
> if (*end != '/')
> error("Malformed string");
> info->param1 = value;
> if (!strtonum(end + 1, &end, &value, 2, 4))
> error("..");
> if (*end != '\0')
> error("Malformed string");
> info->param2 = value;
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Applied, thanks.
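The strtonum() contract from [02/19] and the "1/2" parsing sequence in its commit message, written out as an added, stand-alone example. This is not iptables code: the functions are reimplemented here under an assumed `xt_` prefix, they return false where the commit message calls error(), and they add two checks the patch does not have (a leading '-' is rejected, and a value that does not fit in `unsigned int` is rejected instead of truncated). The default input "1/2" and the test strings are constructed.

```c
/* Added example, not iptables code: the strtonum()/strtonuml() contract from
 * [02/19] plus the "p1/p2" parser from its commit message (assumed xt_ names). */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* false on empty, overflowing or out-of-range input; max == 0 means no upper
 * bound; end == NULL rejects trailing text ("15a"). Outputs written on success only. */
static bool xt_strtonuml(const char *s, char **end, unsigned long *value,
                         unsigned long min, unsigned long max)
{
    unsigned long v;
    char *my_end;
    /* strtoul() accepts a leading '-' and maps "-1" to ULONG_MAX without
     * setting errno, which an unbounded (max == 0) check would let through. */
    while (isspace((unsigned char)*s))
        s++;
    if (*s == '-')
        return false;
    errno = 0;
    v = strtoul(s, &my_end, 0);
    if (my_end == s)
        return false;                   /* no digits at all */
    if (errno == ERANGE || v < min || (max != 0 && v > max))
        return false;
    if (end == NULL && *my_end != '\0')
        return false;                   /* caller wants the whole string */
    if (end != NULL)
        *end = my_end;
    if (value != NULL)
        *value = v;
    return true;
}

/* unsigned int flavour: a result that does not fit (64-bit, max == 0) is
 * rejected rather than truncated. */
static bool xt_strtonum(const char *s, char **end, unsigned int *value,
                        unsigned int min, unsigned int max)
{
    unsigned long v;
    if (!xt_strtonuml(s, end, &v, min, max) || v > UINT_MAX)
        return false;
    if (value != NULL)
        *value = (unsigned int)v;
    return true;
}

struct ratio { unsigned int param1, param2; };

/* "p1/p2" with p1 in [0,5] and p2 in [2,4]: the sequence of checks shown in
 * the commit message, returning false where it calls error(). */
static bool parse_ratio(const char *s, struct ratio *out)
{
    char *end;
    unsigned int value;
    if (!xt_strtonum(s, &end, &value, 0, 5))
        return false;                   /* empty, or p1 out of bounds */
    if (*end != '/')
        return false;                   /* malformed */
    out->param1 = value;
    if (!xt_strtonum(end + 1, &end, &value, 2, 4))
        return false;
    if (*end != '\0')
        return false;                   /* trailing garbage */
    out->param2 = value;
    return true;
}

/* Self-test helpers: ratio_is() is 1 when s parses to exactly (p1, p2);
 * num_value() gives the value of s (min 0, no upper bound), or -1 if rejected. */
static int ratio_is(const char *s, unsigned int p1, unsigned int p2)
{
    struct ratio r;
    return parse_ratio(s, &r) && r.param1 == p1 && r.param2 == p2;
}

static long long num_value(const char *s, bool strict)
{
    unsigned int v;
    char *end;
    if (!xt_strtonum(s, strict ? NULL : &end, &v, 0, 0))
        return -1;
    return v;
}

int main(int argc, char **argv)
{
    const char *s = argc > 1 ? argv[1] : "1/2";   /* constructed default */
    struct ratio r;
    if (!parse_ratio(s, &r)) {
        fprintf(stderr, "rejected: \"%s\"\n", s);
        return 1;
    }
    printf("param1=%u param2=%u\n", r.param1, r.param2);
    return 0;
}
```

Build with `cc -Wall -o ratio ratio.c` and run `./ratio 3/4`; the rejection cases worth trying by hand are "-1/2", "1/2x" and a number above 4294967295, which the patch as posted would accept, truncate or hand back uninitialized.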
* [03/19] common error messages
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
2008-01-16 13:48 ` [01/19] use automake Jan Engelhardt
2008-01-16 13:48 ` [02/19] strtonum Jan Engelhardt
@ 2008-01-16 13:49 ` Jan Engelhardt
2008-01-20 13:18 ` Patrick McHardy
2008-01-16 13:49 ` [04/19] libxt_owner Jan Engelhardt
` (15 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:49 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Error messages vary wildly among modules, and there is a lot of
redundancy in them too. Introduce a helper function that does all of
the parameter checking boilerplate and gives unique messages.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
include/xtables.h | 7 ++++++-
xtables.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 1 deletion(-)
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -220,7 +220,11 @@ enum exittype {
OTHER_PROBLEM = 1,
PARAMETER_PROBLEM,
VERSION_PROBLEM,
- RESOURCE_PROBLEM
+ RESOURCE_PROBLEM,
+ P_ONLY_ONCE,
+ P_NO_INVERT,
+ P_BAD_VALUE,
+ P_ONE_ACTION,
};
/* this is a special 64bit data type that is 8-byte aligned */
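Review bot: P_ONLY_ONCE through P_ONE_ACTION are appended to `enum exittype`, whose existing members double as process exit statuses (OTHER_PROBLEM = 1, PARAMETER_PROBLEM, ...); mixing param_act() action selectors into the same enum means a caller who passes one of them to exit_error() by mistake exits with status 5 to 8 and no type error. A separate enum for the param_act() cases keeps the two namespaces apart and lets the compiler catch the mix-up.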
@@ -229,6 +233,7 @@ enum exittype {
int check_inverse(const char option[], int *invert, int *optind, int argc);
void exit_error(enum exittype, const char *, ...)__attribute__((noreturn,
format(printf,2,3)));
+extern void param_act(unsigned int, const char *, ...);
extern const char *program_name, *program_version;
#ifdef NO_SHARED_LIBS
Index: iptables-modules/xtables.c
===================================================================
--- iptables-modules.orig/xtables.c
+++ iptables-modules/xtables.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
+#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
@@ -639,3 +640,51 @@ void xtables_register_target(struct xtab
me->t = NULL;
me->tflags = 0;
}
+
+void param_act(unsigned int status, const char *p1, ...)
+{
+ const char *p2, *p3;
+ va_list args;
+ bool b;
+
+ va_start(args, p1);
+
+ switch (status) {
+ case P_ONLY_ONCE:
+ p2 = va_arg(args, const char *);
+ b = va_arg(args, unsigned int);
+ if (!b)
+ return;
+ exit_error(PARAMETER_PROBLEM,
+ "%s: \"%s\" option may only be specified once",
+ p1, p2);
+ break;
+ case P_NO_INVERT:
+ p2 = va_arg(args, const char *);
+ b = va_arg(args, unsigned int);
+ if (!b)
+ return;
+ exit_error(PARAMETER_PROBLEM,
+ "%s: \"%s\" option cannot be inverted", p1, p2);
+ break;
+ case P_BAD_VALUE:
+ p2 = va_arg(args, const char *);
+ p3 = va_arg(args, const char *);
+ exit_error(PARAMETER_PROBLEM,
+ "%s: Bad value for \"%s\" option: \"%s\"",
+ p1, p2, p3);
+ break;
+ case P_ONE_ACTION:
+ b = va_arg(args, unsigned int);
+ if (!b)
+ return;
+ exit_error(PARAMETER_PROBLEM,
+ "%s: At most one action is possible", p1);
+ break;
+ default:
+ exit_error(status, p1, args);
+ break;
+ }
+
+ va_end(args);
+}
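Review bot: the `default:` branch calls `exit_error(status, p1, args)`, passing a `va_list` as a single variadic argument to a function that expects the printf arguments themselves; that is undefined behaviour and the message will be formatted from whatever the va_list object happens to contain. exit_error() has no va_list variant, so either add a `vexit_error(enum exittype, const char *, va_list)` and call that here, or drop the passthrough and document that param_act() only handles the P_* cases. Two smaller points: the early `return` in the P_ONLY_ONCE, P_NO_INVERT and P_ONE_ACTION cases skips `va_end(args)`, and `b = va_arg(args, unsigned int)` relies on every caller passing the flag as an int-promoted value, which the prototype in xtables.h should say.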
* [04/19] libxt_owner
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (2 preceding siblings ...)
2008-01-16 13:49 ` [03/19] common error messages Jan Engelhardt
@ 2008-01-16 13:49 ` Jan Engelhardt
2008-01-20 13:20 ` Patrick McHardy
2008-01-16 13:49 ` [05/19] libxt_tos Jan Engelhardt
` (14 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:49 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Import libxt_owner into iptables
libxt_owner merges libipt_owner and libip6t_owner, and adds support
for the xt_owner match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libip6t_owner.c | 240 ---------------
extensions/libip6t_owner.man | 23 -
extensions/libipt_owner.c | 241 ---------------
extensions/libipt_owner.man | 28 -
extensions/libxt_owner.c | 574 +++++++++++++++++++++++++++++++++++++
extensions/libxt_owner.man | 16 +
include/linux/netfilter/xt_owner.h | 16 +
7 files changed, 606 insertions(+), 532 deletions(-)
Index: iptables-modules/extensions/libip6t_owner.c
===================================================================
--- iptables-modules.orig/extensions/libip6t_owner.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/* Shared library add-on to iptables to add OWNER matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <pwd.h>
-#include <grp.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-
-/* Function which prints out usage message. */
-static void owner_help(void)
-{
-#ifdef IP6T_OWNER_COMM
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"[!] --cmd-owner name Match local command name\n"
-"\n",
-IPTABLES_VERSION);
-#else
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"\n",
-IPTABLES_VERSION);
-#endif /* IP6T_OWNER_COMM */
-}
-
-static const struct option owner_opts[] = {
- { "uid-owner", 1, NULL, '1' },
- { "gid-owner", 1, NULL, '2' },
- { "pid-owner", 1, NULL, '3' },
- { "sid-owner", 1, NULL, '4' },
-#ifdef IP6T_OWNER_COMM
- { "cmd-owner", 1, NULL, '5' },
-#endif
- { }
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int owner_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ip6t_owner_info *ownerinfo = (struct ip6t_owner_info *)(*match)->data;
-
- switch (c) {
- char *end;
- struct passwd *pwd;
- struct group *grp;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- if ((pwd = getpwnam(optarg)))
- ownerinfo->uid = pwd->pw_uid;
- else {
- ownerinfo->uid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_UID;
- ownerinfo->match |= IP6T_OWNER_UID;
- *flags = 1;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
- if ((grp = getgrnam(optarg)))
- ownerinfo->gid = grp->gr_gid;
- else {
- ownerinfo->gid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_GID;
- ownerinfo->match |= IP6T_OWNER_GID;
- *flags = 1;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->pid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_PID;
- ownerinfo->match |= IP6T_OWNER_PID;
- *flags = 1;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->sid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_SID;
- ownerinfo->match |= IP6T_OWNER_SID;
- *flags = 1;
- break;
-
-#ifdef IP6T_OWNER_COMM
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
- if(strlen(optarg) > sizeof(ownerinfo->comm))
- exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
-
- strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
- ownerinfo->comm[sizeof(ownerinfo->comm)-1] = '\0';
-
- if (invert)
- ownerinfo->invert |= IP6T_OWNER_COMM;
- ownerinfo->match |= IP6T_OWNER_COMM;
- *flags = 1;
- break;
-#endif
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_item(struct ip6t_owner_info *info, u_int8_t flag, int numeric, char *label)
-{
- if(info->match & flag) {
-
- if (info->invert & flag)
- printf("! ");
-
- printf(label);
-
- switch(info->match & flag) {
- case IP6T_OWNER_UID:
- if(!numeric) {
- struct passwd *pwd = getpwuid(info->uid);
-
- if(pwd && pwd->pw_name) {
- printf("%s ", pwd->pw_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->uid);
- break;
- case IP6T_OWNER_GID:
- if(!numeric) {
- struct group *grp = getgrgid(info->gid);
-
- if(grp && grp->gr_name) {
- printf("%s ", grp->gr_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->gid);
- break;
- case IP6T_OWNER_PID:
- printf("%u ", info->pid);
- break;
- case IP6T_OWNER_SID:
- printf("%u ", info->sid);
- break;
-#ifdef IP6T_OWNER_COMM
- case IP6T_OWNER_COMM:
- printf("%.*s ", (int)sizeof(info->comm), info->comm);
- break;
-#endif
- default:
- break;
- }
- }
-}
-
-/* Final check; must have specified --own. */
-static void owner_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "OWNER match: You must specify one or more options");
-}
-
-/* Prints out the matchinfo. */
-static void owner_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ip6t_owner_info *info = (struct ip6t_owner_info *)match->data;
-
- print_item(info, IP6T_OWNER_UID, numeric, "OWNER UID match ");
- print_item(info, IP6T_OWNER_GID, numeric, "OWNER GID match ");
- print_item(info, IP6T_OWNER_PID, numeric, "OWNER PID match ");
- print_item(info, IP6T_OWNER_SID, numeric, "OWNER SID match ");
-#ifdef IP6T_OWNER_COMM
- print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
-#endif
-}
-
-/* Saves the union ip6t_matchinfo in parsable form to stdout. */
-static void owner_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ip6t_owner_info *info = (struct ip6t_owner_info *)match->data;
-
- print_item(info, IP6T_OWNER_UID, 0, "--uid-owner ");
- print_item(info, IP6T_OWNER_GID, 0, "--gid-owner ");
- print_item(info, IP6T_OWNER_PID, 0, "--pid-owner ");
- print_item(info, IP6T_OWNER_SID, 0, "--sid-owner ");
-#ifdef IP6T_OWNER_COMM
- print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
-#endif
-}
-
-static struct ip6tables_match owner_match6 = {
- .name = "owner",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
- .help = owner_help,
- .parse = owner_parse,
- .final_check = owner_check,
- .print = owner_print,
- .save = owner_save,
- .extra_opts = owner_opts,
-};
-
-void _init(void)
-{
- register_match6(&owner_match6);
-}
Index: iptables-modules/extensions/libip6t_owner.man
===================================================================
--- iptables-modules.orig/extensions/libip6t_owner.man
+++ /dev/null
@@ -1,23 +0,0 @@
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMPv6 ping responses) may
-have no owner, and hence never match. This is regarded as experimental.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
Index: iptables-modules/extensions/libipt_owner.c
===================================================================
--- iptables-modules.orig/extensions/libipt_owner.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/* Shared library add-on to iptables to add OWNER matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <pwd.h>
-#include <grp.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-
-/* Function which prints out usage message. */
-static void owner_help(void)
-{
-#ifdef IPT_OWNER_COMM
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"[!] --cmd-owner name Match local command name\n"
-"NOTE: pid, sid and command matching are broken on SMP\n"
-"\n",
-IPTABLES_VERSION);
-#else
- printf(
-"OWNER match v%s options:\n"
-"[!] --uid-owner userid Match local uid\n"
-"[!] --gid-owner groupid Match local gid\n"
-"[!] --pid-owner processid Match local pid\n"
-"[!] --sid-owner sessionid Match local sid\n"
-"NOTE: pid and sid matching are broken on SMP\n"
-"\n",
-IPTABLES_VERSION);
-#endif /* IPT_OWNER_COMM */
-}
-
-static const struct option owner_opts[] = {
- { "uid-owner", 1, NULL, '1' },
- { "gid-owner", 1, NULL, '2' },
- { "pid-owner", 1, NULL, '3' },
- { "sid-owner", 1, NULL, '4' },
-#ifdef IPT_OWNER_COMM
- { "cmd-owner", 1, NULL, '5' },
-#endif
- { }
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int owner_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_owner_info *ownerinfo = (struct ipt_owner_info *)(*match)->data;
-
- switch (c) {
- char *end;
- struct passwd *pwd;
- struct group *grp;
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- if ((pwd = getpwnam(optarg)))
- ownerinfo->uid = pwd->pw_uid;
- else {
- ownerinfo->uid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IPT_OWNER_UID;
- ownerinfo->match |= IPT_OWNER_UID;
- *flags = 1;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
- if ((grp = getgrnam(optarg)))
- ownerinfo->gid = grp->gr_gid;
- else {
- ownerinfo->gid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
- }
- if (invert)
- ownerinfo->invert |= IPT_OWNER_GID;
- ownerinfo->match |= IPT_OWNER_GID;
- *flags = 1;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->pid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IPT_OWNER_PID;
- ownerinfo->match |= IPT_OWNER_PID;
- *flags = 1;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->sid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
- if (invert)
- ownerinfo->invert |= IPT_OWNER_SID;
- ownerinfo->match |= IPT_OWNER_SID;
- *flags = 1;
- break;
-
-#ifdef IPT_OWNER_COMM
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
- if(strlen(optarg) > sizeof(ownerinfo->comm))
- exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %u characters", optarg, (unsigned int)sizeof(ownerinfo->comm));
-
- strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
- ownerinfo->comm[sizeof(ownerinfo->comm)-1] = '\0';
-
- if (invert)
- ownerinfo->invert |= IPT_OWNER_COMM;
- ownerinfo->match |= IPT_OWNER_COMM;
- *flags = 1;
- break;
-#endif
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_item(struct ipt_owner_info *info, u_int8_t flag, int numeric, char *label)
-{
- if(info->match & flag) {
-
- if (info->invert & flag)
- printf("! ");
-
- printf(label);
-
- switch(info->match & flag) {
- case IPT_OWNER_UID:
- if(!numeric) {
- struct passwd *pwd = getpwuid(info->uid);
-
- if(pwd && pwd->pw_name) {
- printf("%s ", pwd->pw_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->uid);
- break;
- case IPT_OWNER_GID:
- if(!numeric) {
- struct group *grp = getgrgid(info->gid);
-
- if(grp && grp->gr_name) {
- printf("%s ", grp->gr_name);
- break;
- }
- /* FALLTHROUGH */
- }
- printf("%u ", info->gid);
- break;
- case IPT_OWNER_PID:
- printf("%u ", info->pid);
- break;
- case IPT_OWNER_SID:
- printf("%u ", info->sid);
- break;
-#ifdef IPT_OWNER_COMM
- case IPT_OWNER_COMM:
- printf("%.*s ", (int)sizeof(info->comm), info->comm);
- break;
-#endif
- default:
- break;
- }
- }
-}
-
-/* Final check; must have specified --own. */
-static void owner_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "OWNER match: You must specify one or more options");
-}
-
-/* Prints out the matchinfo. */
-static void owner_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_owner_info *info = (struct ipt_owner_info *)match->data;
-
- print_item(info, IPT_OWNER_UID, numeric, "OWNER UID match ");
- print_item(info, IPT_OWNER_GID, numeric, "OWNER GID match ");
- print_item(info, IPT_OWNER_PID, numeric, "OWNER PID match ");
- print_item(info, IPT_OWNER_SID, numeric, "OWNER SID match ");
-#ifdef IPT_OWNER_COMM
- print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
-#endif
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void owner_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_owner_info *info = (struct ipt_owner_info *)match->data;
-
- print_item(info, IPT_OWNER_UID, 0, "--uid-owner ");
- print_item(info, IPT_OWNER_GID, 0, "--gid-owner ");
- print_item(info, IPT_OWNER_PID, 0, "--pid-owner ");
- print_item(info, IPT_OWNER_SID, 0, "--sid-owner ");
-#ifdef IPT_OWNER_COMM
- print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
-#endif
-}
-
-static struct iptables_match owner_match = {
- .name = "owner",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_owner_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_owner_info)),
- .help = owner_help,
- .parse = owner_parse,
- .final_check = owner_check,
- .print = owner_print,
- .save = owner_save,
- .extra_opts = owner_opts,
-};
-
-void _init(void)
-{
- register_match(&owner_match);
-}
Index: iptables-modules/extensions/libipt_owner.man
===================================================================
--- iptables-modules.orig/extensions/libipt_owner.man
+++ /dev/null
@@ -1,28 +0,0 @@
-This module attempts to match various characteristics of the packet
-creator, for locally-generated packets. It is only valid in the
-.B OUTPUT
-chain, and even this some packets (such as ICMP ping responses) may
-have no owner, and hence never match.
-.TP
-.BI "--uid-owner " "userid"
-Matches if the packet was created by a process with the given
-effective user id.
-.TP
-.BI "--gid-owner " "groupid"
-Matches if the packet was created by a process with the given
-effective group id.
-.TP
-.BI "--pid-owner " "processid"
-Matches if the packet was created by a process with the given
-process id.
-.TP
-.BI "--sid-owner " "sessionid"
-Matches if the packet was created by a process in the given session
-group.
-.TP
-.BI "--cmd-owner " "name"
-Matches if the packet was created by a process with the given command name.
-(this option is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.B NOTE: pid, sid and command matching are broken on SMP
Index: iptables-modules/extensions/libxt_owner.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_owner.c
@@ -0,0 +1,574 @@
+/*
+ * libxt_owner - iptables addon for xt_owner
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_owner.h>
+#include <linux/netfilter_ipv4/ipt_owner.h>
+#include <linux/netfilter_ipv6/ip6t_owner.h>
+
+enum {
+ FLAG_UID_OWNER = 1 << 0,
+ FLAG_GID_OWNER = 1 << 1,
+ FLAG_SOCKET_EXISTS = 1 << 2,
+ FLAG_PID_OWNER = 1 << 3,
+ FLAG_SID_OWNER = 1 << 4,
+ FLAG_COMM = 1 << 5,
+};
+
+static void owner_mt_help_v0(void)
+{
+#ifdef IPT_OWNER_COMM
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"[!] --cmd-owner name Match local command name\n"
+"NOTE: PID, SID and command matching are broken on SMP\n"
+"\n");
+#else
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"NOTE: PID and SID matching are broken on SMP\n"
+"\n");
+#endif /* IPT_OWNER_COMM */
+}
+
+static void owner_mt6_help_v0(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"NOTE: PID and SID matching are broken on SMP\n"
+"\n");
+}
+
+static void owner_mt_help(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --socket-exists Match if socket exists\n"
+"\n");
+}
+
+static const struct option owner_mt_opts_v0[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "pid-owner", .has_arg = true, .val = 'p'},
+ {.name = "sid-owner", .has_arg = true, .val = 's'},
+#ifdef IPT_OWNER_COMM
+ {.name = "cmd-owner", .has_arg = true, .val = 'c'},
+#endif
+ {},
+};
+
+static const struct option owner_mt6_opts_v0[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "pid-owner", .has_arg = true, .val = 'p'},
+ {.name = "sid-owner", .has_arg = true, .val = 's'},
+ {},
+};
+
+static const struct option owner_mt_opts[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "socket-exists", .has_arg = false, .val = 'k'},
+ {},
+};
+
+static int
+owner_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_owner_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ param_act(P_ONLY_ONCE, "owner", "--uid-owner", *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!strtonum(optarg, NULL, &id, 0, ~(uid_t)0))
+ param_act(P_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_UID;
+ info->match |= IPT_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ param_act(P_ONLY_ONCE, "owner", "--gid-owner", *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!strtonum(optarg, NULL, &id, 0, ~(gid_t)0))
+ param_act(P_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_GID;
+ info->match |= IPT_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'p':
+ param_act(P_ONLY_ONCE, "owner", "--pid-owner", *flags & FLAG_PID_OWNER);
+ if (!strtonum(optarg, NULL, &id, 0, INT_MAX))
+ param_act(P_BAD_VALUE, "owner", "--pid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_PID;
+ info->match |= IPT_OWNER_PID;
+ info->pid = id;
+ *flags |= FLAG_PID_OWNER;
+ return true;
+
+ case 's':
+ param_act(P_ONLY_ONCE, "owner", "--sid-owner", *flags & FLAG_SID_OWNER);
+ if (!strtonum(optarg, NULL, &id, 0, INT_MAX))
+ param_act(P_BAD_VALUE, "owner", "--sid-value", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_SID;
+ info->match |= IPT_OWNER_SID;
+ info->sid = id;
+ *flags |= FLAG_SID_OWNER;
+ return true;
+
+#ifdef IPT_OWNER_COMM
+ case 'c':
+ param_act(P_ONLY_ONCE, "owner", "--cmd-owner", *flags & FLAG_COMM);
+ if (strlen(optarg) > sizeof(info->comm))
+ exit_error(PARAMETER_PROBLEM, "owner match: command "
+ "\"%s\" too long, max. %zu characters",
+ optarg, sizeof(info->comm));
+
+ info->comm[sizeof(info->comm)-1] = '\0';
+ strncpy(info->comm, optarg, sizeof(info->comm));
+
+ if (invert)
+ info->invert |= IPT_OWNER_COMM;
+ info->match |= IPT_OWNER_COMM;
+ *flags |= FLAG_COMM;
+ return true;
+#endif
+ }
+ return false;
+}
+
+static int
+owner_mt6_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_owner_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ param_act(P_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!strtonum(optarg, NULL, &id, 0, ~(uid_t)0))
+ param_act(P_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_UID;
+ info->match |= IP6T_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ param_act(P_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!strtonum(optarg, NULL, &id, 0, ~(gid_t)0))
+ param_act(P_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_GID;
+ info->match |= IP6T_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'p':
+ param_act(P_ONLY_ONCE, "owner", "--pid-owner",
+ *flags & FLAG_PID_OWNER);
+ if (!strtonum(optarg, NULL, &id, 0, INT_MAX))
+ param_act(P_BAD_VALUE, "owner", "--pid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_PID;
+ info->match |= IP6T_OWNER_PID;
+ info->pid = id;
+ *flags |= FLAG_PID_OWNER;
+ return true;
+
+ case 's':
+ param_act(P_ONLY_ONCE, "owner", "--sid-owner",
+ *flags & FLAG_SID_OWNER);
+ if (!strtonum(optarg, NULL, &id, 0, INT_MAX))
+ param_act(P_BAD_VALUE, "owner", "--sid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_SID;
+ info->match |= IP6T_OWNER_SID;
+ info->sid = id;
+ *flags |= FLAG_SID_OWNER;
+ return true;
+ }
+ return false;
+}
+
+static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_owner_match_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ param_act(P_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!strtonum(optarg, NULL, &id, 0, ~(uid_t)0))
+ param_act(P_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= XT_OWNER_UID;
+ info->match |= XT_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ param_act(P_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!strtonum(optarg, NULL, &id, 0, ~(gid_t)0))
+ param_act(P_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= XT_OWNER_GID;
+ info->match |= XT_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'k':
+ param_act(P_ONLY_ONCE, "owner", "--socket-exists",
+ *flags & FLAG_SOCKET_EXISTS);
+ if (invert)
+ info->invert |= XT_OWNER_SOCKET;
+ info->match |= XT_OWNER_SOCKET;
+ *flags |= FLAG_SOCKET_EXISTS;
+ return true;
+
+ }
+ return false;
+}
+
+static void owner_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM, "owner: At least one of "
+ "--uid-owner, --gid-owner or --socket-exists "
+ "is required");
+}
+
+static void
+owner_mt_print_item_v0(const struct ipt_owner_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf(label);
+
+ switch (info->match & flag) {
+ case IPT_OWNER_UID:
+ if (!numeric) {
+ struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case IPT_OWNER_GID:
+ if (!numeric) {
+ struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+
+ case IPT_OWNER_PID:
+ printf("%u ", (unsigned int)info->pid);
+ break;
+
+ case IPT_OWNER_SID:
+ printf("%u ", (unsigned int)info->sid);
+ break;
+
+#ifdef IPT_OWNER_COMM
+ case IPT_OWNER_COMM:
+ printf("%.*s ", (int)sizeof(info->comm), info->comm);
+ break;
+#endif
+ }
+}
+
+static void
+owner_mt6_print_item_v0(const struct ip6t_owner_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf(label);
+
+ switch (info->match & flag) {
+ case IP6T_OWNER_UID:
+ if (!numeric) {
+ struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case IP6T_OWNER_GID:
+ if (!numeric) {
+ struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+
+ case IP6T_OWNER_PID:
+ printf("%u ", (unsigned int)info->pid);
+ break;
+
+ case IP6T_OWNER_SID:
+ printf("%u ", (unsigned int)info->sid);
+ break;
+ }
+}
+
+static void
+owner_mt_print_item(const struct xt_owner_match_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf(label);
+
+ switch (info->match & flag) {
+ case XT_OWNER_UID:
+ if (!numeric) {
+ const struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case XT_OWNER_GID:
+ if (!numeric) {
+ const struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+ }
+}
+
+static void
+owner_mt_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_owner_info *info = (void *)match->data;
+
+ owner_mt_print_item_v0(info, "owner UID match ", IPT_OWNER_UID, numeric);
+ owner_mt_print_item_v0(info, "owner GID match ", IPT_OWNER_GID, numeric);
+ owner_mt_print_item_v0(info, "owner PID match ", IPT_OWNER_PID, numeric);
+ owner_mt_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, numeric);
+#ifdef IPT_OWNER_COMM
+ owner_mt_print_item_v0(info, "owner CMD match ", IPT_OWNER_COMM, numeric);
+#endif
+}
+
+static void
+owner_mt6_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_owner_info *info = (void *)match->data;
+
+ owner_mt6_print_item_v0(info, "owner UID match ", IPT_OWNER_UID, numeric);
+ owner_mt6_print_item_v0(info, "owner GID match ", IPT_OWNER_GID, numeric);
+ owner_mt6_print_item_v0(info, "owner PID match ", IPT_OWNER_PID, numeric);
+ owner_mt6_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, numeric);
+}
+
+static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, "owner socket exists ", XT_OWNER_SOCKET, numeric);
+ owner_mt_print_item(info, "owner UID match ", XT_OWNER_UID, numeric);
+ owner_mt_print_item(info, "owner GID match ", XT_OWNER_GID, numeric);
+}
+
+static void
+owner_mt_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_owner_info *info = (void *)match->data;
+
+ owner_mt_print_item_v0(info, "owner UID match ", IPT_OWNER_UID, true);
+ owner_mt_print_item_v0(info, "owner GID match ", IPT_OWNER_GID, true);
+ owner_mt_print_item_v0(info, "owner PID match ", IPT_OWNER_PID, true);
+ owner_mt_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, true);
+#ifdef IPT_OWNER_COMM
+ owner_mt_print_item_v0(info, "owner CMD match ", IPT_OWNER_COMM, true);
+#endif
+}
+
+static void
+owner_mt6_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_owner_info *info = (void *)match->data;
+
+ owner_mt6_print_item_v0(info, "owner UID match ", IPT_OWNER_UID, true);
+ owner_mt6_print_item_v0(info, "owner GID match ", IPT_OWNER_GID, true);
+ owner_mt6_print_item_v0(info, "owner PID match ", IPT_OWNER_PID, true);
+ owner_mt6_print_item_v0(info, "owner SID match ", IPT_OWNER_SID, true);
+}
+
+static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, "--socket-exists ", XT_OWNER_SOCKET, false);
+ owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false);
+ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false);
+}
+
+static struct xtables_match owner_mt_reg_v0 = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct ipt_owner_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)),
+ .help = owner_mt_help_v0,
+ .parse = owner_mt_parse_v0,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print_v0,
+ .save = owner_mt_save_v0,
+ .extra_opts = owner_mt_opts_v0,
+};
+
+static struct xtables_match owner_mt6_reg_v0 = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct ip6t_owner_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)),
+ .help = owner_mt6_help_v0,
+ .parse = owner_mt6_parse_v0,
+ .final_check = owner_mt_check,
+ .print = owner_mt6_print_v0,
+ .save = owner_mt6_save_v0,
+ .extra_opts = owner_mt6_opts_v0,
+};
+
+static struct xtables_match owner_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+};
+
+static struct xtables_match owner_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "owner",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&owner_mt_reg_v0);
+ xtables_register_match(&owner_mt6_reg_v0);
+ xtables_register_match(&owner_mt_reg);
+ xtables_register_match(&owner_mt6_reg);
+}
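Review bot: the save hooks emit output that iptables-restore cannot parse. owner_mt_save_v0 and owner_mt6_save_v0 pass the human-readable labels ("owner UID match ", "owner GID match ", ...) to the print_item helpers, where the deleted libipt_owner.c and libip6t_owner.c used "--uid-owner ", "--gid-owner ", "--pid-owner ", "--sid-owner " and "--cmd-owner "; and in owner_mt_save the labels "--uid-owner" and "--gid-owner" lack the trailing space that "--socket-exists " has, so a saved rule comes out as `--uid-owner1000`. Suggest `owner_mt_print_item(info, "--uid-owner ", XT_OWNER_UID, true);` (numeric, as the two v0 save hooks already do) and the matching option strings in the v0 save hooks. Smaller points in the same file: the P_BAD_VALUE message in owner_mt_parse_v0's 's' case names "--sid-value" instead of "--sid-owner"; in the 'c' case the terminator is written before strncpy (the reverse of the deleted code), so an argument of exactly sizeof(info->comm) characters passes the `>` check and leaves comm unterminated, so either swap the two lines or make the check `>=`; owner_mt6_print_v0 and owner_mt6_save_v0 pass IPT_OWNER_* flags for a struct ip6t_owner_info, which only works while the IP6T_OWNER_* values happen to coincide; and `printf(label)` in the three print_item helpers takes a non-literal format string, where `printf("%s", label)` avoids the -Wformat-security warning. Finally, the merged IPv6 revision-0 path drops the IP6T_OWNER_COMM (--cmd-owner) option that the deleted libip6t_owner.c offered under #ifdef; if that is intentional it belongs in the changelog.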
Index: iptables-modules/extensions/libxt_owner.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_owner.man
@@ -0,0 +1,16 @@
+This module attempts to match various characteristics of the packet creator,
+for locally generated packets. This match is only valid in the OUTPUT and
+POSTROUTING chains. Forwarded packets do not have any socket associated with
+them. Packets from kernel threads do have a socket, but usually no owner.
+.TP
+\fB--uid-owner\fR \fIuserid\fR
+Matches if the packet socket's file structure (if it has one) is owned by the
+given user ID. A user name may be specified in place of \fIuserid\fR, in which
+case iptables will try to look it up.
+.TP
+\fB--gid-owner\fR \fIgroupid\fR
+Matches if the packet socket's file structure is owned by the given group ID.
+A group name may be specified in place of \fIgroupid\fR.
+.TP
+\fB--socket-exists\fR
+Matches if the packet is associated with a socket.
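Review bot: the new man page documents only the revision 1 options, while libxt_owner.c still registers revision 0 with --pid-owner, --sid-owner and (under IPT_OWNER_COMM) --cmd-owner, which the deleted libipt_owner.man and libip6t_owner.man described; either keep those .TP entries with a note that they only work on kernels providing the revision 0 match, or say in the text that they are no longer supported. The text could also mention that each option accepts the `!` prefix advertised in the help output.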
Index: iptables-modules/include/linux/netfilter/xt_owner.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_owner.h
@@ -0,0 +1,16 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+enum {
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+ XT_OWNER_SOCKET = 1 << 2,
+};
+
+struct xt_owner_match_info {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int8_t match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
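Review bot: the header uses u_int32_t and u_int8_t but includes nothing that declares them, so it compiles only when the includer has already pulled in <sys/types.h>; either add that include or use __u32/__u8 from <linux/types.h>, which need no libc header. A one-line comment saying that match and invert hold XT_OWNER_* bits would also help readers of the struct.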
* Re: [04/19] libxt_owner
2008-01-16 13:49 ` [04/19] libxt_owner Jan Engelhardt
@ 2008-01-20 13:20 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:20 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Import libxt_owner into iptables
>
>
> libxt_owner merges libipt_owner and libip6t_owner, and adds support
> for the xt_owner match revision 1.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libip6t_owner.c | 240 ---------------
> extensions/libip6t_owner.man | 23 -
> extensions/libipt_owner.c | 241 ---------------
> extensions/libipt_owner.man | 28 -
> extensions/libxt_owner.c | 574 +++++++++++++++++++++++++++++++++++++
> extensions/libxt_owner.man | 16 +
> include/linux/netfilter/xt_owner.h | 16 +
> 7 files changed, 606 insertions(+), 532 deletions(-)
Applied, thanks.
* [05/19] libxt_tos
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (3 preceding siblings ...)
2008-01-16 13:49 ` [04/19] libxt_owner Jan Engelhardt
@ 2008-01-16 13:49 ` Jan Engelhardt
2008-01-20 13:21 ` Patrick McHardy
2008-01-16 13:50 ` [06/19] libxt_TOS Jan Engelhardt
` (13 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:49 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Move libipt_tos revision 0 to libxt_tos revision 0 and add support
for xt_tos match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libipt_tos.c | 163 --------------------------------
extensions/libipt_tos.man | 9 -
extensions/libxt_tos.c | 190 ++++++++++++++++++++++++++++++++++++++
extensions/libxt_tos.man | 12 ++
extensions/tos_values.c | 90 ++++++++++++++++++
include/linux/netfilter/xt_dscp.h | 6 +
6 files changed, 298 insertions(+), 172 deletions(-)
Index: iptables-modules/extensions/libipt_tos.c
===================================================================
--- iptables-modules.orig/extensions/libipt_tos.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/* Shared library add-on to iptables to add TOS matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_tos.h>
-
-/* TOS names and values. */
-static const
-struct TOS_value
-{
- unsigned char TOS;
- const char *name;
-} TOS_values[] = {
- { IPTOS_LOWDELAY, "Minimize-Delay" },
- { IPTOS_THROUGHPUT, "Maximize-Throughput" },
- { IPTOS_RELIABILITY, "Maximize-Reliability" },
- { IPTOS_MINCOST, "Minimize-Cost" },
- { IPTOS_NORMALSVC, "Normal-Service" },
-};
-
-/* Function which prints out usage message. */
-static void tos_help(void)
-{
- unsigned int i;
-
- printf(
-"TOS match v%s options:\n"
-"[!] --tos value Match Type of Service field from one of the\n"
-" following numeric or descriptive values:\n",
-IPTABLES_VERSION);
-
- for (i = 0; i < sizeof(TOS_values)/sizeof(struct TOS_value);i++)
- printf(" %s %u (0x%02x)\n",
- TOS_values[i].name,
- TOS_values[i].TOS,
- TOS_values[i].TOS);
- fputc('\n', stdout);
-}
-
-static const struct option tos_opts[] = {
- { "tos", 1, NULL, '1' },
- { }
-};
-
-static void
-parse_tos(const char *s, struct ipt_tos_info *info)
-{
- unsigned int i;
- unsigned int tos;
-
- if (string_to_number(s, 0, 255, &tos) != -1) {
- if (tos == IPTOS_LOWDELAY
- || tos == IPTOS_THROUGHPUT
- || tos == IPTOS_RELIABILITY
- || tos == IPTOS_MINCOST
- || tos == IPTOS_NORMALSVC) {
- info->tos = (u_int8_t )tos;
- return;
- }
- } else {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (strcasecmp(s,TOS_values[i].name) == 0) {
- info->tos = TOS_values[i].TOS;
- return;
- }
- }
- exit_error(PARAMETER_PROBLEM, "Bad TOS value `%s'", s);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int tos_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_tos_info *tosinfo = (struct ipt_tos_info *)(*match)->data;
-
- switch (c) {
- case '1':
- /* Ensure that `--tos' haven't been used yet. */
- if (*flags == 1)
- exit_error(PARAMETER_PROBLEM,
- "tos match: only use --tos once!");
-
- check_inverse(optarg, &invert, &optind, 0);
- parse_tos(argv[optind-1], tosinfo);
- if (invert)
- tosinfo->invert = 1;
- *flags = 1;
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-print_tos(u_int8_t tos, int numeric)
-{
- unsigned int i;
-
- if (!numeric) {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (TOS_values[i].TOS == tos) {
- printf("%s ", TOS_values[i].name);
- return;
- }
- }
- printf("0x%02x ", tos);
-}
-
-/* Final check; must have specified --tos. */
-static void tos_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TOS match: You must specify `--tos'");
-}
-
-/* Prints out the matchinfo. */
-static void tos_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct ipt_tos_info *info = (const struct ipt_tos_info *)match->data;
-
- printf("TOS match ");
- if (info->invert)
- printf("!");
- print_tos(info->tos, numeric);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void tos_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct ipt_tos_info *info = (const struct ipt_tos_info *)match->data;
-
- if (info->invert)
- printf("! ");
- printf("--tos ");
- print_tos(info->tos, 0);
-}
-
-static struct iptables_match tos_match = {
- .name = "tos",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tos_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tos_info)),
- .help = tos_help,
- .parse = tos_parse,
- .final_check = tos_check,
- .print = tos_print,
- .save = tos_save,
- .extra_opts = tos_opts,
-};
-
-void _init(void)
-{
- register_match(&tos_match);
-}
Index: iptables-modules/extensions/libipt_tos.man
===================================================================
--- iptables-modules.orig/extensions/libipt_tos.man
+++ /dev/null
@@ -1,9 +0,0 @@
-This module matches the 8 bits of Type of Service field in the IP
-header (ie. including the precedence bits).
-.TP
-.BI "--tos " "tos"
-The argument is either a standard name, (use
-.br
- iptables -m tos -h
-.br
-to see the list), or a numeric value to match.
Index: iptables-modules/extensions/libxt_tos.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_tos.c
@@ -0,0 +1,190 @@
+/*
+ * Shared library add-on to iptables to add tos match support
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/netfilter_ipv4/ipt_tos.h>
+#include "tos_values.c"
+
+enum {
+ FLAG_TOS = 1 << 0,
+};
+
+static const struct option tos_mt_opts[] = {
+ {.name = "tos", .has_arg = true, .val = 't'},
+ {},
+};
+
+static void tos_mt_help(void)
+{
+ const struct tos_symbol_info *symbol;
+
+ printf(
+"tos match options:\n"
+"[!] --tos value[/mask] Match Type of Service/Priority field value\n"
+"[!] --tos symbol Match TOS field (IPv4 only) by symbol\n"
+" Accepted symbolic names for value are:\n");
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ printf(" (0x%02x) %2u %s\n",
+ symbol->value, symbol->value, symbol->name);
+
+ printf("\n");
+}
+
+static int tos_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_tos_info *info = (void *)(*match)->data;
+ struct tos_value_mask tvm;
+
+ switch (c) {
+ case 't':
+ param_act(P_ONLY_ONCE, "tos", "--tos", *flags & FLAG_TOS);
+ if (!tos_parse_symbolic(optarg, &tvm, 0xFF))
+ param_act(P_BAD_VALUE, "tos", "--tos", optarg);
+ if (tvm.mask != 0xFF)
+ exit_error(PARAMETER_PROBLEM, "tos: Your kernel is "
+ "too old to support anything besides /0xFF "
+ "as a mask.");
+ info->tos = tvm.value;
+ if (invert)
+ info->invert = true;
+ *flags |= FLAG_TOS;
+ return true;
+ }
+ return false;
+}
+
+static int tos_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_tos_match_info *info = (void *)(*match)->data;
+ struct tos_value_mask tvm = {.mask = 0xFF};
+
+ switch (c) {
+ case 't':
+ param_act(P_ONLY_ONCE, "tos", "--tos", *flags & FLAG_TOS);
+ if (!tos_parse_symbolic(optarg, &tvm, 0x3F))
+ param_act(P_BAD_VALUE, "tos", "--tos", optarg);
+ info->tos_value = tvm.value;
+ info->tos_mask = tvm.mask;
+ if (invert)
+ info->invert = true;
+ *flags |= FLAG_TOS;
+ return true;
+ }
+ return false;
+}
+
+static void tos_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "tos: --tos parameter required");
+}
+
+static void tos_mt_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_tos_info *info = (const void *)match->data;
+
+ printf("tos match ");
+ if (info->invert)
+ printf("!");
+ if (numeric || !tos_try_print_symbolic("", info->tos, 0x3F))
+ printf("0x%02x ", info->tos);
+}
+
+static void tos_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_tos_match_info *info = (const void *)match->data;
+
+ printf("tos match ");
+ if (info->invert)
+ printf("!");
+ if (numeric ||
+ !tos_try_print_symbolic("", info->tos_value, info->tos_mask))
+ printf("0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static void tos_mt_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_tos_info *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+ printf("--tos 0x%02x ", info->tos);
+}
+
+static void tos_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_tos_match_info *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+ printf("--tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static struct xtables_match tos_mt_reg_v0 = {
+ .version = IPTABLES_VERSION,
+ .name = "tos",
+ .family = AF_INET,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct ipt_tos_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)),
+ .help = tos_mt_help,
+ .parse = tos_mt_parse_v0,
+ .final_check = tos_mt_check,
+ .print = tos_mt_print_v0,
+ .save = tos_mt_save_v0,
+ .extra_opts = tos_mt_opts,
+};
+
+static struct xtables_match tos_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "tos",
+ .family = AF_INET,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+ .help = tos_mt_help,
+ .parse = tos_mt_parse,
+ .final_check = tos_mt_check,
+ .print = tos_mt_print,
+ .save = tos_mt_save,
+ .extra_opts = tos_mt_opts,
+};
+
+static struct xtables_match tos_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "tos",
+ .family = AF_INET6,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)),
+ .help = tos_mt_help,
+ .parse = tos_mt_parse,
+ .final_check = tos_mt_check,
+ .print = tos_mt_print,
+ .save = tos_mt_save,
+ .extra_opts = tos_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&tos_mt_reg_v0);
+ xtables_register_match(&tos_mt_reg);
+ xtables_register_match(&tos_mt6_reg);
+}
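Review bot: the `param_act(P_BAD_VALUE, "tos", "--tos", optarg)` after `tos_parse_symbolic()` in both tos_mt_parse_v0() and tos_mt_parse() is unreachable, because tos_parse_symbolic() in tos_values.c calls exit_error() on every failure path and otherwise returns true; either let it return false so the caller's message is used, or drop the dead check. Also, tos_mt_print_v0() hands the literal 0x3F to tos_try_print_symbolic() purely to force symbolic output (the revision 0 match only ever stores a /0xFF value), which deserves a comment, and it disagrees with tos_tg_print_v0() in patch 06, which passes 0xFF for the same situation and so never prints a symbol. Finally, tos_mt_help() advertises symbols as "IPv4 only" but tos_mt_parse() is shared with tos_mt6_reg and has no family check, so a symbolic name is accepted for IPv6 too.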
Index: iptables-modules/extensions/libxt_tos.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_tos.man
@@ -0,0 +1,12 @@
+This module matches the 8-bit Type of Service field in the IPv4 header (i.e.
+including the "Precedence" bits) or the (also 8-bit) Priority field in the IPv6
+header.
+.TP
+\fB--tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Matches packets with the given TOS mark value. If a mask is specified, it is
+logically ANDed with the TOS mark before the comparison.
+.TP
+\fB--tos\fR \fIsymbol\fR
+You can specify a symbolic name when using the tos match for IPv4. The list of
+recognized TOS names can be obtained by calling iptables with \fB-m tos -h\fR.
+Note that this implies a mask of 0x3F, i.e. all but the ECN bits.
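Review bot: the last sentence says a symbolic name implies a mask of 0x3F, "i.e. all but the ECN bits"; the ECN codepoint is the two least-significant bits of the byte (RFC 3168), so the mask that excludes them is 0xFC, while 0x3F excludes the two most-significant bits instead. Either the mask or the explanation needs fixing, and whichever wins has to agree with the 0x3F passed in tos_mt_parse() and the "Do not consider ECN bits" comment in tos_values.c.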
Index: iptables-modules/extensions/tos_values.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/tos_values.c
@@ -0,0 +1,90 @@
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+
+struct tos_value_mask {
+ uint8_t value, mask;
+};
+
+static const struct tos_symbol_info {
+ unsigned char value;
+ const char *name;
+} tos_symbol_names[] = {
+ {IPTOS_LOWDELAY, "Minimize-Delay"},
+ {IPTOS_THROUGHPUT, "Maximize-Throughput"},
+ {IPTOS_RELIABILITY, "Maximize-Reliability"},
+ {IPTOS_MINCOST, "Minimize-Cost"},
+ {IPTOS_NORMALSVC, "Normal-Service"},
+ {},
+};
+
+/*
+ * tos_parse_numeric - parse sth. like "15/255"
+ *
+ * @s: input string
+ * @info: accompanying structure
+ * @bits: number of bits that are allowed
+ * (8 for IPv4 TOS field, 4 for IPv6 Priority Field)
+ */
+static bool tos_parse_numeric(const char *str, struct tos_value_mask *tvm,
+ unsigned int bits)
+{
+ const unsigned int max = (1 << bits) - 1;
+ unsigned int value;
+ char *end;
+
+ strtonum(str, &end, &value, 0, max);
+ tvm->value = value;
+ tvm->mask = max;
+
+ if (*end == '/') {
+ const char *p = end + 1;
+
+ if (!strtonum(p, &end, &value, 0, max))
+ exit_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"",
+ str);
+ tvm->mask = value;
+ }
+
+ if (*end != '\0')
+ exit_error(PARAMETER_PROBLEM, "Illegal value: \"%s\"", str);
+ return true;
+}
+
+static bool tos_parse_symbolic(const char *str, struct tos_value_mask *tvm,
+ unsigned int def_mask)
+{
+ const unsigned int max = 255;
+ const struct tos_symbol_info *symbol;
+
+ if (strtonum(str, NULL, NULL, 0, max))
+ return tos_parse_numeric(str, tvm, max);
+
+ /* Do not consider ECN bits */
+ tvm->mask = def_mask;
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ if (strcasecmp(str, symbol->name) == 0) {
+ tvm->value = symbol->value;
+ return true;
+ }
+
+ exit_error(PARAMETER_PROBLEM, "Symbolic name \"%s\" is unknown", str);
+ return false;
+}
+
+static bool tos_try_print_symbolic(const char *prefix,
+ u_int8_t value, u_int8_t mask)
+{
+ const struct tos_symbol_info *symbol;
+
+ if (mask != 0x3F)
+ return false;
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ if (value == symbol->value) {
+ printf("%s%s ", prefix, symbol->name);
+ return true;
+ }
+
+ return false;
+}
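Review bot: tos_parse_numeric() takes a bit count (`bits`, documented as 8 or 4) and computes `max = (1 << bits) - 1`, but its only caller tos_parse_symbolic() passes `max` = 255, so the shift is `1 << 255`: undefined behaviour on a 32-bit int, 0x7fffffff on x86 in practice, after which the parsed value is silently truncated into uint8_t. Either pass 8 or rename the parameter to `max` and drop the shift. While here: the kernel-doc names `@s` and `@info` but the parameters are `str` and `tvm`; the return value of the first strtonum() call is ignored, so on failure `value` and `end` are used uninitialized; the comment calls the IPv6 Priority field 4 bits while libxt_tos.man calls it 8; and if strtonum() with end == NULL requires the whole string to be consumed, "value/mask" input never reaches tos_parse_numeric() at all and ends in "Symbolic name ... is unknown". strcasecmp() also needs <strings.h> (or <string.h>) which this file does not include itself.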
Index: iptables-modules/include/linux/netfilter/xt_dscp.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_dscp.h
+++ iptables-modules/include/linux/netfilter/xt_dscp.h
@@ -20,4 +20,10 @@ struct xt_dscp_info {
u_int8_t invert;
};
+struct xt_tos_match_info {
+ u_int8_t tos_mask;
+ u_int8_t tos_value;
+ u_int8_t invert;
+};
+
#endif /* _XT_DSCP_H */
* [06/19] libxt_TOS
From: Jan Engelhardt @ 2008-01-16 13:50 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support
for xt_TOS target revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libipt_TOS.c | 159 -----------------------
extensions/libipt_TOS.man | 11 -
extensions/libxt_TOS.c | 257 ++++++++++++++++++++++++++++++++++++++
extensions/libxt_TOS.man | 27 +++
include/linux/netfilter/xt_DSCP.h | 5
5 files changed, 289 insertions(+), 170 deletions(-)
Index: iptables-modules/extensions/libipt_TOS.c
===================================================================
--- iptables-modules.orig/extensions/libipt_TOS.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* Shared library add-on to iptables to add TOS target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TOS.h>
-
-struct tosinfo {
- struct xt_entry_target t;
- struct ipt_tos_target_info tos;
-};
-
-/* TOS names and values. */
-static const
-struct TOS_value
-{
- unsigned char TOS;
- const char *name;
-} TOS_values[] = {
- { IPTOS_LOWDELAY, "Minimize-Delay" },
- { IPTOS_THROUGHPUT, "Maximize-Throughput" },
- { IPTOS_RELIABILITY, "Maximize-Reliability" },
- { IPTOS_MINCOST, "Minimize-Cost" },
- { IPTOS_NORMALSVC, "Normal-Service" },
-};
-
-/* Function which prints out usage message. */
-static void TOS_help(void)
-{
- unsigned int i;
-
- printf(
-"TOS target v%s options:\n"
-" --set-tos value Set Type of Service field to one of the\n"
-" following numeric or descriptive values:\n",
-IPTABLES_VERSION);
-
- for (i = 0; i < sizeof(TOS_values)/sizeof(struct TOS_value);i++)
- printf(" %s %u (0x%02x)\n",
- TOS_values[i].name,
- TOS_values[i].TOS,
- TOS_values[i].TOS);
- fputc('\n', stdout);
-}
-
-static const struct option TOS_opts[] = {
- { "set-tos", 1, NULL, '1' },
- { }
-};
-
-static void
-parse_tos(const char *s, struct ipt_tos_target_info *info)
-{
- unsigned int i, tos;
-
- if (string_to_number(s, 0, 255, &tos) != -1) {
- if (tos == IPTOS_LOWDELAY
- || tos == IPTOS_THROUGHPUT
- || tos == IPTOS_RELIABILITY
- || tos == IPTOS_MINCOST
- || tos == IPTOS_NORMALSVC) {
- info->tos = (u_int8_t )tos;
- return;
- }
- } else {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (strcasecmp(s,TOS_values[i].name) == 0) {
- info->tos = TOS_values[i].TOS;
- return;
- }
- }
- exit_error(PARAMETER_PROBLEM, "Bad TOS value `%s'", s);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int TOS_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
-{
- struct ipt_tos_target_info *tosinfo
- = (struct ipt_tos_target_info *)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "TOS target: Cant specify --set-tos twice");
- parse_tos(optarg, tosinfo);
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void TOS_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "TOS target: Parameter --set-tos is required");
-}
-
-static void
-print_tos(u_int8_t tos, int numeric)
-{
- unsigned int i;
-
- if (!numeric) {
- for (i = 0; i<sizeof(TOS_values)/sizeof(struct TOS_value); i++)
- if (TOS_values[i].TOS == tos) {
- printf("%s ", TOS_values[i].name);
- return;
- }
- }
- printf("0x%02x ", tos);
-}
-
-/* Prints out the targinfo. */
-static void TOS_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
-{
- const struct ipt_tos_target_info *tosinfo =
- (const struct ipt_tos_target_info *)target->data;
- printf("TOS set ");
- print_tos(tosinfo->tos, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void TOS_save(const void *ip, const struct xt_entry_target *target)
-{
- const struct ipt_tos_target_info *tosinfo =
- (const struct ipt_tos_target_info *)target->data;
-
- printf("--set-tos 0x%02x ", tosinfo->tos);
-}
-
-static struct iptables_target tos_target = {
- .name = "TOS",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_tos_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_tos_target_info)),
- .help = TOS_help,
- .parse = TOS_parse,
- .final_check = TOS_check,
- .print = TOS_print,
- .save = TOS_save,
- .extra_opts = TOS_opts,
-};
-
-void _init(void)
-{
- register_target(&tos_target);
-}
Index: iptables-modules/extensions/libipt_TOS.man
===================================================================
--- iptables-modules.orig/extensions/libipt_TOS.man
+++ /dev/null
@@ -1,11 +0,0 @@
-This is used to set the 8-bit Type of Service field in the IP header.
-It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-tos " "tos"
-You can use a numeric TOS values, or use
-.nf
- iptables -j TOS -h
-.fi
-to see the list of valid TOS names.
Index: iptables-modules/extensions/libxt_TOS.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_TOS.c
@@ -0,0 +1,257 @@
+/*
+ * Shared library add-on to iptables to add TOS target support
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_DSCP.h>
+#include <linux/netfilter_ipv4/ipt_TOS.h>
+#include "tos_values.c"
+
+enum {
+ FLAG_TOS = 1 << 0,
+};
+
+static const struct option tos_tg_opts_v0[] = {
+ {.name = "set-tos", .has_arg = true, .val = '='},
+ {},
+};
+
+static const struct option tos_tg_opts[] = {
+ {.name = "set-tos", .has_arg = true, .val = '='},
+ {.name = "and-tos", .has_arg = true, .val = '&'},
+ {.name = "or-tos", .has_arg = true, .val = '|'},
+ {.name = "xor-tos", .has_arg = true, .val = '^'},
+ {},
+};
+
+static void tos_tg_help_v0(void)
+{
+ const struct tos_symbol_info *symbol;
+
+ printf(
+"TOS target options:\n"
+" --set-tos value Set Type of Service/Priority field to value\n"
+" --set-tos symbol Set TOS field (IPv4 only) by symbol\n"
+" Accepted symbolic names for value are:\n");
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ printf(" (0x%02x) %2u %s\n",
+ symbol->value, symbol->value, symbol->name);
+
+ printf("\n");
+}
+
+static void tos_tg_help(void)
+{
+ const struct tos_symbol_info *symbol;
+
+ printf(
+"TOS target v%s options:\n"
+" --set-tos value[/mask] Set Type of Service/Priority field to value\n"
+" (Zero out bits in mask and XOR value into TOS)\n"
+" --set-tos symbol Set TOS field (IPv4 only) by symbol\n"
+" (this zeroes the 4-bit Precedence part!)\n"
+" Accepted symbolic names for value are:\n",
+IPTABLES_VERSION);
+
+ for (symbol = tos_symbol_names; symbol->name != NULL; ++symbol)
+ printf(" (0x%02x) %2u %s\n",
+ symbol->value, symbol->value, symbol->name);
+
+ printf(
+"\n"
+" --and-tos bits Binary AND the TOS value with bits\n"
+" --or-tos bits Binary OR the TOS value with bits\n"
+" --xor-tos bits Binary XOR the TOS value with bits\n"
+);
+}
+
+static int tos_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct ipt_tos_target_info *info = (void *)(*target)->data;
+ struct tos_value_mask tvm;
+
+ switch (c) {
+ case '=':
+ param_act(P_ONLY_ONCE, "TOS", "--set-tos", *flags & FLAG_TOS);
+ param_act(P_NO_INVERT, "TOS", "--set-tos", invert);
+ if (!tos_parse_symbolic(optarg, &tvm, 0xFF))
+ param_act(P_BAD_VALUE, "TOS", "--set-tos", optarg);
+ if (tvm.mask != 0xFF)
+ exit_error(PARAMETER_PROBLEM, "tos match: Your kernel "
+ "is too old to support anything besides "
+ "/0xFF as a mask.");
+ info->tos = tvm.value;
+ *flags |= FLAG_TOS;
+ return true;
+ }
+
+ return false;
+}
+
+static int tos_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tos_target_info *info = (void *)(*target)->data;
+ struct tos_value_mask tvm;
+ unsigned int bits;
+
+ switch (c) {
+ case '=': /* --set-tos */
+ param_act(P_ONLY_ONCE, "TOS", "--set-tos", *flags & FLAG_TOS);
+ param_act(P_NO_INVERT, "TOS", "--set-tos", invert);
+ if (!tos_parse_symbolic(optarg, &tvm, 0x3F))
+ param_act(P_BAD_VALUE, "TOS", "--set-tos", optarg);
+ info->tos_value = tvm.value;
+ info->tos_mask = tvm.mask;
+ break;
+
+ case '&': /* --and-tos */
+ param_act(P_ONLY_ONCE, "TOS", "--and-tos", *flags & FLAG_TOS);
+ param_act(P_NO_INVERT, "TOS", "--and-tos", invert);
+ if (!strtonum(optarg, NULL, &bits, 0, 0xFF))
+ param_act(P_BAD_VALUE, "TOS", "--and-tos", optarg);
+ info->tos_value = 0;
+ info->tos_mask = ~bits;
+ break;
+
+ case '|': /* --or-tos */
+ param_act(P_ONLY_ONCE, "TOS", "--or-tos", *flags & FLAG_TOS);
+ param_act(P_NO_INVERT, "TOS", "--or-tos", invert);
+ if (!strtonum(optarg, NULL, &bits, 0, 0xFF))
+ param_act(P_BAD_VALUE, "TOS", "--or-tos", optarg);
+ info->tos_value = bits;
+ info->tos_mask = bits;
+ break;
+
+ case '^': /* --xor-tos */
+ param_act(P_ONLY_ONCE, "TOS", "--xor-tos", *flags & FLAG_TOS);
+ param_act(P_NO_INVERT, "TOS", "--xor-tos", invert);
+ if (!strtonum(optarg, NULL, &bits, 0, 0xFF))
+ param_act(P_BAD_VALUE, "TOS", "--xor-tos", optarg);
+ info->tos_value = bits;
+ info->tos_mask = 0;
+ break;
+
+ default:
+ return false;
+ }
+
+ *flags |= FLAG_TOS;
+ return true;
+}
+
+static void tos_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "TOS: The --set-tos parameter is required");
+}
+
+static void tos_tg_print_v0(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct ipt_tos_target_info *info = (const void *)target->data;
+
+ printf("TOS set ");
+ if (numeric || !tos_try_print_symbolic("", info->tos, 0xFF))
+ printf("0x%02x ", info->tos);
+}
+
+static void tos_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tos_target_info *info = (const void *)target->data;
+
+ if (numeric)
+ printf("TOS set 0x%02x/0x%02x ",
+ info->tos_value, info->tos_mask);
+ else if (tos_try_print_symbolic("TOS set ",
+ info->tos_value, info->tos_mask))
+ /* already printed by call */
+ return;
+ else if (info->tos_value == 0)
+ printf("TOS and 0x%02x ",
+ (unsigned int)(u_int8_t)~info->tos_mask);
+ else if (info->tos_value == info->tos_mask)
+ printf("TOS or 0x%02x ", info->tos_value);
+ else if (info->tos_mask == 0)
+ printf("TOS xor 0x%02x ", info->tos_value);
+ else
+ printf("TOS set 0x%02x/0x%02x ",
+ info->tos_value, info->tos_mask);
+}
+
+static void tos_tg_save_v0(const void *ip, const struct xt_entry_target *target)
+{
+ const struct ipt_tos_target_info *info = (const void *)target->data;
+
+ printf("--set-tos 0x%02x ", info->tos);
+}
+
+static void tos_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tos_target_info *info = (const void *)target->data;
+
+ printf("--set-tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask);
+}
+
+static struct xtables_target tos_tg_reg_v0 = {
+ .version = IPTABLES_VERSION,
+ .name = "TOS",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .help = tos_tg_help_v0,
+ .parse = tos_tg_parse_v0,
+ .final_check = tos_tg_check,
+ .print = tos_tg_print_v0,
+ .save = tos_tg_save_v0,
+ .extra_opts = tos_tg_opts_v0,
+};
+
+static struct xtables_target tos_tg_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "TOS",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .help = tos_tg_help,
+ .parse = tos_tg_parse,
+ .final_check = tos_tg_check,
+ .print = tos_tg_print,
+ .save = tos_tg_save,
+ .extra_opts = tos_tg_opts,
+};
+
+static struct xtables_target tos_tg6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "TOS",
+ .family = AF_INET6,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)),
+ .help = tos_tg_help,
+ .parse = tos_tg_parse,
+ .final_check = tos_tg_check,
+ .print = tos_tg_print,
+ .save = tos_tg_save,
+ .extra_opts = tos_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tos_tg_reg_v0);
+ xtables_register_target(&tos_tg_reg);
+ xtables_register_target(&tos_tg6_reg);
+}
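Review bot: tos_tg_reg_v0 registers `.size`/`.userspacesize` as XT_ALIGN(sizeof(struct xt_tos_target_info)) while tos_tg_parse_v0(), tos_tg_print_v0() and tos_tg_save_v0() all operate on struct ipt_tos_target_info; XT_ALIGN happens to round both to the same size today, but the revision 0 registration should name the revision 0 struct. Also, tos_tg_print_v0() passes 0xFF to tos_try_print_symbolic(), which returns false for any mask other than 0x3F, so the v0 target never prints "Minimize-Delay" and friends the way the print_tos() it replaces did. Smaller points: the "too old" error in tos_tg_parse_v0() is prefixed "tos match:" inside the TOS target, and tos_tg_check() claims "--set-tos parameter is required" although revision 1 is equally satisfied by --and-tos, --or-tos or --xor-tos.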
Index: iptables-modules/extensions/libxt_TOS.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_TOS.man
@@ -0,0 +1,27 @@
+This module sets the Type of Service field in the IPv4 header (including the
+'precedence' bits) or the Priority field in the IPv6 header. Note that TOS
+shares the same bits as DSCP and ECN. The TOS target is only valid in the
+\fBmangle\fR table.
+.TP
+\fB--set-tos\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the
+TOS/Priority field. If \fImask\fR is omitted, 0xFF is assumed.
+.TP
+\fB--set-tos\fR \fIsymbol\fR
+You can specify a symbolic name when using the TOS target for IPv4. It implies
+a mask of 0xFF. The list of recognized TOS names can be obtained by calling
+iptables with \fB-j TOS -h\fR.
+.PP
+The following mnemonics are available:
+.TP
+\fB--and-tos\fR \fIbits\fR
+Binary AND the TOS value with \fIbits\fR. (Mnemonic for \fB--set-tos
+0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+.TP
+\fB--or-tos\fR \fIbits\fR
+Binary OR the TOS value with \fIbits\fR. (Mnemonic for \fB--set-tos\fR
+\fIbits\fR\fB/\fR\fIbits\fR.)
+.TP
+\fB--xor-tos\fR \fIbits\fR
+Binary XOR the TOS value with \fIbits\fR. (Mnemonic for \fB--set-tos\fR
+\fIbits\fR\fB/0\fR.)
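Review bot: the --set-tos symbol paragraph says "It implies a mask of 0xFF", but tos_tg_parse() calls `tos_parse_symbolic(optarg, &tvm, 0x3F)`, and tos_tg_help() says the symbolic form "zeroes the 4-bit Precedence part"; with a mask of 0x3F the top two bits of the byte are left untouched, so Precedence is not zeroed, and libxt_tos.man documents 0x3F for the match. Pick one mask, state it identically in help, man page and code, and spell out what happens to the Precedence bits.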
Index: iptables-modules/include/linux/netfilter/xt_DSCP.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_DSCP.h
+++ iptables-modules/include/linux/netfilter/xt_DSCP.h
@@ -17,4 +17,9 @@ struct xt_DSCP_info {
u_int8_t dscp;
};
+struct xt_tos_target_info {
+ u_int8_t tos_value;
+ u_int8_t tos_mask;
+};
+
#endif /* _XT_DSCP_TARGET_H */
* Re: [06/19] libxt_TOS
From: Patrick McHardy @ 2008-01-20 13:24 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support
> for xt_TOS target revision 1.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libipt_TOS.c | 159 -----------------------
> extensions/libipt_TOS.man | 11 -
> extensions/libxt_TOS.c | 257 ++++++++++++++++++++++++++++++++++++++
> extensions/libxt_TOS.man | 27 +++
> include/linux/netfilter/xt_DSCP.h | 5
> 5 files changed, 289 insertions(+), 170 deletions(-)
Applied.
* [07/19] libxt_CONNMARK r1
From: Jan Engelhardt @ 2008-01-16 13:50 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add support for xt_CONNMARK target revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_CONNMARK.c | 266 ++++++++++++++++++++++++++++++++--
extensions/libxt_CONNMARK.man | 51 ++++--
include/linux/netfilter/xt_CONNMARK.h | 5
3 files changed, 300 insertions(+), 22 deletions(-)
Index: iptables-modules/extensions/libxt_CONNMARK.c
===================================================================
--- iptables-modules.orig/extensions/libxt_CONNMARK.c
+++ iptables-modules/extensions/libxt_CONNMARK.c
@@ -28,12 +28,10 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CONNMARK.h>
-#if 0
-struct markinfo {
- struct xt_entry_target t;
- struct ipt_connmark_target_info mark;
+enum {
+ F_MARK = 1 << 0,
+ F_SR_MARK = 1 << 1,
};
-#endif
/* Function which prints out usage message. */
static void CONNMARK_help(void)
@@ -55,6 +53,52 @@ static const struct option CONNMARK_opts
{ }
};
+static const struct option connmark_tg_opts[] = {
+ {.name = "set-xmark", .has_arg = true, .val = '='},
+ {.name = "set-mark", .has_arg = true, .val = '-'},
+ {.name = "and-mark", .has_arg = true, .val = '&'},
+ {.name = "or-mark", .has_arg = true, .val = '|'},
+ {.name = "xor-mark", .has_arg = true, .val = '^'},
+ {.name = "save-mark", .has_arg = false, .val = 'S'},
+ {.name = "restore-mark", .has_arg = false, .val = 'R'},
+ {.name = "ctmask", .has_arg = true, .val = 'c'},
+ {.name = "nfmask", .has_arg = true, .val = 'n'},
+ {.name = "mask", .has_arg = true, .val = 'm'},
+ {},
+};
+
+static void connmark_tg_help(void)
+{
+ printf(
+"CONNMARK target options:\n"
+" XOR-based operations:\n"
+" --set-xmark value[/ctmask] Zero mask bits and XOR ctmark with value\n"
+" --save-mark [--ctmask mask] [--nfmask mask]\n"
+" Copy ctmark to nfmark using masks\n"
+" --restore-mark [--ctmask mask] [--nfmask mask]\n"
+" Copy nfmark to ctmark using masks\n"
+" --and-mark bits\n"
+" --or-mark bits\n"
+" --xor-mark bits\n"
+" OR-based operations (deprecated):\n"
+" --set-mark value[/mask] Set conntrack mark value\n"
+" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
+" --restore-mark [--mask mask] Restore saved nfmark value\n"
+);
+}
+
+static void connmark_tg_init(struct xt_entry_target *target)
+{
+ struct xt_connmark_tginfo1 *info = (void *)target->data;
+
+ /*
+ * Need these defaults for --save-mark/--restore-mark if no
+ * --ctmark or --nfmask is given.
+ */
+ info->ctmask = ~0U;
+ info->nfmask = ~0U;
+}
+
/* Function which parses command options; returns true if it
ate an option */
static int
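Review bot: the direction strings in connmark_tg_help are swapped: `--save-mark` is described as "Copy ctmark to nfmark using masks" and `--restore-mark` as "Copy nfmark to ctmark using masks", but XT_CONNMARK_SAVE copies the packet mark into the connection and RESTORE does the reverse, which is also what the libxt_CONNMARK.man hunk in this same patch says. The comment in connmark_tg_init reads "--ctmark or --nfmask"; the option is `--ctmask`. Listing `--save-mark`/`--restore-mark` under "OR-based operations (deprecated)" is also misleading, since the same two option names are the non-deprecated XOR forms a few lines above; only the `--mask` spelling is the legacy part, so say that instead.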
@@ -110,7 +154,110 @@ CONNMARK_parse(int c, char **argv, int i
return 1;
}
-static void CONNMARK_check(unsigned int flags)
+static int connmark_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_target **target)
+{
+ struct xt_connmark_tginfo1 *info = (void *)(*target)->data;
+ unsigned int value, mask = ~0U;
+ char *end;
+
+ switch (c) {
+ case '=': /* --set-xmark */
+ case '-': /* --set-mark */
+ param_act(P_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!strtonum(optarg, &end, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--set-xmark/--set-mark", optarg);
+ if (*end == '/')
+ if (!strtonum(end + 1, &end, &mask, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--set-xmark/--set-mark", optarg);
+ if (*end != '\0')
+ param_act(P_BAD_VALUE, "CONNMARK", "--set-xmark/--set-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = value;
+ info->ctmask = mask;
+ if (c == '-')
+ info->ctmask = value | mask;
+ *flags |= F_MARK;
+ return true;
+
+ case '&': /* --and-mark */
+ param_act(P_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!strtonum(optarg, NULL, &mask, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--and-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = 0;
+ info->ctmask = ~mask;
+ *flags |= F_MARK;
+ return true;
+
+ case '|': /* --or-mark */
+ param_act(P_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--or-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = value;
+ info->ctmask = value;
+ *flags |= F_MARK;
+ return true;
+
+ case '^': /* --xor-mark */
+ param_act(P_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--xor-mark", optarg);
+ info->mode = XT_CONNMARK_SET;
+ info->ctmark = value;
+ info->ctmask = 0;
+ *flags |= F_MARK;
+ return true;
+
+ case 'S': /* --save-mark */
+ param_act(P_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ info->mode = XT_CONNMARK_SAVE;
+ *flags |= F_MARK | F_SR_MARK;
+ return true;
+
+ case 'R': /* --restore-mark */
+ param_act(P_ONE_ACTION, "CONNMARK", *flags & F_MARK);
+ info->mode = XT_CONNMARK_RESTORE;
+ *flags |= F_MARK | F_SR_MARK;
+ return true;
+
+ case 'n': /* --nfmask */
+ if (!(*flags & F_SR_MARK))
+ exit_error(PARAMETER_PROBLEM, "CONNMARK: --save-mark "
+ "or --restore-mark is required for "
+ "--nfmask");
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--nfmask", optarg);
+ info->nfmask = value;
+ return true;
+
+ case 'c': /* --ctmask */
+ if (!(*flags & F_SR_MARK))
+ exit_error(PARAMETER_PROBLEM, "CONNMARK: --save-mark "
+ "or --restore-mark is required for "
+ "--ctmask");
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--ctmask", optarg);
+ info->ctmask = value;
+ return true;
+
+ case 'm': /* --mask */
+ if (!(*flags & F_SR_MARK))
+ exit_error(PARAMETER_PROBLEM, "CONNMARK: --save-mark "
+ "or --restore-mark is required for "
+ "--mask");
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "CONNMARK", "--mask", optarg);
+ info->nfmask = info->ctmask = value;
+ return true;
+ }
+
+ return false;
+}
+
+static void connmark_tg_check(unsigned int flags)
{
if (!flags)
exit_error(PARAMETER_PROBLEM,
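Review bot: `--ctmask`, `--nfmask` and `--mask` are rejected unless `--save-mark` or `--restore-mark` has already been parsed (the 'n', 'c' and 'm' cases test F_SR_MARK), so `--ctmask 0xff --save-mark` fails while `--save-mark --ctmask 0xff` works; either document that the action must come first or store the masks unconditionally and validate the combination in connmark_tg_check. Unlike mark_tg_parse in 08/19, none of these cases call param_act(P_NO_INVERT, ...), so a stray `!` in front of any CONNMARK option is silently accepted. The `--set-mark` path implements OR semantics with `info->ctmask = value | mask;` directly after the plain `info->ctmask = mask;` assignment; that is correct but deserves a one-line comment ("clear the mask bits, then OR the value in"), as it is easy to read as a mistake.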
@@ -159,6 +306,50 @@ static void CONNMARK_print(const void *i
}
}
+static void
+connmark_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_connmark_tginfo1 *info = (const void *)target->data;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ if (info->ctmark == 0)
+ printf("CONNMARK and 0x%x ",
+ (unsigned int)(u_int32_t)~info->ctmask);
+ else if (info->ctmark == info->ctmask)
+ printf("CONNMARK or 0x%x ", info->ctmark);
+ else if (info->ctmask == 0)
+ printf("CONNMARK xor 0x%x ", info->ctmark);
+ else
+ printf("CONNMARK xset 0x%x/0x%x ",
+ info->ctmark, info->ctmask);
+ break;
+ case XT_CONNMARK_SAVE:
+ if (info->nfmask == ~0U && info->ctmask == ~0U)
+ printf("CONNMARK save ");
+ else if (info->nfmask == info->ctmask)
+ printf("CONNMARK save mask 0x%x ", info->nfmask);
+ else
+ printf("CONNMARK save nfmask 0x%x ctmask ~0x%x ",
+ info->nfmask, info->ctmask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ if (info->ctmask == ~0U && info->nfmask == ~0U)
+ printf("CONNMARK restore ");
+ else if (info->ctmask == info->nfmask)
+ printf("CONNMARK restore mask 0x%x ", info->ctmask);
+ else
+ printf("CONNMARK restore ctmask 0x%x nfmask ~0x%x ",
+ info->ctmask, info->nfmask);
+ break;
+
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE");
+ break;
+ }
+}
+
/* Saves the target into in parsable form to stdout. */
static void CONNMARK_save(const void *ip, const struct xt_entry_target *target)
{
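Review bot: the "ctmask ~0x%x" and "nfmask ~0x%x" formats in the SAVE and RESTORE branches of connmark_tg_print print the raw mask with a literal tilde in front, which reads as if the displayed value were the complement; print "ctmask 0x%x" as the "mask" branch does, or print ~info->ctmask if the complement is really intended, as the "and" case does. The SET branch tests `info->ctmark == 0` first, so `--set-xmark 0/0` and `--xor-mark 0` both list as "CONNMARK and 0xffffffff"; that is the equivalent operation, so it is fine, but a comment saying the and/or/xor/xset split is only a display heuristic would save the next reader a detour.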
@@ -194,16 +385,40 @@ static void CONNMARK_init(struct xt_entr
markinfo->mask = 0xffffffffUL;
}
+static void
+connmark_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_connmark_tginfo1 *info = (const void *)target->data;
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+ printf("--set-xmark 0x%x/0x%x ", info->ctmark, info->ctmask);
+ break;
+ case XT_CONNMARK_SAVE:
+ printf("--save-mark --nfmask 0x%x --ctmask 0x%x ",
+ info->nfmask, info->ctmask);
+ break;
+ case XT_CONNMARK_RESTORE:
+ printf("--restore-mark --nfmask 0x%x --ctmask 0x%x ",
+ info->nfmask, info->ctmask);
+ break;
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE");
+ break;
+ }
+}
+
static struct xtables_target connmark_target = {
.family = AF_INET,
.name = "CONNMARK",
+ .revision = 0,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.help = CONNMARK_help,
.init = CONNMARK_init,
.parse = CONNMARK_parse,
- .final_check = CONNMARK_check,
+ .final_check = connmark_tg_check,
.print = CONNMARK_print,
.save = CONNMARK_save,
.extra_opts = CONNMARK_opts,
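Review bot: connmark_tg_save always emits the canonical `--set-xmark 0x%x/0x%x` and `--save-mark --nfmask ... --ctmask ...` forms regardless of which mnemonic the rule was entered with; that round-trips correctly through revision 1, but it means iptables-save output from this build can no longer be restored on an iptables or kernel without xt_CONNMARK revision 1, which the commit message should say. The revision 0 target now points .final_check at connmark_tg_check, which is the old CONNMARK_check body renamed; its error text is cut off in the hunk above, so please check that it still makes sense for both option sets.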
@@ -212,20 +427,55 @@ static struct xtables_target connmark_ta
static struct xtables_target connmark_target6 = {
.family = AF_INET6,
.name = "CONNMARK",
+ .revision = 0,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)),
.help = CONNMARK_help,
.init = CONNMARK_init,
.parse = CONNMARK_parse,
- .final_check = CONNMARK_check,
+ .final_check = connmark_tg_check,
.print = CONNMARK_print,
.save = CONNMARK_save,
.extra_opts = CONNMARK_opts,
};
+static struct xtables_target connmark_tg_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)),
+ .help = connmark_tg_help,
+ .init = connmark_tg_init,
+ .parse = connmark_tg_parse,
+ .final_check = connmark_tg_check,
+ .print = connmark_tg_print,
+ .save = connmark_tg_save,
+ .extra_opts = connmark_tg_opts,
+};
+
+static struct xtables_target connmark_tg6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)),
+ .help = connmark_tg_help,
+ .init = connmark_tg_init,
+ .parse = connmark_tg_parse,
+ .final_check = connmark_tg_check,
+ .print = connmark_tg_print,
+ .save = connmark_tg_save,
+ .extra_opts = connmark_tg_opts,
+};
+
void _init(void)
{
xtables_register_target(&connmark_target);
xtables_register_target(&connmark_target6);
+ xtables_register_target(&connmark_tg_reg);
+ xtables_register_target(&connmark_tg6_reg);
}
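Review bot: revisions 0 and 1 register under the same name and family, so which parser, help text and save format a user gets depends on xtables' revision probing against the running kernel; the commit message (and ideally the man page) should state that on a kernel without xt_CONNMARK revision 1 the old option set applies, since the two differ in spelling and semantics. Minor: connmark_tg_reg and connmark_tg6_reg order .version/.name/.revision/.family differently from connmark_target directly above; keep one field order within the file.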
Index: iptables-modules/extensions/libxt_CONNMARK.man
===================================================================
--- iptables-modules.orig/extensions/libxt_CONNMARK.man
+++ iptables-modules/extensions/libxt_CONNMARK.man
@@ -1,15 +1,38 @@
-This module sets the netfilter mark value associated with a connection
+This module sets the netfilter mark value associated with a connection.
.TP
-.B --set-mark mark[/mask]
-Set connection mark. If a mask is specified then only those bits set in the
-mask is modified.
-.TP
-.B --save-mark [--mask mask]
-Copy the netfilter packet mark value to the connection mark. If a mask
-is specified then only those bits are copied.
-.TP
-.B --restore-mark [--mask mask]
-Copy the connection mark value to the packet. If a mask is specified
-then only those bits are copied. This is only valid in the
-.B mangle
-table.
+\fB--set-xmark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Zero out the bits given by \fImask\fR and XOR \fIvalue\fR into the ctmark.
+.TP
+\fB--save-mark\fR [\fB--nfmask\fR \fInfmask\fR] [\fB--ctmask\fR \fIctmask\fR]
+Copy the packet mark (nfmark) to the connection mark (ctmark) using the given
+masks. The new nfmark value is determined as follows:
+.IP
+ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
+.TP
+i.e. \fIctmask\fR defines what bits to clear and \fInfmask\fR what bits of the
+nfmark to XOR into the ctmark.
+.TP
+\fB--restore-mark\fR [\fB--nfmask\fR \fInfmask\fR] [\fB--ctmask\fR \fIctmask\fR]
+Copy the connection mark (ctmark) to the packet mark (nfmark) using the given
+masks. The new ctmark value is determined as follows:
+.IP
+nfmark = (nfmark & ~\fInfmask\fR) ^ (ctmark & \fIctmask\fR);
+.TP
+i.e. \fInfmask\fR defines what bits to clear and \fIctmask\fR what bits of the
+ctmark to XOR into the nfmark.
+.TP
+\fB--restore-mark\fR is only valid in the \fBmangle\fR table.
+.PP
+The following mnemonics are available for \fB--set-xmark\fR:
+.TP
+\fB--and-mark\fR \fIbits\fR
+Binary AND the ctmark with \fIbits\fR. (Mnemonic for \fB--set-xmark
+0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+.TP
+\fB--or-mark\fR \fIbits\fR
+Binary OR the ctmark with \fIbits\fR. (Mnemonic for \fB--set-xmark\fR
+\fIbits\fR\fB/\fR\fIbits\fR.)
+.TP
+\fB--xor-mark\fR \fIbits\fR
+Binary XOR the ctmark with \fIbits\fR. (Mnemonic for \fB--set-xmark\fR
+\fIbits\fR\fB/0\fR.)
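Review bot: the two formula introductions are swapped: under `--save-mark` the text says "The new nfmark value is determined as follows" but the formula computes ctmark, and under `--restore-mark` "The new ctmark value" precedes a formula for nfmark. The trailing ";" in the nfmark formula should go. The ".TP" before each "i.e." paragraph and before "--restore-mark is only valid in the mangle table" should be ".PP", since .TP treats the next line as a hanging tag and the line after it as the indented body, which will render these sentences broken in two. Finally, `--set-mark` is still accepted by connmark_tg_parse but has dropped out of the man page entirely; either document it with its OR semantics or remove the option, which is the point the reply below raises.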
Index: iptables-modules/include/linux/netfilter/xt_CONNMARK.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_CONNMARK.h
+++ iptables-modules/include/linux/netfilter/xt_CONNMARK.h
@@ -22,4 +22,9 @@ struct xt_connmark_target_info {
u_int8_t mode;
};
+struct xt_connmark_tginfo1 {
+ u_int32_t ctmark, ctmask, nfmask;
+ u_int8_t mode;
+};
+
#endif /*_XT_CONNMARK_H_target*/
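Review bot: xt_connmark_tginfo1 has to match the kernel's copy of xt_CONNMARK.h field for field, since it is copied verbatim across the setsockopt boundary, and its `mode` field reuses the XT_CONNMARK_SET/SAVE/RESTORE values defined for revision 0 above; a one-line comment saying the mode enum is shared between the two revisions would spare the next reader from checking that by hand.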
* Re: [07/19] libxt_CONNMARK r1
2008-01-16 13:50 ` [07/19] libxt_CONNMARK r1 Jan Engelhardt
@ 2008-01-20 13:27 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:27 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Add support for xt_CONNMARK target revision 1.
>
> +static void connmark_tg_help(void)
> +{
> + printf(
> +"CONNMARK target options:\n"
> +" XOR-based operations:\n"
> +" --set-xmark value[/ctmask] Zero mask bits and XOR ctmark with value\n"
> +" --save-mark [--ctmask mask] [--nfmask mask]\n"
> +" Copy ctmark to nfmark using masks\n"
> +" --restore-mark [--ctmask mask] [--nfmask mask]\n"
> +" Copy nfmark to ctmark using masks\n"
> +" --and-mark bits\n"
> +" --or-mark bits\n"
> +" --xor-mark bits\n"
> +" OR-based operations (deprecated):\n"
> +" --set-mark value[/mask] Set conntrack mark value\n"
> +" --save-mark [--mask mask] Save the packet nfmark in the connection\n"
> +" --restore-mark [--mask mask] Restore saved nfmark value\n"
> +);
> +}
This confuses me - why are --set-mark and --restore-mark deprecated?
I also want to keep --set-mark. Why not simply keep all the options
named like before?
* [08/19] libxt_MARK r2
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (6 preceding siblings ...)
2008-01-16 13:50 ` [07/19] libxt_CONNMARK r1 Jan Engelhardt
@ 2008-01-16 13:50 ` Jan Engelhardt
2008-01-20 13:30 ` Patrick McHardy
2008-01-16 13:50 ` [09/19] libxt_connmark r1 Jan Engelhardt
` (10 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:50 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add support for xt_MARK target revision 2.
Also consolidate libip6t_MARK.man and libipt_MARK.man.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libip6t_MARK.man | 6 -
extensions/libipt_MARK.man | 13 ---
extensions/libxt_MARK.c | 148 ++++++++++++++++++++++++++++++++++++++
extensions/libxt_MARK.man | 25 ++++++
include/linux/netfilter/xt_MARK.h | 4 +
5 files changed, 177 insertions(+), 19 deletions(-)
Index: iptables-modules/extensions/libip6t_MARK.man
===================================================================
--- iptables-modules.orig/extensions/libip6t_MARK.man
+++ /dev/null
@@ -1,6 +0,0 @@
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-mark " "mark"
Index: iptables-modules/extensions/libipt_MARK.man
===================================================================
--- iptables-modules.orig/extensions/libipt_MARK.man
+++ /dev/null
@@ -1,13 +0,0 @@
-This is used to set the netfilter mark value associated with the
-packet. It is only valid in the
-.B mangle
-table. It can for example be used in conjunction with iproute2.
-.TP
-.BI "--set-mark " "value"
-Set nfmark value
-.TP
-.BI "--and-mark " "value"
-Binary AND the nfmark with value
-.TP
-.BI "--or-mark " "value"
-Binary OR the nfmark with value
Index: iptables-modules/extensions/libxt_MARK.c
===================================================================
--- iptables-modules.orig/extensions/libxt_MARK.c
+++ iptables-modules/extensions/libxt_MARK.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add MARK target support. */
+#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -8,6 +9,10 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_MARK.h>
+enum {
+ F_MARK = 1 << 0,
+};
+
/* Function which prints out usage message. */
static void MARK_help(void)
{
@@ -27,6 +32,27 @@ static const struct option MARK_opts[] =
{ }
};
+static const struct option mark_tg_opts[] = {
+ {.name = "set-xmark", .has_arg = true, .val = 'X'},
+ {.name = "set-mark", .has_arg = true, .val = '='},
+ {.name = "and-mark", .has_arg = true, .val = '&'},
+ {.name = "or-mark", .has_arg = true, .val = '|'},
+ {.name = "xor-mark", .has_arg = true, .val = '^'},
+ {},
+};
+
+static void mark_tg_help(void)
+{
+ printf(
+"MARK target options:\n"
+" --set-xmark value[/mask] Clear bits in mask and XOR value into nfmark\n"
+" --set-mark value[/mask] Clear bits in mask and OR value into nfmark\n"
+" --and-mark bits Binary AND the nfmark with bits\n"
+" --or-mark bits Binary OR the nfmark with bits\n"
+" --xor-mask bits Binary XOR the nfmark with bits\n"
+"\n");
+}
+
/* Function which parses command options; returns true if it
ate an option */
static int
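Review bot: the help line reads `--xor-mask bits` but the option in mark_tg_opts is "xor-mark"; fix the typo. The help text also omits that the mask defaults to 0xFFFFFFFF when omitted, which the new libxt_MARK.man states; adding "(mask defaults to 0xffffffff)" here keeps --help and the man page in step.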
@@ -101,6 +127,74 @@ MARK_parse_v1(int c, char **argv, int in
return 1;
}
+static int mark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_mark_tginfo2 *info = (void *)(*target)->data;
+ unsigned int value, mask = ~0U;
+ char *end;
+
+ switch (c) {
+ case 'X': /* --set-xmark */
+ case '=': /* --set-mark */
+ param_act(P_ONE_ACTION, "MARK", *flags & F_MARK);
+ param_act(P_NO_INVERT, "MARK", "--set-xmark/--set-mark", invert);
+ if (!strtonum(optarg, &end, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "MARK", "--set-xmark/--set-mark", optarg);
+ if (*end == '/')
+ if (!strtonum(end + 1, &end, &mask, 0, ~0U))
+ param_act(P_BAD_VALUE, "MARK", "--set-xmark/--set-mark", optarg);
+ if (*end != '\0')
+ param_act(P_BAD_VALUE, "MARK", "--set-xmark/--set-mark", optarg);
+ info->mark = value;
+ info->mask = mask;
+
+ if (c == '=')
+ info->mask = value | mask;
+ break;
+
+ case '&': /* --and-mark */
+ param_act(P_ONE_ACTION, "MARK", *flags & F_MARK);
+ param_act(P_NO_INVERT, "MARK", "--and-mark", invert);
+ if (!strtonum(optarg, NULL, &mask, 0, ~0U))
+ param_act(P_BAD_VALUE, "MARK", "--and-mark", optarg);
+ info->mark = 0;
+ info->mask = ~mask;
+ break;
+
+ case '|': /* --or-mark */
+ param_act(P_ONE_ACTION, "MARK", *flags & F_MARK);
+ param_act(P_NO_INVERT, "MARK", "--or-mark", invert);
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "MARK", "--or-mark", optarg);
+ info->mark = value;
+ info->mask = value;
+ break;
+
+ case '^': /* --xor-mark */
+ param_act(P_ONE_ACTION, "MARK", *flags & F_MARK);
+ param_act(P_NO_INVERT, "MARK", "--xor-mark", invert);
+ if (!strtonum(optarg, NULL, &value, 0, ~0U))
+ param_act(P_BAD_VALUE, "MARK", "--xor-mark", optarg);
+ info->mark = value;
+ info->mask = 0;
+ break;
+
+ default:
+ return false;
+ }
+
+ *flags |= F_MARK;
+ return true;
+}
+
+static void mark_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM, "MARK: One of the --set-xmark, "
+ "--{and,or,xor,set}-mark options is required");
+}
+
static void
print_mark(unsigned long mark)
{
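Review bot: `info->mask = value | mask;` for '=' (`--set-mark`) has no comment explaining why the OR form folds the value into the mask; a short "clear mask bits, then OR value in" note would help, as the same construction appears in libxt_CONNMARK.c. Every case here calls param_act(P_NO_INVERT, ...), which is right and is what the CONNMARK revision 1 parser in 07/19 is missing. Minor: the option letters are the reverse of libxt_CONNMARK.c ('X' for set-xmark and '=' for set-mark here, '=' for set-xmark and '-' for set-mark there), which is harmless but confusing when reading the two files side by side.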
@@ -148,6 +242,21 @@ static void MARK_print_v1(const void *ip
print_mark(markinfo->mark);
}
+static void mark_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_mark_tginfo2 *info = (const void *)target->data;
+
+ if (info->mark == 0)
+ printf("MARK and 0x%x ", (unsigned int)(u_int32_t)~info->mask);
+ else if (info->mark == info->mask)
+ printf("MARK or 0x%x ", info->mark);
+ else if (info->mask == 0)
+ printf("MARK xor 0x%x ", info->mark);
+ else
+ printf("MARK xset 0x%x/0x%x ", info->mark, info->mask);
+}
+
/* Saves the union ipt_targinfo in parsable form to stdout. */
static void MARK_save_v1(const void *ip, const struct xt_entry_target *target)
{
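Review bot: the `(unsigned int)(u_int32_t)~info->mask` double cast in mark_tg_print is redundant, since info->mask is already u_int32_t and `~info->mask` prints the same value with %x. As in the CONNMARK print routine, the `mark == 0` test comes first, so `--set-xmark 0/0` and `--xor-mark 0` both list as "MARK and 0xffffffff"; that is the equivalent operation, but a comment that the and/or/xor/xset classification is only a display heuristic is warranted.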
@@ -168,6 +277,13 @@ static void MARK_save_v1(const void *ip,
print_mark(markinfo->mark);
}
+static void mark_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_mark_tginfo2 *info = (const void *)target->data;
+
+ printf("--set-xmark 0x%x/0x%x ", info->mark, info->mask);
+}
+
static struct xtables_target mark_target_v0 = {
.family = AF_INET,
.name = "MARK",
@@ -213,9 +329,41 @@ static struct xtables_target mark_target
.extra_opts = MARK_opts,
};
+static struct xtables_target mark_tg_reg_v2 = {
+ .version = IPTABLES_VERSION,
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+ .help = mark_tg_help,
+ .parse = mark_tg_parse,
+ .final_check = mark_tg_check,
+ .print = mark_tg_print,
+ .save = mark_tg_save,
+ .extra_opts = mark_tg_opts,
+};
+
+static struct xtables_target mark_tg6_reg_v2 = {
+ .version = IPTABLES_VERSION,
+ .name = "MARK",
+ .revision = 2,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
+ .help = mark_tg_help,
+ .parse = mark_tg_parse,
+ .final_check = mark_tg_check,
+ .print = mark_tg_print,
+ .save = mark_tg_save,
+ .extra_opts = mark_tg_opts,
+};
+
void _init(void)
{
xtables_register_target(&mark_target_v0);
xtables_register_target(&mark_target_v1);
xtables_register_target(&mark_target6_v0);
+ xtables_register_target(&mark_tg_reg_v2);
+ xtables_register_target(&mark_tg6_reg_v2);
}
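Review bot: neither mark_tg_reg_v2 nor mark_tg6_reg_v2 sets .init, which is fine only because mark_tg_check requires one of the options and every option in mark_tg_parse assigns both info->mark and info->mask; a comment saying so would stop someone later adding an option that sets just one field. Since IPv6 previously had only mark_target6_v0 (there is no mark_target6_v1 in _init), ip6tables jumps straight from revision 0 to revision 2; worth a line in the commit message.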
Index: iptables-modules/extensions/libxt_MARK.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_MARK.man
@@ -0,0 +1,25 @@
+This target is used to set the Netfilter mark value associated with the packet.
+The target can only be used in the \fBmangle\fR table. It can, for example, be
+used in conjunction with routing based on fwmark (needs iproute2).
+.TP
+\fB--set-xmark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the packet
+mark ("nfmark"). If \fImask\fR is omitted, 0xFFFFFFFF is assumed.
+.TP
+\fB--set-mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Zeroes out the bits given by \fImask\fR and ORs \fIvalue\fR into the packet
+mark. If \fImask\fR is omitted, 0xFFFFFFFF is assumed.
+.PP
+The following mnemonics are available:
+.TP
+\fB--and-mark\fR \fIbits\fR
+Binary AND the nfmark with \fIbits\fR. (Mnemonic for \fB--set-xmark
+0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.)
+.TP
+\fB--or-mark\fR \fIbits\fR
+Binary OR the nfmark with \fIbits\fR. (Mnemonic for \fB--set-xmark\fR
+\fIbits\fR\fB/\fR\fIbits\fR.)
+.TP
+\fB--xor-mark\fR \fIbits\fR
+Binary XOR the nfmark with \fIbits\fR. (Mnemonic for \fB--set-xmark\fR
+\fIbits\fR\fB/0\fR.)
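Review bot: the `--set-mark` text ("Zeroes out the bits given by mask and ORs value into the packet mark") matches the parser, which sets mask = value | mask, but the page should spell out that `--set-xmark` and `--set-mark` are identical when the mask is omitted, since both then replace the whole 32-bit mark. "Netfilter" is capitalised here and lower-case in the libxt_CONNMARK.man hunk of this series; pick one spelling.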
Index: iptables-modules/include/linux/netfilter/xt_MARK.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_MARK.h
+++ iptables-modules/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
u_int8_t mode;
};
+struct xt_mark_tginfo2 {
+ u_int32_t mark, mask;
+};
+
#endif /*_XT_MARK_H_target */
* Re: [08/19] libxt_MARK r2
2008-01-16 13:50 ` [08/19] libxt_MARK r2 Jan Engelhardt
@ 2008-01-20 13:30 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:30 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Add support for xt_MARK target revision 2.
> Also consolidate libip6t_MARK.man and libipt_MARK.man.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libip6t_MARK.man | 6 -
> extensions/libipt_MARK.man | 13 ---
> extensions/libxt_MARK.c | 148 ++++++++++++++++++++++++++++++++++++++
> extensions/libxt_MARK.man | 25 ++++++
> include/linux/netfilter/xt_MARK.h | 4 +
> 5 files changed, 177 insertions(+), 19 deletions(-)
Applied, thanks.
* [09/19] libxt_connmark r1
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (7 preceding siblings ...)
2008-01-16 13:50 ` [08/19] libxt_MARK r2 Jan Engelhardt
@ 2008-01-16 13:50 ` Jan Engelhardt
2008-01-20 13:31 ` Patrick McHardy
2008-01-16 13:51 ` [10/19] print warning when dlopen fails Jan Engelhardt
` (9 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:50 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add support for xt_connmark match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_connmark.c | 146 +++++++++++++++++++++++++++-------
extensions/libxt_connmark.man | 9 --
include/linux/netfilter/xt_connmark.h | 5 +
3 files changed, 124 insertions(+), 36 deletions(-)
Index: iptables-modules/extensions/libxt_connmark.c
===================================================================
--- iptables-modules.orig/extensions/libxt_connmark.c
+++ iptables-modules/extensions/libxt_connmark.c
@@ -28,21 +28,52 @@
#include <xtables.h>
#include <linux/netfilter/xt_connmark.h>
-/* Function which prints out usage message. */
-static void connmark_help(void)
+enum {
+ F_MARK = 1 << 0,
+};
+
+static void connmark_mt_help(void)
{
printf(
-"CONNMARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
+"connmark match options:\n"
+"[!] --mark value[/mask] Match ctmark value with optional mask\n"
+"\n");
}
-static const struct option connmark_opts[] = {
- { "mark", 1, NULL, '1' },
- { }
+static const struct option connmark_mt_opts[] = {
+ {.name = "mark", .has_arg = true, .val = '1'},
+ {},
};
+static int
+connmark_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_connmark_mtinfo1 *info = (void *)(*match)->data;
+ unsigned int mark, mask = ~0U;
+ char *end;
+
+ switch (c) {
+ case '1': /* --mark */
+ param_act(P_ONLY_ONCE, "connmark", "--mark", *flags & F_MARK);
+ if (!strtonum(optarg, &end, &mark, 0, ~0U))
+ param_act(P_BAD_VALUE, "connmark", "--mark", optarg);
+ if (*end == '/')
+ if (!strtonum(end + 1, &end, &mask, 0, ~0U))
+ param_act(P_BAD_VALUE, "connmark", "--mark", optarg);
+ if (*end != '\0')
+ param_act(P_BAD_VALUE, "connmark", "--mark", optarg);
+
+ if (invert)
+ info->invert = true;
+ info->mark = mark;
+ info->mask = mask;
+ *flags |= F_MARK;
+ return true;
+ }
+ return false;
+}
+
/* Function which parses command options; returns true if it
ate an option */
static int
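Review bot: connmark_mt_parse accepts `--mark value/0` without complaint, and a zero mask makes the match unconditional (mark & 0 == 0 always), which is almost never what a rule author meant; a check that rejects mask == 0, or at least a warning, would catch a common typo. `if (invert) info->invert = true;` can simply be `info->invert = !!invert;`. Note too that connmark_mt_help is wired to the revision 0 registrations further down as well, so the old "CONNMARK match v%s options" line with the version string disappears for existing users; fine, but mention the user-visible change in the commit message.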
@@ -75,21 +106,19 @@ connmark_parse(int c, char **argv, int i
return 1;
}
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
+static void print_mark(unsigned int mark, unsigned int mask)
{
- if(mask != 0xffffffffUL)
- printf("0x%lx/0x%lx ", mark, mask);
+ if (mask != 0xffffffffU)
+ printf("0x%x/0x%x ", mark, mask);
else
- printf("0x%lx ", mark);
+ printf("0x%x ", mark);
}
-/* Final check; must have specified --mark. */
-static void connmark_check(unsigned int flags)
+static void connmark_mt_check(unsigned int flags)
{
- if (!flags)
+ if (flags == 0)
exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
+ "connmark: The --mark option is required");
}
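Review bot: print_mark now takes unsigned int and prints with %x, dropping the unused `numeric` parameter, but the unchanged revision 0 connmark_print/connmark_save paths still pass their fields into it; if xt_connmark_info keeps the `unsigned long` fields the old signature suggests, those values are narrowed on 64-bit builds, which is harmless for a 32-bit mark but worth an explicit cast or comment. The new final-check text "connmark: The --mark option is required" also replaces "MARK match: You must specify `--mark'" for revision 0, a user-visible string change that anyone grepping iptables output will notice.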
/* Prints out the matchinfo. */
@@ -101,7 +130,18 @@ connmark_print(const void *ip, const str
printf("CONNMARK match ");
if (info->invert)
printf("!");
- print_mark(info->mark, info->mask, numeric);
+ print_mark(info->mark, info->mask);
+}
+
+static void
+connmark_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connmark_mtinfo1 *info = (const void *)match->data;
+
+ printf("connmark match ");
+ if (info->invert)
+ printf("!");
+ print_mark(info->mark, info->mask);
}
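Review bot: connmark_mt_print prefixes with "connmark match " while connmark_print for revision 0, directly above it, prints "CONNMARK match "; since either revision can show up in a listing depending on the kernel, pick one spelling (lower-case matches the module name and the new help text).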
/* Saves the matchinfo in parsable form to stdout. */
@@ -113,39 +153,85 @@ static void connmark_save(const void *ip
printf("! ");
printf("--mark ");
- print_mark(info->mark, info->mask, 0);
+ print_mark(info->mark, info->mask);
+}
+
+static void
+connmark_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connmark_mtinfo1 *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--mark ");
+ print_mark(info->mark, info->mask);
}
-static struct xtables_match connmark_match = {
+static struct xtables_match connmark_mt_reg_v0 = {
.family = AF_INET,
.name = "connmark",
+ .revision = 0,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
- .help = connmark_help,
+ .help = connmark_mt_help,
.parse = connmark_parse,
- .final_check = connmark_check,
+ .final_check = connmark_mt_check,
.print = connmark_print,
.save = connmark_save,
- .extra_opts = connmark_opts,
+ .extra_opts = connmark_mt_opts,
};
-static struct xtables_match connmark_match6 = {
+static struct xtables_match connmark_mt6_reg_v0 = {
.family = AF_INET6,
.name = "connmark",
+ .revision = 0,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_connmark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)),
- .help = connmark_help,
+ .help = connmark_mt_help,
.parse = connmark_parse,
- .final_check = connmark_check,
+ .final_check = connmark_mt_check,
.print = connmark_print,
.save = connmark_save,
- .extra_opts = connmark_opts,
+ .extra_opts = connmark_mt_opts,
+};
+
+static struct xtables_match connmark_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)),
+ .help = connmark_mt_help,
+ .parse = connmark_mt_parse,
+ .final_check = connmark_mt_check,
+ .print = connmark_mt_print,
+ .save = connmark_mt_save,
+ .extra_opts = connmark_mt_opts,
+};
+
+static struct xtables_match connmark_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "connmark",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)),
+ .help = connmark_mt_help,
+ .parse = connmark_mt_parse,
+ .final_check = connmark_mt_check,
+ .print = connmark_mt_print,
+ .save = connmark_mt_save,
+ .extra_opts = connmark_mt_opts,
};
void _init(void)
{
- xtables_register_match(&connmark_match);
- xtables_register_match(&connmark_match6);
+ xtables_register_match(&connmark_mt_reg_v0);
+ xtables_register_match(&connmark_mt6_reg_v0);
+ xtables_register_match(&connmark_mt_reg);
+ xtables_register_match(&connmark_mt6_reg);
}
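Review bot: the commit message says only "Add support for xt_connmark match revision 1" and gives no reason for the new revision; if, as the old print_mark's `unsigned long` parameters suggest, xt_connmark_info uses unsigned long for mark and mask, the motivation is the fixed-width u_int32_t layout of xt_connmark_mtinfo1 that is stable across 32/64-bit userspace and kernel, and that belongs in the log. connmark_mt_save is line for line the same as connmark_save apart from the struct type; not a blocker, but a shared helper taking (mark, mask, invert) would halve it.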
Index: iptables-modules/extensions/libxt_connmark.man
===================================================================
--- iptables-modules.orig/extensions/libxt_connmark.man
+++ iptables-modules/extensions/libxt_connmark.man
@@ -1,9 +1,6 @@
This module matches the netfilter mark field associated with a connection
-(which can be set using the
-.B CONNMARK
-target below).
+(which can be set using the \fBCONNMARK\fR target below).
.TP
-.BI "--mark " "value[/mask]"
+\fB--mark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
Matches packets in connections with the given mark value (if a mask is
-specified, this is logically ANDed with the mark before the
-comparison).
+specified, this is logically ANDed with the mark before the comparison).
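Review bot: the man page still says nothing about negation even though connmark_mt_help advertises "[!] --mark value[/mask]"; add "[\fB!\fR]" to the synopsis line or a sentence on inversion. "the CONNMARK target below" depends on the section order of the assembled iptables(8) page and is fragile; "the CONNMARK target" is enough.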
Index: iptables-modules/include/linux/netfilter/xt_connmark.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_connmark.h
+++ iptables-modules/include/linux/netfilter/xt_connmark.h
@@ -15,4 +15,9 @@ struct xt_connmark_info {
u_int8_t invert;
};
+struct xt_connmark_mtinfo1 {
+ u_int32_t mark, mask;
+ u_int8_t invert;
+};
+
#endif /*_XT_CONNMARK_H*/
* [10/19] print warning when dlopen fails
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (8 preceding siblings ...)
2008-01-16 13:50 ` [09/19] libxt_connmark r1 Jan Engelhardt
@ 2008-01-16 13:51 ` Jan Engelhardt
2008-01-20 13:32 ` Patrick McHardy
2008-01-16 13:51 ` [11/19] libxt_conntrack r0 Jan Engelhardt
` (8 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:51 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
If the file exists but could not be loaded, print the dlerror().
Often it is a missing symbol.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
xtables.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
Index: iptables-modules/xtables.c
===================================================================
--- iptables-modules.orig/xtables.c
+++ iptables-modules/xtables.c
@@ -307,6 +307,9 @@ void parse_interface(const char *arg, ch
struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
struct xtables_rule_match **matches)
{
+#ifndef NO_SHARED_LIBS
+ struct stat sb;
+#endif
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
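Review bot: `struct stat sb` and the `stat()` calls further down need `<sys/stat.h>`; the hunk does not show the include list of xtables.c, so please confirm it is already included there or add it in this patch. The declaration is correctly guarded by `#ifndef NO_SHARED_LIBS`, which matches the guard the dlopen code lives under.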
@@ -347,12 +350,16 @@ struct xtables_match *find_match(const c
/* Found library. If it didn't register itself,
maybe they specified target as match. */
ptr = find_match(name, DONT_LOAD, NULL);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
if (ptr == NULL) {
sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
name);
if (dlopen(path, RTLD_NOW) != NULL)
ptr = find_match(name, DONT_LOAD, NULL);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
}
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
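Review bot: in both new `else if (stat(path, &sb) == 0)` branches `dlerror()` is read only after `stat()` has run; that works today because `stat()` does not touch the dl error state, but the message is silently lost if any dl call is ever inserted between the failed `dlopen()` and the `fprintf()`. Saving `dlerror()` into a local immediately after the failed `dlopen()` and printing that from the stat branch would be more robust. Also note the warning is printed regardless of `tryload`, so a damaged library also produces output on a TRY_LOAD lookup that the caller is prepared to see fail; probably intended, but worth a sentence in the commit message.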
@@ -395,6 +402,9 @@ struct xtables_match *find_match(const c
struct xtables_target *find_target(const char *name, enum xt_tryload tryload)
{
+#ifndef NO_SHARED_LIBS
+ struct stat sb;
+#endif
struct xtables_target *ptr;
/* Standard target? */
@@ -420,12 +430,16 @@ struct xtables_target *find_target(const
/* Found library. If it didn't register itself,
maybe they specified match as a target. */
ptr = find_target(name, DONT_LOAD);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
if (ptr == NULL) {
sprintf(path, "%s/%s%s.so", lib_dir, afinfo.libprefix,
name);
if (dlopen(path, RTLD_NOW) != NULL)
ptr = find_target(name, DONT_LOAD);
+ else if (stat(path, &sb) == 0)
+ fprintf(stderr, "%s: %s\n", path, dlerror());
}
if (ptr == NULL && tryload == LOAD_MUST_SUCCEED)
exit_error(PARAMETER_PROBLEM,
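Review bot: the same two-line `else if (stat(path, &sb) == 0) fprintf(stderr, "%s: %s\n", path, dlerror());` block now appears four times across find_match and find_target. A small static helper that wraps the stat check and the diagnostic would keep the message format in one place and remove the need for the duplicated `struct stat sb` declarations.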
* [11/19] libxt_conntrack r0
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (9 preceding siblings ...)
2008-01-16 13:51 ` [10/19] print warning when dlopen fails Jan Engelhardt
@ 2008-01-16 13:51 ` Jan Engelhardt
2008-01-20 13:33 ` Patrick McHardy
2008-01-16 13:51 ` [12/19] bunch o' renames Jan Engelhardt
` (7 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:51 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Move libipt_conntrack to libxt_conntrack.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libipt_conntrack.c | 514 --------------------------
extensions/libipt_conntrack.man | 49 --
extensions/libxt_conntrack.c | 517 +++++++++++++++++++++++++++
extensions/libxt_conntrack.man | 71 +++
include/linux/netfilter/xt_conntrack.h | 83 ++++
include/linux/netfilter_ipv4/ipt_conntrack.h | 77 ----
6 files changed, 671 insertions(+), 640 deletions(-)
Index: iptables-modules/extensions/libipt_conntrack.c
===================================================================
--- iptables-modules.orig/extensions/libipt_conntrack.c
+++ /dev/null
@@ -1,514 +0,0 @@
-/* Shared library add-on to iptables for conntrack matching support.
- * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <iptables.h>
-#include <linux/netfilter/nf_conntrack_common.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
-
-#ifndef IPT_CONNTRACK_STATE_UNTRACKED
-#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-#endif
-
-/* Function which prints out usage message. */
-static void conntrack_help(void)
-{
- printf(
-"conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
-" State(s) to match\n"
-" [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'\n"
-" --ctorigsrc [!] address[/mask]\n"
-" Original source specification\n"
-" --ctorigdst [!] address[/mask]\n"
-" Original destination specification\n"
-" --ctreplsrc [!] address[/mask]\n"
-" Reply source specification\n"
-" --ctrepldst [!] address[/mask]\n"
-" Reply destination specification\n"
-" [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]\n"
-" Status(es) to match\n"
-" [!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
-" value or range of values (inclusive)\n"
-"\n", IPTABLES_VERSION);
-}
-
-static const struct option conntrack_opts[] = {
- { "ctstate", 1, NULL, '1' },
- { "ctproto", 1, NULL, '2' },
- { "ctorigsrc", 1, NULL, '3' },
- { "ctorigdst", 1, NULL, '4' },
- { "ctreplsrc", 1, NULL, '5' },
- { "ctrepldst", 1, NULL, '6' },
- { "ctstatus", 1, NULL, '7' },
- { "ctexpire", 1, NULL, '8' },
- { }
-};
-
-static int
-parse_state(const char *state, size_t strlen, struct ipt_conntrack_info *sinfo)
-{
- if (strncasecmp(state, "INVALID", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_UNTRACKED;
- else if (strncasecmp(state, "SNAT", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
- else if (strncasecmp(state, "DNAT", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT;
- else
- return 0;
- return 1;
-}
-
-static void
-parse_states(const char *arg, struct ipt_conntrack_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
-}
-
-static int
-parse_status(const char *status, size_t strlen, struct ipt_conntrack_info *sinfo)
-{
- if (strncasecmp(status, "NONE", strlen) == 0)
- sinfo->statusmask |= 0;
- else if (strncasecmp(status, "EXPECTED", strlen) == 0)
- sinfo->statusmask |= IPS_EXPECTED;
- else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
- sinfo->statusmask |= IPS_SEEN_REPLY;
- else if (strncasecmp(status, "ASSURED", strlen) == 0)
- sinfo->statusmask |= IPS_ASSURED;
-#ifdef IPS_CONFIRMED
- else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
- sinfo->stausmask |= IPS_CONFIRMED;
-#endif
- else
- return 0;
- return 1;
-}
-
-static void
-parse_statuses(const char *arg, struct ipt_conntrack_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_status(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
-}
-
-static unsigned long
-parse_expire(const char *s)
-{
- unsigned int len;
-
- if (string_to_number(s, 0, 0, &len) == -1)
- exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
- else
- return len;
-}
-
-/* If a single value is provided, min and max are both set to the value */
-static void
-parse_expires(const char *s, struct ipt_conntrack_info *sinfo)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(s);
- if ((cp = strchr(buffer, ':')) == NULL)
- sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
- else {
- *cp = '\0';
- cp++;
-
- sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
- sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
- }
- free(buffer);
-
- if (sinfo->expires_min > sinfo->expires_max)
- exit_error(PARAMETER_PROBLEM,
- "expire min. range value `%lu' greater than max. "
- "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)(*match)->data;
- char *protocol = NULL;
- unsigned int naddrs = 0;
- struct in_addr *addrs = NULL;
-
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_states(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_STATE;
- }
- sinfo->flags |= IPT_CONNTRACK_STATE;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
-
- if(invert)
- sinfo->invflags |= IPT_CONNTRACK_PROTO;
-
- /* Canonicalize into lower case */
- for (protocol = argv[optind-1]; *protocol; protocol++)
- *protocol = tolower(*protocol);
-
- protocol = argv[optind-1];
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
-
- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
- && (sinfo->invflags & IPT_INV_PROTO))
- exit_error(PARAMETER_PROBLEM,
- "rule would never match protocol");
-
- sinfo->flags |= IPT_CONNTRACK_PROTO;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_ORIGSRC;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_ORIGSRC;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_ORIGDST;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_ORIGDST;
- break;
-
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_REPLSRC;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->sipmsk[IP_CT_DIR_REPLY],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_REPLSRC;
- break;
-
- case '6':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_REPLDST;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->dipmsk[IP_CT_DIR_REPLY],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_REPLDST;
- break;
-
- case '7':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_statuses(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_STATUS;
- }
- sinfo->flags |= IPT_CONNTRACK_STATUS;
- break;
-
- case '8':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_expires(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_EXPIRES;
- }
- sinfo->flags |= IPT_CONNTRACK_EXPIRES;
- break;
-
- default:
- return 0;
- }
-
- *flags = sinfo->flags;
- return 1;
-}
-
-static void conntrack_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
-}
-
-static void
-print_state(unsigned int statemask)
-{
- const char *sep = "";
-
- if (statemask & IPT_CONNTRACK_STATE_INVALID) {
- printf("%sINVALID", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
- printf("%sNEW", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
- printf("%sRELATED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
- printf("%sESTABLISHED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_UNTRACKED) {
- printf("%sUNTRACKED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_SNAT) {
- printf("%sSNAT", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_DNAT) {
- printf("%sDNAT", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-static void
-print_status(unsigned int statusmask)
-{
- const char *sep = "";
-
- if (statusmask & IPS_EXPECTED) {
- printf("%sEXPECTED", sep);
- sep = ",";
- }
- if (statusmask & IPS_SEEN_REPLY) {
- printf("%sSEEN_REPLY", sep);
- sep = ",";
- }
- if (statusmask & IPS_ASSURED) {
- printf("%sASSURED", sep);
- sep = ",";
- }
-#ifdef IPS_CONFIRMED
- if (statusmask & IPS_CONFIRMED) {
- printf("%sCONFIRMED", sep);
- sep =",";
- }
-#endif
- if (statusmask == 0) {
- printf("%sNONE", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-static void
-print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
-{
- char buf[BUFSIZ];
-
- if (inv)
- printf("! ");
-
- if (mask->s_addr == 0L && !numeric)
- printf("%s ", "anywhere");
- else {
- if (numeric)
- sprintf(buf, "%s", addr_to_dotted(addr));
- else
- sprintf(buf, "%s", addr_to_anyname(addr));
- strcat(buf, mask_to_dotted(mask));
- printf("%s ", buf);
- }
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void
-matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
-{
- struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)match->data;
-
- if(sinfo->flags & IPT_CONNTRACK_STATE) {
- printf("%sctstate ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_STATE)
- printf("! ");
- print_state(sinfo->statemask);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_PROTO) {
- printf("%sctproto ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_PROTO)
- printf("! ");
- printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_ORIGSRC) {
- printf("%sctorigsrc ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
- sinfo->invflags & IPT_CONNTRACK_ORIGSRC,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_ORIGDST) {
- printf("%sctorigdst ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
- sinfo->invflags & IPT_CONNTRACK_ORIGDST,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_REPLSRC) {
- printf("%sctreplsrc ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
- &sinfo->sipmsk[IP_CT_DIR_REPLY],
- sinfo->invflags & IPT_CONNTRACK_REPLSRC,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_REPLDST) {
- printf("%sctrepldst ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
- &sinfo->dipmsk[IP_CT_DIR_REPLY],
- sinfo->invflags & IPT_CONNTRACK_REPLDST,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_STATUS) {
- printf("%sctstatus ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_STATUS)
- printf("! ");
- print_status(sinfo->statusmask);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_EXPIRES) {
- printf("%sctexpire ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_EXPIRES)
- printf("! ");
-
- if (sinfo->expires_max == sinfo->expires_min)
- printf("%lu ", sinfo->expires_min);
- else
- printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
- }
-}
-
-/* Prints out the matchinfo. */
-static void conntrack_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- matchinfo_print(ip, match, numeric, "");
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void conntrack_save(const void *ip, const struct xt_entry_match *match)
-{
- matchinfo_print(ip, match, 1, "--");
-}
-
-static struct iptables_match conntrack_match = {
- .name = "conntrack",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
- .help = conntrack_help,
- .parse = conntrack_parse,
- .final_check = conntrack_check,
- .print = conntrack_print,
- .save = conntrack_save,
- .extra_opts = conntrack_opts,
-};
-
-void _init(void)
-{
- register_match(&conntrack_match);
-}
Index: iptables-modules/extensions/libipt_conntrack.man
===================================================================
--- iptables-modules.orig/extensions/libipt_conntrack.man
+++ /dev/null
@@ -1,49 +0,0 @@
-This module, when combined with connection tracking, allows access to
-more connection tracking information than the "state" match.
-(this module is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.BI "--ctstate " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet is associated with no known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B SNAT
-A virtual state, matching if the original source address differs from
-the reply destination.
-.B DNAT
-A virtual state, matching if the original destination differs from the
-reply source.
-.TP
-.BI "--ctproto " "proto"
-Protocol to match (by number or name)
-.TP
-.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original source address
-.TP
-.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original destination address
-.TP
-.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against reply source address
-.TP
-.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
-Match against reply destination address
-.TP
-.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
-Match against internal conntrack states
-.TP
-.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
-Match remaining lifetime in seconds against given value
-or range of values (inclusive)
Index: iptables-modules/extensions/libxt_conntrack.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_conntrack.c
@@ -0,0 +1,517 @@
+/* Shared library add-on to iptables for conntrack matching support.
+ * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
+ */
+
+#include <ctype.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <iptables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+
+/* Function which prints out usage message. */
+static void conntrack_mt_help(void)
+{
+ printf(
+"conntrack match options:\n"
+"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
+" State(s) to match\n"
+"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
+"[!] --ctorigsrc address[/mask]\n"
+"[!] --ctorigdst address[/mask]\n"
+"[!] --ctreplsrc address[/mask]\n"
+"[!] --ctrepldst address[/mask]\n"
+" Original/Reply source/destination address\n"
+"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
+" Status(es) to match\n"
+"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
+" value or range of values (inclusive)\n"
+"\n");
+}
+
+static const struct option conntrack_mt_opts[] = {
+ {.name = "ctstate", .has_arg = true, .val = '1'},
+ {.name = "ctproto", .has_arg = true, .val = '2'},
+ {.name = "ctorigsrc", .has_arg = true, .val = '3'},
+ {.name = "ctorigdst", .has_arg = true, .val = '4'},
+ {.name = "ctreplsrc", .has_arg = true, .val = '5'},
+ {.name = "ctrepldst", .has_arg = true, .val = '6'},
+ {.name = "ctstatus", .has_arg = true, .val = '7'},
+ {.name = "ctexpire", .has_arg = true, .val = '8'},
+ {},
+};
+
+static int
+parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo)
+{
+ if (strncasecmp(state, "INVALID", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
+ else if (strncasecmp(state, "NEW", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
+ else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
+ else if (strncasecmp(state, "RELATED", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
+ else if (strncasecmp(state, "SNAT", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
+ else if (strncasecmp(state, "DNAT", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
+ else
+ return 0;
+ return 1;
+}
+
+static void
+parse_states(const char *arg, struct xt_conntrack_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_state(arg, comma-arg, sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
+ arg = comma+1;
+ }
+
+ if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
+}
+
+static int
+parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo)
+{
+ if (strncasecmp(status, "NONE", strlen) == 0)
+ sinfo->statusmask |= 0;
+ else if (strncasecmp(status, "EXPECTED", strlen) == 0)
+ sinfo->statusmask |= IPS_EXPECTED;
+ else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
+ sinfo->statusmask |= IPS_SEEN_REPLY;
+ else if (strncasecmp(status, "ASSURED", strlen) == 0)
+ sinfo->statusmask |= IPS_ASSURED;
+#ifdef IPS_CONFIRMED
+ else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
+ sinfo->stausmask |= IPS_CONFIRMED;
+#endif
+ else
+ return 0;
+ return 1;
+}
+
+static void
+parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_status(arg, comma-arg, sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
+ arg = comma+1;
+ }
+
+ if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
+}
+
+static unsigned long
+parse_expire(const char *s)
+{
+ unsigned int len;
+
+ if (string_to_number(s, 0, 0, &len) == -1)
+ exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
+ else
+ return len;
+}
+
+/* If a single value is provided, min and max are both set to the value */
+static void
+parse_expires(const char *s, struct xt_conntrack_info *sinfo)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(s);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
+ sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
+ }
+ free(buffer);
+
+ if (sinfo->expires_min > sinfo->expires_max)
+ exit_error(PARAMETER_PROBLEM,
+ "expire min. range value `%lu' greater than max. "
+ "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_info *sinfo = (void *)(*match)->data;
+ char *protocol = NULL;
+ unsigned int naddrs = 0;
+ struct in_addr *addrs = NULL;
+
+
+ switch (c) {
+ case '1':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ parse_states(argv[optind-1], sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_STATE;
+ }
+ sinfo->flags |= XT_CONNTRACK_STATE;
+ break;
+
+ case '2':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if(invert)
+ sinfo->invflags |= XT_CONNTRACK_PROTO;
+
+ /* Canonicalize into lower case */
+ for (protocol = argv[optind-1]; *protocol; protocol++)
+ *protocol = tolower(*protocol);
+
+ protocol = argv[optind-1];
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
+
+ if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
+ && (sinfo->invflags & XT_INV_PROTO))
+ exit_error(PARAMETER_PROBLEM,
+ "rule would never match protocol");
+
+ sinfo->flags |= XT_CONNTRACK_PROTO;
+ break;
+
+ case '3':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_ORIGDST;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_REPLSRC;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->sipmsk[IP_CT_DIR_REPLY],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_REPLDST;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->dipmsk[IP_CT_DIR_REPLY],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+ case '7':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ parse_statuses(argv[optind-1], sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_STATUS;
+ }
+ sinfo->flags |= XT_CONNTRACK_STATUS;
+ break;
+
+ case '8':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ parse_expires(argv[optind-1], sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_EXPIRES;
+ }
+ sinfo->flags |= XT_CONNTRACK_EXPIRES;
+ break;
+
+ default:
+ return 0;
+ }
+
+ *flags = sinfo->flags;
+ return 1;
+}
+
+static void conntrack_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
+}
+
+static void
+print_state(unsigned int statemask)
+{
+ const char *sep = "";
+
+ if (statemask & XT_CONNTRACK_STATE_INVALID) {
+ printf("%sINVALID", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
+ printf("%sNEW", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
+ printf("%sRELATED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
+ printf("%sESTABLISHED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
+ printf("%sUNTRACKED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_SNAT) {
+ printf("%sSNAT", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_DNAT) {
+ printf("%sDNAT", sep);
+ sep = ",";
+ }
+ printf(" ");
+}
+
+static void
+print_status(unsigned int statusmask)
+{
+ const char *sep = "";
+
+ if (statusmask & IPS_EXPECTED) {
+ printf("%sEXPECTED", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_SEEN_REPLY) {
+ printf("%sSEEN_REPLY", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_ASSURED) {
+ printf("%sASSURED", sep);
+ sep = ",";
+ }
+#ifdef IPS_CONFIRMED
+ if (statusmask & IPS_CONFIRMED) {
+ printf("%sCONFIRMED", sep);
+ sep =",";
+ }
+#endif
+ if (statusmask == 0) {
+ printf("%sNONE", sep);
+ sep = ",";
+ }
+ printf(" ");
+}
+
+static void
+print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
+{
+ char buf[BUFSIZ];
+
+ if (inv)
+ printf("! ");
+
+ if (mask->s_addr == 0L && !numeric)
+ printf("%s ", "anywhere");
+ else {
+ if (numeric)
+ sprintf(buf, "%s", addr_to_dotted(addr));
+ else
+ sprintf(buf, "%s", addr_to_anyname(addr));
+ strcat(buf, mask_to_dotted(mask));
+ printf("%s ", buf);
+ }
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void
+matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
+{
+ struct xt_conntrack_info *sinfo = (void *)match->data;
+
+ if(sinfo->flags & XT_CONNTRACK_STATE) {
+ if (sinfo->invflags & XT_CONNTRACK_STATE)
+ printf("! ");
+ printf("%sctstate ", optpfx);
+ print_state(sinfo->statemask);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_PROTO) {
+ if (sinfo->invflags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctproto ", optpfx);
+ printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
+ if (sinfo->invflags & XT_CONNTRACK_ORIGSRC)
+ printf("! ");
+ printf("%sctorigsrc ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
+ &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
+ if (sinfo->invflags & XT_CONNTRACK_ORIGDST)
+ printf("! ");
+ printf("%sctorigdst ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
+ &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
+ if (sinfo->invflags & XT_CONNTRACK_REPLSRC)
+ printf("! ");
+ printf("%sctreplsrc ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
+ &sinfo->sipmsk[IP_CT_DIR_REPLY],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_REPLDST) {
+ if (sinfo->invflags & XT_CONNTRACK_REPLDST)
+ printf("! ");
+ printf("%sctrepldst ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
+ &sinfo->dipmsk[IP_CT_DIR_REPLY],
+ false,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_STATUS) {
+ if (sinfo->invflags & XT_CONNTRACK_STATUS)
+ printf("! ");
+ printf("%sctstatus ", optpfx);
+ print_status(sinfo->statusmask);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
+ if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
+ printf("! ");
+ printf("%sctexpire ", optpfx);
+
+ if (sinfo->expires_max == sinfo->expires_min)
+ printf("%lu ", sinfo->expires_min);
+ else
+ printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
+ }
+}
+
+/* Prints out the matchinfo. */
+static void conntrack_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ matchinfo_print(ip, match, numeric, "");
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void conntrack_save(const void *ip, const struct xt_entry_match *match)
+{
+ matchinfo_print(ip, match, 1, "--");
+}
+
+static struct xtables_match conntrack_match = {
+ .version = IPTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
+ .help = conntrack_mt_help,
+ .parse = conntrack_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_print,
+ .save = conntrack_save,
+ .extra_opts = conntrack_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&conntrack_match);
+}
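Review bot: the `#ifdef IPS_CONFIRMED` guards in parse_status and print_status look wrong for the header this file now includes: in linux/netfilter/nf_conntrack_common.h IPS_CONFIRMED is an enumerator, not a macro, so the guard evaluates false and both CONFIRMED branches are compiled out, while the help text still advertises `CONFIRMED` for `--ctstatus` and the user will get "Bad ctstatus" for it. If the guard is dropped, the branch also carries the typo `sinfo->stausmask |= IPS_CONFIRMED;` (should be `statusmask`), inherited unchanged from libipt_conntrack.c, which would then fail to compile. Separately, `.has_arg = true` in conntrack_mt_opts and the `false` arguments to print_addr need `<stdbool.h>`, which is not among the includes at the top of the file.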
Index: iptables-modules/extensions/libxt_conntrack.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_conntrack.man
@@ -0,0 +1,71 @@
+This module, when combined with connection tracking, allows access to the
+connection tracking state for this packet/connection.
+.TP
+[\fB!\fR] \fB--ctstate\fR \fIstatelist\fR
+\fIstatelist\fR is a comma separated list of the connection states to match.
+Possible states are listed below.
+.TP
+[\fB!\fR] \fB--ctproto\fR \fIl4proto\fR
+Layer-4 protocol to match (by number or name)
+.TP
+[\fB!\fR] \fB--ctorigsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against original source address
+.TP
+[\fB!\fR] \fB--ctorigdst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against original destination address
+.TP
+[\fB!\fR] \fB--ctreplsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against reply source address
+.TP
+[\fB!\fR] \fB--ctrepldst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against reply destination address
+.TP
+[\fB!\fR] \fB--ctstatus\fR \fIstatelist\fR
+\fIstatuslist\fR is a comma separated list of the connection statuses to match.
+Possible statuses are listed below.
+.TP
+[\fB!\fR] \fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR]
+Match remaining lifetime in seconds against given value or range of values
+(inclusive)
+.PP
+States for \fB--ctstate\fR:
+.TP
+\fBINVALID\fR
+meaning that the packet is associated with no known connection
+.TP
+\fBNEW\fR
+meaning that the packet has started a new connection, or otherwise associated
+with a connection which has not seen packets in both directions, and
+.TP
+\fBESTABLISHED\fR
+meaning that the packet is associated with a connection which has seen packets
+in both directions,
+.TP
+\fBRELATED\fR
+meaning that the packet is starting a new connection, but is associated with an
+existing connection, such as an FTP data transfer, or an ICMP error.
+.TP
+\fBSNAT\fR
+A virtual state, matching if the original source address differs from the reply
+destination.
+.TP
+\fBDNAT\fR
+A virtual state, matching if the original destination differs from the reply
+source.
+.PP
+Statuses for \fB--ctstatus\fR:
+.TP
+\fBNONE\fR
+None of the below.
+.TP
+\fBEXPECTED\fR
+This is an expected connection (i.e. a conntrack helper set it up)
+.TP
+\fBSEEN_REPLY\fR
+Conntrack has seen packets in both directions.
+.TP
+\fBASSURED\fR
+Conntrack entry should never be early-expired.
+.TP
+\fBCONFIRMED\fR
+Connection is confirmed: originating packet has left box.
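Review bot: the --ctstatus entry names its argument \fIstatelist\fR on the option line but \fIstatuslist\fR in the description; the two should agree. The NEW description ends in a dangling "and" and the ESTABLISHED one in a trailing comma, carried over from the old man page, which now read as broken sentences under separate .TP entries; ending each with a period fixes it. The new header also defines XT_CONNTRACK_STATE_UNTRACKED, so if the parser accepts an UNTRACKED keyword it should be listed under the --ctstate states as well.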
Index: iptables-modules/include/linux/netfilter/xt_conntrack.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_conntrack.h
@@ -0,0 +1,83 @@
+/* Header file for kernel module to match connection tracking information.
+ * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
+ */
+
+#ifndef _XT_CONNTRACK_H
+#define _XT_CONNTRACK_H
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_CONNTRACK_STATE_INVALID (1 << 0)
+
+#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
+#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+
+/* flags, invflags: */
+enum {
+ XT_CONNTRACK_STATE = 1 << 0,
+ XT_CONNTRACK_PROTO = 1 << 1,
+ XT_CONNTRACK_ORIGSRC = 1 << 2,
+ XT_CONNTRACK_ORIGDST = 1 << 3,
+ XT_CONNTRACK_REPLSRC = 1 << 4,
+ XT_CONNTRACK_REPLDST = 1 << 5,
+ XT_CONNTRACK_STATUS = 1 << 6,
+ XT_CONNTRACK_EXPIRES = 1 << 7,
+ XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
+ XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
+ XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
+ XT_CONNTRACK_REPLDST_PORT = 1 << 11,
+ XT_CONNTRACK_DIRECTION = 1 << 12,
+};
+
+/* This is exposed to userspace, so remains frozen in time. */
+struct ip_conntrack_old_tuple
+{
+ struct {
+ __be32 ip;
+ union {
+ __u16 all;
+ } u;
+ } src;
+
+ struct {
+ __be32 ip;
+ union {
+ __u16 all;
+ } u;
+
+ /* The protocol. */
+ __u16 protonum;
+ } dst;
+};
+
+struct xt_conntrack_info
+{
+ unsigned int statemask, statusmask;
+
+ struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
+ struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+
+ unsigned long expires_min, expires_max;
+
+ /* Flags word */
+ u_int8_t flags;
+ /* Inverse flags */
+ u_int8_t invflags;
+};
+
+struct xt_conntrack_mtinfo1 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ u_int32_t expires_min, expires_max;
+ u_int16_t l4proto;
+ u_int16_t origsrc_port, origdst_port;
+ u_int16_t replsrc_port, repldst_port;
+ u_int16_t match_flags, invert_flags;
+ u_int8_t state_mask, status_mask;
+};
+
+#endif /*_XT_CONNTRACK_H*/
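Review bot: xt_conntrack.h is not self-contained: XT_CONNTRACK_STATE_BIT and the SNAT/DNAT/UNTRACKED defines use IP_CT_IS_REPLY and IP_CT_NUMBER, struct xt_conntrack_info uses struct in_addr, and struct xt_conntrack_mtinfo1 uses union nf_inet_addr, yet the only include is <linux/netfilter/nf_conntrack_tuple_common.h>. The removed ipt_conntrack.h included <linux/netfilter/nf_conntrack_common.h>; either add that plus <linux/netfilter.h> (for nf_inet_addr) and whatever supplies struct in_addr in userspace, or document that callers must include them first, as libxt_conntrack.c currently does only by virtue of its include order. The integer type names are also mixed, __be32/__u16 in ip_conntrack_old_tuple against u_int8_t/u_int16_t/u_int32_t in the two info structs; one family throughout would be cleaner.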
Index: iptables-modules/include/linux/netfilter_ipv4/ipt_conntrack.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/* Header file for kernel module to match connection tracking information.
- * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
- */
-
-#ifndef _IPT_CONNTRACK_H
-#define _IPT_CONNTRACK_H
-
-#include <linux/netfilter/nf_conntrack_common.h>
-
-/* backwards compatibility crap. only exists in userspace - HW */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(a,b,c) (((a) << 16) | ((b) << 8) | (c))
-#endif
-
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,4,18)) || !defined IPS_EXPECTED
-#define IPS_EXPECTED (1 << 0)
-#define IPS_SEEN_REPLY (1 << 1)
-#define IPS_ASSURED (1 << 2)
-#define IP_CT_DIR_ORIGINAL 0
-#define IP_CT_DIR_REPLY 1
-#define IP_CT_DIR_MAX 2
-#endif
-
-#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
-#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
-
-#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
-#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
-#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-
-/* flags, invflags: */
-#define IPT_CONNTRACK_STATE 0x01
-#define IPT_CONNTRACK_PROTO 0x02
-#define IPT_CONNTRACK_ORIGSRC 0x04
-#define IPT_CONNTRACK_ORIGDST 0x08
-#define IPT_CONNTRACK_REPLSRC 0x10
-#define IPT_CONNTRACK_REPLDST 0x20
-#define IPT_CONNTRACK_STATUS 0x40
-#define IPT_CONNTRACK_EXPIRES 0x80
-
-/* This is exposed to userspace, so remains frozen in time. */
-struct ip_conntrack_old_tuple
-{
- struct {
- u_int32_t ip;
- union {
- u_int16_t all;
- } u;
- } src;
-
- struct {
- u_int32_t ip;
- union {
- u_int16_t all;
- } u;
-
- /* The protocol. */
- u_int16_t protonum;
- } dst;
-};
-
-struct ipt_conntrack_info
-{
- unsigned int statemask, statusmask;
-
- struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
- struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
-
- unsigned long expires_min, expires_max;
-
- /* Flags word */
- u_int8_t flags;
- /* Inverse flags */
- u_int8_t invflags;
-};
-#endif /*_IPT_CONNTRACK_H*/
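Review bot: deleting include/linux/netfilter_ipv4/ipt_conntrack.h outright breaks any out-of-tree extension or program that still includes it and uses the IPT_CONNTRACK_* names or struct ipt_conntrack_info; a one-line compatibility header that includes <linux/netfilter/xt_conntrack.h> and maps IPT_CONNTRACK_* onto XT_CONNTRACK_* would keep those building. The removed block also dropped the fallback defines for IPS_EXPECTED/IPS_SEEN_REPLY/IPS_ASSURED and IP_CT_DIR_*; that is fine if the tree now requires kernel headers that provide them, but the commit message should say so.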
* Re: [11/19] libxt_conntrack r0
2008-01-16 13:51 ` [11/19] libxt_conntrack r0 Jan Engelhardt
@ 2008-01-20 13:33 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:33 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Move libipt_conntrack to libxt_conntrack.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libipt_conntrack.c | 514 --------------------------
> extensions/libipt_conntrack.man | 49 --
> extensions/libxt_conntrack.c | 517 +++++++++++++++++++++++++++
> extensions/libxt_conntrack.man | 71 +++
> include/linux/netfilter/xt_conntrack.h | 83 ++++
> include/linux/netfilter_ipv4/ipt_conntrack.h | 77 ----
> 6 files changed, 671 insertions(+), 640 deletions(-)
Applied, thanks.
* [12/19] bunch o' renames
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (10 preceding siblings ...)
2008-01-16 13:51 ` [11/19] libxt_conntrack r0 Jan Engelhardt
@ 2008-01-16 13:51 ` Jan Engelhardt
2008-01-20 13:35 ` Patrick McHardy
2008-01-16 13:52 ` [13/19] rename overlapping function names Jan Engelhardt
` (6 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:51 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Move a few functions from iptables.c/ip6tables.c to xtables.c
so they are available for combined (both AF_INET and AF_INET6)
libxt modules. Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libipt_DNAT.c | 4 -
extensions/libipt_NETMAP.c | 4 -
extensions/libipt_SAME.c | 8 +-
extensions/libipt_SNAT.c | 4 -
extensions/libipt_policy.c | 8 +-
extensions/libxt_conntrack.c | 7 +-
include/iptables.h | 3
include/xtables.h | 8 ++
ip6tables.c | 91 ++------------------------
iptables.c | 84 +-----------------------
xtables.c | 148 +++++++++++++++++++++++++++++++++++++++++++
11 files changed, 190 insertions(+), 179 deletions(-)
Index: iptables-modules/extensions/libipt_DNAT.c
===================================================================
--- iptables-modules.orig/extensions/libipt_DNAT.c
+++ iptables-modules/extensions/libipt_DNAT.c
@@ -198,10 +198,10 @@ static void print_range(const struct ip_
struct in_addr a;
a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
+ printf("%s", ipaddr_to_numeric(&a));
if (r->max_ip != r->min_ip) {
a.s_addr = r->max_ip;
- printf("-%s", addr_to_dotted(&a));
+ printf("-%s", ipaddr_to_numeric(&a));
}
}
if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
Index: iptables-modules/extensions/libipt_NETMAP.c
===================================================================
--- iptables-modules.orig/extensions/libipt_NETMAP.c
+++ iptables-modules/extensions/libipt_NETMAP.c
@@ -154,11 +154,11 @@ static void NETMAP_print(const void *ip,
int bits;
a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
+ printf("%s", ipaddr_to_numeric(&a));
a.s_addr = ~(r->min_ip ^ r->max_ip);
bits = netmask2bits(a.s_addr);
if (bits < 0)
- printf("/%s", addr_to_dotted(&a));
+ printf("/%s", ipaddr_to_numeric(&a));
else
printf("/%d", bits);
}
Index: iptables-modules/extensions/libipt_SAME.c
===================================================================
--- iptables-modules.orig/extensions/libipt_SAME.c
+++ iptables-modules/extensions/libipt_SAME.c
@@ -159,13 +159,13 @@ static void SAME_print(const void *ip, c
a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
+ printf("%s", ipaddr_to_numeric(&a));
a.s_addr = r->max_ip;
if (r->min_ip == r->max_ip)
printf(" ");
else
- printf("-%s ", addr_to_dotted(&a));
+ printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
random = 1;
}
@@ -190,13 +190,13 @@ static void SAME_save(const void *ip, co
struct in_addr a;
a.s_addr = r->min_ip;
- printf("--to %s", addr_to_dotted(&a));
+ printf("--to %s", ipaddr_to_numeric(&a));
a.s_addr = r->max_ip;
if (r->min_ip == r->max_ip)
printf(" ");
else
- printf("-%s ", addr_to_dotted(&a));
+ printf("-%s ", ipaddr_to_numeric(&a));
if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
random = 1;
}
Index: iptables-modules/extensions/libipt_SNAT.c
===================================================================
--- iptables-modules.orig/extensions/libipt_SNAT.c
+++ iptables-modules/extensions/libipt_SNAT.c
@@ -199,10 +199,10 @@ static void print_range(const struct ip_
struct in_addr a;
a.s_addr = r->min_ip;
- printf("%s", addr_to_dotted(&a));
+ printf("%s", ipaddr_to_numeric(&a));
if (r->max_ip != r->min_ip) {
a.s_addr = r->max_ip;
- printf("-%s", addr_to_dotted(&a));
+ printf("-%s", ipaddr_to_numeric(&a));
}
}
if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
Index: iptables-modules/extensions/libipt_policy.c
===================================================================
--- iptables-modules.orig/extensions/libipt_policy.c
+++ iptables-modules/extensions/libipt_policy.c
@@ -353,14 +353,14 @@ static void print_entry(char *prefix, co
if (e->match.daddr) {
PRINT_INVERT(e->invert.daddr);
printf("%stunnel-dst %s%s ", prefix,
- addr_to_dotted((struct in_addr *)&e->daddr),
- mask_to_dotted((struct in_addr *)&e->dmask));
+ ipaddr_to_numeric((const void *)&e->daddr),
+ ipmask_to_numeric((const void *)&e->dmask));
}
if (e->match.saddr) {
PRINT_INVERT(e->invert.saddr);
printf("%stunnel-src %s%s ", prefix,
- addr_to_dotted((struct in_addr *)&e->saddr),
- mask_to_dotted((struct in_addr *)&e->smask));
+ ipaddr_to_numeric((const void *)&e->saddr),
+ ipmask_to_numeric((const void *)&e->smask));
}
}
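Review bot: the `(const void *)` casts in print_entry hide the type of e->daddr/e->dmask from the compiler; the new helpers take `const struct in_addr *`, so casting to that type keeps the argument checked, as the old `(struct in_addr *)` cast did. There is also a pre-existing hazard these calls inherit: both %s arguments come from static buffers, and ipmask_to_numeric() falls back to ipaddr_to_numeric() for a non-contiguous mask (see the xtables.c hunk in this patch), which overwrites the same buf[20] the first argument points at; with C's unspecified argument evaluation order the line can then show the mask twice instead of address/mask. Printing address and mask in two separate printf calls avoids it.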
Index: iptables-modules/extensions/libxt_conntrack.c
===================================================================
--- iptables-modules.orig/extensions/libxt_conntrack.c
+++ iptables-modules/extensions/libxt_conntrack.c
@@ -9,6 +9,7 @@
#include <stdlib.h>
#include <string.h>
#include <iptables.h>
+#include <xtables.h>
#include <linux/netfilter.h>
#include <linux/netfilter/xt_conntrack.h>
#include <linux/netfilter/nf_conntrack_common.h>
@@ -388,10 +389,10 @@ print_addr(struct in_addr *addr, struct
printf("%s ", "anywhere");
else {
if (numeric)
- sprintf(buf, "%s", addr_to_dotted(addr));
+ sprintf(buf, "%s", ipaddr_to_numeric(addr));
else
- sprintf(buf, "%s", addr_to_anyname(addr));
- strcat(buf, mask_to_dotted(mask));
+ sprintf(buf, "%s", ipaddr_to_anyname(addr));
+ strcat(buf, ipmask_to_numeric(mask));
printf("%s ", buf);
}
}
Index: iptables-modules/include/iptables.h
===================================================================
--- iptables-modules.orig/include/iptables.h
+++ iptables-modules/include/iptables.h
@@ -26,9 +26,6 @@ extern void register_target(struct iptab
extern struct in_addr *dotted_to_addr(const char *dotted);
extern struct in_addr *dotted_to_mask(const char *dotted);
-extern char *addr_to_dotted(const struct in_addr *addrp);
-extern char *addr_to_anyname(const struct in_addr *addr);
-extern char *mask_to_dotted(const struct in_addr *mask);
extern void parse_hostnetworkmask(const char *name, struct in_addr **addrpp,
struct in_addr *maskp, unsigned int *naddrs);
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -236,6 +236,14 @@ void exit_error(enum exittype, const cha
extern void param_act(unsigned int, const char *, ...);
extern const char *program_name, *program_version;
+extern const char *ipaddr_to_numeric(const struct in_addr *);
+extern const char *ipaddr_to_anyname(const struct in_addr *);
+extern const char *ipmask_to_numeric(const struct in_addr *);
+
+extern const char *ip6addr_to_numeric(const struct in6_addr *);
+extern const char *ip6addr_to_anyname(const struct in6_addr *);
+extern const char *ip6mask_to_numeric(const struct in6_addr *);
+
#ifdef NO_SHARED_LIBS
# ifdef _INIT
# undef _init
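Review bot: the new prototypes name struct in_addr and struct in6_addr, so xtables.h only compiles standalone if it already includes <netinet/in.h>, which this hunk does not show; if it does not, add the include or forward-declare both structs, otherwise a module that includes xtables.h before <netinet/in.h> gets a struct declared in prototype scope and incompatible-pointer warnings at every call.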
Index: iptables-modules/ip6tables.c
===================================================================
--- iptables-modules.orig/ip6tables.c
+++ iptables-modules/ip6tables.c
@@ -250,13 +250,6 @@ proto_to_name(u_int8_t proto, int nolook
return NULL;
}
-static void
-in6addrcpy(struct in6_addr *dst, struct in6_addr *src)
-{
- memcpy(dst, src, sizeof(struct in6_addr));
- /* dst->s6_addr = src->s6_addr; */
-}
-
static void free_opts(int reset_offset)
{
if (opts != original_opts) {
@@ -466,15 +459,6 @@ check_inverse(const char option[], int *
return FALSE;
}
-static char *
-addr_to_numeric(const struct in6_addr *addrp)
-{
- /* 0000:0000:0000:0000:0000:000.000.000.000
- * 0000:0000:0000:0000:0000:0000:0000:0000 */
- static char buf[50+1];
- return (char *)inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
-}
-
static struct in6_addr *
numeric_to_addr(const char *num)
{
@@ -521,8 +505,8 @@ host_to_addr(const char *name, unsigned
#endif
/* Get the first element of the address-chain */
addr = fw_calloc(1, sizeof(struct in6_addr));
- in6addrcpy(addr, (struct in6_addr *)
- &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr);
+ memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
+ sizeof(struct in6_addr));
freeaddrinfo(res);
*naddr = 1;
return addr;
@@ -531,50 +515,6 @@ host_to_addr(const char *name, unsigned
return (struct in6_addr *) NULL;
}
-static char *
-addr_to_host(const struct in6_addr *addr)
-{
- struct sockaddr_in6 saddr;
- int err;
- static char hostname[NI_MAXHOST];
-
- memset(&saddr, 0, sizeof(struct sockaddr_in6));
- in6addrcpy(&(saddr.sin6_addr),(struct in6_addr *)addr);
- saddr.sin6_family = AF_INET6;
-
- if ( (err=getnameinfo((struct sockaddr *)&saddr,
- sizeof(struct sockaddr_in6),
- hostname, sizeof(hostname)-1,
- NULL, 0, 0)) != 0 ){
-#ifdef DEBUG
- fprintf(stderr,"IP2Name: %s\n",gai_strerror(err));
-#endif
- return (char *) NULL;
- } else {
-#ifdef DEBUG
- fprintf (stderr, "\naddr2host: %s\n", hostname);
-#endif
-
- return hostname;
- }
-
- return (char *) NULL;
-}
-
-static char *
-mask_to_numeric(const struct in6_addr *addrp)
-{
- static char buf[50+2];
- int l = ipv6_prefix_length(addrp);
- if (l == -1) {
- strcpy(buf, "/");
- strcat(buf, addr_to_numeric(addrp));
- return buf;
- }
- sprintf(buf, "/%d", l);
- return buf;
-}
-
static struct in6_addr *
network_to_addr(const char *name)
{
@@ -584,17 +524,6 @@ network_to_addr(const char *name)
return (struct in6_addr *)NULL;
}
-static char *
-addr_to_anyname(const struct in6_addr *addr)
-{
- char *name;
-
- if ((name = addr_to_host(addr)) != NULL)
- return name;
-
- return addr_to_numeric(addr);
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
@@ -612,7 +541,7 @@ parse_hostnetwork(const char *name, unsi
if ((addrptmp = numeric_to_addr(name)) != NULL ||
(addrptmp = network_to_addr(name)) != NULL) {
addrp = fw_malloc(sizeof(struct in6_addr));
- in6addrcpy(addrp, addrptmp);
+ memcpy(addrp, addrptmp, sizeof(*addrp));
*naddrs = 1;
return addrp;
}
@@ -667,7 +596,7 @@ parse_hostnetworkmask(const char *name,
addrp = parse_mask(p + 1);
} else
addrp = parse_mask(NULL);
- in6addrcpy(maskp, addrp);
+ memcpy(maskp, addrp, sizeof(*maskp));
/* if a null mask is given, the name is ignored, like in "any/0" */
if (!memcmp(maskp, &in6addr_any, sizeof(in6addr_any)))
@@ -1029,10 +958,10 @@ print_firewall(const struct ip6t_entry *
printf(FMT("%-19s ","%s "), "anywhere");
else {
if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_numeric(&(fw->ipv6.src)));
+ sprintf(buf, "%s", ip6addr_to_numeric(&fw->ipv6.src));
else
- sprintf(buf, "%s", addr_to_anyname(&(fw->ipv6.src)));
- strcat(buf, mask_to_numeric(&(fw->ipv6.smsk)));
+ sprintf(buf, "%s", ip6addr_to_anyname(&fw->ipv6.src));
+ strcat(buf, ip6mask_to_numeric(&fw->ipv6.smsk));
printf(FMT("%-19s ","%s "), buf);
}
@@ -1042,10 +971,10 @@ print_firewall(const struct ip6t_entry *
printf(FMT("%-19s","-> %s"), "anywhere");
else {
if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_numeric(&(fw->ipv6.dst)));
+ sprintf(buf, "%s", ip6addr_to_numeric(&fw->ipv6.dst));
else
- sprintf(buf, "%s", addr_to_anyname(&(fw->ipv6.dst)));
- strcat(buf, mask_to_numeric(&(fw->ipv6.dmsk)));
+ sprintf(buf, "%s", ip6addr_to_anyname(&fw->ipv6.dst));
+ strcat(buf, ip6mask_to_numeric(&fw->ipv6.dmsk));
printf(FMT("%-19s","-> %s"), buf);
}
Index: iptables-modules/iptables.c
===================================================================
--- iptables-modules.orig/iptables.c
+++ iptables-modules/iptables.c
@@ -575,18 +575,6 @@ host_to_addr(const char *name, unsigned
return (struct in_addr *) NULL;
}
-static char *
-addr_to_host(const struct in_addr *addr)
-{
- struct hostent *host;
-
- if ((host = gethostbyaddr((char *) addr,
- sizeof(struct in_addr), AF_INET)) != NULL)
- return (char *) host->h_name;
-
- return (char *) NULL;
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
@@ -765,66 +753,6 @@ parse_target(const char *targetname)
return targetname;
}
-static char *
-addr_to_network(const struct in_addr *addr)
-{
- struct netent *net;
-
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
- return (char *) net->n_name;
-
- return (char *) NULL;
-}
-
-char *
-addr_to_dotted(const struct in_addr *addrp)
-{
- static char buf[20];
- const unsigned char *bytep;
-
- bytep = (const unsigned char *) &(addrp->s_addr);
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
- return buf;
-}
-
-char *
-addr_to_anyname(const struct in_addr *addr)
-{
- char *name;
-
- if ((name = addr_to_host(addr)) != NULL ||
- (name = addr_to_network(addr)) != NULL)
- return name;
-
- return addr_to_dotted(addr);
-}
-
-char *
-mask_to_dotted(const struct in_addr *mask)
-{
- int i;
- static char buf[20];
- u_int32_t maskaddr, bits;
-
- maskaddr = ntohl(mask->s_addr);
-
- if (maskaddr == 0xFFFFFFFFL)
- /* we don't want to see "/32" */
- return "";
-
- i = 32;
- bits = 0xFFFFFFFEL;
- while (--i >= 0 && maskaddr != bits)
- bits <<= 1;
- if (i >= 0)
- sprintf(buf, "/%d", i);
- else
- /* mask was not a decent combination of 1's and 0's */
- sprintf(buf, "/%s", addr_to_dotted(mask));
-
- return buf;
-}
-
static void
set_option(unsigned int *options, unsigned int option, u_int8_t *invflg,
int invert)
@@ -1066,10 +994,10 @@ print_firewall(const struct ipt_entry *f
printf(FMT("%-19s ","%s "), "anywhere");
else {
if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->ip.src)));
+ sprintf(buf, "%s", ipaddr_to_numeric(&fw->ip.src));
else
- sprintf(buf, "%s", addr_to_anyname(&(fw->ip.src)));
- strcat(buf, mask_to_dotted(&(fw->ip.smsk)));
+ sprintf(buf, "%s", ipaddr_to_anyname(&fw->ip.src));
+ strcat(buf, ipmask_to_numeric(&fw->ip.smsk));
printf(FMT("%-19s ","%s "), buf);
}
@@ -1078,10 +1006,10 @@ print_firewall(const struct ipt_entry *f
printf(FMT("%-19s ","-> %s"), "anywhere");
else {
if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->ip.dst)));
+ sprintf(buf, "%s", ipaddr_to_numeric(&fw->ip.dst));
else
- sprintf(buf, "%s", addr_to_anyname(&(fw->ip.dst)));
- strcat(buf, mask_to_dotted(&(fw->ip.dmsk)));
+ sprintf(buf, "%s", ipaddr_to_anyname(&fw->ip.dst));
+ strcat(buf, ipmask_to_numeric(&fw->ip.dmsk));
printf(FMT("%-19s ","-> %s"), buf);
}
Index: iptables-modules/xtables.c
===================================================================
--- iptables-modules.orig/xtables.c
+++ iptables-modules/xtables.c
@@ -29,6 +29,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <arpa/inet.h>
#include <xtables.h>
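Review bot: <arpa/inet.h> covers inet_ntop and ntohl, but the code moved into xtables.c below also calls gethostbyaddr, getnetbyaddr, getnameinfo and gai_strerror and uses NI_MAXHOST, struct hostent, struct netent and struct sockaddr_in6, which need <netdb.h> and <netinet/in.h>; whether xtables.c already includes those is outside this hunk, so please confirm or add them here alongside <arpa/inet.h>.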
@@ -702,3 +703,150 @@ void param_act(unsigned int status, cons
va_end(args);
}
+
+const char *ipaddr_to_numeric(const struct in_addr *addrp)
+{
+ static char buf[20];
+ const unsigned char *bytep = (const void *)&addrp->s_addr;
+
+ sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
+ return buf;
+}
+
+static const char *ipaddr_to_host(const struct in_addr *addr)
+{
+ struct hostent *host;
+
+ host = gethostbyaddr(addr, sizeof(struct in_addr), AF_INET);
+ if (host == NULL)
+ return NULL;
+
+ return host->h_name;
+}
+
+static const char *ipaddr_to_network(const struct in_addr *addr)
+{
+ struct netent *net;
+
+ if ((net = getnetbyaddr(ntohl(addr->s_addr), AF_INET)) != NULL)
+ return net->n_name;
+
+ return NULL;
+}
+
+const char *ipaddr_to_anyname(const struct in_addr *addr)
+{
+ const char *name;
+
+ if ((name = ipaddr_to_host(addr)) != NULL ||
+ (name = ipaddr_to_network(addr)) != NULL)
+ return name;
+
+ return ipaddr_to_numeric(addr);
+}
+
+const char *ipmask_to_numeric(const struct in_addr *mask)
+{
+ static char buf[20];
+ uint32_t maskaddr, bits;
+ int i;
+
+ maskaddr = ntohl(mask->s_addr);
+
+ if (maskaddr == 0xFFFFFFFFL)
+ /* we don't want to see "/32" */
+ return "";
+
+ i = 32;
+ bits = 0xFFFFFFFEL;
+ while (--i >= 0 && maskaddr != bits)
+ bits <<= 1;
+ if (i >= 0)
+ sprintf(buf, "/%d", i);
+ else
+ /* mask was not a decent combination of 1's and 0's */
+ sprintf(buf, "/%s", ipaddr_to_numeric(mask));
+
+ return buf;
+}
+
+const char *ip6addr_to_numeric(const struct in6_addr *addrp)
+{
+ /* 0000:0000:0000:0000:0000:000.000.000.000
+ * 0000:0000:0000:0000:0000:0000:0000:0000 */
+ static char buf[50+1];
+ return inet_ntop(AF_INET6, addrp, buf, sizeof(buf));
+}
+
+static const char *ip6addr_to_host(const struct in6_addr *addr)
+{
+ static char hostname[NI_MAXHOST];
+ struct sockaddr_in6 saddr;
+ int err;
+
+ memset(&saddr, 0, sizeof(struct sockaddr_in6));
+ memcpy(&saddr.sin6_addr, addr, sizeof(*addr));
+ saddr.sin6_family = AF_INET6;
+
+ err = getnameinfo((const void *)&saddr, sizeof(struct sockaddr_in6),
+ hostname, sizeof(hostname) - 1, NULL, 0, 0);
+ if (err != 0) {
+#ifdef DEBUG
+ fprintf(stderr,"IP2Name: %s\n",gai_strerror(err));
+#endif
+ return NULL;
+ }
+
+#ifdef DEBUG
+ fprintf (stderr, "\naddr2host: %s\n", hostname);
+#endif
+ return hostname;
+}
+
+const char *ip6addr_to_anyname(const struct in6_addr *addr)
+{
+ const char *name;
+
+ if ((name = ip6addr_to_host(addr)) != NULL)
+ return name;
+
+ return ip6addr_to_numeric(addr);
+}
+
+static int ip6addr_prefix_length(const struct in6_addr *k)
+{
+ unsigned int bits = 0;
+ uint32_t a, b, c, d;
+
+ a = k->s6_addr32[0];
+ b = k->s6_addr32[1];
+ c = k->s6_addr32[2];
+ d = k->s6_addr32[3];
+ while (a & 0x80000000U) {
+ ++bits;
+ a <<= 1;
+ a |= (b >> 31) & 1;
+ b <<= 1;
+ b |= (c >> 31) & 1;
+ c <<= 1;
+ c |= (d >> 31) & 1;
+ d <<= 1;
+ }
+ if (a != 0 || b != 0 || c != 0 || d != 0)
+ return -1;
+ return bits;
+}
+
+const char *ip6mask_to_numeric(const struct in6_addr *addrp)
+{
+ static char buf[50+2];
+ int l = ip6addr_prefix_length(addrp);
+
+ if (l == -1) {
+ strcpy(buf, "/");
+ strcat(buf, ip6addr_to_numeric(addrp));
+ return buf;
+ }
+ sprintf(buf, "/%d", l);
+ return buf;
+}
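Review bot: ip6addr_prefix_length() loads k->s6_addr32[0..3] in host byte order but then tests the most-significant bit with `a & 0x80000000U` and shifts carries between words as if they were big-endian, so on a little-endian host a contiguous mask whose length is not a multiple of 32 (for example ffff:ff00::) is reported as -1 and ip6mask_to_numeric() prints the whole mask instead of /24, while a mask such as 0000:0080:: is reported as /1; converting each word with ntohl() before the loop (`a = ntohl(k->s6_addr32[0]);` and likewise for b, c and d) fixes both. This is a new implementation, not the ipv6_prefix_length() the removed ip6tables.c mask_to_numeric() relied on, so a quick check with /24, /33 and a non-contiguous mask is worthwhile. Separately, ipmask_to_numeric()'s non-contiguous fallback calls ipaddr_to_numeric(), which reuses the static buf[20] a caller may still hold from an earlier ipaddr_to_numeric() call; formatting the fallback into ipmask_to_numeric()'s own buffer removes that aliasing.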
* Re: [12/19] bunch o' renames
2008-01-16 13:51 ` [12/19] bunch o' renames Jan Engelhardt
@ 2008-01-20 13:35 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:35 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Move a few functions from iptables.c/ip6tables.c to xtables.c
> so they are available for combined (both AF_INET and AF_INET6)
> libxt modules. Rename overlapping function names.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libipt_DNAT.c | 4 -
> extensions/libipt_NETMAP.c | 4 -
> extensions/libipt_SAME.c | 8 +-
> extensions/libipt_SNAT.c | 4 -
> extensions/libipt_policy.c | 8 +-
> extensions/libxt_conntrack.c | 7 +-
> include/iptables.h | 3
> include/xtables.h | 8 ++
> ip6tables.c | 91 ++------------------------
> iptables.c | 84 +-----------------------
> xtables.c | 148 +++++++++++++++++++++++++++++++++++++++++++
> 11 files changed, 190 insertions(+), 179 deletions(-)
Applied.
* [13/19] rename overlapping function names
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (11 preceding siblings ...)
2008-01-16 13:51 ` [12/19] bunch o' renames Jan Engelhardt
@ 2008-01-16 13:52 ` Jan Engelhardt
2008-01-20 13:37 ` Patrick McHardy
2008-01-16 13:52 ` [14/19] libxt_hashlimit checks Jan Engelhardt
` (5 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:52 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libip6t_policy.c | 6
extensions/libipt_DNAT.c | 6
extensions/libipt_NETMAP.c | 6
extensions/libipt_SAME.c | 6
extensions/libipt_SNAT.c | 6
extensions/libipt_iprange.c | 6
extensions/libipt_policy.c | 4
extensions/libxt_conntrack.c | 8 -
include/iptables.h | 5
include/xtables.h | 7
ip6tables.c | 159 ---------------------
iptables.c | 198 --------------------------
xtables.c | 318 +++++++++++++++++++++++++++++++++++++++++++
13 files changed, 356 insertions(+), 379 deletions(-)
Index: iptables-modules/extensions/libip6t_policy.c
===================================================================
--- iptables-modules.orig/extensions/libip6t_policy.c
+++ iptables-modules/extensions/libip6t_policy.c
@@ -128,8 +128,6 @@ mask_to_numeric(const struct in6_addr *a
/* These should be in include/ip6tables.h... */
extern u_int16_t parse_protocol(const char *s);
-extern void parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
- struct in6_addr *maskp, unsigned int *naddrs);
/* End duplicated code from ip6tables.c */
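Review bot: this hunk drops only the duplicated parse_hostnetworkmask prototype, while the surrounding context (mask_to_numeric in the hunk header and the "End duplicated code from ip6tables.c" marker) shows libip6t_policy.c still carries its own copies of the address helpers; now that 12/19 exports ip6addr_to_numeric() and ip6mask_to_numeric() from xtables.c, the remaining duplicates could be removed in this same series rather than left half-migrated.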
@@ -223,7 +221,7 @@ static int policy_parse(int c, char **ar
exit_error(PARAMETER_PROBLEM,
"policy match: double --tunnel-src option");
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
+ ip6parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
if (naddr > 1)
exit_error(PARAMETER_PROBLEM,
"policy match: name resolves to multiple IPs");
@@ -238,7 +236,7 @@ static int policy_parse(int c, char **ar
exit_error(PARAMETER_PROBLEM,
"policy match: double --tunnel-dst option");
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
+ ip6parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
if (naddr > 1)
exit_error(PARAMETER_PROBLEM,
"policy match: name resolves to multiple IPs");
Index: iptables-modules/extensions/libipt_DNAT.c
===================================================================
--- iptables-modules.orig/extensions/libipt_DNAT.c
+++ iptables-modules/extensions/libipt_DNAT.c
@@ -62,7 +62,7 @@ parse_to(char *arg, int portok, struct i
{
struct ip_nat_range range;
char *colon, *dash, *error;
- struct in_addr *ip;
+ const struct in_addr *ip;
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
@@ -119,13 +119,13 @@ parse_to(char *arg, int portok, struct i
if (dash)
*dash = '\0';
- ip = dotted_to_addr(arg);
+ ip = numeric_to_ipaddr(arg);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
arg);
range.min_ip = ip->s_addr;
if (dash) {
- ip = dotted_to_addr(dash+1);
+ ip = numeric_to_ipaddr(dash+1);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
dash+1);
Index: iptables-modules/extensions/libipt_NETMAP.c
===================================================================
--- iptables-modules.orig/extensions/libipt_NETMAP.c
+++ iptables-modules/extensions/libipt_NETMAP.c
@@ -68,7 +68,7 @@ static void
parse_to(char *arg, struct ip_nat_range *range)
{
char *slash;
- struct in_addr *ip;
+ const struct in_addr *ip;
u_int32_t netmask;
unsigned int bits;
@@ -77,14 +77,14 @@ parse_to(char *arg, struct ip_nat_range
if (slash)
*slash = '\0';
- ip = dotted_to_addr(arg);
+ ip = numeric_to_ipaddr(arg);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
arg);
range->min_ip = ip->s_addr;
if (slash) {
if (strchr(slash+1, '.')) {
- ip = dotted_to_mask(slash+1);
+ ip = numeric_to_ipmask(slash+1);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad netmask `%s'\n",
slash+1);
Index: iptables-modules/extensions/libipt_SAME.c
===================================================================
--- iptables-modules.orig/extensions/libipt_SAME.c
+++ iptables-modules/extensions/libipt_SAME.c
@@ -52,7 +52,7 @@ static void
parse_to(char *arg, struct ip_nat_range *range)
{
char *dash;
- struct in_addr *ip;
+ const struct in_addr *ip;
range->flags |= IP_NAT_RANGE_MAP_IPS;
dash = strchr(arg, '-');
@@ -60,14 +60,14 @@ parse_to(char *arg, struct ip_nat_range
if (dash)
*dash = '\0';
- ip = dotted_to_addr(arg);
+ ip = numeric_to_ipaddr(arg);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
arg);
range->min_ip = ip->s_addr;
if (dash) {
- ip = dotted_to_addr(dash+1);
+ ip = numeric_to_ipaddr(dash+1);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
dash+1);
Index: iptables-modules/extensions/libipt_SNAT.c
===================================================================
--- iptables-modules.orig/extensions/libipt_SNAT.c
+++ iptables-modules/extensions/libipt_SNAT.c
@@ -62,7 +62,7 @@ parse_to(char *arg, int portok, struct i
{
struct ip_nat_range range;
char *colon, *dash, *error;
- struct in_addr *ip;
+ const struct in_addr *ip;
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
@@ -119,13 +119,13 @@ parse_to(char *arg, int portok, struct i
if (dash)
*dash = '\0';
- ip = dotted_to_addr(arg);
+ ip = numeric_to_ipaddr(arg);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
arg);
range.min_ip = ip->s_addr;
if (dash) {
- ip = dotted_to_addr(dash+1);
+ ip = numeric_to_ipaddr(dash+1);
if (!ip)
exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
dash+1);
Index: iptables-modules/extensions/libipt_iprange.c
===================================================================
--- iptables-modules.orig/extensions/libipt_iprange.c
+++ iptables-modules/extensions/libipt_iprange.c
@@ -29,20 +29,20 @@ static void
parse_iprange(char *arg, struct ipt_iprange *range)
{
char *dash;
- struct in_addr *ip;
+ const struct in_addr *ip;
dash = strchr(arg, '-');
if (dash)
*dash = '\0';
- ip = dotted_to_addr(arg);
+ ip = numeric_to_ipaddr(arg);
if (!ip)
exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
arg);
range->min_ip = ip->s_addr;
if (dash) {
- ip = dotted_to_addr(dash+1);
+ ip = numeric_to_ipaddr(dash+1);
if (!ip)
exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
dash+1);
Index: iptables-modules/extensions/libipt_policy.c
===================================================================
--- iptables-modules.orig/extensions/libipt_policy.c
+++ iptables-modules/extensions/libipt_policy.c
@@ -183,7 +183,7 @@ static int policy_parse(int c, char **ar
exit_error(PARAMETER_PROBLEM,
"policy match: double --tunnel-src option");
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
+ ipparse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
if (naddr > 1)
exit_error(PARAMETER_PROBLEM,
"policy match: name resolves to multiple IPs");
@@ -198,7 +198,7 @@ static int policy_parse(int c, char **ar
exit_error(PARAMETER_PROBLEM,
"policy match: double --tunnel-dst option");
- parse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
+ ipparse_hostnetworkmask(argv[optind-1], &addr, &mask, &naddr);
if (naddr > 1)
exit_error(PARAMETER_PROBLEM,
"policy match: name resolves to multiple IPs");
Index: iptables-modules/extensions/libxt_conntrack.c
===================================================================
--- iptables-modules.orig/extensions/libxt_conntrack.c
+++ iptables-modules/extensions/libxt_conntrack.c
@@ -203,7 +203,7 @@ static int conntrack_parse(int c, char *
if (invert)
sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
- parse_hostnetworkmask(argv[optind-1], &addrs,
+ ipparse_hostnetworkmask(argv[optind-1], &addrs,
&sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
&naddrs);
if(naddrs > 1)
@@ -223,7 +223,7 @@ static int conntrack_parse(int c, char *
if (invert)
sinfo->invflags |= XT_CONNTRACK_ORIGDST;
- parse_hostnetworkmask(argv[optind-1], &addrs,
+ ipparse_hostnetworkmask(argv[optind-1], &addrs,
&sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
&naddrs);
if(naddrs > 1)
@@ -243,7 +243,7 @@ static int conntrack_parse(int c, char *
if (invert)
sinfo->invflags |= XT_CONNTRACK_REPLSRC;
- parse_hostnetworkmask(argv[optind-1], &addrs,
+ ipparse_hostnetworkmask(argv[optind-1], &addrs,
&sinfo->sipmsk[IP_CT_DIR_REPLY],
&naddrs);
if(naddrs > 1)
@@ -263,7 +263,7 @@ static int conntrack_parse(int c, char *
if (invert)
sinfo->invflags |= XT_CONNTRACK_REPLDST;
- parse_hostnetworkmask(argv[optind-1], &addrs,
+ ipparse_hostnetworkmask(argv[optind-1], &addrs,
&sinfo->dipmsk[IP_CT_DIR_REPLY],
&naddrs);
if(naddrs > 1)
Index: iptables-modules/include/iptables.h
===================================================================
--- iptables-modules.orig/include/iptables.h
+++ iptables-modules/include/iptables.h
@@ -24,11 +24,6 @@ extern int line;
extern void register_match(struct iptables_match *me);
extern void register_target(struct iptables_target *me);
-extern struct in_addr *dotted_to_addr(const char *dotted);
-extern struct in_addr *dotted_to_mask(const char *dotted);
-
-extern void parse_hostnetworkmask(const char *name, struct in_addr **addrpp,
- struct in_addr *maskp, unsigned int *naddrs);
extern u_int16_t parse_protocol(const char *s);
extern int do_command(int argc, char *argv[], char **table,
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -239,10 +239,17 @@ extern const char *program_name, *progra
extern const char *ipaddr_to_numeric(const struct in_addr *);
extern const char *ipaddr_to_anyname(const struct in_addr *);
extern const char *ipmask_to_numeric(const struct in_addr *);
+extern struct in_addr *numeric_to_ipaddr(const char *);
+extern struct in_addr *numeric_to_ipmask(const char *);
+extern void ipparse_hostnetworkmask(const char *, struct in_addr **,
+ struct in_addr *, unsigned int *);
+extern struct in6_addr *numeric_to_ip6addr(const char *);
extern const char *ip6addr_to_numeric(const struct in6_addr *);
extern const char *ip6addr_to_anyname(const struct in6_addr *);
extern const char *ip6mask_to_numeric(const struct in6_addr *);
+extern void ip6parse_hostnetworkmask(const char *, struct in6_addr **,
+ struct in6_addr *, unsigned int *);
#ifdef NO_SHARED_LIBS
# ifdef _INIT
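Review bot: the new prototypes hide a storage contract the callers depend on. numeric_to_ipaddr(), numeric_to_ipmask() and numeric_to_ip6addr() return pointers into function-static buffers (`static struct in_addr addr` and `static struct in6_addr ap` in the xtables.c hunks of this patch), so the result is overwritten by the next call and must never be freed, while ipparse_hostnetworkmask()/ip6parse_hostnetworkmask() hand back an fw_malloc'd array through the `struct in_addr **` / `struct in6_addr **` argument that the caller owns. Since the extension callers in this patch were already changed to `const struct in_addr *ip`, declare the numeric_* functions as returning `const struct in_addr *` and `const struct in6_addr *`, and add a one-line comment on who frees the addrpp array; otherwise the next extension author will free() a static or leak the array.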
Index: iptables-modules/ip6tables.c
===================================================================
--- iptables-modules.orig/ip6tables.c
+++ iptables-modules/ip6tables.c
@@ -459,71 +459,6 @@ check_inverse(const char option[], int *
return FALSE;
}
-static struct in6_addr *
-numeric_to_addr(const char *num)
-{
- static struct in6_addr ap;
- int err;
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
- return ≈
-#ifdef DEBUG
- fprintf(stderr, "\nnumeric2addr: %d\n", err);
-#endif
- return (struct in6_addr *)NULL;
-}
-
-
-static struct in6_addr *
-host_to_addr(const char *name, unsigned int *naddr)
-{
- struct addrinfo hints;
- struct addrinfo *res;
- static struct in6_addr *addr;
- int err;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_flags=AI_CANONNAME;
- hints.ai_family=AF_INET6;
- hints.ai_socktype=SOCK_RAW;
- hints.ai_protocol=41;
- hints.ai_next=NULL;
-
- *naddr = 0;
- if ( (err=getaddrinfo(name, NULL, &hints, &res)) != 0 ){
-#ifdef DEBUG
- fprintf(stderr,"Name2IP: %s\n",gai_strerror(err));
-#endif
- return (struct in6_addr *) NULL;
- } else {
- if (res->ai_family != AF_INET6 ||
- res->ai_addrlen != sizeof(struct sockaddr_in6))
- return (struct in6_addr *) NULL;
-
-#ifdef DEBUG
- fprintf(stderr, "resolved: len=%d %s ", res->ai_addrlen,
- addr_to_numeric(&(((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)));
-#endif
- /* Get the first element of the address-chain */
- addr = fw_calloc(1, sizeof(struct in6_addr));
- memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
- sizeof(struct in6_addr));
- freeaddrinfo(res);
- *naddr = 1;
- return addr;
- }
-
- return (struct in6_addr *) NULL;
-}
-
-static struct in6_addr *
-network_to_addr(const char *name)
-{
- /* abort();*/
- /* TODO: not implemented yet, but the exception breaks the
- * name resolvation */
- return (struct in6_addr *)NULL;
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
@@ -533,92 +468,6 @@ network_to_addr(const char *name)
* return global static data.
*/
-static struct in6_addr *
-parse_hostnetwork(const char *name, unsigned int *naddrs)
-{
- struct in6_addr *addrp, *addrptmp;
-
- if ((addrptmp = numeric_to_addr(name)) != NULL ||
- (addrptmp = network_to_addr(name)) != NULL) {
- addrp = fw_malloc(sizeof(struct in6_addr));
- memcpy(addrp, addrptmp, sizeof(*addrp));
- *naddrs = 1;
- return addrp;
- }
- if ((addrp = host_to_addr(name, naddrs)) != NULL)
- return addrp;
-
- exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
-}
-
-static struct in6_addr *
-parse_mask(char *mask)
-{
- static struct in6_addr maskaddr;
- struct in6_addr *addrp;
- unsigned int bits;
-
- if (mask == NULL) {
- /* no mask at all defaults to 128 bits */
- memset(&maskaddr, 0xff, sizeof maskaddr);
- return &maskaddr;
- }
- if ((addrp = numeric_to_addr(mask)) != NULL)
- return addrp;
- if (string_to_number(mask, 0, 128, &bits) == -1)
- exit_error(PARAMETER_PROBLEM,
- "invalid mask `%s' specified", mask);
- if (bits != 0) {
- char *p = (char *)&maskaddr;
- memset(p, 0xff, bits / 8);
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
- p[bits / 8] = 0xff << (8 - (bits & 7));
- return &maskaddr;
- }
-
- memset(&maskaddr, 0, sizeof maskaddr);
- return &maskaddr;
-}
-
-void
-parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
- struct in6_addr *maskp, unsigned int *naddrs)
-{
- struct in6_addr *addrp;
- char buf[256];
- char *p;
- int i, j, n;
-
- strncpy(buf, name, sizeof(buf) - 1);
- buf[sizeof(buf) - 1] = '\0';
- if ((p = strrchr(buf, '/')) != NULL) {
- *p = '\0';
- addrp = parse_mask(p + 1);
- } else
- addrp = parse_mask(NULL);
- memcpy(maskp, addrp, sizeof(*maskp));
-
- /* if a null mask is given, the name is ignored, like in "any/0" */
- if (!memcmp(maskp, &in6addr_any, sizeof(in6addr_any)))
- strcpy(buf, "::");
-
- addrp = *addrpp = parse_hostnetwork(buf, naddrs);
- n = *naddrs;
- for (i = 0, j = 0; i < n; i++) {
- int k;
- for (k = 0; k < 4; k++)
- addrp[j].in6_u.u6_addr32[k] &= maskp->in6_u.u6_addr32[k];
- j++;
- for (k = 0; k < j - 1; k++) {
- if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) {
- (*naddrs)--;
- j--;
- break;
- }
- }
- }
-}
-
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
static struct ip6tables_match *
find_proto(const char *pname, enum ip6t_tryload tryload, int nolookup, struct ip6tables_rule_match **matches)
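Review bot: the comment block kept as context at the top of this hunk ("All functions starting with "parse" should succeed, otherwise the program fails. ... return global static data.") describes parse_hostnetwork(), parse_mask() and parse_hostnetworkmask(), which this hunk removes from ip6tables.c, so it is now orphaned above find_proto(). Move it to xtables.c above ip6parse_hostnetwork()/parse_ip6mask() where those functions now live, or drop it. The iptables.c hunk that removes the IPv4 copies leaves the identical comment behind in the same way.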
@@ -1795,12 +1644,12 @@ int do_command6(int argc, char *argv[],
}
if (shostnetworkmask)
- parse_hostnetworkmask(shostnetworkmask, &saddrs,
- &(fw.ipv6.smsk), &nsaddrs);
+ ip6parse_hostnetworkmask(shostnetworkmask, &saddrs,
+ &fw.ipv6.smsk, &nsaddrs);
if (dhostnetworkmask)
- parse_hostnetworkmask(dhostnetworkmask, &daddrs,
- &(fw.ipv6.dmsk), &ndaddrs);
+ ip6parse_hostnetworkmask(dhostnetworkmask, &daddrs,
+ &fw.ipv6.dmsk, &ndaddrs);
if ((nsaddrs > 1 || ndaddrs > 1) &&
(fw.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP)))
Index: iptables-modules/iptables.c
===================================================================
--- iptables-modules.orig/iptables.c
+++ iptables-modules/iptables.c
@@ -253,90 +253,6 @@ enum {
IPT_DOTTED_MASK
};
-static struct in_addr *
-__dotted_to_addr(const char *dotted, int type)
-{
- static struct in_addr addr;
- unsigned char *addrp;
- char *p, *q;
- unsigned int onebyte;
- int i;
- char buf[20];
-
- /* copy dotted string, because we need to modify it */
- strncpy(buf, dotted, sizeof(buf) - 1);
- buf[sizeof(buf) - 1] = '\0';
- addrp = (unsigned char *) &(addr.s_addr);
-
- p = buf;
- for (i = 0; i < 3; i++) {
- if ((q = strchr(p, '.')) == NULL) {
- if (type == IPT_DOTTED_ADDR) {
- /* autocomplete, this is a network address */
- if (string_to_number(p, 0, 255, &onebyte) == -1)
- return (struct in_addr *) NULL;
-
- addrp[i] = (unsigned char) onebyte;
- while (i < 3)
- addrp[++i] = 0;
-
- return &addr;
- } else
- return (struct in_addr *) NULL;
- }
-
- *q = '\0';
- if (string_to_number(p, 0, 255, &onebyte) == -1)
- return (struct in_addr *) NULL;
-
- addrp[i] = (unsigned char) onebyte;
- p = q + 1;
- }
-
- /* we've checked 3 bytes, now we check the last one */
- if (string_to_number(p, 0, 255, &onebyte) == -1)
- return (struct in_addr *) NULL;
-
- addrp[3] = (unsigned char) onebyte;
-
- return &addr;
-}
-
-struct in_addr *
-dotted_to_addr(const char *dotted)
-{
- return __dotted_to_addr(dotted, IPT_DOTTED_ADDR);
-}
-
-struct in_addr *
-dotted_to_mask(const char *dotted)
-{
- return __dotted_to_addr(dotted, IPT_DOTTED_MASK);
-}
-
-static struct in_addr *
-network_to_addr(const char *name)
-{
- struct netent *net;
- static struct in_addr addr;
-
- if ((net = getnetbyname(name)) != NULL) {
- if (net->n_addrtype != AF_INET)
- return (struct in_addr *) NULL;
- addr.s_addr = htonl((unsigned long) net->n_net);
- return &addr;
- }
-
- return (struct in_addr *) NULL;
-}
-
-static void
-inaddrcpy(struct in_addr *dst, struct in_addr *src)
-{
- /* memcpy(dst, src, sizeof(struct in_addr)); */
- dst->s_addr = src->s_addr;
-}
-
static void free_opts(int reset_offset)
{
if (opts != original_opts) {
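Review bot: the enum ending in IPT_DOTTED_MASK (its tail is the context at the top of this hunk) loses its only user when __dotted_to_addr() is removed; the xtables.c replacement __numeric_to_ipaddr() takes a `bool is_mask` instead, so IPT_DOTTED_ADDR and IPT_DOTTED_MASK are now dead definitions in iptables.c and should go in the same patch.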
@@ -550,31 +466,6 @@ check_inverse(const char option[], int *
return FALSE;
}
-static struct in_addr *
-host_to_addr(const char *name, unsigned int *naddr)
-{
- struct hostent *host;
- struct in_addr *addr;
- unsigned int i;
-
- *naddr = 0;
- if ((host = gethostbyname(name)) != NULL) {
- if (host->h_addrtype != AF_INET ||
- host->h_length != sizeof(struct in_addr))
- return (struct in_addr *) NULL;
-
- while (host->h_addr_list[*naddr] != (char *) NULL)
- (*naddr)++;
- addr = fw_calloc(*naddr, sizeof(struct in_addr) * *naddr);
- for (i = 0; i < *naddr; i++)
- inaddrcpy(&(addr[i]),
- (struct in_addr *) host->h_addr_list[i]);
- return addr;
- }
-
- return (struct in_addr *) NULL;
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
@@ -584,87 +475,6 @@ host_to_addr(const char *name, unsigned
* return global static data.
*/
-static struct in_addr *
-parse_hostnetwork(const char *name, unsigned int *naddrs)
-{
- struct in_addr *addrp, *addrptmp;
-
- if ((addrptmp = dotted_to_addr(name)) != NULL ||
- (addrptmp = network_to_addr(name)) != NULL) {
- addrp = fw_malloc(sizeof(struct in_addr));
- inaddrcpy(addrp, addrptmp);
- *naddrs = 1;
- return addrp;
- }
- if ((addrp = host_to_addr(name, naddrs)) != NULL)
- return addrp;
-
- exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
-}
-
-static struct in_addr *
-parse_mask(char *mask)
-{
- static struct in_addr maskaddr;
- struct in_addr *addrp;
- unsigned int bits;
-
- if (mask == NULL) {
- /* no mask at all defaults to 32 bits */
- maskaddr.s_addr = 0xFFFFFFFF;
- return &maskaddr;
- }
- if ((addrp = dotted_to_mask(mask)) != NULL)
- /* dotted_to_addr already returns a network byte order addr */
- return addrp;
- if (string_to_number(mask, 0, 32, &bits) == -1)
- exit_error(PARAMETER_PROBLEM,
- "invalid mask `%s' specified", mask);
- if (bits != 0) {
- maskaddr.s_addr = htonl(0xFFFFFFFF << (32 - bits));
- return &maskaddr;
- }
-
- maskaddr.s_addr = 0L;
- return &maskaddr;
-}
-
-void
-parse_hostnetworkmask(const char *name, struct in_addr **addrpp,
- struct in_addr *maskp, unsigned int *naddrs)
-{
- struct in_addr *addrp;
- char buf[256];
- char *p;
- int i, j, k, n;
-
- strncpy(buf, name, sizeof(buf) - 1);
- buf[sizeof(buf) - 1] = '\0';
- if ((p = strrchr(buf, '/')) != NULL) {
- *p = '\0';
- addrp = parse_mask(p + 1);
- } else
- addrp = parse_mask(NULL);
- inaddrcpy(maskp, addrp);
-
- /* if a null mask is given, the name is ignored, like in "any/0" */
- if (maskp->s_addr == 0L)
- strcpy(buf, "0.0.0.0");
-
- addrp = *addrpp = parse_hostnetwork(buf, naddrs);
- n = *naddrs;
- for (i = 0, j = 0; i < n; i++) {
- addrp[j++].s_addr &= maskp->s_addr;
- for (k = 0; k < j - 1; k++) {
- if (addrp[k].s_addr == addrp[j - 1].s_addr) {
- (*naddrs)--;
- j--;
- break;
- }
- }
- }
-}
-
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
static struct iptables_match *
find_proto(const char *pname, enum ipt_tryload tryload, int nolookup, struct iptables_rule_match **matches)
@@ -1857,12 +1667,12 @@ int do_command(int argc, char *argv[], c
}
if (shostnetworkmask)
- parse_hostnetworkmask(shostnetworkmask, &saddrs,
- &(fw.ip.smsk), &nsaddrs);
+ ipparse_hostnetworkmask(shostnetworkmask, &saddrs,
+ &fw.ip.smsk, &nsaddrs);
if (dhostnetworkmask)
- parse_hostnetworkmask(dhostnetworkmask, &daddrs,
- &(fw.ip.dmsk), &ndaddrs);
+ ipparse_hostnetworkmask(dhostnetworkmask, &daddrs,
+ &fw.ip.dmsk, &ndaddrs);
if ((nsaddrs > 1 || ndaddrs > 1) &&
(fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
Index: iptables-modules/xtables.c
===================================================================
--- iptables-modules.orig/xtables.c
+++ iptables-modules/xtables.c
@@ -770,6 +770,179 @@ const char *ipmask_to_numeric(const stru
return buf;
}
+static struct in_addr *__numeric_to_ipaddr(const char *dotted, bool is_mask)
+{
+ static struct in_addr addr;
+ unsigned char *addrp;
+ unsigned int onebyte;
+ char buf[20], *p, *q;
+ int i;
+
+ /* copy dotted string, because we need to modify it */
+ strncpy(buf, dotted, sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
+ addrp = (void *)&addr.s_addr;
+
+ p = buf;
+ for (i = 0; i < 3; ++i) {
+ if ((q = strchr(p, '.')) == NULL) {
+ if (is_mask)
+ return NULL;
+
+ /* autocomplete, this is a network address */
+ if (!strtonum(p, NULL, &onebyte, 0, 255))
+ return NULL;
+
+ addrp[i] = onebyte;
+ while (i < 3)
+ addrp[++i] = 0;
+
+ return &addr;
+ }
+
+ *q = '\0';
+ if (!strtonum(p, NULL, &onebyte, 0, 255))
+ return NULL;
+
+ addrp[i] = onebyte;
+ p = q + 1;
+ }
+
+ /* we have checked 3 bytes, now we check the last one */
+ if (!strtonum(p, NULL, &onebyte, 0, 255))
+ return NULL;
+
+ addrp[3] = onebyte;
+ return &addr;
+}
+
+struct in_addr *numeric_to_ipaddr(const char *dotted)
+{
+ return __numeric_to_ipaddr(dotted, false);
+}
+
+struct in_addr *numeric_to_ipmask(const char *dotted)
+{
+ return __numeric_to_ipaddr(dotted, true);
+}
+
+static struct in_addr *network_to_ipaddr(const char *name)
+{
+ static struct in_addr addr;
+ struct netent *net;
+
+ if ((net = getnetbyname(name)) != NULL) {
+ if (net->n_addrtype != AF_INET)
+ return NULL;
+ addr.s_addr = htonl(net->n_net);
+ return &addr;
+ }
+
+ return NULL;
+}
+
+static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr)
+{
+ struct hostent *host;
+ struct in_addr *addr;
+ unsigned int i;
+
+ *naddr = 0;
+ if ((host = gethostbyname(name)) != NULL) {
+ if (host->h_addrtype != AF_INET ||
+ host->h_length != sizeof(struct in_addr))
+ return NULL;
+
+ while (host->h_addr_list[*naddr] != NULL)
+ ++*naddr;
+ addr = fw_calloc(*naddr, sizeof(struct in_addr) * *naddr);
+ for (i = 0; i < *naddr; i++)
+ memcpy(&addr[i], host->h_addr_list[i],
+ sizeof(struct in_addr));
+ return addr;
+ }
+
+ return NULL;
+}
+
+static struct in_addr *
+ipparse_hostnetwork(const char *name, unsigned int *naddrs)
+{
+ struct in_addr *addrptmp, *addrp;
+
+ if ((addrptmp = numeric_to_ipaddr(name)) != NULL ||
+ (addrptmp = network_to_ipaddr(name)) != NULL) {
+ addrp = fw_malloc(sizeof(struct in_addr));
+ memcpy(addrp, addrptmp, sizeof(*addrp));
+ *naddrs = 1;
+ return addrp;
+ }
+ if ((addrptmp = host_to_ipaddr(name, naddrs)) != NULL)
+ return addrptmp;
+
+ exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
+}
+
+static struct in_addr *parse_ipmask(const char *mask)
+{
+ static struct in_addr maskaddr;
+ struct in_addr *addrp;
+ unsigned int bits;
+
+ if (mask == NULL) {
+ /* no mask at all defaults to 32 bits */
+ maskaddr.s_addr = 0xFFFFFFFF;
+ return &maskaddr;
+ }
+ if ((addrp = numeric_to_ipmask(mask)) != NULL)
+ /* dotted_to_addr already returns a network byte order addr */
+ return addrp;
+ if (string_to_number(mask, 0, 32, &bits) == -1)
+ exit_error(PARAMETER_PROBLEM,
+ "invalid mask `%s' specified", mask);
+ if (bits != 0) {
+ maskaddr.s_addr = htonl(0xFFFFFFFF << (32 - bits));
+ return &maskaddr;
+ }
+
+ maskaddr.s_addr = 0U;
+ return &maskaddr;
+}
+
+void ipparse_hostnetworkmask(const char *name, struct in_addr **addrpp,
+ struct in_addr *maskp, unsigned int *naddrs)
+{
+ unsigned int i, j, k, n;
+ struct in_addr *addrp;
+ char buf[256], *p;
+
+ strncpy(buf, name, sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
+ if ((p = strrchr(buf, '/')) != NULL) {
+ *p = '\0';
+ addrp = parse_ipmask(p + 1);
+ } else {
+ addrp = parse_ipmask(NULL);
+ }
+ memcpy(maskp, addrp, sizeof(*maskp));
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (maskp->s_addr == 0U)
+ strcpy(buf, "0.0.0.0");
+
+ addrp = *addrpp = ipparse_hostnetwork(buf, naddrs);
+ n = *naddrs;
+ for (i = 0, j = 0; i < n; ++i) {
+ addrp[j++].s_addr &= maskp->s_addr;
+ for (k = 0; k < j - 1; ++k)
+ if (addrp[k].s_addr == addrp[j-1].s_addr) {
+ --*naddrs;
+ --j;
+ break;
+ }
+ }
+}
+
const char *ip6addr_to_numeric(const struct in6_addr *addrp)
{
/* 0000:0000:0000:0000:0000:000.000.000.000
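Review bot: host_to_ipaddr() carries an allocation bug over from iptables.c: `addr = fw_calloc(*naddr, sizeof(struct in_addr) * *naddr);` requests naddr × (4 × naddr) bytes, i.e. naddr² entries, for a name that resolves to naddr addresses. It should be `fw_calloc(*naddr, sizeof(struct in_addr))`. Two smaller things in the same hunk, since the code is being moved and renamed anyway: the comment in parse_ipmask() still reads "dotted_to_addr already returns a network byte order addr" although the call on the line above it is now numeric_to_ipmask(), and ipparse_hostnetwork() ends in exit_error() with no return statement, which is only valid if exit_error() is declared noreturn in the header.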
@@ -850,3 +1023,148 @@ const char *ip6mask_to_numeric(const str
sprintf(buf, "/%d", l);
return buf;
}
+
+struct in6_addr *numeric_to_ip6addr(const char *num)
+{
+ static struct in6_addr ap;
+ int err;
+
+ if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
+ return ≈
+#ifdef DEBUG
+ fprintf(stderr, "\nnumeric2addr: %d\n", err);
+#endif
+ return NULL;
+}
+
+static struct in6_addr *
+host_to_ip6addr(const char *name, unsigned int *naddr)
+{
+ static struct in6_addr *addr;
+ struct addrinfo hints;
+ struct addrinfo *res;
+ int err;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_flags = AI_CANONNAME;
+ hints.ai_family = AF_INET6;
+ hints.ai_socktype = SOCK_RAW;
+ hints.ai_protocol = IPPROTO_IPV6;
+ hints.ai_next = NULL;
+
+ *naddr = 0;
+ if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) {
+#ifdef DEBUG
+ fprintf(stderr,"Name2IP: %s\n",gai_strerror(err));
+#endif
+ return NULL;
+ } else {
+ if (res->ai_family != AF_INET6 ||
+ res->ai_addrlen != sizeof(struct sockaddr_in6))
+ return NULL;
+
+#ifdef DEBUG
+ fprintf(stderr, "resolved: len=%d %s ", res->ai_addrlen,
+ ip6addr_to_numeric(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr));
+#endif
+ /* Get the first element of the address-chain */
+ addr = fw_malloc(sizeof(struct in6_addr));
+ memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
+ sizeof(struct in6_addr));
+ freeaddrinfo(res);
+ *naddr = 1;
+ return addr;
+ }
+
+ return NULL;
+}
+
+static struct in6_addr *network_to_ip6addr(const char *name)
+{
+ /* abort();*/
+ /* TODO: not implemented yet, but the exception breaks the
+ * name resolvation */
+ return NULL;
+}
+
+static struct in6_addr *
+ip6parse_hostnetwork(const char *name, unsigned int *naddrs)
+{
+ struct in6_addr *addrp, *addrptmp;
+
+ if ((addrptmp = numeric_to_ip6addr(name)) != NULL ||
+ (addrptmp = network_to_ip6addr(name)) != NULL) {
+ addrp = fw_malloc(sizeof(struct in6_addr));
+ memcpy(addrp, addrptmp, sizeof(*addrp));
+ *naddrs = 1;
+ return addrp;
+ }
+ if ((addrp = host_to_ip6addr(name, naddrs)) != NULL)
+ return addrp;
+
+ exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
+}
+
+static struct in6_addr *parse_ip6mask(char *mask)
+{
+ static struct in6_addr maskaddr;
+ struct in6_addr *addrp;
+ unsigned int bits;
+
+ if (mask == NULL) {
+ /* no mask at all defaults to 128 bits */
+ memset(&maskaddr, 0xff, sizeof maskaddr);
+ return &maskaddr;
+ }
+ if ((addrp = numeric_to_ip6addr(mask)) != NULL)
+ return addrp;
+ if (string_to_number(mask, 0, 128, &bits) == -1)
+ exit_error(PARAMETER_PROBLEM,
+ "invalid mask `%s' specified", mask);
+ if (bits != 0) {
+ char *p = (void *)&maskaddr;
+ memset(p, 0xff, bits / 8);
+ memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
+ p[bits/8] = 0xff << (8 - (bits & 7));
+ return &maskaddr;
+ }
+
+ memset(&maskaddr, 0, sizeof(maskaddr));
+ return &maskaddr;
+}
+
+void ip6parse_hostnetworkmask(const char *name, struct in6_addr **addrpp,
+ struct in6_addr *maskp, unsigned int *naddrs)
+{
+ struct in6_addr *addrp;
+ unsigned int i, j, k, n;
+ char buf[256], *p;
+
+ strncpy(buf, name, sizeof(buf) - 1);
+ buf[sizeof(buf)-1] = '\0';
+ if ((p = strrchr(buf, '/')) != NULL) {
+ *p = '\0';
+ addrp = parse_ip6mask(p + 1);
+ } else {
+ addrp = parse_ip6mask(NULL);
+ }
+ memcpy(maskp, addrp, sizeof(*maskp));
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (memcmp(maskp, &in6addr_any, sizeof(in6addr_any)) == 0)
+ strcpy(buf, "::");
+
+ addrp = *addrpp = ip6parse_hostnetwork(buf, naddrs);
+ n = *naddrs;
+ for (i = 0, j = 0; i < n; ++i) {
+ for (k = 0; k < 4; ++k)
+ addrp[j].in6_u.u6_addr32[k] &= maskp->in6_u.u6_addr32[k];
+ ++j;
+ for (k = 0; k < j - 1; ++k)
+ if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) {
+ --*naddrs;
+ --j;
+ break;
+ }
+ }
+}
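Review bot: parse_ip6mask() writes one byte past the 16-byte `maskaddr` whenever `bits` is a multiple of 8, and the bug is moved here unchanged from ip6tables.c. With bits = 128 the sequence is memset(p, 0xff, 16); memset(p + 17, 0, 0); p[16] = (char)(0xff << 8); with bits = 64 the second memset covers p[9..16], and with bits = 8 it covers p[2..16]. `bits` comes straight from the user's /N suffix, and because maskaddr is static the stray byte lands in whatever object the linker placed after it. The fill should be
memset(p, 0xff, bits / 8);
memset(p + bits / 8, 0, sizeof(maskaddr) - bits / 8);
if (bits & 7) p[bits / 8] = 0xff << (8 - (bits & 7));
Also in this hunk: host_to_ip6addr() returns NULL on the ai_family/ai_addrlen mismatch without calling freeaddrinfo(res), its `addr` pointer has no reason to be static now that the result is fw_malloc'd per call, and ip6parse_hostnetworkmask() pokes `in6_u.u6_addr32` directly, which is glibc's private layout rather than the s6_addr32 macro (or a byte loop over s6_addr).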
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [13/19] rename overlapping function names
2008-01-16 13:52 ` [13/19] rename overlapping function names Jan Engelhardt
@ 2008-01-20 13:37 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:37 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Rename overlapping function names.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libip6t_policy.c | 6
> extensions/libipt_DNAT.c | 6
> extensions/libipt_NETMAP.c | 6
> extensions/libipt_SAME.c | 6
> extensions/libipt_SNAT.c | 6
> extensions/libipt_iprange.c | 6
> extensions/libipt_policy.c | 4
> extensions/libxt_conntrack.c | 8 -
> include/iptables.h | 5
> include/xtables.h | 7
> ip6tables.c | 159 ---------------------
> iptables.c | 198 --------------------------
> xtables.c | 318 +++++++++++++++++++++++++++++++++++++++++++
> 13 files changed, 356 insertions(+), 379 deletions(-)
This patch could have used a better description; it also
moves some functions to xtables.c. Anyways, applied.
^ permalink raw reply [flat|nested] 45+ messages in thread
* [14/19] libxt_hashlimit checks
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (12 preceding siblings ...)
2008-01-16 13:52 ` [13/19] rename overlapping function names Jan Engelhardt
@ 2008-01-16 13:52 ` Jan Engelhardt
2008-01-20 13:38 ` Patrick McHardy
2008-01-16 13:53 ` [15/19] libxt_mark r1 Jan Engelhardt
` (4 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:52 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add checks for libxt_hashlimit so that options cannot be passed twice.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_hashlimit.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
Index: iptables-modules/extensions/libxt_hashlimit.c
===================================================================
--- iptables-modules.orig/extensions/libxt_hashlimit.c
+++ iptables-modules/extensions/libxt_hashlimit.c
@@ -157,6 +157,8 @@ hashlimit_parse(int c, char **argv, int
switch(c) {
case '%':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit",
+ *flags & PARAM_LIMIT);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (!parse_rate(optarg, &r->cfg.avg))
exit_error(PARAMETER_PROBLEM,
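Review bot: the new P_ONLY_ONCE check for --hashlimit tests `*flags & PARAM_LIMIT`, but the lines between this hunk and the next, where the parsed rate is stored and the flag would be set, are not in the diff. The other cases visibly end in `*flags |= PARAM_BURST;`, `*flags |= PARAM_SIZE;` and so on; confirm the '%' case sets PARAM_LIMIT the same way, otherwise this check can never fire.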
@@ -165,6 +167,8 @@ hashlimit_parse(int c, char **argv, int
break;
case '$':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-burst",
+ *flags & PARAM_BURST);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (string_to_number(optarg, 0, 10000, &num) == -1)
exit_error(PARAMETER_PROBLEM,
@@ -173,6 +177,8 @@ hashlimit_parse(int c, char **argv, int
*flags |= PARAM_BURST;
break;
case '&':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size",
+ *flags & PARAM_SIZE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
exit_error(PARAMETER_PROBLEM,
@@ -181,6 +187,8 @@ hashlimit_parse(int c, char **argv, int
*flags |= PARAM_SIZE;
break;
case '*':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max",
+ *flags & PARAM_MAX);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
exit_error(PARAMETER_PROBLEM,
@@ -189,6 +197,9 @@ hashlimit_parse(int c, char **argv, int
*flags |= PARAM_MAX;
break;
case '(':
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-gcinterval",
+ *flags & PARAM_GCINTERVAL);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
exit_error(PARAMETER_PROBLEM,
@@ -199,6 +210,8 @@ hashlimit_parse(int c, char **argv, int
*flags |= PARAM_GCINTERVAL;
break;
case ')':
+ param_act(P_ONLY_ONCE, "hashlimit",
+ "--hashlimit-htable-expire", *flags & PARAM_EXPIRE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
exit_error(PARAMETER_PROBLEM,
@@ -208,6 +221,8 @@ hashlimit_parse(int c, char **argv, int
*flags |= PARAM_EXPIRE;
break;
case '_':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-mode",
+ *flags & PARAM_MODE);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (parse_mode(r, optarg) < 0)
exit_error(PARAMETER_PROBLEM,
@@ -215,6 +230,8 @@ hashlimit_parse(int c, char **argv, int
*flags |= PARAM_MODE;
break;
case '"':
+ param_act(P_ONLY_ONCE, "hashlimit", "--hashlimit-name",
+ *flags & PARAM_NAME);
if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
if (strlen(optarg) == 0)
exit_error(PARAMETER_PROBLEM, "Zero-length name?");
^ permalink raw reply [flat|nested] 45+ messages in thread
* [15/19] libxt_mark r1
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (13 preceding siblings ...)
2008-01-16 13:52 ` [14/19] libxt_hashlimit checks Jan Engelhardt
@ 2008-01-16 13:53 ` Jan Engelhardt
2008-01-20 13:40 ` Patrick McHardy
2008-01-16 13:53 ` [16/19] libxt_iprange r0 Jan Engelhardt
` (3 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:53 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Introduce libxt_mark match revision 1 support.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_mark.c | 140 ++++++++++++++++++++++++++++++--------
include/linux/netfilter/xt_mark.h | 7 +
2 files changed, 118 insertions(+), 29 deletions(-)
Index: iptables-modules/extensions/libxt_mark.c
===================================================================
--- iptables-modules.orig/extensions/libxt_mark.c
+++ iptables-modules/extensions/libxt_mark.c
@@ -1,4 +1,5 @@
/* Shared library add-on to iptables to add NFMARK matching support. */
+#include <stdbool.h>
#include <stdio.h>
#include <netdb.h>
#include <string.h>
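Review bot: the relative `#include "../include/linux/netfilter/xt_mark.h"` and its "For 64bit kernel / 32bit userspace" comment were there to force the shipped header over the system one. `#include <linux/netfilter/xt_mark.h>` only resolves to the same file if the build puts include/ ahead of the system include directories; this patch also changes include/linux/netfilter/xt_mark.h (+7 per the diffstat), presumably to add the struct xt_mark_mtinfo1 that mark_mt_parse() uses, so a build that picks up an older kernel header instead will not compile the revision 1 code. Either say in the commit message that the include order is now guaranteed by the automake conversion, or keep the relative include until it is.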
@@ -6,24 +7,53 @@
#include <getopt.h>
#include <xtables.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter/xt_mark.h"
+#include <linux/netfilter/xt_mark.h>
-/* Function which prints out usage message. */
-static void mark_help(void)
+enum {
+ F_MARK = 1 << 0,
+};
+
+static void mark_mt_help(void)
{
printf(
-"MARK match v%s options:\n"
-"[!] --mark value[/mask] Match nfmark value with optional mask\n"
-"\n",
-IPTABLES_VERSION);
+"mark match options:\n"
+"[!] --mark value[/mask] Match nfmark value with optional mask\n"
+"\n");
}
-static const struct option mark_opts[] = {
- { "mark", 1, NULL, '1' },
- { }
+static const struct option mark_mt_opts[] = {
+ {.name = "mark", .has_arg = true, .val = '1'},
+ {},
};
+static int mark_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_mark_mtinfo1 *info = (void *)(*match)->data;
+ unsigned int mark, mask = ~0U;
+ char *end;
+
+ switch (c) {
+ case '1': /* --mark */
+ param_act(P_ONLY_ONCE, "mark", "--mark", *flags & F_MARK);
+ if (!strtonum(optarg, &end, &mark, 0, ~0U))
+ param_act(P_BAD_VALUE, "mark", "--mark", optarg);
+ if (*end == '/')
+ if (!strtonum(end + 1, &end, &mask, 0, ~0U))
+ param_act(P_BAD_VALUE, "mark", "--mark", optarg);
+ if (*end != '\0')
+ param_act(P_BAD_VALUE, "mark", "--mark", optarg);
+
+ if (invert)
+ info->invert = true;
+ info->mark = mark;
+ info->mask = mask;
+ *flags |= F_MARK;
+ return true;
+ }
+ return false;
+}
+
/* Function which parses command options; returns true if it
ate an option */
static int
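Review bot: in mark_mt_parse() the mask is parsed by an unbraced `if` nested inside another unbraced `if`:
if (*end == '/')
if (!strtonum(end + 1, &end, &mask, 0, ~0U))
param_act(P_BAD_VALUE, "mark", "--mark", optarg);
It is correct as written but invites a dangling-else mistake on the next edit; fold it into `if (*end == '/' && !strtonum(end + 1, &end, &mask, 0, ~0U))`. The trailing `if (*end != '\0')` check is the right thing to have: it rejects trailing junk such as "1/2/3".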
@@ -54,21 +84,30 @@ mark_parse(int c, char **argv, int inver
return 1;
}
-static void
-print_mark(unsigned long mark, unsigned long mask, int numeric)
+static void print_mark(unsigned int mark, unsigned int mask)
{
- if(mask != 0xffffffff)
- printf("0x%lx/0x%lx ", mark, mask);
+ if (mask != 0xffffffffU)
+ printf("0x%x/0x%x ", mark, mask);
else
- printf("0x%lx ", mark);
+ printf("0x%x ", mark);
}
-/* Final check; must have specified --mark. */
-static void mark_check(unsigned int flags)
+static void mark_mt_check(unsigned int flags)
{
- if (!flags)
+ if (flags == 0)
exit_error(PARAMETER_PROBLEM,
- "MARK match: You must specify `--mark'");
+ "mark match: The --mark option is required");
+}
+
+static void
+mark_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_mark_mtinfo1 *info = (const void *)match->data;
+
+ printf("mark match ");
+ if (info->invert)
+ printf("!");
+ print_mark(info->mark, info->mask);
}
/* Prints out the matchinfo. */
@@ -82,7 +121,18 @@ mark_print(const void *ip, const struct
if (info->invert)
printf("!");
- print_mark(info->mark, info->mask, numeric);
+ print_mark(info->mark, info->mask);
+}
+
+static void mark_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_mark_mtinfo1 *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("!");
+
+ printf("--mark ");
+ print_mark(info->mark, info->mask);
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
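Review bot: mark_mt_save writes `!--mark` with no separating space (`printf("!");` immediately followed by `printf("--mark ");`), which iptables-restore will not read back as an inverted option; the r0 mark_save just below prints `printf("! ");`. Use `"! "` in the new function so a saved revision-1 rule round-trips through save/restore.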
@@ -95,39 +145,73 @@ mark_save(const void *ip, const struct x
printf("! ");
printf("--mark ");
- print_mark(info->mark, info->mask, 0);
+ print_mark(info->mark, info->mask);
}
static struct xtables_match mark_match = {
.family = AF_INET,
.name = "mark",
+ .revision = 0,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
- .help = mark_help,
+ .help = mark_mt_help,
.parse = mark_parse,
- .final_check = mark_check,
+ .final_check = mark_mt_check,
.print = mark_print,
.save = mark_save,
- .extra_opts = mark_opts,
+ .extra_opts = mark_mt_opts,
};
static struct xtables_match mark_match6 = {
.family = AF_INET6,
.name = "mark",
+ .revision = 0,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_mark_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
- .help = mark_help,
+ .help = mark_mt_help,
.parse = mark_parse,
- .final_check = mark_check,
+ .final_check = mark_mt_check,
.print = mark_print,
.save = mark_save,
- .extra_opts = mark_opts,
+ .extra_opts = mark_mt_opts,
+};
+
+static struct xtables_match mark_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
+ .help = mark_mt_help,
+ .parse = mark_mt_parse,
+ .final_check = mark_mt_check,
+ .print = mark_mt_print,
+ .save = mark_mt_save,
+ .extra_opts = mark_mt_opts,
+};
+
+static struct xtables_match mark_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "mark",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
+ .help = mark_mt_help,
+ .parse = mark_mt_parse,
+ .final_check = mark_mt_check,
+ .print = mark_mt_print,
+ .save = mark_mt_save,
+ .extra_opts = mark_mt_opts,
};
void _init(void)
{
xtables_register_match(&mark_match);
xtables_register_match(&mark_match6);
+ xtables_register_match(&mark_mt_reg);
+ xtables_register_match(&mark_mt6_reg);
}
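Review bot: mark_mt_reg is registered with `.family = AF_INET6`, the same as mark_mt6_reg, so no IPv4 revision-1 mark match is registered at all and `xtables_register_match()` is handed two identical AF_INET6/revision-1 entries. mark_mt_reg should be `.family = AF_INET`, mirroring the r0 pair (mark_match is AF_INET, mark_match6 is AF_INET6).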
Index: iptables-modules/include/linux/netfilter/xt_mark.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_mark.h
+++ iptables-modules/include/linux/netfilter/xt_mark.h
@@ -2,7 +2,12 @@
#define _XT_MARK_H
struct xt_mark_info {
- unsigned long mark, mask;
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+struct xt_mark_mtinfo1 {
+ u_int32_t mark, mask;
u_int8_t invert;
};
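Review bot: the commit message says only "Introduce libxt_mark match revision 1 support" and does not explain why a second structure is needed; it is worth stating in the log that xt_mark_mtinfo1 uses fixed-width `u_int32_t mark, mask` where xt_mark_info uses `unsigned long`, whose size differs between 32-bit and 64-bit builds. Also, the `- unsigned long mark, mask;` / `+ unsigned long mark, mask;` pair is a whitespace-only change that adds noise to the diff.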
* Re: [15/19] libxt_mark r1
2008-01-16 13:53 ` [15/19] libxt_mark r1 Jan Engelhardt
@ 2008-01-20 13:40 ` Patrick McHardy
0 siblings, 0 replies; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:40 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Introduce libxt_mark match revision 1 support.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libxt_mark.c | 140 ++++++++++++++++++++++++++++++--------
> include/linux/netfilter/xt_mark.h | 7 +
> 2 files changed, 118 insertions(+), 29 deletions(-)
>
Applied, thanks.
> +static void mark_mt_help(void)
> {
> printf(
> -"MARK match v%s options:\n"
> -"[!] --mark value[/mask] Match nfmark value with optional mask\n"
> -"\n",
> -IPTABLES_VERSION);
> +"mark match options:\n"
> +"[!] --mark value[/mask] Match nfmark value with optional mask\n"
> +"\n");
Not that the version number is particularly useful (only extensions
with matching version numbers are loaded anyways), but this is
kind of the opposite direction of your message unification efforts.
Are you planning to remove them from the other extensions as well?
* [16/19] libxt_iprange r0
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (14 preceding siblings ...)
2008-01-16 13:53 ` [15/19] libxt_mark r1 Jan Engelhardt
@ 2008-01-16 13:53 ` Jan Engelhardt
2008-01-20 13:42 ` Patrick McHardy
2008-01-16 13:54 ` [17/19] libxt_iprange r1 Jan Engelhardt
` (2 subsequent siblings)
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:53 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Move libipt_iprange to libxt_iprange.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libipt_iprange.c | 175 -----------------------------
extensions/libipt_iprange.man | 7 -
extensions/libxt_iprange.c | 170 ++++++++++++++++++++++++++++
extensions/libxt_iprange.man | 7 +
include/linux/netfilter/xt_iprange.h | 17 ++
include/linux/netfilter_ipv4/ipt_iprange.h | 8 -
7 files changed, 198 insertions(+), 188 deletions(-)
Index: iptables-modules/extensions/libipt_iprange.c
===================================================================
--- iptables-modules.orig/extensions/libipt_iprange.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/* Shared library add-on to iptables to add IP range matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_iprange.h>
-
-/* Function which prints out usage message. */
-static void iprange_help(void)
-{
- printf(
-"iprange match v%s options:\n"
-"[!] --src-range ip-ip Match source IP in the specified range\n"
-"[!] --dst-range ip-ip Match destination IP in the specified range\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static const struct option iprange_opts[] = {
- { "src-range", 1, NULL, '1' },
- { "dst-range", 1, NULL, '2' },
- { }
-};
-
-static void
-parse_iprange(char *arg, struct ipt_iprange *range)
-{
- char *dash;
- const struct in_addr *ip;
-
- dash = strchr(arg, '-');
- if (dash)
- *dash = '\0';
-
- ip = numeric_to_ipaddr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
-
- if (dash) {
- ip = numeric_to_ipaddr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
- dash+1);
- range->max_ip = ip->s_addr;
- } else
- range->max_ip = range->min_ip;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int iprange_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPRANGE_SRC)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: Only use --src-range ONCE!");
- *flags |= IPRANGE_SRC;
-
- info->flags |= IPRANGE_SRC;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert) {
- info->flags |= IPRANGE_SRC_INV;
- }
- parse_iprange(optarg, &info->src);
-
- break;
-
- case '2':
- if (*flags & IPRANGE_DST)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: Only use --dst-range ONCE!");
- *flags |= IPRANGE_DST;
-
- info->flags |= IPRANGE_DST;
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags |= IPRANGE_DST_INV;
-
- parse_iprange(optarg, &info->dst);
-
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must have specified --src-range or --dst-range. */
-static void iprange_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "iprange match: You must specify `--src-range' or `--dst-range'");
-}
-
-static void
-print_iprange(const struct ipt_iprange *range)
-{
- const unsigned char *byte_min, *byte_max;
-
- byte_min = (const unsigned char *) &(range->min_ip);
- byte_max = (const unsigned char *) &(range->max_ip);
- printf("%d.%d.%d.%d-%d.%d.%d.%d ",
- byte_min[0], byte_min[1], byte_min[2], byte_min[3],
- byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
-}
-
-/* Prints out the info. */
-static void iprange_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
-
- if (info->flags & IPRANGE_SRC) {
- printf("source IP range ");
- if (info->flags & IPRANGE_SRC_INV)
- printf("! ");
- print_iprange(&info->src);
- }
- if (info->flags & IPRANGE_DST) {
- printf("destination IP range ");
- if (info->flags & IPRANGE_DST_INV)
- printf("! ");
- print_iprange(&info->dst);
- }
-}
-
-/* Saves the union ipt_info in parsable form to stdout. */
-static void iprange_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
-
- if (info->flags & IPRANGE_SRC) {
- if (info->flags & IPRANGE_SRC_INV)
- printf("! ");
- printf("--src-range ");
- print_iprange(&info->src);
- if (info->flags & IPRANGE_DST)
- fputc(' ', stdout);
- }
- if (info->flags & IPRANGE_DST) {
- if (info->flags & IPRANGE_DST_INV)
- printf("! ");
- printf("--dst-range ");
- print_iprange(&info->dst);
- }
-}
-
-static struct iptables_match iprange_match = {
- .name = "iprange",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_iprange_info)),
- .help = iprange_help,
- .parse = iprange_parse,
- .final_check = iprange_check,
- .print = iprange_print,
- .save = iprange_save,
- .extra_opts = iprange_opts,
-};
-
-void _init(void)
-{
- register_match(&iprange_match);
-}
Index: iptables-modules/extensions/libipt_iprange.man
===================================================================
--- iptables-modules.orig/extensions/libipt_iprange.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This matches on a given arbitrary range of IPv4 addresses
-.TP
-.BI "[!]" "--src-range " "ip-ip"
-Match source IP in the specified range.
-.TP
-.BI "[!]" "--dst-range " "ip-ip"
-Match destination IP in the specified range.
Index: iptables-modules/extensions/libxt_iprange.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_iprange.c
@@ -0,0 +1,170 @@
+/* Shared library add-on to iptables to add IP range matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_iprange.h>
+
+static void iprange_mt_help(void)
+{
+ printf(
+"iprange match options:\n"
+"[!] --src-range ip-ip Match source IP in the specified range\n"
+"[!] --dst-range ip-ip Match destination IP in the specified range\n"
+"\n");
+}
+
+static const struct option iprange_mt_opts[] = {
+ {.name = "src-range", .has_arg = true, .val = '1'},
+ {.name = "dst-range", .has_arg = true, .val = '2'},
+ {},
+};
+
+static void
+parse_iprange(char *arg, struct ipt_iprange *range)
+{
+ char *dash;
+ const struct in_addr *ip;
+
+ dash = strchr(arg, '-');
+ if (dash != NULL)
+ *dash = '\0';
+
+ ip = numeric_to_ipaddr(arg);
+ if (ip != NULL)
+ exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
+ arg);
+ range->min_ip = ip->s_addr;
+
+ if (dash != NULL) {
+ ip = numeric_to_ipaddr(dash+1);
+ if (ip != NULL)
+ exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
+ dash+1);
+ range->max_ip = ip->s_addr;
+ } else {
+ range->max_ip = range->min_ip;
+ }
+}
+
+static int iprange_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IPRANGE_SRC)
+ exit_error(PARAMETER_PROBLEM,
+ "iprange match: Only use --src-range ONCE!");
+ *flags |= IPRANGE_SRC;
+
+ info->flags |= IPRANGE_SRC;
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->flags |= IPRANGE_SRC_INV;
+ parse_iprange(optarg, &info->src);
+
+ break;
+
+ case '2':
+ if (*flags & IPRANGE_DST)
+ exit_error(PARAMETER_PROBLEM,
+ "iprange match: Only use --dst-range ONCE!");
+ *flags |= IPRANGE_DST;
+
+ info->flags |= IPRANGE_DST;
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ info->flags |= IPRANGE_DST_INV;
+
+ parse_iprange(optarg, &info->dst);
+
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void iprange_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "iprange match: You must specify `--src-range' or `--dst-range'");
+}
+
+static void
+print_iprange(const struct ipt_iprange *range)
+{
+ const unsigned char *byte_min, *byte_max;
+
+ byte_min = (const unsigned char *)&range->min_ip;
+ byte_max = (const unsigned char *)&range->max_ip;
+ printf("%u.%u.%u.%u-%u.%u.%u.%u ",
+ byte_min[0], byte_min[1], byte_min[2], byte_min[3],
+ byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
+}
+
+static void iprange_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_iprange_info *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ print_iprange(&info->src);
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ print_iprange(&info->dst);
+ }
+}
+
+static void iprange_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_iprange_info *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range ");
+ print_iprange(&info->src);
+ if (info->flags & IPRANGE_DST)
+ fputc(' ', stdout);
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range ");
+ print_iprange(&info->dst);
+ }
+}
+
+static struct xtables_match iprange_match = {
+ .version = IPTABLES_VERSION,
+ .name = "iprange",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct ipt_iprange_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)),
+ .help = iprange_mt_help,
+ .parse = iprange_parse,
+ .final_check = iprange_mt_check,
+ .print = iprange_print,
+ .save = iprange_save,
+ .extra_opts = iprange_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&iprange_match);
+}
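Review bot: the NULL checks in parse_iprange are inverted. Both call sites read `if (ip != NULL) exit_error(...)`, so every valid address aborts with "Bad IP address" and an unparsable one falls through to dereference `ip->s_addr` on a NULL pointer. The deleted libipt_iprange.c had `if (!ip)`; restore that as `if (ip == NULL)` at both places.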
Index: iptables-modules/extensions/libxt_iprange.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_iprange.man
@@ -0,0 +1,7 @@
+This matches on a given arbitrary range of IP addresses.
+.TP
+[\fB!\fR] \fB--src-range\fR \fIfrom\fR-\fIto\fR
+Match source IP in the specified range.
+.TP
+[\fB!\fR] \fB--dst-range\fR \fIfrom\fR-\fIto\fR
+Match destination IP in the specified range.
Index: iptables-modules/include/linux/netfilter/xt_iprange.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_iprange.h
@@ -0,0 +1,17 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+enum {
+ IPRANGE_SRC = 1 << 0, /* match source IP address */
+ IPRANGE_DST = 1 << 1, /* match destination IP address */
+ IPRANGE_SRC_INV = 1 << 4, /* negate the condition */
+ IPRANGE_DST_INV = 1 << 5, /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+ union nf_inet_addr src_min, src_max;
+ union nf_inet_addr dst_min, dst_max;
+ u_int8_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
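Review bot: the new header is not self-contained: it uses `union nf_inet_addr` and `u_int8_t` without including `<linux/netfilter.h>` or `<linux/types.h>`, so every user has to know to include those first (the follow-up patch in this series does exactly that by adding `#include <linux/netfilter.h>` to libxt_iprange.c). Add the includes to xt_iprange.h itself.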
Index: iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_iprange.h
+++ iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
@@ -1,14 +1,12 @@
#ifndef _IPT_IPRANGE_H
#define _IPT_IPRANGE_H
-#define IPRANGE_SRC 0x01 /* Match source IP address */
-#define IPRANGE_DST 0x02 /* Match destination IP address */
-#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
-#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+#include <linux/types.h>
+#include <linux/netfilter/xt_iprange.h>
struct ipt_iprange {
/* Inclusive: network order. */
- u_int32_t min_ip, max_ip;
+ __be32 min_ip, max_ip;
};
struct ipt_iprange_info
* Re: [16/19] libxt_iprange r0
2008-01-16 13:53 ` [16/19] libxt_iprange r0 Jan Engelhardt
@ 2008-01-20 13:42 ` Patrick McHardy
2008-01-20 17:13 ` Jan Engelhardt
0 siblings, 1 reply; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 13:42 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> Move libipt_iprange to libxt_iprange.
>
> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
>
> ---
> extensions/libipt_iprange.c | 175 -----------------------------
> extensions/libipt_iprange.man | 7 -
> extensions/libxt_iprange.c | 170 ++++++++++++++++++++++++++++
> extensions/libxt_iprange.man | 7 +
> include/linux/netfilter/xt_iprange.h | 17 ++
> include/linux/netfilter_ipv4/ipt_iprange.h | 8 -
> 7 files changed, 198 insertions(+), 188 deletions(-)
Applied.
> Index: iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
> ===================================================================
> --- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_iprange.h
> +++ iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
> @@ -1,14 +1,12 @@
> #ifndef _IPT_IPRANGE_H
> #define _IPT_IPRANGE_H
>
> -#define IPRANGE_SRC 0x01 /* Match source IP address */
> -#define IPRANGE_DST 0x02 /* Match destination IP address */
> -#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
> -#define IPRANGE_DST_INV 0x20 /* Negate the condition */
> +#include <linux/types.h>
> +#include <linux/netfilter/xt_iprange.h>
>
> struct ipt_iprange {
> /* Inclusive: network order. */
> - u_int32_t min_ip, max_ip;
> + __be32 min_ip, max_ip;
> };
>
> struct ipt_iprange_info
>
Do we really want to keep this file?
* Re: [16/19] libxt_iprange r0
2008-01-20 13:42 ` Patrick McHardy
@ 2008-01-20 17:13 ` Jan Engelhardt
2008-01-20 17:19 ` Patrick McHardy
0 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-20 17:13 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 20 2008 14:42, Patrick McHardy wrote:
>> Index: iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
>> ===================================================================
>> --- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_iprange.h
>> +++ iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
>
> Do we really want to keep this file?
>
If you value compatibility, then yes.
(Did I understand that correctly?)
* Re: [16/19] libxt_iprange r0
2008-01-20 17:13 ` Jan Engelhardt
@ 2008-01-20 17:19 ` Patrick McHardy
2008-01-20 18:05 ` Jan Engelhardt
0 siblings, 1 reply; 45+ messages in thread
From: Patrick McHardy @ 2008-01-20 17:19 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 20 2008 14:42, Patrick McHardy wrote:
>>> Index: iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
>>> ===================================================================
>>> --- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_iprange.h
>>> +++ iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
>> Do we really want to keep this file?
>>
> If you value compatibility, then yes.
>
> (Did I understand that correctly?)
I thought the xt_iprange file included the old options, if that's
not the case then ignore my question.
* Re: [16/19] libxt_iprange r0
2008-01-20 17:19 ` Patrick McHardy
@ 2008-01-20 18:05 ` Jan Engelhardt
0 siblings, 0 replies; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-20 18:05 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 20 2008 18:19, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Jan 20 2008 14:42, Patrick McHardy wrote:
>> > > Index: iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
>> > > ===================================================================
>> > > --- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_iprange.h
>> > > +++ iptables-modules/include/linux/netfilter_ipv4/ipt_iprange.h
>> > Do we really want to keep this file?
>> >
>> If you value compatibility, then yes.
>>
>> (Did I understand that correctly?)
>
> I thought the xt_iprange file included the old options, if that's
> not the case then ignore my question.
>
>
Options?
xt_iprange r0 is the same as ipt_iprange, including binary layout
of the struct and that. So we need to keep ipt_iprange.h. Or rather,
keep struct ipt_iprange.
I would not want to move struct ipt_iprange to xt_iprange.h because
that means more maintenance overhead.
* [17/19] libxt_iprange r1
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (15 preceding siblings ...)
2008-01-16 13:53 ` [16/19] libxt_iprange r0 Jan Engelhardt
@ 2008-01-16 13:54 ` Jan Engelhardt
2008-01-20 13:42 ` Patrick McHardy
2008-01-16 13:54 ` [18/19] libxt_TCPOPTSTRIP Jan Engelhardt
2008-01-16 17:57 ` [19/19] xt_conntrack r1 Jan Engelhardt
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:54 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add support for xt_iprange revision 1
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_iprange.c | 223 ++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 222 insertions(+), 1 deletion(-)
Index: iptables-modules/extensions/libxt_iprange.c
===================================================================
--- iptables-modules.orig/extensions/libxt_iprange.c
+++ iptables-modules/extensions/libxt_iprange.c
@@ -5,9 +5,16 @@
#include <stdlib.h>
#include <getopt.h>
-#include <iptables.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_iprange.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
+enum {
+ F_SRCIP = 1 << 0,
+ F_DSTIP = 1 << 1,
+};
+
static void iprange_mt_help(void)
{
printf(
@@ -91,6 +98,100 @@ static int iprange_parse(int c, char **a
return 1;
}
+static int
+iprange_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_iprange_mtinfo *info = (void *)(*match)->data;
+ const struct in_addr *ia;
+ char *end;
+
+ switch (c) {
+ case '1': /* --src-ip */
+ end = strchr(optarg, '-');
+ if (end == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--src-ip", optarg);
+ *end = '\0';
+ ia = numeric_to_ipaddr(optarg);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--src-ip", optarg);
+ memcpy(&info->src_min.in, ia, sizeof(*ia));
+ ia = numeric_to_ipaddr(end+1);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--src-ip", end + 1);
+ memcpy(&info->src_max.in, ia, sizeof(*ia));
+ *flags |= F_SRCIP;
+ return true;
+
+ case '2': /* --dst-ip */
+ end = strchr(optarg, '-');
+ if (end == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--dst-ip", optarg);
+ *end = '\0';
+ ia = numeric_to_ipaddr(optarg);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--dst-ip", optarg);
+ memcpy(&info->dst_min.in, ia, sizeof(*ia));
+ ia = numeric_to_ipaddr(end + 1);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--dst-ip", end + 1);
+ memcpy(&info->dst_max.in, ia, sizeof(*ia));
+ *flags |= F_DSTIP;
+ return true;
+ }
+ return false;
+}
+
+static int
+iprange_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_iprange_mtinfo *info = (void *)(*match)->data;
+ const struct in6_addr *ia;
+ char *end;
+
+ switch (c) {
+ case '1': /* --src-ip */
+ end = strchr(optarg, '-');
+ if (end == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--src-ip", optarg);
+ *end = '\0';
+ ia = numeric_to_ip6addr(optarg);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--src-ip", optarg);
+ memcpy(&info->src_min.in, ia, sizeof(*ia));
+ ia = numeric_to_ip6addr(end+1);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--src-ip", end + 1);
+ memcpy(&info->src_max.in, ia, sizeof(*ia));
+ info->flags |= IPRANGE_SRC;
+ if (invert)
+ info->flags |= IPRANGE_SRC_INV;
+ *flags |= F_SRCIP;
+ return true;
+
+ case '2': /* --dst-ip */
+ end = strchr(optarg, '-');
+ if (end == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--dst-ip", optarg);
+ *end = '\0';
+ ia = numeric_to_ip6addr(optarg);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--dst-ip", optarg);
+ memcpy(&info->dst_min.in, ia, sizeof(*ia));
+ ia = numeric_to_ip6addr(end + 1);
+ if (ia == NULL)
+ param_act(P_BAD_VALUE, "iprange", "--dst-ip", end + 1);
+ memcpy(&info->dst_max.in, ia, sizeof(*ia));
+ info->flags |= IPRANGE_DST;
+ if (invert)
+ info->flags |= IPRANGE_DST_INV;
+ *flags |= F_DSTIP;
+ return true;
+ }
+ return false;
+}
+
static void iprange_mt_check(unsigned int flags)
{
if (flags == 0)
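Review bot: iprange_mt4_parse never sets `info->flags`. iprange_mt6_parse does `info->flags |= IPRANGE_SRC;` plus `if (invert) info->flags |= IPRANGE_SRC_INV;` (and the DST equivalents), but the IPv4 cases only set `*flags`, so the kernel receives a revision-1 match with no flags and iprange_mt4_print/iprange_mt4_save print nothing; a `!` inversion is silently dropped as well. Add the same two lines to each IPv4 case. Separately, the param_act() messages name `--src-ip`/`--dst-ip`, but the options in iprange_mt_opts are `--src-range`/`--dst-range`; the error text should match what the user typed.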
@@ -129,6 +230,58 @@ static void iprange_print(const void *ip
}
}
+static void
+iprange_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ /*
+ * ipaddr_to_numeric() uses a static buffer, so cannot
+ * combine the printf() calls.
+ */
+ printf("%s", ipaddr_to_numeric(&info->src_min.in));
+ printf("-%s ", ipaddr_to_numeric(&info->src_max.in));
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("%s", ipaddr_to_numeric(&info->dst_min.in));
+ printf("-%s ", ipaddr_to_numeric(&info->dst_max.in));
+ }
+}
+
+static void
+iprange_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ printf("source IP range ");
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ /*
+ * ipaddr_to_numeric() uses a static buffer, so cannot
+ * combine the printf() calls.
+ */
+ printf("%s", ip6addr_to_numeric(&info->src_min.in6));
+ printf("-%s ", ip6addr_to_numeric(&info->src_max.in6));
+ }
+ if (info->flags & IPRANGE_DST) {
+ printf("destination IP range ");
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("%s", ip6addr_to_numeric(&info->dst_min.in6));
+ printf("-%s ", ip6addr_to_numeric(&info->dst_max.in6));
+ }
+}
+
static void iprange_save(const void *ip, const struct xt_entry_match *match)
{
const struct ipt_iprange_info *info = (const void *)match->data;
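Review bot: the comment in iprange_mt6_print says `ipaddr_to_numeric()` uses a static buffer, but the function called there is ip6addr_to_numeric(); fix the comment to name the right function (the calls are kept split here as well, so the same caveat presumably applies). Keeping the two printf() calls separate is the correct way to avoid the second call overwriting the buffer before the first result is printed.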
@@ -149,6 +302,42 @@ static void iprange_save(const void *ip,
}
}
+static void iprange_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range %s", ipaddr_to_numeric(&info->src_min.in));
+ printf("-%s ", ipaddr_to_numeric(&info->src_max.in));
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range %s", ipaddr_to_numeric(&info->dst_min.in));
+ printf("-%s ", ipaddr_to_numeric(&info->dst_max.in));
+ }
+}
+
+static void iprange_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_iprange_mtinfo *info = (const void *)match->data;
+
+ if (info->flags & IPRANGE_SRC) {
+ if (info->flags & IPRANGE_SRC_INV)
+ printf("! ");
+ printf("--src-range %s", ip6addr_to_numeric(&info->src_min.in6));
+ printf("-%s ", ip6addr_to_numeric(&info->src_max.in6));
+ }
+ if (info->flags & IPRANGE_DST) {
+ if (info->flags & IPRANGE_DST_INV)
+ printf("! ");
+ printf("--dst-range %s", ip6addr_to_numeric(&info->dst_min.in6));
+ printf("-%s ", ip6addr_to_numeric(&info->dst_max.in6));
+ }
+}
+
static struct xtables_match iprange_match = {
.version = IPTABLES_VERSION,
.name = "iprange",
@@ -164,7 +353,39 @@ static struct xtables_match iprange_matc
.extra_opts = iprange_mt_opts,
};
+static struct xtables_match iprange_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .help = iprange_mt_help,
+ .parse = iprange_mt4_parse,
+ .final_check = iprange_mt_check,
+ .print = iprange_mt4_print,
+ .save = iprange_mt4_save,
+ .extra_opts = iprange_mt_opts,
+};
+
+static struct xtables_match iprange_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "iprange",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
+ .help = iprange_mt_help,
+ .parse = iprange_mt6_parse,
+ .final_check = iprange_mt_check,
+ .print = iprange_mt6_print,
+ .save = iprange_mt6_save,
+ .extra_opts = iprange_mt_opts,
+};
+
void _init(void)
{
xtables_register_match(&iprange_match);
+ xtables_register_match(&iprange_mt_reg);
+ xtables_register_match(&iprange_mt6_reg);
}
* [18/19] libxt_TCPOPTSTRIP
2008-01-16 13:46 [0/19] slew of iptables patches Jan Engelhardt
` (16 preceding siblings ...)
2008-01-16 13:54 ` [17/19] libxt_iprange r1 Jan Engelhardt
@ 2008-01-16 13:54 ` Jan Engelhardt
2008-01-17 23:13 ` Sven Schnelle
2008-01-16 17:57 ` [19/19] xt_conntrack r1 Jan Engelhardt
18 siblings, 1 reply; 45+ messages in thread
From: Jan Engelhardt @ 2008-01-16 13:54 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List, svens
Import libxt_TCPOPTSTRIP into iptables.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Sven Schnelle <svens@bitebene.org>
---
extensions/libxt_TCPOPTSTRIP.c | 212 +++++++++++++++++++++++++++++++
extensions/libxt_TCPOPTSTRIP.man | 7 +
include/linux/netfilter/xt_TCPOPTSTRIP.h | 13 +
4 files changed, 233 insertions(+)
Index: iptables-modules/extensions/libxt_TCPOPTSTRIP.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_TCPOPTSTRIP.c
@@ -0,0 +1,212 @@
+/*
+ * Shared library add-on to iptables to add TCPOPTSTRIP target support.
+ * Copyright (c) 2007 Sven Schnelle <svens@bitebene.org>
+ * Copyright © CC Computer Consultants GmbH, 2007
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TCPOPTSTRIP.h>
+#ifndef TCPOPT_MD5SIG
+# define TCPOPT_MD5SIG 19
+#endif
+
+enum {
+ FLAG_STRIP = 1 << 0,
+};
+
+struct tcp_optionmap {
+ const char *name, *desc;
+ const int option;
+};
+
+static const struct option tcpoptstrip_tg_opts[] = {
+ {.name = "strip-options", .has_arg = true, .val = 's'},
+ {},
+};
+
+static const struct tcp_optionmap tcp_optionmap[] = {
+ {"wscale", "Window scale", TCPOPT_WINDOW},
+ {"mss", "Maximum Segment Size", TCPOPT_MAXSEG},
+ {"sack-permitted", "SACK permitted", TCPOPT_SACK_PERMITTED},
+ {"sack", "Selective ACK", TCPOPT_SACK},
+ {"timestamp", "Timestamp", TCPOPT_TIMESTAMP},
+ {"md5", "MD5 signature", TCPOPT_MD5SIG},
+ {NULL},
+};
+
+static void tcpoptstrip_tg_help(void)
+{
+ const struct tcp_optionmap *w;
+
+ printf(
+"TCPOPTSTRIP target options:\n"
+" --strip-options value strip specified TCP options denoted by value\n"
+" (separated by comma) from TCP header\n"
+" Instead of the numeric value, you can also use the following names:\n"
+ );
+
+ for (w = tcp_optionmap; w->name != NULL; ++w)
+ printf(" %-14s strip \"%s\" option\n", w->name, w->desc);
+}
+
+static void tcpoptstrip_tg_init(struct xt_entry_target *t)
+{
+ struct xt_tcpoptstrip_target_info *info = (void *)t->data;
+
+ /* strictly necessary? play safe for now. */
+ memset(info->strip_bmap, 0, sizeof(info->strip_bmap));
+}
+
+static void parse_list(struct xt_tcpoptstrip_target_info *info, char *arg)
+{
+ unsigned int option;
+ char *p;
+ int i;
+
+ while (true) {
+ p = strchr(arg, ',');
+ if (p != NULL)
+ *p = '\0';
+
+ option = 0;
+ for (i = 0; tcp_optionmap[i].name != NULL; ++i)
+ if (strcmp(tcp_optionmap[i].name, arg) == 0) {
+ option = tcp_optionmap[i].option;
+ break;
+ }
+
+ if (option == 0 && string_to_number(arg, 0, 255, &option) == -1)
+ exit_error(PARAMETER_PROBLEM,
+ "Bad TCP option value \"%s\"", arg);
+
+ if (option < 2)
+ exit_error(PARAMETER_PROBLEM,
+ "Option value may not be 0 or 1");
+
+ if (tcpoptstrip_test_bit(info->strip_bmap, option))
+ exit_error(PARAMETER_PROBLEM,
+ "Option \"%s\" already specified", arg);
+
+ tcpoptstrip_set_bit(info->strip_bmap, option);
+ if (p == NULL)
+ break;
+ arg = p + 1;
+ }
+}
+
+static int tcpoptstrip_tg_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_target **target)
+{
+ struct xt_tcpoptstrip_target_info *info = (void *)(*target)->data;
+
+ switch (c) {
+ case 's':
+ if (*flags & FLAG_STRIP)
+ exit_error(PARAMETER_PROBLEM,
+ "You can specify --strip-options only once");
+ parse_list(info, optarg);
+ *flags |= FLAG_STRIP;
+ return true;
+ }
+
+ return false;
+}
+
+static void tcpoptstrip_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "TCPOPTSTRIP: --strip-options parameter required");
+}
+
+static void
+tcpoptstrip_print_list(const struct xt_tcpoptstrip_target_info *info,
+ bool numeric)
+{
+ unsigned int i, j;
+ const char *name;
+ bool first = true;
+
+ for (i = 0; i < 256; ++i) {
+ if (!tcpoptstrip_test_bit(info->strip_bmap, i))
+ continue;
+ if (!first)
+ printf(",");
+
+ first = false;
+ name = NULL;
+ if (!numeric)
+ for (j = 0; tcp_optionmap[j].name != NULL; ++j)
+ if (tcp_optionmap[j].option == i)
+ name = tcp_optionmap[j].name;
+
+ if (name != NULL)
+ printf("%s", name);
+ else
+ printf("%u", i);
+ }
+}
+
+static void
+tcpoptstrip_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tcpoptstrip_target_info *info =
+ (const void *)target->data;
+
+ printf("TCPOPTSTRIP options ");
+ tcpoptstrip_print_list(info, numeric);
+}
+
+static void
+tcpoptstrip_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tcpoptstrip_target_info *info =
+ (const void *)target->data;
+
+ printf("--strip-options ");
+ tcpoptstrip_print_list(info, true);
+}
+
+static struct xtables_target tcpoptstrip_tg_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "TCPOPTSTRIP",
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .help = tcpoptstrip_tg_help,
+ .init = tcpoptstrip_tg_init,
+ .parse = tcpoptstrip_tg_parse,
+ .final_check = tcpoptstrip_tg_check,
+ .print = tcpoptstrip_tg_print,
+ .save = tcpoptstrip_tg_save,
+ .extra_opts = tcpoptstrip_tg_opts,
+};
+
+static struct xtables_target tcpoptstrip_tg6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "TCPOPTSTRIP",
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
+ .help = tcpoptstrip_tg_help,
+ .init = tcpoptstrip_tg_init,
+ .parse = tcpoptstrip_tg_parse,
+ .final_check = tcpoptstrip_tg_check,
+ .print = tcpoptstrip_tg_print,
+ .save = tcpoptstrip_tg_save,
+ .extra_opts = tcpoptstrip_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tcpoptstrip_tg_reg);
+ xtables_register_target(&tcpoptstrip_tg6_reg);
+}
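Review bot: tcpoptstrip_print_list emits the option list with no trailing space, so the print and save output ("TCPOPTSTRIP options " / "--strip-options " followed by the list) runs straight into whatever iptables prints next; the other extensions in this series end each item with a space, so `printf("%s ", name)` / `printf("%u ", i)` would be consistent with them. Also, the comment in tcpoptstrip_tg_init ("strictly necessary? play safe for now.") should be resolved before merge: either drop the memset because the target data is already zero-filled, or keep it and say so. A smaller point: parse_list writes NUL bytes into optarg while scanning, which is fine for argv but means the "already specified" and "Bad TCP option value" messages only ever show the current token, not the whole list the user typed.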
Index: iptables-modules/extensions/libxt_TCPOPTSTRIP.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_TCPOPTSTRIP.man
@@ -0,0 +1,7 @@
+This target will strip TCP options off a TCP packet. (It will actually replace
+them by NO-OPs.) As such, you will need to add the \fB-p tcp\fR parameters.
+.TP
+\fB--strip-options\fR \fIoption\fR[\fB,\fR\fI...\fR]
+Strip the given option(s). The options may be specified by TCP option number or
+by symbolic name. The list of recognized options can be obtained by calling
+iptables with \fB-j TCPOPTSTRIP -h\fR.
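Review bot: the first paragraph says the options are "actually replace[d] by NO-OPs"; it would help the reader to add that the TCP checksum is recomputed by the kernel side, or to say nothing about the mechanism if that is not guaranteed, since a user choosing between this target and a userspace solution will want to know. The sentence "you will need to add the \fB-p tcp\fR parameters" should also say what happens otherwise (the rule is rejected), because nothing in the userspace final_check enforces it.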
Index: iptables-modules/include/linux/netfilter/xt_TCPOPTSTRIP.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -0,0 +1,13 @@
+#ifndef _XT_TCPOPTSTRIP_H
+#define _XT_TCPOPTSTRIP_H
+
+#define tcpoptstrip_set_bit(bmap, idx) \
+ (bmap[(idx) >> 5] |= 1U << (idx & 31))
+#define tcpoptstrip_test_bit(bmap, idx) \
+ (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
+
+struct xt_tcpoptstrip_target_info {
+ u_int32_t strip_bmap[8];
+};
+
+#endif /* _XT_TCPOPTSTRIP_H */
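Review bot: in both macros `idx` is parenthesized in `(idx) >> 5` but not in `idx & 31`, so an expression argument such as `tcpoptstrip_set_bit(bmap, a + b)` expands to `a + b & 31`, which binds as `a + (b & 31)`; write `((idx) & 31)` in both. Since this header lives under include/linux/netfilter/ and mirrors the kernel ABI, `strip_bmap` should use the kernel's `__u32` rather than `u_int32_t`, which also removes the dependency on <sys/types.h> being pulled in first.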
* [19/19] xt_conntrack r1
From: Jan Engelhardt @ 2008-01-16 17:57 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Add support for xt_conntrack match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/libxt_conntrack.c | 547 ++++++++++++++++++++++++++++++++++++++++-
extensions/libxt_conntrack.man | 4
2 files changed, 538 insertions(+), 13 deletions(-)
Index: iptables-modules/extensions/libxt_conntrack.c
===================================================================
--- iptables-modules.orig/extensions/libxt_conntrack.c
+++ iptables-modules/extensions/libxt_conntrack.c
@@ -1,10 +1,17 @@
-/* Shared library add-on to iptables for conntrack matching support.
- * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
+/*
+ * libxt_conntrack
+ * Shared library add-on to iptables for conntrack matching support.
+ *
+ * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*/
-
+#include <sys/socket.h>
+#include <sys/types.h>
#include <ctype.h>
#include <getopt.h>
#include <netdb.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -13,6 +20,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/xt_conntrack.h>
#include <linux/netfilter/nf_conntrack_common.h>
+#include <arpa/inet.h>
/* Function which prints out usage message. */
static void conntrack_mt_help(void)
@@ -27,14 +35,20 @@ static void conntrack_mt_help(void)
"[!] --ctreplsrc address[/mask]\n"
"[!] --ctrepldst address[/mask]\n"
" Original/Reply source/destination address\n"
+"[!] --ctorigsrcport port\n"
+"[!] --ctorigdstport port\n"
+"[!] --ctreplsrcport port\n"
+"[!] --ctrepldstport port\n"
+" TCP/UDP/SCTP orig./reply source/destination port\n"
"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
" Status(es) to match\n"
"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
" value or range of values (inclusive)\n"
+" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n"
"\n");
}
-static const struct option conntrack_mt_opts[] = {
+static const struct option conntrack_mt_opts_v0[] = {
{.name = "ctstate", .has_arg = true, .val = '1'},
{.name = "ctproto", .has_arg = true, .val = '2'},
{.name = "ctorigsrc", .has_arg = true, .val = '3'},
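Review bot: conntrack_mt_help is the single help routine for all three registrations, so a user of a kernel that only has revision 0 still sees --ctorigsrcport, --ctrepldstport and --ctdir advertised, while conntrack_mt_opts_v0 (the table renamed in this hunk) does not accept them. Either split the help text per revision or mark the new lines as "(revision 1)" so the help matches what the rule will actually parse.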
@@ -46,6 +60,23 @@ static const struct option conntrack_mt_
{},
};
+static const struct option conntrack_mt_opts[] = {
+ {.name = "ctstate", .has_arg = true, .val = '1'},
+ {.name = "ctproto", .has_arg = true, .val = '2'},
+ {.name = "ctorigsrc", .has_arg = true, .val = '3'},
+ {.name = "ctorigdst", .has_arg = true, .val = '4'},
+ {.name = "ctreplsrc", .has_arg = true, .val = '5'},
+ {.name = "ctrepldst", .has_arg = true, .val = '6'},
+ {.name = "ctstatus", .has_arg = true, .val = '7'},
+ {.name = "ctexpire", .has_arg = true, .val = '8'},
+ {.name = "ctorigsrcport", .has_arg = true, .val = 'a'},
+ {.name = "ctorigdstport", .has_arg = true, .val = 'b'},
+ {.name = "ctreplsrcport", .has_arg = true, .val = 'c'},
+ {.name = "ctrepldstport", .has_arg = true, .val = 'd'},
+ {.name = "ctdir", .has_arg = true, .val = 'e'},
+ {},
+};
+
static int
parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo)
{
@@ -83,6 +114,45 @@ parse_states(const char *arg, struct xt_
exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
}
+static bool
+conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state,
+ size_t z)
+{
+ if (strncasecmp(state, "INVALID", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_INVALID;
+ else if (strncasecmp(state, "NEW", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
+ else if (strncasecmp(state, "ESTABLISHED", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
+ else if (strncasecmp(state, "RELATED", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED;
+ else if (strncasecmp(state, "SNAT", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_SNAT;
+ else if (strncasecmp(state, "DNAT", z) == 0)
+ info->state_mask |= XT_CONNTRACK_STATE_DNAT;
+ else
+ return false;
+ return true;
+}
+
+static void
+conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !conntrack_ps_state(info, arg, comma - arg))
+ exit_error(PARAMETER_PROBLEM,
+ "Bad ctstate \"%s\"", arg);
+ arg = comma + 1;
+ }
+
+ if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg)))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
+}
+
static int
parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo)
{
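Review bot: conntrack_ps_state compares only the first `z` bytes, where `z` is the length of the user's token, so any prefix is accepted: `--ctstate N` matches NEW, `S` matches SNAT and `E` matches ESTABLISHED, and a typo like `RELATE` passes silently. This mirrors the old parse_state, but since this is new code it would be better to require a full match, e.g. `z == strlen("INVALID") && strncasecmp(state, "INVALID", z) == 0`, or to keep a table of {name, flag} pairs and loop over it rather than repeating the if/else chain.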
@@ -96,7 +166,7 @@ parse_status(const char *status, size_t
sinfo->statusmask |= IPS_ASSURED;
#ifdef IPS_CONFIRMED
else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
- sinfo->stausmask |= IPS_CONFIRMED;
+ sinfo->statusmask |= IPS_CONFIRMED;
#endif
else
return 0;
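Review bot: the `stausmask` typo fix in parse_status is a real bug fix for revision 0 (it cannot have compiled with IPS_CONFIRMED defined) and is unrelated to adding revision 1; it belongs in its own patch so it can be applied to stable on its own.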
@@ -118,6 +188,41 @@ parse_statuses(const char *arg, struct x
exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
}
+static bool
+conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status,
+ size_t z)
+{
+ if (strncasecmp(status, "NONE", z) == 0)
+ info->status_mask |= 0;
+ else if (strncasecmp(status, "EXPECTED", z) == 0)
+ info->status_mask |= IPS_EXPECTED;
+ else if (strncasecmp(status, "SEEN_REPLY", z) == 0)
+ info->status_mask |= IPS_SEEN_REPLY;
+ else if (strncasecmp(status, "ASSURED", z) == 0)
+ info->status_mask |= IPS_ASSURED;
+ else if (strncasecmp(status, "CONFIRMED", z) == 0)
+ info->status_mask |= IPS_CONFIRMED;
+ else
+ return false;
+ return true;
+}
+
+static void
+conntrack_ps_statuses(struct xt_conntrack_mtinfo1 *info, const char *arg)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !conntrack_ps_status(info, arg, comma - arg))
+ exit_error(PARAMETER_PROBLEM,
+ "Bad ctstatus \"%s\"", arg);
+ arg = comma + 1;
+ }
+
+ if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg)))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
+}
+
static unsigned long
parse_expire(const char *s)
{
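Review bot: same prefix-matching problem as in conntrack_ps_state: `z` is the token length, so `--ctstatus S` matches SEEN_REPLY and `N` matches NONE; compare the full name length as well. The `info->status_mask |= 0;` branch for NONE is a no-op that only exists to make the name accepted, which is fine, but a comment saying "NONE sets no bits; the kernel matches status_mask == 0" would save the next reader a trip to the kernel source.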
@@ -138,7 +243,8 @@ parse_expires(const char *s, struct xt_c
buffer = strdup(s);
if ((cp = strchr(buffer, ':')) == NULL)
- sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
+ sinfo->expires_min = sinfo->expires_max =
+ parse_expire(buffer);
else {
*cp = '\0';
cp++;
@@ -154,6 +260,30 @@ parse_expires(const char *s, struct xt_c
"range value `%lu'", sinfo->expires_min, sinfo->expires_max);
}
+static void
+conntrack_ps_expires(struct xt_conntrack_mtinfo1 *info, const char *s)
+{
+ unsigned int min, max;
+ char *end;
+
+ if (!strtonum(s, &end, &min, 0, ~0))
+ param_act(P_BAD_VALUE, "conntrack", "--expires", s);
+ max = min;
+ if (*end == ':')
+ if (!strtonum(s, &end, &max, 0, ~0U))
+ param_act(P_BAD_VALUE, "conntrack", "--expires", s);
+ if (*end != '\0')
+ param_act(P_BAD_VALUE, "conntrack", "--expires", s);
+
+ if (min > max)
+ exit_error(PARAMETER_PROBLEM,
+ "expire min. range value \"%u\" greater than max. "
+ "range value \"%u\"", min, max);
+
+ info->expires_min = min;
+ info->expires_max = max;
+}
+
/* Function which parses command options; returns true if it
ate an option */
static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
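Review bot: conntrack_ps_expires cannot parse a range. After the first strtonum leaves `end` at ':', the second call re-parses `s` from the beginning instead of `end + 1`, so for "10:20" it yields max = 10 with `end` still at ':' and the following `*end != '\0'` check rejects the input; it should read `strtonum(end + 1, &end, &max, 0, ~0U)`. Two smaller points in the same function: the param_act messages name the option "--expires" while the user typed "--ctexpire", and the first call passes `~0` where the second passes `~0U`.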
@@ -305,10 +435,257 @@ static int conntrack_parse(int c, char *
return 1;
}
+static int
+conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ unsigned int port;
+ char *p;
+
+ switch (c) {
+ case '1': /* --ctstate */
+ conntrack_ps_states(info, optarg);
+ info->match_flags |= XT_CONNTRACK_STATE;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_STATE;
+ break;
+
+ case '2': /* --ctproto */
+ /* Canonicalize into lower case */
+ for (p = optarg; *p != '\0'; ++p)
+ *p = tolower(*p);
+ info->l4proto = parse_protocol(optarg);
+
+ if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
+ exit_error(PARAMETER_PROBLEM, "conntrack: rule would "
+ "never match protocol");
+
+ info->match_flags |= XT_CONNTRACK_PROTO;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_PROTO;
+ break;
+
+ case '7': /* --ctstatus */
+ conntrack_ps_statuses(info, optarg);
+ info->match_flags |= XT_CONNTRACK_STATUS;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_STATUS;
+ break;
+
+ case '8': /* --ctexpire */
+ conntrack_ps_expires(info, optarg);
+ info->match_flags |= XT_CONNTRACK_EXPIRES;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_EXPIRES;
+ break;
+
+ case 'a': /* --ctorigsrcport */
+ if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
+ param_act(P_BAD_VALUE, "conntrack",
+ "--ctorigsrcport", optarg);
+ info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
+ info->origsrc_port = port;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
+ break;
+
+ case 'b': /* --ctorigdstport */
+ if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
+ param_act(P_BAD_VALUE, "conntrack",
+ "--ctorigdstport", optarg);
+ info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
+ info->origdst_port = port;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
+ break;
+
+ case 'c': /* --ctreplsrcport */
+ if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
+ param_act(P_BAD_VALUE, "conntrack",
+ "--ctreplsrcport", optarg);
+ info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
+ info->replsrc_port = port;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
+ break;
+
+ case 'd': /* --ctrepldstport */
+ if (!strtonum(optarg, NULL, &port, 0, ~(u_int16_t)0))
+ param_act(P_BAD_VALUE, "conntrack",
+ "--ctrepldstport", optarg);
+ info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
+ info->repldst_port = port;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
+ break;
+
+ case 'e': /* --ctdir */
+ param_act(P_NO_INVERT, "conntrack", "--ctdir", invert);
+ if (strcasecmp(optarg, "ORIGINAL") == 0) {
+ info->match_flags |= XT_CONNTRACK_DIRECTION;
+ info->invert_flags &= ~XT_CONNTRACK_DIRECTION;
+ } else if (strcasecmp(optarg, "REPLY") == 0) {
+ info->match_flags |= XT_CONNTRACK_DIRECTION;
+ info->invert_flags |= XT_CONNTRACK_DIRECTION;
+ } else {
+ param_act(P_BAD_VALUE, "conntrack", "--ctdir", optarg);
+ }
+ break;
+
+ default:
+ return false;
+ }
+
+ *flags = info->match_flags;
+ return true;
+}
+
+static int
+conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ struct in_addr *addr = NULL;
+ unsigned int naddrs = 0;
+
+ switch (c) {
+ case '3': /* --ctorigsrc */
+ ipparse_hostnetworkmask(optarg, &addr, &info->origsrc_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origsrc_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4': /* --ctorigdst */
+ ipparse_hostnetworkmask(optarg, &addr, &info->origdst_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5': /* --ctreplsrc */
+ ipparse_hostnetworkmask(optarg, &addr, &info->replsrc_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6': /* --ctrepldst */
+ ipparse_hostnetworkmask(optarg, &addr, &info->repldst_mask.in,
+ &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+
+ default:
+ return conntrack_mt_parse(c, argv, invert, flags, match);
+ }
+
+ *flags = info->match_flags;
+ return true;
+}
+
+static int
+conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ struct in6_addr *addr = NULL;
+ unsigned int naddrs = 0;
+
+ switch (c) {
+ case '3': /* --ctorigsrc */
+ ip6parse_hostnetworkmask(optarg, &addr,
+ &info->origsrc_mask.in6, &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origsrc_addr.in6, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4': /* --ctorigdst */
+ ip6parse_hostnetworkmask(optarg, &addr,
+ &info->origdst_mask.in6, &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->origdst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_ORIGDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5': /* --ctreplsrc */
+ ip6parse_hostnetworkmask(optarg, &addr,
+ &info->replsrc_mask.in6, &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->replsrc_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLSRC;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6': /* --ctrepldst */
+ ip6parse_hostnetworkmask(optarg, &addr,
+ &info->repldst_mask.in6, &naddrs);
+ if (naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+ if (naddrs == 1)
+ memcpy(&info->repldst_addr.in, addr, sizeof(*addr));
+ info->match_flags |= XT_CONNTRACK_REPLDST;
+ if (invert)
+ info->invert_flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+
+ default:
+ return conntrack_mt_parse(c, argv, invert, flags, match);
+ }
+
+ *flags = info->match_flags;
+ return true;
+}
+
static void conntrack_mt_check(unsigned int flags)
{
if (flags == 0)
- exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
+ exit_error(PARAMETER_PROBLEM, "conntrack: At least one option "
+ "is required");
}
static void
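Review bot: in conntrack_mt6_parse, cases '4', '5' and '6' memcpy the in6_addr into `&info->origdst_addr.in`, `&info->replsrc_addr.in` and `&info->repldst_addr.in` (the IPv4 member) while case '3' correctly uses `.in6`; it only works because the members overlay each other in the union, so please use `.in6` in all four for clarity. In conntrack_mt_parse case '2', the test `info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)` is inherited from the v0 code but runs before `invert` is applied to invert_flags, so it never fires for `! --ctproto`; either test `invert` directly or drop the check. Finally, there is a stray double blank line before `default:` in both conntrack_mt4_parse and conntrack_mt6_parse.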
@@ -364,20 +741,37 @@ print_status(unsigned int statusmask)
printf("%sASSURED", sep);
sep = ",";
}
-#ifdef IPS_CONFIRMED
if (statusmask & IPS_CONFIRMED) {
printf("%sCONFIRMED", sep);
- sep =",";
- }
-#endif
- if (statusmask == 0) {
- printf("%sNONE", sep);
sep = ",";
}
+ if (statusmask == 0)
+ printf("%sNONE", sep);
printf(" ");
}
static void
+conntrack_dump_addr(const union nf_inet_addr *addr,
+ const union nf_inet_addr *mask,
+ unsigned int family, bool numeric)
+{
+ if (family == AF_INET) {
+ if (!numeric && addr->ip == 0) {
+ printf("anywhere ");
+ return;
+ }
+ printf("%s ", ipaddr_to_anyname(&addr->in));
+ } else if (family == AF_INET6) {
+ if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
+ addr->ip6[2] == 0 && addr->ip6[3] == 0) {
+ printf("anywhere ");
+ return;
+ }
+ printf("%s ", ip6addr_to_anyname(&addr->in6));
+ }
+}
+
+static void
print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
{
char buf[BUFSIZ];
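Review bot: conntrack_dump_addr takes `mask` but never prints it, so `--ctorigsrc 10.0.0.0/8` is saved as `--ctorigsrc 10.0.0.0`, and an iptables-save/restore round trip turns a network match into a single-host match. Print the prefix the same way the existing print_addr does for revision 0. Dropping the `#ifdef IPS_CONFIRMED` around the print is fine because nf_conntrack_common.h is included, but then the matching `#ifdef` in parse_status (a few hunks up) should go too for consistency.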
@@ -484,6 +878,75 @@ matchinfo_print(const void *ip, const st
}
}
+static void
+conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
+ unsigned int family, bool numeric)
+{
+ if (info->match_flags & XT_CONNTRACK_STATE) {
+ if (info->invert_flags & XT_CONNTRACK_STATE)
+ printf("! ");
+ printf("%sctstate ", prefix);
+ print_state(info->state_mask);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_PROTO) {
+ if (info->invert_flags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctproto %u ", prefix, info->l4proto);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
+ if (info->invert_flags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctorigsrc ", prefix);
+ conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST) {
+ if (info->invert_flags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctorigdst ", prefix);
+ conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC) {
+ if (info->invert_flags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctreplsrc ", prefix);
+ conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST) {
+ if (info->invert_flags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctrepldst ", prefix);
+ conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
+ family, numeric);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_STATUS) {
+ if (info->invert_flags & XT_CONNTRACK_STATUS)
+ printf("! ");
+ printf("%sctstatus ", prefix);
+ print_status(info->status_mask);
+ }
+
+ if (info->match_flags & XT_CONNTRACK_EXPIRES) {
+ if (info->invert_flags & XT_CONNTRACK_EXPIRES)
+ printf("! ");
+ printf("%sctexpire ", prefix);
+
+ if (info->expires_max == info->expires_min)
+ printf("%u ", (unsigned int)info->expires_min);
+ else
+ printf("%u:%u ", (unsigned int)info->expires_min,
+ (unsigned int)info->expires_max);
+ }
+}
+
/* Prints out the matchinfo. */
static void conntrack_print(const void *ip, const struct xt_entry_match *match,
int numeric)
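Review bot: the four address blocks in conntrack_dump test `info->invert_flags & XT_CONNTRACK_PROTO` instead of their own flag (XT_CONNTRACK_ORIGSRC, ORIGDST, REPLSRC, REPLDST), so `! --ctorigsrc` is saved without the `!` and `! --ctproto` puts a spurious `!` in front of every address. The function also never emits the four port matches or --ctdir, so those options are silently lost on iptables-save; each needs a block here mirroring the parse side.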
@@ -491,12 +954,38 @@ static void conntrack_print(const void *
matchinfo_print(ip, match, numeric, "");
}
+static void
+conntrack_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ conntrack_dump((const void *)match->data, "", AF_INET, numeric);
+}
+
+static void
+conntrack_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ conntrack_dump((const void *)match->data, "", AF_INET6, numeric);
+}
+
/* Saves the matchinfo in parsable form to stdout. */
static void conntrack_save(const void *ip, const struct xt_entry_match *match)
{
matchinfo_print(ip, match, 1, "--");
}
+static void conntrack_mt_save(const void *ip,
+ const struct xt_entry_match *match)
+{
+ conntrack_dump((const void *)match->data, "--", AF_INET, true);
+}
+
+static void conntrack_mt6_save(const void *ip,
+ const struct xt_entry_match *match)
+{
+ conntrack_dump((const void *)match->data, "--", AF_INET6, true);
+}
+
static struct xtables_match conntrack_match = {
.version = IPTABLES_VERSION,
.name = "conntrack",
@@ -509,10 +998,42 @@ static struct xtables_match conntrack_ma
.final_check = conntrack_mt_check,
.print = conntrack_print,
.save = conntrack_save,
+ .extra_opts = conntrack_mt_opts_v0,
+};
+
+static struct xtables_match conntrack_mt_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .help = conntrack_mt_help,
+ .parse = conntrack_mt4_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_mt_print,
+ .save = conntrack_mt_save,
+ .extra_opts = conntrack_mt_opts,
+};
+
+static struct xtables_match conntrack_mt6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
+ .help = conntrack_mt_help,
+ .parse = conntrack_mt6_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_mt6_print,
+ .save = conntrack_mt6_save,
.extra_opts = conntrack_mt_opts,
};
void _init(void)
{
xtables_register_match(&conntrack_match);
+ xtables_register_match(&conntrack_mt_reg);
+ xtables_register_match(&conntrack_mt6_reg);
}
Index: iptables-modules/extensions/libxt_conntrack.man
===================================================================
--- iptables-modules.orig/extensions/libxt_conntrack.man
+++ iptables-modules/extensions/libxt_conntrack.man
@@ -27,6 +27,10 @@ Possible statuses are listed below.
[\fB!\fR] \fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR]
Match remaining lifetime in seconds against given value or range of values
(inclusive)
+.TP
+\fB--ctdir\fR {\fBORIGINAL\fR|\fBREPLY\fR}
+Match packets that are flowing in the specified direction. If this flag is not
+specified at all, matches packets in both directions.
.PP
States for \fB--ctstate\fR:
.TP
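Review bot: the man page gains --ctdir but not the four new port options (--ctorigsrcport, --ctorigdstport, --ctreplsrcport, --ctrepldstport) that the help text in this patch advertises; add a .TP entry for each, noting that they accept `!` and that they only make sense together with --ctproto for TCP, UDP or SCTP, as the help text says.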