* iptables: pull request June-05
From: Jan Engelhardt @ 2009-06-05 19:25 UTC
To: kaber; +Cc: netfilter-devel

Hi,

in another working copy I found these accumulated pieces:

Jan Engelhardt (2):
      DNAT/SNAT: add manpage documentation for --persistent flag
      extensions: remove redundant casts

Michael Granzow (1):
      iptables: accept multiple IP address specifications for -s, -d

They have now been uploaded, so please pull once again from
    git://dev.medozas.de/iptables master

 configure.ac                 |    4 +-
 extensions/libipt_DNAT.man   |    7 +-
 extensions/libipt_SAME.man   |    2 +
 extensions/libipt_SNAT.man   |    7 +-
 extensions/libipt_realm.c    |    4 +-
 extensions/libxt_multiport.c |   12 ++--
 include/xtables.h.in         |    5 +
 ip6tables.c                  |   49 ++++++++-----
 iptables.8.in                |    7 +-
 iptables.c                   |   42 +++++++---
 xtables.c                    |  175 ++++++++++++++++++++++++++++++++++++++++++
 11 files changed, 268 insertions(+), 46 deletions(-)

^ permalink raw reply [flat|nested] 17+ messages in thread* [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d 2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt @ 2009-06-05 19:25 ` Jan Engelhardt 2009-06-06 6:53 ` Pablo Neira Ayuso 2009-06-05 19:25 ` [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag Jan Engelhardt ` (2 subsequent siblings) 3 siblings, 1 reply; 17+ messages in thread From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw) To: kaber; +Cc: netfilter-devel From: Michael Granzow <mgranzow@zeus.com> libiptc already supports adding and deleting multiple rules with different addresses, so it only needs to be wired up to the options. # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2 Adjustments made: syntax, removal of unneeded variables, manpage adjustment, soversion bump. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> --- configure.ac | 4 +- include/xtables.h.in | 5 ++ ip6tables.c | 49 +++++++++----- iptables.8.in | 7 ++- iptables.c | 42 +++++++++---- xtables.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 248 insertions(+), 34 deletions(-) diff --git a/configure.ac b/configure.ac index f5b5571..c3a8c6c 100644 --- a/configure.ac +++ b/configure.ac @@ -2,8 +2,8 @@ AC_INIT([iptables], [1.4.3.2]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=2 -libxtables_vage=0 +libxtables_vcurrent=3 +libxtables_vage=1 AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/include/xtables.h.in b/include/xtables.h.in index 4d4ca0a..037fae1 100644 --- a/include/xtables.h.in +++ b/include/xtables.h.in 
@@ -215,6 +215,7 @@ extern void xtables_init(void); extern void xtables_set_nfproto(uint8_t); extern void *xtables_calloc(size_t, size_t); extern void *xtables_malloc(size_t); +extern void *xtables_realloc(void *, size_t); extern int xtables_insmod(const char *, const char *, bool); extern int xtables_load_ko(const char *, bool); @@ -260,6 +261,8 @@ extern struct in_addr *xtables_numeric_to_ipaddr(const char *); extern struct in_addr *xtables_numeric_to_ipmask(const char *); extern void xtables_ipparse_any(const char *, struct in_addr **, struct in_addr *, unsigned int *); +extern void xtables_ipparse_multiple(const char *, struct in_addr **, + struct in_addr **, unsigned int *); extern struct in6_addr *xtables_numeric_to_ip6addr(const char *); extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *); @@ -267,6 +270,8 @@ extern const char *xtables_ip6addr_to_anyname(const struct in6_addr *); extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *); extern void xtables_ip6parse_any(const char *, struct in6_addr **, struct in6_addr *, unsigned int *); +extern void xtables_ip6parse_multiple(const char *, struct in6_addr **, + struct in6_addr **, unsigned int *); /** * Print the specified value to standard output, quoting dangerous diff --git a/ip6tables.c b/ip6tables.c index 35067f8..31c4b45 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -281,9 +281,9 @@ exit_printhelp(struct xtables_rule_match *matches) "Options:\n" "[!] --proto -p proto protocol: by number or name, eg. `tcp'\n" -"[!] --source -s address[/mask]\n" +"[!] --source -s address[/mask][,...]\n" " source specification\n" -"[!] --destination -d address[/mask]\n" +"[!] --destination -d address[/mask][,...]\n" " destination specification\n" "[!] --in-interface -i input name[+]\n" " network interface name ([+] for wildcard)\n" 
@@ -740,8 +740,10 @@ append_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle) { @@ -750,8 +752,10 @@ append_entry(const ip6t_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_append_entry(chain, fw, handle); @@ -784,8 +788,10 @@ insert_entry(const ip6t_chainlabel chain, unsigned int rulenum, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle) { @@ -794,8 +800,10 @@ insert_entry(const ip6t_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_insert_entry(chain, fw, rulenum, handle); @@ -806,7 +814,7 @@ insert_entry(const ip6t_chainlabel chain, } static unsigned char * -make_delete_mask(struct ip6t_entry *fw, struct xtables_rule_match *matches) +make_delete_mask(struct xtables_rule_match *matches) { /* Establish mask for comparison */ unsigned int size; @@ -843,8 +851,10 @@ delete_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle, struct xtables_rule_match *matches) 
@@ -853,11 +863,13 @@ delete_entry(const ip6t_chainlabel chain, int ret = 1; unsigned char *mask; - mask = make_delete_mask(fw, matches); + mask = make_delete_mask(matches); for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_delete_entry(chain, fw, mask, handle); @@ -1291,9 +1303,9 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand int invert = 0; unsigned int nsaddrs = 0, ndaddrs = 0; struct in6_addr *saddrs = NULL, *daddrs = NULL; + struct in6_addr *smasks = NULL, *dmasks = NULL; int c, verbose = 0; - unsigned i; const char *chain = NULL; const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; const char *policy = NULL, *newname = NULL; @@ -1811,12 +1823,12 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand } if (shostnetworkmask) - xtables_ip6parse_any(shostnetworkmask, &saddrs, - &fw.ipv6.smsk, &nsaddrs); + xtables_ip6parse_multiple(shostnetworkmask, &saddrs, + &smasks, &nsaddrs); if (dhostnetworkmask) - xtables_ip6parse_any(dhostnetworkmask, &daddrs, - &fw.ipv6.dmsk, &ndaddrs); + xtables_ip6parse_multiple(dhostnetworkmask, &daddrs, + &dmasks, &ndaddrs); if ((nsaddrs > 1 || ndaddrs > 1) && (fw.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP))) @@ -1921,13 +1933,15 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand switch (command) { case CMD_APPEND: ret = append_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; case CMD_DELETE: ret = delete_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle, matches); break; 
@@ -1941,7 +1955,8 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; @@ -2001,12 +2016,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand e = NULL; } - for (i = 0; i < nsaddrs; i++) - free(&saddrs[i]); - - for (i = 0; i < ndaddrs; i++) - free(&daddrs[i]); - + free(saddrs); + free(smasks); + free(daddrs); + free(dmasks); xtables_free_opts(1); return ret; diff --git a/iptables.8.in b/iptables.8.in index 10dcb73..ff7954b 100644 --- a/iptables.8.in +++ b/iptables.8.in @@ -236,7 +236,7 @@ Protocol \fBall\fP will match with all protocols and is taken as default when this option is omitted. .TP -[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] Source specification. \fIAddress\fP can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), @@ -247,8 +247,11 @@ specifying the number of 1's at the left side of the network mask. Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP. A "!" argument before the address specification inverts the sense of the address. The flag \fB\-\-src\fP is an alias for this option. +Multiple addresses can be specified when, but this will \fBreplicate\fP the +rule (when adding with \-A), or will cause multiple rules to be +deleted (with \-D). .TP -[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] Destination specification. See the description of the \fB\-s\fP (source) flag for a detailed description of the syntax. The flag 
diff --git a/iptables.c b/iptables.c index 649baf4..7c075da 100644 --- a/iptables.c +++ b/iptables.c @@ -294,9 +294,9 @@ exit_printhelp(struct xtables_rule_match *matches) "Options:\n" "[!] --proto -p proto protocol: by number or name, eg. `tcp'\n" -"[!] --source -s address[/mask]\n" +"[!] --source -s address[/mask][...]\n" " source specification\n" -"[!] --destination -d address[/mask]\n" +"[!] --destination -d address[/mask][...]\n" " destination specification\n" "[!] --in-interface -i input name[+]\n" " network interface name ([+] for wildcard)\n" @@ -742,8 +742,10 @@ append_entry(const ipt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr saddrs[], + const struct in_addr smasks[], unsigned int ndaddrs, const struct in_addr daddrs[], + const struct in_addr dmasks[], int verbose, struct iptc_handle *handle) { @@ -752,8 +754,10 @@ append_entry(const ipt_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrs[i].s_addr; + fw->ip.smsk.s_addr = smasks[i].s_addr; for (j = 0; j < ndaddrs; j++) { fw->ip.dst.s_addr = daddrs[j].s_addr; + fw->ip.dmsk.s_addr = dmasks[j].s_addr; if (verbose) print_firewall_line(fw, handle); ret &= iptc_append_entry(chain, fw, handle); @@ -786,8 +790,10 @@ insert_entry(const ipt_chainlabel chain, unsigned int rulenum, unsigned int nsaddrs, const struct in_addr saddrs[], + const struct in_addr smasks[], unsigned int ndaddrs, const struct in_addr daddrs[], + const struct in_addr dmasks[], int verbose, struct iptc_handle *handle) { @@ -796,8 +802,10 @@ insert_entry(const ipt_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrs[i].s_addr; + fw->ip.smsk.s_addr = smasks[i].s_addr; for (j = 0; j < ndaddrs; j++) { fw->ip.dst.s_addr = daddrs[j].s_addr; + fw->ip.dmsk.s_addr = dmasks[j].s_addr; if (verbose) print_firewall_line(fw, handle); ret &= iptc_insert_entry(chain, fw, rulenum, handle); 
@@ -808,7 +816,7 @@ insert_entry(const ipt_chainlabel chain, } static unsigned char * -make_delete_mask(struct ipt_entry *fw, struct xtables_rule_match *matches) +make_delete_mask(struct xtables_rule_match *matches) { /* Establish mask for comparison */ unsigned int size; @@ -845,8 +853,10 @@ delete_entry(const ipt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr saddrs[], + const struct in_addr smasks[], unsigned int ndaddrs, const struct in_addr daddrs[], + const struct in_addr dmasks[], int verbose, struct iptc_handle *handle, struct xtables_rule_match *matches) @@ -855,11 +865,13 @@ delete_entry(const ipt_chainlabel chain, int ret = 1; unsigned char *mask; - mask = make_delete_mask(fw, matches); + mask = make_delete_mask(matches); for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrs[i].s_addr; + fw->ip.smsk.s_addr = smasks[i].s_addr; for (j = 0; j < ndaddrs; j++) { fw->ip.dst.s_addr = daddrs[j].s_addr; + fw->ip.dmsk.s_addr = dmasks[j].s_addr; if (verbose) print_firewall_line(fw, handle); ret &= iptc_delete_entry(chain, fw, mask, handle); @@ -1313,7 +1325,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle struct ipt_entry fw, *e = NULL; int invert = 0; unsigned int nsaddrs = 0, ndaddrs = 0; - struct in_addr *saddrs = NULL, *daddrs = NULL; + struct in_addr *saddrs = NULL, *smasks = NULL; + struct in_addr *daddrs = NULL, *dmasks = NULL; int c, verbose = 0; const char *chain = NULL; 
@@ -1848,12 +1861,12 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle } if (shostnetworkmask) - xtables_ipparse_any(shostnetworkmask, &saddrs, - &fw.ip.smsk, &nsaddrs); + xtables_ipparse_multiple(shostnetworkmask, &saddrs, + &smasks, &nsaddrs); if (dhostnetworkmask) - xtables_ipparse_any(dhostnetworkmask, &daddrs, - &fw.ip.dmsk, &ndaddrs); + xtables_ipparse_multiple(dhostnetworkmask, &daddrs, + &dmasks, &ndaddrs); if ((nsaddrs > 1 || ndaddrs > 1) && (fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) @@ -1961,13 +1974,15 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle switch (command) { case CMD_APPEND: ret = append_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; case CMD_DELETE: ret = delete_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle, matches); break; @@ -1981,7 +1996,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; @@ -2042,7 +2058,9 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle } free(saddrs); + free(smasks); free(daddrs); + free(dmasks); xtables_free_opts(1); return ret; diff --git a/xtables.c b/xtables.c index e018331..05154dd 100644 --- a/xtables.c +++ b/xtables.c @@ -271,6 +271,18 @@ void *xtables_malloc(size_t size) return p; } +void *xtables_realloc(void *ptr, size_t size) +{ + void *p; + + if ((p = realloc(ptr, size)) == NULL) { + perror("ip[6]tables: realloc failed"); + exit(1); + } + + return p; +} + static char *get_modprobe(void) { int procfile; 
@@ -1133,6 +1145,86 @@ static struct in_addr *parse_ipmask(const char *mask) return &maskaddr; } +void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp, + struct in_addr **maskpp, unsigned int *naddrs) +{ + struct in_addr *addrp; + char buf[256], *p; + unsigned int len, i, j, n, count = 1; + const char *loop = name; + + while ((loop = strchr(loop, ',')) != NULL) { + ++count; + ++loop; /* skip ',' */ + } + + *addrpp = xtables_malloc(sizeof(struct in_addr) * count); + *maskpp = xtables_malloc(sizeof(struct in_addr) * count); + + loop = name; + + for (i = 0; i < count; ++i) { + if (loop == NULL) + break; + if (*loop == ',') + ++loop; + if (*loop == '\0') + break; + p = strchr(loop, ','); + if (p != NULL) + len = p - loop; + else + len = strlen(loop); + if (len == 0 || sizeof(buf) - 1 < len) + break; + + strncpy(buf, loop, len); + buf[len] = '\0'; + loop += len; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + addrp = parse_ipmask(p + 1); + } else { + addrp = parse_ipmask(NULL); + } + memcpy(*maskpp + i, addrp, sizeof(*addrp)); + + /* if a null mask is given, the name is ignored, like in "any/0" */ + if ((*maskpp + i)->s_addr == 0) + /* + * A bit pointless to process multiple addresses + * in this case... 
+ */ + strcpy(buf, "0.0.0.0"); + + addrp = ipparse_hostnetwork(buf, &n); + if (n > 1) { + count += n - 1; + *addrpp = xtables_realloc(*addrpp, + sizeof(struct in_addr) * count); + *maskpp = xtables_realloc(*maskpp, + sizeof(struct in_addr) * count); + for (j = 0; j < n; ++j) + /* for each new addr */ + memcpy(*addrpp + i + j, addrp + j, + sizeof(*addrp)); + for (j = 1; j < n; ++j) + /* for each new mask */ + memcpy(*maskpp + i + j, *maskpp + i, + sizeof(*addrp)); + i += n - 1; + } else { + memcpy(*addrpp + i, addrp, sizeof(*addrp)); + } + /* free what ipparse_hostnetwork had allocated: */ + free(addrp); + } + *naddrs = count; + for (i = 0; i < n; ++i) + (*addrpp+i)->s_addr &= (*maskpp+i)->s_addr; +} + + /** * xtables_ipparse_any - transform arbitrary name to in_addr * 
@@ -1364,6 +1456,89 @@ static struct in6_addr *parse_ip6mask(char *mask) return &maskaddr; } +void +xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp, + struct in6_addr **maskpp, unsigned int *naddrs) +{ + struct in6_addr *addrp; + char buf[256], *p; + unsigned int len, i, j, n, count = 1; + const char *loop = name; + + while ((loop = strchr(loop, ',')) != NULL) { + ++count; + ++loop; /* skip ',' */ + } + + *addrpp = xtables_malloc(sizeof(struct in6_addr) * count); + *maskpp = xtables_malloc(sizeof(struct in6_addr) * count); + + loop = name; + + for (i = 0; i < count /*NB: count can grow*/; ++i) { + if (loop == NULL) + break; + if (*loop == ',') + ++loop; + if (*loop == '\0') + break; + p = strchr(loop, ','); + if (p != NULL) + len = p - loop; + else + len = strlen(loop); + if (len == 0 || sizeof(buf) - 1 < len) + break; + + strncpy(buf, loop, len); + buf[len] = '\0'; + loop += len; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + addrp = parse_ip6mask(p + 1); + } else { + addrp = parse_ip6mask(NULL); + } + memcpy(*maskpp + i, addrp, sizeof(*addrp)); + + /* if a null mask is given, the name is ignored, like in "any/0" */ + if (memcmp(*maskpp + i, &in6addr_any, sizeof(in6addr_any)) == 0) + strcpy(buf, "::"); + + addrp = ip6parse_hostnetwork(buf, &n); + /* ip6parse_hostnetwork only ever returns one IP + address (it exits if the resolution fails). + Therefore, n will always be 1 here. 
Leaving the + code below in anyway in case ip6parse_hostnetwork + is improved some day to behave like + ipparse_hostnetwork: */ + if (n > 1) { + count += n - 1; + *addrpp = xtables_realloc(*addrpp, + sizeof(struct in6_addr) * count); + *maskpp = xtables_realloc(*maskpp, + sizeof(struct in6_addr) * count); + for (j = 0; j < n; ++j) + /* for each new addr */ + memcpy(*addrpp + i + j, addrp + j, + sizeof(*addrp)); + for (j = 1; j < n; ++j) + /* for each new mask */ + memcpy(*maskpp + i + j, *maskpp + i, + sizeof(*addrp)); + i += n - 1; + } else { + memcpy(*addrpp + i, addrp, sizeof(*addrp)); + } + /* free what ip6parse_hostnetwork had allocated: */ + free(addrp); + } + *naddrs = count; + for (i = 0; i < n; ++i) + for (j = 0; j < 4; ++j) + (*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j]; +} + void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp, struct in6_addr *maskp, unsigned int *naddrs) { -- 1.6.3.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
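Review bot: The two prototypes added to include/xtables.h.in, xtables_ipparse_multiple() and xtables_ip6parse_multiple(), carry no comment on ownership, and unlike xtables_ipparse_any() the mask argument is now a pointer-to-pointer that the function allocates itself. A short comment stating that both *addrpp and *maskpp are allocated by the callee, hold *naddrs entries each, and must be released with free() by the caller (as do_command() and do_command6() now do) would keep other libxtables users from leaking or mis-sizing them.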
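Review bot: The paragraph added under \-s in iptables.8.in names only \-A and \-D, but insert_entry() is passed smasks/dmasks in exactly the same way, so \-I expands into several rules as well and should be listed. The first sentence also has a stray "when" ("can be specified when, but"), and it would help to say outright that a comma-separated list yields one rule per address (one per source/destination pair when both options carry lists, given the nested loops in append_entry()) rather than one rule matching a set.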
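Review bot: In the exit_printhelp() hunk of iptables.c the usage strings read "address[/mask][...]", while the matching ip6tables.c hunk and the man page use "[,...]"; the comma is missing here. Change both lines to "address[/mask][,...]" so the help output shows the separator the parser actually splits on.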
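Review bot: The closing masking loop of xtables_ipparse_multiple() in xtables.c is bounded by n instead of count: "for (i = 0; i < n; ++i)". n is whatever the last ipparse_hostnetwork() call returned, so entries at index n and above are stored with their host bits intact, and if the parse loop breaks before the first ipparse_hostnetwork() call n is read uninitialised. Bound the loop by count (or by the number of entries actually filled) so every address is ANDed with its own mask.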
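Review bot: Every early "break" in the parse loop of xtables_ip6parse_multiple() (an empty element, a trailing comma, or an element longer than sizeof(buf) - 1) still falls through to "*naddrs = count", so the caller is told about slots in *addrpp and *maskpp that were never written after xtables_malloc(), and do_command6() then builds rules from them. Either reject the malformed list as a parameter error or set *naddrs to the number of entries actually stored. The same applies to xtables_ipparse_multiple(), and the closing loop here also uses "i < n" where count is meant; since the comment says n is always 1, only the first address is ever masked.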
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Pablo Neira Ayuso @ 2009-06-06 6:53 UTC
To: Jan Engelhardt; +Cc: kaber, netfilter-devel

Hi Jan,

Jan Engelhardt wrote:
> From: Michael Granzow <mgranzow@zeus.com>
>
> libiptc already supports adding and deleting multiple rules with
> different addresses, so it only needs to be wired up to the options.
>
> # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>
> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

I think this is handy for users so I can find it useful.

The only concern that I have with this is that it changes the existing
1:1 mapping between commands and iptables rules. I mean, people may get
confused because of this "rule expansion" feature, they may think that
we natively support layer 3 address sets? Probably it's a matter of
documenting this.

I'd like to know what Patrick thinks about this anyway.

Just a minor nitpick:

> +Multiple addresses can be specified when, but this will \fBreplicate\fP the
                                       ^^^^
This sentence is incomplete? I suggest to refer to the rule expansion
feature.

> +rule (when adding with \-A), or will cause multiple rules to be
> +deleted (with \-D).

--
"Honest people are social misfits" -- Les Luthiers
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Jan Engelhardt @ 2009-06-06 11:16 UTC
To: Pablo Neira Ayuso; +Cc: kaber, netfilter-devel

On Saturday 2009-06-06 08:53, Pablo Neira Ayuso wrote:
>>
>> # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>>
>> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
>
>I think this is handy for users so I can find it useful.
>
>The only concern that I have with this is that it changes the existing
>1:1 mapping between commands and iptables rules. I mean, people may get
>confused because of this "rule expansion" feature, they may think that
>we natively support layer 3 address sets? Probably it's a matter of
>documenting this.

Hence:

>> +Multiple addresses can be specified when, but this will \fBreplicate\fP the
>                                       ^^^^
>This sentence is incomplete? I suggest to refer to the rule expansion
>feature.

Well, I think <b>replicate</b> hits the expansion pretty good.

>> +rule (when adding with \-A), or will cause multiple rules to be
>> +deleted (with \-D).

I'll remove the 'when' in a rebase.
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Pablo Neira Ayuso @ 2009-06-07 21:12 UTC
To: Jan Engelhardt; +Cc: kaber, netfilter-devel

Jan Engelhardt wrote:
> On Saturday 2009-06-06 08:53, Pablo Neira Ayuso wrote:
>>> # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>>>
>>> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
>> I think this is handy for users so I can find it useful.
>>
>> The only concern that I have with this is that it changes the existing
>> 1:1 mapping between commands and iptables rules. I mean, people may get
>> confused because of this "rule expansion" feature, they may think that
>> we natively support layer 3 address sets? Probably it's a matter of
>> documenting this.
>
> Hence:
>
>>> +Multiple addresses can be specified when, but this will \fBreplicate\fP the
>>                                       ^^^^
>> This sentence is incomplete? I suggest to refer to the rule expansion
>> feature.
>
> Well, I think <b>replicate</b> hits the expansion pretty good.

To replicate means to make a copy, and this is not what this does. But,
to be frank, I really don't care.

--
"Honest people are social misfits" -- Les Luthiers
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Patrick McHardy @ 2009-06-08 13:50 UTC
To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, netfilter-devel

Pablo Neira Ayuso wrote:
> Hi Jan,
>
> Jan Engelhardt wrote:
>> From: Michael Granzow <mgranzow@zeus.com>
>>
>> libiptc already supports adding and deleting multiple rules with
>> different addresses, so it only needs to be wired up to the options.
>>
>> # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>>
>> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
>
> I think this is handy for users so I can find it useful.
>
> The only concern that I have with this is that it changes the existing
> 1:1 mapping between commands and iptables rules. I mean, people may get
> confused because of this "rule expansion" feature, they may think that
> we natively support layer 3 address sets? Probably it's a matter of
> documenting this.
>
> I'd like to know what Patrick thinks about this anyway.

No objections besides that it's too large for this late in the cycle.
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Jan Engelhardt @ 2009-06-10 12:16 UTC
To: Patrick McHardy; +Cc: Pablo Neira Ayuso, netfilter-devel

On Monday 2009-06-08 15:50, Patrick McHardy wrote:
>>> From: Michael Granzow <mgranzow@zeus.com>
>>>
>>> libiptc already supports adding and deleting multiple rules with
>>> different addresses, so it only needs to be wired up to the options.
>>>
>>> # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>
> No objections besides that it's too large for this late in the cycle.
>
Git is not as castrated as Hg when it comes to branches, so why not
make a "stable" branch that is then regularly merged into master? :)
The concept fares well with e.g. pam_mount (look at its gitk tree
from v0.43 downwards); automake also considered, and now uses,
this scheme.
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Patrick McHardy @ 2009-06-10 12:19 UTC
To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, netfilter-devel

Jan Engelhardt wrote:
> On Monday 2009-06-08 15:50, Patrick McHardy wrote:
>>>> From: Michael Granzow <mgranzow@zeus.com>
>>>>
>>>> libiptc already supports adding and deleting multiple rules with
>>>> different addresses, so it only needs to be wired up to the options.
>>>>
>>>> # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>> No objections besides that it's too large for this late in the cycle.
>>
> Git is not as castrated as Hg when it comes to branches, so why not
> make a "stable" branch that is then regularly merged into master? :)

I don't see why that would currently be necessary. We're talking
about a few days, and in fact I'd rather have people test the
current code before the release instead of hacking on new things :)
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Jan Engelhardt @ 2009-06-25 17:08 UTC
To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List

On 2009-06-10 12:19:59, Patrick wrote:
>On Wednesday 2009-06-10 14:16, Jan Engelhardt wrote:
>>
>>Git is not as castrated as Hg when it comes to branches, so why not
>>make a "stable" branch that is then regularly merged into master? :)
>
>I don't see why that would currently be necessary. We're talking
>about a few days, and in fact I'd rather have people test the
>current code before the release instead of hacking on new things :)

Yeah but in general? The - judging from their version numbers -
x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
features because there is just master, in which case it should
have been the new 1.4.4 already.
So either z is bumped more often and S-versions will not
be released, or S only receives fixes, necessitating a separate branch.
Objections?

Jan
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Jan Engelhardt @ 2009-07-16 14:24 UTC
To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List

On Thursday 2009-06-25 19:08, Jan Engelhardt wrote:
>On 2009-06-10 12:19:59, Patrick wrote:
>>On Wednesday 2009-06-10 14:16, Jan Engelhardt wrote:
>>>
>>>Git is not as castrated as Hg when it comes to branches, so why not
>>>make a "stable" branch that is then regularly merged into master? :)
>>
>>I don't see why that would currently be necessary. We're talking
>>about a few days, and in fact I'd rather have people test the
>>current code before the release instead of hacking on new things :)
>
>Yeah but in general? The - judging from their version numbers -
>x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
>features because there is just master, in which case it should
>have been the new 1.4.4 already.
>So either z is bumped more often and S-versions will not
>be released, or S only receives fixes, necessitating a separate branch.
>Objections?

It would be cool to get an answer here so I know how to twingle
patchbranches that I'd like to submit.
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Patrick McHardy @ 2009-07-17 14:31 UTC
To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Thursday 2009-06-25 19:08, Jan Engelhardt wrote:
>> On 2009-06-10 12:19:59, Patrick wrote:
>>> On Wednesday 2009-06-10 14:16, Jan Engelhardt wrote:
>>>> Git is not as castrated as Hg when it comes to branches, so why not
>>>> make a "stable" branch that is then regularly merged into master? :)
>>> I don't see why that would currently be necessary. We're talking
>>> about a few days, and in fact I'd rather have people test the
>>> current code before the release instead of hacking on new things :)
>> Yeah but in general? The - judging from their version numbers -
>> x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
>> features because there is just master, in which case it should
>> have been the new 1.4.4 already.
>> So either z is bumped more often and S-versions will not
>> be released, or S only receives fixes, necessitating a separate branch.
>> Objections?
>
> It would be cool to get an answer here so I know how to twingle
> patchbranches that I'd like to submit.

Well, I don't object to having a stable branch when we actually do
need to release pure bug-fix versions. But I'd say those can be
created on demand.
* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
From: Jan Engelhardt @ 2009-07-17 15:55 UTC
To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List

On Friday 2009-07-17 16:31, Patrick McHardy wrote:
>>> Yeah but in general? The - judging from their version numbers -
>>> x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
>>> features because there is just master, in which case it should
>>> have been the new 1.4.4 already.
>>> So either z is bumped more often and S-versions will not
>>> be released, or S only receives fixes, necessitating a separate branch.
>>> Objections?
>>
>> It would be cool to get an answer here so I know how to twingle
>> patchbranches that I'd like to submit.
>
>Well, I don't object to having a stable branch when we actually do
>need to release pure bug-fix versions. But I'd say those can be
>created on demand.
>
Yes, but it requires that any bugfix commit does not have master
as a descendent (otherwise it would be perturbed by dev commits).
The core essential of a (de facto) stable branch is that solely
the most recent tag, (or stable commits), are a parent.
That is what I want to be sure of, esp. when others send commits.
Below's patches respect this.

"Please pull from..."
git://dev.medozas.de/iptables stable

the two (2) things that Jan Engelhardt piled up:

xt_conntrack: revision 2 for enlarged state_mask member
libxt_helper: fix invalid passed option to check_inverse

extensions/libxt_conntrack.c | 175 +++++++++++++++++++++++++++-----
extensions/libxt_helper.c | 2 +-
include/linux/netfilter/xt_conntrack.h | 13 +++
3 files changed, 162 insertions(+), 28 deletions(-)

* [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag 2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt 2009-06-05 19:25 ` [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d Jan Engelhardt @ 2009-06-05 19:25 ` Jan Engelhardt 2009-06-08 13:46 ` Patrick McHardy 2009-06-05 19:25 ` [PATCH 3/3] extensions: remove redundant casts Jan Engelhardt 2009-06-08 13:45 ` iptables: pull request June-05 Patrick McHardy 3 siblings, 1 reply; 17+ messages in thread From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw) To: kaber; +Cc: netfilter-devel Signed-off-by: Jan Engelhardt <jengelh@medozas.de> --- extensions/libipt_DNAT.man | 7 +++++-- extensions/libipt_SAME.man | 2 ++ extensions/libipt_SNAT.man | 7 +++++-- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man index 22e84c6..d1e0a3a 100644 --- a/extensions/libipt_DNAT.man +++ b/extensions/libipt_DNAT.man @@ -32,5 +32,8 @@ anymore. If option \fB\-\-random\fP is used then port mapping will be randomized (kernel >= 2.6.22). -.RS -.PP +.TP +\fB\-\-persistent\fP +Gives a client the same source-/destination-address for each connection. +This supersedes the SAME target. Support for persistent mappings is available +from 2.6.29-rc2. diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man index b862aa4..a99dc73 100644 --- a/extensions/libipt_SAME.man +++ b/extensions/libipt_SAME.man @@ -1,6 +1,8 @@ Similar to SNAT/DNAT depending on chain: it takes a range of addresses (`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same source-/destination-address for each connection. +.PP +N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target. .TP \fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP] Addresses to map source to. May be specified more than once for diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man index 040571b..6b828fd 100644 --- a/extensions/libipt_SNAT.man 
+++ b/extensions/libipt_SNAT.man @@ -30,5 +30,8 @@ anymore. If option \fB\-\-random\fP is used then port mapping will be randomized (kernel >= 2.6.21). -.RS -.PP +.TP +\fB\-\-persistent\fP +Gives a client the same source-/destination-address for each connection. +This supersedes the SAME target. Support for persistent mappings is available +from 2.6.29-rc2. -- 1.6.3.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
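Review bot: In the libipt_DNAT.man hunk the new \-\-persistent entry reuses the SAME target's generic sentence, "Gives a client the same source-/destination-address for each connection"; in the DNAT page it would read more clearly if it named the destination mapping only. The hunk also removes the trailing .RS/.PP pair, so please confirm that no .RE is left further down the file without its opening .RS.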
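Review bot: The N.B. line added to libipt_SAME.man credits only "The DNAT target's \-\-persistent option", although this same patch documents \-\-persistent for SNAT too and the paragraph directly above describes SAME as "Similar to SNAT/DNAT depending on chain". Suggest naming both targets, e.g. "The \-\-persistent option of the SNAT and DNAT targets replaced the SAME target.", so the source-NAT case is not lost.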
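Review bot: In the libipt_SNAT.man hunk the kernel requirement is phrased "available from 2.6.29-rc2" immediately below a sentence that uses the form "(kernel >= 2.6.21)"; one style for version requirements within the page would be easier to scan, and a release-candidate tag is an unusual thing to cite in a manpage. The identical sentence in the DNAT hunk, next to "(kernel >= 2.6.22)", has the same inconsistency.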
* Re: [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag
From: Patrick McHardy @ 2009-06-08 13:46 UTC
To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:

Applied, thanks.

* [PATCH 3/3] extensions: remove redundant casts 2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt 2009-06-05 19:25 ` [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d Jan Engelhardt 2009-06-05 19:25 ` [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag Jan Engelhardt @ 2009-06-05 19:25 ` Jan Engelhardt 2009-06-08 13:47 ` Patrick McHardy 2009-06-08 13:45 ` iptables: pull request June-05 Patrick McHardy 3 siblings, 1 reply; 17+ messages in thread From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw) To: kaber; +Cc: netfilter-devel Signed-off-by: Jan Engelhardt <jengelh@medozas.de> --- extensions/libipt_realm.c | 4 ++-- extensions/libxt_multiport.c | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c index 0580610..c9e1760 100644 --- a/extensions/libipt_realm.c +++ b/extensions/libipt_realm.c @@ -86,14 +86,14 @@ static void load_realms(void) continue; /* found valid data */ - newnm = (struct realmname*)malloc(sizeof(struct realmname)); + newnm = malloc(sizeof(struct realmname)); if (newnm == NULL) { perror("libipt_realm: malloc failed"); exit(1); } newnm->id = id; newnm->len = nxt - cur; - newnm->name = (char*)malloc(newnm->len + 1); + newnm->name = malloc(newnm->len + 1); if (newnm->name == NULL) { perror("libipt_realm: malloc failed"); exit(1); diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c index c3c8bb9..9959a20 100644 --- a/extensions/libxt_multiport.c +++ b/extensions/libxt_multiport.c @@ -215,7 +215,7 @@ static int multiport_parse6(int c, char **argv, int invert, unsigned int *flags, const void *e, struct xt_entry_match **match) { - const struct ip6t_entry *entry = (const struct ip6t_entry *)e; + const struct ip6t_entry *entry = e; return __multiport_parse(c, argv, invert, flags, match, entry->ipv6.proto, entry->ipv6.invflags); } 
@@ -278,7 +278,7 @@ static int multiport_parse6_v1(int c, char **argv, int invert, unsigned int *flags, const void *e, struct xt_entry_match **match) { - const struct ip6t_entry *entry = (const struct ip6t_entry *)e; + const struct ip6t_entry *entry = e; return __multiport_parse_v1(c, argv, invert, flags, match, entry->ipv6.proto, entry->ipv6.invflags); } @@ -358,7 +358,7 @@ static void multiport_print(const void *ip_void, static void multiport_print6(const void *ip_void, const struct xt_entry_match *match, int numeric) { - const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; + const struct ip6t_ip6 *ip = ip_void; __multiport_print(match, numeric, ip->proto); } @@ -413,7 +413,7 @@ static void multiport_print_v1(const void *ip_void, static void multiport_print6_v1(const void *ip_void, const struct xt_entry_match *match, int numeric) { - const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; + const struct ip6t_ip6 *ip = ip_void; __multiport_print_v1(match, numeric, ip->proto); } @@ -456,7 +456,7 @@ static void multiport_save(const void *ip_void, static void multiport_save6(const void *ip_void, const struct xt_entry_match *match) { - const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; + const struct ip6t_ip6 *ip = ip_void; __multiport_save(match, ip->proto); } @@ -505,7 +505,7 @@ static void multiport_save_v1(const void *ip_void, static void multiport_save6_v1(const void *ip_void, const struct xt_entry_match *match) { - const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void; + const struct ip6t_ip6 *ip = ip_void; __multiport_save_v1(match, ip->proto); } -- 1.6.3.1 ^ permalink raw reply related [flat|nested] 17+ messages in thread
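Review bot: In the load_realms() hunk of libipt_realm.c, once the cast is gone the size expression is the only place the type is still spelled out ("newnm = malloc(sizeof(struct realmname));"). Writing it as malloc(sizeof(*newnm)) would tie the allocation size to the variable, so the two cannot drift apart if the declaration of newnm ever changes.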
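Review bot: All six libxt_multiport.c hunks touch only the IPv6 helpers (multiport_parse6, multiport_parse6_v1, multiport_print6, multiport_print6_v1, multiport_save6, multiport_save6_v1); please check that the IPv4 counterparts such as multiport_print and multiport_save do not still carry the same cast from their const void * argument, so the file ends up consistent. The commit message consists of the sign-off alone; one line stating that the casts are redundant because void * converts implicitly in C would help later readers of the history.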
* Re: [PATCH 3/3] extensions: remove redundant casts
From: Patrick McHardy @ 2009-06-08 13:47 UTC
To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:

Also applied, thanks.

* Re: iptables: pull request June-05
From: Patrick McHardy @ 2009-06-08 13:45 UTC
To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> Hi,
>
>
> in another working copy I found these accumulated pieces:
>
> Jan Engelhardt (2):
> DNAT/SNAT: add manpage documentation for --persistent flag
> extensions: remove redundant casts
>
> Michael Granzow (1):
> iptables: accept multiple IP address specifications for -s, -d

I'll happily take 2 and 3, but 1 will have to wait until after
the release.