summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--extensions/libxt_SET.c9
-rw-r--r--extensions/libxt_conntrack.c54
-rw-r--r--extensions/libxt_rateest.c13
-rw-r--r--extensions/libxt_sctp.c4
-rw-r--r--extensions/libxt_set.c4
-rw-r--r--extensions/libxt_tcp.c5
-rw-r--r--include/xtables.h.in2
-rw-r--r--iptables/ip6tables.c5
-rw-r--r--iptables/iptables.c5
-rw-r--r--iptables/xtables.c76
10 files changed, 65 insertions, 112 deletions
diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c
index 51c0cec6..04466037 100644
--- a/extensions/libxt_SET.c
+++ b/extensions/libxt_SET.c
@@ -67,10 +67,6 @@ parse_target_v0(char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM,
"--%s can be specified only once", what);
- if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
- xtables_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
@@ -173,11 +169,6 @@ parse_target(char **argv, int invert, struct xt_set_info *info,
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
"--%s can be specified only once", what);
-
- if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
- xtables_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index e1d85755..8e1777e3 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -93,7 +93,8 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = {
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT},
+ .flags = XTOPT_INVERT,
+ XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST,
@@ -110,13 +111,45 @@ static const struct xt_option_entry conntrack_mt_opts_v0[] = {
};
#undef s
+#define s struct xt_conntrack_mtinfo2
+/* We exploit the fact that v1-v2 share the same xt_o_e layout */
+static const struct xt_option_entry conntrack2_mt_opts[] = {
+ {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT},
+ {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
+ .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
+ {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT},
+ {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
+ .flags = XTOPT_INVERT},
+ {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
+ XTOPT_TABLEEND,
+};
+#undef s
+
#define s struct xt_conntrack_mtinfo3 /* for v1-v3 */
/* We exploit the fact that v1-v3 share the same layout */
-static const struct xt_option_entry conntrack_mt_opts[] = {
+static const struct xt_option_entry conntrack3_mt_opts[] = {
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT},
+ .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
@@ -305,8 +338,6 @@ static void conntrack_parse(struct xt_option_call *cb)
case O_CTPROTO:
if (cb->invert)
sinfo->invflags |= XT_CONNTRACK_PROTO;
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
-
if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
&& (sinfo->invflags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM,
@@ -369,7 +400,6 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
info->invert_flags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
- info->l4proto = cb->val.protocol;
if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
"never match protocol");
@@ -992,7 +1022,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt4_print,
.save = conntrack1_mt4_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1006,7 +1036,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt6_print,
.save = conntrack1_mt6_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1020,7 +1050,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt_print,
.save = conntrack2_mt_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1034,7 +1064,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt6_print,
.save = conntrack2_mt6_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1048,7 +1078,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt_print,
.save = conntrack3_mt_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack3_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1062,7 +1092,7 @@ static struct xtables_match conntrack_mt_reg[] = {
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt6_print,
.save = conntrack3_mt6_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack3_mt_opts,
},
};
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 5f42a137..86bbb06f 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -114,7 +114,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
switch (c) {
case OPT_RATEEST1:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest can't be inverted");
@@ -128,7 +127,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST2:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest can't be inverted");
@@ -143,7 +141,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_BPS1:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-bps can't be inverted");
@@ -167,7 +164,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_PPS1:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-pps can't be inverted");
@@ -192,7 +188,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_BPS2:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-bps can't be inverted");
@@ -216,7 +211,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_PPS2:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-pps can't be inverted");
@@ -241,7 +235,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_DELTA:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-delta can't be inverted");
@@ -255,8 +248,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_EQ:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (*flags & (1 << c))
xtables_error(PARAMETER_PROBLEM,
"rateest: can't specify lt/gt/eq twice");
@@ -268,8 +259,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_LT:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (*flags & (1 << c))
xtables_error(PARAMETER_PROBLEM,
"rateest: can't specify lt/gt/eq twice");
@@ -281,8 +270,6 @@ rateest_parse(int c, char **argv, int invert, unsigned int *flags,
break;
case OPT_RATEEST_GT:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (*flags & (1 << c))
xtables_error(PARAMETER_PROBLEM,
"rateest: can't specify lt/gt/eq twice");
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 5dbc36f5..56a4cdf2 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -257,7 +257,6 @@ sctp_parse(int c, char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM,
"Only one `--source-port' allowed");
einfo->flags |= XT_SCTP_SRC_PORTS;
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_sctp_ports(optarg, einfo->spts);
if (invert)
einfo->invflags |= XT_SCTP_SRC_PORTS;
@@ -269,7 +268,6 @@ sctp_parse(int c, char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM,
"Only one `--destination-port' allowed");
einfo->flags |= XT_SCTP_DEST_PORTS;
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_sctp_ports(optarg, einfo->dpts);
if (invert)
einfo->invflags |= XT_SCTP_DEST_PORTS;
@@ -280,8 +278,6 @@ sctp_parse(int c, char **argv, int invert, unsigned int *flags,
if (*flags & XT_SCTP_CHUNK_TYPES)
xtables_error(PARAMETER_PROBLEM,
"Only one `--chunk-types' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index da722c73..6b39147e 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -64,8 +64,6 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
if (info->u.flags[0])
xtables_error(PARAMETER_PROBLEM,
"--match-set can be specified only once");
-
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
info->u.flags[0] |= IPSET_MATCH_INV;
@@ -151,8 +149,6 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
"--match-set can be specified only once");
-
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
info->flags |= IPSET_INV_MATCH;
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 4d914e39..3940d91e 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -148,7 +148,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags,
if (*flags & TCP_SRC_PORTS)
xtables_error(PARAMETER_PROBLEM,
"Only one `--source-port' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_tcp_ports(optarg, tcpinfo->spts);
if (invert)
tcpinfo->invflags |= XT_TCP_INV_SRCPT;
@@ -159,7 +158,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags,
if (*flags & TCP_DST_PORTS)
xtables_error(PARAMETER_PROBLEM,
"Only one `--destination-port' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_tcp_ports(optarg, tcpinfo->dpts);
if (invert)
tcpinfo->invflags |= XT_TCP_INV_DSTPT;
@@ -180,8 +178,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM,
"Only one of `--syn' or `--tcp-flags' "
" allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
@@ -197,7 +193,6 @@ tcp_parse(int c, char **argv, int invert, unsigned int *flags,
if (*flags & TCP_OPTION)
xtables_error(PARAMETER_PROBLEM,
"Only one `--tcp-option' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_tcp_option(optarg, &tcpinfo->option);
if (invert)
tcpinfo->invflags |= XT_TCP_INV_OPTION;
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 0dead268..d50df79a 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -432,8 +432,6 @@ xtables_parse_interface(const char *arg, char *vianame, unsigned char *mask);
/* this is a special 64bit data type that is 8-byte aligned */
#define aligned_u64 u_int64_t __attribute__((aligned(8)))
-int xtables_check_inverse(const char option[], int *invert,
- int *my_optind, int argc, char **argv);
extern struct xtables_globals *xt_params;
#define xtables_error (xt_params->exit_err)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index d13744ca..04e5224f 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1536,7 +1536,6 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
* Option selection
*/
case 'p':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_PROTOCOL, &cs.fw6.ipv6.invflags,
cs.invert);
@@ -1562,14 +1561,12 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
break;
case 's':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_SOURCE, &cs.fw6.ipv6.invflags,
cs.invert);
shostnetworkmask = optarg;
break;
case 'd':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_DESTINATION, &cs.fw6.ipv6.invflags,
cs.invert);
dhostnetworkmask = optarg;
@@ -1594,7 +1591,6 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEIN, &cs.fw6.ipv6.invflags,
cs.invert);
xtables_parse_interface(optarg,
@@ -1607,7 +1603,6 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw6.ipv6.invflags,
cs.invert);
xtables_parse_interface(optarg,
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 6ceaf6b8..50dc1e7a 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1566,7 +1566,6 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
* Option selection
*/
case 'p':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_PROTOCOL, &cs.fw.ip.invflags,
cs.invert);
@@ -1584,14 +1583,12 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
break;
case 's':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_SOURCE, &cs.fw.ip.invflags,
cs.invert);
shostnetworkmask = optarg;
break;
case 'd':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_DESTINATION, &cs.fw.ip.invflags,
cs.invert);
dhostnetworkmask = optarg;
@@ -1616,7 +1613,6 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEIN, &cs.fw.ip.invflags,
cs.invert);
xtables_parse_interface(optarg,
@@ -1629,7 +1625,6 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw.ip.invflags,
cs.invert);
xtables_parse_interface(optarg,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index c4b1c2a8..1a5e568c 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -632,6 +632,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
/* Second and subsequent clones */
clone = xtables_malloc(sizeof(struct xtables_match));
memcpy(clone, ptr, sizeof(struct xtables_match));
+ clone->udata = NULL;
clone->mflags = 0;
/* This is a clone: */
clone->next = clone;
@@ -1299,7 +1300,7 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
struct in_addr **maskpp, unsigned int *naddrs)
{
struct in_addr *addrp;
- char buf[256], *p;
+ char buf[256], *p, *next;
unsigned int len, i, j, n, count = 1;
const char *loop = name;
@@ -1314,23 +1315,19 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
loop = name;
for (i = 0; i < count; ++i) {
- if (loop == NULL)
- break;
- if (*loop == ',')
+ while (isspace(*loop))
++loop;
- if (*loop == '\0')
- break;
- p = strchr(loop, ',');
- if (p != NULL)
- len = p - loop;
+ next = strchr(loop, ',');
+ if (next != NULL)
+ len = next - loop;
else
len = strlen(loop);
- if (len == 0 || sizeof(buf) - 1 < len)
- break;
+ if (len > sizeof(buf) - 1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "Hostname too long");
strncpy(buf, loop, len);
buf[len] = '\0';
- loop += len;
if ((p = strrchr(buf, '/')) != NULL) {
*p = '\0';
addrp = parse_ipmask(p + 1);
@@ -1368,6 +1365,9 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
}
/* free what ipparse_hostnetwork had allocated: */
free(addrp);
+ if (next == NULL)
+ break;
+ loop = next + 1;
}
*naddrs = count;
for (i = 0; i < count; ++i)
@@ -1616,7 +1616,7 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
{
static const struct in6_addr zero_addr;
struct in6_addr *addrp;
- char buf[256], *p;
+ char buf[256], *p, *next;
unsigned int len, i, j, n, count = 1;
const char *loop = name;
@@ -1631,23 +1631,19 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
loop = name;
for (i = 0; i < count /*NB: count can grow*/; ++i) {
- if (loop == NULL)
- break;
- if (*loop == ',')
+ while (isspace(*loop))
++loop;
- if (*loop == '\0')
- break;
- p = strchr(loop, ',');
- if (p != NULL)
- len = p - loop;
+ next = strchr(loop, ',');
+ if (next != NULL)
+ len = next - loop;
else
len = strlen(loop);
- if (len == 0 || sizeof(buf) - 1 < len)
- break;
+ if (len > sizeof(buf) - 1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "Hostname too long");
strncpy(buf, loop, len);
buf[len] = '\0';
- loop += len;
if ((p = strrchr(buf, '/')) != NULL) {
*p = '\0';
addrp = parse_ip6mask(p + 1);
@@ -1681,6 +1677,9 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
}
/* free what ip6parse_hostnetwork had allocated: */
free(addrp);
+ if (next == NULL)
+ break;
+ loop = next + 1;
}
*naddrs = count;
for (i = 0; i < count; ++i)
@@ -1767,35 +1766,6 @@ void xtables_save_string(const char *value)
}
}
-/**
- * Check for option-intrapositional negation.
- * Do not use in new code.
- */
-int xtables_check_inverse(const char option[], int *invert,
- int *my_optind, int argc, char **argv)
-{
- if (option == NULL || strcmp(option, "!") != 0)
- return false;
-
- fprintf(stderr, "Using intrapositioned negation "
- "(`--option ! this`) is deprecated in favor of "
- "extrapositioned (`! --option this`).\n");
-
- if (*invert)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "Multiple `!' flags not allowed");
- *invert = true;
- if (my_optind != NULL) {
- optarg = argv[*my_optind];
- ++*my_optind;
- if (argc && *my_optind > argc)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "no argument following `!'");
- }
-
- return true;
-}
-
const struct xtables_pprot xtables_chain_protos[] = {
{"tcp", IPPROTO_TCP},
{"sctp", IPPROTO_SCTP},