-rw-r--r--INSTALL20
-rw-r--r--Makefile43
-rw-r--r--Rules.make1
-rw-r--r--extensions/Makefile46
-rw-r--r--extensions/libip6t_LOG.c1
-rw-r--r--extensions/libip6t_MARK.c1
-rw-r--r--extensions/libip6t_agr.c1
-rw-r--r--extensions/libip6t_icmpv6.c2
-rw-r--r--extensions/libip6t_limit.c1
-rw-r--r--extensions/libip6t_mac.c1
-rw-r--r--extensions/libip6t_mark.c1
-rw-r--r--extensions/libip6t_multiport.c1
-rw-r--r--extensions/libip6t_owner.c1
-rw-r--r--extensions/libip6t_standard.c1
-rw-r--r--extensions/libip6t_tcp.c1
-rw-r--r--extensions/libip6t_udp.c1
-rw-r--r--extensions/libipt_BALANCE.c1
-rw-r--r--extensions/libipt_DNAT.c1
-rw-r--r--extensions/libipt_FTOS.c1
-rw-r--r--extensions/libipt_LOG.c1
-rw-r--r--extensions/libipt_MARK.c1
-rw-r--r--extensions/libipt_MASQUERADE.c1
-rw-r--r--extensions/libipt_MIRROR.c1
-rw-r--r--extensions/libipt_NETLINK.c1
-rw-r--r--extensions/libipt_NETMAP.c1
-rw-r--r--extensions/libipt_POOL.c1
-rw-r--r--extensions/libipt_REDIRECT.c1
-rw-r--r--extensions/libipt_REJECT.c1
-rw-r--r--extensions/libipt_SAME.c1
-rw-r--r--extensions/libipt_SNAT.c1
-rw-r--r--extensions/libipt_TCPMSS.c1
-rw-r--r--extensions/libipt_TOS.c2
-rw-r--r--extensions/libipt_TTL.c1
-rw-r--r--extensions/libipt_ULOG.c1
-rw-r--r--extensions/libipt_ah.c1
-rw-r--r--extensions/libipt_connlimit.c1
-rw-r--r--extensions/libipt_esp.c1
-rw-r--r--extensions/libipt_icmp.c1
-rw-r--r--extensions/libipt_ipv4options.c1
-rw-r--r--extensions/libipt_length.c1
-rw-r--r--extensions/libipt_limit.c1
-rw-r--r--extensions/libipt_mac.c1
-rw-r--r--extensions/libipt_mark.c1
-rw-r--r--extensions/libipt_multiport.c1
-rw-r--r--extensions/libipt_owner.c1
-rw-r--r--extensions/libipt_pkttype.c1
-rw-r--r--extensions/libipt_pool.c1
-rw-r--r--extensions/libipt_psd.c1
-rw-r--r--extensions/libipt_record_rpc.c1
-rw-r--r--extensions/libipt_standard.c1
-rw-r--r--extensions/libipt_state.c1
-rw-r--r--extensions/libipt_string.c1
-rw-r--r--extensions/libipt_tcp.c1
-rw-r--r--extensions/libipt_tcpmss.c1
-rw-r--r--extensions/libipt_time.c1
-rw-r--r--extensions/libipt_tos.c2
-rw-r--r--extensions/libipt_ttl.c1
-rw-r--r--extensions/libipt_udp.c1
-rw-r--r--extensions/libipt_unclean.c1
-rw-r--r--include/ip6tables.h6
-rw-r--r--include/iptables.h6
-rw-r--r--include/iptables_common.h7
-rw-r--r--ip6tables-restore.c4
-rw-r--r--ip6tables-save.c4
-rw-r--r--ip6tables-standalone.c4
-rw-r--r--ip6tables.c18
-rw-r--r--iptables-restore.c6
-rw-r--r--iptables-save.c4
-rw-r--r--iptables-standalone.c4
-rw-r--r--iptables.c18
70 files changed, 228 insertions, 21 deletions
diff --git a/INSTALL b/INSTALL
index 738dd993..59fe5efa 100644
--- a/INSTALL
+++ b/INSTALL
@@ -17,16 +17,16 @@ That's it!
================================================================
FEELING BRAVE?
-1) If you want to try some extensions, you can do the following:
+1) The netfilter core team is maintaining a set of extensions / new
+ features which are not yet committed to the mainstream kernel tree.
+
+If you want to try some extensions, you can do the following:
% make patch-o-matic KERNEL_DIR=<<where-your-kernel-is>>
-This offers you a collection of maybe-broken maybe-cool third-part
+This offers you a collection of maybe-broken maybe-cool third-party
extensions. It will modify you kernel source (so back it up first!).
-
-2) If you want to test out `iptables-save' and `iptables-restore', you
-can use
- % make experimental
- % make install-experimental
+Most of them will require you to recompile / rebuild your kernel and
+modules.
================================================================
PROBLEMS YOU MAY ENCOUNTER:
@@ -42,6 +42,12 @@ PROBLEMS YOU MAY ENCOUNTER:
% make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man
# make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man install
+4) If you want to build a statically linked version of the iptables binary,
+ without the need for loading the plugins at runtime (e.g. for an embedded
+ device or router-on-a-disk), please use
+
+ % make NO_SHARED_LIBS=1
+
NOTE: make sure you build with at least the correct LIBDIR=
specification, otherwise iptables(8) won't know where to find the
dynamic objects.
diff --git a/Makefile b/Makefile
index 54461777..238c34a0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,9 @@
# Standard part of Makefile for topdir.
TOPLEVEL_INCLUDED=YES
+# uncomment this to get a fully statically linked version
+# NO_SHARED_LIBS = 1
+
ifndef KERNEL_DIR
KERNEL_DIR=/usr/src/linux
endif
@@ -25,8 +28,24 @@ endif
COPT_FLAGS:=-O2 -DNDEBUG
CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g #-pg
+ifdef NO_SHARED_LIBS
+CFLAGS += -DNO_SHARED_LIBS=1
+endif
+
+ifndef NO_SHARED_LIBS
DEPFILES = $(SHARED_LIBS:%.so=%.d)
SH_CFLAGS:=$(CFLAGS) -fPIC
+STATIC_LIBS =
+STATIC6_LIBS =
+LDFLAGS = -rdynamic
+LDLIBS = -ldl
+else
+DEPFILES = $(EXT_OBJS:%.o=%.d)
+STATIC_LIBS = extensions/libext.a
+STATIC6_LIBS = extensions/libext6.a
+LDFLAGS =
+LDLIBS =
+endif
EXTRAS+=iptables iptables.o
EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8
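Review bot: In the NO_SHARED_LIBS branch `DEPFILES = $(EXT_OBJS:%.o=%.d)` covers only the IPv4 extension objects, so the IPv6 objects in EXT6_OBJS get no dependency files, assuming DEPFILES is consumed the same way as in the shared build (that part is outside this hunk). I would write `DEPFILES = $(EXT_OBJS:%.o=%.d) $(EXT6_OBJS:%.o=%.d)`. Separately, the comment added at the top of the file promises a "fully statically linked" binary, but LDFLAGS is left empty here, so without `-static` the result still links libc dynamically. Either the comment should say "extensions linked in, no dlopen" or the flag should be added.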
@@ -72,22 +91,22 @@ pending-patches:
iptables.o: iptables.c
$(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $<
-iptables: iptables-standalone.c iptables.o libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl
+iptables: iptables-standalone.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
$(DESTDIR)$(BINDIR)/iptables: iptables
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
cp $< $@
-iptables-save: iptables-save.c iptables.o libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl
+iptables-save: iptables-save.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
$(DESTDIR)$(BINDIR)/iptables-save: iptables-save
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
cp $< $@
-iptables-restore: iptables-restore.c iptables.o libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl
+iptables-restore: iptables-restore.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
$(DESTDIR)$(BINDIR)/iptables-restore: iptables-restore
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
@@ -96,22 +115,22 @@ $(DESTDIR)$(BINDIR)/iptables-restore: iptables-restore
ip6tables.o: ip6tables.c
$(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $<
-ip6tables: ip6tables-standalone.c ip6tables.o libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl
+ip6tables: ip6tables-standalone.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ $(LD_LIBS)
$(DESTDIR)$(BINDIR)/ip6tables: ip6tables
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
cp $< $@
-ip6tables-save: ip6tables-save.c ip6tables.o libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl
+ip6tables-save: ip6tables-save.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ $(LD_LIBS)
$(DESTDIR)$(BINDIR)/ip6tables-save: ip6tables-save
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
cp $< $@
-ip6tables-restore: ip6tables-restore.c ip6tables.o libiptc/libiptc.a
- $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl
+ip6tables-restore: ip6tables-restore.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ $(LD_LIBS)
$(DESTDIR)$(BINDIR)/ip6tables-restore: ip6tables-restore
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
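Review bot: The three ip6tables link lines reference `$(LD_LIBS)`, which is never defined; the variable set earlier in this Makefile is `LDLIBS`. With the expansion empty, the default shared build loses `-ldl`, so the dlopen-based loader in ip6tables.c will presumably fail to link. The same lines also keep a hard-coded `-rdynamic` instead of `$(LDFLAGS)`, so the static build differs from the IPv4 rules. Each recipe should end like the iptables ones: `$(LDFLAGS) -o $@ $^ $(LDLIBS)`. This applies to ip6tables, ip6tables-save and ip6tables-restore.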
diff --git a/Rules.make b/Rules.make
index 7c84143f..8c04caf2 100644
--- a/Rules.make
+++ b/Rules.make
@@ -7,6 +7,7 @@ experimental: $(EXTRAS_EXP)
# Have to handle extensions which no longer exist.
clean: $(EXTRA_CLEANS)
rm -f $(SHARED_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o)
+ rm -f extensions/initext.c extensions/initext6.c
@find . -name '*.[ao]' -o -name '*.so' | xargs rm -f
install: all $(EXTRA_INSTALLS)
diff --git a/extensions/Makefile b/extensions/Makefile
index d7b61733..e420aeb7 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile
@@ -16,6 +16,7 @@ PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS)
OPTIONALS+=$(patsubst %,IPv4:%,$(PF_EXT_SLIB_OPTS))
OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT_SLIB_OPTS))
+ifndef NO_SHARED_LIBS
SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
@@ -23,12 +24,57 @@ ifdef DO_IPV6
SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
endif
+else # NO_SHARED_LIBS
+EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o)
+EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
+EXT_OBJS+= extensions/initext.o
+EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o)
+EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T))
+EXT6_OBJS+= extensions/initext6.o
+endif
ifndef TOPLEVEL_INCLUDED
local:
cd .. && $(MAKE) $(SHARED_LIBS)
endif
+ifdef NO_SHARED_LIBS
+extensions/libext.a: $(EXT_OBJS)
+ rm -f $@; ar crv $@ $(EXT_OBJS)
+
+extensions/libext6.a: $(EXT6_OBJS)
+ rm -f $@; ar crv $@ $(EXT6_OBJS)
+
+extensions/initext.o: extensions/initext.c
+extensions/initext6.o: extensions/initext6.c
+
+extensions/initext.c: extensions/Makefile
+ echo "" > $@
+ for i in $(EXT_FUNC); do \
+ echo "extern void $${i}_init(void);" >> $@; \
+ done
+ echo "void init_extensions(void) {" >> $@
+ for i in $(EXT_FUNC); do \
+ echo " $${i}_init();" >> $@; \
+ done
+ echo "}" >> $@
+
+extensions/initext6.c: extensions/Makefile
+ echo "" > $@
+ for i in $(EXT6_FUNC); do \
+ echo "extern void $${i}_init(void);" >> $@; \
+ done
+ echo "void init_extensions(void) {" >> $@
+ for i in $(EXT6_FUNC); do \
+ echo " $${i}_init();" >> $@; \
+ done
+ echo "}" >> $@
+
+extensions/lib%.o: extensions/lib%.c
+ $(CC) $(CFLAGS) -D_INIT=$*_init -c -o $@ $<
+
+endif
+
$(DESTDIR)$(LIBDIR)/iptables/libipt_%.so: extensions/libipt_%.so
@[ -d $(DESTDIR)$(LIBDIR)/iptables ] || mkdir -p $(DESTDIR)$(LIBDIR)/iptables
cp $< $@
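Review bot: The generated `extensions/initext.c` and `extensions/initext6.c` list only `extensions/Makefile` as a prerequisite, but their content comes from `$(EXT_FUNC)` / `$(EXT6_FUNC)`, which are derived from the extension lists including the optional ones on the context lines above. If that set changes without the Makefile changing (it looks like it depends on the kernel tree, which is outside this hunk), a stale `init_extensions()` is kept. That leads either to a link failure or to a firewall binary that silently lacks a match or target. The recipes also append to `$@` piece by piece, so an interrupted run leaves a truncated file that looks up to date. I would generate into a temporary file on every run and replace the target only when the content differs, as sketched below for the IPv4 file; the IPv6 rule is the same with `EXT6_FUNC`. The archive rules would also be safer with `rm -f $@ && ar crv $@ $(EXT_OBJS)` than with `;`.

```make
# … unchanged: libext.a / libext6.a archive rules and initext*.o prerequisites …
extensions/initext.c: extensions/Makefile FORCE
	@{ echo ""; \
	for i in $(EXT_FUNC); do echo "extern void $${i}_init(void);"; done; \
	echo "void init_extensions(void) {"; \
	for i in $(EXT_FUNC); do echo "	$${i}_init();"; done; \
	echo "}"; } > $@.tmp
	@cmp -s $@.tmp $@ && rm -f $@.tmp || mv -f $@.tmp $@

FORCE:
# … unchanged: extensions/lib%.o pattern rule …
```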
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 68003150..ef39c98d 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -239,6 +239,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
printf("--log-ip-options ");
}
+static
struct ip6tables_target log
= { NULL,
"LOG",
diff --git a/extensions/libip6t_MARK.c b/extensions/libip6t_MARK.c
index efbb4ec0..6d2b1031 100644
--- a/extensions/libip6t_MARK.c
+++ b/extensions/libip6t_MARK.c
@@ -100,6 +100,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
printf("--set-mark 0x%lx ", markinfo->mark);
}
+static
struct ip6tables_target mark
= { NULL,
"MARK",
diff --git a/extensions/libip6t_agr.c b/extensions/libip6t_agr.c
index 676f9e6c..888fc2c9 100644
--- a/extensions/libip6t_agr.c
+++ b/extensions/libip6t_agr.c
@@ -65,6 +65,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match
/* printf("--agr "); */
}
+static
struct ip6tables_match agr
= { NULL,
"agr",
diff --git a/extensions/libip6t_icmpv6.c b/extensions/libip6t_icmpv6.c
index 1b801d2d..67302eb5 100644
--- a/extensions/libip6t_icmpv6.c
+++ b/extensions/libip6t_icmpv6.c
@@ -258,7 +258,7 @@ static void final_check(unsigned int flags)
{
}
-struct ip6tables_match icmpv6
+static struct ip6tables_match icmpv6
= { NULL,
"icmpv6",
NETFILTER_VERSION,
diff --git a/extensions/libip6t_limit.c b/extensions/libip6t_limit.c
index cd267ef8..837b0fe2 100644
--- a/extensions/libip6t_limit.c
+++ b/extensions/libip6t_limit.c
@@ -176,6 +176,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match
printf("--limit-burst %u ", r->burst);
}
+static
struct ip6tables_match limit
= { NULL,
"limit",
diff --git a/extensions/libip6t_mac.c b/extensions/libip6t_mac.c
index 283c486c..e4c43454 100644
--- a/extensions/libip6t_mac.c
+++ b/extensions/libip6t_mac.c
@@ -124,6 +124,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match
((struct ip6t_mac_info *)match->data)->invert);
}
+static
struct ip6tables_match mac
= { NULL,
"mac",
diff --git a/extensions/libip6t_mark.c b/extensions/libip6t_mark.c
index e4ed9323..b344bb63 100644
--- a/extensions/libip6t_mark.c
+++ b/extensions/libip6t_mark.c
@@ -108,6 +108,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
((struct ip6t_mark_info *)match->data)->invert, 0);
}
+static
struct ip6tables_match mark
= { NULL,
"mark",
diff --git a/extensions/libip6t_multiport.c b/extensions/libip6t_multiport.c
index d58bbb97..16bbcf8e 100644
--- a/extensions/libip6t_multiport.c
+++ b/extensions/libip6t_multiport.c
@@ -242,6 +242,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match
printf(" ");
}
+static
struct ip6tables_match multiport
= { NULL,
"multiport",
diff --git a/extensions/libip6t_owner.c b/extensions/libip6t_owner.c
index 7648d657..4eed2513 100644
--- a/extensions/libip6t_owner.c
+++ b/extensions/libip6t_owner.c
@@ -199,6 +199,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
print_item(info, IP6T_OWNER_SID, 0, "--sid-owner ");
}
+static
struct ip6tables_match owner
= { NULL,
"owner",
diff --git a/extensions/libip6t_standard.c b/extensions/libip6t_standard.c
index 1ffb1d7a..79414483 100644
--- a/extensions/libip6t_standard.c
+++ b/extensions/libip6t_standard.c
@@ -47,6 +47,7 @@ save(const struct ip6t_ip6 *ip6, const struct ip6t_entry_target *target)
{
}
+static
struct ip6tables_target standard
= { NULL,
"standard",
diff --git a/extensions/libip6t_tcp.c b/extensions/libip6t_tcp.c
index dd515f0e..f03f072a 100644
--- a/extensions/libip6t_tcp.c
+++ b/extensions/libip6t_tcp.c
@@ -420,6 +420,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match
}
}
+static
struct ip6tables_match tcp
= { NULL,
"tcp",
diff --git a/extensions/libip6t_udp.c b/extensions/libip6t_udp.c
index ac036167..441c8147 100644
--- a/extensions/libip6t_udp.c
+++ b/extensions/libip6t_udp.c
@@ -231,6 +231,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match
}
}
+static
struct ip6tables_match udp
= { NULL,
"udp",
diff --git a/extensions/libipt_BALANCE.c b/extensions/libipt_BALANCE.c
index abbf1b63..75f4cda8 100644
--- a/extensions/libipt_BALANCE.c
+++ b/extensions/libipt_BALANCE.c
@@ -131,6 +131,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("-%s ", addr_to_dotted(&a));
}
+static
struct iptables_target balance
= { NULL,
"BALANCE",
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 8ae9a62b..3e466ae3 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -224,6 +224,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
}
}
+static
struct iptables_target dnat
= { NULL,
"DNAT",
diff --git a/extensions/libipt_FTOS.c b/extensions/libipt_FTOS.c
index 48f88ec5..b9a5d696 100644
--- a/extensions/libipt_FTOS.c
+++ b/extensions/libipt_FTOS.c
@@ -110,6 +110,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--set-ftos 0x%02x ", finfo->ftos);
}
+static
struct iptables_target ftos
= { NULL,
"FTOS",
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 9f41853f..f71f4bf8 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -239,6 +239,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--log-ip-options ");
}
+static
struct iptables_target log
= { NULL,
"LOG",
diff --git a/extensions/libipt_MARK.c b/extensions/libipt_MARK.c
index ef7d7331..6d4c41ea 100644
--- a/extensions/libipt_MARK.c
+++ b/extensions/libipt_MARK.c
@@ -100,6 +100,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--set-mark 0x%lx ", markinfo->mark);
}
+static
struct iptables_target mark
= { NULL,
"MARK",
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index 2159016d..0eecba5c 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -146,6 +146,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
}
}
+static
struct iptables_target masq
= { NULL,
"MASQUERADE",
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
index b4d9a07c..632e9548 100644
--- a/extensions/libipt_MIRROR.c
+++ b/extensions/libipt_MIRROR.c
@@ -41,6 +41,7 @@ final_check(unsigned int flags)
{
}
+static
struct iptables_target mirror
= { NULL,
"MIRROR",
diff --git a/extensions/libipt_NETLINK.c b/extensions/libipt_NETLINK.c
index 3faf9289..104e6427 100644
--- a/extensions/libipt_NETLINK.c
+++ b/extensions/libipt_NETLINK.c
@@ -136,6 +136,7 @@ print(const struct ipt_ip *ip,
printf("nlsize %i ", nld->size);
}
+static
struct iptables_target netlink = { NULL,
"NETLINK",
NETFILTER_VERSION,
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index 7d5ad04f..947ca8d4 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -179,6 +179,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
print(ip, target, 0);
}
+static
struct iptables_target target_module
= { NULL,
MODULENAME,
diff --git a/extensions/libipt_POOL.c b/extensions/libipt_POOL.c
index 12d9572d..62697710 100644
--- a/extensions/libipt_POOL.c
+++ b/extensions/libipt_POOL.c
@@ -130,6 +130,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
}
}
+static
struct iptables_target ipt_pool_target
= { NULL,
"POOL",
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 3119a700..02afacf9 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -147,6 +147,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
}
}
+static
struct iptables_target redir
= { NULL,
"REDIRECT",
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 956805a6..eb813413 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -155,6 +155,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--reject-with %s ", reject_table[i].name);
}
+static
struct iptables_target reject
= { NULL,
"REJECT",
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index 84bc3c5b..4e7ef37a 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -165,6 +165,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--nodst ");
}
+static
struct iptables_target same
= { NULL,
"SAME",
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 83f4ce9e..1af0d5ef 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -224,6 +224,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
}
}
+static
struct iptables_target snat
= { NULL,
"SNAT",
diff --git a/extensions/libipt_TCPMSS.c b/extensions/libipt_TCPMSS.c
index d14f0c08..ebc10a79 100644
--- a/extensions/libipt_TCPMSS.c
+++ b/extensions/libipt_TCPMSS.c
@@ -113,6 +113,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--set-mss %u ", mssinfo->mss);
}
+static
struct iptables_target mss
= { NULL,
"TCPMSS",
diff --git a/extensions/libipt_TOS.c b/extensions/libipt_TOS.c
index 9feba060..0e54a08f 100644
--- a/extensions/libipt_TOS.c
+++ b/extensions/libipt_TOS.c
@@ -14,6 +14,7 @@ struct tosinfo {
};
/* TOS names and values. */
+static
struct TOS_value
{
unsigned char TOS;
@@ -152,6 +153,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--set-tos 0x%02x ", tosinfo->tos);
}
+static
struct iptables_target tos
= { NULL,
"TOS",
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index 985b9146..b04289ac 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -143,6 +143,7 @@ static struct option opts[] = {
{ 0 }
};
+static
struct iptables_target TTL = { NULL,
"TTL",
NETFILTER_VERSION,
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index 9d4bad87..5de8ee0e 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -187,6 +187,7 @@ print(const struct ipt_ip *ip,
printf("queue_threshold %d ", loginfo->qthreshold);
}
+static
struct iptables_target ulog = { NULL,
"ULOG",
NETFILTER_VERSION,
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index e779fa53..0473760f 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -169,6 +169,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
}
+static
struct iptables_match ah
= { NULL,
"ah",
diff --git a/extensions/libipt_connlimit.c b/extensions/libipt_connlimit.c
index 19928ac2..a11cf140 100644
--- a/extensions/libipt_connlimit.c
+++ b/extensions/libipt_connlimit.c
@@ -113,6 +113,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
printf("--iplimit-mask %d ",count_bits(info->mask));
}
+static
static struct iptables_match iplimit = {
name: "iplimit",
version: NETFILTER_VERSION,
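Review bot: The added `static` lands in front of a declaration that is already `static struct iptables_match iplimit = {`, giving a duplicate storage-class specifier. GCC rejects that with a "duplicate 'static'" error, so this file will not compile in either build mode. The added line should simply be dropped here, because the struct was already file-local. The initializer continues outside the hunk.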
diff --git a/extensions/libipt_esp.c b/extensions/libipt_esp.c
index d60c2a65..07d25156 100644
--- a/extensions/libipt_esp.c
+++ b/extensions/libipt_esp.c
@@ -169,6 +169,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
}
+static
struct iptables_match esp
= { NULL,
"esp",
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index a8b6bd13..8d2d85d5 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -273,6 +273,7 @@ static void final_check(unsigned int flags)
{
}
+static
struct iptables_match icmp
= { NULL,
"icmp",
diff --git a/extensions/libipt_ipv4options.c b/extensions/libipt_ipv4options.c
index 89ca9fc9..e99c96c9 100644
--- a/extensions/libipt_ipv4options.c
+++ b/extensions/libipt_ipv4options.c
@@ -253,6 +253,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
printf(" ");
}
+static
struct iptables_match ipv4options_struct
= { NULL,
"ipv4options",
diff --git a/extensions/libipt_length.c b/extensions/libipt_length.c
index ee2af943..00326c4b 100644
--- a/extensions/libipt_length.c
+++ b/extensions/libipt_length.c
@@ -139,6 +139,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
print_length((struct ipt_length_info *)match->data);
}
+static
struct iptables_match length
= { NULL,
"length",
diff --git a/extensions/libipt_limit.c b/extensions/libipt_limit.c
index 9aaf842a..edbc1cbf 100644
--- a/extensions/libipt_limit.c
+++ b/extensions/libipt_limit.c
@@ -176,6 +176,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
printf("--limit-burst %u ", r->burst);
}
+static
struct iptables_match limit
= { NULL,
"limit",
diff --git a/extensions/libipt_mac.c b/extensions/libipt_mac.c
index 6d61d605..1b088a85 100644
--- a/extensions/libipt_mac.c
+++ b/extensions/libipt_mac.c
@@ -124,6 +124,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
((struct ipt_mac_info *)match->data)->invert);
}
+static
struct iptables_match mac
= { NULL,
"mac",
diff --git a/extensions/libipt_mark.c b/extensions/libipt_mark.c
index aced5475..001635a6 100644
--- a/extensions/libipt_mark.c
+++ b/extensions/libipt_mark.c
@@ -108,6 +108,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
((struct ipt_mark_info *)match->data)->invert, 0);
}
+static
struct iptables_match mark
= { NULL,
"mark",
diff --git a/extensions/libipt_multiport.c b/extensions/libipt_multiport.c
index 6eb5bdf0..58cf18ca 100644
--- a/extensions/libipt_multiport.c
+++ b/extensions/libipt_multiport.c
@@ -242,6 +242,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
printf(" ");
}
+static
struct iptables_match multiport
= { NULL,
"multiport",
diff --git a/extensions/libipt_owner.c b/extensions/libipt_owner.c
index 233cd0be..953eb59a 100644
--- a/extensions/libipt_owner.c
+++ b/extensions/libipt_owner.c
@@ -199,6 +199,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
print_item(info, IPT_OWNER_SID, 0, "--sid-owner ");
}
+static
struct iptables_match owner
= { NULL,
"owner",
diff --git a/extensions/libipt_pkttype.c b/extensions/libipt_pkttype.c
index f05a2316..04a43db7 100644
--- a/extensions/libipt_pkttype.c
+++ b/extensions/libipt_pkttype.c
@@ -153,6 +153,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
print_pkttype(info);
}
+static
struct iptables_match pkttype = {
NULL,
"pkttype",
diff --git a/extensions/libipt_pool.c b/extensions/libipt_pool.c
index 23e2922d..3fec4634 100644
--- a/extensions/libipt_pool.c
+++ b/extensions/libipt_pool.c
@@ -122,6 +122,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
ip_pool_get_name(buf, sizeof(buf), info->dst, 0));
}
+static
struct iptables_match pool
= { NULL,
"pool",
diff --git a/extensions/libipt_psd.c b/extensions/libipt_psd.c
index d5bb87e8..21b9fb88 100644
--- a/extensions/libipt_psd.c
+++ b/extensions/libipt_psd.c
@@ -174,6 +174,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
printf("--psd-hi-ports-weight %u ",psdinfo->hi_ports_weight);
}
+static
struct iptables_match psd
= { NULL,
"psd",
diff --git a/extensions/libipt_record_rpc.c b/extensions/libipt_record_rpc.c
index f0c86bae..c40df402 100644
--- a/extensions/libipt_record_rpc.c
+++ b/extensions/libipt_record_rpc.c
@@ -52,6 +52,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
{
}
+static
struct iptables_match record_rpc
= { NULL,
"record_rpc",
diff --git a/extensions/libipt_standard.c b/extensions/libipt_standard.c
index 22db24ba..c5faf189 100644
--- a/extensions/libipt_standard.c
+++ b/extensions/libipt_standard.c
@@ -47,6 +47,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
{
}
+static
struct iptables_target standard
= { NULL,
"standard",
diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c
index d21ccf16..25bc2a2c 100644
--- a/extensions/libipt_state.c
+++ b/extensions/libipt_state.c
@@ -142,6 +142,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
print_state(sinfo->statemask);
}
+static
struct iptables_match state
= { NULL,
"state",
diff --git a/extensions/libipt_string.c b/extensions/libipt_string.c
index 279f9be1..b9f38d7a 100644
--- a/extensions/libipt_string.c
+++ b/extensions/libipt_string.c
@@ -113,6 +113,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
((struct ipt_string_info *)match->data)->invert, 0);
}
+static
struct iptables_match string
= { NULL,
"string",
diff --git a/extensions/libipt_tcp.c b/extensions/libipt_tcp.c
index 1b0a37a3..7f172529 100644
--- a/extensions/libipt_tcp.c
+++ b/extensions/libipt_tcp.c
@@ -423,6 +423,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
}
}
+static
struct iptables_match tcp
= { NULL,
"tcp",
diff --git a/extensions/libipt_tcpmss.c b/extensions/libipt_tcpmss.c
index 6cf4211f..92e05392 100644
--- a/extensions/libipt_tcpmss.c
+++ b/extensions/libipt_tcpmss.c
@@ -140,6 +140,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
mssinfo->invert, 0);
}
+static
struct iptables_match tcpmss
= { NULL,
"tcpmss",
diff --git a/extensions/libipt_time.c b/extensions/libipt_time.c
index 10b37885..9d1e5597 100644
--- a/extensions/libipt_time.c
+++ b/extensions/libipt_time.c
@@ -288,6 +288,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
printf(" ");
}
+static
struct iptables_match timestruct
= { NULL,
"time",
diff --git a/extensions/libipt_tos.c b/extensions/libipt_tos.c
index f1d3b2a6..a1ef4e6e 100644
--- a/extensions/libipt_tos.c
+++ b/extensions/libipt_tos.c
@@ -9,6 +9,7 @@
#include <linux/netfilter_ipv4/ipt_tos.h>
/* TOS names and values. */
+static
struct TOS_value
{
unsigned char TOS;
@@ -151,6 +152,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
((struct ipt_tos_info *)match->data)->invert, 0);
}
+static
struct iptables_match tos
= { NULL,
"tos",
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
index 060b2409..f1ca31c4 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_ttl.c
@@ -155,6 +155,7 @@ static struct option opts[] = {
{ 0 }
};
+static
struct iptables_match ttl = {
NULL,
"ttl",
diff --git a/extensions/libipt_udp.c b/extensions/libipt_udp.c
index 9b18d18b..3db35b1b 100644
--- a/extensions/libipt_udp.c
+++ b/extensions/libipt_udp.c
@@ -231,6 +231,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
}
}
+static
struct iptables_match udp
= { NULL,
"udp",
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
index b954e368..5e842e93 100644
--- a/extensions/libipt_unclean.c
+++ b/extensions/libipt_unclean.c
@@ -41,6 +41,7 @@ static void final_check(unsigned int flags)
{
}
+static
struct iptables_match unclean
= { NULL,
"unclean",
diff --git a/include/ip6tables.h b/include/ip6tables.h
index 9ac3835c..ca388f7c 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -51,6 +51,9 @@ struct ip6tables_match
struct ip6t_entry_match *m;
unsigned int mflags;
unsigned int used;
+#ifdef NO_SHARED_LIBS
+ unsigned int loaded; /* simulate loading so options are merged properly */
+#endif
};
struct ip6tables_target
@@ -98,6 +101,9 @@ struct ip6tables_target
struct ip6t_entry_target *t;
unsigned int tflags;
unsigned int used;
+#ifdef NO_SHARED_LIBS
+ unsigned int loaded; /* simulate loading so options are merged properly */
+#endif
};
/* Your shared library should call one of these. */
diff --git a/include/iptables.h b/include/iptables.h
index 719db544..ac2a6b3b 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -51,6 +51,9 @@ struct iptables_match
struct ipt_entry_match *m;
unsigned int mflags;
unsigned int used;
+#ifdef NO_SHARED_LIBS
+ unsigned int loaded; /* simulate loading so options are merged properly */
+#endif
};
struct iptables_target
@@ -98,6 +101,9 @@ struct iptables_target
struct ipt_entry_target *t;
unsigned int tflags;
unsigned int used;
+#ifdef NO_SHARED_LIBS
+ unsigned int loaded; /* simulate loading so options are merged properly */
+#endif
};
/* Your shared library should call one of these. */
diff --git a/include/iptables_common.h b/include/iptables_common.h
index dff849ee..12b57975 100644
--- a/include/iptables_common.h
+++ b/include/iptables_common.h
@@ -19,4 +19,11 @@ void exit_error(enum exittype, char *, ...)__attribute__((noreturn,
format(printf,2,3)));
extern const char *program_name, *program_version;
+#ifdef NO_SHARED_LIBS
+# ifdef _INIT
+# define _init _INIT
+# endif
+ extern void init_extensions(void);
+#endif
+
#endif /*_IPTABLES_COMMON_H*/
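Review bot: The `_init` to `_INIT` remapping is undocumented, and it is the piece that ties the static build together, so it deserves a comment at the definition. I would add above the `# ifdef _INIT` line: `/* Static build: extensions/Makefile compiles each extension with -D_INIT=<name>_init, renaming its _init() so the generated init_extensions() can call every one explicitly. */`. It is also worth noting in that comment that the macro rewrites every `_init` token in any file including this header once `_INIT` is defined. That is harmless for the extensions visible in this commit but surprising for new code.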
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index f7a94f2c..40804eef 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -93,6 +93,10 @@ int main(int argc, char *argv[])
program_name = "ip6tables-restore";
program_version = NETFILTER_VERSION;
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+
while ((c = getopt_long(argc, argv, "bcvhnM:", options, NULL)) != -1) {
switch (c) {
case 'b':
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c18bda21..772f786c 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -314,6 +314,10 @@ int main(int argc, char *argv[])
program_name = "ip6tables-save";
program_version = NETFILTER_VERSION;
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+
while ((c = getopt_long(argc, argv, "bc", options, NULL)) != -1) {
switch (c) {
case 'b':
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 1120590f..f0145ce1 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -39,6 +39,10 @@ main(int argc, char *argv[])
program_name = "ip6tables";
program_version = NETFILTER_VERSION;
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+
ret = do_command6(argc, argv, &table, &handle);
if (ret)
ret = ip6tc_commit(&handle);
diff --git a/ip6tables.c b/ip6tables.c
index 2160950e..2d13f3af 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -684,6 +684,7 @@ find_match(const char *name, enum ip6t_tryload tryload)
break;
}
+#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD) {
char path[sizeof(IP6T_LIB_DIR) + sizeof("/libip6t_.so")
+ strlen(name)];
@@ -701,6 +702,14 @@ find_match(const char *name, enum ip6t_tryload tryload)
exit_error(PARAMETER_PROBLEM,
"Couldn't load match `%s'\n", name);
}
+#else
+ if (ptr && !ptr->loaded) {
+ if (tryload != DONT_LOAD)
+ ptr->loaded = 1;
+ else
+ ptr = NULL;
+ }
+#endif
if (ptr)
ptr->used = 1;
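Review bot: The NO_SHARED_LIBS branch has no failure path for a name that is not compiled in. When the list lookup leaves `ptr` NULL, the dynamic branch ends in `exit_error(PARAMETER_PROBLEM, ...)` for the must-succeed case, while the static branch just falls through and returns NULL. Callers that relied on that guarantee (they are outside this hunk) would then dereference a NULL pointer instead of printing a diagnostic. I would add, after the `loaded` block and before `#endif`, `if (!ptr && tryload == LOAD_MUST_SUCCEED)` followed by the same `exit_error(PARAMETER_PROBLEM, ...)` call with a "couldn't find match" message. The same gap is in `find_target` in this file and in both `find_match` and `find_target` in iptables.c.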
@@ -881,6 +890,7 @@ find_target(const char *name, enum ip6t_tryload tryload)
break;
}
+#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD) {
char path[sizeof(IP6T_LIB_DIR) + sizeof("/libip6t_.so")
+ strlen(name)];
@@ -898,6 +908,14 @@ find_target(const char *name, enum ip6t_tryload tryload)
"Couldn't load target `%s'%s\n",
name, dlerror());
}
+#else
+ if (ptr && !ptr->loaded) {
+ if (tryload != DONT_LOAD)
+ ptr->loaded = 1;
+ else
+ ptr = NULL;
+ }
+#endif
if (ptr)
ptr->used = 1;
diff --git a/iptables-restore.c b/iptables-restore.c
index b6bcb7b7..2f4d8768 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -4,7 +4,7 @@
*
* This coude is distributed under the terms of GNU GPL
*
- * $Id: iptables-restore.c,v 1.12 2001/05/26 04:41:56 laforge Exp $
+ * $Id: iptables-restore.c,v 1.13 2001/06/16 18:25:25 laforge Exp $
*/
#include <getopt.h>
@@ -109,6 +109,10 @@ int main(int argc, char *argv[])
program_name = "iptables-restore";
program_version = NETFILTER_VERSION;
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+
while ((c = getopt_long(argc, argv, "bcvhnM:", options, NULL)) != -1) {
switch (c) {
case 'b':
diff --git a/iptables-save.c b/iptables-save.c
index 60397146..aa3b69af 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -306,6 +306,10 @@ int main(int argc, char *argv[])
program_name = "iptables-save";
program_version = NETFILTER_VERSION;
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+
while ((c = getopt_long(argc, argv, "bc", options, NULL)) != -1) {
switch (c) {
case 'b':
diff --git a/iptables-standalone.c b/iptables-standalone.c
index b891e974..791f9505 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -40,6 +40,10 @@ main(int argc, char *argv[])
program_name = "iptables";
program_version = NETFILTER_VERSION;
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+
ret = do_command(argc, argv, &table, &handle);
if (ret)
ret = iptc_commit(&handle);
diff --git a/iptables.c b/iptables.c
index 55420ab9..7f4c8926 100644
--- a/iptables.c
+++ b/iptables.c
@@ -649,6 +649,7 @@ find_match(const char *name, enum ipt_tryload tryload)
break;
}
+#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD) {
char path[sizeof(IPT_LIB_DIR) + sizeof("/libipt_.so")
+ strlen(name)];
@@ -667,6 +668,14 @@ find_match(const char *name, enum ipt_tryload tryload)
"Couldn't load match `%s':%s\n",
name, dlerror());
}
+#else
+ if (ptr && !ptr->loaded) {
+ if (tryload != DONT_LOAD)
+ ptr->loaded = 1;
+ else
+ ptr = NULL;
+ }
+#endif
if (ptr)
ptr->used = 1;
@@ -904,6 +913,7 @@ find_target(const char *name, enum ipt_tryload tryload)
break;
}
+#ifndef NO_SHARED_LIBS
if (!ptr && tryload != DONT_LOAD) {
char path[sizeof(IPT_LIB_DIR) + sizeof("/libipt_.so")
+ strlen(name)];
@@ -921,6 +931,14 @@ find_target(const char *name, enum ipt_tryload tryload)
"Couldn't load target `%s':%s\n",
name, dlerror());
}
+#else
+ if (ptr && !ptr->loaded) {
+ if (tryload != DONT_LOAD)
+ ptr->loaded = 1;
+ else
+ ptr = NULL;
+ }
+#endif
if (ptr)
ptr->used = 1;