New upstream version 1.8.1

extensions/libxt_hashlimit.c

@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
 	{.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
 	{.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
 	 .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
+	XTOPT_TABLEEND,
 };
 #undef s
 

extensions/libxt_ipvs.c

@@ -126,19 +126,19 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
 			      const union nf_inet_addr *mask,
 			      unsigned int family, bool numeric)
 {
-	char buf[BUFSIZ];
-
 	if (family == NFPROTO_IPV4) {
 		if (!numeric && addr->ip == 0) {
 			printf(" anywhere");
 			return;
 		}
 		if (numeric)
-			strcpy(buf, xtables_ipaddr_to_numeric(&addr->in));
+			printf(" %s%s",
+			       xtables_ipaddr_to_numeric(&addr->in),
+			       xtables_ipmask_to_numeric(&mask->in));
 		else
-			strcpy(buf, xtables_ipaddr_to_anyname(&addr->in));
-		strcat(buf, xtables_ipmask_to_numeric(&mask->in));
-		printf(" %s", buf);
+			printf(" %s%s",
+			       xtables_ipaddr_to_anyname(&addr->in),
+			       xtables_ipmask_to_numeric(&mask->in));
 	} else if (family == NFPROTO_IPV6) {
 		if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
 		    addr->ip6[2] == 0 && addr->ip6[3] == 0) {
@@ -146,11 +146,13 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
 			return;
 		}
 		if (numeric)
-			strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6));
+			printf(" %s%s",
+			       xtables_ip6addr_to_numeric(&addr->in6),
+			       xtables_ip6mask_to_numeric(&mask->in6));
 		else
-			strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6));
-		strcat(buf, xtables_ip6mask_to_numeric(&mask->in6));
-		printf(" %s", buf);
+			printf(" %s%s",
+			       xtables_ip6addr_to_anyname(&addr->in6),
+			       xtables_ip6mask_to_numeric(&mask->in6));
 	}
 }
 

extensions/libxt_limit.c

@@ -6,6 +6,8 @@
 #define _BSD_SOURCE 1
 #define _DEFAULT_SOURCE 1
 #define _ISOC99_SOURCE 1
+#include <errno.h>
+#include <getopt.h>
 #include <math.h>
 #include <stdio.h>
 #include <string.h>
@@ -13,6 +15,8 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_limit.h>
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
 
 #define XT_LIMIT_AVG	"3/hour"
 #define XT_LIMIT_BURST	5
@@ -191,7 +195,71 @@ static int limit_xlate(struct xt_xlate *xl,
 	return 1;
 }
 
-static struct xtables_match limit_match = {
+static int limit_xlate_eb(struct xt_xlate *xl,
+			  const struct xt_xlate_mt_params *params)
+{
+	limit_xlate(xl, params);
+	xt_xlate_add(xl, " ");
+	return 1;
+}
+
+#define FLAG_LIMIT		0x01
+#define FLAG_LIMIT_BURST	0x02
+#define ARG_LIMIT		'1'
+#define ARG_LIMIT_BURST		'2'
+
+static int brlimit_parse(int c, char **argv, int invert, unsigned int *flags,
+			 const void *entry, struct xt_entry_match **match)
+{
+	struct xt_rateinfo *r = (struct xt_rateinfo *)(*match)->data;
+	uintmax_t num;
+
+	switch (c) {
+	case ARG_LIMIT:
+		EBT_CHECK_OPTION(flags, FLAG_LIMIT);
+		if (invert)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Unexpected `!' after --limit");
+		if (!parse_rate(optarg, &r->avg))
+			xtables_error(PARAMETER_PROBLEM,
+				      "bad rate `%s'", optarg);
+		break;
+	case ARG_LIMIT_BURST:
+		EBT_CHECK_OPTION(flags, FLAG_LIMIT_BURST);
+		if (invert)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Unexpected `!' after --limit-burst");
+		if (!xtables_strtoul(optarg, NULL, &num, 0, 10000))
+			xtables_error(PARAMETER_PROBLEM,
+				      "bad --limit-burst `%s'", optarg);
+		r->burst = num;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void brlimit_print(const void *ip, const struct xt_entry_match *match,
+			  int numeric)
+{
+	const struct xt_rateinfo *r = (struct xt_rateinfo *)match->data;
+
+	printf("--limit");
+	print_rate(r->avg);
+	printf(" --limit-burst %u ", r->burst);
+}
+
+static const struct option brlimit_opts[] =
+{
+	{ .name = "limit",	.has_arg = true,	.val = ARG_LIMIT },
+	{ .name = "limit-burst",.has_arg = true,	.val = ARG_LIMIT_BURST },
+	XT_GETOPT_TABLEEND,
+};
+
+static struct xtables_match limit_match[] = {
+	{
 		.family		= NFPROTO_UNSPEC,
 		.name		= "limit",
 		.version	= XTABLES_VERSION,
@@ -204,9 +272,23 @@ static struct xtables_match limit_match = {
 		.save		= limit_save,
 		.x6_options	= limit_opts,
 		.xlate		= limit_xlate,
+	},
+	{
+		.family		= NFPROTO_BRIDGE,
+		.name		= "limit",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_rateinfo)),
+		.userspacesize	= offsetof(struct xt_rateinfo, prev),
+		.help		= limit_help,
+		.init		= limit_init,
+		.parse		= brlimit_parse,
+		.print		= brlimit_print,
+		.extra_opts	= brlimit_opts,
+		.xlate		= limit_xlate_eb,
+	},
 };
 
 void _init(void)
 {
-	xtables_register_match(&limit_match);
+	xtables_register_matches(limit_match, ARRAY_SIZE(limit_match));
 }

extensions/libxt_mangle.c

-/*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Authors:
- * 	Libarptc code from: Bart De Schuymer <bdschuym@pandora.be>
- * 	Port to libxtables: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <getopt.h>
-#include <errno.h>
-#include <netinet/ether.h>
-
-#include <xtables.h>
-#include <linux/netfilter_arp/arpt_mangle.h>
-
-static void mangle_help(void)
-{
-	printf(
-"mangle target options:\n"
-"--mangle-ip-s IP address\n"
-"--mangle-ip-d IP address\n"
-"--mangle-mac-s MAC address\n"
-"--mangle-mac-d MAC address\n"
-"--mangle-target target (DROP, CONTINUE or ACCEPT -- default is ACCEPT)\n"
-	);
-}
-
-enum {
-	MANGLE_IPS    = 0,
-	MANGLE_IPT    = 1,
-	MANGLE_DEVS   = 2,
-	MANGLE_DEVT   = 3,
-	MANGLE_TARGET = 4,
-};
-
-static const struct xt_option_entry mangle_opts[] = {
-	{ .name = "mangle-ip-s", .id = MANGLE_IPS, .type = XTTYPE_STRING },
-	{ .name = "mangle-ip-d", .id = MANGLE_IPT, .type = XTTYPE_STRING },
-	{ .name = "mangle-mac-s", .id = MANGLE_DEVS, .type = XTTYPE_STRING },
-	{ .name = "mangle-mac-d", .id = MANGLE_DEVT, .type = XTTYPE_STRING },
-	{ .name = "mangle-target", .id = MANGLE_TARGET,
-	  .type = XTTYPE_STRING },
-	XTOPT_TABLEEND,
-};
-
-
-static struct in_addr *network_to_addr(const char *name)
-{
-	struct netent *net;
-	static struct in_addr addr;
-
-	if ((net = getnetbyname(name)) != NULL) {
-		if (net->n_addrtype != AF_INET)
-			return (struct in_addr *) NULL;
-		addr.s_addr = htonl((unsigned long) net->n_net);
-		return &addr;
-	}
-
-	return (struct in_addr *) NULL;
-}
-
-static void inaddrcpy(struct in_addr *dst, struct in_addr *src)
-{
-	dst->s_addr = src->s_addr;
-}
-
-static struct in_addr *host_to_addr(const char *name, unsigned int *naddr)
-{
-	struct in_addr *addr;
-	struct addrinfo hints;
-	struct addrinfo *res, *p;
-	int err;
-	unsigned int i;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_flags	  = AI_CANONNAME;
-	hints.ai_family	  = AF_INET;
-	hints.ai_socktype = SOCK_RAW;
-
-	*naddr = 0;
-	err = getaddrinfo(name, NULL, &hints, &res);
-	if (err != 0)
-		return NULL;
-	else {
-		for (p = res; p != NULL; p = p->ai_next)
-			(*naddr)++;
-		addr = xtables_calloc(*naddr, sizeof(struct in_addr));
-		for (i = 0, p = res; p != NULL; p = p->ai_next)
-			memcpy(&addr[i++],
-			       &((const struct sockaddr_in *)p->ai_addr)->sin_addr,
-			       sizeof(struct in_addr));
-		freeaddrinfo(res);
-		return addr;
-	}
-
-	return (struct in_addr *) NULL;
-}
-
-static int string_to_number(const char *s, unsigned int min,
-			    unsigned int max, unsigned int *ret)
-{
-	long number;
-	char *end;
-
-	/* Handle hex, octal, etc. */
-	errno = 0;
-	number = strtol(s, &end, 0);
-	if (*end == '\0' && end != s) {
-		/* we parsed a number, let's see if we want this */
-		if (errno != ERANGE && min <= number && number <= max) {
-			*ret = number;
-			return 0;
-		}
-	}
-	return -1;
-}
-
-static struct in_addr *dotted_to_addr(const char *dotted)
-{
-	static struct in_addr addr;
-	unsigned char *addrp;
-	char *p, *q;
-	unsigned int onebyte;
-	int i;
-	char buf[20];
-
-	/* copy dotted string, because we need to modify it */
-	strncpy(buf, dotted, sizeof(buf) - 1);
-	addrp = (unsigned char *) &(addr.s_addr);
-
-	p = buf;
-	for (i = 0; i < 3; i++) {
-		if ((q = strchr(p, '.')) == NULL)
-			return (struct in_addr *) NULL;
-
-		*q = '\0';
-		if (string_to_number(p, 0, 255, &onebyte) == -1)
-			return (struct in_addr *) NULL;
-
-		addrp[i] = (unsigned char) onebyte;
-		p = q + 1;
-	}
-
-	/* we've checked 3 bytes, now we check the last one */
-	if (string_to_number(p, 0, 255, &onebyte) == -1)
-		return (struct in_addr *) NULL;
-
-	addrp[3] = (unsigned char) onebyte;
-
-	return &addr;
-}
-
-static struct in_addr *parse_hostnetwork(const char *name,
-					 unsigned int *naddrs)
-{
-	struct in_addr *addrp, *addrptmp;
-
-	if ((addrptmp = dotted_to_addr(name)) != NULL ||
-		(addrptmp = network_to_addr(name)) != NULL) {
-		addrp = xtables_malloc(sizeof(struct in_addr));
-		inaddrcpy(addrp, addrptmp);
-		*naddrs = 1;
-		return addrp;
-	}
-	if ((addrp = host_to_addr(name, naddrs)) != NULL)
-		return addrp;
-
-	xtables_error(PARAMETER_PROBLEM, "host/network `%s' not found", name);
-}
-
-static void mangle_parse(struct xt_option_call *cb)
-{
-	const struct arpt_entry *e = cb->xt_entry;
-	struct arpt_mangle *mangle =  cb->data;
-	struct in_addr *ipaddr;
-	struct ether_addr *macaddr;
-
-	/* mangle target is by default "ACCEPT". Setting it here,
-	 * since original arpt_mangle.c init() no longer exists*/
-	mangle->target = NF_ACCEPT;
-
-	xtables_option_parse(cb);
-	switch (cb->entry->id) {
-	case MANGLE_IPS:
-/*
-		if (e->arp.arpln_mask == 0)
-			xtables_error(PARAMETER_PROBLEM, "no pln defined");
-
-		if (e->arp.invflags & ARPT_INV_ARPPLN)
-			xtables_error(PARAMETER_PROBLEM,
-				   "! pln not allowed for --mangle-ip-s");
-*/
-/*
-		if (e->arp.arpln != 4)
-			xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
-*/
-		{
-			unsigned int nr;
-			ipaddr = parse_hostnetwork(cb->arg, &nr);
-		}
-		mangle->u_s.src_ip.s_addr = ipaddr->s_addr;
-		free(ipaddr);
-		mangle->flags |= ARPT_MANGLE_SIP;
-		break;
-	case MANGLE_IPT:
-/*
-		if (e->arp.arpln_mask == 0)
-			xtables_error(PARAMETER_PROBLEM, "no pln defined");
-
-		if (e->arp.invflags & ARPT_INV_ARPPLN)
-			xtables_error(PARAMETER_PROBLEM,
-				   "! pln not allowed for --mangle-ip-d");
-*/
-/*
-		if (e->arp.arpln != 4)
-			xtables_error(PARAMETER_PROBLEM, "only pln=4 supported");
-*/
-		{
-			unsigned int nr;
-			ipaddr = parse_hostnetwork(cb->arg, &nr);
-		}
-		mangle->u_t.tgt_ip.s_addr = ipaddr->s_addr;
-		free(ipaddr);
-		mangle->flags |= ARPT_MANGLE_TIP;
-		break;
-	case MANGLE_DEVS:
-		if (e->arp.arhln_mask == 0)
-			xtables_error(PARAMETER_PROBLEM,
-				      "no --h-length defined");
-		if (e->arp.invflags & ARPT_INV_ARPHLN)
-			xtables_error(PARAMETER_PROBLEM,
-				      "! --h-length not allowed for "
-				      "--mangle-mac-s");
-		if (e->arp.arhln != 6)
-			xtables_error(PARAMETER_PROBLEM,
-				      "only --h-length 6 supported");
-		macaddr = ether_aton(cb->arg);
-		if (macaddr == NULL)
-			xtables_error(PARAMETER_PROBLEM, "invalid source MAC");
-		memcpy(mangle->src_devaddr, macaddr, e->arp.arhln);
-		mangle->flags |= ARPT_MANGLE_SDEV;
-		break;
-	case MANGLE_DEVT:
-		if (e->arp.arhln_mask == 0)
-			xtables_error(PARAMETER_PROBLEM,
-				      "no --h-length defined");
-		if (e->arp.invflags & ARPT_INV_ARPHLN)
-			xtables_error(PARAMETER_PROBLEM,
-				      "! hln not allowed for --mangle-mac-d");
-		if (e->arp.arhln != 6)
-			xtables_error(PARAMETER_PROBLEM,
-				      "only --h-length 6 supported");
-		macaddr = ether_aton(cb->arg);
-		if (macaddr == NULL)
-			xtables_error(PARAMETER_PROBLEM, "invalid target MAC");
-		memcpy(mangle->tgt_devaddr, macaddr, e->arp.arhln);
-		mangle->flags |= ARPT_MANGLE_TDEV;
-		break;
-	case MANGLE_TARGET:
-		if (!strcmp(cb->arg, "DROP"))
-			mangle->target = NF_DROP;
-		else if (!strcmp(cb->arg, "ACCEPT"))
-			mangle->target = NF_ACCEPT;
-		else if (!strcmp(cb->arg, "CONTINUE"))
-			mangle->target = ARPT_CONTINUE;
-		else
-			xtables_error(PARAMETER_PROBLEM,
-				      "bad target for --mangle-target");
-		break;
-	}
-}
-
-static void mangle_fcheck(struct xt_fcheck_call *cb)
-{
-}
-
-static char *addr_to_dotted(const struct in_addr *addrp)
-{
-	static char buf[20];
-	const unsigned char *bytep;
-
-	bytep = (const unsigned char *) &(addrp->s_addr);
-	sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
-	return buf;
-}
-
-static char *addr_to_host(const struct in_addr *addr)
-{
-	struct hostent *host;
-
-	if ((host = gethostbyaddr((char *) addr,
-				  sizeof(struct in_addr), AF_INET)) != NULL)
-		return (char *) host->h_name;
-
-	return (char *) NULL;
-}
-
-static char *addr_to_network(const struct in_addr *addr)
-{
-	struct netent *net;
-
-	if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
-		return (char *) net->n_name;
-
-	return (char *) NULL;
-}
-
-static char *addr_to_anyname(const struct in_addr *addr)
-{
-	char *name;
-
-	if ((name = addr_to_host(addr)) != NULL ||
-		(name = addr_to_network(addr)) != NULL)
-		return name;
-
-	return addr_to_dotted(addr);
-}
-
-static void print_mac(const unsigned char *mac, int l)
-{
-	int j;
-
-	for (j = 0; j < l; j++)
-		printf("%02x%s", mac[j],
-			(j==l-1) ? "" : ":");
-}
-
-static void mangle_print(const void *ip, const struct xt_entry_target *target,
-			 int numeric)
-{
-	const struct arpt_mangle *m = (const void *)target;
-	char buf[100];
-
-	if (m->flags & ARPT_MANGLE_SIP) {
-		if (numeric)
-			sprintf(buf, "%s", addr_to_dotted(&(m->u_s.src_ip)));
-		else
-			sprintf(buf, "%s", addr_to_anyname(&(m->u_s.src_ip)));
-		printf("--mangle-ip-s %s ", buf);
-	}
-	if (m->flags & ARPT_MANGLE_SDEV) {
-		printf("--mangle-mac-s ");
-		print_mac((unsigned char *)m->src_devaddr, 6);
-		printf(" ");
-	}
-	if (m->flags & ARPT_MANGLE_TIP) {
-		if (numeric)
-			sprintf(buf, "%s", addr_to_dotted(&(m->u_t.tgt_ip)));
-		else
-			sprintf(buf, "%s", addr_to_anyname(&(m->u_t.tgt_ip)));
-		printf("--mangle-ip-d %s ", buf);
-	}
-	if (m->flags & ARPT_MANGLE_TDEV) {
-		printf("--mangle-mac-d ");
-		print_mac((unsigned char *)m->tgt_devaddr, 6);
-		printf(" ");
-	}
-	if (m->target != NF_ACCEPT) {
-		printf("--mangle-target ");
-		if (m->target == NF_DROP)
-			printf("DROP ");
-		else
-			printf("CONTINUE ");
-	}
-}
-
-static void mangle_save(const void *ip, const struct xt_entry_target *target)
-{
-}
-
-static struct xtables_target mangle_tg_reg = {
-	.family		= NFPROTO_ARP,
-	.name		= "mangle",
-	.version	= XTABLES_VERSION,
-	.size		= XT_ALIGN(sizeof(struct arpt_mangle)),
-	.userspacesize	= XT_ALIGN(sizeof(struct arpt_mangle)),
-	.help		= mangle_help,
-	.x6_parse	= mangle_parse,
-	.x6_fcheck	= mangle_fcheck,
-	.print		= mangle_print,
-	.save		= mangle_save,
-	.x6_options	= mangle_opts,
-};
-
-void _init(void)
-{
-	xtables_register_target(&mangle_tg_reg);
-}

extensions/libxt_set.c

@@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
 	case '2':
 		fprintf(stderr,
 			"--set option deprecated, please use --match-set\n");
+		/* fall through */
 	case '1':		/* --match-set <set> <flag>[,<flag> */
 		if (info->u.flags[0])
 			xtables_error(PARAMETER_PROBLEM,
@@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
 	case '2':
 		fprintf(stderr,
 			"--set option deprecated, please use --match-set\n");
+		/* fall through */
 	case '1':		/* --match-set <set> <flag>[,<flag> */
 		if (info->dim)
 			xtables_error(PARAMETER_PROBLEM,
@@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags,
 	case '2':
 		fprintf(stderr,
 			"--set option deprecated, please use --match-set\n");
+		/* fall through */
 	case '1':		/* --match-set <set> <flag>[,<flag> */
 		if (info->dim)
 			xtables_error(PARAMETER_PROBLEM,
@@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags,
 	case '2':
 		fprintf(stderr,
 			"--set option deprecated, please use --match-set\n");
+		/* fall through */
 	case '1':		/* --match-set <set> <flag>[,<flag> */
 		if (info->match_set.dim)
 			xtables_error(PARAMETER_PROBLEM,
@@ -583,6 +587,7 @@ set_parse_v4(int c, char **argv, int invert, unsigned int *flags,
 	case '2':
 		fprintf(stderr,
 			"--set option deprecated, please use --match-set\n");
+		/* fall through */
 	case '1':		/* --match-set <set> <flag>[,<flag> */
 		if (info->match_set.dim)
 			xtables_error(PARAMETER_PROBLEM,

extensions/libxt_set.h

@@ -8,12 +8,6 @@
 #include <errno.h>
 #include "../iptables/xshared.h"
 
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x , ## args)
-#else
-#define DEBUGP(x, args...) 
-#endif
-
 static int
 get_version(unsigned *version)
 {

extensions/libxt_string.c

@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info)
 	}
 
 	while (i < slen) {
+		if (sindex >= XT_STRING_MAX_PATTERN_SIZE)
+			xtables_error(PARAMETER_PROBLEM,
+				      "STRING too long \"%s\"", s);
 		if (s[i] == '\\' && !hex_f) {
 			literal_f = 1;
 		} else if (s[i] == '\\') {
@@ -159,8 +162,6 @@ parse_hex_string(const char *s, struct xt_string_info *info)
 			info->pattern[sindex] = s[i];
 			i++;
 		}
-		if (sindex > XT_STRING_MAX_PATTERN_SIZE)
-			xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
 		sindex++;
 	}
 	info->patlen = sindex;

extensions/libxt_time.c

@@ -88,10 +88,10 @@ static void time_init(struct xt_entry_match *m)
 	info->date_stop  = INT_MAX;
 }
 
-static time_t time_parse_date(const char *s, bool end)
+static time_t time_parse_date(const char *s)
 {
 	unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0;
-	unsigned int year  = end ? 2038 : 1970;
+	unsigned int year;
 	const char *os = s;
 	struct tm tm;
 	time_t ret;
@@ -265,10 +265,10 @@ static void time_parse(struct xt_option_call *cb)
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
 	case O_DATE_START:
-		info->date_start = time_parse_date(cb->arg, false);
+		info->date_start = time_parse_date(cb->arg);
 		break;
 	case O_DATE_STOP:
-		info->date_stop = time_parse_date(cb->arg, true);
+		info->date_stop = time_parse_date(cb->arg);
 		break;
 	case O_TIME_START:
 		info->daytime_start = time_parse_minutes(cb->arg);

extensions/libxt_u32.man

@@ -40,18 +40,23 @@ A is of type \fBchar *\fP, initially the address of the IP header
 B and C are unsigned 32 bit integers, initially zero
 .PP
 The instructions are:
-.IP
-number B = number;
+.TP
+.B number
+B = number;
 .IP
 C = (*(A+B)<<24) + (*(A+B+1)<<16) + (*(A+B+2)<<8) + *(A+B+3)
-.IP
-&number C = C & number
-.IP
-<< number C = C << number
-.IP
->> number C = C >> number
-.IP
-@number A = A + C; then do the instruction number
+.TP
+.B &number
+C = C & number
+.TP
+.B << number
+C = C << number
+.TP
+.B >> number
+C = C >> number
+.TP
+.B @number
+A = A + C; then do the instruction number
 .PP
 Any access of memory outside [skb\->data,skb\->end] causes the match to fail.
 Otherwise the result of the computation is the final value of C.

include/ebtables/ethernetdb.h

-/*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-*/
-
-/* All data returned by the network data base library are supplied in
-   host order and returned in network order (suitable for use in
-   system calls).  */
-
-#ifndef	_ETHERNETDB_H
-#define	_ETHERNETDB_H	1
-
-#include <features.h>
-#include <netinet/in.h>
-#include <stdint.h>
-
-/* Absolute file name for network data base files.  */
-#ifndef	_PATH_ETHERTYPES
-#define	_PATH_ETHERTYPES	"/etc/ethertypes"
-#endif				/* _PATH_ETHERTYPES */
-
-struct ethertypeent {
-	char *e_name;		/* Official ethernet type name.  */
-	char **e_aliases;	/* Alias list.  */
-	int e_ethertype;	/* Ethernet type number.  */
-};
-
-/* Open ethertype data base files and mark them as staying open even
-   after a later search if STAY_OPEN is non-zero.  */
-extern void setethertypeent(int __stay_open);
-
-/* Close ethertype data base files and clear `stay open' flag.  */
-extern void endethertypeent(void);
-
-/* Get next entry from ethertype data base file.  Open data base if
-   necessary.  */
-extern struct ethertypeent *getethertypeent(void);
-
-/* Return entry from ethertype data base for network with NAME.  */
-extern struct ethertypeent *getethertypebyname(__const char *__name);
-
-/* Return entry from ethertype data base which number is PROTO.  */
-extern struct ethertypeent *getethertypebynumber(int __ethertype);
-
-
-#endif				/* ethernetdb.h */

include/linux/netfilter/xt_cgroup.h

-#ifndef _XT_CGROUP_H
-#define _XT_CGROUP_H
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _UAPI_XT_CGROUP_H
+#define _UAPI_XT_CGROUP_H
 
 #include <linux/types.h>
 #include <linux/limits.h>
@@ -21,4 +22,20 @@ struct xt_cgroup_info_v1 {
 	void		*priv __attribute__((aligned(8)));
 };
 
-#endif /* _XT_CGROUP_H */
+#define XT_CGROUP_PATH_MAX	512
+
+struct xt_cgroup_info_v2 {
+	__u8		has_path;
+	__u8		has_classid;
+	__u8		invert_path;
+	__u8		invert_classid;
+	union {
+		char	path[XT_CGROUP_PATH_MAX];
+		__u32	classid;
+	};
+
+	/* kernel internal data */
+	void		*priv __attribute__((aligned(8)));
+};
+
+#endif /* _UAPI_XT_CGROUP_H */

include/xtables.h

@@ -521,6 +521,18 @@ extern void xtables_ip6parse_any(const char *, struct in6_addr **,
 extern void xtables_ip6parse_multiple(const char *, struct in6_addr **,
 	struct in6_addr **, unsigned int *);
 
+/* Absolute file name for network data base files.  */
+#define XT_PATH_ETHERTYPES     "/etc/ethertypes"
+
+struct xt_ethertypeent {
+	char *e_name;           /* Official ethernet type name.  */
+	char **e_aliases;       /* Alias list.  */
+	int e_ethertype;        /* Ethernet type number.  */
+};
+
+extern struct xt_ethertypeent *xtables_getethertypebyname(const char *name);
+extern struct xt_ethertypeent *xtables_getethertypebynumber(int ethertype);
+
 /**
  * Print the specified value to standard output, quoting dangerous
  * characters if required.
@@ -536,6 +548,8 @@ extern void xtables_save_string(const char *value);
 #define FMT_VIA			0x0040
 #define FMT_NONEWLINE		0x0080
 #define FMT_LINENUMBERS		0x0100
+#define FMT_EBT_SAVE		0x0200
+#define FMT_C_COUNTS		0x0400
 
 #define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
                         | FMT_NUMERIC | FMT_NOTABLE)

iptables/.gitignore

@@ -14,6 +14,8 @@
 /iptables-xml
 /iptables-xml.1
 /xtables-multi
+/xtables-legacy-multi
+/xtables-nft-multi
 /xtables-config-parser.c
 /xtables-config-parser.h
 /xtables-config-syntax.c

iptables/Makefile.am

@@ -43,7 +43,7 @@ xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \
 				nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
 				xtables-monitor.c \
 				xtables-arp-standalone.c xtables-arp.c \
-				getethertype.c nft-bridge.c \
+				nft-bridge.c \
 				xtables-eb-standalone.c xtables-eb.c \
 				xtables-eb-translate.c \
 				xtables-translate.c
@@ -80,7 +80,13 @@ x_sbin_links  = iptables-nft iptables-nft-restore iptables-nft-save \
 		ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
 		iptables-translate ip6tables-translate \
 		iptables-restore-translate ip6tables-restore-translate \
-		arptables ebtables xtables-monitor
+		arptables-nft arptables \
+		arptables-nft-restore arptables-restore \
+		arptables-nft-save arptables-save \
+		ebtables-nft ebtables \
+		ebtables-nft-restore ebtables-restore \
+		ebtables-nft-save ebtables-save \
+		xtables-monitor
 endif
 
 iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man

iptables/Makefile.in

@@ -159,9 +159,8 @@ am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \
 	xtables-save.c xtables-restore.c xtables-standalone.c \
 	xtables.c nft.c nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
 	xtables-monitor.c xtables-arp-standalone.c xtables-arp.c \
-	getethertype.c nft-bridge.c xtables-eb-standalone.c \
-	xtables-eb.c xtables-eb-translate.c xtables-translate.c \
-	xshared.c
+	nft-bridge.c xtables-eb-standalone.c xtables-eb.c \
+	xtables-eb-translate.c xtables-translate.c xshared.c
 @ENABLE_NFTABLES_TRUE@am_xtables_nft_multi_OBJECTS = xtables_nft_multi-xtables-nft-multi.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-iptables-xml.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-xtables-config-parser.$(OBJEXT) \
@@ -178,7 +177,6 @@ am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-xtables-monitor.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-xtables-arp-standalone.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-xtables-arp.$(OBJEXT) \
-@ENABLE_NFTABLES_TRUE@	xtables_nft_multi-getethertype.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-nft-bridge.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-xtables-eb-standalone.$(OBJEXT) \
 @ENABLE_NFTABLES_TRUE@	xtables_nft_multi-xtables-eb.$(OBJEXT) \
@@ -489,9 +487,8 @@ xtables_legacy_multi_LDADD = ../extensions/libext.a $(am__append_4) \
 @ENABLE_NFTABLES_TRUE@	xtables.c nft.c nft-shared.c nft-ipv4.c \
 @ENABLE_NFTABLES_TRUE@	nft-ipv6.c nft-arp.c xtables-monitor.c \
 @ENABLE_NFTABLES_TRUE@	xtables-arp-standalone.c xtables-arp.c \
-@ENABLE_NFTABLES_TRUE@	getethertype.c nft-bridge.c \
-@ENABLE_NFTABLES_TRUE@	xtables-eb-standalone.c xtables-eb.c \
-@ENABLE_NFTABLES_TRUE@	xtables-eb-translate.c \
+@ENABLE_NFTABLES_TRUE@	nft-bridge.c xtables-eb-standalone.c \
+@ENABLE_NFTABLES_TRUE@	xtables-eb.c xtables-eb-translate.c \
 @ENABLE_NFTABLES_TRUE@	xtables-translate.c xshared.c
 @ENABLE_NFTABLES_TRUE@xtables_nft_multi_CFLAGS = ${AM_CFLAGS} \
 @ENABLE_NFTABLES_TRUE@	$(am__append_9) -DENABLE_NFTABLES \
@@ -526,7 +523,13 @@ vx_bin_links = iptables-xml
 @ENABLE_NFTABLES_TRUE@		ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
 @ENABLE_NFTABLES_TRUE@		iptables-translate ip6tables-translate \
 @ENABLE_NFTABLES_TRUE@		iptables-restore-translate ip6tables-restore-translate \
-@ENABLE_NFTABLES_TRUE@		arptables ebtables xtables-monitor
+@ENABLE_NFTABLES_TRUE@		arptables-nft arptables \
+@ENABLE_NFTABLES_TRUE@		arptables-nft-restore arptables-restore \
+@ENABLE_NFTABLES_TRUE@		arptables-nft-save arptables-save \
+@ENABLE_NFTABLES_TRUE@		ebtables-nft ebtables \
+@ENABLE_NFTABLES_TRUE@		ebtables-nft-restore ebtables-restore \
+@ENABLE_NFTABLES_TRUE@		ebtables-nft-save ebtables-save \
+@ENABLE_NFTABLES_TRUE@		xtables-monitor
 
 pkgconfig_DATA = xtables.pc
 all: $(BUILT_SOURCES)
@@ -657,7 +660,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xshared.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-getethertype.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-arp.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po@am__quote@
@@ -1080,20 +1082,6 @@ xtables_nft_multi-xtables-arp.obj: xtables-arp.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-arp.obj `if test -f 'xtables-arp.c'; then $(CYGPATH_W) 'xtables-arp.c'; else $(CYGPATH_W) '$(srcdir)/xtables-arp.c'; fi`
 
-xtables_nft_multi-getethertype.o: getethertype.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-getethertype.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-getethertype.Tpo -c -o xtables_nft_multi-getethertype.o `test -f 'getethertype.c' || echo '$(srcdir)/'`getethertype.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-getethertype.Tpo $(DEPDIR)/xtables_nft_multi-getethertype.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='getethertype.c' object='xtables_nft_multi-getethertype.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-getethertype.o `test -f 'getethertype.c' || echo '$(srcdir)/'`getethertype.c
-
-xtables_nft_multi-getethertype.obj: getethertype.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-getethertype.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-getethertype.Tpo -c -o xtables_nft_multi-getethertype.obj `if test -f 'getethertype.c'; then $(CYGPATH_W) 'getethertype.c'; else $(CYGPATH_W) '$(srcdir)/getethertype.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-getethertype.Tpo $(DEPDIR)/xtables_nft_multi-getethertype.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='getethertype.c' object='xtables_nft_multi-getethertype.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-getethertype.obj `if test -f 'getethertype.c'; then $(CYGPATH_W) 'getethertype.c'; else $(CYGPATH_W) '$(srcdir)/getethertype.c'; fi`
-
 xtables_nft_multi-nft-bridge.o: nft-bridge.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-bridge.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo -c -o xtables_nft_multi-nft-bridge.o `test -f 'nft-bridge.c' || echo '$(srcdir)/'`nft-bridge.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo $(DEPDIR)/xtables_nft_multi-nft-bridge.Po

iptables/ip6tables-restore.c

@@ -20,12 +20,6 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables-multi.h"
 
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
 static int counters, verbose, noflush, wait;
 
 static struct timeval wait_interval = {
@@ -85,116 +79,12 @@ static struct xtc_handle *create_handle(const char *tablename)
 	return handle;
 }
 
-static int parse_counters(char *string, struct xt_counters *ctr)
-{
-	unsigned long long pcnt, bcnt;
-	int ret;
-
-	ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
-	ctr->pcnt = pcnt;
-	ctr->bcnt = bcnt;
-	return ret == 2;
-}
-
-/* global new argv and argc */
-static char *newargv[255];
-static int newargc;
-
-/* function adding one argument to newargv, updating newargc
- * returns true if argument added, false otherwise */
-static int add_argv(char *what) {
-	DEBUGP("add_argv: %s\n", what);
-	if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
-		newargv[newargc] = strdup(what);
-		newargv[++newargc] = NULL;
-		return 1;
-	} else {
-		xtables_error(PARAMETER_PROBLEM,
-			"Parser cannot handle more arguments\n");
-		return 0;
-	}
-}
-
-static void free_argv(void) {
-	int i;
-
-	for (i = 0; i < newargc; i++)
-		free(newargv[i]);
-}
-
-static void add_param_to_argv(char *parsestart)
-{
-	int quote_open = 0, escaped = 0, param_len = 0;
-	char param_buffer[1024], *curchar;
-
-	/* After fighting with strtok enough, here's now
-	 * a 'real' parser. According to Rusty I'm now no
-	 * longer a real hacker, but I can live with that */
-
-	for (curchar = parsestart; *curchar; curchar++) {
-		if (quote_open) {
-			if (escaped) {
-				param_buffer[param_len++] = *curchar;
-				escaped = 0;
-				continue;
-			} else if (*curchar == '\\') {
-				escaped = 1;
-				continue;
-			} else if (*curchar == '"') {
-				quote_open = 0;
-				*curchar = ' ';
-			} else {
-				param_buffer[param_len++] = *curchar;
-				continue;
-			}
-		} else {
-			if (*curchar == '"') {
-				quote_open = 1;
-				continue;
-			}
-		}
-
-		if (*curchar == ' '
-		    || *curchar == '\t'
-		    || * curchar == '\n') {
-			if (!param_len) {
-				/* two spaces? */
-				continue;
-			}
-
-			param_buffer[param_len] = '\0';
-
-			/* check if table name specified */
-			if ((param_buffer[0] == '-' &&
-			     param_buffer[1] != '-' &&
-			     strchr(param_buffer, 't')) ||
-			    (!strncmp(param_buffer, "--t", 3) &&
-			     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
-				xtables_error(PARAMETER_PROBLEM,
-				"The -t option (seen in line %u) cannot be "
-				"used in ip6tables-restore.\n", line);
-				exit(1);
-			}
-
-			add_argv(param_buffer);
-			param_len = 0;
-		} else {
-			/* regular character, copy to buffer */
-			param_buffer[param_len++] = *curchar;
-
-			if (param_len >= sizeof(param_buffer))
-				xtables_error(PARAMETER_PROBLEM,
-				   "Parameter too long!");
-		}
-	}
-}
-
 int ip6tables_restore_main(int argc, char *argv[])
 {
 	struct xtc_handle *handle = NULL;
 	char buffer[10240];
 	int c, lock;
-	char curtable[XT_TABLE_MAXNAMELEN + 1];
+	char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
 	FILE *in;
 	int in_table = 0, testing = 0;
 	const char *tablename = NULL;
@@ -325,8 +215,13 @@ int ip6tables_restore_main(int argc, char *argv[])
 			strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
 			curtable[XT_TABLE_MAXNAMELEN] = '\0';
 
-			if (tablename != NULL && strcmp(tablename, table) != 0)
+			if (tablename != NULL && strcmp(tablename, table) != 0) {
+				if (lock >= 0) {
+					xtables_unlock(lock);
+					lock = XT_LOCK_NOT_ACQUIRED;
+				}
 				continue;
+			}
 			if (handle)
 				ops->free(handle);
 
@@ -393,7 +288,7 @@ int ip6tables_restore_main(int argc, char *argv[])
 			}
 
 			if (strcmp(policy, "-") != 0) {
-				struct xt_counters count;
+				struct xt_counters count = {};
 
 				if (counters) {
 					char *ctrs;
@@ -403,9 +298,6 @@ int ip6tables_restore_main(int argc, char *argv[])
 						xtables_error(PARAMETER_PROBLEM,
 							  "invalid policy counters "
 							  "for chain '%s'\n", chain);
-
-				} else {
-					memset(&count, 0, sizeof(count));
 				}
 
 				DEBUGP("Setting policy of chain %s to %s\n",
@@ -424,17 +316,14 @@ int ip6tables_restore_main(int argc, char *argv[])
 
 		} else if (in_table) {
 			int a;
-			char *ptr = buffer;
 			char *pcnt = NULL;
 			char *bcnt = NULL;
 			char *parsestart;
 
-			/* reset the newargv */
-			newargc = 0;
-
 			if (buffer[0] == '[') {
 				/* we have counters in our input */
-				ptr = strchr(buffer, ']');
+				char *ptr = strchr(buffer, ']');
+
 				if (!ptr)
 					xtables_error(PARAMETER_PROBLEM,
 						   "Bad line %u: need ]\n",
@@ -459,17 +348,17 @@ int ip6tables_restore_main(int argc, char *argv[])
 				parsestart = buffer;
 			}
 
-			add_argv(argv[0]);
-			add_argv("-t");
-			add_argv(curtable);
+			add_argv(argv[0], 0);
+			add_argv("-t", 0);
+			add_argv(curtable, 0);
 
 			if (counters && pcnt && bcnt) {
-				add_argv("--set-counters");
-				add_argv((char *) pcnt);
-				add_argv((char *) bcnt);
+				add_argv("--set-counters", 0);
+				add_argv((char *) pcnt, 0);
+				add_argv((char *) bcnt, 0);
 			}
 
-			add_param_to_argv(parsestart);
+			add_param_to_argv(parsestart, line);
 
 			DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
 				newargc, curtable);

iptables/ip6tables.c

@@ -420,27 +420,6 @@ parse_chain(const char *chainname)
 				   "Invalid chain name `%s'", chainname);
 }
 
-static const char *
-parse_target(const char *targetname)
-{
-	const char *ptr;
-
-	if (strlen(targetname) < 1)
-		xtables_error(PARAMETER_PROBLEM,
-			   "Invalid target name (too short)");
-
-	if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN)
-		xtables_error(PARAMETER_PROBLEM,
-			   "Invalid target name `%s' (%u chars max)",
-			   targetname, XT_EXTENSION_MAXNAMELEN - 1);
-
-	for (ptr = targetname; *ptr; ptr++)
-		if (isspace(*ptr))
-			xtables_error(PARAMETER_PROBLEM,
-				   "Invalid target name `%s'", targetname);
-	return targetname;
-}
-
 static void
 set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
 	   int invert)
@@ -550,7 +529,6 @@ print_firewall(const struct ip6t_entry *fw,
 {
 	struct xtables_target *target, *tg;
 	const struct xt_entry_target *t;
-	char buf[BUFSIZ];
 
 	if (!ip6tc_is_chain(targname, handle))
 		target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -588,61 +566,10 @@ print_firewall(const struct ip6t_entry *fw,
 		fputc(' ', stdout);
 	}
 
-	if (format & FMT_VIA) {
-		char iface[IFNAMSIZ+2];
-
-		if (fw->ipv6.invflags & IP6T_INV_VIA_IN) {
-			iface[0] = '!';
-			iface[1] = '\0';
-		}
-		else iface[0] = '\0';
-
-		if (fw->ipv6.iniface[0] != '\0') {
-			strcat(iface, fw->ipv6.iniface);
-		}
-		else if (format & FMT_NUMERIC) strcat(iface, "*");
-		else strcat(iface, "any");
-		printf(FMT(" %-6s ","in %s "), iface);
-
-		if (fw->ipv6.invflags & IP6T_INV_VIA_OUT) {
-			iface[0] = '!';
-			iface[1] = '\0';
-		}
-		else iface[0] = '\0';
-
-		if (fw->ipv6.outiface[0] != '\0') {
-			strcat(iface, fw->ipv6.outiface);
-		}
-		else if (format & FMT_NUMERIC) strcat(iface, "*");
-		else strcat(iface, "any");
-		printf(FMT("%-6s ","out %s "), iface);
-	}
-
-	fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
-	if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any)
-	    && !(format & FMT_NUMERIC))
-		printf(FMT("%-19s ","%s "), "anywhere");
-	else {
-		if (format & FMT_NUMERIC)
-			strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src));
-		else
-			strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src));
-		strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk));
-		printf(FMT("%-19s ","%s "), buf);
-	}
+	print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface,
+		     fw->ipv6.invflags, format);
 
-	fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
-	if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any)
-	    && !(format & FMT_NUMERIC))
-		printf(FMT("%-19s ","-> %s"), "anywhere");
-	else {
-		if (format & FMT_NUMERIC)
-			strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst));
-		else
-			strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst));
-		strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk));
-		printf(FMT("%-19s ","-> %s"), buf);
-	}
+	print_ipv6_addresses(fw, format);
 
 	if (format & FMT_NOTABLE)
 		fputs("  ", stdout);
@@ -1273,85 +1200,13 @@ generate_entry(const struct ip6t_entry *fw,
 	return e;
 }
 
-static void command_jump(struct iptables_command_state *cs)
-{
-	size_t size;
-
-	set_option(&cs->options, OPT_JUMP, &cs->fw6.ipv6.invflags, cs->invert);
-	cs->jumpto = parse_target(optarg);
-	/* TRY_LOAD (may be chain name) */
-	cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
-
-	if (cs->target == NULL)
-		return;
-
-	size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
-
-	cs->target->t = xtables_calloc(1, size);
-	cs->target->t->u.target_size = size;
-	if (cs->target->real_name == NULL) {
-		strcpy(cs->target->t->u.user.name, cs->jumpto);
-	} else {
-		strcpy(cs->target->t->u.user.name, cs->target->real_name);
-		if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS))
-			fprintf(stderr, "Notice: The %s target is converted into %s target "
-			        "in rule listing and saving.\n",
-			        cs->jumpto, cs->target->real_name);
-	}
-	cs->target->t->u.user.revision = cs->target->revision;
-
-	xs_init_target(cs->target);
-	if (cs->target->x6_options != NULL)
-		opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
-					    cs->target->x6_options,
-					    &cs->target->option_offset);
-	else
-		opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
-					     cs->target->extra_opts,
-					     &cs->target->option_offset);
-	if (opts == NULL)
-		xtables_error(OTHER_PROBLEM, "can't alloc memory!");
-}
-
-static void command_match(struct iptables_command_state *cs)
-{
-	struct xtables_match *m;
-	size_t size;
-
-	if (cs->invert)
-		xtables_error(PARAMETER_PROBLEM,
-			   "unexpected ! flag before --match");
-
-	m = xtables_find_match(optarg, XTF_LOAD_MUST_SUCCEED, &cs->matches);
-	size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
-	m->m = xtables_calloc(1, size);
-	m->m->u.match_size = size;
-	if (m->real_name == NULL) {
-		strcpy(m->m->u.user.name, m->name);
-	} else {
-		strcpy(m->m->u.user.name, m->real_name);
-		if (!(m->ext_flags & XTABLES_EXT_ALIAS))
-			fprintf(stderr, "Notice: The %s match is converted into %s match "
-			        "in rule listing and saving.\n", m->name, m->real_name);
-	}
-	m->m->u.user.revision = m->revision;
-
-	xs_init_match(m);
-	if (m == m->next)
-		return;
-	/* Merge options for non-cloned matches */
-	if (m->x6_options != NULL)
-		opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
-					    m->x6_options, &m->option_offset);
-	else if (m->extra_opts != NULL)
-		opts = xtables_merge_options(ip6tables_globals.orig_opts, opts,
-					     m->extra_opts, &m->option_offset);
-}
-
 int do_command6(int argc, char *argv[], char **table,
 		struct xtc_handle **handle, bool restore)
 {
-	struct iptables_command_state cs;
+	struct iptables_command_state cs = {
+		.jumpto	= "",
+		.argv	= argv,
+	};
 	struct ip6t_entry *e = NULL;
 	unsigned int nsaddrs = 0, ndaddrs = 0;
 	struct in6_addr *saddrs = NULL, *daddrs = NULL;
@@ -1374,10 +1229,6 @@ int do_command6(int argc, char *argv[], char **table,
 	struct xtables_target *t;
 	unsigned long long cnt;
 
-	memset(&cs, 0, sizeof(cs));
-	cs.jumpto = "";
-	cs.argv = argv;
-
 	/* re-set optind to 0 in case do_command6 gets called
 	 * a second time */
 	optind = 0;
@@ -1583,11 +1434,13 @@ int do_command6(int argc, char *argv[], char **table,
 			set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
 					cs.invert);
 			cs.fw6.ipv6.flags |= IP6T_F_GOTO;
-			cs.jumpto = parse_target(optarg);
+			cs.jumpto = xt_parse_target(optarg);
 			break;
 #endif
 
 		case 'j':
+			set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags,
+					cs.invert);
 			command_jump(&cs);
 			break;
 

iptables/iptables-apply

@@ -123,7 +123,8 @@ done
 umask 0700
 
 TMPFILE=$(tempfile -p iptap)
-trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
+trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
+		      FPE USR1 SEGV USR2 PIPE ALRM TERM
 
 if ! "$SAVE" >"$TMPFILE"; then
 	if ! grep -q ipt /proc/modules 2>/dev/null; then
@@ -143,7 +144,7 @@ if ! "$RESTORE" <"$FILE"; then
 	echo "E: unknown error applying new iptables ruleset." >&2
 	exit 5
 else
-	echo done.
+	echo "done."
 fi
 
 echo -n "Can you establish NEW connections to the machine? (y/N) "
@@ -152,7 +153,7 @@ read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
 case "${ret:-}" in
 	(y*|Y*)
 		echo
-		echo ... then my job is done. See you next time.
+		echo "... then my job is done. See you next time."
 		;;
 	(*)
 		if [[ -z "${ret:-}" ]]; then
@@ -163,7 +164,7 @@ case "${ret:-}" in
 		echo "Timeout. Something happened (or did not). Better play it safe..."
 		echo -n "Reverting to old ruleset... "
 		"$RESTORE" <"$TMPFILE";
-		echo done.
+		echo "done."
 		exit 255
 		;;
 esac

iptables/iptables-restore.c

@@ -17,12 +17,6 @@
 #include "libiptc/libiptc.h"
 #include "iptables-multi.h"
 
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
 static int counters, verbose, noflush, wait;
 
 static struct timeval wait_interval = {
@@ -82,117 +76,13 @@ static struct xtc_handle *create_handle(const char *tablename)
 	return handle;
 }
 
-static int parse_counters(char *string, struct xt_counters *ctr)
-{
-	unsigned long long pcnt, bcnt;
-	int ret;
-
-	ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
-	ctr->pcnt = pcnt;
-	ctr->bcnt = bcnt;
-	return ret == 2;
-}
-
-/* global new argv and argc */
-static char *newargv[255];
-static int newargc;
-
-/* function adding one argument to newargv, updating newargc 
- * returns true if argument added, false otherwise */
-static int add_argv(char *what) {
-	DEBUGP("add_argv: %s\n", what);
-	if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
-		newargv[newargc] = strdup(what);
-		newargv[++newargc] = NULL;
-		return 1;
-	} else {
-		xtables_error(PARAMETER_PROBLEM,
-			"Parser cannot handle more arguments\n");
-		return 0;
-	}
-}
-
-static void free_argv(void) {
-	int i;
-
-	for (i = 0; i < newargc; i++)
-		free(newargv[i]);
-}
-
-static void add_param_to_argv(char *parsestart)
-{
-	int quote_open = 0, escaped = 0, param_len = 0;
-	char param_buffer[1024], *curchar;
-
-	/* After fighting with strtok enough, here's now
-	 * a 'real' parser. According to Rusty I'm now no
-	 * longer a real hacker, but I can live with that */
-
-	for (curchar = parsestart; *curchar; curchar++) {
-		if (quote_open) {
-			if (escaped) {
-				param_buffer[param_len++] = *curchar;
-				escaped = 0;
-				continue;
-			} else if (*curchar == '\\') {
-				escaped = 1;
-				continue;
-			} else if (*curchar == '"') {
-				quote_open = 0;
-				*curchar = ' ';
-			} else {
-				param_buffer[param_len++] = *curchar;
-				continue;
-			}
-		} else {
-			if (*curchar == '"') {
-				quote_open = 1;
-				continue;
-			}
-		}
-
-		if (*curchar == ' '
-		    || *curchar == '\t'
-		    || * curchar == '\n') {
-			if (!param_len) {
-				/* two spaces? */
-				continue;
-			}
-
-			param_buffer[param_len] = '\0';
-
-			/* check if table name specified */
-			if ((param_buffer[0] == '-' &&
-			     param_buffer[1] != '-' &&
-			     strchr(param_buffer, 't')) ||
-			    (!strncmp(param_buffer, "--t", 3) &&
-			     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
-				xtables_error(PARAMETER_PROBLEM,
-				"The -t option (seen in line %u) cannot be "
-				"used in iptables-restore.\n", line);
-				exit(1);
-			}
-
-			add_argv(param_buffer);
-			param_len = 0;
-		} else {
-			/* regular character, copy to buffer */
-			param_buffer[param_len++] = *curchar;
-
-			if (param_len >= sizeof(param_buffer))
-				xtables_error(PARAMETER_PROBLEM,
-				   "Parameter too long!");
-		}
-	}
-}
-
 int
 iptables_restore_main(int argc, char *argv[])
 {
 	struct xtc_handle *handle = NULL;
 	char buffer[10240];
 	int c, lock;
-	char curtable[XT_TABLE_MAXNAMELEN + 1];
+	char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
 	FILE *in;
 	int in_table = 0, testing = 0;
 	const char *tablename = NULL;
@@ -323,8 +213,13 @@ iptables_restore_main(int argc, char *argv[])
 			strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
 			curtable[XT_TABLE_MAXNAMELEN] = '\0';
 
-			if (tablename && (strcmp(tablename, table) != 0))
+			if (tablename && (strcmp(tablename, table) != 0)) {
+				if (lock >= 0) {
+					xtables_unlock(lock);
+					lock = XT_LOCK_NOT_ACQUIRED;
+				}
 				continue;
+			}
 			if (handle)
 				ops->free(handle);
 
@@ -391,7 +286,7 @@ iptables_restore_main(int argc, char *argv[])
 			}
 
 			if (strcmp(policy, "-") != 0) {
-				struct xt_counters count;
+				struct xt_counters count = {};
 
 				if (counters) {
 					char *ctrs;
@@ -401,9 +296,6 @@ iptables_restore_main(int argc, char *argv[])
 						xtables_error(PARAMETER_PROBLEM,
 							   "invalid policy counters "
 							   "for chain '%s'\n", chain);
-
-				} else {
-					memset(&count, 0, sizeof(count));
 				}
 
 				DEBUGP("Setting policy of chain %s to %s\n",
@@ -422,17 +314,14 @@ iptables_restore_main(int argc, char *argv[])
 
 		} else if (in_table) {
 			int a;
-			char *ptr = buffer;
 			char *pcnt = NULL;
 			char *bcnt = NULL;
 			char *parsestart;
 
-			/* reset the newargv */
-			newargc = 0;
-
 			if (buffer[0] == '[') {
 				/* we have counters in our input */
-				ptr = strchr(buffer, ']');
+				char *ptr = strchr(buffer, ']');
+
 				if (!ptr)
 					xtables_error(PARAMETER_PROBLEM,
 						   "Bad line %u: need ]\n",
@@ -457,17 +346,17 @@ iptables_restore_main(int argc, char *argv[])
 				parsestart = buffer;
 			}
 
-			add_argv(argv[0]);
-			add_argv("-t");
-			add_argv(curtable);
+			add_argv(argv[0], 0);
+			add_argv("-t", 0);
+			add_argv(curtable, 0);
 
 			if (counters && pcnt && bcnt) {
-				add_argv("--set-counters");
-				add_argv((char *) pcnt);
-				add_argv((char *) bcnt);
+				add_argv("--set-counters", 0);
+				add_argv((char *) pcnt, 0);
+				add_argv((char *) bcnt, 0);
 			}
 
-			add_param_to_argv(parsestart);
+			add_param_to_argv(parsestart, line);
 
 			DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
 				newargc, curtable);

iptables/iptables-xml.c

@@ -16,12 +16,7 @@
 #include "libiptc/libiptc.h"
 #include "xtables-multi.h"
 #include <xtables.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
+#include "xshared.h"
 
 struct xtables_globals iptables_xml_globals = {
 	.option_offset = 0,
@@ -55,32 +50,6 @@ print_usage(const char *name, const char *version)
 	exit(1);
 }
 
-static int
-parse_counters(char *string, struct xt_counters *ctr)
-{
-	__u64 *pcnt, *bcnt;
-
-	if (string != NULL) {
-		pcnt = &ctr->pcnt;
-		bcnt = &ctr->bcnt;
-		return (sscanf
-			(string, "[%llu:%llu]",
-			 (unsigned long long *)pcnt,
-			 (unsigned long long *)bcnt) == 2);
-	} else
-		return (0 == 2);
-}
-
-/* global new argv and argc */
-static char *newargv[255];
-static unsigned int newargc;
-
-static char *oldargv[255];
-static unsigned int oldargc;
-
-/* arg meta data, were they quoted, frinstance */
-static int newargvattr[255];
-
 #define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN
 static char closeActionTag[XT_TABLE_MAXNAMELEN + 1];
 static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1];
@@ -98,57 +67,6 @@ struct chain {
 static struct chain chains[maxChains];
 static int nextChain;
 
-/* funCtion adding one argument to newargv, updating newargc 
- * returns true if argument added, false otherwise */
-static int
-add_argv(char *what, int quoted)
-{
-	DEBUGP("add_argv: %d %s\n", newargc, what);
-	if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
-		newargv[newargc] = strdup(what);
-		newargvattr[newargc] = quoted;
-		newargc++;
-		return 1;
-	} else
-		return 0;
-}
-
-static void
-free_argv(void)
-{
-	unsigned int i;
-
-	for (i = 0; i < newargc; i++) {
-		free(newargv[i]);
-		newargv[i] = NULL;
-	}
-	newargc = 0;
-
-	for (i = 0; i < oldargc; i++) {
-		free(oldargv[i]);
-		oldargv[i] = NULL;
-	}
-	oldargc = 0;
-}
-
-/* Save parsed rule for comparison with next rule to perform action aggregation
- * on duplicate conditions.
- */
-static void
-save_argv(void)
-{
-	unsigned int i;
-
-	for (i = 0; i < oldargc; i++)
-		free(oldargv[i]);
-	oldargc = newargc;
-	newargc = 0;
-	for (i = 0; i < oldargc; i++) {
-		oldargv[i] = newargv[i];
-		newargv[i] = NULL;
-	}
-}
-
 /* like puts but with xml encoding */
 static void
 xmlEncode(char *text)
@@ -730,7 +648,6 @@ iptables_xml_main(int argc, char *argv[])
 			ret = 1;
 		} else if (curTable[0]) {
 			unsigned int a;
-			char *ptr = buffer;
 			char *pcnt = NULL;
 			char *bcnt = NULL;
 			char *parsestart;
@@ -741,12 +658,10 @@ iptables_xml_main(int argc, char *argv[])
 			int quote_open, quoted;
 			char param_buffer[1024];
 
-			/* reset the newargv */
-			newargc = 0;
-
 			if (buffer[0] == '[') {
 				/* we have counters in our input */
-				ptr = strchr(buffer, ']');
+				char *ptr = strchr(buffer, ']');
+
 				if (!ptr)
 					xtables_error(PARAMETER_PROBLEM,
 						   "Bad line %u: need ]\n",