* Fixes to iptables-1.4.12
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
The following changes since commit 91ca4603f649a9b9fed4f2e31a8c005cdbdacd1e:

  Merge branch 'master' of git://dev.medozas.de/iptables (2011-08-09 13:23:17 +0200)

are available in the git repository at:

  git://dev.medozas.de/iptables master

Bernard Massot (1):
      doc: fix typo in libxt_TRACE

Dwight Davis (1):
      libxt_string: fix space around arguments

Jan Engelhardt (4):
      libxt_u32: fix missing allowance for inversion
      libxt_set: update man page about kernel support on the feature
      libxt_tcp: always print the mask parts
      libxt_set: put differing variable names in directly

 extensions/libxt_SET.c | 13 +++----------
 extensions/libxt_SET.man | 5 ++---
 extensions/libxt_TRACE.man | 2 +-
 extensions/libxt_set.c | 11 +++--------
 extensions/libxt_set.man | 5 ++---
 extensions/libxt_string.c | 4 ++--
 extensions/libxt_tcp.c | 4 +---
 extensions/libxt_u32.c | 2 +-
 tests/options-most.rules | 3 ++-
 9 files changed, 17 insertions(+), 32 deletions(-)
* [PATCH 1/6] libxt_u32: fix missing allowance for inversion
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_u32.c | 2 +-
tests/options-most.rules | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 774d5ea..6d024fb 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -24,7 +24,7 @@ enum {
static const struct xt_option_entry u32_opts[] = {
{.name = "u32", .id = O_U32, .type = XTTYPE_STRING,
- .flags = XTOPT_MAND},
+ .flags = XTOPT_MAND | XTOPT_INVERT},
XTOPT_TABLEEND,
};
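Review bot: the u32_opts entry now accepts `!`, but nothing in this hunk shows the inverted state being consumed. Confirm that the O_U32 parse path records the inversion in the match data and that the print/save output emits `!` again, otherwise `! --u32` would be accepted and then treated as a plain match. The commit message has no body; one sentence on why XTOPT_INVERT was missing would help whoever audits the remaining extensions.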
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 7298a1f..c2e30f2 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -40,7 +40,7 @@
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tos --tos 0xff/0x01
--A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
+-A INPUT -p tcp -m u32 ! --u32 "0x0=0x0" -m u32 ! --u32 "0x0=0x0"
-A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
-A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
-A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
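Review bot: the u32 line in tests/options-most.rules is rewritten so that both `--u32` instances are negated, which leaves the non-inverted form without coverage. Keep the original line and add the negated one next to it, or negate only one of the two matches, so that a save/restore round trip exercises both forms.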
--
1.7.3.4
* [PATCH 2/6] libxt_set: update man page about kernel support on the feature
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_SET.man | 5 ++---
extensions/libxt_set.man | 5 ++---
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index 739be41..63eb383 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
@@ -21,6 +21,5 @@ one from the set definition
when adding entry if it already exists, reset the timeout value
to the specified one or to the default from the set definition
.PP
-Use of -j SET requires that ipset kernel support is provided. As standard
-kernels do not ship this currently, the ipset or Xtables-addons package needs
-to be installed.
+Use of -j SET requires that ipset kernel support is provided, which, for
+standard kernels, is the case since Linux 2.6.39.
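Review bot: the new sentence in libxt_SET.man drops the pointer to the ipset and Xtables-addons packages, so a reader on a kernel older than 2.6.39 is no longer told where the support comes from. Consider keeping a short clause to the effect that older kernels still need the ipset or Xtables-addons package.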
diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man
index 01b115f..1ad9085 100644
--- a/extensions/libxt_set.man
+++ b/extensions/libxt_set.man
@@ -18,6 +18,5 @@ found in the specified set.
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
-Use of -m set requires that ipset kernel support is provided. As standard
-kernels do not ship this currently, the ipset or Xtables-addons package needs
-to be installed.
+Use of -m set requires that ipset kernel support is provided, which, for
+standard kernels, is the case since Linux 2.6.39.
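Review bot: `-m set` in the added line of libxt_set.man uses a bare hyphen, while the context line just above escapes option dashes (`\fB\-\-match\-set\fP`). Write it as `\-m set` so the rendered page shows a real minus sign that can be copied into a shell; the removed line had the same problem, so this is a good moment to fix it, and the same applies to `-j SET` in libxt_SET.man.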
--
1.7.3.4
* [PATCH 3/6] libxt_tcp: always print the mask parts
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
0xFF is unlikely to happen (given that ALL translates to 0x3F at
most), but assuming that through magic, 0xFF was put into memory,
iptables -S/iptables-save would ignore printing it, practically
outputting just one argument to --tcp-flags which currently wants two.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_tcp.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 3940d91..e849fa2 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -357,9 +357,7 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
if (tcpinfo->invflags & XT_TCP_INV_FLAGS)
printf(" !");
printf(" --tcp-flags ");
- if (tcpinfo->flg_mask != 0xFF) {
- print_tcpf(tcpinfo->flg_mask);
- }
+ print_tcpf(tcpinfo->flg_mask);
printf(" ");
print_tcpf(tcpinfo->flg_cmp);
}
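Review bot: with the `!= 0xFF` guard gone from tcp_save, the saved rule now depends on how print_tcpf renders a mask whose upper two bits have no name, given that the commit message puts ALL at 0x3F at most. If print_tcpf prints only named flags, a mask of 0xFF would be saved as ALL and restored as 0x3F, so the commit message should say whether that rewrite is acceptable. It is also worth checking whether the listing (print) function carries the same guard, since only the save path is changed here.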
--
1.7.3.4
* [PATCH 4/6] doc: fix typo in libxt_TRACE
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
From: Bernard Massot <bernard@massot.ath.cx>
References: http://bugzilla.netfilter.org/show_bug.cgi?id=736
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_TRACE.man | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man
index ea0ce0f..8d590a5 100644
--- a/extensions/libxt_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -1,4 +1,4 @@
-This target marks packes so that the kernel will log every rule which match
+This target marks packets so that the kernel will log every rule which match
the packets as those traverse the tables, chains, rules.
.PP
A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
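Review bot: the corrected line in libxt_TRACE.man still reads "every rule which match the packets". Since the line is being touched anyway, fix the verb agreement as well, for example "every rule which matches the packets".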
--
1.7.3.4
* [PATCH 5/6] libxt_set: put differing variable names in directly
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_SET.c | 13 +++----------
extensions/libxt_set.c | 11 +++--------
2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c
index 0446603..a11db39 100644
--- a/extensions/libxt_SET.c
+++ b/extensions/libxt_SET.c
@@ -143,9 +143,6 @@ set_target_save_v0(const void *ip, const struct xt_entry_target *target)
}
/* Revision 1 */
-
-#define set_target_help_v1 set_target_help_v0
-
static void
set_target_init_v1(struct xt_entry_target *target)
{
@@ -204,8 +201,6 @@ set_target_parse_v1(int c, char **argv, int invert, unsigned int *flags,
return 1;
}
-#define set_target_check_v1 set_target_check_v0
-
static void
print_target(const char *prefix, const struct xt_set_info *info)
{
@@ -242,8 +237,6 @@ set_target_save_v1(const void *ip, const struct xt_entry_target *target)
print_target("--del-set", &info->del_set);
}
-#define set_target_opts_v1 set_target_opts_v0
-
/* Revision 2 */
static void
@@ -376,13 +369,13 @@ static struct xtables_target set_tg_reg[] = {
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
- .help = set_target_help_v1,
+ .help = set_target_help_v0,
.init = set_target_init_v1,
.parse = set_target_parse_v1,
- .final_check = set_target_check_v1,
+ .final_check = set_target_check_v0,
.print = set_target_print_v1,
.save = set_target_save_v1,
- .extra_opts = set_target_opts_v1,
+ .extra_opts = set_target_opts_v0,
},
{
.name = "SET",
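Review bot: in the revision 1 entry of set_tg_reg, .help, .final_check and .extra_opts now name v0 symbols next to v1 callbacks, and with the #define aliases removed nothing says the sharing is deliberate. A one-line comment in the entry, or under the `/* Revision 1 */` marker, stating that revision 1 reuses the revision 0 help, check and option table would keep a later reader from "fixing" the apparent mismatch.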
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 6b39147..77e3f07 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -128,11 +128,6 @@ set_save_v0(const void *ip, const struct xt_entry_match *match)
}
/* Revision 1 */
-
-#define set_help_v1 set_help_v0
-#define set_opts_v1 set_opts_v0
-#define set_check_v1 set_check_v0
-
static int
set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
@@ -232,12 +227,12 @@ static struct xtables_match set_mt_reg[] = {
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
- .help = set_help_v1,
+ .help = set_help_v0,
.parse = set_parse_v1,
- .final_check = set_check_v1,
+ .final_check = set_check_v0,
.print = set_print_v1,
.save = set_save_v1,
- .extra_opts = set_opts_v1,
+ .extra_opts = set_opts_v0,
},
};
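Review bot: the set_mt_reg entry sizes its data as struct xt_set_info_match_v1 while .final_check points at set_check_v0. That was already the case through the removed alias, but it is now visible at the registration site, so confirm that set_check_v0 does not depend on revision 0 match data. The commit message has no body; a line stating that the change is cosmetic and leaves the registered callbacks unchanged would make that easy to verify.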
--
1.7.3.4
* [PATCH 6/6] libxt_string: fix space around arguments
From: Jan Engelhardt @ 2011-08-20 19:24 UTC
To: kaber; +Cc: netfilter-devel
From: Dwight Davis <sivad_thgiwd@yahoo.ca>
Fix oversight from commit v1.4.11~80.
References: http://bugs.debian.org/637499
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_string.c | 4 ++--
tests/options-most.rules | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 8cee335..257f5f8 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -229,7 +229,7 @@ print_hex_string(const char *str, const unsigned short int len)
{
unsigned int i;
/* start hex block */
- printf("\"|");
+ printf(" \"|");
for (i=0; i < len; i++) {
/* see if we need to prepend a zero */
if ((unsigned char) str[i] <= 0x0F)
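Review bot: the separator space moves from after the hex block to before it, so print_hex_string now owns the leading space. Check that its callers no longer print a space of their own before calling it, and that the printer used for `--string` follows the same convention, otherwise `--hex-string` output ends up with a doubled or missing space relative to `--string`.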
@@ -238,7 +238,7 @@ print_hex_string(const char *str, const unsigned short int len)
printf("%x", (unsigned char) str[i]);
}
/* close hex block */
- printf("|\" ");
+ printf("|\"");
}
static void
diff --git a/tests/options-most.rules b/tests/options-most.rules
index c2e30f2..4a3cd99 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -37,6 +37,7 @@
-A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
-A INPUT -p tcp -m socket --transparent
-A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
+-A INPUT -p tcp -m string --hex-string "|00|" --algo kmp --from 1 --to 2 --icase
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tos --tos 0xff/0x01
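Review bot: the added `--hex-string "|00|"` line only exercises the zero-padding branch (`<= 0x0F`) of print_hex_string. A second pattern with more than one byte and at least one byte above 0x0F would cover the unpadded branch as well, and would still check the spacing before `--algo` that this patch is about.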
--
1.7.3.4
* Re: [PATCH 1/6] libxt_u32: fix missing allowance for inversion
From: Jan Engelhardt @ 2011-08-21 7:25 UTC
To: Dave Taht; +Cc: kaber, netfilter-devel
[oh, the mailing list daemon seems unresponsive for I have not
received the 2nd copy, and neither did the web crawlers...]
On Saturday 2011-08-20 23:40, Dave Taht wrote:
>I keep seeing inversion match fixes go by on this version of iptables. I ran
>across one also, on the port to cerowrt of this version of iptables, in the
>"dscp" tables matches.
>
>http://www.bufferbloat.net/issues/216#note-48
>
>but have not poked into it further (am travelling). Fixed?
This is unfortunate indeed, but somewhat owed to the fact that this was
not encoded reliably previously, in other words, negations were
sometimes erroneously allowed as each match checked for this themselves.
With the move to the Guided Option Parser, negation became centrally
checked and thus needs to be explicitly mentioned. With the initial
conversion to GOP, I may have missed adding XTOPT_INVERT in some cases
because of that repetitive action.
Yeah, there are other extensions (xt_dccp) that I have come across in my
audit sweep of all extensions so far.
* Re: Fixes to iptables-1.4.12
From: Patrick McHardy @ 2011-08-21 9:31 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
On 20.08.2011 21:24, Jan Engelhardt wrote:
> The following changes since commit 91ca4603f649a9b9fed4f2e31a8c005cdbdacd1e:
>
> Merge branch 'master' of git://dev.medozas.de/iptables (2011-08-09 13:23:17 +0200)
>
> are available in the git repository at:
>
> git://dev.medozas.de/iptables master
>
> Bernard Massot (1):
> doc: fix typo in libxt_TRACE
>
> Dwight Davis (1):
> libxt_string: fix space around arguments
>
> Jan Engelhardt (4):
> libxt_u32: fix missing allowance for inversion
> libxt_set: update man page about kernel support on the feature
> libxt_tcp: always print the mask parts
> libxt_set: put differing variable names in directly
>
Pulled, thanks Jan.
* Re: [PATCH 1/6] libxt_u32: fix missing allowance for inversion
From: Dave Taht @ 2011-08-22 16:31 UTC
To: Jan Engelhardt; +Cc: kaber, netfilter-devel
On Sun, Aug 21, 2011 at 12:25 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> [oh, the mailing list daemon seems unresponsive for I have not
> received the 2nd copy, and neither did the web crawlers...]
>
>
No, I goofed and sent html, which it kicked back.
> On Saturday 2011-08-20 23:40, Dave Taht wrote:
>
> >I keep seeing inversion match fixes go by on this version of iptables. I ran
> >across one also, on the port to cerowrt of this version of iptables, in the
> >"dscp" tables matches.
> >
> >http://www.bufferbloat.net/issues/216#note-48
> >
> >but have not poked into it further (am travelling). Fixed?
>
> This is unfortunate indeed, but somewhat owed to the fact that this was
> not encoded reliably previously, in other words, negations were
> sometimes erroneously allowed as each match checked for this themselves.
>
> With the move to the Guided Option Parser, negation became centrally
> checked and thus needs to be explicitly mentioned. With the initial
> conversion to GOP, I may have missed adding XTOPT_INVERT in some cases
> because of that repetitive action.
>
> Yeah, there are other extensions (xt_dccp) that I have come across in my
> audit sweep of all extensions so far.
I saw the fixes to dccp go by today, but where I'd hit the problem was
with the 'dscp' matches. I have a test implementation of diffserv (
https://github.com/dtaht/Diffserv ) where a quick test against this
release of iptables showed the inversion regression as per the above
bug note...
Regrettably I'm away from a build machine, internet, etc. for a few more days.
--
Dave Täht
* Re: [PATCH 1/6] libxt_u32: fix missing allowance for inversion
From: Jan Engelhardt @ 2011-08-23 7:34 UTC
To: Dave Taht; +Cc: kaber, netfilter-devel
On Monday 2011-08-22 18:31, Dave Taht wrote:
>>
>> Yeah, there are other extensions (xt_dccp) that I have come across in my
>> audit sweep of all extensions so far.
>
>I saw the fixes to dccp go by today, but where I'd hit the problem was
>with the 'dscp' matches. I have a test implementation of diffserv (
>https://github.com/dtaht/Diffserv ) where a quick test against this
>release of iptables showed the inversion regression as per the above
>bug note...
The last sent batch contains fixes across the board, including
dscp, dccp, and some others.