* [PATCH 1/7] Use %u format specifiers
@ 2007-12-07  2:35 Jan Engelhardt
  2007-12-07  2:36 ` [PATCH 2/7] Introduce nf_inet_address Jan Engelhardt
                   ` (6 more replies)
  0 siblings, 7 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:35 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Use %u format specifiers as ->family is unsigned.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 net/ipv4/netfilter/ipt_CLUSTERIP.c |    2 +-
 net/netfilter/xt_CONNMARK.c        |    2 +-
 net/netfilter/xt_CONNSECMARK.c     |    2 +-
 net/netfilter/xt_connbytes.c       |    2 +-
 net/netfilter/xt_connmark.c        |    2 +-
 net/netfilter/xt_conntrack.c       |    2 +-
 net/netfilter/xt_helper.c          |    2 +-
 net/netfilter/xt_state.c           |    2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

Index: linux-2.6/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -414,7 +414,7 @@ clusterip_tg_check(const char *tablename
 
 	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", target->family);
+				    "proto=%u\n", target->family);
 		return false;
 	}
 
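Review bot: the switch to %u is right for an unsigned ->family, but the message text in this hunk (and the seven identical ones below) still mislabels the value: target->family is the layer-3 address family handed to nf_ct_l3proto_try_module_get(), not a protocol number, so "proto=%u" will print e.g. "proto=2" for AF_INET. Since the format string is being touched anyway, consider "address family %u", which is the wording xt_connlimit already uses for the same failure.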
Index: linux-2.6/net/netfilter/xt_CONNMARK.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_CONNMARK.c
+++ linux-2.6/net/netfilter/xt_CONNMARK.c
@@ -95,7 +95,7 @@ connmark_tg_check(const char *tablename,
 	}
 	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", target->family);
+				    "proto=%u\n", target->family);
 		return false;
 	}
 	return true;
Index: linux-2.6/net/netfilter/xt_CONNSECMARK.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_CONNSECMARK.c
+++ linux-2.6/net/netfilter/xt_CONNSECMARK.c
@@ -103,7 +103,7 @@ connsecmark_tg_check(const char *tablena
 
 	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", target->family);
+				    "proto=%u\n", target->family);
 		return false;
 	}
 	return true;
Index: linux-2.6/net/netfilter/xt_connbytes.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connbytes.c
+++ linux-2.6/net/netfilter/xt_connbytes.c
@@ -111,7 +111,7 @@ connbytes_mt_check(const char *tablename
 
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", match->family);
+				    "proto=%u\n", match->family);
 		return false;
 	}
 
Index: linux-2.6/net/netfilter/xt_connmark.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connmark.c
+++ linux-2.6/net/netfilter/xt_connmark.c
@@ -61,7 +61,7 @@ connmark_mt_check(const char *tablename,
 	}
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", match->family);
+				    "proto=%u\n", match->family);
 		return false;
 	}
 	return true;
Index: linux-2.6/net/netfilter/xt_conntrack.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_conntrack.c
+++ linux-2.6/net/netfilter/xt_conntrack.c
@@ -117,7 +117,7 @@ conntrack_mt_check(const char *tablename
 {
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", match->family);
+				    "proto=%u\n", match->family);
 		return false;
 	}
 	return true;
Index: linux-2.6/net/netfilter/xt_helper.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_helper.c
+++ linux-2.6/net/netfilter/xt_helper.c
@@ -66,7 +66,7 @@ helper_mt_check(const char *tablename, c
 
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", match->family);
+				    "proto=%u\n", match->family);
 		return false;
 	}
 	info->name[29] = '\0';
Index: linux-2.6/net/netfilter/xt_state.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_state.c
+++ linux-2.6/net/netfilter/xt_state.c
@@ -47,7 +47,7 @@ state_mt_check(const char *tablename, co
 {
 	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 		printk(KERN_WARNING "can't load conntrack support for "
-				    "proto=%d\n", match->family);
+				    "proto=%u\n", match->family);
 		return false;
 	}
 	return true;



* [PATCH 2/7] Introduce nf_inet_address
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
@ 2007-12-07  2:36 ` Jan Engelhardt
  2007-12-11 10:16   ` Patrick McHardy
  2007-12-07  2:40 ` [PATCH 3/7] xt_connlimit rev 1 Jan Engelhardt
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:36 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


A few netfilter modules provide their own union of IPv4 and IPv6
address storage. This patch series will unify that.

(1/4): Rename union nf_conntrack_address to union nf_inet_addr and
move it to x_tables.h.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/nf_conntrack_h323.h |    6 ++--
 include/linux/netfilter/x_tables.h          |    6 ++++
 include/net/netfilter/nf_conntrack_expect.h |    4 +--
 include/net/netfilter/nf_conntrack_tuple.h  |   17 ++++----------
 net/ipv4/netfilter/nf_nat_h323.c            |   10 ++++----
 net/netfilter/nf_conntrack_expect.c         |    4 +--
 net/netfilter/nf_conntrack_ftp.c            |    2 -
 net/netfilter/nf_conntrack_h323_main.c      |   34 ++++++++++++++--------------
 net/netfilter/nf_conntrack_sip.c            |    8 +++---
 net/netfilter/xt_connlimit.c                |   20 ++++++++--------
 10 files changed, 55 insertions(+), 56 deletions(-)

Index: linux-2.6/include/linux/netfilter/nf_conntrack_h323.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/nf_conntrack_h323.h
+++ linux-2.6/include/linux/netfilter/nf_conntrack_h323.h
@@ -31,7 +31,7 @@ struct nf_conn;
 
 extern int get_h225_addr(struct nf_conn *ct, unsigned char *data,
 			 TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 *port);
+			 union nf_inet_addr *addr, __be16 *port);
 extern void nf_conntrack_h245_expect(struct nf_conn *new,
 				     struct nf_conntrack_expect *this);
 extern void nf_conntrack_q931_expect(struct nf_conn *new,
@@ -39,12 +39,12 @@ extern void nf_conntrack_q931_expect(str
 extern int (*set_h245_addr_hook) (struct sk_buff *skb,
 				  unsigned char **data, int dataoff,
 				  H245_TransportAddress *taddr,
-				  union nf_conntrack_address *addr,
+				  union nf_inet_addr *addr,
 				  __be16 port);
 extern int (*set_h225_addr_hook) (struct sk_buff *skb,
 				  unsigned char **data, int dataoff,
 				  TransportAddress *taddr,
-				  union nf_conntrack_address *addr,
+				  union nf_inet_addr *addr,
 				  __be16 port);
 extern int (*set_sig_addr_hook) (struct sk_buff *skb,
 				 struct nf_conn *ct,
Index: linux-2.6/include/linux/netfilter/x_tables.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/x_tables.h
+++ linux-2.6/include/linux/netfilter/x_tables.h
@@ -126,6 +126,12 @@ struct xt_counters_info
 
 #define XT_INV_PROTO		0x40	/* Invert the sense of PROTO. */
 
+union nf_inet_addr {
+	u_int32_t all[4];
+	__be32 ip;
+	__be32 ip6[4];
+};
+
 #ifdef __KERNEL__
 
 #include <linux/netdevice.h>
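Review bot: union nf_inet_addr is defined before `#ifdef __KERNEL__`, so it becomes part of the userspace-visible header and, through xt_connlimit_match_info_v1 in patch 3/7, part of the match ABI. That is presumably intended, but it means the member layout (all[4] / ip / ip6[4]) is frozen from now on and any later change needs a new match revision; a one-line comment saying so next to the union would save someone from "tidying" it. The union also uses __be32 and u_int32_t, so this placement relies on x_tables.h already pulling in <linux/types.h> for userspace builds.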
Index: linux-2.6/include/net/netfilter/nf_conntrack_expect.h
===================================================================
--- linux-2.6.orig/include/net/netfilter/nf_conntrack_expect.h
+++ linux-2.6/include/net/netfilter/nf_conntrack_expect.h
@@ -73,8 +73,8 @@ void nf_ct_unexpect_related(struct nf_co
    nf_ct_expect_related.  You will have to call put afterwards. */
 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
 void nf_ct_expect_init(struct nf_conntrack_expect *, int,
-		       union nf_conntrack_address *,
-		       union nf_conntrack_address *,
+		       union nf_inet_addr *,
+		       union nf_inet_addr *,
 		       u_int8_t, __be16 *, __be16 *);
 void nf_ct_expect_put(struct nf_conntrack_expect *exp);
 int nf_ct_expect_related(struct nf_conntrack_expect *expect);
Index: linux-2.6/include/net/netfilter/nf_conntrack_tuple.h
===================================================================
--- linux-2.6.orig/include/net/netfilter/nf_conntrack_tuple.h
+++ linux-2.6/include/net/netfilter/nf_conntrack_tuple.h
@@ -10,6 +10,7 @@
 #ifndef _NF_CONNTRACK_TUPLE_H
 #define _NF_CONNTRACK_TUPLE_H
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 
 /* A `tuple' is a structure containing the information to uniquely
@@ -20,15 +21,7 @@
   "non-manipulatable" lines, for the benefit of the NAT code.
 */
 
-#define NF_CT_TUPLE_L3SIZE	4
-
-/* The l3 protocol-specific manipulable parts of the tuple: always in
-   network order! */
-union nf_conntrack_address {
-	u_int32_t all[NF_CT_TUPLE_L3SIZE];
-	__be32 ip;
-	__be32 ip6[4];
-};
+#define NF_CT_TUPLE_L3SIZE	ARRAY_SIZE(((union nf_inet_addr *)NULL)->all)
 
 /* The protocol-specific manipulable parts of the tuple: always in
    network order! */
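Review bot: the "always in network order!" comment that documented union nf_conntrack_address is deleted with it and does not reappear next to union nf_inet_addr in the x_tables.h hunk; please move it along with the union, since the byte-order contract is the non-obvious part. The new `#define NF_CT_TUPLE_L3SIZE ARRAY_SIZE(((union nf_inet_addr *)NULL)->all)` also needs ARRAY_SIZE from <linux/kernel.h> to be visible wherever this header is used, and nothing in the hunk adds that include; given that the union in x_tables.h hard-codes 4 in both all[4] and ip6[4] anyway, keeping the literal 4 (or defining the size once and using it in the union) would be simpler than deriving it through a NULL pointer.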
@@ -57,7 +50,7 @@ union nf_conntrack_man_proto
 /* The manipulable part of the tuple. */
 struct nf_conntrack_man
 {
-	union nf_conntrack_address u3;
+	union nf_inet_addr u3;
 	union nf_conntrack_man_proto u;
 	/* Layer 3 protocol */
 	u_int16_t l3num;
@@ -70,7 +63,7 @@ struct nf_conntrack_tuple
 
 	/* These are the parts of the tuple which are fixed. */
 	struct {
-		union nf_conntrack_address u3;
+		union nf_inet_addr u3;
 		union {
 			/* Add other protocols here. */
 			__be16 all;
@@ -103,7 +96,7 @@ struct nf_conntrack_tuple
 struct nf_conntrack_tuple_mask
 {
 	struct {
-		union nf_conntrack_address u3;
+		union nf_inet_addr u3;
 		union nf_conntrack_man_proto u;
 	} src;
 };
Index: linux-2.6/net/ipv4/netfilter/nf_nat_h323.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/nf_nat_h323.c
+++ linux-2.6/net/ipv4/netfilter/nf_nat_h323.c
@@ -76,7 +76,7 @@ static int set_addr(struct sk_buff *skb,
 static int set_h225_addr(struct sk_buff *skb,
 			 unsigned char **data, int dataoff,
 			 TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 port)
+			 union nf_inet_addr *addr, __be16 port)
 {
 	return set_addr(skb, data, dataoff, taddr->ipAddress.ip,
 			addr->ip, port);
@@ -86,7 +86,7 @@ static int set_h225_addr(struct sk_buff 
 static int set_h245_addr(struct sk_buff *skb,
 			 unsigned char **data, int dataoff,
 			 H245_TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 port)
+			 union nf_inet_addr *addr, __be16 port)
 {
 	return set_addr(skb, data, dataoff,
 			taddr->unicastAddress.iPAddress.network,
@@ -103,7 +103,7 @@ static int set_sig_addr(struct sk_buff *
 	int dir = CTINFO2DIR(ctinfo);
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 
 	for (i = 0; i < count; i++) {
 		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port)) {
@@ -155,7 +155,7 @@ static int set_ras_addr(struct sk_buff *
 	int dir = CTINFO2DIR(ctinfo);
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 
 	for (i = 0; i < count; i++) {
 		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
@@ -412,7 +412,7 @@ static int nat_q931(struct sk_buff *skb,
 	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
 	int dir = CTINFO2DIR(ctinfo);
 	u_int16_t nated_port = ntohs(port);
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 
 	/* Set expectations for NAT */
 	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
Index: linux-2.6/net/netfilter/nf_conntrack_expect.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_expect.c
+++ linux-2.6/net/netfilter/nf_conntrack_expect.c
@@ -226,8 +226,8 @@ struct nf_conntrack_expect *nf_ct_expect
 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 
 void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
-		       union nf_conntrack_address *saddr,
-		       union nf_conntrack_address *daddr,
+		       union nf_inet_addr *saddr,
+		       union nf_inet_addr *daddr,
 		       u_int8_t proto, __be16 *src, __be16 *dst)
 {
 	int len;
Index: linux-2.6/net/netfilter/nf_conntrack_ftp.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_ftp.c
+++ linux-2.6/net/netfilter/nf_conntrack_ftp.c
@@ -358,7 +358,7 @@ static int help(struct sk_buff *skb,
 	unsigned int matchlen, matchoff;
 	struct nf_ct_ftp_master *ct_ftp_info = &nfct_help(ct)->help.ct_ftp_info;
 	struct nf_conntrack_expect *exp;
-	union nf_conntrack_address *daddr;
+	union nf_inet_addr *daddr;
 	struct nf_conntrack_man cmd = {};
 	unsigned int i;
 	int found = 0, ends_in_nl;
Index: linux-2.6/net/netfilter/nf_conntrack_h323_main.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_h323_main.c
+++ linux-2.6/net/netfilter/nf_conntrack_h323_main.c
@@ -50,12 +50,12 @@ MODULE_PARM_DESC(callforward_filter, "on
 int (*set_h245_addr_hook) (struct sk_buff *skb,
 			   unsigned char **data, int dataoff,
 			   H245_TransportAddress *taddr,
-			   union nf_conntrack_address *addr, __be16 port)
+			   union nf_inet_addr *addr, __be16 port)
 			   __read_mostly;
 int (*set_h225_addr_hook) (struct sk_buff *skb,
 			   unsigned char **data, int dataoff,
 			   TransportAddress *taddr,
-			   union nf_conntrack_address *addr, __be16 port)
+			   union nf_inet_addr *addr, __be16 port)
 			   __read_mostly;
 int (*set_sig_addr_hook) (struct sk_buff *skb,
 			  struct nf_conn *ct,
@@ -214,7 +214,7 @@ static int get_tpkt_data(struct sk_buff 
 /****************************************************************************/
 static int get_h245_addr(struct nf_conn *ct, unsigned char *data,
 			 H245_TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 *port)
+			 union nf_inet_addr *addr, __be16 *port)
 {
 	unsigned char *p;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
@@ -257,7 +257,7 @@ static int expect_rtp_rtcp(struct sk_buf
 	int ret = 0;
 	__be16 port;
 	__be16 rtp_port, rtcp_port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *rtp_exp;
 	struct nf_conntrack_expect *rtcp_exp;
 	typeof(nat_rtp_rtcp_hook) nat_rtp_rtcp;
@@ -330,7 +330,7 @@ static int expect_t120(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_t120_hook) nat_t120;
 
@@ -623,7 +623,7 @@ static struct nf_conntrack_helper nf_con
 /****************************************************************************/
 int get_h225_addr(struct nf_conn *ct, unsigned char *data,
 		  TransportAddress *taddr,
-		  union nf_conntrack_address *addr, __be16 *port)
+		  union nf_inet_addr *addr, __be16 *port)
 {
 	unsigned char *p;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
@@ -662,7 +662,7 @@ static int expect_h245(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_h245_hook) nat_h245;
 
@@ -704,8 +704,8 @@ static int expect_h245(struct sk_buff *s
 
 /* If the calling party is on the same side of the forward-to party,
  * we don't need to track the second call */
-static int callforward_do_filter(union nf_conntrack_address *src,
-				 union nf_conntrack_address *dst,
+static int callforward_do_filter(union nf_inet_addr *src,
+				 union nf_inet_addr *dst,
 				 int family)
 {
 	struct nf_afinfo *afinfo;
@@ -772,7 +772,7 @@ static int expect_callforwarding(struct 
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_callforwarding_hook) nat_callforwarding;
 
@@ -828,7 +828,7 @@ static int process_setup(struct sk_buff 
 	int ret;
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	typeof(set_h225_addr_hook) set_h225_addr;
 
 	pr_debug("nf_ct_q931: Setup\n");
@@ -1200,7 +1200,7 @@ static unsigned char *get_udp_data(struc
 
 /****************************************************************************/
 static struct nf_conntrack_expect *find_expect(struct nf_conn *ct,
-					       union nf_conntrack_address *addr,
+					       union nf_inet_addr *addr,
 					       __be16 port)
 {
 	struct nf_conntrack_expect *exp;
@@ -1242,7 +1242,7 @@ static int expect_q931(struct sk_buff *s
 	int ret = 0;
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_q931_hook) nat_q931;
 
@@ -1311,7 +1311,7 @@ static int process_gcf(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 
 	pr_debug("nf_ct_ras: GCF\n");
@@ -1471,7 +1471,7 @@ static int process_arq(struct sk_buff *s
 	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
 	int dir = CTINFO2DIR(ctinfo);
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	typeof(set_h225_addr_hook) set_h225_addr;
 
 	pr_debug("nf_ct_ras: ARQ\n");
@@ -1513,7 +1513,7 @@ static int process_acf(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(set_sig_addr_hook) set_sig_addr;
 
@@ -1576,7 +1576,7 @@ static int process_lcf(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 
 	pr_debug("nf_ct_ras: LCF\n");
Index: linux-2.6/net/netfilter/nf_conntrack_sip.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_sip.c
+++ linux-2.6/net/netfilter/nf_conntrack_sip.c
@@ -247,7 +247,7 @@ static int skp_digits_len(struct nf_conn
 }
 
 static int parse_addr(struct nf_conn *ct, const char *cp, const char **endp,
-		      union nf_conntrack_address *addr, const char *limit)
+		      union nf_inet_addr *addr, const char *limit)
 {
 	const char *end;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
@@ -275,7 +275,7 @@ static int parse_addr(struct nf_conn *ct
 static int epaddr_len(struct nf_conn *ct, const char *dptr,
 		      const char *limit, int *shift)
 {
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	const char *aux = dptr;
 
 	if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
@@ -366,7 +366,7 @@ EXPORT_SYMBOL_GPL(ct_sip_get_info);
 static int set_expected_rtp(struct sk_buff *skb,
 			    struct nf_conn *ct,
 			    enum ip_conntrack_info ctinfo,
-			    union nf_conntrack_address *addr,
+			    union nf_inet_addr *addr,
 			    __be16 port,
 			    const char *dptr)
 {
@@ -403,7 +403,7 @@ static int sip_help(struct sk_buff *skb,
 		    enum ip_conntrack_info ctinfo)
 {
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	unsigned int dataoff, datalen;
 	const char *dptr;
 	int ret = NF_ACCEPT;
Index: linux-2.6/net/netfilter/xt_connlimit.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connlimit.c
+++ linux-2.6/net/netfilter/xt_connlimit.c
@@ -53,10 +53,10 @@ static inline unsigned int connlimit_iph
 }
 
 static inline unsigned int
-connlimit_iphash6(const union nf_conntrack_address *addr,
-                  const union nf_conntrack_address *mask)
+connlimit_iphash6(const union nf_inet_addr *addr,
+                  const union nf_inet_addr *mask)
 {
-	union nf_conntrack_address res;
+	union nf_inet_addr res;
 	unsigned int i;
 
 	if (unlikely(!connlimit_rnd_inited)) {
@@ -81,14 +81,14 @@ static inline bool already_closed(const 
 }
 
 static inline unsigned int
-same_source_net(const union nf_conntrack_address *addr,
-		const union nf_conntrack_address *mask,
-		const union nf_conntrack_address *u3, unsigned int family)
+same_source_net(const union nf_inet_addr *addr,
+		const union nf_inet_addr *mask,
+		const union nf_inet_addr *u3, unsigned int family)
 {
 	if (family == AF_INET) {
 		return (addr->ip & mask->ip) == (u3->ip & mask->ip);
 	} else {
-		union nf_conntrack_address lh, rh;
+		union nf_inet_addr lh, rh;
 		unsigned int i;
 
 		for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i) {
@@ -102,8 +102,8 @@ same_source_net(const union nf_conntrack
 
 static int count_them(struct xt_connlimit_data *data,
 		      const struct nf_conntrack_tuple *tuple,
-		      const union nf_conntrack_address *addr,
-		      const union nf_conntrack_address *mask,
+		      const union nf_inet_addr *addr,
+		      const union nf_inet_addr *mask,
 		      const struct xt_match *match)
 {
 	struct nf_conntrack_tuple_hash *found;
@@ -185,7 +185,7 @@ connlimit_mt(const struct sk_buff *skb, 
              bool *hotdrop)
 {
 	const struct xt_connlimit_info *info = matchinfo;
-	union nf_conntrack_address addr, mask;
+	union nf_inet_addr addr, mask;
 	struct nf_conntrack_tuple tuple;
 	const struct nf_conntrack_tuple *tuple_ptr = &tuple;
 	enum ip_conntrack_info ctinfo;


* [PATCH 3/7] xt_connlimit rev 1
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
  2007-12-07  2:36 ` [PATCH 2/7] Introduce nf_inet_address Jan Engelhardt
@ 2007-12-07  2:40 ` Jan Engelhardt
  2007-12-11 10:19   ` Patrick McHardy
  2007-12-07  2:41 ` [PATCH 4/7] xt_mark match rev 1 Jan Engelhardt
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:40 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Make xt_connlimit use the new union nf_inet_addr in revision 1.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_connlimit.h |   10 ++
 net/netfilter/xt_connlimit.c           |  153 +++++++++++++++++++++++++++------
 2 files changed, 136 insertions(+), 27 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_connlimit.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_connlimit.h
+++ linux-2.6/include/linux/netfilter/xt_connlimit.h
@@ -1,6 +1,8 @@
 #ifndef _XT_CONNLIMIT_H
 #define _XT_CONNLIMIT_H
 
+#include <linux/netfilter/x_tables.h>
+
 struct xt_connlimit_data;
 
 struct xt_connlimit_info {
@@ -14,4 +16,12 @@ struct xt_connlimit_info {
 	struct xt_connlimit_data *data __attribute__((aligned(8)));
 };
 
+struct xt_connlimit_match_info_v1 {
+	union nf_inet_addr mask;
+	u_int32_t limit;
+	u_int8_t invert;
+
+	struct xt_connlimit_data *data __attribute__((aligned(8)));
+};
+
 #endif /* _XT_CONNLIMIT_H */
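Review bot: the new structure's name, xt_connlimit_match_info_v1, does not follow the existing xt_connlimit_info naming, and patch 4/7 introduces xt_mark_match_info with no revision suffix at all; the series should settle on one convention. Also, with `u_int8_t invert` at offset 20 followed by the aligned(8) `data` pointer at offset 24, there are 3 bytes of implicit padding that iptables has to fill; since this struct crosses the userspace boundary and is meant to be the "fixed types" revision, consider making that padding explicit so the layout is unambiguous.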
Index: linux-2.6/net/netfilter/xt_connlimit.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connlimit.c
+++ linux-2.6/net/netfilter/xt_connlimit.c
@@ -179,10 +179,10 @@ static int count_them(struct xt_connlimi
 }
 
 static bool
-connlimit_mt(const struct sk_buff *skb, const struct net_device *in,
-             const struct net_device *out, const struct xt_match *match,
-             const void *matchinfo, int offset, unsigned int protoff,
-             bool *hotdrop)
+connlimit_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+                const struct net_device *out, const struct xt_match *match,
+                const void *matchinfo, int offset, unsigned int protoff,
+                bool *hotdrop)
 {
 	const struct xt_connlimit_info *info = matchinfo;
 	union nf_inet_addr addr, mask;
@@ -227,57 +227,155 @@ connlimit_mt(const struct sk_buff *skb, 
 }
 
 static bool
-connlimit_mt_check(const char *tablename, const void *ip,
-                   const struct xt_match *match, void *matchinfo,
-                   unsigned int hook_mask)
+connlimit_mt(const struct sk_buff *skb, const struct net_device *in,
+             const struct net_device *out, const struct xt_match *match,
+             const void *matchinfo, int offset, unsigned int protoff,
+             bool *hotdrop)
 {
-	struct xt_connlimit_info *info = matchinfo;
+	const struct xt_connlimit_match_info_v1 *info = matchinfo;
+	struct nf_conntrack_tuple tuple;
+	const struct nf_conntrack_tuple *tuple_ptr = &tuple;
+	enum ip_conntrack_info ctinfo;
+	const struct nf_conn *ct;
+	union nf_inet_addr addr;
+	int connections;
+
+	ct = nf_ct_get(skb, &ctinfo);
+	if (ct != NULL)
+		tuple_ptr = &ct->tuplehash[0].tuple;
+	else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
+				    match->family, &tuple))
+		goto hotdrop;
+
+	if (match->family == AF_INET6) {
+		const struct ipv6hdr *iph = ipv6_hdr(skb);
+		memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr));
+	} else {
+		const struct iphdr *iph = ip_hdr(skb);
+		addr.ip = iph->saddr;
+	}
+
+	spin_lock_bh(&info->data->lock);
+	connections = count_them(info->data, tuple_ptr, &addr,
+	                         &info->mask, match);
+	spin_unlock_bh(&info->data->lock);
+
+	if (connections < 0) {
+		/* kmalloc failed, drop it entirely */
+		*hotdrop = true;
+		return false;
+	}
+
+	return (connections > info->limit) ^ info->invert;
+
+ hotdrop:
+	*hotdrop = true;
+	return false;
+}
+
+static struct xt_connlimit_data *
+connlimit_mt_check_generic(unsigned int family)
+{
+	struct xt_connlimit_data *data;
 	unsigned int i;
 
-	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+	if (nf_ct_l3proto_try_module_get(family) < 0) {
 		printk(KERN_WARNING "cannot load conntrack support for "
-		       "address family %u\n", match->family);
-		return false;
+		       "address family %u\n", family);
+		return NULL;
 	}
 
 	/* init private data */
-	info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
-	if (info->data == NULL) {
-		nf_ct_l3proto_module_put(match->family);
-		return false;
+	data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
+	if (data == NULL) {
+		nf_ct_l3proto_module_put(family);
+		return NULL;
 	}
 
-	spin_lock_init(&info->data->lock);
-	for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
-		INIT_LIST_HEAD(&info->data->iphash[i]);
+	spin_lock_init(&data->lock);
+	for (i = 0; i < ARRAY_SIZE(data->iphash); ++i)
+		INIT_LIST_HEAD(&data->iphash[i]);
 
-	return true;
+	return data;;
 }
 
-static void
-connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
+static bool
+connlimit_mt_check_v0(const char *tablename, const void *ip,
+                      const struct xt_match *match, void *matchinfo,
+                      unsigned int hook_mask)
 {
 	struct xt_connlimit_info *info = matchinfo;
+	info->data = connlimit_mt_check_generic(match->family);
+	return info->data != NULL;
+}
+
+static bool
+connlimit_mt_check(const char *tablename, const void *ip,
+                   const struct xt_match *match, void *matchinfo,
+                   unsigned int hook_mask)
+{
+	struct xt_connlimit_match_info_v1 *info = matchinfo;
+	info->data = connlimit_mt_check_generic(match->family);
+	return info->data != NULL;
+}
+
+static void
+connlimit_mt_destroy_generic(struct xt_connlimit_data *data)
+{
 	struct xt_connlimit_conn *conn;
 	struct xt_connlimit_conn *tmp;
-	struct list_head *hash = info->data->iphash;
+	struct list_head *hash = data->iphash;
 	unsigned int i;
 
-	nf_ct_l3proto_module_put(match->family);
-
-	for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) {
+	for (i = 0; i < ARRAY_SIZE(data->iphash); ++i)
 		list_for_each_entry_safe(conn, tmp, &hash[i], list) {
 			list_del(&conn->list);
 			kfree(conn);
 		}
-	}
 
-	kfree(info->data);
+	kfree(data);
+}
+
+static void
+connlimit_mt_destroy_v0(const struct xt_match *match, void *matchinfo)
+{
+	struct xt_connlimit_info *info = matchinfo;
+	nf_ct_l3proto_module_put(match->family);
+	connlimit_mt_destroy_generic(info->data);
+}
+
+static void
+connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
+{
+	struct xt_connlimit_match_info_v1 *info = matchinfo;
+	nf_ct_l3proto_module_put(match->family);
+	connlimit_mt_destroy_generic(info->data);
 }
 
 static struct xt_match connlimit_mt_reg[] __read_mostly = {
 	{
 		.name       = "connlimit",
+		.revision   = 0,
+		.family     = AF_INET,
+		.checkentry = connlimit_mt_check_v0,
+		.match      = connlimit_mt_v0,
+		.matchsize  = sizeof(struct xt_connlimit_info),
+		.destroy    = connlimit_mt_destroy_v0,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "connlimit",
+		.revision   = 0,
+		.family     = AF_INET6,
+		.checkentry = connlimit_mt_check_v0,
+		.match      = connlimit_mt_v0,
+		.matchsize  = sizeof(struct xt_connlimit_info),
+		.destroy    = connlimit_mt_destroy_v0,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "connlimit",
+		.revision   = 1,
 		.family     = AF_INET,
 		.checkentry = connlimit_mt_check,
 		.match      = connlimit_mt,
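Review bot: the two revision 1 registrations at the end of this hunk only gain `.revision = 1`; their `.matchsize` lines are unchanged context and therefore still read sizeof(struct xt_connlimit_info), while connlimit_mt and connlimit_mt_check now interpret matchinfo as struct xt_connlimit_match_info_v1. Set `.matchsize = sizeof(struct xt_connlimit_match_info_v1)` on both the AF_INET and AF_INET6 revision 1 entries so the size check in xt_check_match validates the structure that is actually used, rather than relying on the two structs happening to have the same size. Two smaller points in the same hunk: `return (connections > info->limit) ^ info->invert;` trusts the userspace-supplied invert to be 0 or 1 (any other value makes the match unconditionally true once converted to bool), and neither connlimit_mt_check nor connlimit_mt_check_generic rejects other values; and `return data;;` has a stray semicolon.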
@@ -287,6 +385,7 @@ static struct xt_match connlimit_mt_reg[
 	},
 	{
 		.name       = "connlimit",
+		.revision   = 1,
 		.family     = AF_INET6,
 		.checkentry = connlimit_mt_check,
 		.match      = connlimit_mt,


* [PATCH 4/7] xt_mark match rev 1
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
  2007-12-07  2:36 ` [PATCH 2/7] Introduce nf_inet_address Jan Engelhardt
  2007-12-07  2:40 ` [PATCH 3/7] xt_connlimit rev 1 Jan Engelhardt
@ 2007-12-07  2:41 ` Jan Engelhardt
  2007-12-11 10:25   ` Patrick McHardy
  2007-12-07  2:41 ` [PATCH 5/7] xt_MARK target rev 2 Jan Engelhardt
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:41 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Introduce the xt_mark match revision 1. It uses fixed types,
with the goal of obsoleting revision 0 (which uses nonfixed types) some day.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_mark.h |    5 +++
 net/netfilter/xt_mark.c           |   53 +++++++++++++++++++++++++++++---------
 2 files changed, 46 insertions(+), 12 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_mark.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_mark.h
+++ linux-2.6/include/linux/netfilter/xt_mark.h
@@ -6,4 +6,9 @@ struct xt_mark_info {
     u_int8_t invert;
 };
 
+struct xt_mark_match_info {
+	u_int32_t mark, mask;
+	u_int8_t invert;
+};
+
 #endif /*_XT_MARK_H*/
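Review bot: xt_mark_match_info carries no revision marker in its name while patch 3/7 uses xt_connlimit_match_info_v1; the two should agree, and a name that can later grow a revision 2 avoids confusion with the existing xt_mark_info. The layout (two u_int32_t plus one u_int8_t) is identical on 32- and 64-bit, which is exactly what makes the compat_* helpers of revision 0 unnecessary here; a short comment stating that this is the point of the revision would help whoever next touches the header. Note the 3 trailing padding bytes after `invert`, which userspace must zero for rule comparison to work reliably.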
Index: linux-2.6/net/netfilter/xt_mark.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_mark.c
+++ linux-2.6/net/netfilter/xt_mark.c
@@ -20,19 +20,30 @@ MODULE_ALIAS("ipt_mark");
 MODULE_ALIAS("ip6t_mark");
 
 static bool
+mark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+           const struct net_device *out, const struct xt_match *match,
+           const void *matchinfo, int offset, unsigned int protoff,
+           bool *hotdrop)
+{
+	const struct xt_mark_info *info = matchinfo;
+
+	return ((skb->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
 mark_mt(const struct sk_buff *skb, const struct net_device *in,
         const struct net_device *out, const struct xt_match *match,
         const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
 {
-	const struct xt_mark_info *info = matchinfo;
+	const struct xt_mark_match_info *info = matchinfo;
 
 	return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
 
 static bool
-mark_mt_check(const char *tablename, const void *entry,
-              const struct xt_match *match, void *matchinfo,
-              unsigned int hook_mask)
+mark_mt_check_v0(const char *tablename, const void *entry,
+                 const struct xt_match *match, void *matchinfo,
+                 unsigned int hook_mask)
 {
 	const struct xt_mark_info *minfo = matchinfo;
 
@@ -51,7 +62,7 @@ struct compat_xt_mark_info {
 	u_int16_t	__pad2;
 };
 
-static void mark_mt_compat_from_user(void *dst, void *src)
+static void mark_mt_compat_from_user_v0(void *dst, void *src)
 {
 	const struct compat_xt_mark_info *cm = src;
 	struct xt_mark_info m = {
@@ -62,7 +73,7 @@ static void mark_mt_compat_from_user(voi
 	memcpy(dst, &m, sizeof(m));
 }
 
-static int mark_mt_compat_to_user(void __user *dst, void *src)
+static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
 {
 	const struct xt_mark_info *m = src;
 	struct compat_xt_mark_info cm = {
@@ -77,25 +88,43 @@ static int mark_mt_compat_to_user(void _
 static struct xt_match mark_mt_reg[] __read_mostly = {
 	{
 		.name		= "mark",
+		.revision	= 0,
 		.family		= AF_INET,
-		.checkentry	= mark_mt_check,
-		.match		= mark_mt,
+		.checkentry	= mark_mt_check_v0,
+		.match		= mark_mt_v0,
 		.matchsize	= sizeof(struct xt_mark_info),
 #ifdef CONFIG_COMPAT
 		.compatsize	= sizeof(struct compat_xt_mark_info),
-		.compat_from_user = mark_mt_compat_from_user,
-		.compat_to_user	= mark_mt_compat_to_user,
+		.compat_from_user = mark_mt_compat_from_user_v0,
+		.compat_to_user	= mark_mt_compat_to_user_v0,
 #endif
 		.me		= THIS_MODULE,
 	},
 	{
 		.name		= "mark",
+		.revision	= 0,
 		.family		= AF_INET6,
-		.checkentry	= mark_mt_check,
-		.match		= mark_mt,
+		.checkentry	= mark_mt_check_v0,
+		.match		= mark_mt_v0,
 		.matchsize	= sizeof(struct xt_mark_info),
 		.me		= THIS_MODULE,
 	},
+	{
+		.name      = "mark",
+		.revision  = 1,
+		.family    = AF_INET,
+		.match     = mark_mt,
+		.matchsize = sizeof(struct xt_mark_match_info),
+		.me        = THIS_MODULE,
+	},
+	{
+		.name      = "mark",
+		.revision  = 1,
+		.family    = AF_INET6,
+		.match     = mark_mt,
+		.matchsize = sizeof(struct xt_mark_match_info),
+		.me        = THIS_MODULE,
+	},
 };
 
 static int __init mark_mt_init(void)
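Review bot: the two revision-1 entries align their initialisers with spaces while the revision-0 entries directly above use tabs; keep them in the same style. Leaving out .checkentry and the CONFIG_COMPAT handlers for revision 1 is consistent with the new struct: xt_mark_match_info is made only of u_int32_t and u_int8_t fields, so it has the same size and layout for 32-bit and 64-bit userspace and needs no translation.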


* [PATCH 5/7] xt_MARK target rev 2
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
                   ` (2 preceding siblings ...)
  2007-12-07  2:41 ` [PATCH 4/7] xt_mark match rev 1 Jan Engelhardt
@ 2007-12-07  2:41 ` Jan Engelhardt
  2007-12-11 10:27   ` Patrick McHardy
  2007-12-07  2:42 ` [PATCH 6/7] xt_connmark rev 1 Jan Engelhardt
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:41 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Introduce the xt_MARK target revision 2. It uses fixed types, with the
goal of obsoleting revisions 0 and 1 some day (which use nonfixed types).
xt_MARK rev 2 also uses more expressive XOR logic.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_MARK.h |    4 ++
 net/netfilter/xt_MARK.c           |   51 +++++++++++++++++++++++++++++---------
 2 files changed, 43 insertions(+), 12 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_MARK.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_MARK.h
+++ linux-2.6/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
 	u_int8_t mode;
 };
 
+struct xt_mark_target_info_v2 {
+	u_int32_t mark, mask;
+};
+
 #endif /*_XT_MARK_H_target */
Index: linux-2.6/net/netfilter/xt_MARK.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_MARK.c
+++ linux-2.6/net/netfilter/xt_MARK.c
@@ -33,9 +33,9 @@ mark_tg_v0(struct sk_buff *skb, const st
 }
 
 static unsigned int
-mark_tg(struct sk_buff *skb, const struct net_device *in,
-        const struct net_device *out, unsigned int hooknum,
-        const struct xt_target *target, const void *targinfo)
+mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
+           const struct net_device *out, unsigned int hooknum,
+           const struct xt_target *target, const void *targinfo)
 {
 	const struct xt_mark_target_info_v1 *markinfo = targinfo;
 	int mark = 0;
@@ -58,6 +58,17 @@ mark_tg(struct sk_buff *skb, const struc
 	return XT_CONTINUE;
 }
 
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct net_device *in,
+        const struct net_device *out, unsigned int hooknum,
+        const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_mark_target_info_v2 *info = targinfo;
+
+	skb->mark = (skb->mark & info->mask) ^ info->mark;
+	return XT_CONTINUE;
+}
+
 static bool
 mark_tg_check_v0(const char *tablename, const void *entry,
                  const struct xt_target *target, void *targinfo,
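Review bot: the mask semantics of the new mark_tg are undocumented: `skb->mark = (skb->mark & info->mask) ^ info->mark;` keeps the bits that are set in mask and XORs the value in afterwards, so a bit is cleared by leaving it out of mask. Since the changelog only says "more expressive XOR logic", a one-line comment above the assignment stating which convention mask follows (bits kept, not bits cleared) would spare userspace authors from reverse-engineering it.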
@@ -73,9 +84,9 @@ mark_tg_check_v0(const char *tablename, 
 }
 
 static bool
-mark_tg_check(const char *tablename, const void *entry,
-              const struct xt_target *target, void *targinfo,
-              unsigned int hook_mask)
+mark_tg_check_v1(const char *tablename, const void *entry,
+                 const struct xt_target *target, void *targinfo,
+                 unsigned int hook_mask)
 {
 	const struct xt_mark_target_info_v1 *markinfo = targinfo;
 
@@ -101,7 +112,7 @@ struct compat_xt_mark_target_info_v1 {
 	u_int16_t	__pad2;
 };
 
-static void mark_tg_compat_from_user(void *dst, void *src)
+static void mark_tg_compat_from_user_v1(void *dst, void *src)
 {
 	const struct compat_xt_mark_target_info_v1 *cm = src;
 	struct xt_mark_target_info_v1 m = {
@@ -111,7 +122,7 @@ static void mark_tg_compat_from_user(voi
 	memcpy(dst, &m, sizeof(m));
 }
 
-static int mark_tg_compat_to_user(void __user *dst, void *src)
+static int mark_tg_compat_to_user_v1(void __user *dst, void *src)
 {
 	const struct xt_mark_target_info_v1 *m = src;
 	struct compat_xt_mark_target_info_v1 cm = {
@@ -137,13 +148,13 @@ static struct xt_target mark_tg_reg[] __
 		.name		= "MARK",
 		.family		= AF_INET,
 		.revision	= 1,
-		.checkentry	= mark_tg_check,
-		.target		= mark_tg,
+		.checkentry	= mark_tg_check_v1,
+		.target		= mark_tg_v1,
 		.targetsize	= sizeof(struct xt_mark_target_info_v1),
 #ifdef CONFIG_COMPAT
 		.compatsize	= sizeof(struct compat_xt_mark_target_info_v1),
-		.compat_from_user = mark_tg_compat_from_user,
-		.compat_to_user	= mark_tg_compat_to_user,
+		.compat_from_user = mark_tg_compat_from_user_v1,
+		.compat_to_user	= mark_tg_compat_to_user_v1,
 #endif
 		.table		= "mangle",
 		.me		= THIS_MODULE,
@@ -158,6 +169,22 @@ static struct xt_target mark_tg_reg[] __
 		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
+	{
+		.name       = "MARK",
+		.revision   = 2,
+		.family     = AF_INET,
+		.target     = mark_tg,
+		.targetsize = sizeof(struct xt_mark_target_info_v2),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "MARK",
+		.revision   = 2,
+		.family     = AF_INET6,
+		.target     = mark_tg,
+		.targetsize = sizeof(struct xt_mark_target_info_v2),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init mark_tg_init(void)
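Review bot: the revision-2 entries drop the `.table = "mangle"` restriction that the revision-1 entries carry in the context lines above; if rev 2 is intentionally usable outside the mangle table, say so in the changelog, otherwise add the field back. The new entries also use space alignment where the existing ones use tabs.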


* [PATCH 6/7] xt_connmark rev 1
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
                   ` (3 preceding siblings ...)
  2007-12-07  2:41 ` [PATCH 5/7] xt_MARK target rev 2 Jan Engelhardt
@ 2007-12-07  2:42 ` Jan Engelhardt
  2007-12-07  2:42 ` [PATCH 7/7] xt_CONNMARK " Jan Engelhardt
  2007-12-11 10:13 ` [PATCH 1/7] Use %u format specifiers Patrick McHardy
  6 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:42 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Introduce the xt_connmark match revision 1. It uses fixed types,
with the goal of obsoleting revision 0 some day (uses nonfixed types).

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_connmark.h |    5 ++
 net/netfilter/xt_connmark.c           |   74 ++++++++++++++++++++++++++++------
 2 files changed, 68 insertions(+), 11 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_connmark.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_connmark.h
+++ linux-2.6/include/linux/netfilter/xt_connmark.h
@@ -15,4 +15,9 @@ struct xt_connmark_info {
 	u_int8_t invert;
 };
 
+struct xt_connmark_match_info {
+	u_int32_t mark, mask;
+	u_int8_t invert;
+};
+
 #endif /*_XT_CONNMARK_H*/
Index: linux-2.6/net/netfilter/xt_connmark.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connmark.c
+++ linux-2.6/net/netfilter/xt_connmark.c
@@ -37,6 +37,23 @@ connmark_mt(const struct sk_buff *skb, c
             const void *matchinfo, int offset, unsigned int protoff,
             bool *hotdrop)
 {
+	const struct xt_connmark_match_info *info = matchinfo;
+	enum ip_conntrack_info ctinfo;
+	const struct nf_conn *ct;
+
+	ct = nf_ct_get(skb, &ctinfo);
+	if (ct == NULL)
+		return false;
+
+	return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static bool
+connmark_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+               const struct net_device *out, const struct xt_match *match,
+               const void *matchinfo, int offset, unsigned int protoff,
+               bool *hotdrop)
+{
 	const struct xt_connmark_info *info = matchinfo;
 	const struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
@@ -49,9 +66,9 @@ connmark_mt(const struct sk_buff *skb, c
 }
 
 static bool
-connmark_mt_check(const char *tablename, const void *ip,
-                  const struct xt_match *match, void *matchinfo,
-                  unsigned int hook_mask)
+connmark_mt_check_v0(const char *tablename, const void *ip,
+                     const struct xt_match *match, void *matchinfo,
+                     unsigned int hook_mask)
 {
 	const struct xt_connmark_info *cm = matchinfo;
 
@@ -67,6 +84,19 @@ connmark_mt_check(const char *tablename,
 	return true;
 }
 
+static bool
+connmark_mt_check(const char *tablename, const void *ip,
+                  const struct xt_match *match, void *matchinfo,
+                  unsigned int hook_mask)
+{
+	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+		printk(KERN_WARNING "cannot load conntrack support for "
+		       "proto=%u\n", match->family);
+		return false;
+	}
+	return true;
+}
+
 static void
 connmark_mt_destroy(const struct xt_match *match, void *matchinfo)
 {
@@ -81,7 +111,7 @@ struct compat_xt_connmark_info {
 	u_int16_t	__pad2;
 };
 
-static void connmark_mt_compat_from_user(void *dst, void *src)
+static void connmark_mt_compat_from_user_v0(void *dst, void *src)
 {
 	const struct compat_xt_connmark_info *cm = src;
 	struct xt_connmark_info m = {
@@ -92,7 +122,7 @@ static void connmark_mt_compat_from_user
 	memcpy(dst, &m, sizeof(m));
 }
 
-static int connmark_mt_compat_to_user(void __user *dst, void *src)
+static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
 {
 	const struct xt_connmark_info *m = src;
 	struct compat_xt_connmark_info cm = {
@@ -107,27 +137,49 @@ static int connmark_mt_compat_to_user(vo
 static struct xt_match connmark_mt_reg[] __read_mostly = {
 	{
 		.name		= "connmark",
+		.revision	= 0,
 		.family		= AF_INET,
-		.checkentry	= connmark_mt_check,
-		.match		= connmark_mt,
+		.checkentry	= connmark_mt_check_v0,
+		.match		= connmark_mt_v0,
 		.destroy	= connmark_mt_destroy,
 		.matchsize	= sizeof(struct xt_connmark_info),
 #ifdef CONFIG_COMPAT
 		.compatsize	= sizeof(struct compat_xt_connmark_info),
-		.compat_from_user = connmark_mt_compat_from_user,
-		.compat_to_user	= connmark_mt_compat_to_user,
+		.compat_from_user = connmark_mt_compat_from_user_v0,
+		.compat_to_user	= connmark_mt_compat_to_user_v0,
 #endif
 		.me		= THIS_MODULE
 	},
 	{
 		.name		= "connmark",
+		.revision	= 0,
 		.family		= AF_INET6,
-		.checkentry	= connmark_mt_check,
-		.match		= connmark_mt,
+		.checkentry	= connmark_mt_check_v0,
+		.match		= connmark_mt_v0,
 		.destroy	= connmark_mt_destroy,
 		.matchsize	= sizeof(struct xt_connmark_info),
 		.me		= THIS_MODULE
 	},
+	{
+		.name       = "connmark",
+		.revision   = 1,
+		.family     = AF_INET,
+		.checkentry = connmark_mt_check,
+		.match      = connmark_mt,
+		.matchsize  = sizeof(struct xt_connmark_match_info),
+		.destroy    = connmark_mt_destroy,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "connmark",
+		.revision   = 1,
+		.family     = AF_INET6,
+		.checkentry = connmark_mt_check,
+		.match      = connmark_mt,
+		.matchsize  = sizeof(struct xt_connmark_match_info),
+		.destroy    = connmark_mt_destroy,
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init connmark_mt_init(void)
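Review bot: the revision-1 entries use space alignment and place .destroy after .matchsize, unlike the revision-0 entries directly above; keep the style and field order consistent. Keeping .destroy on revision 1 is required, since connmark_mt_check takes an l3proto module reference that has to be dropped when the rule is removed.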


* [PATCH 7/7] xt_CONNMARK rev 1
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
                   ` (4 preceding siblings ...)
  2007-12-07  2:42 ` [PATCH 6/7] xt_connmark rev 1 Jan Engelhardt
@ 2007-12-07  2:42 ` Jan Engelhardt
  2007-12-11 10:13 ` [PATCH 1/7] Use %u format specifiers Patrick McHardy
  6 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-07  2:42 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List


Introduce the xt_CONNMARK target revision 1. It uses fixed types, with
the goal of obsoleting revisions 0 and 1 some day (which use nonfixed
types). xt_CONNMARK rev 1 also uses more expressive XOR logic and
allows selectively picking bits from both the ct mark and the nf mark
in operations.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_CONNMARK.h |    5 +
 net/netfilter/xt_CONNMARK.c           |  103 +++++++++++++++++++++++++++++-----
 2 files changed, 94 insertions(+), 14 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_CONNMARK.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_CONNMARK.h
+++ linux-2.6/include/linux/netfilter/xt_CONNMARK.h
@@ -22,4 +22,9 @@ struct xt_connmark_target_info {
 	u_int8_t mode;
 };
 
+struct xt_connmark_target_info_v2 {
+	u_int32_t ctmark, ctmask, nfmask;
+	u_int8_t mode;
+};
+
 #endif /*_XT_CONNMARK_H_target*/
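Review bot: naming mismatch: the new struct is called xt_connmark_target_info_v2, but the registration hunk below adds it with `.revision = 1`, and the only existing struct is xt_connmark_target_info (revision 0). Name it xt_connmark_target_info_v1 so the struct suffix and the revision agree; the changelog's "obsoleting revision 0 and 1" looks carried over from the xt_MARK patch as well.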
Index: linux-2.6/net/netfilter/xt_CONNMARK.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_CONNMARK.c
+++ linux-2.6/net/netfilter/xt_CONNMARK.c
@@ -34,9 +34,9 @@ MODULE_ALIAS("ip6t_CONNMARK");
 #include <net/netfilter/nf_conntrack_ecache.h>
 
 static unsigned int
-connmark_tg(struct sk_buff *skb, const struct net_device *in,
-            const struct net_device *out, unsigned int hooknum,
-            const struct xt_target *target, const void *targinfo)
+connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
+               const struct net_device *out, unsigned int hooknum,
+               const struct xt_target *target, const void *targinfo)
 {
 	const struct xt_connmark_target_info *markinfo = targinfo;
 	struct nf_conn *ct;
@@ -74,10 +74,50 @@ connmark_tg(struct sk_buff *skb, const s
 	return XT_CONTINUE;
 }
 
+static unsigned int
+connmark_tg(struct sk_buff *skb, const struct net_device *in,
+            const struct net_device *out, unsigned int hooknum,
+            const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_connmark_target_info_v2 *info = targinfo;
+	enum ip_conntrack_info ctinfo;
+	struct nf_conn *ct;
+	u_int32_t newmark;
+
+	ct = nf_ct_get(skb, &ctinfo);
+	if (ct == NULL)
+		return XT_CONTINUE;
+
+	switch (info->mode) {
+		case XT_CONNMARK_SET:
+			newmark = (ct->mark & info->ctmask) ^ info->ctmark;
+			if (ct->mark != newmark) {
+				ct->mark = newmark;
+				nf_conntrack_event_cache(IPCT_MARK, skb);
+			}
+			break;
+		case XT_CONNMARK_SAVE:
+			newmark = (ct->mark & info->ctmask) ^
+			          (skb->mark & info->nfmask);
+			if (ct->mark != newmark) {
+				ct->mark = newmark;
+				nf_conntrack_event_cache(IPCT_MARK, skb);
+			}
+			break;
+		case XT_CONNMARK_RESTORE:
+			newmark = (skb->mark & info->nfmask) ^
+			          (ct->mark & info->ctmask);
+			skb->mark = newmark;
+			break;
+	}
+
+	return XT_CONTINUE;
+}
+
 static bool
-connmark_tg_check(const char *tablename, const void *entry,
-                  const struct xt_target *target, void *targinfo,
-                  unsigned int hook_mask)
+connmark_tg_check_v0(const char *tablename, const void *entry,
+                     const struct xt_target *target, void *targinfo,
+                     unsigned int hook_mask)
 {
 	const struct xt_connmark_target_info *matchinfo = targinfo;
 
@@ -101,6 +141,19 @@ connmark_tg_check(const char *tablename,
 	return true;
 }
 
+static bool
+connmark_tg_check(const char *tablename, const void *entry,
+                  const struct xt_target *target, void *targinfo,
+                  unsigned int hook_mask)
+{
+	if (nf_ct_l3proto_try_module_get(target->family) < 0) {
+		printk(KERN_WARNING "cannot load conntrack support for "
+		       "proto=%u\n", target->family);
+		return false;
+	}
+	return true;
+}
+
 static void
 connmark_tg_destroy(const struct xt_target *target, void *targinfo)
 {
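Review bot: connmark_tg_check only takes the l3proto module reference and does not validate info->mode against XT_CONNMARK_SET/SAVE/RESTORE, so a rule with an out-of-range mode is accepted at insertion time and then becomes a no-op in connmark_tg above. Reject unknown modes here with `return false` so the error surfaces when the rule is loaded.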
@@ -115,7 +168,7 @@ struct compat_xt_connmark_target_info {
 	u_int16_t	__pad2;
 };
 
-static void connmark_tg_compat_from_user(void *dst, void *src)
+static void connmark_tg_compat_from_user_v0(void *dst, void *src)
 {
 	const struct compat_xt_connmark_target_info *cm = src;
 	struct xt_connmark_target_info m = {
@@ -126,7 +179,7 @@ static void connmark_tg_compat_from_user
 	memcpy(dst, &m, sizeof(m));
 }
 
-static int connmark_tg_compat_to_user(void __user *dst, void *src)
+static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
 {
 	const struct xt_connmark_target_info *m = src;
 	struct compat_xt_connmark_target_info cm = {
@@ -141,27 +194,49 @@ static int connmark_tg_compat_to_user(vo
 static struct xt_target connmark_tg_reg[] __read_mostly = {
 	{
 		.name		= "CONNMARK",
+		.revision	= 0,
 		.family		= AF_INET,
-		.checkentry	= connmark_tg_check,
+		.checkentry	= connmark_tg_check_v0,
 		.destroy	= connmark_tg_destroy,
-		.target		= connmark_tg,
+		.target		= connmark_tg_v0,
 		.targetsize	= sizeof(struct xt_connmark_target_info),
 #ifdef CONFIG_COMPAT
 		.compatsize	= sizeof(struct compat_xt_connmark_target_info),
-		.compat_from_user = connmark_tg_compat_from_user,
-		.compat_to_user	= connmark_tg_compat_to_user,
+		.compat_from_user = connmark_tg_compat_from_user_v0,
+		.compat_to_user	= connmark_tg_compat_to_user_v0,
 #endif
 		.me		= THIS_MODULE
 	},
 	{
 		.name		= "CONNMARK",
+		.revision	= 0,
 		.family		= AF_INET6,
-		.checkentry	= connmark_tg_check,
+		.checkentry	= connmark_tg_check_v0,
 		.destroy	= connmark_tg_destroy,
-		.target		= connmark_tg,
+		.target		= connmark_tg_v0,
 		.targetsize	= sizeof(struct xt_connmark_target_info),
 		.me		= THIS_MODULE
 	},
+	{
+		.name       = "CONNMARK",
+		.revision   = 1,
+		.family     = AF_INET,
+		.checkentry = connmark_tg_check,
+		.target     = connmark_tg,
+		.targetsize = sizeof(struct xt_connmark_target_info_v2),
+		.destroy    = connmark_tg_destroy,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "CONNMARK",
+		.revision   = 1,
+		.family     = AF_INET6,
+		.checkentry = connmark_tg_check,
+		.target     = connmark_tg,
+		.targetsize = sizeof(struct xt_connmark_target_info_v2),
+		.destroy    = connmark_tg_destroy,
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init connmark_tg_init(void)

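As an added illustration, not part of Jan Engelhardt's patches, the following user-space C model works through the mask/XOR arithmetic that patch 5/7 (xt_MARK rev 2) and patch 7/7 (xt_CONNMARK rev 1) introduce, including how the older set/and/or/xor modes map onto a single mark/mask pair; struct mark_op, struct mark_state, the mark_op_*() helpers, connmark_run() and the enum numbering are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added user-space model (not kernel code from the patches) of the mark
 * arithmetic in xt_MARK rev 2 and xt_CONNMARK rev 1. struct mark_op,
 * struct mark_state, mark_op_*() and connmark_run() are hypothetical. */

/* xt_MARK rev 2: skb->mark = (skb->mark & mask) ^ mark
 * mask names the bits that survive; mark is XORed in afterwards. */
static uint32_t xt_mark_apply(uint32_t skb_mark, uint32_t mark, uint32_t mask)
{
	return (skb_mark & mask) ^ mark;
}

struct mark_op { uint32_t mark, mask; };

/* The older set/and/or/xor modes expressed as rev 2 mark/mask pairs
 * (constructed mapping; the userspace encoding is not part of the thread). */
static struct mark_op mark_op_set(uint32_t v) { return (struct mark_op){ v, 0 }; }   /* keep none, xor v  */
static struct mark_op mark_op_and(uint32_t v) { return (struct mark_op){ 0, v }; }   /* keep v, xor none  */
static struct mark_op mark_op_or(uint32_t v)  { return (struct mark_op){ v, ~v }; }  /* clear v, then set */
static struct mark_op mark_op_xor(uint32_t v) { return (struct mark_op){ v, ~0u }; } /* keep all, xor v   */

static uint32_t mark_apply_op(uint32_t skb_mark, struct mark_op op)
{
	return xt_mark_apply(skb_mark, op.mark, op.mask);
}

/* xt_CONNMARK rev 1. The enum names are the kernel's (xt_CONNMARK.h);
 * the numbering used here is a placeholder. */
enum { XT_CONNMARK_SET, XT_CONNMARK_SAVE, XT_CONNMARK_RESTORE };

struct connmark_info { uint32_t ctmark, ctmask, nfmask; uint8_t mode; };

/* Everything connmark_tg reads or writes, collected in one value. */
struct mark_state {
	uint32_t ctmark;   /* ct->mark */
	uint32_t nfmark;   /* skb->mark */
	bool has_ct;       /* nf_ct_get() found a conntrack entry */
	bool ct_changed;   /* kernel would queue an IPCT_MARK event */
	int status;        /* 0 = handled, -1 = unknown mode */
};

static struct mark_state connmark_apply(struct mark_state s, struct connmark_info info)
{
	uint32_t newmark;

	s.ct_changed = false;
	s.status = 0;
	if (!s.has_ct)			/* untracked packet: the target is a no-op */
		return s;

	switch (info.mode) {
	case XT_CONNMARK_SET:		/* rewrite ct mark from the rule value */
		newmark = (s.ctmark & info.ctmask) ^ info.ctmark;
		break;
	case XT_CONNMARK_SAVE:		/* fold selected skb bits into ct mark */
		newmark = (s.ctmark & info.ctmask) ^ (s.nfmark & info.nfmask);
		break;
	case XT_CONNMARK_RESTORE:	/* fold selected ct bits into skb mark */
		s.nfmark = (s.nfmark & info.nfmask) ^ (s.ctmark & info.ctmask);
		return s;
	default:			/* the patch has no default; reject here */
		s.status = -1;
		return s;
	}
	if (newmark != s.ctmark) {	/* only signal a change when the value moved */
		s.ctmark = newmark;
		s.ct_changed = true;
	}
	return s;
}

/* Run one CONNMARK operation against a constructed packet/conntrack pair. */
static struct mark_state connmark_run(uint8_t mode, uint32_t ct_mark_now,
				      uint32_t skb_mark_now, uint32_t value,
				      uint32_t ctmask, uint32_t nfmask, bool has_ct)
{
	struct mark_state s = { .ctmark = ct_mark_now, .nfmark = skb_mark_now,
				.has_ct = has_ct };
	struct connmark_info info = { .ctmark = value, .ctmask = ctmask,
				      .nfmask = nfmask, .mode = mode };

	return connmark_apply(s, info);
}

int main(void)
{
	struct mark_state r = connmark_run(XT_CONNMARK_SAVE, 0xAA00, 0x00FF, 0,
					   0xFF00, 0x00FF, true);

	printf("MARK on 0x12: set 0x5 -> 0x%x, and 0x3 -> 0x%x, or 0x1 -> 0x%x, xor 0x10 -> 0x%x\n",
	       mark_apply_op(0x12, mark_op_set(0x5)), mark_apply_op(0x12, mark_op_and(0x3)),
	       mark_apply_op(0x12, mark_op_or(0x1)), mark_apply_op(0x12, mark_op_xor(0x10)));
	printf("CONNMARK save: ct mark 0x%x (changed=%d)\n", r.ctmark, r.ct_changed);
	return 0;
}
```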

* Re: [PATCH 1/7] Use %u format specifiers
  2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
                   ` (5 preceding siblings ...)
  2007-12-07  2:42 ` [PATCH 7/7] xt_CONNMARK " Jan Engelhardt
@ 2007-12-11 10:13 ` Patrick McHardy
  6 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2007-12-11 10:13 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Use %u format specifiers as ->family is unsigned.


Applied, thanks Jan.


* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-07  2:36 ` [PATCH 2/7] Introduce nf_inet_address Jan Engelhardt
@ 2007-12-11 10:16   ` Patrick McHardy
  2007-12-15 12:06     ` Jan Engelhardt
  0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-11 10:16 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> A few netfilter modules provide their own union of IPv4 and IPv6
> address storage. Will unify that in this patch series.
> 
> (1/4): Rename union nf_conntrack_address to union nf_inet_addr and
> move it to x_tables.h.

netfilter.h seems more appropriate for this than x_tables.h,
so I'll move it unless there are good reasons not to.


* Re: [PATCH 3/7] xt_connlimit rev 1
  2007-12-07  2:40 ` [PATCH 3/7] xt_connlimit rev 1 Jan Engelhardt
@ 2007-12-11 10:19   ` Patrick McHardy
  2007-12-15 12:20     ` [PATCH 3/7] Let xt_connlimit use nf_inet_addr Jan Engelhardt
  0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-11 10:19 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Make xt_connlimit use the new union nf_inet_addr in revision 1.


> +struct xt_connlimit_match_info_v1 {
> +	union nf_inet_addr mask;
> +	u_int32_t limit;
> +	u_int8_t invert;
> +
> +	struct xt_connlimit_data *data __attribute__((aligned(8)));
> +};
> +


No way I'm adding patches to introduce new revisions for this,
the layout is exactly the same as before :) There must be
a better way, like an anonymous union:

struct xt_connlimit_info {
	union {
		union nf_inet_addr mask;
		union {
			__be32 v4_mask;
			__be32 v6_mask[4];
		};
	};
	...
};



* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-07  2:41 ` [PATCH 4/7] xt_mark match rev 1 Jan Engelhardt
@ 2007-12-11 10:25   ` Patrick McHardy
  2007-12-15 12:28     ` Jan Engelhardt
  0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-11 10:25 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Introduce the xt_mark match revision 1. It uses fixed types,
> with the goal of obsoleting revision 0 some day (uses nonfixed types).


I don't know. We already have all this compat crap because
we specifically don't want to obsolete old userspace binaries,
so the only benefit I see is a minor decrease in overhead
when loading rules.




* Re: [PATCH 5/7] xt_MARK target rev 2
  2007-12-07  2:41 ` [PATCH 5/7] xt_MARK target rev 2 Jan Engelhardt
@ 2007-12-11 10:27   ` Patrick McHardy
  2007-12-15 13:59     ` Jan Engelhardt
  0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-11 10:27 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Introduce the xt_MARK target revision 2. It uses fixed types, with the
> goal of obsoleting revisions 0 and 1 some day (which use nonfixed types).
> xt_MARK rev 2 also uses more expressive XOR logic.

Can I see a userspace patch for this please? :)

> @@ -158,6 +169,22 @@ static struct xt_target mark_tg_reg[] __
>  		.table		= "mangle",
>  		.me		= THIS_MODULE,
>  	},
> +	{
> +		.name       = "MARK",
> +		.revision   = 2,
> +		.family     = AF_INET,
> +		.target     = mark_tg,
> +		.targetsize = sizeof(struct xt_mark_target_info_v2),
> +		.me         = THIS_MODULE,
> +	},

And please keep this aligned to the already existing ones.


* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-11 10:16   ` Patrick McHardy
@ 2007-12-15 12:06     ` Jan Engelhardt
  2007-12-15 16:21       ` Jan Engelhardt
  2007-12-17 12:28       ` Patrick McHardy
  0 siblings, 2 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 12:06 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 11 2007 11:16, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> A few netfilter modules provide their own union of IPv4 and IPv6
>> address storage. Will unify that in this patch series.
>> 
>> (1/4): Rename union nf_conntrack_address to union nf_inet_addr and
>> move it to x_tables.h.
>
> netfilter.h seems more appropriate for this than x_tables.h,
> so I'll move it unless there are good reasons not to.
>

Userspace iptables does not seem to properly cope with it, though:

In file included from /ws/linux-2.6/include/linux/netfilter_ipv4.h:8,
                 from /ws/linux-2.6/include/linux/netfilter_ipv4/ip_tables.h:26,
                 from include/libiptc/libiptc.h:6,
                 from libiptc/libip4tc.c:29:
/ws/linux-2.6/include/linux/netfilter.h:53: error: expected specifier-qualifier-list before ‘__be32’
make: *** [libiptc/libip4tc.o] Error 1


=== 

A few netfilter modules provide their own union of IPv4 and IPv6
address storage. Will unify that over time.

This patch will rename union nf_conntrack_address to
union nf_inet_addr and move it to <linux/netfilter.h>.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter.h                   |    6 ++++
 include/linux/netfilter/nf_conntrack_h323.h |    6 ++--
 include/net/netfilter/nf_conntrack_expect.h |    4 +--
 include/net/netfilter/nf_conntrack_tuple.h  |   17 ++++----------
 net/ipv4/netfilter/nf_nat_h323.c            |   10 ++++----
 net/netfilter/nf_conntrack_expect.c         |    4 +--
 net/netfilter/nf_conntrack_ftp.c            |    2 -
 net/netfilter/nf_conntrack_h323_main.c      |   34 ++++++++++++++--------------
 net/netfilter/nf_conntrack_sip.c            |    8 +++---
 net/netfilter/xt_connlimit.c                |   20 ++++++++--------
 10 files changed, 55 insertions(+), 56 deletions(-)

Index: linux-2.6/include/linux/netfilter.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter.h
+++ linux-2.6/include/linux/netfilter.h
@@ -48,6 +48,12 @@ enum nf_inet_hooks {
 	NF_INET_NUMHOOKS
 };
 
+union nf_inet_addr {
+	u_int32_t all[4];
+	__be32 ip;
+	__be32 ip6[4];
+};
+
 #ifdef __KERNEL__
 #ifdef CONFIG_NETFILTER
 
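Review bot: the union is placed before `#ifdef __KERNEL__`, so userspace builds of this header see it, yet it uses __be32 and u_int32_t; that is exactly the libiptc failure quoted earlier in this message (netfilter.h:53: expected specifier-qualifier-list before ‘__be32’). Make sure <linux/types.h> is included ahead of this point, or use the exported __u32/__be32 spellings after that include, so the header stays self-contained for userspace.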
Index: linux-2.6/include/linux/netfilter/nf_conntrack_h323.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/nf_conntrack_h323.h
+++ linux-2.6/include/linux/netfilter/nf_conntrack_h323.h
@@ -31,7 +31,7 @@ struct nf_conn;
 
 extern int get_h225_addr(struct nf_conn *ct, unsigned char *data,
 			 TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 *port);
+			 union nf_inet_addr *addr, __be16 *port);
 extern void nf_conntrack_h245_expect(struct nf_conn *new,
 				     struct nf_conntrack_expect *this);
 extern void nf_conntrack_q931_expect(struct nf_conn *new,
@@ -39,12 +39,12 @@ extern void nf_conntrack_q931_expect(str
 extern int (*set_h245_addr_hook) (struct sk_buff *skb,
 				  unsigned char **data, int dataoff,
 				  H245_TransportAddress *taddr,
-				  union nf_conntrack_address *addr,
+				  union nf_inet_addr *addr,
 				  __be16 port);
 extern int (*set_h225_addr_hook) (struct sk_buff *skb,
 				  unsigned char **data, int dataoff,
 				  TransportAddress *taddr,
-				  union nf_conntrack_address *addr,
+				  union nf_inet_addr *addr,
 				  __be16 port);
 extern int (*set_sig_addr_hook) (struct sk_buff *skb,
 				 struct nf_conn *ct,
Index: linux-2.6/include/net/netfilter/nf_conntrack_expect.h
===================================================================
--- linux-2.6.orig/include/net/netfilter/nf_conntrack_expect.h
+++ linux-2.6/include/net/netfilter/nf_conntrack_expect.h
@@ -73,8 +73,8 @@ void nf_ct_unexpect_related(struct nf_co
    nf_ct_expect_related.  You will have to call put afterwards. */
 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
 void nf_ct_expect_init(struct nf_conntrack_expect *, int,
-		       union nf_conntrack_address *,
-		       union nf_conntrack_address *,
+		       union nf_inet_addr *,
+		       union nf_inet_addr *,
 		       u_int8_t, __be16 *, __be16 *);
 void nf_ct_expect_put(struct nf_conntrack_expect *exp);
 int nf_ct_expect_related(struct nf_conntrack_expect *expect);
Index: linux-2.6/include/net/netfilter/nf_conntrack_tuple.h
===================================================================
--- linux-2.6.orig/include/net/netfilter/nf_conntrack_tuple.h
+++ linux-2.6/include/net/netfilter/nf_conntrack_tuple.h
@@ -10,6 +10,7 @@
 #ifndef _NF_CONNTRACK_TUPLE_H
 #define _NF_CONNTRACK_TUPLE_H
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 
 /* A `tuple' is a structure containing the information to uniquely
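Review bot: this adds `#include <linux/netfilter/x_tables.h>` to nf_conntrack_tuple.h, but the changelog says union nf_inet_addr now lives in <linux/netfilter.h>; the include looks left over from the earlier x_tables.h placement. Include <linux/netfilter.h> instead, which also avoids dragging x_tables.h into every conntrack user.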
@@ -20,15 +21,7 @@
   "non-manipulatable" lines, for the benefit of the NAT code.
 */
 
-#define NF_CT_TUPLE_L3SIZE	4
-
-/* The l3 protocol-specific manipulable parts of the tuple: always in
-   network order! */
-union nf_conntrack_address {
-	u_int32_t all[NF_CT_TUPLE_L3SIZE];
-	__be32 ip;
-	__be32 ip6[4];
-};
+#define NF_CT_TUPLE_L3SIZE	ARRAY_SIZE(((union nf_inet_addr *)NULL)->all)
 
 /* The protocol-specific manipulable parts of the tuple: always in
    network order! */
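Review bot: the comment "The l3 protocol-specific manipulable parts of the tuple: always in network order!" is deleted here but not carried over to the new definition in netfilter.h, where the union now appears bare; keep it with the union. The new NF_CT_TUPLE_L3SIZE also depends on ARRAY_SIZE, so this (kernel-only) header should ensure <linux/kernel.h> is reachable rather than relying on an indirect include.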
@@ -57,7 +50,7 @@ union nf_conntrack_man_proto
 /* The manipulable part of the tuple. */
 struct nf_conntrack_man
 {
-	union nf_conntrack_address u3;
+	union nf_inet_addr u3;
 	union nf_conntrack_man_proto u;
 	/* Layer 3 protocol */
 	u_int16_t l3num;
@@ -70,7 +63,7 @@ struct nf_conntrack_tuple
 
 	/* These are the parts of the tuple which are fixed. */
 	struct {
-		union nf_conntrack_address u3;
+		union nf_inet_addr u3;
 		union {
 			/* Add other protocols here. */
 			__be16 all;
@@ -103,7 +96,7 @@ struct nf_conntrack_tuple
 struct nf_conntrack_tuple_mask
 {
 	struct {
-		union nf_conntrack_address u3;
+		union nf_inet_addr u3;
 		union nf_conntrack_man_proto u;
 	} src;
 };
Index: linux-2.6/net/ipv4/netfilter/nf_nat_h323.c
===================================================================
--- linux-2.6.orig/net/ipv4/netfilter/nf_nat_h323.c
+++ linux-2.6/net/ipv4/netfilter/nf_nat_h323.c
@@ -76,7 +76,7 @@ static int set_addr(struct sk_buff *skb,
 static int set_h225_addr(struct sk_buff *skb,
 			 unsigned char **data, int dataoff,
 			 TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 port)
+			 union nf_inet_addr *addr, __be16 port)
 {
 	return set_addr(skb, data, dataoff, taddr->ipAddress.ip,
 			addr->ip, port);
@@ -86,7 +86,7 @@ static int set_h225_addr(struct sk_buff 
 static int set_h245_addr(struct sk_buff *skb,
 			 unsigned char **data, int dataoff,
 			 H245_TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 port)
+			 union nf_inet_addr *addr, __be16 port)
 {
 	return set_addr(skb, data, dataoff,
 			taddr->unicastAddress.iPAddress.network,
@@ -103,7 +103,7 @@ static int set_sig_addr(struct sk_buff *
 	int dir = CTINFO2DIR(ctinfo);
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 
 	for (i = 0; i < count; i++) {
 		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port)) {
@@ -155,7 +155,7 @@ static int set_ras_addr(struct sk_buff *
 	int dir = CTINFO2DIR(ctinfo);
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 
 	for (i = 0; i < count; i++) {
 		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
@@ -412,7 +412,7 @@ static int nat_q931(struct sk_buff *skb,
 	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
 	int dir = CTINFO2DIR(ctinfo);
 	u_int16_t nated_port = ntohs(port);
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 
 	/* Set expectations for NAT */
 	exp->saved_proto.tcp.port = exp->tuple.dst.u.tcp.port;
Index: linux-2.6/net/netfilter/nf_conntrack_expect.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_expect.c
+++ linux-2.6/net/netfilter/nf_conntrack_expect.c
@@ -226,8 +226,8 @@ struct nf_conntrack_expect *nf_ct_expect
 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 
 void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
-		       union nf_conntrack_address *saddr,
-		       union nf_conntrack_address *daddr,
+		       union nf_inet_addr *saddr,
+		       union nf_inet_addr *daddr,
 		       u_int8_t proto, __be16 *src, __be16 *dst)
 {
 	int len;
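Review bot: while the signature of nf_ct_expect_init is being touched, consider making saddr and daddr `const union nf_inet_addr *` if the function only reads them to fill the expectation tuple; the xt_connlimit hunks below already pass address unions as const pointers, and a const signature here spares callers holding const data a cast.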
Index: linux-2.6/net/netfilter/nf_conntrack_ftp.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_ftp.c
+++ linux-2.6/net/netfilter/nf_conntrack_ftp.c
@@ -358,7 +358,7 @@ static int help(struct sk_buff *skb,
 	unsigned int matchlen, matchoff;
 	struct nf_ct_ftp_master *ct_ftp_info = &nfct_help(ct)->help.ct_ftp_info;
 	struct nf_conntrack_expect *exp;
-	union nf_conntrack_address *daddr;
+	union nf_inet_addr *daddr;
 	struct nf_conntrack_man cmd = {};
 	unsigned int i;
 	int found = 0, ends_in_nl;
Index: linux-2.6/net/netfilter/nf_conntrack_h323_main.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_h323_main.c
+++ linux-2.6/net/netfilter/nf_conntrack_h323_main.c
@@ -50,12 +50,12 @@ MODULE_PARM_DESC(callforward_filter, "on
 int (*set_h245_addr_hook) (struct sk_buff *skb,
 			   unsigned char **data, int dataoff,
 			   H245_TransportAddress *taddr,
-			   union nf_conntrack_address *addr, __be16 port)
+			   union nf_inet_addr *addr, __be16 port)
 			   __read_mostly;
 int (*set_h225_addr_hook) (struct sk_buff *skb,
 			   unsigned char **data, int dataoff,
 			   TransportAddress *taddr,
-			   union nf_conntrack_address *addr, __be16 port)
+			   union nf_inet_addr *addr, __be16 port)
 			   __read_mostly;
 int (*set_sig_addr_hook) (struct sk_buff *skb,
 			  struct nf_conn *ct,
@@ -214,7 +214,7 @@ static int get_tpkt_data(struct sk_buff 
 /****************************************************************************/
 static int get_h245_addr(struct nf_conn *ct, unsigned char *data,
 			 H245_TransportAddress *taddr,
-			 union nf_conntrack_address *addr, __be16 *port)
+			 union nf_inet_addr *addr, __be16 *port)
 {
 	unsigned char *p;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
@@ -257,7 +257,7 @@ static int expect_rtp_rtcp(struct sk_buf
 	int ret = 0;
 	__be16 port;
 	__be16 rtp_port, rtcp_port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *rtp_exp;
 	struct nf_conntrack_expect *rtcp_exp;
 	typeof(nat_rtp_rtcp_hook) nat_rtp_rtcp;
@@ -330,7 +330,7 @@ static int expect_t120(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_t120_hook) nat_t120;
 
@@ -623,7 +623,7 @@ static struct nf_conntrack_helper nf_con
 /****************************************************************************/
 int get_h225_addr(struct nf_conn *ct, unsigned char *data,
 		  TransportAddress *taddr,
-		  union nf_conntrack_address *addr, __be16 *port)
+		  union nf_inet_addr *addr, __be16 *port)
 {
 	unsigned char *p;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
@@ -662,7 +662,7 @@ static int expect_h245(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_h245_hook) nat_h245;
 
@@ -704,8 +704,8 @@ static int expect_h245(struct sk_buff *s
 
 /* If the calling party is on the same side of the forward-to party,
  * we don't need to track the second call */
-static int callforward_do_filter(union nf_conntrack_address *src,
-				 union nf_conntrack_address *dst,
+static int callforward_do_filter(union nf_inet_addr *src,
+				 union nf_inet_addr *dst,
 				 int family)
 {
 	struct nf_afinfo *afinfo;
@@ -772,7 +772,7 @@ static int expect_callforwarding(struct 
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_callforwarding_hook) nat_callforwarding;
 
@@ -828,7 +828,7 @@ static int process_setup(struct sk_buff 
 	int ret;
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	typeof(set_h225_addr_hook) set_h225_addr;
 
 	pr_debug("nf_ct_q931: Setup\n");
@@ -1200,7 +1200,7 @@ static unsigned char *get_udp_data(struc
 
 /****************************************************************************/
 static struct nf_conntrack_expect *find_expect(struct nf_conn *ct,
-					       union nf_conntrack_address *addr,
+					       union nf_inet_addr *addr,
 					       __be16 port)
 {
 	struct nf_conntrack_expect *exp;
@@ -1242,7 +1242,7 @@ static int expect_q931(struct sk_buff *s
 	int ret = 0;
 	int i;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(nat_q931_hook) nat_q931;
 
@@ -1311,7 +1311,7 @@ static int process_gcf(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 
 	pr_debug("nf_ct_ras: GCF\n");
@@ -1471,7 +1471,7 @@ static int process_arq(struct sk_buff *s
 	struct nf_ct_h323_master *info = &nfct_help(ct)->help.ct_h323_info;
 	int dir = CTINFO2DIR(ctinfo);
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	typeof(set_h225_addr_hook) set_h225_addr;
 
 	pr_debug("nf_ct_ras: ARQ\n");
@@ -1513,7 +1513,7 @@ static int process_acf(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 	typeof(set_sig_addr_hook) set_sig_addr;
 
@@ -1576,7 +1576,7 @@ static int process_lcf(struct sk_buff *s
 	int dir = CTINFO2DIR(ctinfo);
 	int ret = 0;
 	__be16 port;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	struct nf_conntrack_expect *exp;
 
 	pr_debug("nf_ct_ras: LCF\n");
Index: linux-2.6/net/netfilter/nf_conntrack_sip.c
===================================================================
--- linux-2.6.orig/net/netfilter/nf_conntrack_sip.c
+++ linux-2.6/net/netfilter/nf_conntrack_sip.c
@@ -247,7 +247,7 @@ static int skp_digits_len(struct nf_conn
 }
 
 static int parse_addr(struct nf_conn *ct, const char *cp, const char **endp,
-		      union nf_conntrack_address *addr, const char *limit)
+		      union nf_inet_addr *addr, const char *limit)
 {
 	const char *end;
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
@@ -275,7 +275,7 @@ static int parse_addr(struct nf_conn *ct
 static int epaddr_len(struct nf_conn *ct, const char *dptr,
 		      const char *limit, int *shift)
 {
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	const char *aux = dptr;
 
 	if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
@@ -366,7 +366,7 @@ EXPORT_SYMBOL_GPL(ct_sip_get_info);
 static int set_expected_rtp(struct sk_buff *skb,
 			    struct nf_conn *ct,
 			    enum ip_conntrack_info ctinfo,
-			    union nf_conntrack_address *addr,
+			    union nf_inet_addr *addr,
 			    __be16 port,
 			    const char *dptr)
 {
@@ -403,7 +403,7 @@ static int sip_help(struct sk_buff *skb,
 		    enum ip_conntrack_info ctinfo)
 {
 	int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
-	union nf_conntrack_address addr;
+	union nf_inet_addr addr;
 	unsigned int dataoff, datalen;
 	const char *dptr;
 	int ret = NF_ACCEPT;
Index: linux-2.6/net/netfilter/xt_connlimit.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connlimit.c
+++ linux-2.6/net/netfilter/xt_connlimit.c
@@ -53,10 +53,10 @@ static inline unsigned int connlimit_iph
 }
 
 static inline unsigned int
-connlimit_iphash6(const union nf_conntrack_address *addr,
-                  const union nf_conntrack_address *mask)
+connlimit_iphash6(const union nf_inet_addr *addr,
+                  const union nf_inet_addr *mask)
 {
-	union nf_conntrack_address res;
+	union nf_inet_addr res;
 	unsigned int i;
 
 	if (unlikely(!connlimit_rnd_inited)) {
@@ -81,14 +81,14 @@ static inline bool already_closed(const 
 }
 
 static inline unsigned int
-same_source_net(const union nf_conntrack_address *addr,
-		const union nf_conntrack_address *mask,
-		const union nf_conntrack_address *u3, unsigned int family)
+same_source_net(const union nf_inet_addr *addr,
+		const union nf_inet_addr *mask,
+		const union nf_inet_addr *u3, unsigned int family)
 {
 	if (family == AF_INET) {
 		return (addr->ip & mask->ip) == (u3->ip & mask->ip);
 	} else {
-		union nf_conntrack_address lh, rh;
+		union nf_inet_addr lh, rh;
 		unsigned int i;
 
 		for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i) {
@@ -102,8 +102,8 @@ same_source_net(const union nf_conntrack
 
 static int count_them(struct xt_connlimit_data *data,
 		      const struct nf_conntrack_tuple *tuple,
-		      const union nf_conntrack_address *addr,
-		      const union nf_conntrack_address *mask,
+		      const union nf_inet_addr *addr,
+		      const union nf_inet_addr *mask,
 		      const struct xt_match *match)
 {
 	struct nf_conntrack_tuple_hash *found;
@@ -185,7 +185,7 @@ connlimit_mt(const struct sk_buff *skb, 
              bool *hotdrop)
 {
 	const struct xt_connlimit_info *info = matchinfo;
-	union nf_conntrack_address addr, mask;
+	union nf_inet_addr addr, mask;
 	struct nf_conntrack_tuple tuple;
 	const struct nf_conntrack_tuple *tuple_ptr = &tuple;
 	enum ip_conntrack_info ctinfo;

* Re: [PATCH 3/7] Let xt_connlimit use nf_inet_addr
  2007-12-11 10:19   ` Patrick McHardy
@ 2007-12-15 12:20     ` Jan Engelhardt
  2007-12-17 12:33       ` Patrick McHardy
  0 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 12:20 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 11 2007 11:19, Patrick McHardy wrote:
>
> No way I'm adding patches to introduce new revisions for this,
> the layout is exactly the same as before :) There must be
> a better way, like an anonymous union:
>
> struct xt_connlimit_info { 
>        union {
> 		union nf_inet_addr mask;
> 		union {
> 			__be32 v4_mask;
> 			__be32 v6_mask[4];
> 		}
> 	};
> 	...
> };
>

===

Make xt_connlimit use the new union nf_inet_addr.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_connlimit.h |    9 +++++++--
 net/netfilter/xt_connlimit.c           |    7 +++----
 2 files changed, 10 insertions(+), 6 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_connlimit.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_connlimit.h
+++ linux-2.6/include/linux/netfilter/xt_connlimit.h
@@ -5,8 +5,13 @@ struct xt_connlimit_data;
 
 struct xt_connlimit_info {
 	union {
-		__be32 v4_mask;
-		__be32 v6_mask[4];
+		union nf_inet_addr mask;
+#ifndef __KERNEL__
+		union {
+			__be32 v4_mask;
+			__be32 v6_mask[4];
+		};
+#endif
 	};
 	unsigned int limit, inverse;
 
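Review bot: the anonymous union nested under the existing union after `+#ifndef __KERNEL__` is a GNU C / C11 extension in a userspace-visible header, so iptables builds with strict -std=c89 or -std=c99 flags will reject it; at minimum the changelog should say that userspace is expected to compile with GNU extensions. The header also now refers to union nf_inet_addr without any include being added for the header that defines it, which userspace compiles of xt_connlimit.h will need. Keeping v4_mask/v6_mask only for !__KERNEL__ preserves the old field names for existing iptables sources while the kernel uses mask exclusively, which is what the layout-preserving suggestion quoted above asked for; a short comment next to the #ifndef stating that the union must stay the same size as __be32 v6_mask[4] would record the invariant the kernel side now relies on.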
Index: linux-2.6/net/netfilter/xt_connlimit.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_connlimit.c
+++ linux-2.6/net/netfilter/xt_connlimit.c
@@ -185,7 +185,7 @@ connlimit_mt(const struct sk_buff *skb, 
              bool *hotdrop)
 {
 	const struct xt_connlimit_info *info = matchinfo;
-	union nf_inet_addr addr, mask;
+	union nf_inet_addr addr;
 	struct nf_conntrack_tuple tuple;
 	const struct nf_conntrack_tuple *tuple_ptr = &tuple;
 	enum ip_conntrack_info ctinfo;
@@ -202,15 +202,14 @@ connlimit_mt(const struct sk_buff *skb, 
 	if (match->family == AF_INET6) {
 		const struct ipv6hdr *iph = ipv6_hdr(skb);
 		memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr));
-		memcpy(&mask.ip6, info->v6_mask, sizeof(info->v6_mask));
 	} else {
 		const struct iphdr *iph = ip_hdr(skb);
 		addr.ip = iph->saddr;
-		mask.ip = info->v4_mask;
 	}
 
 	spin_lock_bh(&info->data->lock);
-	connections = count_them(info->data, tuple_ptr, &addr, &mask, match);
+	connections = count_them(info->data, tuple_ptr, &addr,
+	                         &info->mask, match);
 	spin_unlock_bh(&info->data->lock);
 
 	if (connections < 0) {
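Review bot: with the memcpy of info->v6_mask gone, count_them reads the mask straight out of the rule blob via &info->mask; that is fine because count_them takes `const union nf_inet_addr *mask` (see the earlier xt_connlimit.c hunk), but it silently depends on the AF_INET path reading info->mask.ip at the same offset the old v4_mask occupied, which holds only while union nf_inet_addr keeps ip as its first 32 bits. A comment at the memcpy site that was removed, or on the header union, would document that dependency.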

* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-11 10:25   ` Patrick McHardy
@ 2007-12-15 12:28     ` Jan Engelhardt
  2007-12-15 15:55       ` Pablo Neira Ayuso
  2007-12-17 12:37       ` Patrick McHardy
  0 siblings, 2 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 12:28 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 11 2007 11:25, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Introduce the xt_mark match revision 1. It uses fixed types,
>> with the goal of obsoleting revision 0 some day (uses nonfixed types).
>
> I don't know. We already have all this compat crap because
> we specifically don't want to obsolete old userspace binaries,
> so the only benefit I see is a minor decrease in overhead
> when loading rules.
>
There are two sorts of compatibility.

* "Post-breakage fixes" like ->compat_from_user and ->compat_to_user
  which have to deal with 32-bit user / 64-bit kernel

* ->revision which is a good architecture to keep older interfaces a
  little longer.

The ->revision game is ok IMHO; there will always be revision
differences between user- and k-space, and it is a nice architecture
for new-behavior revisions. But the ->compat* fluff is not really
needed anymore once switched to fixed types everywhere (reasonable
time needed).

Old revisions should be purged after a "reasonable time" (whatever
that means for everyone), or perhaps whenever there is a Linux kernel
version with a trailing .0 (2.7.0, 2.8.0), or when great new things
appear (pkttables, or whatever is in the works).

I think the step should better be made now than later, or this cruft
will be carried for the next 10 instead of 5 years.

* Re: [PATCH 5/7] xt_MARK target rev 2
  2007-12-11 10:27   ` Patrick McHardy
@ 2007-12-15 13:59     ` Jan Engelhardt
  2007-12-15 14:47       ` Jan Engelhardt
  0 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 13:59 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 11 2007 11:27, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Introduce the xt_MARK target revision 2. It uses fixed types, with the
>> goal of obsoleting revision 0 and 1 some day (uses nonfixed types).
>> xt_MARK rev 2 also uses more expressive XOR logic.
>
> Can I see a userspace patch for this please? :)
>
Yes, it will be a reply to this mail (which contains a small update
to the kernel part.)

===

Introduce the xt_MARK target revision 2. It uses fixed types, with the
goal of obsoleting revision 0 and 1 some day (uses nonfixed types).
xt_MARK rev 2 also uses more expressive XOR logic.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/linux/netfilter/xt_MARK.h |    4 ++
 net/netfilter/xt_MARK.c           |   51 +++++++++++++++++++++++++++++---------
 2 files changed, 43 insertions(+), 12 deletions(-)

Index: linux-2.6/include/linux/netfilter/xt_MARK.h
===================================================================
--- linux-2.6.orig/include/linux/netfilter/xt_MARK.h
+++ linux-2.6/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
 	u_int8_t mode;
 };
 
+struct xt_mark_target_info_v2 {
+	u_int32_t mark, mask;
+};
+
 #endif /*_XT_MARK_H_target */
Index: linux-2.6/net/netfilter/xt_MARK.c
===================================================================
--- linux-2.6.orig/net/netfilter/xt_MARK.c
+++ linux-2.6/net/netfilter/xt_MARK.c
@@ -33,9 +33,9 @@ mark_tg_v0(struct sk_buff *skb, const st
 }
 
 static unsigned int
-mark_tg(struct sk_buff *skb, const struct net_device *in,
-        const struct net_device *out, unsigned int hooknum,
-        const struct xt_target *target, const void *targinfo)
+mark_tg_v1(struct sk_buff *skb, const struct net_device *in,
+           const struct net_device *out, unsigned int hooknum,
+           const struct xt_target *target, const void *targinfo)
 {
 	const struct xt_mark_target_info_v1 *markinfo = targinfo;
 	int mark = 0;
@@ -58,6 +58,17 @@ mark_tg(struct sk_buff *skb, const struc
 	return XT_CONTINUE;
 }
 
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct net_device *in,
+        const struct net_device *out, unsigned int hooknum,
+        const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_mark_target_info_v2 *info = targinfo;
+
+	skb->mark = (skb->mark & ~info->mask) ^ info->mark;
+	return XT_CONTINUE;
+}
+
 static bool
 mark_tg_check_v0(const char *tablename, const void *entry,
                  const struct xt_target *target, void *targinfo,
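Review bot: `skb->mark = (skb->mark & ~info->mask) ^ info->mark;` needs a comment spelling out the contract: the bits covered by mask are cleared first and then mark is XORed in, so any mark bit outside mask toggles the existing value rather than setting it. That is the "more expressive XOR logic" from the description, but sitting next to the mode-driven mark_tg_v1 it reads like a typo for |, and since revision 2 registers no checkentry nothing in the kernel validates value/mask consistency, so this comment is the only place the semantics would be stated.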
@@ -73,9 +84,9 @@ mark_tg_check_v0(const char *tablename, 
 }
 
 static bool
-mark_tg_check(const char *tablename, const void *entry,
-              const struct xt_target *target, void *targinfo,
-              unsigned int hook_mask)
+mark_tg_check_v1(const char *tablename, const void *entry,
+                 const struct xt_target *target, void *targinfo,
+                 unsigned int hook_mask)
 {
 	const struct xt_mark_target_info_v1 *markinfo = targinfo;
 
@@ -101,7 +112,7 @@ struct compat_xt_mark_target_info_v1 {
 	u_int16_t	__pad2;
 };
 
-static void mark_tg_compat_from_user(void *dst, void *src)
+static void mark_tg_compat_from_user_v1(void *dst, void *src)
 {
 	const struct compat_xt_mark_target_info_v1 *cm = src;
 	struct xt_mark_target_info_v1 m = {
@@ -111,7 +122,7 @@ static void mark_tg_compat_from_user(voi
 	memcpy(dst, &m, sizeof(m));
 }
 
-static int mark_tg_compat_to_user(void __user *dst, void *src)
+static int mark_tg_compat_to_user_v1(void __user *dst, void *src)
 {
 	const struct xt_mark_target_info_v1 *m = src;
 	struct compat_xt_mark_target_info_v1 cm = {
@@ -137,13 +148,13 @@ static struct xt_target mark_tg_reg[] __
 		.name		= "MARK",
 		.family		= AF_INET,
 		.revision	= 1,
-		.checkentry	= mark_tg_check,
-		.target		= mark_tg,
+		.checkentry	= mark_tg_check_v1,
+		.target		= mark_tg_v1,
 		.targetsize	= sizeof(struct xt_mark_target_info_v1),
 #ifdef CONFIG_COMPAT
 		.compatsize	= sizeof(struct compat_xt_mark_target_info_v1),
-		.compat_from_user = mark_tg_compat_from_user,
-		.compat_to_user	= mark_tg_compat_to_user,
+		.compat_from_user = mark_tg_compat_from_user_v1,
+		.compat_to_user	= mark_tg_compat_to_user_v1,
 #endif
 		.table		= "mangle",
 		.me		= THIS_MODULE,
@@ -158,6 +169,22 @@ static struct xt_target mark_tg_reg[] __
 		.table		= "mangle",
 		.me		= THIS_MODULE,
 	},
+	{
+		.name           = "MARK",
+		.revision       = 2,
+		.family         = AF_INET,
+		.target         = mark_tg,
+		.targetsize     = sizeof(struct xt_mark_target_info_v2),
+		.me             = THIS_MODULE,
+	},
+	{
+		.name           = "MARK",
+		.revision       = 2,
+		.family         = AF_INET6,
+		.target         = mark_tg,
+		.targetsize     = sizeof(struct xt_mark_target_info_v2),
+		.me             = THIS_MODULE,
+	},
 };
 
 static int __init mark_tg_init(void)
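Review bot: the two revision-2 entries appended to mark_tg_reg[] omit the `.table = "mangle"` line that the revision 0 and 1 entries carry (visible in the hunk above), so a rev-2 MARK target would be accepted in the filter, nat and raw tables as well. If that relaxation is intended it belongs in the changelog; otherwise add `.table = "mangle"` to both new entries so the table restriction stays consistent across revisions.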

* Re: [PATCH 5/7] xt_MARK target rev 2
  2007-12-15 13:59     ` Jan Engelhardt
@ 2007-12-15 14:47       ` Jan Engelhardt
  0 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 14:47 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 15 2007 14:59, Jan Engelhardt wrote:
>On Dec 11 2007 11:27, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> Introduce the xt_MARK target revision 2. It uses fixed types, with the
>>> goal of obsoleting revision 0 and 1 some day (uses nonfixed types).
>>> xt_MARK rev 2 also uses more expressive XOR logic.
>>
>> Can I see a userspace patch for this please? :)
>>


libxt_MARK revision 2 support.
Also consolidates libip6t_MARK.man and libipt_MARK.man.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 extensions/libip6t_MARK.man       |    6 -
 extensions/libipt_MARK.man        |   13 ---
 extensions/libxt_MARK.c           |  139 ++++++++++++++++++++++++++++++++++++++
 extensions/libxt_MARK.man         |   20 +++++
 include/linux/netfilter/xt_MARK.h |    4 +
 5 files changed, 163 insertions(+), 19 deletions(-)

Index: iptables-modules/extensions/libip6t_MARK.man
===================================================================
--- iptables-modules.orig/extensions/libip6t_MARK.man
+++ /dev/null
@@ -1,6 +0,0 @@
-This is used to set the netfilter mark value associated with the
-packet.  It is only valid in the
-.B mangle
-table.
-.TP
-.BI "--set-mark " "mark"
Index: iptables-modules/extensions/libipt_MARK.man
===================================================================
--- iptables-modules.orig/extensions/libipt_MARK.man
+++ /dev/null
@@ -1,13 +0,0 @@
-This is used to set the netfilter mark value associated with the
-packet.  It is only valid in the
-.B mangle
-table.  It can for example be used in conjunction with iproute2.
-.TP
-.BI "--set-mark " "value"
-Set nfmark value
-.TP
-.BI "--and-mark " "value"
-Binary AND the nfmark with value
-.TP
-.BI "--or-mark " "value"
-Binary OR  the nfmark with value
Index: iptables-modules/extensions/libxt_MARK.c
===================================================================
--- iptables-modules.orig/extensions/libxt_MARK.c
+++ iptables-modules/extensions/libxt_MARK.c
@@ -1,4 +1,5 @@
 /* Shared library add-on to iptables to add MARK target support. */
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -8,6 +9,10 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_MARK.h>
 
+enum {
+	F_MARK = 1 << 0,
+};
+
 /* Function which prints out usage message. */
 static void MARK_help(void)
 {
@@ -27,6 +32,26 @@ static const struct option MARK_opts[] =
 	{ }
 };
 
+static const struct option mark_tg_opts[] = {
+	{.name = "set-xmark", .has_arg = true, .val = 'X'},
+	{.name = "set-mark",  .has_arg = true, .val = '='},
+	{.name = "and-mark",  .has_arg = true, .val = '&'},
+	{.name = "or-mark",   .has_arg = true, .val = '|'},
+	{},
+};
+
+static void mark_tg_help(void)
+{
+	printf(
+	"MARK target v%s options:\n"
+	"  --set-xmark value[/mask]  Clear bits in mask and XOR value into nfmark\n"
+	"  --set-mark value[/mask]   Clear bits in mask and OR value into nfmark\n"
+	"  --and-mark mask           Binary AND the nfmark with bits in mask\n"
+	"  --or-mark mask            Binary OR the nfmark with bits in mask\n"
+	"\n",
+	IPTABLES_VERSION);
+}
+
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -101,6 +126,73 @@ MARK_parse_v1(int c, char **argv, int in
 	return 1;
 }
 
+static int mark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_target **target)
+{
+	struct xt_mark_target_info_v2 *info = (void *)(*target)->data;
+	unsigned int value, mask = ~0U;
+	char *end;
+
+	switch (c) {
+	case 'X': /* --set-xmark */
+	case '=': /* --set-mark */
+		if (*flags & F_MARK)
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Only one MARK option allowed\n");
+		if (!bound_strtou(optarg, &end, &value, 0, ~0U))
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Illegal value");
+		if (*end == '/')
+			if (!bound_strtou(optarg, &end, &mask, 0, ~0U))
+				exit_error(PARAMETER_PROBLEM,
+				           "MARK target: Illegal mask");
+		if (*end != '\0')
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Illegal specifcation");
+		info->mark = value;
+		info->mask = mask;
+
+		if (c == '=')
+			info->mask = value | mask;
+		break;
+
+	case '&': /* --and-mark */
+		if (*flags & F_MARK)
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Only one MARK option allowed\n");
+		if (!bound_strtou(optarg, &end, &mask, 0, ~0U))
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Illegal value");
+		info->mark = 0;
+		info->mask = ~mask;
+		break;
+
+	case '|': /* --or-mark */
+		if (*flags & F_MARK)
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Only one MARK option allowed\n");
+		if (!bound_strtou(optarg, &end, &value, 0, ~0U))
+			exit_error(PARAMETER_PROBLEM,
+			           "MARK target: Illegal value");
+		info->mark = value;
+		info->mask = value;
+		break;
+
+	default:
+		return false;
+	}
+
+	*flags |= F_MARK;
+	return true;
+}
+
+static void mark_tg_check(unsigned int flags)
+{
+	if (!(flags & F_MARK))
+		exit_error(PARAMETER_PROBLEM,
+		           "MARK target: Parameter --set-mark is required");
+}
+
 static void
 print_mark(unsigned long mark)
 {
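Review bot: the mask parse in the 'X'/'=' case is broken: after `if (*end == '/')` the code calls `bound_strtou(optarg, &end, &mask, 0, ~0U)` on optarg again instead of on end + 1, so it re-parses the value, leaves end pointing at the '/', and the following `*end != '\0'` check rejects every value/mask argument with "Illegal specifcation"; parse from end + 1 there (and fix the spelling of "specification" while at it). Smaller points in the same hunk: mark_tg_check reports "Parameter --set-mark is required" although --set-xmark, --and-mark and --or-mark all satisfy F_MARK, so the message should name any of the four; the "Only one MARK option allowed" check is repeated verbatim in three cases and could be hoisted above the switch; and bound_strtou is neither defined in this patch nor visible among the existing libxt_MARK.c includes, so it has to come from the shared iptables code for this to link.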
@@ -148,6 +240,14 @@ static void MARK_print_v1(const void *ip
 	print_mark(markinfo->mark);
 }
 
+static void mark_tg_print(const void *ip, const struct xt_entry_target *target,
+                          int numeric)
+{
+	const struct xt_mark_target_info_v2 *info = (const void *)target->data;
+
+	printf("MARK xor 0x%x/0x%x ", info->mark, info->mask);
+}
+
 /* Saves the union ipt_targinfo in parsable form to stdout. */
 static void MARK_save_v1(const void *ip, const struct xt_entry_target *target)
 {
@@ -168,6 +268,13 @@ static void MARK_save_v1(const void *ip,
 	print_mark(markinfo->mark);
 }
 
+static void mark_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_mark_target_info_v2 *info = (const void *)target->data;
+
+	printf("--set-xmark 0x%x/0x%x ", info->mark, info->mask);
+}
+
 static struct xtables_target mark_target_v0 = {
 	.family		= AF_INET,
 	.name		= "MARK",
@@ -213,9 +320,41 @@ static struct xtables_target mark_target
 	.extra_opts	= MARK_opts,
 };
 
+static struct xtables_target mark_tg_reg_v2 = {
+	.version       = IPTABLES_VERSION,
+	.name          = "MARK",
+	.revision      = 2,
+	.family        = AF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_mark_target_info_v2)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v2)),
+	.help          = mark_tg_help,
+	.parse         = mark_tg_parse,
+	.final_check   = mark_tg_check,
+	.print         = mark_tg_print,
+	.save          = mark_tg_save,
+	.extra_opts    = mark_tg_opts,
+};
+
+static struct xtables_target mark_tg6_reg_v2 = {
+	.version       = IPTABLES_VERSION,
+	.name          = "MARK",
+	.revision      = 2,
+	.family        = AF_INET6,
+	.size          = XT_ALIGN(sizeof(struct xt_mark_target_info_v2)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v2)),
+	.help          = mark_tg_help,
+	.parse         = mark_tg_parse,
+	.final_check   = mark_tg_check,
+	.print         = mark_tg_print,
+	.save          = mark_tg_save,
+	.extra_opts    = mark_tg_opts,
+};
+
 void _init(void)
 {
 	xtables_register_target(&mark_target_v0);
 	xtables_register_target(&mark_target_v1);
 	xtables_register_target(&mark_target6_v0);
+	xtables_register_target(&mark_tg_reg_v2);
+	xtables_register_target(&mark_tg6_reg_v2);
 }
Index: iptables-modules/extensions/libxt_MARK.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_MARK.man
@@ -0,0 +1,20 @@
+This is used to set the netfilter mark value associated with the packet. It is
+only valid in the \fBmangle\fR table. It can for example be used in conjunction
+with iproute2.
+.TP
+\fB--set-xmark\fR \fIvalue\fR[\fB/\fR\fImask\fR]
+Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the packet
+mark ("nfmark"). If \fImask\fR is omitted, all bits in the nfmark are zeroed,
+i.e. \fImask\fR is implicitly assumed to be 0xFFFFFFFF.
+.PP
+The following options are for backwards-compatibility and convenience, and will
+be transformed into xmark internally.
+.TP
+\fB--and-mark\fR \fImask\fR
+Binary AND the nfmark with \fImask\fR. This is equivalent to zeroing
+\fIinvmask\fR (i.e. \fB~\fR\fImask\fR) and hence equivalent to \fB--set-xmark
+0x0/\fR\fIinvmask\fR.
+.TP
+\fB--or-mark\fR \fImask\fR
+Binary OR the nfmark with \fImask\fR. This is equivalent to \fB--set-xmark\fR
+\fImask\fR/\fImask\fR.
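Review bot: the new libxt_MARK.man documents --set-xmark, --and-mark and --or-mark but not --set-mark, which mark_tg_opts and mark_tg_help in the libxt_MARK.c hunk still accept ("Clear bits in mask and OR value into nfmark"); since this file replaces the deleted libipt_MARK.man that did document --set-mark, add a .TP entry for it. From the parser, --set-mark value/mask stores mark = value and mask = value | mask, so it is equivalent to --set-xmark value/(value|mask), and stating that equivalence alongside the existing --and-mark and --or-mark ones keeps the page consistent.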
Index: iptables-modules/include/linux/netfilter/xt_MARK.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter/xt_MARK.h
+++ iptables-modules/include/linux/netfilter/xt_MARK.h
@@ -18,4 +18,8 @@ struct xt_mark_target_info_v1 {
 	u_int8_t mode;
 };
 
+struct xt_mark_target_info_v2 {
+	u_int32_t mark, mask;
+};
+
 #endif /*_XT_MARK_H_target */

* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 12:28     ` Jan Engelhardt
@ 2007-12-15 15:55       ` Pablo Neira Ayuso
  2007-12-15 16:10         ` Jan Engelhardt
  2007-12-17 12:37       ` Patrick McHardy
  1 sibling, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2007-12-15 15:55 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 11 2007 11:25, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> Introduce the xt_mark match revision 1. It uses fixed types,
>>> with the goal of obsoleting revision 0 some day (uses nonfixed types).
>> I don't know. We already have all this compat crap because
>> we specifically don't want to obsolete old userspace binaries,
>> so the only benefit I see is a minor decrease in overhead
>> when loading rules.
>>
> There are two sorts of compatibility.
> 
> * "Post-breakage fixes" like ->compat_from_user and ->compat_to_user
>   which have to deal with 32-bit user / 64-bit kernel
> 
> * ->revision which is a good architecture to keep older interfaces a
>   little longer.
> 
> The ->revision game is ok IMHO; there will always be revision
> differences between user- and k-space, and it is a nice architecture
> for new-behavior revisions. But the ->compat* fluff is not really
> needed anymore once switched to fixed types everywhere (reasonable
> time needed).

The revision thing was a hack that I introduced myself to let us add
several improvements that we really needed at that time, actually it is
not something we should abuse IMO.

> Old revisions should be purged after a "reasonable time" (whatever
> that means for everyone), or perhaps whenever there is a Linux kernel
> version with a trailing .0 (2.7.0, 2.8.0), or when great new things
> appear (pkttables, or whatever is in the works).
> 
> I think the step should better be made now than later, or this cruft
> will be carried for the next 10 instead of 5 years.

I hope that we'll get that long-awaited netlink interface for iptables
before those 10 years go by and we all become museum pieces :)

-- 
"Honest people are social misfits" -- Les Luthiers


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 15:55       ` Pablo Neira Ayuso
@ 2007-12-15 16:10         ` Jan Engelhardt
  2007-12-15 16:42           ` Pablo Neira Ayuso
  0 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 16:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Patrick McHardy, Netfilter Developer Mailing List


On Dec 15 2007 16:55, Pablo Neira Ayuso wrote:
>
>The revision thing was a hack that I introduced myself to let us add
>several improvements that we really needed at that time, actually it is
>not something we should abuse IMO.
>
But it looks like the cleanest way to do things. If you think it is abuse,
do you have a better way?

>> Old revisions should be purged after a "reasonable time" (whatever
>> that means for everyone), or perhaps whenever there is a Linux kernel
>> version with a trailing .0 (2.7.0, 2.8.0), or when great new things
>> appear (pkttables, or whatever is in the works).
>> 
>> I think the step should better be made now than later, or this cruft
>> will be carried for the next 10 instead of 5 years.
>
>I hope that we'll get that long-awaited netlink interface for iptables
>before those 10 years go by and we all become museum pieces :)
>
What will netlink bring us, with respect to the two states:
- old iptables, new kernel
- new iptables, old kernel
so matching some UUIDs (and .revision is one, more or less) seems like the way
to go.


* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-15 12:06     ` Jan Engelhardt
@ 2007-12-15 16:21       ` Jan Engelhardt
  2007-12-17 12:52         ` Patrick McHardy
  2007-12-17 12:28       ` Patrick McHardy
  1 sibling, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 16:21 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 15 2007 13:06, Jan Engelhardt wrote:
>Userspace iptables does not seem to properly cope with it, though:
>
>In file included from /ws/linux-2.6/include/linux/netfilter_ipv4.h:8,
>                 from 
>/ws/linux-2.6/include/linux/netfilter_ipv4/ip_tables.h:26,
>                 from include/libiptc/libiptc.h:6,
>                 from libiptc/libip4tc.c:29:
>/ws/linux-2.6/include/linux/netfilter.h:53: error: expected 
>specifier-qualifier-list before ‘__be32’
>make: *** [libiptc/libip4tc.o] Error 1

Fix for iptables:

===


Add __beXX types to libiptc.
Also add __be64/__le64 for completeness.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/libiptc/libip6tc.h |    8 ++++++++
 include/libiptc/libiptc.h  |    9 +++++++++
 include/xtables.h          |   12 ++++++++----
 3 files changed, 25 insertions(+), 4 deletions(-)

Index: iptables-modules/include/libiptc/libip6tc.h
===================================================================
--- iptables-modules.orig/include/libiptc/libip6tc.h
+++ iptables-modules/include/libiptc/libip6tc.h
@@ -2,6 +2,14 @@
 #define _LIBIP6TC_H
 /* Library which manipulates firewall rules. Version 0.2. */
 
+#ifndef __be32
+#	define __be64	u_int64_t
+#	define __le64	u_int64_t
+#	define __be32	u_int32_t
+#	define __le32	u_int32_t
+#	define __be16	u_int16_t
+#	define __le16	u_int16_t
+#endif
 #include <libiptc/ipt_kernel_headers.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
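Review bot: the guard at the top of this hunk, `#ifndef __be32`, only detects a macro, but the kernel's <linux/types.h> provides __be32 and the other five names as typedefs, so the guard never fires when a kernel header is pulled in afterwards and the six `#define`s then rewrite those typedefs. In particular `#define __be64 u_int64_t` turns the kernel's own `typedef ... __be64;` into a second declaration of u_int64_t, which is exactly the "conflicting types for 'u_int64_t'" / "redefinition of typedef 'u_int64_t'" pair at linux/types.h:185-186 that Patrick reports further down this thread. Suggest including <linux/types.h> here instead of defining the names locally, or at least guarding on a macro these headers themselves control.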
Index: iptables-modules/include/libiptc/libiptc.h
===================================================================
--- iptables-modules.orig/include/libiptc/libiptc.h
+++ iptables-modules/include/libiptc/libiptc.h
@@ -2,6 +2,15 @@
 #define _LIBIPTC_H
 /* Library which manipulates filtering rules. */
 
+#ifndef __be32
+#	define __be64	u_int64_t
+#	define __le64	u_int64_t
+#	define __be32	u_int32_t
+#	define __le32	u_int32_t
+#	define __be16	u_int16_t
+#	define __le16	u_int16_t
+#endif
+
 #include <libiptc/ipt_kernel_headers.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
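Review bot: this block is a byte-for-byte copy of the one added to libip6tc.h in the previous hunk and of the one added to xtables.h below; a program that includes both libiptc.h and libip6tc.h goes through the same six definitions twice, and any future change to the list has to be made in three places. Suggest a single shared header for these, or replacing all three copies with `#include <linux/types.h>`.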
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -234,9 +234,13 @@ extern const char *program_name, *progra
   extern void init_extensions(void);
 #endif
 
-#define __be32	u_int32_t
-#define __le32	u_int32_t
-#define __be16	u_int16_t
-#define __le16	u_int16_t
+#ifndef __be32
+#	define __be64	u_int64_t
+#	define __le64	u_int64_t
+#	define __be32	u_int32_t
+#	define __le32	u_int32_t
+#	define __be16	u_int16_t
+#	define __le16	u_int16_t
+#endif
 
 #endif /* _XTABLES_H */
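Review bot: wrapping the existing four `#define`s in `#ifndef __be32` changes their meaning rather than just silencing redefinitions: whichever of libiptc.h, libip6tc.h or xtables.h is included first now wins, and a translation unit that already obtained __be32 from somewhere else gets no __be64/__le64 at all, because the two new 64-bit names share the guard with __be32. If redefinition warnings are the concern, guard each name individually or, better, include <linux/types.h> once and drop the local definitions.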
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 16:10         ` Jan Engelhardt
@ 2007-12-15 16:42           ` Pablo Neira Ayuso
  2007-12-15 21:26             ` Jan Engelhardt
  2007-12-17 12:47             ` Patrick McHardy
  0 siblings, 2 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2007-12-15 16:42 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 15 2007 16:55, Pablo Neira Ayuso wrote:
>> The revision thing was a hack that I introduced myself to let us add
>> several improvements that we really needed at that time, actually it is
>> not something we should abuse IMO.
>>
> But it looks like the cleanest way to do things. If you think it is abuse,
> do you have a better way?

Indeed, it is the best way to do things as for now but I don't think
that we should pollute the code with tons of revisions unless it is
necessary.

>>> Old revisions should be purged after a "reasonable time" (whatever
>>> that means for everyone), or perhaps whenever there is a Linux kernel
>>> version with a trailing .0 (2.7.0, 2.8.0), or when great new things
>>> appear (pkttables, or whatever is in the works).
>>>
>>> I think the step should better be made now than later, or this cruft
>>> will be carried for the next 10 instead of 5 years.
>> I hope that we'll get that long-awaited netlink interface for iptables
>> before those 10 years go by and we all become museum pieces :)
>>
> What will netlink bring us, with respect to the two states:
> - old iptables, new kernel
> - new iptables, old kernel
> so matching some UUIDs (and .revision is one, more or less) seems like the way
> to go.

Netlink doesn't stick us to fixed structure layouts as it happens to the
current interface since we represent the messages kernel <-> userspace
in TLV (type-length-value) format. Thus, userspace and kernel won't
share structures and new features just require a new type. For that
reason, the netlink interface won't require such revision infrastructure.

Not that I'm against your patches, I'm just stating the right direction
to go for those 5-10 years that you have mentioned. And of course, we
don't have a single line of such interface at the moment :)

-- 
"Honest people are social misfits" -- Les Luthiers


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 16:42           ` Pablo Neira Ayuso
@ 2007-12-15 21:26             ` Jan Engelhardt
  2007-12-17 12:49               ` Patrick McHardy
  2007-12-17 12:47             ` Patrick McHardy
  1 sibling, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-15 21:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Patrick McHardy, Netfilter Developer Mailing List


On Dec 15 2007 17:42, Pablo Neira Ayuso wrote:
>Jan Engelhardt wrote:
>> On Dec 15 2007 16:55, Pablo Neira Ayuso wrote:
>>> The revision thing was a hack that I introduced myself to let us add
>>> several improvements that we really needed at that time, actually it is
>>> not something we should abuse IMO.
>>>
>> But it looks like the cleanest way to do things. If you think it is abuse,
>> do you have a better way?
>
>Indeed, it is the best way to do things as for now but I don't think
>that we should pollute the code with tons of revisions unless it is
>necessary.
>
Pollution is the result of not throwing away old things. Windows is
probably the best example of that.

Granted that old revisions need some time to go away, but that does
not mean we should really wait for the next linux 2.x.0 for all old
revisions to purge, _should_ the revision number be very big. And
they are not very big right now.

Taking all floating patches into account, 1 module is at revision 2
(MARK), 6 modules at revision 1 (TOS, tos, multiport, owner,
CONNMARK, connmark) and all others at 0.


>>>> Old revisions should be purged after a "reasonable time" (whatever
>>>> that means for everyone), or perhaps whenever there is a Linux kernel
>>>> version with a trailing .0 (2.7.0, 2.8.0), or when great new things
>>>> appear (pkttables, or whatever is in the works).
>>>>
>>>> I think the step should better be made now than later, or this cruft
>>>> will be carried for the next 10 instead of 5 years.
>>> I hope that we'll get that long-awaited netlink interface for iptables
>>> before those 10 years go by and we all become museum pieces :)
>>>
>> What will netlink bring us, with respect to the two states:
>> - old iptables, new kernel
>> - new iptables, old kernel
>> so matching some UUIDs (and .revision is one, more or less) seems like the way
>> to go.
>
>Netlink doesn't stick us to fixed structure layouts as it happens to the
>current interface since we represent the messages kernel <-> userspace
>in TLV (type-length-value) format. Thus, userspace and kernel won't
>share structures and new features just require a new type. For that
>reason, the netlink interface won't require such revision infrastructure.
>
Please explain the TLV thing. How would something like
struct ipt_tos_target_info (revision 0, in net-2.6.25/xt_DSCP.c) and
struct xt_tos_target_info (revision 1, in net-2.6.25/xt_DSCP.c) be
encoded?
Does the mere presence of a TLV block (sending it over netlink) indicate
a certain revision?

>Not that I'm against your patches, I'm just stating the right direction
>to go for those 5-10 years that you have mentioned. And of course, we
>don't have a single line of such interface at the moment :)
>
Which is why you can't be against the patches by definition and they
should go in. :p


* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-15 12:06     ` Jan Engelhardt
  2007-12-15 16:21       ` Jan Engelhardt
@ 2007-12-17 12:28       ` Patrick McHardy
  2007-12-17 12:51         ` Jan Engelhardt
  1 sibling, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:28 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 11 2007 11:16, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> A few netfilter modules provide their own union of IPv4 and IPv6
>>> address storage. Will unify that in this patch series.
>>>
>>> (1/4): Rename union nf_conntrack_address to union nf_inet_addr and
>>> move it to x_tables.h.
>> netfilter.h seems more appropriate for this than x_tables.h,
>> so I'll move it unless there are good reasons not to.
>>
> 
> Userspace iptables does not seem to properly cope with it, though:
> 
> In file included from /ws/linux-2.6/include/linux/netfilter_ipv4.h:8,
>                  from 
> /ws/linux-2.6/include/linux/netfilter_ipv4/ip_tables.h:26,
>                  from include/libiptc/libiptc.h:6,
>                  from libiptc/libip4tc.c:29:
> /ws/linux-2.6/include/linux/netfilter.h:53: error: expected 
> specifier-qualifier-list before ‘__be32’
> make: *** [libiptc/libip4tc.o] Error 1


Userspace has to deal with these types, they're already used
in many other structures. I've already added the necessary
defines or typedefs to the iptables headers some time ago.
We should probably just include <linux/types.h> to fix it
though. Could you give that a try?


* Re: [PATCH 3/7] Let xt_connlimit use nf_inet_addr
  2007-12-15 12:20     ` [PATCH 3/7] Let xt_connlimit use nf_inet_addr Jan Engelhardt
@ 2007-12-17 12:33       ` Patrick McHardy
  2007-12-17 12:52         ` Jan Engelhardt
  0 siblings, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:33 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Make xt_connlimit use the new union nf_inet_addr.

Applied, thanks. Could you make your subjects follow the
naming convention for netfilter patches please? That
would avoid the need to edit them every time I apply
a patch:

[NETFILTER]: xt_connlimit: use the new union nf_inet_addr

Somewhere in the email itself would also be fine.


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 12:28     ` Jan Engelhardt
  2007-12-15 15:55       ` Pablo Neira Ayuso
@ 2007-12-17 12:37       ` Patrick McHardy
  2007-12-17 12:55         ` Jan Engelhardt
  1 sibling, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:37 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 11 2007 11:25, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> Introduce the xt_mark match revision 1. It uses fixed types,
>>> with the goal of obsoleting revision 0 some day (uses nonfixed types).
>> I don't know. We already have all this compat crap because
>> we specifically don't want to obsolete old userspace binaries,
>> so the only benefit I see is a minor decrease in overhead
>> when loading rules.
>>
> There are two sorts of compatibility.
> 
> * "Post-breakage fixes" like ->compat_from_user and ->compat_to_user
>   which have to deal with 32-bit user / 64-bit kernel
> 
> * ->revision which is a good architecture to keep older interfaces a
>   little longer.
> 
> The ->revision game is ok IMHO; there will always be revision
> differences between user- and k-space, and it is a nice architecture
> for new-behavior revisions. But the ->compat* fluff is not really
> needed anymore once switched to fixed types everywhere (reasonable
> time needed).


I actually just added compat support for MARK v1 since we
need that for old ip6tables binaries.

> Old revisions should be purged after a "reasonable time" (whatever
> that means for everyone), or perhaps whenever there is a Linux kernel
> version with a trailing .0 (2.7.0, 2.8.0), or when great new things
> appear (pkttables, or whatever is in the works).
> 
> I think the step should better be made now than later, or this cruft
> will be carried for the next 10 instead of 5 years.


Mhh .. well, I guess I would apply patches that fix the types
for all matches and targets and add the old revisions to
feature-removal-schedule with a timeframe of maybe two years.
But this should happen for all of them at once, we don't
want 20 different dates for removal.


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 16:42           ` Pablo Neira Ayuso
  2007-12-15 21:26             ` Jan Engelhardt
@ 2007-12-17 12:47             ` Patrick McHardy
  2007-12-17 13:08               ` Pablo Neira Ayuso
  1 sibling, 1 reply; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:47 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, Netfilter Developer Mailing List

Pablo Neira Ayuso wrote:
> Jan Engelhardt wrote:
>> What will netlink bring us, with respect to the two states:
>> - old iptables, new kernel
>> - new iptables, old kernel
>> so matching some UUIDs (and .revision is one, more or less) seems like the way
>> to go.
> 
> Netlink doesn't stick us to fixed structure layouts as it happens to the
> current interface since we represent the messages kernel <-> userspace
> in TLV (type-length-value) format. Thus, userspace and kernel won't
> share structures and new features just require a new type. For that
> reason, the netlink interface won't require such revision infrastructure.
> 
> Not that I'm against your patches, I'm just stating the right direction
> to go for those 5-10 years that you have mentioned. And of course, we
> don't have a single line of such interface at the moment :)


Actually we do, I've been working on it, but had to interrupt
for some other stuff. I hope to get back to it over christmas
and beginning of next year. The goal is to add a compat layer
for old iptables userspace, but I don't really care about how
ugly it gets since we hopefully never have to look at it again
until its removal :)



* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-15 21:26             ` Jan Engelhardt
@ 2007-12-17 12:49               ` Patrick McHardy
  0 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:49 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 15 2007 17:42, Pablo Neira Ayuso wrote:
>
>> Netlink doesn't stick us to fixed structure layouts as it happens to the
>> current interface since we represent the messages kernel <-> userspace
>> in TLV (type-length-value) format. Thus, userspace and kernel won't
>> share structures and new features just require a new type. For that
>> reason, the netlink interface won't require such revision infrastructure.
>>
> Please explain the TLV thing. How would something like
> struct ipt_tos_target_info (revision 0, in net-2.6.25/xt_DSCP.c) and
> struct xt_tos_target_info (revision 1, in net-2.6.25/xt_DSCP.c) be
> encoded?
> Does the mere presence of a TLV block (sending it over netlink) indicate
> a certain revision?


Since the kernel doesn't share structures with userspace anymore,
you can simply use the most generic form within the kernel and
put the userspace-data in the required form during initialization.

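The contrast Pablo draws above between fixed structure layouts with a revision number and a TLV-encoded netlink message, together with Patrick's answer that the kernel can keep one generic form and convert the userspace data during initialisation, as an added example. This is not code from the thread or from the netfilter tree: the attribute layout is only modelled on netlink's type/length header, the two fixed-layout structs (`rev0_info`, `rev1_info`) are hypothetical stand-ins loosely shaped like the two TOS structs Jan asks about, and `generic_tos`, the attribute numbers and every function name are assumptions. The decoder skips attribute types it does not know and rejects any length field that does not fit the buffer.

```c
/* Added example, not code from this thread or the netfilter tree: a
 * fixed-layout "revision" blob beside a self-describing TLV message
 * (modelled on netlink attributes), both mapped into one generic form.
 * Every name below is an assumption. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed layouts: user and kernel must agree byte for byte, so only the
 * revision number tells these two apart. */
struct rev0_info { uint8_t tos; };                         /* hypothetical rev 0 */
struct rev1_info { uint8_t tos_value; uint8_t tos_mask; }; /* hypothetical rev 1 */
struct generic_tos { uint8_t value; uint8_t mask; };       /* kernel-internal form */

/* Map a fixed blob of a known revision; reject anything else rather than
 * read past the end of a blob shorter than the struct we assume. */
int fixed_to_generic(unsigned revision, const void *data, size_t len,
                     struct generic_tos *out)
{
    if (revision == 0 && len == sizeof(struct rev0_info)) {
        const struct rev0_info *r = data;
        out->value = r->tos;
        out->mask = 0xff;               /* rev 0 could only set the whole field */
        return 0;
    }
    if (revision == 1 && len == sizeof(struct rev1_info)) {
        const struct rev1_info *r = data;
        out->value = r->tos_value;
        out->mask = r->tos_mask;
        return 0;
    }
    return -1;
}

/* TLV: 4-byte header (len includes the header), payload, pad to 4. */
struct tlv_hdr { uint16_t len; uint16_t type; };
enum { ATTR_TOS_VALUE = 1, ATTR_TOS_MASK = 2, ATTR_FUTURE = 3 };
#define TLV_ALIGN(n) (((n) + 3u) & ~3u)

/* Append one attribute; returns the new used length, or 0 if it does not fit. */
size_t tlv_put(uint8_t *buf, size_t used, size_t cap, uint16_t type,
               const void *payload, uint16_t plen)
{
    size_t total = sizeof(struct tlv_hdr) + plen;
    struct tlv_hdr h = { (uint16_t)total, type };
    if (used > cap || TLV_ALIGN(total) > cap - used)
        return 0;
    memcpy(buf + used, &h, sizeof h);
    memcpy(buf + used + sizeof h, payload, plen);
    memset(buf + used + total, 0, TLV_ALIGN(total) - total);
    return used + TLV_ALIGN(total);
}

/* Walk the attributes into the generic form. Unknown types are skipped (a
 * newer userspace may send them; no revision bump needed). A header that is
 * truncated or claims a length past the buffer returns -1; otherwise the
 * number of attributes visited is returned. */
int tlv_to_generic(const uint8_t *buf, size_t len, struct generic_tos *out)
{
    size_t off = 0, plen;
    struct tlv_hdr h;
    int seen = 0;
    out->value = 0;
    out->mask = 0xff;
    while (off < len) {
        if (len - off < sizeof h)
            return -1;                          /* truncated header */
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || h.len > len - off)
            return -1;                          /* length field lies */
        plen = h.len - sizeof h;
        switch (h.type) {
        case ATTR_TOS_VALUE:
            if (plen != 1) return -1;
            out->value = buf[off + sizeof h];
            break;
        case ATTR_TOS_MASK:
            if (plen != 1) return -1;
            out->mask = buf[off + sizeof h];
            break;
        default:
            break;                              /* unknown attribute: ignored */
        }
        seen++;
        off += TLV_ALIGN(h.len);
    }
    return seen;
}

int main(void)
{
    struct generic_tos g;
    uint8_t msg[64], v = 0x10, m = 0x3f;
    uint32_t future = 0x12345678;   /* constructed: a type this decoder does not know */
    size_t used = tlv_put(msg, 0, sizeof msg, ATTR_TOS_VALUE, &v, 1);
    int n;
    used = tlv_put(msg, used, sizeof msg, ATTR_TOS_MASK, &m, 1);
    used = tlv_put(msg, used, sizeof msg, ATTR_FUTURE, &future, 4);
    n = tlv_to_generic(msg, used, &g);
    printf("%d attributes, value=0x%02x mask=0x%02x\n", n, g.value, g.mask);
    return n < 0;
}
```

The point for a reviewer is where validation happens: a fixed struct is checked once, by its size and its revision number, and a mismatch is a hard reject; a TLV stream has to be checked per attribute, and the `h.len` test before every read is what keeps a bad length field from turning into an out-of-bounds read, while an attribute type the kernel has never seen costs nothing more than a skipped entry.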

* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-17 12:28       ` Patrick McHardy
@ 2007-12-17 12:51         ` Jan Engelhardt
  2007-12-17 13:00           ` Patrick McHardy
  0 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-17 12:51 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 17 2007 13:28, Patrick McHardy wrote:
>
> Userspace has to deal with these types, they're already used
> in many other structures. I've already added the necessary
> defines or typedefs to the iptables headers some time ago.

Yeah, but these defines were missing from libiptc, so I copied
them there (see patch).

> We should probably just include <linux/types.h> to fix it
> though. Could you give that a try?

It works, so please use this one:
===

Remove our own definitions of the Linux types and use <linux/types.h>
instead. libiptc needs it too, or otherwise will choke on union
nf_inet_addr.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>

---
 include/libiptc/libip6tc.h |    1 +
 include/libiptc/libiptc.h  |    1 +
 include/xtables.h          |    6 +-----
 3 files changed, 3 insertions(+), 5 deletions(-)

Index: iptables-modules/include/libiptc/libip6tc.h
===================================================================
--- iptables-modules.orig/include/libiptc/libip6tc.h
+++ iptables-modules/include/libiptc/libip6tc.h
@@ -2,6 +2,7 @@
 #define _LIBIP6TC_H
 /* Library which manipulates firewall rules. Version 0.2. */
 
+#include <linux/types.h>
 #include <libiptc/ipt_kernel_headers.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
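Review bot: the new `#include <linux/types.h>` sits ahead of `<libiptc/ipt_kernel_headers.h>`, which is the order that matters here: union nf_inet_addr in linux/netfilter.h uses __be32, and the "expected specifier-qualifier-list before '__be32'" error quoted earlier in the thread is what happens when that header is parsed first. Worth a one-line comment above the include saying so, since an include with no visible user in this file is a likely candidate for a later cleanup.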
Index: iptables-modules/include/libiptc/libiptc.h
===================================================================
--- iptables-modules.orig/include/libiptc/libiptc.h
+++ iptables-modules/include/libiptc/libiptc.h
@@ -2,6 +2,7 @@
 #define _LIBIPTC_H
 /* Library which manipulates filtering rules. */
 
+#include <linux/types.h>
 #include <libiptc/ipt_kernel_headers.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
Index: iptables-modules/include/xtables.h
===================================================================
--- iptables-modules.orig/include/xtables.h
+++ iptables-modules/include/xtables.h
@@ -2,6 +2,7 @@
 #define _XTABLES_H
 
 #include <sys/types.h>
+#include <linux/types.h>
 #include <linux/netfilter/x_tables.h>
 #include <libiptc/libxtc.h>
 
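Review bot: `<sys/types.h>` and `<linux/types.h>` are now both included unconditionally at the top of xtables.h, so every extension inherits both; the build line in Patrick's reply shows the kernel headers come from `-I"/lib/modules/.../build"/include`, meaning which <linux/types.h> is picked up depends on that path. A short comment naming the reason for the include (the kernel's __be32/__be16 typedefs used by the netfilter headers) would save the next reader from re-deriving it.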
@@ -234,9 +235,4 @@ extern const char *program_name, *progra
   extern void init_extensions(void);
 #endif
 
-#define __be32	u_int32_t
-#define __le32	u_int32_t
-#define __be16	u_int16_t
-#define __le16	u_int16_t
-
 #endif /* _XTABLES_H */
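Review bot: removing these four `#define`s is the part that actually clears the earlier failure: with the macros gone, the kernel's `typedef ... __be32;` in <linux/types.h> is no longer rewritten into a typedef of u_int32_t, so there is nothing left to collide with <sys/types.h>. Before applying, grep the extensions for code that relied on these names being macros (an `#ifdef __be32`, for instance) and for any file that used __be32 without going through xtables.h, since such a file now needs <linux/types.h> itself.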


* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-15 16:21       ` Jan Engelhardt
@ 2007-12-17 12:52         ` Patrick McHardy
  0 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:52 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> Add __beXX types to libiptc.
> Also add __be64/__le64 for completeness.

Doesn't compile here:

Extensions found:
cc -O2 -Wall -Wunused -I"/lib/modules/2.6.24-rc3/build"/include 
-I"/lib/modules/2.6.24-rc3/source"/include -Iinclude/ 
-DIPTABLES_VERSION=\"1.4.0rc1\"  -fPIC -o extensions/libipt_iprange_sh.o 
-c extensions/libipt_iprange.c
In file included from 
/lib/modules/2.6.24-rc3/build/include/linux/netfilter_ipv4/ipt_iprange.h:5,
                  from extensions/libipt_iprange.c:10:
/lib/modules/2.6.24-rc3/build/include/linux/types.h:185: error: 
conflicting types for 'u_int64_t'
/usr/include/sys/types.h:204: error: previous declaration of 'u_int64_t' 
was here
/lib/modules/2.6.24-rc3/build/include/linux/types.h:186: error: 
redefinition of typedef 'u_int64_t'
/lib/modules/2.6.24-rc3/build/include/linux/types.h:185: error: previous 
declaration of 'u_int64_t' was here
make: *** [extensions/libipt_iprange_sh.o] Error 1

I guess we still should add the missing <linux/types.h> includes
to the netfilter headers for old userspace sources.


* Re: [PATCH 3/7] Let xt_connlimit use nf_inet_addr
  2007-12-17 12:33       ` Patrick McHardy
@ 2007-12-17 12:52         ` Jan Engelhardt
  2007-12-17 12:54           ` Patrick McHardy
  0 siblings, 1 reply; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-17 12:52 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 17 2007 13:33, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> Make xt_connlimit use the new union nf_inet_addr.
>
> Applied, thanks. Could you make your subjects follow the
> naming convention for netfilter patches please? That
> would avoid the need to edit them every time I apply
> a patch:
>
> [NETFILTER]: xt_connlimit: use the new union nf_inet_addr

Ok!

> Somewhere in the email itself would also be fine.
>
That generally does not work :P  - the git changelog then
has the same line twice. (Look at `git log
67b4af297033f5f65999885542f95ba7b562848a` - there is twice
"Fix forgotten module release")


* Re: [PATCH 3/7] Let xt_connlimit use nf_inet_addr
  2007-12-17 12:52         ` Jan Engelhardt
@ 2007-12-17 12:54           ` Patrick McHardy
  0 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 12:54 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 17 2007 13:33, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> Make xt_connlimit use the new union nf_inet_addr.
>> Applied, thanks. Could you make your subjects follow the
>> naming convention for netfilter patches please? That
>> would avoid the need to edit them every time I apply
>> a patch:
>>
>> [NETFILTER]: xt_connlimit: use the new union nf_inet_addr
> 
> Ok!
> 
>> Somewhere in the email itself would also be fine.
>>
> That generally does not work :P  - the git changelog then
> has the same line twice. (Look at `git log
> 67b4af297033f5f65999885542f95ba7b562848a` - there is twice
> "Fix forgotten module release")


That's fine, I apply patches using stg import -m -e, so I go
over them in an editor anyway (and can delete duplicate
lines if I notice). Not having to edit the entire message
is just a time saver :)



* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-17 12:37       ` Patrick McHardy
@ 2007-12-17 12:55         ` Jan Engelhardt
  0 siblings, 0 replies; 35+ messages in thread
From: Jan Engelhardt @ 2007-12-17 12:55 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Developer Mailing List


On Dec 17 2007 13:37, Patrick McHardy wrote:
>> Old revisions should be purged after a "reasonable time" (whatever
>> that means for everyone), or perhaps whenever there is a Linux kernel
>> version with a trailing .0 (2.7.0, 2.8.0), or when great new things
>> appear (pkttables, or whatever is in the works).
>> 
>> I think the step should better be made now than later, or this cruft
>> will be carried for the next 10 instead of 5 years.
>
>
> Mhh .. well, I guess I would apply patches that fix the types
> for all matches and targets and add the old revisions to
> feature-removal-schedule with a timeframe of maybe two years.
> But this should happen for all of them at once, we don't
> want 20 different dates for removal.
>
>
I am working my way through... I just began with MARK because that
was most obvious.

Not all matches/targets are conversion-only. E.g. MARK, where I did
both use-fixed-types and implement-XOR as a single revision/update,
which is, IMO, a good thing.


* Re: [PATCH 2/7] Introduce nf_inet_address
  2007-12-17 12:51         ` Jan Engelhardt
@ 2007-12-17 13:00           ` Patrick McHardy
  0 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 13:00 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Dec 17 2007 13:28, Patrick McHardy wrote:
>> Userspace has to deal with these types, they're already used
>> in many other structures. I've already added the necessary
>> defines or typedefs to the iptables headers some time ago.
> 
> Yeah, but these defines were missing from libiptc, so I copied
> them there (see patch).
> 
>> We should probably just include <linux/types.h> to fix it
>> though. Could you give that a try?
> 
> It works, so please use this one:
> ===
> 
> Remove our own definitions of the Linux types and use <linux/types.h>
> instead. libiptc needs it too, or otherwise will choke on union
> nf_inet_addr.


This one works fine, thanks. Applied.


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-17 12:47             ` Patrick McHardy
@ 2007-12-17 13:08               ` Pablo Neira Ayuso
  2007-12-17 13:44                 ` Patrick McHardy
  0 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2007-12-17 13:08 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Jan Engelhardt, Netfilter Developer Mailing List

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Jan Engelhardt wrote:
>>> What will netlink bring us, with respect to the two states:
>>> - old iptables, new kernel
>>> - new iptables, old kernel
>>> so matching some UUIDs (and .revision is one, more or less) seems
>>> like the way
>>> to go.
>>
>> Netlink doesn't stick us to fixed structure layouts as it happens to the
>> current interface since we represent the messages kernel <-> userspace
>> in TLV (type-length-value) format. Thus, userspace and kernel won't
>> share structures and new features just require a new type. For that
>> reason, the netlink interface won't require such revision infrastructure.
>>
>> Not that I'm against your patches, I'm just stating the right direction
>> to go for those 5-10 years that you have mentioned. And of course, we
>> don't have a single line of such interface at the moment :)
> 
> 
> Actually we do, I've been working on it, but had to interrupt
> for some other stuff. I hope to get back to it over christmas
> and beginning of next year. The goal is to add a compat layer
> for old iptables userspace, but I don't really care about how
> ugly it gets since we hopefully never have to look at it again
> until its removal :)

Cool, consider putting it somewhere, I'm willing to contribute to it ;).
BTW, if nobody complains I'll release iptables 1.4.0 final between today
and tomorrow.

-- 
"Honest people are social misfits" -- Les Luthiers


* Re: [PATCH 4/7] xt_mark match rev 1
  2007-12-17 13:08               ` Pablo Neira Ayuso
@ 2007-12-17 13:44                 ` Patrick McHardy
  0 siblings, 0 replies; 35+ messages in thread
From: Patrick McHardy @ 2007-12-17 13:44 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, Netfilter Developer Mailing List

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> Pablo Neira Ayuso wrote:
>
>>> Not that I'm against your patches, I'm just stating the right direction
>>> to go for those 5-10 years that you have mentioned. And of course, we
>>> don't have a single line of such interface at the moment :)
>>
>> Actually we do, I've been working on it, but had to interrupt
>> for some other stuff. I hope to get back to it over christmas
>> and beginning of next year. The goal is to add a compat layer
>> for old iptables userspace, but I don't really care about how
>> ugly it gets since we hopefully never have to look at it again
>> until its removal :)
> 
> Cool, consider putting it somewhere, I'm willing to contribute to it ;).

It's not really in a state for that yet, but I will as soon as it is.

> BTW, if nobody complains I'll release iptables 1.4.0 final between today
> and tomorrow.

Great, thanks.



end of thread, other threads:[~2007-12-17 13:45 UTC | newest]

Thread overview: 35+ messages
2007-12-07  2:35 [PATCH 1/7] Use %u format specifiers Jan Engelhardt
2007-12-07  2:36 ` [PATCH 2/7] Introduce nf_inet_address Jan Engelhardt
2007-12-11 10:16   ` Patrick McHardy
2007-12-15 12:06     ` Jan Engelhardt
2007-12-15 16:21       ` Jan Engelhardt
2007-12-17 12:52         ` Patrick McHardy
2007-12-17 12:28       ` Patrick McHardy
2007-12-17 12:51         ` Jan Engelhardt
2007-12-17 13:00           ` Patrick McHardy
2007-12-07  2:40 ` [PATCH 3/7] xt_connlimit rev 1 Jan Engelhardt
2007-12-11 10:19   ` Patrick McHardy
2007-12-15 12:20     ` [PATCH 3/7] Let xt_connlimit use nf_inet_addr Jan Engelhardt
2007-12-17 12:33       ` Patrick McHardy
2007-12-17 12:52         ` Jan Engelhardt
2007-12-17 12:54           ` Patrick McHardy
2007-12-07  2:41 ` [PATCH 4/7] xt_mark match rev 1 Jan Engelhardt
2007-12-11 10:25   ` Patrick McHardy
2007-12-15 12:28     ` Jan Engelhardt
2007-12-15 15:55       ` Pablo Neira Ayuso
2007-12-15 16:10         ` Jan Engelhardt
2007-12-15 16:42           ` Pablo Neira Ayuso
2007-12-15 21:26             ` Jan Engelhardt
2007-12-17 12:49               ` Patrick McHardy
2007-12-17 12:47             ` Patrick McHardy
2007-12-17 13:08               ` Pablo Neira Ayuso
2007-12-17 13:44                 ` Patrick McHardy
2007-12-17 12:37       ` Patrick McHardy
2007-12-17 12:55         ` Jan Engelhardt
2007-12-07  2:41 ` [PATCH 5/7] xt_MARK target rev 2 Jan Engelhardt
2007-12-11 10:27   ` Patrick McHardy
2007-12-15 13:59     ` Jan Engelhardt
2007-12-15 14:47       ` Jan Engelhardt
2007-12-07  2:42 ` [PATCH 6/7] xt_connmark rev 1 Jan Engelhardt
2007-12-07  2:42 ` [PATCH 7/7] xt_CONNMARK " Jan Engelhardt
2007-12-11 10:13 ` [PATCH 1/7] Use %u format specifiers Patrick McHardy
