diff options
67 files changed, 1038 insertions, 818 deletions
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c index 301e0e1d..f4b638b2 100644 --- a/extensions/libipt_CLUSTERIP.c +++ b/extensions/libipt_CLUSTERIP.c @@ -144,7 +144,7 @@ static void CLUSTERIP_print(const void *ip, const struct ipt_clusterip_tgt_info *cipinfo = (const struct ipt_clusterip_tgt_info *)target->data; - if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) { + if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { printf(" CLUSTERIP"); return; } @@ -164,7 +164,7 @@ static void CLUSTERIP_save(const void *ip, const struct xt_entry_target *target) /* if this is not a new entry, we don't need to save target * parameters */ - if (!cipinfo->flags & CLUSTERIP_FLAG_NEW) + if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) return; printf(" --new --hashmode %s --clustermac %s --total-nodes %d --local-node %d --hash-init %u", diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c index b60c57ee..a8d9dda0 100644 --- a/extensions/libipt_realm.c +++ b/extensions/libipt_realm.c @@ -41,7 +41,7 @@ static void realm_init(struct xt_entry_match *m) static void realm_parse(struct xt_option_call *cb) { - struct ipt_realm_info *realminfo = cb->data; + struct xt_realm_info *realminfo = cb->data; int id; char *end; @@ -87,7 +87,7 @@ print_realm(unsigned long id, unsigned long mask, int numeric) static void realm_print(const void *ip, const struct xt_entry_match *match, int numeric) { - const struct ipt_realm_info *ri = (const void *)match->data; + const struct xt_realm_info *ri = (const void *)match->data; if (ri->invert) printf(" !"); @@ -98,7 +98,7 @@ static void realm_print(const void *ip, const struct xt_entry_match *match, static void realm_save(const void *ip, const struct xt_entry_match *match) { - const struct ipt_realm_info *ri = (const void *)match->data; + const struct xt_realm_info *ri = (const void *)match->data; if (ri->invert) printf(" !"); @@ -111,8 +111,8 @@ static struct xtables_match realm_mt_reg = { .name = "realm", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_realm_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_realm_info)), + .size = XT_ALIGN(sizeof(struct xt_realm_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)), .help = realm_help, .init = realm_init, .print = realm_print, diff --git a/extensions/libipt_addrtype.c b/extensions/libxt_addrtype.c index 3dec626b..59072b35 100644 --- a/extensions/libipt_addrtype.c +++ b/extensions/libxt_addrtype.c @@ -4,7 +4,7 @@ #include <stdio.h> #include <string.h> #include <xtables.h> -#include <linux/netfilter_ipv4/ipt_addrtype.h> +#include <linux/netfilter/xt_addrtype.h> enum { O_SRC_TYPE = 0, @@ -98,7 +98,7 @@ static void parse_types(const char *arg, uint16_t *mask) static void addrtype_parse_v0(struct xt_option_call *cb) { - struct ipt_addrtype_info *info = cb->data; + struct xt_addrtype_info *info = cb->data; xtables_option_parse(cb); switch (cb->entry->id) { @@ -117,25 +117,25 @@ static void addrtype_parse_v0(struct xt_option_call *cb) static void addrtype_parse_v1(struct xt_option_call *cb) { - struct ipt_addrtype_info_v1 *info = cb->data; + struct xt_addrtype_info_v1 *info = cb->data; xtables_option_parse(cb); switch (cb->entry->id) { case O_SRC_TYPE: parse_types(cb->arg, &info->source); if (cb->invert) - info->flags |= IPT_ADDRTYPE_INVERT_SOURCE; + info->flags |= XT_ADDRTYPE_INVERT_SOURCE; break; case O_DST_TYPE: parse_types(cb->arg, &info->dest); if (cb->invert) - info->flags |= IPT_ADDRTYPE_INVERT_DEST; + info->flags |= XT_ADDRTYPE_INVERT_DEST; break; case O_LIMIT_IFACE_IN: - info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_IN; + info->flags |= XT_ADDRTYPE_LIMIT_IFACE_IN; break; case O_LIMIT_IFACE_OUT: - info->flags |= IPT_ADDRTYPE_LIMIT_IFACE_OUT; + info->flags |= XT_ADDRTYPE_LIMIT_IFACE_OUT; break; } } @@ -162,8 +162,7 @@ static void print_types(uint16_t mask) static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match, int numeric) { - const struct ipt_addrtype_info *info = - (struct ipt_addrtype_info *) match->data; + const struct xt_addrtype_info *info = (const void *)match->data; printf(" ADDRTYPE match"); if (info->source) { @@ -183,34 +182,30 @@ static void addrtype_print_v0(const void *ip, const struct xt_entry_match *match static void addrtype_print_v1(const void *ip, const struct xt_entry_match *match, int numeric) { - const struct ipt_addrtype_info_v1 *info = - (struct ipt_addrtype_info_v1 *) match->data; + const struct xt_addrtype_info_v1 *info = (const void *)match->data; printf(" ADDRTYPE match"); if (info->source) { printf(" src-type "); - if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) + if (info->flags & XT_ADDRTYPE_INVERT_SOURCE) printf("!"); print_types(info->source); } if (info->dest) { printf(" dst-type "); - if (info->flags & IPT_ADDRTYPE_INVERT_DEST) + if (info->flags & XT_ADDRTYPE_INVERT_DEST) printf("!"); print_types(info->dest); } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) printf(" limit-in"); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) printf(" limit-out"); - } } static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match) { - const struct ipt_addrtype_info *info = - (struct ipt_addrtype_info *) match->data; + const struct xt_addrtype_info *info = (const void *)match->data; if (info->source) { if (info->invert_source) @@ -228,27 +223,24 @@ static void addrtype_save_v0(const void *ip, const struct xt_entry_match *match) static void addrtype_save_v1(const void *ip, const struct xt_entry_match *match) { - const struct ipt_addrtype_info_v1 *info = - (struct ipt_addrtype_info_v1 *) match->data; + const struct xt_addrtype_info_v1 *info = (const void *)match->data; if (info->source) { - if (info->flags & IPT_ADDRTYPE_INVERT_SOURCE) + if (info->flags & XT_ADDRTYPE_INVERT_SOURCE) printf(" !"); printf(" --src-type "); print_types(info->source); } if (info->dest) { - if (info->flags & IPT_ADDRTYPE_INVERT_DEST) + if (info->flags & XT_ADDRTYPE_INVERT_DEST) printf(" !"); printf(" --dst-type "); print_types(info->dest); } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) printf(" --limit-iface-in"); - } - if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { + if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) printf(" --limit-iface-out"); - } } static const struct xt_option_entry addrtype_opts_v0[] = { @@ -276,8 +268,8 @@ static struct xtables_match addrtype_mt_reg[] = { .name = "addrtype", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .size = XT_ALIGN(sizeof(struct xt_addrtype_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info)), .help = addrtype_help_v0, .print = addrtype_print_v0, .save = addrtype_save_v0, @@ -289,9 +281,9 @@ static struct xtables_match addrtype_mt_reg[] = { .name = "addrtype", .revision = 1, .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_addrtype_info_v1)), .help = addrtype_help_v1, .print = addrtype_print_v1, .save = addrtype_save_v1, diff --git a/extensions/libipt_addrtype.man b/extensions/libxt_addrtype.man index 16fd9dfd..16fd9dfd 100644 --- a/extensions/libipt_addrtype.man +++ b/extensions/libxt_addrtype.man diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c index 1e1a111f..c7dce4e7 100644 --- a/extensions/libxt_recent.c +++ b/extensions/libxt_recent.c @@ -10,6 +10,7 @@ enum { O_UPDATE, O_REMOVE, O_SECONDS, + O_REAP, O_HITCOUNT, O_RTTL, O_NAME, @@ -19,6 +20,7 @@ enum { F_RCHECK = 1 << O_RCHECK, F_UPDATE = 1 << O_UPDATE, F_REMOVE = 1 << O_REMOVE, + F_SECONDS = 1 << O_SECONDS, F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE, }; @@ -33,7 +35,9 @@ static const struct xt_option_entry recent_opts[] = { {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE, .excl = F_ANY_OP, .flags = XTOPT_INVERT}, {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32, - .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)}, + .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1}, + {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE, + .also = F_SECONDS }, {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32, .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)}, {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE, @@ -57,6 +61,8 @@ static void recent_help(void) " --seconds seconds For check and update commands above.\n" " Specifies that the match will only occur if source address last seen within\n" " the last 'seconds' seconds.\n" +" --reap Purge entries older then 'seconds'.\n" +" Can only be used in conjunction with the seconds option.\n" " --hitcount hits For check and update commands above.\n" " Specifies that the match will only occur if source address seen hits times.\n" " May be used in conjunction with the seconds option.\n" @@ -117,11 +123,16 @@ static void recent_parse(struct xt_option_call *cb) case O_RDEST: info->side = XT_RECENT_DEST; break; + case O_REAP: + info->check_set |= XT_RECENT_REAP; + break; } } static void recent_check(struct xt_fcheck_call *cb) { + struct xt_recent_mtinfo *info = cb->data; + if (!(cb->xflags & F_ANY_OP)) xtables_error(PARAMETER_PROBLEM, "recent: you must specify one of `--set', `--rcheck' " @@ -146,6 +157,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match, if (info->check_set & XT_RECENT_REMOVE) printf(" REMOVE"); if(info->seconds) printf(" seconds: %d", info->seconds); + if (info->check_set & XT_RECENT_REAP) + printf(" reap"); if(info->hit_count) printf(" hit_count: %d", info->hit_count); if (info->check_set & XT_RECENT_TTL) printf(" TTL-Match"); @@ -172,6 +185,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match) if (info->check_set & XT_RECENT_REMOVE) printf(" --remove"); if(info->seconds) printf(" --seconds %d", info->seconds); + if (info->check_set & XT_RECENT_REAP) + printf(" --reap"); if(info->hit_count) printf(" --hitcount %d", info->hit_count); if (info->check_set & XT_RECENT_TTL) printf(" --rttl"); diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man index 0392c2ca..8043df4a 100644 --- a/extensions/libxt_recent.man +++ b/extensions/libxt_recent.man @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. .TP +\fB\-\-reap\fP +This option can only be used in conjunction with \fB\-\-seconds\fP. +When used, this will cause entries older than the last given number of seconds +to be purged. +.TP \fB\-\-hitcount\fP \fIhits\fP This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the diff --git a/include/Makefile.am b/include/Makefile.am index 0a1abea4..6f7da598 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -9,4 +9,4 @@ endif nobase_include_HEADERS += \ libiptc/ipt_kernel_headers.h libiptc/libiptc.h \ - libiptc/libip6tc.h libiptc/libxtc.h + libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h diff --git a/include/ip6tables.h b/include/ip6tables.h index e976361f..37d2e0a3 100644 --- a/include/ip6tables.h +++ b/include/ip6tables.h @@ -8,12 +8,12 @@ /* Your shared library should call one of these. */ extern int do_command6(int argc, char *argv[], char **table, - struct ip6tc_handle **handle); + struct xtc_handle **handle); -extern int for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), int verbose, int builtinstoo, struct ip6tc_handle *handle); -extern int flush_entries6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle); -extern int delete_chain6(const ip6t_chainlabel chain, int verbose, struct ip6tc_handle *handle); -void print_rule6(const struct ip6t_entry *e, struct ip6tc_handle *h, const char *chain, int counters); +extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle); +extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle); +extern int delete_chain6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle); +void print_rule6(const struct ip6t_entry *e, struct xtc_handle *h, const char *chain, int counters); extern struct xtables_globals ip6tables_globals; diff --git a/include/iptables.h b/include/iptables.h index 89217e29..c42613c9 100644 --- a/include/iptables.h +++ b/include/iptables.h @@ -8,15 +8,15 @@ /* Your shared library should call one of these. */ extern int do_command4(int argc, char *argv[], char **table, - struct iptc_handle **handle); -extern int delete_chain4(const ipt_chainlabel chain, int verbose, - struct iptc_handle *handle); -extern int flush_entries4(const ipt_chainlabel chain, int verbose, - struct iptc_handle *handle); -extern int for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *), - int verbose, int builtinstoo, struct iptc_handle *handle); + struct xtc_handle **handle); +extern int delete_chain4(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle); +extern int flush_entries4(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle); +extern int for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), + int verbose, int builtinstoo, struct xtc_handle *handle); extern void print_rule4(const struct ipt_entry *e, - struct iptc_handle *handle, const char *chain, int counters); + struct xtc_handle *handle, const char *chain, int counters); extern struct xtables_globals iptables_globals; diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h index 4f2d1f87..c656bc43 100644 --- a/include/libiptc/libip6tc.h +++ b/include/libiptc/libip6tc.h @@ -10,10 +10,10 @@ # include <limits.h> /* INT_MAX in ip6_tables.h */ #endif #include <linux/netfilter_ipv6/ip6_tables.h> +#include <libiptc/xtcshared.h> -struct ip6tc_handle; - -typedef char ip6t_chainlabel[32]; +#define ip6tc_handle xtc_handle +#define ip6t_chainlabel xt_chainlabel #define IP6TC_LABEL_ACCEPT "ACCEPT" #define IP6TC_LABEL_DROP "DROP" @@ -21,132 +21,132 @@ typedef char ip6t_chainlabel[32]; #define IP6TC_LABEL_RETURN "RETURN" /* Does this chain exist? */ -int ip6tc_is_chain(const char *chain, struct ip6tc_handle *const handle); +int ip6tc_is_chain(const char *chain, struct xtc_handle *const handle); /* Take a snapshot of the rules. Returns NULL on error. */ -struct ip6tc_handle *ip6tc_init(const char *tablename); +struct xtc_handle *ip6tc_init(const char *tablename); /* Cleanup after ip6tc_init(). */ -void ip6tc_free(struct ip6tc_handle *h); +void ip6tc_free(struct xtc_handle *h); /* Iterator functions to run through the chains. Returns NULL at end. */ -const char *ip6tc_first_chain(struct ip6tc_handle *handle); -const char *ip6tc_next_chain(struct ip6tc_handle *handle); +const char *ip6tc_first_chain(struct xtc_handle *handle); +const char *ip6tc_next_chain(struct xtc_handle *handle); /* Get first rule in the given chain: NULL for empty chain. */ const struct ip6t_entry *ip6tc_first_rule(const char *chain, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Returns NULL when rules run out. */ const struct ip6t_entry *ip6tc_next_rule(const struct ip6t_entry *prev, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Returns a pointer to the target name of this position. */ const char *ip6tc_get_target(const struct ip6t_entry *e, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Is this a built-in chain? */ -int ip6tc_builtin(const char *chain, struct ip6tc_handle *const handle); +int ip6tc_builtin(const char *chain, struct xtc_handle *const handle); /* Get the policy of a given built-in chain */ const char *ip6tc_get_policy(const char *chain, - struct ip6t_counters *counters, - struct ip6tc_handle *handle); + struct xt_counters *counters, + struct xtc_handle *handle); /* These functions return TRUE for OK or 0 and set errno. If errno == 0, it means there was a version error (ie. upgrade libiptc). */ /* Rule numbers start at 1 for the first rule. */ /* Insert the entry `fw' in chain `chain' into position `rulenum'. */ -int ip6tc_insert_entry(const ip6t_chainlabel chain, +int ip6tc_insert_entry(const xt_chainlabel chain, const struct ip6t_entry *e, unsigned int rulenum, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Atomically replace rule `rulenum' in `chain' with `fw'. */ -int ip6tc_replace_entry(const ip6t_chainlabel chain, +int ip6tc_replace_entry(const xt_chainlabel chain, const struct ip6t_entry *e, unsigned int rulenum, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Append entry `fw' to chain `chain'. Equivalent to insert with rulenum = length of chain. */ -int ip6tc_append_entry(const ip6t_chainlabel chain, +int ip6tc_append_entry(const xt_chainlabel chain, const struct ip6t_entry *e, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Check whether a matching rule exists */ -int ip6tc_check_entry(const ip6t_chainlabel chain, +int ip6tc_check_entry(const xt_chainlabel chain, const struct ip6t_entry *origfw, unsigned char *matchmask, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Delete the first rule in `chain' which matches `fw'. */ -int ip6tc_delete_entry(const ip6t_chainlabel chain, +int ip6tc_delete_entry(const xt_chainlabel chain, const struct ip6t_entry *origfw, unsigned char *matchmask, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Delete the rule in position `rulenum' in `chain'. */ -int ip6tc_delete_num_entry(const ip6t_chainlabel chain, +int ip6tc_delete_num_entry(const xt_chainlabel chain, unsigned int rulenum, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Check the packet `fw' on chain `chain'. Returns the verdict, or NULL and sets errno. */ -const char *ip6tc_check_packet(const ip6t_chainlabel chain, +const char *ip6tc_check_packet(const xt_chainlabel chain, struct ip6t_entry *, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* Flushes the entries in the given chain (ie. empties chain). */ -int ip6tc_flush_entries(const ip6t_chainlabel chain, - struct ip6tc_handle *handle); +int ip6tc_flush_entries(const xt_chainlabel chain, + struct xtc_handle *handle); /* Zeroes the counters in a chain. */ -int ip6tc_zero_entries(const ip6t_chainlabel chain, - struct ip6tc_handle *handle); +int ip6tc_zero_entries(const xt_chainlabel chain, + struct xtc_handle *handle); /* Creates a new chain. */ -int ip6tc_create_chain(const ip6t_chainlabel chain, - struct ip6tc_handle *handle); +int ip6tc_create_chain(const xt_chainlabel chain, + struct xtc_handle *handle); /* Deletes a chain. */ -int ip6tc_delete_chain(const ip6t_chainlabel chain, - struct ip6tc_handle *handle); +int ip6tc_delete_chain(const xt_chainlabel chain, + struct xtc_handle *handle); /* Renames a chain. */ -int ip6tc_rename_chain(const ip6t_chainlabel oldname, - const ip6t_chainlabel newname, - struct ip6tc_handle *handle); +int ip6tc_rename_chain(const xt_chainlabel oldname, + const xt_chainlabel newname, + struct xtc_handle *handle); /* Sets the policy on a built-in chain. */ -int ip6tc_set_policy(const ip6t_chainlabel chain, - const ip6t_chainlabel policy, - struct ip6t_counters *counters, - struct ip6tc_handle *handle); +int ip6tc_set_policy(const xt_chainlabel chain, + const xt_chainlabel policy, + struct xt_counters *counters, + struct xtc_handle *handle); /* Get the number of references to this chain */ -int ip6tc_get_references(unsigned int *ref, const ip6t_chainlabel chain, - struct ip6tc_handle *handle); +int ip6tc_get_references(unsigned int *ref, const xt_chainlabel chain, + struct xtc_handle *handle); /* read packet and byte counters for a specific rule */ -struct ip6t_counters *ip6tc_read_counter(const ip6t_chainlabel chain, +struct xt_counters *ip6tc_read_counter(const xt_chainlabel chain, unsigned int rulenum, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* zero packet and byte counters for a specific rule */ -int ip6tc_zero_counter(const ip6t_chainlabel chain, +int ip6tc_zero_counter(const xt_chainlabel chain, unsigned int rulenum, - struct ip6tc_handle *handle); + struct xtc_handle *handle); /* set packet and byte counters for a specific rule */ -int ip6tc_set_counter(const ip6t_chainlabel chain, +int ip6tc_set_counter(const xt_chainlabel chain, unsigned int rulenum, - struct ip6t_counters *counters, - struct ip6tc_handle *handle); + struct xt_counters *counters, + struct xtc_handle *handle); /* Makes the actual changes. */ -int ip6tc_commit(struct ip6tc_handle *handle); +int ip6tc_commit(struct xtc_handle *handle); /* Get raw socket. */ int ip6tc_get_raw_socket(void); @@ -157,6 +157,8 @@ const char *ip6tc_strerror(int err); /* Return prefix length, or -1 if not contiguous */ int ipv6_prefix_length(const struct in6_addr *a); -extern void dump_entries6(struct ip6tc_handle *const); +extern void dump_entries6(struct xtc_handle *const); + +extern const struct xtc_ops ip6tc_ops; #endif /* _LIBIP6TC_H */ diff --git a/include/libiptc/libiptc.h b/include/libiptc/libiptc.h index 3497d6ae..24cdbdb7 100644 --- a/include/libiptc/libiptc.h +++ b/include/libiptc/libiptc.h @@ -10,14 +10,14 @@ # include <limits.h> /* INT_MAX in ip_tables.h */ #endif #include <linux/netfilter_ipv4/ip_tables.h> +#include <libiptc/xtcshared.h> #ifdef __cplusplus extern "C" { #endif -struct iptc_handle; - -typedef char ipt_chainlabel[32]; +#define iptc_handle xtc_handle +#define ipt_chainlabel xt_chainlabel #define IPTC_LABEL_ACCEPT "ACCEPT" #define IPTC_LABEL_DROP "DROP" @@ -25,134 +25,134 @@ typedef char ipt_chainlabel[32]; #define IPTC_LABEL_RETURN "RETURN" /* Does this chain exist? */ -int iptc_is_chain(const char *chain, struct iptc_handle *const handle); +int iptc_is_chain(const char *chain, struct xtc_handle *const handle); /* Take a snapshot of the rules. Returns NULL on error. */ -struct iptc_handle *iptc_init(const char *tablename); +struct xtc_handle *iptc_init(const char *tablename); /* Cleanup after iptc_init(). */ -void iptc_free(struct iptc_handle *h); +void iptc_free(struct xtc_handle *h); /* Iterator functions to run through the chains. Returns NULL at end. */ -const char *iptc_first_chain(struct iptc_handle *handle); -const char *iptc_next_chain(struct iptc_handle *handle); +const char *iptc_first_chain(struct xtc_handle *handle); +const char *iptc_next_chain(struct xtc_handle *handle); /* Get first rule in the given chain: NULL for empty chain. */ const struct ipt_entry *iptc_first_rule(const char *chain, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Returns NULL when rules run out. */ const struct ipt_entry *iptc_next_rule(const struct ipt_entry *prev, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Returns a pointer to the target name of this entry. */ const char *iptc_get_target(const struct ipt_entry *e, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Is this a built-in chain? */ -int iptc_builtin(const char *chain, struct iptc_handle *const handle); +int iptc_builtin(const char *chain, struct xtc_handle *const handle); /* Get the policy of a given built-in chain */ const char *iptc_get_policy(const char *chain, - struct ipt_counters *counter, - struct iptc_handle *handle); + struct xt_counters *counter, + struct xtc_handle *handle); /* These functions return TRUE for OK or 0 and set errno. If errno == 0, it means there was a version error (ie. upgrade libiptc). */ /* Rule numbers start at 1 for the first rule. */ /* Insert the entry `e' in chain `chain' into position `rulenum'. */ -int iptc_insert_entry(const ipt_chainlabel chain, +int iptc_insert_entry(const xt_chainlabel chain, const struct ipt_entry *e, unsigned int rulenum, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Atomically replace rule `rulenum' in `chain' with `e'. */ -int iptc_replace_entry(const ipt_chainlabel chain, +int iptc_replace_entry(const xt_chainlabel chain, const struct ipt_entry *e, unsigned int rulenum, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Append entry `e' to chain `chain'. Equivalent to insert with rulenum = length of chain. */ -int iptc_append_entry(const ipt_chainlabel chain, +int iptc_append_entry(const xt_chainlabel chain, const struct ipt_entry *e, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Check whether a mathching rule exists */ -int iptc_check_entry(const ipt_chainlabel chain, +int iptc_check_entry(const xt_chainlabel chain, const struct ipt_entry *origfw, unsigned char *matchmask, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Delete the first rule in `chain' which matches `e', subject to matchmask (array of length == origfw) */ -int iptc_delete_entry(const ipt_chainlabel chain, +int iptc_delete_entry(const xt_chainlabel chain, const struct ipt_entry *origfw, unsigned char *matchmask, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Delete the rule in position `rulenum' in `chain'. */ -int iptc_delete_num_entry(const ipt_chainlabel chain, +int iptc_delete_num_entry(const xt_chainlabel chain, unsigned int rulenum, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Check the packet `e' on chain `chain'. Returns the verdict, or NULL and sets errno. */ -const char *iptc_check_packet(const ipt_chainlabel chain, +const char *iptc_check_packet(const xt_chainlabel chain, struct ipt_entry *entry, - struct iptc_handle *handle); + struct xtc_handle *handle); /* Flushes the entries in the given chain (ie. empties chain). */ -int iptc_flush_entries(const ipt_chainlabel chain, - struct iptc_handle *handle); +int iptc_flush_entries(const xt_chainlabel chain, + struct xtc_handle *handle); /* Zeroes the counters in a chain. */ -int iptc_zero_entries(const ipt_chainlabel chain, - struct iptc_handle *handle); +int iptc_zero_entries(const xt_chainlabel chain, + struct xtc_handle *handle); /* Creates a new chain. */ -int iptc_create_chain(const ipt_chainlabel chain, - struct iptc_handle *handle); +int iptc_create_chain(const xt_chainlabel chain, + struct xtc_handle *handle); /* Deletes a chain. */ -int iptc_delete_chain(const ipt_chainlabel chain, - struct iptc_handle *handle); +int iptc_delete_chain(const xt_chainlabel chain, + struct xtc_handle *handle); /* Renames a chain. */ -int iptc_rename_chain(const ipt_chainlabel oldname, - const ipt_chainlabel newname, - struct iptc_handle *handle); +int iptc_rename_chain(const xt_chainlabel oldname, + const xt_chainlabel newname, + struct xtc_handle *handle); /* Sets the policy on a built-in chain. */ -int iptc_set_policy(const ipt_chainlabel chain, - const ipt_chainlabel policy, - struct ipt_counters *counters, - struct iptc_handle *handle); +int iptc_set_policy(const xt_chainlabel chain, + const xt_chainlabel policy, + struct xt_counters *counters, + struct xtc_handle *handle); /* Get the number of references to this chain */ int iptc_get_references(unsigned int *ref, - const ipt_chainlabel chain, - struct iptc_handle *handle); + const xt_chainlabel chain, + struct xtc_handle *handle); /* read packet and byte counters for a specific rule */ -struct ipt_counters *iptc_read_counter(const ipt_chainlabel chain, +struct xt_counters *iptc_read_counter(const xt_chainlabel chain, unsigned int rulenum, - struct iptc_handle *handle); + struct xtc_handle *handle); /* zero packet and byte counters for a specific rule */ -int iptc_zero_counter(const ipt_chainlabel chain, +int iptc_zero_counter(const xt_chainlabel chain, unsigned int rulenum, - struct iptc_handle *handle); + struct xtc_handle *handle); /* set packet and byte counters for a specific rule */ -int iptc_set_counter(const ipt_chainlabel chain, +int iptc_set_counter(const xt_chainlabel chain, unsigned int rulenum, - struct ipt_counters *counters, - struct iptc_handle *handle); + struct xt_counters *counters, + struct xtc_handle *handle); /* Makes the actual changes. */ -int iptc_commit(struct iptc_handle *handle); +int iptc_commit(struct xtc_handle *handle); /* Get raw socket. */ int iptc_get_raw_socket(void); @@ -160,7 +160,9 @@ int iptc_get_raw_socket(void); /* Translates errno numbers into more human-readable form than strerror. */ const char *iptc_strerror(int err); -extern void dump_entries(struct iptc_handle *const); +extern void dump_entries(struct xtc_handle *const); + +extern const struct xtc_ops iptc_ops; #ifdef __cplusplus } diff --git a/include/libiptc/xtcshared.h b/include/libiptc/xtcshared.h new file mode 100644 index 00000000..773ebc4c --- /dev/null +++ b/include/libiptc/xtcshared.h @@ -0,0 +1,20 @@ +#ifndef _LIBXTC_SHARED_H +#define _LIBXTC_SHARED_H 1 + +typedef char xt_chainlabel[32]; +struct xtc_handle; +struct xt_counters; + +struct xtc_ops { + int (*commit)(struct xtc_handle *); + void (*free)(struct xtc_handle *); + int (*builtin)(const char *, struct xtc_handle *const); + int (*is_chain)(const char *, struct xtc_handle *const); + int (*flush_entries)(const xt_chainlabel, struct xtc_handle *); + int (*create_chain)(const xt_chainlabel, struct xtc_handle *); + int (*set_policy)(const xt_chainlabel, const xt_chainlabel, + struct xt_counters *, struct xtc_handle *); + const char *(*strerror)(int); +}; + +#endif /* _LIBXTC_SHARED_H */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h index d1671a01..d4c59f65 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -8,7 +8,6 @@ #define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask)) - #define SI_LOAD_SHIFT 16 struct sysinfo { long uptime; /* Seconds since boot */ @@ -27,36 +26,4 @@ struct sysinfo { char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */ }; -/* Force a compilation error if condition is true */ -#define BUILD_BUG_ON(condition) ((void)BUILD_BUG_ON_ZERO(condition)) - -/* Force a compilation error if condition is constant and true */ -#define MAYBE_BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)])) - -/* Force a compilation error if a constant expression is not a power of 2 */ -#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \ - BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0)) - -/* Force a compilation error if condition is true, but also produce a - result (of value 0 and type size_t), so the expression can be used - e.g. in a structure initializer (or where-ever else comma expressions - aren't permitted). */ -#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); })) -#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); })) - -/* Trap pasters of __FUNCTION__ at compile-time */ -#define __FUNCTION__ (__func__) - -/* This helps us to avoid #ifdef CONFIG_NUMA */ -#ifdef CONFIG_NUMA -#define NUMA_BUILD 1 -#else -#define NUMA_BUILD 0 -#endif - -/* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */ -#ifdef CONFIG_FTRACE_MCOUNT_RECORD -# define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD -#endif - #endif diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 2eb00b6c..54771312 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -3,6 +3,7 @@ #include <linux/types.h> +#include <linux/sysctl.h> /* Responses from hook functions. */ #define NF_DROP 0 @@ -14,14 +15,20 @@ #define NF_MAX_VERDICT NF_STOP /* we overload the higher bits for encoding auxiliary data such as the queue - * number. Not nice, but better than additional function arguments. */ -#define NF_VERDICT_MASK 0x0000ffff -#define NF_VERDICT_BITS 16 + * number or errno values. Not nice, but better than additional function + * arguments. */ +#define NF_VERDICT_MASK 0x000000ff + +/* extra verdict flags have mask 0x0000ff00 */ +#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000 +/* queue number (NF_QUEUE) or errno (NF_DROP) */ #define NF_VERDICT_QMASK 0xffff0000 #define NF_VERDICT_QBITS 16 -#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE) +#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE) + +#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP) /* only for userspace compatibility */ /* Generic cache responses from hook functions. @@ -29,6 +36,9 @@ #define NFC_UNKNOWN 0x4000 #define NFC_ALTERED 0x8000 +/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */ +#define NF_VERDICT_BITS 16 + enum nf_inet_hooks { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h new file mode 100644 index 00000000..79cb0779 --- /dev/null +++ b/include/linux/netfilter/ipset/ip_set.h @@ -0,0 +1,225 @@ +#ifndef _IP_SET_H +#define _IP_SET_H + +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> + * Patrick Schaaf <bof@bof.de> + * Martin Josefsson <gandalf@wlug.westbo.se> + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include <linux/types.h> + +/* The protocol version */ +#define IPSET_PROTOCOL 6 + +/* The max length of strings including NUL: set and type identifiers */ +#define IPSET_MAXNAMELEN 32 + +/* Message types and commands */ +enum ipset_cmd { + IPSET_CMD_NONE, + IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ + IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ + IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ + IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ + IPSET_CMD_RENAME, /* 5: Rename a set */ + IPSET_CMD_SWAP, /* 6: Swap two sets */ + IPSET_CMD_LIST, /* 7: List sets */ + IPSET_CMD_SAVE, /* 8: Save sets */ + IPSET_CMD_ADD, /* 9: Add an element to a set */ + IPSET_CMD_DEL, /* 10: Delete an element from a set */ + IPSET_CMD_TEST, /* 11: Test an element in a set */ + IPSET_CMD_HEADER, /* 12: Get set header data only */ + IPSET_CMD_TYPE, /* 13: Get set type */ + IPSET_MSG_MAX, /* Netlink message commands */ + + /* Commands in userspace: */ + IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ + IPSET_CMD_HELP, /* 15: Get help */ + IPSET_CMD_VERSION, /* 16: Get program version */ + IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ + + IPSET_CMD_MAX, + + IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ +}; + +/* Attributes at command level */ +enum { + IPSET_ATTR_UNSPEC, + IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ + IPSET_ATTR_SETNAME, /* 2: Name of the set */ + IPSET_ATTR_TYPENAME, /* 3: Typename */ + IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ + IPSET_ATTR_REVISION, /* 4: Settype revision */ + IPSET_ATTR_FAMILY, /* 5: Settype family */ + IPSET_ATTR_FLAGS, /* 6: Flags at command level */ + IPSET_ATTR_DATA, /* 7: Nested attributes */ + IPSET_ATTR_ADT, /* 8: Multiple data containers */ + IPSET_ATTR_LINENO, /* 9: Restore lineno */ + IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ + IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ + __IPSET_ATTR_CMD_MAX, +}; +#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) + +/* CADT specific attributes */ +enum { + IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, + IPSET_ATTR_IP_TO, /* 2 */ + IPSET_ATTR_CIDR, /* 3 */ + IPSET_ATTR_PORT, /* 4 */ + IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, + IPSET_ATTR_PORT_TO, /* 5 */ + IPSET_ATTR_TIMEOUT, /* 6 */ + IPSET_ATTR_PROTO, /* 7 */ + IPSET_ATTR_CADT_FLAGS, /* 8 */ + IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ + /* Reserve empty slots */ + IPSET_ATTR_CADT_MAX = 16, + /* Create-only specific attributes */ + IPSET_ATTR_GC, + IPSET_ATTR_HASHSIZE, + IPSET_ATTR_MAXELEM, + IPSET_ATTR_NETMASK, + IPSET_ATTR_PROBES, + IPSET_ATTR_RESIZE, + IPSET_ATTR_SIZE, + /* Kernel-only */ + IPSET_ATTR_ELEMENTS, + IPSET_ATTR_REFERENCES, + IPSET_ATTR_MEMSIZE, + + __IPSET_ATTR_CREATE_MAX, +}; +#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) + +/* ADT specific attributes */ +enum { + IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, + IPSET_ATTR_NAME, + IPSET_ATTR_NAMEREF, + IPSET_ATTR_IP2, + IPSET_ATTR_CIDR2, + IPSET_ATTR_IP2_TO, + IPSET_ATTR_IFACE, + __IPSET_ATTR_ADT_MAX, +}; +#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) + +/* IP specific attributes */ +enum { + IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IPADDR_IPV6, + __IPSET_ATTR_IPADDR_MAX, +}; +#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) + +/* Error codes */ +enum ipset_errno { + IPSET_ERR_PRIVATE = 4096, + IPSET_ERR_PROTOCOL, + IPSET_ERR_FIND_TYPE, + IPSET_ERR_MAX_SETS, + IPSET_ERR_BUSY, + IPSET_ERR_EXIST_SETNAME2, + IPSET_ERR_TYPE_MISMATCH, + IPSET_ERR_EXIST, + IPSET_ERR_INVALID_CIDR, + IPSET_ERR_INVALID_NETMASK, + IPSET_ERR_INVALID_FAMILY, + IPSET_ERR_TIMEOUT, + IPSET_ERR_REFERENCED, + IPSET_ERR_IPADDR_IPV4, + IPSET_ERR_IPADDR_IPV6, + + /* Type specific error codes */ + IPSET_ERR_TYPE_SPECIFIC = 4352, +}; + +/* Flags at command level */ +enum ipset_cmd_flags { + IPSET_FLAG_BIT_EXIST = 0, + IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), + IPSET_FLAG_BIT_LIST_SETNAME = 1, + IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), + IPSET_FLAG_BIT_LIST_HEADER = 2, + IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), +}; + +/* Flags at CADT attribute level */ +enum ipset_cadt_flags { + IPSET_FLAG_BIT_BEFORE = 0, + IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), + IPSET_FLAG_BIT_PHYSDEV = 1, + IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV), +}; + +/* Commands with settype-specific attributes */ +enum ipset_adt { + IPSET_ADD, + IPSET_DEL, + IPSET_TEST, + IPSET_ADT_MAX, + IPSET_CREATE = IPSET_ADT_MAX, + IPSET_CADT_MAX, +}; + +/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t + * and IPSET_INVALID_ID if you want to increase the max number of sets. + */ +typedef __u16 ip_set_id_t; + +#define IPSET_INVALID_ID 65535 + +enum ip_set_dim { + IPSET_DIM_ZERO = 0, + IPSET_DIM_ONE, + IPSET_DIM_TWO, + IPSET_DIM_THREE, + /* Max dimension in elements. + * If changed, new revision of iptables match/target is required. + */ + IPSET_DIM_MAX = 6, +}; + +/* Option flags for kernel operations */ +enum ip_set_kopt { + IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), + IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), + IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), + IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), +}; + + +/* Interface to iptables/ip6tables */ + +#define SO_IP_SET 83 + +union ip_set_name_index { + char name[IPSET_MAXNAMELEN]; + ip_set_id_t index; +}; + +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ +struct ip_set_req_get_set { + unsigned op; + unsigned version; + union ip_set_name_index set; +}; + +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ +/* Uses ip_set_req_get_set */ + +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ +struct ip_set_req_version { + unsigned op; + unsigned version; +}; + +#endif /*_IP_SET_H */ diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 34a7fc65..38aa52d7 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h @@ -18,6 +18,9 @@ enum ip_conntrack_info { /* >= this indicates reply direction */ IP_CT_IS_REPLY, + IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY, + IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY, + IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY, /* Number of distinct IP_CT types (no NEW in reply dirn). */ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1 }; @@ -76,6 +79,10 @@ enum ip_conntrack_status { /* Conntrack is a template */ IPS_TEMPLATE_BIT = 11, IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), + + /* Conntrack is a fake untracked entry */ + IPS_UNTRACKED_BIT = 12, + IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), }; /* Connection tracking event types */ @@ -94,6 +101,13 @@ enum ip_conntrack_events { enum ip_conntrack_expect_events { IPEXP_NEW, /* new expectation */ + IPEXP_DESTROY, /* destroyed expectation */ }; +/* expectation flags */ +#define NF_CT_EXPECT_PERMANENT 0x1 +#define NF_CT_EXPECT_INACTIVE 0x2 +#define NF_CT_EXPECT_USERSPACE 0x4 + + #endif /* _NF_CONNTRACK_COMMON_H */ diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h index 8e145f0d..2ea22b01 100644 --- a/include/linux/netfilter/nf_conntrack_tuple_common.h +++ b/include/linux/netfilter/nf_conntrack_tuple_common.h @@ -1,8 +1,7 @@ #ifndef _NF_CONNTRACK_TUPLE_COMMON_H #define _NF_CONNTRACK_TUPLE_COMMON_H -enum ip_conntrack_dir -{ +enum ip_conntrack_dir { IP_CT_DIR_ORIGINAL, IP_CT_DIR_REPLY, IP_CT_DIR_MAX diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index fa2d9578..41209700 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -66,6 +66,11 @@ struct xt_standard_target { int verdict; }; +struct xt_error_target { + struct xt_entry_target target; + char errorname[XT_FUNCTION_MAXNAMELEN]; +}; + /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision * kernel supports, if >= revision. */ struct xt_get_revision { diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h index fbf4c565..b56e7681 100644 --- a/include/linux/netfilter/xt_CT.h +++ b/include/linux/netfilter/xt_CT.h @@ -1,6 +1,8 @@ #ifndef _XT_CT_H #define _XT_CT_H +#include <linux/types.h> + #define XT_CT_NOTRACK 0x1 struct xt_ct_target_info { diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/linux/netfilter/xt_TCPOPTSTRIP.h index 342ef14b..71573184 100644 --- a/include/linux/netfilter/xt_TCPOPTSTRIP.h +++ b/include/linux/netfilter/xt_TCPOPTSTRIP.h @@ -1,6 +1,8 @@ #ifndef _XT_TCPOPTSTRIP_H #define _XT_TCPOPTSTRIP_H +#include <linux/types.h> + #define tcpoptstrip_set_bit(bmap, idx) \ (bmap[(idx) >> 5] |= 1U << (idx & 31)) #define tcpoptstrip_test_bit(bmap, idx) \ diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h index 8097e0b4..902043c2 100644 --- a/include/linux/netfilter/xt_TPROXY.h +++ b/include/linux/netfilter/xt_TPROXY.h @@ -1,6 +1,8 @@ #ifndef _XT_TPROXY_H #define _XT_TPROXY_H +#include <linux/types.h> + /* TPROXY target is capable of marking the packet to perform * redirection. We can get rid of that whenever we get support for * mutliple targets in the same rule. */ diff --git a/include/linux/netfilter/xt_addrtype.h b/include/linux/netfilter/xt_addrtype.h new file mode 100644 index 00000000..b156baa9 --- /dev/null +++ b/include/linux/netfilter/xt_addrtype.h @@ -0,0 +1,44 @@ +#ifndef _XT_ADDRTYPE_H +#define _XT_ADDRTYPE_H + +#include <linux/types.h> + +enum { + XT_ADDRTYPE_INVERT_SOURCE = 0x0001, + XT_ADDRTYPE_INVERT_DEST = 0x0002, + XT_ADDRTYPE_LIMIT_IFACE_IN = 0x0004, + XT_ADDRTYPE_LIMIT_IFACE_OUT = 0x0008, +}; + + +/* rtn_type enum values from rtnetlink.h, but shifted */ +enum { + XT_ADDRTYPE_UNSPEC = 1 << 0, + XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */ + XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */ + XT_ADDRTYPE_BROADCAST = 1 << 3, + XT_ADDRTYPE_ANYCAST = 1 << 4, + XT_ADDRTYPE_MULTICAST = 1 << 5, + XT_ADDRTYPE_BLACKHOLE = 1 << 6, + XT_ADDRTYPE_UNREACHABLE = 1 << 7, + XT_ADDRTYPE_PROHIBIT = 1 << 8, + XT_ADDRTYPE_THROW = 1 << 9, + XT_ADDRTYPE_NAT = 1 << 10, + XT_ADDRTYPE_XRESOLVE = 1 << 11, +}; + +struct xt_addrtype_info_v1 { + __u16 source; /* source-type mask */ + __u16 dest; /* dest-type mask */ + __u32 flags; +}; + +/* revision 0 */ +struct xt_addrtype_info { + __u16 source; /* source-type mask */ + __u16 dest; /* dest-type mask */ + __u32 invert_source; + __u32 invert_dest; +}; + +#endif diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h index 66cfa3c7..9b883c8f 100644 --- a/include/linux/netfilter/xt_cluster.h +++ b/include/linux/netfilter/xt_cluster.h @@ -1,6 +1,8 @@ #ifndef _XT_CLUSTER_MATCH_H #define _XT_CLUSTER_MATCH_H +#include <linux/types.h> + enum xt_cluster_flags { XT_CLUSTER_F_INV = (1 << 0) }; diff --git a/include/linux/netfilter/xt_connbytes.h b/include/linux/netfilter/xt_connbytes.h index 92fcbb0d..f1d6c15b 100644 --- a/include/linux/netfilter/xt_connbytes.h +++ b/include/linux/netfilter/xt_connbytes.h @@ -17,8 +17,8 @@ enum xt_connbytes_direction { struct xt_connbytes_info { struct { - aligned_u64 from; /* count to be matched */ - aligned_u64 to; /* count to be matched */ + __aligned_u64 from; /* count to be matched */ + __aligned_u64 to; /* count to be matched */ } count; __u8 what; /* ipt_connbytes_what */ __u8 direction; /* ipt_connbytes_direction */ diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h index ba774d30..f9e8c67c 100644 --- a/include/linux/netfilter/xt_connlimit.h +++ b/include/linux/netfilter/xt_connlimit.h @@ -1,6 +1,8 @@ #ifndef _XT_CONNLIMIT_H #define _XT_CONNLIMIT_H +#include <linux/types.h> + struct xt_connlimit_data; enum { diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h index 8555e399..7d53660a 100644 --- a/include/linux/netfilter/xt_physdev.h +++ b/include/linux/netfilter/xt_physdev.h @@ -3,9 +3,6 @@ #include <linux/types.h> -#ifdef __KERNEL__ -#include <linux/if.h> -#endif #define XT_PHYSDEV_OP_IN 0x01 #define XT_PHYSDEV_OP_OUT 0x02 diff --git a/include/linux/netfilter/xt_policy.h b/include/linux/netfilter/xt_policy.h index be8ead05..d246eac8 100644 --- a/include/linux/netfilter/xt_policy.h +++ b/include/linux/netfilter/xt_policy.h @@ -26,30 +26,19 @@ struct xt_policy_spec { reqid:1; }; -#ifndef __KERNEL__ union xt_policy_addr { struct in_addr a4; struct in6_addr a6; }; -#endif struct xt_policy_elem { union { -#ifdef __KERNEL__ - struct { - union nf_inet_addr saddr; - union nf_inet_addr smask; - union nf_inet_addr daddr; - union nf_inet_addr dmask; - }; -#else struct { union xt_policy_addr saddr; union xt_policy_addr smask; union xt_policy_addr daddr; union xt_policy_addr dmask; }; -#endif }; __be32 spi; __u32 reqid; diff --git a/include/linux/netfilter/xt_quota.h b/include/linux/netfilter/xt_quota.h index 8bda65f0..9314723f 100644 --- a/include/linux/netfilter/xt_quota.h +++ b/include/linux/netfilter/xt_quota.h @@ -1,6 +1,8 @@ #ifndef _XT_QUOTA_H #define _XT_QUOTA_H +#include <linux/types.h> + enum xt_quota_flags { XT_QUOTA_INVERT = 0x1, }; @@ -11,7 +13,7 @@ struct xt_quota_priv; struct xt_quota_info { __u32 flags; __u32 pad; - aligned_u64 quota; + __aligned_u64 quota; /* Used internally by the kernel */ struct xt_quota_priv *master; diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h index 29287be6..a501e619 100644 --- a/include/linux/netfilter/xt_sctp.h +++ b/include/linux/netfilter/xt_sctp.h @@ -66,7 +66,7 @@ struct xt_sctp_info { #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) -static inline bool +static __inline__ bool __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) { unsigned int i; @@ -78,7 +78,7 @@ __sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) -static inline bool +static __inline__ bool __sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n) { unsigned int i; diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h index 4379ce9f..e3a9978f 100644 --- a/include/linux/netfilter/xt_set.h +++ b/include/linux/netfilter/xt_set.h @@ -1,62 +1,8 @@ #ifndef _XT_SET_H #define _XT_SET_H -/* The protocol version */ -#define IPSET_PROTOCOL 5 - -/* The max length of strings including NUL: set and type identifiers */ -#define IPSET_MAXNAMELEN 32 - -/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t - * and IPSET_INVALID_ID if you want to increase the max number of sets. - */ -typedef uint16_t ip_set_id_t; - -#define IPSET_INVALID_ID 65535 - -enum ip_set_dim { - IPSET_DIM_ZERO = 0, - IPSET_DIM_ONE, - IPSET_DIM_TWO, - IPSET_DIM_THREE, - /* Max dimension in elements. - * If changed, new revision of iptables match/target is required. - */ - IPSET_DIM_MAX = 6, -}; - -/* Option flags for kernel operations */ -enum ip_set_kopt { - IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), - IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), - IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), - IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), -}; - -/* Interface to iptables/ip6tables */ - -#define SO_IP_SET 83 - -union ip_set_name_index { - char name[IPSET_MAXNAMELEN]; - ip_set_id_t index; -}; - -#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ -struct ip_set_req_get_set { - unsigned op; - unsigned version; - union ip_set_name_index set; -}; - -#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ -/* Uses ip_set_req_get_set */ - -#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ -struct ip_set_req_version { - unsigned op; - unsigned version; -}; +#include <linux/types.h> +#include <linux/netfilter/ipset/ip_set.h> /* Revision 0 interface: backward compatible with netfilter/iptables */ @@ -70,11 +16,11 @@ struct ip_set_req_version { struct xt_set_info_v0 { ip_set_id_t index; union { - u_int32_t flags[IPSET_DIM_MAX + 1]; + __u32 flags[IPSET_DIM_MAX + 1]; struct { - u_int32_t __flags[IPSET_DIM_MAX]; - u_int8_t dim; - u_int8_t flags; + __u32 __flags[IPSET_DIM_MAX]; + __u8 dim; + __u8 flags; } compat; } u; }; @@ -89,12 +35,12 @@ struct xt_set_info_target_v0 { struct xt_set_info_v0 del_set; }; -/* Revision 1 match and target */ +/* Revision 1 match and target */ struct xt_set_info { ip_set_id_t index; - u_int8_t dim; - u_int8_t flags; + __u8 dim; + __u8 flags; }; /* match and target infos */ @@ -109,16 +55,11 @@ struct xt_set_info_target_v1 { /* Revision 2 target */ -enum ipset_cmd_flags { - IPSET_FLAG_BIT_EXIST = 0, - IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), -}; - struct xt_set_info_target_v2 { struct xt_set_info add_set; struct xt_set_info del_set; - u_int32_t flags; - u_int32_t timeout; + __u32 flags; + __u32 timeout; }; #endif /*_XT_SET_H*/ diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h index 6f475b8f..26d7217b 100644 --- a/include/linux/netfilter/xt_socket.h +++ b/include/linux/netfilter/xt_socket.h @@ -1,6 +1,8 @@ #ifndef _XT_SOCKET_H #define _XT_SOCKET_H +#include <linux/types.h> + enum { XT_SOCKET_TRANSPARENT = 1 << 0, }; diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h index b8bd4568..7c37fac5 100644 --- a/include/linux/netfilter/xt_time.h +++ b/include/linux/netfilter/xt_time.h @@ -1,6 +1,8 @@ #ifndef _XT_TIME_H #define _XT_TIME_H 1 +#include <linux/types.h> + struct xt_time_info { __u32 date_start; __u32 date_stop; diff --git a/include/linux/netfilter/xt_u32.h b/include/linux/netfilter/xt_u32.h index e8c3d872..04d1bfea 100644 --- a/include/linux/netfilter/xt_u32.h +++ b/include/linux/netfilter/xt_u32.h @@ -1,6 +1,8 @@ #ifndef _XT_U32_H #define _XT_U32_H 1 +#include <linux/types.h> + enum xt_u32_ops { XT_U32_AND, XT_U32_LEFTSH, diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 735f4b1b..57fd82a1 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -27,6 +27,41 @@ #define ipt_target xt_target #define ipt_table xt_table #define ipt_get_revision xt_get_revision +#define ipt_entry_match xt_entry_match +#define ipt_entry_target xt_entry_target +#define ipt_standard_target xt_standard_target +#define ipt_error_target xt_error_target +#define ipt_counters xt_counters +#define IPT_CONTINUE XT_CONTINUE +#define IPT_RETURN XT_RETURN + +/* This group is older than old (iptables < v1.4.0-rc1~89) */ +#include <linux/netfilter/xt_tcpudp.h> +#define ipt_udp xt_udp +#define ipt_tcp xt_tcp +#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT +#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT +#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS +#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION +#define IPT_TCP_INV_MASK XT_TCP_INV_MASK +#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT +#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT +#define IPT_UDP_INV_MASK XT_UDP_INV_MASK + +/* The argument to IPT_SO_ADD_COUNTERS. */ +#define ipt_counters_info xt_counters_info +/* Standard return verdict, or do jump. */ +#define IPT_STANDARD_TARGET XT_STANDARD_TARGET +/* Error verdict. */ +#define IPT_ERROR_TARGET XT_ERROR_TARGET + +/* fn returns 0 to continue iteration */ +#define IPT_MATCH_ITERATE(e, fn, args...) \ + XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) + +/* fn returns 0 to continue iteration */ +#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ + XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) /* Yes, Virginia, you have to zero the padding. */ struct ipt_ip { @@ -46,12 +81,6 @@ struct ipt_ip { u_int8_t invflags; }; -#define ipt_entry_match xt_entry_match -#define ipt_entry_target xt_entry_target -#define ipt_standard_target xt_standard_target - -#define ipt_counters xt_counters - /* Values for "flag" field in struct ipt_ip (general ip structure). */ #define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */ #define IPT_F_GOTO 0x02 /* Set if jump is a goto */ @@ -110,23 +139,6 @@ struct ipt_entry { #define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3) #define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET -#define IPT_CONTINUE XT_CONTINUE -#define IPT_RETURN XT_RETURN - -#include <linux/netfilter/xt_tcpudp.h> -#define ipt_udp xt_udp -#define ipt_tcp xt_tcp - -#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT -#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT -#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS -#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION -#define IPT_TCP_INV_MASK XT_TCP_INV_MASK - -#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT -#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT -#define IPT_UDP_INV_MASK XT_UDP_INV_MASK - /* ICMP matching stuff */ struct ipt_icmp { u_int8_t type; /* type to match */ @@ -140,7 +152,7 @@ struct ipt_icmp { /* The argument to IPT_SO_GET_INFO */ struct ipt_getinfo { /* Which table: caller fills this in. */ - char name[IPT_TABLE_MAXNAMELEN]; + char name[XT_TABLE_MAXNAMELEN]; /* Kernel fills these in. */ /* Which hook entry points are valid: bitmask */ @@ -162,7 +174,7 @@ struct ipt_getinfo { /* The argument to IPT_SO_SET_REPLACE. */ struct ipt_replace { /* Which table. */ - char name[IPT_TABLE_MAXNAMELEN]; + char name[XT_TABLE_MAXNAMELEN]; /* Which hook entry points are valid: bitmask. You can't change this. */ @@ -190,13 +202,10 @@ struct ipt_replace { struct ipt_entry entries[0]; }; -/* The argument to IPT_SO_ADD_COUNTERS. */ -#define ipt_counters_info xt_counters_info - /* The argument to IPT_SO_GET_ENTRIES. */ struct ipt_get_entries { /* Which table: user fills this in. */ - char name[IPT_TABLE_MAXNAMELEN]; + char name[XT_TABLE_MAXNAMELEN]; /* User fills this in: total entry size. */ unsigned int size; @@ -205,26 +214,13 @@ struct ipt_get_entries { struct ipt_entry entrytable[0]; }; -/* Standard return verdict, or do jump. */ -#define IPT_STANDARD_TARGET XT_STANDARD_TARGET -/* Error verdict. */ -#define IPT_ERROR_TARGET XT_ERROR_TARGET - /* Helper functions */ -static __inline__ struct ipt_entry_target * +static __inline__ struct xt_entry_target * ipt_get_target(struct ipt_entry *e) { return (void *)e + e->target_offset; } -/* fn returns 0 to continue iteration */ -#define IPT_MATCH_ITERATE(e, fn, args...) \ - XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args) - -/* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \ - XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args) - /* * Main firewall chains definitions and global var's definitions. */ diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h index e5a3687c..c6a204c9 100644 --- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h +++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h @@ -1,6 +1,8 @@ #ifndef _IPT_CLUSTERIP_H_target #define _IPT_CLUSTERIP_H_target +#include <linux/types.h> + enum clusterip_hashmode { CLUSTERIP_HASHMODE_SIP = 0, CLUSTERIP_HASHMODE_SIP_SPT, @@ -17,15 +19,15 @@ struct clusterip_config; struct ipt_clusterip_tgt_info { - u_int32_t flags; + __u32 flags; /* only relevant for new ones */ - u_int8_t clustermac[6]; - u_int16_t num_total_nodes; - u_int16_t num_local_nodes; - u_int16_t local_nodes[CLUSTERIP_MAX_NODES]; - u_int32_t hash_mode; - u_int32_t hash_initval; + __u8 clustermac[6]; + __u16 num_total_nodes; + __u16 num_local_nodes; + __u16 local_nodes[CLUSTERIP_MAX_NODES]; + __u32 hash_mode; + __u32 hash_initval; /* Used internally by the kernel */ struct clusterip_config *config; diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/linux/netfilter_ipv4/ipt_ECN.h index 7ca45918..bb88d531 100644 --- a/include/linux/netfilter_ipv4/ipt_ECN.h +++ b/include/linux/netfilter_ipv4/ipt_ECN.h @@ -8,6 +8,8 @@ */ #ifndef _IPT_ECN_TARGET_H #define _IPT_ECN_TARGET_H + +#include <linux/types.h> #include <linux/netfilter/xt_DSCP.h> #define IPT_ECN_IP_MASK (~XT_DSCP_MASK) @@ -19,11 +21,11 @@ #define IPT_ECN_OP_MASK 0xce struct ipt_ECN_info { - u_int8_t operation; /* bitset of operations */ - u_int8_t ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ + __u8 operation; /* bitset of operations */ + __u8 ip_ect; /* ECT codepoint of IPv4 header, pre-shifted */ union { struct { - u_int8_t ece:1, cwr:1; /* TCP ECT bits */ + __u8 ece:1, cwr:1; /* TCP ECT bits */ } tcp; } proto; }; diff --git a/include/linux/netfilter_ipv4/ipt_SAME.h b/include/linux/netfilter_ipv4/ipt_SAME.h index 2529660c..5bca7826 100644 --- a/include/linux/netfilter_ipv4/ipt_SAME.h +++ b/include/linux/netfilter_ipv4/ipt_SAME.h @@ -1,15 +1,17 @@ #ifndef _IPT_SAME_H #define _IPT_SAME_H +#include <linux/types.h> + #define IPT_SAME_MAX_RANGE 10 #define IPT_SAME_NODST 0x01 struct ipt_same_info { unsigned char info; - u_int32_t rangesize; - u_int32_t ipnum; - u_int32_t *iparray; + __u32 rangesize; + __u32 ipnum; + __u32 *iparray; /* hangs off end. */ struct nf_nat_range range[IPT_SAME_MAX_RANGE]; diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/linux/netfilter_ipv4/ipt_TTL.h index ee6611ed..f6ac169d 100644 --- a/include/linux/netfilter_ipv4/ipt_TTL.h +++ b/include/linux/netfilter_ipv4/ipt_TTL.h @@ -4,6 +4,8 @@ #ifndef _IPT_TTL_H #define _IPT_TTL_H +#include <linux/types.h> + enum { IPT_TTL_SET = 0, IPT_TTL_INC, @@ -13,8 +15,8 @@ enum { #define IPT_TTL_MAXMODE IPT_TTL_DEC struct ipt_TTL_info { - u_int8_t mode; - u_int8_t ttl; + __u8 mode; + __u8 ttl; }; diff --git a/include/linux/netfilter_ipv4/ipt_addrtype.h b/include/linux/netfilter_ipv4/ipt_addrtype.h index 446de6ae..0da42237 100644 --- a/include/linux/netfilter_ipv4/ipt_addrtype.h +++ b/include/linux/netfilter_ipv4/ipt_addrtype.h @@ -1,6 +1,8 @@ #ifndef _IPT_ADDRTYPE_H #define _IPT_ADDRTYPE_H +#include <linux/types.h> + enum { IPT_ADDRTYPE_INVERT_SOURCE = 0x0001, IPT_ADDRTYPE_INVERT_DEST = 0x0002, @@ -9,17 +11,17 @@ enum { }; struct ipt_addrtype_info_v1 { - u_int16_t source; /* source-type mask */ - u_int16_t dest; /* dest-type mask */ - u_int32_t flags; + __u16 source; /* source-type mask */ + __u16 dest; /* dest-type mask */ + __u32 flags; }; /* revision 0 */ struct ipt_addrtype_info { - u_int16_t source; /* source-type mask */ - u_int16_t dest; /* dest-type mask */ - u_int32_t invert_source; - u_int32_t invert_dest; + __u16 source; /* source-type mask */ + __u16 dest; /* dest-type mask */ + __u32 invert_source; + __u32 invert_dest; }; #endif diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/linux/netfilter_ipv4/ipt_ah.h index 2e555b4d..4e02bb01 100644 --- a/include/linux/netfilter_ipv4/ipt_ah.h +++ b/include/linux/netfilter_ipv4/ipt_ah.h @@ -1,9 +1,11 @@ #ifndef _IPT_AH_H #define _IPT_AH_H +#include <linux/types.h> + struct ipt_ah { - u_int32_t spis[2]; /* Security Parameter Index */ - u_int8_t invflags; /* Inverse flags */ + __u32 spis[2]; /* Security Parameter Index */ + __u8 invflags; /* Inverse flags */ }; diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_ecn.h index 9945baa4..eabf95fb 100644 --- a/include/linux/netfilter_ipv4/ipt_ecn.h +++ b/include/linux/netfilter_ipv4/ipt_ecn.h @@ -8,6 +8,8 @@ */ #ifndef _IPT_ECN_H #define _IPT_ECN_H + +#include <linux/types.h> #include <linux/netfilter/xt_dscp.h> #define IPT_ECN_IP_MASK (~XT_DSCP_MASK) @@ -20,12 +22,12 @@ /* match info */ struct ipt_ecn_info { - u_int8_t operation; - u_int8_t invert; - u_int8_t ip_ect; + __u8 operation; + __u8 invert; + __u8 ip_ect; union { struct { - u_int8_t ect; + __u8 ect; } tcp; } proto; }; diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_ttl.h index ee24fd86..37bee444 100644 --- a/include/linux/netfilter_ipv4/ipt_ttl.h +++ b/include/linux/netfilter_ipv4/ipt_ttl.h @@ -4,6 +4,8 @@ #ifndef _IPT_TTL_H #define _IPT_TTL_H +#include <linux/types.h> + enum { IPT_TTL_EQ = 0, /* equals */ IPT_TTL_NE, /* not equals */ @@ -13,8 +15,8 @@ enum { struct ipt_ttl_info { - u_int8_t mode; - u_int8_t ttl; + __u8 mode; + __u8 ttl; }; diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h index 61790323..3f19a97d 100644 --- a/include/linux/netfilter_ipv6/ip6_tables.h +++ b/include/linux/netfilter_ipv6/ip6_tables.h @@ -23,11 +23,38 @@ #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN - #define ip6t_match xt_match #define ip6t_target xt_target #define ip6t_table xt_table #define ip6t_get_revision xt_get_revision +#define ip6t_entry_match xt_entry_match +#define ip6t_entry_target xt_entry_target +#define ip6t_standard_target xt_standard_target +#define ip6t_error_target xt_error_target +#define ip6t_counters xt_counters +#define IP6T_CONTINUE XT_CONTINUE +#define IP6T_RETURN XT_RETURN + +/* Pre-iptables-1.4.0 */ +#include <linux/netfilter/xt_tcpudp.h> +#define ip6t_tcp xt_tcp +#define ip6t_udp xt_udp +#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT +#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT +#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS +#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION +#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK +#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT +#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT +#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK + +#define ip6t_counters_info xt_counters_info +#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET +#define IP6T_ERROR_TARGET XT_ERROR_TARGET +#define IP6T_MATCH_ITERATE(e, fn, args...) \ + XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) +#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ + XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) /* Yes, Virginia, you have to zero the padding. */ struct ip6t_ip6 { @@ -56,12 +83,6 @@ struct ip6t_ip6 { u_int8_t invflags; }; -#define ip6t_entry_match xt_entry_match -#define ip6t_entry_target xt_entry_target -#define ip6t_standard_target xt_standard_target - -#define ip6t_counters xt_counters - /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */ #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper protocols */ @@ -106,17 +127,12 @@ struct ip6t_entry { /* Standard entry */ struct ip6t_standard { struct ip6t_entry entry; - struct ip6t_standard_target target; -}; - -struct ip6t_error_target { - struct ip6t_entry_target target; - char errorname[IP6T_FUNCTION_MAXNAMELEN]; + struct xt_standard_target target; }; struct ip6t_error { struct ip6t_entry entry; - struct ip6t_error_target target; + struct xt_error_target target; }; #define IP6T_ENTRY_INIT(__size) \ @@ -128,16 +144,16 @@ struct ip6t_error { #define IP6T_STANDARD_INIT(__verdict) \ { \ .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \ - .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \ - sizeof(struct ip6t_standard_target)), \ + .target = XT_TARGET_INIT(XT_STANDARD_TARGET, \ + sizeof(struct xt_standard_target)), \ .target.verdict = -(__verdict) - 1, \ } #define IP6T_ERROR_INIT \ { \ .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \ - .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \ - sizeof(struct ip6t_error_target)), \ + .target = XT_TARGET_INIT(XT_ERROR_TARGET, \ + sizeof(struct xt_error_target)), \ .target.errorname = "ERROR", \ } @@ -160,30 +176,6 @@ struct ip6t_error { #define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5) #define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET -/* CONTINUE verdict for targets */ -#define IP6T_CONTINUE XT_CONTINUE - -/* For standard target */ -#define IP6T_RETURN XT_RETURN - -/* TCP/UDP matching stuff */ -#include <linux/netfilter/xt_tcpudp.h> - -#define ip6t_tcp xt_tcp -#define ip6t_udp xt_udp - -/* Values for "inv" field in struct ipt_tcp. */ -#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT -#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT -#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS -#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION -#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK - -/* Values for "invflags" field in struct ipt_udp. */ -#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT -#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT -#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK - /* ICMP matching stuff */ struct ip6t_icmp { u_int8_t type; /* type to match */ @@ -197,7 +189,7 @@ struct ip6t_icmp { /* The argument to IP6T_SO_GET_INFO */ struct ip6t_getinfo { /* Which table: caller fills this in. */ - char name[IP6T_TABLE_MAXNAMELEN]; + char name[XT_TABLE_MAXNAMELEN]; /* Kernel fills these in. */ /* Which hook entry points are valid: bitmask */ @@ -219,7 +211,7 @@ struct ip6t_getinfo { /* The argument to IP6T_SO_SET_REPLACE. */ struct ip6t_replace { /* Which table. */ - char name[IP6T_TABLE_MAXNAMELEN]; + char name[XT_TABLE_MAXNAMELEN]; /* Which hook entry points are valid: bitmask. You can't change this. */ @@ -247,13 +239,10 @@ struct ip6t_replace { struct ip6t_entry entries[0]; }; -/* The argument to IP6T_SO_ADD_COUNTERS. */ -#define ip6t_counters_info xt_counters_info - /* The argument to IP6T_SO_GET_ENTRIES. */ struct ip6t_get_entries { /* Which table: user fills this in. */ - char name[IP6T_TABLE_MAXNAMELEN]; + char name[XT_TABLE_MAXNAMELEN]; /* User fills this in: total entry size. */ unsigned int size; @@ -262,26 +251,13 @@ struct ip6t_get_entries { struct ip6t_entry entrytable[0]; }; -/* Standard return verdict, or do jump. */ -#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET -/* Error verdict. */ -#define IP6T_ERROR_TARGET XT_ERROR_TARGET - /* Helper functions */ -static __inline__ struct ip6t_entry_target * +static __inline__ struct xt_entry_target * ip6t_get_target(struct ip6t_entry *e) { return (void *)e + e->target_offset; } -/* fn returns 0 to continue iteration */ -#define IP6T_MATCH_ITERATE(e, fn, args...) \ - XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args) - -/* fn returns 0 to continue iteration */ -#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \ - XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args) - /* * Main firewall chains definitions and global var's definitions. */ diff --git a/include/linux/netfilter_ipv6/ip6t_HL.h b/include/linux/netfilter_ipv6/ip6t_HL.h index afb7813d..ebd8ead1 100644 --- a/include/linux/netfilter_ipv6/ip6t_HL.h +++ b/include/linux/netfilter_ipv6/ip6t_HL.h @@ -5,6 +5,8 @@ #ifndef _IP6T_HL_H #define _IP6T_HL_H +#include <linux/types.h> + enum { IP6T_HL_SET = 0, IP6T_HL_INC, @@ -14,8 +16,8 @@ enum { #define IP6T_HL_MAXMODE IP6T_HL_DEC struct ip6t_HL_info { - u_int8_t mode; - u_int8_t hop_limit; + __u8 mode; + __u8 hop_limit; }; diff --git a/include/linux/netfilter_ipv6/ip6t_REJECT.h b/include/linux/netfilter_ipv6/ip6t_REJECT.h index 6be65041..205ed62e 100644 --- a/include/linux/netfilter_ipv6/ip6t_REJECT.h +++ b/include/linux/netfilter_ipv6/ip6t_REJECT.h @@ -1,6 +1,8 @@ #ifndef _IP6T_REJECT_H #define _IP6T_REJECT_H +#include <linux/types.h> + enum ip6t_reject_with { IP6T_ICMP6_NO_ROUTE, IP6T_ICMP6_ADM_PROHIBITED, @@ -12,7 +14,7 @@ enum ip6t_reject_with { }; struct ip6t_reject_info { - u_int32_t with; /* reject type */ + __u32 with; /* reject type */ }; #endif /*_IP6T_REJECT_H*/ diff --git a/include/linux/netfilter_ipv6/ip6t_ah.h b/include/linux/netfilter_ipv6/ip6t_ah.h index 17a745cf..5da2b65c 100644 --- a/include/linux/netfilter_ipv6/ip6t_ah.h +++ b/include/linux/netfilter_ipv6/ip6t_ah.h @@ -1,11 +1,13 @@ #ifndef _IP6T_AH_H #define _IP6T_AH_H +#include <linux/types.h> + struct ip6t_ah { - u_int32_t spis[2]; /* Security Parameter Index */ - u_int32_t hdrlen; /* Header Length */ - u_int8_t hdrres; /* Test of the Reserved Filed */ - u_int8_t invflags; /* Inverse flags */ + __u32 spis[2]; /* Security Parameter Index */ + __u32 hdrlen; /* Header Length */ + __u8 hdrres; /* Test of the Reserved Filed */ + __u8 invflags; /* Inverse flags */ }; #define IP6T_AH_SPI 0x01 diff --git a/include/linux/netfilter_ipv6/ip6t_frag.h b/include/linux/netfilter_ipv6/ip6t_frag.h index 3724d085..b47f61b9 100644 --- a/include/linux/netfilter_ipv6/ip6t_frag.h +++ b/include/linux/netfilter_ipv6/ip6t_frag.h @@ -1,11 +1,13 @@ #ifndef _IP6T_FRAG_H #define _IP6T_FRAG_H +#include <linux/types.h> + struct ip6t_frag { - u_int32_t ids[2]; /* Security Parameter Index */ - u_int32_t hdrlen; /* Header Length */ - u_int8_t flags; /* */ - u_int8_t invflags; /* Inverse flags */ + __u32 ids[2]; /* Security Parameter Index */ + __u32 hdrlen; /* Header Length */ + __u8 flags; /* */ + __u8 invflags; /* Inverse flags */ }; #define IP6T_FRAG_IDS 0x01 diff --git a/include/linux/netfilter_ipv6/ip6t_hl.h b/include/linux/netfilter_ipv6/ip6t_hl.h index 5ef91b83..6e76dbc6 100644 --- a/include/linux/netfilter_ipv6/ip6t_hl.h +++ b/include/linux/netfilter_ipv6/ip6t_hl.h @@ -5,6 +5,8 @@ #ifndef _IP6T_HL_H #define _IP6T_HL_H +#include <linux/types.h> + enum { IP6T_HL_EQ = 0, /* equals */ IP6T_HL_NE, /* not equals */ @@ -14,8 +16,8 @@ enum { struct ip6t_hl_info { - u_int8_t mode; - u_int8_t hop_limit; + __u8 mode; + __u8 hop_limit; }; diff --git a/include/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/linux/netfilter_ipv6/ip6t_ipv6header.h index 01dfd445..efae3a20 100644 --- a/include/linux/netfilter_ipv6/ip6t_ipv6header.h +++ b/include/linux/netfilter_ipv6/ip6t_ipv6header.h @@ -8,10 +8,12 @@ on whether they contain certain headers */ #ifndef __IPV6HEADER_H #define __IPV6HEADER_H +#include <linux/types.h> + struct ip6t_ipv6header_info { - u_int8_t matchflags; - u_int8_t invflags; - u_int8_t modeflag; + __u8 matchflags; + __u8 invflags; + __u8 modeflag; }; #define MASK_HOPOPTS 128 diff --git a/include/linux/netfilter_ipv6/ip6t_mh.h b/include/linux/netfilter_ipv6/ip6t_mh.h index 18549bca..a7729a50 100644 --- a/include/linux/netfilter_ipv6/ip6t_mh.h +++ b/include/linux/netfilter_ipv6/ip6t_mh.h @@ -1,10 +1,12 @@ #ifndef _IP6T_MH_H #define _IP6T_MH_H +#include <linux/types.h> + /* MH matching stuff */ struct ip6t_mh { - u_int8_t types[2]; /* MH type range */ - u_int8_t invflags; /* Inverse flags */ + __u8 types[2]; /* MH type range */ + __u8 invflags; /* Inverse flags */ }; /* Values for "invflags" field in struct ip6t_mh. */ diff --git a/include/linux/netfilter_ipv6/ip6t_opts.h b/include/linux/netfilter_ipv6/ip6t_opts.h index 62d89bcd..17d419a8 100644 --- a/include/linux/netfilter_ipv6/ip6t_opts.h +++ b/include/linux/netfilter_ipv6/ip6t_opts.h @@ -1,14 +1,16 @@ #ifndef _IP6T_OPTS_H #define _IP6T_OPTS_H +#include <linux/types.h> + #define IP6T_OPTS_OPTSNR 16 struct ip6t_opts { - u_int32_t hdrlen; /* Header Length */ - u_int8_t flags; /* */ - u_int8_t invflags; /* Inverse flags */ - u_int16_t opts[IP6T_OPTS_OPTSNR]; /* opts */ - u_int8_t optsnr; /* Nr of OPts */ + __u32 hdrlen; /* Header Length */ + __u8 flags; /* */ + __u8 invflags; /* Inverse flags */ + __u16 opts[IP6T_OPTS_OPTSNR]; /* opts */ + __u8 optsnr; /* Nr of OPts */ }; #define IP6T_OPTS_LEN 0x01 diff --git a/include/linux/netfilter_ipv6/ip6t_rt.h b/include/linux/netfilter_ipv6/ip6t_rt.h index ab91bfd2..7605a5ff 100644 --- a/include/linux/netfilter_ipv6/ip6t_rt.h +++ b/include/linux/netfilter_ipv6/ip6t_rt.h @@ -1,18 +1,19 @@ #ifndef _IP6T_RT_H #define _IP6T_RT_H +#include <linux/types.h> /*#include <linux/in6.h>*/ #define IP6T_RT_HOPS 16 struct ip6t_rt { - u_int32_t rt_type; /* Routing Type */ - u_int32_t segsleft[2]; /* Segments Left */ - u_int32_t hdrlen; /* Header Length */ - u_int8_t flags; /* */ - u_int8_t invflags; /* Inverse flags */ + __u32 rt_type; /* Routing Type */ + __u32 segsleft[2]; /* Segments Left */ + __u32 hdrlen; /* Header Length */ + __u8 flags; /* */ + __u8 invflags; /* Inverse flags */ struct in6_addr addrs[IP6T_RT_HOPS]; /* Hops */ - u_int8_t addrnr; /* Nr of Addresses */ + __u8 addrnr; /* Nr of Addresses */ }; #define IP6T_RT_TYP 0x01 diff --git a/include/linux/types.h b/include/linux/types.h index 8b483c80..630cd3bb 100644 --- a/include/linux/types.h +++ b/include/linux/types.h @@ -34,5 +34,18 @@ typedef __u64 __bitwise __be64; typedef __u16 __bitwise __sum16; typedef __u32 __bitwise __wsum; +/* + * aligned_u64 should be used in defining kernel<->userspace ABIs to avoid + * common 32/64-bit compat problems. + * 64-bit values align to 4-byte boundaries on x86_32 (and possibly other + * architectures) and to 8-byte boundaries on 64-bit architetures. The new + * aligned_64 type enforces 8-byte alignment so that structs containing + * aligned_64 values have the same alignment on 32-bit and 64-bit architectures. + * No conversions are necessary between 32-bit user-space and a 64-bit kernel. + */ +#define __aligned_u64 __u64 __attribute__((aligned(8))) +#define __aligned_be64 __be64 __attribute__((aligned(8))) +#define __aligned_le64 __le64 __attribute__((aligned(8))) + #endif /* __ASSEMBLY__ */ #endif /* _LINUX_TYPES_H */ diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c index 1487504b..92bdc302 100644 --- a/iptables/ip6tables-restore.c +++ b/iptables/ip6tables-restore.c @@ -56,9 +56,9 @@ static void print_usage(const char *name, const char *version) exit(1); } -static struct ip6tc_handle *create_handle(const char *tablename) +static struct xtc_handle *create_handle(const char *tablename) { - struct ip6tc_handle *handle; + struct xtc_handle *handle; handle = ip6tc_init(tablename); @@ -77,7 +77,7 @@ static struct ip6tc_handle *create_handle(const char *tablename) return handle; } -static int parse_counters(char *string, struct ip6t_counters *ctr) +static int parse_counters(char *string, struct xt_counters *ctr) { unsigned long long pcnt, bcnt; int ret; @@ -116,13 +116,14 @@ static void free_argv(void) { int ip6tables_restore_main(int argc, char *argv[]) { - struct ip6tc_handle *handle = NULL; + struct xtc_handle *handle = NULL; char buffer[10240]; int c; - char curtable[IP6T_TABLE_MAXNAMELEN + 1]; + char curtable[XT_TABLE_MAXNAMELEN + 1]; FILE *in; int in_table = 0, testing = 0; const char *tablename = NULL; + const struct xtc_ops *ops = &ip6tc_ops; line = 0; @@ -197,8 +198,8 @@ int ip6tables_restore_main(int argc, char *argv[]) } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) { if (!testing) { DEBUGP("Calling commit\n"); - ret = ip6tc_commit(handle); - ip6tc_free(handle); + ret = ops->commit(handle); + ops->free(handle); handle = NULL; } else { DEBUGP("Not calling commit, testing\n"); @@ -214,17 +215,16 @@ int ip6tables_restore_main(int argc, char *argv[]) if (!table) { xtables_error(PARAMETER_PROBLEM, "%s: line %u table name invalid\n", - ip6tables_globals.program_name, - line); + xt_params->program_name, line); exit(1); } - strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN); - curtable[IP6T_TABLE_MAXNAMELEN] = '\0'; + strncpy(curtable, table, XT_TABLE_MAXNAMELEN); + curtable[XT_TABLE_MAXNAMELEN] = '\0'; if (tablename != NULL && strcmp(tablename, table) != 0) continue; if (handle) - ip6tc_free(handle); + ops->free(handle); handle = create_handle(table); if (noflush == 0) { @@ -251,8 +251,7 @@ int ip6tables_restore_main(int argc, char *argv[]) if (!chain) { xtables_error(PARAMETER_PROBLEM, "%s: line %u chain name invalid\n", - ip6tables_globals.program_name, - line); + xt_params->program_name, line); exit(1); } @@ -262,17 +261,17 @@ int ip6tables_restore_main(int argc, char *argv[]) "(%u chars max)", chain, XT_EXTENSION_MAXNAMELEN - 1); - if (ip6tc_builtin(chain, handle) <= 0) { - if (noflush && ip6tc_is_chain(chain, handle)) { + if (ops->builtin(chain, handle) <= 0) { + if (noflush && ops->is_chain(chain, handle)) { DEBUGP("Flushing existing user defined chain '%s'\n", chain); - if (!ip6tc_flush_entries(chain, handle)) + if (!ops->flush_entries(chain, handle)) xtables_error(PARAMETER_PROBLEM, "error flushing chain " "'%s':%s\n", chain, strerror(errno)); } else { DEBUGP("Creating new chain '%s'\n", chain); - if (!ip6tc_create_chain(chain, handle)) + if (!ops->create_chain(chain, handle)) xtables_error(PARAMETER_PROBLEM, "error creating chain " "'%s':%s\n", chain, @@ -285,13 +284,12 @@ int ip6tables_restore_main(int argc, char *argv[]) if (!policy) { xtables_error(PARAMETER_PROBLEM, "%s: line %u policy invalid\n", - ip6tables_globals.program_name, - line); + xt_params->program_name, line); exit(1); } if (strcmp(policy, "-") != 0) { - struct ip6t_counters count; + struct xt_counters count; if (counters) { char *ctrs; @@ -303,20 +301,19 @@ int ip6tables_restore_main(int argc, char *argv[]) "for chain '%s'\n", chain); } else { - memset(&count, 0, - sizeof(struct ip6t_counters)); + memset(&count, 0, sizeof(count)); } DEBUGP("Setting policy of chain %s to %s\n", chain, policy); - if (!ip6tc_set_policy(chain, policy, &count, + if (!ops->set_policy(chain, policy, &count, handle)) xtables_error(OTHER_PROBLEM, "Can't set policy `%s'" " on `%s' line %u: %s\n", policy, chain, line, - ip6tc_strerror(errno)); + ops->strerror(errno)); } ret = 1; @@ -453,15 +450,13 @@ int ip6tables_restore_main(int argc, char *argv[]) continue; if (!ret) { fprintf(stderr, "%s: line %u failed\n", - ip6tables_globals.program_name, - line); + xt_params->program_name, line); exit(1); } } if (in_table) { fprintf(stderr, "%s: COMMIT expected at line %u\n", - ip6tables_globals.program_name, - line + 1); + xt_params->program_name, line + 1); exit(1); } diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c index ad0e70f0..d819b30b 100644 --- a/iptables/ip6tables-save.c +++ b/iptables/ip6tables-save.c @@ -22,10 +22,9 @@ #include <dlfcn.h> #endif -static int show_binary = 0, show_counters = 0; +static int show_counters = 0; static const struct option options[] = { - {.name = "binary", .has_arg = false, .val = 'b'}, {.name = "counters", .has_arg = false, .val = 'c'}, {.name = "dump", .has_arg = false, .val = 'd'}, {.name = "table", .has_arg = true, .val = 't'}, @@ -39,7 +38,7 @@ static int for_each_table(int (*func)(const char *tablename)) { int ret = 1; FILE *procfile = NULL; - char tablename[IP6T_TABLE_MAXNAMELEN+1]; + char tablename[XT_TABLE_MAXNAMELEN+1]; procfile = fopen("/proc/net/ip6_tables_names", "re"); if (!procfile) @@ -61,7 +60,7 @@ static int for_each_table(int (*func)(const char *tablename)) static int do_output(const char *tablename) { - struct ip6tc_handle *h; + struct xtc_handle *h; const char *chain = NULL; if (!tablename) @@ -76,52 +75,45 @@ static int do_output(const char *tablename) xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n", ip6tc_strerror(errno)); - if (!show_binary) { - time_t now = time(NULL); - - printf("# Generated by ip6tables-save v%s on %s", - IPTABLES_VERSION, ctime(&now)); - printf("*%s\n", tablename); - - /* Dump out chain names first, - * thereby preventing dependency conflicts */ - for (chain = ip6tc_first_chain(h); - chain; - chain = ip6tc_next_chain(h)) { - - printf(":%s ", chain); - if (ip6tc_builtin(chain, h)) { - struct ip6t_counters count; - printf("%s ", - ip6tc_get_policy(chain, &count, h)); - printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); - } else { - printf("- [0:0]\n"); - } + time_t now = time(NULL); + + printf("# Generated by ip6tables-save v%s on %s", + IPTABLES_VERSION, ctime(&now)); + printf("*%s\n", tablename); + + /* Dump out chain names first, + * thereby preventing dependency conflicts */ + for (chain = ip6tc_first_chain(h); + chain; + chain = ip6tc_next_chain(h)) { + + printf(":%s ", chain); + if (ip6tc_builtin(chain, h)) { + struct xt_counters count; + printf("%s ", + ip6tc_get_policy(chain, &count, h)); + printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); + } else { + printf("- [0:0]\n"); } + } + for (chain = ip6tc_first_chain(h); + chain; + chain = ip6tc_next_chain(h)) { + const struct ip6t_entry *e; - for (chain = ip6tc_first_chain(h); - chain; - chain = ip6tc_next_chain(h)) { - const struct ip6t_entry *e; - - /* Dump out rules */ - e = ip6tc_first_rule(chain, h); - while(e) { - print_rule6(e, h, chain, show_counters); - e = ip6tc_next_rule(e, h); - } + /* Dump out rules */ + e = ip6tc_first_rule(chain, h); + while(e) { + print_rule6(e, h, chain, show_counters); + e = ip6tc_next_rule(e, h); } - - now = time(NULL); - printf("COMMIT\n"); - printf("# Completed on %s", ctime(&now)); - } else { - /* Binary, huh? OK. */ - xtables_error(OTHER_PROBLEM, "Binary NYI\n"); } + now = time(NULL); + printf("COMMIT\n"); + printf("# Completed on %s", ctime(&now)); ip6tc_free(h); return 1; @@ -151,10 +143,6 @@ int ip6tables_save_main(int argc, char *argv[]) while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) { switch (c) { - case 'b': - show_binary = 1; - break; - case 'c': show_counters = 1; break; diff --git a/iptables/ip6tables-standalone.c b/iptables/ip6tables-standalone.c index 6b829353..21b58116 100644 --- a/iptables/ip6tables-standalone.c +++ b/iptables/ip6tables-standalone.c @@ -42,7 +42,7 @@ ip6tables_main(int argc, char *argv[]) { int ret; char *table = "filter"; - struct ip6tc_handle *handle = NULL; + struct xtc_handle *handle = NULL; ip6tables_globals.program_name = "ip6tables"; ret = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 04e5224f..b191d5df 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -172,7 +172,7 @@ static const unsigned int inverse_for_options[NUMBER_OF_OPT] = /* -n */ 0, /* -s */ IP6T_INV_SRCIP, /* -d */ IP6T_INV_DSTIP, -/* -p */ IP6T_INV_PROTO, +/* -p */ XT_INV_PROTO, /* -j */ 0, /* -v */ 0, /* -x */ 0, @@ -469,9 +469,9 @@ print_num(uint64_t number, unsigned int format) static void -print_header(unsigned int format, const char *chain, struct ip6tc_handle *handle) +print_header(unsigned int format, const char *chain, struct xtc_handle *handle) { - struct ip6t_counters counters; + struct xt_counters counters; const char *pol = ip6tc_get_policy(chain, &counters, handle); printf("Chain %s", chain); if (pol) { @@ -519,7 +519,7 @@ print_header(unsigned int format, const char *chain, struct ip6tc_handle *handle static int -print_match(const struct ip6t_entry_match *m, +print_match(const struct xt_entry_match *m, const struct ip6t_ip6 *ip, int numeric) { @@ -545,16 +545,16 @@ print_firewall(const struct ip6t_entry *fw, const char *targname, unsigned int num, unsigned int format, - struct ip6tc_handle *const handle) + struct xtc_handle *const handle) { const struct xtables_target *target = NULL; - const struct ip6t_entry_target *t; + const struct xt_entry_target *t; char buf[BUFSIZ]; if (!ip6tc_is_chain(targname, handle)) target = xtables_find_target(targname, XTF_TRY_LOAD); else - target = xtables_find_target(IP6T_STANDARD_TARGET, + target = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED); t = ip6t_get_target((struct ip6t_entry *)fw); @@ -570,7 +570,7 @@ print_firewall(const struct ip6t_entry *fw, if (!(format & FMT_NOTARGET)) printf(FMT("%-9s ", "%s "), targname); - fputc(fw->ipv6.invflags & IP6T_INV_PROTO ? '!' : ' ', stdout); + fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout); { const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC); if (pname) @@ -667,16 +667,16 @@ print_firewall(const struct ip6t_entry *fw, static void print_firewall_line(const struct ip6t_entry *fw, - struct ip6tc_handle *const h) + struct xtc_handle *const h) { - struct ip6t_entry_target *t; + struct xt_entry_target *t; t = ip6t_get_target((struct ip6t_entry *)fw); print_firewall(fw, t->u.user.name, 0, FMT_PRINT_RULE, h); } static int -append_entry(const ip6t_chainlabel chain, +append_entry(const xt_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], @@ -685,7 +685,7 @@ append_entry(const ip6t_chainlabel chain, const struct in6_addr daddrs[], const struct in6_addr dmasks[], int verbose, - struct ip6tc_handle *handle) + struct xtc_handle *handle) { unsigned int i, j; int ret = 1; @@ -706,13 +706,13 @@ append_entry(const ip6t_chainlabel chain, } static int -replace_entry(const ip6t_chainlabel chain, +replace_entry(const xt_chainlabel chain, struct ip6t_entry *fw, unsigned int rulenum, const struct in6_addr *saddr, const struct in6_addr *smask, const struct in6_addr *daddr, const struct in6_addr *dmask, int verbose, - struct ip6tc_handle *handle) + struct xtc_handle *handle) { fw->ipv6.src = *saddr; fw->ipv6.dst = *daddr; @@ -725,7 +725,7 @@ replace_entry(const ip6t_chainlabel chain, } static int -insert_entry(const ip6t_chainlabel chain, +insert_entry(const xt_chainlabel chain, struct ip6t_entry *fw, unsigned int rulenum, unsigned int nsaddrs, @@ -735,7 +735,7 @@ insert_entry(const ip6t_chainlabel chain, const struct in6_addr daddrs[], const struct in6_addr dmasks[], int verbose, - struct ip6tc_handle *handle) + struct xtc_handle *handle) { unsigned int i, j; int ret = 1; @@ -766,10 +766,10 @@ make_delete_mask(const struct xtables_rule_match *matches, size = sizeof(struct ip6t_entry); for (matchp = matches; matchp; matchp = matchp->next) - size += XT_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size; + size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; mask = xtables_calloc(1, size - + XT_ALIGN(sizeof(struct ip6t_entry_target)) + + XT_ALIGN(sizeof(struct xt_entry_target)) + target->size); memset(mask, 0xFF, sizeof(struct ip6t_entry)); @@ -777,20 +777,20 @@ make_delete_mask(const struct xtables_rule_match *matches, for (matchp = matches; matchp; matchp = matchp->next) { memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct ip6t_entry_match)) + XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->userspacesize); - mptr += XT_ALIGN(sizeof(struct ip6t_entry_match)) + matchp->match->size; + mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; } memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct ip6t_entry_target)) + XT_ALIGN(sizeof(struct xt_entry_target)) + target->userspacesize); return mask; } static int -delete_entry(const ip6t_chainlabel chain, +delete_entry(const xt_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], @@ -799,7 +799,7 @@ delete_entry(const ip6t_chainlabel chain, const struct in6_addr daddrs[], const struct in6_addr dmasks[], int verbose, - struct ip6tc_handle *handle, + struct xtc_handle *handle, struct xtables_rule_match *matches, const struct xtables_target *target) { @@ -825,11 +825,11 @@ delete_entry(const ip6t_chainlabel chain, } static int -check_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, +check_entry(const xt_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr *saddrs, const struct in6_addr *smasks, unsigned int ndaddrs, const struct in6_addr *daddrs, const struct in6_addr *dmasks, - bool verbose, struct ip6tc_handle *handle, + bool verbose, struct xtc_handle *handle, struct xtables_rule_match *matches, const struct xtables_target *target) { @@ -855,8 +855,8 @@ check_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, } int -for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), - int verbose, int builtinstoo, struct ip6tc_handle *handle) +for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), + int verbose, int builtinstoo, struct xtc_handle *handle) { int ret = 1; const char *chain; @@ -869,21 +869,21 @@ for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), chain = ip6tc_next_chain(handle); } - chains = xtables_malloc(sizeof(ip6t_chainlabel) * chaincount); + chains = xtables_malloc(sizeof(xt_chainlabel) * chaincount); i = 0; chain = ip6tc_first_chain(handle); while (chain) { - strcpy(chains + i*sizeof(ip6t_chainlabel), chain); + strcpy(chains + i*sizeof(xt_chainlabel), chain); i++; chain = ip6tc_next_chain(handle); } for (i = 0; i < chaincount; i++) { if (!builtinstoo - && ip6tc_builtin(chains + i*sizeof(ip6t_chainlabel), + && ip6tc_builtin(chains + i*sizeof(xt_chainlabel), handle) == 1) continue; - ret &= fn(chains + i*sizeof(ip6t_chainlabel), verbose, handle); + ret &= fn(chains + i*sizeof(xt_chainlabel), verbose, handle); } free(chains); @@ -891,8 +891,8 @@ for_each_chain6(int (*fn)(const ip6t_chainlabel, int, struct ip6tc_handle *), } int -flush_entries6(const ip6t_chainlabel chain, int verbose, - struct ip6tc_handle *handle) +flush_entries6(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle) { if (!chain) return for_each_chain6(flush_entries6, verbose, 1, handle); @@ -903,8 +903,8 @@ flush_entries6(const ip6t_chainlabel chain, int verbose, } static int -zero_entries(const ip6t_chainlabel chain, int verbose, - struct ip6tc_handle *handle) +zero_entries(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle) { if (!chain) return for_each_chain6(zero_entries, verbose, 1, handle); @@ -915,8 +915,8 @@ zero_entries(const ip6t_chainlabel chain, int verbose, } int -delete_chain6(const ip6t_chainlabel chain, int verbose, - struct ip6tc_handle *handle) +delete_chain6(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle) { if (!chain) return for_each_chain6(delete_chain6, verbose, 0, handle); @@ -927,8 +927,8 @@ delete_chain6(const ip6t_chainlabel chain, int verbose, } static int -list_entries(const ip6t_chainlabel chain, int rulenum, int verbose, int numeric, - int expanded, int linenumbers, struct ip6tc_handle *handle) +list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric, + int expanded, int linenumbers, struct xtc_handle *handle) { int found = 0; unsigned int format; @@ -1033,7 +1033,7 @@ static void print_proto(uint16_t proto, int invert) } } -static int print_match_save(const struct ip6t_entry_match *e, +static int print_match_save(const struct xt_entry_match *e, const struct ip6t_ip6 *ip) { const struct xtables_match *match = @@ -1080,9 +1080,9 @@ static void print_ip(const char *prefix, const struct in6_addr *ip, /* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ void print_rule6(const struct ip6t_entry *e, - struct ip6tc_handle *h, const char *chain, int counters) + struct xtc_handle *h, const char *chain, int counters) { - const struct ip6t_entry_target *t; + const struct xt_entry_target *t; const char *target_name; /* print counters for iptables-save */ @@ -1105,7 +1105,7 @@ void print_rule6(const struct ip6t_entry *e, print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask, e->ipv6.invflags & IP6T_INV_VIA_OUT); - print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO); + print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO); #if 0 /* not definied in ipv6 @@ -1153,11 +1153,11 @@ void print_rule6(const struct ip6t_entry *e, if (target->save) target->save(&e->ipv6, t); else { - /* If the target size is greater than ip6t_entry_target + /* If the target size is greater than xt_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != - sizeof(struct ip6t_entry_target)) { + sizeof(struct xt_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); @@ -1169,8 +1169,8 @@ void print_rule6(const struct ip6t_entry *e, } static int -list_rules(const ip6t_chainlabel chain, int rulenum, int counters, - struct ip6tc_handle *handle) +list_rules(const xt_chainlabel chain, int rulenum, int counters, + struct xtc_handle *handle) { const char *this = NULL; int found = 0; @@ -1187,7 +1187,7 @@ list_rules(const ip6t_chainlabel chain, int rulenum, int counters, continue; if (ip6tc_builtin(this, handle)) { - struct ip6t_counters count; + struct xt_counters count; printf("-P %s %s", this, ip6tc_get_policy(this, &count, handle)); if (counters) printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); @@ -1224,7 +1224,7 @@ list_rules(const ip6t_chainlabel chain, int rulenum, int counters, static struct ip6t_entry * generate_entry(const struct ip6t_entry *fw, struct xtables_rule_match *matches, - struct ip6t_entry_target *target) + struct xt_entry_target *target) { unsigned int size; struct xtables_rule_match *matchp; @@ -1282,7 +1282,7 @@ static void command_jump(struct iptables_command_state *cs) if (cs->target == NULL) return; - size = XT_ALIGN(sizeof(struct ip6t_entry_target)) + cs->target->size; + size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size; cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; @@ -1311,7 +1311,7 @@ static void command_match(struct iptables_command_state *cs) "unexpected ! flag before --match"); m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches); - size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size; + size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); @@ -1328,7 +1328,7 @@ static void command_match(struct iptables_command_state *cs) m->extra_opts, &m->option_offset); } -int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **handle) +int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle) { struct iptables_command_state cs; struct ip6t_entry *e = NULL; @@ -1548,12 +1548,12 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand cs.fw6.ipv6.flags |= IP6T_F_PROTO; if (cs.fw6.ipv6.proto == 0 - && (cs.fw6.ipv6.invflags & IP6T_INV_PROTO)) + && (cs.fw6.ipv6.invflags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, "rule would never match protocol"); if (is_exthdr(cs.fw6.ipv6.proto) - && (cs.fw6.ipv6.invflags & IP6T_INV_PROTO) == 0) + && (cs.fw6.ipv6.invflags & XT_INV_PROTO) == 0) fprintf(stderr, "Warning: never matched protocol: %s. " "use extension match instead.\n", @@ -1824,10 +1824,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand || ip6tc_is_chain(cs.jumpto, *handle))) { size_t size; - cs.target = xtables_find_target(IP6T_STANDARD_TARGET, + cs.target = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED); - size = sizeof(struct ip6t_entry_target) + size = sizeof(struct xt_entry_target) + cs.target->size; cs.target->t = xtables_calloc(1, size); cs.target->t->u.target_size = size; diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c index d0bd79a9..6b1c7929 100644 --- a/iptables/iptables-restore.c +++ b/iptables/iptables-restore.c @@ -56,9 +56,9 @@ static void print_usage(const char *name, const char *version) exit(1); } -static struct iptc_handle *create_handle(const char *tablename) +static struct xtc_handle *create_handle(const char *tablename) { - struct iptc_handle *handle; + struct xtc_handle *handle; handle = iptc_init(tablename); @@ -76,7 +76,7 @@ static struct iptc_handle *create_handle(const char *tablename) return handle; } -static int parse_counters(char *string, struct ipt_counters *ctr) +static int parse_counters(char *string, struct xt_counters *ctr) { unsigned long long pcnt, bcnt; int ret; @@ -116,13 +116,14 @@ static void free_argv(void) { int iptables_restore_main(int argc, char *argv[]) { - struct iptc_handle *handle = NULL; + struct xtc_handle *handle = NULL; char buffer[10240]; int c; - char curtable[IPT_TABLE_MAXNAMELEN + 1]; + char curtable[XT_TABLE_MAXNAMELEN + 1]; FILE *in; int in_table = 0, testing = 0; const char *tablename = NULL; + const struct xtc_ops *ops = &iptc_ops; line = 0; @@ -197,8 +198,8 @@ iptables_restore_main(int argc, char *argv[]) } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) { if (!testing) { DEBUGP("Calling commit\n"); - ret = iptc_commit(handle); - iptc_free(handle); + ret = ops->commit(handle); + ops->free(handle); handle = NULL; } else { DEBUGP("Not calling commit, testing\n"); @@ -214,16 +215,16 @@ iptables_restore_main(int argc, char *argv[]) if (!table) { xtables_error(PARAMETER_PROBLEM, "%s: line %u table name invalid\n", - prog_name, line); + xt_params->program_name, line); exit(1); } - strncpy(curtable, table, IPT_TABLE_MAXNAMELEN); - curtable[IPT_TABLE_MAXNAMELEN] = '\0'; + strncpy(curtable, table, XT_TABLE_MAXNAMELEN); + curtable[XT_TABLE_MAXNAMELEN] = '\0'; if (tablename && (strcmp(tablename, table) != 0)) continue; if (handle) - iptc_free(handle); + ops->free(handle); handle = create_handle(table); if (noflush == 0) { @@ -250,7 +251,7 @@ iptables_restore_main(int argc, char *argv[]) if (!chain) { xtables_error(PARAMETER_PROBLEM, "%s: line %u chain name invalid\n", - prog_name, line); + xt_params->program_name, line); exit(1); } @@ -260,17 +261,17 @@ iptables_restore_main(int argc, char *argv[]) "(%u chars max)", chain, XT_EXTENSION_MAXNAMELEN - 1); - if (iptc_builtin(chain, handle) <= 0) { - if (noflush && iptc_is_chain(chain, handle)) { + if (ops->builtin(chain, handle) <= 0) { + if (noflush && ops->is_chain(chain, handle)) { DEBUGP("Flushing existing user defined chain '%s'\n", chain); - if (!iptc_flush_entries(chain, handle)) + if (!ops->flush_entries(chain, handle)) xtables_error(PARAMETER_PROBLEM, "error flushing chain " "'%s':%s\n", chain, strerror(errno)); } else { DEBUGP("Creating new chain '%s'\n", chain); - if (!iptc_create_chain(chain, handle)) + if (!ops->create_chain(chain, handle)) xtables_error(PARAMETER_PROBLEM, "error creating chain " "'%s':%s\n", chain, @@ -283,12 +284,12 @@ iptables_restore_main(int argc, char *argv[]) if (!policy) { xtables_error(PARAMETER_PROBLEM, "%s: line %u policy invalid\n", - prog_name, line); + xt_params->program_name, line); exit(1); } if (strcmp(policy, "-") != 0) { - struct ipt_counters count; + struct xt_counters count; if (counters) { char *ctrs; @@ -300,20 +301,19 @@ iptables_restore_main(int argc, char *argv[]) "for chain '%s'\n", chain); } else { - memset(&count, 0, - sizeof(struct ipt_counters)); + memset(&count, 0, sizeof(count)); } DEBUGP("Setting policy of chain %s to %s\n", chain, policy); - if (!iptc_set_policy(chain, policy, &count, + if (!ops->set_policy(chain, policy, &count, handle)) xtables_error(OTHER_PROBLEM, "Can't set policy `%s'" " on `%s' line %u: %s\n", policy, chain, line, - iptc_strerror(errno)); + ops->strerror(errno)); } ret = 1; @@ -450,13 +450,13 @@ iptables_restore_main(int argc, char *argv[]) continue; if (!ret) { fprintf(stderr, "%s: line %u failed\n", - prog_name, line); + xt_params->program_name, line); exit(1); } } if (in_table) { fprintf(stderr, "%s: COMMIT expected at line %u\n", - prog_name, line + 1); + xt_params->program_name, line + 1); exit(1); } diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c index 73fba12a..e599fcec 100644 --- a/iptables/iptables-save.c +++ b/iptables/iptables-save.c @@ -21,10 +21,9 @@ #include <dlfcn.h> #endif -static int show_binary = 0, show_counters = 0; +static int show_counters = 0; static const struct option options[] = { - {.name = "binary", .has_arg = false, .val = 'b'}, {.name = "counters", .has_arg = false, .val = 'c'}, {.name = "dump", .has_arg = false, .val = 'd'}, {.name = "table", .has_arg = true, .val = 't'}, @@ -37,7 +36,7 @@ static int for_each_table(int (*func)(const char *tablename)) { int ret = 1; FILE *procfile = NULL; - char tablename[IPT_TABLE_MAXNAMELEN+1]; + char tablename[XT_TABLE_MAXNAMELEN+1]; procfile = fopen("/proc/net/ip_tables_names", "re"); if (!procfile) @@ -59,7 +58,7 @@ static int for_each_table(int (*func)(const char *tablename)) static int do_output(const char *tablename) { - struct iptc_handle *h; + struct xtc_handle *h; const char *chain = NULL; if (!tablename) @@ -74,52 +73,45 @@ static int do_output(const char *tablename) xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n", iptc_strerror(errno)); - if (!show_binary) { - time_t now = time(NULL); - - printf("# Generated by iptables-save v%s on %s", - IPTABLES_VERSION, ctime(&now)); - printf("*%s\n", tablename); - - /* Dump out chain names first, - * thereby preventing dependency conflicts */ - for (chain = iptc_first_chain(h); - chain; - chain = iptc_next_chain(h)) { - - printf(":%s ", chain); - if (iptc_builtin(chain, h)) { - struct ipt_counters count; - printf("%s ", - iptc_get_policy(chain, &count, h)); - printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); - } else { - printf("- [0:0]\n"); - } + time_t now = time(NULL); + + printf("# Generated by iptables-save v%s on %s", + IPTABLES_VERSION, ctime(&now)); + printf("*%s\n", tablename); + + /* Dump out chain names first, + * thereby preventing dependency conflicts */ + for (chain = iptc_first_chain(h); + chain; + chain = iptc_next_chain(h)) { + + printf(":%s ", chain); + if (iptc_builtin(chain, h)) { + struct xt_counters count; + printf("%s ", + iptc_get_policy(chain, &count, h)); + printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); + } else { + printf("- [0:0]\n"); } + } + for (chain = iptc_first_chain(h); + chain; + chain = iptc_next_chain(h)) { + const struct ipt_entry *e; - for (chain = iptc_first_chain(h); - chain; - chain = iptc_next_chain(h)) { - const struct ipt_entry *e; - - /* Dump out rules */ - e = iptc_first_rule(chain, h); - while(e) { - print_rule4(e, h, chain, show_counters); - e = iptc_next_rule(e, h); - } + /* Dump out rules */ + e = iptc_first_rule(chain, h); + while(e) { + print_rule4(e, h, chain, show_counters); + e = iptc_next_rule(e, h); } - - now = time(NULL); - printf("COMMIT\n"); - printf("# Completed on %s", ctime(&now)); - } else { - /* Binary, huh? OK. */ - xtables_error(OTHER_PROBLEM, "Binary NYI\n"); } + now = time(NULL); + printf("COMMIT\n"); + printf("# Completed on %s", ctime(&now)); iptc_free(h); return 1; @@ -150,10 +142,6 @@ iptables_save_main(int argc, char *argv[]) while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) { switch (c) { - case 'b': - show_binary = 1; - break; - case 'c': show_counters = 1; break; diff --git a/iptables/iptables-standalone.c b/iptables/iptables-standalone.c index 1ebec33d..683a44a5 100644 --- a/iptables/iptables-standalone.c +++ b/iptables/iptables-standalone.c @@ -43,7 +43,7 @@ iptables_main(int argc, char *argv[]) { int ret; char *table = "filter"; - struct iptc_handle *handle = NULL; + struct xtc_handle *handle = NULL; iptables_globals.program_name = "iptables"; ret = xtables_init_all(&iptables_globals, NFPROTO_IPV4); diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c index 4ecddcb7..4b12bd46 100644 --- a/iptables/iptables-xml.c +++ b/iptables/iptables-xml.c @@ -56,7 +56,7 @@ print_usage(const char *name, const char *version) } static int -parse_counters(char *string, struct ipt_counters *ctr) +parse_counters(char *string, struct xt_counters *ctr) { __u64 *pcnt, *bcnt; @@ -81,16 +81,16 @@ static unsigned int oldargc = 0; /* arg meta data, were they quoted, frinstance */ static int newargvattr[255]; -#define IPT_CHAIN_MAXNAMELEN IPT_TABLE_MAXNAMELEN -static char closeActionTag[IPT_TABLE_MAXNAMELEN + 1]; -static char closeRuleTag[IPT_TABLE_MAXNAMELEN + 1]; -static char curTable[IPT_TABLE_MAXNAMELEN + 1]; -static char curChain[IPT_CHAIN_MAXNAMELEN + 1]; +#define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN +static char closeActionTag[XT_TABLE_MAXNAMELEN + 1]; +static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1]; +static char curTable[XT_TABLE_MAXNAMELEN + 1]; +static char curChain[XT_CHAIN_MAXNAMELEN + 1]; struct chain { char *chain; char *policy; - struct ipt_counters count; + struct xt_counters count; int created; }; @@ -233,12 +233,12 @@ closeChain(void) } static void -openChain(char *chain, char *policy, struct ipt_counters *ctr, char close) +openChain(char *chain, char *policy, struct xt_counters *ctr, char close) { closeChain(); - strncpy(curChain, chain, IPT_CHAIN_MAXNAMELEN); - curChain[IPT_CHAIN_MAXNAMELEN] = '\0'; + strncpy(curChain, chain, XT_CHAIN_MAXNAMELEN); + curChain[XT_CHAIN_MAXNAMELEN] = '\0'; printf(" <chain "); xmlAttrS("name", curChain); @@ -287,7 +287,7 @@ needChain(char *chain) } static void -saveChain(char *chain, char *policy, struct ipt_counters *ctr) +saveChain(char *chain, char *policy, struct xt_counters *ctr) { if (nextChain >= maxChains) { xtables_error(PARAMETER_PROBLEM, @@ -332,8 +332,8 @@ openTable(char *table) { closeTable(); - strncpy(curTable, table, IPT_TABLE_MAXNAMELEN); - curTable[IPT_TABLE_MAXNAMELEN] = '\0'; + strncpy(curTable, table, XT_TABLE_MAXNAMELEN); + curTable[XT_TABLE_MAXNAMELEN] = '\0'; printf(" <table "); xmlAttrS("name", curTable); @@ -592,8 +592,8 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[]) xmlAttrS("byte-count", bcnt); printf(">\n"); - strncpy(closeRuleTag, " </rule>\n", IPT_TABLE_MAXNAMELEN); - closeRuleTag[IPT_TABLE_MAXNAMELEN] = '\0'; + strncpy(closeRuleTag, " </rule>\n", XT_TABLE_MAXNAMELEN); + closeRuleTag[XT_TABLE_MAXNAMELEN] = '\0'; /* no point in writing out condition if there isn't one */ if (argc >= 3 && !isTarget(argv[2])) { @@ -607,8 +607,8 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[]) if (!closeActionTag[0]) { printf(" <actions>\n"); strncpy(closeActionTag, " </actions>\n", - IPT_TABLE_MAXNAMELEN); - closeActionTag[IPT_TABLE_MAXNAMELEN] = '\0'; + XT_TABLE_MAXNAMELEN); + closeActionTag[XT_TABLE_MAXNAMELEN] = '\0'; } do_rule_part(NULL, NULL, 1, argc, argv, argvattr); } @@ -694,7 +694,7 @@ iptables_xml_main(int argc, char *argv[]) } else if ((buffer[0] == ':') && (curTable[0])) { /* New chain. */ char *policy, *chain; - struct ipt_counters count; + struct xt_counters count; char *ctrs; chain = strtok(buffer + 1, " \t\n"); diff --git a/iptables/iptables.c b/iptables/iptables.c index 830ddbcb..03ac63b8 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -171,7 +171,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] = /* -n */ 0, /* -s */ IPT_INV_SRCIP, /* -d */ IPT_INV_DSTIP, -/* -p */ IPT_INV_PROTO, +/* -p */ XT_INV_PROTO, /* -j */ 0, /* -v */ 0, /* -x */ 0, @@ -471,9 +471,9 @@ print_num(uint64_t number, unsigned int format) static void -print_header(unsigned int format, const char *chain, struct iptc_handle *handle) +print_header(unsigned int format, const char *chain, struct xtc_handle *handle) { - struct ipt_counters counters; + struct xt_counters counters; const char *pol = iptc_get_policy(chain, &counters, handle); printf("Chain %s", chain); if (pol) { @@ -521,7 +521,7 @@ print_header(unsigned int format, const char *chain, struct iptc_handle *handle) static int -print_match(const struct ipt_entry_match *m, +print_match(const struct xt_entry_match *m, const struct ipt_ip *ip, int numeric) { @@ -547,17 +547,17 @@ print_firewall(const struct ipt_entry *fw, const char *targname, unsigned int num, unsigned int format, - struct iptc_handle *const handle) + struct xtc_handle *const handle) { const struct xtables_target *target = NULL; - const struct ipt_entry_target *t; + const struct xt_entry_target *t; uint8_t flags; char buf[BUFSIZ]; if (!iptc_is_chain(targname, handle)) target = xtables_find_target(targname, XTF_TRY_LOAD); else - target = xtables_find_target(IPT_STANDARD_TARGET, + target = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED); t = ipt_get_target((struct ipt_entry *)fw); @@ -574,7 +574,7 @@ print_firewall(const struct ipt_entry *fw, if (!(format & FMT_NOTARGET)) printf(FMT("%-9s ", "%s "), targname); - fputc(fw->ip.invflags & IPT_INV_PROTO ? '!' : ' ', stdout); + fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout); { const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC); if (pname) @@ -669,16 +669,16 @@ print_firewall(const struct ipt_entry *fw, static void print_firewall_line(const struct ipt_entry *fw, - struct iptc_handle *const h) + struct xtc_handle *const h) { - struct ipt_entry_target *t; + struct xt_entry_target *t; t = ipt_get_target((struct ipt_entry *)fw); print_firewall(fw, t->u.user.name, 0, FMT_PRINT_RULE, h); } static int -append_entry(const ipt_chainlabel chain, +append_entry(const xt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr saddrs[], @@ -687,7 +687,7 @@ append_entry(const ipt_chainlabel chain, const struct in_addr daddrs[], const struct in_addr dmasks[], int verbose, - struct iptc_handle *handle) + struct xtc_handle *handle) { unsigned int i, j; int ret = 1; @@ -708,13 +708,13 @@ append_entry(const ipt_chainlabel chain, } static int -replace_entry(const ipt_chainlabel chain, +replace_entry(const xt_chainlabel chain, struct ipt_entry *fw, unsigned int rulenum, const struct in_addr *saddr, const struct in_addr *smask, const struct in_addr *daddr, const struct in_addr *dmask, int verbose, - struct iptc_handle *handle) + struct xtc_handle *handle) { fw->ip.src.s_addr = saddr->s_addr; fw->ip.dst.s_addr = daddr->s_addr; @@ -727,7 +727,7 @@ replace_entry(const ipt_chainlabel chain, } static int -insert_entry(const ipt_chainlabel chain, +insert_entry(const xt_chainlabel chain, struct ipt_entry *fw, unsigned int rulenum, unsigned int nsaddrs, @@ -737,7 +737,7 @@ insert_entry(const ipt_chainlabel chain, const struct in_addr daddrs[], const struct in_addr dmasks[], int verbose, - struct iptc_handle *handle) + struct xtc_handle *handle) { unsigned int i, j; int ret = 1; @@ -768,10 +768,10 @@ make_delete_mask(const struct xtables_rule_match *matches, size = sizeof(struct ipt_entry); for (matchp = matches; matchp; matchp = matchp->next) - size += XT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size; + size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; mask = xtables_calloc(1, size - + XT_ALIGN(sizeof(struct ipt_entry_target)) + + XT_ALIGN(sizeof(struct xt_entry_target)) + target->size); memset(mask, 0xFF, sizeof(struct ipt_entry)); @@ -779,20 +779,20 @@ make_delete_mask(const struct xtables_rule_match *matches, for (matchp = matches; matchp; matchp = matchp->next) { memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct ipt_entry_match)) + XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->userspacesize); - mptr += XT_ALIGN(sizeof(struct ipt_entry_match)) + matchp->match->size; + mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; } memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct ipt_entry_target)) + XT_ALIGN(sizeof(struct xt_entry_target)) + target->userspacesize); return mask; } static int -delete_entry(const ipt_chainlabel chain, +delete_entry(const xt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr saddrs[], @@ -801,7 +801,7 @@ delete_entry(const ipt_chainlabel chain, const struct in_addr daddrs[], const struct in_addr dmasks[], int verbose, - struct iptc_handle *handle, + struct xtc_handle *handle, struct xtables_rule_match *matches, const struct xtables_target *target) { @@ -827,11 +827,11 @@ delete_entry(const ipt_chainlabel chain, } static int -check_entry(const ipt_chainlabel chain, struct ipt_entry *fw, +check_entry(const xt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr *saddrs, const struct in_addr *smasks, unsigned int ndaddrs, const struct in_addr *daddrs, const struct in_addr *dmasks, - bool verbose, struct iptc_handle *handle, + bool verbose, struct xtc_handle *handle, struct xtables_rule_match *matches, const struct xtables_target *target) { @@ -857,8 +857,8 @@ check_entry(const ipt_chainlabel chain, struct ipt_entry *fw, } int -for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *), - int verbose, int builtinstoo, struct iptc_handle *handle) +for_each_chain4(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), + int verbose, int builtinstoo, struct xtc_handle *handle) { int ret = 1; const char *chain; @@ -871,21 +871,21 @@ for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *), chain = iptc_next_chain(handle); } - chains = xtables_malloc(sizeof(ipt_chainlabel) * chaincount); + chains = xtables_malloc(sizeof(xt_chainlabel) * chaincount); i = 0; chain = iptc_first_chain(handle); while (chain) { - strcpy(chains + i*sizeof(ipt_chainlabel), chain); + strcpy(chains + i*sizeof(xt_chainlabel), chain); i++; chain = iptc_next_chain(handle); } for (i = 0; i < chaincount; i++) { if (!builtinstoo - && iptc_builtin(chains + i*sizeof(ipt_chainlabel), + && iptc_builtin(chains + i*sizeof(xt_chainlabel), handle) == 1) continue; - ret &= fn(chains + i*sizeof(ipt_chainlabel), verbose, handle); + ret &= fn(chains + i*sizeof(xt_chainlabel), verbose, handle); } free(chains); @@ -893,8 +893,8 @@ for_each_chain4(int (*fn)(const ipt_chainlabel, int, struct iptc_handle *), } int -flush_entries4(const ipt_chainlabel chain, int verbose, - struct iptc_handle *handle) +flush_entries4(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle) { if (!chain) return for_each_chain4(flush_entries4, verbose, 1, handle); @@ -905,8 +905,8 @@ flush_entries4(const ipt_chainlabel chain, int verbose, } static int -zero_entries(const ipt_chainlabel chain, int verbose, - struct iptc_handle *handle) +zero_entries(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle) { if (!chain) return for_each_chain4(zero_entries, verbose, 1, handle); @@ -917,8 +917,8 @@ zero_entries(const ipt_chainlabel chain, int verbose, } int -delete_chain4(const ipt_chainlabel chain, int verbose, - struct iptc_handle *handle) +delete_chain4(const xt_chainlabel chain, int verbose, + struct xtc_handle *handle) { if (!chain) return for_each_chain4(delete_chain4, verbose, 0, handle); @@ -929,8 +929,8 @@ delete_chain4(const ipt_chainlabel chain, int verbose, } static int -list_entries(const ipt_chainlabel chain, int rulenum, int verbose, int numeric, - int expanded, int linenumbers, struct iptc_handle *handle) +list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric, + int expanded, int linenumbers, struct xtc_handle *handle) { int found = 0; unsigned int format; @@ -1041,7 +1041,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask, } } -static int print_match_save(const struct ipt_entry_match *e, +static int print_match_save(const struct xt_entry_match *e, const struct ipt_ip *ip) { const struct xtables_match *match = @@ -1097,9 +1097,9 @@ static void print_ip(const char *prefix, uint32_t ip, /* We want this to be readable, so only print out neccessary fields. * Because that's the kind of world I want to live in. */ void print_rule4(const struct ipt_entry *e, - struct iptc_handle *h, const char *chain, int counters) + struct xtc_handle *h, const char *chain, int counters) { - const struct ipt_entry_target *t; + const struct xt_entry_target *t; const char *target_name; /* print counters for iptables-save */ @@ -1122,7 +1122,7 @@ void print_rule4(const struct ipt_entry *e, print_iface('o', e->ip.outiface, e->ip.outiface_mask, e->ip.invflags & IPT_INV_VIA_OUT); - print_proto(e->ip.proto, e->ip.invflags & IPT_INV_PROTO); + print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO); if (e->ip.flags & IPT_F_FRAG) printf("%s -f", @@ -1161,11 +1161,11 @@ void print_rule4(const struct ipt_entry *e, if (target->save) target->save(&e->ip, t); else { - /* If the target size is greater than ipt_entry_target + /* If the target size is greater than xt_entry_target * there is something to be saved, we just don't know * how to print it */ if (t->u.target_size != - sizeof(struct ipt_entry_target)) { + sizeof(struct xt_entry_target)) { fprintf(stderr, "Target `%s' is missing " "save function\n", t->u.user.name); @@ -1177,8 +1177,8 @@ void print_rule4(const struct ipt_entry *e, } static int -list_rules(const ipt_chainlabel chain, int rulenum, int counters, - struct iptc_handle *handle) +list_rules(const xt_chainlabel chain, int rulenum, int counters, + struct xtc_handle *handle) { const char *this = NULL; int found = 0; @@ -1195,7 +1195,7 @@ list_rules(const ipt_chainlabel chain, int rulenum, int counters, continue; if (iptc_builtin(this, handle)) { - struct ipt_counters count; + struct xt_counters count; printf("-P %s %s", this, iptc_get_policy(this, &count, handle)); if (counters) printf(" -c %llu %llu", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); @@ -1232,7 +1232,7 @@ list_rules(const ipt_chainlabel chain, int rulenum, int counters, static struct ipt_entry * generate_entry(const struct ipt_entry *fw, struct xtables_rule_match *matches, - struct ipt_entry_target *target) + struct xt_entry_target *target) { unsigned int size; struct xtables_rule_match *matchp; @@ -1290,7 +1290,7 @@ static void command_jump(struct iptables_command_state *cs) if (cs->target == NULL) return; - size = XT_ALIGN(sizeof(struct ipt_entry_target)) + size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size; cs->target->t = xtables_calloc(1, size); @@ -1321,7 +1321,7 @@ static void command_match(struct iptables_command_state *cs) "unexpected ! flag before --match"); m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches); - size = XT_ALIGN(sizeof(struct ipt_entry_match)) + m->size; + size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); @@ -1340,7 +1340,7 @@ static void command_match(struct iptables_command_state *cs) xtables_error(OTHER_PROBLEM, "can't alloc memory!"); } -int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handle) +int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle) { struct iptables_command_state cs; struct ipt_entry *e = NULL; @@ -1559,7 +1559,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl cs.fw.ip.proto = xtables_parse_protocol(cs.protocol); if (cs.fw.ip.proto == 0 - && (cs.fw.ip.invflags & IPT_INV_PROTO)) + && (cs.fw.ip.invflags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, "rule would never match protocol"); break; @@ -1837,10 +1837,10 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl || iptc_is_chain(cs.jumpto, *handle))) { size_t size; - cs.target = xtables_find_target(IPT_STANDARD_TARGET, + cs.target = xtables_find_target(XT_STANDARD_TARGET, XTF_LOAD_MUST_SUCCEED); - size = sizeof(struct ipt_entry_target) + size = sizeof(struct xt_entry_target) + cs.target->size; cs.target->t = xtables_calloc(1, size); cs.target->t->u.target_size = size; diff --git a/iptables/xshared.c b/iptables/xshared.c index 79da507d..e61c28c8 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -139,7 +139,7 @@ int command_default(struct iptables_command_state *cs, cs->proto_used = 1; - size = XT_ALIGN(sizeof(struct ip6t_entry_match)) + m->size; + size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am index c170cb21..f789d34e 100644 --- a/libiptc/Makefile.am +++ b/libiptc/Makefile.am @@ -10,6 +10,6 @@ libiptc_la_SOURCES = libiptc_la_LIBADD = libip4tc.la libip6tc.la libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} libip4tc_la_SOURCES = libip4tc.c -libip4tc_la_LDFLAGS = -version-info 0:0:0 +libip4tc_la_LDFLAGS = -version-info 1:0:1 libip6tc_la_SOURCES = libip6tc.c -libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} +libip6tc_la_LDFLAGS = -version-info 1:0:1 ${libiptc_LDFLAGS2} diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c index cf66709e..dd599516 100644 --- a/libiptc/libip4tc.c +++ b/libiptc/libip4tc.c @@ -36,33 +36,27 @@ typedef unsigned int socklen_t; #define HOOK_FORWARD NF_IP_FORWARD #define HOOK_LOCAL_OUT NF_IP_LOCAL_OUT #define HOOK_POST_ROUTING NF_IP_POST_ROUTING -#ifdef NF_IP_DROPPING -#define HOOK_DROPPING NF_IP_DROPPING -#endif -#define STRUCT_ENTRY_TARGET struct ipt_entry_target +#define STRUCT_ENTRY_TARGET struct xt_entry_target #define STRUCT_ENTRY struct ipt_entry -#define STRUCT_ENTRY_MATCH struct ipt_entry_match +#define STRUCT_ENTRY_MATCH struct xt_entry_match #define STRUCT_GETINFO struct ipt_getinfo #define STRUCT_GET_ENTRIES struct ipt_get_entries -#define STRUCT_COUNTERS struct ipt_counters -#define STRUCT_COUNTERS_INFO struct ipt_counters_info -#define STRUCT_STANDARD_TARGET struct ipt_standard_target +#define STRUCT_COUNTERS struct xt_counters +#define STRUCT_COUNTERS_INFO struct xt_counters_info +#define STRUCT_STANDARD_TARGET struct xt_standard_target #define STRUCT_REPLACE struct ipt_replace -#define STRUCT_TC_HANDLE struct iptc_handle -#define xtc_handle iptc_handle - #define ENTRY_ITERATE IPT_ENTRY_ITERATE -#define TABLE_MAXNAMELEN IPT_TABLE_MAXNAMELEN -#define FUNCTION_MAXNAMELEN IPT_FUNCTION_MAXNAMELEN +#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN #define GET_TARGET ipt_get_target -#define ERROR_TARGET IPT_ERROR_TARGET +#define ERROR_TARGET XT_ERROR_TARGET #define NUMHOOKS NF_IP_NUMHOOKS -#define IPT_CHAINLABEL ipt_chainlabel +#define IPT_CHAINLABEL xt_chainlabel #define TC_DUMP_ENTRIES dump_entries #define TC_IS_CHAIN iptc_is_chain @@ -96,6 +90,7 @@ typedef unsigned int socklen_t; #define TC_STRERROR iptc_strerror #define TC_NUM_RULES iptc_num_rules #define TC_GET_RULE iptc_get_rule +#define TC_OPS iptc_ops #define TC_AF AF_INET #define TC_IPPROTO IPPROTO_IP @@ -106,14 +101,14 @@ typedef unsigned int socklen_t; #define SO_GET_ENTRIES IPT_SO_GET_ENTRIES #define SO_GET_VERSION IPT_SO_GET_VERSION -#define STANDARD_TARGET IPT_STANDARD_TARGET +#define STANDARD_TARGET XT_STANDARD_TARGET #define LABEL_RETURN IPTC_LABEL_RETURN #define LABEL_ACCEPT IPTC_LABEL_ACCEPT #define LABEL_DROP IPTC_LABEL_DROP #define LABEL_QUEUE IPTC_LABEL_QUEUE #define ALIGN XT_ALIGN -#define RETURN IPT_RETURN +#define RETURN XT_RETURN #include "libiptc.c" @@ -126,7 +121,7 @@ typedef unsigned int socklen_t; #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n)) static int -dump_entry(struct ipt_entry *e, struct iptc_handle *const handle) +dump_entry(struct ipt_entry *e, struct xtc_handle *const handle) { size_t i; STRUCT_ENTRY_TARGET *t; @@ -166,7 +161,7 @@ dump_entry(struct ipt_entry *e, struct iptc_handle *const handle) : "UNKNOWN"); else printf("verdict=%u\n", pos); - } else if (strcmp(t->u.user.name, IPT_ERROR_TARGET) == 0) + } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) printf("error=`%s'\n", t->data); printf("\n"); @@ -209,7 +204,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, unsigned char *matchmask) mptr = matchmask + sizeof(STRUCT_ENTRY); if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr)) return NULL; - mptr += XT_ALIGN(sizeof(struct ipt_entry_target)); + mptr += XT_ALIGN(sizeof(struct xt_entry_target)); return mptr; } @@ -241,7 +236,7 @@ check_match(const STRUCT_ENTRY_MATCH *m, unsigned int *off) static inline int check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, unsigned int user_offset, int *was_return, - struct iptc_handle *h) + struct xtc_handle *h) { unsigned int toff; STRUCT_STANDARD_TARGET *t; @@ -277,14 +272,14 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, idx = iptcb_entry2index(h, te); assert(strcmp(GET_TARGET(te)->u.user.name, - IPT_ERROR_TARGET) + XT_ERROR_TARGET) != 0); assert(te != e); /* Prior node must be error node, or this node. */ assert(t->verdict == iptcb_entry2offset(h, e)+e->next_offset || strcmp(GET_TARGET(index2entry(h, idx-1)) - ->u.user.name, IPT_ERROR_TARGET) + ->u.user.name, XT_ERROR_TARGET) == 0); } @@ -294,7 +289,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, *was_return = 1; else *was_return = 0; - } else if (strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0) { + } else if (strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0) { assert(t->target.u.target_size == ALIGN(sizeof(struct ipt_error_target))); @@ -307,7 +302,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, else *was_return = 0; if (*off == user_offset) - assert(strcmp(t->target.u.user.name, IPT_ERROR_TARGET) == 0); + assert(strcmp(t->target.u.user.name, XT_ERROR_TARGET) == 0); (*off) += e->next_offset; (*i)++; @@ -317,7 +312,7 @@ check_entry(const STRUCT_ENTRY *e, unsigned int *i, unsigned int *off, #ifdef IPTC_DEBUG /* Do every conceivable sanity check on the handle */ static void -do_check(struct iptc_handle *h, unsigned int line) +do_check(struct xtc_handle *h, unsigned int line) { unsigned int i, n; unsigned int user_offset; /* Offset of first user chain */ @@ -426,15 +421,6 @@ do_check(struct iptc_handle *h, unsigned int line) assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n); user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT]; - -#ifdef NF_IP_DROPPING - } else if (strcmp(h->info.name, "drop") == 0) { - assert(h->info.valid_hooks == (1 << NF_IP_DROPPING)); - - /* Hook should be first */ - assert(h->info.hook_entry[NF_IP_DROPPING] == 0); - user_offset = 0; -#endif } else { fprintf(stderr, "Unknown table `%s'\n", h->info.name); abort(); diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c index 0f8a889d..7128e1cf 100644 --- a/libiptc/libip6tc.c +++ b/libiptc/libip6tc.c @@ -35,29 +35,26 @@ typedef unsigned int socklen_t; #define HOOK_LOCAL_OUT NF_IP6_LOCAL_OUT #define HOOK_POST_ROUTING NF_IP6_POST_ROUTING -#define STRUCT_ENTRY_TARGET struct ip6t_entry_target +#define STRUCT_ENTRY_TARGET struct xt_entry_target #define STRUCT_ENTRY struct ip6t_entry -#define STRUCT_ENTRY_MATCH struct ip6t_entry_match +#define STRUCT_ENTRY_MATCH struct xt_entry_match #define STRUCT_GETINFO struct ip6t_getinfo #define STRUCT_GET_ENTRIES struct ip6t_get_entries -#define STRUCT_COUNTERS struct ip6t_counters -#define STRUCT_COUNTERS_INFO struct ip6t_counters_info -#define STRUCT_STANDARD_TARGET struct ip6t_standard_target +#define STRUCT_COUNTERS struct xt_counters +#define STRUCT_COUNTERS_INFO struct xt_counters_info +#define STRUCT_STANDARD_TARGET struct xt_standard_target #define STRUCT_REPLACE struct ip6t_replace -#define STRUCT_TC_HANDLE struct ip6tc_handle -#define xtc_handle ip6tc_handle - #define ENTRY_ITERATE IP6T_ENTRY_ITERATE -#define TABLE_MAXNAMELEN IP6T_TABLE_MAXNAMELEN -#define FUNCTION_MAXNAMELEN IP6T_FUNCTION_MAXNAMELEN +#define TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN +#define FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN #define GET_TARGET ip6t_get_target -#define ERROR_TARGET IP6T_ERROR_TARGET +#define ERROR_TARGET XT_ERROR_TARGET #define NUMHOOKS NF_IP6_NUMHOOKS -#define IPT_CHAINLABEL ip6t_chainlabel +#define IPT_CHAINLABEL xt_chainlabel #define TC_DUMP_ENTRIES dump_entries6 #define TC_IS_CHAIN ip6tc_is_chain @@ -91,6 +88,7 @@ typedef unsigned int socklen_t; #define TC_STRERROR ip6tc_strerror #define TC_NUM_RULES ip6tc_num_rules #define TC_GET_RULE ip6tc_get_rule +#define TC_OPS ip6tc_ops #define TC_AF AF_INET6 #define TC_IPPROTO IPPROTO_IPV6 @@ -101,14 +99,14 @@ typedef unsigned int socklen_t; #define SO_GET_ENTRIES IP6T_SO_GET_ENTRIES #define SO_GET_VERSION IP6T_SO_GET_VERSION -#define STANDARD_TARGET IP6T_STANDARD_TARGET +#define STANDARD_TARGET XT_STANDARD_TARGET #define LABEL_RETURN IP6TC_LABEL_RETURN #define LABEL_ACCEPT IP6TC_LABEL_ACCEPT #define LABEL_DROP IP6TC_LABEL_DROP #define LABEL_QUEUE IP6TC_LABEL_QUEUE #define ALIGN XT_ALIGN -#define RETURN IP6T_RETURN +#define RETURN XT_RETURN #include "libiptc.c" @@ -131,12 +129,12 @@ ipv6_prefix_length(const struct in6_addr *a) } static int -dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle) +dump_entry(struct ip6t_entry *e, struct xtc_handle *const handle) { size_t i; char buf[40]; int len; - struct ip6t_entry_target *t; + struct xt_entry_target *t; printf("Entry %u (%lu):\n", iptcb_entry2index(handle, e), iptcb_entry2offset(handle, e)); @@ -185,18 +183,18 @@ dump_entry(struct ip6t_entry *e, struct ip6tc_handle *const handle) t = ip6t_get_target(e); printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size); - if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) { + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) { const unsigned char *data = t->data; int pos = *(const int *)data; if (pos < 0) printf("verdict=%s\n", pos == -NF_ACCEPT-1 ? "NF_ACCEPT" : pos == -NF_DROP-1 ? "NF_DROP" - : pos == IP6T_RETURN ? "RETURN" + : pos == XT_RETURN ? "RETURN" : "UNKNOWN"); else printf("verdict=%u\n", pos); - } else if (strcmp(t->u.user.name, IP6T_ERROR_TARGET) == 0) + } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) printf("error=`%s'\n", t->data); printf("\n"); @@ -241,7 +239,7 @@ is_same(const STRUCT_ENTRY *a, const STRUCT_ENTRY *b, mptr = matchmask + sizeof(STRUCT_ENTRY); if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr)) return NULL; - mptr += XT_ALIGN(sizeof(struct ip6t_entry_target)); + mptr += XT_ALIGN(sizeof(struct xt_entry_target)); return mptr; } diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 42d9784a..63fcfc2a 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -33,6 +33,7 @@ #include <sys/socket.h> #include <stdbool.h> #include <xtables.h> +#include <libiptc/xtcshared.h> #include "linux_list.h" @@ -61,18 +62,9 @@ static const char *hooknames[] = { [HOOK_FORWARD] = "FORWARD", [HOOK_LOCAL_OUT] = "OUTPUT", [HOOK_POST_ROUTING] = "POSTROUTING", -#ifdef HOOK_DROPPING - [HOOK_DROPPING] = "DROPPING" -#endif }; /* Convenience structures */ -struct ipt_error_target -{ - STRUCT_ENTRY_TARGET t; - char error[TABLE_MAXNAMELEN]; -}; - struct chain_head; struct rule_head; @@ -130,8 +122,7 @@ struct chain_head unsigned int foot_offset; /* offset in rule blob */ }; -STRUCT_TC_HANDLE -{ +struct xtc_handle { int sockfd; int changed; /* Have changes been made? */ @@ -1092,10 +1083,10 @@ static int parse_table(struct xtc_handle *h) /* Convenience structures */ struct iptcb_chain_start{ STRUCT_ENTRY e; - struct ipt_error_target name; + struct xt_error_target name; }; #define IPTCB_CHAIN_START_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(struct ipt_error_target))) + ALIGN(sizeof(struct xt_error_target))) struct iptcb_chain_foot { STRUCT_ENTRY e; @@ -1106,10 +1097,10 @@ struct iptcb_chain_foot { struct iptcb_chain_error { STRUCT_ENTRY entry; - struct ipt_error_target target; + struct xt_error_target target; }; #define IPTCB_CHAIN_ERROR_SIZE (sizeof(STRUCT_ENTRY) + \ - ALIGN(sizeof(struct ipt_error_target))) + ALIGN(sizeof(struct xt_error_target))) @@ -1152,10 +1143,10 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc head = (void *)repl->entries + c->head_offset; head->e.target_offset = sizeof(STRUCT_ENTRY); head->e.next_offset = IPTCB_CHAIN_START_SIZE; - strcpy(head->name.t.u.user.name, ERROR_TARGET); - head->name.t.u.target_size = - ALIGN(sizeof(struct ipt_error_target)); - strcpy(head->name.error, c->name); + strcpy(head->name.target.u.user.name, ERROR_TARGET); + head->name.target.u.target_size = + ALIGN(sizeof(struct xt_error_target)); + strcpy(head->name.errorname, c->name); } else { repl->hook_entry[c->hooknum-1] = c->head_offset; repl->underflow[c->hooknum-1] = c->foot_offset; @@ -1198,7 +1189,7 @@ static int iptcc_compile_chain_offsets(struct xtc_handle *h, struct chain_head * if (!iptcc_is_builtin(c)) { /* Chain has header */ *offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(struct ipt_error_target)); + + ALIGN(sizeof(struct xt_error_target)); (*num)++; } @@ -1238,7 +1229,7 @@ static int iptcc_compile_table_prep(struct xtc_handle *h, unsigned int *size) /* Append one error rule at end of chain */ num++; offset += sizeof(STRUCT_ENTRY) - + ALIGN(sizeof(struct ipt_error_target)); + + ALIGN(sizeof(struct xt_error_target)); /* ruleset size is now in offset */ *size = offset; @@ -1261,10 +1252,10 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl) error = (void *)repl->entries + repl->size - IPTCB_CHAIN_ERROR_SIZE; error->entry.target_offset = sizeof(STRUCT_ENTRY); error->entry.next_offset = IPTCB_CHAIN_ERROR_SIZE; - error->target.t.u.user.target_size = - ALIGN(sizeof(struct ipt_error_target)); - strcpy((char *)&error->target.t.u.user.name, ERROR_TARGET); - strcpy((char *)&error->target.error, "ERROR"); + error->target.target.u.user.target_size = + ALIGN(sizeof(struct xt_error_target)); + strcpy((char *)&error->target.target.u.user.name, ERROR_TARGET); + strcpy((char *)&error->target.errorname, "ERROR"); return 1; } @@ -1279,7 +1270,7 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) { struct xtc_handle *h; - h = malloc(sizeof(STRUCT_TC_HANDLE)); + h = malloc(sizeof(*h)); if (!h) { errno = ENOMEM; return NULL; @@ -2741,3 +2732,14 @@ TC_STRERROR(int err) return strerror(err); } + +const struct xtc_ops TC_OPS = { + .commit = TC_COMMIT, + .free = TC_FREE, + .builtin = TC_BUILTIN, + .is_chain = TC_IS_CHAIN, + .flush_entries = TC_FLUSH_ENTRIES, + .create_chain = TC_CREATE_CHAIN, + .set_policy = TC_SET_POLICY, + .strerror = TC_STRERROR, +}; |