[PATCH 07/11] src: deduplicate and simplify implicit protocol extension loading


 



Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
 ip6tables.c |   34 +---------------------------------
 iptables.c  |   34 +---------------------------------
 xshared.c   |   35 ++++++++++++++++++++++++++++++++++-
 xshared.h   |    3 +--
 4 files changed, 37 insertions(+), 69 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index 7f8a8df..3330420 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1268,39 +1268,7 @@ static void command_default(struct iptables_command_state *cs)
 		}
 		m = matchp ? matchp->match : NULL;
 
-		/* If you listen carefully, you can
-		   actually hear this code suck. */
-
-		/* some explanations (after four different bugs
-		 * in 3 different releases): If we encounter a
-		 * parameter, that has not been parsed yet,
-		 * it's not an option of an explicitly loaded
-		 * match or a target.  However, we support
-		 * implicit loading of the protocol match
-		 * extension.  '-p tcp' means 'l4 proto 6' and
-		 * at the same time 'load tcp protocol match on
-		 * demand if we specify --dport'.
-		 *
-		 * To make this work, we need to make sure:
-		 * - the parameter has not been parsed by
-		 *   a match (m above)
-		 * - a protocol has been specified
-		 * - the protocol extension has not been
-		 *   loaded yet, or is loaded and unused
-		 *   [think of ip6tables-restore!]
-		 * - the protocol extension can be successively
-		 *   loaded
-		 */
-		if (m == NULL
-		    && cs->protocol
-		    && (!find_proto(cs->protocol, XTF_DONT_LOAD,
-				   cs->options&OPT_NUMERIC, NULL)
-			|| (find_proto(cs->protocol, XTF_DONT_LOAD,
-					cs->options&OPT_NUMERIC, NULL)
-			    && (cs->proto_used == 0))
-		       )
-		    && (m = find_proto(cs->protocol, XTF_TRY_LOAD,
-				       cs->options&OPT_NUMERIC, &cs->matches))) {
+		if (m == NULL && (m = load_proto(cs)) != NULL) {
 			/* Try loading protocol */
 			size_t size;
 
diff --git a/iptables.c b/iptables.c
index 0de656e..bae14af 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1292,39 +1292,7 @@ static void command_default(struct iptables_command_state *cs)
 		}
 		m = matchp ? matchp->match : NULL;
 
-		/* If you listen carefully, you can
-		   actually hear this code suck. */
-
-		/* some explanations (after four different bugs
-		 * in 3 different releases): If we encounter a
-		 * parameter, that has not been parsed yet,
-		 * it's not an option of an explicitly loaded
-		 * match or a target.  However, we support
-		 * implicit loading of the protocol match
-		 * extension.  '-p tcp' means 'l4 proto 6' and
-		 * at the same time 'load tcp protocol match on
-		 * demand if we specify --dport'.
-		 *
-		 * To make this work, we need to make sure:
-		 * - the parameter has not been parsed by
-		 *   a match (m above)
-		 * - a protocol has been specified
-		 * - the protocol extension has not been
-		 *   loaded yet, or is loaded and unused
-		 *   [think of iptables-restore!]
-		 * - the protocol extension can be successively
-		 *   loaded
-		 */
-		if (m == NULL
-		    && cs->protocol
-		    && (!find_proto(cs->protocol, XTF_DONT_LOAD,
-				   cs->options&OPT_NUMERIC, NULL)
-			|| (find_proto(cs->protocol, XTF_DONT_LOAD,
-					cs->options&OPT_NUMERIC, NULL)
-			    && (cs->proto_used == 0))
-		       )
-		    && (m = find_proto(cs->protocol, XTF_TRY_LOAD,
-				       cs->options&OPT_NUMERIC, &cs->matches))) {
+		if (m == NULL && (m = load_proto(cs)) != NULL) {
 			/* Try loading protocol */
 			size_t size;
 
diff --git a/xshared.c b/xshared.c
index 40b6b56..b47beb1 100644
--- a/xshared.c
+++ b/xshared.c
@@ -1,4 +1,5 @@
 #include <netdb.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <xtables.h>
@@ -50,7 +51,7 @@ proto_to_name(uint8_t proto, int nolookup)
 	return NULL;
 }
 
-struct xtables_match *
+static struct xtables_match *
 find_proto(const char *pname, enum xtables_tryload tryload,
 	   int nolookup, struct xtables_rule_match **matches)
 {
@@ -66,3 +67,35 @@ find_proto(const char *pname, enum xtables_tryload tryload,
 
 	return NULL;
 }
+
+/*
+ * Some explanations (after four different bugs in 3 different releases): If
+ * we encounter a parameter, that has not been parsed yet, it's not an option
+ * of an explicitly loaded match or a target. However, we support implicit
+ * loading of the protocol match extension. '-p tcp' means 'l4 proto 6' and at
+ * the same time 'load tcp protocol match on demand if we specify --dport'.
+ *
+ * To make this work, we need to make sure:
+ * - the parameter has not been parsed by a match (m above)
+ * - a protocol has been specified
+ * - the protocol extension has not been loaded yet, or is loaded and unused
+ *   [think of ip6tables-restore!]
+ * - the protocol extension can be successively loaded
+ */
+static bool should_load_proto(struct iptables_command_state *cs)
+{
+	if (cs->protocol == NULL)
+		return false;
+	if (find_proto(cs->protocol, XTF_DONT_LOAD,
+	    cs->options & OPT_NUMERIC, NULL) != NULL)
+		return true;
+	return cs->proto_used;
+}
+
+struct xtables_match *load_proto(struct iptables_command_state *cs)
+{
+	if (!should_load_proto(cs))
+		return NULL;
+	return find_proto(cs->protocol, XTF_TRY_LOAD,
+			  cs->options & OPT_NUMERIC, &cs->matches);
+}
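Review bot: should_load_proto() inverts both tests of the condition this patch removes from ip6tables.c and iptables.c. The old code went on to load the extension when `find_proto(..., XTF_DONT_LOAD, ...)` returned NULL, or when it was found and `cs->proto_used == 0`; the new helper returns true when the extension is found and otherwise returns `cs->proto_used`. With a protocol given but its extension not yet loaded, load_proto() would now return NULL, so a rule such as `-p tcp --dport` would presumably be rejected at parse time and a ruleset relying on implicit loading would not be applied. The check should read `if (find_proto(cs->protocol, XTF_DONT_LOAD, cs->options & OPT_NUMERIC, NULL) == NULL) return true;` followed by `return !cs->proto_used;`. The moved comment also still says "(m above)" and "ip6tables-restore", although the helper has no `m` and is now shared by both tools.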
diff --git a/xshared.h b/xshared.h
index 06d73ab..d0cb516 100644
--- a/xshared.h
+++ b/xshared.h
@@ -45,7 +45,6 @@ enum {
 extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
 extern const char *proto_to_name(uint8_t, int);
-extern struct xtables_match *find_proto(const char *, enum xtables_tryload,
-	int, struct xtables_rule_match **);
+extern struct xtables_match *load_proto(struct iptables_command_state *);
 
 #endif /* IPTABLES_XSHARED_H */
-- 
1.7.1


