ipset 2 related updates (JK)

1 files changed, 47 insertions, 30 deletions

diff --git a/extensions/libipt_set.c b/extensions/libipt_set.c
index 06691f35..7ab78ff7 100644
--- a/extensions/libipt_set.c
+++ b/extensions/libipt_set.c
@@ -1,4 +1,14 @@
-/* Shared library add-on to iptables to add IP address set matching. */
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+/* Shared library add-on to iptables to add IP set matching. */
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -10,14 +20,14 @@
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_conntrack.h>
 #include <linux/netfilter_ipv4/ipt_set.h>
-#include "../ipset/libipt_set.h"
+#include "libipt_set.h"
 
 /* Function which prints out usage message. */
 static void help(void)
 {
 	printf("set v%s options:\n"
-	       " [!] --set     name[:flags] flags\n"
-	       "		'name' is the set name from to match.\n" 
+	       " [!] --set     name flags\n"
+	       "		'name' is the set name from to match,\n" 
 	       "		'flags' are the comma separated list of\n"
 	       "		'src' and 'dst'.\n"
 	       "\n", IPTABLES_VERSION);
@@ -36,7 +46,6 @@ static void init(struct ipt_entry_match *match, unsigned int *nfcache)
 	
 
 	memset(info, 0, sizeof(struct ipt_set_info_match));
-	info->match.id = -1;
 
 	/* Can't cache this - XXX */
 	*nfcache |= NFC_UNKNOWN;
@@ -50,23 +59,33 @@ parse(int c, char **argv, int invert, unsigned int *flags,
 {
 	struct ipt_set_info_match *myinfo = 
 		(struct ipt_set_info_match *) (*match)->data;
-	struct ipt_set_info *info = &myinfo->match;
+	struct ipt_set_info *info = &myinfo->match_set;
 
 	switch (c) {
-	case '1':		/* --set <set>[:<flags>] <flags> */
+	case '1':		/* --set <set> <flag>[,<flag> */
+		if (info->flags[0])
+			exit_error(PARAMETER_PROBLEM,
+				   "--set can be specified only once");
+
 		check_inverse(optarg, &invert, &optind, 0);
 		if (invert)
 			info->flags[0] |= IPSET_MATCH_INV;
 
 		if (!argv[optind]
-		    || argv[optind][0] == '-' || argv[optind][0] == '!')
+		    || argv[optind][0] == '-'
+		    || argv[optind][0] == '!')
 			exit_error(PARAMETER_PROBLEM,
 				   "--set requires two args.");
 
-		parse_pool(argv[optind - 1], info);
-		if (parse_ipflags(argv[optind++], info))
+		if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
 			exit_error(PARAMETER_PROBLEM,
-				   "Can't use overwrite flag with --set.");
+				   "setname `%s' too long, max %d characters.",
+				   argv[optind-1], IP_SET_MAXNAMELEN - 1);
+
+		get_set_byname(argv[optind - 1], info);
+		parse_bindings(argv[optind], info);
+		DEBUGP("parse: set index %u\n", info->index);
+		optind++;
 		
 		*flags = 1;
 		break;
@@ -83,7 +102,8 @@ static void final_check(unsigned int flags)
 {
 	if (!flags)
 		exit_error(PARAMETER_PROBLEM,
-			   "You must specify either `--set'");
+			   "You must specify `--set' with proper arguments");
+	DEBUGP("final check OK\n");
 }
 
 static void
@@ -92,22 +112,19 @@ print_match(const char *prefix, const struct ipt_set_info *info)
 	int i;
 	char setname[IP_SET_MAXNAMELEN];
 
-	if (info->id >= 0) {
-		get_set_byid(setname, info->id);
-		printf("%s%s %s", 
-		       (info->flags[0] & IPSET_MATCH_INV) ? "!" : "",
-		       prefix,
-		       setname); 
-		for (i = 0; i < info->set_level; i++)
-			printf("%s%s",
-			       i == 0 ? ":" : ",",
-			       info->flags[i] & IPSET_SRC ? "src" : "dst");
-		for (i = info->set_level; i < info->ip_level; i++)
-			printf("%s%s",
-			       i == info->set_level ? " " : ",",
-			       info->flags[i] & IPSET_SRC ? "src" : "dst");
-		printf(" ");
+	get_set_byid(setname, info->index);
+	printf("%s%s %s", 
+	       (info->flags[0] & IPSET_MATCH_INV) ? "!" : "",
+	       prefix,
+	       setname); 
+	for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
+		if (!info->flags[i])
+			break;		
+		printf("%s%s",
+		       i == 0 ? " " : ",",
+		       info->flags[i] & IPSET_SRC ? "src" : "dst");
 	}
+	printf(" ");
 }
 
 /* Prints out the matchinfo. */
@@ -118,7 +135,7 @@ print(const struct ipt_ip *ip,
 	struct ipt_set_info_match *info = 
 		(struct ipt_set_info_match *) match->data;
 
-	print_match("set", &info->match);
+	print_match("set", &info->match_set);
 }
 
 /* Saves the matchinfo in parsable form to stdout. */
@@ -128,11 +145,11 @@ static void save(const struct ipt_ip *ip,
 	struct ipt_set_info_match *info = 
 		(struct ipt_set_info_match *) match->data;
 
-	print_match("--set", &info->match);
+	print_match("--set", &info->match_set);
 }
 
 static
-struct iptables_match set = { NULL,
+struct iptables_match set = {
 	.name		= "set",
 	.version	= IPTABLES_VERSION,
 	.size		= IPT_ALIGN(sizeof(struct ipt_set_info_match)),