* iptables: misc option edits
@ 2011-02-19 19:04 Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 1/8] doc: fix wrong sentence about negation in xt_limit Jan Engelhardt
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


Please review! (And if ok, merge.)

===

The following changes since commit 87dc7c4c842deb1e2e3d38089ffcad9f238d98de:

  xtables: use strspn() to check if string needs to be quoted (2011-02-17 11:57:19 +0100)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (8):
      doc: fix wrong sentence about negation in xt_limit
      doc: fix misspelling of "field"
      extensions: remove redundant init functions
      Remove unused CVS expanded keywords
      libip6t_dst: remove unimplemented --dst-not-strict
      libip6t_hbh: remove unimplemented --hbh-not-strict
      extensions: add missing checks for specific flags
      libipt_ECN: set proper option flags

 extensions/libip6t_ah.c         |    4 +---
 extensions/libip6t_dst.c        |   29 -----------------------------
 extensions/libip6t_frag.c       |    6 +-----
 extensions/libip6t_hbh.c        |   25 -------------------------
 extensions/libip6t_ipv6header.c |   10 ----------
 extensions/libip6t_rt.c         |    8 +-------
 extensions/libipt_DNAT.c        |    2 +-
 extensions/libipt_ECN.c         |    6 ++----
 extensions/libipt_SAME.c        |   12 ------------
 extensions/libipt_TTL.c         |    2 --
 extensions/libipt_ttl.c         |    2 --
 extensions/libxt_NFLOG.c        |    1 -
 extensions/libxt_RATEEST.c      |    8 --------
 extensions/libxt_TCPOPTSTRIP.c  |    9 ---------
 extensions/libxt_dccp.c         |    8 --------
 extensions/libxt_hashlimit.c    |    1 -
 extensions/libxt_limit.man      |    7 +++++--
 extensions/libxt_osf.c          |    2 +-
 extensions/libxt_sctp.c         |    2 --
 extensions/libxt_string.c       |    3 +--
 ip6tables-restore.c             |    2 --
 iptables-restore.c              |    2 --
 iptables-xml.c                  |    2 --
 libipq/ipq_create_handle.3      |    2 --
 libipq/ipq_errstr.3             |    2 --
 libipq/ipq_message_type.3       |    2 --
 libipq/ipq_read.3               |    2 --
 libipq/ipq_set_mode.3           |    2 --
 libipq/ipq_set_verdict.3        |    2 --
 libipq/libipq.3                 |    2 --
 30 files changed, 13 insertions(+), 154 deletions(-)


* [PATCH 1/8] doc: fix wrong sentence about negation in xt_limit
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 2/8] doc: fix misspelling of "field" Jan Engelhardt
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

This is an update to commit v1.4.7~6.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_limit.man |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_limit.man b/extensions/libxt_limit.man
index 9f51ce3..6fb94cc 100644
--- a/extensions/libxt_limit.man
+++ b/extensions/libxt_limit.man
@@ -1,8 +1,11 @@
 This module matches at a limited rate using a token bucket filter.
-A rule using this extension will match until this limit is reached
-(unless the `!' flag is used).  It can be used in combination with the
+A rule using this extension will match until this limit is reached.
+It can be used in combination with the
 .B LOG
 target to give limited logging, for example.
+.PP
+xt_limit has no negation support - you will have to use \-m hashlimit !
+\-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode.
 .TP
 \fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
 Maximum average matching rate: specified as a number, with an optional
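Review bot: The added paragraph sets the hashlimit options in plain roman, while the \-\-limit entry directly below uses \fB...\fP for option names; wrap \-m hashlimit, \-\-hashlimit and \-\-hashlimit\-mode in \fB...\fP so the rendered page is consistent. roff also treats a source line ending in "!" as the end of a sentence and may add extra space after it, which detaches the negation marker from \-\-hashlimit in the output; keeping "! \-\-hashlimit \fIrate\fP" together on one source line avoids that. The bare " - " after "negation support" would read better as a semicolon.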
-- 
1.7.1



* [PATCH 2/8] doc: fix misspelling of "field"
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 1/8] doc: fix wrong sentence about negation in xt_limit Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 3/8] extensions: remove redundant init functions Jan Engelhardt
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_ah.c   |    2 +-
 extensions/libip6t_frag.c |    2 +-
 extensions/libip6t_rt.c   |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index 693a4f8..5fa0d2d 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -15,7 +15,7 @@ static void ah_help(void)
 "ah match options:\n"
 "[!] --ahspi spi[:spi]          match spi (range)\n"
 "[!] --ahlen length             total length of this header\n"
-" --ahres                       check the reserved filed, too\n");
+" --ahres                       check the reserved field too\n");
 }
 
 static const struct option ah_opts[] = {
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index ed13c1f..ac9bd2e 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -15,7 +15,7 @@ static void frag_help(void)
 "frag match options:\n"
 "[!] --fragid id[:id]           match the id (range)\n"
 "[!] --fraglen length           total length of this header\n"
-" --fragres                     check the reserved filed, too\n"
+" --fragres                     check the reserved field too\n"
 " --fragfirst                   matches on the first fragment\n"
 " [--fragmore|--fraglast]       there are more fragments or this\n"
 "                               is the last one\n");
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index bd2da59..ec492c1 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -22,7 +22,7 @@ static void rt_help(void)
 "[!] --rt-type type             match the type\n"
 "[!] --rt-segsleft num[:num]    match the Segments Left field (range)\n"
 "[!] --rt-len length            total length of this header\n"
-" --rt-0-res                    check the reserved filed, too (type 0)\n"
+" --rt-0-res                    check the reserved field too (type 0)\n"
 " --rt-0-addrs ADDR[,ADDR...]   Type=0 addresses (list, max: %d)\n"
 " --rt-0-not-strict             List of Type=0 addresses not a strict list\n",
 IP6T_RT_HOPS);
-- 
1.7.1



* [PATCH 3/8] extensions: remove redundant init functions
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 1/8] doc: fix wrong sentence about negation in xt_limit Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 2/8] doc: fix misspelling of "field" Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 4/8] Remove unused CVS expanded keywords Jan Engelhardt
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

The main program already zeroes the per-extension data block.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_ah.c         |    2 --
 extensions/libip6t_dst.c        |   11 -----------
 extensions/libip6t_frag.c       |    4 ----
 extensions/libip6t_hbh.c        |   11 -----------
 extensions/libip6t_ipv6header.c |   10 ----------
 extensions/libip6t_rt.c         |    6 ------
 extensions/libipt_SAME.c        |   12 ------------
 extensions/libxt_NFLOG.c        |    1 -
 extensions/libxt_RATEEST.c      |    8 --------
 extensions/libxt_TCPOPTSTRIP.c  |    9 ---------
 extensions/libxt_dccp.c         |    8 --------
 extensions/libxt_hashlimit.c    |    1 -
 extensions/libxt_sctp.c         |    2 --
 extensions/libxt_string.c       |    3 +--
 14 files changed, 1 insertions(+), 87 deletions(-)

diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index 5fa0d2d..2922047 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -73,8 +73,6 @@ static void ah_init(struct xt_entry_match *m)
 	struct ip6t_ah *ahinfo = (struct ip6t_ah *)m->data;
 
 	ahinfo->spis[1] = 0xFFFFFFFF;
-	ahinfo->hdrlen = 0;
-	ahinfo->hdrres = 0;
 }
 
 static int ah_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 3ba804f..8b656a6 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -106,16 +106,6 @@ parse_options(const char *optsstr, uint16_t *opts)
 	return i;
 }
 
-static void dst_init(struct xt_entry_match *m)
-{
-	struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
-
-	optinfo->hdrlen = 0;
-	optinfo->flags = 0;
-	optinfo->invflags = 0;
-	optinfo->optsnr = 0;
-}
-
 static int dst_parse(int c, char **argv, int invert, unsigned int *flags,
                      const void *entry, struct xt_entry_match **match)
 {
@@ -227,7 +217,6 @@ static struct xtables_match dst_mt6_reg = {
 	.size          = XT_ALIGN(sizeof(struct ip6t_opts)),
 	.userspacesize = XT_ALIGN(sizeof(struct ip6t_opts)),
 	.help          = dst_help,
-	.init          = dst_init,
 	.parse         = dst_parse,
 	.print         = dst_print,
 	.save          = dst_save,
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index ac9bd2e..19aca4c 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -78,11 +78,7 @@ static void frag_init(struct xt_entry_match *m)
 {
 	struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
 
-	fraginfo->ids[0] = 0x0L;
 	fraginfo->ids[1] = 0xFFFFFFFF;
-	fraginfo->hdrlen = 0;
-	fraginfo->flags = 0;
-	fraginfo->invflags = 0;
 }
 
 static int frag_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index e51569e..9eb504e 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -100,16 +100,6 @@ parse_options(const char *optsstr, uint16_t *opts)
 	return i;
 }
 
-static void hbh_init(struct xt_entry_match *m)
-{
-	struct ip6t_opts *optinfo = (struct ip6t_opts *)m->data;
-
-	optinfo->hdrlen = 0;
-	optinfo->flags = 0;
-	optinfo->invflags = 0;
-	optinfo->optsnr = 0;
-}
-
 static int hbh_parse(int c, char **argv, int invert, unsigned int *flags,
                      const void *entry, struct xt_entry_match **match)
 {
@@ -211,7 +201,6 @@ static struct xtables_match hbh_mt6_reg = {
 	.size		= XT_ALIGN(sizeof(struct ip6t_opts)),
 	.userspacesize	= XT_ALIGN(sizeof(struct ip6t_opts)),
 	.help		= hbh_help,
-	.init		= hbh_init,
 	.parse		= hbh_parse,
 	.print		= hbh_print,
 	.save		= hbh_save,
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index da832e2..187e0a4 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -146,15 +146,6 @@ static const struct option ipv6header_opts[] = {
 	XT_GETOPT_TABLEEND,
 };
 
-static void ipv6header_init(struct xt_entry_match *m)
-{
-	struct ip6t_ipv6header_info *info = (struct ip6t_ipv6header_info *)m->data;
-
-	info->matchflags = 0x00;
-	info->invflags = 0x00;
-	info->modeflag = 0x00;
-}
-
 static unsigned int
 parse_header(const char *flags) {
         unsigned int ret = 0;
@@ -273,7 +264,6 @@ static struct xtables_match ipv6header_mt6_reg = {
 	.size		= XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct ip6t_ipv6header_info)),
 	.help		= ipv6header_help,
-	.init		= ipv6header_init,
 	.parse		= ipv6header_parse,
 	.final_check	= ipv6header_check,
 	.print		= ipv6header_print,
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index ec492c1..333350d 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -140,13 +140,7 @@ static void rt_init(struct xt_entry_match *m)
 {
 	struct ip6t_rt *rtinfo = (struct ip6t_rt *)m->data;
 
-	rtinfo->rt_type = 0x0L;
-	rtinfo->segsleft[0] = 0x0L;
 	rtinfo->segsleft[1] = 0xFFFFFFFF;
-	rtinfo->hdrlen = 0;
-	rtinfo->flags = 0;
-	rtinfo->invflags = 0;
-	rtinfo->addrnr = 0;
 }
 
 static int rt_parse(int c, char **argv, int invert, unsigned int *flags,
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index 9c548f5..b18351e 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -32,17 +32,6 @@ static const struct option SAME_opts[] = {
 	XT_GETOPT_TABLEEND,
 };
 
-static void SAME_init(struct xt_entry_target *t)
-{
-	struct ipt_same_info *mr = (struct ipt_same_info *)t->data;
-
-	/* Set default to 0 */
-	mr->rangesize = 0;
-	mr->info = 0;
-	mr->ipnum = 0;
-	
-}
-
 /* Parses range of IPs */
 static void
 parse_to(char *arg, struct nf_nat_range *range)
@@ -197,7 +186,6 @@ static struct xtables_target same_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct ipt_same_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct ipt_same_info)),
 	.help		= SAME_help,
-	.init		= SAME_init,
 	.parse		= SAME_parse,
 	.final_check	= SAME_check,
 	.print		= SAME_print,
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index b4fdc48..61c9741 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -36,7 +36,6 @@ static void NFLOG_init(struct xt_entry_target *t)
 {
 	struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
 
-	info->group	= 0;
 	info->threshold	= XT_NFLOG_DEFAULT_THRESHOLD;
 }
 
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index eb3cdd9..6369e9e 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -82,13 +82,6 @@ RATEEST_print_time(unsigned int time)
 		printf(" %uus", time);
 }
 
-static void
-RATEEST_init(struct xt_entry_target *target)
-{
-	interval = 0;
-	ewma_log = 0;
-}
-
 static int
 RATEEST_parse(int c, char **argv, int invert, unsigned int *flags,
 	      const void *entry, struct xt_entry_target **target)
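Review bot: In the removed RATEEST_init(), interval and ewma_log are assigned directly rather than through target->data, so they are not part of the per-extension data block that the commit message says the main program already zeroes. If they are file-scope variables, dropping this reset lets values parsed for one rule carry over into the next rule handled by the same process (for example under iptables-restore). Either keep the init function for these two variables or move them into per-rule state before removing it.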
@@ -206,7 +199,6 @@ static struct xtables_target rateest_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct xt_rateest_target_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_rateest_target_info)),
 	.help		= RATEEST_help,
-	.init		= RATEEST_init,
 	.parse		= RATEEST_parse,
 	.final_check	= RATEEST_final_check,
 	.print		= RATEEST_print,
diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c
index 34f3562..338a311 100644
--- a/extensions/libxt_TCPOPTSTRIP.c
+++ b/extensions/libxt_TCPOPTSTRIP.c
@@ -56,14 +56,6 @@ static void tcpoptstrip_tg_help(void)
 		printf("    %-14s    strip \"%s\" option\n", w->name, w->desc);
 }
 
-static void tcpoptstrip_tg_init(struct xt_entry_target *t)
-{
-	struct xt_tcpoptstrip_target_info *info = (void *)t->data;
-
-	/* strictly necessary? play safe for now. */
-	memset(info->strip_bmap, 0, sizeof(info->strip_bmap));
-}
-
 static void parse_list(struct xt_tcpoptstrip_target_info *info, char *arg)
 {
 	unsigned int option;
@@ -184,7 +176,6 @@ static struct xtables_target tcpoptstrip_tg_reg = {
 	.size          = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)),
 	.help          = tcpoptstrip_tg_help,
-	.init          = tcpoptstrip_tg_init,
 	.parse         = tcpoptstrip_tg_parse,
 	.final_check   = tcpoptstrip_tg_check,
 	.print         = tcpoptstrip_tg_print,
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index 3b2dc6b..ee8e009 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -26,13 +26,6 @@
 #define DEBUGP(format, fist...) 
 #endif
 
-static void dccp_init(struct xt_entry_match *m)
-{
-	struct xt_dccp_info *einfo = (struct xt_dccp_info *)m->data;
-
-	memset(einfo, 0, sizeof(struct xt_dccp_info));
-}
-
 static void dccp_help(void)
 {
 	printf(
@@ -340,7 +333,6 @@ static struct xtables_match dccp_match = {
 	.size		= XT_ALIGN(sizeof(struct xt_dccp_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_dccp_info)),
 	.help		= dccp_help,
-	.init		= dccp_init,
 	.parse		= dccp_parse,
 	.print		= dccp_print,
 	.save		= dccp_save,
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index d766987..cd057c5 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -134,7 +134,6 @@ static void hashlimit_init(struct xt_entry_match *m)
 {
 	struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data;
 
-	r->cfg.mode = 0;
 	r->cfg.burst = XT_HASHLIMIT_BURST;
 	r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
 	r->cfg.expire = XT_HASHLIMIT_EXPIRE;
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 718d4c4..d3379d3 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -35,8 +35,6 @@ static void sctp_init(struct xt_entry_match *m)
 	int i;
 	struct xt_sctp_info *einfo = (struct xt_sctp_info *)m->data;
 
-	memset(einfo, 0, sizeof(struct xt_sctp_info));
-
 	for (i = 0; i < XT_NUM_SCTP_FLAGS; i++) {
 		einfo->flag_info[i].chunktype = -1;
 	}
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 4f75757..1030d2e 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -58,8 +58,7 @@ static void string_init(struct xt_entry_match *m)
 {
 	struct xt_string_info *i = (struct xt_string_info *) m->data;
 
-	if (i->to_offset == 0)
-		i->to_offset = UINT16_MAX;
+	i->to_offset = UINT16_MAX;
 }
 
 static void
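Review bot: Making the to_offset assignment in string_init() unconditional is only equivalent to the old code if the function never runs on a block that already holds a user-supplied to_offset, which is what the removed "if (i->to_offset == 0)" guard protected against. This is a behaviour change rather than a removal of redundant zeroing, so the commit message should state that init always runs on a freshly zeroed block before any option is parsed.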
-- 
1.7.1



* [PATCH 4/8] Remove unused CVS expanded keywords
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
                   ` (2 preceding siblings ...)
  2011-02-19 19:04 ` [PATCH 3/8] extensions: remove redundant init functions Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 5/8] libip6t_dst: remove unimplemented --dst-not-strict Jan Engelhardt
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_ECN.c    |    2 --
 extensions/libipt_TTL.c    |    2 --
 extensions/libipt_ttl.c    |    2 --
 ip6tables-restore.c        |    2 --
 iptables-restore.c         |    2 --
 iptables-xml.c             |    2 --
 libipq/ipq_create_handle.3 |    2 --
 libipq/ipq_errstr.3        |    2 --
 libipq/ipq_message_type.3  |    2 --
 libipq/ipq_read.3          |    2 --
 libipq/ipq_set_mode.3      |    2 --
 libipq/ipq_set_verdict.3   |    2 --
 libipq/libipq.3            |    2 --
 13 files changed, 0 insertions(+), 26 deletions(-)

diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 216a996..6bfc1b3 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -5,8 +5,6 @@
  * This program is distributed under the terms of GNU GPL v2, 1991
  *
  * libipt_ECN.c borrowed heavily from libipt_DSCP.c
- *
- * $Id$
  */
 #include <stdbool.h>
 #include <stdio.h>
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index f13d9c3..c2518f8 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -1,8 +1,6 @@
 /* Shared library add-on to iptables for the TTL target
  * (C) 2000 by Harald Welte <laforge@gnumonks.org>
  *
- * $Id$
- *
  * This program is distributed under the terms of GNU GPL
  */
 #include <stdbool.h>
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index 07fa3c4..d10eb80 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -1,8 +1,6 @@
 /* Shared library add-on to iptables to add TTL matching support 
  * (C) 2000 by Harald Welte <laforge@gnumonks.org>
  *
- * $Id$
- *
  * This program is released under the terms of GNU GPL */
 #include <stdbool.h>
 #include <stdio.h>
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 44a051f..e9a130f 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -6,8 +6,6 @@
  *      Harald Welte <laforge@gnumonks.org>
  *      Rusty Russell <rusty@linuxcare.com.au>
  * This code is distributed under the terms of GNU GPL v2
- *
- * $Id$
  */
 
 #include <getopt.h>
diff --git a/iptables-restore.c b/iptables-restore.c
index e2d1859..31ce52b 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -3,8 +3,6 @@
  * based on previous code from Rusty Russell <rusty@linuxcare.com.au>
  *
  * This code is distributed under the terms of GNU GPL v2
- *
- * $Id$
  */
 
 #include <getopt.h>
diff --git a/iptables-xml.c b/iptables-xml.c
index 32d996a..8d67056 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -4,8 +4,6 @@
  * based on previous code from Rusty Russell <rusty@linuxcare.com.au>
  *
  * This code is distributed under the terms of GNU GPL v2
- *
- * $Id: iptables-xml.c,v 1.4 2006/11/09 12:02:17 azez Exp $
  */
 
 #include <getopt.h>
diff --git a/libipq/ipq_create_handle.3 b/libipq/ipq_create_handle.3
index 6c0c796..11ef95c 100644
--- a/libipq/ipq_create_handle.3
+++ b/libipq/ipq_create_handle.3
@@ -1,7 +1,5 @@
 .TH IPQ_CREATE_HANDLE 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-\" $Id: ipq_create_handle.3,v 1.2 2001/10/16 14:41:02 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000-2001 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
diff --git a/libipq/ipq_errstr.3 b/libipq/ipq_errstr.3
index bcb3ac4..c8d67ce 100644
--- a/libipq/ipq_errstr.3
+++ b/libipq/ipq_errstr.3
@@ -1,7 +1,5 @@
 .TH IPQ_ERRSTR 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-.\" $Id: ipq_errstr.3,v 1.1 2000/11/20 14:13:32 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
diff --git a/libipq/ipq_message_type.3 b/libipq/ipq_message_type.3
index 64b5220..89d8817 100644
--- a/libipq/ipq_message_type.3
+++ b/libipq/ipq_message_type.3
@@ -1,7 +1,5 @@
 .TH IPQ_MESSAGE_TYPE 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-.\" $Id: ipq_message_type.3,v 1.1 2000/11/20 14:13:32 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000-2001 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
diff --git a/libipq/ipq_read.3 b/libipq/ipq_read.3
index 171c916..26ab9f9 100644
--- a/libipq/ipq_read.3
+++ b/libipq/ipq_read.3
@@ -1,7 +1,5 @@
 .TH IPQ_READ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-.\" $Id: ipq_read.3,v 1.2 2001/10/16 14:41:02 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000-2001 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
diff --git a/libipq/ipq_set_mode.3 b/libipq/ipq_set_mode.3
index 672ee4e..0edd3c0 100644
--- a/libipq/ipq_set_mode.3
+++ b/libipq/ipq_set_mode.3
@@ -1,7 +1,5 @@
 .TH IPQ_SET_MODE 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-.\" $Id: ipq_set_mode.3,v 1.1 2000/11/20 14:13:32 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000-2001 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
diff --git a/libipq/ipq_set_verdict.3 b/libipq/ipq_set_verdict.3
index e9d3d3f..7771ed6 100644
--- a/libipq/ipq_set_verdict.3
+++ b/libipq/ipq_set_verdict.3
@@ -1,7 +1,5 @@
 .TH IPQ_SET_VERDICT 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-.\" $Id: ipq_set_verdict.3,v 1.1 2000/11/20 14:13:32 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000-2001 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
diff --git a/libipq/libipq.3 b/libipq/libipq.3
index 0196248..611fcdf 100644
--- a/libipq/libipq.3
+++ b/libipq/libipq.3
@@ -1,7 +1,5 @@
 .TH LIBIPQ 3 "16 October 2001" "Linux iptables 1.2" "Linux Programmer's Manual" 
 .\"
-.\" $Id: libipq.3,v 1.4 2001/10/16 16:58:25 jamesm Exp $
-.\"
 .\"     Copyright (c) 2000-2001 Netfilter Core Team
 .\"
 .\"     This program is free software; you can redistribute it and/or modify
-- 
1.7.1



* [PATCH 5/8] libip6t_dst: remove unimplemented --dst-not-strict
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
                   ` (3 preceding siblings ...)
  2011-02-19 19:04 ` [PATCH 4/8] Remove unused CVS expanded keywords Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 6/8] libip6t_hbh: remove unimplemented --hbh-not-strict Jan Engelhardt
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

This was never ever implemented in the kernel, so just remove it.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_dst.c |   18 ------------------
 1 files changed, 0 insertions(+), 18 deletions(-)

diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index 8b656a6..74f6029 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -25,7 +25,6 @@ IP6T_OPTS_OPTSNR);
 static const struct option dst_opts[] = {
 	{.name = "dst-len",        .has_arg = true, .val = '1'},
 	{.name = "dst-opts",       .has_arg = true, .val = '2'},
-	{.name = "dst-not-strict", .has_arg = true, .val = '3'},
 	XT_GETOPT_TABLEEND,
 };
 
@@ -135,17 +134,6 @@ static int dst_parse(int c, char **argv, int invert, unsigned int *flags,
 		optinfo->flags |= IP6T_OPTS_OPTS;
 		*flags |= IP6T_OPTS_OPTS;
 		break;
-	case '3':
-		if (*flags & IP6T_OPTS_NSTRICT)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--dst-not-strict' allowed");
-		if ( !(*flags & IP6T_OPTS_OPTS) )
-			xtables_error(PARAMETER_PROBLEM,
-				   "`--dst-opts ...' required before "
-				   "`--dst-not-strict'");
-		optinfo->flags |= IP6T_OPTS_NSTRICT;
-		*flags |= IP6T_OPTS_NSTRICT;
-		break;
 	}
 
 	return 1;
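Review bot: Dropping case '3' together with the dst_opts entry turns --dst-not-strict into a hard parse error, so saved rule sets or scripts that still carry the option will stop loading even though it had no effect in the kernel. Consider accepting the option for a transition period with a warning that it is ignored, or at least stating the incompatibility in the commit message. The removed table entry declared .has_arg = true although the removed case never read an argument, which is worth mentioning as further evidence that the option was not usable as documented.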
@@ -183,9 +171,6 @@ static void dst_print(const void *ip, const struct xt_entry_match *match,
 
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
 
-	if (optinfo->flags & IP6T_OPTS_NSTRICT)
-		printf(" not-strict");
-
 	if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
 		printf(" Unknown invflags: 0x%X",
 		       optinfo->invflags & ~IP6T_OPTS_INV_MASK);
@@ -205,9 +190,6 @@ static void dst_save(const void *ip, const struct xt_entry_match *match)
 		printf(" --dst-opts");
 
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
-
-	if (optinfo->flags & IP6T_OPTS_NSTRICT)
-		printf(" --dst-not-strict");
 }
 
 static struct xtables_match dst_mt6_reg = {
-- 
1.7.1



* [PATCH 6/8] libip6t_hbh: remove unimplemented --hbh-not-strict
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
                   ` (4 preceding siblings ...)
  2011-02-19 19:04 ` [PATCH 5/8] libip6t_dst: remove unimplemented --dst-not-strict Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 7/8] extensions: add missing checks for specific flags Jan Engelhardt
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Same as with ip6t_dst.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_hbh.c |   14 --------------
 1 files changed, 0 insertions(+), 14 deletions(-)

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 9eb504e..b6a8e46 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -27,7 +27,6 @@ IP6T_OPTS_OPTSNR);
 static const struct option hbh_opts[] = {
 	{.name = "hbh-len",        .has_arg = true, .val = '1'},
 	{.name = "hbh-opts",       .has_arg = true, .val = '2'},
-	{.name = "hbh-not-strict", .has_arg = true, .val = '3'},
 	XT_GETOPT_TABLEEND,
 };
 
@@ -129,16 +128,6 @@ static int hbh_parse(int c, char **argv, int invert, unsigned int *flags,
 		optinfo->flags |= IP6T_OPTS_OPTS;
 		*flags |= IP6T_OPTS_OPTS;
 		break;
-	case '3':
-		if (*flags & IP6T_OPTS_NSTRICT)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--hbh-not-strict' allowed");
-		if ( !(*flags & IP6T_OPTS_OPTS) )
-			xtables_error(PARAMETER_PROBLEM,
-				   "`--hbh-opts ...' required before `--hbh-not-strict'");
-		optinfo->flags |= IP6T_OPTS_NSTRICT;
-		*flags |= IP6T_OPTS_NSTRICT;
-		break;
 	}
 
 	return 1;
@@ -171,7 +160,6 @@ static void hbh_print(const void *ip, const struct xt_entry_match *match,
 	}
 	if (optinfo->flags & IP6T_OPTS_OPTS) printf(" opts");
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
-	if (optinfo->flags & IP6T_OPTS_NSTRICT) printf(" not-strict");
 	if (optinfo->invflags & ~IP6T_OPTS_INV_MASK)
 		printf(" Unknown invflags: 0x%X",
 		       optinfo->invflags & ~IP6T_OPTS_INV_MASK);
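Review bot: After this removal hbh_print() is silent when optinfo->flags still has IP6T_OPTS_NSTRICT set, for instance in a rule inserted by an older binary, so the listing no longer reflects what is stored in the rule. The invflags check directly below already reports unexpected bits with "Unknown invflags"; an analogous report for unrecognised bits in optinfo->flags would keep such rules visible to whoever audits the rule set.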
@@ -190,8 +178,6 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match)
 	if (optinfo->flags & IP6T_OPTS_OPTS)
 		printf(" --hbh-opts");
 	print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
-	if (optinfo->flags & IP6T_OPTS_NSTRICT)
-		printf(" --hbh-not-strict");
 }
 
 static struct xtables_match hbh_mt6_reg = {
-- 
1.7.1



* [PATCH 7/8] extensions: add missing checks for specific flags
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
                   ` (5 preceding siblings ...)
  2011-02-19 19:04 ` [PATCH 6/8] libip6t_hbh: remove unimplemented --hbh-not-strict Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-19 19:04 ` [PATCH 8/8] libipt_ECN: set proper option flags Jan Engelhardt
  2011-02-23 16:40 ` iptables: misc option edits Patrick McHardy
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

With "!flags", any option will be accepted. The extensions however
want one very specific option to be used (or wrong help text).

Commits: DNAT: v1.3.8~23, osf: v1.4.6~3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_DNAT.c |    2 +-
 extensions/libipt_ECN.c  |    2 +-
 extensions/libxt_osf.c   |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 34d3777..49c74e1 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -190,7 +190,7 @@ static int DNAT_parse(int c, char **argv, int invert, unsigned int *flags,
 
 static void DNAT_check(unsigned int flags)
 {
-	if (!flags)
+	if (!(flags & IPT_DNAT_OPT_DEST))
 		xtables_error(PARAMETER_PROBLEM,
 			   "You must specify --to-destination");
 }
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 6bfc1b3..e1f29b6 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -97,7 +97,7 @@ static void ECN_check(unsigned int flags)
 {
 	if (!flags)
 		xtables_error(PARAMETER_PROBLEM,
-		           "ECN target: Parameter --ecn-tcp-remove is required");
+		           "ECN target: An operation is required");
 }
 
 static void ECN_print(const void *ip, const struct xt_entry_target *target,
diff --git a/extensions/libxt_osf.c b/extensions/libxt_osf.c
index a97884b..20acfea 100644
--- a/extensions/libxt_osf.c
+++ b/extensions/libxt_osf.c
@@ -114,7 +114,7 @@ static int osf_parse(int c, char **argv, int invert, unsigned int *flags,
 
 static void osf_final_check(unsigned int flags)
 {
-	if (!flags)
+	if (!(flags & XT_OSF_GENRE))
 		xtables_error(PARAMETER_PROBLEM,
 			      "OS fingerprint match: You must specify `--genre'");
 }
-- 
1.7.1



* [PATCH 8/8] libipt_ECN: set proper option flags
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
                   ` (6 preceding siblings ...)
  2011-02-19 19:04 ` [PATCH 7/8] extensions: add missing checks for specific flags Jan Engelhardt
@ 2011-02-19 19:04 ` Jan Engelhardt
  2011-02-23 16:40 ` iptables: misc option edits Patrick McHardy
  8 siblings, 0 replies; 10+ messages in thread
From: Jan Engelhardt @ 2011-02-19 19:04 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

When specifying --ecn-tcp-remove, *flags will be set to 1, which leads
to the ECN bits being removed from the IPv4 header, but in fact not
the TCP header.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_ECN.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index e1f29b6..2aa1a00 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -53,7 +53,7 @@ static int ECN_parse(int c, char **argv, int invert, unsigned int *flags,
 		einfo->operation = IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR;
 		einfo->proto.tcp.ece = 0;
 		einfo->proto.tcp.cwr = 0;
-		*flags = 1;
+		*flags |= IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR;
 		break;
 	case 'G':
 		if (*flags & IPT_ECN_OP_SET_CWR)
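Review bot: The new assignment ORs operation constants (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) into *flags, so the option-flag word and einfo->operation now share one bit namespace; that is what makes the "*flags & IPT_ECN_OP_SET_CWR" test in case 'G' meaningful, but nothing in the visible lines documents it. A short comment in ECN_parse() stating that *flags mirrors the IPT_ECN_OP_* bits would keep another bare literal like the removed "*flags = 1" from creeping back in. The commit message could also name the operation bit that the literal 1 collided with, since that is the actual cause of the wrong header being modified.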
-- 
1.7.1



* Re: iptables: misc option edits
  2011-02-19 19:04 iptables: misc option edits Jan Engelhardt
                   ` (7 preceding siblings ...)
  2011-02-19 19:04 ` [PATCH 8/8] libipt_ECN: set proper option flags Jan Engelhardt
@ 2011-02-23 16:40 ` Patrick McHardy
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick McHardy @ 2011-02-23 16:40 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On 19.02.2011 20:04, Jan Engelhardt wrote:
> Please review! (And if ok, merge.)
> 
> ===
> 
> The following changes since commit 87dc7c4c842deb1e2e3d38089ffcad9f238d98de:
> 
>   xtables: use strspn() to check if string needs to be quoted (2011-02-17 11:57:19 +0100)
> 
> are available in the git repository at:
>   git://dev.medozas.de/iptables master
> 
> Jan Engelhardt (8):
>       doc: fix wrong sentence about negation in xt_limit
>       doc: fix misspelling of "field"
>       extensions: remove redundant init functions
>       Remove unused CVS expanded keywords
>       libip6t_dst: remove unimplemented --dst-not-strict
>       libip6t_hbh: remove unimplemented --hbh-not-strict
>       extensions: add missing checks for specific flags
>       libipt_ECN: set proper option flags
> 

Looks good, pulled, thanks Jan.
