New upstream version 1.8.1

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for iptables 1.8.0.
+# Generated by GNU Autoconf 2.69 for iptables 1.8.1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='iptables'
 PACKAGE_TARNAME='iptables'
-PACKAGE_VERSION='1.8.0'
-PACKAGE_STRING='iptables 1.8.0'
+PACKAGE_VERSION='1.8.1'
+PACKAGE_STRING='iptables 1.8.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1413,7 +1413,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures iptables 1.8.0 to adapt to many kinds of systems.
+\`configure' configures iptables 1.8.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1484,7 +1484,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of iptables 1.8.0:";;
+     short | recursive ) echo "Configuration of iptables 1.8.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1641,7 +1641,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-iptables configure 1.8.0
+iptables configure 1.8.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2189,7 +2189,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by iptables $as_me 1.8.0, which was
+It was created by iptables $as_me 1.8.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2539,8 +2539,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=12
-libxtables_vage=0
+libxtables_vcurrent=13
+libxtables_vage=1
 
 ac_aux_dir=
 for ac_dir in build-aux "$srcdir"/build-aux; do
@@ -3060,7 +3060,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='iptables'
- VERSION='1.8.0'
+ VERSION='1.8.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14154,7 +14154,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by iptables $as_me 1.8.0, which was
+This file was extended by iptables $as_me 1.8.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14220,7 +14220,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-iptables config.status 1.8.0
+iptables config.status 1.8.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

 
-AC_INIT([iptables], [1.8.0])
+AC_INIT([iptables], [1.8.1])
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=12
-libxtables_vage=0
+libxtables_vcurrent=13
+libxtables_vage=1
 
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])

extensions/GNUmakefile.in

@@ -40,8 +40,8 @@ endif
 #	Wildcard module list
 #
 pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
-pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
-pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c)))
+@ENABLE_NFTABLES_TRUE@ pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c)))
+@ENABLE_NFTABLES_TRUE@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c)))
 pfx_symlinks  := NOTRACK state
 @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
 @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))

extensions/libarpt_mangle.c

@@ -139,47 +139,39 @@ static void print_mac(const unsigned char *mac, int l)
 			(j==l-1) ? "" : ":");
 }
 
+static const char *ipaddr_to(const struct in_addr *addrp, int numeric)
+{
+	if (numeric)
+		return xtables_ipaddr_to_numeric(addrp);
+	else
+		return xtables_ipaddr_to_anyname(addrp);
+}
+
 static void
 arpmangle_print(const void *ip, const struct xt_entry_target *target,
 		int numeric)
 {
 	struct arpt_mangle *m = (struct arpt_mangle *)(target->data);
-	char buf[100];
 
 	if (m->flags & ARPT_MANGLE_SIP) {
-		if (numeric)
-			sprintf(buf, "%s",
-				xtables_ipaddr_to_numeric(&(m->u_s.src_ip)));
-		else
-			sprintf(buf, "%s",
-				xtables_ipaddr_to_anyname(&(m->u_s.src_ip)));
-		printf("--mangle-ip-s %s ", buf);
+		printf(" --mangle-ip-s %s",
+		       ipaddr_to(&(m->u_s.src_ip), numeric));
 	}
 	if (m->flags & ARPT_MANGLE_SDEV) {
-		printf("--mangle-mac-s ");
+		printf(" --mangle-mac-s ");
 		print_mac((unsigned char *)m->src_devaddr, 6);
-		printf(" ");
 	}
 	if (m->flags & ARPT_MANGLE_TIP) {
-		if (numeric)
-			sprintf(buf, "%s",
-				xtables_ipaddr_to_numeric(&(m->u_t.tgt_ip)));
-		else
-			sprintf(buf, "%s",
-				xtables_ipaddr_to_anyname(&(m->u_t.tgt_ip)));
-		printf("--mangle-ip-d %s ", buf);
+		printf(" --mangle-ip-d %s",
+		       ipaddr_to(&(m->u_t.tgt_ip), numeric));
 	}
 	if (m->flags & ARPT_MANGLE_TDEV) {
-		printf("--mangle-mac-d ");
+		printf(" --mangle-mac-d ");
 		print_mac((unsigned char *)m->tgt_devaddr, 6);
-		printf(" ");
 	}
 	if (m->target != NF_ACCEPT) {
-		printf("--mangle-target ");
-		if (m->target == NF_DROP)
-			printf("DROP ");
-		else
-			printf("CONTINUE ");
+		printf(" --mangle-target %s",
+		       m->target == NF_DROP ? "DROP" : "CONTINUE");
 	}
 }
 

extensions/libebt_arp.c

@@ -14,7 +14,7 @@
 #include <xtables.h>
 #include <netinet/ether.h>
 
-#include <ebtables/ethernetdb.h>
+#include <xtables.h>
 #include <net/if_arp.h>
 #include <linux/netfilter_bridge/ebt_arp.h>
 #include "iptables/nft.h"
@@ -75,7 +75,7 @@ static void brarp_print_help(void)
 		printf(" %d = %s\n", i + 1, opcodes[i]);
 	printf(
 " hardware type string: 1 = Ethernet\n"
-" protocol type string: see "_PATH_ETHERTYPES"\n");
+" protocol type string: see "XT_PATH_ETHERTYPES"\n");
 }
 
 #define OPT_OPCODE 0x01
@@ -209,76 +209,6 @@ static int brarp_get_mac_and_mask(const char *from, unsigned char *to, unsigned
 	return 0;
 }
 
-static struct ethertypeent *brarp_getethertypeent(FILE *etherf, const char *name)
-{
-	static struct ethertypeent et_ent;
-	char *e, *found_name;
-	char line[1024];
-
-	while ((e = fgets(line, sizeof(line), etherf))) {
-		char *endptr, *cp;
-
-		if (*e == '#')
-			continue;
-
-		cp = strpbrk(e, "#\n");
-		if (cp == NULL)
-			continue;
-		*cp = '\0';
-		found_name = e;
-
-		cp = strpbrk(e, " \t");
-		if (cp == NULL)
-			continue;
-
-		*cp++ = '\0';
-		while (*cp == ' ' || *cp == '\t')
-			cp++;
-		e = strpbrk(cp, " \t");
-		if (e != NULL)
-			*e++ = '\0';
-
-		et_ent.e_ethertype = strtol(cp, &endptr, 16);
-		if (*endptr != '\0' ||
-		    (et_ent.e_ethertype < ETH_ZLEN || et_ent.e_ethertype > 0xFFFF))
-			continue;
-
-		if (strcasecmp(found_name, name) == 0)
-			return (&et_ent);
-
-		if (e != NULL) {
-			cp = e;
-			while (cp && *cp) {
-				if (*cp == ' ' || *cp == '\t') {
-					cp++;
-					continue;
-				}
-				e = cp;
-				cp = strpbrk(cp, " \t");
-				if (cp != NULL)
-					*cp++ = '\0';
-				if (strcasecmp(e, name) == 0)
-					return (&et_ent);
-				e = cp;
-			}
-		}
-	}
-
-	return NULL;
-}
-
-static struct ethertypeent *brarp_getethertypebyname(const char *name)
-{
-	struct ethertypeent *e;
-	FILE *etherf;
-
-	etherf = fopen(_PATH_ETHERTYPES, "r");
-
-	e = brarp_getethertypeent(etherf, name);
-	fclose(etherf);
-	return (e);
-}
-
 static int
 brarp_parse(int c, char **argv, int invert, unsigned int *flags,
 	    const void *entry, struct xt_entry_match **match)
@@ -332,9 +262,9 @@ brarp_parse(int c, char **argv, int invert, unsigned int *flags,
 
 		i = strtol(optarg, &end, 16);
 		if (i < 0 || i >= (0x1 << 16) || *end !='\0') {
-			struct ethertypeent *ent;
+			struct xt_ethertypeent *ent;
 
-			ent = brarp_getethertypebyname(argv[optind - 1]);
+			ent = xtables_getethertypebyname(argv[optind - 1]);
 			if (!ent)
 				xtables_error(PARAMETER_PROBLEM, "Problem with specified ARP "
 								 "protocol type");

extensions/libebt_ip.c

@@ -437,10 +437,6 @@ brip_parse(int c, char **argv, int invert, unsigned int *flags,
 		if (invert)
 			info->invflags |= EBT_IP_PROTO;
 		info->protocol = xtables_parse_protocol(optarg);
-		if (info->protocol == -1)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unknown specified IP protocol - %s",
-				      optarg);
 		info->bitmask |= EBT_IP_PROTO;
 		break;
 	default:

extensions/libebt_ip6.c

@@ -376,10 +376,6 @@ brip6_parse(int c, char **argv, int invert, unsigned int *flags,
 		if (invert)
 			info->invflags |= EBT_IP6_PROTO;
 		info->protocol = xtables_parse_protocol(optarg);
-		if (info->protocol == -1)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unknown specified IP protocol - %s",
-				      optarg);
 		info->bitmask |= EBT_IP6_PROTO;
 		break;
 	default:

extensions/libebt_limit.c

-/* ebt_limit
- *
- * Authors:
- * Tom Marshall <tommy@home.tig-grr.com>
- *
- * Mostly copied from iptables' limit match.
- *
- * September, 2003
- *
- * Translated to use libxtables for ebtables-compat in 2015 by
- * Arturo Borrero Gonzalez <arturo@debian.org>
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <errno.h>
-#include <xtables.h>
-#include <linux/netfilter_bridge/ebt_limit.h>
-#include "iptables/nft.h"
-#include "iptables/nft-bridge.h"
-
-#define EBT_LIMIT_AVG	"3/hour"
-#define EBT_LIMIT_BURST	5
-
-#define FLAG_LIMIT		0x01
-#define FLAG_LIMIT_BURST	0x02
-#define ARG_LIMIT		'1'
-#define ARG_LIMIT_BURST		'2'
-
-static const struct option brlimit_opts[] =
-{
-	{ .name = "limit",	.has_arg = true,	.val = ARG_LIMIT },
-	{ .name = "limit-burst",.has_arg = true,	.val = ARG_LIMIT_BURST },
-	XT_GETOPT_TABLEEND,
-};
-
-static void brlimit_print_help(void)
-{
-	printf(
-"limit options:\n"
-"--limit avg                   : max average match rate: default "EBT_LIMIT_AVG"\n"
-"                                [Packets per second unless followed by \n"
-"                                /sec /minute /hour /day postfixes]\n"
-"--limit-burst number          : number to match in a burst, -1 < number < 10001,\n"
-"                                default %u\n", EBT_LIMIT_BURST);
-}
-
-static int parse_rate(const char *rate, uint32_t *val)
-{
-	const char *delim;
-	uint32_t r;
-	uint32_t mult = 1;  /* Seconds by default. */
-
-	delim = strchr(rate, '/');
-	if (delim) {
-		if (strlen(delim+1) == 0)
-			return 0;
-
-		if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
-			mult = 1;
-		else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
-			mult = 60;
-		else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
-			mult = 60*60;
-		else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
-			mult = 24*60*60;
-		else
-			return 0;
-	}
-	r = atoi(rate);
-	if (!r)
-		return 0;
-
-	/* This would get mapped to infinite (1/day is minimum they
-	   can specify, so we're ok at that end). */
-	if (r / mult > EBT_LIMIT_SCALE)
-		return 0;
-
-	*val = EBT_LIMIT_SCALE * mult / r;
-	return 1;
-}
-
-static void brlimit_init(struct xt_entry_match *match)
-{
-	struct ebt_limit_info *r = (struct ebt_limit_info *)match->data;
-
-	parse_rate(EBT_LIMIT_AVG, &r->avg);
-	r->burst = EBT_LIMIT_BURST;
-}
-
-static int brlimit_parse(int c, char **argv, int invert, unsigned int *flags,
-			 const void *entry, struct xt_entry_match **match)
-{
-	struct ebt_limit_info *r = (struct ebt_limit_info *)(*match)->data;
-	uintmax_t num;
-
-	switch (c) {
-	case ARG_LIMIT:
-		EBT_CHECK_OPTION(flags, FLAG_LIMIT);
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unexpected `!' after --limit");
-		if (!parse_rate(optarg, &r->avg))
-			xtables_error(PARAMETER_PROBLEM,
-				      "bad rate `%s'", optarg);
-		break;
-	case ARG_LIMIT_BURST:
-		EBT_CHECK_OPTION(flags, FLAG_LIMIT_BURST);
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unexpected `!' after --limit-burst");
-		if (!xtables_strtoul(optarg, NULL, &num, 0, 10000))
-			xtables_error(PARAMETER_PROBLEM,
-				      "bad --limit-burst `%s'", optarg);
-		r->burst = num;
-		break;
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-struct rates
-{
-	const char	*name;
-	uint32_t	mult;
-};
-
-static struct rates g_rates[] =
-{
-	{ "day",	EBT_LIMIT_SCALE*24*60*60 },
-	{ "hour",	EBT_LIMIT_SCALE*60*60 },
-	{ "minute",	EBT_LIMIT_SCALE*60 },
-	{ "second",	EBT_LIMIT_SCALE }
-};
-
-static void print_rate(uint32_t period)
-{
-	unsigned int i;
-
-	for (i = 1; i < sizeof(g_rates)/sizeof(struct rates); i++)
-		if (period > g_rates[i].mult ||
-		    g_rates[i].mult/period < g_rates[i].mult%period)
-			break;
-
-	printf("%u/%s ", g_rates[i-1].mult / period, g_rates[i-1].name);
-}
-
-static void brlimit_print(const void *ip, const struct xt_entry_match *match,
-			  int numeric)
-{
-	struct ebt_limit_info *r = (struct ebt_limit_info *)match->data;
-
-	printf("--limit ");
-	print_rate(r->avg);
-	printf("--limit-burst %u ", r->burst);
-}
-
-static void print_rate_xlate(struct xt_xlate *xl, uint32_t period)
-{
-	unsigned int i;
-
-	for (i = 1; i < sizeof(g_rates)/sizeof(struct rates); i++)
-		if (period > g_rates[i].mult ||
-		    g_rates[i].mult/period < g_rates[i].mult%period)
-			break;
-
-	xt_xlate_add(xl, "%u/%s ", g_rates[i-1].mult / period, g_rates[i-1].name);
-}
-
-static int brlimit_xlate(struct xt_xlate *xl,
-			 const struct xt_xlate_mt_params *params)
-{
-	const struct ebt_limit_info *r = (const void *)params->match->data;
-
-	xt_xlate_add(xl, "limit rate ");
-	print_rate_xlate(xl, r->avg);
-	if (r->burst != 0)
-		xt_xlate_add(xl, "burst %u packets ", r->burst);
-
-	return 1;
-}
-
-static struct xtables_match brlimit_match = {
-	.name		= "limit",
-	.revision	= 0,
-	.version	= XTABLES_VERSION,
-	.family		= NFPROTO_BRIDGE,
-	.size		= XT_ALIGN(sizeof(struct ebt_limit_info)),
-	.userspacesize	= offsetof(struct ebt_limit_info, prev),
-	.init		= brlimit_init,
-	.help		= brlimit_print_help,
-	.parse		= brlimit_parse,
-	.print		= brlimit_print,
-	.xlate		= brlimit_xlate,
-	.extra_opts	= brlimit_opts,
-};
-
-void _init(void)
-{
-	xtables_register_match(&brlimit_match);
-}

extensions/libebt_log.c

@@ -92,6 +92,14 @@ static void brlog_init(struct xt_entry_target *t)
 	loginfo->loglevel = LOG_NOTICE;
 }
 
+static unsigned int log_chk_inv(int inv, unsigned int bit, const char *suffix)
+{
+	if (inv)
+		xtables_error(PARAMETER_PROBLEM,
+			      "Unexpected `!' after --log%s", suffix);
+	return bit;
+}
+
 static int brlog_parse(int c, char **argv, int invert, unsigned int *flags,
 		       const void *entry, struct xt_entry_target **target)
 {
@@ -125,26 +133,16 @@ static int brlog_parse(int c, char **argv, int invert, unsigned int *flags,
 				      "Problem with the log-level");
 		break;
 	case LOG_IP:
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unexpected `!' after --log-ip");
-		loginfo->bitmask |= EBT_LOG_IP;
+		loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_IP, "-ip");
 		break;
 	case LOG_ARP:
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unexpected `!' after --log-arp");
-		loginfo->bitmask |= EBT_LOG_ARP;
+		loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_ARP, "-arp");
+		break;
 	case LOG_LOG:
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unexpected `!' after --log");
+		loginfo->bitmask |= log_chk_inv(invert, 0, "");
 		break;
 	case LOG_IP6:
-		if (invert)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Unexpected `!' after --log-ip6");
-		loginfo->bitmask |= EBT_LOG_IP6;
+		loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_IP6, "-ip6");
 		break;
 	default:
 		return 0;

extensions/libebt_mark.c

@@ -18,8 +18,6 @@
 #include "iptables/nft.h"
 #include "iptables/nft-bridge.h"
 
-static int mark_supplied;
-
 #define MARK_TARGET  '1'
 #define MARK_SETMARK '2'
 #define MARK_ORMARK  '3'
@@ -54,7 +52,6 @@ static void brmark_init(struct xt_entry_target *target)
 
 	info->target = EBT_ACCEPT;
 	info->mark = 0;
-	mark_supplied = 0;
 }
 
 #define OPT_MARK_TARGET   0x01
@@ -133,7 +130,6 @@ brmark_parse(int c, char **argv, int invert, unsigned int *flags,
 		xtables_error(PARAMETER_PROBLEM, "Bad MARK value '%s'",
 			      optarg);
 
-	mark_supplied = 1;
 	return 1;
 }
 
@@ -162,9 +158,6 @@ static void brmark_print(const void *ip, const struct xt_entry_target *target,
 
 static void brmark_final_check(unsigned int flags)
 {
-	if (mark_supplied == 0)
-		xtables_error(PARAMETER_PROBLEM, "No mark value supplied");
-
 	if (!flags)
 		xtables_error(PARAMETER_PROBLEM,
 			      "You must specify some option");

extensions/libebt_vlan.c

@@ -12,7 +12,6 @@
 #include <getopt.h>
 #include <ctype.h>
 #include <xtables.h>
-#include <ebtables/ethernetdb.h>
 #include <linux/netfilter_bridge/ebt_vlan.h>
 #include <linux/if_ether.h>
 #include "iptables/nft.h"
@@ -50,82 +49,12 @@ static void brvlan_print_help(void)
 "--vlan-encap [!] encap : Encapsulated frame protocol (hexadecimal or name)\n");
 }
 
-static struct ethertypeent *vlan_getethertypeent(FILE *etherf, const char *name)
-{
-	static struct ethertypeent et_ent;
-	char *e, *found_name;
-	char line[1024];
-
-	while ((e = fgets(line, sizeof(line), etherf))) {
-		char *endptr, *cp;
-
-		if (*e == '#')
-			continue;
-
-		cp = strpbrk(e, "#\n");
-		if (cp == NULL)
-			continue;
-		*cp = '\0';
-		found_name = e;
-
-		cp = strpbrk(e, " \t");
-		if (cp == NULL)
-			continue;
-
-		*cp++ = '\0';
-		while (*cp == ' ' || *cp == '\t')
-			cp++;
-		e = strpbrk(cp, " \t");
-		if (e != NULL)
-			*e++ = '\0';
-
-		et_ent.e_ethertype = strtol(cp, &endptr, 16);
-		if (*endptr != '\0' ||
-		    (et_ent.e_ethertype < ETH_ZLEN || et_ent.e_ethertype > 0xFFFF))
-			continue; // skip invalid etherproto type entry
-
-		if (strcasecmp(found_name, name) == 0)
-			return (&et_ent);
-
-		if (e != NULL) {
-			cp = e;
-			while (cp && *cp) {
-				if (*cp == ' ' || *cp == '\t') {
-					cp++;
-					continue;
-				}
-				e = cp;
-				cp = strpbrk(cp, " \t");
-				if (cp != NULL)
-					*cp++ = '\0';
-				if (strcasecmp(e, name) == 0)
-					return (&et_ent);
-				e = cp;
-			}
-		}
-	}
-
-	return NULL;
-}
-
-static struct ethertypeent *brvlan_getethertypebyname(const char *name)
-{
-	struct ethertypeent *e;
-	FILE *etherf;
-
-	etherf = fopen(_PATH_ETHERTYPES, "r");
-
-	e = vlan_getethertypeent(etherf, name);
-	fclose(etherf);
-	return (e);
-}
-
 static int
 brvlan_parse(int c, char **argv, int invert, unsigned int *flags,
 	       const void *entry, struct xt_entry_match **match)
 {
 	struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) (*match)->data;
-	struct ethertypeent *ethent;
+	struct xt_ethertypeent *ethent;
 	char *end;
 	struct ebt_vlan_info local;
 
@@ -156,7 +85,7 @@ brvlan_parse(int c, char **argv, int invert, unsigned int *flags,
 			vlaninfo->invflags |= EBT_VLAN_ENCAP;
 		local.encap = strtoul(optarg, &end, 16);
 		if (*end != '\0') {
-			ethent = brvlan_getethertypebyname(optarg);
+			ethent = xtables_getethertypebyname(optarg);
 			if (ethent == NULL)
 				xtables_error(PARAMETER_PROBLEM, "Unknown --vlan-encap value ('%s')", optarg);
 			local.encap = ethent->e_ethertype;

extensions/libip6t_REJECT.c

@@ -13,13 +13,8 @@
 struct reject_names {
 	const char *name;
 	const char *alias;
-	enum ip6t_reject_with with;
 	const char *desc;
-};
-
-struct reject_names_xlate {
-	const char *name;
-	enum ip6t_reject_with with;
+	const char *xlate;
 };
 
 enum {
@@ -27,24 +22,50 @@ enum {
 };
 
 static const struct reject_names reject_table[] = {
-	{"icmp6-no-route", "no-route",
-		IP6T_ICMP6_NO_ROUTE, "ICMPv6 no route"},
-	{"icmp6-adm-prohibited", "adm-prohibited",
-		IP6T_ICMP6_ADM_PROHIBITED, "ICMPv6 administratively prohibited"},
+	[IP6T_ICMP6_NO_ROUTE] = {
+		"icmp6-no-route", "no-route",
+		"ICMPv6 no route",
+		"no-route",
+	},
+	[IP6T_ICMP6_ADM_PROHIBITED] = {
+		"icmp6-adm-prohibited", "adm-prohibited",
+		"ICMPv6 administratively prohibited",
+		"admin-prohibited",
+	},
 #if 0
-	{"icmp6-not-neighbor", "not-neighbor"},
-		IP6T_ICMP6_NOT_NEIGHBOR, "ICMPv6 not a neighbor"},
+	[IP6T_ICMP6_NOT_NEIGHBOR] = {
+		"icmp6-not-neighbor", "not-neighbor",
+		"ICMPv6 not a neighbor",
+	},
 #endif
-	{"icmp6-addr-unreachable", "addr-unreach",
-		IP6T_ICMP6_ADDR_UNREACH, "ICMPv6 address unreachable"},
-	{"icmp6-port-unreachable", "port-unreach",
-		IP6T_ICMP6_PORT_UNREACH, "ICMPv6 port unreachable"},
-	{"tcp-reset", "tcp-reset",
-		IP6T_TCP_RESET, "TCP RST packet"},
-	{"icmp6-policy-fail", "policy-fail",
-		IP6T_ICMP6_POLICY_FAIL, "ICMPv6 policy fail"},
-	{"icmp6-reject-route", "reject-route",
-		IP6T_ICMP6_REJECT_ROUTE, "ICMPv6 reject route"}
+	[IP6T_ICMP6_ADDR_UNREACH] = {
+		"icmp6-addr-unreachable", "addr-unreach",
+		"ICMPv6 address unreachable",
+		"addr-unreachable",
+	},
+	[IP6T_ICMP6_PORT_UNREACH] = {
+		"icmp6-port-unreachable", "port-unreach",
+		"ICMPv6 port unreachable",
+		"port-unreachable",
+	},
+#if 0
+	[IP6T_ICMP6_ECHOREPLY] = {},
+#endif
+	[IP6T_TCP_RESET] = {
+		"tcp-reset", "tcp-reset",
+		"TCP RST packet",
+		"tcp reset",
+	},
+	[IP6T_ICMP6_POLICY_FAIL] = {
+		"icmp6-policy-fail", "policy-fail",
+		"ICMPv6 policy fail",
+		"policy-fail",
+	},
+	[IP6T_ICMP6_REJECT_ROUTE] = {
+		"icmp6-reject-route", "reject-route",
+		"ICMPv6 reject route",
+		"reject-route",
+	},
 };
 
 static void
@@ -55,6 +76,8 @@ print_reject_types(void)
 	printf("Valid reject types:\n");
 
 	for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
+		if (!reject_table[i].name)
+			continue;
 		printf("    %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
 		printf("    %-25s\talias\n", reject_table[i].alias);
 	}
@@ -91,14 +114,17 @@ static void REJECT_parse(struct xt_option_call *cb)
 	unsigned int i;
 
 	xtables_option_parse(cb);
-	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+	for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
+		if (!reject_table[i].name)
+			continue;
 		if (strncasecmp(reject_table[i].name,
 		      cb->arg, strlen(cb->arg)) == 0 ||
 		    strncasecmp(reject_table[i].alias,
 		      cb->arg, strlen(cb->arg)) == 0) {
-			reject->with = reject_table[i].with;
+			reject->with = i;
 			return;
 		}
+	}
 	xtables_error(PARAMETER_PROBLEM,
 		"unknown reject type \"%s\"", cb->arg);
 }
@@ -108,55 +134,32 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target,
 {
 	const struct ip6t_reject_info *reject
 		= (const struct ip6t_reject_info *)target->data;
-	unsigned int i;
 
-	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
-		if (reject_table[i].with == reject->with)
-			break;
-	printf(" reject-with %s", reject_table[i].name);
+	printf(" reject-with %s", reject_table[reject->with].name);
 }
 
 static void REJECT_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct ip6t_reject_info *reject
 		= (const struct ip6t_reject_info *)target->data;
-	unsigned int i;
 
-	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
-		if (reject_table[i].with == reject->with)
-			break;
-
-	printf(" --reject-with %s", reject_table[i].name);
+	printf(" --reject-with %s", reject_table[reject->with].name);
 }
 
-static const struct reject_names_xlate reject_table_xlate[] = {
-	{"no-route",		IP6T_ICMP6_NO_ROUTE},
-	{"admin-prohibited",	IP6T_ICMP6_ADM_PROHIBITED},
-	{"addr-unreachable",	IP6T_ICMP6_ADDR_UNREACH},
-	{"port-unreachable",	IP6T_ICMP6_PORT_UNREACH},
-	{"tcp reset",		IP6T_TCP_RESET},
-	{"policy-fail",		IP6T_ICMP6_POLICY_FAIL},
-	{"reject-route",	IP6T_ICMP6_REJECT_ROUTE}
-};
-
 static int REJECT_xlate(struct xt_xlate *xl,
 			const struct xt_xlate_tg_params *params)
 {
 	const struct ip6t_reject_info *reject =
 		(const struct ip6t_reject_info *)params->target->data;
-	unsigned int i;
-
-	for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
-		if (reject_table_xlate[i].with == reject->with)
-			break;
 
 	if (reject->with == IP6T_ICMP6_PORT_UNREACH)
 		xt_xlate_add(xl, "reject");
 	else if (reject->with == IP6T_TCP_RESET)
-		xt_xlate_add(xl, "reject with %s", reject_table_xlate[i].name);
+		xt_xlate_add(xl, "reject with %s",
+			     reject_table[reject->with].xlate);
 	else
 		xt_xlate_add(xl, "reject with icmpv6 type %s",
-			   reject_table_xlate[i].name);
+			     reject_table[reject->with].xlate);
 
 	return 1;
 }

extensions/libip6t_hbh.c

@@ -5,8 +5,6 @@
 #include <xtables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>
 
-#define DEBUG		0
-
 enum {
 	O_HBH_LEN = 0,
 	O_HBH_OPTS,
@@ -83,7 +81,7 @@ parse_options(const char *optsstr, uint16_t *opts)
                         opts[i] |= (0x00FF);
 		}
 
-#if DEBUG
+#ifdef DEBUG
 		printf("opts str: %s %s\n", cp, range);
 		printf("opts opt: %04X\n", opts[i]);
 #endif
@@ -92,7 +90,7 @@ parse_options(const char *optsstr, uint16_t *opts)
 
 	free(buffer);
 
-#if DEBUG
+#ifdef DEBUG
 	printf("addr nr: %d\n", i);
 #endif
 

extensions/libip6t_mh.txlate

 ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
-nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept
+nft add rule ip6 filter INPUT meta l4proto 135 mh type 1 counter accept
 
 ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
-nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept
+nft add rule ip6 filter INPUT meta l4proto 135 mh type 1-3 counter accept

extensions/libipt_REJECT.c

@@ -20,13 +20,8 @@
 struct reject_names {
 	const char *name;
 	const char *alias;
-	enum ipt_reject_with with;
 	const char *desc;
-};
-
-struct reject_names_xlate {
-	const char *name;
-	enum ipt_reject_with with;
+	const char *xlate;
 };
 
 enum {
@@ -34,26 +29,53 @@ enum {
 };
 
 static const struct reject_names reject_table[] = {
-	{"icmp-net-unreachable", "net-unreach",
-		IPT_ICMP_NET_UNREACHABLE, "ICMP network unreachable"},
-	{"icmp-host-unreachable", "host-unreach",
-		IPT_ICMP_HOST_UNREACHABLE, "ICMP host unreachable"},
-	{"icmp-proto-unreachable", "proto-unreach",
-		IPT_ICMP_PROT_UNREACHABLE, "ICMP protocol unreachable"},
-	{"icmp-port-unreachable", "port-unreach",
-		IPT_ICMP_PORT_UNREACHABLE, "ICMP port unreachable (default)"},
+	[IPT_ICMP_NET_UNREACHABLE] = {
+		"icmp-net-unreachable", "net-unreach",
+		"ICMP network unreachable",
+		"net-unreachable",
+	},
+	[IPT_ICMP_HOST_UNREACHABLE] = {
+		"icmp-host-unreachable", "host-unreach",
+		"ICMP host unreachable",
+		"host-unreachable",
+	},
+	[IPT_ICMP_PROT_UNREACHABLE] = {
+		"icmp-proto-unreachable", "proto-unreach",
+		"ICMP protocol unreachable",
+		"prot-unreachable",
+	},
+	[IPT_ICMP_PORT_UNREACHABLE] = {
+		"icmp-port-unreachable", "port-unreach",
+		"ICMP port unreachable (default)",
+		"port-unreachable",
+	},
 #if 0
-	{"echo-reply", "echoreply",
-	 IPT_ICMP_ECHOREPLY, "for ICMP echo only: faked ICMP echo reply"},
+	[IPT_ICMP_ECHOREPLY] = {
+		"echo-reply", "echoreply",
+		"for ICMP echo only: faked ICMP echo reply",
+		"echo-reply",
+	},
 #endif
-	{"icmp-net-prohibited", "net-prohib",
-	 IPT_ICMP_NET_PROHIBITED, "ICMP network prohibited"},
-	{"icmp-host-prohibited", "host-prohib",
-	 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
-	{"tcp-reset", "tcp-rst",
-	 IPT_TCP_RESET, "TCP RST packet"},
-	{"icmp-admin-prohibited", "admin-prohib",
-	 IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
+	[IPT_ICMP_NET_PROHIBITED] = {
+		"icmp-net-prohibited", "net-prohib",
+		"ICMP network prohibited",
+		"net-prohibited",
+	},
+	[IPT_ICMP_HOST_PROHIBITED] = {
+		"icmp-host-prohibited", "host-prohib",
+		"ICMP host prohibited",
+		"host-prohibited",
+	},
+	[IPT_TCP_RESET] = {
+		"tcp-reset", "tcp-rst",
+		"TCP RST packet",
+		"tcp reset",
+	},
+	[IPT_ICMP_ADMIN_PROHIBITED] = {
+		"icmp-admin-prohibited", "admin-prohib",
+		"ICMP administratively prohibited (*)",
+		"admin-prohibited",
+	},
 };
 
 static void
@@ -64,6 +86,8 @@ print_reject_types(void)
 	printf("Valid reject types:\n");
 
 	for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
+		if (!reject_table[i].name)
+			continue;
 		printf("    %-25s\t%s\n", reject_table[i].name, reject_table[i].desc);
 		printf("    %-25s\talias\n", reject_table[i].alias);
 	}
@@ -102,14 +126,17 @@ static void REJECT_parse(struct xt_option_call *cb)
 	unsigned int i;
 
 	xtables_option_parse(cb);
-	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
+	for (i = 0; i < ARRAY_SIZE(reject_table); ++i) {
+		if (!reject_table[i].name)
+			continue;
 		if (strncasecmp(reject_table[i].name,
 		      cb->arg, strlen(cb->arg)) == 0 ||
 		    strncasecmp(reject_table[i].alias,
 		      cb->arg, strlen(cb->arg)) == 0) {
-			reject->with = reject_table[i].with;
+			reject->with = i;
 			return;
 		}
+	}
 	/* This due to be dropped late in 2.4 pre-release cycle --RR */
 	if (strncasecmp("echo-reply", cb->arg, strlen(cb->arg)) == 0 ||
 	    strncasecmp("echoreply", cb->arg, strlen(cb->arg)) == 0)
@@ -124,61 +151,32 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target,
 {
 	const struct ipt_reject_info *reject
 		= (const struct ipt_reject_info *)target->data;
-	unsigned int i;
 
-	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
-		if (reject_table[i].with == reject->with)
-			break;
-	printf(" reject-with %s", reject_table[i].name);
+	printf(" reject-with %s", reject_table[reject->with].name);
 }
 
 static void REJECT_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct ipt_reject_info *reject =
 		(const struct ipt_reject_info *)target->data;
-	unsigned int i;
-
-	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
-		if (reject_table[i].with == reject->with)
-			break;
 
-	printf(" --reject-with %s", reject_table[i].name);
+	printf(" --reject-with %s", reject_table[reject->with].name);
 }
 
-static const struct reject_names_xlate reject_table_xlate[] = {
-	{"net-unreachable",	IPT_ICMP_NET_UNREACHABLE},
-	{"host-unreachable",	IPT_ICMP_HOST_UNREACHABLE},
-	{"prot-unreachable",	IPT_ICMP_PROT_UNREACHABLE},
-	{"port-unreachable",	IPT_ICMP_PORT_UNREACHABLE},
-#if 0
-	{"echo-reply",		IPT_ICMP_ECHOREPLY},
-#endif
-	{"net-prohibited",	IPT_ICMP_NET_PROHIBITED},
-	{"host-prohibited",	IPT_ICMP_HOST_PROHIBITED},
-	{"tcp reset",		IPT_TCP_RESET},
-	{"admin-prohibited",	IPT_ICMP_ADMIN_PROHIBITED}
-};
-
 static int REJECT_xlate(struct xt_xlate *xl,
 			const struct xt_xlate_tg_params *params)
 {
 	const struct ipt_reject_info *reject =
 		(const struct ipt_reject_info *)params->target->data;
-	unsigned int i;
-
-	for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i) {
-		if (reject_table_xlate[i].with == reject->with)
-			break;
-	}
 
 	if (reject->with == IPT_ICMP_PORT_UNREACHABLE)
 		xt_xlate_add(xl, "reject");
 	else if (reject->with == IPT_TCP_RESET)
 		xt_xlate_add(xl, "reject with %s",
-			   reject_table_xlate[i].name);
+			     reject_table[reject->with].xlate);
 	else
 		xt_xlate_add(xl, "reject with icmp type %s",
-			   reject_table_xlate[i].name);
+			     reject_table[reject->with].xlate);
 
 	return 1;
 }

extensions/libxt_AUDIT.c

@@ -82,6 +82,16 @@ static void audit_save(const void *ip, const struct xt_entry_target *target)
 	}
 }
 
+static int audit_xlate(struct xt_xlate *xl,
+		       const struct xt_xlate_tg_params *params)
+{
+	/* audit type is merely sanity checked by xt_AUDIT.ko,
+	 * so nftables doesn't even support it */
+
+	xt_xlate_add(xl, "log level audit");
+	return 1;
+}
+
 static struct xtables_target audit_tg_reg = {
 	.name		= "AUDIT",
 	.version	= XTABLES_VERSION,
@@ -93,6 +103,7 @@ static struct xtables_target audit_tg_reg = {
 	.save		= audit_save,
 	.x6_parse	= audit_parse,
 	.x6_options	= audit_opts,
+	.xlate		= audit_xlate,
 };
 
 void _init(void)

extensions/libxt_AUDIT.txlate

+iptables-translate -t filter -A INPUT -j AUDIT --type accept
+nft add rule ip filter INPUT counter log level audit
+
+iptables-translate -t filter -A INPUT -j AUDIT --type drop
+nft add rule ip filter INPUT counter log level audit
+
+iptables-translate -t filter -A INPUT -j AUDIT --type reject
+nft add rule ip filter INPUT counter log level audit

extensions/libxt_LED.c

@@ -53,8 +53,7 @@ static void LED_parse(struct xt_option_call *cb)
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
 	case O_LED_TRIGGER_ID:
-		strcpy(led->id, "netfilter-");
-		strcat(led->id, cb->arg);
+		snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg);
 		break;
 	case O_LED_DELAY:
 		if (strncasecmp(cb->arg, "inf", 3) == 0)

extensions/libxt_cgroup.c

@@ -51,6 +51,24 @@ static const struct xt_option_entry cgroup_opts_v1[] = {
 	XTOPT_TABLEEND,
 };
 
+static const struct xt_option_entry cgroup_opts_v2[] = {
+	{
+		.name = "path",
+		.id = O_PATH,
+		.type = XTTYPE_STRING,
+		.flags = XTOPT_INVERT | XTOPT_PUT,
+		XTOPT_POINTER(struct xt_cgroup_info_v2, path)
+	},
+	{
+		.name = "cgroup",
+		.id = O_CLASSID,
+		.type = XTTYPE_UINT32,
+		.flags = XTOPT_INVERT | XTOPT_PUT,
+		XTOPT_POINTER(struct xt_cgroup_info_v2, classid)
+	},
+	XTOPT_TABLEEND,
+};
+
 static void cgroup_parse_v0(struct xt_option_call *cb)
 {
 	struct xt_cgroup_info_v0 *cgroupinfo = cb->data;
@@ -80,6 +98,26 @@ static void cgroup_parse_v1(struct xt_option_call *cb)
 	}
 }
 
+static void cgroup_parse_v2(struct xt_option_call *cb)
+{
+	struct xt_cgroup_info_v2 *info = cb->data;
+
+	xtables_option_parse(cb);
+
+	switch (cb->entry->id) {
+	case O_PATH:
+		info->has_path = true;
+		if (cb->invert)
+			info->invert_path = true;
+		break;
+	case O_CLASSID:
+		info->has_classid = true;
+		if (cb->invert)
+			info->invert_classid = true;
+		break;
+	}
+}
+
 static void
 cgroup_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
 {
@@ -121,6 +159,32 @@ static void cgroup_save_v1(const void *ip, const struct xt_entry_match *match)
 		       info->classid);
 }
 
+static void
+cgroup_print_v2(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_cgroup_info_v2 *info = (void *)match->data;
+
+	printf(" cgroup");
+	if (info->has_path)
+		printf(" %s%s", info->invert_path ? "! ":"", info->path);
+	if (info->has_classid)
+		printf(" %s%u", info->invert_classid ? "! ":"", info->classid);
+}
+
+static void cgroup_save_v2(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_cgroup_info_v2 *info = (void *)match->data;
+
+	if (info->has_path) {
+		printf("%s --path", info->invert_path ? " !" : "");
+		xtables_save_string(info->path);
+	}
+
+	if (info->has_classid)
+		printf("%s --cgroup %u", info->invert_classid ? " !" : "",
+		       info->classid);
+}
+
 static int cgroup_xlate_v0(struct xt_xlate *xl,
 			   const struct xt_xlate_mt_params *params)
 {
@@ -147,6 +211,22 @@ static int cgroup_xlate_v1(struct xt_xlate *xl,
 	return 1;
 }
 
+static int cgroup_xlate_v2(struct xt_xlate *xl,
+			   const struct xt_xlate_mt_params *params)
+{
+	const struct xt_cgroup_info_v2 *info = (void *)params->match->data;
+
+	if (info->has_path)
+		return 0;
+
+	if (info->has_classid)
+		xt_xlate_add(xl, "meta cgroup %s%u",
+			     info->invert_classid ? "!= " : "",
+			     info->classid);
+
+	return 1;
+}
+
 static struct xtables_match cgroup_match[] = {
 	{
 		.family		= NFPROTO_UNSPEC,
@@ -176,6 +256,20 @@ static struct xtables_match cgroup_match[] = {
 		.x6_options	= cgroup_opts_v1,
 		.xlate		= cgroup_xlate_v1,
 	},
+	{
+		.family		= NFPROTO_UNSPEC,
+		.revision	= 2,
+		.name		= "cgroup",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_cgroup_info_v2)),
+		.userspacesize	= offsetof(struct xt_cgroup_info_v2, priv),
+		.help		= cgroup_help_v1,
+		.print		= cgroup_print_v2,
+		.save		= cgroup_save_v2,
+		.x6_parse	= cgroup_parse_v2,
+		.x6_options	= cgroup_opts_v2,
+		.xlate		= cgroup_xlate_v2,
+	},
 };
 
 void _init(void)

extensions/libxt_conntrack.c

@@ -673,20 +673,20 @@ static void
 print_addr(const struct in_addr *addr, const struct in_addr *mask,
            int inv, int numeric)
 {
-	char buf[BUFSIZ];
-
 	if (inv)
 		printf(" !");
 
 	if (mask->s_addr == 0L && !numeric)
-		printf(" %s", "anywhere");
+		printf(" anywhere");
 	else {
 		if (numeric)
-			strcpy(buf, xtables_ipaddr_to_numeric(addr));
+			printf(" %s%s",
+			       xtables_ipaddr_to_numeric(addr),
+			       xtables_ipmask_to_numeric(mask));
 		else
-			strcpy(buf, xtables_ipaddr_to_anyname(addr));
-		strcat(buf, xtables_ipmask_to_numeric(mask));
-		printf(" %s", buf);
+			printf(" %s%s",
+			       xtables_ipaddr_to_anyname(addr),
+			       xtables_ipmask_to_numeric(mask));
 	}
 }
 
@@ -774,14 +774,6 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
         	else
 			printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max);
 	}
-
-	if (sinfo->flags & XT_CONNTRACK_DIRECTION) {
-		if (sinfo->invflags & XT_CONNTRACK_DIRECTION)
-			printf(" %sctdir REPLY", optpfx);
-		else
-			printf(" %sctdir ORIGINAL", optpfx);
-	}
-
 }
 
 static void