diff options
62 files changed, 1081 insertions, 1394 deletions
diff --git a/COMMIT_NOTES b/COMMIT_NOTES index 7583facd..592808c5 100644 --- a/COMMIT_NOTES +++ b/COMMIT_NOTES @@ -11,5 +11,9 @@ A quick list of rules for committing stuff into netfilter git: - If you touch any parts of libxtables (xtables.c, include/xtables.h.in), make sure the so-version is updated _appropriately_ (i.e. read the - libtool manual about Versioning:: first if need be) in configure.ac. + libtool manual about Versioning:: first, if need be) in configure.ac. Adding fields to a struct always entails a vcurrent bump. + + - Check, whether a bump (vcurrent,vage) has already been made since the + last release (no more than one per release), e.g.: + git log v1.4.4.. configure.ac @@ -41,18 +41,22 @@ Configuring and compiling It is enabled by default. +--enable-static + + Produce additional binaries, iptables-static/ip6tables-static, + which have all shipped extensions compiled in. + +--disable-shared + + Produce binaries that have dynamic loading of extensions disabled. + This implies --enable-static. + (See some details below.) + --enable-libipq This option causes libipq to be installed into ${libdir} and ${includedir}. ---enable-static - - Enable building single standalone multipurpose binaries, - (iptables-static and ip6tables-static), which contain every - extension compiled-in (and does not support additional - extensions). - --with-ksource= Xtables does not depend on kernel headers anymore, but you can @@ -74,7 +78,22 @@ The make process will automatically build multipurpose binaries. These have the core (iptables), -save, -restore and -xml code compiled into one binary, but extensions remain as modules. -If you want to build a statically linked version of the iptables binary, -without the need for loading the plugins at runtime (e.g. for an -embedded device or router-on-a-disk), you can use the --enable-static -configure flag. + +Static and shared +================= + +Basically there are three configuration modes defined: + + --disable-static --enable-shared (this is the default) + + Build a binary that relies upon dynamic loading of extensions. + + --enable-static --enable-shared + + Build a binary that has the shipped extensions built-in, but + is still capable of loading additional extensions. + + --enable-static --disable-shared + + Shipped extensions are built-in, and dynamic loading is + deactivated. diff --git a/Makefile.am b/Makefile.am index fd99098f..6bf40af3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -14,91 +14,60 @@ endif lib_LTLIBRARIES = # libiptc -lib_LTLIBRARIES += libiptc/libiptc.la -libiptc_libiptc_la_SOURCES = libiptc/libip4tc.c libiptc/libip6tc.c -libiptc_libiptc_la_LDFLAGS = -version-info 0:0:0 +lib_LTLIBRARIES += libiptc/libip4tc.la libiptc/libip6tc.la libiptc/libiptc.la +libiptc_libiptc_la_SOURCES = +libiptc_libiptc_la_LIBADD = libiptc/libip4tc.la libiptc/libip6tc.la +libiptc_libiptc_la_LDFLAGS = -version-info 0:0:0 +libiptc_libip4tc_la_SOURCES = libiptc/libip4tc.c +libiptc_libip4tc_la_LDFLAGS = -version-info 0:0:0 +libiptc_libip6tc_la_SOURCES = libiptc/libip6tc.c +libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 lib_LTLIBRARIES += libxtables.la libxtables_la_SOURCES = xtables.c libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage} +if ENABLE_SHARED +libxtables_la_CFLAGS = ${AM_CFLAGS} libxtables_la_LIBADD = -ldl +else +libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1 +libxtables_la_LIBADD = +endif -# iptables, dynamic -iptables_SOURCES = iptables-standalone.c iptables.c -iptables_LDFLAGS = -rdynamic -iptables_LDADD = libiptc/libiptc.la extensions/libext4.a libxtables.la -lm - -iptables_xml_LDADD = libxtables.la iptables_multi_SOURCES = iptables-multi.c iptables-save.c \ iptables-restore.c iptables-xml.c \ - iptables-standalone.c iptables.c + iptables-standalone.c iptables.c xshared.c iptables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI -iptables_multi_LDFLAGS = ${iptables_LDFLAGS} -iptables_multi_LDADD = ${iptables_LDADD} - -iptables_restore_SOURCES = iptables-restore.c iptables.c -iptables_restore_LDFLAGS = ${iptables_LDFLAGS} -iptables_restore_LDADD = ${iptables_LDADD} - -iptables_save_SOURCES = iptables-save.c iptables.c -iptables_save_LDFLAGS = ${iptables_LDFLAGS} -iptables_save_LDADD = ${iptables_LDADD} - -# iptables-multi, semi-static -iptables_static_SOURCES = ${iptables_multi_SOURCES} xtables.c -iptables_static_CFLAGS = ${iptables_multi_CFLAGS} -DNO_SHARED_LIBS=1 -iptables_static_LDADD = libiptc/libiptc.la extensions/libext4.a -lm - -iptables_xml_SOURCES = iptables-xml.c - -# ip6tables, dynamic -ip6tables_SOURCES = ip6tables-standalone.c ip6tables.c -ip6tables_LDFLAGS = -rdynamic -ip6tables_LDADD = libiptc/libiptc.la extensions/libext6.a libxtables.la -lm +if ENABLE_STATIC +iptables_multi_CFLAGS += -DALL_INCLUSIVE +endif +iptables_multi_LDFLAGS = -rdynamic +iptables_multi_LDADD = libiptc/libip4tc.la extensions/libext4.a libxtables.la -lm ip6tables_multi_SOURCES = ip6tables-multi.c ip6tables-save.c \ ip6tables-restore.c ip6tables-standalone.c \ - ip6tables.c + ip6tables.c xshared.c ip6tables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI -ip6tables_multi_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_multi_LDADD = ${ip6tables_LDADD} - -ip6tables_restore_SOURCES = ip6tables-restore.c ip6tables.c -ip6tables_restore_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_restore_LDADD = ${ip6tables_LDADD} - -ip6tables_save_SOURCES = ip6tables-save.c ip6tables.c -ip6tables_save_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_save_LDADD = ${ip6tables_LDADD} - -# iptables-multi, semi-static -ip6tables_static_SOURCES = ${ip6tables_multi_SOURCES} xtables.c -ip6tables_static_CFLAGS = ${ip6tables_multi_CFLAGS} -DNO_SHARED_LIBS=1 -ip6tables_static_LDADD = libiptc/libiptc.la extensions/libext6.a -lm +if ENABLE_STATIC +ip6tables_multi_CFLAGS += -DALL_INCLUSIVE +endif +ip6tables_multi_LDFLAGS = -rdynamic +ip6tables_multi_LDADD = libiptc/libip6tc.la extensions/libext6.a libxtables.la -lm -bin_PROGRAMS = iptables-xml sbin_PROGRAMS = -noinst_PROGRAMS = man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.8 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 CLEANFILES = iptables.8 ip6tables.8 -if ENABLE_STATIC if ENABLE_IPV4 -sbin_PROGRAMS += iptables-static +sbin_PROGRAMS += iptables-multi +v4_bin_links = iptables-xml +v4_sbin_links = iptables iptables-restore iptables-save endif if ENABLE_IPV6 -sbin_PROGRAMS += ip6tables-static -endif -endif -if ENABLE_SHARED -if ENABLE_IPV4 -sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save -endif -if ENABLE_IPV6 -sbin_PROGRAMS += ip6tables ip6tables-multi ip6tables-restore ip6tables-save -endif +sbin_PROGRAMS += ip6tables-multi +v6_sbin_links = ip6tables ip6tables-restore ip6tables-save endif iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man @@ -123,3 +92,7 @@ config.status: extensions/GNUmakefile.in \ # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; + ${INSTALL} -dm0755 "${DESTDIR}${bindir}"; + for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done; + for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done; + for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done; diff --git a/configure.ac b/configure.ac index 74c38355..bc74efee 100644 --- a/configure.ac +++ b/configure.ac @@ -2,8 +2,8 @@ AC_INIT([iptables], [1.4.4]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=2 -libxtables_vage=0 +libxtables_vcurrent=3 +libxtables_vage=1 AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index e1f1f494..709366a1 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -56,8 +56,8 @@ targets := libext4.a libext6.a matches4.man matches6.man \ targets_install := @ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs} @ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs} -@ENABLE_SHARED_TRUE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} -@ENABLE_SHARED_TRUE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} +@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} +@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} .SECONDARY: diff --git a/extensions/libip6t_eui64.c b/extensions/libip6t_eui64.c index c92c8687..607bf86f 100644 --- a/extensions/libip6t_eui64.c +++ b/extensions/libip6t_eui64.c @@ -1,38 +1,12 @@ /* Shared library add-on to ip6tables to add EUI64 address checking support. */ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> -#if defined(__GLIBC__) && __GLIBC__ == 2 -#include <net/ethernet.h> -#else -#include <linux/if_ether.h> -#endif #include <xtables.h> -static void eui64_help(void) -{ - printf( -"eui64 match options:\n" -" This module hasn't got any option\n" -" This module checks for EUI64 IPv6 addresses\n"); -} - -static int eui64_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - return 0; -} - static struct xtables_match eui64_mt6_reg = { .name = "eui64", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .size = XT_ALIGN(sizeof(int)), .userspacesize = XT_ALIGN(sizeof(int)), - .help = eui64_help, - .parse = eui64_parse, }; void _init(void) diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c index 81964dd7..fb78751d 100644 --- a/extensions/libipt_MIRROR.c +++ b/extensions/libipt_MIRROR.c @@ -1,32 +1,12 @@ /* Shared library add-on to iptables to add MIRROR target support. */ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> - #include <xtables.h> -static void MIRROR_help(void) -{ - printf("MIRROR target takes no options\n"); -} - -static int MIRROR_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} - static struct xtables_target mirror_tg_reg = { .name = "MIRROR", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = MIRROR_help, - .parse = MIRROR_parse, - .print = NULL, - .save = NULL, }; void _init(void) diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c index ecd51b51..cda70518 100644 --- a/extensions/libipt_addrtype.c +++ b/extensions/libipt_addrtype.c @@ -323,38 +323,38 @@ static const struct option addrtype_opts_v1[] = { { .name = NULL } }; -static struct xtables_match addrtype_mt_reg_v0 = { - .name = "addrtype", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .help = addrtype_help_v0, - .parse = addrtype_parse_v0, - .final_check = addrtype_check_v0, - .print = addrtype_print_v0, - .save = addrtype_save_v0, - .extra_opts = addrtype_opts_v0, -}; - -static struct xtables_match addrtype_mt_reg_v1 = { - .name = "addrtype", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .help = addrtype_help_v1, - .parse = addrtype_parse_v1, - .final_check = addrtype_check_v1, - .print = addrtype_print_v1, - .save = addrtype_save_v1, - .extra_opts = addrtype_opts_v1, - .revision = 1, +static struct xtables_match addrtype_mt_reg[] = { + { + .name = "addrtype", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .help = addrtype_help_v0, + .parse = addrtype_parse_v0, + .final_check = addrtype_check_v0, + .print = addrtype_print_v0, + .save = addrtype_save_v0, + .extra_opts = addrtype_opts_v0, + }, + { + .name = "addrtype", + .revision = 1, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .help = addrtype_help_v1, + .parse = addrtype_parse_v1, + .final_check = addrtype_check_v1, + .print = addrtype_print_v1, + .save = addrtype_save_v1, + .extra_opts = addrtype_opts_v1, + }, }; void _init(void) { - xtables_register_match(&addrtype_mt_reg_v0); - xtables_register_match(&addrtype_mt_reg_v1); + xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg)); } diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c index 93d9013e..bc4a4a08 100644 --- a/extensions/libipt_unclean.c +++ b/extensions/libipt_unclean.c @@ -1,28 +1,12 @@ /* Shared library add-on to iptables for unclean. */ -#include <stdio.h> -#include <stdlib.h> -#include <getopt.h> #include <xtables.h> -static void unclean_help(void) -{ - printf("unclean match takes no options\n"); -} - -static int unclean_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - return 0; -} - static struct xtables_match unclean_mt_reg = { .name = "unclean", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = unclean_help, - .parse = unclean_parse, }; void _init(void) diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c index 6e42898f..3cf62f07 100644 --- a/extensions/libxt_CONNMARK.c +++ b/extensions/libxt_CONNMARK.c @@ -398,74 +398,40 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target) } } -static struct xtables_target connmark_target = { - .family = NFPROTO_IPV4, - .name = "CONNMARK", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .help = CONNMARK_help, - .init = CONNMARK_init, - .parse = CONNMARK_parse, - .final_check = connmark_tg_check, - .print = CONNMARK_print, - .save = CONNMARK_save, - .extra_opts = CONNMARK_opts, -}; - -static struct xtables_target connmark_target6 = { - .family = NFPROTO_IPV6, - .name = "CONNMARK", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .help = CONNMARK_help, - .init = CONNMARK_init, - .parse = CONNMARK_parse, - .final_check = connmark_tg_check, - .print = CONNMARK_print, - .save = CONNMARK_save, - .extra_opts = CONNMARK_opts, -}; - -static struct xtables_target connmark_tg_reg = { - .version = XTABLES_VERSION, - .name = "CONNMARK", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .help = connmark_tg_help, - .init = connmark_tg_init, - .parse = connmark_tg_parse, - .final_check = connmark_tg_check, - .print = connmark_tg_print, - .save = connmark_tg_save, - .extra_opts = connmark_tg_opts, -}; - -static struct xtables_target connmark_tg6_reg = { - .version = XTABLES_VERSION, - .name = "CONNMARK", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .help = connmark_tg_help, - .init = connmark_tg_init, - .parse = connmark_tg_parse, - .final_check = connmark_tg_check, - .print = connmark_tg_print, - .save = connmark_tg_save, - .extra_opts = connmark_tg_opts, +static struct xtables_target connmark_tg_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "CONNMARK", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)), + .help = CONNMARK_help, + .init = CONNMARK_init, + .parse = CONNMARK_parse, + .final_check = connmark_tg_check, + .print = CONNMARK_print, + .save = CONNMARK_save, + .extra_opts = CONNMARK_opts, + }, + { + .version = XTABLES_VERSION, + .name = "CONNMARK", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), + .help = connmark_tg_help, + .init = connmark_tg_init, + .parse = connmark_tg_parse, + .final_check = connmark_tg_check, + .print = connmark_tg_print, + .save = connmark_tg_save, + .extra_opts = connmark_tg_opts, + }, }; void _init(void) { - xtables_register_target(&connmark_target); - xtables_register_target(&connmark_target6); - xtables_register_target(&connmark_tg_reg); - xtables_register_target(&connmark_tg6_reg); + xtables_register_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg)); } diff --git a/extensions/libxt_CONNSECMARK.c b/extensions/libxt_CONNSECMARK.c index 11ec01ab..d95339f3 100644 --- a/extensions/libxt_CONNSECMARK.c +++ b/extensions/libxt_CONNSECMARK.c @@ -107,22 +107,7 @@ CONNSECMARK_save(const void *ip, const struct xt_entry_target *target) } static struct xtables_target connsecmark_target = { - .family = NFPROTO_IPV4, - .name = "CONNSECMARK", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), - .parse = CONNSECMARK_parse, - .help = CONNSECMARK_help, - .final_check = CONNSECMARK_check, - .print = CONNSECMARK_print, - .save = CONNSECMARK_save, - .extra_opts = CONNSECMARK_opts, -}; - -static struct xtables_target connsecmark_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "CONNSECMARK", .version = XTABLES_VERSION, .revision = 0, @@ -139,5 +124,4 @@ static struct xtables_target connsecmark_target6 = { void _init(void) { xtables_register_target(&connsecmark_target); - xtables_register_target(&connsecmark_target6); } diff --git a/extensions/libxt_DSCP.c b/extensions/libxt_DSCP.c index ddb9c997..82ac10c3 100644 --- a/extensions/libxt_DSCP.c +++ b/extensions/libxt_DSCP.c @@ -130,21 +130,7 @@ static void DSCP_save(const void *ip, const struct xt_entry_target *target) } static struct xtables_target dscp_target = { - .family = NFPROTO_IPV4, - .name = "DSCP", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_DSCP_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)), - .help = DSCP_help, - .parse = DSCP_parse, - .final_check = DSCP_check, - .print = DSCP_print, - .save = DSCP_save, - .extra_opts = DSCP_opts, -}; - -static struct xtables_target dscp_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "DSCP", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_DSCP_info)), @@ -160,5 +146,4 @@ static struct xtables_target dscp_target6 = { void _init(void) { xtables_register_target(&dscp_target); - xtables_register_target(&dscp_target6); } diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c index ff48a764..f6a2c5c1 100644 --- a/extensions/libxt_MARK.c +++ b/extensions/libxt_MARK.c @@ -277,70 +277,52 @@ static void mark_tg_save(const void *ip, const struct xt_entry_target *target) printf("--set-xmark 0x%x/0x%x ", info->mark, info->mask); } -static struct xtables_target mark_target_v0 = { - .family = NFPROTO_IPV4, - .name = "MARK", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .help = MARK_help, - .parse = MARK_parse_v0, - .final_check = MARK_check, - .print = MARK_print_v0, - .save = MARK_save_v0, - .extra_opts = MARK_opts, -}; - -static struct xtables_target mark_target_v1 = { - .family = NFPROTO_IPV4, - .name = "MARK", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), - .help = MARK_help, - .parse = MARK_parse_v1, - .final_check = MARK_check, - .print = MARK_print_v1, - .save = MARK_save_v1, - .extra_opts = MARK_opts, -}; - -static struct xtables_target mark_target6_v0 = { - .family = NFPROTO_IPV6, - .name = "MARK", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .help = MARK_help, - .parse = MARK_parse_v0, - .final_check = MARK_check, - .print = MARK_print_v0, - .save = MARK_save_v0, - .extra_opts = MARK_opts, -}; - -static struct xtables_target mark_tg_reg_v2 = { - .version = XTABLES_VERSION, - .name = "MARK", - .revision = 2, - .family = NFPROTO_UNSPEC, - .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), - .help = mark_tg_help, - .parse = mark_tg_parse, - .final_check = mark_tg_check, - .print = mark_tg_print, - .save = mark_tg_save, - .extra_opts = mark_tg_opts, +static struct xtables_target mark_tg_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "MARK", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct xt_mark_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)), + .help = MARK_help, + .parse = MARK_parse_v0, + .final_check = MARK_check, + .print = MARK_print_v0, + .save = MARK_save_v0, + .extra_opts = MARK_opts, + }, + { + .family = NFPROTO_IPV4, + .name = "MARK", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), + .help = MARK_help, + .parse = MARK_parse_v1, + .final_check = MARK_check, + .print = MARK_print_v1, + .save = MARK_save_v1, + .extra_opts = MARK_opts, + }, + { + .version = XTABLES_VERSION, + .name = "MARK", + .revision = 2, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), + .help = mark_tg_help, + .parse = mark_tg_parse, + .final_check = mark_tg_check, + .print = mark_tg_print, + .save = mark_tg_save, + .extra_opts = mark_tg_opts, + }, }; void _init(void) { - xtables_register_target(&mark_target_v0); - xtables_register_target(&mark_target_v1); - xtables_register_target(&mark_target6_v0); - xtables_register_target(&mark_tg_reg_v2); + xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); } diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c index 007c7b4e..0768e885 100644 --- a/extensions/libxt_NFLOG.c +++ b/extensions/libxt_NFLOG.c @@ -139,21 +139,7 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target) } static struct xtables_target nflog_target = { - .family = NFPROTO_IPV4, - .name = "NFLOG", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_nflog_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)), - .help = NFLOG_help, - .init = NFLOG_init, - .parse = NFLOG_parse, - .print = NFLOG_print, - .save = NFLOG_save, - .extra_opts = NFLOG_opts, -}; - -static struct xtables_target nflog_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "NFLOG", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_nflog_info)), @@ -169,5 +155,4 @@ static struct xtables_target nflog_target6 = { void _init(void) { xtables_register_target(&nflog_target); - xtables_register_target(&nflog_target6); } diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c index 3ca2239f..53ecf1ca 100644 --- a/extensions/libxt_NFQUEUE.c +++ b/extensions/libxt_NFQUEUE.c @@ -78,7 +78,7 @@ static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target) } static struct xtables_target nfqueue_target = { - .family = NFPROTO_IPV4, + .family = NFPROTO_UNSPEC, .name = "NFQUEUE", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_NFQ_info)), @@ -90,21 +90,7 @@ static struct xtables_target nfqueue_target = { .extra_opts = NFQUEUE_opts }; -static struct xtables_target nfqueue_target6 = { - .family = NFPROTO_IPV6, - .name = "NFQUEUE", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_NFQ_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)), - .help = NFQUEUE_help, - .parse = NFQUEUE_parse, - .print = NFQUEUE_print, - .save = NFQUEUE_save, - .extra_opts = NFQUEUE_opts, -}; - void _init(void) { xtables_register_target(&nfqueue_target); - xtables_register_target(&nfqueue_target6); } diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c index ef266543..ca587002 100644 --- a/extensions/libxt_NOTRACK.c +++ b/extensions/libxt_NOTRACK.c @@ -1,46 +1,15 @@ /* Shared library add-on to iptables to add NOTRACK target support. */ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> - #include <xtables.h> -#include <linux/netfilter/x_tables.h> - -static void NOTRACK_help(void) -{ - printf("NOTRACK target takes no options\n"); -} - -static int -NOTRACK_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} static struct xtables_target notrack_target = { - .family = NFPROTO_IPV4, - .name = "NOTRACK", - .version = XTABLES_VERSION, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), - .help = NOTRACK_help, - .parse = NOTRACK_parse, -}; - -static struct xtables_target notrack_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "NOTRACK", .version = XTABLES_VERSION, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = NOTRACK_help, - .parse = NOTRACK_parse, }; void _init(void) { xtables_register_target(¬rack_target); - xtables_register_target(¬rack_target6); } diff --git a/extensions/libxt_TCPOPTSTRIP.c b/extensions/libxt_TCPOPTSTRIP.c index cf946fc7..a063d0d9 100644 --- a/extensions/libxt_TCPOPTSTRIP.c +++ b/extensions/libxt_TCPOPTSTRIP.c @@ -180,22 +180,7 @@ tcpoptstrip_tg_save(const void *ip, const struct xt_entry_target *target) static struct xtables_target tcpoptstrip_tg_reg = { .version = XTABLES_VERSION, .name = "TCPOPTSTRIP", - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), - .help = tcpoptstrip_tg_help, - .init = tcpoptstrip_tg_init, - .parse = tcpoptstrip_tg_parse, - .final_check = tcpoptstrip_tg_check, - .print = tcpoptstrip_tg_print, - .save = tcpoptstrip_tg_save, - .extra_opts = tcpoptstrip_tg_opts, -}; - -static struct xtables_target tcpoptstrip_tg6_reg = { - .version = XTABLES_VERSION, - .name = "TCPOPTSTRIP", - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), .help = tcpoptstrip_tg_help, @@ -210,5 +195,4 @@ static struct xtables_target tcpoptstrip_tg6_reg = { void _init(void) { xtables_register_target(&tcpoptstrip_tg_reg); - xtables_register_target(&tcpoptstrip_tg6_reg); } diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c index c08f53bd..bf751a4e 100644 --- a/extensions/libxt_TOS.c +++ b/extensions/libxt_TOS.c @@ -205,54 +205,38 @@ static void tos_tg_save(const void *ip, const struct xt_entry_target *target) printf("--set-tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask); } -static struct xtables_target tos_tg_reg_v0 = { - .version = XTABLES_VERSION, - .name = "TOS", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .help = tos_tg_help_v0, - .parse = tos_tg_parse_v0, - .final_check = tos_tg_check, - .print = tos_tg_print_v0, - .save = tos_tg_save_v0, - .extra_opts = tos_tg_opts_v0, -}; - -static struct xtables_target tos_tg_reg = { - .version = XTABLES_VERSION, - .name = "TOS", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .help = tos_tg_help, - .parse = tos_tg_parse, - .final_check = tos_tg_check, - .print = tos_tg_print, - .save = tos_tg_save, - .extra_opts = tos_tg_opts, -}; - -static struct xtables_target tos_tg6_reg = { - .version = XTABLES_VERSION, - .name = "TOS", - .family = NFPROTO_IPV6, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .help = tos_tg_help, - .parse = tos_tg_parse, - .final_check = tos_tg_check, - .print = tos_tg_print, - .save = tos_tg_save, - .extra_opts = tos_tg_opts, +static struct xtables_target tos_tg_reg[] = { + { + .version = XTABLES_VERSION, + .name = "TOS", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .help = tos_tg_help_v0, + .parse = tos_tg_parse_v0, + .final_check = tos_tg_check, + .print = tos_tg_print_v0, + .save = tos_tg_save_v0, + .extra_opts = tos_tg_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "TOS", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .help = tos_tg_help, + .parse = tos_tg_parse, + .final_check = tos_tg_check, + .print = tos_tg_print, + .save = tos_tg_save, + .extra_opts = tos_tg_opts, + }, }; void _init(void) { - xtables_register_target(&tos_tg_reg_v0); - xtables_register_target(&tos_tg_reg); - xtables_register_target(&tos_tg6_reg); + xtables_register_targets(tos_tg_reg, ARRAY_SIZE(tos_tg_reg)); } diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c index 344b80dc..0282e6ff 100644 --- a/extensions/libxt_TRACE.c +++ b/extensions/libxt_TRACE.c @@ -7,25 +7,12 @@ #include <xtables.h> #include <linux/netfilter/x_tables.h> -static void TRACE_help(void) -{ - printf("TRACE target takes no options\n"); -} - -static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} - static struct xtables_target trace_target = { .family = NFPROTO_UNSPEC, .name = "TRACE", .version = XTABLES_VERSION, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = TRACE_help, - .parse = TRACE_parse, }; void _init(void) diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c index 5f393bbf..2e665b12 100644 --- a/extensions/libxt_comment.c +++ b/extensions/libxt_comment.c @@ -89,21 +89,7 @@ comment_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match comment_match = { - .family = NFPROTO_IPV4, - .name = "comment", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_comment_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)), - .help = comment_help, - .parse = comment_parse, - .final_check = comment_check, - .print = comment_print, - .save = comment_save, - .extra_opts = comment_opts, -}; - -static struct xtables_match comment_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "comment", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_comment_info)), @@ -119,5 +105,4 @@ static struct xtables_match comment_match6 = { void _init(void) { xtables_register_match(&comment_match); - xtables_register_match(&comment_match6); } diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c index c7bdff05..d6c3b1bb 100644 --- a/extensions/libxt_connbytes.c +++ b/extensions/libxt_connbytes.c @@ -180,21 +180,7 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match connbytes_match = { - .family = NFPROTO_IPV4, - .name = "connbytes", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connbytes_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)), - .help = connbytes_help, - .parse = connbytes_parse, - .final_check = connbytes_check, - .print = connbytes_print, - .save = connbytes_save, - .extra_opts = connbytes_opts, -}; - -static struct xtables_match connbytes_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "connbytes", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_connbytes_info)), @@ -210,5 +196,4 @@ static struct xtables_match connbytes_match6 = { void _init(void) { xtables_register_match(&connbytes_match); - xtables_register_match(&connbytes_match6); } diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c index 403e7e6f..1698561d 100644 --- a/extensions/libxt_connlimit.c +++ b/extensions/libxt_connlimit.c @@ -179,38 +179,38 @@ static void connlimit_save6(const void *ip, const struct xt_entry_match *match) count_bits6(info->v6_mask)); } -static struct xtables_match connlimit_match = { - .name = "connlimit", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), - .userspacesize = offsetof(struct xt_connlimit_info, data), - .help = connlimit_help, - .init = connlimit_init, - .parse = connlimit_parse4, - .final_check = connlimit_check, - .print = connlimit_print4, - .save = connlimit_save4, - .extra_opts = connlimit_opts, -}; - -static struct xtables_match connlimit_match6 = { - .name = "connlimit", - .family = NFPROTO_IPV6, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), - .userspacesize = offsetof(struct xt_connlimit_info, data), - .help = connlimit_help, - .init = connlimit_init, - .parse = connlimit_parse6, - .final_check = connlimit_check, - .print = connlimit_print6, - .save = connlimit_save6, - .extra_opts = connlimit_opts, +static struct xtables_match connlimit_mt_reg[] = { + { + .name = "connlimit", + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = connlimit_help, + .init = connlimit_init, + .parse = connlimit_parse4, + .final_check = connlimit_check, + .print = connlimit_print4, + .save = connlimit_save4, + .extra_opts = connlimit_opts, + }, + { + .name = "connlimit", + .family = NFPROTO_IPV6, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = connlimit_help, + .init = connlimit_init, + .parse = connlimit_parse6, + .final_check = connlimit_check, + .print = connlimit_print6, + .save = connlimit_save6, + .extra_opts = connlimit_opts, + }, }; void _init(void) { - xtables_register_match(&connlimit_match); - xtables_register_match(&connlimit_match6); + xtables_register_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg)); } diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c index ce2002ce..48c10b5d 100644 --- a/extensions/libxt_connmark.c +++ b/extensions/libxt_connmark.c @@ -163,70 +163,38 @@ connmark_mt_save(const void *ip, const struct xt_entry_match *match) print_mark(info->mark, info->mask); } -static struct xtables_match connmark_mt_reg_v0 = { - .family = NFPROTO_IPV4, - .name = "connmark", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)), - .help = connmark_mt_help, - .parse = connmark_parse, - .final_check = connmark_mt_check, - .print = connmark_print, - .save = connmark_save, - .extra_opts = connmark_mt_opts, -}; - -static struct xtables_match connmark_mt6_reg_v0 = { - .family = NFPROTO_IPV6, - .name = "connmark", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)), - .help = connmark_mt_help, - .parse = connmark_parse, - .final_check = connmark_mt_check, - .print = connmark_print, - .save = connmark_save, - .extra_opts = connmark_mt_opts, -}; - -static struct xtables_match connmark_mt_reg = { - .version = XTABLES_VERSION, - .name = "connmark", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .help = connmark_mt_help, - .parse = connmark_mt_parse, - .final_check = connmark_mt_check, - .print = connmark_mt_print, - .save = connmark_mt_save, - .extra_opts = connmark_mt_opts, -}; - -static struct xtables_match connmark_mt6_reg = { - .version = XTABLES_VERSION, - .name = "connmark", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .help = connmark_mt_help, - .parse = connmark_mt_parse, - .final_check = connmark_mt_check, - .print = connmark_mt_print, - .save = connmark_mt_save, - .extra_opts = connmark_mt_opts, +static struct xtables_match connmark_mt_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "connmark", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connmark_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)), + .help = connmark_mt_help, + .parse = connmark_parse, + .final_check = connmark_mt_check, + .print = connmark_print, + .save = connmark_save, + .extra_opts = connmark_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "connmark", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), + .help = connmark_mt_help, + .parse = connmark_mt_parse, + .final_check = connmark_mt_check, + .print = connmark_mt_print, + .save = connmark_mt_save, + .extra_opts = connmark_mt_opts, + }, }; void _init(void) { - xtables_register_match(&connmark_mt_reg_v0); - xtables_register_match(&connmark_mt6_reg_v0); - xtables_register_match(&connmark_mt_reg); - xtables_register_match(&connmark_mt6_reg); + xtables_register_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg)); } diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 68d40f8c..c9f8182b 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -1123,86 +1123,80 @@ conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match) conntrack_dump(&up, "--", NFPROTO_IPV6, true); } -static struct xtables_match conntrack_mt_v0_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), - .help = conntrack_mt_help, - .parse = conntrack_parse, - .final_check = conntrack_mt_check, - .print = conntrack_print, - .save = conntrack_save, - .extra_opts = conntrack_mt_opts_v0, -}; - -static struct xtables_match conntrack_mt_v1_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .help = conntrack_mt_help, - .parse = conntrack1_mt4_parse, - .final_check = conntrack_mt_check, - .print = conntrack1_mt4_print, - .save = conntrack1_mt4_save, - .extra_opts = conntrack_mt_opts, -}; - -static struct xtables_match conntrack_mt6_v1_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .help = conntrack_mt_help, - .parse = conntrack1_mt6_parse, - .final_check = conntrack_mt_check, - .print = conntrack1_mt6_print, - .save = conntrack1_mt6_save, - .extra_opts = conntrack_mt_opts, -}; - -static struct xtables_match conntrack_mt_v2_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 2, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), - .help = conntrack_mt_help, - .parse = conntrack2_mt4_parse, - .final_check = conntrack_mt_check, - .print = conntrack_mt_print, - .save = conntrack_mt_save, - .extra_opts = conntrack_mt_opts, -}; - -static struct xtables_match conntrack_mt6_v2_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 2, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), - .help = conntrack_mt_help, - .parse = conntrack2_mt6_parse, - .final_check = conntrack_mt_check, - .print = conntrack_mt6_print, - .save = conntrack_mt6_save, - .extra_opts = conntrack_mt_opts, +static struct xtables_match conntrack_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .help = conntrack_mt_help, + .parse = conntrack_parse, + .final_check = conntrack_mt_check, + .print = conntrack_print, + .save = conntrack_save, + .extra_opts = conntrack_mt_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = conntrack_mt_help, + .parse = conntrack1_mt4_parse, + .final_check = conntrack_mt_check, + .print = conntrack1_mt4_print, + .save = conntrack1_mt4_save, + .extra_opts = conntrack_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = conntrack_mt_help, + .parse = conntrack1_mt6_parse, + .final_check = conntrack_mt_check, + .print = conntrack1_mt6_print, + .save = conntrack1_mt6_save, + .extra_opts = conntrack_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 2, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .help = conntrack_mt_help, + .parse = conntrack2_mt4_parse, + .final_check = conntrack_mt_check, + .print = conntrack_mt_print, + .save = conntrack_mt_save, + .extra_opts = conntrack_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 2, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .help = conntrack_mt_help, + .parse = conntrack2_mt6_parse, + .final_check = conntrack_mt_check, + .print = conntrack_mt6_print, + .save = conntrack_mt6_save, + .extra_opts = conntrack_mt_opts, + }, }; void _init(void) { - xtables_register_match(&conntrack_mt_v0_reg); - xtables_register_match(&conntrack_mt_v1_reg); - xtables_register_match(&conntrack_mt6_v1_reg); - xtables_register_match(&conntrack_mt_v2_reg); - xtables_register_match(&conntrack_mt6_v2_reg); + xtables_register_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg)); } diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c index 73211459..ae23225c 100644 --- a/extensions/libxt_dccp.c +++ b/extensions/libxt_dccp.c @@ -336,21 +336,7 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match) static struct xtables_match dccp_match = { .name = "dccp", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_dccp_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)), - .help = dccp_help, - .init = dccp_init, - .parse = dccp_parse, - .print = dccp_print, - .save = dccp_save, - .extra_opts = dccp_opts, -}; - -static struct xtables_match dccp_match6 = { - .name = "dccp", - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_dccp_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)), @@ -365,5 +351,4 @@ static struct xtables_match dccp_match6 = { void _init(void) { xtables_register_match(&dccp_match); - xtables_register_match(&dccp_match6); } diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c index 62fa6af5..306643e8 100644 --- a/extensions/libxt_dscp.c +++ b/extensions/libxt_dscp.c @@ -131,21 +131,7 @@ static void dscp_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match dscp_match = { - .family = NFPROTO_IPV4, - .name = "dscp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_dscp_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)), - .help = dscp_help, - .parse = dscp_parse, - .final_check = dscp_check, - .print = dscp_print, - .save = dscp_save, - .extra_opts = dscp_opts, -}; - -static struct xtables_match dscp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "dscp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_dscp_info)), @@ -161,5 +147,4 @@ static struct xtables_match dscp_match6 = { void _init(void) { xtables_register_match(&dscp_match); - xtables_register_match(&dscp_match6); } diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c index 5769edb5..89c3fb43 100644 --- a/extensions/libxt_esp.c +++ b/extensions/libxt_esp.c @@ -149,21 +149,7 @@ static void esp_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match esp_match = { - .family = NFPROTO_IPV4, - .name = "esp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_esp)), - .userspacesize = XT_ALIGN(sizeof(struct xt_esp)), - .help = esp_help, - .init = esp_init, - .parse = esp_parse, - .print = esp_print, - .save = esp_save, - .extra_opts = esp_opts, -}; - -static struct xtables_match esp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "esp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_esp)), @@ -180,5 +166,4 @@ void _init(void) { xtables_register_match(&esp_match); - xtables_register_match(&esp_match6); } diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c index 84dd7868..cdb407ab 100644 --- a/extensions/libxt_hashlimit.c +++ b/extensions/libxt_hashlimit.c @@ -659,74 +659,55 @@ hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match) hashlimit_mt_save(info, 128); } -static struct xtables_match hashlimit_match = { - .family = NFPROTO_IPV4, - .name = "hashlimit", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), - .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), - .help = hashlimit_help, - .init = hashlimit_init, - .parse = hashlimit_parse, - .final_check = hashlimit_check, - .print = hashlimit_print, - .save = hashlimit_save, - .extra_opts = hashlimit_opts, -}; - -static struct xtables_match hashlimit_match6 = { - .family = NFPROTO_IPV6, - .name = "hashlimit", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), - .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), - .help = hashlimit_help, - .init = hashlimit_init, - .parse = hashlimit_parse, - .final_check = hashlimit_check, - .print = hashlimit_print, - .save = hashlimit_save, - .extra_opts = hashlimit_opts, -}; - -static struct xtables_match hashlimit_mt_reg = { - .version = XTABLES_VERSION, - .name = "hashlimit", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), - .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), - .help = hashlimit_mt_help, - .init = hashlimit_mt4_init, - .parse = hashlimit_mt4_parse, - .final_check = hashlimit_mt_check, - .print = hashlimit_mt4_print, - .save = hashlimit_mt4_save, - .extra_opts = hashlimit_mt_opts, -}; - -static struct xtables_match hashlimit_mt6_reg = { - .version = XTABLES_VERSION, - .name = "hashlimit", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), - .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), - .help = hashlimit_mt_help, - .init = hashlimit_mt6_init, - .parse = hashlimit_mt6_parse, - .final_check = hashlimit_mt_check, - .print = hashlimit_mt6_print, - .save = hashlimit_mt6_save, - .extra_opts = hashlimit_mt_opts, +static struct xtables_match hashlimit_mt_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "hashlimit", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), + .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), + .help = hashlimit_help, + .init = hashlimit_init, + .parse = hashlimit_parse, + .final_check = hashlimit_check, + .print = hashlimit_print, + .save = hashlimit_save, + .extra_opts = hashlimit_opts, + }, + { + .version = XTABLES_VERSION, + .name = "hashlimit", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), + .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), + .help = hashlimit_mt_help, + .init = hashlimit_mt4_init, + .parse = hashlimit_mt4_parse, + .final_check = hashlimit_mt_check, + .print = hashlimit_mt4_print, + .save = hashlimit_mt4_save, + .extra_opts = hashlimit_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "hashlimit", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), + .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), + .help = hashlimit_mt_help, + .init = hashlimit_mt6_init, + .parse = hashlimit_mt6_parse, + .final_check = hashlimit_mt_check, + .print = hashlimit_mt6_print, + .save = hashlimit_mt6_save, + .extra_opts = hashlimit_mt_opts, + }, }; void _init(void) { - xtables_register_match(&hashlimit_match); - xtables_register_match(&hashlimit_match6); - xtables_register_match(&hashlimit_mt_reg); - xtables_register_match(&hashlimit_mt6_reg); + xtables_register_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); } diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c index b136d8a6..adced437 100644 --- a/extensions/libxt_helper.c +++ b/extensions/libxt_helper.c @@ -69,20 +69,7 @@ static void helper_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match helper_match = { - .family = NFPROTO_IPV4, - .name = "helper", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_helper_info)), - .help = helper_help, - .parse = helper_parse, - .final_check = helper_check, - .print = helper_print, - .save = helper_save, - .extra_opts = helper_opts, -}; - -static struct xtables_match helper_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "helper", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_helper_info)), @@ -97,5 +84,4 @@ static struct xtables_match helper_match6 = { void _init(void) { xtables_register_match(&helper_match); - xtables_register_match(&helper_match6); } diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c index bc5b2aeb..7b3ccc2b 100644 --- a/extensions/libxt_iprange.c +++ b/extensions/libxt_iprange.c @@ -344,54 +344,52 @@ static void iprange_mt6_save(const void *ip, const struct xt_entry_match *match) } } -static struct xtables_match iprange_match = { - .version = XTABLES_VERSION, - .name = "iprange", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_iprange_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)), - .help = iprange_mt_help, - .parse = iprange_parse, - .final_check = iprange_mt_check, - .print = iprange_print, - .save = iprange_save, - .extra_opts = iprange_mt_opts, -}; - -static struct xtables_match iprange_mt_reg = { - .version = XTABLES_VERSION, - .name = "iprange", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .help = iprange_mt_help, - .parse = iprange_mt4_parse, - .final_check = iprange_mt_check, - .print = iprange_mt4_print, - .save = iprange_mt4_save, - .extra_opts = iprange_mt_opts, -}; - -static struct xtables_match iprange_mt6_reg = { - .version = XTABLES_VERSION, - .name = "iprange", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .help = iprange_mt_help, - .parse = iprange_mt6_parse, - .final_check = iprange_mt_check, - .print = iprange_mt6_print, - .save = iprange_mt6_save, - .extra_opts = iprange_mt_opts, +static struct xtables_match iprange_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "iprange", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_iprange_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)), + .help = iprange_mt_help, + .parse = iprange_parse, + .final_check = iprange_mt_check, + .print = iprange_print, + .save = iprange_save, + .extra_opts = iprange_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "iprange", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .help = iprange_mt_help, + .parse = iprange_mt4_parse, + .final_check = iprange_mt_check, + .print = iprange_mt4_print, + .save = iprange_mt4_save, + .extra_opts = iprange_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "iprange", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .help = iprange_mt_help, + .parse = iprange_mt6_parse, + .final_check = iprange_mt_check, + .print = iprange_mt6_print, + .save = iprange_mt6_save, + .extra_opts = iprange_mt_opts, + }, }; void _init(void) { - xtables_register_match(&iprange_match); - xtables_register_match(&iprange_mt_reg); - xtables_register_match(&iprange_mt6_reg); + xtables_register_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg)); } diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c index a57e3410..449fff92 100644 --- a/extensions/libxt_mac.c +++ b/extensions/libxt_mac.c @@ -112,21 +112,7 @@ static void mac_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match mac_match = { - .family = NFPROTO_IPV4, - .name = "mac", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_mac_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)), - .help = mac_help, - .parse = mac_parse, - .final_check = mac_check, - .print = mac_print, - .save = mac_save, - .extra_opts = mac_opts, -}; - -static struct xtables_match mac_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "mac", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_mac_info)), @@ -142,5 +128,4 @@ static struct xtables_match mac_match6 = { void _init(void) { xtables_register_match(&mac_match); - xtables_register_match(&mac_match6); } diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c index 6f8cc570..fc3d6466 100644 --- a/extensions/libxt_mark.c +++ b/extensions/libxt_mark.c @@ -143,38 +143,38 @@ mark_save(const void *ip, const struct xt_entry_match *match) print_mark(info->mark, info->mask); } -static struct xtables_match mark_match = { - .family = NFPROTO_UNSPEC, - .name = "mark", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_mark_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)), - .help = mark_mt_help, - .parse = mark_parse, - .final_check = mark_mt_check, - .print = mark_print, - .save = mark_save, - .extra_opts = mark_mt_opts, -}; - -static struct xtables_match mark_mt_reg = { - .version = XTABLES_VERSION, - .name = "mark", - .revision = 1, - .family = NFPROTO_UNSPEC, - .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), - .help = mark_mt_help, - .parse = mark_mt_parse, - .final_check = mark_mt_check, - .print = mark_mt_print, - .save = mark_mt_save, - .extra_opts = mark_mt_opts, +static struct xtables_match mark_mt_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "mark", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_mark_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)), + .help = mark_mt_help, + .parse = mark_parse, + .final_check = mark_mt_check, + .print = mark_print, + .save = mark_save, + .extra_opts = mark_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "mark", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), + .help = mark_mt_help, + .parse = mark_mt_parse, + .final_check = mark_mt_check, + .print = mark_mt_print, + .save = mark_mt_save, + .extra_opts = mark_mt_opts, + }, }; void _init(void) { - xtables_register_match(&mark_match); - xtables_register_match(&mark_mt_reg); + xtables_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg)); } diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c index 9959a20e..d9b6e741 100644 --- a/extensions/libxt_multiport.c +++ b/extensions/libxt_multiport.c @@ -509,71 +509,67 @@ static void multiport_save6_v1(const void *ip_void, __multiport_save_v1(match, ip->proto); } -static struct xtables_match multiport_match = { - .family = NFPROTO_IPV4, - .name = "multiport", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_multiport)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), - .help = multiport_help, - .parse = multiport_parse, - .final_check = multiport_check, - .print = multiport_print, - .save = multiport_save, - .extra_opts = multiport_opts, -}; - -static struct xtables_match multiport_match6 = { - .family = NFPROTO_IPV6, - .name = "multiport", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_multiport)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), - .help = multiport_help, - .parse = multiport_parse6, - .final_check = multiport_check, - .print = multiport_print6, - .save = multiport_save6, - .extra_opts = multiport_opts, -}; - -static struct xtables_match multiport_match_v1 = { - .family = NFPROTO_IPV4, - .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .help = multiport_help_v1, - .parse = multiport_parse_v1, - .final_check = multiport_check, - .print = multiport_print_v1, - .save = multiport_save_v1, - .extra_opts = multiport_opts, -}; - -static struct xtables_match multiport_match6_v1 = { - .family = NFPROTO_IPV6, - .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .help = multiport_help_v1, - .parse = multiport_parse6_v1, - .final_check = multiport_check, - .print = multiport_print6_v1, - .save = multiport_save6_v1, - .extra_opts = multiport_opts, +static struct xtables_match multiport_mt_reg[] = { + { + .family = NFPROTO_IPV4, + .name = "multiport", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_multiport)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), + .help = multiport_help, + .parse = multiport_parse, + .final_check = multiport_check, + .print = multiport_print, + .save = multiport_save, + .extra_opts = multiport_opts, + }, + { + .family = NFPROTO_IPV6, + .name = "multiport", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_multiport)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), + .help = multiport_help, + .parse = multiport_parse6, + .final_check = multiport_check, + .print = multiport_print6, + .save = multiport_save6, + .extra_opts = multiport_opts, + }, + { + .family = NFPROTO_IPV4, + .name = "multiport", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .help = multiport_help_v1, + .parse = multiport_parse_v1, + .final_check = multiport_check, + .print = multiport_print_v1, + .save = multiport_save_v1, + .extra_opts = multiport_opts, + }, + { + .family = NFPROTO_IPV6, + .name = "multiport", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .help = multiport_help_v1, + .parse = multiport_parse6_v1, + .final_check = multiport_check, + .print = multiport_print6_v1, + .save = multiport_save6_v1, + .extra_opts = multiport_opts, + }, }; void _init(void) { - xtables_register_match(&multiport_match); - xtables_register_match(&multiport_match6); - xtables_register_match(&multiport_match_v1); - xtables_register_match(&multiport_match6_v1); + xtables_register_matches(multiport_mt_reg, ARRAY_SIZE(multiport_mt_reg)); } diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c index d27b3ae5..25441384 100644 --- a/extensions/libxt_owner.c +++ b/extensions/libxt_owner.c @@ -533,70 +533,52 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match) owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false); } -static struct xtables_match owner_mt_reg_v0 = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_owner_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)), - .help = owner_mt_help_v0, - .parse = owner_mt_parse_v0, - .final_check = owner_mt_check, - .print = owner_mt_print_v0, - .save = owner_mt_save_v0, - .extra_opts = owner_mt_opts_v0, -}; - -static struct xtables_match owner_mt6_reg_v0 = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 0, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct ip6t_owner_info)), - .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)), - .help = owner_mt6_help_v0, - .parse = owner_mt6_parse_v0, - .final_check = owner_mt_check, - .print = owner_mt6_print_v0, - .save = owner_mt6_save_v0, - .extra_opts = owner_mt6_opts_v0, -}; - -static struct xtables_match owner_mt_reg = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .help = owner_mt_help, - .parse = owner_mt_parse, - .final_check = owner_mt_check, - .print = owner_mt_print, - .save = owner_mt_save, - .extra_opts = owner_mt_opts, -}; - -static struct xtables_match owner_mt6_reg = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .help = owner_mt_help, - .parse = owner_mt_parse, - .final_check = owner_mt_check, - .print = owner_mt_print, - .save = owner_mt_save, - .extra_opts = owner_mt_opts, +static struct xtables_match owner_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "owner", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_owner_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)), + .help = owner_mt_help_v0, + .parse = owner_mt_parse_v0, + .final_check = owner_mt_check, + .print = owner_mt_print_v0, + .save = owner_mt_save_v0, + .extra_opts = owner_mt_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "owner", + .revision = 0, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct ip6t_owner_info)), + .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)), + .help = owner_mt6_help_v0, + .parse = owner_mt6_parse_v0, + .final_check = owner_mt_check, + .print = owner_mt6_print_v0, + .save = owner_mt6_save_v0, + .extra_opts = owner_mt6_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "owner", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), + .help = owner_mt_help, + .parse = owner_mt_parse, + .final_check = owner_mt_check, + .print = owner_mt_print, + .save = owner_mt_save, + .extra_opts = owner_mt_opts, + }, }; void _init(void) { - xtables_register_match(&owner_mt_reg_v0); - xtables_register_match(&owner_mt6_reg_v0); - xtables_register_match(&owner_mt_reg); - xtables_register_match(&owner_mt6_reg); + xtables_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg)); } diff --git a/extensions/libxt_physdev.c b/extensions/libxt_physdev.c index 5522a325..74d311da 100644 --- a/extensions/libxt_physdev.c +++ b/extensions/libxt_physdev.c @@ -161,21 +161,7 @@ static void physdev_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match physdev_match = { - .family = NFPROTO_IPV4, - .name = "physdev", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_physdev_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)), - .help = physdev_help, - .parse = physdev_parse, - .final_check = physdev_check, - .print = physdev_print, - .save = physdev_save, - .extra_opts = physdev_opts, -}; - -static struct xtables_match physdev_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "physdev", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_physdev_info)), @@ -191,5 +177,4 @@ static struct xtables_match physdev_match6 = { void _init(void) { xtables_register_match(&physdev_match); - xtables_register_match(&physdev_match6); } diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c index d17b1bbc..858eaaad 100644 --- a/extensions/libxt_policy.c +++ b/extensions/libxt_policy.c @@ -478,36 +478,36 @@ static void policy6_save(const void *ip, const struct xt_entry_match *match) } } -static struct xtables_match policy_mt_reg = { - .name = "policy", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_policy_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), - .help = policy_help, - .parse = policy4_parse, - .final_check = policy_check, - .print = policy4_print, - .save = policy4_save, - .extra_opts = policy_opts, -}; - -static struct xtables_match policy_mt6_reg = { - .name = "policy", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_policy_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), - .help = policy_help, - .parse = policy6_parse, - .final_check = policy_check, - .print = policy6_print, - .save = policy6_save, - .extra_opts = policy_opts, +static struct xtables_match policy_mt_reg[] = { + { + .name = "policy", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_policy_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), + .help = policy_help, + .parse = policy4_parse, + .final_check = policy_check, + .print = policy4_print, + .save = policy4_save, + .extra_opts = policy_opts, + }, + { + .name = "policy", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_policy_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), + .help = policy_help, + .parse = policy6_parse, + .final_check = policy_check, + .print = policy6_print, + .save = policy6_save, + .extra_opts = policy_opts, + }, }; void _init(void) { - xtables_register_match(&policy_mt_reg); - xtables_register_match(&policy_mt6_reg); + xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg)); } diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c index 47c35ff7..d503685c 100644 --- a/extensions/libxt_recent.c +++ b/extensions/libxt_recent.c @@ -215,7 +215,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match) static struct xtables_match recent_mt_reg = { .name = "recent", .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, + .family = NFPROTO_UNSPEC, .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), .help = recent_help, @@ -227,24 +227,7 @@ static struct xtables_match recent_mt_reg = { .extra_opts = recent_opts, }; -static struct xtables_match recent_mt6_reg = { - .version = XTABLES_VERSION, - .name = "recent", - .revision = 0, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), - .help = recent_help, - .init = recent_init, - .parse = recent_parse, - .final_check = recent_check, - .print = recent_print, - .save = recent_save, - .extra_opts = recent_opts, -}; - void _init(void) { xtables_register_match(&recent_mt_reg); - xtables_register_match(&recent_mt6_reg); } diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c index 829eade0..dfa72d3d 100644 --- a/extensions/libxt_sctp.c +++ b/extensions/libxt_sctp.c @@ -496,21 +496,7 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match) static struct xtables_match sctp_match = { .name = "sctp", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_sctp_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)), - .help = sctp_help, - .init = sctp_init, - .parse = sctp_parse, - .print = sctp_print, - .save = sctp_save, - .extra_opts = sctp_opts, -}; - -static struct xtables_match sctp_match6 = { - .name = "sctp", - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_sctp_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)), @@ -525,5 +511,4 @@ static struct xtables_match sctp_match6 = { void _init(void) { xtables_register_match(&sctp_match); - xtables_register_match(&sctp_match6); } diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c index eebc7c55..1490473b 100644 --- a/extensions/libxt_socket.c +++ b/extensions/libxt_socket.c @@ -3,34 +3,14 @@ * * Copyright (C) 2007 BalaBit IT Ltd. */ -#include <stdio.h> -#include <getopt.h> #include <xtables.h> -static void socket_mt_help(void) -{ - printf("socket v%s has no options\n\n", XTABLES_VERSION); -} - -static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - return 0; -} - -static void socket_mt_check(unsigned int flags) -{ -} - static struct xtables_match socket_mt_reg = { .name = "socket", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .parse = socket_mt_parse, - .final_check = socket_mt_check, - .help = socket_mt_help, }; void _init(void) diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c index 56dc2d29..c64ba297 100644 --- a/extensions/libxt_standard.c +++ b/extensions/libxt_standard.c @@ -1,10 +1,5 @@ /* Shared library add-on to iptables for standard target support. */ #include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <limits.h> -#include <getopt.h> #include <xtables.h> static void standard_help(void) @@ -14,12 +9,6 @@ static void standard_help(void) "(If target is DROP, ACCEPT, RETURN or nothing)\n"); } -static int standard_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} - static struct xtables_target standard_target = { .family = NFPROTO_UNSPEC, .name = "standard", @@ -27,7 +16,6 @@ static struct xtables_target standard_target = { .size = XT_ALIGN(sizeof(int)), .userspacesize = XT_ALIGN(sizeof(int)), .help = standard_help, - .parse = standard_parse, }; void _init(void) diff --git a/extensions/libxt_state.c b/extensions/libxt_state.c index 7387e264..c8a7454a 100644 --- a/extensions/libxt_state.c +++ b/extensions/libxt_state.c @@ -139,21 +139,7 @@ static void state_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match state_match = { - .family = NFPROTO_IPV4, - .name = "state", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_state_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)), - .help = state_help, - .parse = state_parse, - .final_check = state_final_check, - .print = state_print, - .save = state_save, - .extra_opts = state_opts, -}; - -static struct xtables_match state_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "state", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_state_info)), @@ -169,5 +155,4 @@ static struct xtables_match state_match6 = { void _init(void) { xtables_register_match(&state_match); - xtables_register_match(&state_match6); } diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c index 18e3ed25..62c3a97a 100644 --- a/extensions/libxt_string.c +++ b/extensions/libxt_string.c @@ -350,40 +350,40 @@ static void string_save(const void *ip, const struct xt_entry_match *match) } -static struct xtables_match string_match = { - .name = "string", - .revision = 0, - .family = NFPROTO_UNSPEC, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_string_info)), - .userspacesize = offsetof(struct xt_string_info, config), - .help = string_help, - .init = string_init, - .parse = string_parse, - .final_check = string_check, - .print = string_print, - .save = string_save, - .extra_opts = string_opts, -}; - -static struct xtables_match string_match_v1 = { - .name = "string", - .revision = 1, - .family = NFPROTO_UNSPEC, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_string_info)), - .userspacesize = offsetof(struct xt_string_info, config), - .help = string_help, - .init = string_init, - .parse = string_parse, - .final_check = string_check, - .print = string_print, - .save = string_save, - .extra_opts = string_opts, +static struct xtables_match string_mt_reg[] = { + { + .name = "string", + .revision = 0, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_string_info)), + .userspacesize = offsetof(struct xt_string_info, config), + .help = string_help, + .init = string_init, + .parse = string_parse, + .final_check = string_check, + .print = string_print, + .save = string_save, + .extra_opts = string_opts, + }, + { + .name = "string", + .revision = 1, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_string_info)), + .userspacesize = offsetof(struct xt_string_info, config), + .help = string_help, + .init = string_init, + .parse = string_parse, + .final_check = string_check, + .print = string_print, + .save = string_save, + .extra_opts = string_opts, + }, }; void _init(void) { - xtables_register_match(&string_match); - xtables_register_match(&string_match_v1); + xtables_register_matches(string_mt_reg, ARRAY_SIZE(string_mt_reg)); } diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index 5ea9ebd2..7abecc16 100644 --- a/extensions/libxt_tcp.c +++ b/extensions/libxt_tcp.c @@ -375,21 +375,7 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match tcp_match = { - .family = NFPROTO_IPV4, - .name = "tcp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_tcp)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tcp)), - .help = tcp_help, - .init = tcp_init, - .parse = tcp_parse, - .print = tcp_print, - .save = tcp_save, - .extra_opts = tcp_opts, -}; - -static struct xtables_match tcp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "tcp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_tcp)), @@ -406,5 +392,4 @@ void _init(void) { xtables_register_match(&tcp_match); - xtables_register_match(&tcp_match6); } diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c index 46529f97..36785a32 100644 --- a/extensions/libxt_tcpmss.c +++ b/extensions/libxt_tcpmss.c @@ -109,21 +109,7 @@ static void tcpmss_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match tcpmss_match = { - .family = NFPROTO_IPV4, - .name = "tcpmss", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)), - .help = tcpmss_help, - .parse = tcpmss_parse, - .final_check = tcpmss_check, - .print = tcpmss_print, - .save = tcpmss_save, - .extra_opts = tcpmss_opts, -}; - -static struct xtables_match tcpmss_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "tcpmss", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)), @@ -139,5 +125,4 @@ static struct xtables_match tcpmss_match6 = { void _init(void) { xtables_register_match(&tcpmss_match); - xtables_register_match(&tcpmss_match6); } diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c index b810ea6d..0a81f461 100644 --- a/extensions/libxt_tos.c +++ b/extensions/libxt_tos.c @@ -137,54 +137,38 @@ static void tos_mt_save(const void *ip, const struct xt_entry_match *match) printf("--tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask); } -static struct xtables_match tos_mt_reg_v0 = { - .version = XTABLES_VERSION, - .name = "tos", - .family = NFPROTO_IPV4, - .revision = 0, - .size = XT_ALIGN(sizeof(struct ipt_tos_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)), - .help = tos_mt_help, - .parse = tos_mt_parse_v0, - .final_check = tos_mt_check, - .print = tos_mt_print_v0, - .save = tos_mt_save_v0, - .extra_opts = tos_mt_opts, -}; - -static struct xtables_match tos_mt_reg = { - .version = XTABLES_VERSION, - .name = "tos", - .family = NFPROTO_IPV4, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .help = tos_mt_help, - .parse = tos_mt_parse, - .final_check = tos_mt_check, - .print = tos_mt_print, - .save = tos_mt_save, - .extra_opts = tos_mt_opts, -}; - -static struct xtables_match tos_mt6_reg = { - .version = XTABLES_VERSION, - .name = "tos", - .family = NFPROTO_IPV6, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .help = tos_mt_help, - .parse = tos_mt_parse, - .final_check = tos_mt_check, - .print = tos_mt_print, - .save = tos_mt_save, - .extra_opts = tos_mt_opts, +static struct xtables_match tos_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "tos", + .family = NFPROTO_IPV4, + .revision = 0, + .size = XT_ALIGN(sizeof(struct ipt_tos_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)), + .help = tos_mt_help, + .parse = tos_mt_parse_v0, + .final_check = tos_mt_check, + .print = tos_mt_print_v0, + .save = tos_mt_save_v0, + .extra_opts = tos_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "tos", + .family = NFPROTO_UNSPEC, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_tos_match_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)), + .help = tos_mt_help, + .parse = tos_mt_parse, + .final_check = tos_mt_check, + .print = tos_mt_print, + .save = tos_mt_save, + .extra_opts = tos_mt_opts, + }, }; void _init(void) { - xtables_register_match(&tos_mt_reg_v0); - xtables_register_match(&tos_mt_reg); - xtables_register_match(&tos_mt6_reg); + xtables_register_matches(tos_mt_reg, ARRAY_SIZE(tos_mt_reg)); } diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c index 4b4e84fb..bf0b34fb 100644 --- a/extensions/libxt_udp.c +++ b/extensions/libxt_udp.c @@ -191,21 +191,7 @@ static void udp_save(const void *ip, const struct xt_entry_match *match) } static struct xtables_match udp_match = { - .family = NFPROTO_IPV4, - .name = "udp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_udp)), - .userspacesize = XT_ALIGN(sizeof(struct xt_udp)), - .help = udp_help, - .init = udp_init, - .parse = udp_parse, - .print = udp_print, - .save = udp_save, - .extra_opts = udp_opts, -}; - -static struct xtables_match udp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "udp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_udp)), @@ -222,5 +208,4 @@ void _init(void) { xtables_register_match(&udp_match); - xtables_register_match(&udp_match6); } diff --git a/include/xtables.h.in b/include/xtables.h.in index 4d4ca0a6..3955716d 100644 --- a/include/xtables.h.in +++ b/include/xtables.h.in @@ -90,9 +90,7 @@ struct xtables_match unsigned int option_offset; struct xt_entry_match *m; unsigned int mflags; -#ifdef NO_SHARED_LIBS unsigned int loaded; /* simulate loading so options are merged properly */ -#endif }; struct xtables_target @@ -152,9 +150,7 @@ struct xtables_target struct xt_entry_target *t; unsigned int tflags; unsigned int used; -#ifdef NO_SHARED_LIBS unsigned int loaded; /* simulate loading so options are merged properly */ -#endif }; struct xtables_rule_match { @@ -215,6 +211,7 @@ extern void xtables_init(void); extern void xtables_set_nfproto(uint8_t); extern void *xtables_calloc(size_t, size_t); extern void *xtables_malloc(size_t); +extern void *xtables_realloc(void *, size_t); extern int xtables_insmod(const char *, const char *, bool); extern int xtables_load_ko(const char *, bool); @@ -232,7 +229,9 @@ extern struct xtables_target *xtables_find_target(const char *name, /* Your shared library should call one of these. */ extern void xtables_register_match(struct xtables_match *me); +extern void xtables_register_matches(struct xtables_match *, unsigned int); extern void xtables_register_target(struct xtables_target *me); +extern void xtables_register_targets(struct xtables_target *, unsigned int); extern bool xtables_strtoul(const char *, char **, unsigned long *, unsigned long, unsigned long); @@ -260,6 +259,8 @@ extern struct in_addr *xtables_numeric_to_ipaddr(const char *); extern struct in_addr *xtables_numeric_to_ipmask(const char *); extern void xtables_ipparse_any(const char *, struct in_addr **, struct in_addr *, unsigned int *); +extern void xtables_ipparse_multiple(const char *, struct in_addr **, + struct in_addr **, unsigned int *); extern struct in6_addr *xtables_numeric_to_ip6addr(const char *); extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *); @@ -267,6 +268,8 @@ extern const char *xtables_ip6addr_to_anyname(const struct in6_addr *); extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *); extern void xtables_ip6parse_any(const char *, struct in6_addr **, struct in6_addr *, unsigned int *); +extern void xtables_ip6parse_multiple(const char *, struct in6_addr **, + struct in6_addr **, unsigned int *); /** * Print the specified value to standard output, quoting dangerous @@ -274,7 +277,7 @@ extern void xtables_ip6parse_any(const char *, struct in6_addr **, */ extern void xtables_save_string(const char *value); -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) # ifdef _INIT # undef _init # define _init _INIT diff --git a/ip6tables-multi.c b/ip6tables-multi.c index 3313bfdc..671558c5 100644 --- a/ip6tables-multi.c +++ b/ip6tables-multi.c @@ -7,26 +7,39 @@ int ip6tables_main(int argc, char **argv); int ip6tables_save_main(int argc, char **argv); int ip6tables_restore_main(int argc, char **argv); -int main(int argc, char **argv) { - char *progname; +int main(int argc, char **argv) +{ + char *progname; - if (argc == 0) { - fprintf(stderr, "no argv[0]?"); - exit(1); - } else { - progname = basename(argv[0]); + if (argc < 1) { + fprintf(stderr, "ERROR: This should not happen.\n"); + exit(EXIT_FAILURE); + } - if (!strcmp(progname, "ip6tables") || - strcmp(progname, "ip6tables-static") == 0) - return ip6tables_main(argc, argv); - - if (!strcmp(progname, "ip6tables-save")) - return ip6tables_save_main(argc, argv); - - if (!strcmp(progname, "ip6tables-restore")) - return ip6tables_restore_main(argc, argv); - - fprintf(stderr, "ip6tables multi-purpose version: unknown applet name %s\n", progname); - exit(1); - } + progname = basename(argv[0]); + if (strcmp(progname, "ip6tables") == 0) + return ip6tables_main(argc, argv); + if (strcmp(progname, "ip6tables-save") == 0) + return ip6tables_save_main(argc, argv); + if (strcmp(progname, "ip6tables-restore") == 0) + return ip6tables_restore_main(argc, argv); + + ++argv; + --argc; + if (argc < 1) { + fprintf(stderr, "ERROR: No subcommand given.\n"); + exit(EXIT_FAILURE); + } + + progname = basename(argv[0]); + if (strcmp(progname, "main") == 0) + return ip6tables_main(argc, argv); + if (strcmp(progname, "save") == 0) + return ip6tables_save_main(argc, argv); + if (strcmp(progname, "restore") == 0) + return ip6tables_restore_main(argc, argv); + + fprintf(stderr, "ip6tables multi-purpose version: " + "unknown subcommand \"%s\"\n", progname); + exit(EXIT_FAILURE); } diff --git a/ip6tables-restore.c b/ip6tables-restore.c index 06a82aec..d0efbeed 100644 --- a/ip6tables-restore.c +++ b/ip6tables-restore.c @@ -137,7 +137,7 @@ int main(int argc, char *argv[]) ip6tables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff --git a/ip6tables-save.c b/ip6tables-save.c index c59608fb..dc189e99 100644 --- a/ip6tables-save.c +++ b/ip6tables-save.c @@ -148,7 +148,7 @@ int main(int argc, char *argv[]) ip6tables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c index 649ac3d8..8661bd9c 100644 --- a/ip6tables-standalone.c +++ b/ip6tables-standalone.c @@ -58,7 +58,7 @@ main(int argc, char *argv[]) exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff --git a/ip6tables.8.in b/ip6tables.8.in index a31887e8..8037dc7d 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -248,6 +248,9 @@ specifying the number of 1's at the left side of the network mask. A "!" argument before the address specification inverts the sense of the address. The flag \fB\-\-src\fP is an alias for this option. +Multiple addresses can be specified, but this will \fBexpand to multiple +rules\fP (when adding with \-A), or will cause multiple rules to be +deleted (with \-D). .TP [\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP] Destination specification. diff --git a/ip6tables.c b/ip6tables.c index 35067f8b..f974fb15 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -43,6 +43,7 @@ #include <sys/types.h> #include <sys/socket.h> #include "ip6tables-multi.h" +#include "xshared.h" #ifndef TRUE #define TRUE 1 @@ -235,9 +236,6 @@ exit_tryhelp(int status) static void exit_printhelp(struct xtables_rule_match *matches) { - struct xtables_rule_match *matchp = NULL; - struct xtables_target *t = NULL; - printf("%s v%s\n\n" "Usage: %s -[AD] chain rule-specification [options]\n" " %s -I chain [rulenum] rule-specification [options]\n" @@ -281,9 +279,9 @@ exit_printhelp(struct xtables_rule_match *matches) "Options:\n" "[!] --proto -p proto protocol: by number or name, eg. `tcp'\n" -"[!] --source -s address[/mask]\n" +"[!] --source -s address[/mask][,...]\n" " source specification\n" -"[!] --destination -d address[/mask]\n" +"[!] --destination -d address[/mask][,...]\n" " destination specification\n" "[!] --in-interface -i input name[+]\n" " network interface name ([+] for wildcard)\n" @@ -307,19 +305,7 @@ exit_printhelp(struct xtables_rule_match *matches) " --set-counters PKTS BYTES set the counter during insert/append\n" "[!] --version -V print package version.\n"); - /* Print out any special helps. A user might like to be able to add a --help - to the commandline, and see expected results. So we call help for all - specified matches & targets */ - for (t = xtables_targets; t; t = t->next) { - if (t->used) { - printf("\n"); - t->help(); - } - } - for (matchp = matches; matchp; matchp = matchp->next) { - printf("\n"); - matchp->match->help(); - } + print_extension_helps(xtables_targets, matches); exit(0); } @@ -740,8 +726,10 @@ append_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle) { @@ -750,8 +738,10 @@ append_entry(const ip6t_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_append_entry(chain, fw, handle); @@ -784,8 +774,10 @@ insert_entry(const ip6t_chainlabel chain, unsigned int rulenum, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle) { @@ -794,8 +786,10 @@ insert_entry(const ip6t_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_insert_entry(chain, fw, rulenum, handle); @@ -806,7 +800,7 @@ insert_entry(const ip6t_chainlabel chain, } static unsigned char * -make_delete_mask(struct ip6t_entry *fw, struct xtables_rule_match *matches) +make_delete_mask(struct xtables_rule_match *matches) { /* Establish mask for comparison */ unsigned int size; @@ -843,8 +837,10 @@ delete_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle, struct xtables_rule_match *matches) @@ -853,11 +849,13 @@ delete_entry(const ip6t_chainlabel chain, int ret = 1; unsigned char *mask; - mask = make_delete_mask(fw, matches); + mask = make_delete_mask(matches); for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_delete_entry(chain, fw, mask, handle); @@ -1291,9 +1289,9 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand int invert = 0; unsigned int nsaddrs = 0, ndaddrs = 0; struct in6_addr *saddrs = NULL, *daddrs = NULL; + struct in6_addr *smasks = NULL, *dmasks = NULL; int c, verbose = 0; - unsigned i; const char *chain = NULL; const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; const char *policy = NULL, *newname = NULL; @@ -1687,13 +1685,14 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand exit_tryhelp(2); default: - if (!target - || !(target->parse(c - target->option_offset, + if (target == NULL || target->parse == NULL || + !target->parse(c - target->option_offset, argv, invert, &target->tflags, - &fw, &target->t))) { + &fw, &target->t)) { for (matchp = matches; matchp; matchp = matchp->next) { - if (matchp->completed) + if (matchp->completed || + matchp->match->parse == NULL) continue; if (matchp->match->parse(c - matchp->match->option_offset, argv, invert, @@ -1811,12 +1810,12 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand } if (shostnetworkmask) - xtables_ip6parse_any(shostnetworkmask, &saddrs, - &fw.ipv6.smsk, &nsaddrs); + xtables_ip6parse_multiple(shostnetworkmask, &saddrs, + &smasks, &nsaddrs); if (dhostnetworkmask) - xtables_ip6parse_any(dhostnetworkmask, &daddrs, - &fw.ipv6.dmsk, &ndaddrs); + xtables_ip6parse_multiple(dhostnetworkmask, &daddrs, + &dmasks, &ndaddrs); if ((nsaddrs > 1 || ndaddrs > 1) && (fw.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP))) @@ -1921,13 +1920,15 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand switch (command) { case CMD_APPEND: ret = append_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; case CMD_DELETE: ret = delete_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle, matches); break; @@ -1941,7 +1942,8 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; @@ -2001,12 +2003,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand e = NULL; } - for (i = 0; i < nsaddrs; i++) - free(&saddrs[i]); - - for (i = 0; i < ndaddrs; i++) - free(&daddrs[i]); - + free(saddrs); + free(smasks); + free(daddrs); + free(dmasks); xtables_free_opts(1); return ret; diff --git a/iptables-multi.c b/iptables-multi.c index 28c1737c..4dcc26de 100644 --- a/iptables-multi.c +++ b/iptables-multi.c @@ -8,29 +8,43 @@ int iptables_save_main(int argc, char **argv); int iptables_restore_main(int argc, char **argv); int iptables_xml_main(int argc, char **argv); -int main(int argc, char **argv) { - char *progname; +int main(int argc, char **argv) +{ + char *progname; - if (argc == 0) { - fprintf(stderr, "no argv[0]?"); - exit(1); - } else { - progname = basename(argv[0]); + if (argc < 1) { + fprintf(stderr, "ERROR: This should not happen.\n"); + exit(EXIT_FAILURE); + } - if (!strcmp(progname, "iptables") || - strcmp(progname, "iptables-static") == 0) - return iptables_main(argc, argv); - - if (!strcmp(progname, "iptables-save")) - return iptables_save_main(argc, argv); - - if (!strcmp(progname, "iptables-restore")) - return iptables_restore_main(argc, argv); - - if (!strcmp(progname, "iptables-xml")) - return iptables_xml_main(argc, argv); - - fprintf(stderr, "iptables multi-purpose version: unknown applet name %s\n", progname); - exit(1); - } + progname = basename(argv[0]); + if (strcmp(progname, "iptables") == 0) + return iptables_main(argc, argv); + if (strcmp(progname, "iptables-save") == 0) + return iptables_save_main(argc, argv); + if (strcmp(progname, "iptables-restore") == 0) + return iptables_restore_main(argc, argv); + if (strcmp(progname, "iptables-xml") == 0) + return iptables_xml_main(argc, argv); + + ++argv; + --argc; + if (argc < 1) { + fprintf(stderr, "ERROR: No subcommand given.\n"); + exit(EXIT_FAILURE); + } + + progname = basename(argv[0]); + if (strcmp(progname, "main") == 0) + return iptables_main(argc, argv); + if (strcmp(progname, "save") == 0) + return iptables_save_main(argc, argv); + if (strcmp(progname, "restore") == 0) + return iptables_restore_main(argc, argv); + if (strcmp(progname, "xml") == 0) + return iptables_xml_main(argc, argv); + + fprintf(stderr, "iptables multi-purpose version: " + "unknown subcommand \"%s\"\n", progname); + exit(EXIT_FAILURE); } diff --git a/iptables-restore.c b/iptables-restore.c index 5108fda6..86d63e28 100644 --- a/iptables-restore.c +++ b/iptables-restore.c @@ -140,7 +140,7 @@ main(int argc, char *argv[]) iptables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff --git a/iptables-save.c b/iptables-save.c index f63ee6b1..3bcf4227 100644 --- a/iptables-save.c +++ b/iptables-save.c @@ -148,7 +148,7 @@ main(int argc, char *argv[]) iptables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff --git a/iptables-standalone.c b/iptables-standalone.c index 91853884..1f60e314 100644 --- a/iptables-standalone.c +++ b/iptables-standalone.c @@ -58,7 +58,7 @@ main(int argc, char *argv[]) iptables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff --git a/iptables.8.in b/iptables.8.in index 10dcb734..14fc23ad 100644 --- a/iptables.8.in +++ b/iptables.8.in @@ -236,7 +236,7 @@ Protocol \fBall\fP will match with all protocols and is taken as default when this option is omitted. .TP -[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] Source specification. \fIAddress\fP can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), @@ -247,8 +247,11 @@ specifying the number of 1's at the left side of the network mask. Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP. A "!" argument before the address specification inverts the sense of the address. The flag \fB\-\-src\fP is an alias for this option. +Multiple addresses can be specified, but this will \fBexpand to multiple +rules\fP (when adding with \-A), or will cause multiple rules to be +deleted (with \-D). .TP -[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] Destination specification. See the description of the \fB\-s\fP (source) flag for a detailed description of the syntax. The flag @@ -40,6 +40,7 @@ #include <xtables.h> #include <fcntl.h> #include <sys/utsname.h> +#include "xshared.h" #ifndef TRUE #define TRUE 1 @@ -248,9 +249,6 @@ exit_tryhelp(int status) static void exit_printhelp(struct xtables_rule_match *matches) { - struct xtables_rule_match *matchp = NULL; - struct xtables_target *t = NULL; - printf("%s v%s\n\n" "Usage: %s -[AD] chain rule-specification [options]\n" " %s -I chain [rulenum] rule-specification [options]\n" @@ -294,9 +292,9 @@ exit_printhelp(struct xtables_rule_match *matches) "Options:\n" "[!] --proto -p proto protocol: by number or name, eg. `tcp'\n" -"[!] --source -s address[/mask]\n" +"[!] --source -s address[/mask][...]\n" " source specification\n" -"[!] --destination -d address[/mask]\n" +"[!] --destination -d address[/mask][...]\n" " destination specification\n" "[!] --in-interface -i input name[+]\n" " network interface name ([+] for wildcard)\n" @@ -320,19 +318,7 @@ exit_printhelp(struct xtables_rule_match *matches) " --set-counters PKTS BYTES set the counter during insert/append\n" "[!] --version -V print package version.\n"); - /* Print out any special helps. A user might like to be able - to add a --help to the commandline, and see expected - results. So we call help for all specified matches & targets */ - for (t = xtables_targets; t ;t = t->next) { - if (t->used) { - printf("\n"); - t->help(); - } - } - for (matchp = matches; matchp; matchp = matchp->next) { - printf("\n"); - matchp->match->help(); - } + print_extension_helps(xtables_targets, matches); exit(0); } @@ -742,8 +728,10 @@ append_entry(const ipt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr saddrs[], + const struct in_addr smasks[], unsigned int ndaddrs, const struct in_addr daddrs[], + const struct in_addr dmasks[], int verbose, struct iptc_handle *handle) { @@ -752,8 +740,10 @@ append_entry(const ipt_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrs[i].s_addr; + fw->ip.smsk.s_addr = smasks[i].s_addr; for (j = 0; j < ndaddrs; j++) { fw->ip.dst.s_addr = daddrs[j].s_addr; + fw->ip.dmsk.s_addr = dmasks[j].s_addr; if (verbose) print_firewall_line(fw, handle); ret &= iptc_append_entry(chain, fw, handle); @@ -786,8 +776,10 @@ insert_entry(const ipt_chainlabel chain, unsigned int rulenum, unsigned int nsaddrs, const struct in_addr saddrs[], + const struct in_addr smasks[], unsigned int ndaddrs, const struct in_addr daddrs[], + const struct in_addr dmasks[], int verbose, struct iptc_handle *handle) { @@ -796,8 +788,10 @@ insert_entry(const ipt_chainlabel chain, for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrs[i].s_addr; + fw->ip.smsk.s_addr = smasks[i].s_addr; for (j = 0; j < ndaddrs; j++) { fw->ip.dst.s_addr = daddrs[j].s_addr; + fw->ip.dmsk.s_addr = dmasks[j].s_addr; if (verbose) print_firewall_line(fw, handle); ret &= iptc_insert_entry(chain, fw, rulenum, handle); @@ -808,7 +802,7 @@ insert_entry(const ipt_chainlabel chain, } static unsigned char * -make_delete_mask(struct ipt_entry *fw, struct xtables_rule_match *matches) +make_delete_mask(struct xtables_rule_match *matches) { /* Establish mask for comparison */ unsigned int size; @@ -845,8 +839,10 @@ delete_entry(const ipt_chainlabel chain, struct ipt_entry *fw, unsigned int nsaddrs, const struct in_addr saddrs[], + const struct in_addr smasks[], unsigned int ndaddrs, const struct in_addr daddrs[], + const struct in_addr dmasks[], int verbose, struct iptc_handle *handle, struct xtables_rule_match *matches) @@ -855,11 +851,13 @@ delete_entry(const ipt_chainlabel chain, int ret = 1; unsigned char *mask; - mask = make_delete_mask(fw, matches); + mask = make_delete_mask(matches); for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrs[i].s_addr; + fw->ip.smsk.s_addr = smasks[i].s_addr; for (j = 0; j < ndaddrs; j++) { fw->ip.dst.s_addr = daddrs[j].s_addr; + fw->ip.dmsk.s_addr = dmasks[j].s_addr; if (verbose) print_firewall_line(fw, handle); ret &= iptc_delete_entry(chain, fw, mask, handle); @@ -1313,7 +1311,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle struct ipt_entry fw, *e = NULL; int invert = 0; unsigned int nsaddrs = 0, ndaddrs = 0; - struct in_addr *saddrs = NULL, *daddrs = NULL; + struct in_addr *saddrs = NULL, *smasks = NULL; + struct in_addr *daddrs = NULL, *dmasks = NULL; int c, verbose = 0; const char *chain = NULL; @@ -1714,13 +1713,14 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle exit_tryhelp(2); default: - if (!target - || !(target->parse(c - target->option_offset, + if (target == NULL || target->parse == NULL || + !target->parse(c - target->option_offset, argv, invert, &target->tflags, - &fw, &target->t))) { + &fw, &target->t)) { for (matchp = matches; matchp; matchp = matchp->next) { - if (matchp->completed) + if (matchp->completed || + matchp->match->parse == NULL) continue; if (matchp->match->parse(c - matchp->match->option_offset, argv, invert, @@ -1848,12 +1848,12 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle } if (shostnetworkmask) - xtables_ipparse_any(shostnetworkmask, &saddrs, - &fw.ip.smsk, &nsaddrs); + xtables_ipparse_multiple(shostnetworkmask, &saddrs, + &smasks, &nsaddrs); if (dhostnetworkmask) - xtables_ipparse_any(dhostnetworkmask, &daddrs, - &fw.ip.dmsk, &ndaddrs); + xtables_ipparse_multiple(dhostnetworkmask, &daddrs, + &dmasks, &ndaddrs); if ((nsaddrs > 1 || ndaddrs > 1) && (fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) @@ -1961,13 +1961,15 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle switch (command) { case CMD_APPEND: ret = append_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; case CMD_DELETE: ret = delete_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle, matches); break; @@ -1981,7 +1983,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; @@ -2042,7 +2045,9 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle } free(saddrs); + free(smasks); free(daddrs); + free(dmasks); xtables_free_opts(1); return ret; diff --git a/xshared.c b/xshared.c new file mode 100644 index 00000000..21b5b2cb --- /dev/null +++ b/xshared.c @@ -0,0 +1,31 @@ +#include <stdio.h> +#include <xtables.h> +#include "xshared.h" + +/* + * Print out any special helps. A user might like to be able to add a --help + * to the commandline, and see expected results. So we call help for all + * specified matches and targets. + */ +void print_extension_helps(const struct xtables_target *t, + const struct xtables_rule_match *m) +{ + for (; t != NULL; t = t->next) { + if (t->used) { + printf("\n"); + if (t->help == NULL) + printf("%s does not take any options\n", + t->name); + else + t->help(); + } + } + for (; m != NULL; m = m->next) { + printf("\n"); + if (m->match->help == NULL) + printf("%s does not take any options\n", + m->match->name); + else + m->match->help(); + } +} diff --git a/xshared.h b/xshared.h new file mode 100644 index 00000000..c53b618f --- /dev/null +++ b/xshared.h @@ -0,0 +1,10 @@ +#ifndef IPTABLES_XSHARED_H +#define IPTABLES_XSHARED_H 1 + +struct xtables_rule_match; +struct xtables_target; + +extern void print_extension_helps(const struct xtables_target *, + const struct xtables_rule_match *); + +#endif /* IPTABLES_XSHARED_H */ @@ -271,6 +271,18 @@ void *xtables_malloc(size_t size) return p; } +void *xtables_realloc(void *ptr, size_t size) +{ + void *p; + + if ((p = realloc(ptr, size)) == NULL) { + perror("ip[6]tables: realloc failed"); + exit(1); + } + + return p; +} + static char *get_modprobe(void) { int procfile; @@ -712,6 +724,11 @@ void xtables_register_match(struct xtables_match *me) { struct xtables_match **i, *old; + if (me->version == NULL) { + fprintf(stderr, "%s: match %s<%u> is missing a version\n", + xt_params->program_name, me->name, me->revision); + exit(1); + } if (strcmp(me->version, XTABLES_VERSION) != 0) { fprintf(stderr, "%s: match \"%s\" has version \"%s\", " "but \"%s\" is required.\n", @@ -782,10 +799,22 @@ void xtables_register_match(struct xtables_match *me) me->mflags = 0; } +void xtables_register_matches(struct xtables_match *match, unsigned int n) +{ + do { + xtables_register_match(&match[--n]); + } while (n > 0); +} + void xtables_register_target(struct xtables_target *me) { struct xtables_target *old; + if (me->version == NULL) { + fprintf(stderr, "%s: target %s<%u> is missing a version\n", + xt_params->program_name, me->name, me->revision); + exit(1); + } if (strcmp(me->version, XTABLES_VERSION) != 0) { fprintf(stderr, "%s: target \"%s\" has version \"%s\", " "but \"%s\" is required.\n", @@ -856,6 +885,13 @@ void xtables_register_target(struct xtables_target *me) me->tflags = 0; } +void xtables_register_targets(struct xtables_target *target, unsigned int n) +{ + do { + xtables_register_target(&target[--n]); + } while (n > 0); +} + /** * xtables_param_act - act on condition * @status: a constant from enum xtables_exittype @@ -1133,6 +1169,86 @@ static struct in_addr *parse_ipmask(const char *mask) return &maskaddr; } +void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp, + struct in_addr **maskpp, unsigned int *naddrs) +{ + struct in_addr *addrp; + char buf[256], *p; + unsigned int len, i, j, n, count = 1; + const char *loop = name; + + while ((loop = strchr(loop, ',')) != NULL) { + ++count; + ++loop; /* skip ',' */ + } + + *addrpp = xtables_malloc(sizeof(struct in_addr) * count); + *maskpp = xtables_malloc(sizeof(struct in_addr) * count); + + loop = name; + + for (i = 0; i < count; ++i) { + if (loop == NULL) + break; + if (*loop == ',') + ++loop; + if (*loop == '\0') + break; + p = strchr(loop, ','); + if (p != NULL) + len = p - loop; + else + len = strlen(loop); + if (len == 0 || sizeof(buf) - 1 < len) + break; + + strncpy(buf, loop, len); + buf[len] = '\0'; + loop += len; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + addrp = parse_ipmask(p + 1); + } else { + addrp = parse_ipmask(NULL); + } + memcpy(*maskpp + i, addrp, sizeof(*addrp)); + + /* if a null mask is given, the name is ignored, like in "any/0" */ + if ((*maskpp + i)->s_addr == 0) + /* + * A bit pointless to process multiple addresses + * in this case... + */ + strcpy(buf, "0.0.0.0"); + + addrp = ipparse_hostnetwork(buf, &n); + if (n > 1) { + count += n - 1; + *addrpp = xtables_realloc(*addrpp, + sizeof(struct in_addr) * count); + *maskpp = xtables_realloc(*maskpp, + sizeof(struct in_addr) * count); + for (j = 0; j < n; ++j) + /* for each new addr */ + memcpy(*addrpp + i + j, addrp + j, + sizeof(*addrp)); + for (j = 1; j < n; ++j) + /* for each new mask */ + memcpy(*maskpp + i + j, *maskpp + i, + sizeof(*addrp)); + i += n - 1; + } else { + memcpy(*addrpp + i, addrp, sizeof(*addrp)); + } + /* free what ipparse_hostnetwork had allocated: */ + free(addrp); + } + *naddrs = count; + for (i = 0; i < n; ++i) + (*addrpp+i)->s_addr &= (*maskpp+i)->s_addr; +} + + /** * xtables_ipparse_any - transform arbitrary name to in_addr * @@ -1364,6 +1480,89 @@ static struct in6_addr *parse_ip6mask(char *mask) return &maskaddr; } +void +xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp, + struct in6_addr **maskpp, unsigned int *naddrs) +{ + struct in6_addr *addrp; + char buf[256], *p; + unsigned int len, i, j, n, count = 1; + const char *loop = name; + + while ((loop = strchr(loop, ',')) != NULL) { + ++count; + ++loop; /* skip ',' */ + } + + *addrpp = xtables_malloc(sizeof(struct in6_addr) * count); + *maskpp = xtables_malloc(sizeof(struct in6_addr) * count); + + loop = name; + + for (i = 0; i < count /*NB: count can grow*/; ++i) { + if (loop == NULL) + break; + if (*loop == ',') + ++loop; + if (*loop == '\0') + break; + p = strchr(loop, ','); + if (p != NULL) + len = p - loop; + else + len = strlen(loop); + if (len == 0 || sizeof(buf) - 1 < len) + break; + + strncpy(buf, loop, len); + buf[len] = '\0'; + loop += len; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + addrp = parse_ip6mask(p + 1); + } else { + addrp = parse_ip6mask(NULL); + } + memcpy(*maskpp + i, addrp, sizeof(*addrp)); + + /* if a null mask is given, the name is ignored, like in "any/0" */ + if (memcmp(*maskpp + i, &in6addr_any, sizeof(in6addr_any)) == 0) + strcpy(buf, "::"); + + addrp = ip6parse_hostnetwork(buf, &n); + /* ip6parse_hostnetwork only ever returns one IP + address (it exits if the resolution fails). + Therefore, n will always be 1 here. Leaving the + code below in anyway in case ip6parse_hostnetwork + is improved some day to behave like + ipparse_hostnetwork: */ + if (n > 1) { + count += n - 1; + *addrpp = xtables_realloc(*addrpp, + sizeof(struct in6_addr) * count); + *maskpp = xtables_realloc(*maskpp, + sizeof(struct in6_addr) * count); + for (j = 0; j < n; ++j) + /* for each new addr */ + memcpy(*addrpp + i + j, addrp + j, + sizeof(*addrp)); + for (j = 1; j < n; ++j) + /* for each new mask */ + memcpy(*maskpp + i + j, *maskpp + i, + sizeof(*addrp)); + i += n - 1; + } else { + memcpy(*addrpp + i, addrp, sizeof(*addrp)); + } + /* free what ip6parse_hostnetwork had allocated: */ + free(addrp); + } + *naddrs = count; + for (i = 0; i < n; ++i) + for (j = 0; j < 4; ++j) + (*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j]; +} + void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp, struct in6_addr *maskp, unsigned int *naddrs) { |