* [iptables PATCH 00/10] Share more code with legacy
@ 2021-11-06 20:57 Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 01/10] xshared: Merge and share parse_chain() Phil Sutter
` (9 more replies)
0 siblings, 10 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This series populates xshared.c with more code for use by both nft and
legacy variants. A prerequisite for this is to change how output
separating whitespace is printed (the old space before or after arg
issue). Patch 2 does this and paves the way for patches 3-8. Patches 9
and 10 finish with a bit of cleanup.
Phil Sutter (10):
xshared: Merge and share parse_chain()
nft: Change whitespace printing in save_rule callback
xshared: Share print_iface() function
xshared: Share save_rule_details() with legacy
xshared: Share save_ipv{4,6}_addr() with legacy
xshared: Share print_rule_details() with legacy
xshared: Share print_fragment() with legacy
xshared: Share print_header() with legacy iptables
nft-shared: Drop unused function print_proto()
xshared: Make load_proto() static
iptables/ip6tables.c | 197 ++++-------------------------------
iptables/iptables.c | 210 ++++----------------------------------
iptables/nft-arp.c | 8 +-
iptables/nft-bridge.c | 12 ++-
iptables/nft-ipv4.c | 75 ++------------
iptables/nft-ipv6.c | 37 ++-----
iptables/nft-shared.c | 155 ++--------------------------
iptables/nft-shared.h | 18 +---
iptables/nft.c | 10 +-
iptables/xshared.c | 231 +++++++++++++++++++++++++++++++++++++++++-
iptables/xshared.h | 22 +++-
iptables/xtables.c | 9 +-
12 files changed, 337 insertions(+), 647 deletions(-)
--
2.33.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [iptables PATCH 01/10] xshared: Merge and share parse_chain()
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 02/10] nft: Change whitespace printing in save_rule callback Phil Sutter
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Have a common routine to perform chain name checks, combining all
variants' requirements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 26 --------------------------
iptables/iptables.c | 25 -------------------------
iptables/xshared.c | 24 ++++++++++++++++++++++++
iptables/xshared.h | 1 +
iptables/xtables.c | 9 +--------
5 files changed, 26 insertions(+), 59 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index e967c040fd3c9..ec0ae759875e7 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -233,32 +233,6 @@ static int is_exthdr(uint16_t proto)
proto == IPPROTO_DSTOPTS);
}
-static void
-parse_chain(const char *chainname)
-{
- const char *ptr;
-
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chainname, XT_EXTENSION_MAXNAMELEN);
-
- if (*chainname == '-' || *chainname == '!')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *chainname);
-
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
-
- for (ptr = chainname; *ptr; ptr++)
- if (isspace(*ptr))
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s'", chainname);
-}
-
static void
print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
{
diff --git a/iptables/iptables.c b/iptables/iptables.c
index b925f0892e0d5..246526a55a3c9 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -223,31 +223,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
-static void
-parse_chain(const char *chainname)
-{
- const char *ptr;
-
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chainname, XT_EXTENSION_MAXNAMELEN);
-
- if (*chainname == '-' || *chainname == '!')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *chainname);
-
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
-
- for (ptr = chainname; *ptr; ptr++)
- if (isspace(*ptr))
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s'", chainname);
-}
static void
print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 2d3ef679fd765..bd545d6b31908 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -892,3 +892,27 @@ set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
*invflg |= inverse_for_options[i];
}
}
+
+void parse_chain(const char *chainname)
+{
+ const char *ptr;
+
+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name `%s' too long (must be under %u chars)",
+ chainname, XT_EXTENSION_MAXNAMELEN);
+
+ if (*chainname == '-' || *chainname == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name not allowed to start with `%c'\n",
+ *chainname);
+
+ if (xtables_find_target(chainname, XTF_TRY_LOAD))
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name may not clash with target name\n");
+
+ for (ptr = chainname; *ptr; ptr++)
+ if (isspace(*ptr))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid chain name `%s'", chainname);
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index b59116ac49747..6d6acbca13da2 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -235,6 +235,7 @@ char cmd2char(int option);
void add_command(unsigned int *cmd, const int newcmd,
const int othercmds, int invert);
int parse_rulenumber(const char *rule);
+void parse_chain(const char *chainname);
void generic_opt_check(int command, int options);
char opt2char(int option);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 5c69af7e0f1f0..32b93d2bfc8cd 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -424,14 +424,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case 'N':
- if (optarg && (*optarg == '-' || *optarg == '!'))
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *optarg);
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
+ parse_chain(optarg);
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
invert);
p->chain = optarg;
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 02/10] nft: Change whitespace printing in save_rule callback
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 01/10] xshared: Merge and share parse_chain() Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 03/10] xshared: Share print_iface() function Phil Sutter
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This aligns whitespace printing with legacy iptables' print_rule4() in
order to prepare for further code-sharing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-arp.c | 1 +
iptables/nft-bridge.c | 10 ++++++++--
iptables/nft-ipv4.c | 6 +++---
iptables/nft-ipv6.c | 8 ++++----
iptables/nft-shared.c | 26 ++++++++++++--------------
iptables/nft.c | 4 ++--
6 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 32eb91add4f1e..b7536e61a255f 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -479,6 +479,7 @@ nft_arp_save_rule(const void *data, unsigned int format)
format |= FMT_NUMERIC;
+ printf(" ");
nft_arp_print_rule_details(cs, format);
if (cs->target && cs->target->save)
cs->target->save(&cs->fw, cs->target->t);
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 11f3df3582aa5..cc2a48dbf7741 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -601,7 +601,7 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
printf("%s ", ent->e_name);
}
-static void nft_bridge_save_rule(const void *data, unsigned int format)
+static void __nft_bridge_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
@@ -652,6 +652,12 @@ static void nft_bridge_save_rule(const void *data, unsigned int format)
fputc('\n', stdout);
}
+static void nft_bridge_save_rule(const void *data, unsigned int format)
+{
+ printf(" ");
+ __nft_bridge_save_rule(data, format);
+}
+
static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
@@ -661,7 +667,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
printf("%d ", num);
nft_rule_to_ebtables_command_state(h, r, &cs);
- nft_bridge_save_rule(&cs, format);
+ __nft_bridge_save_rule(&cs, format);
ebt_cs_clean(&cs);
}
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index febd7673af4f8..287112d0e6b99 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -303,7 +303,7 @@ static void save_ipv4_addr(char letter, const struct in_addr *addr,
if (!mask && !invert && !addr->s_addr)
return;
- printf("%s-%c %s/%s ", invert ? "! " : "", letter,
+ printf("%s -%c %s/%s", invert ? " !" : "", letter,
inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
mask_to_str(mask));
}
@@ -323,8 +323,8 @@ static void nft_ipv4_save_rule(const void *data, unsigned int format)
if (cs->fw.ip.flags & IPT_F_FRAG) {
if (cs->fw.ip.invflags & IPT_INV_FRAG)
- printf("! ");
- printf("-f ");
+ printf(" !");
+ printf(" -f");
}
save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index f0e64bbd4ab23..845937b180b06 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -234,14 +234,14 @@ static void save_ipv6_addr(char letter, const struct in6_addr *addr,
if (!invert && l == 0)
return;
- printf("%s-%c %s",
- invert ? "! " : "", letter,
+ printf("%s -%c %s",
+ invert ? " !" : "", letter,
inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
if (l == -1)
- printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
+ printf("/%s", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
else
- printf("/%d ", l);
+ printf("/%d", l);
}
static void nft_ipv6_save_rule(const void *data, unsigned int format)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 72727270026ee..082cc0e2df745 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -793,7 +793,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
if (mask[0] == 0)
return;
- printf("%s-%c ", inv ? "! " : "", letter);
+ printf("%s -%c ", inv ? " !" : "", letter);
for (i = 0; i < IFNAMSIZ; i++) {
if (mask[i] != 0) {
@@ -805,8 +805,6 @@ print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
break;
}
}
-
- printf(" ");
}
void save_rule_details(const struct iptables_command_state *cs,
@@ -829,12 +827,12 @@ void save_rule_details(const struct iptables_command_state *cs,
const char *pname = proto_to_name(proto, 0);
if (invflags & XT_INV_PROTO)
- printf("! ");
+ printf(" !");
if (pname)
- printf("-p %s ", pname);
+ printf(" -p %s", pname);
else
- printf("-p %u ", proto);
+ printf(" -p %u", proto);
}
}
@@ -856,33 +854,33 @@ void save_matches_and_target(const struct iptables_command_state *cs,
for (matchp = cs->matches; matchp; matchp = matchp->next) {
if (matchp->match->alias) {
- printf("-m %s",
+ printf(" -m %s",
matchp->match->alias(matchp->match->m));
} else
- printf("-m %s", matchp->match->name);
+ printf(" -m %s", matchp->match->name);
if (matchp->match->save != NULL) {
/* cs->fw union makes the trick */
matchp->match->save(fw, matchp->match->m);
}
- printf(" ");
}
if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS)
- printf("-c %llu %llu ",
+ printf(" -c %llu %llu",
(unsigned long long)cs->counters.pcnt,
(unsigned long long)cs->counters.bcnt);
if (cs->target != NULL) {
if (cs->target->alias) {
- printf("-j %s", cs->target->alias(cs->target->t));
+ printf(" -j %s", cs->target->alias(cs->target->t));
} else
- printf("-j %s", cs->jumpto);
+ printf(" -j %s", cs->jumpto);
- if (cs->target->save != NULL)
+ if (cs->target->save != NULL) {
cs->target->save(fw, cs->target->t);
+ }
} else if (strlen(cs->jumpto) > 0) {
- printf("-%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
+ printf(" -%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
}
printf("\n");
diff --git a/iptables/nft.c b/iptables/nft.c
index 1d3f3a3da1cbb..282d417f3bc85 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1513,10 +1513,10 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
/* print chain name */
switch(type) {
case NFT_RULE_APPEND:
- printf("-A %s ", chain);
+ printf("-A %s", chain);
break;
case NFT_RULE_DEL:
- printf("-D %s ", chain);
+ printf("-D %s", chain);
break;
}
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 03/10] xshared: Share print_iface() function
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 01/10] xshared: Merge and share parse_chain() Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 02/10] nft: Change whitespace printing in save_rule callback Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 04/10] xshared: Share save_rule_details() with legacy Phil Sutter
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Merge the three identical copies into one and name it 'save_iface' (as
the printed syntax is for "save"-format). Leave arptables alone for now,
its rather complicated whitespace printing doesn't allow for use of the
shared function. Also keep ebtables' custom implementation, it is used
for the --logical-in/--logical-out long-options, too. Apart from that,
ebtables-nft does not use a mask, at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 30 ++----------------------------
iptables/iptables.c | 30 ++----------------------------
iptables/nft-shared.c | 26 ++------------------------
iptables/xshared.c | 25 +++++++++++++++++++++++++
iptables/xshared.h | 2 ++
5 files changed, 33 insertions(+), 80 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index ec0ae759875e7..1c9b076196e8f 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -707,32 +707,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
return found;
}
-/* This assumes that mask is contiguous, and byte-bounded. */
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask,
- int invert)
-{
- unsigned int i;
-
- if (mask[0] == 0)
- return;
-
- printf("%s -%c ", invert ? " !" : "", letter);
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (mask[i] != 0) {
- if (iface[i] != '\0')
- printf("%c", iface[i]);
- } else {
- /* we can access iface[i-1] here, because
- * a few lines above we make sure that mask[0] != 0 */
- if (iface[i-1] != '\0')
- printf("+");
- break;
- }
- }
-}
-
static void print_proto(uint16_t proto, int invert)
{
if (proto) {
@@ -821,10 +795,10 @@ void print_rule6(const struct ip6t_entry *e,
print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
e->ipv6.invflags & IP6T_INV_DSTIP);
- print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
+ save_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
e->ipv6.invflags & IP6T_INV_VIA_IN);
- print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
+ save_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
e->ipv6.invflags & IP6T_INV_VIA_OUT);
print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 246526a55a3c9..7802bd6d95bd0 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -720,32 +720,6 @@ static void print_proto(uint16_t proto, int invert)
#define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
-/* This assumes that mask is contiguous, and byte-bounded. */
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask,
- int invert)
-{
- unsigned int i;
-
- if (mask[0] == 0)
- return;
-
- printf("%s -%c ", invert ? " !" : "", letter);
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (mask[i] != 0) {
- if (iface[i] != '\0')
- printf("%c", iface[i]);
- } else {
- /* we can access iface[i-1] here, because
- * a few lines above we make sure that mask[0] != 0 */
- if (iface[i-1] != '\0')
- printf("+");
- break;
- }
- }
-}
-
static int print_match_save(const struct xt_entry_match *e,
const struct ipt_ip *ip)
{
@@ -830,10 +804,10 @@ void print_rule4(const struct ipt_entry *e,
print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
e->ip.invflags & IPT_INV_DSTIP);
- print_iface('i', e->ip.iniface, e->ip.iniface_mask,
+ save_iface('i', e->ip.iniface, e->ip.iniface_mask,
e->ip.invflags & IPT_INV_VIA_IN);
- print_iface('o', e->ip.outiface, e->ip.outiface_mask,
+ save_iface('o', e->ip.outiface, e->ip.outiface_mask,
e->ip.invflags & IPT_INV_VIA_OUT);
print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 082cc0e2df745..b86cc086bed1c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -785,28 +785,6 @@ void print_rule_details(const struct iptables_command_state *cs,
}
}
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
-{
- unsigned int i;
-
- if (mask[0] == 0)
- return;
-
- printf("%s -%c ", inv ? " !" : "", letter);
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (mask[i] != 0) {
- if (iface[i] != '\0')
- printf("%c", iface[i]);
- } else {
- if (iface[i-1] != '\0')
- printf("+");
- break;
- }
- }
-}
-
void save_rule_details(const struct iptables_command_state *cs,
uint8_t invflags, uint16_t proto,
const char *iniface,
@@ -815,11 +793,11 @@ void save_rule_details(const struct iptables_command_state *cs,
unsigned const char *outiface_mask)
{
if (iniface != NULL) {
- print_iface('i', iniface, iniface_mask,
+ save_iface('i', iniface, iniface_mask,
invflags & IPT_INV_VIA_IN);
}
if (outiface != NULL) {
- print_iface('o', outiface, outiface_mask,
+ save_iface('o', outiface, outiface_mask,
invflags & IPT_INV_VIA_OUT);
}
diff --git a/iptables/xshared.c b/iptables/xshared.c
index bd545d6b31908..db03aaaa324b0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -637,6 +637,31 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
printf(FMT("%-6s ", "out %s "), iface);
}
+/* This assumes that mask is contiguous, and byte-bounded. */
+void save_iface(char letter, const char *iface,
+ const unsigned char *mask, int invert)
+{
+ unsigned int i;
+
+ if (mask[0] == 0)
+ return;
+
+ printf("%s -%c ", invert ? " !" : "", letter);
+
+ for (i = 0; i < IFNAMSIZ; i++) {
+ if (mask[i] != 0) {
+ if (iface[i] != '\0')
+ printf("%c", iface[i]);
+ } else {
+ /* we can access iface[i-1] here, because
+ * a few lines above we make sure that mask[0] != 0 */
+ if (iface[i-1] != '\0')
+ printf("+");
+ break;
+ }
+ }
+}
+
void command_match(struct iptables_command_state *cs, bool invert)
{
struct option *opts = xt_params->opts;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 6d6acbca13da2..3281ce584476c 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -226,6 +226,8 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
unsigned int format);
+void save_iface(char letter, const char *iface,
+ const unsigned char *mask, int invert);
void command_match(struct iptables_command_state *cs, bool invert);
const char *xt_parse_target(const char *targetname);
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 04/10] xshared: Share save_rule_details() with legacy
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (2 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 03/10] xshared: Share print_iface() function Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 05/10] xshared: Share save_ipv{4,6}_addr() " Phil Sutter
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
The function combines printing of input and output interfaces and
protocol parameter, all being IP family independent. Extend the function
to print fragment option ('-f'), too if requested. While being at it,
drop unused iptables_command_state parameter and reorder the remaining
ones a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 23 +++--------------------
iptables/iptables.c | 28 ++++------------------------
iptables/nft-ipv4.c | 13 ++++---------
iptables/nft-ipv6.c | 6 +++---
iptables/nft-shared.c | 29 -----------------------------
iptables/nft-shared.h | 6 ------
iptables/xshared.c | 32 ++++++++++++++++++++++++++++++++
iptables/xshared.h | 4 ++++
8 files changed, 50 insertions(+), 91 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 1c9b076196e8f..eacbf704f9769 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -707,19 +707,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
return found;
}
-static void print_proto(uint16_t proto, int invert)
-{
- if (proto) {
- const char *pname = proto_to_name(proto, 0);
- const char *invertstr = invert ? " !" : "";
-
- if (pname)
- printf("%s -p %s", invertstr, pname);
- else
- printf("%s -p %u", invertstr, proto);
- }
-}
-
static int print_match_save(const struct xt_entry_match *e,
const struct ip6t_ip6 *ip)
{
@@ -795,13 +782,9 @@ void print_rule6(const struct ip6t_entry *e,
print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
e->ipv6.invflags & IP6T_INV_DSTIP);
- save_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
- e->ipv6.invflags & IP6T_INV_VIA_IN);
-
- save_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
- e->ipv6.invflags & IP6T_INV_VIA_OUT);
-
- print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO);
+ save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask,
+ e->ipv6.outiface, e->ipv6.outiface_mask,
+ e->ipv6.proto, 0, e->ipv6.invflags);
#if 0
/* not definied in ipv6
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 7802bd6d95bd0..85fb7bdcd0ca1 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -699,19 +699,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
return found;
}
-static void print_proto(uint16_t proto, int invert)
-{
- if (proto) {
- const char *pname = proto_to_name(proto, 0);
- const char *invertstr = invert ? " !" : "";
-
- if (pname)
- printf("%s -p %s", invertstr, pname);
- else
- printf("%s -p %u", invertstr, proto);
- }
-}
-
#define IP_PARTS_NATIVE(n) \
(unsigned int)((n)>>24)&0xFF, \
(unsigned int)((n)>>16)&0xFF, \
@@ -804,17 +791,10 @@ void print_rule4(const struct ipt_entry *e,
print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
e->ip.invflags & IPT_INV_DSTIP);
- save_iface('i', e->ip.iniface, e->ip.iniface_mask,
- e->ip.invflags & IPT_INV_VIA_IN);
-
- save_iface('o', e->ip.outiface, e->ip.outiface_mask,
- e->ip.invflags & IPT_INV_VIA_OUT);
-
- print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
-
- if (e->ip.flags & IPT_F_FRAG)
- printf("%s -f",
- e->ip.invflags & IPT_INV_FRAG ? " !" : "");
+ save_rule_details(e->ip.iniface, e->ip.iniface_mask,
+ e->ip.outiface, e->ip.outiface_mask,
+ e->ip.proto, e->ip.flags & IPT_F_FRAG,
+ e->ip.invflags);
/* Print matchinfo part */
if (e->target_offset)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 287112d0e6b99..39d6e61232cdb 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -317,15 +317,10 @@ static void nft_ipv4_save_rule(const void *data, unsigned int format)
save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
cs->fw.ip.invflags & IPT_INV_DSTIP);
- save_rule_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
- cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
- cs->fw.ip.outiface, cs->fw.ip.outiface_mask);
-
- if (cs->fw.ip.flags & IPT_F_FRAG) {
- if (cs->fw.ip.invflags & IPT_INV_FRAG)
- printf(" !");
- printf(" -f");
- }
+ save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
+ cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
+ cs->fw.ip.proto, cs->fw.ip.flags & IPT_F_FRAG,
+ cs->fw.ip.invflags);
save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO,
&cs->fw, format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 845937b180b06..0c73cedd71c96 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -253,9 +253,9 @@ static void nft_ipv6_save_rule(const void *data, unsigned int format)
save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
- save_rule_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
- cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
- cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask);
+ save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
+ cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
+ cs->fw6.ipv6.proto, 0, cs->fw6.ipv6.invflags);
save_matches_and_target(cs, cs->fw6.ipv6.flags & IP6T_F_GOTO,
&cs->fw6, format);
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b86cc086bed1c..168c224627fd0 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -785,35 +785,6 @@ void print_rule_details(const struct iptables_command_state *cs,
}
}
-void save_rule_details(const struct iptables_command_state *cs,
- uint8_t invflags, uint16_t proto,
- const char *iniface,
- unsigned const char *iniface_mask,
- const char *outiface,
- unsigned const char *outiface_mask)
-{
- if (iniface != NULL) {
- save_iface('i', iniface, iniface_mask,
- invflags & IPT_INV_VIA_IN);
- }
- if (outiface != NULL) {
- save_iface('o', outiface, outiface_mask,
- invflags & IPT_INV_VIA_OUT);
- }
-
- if (proto > 0) {
- const char *pname = proto_to_name(proto, 0);
-
- if (invflags & XT_INV_PROTO)
- printf(" !");
-
- if (pname)
- printf(" -p %s", pname);
- else
- printf(" -p %u", proto);
- }
-}
-
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
{
const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 339c46e7f5b06..cac5757ff0708 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -173,12 +173,6 @@ void print_rule_details(const struct iptables_command_state *cs,
unsigned int num, unsigned int format);
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format);
-void save_rule_details(const struct iptables_command_state *cs,
- uint8_t invflags, uint16_t proto,
- const char *iniface,
- unsigned const char *iniface_mask,
- const char *outiface,
- unsigned const char *outiface_mask);
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
void save_matches_and_target(const struct iptables_command_state *cs,
bool goto_flag, const void *fw,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index db03aaaa324b0..db701ead4811f 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -941,3 +941,35 @@ void parse_chain(const char *chainname)
xtables_error(PARAMETER_PROBLEM,
"Invalid chain name `%s'", chainname);
}
+
+void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
+ const char *outiface, unsigned const char *outiface_mask,
+ uint16_t proto, int frag, uint8_t invflags)
+{
+ if (iniface != NULL) {
+ save_iface('i', iniface, iniface_mask,
+ invflags & IPT_INV_VIA_IN);
+ }
+ if (outiface != NULL) {
+ save_iface('o', outiface, outiface_mask,
+ invflags & IPT_INV_VIA_OUT);
+ }
+
+ if (proto > 0) {
+ const char *pname = proto_to_name(proto, 0);
+
+ if (invflags & XT_INV_PROTO)
+ printf(" !");
+
+ if (pname)
+ printf(" -p %s", pname);
+ else
+ printf(" -p %u", proto);
+ }
+
+ if (frag) {
+ if (invflags & IPT_INV_FRAG)
+ printf(" !");
+ printf(" -f");
+ }
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 3281ce584476c..484ade126404c 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -242,4 +242,8 @@ void parse_chain(const char *chainname);
void generic_opt_check(int command, int options);
char opt2char(int option);
+void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
+ const char *outiface, unsigned const char *outiface_mask,
+ uint16_t proto, int frag, uint8_t invflags);
+
#endif /* IPTABLES_XSHARED_H */
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 05/10] xshared: Share save_ipv{4,6}_addr() with legacy
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (3 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 04/10] xshared: Share save_rule_details() with legacy Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 06/10] xshared: Share print_rule_details() " Phil Sutter
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
While being at it, make save_ipv4_addr() accept an in_addr* as mask -
mask_to_str() needs it anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 29 ++++------------------
iptables/iptables.c | 36 +++-------------------------
iptables/nft-ipv4.c | 43 ++-------------------------------
iptables/nft-ipv6.c | 20 ----------------
iptables/xshared.c | 57 ++++++++++++++++++++++++++++++++++++++++++++
iptables/xshared.h | 4 ++++
6 files changed, 70 insertions(+), 119 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index eacbf704f9769..5c118626a5d23 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -738,27 +738,6 @@ static int print_match_save(const struct xt_entry_match *e,
return 0;
}
-/* Print a given ip including mask if necessary. */
-static void print_ip(const char *prefix, const struct in6_addr *ip,
- const struct in6_addr *mask, int invert)
-{
- char buf[51];
- int l = xtables_ip6mask_to_cidr(mask);
-
- if (l == 0 && !invert)
- return;
-
- printf("%s %s %s",
- invert ? " !" : "",
- prefix,
- inet_ntop(AF_INET6, ip, buf, sizeof buf));
-
- if (l == -1)
- printf("/%s", inet_ntop(AF_INET6, mask, buf, sizeof buf));
- else
- printf("/%d", l);
-}
-
/* We want this to be readable, so only print out necessary fields.
* Because that's the kind of world I want to live in.
*/
@@ -776,11 +755,11 @@ void print_rule6(const struct ip6t_entry *e,
printf("-A %s", chain);
/* Print IP part. */
- print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk),
- e->ipv6.invflags & IP6T_INV_SRCIP);
+ save_ipv6_addr('s', &e->ipv6.src, &e->ipv6.smsk,
+ e->ipv6.invflags & IP6T_INV_SRCIP);
- print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
- e->ipv6.invflags & IP6T_INV_DSTIP);
+ save_ipv6_addr('d', &e->ipv6.dst, &e->ipv6.dmsk,
+ e->ipv6.invflags & IP6T_INV_DSTIP);
save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask,
e->ipv6.outiface, e->ipv6.outiface_mask,
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 85fb7bdcd0ca1..0d8beb04c0f99 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -738,36 +738,6 @@ static int print_match_save(const struct xt_entry_match *e,
return 0;
}
-/* Print a given ip including mask if necessary. */
-static void print_ip(const char *prefix, uint32_t ip,
- uint32_t mask, int invert)
-{
- uint32_t bits, hmask = ntohl(mask);
- int i;
-
- if (!mask && !ip && !invert)
- return;
-
- printf("%s %s %u.%u.%u.%u",
- invert ? " !" : "",
- prefix,
- IP_PARTS(ip));
-
- if (mask == 0xFFFFFFFFU) {
- printf("/32");
- return;
- }
-
- i = 32;
- bits = 0xFFFFFFFEU;
- while (--i >= 0 && hmask != bits)
- bits <<= 1;
- if (i >= 0)
- printf("/%u", i);
- else
- printf("/%u.%u.%u.%u", IP_PARTS(mask));
-}
-
/* We want this to be readable, so only print out necessary fields.
* Because that's the kind of world I want to live in.
*/
@@ -785,10 +755,10 @@ void print_rule4(const struct ipt_entry *e,
printf("-A %s", chain);
/* Print IP part. */
- print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr,
- e->ip.invflags & IPT_INV_SRCIP);
+ save_ipv4_addr('s', &e->ip.src, &e->ip.smsk,
+ e->ip.invflags & IPT_INV_SRCIP);
- print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
+ save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk,
e->ip.invflags & IPT_INV_DSTIP);
save_rule_details(e->ip.iniface, e->ip.iniface_mask,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 39d6e61232cdb..dcc009cf67a81 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -134,32 +134,6 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
ctx->flags &= ~NFT_XT_CTX_BITWISE;
}
-static const char *mask_to_str(uint32_t mask)
-{
- static char mask_str[INET_ADDRSTRLEN];
- uint32_t bits, hmask = ntohl(mask);
- struct in_addr mask_addr = {
- .s_addr = mask,
- };
- int i;
-
- if (mask == 0xFFFFFFFFU) {
- sprintf(mask_str, "32");
- return mask_str;
- }
-
- i = 32;
- bits = 0xFFFFFFFEU;
- while (--i >= 0 && hmask != bits)
- bits <<= 1;
- if (i >= 0)
- sprintf(mask_str, "%u", i);
- else
- inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
-
- return mask_str;
-}
-
static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
void *data)
{
@@ -295,26 +269,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_clear_iptables_command_state(&cs);
}
-static void save_ipv4_addr(char letter, const struct in_addr *addr,
- uint32_t mask, int invert)
-{
- char addrbuf[INET_ADDRSTRLEN];
-
- if (!mask && !invert && !addr->s_addr)
- return;
-
- printf("%s -%c %s/%s", invert ? " !" : "", letter,
- inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
- mask_to_str(mask));
-}
-
static void nft_ipv4_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
- save_ipv4_addr('s', &cs->fw.ip.src, cs->fw.ip.smsk.s_addr,
+ save_ipv4_addr('s', &cs->fw.ip.src, &cs->fw.ip.smsk,
cs->fw.ip.invflags & IPT_INV_SRCIP);
- save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
+ save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk,
cs->fw.ip.invflags & IPT_INV_DSTIP);
save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0c73cedd71c96..0b35e0457a067 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -224,26 +224,6 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_clear_iptables_command_state(&cs);
}
-static void save_ipv6_addr(char letter, const struct in6_addr *addr,
- const struct in6_addr *mask,
- int invert)
-{
- char addr_str[INET6_ADDRSTRLEN];
- int l = xtables_ip6mask_to_cidr(mask);
-
- if (!invert && l == 0)
- return;
-
- printf("%s -%c %s",
- invert ? " !" : "", letter,
- inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
-
- if (l == -1)
- printf("/%s", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
- else
- printf("/%d", l);
-}
-
static void nft_ipv6_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index db701ead4811f..3e06960fcf015 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -9,6 +9,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <arpa/inet.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
@@ -578,6 +579,42 @@ void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
}
+static const char *mask_to_str(const struct in_addr *mask)
+{
+ uint32_t bits, hmask = ntohl(mask->s_addr);
+ static char mask_str[INET_ADDRSTRLEN];
+ int i;
+
+ if (mask->s_addr == 0xFFFFFFFFU) {
+ sprintf(mask_str, "32");
+ return mask_str;
+ }
+
+ i = 32;
+ bits = 0xFFFFFFFEU;
+ while (--i >= 0 && hmask != bits)
+ bits <<= 1;
+ if (i >= 0)
+ sprintf(mask_str, "%u", i);
+ else
+ inet_ntop(AF_INET, mask, mask_str, sizeof(mask_str));
+
+ return mask_str;
+}
+
+void save_ipv4_addr(char letter, const struct in_addr *addr,
+ const struct in_addr *mask, int invert)
+{
+ char addrbuf[INET_ADDRSTRLEN];
+
+ if (!mask->s_addr && !invert && !addr->s_addr)
+ return;
+
+ printf("%s -%c %s/%s", invert ? " !" : "", letter,
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
+ mask_to_str(mask));
+}
+
static const char *ipv6_addr_to_string(const struct in6_addr *addr,
const struct in6_addr *mask,
unsigned int format)
@@ -612,6 +649,26 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
&fw6->ipv6.dmsk, format));
}
+void save_ipv6_addr(char letter, const struct in6_addr *addr,
+ const struct in6_addr *mask, int invert)
+{
+ int l = xtables_ip6mask_to_cidr(mask);
+ char addr_str[INET6_ADDRSTRLEN];
+
+ if (!invert && l == 0)
+ return;
+
+ printf("%s -%c %s",
+ invert ? " !" : "", letter,
+ inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
+
+ if (l == -1)
+ printf("/%s", inet_ntop(AF_INET6, mask,
+ addr_str, sizeof(addr_str)));
+ else
+ printf("/%d", l);
+}
+
/* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT
* have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT
* so this function serves for both iptables and ip6tables */
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 484ade126404c..46ad5a2962c71 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -222,7 +222,11 @@ const char *ipv4_addr_to_string(const struct in_addr *addr,
const struct in_addr *mask,
unsigned int format);
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void save_ipv4_addr(char letter, const struct in_addr *addr,
+ const struct in_addr *mask, int invert);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+void save_ipv6_addr(char letter, const struct in6_addr *addr,
+ const struct in6_addr *mask, int invert);
void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
unsigned int format);
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 06/10] xshared: Share print_rule_details() with legacy
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (4 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 05/10] xshared: Share save_ipv{4,6}_addr() " Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 07/10] xshared: Share print_fragment() " Phil Sutter
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Have to pass pointer to counters directly since different fields are
being used for some reason.
Since proto_to_name() is not used outside of xshared.c anymore, make it
static.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 21 ++-------------------
iptables/iptables.c | 21 ++-------------------
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 5 ++---
iptables/nft-shared.c | 27 ---------------------------
iptables/nft-shared.h | 4 ----
iptables/xshared.c | 27 ++++++++++++++++++++++++++-
iptables/xshared.h | 4 +++-
8 files changed, 37 insertions(+), 76 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 5c118626a5d23..e0cc4e898fe6a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -329,25 +329,8 @@ print_firewall(const struct ip6t_entry *fw,
t = ip6t_get_target((struct ip6t_entry *)fw);
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4u ", "%u "), num);
-
- if (!(format & FMT_NOCOUNTS)) {
- xtables_print_num(fw->counters.pcnt, format);
- xtables_print_num(fw->counters.bcnt, format);
- }
-
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ", "%s "), targname);
-
- fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- {
- const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
- else
- printf(FMT("%-5hu", "%hu "), fw->ipv6.proto);
- }
+ print_rule_details(num, &fw->counters, targname, fw->ipv6.proto,
+ fw->ipv6.flags, fw->ipv6.invflags, format);
if (format & FMT_OPTIONS) {
if (format & FMT_NOTABLE)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 0d8beb04c0f99..29da40b1328d4 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -322,25 +322,8 @@ print_firewall(const struct ipt_entry *fw,
t = ipt_get_target((struct ipt_entry *)fw);
flags = fw->ip.flags;
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4u ", "%u "), num);
-
- if (!(format & FMT_NOCOUNTS)) {
- xtables_print_num(fw->counters.pcnt, format);
- xtables_print_num(fw->counters.bcnt, format);
- }
-
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ", "%s "), targname);
-
- fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- {
- const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
- else
- printf(FMT("%-5hu", "%hu "), fw->ip.proto);
- }
+ print_rule_details(num, &fw->counters, targname, fw->ip.proto,
+ fw->ip.flags, fw->ip.invflags, format);
if (format & FMT_OPTIONS) {
if (format & FMT_NOTABLE)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index dcc009cf67a81..6b044642bd775 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -246,8 +246,8 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_rule_to_iptables_command_state(h, r, &cs);
- print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags,
- cs.fw.ip.invflags, cs.fw.ip.proto, num, format);
+ print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto,
+ cs.fw.ip.flags, cs.fw.ip.invflags, format);
print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags,
format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0b35e0457a067..cb83f9e132e24 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -198,9 +198,8 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
nft_rule_to_iptables_command_state(h, r, &cs);
- print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags,
- cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto,
- num, format);
+ print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto,
+ cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format);
if (format & FMT_OPTIONS) {
if (format & FMT_NOTABLE)
fputs("opt ", stdout);
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 168c224627fd0..eb0070075d9eb 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -758,33 +758,6 @@ void print_header(unsigned int format, const char *chain, const char *pol,
printf("\n");
}
-void print_rule_details(const struct iptables_command_state *cs,
- const char *targname, uint8_t flags,
- uint8_t invflags, uint8_t proto,
- unsigned int num, unsigned int format)
-{
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4u ", "%u "), num);
-
- if (!(format & FMT_NOCOUNTS)) {
- xtables_print_num(cs->counters.pcnt, format);
- xtables_print_num(cs->counters.bcnt, format);
- }
-
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ", "%s "), targname ? targname : "");
-
- fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
- {
- const char *pname =
- proto_to_name(proto, format&FMT_NUMERIC);
- if (pname)
- printf(FMT("%-5s", "%s "), pname);
- else
- printf(FMT("%-5hu", "%hu "), proto);
- }
-}
-
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
{
const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index cac5757ff0708..e18df20d9fc38 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -167,10 +167,6 @@ void nft_clear_iptables_command_state(struct iptables_command_state *cs);
void print_header(unsigned int format, const char *chain, const char *pol,
const struct xt_counters *counters, bool basechain,
uint32_t refs, uint32_t entries);
-void print_rule_details(const struct iptables_command_state *cs,
- const char *targname, uint8_t flags,
- uint8_t invflags, uint8_t proto,
- unsigned int num, unsigned int format);
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format);
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 3e06960fcf015..7f2e1a32914b0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -48,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
}
}
-const char *
+static const char *
proto_to_name(uint16_t proto, int nolookup)
{
unsigned int i;
@@ -999,6 +999,31 @@ void parse_chain(const char *chainname)
"Invalid chain name `%s'", chainname);
}
+void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
+ const char *targname, uint8_t proto, uint8_t flags,
+ uint8_t invflags, unsigned int format)
+{
+ const char *pname = proto_to_name(proto, format&FMT_NUMERIC);
+
+ if (format & FMT_LINENUMBERS)
+ printf(FMT("%-4u ", "%u "), linenum);
+
+ if (!(format & FMT_NOCOUNTS)) {
+ xtables_print_num(ctrs->pcnt, format);
+ xtables_print_num(ctrs->bcnt, format);
+ }
+
+ if (!(format & FMT_NOTARGET))
+ printf(FMT("%-9s ", "%s "), targname ? targname : "");
+
+ fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
+
+ if (pname)
+ printf(FMT("%-5s", "%s "), pname);
+ else
+ printf(FMT("%-5hu", "%hu "), proto);
+}
+
void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
const char *outiface, unsigned const char *outiface_mask,
uint16_t proto, int frag, uint8_t invflags)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 46ad5a2962c71..9f0fa1438bdd3 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -164,7 +164,6 @@ enum {
extern void print_extension_helps(const struct xtables_target *,
const struct xtables_rule_match *);
-extern const char *proto_to_name(uint16_t, int);
extern int command_default(struct iptables_command_state *,
struct xtables_globals *, bool invert);
extern struct xtables_match *load_proto(struct iptables_command_state *);
@@ -246,6 +245,9 @@ void parse_chain(const char *chainname);
void generic_opt_check(int command, int options);
char opt2char(int option);
+void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
+ const char *targname, uint8_t proto, uint8_t flags,
+ uint8_t invflags, unsigned int format);
void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
const char *outiface, unsigned const char *outiface_mask,
uint16_t proto, int frag, uint8_t invflags);
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 07/10] xshared: Share print_fragment() with legacy
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (5 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 06/10] xshared: Share print_rule_details() " Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 08/10] xshared: Share print_header() with legacy iptables Phil Sutter
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Also add a fake mode to make it suitable for ip6tables. This is required
because IPT_F_FRAG value clashes with IP6T_F_PROTO, so ip6tables rules
might seem to have IPT_F_FRAG bit set.
While being at it, drop the local variable 'flags' from
print_firewall().
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 8 +-------
iptables/iptables.c | 10 +---------
iptables/nft-ipv4.c | 15 +--------------
iptables/nft-ipv6.c | 6 +-----
iptables/xshared.c | 18 ++++++++++++++++++
iptables/xshared.h | 3 +++
6 files changed, 25 insertions(+), 35 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index e0cc4e898fe6a..3d304d441c10a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -332,13 +332,7 @@ print_firewall(const struct ip6t_entry *fw,
print_rule_details(num, &fw->counters, targname, fw->ipv6.proto,
fw->ipv6.flags, fw->ipv6.invflags, format);
- if (format & FMT_OPTIONS) {
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputc(' ', stdout); /* Invert flag of FRAG */
- fputc(' ', stdout); /* -f */
- fputc(' ', stdout);
- }
+ print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true);
print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface,
fw->ipv6.invflags, format);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 29da40b1328d4..12a5423ec271d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -311,7 +311,6 @@ print_firewall(const struct ipt_entry *fw,
{
struct xtables_target *target, *tg;
const struct xt_entry_target *t;
- uint8_t flags;
if (!iptc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -320,18 +319,11 @@ print_firewall(const struct ipt_entry *fw,
XTF_LOAD_MUST_SUCCEED);
t = ipt_get_target((struct ipt_entry *)fw);
- flags = fw->ip.flags;
print_rule_details(num, &fw->counters, targname, fw->ip.proto,
fw->ip.flags, fw->ip.invflags, format);
- if (format & FMT_OPTIONS) {
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout);
- fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
- fputc(' ', stdout);
- }
+ print_fragment(fw->ip.flags, fw->ip.invflags, format, false);
print_ifaces(fw->ip.iniface, fw->ip.outiface, fw->ip.invflags, format);
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 6b044642bd775..f36260980e829 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -226,19 +226,6 @@ static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
cs->fw.ip.flags |= IPT_F_GOTO;
}
-static void print_fragment(unsigned int flags, unsigned int invflags,
- unsigned int format)
-{
- if (!(format & FMT_OPTIONS))
- return;
-
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
- fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
- fputc(' ', stdout);
-}
-
static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
@@ -248,7 +235,7 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto,
cs.fw.ip.flags, cs.fw.ip.invflags, format);
- print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
+ print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format, false);
print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags,
format);
print_ipv4_addresses(&cs.fw, format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index cb83f9e132e24..132130880a43a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -200,11 +200,7 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto,
cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format);
- if (format & FMT_OPTIONS) {
- if (format & FMT_NOTABLE)
- fputs("opt ", stdout);
- fputs(" ", stdout);
- }
+ print_fragment(cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format, true);
print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface,
cs.fw6.ipv6.invflags, format);
print_ipv6_addresses(&cs.fw6, format);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 7f2e1a32914b0..e8c8939cf8e3e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -669,6 +669,24 @@ void save_ipv6_addr(char letter, const struct in6_addr *addr,
printf("/%d", l);
}
+void print_fragment(unsigned int flags, unsigned int invflags,
+ unsigned int format, bool fake)
+{
+ if (!(format & FMT_OPTIONS))
+ return;
+
+ if (format & FMT_NOTABLE)
+ fputs("opt ", stdout);
+
+ if (fake) {
+ fputs(" ", stdout);
+ } else {
+ fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
+ fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
+ }
+ fputc(' ', stdout);
+}
+
/* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT
* have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT
* so this function serves for both iptables and ip6tables */
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9f0fa1438bdd3..48f314cac8f45 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -232,6 +232,9 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
void save_iface(char letter, const char *iface,
const unsigned char *mask, int invert);
+void print_fragment(unsigned int flags, unsigned int invflags,
+ unsigned int format, bool fake);
+
void command_match(struct iptables_command_state *cs, bool invert);
const char *xt_parse_target(const char *targetname);
void command_jump(struct iptables_command_state *cs, const char *jumpto);
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 08/10] xshared: Share print_header() with legacy iptables
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (6 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 07/10] xshared: Share print_fragment() " Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 09/10] nft-shared: Drop unused function print_proto() Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 10/10] xshared: Make load_proto() static Phil Sutter
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Legacy iptables fetches the relevant data via libiptc before calling the
shared routine which merely prints data as requested.
Drop the 'basechain' parameter, instead make sure a policy name is
passed only with base chains. Since the function is not shared with
ebtables (which uses a very rudimental header instead), this is safe.
In order to support legacy iptables' checking of iptc_get_references()
return code (printing an error message instead of the reference count),
make refs parameter signed and print the error message if it's negative.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/ip6tables.c | 64 ++++++++-----------------------------------
iptables/iptables.c | 64 ++++++++-----------------------------------
iptables/nft-arp.c | 7 ++---
iptables/nft-bridge.c | 2 +-
iptables/nft-shared.c | 44 -----------------------------
iptables/nft-shared.h | 7 ++---
iptables/nft.c | 6 ++--
iptables/xshared.c | 46 +++++++++++++++++++++++++++++++
iptables/xshared.h | 3 ++
9 files changed, 82 insertions(+), 161 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 3d304d441c10a..5a64566eecd2a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -233,56 +233,6 @@ static int is_exthdr(uint16_t proto)
proto == IPPROTO_DSTOPTS);
}
-static void
-print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
-{
- struct xt_counters counters;
- const char *pol = ip6tc_get_policy(chain, &counters, handle);
- printf("Chain %s", chain);
- if (pol) {
- printf(" (policy %s", pol);
- if (!(format & FMT_NOCOUNTS)) {
- fputc(' ', stdout);
- xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
- fputs("packets, ", stdout);
- xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
- fputs("bytes", stdout);
- }
- printf(")\n");
- } else {
- unsigned int refs;
- if (!ip6tc_get_references(&refs, chain, handle))
- printf(" (ERROR obtaining refs)\n");
- else
- printf(" (%u references)\n", refs);
- }
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4s ", "%s "), "num");
- if (!(format & FMT_NOCOUNTS)) {
- if (format & FMT_KILOMEGAGIGA) {
- printf(FMT("%5s ","%s "), "pkts");
- printf(FMT("%5s ","%s "), "bytes");
- } else {
- printf(FMT("%8s ","%s "), "pkts");
- printf(FMT("%10s ","%s "), "bytes");
- }
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ","%s "), "target");
- fputs(" prot ", stdout);
- if (format & FMT_OPTIONS)
- fputs("opt", stdout);
- if (format & FMT_VIA) {
- printf(FMT(" %-6s ","%s "), "in");
- printf(FMT("%-6s ","%s "), "out");
- }
- printf(FMT(" %-19s ","%s "), "source");
- printf(FMT(" %-19s "," %s "), "destination");
- printf("\n");
-}
-
-
static int
print_match(const struct xt_entry_match *m,
const struct ip6t_ip6 *ip,
@@ -662,8 +612,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
if (found) printf("\n");
- if (!rulenum)
- print_header(format, this, handle);
+ if (!rulenum) {
+ struct xt_counters counters;
+ unsigned int urefs;
+ const char *pol;
+ int refs = - 1;
+
+ pol = ip6tc_get_policy(this, &counters, handle);
+ if (!pol && ip6tc_get_references(&urefs, this, handle))
+ refs = urefs;
+
+ print_header(format, this, pol, &counters, refs, 0);
+ }
i = ip6tc_first_rule(this, handle);
num = 0;
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 12a5423ec271d..ac51c612d92f2 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -224,56 +224,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
-static void
-print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
-{
- struct xt_counters counters;
- const char *pol = iptc_get_policy(chain, &counters, handle);
- printf("Chain %s", chain);
- if (pol) {
- printf(" (policy %s", pol);
- if (!(format & FMT_NOCOUNTS)) {
- fputc(' ', stdout);
- xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
- fputs("packets, ", stdout);
- xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
- fputs("bytes", stdout);
- }
- printf(")\n");
- } else {
- unsigned int refs;
- if (!iptc_get_references(&refs, chain, handle))
- printf(" (ERROR obtaining refs)\n");
- else
- printf(" (%u references)\n", refs);
- }
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4s ", "%s "), "num");
- if (!(format & FMT_NOCOUNTS)) {
- if (format & FMT_KILOMEGAGIGA) {
- printf(FMT("%5s ","%s "), "pkts");
- printf(FMT("%5s ","%s "), "bytes");
- } else {
- printf(FMT("%8s ","%s "), "pkts");
- printf(FMT("%10s ","%s "), "bytes");
- }
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ","%s "), "target");
- fputs(" prot ", stdout);
- if (format & FMT_OPTIONS)
- fputs("opt", stdout);
- if (format & FMT_VIA) {
- printf(FMT(" %-6s ","%s "), "in");
- printf(FMT("%-6s ","%s "), "out");
- }
- printf(FMT(" %-19s ","%s "), "source");
- printf(FMT(" %-19s "," %s "), "destination");
- printf("\n");
-}
-
-
static int
print_match(const struct xt_entry_match *m,
const struct ipt_ip *ip,
@@ -652,8 +602,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
if (found) printf("\n");
- if (!rulenum)
- print_header(format, this, handle);
+ if (!rulenum) {
+ struct xt_counters counters;
+ unsigned int urefs;
+ const char *pol;
+ int refs = -1;
+
+ pol = iptc_get_policy(this, &counters, handle);
+ if (!pol && iptc_get_references(&urefs, this, handle))
+ refs = urefs;
+
+ print_header(format, this, pol, &counters, refs, 0);
+ }
i = iptc_first_rule(this, handle);
num = 0;
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index b7536e61a255f..b211a30937db3 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -308,11 +308,10 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
static void nft_arp_print_header(unsigned int format, const char *chain,
const char *pol,
const struct xt_counters *counters,
- bool basechain, uint32_t refs,
- uint32_t entries)
+ int refs, uint32_t entries)
{
printf("Chain %s", chain);
- if (basechain && pol) {
+ if (pol) {
printf(" (policy %s", pol);
if (!(format & FMT_NOCOUNTS)) {
fputc(' ', stdout);
@@ -323,7 +322,7 @@ static void nft_arp_print_header(unsigned int format, const char *chain,
}
printf(")\n");
} else {
- printf(" (%u references)\n", refs);
+ printf(" (%d references)\n", refs);
}
}
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index cc2a48dbf7741..5cde302c4f189 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -534,7 +534,7 @@ static void nft_bridge_print_table_header(const char *tablename)
static void nft_bridge_print_header(unsigned int format, const char *chain,
const char *pol,
const struct xt_counters *counters,
- bool basechain, uint32_t refs, uint32_t entries)
+ int refs, uint32_t entries)
{
printf("Bridge chain: %s, entries: %u, policy: %s\n",
chain, entries, pol ?: "RETURN");
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index eb0070075d9eb..a6a79c8cda084 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -714,50 +714,6 @@ void nft_clear_iptables_command_state(struct iptables_command_state *cs)
}
}
-void print_header(unsigned int format, const char *chain, const char *pol,
- const struct xt_counters *counters, bool basechain,
- uint32_t refs, uint32_t entries)
-{
- printf("Chain %s", chain);
- if (basechain) {
- printf(" (policy %s", pol);
- if (!(format & FMT_NOCOUNTS)) {
- fputc(' ', stdout);
- xtables_print_num(counters->pcnt, (format|FMT_NOTABLE));
- fputs("packets, ", stdout);
- xtables_print_num(counters->bcnt, (format|FMT_NOTABLE));
- fputs("bytes", stdout);
- }
- printf(")\n");
- } else {
- printf(" (%u references)\n", refs);
- }
-
- if (format & FMT_LINENUMBERS)
- printf(FMT("%-4s ", "%s "), "num");
- if (!(format & FMT_NOCOUNTS)) {
- if (format & FMT_KILOMEGAGIGA) {
- printf(FMT("%5s ","%s "), "pkts");
- printf(FMT("%5s ","%s "), "bytes");
- } else {
- printf(FMT("%8s ","%s "), "pkts");
- printf(FMT("%10s ","%s "), "bytes");
- }
- }
- if (!(format & FMT_NOTARGET))
- printf(FMT("%-9s ","%s "), "target");
- fputs(" prot ", stdout);
- if (format & FMT_OPTIONS)
- fputs("opt", stdout);
- if (format & FMT_VIA) {
- printf(FMT(" %-6s ","%s "), "in");
- printf(FMT("%-6s ","%s "), "out");
- }
- printf(FMT(" %-19s ","%s "), "source");
- printf(FMT(" %-19s "," %s "), "destination");
- printf("\n");
-}
-
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
{
const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index e18df20d9fc38..de684374ef9e0 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -94,8 +94,8 @@ struct nft_family_ops {
void (*print_table_header)(const char *tablename);
void (*print_header)(unsigned int format, const char *chain,
const char *pol,
- const struct xt_counters *counters, bool basechain,
- uint32_t refs, uint32_t entries);
+ const struct xt_counters *counters,
+ int refs, uint32_t entries);
void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format);
void (*save_rule)(const void *data, unsigned int format);
@@ -164,9 +164,6 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
const struct nftnl_rule *r,
struct iptables_command_state *cs);
void nft_clear_iptables_command_state(struct iptables_command_state *cs);
-void print_header(unsigned int format, const char *chain, const char *pol,
- const struct xt_counters *counters, bool basechain,
- uint32_t refs, uint32_t entries);
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format);
void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
diff --git a/iptables/nft.c b/iptables/nft.c
index 282d417f3bc85..887c735b3f6e6 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2398,7 +2398,6 @@ static void __nft_print_header(struct nft_handle *h,
{
struct nftnl_chain *c = nc->nftnl;
const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
- bool basechain = !!nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM);
uint32_t refs = nftnl_chain_get_u32(c, NFTNL_CHAIN_USE);
uint32_t entries = nft_rule_count(h, c);
struct xt_counters ctrs = {
@@ -2407,11 +2406,12 @@ static void __nft_print_header(struct nft_handle *h,
};
const char *pname = NULL;
- if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
+ if (nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) &&
+ nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
pname = policy_name[nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY)];
h->ops->print_header(format, chain_name, pname,
- &ctrs, basechain, refs - entries, entries);
+ &ctrs, refs - entries, entries);
}
struct nft_rule_list_cb_data {
diff --git a/iptables/xshared.c b/iptables/xshared.c
index e8c8939cf8e3e..37ea71068b69c 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -547,6 +547,52 @@ void debug_print_argv(struct argv_store *store)
}
#endif
+void print_header(unsigned int format, const char *chain, const char *pol,
+ const struct xt_counters *counters,
+ int refs, uint32_t entries)
+{
+ printf("Chain %s", chain);
+ if (pol) {
+ printf(" (policy %s", pol);
+ if (!(format & FMT_NOCOUNTS)) {
+ fputc(' ', stdout);
+ xtables_print_num(counters->pcnt, (format|FMT_NOTABLE));
+ fputs("packets, ", stdout);
+ xtables_print_num(counters->bcnt, (format|FMT_NOTABLE));
+ fputs("bytes", stdout);
+ }
+ printf(")\n");
+ } else if (refs < 0) {
+ printf(" (ERROR obtaining refs)\n");
+ } else {
+ printf(" (%d references)\n", refs);
+ }
+
+ if (format & FMT_LINENUMBERS)
+ printf(FMT("%-4s ", "%s "), "num");
+ if (!(format & FMT_NOCOUNTS)) {
+ if (format & FMT_KILOMEGAGIGA) {
+ printf(FMT("%5s ","%s "), "pkts");
+ printf(FMT("%5s ","%s "), "bytes");
+ } else {
+ printf(FMT("%8s ","%s "), "pkts");
+ printf(FMT("%10s ","%s "), "bytes");
+ }
+ }
+ if (!(format & FMT_NOTARGET))
+ printf(FMT("%-9s ","%s "), "target");
+ fputs(" prot ", stdout);
+ if (format & FMT_OPTIONS)
+ fputs("opt", stdout);
+ if (format & FMT_VIA) {
+ printf(FMT(" %-6s ","%s "), "in");
+ printf(FMT("%-6s ","%s "), "out");
+ }
+ printf(FMT(" %-19s ","%s "), "source");
+ printf(FMT(" %-19s "," %s "), "destination");
+ printf("\n");
+}
+
const char *ipv4_addr_to_string(const struct in_addr *addr,
const struct in_addr *mask,
unsigned int format)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 48f314cac8f45..757940090dd69 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -220,6 +220,9 @@ void debug_print_argv(struct argv_store *store);
const char *ipv4_addr_to_string(const struct in_addr *addr,
const struct in_addr *mask,
unsigned int format);
+void print_header(unsigned int format, const char *chain, const char *pol,
+ const struct xt_counters *counters,
+ int refs, uint32_t entries);
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void save_ipv4_addr(char letter, const struct in_addr *addr,
const struct in_addr *mask, int invert);
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 09/10] nft-shared: Drop unused function print_proto()
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (7 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 08/10] xshared: Share print_header() with legacy iptables Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 10/10] xshared: Make load_proto() static Phil Sutter
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
The last users vanished back in 2013. There is identical code in
save_rule_details(), but with only a single user there's not much point
in keeping the function.
Fixes: cdc78b1d6bd7b ("nft: convert rule into a command state structure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-shared.c | 15 ---------------
iptables/nft-shared.h | 1 -
2 files changed, 16 deletions(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index a6a79c8cda084..b281ba2987cc3 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -373,21 +373,6 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
ctx->h->ops->parse_match(match, ctx->cs);
}
-void print_proto(uint16_t proto, int invert)
-{
- const struct protoent *pent = getprotobynumber(proto);
-
- if (invert)
- printf("! ");
-
- if (pent) {
- printf("-p %s ", pent->p_name);
- return;
- }
-
- printf("-p %u ", proto);
-}
-
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
{
uint32_t len;
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index de684374ef9e0..bcf8486eb44c4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -158,7 +158,6 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
unsigned char *iniface_mask, char *outiface,
unsigned char *outiface_mask, uint8_t *invflags);
-void print_proto(uint16_t proto, int invert);
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
void nft_rule_to_iptables_command_state(struct nft_handle *h,
const struct nftnl_rule *r,
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [iptables PATCH 10/10] xshared: Make load_proto() static
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
` (8 preceding siblings ...)
2021-11-06 20:57 ` [iptables PATCH 09/10] nft-shared: Drop unused function print_proto() Phil Sutter
@ 2021-11-06 20:57 ` Phil Sutter
9 siblings, 0 replies; 11+ messages in thread
From: Phil Sutter @ 2021-11-06 20:57 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
The last outside users vanished ten years ago.
Fixes: 449cdd6bcc8d1 ("src: combine default_command functions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xshared.c | 2 +-
iptables/xshared.h | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 37ea71068b69c..a1ca2b0fd7e3e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -107,7 +107,7 @@ static bool should_load_proto(struct iptables_command_state *cs)
return !cs->proto_used;
}
-struct xtables_match *load_proto(struct iptables_command_state *cs)
+static struct xtables_match *load_proto(struct iptables_command_state *cs)
{
if (!should_load_proto(cs))
return NULL;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 757940090dd69..060c62ef0b5ca 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -166,7 +166,6 @@ extern void print_extension_helps(const struct xtables_target *,
const struct xtables_rule_match *);
extern int command_default(struct iptables_command_state *,
struct xtables_globals *, bool invert);
-extern struct xtables_match *load_proto(struct iptables_command_state *);
extern int subcmd_main(int, char **, const struct subcommand *);
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);
--
2.33.0
^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2021-11-06 20:59 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-06 20:57 [iptables PATCH 00/10] Share more code with legacy Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 01/10] xshared: Merge and share parse_chain() Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 02/10] nft: Change whitespace printing in save_rule callback Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 03/10] xshared: Share print_iface() function Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 04/10] xshared: Share save_rule_details() with legacy Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 05/10] xshared: Share save_ipv{4,6}_addr() " Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 06/10] xshared: Share print_rule_details() " Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 07/10] xshared: Share print_fragment() " Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 08/10] xshared: Share print_header() with legacy iptables Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 09/10] nft-shared: Drop unused function print_proto() Phil Sutter
2021-11-06 20:57 ` [iptables PATCH 10/10] xshared: Make load_proto() static Phil Sutter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.