* [iptables PATCH 0/5] Merge some common code
@ 2021-04-28 17:36 Phil Sutter
  2021-04-28 17:36 ` [iptables PATCH 1/5] xtables: Make invflags 16bit wide Phil Sutter
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Phil Sutter @ 2021-04-28 17:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This is more or less fallout from a local branch merging arptables code
into xtables:

Patches 1 and 2 are dependencies of patch 3, which combines invflags
handling everywhere except in ebtables, as that is always a bit more
"special" than the others.

Patch 4 fixes an actual bug as a side-effect of removing redundant code.

Patch 5 might change iptables-nft output slightly in corner-cases but
makes it consistent with legacy.

Phil Sutter (5):
  xtables: Make invflags 16bit wide
  xshared: Eliminate iptables_command_state->invert
  xshared: Merge invflags handling code
  ebtables-translate: Use shared ebt_get_current_chain() function
  Use proto_to_name() from xshared in more places

 include/xtables.h               |   2 +-
 iptables/ip6tables.c            | 161 +++++++++++---------------------
 iptables/iptables.c             | 160 +++++++++++--------------------
 iptables/nft-arp.h              |   7 --
 iptables/nft-shared.c           |   6 +-
 iptables/nft-shared.h           |   2 +-
 iptables/xshared.c              |  55 +++++++++--
 iptables/xshared.h              |  18 +++-
 iptables/xtables-arp.c          |  44 ---------
 iptables/xtables-eb-translate.c |  19 +---
 iptables/xtables-eb.c           |   1 -
 iptables/xtables.c              | 114 +++++++---------------
 12 files changed, 210 insertions(+), 379 deletions(-)

-- 
2.31.0



* [iptables PATCH 1/5] xtables: Make invflags 16bit wide
  2021-04-28 17:36 [iptables PATCH 0/5] Merge some common code Phil Sutter
@ 2021-04-28 17:36 ` Phil Sutter
  2021-04-28 17:36 ` [iptables PATCH 2/5] xshared: Eliminate iptables_command_state->invert Phil Sutter
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Phil Sutter @ 2021-04-28 17:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This is needed to merge with xtables-arp which has more builtin
options and hence needs more bits in invflags.

The only adjustment needed is the set_option() call for option '-j'
which passed a pointer to cs->fw.ip.invflags. That field can't be
changed, it belongs to uAPI. Using args->invflags instead works fine;
besides, '-j' doesn't support inverting, so this is merely a sanity
check and no real invflag value will ever be assigned.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-shared.h | 2 +-
 iptables/xtables.c    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index da4ba9d2ba8de..cc8f3a79b369e 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -190,7 +190,7 @@ struct xtables_args {
 	int		family;
 	uint16_t	proto;
 	uint8_t		flags;
-	uint8_t		invflags;
+	uint16_t	invflags;
 	char		iniface[IFNAMSIZ], outiface[IFNAMSIZ];
 	unsigned char	iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
 	bool		goto_set;
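Review bot: Widening `invflags` to `uint16_t` in struct xtables_args while the uAPI `invflags` field that patch 1's message says cannot change stays 8 bits means that wherever args->invflags is later copied into the kernel-facing entry (not shown in this hunk, and I am inferring that such a copy exists) the assignment now narrows silently. A guard at that copy point, `if (args->invflags > UINT8_MAX) xtables_error(PARAMETER_PROBLEM, "invflags out of range");`, or at least a comment on this field stating which bits are family-private and never reach the kernel, would make the contract explicit. The struct definition begins outside the hunk.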
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 9779bd83d53b3..c3d82014778b2 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -239,7 +239,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 /* Christophe Burki wants `-p 6' to imply `-m tcp'.  */
 
 static void
-set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
+set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
 	   int invert)
 {
 	if (*options & option)
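Review bot: The new parameter type `u_int16_t` in the set_option() signature is the BSD/sys/types spelling, whereas the field it now points to (`struct xtables_args.invflags` in the nft-shared.h hunk) is declared with the <stdint.h> name `uint16_t`; use the same spelling, `set_option(unsigned int *options, unsigned int option, uint16_t *invflg,`. Patch 2 touches this signature again (its xtables.c hunk changes `int invert` to `bool invert`) and would be the natural place to fix this if it is not done here. set_option's body continues outside the hunk.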
@@ -692,7 +692,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 #endif
 
 		case 'j':
-			set_option(&cs->options, OPT_JUMP, &cs->fw.ip.invflags,
+			set_option(&cs->options, OPT_JUMP, &args->invflags,
 				   cs->invert);
 			command_jump(cs, optarg);
 			break;
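Review bot: The `-j` case now hands set_option() `&args->invflags` instead of the uAPI field, but the reason lives only in the commit message; a comment on the call would spare the next reader a git blame, e.g. `/* -j cannot be inverted; args->invflags is passed only so set_option() rejects a stray '!' */`. The `-g` case in the same function already passes `&args->invflags` (visible as context in patch 2's xtables.c hunk), so the two jump options become consistent. do_parse's body extends outside the hunk.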
-- 
2.31.0




* [iptables PATCH 2/5] xshared: Eliminate iptables_command_state->invert
  2021-04-28 17:36 [iptables PATCH 0/5] Merge some common code Phil Sutter
  2021-04-28 17:36 ` [iptables PATCH 1/5] xtables: Make invflags 16bit wide Phil Sutter
@ 2021-04-28 17:36 ` Phil Sutter
  2021-04-28 17:36 ` [iptables PATCH 3/5] xshared: Merge invflags handling code Phil Sutter
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Phil Sutter @ 2021-04-28 17:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

This field is not used by routines working with struct
iptables_command_state: It is merely a temporary flag used by parsers to
carry the '!' prefix until invflags have been populated (or error
checking done if unsupported).

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c            | 76 +++++++++++++++-----------------
 iptables/iptables.c             | 76 +++++++++++++++-----------------
 iptables/xshared.c              | 10 ++---
 iptables/xshared.h              |  5 +--
 iptables/xtables-eb-translate.c |  1 -
 iptables/xtables-eb.c           |  1 -
 iptables/xtables.c              | 77 +++++++++++++++------------------
 7 files changed, 113 insertions(+), 133 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index c95355b091568..60db11b7131e5 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1083,6 +1083,7 @@ int do_command6(int argc, char *argv[], char **table,
 	struct xtables_target *t;
 	unsigned long long cnt;
 	bool table_set = false;
+	bool invert = false;
 
 	/* re-set optind to 0 in case do_command6 gets called
 	 * a second time */
@@ -1111,20 +1112,17 @@ int do_command6(int argc, char *argv[], char **table,
 			 * Command selection
 			 */
 		case 'A':
-			add_command(&command, CMD_APPEND, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_APPEND, CMD_NONE, invert);
 			chain = optarg;
 			break;
 
 		case 'C':
-			add_command(&command, CMD_CHECK, CMD_NONE,
-			            cs.invert);
+			add_command(&command, CMD_CHECK, CMD_NONE, invert);
 			chain = optarg;
 			break;
 
 		case 'D':
-			add_command(&command, CMD_DELETE, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_DELETE, CMD_NONE, invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv)) {
 				rulenum = parse_rulenumber(argv[optind++]);
@@ -1133,8 +1131,7 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 'R':
-			add_command(&command, CMD_REPLACE, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_REPLACE, CMD_NONE, invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				rulenum = parse_rulenumber(argv[optind++]);
@@ -1145,8 +1142,7 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 'I':
-			add_command(&command, CMD_INSERT, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_INSERT, CMD_NONE, invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				rulenum = parse_rulenumber(argv[optind++]);
@@ -1155,7 +1151,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'L':
 			add_command(&command, CMD_LIST,
-				    CMD_ZERO | CMD_ZERO_NUM, cs.invert);
+				    CMD_ZERO | CMD_ZERO_NUM, invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1165,7 +1161,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'S':
 			add_command(&command, CMD_LIST_RULES,
-				    CMD_ZERO | CMD_ZERO_NUM, cs.invert);
+				    CMD_ZERO | CMD_ZERO_NUM, invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1174,8 +1170,7 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 'F':
-			add_command(&command, CMD_FLUSH, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_FLUSH, CMD_NONE, invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1183,7 +1178,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'Z':
 			add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES,
-				    cs.invert);
+				    invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1195,14 +1190,13 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'N':
 			parse_chain(optarg);
-			add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_NEW_CHAIN, CMD_NONE, invert);
 			chain = optarg;
 			break;
 
 		case 'X':
 			add_command(&command, CMD_DELETE_CHAIN, CMD_NONE,
-				    cs.invert);
+				    invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1210,7 +1204,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'E':
 			add_command(&command, CMD_RENAME_CHAIN, CMD_NONE,
-				    cs.invert);
+				    invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				newname = argv[optind++];
@@ -1223,7 +1217,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'P':
 			add_command(&command, CMD_SET_POLICY, CMD_NONE,
-				    cs.invert);
+				    invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				policy = argv[optind++];
@@ -1249,7 +1243,7 @@ int do_command6(int argc, char *argv[], char **table,
 			 */
 		case 'p':
 			set_option(&cs.options, OPT_PROTOCOL, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 
 			/* Canonicalize into lower case */
 			for (cs.protocol = optarg; *cs.protocol; cs.protocol++)
@@ -1274,20 +1268,20 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 's':
 			set_option(&cs.options, OPT_SOURCE, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			shostnetworkmask = optarg;
 			break;
 
 		case 'd':
 			set_option(&cs.options, OPT_DESTINATION, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			dhostnetworkmask = optarg;
 			break;
 
 #ifdef IP6T_F_GOTO
 		case 'g':
 			set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
-					cs.invert);
+					invert);
 			cs.fw6.ipv6.flags |= IP6T_F_GOTO;
 			cs.jumpto = xt_parse_target(optarg);
 			break;
@@ -1295,7 +1289,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'j':
 			set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
-					cs.invert);
+					invert);
 			command_jump(&cs, optarg);
 			break;
 
@@ -1306,7 +1300,7 @@ int do_command6(int argc, char *argv[], char **table,
 					"Empty interface is likely to be "
 					"undesired");
 			set_option(&cs.options, OPT_VIANAMEIN, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw6.ipv6.iniface,
 					cs.fw6.ipv6.iniface_mask);
@@ -1318,7 +1312,7 @@ int do_command6(int argc, char *argv[], char **table,
 					"Empty interface is likely to be "
 					"undesired");
 			set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw6.ipv6.outiface,
 					cs.fw6.ipv6.outiface_mask);
@@ -1327,7 +1321,7 @@ int do_command6(int argc, char *argv[], char **table,
 		case 'v':
 			if (!verbose)
 				set_option(&cs.options, OPT_VERBOSE,
-					   &cs.fw6.ipv6.invflags, cs.invert);
+					   &cs.fw6.ipv6.invflags, invert);
 			verbose++;
 			break;
 
@@ -1351,16 +1345,16 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 'm':
-			command_match(&cs);
+			command_match(&cs, invert);
 			break;
 
 		case 'n':
 			set_option(&cs.options, OPT_NUMERIC, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			break;
 
 		case 't':
-			if (cs.invert)
+			if (invert)
 				xtables_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --table");
 			if (restore && table_set)
@@ -1373,11 +1367,11 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'x':
 			set_option(&cs.options, OPT_EXPANDED, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			break;
 
 		case 'V':
-			if (cs.invert)
+			if (invert)
 				printf("Not %s ;-)\n", prog_vers);
 			else
 				printf("%s v%s (legacy)\n",
@@ -1386,7 +1380,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case '0':
 			set_option(&cs.options, OPT_LINENUMBERS, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			break;
 
 		case 'M':
@@ -1396,7 +1390,7 @@ int do_command6(int argc, char *argv[], char **table,
 		case 'c':
 
 			set_option(&cs.options, OPT_COUNTERS, &cs.fw6.ipv6.invflags,
-				   cs.invert);
+				   invert);
 			pcnt = optarg;
 			bcnt = strchr(pcnt + 1, ',');
 			if (bcnt)
@@ -1434,11 +1428,11 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
-				if (cs.invert)
+				if (invert)
 					xtables_error(PARAMETER_PROBLEM,
 						   "multiple consecutive ! not"
 						   " allowed");
-				cs.invert = true;
+				invert = true;
 				optarg[0] = '\0';
 				continue;
 			}
@@ -1446,16 +1440,16 @@ int do_command6(int argc, char *argv[], char **table,
 			exit_tryhelp(2);
 
 		default:
-			if (command_default(&cs, &ip6tables_globals) == 1)
+			if (command_default(&cs, &ip6tables_globals, invert))
 				/*
 				 * If new options were loaded, we must retry
 				 * getopt immediately and not allow
-				 * cs.invert=false to be executed.
+				 * invert=false to be executed.
 				 */
 				continue;
 			break;
 		}
-		cs.invert = false;
+		invert = false;
 	}
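Review bot: The `default:` case changes the test on command_default() from `== 1` to any nonzero value, a semantic change hidden inside what is otherwise a rename of `cs.invert` to `invert`; it is only equivalent if command_default() never returns a negative error code, and the parts of xshared.c visible in this series show only `return 0` paths. Either keep `if (command_default(&cs, &ip6tables_globals, invert) == 1)` or state in the commit message that the return is strictly 0/1. The same loosening is made in the iptables.c hunk (`if (command_default(&cs, &iptables_globals, invert))`). do_command6's body extends outside the hunk.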
 
 	if (!wait && wait_interval_set)
@@ -1481,7 +1475,7 @@ int do_command6(int argc, char *argv[], char **table,
 			   "unknown arguments found on commandline");
 	if (!command)
 		xtables_error(PARAMETER_PROBLEM, "no command specified");
-	if (cs.invert)
+	if (invert)
 		xtables_error(PARAMETER_PROBLEM,
 			   "nothing appropriate following !");
 
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 7d6183116d265..0976017383b4d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1078,6 +1078,7 @@ int do_command4(int argc, char *argv[], char **table,
 	struct xtables_target *t;
 	unsigned long long cnt;
 	bool table_set = false;
+	bool invert = false;
 
 	/* re-set optind to 0 in case do_command4 gets called
 	 * a second time */
@@ -1105,20 +1106,17 @@ int do_command4(int argc, char *argv[], char **table,
 			 * Command selection
 			 */
 		case 'A':
-			add_command(&command, CMD_APPEND, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_APPEND, CMD_NONE, invert);
 			chain = optarg;
 			break;
 
 		case 'C':
-			add_command(&command, CMD_CHECK, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_CHECK, CMD_NONE, invert);
 			chain = optarg;
 			break;
 
 		case 'D':
-			add_command(&command, CMD_DELETE, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_DELETE, CMD_NONE, invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv)) {
 				rulenum = parse_rulenumber(argv[optind++]);
@@ -1127,8 +1125,7 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'R':
-			add_command(&command, CMD_REPLACE, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_REPLACE, CMD_NONE, invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				rulenum = parse_rulenumber(argv[optind++]);
@@ -1139,8 +1136,7 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'I':
-			add_command(&command, CMD_INSERT, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_INSERT, CMD_NONE, invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				rulenum = parse_rulenumber(argv[optind++]);
@@ -1149,7 +1145,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'L':
 			add_command(&command, CMD_LIST,
-				    CMD_ZERO | CMD_ZERO_NUM, cs.invert);
+				    CMD_ZERO | CMD_ZERO_NUM, invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1159,7 +1155,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'S':
 			add_command(&command, CMD_LIST_RULES,
-				    CMD_ZERO|CMD_ZERO_NUM, cs.invert);
+				    CMD_ZERO|CMD_ZERO_NUM, invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1168,8 +1164,7 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'F':
-			add_command(&command, CMD_FLUSH, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_FLUSH, CMD_NONE, invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1177,7 +1172,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'Z':
 			add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES,
-				    cs.invert);
+				    invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1189,14 +1184,13 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'N':
 			parse_chain(optarg);
-			add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
-				    cs.invert);
+			add_command(&command, CMD_NEW_CHAIN, CMD_NONE, invert);
 			chain = optarg;
 			break;
 
 		case 'X':
 			add_command(&command, CMD_DELETE_CHAIN, CMD_NONE,
-				    cs.invert);
+				    invert);
 			if (optarg) chain = optarg;
 			else if (xs_has_arg(argc, argv))
 				chain = argv[optind++];
@@ -1204,7 +1198,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'E':
 			add_command(&command, CMD_RENAME_CHAIN, CMD_NONE,
-				    cs.invert);
+				    invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				newname = argv[optind++];
@@ -1217,7 +1211,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'P':
 			add_command(&command, CMD_SET_POLICY, CMD_NONE,
-				    cs.invert);
+				    invert);
 			chain = optarg;
 			if (xs_has_arg(argc, argv))
 				policy = argv[optind++];
@@ -1243,7 +1237,7 @@ int do_command4(int argc, char *argv[], char **table,
 			 */
 		case 'p':
 			set_option(&cs.options, OPT_PROTOCOL, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 
 			/* Canonicalize into lower case */
 			for (cs.protocol = optarg; *cs.protocol; cs.protocol++)
@@ -1260,20 +1254,20 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 's':
 			set_option(&cs.options, OPT_SOURCE, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			shostnetworkmask = optarg;
 			break;
 
 		case 'd':
 			set_option(&cs.options, OPT_DESTINATION, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			dhostnetworkmask = optarg;
 			break;
 
 #ifdef IPT_F_GOTO
 		case 'g':
 			set_option(&cs.options, OPT_JUMP, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			cs.fw.ip.flags |= IPT_F_GOTO;
 			cs.jumpto = xt_parse_target(optarg);
 			break;
@@ -1281,7 +1275,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'j':
 			set_option(&cs.options, OPT_JUMP, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			command_jump(&cs, optarg);
 			break;
 
@@ -1292,7 +1286,7 @@ int do_command4(int argc, char *argv[], char **table,
 					"Empty interface is likely to be "
 					"undesired");
 			set_option(&cs.options, OPT_VIANAMEIN, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw.ip.iniface,
 					cs.fw.ip.iniface_mask);
@@ -1304,7 +1298,7 @@ int do_command4(int argc, char *argv[], char **table,
 					"Empty interface is likely to be "
 					"undesired");
 			set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw.ip.outiface,
 					cs.fw.ip.outiface_mask);
@@ -1312,14 +1306,14 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'f':
 			set_option(&cs.options, OPT_FRAGMENT, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			cs.fw.ip.flags |= IPT_F_FRAG;
 			break;
 
 		case 'v':
 			if (!verbose)
 				set_option(&cs.options, OPT_VERBOSE,
-					   &cs.fw.ip.invflags, cs.invert);
+					   &cs.fw.ip.invflags, invert);
 			verbose++;
 			break;
 
@@ -1343,16 +1337,16 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'm':
-			command_match(&cs);
+			command_match(&cs, invert);
 			break;
 
 		case 'n':
 			set_option(&cs.options, OPT_NUMERIC, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			break;
 
 		case 't':
-			if (cs.invert)
+			if (invert)
 				xtables_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --table");
 			if (restore && table_set)
@@ -1365,11 +1359,11 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'x':
 			set_option(&cs.options, OPT_EXPANDED, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			break;
 
 		case 'V':
-			if (cs.invert)
+			if (invert)
 				printf("Not %s ;-)\n", prog_vers);
 			else
 				printf("%s v%s (legacy)\n",
@@ -1378,7 +1372,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case '0':
 			set_option(&cs.options, OPT_LINENUMBERS, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			break;
 
 		case 'M':
@@ -1388,7 +1382,7 @@ int do_command4(int argc, char *argv[], char **table,
 		case 'c':
 
 			set_option(&cs.options, OPT_COUNTERS, &cs.fw.ip.invflags,
-				   cs.invert);
+				   invert);
 			pcnt = optarg;
 			bcnt = strchr(pcnt + 1, ',');
 			if (bcnt)
@@ -1426,11 +1420,11 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
-				if (cs.invert)
+				if (invert)
 					xtables_error(PARAMETER_PROBLEM,
 						   "multiple consecutive ! not"
 						   " allowed");
-				cs.invert = true;
+				invert = true;
 				optarg[0] = '\0';
 				continue;
 			}
@@ -1438,12 +1432,12 @@ int do_command4(int argc, char *argv[], char **table,
 			exit_tryhelp(2);
 
 		default:
-			if (command_default(&cs, &iptables_globals) == 1)
+			if (command_default(&cs, &iptables_globals, invert))
 				/* cf. ip6tables.c */
 				continue;
 			break;
 		}
-		cs.invert = false;
+		invert = false;
 	}
 
 	if (!wait && wait_interval_set)
@@ -1469,7 +1463,7 @@ int do_command4(int argc, char *argv[], char **table,
 			   "unknown arguments found on commandline");
 	if (!command)
 		xtables_error(PARAMETER_PROBLEM, "no command specified");
-	if (cs.invert)
+	if (invert)
 		xtables_error(PARAMETER_PROBLEM,
 			   "nothing appropriate following !");
 
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 71f689901e1d4..18d8735f3211c 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -115,7 +115,7 @@ struct xtables_match *load_proto(struct iptables_command_state *cs)
 }
 
 int command_default(struct iptables_command_state *cs,
-		    struct xtables_globals *gl)
+		    struct xtables_globals *gl, bool invert)
 {
 	struct xtables_rule_match *matchp;
 	struct xtables_match *m;
@@ -124,7 +124,7 @@ int command_default(struct iptables_command_state *cs,
 	    (cs->target->parse != NULL || cs->target->x6_parse != NULL) &&
 	    cs->c >= cs->target->option_offset &&
 	    cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
-		xtables_option_tpcall(cs->c, cs->argv, cs->invert,
+		xtables_option_tpcall(cs->c, cs->argv, invert,
 				      cs->target, &cs->fw);
 		return 0;
 	}
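Review bot: command_default() now takes the '!' state as an explicit `bool invert` but still carries no comment stating what it returns, even though the do_command4/do_command6 callers act on the value (`continue` to re-run getopt when it is nonzero). A header comment above the definition saying that 0 means the option was dispatched to the target or a loaded match parser, and that a nonzero return means new extension options were loaded and getopt must be retried (the tail of the function is outside the hunk, so confirm the latter against it) would pin that contract and remove the callers' `== 1` versus nonzero ambiguity. The function continues past the hunk.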
@@ -138,7 +138,7 @@ int command_default(struct iptables_command_state *cs,
 		if (cs->c < matchp->match->option_offset ||
 		    cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
 			continue;
-		xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
+		xtables_option_mpcall(cs->c, cs->argv, invert, m, &cs->fw);
 		return 0;
 	}
 
@@ -641,13 +641,13 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 	printf(FMT("%-6s ", "out %s "), iface);
 }
 
-void command_match(struct iptables_command_state *cs)
+void command_match(struct iptables_command_state *cs, bool invert)
 {
 	struct option *opts = xt_params->opts;
 	struct xtables_match *m;
 	size_t size;
 
-	if (cs->invert)
+	if (invert)
 		xtables_error(PARAMETER_PROBLEM,
 			   "unexpected ! flag before --match");
 
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9159b2b1f3768..c2ecb4aed641b 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -125,7 +125,6 @@ struct iptables_command_state {
 		struct ip6t_entry fw6;
 		struct arpt_entry arp;
 	};
-	int invert;
 	int c;
 	unsigned int options;
 	struct xtables_rule_match *matches;
@@ -154,7 +153,7 @@ extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
 extern const char *proto_to_name(uint8_t, int);
 extern int command_default(struct iptables_command_state *,
-	struct xtables_globals *);
+	struct xtables_globals *, bool invert);
 extern struct xtables_match *load_proto(struct iptables_command_state *);
 extern int subcmd_main(int, char **, const struct subcommand *);
 extern void xs_init_target(struct xtables_target *);
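Review bot: The updated prototype `extern int command_default(struct iptables_command_state *, struct xtables_globals *, bool invert);` mixes unnamed and named parameters; name all three, `extern int command_default(struct iptables_command_state *cs, struct xtables_globals *gl, bool invert);`, matching the definition in xshared.c and the `command_match(struct iptables_command_state *cs, bool invert)` prototype further down in this header. This also assumes xshared.h already has <stdbool.h> in scope for `bool`; the hunk does not show the header's includes.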
@@ -212,7 +211,7 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
 void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 		  unsigned int format);
 
-void command_match(struct iptables_command_state *cs);
+void command_match(struct iptables_command_state *cs, bool invert);
 const char *xt_parse_target(const char *targetname);
 void command_jump(struct iptables_command_state *cs, const char *jumpto);
 
diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 83ae77cb07fb2..04b3dfa0bf455 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -220,7 +220,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 	while ((c = getopt_long(argc, argv,
 	   "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
 		cs.c = c;
-		cs.invert = ebt_invert;
 		switch (c) {
 		case 'A': /* Add a rule */
 		case 'D': /* Delete a rule */
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 5bb34d6d292a9..6c58adaa66c1e 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -751,7 +751,6 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
 	while ((c = getopt_long(argc, argv,
 	   "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
 		cs.c = c;
-		cs.invert = ebt_invert;
 		switch (c) {
 
 		case 'A': /* Add a rule */
diff --git a/iptables/xtables.c b/iptables/xtables.c
index c3d82014778b2..73531ca88b517 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -240,7 +240,7 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 
 static void
 set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
-	   int invert)
+	   bool invert)
 {
 	if (*options & option)
 		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
@@ -466,6 +466,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 	struct timeval wait_interval;
 	struct xtables_target *t;
 	bool table_set = false;
+	bool invert = false;
 	int wait = 0;
 
 	memset(cs, 0, sizeof(*cs));
@@ -499,20 +500,17 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			 * Command selection
 			 */
 		case 'A':
-			add_command(&p->command, CMD_APPEND, CMD_NONE,
-				    cs->invert);
+			add_command(&p->command, CMD_APPEND, CMD_NONE, invert);
 			p->chain = optarg;
 			break;
 
 		case 'C':
-			add_command(&p->command, CMD_CHECK, CMD_NONE,
-				    cs->invert);
+			add_command(&p->command, CMD_CHECK, CMD_NONE, invert);
 			p->chain = optarg;
 			break;
 
 		case 'D':
-			add_command(&p->command, CMD_DELETE, CMD_NONE,
-				    cs->invert);
+			add_command(&p->command, CMD_DELETE, CMD_NONE, invert);
 			p->chain = optarg;
 			if (xs_has_arg(argc, argv)) {
 				p->rulenum = parse_rulenumber(argv[optind++]);
@@ -521,8 +519,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			break;
 
 		case 'R':
-			add_command(&p->command, CMD_REPLACE, CMD_NONE,
-				    cs->invert);
+			add_command(&p->command, CMD_REPLACE, CMD_NONE, invert);
 			p->chain = optarg;
 			if (xs_has_arg(argc, argv))
 				p->rulenum = parse_rulenumber(argv[optind++]);
@@ -533,8 +530,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			break;
 
 		case 'I':
-			add_command(&p->command, CMD_INSERT, CMD_NONE,
-				    cs->invert);
+			add_command(&p->command, CMD_INSERT, CMD_NONE, invert);
 			p->chain = optarg;
 			if (xs_has_arg(argc, argv))
 				p->rulenum = parse_rulenumber(argv[optind++]);
@@ -544,7 +540,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'L':
 			add_command(&p->command, CMD_LIST,
-				    CMD_ZERO | CMD_ZERO_NUM, cs->invert);
+				    CMD_ZERO | CMD_ZERO_NUM, invert);
 			if (optarg)
 				p->chain = optarg;
 			else if (xs_has_arg(argc, argv))
@@ -555,7 +551,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'S':
 			add_command(&p->command, CMD_LIST_RULES,
-				    CMD_ZERO|CMD_ZERO_NUM, cs->invert);
+				    CMD_ZERO|CMD_ZERO_NUM, invert);
 			if (optarg)
 				p->chain = optarg;
 			else if (xs_has_arg(argc, argv))
@@ -565,8 +561,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			break;
 
 		case 'F':
-			add_command(&p->command, CMD_FLUSH, CMD_NONE,
-				    cs->invert);
+			add_command(&p->command, CMD_FLUSH, CMD_NONE, invert);
 			if (optarg)
 				p->chain = optarg;
 			else if (xs_has_arg(argc, argv))
@@ -575,7 +570,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'Z':
 			add_command(&p->command, CMD_ZERO,
-				    CMD_LIST|CMD_LIST_RULES, cs->invert);
+				    CMD_LIST|CMD_LIST_RULES, invert);
 			if (optarg)
 				p->chain = optarg;
 			else if (xs_has_arg(argc, argv))
@@ -596,13 +591,13 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					   "chain name may not clash "
 					   "with target name\n");
 			add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
-				    cs->invert);
+				    invert);
 			p->chain = optarg;
 			break;
 
 		case 'X':
 			add_command(&p->command, CMD_DELETE_CHAIN, CMD_NONE,
-				    cs->invert);
+				    invert);
 			if (optarg)
 				p->chain = optarg;
 			else if (xs_has_arg(argc, argv))
@@ -611,7 +606,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'E':
 			add_command(&p->command, CMD_RENAME_CHAIN, CMD_NONE,
-				    cs->invert);
+				    invert);
 			p->chain = optarg;
 			if (xs_has_arg(argc, argv))
 				p->newname = argv[optind++];
@@ -624,7 +619,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'P':
 			add_command(&p->command, CMD_SET_POLICY, CMD_NONE,
-				    cs->invert);
+				    invert);
 			p->chain = optarg;
 			if (xs_has_arg(argc, argv))
 				p->policy = argv[optind++];
@@ -652,7 +647,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			 */
 		case 'p':
 			set_option(&cs->options, OPT_PROTOCOL,
-				   &args->invflags, cs->invert);
+				   &args->invflags, invert);
 
 			/* Canonicalize into lower case */
 			for (cs->protocol = optarg; *cs->protocol; cs->protocol++)
@@ -672,20 +667,20 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 's':
 			set_option(&cs->options, OPT_SOURCE,
-				   &args->invflags, cs->invert);
+				   &args->invflags, invert);
 			args->shostnetworkmask = optarg;
 			break;
 
 		case 'd':
 			set_option(&cs->options, OPT_DESTINATION,
-				   &args->invflags, cs->invert);
+				   &args->invflags, invert);
 			args->dhostnetworkmask = optarg;
 			break;
 
 #ifdef IPT_F_GOTO
 		case 'g':
 			set_option(&cs->options, OPT_JUMP, &args->invflags,
-				   cs->invert);
+				   invert);
 			args->goto_set = true;
 			cs->jumpto = xt_parse_target(optarg);
 			break;
@@ -693,7 +688,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'j':
 			set_option(&cs->options, OPT_JUMP, &args->invflags,
-				   cs->invert);
+				   invert);
 			command_jump(cs, optarg);
 			break;
 
@@ -704,7 +699,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					"Empty interface is likely to be "
 					"undesired");
 			set_option(&cs->options, OPT_VIANAMEIN,
-				   &args->invflags, cs->invert);
+				   &args->invflags, invert);
 			xtables_parse_interface(optarg,
 						args->iniface,
 						args->iniface_mask);
@@ -716,7 +711,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					"Empty interface is likely to be "
 					"undesired");
 			set_option(&cs->options, OPT_VIANAMEOUT,
-				   &args->invflags, cs->invert);
+				   &args->invflags, invert);
 			xtables_parse_interface(optarg,
 						args->outiface,
 						args->outiface_mask);
@@ -729,28 +724,28 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					"use -m frag instead");
 			}
 			set_option(&cs->options, OPT_FRAGMENT, &args->invflags,
-				   cs->invert);
+				   invert);
 			args->flags |= IPT_F_FRAG;
 			break;
 
 		case 'v':
 			if (!p->verbose)
 				set_option(&cs->options, OPT_VERBOSE,
-					   &args->invflags, cs->invert);
+					   &args->invflags, invert);
 			p->verbose++;
 			break;
 
 		case 'm':
-			command_match(cs);
+			command_match(cs, invert);
 			break;
 
 		case 'n':
 			set_option(&cs->options, OPT_NUMERIC, &args->invflags,
-				   cs->invert);
+				   invert);
 			break;
 
 		case 't':
-			if (cs->invert)
+			if (invert)
 				xtables_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --table");
 			if (p->restore && table_set)
@@ -767,11 +762,11 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'x':
 			set_option(&cs->options, OPT_EXPANDED, &args->invflags,
-				   cs->invert);
+				   invert);
 			break;
 
 		case 'V':
-			if (cs->invert)
+			if (invert)
 				printf("Not %s ;-)\n", prog_vers);
 			else
 				printf("%s v%s (nf_tables)\n",
@@ -801,7 +796,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case '0':
 			set_option(&cs->options, OPT_LINENUMBERS,
-				   &args->invflags, cs->invert);
+				   &args->invflags, invert);
 			break;
 
 		case 'M':
@@ -810,7 +805,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 'c':
 			set_option(&cs->options, OPT_COUNTERS, &args->invflags,
-				   cs->invert);
+				   invert);
 			args->pcnt = optarg;
 			args->bcnt = strchr(args->pcnt + 1, ',');
 			if (args->bcnt)
@@ -853,11 +848,11 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
-				if (cs->invert)
+				if (invert)
 					xtables_error(PARAMETER_PROBLEM,
 						   "multiple consecutive ! not"
 						   " allowed");
-				cs->invert = true;
+				invert = true;
 				optarg[0] = '\0';
 				continue;
 			}
@@ -865,12 +860,12 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			exit_tryhelp(2);
 
 		default:
-			if (command_default(cs, &xtables_globals) == 1)
+			if (command_default(cs, &xtables_globals, invert))
 				/* cf. ip6tables.c */
 				continue;
 			break;
 		}
-		cs->invert = false;
+		invert = false;
 	}
 
 	if (strcmp(p->table, "nat") == 0 &&
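Review bot: The `default:` branch swaps `command_default(cs, &xtables_globals) == 1` for a plain non-zero test while adding the `invert` argument; `command_default()` is declared as returning `int` (see the xshared.h prototype later in the series), so any non-zero value other than 1 now takes the `continue` path where it previously fell through to `break`. If the function only ever returns 0 or 1 this is harmless, but it is a behavioural change unrelated to dropping `cs->invert` and is worth a line in the commit message, or keep `if (command_default(cs, &xtables_globals, invert) == 1)` here. do_parse() starts before this hunk and continues past it.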
@@ -896,7 +891,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			   "unknown arguments found on commandline");
 	if (!p->command)
 		xtables_error(PARAMETER_PROBLEM, "no command specified");
-	if (cs->invert)
+	if (invert)
 		xtables_error(PARAMETER_PROBLEM,
 			   "nothing appropriate following !");
 
-- 
2.31.0



* [iptables PATCH 3/5] xshared: Merge invflags handling code
@ 2021-04-28 17:36 ` Phil Sutter
From: Phil Sutter @ 2021-04-28 17:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Join invflags handling between iptables, ip6tables, xtables and
arptables. Ebtables still has its own code which differs quite a bit.

In order to use a shared set_option() routine, iptables and ip6tables
need to provide a local 'invflags' variable which is 16bits wide.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c   | 73 ++++++++++--------------------------------
 iptables/iptables.c    | 72 ++++++++++-------------------------------
 iptables/nft-arp.h     |  7 ----
 iptables/xshared.c     | 43 +++++++++++++++++++++++++
 iptables/xshared.h     | 11 +++++++
 iptables/xtables-arp.c | 44 -------------------------
 iptables/xtables.c     | 37 ---------------------
 7 files changed, 88 insertions(+), 199 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 60db11b7131e5..044d9a33a0266 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -96,21 +96,6 @@ struct xtables_globals ip6tables_globals = {
 	.compat_rev = xtables_compatible_revision,
 };
 
-static const unsigned int inverse_for_options[NUMBER_OF_OPT] =
-{
-/* -n */ 0,
-/* -s */ IP6T_INV_SRCIP,
-/* -d */ IP6T_INV_DSTIP,
-/* -p */ XT_INV_PROTO,
-/* -j */ 0,
-/* -v */ 0,
-/* -x */ 0,
-/* -i */ IP6T_INV_VIA_IN,
-/* -o */ IP6T_INV_VIA_OUT,
-/*--line*/ 0,
-/* -c */ 0,
-};
-
 #define opts ip6tables_globals.opts
 #define prog_name ip6tables_globals.program_name
 #define prog_vers ip6tables_globals.program_version
@@ -274,28 +259,6 @@ parse_chain(const char *chainname)
 				   "Invalid chain name `%s'", chainname);
 }
 
-static void
-set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
-	   int invert)
-{
-	if (*options & option)
-		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
-			   opt2char(option));
-	*options |= option;
-
-	if (invert) {
-		unsigned int i;
-		for (i = 0; 1 << i != option; i++);
-
-		if (!inverse_for_options[i])
-			xtables_error(PARAMETER_PROBLEM,
-				   "cannot have ! before -%c",
-				   opt2char(option));
-		*invflg |= inverse_for_options[i];
-	}
-}
-
-
 static void
 print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
 {
@@ -1083,6 +1046,7 @@ int do_command6(int argc, char *argv[], char **table,
 	struct xtables_target *t;
 	unsigned long long cnt;
 	bool table_set = false;
+	uint16_t invflags = 0;
 	bool invert = false;
 
 	/* re-set optind to 0 in case do_command6 gets called
@@ -1242,7 +1206,7 @@ int do_command6(int argc, char *argv[], char **table,
 			 * Option selection
 			 */
 		case 'p':
-			set_option(&cs.options, OPT_PROTOCOL, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_PROTOCOL, &invflags,
 				   invert);
 
 			/* Canonicalize into lower case */
@@ -1253,13 +1217,12 @@ int do_command6(int argc, char *argv[], char **table,
 			cs.fw6.ipv6.proto = xtables_parse_protocol(cs.protocol);
 			cs.fw6.ipv6.flags |= IP6T_F_PROTO;
 
-			if (cs.fw6.ipv6.proto == 0
-			    && (cs.fw6.ipv6.invflags & XT_INV_PROTO))
+			if (cs.fw6.ipv6.proto == 0 && (invflags & XT_INV_PROTO))
 				xtables_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
 
 			if (is_exthdr(cs.fw6.ipv6.proto)
-			    && (cs.fw6.ipv6.invflags & XT_INV_PROTO) == 0)
+			    && (invflags & XT_INV_PROTO) == 0)
 				fprintf(stderr,
 					"Warning: never matched protocol: %s. "
 					"use extension match instead.\n",
@@ -1267,29 +1230,26 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 's':
-			set_option(&cs.options, OPT_SOURCE, &cs.fw6.ipv6.invflags,
-				   invert);
+			set_option(&cs.options, OPT_SOURCE, &invflags, invert);
 			shostnetworkmask = optarg;
 			break;
 
 		case 'd':
-			set_option(&cs.options, OPT_DESTINATION, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_DESTINATION, &invflags,
 				   invert);
 			dhostnetworkmask = optarg;
 			break;
 
 #ifdef IP6T_F_GOTO
 		case 'g':
-			set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
-					invert);
+			set_option(&cs.options, OPT_JUMP, &invflags, invert);
 			cs.fw6.ipv6.flags |= IP6T_F_GOTO;
 			cs.jumpto = xt_parse_target(optarg);
 			break;
 #endif
 
 		case 'j':
-			set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
-					invert);
+			set_option(&cs.options, OPT_JUMP, &invflags, invert);
 			command_jump(&cs, optarg);
 			break;
 
@@ -1299,7 +1259,7 @@ int do_command6(int argc, char *argv[], char **table,
 				xtables_error(PARAMETER_PROBLEM,
 					"Empty interface is likely to be "
 					"undesired");
-			set_option(&cs.options, OPT_VIANAMEIN, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_VIANAMEIN, &invflags,
 				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw6.ipv6.iniface,
@@ -1311,7 +1271,7 @@ int do_command6(int argc, char *argv[], char **table,
 				xtables_error(PARAMETER_PROBLEM,
 					"Empty interface is likely to be "
 					"undesired");
-			set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_VIANAMEOUT, &invflags,
 				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw6.ipv6.outiface,
@@ -1321,7 +1281,7 @@ int do_command6(int argc, char *argv[], char **table,
 		case 'v':
 			if (!verbose)
 				set_option(&cs.options, OPT_VERBOSE,
-					   &cs.fw6.ipv6.invflags, invert);
+					   &invflags, invert);
 			verbose++;
 			break;
 
@@ -1349,8 +1309,7 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 'n':
-			set_option(&cs.options, OPT_NUMERIC, &cs.fw6.ipv6.invflags,
-				   invert);
+			set_option(&cs.options, OPT_NUMERIC, &invflags, invert);
 			break;
 
 		case 't':
@@ -1366,7 +1325,7 @@ int do_command6(int argc, char *argv[], char **table,
 			break;
 
 		case 'x':
-			set_option(&cs.options, OPT_EXPANDED, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_EXPANDED, &invflags,
 				   invert);
 			break;
 
@@ -1379,7 +1338,7 @@ int do_command6(int argc, char *argv[], char **table,
 			exit(0);
 
 		case '0':
-			set_option(&cs.options, OPT_LINENUMBERS, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_LINENUMBERS, &invflags,
 				   invert);
 			break;
 
@@ -1389,7 +1348,7 @@ int do_command6(int argc, char *argv[], char **table,
 
 		case 'c':
 
-			set_option(&cs.options, OPT_COUNTERS, &cs.fw6.ipv6.invflags,
+			set_option(&cs.options, OPT_COUNTERS, &invflags,
 				   invert);
 			pcnt = optarg;
 			bcnt = strchr(pcnt + 1, ',');
@@ -1479,6 +1438,8 @@ int do_command6(int argc, char *argv[], char **table,
 		xtables_error(PARAMETER_PROBLEM,
 			   "nothing appropriate following !");
 
+	cs.fw6.ipv6.invflags = invflags;
+
 	if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND | CMD_CHECK)) {
 		if (!(cs.options & OPT_DESTINATION))
 			dhostnetworkmask = "::0/0";
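Review bot: `cs.fw6.ipv6.invflags = invflags;` narrows the new 16-bit local into the kernel-facing field, which the removed `set_option()` in this file took as `uint8_t *invflg`; the same assignment is added in iptables.c (`cs.fw.ip.invflags = invflags;`). The only rows of the shared table above 0xff are the ARP-specific ones (IPT_INV_TGTDEVADDR and up), which no ip6tables/iptables option can select, so nothing is lost today, but the silent truncation hides that assumption and trips `-Wconversion`. An explicit cast with a comment, `cs.fw6.ipv6.invflags = (uint8_t)invflags; /* only IP6T_INV_* bits reachable here */`, would make it visible. do_command6() starts and ends outside this hunk.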
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 0976017383b4d..da67dd2e1e997 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -94,22 +94,6 @@ struct xtables_globals iptables_globals = {
 	.compat_rev = xtables_compatible_revision,
 };
 
-static const int inverse_for_options[NUMBER_OF_OPT] =
-{
-/* -n */ 0,
-/* -s */ IPT_INV_SRCIP,
-/* -d */ IPT_INV_DSTIP,
-/* -p */ XT_INV_PROTO,
-/* -j */ 0,
-/* -v */ 0,
-/* -x */ 0,
-/* -i */ IPT_INV_VIA_IN,
-/* -o */ IPT_INV_VIA_OUT,
-/*--line*/ 0,
-/* -c */ 0,
-/* -f */ IPT_INV_FRAG,
-};
-
 #define opts iptables_globals.opts
 #define prog_name iptables_globals.program_name
 #define prog_vers iptables_globals.program_version
@@ -265,27 +249,6 @@ parse_chain(const char *chainname)
 				   "Invalid chain name `%s'", chainname);
 }
 
-static void
-set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
-	   int invert)
-{
-	if (*options & option)
-		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
-			   opt2char(option));
-	*options |= option;
-
-	if (invert) {
-		unsigned int i;
-		for (i = 0; 1 << i != option; i++);
-
-		if (!inverse_for_options[i])
-			xtables_error(PARAMETER_PROBLEM,
-				   "cannot have ! before -%c",
-				   opt2char(option));
-		*invflg |= inverse_for_options[i];
-	}
-}
-
 static void
 print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
 {
@@ -1078,6 +1041,7 @@ int do_command4(int argc, char *argv[], char **table,
 	struct xtables_target *t;
 	unsigned long long cnt;
 	bool table_set = false;
+	uint16_t invflags = 0;
 	bool invert = false;
 
 	/* re-set optind to 0 in case do_command4 gets called
@@ -1236,7 +1200,7 @@ int do_command4(int argc, char *argv[], char **table,
 			 * Option selection
 			 */
 		case 'p':
-			set_option(&cs.options, OPT_PROTOCOL, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_PROTOCOL, &invflags,
 				   invert);
 
 			/* Canonicalize into lower case */
@@ -1246,36 +1210,32 @@ int do_command4(int argc, char *argv[], char **table,
 			cs.protocol = optarg;
 			cs.fw.ip.proto = xtables_parse_protocol(cs.protocol);
 
-			if (cs.fw.ip.proto == 0
-			    && (cs.fw.ip.invflags & XT_INV_PROTO))
+			if (cs.fw.ip.proto == 0 && (invflags & XT_INV_PROTO))
 				xtables_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
 			break;
 
 		case 's':
-			set_option(&cs.options, OPT_SOURCE, &cs.fw.ip.invflags,
-				   invert);
+			set_option(&cs.options, OPT_SOURCE, &invflags, invert);
 			shostnetworkmask = optarg;
 			break;
 
 		case 'd':
-			set_option(&cs.options, OPT_DESTINATION, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_DESTINATION, &invflags,
 				   invert);
 			dhostnetworkmask = optarg;
 			break;
 
 #ifdef IPT_F_GOTO
 		case 'g':
-			set_option(&cs.options, OPT_JUMP, &cs.fw.ip.invflags,
-				   invert);
+			set_option(&cs.options, OPT_JUMP, &invflags, invert);
 			cs.fw.ip.flags |= IPT_F_GOTO;
 			cs.jumpto = xt_parse_target(optarg);
 			break;
 #endif
 
 		case 'j':
-			set_option(&cs.options, OPT_JUMP, &cs.fw.ip.invflags,
-				   invert);
+			set_option(&cs.options, OPT_JUMP, &invflags, invert);
 			command_jump(&cs, optarg);
 			break;
 
@@ -1285,7 +1245,7 @@ int do_command4(int argc, char *argv[], char **table,
 				xtables_error(PARAMETER_PROBLEM,
 					"Empty interface is likely to be "
 					"undesired");
-			set_option(&cs.options, OPT_VIANAMEIN, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_VIANAMEIN, &invflags,
 				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw.ip.iniface,
@@ -1297,7 +1257,7 @@ int do_command4(int argc, char *argv[], char **table,
 				xtables_error(PARAMETER_PROBLEM,
 					"Empty interface is likely to be "
 					"undesired");
-			set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_VIANAMEOUT, &invflags,
 				   invert);
 			xtables_parse_interface(optarg,
 					cs.fw.ip.outiface,
@@ -1305,7 +1265,7 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'f':
-			set_option(&cs.options, OPT_FRAGMENT, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_FRAGMENT, &invflags,
 				   invert);
 			cs.fw.ip.flags |= IPT_F_FRAG;
 			break;
@@ -1313,7 +1273,7 @@ int do_command4(int argc, char *argv[], char **table,
 		case 'v':
 			if (!verbose)
 				set_option(&cs.options, OPT_VERBOSE,
-					   &cs.fw.ip.invflags, invert);
+					   &invflags, invert);
 			verbose++;
 			break;
 
@@ -1341,7 +1301,7 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'n':
-			set_option(&cs.options, OPT_NUMERIC, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_NUMERIC, &invflags,
 				   invert);
 			break;
 
@@ -1358,7 +1318,7 @@ int do_command4(int argc, char *argv[], char **table,
 			break;
 
 		case 'x':
-			set_option(&cs.options, OPT_EXPANDED, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_EXPANDED, &invflags,
 				   invert);
 			break;
 
@@ -1371,7 +1331,7 @@ int do_command4(int argc, char *argv[], char **table,
 			exit(0);
 
 		case '0':
-			set_option(&cs.options, OPT_LINENUMBERS, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_LINENUMBERS, &invflags,
 				   invert);
 			break;
 
@@ -1381,7 +1341,7 @@ int do_command4(int argc, char *argv[], char **table,
 
 		case 'c':
 
-			set_option(&cs.options, OPT_COUNTERS, &cs.fw.ip.invflags,
+			set_option(&cs.options, OPT_COUNTERS, &invflags,
 				   invert);
 			pcnt = optarg;
 			bcnt = strchr(pcnt + 1, ',');
@@ -1467,6 +1427,8 @@ int do_command4(int argc, char *argv[], char **table,
 		xtables_error(PARAMETER_PROBLEM,
 			   "nothing appropriate following !");
 
+	cs.fw.ip.invflags = invflags;
+
 	if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND | CMD_CHECK)) {
 		if (!(cs.options & OPT_DESTINATION))
 			dhostnetworkmask = "0.0.0.0/0";
diff --git a/iptables/nft-arp.h b/iptables/nft-arp.h
index 0d93a31f563b1..3411fc3d7c7b3 100644
--- a/iptables/nft-arp.h
+++ b/iptables/nft-arp.h
@@ -4,11 +4,4 @@
 extern char *arp_opcodes[];
 #define NUMOPCODES 9
 
-/* define invflags which won't collide with IPT ones */
-#define IPT_INV_SRCDEVADDR	0x0080
-#define IPT_INV_TGTDEVADDR	0x0100
-#define IPT_INV_ARPHLN		0x0200
-#define IPT_INV_ARPOP		0x0400
-#define IPT_INV_ARPHRD		0x0800
-
 #endif
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 18d8735f3211c..5e3a6aeb343a6 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -853,3 +853,46 @@ char opt2char(int option)
 
 	return *ptr;
 }
+
+static const int inverse_for_options[NUMBER_OF_OPT] =
+{
+/* -n */ 0,
+/* -s */ IPT_INV_SRCIP,
+/* -d */ IPT_INV_DSTIP,
+/* -p */ XT_INV_PROTO,
+/* -j */ 0,
+/* -v */ 0,
+/* -x */ 0,
+/* -i */ IPT_INV_VIA_IN,
+/* -o */ IPT_INV_VIA_OUT,
+/*--line*/ 0,
+/* -c */ 0,
+/* -f */ IPT_INV_FRAG,
+/* 2 */ IPT_INV_SRCDEVADDR,
+/* 3 */ IPT_INV_TGTDEVADDR,
+/* -l */ IPT_INV_ARPHLN,
+/* 4 */ IPT_INV_ARPOP,
+/* 5 */ IPT_INV_ARPHRD,
+/* 6 */ IPT_INV_PROTO,
+};
+
+void
+set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+	   bool invert)
+{
+	if (*options & option)
+		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
+			   opt2char(option));
+	*options |= option;
+
+	if (invert) {
+		unsigned int i;
+		for (i = 0; 1 << i != option; i++);
+
+		if (!inverse_for_options[i])
+			xtables_error(PARAMETER_PROBLEM,
+				   "cannot have ! before -%c",
+				   opt2char(option));
+		*invflg |= inverse_for_options[i];
+	}
+}
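Review bot: The merged `inverse_for_options` table is not a strict superset of the arptables one it replaces: the `-p` row now holds XT_INV_PROTO and the `-f` row IPT_INV_FRAG where xtables-arp.c had 0, so if either option is reachable from the arptables parser, `!` before it is now accepted instead of failing with "cannot have ! before -%c"; if that is intended, the commit message should say so. Separately, now that `set_option()` is exported rather than file-local, the bit search `for (i = 0; 1 << i != option; i++);` relies on every caller passing exactly one OPT_* bit that has a row in the table, otherwise it shifts past the width of int and indexes beyond the array. Bounding it, `for (i = 0; i < NUMBER_OF_OPT && 1 << i != option; i++);` followed by `if (i == NUMBER_OF_OPT || !inverse_for_options[i])`, turns a bad caller into the existing error instead of undefined behaviour.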
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c2ecb4aed641b..c4de0292f4d8e 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -68,6 +68,17 @@ struct xtables_globals;
 struct xtables_rule_match;
 struct xtables_target;
 
+/* define invflags which won't collide with IPT ones */
+#define IPT_INV_SRCDEVADDR	0x0080
+#define IPT_INV_TGTDEVADDR	0x0100
+#define IPT_INV_ARPHLN		0x0200
+#define IPT_INV_ARPOP		0x0400
+#define IPT_INV_ARPHRD		0x0800
+
+void
+set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
+	   bool invert);
+
 /**
  * xtables_afinfo - protocol family dependent information
  * @kmod:		kernel module basename (e.g. "ip_tables")
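Review bot: The newly exported `set_option()` declaration carries no comment, and its failure mode is not visible from the signature: it returns nothing and exits through xtables_error() when `option` is already set in `*options` or when `invert` is requested for an option whose table row is 0. A comment above the prototype such as `/* Record option in *options and, if invert, OR its inverse flag into *invflg; exits via xtables_error() on a repeated option or on '!' before a non-invertible one. */` would document that for the other front-ends now calling it. The parameter type `u_int16_t` is also the sys/types spelling while the new locals in ip6tables.c and iptables.c use `uint16_t`; using `uint16_t` here and in the xshared.c definition keeps the header on <stdint.h> only.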
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 4a89ae9507051..4a351f0cab4a7 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -105,29 +105,6 @@ struct xtables_globals arptables_globals = {
 	.compat_rev		= nft_compatible_revision,
 };
 
-/* index relates to bit of each OPT_* value */
-static int inverse_for_options[] =
-{
-/* -n */ 0,
-/* -s */ IPT_INV_SRCIP,
-/* -d */ IPT_INV_DSTIP,
-/* -p */ 0,
-/* -j */ 0,
-/* -v */ 0,
-/* -x */ 0,
-/* -i */ IPT_INV_VIA_IN,
-/* -o */ IPT_INV_VIA_OUT,
-/*--line*/ 0,
-/* -c */ 0,
-/* -f */ 0,
-/* 2 */ IPT_INV_SRCDEVADDR,
-/* 3 */ IPT_INV_TGTDEVADDR,
-/* -l */ IPT_INV_ARPHLN,
-/* 4 */ IPT_INV_ARPOP,
-/* 5 */ IPT_INV_ARPHRD,
-/* 6 */ IPT_INV_PROTO,
-};
-
 /***********************************************/
 /* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */
 /***********************************************/
@@ -298,27 +275,6 @@ check_inverse(const char option[], int *invert, int *optidx, int argc)
 	return false;
 }
 
-static void
-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
-	   int invert)
-{
-	if (*options & option)
-		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
-			      opt2char(option));
-	*options |= option;
-
-	if (invert) {
-		unsigned int i;
-		for (i = 0; 1 << i != option; i++);
-
-		if (!inverse_for_options[i])
-			xtables_error(PARAMETER_PROBLEM,
-				      "cannot have ! before -%c",
-				      opt2char(option));
-		*invflg |= inverse_for_options[i];
-	}
-}
-
 static int
 list_entries(struct nft_handle *h, const char *chain, const char *table,
 	     int rulenum, int verbose, int numeric, int expanded,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 73531ca88b517..daa9b137b5fa4 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -94,22 +94,6 @@ struct xtables_globals xtables_globals = {
 	.compat_rev = nft_compatible_revision,
 };
 
-static const int inverse_for_options[NUMBER_OF_OPT] =
-{
-/* -n */ 0,
-/* -s */ IPT_INV_SRCIP,
-/* -d */ IPT_INV_DSTIP,
-/* -p */ XT_INV_PROTO,
-/* -j */ 0,
-/* -v */ 0,
-/* -x */ 0,
-/* -i */ IPT_INV_VIA_IN,
-/* -o */ IPT_INV_VIA_OUT,
-/*--line*/ 0,
-/* -c */ 0,
-/* -f */ IPT_INV_FRAG,
-};
-
 #define opts xt_params->opts
 #define prog_name xt_params->program_name
 #define prog_vers xt_params->program_version
@@ -238,27 +222,6 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
 
 /* Christophe Burki wants `-p 6' to imply `-m tcp'.  */
 
-static void
-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
-	   bool invert)
-{
-	if (*options & option)
-		xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed",
-			   opt2char(option));
-	*options |= option;
-
-	if (invert) {
-		unsigned int i;
-		for (i = 0; 1 << i != option; i++);
-
-		if (!inverse_for_options[i])
-			xtables_error(PARAMETER_PROBLEM,
-				   "cannot have ! before -%c",
-				   opt2char(option));
-		*invflg |= inverse_for_options[i];
-	}
-}
-
 static int
 add_entry(const char *chain,
 	  const char *table,
-- 
2.31.0



* [iptables PATCH 4/5] ebtables-translate: Use shared ebt_get_current_chain() function
@ 2021-04-28 17:36 ` Phil Sutter
From: Phil Sutter @ 2021-04-28 17:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Drop the local reimplementation. It was barely different enough to
be buggy:

| % ebtables-nft -A foo -o eth0 -j ACCEPT
| % xtables-nft-multi ebtables-translate -A foo -o eth0 -j ACCEPT
| ebtables-translate v1.8.5 (nf_tables): Use -o only in OUTPUT, FORWARD and POSTROUTING chains
| Try `ebtables-translate -h' or 'ebtables-translate --help' for more information.

With this change, output is as expected:

| % xtables-nft-multi ebtables-translate -A foo -o eth0 -j ACCEPT
| nft add rule bridge filter foo oifname "eth0" counter accept

This is roughly the same issue fixed in commit e1ccd979e6849 ("ebtables:
fix over-eager -o checks on custom chains").

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb-translate.c | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 04b3dfa0bf455..0539a829d3ff8 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -64,22 +64,6 @@ static int parse_rule_number(const char *rule)
 	return rule_nr;
 }
 
-static int get_current_chain(const char *chain)
-{
-	if (strcmp(chain, "PREROUTING") == 0)
-		return NF_BR_PRE_ROUTING;
-	else if (strcmp(chain, "INPUT") == 0)
-		return NF_BR_LOCAL_IN;
-	else if (strcmp(chain, "FORWARD") == 0)
-		return NF_BR_FORWARD;
-	else if (strcmp(chain, "OUTPUT") == 0)
-		return NF_BR_LOCAL_OUT;
-	else if (strcmp(chain, "POSTROUTING") == 0)
-		return NF_BR_POST_ROUTING;
-
-	return -1;
-}
-
 /*
  * The original ebtables parser
  */
@@ -240,7 +224,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 					      "Multiple commands are not allowed");
 			command = c;
 			chain = optarg;
-			selected_chain = get_current_chain(chain);
+			selected_chain = ebt_get_current_chain(chain);
 			p.chain = chain;
 			flags |= OPT_COMMAND;
 
-- 
2.31.0



* [iptables PATCH 5/5] Use proto_to_name() from xshared in more places
@ 2021-04-28 17:36 ` Phil Sutter
From: Phil Sutter @ 2021-04-28 17:36 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Share the common proto name lookup code. While being at it, make proto
number variable 16bit, values may exceed 256.

This aligns iptables-nft '-p' argument printing with legacy iptables. In
practice, this should make a difference only in corner cases.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/xtables.h     |  2 +-
 iptables/ip6tables.c  | 22 +++++-----------------
 iptables/iptables.c   | 20 +++++---------------
 iptables/nft-shared.c |  6 +++---
 iptables/xshared.c    |  2 +-
 iptables/xshared.h    |  2 +-
 6 files changed, 16 insertions(+), 38 deletions(-)

diff --git a/include/xtables.h b/include/xtables.h
index df1eaee326643..1fd5f63ac4b69 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -395,7 +395,7 @@ struct xtables_rule_match {
  */
 struct xtables_pprot {
 	const char *name;
-	uint8_t num;
+	uint16_t num;
 };
 
 enum xtables_tryload {
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 044d9a33a0266..e967c040fd3c9 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -759,28 +759,16 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
 	}
 }
 
-/* The ip6tables looks up the /etc/protocols. */
 static void print_proto(uint16_t proto, int invert)
 {
 	if (proto) {
-		unsigned int i;
+		const char *pname = proto_to_name(proto, 0);
 		const char *invertstr = invert ? " !" : "";
 
-		const struct protoent *pent = getprotobynumber(proto);
-		if (pent) {
-			printf("%s -p %s",
-			       invertstr, pent->p_name);
-			return;
-		}
-
-		for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
-			if (xtables_chain_protos[i].num == proto) {
-				printf("%s -p %s",
-				       invertstr, xtables_chain_protos[i].name);
-				return;
-			}
-
-		printf("%s -p %u", invertstr, proto);
+		if (pname)
+			printf("%s -p %s", invertstr, pname);
+		else
+			printf("%s -p %u", invertstr, proto);
 	}
 }
 
diff --git a/iptables/iptables.c b/iptables/iptables.c
index da67dd2e1e997..b925f0892e0d5 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -727,23 +727,13 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 static void print_proto(uint16_t proto, int invert)
 {
 	if (proto) {
-		unsigned int i;
+		const char *pname = proto_to_name(proto, 0);
 		const char *invertstr = invert ? " !" : "";
 
-		const struct protoent *pent = getprotobynumber(proto);
-		if (pent) {
-			printf("%s -p %s", invertstr, pent->p_name);
-			return;
-		}
-
-		for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
-			if (xtables_chain_protos[i].num == proto) {
-				printf("%s -p %s",
-				       invertstr, xtables_chain_protos[i].name);
-				return;
-			}
-
-		printf("%s -p %u", invertstr, proto);
+		if (pname)
+			printf("%s -p %s", invertstr, pname);
+		else
+			printf("%s -p %u", invertstr, proto);
 	}
 }
 
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index c1664b50f9383..4253b08196d29 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -826,13 +826,13 @@ void save_rule_details(const struct iptables_command_state *cs,
 	}
 
 	if (proto > 0) {
-		const struct protoent *pent = getprotobynumber(proto);
+		const char *pname = proto_to_name(proto, 0);
 
 		if (invflags & XT_INV_PROTO)
 			printf("! ");
 
-		if (pent)
-			printf("-p %s ", pent->p_name);
+		if (pname)
+			printf("-p %s ", pname);
 		else
 			printf("-p %u ", proto);
 	}
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 5e3a6aeb343a6..eff4898db3f9a 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -48,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
 }
 
 const char *
-proto_to_name(uint8_t proto, int nolookup)
+proto_to_name(uint16_t proto, int nolookup)
 {
 	unsigned int i;
 
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c4de0292f4d8e..0a029d5b20036 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -162,7 +162,7 @@ enum {
 
 extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
-extern const char *proto_to_name(uint8_t, int);
+extern const char *proto_to_name(uint16_t, int);
 extern int command_default(struct iptables_command_state *,
 	struct xtables_globals *, bool invert);
 extern struct xtables_match *load_proto(struct iptables_command_state *);
-- 
2.31.0


