From fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 9 Jul 2011 19:37:31 +0200 Subject: option: remove last traces of intrapositional negation Intrapositional negation was deprecated in 1.4.3. Signed-off-by: Jan Engelhardt --- extensions/libxt_SET.c | 9 --------- extensions/libxt_rateest.c | 13 ------------- extensions/libxt_sctp.c | 4 ---- extensions/libxt_set.c | 4 ---- extensions/libxt_tcp.c | 5 ----- 5 files changed, 35 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c index 51c0cec6..04466037 100644 --- a/extensions/libxt_SET.c +++ b/extensions/libxt_SET.c @@ -67,10 +67,6 @@ parse_target_v0(char **argv, int invert, unsigned int *flags, xtables_error(PARAMETER_PROBLEM, "--%s can be specified only once", what); - if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --%s", what); - if (!argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, @@ -173,11 +169,6 @@ parse_target(char **argv, int invert, struct xt_set_info *info, if (info->dim) xtables_error(PARAMETER_PROBLEM, "--%s can be specified only once", what); - - if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --%s", what); - if (!argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c index 5f42a137..86bbb06f 100644 --- a/extensions/libxt_rateest.c +++ b/extensions/libxt_rateest.c @@ -114,7 +114,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, switch (c) { case OPT_RATEEST1: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest can't be inverted"); 
@@ -128,7 +127,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST2: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest can't be inverted"); @@ -143,7 +141,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_BPS1: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-bps can't be inverted"); @@ -167,7 +164,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_PPS1: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-pps can't be inverted"); @@ -192,7 +188,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_BPS2: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-bps can't be inverted"); @@ -216,7 +211,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_PPS2: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-pps can't be inverted"); @@ -241,7 +235,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_DELTA: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-delta can't be inverted"); @@ -255,8 +248,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_EQ: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (*flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, "rateest: can't specify lt/gt/eq twice"); 
@@ -268,8 +259,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_LT: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (*flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, "rateest: can't specify lt/gt/eq twice"); @@ -281,8 +270,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags, break; case OPT_RATEEST_GT: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (*flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, "rateest: can't specify lt/gt/eq twice"); diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c index 5dbc36f5..56a4cdf2 100644 --- a/extensions/libxt_sctp.c +++ b/extensions/libxt_sctp.c @@ -257,7 +257,6 @@ sctp_parse(int c, char **argv, int invert, unsigned int *flags, xtables_error(PARAMETER_PROBLEM, "Only one `--source-port' allowed"); einfo->flags |= XT_SCTP_SRC_PORTS; - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_sctp_ports(optarg, einfo->spts); if (invert) einfo->invflags |= XT_SCTP_SRC_PORTS; @@ -269,7 +268,6 @@ sctp_parse(int c, char **argv, int invert, unsigned int *flags, xtables_error(PARAMETER_PROBLEM, "Only one `--destination-port' allowed"); einfo->flags |= XT_SCTP_DEST_PORTS; - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_sctp_ports(optarg, einfo->dpts); if (invert) einfo->invflags |= XT_SCTP_DEST_PORTS; @@ -280,8 +278,6 @@ sctp_parse(int c, char **argv, int invert, unsigned int *flags, if (*flags & XT_SCTP_CHUNK_TYPES) xtables_error(PARAMETER_PROBLEM, "Only one `--chunk-types' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (!argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c index da722c73..6b39147e 100644 --- a/extensions/libxt_set.c +++ b/extensions/libxt_set.c 
@@ -64,8 +64,6 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags, if (info->u.flags[0]) xtables_error(PARAMETER_PROBLEM, "--match-set can be specified only once"); - - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->u.flags[0] |= IPSET_MATCH_INV; @@ -151,8 +149,6 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags, if (info->dim) xtables_error(PARAMETER_PROBLEM, "--match-set can be specified only once"); - - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->flags |= IPSET_INV_MATCH; diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index 4d914e39..3940d91e 100644 --- a/extensions/libxt_tcp.c +++ b/extensions/libxt_tcp.c @@ -148,7 +148,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags, if (*flags & TCP_SRC_PORTS) xtables_error(PARAMETER_PROBLEM, "Only one `--source-port' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_tcp_ports(optarg, tcpinfo->spts); if (invert) tcpinfo->invflags |= XT_TCP_INV_SRCPT; @@ -159,7 +158,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags, if (*flags & TCP_DST_PORTS) xtables_error(PARAMETER_PROBLEM, "Only one `--destination-port' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_tcp_ports(optarg, tcpinfo->dpts); if (invert) tcpinfo->invflags |= XT_TCP_INV_DSTPT; @@ -180,8 +178,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags, xtables_error(PARAMETER_PROBLEM, "Only one of `--syn' or `--tcp-flags' " " allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (!argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, 
@@ -197,7 +193,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags, if (*flags & TCP_OPTION) xtables_error(PARAMETER_PROBLEM, "Only one `--tcp-option' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_tcp_option(optarg, &tcpinfo->option); if (invert) tcpinfo->invflags |= XT_TCP_INV_OPTION; -- cgit v1.2.3 From 34d9ce1b80618eebcf63e933cf4a15cc5482c0d2 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 10 Jul 2011 12:48:42 +0200 Subject: libxt_conntrack: restore network-byte order for v1,v2 References: http://bugs.debian.org/632804 References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2 Signed-off-by: Jan Engelhardt --- extensions/libxt_conntrack.c | 46 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 7 deletions(-) (limited to 'extensions') diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index e1d85755..96400a11 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c 
@@ -110,9 +110,41 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = { }; #undef s +#define s struct xt_conntrack_mtinfo2 /* for v1-v2 */ +/* We exploit the fact that v1-v2 share the same layout */ +static const struct xt_option_entry conntrack2_mt_opts[] = { + {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, + .flags = XTOPT_INVERT}, + {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, + .flags = XTOPT_INVERT}, + {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT | XTOPT_NBO}, + {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING}, + XTOPT_TABLEEND, +}; +#undef s + #define s struct xt_conntrack_mtinfo3 /* for v1-v3 */ /* We exploit the fact that v1-v3 share the same layout */ -static const struct xt_option_entry conntrack_mt_opts[] = { +static const struct xt_option_entry conntrack3_mt_opts[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, 
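Review bot: Nothing in the new `conntrack2_mt_opts` table says how it differs from `conntrack3_mt_opts`, and the carried-over comment ("v1-v2 share the same layout") does not mention byte order. The only distinction visible here is `XTOPT_NBO` on the four `ct*port` entries, which per the commit subject is what v1/v2 need. A later edit that copies entries between the two near-identical tables could drop the flag, and the resulting rule would presumably match a byte-swapped port without any error. I would add a comment above the port entries such as `/* v1-v2 keep ports in network byte order: XTOPT_NBO is required here */`. The v3 table's port entries lie outside this hunk, so the comparison with them is inferred.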
@@ -992,7 +1024,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt4_print, .save = conntrack1_mt4_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1006,7 +1038,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt6_print, .save = conntrack1_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1020,7 +1052,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt_print, .save = conntrack2_mt_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1034,7 +1066,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt6_print, .save = conntrack2_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1048,7 +1080,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt_print, .save = conntrack3_mt_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack3_mt_opts, }, { .version = XTABLES_VERSION, @@ -1062,7 +1094,7 @@ static struct xtables_match conntrack_mt_reg[] = { .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt6_print, .save = conntrack3_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack3_mt_opts, }, }; -- cgit v1.2.3 From d22ceae71eaae9f641e002074fb49cd7925a7c2f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 10 Jul 2011 13:13:49 +0200 Subject: libxt_conntrack: move more data into the xt_option_entry Signed-off-by: Jan Engelhardt --- extensions/libxt_conntrack.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'extensions') 
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 96400a11..8e1777e3 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -93,7 +93,8 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, + XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST, @@ -110,13 +111,13 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = { }; #undef s -#define s struct xt_conntrack_mtinfo2 /* for v1-v2 */ -/* We exploit the fact that v1-v2 share the same layout */ +#define s struct xt_conntrack_mtinfo2 +/* We exploit the fact that v1-v2 share the same xt_o_e layout */ static const struct xt_option_entry conntrack2_mt_opts[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, @@ -148,7 +149,7 @@ static const struct xt_option_entry conntrack3_mt_opts[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, 
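Review bot: The three `ctproto` entries gain `XTOPT_POINTER(...)` but their flags stay `XTOPT_INVERT`, with no `XTOPT_PUT`. If the option parser writes through the pointer only for entries flagged `XTOPT_PUT` (its code is not on this page), then once the assignments are removed in the `conntrack_parse` and `conntrack_mt_parse` hunks below, `protonum` and `l4proto` are never set and the rule is built with protocol 0 instead of the requested one. Either add the flag, e.g. `.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)},`, or keep the explicit assignments from `cb->val.protocol`. It is also worth confirming that the width of each target member matches what `XTTYPE_PROTOCOL` stores.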
@@ -337,8 +338,6 @@ static void conntrack_parse(struct xt_option_call *cb) case O_CTPROTO: if (cb->invert) sinfo->invflags |= XT_CONNTRACK_PROTO; - sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol; - if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 && (sinfo->invflags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, @@ -401,7 +400,6 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev) info->invert_flags |= XT_CONNTRACK_STATE; break; case O_CTPROTO: - info->l4proto = cb->val.protocol; if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, "conntrack: rule would " "never match protocol"); -- cgit v1.2.3
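Review bot: In `conntrack_parse` the inversion is recorded as `XT_CONNTRACK_PROTO`, but the guard right after it tests `sinfo->invflags & XT_INV_PROTO`. Unless those two constants have the same value (their definitions are not visible), the "never match" check does not track the flag that was just set. `conntrack_mt_parse` tests `info->invert_flags & XT_INV_PROTO` in the same way. Testing the parser's own state avoids depending on either bit, e.g. `if (cb->val.protocol == 0 && cb->invert)`, and no longer relies on the struct member being filled before the callback runs. Both functions start and end outside their hunks.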