On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote: >+<----->if (cs->target->alias == NULL)^M >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M >+<----->else^M >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M > >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto) > >doesn't this all really belong in the CT files now? >ie. libxt_CT.c not libxt_NOTRACK.c I think so too. Furthermore, I have refined Pablo's patch. 0. vcurrent was not updated, now done. 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0 (function "compatible_revision"), now addressed. 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0. 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by providing a symlink. Not solved: 4. Since NOTRACK now always maps to CT, "-j NOTRACK" has become unusable on sufficiently old kernels. Should we even bother? [ Agglomeration of two patches in git://git.inai.de/iptables master ]
diff --git a/configure.ac b/configure.ac
index 861f5b3..a45d9ab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,8 +2,8 @@ AC_INIT([iptables], [1.4.15])
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=8
-libxtables_vage=1
+libxtables_vcurrent=9
+libxtables_vage=0
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 218dc3a..92ac63d 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -39,6 +39,7 @@ endif
 # Wildcard module list
 #
 pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
+pfx_build_mod += NOTRACK
 @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
 @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
 pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
@@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c
 xt_RATEEST_LIBADD = -lm
 xt_statistic_LIBADD = -lm
+libxt_NOTRACK.so: libxt_CT.so
+ ln -s $< $@
 #
 # Static bits
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 27a20e2..8012a59 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
 printf(" --zone %u", info->zone);
 }
+static void notrack_tg_init(struct xt_entry_target *target)
+{
+ struct xt_ct_target_info_v1 *info = (void *)target->data;
+
+ info->flags |= XT_CT_NOTRACK;
+}
+
 static struct xtables_target ct_target_reg[] = {
 {
 .family = NFPROTO_UNSPEC,
@@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = {
 .x6_parse = ct_parse_v1,
 .x6_options = ct_opts_v1,
 },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+ .revision = 0,
+ .real_name = "CT",
+ .real_rev = 1,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
+ .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
+ .print = ct_print_v1,
+ .save = ct_save_v1,
+ .init = notrack_tg_init,
+ },
 };
 void _init(void)
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
deleted file mode 100644
index ca58700..0000000
--- a/extensions/libxt_NOTRACK.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/* Shared library add-on to iptables to add NOTRACK target support. */
-#include <xtables.h>
-
-static struct xtables_target notrack_target = {
- .family = NFPROTO_UNSPEC,
- .name = "NOTRACK",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
-};
-
-void _init(void)
-{
- xtables_register_target(¬rack_target);
-}
diff --git a/include/xtables.h.in b/include/xtables.h.in
index db69c03..7993414 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
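Review bot: The `ln -s $< $@` recipe of the new `libxt_NOTRACK.so` rule is not idempotent: once the link exists and `libxt_CT.so` is rebuilt, make re-runs the recipe and `ln` fails with "File exists", breaking incremental builds. Use `ln -sf $< $@` (or `rm -f $@ && ln -s $< $@`) instead. The recipe line also needs a leading tab in the real file; the single space shown here is presumably a mail-rendering artifact.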
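Review bot: `notrack_tg_init` has no comment, although it is the whole mechanism that makes the NOTRACK alias differ from a plain CT rev 1 rule. A header such as `/* .init of the NOTRACK alias: pre-set XT_CT_NOTRACK on the CT rev 1 payload. */` would make that visible to the next reader. Since the alias entry in the following hunk registers no `.x6_parse`/`.x6_options`, nothing after this init appears to touch `info->flags`, which is worth stating in the same comment if that is indeed the intent.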
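Review bot: The NOTRACK alias entry reuses `ct_save_v1` for `.save`, so `iptables-save` of a rule entered as `-j NOTRACK` is written back as `-j CT ...`; unless `ct_save_v1` (whose body starts outside the previous hunk, only the `--zone` line is visible) emits `--notrack` when `XT_CT_NOTRACK` is set, the saved rule loses the notrack semantics on restore and becomes a plain `-j CT`. Worth confirming, and likewise that `ct_print_v1` shows the flag in `iptables -L` output. The entry also registers no `.help`, so `-j NOTRACK -h` prints nothing for it, which at least matches the deleted libxt_NOTRACK.c.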
@@ -280,11 +280,13 @@ struct xtables_target
 struct xtables_target *next;
- const char *name;
+ /* Real target behind this, if any. */
+ const char *real_name;
+ /* Revision of target (0 by default). */
- u_int8_t revision;
+ u_int8_t revision, real_rev;
 u_int16_t family;
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index b191d5d..f0ebe15 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1286,8 +1286,17 @@ static void command_jump(struct iptables_command_state *cs)
 cs->target->t = xtables_calloc(1, size);
 cs->target->t->u.target_size = size;
- strcpy(cs->target->t->u.user.name, cs->jumpto);
- cs->target->t->u.user.revision = cs->target->revision;
+ if (cs->target->real_name == NULL) {
+ strcpy(cs->target->t->u.user.name, cs->jumpto);
+ cs->target->t->u.user.revision = cs->target->revision;
+ } else {
+ strcpy(cs->target->t->u.user.name, cs->target->real_name);
+ cs->target->t->u.user.revision = cs->target->real_rev;
+ fprintf(stderr, "WARNING: The %s target is obsolete. "
+ "Use %s instead.\n",
+ cs->jumpto, cs->target->real_name);
+ }
+
 xs_init_target(cs->target);
 if (cs->target->x6_options != NULL)
 opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 03ac63b..5d8698d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
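Review bot: As rendered, this hunk shows `const char *name;` as a removed line with no replacement, yet `me->name` is still used by the libxtables/xtables.c hunk below and `.name = "NOTRACK"` by the libxt_CT.c hunk; if that is not a mail-rendering artifact the member must stay. Separately, the comment `/* Real target behind this, if any. */` is misleading once xtables_register_target fills the field, since after registration it is never NULL; suggest `/* Real target behind this alias; xtables_register_target() sets it to name/revision when an extension leaves it unset. */`. Adding members here changes the struct layout, which the libxtables_vcurrent/vage bump in configure.ac accounts for.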
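Review bot: The obsolescence warning in the new `else` branch is printed on every call of command_jump for an aliased target, so an `ip6tables-restore` of a ruleset with many `-j NOTRACK` rules emits it once per rule; printing it once per process (a function-local `static bool warned`), or once per target via a flag on the registration, would keep stderr usable. The same block is duplicated verbatim in the iptables/iptables.c hunk, differing only by a comment there; a shared helper in xshared would keep the two in sync and would be the natural place for the once-only logic. command_jump starts and ends outside this hunk.
```c
	} else {
		static bool warned;

		strcpy(cs->target->t->u.user.name, cs->target->real_name);
		cs->target->t->u.user.revision = cs->target->real_rev;
		if (!warned) {
			fprintf(stderr, "WARNING: The %s target is obsolete. "
				"Use %s instead.\n",
				cs->jumpto, cs->target->real_name);
			warned = true;
		}
	}
	/* … unchanged: xs_init_target and option merging … */
```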
@@ -1295,8 +1295,18 @@ static void command_jump(struct iptables_command_state *cs)
 cs->target->t = xtables_calloc(1, size);
 cs->target->t->u.target_size = size;
- strcpy(cs->target->t->u.user.name, cs->jumpto);
- cs->target->t->u.user.revision = cs->target->revision;
+ if (cs->target->real_name == NULL) {
+ strcpy(cs->target->t->u.user.name, cs->jumpto);
+ cs->target->t->u.user.revision = cs->target->revision;
+ } else {
+ /* Alias support for userspace side */
+ strcpy(cs->target->t->u.user.name, cs->target->real_name);
+ cs->target->t->u.user.revision = cs->target->real_rev;
+ fprintf(stderr, "WARNING: The %s target is obsolete. "
+ "Use %s instead.\n",
+ cs->jumpto, cs->target->real_name);
+ }
+
 xs_init_target(cs->target);
 if (cs->target->x6_options != NULL)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index d818579..4758ddc 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -944,6 +944,10 @@ void xtables_register_target(struct xtables_target *me)
 xt_params->program_name, me->name);
 exit(1);
 }
+ if (me->real_name == NULL) {
+ me->real_name = me->name;
+ me->real_rev = me->revision;
+ }
 if (me->x6_options != NULL)
 xtables_option_metavalidate(me->name, me->x6_options);
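Review bot: The new defaulting block only copies `me->name` into `real_name` when it is unset, so an extension-supplied `real_name` never goes through the validation that precedes this insertion (those checks start outside the hunk; only the trailing `exit(1)` is visible). Since command_jump in the iptables.c/ip6tables.c hunks `strcpy`s `real_name` into the fixed-size `u.user.name`, it needs the same `XT_EXTENSION_MAXNAMELEN` bound that `name` presumably receives earlier in this function: `if (strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { fprintf(stderr, "%s: target `%s' has invalid real_name\n", xt_params->program_name, me->name); exit(1); }` right after the defaulting. `real_rev` needs no range check as it is declared `u_int8_t` in the xtables.h.in hunk.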
@@ -976,16 +980,16 @@ static void xtables_fully_register_pending_target(struct xtables_target *me)
 }
 /* Now we have two (or more) options, check compatibility. */
- if (compatible_target_revision(old->name, old->revision)
- && old->revision > me->revision)
+ if (compatible_target_revision(old->real_name, old->real_rev)
+ && old->real_rev > me->real_rev)
 return;
 /* See if new target can be used. */
- if (!compatible_target_revision(me->name, me->revision))
+ if (!compatible_target_revision(me->real_name, me->real_rev))
 return;
 /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
- if (old->revision == me->revision && me->family == AF_UNSPEC)
+ if (old->real_rev == me->real_rev && me->family == AF_UNSPEC)
 return;
 /* Delete old one. */
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
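Review bot: The revision ordering now compares `old->real_rev` with `me->real_rev`, which is only meaningful when both registrations for the same `name` resolve to the same real target; two entries with equal `name` but different `real_name` values would have unrelated revision numbers compared, and the "same revision" tie-break below inherits the same assumption. Adding `&& strcmp(old->real_name, me->real_name) == 0` to the first condition, or a comment stating that all aliases of one name are expected to share a real_name, would make that explicit. xtables_fully_register_pending_target starts outside this hunk.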