* [iptables-nftables PATCH 0/3] xtables-arp fixes + libxt_mangle addition
From: Tomasz Bursztyka @ 2013-10-03 9:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Patches 1 and 2 fix 2 issues (patch 2 is a very minor one).
Patch 3 adds the support of 'mangle' target for xtables-arp through libxtables.
Note: Giuseppe has a patch for nft_arp_parse_meta() also, for a bug in -D as well.
Tomasz Bursztyka (3):
xtables: arp: Store target entry properly and compare them relevantly
libxtables: Port libarptc mangle target into libxtables
xtables: arp: Do not add a useless prefix for afinfo_arp
extensions/libxt_mangle.c | 389 ++++++++++++++++++++++++++++++++++++++
iptables/nft-arp.c | 44 ++---
iptables/nft-shared.h | 4 +-
iptables/xtables-arp-standalone.c | 2 +-
iptables/xtables-arp.c | 8 +-
5 files changed, 417 insertions(+), 30 deletions(-)
create mode 100644 extensions/libxt_mangle.c
--
1.8.3.2
* [iptables-nftables PATCH 1/3] xtables: arp: Store target entry properly and compare them relevantly
From: Tomasz Bursztyka @ 2013-10-03 9:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Fixes a segfault issue when deleting a rule.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
iptables/nft-arp.c | 44 +++++++++++++++++++++-----------------------
iptables/nft-shared.h | 4 ++--
iptables/xtables-arp.c | 8 ++++----
3 files changed, 27 insertions(+), 29 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 10c7b63..0460066 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -276,17 +276,16 @@ static void nft_arp_parse_meta(struct nft_rule_expr *e, uint8_t key,
fw->arp.invflags |= ipt_to_arpt_flags(flags);
}
-static void nft_arp_parse_target(struct xtables_target *t, void *data)
+static void nft_arp_parse_target(struct xtables_target *target, void *data)
{
struct arpt_entry *fw = data;
- size_t size = sizeof(struct arpt_entry);
- struct xt_entry_target **target;
+ struct xt_entry_target **t;
- fw->target_offset = size;
- fw->next_offset = size + t->t->u.target_size;
+ fw->target_offset = offsetof(struct arpt_entry, elems);
+ fw->next_offset = fw->target_offset + target->t->u.target_size;
- target = (void *) fw + fw->target_offset;
- *target = t->t;
+ t = (void *) &fw->elems;
+ *t = target->t;
}
static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
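Review bot: The store `*t = target->t;` through `t = (void *) &fw->elems;` writes a `struct xt_entry_target *` at the flexible array member, so every `struct arpt_entry` handed in as `data` must have been allocated with at least `sizeof(*t)` bytes beyond `offsetof(struct arpt_entry, elems)`, and nothing in nft_arp_parse_target checks or documents that. In nft_arp_rule_find (third hunk of this file, `struct arpt_entry this = {};`) the entry is a plain automatic object with no trailing storage, so if nft_rule_to_arpt_entry reaches this function the store runs past the end of `this` — worth confirming and, if so, backing `this` with a buffer sized for the pointer. A comment above the store, `/* elems holds a userspace pointer to the target, not kernel-layout target data; callers must reserve sizeof(*t) past the entry header */`, would make the contract visible.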
@@ -297,10 +296,13 @@ static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
- size = sizeof(struct xt_entry_target) + target->size;
+
+ size = XT_ALIGN(sizeof(struct xt_entry_target)) + target->size;
+
target->t = xtables_calloc(1, size);
target->t->u.target_size = size;
strcpy(target->t->u.user.name, jumpto);
+ target->t->u.user.revision = target->revision;
nft_arp_parse_target(target, data);
}
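Review bot: The `strcpy(target->t->u.user.name, jumpto);` this hunk keeps copies the `-j` argument into the fixed-size `u.user.name` field with no length bound, while the reworked size computation only reserves `XT_ALIGN(sizeof(struct xt_entry_target)) + target->size`, so an over-long jump target overruns the name field. Since the allocation is being changed here, it is the place to bound the copy: `snprintf(target->t->u.user.name, sizeof(target->t->u.user.name), "%s", jumpto);`, or reject names that do not fit before allocating. nft_arp_parse_immediate starts before this hunk.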
@@ -598,16 +600,11 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nft_rule *r,
struct arpt_entry *fw = data;
struct xt_entry_target *t_fw, *t_this;
char *targname_fw, *targname_this;
- struct xtables_target *target_fw, *target_this;
struct arpt_entry this = {};
/* Delete by matching rule case */
nft_rule_to_arpt_entry(r, &this);
- DEBUGP("comparing with... ");
-
-/* nft_rule_print_save(&this, r, NFT_RULE_APPEND, 0); */
-
if (!ops->is_same(fw, &this))
return false;
@@ -617,19 +614,20 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nft_rule *r,
targname_fw = t_fw->u.user.name;
targname_this = t_this->u.user.name;
- target_fw = xtables_find_target(targname_fw, XTF_TRY_LOAD);
- target_this = xtables_find_target(targname_this, XTF_TRY_LOAD);
-
- if (target_fw != NULL && target_this != NULL) {
- if (!compare_targets(target_fw, target_this)) {
+ if (!strcmp(targname_fw, targname_this) &&
+ (!strcmp(targname_fw, "mangle") ||
+ !strcmp(targname_fw, "CLASSIFY"))) {
+ if (memcmp(t_fw->data, t_this->data,
+ t_fw->u.user.target_size - sizeof(*t_fw)) != 0) {
DEBUGP("Different target\n");
return false;
}
- } else {
- if (strcmp(targname_fw, targname_this) != 0) {
- DEBUGP("Different verdict\n");
- return false;
- }
+ return true;
+ }
+
+ if (strcmp(targname_fw, targname_this) != 0) {
+ DEBUGP("Different verdict\n");
+ return false;
}
return true;
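Review bot: The added `memcmp(t_fw->data, t_this->data, t_fw->u.user.target_size - sizeof(*t_fw))` takes its length from `t_fw` alone, so when the two targets carry different `target_size` values the read runs past the end of the shorter `t_this->data`, and if `target_size` is smaller than `sizeof(*t_fw)` the unsigned subtraction wraps to a huge length. Compare the sizes first, `if (t_fw->u.user.target_size != t_this->u.user.target_size) return false;`, placed before the memcmp. The hard-coded `"mangle"`/`"CLASSIFY"` list also means any other target that carries data is compared by name only, which a short comment should at least state. nft_arp_rule_find begins before this hunk.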
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 3d1f433..7260fdd 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -178,11 +178,11 @@ extern char *opcodes[];
#include <linux/netfilter_arp/arp_tables.h>
-static inline struct xt_entry_target *nft_arp_get_target(struct arpt_entry *fw)
+static inline struct xt_entry_target *nft_arp_get_target(struct arpt_entry *fw)
{
struct xt_entry_target **target;
- target = (void *) fw + fw->target_offset;
+ target = (void *) &fw->elems;
return *target;
}
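Review bot: nft_arp_get_target now reads a `struct xt_entry_target *` out of `fw->elems`, which in the kernel ABI is the start of the target's inline data, and nothing in the header says this userspace copy uses the flexible array differently. A comment above the function, `/* In this userspace representation elems holds a pointer to the xt_entry_target rather than the target bytes themselves; see nft_arp_parse_target */`, would stop a reader from treating `fw->elems` as inline target data. Any producer that still builds entries with `target_offset` pointing at inline data would now yield garbage here, so it may be worth confirming that every producer was converted.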
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 407fb06..8072d90 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -819,12 +819,12 @@ generate_entry(const struct arpt_entry *fw,
size = sizeof(struct arpt_entry);
- e = xtables_malloc(size + target->u.target_size);
+ e = xtables_malloc(size);
*e = *fw;
- e->target_offset = size;
- e->next_offset = size + target->u.target_size;
+ e->target_offset = offsetof(struct arpt_entry, elems);
+ e->next_offset = e->target_offset + target->u.target_size;
- t = (void *) e + e->target_offset;
+ t = (void *) &e->elems;
*t = target;
return e;
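Review bot: The allocation shrinks to `e = xtables_malloc(size);` with `size = sizeof(struct arpt_entry)`, yet the following lines store a pointer at `t = (void *) &e->elems;` — `elems` is a flexible array member, so `offsetof(struct arpt_entry, elems)` is at most `sizeof(struct arpt_entry)` and the `*t = target;` write of `sizeof(*t)` bytes lands at or past the end of the block (a heap overflow unless trailing padding happens to absorb it). Reserve room for the pointer: `e = xtables_malloc(size + sizeof(*t));`. generate_entry starts before this hunk.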
--
1.8.3.2
* [iptables-nftables PATCH 2/3] libxtables: Port libarptc mangle target into libxtables
From: Tomasz Bursztyka @ 2013-10-03 9:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Refactoring the original code so the functions fit the xtables_target
structure.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
extensions/libxt_mangle.c | 389 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 389 insertions(+)
create mode 100644 extensions/libxt_mangle.c
diff --git a/extensions/libxt_mangle.c b/extensions/libxt_mangle.c
new file mode 100644
index 0000000..822033c
--- /dev/null
+++ b/extensions/libxt_mangle.c
@@ -0,0 +1,389 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Authors:
+ * Libarptc code from: Bart De Schuymer <bdschuym@pandora.be>
+ * Port to libxtables: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <getopt.h>
+#include <errno.h>
+#include <netinet/ether.h>
+
+#include <xtables.h>
+#include <linux/netfilter_arp/arpt_mangle.h>
+
+static void mangle_help(void)
+{
+ printf(
+"mangle target options:\n"
+"--mangle-ip-s IP address\n"
+"--mangle-ip-d IP address\n"
+"--mangle-mac-s MAC address\n"
+"--mangle-mac-d MAC address\n"
+"--mangle-target target (DROP, CONTINUE or ACCEPT -- default is ACCEPT)\n"
+ );
+}
+
+#define MANGLE_IPS '1'
+#define MANGLE_IPT '2'
+#define MANGLE_DEVS '3'
+#define MANGLE_DEVT '4'
+#define MANGLE_TARGET '5'
+static const struct xt_option_entry mangle_opts[] = {
+ { .name = "mangle-ip-s", .id = MANGLE_IPS, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND },
+ { .name = "mangle-ip-d", .id = MANGLE_IPT, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND },
+ { .name = "mangle-mac-s", .id = MANGLE_DEVS, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND },
+ { .name = "mangle-mac-d", .id = MANGLE_DEVT, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND },
+ { .name = "mangle-target", .id = MANGLE_TARGET, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND },
+ XTOPT_TABLEEND,
+};
+
+
+static struct in_addr *network_to_addr(const char *name)
+{
+ struct netent *net;
+ static struct in_addr addr;
+
+ if ((net = getnetbyname(name)) != NULL) {
+ if (net->n_addrtype != AF_INET)
+ return (struct in_addr *) NULL;
+ addr.s_addr = htonl((unsigned long) net->n_net);
+ return &addr;
+ }
+
+ return (struct in_addr *) NULL;
+}
+
+static void inaddrcpy(struct in_addr *dst, struct in_addr *src)
+{
+ dst->s_addr = src->s_addr;
+}
+
+static struct in_addr *host_to_addr(const char *name, unsigned int *naddr)
+{
+ struct hostent *host;
+ struct in_addr *addr;
+ unsigned int i;
+
+ *naddr = 0;
+ if ((host = gethostbyname(name)) != NULL) {
+ if (host->h_addrtype != AF_INET ||
+ host->h_length != sizeof(struct in_addr))
+ return (struct in_addr *) NULL;
+
+ while (host->h_addr_list[*naddr] != (char *) NULL)
+ (*naddr)++;
+ addr = xtables_calloc(*naddr, sizeof(struct in_addr));
+ for (i = 0; i < *naddr; i++)
+ inaddrcpy(&(addr[i]),
+ (struct in_addr *) host->h_addr_list[i]);
+ return addr;
+ }
+
+ return (struct in_addr *) NULL;
+}
+
+static int string_to_number(const char *s, unsigned int min,
+ unsigned int max, unsigned int *ret)
+{
+ long number;
+ char *end;
+
+ /* Handle hex, octal, etc. */
+ errno = 0;
+ number = strtol(s, &end, 0);
+ if (*end == '\0' && end != s) {
+ /* we parsed a number, let's see if we want this */
+ if (errno != ERANGE && min <= number && number <= max) {
+ *ret = number;
+ return 0;
+ }
+ }
+ return -1;
+}
+
+static struct in_addr *dotted_to_addr(const char *dotted)
+{
+ static struct in_addr addr;
+ unsigned char *addrp;
+ char *p, *q;
+ unsigned int onebyte;
+ int i;
+ char buf[20];
+
+ /* copy dotted string, because we need to modify it */
+ strncpy(buf, dotted, sizeof(buf) - 1);
+ addrp = (unsigned char *) &(addr.s_addr);
+
+ p = buf;
+ for (i = 0; i < 3; i++) {
+ if ((q = strchr(p, '.')) == NULL)
+ return (struct in_addr *) NULL;
+
+ *q = '\0';
+ if (string_to_number(p, 0, 255, &onebyte) == -1)
+ return (struct in_addr *) NULL;
+
+ addrp[i] = (unsigned char) onebyte;
+ p = q + 1;
+ }
+
+ /* we've checked 3 bytes, now we check the last one */
+ if (string_to_number(p, 0, 255, &onebyte) == -1)
+ return (struct in_addr *) NULL;
+
+ addrp[3] = (unsigned char) onebyte;
+
+ return &addr;
+}
+
+static struct in_addr *parse_hostnetwork(const char *name,
+ unsigned int *naddrs)
+{
+ struct in_addr *addrp, *addrptmp;
+
+ if ((addrptmp = dotted_to_addr(name)) != NULL ||
+ (addrptmp = network_to_addr(name)) != NULL) {
+ addrp = xtables_malloc(sizeof(struct in_addr));
+ inaddrcpy(addrp, addrptmp);
+ *naddrs = 1;
+ return addrp;
+ }
+ if ((addrp = host_to_addr(name, naddrs)) != NULL)
+ return addrp;
+
+ xtables_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
+}
+
+static void mangle_parse(struct xt_option_call *cb)
+{
+ const struct arpt_entry *e = cb->xt_entry;
+ struct arpt_mangle *mangle = cb->data;
+ struct in_addr *ipaddr;
+ struct ether_addr *macaddr;
+
+ /* mangle target is by default "ACCEPT". Setting it here,
+ * since original arpt_mangle.c init() no longer exists*/
+ mangle->target = NF_ACCEPT;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case MANGLE_IPS:
+/*
+ if (e->arp.arpln_mask == 0)
+ xtables_error(PARAMETER_PROBLEM, "no pln defined");
+
+ if (e->arp.invflags & ARPT_INV_ARPPLN)
+ xtables_error(PARAMETER_PROBLEM,
+ "! pln not allowed for --mangle-ip-s");
+*/
+/*
+ if (e->arp.arpln != 4)
+ xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
+*/
+ {
+ unsigned int nr;
+ ipaddr = parse_hostnetwork(cb->arg, &nr);
+ }
+ mangle->u_s.src_ip.s_addr = ipaddr->s_addr;
+ free(ipaddr);
+ mangle->flags |= ARPT_MANGLE_SIP;
+ break;
+ case MANGLE_IPT:
+/*
+ if (e->arp.arpln_mask == 0)
+ xtables_error(PARAMETER_PROBLEM, "no pln defined");
+
+ if (e->arp.invflags & ARPT_INV_ARPPLN)
+ xtables_error(PARAMETER_PROBLEM,
+ "! pln not allowed for --mangle-ip-d");
+*/
+/*
+ if (e->arp.arpln != 4)
+ xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
+*/
+ {
+ unsigned int nr;
+ ipaddr = parse_hostnetwork(cb->arg, &nr);
+ }
+ mangle->u_t.tgt_ip.s_addr = ipaddr->s_addr;
+ free(ipaddr);
+ mangle->flags |= ARPT_MANGLE_TIP;
+ break;
+ case MANGLE_DEVS:
+ if (e->arp.arhln_mask == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "no --h-length defined");
+ if (e->arp.invflags & ARPT_INV_ARPHLN)
+ xtables_error(PARAMETER_PROBLEM,
+ "! --h-length not allowed for "
+ "--mangle-mac-s");
+ if (e->arp.arhln != 6)
+ xtables_error(PARAMETER_PROBLEM,
+ "only --h-length 6 supported");
+ macaddr = ether_aton(cb->arg);
+ if (macaddr == NULL)
+ xtables_error(PARAMETER_PROBLEM, "invalid source MAC");
+ memcpy(mangle->src_devaddr, macaddr, e->arp.arhln);
+ mangle->flags |= ARPT_MANGLE_SDEV;
+ break;
+ case MANGLE_DEVT:
+ if (e->arp.arhln_mask == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "no --h-length defined");
+ if (e->arp.invflags & ARPT_INV_ARPHLN)
+ xtables_error(PARAMETER_PROBLEM,
+ "! hln not allowed for --mangle-mac-d");
+ if (e->arp.arhln != 6)
+ xtables_error(PARAMETER_PROBLEM,
+ "only --h-length 6 supported");
+ macaddr = ether_aton(cb->arg);
+ if (macaddr == NULL)
+ xtables_error(PARAMETER_PROBLEM, "invalid target MAC");
+ memcpy(mangle->tgt_devaddr, macaddr, e->arp.arhln);
+ mangle->flags |= ARPT_MANGLE_TDEV;
+ break;
+ case MANGLE_TARGET:
+ if (!strcmp(cb->arg, "DROP"))
+ mangle->target = NF_DROP;
+ else if (!strcmp(cb->arg, "ACCEPT"))
+ mangle->target = NF_ACCEPT;
+ else if (!strcmp(cb->arg, "CONTINUE"))
+ mangle->target = ARPT_CONTINUE;
+ else
+ xtables_error(PARAMETER_PROBLEM,
+ "bad target for --mangle-target");
+ break;
+ }
+}
+
+static void mangle_fcheck(struct xt_fcheck_call *cb)
+{
+}
+
+static char *addr_to_dotted(const struct in_addr *addrp)
+{
+ static char buf[20];
+ const unsigned char *bytep;
+
+ bytep = (const unsigned char *) &(addrp->s_addr);
+ sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
+ return buf;
+}
+
+static char *addr_to_host(const struct in_addr *addr)
+{
+ struct hostent *host;
+
+ if ((host = gethostbyaddr((char *) addr,
+ sizeof(struct in_addr), AF_INET)) != NULL)
+ return (char *) host->h_name;
+
+ return (char *) NULL;
+}
+
+static char *addr_to_network(const struct in_addr *addr)
+{
+ struct netent *net;
+
+ if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
+ return (char *) net->n_name;
+
+ return (char *) NULL;
+}
+
+static char *addr_to_anyname(const struct in_addr *addr)
+{
+ char *name;
+
+ if ((name = addr_to_host(addr)) != NULL ||
+ (name = addr_to_network(addr)) != NULL)
+ return name;
+
+ return addr_to_dotted(addr);
+}
+
+static void print_mac(const unsigned char *mac, int l)
+{
+ int j;
+
+ for (j = 0; j < l; j++)
+ printf("%02x%s", mac[j],
+ (j==l-1) ? "" : ":");
+}
+
+static void mangle_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct arpt_mangle *m = (const void *)target;
+ char buf[100];
+
+ if (m->flags & ARPT_MANGLE_SIP) {
+ if (numeric)
+ sprintf(buf, "%s", addr_to_dotted(&(m->u_s.src_ip)));
+ else
+ sprintf(buf, "%s", addr_to_anyname(&(m->u_s.src_ip)));
+ printf("--mangle-ip-s %s ", buf);
+ }
+ if (m->flags & ARPT_MANGLE_SDEV) {
+ printf("--mangle-mac-s ");
+ print_mac((unsigned char *)m->src_devaddr, 6);
+ printf(" ");
+ }
+ if (m->flags & ARPT_MANGLE_TIP) {
+ if (numeric)
+ sprintf(buf, "%s", addr_to_dotted(&(m->u_t.tgt_ip)));
+ else
+ sprintf(buf, "%s", addr_to_anyname(&(m->u_t.tgt_ip)));
+ printf("--mangle-ip-d %s ", buf);
+ }
+ if (m->flags & ARPT_MANGLE_TDEV) {
+ printf("--mangle-mac-d ");
+ print_mac((unsigned char *)m->tgt_devaddr, 6);
+ printf(" ");
+ }
+ if (m->target != NF_ACCEPT) {
+ printf("--mangle-target ");
+ if (m->target == NF_DROP)
+ printf("DROP ");
+ else
+ printf("CONTINUE ");
+ }
+}
+
+static void mangle_save(const void *ip, const struct xt_entry_target *target)
+{
+}
+
+static struct xtables_target mangle_tg_reg = {
+ .family = NFPROTO_ARP,
+ .name = "mangle",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct arpt_mangle)),
+ .userspacesize = XT_ALIGN(sizeof(struct arpt_mangle)),
+ .help = mangle_help,
+ .x6_parse = mangle_parse,
+ .x6_fcheck = mangle_fcheck,
+ .print = mangle_print,
+ .save = mangle_save,
+ .x6_options = mangle_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&mangle_tg_reg);
+}
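Review bot: In mangle_print the non-numeric branches do `sprintf(buf, "%s", addr_to_anyname(...))` into `char buf[100]`, but addr_to_anyname can return `host->h_name` from a reverse DNS lookup, whose length nothing in this file bounds, so a long name overflows the stack buffer while listing rules. Use `snprintf(buf, sizeof(buf), "%s", ...)` in all four sprintf calls, or print the name directly with `printf("--mangle-ip-s %s ", addr_to_anyname(&(m->u_s.src_ip)));` and drop buf. Two smaller points in the same hunk: dotted_to_addr copies the option argument with `strncpy(buf, dotted, sizeof(buf) - 1)` into an uninitialized `char buf[20]` and never terminates it, so an argument of 19 or more characters leaves strchr reading past the buffer (`snprintf(buf, sizeof(buf), "%s", dotted);` fixes it), and mangle_parse sets `mangle->target = NF_ACCEPT;` on every option callback, which silently resets a `--mangle-target DROP` given before any other --mangle-* option.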
--
1.8.3.2
* [iptables-nftables PATCH 3/3] xtables: arp: Do not add a useless prefix for afinfo_arp
From: Tomasz Bursztyka @ 2013-10-03 9:52 UTC (permalink / raw)
To: netfilter-devel; +Cc: Tomasz Bursztyka
Let's use libxt_ as it should, since CLASSIFY and now mangle targets
(the only 2 targets xtables-arp is going to use) are libxt_ prefixed.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
iptables/xtables-arp-standalone.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables-arp-standalone.c b/iptables/xtables-arp-standalone.c
index 8d4679f..a9c880f 100644
--- a/iptables/xtables-arp-standalone.c
+++ b/iptables/xtables-arp-standalone.c
@@ -47,7 +47,7 @@ extern const char *program_version, *program_name;
static const struct xtables_afinfo afinfo_arp = {
.kmod = "arp_tables",
.proc_exists = "/proc/net/arp_tables_names",
- .libprefix = "libarp_",
+ .libprefix = "libxt_",
.family = NFPROTO_ARP,
.ipproto = IPPROTO_IP,
.so_rev_match = -1,
--
1.8.3.2
* Re: [iptables-nftables PATCH 1/3] xtables: arp: Store target entry properly and compare them relevantly
From: Pablo Neira Ayuso @ 2013-10-03 10:32 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Thu, Oct 03, 2013 at 12:52:55PM +0300, Tomasz Bursztyka wrote:
> Fixes a segfault issue when deleting a rule.
Applied, thanks Tomasz.
* Re: [iptables-nftables PATCH 2/3] libxtables: Port libarptc mangle target into libxtables
From: Pablo Neira Ayuso @ 2013-10-03 10:32 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Thu, Oct 03, 2013 at 12:52:56PM +0300, Tomasz Bursztyka wrote:
> Refactoring original code so functions fits with xtables_target
> structure.
Also applied, thanks.
* Re: [iptables-nftables PATCH 2/3] libxtables: Port libarptc mangle target into libxtables
From: Pablo Neira Ayuso @ 2013-10-03 10:36 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Thu, Oct 03, 2013 at 12:32:29PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 03, 2013 at 12:52:56PM +0300, Tomasz Bursztyka wrote:
> > Refactoring original code so functions fits with xtables_target
> > structure.
>
> Also applied, thanks.
We need a follow up fix for this:
xtables-arp -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01
xtables-arp v1.4.19.1: Extension mangle uses invalid ID 49
* Re: [iptables-nftables PATCH 3/3] xtables: arp: Do not add a useless prefix for afinfo_arp
From: Pablo Neira Ayuso @ 2013-10-03 10:37 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: netfilter-devel
On Thu, Oct 03, 2013 at 12:52:57PM +0300, Tomasz Bursztyka wrote:
> Let's use libxt_ as it should, since CLASSIFY and now mangle targets
> (the 2 only targets xtables-arp is going to use) are libxt_ prefixed.
I think that .libprefix is ignored, so we don't really need this
change.
Are you noticing any problem when adding xtables-arp commands?
* Re: [iptables-nftables PATCH 3/3] xtables: arp: Do not add a useless prefix for afinfo_arp
From: Tomasz Bursztyka @ 2013-10-03 10:42 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hi Pablo,
> I think that .libprefix is ignored, so we don't really need this
> change.
>
> Are you noticing any problem when adding xtables-arp commands?
No indeed. It tries the prefix, and falls back to libxt_ as the default.
As you want then, this clarifies that at least we really don't have
anything like libarp_ prefix
Tomasz
* Re: [iptables-nftables PATCH 2/3] libxtables: Port libarptc mangle target into libxtables
From: Tomasz Bursztyka @ 2013-10-03 10:43 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hi Pablo,
> We need a follow up fix for this:
>
> xtables-arp -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01
> xtables-arp v1.4.19.1: Extension mangle uses invalid ID 49
Will take a look at this.
Tomasz
* Re: [iptables-nftables PATCH 2/3] libxtables: Port libarptc mangle target into libxtables
From: Tomasz Bursztyka @ 2013-10-03 12:08 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Ok the command below gets parsed properly with the later patches I sent.
> We need a follow up fix for this:
>
> xtables-arp -A OUTPUT -o eth1 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01
> xtables-arp v1.4.19.1: Extension mangle uses invalid ID 49
However there is now an issue in the netlink message.
I see where the bug is; I have a fix for it.
Tomasz