summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--extensions/libipt_CLUSTERIP.c4
-rw-r--r--extensions/libipt_realm.c10
-rw-r--r--extensions/libxt_addrtype.c (renamed from extensions/libipt_addrtype.c)56
-rw-r--r--extensions/libxt_addrtype.man (renamed from extensions/libipt_addrtype.man)0
-rw-r--r--extensions/libxt_recent.c17
-rw-r--r--extensions/libxt_recent.man5
-rw-r--r--include/Makefile.am2
-rw-r--r--include/ip6tables.h10
-rw-r--r--include/iptables.h16
-rw-r--r--include/libiptc/libip6tc.h110
-rw-r--r--include/libiptc/libiptc.h110
-rw-r--r--include/libiptc/xtcshared.h20
-rw-r--r--include/linux/kernel.h33
-rw-r--r--include/linux/netfilter.h18
-rw-r--r--include/linux/netfilter/ipset/ip_set.h225
-rw-r--r--include/linux/netfilter/nf_conntrack_common.h14
-rw-r--r--include/linux/netfilter/nf_conntrack_tuple_common.h3
-rw-r--r--include/linux/netfilter/x_tables.h5
-rw-r--r--include/linux/netfilter/xt_CT.h2
-rw-r--r--include/linux/netfilter/xt_TCPOPTSTRIP.h2
-rw-r--r--include/linux/netfilter/xt_TPROXY.h2
-rw-r--r--include/linux/netfilter/xt_addrtype.h44
-rw-r--r--include/linux/netfilter/xt_cluster.h2
-rw-r--r--include/linux/netfilter/xt_connbytes.h4
-rw-r--r--include/linux/netfilter/xt_connlimit.h2
-rw-r--r--include/linux/netfilter/xt_physdev.h3
-rw-r--r--include/linux/netfilter/xt_policy.h11
-rw-r--r--include/linux/netfilter/xt_quota.h4
-rw-r--r--include/linux/netfilter/xt_sctp.h4
-rw-r--r--include/linux/netfilter/xt_set.h81
-rw-r--r--include/linux/netfilter/xt_socket.h2
-rw-r--r--include/linux/netfilter/xt_time.h2
-rw-r--r--include/linux/netfilter/xt_u32.h2
-rw-r--r--include/linux/netfilter_ipv4/ip_tables.h82
-rw-r--r--include/linux/netfilter_ipv4/ipt_CLUSTERIP.h16
-rw-r--r--include/linux/netfilter_ipv4/ipt_ECN.h8
-rw-r--r--include/linux/netfilter_ipv4/ipt_SAME.h8
-rw-r--r--include/linux/netfilter_ipv4/ipt_TTL.h6
-rw-r--r--include/linux/netfilter_ipv4/ipt_addrtype.h16
-rw-r--r--include/linux/netfilter_ipv4/ipt_ah.h6
-rw-r--r--include/linux/netfilter_ipv4/ipt_ecn.h10
-rw-r--r--include/linux/netfilter_ipv4/ipt_ttl.h6
-rw-r--r--include/linux/netfilter_ipv6/ip6_tables.h100
-rw-r--r--include/linux/netfilter_ipv6/ip6t_HL.h6
-rw-r--r--include/linux/netfilter_ipv6/ip6t_REJECT.h4
-rw-r--r--include/linux/netfilter_ipv6/ip6t_ah.h10
-rw-r--r--include/linux/netfilter_ipv6/ip6t_frag.h10
-rw-r--r--include/linux/netfilter_ipv6/ip6t_hl.h6
-rw-r--r--include/linux/netfilter_ipv6/ip6t_ipv6header.h8
-rw-r--r--include/linux/netfilter_ipv6/ip6t_mh.h6
-rw-r--r--include/linux/netfilter_ipv6/ip6t_opts.h12
-rw-r--r--include/linux/netfilter_ipv6/ip6t_rt.h13
-rw-r--r--include/linux/types.h13
-rw-r--r--iptables/ip6tables-restore.c53
-rw-r--r--iptables/ip6tables-save.c84
-rw-r--r--iptables/ip6tables-standalone.c2
-rw-r--r--iptables/ip6tables.c112
-rw-r--r--iptables/iptables-restore.c48
-rw-r--r--iptables/iptables-save.c84
-rw-r--r--iptables/iptables-standalone.c2
-rw-r--r--iptables/iptables-xml.c36
-rw-r--r--iptables/iptables.c110
-rw-r--r--iptables/xshared.c2
-rw-r--r--libiptc/Makefile.am4
-rw-r--r--libiptc/libip4tc.c56
-rw-r--r--libiptc/libip6tc.c38
-rw-r--r--libiptc/libiptc.c54
67 files changed, 1038 insertions, 818 deletions
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 301e0e1d..f4b638b2 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -144,7 +144,7 @@ static void CLUSTERIP_print(const void *ip,
const struct ipt_clusterip_tgt_info *cipinfo =
(const struct ipt_clusterip_tgt_info *)target->data;
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) {
+ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
printf(" CLUSTERIP");
return;
}
@@ -164,7 +164,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target)
/* if this is not a new entry, we don't need to save target
* parameters */
- if (!cipinfo->flags & CLUSTERIP_FLAG_NEW)
+ if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW))
return;
printf(" --new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u",
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index b60c57ee..a8d9dda0 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -41,7 +41,7 @@ static void realm_init(struct xt_entry_match *m)
static void realm_parse(struct xt_option_call *cb)
{
- struct ipt_realm_info *realminfo = cb->data;
+ struct xt_realm_info *realminfo = cb->data;
int id;
char *end;
@@ -87,7 +87,7 @@ print_realm(unsigned long id, unsigned long mask, int numeric)
static void realm_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- const struct ipt_realm_info *ri = (const void *)match->data;
+ const struct xt_realm_info *ri = (const void *)match->data;
if (ri->invert)
printf(" !");
@@ -98,7 +98,7 @@ static void realm_print(const void *ip, const struct xt_entry_match *match,
static void realm_save(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_realm_info *ri = (const void *)match->data;
+ const struct xt_realm_info *ri = (const void *)match->data;
if (ri->invert)
printf(" !");
@@ -111,8 +111,8 @@ static struct xtables_match realm_mt_reg = {
.name = "realm",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_realm_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_realm_info)),
+ .size = XT_ALIGN(sizeof(struct xt_realm_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)),
.help = realm_help,
.init = realm_init,
.print = realm_print,
diff --git a/extensions/libipt_addrtype.c b/extensions/libxt_addrtype.c
index 3dec626b..59072b35 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libxt_addrtype.c
@@ -4,7 +4,7 @@
#include <stdio.h>
#include <string.h>
#include <xtables.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter/xt_addrtype.h>
enum {
O_SRC_TYPE = 0,
@@ -98,7 +98,7 @@ static void parse_types(const char *arg, uint16_t *mask)
static void addrtype_parse_v0(struct xt_option_call *cb)
{
- struct ipt_addrtype_info *info = cb->data;
+ struct xt_addrtype_info *info = cb->data;
xtables_option_parse(cb);
switch (cb->entry->id) {
@@ -117,25 +117,25 @@ static void addrtype_parse_v0(struct xt_option_call *cb)
static void addrtype_parse_v1(struct xt_option_call *cb)
{
- struct ipt_addrtype_info_v1 *info = cb->data;
+ struct xt_addrtype_info_v1 *info = cb->data;
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_SRC_TYPE:
parse_types(cb->arg, &info->source);
if (cb->invert)
- info->flags |= IPT_ADDRTYPE_INVERT_SOURCE;
+ info->flags |= XT_ADDRTYPE_INVERT_SOURCE;
break;
case O_DST_TYPE:
parse_types(cb->arg, &info->dest);
if (cb->invert)
- info->flags |= IPT_ADDRTYPE_INVERT_DEST;
+ info->flags |= XT_ADDRTYPE_INVERT_DEST;
break;
case O_LIMIT_IFACE_IN:
- info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN;
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN;
break;
case O_LIMIT_IFACE_OUT:
- info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT;
+ info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT;
break;
}
}
@@ -162,8 +162,7 @@ static void print_types(uint16_t mask)
static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
+ const struct xt_addrtype_info *info = (const void *)match->data;
printf(" ADDRTYPE match");
if (info->source) {
@@ -183,34 +182,30 @@ static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match
static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match,
int numeric)
{
- const struct ipt_addrtype_info_v1 *info =
- (struct ipt_addrtype_info_v1 *) match->data;
+ const struct xt_addrtype_info_v1 *info = (const void *)match->data;
printf(" ADDRTYPE match");
if (info->source) {
printf(" src-type ");
- if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
printf("!");
print_types(info->source);
}
if (info->dest) {
printf(" dst-type ");
- if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
printf("!");
print_types(info->dest);
}
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
printf(" limit-in");
- }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
printf(" limit-out");
- }
}
static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_addrtype_info *info =
- (struct ipt_addrtype_info *) match->data;
+ const struct xt_addrtype_info *info = (const void *)match->data;
if (info->source) {
if (info->invert_source)
@@ -228,27 +223,24 @@ static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match)
static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match)
{
- const struct ipt_addrtype_info_v1 *info =
- (struct ipt_addrtype_info_v1 *) match->data;
+ const struct xt_addrtype_info_v1 *info = (const void *)match->data;
if (info->source) {
- if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE)
+ if (info->flags & XT_ADDRTYPE_INVERT_SOURCE)
printf(" !");
printf(" --src-type ");
print_types(info->source);
}
if (info->dest) {
- if (info->flags & IPT_ADDRTYPE_INVERT_DEST)
+ if (info->flags & XT_ADDRTYPE_INVERT_DEST)
printf(" !");
printf(" --dst-type ");
print_types(info->dest);
}
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
printf(" --limit-iface-in");
- }
- if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
+ if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
printf(" --limit-iface-out");
- }
}
static const struct xt_option_entry addrtype_opts_v0[] = {
@@ -276,8 +268,8 @@ static struct xtables_match addrtype_mt_reg[] = {
.name = "addrtype",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)),
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)),
.help = addrtype_help_v0,
.print = addrtype_print_v0,
.save = addrtype_save_v0,
@@ -289,9 +281,9 @@ static struct xtables_match addrtype_mt_reg[] = {
.name = "addrtype",
.revision = 1,
.version = XTABLES_VERSION,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
- .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)),
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)),
.help = addrtype_help_v1,
.print = addrtype_print_v1,
.save = addrtype_save_v1,
diff --git a/extensions/libipt_addrtype.man b/extensions/libxt_addrtype.man
index 16fd9dfd..16fd9dfd 100644
--- a/extensions/libipt_addrtype.man
+++ b/extensions/libxt_addrtype.man
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 1e1a111f..c7dce4e7 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -10,6 +10,7 @@ enum {
O_UPDATE,
O_REMOVE,
O_SECONDS,
+ O_REAP,
O_HITCOUNT,
O_RTTL,
O_NAME,
@@ -19,6 +20,7 @@ enum {
F_RCHECK = 1 << O_RCHECK,
F_UPDATE = 1 << O_UPDATE,
F_REMOVE = 1 << O_REMOVE,
+ F_SECONDS = 1 << O_SECONDS,
F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
};
@@ -33,7 +35,9 @@ static const struct xt_option_entry recent_opts[] = {
{.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
.excl = F_ANY_OP, .flags = XTOPT_INVERT},
{.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
- .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
+ {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
+ .also = F_SECONDS },
{.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
.flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
{.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
@@ -57,6 +61,8 @@ static void recent_help(void)
" --seconds seconds For check and update commands above.\n"
" Specifies that the match will only occur if source address last seen within\n"
" the last 'seconds' seconds.\n"
+" --reap Purge entries older then 'seconds'.\n"
+" Can only be used in conjunction with the seconds option.\n"
" --hitcount hits For check and update commands above.\n"
" Specifies that the match will only occur if source address seen hits times.\n"
" May be used in conjunction with the seconds option.\n"
@@ -117,11 +123,16 @@ static void recent_parse(struct xt_option_call *cb)
case O_RDEST:
info->side = XT_RECENT_DEST;
break;
+ case O_REAP:
+ info->check_set |= XT_RECENT_REAP;
+ break;
}
}
static void recent_check(struct xt_fcheck_call *cb)
{
+ struct xt_recent_mtinfo *info = cb->data;
+
if (!(cb->xflags & F_ANY_OP))
xtables_error(PARAMETER_PROBLEM,
"recent: you must specify one of `--set', `--rcheck' "
@@ -146,6 +157,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
if (info->check_set & XT_RECENT_REMOVE)
printf(" REMOVE");
if(info->seconds) printf(" seconds: %d", info->seconds);
+ if (info->check_set & XT_RECENT_REAP)
+ printf(" reap");
if(info->hit_count) printf(" hit_count: %d", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" TTL-Match");
@@ -172,6 +185,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
if (info->check_set & XT_RECENT_REMOVE)
printf(" --remove");
if(info->seconds) printf(" --seconds %d", info->seconds);
+ if (info->check_set & XT_RECENT_REAP)
+ printf(" --reap");
if(info->hit_count) printf(" --hitcount %d", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" --rttl");
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 0392c2ca..8043df4a 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
+\fB\-\-reap\fP
+This option can only be used in conjunction with \fB\-\-seconds\fP.
+When used, this will cause entries older than the last given number of seconds
+to be purged.
+.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
diff --git a/include/Makefile.am b/include/Makefile.am
index 0a1abea4..6f7da598 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -9,4 +9,4 @@ endif
nobase_include_HEADERS += \
libiptc/ipt_kernel_headers.h libiptc/libiptc.h \
- libiptc/libip6tc.h libiptc/libxtc.h
+ libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h
diff --git a/include/ip6tables.h b/include/ip6tables.h
index e976361f..37d2e0a3 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -8,12 +8,12 @@
/* Your shared library should call one of these. */
extern int do_command6(int argc, char *argv[], char **table,
- struct ip6tc_handle **handle);
+ struct xtc_handle **handle);
-extern int for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle);
-extern int flush_entries6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
-extern int delete_chain6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle);
-void print_rule6(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters);
+extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle);
+extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
+extern int delete_chain6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
+void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h, const char *chain, int counters);
extern struct xtables_globals ip6tables_globals;
diff --git a/include/iptables.h b/include/iptables.h
index 89217e29..c42613c9 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -8,15 +8,15 @@
/* Your shared library should call one of these. */
extern int do_command4(int argc, char *argv[], char **table,
- struct iptc_handle **handle);
-extern int delete_chain4(const ipt_chainlabel chain, int verbose,
- struct iptc_handle *handle);
-extern int flush_entries4(const ipt_chainlabel chain, int verbose,
- struct iptc_handle *handle);
-extern int for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
- int verbose, int builtinstoo, struct iptc_handle *handle);
+ struct xtc_handle **handle);
+extern int delete_chain4(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle);
+extern int flush_entries4(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle);
+extern int for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *),
+ int verbose, int builtinstoo, struct xtc_handle *handle);
extern void print_rule4(const struct ipt_entry *e,
- struct iptc_handle *handle, const char *chain, int counters);
+ struct xtc_handle *handle, const char *chain, int counters);
extern struct xtables_globals iptables_globals;
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index 4f2d1f87..c656bc43 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -10,10 +10,10 @@
# include <limits.h> /* INT_MAX in ip6_tables.h */
#endif
#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <libiptc/xtcshared.h>
-struct ip6tc_handle;
-
-typedef char ip6t_chainlabel[32];
+#define ip6tc_handle xtc_handle
+#define ip6t_chainlabel xt_chainlabel
#define IP6TC_LABEL_ACCEPT "ACCEPT"
#define IP6TC_LABEL_DROP "DROP"
@@ -21,132 +21,132 @@ typedef char ip6t_chainlabel[32];
#define IP6TC_LABEL_RETURN "RETURN"
/* Does this chain exist? */
-int ip6tc_is_chain(const char *chain, struct ip6tc_handle *const handle);
+int ip6tc_is_chain(const char *chain, struct xtc_handle *const handle);
/* Take a snapshot of the rules. Returns NULL on error. */
-struct ip6tc_handle *ip6tc_init(const char *tablename);
+struct xtc_handle *ip6tc_init(const char *tablename);
/* Cleanup after ip6tc_init(). */
-void ip6tc_free(struct ip6tc_handle *h);
+void ip6tc_free(struct xtc_handle *h);
/* Iterator functions to run through the chains. Returns NULL at end. */
-const char *ip6tc_first_chain(struct ip6tc_handle *handle);
-const char *ip6tc_next_chain(struct ip6tc_handle *handle);
+const char *ip6tc_first_chain(struct xtc_handle *handle);
+const char *ip6tc_next_chain(struct xtc_handle *handle);
/* Get first rule in the given chain: NULL for empty chain. */
const struct ip6t_entry *ip6tc_first_rule(const char *chain,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Returns NULL when rules run out. */
const struct ip6t_entry *ip6tc_next_rule(const struct ip6t_entry *prev,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Returns a pointer to the target name of this position. */
const char *ip6tc_get_target(const struct ip6t_entry *e,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Is this a built-in chain? */
-int ip6tc_builtin(const char *chain, struct ip6tc_handle *const handle);
+int ip6tc_builtin(const char *chain, struct xtc_handle *const handle);
/* Get the policy of a given built-in chain */
const char *ip6tc_get_policy(const char *chain,
- struct ip6t_counters *counters,
- struct ip6tc_handle *handle);
+ struct xt_counters *counters,
+ struct xtc_handle *handle);
/* These functions return TRUE for OK or 0 and set errno. If errno ==
0, it means there was a version error (ie. upgrade libiptc). */
/* Rule numbers start at 1 for the first rule. */
/* Insert the entry `fw' in chain `chain' into position `rulenum'. */
-int ip6tc_insert_entry(const ip6t_chainlabel chain,
+int ip6tc_insert_entry(const xt_chainlabel chain,
const struct ip6t_entry *e,
unsigned int rulenum,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Atomically replace rule `rulenum' in `chain' with `fw'. */
-int ip6tc_replace_entry(const ip6t_chainlabel chain,
+int ip6tc_replace_entry(const xt_chainlabel chain,
const struct ip6t_entry *e,
unsigned int rulenum,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Append entry `fw' to chain `chain'. Equivalent to insert with
rulenum = length of chain. */
-int ip6tc_append_entry(const ip6t_chainlabel chain,
+int ip6tc_append_entry(const xt_chainlabel chain,
const struct ip6t_entry *e,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Check whether a matching rule exists */
-int ip6tc_check_entry(const ip6t_chainlabel chain,
+int ip6tc_check_entry(const xt_chainlabel chain,
const struct ip6t_entry *origfw,
unsigned char *matchmask,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Delete the first rule in `chain' which matches `fw'. */
-int ip6tc_delete_entry(const ip6t_chainlabel chain,
+int ip6tc_delete_entry(const xt_chainlabel chain,
const struct ip6t_entry *origfw,
unsigned char *matchmask,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Delete the rule in position `rulenum' in `chain'. */
-int ip6tc_delete_num_entry(const ip6t_chainlabel chain,
+int ip6tc_delete_num_entry(const xt_chainlabel chain,
unsigned int rulenum,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Check the packet `fw' on chain `chain'. Returns the verdict, or
NULL and sets errno. */
-const char *ip6tc_check_packet(const ip6t_chainlabel chain,
+const char *ip6tc_check_packet(const xt_chainlabel chain,
struct ip6t_entry *,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* Flushes the entries in the given chain (ie. empties chain). */
-int ip6tc_flush_entries(const ip6t_chainlabel chain,
- struct ip6tc_handle *handle);
+int ip6tc_flush_entries(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Zeroes the counters in a chain. */
-int ip6tc_zero_entries(const ip6t_chainlabel chain,
- struct ip6tc_handle *handle);
+int ip6tc_zero_entries(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Creates a new chain. */
-int ip6tc_create_chain(const ip6t_chainlabel chain,
- struct ip6tc_handle *handle);
+int ip6tc_create_chain(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Deletes a chain. */
-int ip6tc_delete_chain(const ip6t_chainlabel chain,
- struct ip6tc_handle *handle);
+int ip6tc_delete_chain(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Renames a chain. */
-int ip6tc_rename_chain(const ip6t_chainlabel oldname,
- const ip6t_chainlabel newname,
- struct ip6tc_handle *handle);
+int ip6tc_rename_chain(const xt_chainlabel oldname,
+ const xt_chainlabel newname,
+ struct xtc_handle *handle);
/* Sets the policy on a built-in chain. */
-int ip6tc_set_policy(const ip6t_chainlabel chain,
- const ip6t_chainlabel policy,
- struct ip6t_counters *counters,
- struct ip6tc_handle *handle);
+int ip6tc_set_policy(const xt_chainlabel chain,
+ const xt_chainlabel policy,
+ struct xt_counters *counters,
+ struct xtc_handle *handle);
/* Get the number of references to this chain */
-int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain,
- struct ip6tc_handle *handle);
+int ip6tc_get_references(unsigned int *ref, const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* read packet and byte counters for a specific rule */
-struct ip6t_counters *ip6tc_read_counter(const ip6t_chainlabel chain,
+struct xt_counters *ip6tc_read_counter(const xt_chainlabel chain,
unsigned int rulenum,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* zero packet and byte counters for a specific rule */
-int ip6tc_zero_counter(const ip6t_chainlabel chain,
+int ip6tc_zero_counter(const xt_chainlabel chain,
unsigned int rulenum,
- struct ip6tc_handle *handle);
+ struct xtc_handle *handle);
/* set packet and byte counters for a specific rule */
-int ip6tc_set_counter(const ip6t_chainlabel chain,
+int ip6tc_set_counter(const xt_chainlabel chain,
unsigned int rulenum,
- struct ip6t_counters *counters,
- struct ip6tc_handle *handle);
+ struct xt_counters *counters,
+ struct xtc_handle *handle);
/* Makes the actual changes. */
-int ip6tc_commit(struct ip6tc_handle *handle);
+int ip6tc_commit(struct xtc_handle *handle);
/* Get raw socket. */
int ip6tc_get_raw_socket(void);
@@ -157,6 +157,8 @@ const char *ip6tc_strerror(int err);
/* Return prefix length, or -1 if not contiguous */
int ipv6_prefix_length(const struct in6_addr *a);
-extern void dump_entries6(struct ip6tc_handle *const);
+extern void dump_entries6(struct xtc_handle *const);
+
+extern const struct xtc_ops ip6tc_ops;
#endif /* _LIBIP6TC_H */
diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h
index 3497d6ae..24cdbdb7 100644
--- a/include/libiptc/libiptc.h
+++ b/include/libiptc/libiptc.h
@@ -10,14 +10,14 @@
# include <limits.h> /* INT_MAX in ip_tables.h */
#endif
#include <linux/netfilter_ipv4/ip_tables.h>
+#include <libiptc/xtcshared.h>
#ifdef __cplusplus
extern "C" {
#endif
-struct iptc_handle;
-
-typedef char ipt_chainlabel[32];
+#define iptc_handle xtc_handle
+#define ipt_chainlabel xt_chainlabel
#define IPTC_LABEL_ACCEPT "ACCEPT"
#define IPTC_LABEL_DROP "DROP"
@@ -25,134 +25,134 @@ typedef char ipt_chainlabel[32];
#define IPTC_LABEL_RETURN "RETURN"
/* Does this chain exist? */
-int iptc_is_chain(const char *chain, struct iptc_handle *const handle);
+int iptc_is_chain(const char *chain, struct xtc_handle *const handle);
/* Take a snapshot of the rules. Returns NULL on error. */
-struct iptc_handle *iptc_init(const char *tablename);
+struct xtc_handle *iptc_init(const char *tablename);
/* Cleanup after iptc_init(). */
-void iptc_free(struct iptc_handle *h);
+void iptc_free(struct xtc_handle *h);
/* Iterator functions to run through the chains. Returns NULL at end. */
-const char *iptc_first_chain(struct iptc_handle *handle);
-const char *iptc_next_chain(struct iptc_handle *handle);
+const char *iptc_first_chain(struct xtc_handle *handle);
+const char *iptc_next_chain(struct xtc_handle *handle);
/* Get first rule in the given chain: NULL for empty chain. */
const struct ipt_entry *iptc_first_rule(const char *chain,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Returns NULL when rules run out. */
const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Returns a pointer to the target name of this entry. */
const char *iptc_get_target(const struct ipt_entry *e,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Is this a built-in chain? */
-int iptc_builtin(const char *chain, struct iptc_handle *const handle);
+int iptc_builtin(const char *chain, struct xtc_handle *const handle);
/* Get the policy of a given built-in chain */
const char *iptc_get_policy(const char *chain,
- struct ipt_counters *counter,
- struct iptc_handle *handle);
+ struct xt_counters *counter,
+ struct xtc_handle *handle);
/* These functions return TRUE for OK or 0 and set errno. If errno ==
0, it means there was a version error (ie. upgrade libiptc). */
/* Rule numbers start at 1 for the first rule. */
/* Insert the entry `e' in chain `chain' into position `rulenum'. */
-int iptc_insert_entry(const ipt_chainlabel chain,
+int iptc_insert_entry(const xt_chainlabel chain,
const struct ipt_entry *e,
unsigned int rulenum,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Atomically replace rule `rulenum' in `chain' with `e'. */
-int iptc_replace_entry(const ipt_chainlabel chain,
+int iptc_replace_entry(const xt_chainlabel chain,
const struct ipt_entry *e,
unsigned int rulenum,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Append entry `e' to chain `chain'. Equivalent to insert with
rulenum = length of chain. */
-int iptc_append_entry(const ipt_chainlabel chain,
+int iptc_append_entry(const xt_chainlabel chain,
const struct ipt_entry *e,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Check whether a mathching rule exists */
-int iptc_check_entry(const ipt_chainlabel chain,
+int iptc_check_entry(const xt_chainlabel chain,
const struct ipt_entry *origfw,
unsigned char *matchmask,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Delete the first rule in `chain' which matches `e', subject to
matchmask (array of length == origfw) */
-int iptc_delete_entry(const ipt_chainlabel chain,
+int iptc_delete_entry(const xt_chainlabel chain,
const struct ipt_entry *origfw,
unsigned char *matchmask,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Delete the rule in position `rulenum' in `chain'. */
-int iptc_delete_num_entry(const ipt_chainlabel chain,
+int iptc_delete_num_entry(const xt_chainlabel chain,
unsigned int rulenum,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Check the packet `e' on chain `chain'. Returns the verdict, or
NULL and sets errno. */
-const char *iptc_check_packet(const ipt_chainlabel chain,
+const char *iptc_check_packet(const xt_chainlabel chain,
struct ipt_entry *entry,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* Flushes the entries in the given chain (ie. empties chain). */
-int iptc_flush_entries(const ipt_chainlabel chain,
- struct iptc_handle *handle);
+int iptc_flush_entries(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Zeroes the counters in a chain. */
-int iptc_zero_entries(const ipt_chainlabel chain,
- struct iptc_handle *handle);
+int iptc_zero_entries(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Creates a new chain. */
-int iptc_create_chain(const ipt_chainlabel chain,
- struct iptc_handle *handle);
+int iptc_create_chain(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Deletes a chain. */
-int iptc_delete_chain(const ipt_chainlabel chain,
- struct iptc_handle *handle);
+int iptc_delete_chain(const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* Renames a chain. */
-int iptc_rename_chain(const ipt_chainlabel oldname,
- const ipt_chainlabel newname,
- struct iptc_handle *handle);
+int iptc_rename_chain(const xt_chainlabel oldname,
+ const xt_chainlabel newname,
+ struct xtc_handle *handle);
/* Sets the policy on a built-in chain. */
-int iptc_set_policy(const ipt_chainlabel chain,
- const ipt_chainlabel policy,
- struct ipt_counters *counters,
- struct iptc_handle *handle);
+int iptc_set_policy(const xt_chainlabel chain,
+ const xt_chainlabel policy,
+ struct xt_counters *counters,
+ struct xtc_handle *handle);
/* Get the number of references to this chain */
int iptc_get_references(unsigned int *ref,
- const ipt_chainlabel chain,
- struct iptc_handle *handle);
+ const xt_chainlabel chain,
+ struct xtc_handle *handle);
/* read packet and byte counters for a specific rule */
-struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain,
+struct xt_counters *iptc_read_counter(const xt_chainlabel chain,
unsigned int rulenum,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* zero packet and byte counters for a specific rule */
-int iptc_zero_counter(const ipt_chainlabel chain,
+int iptc_zero_counter(const xt_chainlabel chain,
unsigned int rulenum,
- struct iptc_handle *handle);
+ struct xtc_handle *handle);
/* set packet and byte counters for a specific rule */
-int iptc_set_counter(const ipt_chainlabel chain,
+int iptc_set_counter(const xt_chainlabel chain,
unsigned int rulenum,
- struct ipt_counters *counters,
- struct iptc_handle *handle);
+ struct xt_counters *counters,
+ struct xtc_handle *handle);
/* Makes the actual changes. */
-int iptc_commit(struct iptc_handle *handle);
+int iptc_commit(struct xtc_handle *handle);
/* Get raw socket. */
int iptc_get_raw_socket(void);
@@ -160,7 +160,9 @@ int iptc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *iptc_strerror(int err);
-extern void dump_entries(struct iptc_handle *const);
+extern void dump_entries(struct xtc_handle *const);
+
+extern const struct xtc_ops iptc_ops;
#ifdef __cplusplus
}
diff --git a/include/libiptc/xtcshared.h b/include/libiptc/xtcshared.h
new file mode 100644
index 00000000..773ebc4c
--- /dev/null
+++ b/include/libiptc/xtcshared.h
@@ -0,0 +1,20 @@
+#ifndef _LIBXTC_SHARED_H
+#define _LIBXTC_SHARED_H 1
+
+typedef char xt_chainlabel[32];
+struct xtc_handle;
+struct xt_counters;
+
+struct xtc_ops {
+ int (*commit)(struct xtc_handle *);
+ void (*free)(struct xtc_handle *);
+ int (*builtin)(const char *, struct xtc_handle *const);
+ int (*is_chain)(const char *, struct xtc_handle *const);
+ int (*flush_entries)(const xt_chainlabel, struct xtc_handle *);
+ int (*create_chain)(const xt_chainlabel, struct xtc_handle *);
+ int (*set_policy)(const xt_chainlabel, const xt_chainlabel,
+ struct xt_counters *, struct xtc_handle *);
+ const char *(*strerror)(int);
+};
+
+#endif /* _LIBXTC_SHARED_H */
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index d1671a01..d4c59f65 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -8,7 +8,6 @@
#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
-
#define SI_LOAD_SHIFT 16
struct sysinfo {
long uptime; /* Seconds since boot */
@@ -27,36 +26,4 @@ struct sysinfo {
char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */
};
-/* Force a compilation error if condition is true */
-#define BUILD_BUG_ON(condition) ((void)BUILD_BUG_ON_ZERO(condition))
-
-/* Force a compilation error if condition is constant and true */
-#define MAYBE_BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)]))
-
-/* Force a compilation error if a constant expression is not a power of 2 */
-#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \
- BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0))
-
-/* Force a compilation error if condition is true, but also produce a
- result (of value 0 and type size_t), so the expression can be used
- e.g. in a structure initializer (or where-ever else comma expressions
- aren't permitted). */
-#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); }))
-#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
-
-/* Trap pasters of __FUNCTION__ at compile-time */
-#define __FUNCTION__ (__func__)
-
-/* This helps us to avoid #ifdef CONFIG_NUMA */
-#ifdef CONFIG_NUMA
-#define NUMA_BUILD 1
-#else
-#define NUMA_BUILD 0
-#endif
-
-/* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */
-#ifdef CONFIG_FTRACE_MCOUNT_RECORD
-# define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD
-#endif
-
#endif
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 2eb00b6c..54771312 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -3,6 +3,7 @@
#include <linux/types.h>
+#include <linux/sysctl.h>
/* Responses from hook functions. */
#define NF_DROP 0
@@ -14,14 +15,20 @@
#define NF_MAX_VERDICT NF_STOP
/* we overload the higher bits for encoding auxiliary data such as the queue
- * number. Not nice, but better than additional function arguments. */
-#define NF_VERDICT_MASK 0x0000ffff
-#define NF_VERDICT_BITS 16
+ * number or errno values. Not nice, but better than additional function
+ * arguments. */
+#define NF_VERDICT_MASK 0x000000ff
+
+/* extra verdict flags have mask 0x0000ff00 */
+#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000
+/* queue number (NF_QUEUE) or errno (NF_DROP) */
#define NF_VERDICT_QMASK 0xffff0000
#define NF_VERDICT_QBITS 16
-#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
+#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
+
+#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP)
/* only for userspace compatibility */
/* Generic cache responses from hook functions.
@@ -29,6 +36,9 @@
#define NFC_UNKNOWN 0x4000
#define NFC_ALTERED 0x8000
+/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */
+#define NF_VERDICT_BITS 16
+
enum nf_inet_hooks {
NF_INET_PRE_ROUTING,
NF_INET_LOCAL_IN,
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
new file mode 100644
index 00000000..79cb0779
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -0,0 +1,225 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ * Patrick Schaaf <bof@bof.de>
+ * Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/types.h>
+
+/* The protocol version */
+#define IPSET_PROTOCOL 6
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN 32
+
+/* Message types and commands */
+enum ipset_cmd {
+ IPSET_CMD_NONE,
+ IPSET_CMD_PROTOCOL, /* 1: Return protocol version */
+ IPSET_CMD_CREATE, /* 2: Create a new (empty) set */
+ IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */
+ IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */
+ IPSET_CMD_RENAME, /* 5: Rename a set */
+ IPSET_CMD_SWAP, /* 6: Swap two sets */
+ IPSET_CMD_LIST, /* 7: List sets */
+ IPSET_CMD_SAVE, /* 8: Save sets */
+ IPSET_CMD_ADD, /* 9: Add an element to a set */
+ IPSET_CMD_DEL, /* 10: Delete an element from a set */
+ IPSET_CMD_TEST, /* 11: Test an element in a set */
+ IPSET_CMD_HEADER, /* 12: Get set header data only */
+ IPSET_CMD_TYPE, /* 13: Get set type */
+ IPSET_MSG_MAX, /* Netlink message commands */
+
+ /* Commands in userspace: */
+ IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+ IPSET_CMD_HELP, /* 15: Get help */
+ IPSET_CMD_VERSION, /* 16: Get program version */
+ IPSET_CMD_QUIT, /* 17: Quit from interactive mode */
+
+ IPSET_CMD_MAX,
+
+ IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+
+/* Attributes at command level */
+enum {
+ IPSET_ATTR_UNSPEC,
+ IPSET_ATTR_PROTOCOL, /* 1: Protocol version */
+ IPSET_ATTR_SETNAME, /* 2: Name of the set */
+ IPSET_ATTR_TYPENAME, /* 3: Typename */
+ IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+ IPSET_ATTR_REVISION, /* 4: Settype revision */
+ IPSET_ATTR_FAMILY, /* 5: Settype family */
+ IPSET_ATTR_FLAGS, /* 6: Flags at command level */
+ IPSET_ATTR_DATA, /* 7: Nested attributes */
+ IPSET_ATTR_ADT, /* 8: Multiple data containers */
+ IPSET_ATTR_LINENO, /* 9: Restore lineno */
+ IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+ IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+ __IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1)
+
+/* CADT specific attributes */
+enum {
+ IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+ IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+ IPSET_ATTR_IP_TO, /* 2 */
+ IPSET_ATTR_CIDR, /* 3 */
+ IPSET_ATTR_PORT, /* 4 */
+ IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+ IPSET_ATTR_PORT_TO, /* 5 */
+ IPSET_ATTR_TIMEOUT, /* 6 */
+ IPSET_ATTR_PROTO, /* 7 */
+ IPSET_ATTR_CADT_FLAGS, /* 8 */
+ IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */
+ /* Reserve empty slots */
+ IPSET_ATTR_CADT_MAX = 16,
+ /* Create-only specific attributes */
+ IPSET_ATTR_GC,
+ IPSET_ATTR_HASHSIZE,
+ IPSET_ATTR_MAXELEM,
+ IPSET_ATTR_NETMASK,
+ IPSET_ATTR_PROBES,
+ IPSET_ATTR_RESIZE,
+ IPSET_ATTR_SIZE,
+ /* Kernel-only */
+ IPSET_ATTR_ELEMENTS,
+ IPSET_ATTR_REFERENCES,
+ IPSET_ATTR_MEMSIZE,
+
+ __IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1)
+
+/* ADT specific attributes */
+enum {
+ IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+ IPSET_ATTR_NAME,
+ IPSET_ATTR_NAMEREF,
+ IPSET_ATTR_IP2,
+ IPSET_ATTR_CIDR2,
+ IPSET_ATTR_IP2_TO,
+ IPSET_ATTR_IFACE,
+ __IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)
+
+/* IP specific attributes */
+enum {
+ IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+ IPSET_ATTR_IPADDR_IPV6,
+ __IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1)
+
+/* Error codes */
+enum ipset_errno {
+ IPSET_ERR_PRIVATE = 4096,
+ IPSET_ERR_PROTOCOL,
+ IPSET_ERR_FIND_TYPE,
+ IPSET_ERR_MAX_SETS,
+ IPSET_ERR_BUSY,
+ IPSET_ERR_EXIST_SETNAME2,
+ IPSET_ERR_TYPE_MISMATCH,
+ IPSET_ERR_EXIST,
+ IPSET_ERR_INVALID_CIDR,
+ IPSET_ERR_INVALID_NETMASK,
+ IPSET_ERR_INVALID_FAMILY,
+ IPSET_ERR_TIMEOUT,
+ IPSET_ERR_REFERENCED,
+ IPSET_ERR_IPADDR_IPV4,
+ IPSET_ERR_IPADDR_IPV6,
+
+ /* Type specific error codes */
+ IPSET_ERR_TYPE_SPECIFIC = 4352,
+};
+
+/* Flags at command level */
+enum ipset_cmd_flags {
+ IPSET_FLAG_BIT_EXIST = 0,
+ IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST),
+ IPSET_FLAG_BIT_LIST_SETNAME = 1,
+ IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME),
+ IPSET_FLAG_BIT_LIST_HEADER = 2,
+ IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER),
+};
+
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+ IPSET_FLAG_BIT_BEFORE = 0,
+ IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE),
+ IPSET_FLAG_BIT_PHYSDEV = 1,
+ IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV),
+};
+
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+ IPSET_ADD,
+ IPSET_DEL,
+ IPSET_TEST,
+ IPSET_ADT_MAX,
+ IPSET_CREATE = IPSET_ADT_MAX,
+ IPSET_CADT_MAX,
+};
+
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+
+#define IPSET_INVALID_ID 65535
+
+enum ip_set_dim {
+ IPSET_DIM_ZERO = 0,
+ IPSET_DIM_ONE,
+ IPSET_DIM_TWO,
+ IPSET_DIM_THREE,
+ /* Max dimension in elements.
+ * If changed, new revision of iptables match/target is required.
+ */
+ IPSET_DIM_MAX = 6,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+ IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+ IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+ IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+ IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+};
+
+
+/* Interface to iptables/ip6tables */
+
+#define SO_IP_SET 83
+
+union ip_set_name_index {
+ char name[IPSET_MAXNAMELEN];
+ ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
+struct ip_set_req_get_set {
+ unsigned op;
+ unsigned version;
+ union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
+struct ip_set_req_version {
+ unsigned op;
+ unsigned version;
+};
+
+#endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 34a7fc65..38aa52d7 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -18,6 +18,9 @@ enum ip_conntrack_info {
/* >= this indicates reply direction */
IP_CT_IS_REPLY,
+ IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+ IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+ IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
/* Number of distinct IP_CT types (no NEW in reply dirn). */
IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
};
@@ -76,6 +79,10 @@ enum ip_conntrack_status {
/* Conntrack is a template */
IPS_TEMPLATE_BIT = 11,
IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+
+ /* Conntrack is a fake untracked entry */
+ IPS_UNTRACKED_BIT = 12,
+ IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
};
/* Connection tracking event types */
@@ -94,6 +101,13 @@ enum ip_conntrack_events {
enum ip_conntrack_expect_events {
IPEXP_NEW, /* new expectation */
+ IPEXP_DESTROY, /* destroyed expectation */
};
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT 0x1
+#define NF_CT_EXPECT_INACTIVE 0x2
+#define NF_CT_EXPECT_USERSPACE 0x4
+
+
#endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
index 8e145f0d..2ea22b01 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -1,8 +1,7 @@
#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
#define _NF_CONNTRACK_TUPLE_COMMON_H
-enum ip_conntrack_dir
-{
+enum ip_conntrack_dir {
IP_CT_DIR_ORIGINAL,
IP_CT_DIR_REPLY,
IP_CT_DIR_MAX
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index fa2d9578..41209700 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -66,6 +66,11 @@ struct xt_standard_target {
int verdict;
};
+struct xt_error_target {
+ struct xt_entry_target target;
+ char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
* kernel supports, if >= revision. */
struct xt_get_revision {
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index fbf4c565..b56e7681 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -1,6 +1,8 @@
#ifndef _XT_CT_H
#define _XT_CT_H
+#include <linux/types.h>
+
#define XT_CT_NOTRACK 0x1
struct xt_ct_target_info {
diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h
index 342ef14b..71573184 100644
--- a/include/linux/netfilter/xt_TCPOPTSTRIP.h
+++ b/include/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -1,6 +1,8 @@
#ifndef _XT_TCPOPTSTRIP_H
#define _XT_TCPOPTSTRIP_H
+#include <linux/types.h>
+
#define tcpoptstrip_set_bit(bmap, idx) \
(bmap[(idx) >> 5] |= 1U << (idx & 31))
#define tcpoptstrip_test_bit(bmap, idx) \
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 8097e0b4..902043c2 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,6 +1,8 @@
#ifndef _XT_TPROXY_H
#define _XT_TPROXY_H
+#include <linux/types.h>
+
/* TPROXY target is capable of marking the packet to perform
* redirection. We can get rid of that whenever we get support for
* mutliple targets in the same rule. */
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h
new file mode 100644
index 00000000..b156baa9
--- /dev/null
+++ b/include/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,44 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+#include <linux/types.h>
+
+enum {
+ XT_ADDRTYPE_INVERT_SOURCE = 0x0001,
+ XT_ADDRTYPE_INVERT_DEST = 0x0002,
+ XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004,
+ XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008,
+};
+
+
+/* rtn_type enum values from rtnetlink.h, but shifted */
+enum {
+ XT_ADDRTYPE_UNSPEC = 1 << 0,
+ XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */
+ XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */
+ XT_ADDRTYPE_BROADCAST = 1 << 3,
+ XT_ADDRTYPE_ANYCAST = 1 << 4,
+ XT_ADDRTYPE_MULTICAST = 1 << 5,
+ XT_ADDRTYPE_BLACKHOLE = 1 << 6,
+ XT_ADDRTYPE_UNREACHABLE = 1 << 7,
+ XT_ADDRTYPE_PROHIBIT = 1 << 8,
+ XT_ADDRTYPE_THROW = 1 << 9,
+ XT_ADDRTYPE_NAT = 1 << 10,
+ XT_ADDRTYPE_XRESOLVE = 1 << 11,
+};
+
+struct xt_addrtype_info_v1 {
+ __u16 source; /* source-type mask */
+ __u16 dest; /* dest-type mask */
+ __u32 flags;
+};
+
+/* revision 0 */
+struct xt_addrtype_info {
+ __u16 source; /* source-type mask */
+ __u16 dest; /* dest-type mask */
+ __u32 invert_source;
+ __u32 invert_dest;
+};
+
+#endif
diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 66cfa3c7..9b883c8f 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -1,6 +1,8 @@
#ifndef _XT_CLUSTER_MATCH_H
#define _XT_CLUSTER_MATCH_H
+#include <linux/types.h>
+
enum xt_cluster_flags {
XT_CLUSTER_F_INV = (1 << 0)
};
diff --git a/include/linux/netfilter/xt_connbytes.h b/include/linux/netfilter/xt_connbytes.h
index 92fcbb0d..f1d6c15b 100644
--- a/include/linux/netfilter/xt_connbytes.h
+++ b/include/linux/netfilter/xt_connbytes.h
@@ -17,8 +17,8 @@ enum xt_connbytes_direction {
struct xt_connbytes_info {
struct {
- aligned_u64 from; /* count to be matched */
- aligned_u64 to; /* count to be matched */
+ __aligned_u64 from; /* count to be matched */
+ __aligned_u64 to; /* count to be matched */
} count;
__u8 what; /* ipt_connbytes_what */
__u8 direction; /* ipt_connbytes_direction */
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index ba774d30..f9e8c67c 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -1,6 +1,8 @@
#ifndef _XT_CONNLIMIT_H
#define _XT_CONNLIMIT_H
+#include <linux/types.h>
+
struct xt_connlimit_data;
enum {
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
index 8555e399..7d53660a 100644
--- a/include/linux/netfilter/xt_physdev.h
+++ b/include/linux/netfilter/xt_physdev.h
@@ -3,9 +3,6 @@
#include <linux/types.h>
-#ifdef __KERNEL__
-#include <linux/if.h>
-#endif
#define XT_PHYSDEV_OP_IN 0x01
#define XT_PHYSDEV_OP_OUT 0x02
diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h
index be8ead05..d246eac8 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/linux/netfilter/xt_policy.h
@@ -26,30 +26,19 @@ struct xt_policy_spec {
reqid:1;
};
-#ifndef __KERNEL__
union xt_policy_addr {
struct in_addr a4;
struct in6_addr a6;
};
-#endif
struct xt_policy_elem {
union {
-#ifdef __KERNEL__
- struct {
- union nf_inet_addr saddr;
- union nf_inet_addr smask;
- union nf_inet_addr daddr;
- union nf_inet_addr dmask;
- };
-#else
struct {
union xt_policy_addr saddr;
union xt_policy_addr smask;
union xt_policy_addr daddr;
union xt_policy_addr dmask;
};
-#endif
};
__be32 spi;
__u32 reqid;
diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h
index 8bda65f0..9314723f 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/linux/netfilter/xt_quota.h
@@ -1,6 +1,8 @@
#ifndef _XT_QUOTA_H
#define _XT_QUOTA_H
+#include <linux/types.h>
+
enum xt_quota_flags {
XT_QUOTA_INVERT = 0x1,
};
@@ -11,7 +13,7 @@ struct xt_quota_priv;
struct xt_quota_info {
__u32 flags;
__u32 pad;
- aligned_u64 quota;
+ __aligned_u64 quota;
/* Used internally by the kernel */
struct xt_quota_priv *master;
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index 29287be6..a501e619 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -66,7 +66,7 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
__sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
-static inline bool
+static __inline__ bool
__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
{
unsigned int i;
@@ -78,7 +78,7 @@ __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
__sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
-static inline bool
+static __inline__ bool
__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
{
unsigned int i;
diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h
index 4379ce9f..e3a9978f 100644
--- a/include/linux/netfilter/xt_set.h
+++ b/include/linux/netfilter/xt_set.h
@@ -1,62 +1,8 @@
#ifndef _XT_SET_H
#define _XT_SET_H
-/* The protocol version */
-#define IPSET_PROTOCOL 5
-
-/* The max length of strings including NUL: set and type identifiers */
-#define IPSET_MAXNAMELEN 32
-
-/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
- * and IPSET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef uint16_t ip_set_id_t;
-
-#define IPSET_INVALID_ID 65535
-
-enum ip_set_dim {
- IPSET_DIM_ZERO = 0,
- IPSET_DIM_ONE,
- IPSET_DIM_TWO,
- IPSET_DIM_THREE,
- /* Max dimension in elements.
- * If changed, new revision of iptables match/target is required.
- */
- IPSET_DIM_MAX = 6,
-};
-
-/* Option flags for kernel operations */
-enum ip_set_kopt {
- IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
- IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
- IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
- IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
-};
-
-/* Interface to iptables/ip6tables */
-
-#define SO_IP_SET 83
-
-union ip_set_name_index {
- char name[IPSET_MAXNAMELEN];
- ip_set_id_t index;
-};
-
-#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
-struct ip_set_req_get_set {
- unsigned op;
- unsigned version;
- union ip_set_name_index set;
-};
-
-#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
-/* Uses ip_set_req_get_set */
-
-#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
-struct ip_set_req_version {
- unsigned op;
- unsigned version;
-};
+#include <linux/types.h>
+#include <linux/netfilter/ipset/ip_set.h>
/* Revision 0 interface: backward compatible with netfilter/iptables */
@@ -70,11 +16,11 @@ struct ip_set_req_version {
struct xt_set_info_v0 {
ip_set_id_t index;
union {
- u_int32_t flags[IPSET_DIM_MAX + 1];
+ __u32 flags[IPSET_DIM_MAX + 1];
struct {
- u_int32_t __flags[IPSET_DIM_MAX];
- u_int8_t dim;
- u_int8_t flags;
+ __u32 __flags[IPSET_DIM_MAX];
+ __u8 dim;
+ __u8 flags;
} compat;
} u;
};
@@ -89,12 +35,12 @@ struct xt_set_info_target_v0 {
struct xt_set_info_v0 del_set;
};
-/* Revision 1 match and target */
+/* Revision 1 match and target */
struct xt_set_info {
ip_set_id_t index;
- u_int8_t dim;
- u_int8_t flags;
+ __u8 dim;
+ __u8 flags;
};
/* match and target infos */
@@ -109,16 +55,11 @@ struct xt_set_info_target_v1 {
/* Revision 2 target */
-enum ipset_cmd_flags {
- IPSET_FLAG_BIT_EXIST = 0,
- IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST),
-};
-
struct xt_set_info_target_v2 {
struct xt_set_info add_set;
struct xt_set_info del_set;
- u_int32_t flags;
- u_int32_t timeout;
+ __u32 flags;
+ __u32 timeout;
};
#endif /*_XT_SET_H*/
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
index 6f475b8f..26d7217b 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/linux/netfilter/xt_socket.h
@@ -1,6 +1,8 @@
#ifndef _XT_SOCKET_H
#define _XT_SOCKET_H
+#include <linux/types.h>
+
enum {
XT_SOCKET_TRANSPARENT = 1 << 0,
};
diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
index b8bd4568..7c37fac5 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/linux/netfilter/xt_time.h
@@ -1,6 +1,8 @@
#ifndef _XT_TIME_H
#define _XT_TIME_H 1
+#include <linux/types.h>
+
struct xt_time_info {
__u32 date_start;
__u32 date_stop;
diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h
index e8c3d872..04d1bfea 100644
--- a/include/linux/netfilter/xt_u32.h
+++ b/include/linux/netfilter/xt_u32.h
@@ -1,6 +1,8 @@
#ifndef _XT_U32_H
#define _XT_U32_H 1
+#include <linux/types.h>
+
enum xt_u32_ops {
XT_U32_AND,
XT_U32_LEFTSH,
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 735f4b1b..57fd82a1 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -27,6 +27,41 @@
#define ipt_target xt_target
#define ipt_table xt_table
#define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+ XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+ XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
/* Yes, Virginia, you have to zero the padding. */
struct ipt_ip {
@@ -46,12 +81,6 @@ struct ipt_ip {
u_int8_t invflags;
};
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-
-#define ipt_counters xt_counters
-
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
@@ -110,23 +139,6 @@ struct ipt_entry {
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-
-#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
-
-#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
-
/* ICMP matching stuff */
struct ipt_icmp {
u_int8_t type; /* type to match */
@@ -140,7 +152,7 @@ struct ipt_icmp {
/* The argument to IPT_SO_GET_INFO */
struct ipt_getinfo {
/* Which table: caller fills this in. */
- char name[IPT_TABLE_MAXNAMELEN];
+ char name[XT_TABLE_MAXNAMELEN];
/* Kernel fills these in. */
/* Which hook entry points are valid: bitmask */
@@ -162,7 +174,7 @@ struct ipt_getinfo {
/* The argument to IPT_SO_SET_REPLACE. */
struct ipt_replace {
/* Which table. */
- char name[IPT_TABLE_MAXNAMELEN];
+ char name[XT_TABLE_MAXNAMELEN];
/* Which hook entry points are valid: bitmask. You can't
change this. */
@@ -190,13 +202,10 @@ struct ipt_replace {
struct ipt_entry entries[0];
};
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-
/* The argument to IPT_SO_GET_ENTRIES. */
struct ipt_get_entries {
/* Which table: user fills this in. */
- char name[IPT_TABLE_MAXNAMELEN];
+ char name[XT_TABLE_MAXNAMELEN];
/* User fills this in: total entry size. */
unsigned int size;
@@ -205,26 +214,13 @@ struct ipt_get_entries {
struct ipt_entry entrytable[0];
};
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-
/* Helper functions */
-static __inline__ struct ipt_entry_target *
+static __inline__ struct xt_entry_target *
ipt_get_target(struct ipt_entry *e)
{
return (void *)e + e->target_offset;
}
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
- XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
- XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-
/*
* Main firewall chains definitions and global var's definitions.
*/
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
index e5a3687c..c6a204c9 100644
--- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
+++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -1,6 +1,8 @@
#ifndef _IPT_CLUSTERIP_H_target
#define _IPT_CLUSTERIP_H_target
+#include <linux/types.h>
+
enum clusterip_hashmode {
CLUSTERIP_HASHMODE_SIP = 0,
CLUSTERIP_HASHMODE_SIP_SPT,
@@ -17,15 +19,15 @@ struct clusterip_config;
struct ipt_clusterip_tgt_info {
- u_int32_t flags;
+ __u32 flags;
/* only relevant for new ones */
- u_int8_t clustermac[6];
- u_int16_t num_total_nodes;
- u_int16_t num_local_nodes;
- u_int16_t local_nodes[CLUSTERIP_MAX_NODES];
- u_int32_t hash_mode;
- u_int32_t hash_initval;
+ __u8 clustermac[6];
+ __u16 num_total_nodes;
+ __u16 num_local_nodes;
+ __u16 local_nodes[CLUSTERIP_MAX_NODES];
+ __u32 hash_mode;
+ __u32 hash_initval;
/* Used internally by the kernel */
struct clusterip_config *config;
diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h
index 7ca45918..bb88d531 100644
--- a/include/linux/netfilter_ipv4/ipt_ECN.h
+++ b/include/linux/netfilter_ipv4/ipt_ECN.h
@@ -8,6 +8,8 @@
*/
#ifndef _IPT_ECN_TARGET_H
#define _IPT_ECN_TARGET_H
+
+#include <linux/types.h>
#include <linux/netfilter/xt_DSCP.h>
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
@@ -19,11 +21,11 @@
#define IPT_ECN_OP_MASK 0xce
struct ipt_ECN_info {
- u_int8_t operation; /* bitset of operations */
- u_int8_t ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */
+ __u8 operation; /* bitset of operations */
+ __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */
union {
struct {
- u_int8_t ece:1, cwr:1; /* TCP ECT bits */
+ __u8 ece:1, cwr:1; /* TCP ECT bits */
} tcp;
} proto;
};
diff --git a/include/linux/netfilter_ipv4/ipt_SAME.h b/include/linux/netfilter_ipv4/ipt_SAME.h
index 2529660c..5bca7826 100644
--- a/include/linux/netfilter_ipv4/ipt_SAME.h
+++ b/include/linux/netfilter_ipv4/ipt_SAME.h
@@ -1,15 +1,17 @@
#ifndef _IPT_SAME_H
#define _IPT_SAME_H
+#include <linux/types.h>
+
#define IPT_SAME_MAX_RANGE 10
#define IPT_SAME_NODST 0x01
struct ipt_same_info {
unsigned char info;
- u_int32_t rangesize;
- u_int32_t ipnum;
- u_int32_t *iparray;
+ __u32 rangesize;
+ __u32 ipnum;
+ __u32 *iparray;
/* hangs off end. */
struct nf_nat_range range[IPT_SAME_MAX_RANGE];
diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h
index ee6611ed..f6ac169d 100644
--- a/include/linux/netfilter_ipv4/ipt_TTL.h
+++ b/include/linux/netfilter_ipv4/ipt_TTL.h
@@ -4,6 +4,8 @@
#ifndef _IPT_TTL_H
#define _IPT_TTL_H
+#include <linux/types.h>
+
enum {
IPT_TTL_SET = 0,
IPT_TTL_INC,
@@ -13,8 +15,8 @@ enum {
#define IPT_TTL_MAXMODE IPT_TTL_DEC
struct ipt_TTL_info {
- u_int8_t mode;
- u_int8_t ttl;
+ __u8 mode;
+ __u8 ttl;
};
diff --git a/include/linux/netfilter_ipv4/ipt_addrtype.h b/include/linux/netfilter_ipv4/ipt_addrtype.h
index 446de6ae..0da42237 100644
--- a/include/linux/netfilter_ipv4/ipt_addrtype.h
+++ b/include/linux/netfilter_ipv4/ipt_addrtype.h
@@ -1,6 +1,8 @@
#ifndef _IPT_ADDRTYPE_H
#define _IPT_ADDRTYPE_H
+#include <linux/types.h>
+
enum {
IPT_ADDRTYPE_INVERT_SOURCE = 0x0001,
IPT_ADDRTYPE_INVERT_DEST = 0x0002,
@@ -9,17 +11,17 @@ enum {
};
struct ipt_addrtype_info_v1 {
- u_int16_t source; /* source-type mask */
- u_int16_t dest; /* dest-type mask */
- u_int32_t flags;
+ __u16 source; /* source-type mask */
+ __u16 dest; /* dest-type mask */
+ __u32 flags;
};
/* revision 0 */
struct ipt_addrtype_info {
- u_int16_t source; /* source-type mask */
- u_int16_t dest; /* dest-type mask */
- u_int32_t invert_source;
- u_int32_t invert_dest;
+ __u16 source; /* source-type mask */
+ __u16 dest; /* dest-type mask */
+ __u32 invert_source;
+ __u32 invert_dest;
};
#endif
diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/linux/netfilter_ipv4/ipt_ah.h
index 2e555b4d..4e02bb01 100644
--- a/include/linux/netfilter_ipv4/ipt_ah.h
+++ b/include/linux/netfilter_ipv4/ipt_ah.h
@@ -1,9 +1,11 @@
#ifndef _IPT_AH_H
#define _IPT_AH_H
+#include <linux/types.h>
+
struct ipt_ah {
- u_int32_t spis[2]; /* Security Parameter Index */
- u_int8_t invflags; /* Inverse flags */
+ __u32 spis[2]; /* Security Parameter Index */
+ __u8 invflags; /* Inverse flags */
};
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h
index 9945baa4..eabf95fb 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_ecn.h
@@ -8,6 +8,8 @@
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
+
+#include <linux/types.h>
#include <linux/netfilter/xt_dscp.h>
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
@@ -20,12 +22,12 @@
/* match info */
struct ipt_ecn_info {
- u_int8_t operation;
- u_int8_t invert;
- u_int8_t ip_ect;
+ __u8 operation;
+ __u8 invert;
+ __u8 ip_ect;
union {
struct {
- u_int8_t ect;
+ __u8 ect;
} tcp;
} proto;
};
diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_ttl.h
index ee24fd86..37bee444 100644
--- a/include/linux/netfilter_ipv4/ipt_ttl.h
+++ b/include/linux/netfilter_ipv4/ipt_ttl.h
@@ -4,6 +4,8 @@
#ifndef _IPT_TTL_H
#define _IPT_TTL_H
+#include <linux/types.h>
+
enum {
IPT_TTL_EQ = 0, /* equals */
IPT_TTL_NE, /* not equals */
@@ -13,8 +15,8 @@ enum {
struct ipt_ttl_info {
- u_int8_t mode;
- u_int8_t ttl;
+ __u8 mode;
+ __u8 ttl;
};
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 61790323..3f19a97d 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -23,11 +23,38 @@
#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-
#define ip6t_match xt_match
#define ip6t_target xt_target
#define ip6t_table xt_table
#define ip6t_get_revision xt_get_revision
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+#define ip6t_error_target xt_error_target
+#define ip6t_counters xt_counters
+#define IP6T_CONTINUE XT_CONTINUE
+#define IP6T_RETURN XT_RETURN
+
+/* Pre-iptables-1.4.0 */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
+#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
+
+#define ip6t_counters_info xt_counters_info
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+ XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+ XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
/* Yes, Virginia, you have to zero the padding. */
struct ip6t_ip6 {
@@ -56,12 +83,6 @@ struct ip6t_ip6 {
u_int8_t invflags;
};
-#define ip6t_entry_match xt_entry_match
-#define ip6t_entry_target xt_entry_target
-#define ip6t_standard_target xt_standard_target
-
-#define ip6t_counters xt_counters
-
/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
protocols */
@@ -106,17 +127,12 @@ struct ip6t_entry {
/* Standard entry */
struct ip6t_standard {
struct ip6t_entry entry;
- struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target {
- struct ip6t_entry_target target;
- char errorname[IP6T_FUNCTION_MAXNAMELEN];
+ struct xt_standard_target target;
};
struct ip6t_error {
struct ip6t_entry entry;
- struct ip6t_error_target target;
+ struct xt_error_target target;
};
#define IP6T_ENTRY_INIT(__size) \
@@ -128,16 +144,16 @@ struct ip6t_error {
#define IP6T_STANDARD_INIT(__verdict) \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
- .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
- sizeof(struct ip6t_standard_target)), \
+ .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \
+ sizeof(struct xt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IP6T_ERROR_INIT \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
- .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
- sizeof(struct ip6t_error_target)), \
+ .target = XT_TARGET_INIT(XT_ERROR_TARGET, \
+ sizeof(struct xt_error_target)), \
.target.errorname = "ERROR", \
}
@@ -160,30 +176,6 @@ struct ip6t_error {
#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5)
#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
-/* CONTINUE verdict for targets */
-#define IP6T_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define IP6T_RETURN XT_RETURN
-
-/* TCP/UDP matching stuff */
-#include <linux/netfilter/xt_tcpudp.h>
-
-#define ip6t_tcp xt_tcp
-#define ip6t_udp xt_udp
-
-/* Values for "inv" field in struct ipt_tcp. */
-#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
-#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
-#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
-#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
-#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
-
-/* Values for "invflags" field in struct ipt_udp. */
-#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
-#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
-#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
-
/* ICMP matching stuff */
struct ip6t_icmp {
u_int8_t type; /* type to match */
@@ -197,7 +189,7 @@ struct ip6t_icmp {
/* The argument to IP6T_SO_GET_INFO */
struct ip6t_getinfo {
/* Which table: caller fills this in. */
- char name[IP6T_TABLE_MAXNAMELEN];
+ char name[XT_TABLE_MAXNAMELEN];
/* Kernel fills these in. */
/* Which hook entry points are valid: bitmask */
@@ -219,7 +211,7 @@ struct ip6t_getinfo {
/* The argument to IP6T_SO_SET_REPLACE. */
struct ip6t_replace {
/* Which table. */
- char name[IP6T_TABLE_MAXNAMELEN];
+ char name[XT_TABLE_MAXNAMELEN];
/* Which hook entry points are valid: bitmask. You can't
change this. */
@@ -247,13 +239,10 @@ struct ip6t_replace {
struct ip6t_entry entries[0];
};
-/* The argument to IP6T_SO_ADD_COUNTERS. */
-#define ip6t_counters_info xt_counters_info
-
/* The argument to IP6T_SO_GET_ENTRIES. */
struct ip6t_get_entries {
/* Which table: user fills this in. */
- char name[IP6T_TABLE_MAXNAMELEN];
+ char name[XT_TABLE_MAXNAMELEN];
/* User fills this in: total entry size. */
unsigned int size;
@@ -262,26 +251,13 @@ struct ip6t_get_entries {
struct ip6t_entry entrytable[0];
};
-/* Standard return verdict, or do jump. */
-#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IP6T_ERROR_TARGET XT_ERROR_TARGET
-
/* Helper functions */
-static __inline__ struct ip6t_entry_target *
+static __inline__ struct xt_entry_target *
ip6t_get_target(struct ip6t_entry *e)
{
return (void *)e + e->target_offset;
}
-/* fn returns 0 to continue iteration */
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
- XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
- XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
-
/*
* Main firewall chains definitions and global var's definitions.
*/
diff --git a/include/linux/netfilter_ipv6/ip6t_HL.h b/include/linux/netfilter_ipv6/ip6t_HL.h
index afb7813d..ebd8ead1 100644
--- a/include/linux/netfilter_ipv6/ip6t_HL.h
+++ b/include/linux/netfilter_ipv6/ip6t_HL.h
@@ -5,6 +5,8 @@
#ifndef _IP6T_HL_H
#define _IP6T_HL_H
+#include <linux/types.h>
+
enum {
IP6T_HL_SET = 0,
IP6T_HL_INC,
@@ -14,8 +16,8 @@ enum {
#define IP6T_HL_MAXMODE IP6T_HL_DEC
struct ip6t_HL_info {
- u_int8_t mode;
- u_int8_t hop_limit;
+ __u8 mode;
+ __u8 hop_limit;
};
diff --git a/include/linux/netfilter_ipv6/ip6t_REJECT.h b/include/linux/netfilter_ipv6/ip6t_REJECT.h
index 6be65041..205ed62e 100644
--- a/include/linux/netfilter_ipv6/ip6t_REJECT.h
+++ b/include/linux/netfilter_ipv6/ip6t_REJECT.h
@@ -1,6 +1,8 @@
#ifndef _IP6T_REJECT_H
#define _IP6T_REJECT_H
+#include <linux/types.h>
+
enum ip6t_reject_with {
IP6T_ICMP6_NO_ROUTE,
IP6T_ICMP6_ADM_PROHIBITED,
@@ -12,7 +14,7 @@ enum ip6t_reject_with {
};
struct ip6t_reject_info {
- u_int32_t with; /* reject type */
+ __u32 with; /* reject type */
};
#endif /*_IP6T_REJECT_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_ah.h b/include/linux/netfilter_ipv6/ip6t_ah.h
index 17a745cf..5da2b65c 100644
--- a/include/linux/netfilter_ipv6/ip6t_ah.h
+++ b/include/linux/netfilter_ipv6/ip6t_ah.h
@@ -1,11 +1,13 @@
#ifndef _IP6T_AH_H
#define _IP6T_AH_H
+#include <linux/types.h>
+
struct ip6t_ah {
- u_int32_t spis[2]; /* Security Parameter Index */
- u_int32_t hdrlen; /* Header Length */
- u_int8_t hdrres; /* Test of the Reserved Filed */
- u_int8_t invflags; /* Inverse flags */
+ __u32 spis[2]; /* Security Parameter Index */
+ __u32 hdrlen; /* Header Length */
+ __u8 hdrres; /* Test of the Reserved Filed */
+ __u8 invflags; /* Inverse flags */
};
#define IP6T_AH_SPI 0x01
diff --git a/include/linux/netfilter_ipv6/ip6t_frag.h b/include/linux/netfilter_ipv6/ip6t_frag.h
index 3724d085..b47f61b9 100644
--- a/include/linux/netfilter_ipv6/ip6t_frag.h
+++ b/include/linux/netfilter_ipv6/ip6t_frag.h
@@ -1,11 +1,13 @@
#ifndef _IP6T_FRAG_H
#define _IP6T_FRAG_H
+#include <linux/types.h>
+
struct ip6t_frag {
- u_int32_t ids[2]; /* Security Parameter Index */
- u_int32_t hdrlen; /* Header Length */
- u_int8_t flags; /* */
- u_int8_t invflags; /* Inverse flags */
+ __u32 ids[2]; /* Security Parameter Index */
+ __u32 hdrlen; /* Header Length */
+ __u8 flags; /* */
+ __u8 invflags; /* Inverse flags */
};
#define IP6T_FRAG_IDS 0x01
diff --git a/include/linux/netfilter_ipv6/ip6t_hl.h b/include/linux/netfilter_ipv6/ip6t_hl.h
index 5ef91b83..6e76dbc6 100644
--- a/include/linux/netfilter_ipv6/ip6t_hl.h
+++ b/include/linux/netfilter_ipv6/ip6t_hl.h
@@ -5,6 +5,8 @@
#ifndef _IP6T_HL_H
#define _IP6T_HL_H
+#include <linux/types.h>
+
enum {
IP6T_HL_EQ = 0, /* equals */
IP6T_HL_NE, /* not equals */
@@ -14,8 +16,8 @@ enum {
struct ip6t_hl_info {
- u_int8_t mode;
- u_int8_t hop_limit;
+ __u8 mode;
+ __u8 hop_limit;
};
diff --git a/include/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/linux/netfilter_ipv6/ip6t_ipv6header.h
index 01dfd445..efae3a20 100644
--- a/include/linux/netfilter_ipv6/ip6t_ipv6header.h
+++ b/include/linux/netfilter_ipv6/ip6t_ipv6header.h
@@ -8,10 +8,12 @@ on whether they contain certain headers */
#ifndef __IPV6HEADER_H
#define __IPV6HEADER_H
+#include <linux/types.h>
+
struct ip6t_ipv6header_info {
- u_int8_t matchflags;
- u_int8_t invflags;
- u_int8_t modeflag;
+ __u8 matchflags;
+ __u8 invflags;
+ __u8 modeflag;
};
#define MASK_HOPOPTS 128
diff --git a/include/linux/netfilter_ipv6/ip6t_mh.h b/include/linux/netfilter_ipv6/ip6t_mh.h
index 18549bca..a7729a50 100644
--- a/include/linux/netfilter_ipv6/ip6t_mh.h
+++ b/include/linux/netfilter_ipv6/ip6t_mh.h
@@ -1,10 +1,12 @@
#ifndef _IP6T_MH_H
#define _IP6T_MH_H
+#include <linux/types.h>
+
/* MH matching stuff */
struct ip6t_mh {
- u_int8_t types[2]; /* MH type range */
- u_int8_t invflags; /* Inverse flags */
+ __u8 types[2]; /* MH type range */
+ __u8 invflags; /* Inverse flags */
};
/* Values for "invflags" field in struct ip6t_mh. */
diff --git a/include/linux/netfilter_ipv6/ip6t_opts.h b/include/linux/netfilter_ipv6/ip6t_opts.h
index 62d89bcd..17d419a8 100644
--- a/include/linux/netfilter_ipv6/ip6t_opts.h
+++ b/include/linux/netfilter_ipv6/ip6t_opts.h
@@ -1,14 +1,16 @@
#ifndef _IP6T_OPTS_H
#define _IP6T_OPTS_H
+#include <linux/types.h>
+
#define IP6T_OPTS_OPTSNR 16
struct ip6t_opts {
- u_int32_t hdrlen; /* Header Length */
- u_int8_t flags; /* */
- u_int8_t invflags; /* Inverse flags */
- u_int16_t opts[IP6T_OPTS_OPTSNR]; /* opts */
- u_int8_t optsnr; /* Nr of OPts */
+ __u32 hdrlen; /* Header Length */
+ __u8 flags; /* */
+ __u8 invflags; /* Inverse flags */
+ __u16 opts[IP6T_OPTS_OPTSNR]; /* opts */
+ __u8 optsnr; /* Nr of OPts */
};
#define IP6T_OPTS_LEN 0x01
diff --git a/include/linux/netfilter_ipv6/ip6t_rt.h b/include/linux/netfilter_ipv6/ip6t_rt.h
index ab91bfd2..7605a5ff 100644
--- a/include/linux/netfilter_ipv6/ip6t_rt.h
+++ b/include/linux/netfilter_ipv6/ip6t_rt.h
@@ -1,18 +1,19 @@
#ifndef _IP6T_RT_H
#define _IP6T_RT_H
+#include <linux/types.h>
/*#include <linux/in6.h>*/
#define IP6T_RT_HOPS 16
struct ip6t_rt {
- u_int32_t rt_type; /* Routing Type */
- u_int32_t segsleft[2]; /* Segments Left */
- u_int32_t hdrlen; /* Header Length */
- u_int8_t flags; /* */
- u_int8_t invflags; /* Inverse flags */
+ __u32 rt_type; /* Routing Type */
+ __u32 segsleft[2]; /* Segments Left */
+ __u32 hdrlen; /* Header Length */
+ __u8 flags; /* */
+ __u8 invflags; /* Inverse flags */
struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */
- u_int8_t addrnr; /* Nr of Addresses */
+ __u8 addrnr; /* Nr of Addresses */
};
#define IP6T_RT_TYP 0x01
diff --git a/include/linux/types.h b/include/linux/types.h
index 8b483c80..630cd3bb 100644
--- a/include/linux/types.h
+++ b/include/linux/types.h
@@ -34,5 +34,18 @@ typedef __u64 __bitwise __be64;
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
+/*
+ * aligned_u64 should be used in defining kernel<->userspace ABIs to avoid
+ * common 32/64-bit compat problems.
+ * 64-bit values align to 4-byte boundaries on x86_32 (and possibly other
+ * architectures) and to 8-byte boundaries on 64-bit architetures. The new
+ * aligned_64 type enforces 8-byte alignment so that structs containing
+ * aligned_64 values have the same alignment on 32-bit and 64-bit architectures.
+ * No conversions are necessary between 32-bit user-space and a 64-bit kernel.
+ */
+#define __aligned_u64 __u64 __attribute__((aligned(8)))
+#define __aligned_be64 __be64 __attribute__((aligned(8)))
+#define __aligned_le64 __le64 __attribute__((aligned(8)))
+
#endif /* __ASSEMBLY__ */
#endif /* _LINUX_TYPES_H */
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 1487504b..92bdc302 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -56,9 +56,9 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-static struct ip6tc_handle *create_handle(const char *tablename)
+static struct xtc_handle *create_handle(const char *tablename)
{
- struct ip6tc_handle *handle;
+ struct xtc_handle *handle;
handle = ip6tc_init(tablename);
@@ -77,7 +77,7 @@ static struct ip6tc_handle *create_handle(const char *tablename)
return handle;
}
-static int parse_counters(char *string, struct ip6t_counters *ctr)
+static int parse_counters(char *string, struct xt_counters *ctr)
{
unsigned long long pcnt, bcnt;
int ret;
@@ -116,13 +116,14 @@ static void free_argv(void) {
int ip6tables_restore_main(int argc, char *argv[])
{
- struct ip6tc_handle *handle = NULL;
+ struct xtc_handle *handle = NULL;
char buffer[10240];
int c;
- char curtable[IP6T_TABLE_MAXNAMELEN + 1];
+ char curtable[XT_TABLE_MAXNAMELEN + 1];
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
+ const struct xtc_ops *ops = &ip6tc_ops;
line = 0;
@@ -197,8 +198,8 @@ int ip6tables_restore_main(int argc, char *argv[])
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
DEBUGP("Calling commit\n");
- ret = ip6tc_commit(handle);
- ip6tc_free(handle);
+ ret = ops->commit(handle);
+ ops->free(handle);
handle = NULL;
} else {
DEBUGP("Not calling commit, testing\n");
@@ -214,17 +215,16 @@ int ip6tables_restore_main(int argc, char *argv[])
if (!table) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u table name invalid\n",
- ip6tables_globals.program_name,
- line);
+ xt_params->program_name, line);
exit(1);
}
- strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
- curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
+ strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
+ curtable[XT_TABLE_MAXNAMELEN] = '\0';
if (tablename != NULL && strcmp(tablename, table) != 0)
continue;
if (handle)
- ip6tc_free(handle);
+ ops->free(handle);
handle = create_handle(table);
if (noflush == 0) {
@@ -251,8 +251,7 @@ int ip6tables_restore_main(int argc, char *argv[])
if (!chain) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
- ip6tables_globals.program_name,
- line);
+ xt_params->program_name, line);
exit(1);
}
@@ -262,17 +261,17 @@ int ip6tables_restore_main(int argc, char *argv[])
"(%u chars max)",
chain, XT_EXTENSION_MAXNAMELEN - 1);
- if (ip6tc_builtin(chain, handle) <= 0) {
- if (noflush && ip6tc_is_chain(chain, handle)) {
+ if (ops->builtin(chain, handle) <= 0) {
+ if (noflush && ops->is_chain(chain, handle)) {
DEBUGP("Flushing existing user defined chain '%s'\n", chain);
- if (!ip6tc_flush_entries(chain, handle))
+ if (!ops->flush_entries(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error flushing chain "
"'%s':%s\n", chain,
strerror(errno));
} else {
DEBUGP("Creating new chain '%s'\n", chain);
- if (!ip6tc_create_chain(chain, handle))
+ if (!ops->create_chain(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error creating chain "
"'%s':%s\n", chain,
@@ -285,13 +284,12 @@ int ip6tables_restore_main(int argc, char *argv[])
if (!policy) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u policy invalid\n",
- ip6tables_globals.program_name,
- line);
+ xt_params->program_name, line);
exit(1);
}
if (strcmp(policy, "-") != 0) {
- struct ip6t_counters count;
+ struct xt_counters count;
if (counters) {
char *ctrs;
@@ -303,20 +301,19 @@ int ip6tables_restore_main(int argc, char *argv[])
"for chain '%s'\n", chain);
} else {
- memset(&count, 0,
- sizeof(struct ip6t_counters));
+ memset(&count, 0, sizeof(count));
}
DEBUGP("Setting policy of chain %s to %s\n",
chain, policy);
- if (!ip6tc_set_policy(chain, policy, &count,
+ if (!ops->set_policy(chain, policy, &count,
handle))
xtables_error(OTHER_PROBLEM,
"Can't set policy `%s'"
" on `%s' line %u: %s\n",
policy, chain, line,
- ip6tc_strerror(errno));
+ ops->strerror(errno));
}
ret = 1;
@@ -453,15 +450,13 @@ int ip6tables_restore_main(int argc, char *argv[])
continue;
if (!ret) {
fprintf(stderr, "%s: line %u failed\n",
- ip6tables_globals.program_name,
- line);
+ xt_params->program_name, line);
exit(1);
}
}
if (in_table) {
fprintf(stderr, "%s: COMMIT expected at line %u\n",
- ip6tables_globals.program_name,
- line + 1);
+ xt_params->program_name, line + 1);
exit(1);
}
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index ad0e70f0..d819b30b 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -22,10 +22,9 @@
#include <dlfcn.h>
#endif
-static int show_binary = 0, show_counters = 0;
+static int show_counters = 0;
static const struct option options[] = {
- {.name = "binary", .has_arg = false, .val = 'b'},
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
@@ -39,7 +38,7 @@ static int for_each_table(int (*func)(const char *tablename))
{
int ret = 1;
FILE *procfile = NULL;
- char tablename[IP6T_TABLE_MAXNAMELEN+1];
+ char tablename[XT_TABLE_MAXNAMELEN+1];
procfile = fopen("/proc/net/ip6_tables_names", "re");
if (!procfile)
@@ -61,7 +60,7 @@ static int for_each_table(int (*func)(const char *tablename))
static int do_output(const char *tablename)
{
- struct ip6tc_handle *h;
+ struct xtc_handle *h;
const char *chain = NULL;
if (!tablename)
@@ -76,52 +75,45 @@ static int do_output(const char *tablename)
xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n",
ip6tc_strerror(errno));
- if (!show_binary) {
- time_t now = time(NULL);
-
- printf("# Generated by ip6tables-save v%s on %s",
- IPTABLES_VERSION, ctime(&now));
- printf("*%s\n", tablename);
-
- /* Dump out chain names first,
- * thereby preventing dependency conflicts */
- for (chain = ip6tc_first_chain(h);
- chain;
- chain = ip6tc_next_chain(h)) {
-
- printf(":%s ", chain);
- if (ip6tc_builtin(chain, h)) {
- struct ip6t_counters count;
- printf("%s ",
- ip6tc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
- } else {
- printf("- [0:0]\n");
- }
+ time_t now = time(NULL);
+
+ printf("# Generated by ip6tables-save v%s on %s",
+ IPTABLES_VERSION, ctime(&now));
+ printf("*%s\n", tablename);
+
+ /* Dump out chain names first,
+ * thereby preventing dependency conflicts */
+ for (chain = ip6tc_first_chain(h);
+ chain;
+ chain = ip6tc_next_chain(h)) {
+
+ printf(":%s ", chain);
+ if (ip6tc_builtin(chain, h)) {
+ struct xt_counters count;
+ printf("%s ",
+ ip6tc_get_policy(chain, &count, h));
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ } else {
+ printf("- [0:0]\n");
}
+ }
+ for (chain = ip6tc_first_chain(h);
+ chain;
+ chain = ip6tc_next_chain(h)) {
+ const struct ip6t_entry *e;
- for (chain = ip6tc_first_chain(h);
- chain;
- chain = ip6tc_next_chain(h)) {
- const struct ip6t_entry *e;
-
- /* Dump out rules */
- e = ip6tc_first_rule(chain, h);
- while(e) {
- print_rule6(e, h, chain, show_counters);
- e = ip6tc_next_rule(e, h);
- }
+ /* Dump out rules */
+ e = ip6tc_first_rule(chain, h);
+ while(e) {
+ print_rule6(e, h, chain, show_counters);
+ e = ip6tc_next_rule(e, h);
}
-
- now = time(NULL);
- printf("COMMIT\n");
- printf("# Completed on %s", ctime(&now));
- } else {
- /* Binary, huh? OK. */
- xtables_error(OTHER_PROBLEM, "Binary NYI\n");
}
+ now = time(NULL);
+ printf("COMMIT\n");
+ printf("# Completed on %s", ctime(&now));
ip6tc_free(h);
return 1;
@@ -151,10 +143,6 @@ int ip6tables_save_main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
- case 'b':
- show_binary = 1;
- break;
-
case 'c':
show_counters = 1;
break;
diff --git a/iptables/ip6tables-standalone.c b/iptables/ip6tables-standalone.c
index 6b829353..21b58116 100644
--- a/iptables/ip6tables-standalone.c
+++ b/iptables/ip6tables-standalone.c
@@ -42,7 +42,7 @@ ip6tables_main(int argc, char *argv[])
{
int ret;
char *table = "filter";
- struct ip6tc_handle *handle = NULL;
+ struct xtc_handle *handle = NULL;
ip6tables_globals.program_name = "ip6tables";
ret = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 04e5224f..b191d5df 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -172,7 +172,7 @@ static const unsigned int inverse_for_options[NUMBER_OF_OPT] =
/* -n */ 0,
/* -s */ IP6T_INV_SRCIP,
/* -d */ IP6T_INV_DSTIP,
-/* -p */ IP6T_INV_PROTO,
+/* -p */ XT_INV_PROTO,
/* -j */ 0,
/* -v */ 0,
/* -x */ 0,
@@ -469,9 +469,9 @@ print_num(uint64_t number, unsigned int format)
static void
-print_header(unsigned int format, const char *chain, struct ip6tc_handle *handle)
+print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
{
- struct ip6t_counters counters;
+ struct xt_counters counters;
const char *pol = ip6tc_get_policy(chain, &counters, handle);
printf("Chain %s", chain);
if (pol) {
@@ -519,7 +519,7 @@ print_header(unsigned int format, const char *chain, struct ip6tc_handle *handle
static int
-print_match(const struct ip6t_entry_match *m,
+print_match(const struct xt_entry_match *m,
const struct ip6t_ip6 *ip,
int numeric)
{
@@ -545,16 +545,16 @@ print_firewall(const struct ip6t_entry *fw,
const char *targname,
unsigned int num,
unsigned int format,
- struct ip6tc_handle *const handle)
+ struct xtc_handle *const handle)
{
const struct xtables_target *target = NULL;
- const struct ip6t_entry_target *t;
+ const struct xt_entry_target *t;
char buf[BUFSIZ];
if (!ip6tc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
else
- target = xtables_find_target(IP6T_STANDARD_TARGET,
+ target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
t = ip6t_get_target((struct ip6t_entry *)fw);
@@ -570,7 +570,7 @@ print_firewall(const struct ip6t_entry *fw,
if (!(format & FMT_NOTARGET))
printf(FMT("%-9s ", "%s "), targname);
- fputc(fw->ipv6.invflags & IP6T_INV_PROTO ? '!' : ' ', stdout);
+ fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
{
const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC);
if (pname)
@@ -667,16 +667,16 @@ print_firewall(const struct ip6t_entry *fw,
static void
print_firewall_line(const struct ip6t_entry *fw,
- struct ip6tc_handle *const h)
+ struct xtc_handle *const h)
{
- struct ip6t_entry_target *t;
+ struct xt_entry_target *t;
t = ip6t_get_target((struct ip6t_entry *)fw);
print_firewall(fw, t->u.user.name, 0, FMT_PRINT_RULE, h);
}
static int
-append_entry(const ip6t_chainlabel chain,
+append_entry(const xt_chainlabel chain,
struct ip6t_entry *fw,
unsigned int nsaddrs,
const struct in6_addr saddrs[],
@@ -685,7 +685,7 @@ append_entry(const ip6t_chainlabel chain,
const struct in6_addr daddrs[],
const struct in6_addr dmasks[],
int verbose,
- struct ip6tc_handle *handle)
+ struct xtc_handle *handle)
{
unsigned int i, j;
int ret = 1;
@@ -706,13 +706,13 @@ append_entry(const ip6t_chainlabel chain,
}
static int
-replace_entry(const ip6t_chainlabel chain,
+replace_entry(const xt_chainlabel chain,
struct ip6t_entry *fw,
unsigned int rulenum,
const struct in6_addr *saddr, const struct in6_addr *smask,
const struct in6_addr *daddr, const struct in6_addr *dmask,
int verbose,
- struct ip6tc_handle *handle)
+ struct xtc_handle *handle)
{
fw->ipv6.src = *saddr;
fw->ipv6.dst = *daddr;
@@ -725,7 +725,7 @@ replace_entry(const ip6t_chainlabel chain,
}
static int
-insert_entry(const ip6t_chainlabel chain,
+insert_entry(const xt_chainlabel chain,
struct ip6t_entry *fw,
unsigned int rulenum,
unsigned int nsaddrs,
@@ -735,7 +735,7 @@ insert_entry(const ip6t_chainlabel chain,
const struct in6_addr daddrs[],
const struct in6_addr dmasks[],
int verbose,
- struct ip6tc_handle *handle)
+ struct xtc_handle *handle)
{
unsigned int i, j;
int ret = 1;
@@ -766,10 +766,10 @@ make_delete_mask(const struct xtables_rule_match *matches,
size = sizeof(struct ip6t_entry);
for (matchp = matches; matchp; matchp = matchp->next)
- size += XT_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size;
+ size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
mask = xtables_calloc(1, size
- + XT_ALIGN(sizeof(struct ip6t_entry_target))
+ + XT_ALIGN(sizeof(struct xt_entry_target))
+ target->size);
memset(mask, 0xFF, sizeof(struct ip6t_entry));
@@ -777,20 +777,20 @@ make_delete_mask(const struct xtables_rule_match *matches,
for (matchp = matches; matchp; matchp = matchp->next) {
memset(mptr, 0xFF,
- XT_ALIGN(sizeof(struct ip6t_entry_match))
+ XT_ALIGN(sizeof(struct xt_entry_match))
+ matchp->match->userspacesize);
- mptr += XT_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size;
+ mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
}
memset(mptr, 0xFF,
- XT_ALIGN(sizeof(struct ip6t_entry_target))
+ XT_ALIGN(sizeof(struct xt_entry_target))
+ target->userspacesize);
return mask;
}
static int
-delete_entry(const ip6t_chainlabel chain,
+delete_entry(const xt_chainlabel chain,
struct ip6t_entry *fw,
unsigned int nsaddrs,
const struct in6_addr saddrs[],
@@ -799,7 +799,7 @@ delete_entry(const ip6t_chainlabel chain,
const struct in6_addr daddrs[],
const struct in6_addr dmasks[],
int verbose,
- struct ip6tc_handle *handle,
+ struct xtc_handle *handle,
struct xtables_rule_match *matches,
const struct xtables_target *target)
{
@@ -825,11 +825,11 @@ delete_entry(const ip6t_chainlabel chain,
}
static int
-check_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw,
+check_entry(const xt_chainlabel chain, struct ip6t_entry *fw,
unsigned int nsaddrs, const struct in6_addr *saddrs,
const struct in6_addr *smasks, unsigned int ndaddrs,
const struct in6_addr *daddrs, const struct in6_addr *dmasks,
- bool verbose, struct ip6tc_handle *handle,
+ bool verbose, struct xtc_handle *handle,
struct xtables_rule_match *matches,
const struct xtables_target *target)
{
@@ -855,8 +855,8 @@ check_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw,
}
int
-for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *),
- int verbose, int builtinstoo, struct ip6tc_handle *handle)
+for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *),
+ int verbose, int builtinstoo, struct xtc_handle *handle)
{
int ret = 1;
const char *chain;
@@ -869,21 +869,21 @@ for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *),
chain = ip6tc_next_chain(handle);
}
- chains = xtables_malloc(sizeof(ip6t_chainlabel) * chaincount);
+ chains = xtables_malloc(sizeof(xt_chainlabel) * chaincount);
i = 0;
chain = ip6tc_first_chain(handle);
while (chain) {
- strcpy(chains + i*sizeof(ip6t_chainlabel), chain);
+ strcpy(chains + i*sizeof(xt_chainlabel), chain);
i++;
chain = ip6tc_next_chain(handle);
}
for (i = 0; i < chaincount; i++) {
if (!builtinstoo
- && ip6tc_builtin(chains + i*sizeof(ip6t_chainlabel),
+ && ip6tc_builtin(chains + i*sizeof(xt_chainlabel),
handle) == 1)
continue;
- ret &= fn(chains + i*sizeof(ip6t_chainlabel), verbose, handle);
+ ret &= fn(chains + i*sizeof(xt_chainlabel), verbose, handle);
}
free(chains);
@@ -891,8 +891,8 @@ for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *),
}
int
-flush_entries6(const ip6t_chainlabel chain, int verbose,
- struct ip6tc_handle *handle)
+flush_entries6(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle)
{
if (!chain)
return for_each_chain6(flush_entries6, verbose, 1, handle);
@@ -903,8 +903,8 @@ flush_entries6(const ip6t_chainlabel chain, int verbose,
}
static int
-zero_entries(const ip6t_chainlabel chain, int verbose,
- struct ip6tc_handle *handle)
+zero_entries(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle)
{
if (!chain)
return for_each_chain6(zero_entries, verbose, 1, handle);
@@ -915,8 +915,8 @@ zero_entries(const ip6t_chainlabel chain, int verbose,
}
int
-delete_chain6(const ip6t_chainlabel chain, int verbose,
- struct ip6tc_handle *handle)
+delete_chain6(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle)
{
if (!chain)
return for_each_chain6(delete_chain6, verbose, 0, handle);
@@ -927,8 +927,8 @@ delete_chain6(const ip6t_chainlabel chain, int verbose,
}
static int
-list_entries(const ip6t_chainlabel chain, int rulenum, int verbose, int numeric,
- int expanded, int linenumbers, struct ip6tc_handle *handle)
+list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
+ int expanded, int linenumbers, struct xtc_handle *handle)
{
int found = 0;
unsigned int format;
@@ -1033,7 +1033,7 @@ static void print_proto(uint16_t proto, int invert)
}
}
-static int print_match_save(const struct ip6t_entry_match *e,
+static int print_match_save(const struct xt_entry_match *e,
const struct ip6t_ip6 *ip)
{
const struct xtables_match *match =
@@ -1080,9 +1080,9 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
void print_rule6(const struct ip6t_entry *e,
- struct ip6tc_handle *h, const char *chain, int counters)
+ struct xtc_handle *h, const char *chain, int counters)
{
- const struct ip6t_entry_target *t;
+ const struct xt_entry_target *t;
const char *target_name;
/* print counters for iptables-save */
@@ -1105,7 +1105,7 @@ void print_rule6(const struct ip6t_entry *e,
print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
e->ipv6.invflags & IP6T_INV_VIA_OUT);
- print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
+ print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO);
#if 0
/* not definied in ipv6
@@ -1153,11 +1153,11 @@ void print_rule6(const struct ip6t_entry *e,
if (target->save)
target->save(&e->ipv6, t);
else {
- /* If the target size is greater than ip6t_entry_target
+ /* If the target size is greater than xt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
- sizeof(struct ip6t_entry_target)) {
+ sizeof(struct xt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
@@ -1169,8 +1169,8 @@ void print_rule6(const struct ip6t_entry *e,
}
static int
-list_rules(const ip6t_chainlabel chain, int rulenum, int counters,
- struct ip6tc_handle *handle)
+list_rules(const xt_chainlabel chain, int rulenum, int counters,
+ struct xtc_handle *handle)
{
const char *this = NULL;
int found = 0;
@@ -1187,7 +1187,7 @@ list_rules(const ip6t_chainlabel chain, int rulenum, int counters,
continue;
if (ip6tc_builtin(this, handle)) {
- struct ip6t_counters count;
+ struct xt_counters count;
printf("-P %s %s", this, ip6tc_get_policy(this, &count, handle));
if (counters)
printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
@@ -1224,7 +1224,7 @@ list_rules(const ip6t_chainlabel chain, int rulenum, int counters,
static struct ip6t_entry *
generate_entry(const struct ip6t_entry *fw,
struct xtables_rule_match *matches,
- struct ip6t_entry_target *target)
+ struct xt_entry_target *target)
{
unsigned int size;
struct xtables_rule_match *matchp;
@@ -1282,7 +1282,7 @@ static void command_jump(struct iptables_command_state *cs)
if (cs->target == NULL)
return;
- size = XT_ALIGN(sizeof(struct ip6t_entry_target)) + cs->target->size;
+ size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
cs->target->t = xtables_calloc(1, size);
cs->target->t->u.target_size = size;
@@ -1311,7 +1311,7 @@ static void command_match(struct iptables_command_state *cs)
"unexpected ! flag before --match");
m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches);
- size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
@@ -1328,7 +1328,7 @@ static void command_match(struct iptables_command_state *cs)
m->extra_opts, &m->option_offset);
}
-int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **handle)
+int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle)
{
struct iptables_command_state cs;
struct ip6t_entry *e = NULL;
@@ -1548,12 +1548,12 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
cs.fw6.ipv6.flags |= IP6T_F_PROTO;
if (cs.fw6.ipv6.proto == 0
- && (cs.fw6.ipv6.invflags & IP6T_INV_PROTO))
+ && (cs.fw6.ipv6.invflags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM,
"rule would never match protocol");
if (is_exthdr(cs.fw6.ipv6.proto)
- && (cs.fw6.ipv6.invflags & IP6T_INV_PROTO) == 0)
+ && (cs.fw6.ipv6.invflags & XT_INV_PROTO) == 0)
fprintf(stderr,
"Warning: never matched protocol: %s. "
"use extension match instead.\n",
@@ -1824,10 +1824,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
|| ip6tc_is_chain(cs.jumpto, *handle))) {
size_t size;
- cs.target = xtables_find_target(IP6T_STANDARD_TARGET,
+ cs.target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
- size = sizeof(struct ip6t_entry_target)
+ size = sizeof(struct xt_entry_target)
+ cs.target->size;
cs.target->t = xtables_calloc(1, size);
cs.target->t->u.target_size = size;
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index d0bd79a9..6b1c7929 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -56,9 +56,9 @@ static void print_usage(const char *name, const char *version)
exit(1);
}
-static struct iptc_handle *create_handle(const char *tablename)
+static struct xtc_handle *create_handle(const char *tablename)
{
- struct iptc_handle *handle;
+ struct xtc_handle *handle;
handle = iptc_init(tablename);
@@ -76,7 +76,7 @@ static struct iptc_handle *create_handle(const char *tablename)
return handle;
}
-static int parse_counters(char *string, struct ipt_counters *ctr)
+static int parse_counters(char *string, struct xt_counters *ctr)
{
unsigned long long pcnt, bcnt;
int ret;
@@ -116,13 +116,14 @@ static void free_argv(void) {
int
iptables_restore_main(int argc, char *argv[])
{
- struct iptc_handle *handle = NULL;
+ struct xtc_handle *handle = NULL;
char buffer[10240];
int c;
- char curtable[IPT_TABLE_MAXNAMELEN + 1];
+ char curtable[XT_TABLE_MAXNAMELEN + 1];
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
+ const struct xtc_ops *ops = &iptc_ops;
line = 0;
@@ -197,8 +198,8 @@ iptables_restore_main(int argc, char *argv[])
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
DEBUGP("Calling commit\n");
- ret = iptc_commit(handle);
- iptc_free(handle);
+ ret = ops->commit(handle);
+ ops->free(handle);
handle = NULL;
} else {
DEBUGP("Not calling commit, testing\n");
@@ -214,16 +215,16 @@ iptables_restore_main(int argc, char *argv[])
if (!table) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u table name invalid\n",
- prog_name, line);
+ xt_params->program_name, line);
exit(1);
}
- strncpy(curtable, table, IPT_TABLE_MAXNAMELEN);
- curtable[IPT_TABLE_MAXNAMELEN] = '\0';
+ strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
+ curtable[XT_TABLE_MAXNAMELEN] = '\0';
if (tablename && (strcmp(tablename, table) != 0))
continue;
if (handle)
- iptc_free(handle);
+ ops->free(handle);
handle = create_handle(table);
if (noflush == 0) {
@@ -250,7 +251,7 @@ iptables_restore_main(int argc, char *argv[])
if (!chain) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
- prog_name, line);
+ xt_params->program_name, line);
exit(1);
}
@@ -260,17 +261,17 @@ iptables_restore_main(int argc, char *argv[])
"(%u chars max)",
chain, XT_EXTENSION_MAXNAMELEN - 1);
- if (iptc_builtin(chain, handle) <= 0) {
- if (noflush && iptc_is_chain(chain, handle)) {
+ if (ops->builtin(chain, handle) <= 0) {
+ if (noflush && ops->is_chain(chain, handle)) {
DEBUGP("Flushing existing user defined chain '%s'\n", chain);
- if (!iptc_flush_entries(chain, handle))
+ if (!ops->flush_entries(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error flushing chain "
"'%s':%s\n", chain,
strerror(errno));
} else {
DEBUGP("Creating new chain '%s'\n", chain);
- if (!iptc_create_chain(chain, handle))
+ if (!ops->create_chain(chain, handle))
xtables_error(PARAMETER_PROBLEM,
"error creating chain "
"'%s':%s\n", chain,
@@ -283,12 +284,12 @@ iptables_restore_main(int argc, char *argv[])
if (!policy) {
xtables_error(PARAMETER_PROBLEM,
"%s: line %u policy invalid\n",
- prog_name, line);
+ xt_params->program_name, line);
exit(1);
}
if (strcmp(policy, "-") != 0) {
- struct ipt_counters count;
+ struct xt_counters count;
if (counters) {
char *ctrs;
@@ -300,20 +301,19 @@ iptables_restore_main(int argc, char *argv[])
"for chain '%s'\n", chain);
} else {
- memset(&count, 0,
- sizeof(struct ipt_counters));
+ memset(&count, 0, sizeof(count));
}
DEBUGP("Setting policy of chain %s to %s\n",
chain, policy);
- if (!iptc_set_policy(chain, policy, &count,
+ if (!ops->set_policy(chain, policy, &count,
handle))
xtables_error(OTHER_PROBLEM,
"Can't set policy `%s'"
" on `%s' line %u: %s\n",
policy, chain, line,
- iptc_strerror(errno));
+ ops->strerror(errno));
}
ret = 1;
@@ -450,13 +450,13 @@ iptables_restore_main(int argc, char *argv[])
continue;
if (!ret) {
fprintf(stderr, "%s: line %u failed\n",
- prog_name, line);
+ xt_params->program_name, line);
exit(1);
}
}
if (in_table) {
fprintf(stderr, "%s: COMMIT expected at line %u\n",
- prog_name, line + 1);
+ xt_params->program_name, line + 1);
exit(1);
}
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 73fba12a..e599fcec 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -21,10 +21,9 @@
#include <dlfcn.h>
#endif
-static int show_binary = 0, show_counters = 0;
+static int show_counters = 0;
static const struct option options[] = {
- {.name = "binary", .has_arg = false, .val = 'b'},
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
@@ -37,7 +36,7 @@ static int for_each_table(int (*func)(const char *tablename))
{
int ret = 1;
FILE *procfile = NULL;
- char tablename[IPT_TABLE_MAXNAMELEN+1];
+ char tablename[XT_TABLE_MAXNAMELEN+1];
procfile = fopen("/proc/net/ip_tables_names", "re");
if (!procfile)
@@ -59,7 +58,7 @@ static int for_each_table(int (*func)(const char *tablename))
static int do_output(const char *tablename)
{
- struct iptc_handle *h;
+ struct xtc_handle *h;
const char *chain = NULL;
if (!tablename)
@@ -74,52 +73,45 @@ static int do_output(const char *tablename)
xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n",
iptc_strerror(errno));
- if (!show_binary) {
- time_t now = time(NULL);
-
- printf("# Generated by iptables-save v%s on %s",
- IPTABLES_VERSION, ctime(&now));
- printf("*%s\n", tablename);
-
- /* Dump out chain names first,
- * thereby preventing dependency conflicts */
- for (chain = iptc_first_chain(h);
- chain;
- chain = iptc_next_chain(h)) {
-
- printf(":%s ", chain);
- if (iptc_builtin(chain, h)) {
- struct ipt_counters count;
- printf("%s ",
- iptc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
- } else {
- printf("- [0:0]\n");
- }
+ time_t now = time(NULL);
+
+ printf("# Generated by iptables-save v%s on %s",
+ IPTABLES_VERSION, ctime(&now));
+ printf("*%s\n", tablename);
+
+ /* Dump out chain names first,
+ * thereby preventing dependency conflicts */
+ for (chain = iptc_first_chain(h);
+ chain;
+ chain = iptc_next_chain(h)) {
+
+ printf(":%s ", chain);
+ if (iptc_builtin(chain, h)) {
+ struct xt_counters count;
+ printf("%s ",
+ iptc_get_policy(chain, &count, h));
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ } else {
+ printf("- [0:0]\n");
}
+ }
+ for (chain = iptc_first_chain(h);
+ chain;
+ chain = iptc_next_chain(h)) {
+ const struct ipt_entry *e;
- for (chain = iptc_first_chain(h);
- chain;
- chain = iptc_next_chain(h)) {
- const struct ipt_entry *e;
-
- /* Dump out rules */
- e = iptc_first_rule(chain, h);
- while(e) {
- print_rule4(e, h, chain, show_counters);
- e = iptc_next_rule(e, h);
- }
+ /* Dump out rules */
+ e = iptc_first_rule(chain, h);
+ while(e) {
+ print_rule4(e, h, chain, show_counters);
+ e = iptc_next_rule(e, h);
}
-
- now = time(NULL);
- printf("COMMIT\n");
- printf("# Completed on %s", ctime(&now));
- } else {
- /* Binary, huh? OK. */
- xtables_error(OTHER_PROBLEM, "Binary NYI\n");
}
+ now = time(NULL);
+ printf("COMMIT\n");
+ printf("# Completed on %s", ctime(&now));
iptc_free(h);
return 1;
@@ -150,10 +142,6 @@ iptables_save_main(int argc, char *argv[])
while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
switch (c) {
- case 'b':
- show_binary = 1;
- break;
-
case 'c':
show_counters = 1;
break;
diff --git a/iptables/iptables-standalone.c b/iptables/iptables-standalone.c
index 1ebec33d..683a44a5 100644
--- a/iptables/iptables-standalone.c
+++ b/iptables/iptables-standalone.c
@@ -43,7 +43,7 @@ iptables_main(int argc, char *argv[])
{
int ret;
char *table = "filter";
- struct iptc_handle *handle = NULL;
+ struct xtc_handle *handle = NULL;
iptables_globals.program_name = "iptables";
ret = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 4ecddcb7..4b12bd46 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -56,7 +56,7 @@ print_usage(const char *name, const char *version)
}
static int
-parse_counters(char *string, struct ipt_counters *ctr)
+parse_counters(char *string, struct xt_counters *ctr)
{
__u64 *pcnt, *bcnt;
@@ -81,16 +81,16 @@ static unsigned int oldargc = 0;
/* arg meta data, were they quoted, frinstance */
static int newargvattr[255];
-#define IPT_CHAIN_MAXNAMELEN IPT_TABLE_MAXNAMELEN
-static char closeActionTag[IPT_TABLE_MAXNAMELEN + 1];
-static char closeRuleTag[IPT_TABLE_MAXNAMELEN + 1];
-static char curTable[IPT_TABLE_MAXNAMELEN + 1];
-static char curChain[IPT_CHAIN_MAXNAMELEN + 1];
+#define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN
+static char closeActionTag[XT_TABLE_MAXNAMELEN + 1];
+static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1];
+static char curTable[XT_TABLE_MAXNAMELEN + 1];
+static char curChain[XT_CHAIN_MAXNAMELEN + 1];
struct chain {
char *chain;
char *policy;
- struct ipt_counters count;
+ struct xt_counters count;
int created;
};
@@ -233,12 +233,12 @@ closeChain(void)
}
static void
-openChain(char *chain, char *policy, struct ipt_counters *ctr, char close)
+openChain(char *chain, char *policy, struct xt_counters *ctr, char close)
{
closeChain();
- strncpy(curChain, chain, IPT_CHAIN_MAXNAMELEN);
- curChain[IPT_CHAIN_MAXNAMELEN] = '\0';
+ strncpy(curChain, chain, XT_CHAIN_MAXNAMELEN);
+ curChain[XT_CHAIN_MAXNAMELEN] = '\0';
printf(" <chain ");
xmlAttrS("name", curChain);
@@ -287,7 +287,7 @@ needChain(char *chain)
}
static void
-saveChain(char *chain, char *policy, struct ipt_counters *ctr)
+saveChain(char *chain, char *policy, struct xt_counters *ctr)
{
if (nextChain >= maxChains) {
xtables_error(PARAMETER_PROBLEM,
@@ -332,8 +332,8 @@ openTable(char *table)
{
closeTable();
- strncpy(curTable, table, IPT_TABLE_MAXNAMELEN);
- curTable[IPT_TABLE_MAXNAMELEN] = '\0';
+ strncpy(curTable, table, XT_TABLE_MAXNAMELEN);
+ curTable[XT_TABLE_MAXNAMELEN] = '\0';
printf(" <table ");
xmlAttrS("name", curTable);
@@ -592,8 +592,8 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[])
xmlAttrS("byte-count", bcnt);
printf(">\n");
- strncpy(closeRuleTag, " </rule>\n", IPT_TABLE_MAXNAMELEN);
- closeRuleTag[IPT_TABLE_MAXNAMELEN] = '\0';
+ strncpy(closeRuleTag, " </rule>\n", XT_TABLE_MAXNAMELEN);
+ closeRuleTag[XT_TABLE_MAXNAMELEN] = '\0';
/* no point in writing out condition if there isn't one */
if (argc >= 3 && !isTarget(argv[2])) {
@@ -607,8 +607,8 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[])
if (!closeActionTag[0]) {
printf(" <actions>\n");
strncpy(closeActionTag, " </actions>\n",
- IPT_TABLE_MAXNAMELEN);
- closeActionTag[IPT_TABLE_MAXNAMELEN] = '\0';
+ XT_TABLE_MAXNAMELEN);
+ closeActionTag[XT_TABLE_MAXNAMELEN] = '\0';
}
do_rule_part(NULL, NULL, 1, argc, argv, argvattr);
}
@@ -694,7 +694,7 @@ iptables_xml_main(int argc, char *argv[])
} else if ((buffer[0] == ':') && (curTable[0])) {
/* New chain. */
char *policy, *chain;
- struct ipt_counters count;
+ struct xt_counters count;
char *ctrs;
chain = strtok(buffer + 1, " \t\n");
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 830ddbcb..03ac63b8 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -171,7 +171,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
/* -n */ 0,
/* -s */ IPT_INV_SRCIP,
/* -d */ IPT_INV_DSTIP,
-/* -p */ IPT_INV_PROTO,
+/* -p */ XT_INV_PROTO,
/* -j */ 0,
/* -v */ 0,
/* -x */ 0,
@@ -471,9 +471,9 @@ print_num(uint64_t number, unsigned int format)
static void
-print_header(unsigned int format, const char *chain, struct iptc_handle *handle)
+print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
{
- struct ipt_counters counters;
+ struct xt_counters counters;
const char *pol = iptc_get_policy(chain, &counters, handle);
printf("Chain %s", chain);
if (pol) {
@@ -521,7 +521,7 @@ print_header(unsigned int format, const char *chain, struct iptc_handle *handle)
static int
-print_match(const struct ipt_entry_match *m,
+print_match(const struct xt_entry_match *m,
const struct ipt_ip *ip,
int numeric)
{
@@ -547,17 +547,17 @@ print_firewall(const struct ipt_entry *fw,
const char *targname,
unsigned int num,
unsigned int format,
- struct iptc_handle *const handle)
+ struct xtc_handle *const handle)
{
const struct xtables_target *target = NULL;
- const struct ipt_entry_target *t;
+ const struct xt_entry_target *t;
uint8_t flags;
char buf[BUFSIZ];
if (!iptc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
else
- target = xtables_find_target(IPT_STANDARD_TARGET,
+ target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
t = ipt_get_target((struct ipt_entry *)fw);
@@ -574,7 +574,7 @@ print_firewall(const struct ipt_entry *fw,
if (!(format & FMT_NOTARGET))
printf(FMT("%-9s ", "%s "), targname);
- fputc(fw->ip.invflags & IPT_INV_PROTO ? '!' : ' ', stdout);
+ fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
{
const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC);
if (pname)
@@ -669,16 +669,16 @@ print_firewall(const struct ipt_entry *fw,
static void
print_firewall_line(const struct ipt_entry *fw,
- struct iptc_handle *const h)
+ struct xtc_handle *const h)
{
- struct ipt_entry_target *t;
+ struct xt_entry_target *t;
t = ipt_get_target((struct ipt_entry *)fw);
print_firewall(fw, t->u.user.name, 0, FMT_PRINT_RULE, h);
}
static int
-append_entry(const ipt_chainlabel chain,
+append_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int nsaddrs,
const struct in_addr saddrs[],
@@ -687,7 +687,7 @@ append_entry(const ipt_chainlabel chain,
const struct in_addr daddrs[],
const struct in_addr dmasks[],
int verbose,
- struct iptc_handle *handle)
+ struct xtc_handle *handle)
{
unsigned int i, j;
int ret = 1;
@@ -708,13 +708,13 @@ append_entry(const ipt_chainlabel chain,
}
static int
-replace_entry(const ipt_chainlabel chain,
+replace_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int rulenum,
const struct in_addr *saddr, const struct in_addr *smask,
const struct in_addr *daddr, const struct in_addr *dmask,
int verbose,
- struct iptc_handle *handle)
+ struct xtc_handle *handle)
{
fw->ip.src.s_addr = saddr->s_addr;
fw->ip.dst.s_addr = daddr->s_addr;
@@ -727,7 +727,7 @@ replace_entry(const ipt_chainlabel chain,
}
static int
-insert_entry(const ipt_chainlabel chain,
+insert_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int rulenum,
unsigned int nsaddrs,
@@ -737,7 +737,7 @@ insert_entry(const ipt_chainlabel chain,
const struct in_addr daddrs[],
const struct in_addr dmasks[],
int verbose,
- struct iptc_handle *handle)
+ struct xtc_handle *handle)
{
unsigned int i, j;
int ret = 1;
@@ -768,10 +768,10 @@ make_delete_mask(const struct xtables_rule_match *matches,
size = sizeof(struct ipt_entry);
for (matchp = matches; matchp; matchp = matchp->next)
- size += XT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size;
+ size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
mask = xtables_calloc(1, size
- + XT_ALIGN(sizeof(struct ipt_entry_target))
+ + XT_ALIGN(sizeof(struct xt_entry_target))
+ target->size);
memset(mask, 0xFF, sizeof(struct ipt_entry));
@@ -779,20 +779,20 @@ make_delete_mask(const struct xtables_rule_match *matches,
for (matchp = matches; matchp; matchp = matchp->next) {
memset(mptr, 0xFF,
- XT_ALIGN(sizeof(struct ipt_entry_match))
+ XT_ALIGN(sizeof(struct xt_entry_match))
+ matchp->match->userspacesize);
- mptr += XT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size;
+ mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size;
}
memset(mptr, 0xFF,
- XT_ALIGN(sizeof(struct ipt_entry_target))
+ XT_ALIGN(sizeof(struct xt_entry_target))
+ target->userspacesize);
return mask;
}
static int
-delete_entry(const ipt_chainlabel chain,
+delete_entry(const xt_chainlabel chain,
struct ipt_entry *fw,
unsigned int nsaddrs,
const struct in_addr saddrs[],
@@ -801,7 +801,7 @@ delete_entry(const ipt_chainlabel chain,
const struct in_addr daddrs[],
const struct in_addr dmasks[],
int verbose,
- struct iptc_handle *handle,
+ struct xtc_handle *handle,
struct xtables_rule_match *matches,
const struct xtables_target *target)
{
@@ -827,11 +827,11 @@ delete_entry(const ipt_chainlabel chain,
}
static int
-check_entry(const ipt_chainlabel chain, struct ipt_entry *fw,
+check_entry(const xt_chainlabel chain, struct ipt_entry *fw,
unsigned int nsaddrs, const struct in_addr *saddrs,
const struct in_addr *smasks, unsigned int ndaddrs,
const struct in_addr *daddrs, const struct in_addr *dmasks,
- bool verbose, struct iptc_handle *handle,
+ bool verbose, struct xtc_handle *handle,
struct xtables_rule_match *matches,
const struct xtables_target *target)
{
@@ -857,8 +857,8 @@ check_entry(const ipt_chainlabel chain, struct ipt_entry *fw,
}
int
-for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
- int verbose, int builtinstoo, struct iptc_handle *handle)
+for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *),
+ int verbose, int builtinstoo, struct xtc_handle *handle)
{
int ret = 1;
const char *chain;
@@ -871,21 +871,21 @@ for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
chain = iptc_next_chain(handle);
}
- chains = xtables_malloc(sizeof(ipt_chainlabel) * chaincount);
+ chains = xtables_malloc(sizeof(xt_chainlabel) * chaincount);
i = 0;
chain = iptc_first_chain(handle);
while (chain) {
- strcpy(chains + i*sizeof(ipt_chainlabel), chain);
+ strcpy(chains + i*sizeof(xt_chainlabel), chain);
i++;
chain = iptc_next_chain(handle);
}
for (i = 0; i < chaincount; i++) {
if (!builtinstoo
- && iptc_builtin(chains + i*sizeof(ipt_chainlabel),
+ && iptc_builtin(chains + i*sizeof(xt_chainlabel),
handle) == 1)
continue;
- ret &= fn(chains + i*sizeof(ipt_chainlabel), verbose, handle);
+ ret &= fn(chains + i*sizeof(xt_chainlabel), verbose, handle);
}
free(chains);
@@ -893,8 +893,8 @@ for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *),
}
int
-flush_entries4(const ipt_chainlabel chain, int verbose,
- struct iptc_handle *handle)
+flush_entries4(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle)
{
if (!chain)
return for_each_chain4(flush_entries4, verbose, 1, handle);
@@ -905,8 +905,8 @@ flush_entries4(const ipt_chainlabel chain, int verbose,
}
static int
-zero_entries(const ipt_chainlabel chain, int verbose,
- struct iptc_handle *handle)
+zero_entries(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle)
{
if (!chain)
return for_each_chain4(zero_entries, verbose, 1, handle);
@@ -917,8 +917,8 @@ zero_entries(const ipt_chainlabel chain, int verbose,
}
int
-delete_chain4(const ipt_chainlabel chain, int verbose,
- struct iptc_handle *handle)
+delete_chain4(const xt_chainlabel chain, int verbose,
+ struct xtc_handle *handle)
{
if (!chain)
return for_each_chain4(delete_chain4, verbose, 0, handle);
@@ -929,8 +929,8 @@ delete_chain4(const ipt_chainlabel chain, int verbose,
}
static int
-list_entries(const ipt_chainlabel chain, int rulenum, int verbose, int numeric,
- int expanded, int linenumbers, struct iptc_handle *handle)
+list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
+ int expanded, int linenumbers, struct xtc_handle *handle)
{
int found = 0;
unsigned int format;
@@ -1041,7 +1041,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
}
}
-static int print_match_save(const struct ipt_entry_match *e,
+static int print_match_save(const struct xt_entry_match *e,
const struct ipt_ip *ip)
{
const struct xtables_match *match =
@@ -1097,9 +1097,9 @@ static void print_ip(const char *prefix, uint32_t ip,
/* We want this to be readable, so only print out neccessary fields.
* Because that's the kind of world I want to live in. */
void print_rule4(const struct ipt_entry *e,
- struct iptc_handle *h, const char *chain, int counters)
+ struct xtc_handle *h, const char *chain, int counters)
{
- const struct ipt_entry_target *t;
+ const struct xt_entry_target *t;
const char *target_name;
/* print counters for iptables-save */
@@ -1122,7 +1122,7 @@ void print_rule4(const struct ipt_entry *e,
print_iface('o', e->ip.outiface, e->ip.outiface_mask,
e->ip.invflags & IPT_INV_VIA_OUT);
- print_proto(e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
+ print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
if (e->ip.flags & IPT_F_FRAG)
printf("%s -f",
@@ -1161,11 +1161,11 @@ void print_rule4(const struct ipt_entry *e,
if (target->save)
target->save(&e->ip, t);
else {
- /* If the target size is greater than ipt_entry_target
+ /* If the target size is greater than xt_entry_target
* there is something to be saved, we just don't know
* how to print it */
if (t->u.target_size !=
- sizeof(struct ipt_entry_target)) {
+ sizeof(struct xt_entry_target)) {
fprintf(stderr, "Target `%s' is missing "
"save function\n",
t->u.user.name);
@@ -1177,8 +1177,8 @@ void print_rule4(const struct ipt_entry *e,
}
static int
-list_rules(const ipt_chainlabel chain, int rulenum, int counters,
- struct iptc_handle *handle)
+list_rules(const xt_chainlabel chain, int rulenum, int counters,
+ struct xtc_handle *handle)
{
const char *this = NULL;
int found = 0;
@@ -1195,7 +1195,7 @@ list_rules(const ipt_chainlabel chain, int rulenum, int counters,
continue;
if (iptc_builtin(this, handle)) {
- struct ipt_counters count;
+ struct xt_counters count;
printf("-P %s %s", this, iptc_get_policy(this, &count, handle));
if (counters)
printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
@@ -1232,7 +1232,7 @@ list_rules(const ipt_chainlabel chain, int rulenum, int counters,
static struct ipt_entry *
generate_entry(const struct ipt_entry *fw,
struct xtables_rule_match *matches,
- struct ipt_entry_target *target)
+ struct xt_entry_target *target)
{
unsigned int size;
struct xtables_rule_match *matchp;
@@ -1290,7 +1290,7 @@ static void command_jump(struct iptables_command_state *cs)
if (cs->target == NULL)
return;
- size = XT_ALIGN(sizeof(struct ipt_entry_target))
+ size = XT_ALIGN(sizeof(struct xt_entry_target))
+ cs->target->size;
cs->target->t = xtables_calloc(1, size);
@@ -1321,7 +1321,7 @@ static void command_match(struct iptables_command_state *cs)
"unexpected ! flag before --match");
m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches);
- size = XT_ALIGN(sizeof(struct ipt_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
@@ -1340,7 +1340,7 @@ static void command_match(struct iptables_command_state *cs)
xtables_error(OTHER_PROBLEM, "can't alloc memory!");
}
-int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handle)
+int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle)
{
struct iptables_command_state cs;
struct ipt_entry *e = NULL;
@@ -1559,7 +1559,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
cs.fw.ip.proto = xtables_parse_protocol(cs.protocol);
if (cs.fw.ip.proto == 0
- && (cs.fw.ip.invflags & IPT_INV_PROTO))
+ && (cs.fw.ip.invflags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM,
"rule would never match protocol");
break;
@@ -1837,10 +1837,10 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
|| iptc_is_chain(cs.jumpto, *handle))) {
size_t size;
- cs.target = xtables_find_target(IPT_STANDARD_TARGET,
+ cs.target = xtables_find_target(XT_STANDARD_TARGET,
XTF_LOAD_MUST_SUCCEED);
- size = sizeof(struct ipt_entry_target)
+ size = sizeof(struct xt_entry_target)
+ cs.target->size;
cs.target->t = xtables_calloc(1, size);
cs.target->t->u.target_size = size;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 79da507d..e61c28c8 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -139,7 +139,7 @@ int command_default(struct iptables_command_state *cs,
cs->proto_used = 1;
- size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size;
+ size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
m->m = xtables_calloc(1, size);
m->m->u.match_size = size;
diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am
index c170cb21..f789d34e 100644
--- a/libiptc/Makefile.am
+++ b/libiptc/Makefile.am
@@ -10,6 +10,6 @@ libiptc_la_SOURCES =
libiptc_la_LIBADD = libip4tc.la libip6tc.la
libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
libip4tc_la_SOURCES = libip4tc.c
-libip4tc_la_LDFLAGS = -version-info 0:0:0
+libip4tc_la_LDFLAGS = -version-info 1:0:1
libip6tc_la_SOURCES = libip6tc.c
-libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
+libip6tc_la_LDFLAGS = -version-info 1:0:1 ${libiptc_LDFLAGS2}
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index cf66709e..dd599516 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -36,33 +36,27 @@ typedef unsigned int socklen_t;
#define HOOK_FORWARD NF_IP_FORWARD
#define HOOK_LOCAL_OUT NF_IP_LOCAL_OUT
#define HOOK_POST_ROUTING NF_IP_POST_ROUTING
-#ifdef NF_IP_DROPPING
-#define HOOK_DROPPING NF_IP_DROPPING
-#endif
-#define STRUCT_ENTRY_TARGET struct ipt_entry_target
+#define STRUCT_ENTRY_TARGET struct xt_entry_target
#define STRUCT_ENTRY struct ipt_entry
-#define STRUCT_ENTRY_MATCH struct ipt_entry_match
+#define STRUCT_ENTRY_MATCH struct xt_entry_match
#define STRUCT_GETINFO struct ipt_getinfo
#define STRUCT_GET_ENTRIES struct ipt_get_entries
-#define STRUCT_COUNTERS struct ipt_counters
-#define STRUCT_COUNTERS_INFO struct ipt_counters_info
-#define STRUCT_STANDARD_TARGET struct ipt_standard_target
+#define STRUCT_COUNTERS struct xt_counters
+#define STRUCT_COUNTERS_INFO struct xt_counters_info
+#define STRUCT_STANDARD_TARGET struct xt_standard_target
#define STRUCT_REPLACE struct ipt_replace
-#define STRUCT_TC_HANDLE struct iptc_handle
-#define xtc_handle iptc_handle
-
#define ENTRY_ITERATE IPT_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IPT_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IPT_FUNCTION_MAXNAMELEN
+#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define GET_TARGET ipt_get_target
-#define ERROR_TARGET IPT_ERROR_TARGET
+#define ERROR_TARGET XT_ERROR_TARGET
#define NUMHOOKS NF_IP_NUMHOOKS
-#define IPT_CHAINLABEL ipt_chainlabel
+#define IPT_CHAINLABEL xt_chainlabel
#define TC_DUMP_ENTRIES dump_entries
#define TC_IS_CHAIN iptc_is_chain
@@ -96,6 +90,7 @@ typedef unsigned int socklen_t;
#define TC_STRERROR iptc_strerror
#define TC_NUM_RULES iptc_num_rules
#define TC_GET_RULE iptc_get_rule
+#define TC_OPS iptc_ops
#define TC_AF AF_INET
#define TC_IPPROTO IPPROTO_IP
@@ -106,14 +101,14 @@ typedef unsigned int socklen_t;
#define SO_GET_ENTRIES IPT_SO_GET_ENTRIES
#define SO_GET_VERSION IPT_SO_GET_VERSION
-#define STANDARD_TARGET IPT_STANDARD_TARGET
+#define STANDARD_TARGET XT_STANDARD_TARGET
#define LABEL_RETURN IPTC_LABEL_RETURN
#define LABEL_ACCEPT IPTC_LABEL_ACCEPT
#define LABEL_DROP IPTC_LABEL_DROP
#define LABEL_QUEUE IPTC_LABEL_QUEUE
#define ALIGN XT_ALIGN
-#define RETURN IPT_RETURN
+#define RETURN XT_RETURN
#include "libiptc.c"
@@ -126,7 +121,7 @@ typedef unsigned int socklen_t;
#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
static int
-dump_entry(struct ipt_entry *e, struct iptc_handle *const handle)
+dump_entry(struct ipt_entry *e, struct xtc_handle *const handle)
{
size_t i;
STRUCT_ENTRY_TARGET *t;
@@ -166,7 +161,7 @@ dump_entry(struct ipt_entry *e, struct iptc_handle *const handle)
: "UNKNOWN");
else
printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IPT_ERROR_TARGET) == 0)
+ } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0)
printf("error=`%s'\n", t->data);
printf("\n");
@@ -209,7 +204,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask)
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
- mptr += XT_ALIGN(sizeof(struct ipt_entry_target));
+ mptr += XT_ALIGN(sizeof(struct xt_entry_target));
return mptr;
}
@@ -241,7 +236,7 @@ check_match(const STRUCT_ENTRY_MATCH *m, unsigned int *off)
static inline int
check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
unsigned int user_offset, int *was_return,
- struct iptc_handle *h)
+ struct xtc_handle *h)
{
unsigned int toff;
STRUCT_STANDARD_TARGET *t;
@@ -277,14 +272,14 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
idx = iptcb_entry2index(h, te);
assert(strcmp(GET_TARGET(te)->u.user.name,
- IPT_ERROR_TARGET)
+ XT_ERROR_TARGET)
!= 0);
assert(te != e);
/* Prior node must be error node, or this node. */
assert(t->verdict == iptcb_entry2offset(h, e)+e->next_offset
|| strcmp(GET_TARGET(index2entry(h, idx-1))
- ->u.user.name, IPT_ERROR_TARGET)
+ ->u.user.name, XT_ERROR_TARGET)
== 0);
}
@@ -294,7 +289,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
*was_return = 1;
else
*was_return = 0;
- } else if (strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0) {
+ } else if (strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0) {
assert(t->target.u.target_size
== ALIGN(sizeof(struct ipt_error_target)));
@@ -307,7 +302,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
else *was_return = 0;
if (*off == user_offset)
- assert(strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0);
+ assert(strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0);
(*off) += e->next_offset;
(*i)++;
@@ -317,7 +312,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off,
#ifdef IPTC_DEBUG
/* Do every conceivable sanity check on the handle */
static void
-do_check(struct iptc_handle *h, unsigned int line)
+do_check(struct xtc_handle *h, unsigned int line)
{
unsigned int i, n;
unsigned int user_offset; /* Offset of first user chain */
@@ -426,15 +421,6 @@ do_check(struct iptc_handle *h, unsigned int line)
assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
-
-#ifdef NF_IP_DROPPING
- } else if (strcmp(h->info.name, "drop") == 0) {
- assert(h->info.valid_hooks == (1 << NF_IP_DROPPING));
-
- /* Hook should be first */
- assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
- user_offset = 0;
-#endif
} else {
fprintf(stderr, "Unknown table `%s'\n", h->info.name);
abort();
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 0f8a889d..7128e1cf 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -35,29 +35,26 @@ typedef unsigned int socklen_t;
#define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT
#define HOOK_POST_ROUTING NF_IP6_POST_ROUTING
-#define STRUCT_ENTRY_TARGET struct ip6t_entry_target
+#define STRUCT_ENTRY_TARGET struct xt_entry_target
#define STRUCT_ENTRY struct ip6t_entry
-#define STRUCT_ENTRY_MATCH struct ip6t_entry_match
+#define STRUCT_ENTRY_MATCH struct xt_entry_match
#define STRUCT_GETINFO struct ip6t_getinfo
#define STRUCT_GET_ENTRIES struct ip6t_get_entries
-#define STRUCT_COUNTERS struct ip6t_counters
-#define STRUCT_COUNTERS_INFO struct ip6t_counters_info
-#define STRUCT_STANDARD_TARGET struct ip6t_standard_target
+#define STRUCT_COUNTERS struct xt_counters
+#define STRUCT_COUNTERS_INFO struct xt_counters_info
+#define STRUCT_STANDARD_TARGET struct xt_standard_target
#define STRUCT_REPLACE struct ip6t_replace
-#define STRUCT_TC_HANDLE struct ip6tc_handle
-#define xtc_handle ip6tc_handle
-
#define ENTRY_ITERATE IP6T_ENTRY_ITERATE
-#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN
-#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN
+#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
#define GET_TARGET ip6t_get_target
-#define ERROR_TARGET IP6T_ERROR_TARGET
+#define ERROR_TARGET XT_ERROR_TARGET
#define NUMHOOKS NF_IP6_NUMHOOKS
-#define IPT_CHAINLABEL ip6t_chainlabel
+#define IPT_CHAINLABEL xt_chainlabel
#define TC_DUMP_ENTRIES dump_entries6
#define TC_IS_CHAIN ip6tc_is_chain
@@ -91,6 +88,7 @@ typedef unsigned int socklen_t;
#define TC_STRERROR ip6tc_strerror
#define TC_NUM_RULES ip6tc_num_rules
#define TC_GET_RULE ip6tc_get_rule
+#define TC_OPS ip6tc_ops
#define TC_AF AF_INET6
#define TC_IPPROTO IPPROTO_IPV6
@@ -101,14 +99,14 @@ typedef unsigned int socklen_t;
#define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES
#define SO_GET_VERSION IP6T_SO_GET_VERSION
-#define STANDARD_TARGET IP6T_STANDARD_TARGET
+#define STANDARD_TARGET XT_STANDARD_TARGET
#define LABEL_RETURN IP6TC_LABEL_RETURN
#define LABEL_ACCEPT IP6TC_LABEL_ACCEPT
#define LABEL_DROP IP6TC_LABEL_DROP
#define LABEL_QUEUE IP6TC_LABEL_QUEUE
#define ALIGN XT_ALIGN
-#define RETURN IP6T_RETURN
+#define RETURN XT_RETURN
#include "libiptc.c"
@@ -131,12 +129,12 @@ ipv6_prefix_length(const struct in6_addr *a)
}
static int
-dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle)
+dump_entry(struct ip6t_entry *e, struct xtc_handle *const handle)
{
size_t i;
char buf[40];
int len;
- struct ip6t_entry_target *t;
+ struct xt_entry_target *t;
printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e),
iptcb_entry2offset(handle, e));
@@ -185,18 +183,18 @@ dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle)
t = ip6t_get_target(e);
printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size);
- if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) {
+ if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
const unsigned char *data = t->data;
int pos = *(const int *)data;
if (pos < 0)
printf("verdict=%s\n",
pos == -NF_ACCEPT-1 ? "NF_ACCEPT"
: pos == -NF_DROP-1 ? "NF_DROP"
- : pos == IP6T_RETURN ? "RETURN"
+ : pos == XT_RETURN ? "RETURN"
: "UNKNOWN");
else
printf("verdict=%u\n", pos);
- } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0)
+ } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0)
printf("error=`%s'\n", t->data);
printf("\n");
@@ -241,7 +239,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b,
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
- mptr += XT_ALIGN(sizeof(struct ip6t_entry_target));
+ mptr += XT_ALIGN(sizeof(struct xt_entry_target));
return mptr;
}
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 42d9784a..63fcfc2a 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -33,6 +33,7 @@
#include <sys/socket.h>
#include <stdbool.h>
#include <xtables.h>
+#include <libiptc/xtcshared.h>
#include "linux_list.h"
@@ -61,18 +62,9 @@ static const char *hooknames[] = {
[HOOK_FORWARD] = "FORWARD",
[HOOK_LOCAL_OUT] = "OUTPUT",
[HOOK_POST_ROUTING] = "POSTROUTING",
-#ifdef HOOK_DROPPING
- [HOOK_DROPPING] = "DROPPING"
-#endif
};
/* Convenience structures */
-struct ipt_error_target
-{
- STRUCT_ENTRY_TARGET t;
- char error[TABLE_MAXNAMELEN];
-};
-
struct chain_head;
struct rule_head;
@@ -130,8 +122,7 @@ struct chain_head
unsigned int foot_offset; /* offset in rule blob */
};
-STRUCT_TC_HANDLE
-{
+struct xtc_handle {
int sockfd;
int changed; /* Have changes been made? */
@@ -1092,10 +1083,10 @@ static int parse_table(struct xtc_handle *h)
/* Convenience structures */
struct iptcb_chain_start{
STRUCT_ENTRY e;
- struct ipt_error_target name;
+ struct xt_error_target name;
};
#define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(struct ipt_error_target)))
+ ALIGN(sizeof(struct xt_error_target)))
struct iptcb_chain_foot {
STRUCT_ENTRY e;
@@ -1106,10 +1097,10 @@ struct iptcb_chain_foot {
struct iptcb_chain_error {
STRUCT_ENTRY entry;
- struct ipt_error_target target;
+ struct xt_error_target target;
};
#define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \
- ALIGN(sizeof(struct ipt_error_target)))
+ ALIGN(sizeof(struct xt_error_target)))
@@ -1152,10 +1143,10 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
head = (void *)repl->entries + c->head_offset;
head->e.target_offset = sizeof(STRUCT_ENTRY);
head->e.next_offset = IPTCB_CHAIN_START_SIZE;
- strcpy(head->name.t.u.user.name, ERROR_TARGET);
- head->name.t.u.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy(head->name.error, c->name);
+ strcpy(head->name.target.u.user.name, ERROR_TARGET);
+ head->name.target.u.target_size =
+ ALIGN(sizeof(struct xt_error_target));
+ strcpy(head->name.errorname, c->name);
} else {
repl->hook_entry[c->hooknum-1] = c->head_offset;
repl->underflow[c->hooknum-1] = c->foot_offset;
@@ -1198,7 +1189,7 @@ static int iptcc_compile_chain_offsets(struct xtc_handle *h, struct chain_head *
if (!iptcc_is_builtin(c)) {
/* Chain has header */
*offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
+ + ALIGN(sizeof(struct xt_error_target));
(*num)++;
}
@@ -1238,7 +1229,7 @@ static int iptcc_compile_table_prep(struct xtc_handle *h, unsigned int *size)
/* Append one error rule at end of chain */
num++;
offset += sizeof(STRUCT_ENTRY)
- + ALIGN(sizeof(struct ipt_error_target));
+ + ALIGN(sizeof(struct xt_error_target));
/* ruleset size is now in offset */
*size = offset;
@@ -1261,10 +1252,10 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl)
error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE;
error->entry.target_offset = sizeof(STRUCT_ENTRY);
error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE;
- error->target.t.u.user.target_size =
- ALIGN(sizeof(struct ipt_error_target));
- strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET);
- strcpy((char *)&error->target.error, "ERROR");
+ error->target.target.u.user.target_size =
+ ALIGN(sizeof(struct xt_error_target));
+ strcpy((char *)&error->target.target.u.user.name, ERROR_TARGET);
+ strcpy((char *)&error->target.errorname, "ERROR");
return 1;
}
@@ -1279,7 +1270,7 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
{
struct xtc_handle *h;
- h = malloc(sizeof(STRUCT_TC_HANDLE));
+ h = malloc(sizeof(*h));
if (!h) {
errno = ENOMEM;
return NULL;
@@ -2741,3 +2732,14 @@ TC_STRERROR(int err)
return strerror(err);
}
+
+const struct xtc_ops TC_OPS = {
+ .commit = TC_COMMIT,
+ .free = TC_FREE,
+ .builtin = TC_BUILTIN,
+ .is_chain = TC_IS_CHAIN,
+ .flush_entries = TC_FLUSH_ENTRIES,
+ .create_chain = TC_CREATE_CHAIN,
+ .set_policy = TC_SET_POLICY,
+ .strerror = TC_STRERROR,
+};