guided option parser, run 7

guided option parser, run 7

[Jan Engelhardt]

The following changes since commit 8075493a00e06857147263574333df4073ea671b:

  Merge branch 'opts' of git://dev.medozas.de/iptables (2011-05-11 13:43:44 +0200)

are available in the git repository at:

  git://dev.medozas.de/iptables floating/opts

Jan Engelhardt (11):
      libip6t_mh: use guided option parser
      libip6t_rt: use guided option parser
      libxtables: XTTYPE_ETHERMAC support
      libxt_mac: use guided option parser
      libipt_CLUSTERIP: use guided option parser
      libxt_iprange: use guided option parser
      libipt_DNAT: use guided option parser
      libipt_SNAT: use guided option parser
      libipt_MASQUERADE: use guided option parser
      libipt_REDIRECT: use guided option parser
      libipt_SAME: use guided option parser

 extensions/libip6t_mh.c        |   44 ++++-------
 extensions/libip6t_rt.c        |  159 +++++++++++-----------------------------
 extensions/libipt_CLUSTERIP.c  |  157 +++++++++++++--------------------------
 extensions/libipt_DNAT.c       |   88 ++++++++++------------
 extensions/libipt_MASQUERADE.c |   48 +++++-------
 extensions/libipt_REDIRECT.c   |   62 ++++++---------
 extensions/libipt_SAME.c       |   82 ++++++++-------------
 extensions/libipt_SNAT.c       |   88 ++++++++++------------
 extensions/libxt_iprange.c     |  144 ++++++++++++++----------------------
 extensions/libxt_mac.c         |   80 +++++---------------
 include/xtables.h.in           |    3 +
 xtoptions.c                    |   26 +++++++
 12 files changed, 370 insertions(+), 611 deletions(-)

[PATCH 01/11] libip6t_mh: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_mh.c |   44 +++++++++++++++++---------------------------
 1 files changed, 17 insertions(+), 27 deletions(-)

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 460f9e4..686a293 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -11,15 +11,17 @@
  *
  * Based on libip6t_{icmpv6,udp}.c
  */
-#include <stdbool.h>
+#include <stdint.h>
 #include <stdio.h>
-#include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv6/ip6t_mh.h>
 
+enum {
+	O_MH_TYPE = 0,
+};
+
 struct mh_name {
 	const char *name;
 	uint8_t type;
@@ -122,27 +124,14 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
 	free(buffer);
 }
 
-#define MH_TYPES 0x01
-
-static int mh_parse(int c, char **argv, int invert, unsigned int *flags,
-                    const void *entry, struct xt_entry_match **match)
+static void mh_parse(struct xt_option_call *cb)
 {
-	struct ip6t_mh *mhinfo = (struct ip6t_mh *)(*match)->data;
-
-	switch (c) {
-	case '1':
-		if (*flags & MH_TYPES)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--mh-type' allowed");
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		parse_mh_types(optarg, mhinfo->types);
-		if (invert)
-			mhinfo->invflags |= IP6T_MH_INV_TYPE;
-		*flags |= MH_TYPES;
-		break;
-	}
+	struct ip6t_mh *mhinfo = cb->data;
 
-	return 1;
+	xtables_option_parse(cb);
+	parse_mh_types(cb->arg, mhinfo->types);
+	if (cb->invert)
+		mhinfo->invflags |= IP6T_MH_INV_TYPE;
 }
 
 static const char *type_to_name(uint8_t type)
@@ -213,9 +202,10 @@ static void mh_save(const void *ip, const struct xt_entry_match *match)
 		printf(" --mh-type %u", mhinfo->types[0]);
 }
 
-static const struct option mh_opts[] = {
-	{.name = "mh-type", .has_arg = true, .val = '1'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry mh_opts[] = {
+	{.name = "mh-type", .id = O_MH_TYPE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	XTOPT_TABLEEND,
 };
 
 static struct xtables_match mh_mt6_reg = {
@@ -226,10 +216,10 @@ static struct xtables_match mh_mt6_reg = {
 	.userspacesize	= XT_ALIGN(sizeof(struct ip6t_mh)),
 	.help		= mh_help,
 	.init		= mh_init,
-	.parse		= mh_parse,
+	.x6_parse	= mh_parse,
 	.print		= mh_print,
 	.save		= mh_save,
-	.extra_opts	= mh_opts,
+	.x6_options	= mh_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 02/11] libip6t_rt: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libip6t_rt.c |  159 +++++++++++++----------------------------------
 1 files changed, 44 insertions(+), 115 deletions(-)

diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 1c57dbd..11bfda9 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -1,19 +1,20 @@
-/* Shared library add-on to ip6tables to add Routing header support. */
-#include <stdbool.h>
 #include <stdio.h>
-#include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
-#include <errno.h>
 #include <xtables.h>
-/*#include <linux/in6.h>*/
 #include <linux/netfilter_ipv6/ip6t_rt.h>
-#include <sys/types.h>
-#include <sys/socket.h>
 #include <arpa/inet.h>
 
-/*#define DEBUG	1*/
+enum {
+	O_RT_TYPE = 0,
+	O_RT_SEGSLEFT,
+	O_RT_LEN,
+	O_RT0RES,
+	O_RT0ADDRS,
+	O_RT0NSTRICT,
+	F_RT_TYPE  = 1 << O_RT_TYPE,
+	F_RT0ADDRS = 1 << O_RT0ADDRS,
+};
 
 static void rt_help(void)
 {
@@ -28,58 +29,20 @@ static void rt_help(void)
 IP6T_RT_HOPS);
 }
 
-static const struct option rt_opts[] = {
-	{.name = "rt-type",         .has_arg = true,  .val = '1'},
-	{.name = "rt-segsleft",     .has_arg = true,  .val = '2'},
-	{.name = "rt-len",          .has_arg = true,  .val = '3'},
-	{.name = "rt-0-res",        .has_arg = false, .val = '4'},
-	{.name = "rt-0-addrs",      .has_arg = true,  .val = '5'},
-	{.name = "rt-0-not-strict", .has_arg = false, .val = '6'},
-	XT_GETOPT_TABLEEND,
+#define s struct ip6t_rt
+static const struct xt_option_entry rt_opts[] = {
+	{.name = "rt-type", .id = O_RT_TYPE, .type = XTTYPE_UINT32RC,
+	 .flags = XTOPT_INVERT},
+	{.name = "rt-segsleft", .id = O_RT_SEGSLEFT, .type = XTTYPE_UINT32RC,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, segsleft)},
+	{.name = "rt-len", .id = O_RT_LEN, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, hdrlen)},
+	{.name = "rt-0-res", .id = O_RT0RES, .type = XTTYPE_NONE},
+	{.name = "rt-0-addrs", .id = O_RT0ADDRS, .type = XTTYPE_STRING},
+	{.name = "rt-0-not-strict", .id = O_RT0NSTRICT, .type = XTTYPE_STRING},
+	XTOPT_TABLEEND,
 };
-
-static uint32_t
-parse_rt_num(const char *idstr, const char *typestr)
-{
-	unsigned long int id;
-	char* ep;
-
-	id =  strtoul(idstr,&ep,0) ;
-
-	if ( idstr == ep ) {
-		xtables_error(PARAMETER_PROBLEM,
-			   "RT no valid digits in %s `%s'", typestr, idstr);
-	}
-	if ( id == ULONG_MAX  && errno == ERANGE ) {
-		xtables_error(PARAMETER_PROBLEM,
-			   "%s `%s' specified too big: would overflow",
-			   typestr, idstr);
-	}	
-	if ( *idstr != '\0'  && *ep != '\0' ) {
-		xtables_error(PARAMETER_PROBLEM,
-			   "RT error parsing %s `%s'", typestr, idstr);
-	}
-	return id;
-}
-
-static void
-parse_rt_segsleft(const char *idstring, uint32_t *ids)
-{
-	char *buffer;
-	char *cp;
-
-	buffer = strdup(idstring);
-	if ((cp = strchr(buffer, ':')) == NULL)
-		ids[0] = ids[1] = parse_rt_num(buffer,"segsleft");
-	else {
-		*cp = '\0';
-		cp++;
-
-		ids[0] = buffer[0] ? parse_rt_num(buffer,"segsleft") : 0;
-		ids[1] = cp[0] ? parse_rt_num(cp,"segsleft") : 0xFFFFFFFF;
-	}
-	free(buffer);
-}
+#undef s
 
 static const char *
 addr_to_numeric(const struct in6_addr *addrp)
@@ -143,83 +106,49 @@ static void rt_init(struct xt_entry_match *m)
 	rtinfo->segsleft[1] = 0xFFFFFFFF;
 }
 
-static int rt_parse(int c, char **argv, int invert, unsigned int *flags,
-                    const void *entry, struct xt_entry_match **match)
+static void rt_parse(struct xt_option_call *cb)
 {
-	struct ip6t_rt *rtinfo = (struct ip6t_rt *)(*match)->data;
+	struct ip6t_rt *rtinfo = cb->data;
 
-	switch (c) {
-	case '1':
-		if (*flags & IP6T_RT_TYP)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--rt-type' allowed");
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		rtinfo->rt_type = parse_rt_num(optarg, "type");
-		if (invert)
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_RT_TYPE:
+		if (cb->invert)
 			rtinfo->invflags |= IP6T_RT_INV_TYP;
 		rtinfo->flags |= IP6T_RT_TYP;
-		*flags |= IP6T_RT_TYP;
 		break;
-	case '2':
-		if (*flags & IP6T_RT_SGS)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--rt-segsleft' allowed");
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		parse_rt_segsleft(optarg, rtinfo->segsleft);
-		if (invert)
+	case O_RT_SEGSLEFT:
+		if (cb->invert)
 			rtinfo->invflags |= IP6T_RT_INV_SGS;
 		rtinfo->flags |= IP6T_RT_SGS;
-		*flags |= IP6T_RT_SGS;
 		break;
-	case '3':
-		if (*flags & IP6T_RT_LEN)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--rt-len' allowed");
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		rtinfo->hdrlen = parse_rt_num(optarg, "length");
-		if (invert)
+	case O_RT_LEN:
+		if (cb->invert)
 			rtinfo->invflags |= IP6T_RT_INV_LEN;
 		rtinfo->flags |= IP6T_RT_LEN;
-		*flags |= IP6T_RT_LEN;
 		break;
-	case '4':
-		if (*flags & IP6T_RT_RES)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--rt-0-res' allowed");
-		if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
+	case O_RT0RES:
+		if (!(cb->xflags & F_RT_TYPE) || rtinfo->rt_type != 0 ||
+		    rtinfo->invflags & IP6T_RT_INV_TYP)
 			xtables_error(PARAMETER_PROBLEM,
 				   "`--rt-type 0' required before `--rt-0-res'");
 		rtinfo->flags |= IP6T_RT_RES;
-		*flags |= IP6T_RT_RES;
 		break;
-	case '5':
-		if (*flags & IP6T_RT_FST)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--rt-0-addrs' allowed");
-		if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) )
+	case O_RT0ADDRS:
+		if (!(cb->xflags & F_RT_TYPE) || rtinfo->rt_type != 0 ||
+		    rtinfo->invflags & IP6T_RT_INV_TYP)
 			xtables_error(PARAMETER_PROBLEM,
 				   "`--rt-type 0' required before `--rt-0-addrs'");
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				   " '!' not allowed with `--rt-0-addrs'");
-		rtinfo->addrnr = parse_addresses(optarg, rtinfo->addrs);
+		rtinfo->addrnr = parse_addresses(cb->arg, rtinfo->addrs);
 		rtinfo->flags |= IP6T_RT_FST;
-		*flags |= IP6T_RT_FST;
 		break;
-	case '6':
-		if (*flags & IP6T_RT_FST_NSTRICT)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Only one `--rt-0-not-strict' allowed");
-		if ( !(*flags & IP6T_RT_FST) )
+	case O_RT0NSTRICT:
+		if (!(cb->xflags & F_RT0ADDRS))
 			xtables_error(PARAMETER_PROBLEM,
 				   "`--rt-0-addr ...' required before `--rt-0-not-strict'");
 		rtinfo->flags |= IP6T_RT_FST_NSTRICT;
-		*flags |= IP6T_RT_FST_NSTRICT;
 		break;
 	}
-
-	return 1;
 }
 
 static void
@@ -322,10 +251,10 @@ static struct xtables_match rt_mt6_reg = {
 	.userspacesize	= XT_ALIGN(sizeof(struct ip6t_rt)),
 	.help		= rt_help,
 	.init		= rt_init,
-	.parse		= rt_parse,
+	.x6_parse	= rt_parse,
 	.print		= rt_print,
 	.save		= rt_save,
-	.extra_opts	= rt_opts,
+	.x6_options	= rt_opts,
 };
 
 void
-- 
1.7.1

[PATCH 03/11] libxtables: XTTYPE_ETHERMAC support

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/xtables.h.in |    3 +++
 xtoptions.c          |   26 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/include/xtables.h.in b/include/xtables.h.in
index c3996a0..0fe4b90 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -70,6 +70,7 @@ struct in_addr;
  * %XTTYPE_PORTRC_NE:	same as %XTTYPE_PORTRC, stored in network-endian
  * %XTTYPE_PLEN:	prefix length
  * %XTTYPE_PLENMASK:	prefix length (ptr: union nf_inet_addr)
+ * %XTTYPE_ETHERMAC:	Ethernet MAC address in hex form
  */
 enum xt_option_type {
 	XTTYPE_NONE,
@@ -95,6 +96,7 @@ enum xt_option_type {
 	XTTYPE_PORTRC_NE,
 	XTTYPE_PLEN,
 	XTTYPE_PLENMASK,
+	XTTYPE_ETHERMAC,
 };
 
 /**
@@ -164,6 +166,7 @@ struct xt_option_call {
 		struct {
 			uint32_t mark, mask;
 		};
+		uint8_t ethermac[6];
 	} val;
 	/* Wished for a world where the ones below were gone: */
 	union {
diff --git a/xtoptions.c b/xtoptions.c
index 70370ed..8d54dd8 100644
--- a/xtoptions.c
+++ b/xtoptions.c
@@ -672,6 +672,30 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
 	cb->arg = orig_arg;
 }
 
+static void xtopt_parse_ethermac(struct xt_option_call *cb)
+{
+	const char *arg = cb->arg;
+	unsigned int i;
+	char *end;
+
+	for (i = 0; i < ARRAY_SIZE(cb->val.ethermac) - 1; ++i) {
+		cb->val.ethermac[i] = strtoul(arg, &end, 16);
+		if (cb->val.ethermac[i] > UINT8_MAX || *end != ':')
+			goto out;
+		arg = end + 1;
+	}
+	i = ARRAY_SIZE(cb->val.ethermac) - 1;
+	cb->val.ethermac[i] = strtoul(arg, &end, 16);
+	if (cb->val.ethermac[i] > UINT8_MAX || *end != '\0')
+		goto out;
+	if (cb->entry->flags & XTOPT_PUT)
+		memcpy(XTOPT_MKPTR(cb), cb->val.ethermac,
+		       sizeof(cb->val.ethermac));
+	return;
+ out:
+	xt_params->exit_err(PARAMETER_PROBLEM, "ether");
+}
+
 static void (*const xtopt_subparse[])(struct xt_option_call *) = {
 	[XTTYPE_UINT8]       = xtopt_parse_int,
 	[XTTYPE_UINT16]      = xtopt_parse_int,
@@ -695,6 +719,7 @@ static void (*const xtopt_subparse[])(struct xt_option_call *) = {
 	[XTTYPE_PORTRC_NE]   = xtopt_parse_mport,
 	[XTTYPE_PLEN]        = xtopt_parse_plen,
 	[XTTYPE_PLENMASK]    = xtopt_parse_plenmask,
+	[XTTYPE_ETHERMAC]    = xtopt_parse_ethermac,
 };
 
 static const size_t xtopt_psize[] = {
@@ -721,6 +746,7 @@ static const size_t xtopt_psize[] = {
 	[XTTYPE_PORTRC]      = sizeof(uint16_t[2]),
 	[XTTYPE_PORTRC_NE]   = sizeof(uint16_t[2]),
 	[XTTYPE_PLENMASK]    = sizeof(union nf_inet_addr),
+	[XTTYPE_ETHERMAC]    = sizeof(uint8_t[6]),
 };
 
 /**
-- 
1.7.1

[PATCH 04/11] libxt_mac: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_mac.c |   80 ++++++++++++------------------------------------
 1 files changed, 20 insertions(+), 60 deletions(-)

diff --git a/extensions/libxt_mac.c b/extensions/libxt_mac.c
index d7e65da..f171d15 100644
--- a/extensions/libxt_mac.c
+++ b/extensions/libxt_mac.c
@@ -1,10 +1,4 @@
-/* Shared library add-on to iptables to add MAC address support. */
-#include <stdbool.h>
 #include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
 #if defined(__GLIBC__) && __GLIBC__ == 2
 #include <net/ethernet.h>
 #else
@@ -13,6 +7,10 @@
 #include <xtables.h>
 #include <linux/netfilter/xt_mac.h>
 
+enum {
+	O_MAC = 0,
+};
+
 static void mac_help(void)
 {
 	printf(
@@ -21,70 +19,33 @@ static void mac_help(void)
 "				Match source MAC address\n");
 }
 
-static const struct option mac_opts[] = {
-	{.name = "mac-source", .has_arg = true, .val = '1'},
-	XT_GETOPT_TABLEEND,
+#define s struct xt_mac_info
+static const struct xt_option_entry mac_opts[] = {
+	{.name = "mac-source", .id = O_MAC, .type = XTTYPE_ETHERMAC,
+	 .flags = XTOPT_MAND | XTOPT_INVERT | XTOPT_PUT,
+	 XTOPT_POINTER(s, srcaddr)},
+	XTOPT_TABLEEND,
 };
+#undef s
 
-static void
-parse_mac(const char *mac, struct xt_mac_info *info)
-{
-	unsigned int i = 0;
-
-	if (strlen(mac) != ETH_ALEN*3-1)
-		xtables_error(PARAMETER_PROBLEM, "Bad mac address \"%s\"", mac);
-
-	for (i = 0; i < ETH_ALEN; i++) {
-		long number;
-		char *end;
-
-		number = strtol(mac + i*3, &end, 16);
-
-		if (end == mac + i*3 + 2
-		    && number >= 0
-		    && number <= 255)
-			info->srcaddr[i] = number;
-		else
-			xtables_error(PARAMETER_PROBLEM,
-				   "Bad mac address `%s'", mac);
-	}
-}
-
-static int
-mac_parse(int c, char **argv, int invert, unsigned int *flags,
-          const void *entry, struct xt_entry_match **match)
+static void mac_parse(struct xt_option_call *cb)
 {
-	struct xt_mac_info *macinfo = (struct xt_mac_info *)(*match)->data;
-
-	switch (c) {
-	case '1':
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		parse_mac(optarg, macinfo);
-		if (invert)
-			macinfo->invert = 1;
-		*flags = 1;
-		break;
-	}
+	struct xt_mac_info *macinfo = cb->data;
 
-	return 1;
+	xtables_option_parse(cb);
+	if (cb->invert)
+		macinfo->invert = 1;
 }
 
-static void print_mac(const unsigned char macaddress[ETH_ALEN])
+static void print_mac(const unsigned char *macaddress)
 {
 	unsigned int i;
 
 	printf(" %02X", macaddress[0]);
-	for (i = 1; i < ETH_ALEN; i++)
+	for (i = 1; i < ETH_ALEN; ++i)
 		printf(":%02X", macaddress[i]);
 }
 
-static void mac_check(unsigned int flags)
-{
-	if (!flags)
-		xtables_error(PARAMETER_PROBLEM,
-			   "You must specify `--mac-source'");
-}
-
 static void
 mac_print(const void *ip, const struct xt_entry_match *match, int numeric)
 {
@@ -115,11 +76,10 @@ static struct xtables_match mac_match = {
 	.size		= XT_ALIGN(sizeof(struct xt_mac_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_mac_info)),
 	.help		= mac_help,
-	.parse		= mac_parse,
-	.final_check	= mac_check,
+	.x6_parse	= mac_parse,
 	.print		= mac_print,
 	.save		= mac_save,
-	.extra_opts	= mac_opts,
+	.x6_options	= mac_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 05/11] libipt_CLUSTERIP: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_CLUSTERIP.c |  157 ++++++++++++++---------------------------
 1 files changed, 52 insertions(+), 105 deletions(-)

diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index f7f46d1..301e0e1 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -19,6 +19,22 @@
 #include <xtables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 
+enum {
+	O_NEW = 0,
+	O_HASHMODE,
+	O_CLUSTERMAC,
+	O_TOTAL_NODES,
+	O_LOCAL_NODE,
+	O_HASH_INIT,
+	F_NEW         = 1 << O_NEW,
+	F_HASHMODE    = 1 << O_HASHMODE,
+	F_CLUSTERMAC  = 1 << O_CLUSTERMAC,
+	F_TOTAL_NODES = 1 << O_TOTAL_NODES,
+	F_LOCAL_NODE  = 1 << O_LOCAL_NODE,
+	F_FULL        = F_NEW | F_HASHMODE | F_CLUSTERMAC |
+	                F_TOTAL_NODES | F_LOCAL_NODE,
+};
+
 static void CLUSTERIP_help(void)
 {
 	printf(
@@ -34,130 +50,61 @@ static void CLUSTERIP_help(void)
 "  --hash-init <num>		 Set init value of the Jenkins hash\n");
 }
 
-#define	PARAM_NEW	0x0001
-#define PARAM_HMODE	0x0002
-#define PARAM_MAC	0x0004
-#define PARAM_TOTALNODE	0x0008
-#define PARAM_LOCALNODE	0x0010
-#define PARAM_HASHINIT	0x0020
-
-static const struct option CLUSTERIP_opts[] = {
-	{.name = "new",         .has_arg = false, .val = '1'},
-	{.name = "hashmode",    .has_arg = true,  .val = '2'},
-	{.name = "clustermac",  .has_arg = true,  .val = '3'},
-	{.name = "total-nodes", .has_arg = true,  .val = '4'},
-	{.name = "local-node",  .has_arg = true,  .val = '5'},
-	{.name = "hash-init",   .has_arg = true,  .val = '6'},
-	XT_GETOPT_TABLEEND,
+#define s struct ipt_clusterip_tgt_info
+static const struct xt_option_entry CLUSTERIP_opts[] = {
+	{.name = "new", .id = O_NEW, .type = XTTYPE_NONE},
+	{.name = "hashmode", .id = O_HASHMODE, .type = XTTYPE_STRING,
+	 .also = O_NEW},
+	{.name = "clustermac", .id = O_CLUSTERMAC, .type = XTTYPE_ETHERMAC,
+	 .also = O_NEW, .flags = XTOPT_PUT, XTOPT_POINTER(s, clustermac)},
+	{.name = "total-nodes", .id = O_TOTAL_NODES, .type = XTTYPE_UINT16,
+	 .flags = XTOPT_PUT, XTOPT_POINTER(s, num_total_nodes),
+	 .also = O_NEW, .max = CLUSTERIP_MAX_NODES},
+	{.name = "local-node", .id = O_LOCAL_NODE, .type = XTTYPE_UINT16,
+	 .flags = XTOPT_PUT, XTOPT_POINTER(s, local_nodes[0]),
+	 .also = O_NEW, .max = CLUSTERIP_MAX_NODES},
+	{.name = "hash-init", .id = O_HASH_INIT, .type = XTTYPE_UINT32,
+	 .flags = XTOPT_PUT, XTOPT_POINTER(s, hash_initval),
+	 .also = O_NEW, .max = UINT_MAX},
+	XTOPT_TABLEEND,
 };
+#undef s
 
-static void
-parse_mac(const char *mac, char *macbuf)
+static void CLUSTERIP_parse(struct xt_option_call *cb)
 {
-	unsigned int i = 0;
-
-	if (strlen(mac) != ETH_ALEN*3-1)
-		xtables_error(PARAMETER_PROBLEM, "Bad mac address \"%s\"", mac);
-
-	for (i = 0; i < ETH_ALEN; i++) {
-		long number;
-		char *end;
+	struct ipt_clusterip_tgt_info *cipinfo = cb->data;
 
-		number = strtol(mac + i*3, &end, 16);
-
-		if (end == mac + i*3 + 2
-		    && number >= 0
-		    && number <= 255)
-			macbuf[i] = number;
-		else
-			xtables_error(PARAMETER_PROBLEM,
-				   "Bad mac address `%s'", mac);
-	}
-}
-
-static int CLUSTERIP_parse(int c, char **argv, int invert, unsigned int *flags,
-                           const void *entry, struct xt_entry_target **target)
-{
-	struct ipt_clusterip_tgt_info *cipinfo
-		= (struct ipt_clusterip_tgt_info *)(*target)->data;
-
-	switch (c) {
-		unsigned int num;
-	case '1':
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_NEW:
 		cipinfo->flags |= CLUSTERIP_FLAG_NEW;
-		if (*flags & PARAM_NEW)
-			xtables_error(PARAMETER_PROBLEM, "Can only specify \"--new\" once\n");
-		*flags |= PARAM_NEW;
 		break;
-	case '2':
-		if (!(*flags & PARAM_NEW))
-			xtables_error(PARAMETER_PROBLEM, "Can only specify hashmode combined with \"--new\"\n");
-		if (*flags & PARAM_HMODE)
-			xtables_error(PARAMETER_PROBLEM, "Can only specify hashmode once\n");
-		if (!strcmp(optarg, "sourceip"))
+	case O_HASHMODE:
+		if (strcmp(cb->arg, "sourceip") == 0)
 			cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP;
-		else if (!strcmp(optarg, "sourceip-sourceport"))
+		else if (strcmp(cb->arg, "sourceip-sourceport") == 0)
 			cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT;
-		else if (!strcmp(optarg, "sourceip-sourceport-destport"))
+		else if (strcmp(cb->arg, "sourceip-sourceport-destport") == 0)
 			cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT_DPT;
 		else
 			xtables_error(PARAMETER_PROBLEM, "Unknown hashmode \"%s\"\n",
-				   optarg);
-		*flags |= PARAM_HMODE;
+				   cb->arg);
 		break;
-	case '3':
-		if (!(*flags & PARAM_NEW))
-			xtables_error(PARAMETER_PROBLEM, "Can only specify MAC combined with \"--new\"\n");
-		if (*flags & PARAM_MAC)
-			xtables_error(PARAMETER_PROBLEM, "Can only specify MAC once\n");
-		parse_mac(optarg, (char *)cipinfo->clustermac);
+	case O_CLUSTERMAC:
 		if (!(cipinfo->clustermac[0] & 0x01))
 			xtables_error(PARAMETER_PROBLEM, "MAC has to be a multicast ethernet address\n");
-		*flags |= PARAM_MAC;
-		break;
-	case '4':
-		if (!(*flags & PARAM_NEW))
-			xtables_error(PARAMETER_PROBLEM, "Can only specify node number combined with \"--new\"\n");
-		if (*flags & PARAM_TOTALNODE)
-			xtables_error(PARAMETER_PROBLEM, "Can only specify total node number once\n");
-		if (!xtables_strtoui(optarg, NULL, &num, 1, CLUSTERIP_MAX_NODES))
-			xtables_error(PARAMETER_PROBLEM, "Unable to parse \"%s\"\n", optarg);
-		cipinfo->num_total_nodes = num;
-		*flags |= PARAM_TOTALNODE;
 		break;
-	case '5':
-		if (!(*flags & PARAM_NEW))
-			xtables_error(PARAMETER_PROBLEM, "Can only specify node number combined with \"--new\"\n");
-		if (*flags & PARAM_LOCALNODE)
-			xtables_error(PARAMETER_PROBLEM, "Can only specify local node number once\n");
-		if (!xtables_strtoui(optarg, NULL, &num, 1, CLUSTERIP_MAX_NODES))
-			xtables_error(PARAMETER_PROBLEM, "Unable to parse \"%s\"\n", optarg);
+	case O_LOCAL_NODE:
 		cipinfo->num_local_nodes = 1;
-		cipinfo->local_nodes[0] = num;
-		*flags |= PARAM_LOCALNODE;
-		break;
-	case '6':
-		if (!(*flags & PARAM_NEW))
-			xtables_error(PARAMETER_PROBLEM, "Can only specify hash init value combined with \"--new\"\n");
-		if (*flags & PARAM_HASHINIT)
-			xtables_error(PARAMETER_PROBLEM, "Can specify hash init value only once\n");
-		if (!xtables_strtoui(optarg, NULL, &num, 0, UINT_MAX))
-			xtables_error(PARAMETER_PROBLEM, "Unable to parse \"%s\"\n", optarg);
-		cipinfo->hash_initval = num;
-		*flags |= PARAM_HASHINIT;
 		break;
 	}
-
-	return 1;
 }
 
-static void CLUSTERIP_check(unsigned int flags)
+static void CLUSTERIP_check(struct xt_fcheck_call *cb)
 {
-	if (flags == 0)
+	if (cb->xflags == 0)
 		return;
-
-	if ((flags & (PARAM_NEW|PARAM_HMODE|PARAM_MAC|PARAM_TOTALNODE|PARAM_LOCALNODE))
-		== (PARAM_NEW|PARAM_HMODE|PARAM_MAC|PARAM_TOTALNODE|PARAM_LOCALNODE))
+	if ((cb->xflags & F_FULL) == F_FULL)
 		return;
 
 	xtables_error(PARAMETER_PROBLEM, "CLUSTERIP target: Invalid parameter combination\n");
@@ -235,11 +182,11 @@ static struct xtables_target clusterip_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
 	.userspacesize	= offsetof(struct ipt_clusterip_tgt_info, config),
  	.help		= CLUSTERIP_help,
-	.parse		= CLUSTERIP_parse,
-	.final_check	= CLUSTERIP_check,
+	.x6_parse	= CLUSTERIP_parse,
+	.x6_fcheck	= CLUSTERIP_check,
 	.print		= CLUSTERIP_print,
 	.save		= CLUSTERIP_save,
-	.extra_opts	= CLUSTERIP_opts,
+	.x6_options	= CLUSTERIP_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 06/11] libxt_iprange: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_iprange.c |  144 ++++++++++++++++---------------------------
 1 files changed, 54 insertions(+), 90 deletions(-)

diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 2a91416..2c9ea99 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -1,12 +1,7 @@
-/* Shared library add-on to iptables to add IP range matching support. */
-#include <stdbool.h>
+#include <stdint.h>
 #include <stdio.h>
-#include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
-
-#include <netinet/in.h>
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/xt_iprange.h>
@@ -25,8 +20,8 @@ struct ipt_iprange_info {
 };
 
 enum {
-	F_SRCIP = 1 << 0,
-	F_DSTIP = 1 << 1,
+	O_SRC_RANGE = 0,
+	O_DST_RANGE,
 };
 
 static void iprange_mt_help(void)
@@ -37,10 +32,12 @@ static void iprange_mt_help(void)
 "[!] --dst-range ip[-ip]    Match destination IP in the specified range\n");
 }
 
-static const struct option iprange_mt_opts[] = {
-	{.name = "src-range", .has_arg = true, .val = '1'},
-	{.name = "dst-range", .has_arg = true, .val = '2'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry iprange_mt_opts[] = {
+	{.name = "src-range", .id = O_SRC_RANGE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	{.name = "dst-range", .id = O_DST_RANGE, .type = XTTYPE_STRING,
+	 .flags = XTOPT_INVERT},
+	XTOPT_TABLEEND,
 };
 
 static void
@@ -73,14 +70,18 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
 	}
 }
 
-static void iprange_parse_range(char *arg, union nf_inet_addr *range,
+static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
 				uint8_t family, const char *optname)
 {
+	char *arg = strdup(oarg);
 	char *dash;
 
+	if (arg == NULL)
+		xtables_error(RESOURCE_PROBLEM, "strdup");
 	dash = strchr(arg, '-');
 	if (dash == NULL) {
 		iprange_parse_spec(arg, arg, range, family, optname);
+		free(arg);
 		return;
 	}
 
@@ -89,108 +90,71 @@ static void iprange_parse_range(char *arg, union nf_inet_addr *range,
 	if (memcmp(&range[0], &range[1], sizeof(*range)) > 0)
 		fprintf(stderr, "xt_iprange: range %s-%s is reversed and "
 			"will never match\n", arg, dash + 1);
+	free(arg);
 }
 
-static int iprange_parse(int c, char **argv, int invert, unsigned int *flags,
-                         const void *entry, struct xt_entry_match **match)
+static void iprange_parse(struct xt_option_call *cb)
 {
-	struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
+	struct ipt_iprange_info *info = cb->data;
 	union nf_inet_addr range[2];
 
-	switch (c) {
-	case '1':
-		if (*flags & IPRANGE_SRC)
-			xtables_error(PARAMETER_PROBLEM,
-				   "iprange match: Only use --src-range ONCE!");
-		*flags |= IPRANGE_SRC;
-
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_SRC_RANGE:
 		info->flags |= IPRANGE_SRC;
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		if (invert)
+		if (cb->invert)
 			info->flags |= IPRANGE_SRC_INV;
-		iprange_parse_range(optarg, range, NFPROTO_IPV4, "--src-range");
+		iprange_parse_range(cb->arg, range, NFPROTO_IPV4, "--src-range");
 		info->src.min_ip = range[0].ip;
 		info->src.max_ip = range[1].ip;
 		break;
-
-	case '2':
-		if (*flags & IPRANGE_DST)
-			xtables_error(PARAMETER_PROBLEM,
-				   "iprange match: Only use --dst-range ONCE!");
-		*flags |= IPRANGE_DST;
-
+	case O_DST_RANGE:
 		info->flags |= IPRANGE_DST;
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		if (invert)
+		if (cb->invert)
 			info->flags |= IPRANGE_DST_INV;
-
-		iprange_parse_range(optarg, range, NFPROTO_IPV4, "--dst-range");
+		iprange_parse_range(cb->arg, range, NFPROTO_IPV4, "--dst-range");
 		info->dst.min_ip = range[0].ip;
 		info->dst.max_ip = range[1].ip;
 		break;
 	}
-	return 1;
 }
 
-static int
-iprange_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_match **match)
+static void iprange_mt_parse(struct xt_option_call *cb, uint8_t nfproto)
 {
-	struct xt_iprange_mtinfo *info = (void *)(*match)->data;
+	struct xt_iprange_mtinfo *info = cb->data;
 
-	switch (c) {
-	case '1': /* --src-range */
-		iprange_parse_range(optarg, &info->src_min, NFPROTO_IPV4,
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_SRC_RANGE:
+		iprange_parse_range(cb->arg, &info->src_min, nfproto,
 			"--src-range");
 		info->flags |= IPRANGE_SRC;
-		if (invert)
+		if (cb->invert)
 			info->flags |= IPRANGE_SRC_INV;
-		*flags |= F_SRCIP;
-		return true;
-
-	case '2': /* --dst-range */
-		iprange_parse_range(optarg, &info->dst_min, NFPROTO_IPV4,
+		break;
+	case O_DST_RANGE:
+		iprange_parse_range(cb->arg, &info->dst_min, nfproto,
 			"--dst-range");
 		info->flags |= IPRANGE_DST;
-		if (invert)
+		if (cb->invert)
 			info->flags |= IPRANGE_DST_INV;
-		*flags |= F_DSTIP;
-		return true;
+		break;
 	}
-	return false;
 }
 
-static int
-iprange_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_match **match)
+static void iprange_mt4_parse(struct xt_option_call *cb)
 {
-	struct xt_iprange_mtinfo *info = (void *)(*match)->data;
-
-	switch (c) {
-	case '1': /* --src-range */
-		iprange_parse_range(optarg, &info->src_min, NFPROTO_IPV6,
-			"--src-range");
-		info->flags |= IPRANGE_SRC;
-		if (invert)
-			info->flags |= IPRANGE_SRC_INV;
-		*flags |= F_SRCIP;
-		return true;
+	iprange_mt_parse(cb, NFPROTO_IPV4);
+}
 
-	case '2': /* --dst-range */
-		iprange_parse_range(optarg, &info->dst_min, NFPROTO_IPV6,
-			"--dst-range");
-		info->flags |= IPRANGE_DST;
-		if (invert)
-			info->flags |= IPRANGE_DST_INV;
-		*flags |= F_DSTIP;
-		return true;
-	}
-	return false;
+static void iprange_mt6_parse(struct xt_option_call *cb)
+{
+	iprange_mt_parse(cb, NFPROTO_IPV6);
 }
 
-static void iprange_mt_check(unsigned int flags)
+static void iprange_mt_check(struct xt_fcheck_call *cb)
 {
-	if (flags == 0)
+	if (cb->xflags == 0)
 		xtables_error(PARAMETER_PROBLEM,
 			   "iprange match: You must specify `--src-range' or `--dst-range'");
 }
@@ -341,11 +305,11 @@ static struct xtables_match iprange_mt_reg[] = {
 		.size          = XT_ALIGN(sizeof(struct ipt_iprange_info)),
 		.userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)),
 		.help          = iprange_mt_help,
-		.parse         = iprange_parse,
-		.final_check   = iprange_mt_check,
+		.x6_parse      = iprange_parse,
+		.x6_fcheck     = iprange_mt_check,
 		.print         = iprange_print,
 		.save          = iprange_save,
-		.extra_opts    = iprange_mt_opts,
+		.x6_options    = iprange_mt_opts,
 	},
 	{
 		.version       = XTABLES_VERSION,
@@ -355,11 +319,11 @@ static struct xtables_match iprange_mt_reg[] = {
 		.size          = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
 		.userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
 		.help          = iprange_mt_help,
-		.parse         = iprange_mt4_parse,
-		.final_check   = iprange_mt_check,
+		.x6_parse      = iprange_mt4_parse,
+		.x6_fcheck     = iprange_mt_check,
 		.print         = iprange_mt4_print,
 		.save          = iprange_mt4_save,
-		.extra_opts    = iprange_mt_opts,
+		.x6_options    = iprange_mt_opts,
 	},
 	{
 		.version       = XTABLES_VERSION,
@@ -369,11 +333,11 @@ static struct xtables_match iprange_mt_reg[] = {
 		.size          = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
 		.userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)),
 		.help          = iprange_mt_help,
-		.parse         = iprange_mt6_parse,
-		.final_check   = iprange_mt_check,
+		.x6_parse      = iprange_mt6_parse,
+		.x6_fcheck     = iprange_mt_check,
 		.print         = iprange_mt6_print,
 		.save          = iprange_mt6_save,
-		.extra_opts    = iprange_mt_opts,
+		.x6_options    = iprange_mt_opts,
 	},
 };
 
-- 
1.7.1

[PATCH 07/11] libipt_DNAT: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_DNAT.c |   88 ++++++++++++++++++++-------------------------
 1 files changed, 39 insertions(+), 49 deletions(-)

diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 49c74e1..e7fd7c9 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -1,18 +1,20 @@
-/* Shared library add-on to iptables to add destination-NAT support. */
-#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
 #include <xtables.h>
 #include <iptables.h> /* get_kernel_version */
 #include <limits.h> /* INT_MAX in ip_tables.h */
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <net/netfilter/nf_nat.h>
 
-#define IPT_DNAT_OPT_DEST 0x1
-#define IPT_DNAT_OPT_RANDOM 0x2
+enum {
+	O_TO_DEST = 0,
+	O_RANDOM,
+	O_PERSISTENT,
+	F_TO_DEST = 1 << O_TO_DEST,
+	F_RANDOM  = 1 << O_RANDOM,
+};
 
 /* Dest NAT data consists of a multi-range, indicating where to map
    to. */
@@ -31,11 +33,12 @@ static void DNAT_help(void)
 "[--random] [--persistent]\n");
 }
 
-static const struct option DNAT_opts[] = {
-	{.name = "to-destination", .has_arg = true,  .val = '1'},
-	{.name = "random",         .has_arg = false, .val = '2'},
-	{.name = "persistent",     .has_arg = false, .val = '3'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry DNAT_opts[] = {
+	{.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND | XTOPT_MULTI},
+	{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+	{.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
+	XTOPT_TABLEEND,
 };
 
 static struct ipt_natinfo *
@@ -59,12 +62,15 @@ append_range(struct ipt_natinfo *info, const struct nf_nat_range *range)
 
 /* Ranges expected in network order. */
 static struct xt_entry_target *
-parse_to(char *arg, int portok, struct ipt_natinfo *info)
+parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
 {
 	struct nf_nat_range range;
-	char *colon, *dash, *error;
+	char *arg, *colon, *dash, *error;
 	const struct in_addr *ip;
 
+	arg = strdup(orig_arg);
+	if (arg == NULL)
+		xtables_error(RESOURCE_PROBLEM, "strdup");
 	memset(&range, 0, sizeof(range));
 	colon = strchr(arg, ':');
 
@@ -107,8 +113,10 @@ parse_to(char *arg, int portok, struct ipt_natinfo *info)
 			range.max.tcp.port = htons(maxport);
 		}
 		/* Starts with a colon? No IP info...*/
-		if (colon == arg)
+		if (colon == arg) {
+			free(arg);
 			return &(append_range(info, &range)->t);
+		}
 		*colon = '\0';
 	}
 
@@ -134,14 +142,14 @@ parse_to(char *arg, int portok, struct ipt_natinfo *info)
 	} else
 		range.max_ip = range.min_ip;
 
+	free(arg);
 	return &(append_range(info, &range)->t);
 }
 
-static int DNAT_parse(int c, char **argv, int invert, unsigned int *flags,
-                      const void *e, struct xt_entry_target **target)
+static void DNAT_parse(struct xt_option_call *cb)
 {
-	const struct ipt_entry *entry = e;
-	struct ipt_natinfo *info = (void *)*target;
+	const struct ipt_entry *entry = cb->xt_entry;
+	struct ipt_natinfo *info = (void *)(*cb->target);
 	int portok;
 
 	if (entry->ip.proto == IPPROTO_TCP
@@ -153,46 +161,29 @@ static int DNAT_parse(int c, char **argv, int invert, unsigned int *flags,
 	else
 		portok = 0;
 
-	switch (c) {
-	case '1':
-		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --to-destination");
-
-		if (*flags & IPT_DNAT_OPT_DEST) {
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_TO_DEST:
+		if (cb->xflags & F_TO_DEST) {
 			if (!kernel_version)
 				get_kernel_version();
 			if (kernel_version > LINUX_VERSION(2, 6, 10))
 				xtables_error(PARAMETER_PROBLEM,
 					   "Multiple --to-destination not supported");
 		}
-		*target = parse_to(optarg, portok, info);
+		*cb->target = parse_to(cb->arg, portok, info);
 		/* WTF do we need this for?? */
-		if (*flags & IPT_DNAT_OPT_RANDOM)
+		if (cb->xflags & F_RANDOM)
 			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
-		*flags |= IPT_DNAT_OPT_DEST;
-		return 1;
-
-	case '2':
-		if (*flags & IPT_DNAT_OPT_DEST) {
+		break;
+	case O_RANDOM:
+		if (cb->xflags & F_TO_DEST)
 			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
-			*flags |= IPT_DNAT_OPT_RANDOM;
-		} else
-			*flags |= IPT_DNAT_OPT_RANDOM;
-		return 1;
-
-	case '3':
+		break;
+	case O_PERSISTENT:
 		info->mr.range[0].flags |= IP_NAT_RANGE_PERSISTENT;
-		return 1;
+		break;
 	}
-	return 0;
-}
-
-static void DNAT_check(unsigned int flags)
-{
-	if (!(flags & IPT_DNAT_OPT_DEST))
-		xtables_error(PARAMETER_PROBLEM,
-			   "You must specify --to-destination");
 }
 
 static void print_range(const struct nf_nat_range *r)
@@ -253,11 +244,10 @@ static struct xtables_target dnat_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct nf_nat_multi_range)),
 	.userspacesize	= XT_ALIGN(sizeof(struct nf_nat_multi_range)),
 	.help		= DNAT_help,
-	.parse		= DNAT_parse,
-	.final_check	= DNAT_check,
+	.x6_parse	= DNAT_parse,
 	.print		= DNAT_print,
 	.save		= DNAT_save,
-	.extra_opts	= DNAT_opts,
+	.x6_options	= DNAT_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 08/11] libipt_SNAT: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_SNAT.c |   88 ++++++++++++++++++++-------------------------
 1 files changed, 39 insertions(+), 49 deletions(-)

diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 532770d..97769e6 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -1,18 +1,20 @@
-/* Shared library add-on to iptables to add source-NAT support. */
-#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
 #include <xtables.h>
 #include <iptables.h>
 #include <limits.h> /* INT_MAX in ip_tables.h */
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <net/netfilter/nf_nat.h>
 
-#define IPT_SNAT_OPT_SOURCE 0x01
-#define IPT_SNAT_OPT_RANDOM 0x02
+enum {
+	O_TO_SRC = 0,
+	O_RANDOM,
+	O_PERSISTENT,
+	F_TO_SRC = 1 << O_TO_SRC,
+	F_RANDOM = 1 << O_RANDOM,
+};
 
 /* Source NAT data consists of a multi-range, indicating where to map
    to. */
@@ -31,11 +33,12 @@ static void SNAT_help(void)
 "[--random] [--persistent]\n");
 }
 
-static const struct option SNAT_opts[] = {
-	{.name = "to-source",  .has_arg = true,  .val = '1'},
-	{.name = "random",     .has_arg = false, .val = '2'},
-	{.name = "persistent", .has_arg = false, .val = '3'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry SNAT_opts[] = {
+	{.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND | XTOPT_MULTI},
+	{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+	{.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
+	XTOPT_TABLEEND,
 };
 
 static struct ipt_natinfo *
@@ -59,12 +62,15 @@ append_range(struct ipt_natinfo *info, const struct nf_nat_range *range)
 
 /* Ranges expected in network order. */
 static struct xt_entry_target *
-parse_to(char *arg, int portok, struct ipt_natinfo *info)
+parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
 {
 	struct nf_nat_range range;
-	char *colon, *dash, *error;
+	char *arg, *colon, *dash, *error;
 	const struct in_addr *ip;
 
+	arg = strdup(orig_arg);
+	if (arg == NULL)
+		xtables_error(RESOURCE_PROBLEM, "strdup");
 	memset(&range, 0, sizeof(range));
 	colon = strchr(arg, ':');
 
@@ -107,8 +113,10 @@ parse_to(char *arg, int portok, struct ipt_natinfo *info)
 			range.max.tcp.port = htons(maxport);
 		}
 		/* Starts with a colon? No IP info...*/
-		if (colon == arg)
+		if (colon == arg) {
+			free(arg);
 			return &(append_range(info, &range)->t);
+		}
 		*colon = '\0';
 	}
 
@@ -134,14 +142,14 @@ parse_to(char *arg, int portok, struct ipt_natinfo *info)
 	} else
 		range.max_ip = range.min_ip;
 
+	free(arg);
 	return &(append_range(info, &range)->t);
 }
 
-static int SNAT_parse(int c, char **argv, int invert, unsigned int *flags,
-                      const void *e, struct xt_entry_target **target)
+static void SNAT_parse(struct xt_option_call *cb)
 {
-	const struct ipt_entry *entry = e;
-	struct ipt_natinfo *info = (void *)*target;
+	const struct ipt_entry *entry = cb->xt_entry;
+	struct ipt_natinfo *info = (void *)(*cb->target);
 	int portok;
 
 	if (entry->ip.proto == IPPROTO_TCP
@@ -153,46 +161,29 @@ static int SNAT_parse(int c, char **argv, int invert, unsigned int *flags,
 	else
 		portok = 0;
 
-	switch (c) {
-	case '1':
-		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --to-source");
-
-		if (*flags & IPT_SNAT_OPT_SOURCE) {
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_TO_SRC:
+		if (cb->xflags & F_TO_SRC) {
 			if (!kernel_version)
 				get_kernel_version();
 			if (kernel_version > LINUX_VERSION(2, 6, 10))
 				xtables_error(PARAMETER_PROBLEM,
 					   "Multiple --to-source not supported");
 		}
-		*target = parse_to(optarg, portok, info);
+		*cb->target = parse_to(cb->arg, portok, info);
 		/* WTF do we need this for?? */
-		if (*flags & IPT_SNAT_OPT_RANDOM)
+		if (cb->xflags & F_RANDOM)
 			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
-		*flags |= IPT_SNAT_OPT_SOURCE;
-		return 1;
-
-	case '2':
-		if (*flags & IPT_SNAT_OPT_SOURCE) {
+		break;
+	case O_RANDOM:
+		if (cb->xflags & F_TO_SRC)
 			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
-			*flags |= IPT_SNAT_OPT_RANDOM;
-		} else
-			*flags |= IPT_SNAT_OPT_RANDOM;
-		return 1;
-
-	case '3':
+		break;
+	case O_PERSISTENT:
 		info->mr.range[0].flags |= IP_NAT_RANGE_PERSISTENT;
-		return 1;
+		break;
 	}
-	return 0;
-}
-
-static void SNAT_check(unsigned int flags)
-{
-	if (!(flags & IPT_SNAT_OPT_SOURCE))
-		xtables_error(PARAMETER_PROBLEM,
-			   "You must specify --to-source");
 }
 
 static void print_range(const struct nf_nat_range *r)
@@ -253,11 +244,10 @@ static struct xtables_target snat_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct nf_nat_multi_range)),
 	.userspacesize	= XT_ALIGN(sizeof(struct nf_nat_multi_range)),
 	.help		= SNAT_help,
-	.parse		= SNAT_parse,
-	.final_check	= SNAT_check,
+	.x6_parse	= SNAT_parse,
 	.print		= SNAT_print,
 	.save		= SNAT_save,
-	.extra_opts	= SNAT_opts,
+	.x6_options	= SNAT_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 09/11] libipt_MASQUERADE: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_MASQUERADE.c |   48 +++++++++++++++++----------------------
 1 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index 00baf25..7ba42df 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -1,5 +1,3 @@
-/* Shared library add-on to iptables to add masquerade support. */
-#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -10,6 +8,11 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <net/netfilter/nf_nat.h>
 
+enum {
+	O_TO_PORTS = 0,
+	O_RANDOM,
+};
+
 static void MASQUERADE_help(void)
 {
 	printf(
@@ -20,10 +23,10 @@ static void MASQUERADE_help(void)
 "				Randomize source port.\n");
 }
 
-static const struct option MASQUERADE_opts[] = {
-	{.name = "to-ports", .has_arg = true,  .val = '1'},
-	{.name = "random",   .has_arg = false, .val = '2'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry MASQUERADE_opts[] = {
+	{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
+	{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+	XTOPT_TABLEEND,
 };
 
 static void MASQUERADE_init(struct xt_entry_target *t)
@@ -32,7 +35,6 @@ static void MASQUERADE_init(struct xt_entry_target *t)
 
 	/* Actually, it's 0, but it's ignored at the moment. */
 	mr->rangesize = 1;
-
 }
 
 /* Parses ports */
@@ -69,13 +71,11 @@ parse_ports(const char *arg, struct nf_nat_multi_range *mr)
 	xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg);
 }
 
-static int MASQUERADE_parse(int c, char **argv, int invert, unsigned int *flags,
-                            const void *e, struct xt_entry_target **target)
+static void MASQUERADE_parse(struct xt_option_call *cb)
 {
-	const struct ipt_entry *entry = e;
+	const struct ipt_entry *entry = cb->xt_entry;
 	int portok;
-	struct nf_nat_multi_range *mr
-		= (struct nf_nat_multi_range *)(*target)->data;
+	struct nf_nat_multi_range *mr = cb->data;
 
 	if (entry->ip.proto == IPPROTO_TCP
 	    || entry->ip.proto == IPPROTO_UDP
@@ -86,24 +86,18 @@ static int MASQUERADE_parse(int c, char **argv, int invert, unsigned int *flags,
 	else
 		portok = 0;
 
-	switch (c) {
-	case '1':
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_TO_PORTS:
 		if (!portok)
 			xtables_error(PARAMETER_PROBLEM,
 				   "Need TCP, UDP, SCTP or DCCP with port specification");
-
-		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --to-ports");
-
-		parse_ports(optarg, mr);
-		return 1;
-
-	case '2':
+		parse_ports(cb->arg, mr);
+		break;
+	case O_RANDOM:
 		mr->range[0].flags |=  IP_NAT_RANGE_PROTO_RANDOM;
-		return 1;
+		break;
 	}
-	return 0;
 }
 
 static void
@@ -148,10 +142,10 @@ static struct xtables_target masquerade_tg_reg = {
 	.userspacesize	= XT_ALIGN(sizeof(struct nf_nat_multi_range)),
 	.help		= MASQUERADE_help,
 	.init		= MASQUERADE_init,
-	.parse		= MASQUERADE_parse,
+	.x6_parse	= MASQUERADE_parse,
 	.print		= MASQUERADE_print,
 	.save		= MASQUERADE_save,
-	.extra_opts	= MASQUERADE_opts,
+	.x6_options	= MASQUERADE_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 10/11] libipt_REDIRECT: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_REDIRECT.c |   62 +++++++++++++++++-------------------------
 1 files changed, 25 insertions(+), 37 deletions(-)

diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 471ff29..426a746 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -1,17 +1,17 @@
-/* Shared library add-on to iptables to add redirect support. */
-#include <stdbool.h>
 #include <stdio.h>
-#include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
 #include <xtables.h>
 #include <limits.h> /* INT_MAX in ip_tables.h */
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <net/netfilter/nf_nat.h>
 
-#define IPT_REDIRECT_OPT_DEST	0x01
-#define IPT_REDIRECT_OPT_RANDOM	0x02
+enum {
+	O_TO_PORTS = 0,
+	O_RANDOM,
+	F_TO_PORTS = 1 << O_TO_PORTS,
+	F_RANDOM   = 1 << O_RANDOM,
+};
 
 static void REDIRECT_help(void)
 {
@@ -22,10 +22,11 @@ static void REDIRECT_help(void)
 " [--random]\n");
 }
 
-static const struct option REDIRECT_opts[] = {
-	{.name = "to-ports", .has_arg = true,  .val = '1'},
-	{.name = "random",   .has_arg = false, .val = '2'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry REDIRECT_opts[] = {
+	{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND},
+	{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+	XTOPT_TABLEEND,
 };
 
 static void REDIRECT_init(struct xt_entry_target *t)
@@ -34,7 +35,6 @@ static void REDIRECT_init(struct xt_entry_target *t)
 
 	/* Actually, it's 0, but it's ignored at the moment. */
 	mr->rangesize = 1;
-
 }
 
 /* Parses ports */
@@ -73,12 +73,10 @@ parse_ports(const char *arg, struct nf_nat_multi_range *mr)
 	xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg);
 }
 
-static int REDIRECT_parse(int c, char **argv, int invert, unsigned int *flags,
-                          const void *e, struct xt_entry_target **target)
+static void REDIRECT_parse(struct xt_option_call *cb)
 {
-	const struct ipt_entry *entry = e;
-	struct nf_nat_multi_range *mr
-		= (struct nf_nat_multi_range *)(*target)->data;
+	const struct ipt_entry *entry = cb->xt_entry;
+	struct nf_nat_multi_range *mr = (void *)(*cb->target)->data;
 	int portok;
 
 	if (entry->ip.proto == IPPROTO_TCP
@@ -90,31 +88,21 @@ static int REDIRECT_parse(int c, char **argv, int invert, unsigned int *flags,
 	else
 		portok = 0;
 
-	switch (c) {
-	case '1':
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_TO_PORTS:
 		if (!portok)
 			xtables_error(PARAMETER_PROBLEM,
 				   "Need TCP, UDP, SCTP or DCCP with port specification");
-
-		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --to-ports");
-
-		parse_ports(optarg, mr);
-		if (*flags & IPT_REDIRECT_OPT_RANDOM)
+		parse_ports(cb->arg, mr);
+		if (cb->xflags & F_RANDOM)
 			mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
-		*flags |= IPT_REDIRECT_OPT_DEST;
-		return 1;
-
-	case '2':
-		if (*flags & IPT_REDIRECT_OPT_DEST) {
+		break;
+	case O_RANDOM:
+		if (cb->xflags & F_TO_PORTS)
 			mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
-			*flags |= IPT_REDIRECT_OPT_RANDOM;
-		} else
-			*flags |= IPT_REDIRECT_OPT_RANDOM;
-		return 1;
+		break;
 	}
-	return 0;
 }
 
 static void REDIRECT_print(const void *ip, const struct xt_entry_target *target,
@@ -156,10 +144,10 @@ static struct xtables_target redirect_tg_reg = {
 	.userspacesize	= XT_ALIGN(sizeof(struct nf_nat_multi_range)),
 	.help		= REDIRECT_help,
 	.init		= REDIRECT_init,
- 	.parse		= REDIRECT_parse,
+ 	.x6_parse	= REDIRECT_parse,
 	.print		= REDIRECT_print,
 	.save		= REDIRECT_save,
-	.extra_opts	= REDIRECT_opts,
+	.x6_options	= REDIRECT_opts,
 };
 
 void _init(void)
-- 
1.7.1

[PATCH 11/11] libipt_SAME: use guided option parser

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_SAME.c |   82 +++++++++++++++++-----------------------------
 1 files changed, 30 insertions(+), 52 deletions(-)

diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index b18351e..2ff6c82 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -1,15 +1,17 @@
-/* Shared library add-on to iptables to add simple non load-balancing SNAT support. */
-#include <stdbool.h>
 #include <stdio.h>
-#include <netdb.h>
 #include <string.h>
 #include <stdlib.h>
-#include <getopt.h>
 #include <xtables.h>
 #include <net/netfilter/nf_nat.h>
-/* For 64bit kernel / 32bit userspace */
 #include <linux/netfilter_ipv4/ipt_SAME.h>
 
+enum {
+	O_TO_ADDR = 0,
+	O_NODST,
+	O_RANDOM,
+	F_RANDOM = 1 << O_RANDOM,
+};
+
 static void SAME_help(void)
 {
 	printf(
@@ -25,20 +27,23 @@ static void SAME_help(void)
 "				Randomize source port\n");
 }
 
-static const struct option SAME_opts[] = {
-	{.name = "to",     .has_arg = true,  .val = '1'},
-	{.name = "nodst",  .has_arg = false, .val = '2'},
-	{.name = "random", .has_arg = false, .val = '3'},
-	XT_GETOPT_TABLEEND,
+static const struct xt_option_entry SAME_opts[] = {
+	{.name = "to", .id = O_TO_ADDR, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND},
+	{.name = "nodst", .id = O_NODST, .type = XTTYPE_NONE},
+	{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+	XTOPT_TABLEEND,
 };
 
 /* Parses range of IPs */
-static void
-parse_to(char *arg, struct nf_nat_range *range)
+static void parse_to(const char *orig_arg, struct nf_nat_range *range)
 {
-	char *dash;
+	char *dash, *arg;
 	const struct in_addr *ip;
 
+	arg = strdup(orig_arg);
+	if (arg == NULL)
+		xtables_error(RESOURCE_PROBLEM, "strdup");
 	range->flags |= IP_NAT_RANGE_MAP_IPS;
 	dash = strchr(arg, '-');
 
@@ -62,63 +67,37 @@ parse_to(char *arg, struct nf_nat_range *range)
 		if (range->min_ip > range->max_ip)
 			xtables_error(PARAMETER_PROBLEM, "Bad IP range \"%s-%s\"\n",
 				   arg, dash+1);
+	free(arg);
 }
 
-#define IPT_SAME_OPT_TO			0x01
-#define IPT_SAME_OPT_NODST		0x02
-#define IPT_SAME_OPT_RANDOM		0x04
-
-static int SAME_parse(int c, char **argv, int invert, unsigned int *flags,
-                      const void *entry, struct xt_entry_target **target)
+static void SAME_parse(struct xt_option_call *cb)
 {
-	struct ipt_same_info *mr
-		= (struct ipt_same_info *)(*target)->data;
+	struct ipt_same_info *mr = cb->data;
 	unsigned int count;
 
-	switch (c) {
-	case '1':
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_TO_ADDR:
 		if (mr->rangesize == IPT_SAME_MAX_RANGE)
 			xtables_error(PARAMETER_PROBLEM,
 				   "Too many ranges specified, maximum "
 				   "is %i ranges.\n",
 				   IPT_SAME_MAX_RANGE);
-		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Unexpected `!' after --to");
-
-		parse_to(optarg, &mr->range[mr->rangesize]);
+		parse_to(cb->arg, &mr->range[mr->rangesize]);
 		/* WTF do we need this for? */
-		if (*flags & IPT_SAME_OPT_RANDOM)
+		if (cb->xflags & F_RANDOM)
 			mr->range[mr->rangesize].flags 
 				|= IP_NAT_RANGE_PROTO_RANDOM;
 		mr->rangesize++;
-		*flags |= IPT_SAME_OPT_TO;
 		break;
-		
-	case '2':
-		if (*flags & IPT_SAME_OPT_NODST)
-			xtables_error(PARAMETER_PROBLEM,
-				   "Can't specify --nodst twice");
-		
+	case O_NODST:
 		mr->info |= IPT_SAME_NODST;
-		*flags |= IPT_SAME_OPT_NODST;
 		break;
-
-	case '3':	
-		*flags |= IPT_SAME_OPT_RANDOM;
+	case O_RANDOM:
 		for (count=0; count < mr->rangesize; count++)
 			mr->range[count].flags |= IP_NAT_RANGE_PROTO_RANDOM;
 		break;
 	}
-	
-	return 1;
-}
-
-static void SAME_check(unsigned int flags)
-{
-	if (!(flags & IPT_SAME_OPT_TO))
-		xtables_error(PARAMETER_PROBLEM,
-			   "SAME needs --to");
 }
 
 static void SAME_print(const void *ip, const struct xt_entry_target *target,
@@ -186,11 +165,10 @@ static struct xtables_target same_tg_reg = {
 	.size		= XT_ALIGN(sizeof(struct ipt_same_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct ipt_same_info)),
 	.help		= SAME_help,
-	.parse		= SAME_parse,
-	.final_check	= SAME_check,
+	.x6_parse	= SAME_parse,
 	.print		= SAME_print,
 	.save		= SAME_save,
-	.extra_opts	= SAME_opts,
+	.x6_options	= SAME_opts,
 };
 
 void _init(void)
-- 
1.7.1

Re: guided option parser, run 7

[Patrick McHardy]

Am 11.05.2011 15:52, schrieb Jan Engelhardt:
> The following changes since commit 8075493a00e06857147263574333df4073ea671b:
> 
>   Merge branch 'opts' of git://dev.medozas.de/iptables (2011-05-11 13:43:44 +0200)
> 
> are available in the git repository at:
> 
>   git://dev.medozas.de/iptables floating/opts
> 
> Jan Engelhardt (11):
>       libip6t_mh: use guided option parser
>       libip6t_rt: use guided option parser
>       libxtables: XTTYPE_ETHERMAC support
>       libxt_mac: use guided option parser
>       libipt_CLUSTERIP: use guided option parser
>       libxt_iprange: use guided option parser
>       libipt_DNAT: use guided option parser
>       libipt_SNAT: use guided option parser
>       libipt_MASQUERADE: use guided option parser
>       libipt_REDIRECT: use guided option parser
>       libipt_SAME: use guided option parser

Pulled, thanks Jan.

Re: [PATCH 07/11] libipt_DNAT: use guided option parser

[Lutz Jaenicke]

Hmm.

On Wed, May 11, 2011 at 03:52:52PM +0200, Jan Engelhardt wrote:
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
>  extensions/libipt_DNAT.c |   88 ++++++++++++++++++++-------------------------
>  1 files changed, 39 insertions(+), 49 deletions(-)

> @@ -153,46 +161,29 @@ static int DNAT_parse(int c, char **argv, int invert, unsigned int *flags,
>  	else
>  		portok = 0;
>  
> -	switch (c) {
> -	case '1':
> -		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
> -			xtables_error(PARAMETER_PROBLEM,
> -				   "Unexpected `!' after --to-destination");
> -
> -		if (*flags & IPT_DNAT_OPT_DEST) {
> +	xtables_option_parse(cb);
> +	switch (cb->entry->id) {
> +	case O_TO_DEST:
> +		if (cb->xflags & F_TO_DEST) {
>  			if (!kernel_version)
>  				get_kernel_version();
>  			if (kernel_version > LINUX_VERSION(2, 6, 10))
>  				xtables_error(PARAMETER_PROBLEM,
>  					   "Multiple --to-destination not supported");
>  		}
> -		*target = parse_to(optarg, portok, info);
> +		*cb->target = parse_to(cb->arg, portok, info);
>  		/* WTF do we need this for?? */
> -		if (*flags & IPT_DNAT_OPT_RANDOM)
> +		if (cb->xflags & F_RANDOM)
>  			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
> -		*flags |= IPT_DNAT_OPT_DEST;
> -		return 1;

If I understand the logic correctly, cb->xflags will have F_TO_DEST set
if the --to-destination option is found. The additional option parsing
is only performed afterwards such that the (cb->xflags & F_TO_DEST) will
be triggered already on the first and valid call and a "Multiple ... not
supported" will be issued.
In the original code the *flags |= IPT_DNAT_OPT_DEST was only performed
at the end of the respective "case" section.

Best regards,
	Lutz
-- 
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG  /protecting industrial networks/
tel: +49.30.921028-200
fax: +49.30.921028-020
Rudower Chaussee 13
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Dirk Seewald
Chairman of the Supervisory Board: Volker Bibelhausen
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 07/11] libipt_DNAT: use guided option parser

[Jan Engelhardt]

On Wednesday 2011-05-18 15:58, Lutz Jaenicke wrote:

>> +	case O_TO_DEST:
>> +		if (cb->xflags & F_TO_DEST) {
>>  			if (!kernel_version)
>>  				get_kernel_version();
>>  			if (kernel_version > LINUX_VERSION(2, 6, 10))
>>  				xtables_error(PARAMETER_PROBLEM,
>>  					   "Multiple --to-destination not supported");
>>  		}
>> -		*target = parse_to(optarg, portok, info);
>> +		*cb->target = parse_to(cb->arg, portok, info);
>>  		/* WTF do we need this for?? */
>> -		if (*flags & IPT_DNAT_OPT_RANDOM)
>> +		if (cb->xflags & F_RANDOM)
>>  			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
>> -		*flags |= IPT_DNAT_OPT_DEST;
>> -		return 1;
>
>If I understand the logic correctly, cb->xflags will have F_TO_DEST set
>if the --to-destination option is found. The additional option parsing
>is only performed afterwards such that the (cb->xflags & F_TO_DEST) will
>be triggered already on the first and valid call and a "Multiple ... not
>supported" will be issued.

Fixed by my most recent submission (run 8), f25b235.

Re: [PATCH 07/11] libipt_DNAT: use guided option parser

[Lutz Jaenicke]

On Wed, May 18, 2011 at 04:00:56PM +0200, Jan Engelhardt wrote:
> On Wednesday 2011-05-18 15:58, Lutz Jaenicke wrote:
> 
> >> +	case O_TO_DEST:
> >> +		if (cb->xflags & F_TO_DEST) {
> >>  			if (!kernel_version)
> >>  				get_kernel_version();
> >>  			if (kernel_version > LINUX_VERSION(2, 6, 10))
> >>  				xtables_error(PARAMETER_PROBLEM,
> >>  					   "Multiple --to-destination not supported");
> >>  		}
> >> -		*target = parse_to(optarg, portok, info);
> >> +		*cb->target = parse_to(cb->arg, portok, info);
> >>  		/* WTF do we need this for?? */
> >> -		if (*flags & IPT_DNAT_OPT_RANDOM)
> >> +		if (cb->xflags & F_RANDOM)
> >>  			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
> >> -		*flags |= IPT_DNAT_OPT_DEST;
> >> -		return 1;
> >
> >If I understand the logic correctly, cb->xflags will have F_TO_DEST set
> >if the --to-destination option is found. The additional option parsing
> >is only performed afterwards such that the (cb->xflags & F_TO_DEST) will
> >be triggered already on the first and valid call and a "Multiple ... not
> >supported" will be issued.
> 
> Fixed by my most recent submission (run 8), f25b235.

I see. I was working against the git repo...

Best regards,
	Lutz
-- 
Dr.-Ing. Lutz Jänicke
CTO
Innominate Security Technologies AG  /protecting industrial networks/
tel: +49.30.921028-200
fax: +49.30.921028-020
Rudower Chaussee 13
D-12489 Berlin, Germany
www.innominate.com

Register Court: AG Charlottenburg, HR B 81603
Management Board: Dirk Seewald
Chairman of the Supervisory Board: Volker Bibelhausen
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 07/11] libipt_DNAT: use guided option parser

[Jan Engelhardt]

On Wednesday 2011-05-18 16:05, Lutz Jaenicke wrote:

>On Wed, May 18, 2011 at 04:00:56PM +0200, Jan Engelhardt wrote:
>> On Wednesday 2011-05-18 15:58, Lutz Jaenicke wrote:
>> 
>> >> +	case O_TO_DEST:
>> >> +		if (cb->xflags & F_TO_DEST) {
>> >>  			if (!kernel_version)
>> >>  				get_kernel_version();
>> >>  			if (kernel_version > LINUX_VERSION(2, 6, 10))
>> >>  				xtables_error(PARAMETER_PROBLEM,
>> >>  					   "Multiple --to-destination not supported");
>> >>  		}
>> >> -		*target = parse_to(optarg, portok, info);
>> >> +		*cb->target = parse_to(cb->arg, portok, info);
>> >>  		/* WTF do we need this for?? */
>> >> -		if (*flags & IPT_DNAT_OPT_RANDOM)
>> >> +		if (cb->xflags & F_RANDOM)
>> >>  			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
>> >> -		*flags |= IPT_DNAT_OPT_DEST;
>> >> -		return 1;
>> >
>> >If I understand the logic correctly, cb->xflags will have F_TO_DEST set
>> >if the --to-destination option is found. The additional option parsing
>> >is only performed afterwards such that the (cb->xflags & F_TO_DEST) will
>> >be triggered already on the first and valid call and a "Multiple ... not
>> >supported" will be issued.
>> 
>> Fixed by my most recent submission (run 8), f25b235.
>
>I see. I was working against the git repo...

If it is my repo, that should work.

Live maintainers for upstream iptables seem to have run out 
(in either sense) for the moment.