Diffstat (limited to 'extensions')
-rw-r--r--extensions/GNUmakefile.in59
-rw-r--r--extensions/libipt_DNAT.c2
-rw-r--r--extensions/libipt_DNAT.man2
-rw-r--r--extensions/libipt_SNAT.c2
-rw-r--r--extensions/libipt_SNAT.man2
-rw-r--r--extensions/libxt_SET.c207
-rw-r--r--extensions/libxt_SET.man8
-rw-r--r--extensions/libxt_set.c52
-rw-r--r--extensions/libxt_set.h7
9 files changed, 260 insertions, 81 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index b96bd11f..a511a39a 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -51,11 +51,13 @@ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
#
# Building blocks
#
-targets := libext4.a libext6.a matches4.man matches6.man \
+targets := libext.a libext4.a libext6.a \
+ matches4.man matches6.man \
targets4.man targets6.man
targets_install :=
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
@@ -70,7 +72,7 @@ install: ${targets_install}
if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
clean:
- rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext4.c initext6.c;
+ rm -f *.o *.oo *.so *.a {matches,targets}[46].man initext.c initext4.c initext6.c;
distclean: clean
rm -f .*.d .*.dd;
@@ -101,26 +103,35 @@ lib%.oo: ${srcdir}/lib%.c
lib%.o: ${srcdir}/lib%.c
${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
+libext.a: initext.o ${libext_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
libext4.a: initext4.o ${libext4_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
libext6.a: initext6.o ${libext6_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^;
-initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
-initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
+initext_func := $(addprefix xt_,${pfx_build_mod})
+initext4_func := $(addprefix ipt_,${pf4_build_mod})
+initext6_func := $(addprefix ip6t_,${pf6_build_mod})
-.initext4.dd: FORCE
+.initext.dd: FORCE
@echo "${initext_func}" >$@.tmp; \
cmp -s $@ $@.tmp || mv $@.tmp $@; \
rm -f $@.tmp;
+.initext4.dd: FORCE
+ @echo "${initext4_func}" >$@.tmp; \
+ cmp -s $@ $@.tmp || mv $@.tmp $@; \
+ rm -f $@.tmp;
+
.initext6.dd: FORCE
@echo "${initext6_func}" >$@.tmp; \
cmp -s $@ $@.tmp || mv $@.tmp $@; \
rm -f $@.tmp;
-initext4.c: .initext4.dd
+initext.c: .initext.dd
${AM_VERBOSE_GEN}
@( \
echo "" >$@; \
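Review bot: The three sentinel recipes for `.initext.dd`, `.initext4.dd` and `.initext6.dd` are copies of one another that differ only in the variable being echoed, and the hunk adds a second copy where there was one. This file already keeps a shared recipe in a `$(call)` template (`man_run`), so the same idiom would hold the compare-and-replace logic in a single place; a `%` pattern rule cannot be used here because the stem for `.initext.dd` would be empty. The `initext.c` rule at the end of the hunk continues outside it.
```make
# Write the init-function list to $@, replacing it only when the content
# changed so that dependants are not rebuilt needlessly.  $(1): the list.
dd_run = \
	@echo "$(1)" >$@.tmp; \
	cmp -s $@ $@.tmp || mv $@.tmp $@; \
	rm -f $@.tmp;

.initext.dd: FORCE
	$(call dd_run,${initext_func})

.initext4.dd: FORCE
	$(call dd_run,${initext4_func})

.initext6.dd: FORCE
	$(call dd_run,${initext6_func})
```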
@@ -136,6 +147,22 @@ initext4.c: .initext4.dd
echo "}" >>$@; \
);
+initext4.c: .initext4.dd
+ ${AM_VERBOSE_GEN}
+ @( \
+ echo "" >$@; \
+ for i in ${initext4_func}; do \
+ echo "extern void lib$${i}_init(void);" >>$@; \
+ done; \
+ echo "void init_extensions4(void);" >>$@; \
+ echo "void init_extensions4(void)" >>$@; \
+ echo "{" >>$@; \
+ for i in ${initext4_func}; do \
+ echo " ""lib$${i}_init();" >>$@; \
+ done; \
+ echo "}" >>$@; \
+ );
+
initext6.c: .initext6.dd
${AM_VERBOSE_GEN}
@( \
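Review bot: The `initext4.c` generator builds its output in place with `>$@` followed by a chain of `>>$@` appends, so a failure or interrupt part-way through the subshell leaves a truncated `initext4.c` that is newer than `.initext4.dd` and is treated as up to date on the next run; no `.DELETE_ON_ERROR` is in view to catch that. The `.initext4.dd` rule just above already uses the write-to-`$@.tmp`-then-`mv` idiom, and the generator can do the same by redirecting the whole subshell once and renaming only on success. The `initext.c` rule in the previous hunk and the `initext6.c` rule in the next one have the same shape and would take the same change.
```make
initext4.c: .initext4.dd
	${AM_VERBOSE_GEN}
	@( \
	echo ""; \
	for i in ${initext4_func}; do \
		echo "extern void lib$${i}_init(void);"; \
	done; \
	echo "void init_extensions4(void);"; \
	echo "void init_extensions4(void)"; \
	echo "{"; \
	for i in ${initext4_func}; do \
		echo " ""lib$${i}_init();"; \
	done; \
	echo "}"; \
	) >$@.tmp && mv -f $@.tmp $@;
```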
@@ -143,8 +170,8 @@ initext6.c: .initext6.dd
for i in ${initext6_func}; do \
echo "extern void lib$${i}_init(void);" >>$@; \
done; \
- echo "void init_extensions(void);" >>$@; \
- echo "void init_extensions(void)" >>$@; \
+ echo "void init_extensions6(void);" >>$@; \
+ echo "void init_extensions6(void)" >>$@; \
echo "{" >>$@; \
for i in ${initext6_func}; do \
echo " ""lib$${i}_init();" >>$@; \
@@ -155,8 +182,8 @@ initext6.c: .initext6.dd
#
# Manual pages
#
-ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]_]+\b'))
-ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:alnum:]_]+\b'))
+ex_matches = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:lower:][:digit:]_]+\b'))
+ex_targets = $(sort $(shell echo $(1) | LC_ALL=POSIX grep -Eo '\b[[:upper:][:digit:]_]+\b'))
man_run = \
${AM_VERBOSE_GEN} \
for ext in $(1); do \
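Review bot: `ex_matches` and `ex_targets` now tell matches from targets by letter case alone, and a module whose name mixed cases would satisfy neither `\b…\b` pattern and silently vanish from both manual pages; nothing in the hunk states that convention. A one-line comment above the two definitions would make the contract visible to whoever adds the next extension: `# Match extensions are lower-case, targets upper-case (digits and '_' allowed in both); a mixed-case name is dropped by both filters.` The recursive `=` is correct here because `$(1)` is only bound at `$(call)` time. The `man_run` definition that follows continues outside the hunk.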
@@ -177,14 +204,14 @@ man_run = \
fi; \
done >$@;
-matches4.man: .initext4.dd $(wildcard ${srcdir}/lib*.man)
+matches4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man)
$(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
-matches6.man: .initext6.dd $(wildcard ${srcdir}/lib*.man)
+matches6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
$(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
-targets4.man: .initext4.dd $(wildcard ${srcdir}/lib*.man)
+targets4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib*.man)
$(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4)
-targets6.man: .initext6.dd $(wildcard ${srcdir}/lib*.man)
+targets6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib*.man)
$(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6)
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index e7fd7c92..6a46f109 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -28,7 +28,7 @@ static void DNAT_help(void)
{
printf(
"DNAT target options:\n"
-" --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
+" --to-destination [<ipaddr>[-<ipaddr>]][:port[-port]]\n"
" Address to map destination to.\n"
"[--random] [--persistent]\n");
}
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
index d1e0a3a1..d5ded35b 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libipt_DNAT.man
@@ -10,7 +10,7 @@ should be modified (and all future packets in this connection will
also be mangled), and rules should cease being examined. It takes one
type of option:
.TP
-\fB\-\-to\-destination\fP [\fIipaddr\fP][\fB\-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
+\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which is only
valid if the rule also specifies
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 97769e68..9156a7b7 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -28,7 +28,7 @@ static void SNAT_help(void)
{
printf(
"SNAT target options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
+" --to-source [<ipaddr>[-<ipaddr>]][:port[-port]]\n"
" Address to map source to.\n"
"[--random] [--persistent]\n");
}
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index 6b828fd4..80e2cb91 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
@@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-\fB\-\-to\-source\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
+\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c
index 2f915bcd..51c0cec6 100644
--- a/extensions/libxt_SET.c
+++ b/extensions/libxt_SET.c
@@ -21,8 +21,10 @@
#include <linux/netfilter/xt_set.h>
#include "libxt_set.h"
+/* Revision 0 */
+
static void
-set_target_help(void)
+set_target_help_v0(void)
{
printf("SET target options:\n"
" --add-set name flags\n"
@@ -32,14 +34,14 @@ set_target_help(void)
" 'src' and 'dst' specifications.\n");
}
-static const struct option set_target_opts[] = {
+static const struct option set_target_opts_v0[] = {
{.name = "add-set", .has_arg = true, .val = '1'},
{.name = "del-set", .has_arg = true, .val = '2'},
XT_GETOPT_TABLEEND,
};
static void
-set_target_check(unsigned int flags)
+set_target_check_v0(unsigned int flags)
{
if (!flags)
xtables_error(PARAMETER_PROBLEM,
@@ -144,20 +146,29 @@ set_target_save_v0(const void *ip, const struct xt_entry_target *target)
print_target_v0("--del-set", &info->del_set);
}
+/* Revision 1 */
+
+#define set_target_help_v1 set_target_help_v0
+
static void
-set_target_init(struct xt_entry_target *target)
+set_target_init_v1(struct xt_entry_target *target)
{
- struct xt_set_info_target *info =
- (struct xt_set_info_target *) target->data;
+ struct xt_set_info_target_v1 *info =
+ (struct xt_set_info_target_v1 *) target->data;
info->add_set.index =
info->del_set.index = IPSET_INVALID_ID;
}
+#define SET_TARGET_ADD 0x1
+#define SET_TARGET_DEL 0x2
+#define SET_TARGET_EXIST 0x4
+#define SET_TARGET_TIMEOUT 0x8
+
static void
-parse_target(char **argv, int invert, unsigned int *flags,
- struct xt_set_info *info, const char *what)
+parse_target(char **argv, int invert, struct xt_set_info *info,
+ const char *what)
{
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
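Review bot: The new `SET_TARGET_ADD`/`SET_TARGET_DEL`/`SET_TARGET_EXIST`/`SET_TARGET_TIMEOUT` macros carry no comment separating them from the `IPSET_FLAG_*` values used elsewhere in this file: the former are parse-state bits OR-ed into the xtables `*flags` word and consulted only in the `final_check` callbacks, the latter are written into the target's `info->flags`. Suggest `/* Parse-state bits kept in the xtables *flags word (userspace only); distinct from the IPSET_FLAG_* values stored in the target info. */` above the block. The `#define set_target_help_v1 set_target_help_v0` style alias also hides from the symbol table and the debugger that revisions 0 and 1 share a callback; pointing the revision-1 registration entry at `set_target_help_v0` directly, with a comment, would be plainer. `parse_target`'s body continues outside the hunk.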
@@ -180,30 +191,30 @@ parse_target(char **argv, int invert, unsigned int *flags,
get_set_byname(optarg, info);
parse_dirs(argv[optind], info);
optind++;
-
- *flags = 1;
}
static int
-set_target_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
+set_target_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
{
- struct xt_set_info_target *myinfo =
- (struct xt_set_info_target *) (*target)->data;
+ struct xt_set_info_target_v1 *myinfo =
+ (struct xt_set_info_target_v1 *) (*target)->data;
switch (c) {
case '1': /* --add-set <set> <flags> */
- parse_target(argv, invert, flags,
- &myinfo->add_set, "add-set");
+ parse_target(argv, invert, &myinfo->add_set, "add-set");
+ *flags |= SET_TARGET_ADD;
break;
case '2': /* --del-set <set>[:<flags>] <flags> */
- parse_target(argv, invert, flags,
- &myinfo->del_set, "del-set");
+ parse_target(argv, invert, &myinfo->del_set, "del-set");
+ *flags |= SET_TARGET_DEL;
break;
}
return 1;
}
+#define set_target_check_v1 set_target_check_v0
+
static void
print_target(const char *prefix, const struct xt_set_info *info)
{
@@ -222,21 +233,132 @@ print_target(const char *prefix, const struct xt_set_info *info)
}
static void
-set_target_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
+set_target_print_v1(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_set_info_target_v1 *info = (const void *)target->data;
+
+ print_target("add-set", &info->add_set);
+ print_target("del-set", &info->del_set);
+}
+
+static void
+set_target_save_v1(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_set_info_target_v1 *info = (const void *)target->data;
+
+ print_target("--add-set", &info->add_set);
+ print_target("--del-set", &info->del_set);
+}
+
+#define set_target_opts_v1 set_target_opts_v0
+
+/* Revision 2 */
+
+static void
+set_target_help_v2(void)
+{
+ printf("SET target options:\n"
+ " --add-set name flags [--exist] [--timeout n]\n"
+ " --del-set name flags\n"
+ " add/del src/dst IP/port from/to named sets,\n"
+ " where flags are the comma separated list of\n"
+ " 'src' and 'dst' specifications.\n");
+}
+
+static const struct option set_target_opts_v2[] = {
+ {.name = "add-set", .has_arg = true, .val = '1'},
+ {.name = "del-set", .has_arg = true, .val = '2'},
+ {.name = "exist", .has_arg = false, .val = '3'},
+ {.name = "timeout", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
+};
+
+static void
+set_target_check_v2(unsigned int flags)
+{
+ if (!(flags & (SET_TARGET_ADD|SET_TARGET_DEL)))
+ xtables_error(PARAMETER_PROBLEM,
+ "You must specify either `--add-set' or `--del-set'");
+ if (!(flags & SET_TARGET_ADD)) {
+ if (flags & SET_TARGET_EXIST)
+ xtables_error(PARAMETER_PROBLEM,
+ "Flag `--exist' can be used with `--add-set' only");
+ if (flags & SET_TARGET_TIMEOUT)
+ xtables_error(PARAMETER_PROBLEM,
+ "Option `--timeout' can be used with `--add-set' only");
+ }
+}
+
+
+static void
+set_target_init_v2(struct xt_entry_target *target)
{
- const struct xt_set_info_target *info = (const void *)target->data;
+ struct xt_set_info_target_v2 *info =
+ (struct xt_set_info_target_v2 *) target->data;
+
+ info->add_set.index =
+ info->del_set.index = IPSET_INVALID_ID;
+ info->timeout = UINT32_MAX;
+}
+
+static int
+set_target_parse_v2(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_set_info_target_v2 *myinfo =
+ (struct xt_set_info_target_v2 *) (*target)->data;
+ unsigned int timeout;
+
+ switch (c) {
+ case '1': /* --add-set <set> <flags> */
+ parse_target(argv, invert, &myinfo->add_set, "add-set");
+ *flags |= SET_TARGET_ADD;
+ break;
+ case '2': /* --del-set <set>[:<flags>] <flags> */
+ parse_target(argv, invert, &myinfo->del_set, "del-set");
+ *flags |= SET_TARGET_DEL;
+ break;
+ case '3':
+ myinfo->flags |= IPSET_FLAG_EXIST;
+ *flags |= SET_TARGET_EXIST;
+ break;
+ case '4':
+ if (!xtables_strtoui(optarg, NULL, &timeout, 0, UINT32_MAX - 1))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid value for option --timeout "
+ "or out of range 0-%u", UINT32_MAX - 1);
+ myinfo->timeout = timeout;
+ *flags |= SET_TARGET_TIMEOUT;
+ break;
+ }
+ return 1;
+}
+
+static void
+set_target_print_v2(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_set_info_target_v2 *info = (const void *)target->data;
print_target("add-set", &info->add_set);
+ if (info->flags & IPSET_FLAG_EXIST)
+ printf(" exist");
+ if (info->timeout != UINT32_MAX)
+ printf(" timeout %u", info->timeout);
print_target("del-set", &info->del_set);
}
static void
-set_target_save(const void *ip, const struct xt_entry_target *target)
+set_target_save_v2(const void *ip, const struct xt_entry_target *target)
{
- const struct xt_set_info_target *info = (const void *)target->data;
+ const struct xt_set_info_target_v2 *info = (const void *)target->data;
print_target("--add-set", &info->add_set);
+ if (info->flags & IPSET_FLAG_EXIST)
+ printf(" --exist");
+ if (info->timeout != UINT32_MAX)
+ printf(" --timeout %u", info->timeout);
print_target("--del-set", &info->del_set);
}
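Review bot: `set_target_parse_v2` accepts `--timeout` and `--exist` any number of times; a repeated `--timeout` silently overwrites the earlier value, whereas `--add-set`/`--del-set` appear to be guarded against repetition by the `if (info->dim)` check in `parse_target`. Testing the bit that is about to be set keeps the two consistent: `if (*flags & SET_TARGET_TIMEOUT) xtables_error(PARAMETER_PROBLEM, "Can't specify --timeout twice");` before the `xtables_strtoui` call, and the same with `SET_TARGET_EXIST` in case `'3'`. The `UINT32_MAX` sentinel set in `set_target_init_v2` also deserves a comment, since `set_target_print_v2` and `set_target_save_v2` depend on it and the parse range stops at `UINT32_MAX - 1` for exactly that reason: `/* UINT32_MAX means "no --timeout given"; parsing caps at UINT32_MAX - 1 so the sentinel can never be user-supplied. */`.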
@@ -248,28 +370,43 @@ static struct xtables_target set_tg_reg[] = {
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_set_info_target_v0)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v0)),
- .help = set_target_help,
+ .help = set_target_help_v0,
.init = set_target_init_v0,
.parse = set_target_parse_v0,
- .final_check = set_target_check,
+ .final_check = set_target_check_v0,
.print = set_target_print_v0,
.save = set_target_save_v0,
- .extra_opts = set_target_opts,
+ .extra_opts = set_target_opts_v0,
},
{
.name = "SET",
.revision = 1,
.version = XTABLES_VERSION,
.family = NFPROTO_UNSPEC,
- .size = XT_ALIGN(sizeof(struct xt_set_info_target)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target)),
- .help = set_target_help,
- .init = set_target_init,
- .parse = set_target_parse,
- .final_check = set_target_check,
- .print = set_target_print,
- .save = set_target_save,
- .extra_opts = set_target_opts,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
+ .help = set_target_help_v1,
+ .init = set_target_init_v1,
+ .parse = set_target_parse_v1,
+ .final_check = set_target_check_v1,
+ .print = set_target_print_v1,
+ .save = set_target_save_v1,
+ .extra_opts = set_target_opts_v1,
+ },
+ {
+ .name = "SET",
+ .revision = 2,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_target_v2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v2)),
+ .help = set_target_help_v2,
+ .init = set_target_init_v2,
+ .parse = set_target_parse_v2,
+ .final_check = set_target_check_v2,
+ .print = set_target_print_v2,
+ .save = set_target_save_v2,
+ .extra_opts = set_target_opts_v2,
},
};
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index ea80c2a1..739be414 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
@@ -12,6 +12,14 @@ where flags are
and/or
.BR "dst"
specifications and there can be no more than six of them.
+.TP
+\fB\-\-timeout\fP \fIvalue\fP
+when adding entry, the timeout value to use instead of the default
+one from the set definition
+.TP
+\fB\-\-exist\fP
+when adding entry if it already exists, reset the timeout value
+to the specified one or to the default from the set definition
.PP
Use of -j SET requires that ipset kernel support is provided. As standard
kernels do not ship this currently, the ipset or Xtables-addons package needs
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 78bf7c10..da722c73 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -22,8 +22,10 @@
#include <linux/netfilter/xt_set.h>
#include "libxt_set.h"
+/* Revision 0 */
+
static void
-set_help(void)
+set_help_v0(void)
{
printf("set match options:\n"
" [!] --match-set name flags\n"
@@ -32,14 +34,14 @@ set_help(void)
" 'src' and 'dst' specifications.\n");
}
-static const struct option set_opts[] = {
+static const struct option set_opts_v0[] = {
{.name = "match-set", .has_arg = true, .val = '1'},
{.name = "set", .has_arg = true, .val = '2'},
XT_GETOPT_TABLEEND,
};
static void
-set_check(unsigned int flags)
+set_check_v0(unsigned int flags)
{
if (!flags)
xtables_error(PARAMETER_PROBLEM,
@@ -127,12 +129,18 @@ set_save_v0(const void *ip, const struct xt_entry_match *match)
print_match_v0("--match-set", &info->match_set);
}
+/* Revision 1 */
+
+#define set_help_v1 set_help_v0
+#define set_opts_v1 set_opts_v0
+#define set_check_v1 set_check_v0
+
static int
-set_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
+set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
{
- struct xt_set_info_match *myinfo =
- (struct xt_set_info_match *) (*match)->data;
+ struct xt_set_info_match_v1 *myinfo =
+ (struct xt_set_info_match_v1 *) (*match)->data;
struct xt_set_info *info = &myinfo->match_set;
switch (c) {
@@ -191,17 +199,17 @@ print_match(const char *prefix, const struct xt_set_info *info)
/* Prints out the matchinfo. */
static void
-set_print(const void *ip, const struct xt_entry_match *match, int numeric)
+set_print_v1(const void *ip, const struct xt_entry_match *match, int numeric)
{
- const struct xt_set_info_match *info = (const void *)match->data;
+ const struct xt_set_info_match_v1 *info = (const void *)match->data;
print_match("match-set", &info->match_set);
}
static void
-set_save(const void *ip, const struct xt_entry_match *match)
+set_save_v1(const void *ip, const struct xt_entry_match *match)
{
- const struct xt_set_info_match *info = (const void *)match->data;
+ const struct xt_set_info_match_v1 *info = (const void *)match->data;
print_match("--match-set", &info->match_set);
}
@@ -214,26 +222,26 @@ static struct xtables_match set_mt_reg[] = {
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_set_info_match_v0)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v0)),
- .help = set_help,
+ .help = set_help_v0,
.parse = set_parse_v0,
- .final_check = set_check,
+ .final_check = set_check_v0,
.print = set_print_v0,
.save = set_save_v0,
- .extra_opts = set_opts,
+ .extra_opts = set_opts_v0,
},
{
.name = "set",
.revision = 1,
.version = XTABLES_VERSION,
.family = NFPROTO_UNSPEC,
- .size = XT_ALIGN(sizeof(struct xt_set_info_match)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match)),
- .help = set_help,
- .parse = set_parse,
- .final_check = set_check,
- .print = set_print,
- .save = set_save,
- .extra_opts = set_opts,
+ .size = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
+ .help = set_help_v1,
+ .parse = set_parse_v1,
+ .final_check = set_check_v1,
+ .print = set_print_v1,
+ .save = set_save_v1,
+ .extra_opts = set_opts_v1,
},
};
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 6b936911..4ac84fa9 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -114,7 +114,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
if (tmp)
xtables_error(PARAMETER_PROBLEM,
"Can't be more src/dst options than %i.",
- IPSET_DIM_MAX - 1);
+ IPSET_DIM_MAX);
free(saved);
}
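Review bot: Only the error text of `parse_dirs_v0` changes in this hunk, from `IPSET_DIM_MAX - 1` to `IPSET_DIM_MAX`; if the v0 loop bound above it (outside the hunk) still stops at `IPSET_DIM_MAX - 1`, the message now overstates the accepted number of src/dst entries by one. Either adjust the bound together with the message, as the `parse_dirs` hunk below does, or leave the message at `IPSET_DIM_MAX - 1` here. `parse_dirs_v0` starts outside the hunk.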
@@ -124,9 +124,8 @@ parse_dirs(const char *opt_arg, struct xt_set_info *info)
{
char *saved = strdup(opt_arg);
char *ptr, *tmp = saved;
- int i = 0;
- while (i < (IPSET_DIM_MAX - 1) && tmp != NULL) {
+ while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
info->dim++;
ptr = strsep(&tmp, ",");
if (strncmp(ptr, "src", 3) == 0)
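Review bot: With the local index removed, `parse_dirs` now uses `info->dim` both as the loop counter and as the result, so it is only correct when the caller passes an `info` whose `dim` is still 0; a second call on the same struct would continue counting from the earlier value and hit the limit early. The `if (info->dim)` check in `parse_target` covers the target callers; the match callers are not in view. Suggest stating the precondition above the loop: `/* Requires info->dim == 0 on entry: dim is the running index and is left at the number of parsed directions. */`. The function's body continues outside the hunk.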
@@ -139,7 +138,7 @@ parse_dirs(const char *opt_arg, struct xt_set_info *info)
if (tmp)
xtables_error(PARAMETER_PROBLEM,
"Can't be more src/dst options than %i.",
- IPSET_DIM_MAX - 1);
+ IPSET_DIM_MAX);
free(saved);
}