New upstream version 1.8.3

89c92f0c · Arturo Borrero Gonzalez · 0309474b · 89c92f0c · 89c92f0c · 89c92f0c
Commit 89c92f0c authored May 28, 2019 by Arturo Borrero Gonzalez
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -9,6 +9,7 @@
 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
 */

+#define _GNU_SOURCE
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
@@ -403,26 +404,24 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
 		case IPPROTO_UDP:
 			if (len < 4)
 				break;
-			printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+			printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
 			break;
 		case IPPROTO_TCP:
 			if (len < sizeof(*tcph))
 				break;
-			printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
-			if (tcph->th_flags & (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)) {
-				if (tcph->th_flags & TH_SYN)
+			printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
+			if (tcph->syn)
 				printf("SYN ");
-				if (tcph->th_flags & TH_ACK)
+			if (tcph->ack)
 				printf("ACK ");
-				if (tcph->th_flags & TH_FIN)
+			if (tcph->fin)
 				printf("FIN ");
-				if (tcph->th_flags & TH_RST)
+			if (tcph->rst)
 				printf("RST ");
-				if (tcph->th_flags & TH_PUSH)
+			if (tcph->psh)
 				printf("PSH ");
-				if (tcph->th_flags & TH_URG)
+			if (tcph->urg)
 				printf("URG ");
-			}
 			break;
 		default:
 			break;

--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -19,7 +19,7 @@
 #include "nft-bridge.h"
 #include <libnftnl/chain.h>

-static int counters, verbose, noflush;
+static int counters, verbose;

 /* Keeping track of external matches and targets.  */
 static const struct option options[] = {
@@ -56,43 +56,27 @@ static void print_usage(const char *name, const char *version)
 			"	   [ --ipv6 ]\n", name);
 }

-static struct nftnl_chain_list *get_chain_list(struct nft_handle *h)
+static struct nftnl_chain_list *get_chain_list(struct nft_handle *h,
+					       const char *table)
 {
 	struct nftnl_chain_list *chain_list;

-	chain_list = nft_chain_list_get(h);
+	chain_list = nft_chain_list_get(h, table);
 	if (chain_list == NULL)
 		xtables_error(OTHER_PROBLEM, "cannot retrieve chain list\n");

 	return chain_list;
 }

-static void chain_delete(struct nftnl_chain_list *clist, const char *curtable,
-			 const char *chain)
-{
-	struct nftnl_chain *chain_obj;
-
-	chain_obj = nft_chain_list_find(clist, curtable, chain);
-	/* This chain has been found, delete from list. Later
-	 * on, unvisited chains will be purged out.
-	 */
-	if (chain_obj != NULL) {
-		nftnl_chain_list_del(chain_obj);
-		nftnl_chain_free(chain_obj);
-	}
-}
-
 struct nft_xt_restore_cb restore_cb = {
 	.chain_list	= get_chain_list,
 	.commit		= nft_commit,
 	.abort		= nft_abort,
 	.table_new	= nft_table_new,
 	.table_flush	= nft_table_flush,
-	.chain_user_flush = nft_chain_user_flush,
-	.chain_del	= chain_delete,
 	.do_command	= do_commandx,
 	.chain_set	= nft_chain_set,
-	.chain_user_add	= nft_chain_user_add,
+	.chain_restore  = nft_chain_restore,
 };

 static const struct xtc_ops xtc_ops = {
@@ -104,17 +88,13 @@ void xtables_restore_parse(struct nft_handle *h,
 			   struct nft_xt_restore_cb *cb,
 			   int argc, char *argv[])
 {
+	const struct builtin_table *curtable = NULL;
 	char buffer[10240];
 	int in_table = 0;
-	struct builtin_table *curtable = NULL;
 	const struct xtc_ops *ops = &xtc_ops;
-	struct nftnl_chain_list *chain_list = NULL;

 	line = 0;

-	if (cb->chain_list)
-		chain_list = cb->chain_list(h);
-
 	/* Grab standard input. */
 	while (fgets(buffer, sizeof(buffer), p->in)) {
 		int ret = 0;
@@ -165,7 +145,9 @@ void xtables_restore_parse(struct nft_handle *h,
 			if (p->tablename && (strcmp(p->tablename, table) != 0))
 				continue;

-			if (noflush == 0) {
+			nft_build_cache(h);
+
+			if (h->noflush == 0) {
 				DEBUGP("Cleaning all chains of table '%s'\n",
 					table);
 				if (cb->table_flush)
@@ -182,7 +164,6 @@ void xtables_restore_parse(struct nft_handle *h,
 			/* New chain. */
 			char *policy, *chain = NULL;
 			struct xt_counters count = {};
-			bool chain_exists = false;

 			chain = strtok(buffer+1, " \t\n");
 			DEBUGP("line %u, chain '%s'\n", line, chain);
@@ -193,22 +174,6 @@ void xtables_restore_parse(struct nft_handle *h,
 				exit(1);
 			}

-			if (noflush == 0) {
-				if (cb->chain_del)
-					cb->chain_del(chain_list, curtable->name,
-						      chain);
-			} else if (nft_chain_list_find(chain_list,
-						       curtable->name, chain)) {
-				chain_exists = true;
-				/* Apparently -n still flushes existing user
-				 * defined chains that are redefined. Otherwise,
-				 * leave them as is.
-				 */
-				if (cb->chain_user_flush)
-					cb->chain_user_flush(h, chain_list,
-							     curtable->name, chain);
-			}
-
 			if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 				xtables_error(PARAMETER_PROBLEM,
 					   "Invalid chain name `%s' "
@@ -246,24 +211,22 @@ void xtables_restore_parse(struct nft_handle *h,
 				}
 				DEBUGP("Setting policy of chain %s to %s\n",
 				       chain, policy);
-				ret = 1;
-
-			} else {
-				if (!chain_exists &&
-				    cb->chain_user_add &&
-				    cb->chain_user_add(h, chain,
-						       curtable->name) < 0) {
-					if (errno == EEXIST)
-						continue;
-
+			} else if (cb->chain_restore(h, chain, curtable->name) < 0 &&
+				   errno != EEXIST) {
 				xtables_error(PARAMETER_PROBLEM,
 					      "cannot create chain "
 					      "'%s' (%s)\n", chain,
 					      strerror(errno));
+			} else if (h->family == NFPROTO_BRIDGE &&
+				   !ebt_set_user_chain_policy(h, curtable->name,
+							      chain, policy)) {
+				xtables_error(OTHER_PROBLEM,
+					      "Can't set policy `%s'"
+					      " on `%s' line %u: %s\n",
+					      policy, chain, line,
+					      ops->strerror(errno));
 			}
-				continue;
-			}
-
+			ret = 1;
 		} else if (in_table) {
 			int a;
 			char *pcnt = NULL;
@@ -359,7 +322,7 @@ void xtables_restore_parse(struct nft_handle *h,
 static int
 xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 {
-	struct builtin_table *tables;
+	const struct builtin_table *tables;
 	struct nft_handle h = {
 		.family = family,
 		.restore = true,
@@ -402,7 +365,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 					    IPTABLES_VERSION);
 				exit(0);
 			case 'n':
-				noflush = 1;
+				h.noflush = 1;
 				break;
 			case 'M':
 				xtables_modprobe_program = optarg;
@@ -490,16 +453,21 @@ int xtables_ip6_restore_main(int argc, char *argv[])
 				    argc, argv);
 }

+static int ebt_table_flush(struct nft_handle *h, const char *table)
+{
+	/* drop any pending policy rule add/removal jobs */
+	nft_abort_policy_rule(h, table);
+	return nft_table_flush(h, table);
+}
+
 struct nft_xt_restore_cb ebt_restore_cb = {
 	.chain_list	= get_chain_list,
 	.commit		= nft_commit,
 	.table_new	= nft_table_new,
-	.table_flush	= nft_table_flush,
-	.chain_user_flush = nft_chain_user_flush,
-	.chain_del	= chain_delete,
+	.table_flush	= ebt_table_flush,
 	.do_command	= do_commandeb,
 	.chain_set	= nft_chain_set,
-	.chain_user_add	= nft_chain_user_add,
+	.chain_restore  = nft_chain_restore,
 };

 static const struct option ebt_restore_options[] = {
@@ -512,6 +480,7 @@ int xtables_eb_restore_main(int argc, char *argv[])
 	struct nft_xt_restore_parse p = {
 		.in = stdin,
 	};
+	bool noflush = false;
 	struct nft_handle h;
 	int c;

@@ -530,6 +499,7 @@ int xtables_eb_restore_main(int argc, char *argv[])
 	}

 	nft_init_eb(&h, "ebtables-restore");
+	h.noflush = noflush;
 	xtables_restore_parse(&h, &p, &ebt_restore_cb, argc, argv);
 	nft_fini(&h);

@@ -541,11 +511,9 @@ struct nft_xt_restore_cb arp_restore_cb = {
 	.commit		= nft_commit,
 	.table_new	= nft_table_new,
 	.table_flush	= nft_table_flush,
-	.chain_user_flush = nft_chain_user_flush,
-	.chain_del	= chain_delete,
 	.do_command	= do_commandarp,
 	.chain_set	= nft_chain_set,
-	.chain_user_add	= nft_chain_user_add,
+	.chain_restore  = nft_chain_restore,
 };

 int xtables_arp_restore_main(int argc, char *argv[])

--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -73,7 +73,9 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters)
 		return 0;
 	}

-	chain_list = nft_chain_list_get(h);
+	chain_list = nft_chain_list_get(h, tablename);
+	if (!chain_list)
+		return 0;

 	time_t now = time(NULL);

@@ -83,7 +85,7 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters)

 	/* Dump out chain names first,
 	 * thereby preventing dependency conflicts */
-	nft_chain_save(h, chain_list, tablename);
+	nft_chain_save(h, chain_list);
 	nft_rule_save(h, tablename, counters ? 0 : FMT_NOCOUNTS);

 	now = time(NULL);
@@ -103,8 +105,9 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
 		return !!ret;
 	}

-	if (!nft_table_find(h, tablename)) {
-		printf("Table `%s' does not exist\n", tablename);
+	if (!nft_table_find(h, tablename) &&
+	    !nft_table_builtin_find(h, tablename)) {
+		fprintf(stderr, "Table `%s' does not exist\n", tablename);
 		return 1;
 	}

@@ -120,7 +123,7 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
 static int
 xtables_save_main(int family, const char *progname, int argc, char *argv[])
 {
-	struct builtin_table *tables;
+	const struct builtin_table *tables;
 	const char *tablename = NULL;
 	bool dump = false;
 	struct nft_handle h = {
@@ -184,7 +187,8 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 			exit(0);
 		default:
 			fprintf(stderr,
-				"Look at manual page `xtables-save.8' for more information.\n");
+				"Look at manual page `%s.8' for more information.\n",
+				prog_name);
 			exit(1);
 		}
 	}
@@ -257,7 +261,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters
 		return 0;
 	}

-	chain_list = nft_chain_list_get(h);
+	chain_list = nft_chain_list_get(h, tablename);

 	if (first) {
 		now = time(NULL);
@@ -272,7 +276,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters

 	/* Dump out chain names first,
 	 * thereby preventing dependency conflicts */
-	nft_chain_save(h, chain_list, tablename);
+	nft_chain_save(h, chain_list);
 	nft_rule_save(h, tablename, format);
 	printf("\n");
 	return 0;
@@ -330,7 +334,8 @@ int xtables_eb_save_main(int argc_, char *argv_[])
 			exit(0);
 		default:
 			fprintf(stderr,
-				"Look at manual page `xtables-save.8' for more information.\n");
+				"Look at manual page `%s.8' for more information.\n",
+				prog_name);
 			exit(1);
 		}
 	}
@@ -377,7 +382,8 @@ int xtables_arp_save_main(int argc, char **argv)
 			exit(0);
 		default:
 			fprintf(stderr,
-				"Look at manual page `xtables-save.8' for more information.\n");
+				"Look at manual page `%s.8' for more information.\n",
+				prog_name);
 			exit(1);
 		}
 	}
@@ -399,7 +405,7 @@ int xtables_arp_save_main(int argc, char **argv)
 	}

 	printf("*filter\n");
-	nft_chain_save(&h, nft_chain_list_get(&h), "filter");
+	nft_chain_save(&h, nft_chain_list_get(&h, "filter"));
 	nft_rule_save(&h, "filter", show_counters ? 0 : FMT_NOCOUNTS);
 	printf("\n");
 	nft_fini(&h);

--- a/iptables/xtables-translate.8
+++ b/iptables/xtables-translate.8
@@ -22,11 +22,12 @@
 .\" <http://www.gnu.org/licenses/>.
 .\" %%%LICENSE_END
 .\"
-.TH XTABLES-TRANSLATE 8 "Mar 16, 2018"
+.TH IPTABLES-TRANSLATE 8 "May 14, 2019"

 .SH NAME
-xtables-translate \- translation tools to migrate from iptables to nftables
-
+iptables-translate \(em translation tool to migrate from iptables to nftables
+.P
+ip6tables-translate \(em translation tool to migrate from ip6tables to nftables
 .SH DESCRIPTION
 There is a set of tools to help the system administrator translate a given
 ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP.
@@ -123,7 +124,7 @@ To get up-to-date information about this, please head to
 \fBhttps://wiki.nftables.org/\fP.

 .SH SEE ALSO
-\fBnft(8)\fP, \fBxtables-compat(8)\fP
+\fBnft(8)\fP, \fBiptables(8)\fP

 .SH AUTHORS
 The nftables framework is written by the Netfilter project

--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -329,7 +329,7 @@ static const struct option options[] = {
 	{ NULL },
 };

-static int xlate_chain_user_add(struct nft_handle *h, const char *chain,
+static int xlate_chain_user_restore(struct nft_handle *h, const char *chain,
 				    const char *table)
 {
 	printf("add chain %s %s %s\n", family2str[h->family], table, chain);
@@ -416,7 +416,7 @@ static int dummy_compat_rev(const char *name, uint8_t rev, int opt)
 static struct nft_xt_restore_cb cb_xlate = {
 	.table_new	= xlate_table_new,
 	.chain_set	= xlate_chain_set,
-	.chain_user_add	= xlate_chain_user_add,
+	.chain_restore	= xlate_chain_user_restore,
 	.do_command	= do_command_xlate,
 	.commit		= commit,
 	.abort		= commit,
@@ -426,7 +426,7 @@ static int xtables_xlate_main_common(struct nft_handle *h,
 				     int family,
 				     const char *progname)
 {
-	struct builtin_table *tables;
+	const struct builtin_table *tables;
 	int ret;

 	xtables_globals.program_name = progname;

--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -406,7 +406,7 @@ add_entry(const char *chain,

 				if (append) {
 					ret = nft_rule_append(h, chain, table,
-							      cs, 0,
+							      cs, NULL,
 							      verbose);
 				} else {
 					ret = nft_rule_insert(h, chain, table,
@@ -426,7 +426,7 @@ add_entry(const char *chain,
 				       &d.mask.v6[j], sizeof(struct in6_addr));
 				if (append) {
 					ret = nft_rule_append(h, chain, table,
-							      cs, 0,
+							      cs, NULL,
 							      verbose);
 				} else {
 					ret = nft_rule_insert(h, chain, table,
@@ -820,7 +820,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 		case 'j':
 			set_option(&cs->options, OPT_JUMP, &cs->fw.ip.invflags,
 				   cs->invert);
-			command_jump(cs);
+			command_jump(cs, optarg);
 			break;


@@ -1064,18 +1064,11 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 					   p->chain);
 		}

-		if (!p->xlate && !nft_chain_exists(h, p->table, p->chain))
-			xtables_error(OTHER_PROBLEM,
-				      "Chain '%s' does not exist", p->chain);
-
 		if (!p->xlate && !cs->target && strlen(cs->jumpto) > 0 &&
 		    !nft_chain_exists(h, p->table, cs->jumpto))
 			xtables_error(PARAMETER_PROBLEM,
 				      "Chain '%s' does not exist", cs->jumpto);
 	}
-	if (!p->xlate && p->command == CMD_NEW_CHAIN &&
-	    nft_chain_exists(h, p->table, p->chain))
-		xtables_error(OTHER_PROBLEM, "Chain already exists");
 }

 int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
@@ -1189,8 +1182,10 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 	*table = p.table;

 	xtables_rule_matches_free(&cs.matches);
-	if (cs.target)
+	if (cs.target) {
 		free(cs.target->t);
+		cs.target->t = NULL;
+	}

 	if (h->family == AF_INET) {
 		free(args.s.addr.v4);

--- a/libiptc/Makefile.am
+++ b/libiptc/Makefile.am
@@ -10,6 +10,6 @@ libiptc_la_SOURCES  =
 libiptc_la_LIBADD   = libip4tc.la libip6tc.la
 libiptc_la_LDFLAGS  = -version-info 0:0:0 ${libiptc_LDFLAGS2}
 libip4tc_la_SOURCES = libip4tc.c
-libip4tc_la_LDFLAGS = -version-info 1:0:1
+libip4tc_la_LDFLAGS = -version-info 2:0:0
 libip6tc_la_SOURCES = libip6tc.c
-libip6tc_la_LDFLAGS = -version-info 1:0:1 ${libiptc_LDFLAGS2}
+libip6tc_la_LDFLAGS = -version-info 2:0:0 ${libiptc_LDFLAGS2}
--- a/libiptc/Makefile.in
+++ b/libiptc/Makefile.in
@@ -380,9 +380,9 @@ libiptc_la_SOURCES =
 libiptc_la_LIBADD = libip4tc.la libip6tc.la
 libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
 libip4tc_la_SOURCES = libip4tc.c
-libip4tc_la_LDFLAGS = -version-info 1:0:1
+libip4tc_la_LDFLAGS = -version-info 2:0:0
 libip6tc_la_SOURCES = libip6tc.c
-libip6tc_la_LDFLAGS = -version-info 1:0:1 ${libiptc_LDFLAGS2}
+libip6tc_la_LDFLAGS = -version-info 2:0:0 ${libiptc_LDFLAGS2}
 all: all-am

 .SUFFIXES:

--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -2751,11 +2751,15 @@ TC_STRERROR(int err)

 const struct xtc_ops TC_OPS = {
 	.commit        = TC_COMMIT,
+	.init          = TC_INIT,
 	.free          = TC_FREE,
 	.builtin       = TC_BUILTIN,
 	.is_chain      = TC_IS_CHAIN,
 	.flush_entries = TC_FLUSH_ENTRIES,
 	.create_chain  = TC_CREATE_CHAIN,
+	.first_chain   = TC_FIRST_CHAIN,
+	.next_chain    = TC_NEXT_CHAIN,
+	.get_policy    = TC_GET_POLICY,
 	.set_policy    = TC_SET_POLICY,
 	.strerror      = TC_STRERROR,
 };
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -756,8 +756,24 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 	}

 	for (ptr = xtables_targets; ptr; ptr = ptr->next) {
-		if (extension_cmp(name, ptr->name, ptr->family))
+		if (extension_cmp(name, ptr->name, ptr->family)) {
+			struct xtables_target *clone;
+
+			/* First target of this type: */
+			if (ptr->t == NULL)
 				break;
+
+			/* Second and subsequent clones */
+			clone = xtables_malloc(sizeof(struct xtables_target));
+			memcpy(clone, ptr, sizeof(struct xtables_target));
+			clone->udata = NULL;
+			clone->tflags = 0;
+			/* This is a clone: */
+			clone->next = clone;
+
+			ptr = clone;
+			break;
+		}
 	}

 #ifndef NO_SHARED_LIBS

--- a/release.sh
+++ b/release.sh
-#! /bin/sh
-#
-set -e
-
-VERSION=1.4.7
-PREV_VERSION=1.4.6
-TMPDIR=/tmp/ipt-release
-IPTDIR="$TMPDIR/iptables-$VERSION"
-
-PATCH="patch-iptables-$PREV_VERSION-$VERSION.bz2";
-TARBALL="iptables-$VERSION.tar.bz2";
-CHANGELOG="changes-iptables-$PREV_VERSION-$VERSION.txt";
-
-mkdir -p "$TMPDIR"
-git shortlog "v$PREV_VERSION..v$VERSION" > "$TMPDIR/$CHANGELOG"
-git diff "v$PREV_VERSION..v$VERSION" | bzip2 > "$TMPDIR/$PATCH"
-git archive --prefix="iptables-$VERSION/" "v$VERSION" | tar -xC "$TMPDIR/"
-
-cd "$IPTDIR" && {
-	sh autogen.sh
-	cd ..
-}
-
-tar -cjf "$TARBALL" "iptables-$VERSION";
-gpg -u "Netfilter Core Team" -sb "$TARBALL";
-md5sum "$TARBALL" >"$TARBALL.md5sum";
-sha1sum "$TARBALL" >"$TARBALL.sha1sum";
-
-gpg -u "Netfilter Core Team" -sb "$PATCH";
-md5sum "$PATCH" >"$PATCH.md5sum";
-sha1sum "$PATCH" >"$PATCH.sha1sum";
--- a/utils/.gitignore
+++ b/utils/.gitignore
 /nfnl_osf
 /nfnl_osf.8
 /nfbpf_compile
+/nfbpf_compile.8
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -17,6 +17,7 @@ nfnl_osf_LDADD = ${libnfnetlink_LIBS}
 endif

 if ENABLE_BPFC
+man_MANS += nfbpf_compile.8
 sbin_PROGRAMS += nfbpf_compile
 nfbpf_compile_LDADD = -lpcap
 endif
@@ -26,4 +27,4 @@ sbin_PROGRAMS += nfsynproxy
 nfsynproxy_LDADD = -lpcap
 endif

-CLEANFILES = nfnl_osf.8
+CLEANFILES = nfnl_osf.8 nfbpf_compile.8
--- a/utils/Makefile.in
+++ b/utils/Makefile.in
@@ -94,8 +94,9 @@ sbin_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) $(am__EXEEXT_3)
 @HAVE_LIBNFNETLINK_TRUE@am__append_1 = nfnl_osf.8
 @HAVE_LIBNFNETLINK_TRUE@am__append_2 = nfnl_osf
 @HAVE_LIBNFNETLINK_TRUE@am__append_3 = pf.os
-@ENABLE_BPFC_TRUE@am__append_4 = nfbpf_compile
-@ENABLE_SYNCONF_TRUE@am__append_5 = nfsynproxy
+@ENABLE_BPFC_TRUE@am__append_4 = nfbpf_compile.8
+@ENABLE_BPFC_TRUE@am__append_5 = nfbpf_compile
+@ENABLE_SYNCONF_TRUE@am__append_6 = nfsynproxy
 subdir = utils
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
@@ -107,7 +108,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES = nfnl_osf.8
+CONFIG_CLEAN_FILES = nfnl_osf.8 nfbpf_compile.8
 CONFIG_CLEAN_VPATH_FILES =
 @HAVE_LIBNFNETLINK_TRUE@am__EXEEXT_1 = nfnl_osf$(EXEEXT)
 @ENABLE_BPFC_TRUE@am__EXEEXT_2 = nfbpf_compile$(EXEEXT)
@@ -220,8 +221,8 @@ am__define_uniq_tagged_files = \
  done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/nfnl_osf.8.in \
-	$(top_srcdir)/build-aux/depcomp
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/nfbpf_compile.8.in \
+	$(srcdir)/nfnl_osf.8.in $(top_srcdir)/build-aux/depcomp
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 pkgdatadir = @pkgdatadir@
 ACLOCAL = @ACLOCAL@
@@ -379,11 +380,11 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
              -I${top_srcdir}/include ${libnfnetlink_CFLAGS}

 pkgdata_DATA = $(am__append_3)
-man_MANS = $(am__append_1)
+man_MANS = $(am__append_1) $(am__append_4)
 @HAVE_LIBNFNETLINK_TRUE@nfnl_osf_LDADD = ${libnfnetlink_LIBS}
 @ENABLE_BPFC_TRUE@nfbpf_compile_LDADD = -lpcap
 @ENABLE_SYNCONF_TRUE@nfsynproxy_LDADD = -lpcap
-CLEANFILES = nfnl_osf.8
+CLEANFILES = nfnl_osf.8 nfbpf_compile.8
 all: all-am

 .SUFFIXES:
@@ -419,6 +420,8 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 $(am__aclocal_m4_deps):
 nfnl_osf.8: $(top_builddir)/config.status $(srcdir)/nfnl_osf.8.in
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+nfbpf_compile.8: $(top_builddir)/config.status $(srcdir)/nfbpf_compile.8.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 install-sbinPROGRAMS: $(sbin_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \

--- a/utils/nfbpf_compile.8.in
+++ b/utils/nfbpf_compile.8.in
+.TH NFBPF_COMPILE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
+
+.SH NAME
+nfbpf_compile \- generate bytecode for use with xt_bpf
+.SH SYNOPSIS
+
+.ad l
+.in +8
+.ti -8
+.B nfbpf_compile
+[
+.I LLTYPE
+]
+.I PROGRAM
+
+.ti -8
+.I LLTYPE
+:= {
+.BR EN10MB " | " RAW " | " SLIP " | "
+.I ...
+}
+
+.SH DESCRIPTION
+The
+.B nfbpf_compile
+utility aids in generating BPF byte code suitable for passing to
+the iptables
+.B bpf
+match.
+
+.SH OPTIONS
+
+.TP
+.I LLTYPE
+Link-layer header type to operate on. This is a name as defined in
+.RB < pcap/dlt.h >
+but with the leading
+.B DLT_
+prefix stripped. For use with iptables,
+.B RAW
+should be the right choice (it's also the default if not specified).
+
+.TP
+.I PROGRAM
+The BPF expression to compile, see
+.BR pcap-filter (7)
+for a description of the language.
+
+.SH EXIT STATUS
+The program returns 0 on success, 1 otherwise.
+
+.SH EXAMPLE
+Match incoming TCP packets with size bigger than 100 bytes:
+.P
+.in +8
+.EE
+bpf=$(nfbpf_compile 'tcp and greater 100')
+.br
+iptables -A INPUT -m bpf --bytecode "$bpf" -j ACCEPT
+.RE
+.P
+The description of
+.B bpf
+match in
+.BR iptables-extensions (8)
+lists a few more examples.
+
+.SH SEE ALSO
+.BR iptables-extensions (8),
+.BR pcap-filter (7)
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -8,6 +8,7 @@ import argparse
 from subprocess import Popen, PIPE

 keywords = ("iptables-translate", "ip6tables-translate", "ebtables-translate")
+xtables_nft_multi = 'xtables-nft-multi'

 if sys.stdout.isatty():
    colors = {"magenta": "\033[95m", "green": "\033[92m", "yellow": "\033[93m",
@@ -33,6 +34,7 @@ def green(string):


 def run_test(name, payload):
+    global xtables_nft_multi
    test_passed = True
    tests = passed = failed = errors = 0
    result = []
@@ -40,7 +42,7 @@ def run_test(name, payload):
    for line in payload:
        if line.startswith(keywords):
            tests += 1
-            process = Popen([ os.path.abspath(os.path.curdir) + "/iptables/xtables-nft-multi" ] + shlex.split(line), stdout=PIPE, stderr=PIPE)
+            process = Popen([ xtables_nft_multi ] + shlex.split(line), stdout=PIPE, stderr=PIPE)
            (output, error) = process.communicate()
            if process.returncode == 0:
                translation = output.decode("utf-8").rstrip(" \n")
@@ -86,8 +88,12 @@ def load_test_files():
    print("%d test files, %d tests, %d tests passed, %d tests failed, %d errors" % (test_files, total_tests, total_passed, total_failed, total_error))

 def main():
+    global xtables_nft_multi
+    if not args.host:
        os.putenv("XTABLES_LIBDIR", os.path.abspath("extensions"))
-    os.putenv("PATH", "%s/iptables:%s" % (os.path.abspath(os.path.curdir), os.getenv("PATH")))
+        xtables_nft_multi = os.path.abspath(os.path.curdir) \
+                            + '/iptables/' + xtables_nft_multi
+
    if args.test:
        if not args.test.endswith(".txlate"):
            args.test += ".txlate"
@@ -101,6 +107,8 @@ def main():


 parser = argparse.ArgumentParser()
+parser.add_argument('-H', '--host', action='store_true',
+                    help='Run tests against installed binaries')
 parser.add_argument("test", nargs="?", help="run only the specified test file")
 args = parser.parse_args()
 main()