diff options
| author | Florian Westphal <fw@strlen.de> | 2018-05-08 09:41:47 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-05-10 02:31:05 +0200 |
| commit | 0ae81d09c93a6c27573ae561f2af09153a5f3e51 (patch) | |
| tree | d737e5deb49aa62cde09959f5b726db5f8d20fe0 /iptables | |
| parent | 651cfee91a8f42336b9d794c838b9f4f480308c9 (diff) | |
xtables-compat: ebtables: kill ebtables_command_state
Use iptables_command_state instead.
This allows to re-use code from the ip(6)tables layer and
reduces cop&pasted code.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables')
| -rw-r--r-- | iptables/nft-bridge.c | 190 | ||||
| -rw-r--r-- | iptables/nft-bridge.h | 56 | ||||
| -rw-r--r-- | iptables/nft-shared.c | 7 | ||||
| -rw-r--r-- | iptables/nft-shared.h | 1 | ||||
| -rw-r--r-- | iptables/xshared.h | 35 | ||||
| -rw-r--r-- | iptables/xtables-eb-translate.c | 54 | ||||
| -rw-r--r-- | iptables/xtables-eb.c | 60 |
7 files changed, 172 insertions, 231 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 0ff1ec1c..1887586c 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -22,7 +22,7 @@ #include "nft-bridge.h" #include "nft.h" -void ebt_cs_clean(struct ebtables_command_state *cs) +void ebt_cs_clean(struct iptables_command_state *cs) { struct ebt_match *m, *nm; @@ -131,7 +131,7 @@ static void add_logical_outiface(struct nftnl_rule *r, char *iface, uint32_t op) /* TODO: Use generic add_action() once we convert this to use * iptables_command_state. */ -static int _add_action(struct nftnl_rule *r, struct ebtables_command_state *cs) +static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) { int ret = 0; @@ -159,9 +159,9 @@ static int _add_action(struct nftnl_rule *r, struct ebtables_command_state *cs) static int nft_bridge_add(struct nftnl_rule *r, void *data) { - struct ebtables_command_state *cs = data; + struct iptables_command_state *cs = data; struct ebt_match *iter; - struct ebt_entry *fw = &cs->fw; + struct ebt_entry *fw = &cs->eb; uint32_t op; char *addr; @@ -233,8 +233,8 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data) static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, void *data) { - struct ebtables_command_state *cs = data; - struct ebt_entry *fw = &cs->fw; + struct iptables_command_state *cs = data; + struct ebt_entry *fw = &cs->eb; uint8_t flags = 0; int iface = 0; const void *ifname; @@ -287,8 +287,8 @@ out: static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e, void *data) { - struct ebtables_command_state *cs = data; - struct ebt_entry *fw = &cs->fw; + struct iptables_command_state *cs = data; + struct ebt_entry *fw = &cs->eb; unsigned char addr[ETH_ALEN]; unsigned short int ethproto; bool inv; @@ -334,7 +334,7 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx, static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto, void *data) { - struct ebtables_command_state *cs = data; + struct iptables_command_state *cs = data; cs->jumpto = jumpto; } @@ -362,14 +362,14 @@ static void parse_watcher(void *object, struct ebt_match **match_list, static void nft_bridge_parse_match(struct xtables_match *m, void *data) { - struct ebtables_command_state *cs = data; + struct iptables_command_state *cs = data; parse_watcher(m, &cs->match_list, true); } static void nft_bridge_parse_target(struct xtables_target *t, void *data) { - struct ebtables_command_state *cs = data; + struct iptables_command_state *cs = data; /* harcoded names :-( */ if (strcmp(t->name, "log") == 0 || @@ -381,55 +381,11 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data) cs->target = t; } -void nft_rule_to_ebtables_command_state(struct nftnl_rule *r, - struct ebtables_command_state *cs) +static void nft_rule_to_ebtables_command_state(struct nftnl_rule *r, + struct iptables_command_state *cs) { - struct nftnl_expr_iter *iter; - struct nftnl_expr *expr; - int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY); - struct nft_xt_ctx ctx = { - .state.cs_eb = cs, - .family = family, - }; - - iter = nftnl_expr_iter_create(r); - if (iter == NULL) - return; - - expr = nftnl_expr_iter_next(iter); - while (expr != NULL) { - const char *name = - nftnl_expr_get_str(expr, NFTNL_EXPR_NAME); - - if (strcmp(name, "counter") == 0) - nft_parse_counter(expr, &cs->counters); - else if (strcmp(name, "payload") == 0) - nft_parse_payload(&ctx, expr); - else if (strcmp(name, "meta") == 0) - nft_parse_meta(&ctx, expr); - else if (strcmp(name, "bitwise") == 0) - nft_parse_bitwise(&ctx, expr); - else if (strcmp(name, "cmp") == 0) - nft_parse_cmp(&ctx, expr); - else if (strcmp(name, "immediate") == 0) - nft_parse_immediate(&ctx, expr); - else if (strcmp(name, "match") == 0) - nft_parse_match(&ctx, expr); - else if (strcmp(name, "target") == 0) - nft_parse_target(&ctx, expr); - - expr = nftnl_expr_iter_next(iter); - } - - nftnl_expr_iter_destroy(iter); - - if (cs->jumpto != NULL) - return; - - if (cs->target != NULL && cs->target->name != NULL) - cs->target = xtables_find_target(cs->target->name, XTF_TRY_LOAD); - else - cs->jumpto = "CONTINUE"; + cs->eb.bitmask = EBT_NOPROTO; + nft_rule_to_iptables_command_state(r, cs); } static void print_iface(const char *iface) @@ -463,7 +419,7 @@ static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num, struct xtables_match *matchp; struct xtables_target *watcherp; struct ebt_match *m; - struct ebtables_command_state cs = {}; + struct iptables_command_state cs = {}; char *addr; nft_rule_to_ebtables_command_state(r, &cs); @@ -473,67 +429,67 @@ static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num, /* Dont print anything about the protocol if no protocol was * specified, obviously this means any protocol will do. */ - if (cs.fw.ethproto != 0) { + if (cs.eb.ethproto != 0) { printf("-p "); - if (cs.fw.invflags & EBT_IPROTO) + if (cs.eb.invflags & EBT_IPROTO) printf("! "); - if (cs.fw.bitmask & EBT_802_3) + if (cs.eb.bitmask & EBT_802_3) printf("Length "); else { struct ethertypeent *ent; - ent = getethertypebynumber(ntohs(cs.fw.ethproto)); + ent = getethertypebynumber(ntohs(cs.eb.ethproto)); if (!ent) - printf("0x%x ", ntohs(cs.fw.ethproto)); + printf("0x%x ", ntohs(cs.eb.ethproto)); else printf("%s ", ent->e_name); } } - addr = ether_ntoa((struct ether_addr *) cs.fw.sourcemac); + addr = ether_ntoa((struct ether_addr *) cs.eb.sourcemac); if (strcmp(addr, "0:0:0:0:0:0") != 0) { printf("-s "); - if (cs.fw.invflags & EBT_ISOURCE) + if (cs.eb.invflags & EBT_ISOURCE) printf("! "); - ebt_print_mac_and_mask(cs.fw.sourcemac, cs.fw.sourcemsk); + ebt_print_mac_and_mask(cs.eb.sourcemac, cs.eb.sourcemsk); printf(" "); } - addr = ether_ntoa((struct ether_addr *) cs.fw.destmac); + addr = ether_ntoa((struct ether_addr *) cs.eb.destmac); if (strcmp(addr, "0:0:0:0:0:0") != 0) { printf("-d "); - if (cs.fw.invflags & EBT_IDEST) + if (cs.eb.invflags & EBT_IDEST) printf("! "); - ebt_print_mac_and_mask(cs.fw.destmac, cs.fw.destmsk); + ebt_print_mac_and_mask(cs.eb.destmac, cs.eb.destmsk); printf(" "); } - if (cs.fw.in[0] != '\0') { + if (cs.eb.in[0] != '\0') { printf("-i "); - if (cs.fw.invflags & EBT_IIN) + if (cs.eb.invflags & EBT_IIN) printf("! "); - print_iface(cs.fw.in); + print_iface(cs.eb.in); } - if (cs.fw.logical_in[0] != '\0') { + if (cs.eb.logical_in[0] != '\0') { printf("--logical-in "); - if (cs.fw.invflags & EBT_ILOGICALIN) + if (cs.eb.invflags & EBT_ILOGICALIN) printf("! "); - print_iface(cs.fw.logical_in); + print_iface(cs.eb.logical_in); } - if (cs.fw.logical_out[0] != '\0') { + if (cs.eb.logical_out[0] != '\0') { printf("--logical-out "); - if (cs.fw.invflags & EBT_ILOGICALOUT) + if (cs.eb.invflags & EBT_ILOGICALOUT) printf("! "); - print_iface(cs.fw.logical_out); + print_iface(cs.eb.logical_out); } - if (cs.fw.out[0] != '\0') { + if (cs.eb.out[0] != '\0') { printf("-o "); - if (cs.fw.invflags & EBT_IOUT) + if (cs.eb.invflags & EBT_IOUT) printf("! "); - print_iface(cs.fw.out); + print_iface(cs.eb.out); } for (m = cs.match_list; m; m = m->next) { @@ -554,8 +510,12 @@ static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num, printf("-j "); - if (cs.jumpto != NULL) - printf("%s", cs.jumpto); + if (cs.jumpto != NULL) { + if (strcmp(cs.jumpto, "") != 0) + printf("%s", cs.jumpto); + else + printf("CONTINUE"); + } else if (cs.target != NULL && cs.target->print != NULL) cs.target->print(&cs.fw, cs.target->t, format & FMT_NUMERIC); @@ -623,8 +583,8 @@ static bool nft_bridge_is_same(const void *data_a, const void *data_b) static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r, void *data) { - struct ebtables_command_state *cs = data; - struct ebtables_command_state this = {}; + struct iptables_command_state *cs = data; + struct iptables_command_state this = {}; nft_rule_to_ebtables_command_state(r, &this); @@ -651,7 +611,7 @@ static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule * return true; } -static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xlate *xl) +static int xlate_ebmatches(const struct iptables_command_state *cs, struct xt_xlate *xl) { int ret = 1, numeric = cs->options & OPT_NUMERIC; struct ebt_match *m; @@ -660,7 +620,7 @@ static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xl if (m->ismatch) { struct xtables_match *matchp = m->u.match; struct xt_xlate_mt_params mt_params = { - .ip = (const void *)&cs->fw, + .ip = (const void *)&cs->eb, .numeric = numeric, .escape_quotes = false, .match = matchp->m, @@ -673,7 +633,7 @@ static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xl } else { struct xtables_target *watcherp = m->u.watcher; struct xt_xlate_tg_params wt_params = { - .ip = (const void *)&cs->fw, + .ip = (const void *)&cs->eb, .numeric = numeric, .escape_quotes = false, .target = watcherp->t, @@ -692,7 +652,7 @@ static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xl return ret; } -static int xlate_ebaction(const struct ebtables_command_state *cs, struct xt_xlate *xl) +static int xlate_ebaction(const struct iptables_command_state *cs, struct xt_xlate *xl) { int ret = 1, numeric = cs->options & OPT_NUMERIC; @@ -708,7 +668,7 @@ static int xlate_ebaction(const struct ebtables_command_state *cs, struct xt_xla else if (cs->target->xlate) { xt_xlate_add(xl, " "); struct xt_xlate_tg_params params = { - .ip = (const void *)&cs->fw, + .ip = (const void *)&cs->eb, .target = cs->target->t, .numeric = numeric, }; @@ -726,51 +686,51 @@ static int xlate_ebaction(const struct ebtables_command_state *cs, struct xt_xla static int nft_bridge_xlate(const void *data, struct xt_xlate *xl) { - const struct ebtables_command_state *cs = data; + const struct iptables_command_state *cs = data; char one_msk[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; char zero_msk[ETH_ALEN] = {}; const char *addr; int ret; - xlate_ifname(xl, "iifname", cs->fw.in, - cs->fw.invflags & EBT_IIN); - xlate_ifname(xl, "oifname", cs->fw.out, - cs->fw.invflags & EBT_IOUT); + xlate_ifname(xl, "iifname", cs->eb.in, + cs->eb.invflags & EBT_IIN); + xlate_ifname(xl, "oifname", cs->eb.out, + cs->eb.invflags & EBT_IOUT); - xlate_ifname(xl, "meta ibridgename", cs->fw.logical_in, - cs->fw.invflags & EBT_ILOGICALIN); - xlate_ifname(xl, "meta obridgename", cs->fw.logical_out, - cs->fw.invflags & EBT_ILOGICALOUT); + xlate_ifname(xl, "meta ibridgename", cs->eb.logical_in, + cs->eb.invflags & EBT_ILOGICALIN); + xlate_ifname(xl, "meta obridgename", cs->eb.logical_out, + cs->eb.invflags & EBT_ILOGICALOUT); - if (cs->fw.ethproto != 0) { + if (cs->eb.ethproto != 0) { xt_xlate_add(xl, "ether type %s 0x%x ", - cs->fw.invflags & EBT_IPROTO ? "!= " : "", - ntohs(cs->fw.ethproto)); + cs->eb.invflags & EBT_IPROTO ? "!= " : "", + ntohs(cs->eb.ethproto)); } - if (cs->fw.bitmask & EBT_802_3) + if (cs->eb.bitmask & EBT_802_3) return 0; - if (memcmp(cs->fw.sourcemac, zero_msk, sizeof(cs->fw.sourcemac))) { - addr = ether_ntoa((struct ether_addr *) cs->fw.sourcemac); + if (memcmp(cs->eb.sourcemac, zero_msk, sizeof(cs->eb.sourcemac))) { + addr = ether_ntoa((struct ether_addr *) cs->eb.sourcemac); xt_xlate_add(xl, "ether saddr %s%s ", - cs->fw.invflags & EBT_ISOURCE ? "!= " : "", addr); + cs->eb.invflags & EBT_ISOURCE ? "!= " : "", addr); - if (memcmp(cs->fw.sourcemsk, one_msk, sizeof(cs->fw.sourcemsk))) { - addr = ether_ntoa((struct ether_addr *) cs->fw.sourcemsk); + if (memcmp(cs->eb.sourcemsk, one_msk, sizeof(cs->eb.sourcemsk))) { + addr = ether_ntoa((struct ether_addr *) cs->eb.sourcemsk); xt_xlate_add(xl, "and %s ", addr); } } - if (memcmp(cs->fw.destmac, zero_msk, sizeof(cs->fw.destmac))) { - addr = ether_ntoa((struct ether_addr *) cs->fw.destmac); + if (memcmp(cs->eb.destmac, zero_msk, sizeof(cs->eb.destmac))) { + addr = ether_ntoa((struct ether_addr *) cs->eb.destmac); xt_xlate_add(xl, "ether daddr %s %s ", - cs->fw.invflags & EBT_ISOURCE ? "!= " : "", addr); + cs->eb.invflags & EBT_ISOURCE ? "!= " : "", addr); - if (memcmp(cs->fw.destmsk, one_msk, sizeof(cs->fw.destmsk))) { - addr = ether_ntoa((struct ether_addr *) cs->fw.destmsk); + if (memcmp(cs->eb.destmsk, one_msk, sizeof(cs->eb.destmsk))) { + addr = ether_ntoa((struct ether_addr *) cs->eb.destmsk); xt_xlate_add(xl, "and %s ", addr); } } diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index 9217d633..3ee04640 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -70,57 +70,7 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas */ #define EBT_VERDICT_BITS 0x0000000F -/* Fake ebt_entry */ -struct ebt_entry { - /* this needs to be the first field */ - unsigned int bitmask; - unsigned int invflags; - uint16_t ethproto; - /* the physical in-dev */ - char in[IFNAMSIZ]; - /* the logical in-dev */ - char logical_in[IFNAMSIZ]; - /* the physical out-dev */ - char out[IFNAMSIZ]; - /* the logical out-dev */ - char logical_out[IFNAMSIZ]; - unsigned char sourcemac[ETH_ALEN]; - unsigned char sourcemsk[ETH_ALEN]; - unsigned char destmac[ETH_ALEN]; - unsigned char destmsk[ETH_ALEN]; - - unsigned char in_mask[IFNAMSIZ]; - unsigned char out_mask[IFNAMSIZ]; -}; - -/* trick for ebtables-compat, since watchers are targets */ -struct ebt_match { - struct ebt_match *next; - union { - struct xtables_match *match; - struct xtables_target *watcher; - } u; - bool ismatch; -}; - -struct ebtables_command_state { - struct ebt_entry fw; - struct xtables_target *target; - struct xtables_rule_match *matches; - struct ebt_match *match_list; - const char *jumpto; - struct xt_counters counters; - int invert; - int c; - char **argv; - int proto_used; - char *protocol; - unsigned int options; -}; - struct nftnl_rule; -void nft_rule_to_ebtables_command_state(struct nftnl_rule *r, - struct ebtables_command_state *cs); static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = { "ACCEPT", @@ -167,11 +117,11 @@ static inline const char *ebt_target_name(unsigned int verdict) *flags |= mask; \ }) \ -void ebt_cs_clean(struct ebtables_command_state *cs); +void ebt_cs_clean(struct iptables_command_state *cs); void ebt_load_match_extensions(void); void ebt_add_match(struct xtables_match *m, - struct ebtables_command_state *cs); + struct iptables_command_state *cs); void ebt_add_watcher(struct xtables_target *watcher, - struct ebtables_command_state *cs); + struct iptables_command_state *cs); #endif diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index ecc54024..76fd8e49 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -294,11 +294,10 @@ static void *nft_get_data(struct nft_xt_ctx *ctx) switch(ctx->family) { case NFPROTO_IPV4: case NFPROTO_IPV6: + case NFPROTO_BRIDGE: return ctx->state.cs; case NFPROTO_ARP: return ctx->state.cs_arp; - case NFPROTO_BRIDGE: - return ctx->state.cs_eb; default: /* Should not happen */ return NULL; @@ -351,10 +350,8 @@ void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e) switch (ctx->family) { case NFPROTO_IPV4: case NFPROTO_IPV6: - matches = &ctx->state.cs->matches; - break; case NFPROTO_BRIDGE: - matches = &ctx->state.cs_eb->matches; + matches = &ctx->state.cs->matches; break; default: fprintf(stderr, "BUG: nft_parse_match() unknown family %d\n", diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index 34027af9..0108b7f9 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -49,7 +49,6 @@ struct nft_xt_ctx { union { struct iptables_command_state *cs; struct arptables_command_state *cs_arp; - struct ebtables_command_state *cs_eb; } state; struct nftnl_expr_iter *iter; int family; diff --git a/iptables/xshared.h b/iptables/xshared.h index 7e6d0859..cec5a08a 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -48,8 +48,42 @@ struct xtables_afinfo { int so_rev_target; }; +/* trick for ebtables-compat, since watchers are targets */ +struct ebt_match { + struct ebt_match *next; + union { + struct xtables_match *match; + struct xtables_target *watcher; + } u; + bool ismatch; +}; + +/* Fake ebt_entry */ +struct ebt_entry { + /* this needs to be the first field */ + unsigned int bitmask; + unsigned int invflags; + uint16_t ethproto; + /* the physical in-dev */ + char in[IFNAMSIZ]; + /* the logical in-dev */ + char logical_in[IFNAMSIZ]; + /* the physical out-dev */ + char out[IFNAMSIZ]; + /* the logical out-dev */ + char logical_out[IFNAMSIZ]; + unsigned char sourcemac[6]; + unsigned char sourcemsk[6]; + unsigned char destmac[6]; + unsigned char destmsk[6]; + + unsigned char in_mask[IFNAMSIZ]; + unsigned char out_mask[IFNAMSIZ]; +}; + struct iptables_command_state { union { + struct ebt_entry eb; struct ipt_entry fw; struct ip6t_entry fw6; }; @@ -57,6 +91,7 @@ struct iptables_command_state { int c; unsigned int options; struct xtables_rule_match *matches; + struct ebt_match *match_list; struct xtables_target *target; struct xt_counters counters; char *protocol; diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c index 42db2d01..5b0bbb41 100644 --- a/iptables/xtables-eb-translate.c +++ b/iptables/xtables-eb-translate.c @@ -165,7 +165,7 @@ static struct option *merge_options(struct option *oldopts, /* * More glue code. */ -static struct xtables_target *command_jump(struct ebtables_command_state *cs, +static struct xtables_target *command_jump(struct iptables_command_state *cs, const char *jumpto) { struct xtables_target *target; @@ -234,7 +234,7 @@ static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end) /* Incrementing or decrementing rules in daemon mode is not supported as the * involved code overload is not worth it (too annoying to take the increased * counters in the kernel into account). */ -static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct ebtables_command_state *cs) +static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct iptables_command_state *cs) { char *buffer; int ret = 0; @@ -321,7 +321,7 @@ static void print_ebt_cmd(int argc, char *argv[]) } static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct nft_xt_cmd_parse *p, - const struct ebtables_command_state *cs, bool append) + const struct iptables_command_state *cs, bool append) { struct xt_xlate *xl = xt_xlate_alloc(10240); int ret; @@ -352,7 +352,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char unsigned int flags = 0; struct xtables_target *t, *w; struct xtables_match *m; - struct ebtables_command_state cs; + struct iptables_command_state cs; char command = 'h'; const char *chain = NULL; int exec_style = EXEC_STYLE_PRG; @@ -537,14 +537,14 @@ print_zero: xtables_error(PARAMETER_PROBLEM, "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IIN; + cs.eb.invflags |= EBT_IIN; if (strlen(optarg) >= IFNAMSIZ) big_iface_length: xtables_error(PARAMETER_PROBLEM, "Interface name length cannot exceed %d characters", IFNAMSIZ - 1); - xtables_parse_interface(optarg, cs.fw.in, cs.fw.in_mask); + xtables_parse_interface(optarg, cs.eb.in, cs.eb.in_mask); break; } else if (c == 2) { ebt_check_option2(&flags, OPT_LOGICALIN); @@ -552,12 +552,12 @@ big_iface_length: xtables_error(PARAMETER_PROBLEM, "Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_ILOGICALIN; + cs.eb.invflags |= EBT_ILOGICALIN; if (strlen(optarg) >= IFNAMSIZ) goto big_iface_length; - strcpy(cs.fw.logical_in, optarg); - if (parse_iface(cs.fw.logical_in, "--logical-in")) + strcpy(cs.eb.logical_in, optarg); + if (parse_iface(cs.eb.logical_in, "--logical-in")) return -1; break; } else if (c == 'o') { @@ -566,12 +566,12 @@ big_iface_length: xtables_error(PARAMETER_PROBLEM, "Use -o only in OUTPUT, FORWARD and POSTROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IOUT; + cs.eb.invflags |= EBT_IOUT; if (strlen(optarg) >= IFNAMSIZ) goto big_iface_length; - xtables_parse_interface(optarg, cs.fw.out, cs.fw.out_mask); + xtables_parse_interface(optarg, cs.eb.out, cs.eb.out_mask); break; } else if (c == 3) { ebt_check_option2(&flags, OPT_LOGICALOUT); @@ -579,12 +579,12 @@ big_iface_length: xtables_error(PARAMETER_PROBLEM, "Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_ILOGICALOUT; + cs.eb.invflags |= EBT_ILOGICALOUT; if (strlen(optarg) >= IFNAMSIZ) goto big_iface_length; - strcpy(cs.fw.logical_out, optarg); - if (parse_iface(cs.fw.logical_out, "--logical-out")) + strcpy(cs.eb.logical_out, optarg); + if (parse_iface(cs.eb.logical_out, "--logical-out")) return -1; break; } else if (c == 'j') { @@ -595,20 +595,20 @@ big_iface_length: } else if (c == 's') { ebt_check_option2(&flags, OPT_SOURCE); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_ISOURCE; + cs.eb.invflags |= EBT_ISOURCE; - if (ebt_get_mac_and_mask(optarg, cs.fw.sourcemac, cs.fw.sourcemsk)) + if (ebt_get_mac_and_mask(optarg, cs.eb.sourcemac, cs.eb.sourcemsk)) xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg); - cs.fw.bitmask |= EBT_SOURCEMAC; + cs.eb.bitmask |= EBT_SOURCEMAC; break; } else if (c == 'd') { ebt_check_option2(&flags, OPT_DEST); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IDEST; + cs.eb.invflags |= EBT_IDEST; - if (ebt_get_mac_and_mask(optarg, cs.fw.destmac, cs.fw.destmsk)) + if (ebt_get_mac_and_mask(optarg, cs.eb.destmac, cs.eb.destmsk)) xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg); - cs.fw.bitmask |= EBT_DESTMAC; + cs.eb.bitmask |= EBT_DESTMAC; break; } else if (c == 'c') { ebt_check_option2(&flags, OPT_COUNT); @@ -634,9 +634,9 @@ big_iface_length: } ebt_check_option2(&flags, OPT_PROTOCOL); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IPROTO; + cs.eb.invflags |= EBT_IPROTO; - cs.fw.bitmask &= ~((unsigned int)EBT_NOPROTO); + cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO); i = strtol(optarg, &buffer, 16); if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) xtables_error(PARAMETER_PROBLEM, @@ -645,18 +645,18 @@ big_iface_length: struct ethertypeent *ent; if (!strcasecmp(optarg, "LENGTH")) { - cs.fw.bitmask |= EBT_802_3; + cs.eb.bitmask |= EBT_802_3; break; } ent = getethertypebyname(optarg); if (!ent) xtables_error(PARAMETER_PROBLEM, "Problem with the specified Ethernet protocol '%s', perhaps "_PATH_ETHERTYPES " is missing", optarg); - cs.fw.ethproto = ent->e_ethertype; + cs.eb.ethproto = ent->e_ethertype; } else - cs.fw.ethproto = i; + cs.eb.ethproto = i; - if (cs.fw.ethproto < 0x0600) + if (cs.eb.ethproto < 0x0600) xtables_error(PARAMETER_PROBLEM, "Sorry, protocols have values above or equal to 0x0600"); break; @@ -757,7 +757,7 @@ check_extension: xtables_option_tfcall(cs.target); } - cs.fw.ethproto = htons(cs.fw.ethproto); + cs.eb.ethproto = htons(cs.eb.ethproto); if (command == 'P') { return 0; diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 1a95eef4..a6cb3f1f 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -168,7 +168,7 @@ static int append_entry(struct nft_handle *h, const char *chain, const char *table, - struct ebtables_command_state *cs, + struct iptables_command_state *cs, int rule_nr, bool verbose, bool append) { @@ -186,7 +186,7 @@ static int delete_entry(struct nft_handle *h, const char *chain, const char *table, - struct ebtables_command_state *cs, + struct iptables_command_state *cs, int rule_nr, int rule_nr_end, bool verbose) @@ -380,7 +380,7 @@ static struct option *merge_options(struct option *oldopts, /* * More glue code. */ -static struct xtables_target *command_jump(struct ebtables_command_state *cs, +static struct xtables_target *command_jump(struct iptables_command_state *cs, const char *jumpto) { struct xtables_target *target; @@ -524,7 +524,7 @@ static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end) /* Incrementing or decrementing rules in daemon mode is not supported as the * involved code overload is not worth it (too annoying to take the increased * counters in the kernel into account). */ -static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct ebtables_command_state *cs) +static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct iptables_command_state *cs) { char *buffer; int ret = 0; @@ -679,7 +679,7 @@ void ebt_load_match_extensions(void) } void ebt_add_match(struct xtables_match *m, - struct ebtables_command_state *cs) + struct iptables_command_state *cs) { struct xtables_rule_match *i, **rule_matches = &cs->matches; struct xtables_match *newm; @@ -715,7 +715,7 @@ void ebt_add_match(struct xtables_match *m, } void ebt_add_watcher(struct xtables_target *watcher, - struct ebtables_command_state *cs) + struct iptables_command_state *cs) { struct ebt_match *i, *newnode; @@ -753,7 +753,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table) unsigned int flags = 0; struct xtables_target *t, *w; struct xtables_match *m; - struct ebtables_command_state cs; + struct iptables_command_state cs; char command = 'h'; const char *chain = NULL; const char *policy = NULL; @@ -1006,14 +1006,14 @@ print_zero: xtables_error(PARAMETER_PROBLEM, "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IIN; + cs.eb.invflags |= EBT_IIN; if (strlen(optarg) >= IFNAMSIZ) big_iface_length: xtables_error(PARAMETER_PROBLEM, "Interface name length cannot exceed %d characters", IFNAMSIZ - 1); - xtables_parse_interface(optarg, cs.fw.in, cs.fw.in_mask); + xtables_parse_interface(optarg, cs.eb.in, cs.eb.in_mask); break; } else if (c == 2) { ebt_check_option2(&flags, OPT_LOGICALIN); @@ -1021,12 +1021,12 @@ big_iface_length: xtables_error(PARAMETER_PROBLEM, "Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_ILOGICALIN; + cs.eb.invflags |= EBT_ILOGICALIN; if (strlen(optarg) >= IFNAMSIZ) goto big_iface_length; - strcpy(cs.fw.logical_in, optarg); - if (parse_iface(cs.fw.logical_in, "--logical-in")) + strcpy(cs.eb.logical_in, optarg); + if (parse_iface(cs.eb.logical_in, "--logical-in")) return -1; break; } else if (c == 'o') { @@ -1035,12 +1035,12 @@ big_iface_length: xtables_error(PARAMETER_PROBLEM, "Use -o only in OUTPUT, FORWARD and POSTROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IOUT; + cs.eb.invflags |= EBT_IOUT; if (strlen(optarg) >= IFNAMSIZ) goto big_iface_length; - xtables_parse_interface(optarg, cs.fw.out, cs.fw.out_mask); + xtables_parse_interface(optarg, cs.eb.out, cs.eb.out_mask); break; } else if (c == 3) { ebt_check_option2(&flags, OPT_LOGICALOUT); @@ -1048,12 +1048,12 @@ big_iface_length: xtables_error(PARAMETER_PROBLEM, "Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains"); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_ILOGICALOUT; + cs.eb.invflags |= EBT_ILOGICALOUT; if (strlen(optarg) >= IFNAMSIZ) goto big_iface_length; - strcpy(cs.fw.logical_out, optarg); - if (parse_iface(cs.fw.logical_out, "--logical-out")) + strcpy(cs.eb.logical_out, optarg); + if (parse_iface(cs.eb.logical_out, "--logical-out")) return -1; break; } else if (c == 'j') { @@ -1064,20 +1064,20 @@ big_iface_length: } else if (c == 's') { ebt_check_option2(&flags, OPT_SOURCE); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_ISOURCE; + cs.eb.invflags |= EBT_ISOURCE; - if (ebt_get_mac_and_mask(optarg, cs.fw.sourcemac, cs.fw.sourcemsk)) + if (ebt_get_mac_and_mask(optarg, cs.eb.sourcemac, cs.eb.sourcemsk)) xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg); - cs.fw.bitmask |= EBT_SOURCEMAC; + cs.eb.bitmask |= EBT_SOURCEMAC; break; } else if (c == 'd') { ebt_check_option2(&flags, OPT_DEST); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IDEST; + cs.eb.invflags |= EBT_IDEST; - if (ebt_get_mac_and_mask(optarg, cs.fw.destmac, cs.fw.destmsk)) + if (ebt_get_mac_and_mask(optarg, cs.eb.destmac, cs.eb.destmsk)) xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg); - cs.fw.bitmask |= EBT_DESTMAC; + cs.eb.bitmask |= EBT_DESTMAC; break; } else if (c == 'c') { ebt_check_option2(&flags, OPT_COUNT); @@ -1103,9 +1103,9 @@ big_iface_length: } ebt_check_option2(&flags, OPT_PROTOCOL); if (ebt_check_inverse2(optarg, argc, argv)) - cs.fw.invflags |= EBT_IPROTO; + cs.eb.invflags |= EBT_IPROTO; - cs.fw.bitmask &= ~((unsigned int)EBT_NOPROTO); + cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO); i = strtol(optarg, &buffer, 16); if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) xtables_error(PARAMETER_PROBLEM, @@ -1114,18 +1114,18 @@ big_iface_length: struct ethertypeent *ent; if (!strcasecmp(optarg, "LENGTH")) { - cs.fw.bitmask |= EBT_802_3; + cs.eb.bitmask |= EBT_802_3; break; } ent = getethertypebyname(optarg); if (!ent) xtables_error(PARAMETER_PROBLEM, "Problem with the specified Ethernet protocol '%s', perhaps "_PATH_ETHERTYPES " is missing", optarg); - cs.fw.ethproto = ent->e_ethertype; + cs.eb.ethproto = ent->e_ethertype; } else - cs.fw.ethproto = i; + cs.eb.ethproto = i; - if (cs.fw.ethproto < 0x0600) + if (cs.eb.ethproto < 0x0600) xtables_error(PARAMETER_PROBLEM, "Sorry, protocols have values above or equal to 0x0600"); break; @@ -1331,7 +1331,7 @@ check_extension: } /* So, the extensions can work with the host endian. * The kernel does not have to do this of course */ - cs.fw.ethproto = htons(cs.fw.ethproto); + cs.eb.ethproto = htons(cs.eb.ethproto); if (command == 'P') { if (selected_chain < 0) { |