[iptables PATCH 00/10] Share more code with legacy

[iptables PATCH 00/10] Share more code with legacy

[Phil Sutter]

This series populates xshared.c with more code for use by both nft and
legacy variants. A prerequisite for this is to change how output
separating whitespace is printed (the old space before or after arg
issue). Patch 2 does this and paves the way for patches 3-8. Patches 9
and 10 finish with a bit of cleanup.

Phil Sutter (10):
  xshared: Merge and share parse_chain()
  nft: Change whitespace printing in save_rule callback
  xshared: Share print_iface() function
  xshared: Share save_rule_details() with legacy
  xshared: Share save_ipv{4,6}_addr() with legacy
  xshared: Share print_rule_details() with legacy
  xshared: Share print_fragment() with legacy
  xshared: Share print_header() with legacy iptables
  nft-shared: Drop unused function print_proto()
  xshared: Make load_proto() static

 iptables/ip6tables.c  | 197 ++++-------------------------------
 iptables/iptables.c   | 210 ++++----------------------------------
 iptables/nft-arp.c    |   8 +-
 iptables/nft-bridge.c |  12 ++-
 iptables/nft-ipv4.c   |  75 ++------------
 iptables/nft-ipv6.c   |  37 ++-----
 iptables/nft-shared.c | 155 ++--------------------------
 iptables/nft-shared.h |  18 +---
 iptables/nft.c        |  10 +-
 iptables/xshared.c    | 231 +++++++++++++++++++++++++++++++++++++++++-
 iptables/xshared.h    |  22 +++-
 iptables/xtables.c    |   9 +-
 12 files changed, 337 insertions(+), 647 deletions(-)

-- 
2.33.0

[iptables PATCH 01/10] xshared: Merge and share parse_chain()

[Phil Sutter]

Have a common routine to perform chain name checks, combining all
variants' requirements.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c | 26 --------------------------
 iptables/iptables.c  | 25 -------------------------
 iptables/xshared.c   | 24 ++++++++++++++++++++++++
 iptables/xshared.h   |  1 +
 iptables/xtables.c   |  9 +--------
 5 files changed, 26 insertions(+), 59 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index e967c040fd3c9..ec0ae759875e7 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -233,32 +233,6 @@ static int is_exthdr(uint16_t proto)
 		proto == IPPROTO_DSTOPTS);
 }
 
-static void
-parse_chain(const char *chainname)
-{
-	const char *ptr;
-
-	if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
-		xtables_error(PARAMETER_PROBLEM,
-			   "chain name `%s' too long (must be under %u chars)",
-			   chainname, XT_EXTENSION_MAXNAMELEN);
-
-	if (*chainname == '-' || *chainname == '!')
-		xtables_error(PARAMETER_PROBLEM,
-			   "chain name not allowed to start "
-			   "with `%c'\n", *chainname);
-
-	if (xtables_find_target(chainname, XTF_TRY_LOAD))
-		xtables_error(PARAMETER_PROBLEM,
-			   "chain name may not clash "
-			   "with target name\n");
-
-	for (ptr = chainname; *ptr; ptr++)
-		if (isspace(*ptr))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Invalid chain name `%s'", chainname);
-}
-
 static void
 print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
 {
diff --git a/iptables/iptables.c b/iptables/iptables.c
index b925f0892e0d5..246526a55a3c9 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -223,31 +223,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
 
 /* Christophe Burki wants `-p 6' to imply `-m tcp'.  */
 
-static void
-parse_chain(const char *chainname)
-{
-	const char *ptr;
-
-	if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
-		xtables_error(PARAMETER_PROBLEM,
-			   "chain name `%s' too long (must be under %u chars)",
-			   chainname, XT_EXTENSION_MAXNAMELEN);
-
-	if (*chainname == '-' || *chainname == '!')
-		xtables_error(PARAMETER_PROBLEM,
-			   "chain name not allowed to start "
-			   "with `%c'\n", *chainname);
-
-	if (xtables_find_target(chainname, XTF_TRY_LOAD))
-		xtables_error(PARAMETER_PROBLEM,
-			   "chain name may not clash "
-			   "with target name\n");
-
-	for (ptr = chainname; *ptr; ptr++)
-		if (isspace(*ptr))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Invalid chain name `%s'", chainname);
-}
 
 static void
 print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 2d3ef679fd765..bd545d6b31908 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -892,3 +892,27 @@ set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
 		*invflg |= inverse_for_options[i];
 	}
 }
+
+void parse_chain(const char *chainname)
+{
+	const char *ptr;
+
+	if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
+		xtables_error(PARAMETER_PROBLEM,
+			      "chain name `%s' too long (must be under %u chars)",
+			      chainname, XT_EXTENSION_MAXNAMELEN);
+
+	if (*chainname == '-' || *chainname == '!')
+		xtables_error(PARAMETER_PROBLEM,
+			      "chain name not allowed to start with `%c'\n",
+			      *chainname);
+
+	if (xtables_find_target(chainname, XTF_TRY_LOAD))
+		xtables_error(PARAMETER_PROBLEM,
+			      "chain name may not clash with target name\n");
+
+	for (ptr = chainname; *ptr; ptr++)
+		if (isspace(*ptr))
+			xtables_error(PARAMETER_PROBLEM,
+				      "Invalid chain name `%s'", chainname);
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index b59116ac49747..6d6acbca13da2 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -235,6 +235,7 @@ char cmd2char(int option);
 void add_command(unsigned int *cmd, const int newcmd,
 		 const int othercmds, int invert);
 int parse_rulenumber(const char *rule);
+void parse_chain(const char *chainname);
 
 void generic_opt_check(int command, int options);
 char opt2char(int option);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 5c69af7e0f1f0..32b93d2bfc8cd 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -424,14 +424,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 			break;
 
 		case 'N':
-			if (optarg && (*optarg == '-' || *optarg == '!'))
-				xtables_error(PARAMETER_PROBLEM,
-					   "chain name not allowed to start "
-					   "with `%c'\n", *optarg);
-			if (xtables_find_target(optarg, XTF_TRY_LOAD))
-				xtables_error(PARAMETER_PROBLEM,
-					   "chain name may not clash "
-					   "with target name\n");
+			parse_chain(optarg);
 			add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
 				    invert);
 			p->chain = optarg;
-- 
2.33.0

[iptables PATCH 02/10] nft: Change whitespace printing in save_rule callback

[Phil Sutter]

This aligns whitespace printing with legacy iptables' print_rule4() in
order to prepare for further code-sharing.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-arp.c    |  1 +
 iptables/nft-bridge.c | 10 ++++++++--
 iptables/nft-ipv4.c   |  6 +++---
 iptables/nft-ipv6.c   |  8 ++++----
 iptables/nft-shared.c | 26 ++++++++++++--------------
 iptables/nft.c        |  4 ++--
 6 files changed, 30 insertions(+), 25 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 32eb91add4f1e..b7536e61a255f 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -479,6 +479,7 @@ nft_arp_save_rule(const void *data, unsigned int format)
 
 	format |= FMT_NUMERIC;
 
+	printf(" ");
 	nft_arp_print_rule_details(cs, format);
 	if (cs->target && cs->target->save)
 		cs->target->save(&cs->fw, cs->target->t);
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 11f3df3582aa5..cc2a48dbf7741 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -601,7 +601,7 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
 		printf("%s ", ent->e_name);
 }
 
-static void nft_bridge_save_rule(const void *data, unsigned int format)
+static void __nft_bridge_save_rule(const void *data, unsigned int format)
 {
 	const struct iptables_command_state *cs = data;
 
@@ -652,6 +652,12 @@ static void nft_bridge_save_rule(const void *data, unsigned int format)
 		fputc('\n', stdout);
 }
 
+static void nft_bridge_save_rule(const void *data, unsigned int format)
+{
+	printf(" ");
+	__nft_bridge_save_rule(data, format);
+}
+
 static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 				  unsigned int num, unsigned int format)
 {
@@ -661,7 +667,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 		printf("%d ", num);
 
 	nft_rule_to_ebtables_command_state(h, r, &cs);
-	nft_bridge_save_rule(&cs, format);
+	__nft_bridge_save_rule(&cs, format);
 	ebt_cs_clean(&cs);
 }
 
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index febd7673af4f8..287112d0e6b99 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -303,7 +303,7 @@ static void save_ipv4_addr(char letter, const struct in_addr *addr,
 	if (!mask && !invert && !addr->s_addr)
 		return;
 
-	printf("%s-%c %s/%s ", invert ? "! " : "", letter,
+	printf("%s -%c %s/%s", invert ? " !" : "", letter,
 	       inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
 	       mask_to_str(mask));
 }
@@ -323,8 +323,8 @@ static void nft_ipv4_save_rule(const void *data, unsigned int format)
 
 	if (cs->fw.ip.flags & IPT_F_FRAG) {
 		if (cs->fw.ip.invflags & IPT_INV_FRAG)
-			printf("! ");
-		printf("-f ");
+			printf(" !");
+		printf(" -f");
 	}
 
 	save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index f0e64bbd4ab23..845937b180b06 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -234,14 +234,14 @@ static void save_ipv6_addr(char letter, const struct in6_addr *addr,
 	if (!invert && l == 0)
 		return;
 
-	printf("%s-%c %s",
-		invert ? "! " : "", letter,
+	printf("%s -%c %s",
+		invert ? " !" : "", letter,
 		inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
 
 	if (l == -1)
-		printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
+		printf("/%s", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
 	else
-		printf("/%d ", l);
+		printf("/%d", l);
 }
 
 static void nft_ipv6_save_rule(const void *data, unsigned int format)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 72727270026ee..082cc0e2df745 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -793,7 +793,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
 	if (mask[0] == 0)
 		return;
 
-	printf("%s-%c ", inv ? "! " : "", letter);
+	printf("%s -%c ", inv ? " !" : "", letter);
 
 	for (i = 0; i < IFNAMSIZ; i++) {
 		if (mask[i] != 0) {
@@ -805,8 +805,6 @@ print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
 				break;
 		}
 	}
-
-	printf(" ");
 }
 
 void save_rule_details(const struct iptables_command_state *cs,
@@ -829,12 +827,12 @@ void save_rule_details(const struct iptables_command_state *cs,
 		const char *pname = proto_to_name(proto, 0);
 
 		if (invflags & XT_INV_PROTO)
-			printf("! ");
+			printf(" !");
 
 		if (pname)
-			printf("-p %s ", pname);
+			printf(" -p %s", pname);
 		else
-			printf("-p %u ", proto);
+			printf(" -p %u", proto);
 	}
 }
 
@@ -856,33 +854,33 @@ void save_matches_and_target(const struct iptables_command_state *cs,
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
 		if (matchp->match->alias) {
-			printf("-m %s",
+			printf(" -m %s",
 			       matchp->match->alias(matchp->match->m));
 		} else
-			printf("-m %s", matchp->match->name);
+			printf(" -m %s", matchp->match->name);
 
 		if (matchp->match->save != NULL) {
 			/* cs->fw union makes the trick */
 			matchp->match->save(fw, matchp->match->m);
 		}
-		printf(" ");
 	}
 
 	if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS)
-		printf("-c %llu %llu ",
+		printf(" -c %llu %llu",
 		       (unsigned long long)cs->counters.pcnt,
 		       (unsigned long long)cs->counters.bcnt);
 
 	if (cs->target != NULL) {
 		if (cs->target->alias) {
-			printf("-j %s", cs->target->alias(cs->target->t));
+			printf(" -j %s", cs->target->alias(cs->target->t));
 		} else
-			printf("-j %s", cs->jumpto);
+			printf(" -j %s", cs->jumpto);
 
-		if (cs->target->save != NULL)
+		if (cs->target->save != NULL) {
 			cs->target->save(fw, cs->target->t);
+		}
 	} else if (strlen(cs->jumpto) > 0) {
-		printf("-%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
+		printf(" -%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
 	}
 
 	printf("\n");
diff --git a/iptables/nft.c b/iptables/nft.c
index 1d3f3a3da1cbb..282d417f3bc85 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1513,10 +1513,10 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
 	/* print chain name */
 	switch(type) {
 	case NFT_RULE_APPEND:
-		printf("-A %s ", chain);
+		printf("-A %s", chain);
 		break;
 	case NFT_RULE_DEL:
-		printf("-D %s ", chain);
+		printf("-D %s", chain);
 		break;
 	}
 
-- 
2.33.0

[iptables PATCH 03/10] xshared: Share print_iface() function

[Phil Sutter]

Merge the three identical copies into one and name it 'save_iface' (as
the printed syntax is for "save"-format). Leave arptables alone for now,
its rather complicated whitespace printing doesn't allow for use of the
shared function. Also keep ebtables' custom implementation, it is used
for the --logical-in/--logical-out long-options, too. Apart from that,
ebtables-nft does not use a mask, at all.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c  | 30 ++----------------------------
 iptables/iptables.c   | 30 ++----------------------------
 iptables/nft-shared.c | 26 ++------------------------
 iptables/xshared.c    | 25 +++++++++++++++++++++++++
 iptables/xshared.h    |  2 ++
 5 files changed, 33 insertions(+), 80 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index ec0ae759875e7..1c9b076196e8f 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -707,32 +707,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	return found;
 }
 
-/* This assumes that mask is contiguous, and byte-bounded. */
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask,
-	    int invert)
-{
-	unsigned int i;
-
-	if (mask[0] == 0)
-		return;
-
-	printf("%s -%c ", invert ? " !" : "", letter);
-
-	for (i = 0; i < IFNAMSIZ; i++) {
-		if (mask[i] != 0) {
-			if (iface[i] != '\0')
-				printf("%c", iface[i]);
-		} else {
-			/* we can access iface[i-1] here, because
-			 * a few lines above we make sure that mask[0] != 0 */
-			if (iface[i-1] != '\0')
-				printf("+");
-			break;
-		}
-	}
-}
-
 static void print_proto(uint16_t proto, int invert)
 {
 	if (proto) {
@@ -821,10 +795,10 @@ void print_rule6(const struct ip6t_entry *e,
 	print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
 			e->ipv6.invflags & IP6T_INV_DSTIP);
 
-	print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
+	save_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
 		    e->ipv6.invflags & IP6T_INV_VIA_IN);
 
-	print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
+	save_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
 		    e->ipv6.invflags & IP6T_INV_VIA_OUT);
 
 	print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 246526a55a3c9..7802bd6d95bd0 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -720,32 +720,6 @@ static void print_proto(uint16_t proto, int invert)
 
 #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n))
 
-/* This assumes that mask is contiguous, and byte-bounded. */
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask,
-	    int invert)
-{
-	unsigned int i;
-
-	if (mask[0] == 0)
-		return;
-
-	printf("%s -%c ", invert ? " !" : "", letter);
-
-	for (i = 0; i < IFNAMSIZ; i++) {
-		if (mask[i] != 0) {
-			if (iface[i] != '\0')
-				printf("%c", iface[i]);
-		} else {
-			/* we can access iface[i-1] here, because
-			 * a few lines above we make sure that mask[0] != 0 */
-			if (iface[i-1] != '\0')
-				printf("+");
-			break;
-		}
-	}
-}
-
 static int print_match_save(const struct xt_entry_match *e,
 			const struct ipt_ip *ip)
 {
@@ -830,10 +804,10 @@ void print_rule4(const struct ipt_entry *e,
 	print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
 			e->ip.invflags & IPT_INV_DSTIP);
 
-	print_iface('i', e->ip.iniface, e->ip.iniface_mask,
+	save_iface('i', e->ip.iniface, e->ip.iniface_mask,
 		    e->ip.invflags & IPT_INV_VIA_IN);
 
-	print_iface('o', e->ip.outiface, e->ip.outiface_mask,
+	save_iface('o', e->ip.outiface, e->ip.outiface_mask,
 		    e->ip.invflags & IPT_INV_VIA_OUT);
 
 	print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 082cc0e2df745..b86cc086bed1c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -785,28 +785,6 @@ void print_rule_details(const struct iptables_command_state *cs,
 	}
 }
 
-static void
-print_iface(char letter, const char *iface, const unsigned char *mask, int inv)
-{
-	unsigned int i;
-
-	if (mask[0] == 0)
-		return;
-
-	printf("%s -%c ", inv ? " !" : "", letter);
-
-	for (i = 0; i < IFNAMSIZ; i++) {
-		if (mask[i] != 0) {
-			if (iface[i] != '\0')
-				printf("%c", iface[i]);
-			} else {
-				if (iface[i-1] != '\0')
-					printf("+");
-				break;
-		}
-	}
-}
-
 void save_rule_details(const struct iptables_command_state *cs,
 		       uint8_t invflags, uint16_t proto,
 		       const char *iniface,
@@ -815,11 +793,11 @@ void save_rule_details(const struct iptables_command_state *cs,
 		       unsigned const char *outiface_mask)
 {
 	if (iniface != NULL) {
-		print_iface('i', iniface, iniface_mask,
+		save_iface('i', iniface, iniface_mask,
 			    invflags & IPT_INV_VIA_IN);
 	}
 	if (outiface != NULL) {
-		print_iface('o', outiface, outiface_mask,
+		save_iface('o', outiface, outiface_mask,
 			    invflags & IPT_INV_VIA_OUT);
 	}
 
diff --git a/iptables/xshared.c b/iptables/xshared.c
index bd545d6b31908..db03aaaa324b0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -637,6 +637,31 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 	printf(FMT("%-6s ", "out %s "), iface);
 }
 
+/* This assumes that mask is contiguous, and byte-bounded. */
+void save_iface(char letter, const char *iface,
+		const unsigned char *mask, int invert)
+{
+	unsigned int i;
+
+	if (mask[0] == 0)
+		return;
+
+	printf("%s -%c ", invert ? " !" : "", letter);
+
+	for (i = 0; i < IFNAMSIZ; i++) {
+		if (mask[i] != 0) {
+			if (iface[i] != '\0')
+				printf("%c", iface[i]);
+		} else {
+			/* we can access iface[i-1] here, because
+			 * a few lines above we make sure that mask[0] != 0 */
+			if (iface[i-1] != '\0')
+				printf("+");
+			break;
+		}
+	}
+}
+
 void command_match(struct iptables_command_state *cs, bool invert)
 {
 	struct option *opts = xt_params->opts;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 6d6acbca13da2..3281ce584476c 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -226,6 +226,8 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
 
 void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 		  unsigned int format);
+void save_iface(char letter, const char *iface,
+		const unsigned char *mask, int invert);
 
 void command_match(struct iptables_command_state *cs, bool invert);
 const char *xt_parse_target(const char *targetname);
-- 
2.33.0

[iptables PATCH 04/10] xshared: Share save_rule_details() with legacy

[Phil Sutter]

The function combines printing of input and output interfaces and
protocol parameter, all being IP family independent. Extend the function
to print fragment option ('-f'), too if requested. While being at it,
drop unused iptables_command_state parameter and reorder the remaining
ones a bit.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c  | 23 +++--------------------
 iptables/iptables.c   | 28 ++++------------------------
 iptables/nft-ipv4.c   | 13 ++++---------
 iptables/nft-ipv6.c   |  6 +++---
 iptables/nft-shared.c | 29 -----------------------------
 iptables/nft-shared.h |  6 ------
 iptables/xshared.c    | 32 ++++++++++++++++++++++++++++++++
 iptables/xshared.h    |  4 ++++
 8 files changed, 50 insertions(+), 91 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 1c9b076196e8f..eacbf704f9769 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -707,19 +707,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	return found;
 }
 
-static void print_proto(uint16_t proto, int invert)
-{
-	if (proto) {
-		const char *pname = proto_to_name(proto, 0);
-		const char *invertstr = invert ? " !" : "";
-
-		if (pname)
-			printf("%s -p %s", invertstr, pname);
-		else
-			printf("%s -p %u", invertstr, proto);
-	}
-}
-
 static int print_match_save(const struct xt_entry_match *e,
 			const struct ip6t_ip6 *ip)
 {
@@ -795,13 +782,9 @@ void print_rule6(const struct ip6t_entry *e,
 	print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
 			e->ipv6.invflags & IP6T_INV_DSTIP);
 
-	save_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask,
-		    e->ipv6.invflags & IP6T_INV_VIA_IN);
-
-	save_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask,
-		    e->ipv6.invflags & IP6T_INV_VIA_OUT);
-
-	print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO);
+	save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask,
+			  e->ipv6.outiface, e->ipv6.outiface_mask,
+			  e->ipv6.proto, 0, e->ipv6.invflags);
 
 #if 0
 	/* not definied in ipv6
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 7802bd6d95bd0..85fb7bdcd0ca1 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -699,19 +699,6 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	return found;
 }
 
-static void print_proto(uint16_t proto, int invert)
-{
-	if (proto) {
-		const char *pname = proto_to_name(proto, 0);
-		const char *invertstr = invert ? " !" : "";
-
-		if (pname)
-			printf("%s -p %s", invertstr, pname);
-		else
-			printf("%s -p %u", invertstr, proto);
-	}
-}
-
 #define IP_PARTS_NATIVE(n)			\
 (unsigned int)((n)>>24)&0xFF,			\
 (unsigned int)((n)>>16)&0xFF,			\
@@ -804,17 +791,10 @@ void print_rule4(const struct ipt_entry *e,
 	print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
 			e->ip.invflags & IPT_INV_DSTIP);
 
-	save_iface('i', e->ip.iniface, e->ip.iniface_mask,
-		    e->ip.invflags & IPT_INV_VIA_IN);
-
-	save_iface('o', e->ip.outiface, e->ip.outiface_mask,
-		    e->ip.invflags & IPT_INV_VIA_OUT);
-
-	print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO);
-
-	if (e->ip.flags & IPT_F_FRAG)
-		printf("%s -f",
-		       e->ip.invflags & IPT_INV_FRAG ? " !" : "");
+	save_rule_details(e->ip.iniface, e->ip.iniface_mask,
+			  e->ip.outiface, e->ip.outiface_mask,
+			  e->ip.proto, e->ip.flags & IPT_F_FRAG,
+			  e->ip.invflags);
 
 	/* Print matchinfo part */
 	if (e->target_offset)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 287112d0e6b99..39d6e61232cdb 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -317,15 +317,10 @@ static void nft_ipv4_save_rule(const void *data, unsigned int format)
 	save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
 		       cs->fw.ip.invflags & IPT_INV_DSTIP);
 
-	save_rule_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
-			  cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
-			  cs->fw.ip.outiface, cs->fw.ip.outiface_mask);
-
-	if (cs->fw.ip.flags & IPT_F_FRAG) {
-		if (cs->fw.ip.invflags & IPT_INV_FRAG)
-			printf(" !");
-		printf(" -f");
-	}
+	save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
+			  cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
+			  cs->fw.ip.proto, cs->fw.ip.flags & IPT_F_FRAG,
+			  cs->fw.ip.invflags);
 
 	save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO,
 				&cs->fw, format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 845937b180b06..0c73cedd71c96 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -253,9 +253,9 @@ static void nft_ipv6_save_rule(const void *data, unsigned int format)
 	save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
 		       cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
 
-	save_rule_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
-			  cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
-			  cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask);
+	save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
+			  cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
+			  cs->fw6.ipv6.proto, 0, cs->fw6.ipv6.invflags);
 
 	save_matches_and_target(cs, cs->fw6.ipv6.flags & IP6T_F_GOTO,
 				&cs->fw6, format);
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b86cc086bed1c..168c224627fd0 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -785,35 +785,6 @@ void print_rule_details(const struct iptables_command_state *cs,
 	}
 }
 
-void save_rule_details(const struct iptables_command_state *cs,
-		       uint8_t invflags, uint16_t proto,
-		       const char *iniface,
-		       unsigned const char *iniface_mask,
-		       const char *outiface,
-		       unsigned const char *outiface_mask)
-{
-	if (iniface != NULL) {
-		save_iface('i', iniface, iniface_mask,
-			    invflags & IPT_INV_VIA_IN);
-	}
-	if (outiface != NULL) {
-		save_iface('o', outiface, outiface_mask,
-			    invflags & IPT_INV_VIA_OUT);
-	}
-
-	if (proto > 0) {
-		const char *pname = proto_to_name(proto, 0);
-
-		if (invflags & XT_INV_PROTO)
-			printf(" !");
-
-		if (pname)
-			printf(" -p %s", pname);
-		else
-			printf(" -p %u", proto);
-	}
-}
-
 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
 {
 	const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 339c46e7f5b06..cac5757ff0708 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -173,12 +173,6 @@ void print_rule_details(const struct iptables_command_state *cs,
 			unsigned int num, unsigned int format);
 void print_matches_and_target(struct iptables_command_state *cs,
 			      unsigned int format);
-void save_rule_details(const struct iptables_command_state *cs,
-		       uint8_t invflags, uint16_t proto,
-		       const char *iniface,
-		       unsigned const char *iniface_mask,
-		       const char *outiface,
-		       unsigned const char *outiface_mask);
 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
 void save_matches_and_target(const struct iptables_command_state *cs,
 			     bool goto_flag, const void *fw,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index db03aaaa324b0..db701ead4811f 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -941,3 +941,35 @@ void parse_chain(const char *chainname)
 			xtables_error(PARAMETER_PROBLEM,
 				      "Invalid chain name `%s'", chainname);
 }
+
+void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
+		       const char *outiface, unsigned const char *outiface_mask,
+		       uint16_t proto, int frag, uint8_t invflags)
+{
+	if (iniface != NULL) {
+		save_iface('i', iniface, iniface_mask,
+			    invflags & IPT_INV_VIA_IN);
+	}
+	if (outiface != NULL) {
+		save_iface('o', outiface, outiface_mask,
+			    invflags & IPT_INV_VIA_OUT);
+	}
+
+	if (proto > 0) {
+		const char *pname = proto_to_name(proto, 0);
+
+		if (invflags & XT_INV_PROTO)
+			printf(" !");
+
+		if (pname)
+			printf(" -p %s", pname);
+		else
+			printf(" -p %u", proto);
+	}
+
+	if (frag) {
+		if (invflags & IPT_INV_FRAG)
+			printf(" !");
+		printf(" -f");
+	}
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 3281ce584476c..484ade126404c 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -242,4 +242,8 @@ void parse_chain(const char *chainname);
 void generic_opt_check(int command, int options);
 char opt2char(int option);
 
+void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
+		       const char *outiface, unsigned const char *outiface_mask,
+		       uint16_t proto, int frag, uint8_t invflags);
+
 #endif /* IPTABLES_XSHARED_H */
-- 
2.33.0

[iptables PATCH 05/10] xshared: Share save_ipv{4,6}_addr() with legacy

[Phil Sutter]

While being at it, make save_ipv4_addr() accept an in_addr* as mask -
mask_to_str() needs it anyway.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c | 29 ++++------------------
 iptables/iptables.c  | 36 +++-------------------------
 iptables/nft-ipv4.c  | 43 ++-------------------------------
 iptables/nft-ipv6.c  | 20 ----------------
 iptables/xshared.c   | 57 ++++++++++++++++++++++++++++++++++++++++++++
 iptables/xshared.h   |  4 ++++
 6 files changed, 70 insertions(+), 119 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index eacbf704f9769..5c118626a5d23 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -738,27 +738,6 @@ static int print_match_save(const struct xt_entry_match *e,
 	return 0;
 }
 
-/* Print a given ip including mask if necessary. */
-static void print_ip(const char *prefix, const struct in6_addr *ip,
-		     const struct in6_addr *mask, int invert)
-{
-	char buf[51];
-	int l = xtables_ip6mask_to_cidr(mask);
-
-	if (l == 0 && !invert)
-		return;
-
-	printf("%s %s %s",
-		invert ? " !" : "",
-		prefix,
-		inet_ntop(AF_INET6, ip, buf, sizeof buf));
-
-	if (l == -1)
-		printf("/%s", inet_ntop(AF_INET6, mask, buf, sizeof buf));
-	else
-		printf("/%d", l);
-}
-
 /* We want this to be readable, so only print out necessary fields.
  * Because that's the kind of world I want to live in.
  */
@@ -776,11 +755,11 @@ void print_rule6(const struct ip6t_entry *e,
 	printf("-A %s", chain);
 
 	/* Print IP part. */
-	print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk),
-			e->ipv6.invflags & IP6T_INV_SRCIP);
+	save_ipv6_addr('s', &e->ipv6.src, &e->ipv6.smsk,
+		       e->ipv6.invflags & IP6T_INV_SRCIP);
 
-	print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk),
-			e->ipv6.invflags & IP6T_INV_DSTIP);
+	save_ipv6_addr('d', &e->ipv6.dst, &e->ipv6.dmsk,
+		       e->ipv6.invflags & IP6T_INV_DSTIP);
 
 	save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask,
 			  e->ipv6.outiface, e->ipv6.outiface_mask,
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 85fb7bdcd0ca1..0d8beb04c0f99 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -738,36 +738,6 @@ static int print_match_save(const struct xt_entry_match *e,
 	return 0;
 }
 
-/* Print a given ip including mask if necessary. */
-static void print_ip(const char *prefix, uint32_t ip,
-		     uint32_t mask, int invert)
-{
-	uint32_t bits, hmask = ntohl(mask);
-	int i;
-
-	if (!mask && !ip && !invert)
-		return;
-
-	printf("%s %s %u.%u.%u.%u",
-		invert ? " !" : "",
-		prefix,
-		IP_PARTS(ip));
-
-	if (mask == 0xFFFFFFFFU) {
-		printf("/32");
-		return;
-	}
-
-	i    = 32;
-	bits = 0xFFFFFFFEU;
-	while (--i >= 0 && hmask != bits)
-		bits <<= 1;
-	if (i >= 0)
-		printf("/%u", i);
-	else
-		printf("/%u.%u.%u.%u", IP_PARTS(mask));
-}
-
 /* We want this to be readable, so only print out necessary fields.
  * Because that's the kind of world I want to live in.
  */
@@ -785,10 +755,10 @@ void print_rule4(const struct ipt_entry *e,
 	printf("-A %s", chain);
 
 	/* Print IP part. */
-	print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr,
-			e->ip.invflags & IPT_INV_SRCIP);
+	save_ipv4_addr('s', &e->ip.src, &e->ip.smsk,
+		       e->ip.invflags & IPT_INV_SRCIP);
 
-	print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr,
+	save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk,
 			e->ip.invflags & IPT_INV_DSTIP);
 
 	save_rule_details(e->ip.iniface, e->ip.iniface_mask,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 39d6e61232cdb..dcc009cf67a81 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -134,32 +134,6 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
 	ctx->flags &= ~NFT_XT_CTX_BITWISE;
 }
 
-static const char *mask_to_str(uint32_t mask)
-{
-	static char mask_str[INET_ADDRSTRLEN];
-	uint32_t bits, hmask = ntohl(mask);
-	struct in_addr mask_addr = {
-		.s_addr = mask,
-	};
-	int i;
-
-	if (mask == 0xFFFFFFFFU) {
-		sprintf(mask_str, "32");
-		return mask_str;
-	}
-
-	i    = 32;
-	bits = 0xFFFFFFFEU;
-	while (--i >= 0 && hmask != bits)
-		bits <<= 1;
-	if (i >= 0)
-		sprintf(mask_str, "%u", i);
-	else
-		inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
-
-	return mask_str;
-}
-
 static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 				void *data)
 {
@@ -295,26 +269,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 	nft_clear_iptables_command_state(&cs);
 }
 
-static void save_ipv4_addr(char letter, const struct in_addr *addr,
-			   uint32_t mask, int invert)
-{
-	char addrbuf[INET_ADDRSTRLEN];
-
-	if (!mask && !invert && !addr->s_addr)
-		return;
-
-	printf("%s -%c %s/%s", invert ? " !" : "", letter,
-	       inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
-	       mask_to_str(mask));
-}
-
 static void nft_ipv4_save_rule(const void *data, unsigned int format)
 {
 	const struct iptables_command_state *cs = data;
 
-	save_ipv4_addr('s', &cs->fw.ip.src, cs->fw.ip.smsk.s_addr,
+	save_ipv4_addr('s', &cs->fw.ip.src, &cs->fw.ip.smsk,
 		       cs->fw.ip.invflags & IPT_INV_SRCIP);
-	save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
+	save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk,
 		       cs->fw.ip.invflags & IPT_INV_DSTIP);
 
 	save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0c73cedd71c96..0b35e0457a067 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -224,26 +224,6 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 	nft_clear_iptables_command_state(&cs);
 }
 
-static void save_ipv6_addr(char letter, const struct in6_addr *addr,
-			   const struct in6_addr *mask,
-			   int invert)
-{
-	char addr_str[INET6_ADDRSTRLEN];
-	int l = xtables_ip6mask_to_cidr(mask);
-
-	if (!invert && l == 0)
-		return;
-
-	printf("%s -%c %s",
-		invert ? " !" : "", letter,
-		inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
-
-	if (l == -1)
-		printf("/%s", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
-	else
-		printf("/%d", l);
-}
-
 static void nft_ipv6_save_rule(const void *data, unsigned int format)
 {
 	const struct iptables_command_state *cs = data;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index db701ead4811f..3e06960fcf015 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -9,6 +9,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <arpa/inet.h>
 #include <sys/file.h>
 #include <sys/socket.h>
 #include <sys/un.h>
@@ -578,6 +579,42 @@ void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
 	       ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
 }
 
+static const char *mask_to_str(const struct in_addr *mask)
+{
+	uint32_t bits, hmask = ntohl(mask->s_addr);
+	static char mask_str[INET_ADDRSTRLEN];
+	int i;
+
+	if (mask->s_addr == 0xFFFFFFFFU) {
+		sprintf(mask_str, "32");
+		return mask_str;
+	}
+
+	i    = 32;
+	bits = 0xFFFFFFFEU;
+	while (--i >= 0 && hmask != bits)
+		bits <<= 1;
+	if (i >= 0)
+		sprintf(mask_str, "%u", i);
+	else
+		inet_ntop(AF_INET, mask, mask_str, sizeof(mask_str));
+
+	return mask_str;
+}
+
+void save_ipv4_addr(char letter, const struct in_addr *addr,
+		    const struct in_addr *mask, int invert)
+{
+	char addrbuf[INET_ADDRSTRLEN];
+
+	if (!mask->s_addr && !invert && !addr->s_addr)
+		return;
+
+	printf("%s -%c %s/%s", invert ? " !" : "", letter,
+	       inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
+	       mask_to_str(mask));
+}
+
 static const char *ipv6_addr_to_string(const struct in6_addr *addr,
 				       const struct in6_addr *mask,
 				       unsigned int format)
@@ -612,6 +649,26 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
 				   &fw6->ipv6.dmsk, format));
 }
 
+void save_ipv6_addr(char letter, const struct in6_addr *addr,
+		    const struct in6_addr *mask, int invert)
+{
+	int l = xtables_ip6mask_to_cidr(mask);
+	char addr_str[INET6_ADDRSTRLEN];
+
+	if (!invert && l == 0)
+		return;
+
+	printf("%s -%c %s",
+		invert ? " !" : "", letter,
+		inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
+
+	if (l == -1)
+		printf("/%s", inet_ntop(AF_INET6, mask,
+					addr_str, sizeof(addr_str)));
+	else
+		printf("/%d", l);
+}
+
 /* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT
  * have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT
  * so this function serves for both iptables and ip6tables */
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 484ade126404c..46ad5a2962c71 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -222,7 +222,11 @@ const char *ipv4_addr_to_string(const struct in_addr *addr,
 				const struct in_addr *mask,
 				unsigned int format);
 void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void save_ipv4_addr(char letter, const struct in_addr *addr,
+		    const struct in_addr *mask, int invert);
 void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+void save_ipv6_addr(char letter, const struct in6_addr *addr,
+		    const struct in6_addr *mask, int invert);
 
 void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 		  unsigned int format);
-- 
2.33.0

[iptables PATCH 06/10] xshared: Share print_rule_details() with legacy

[Phil Sutter]

Have to pass pointer to counters directly since different fields are
being used for some reason.

Since proto_to_name() is not used outside of xshared.c anymore, make it
static.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c  | 21 ++-------------------
 iptables/iptables.c   | 21 ++-------------------
 iptables/nft-ipv4.c   |  4 ++--
 iptables/nft-ipv6.c   |  5 ++---
 iptables/nft-shared.c | 27 ---------------------------
 iptables/nft-shared.h |  4 ----
 iptables/xshared.c    | 27 ++++++++++++++++++++++++++-
 iptables/xshared.h    |  4 +++-
 8 files changed, 37 insertions(+), 76 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 5c118626a5d23..e0cc4e898fe6a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -329,25 +329,8 @@ print_firewall(const struct ip6t_entry *fw,
 
 	t = ip6t_get_target((struct ip6t_entry *)fw);
 
-	if (format & FMT_LINENUMBERS)
-		printf(FMT("%-4u ", "%u "), num);
-
-	if (!(format & FMT_NOCOUNTS)) {
-		xtables_print_num(fw->counters.pcnt, format);
-		xtables_print_num(fw->counters.bcnt, format);
-	}
-
-	if (!(format & FMT_NOTARGET))
-		printf(FMT("%-9s ", "%s "), targname);
-
-	fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
-	{
-		const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC);
-		if (pname)
-			printf(FMT("%-5s", "%s "), pname);
-		else
-			printf(FMT("%-5hu", "%hu "), fw->ipv6.proto);
-	}
+	print_rule_details(num, &fw->counters, targname, fw->ipv6.proto,
+			   fw->ipv6.flags, fw->ipv6.invflags, format);
 
 	if (format & FMT_OPTIONS) {
 		if (format & FMT_NOTABLE)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 0d8beb04c0f99..29da40b1328d4 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -322,25 +322,8 @@ print_firewall(const struct ipt_entry *fw,
 	t = ipt_get_target((struct ipt_entry *)fw);
 	flags = fw->ip.flags;
 
-	if (format & FMT_LINENUMBERS)
-		printf(FMT("%-4u ", "%u "), num);
-
-	if (!(format & FMT_NOCOUNTS)) {
-		xtables_print_num(fw->counters.pcnt, format);
-		xtables_print_num(fw->counters.bcnt, format);
-	}
-
-	if (!(format & FMT_NOTARGET))
-		printf(FMT("%-9s ", "%s "), targname);
-
-	fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
-	{
-		const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC);
-		if (pname)
-			printf(FMT("%-5s", "%s "), pname);
-		else
-			printf(FMT("%-5hu", "%hu "), fw->ip.proto);
-	}
+	print_rule_details(num, &fw->counters, targname, fw->ip.proto,
+			   fw->ip.flags, fw->ip.invflags, format);
 
 	if (format & FMT_OPTIONS) {
 		if (format & FMT_NOTABLE)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index dcc009cf67a81..6b044642bd775 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -246,8 +246,8 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 
 	nft_rule_to_iptables_command_state(h, r, &cs);
 
-	print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags,
-			   cs.fw.ip.invflags, cs.fw.ip.proto, num, format);
+	print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto,
+			   cs.fw.ip.flags, cs.fw.ip.invflags, format);
 	print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
 	print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags,
 		     format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0b35e0457a067..cb83f9e132e24 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -198,9 +198,8 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 
 	nft_rule_to_iptables_command_state(h, r, &cs);
 
-	print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags,
-			   cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto,
-			   num, format);
+	print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto,
+			   cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format);
 	if (format & FMT_OPTIONS) {
 		if (format & FMT_NOTABLE)
 			fputs("opt ", stdout);
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 168c224627fd0..eb0070075d9eb 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -758,33 +758,6 @@ void print_header(unsigned int format, const char *chain, const char *pol,
 	printf("\n");
 }
 
-void print_rule_details(const struct iptables_command_state *cs,
-			const char *targname, uint8_t flags,
-			uint8_t invflags, uint8_t proto,
-			unsigned int num, unsigned int format)
-{
-	if (format & FMT_LINENUMBERS)
-		printf(FMT("%-4u ", "%u "), num);
-
-	if (!(format & FMT_NOCOUNTS)) {
-		xtables_print_num(cs->counters.pcnt, format);
-		xtables_print_num(cs->counters.bcnt, format);
-	}
-
-	if (!(format & FMT_NOTARGET))
-		printf(FMT("%-9s ", "%s "), targname ? targname : "");
-
-	fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
-	{
-		const char *pname =
-			proto_to_name(proto, format&FMT_NUMERIC);
-		if (pname)
-			printf(FMT("%-5s", "%s "), pname);
-		else
-			printf(FMT("%-5hu", "%hu "), proto);
-	}
-}
-
 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
 {
 	const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index cac5757ff0708..e18df20d9fc38 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -167,10 +167,6 @@ void nft_clear_iptables_command_state(struct iptables_command_state *cs);
 void print_header(unsigned int format, const char *chain, const char *pol,
 		  const struct xt_counters *counters, bool basechain,
 		  uint32_t refs, uint32_t entries);
-void print_rule_details(const struct iptables_command_state *cs,
-			const char *targname, uint8_t flags,
-			uint8_t invflags, uint8_t proto,
-			unsigned int num, unsigned int format);
 void print_matches_and_target(struct iptables_command_state *cs,
 			      unsigned int format);
 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 3e06960fcf015..7f2e1a32914b0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -48,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
 	}
 }
 
-const char *
+static const char *
 proto_to_name(uint16_t proto, int nolookup)
 {
 	unsigned int i;
@@ -999,6 +999,31 @@ void parse_chain(const char *chainname)
 				      "Invalid chain name `%s'", chainname);
 }
 
+void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
+			const char *targname, uint8_t proto, uint8_t flags,
+			uint8_t invflags, unsigned int format)
+{
+	const char *pname = proto_to_name(proto, format&FMT_NUMERIC);
+
+	if (format & FMT_LINENUMBERS)
+		printf(FMT("%-4u ", "%u "), linenum);
+
+	if (!(format & FMT_NOCOUNTS)) {
+		xtables_print_num(ctrs->pcnt, format);
+		xtables_print_num(ctrs->bcnt, format);
+	}
+
+	if (!(format & FMT_NOTARGET))
+		printf(FMT("%-9s ", "%s "), targname ? targname : "");
+
+	fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout);
+
+	if (pname)
+		printf(FMT("%-5s", "%s "), pname);
+	else
+		printf(FMT("%-5hu", "%hu "), proto);
+}
+
 void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 		       const char *outiface, unsigned const char *outiface_mask,
 		       uint16_t proto, int frag, uint8_t invflags)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 46ad5a2962c71..9f0fa1438bdd3 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -164,7 +164,6 @@ enum {
 
 extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
-extern const char *proto_to_name(uint16_t, int);
 extern int command_default(struct iptables_command_state *,
 	struct xtables_globals *, bool invert);
 extern struct xtables_match *load_proto(struct iptables_command_state *);
@@ -246,6 +245,9 @@ void parse_chain(const char *chainname);
 void generic_opt_check(int command, int options);
 char opt2char(int option);
 
+void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
+			const char *targname, uint8_t proto, uint8_t flags,
+			uint8_t invflags, unsigned int format);
 void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
 		       const char *outiface, unsigned const char *outiface_mask,
 		       uint16_t proto, int frag, uint8_t invflags);
-- 
2.33.0

[iptables PATCH 07/10] xshared: Share print_fragment() with legacy

[Phil Sutter]

Also add a fake mode to make it suitable for ip6tables. This is required
because IPT_F_FRAG value clashes with IP6T_F_PROTO, so ip6tables rules
might seem to have IPT_F_FRAG bit set.

While being at it, drop the local variable 'flags' from
print_firewall().

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c |  8 +-------
 iptables/iptables.c  | 10 +---------
 iptables/nft-ipv4.c  | 15 +--------------
 iptables/nft-ipv6.c  |  6 +-----
 iptables/xshared.c   | 18 ++++++++++++++++++
 iptables/xshared.h   |  3 +++
 6 files changed, 25 insertions(+), 35 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index e0cc4e898fe6a..3d304d441c10a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -332,13 +332,7 @@ print_firewall(const struct ip6t_entry *fw,
 	print_rule_details(num, &fw->counters, targname, fw->ipv6.proto,
 			   fw->ipv6.flags, fw->ipv6.invflags, format);
 
-	if (format & FMT_OPTIONS) {
-		if (format & FMT_NOTABLE)
-			fputs("opt ", stdout);
-		fputc(' ', stdout); /* Invert flag of FRAG */
-		fputc(' ', stdout); /* -f */
-		fputc(' ', stdout);
-	}
+	print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true);
 
 	print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface,
 		     fw->ipv6.invflags, format);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 29da40b1328d4..12a5423ec271d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -311,7 +311,6 @@ print_firewall(const struct ipt_entry *fw,
 {
 	struct xtables_target *target, *tg;
 	const struct xt_entry_target *t;
-	uint8_t flags;
 
 	if (!iptc_is_chain(targname, handle))
 		target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -320,18 +319,11 @@ print_firewall(const struct ipt_entry *fw,
 		         XTF_LOAD_MUST_SUCCEED);
 
 	t = ipt_get_target((struct ipt_entry *)fw);
-	flags = fw->ip.flags;
 
 	print_rule_details(num, &fw->counters, targname, fw->ip.proto,
 			   fw->ip.flags, fw->ip.invflags, format);
 
-	if (format & FMT_OPTIONS) {
-		if (format & FMT_NOTABLE)
-			fputs("opt ", stdout);
-		fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout);
-		fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
-		fputc(' ', stdout);
-	}
+	print_fragment(fw->ip.flags, fw->ip.invflags, format, false);
 
 	print_ifaces(fw->ip.iniface, fw->ip.outiface, fw->ip.invflags, format);
 
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 6b044642bd775..f36260980e829 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -226,19 +226,6 @@ static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
 		cs->fw.ip.flags |= IPT_F_GOTO;
 }
 
-static void print_fragment(unsigned int flags, unsigned int invflags,
-			   unsigned int format)
-{
-	if (!(format & FMT_OPTIONS))
-		return;
-
-	if (format & FMT_NOTABLE)
-		fputs("opt ", stdout);
-	fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
-	fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
-	fputc(' ', stdout);
-}
-
 static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 				unsigned int num, unsigned int format)
 {
@@ -248,7 +235,7 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 
 	print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto,
 			   cs.fw.ip.flags, cs.fw.ip.invflags, format);
-	print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
+	print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format, false);
 	print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags,
 		     format);
 	print_ipv4_addresses(&cs.fw, format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index cb83f9e132e24..132130880a43a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -200,11 +200,7 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 
 	print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto,
 			   cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format);
-	if (format & FMT_OPTIONS) {
-		if (format & FMT_NOTABLE)
-			fputs("opt ", stdout);
-		fputs("   ", stdout);
-	}
+	print_fragment(cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format, true);
 	print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface,
 		     cs.fw6.ipv6.invflags, format);
 	print_ipv6_addresses(&cs.fw6, format);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 7f2e1a32914b0..e8c8939cf8e3e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -669,6 +669,24 @@ void save_ipv6_addr(char letter, const struct in6_addr *addr,
 		printf("/%d", l);
 }
 
+void print_fragment(unsigned int flags, unsigned int invflags,
+		    unsigned int format, bool fake)
+{
+	if (!(format & FMT_OPTIONS))
+		return;
+
+	if (format & FMT_NOTABLE)
+		fputs("opt ", stdout);
+
+	if (fake) {
+		fputs("  ", stdout);
+	} else {
+		fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout);
+		fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout);
+	}
+	fputc(' ', stdout);
+}
+
 /* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT
  * have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT
  * so this function serves for both iptables and ip6tables */
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9f0fa1438bdd3..48f314cac8f45 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -232,6 +232,9 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 void save_iface(char letter, const char *iface,
 		const unsigned char *mask, int invert);
 
+void print_fragment(unsigned int flags, unsigned int invflags,
+		    unsigned int format, bool fake);
+
 void command_match(struct iptables_command_state *cs, bool invert);
 const char *xt_parse_target(const char *targetname);
 void command_jump(struct iptables_command_state *cs, const char *jumpto);
-- 
2.33.0

[iptables PATCH 08/10] xshared: Share print_header() with legacy iptables

[Phil Sutter]

Legacy iptables fetches the relevant data via libiptc before calling the
shared routine which merely prints data as requested.

Drop the 'basechain' parameter, instead make sure a policy name is
passed only with base chains. Since the function is not shared with
ebtables (which uses a very rudimental header instead), this is safe.

In order to support legacy iptables' checking of iptc_get_references()
return code (printing an error message instead of the reference count),
make refs parameter signed and print the error message if it's negative.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c  | 64 ++++++++-----------------------------------
 iptables/iptables.c   | 64 ++++++++-----------------------------------
 iptables/nft-arp.c    |  7 ++---
 iptables/nft-bridge.c |  2 +-
 iptables/nft-shared.c | 44 -----------------------------
 iptables/nft-shared.h |  7 ++---
 iptables/nft.c        |  6 ++--
 iptables/xshared.c    | 46 +++++++++++++++++++++++++++++++
 iptables/xshared.h    |  3 ++
 9 files changed, 82 insertions(+), 161 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 3d304d441c10a..5a64566eecd2a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -233,56 +233,6 @@ static int is_exthdr(uint16_t proto)
 		proto == IPPROTO_DSTOPTS);
 }
 
-static void
-print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
-{
-	struct xt_counters counters;
-	const char *pol = ip6tc_get_policy(chain, &counters, handle);
-	printf("Chain %s", chain);
-	if (pol) {
-		printf(" (policy %s", pol);
-		if (!(format & FMT_NOCOUNTS)) {
-			fputc(' ', stdout);
-			xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
-			fputs("packets, ", stdout);
-			xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
-			fputs("bytes", stdout);
-		}
-		printf(")\n");
-	} else {
-		unsigned int refs;
-		if (!ip6tc_get_references(&refs, chain, handle))
-			printf(" (ERROR obtaining refs)\n");
-		else
-			printf(" (%u references)\n", refs);
-	}
-
-	if (format & FMT_LINENUMBERS)
-		printf(FMT("%-4s ", "%s "), "num");
-	if (!(format & FMT_NOCOUNTS)) {
-		if (format & FMT_KILOMEGAGIGA) {
-			printf(FMT("%5s ","%s "), "pkts");
-			printf(FMT("%5s ","%s "), "bytes");
-		} else {
-			printf(FMT("%8s ","%s "), "pkts");
-			printf(FMT("%10s ","%s "), "bytes");
-		}
-	}
-	if (!(format & FMT_NOTARGET))
-		printf(FMT("%-9s ","%s "), "target");
-	fputs(" prot ", stdout);
-	if (format & FMT_OPTIONS)
-		fputs("opt", stdout);
-	if (format & FMT_VIA) {
-		printf(FMT(" %-6s ","%s "), "in");
-		printf(FMT("%-6s ","%s "), "out");
-	}
-	printf(FMT(" %-19s ","%s "), "source");
-	printf(FMT(" %-19s "," %s "), "destination");
-	printf("\n");
-}
-
-
 static int
 print_match(const struct xt_entry_match *m,
 	    const struct ip6t_ip6 *ip,
@@ -662,8 +612,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 
 		if (found) printf("\n");
 
-		if (!rulenum)
-		    print_header(format, this, handle);
+		if (!rulenum) {
+			struct xt_counters counters;
+			unsigned int urefs;
+			const char *pol;
+			int refs = - 1;
+
+			pol = ip6tc_get_policy(this, &counters, handle);
+			if (!pol && ip6tc_get_references(&urefs, this, handle))
+				refs = urefs;
+
+			print_header(format, this, pol, &counters, refs, 0);
+		}
 		i = ip6tc_first_rule(this, handle);
 
 		num = 0;
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 12a5423ec271d..ac51c612d92f2 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -224,56 +224,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
 /* Christophe Burki wants `-p 6' to imply `-m tcp'.  */
 
 
-static void
-print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
-{
-	struct xt_counters counters;
-	const char *pol = iptc_get_policy(chain, &counters, handle);
-	printf("Chain %s", chain);
-	if (pol) {
-		printf(" (policy %s", pol);
-		if (!(format & FMT_NOCOUNTS)) {
-			fputc(' ', stdout);
-			xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
-			fputs("packets, ", stdout);
-			xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
-			fputs("bytes", stdout);
-		}
-		printf(")\n");
-	} else {
-		unsigned int refs;
-		if (!iptc_get_references(&refs, chain, handle))
-			printf(" (ERROR obtaining refs)\n");
-		else
-			printf(" (%u references)\n", refs);
-	}
-
-	if (format & FMT_LINENUMBERS)
-		printf(FMT("%-4s ", "%s "), "num");
-	if (!(format & FMT_NOCOUNTS)) {
-		if (format & FMT_KILOMEGAGIGA) {
-			printf(FMT("%5s ","%s "), "pkts");
-			printf(FMT("%5s ","%s "), "bytes");
-		} else {
-			printf(FMT("%8s ","%s "), "pkts");
-			printf(FMT("%10s ","%s "), "bytes");
-		}
-	}
-	if (!(format & FMT_NOTARGET))
-		printf(FMT("%-9s ","%s "), "target");
-	fputs(" prot ", stdout);
-	if (format & FMT_OPTIONS)
-		fputs("opt", stdout);
-	if (format & FMT_VIA) {
-		printf(FMT(" %-6s ","%s "), "in");
-		printf(FMT("%-6s ","%s "), "out");
-	}
-	printf(FMT(" %-19s ","%s "), "source");
-	printf(FMT(" %-19s "," %s "), "destination");
-	printf("\n");
-}
-
-
 static int
 print_match(const struct xt_entry_match *m,
 	    const struct ipt_ip *ip,
@@ -652,8 +602,18 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 
 		if (found) printf("\n");
 
-		if (!rulenum)
-			print_header(format, this, handle);
+		if (!rulenum) {
+			struct xt_counters counters;
+			unsigned int urefs;
+			const char *pol;
+			int refs = -1;
+
+			pol = iptc_get_policy(this, &counters, handle);
+			if (!pol && iptc_get_references(&urefs, this, handle))
+				refs = urefs;
+
+			print_header(format, this, pol, &counters, refs, 0);
+		}
 		i = iptc_first_rule(this, handle);
 
 		num = 0;
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index b7536e61a255f..b211a30937db3 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -308,11 +308,10 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 static void nft_arp_print_header(unsigned int format, const char *chain,
 				 const char *pol,
 				 const struct xt_counters *counters,
-				 bool basechain, uint32_t refs,
-				 uint32_t entries)
+				 int refs, uint32_t entries)
 {
 	printf("Chain %s", chain);
-	if (basechain && pol) {
+	if (pol) {
 		printf(" (policy %s", pol);
 		if (!(format & FMT_NOCOUNTS)) {
 			fputc(' ', stdout);
@@ -323,7 +322,7 @@ static void nft_arp_print_header(unsigned int format, const char *chain,
 		}
 		printf(")\n");
 	} else {
-		printf(" (%u references)\n", refs);
+		printf(" (%d references)\n", refs);
 	}
 }
 
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index cc2a48dbf7741..5cde302c4f189 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -534,7 +534,7 @@ static void nft_bridge_print_table_header(const char *tablename)
 static void nft_bridge_print_header(unsigned int format, const char *chain,
 				    const char *pol,
 				    const struct xt_counters *counters,
-				    bool basechain, uint32_t refs, uint32_t entries)
+				    int refs, uint32_t entries)
 {
 	printf("Bridge chain: %s, entries: %u, policy: %s\n",
 	       chain, entries, pol ?: "RETURN");
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index eb0070075d9eb..a6a79c8cda084 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -714,50 +714,6 @@ void nft_clear_iptables_command_state(struct iptables_command_state *cs)
 	}
 }
 
-void print_header(unsigned int format, const char *chain, const char *pol,
-		  const struct xt_counters *counters, bool basechain,
-		  uint32_t refs, uint32_t entries)
-{
-	printf("Chain %s", chain);
-	if (basechain) {
-		printf(" (policy %s", pol);
-		if (!(format & FMT_NOCOUNTS)) {
-			fputc(' ', stdout);
-			xtables_print_num(counters->pcnt, (format|FMT_NOTABLE));
-			fputs("packets, ", stdout);
-			xtables_print_num(counters->bcnt, (format|FMT_NOTABLE));
-			fputs("bytes", stdout);
-		}
-		printf(")\n");
-	} else {
-		printf(" (%u references)\n", refs);
-	}
-
-	if (format & FMT_LINENUMBERS)
-		printf(FMT("%-4s ", "%s "), "num");
-	if (!(format & FMT_NOCOUNTS)) {
-		if (format & FMT_KILOMEGAGIGA) {
-			printf(FMT("%5s ","%s "), "pkts");
-			printf(FMT("%5s ","%s "), "bytes");
-		} else {
-			printf(FMT("%8s ","%s "), "pkts");
-			printf(FMT("%10s ","%s "), "bytes");
-		}
-	}
-	if (!(format & FMT_NOTARGET))
-		printf(FMT("%-9s ","%s "), "target");
-	fputs(" prot ", stdout);
-	if (format & FMT_OPTIONS)
-		fputs("opt", stdout);
-	if (format & FMT_VIA) {
-		printf(FMT(" %-6s ","%s "), "in");
-		printf(FMT("%-6s ","%s "), "out");
-	}
-	printf(FMT(" %-19s ","%s "), "source");
-	printf(FMT(" %-19s "," %s "), "destination");
-	printf("\n");
-}
-
 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
 {
 	const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index e18df20d9fc38..de684374ef9e0 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -94,8 +94,8 @@ struct nft_family_ops {
 	void (*print_table_header)(const char *tablename);
 	void (*print_header)(unsigned int format, const char *chain,
 			     const char *pol,
-			     const struct xt_counters *counters, bool basechain,
-			     uint32_t refs, uint32_t entries);
+			     const struct xt_counters *counters,
+			     int refs, uint32_t entries);
 	void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r,
 			   unsigned int num, unsigned int format);
 	void (*save_rule)(const void *data, unsigned int format);
@@ -164,9 +164,6 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
 					const struct nftnl_rule *r,
 					struct iptables_command_state *cs);
 void nft_clear_iptables_command_state(struct iptables_command_state *cs);
-void print_header(unsigned int format, const char *chain, const char *pol,
-		  const struct xt_counters *counters, bool basechain,
-		  uint32_t refs, uint32_t entries);
 void print_matches_and_target(struct iptables_command_state *cs,
 			      unsigned int format);
 void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy);
diff --git a/iptables/nft.c b/iptables/nft.c
index 282d417f3bc85..887c735b3f6e6 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2398,7 +2398,6 @@ static void __nft_print_header(struct nft_handle *h,
 {
 	struct nftnl_chain *c = nc->nftnl;
 	const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
-	bool basechain = !!nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM);
 	uint32_t refs = nftnl_chain_get_u32(c, NFTNL_CHAIN_USE);
 	uint32_t entries = nft_rule_count(h, c);
 	struct xt_counters ctrs = {
@@ -2407,11 +2406,12 @@ static void __nft_print_header(struct nft_handle *h,
 	};
 	const char *pname = NULL;
 
-	if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
+	if (nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) &&
+	    nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
 		pname = policy_name[nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY)];
 
 	h->ops->print_header(format, chain_name, pname,
-			&ctrs, basechain, refs - entries, entries);
+			     &ctrs, refs - entries, entries);
 }
 
 struct nft_rule_list_cb_data {
diff --git a/iptables/xshared.c b/iptables/xshared.c
index e8c8939cf8e3e..37ea71068b69c 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -547,6 +547,52 @@ void debug_print_argv(struct argv_store *store)
 }
 #endif
 
+void print_header(unsigned int format, const char *chain, const char *pol,
+		  const struct xt_counters *counters,
+		  int refs, uint32_t entries)
+{
+	printf("Chain %s", chain);
+	if (pol) {
+		printf(" (policy %s", pol);
+		if (!(format & FMT_NOCOUNTS)) {
+			fputc(' ', stdout);
+			xtables_print_num(counters->pcnt, (format|FMT_NOTABLE));
+			fputs("packets, ", stdout);
+			xtables_print_num(counters->bcnt, (format|FMT_NOTABLE));
+			fputs("bytes", stdout);
+		}
+		printf(")\n");
+	} else if (refs < 0) {
+		printf(" (ERROR obtaining refs)\n");
+	} else {
+		printf(" (%d references)\n", refs);
+	}
+
+	if (format & FMT_LINENUMBERS)
+		printf(FMT("%-4s ", "%s "), "num");
+	if (!(format & FMT_NOCOUNTS)) {
+		if (format & FMT_KILOMEGAGIGA) {
+			printf(FMT("%5s ","%s "), "pkts");
+			printf(FMT("%5s ","%s "), "bytes");
+		} else {
+			printf(FMT("%8s ","%s "), "pkts");
+			printf(FMT("%10s ","%s "), "bytes");
+		}
+	}
+	if (!(format & FMT_NOTARGET))
+		printf(FMT("%-9s ","%s "), "target");
+	fputs(" prot ", stdout);
+	if (format & FMT_OPTIONS)
+		fputs("opt", stdout);
+	if (format & FMT_VIA) {
+		printf(FMT(" %-6s ","%s "), "in");
+		printf(FMT("%-6s ","%s "), "out");
+	}
+	printf(FMT(" %-19s ","%s "), "source");
+	printf(FMT(" %-19s "," %s "), "destination");
+	printf("\n");
+}
+
 const char *ipv4_addr_to_string(const struct in_addr *addr,
 				const struct in_addr *mask,
 				unsigned int format)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 48f314cac8f45..757940090dd69 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -220,6 +220,9 @@ void debug_print_argv(struct argv_store *store);
 const char *ipv4_addr_to_string(const struct in_addr *addr,
 				const struct in_addr *mask,
 				unsigned int format);
+void print_header(unsigned int format, const char *chain, const char *pol,
+		  const struct xt_counters *counters,
+		  int refs, uint32_t entries);
 void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
 void save_ipv4_addr(char letter, const struct in_addr *addr,
 		    const struct in_addr *mask, int invert);
-- 
2.33.0

[iptables PATCH 09/10] nft-shared: Drop unused function print_proto()

[Phil Sutter]

The last users vanished back in 2013. There is identical code in
save_rule_details(), but with only a single user there's not much point
in keeping the function.

Fixes: cdc78b1d6bd7b ("nft: convert rule into a command state structure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-shared.c | 15 ---------------
 iptables/nft-shared.h |  1 -
 2 files changed, 16 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index a6a79c8cda084..b281ba2987cc3 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -373,21 +373,6 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 		ctx->h->ops->parse_match(match, ctx->cs);
 }
 
-void print_proto(uint16_t proto, int invert)
-{
-	const struct protoent *pent = getprotobynumber(proto);
-
-	if (invert)
-		printf("! ");
-
-	if (pent) {
-		printf("-p %s ", pent->p_name);
-		return;
-	}
-
-	printf("-p %u ", proto);
-}
-
 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
 {
 	uint32_t len;
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index de684374ef9e0..bcf8486eb44c4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -158,7 +158,6 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
 int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
 		unsigned char *iniface_mask, char *outiface,
 		unsigned char *outiface_mask, uint8_t *invflags);
-void print_proto(uint16_t proto, int invert);
 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
 void nft_rule_to_iptables_command_state(struct nft_handle *h,
 					const struct nftnl_rule *r,
-- 
2.33.0

[iptables PATCH 10/10] xshared: Make load_proto() static

[Phil Sutter]

The last outside users vanished ten years ago.

Fixes: 449cdd6bcc8d1 ("src: combine default_command functions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xshared.c | 2 +-
 iptables/xshared.h | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/iptables/xshared.c b/iptables/xshared.c
index 37ea71068b69c..a1ca2b0fd7e3e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -107,7 +107,7 @@ static bool should_load_proto(struct iptables_command_state *cs)
 	return !cs->proto_used;
 }
 
-struct xtables_match *load_proto(struct iptables_command_state *cs)
+static struct xtables_match *load_proto(struct iptables_command_state *cs)
 {
 	if (!should_load_proto(cs))
 		return NULL;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 757940090dd69..060c62ef0b5ca 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -166,7 +166,6 @@ extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
 extern int command_default(struct iptables_command_state *,
 	struct xtables_globals *, bool invert);
-extern struct xtables_match *load_proto(struct iptables_command_state *);
 extern int subcmd_main(int, char **, const struct subcommand *);
 extern void xs_init_target(struct xtables_target *);
 extern void xs_init_match(struct xtables_match *);
-- 
2.33.0