70 files changed, 228 insertions, 21 deletions
@@ -17,16 +17,16 @@ That's it! ================================================================ FEELING BRAVE? -1) If you want to try some extensions, you can do the following: +1) The netfilter core team is maintaining a set of extensions / new + features which are not yet committed to the mainstream kernel tree. + +If you want to try some extensions, you can do the following: % make patch-o-matic KERNEL_DIR=<<where-your-kernel-is>> -This offers you a collection of maybe-broken maybe-cool third-part +This offers you a collection of maybe-broken maybe-cool third-party extensions. It will modify you kernel source (so back it up first!). - -2) If you want to test out `iptables-save' and `iptables-restore', you -can use - % make experimental - % make install-experimental +Most of them will require you to recompile / rebuild your kernel and +modules. ================================================================ PROBLEMS YOU MAY ENCOUNTER: @@ -42,6 +42,12 @@ PROBLEMS YOU MAY ENCOUNTER: % make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man # make BINDIR=/usr/bin LIBDIR=/usr/lib MANDIR=/usr/man install +4) If you want to build a statically linked version of the iptables binary, + without the need for loading the plugins at runtime (e.g. for an embedded + device or router-on-a-disk), please use + + % make NO_SHARED_LIBS=1 + NOTE: make sure you build with at least the correct LIBDIR= specification, otherwise iptables(8) won't know where to find the dynamic objects. @@ -1,6 +1,9 @@ # Standard part of Makefile for topdir. TOPLEVEL_INCLUDED=YES +# uncomment this to get a fully statically linked version +# NO_SHARED_LIBS = 1 + ifndef KERNEL_DIR KERNEL_DIR=/usr/src/linux endif 
@@ -25,8 +28,24 @@ endif COPT_FLAGS:=-O2 -DNDEBUG CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DNETFILTER_VERSION=\"$(NETFILTER_VERSION)\" #-g #-pg +ifdef NO_SHARED_LIBS +CFLAGS += -DNO_SHARED_LIBS=1 +endif + +ifndef NO_SHARED_LIBS DEPFILES = $(SHARED_LIBS:%.so=%.d) SH_CFLAGS:=$(CFLAGS) -fPIC +STATIC_LIBS = +STATIC6_LIBS = +LDFLAGS = -rdynamic +LDLIBS = -ldl +else +DEPFILES = $(EXT_OBJS:%.o=%.d) +STATIC_LIBS = extensions/libext.a +STATIC6_LIBS = extensions/libext6.a +LDFLAGS = +LDLIBS = +endif EXTRAS+=iptables iptables.o EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8 @@ -72,22 +91,22 @@ pending-patches: iptables.o: iptables.c $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $< -iptables: iptables-standalone.c iptables.o libiptc/libiptc.a - $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl +iptables: iptables-standalone.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a + $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS) $(DESTDIR)$(BINDIR)/iptables: iptables @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) cp $< $@ -iptables-save: iptables-save.c iptables.o libiptc/libiptc.a - $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl +iptables-save: iptables-save.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a + $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS) $(DESTDIR)$(BINDIR)/iptables-save: iptables-save @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) cp $< $@ -iptables-restore: iptables-restore.c iptables.o libiptc/libiptc.a - $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl +iptables-restore: iptables-restore.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a + $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS) $(DESTDIR)$(BINDIR)/iptables-restore: iptables-restore @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) 
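Review bot: In the `@@ -25,8 +28,24 @@` Makefile hunk, `LDFLAGS = -rdynamic` and `LDLIBS = -ldl` put flags the shared build needs into the variables users conventionally override, so `make LDFLAGS=...` removes `-rdynamic` from the link. The plain assignment also discards any LDFLAGS exported by the environment, for example a packager's hardening flags. The plugins presumably resolve the registration functions from the executable, so losing `-rdynamic` would break extension loading at run time; confirm against the loader. I would append instead, `override LDFLAGS += -rdynamic` and `override LDLIBS += -ldl`, and drop the empty `LDFLAGS =` / `LDLIBS =` assignments in the static branch. Separately, `ifdef NO_SHARED_LIBS` is true for any non-empty value, so `NO_SHARED_LIBS=0` still selects the static build; `ifeq ($(strip $(NO_SHARED_LIBS)),1)` would match the documented `make NO_SHARED_LIBS=1`.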
@@ -96,22 +115,22 @@ $(DESTDIR)$(BINDIR)/iptables-restore: iptables-restore ip6tables.o: ip6tables.c $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $< -ip6tables: ip6tables-standalone.c ip6tables.o libiptc/libiptc.a - $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl +ip6tables: ip6tables-standalone.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a + $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ $(LD_LIBS) $(DESTDIR)$(BINDIR)/ip6tables: ip6tables @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) cp $< $@ -ip6tables-save: ip6tables-save.c ip6tables.o libiptc/libiptc.a - $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl +ip6tables-save: ip6tables-save.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a + $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ $(LD_LIBS) $(DESTDIR)$(BINDIR)/ip6tables-save: ip6tables-save @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) cp $< $@ -ip6tables-restore: ip6tables-restore.c ip6tables.o libiptc/libiptc.a - $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ -ldl +ip6tables-restore: ip6tables-restore.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a + $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" -rdynamic -o $@ $^ $(LD_LIBS) $(DESTDIR)$(BINDIR)/ip6tables-restore: ip6tables-restore @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) @@ -7,6 +7,7 @@ experimental: $(EXTRAS_EXP) # Have to handle extensions which no longer exist. clean: $(EXTRA_CLEANS) rm -f $(SHARED_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o) + rm -f extensions/initext.c extensions/initext6.c @find . -name '*.[ao]' -o -name '*.so' | xargs rm -f install: all $(EXTRA_INSTALLS) diff --git a/extensions/Makefile b/extensions/Makefile index d7b61733..e420aeb7 100644 --- a/extensions/Makefile +++ b/extensions/Makefile 
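Review bot: The three ip6tables link rules in the `@@ -96,22 +115,22 @@` hunk use `$(LD_LIBS)`, but the variable defined earlier in this commit is `LDLIBS`, so the reference expands to nothing and the shared build of ip6tables, ip6tables-save and ip6tables-restore loses `-ldl`. The shared-library path of ip6tables.c visibly calls `dlerror()`, so that link is likely to fail or to depend on libdl arriving implicitly. These rules also keep `-rdynamic` hard-coded where the IPv4 rules switched to `$(LDFLAGS)`, so the static build still gets it. Each recipe should mirror the IPv4 one: `$(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)`.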
@@ -16,6 +16,7 @@ PF6_EXT_SLIB+=$(PF6_EXT_SLIB_OPTS) OPTIONALS+=$(patsubst %,IPv4:%,$(PF_EXT_SLIB_OPTS)) OPTIONALS+=$(patsubst %,IPv6:%,$(PF6_EXT_SLIB_OPTS)) +ifndef NO_SHARED_LIBS SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so) EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so) @@ -23,12 +24,57 @@ ifdef DO_IPV6 SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so) EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so) endif +else # NO_SHARED_LIBS +EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o) +EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T)) +EXT_OBJS+= extensions/initext.o +EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o) +EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T)) +EXT6_OBJS+= extensions/initext6.o +endif ifndef TOPLEVEL_INCLUDED local: cd .. && $(MAKE) $(SHARED_LIBS) endif +ifdef NO_SHARED_LIBS +extensions/libext.a: $(EXT_OBJS) + rm -f $@; ar crv $@ $(EXT_OBJS) + +extensions/libext6.a: $(EXT6_OBJS) + rm -f $@; ar crv $@ $(EXT6_OBJS) + +extensions/initext.o: extensions/initext.c +extensions/initext6.o: extensions/initext6.c + +extensions/initext.c: extensions/Makefile + echo "" > $@ + for i in $(EXT_FUNC); do \ + echo "extern void $${i}_init(void);" >> $@; \ + done + echo "void init_extensions(void) {" >> $@ + for i in $(EXT_FUNC); do \ + echo " $${i}_init();" >> $@; \ + done + echo "}" >> $@ + +extensions/initext6.c: extensions/Makefile + echo "" > $@ + for i in $(EXT6_FUNC); do \ + echo "extern void $${i}_init(void);" >> $@; \ + done + echo "void init_extensions(void) {" >> $@ + for i in $(EXT6_FUNC); do \ + echo " $${i}_init();" >> $@; \ + done + echo "}" >> $@ + +extensions/lib%.o: extensions/lib%.c + $(CC) $(CFLAGS) -D_INIT=$*_init -c -o $@ $< + +endif + $(DESTDIR)$(LIBDIR)/iptables/libipt_%.so: extensions/libipt_%.so @[ -d $(DESTDIR)$(LIBDIR)/iptables ] || mkdir -p $(DESTDIR)$(LIBDIR)/iptables cp $< $@ 
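Review bot: In the `@@ -23,12 +24,57 @@` hunk, `extensions/initext.c` and `extensions/initext6.c` are regenerated only when extensions/Makefile changes, yet their content comes from `$(EXT_FUNC)` / `$(EXT6_FUNC)`, which are derived from `PF_EXT_SLIB` and the optional-extension lists. If those lists change without the Makefile being edited (how the `_OPTS` lists are computed is outside this hunk, so confirm), the static binary is linked against a stale init table and either fails to link or ships without an extension the rule set may rely on. The recipe also appends to `$@` line by line, so an interrupted run leaves a partial file that is newer than its prerequisite. I would always run the generator, write to a temporary name, and replace the target only when the content differs, as sketched below for the IPv4 file; the `rm -f $@; ar crv` archive recipes should also chain with `&&`.

```make
# … unchanged: extensions/libext.a and extensions/libext6.a archive rules …
extensions/initext.c: extensions/Makefile FORCE
	{ echo ""; \
	  for i in $(EXT_FUNC); do echo "extern void $${i}_init(void);"; done; \
	  echo "void init_extensions(void) {"; \
	  for i in $(EXT_FUNC); do echo "	$${i}_init();"; done; \
	  echo "}"; } > $@.tmp
	cmp -s $@.tmp $@ && rm -f $@.tmp || mv -f $@.tmp $@

FORCE:
# … extensions/initext6.c: same recipe with $(EXT6_FUNC) …
```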
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c index 68003150..ef39c98d 100644 --- a/extensions/libip6t_LOG.c +++ b/extensions/libip6t_LOG.c @@ -239,6 +239,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) printf("--log-ip-options "); } +static struct ip6tables_target log = { NULL, "LOG", diff --git a/extensions/libip6t_MARK.c b/extensions/libip6t_MARK.c index efbb4ec0..6d2b1031 100644 --- a/extensions/libip6t_MARK.c +++ b/extensions/libip6t_MARK.c @@ -100,6 +100,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target) printf("--set-mark 0x%lx ", markinfo->mark); } +static struct ip6tables_target mark = { NULL, "MARK", diff --git a/extensions/libip6t_agr.c b/extensions/libip6t_agr.c index 676f9e6c..888fc2c9 100644 --- a/extensions/libip6t_agr.c +++ b/extensions/libip6t_agr.c @@ -65,6 +65,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match /* printf("--agr "); */ } +static struct ip6tables_match agr = { NULL, "agr", diff --git a/extensions/libip6t_icmpv6.c b/extensions/libip6t_icmpv6.c index 1b801d2d..67302eb5 100644 --- a/extensions/libip6t_icmpv6.c +++ b/extensions/libip6t_icmpv6.c @@ -258,7 +258,7 @@ static void final_check(unsigned int flags) { } -struct ip6tables_match icmpv6 +static struct ip6tables_match icmpv6 = { NULL, "icmpv6", NETFILTER_VERSION, diff --git a/extensions/libip6t_limit.c b/extensions/libip6t_limit.c index cd267ef8..837b0fe2 100644 --- a/extensions/libip6t_limit.c +++ b/extensions/libip6t_limit.c @@ -176,6 +176,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match printf("--limit-burst %u ", r->burst); } +static struct ip6tables_match limit = { NULL, "limit", diff --git a/extensions/libip6t_mac.c b/extensions/libip6t_mac.c index 283c486c..e4c43454 100644 --- a/extensions/libip6t_mac.c +++ b/extensions/libip6t_mac.c 
@@ -124,6 +124,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match ((struct ip6t_mac_info *)match->data)->invert); } +static struct ip6tables_match mac = { NULL, "mac", diff --git a/extensions/libip6t_mark.c b/extensions/libip6t_mark.c index e4ed9323..b344bb63 100644 --- a/extensions/libip6t_mark.c +++ b/extensions/libip6t_mark.c @@ -108,6 +108,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match) ((struct ip6t_mark_info *)match->data)->invert, 0); } +static struct ip6tables_match mark = { NULL, "mark", diff --git a/extensions/libip6t_multiport.c b/extensions/libip6t_multiport.c index d58bbb97..16bbcf8e 100644 --- a/extensions/libip6t_multiport.c +++ b/extensions/libip6t_multiport.c @@ -242,6 +242,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match printf(" "); } +static struct ip6tables_match multiport = { NULL, "multiport", diff --git a/extensions/libip6t_owner.c b/extensions/libip6t_owner.c index 7648d657..4eed2513 100644 --- a/extensions/libip6t_owner.c +++ b/extensions/libip6t_owner.c @@ -199,6 +199,7 @@ save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match) print_item(info, IP6T_OWNER_SID, 0, "--sid-owner "); } +static struct ip6tables_match owner = { NULL, "owner", diff --git a/extensions/libip6t_standard.c b/extensions/libip6t_standard.c index 1ffb1d7a..79414483 100644 --- a/extensions/libip6t_standard.c +++ b/extensions/libip6t_standard.c @@ -47,6 +47,7 @@ save(const struct ip6t_ip6 *ip6, const struct ip6t_entry_target *target) { } +static struct ip6tables_target standard = { NULL, "standard", diff --git a/extensions/libip6t_tcp.c b/extensions/libip6t_tcp.c index dd515f0e..f03f072a 100644 --- a/extensions/libip6t_tcp.c +++ b/extensions/libip6t_tcp.c @@ -420,6 +420,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match } } +static struct ip6tables_match tcp = { NULL, "tcp", 
diff --git a/extensions/libip6t_udp.c b/extensions/libip6t_udp.c index ac036167..441c8147 100644 --- a/extensions/libip6t_udp.c +++ b/extensions/libip6t_udp.c @@ -231,6 +231,7 @@ static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match } } +static struct ip6tables_match udp = { NULL, "udp", diff --git a/extensions/libipt_BALANCE.c b/extensions/libipt_BALANCE.c index abbf1b63..75f4cda8 100644 --- a/extensions/libipt_BALANCE.c +++ b/extensions/libipt_BALANCE.c @@ -131,6 +131,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("-%s ", addr_to_dotted(&a)); } +static struct iptables_target balance = { NULL, "BALANCE", diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c index 8ae9a62b..3e466ae3 100644 --- a/extensions/libipt_DNAT.c +++ b/extensions/libipt_DNAT.c @@ -224,6 +224,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) } } +static struct iptables_target dnat = { NULL, "DNAT", diff --git a/extensions/libipt_FTOS.c b/extensions/libipt_FTOS.c index 48f88ec5..b9a5d696 100644 --- a/extensions/libipt_FTOS.c +++ b/extensions/libipt_FTOS.c @@ -110,6 +110,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--set-ftos 0x%02x ", finfo->ftos); } +static struct iptables_target ftos = { NULL, "FTOS", diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c index 9f41853f..f71f4bf8 100644 --- a/extensions/libipt_LOG.c +++ b/extensions/libipt_LOG.c @@ -239,6 +239,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--log-ip-options "); } +static struct iptables_target log = { NULL, "LOG", diff --git a/extensions/libipt_MARK.c b/extensions/libipt_MARK.c index ef7d7331..6d4c41ea 100644 --- a/extensions/libipt_MARK.c +++ b/extensions/libipt_MARK.c 
@@ -100,6 +100,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--set-mark 0x%lx ", markinfo->mark); } +static struct iptables_target mark = { NULL, "MARK", diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c index 2159016d..0eecba5c 100644 --- a/extensions/libipt_MASQUERADE.c +++ b/extensions/libipt_MASQUERADE.c @@ -146,6 +146,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) } } +static struct iptables_target masq = { NULL, "MASQUERADE", diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c index b4d9a07c..632e9548 100644 --- a/extensions/libipt_MIRROR.c +++ b/extensions/libipt_MIRROR.c @@ -41,6 +41,7 @@ final_check(unsigned int flags) { } +static struct iptables_target mirror = { NULL, "MIRROR", diff --git a/extensions/libipt_NETLINK.c b/extensions/libipt_NETLINK.c index 3faf9289..104e6427 100644 --- a/extensions/libipt_NETLINK.c +++ b/extensions/libipt_NETLINK.c @@ -136,6 +136,7 @@ print(const struct ipt_ip *ip, printf("nlsize %i ", nld->size); } +static struct iptables_target netlink = { NULL, "NETLINK", NETFILTER_VERSION, diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c index 7d5ad04f..947ca8d4 100644 --- a/extensions/libipt_NETMAP.c +++ b/extensions/libipt_NETMAP.c @@ -179,6 +179,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) print(ip, target, 0); } +static struct iptables_target target_module = { NULL, MODULENAME, diff --git a/extensions/libipt_POOL.c b/extensions/libipt_POOL.c index 12d9572d..62697710 100644 --- a/extensions/libipt_POOL.c +++ b/extensions/libipt_POOL.c @@ -130,6 +130,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) } } +static struct iptables_target ipt_pool_target = { NULL, "POOL", diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c index 3119a700..02afacf9 100644 --- a/extensions/libipt_REDIRECT.c +++ b/extensions/libipt_REDIRECT.c 
@@ -147,6 +147,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) } } +static struct iptables_target redir = { NULL, "REDIRECT", diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c index 956805a6..eb813413 100644 --- a/extensions/libipt_REJECT.c +++ b/extensions/libipt_REJECT.c @@ -155,6 +155,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--reject-with %s ", reject_table[i].name); } +static struct iptables_target reject = { NULL, "REJECT", diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c index 84bc3c5b..4e7ef37a 100644 --- a/extensions/libipt_SAME.c +++ b/extensions/libipt_SAME.c @@ -165,6 +165,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--nodst "); } +static struct iptables_target same = { NULL, "SAME", diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c index 83f4ce9e..1af0d5ef 100644 --- a/extensions/libipt_SNAT.c +++ b/extensions/libipt_SNAT.c @@ -224,6 +224,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) } } +static struct iptables_target snat = { NULL, "SNAT", diff --git a/extensions/libipt_TCPMSS.c b/extensions/libipt_TCPMSS.c index d14f0c08..ebc10a79 100644 --- a/extensions/libipt_TCPMSS.c +++ b/extensions/libipt_TCPMSS.c @@ -113,6 +113,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--set-mss %u ", mssinfo->mss); } +static struct iptables_target mss = { NULL, "TCPMSS", diff --git a/extensions/libipt_TOS.c b/extensions/libipt_TOS.c index 9feba060..0e54a08f 100644 --- a/extensions/libipt_TOS.c +++ b/extensions/libipt_TOS.c @@ -14,6 +14,7 @@ struct tosinfo { }; /* TOS names and values. */ +static struct TOS_value { unsigned char TOS; @@ -152,6 +153,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) printf("--set-tos 0x%02x ", tosinfo->tos); } +static struct iptables_target tos = { NULL, "TOS", 
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c index 985b9146..b04289ac 100644 --- a/extensions/libipt_TTL.c +++ b/extensions/libipt_TTL.c @@ -143,6 +143,7 @@ static struct option opts[] = { { 0 } }; +static struct iptables_target TTL = { NULL, "TTL", NETFILTER_VERSION, diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c index 9d4bad87..5de8ee0e 100644 --- a/extensions/libipt_ULOG.c +++ b/extensions/libipt_ULOG.c @@ -187,6 +187,7 @@ print(const struct ipt_ip *ip, printf("queue_threshold %d ", loginfo->qthreshold); } +static struct iptables_target ulog = { NULL, "ULOG", NETFILTER_VERSION, diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c index e779fa53..0473760f 100644 --- a/extensions/libipt_ah.c +++ b/extensions/libipt_ah.c @@ -169,6 +169,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) } +static struct iptables_match ah = { NULL, "ah", diff --git a/extensions/libipt_connlimit.c b/extensions/libipt_connlimit.c index 19928ac2..a11cf140 100644 --- a/extensions/libipt_connlimit.c +++ b/extensions/libipt_connlimit.c @@ -113,6 +113,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) printf("--iplimit-mask %d ",count_bits(info->mask)); } +static static struct iptables_match iplimit = { name: "iplimit", version: NETFILTER_VERSION, diff --git a/extensions/libipt_esp.c b/extensions/libipt_esp.c index d60c2a65..07d25156 100644 --- a/extensions/libipt_esp.c +++ b/extensions/libipt_esp.c @@ -169,6 +169,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) } +static struct iptables_match esp = { NULL, "esp", diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c index a8b6bd13..8d2d85d5 100644 --- a/extensions/libipt_icmp.c +++ b/extensions/libipt_icmp.c @@ -273,6 +273,7 @@ static void final_check(unsigned int flags) { } +static struct iptables_match icmp = { NULL, "icmp", 
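Review bot: In extensions/libipt_connlimit.c the added `static` line lands directly in front of a declaration that already reads `static struct iptables_match iplimit`, producing `static static`. A repeated storage-class specifier violates a C constraint and compilers reject it, so this file should stop building in both the shared and the static configuration. The other extension hunks add `static` where there was none; here the added line should simply be dropped. The initializer continues outside the hunk.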
diff --git a/extensions/libipt_ipv4options.c b/extensions/libipt_ipv4options.c index 89ca9fc9..e99c96c9 100644 --- a/extensions/libipt_ipv4options.c +++ b/extensions/libipt_ipv4options.c @@ -253,6 +253,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) printf(" "); } +static struct iptables_match ipv4options_struct = { NULL, "ipv4options", diff --git a/extensions/libipt_length.c b/extensions/libipt_length.c index ee2af943..00326c4b 100644 --- a/extensions/libipt_length.c +++ b/extensions/libipt_length.c @@ -139,6 +139,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) print_length((struct ipt_length_info *)match->data); } +static struct iptables_match length = { NULL, "length", diff --git a/extensions/libipt_limit.c b/extensions/libipt_limit.c index 9aaf842a..edbc1cbf 100644 --- a/extensions/libipt_limit.c +++ b/extensions/libipt_limit.c @@ -176,6 +176,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) printf("--limit-burst %u ", r->burst); } +static struct iptables_match limit = { NULL, "limit", diff --git a/extensions/libipt_mac.c b/extensions/libipt_mac.c index 6d61d605..1b088a85 100644 --- a/extensions/libipt_mac.c +++ b/extensions/libipt_mac.c @@ -124,6 +124,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ((struct ipt_mac_info *)match->data)->invert); } +static struct iptables_match mac = { NULL, "mac", diff --git a/extensions/libipt_mark.c b/extensions/libipt_mark.c index aced5475..001635a6 100644 --- a/extensions/libipt_mark.c +++ b/extensions/libipt_mark.c @@ -108,6 +108,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ((struct ipt_mark_info *)match->data)->invert, 0); } +static struct iptables_match mark = { NULL, "mark", diff --git a/extensions/libipt_multiport.c b/extensions/libipt_multiport.c index 6eb5bdf0..58cf18ca 100644 --- a/extensions/libipt_multiport.c +++ b/extensions/libipt_multiport.c 
@@ -242,6 +242,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) printf(" "); } +static struct iptables_match multiport = { NULL, "multiport", diff --git a/extensions/libipt_owner.c b/extensions/libipt_owner.c index 233cd0be..953eb59a 100644 --- a/extensions/libipt_owner.c +++ b/extensions/libipt_owner.c @@ -199,6 +199,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) print_item(info, IPT_OWNER_SID, 0, "--sid-owner "); } +static struct iptables_match owner = { NULL, "owner", diff --git a/extensions/libipt_pkttype.c b/extensions/libipt_pkttype.c index f05a2316..04a43db7 100644 --- a/extensions/libipt_pkttype.c +++ b/extensions/libipt_pkttype.c @@ -153,6 +153,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) print_pkttype(info); } +static struct iptables_match pkttype = { NULL, "pkttype", diff --git a/extensions/libipt_pool.c b/extensions/libipt_pool.c index 23e2922d..3fec4634 100644 --- a/extensions/libipt_pool.c +++ b/extensions/libipt_pool.c @@ -122,6 +122,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ip_pool_get_name(buf, sizeof(buf), info->dst, 0)); } +static struct iptables_match pool = { NULL, "pool", diff --git a/extensions/libipt_psd.c b/extensions/libipt_psd.c index d5bb87e8..21b9fb88 100644 --- a/extensions/libipt_psd.c +++ b/extensions/libipt_psd.c @@ -174,6 +174,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) printf("--psd-hi-ports-weight %u ",psdinfo->hi_ports_weight); } +static struct iptables_match psd = { NULL, "psd", diff --git a/extensions/libipt_record_rpc.c b/extensions/libipt_record_rpc.c index f0c86bae..c40df402 100644 --- a/extensions/libipt_record_rpc.c +++ b/extensions/libipt_record_rpc.c @@ -52,6 +52,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) { } +static struct iptables_match record_rpc = { NULL, "record_rpc", 
diff --git a/extensions/libipt_standard.c b/extensions/libipt_standard.c index 22db24ba..c5faf189 100644 --- a/extensions/libipt_standard.c +++ b/extensions/libipt_standard.c @@ -47,6 +47,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target) { } +static struct iptables_target standard = { NULL, "standard", diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c index d21ccf16..25bc2a2c 100644 --- a/extensions/libipt_state.c +++ b/extensions/libipt_state.c @@ -142,6 +142,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) print_state(sinfo->statemask); } +static struct iptables_match state = { NULL, "state", diff --git a/extensions/libipt_string.c b/extensions/libipt_string.c index 279f9be1..b9f38d7a 100644 --- a/extensions/libipt_string.c +++ b/extensions/libipt_string.c @@ -113,6 +113,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ((struct ipt_string_info *)match->data)->invert, 0); } +static struct iptables_match string = { NULL, "string", diff --git a/extensions/libipt_tcp.c b/extensions/libipt_tcp.c index 1b0a37a3..7f172529 100644 --- a/extensions/libipt_tcp.c +++ b/extensions/libipt_tcp.c @@ -423,6 +423,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) } } +static struct iptables_match tcp = { NULL, "tcp", diff --git a/extensions/libipt_tcpmss.c b/extensions/libipt_tcpmss.c index 6cf4211f..92e05392 100644 --- a/extensions/libipt_tcpmss.c +++ b/extensions/libipt_tcpmss.c @@ -140,6 +140,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) mssinfo->invert, 0); } +static struct iptables_match tcpmss = { NULL, "tcpmss", diff --git a/extensions/libipt_time.c b/extensions/libipt_time.c index 10b37885..9d1e5597 100644 --- a/extensions/libipt_time.c +++ b/extensions/libipt_time.c 
@@ -288,6 +288,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) printf(" "); } +static struct iptables_match timestruct = { NULL, "time", diff --git a/extensions/libipt_tos.c b/extensions/libipt_tos.c index f1d3b2a6..a1ef4e6e 100644 --- a/extensions/libipt_tos.c +++ b/extensions/libipt_tos.c @@ -9,6 +9,7 @@ #include <linux/netfilter_ipv4/ipt_tos.h> /* TOS names and values. */ +static struct TOS_value { unsigned char TOS; @@ -151,6 +152,7 @@ save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ((struct ipt_tos_info *)match->data)->invert, 0); } +static struct iptables_match tos = { NULL, "tos", diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c index 060b2409..f1ca31c4 100644 --- a/extensions/libipt_ttl.c +++ b/extensions/libipt_ttl.c @@ -155,6 +155,7 @@ static struct option opts[] = { { 0 } }; +static struct iptables_match ttl = { NULL, "ttl", diff --git a/extensions/libipt_udp.c b/extensions/libipt_udp.c index 9b18d18b..3db35b1b 100644 --- a/extensions/libipt_udp.c +++ b/extensions/libipt_udp.c @@ -231,6 +231,7 @@ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) } } +static struct iptables_match udp = { NULL, "udp", diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c index b954e368..5e842e93 100644 --- a/extensions/libipt_unclean.c +++ b/extensions/libipt_unclean.c @@ -41,6 +41,7 @@ static void final_check(unsigned int flags) { } +static struct iptables_match unclean = { NULL, "unclean", diff --git a/include/ip6tables.h b/include/ip6tables.h index 9ac3835c..ca388f7c 100644 --- a/include/ip6tables.h +++ b/include/ip6tables.h @@ -51,6 +51,9 @@ struct ip6tables_match struct ip6t_entry_match *m; unsigned int mflags; unsigned int used; +#ifdef NO_SHARED_LIBS + unsigned int loaded; /* simulate loading so options are merged properly */ +#endif }; struct ip6tables_target 
@@ -98,6 +101,9 @@ struct ip6tables_target struct ip6t_entry_target *t; unsigned int tflags; unsigned int used; +#ifdef NO_SHARED_LIBS + unsigned int loaded; /* simulate loading so options are merged properly */ +#endif }; /* Your shared library should call one of these. */ diff --git a/include/iptables.h b/include/iptables.h index 719db544..ac2a6b3b 100644 --- a/include/iptables.h +++ b/include/iptables.h @@ -51,6 +51,9 @@ struct iptables_match struct ipt_entry_match *m; unsigned int mflags; unsigned int used; +#ifdef NO_SHARED_LIBS + unsigned int loaded; /* simulate loading so options are merged properly */ +#endif }; struct iptables_target @@ -98,6 +101,9 @@ struct iptables_target struct ipt_entry_target *t; unsigned int tflags; unsigned int used; +#ifdef NO_SHARED_LIBS + unsigned int loaded; /* simulate loading so options are merged properly */ +#endif }; /* Your shared library should call one of these. */ diff --git a/include/iptables_common.h b/include/iptables_common.h index dff849ee..12b57975 100644 --- a/include/iptables_common.h +++ b/include/iptables_common.h @@ -19,4 +19,11 @@ void exit_error(enum exittype, char *, ...)__attribute__((noreturn, format(printf,2,3))); extern const char *program_name, *program_version; +#ifdef NO_SHARED_LIBS +# ifdef _INIT +# define _init _INIT +# endif + extern void init_extensions(void); +#endif + #endif /*_IPTABLES_COMMON_H*/ diff --git a/ip6tables-restore.c b/ip6tables-restore.c index f7a94f2c..40804eef 100644 --- a/ip6tables-restore.c +++ b/ip6tables-restore.c @@ -93,6 +93,10 @@ int main(int argc, char *argv[]) program_name = "ip6tables-restore"; program_version = NETFILTER_VERSION; +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + while ((c = getopt_long(argc, argv, "bcvhnM:", options, NULL)) != -1) { switch (c) { case 'b': diff --git a/ip6tables-save.c b/ip6tables-save.c index c18bda21..772f786c 100644 --- a/ip6tables-save.c +++ b/ip6tables-save.c 
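Review bot: The `_init` to `_INIT` redirection added to include/iptables_common.h has no comment, and it is the least obvious piece of the static build: any file that includes this header while `_INIT` is defined has its `_init` silently renamed. I would add above the `# ifdef _INIT` line `/* Static build: extensions/Makefile compiles each extension with -D_INIT=<name>_init, renaming its _init() so the generated initext.c can call them all from init_extensions(). */`. Both `_init` and `_INIT` are identifiers reserved for the implementation, which is worth stating in the same comment so nobody reuses the trick elsewhere.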
@@ -314,6 +314,10 @@ int main(int argc, char *argv[]) program_name = "ip6tables-save"; program_version = NETFILTER_VERSION; +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + while ((c = getopt_long(argc, argv, "bc", options, NULL)) != -1) { switch (c) { case 'b': diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c index 1120590f..f0145ce1 100644 --- a/ip6tables-standalone.c +++ b/ip6tables-standalone.c @@ -39,6 +39,10 @@ main(int argc, char *argv[]) program_name = "ip6tables"; program_version = NETFILTER_VERSION; +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + ret = do_command6(argc, argv, &table, &handle); if (ret) ret = ip6tc_commit(&handle); diff --git a/ip6tables.c b/ip6tables.c index 2160950e..2d13f3af 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -684,6 +684,7 @@ find_match(const char *name, enum ip6t_tryload tryload) break; } +#ifndef NO_SHARED_LIBS if (!ptr && tryload != DONT_LOAD) { char path[sizeof(IP6T_LIB_DIR) + sizeof("/libip6t_.so") + strlen(name)]; @@ -701,6 +702,14 @@ find_match(const char *name, enum ip6t_tryload tryload) exit_error(PARAMETER_PROBLEM, "Couldn't load match `%s'\n", name); } +#else + if (ptr && !ptr->loaded) { + if (tryload != DONT_LOAD) + ptr->loaded = 1; + else + ptr = NULL; + } +#endif if (ptr) ptr->used = 1; @@ -881,6 +890,7 @@ find_target(const char *name, enum ip6t_tryload tryload) break; } +#ifndef NO_SHARED_LIBS if (!ptr && tryload != DONT_LOAD) { char path[sizeof(IP6T_LIB_DIR) + sizeof("/libip6t_.so") + strlen(name)]; @@ -898,6 +908,14 @@ find_target(const char *name, enum ip6t_tryload tryload) "Couldn't load target `%s'%s\n", name, dlerror()); } +#else + if (ptr && !ptr->loaded) { + if (tryload != DONT_LOAD) + ptr->loaded = 1; + else + ptr = NULL; + } +#endif if (ptr) ptr->used = 1; diff --git a/iptables-restore.c b/iptables-restore.c index b6bcb7b7..2f4d8768 100644 --- a/iptables-restore.c +++ b/iptables-restore.c 
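Review bot: In ip6tables.c the new `#else` branches of find_match() and find_target() never report a name that is missing from the compiled-in list: the only visible exit_error() calls now sit inside `#ifndef NO_SHARED_LIBS`, so in a static build an unknown extension just leaves `ptr` NULL. If callers pass LOAD_MUST_SUCCEED and use the result without a NULL check (they are not visible here, so confirm), a mistyped match or target name becomes a NULL dereference in a privileged tool instead of a parameter error. I would add to each `#else` branch `if (!ptr && tryload == LOAD_MUST_SUCCEED)` followed by an exit_error(PARAMETER_PROBLEM, ...) call that names the extension. The same applies to the find_match()/find_target() hunks of the iptables.c changes further down; all four function bodies start and end outside their hunks.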
@@ -4,7 +4,7 @@ * * This coude is distributed under the terms of GNU GPL * - * $Id: iptables-restore.c,v 1.12 2001/05/26 04:41:56 laforge Exp $ + * $Id: iptables-restore.c,v 1.13 2001/06/16 18:25:25 laforge Exp $ */ #include <getopt.h> @@ -109,6 +109,10 @@ int main(int argc, char *argv[]) program_name = "iptables-restore"; program_version = NETFILTER_VERSION; +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + while ((c = getopt_long(argc, argv, "bcvhnM:", options, NULL)) != -1) { switch (c) { case 'b': diff --git a/iptables-save.c b/iptables-save.c index 60397146..aa3b69af 100644 --- a/iptables-save.c +++ b/iptables-save.c @@ -306,6 +306,10 @@ int main(int argc, char *argv[]) program_name = "iptables-save"; program_version = NETFILTER_VERSION; +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + while ((c = getopt_long(argc, argv, "bc", options, NULL)) != -1) { switch (c) { case 'b': diff --git a/iptables-standalone.c b/iptables-standalone.c index b891e974..791f9505 100644 --- a/iptables-standalone.c +++ b/iptables-standalone.c @@ -40,6 +40,10 @@ main(int argc, char *argv[]) program_name = "iptables"; program_version = NETFILTER_VERSION; +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + ret = do_command(argc, argv, &table, &handle); if (ret) ret = iptc_commit(&handle); @@ -649,6 +649,7 @@ find_match(const char *name, enum ipt_tryload tryload) break; } +#ifndef NO_SHARED_LIBS if (!ptr && tryload != DONT_LOAD) { char path[sizeof(IPT_LIB_DIR) + sizeof("/libipt_.so") + strlen(name)]; @@ -667,6 +668,14 @@ find_match(const char *name, enum ipt_tryload tryload) "Couldn't load match `%s':%s\n", name, dlerror()); } +#else + if (ptr && !ptr->loaded) { + if (tryload != DONT_LOAD) + ptr->loaded = 1; + else + ptr = NULL; + } +#endif if (ptr) ptr->used = 1; @@ -904,6 +913,7 @@ find_target(const char *name, enum ipt_tryload tryload) break; } +#ifndef NO_SHARED_LIBS if (!ptr && tryload != DONT_LOAD) { char path[sizeof(IPT_LIB_DIR) + sizeof("/libipt_.so") + strlen(name)]; 
@@ -921,6 +931,14 @@ find_target(const char *name, enum ipt_tryload tryload) "Couldn't load target `%s':%s\n", name, dlerror()); } +#else + if (ptr && !ptr->loaded) { + if (tryload != DONT_LOAD) + ptr->loaded = 1; + else + ptr = NULL; + } +#endif if (ptr) ptr->used = 1; |