* Guided option parser run 8
@ 2011-05-13 0:47 Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The following changes since commit 59ce5bd1d05225911051a4c46ce5ccdd7c1ed078:
Merge branch 'floating/opts' of git://dev.medozas.de/iptables (2011-05-12 11:11:51 +0200)
are available in the git repository at:
git://dev.medozas.de/iptables master
Jan Engelhardt (12):
src: replace old IP*T_ALIGN macros
src: combine default_command functions
libxt_policy: option table fixes, improved error tracking
libxtables: avoid running into .also checks when option not used
libxt_policy: use XTTYPE_PROTOCOL type
libxtables: collapse double protocol parsing
libipt_[SD]NAT: flag up module name on error
libipt_[SD]NAT: avoid false error about multiple destinations specified
libxt_conntrack: correct printed module name
libxt_conntrack: fix assignment to wrong member
libxt_conntrack: resolve erroneous rev-2 port range message
libip6t_rt: rt-0-not-strict should take no arg
extensions/libip6t_rt.c | 2 +-
extensions/libipt_DNAT.c | 11 +++--
extensions/libipt_SNAT.c | 11 +++--
extensions/libxt_conntrack.c | 24 +++++++-----
extensions/libxt_policy.c | 37 +++++++++++++-----
extensions/libxt_policy.man | 7 +++-
include/libiptc/libip6tc.h | 5 --
include/libiptc/libiptc.h | 9 ----
ip6tables.c | 83 ++++-------------------------------------
iptables.c | 84 ++++--------------------------------------
libiptc/libip4tc.c | 4 +-
libiptc/libip6tc.c | 4 +-
xshared.c | 70 +++++++++++++++++++++++++++++++++++
xshared.h | 3 +
xtables.c | 49 ++++++++++--------------
xtoptions.c | 17 ++------
16 files changed, 180 insertions(+), 240 deletions(-)
* [PATCH 01/12] src: replace old IP*T_ALIGN macros
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/libiptc/libip6tc.h | 5 -----
include/libiptc/libiptc.h | 9 ---------
ip6tables.c | 16 ++++++++--------
iptables.c | 16 ++++++++--------
libiptc/libip4tc.c | 4 ++--
libiptc/libip6tc.c | 4 ++--
6 files changed, 20 insertions(+), 34 deletions(-)
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 9796574..4f2d1f8 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -11,11 +11,6 @@
#endif
#include <linux/netfilter_ipv6/ip6_tables.h>
-#ifndef IP6T_MIN_ALIGN
-#define IP6T_MIN_ALIGN (__alignof__(struct ip6t_entry))
-#endif
-#define IP6T_ALIGN(s) (((s) + (IP6T_MIN_ALIGN-1)) & ~(IP6T_MIN_ALIGN-1))
-
struct ip6tc_handle;
typedef char ip6t_chainlabel[32];
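Review bot: Removing IP6T_MIN_ALIGN/IP6T_ALIGN from include/libiptc/libip6tc.h, and IPT_MIN_ALIGN/IPT_ALIGN from libiptc.h in the next hunk, takes names out of installed public headers, so out-of-tree code that includes them and uses the macros stops compiling. If that break is not intended, keep a transitional alias next to the include, `#define IP6T_ALIGN(s) XT_ALIGN(s)` here and `#define IPT_ALIGN(s) XT_ALIGN(s)` in libiptc.h, marked deprecated. The replacement is only layout-preserving if XT_ALIGN rounds to the same boundary as __alignof__(struct ip6t_entry) on every supported target, which I cannot confirm from the hunk; the commit message should state why that holds, since the removed libiptc.h comment was the only place the alignment rationale was recorded.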
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 4355ac9..3497d6a 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -15,15 +15,6 @@
extern "C" {
#endif
-#ifndef IPT_MIN_ALIGN
-/* ipt_entry has pointers and u_int64_t's in it, so if you align to
- it, you'll also align to any crazy matches and targets someone
- might write */
-#define IPT_MIN_ALIGN (__alignof__(struct ipt_entry))
-#endif
-
-#define IPT_ALIGN(s) (((s) + ((IPT_MIN_ALIGN)-1)) & ~((IPT_MIN_ALIGN)-1))
-
struct iptc_handle;
typedef char ipt_chainlabel[32];
diff --git a/ip6tables.c b/ip6tables.c
index 967a5f8..58c7e2d 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -768,10 +768,10 @@ make_delete_mask(const struct xtables_rule_match *matches,
size = sizeof(struct ip6t_entry);
for (matchp = matches; matchp; matchp = matchp->next)
- size += IP6T_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size;
+ size += XT_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size;
mask = xtables_calloc(1, size
- + IP6T_ALIGN(sizeof(struct ip6t_entry_target))
+ + XT_ALIGN(sizeof(struct ip6t_entry_target))
+ target->size);
memset(mask, 0xFF, sizeof(struct ip6t_entry));
@@ -779,13 +779,13 @@ make_delete_mask(const struct xtables_rule_match *matches,
for (matchp = matches; matchp; matchp = matchp->next) {
memset(mptr, 0xFF,
- IP6T_ALIGN(sizeof(struct ip6t_entry_match))
+ XT_ALIGN(sizeof(struct ip6t_entry_match))
+ matchp->match->userspacesize);
- mptr += IP6T_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size;
+ mptr += XT_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size;
}
memset(mptr, 0xFF,
- IP6T_ALIGN(sizeof(struct ip6t_entry_target))
+ XT_ALIGN(sizeof(struct ip6t_entry_target))
+ target->userspacesize);
return mask;
@@ -1306,7 +1306,7 @@ static void command_default(struct iptables_command_state *cs)
cs->proto_used = 1;
- size = IP6T_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
@@ -1351,7 +1351,7 @@ static void command_jump(struct iptables_command_state *cs)
if (cs->target == NULL)
return;
- size = IP6T_ALIGN(sizeof(struct ip6t_entry_target)) + cs->target->size;
+ size = XT_ALIGN(sizeof(struct ip6t_entry_target)) + cs->target->size;
cs->target->t = xtables_calloc(1, size);
cs->target->t->u.target_size = size;
@@ -1381,7 +1381,7 @@ static void command_match(struct iptables_command_state *cs)
"unexpected ! flag before --match");
m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches);
- size = IP6T_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
diff --git a/iptables.c b/iptables.c
index cc7525a..d01e828 100644
--- a/iptables.c
+++ b/iptables.c
@@ -771,10 +771,10 @@ make_delete_mask(const struct xtables_rule_match *matches,
size = sizeof(struct ipt_entry);
for (matchp = matches; matchp; matchp = matchp->next)
- size += IPT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size;
+ size += XT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size;
mask = xtables_calloc(1, size
- + IPT_ALIGN(sizeof(struct ipt_entry_target))
+ + XT_ALIGN(sizeof(struct ipt_entry_target))
+ target->size);
memset(mask, 0xFF, sizeof(struct ipt_entry));
@@ -782,13 +782,13 @@ make_delete_mask(const struct xtables_rule_match *matches,
for (matchp = matches; matchp; matchp = matchp->next) {
memset(mptr, 0xFF,
- IPT_ALIGN(sizeof(struct ipt_entry_match))
+ XT_ALIGN(sizeof(struct ipt_entry_match))
+ matchp->match->userspacesize);
- mptr += IPT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size;
+ mptr += XT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size;
}
memset(mptr, 0xFF,
- IPT_ALIGN(sizeof(struct ipt_entry_target))
+ XT_ALIGN(sizeof(struct ipt_entry_target))
+ target->userspacesize);
return mask;
@@ -1330,7 +1330,7 @@ static void command_default(struct iptables_command_state *cs)
cs->proto_used = 1;
- size = IPT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
@@ -1376,7 +1376,7 @@ static void command_jump(struct iptables_command_state *cs)
if (cs->target == NULL)
return;
- size = IPT_ALIGN(sizeof(struct ipt_entry_target))
+ size = XT_ALIGN(sizeof(struct ipt_entry_target))
+ cs->target->size;
cs->target->t = xtables_calloc(1, size);
@@ -1407,7 +1407,7 @@ static void command_match(struct iptables_command_state *cs)
"unexpected ! flag before --match");
m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches);
- size = IPT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index e2d2a5e..cf66709 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -112,7 +112,7 @@ typedef unsigned int socklen_t;
#define LABEL_DROP IPTC_LABEL_DROP
#define LABEL_QUEUE IPTC_LABEL_QUEUE
-#define ALIGN IPT_ALIGN
+#define ALIGN XT_ALIGN
#define RETURN IPT_RETURN
#include "libiptc.c"
@@ -209,7 +209,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask)
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
- mptr += IPT_ALIGN(sizeof(struct ipt_entry_target));
+ mptr += XT_ALIGN(sizeof(struct ipt_entry_target));
return mptr;
}
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index c1508cd..0f8a889 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -107,7 +107,7 @@ typedef unsigned int socklen_t;
#define LABEL_DROP IP6TC_LABEL_DROP
#define LABEL_QUEUE IP6TC_LABEL_QUEUE
-#define ALIGN IP6T_ALIGN
+#define ALIGN XT_ALIGN
#define RETURN IP6T_RETURN
#include "libiptc.c"
@@ -241,7 +241,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
- mptr += IP6T_ALIGN(sizeof(struct ip6t_entry_target));
+ mptr += XT_ALIGN(sizeof(struct ip6t_entry_target));
return mptr;
}
--
1.7.1
* [PATCH 02/12] src: combine default_command functions
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
---
ip6tables.c | 69 +---------------------------------------------------------
iptables.c | 70 +----------------------------------------------------------
xshared.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
xshared.h | 3 ++
4 files changed, 75 insertions(+), 137 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index 58c7e2d..a74238c 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1272,73 +1272,6 @@ static void clear_rule_matches(struct xtables_rule_match **matches)
*matches = NULL;
}
-static void command_default(struct iptables_command_state *cs)
-{
- struct xtables_rule_match *matchp;
- struct xtables_match *m;
-
- if (cs->target != NULL &&
- (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
- cs->c >= cs->target->option_offset &&
- cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
- xtables_option_tpcall(cs->c, cs->argv, cs->invert,
- cs->target, &cs->fw);
- return;
- }
-
- for (matchp = cs->matches; matchp; matchp = matchp->next) {
- m = matchp->match;
-
- if (matchp->completed ||
- (m->x6_parse == NULL && m->parse == NULL))
- continue;
- if (cs->c < matchp->match->option_offset ||
- cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
- continue;
- xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
- return;
- }
-
- /* Try loading protocol */
- m = load_proto(cs);
- if (m != NULL) {
- size_t size;
-
- cs->proto_used = 1;
-
- size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
-
- m->m = xtables_calloc(1, size);
- m->m->u.match_size = size;
- strcpy(m->m->u.user.name, m->name);
- m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
-
- if (m->x6_options != NULL)
- opts = xtables_options_xfrm(ip6tables_globals.orig_opts,
- opts, m->x6_options,
- &m->option_offset);
- else
- opts = xtables_merge_options(ip6tables_globals.orig_opts,
- opts,
- m->extra_opts,
- &m->option_offset);
- if (opts == NULL)
- xtables_error(OTHER_PROBLEM, "can't alloc memory!");
- optind--;
- return;
- }
-
- if (cs->c == ':')
- xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
- "requires an argument", cs->argv[optind-1]);
- if (cs->c == '?')
- xtables_error(PARAMETER_PROBLEM, "unknown option "
- "\"%s\"", cs->argv[optind-1]);
- xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
-}
-
static void command_jump(struct iptables_command_state *cs)
{
size_t size;
@@ -1785,7 +1718,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
exit_tryhelp(2);
default:
- command_default(&cs);
+ command_default(&cs, &ip6tables_globals);
break;
}
cs.invert = FALSE;
diff --git a/iptables.c b/iptables.c
index d01e828..d9c6436 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1296,74 +1296,6 @@ get_kernel_version(void) {
kernel_version = LINUX_VERSION(x, y, z);
}
-static void command_default(struct iptables_command_state *cs)
-{
- struct xtables_rule_match *matchp;
- struct xtables_match *m;
-
- if (cs->target != NULL &&
- (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
- cs->c >= cs->target->option_offset &&
- cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
- xtables_option_tpcall(cs->c, cs->argv, cs->invert,
- cs->target, &cs->fw);
- return;
- }
-
- for (matchp = cs->matches; matchp; matchp = matchp->next) {
- m = matchp->match;
-
- if (matchp->completed ||
- (m->x6_parse == NULL && m->parse == NULL))
- continue;
- if (cs->c < m->option_offset ||
- cs->c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
- continue;
- xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
- return;
- }
-
- /* Try loading protocol */
- m = load_proto(cs);
- if (m != NULL) {
- size_t size;
-
- cs->proto_used = 1;
-
- size = XT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
-
- m->m = xtables_calloc(1, size);
- m->m->u.match_size = size;
- strcpy(m->m->u.user.name, m->name);
- m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
-
- if (m->x6_options != NULL)
- opts = xtables_options_xfrm(iptables_globals.orig_opts,
- opts, m->x6_options,
- &m->option_offset);
- else
- opts = xtables_merge_options(iptables_globals.orig_opts,
- opts,
- m->extra_opts,
- &m->option_offset);
- if (opts == NULL)
- xtables_error(OTHER_PROBLEM, "can't alloc memory!");
-
- optind--;
- return;
- }
-
- if (cs->c == ':')
- xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
- "requires an argument", cs->argv[optind-1]);
- if (cs->c == '?')
- xtables_error(PARAMETER_PROBLEM, "unknown option "
- "\"%s\"", cs->argv[optind-1]);
- xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
-}
-
static void command_jump(struct iptables_command_state *cs)
{
size_t size;
@@ -1811,7 +1743,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
exit_tryhelp(2);
default:
- command_default(&cs);
+ command_default(&cs, &iptables_globals);
break;
}
cs.invert = FALSE;
diff --git a/xshared.c b/xshared.c
index 87402b4..4651888 100644
--- a/xshared.c
+++ b/xshared.c
@@ -1,3 +1,4 @@
+#include <getopt.h>
#include <libgen.h>
#include <netdb.h>
#include <stdbool.h>
@@ -103,6 +104,75 @@ struct xtables_match *load_proto(struct iptables_command_state *cs)
cs->options & OPT_NUMERIC, &cs->matches);
}
+void command_default(struct iptables_command_state *cs,
+ struct xtables_globals *gl)
+{
+ struct xtables_rule_match *matchp;
+ struct xtables_match *m;
+
+ if (cs->target != NULL &&
+ (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
+ cs->c >= cs->target->option_offset &&
+ cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
+ xtables_option_tpcall(cs->c, cs->argv, cs->invert,
+ cs->target, &cs->fw);
+ return;
+ }
+
+ for (matchp = cs->matches; matchp; matchp = matchp->next) {
+ m = matchp->match;
+
+ if (matchp->completed ||
+ (m->x6_parse == NULL && m->parse == NULL))
+ continue;
+ if (cs->c < matchp->match->option_offset ||
+ cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+ continue;
+ xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
+ return;
+ }
+
+ /* Try loading protocol */
+ m = load_proto(cs);
+ if (m != NULL) {
+ size_t size;
+
+ cs->proto_used = 1;
+
+ size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
+
+ m->m = xtables_calloc(1, size);
+ m->m->u.match_size = size;
+ strcpy(m->m->u.user.name, m->name);
+ m->m->u.user.revision = m->revision;
+ if (m->init != NULL)
+ m->init(m->m);
+
+ if (m->x6_options != NULL)
+ gl->opts = xtables_options_xfrm(gl->orig_opts,
+ gl->opts,
+ m->x6_options,
+ &m->option_offset);
+ else
+ gl->opts = xtables_merge_options(gl->orig_opts,
+ gl->opts,
+ m->extra_opts,
+ &m->option_offset);
+ if (gl->opts == NULL)
+ xtables_error(OTHER_PROBLEM, "can't alloc memory!");
+ optind--;
+ return;
+ }
+
+ if (cs->c == ':')
+ xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+ "requires an argument", cs->argv[optind-1]);
+ if (cs->c == '?')
+ xtables_error(PARAMETER_PROBLEM, "unknown option "
+ "\"%s\"", cs->argv[optind-1]);
+ xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+}
+
static mainfunc_t subcmd_get(const char *cmd, const struct subcommand *cb)
{
for (; cb->name != NULL; ++cb)
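Review bot: The merged command_default still sizes the match with `sizeof(struct ip6t_entry_match)`, the ip6tables copy's line, although it is now called from iptables.c as well, where the removed copy used `struct ipt_entry_match`. As far as I know both are aliases of the generic type, so the arithmetic is unchanged, but shared code should name the family-neutral one: `size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;`. The moved `strcpy(m->m->u.user.name, m->name)` copies an extension name into a fixed-size field with no bound in this function; I believe extension registration already limits the name length, in which case a comment citing that is enough, otherwise use a bounded copy. A short header comment would also help now that there are two callers, stating that `gl` is the calling program's globals, whose `opts` table is replaced in place when a protocol match is loaded, and that `optind--` presumably hands the current argument back to the next getopt pass.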
diff --git a/xshared.h b/xshared.h
index 34f3265..d868c06 100644
--- a/xshared.h
+++ b/xshared.h
@@ -23,6 +23,7 @@ enum {
OPT_COUNTERS = 1 << 10,
};
+struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
@@ -76,6 +77,8 @@ enum {
extern void print_extension_helps(const struct xtables_target *,
const struct xtables_rule_match *);
extern const char *proto_to_name(uint8_t, int);
+extern void command_default(struct iptables_command_state *,
+ struct xtables_globals *);
extern struct xtables_match *load_proto(struct iptables_command_state *);
extern int subcmd_main(int, char **, const struct subcommand *);
--
1.7.1
* [PATCH 03/12] libxt_policy: option table fixes, improved error tracking
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Most of the options in this extension may be given more than once. Also, move the
"--next requires --strict" rule into the option table.
Furthermore, augment the error messages emitted from fcheck to contain
the policy element number, and elaborate on what an "empty policy
element" is.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_policy.c | 35 ++++++++++++++++++++++++++---------
extensions/libxt_policy.man | 7 ++++++-
2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c
index a514246..7affd1b 100644
--- a/extensions/libxt_policy.c
+++ b/extensions/libxt_policy.c
@@ -16,7 +16,8 @@ enum {
O_MODE,
O_TUNNELSRC,
O_TUNNELDST,
- O_NEXT
+ O_NEXT,
+ F_STRICT = 1 << O_STRICT,
};
static void policy_help(void)
@@ -28,6 +29,7 @@ static void policy_help(void)
" --pol none|ipsec match policy\n"
" --strict match entire policy instead of single element\n"
" at any position\n"
+"These options may be used repeatedly, to describe policy elements:\n"
"[!] --reqid reqid match reqid\n"
"[!] --spi spi match SPI\n"
"[!] --proto proto match protocol (ah/esp/ipcomp)\n"
@@ -42,13 +44,20 @@ static const struct xt_option_entry policy_opts[] = {
.flags = XTOPT_INVERT},
{.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
{.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
- {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32},
- {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32},
- {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK},
- {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK},
- {.name = "proto", .id = O_PROTO, .type = XTTYPE_STRING},
- {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING},
- {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE},
+ {.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32,
+ .flags = XTOPT_MULTI | XTOPT_INVERT},
+ {.name = "spi", .id = O_SPI, .type = XTTYPE_UINT32,
+ .flags = XTOPT_MULTI | XTOPT_INVERT},
+ {.name = "tunnel-src", .id = O_TUNNELSRC, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MULTI | XTOPT_INVERT},
+ {.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MULTI | XTOPT_INVERT},
+ {.name = "proto", .id = O_PROTO, .type = XTTYPE_STRING,
+ .flags = XTOPT_MULTI | XTOPT_INVERT},
+ {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING,
+ .flags = XTOPT_MULTI | XTOPT_INVERT},
+ {.name = "next", .id = O_NEXT, .type = XTTYPE_NONE,
+ .flags = XTOPT_MULTI, .also = F_STRICT},
XTOPT_TABLEEND,
};
@@ -183,9 +192,14 @@ static void policy_check(struct xt_fcheck_call *cb)
} else
info->len++; /* increase len by 1, no --next after last element */
+ /*
+ * This is already represented with O_NEXT requiring F_STRICT in the
+ * options table, but will keep this code as a comment for reference.
+ *
if (!(info->flags & XT_POLICY_MATCH_STRICT) && info->len > 1)
xtables_error(PARAMETER_PROBLEM,
"policy match: multiple elements but no --strict");
+ */
for (i = 0; i < info->len; i++) {
e = &info->pol[i];
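Review bot: The old `--strict` check is kept in policy_check as a commented-out block with a note that it is for reference; commented-out code is what the history is for, and such blocks drift from the code around them. Replace the whole block with a single comment pointing at the table, e.g. `/* Multiple elements without --strict are rejected via .also = F_STRICT on O_NEXT in policy_opts. */`. In the next hunk the new message prints the element index `i` with `%u`; if `i` is declared int in the part of policy_check outside this hunk, -Wformat will flag the mismatch, so confirm the declaration or cast. policy_check starts and ends outside this hunk.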
@@ -194,7 +208,10 @@ static void policy_check(struct xt_fcheck_call *cb)
!(e->match.reqid || e->match.spi || e->match.saddr ||
e->match.daddr || e->match.proto || e->match.mode))
xtables_error(PARAMETER_PROBLEM,
- "policy match: empty policy element");
+ "policy match: empty policy element %u. "
+ "--strict is in effect, but at least one of "
+ "reqid, spi, tunnel-src, tunnel-dst, proto or "
+ "mode is required.", i);
if ((e->match.saddr || e->match.daddr)
&& ((e->mode == XT_POLICY_MODE_TUNNEL && e->invert.mode) ||
diff --git a/extensions/libxt_policy.man b/extensions/libxt_policy.man
index 3500025..1b834fa 100644
--- a/extensions/libxt_policy.man
+++ b/extensions/libxt_policy.man
@@ -13,11 +13,16 @@ is valid in the
chains.
.TP
\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
-Matches if the packet is subject to IPsec processing.
+Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
+cannot be combined with \fB\-\-strict\fP.
.TP
\fB\-\-strict\fP
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
+.PP
+For each policy element that is to be described, one can use one or more of
+the following options. When \fB\-\-strict\fP is in effect, at least one must be
+used per element.
.TP
[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
Matches the reqid of the policy rule. The reqid can be specified with
--
1.7.1
* [PATCH 04/12] libxtables: avoid running into .also checks when option not used
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
If a particular option was not specified, it should not be subject to
.also checks in xtables_option_fcheck2 either.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
xtoptions.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/xtoptions.c b/xtoptions.c
index 8d54dd8..9e19250 100644
--- a/xtoptions.c
+++ b/xtoptions.c
@@ -949,6 +949,9 @@ void xtables_options_fcheck(const char *name, unsigned int xflags,
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: option \"--%s\" must be specified\n",
name, entry->name);
+ if (!(xflags & (1 << entry->id)))
+ /* Not required, not specified, thus skip. */
+ continue;
for (i = 0; i < CHAR_BIT * sizeof(entry->id); ++i) {
if (entry->id == i)
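Review bot: The added guard `if (!(xflags & (1 << entry->id)))` shifts a signed `1`; the loop right below it walks all `CHAR_BIT * sizeof(entry->id)` bit positions, so an id of 31 is evidently allowed, and `1 << 31` is undefined in C because the result does not fit in int. Use an unsigned constant to match the `unsigned int xflags` parameter: `if (!(xflags & (1U << entry->id)))`. The comment between the `if` and its `continue` reads fine, but bracing the body would keep the structure visible at a glance. xtables_options_fcheck continues outside the hunk.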
--
1.7.1
* [PATCH 05/12] libxt_policy: use XTTYPE_PROTOCOL type
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_policy.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c
index 7affd1b..97722d6 100644
--- a/extensions/libxt_policy.c
+++ b/extensions/libxt_policy.c
@@ -52,7 +52,7 @@ static const struct xt_option_entry policy_opts[] = {
.flags = XTOPT_MULTI | XTOPT_INVERT},
{.name = "tunnel-dst", .id = O_TUNNELDST, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_MULTI | XTOPT_INVERT},
- {.name = "proto", .id = O_PROTO, .type = XTTYPE_STRING,
+ {.name = "proto", .id = O_PROTO, .type = XTTYPE_PROTOCOL,
.flags = XTOPT_MULTI | XTOPT_INVERT},
{.name = "mode", .id = O_MODE, .type = XTTYPE_STRING,
.flags = XTOPT_MULTI | XTOPT_INVERT},
@@ -143,7 +143,7 @@ static void policy_parse(struct xt_option_call *cb)
if (e->match.proto)
xtables_error(PARAMETER_PROBLEM,
"policy match: double --proto option");
- e->proto = xtables_parse_protocol(cb->arg);
+ e->proto = cb->val.protocol;
if (e->proto != IPPROTO_AH && e->proto != IPPROTO_ESP &&
e->proto != IPPROTO_COMP)
xtables_error(PARAMETER_PROBLEM,
--
1.7.1
* [PATCH 06/12] libxtables: collapse double protocol parsing
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Reduce the nesting in xtables_parse_protocol, and make xtopt_parse_protocol
use it.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
xtables.c | 49 +++++++++++++++++++++----------------------------
xtoptions.c | 14 +-------------
2 files changed, 22 insertions(+), 41 deletions(-)
diff --git a/xtables.c b/xtables.c
index 9038f89..f10cdb7 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1797,37 +1797,30 @@ const struct xtables_pprot xtables_chain_protos[] = {
uint16_t
xtables_parse_protocol(const char *s)
{
- unsigned int proto;
+ const struct protoent *pent;
+ unsigned int proto, i;
- if (!xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX)) {
- struct protoent *pent;
+ if (xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX))
+ return proto;
- /* first deal with the special case of 'all' to prevent
- * people from being able to redefine 'all' in nsswitch
- * and/or provoke expensive [not working] ldap/nis/...
- * lookups */
- if (!strcmp(s, "all"))
- return 0;
+ /* first deal with the special case of 'all' to prevent
+ * people from being able to redefine 'all' in nsswitch
+ * and/or provoke expensive [not working] ldap/nis/...
+ * lookups */
+ if (strcmp(s, "all") == 0)
+ return 0;
- if ((pent = getprotobyname(s)))
- proto = pent->p_proto;
- else {
- unsigned int i;
- for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) {
- if (xtables_chain_protos[i].name == NULL)
- continue;
+ pent = getprotobyname(s);
+ if (pent != NULL)
+ return pent->p_proto;
- if (strcmp(s, xtables_chain_protos[i].name) == 0) {
- proto = xtables_chain_protos[i].num;
- break;
- }
- }
- if (i == ARRAY_SIZE(xtables_chain_protos))
- xt_params->exit_err(PARAMETER_PROBLEM,
- "unknown protocol `%s' specified",
- s);
- }
+ for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) {
+ if (xtables_chain_protos[i].name == NULL)
+ continue;
+ if (strcmp(s, xtables_chain_protos[i].name) == 0)
+ return xtables_chain_protos[i].num;
}
-
- return proto;
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "unknown protocol \"%s\" specified", s);
+ return -1;
}
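Review bot: The new getprotobyname branch returns `pent->p_proto` with no range check, while the numeric branch caps at UINT8_MAX via xtables_strtoui; the xtoptions.c hunk of this patch now routes XTTYPE_PROTOCOL through this function and stores the result in a uint8_t, so a protocols(5) entry, or another NSS source, carrying a number above 255 would be silently truncated (the removed xtopt_parse_protocol had the same gap, so this is the moment to close it for every caller). After `pent = getprotobyname(s);`, call xt_params->exit_err with a PARAMETER_PROBLEM message when `pent->p_proto` is negative or above UINT8_MAX, and only then `return pent->p_proto;`. The trailing `return -1;` becomes 65535 in the uint16_t return type; if exit_err is not declared noreturn, a comment saying the line is unreachable would spare the next reader a question.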
diff --git a/xtoptions.c b/xtoptions.c
index 9e19250..eb9e4e6 100644
--- a/xtoptions.c
+++ b/xtoptions.c
@@ -498,19 +498,7 @@ static int xtables_getportbyname(const char *name)
*/
static void xtopt_parse_protocol(struct xt_option_call *cb)
{
- const struct protoent *entry;
- unsigned int value = -1;
-
- if (xtables_strtoui(cb->arg, NULL, &value, 0, UINT8_MAX)) {
- cb->val.protocol = value;
- return;
- }
- entry = getprotobyname(cb->arg);
- if (entry == NULL)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "Protocol \"%s\" does not resolve to anything.\n",
- cb->arg);
- cb->val.protocol = entry->p_proto;
+ cb->val.protocol = xtables_parse_protocol(cb->arg);
if (cb->entry->flags & XTOPT_PUT)
*(uint8_t *)XTOPT_MKPTR(cb) = cb->val.protocol;
}
--
1.7.1
* [PATCH 07/12] libipt_[SD]NAT: flag up module name on error
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libipt_DNAT.c | 2 +-
extensions/libipt_SNAT.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 6a46f10..8c4c9c2 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -169,7 +169,7 @@ static void DNAT_parse(struct xt_option_call *cb)
get_kernel_version();
if (kernel_version > LINUX_VERSION(2, 6, 10))
xtables_error(PARAMETER_PROBLEM,
- "Multiple --to-destination not supported");
+ "DNAT: Multiple --to-destination not supported");
}
*cb->target = parse_to(cb->arg, portok, info);
/* WTF do we need this for?? */
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 9156a7b..3691041 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -169,7 +169,7 @@ static void SNAT_parse(struct xt_option_call *cb)
get_kernel_version();
if (kernel_version > LINUX_VERSION(2, 6, 10))
xtables_error(PARAMETER_PROBLEM,
- "Multiple --to-source not supported");
+ "SNAT: Multiple --to-source not supported");
}
*cb->target = parse_to(cb->arg, portok, info);
/* WTF do we need this for?? */
--
1.7.1
* [PATCH 08/12] libipt_[SD]NAT: avoid false error about multiple destinations specified
@ 2011-05-13 0:47 ` Jan Engelhardt
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
iptables-restore v1.4.10: DNAT: Multiple --to-destination not supported
xtables_option_parse already sets cb->xflags, so it cannot be used directly
to test whether an option is being given for the second time. Thus use a
private option/flag (X_TO_DEST/SRC) that is not under the control of
xtables_option_parse.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libipt_DNAT.c | 9 ++++++---
extensions/libipt_SNAT.c | 9 ++++++---
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 8c4c9c2..3b55c69 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -12,8 +12,10 @@ enum {
O_TO_DEST = 0,
O_RANDOM,
O_PERSISTENT,
- F_TO_DEST = 1 << O_TO_DEST,
- F_RANDOM = 1 << O_RANDOM,
+ O_X_TO_DEST, /* hidden flag */
+ F_TO_DEST = 1 << O_TO_DEST,
+ F_RANDOM = 1 << O_RANDOM,
+ F_X_TO_DEST = 1 << O_X_TO_DEST,
};
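Review bot: `O_X_TO_DEST` gets a `/* hidden flag */` comment here, but its twin `O_X_TO_SRC` in the libipt_SNAT.c enum hunk has none, and neither comment says who sets the bit or why it must stay out of the option table. As the commit message explains, the whole point is that xtables_option_parse never touches this id, so the bit is set only by the parse function itself (the `cb->xflags |= F_X_TO_DEST;` / `F_X_TO_SRC` lines in the later hunks). Suggest `O_X_TO_DEST, /* hidden: not in the option table; set by DNAT_parse once --to-destination has been accepted */` and the same wording for SNAT, so a later maintainer does not "fix" it by adding a table entry and reintroduce the false "Multiple --to-destination" error. The enum is shown in full, but DNAT_parse/SNAT_parse themselves start and end outside their hunks.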
/* Dest NAT data consists of a multi-range, indicating where to map
@@ -164,7 +166,7 @@ static void DNAT_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_TO_DEST:
- if (cb->xflags & F_TO_DEST) {
+ if (cb->xflags & F_X_TO_DEST) {
if (!kernel_version)
get_kernel_version();
if (kernel_version > LINUX_VERSION(2, 6, 10))
@@ -175,6 +177,7 @@ static void DNAT_parse(struct xt_option_call *cb)
/* WTF do we need this for?? */
if (cb->xflags & F_RANDOM)
info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ cb->xflags |= F_X_TO_DEST;
break;
case O_RANDOM:
if (cb->xflags & F_TO_DEST)
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 3691041..8023306 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -12,8 +12,10 @@ enum {
O_TO_SRC = 0,
O_RANDOM,
O_PERSISTENT,
- F_TO_SRC = 1 << O_TO_SRC,
- F_RANDOM = 1 << O_RANDOM,
+ O_X_TO_SRC,
+ F_TO_SRC = 1 << O_TO_SRC,
+ F_RANDOM = 1 << O_RANDOM,
+ F_X_TO_SRC = 1 << O_X_TO_SRC,
};
/* Source NAT data consists of a multi-range, indicating where to map
@@ -164,7 +166,7 @@ static void SNAT_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_TO_SRC:
- if (cb->xflags & F_TO_SRC) {
+ if (cb->xflags & F_X_TO_SRC) {
if (!kernel_version)
get_kernel_version();
if (kernel_version > LINUX_VERSION(2, 6, 10))
@@ -175,6 +177,7 @@ static void SNAT_parse(struct xt_option_call *cb)
/* WTF do we need this for?? */
if (cb->xflags & F_RANDOM)
info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ cb->xflags |= F_X_TO_SRC;
break;
case O_RANDOM:
if (cb->xflags & F_TO_SRC)
--
1.7.1
* [PATCH 09/12] libxt_conntrack: correct printed module name
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_conntrack.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 2fb3644..6d16ccf 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -545,7 +545,7 @@ static void conntrack1_mt_parse(struct xt_option_call *cb)
up.replsrc_port != up.replsrc_port_high ||
up.repldst_port != up.repldst_port_high)
xtables_error(PARAMETER_PROBLEM,
- "connlimit rev 1 does not support port ranges");
+ "conntrack rev 1 does not support port ranges");
cinfo_transform(info, &up);
cb->data = info;
}
@@ -567,7 +567,7 @@ static void conntrack2_mt_parse(struct xt_option_call *cb)
up.replsrc_port != up.replsrc_port_high ||
up.repldst_port != up.repldst_port_high)
xtables_error(PARAMETER_PROBLEM,
- "connlimit rev 2 does not support port ranges");
+ "conntrack rev 2 does not support port ranges");
memcpy(info, &up, sizeof(*info));
cb->data = info;
#undef cinfo2_transform
--
1.7.1
* [PATCH 10/12] libxt_conntrack: fix assignment to wrong member
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The range end ought to be set here, rather than assigning the start value a
second time.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_conntrack.c | 12 ++++--------
1 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 6d16ccf..0262b01 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -480,32 +480,28 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
break;
case O_CTORIGSRCPORT:
info->origsrc_port = cb->val.port_range[0];
- info->origsrc_port = (cb->nvals == 2) ? cb->val.port_range[1] :
- cb->val.port_range[0];
+ info->origsrc_port_high = cb->val.port_range[cb->nvals >= 2];
info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
if (cb->invert)
info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
break;
case O_CTORIGDSTPORT:
info->origdst_port = cb->val.port_range[0];
- info->origdst_port = (cb->nvals == 2) ? cb->val.port_range[1] :
- cb->val.port_range[0];
+ info->origdst_port_high = cb->val.port_range[cb->nvals >= 2];
info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
if (cb->invert)
info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
break;
case O_CTREPLSRCPORT:
info->replsrc_port = cb->val.port_range[0];
- info->replsrc_port = (cb->nvals == 2) ? cb->val.port_range[1] :
- cb->val.port_range[0];
+ info->replsrc_port_high = cb->val.port_range[cb->nvals >= 2];
info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
if (cb->invert)
info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
break;
case O_CTREPLDSTPORT:
info->repldst_port = cb->val.port_range[0];
- info->repldst_port = (cb->nvals == 2) ? cb->val.port_range[1] :
- cb->val.port_range[0];
+ info->repldst_port_high = cb->val.port_range[cb->nvals >= 2];
info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
if (cb->invert)
info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
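Review bot: The four new `*_port_high = cb->val.port_range[cb->nvals >= 2];` lines index the array with the integer value of a comparison, which is correct C (0 or 1) but easy to misread as a bounds check; the removed code used an explicit ternary and the replacement `>= 2` also quietly widens the old `== 2` test. If nvals can only be 1 or 2 for a port range this is harmless, but `cb->val.port_range[cb->nvals >= 2 ? 1 : 0]` or a one-line comment such as `/* one value given: high = low; two values: high = second */` on the first of the four would make the intent explicit without changing behaviour. conntrack_mt_parse begins and ends outside the hunk.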
--
1.7.1
* [PATCH 11/12] libxt_conntrack: resolve erroneous rev-2 port range message
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
--ctorigdstport 13
ip6tables-restore v1.4.10: conntrack rev 2 does not support port ranges
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_conntrack.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 0262b01..ed0bd93 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -534,6 +534,10 @@ static void conntrack1_mt_parse(struct xt_option_call *cb)
memset(&up, 0, sizeof(up));
cinfo_transform(&up, info);
+ up.origsrc_port_high = up.origsrc_port;
+ up.origdst_port_high = up.origdst_port;
+ up.replsrc_port_high = up.replsrc_port;
+ up.repldst_port_high = up.repldst_port;
cb->data = &up;
conntrack_mt_parse(cb, 3);
if (up.origsrc_port != up.origsrc_port_high ||
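Review bot: The four `up.*_port_high = up.*_port;` assignments are duplicated verbatim in this hunk and in the conntrack2_mt_parse hunk below, with no comment explaining why they are needed before the rev-3 parser is called. From the commit message the reason is that rev 1/2 info has no `_high` members, so after the copy the `_high` fields are zero and the port-range check after `conntrack_mt_parse(cb, 3)` misfires for any option that is not a port; a comment such as `/* rev 1/2 carry no range end: seed high = low so the range check below only trips on a real range */` above the first assignment would record that. Factoring the four lines into a small static helper called from both functions would keep the two revisions from drifting apart. Both conntrack1_mt_parse and conntrack2_mt_parse start and end outside their hunks.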
@@ -556,6 +560,10 @@ static void conntrack2_mt_parse(struct xt_option_call *cb)
memset(&up, 0, sizeof(up));
memcpy(&up, info, sizeof(*info));
+ up.origsrc_port_high = up.origsrc_port;
+ up.origdst_port_high = up.origdst_port;
+ up.replsrc_port_high = up.replsrc_port;
+ up.repldst_port_high = up.repldst_port;
cb->data = &up;
conntrack_mt_parse(cb, 3);
if (up.origsrc_port != up.origsrc_port_high ||
--
1.7.1
* [PATCH 12/12] libip6t_rt: rt-0-not-strict should take no arg
From: Jan Engelhardt @ 2011-05-13 0:47 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
This unfortunately got mixed up during the getopt -> guided parser
move.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libip6t_rt.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 11bfda9..eb30820 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -39,7 +39,7 @@ static const struct xt_option_entry rt_opts[] = {
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, hdrlen)},
{.name = "rt-0-res", .id = O_RT0RES, .type = XTTYPE_NONE},
{.name = "rt-0-addrs", .id = O_RT0ADDRS, .type = XTTYPE_STRING},
- {.name = "rt-0-not-strict", .id = O_RT0NSTRICT, .type = XTTYPE_STRING},
+ {.name = "rt-0-not-strict", .id = O_RT0NSTRICT, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
};
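Review bot: Changing `rt-0-not-strict` to `XTTYPE_NONE` only fixes the table; the `O_RT0NSTRICT` case in the parse function is outside the hunk, and if it still reads `cb->arg` it would now be looking at an argument the guided parser no longer supplies. Worth confirming that case only sets its flag, and perhaps noting it in the table with `/* flag only: the parser must not read cb->arg */`. The rt_opts table is otherwise shown in full.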
#undef s
--
1.7.1
* Re: Guided option parser run 8
From: Patrick McHardy @ 2011-05-23 13:23 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
On 13.05.2011 02:47, Jan Engelhardt wrote:
> The following changes since commit 59ce5bd1d05225911051a4c46ce5ccdd7c1ed078:
>
> Merge branch 'floating/opts' of git://dev.medozas.de/iptables (2011-05-12 11:11:51 +0200)
>
> are available in the git repository at:
>
> git://dev.medozas.de/iptables master
>
> Jan Engelhardt (12):
> src: replace old IP*T_ALIGN macros
> src: combine default_command functions
> libxt_policy: option table fixes, improved error tracking
> libxtables: avoid running into .also checks when option not used
> libxt_policy: use XTTYPE_PROTOCOL type
> libxtables: collapse double protocol parsing
> libipt_[SD]NAT: flag up module name on error
> libipt_[SD]NAT: avoid false error about multiple destinations specified
> libxt_conntrack: correct printed module name
> libxt_conntrack: fix assignment to wrong member
> libxt_conntrack: resolve erroneous rev-2 port range message
> libip6t_rt: rt-0-not-strict should take no arg
Pulled, thanks Jan.