New upstream version 1.8.2

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for iptables 1.8.1.
+# Generated by GNU Autoconf 2.69 for iptables 1.8.2.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='iptables'
 PACKAGE_TARNAME='iptables'
-PACKAGE_VERSION='1.8.1'
-PACKAGE_STRING='iptables 1.8.1'
+PACKAGE_VERSION='1.8.2'
+PACKAGE_STRING='iptables 1.8.2'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1413,7 +1413,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures iptables 1.8.1 to adapt to many kinds of systems.
+\`configure' configures iptables 1.8.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1484,7 +1484,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of iptables 1.8.1:";;
+     short | recursive ) echo "Configuration of iptables 1.8.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1641,7 +1641,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-iptables configure 1.8.1
+iptables configure 1.8.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2189,7 +2189,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by iptables $as_me 1.8.1, which was
+It was created by iptables $as_me 1.8.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2539,8 +2539,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=13
-libxtables_vage=1
+libxtables_vcurrent=14
+libxtables_vage=2
 
 ac_aux_dir=
 for ac_dir in build-aux "$srcdir"/build-aux; do
@@ -3060,7 +3060,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='iptables'
- VERSION='1.8.1'
+ VERSION='1.8.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14154,7 +14154,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by iptables $as_me 1.8.1, which was
+This file was extended by iptables $as_me 1.8.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14220,7 +14220,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-iptables config.status 1.8.1
+iptables config.status 1.8.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

 
-AC_INIT([iptables], [1.8.1])
+AC_INIT([iptables], [1.8.2])
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=13
-libxtables_vage=1
+libxtables_vcurrent=14
+libxtables_vage=2
 
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])

extensions/libarpt_mangle.c

@@ -175,6 +175,11 @@ arpmangle_print(const void *ip, const struct xt_entry_target *target,
 	}
 }
 
+static void arpmangle_save(const void *ip, const struct xt_entry_target *target)
+{
+	arpmangle_print(ip, target, 0);
+}
+
 static struct xtables_target arpmangle_target = {
 	.name		= "mangle",
 	.revision	= 0,
@@ -187,6 +192,7 @@ static struct xtables_target arpmangle_target = {
 	.parse		= arpmangle_parse,
 	.final_check	= arpmangle_final_check,
 	.print		= arpmangle_print,
+	.save		= arpmangle_save,
 	.extra_opts	= arpmangle_opts,
 };
 

extensions/libebt_802_3.c

@@ -98,15 +98,15 @@ static void br802_3_print(const void *ip, const struct xt_entry_match *match,
 	struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data;
 
 	if (info->bitmask & EBT_802_3_SAP) {
-		printf("--802_3-sap ");
 		if (info->invflags & EBT_802_3_SAP)
 			printf("! ");
+		printf("--802_3-sap ");
 		printf("0x%.2x ", info->sap);
 	}
 	if (info->bitmask & EBT_802_3_TYPE) {
-		printf("--802_3-type ");
 		if (info->invflags & EBT_802_3_TYPE)
 			printf("! ");
+		printf("--802_3-type ");
 		printf("0x%.4x ", ntohs(info->type));
 	}
 }

extensions/libebt_arp.c

@@ -332,67 +332,58 @@ brarp_parse(int c, char **argv, int invert, unsigned int *flags,
 	return 1;
 }
 
-static void brarp_print_mac_and_mask(const unsigned char *mac, const unsigned char *mask)
-{
-	char hlpmsk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
-
-	printf("%s", ether_ntoa((struct ether_addr *) mac));
-	if (memcmp(mask, hlpmsk, 6))
-	        printf("/%s", ether_ntoa((struct ether_addr *) mask));
-}
-
 static void brarp_print(const void *ip, const struct xt_entry_match *match, int numeric)
 {
 	const struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)match->data;
 
 	if (arpinfo->bitmask & EBT_ARP_OPCODE) {
 		int opcode = ntohs(arpinfo->opcode);
-		printf("--arp-op ");
 		if (arpinfo->invflags & EBT_ARP_OPCODE)
 			printf("! ");
+		printf("--arp-op ");
 		if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes))
 			printf("%s ", opcodes[opcode - 1]);
 		else
 			printf("%d ", opcode);
 	}
 	if (arpinfo->bitmask & EBT_ARP_HTYPE) {
-		printf("--arp-htype ");
 		if (arpinfo->invflags & EBT_ARP_HTYPE)
 			printf("! ");
+		printf("--arp-htype ");
 		printf("%d ", ntohs(arpinfo->htype));
 	}
 	if (arpinfo->bitmask & EBT_ARP_PTYPE) {
-		printf("--arp-ptype ");
 		if (arpinfo->invflags & EBT_ARP_PTYPE)
 			printf("! ");
+		printf("--arp-ptype ");
 		printf("0x%x ", ntohs(arpinfo->ptype));
 	}
 	if (arpinfo->bitmask & EBT_ARP_SRC_IP) {
-		printf("--arp-ip-src ");
 		if (arpinfo->invflags & EBT_ARP_SRC_IP)
 			printf("! ");
+		printf("--arp-ip-src ");
 		printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr),
 		       xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk));
 	}
 	if (arpinfo->bitmask & EBT_ARP_DST_IP) {
-		printf("--arp-ip-dst ");
 		if (arpinfo->invflags & EBT_ARP_DST_IP)
 			printf("! ");
+		printf("--arp-ip-dst ");
 		printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr),
 		       xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk));
 	}
 	if (arpinfo->bitmask & EBT_ARP_SRC_MAC) {
-		printf("--arp-mac-src ");
 		if (arpinfo->invflags & EBT_ARP_SRC_MAC)
 			printf("! ");
-		brarp_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);
+		printf("--arp-mac-src ");
+		xtables_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);
 		printf(" ");
 	}
 	if (arpinfo->bitmask & EBT_ARP_DST_MAC) {
-		printf("--arp-mac-dst ");
 		if (arpinfo->invflags & EBT_ARP_DST_MAC)
 			printf("! ");
-		brarp_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);
+		printf("--arp-mac-dst ");
+		xtables_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);
 		printf(" ");
 	}
 	if (arpinfo->bitmask & EBT_ARP_GRAT) {

extensions/libebt_arpreply.c

+/* ebt_arpreply
+ *
+ * Authors:
+ * Grzegorz Borowiak <grzes@gnu.univ.gda.pl>
+ * Bart De Schuymer <bdschuym@pandora.be>
+ *
+ *  August, 2003
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <netinet/ether.h>
+#include <linux/netfilter_bridge/ebt_arpreply.h>
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define OPT_REPLY_MAC     0x01
+#define OPT_REPLY_TARGET  0x02
+
+#define REPLY_MAC '1'
+#define REPLY_TARGET '2'
+static const struct option brarpreply_opts[] = {
+	{ "arpreply-mac" ,    required_argument, 0, REPLY_MAC    },
+	{ "arpreply-target" , required_argument, 0, REPLY_TARGET },
+	XT_GETOPT_TABLEEND,
+};
+
+static void brarpreply_print_help(void)
+{
+	printf(
+	"arpreply target options:\n"
+	" --arpreply-mac address           : source MAC of generated reply\n"
+	" --arpreply-target target         : ACCEPT, DROP, RETURN or CONTINUE\n"
+	"                                    (standard target is DROP)\n");
+}
+
+static void brarpreply_init(struct xt_entry_target *target)
+{
+	struct ebt_arpreply_info *replyinfo = (void *)target->data;
+
+	replyinfo->target = EBT_DROP;
+}
+
+static int
+brarpreply_parse(int c, char **argv, int invert, unsigned int *flags,
+	    const void *entry, struct xt_entry_target **tg)
+
+{
+	struct ebt_arpreply_info *replyinfo = (void *)(*tg)->data;
+	struct ether_addr *addr;
+
+	switch (c) {
+	case REPLY_MAC:
+		EBT_CHECK_OPTION(flags, OPT_REPLY_MAC);
+		if (!(addr = ether_aton(optarg)))
+			xtables_error(PARAMETER_PROBLEM, "Problem with specified --arpreply-mac mac");
+		memcpy(replyinfo->mac, addr, ETH_ALEN);
+		break;
+	case REPLY_TARGET:
+		EBT_CHECK_OPTION(flags, OPT_REPLY_TARGET);
+		if (ebt_fill_target(optarg, (unsigned int *)&replyinfo->target))
+			xtables_error(PARAMETER_PROBLEM, "Illegal --arpreply-target target");
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void brarpreply_print(const void *ip, const struct xt_entry_target *t, int numeric)
+{
+	struct ebt_arpreply_info *replyinfo = (void *)t->data;
+
+	printf("--arpreply-mac ");
+	xtables_print_mac(replyinfo->mac);
+	if (replyinfo->target == EBT_DROP)
+		return;
+	printf(" --arpreply-target %s", ebt_target_name(replyinfo->target));
+}
+
+static struct xtables_target arpreply_target = {
+	.name		= "arpreply",
+	.version	= XTABLES_VERSION,
+	.family		= NFPROTO_BRIDGE,
+	.init		= brarpreply_init,
+	.size		= XT_ALIGN(sizeof(struct ebt_arpreply_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct ebt_arpreply_info)),
+	.help		= brarpreply_print_help,
+	.parse		= brarpreply_parse,
+	.print		= brarpreply_print,
+	.extra_opts	= brarpreply_opts,
+};
+
+void _init(void)
+{
+	xtables_register_target(&arpreply_target);
+}

extensions/libebt_dnat.c

@@ -74,17 +74,12 @@ static void brdnat_final_check(unsigned int flags)
 			      "You must specify proper arguments");
 }
 
-static void ebt_print_mac(const unsigned char *mac)
-{
-	printf("%s", ether_ntoa((struct ether_addr *) mac));
-}
-
 static void brdnat_print(const void *ip, const struct xt_entry_target *target, int numeric)
 {
 	struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
 
 	printf("--to-dst ");
-	ebt_print_mac(natinfo->mac);
+	xtables_print_mac(natinfo->mac);
 	printf(" --dnat-target %s", ebt_target_name(natinfo->target));
 }
 

extensions/libebt_ip.c

@@ -424,14 +424,17 @@ brip_parse(int c, char **argv, int invert, unsigned int *flags,
 			       info->igmp_type, NULL);
 		info->bitmask |= EBT_IP_IGMP;
 		break;
-	case IP_EBT_TOS:
+	case IP_EBT_TOS: {
+		uintmax_t tosvalue;
+
 		if (invert)
 			info->invflags |= EBT_IP_TOS;
-		if (!xtables_strtoul(optarg, NULL, (uintmax_t *)&info->tos,
-				     0, 255))
+		if (!xtables_strtoul(optarg, NULL, &tosvalue, 0, 255))
 			xtables_error(PARAMETER_PROBLEM,
 				      "Problem with specified IP tos");
+		info->tos = tosvalue;
 		info->bitmask |= EBT_IP_TOS;
+	}
 		break;
 	case IP_PROTO:
 		if (invert)
@@ -469,35 +472,35 @@ static void brip_print(const void *ip, const struct xt_entry_match *match,
 	struct in_addr *addrp, *maskp;
 
 	if (info->bitmask & EBT_IP_SOURCE) {
-		printf("--ip-src ");
 		if (info->invflags & EBT_IP_SOURCE)
 			printf("! ");
+		printf("--ip-src ");
 		addrp = (struct in_addr *)&info->saddr;
 		maskp = (struct in_addr *)&info->smsk;
 		printf("%s%s ", xtables_ipaddr_to_numeric(addrp),
 		       xtables_ipmask_to_numeric(maskp));
 	}
 	if (info->bitmask & EBT_IP_DEST) {
-		printf("--ip-dst ");
 		if (info->invflags & EBT_IP_DEST)
 			printf("! ");
+		printf("--ip-dst ");
 		addrp = (struct in_addr *)&info->daddr;
 		maskp = (struct in_addr *)&info->dmsk;
 		printf("%s%s ", xtables_ipaddr_to_numeric(addrp),
 		       xtables_ipmask_to_numeric(maskp));
 	}
 	if (info->bitmask & EBT_IP_TOS) {
-		printf("--ip-tos ");
 		if (info->invflags & EBT_IP_TOS)
 			printf("! ");
+		printf("--ip-tos ");
 		printf("0x%02X ", info->tos);
 	}
 	if (info->bitmask & EBT_IP_PROTO) {
 		struct protoent *pe;
 
-		printf("--ip-proto ");
 		if (info->invflags & EBT_IP_PROTO)
 			printf("! ");
+		printf("--ip-proto ");
 		pe = getprotobynumber(info->protocol);
 		if (pe == NULL) {
 			printf("%d ", info->protocol);
@@ -506,28 +509,28 @@ static void brip_print(const void *ip, const struct xt_entry_match *match,
 		}
 	}
 	if (info->bitmask & EBT_IP_SPORT) {
-		printf("--ip-sport ");
 		if (info->invflags & EBT_IP_SPORT)
 			printf("! ");
+		printf("--ip-sport ");
 		print_port_range(info->sport);
 	}
 	if (info->bitmask & EBT_IP_DPORT) {
-		printf("--ip-dport ");
 		if (info->invflags & EBT_IP_DPORT)
 			printf("! ");
+		printf("--ip-dport ");
 		print_port_range(info->dport);
 	}
 	if (info->bitmask & EBT_IP_ICMP) {
-		printf("--ip-icmp-type ");
 		if (info->invflags & EBT_IP_ICMP)
 			printf("! ");
+		printf("--ip-icmp-type ");
 		ebt_print_icmp_type(icmp_codes, ARRAY_SIZE(icmp_codes),
 				    info->icmp_type, info->icmp_code);
 	}
 	if (info->bitmask & EBT_IP_IGMP) {
-		printf("--ip-igmp-type ");
 		if (info->invflags & EBT_IP_IGMP)
 			printf("! ");
+		printf("--ip-igmp-type ");
 		ebt_print_icmp_type(igmp_types, ARRAY_SIZE(igmp_types),
 				    info->igmp_type, NULL);
 	}

extensions/libebt_ip6.c

@@ -353,7 +353,7 @@ brip6_parse(int c, char **argv, int invert, unsigned int *flags,
 		break;
 	case IP_DPORT:
 		if (invert)
-			info->invflags |= EBT_IP6_DEST;
+			info->invflags |= EBT_IP6_DPORT;
 		parse_port_range(NULL, optarg, info->dport);
 		info->bitmask |= EBT_IP6_DPORT;
 		break;
@@ -399,31 +399,31 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match,
 	struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data;
 
 	if (ipinfo->bitmask & EBT_IP6_SOURCE) {
-		printf("--ip6-src ");
 		if (ipinfo->invflags & EBT_IP6_SOURCE)
 			printf("! ");
+		printf("--ip6-src ");
 		printf("%s", xtables_ip6addr_to_numeric(&ipinfo->saddr));
 		printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->smsk));
 	}
 	if (ipinfo->bitmask & EBT_IP6_DEST) {
-		printf("--ip6-dst ");
 		if (ipinfo->invflags & EBT_IP6_DEST)
 			printf("! ");
+		printf("--ip6-dst ");
 		printf("%s", xtables_ip6addr_to_numeric(&ipinfo->daddr));
 		printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->dmsk));
 	}
 	if (ipinfo->bitmask & EBT_IP6_TCLASS) {
-		printf("--ip6-tclass ");
 		if (ipinfo->invflags & EBT_IP6_TCLASS)
 			printf("! ");
+		printf("--ip6-tclass ");
 		printf("0x%02X ", ipinfo->tclass);
 	}
 	if (ipinfo->bitmask & EBT_IP6_PROTO) {
 		struct protoent *pe;
 
-		printf("--ip6-proto ");
 		if (ipinfo->invflags & EBT_IP6_PROTO)
 			printf("! ");
+		printf("--ip6-proto ");
 		pe = getprotobynumber(ipinfo->protocol);
 		if (pe == NULL) {
 			printf("%d ", ipinfo->protocol);
@@ -432,21 +432,21 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match,
 		}
 	}
 	if (ipinfo->bitmask & EBT_IP6_SPORT) {
-		printf("--ip6-sport ");
 		if (ipinfo->invflags & EBT_IP6_SPORT)
 			printf("! ");
+		printf("--ip6-sport ");
 		print_port_range(ipinfo->sport);
 	}
 	if (ipinfo->bitmask & EBT_IP6_DPORT) {
-		printf("--ip6-dport ");
 		if (ipinfo->invflags & EBT_IP6_DPORT)
 			printf("! ");
+		printf("--ip6-dport ");
 		print_port_range(ipinfo->dport);
 	}
 	if (ipinfo->bitmask & EBT_IP6_ICMP6) {
-		printf("--ip6-icmp-type ");
 		if (ipinfo->invflags & EBT_IP6_ICMP6)
 			printf("! ");
+		printf("--ip6-icmp-type ");
 		print_icmp_type(ipinfo->icmpv6_type, ipinfo->icmpv6_code);
 	}
 }

extensions/libebt_mark_m.c

@@ -86,9 +86,9 @@ static void brmark_m_print(const void *ip, const struct xt_entry_match *match,
 {
 	struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data;
 
-	printf("--mark ");
 	if (info->invert)
 		printf("! ");
+	printf("--mark ");
 	if (info->bitmask == EBT_MARK_OR)
 		printf("/0x%lx ", info->mask);
 	else if (info->mask != 0xffffffff)
@@ -109,14 +109,14 @@ static int brmark_m_xlate(struct xt_xlate *xl,
 	xt_xlate_add(xl, "meta mark ");
 
 	if (info->bitmask == EBT_MARK_OR) {
-		xt_xlate_add(xl, "and 0x%x %s0 ", info->mask,
+		xt_xlate_add(xl, "and 0x%x %s0 ", (uint32_t)info->mask,
 			     info->invert ? "" : "!= ");
 	} else if (info->mask != 0xffffffffU) {
-		xt_xlate_add(xl, "and 0x%x %s0x%x ", info->mask,
-			   op == XT_OP_EQ ? "" : "!= ", info->mark);
+		xt_xlate_add(xl, "and 0x%x %s0x%x ", (uint32_t)info->mask,
+			   op == XT_OP_EQ ? "" : "!= ", (uint32_t)info->mark);
 	} else {
 		xt_xlate_add(xl, "%s0x%x ",
-			   op == XT_OP_EQ ? "" : "!= ", info->mark);
+			   op == XT_OP_EQ ? "" : "!= ", (uint32_t)info->mark);
 	}
 
 	return 1;

extensions/libebt_pkttype.c

@@ -75,7 +75,10 @@ static void brpkttype_print(const void *ip, const struct xt_entry_match *match,
 {
 	struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data;
 
-	printf("--pkttype-type %s", pt->invert ? "! " : "");
+	if (pt->invert)
+		printf("! ");
+
+	printf("--pkttype-type ");
 
 	if (pt->pkt_type < ARRAY_SIZE(classes))
 		printf("%s ", classes[pt->pkt_type]);

extensions/libebt_redirect.c

@@ -63,7 +63,7 @@ static void brredir_print(const void *ip, const struct xt_entry_target *target,
 
 	if (redirectinfo->target == EBT_ACCEPT)
 		return;
-	printf(" --redirect-target %s", ebt_target_name(redirectinfo->target));
+	printf("--redirect-target %s", ebt_target_name(redirectinfo->target));
 }
 
 static const char* brredir_verdict(int verdict)

extensions/libebt_snat.c

@@ -85,17 +85,12 @@ static void brsnat_final_check(unsigned int flags)
 			      "You must specify proper arguments");
 }
 
-static void ebt_print_mac(const unsigned char *mac)
-{
-	printf("%s", ether_ntoa((struct ether_addr *) mac));
-}
-
 static void brsnat_print(const void *ip, const struct xt_entry_target *target, int numeric)
 {
 	struct ebt_nat_info *natinfo = (struct ebt_nat_info *)target->data;
 
 	printf("--to-src ");
-	ebt_print_mac(natinfo->mac);
+	xtables_print_mac(natinfo->mac);
 	if (!(natinfo->target&NAT_ARP_BIT))
 		printf(" --snat-arp");
 	printf(" --snat-target %s", ebt_target_name((natinfo->target|~EBT_VERDICT_BITS)));

extensions/libebt_stp.c

@@ -297,31 +297,6 @@ brstp_parse(int c, char **argv, int invert, unsigned int *flags,
 	return 1;
 }
 
-static void ebt_print_mac(const unsigned char *mac)
-{
-	int j;
-	for (j = 0; j < ETH_ALEN; j++)
-		printf("%02x%s", mac[j],
-			(j==ETH_ALEN-1) ? "" : ":");
-}
-
-static bool mac_all_ones(const unsigned char *mac)
-{
-	static const char hlpmsk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
-
-	return memcmp(mac, hlpmsk, sizeof(hlpmsk)) == 0;
-}
-
-static void ebt_print_mac_and_mask(const unsigned char *mac, const unsigned char *mask)
-{
-
-	ebt_print_mac(mac);
-	if (!mac_all_ones(mask)) {
-		printf("/");
-		ebt_print_mac(mask);
-	}
-}
-
 static void brstp_print(const void *ip, const struct xt_entry_match *match,
 			 int numeric)
 {
@@ -332,8 +307,9 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match,
 	for (i = 0; i < STP_NUMOPS; i++) {
 		if (!(stpinfo->bitmask & (1 << i)))
 			continue;
-		printf("--%s %s", brstp_opts[i].name,
-		       (stpinfo->invflags & (1 << i)) ? "! " : "");
+		if (stpinfo->invflags & (1 << i))
+			printf("! ");
+		printf("--%s ", brstp_opts[i].name);
 		if (EBT_STP_TYPE == (1 << i)) {
 			if (stpinfo->type == BPDU_TYPE_CONFIG)
 				printf("%s", BPDU_TYPE_CONFIG_STRING);
@@ -351,14 +327,14 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match,
 		} else if (EBT_STP_ROOTPRIO == (1 << i))
 			print_range(c->root_priol, c->root_priou);
 		else if (EBT_STP_ROOTADDR == (1 << i))
-			ebt_print_mac_and_mask((unsigned char *)c->root_addr,
+			xtables_print_mac_and_mask((unsigned char *)c->root_addr,
 			   (unsigned char*)c->root_addrmsk);
 		else if (EBT_STP_ROOTCOST == (1 << i))
 			print_range(c->root_costl, c->root_costu);
 		else if (EBT_STP_SENDERPRIO == (1 << i))
 			print_range(c->sender_priol, c->sender_priou);
 		else if (EBT_STP_SENDERADDR == (1 << i))
-			ebt_print_mac_and_mask((unsigned char *)c->sender_addr,
+			xtables_print_mac_and_mask((unsigned char *)c->sender_addr,
 			   (unsigned char *)c->sender_addrmsk);
 		else if (EBT_STP_PORT == (1 << i))
 			print_range(c->portl, c->portu);

extensions/libebt_vlan.c

@@ -108,14 +108,19 @@ static void brvlan_print(const void *ip, const struct xt_entry_match *match,
 	struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data;
 
 	if (vlaninfo->bitmask & EBT_VLAN_ID) {
-		printf("--vlan-id %s%d ", (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", vlaninfo->id);
+		if (vlaninfo->invflags & EBT_VLAN_ID)
+			printf("! ");
+		printf("--vlan-id %d ", vlaninfo->id);
 	}
 	if (vlaninfo->bitmask & EBT_VLAN_PRIO) {
-		printf("--vlan-prio %s%d ", (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", vlaninfo->prio);
+		if (vlaninfo->invflags & EBT_VLAN_PRIO)
+			printf("! ");
+		printf("--vlan-prio %d ", vlaninfo->prio);
 	}
 	if (vlaninfo->bitmask & EBT_VLAN_ENCAP) {
-		printf("--vlan-encap %s", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : "");
-		printf("%4.4X ", ntohs(vlaninfo->encap));
+		if (vlaninfo->invflags & EBT_VLAN_ENCAP)
+			printf("! ");
+		printf("--vlan-encap %4.4X ", ntohs(vlaninfo->encap));
 	}
 }
 

extensions/libxt_CLASSIFY.c

@@ -73,13 +73,6 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
 	       TC_H_MAJ(clinfo->priority)>>16, TC_H_MIN(clinfo->priority));
 }
 
-static void
-arpCLASSIFY_print(const void *ip, const struct xt_entry_target *target,
-		  int numeric)
-{
-	CLASSIFY_save(ip, target);
-}
-
 static int CLASSIFY_xlate(struct xt_xlate *xl,
 			  const struct xt_xlate_tg_params *params)
 {
@@ -105,35 +98,21 @@ static int CLASSIFY_xlate(struct xt_xlate *xl,
 	return 1;
 }
 
-static struct xtables_target classify_target[] = {
-	{
-		.family		= NFPROTO_UNSPEC,
-		.name		= "CLASSIFY",
-		.version	= XTABLES_VERSION,
-		.size		= XT_ALIGN(sizeof(struct xt_classify_target_info)),
-		.userspacesize	= XT_ALIGN(sizeof(struct xt_classify_target_info)),
-		.help		= CLASSIFY_help,
-		.print		= CLASSIFY_print,
-		.save		= CLASSIFY_save,
-		.x6_parse	= CLASSIFY_parse,
-		.x6_options	= CLASSIFY_opts,
-		.xlate		= CLASSIFY_xlate,
-	},
-	{
-		.family		= NFPROTO_ARP,
-		.name		= "CLASSIFY",
-		.version	= XTABLES_VERSION,
-		.size		= XT_ALIGN(sizeof(struct xt_classify_target_info)),
-		.userspacesize	= XT_ALIGN(sizeof(struct xt_classify_target_info)),
-		.help		= CLASSIFY_help,
-		.print		= arpCLASSIFY_print,
-		.x6_parse	= CLASSIFY_parse,
-		.x6_options	= CLASSIFY_opts,
-		.xlate		= CLASSIFY_xlate,
-	},
+static struct xtables_target classify_target = { 
+	.family		= NFPROTO_UNSPEC,
+	.name		= "CLASSIFY",
+	.version	= XTABLES_VERSION,
+	.size		= XT_ALIGN(sizeof(struct xt_classify_target_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_classify_target_info)),
+	.help		= CLASSIFY_help,
+	.print		= CLASSIFY_print,
+	.save		= CLASSIFY_save,
+	.x6_parse	= CLASSIFY_parse,
+	.x6_options	= CLASSIFY_opts,
+	.xlate          = CLASSIFY_xlate,
 };
 
 void _init(void)
 {
-	xtables_register_targets(classify_target, ARRAY_SIZE(classify_target));
+	xtables_register_target(&classify_target);
 }

extensions/libxt_MARK.c

@@ -277,13 +277,13 @@ static int MARK_xlate(struct xt_xlate *xl,
 
 	switch(markinfo->mode) {
 	case XT_MARK_SET:
-		xt_xlate_add(xl, "0x%x ", markinfo->mark);
+		xt_xlate_add(xl, "0x%x ", (uint32_t)markinfo->mark);
 		break;
 	case XT_MARK_AND:
-		xt_xlate_add(xl, "mark and 0x%x ", markinfo->mark);
+		xt_xlate_add(xl, "mark and 0x%x ", (uint32_t)markinfo->mark);
 		break;
 	case XT_MARK_OR:
-		xt_xlate_add(xl, "mark or 0x%x ", markinfo->mark);
+		xt_xlate_add(xl, "mark or 0x%x ", (uint32_t)markinfo->mark);
 		break;
 	}
 

extensions/libxt_conntrack.c

@@ -1271,9 +1271,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
 			     sinfo->invert_flags & XT_CONNTRACK_EXPIRES ?
 			     "!= " : "");
 		if (sinfo->expires_max == sinfo->expires_min)
-			xt_xlate_add(xl, "%lu", sinfo->expires_min);
+			xt_xlate_add(xl, "%u", sinfo->expires_min);
 		else
-			xt_xlate_add(xl, "%lu-%lu", sinfo->expires_min,
+			xt_xlate_add(xl, "%u-%u", sinfo->expires_min,
 				     sinfo->expires_max);
 		space = " ";
 	}
@@ -1365,7 +1365,7 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
 	if (sinfo->match_flags & XT_CONNTRACK_REPLDST_PORT) {
 		xt_xlate_add(xl, "%sct reply proto-dst %s", space,
 			     sinfo->invert_flags & XT_CONNTRACK_REPLDST_PORT ?
-			     "!= " : "", sinfo->repldst_port);
+			     "!= " : "");
 		if (sinfo->repldst_port == sinfo->repldst_port_high)
 			xt_xlate_add(xl, "%u", sinfo->repldst_port);
 		else

extensions/libxt_hashlimit.c

@@ -1221,7 +1221,7 @@ static void print_packets_rate_xlate(struct xt_xlate *xl, uint64_t avg,
 		    _rates[i].mult / avg < _rates[i].mult % avg)
 			break;
 
-	xt_xlate_add(xl, " %llu/%s ",
+	xt_xlate_add(xl, " %" PRIu64 "/%s ",
 		     _rates[i-1].mult / avg, _rates[i-1].name);
 }
 
@@ -1354,7 +1354,7 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
 	else {
 		print_packets_rate_xlate(xl, cfg->avg, revision);
 		if (cfg->burst != XT_HASHLIMIT_BURST)
-			xt_xlate_add(xl, "burst %lu packets", cfg->burst);
+			xt_xlate_add(xl, "burst %" PRIu64 " packets", (uint64_t)cfg->burst);
 
 	}
 	xt_xlate_add(xl, "}");
@@ -1372,7 +1372,7 @@ static int hashlimit_xlate(struct xt_xlate *xl,
 	ret = hashlimit_mode_xlate(xl, info->cfg.mode, NFPROTO_IPV4, 32, 32);
 	xt_xlate_add(xl, " timeout %us limit rate", info->cfg.expire / 1000);
 	print_packets_rate_xlate(xl, info->cfg.avg, 1);
-	xt_xlate_add(xl, " burst %lu packets", info->cfg.burst);
+	xt_xlate_add(xl, " burst %u packets", info->cfg.burst);
 	xt_xlate_add(xl, "}");
 
 	return ret;

extensions/libxt_limit.c

@@ -15,7 +15,6 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_limit.h>
-#include "iptables/nft.h"
 #include "iptables/nft-bridge.h"
 
 #define XT_LIMIT_AVG	"3/hour"