* iptables: headers, chain length
@ 2010-06-24  8:14 Jan Engelhardt
  2010-06-24  8:14 ` [PATCH 1/3] includes: sync header files from Linux 2.6.35-rc1 Jan Engelhardt
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Jan Engelhardt @ 2010-06-24  8:14 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


The following changes since commit d40f1628c3717daebc437a398a285e371b5b6f7f:

  libxt_set: new revision added (2010-06-16 12:45:33 +0200)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (3):
      includes: sync header files from Linux 2.6.35-rc1
      xtables: another try at chain name length checking
      xtables: remove xtables_set_revision function

 configure.ac                          |    2 +-
 include/linux/kernel.h                |   62 +++++++++++++++++++++++++++++++++
 include/linux/netfilter/x_tables.h    |   30 +++++++++++-----
 include/linux/netfilter/xt_CONNMARK.h |   22 +-----------
 include/linux/netfilter/xt_MARK.h     |    6 +---
 include/linux/netfilter/xt_TEE.h      |    3 ++
 include/linux/netfilter/xt_connmark.h |   11 ++++++
 include/linux/netfilter/xt_mark.h     |    4 ++
 include/linux/netfilter/xt_recent.h   |    7 ++++
 include/linux/netfilter_ipv6.h        |    1 +
 include/xtables.h.in                  |    1 -
 ip6tables-restore.c                   |    4 +-
 ip6tables.c                           |   12 +++----
 iptables-restore.c                    |    4 +-
 iptables.c                            |   15 +++-----
 xtables.c                             |   18 ++-------
 16 files changed, 131 insertions(+), 71 deletions(-)
 create mode 100644 include/linux/kernel.h


* [PATCH 1/3] includes: sync header files from Linux 2.6.35-rc1
  2010-06-24  8:14 iptables: headers, chain length Jan Engelhardt
@ 2010-06-24  8:14 ` Jan Engelhardt
  2010-06-24  8:14 ` [PATCH 2/3] xtables: another try at chain name length checking Jan Engelhardt
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2010-06-24  8:14 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/linux/kernel.h                |   62 +++++++++++++++++++++++++++++++++
 include/linux/netfilter/x_tables.h    |   30 +++++++++++-----
 include/linux/netfilter/xt_CONNMARK.h |   22 +-----------
 include/linux/netfilter/xt_MARK.h     |    6 +---
 include/linux/netfilter/xt_TEE.h      |    3 ++
 include/linux/netfilter/xt_connmark.h |   11 ++++++
 include/linux/netfilter/xt_mark.h     |    4 ++
 include/linux/netfilter/xt_recent.h   |    7 ++++
 include/linux/netfilter_ipv6.h        |    1 +
 9 files changed, 111 insertions(+), 35 deletions(-)
 create mode 100644 include/linux/kernel.h

diff --git a/include/linux/kernel.h b/include/linux/kernel.h
new file mode 100644
index 0000000..d1671a0
--- /dev/null
+++ b/include/linux/kernel.h
@@ -0,0 +1,62 @@
+#ifndef _LINUX_KERNEL_H
+#define _LINUX_KERNEL_H
+
+/*
+ * 'kernel.h' contains some often-used function prototypes etc
+ */
+#define __ALIGN_KERNEL(x, a)		__ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
+#define __ALIGN_KERNEL_MASK(x, mask)	(((x) + (mask)) & ~(mask))
+
+
+
+#define SI_LOAD_SHIFT	16
+struct sysinfo {
+	long uptime;			/* Seconds since boot */
+	unsigned long loads[3];		/* 1, 5, and 15 minute load averages */
+	unsigned long totalram;		/* Total usable main memory size */
+	unsigned long freeram;		/* Available memory size */
+	unsigned long sharedram;	/* Amount of shared memory */
+	unsigned long bufferram;	/* Memory used by buffers */
+	unsigned long totalswap;	/* Total swap space size */
+	unsigned long freeswap;		/* swap space still available */
+	unsigned short procs;		/* Number of current processes */
+	unsigned short pad;		/* explicit padding for m68k */
+	unsigned long totalhigh;	/* Total high memory size */
+	unsigned long freehigh;		/* Available high memory size */
+	unsigned int mem_unit;		/* Memory unit size in bytes */
+	char _f[20-2*sizeof(long)-sizeof(int)];	/* Padding: libc5 uses this.. */
+};
+
+/* Force a compilation error if condition is true */
+#define BUILD_BUG_ON(condition) ((void)BUILD_BUG_ON_ZERO(condition))
+
+/* Force a compilation error if condition is constant and true */
+#define MAYBE_BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))
+
+/* Force a compilation error if a constant expression is not a power of 2 */
+#define BUILD_BUG_ON_NOT_POWER_OF_2(n)			\
+	BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0))
+
+/* Force a compilation error if condition is true, but also produce a
+   result (of value 0 and type size_t), so the expression can be used
+   e.g. in a structure initializer (or where-ever else comma expressions
+   aren't permitted). */
+#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); }))
+#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
+
+/* Trap pasters of __FUNCTION__ at compile-time */
+#define __FUNCTION__ (__func__)
+
+/* This helps us to avoid #ifdef CONFIG_NUMA */
+#ifdef CONFIG_NUMA
+#define NUMA_BUILD 1
+#else
+#define NUMA_BUILD 0
+#endif
+
+/* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */
+#ifdef CONFIG_FTRACE_MCOUNT_RECORD
+# define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD
+#endif
+
+#endif
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index ccb5641..fa2d957 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -1,9 +1,10 @@
 #ifndef _X_TABLES_H
 #define _X_TABLES_H
-
+#include <linux/kernel.h>
 #include <linux/types.h>
 
 #define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
 #define XT_TABLE_MAXNAMELEN 32
 
 struct xt_entry_match {
@@ -12,8 +13,7 @@ struct xt_entry_match {
 			__u16 match_size;
 
 			/* Used by userspace */
-			char name[XT_FUNCTION_MAXNAMELEN-1];
-
+			char name[XT_EXTENSION_MAXNAMELEN];
 			__u8 revision;
 		} user;
 		struct {
@@ -36,8 +36,7 @@ struct xt_entry_target {
 			__u16 target_size;
 
 			/* Used by userspace */
-			char name[XT_FUNCTION_MAXNAMELEN-1];
-
+			char name[XT_EXTENSION_MAXNAMELEN];
 			__u8 revision;
 		} user;
 		struct {
@@ -70,8 +69,7 @@ struct xt_standard_target {
 /* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
  * kernel supports, if >= revision. */
 struct xt_get_revision {
-	char name[XT_FUNCTION_MAXNAMELEN-1];
-
+	char name[XT_EXTENSION_MAXNAMELEN];
 	__u8 revision;
 };
 
@@ -93,8 +91,7 @@ struct _xt_align {
 	__u64 u64;
 };
 
-#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) 	\
-			& ~(__alignof__(struct _xt_align)-1))
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
 
 /* Standard return verdict, or do jump. */
 #define XT_STANDARD_TARGET ""
@@ -165,4 +162,19 @@ struct xt_counters_info {
 	XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
 
 
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+	for ((pos) = (typeof(pos))(ehead); \
+	     (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+	     (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+	for ((pos) = (struct xt_entry_match *)entry->elems; \
+	     (pos) < (struct xt_entry_match *)((char *)(entry) + \
+	             (entry)->target_offset); \
+	     (pos) = (struct xt_entry_match *)((char *)(pos) + \
+	             (pos)->u.match_size))
+
+
 #endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 0a85458..2f2e48e 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -1,26 +1,6 @@
 #ifndef _XT_CONNMARK_H_target
 #define _XT_CONNMARK_H_target
 
-#include <linux/types.h>
-
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-enum {
-	XT_CONNMARK_SET = 0,
-	XT_CONNMARK_SAVE,
-	XT_CONNMARK_RESTORE
-};
-
-struct xt_connmark_tginfo1 {
-	__u32 ctmark, ctmask, nfmask;
-	__u8 mode;
-};
+#include <linux/netfilter/xt_connmark.h>
 
 #endif /*_XT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index bc9561b..41c456d 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -1,10 +1,6 @@
 #ifndef _XT_MARK_H_target
 #define _XT_MARK_H_target
 
-#include <linux/types.h>
-
-struct xt_mark_tginfo2 {
-	__u32 mark, mask;
-};
+#include <linux/netfilter/xt_mark.h>
 
 #endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
index 55d4a50..5c21d5c 100644
--- a/include/linux/netfilter/xt_TEE.h
+++ b/include/linux/netfilter/xt_TEE.h
@@ -4,6 +4,9 @@
 struct xt_tee_tginfo {
 	union nf_inet_addr gw;
 	char oif[16];
+
+	/* used internally by the kernel */
+	struct xt_tee_priv *priv __attribute__((aligned(8)));
 };
 
 #endif /* _XT_TEE_TARGET_H */
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index 619e47c..efc17a8 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -12,6 +12,17 @@
  * (at your option) any later version.
  */
 
+enum {
+	XT_CONNMARK_SET = 0,
+	XT_CONNMARK_SAVE,
+	XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+	__u32 ctmark, ctmask, nfmask;
+	__u8 mode;
+};
+
 struct xt_connmark_mtinfo1 {
 	__u32 mark, mask;
 	__u8 invert;
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 6607c8f..ecadc40 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -3,6 +3,10 @@
 
 #include <linux/types.h>
 
+struct xt_mark_tginfo2 {
+	__u32 mark, mask;
+};
+
 struct xt_mark_mtinfo1 {
 	__u32 mark, mask;
 	__u8 invert;
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
index d2c2766..83318e0 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -9,6 +9,7 @@ enum {
 	XT_RECENT_UPDATE   = 1 << 2,
 	XT_RECENT_REMOVE   = 1 << 3,
 	XT_RECENT_TTL      = 1 << 4,
+	XT_RECENT_REAP     = 1 << 5,
 
 	XT_RECENT_SOURCE   = 0,
 	XT_RECENT_DEST     = 1,
@@ -16,6 +17,12 @@ enum {
 	XT_RECENT_NAME_LEN = 200,
 };
 
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+			       XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
 struct xt_recent_mtinfo {
 	__u32 seconds;
 	__u32 hit_count;
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 7430b39..f155b9d 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -57,6 +57,7 @@
 enum nf_ip6_hook_priorities {
 	NF_IP6_PRI_FIRST = INT_MIN,
 	NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+	NF_IP6_PRI_RAW = -300,
 	NF_IP6_PRI_SELINUX_FIRST = -225,
 	NF_IP6_PRI_CONNTRACK = -200,
 	NF_IP6_PRI_MANGLE = -150,
-- 
1.7.1



* [PATCH 2/3] xtables: another try at chain name length checking
  2010-06-24  8:14 iptables: headers, chain length Jan Engelhardt
  2010-06-24  8:14 ` [PATCH 1/3] includes: sync header files from Linux 2.6.35-rc1 Jan Engelhardt
@ 2010-06-24  8:14 ` Jan Engelhardt
  2010-06-24  8:14 ` [PATCH 3/3] xtables: remove xtables_set_revision function Jan Engelhardt
  2010-06-24 15:01 ` iptables: headers, chain length Patrick McHardy
  3 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2010-06-24  8:14 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Since XT_EXTENSION_MAXNAMELEN is now available, make use of it
and clear up the confusion.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables-restore.c |    4 ++--
 ip6tables.c         |    4 ++--
 iptables-restore.c  |    4 ++--
 iptables.c          |    4 ++--
 xtables.c           |   10 ++++------
 5 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index f0725d1..008566c 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -253,11 +253,11 @@ int main(int argc, char *argv[])
 				exit(1);
 			}
 
-			if (strlen(chain) > XT_FUNCTION_MAXNAMELEN - 1)
+			if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 				xtables_error(PARAMETER_PROBLEM,
 					   "Invalid chain name `%s' "
 					   "(%u chars max)",
-					   chain, XT_FUNCTION_MAXNAMELEN - 1);
+					   chain, XT_EXTENSION_MAXNAMELEN - 1);
 
 			if (ip6tc_builtin(chain, handle) <= 0) {
 				if (noflush && ip6tc_is_chain(chain, handle)) {
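Review bot: The new bound `strlen(chain) >= XT_EXTENSION_MAXNAMELEN` lowers the longest accepted chain name from 29 to 28 characters, and neither the code nor the commit message says so. The old test let a 29-character name through; if that name is later copied into the 29-byte `u.user.name` as a jump target (not visible in this hunk), there would be no room for the terminating NUL, so the tighter limit looks deliberate. A comment above the check such as `/* name[] is XT_EXTENSION_MAXNAMELEN bytes including the NUL */` would record the reason, and the changelog should mention that saved rulesets with a 29-character chain name will presumably be rejected on restore. The same applies to the matching hunk in iptables-restore.c; main() continues outside the hunk.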
diff --git a/ip6tables.c b/ip6tables.c
index 4e73d34..2fff21b 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -456,10 +456,10 @@ parse_target(const char *targetname)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name (too short)");
 
-	if (strlen(targetname) > XT_FUNCTION_MAXNAMELEN - 1)
+	if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name `%s' (%u chars max)",
-			   targetname, XT_FUNCTION_MAXNAMELEN - 1);
+			   targetname, XT_EXTENSION_MAXNAMELEN - 1);
 
 	for (ptr = targetname; *ptr; ptr++)
 		if (isspace(*ptr))
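Review bot: `isspace(*ptr)` in the loop after the length check receives a plain `char`, so a name byte above 0x7f becomes a negative argument where `char` is signed, which is undefined behaviour for the <ctype.h> functions. targetname is presumably user-supplied, so the cast is cheap hardening: `if (isspace((unsigned char)*ptr))`. The identical loop in the iptables.c parse_target hunk has the same issue. parse_target starts and ends outside the hunk.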
diff --git a/iptables-restore.c b/iptables-restore.c
index 4a74485..8c6648e 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -259,11 +259,11 @@ main(int argc, char *argv[])
 				exit(1);
 			}
 
-			if (strlen(chain) > XT_FUNCTION_MAXNAMELEN - 1)
+			if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 				xtables_error(PARAMETER_PROBLEM,
 					   "Invalid chain name `%s' "
 					   "(%u chars max)",
-					   chain, XT_FUNCTION_MAXNAMELEN - 1);
+					   chain, XT_EXTENSION_MAXNAMELEN - 1);
 
 			if (iptc_builtin(chain, handle) <= 0) {
 				if (noflush && iptc_is_chain(chain, handle)) {
diff --git a/iptables.c b/iptables.c
index 19c2af5..efe993e 100644
--- a/iptables.c
+++ b/iptables.c
@@ -460,10 +460,10 @@ parse_target(const char *targetname)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name (too short)");
 
-	if (strlen(targetname) > XT_FUNCTION_MAXNAMELEN - 1)
+	if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name `%s' (%u chars max)",
-			   targetname, XT_FUNCTION_MAXNAMELEN - 1);
+			   targetname, XT_EXTENSION_MAXNAMELEN - 1);
 
 	for (ptr = targetname; *ptr; ptr++)
 		if (isspace(*ptr))
diff --git a/xtables.c b/xtables.c
index 440b2e1..b4c4f6b 100644
--- a/xtables.c
+++ b/xtables.c
@@ -545,10 +545,10 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
 
-	if (strlen(name) > XT_FUNCTION_MAXNAMELEN - 1)
+	if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid match name \"%s\" (%u chars max)",
-			   name, XT_FUNCTION_MAXNAMELEN - 1);
+			   name, XT_EXTENSION_MAXNAMELEN - 1);
 
 	/* This is ugly as hell. Nonetheless, there is no way of changing
 	 * this without hurting backwards compatibility */
@@ -741,8 +741,7 @@ void xtables_register_match(struct xtables_match *me)
 		exit(1);
 	}
 
-	/* Revision field stole a char from name. */
-	if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
+	if (strlen(me->name) >= XT_EXTENSION_MAXNAMELEN) {
 		fprintf(stderr, "%s: target `%s' has invalid name\n",
 			xt_params->program_name, me->name);
 		exit(1);
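Review bot: The fprintf format string in xtables_register_match still says `target`, so an over-long match name is reported as a target; since the check is being rewritten anyway, change that word to `match`. Unlike the xtables_error() callers touched elsewhere in this patch, the message also omits the limit; appending `(%u chars max)` with `XT_EXTENSION_MAXNAMELEN - 1` would make the diagnostics consistent. The function body starts and ends outside the hunk.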
@@ -827,8 +826,7 @@ void xtables_register_target(struct xtables_target *me)
 		exit(1);
 	}
 
-	/* Revision field stole a char from name. */
-	if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
+	if (strlen(me->name) >= XT_EXTENSION_MAXNAMELEN) {
 		fprintf(stderr, "%s: target `%s' has invalid name\n",
 			xt_params->program_name, me->name);
 		exit(1);
-- 
1.7.1



* [PATCH 3/3] xtables: remove xtables_set_revision function
  2010-06-24  8:14 iptables: headers, chain length Jan Engelhardt
  2010-06-24  8:14 ` [PATCH 1/3] includes: sync header files from Linux 2.6.35-rc1 Jan Engelhardt
  2010-06-24  8:14 ` [PATCH 2/3] xtables: another try at chain name length checking Jan Engelhardt
@ 2010-06-24  8:14 ` Jan Engelhardt
  2010-06-24 15:01 ` iptables: headers, chain length Patrick McHardy
  3 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2010-06-24  8:14 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Since iptables uses its own copies of the header files anyway, where the
revision field is exposed, there is no reason to access name[] beyond its
size.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 configure.ac         |    2 +-
 include/xtables.h.in |    1 -
 ip6tables.c          |    8 +++-----
 iptables.c           |   11 ++++-------
 xtables.c            |    8 --------
 5 files changed, 8 insertions(+), 22 deletions(-)

diff --git a/configure.ac b/configure.ac
index ba723bf..dd74a89 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@
 AC_INIT([iptables], [1.4.8])
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=4
+libxtables_vcurrent=5
 libxtables_vage=0
 
 AC_CONFIG_HEADERS([config.h])
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 788ad7d..2d7df32 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -216,7 +216,6 @@ extern void *xtables_realloc(void *, size_t);
 extern int xtables_insmod(const char *, const char *, bool);
 extern int xtables_load_ko(const char *, bool);
 extern int xtables_set_params(struct xtables_globals *xtp);
-extern void xtables_set_revision(char *name, u_int8_t revision);
 extern void xtables_free_opts(int reset_offset);
 extern struct option *xtables_merge_options(struct option *oldopts,
 	const struct option *newopts, unsigned int *option_offset);
diff --git a/ip6tables.c b/ip6tables.c
index 2fff21b..6c5d124 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1558,8 +1558,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 				target->t = xtables_calloc(1, size);
 				target->t->u.target_size = size;
 				strcpy(target->t->u.user.name, jumpto);
-				xtables_set_revision(target->t->u.user.name,
-					     target->revision);
+				target->t->u.user.revision = target->revision;
 				if (target->init != NULL)
 					target->init(target->t);
 				opts = xtables_merge_options(opts,
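Review bot: The `strcpy(target->t->u.user.name, jumpto)` directly above the new assignment is unbounded, and with xtables_set_revision() gone nothing at this site forces a terminator into `name[]` any more. The 29-byte field is therefore protected only by length checks made elsewhere (parse_target and xtables_register_match/target in patch 2/3), and whether every path to this line passes through them is not visible from the hunk. An explicit check that errors out, or a bounded copy such as `snprintf(target->t->u.user.name, sizeof(target->t->u.user.name), "%s", jumpto);`, would make the site safe on its own; at minimum add a comment naming the invariant. The same pattern appears in the other do_command6 hunks and in the four do_command hunks in iptables.c, with `m->name` for matches.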
@@ -1611,7 +1610,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			m->m = xtables_calloc(1, size);
 			m->m->u.match_size = size;
 			strcpy(m->m->u.user.name, m->name);
-			xtables_set_revision(m->m->u.user.name, m->revision);
+			m->m->u.user.revision = m->revision;
 			if (m->init != NULL)
 				m->init(m->m);
 			if (m != m->next)
@@ -1759,8 +1758,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 					m->m = xtables_calloc(1, size);
 					m->m->u.match_size = size;
 					strcpy(m->m->u.user.name, m->name);
-					xtables_set_revision(m->m->u.user.name,
-						     m->revision);
+					m->m->u.user.revision = m->revision;
 					if (m->init != NULL)
 						m->init(m->m);
 
diff --git a/iptables.c b/iptables.c
index efe993e..19f6d4f 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1573,8 +1573,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 				target->t = xtables_calloc(1, size);
 				target->t->u.target_size = size;
 				strcpy(target->t->u.user.name, jumpto);
-				xtables_set_revision(target->t->u.user.name,
-					     target->revision);
+				target->t->u.user.revision = target->revision;
 				if (target->init != NULL)
 					target->init(target->t);
 				opts = xtables_merge_options(opts,
@@ -1632,7 +1631,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 			m->m = xtables_calloc(1, size);
 			m->m->u.match_size = size;
 			strcpy(m->m->u.user.name, m->name);
-			xtables_set_revision(m->m->u.user.name, m->revision);
+			m->m->u.user.revision = m->revision;
 			if (m->init != NULL)
 				m->init(m->m);
 			if (m != m->next) {
@@ -1787,8 +1786,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 					m->m = xtables_calloc(1, size);
 					m->m->u.match_size = size;
 					strcpy(m->m->u.user.name, m->name);
-					xtables_set_revision(m->m->u.user.name,
-						     m->revision);
+					m->m->u.user.revision = m->revision;
 					if (m->init != NULL)
 						m->init(m->m);
 
@@ -1947,8 +1945,7 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 			target->t->u.target_size = size;
 			strcpy(target->t->u.user.name, jumpto);
 			if (!iptc_is_chain(jumpto, *handle))
-				xtables_set_revision(target->t->u.user.name,
-					     target->revision);
+				target->t->u.user.revision = target->revision;
 			if (target->init != NULL)
 				target->init(target->t);
 		}
diff --git a/xtables.c b/xtables.c
index b4c4f6b..ed082f3 100644
--- a/xtables.c
+++ b/xtables.c
@@ -114,14 +114,6 @@ struct option *xtables_merge_options(struct option *oldopts,
 	return merge;
 }
 
-void xtables_set_revision(char *name, u_int8_t revision)
-{
-	/* Old kernel sources don't have ".revision" field,
-	*            but we stole a byte from name. */
-	name[XT_FUNCTION_MAXNAMELEN - 2] = '\0';
-	name[XT_FUNCTION_MAXNAMELEN - 1] = revision;
-}
-
 /**
  * xtables_afinfo - protocol family dependent information
  * @kmod:		kernel module basename (e.g. "ip_tables")
-- 
1.7.1



* Re: iptables: headers, chain length
  2010-06-24  8:14 iptables: headers, chain length Jan Engelhardt
                   ` (2 preceding siblings ...)
  2010-06-24  8:14 ` [PATCH 3/3] xtables: remove xtables_set_revision function Jan Engelhardt
@ 2010-06-24 15:01 ` Patrick McHardy
  3 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2010-06-24 15:01 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> The following changes since commit d40f1628c3717daebc437a398a285e371b5b6f7f:
>
>   libxt_set: new revision added (2010-06-16 12:45:33 +0200)
>
> are available in the git repository at:
>   git://dev.medozas.de/iptables master
>
> Jan Engelhardt (3):
>       includes: sync header files from Linux 2.6.35-rc1
>       xtables: another try at chain name length checking
>       xtables: remove xtables_set_revision function

Pulled, thanks Jan.
