[PATCH 16/16] libxtables: move afinfo around

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



libxtables should not rely on the program executable providing the
magic constants for using [gs]etsockopt.

Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
 include/xtables.h.in          |    1 +
 include/xtables/internal.h.in |   24 -------------
 ip6tables-restore.c           |    1 +
 ip6tables-save.c              |    1 +
 ip6tables-standalone.c        |    1 +
 ip6tables.c                   |    9 -----
 iptables-restore.c            |    1 +
 iptables-save.c               |    1 +
 iptables-standalone.c         |    1 +
 iptables.c                    |    9 -----
 xtables.c                     |   74 +++++++++++++++++++++++++++++++++++-----
 11 files changed, 71 insertions(+), 52 deletions(-)

diff --git a/include/xtables.h.in b/include/xtables.h.in
index 07217d6..02750fb 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -189,6 +189,7 @@ extern struct xtables_match *xtables_matches;
 extern struct xtables_target *xtables_targets;
 
 extern void xtables_init(void);
+extern void xtables_set_nfproto(uint8_t);
 extern void *xtables_calloc(size_t, size_t);
 extern void *xtables_malloc(size_t);
 
diff --git a/include/xtables/internal.h.in b/include/xtables/internal.h.in
index 2143829..81ddb48 100644
--- a/include/xtables/internal.h.in
+++ b/include/xtables/internal.h.in
@@ -7,30 +7,6 @@
 #	define XT_LIB_DIR "/usr/local/lib/iptables"
 #endif
 
-/* protocol family dependent informations */
-struct afinfo {
-	/* protocol family */
-	int family;
-
-	/* prefix of library name (ex "libipt_" */
-	char *libprefix;
-
-	/* used by setsockopt (ex IPPROTO_IP */
-	int ipproto;
-
-	/* kernel module (ex "ip_tables" */
-	char *kmod;
-
-	/* optname to check revision support of match */
-	int so_rev_match;
-
-	/* optname to check revision support of match */
-	int so_rev_target;
-};
-
-/* This is decleared in ip[6]tables.c */
-extern struct afinfo afinfo;
-
 /**
  * Program's own name and version.
  */
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index beb640b..acaf97b 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -132,6 +132,7 @@ int main(int argc, char *argv[])
 
 	xtables_program_name = program_name;
 	xtables_init();
+	xtables_set_nfproto(NFPROTO_IPV6);
 #ifdef NO_SHARED_LIBS
 	init_extensions();
 #endif
diff --git a/ip6tables-save.c b/ip6tables-save.c
index 86ec6b2..32b5992 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -141,6 +141,7 @@ int main(int argc, char *argv[])
 
 	xtables_program_name = program_name;
 	xtables_init();
+	xtables_set_nfproto(NFPROTO_IPV6);
 #ifdef NO_SHARED_LIBS
 	init_extensions();
 #endif
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 3ab114e..cea4818 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -54,6 +54,7 @@ main(int argc, char *argv[])
 
 	xtables_program_name = program_name;
 	xtables_init();
+	xtables_set_nfproto(NFPROTO_IPV6);
 #ifdef NO_SHARED_LIBS
 	init_extensions();
 #endif
diff --git a/ip6tables.c b/ip6tables.c
index 53163b7..233974f 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -199,15 +199,6 @@ struct pprot {
 	u_int8_t num;
 };
 
-struct afinfo afinfo = {
-	.family		= NFPROTO_IPV6,
-	.libprefix	= "libip6t_",
-	.ipproto	= IPPROTO_IPV6,
-	.kmod		= "ip6_tables",
-	.so_rev_match	= IP6T_SO_GET_REVISION_MATCH,
-	.so_rev_target	= IP6T_SO_GET_REVISION_TARGET,
-};
-
 static const char *
 proto_to_name(u_int8_t proto, int nolookup)
 {
diff --git a/iptables-restore.c b/iptables-restore.c
index 56812ee..810806f 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -134,6 +134,7 @@ main(int argc, char *argv[])
 
 	xtables_program_name = program_name;
 	xtables_init();
+	xtables_set_nfproto(NFPROTO_IPV4);
 #ifdef NO_SHARED_LIBS
 	init_extensions();
 #endif
diff --git a/iptables-save.c b/iptables-save.c
index d08ec4b..c4306fd 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -141,6 +141,7 @@ main(int argc, char *argv[])
 
 	xtables_program_name = program_name;
 	xtables_init();
+	xtables_set_nfproto(NFPROTO_IPV4);
 #ifdef NO_SHARED_LIBS
 	init_extensions();
 #endif
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 9190873..ece7cf4 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -55,6 +55,7 @@ main(int argc, char *argv[])
 
 	xtables_program_name = program_name;
 	xtables_init();
+	xtables_set_nfproto(NFPROTO_IPV4);
 #ifdef NO_SHARED_LIBS
 	init_extensions();
 #endif
diff --git a/iptables.c b/iptables.c
index b43aadf..f1a5d33 100644
--- a/iptables.c
+++ b/iptables.c
@@ -194,15 +194,6 @@ const char *program_name;
 
 int kernel_version;
 
-struct afinfo afinfo = {
-	.family		= NFPROTO_IPV4,
-	.libprefix	= "libipt_",
-	.ipproto	= IPPROTO_IP,
-	.kmod		= "ip_tables",
-	.so_rev_match	= IPT_SO_GET_REVISION_MATCH,
-	.so_rev_target	= IPT_SO_GET_REVISION_TARGET,
-};
-
 /* Primitive headers... */
 /* defined in netinet/in.h */
 #if 0
diff --git a/xtables.c b/xtables.c
index cf64352..6c95475 100644
--- a/xtables.c
+++ b/xtables.c
@@ -32,7 +32,8 @@
 #include <arpa/inet.h>
 
 #include <xtables.h>
-#include <ip6tables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 #include <libiptc/libxtc.h>
 
 #ifndef NO_SHARED_LIBS
@@ -46,6 +47,44 @@
 #endif
 
 /**
+ * xtables_afinfo - protocol family dependent information
+ * @kmod:		kernel module basename (e.g. "ip_tables")
+ * @libprefix:		prefix of .so library name (e.g. "libipt_")
+ * @family:		nfproto family
+ * @ipproto:		used by setsockopt (e.g. IPPROTO_IP)
+ * @so_rev_match:	optname to check revision support of match
+ * @so_rev_target:	optname to check revision support of target
+ */
+struct xtables_afinfo {
+	const char *kmod;
+	const char *libprefix;
+	uint8_t family;
+	uint8_t ipproto;
+	int so_rev_match;
+	int so_rev_target;
+};
+
+static const struct xtables_afinfo afinfo_ipv4 = {
+	.kmod          = "ip_tables",
+	.libprefix     = "libipt_",
+	.family	       = NFPROTO_IPV4,
+	.ipproto       = IPPROTO_IP,
+	.so_rev_match  = IPT_SO_GET_REVISION_MATCH,
+	.so_rev_target = IPT_SO_GET_REVISION_TARGET,
+};
+
+static const struct xtables_afinfo afinfo_ipv6 = {
+	.kmod          = "ip6_tables",
+	.libprefix     = "libip6t_",
+	.family        = NFPROTO_IPV6,
+	.ipproto       = IPPROTO_IPV6,
+	.so_rev_match  = IP6T_SO_GET_REVISION_MATCH,
+	.so_rev_target = IP6T_SO_GET_REVISION_TARGET,
+};
+
+static const struct xtables_afinfo *afinfo;
+
+/**
  * Program will set this to its own name.
  */
 const char *xtables_program_name;
@@ -74,6 +113,21 @@ void xtables_init(void)
 	xtables_libdir = XTABLES_LIBDIR;
 }
 
+void xtables_set_nfproto(uint8_t nfproto)
+{
+	switch (nfproto) {
+	case NFPROTO_IPV4:
+		afinfo = &afinfo_ipv4;
+		break;
+	case NFPROTO_IPV6:
+		afinfo = &afinfo_ipv6;
+		break;
+	default:
+		fprintf(stderr, "libxtables: unhandled NFPROTO in %s\n",
+		        __func__);
+	}
+}
+
 /**
  * xtables_*alloc - wrappers that exit on failure
  */
@@ -177,7 +231,7 @@ int xtables_load_ko(const char *modprobe, bool quiet)
 	static int ret = -1;
 
 	if (!loaded) {
-		ret = xtables_insmod(afinfo.kmod, modprobe, quiet);
+		ret = xtables_insmod(afinfo->kmod, modprobe, quiet);
 		loaded = (ret == 0);
 	}
 
@@ -387,7 +441,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 
 #ifndef NO_SHARED_LIBS
 	if (!ptr && tryload != XTF_DONT_LOAD && tryload != XTF_DURING_LOAD) {
-		ptr = load_extension(xtables_libdir, afinfo.libprefix,
+		ptr = load_extension(xtables_libdir, afinfo->libprefix,
 		      name, false);
 
 		if (ptr == NULL && tryload == XTF_LOAD_MUST_SUCCEED)
@@ -447,7 +501,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
 
 #ifndef NO_SHARED_LIBS
 	if (!ptr && tryload != XTF_DONT_LOAD && tryload != XTF_DURING_LOAD) {
-		ptr = load_extension(xtables_libdir, afinfo.libprefix,
+		ptr = load_extension(xtables_libdir, afinfo->libprefix,
 		      name, true);
 
 		if (ptr == NULL && tryload == XTF_LOAD_MUST_SUCCEED)
@@ -480,7 +534,7 @@ static int compatible_revision(const char *name, u_int8_t revision, int opt)
 	socklen_t s = sizeof(rev);
 	int max_rev, sockfd;
 
-	sockfd = socket(afinfo.family, SOCK_RAW, IPPROTO_RAW);
+	sockfd = socket(afinfo->family, SOCK_RAW, IPPROTO_RAW);
 	if (sockfd < 0) {
 		if (errno == EPERM) {
 			/* revision 0 is always supported. */
@@ -501,7 +555,7 @@ static int compatible_revision(const char *name, u_int8_t revision, int opt)
 	strcpy(rev.name, name);
 	rev.revision = revision;
 
-	max_rev = getsockopt(sockfd, afinfo.ipproto, opt, &rev, &s);
+	max_rev = getsockopt(sockfd, afinfo->ipproto, opt, &rev, &s);
 	if (max_rev < 0) {
 		/* Definitely don't support this? */
 		if (errno == ENOENT || errno == EPROTONOSUPPORT) {
@@ -524,12 +578,12 @@ static int compatible_revision(const char *name, u_int8_t revision, int opt)
 
 static int compatible_match_revision(const char *name, u_int8_t revision)
 {
-	return compatible_revision(name, revision, afinfo.so_rev_match);
+	return compatible_revision(name, revision, afinfo->so_rev_match);
 }
 
 static int compatible_target_revision(const char *name, u_int8_t revision)
 {
-	return compatible_revision(name, revision, afinfo.so_rev_target);
+	return compatible_revision(name, revision, afinfo->so_rev_target);
 }
 
 void xtables_register_match(struct xtables_match *me)
@@ -559,7 +613,7 @@ void xtables_register_match(struct xtables_match *me)
 	}
 
 	/* ignore not interested match */
-	if (me->family != afinfo.family && me->family != AF_UNSPEC)
+	if (me->family != afinfo->family && me->family != AF_UNSPEC)
 		return;
 
 	old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL);
@@ -632,7 +686,7 @@ void xtables_register_target(struct xtables_target *me)
 	}
 
 	/* ignore not interested target */
-	if (me->family != afinfo.family && me->family != AF_UNSPEC)
+	if (me->family != afinfo->family && me->family != AF_UNSPEC)
 		return;
 
 	old = xtables_find_target(me->name, XTF_DURING_LOAD);
-- 
1.6.1.2

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux