Option parsing fixes (t-10)

Option parsing fixes (t-10)

[Jan Engelhardt]

This goes on top of the previous series of 13.

===

The following changes since commit 11811bc2f6e7a333c32ad4b4685ac769b5f7c379:

  libxt_ipvs: restore network-byte order (2011-05-23 00:22:27 +0200)

are available in the git repository at:
  git://dev.medozas.de/iptables next

Jan Engelhardt (10):
      libxt_time: always ignore libc timezone
      libxt_time: --utc and --localtz are mutually exclusive
      doc: use .IP list for TCPMSS
      doc: remove redundant .IP calls in libxt_time
      libxt_time: remove --localtz option
      libxt_u32: --u32 option is required
      libip6t_rt: restore --rt-type storing
      libxtables: more detailed error message on multi-int parsing
      libxtables: use uintmax for xtables_strtoul
      libxtables: make multiint parser have greater range

 extensions/libip6t_rt.c     |    4 +-
 extensions/libxt_TCPMSS.man |   14 +++--------
 extensions/libxt_time.c     |   41 ++++++++++++++++++++++++-----------
 extensions/libxt_time.man   |   45 +++++++++++++++++++++++++++------------
 extensions/libxt_u32.c      |    3 +-
 include/xtables.h.in        |    4 +-
 xtables.c                   |   11 +++++----
 xtoptions.c                 |   49 +++++++++++++++++++++++++++++--------------
 8 files changed, 108 insertions(+), 63 deletions(-)

[PATCH 01/10] libxt_time: always ignore libc timezone

[Jan Engelhardt]

Since xt_time is meant to work across many months, libc doing
automatic conversion from local time to UTC (during parse) is
unwanted, especially when --utc is specified. The same goes for
dumping.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_time.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index b538476..32f0bf3 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -87,7 +87,7 @@ static time_t time_parse_date(const char *s, bool end)
 	const char *os = s;
 	struct tm tm;
 	time_t ret;
-	char *e;
+	char *e, *saved[2];
 
 	year = strtoul(s, &e, 10);
 	if ((*e != '-' && *e != '\0') || year < 1970 || year > 2038)
@@ -136,7 +136,15 @@ static time_t time_parse_date(const char *s, bool end)
 	tm.tm_min  = minute;
 	tm.tm_sec  = second;
 	tm.tm_isdst = 0;
+	/*
+	 * Offsetting, if any, is done by xt_time.ko,
+	 * so we have to disable it here in userspace.
+	 */
+	tzset();
+	memcpy(saved, tzname, sizeof(saved));
+	tzname[0] = tzname[1] = "UTC";
 	ret = mktime(&tm);
+	memcpy(tzname, saved, sizeof(saved));
 	if (ret >= 0)
 		return ret;
 	perror("mktime");
@@ -289,7 +297,7 @@ static void time_print_date(time_t date, const char *command)
 	if (date == 0 || date == LONG_MAX)
 		return;
 
-	t = localtime(&date);
+	t = gmtime(&date);
 	if (command != NULL)
 		/*
 		 * Need a contiguous string (no whitespaces), hence using
-- 
1.7.3.4

[PATCH 02/10] libxt_time: --utc and --localtz are mutually exclusive

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_time.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 32f0bf3..a666433 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -26,6 +26,8 @@ enum {
 	O_WEEKDAYS,
 	O_LOCAL_TZ,
 	O_UTC,
+	F_LOCAL_TZ  = 1 << O_LOCAL_TZ,
+	F_UTC       = 1 << O_UTC,
 };
 
 static const char *const week_days[] = {
@@ -41,8 +43,10 @@ static const struct xt_option_entry time_opts[] = {
 	 .flags = XTOPT_INVERT},
 	{.name = "monthdays", .id = O_MONTHDAYS, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
-	{.name = "localtz", .id = O_LOCAL_TZ, .type = XTTYPE_NONE},
-	{.name = "utc", .id = O_UTC, .type = XTTYPE_NONE},
+	{.name = "localtz", .id = O_LOCAL_TZ, .type = XTTYPE_NONE,
+	 .excl = F_UTC},
+	{.name = "utc", .id = O_UTC, .type = XTTYPE_NONE,
+	 .excl = F_LOCAL_TZ},
 	XTOPT_TABLEEND,
 };
 
-- 
1.7.3.4

[PATCH 03/10] doc: use .IP list for TCPMSS

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_TCPMSS.man |   14 ++++----------
 1 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man
index ac8fb4e..8da8e76 100644
--- a/extensions/libxt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -11,19 +11,13 @@ packets.  The symptoms of this
 problem are that everything works fine from your Linux
 firewall/router, but machines behind it can never exchange large
 packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
+.IP 1. 4
 Web browsers connect, then hang with no data received.
-.TP
-2)
+.IP 2. 4
 Small mail works fine, but large emails hang.
-.TP
-3)
+.IP 3. 4
 ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
+.PP
 Workaround: activate this option and add a rule to your firewall
 configuration like:
 .IP
-- 
1.7.3.4

[PATCH 04/10] doc: remove redundant .IP calls in libxt_time

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_time.man |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man
index 2bceaf6..4aff7ff 100644
--- a/extensions/libxt_time.man
+++ b/extensions/libxt_time.man
@@ -4,7 +4,6 @@ options are optional, but are ANDed when specified.
 \fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
 .TP
 \fB\-\-datestop\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
-.IP
 Only match during the given time, which must be in ISO 8601 "T" notation.
 The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
 .IP
@@ -14,32 +13,27 @@ and 2038-01-19, respectively.
 \fB\-\-timestart\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
 .TP
 \fB\-\-timestop\fP \fIhh\fP\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]
-.IP
 Only match during the given daytime. The possible time range is 00:00:00 to
 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted
 as base-10.
 .TP
 [\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
-.IP
 Only match on the given days of the month. Possible values are \fB1\fP
 to \fB31\fP. Note that specifying \fB31\fP will of course not match
 on months which do not have a 31st day; the same goes for 28- or 29-day
 February.
 .TP
 [\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...]
-.IP
 Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
 \fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP
 to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
 \fBTu\fP, etc.).
 .TP
 \fB\-\-utc\fP
-.IP
 Interpret the times given for \fB\-\-datestart\fP, \fB\-\-datestop\fP,
 \fB\-\-timestart\fP and \fB\-\-timestop\fP to be UTC.
 .TP
 \fB\-\-localtz\fP
-.IP
 Interpret the times given for \fB\-\-datestart\fP, \fB\-\-datestop\fP,
 \fB\-\-timestart\fP and \fB\-\-timestop\fP to be local kernel time. (Default)
 .PP
-- 
1.7.3.4

[PATCH 05/10] libxt_time: remove --localtz option

[Jan Engelhardt]

Comparing against the kernel time zone has significant caveats. This
patch adds documentation about the issue, and makes --utc the default
setting for libxt_time.

Furthremore, remove recognition of the "--localtz" option, to avoid
confusion with one's shell TZ environment variable, and rename it to
"--kerneltz" to be explicit about whose timezone will be used.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_time.c   |   21 ++++++++++++---------
 extensions/libxt_time.man |   39 +++++++++++++++++++++++++++++++--------
 2 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index a666433..e91f801 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -26,8 +26,10 @@ enum {
 	O_WEEKDAYS,
 	O_LOCAL_TZ,
 	O_UTC,
+	O_KERNEL_TZ,
 	F_LOCAL_TZ  = 1 << O_LOCAL_TZ,
 	F_UTC       = 1 << O_UTC,
+	F_KERNEL_TZ = 1 << O_KERNEL_TZ,
 };
 
 static const char *const week_days[] = {
@@ -47,6 +49,8 @@ static const struct xt_option_entry time_opts[] = {
 	 .excl = F_UTC},
 	{.name = "utc", .id = O_UTC, .type = XTTYPE_NONE,
 	 .excl = F_LOCAL_TZ},
+	{.name = "kerneltz", .id = O_KERNEL_TZ, .type = XTTYPE_NONE,
+	 .excl = F_UTC},
 	XTOPT_TABLEEND,
 };
 
@@ -63,7 +67,7 @@ static void time_help(void)
 "[!] --weekdays value     List of weekdays on which to match, sep. by comma\n"
 "                         (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7\n"
 "                         Defaults to all weekdays.)\n"
-"    --localtz/--utc      Time is interpreted as UTC/local time\n");
+"    --ktz                Work with the kernel timezone instead of UTC\n");
 }
 
 static void time_init(struct xt_entry_match *m)
@@ -79,9 +83,6 @@ static void time_init(struct xt_entry_match *m)
 	/* ...and have no date-begin or date-end boundary */
 	info->date_start = 0;
 	info->date_stop  = INT_MAX;
-
-	/* local time is default */
-	info->flags |= XT_TIME_LOCAL_TZ;
 }
 
 static time_t time_parse_date(const char *s, bool end)
@@ -275,6 +276,11 @@ static void time_parse(struct xt_option_call *cb)
 		info->daytime_stop = time_parse_minutes(cb->arg);
 		break;
 	case O_LOCAL_TZ:
+		xtables_error(PARAMETER_PROBLEM,
+			"--localtz is no longer supported, see manpage "
+			"for details.");
+		break;
+	case O_KERNEL_TZ:
 		info->flags |= XT_TIME_LOCAL_TZ;
 		break;
 	case O_MONTHDAYS:
@@ -287,9 +293,6 @@ static void time_parse(struct xt_option_call *cb)
 		if (cb->invert)
 			info->weekdays_match ^= XT_TIME_ALL_WEEKDAYS;
 		break;
-	case O_UTC:
-		info->flags &= ~XT_TIME_LOCAL_TZ;
-		break;
 	}
 }
 
@@ -425,8 +428,8 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
 	}
 	time_print_date(info->date_start, "--datestart");
 	time_print_date(info->date_stop, "--datestop");
-	if (!(info->flags & XT_TIME_LOCAL_TZ))
-		printf(" --utc");
+	if (info->flags & XT_TIME_LOCAL_TZ)
+		printf(" --kerneltz");
 }
 
 static struct xtables_match time_match = {
diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man
index 4aff7ff..1d677b9 100644
--- a/extensions/libxt_time.man
+++ b/extensions/libxt_time.man
@@ -1,5 +1,6 @@
 This matches if the packet arrival time/date is within a given range. All
-options are optional, but are ANDed when specified.
+options are optional, but are ANDed when specified. All times are interpreted
+as UTC by default.
 .TP
 \fB\-\-datestart\fP \fIYYYY\fP[\fB\-\fP\fIMM\fP[\fB\-\fP\fIDD\fP[\fBT\fP\fIhh\fP[\fB:\fP\fImm\fP[\fB:\fP\fIss\fP]]]]]
 .TP
@@ -29,13 +30,35 @@ Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
 to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
 \fBTu\fP, etc.).
 .TP
-\fB\-\-utc\fP
-Interpret the times given for \fB\-\-datestart\fP, \fB\-\-datestop\fP,
-\fB\-\-timestart\fP and \fB\-\-timestop\fP to be UTC.
-.TP
-\fB\-\-localtz\fP
-Interpret the times given for \fB\-\-datestart\fP, \fB\-\-datestop\fP,
-\fB\-\-timestart\fP and \fB\-\-timestop\fP to be local kernel time. (Default)
+\fB\-\-kerneltz\fP
+Use the kernel timezone instead of UTC to determine whether a packet meets the
+time regulations.
+.PP
+About kernel timezones: Linux keeps the system time in UTC, and always does so.
+On boot, system time is initialized from a referential time source. Where this
+time source has no timezone information, such as the x86 CMOS RTC, UTC will be
+assumed. If the time source is however not in UTC, userspace should provide the
+correct system time and timezone to the kernel once it has the information.
+.PP
+Local time is a feature on top of the (timezone independent) system time. Each
+process has its own idea of local time, specified via the TZ environment
+variable. The kernel also has its own timezone offset variable. The TZ
+userspace environment variable specifies how the UTC-based system time is
+displayed, e.g. when you run date(1), or what you see on your desktop clock.
+The TZ string may resolve to different offsets at different dates, which is
+what enables the automatic time-jumping in userspace. when DST changes. The
+kernel's timezone offset variable is used when it has to convert between
+non-UTC sources, such as FAT filesystems, to UTC (since the latter is what the
+rest of the system uses).
+.PP
+The caveat with the kernel timezone is that Linux distributions may ignore to
+set the kernel timezone, and instead only set the system time. Even if a
+particular distribution does set the timezone at boot, it is usually does not
+keep the kernel timezone offset - which is what changes on DST - up to date.
+ntpd will not touch the kernel timezone, so running it will not resolve the
+issue. As such, one may encounter a timezone that is always +0000, or one that
+is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly
+discouraged.\fP
 .PP
 EXAMPLES. To match on weekends, use:
 .IP
-- 
1.7.3.4

[PATCH 06/10] libxt_u32: --u32 option is required

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_u32.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 9198edc..774d5ea 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -23,7 +23,8 @@ enum {
 };
 
 static const struct xt_option_entry u32_opts[] = {
-	{.name = "u32", .id = O_U32, .type = XTTYPE_STRING},
+	{.name = "u32", .id = O_U32, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND},
 	XTOPT_TABLEEND,
 };
 
-- 
1.7.3.4

[PATCH 07/10] libip6t_rt: restore --rt-type storing

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_rt.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index eb30820..9e6868d 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -31,8 +31,8 @@ IP6T_RT_HOPS);
 
 #define s struct ip6t_rt
 static const struct xt_option_entry rt_opts[] = {
-	{.name = "rt-type", .id = O_RT_TYPE, .type = XTTYPE_UINT32RC,
-	 .flags = XTOPT_INVERT},
+	{.name = "rt-type", .id = O_RT_TYPE, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, rt_type)},
 	{.name = "rt-segsleft", .id = O_RT_SEGSLEFT, .type = XTTYPE_UINT32RC,
 	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, segsleft)},
 	{.name = "rt-len", .id = O_RT_LEN, .type = XTTYPE_UINT32,
-- 
1.7.3.4

[PATCH 08/10] libxtables: more detailed error message on multi-int parsing

[Jan Engelhardt]

Now shows where exactly the error is.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 xtoptions.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/xtoptions.c b/xtoptions.c
index ec2269b..9884b7d 100644
--- a/xtoptions.c
+++ b/xtoptions.c
@@ -206,13 +206,14 @@ static void xtopt_parse_mint(struct xt_option_call *cb)
 				cb->ext_name, entry->name, maxiter);
 		if (!xtables_strtoui(arg, &end, &value, 0, UINT32_MAX))
 			xt_params->exit_err(PARAMETER_PROBLEM,
-				"%s: bad value for option \"--%s\", "
-				"or out of range (0-%u).\n",
-				cb->ext_name, entry->name, UINT32_MAX);
+				"%s: bad value for option \"--%s\" near "
+				"\"%s\", or out of range (0-%u).\n",
+				cb->ext_name, entry->name, arg, UINT32_MAX);
 		if (*end != '\0' && *end != sep)
 			xt_params->exit_err(PARAMETER_PROBLEM,
 				"%s: Argument to \"--%s\" has unexpected "
-				"characters.\n", cb->ext_name, entry->name);
+				"characters near \"%s\".\n",
+				cb->ext_name, entry->name, end);
 		if (cb->nvals < ARRAY_SIZE(cb->val.u32_range)) {
 			if (entry->type == XTTYPE_UINT8RC)
 				cb->val.u8_range[cb->nvals] = value;
-- 
1.7.3.4

[PATCH 09/10] libxtables: use uintmax for xtables_strtoul

[Jan Engelhardt]

Addendum to 2305d5fb42fc059f38fc1bdf53411dbeecdb310b.

I noticed that unsigned long long is not consistently used, for
example, min/max are still just unsigned long, and strtoul is being
called.

Instead of changing it to unsigned long long, just use uintmax
functions right away so this does not need size-related changing in
the future.

Cc: JP Abgrall <jpa@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/xtables.h.in |    4 ++--
 xtables.c            |   11 ++++++-----
 xtoptions.c          |    6 +++---
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/include/xtables.h.in b/include/xtables.h.in
index 90eb1b2..2565dd2 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -408,8 +408,8 @@ extern void xtables_register_matches(struct xtables_match *, unsigned int);
 extern void xtables_register_target(struct xtables_target *me);
 extern void xtables_register_targets(struct xtables_target *, unsigned int);
 
-extern bool xtables_strtoul(const char *, char **, unsigned long long *,
-	unsigned long, unsigned long);
+extern bool xtables_strtoul(const char *, char **, uintmax_t *,
+	uintmax_t, uintmax_t);
 extern bool xtables_strtoui(const char *, char **, unsigned int *,
 	unsigned int, unsigned int);
 extern int xtables_service_to_port(const char *name, const char *proto);
diff --git a/xtables.c b/xtables.c
index e11a77e..acfcf8b 100644
--- a/xtables.c
+++ b/xtables.c
@@ -18,6 +18,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <inttypes.h>
 #include <netdb.h>
 #include <stdarg.h>
 #include <stdbool.h>
@@ -426,10 +427,10 @@ int xtables_load_ko(const char *modprobe, bool quiet)
  * Returns true/false whether number was accepted. On failure, *value has
  * undefined contents.
  */
-bool xtables_strtoul(const char *s, char **end, unsigned long long *value,
-                     unsigned long min, unsigned long max)
+bool xtables_strtoul(const char *s, char **end, uintmax_t *value,
+                     uintmax_t min, uintmax_t max)
 {
-	unsigned long v;
+	uintmax_t v;
 	const char *p;
 	char *my_end;
 
@@ -439,7 +440,7 @@ bool xtables_strtoul(const char *s, char **end, unsigned long long *value,
 		;
 	if (*p == '-')
 		return false;
-	v = strtoul(s, &my_end, 0);
+	v = strtoumax(s, &my_end, 0);
 	if (my_end == s)
 		return false;
 	if (end != NULL)
@@ -459,7 +460,7 @@ bool xtables_strtoul(const char *s, char **end, unsigned long long *value,
 bool xtables_strtoui(const char *s, char **end, unsigned int *value,
                      unsigned int min, unsigned int max)
 {
-	unsigned long long v;
+	uintmax_t v;
 	bool ret;
 
 	ret = xtables_strtoul(s, end, &v, min, max);
diff --git a/xtoptions.c b/xtoptions.c
index 9884b7d..e9736a4 100644
--- a/xtoptions.c
+++ b/xtoptions.c
@@ -104,8 +104,8 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
 static void xtopt_parse_int(struct xt_option_call *cb)
 {
 	const struct xt_option_entry *entry = cb->entry;
-	unsigned long long lmin = 0, lmax = UINT32_MAX;
-	unsigned long long value;
+	uintmax_t lmin = 0, lmax = UINT32_MAX;
+	uintmax_t value;
 
 	if (entry->type == XTTYPE_UINT8)
 		lmax = UINT8_MAX;
@@ -121,7 +121,7 @@ static void xtopt_parse_int(struct xt_option_call *cb)
 	if (!xtables_strtoul(cb->arg, NULL, &value, lmin, lmax))
 		xt_params->exit_err(PARAMETER_PROBLEM,
 			"%s: bad value for option \"--%s\", "
-			"or out of range (%llu-%llu).\n",
+			"or out of range (%ju-%ju).\n",
 			cb->ext_name, entry->name, lmin, lmax);
 
 	if (entry->type == XTTYPE_UINT8) {
-- 
1.7.3.4

[PATCH 10/10] libxtables: make multiint parser have greater range

[Jan Engelhardt]

Since parse_mint can handle XTTYPE_UINT64RC, it must allow numbers
larger than UINT32_MAX.

Cc: JP Abgrall <jpa@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 xtoptions.c |   38 +++++++++++++++++++++++++++-----------
 1 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/xtoptions.c b/xtoptions.c
index e9736a4..1fc90ee 100644
--- a/xtoptions.c
+++ b/xtoptions.c
@@ -98,21 +98,35 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
 	return merge;
 }
 
+static uintmax_t xtopt_max_by_type(enum xt_option_type type)
+{
+	switch (type) {
+	case XTTYPE_UINT8:
+	case XTTYPE_UINT8RC:
+		return UINT8_MAX;
+	case XTTYPE_UINT16:
+	case XTTYPE_UINT16RC:
+		return UINT16_MAX;
+	case XTTYPE_UINT32:
+	case XTTYPE_UINT32RC:
+		return UINT32_MAX;
+	case XTTYPE_UINT64:
+	case XTTYPE_UINT64RC:
+		return UINT64_MAX;
+	default:
+		return 0;
+	}
+}
+
 /**
  * Require a simple integer.
  */
 static void xtopt_parse_int(struct xt_option_call *cb)
 {
 	const struct xt_option_entry *entry = cb->entry;
-	uintmax_t lmin = 0, lmax = UINT32_MAX;
+	uintmax_t lmin = 0, lmax = xtopt_max_by_type(entry->type);
 	uintmax_t value;
 
-	if (entry->type == XTTYPE_UINT8)
-		lmax = UINT8_MAX;
-	else if (entry->type == XTTYPE_UINT16)
-		lmax = UINT16_MAX;
-	else if (entry->type == XTTYPE_UINT64)
-		lmax = UINT64_MAX;
 	if (cb->entry->min != 0)
 		lmin = cb->entry->min;
 	if (cb->entry->max != 0)
@@ -180,8 +194,10 @@ static void xtopt_parse_mint(struct xt_option_call *cb)
 	const struct xt_option_entry *entry = cb->entry;
 	const char *arg = cb->arg;
 	size_t esize = sizeof(uint32_t);
+	uintmax_t lmax = xtopt_max_by_type(entry->type);
 	char *put = XTOPT_MKPTR(cb);
-	unsigned int maxiter, value;
+	unsigned int maxiter;
+	uintmax_t value;
 	char *end = "";
 	char sep = ':';
 
@@ -204,11 +220,11 @@ static void xtopt_parse_mint(struct xt_option_call *cb)
 			xt_params->exit_err(PARAMETER_PROBLEM, "%s: Too many "
 				"components for option \"--%s\" (max: %u)\n",
 				cb->ext_name, entry->name, maxiter);
-		if (!xtables_strtoui(arg, &end, &value, 0, UINT32_MAX))
+		if (!xtables_strtoul(arg, &end, &value, 0, lmax))
 			xt_params->exit_err(PARAMETER_PROBLEM,
 				"%s: bad value for option \"--%s\" near "
-				"\"%s\", or out of range (0-%u).\n",
-				cb->ext_name, entry->name, arg, UINT32_MAX);
+				"\"%s\", or out of range (0-%ju).\n",
+				cb->ext_name, entry->name, arg, lmax);
 		if (*end != '\0' && *end != sep)
 			xt_params->exit_err(PARAMETER_PROBLEM,
 				"%s: Argument to \"--%s\" has unexpected "
-- 
1.7.3.4