Message ID | 1424351483-27617-8-git-send-email-fw@strlen.de |
---|---|
State | Accepted |
Delegated to: | Florian Westphal |
On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>The inversion flag wasn't set in the match struct.
The documentation needs to be updated too.
It reflected what source code did: not supporting the "!" option at
all/silently ignoring it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Jan Engelhardt <jengelh@inai.de> wrote:
> On Thursday 2015-02-19 14:11, Florian Westphal wrote:
>
> >The inversion flag wasn't set in the match struct.
>
> The documentation needs to be updated too.
>
> It reflected what source code did: not supporting the "!" option at
> all/silently ignoring it.

Interesting, --help does mention it:

dst match options:
[!] --dst-len length total length of this header

So, what's the desired action?

Given that the kernel already supports it (on kernel side it's a module
alias for hop-by-hop match) I'd vote for just also updating the man page
snippet to mention ! as well, since it seems like an artificial restriction.
On Thursday 2015-02-19 14:37, Florian Westphal wrote:
>Interesting, --help does mention it:
>dst match options:
>[!] --dst-len length total length of this header

Um, I got confused by your change to dst-opts related code:

>>> opts[i] = (parse_opts_num(cp, "opt") & 0xFF) << 8; if (range) { if (opts[i] == 0) xtables_error(PARAMETER_PROBLEM, "PAD0 hasn't got length"); opts[i] |= parse_opts_num(range, "length") & 0xFF; - } else + } else { opts[i] |= (0x00FF); + } <<<

All in order. But perhaps separate style changes from real changes commit-wise.
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c index 3fd4c01..1f15162 100644 --- a/extensions/libip6t_dst.c +++ b/extensions/libip6t_dst.c @@ -70,22 +70,21 @@ parse_options(const char *optsstr, uint16_t *opts) *next++='\0'; range = strchr(cp, ':'); - if (range) { if (i == IP6T_OPTS_OPTSNR-1) xtables_error(PARAMETER_PROBLEM, "too many ports specified"); *range++ = '\0'; } - opts[i] = (parse_opts_num(cp, "opt") & 0xFF) << 8; if (range) { if (opts[i] == 0) xtables_error(PARAMETER_PROBLEM, "PAD0 hasn't got length"); opts[i] |= parse_opts_num(range, "length") & 0xFF; - } else + } else { opts[i] |= (0x00FF); + } #ifdef DEBUG printf("opts str: %s %s\n", cp, range); @@ -112,6 +111,8 @@ static void dst_parse(struct xt_option_call *cb) xtables_option_parse(cb); switch (cb->entry->id) { case O_DSTLEN: + if (cb->invert) + optinfo->invflags |= IP6T_OPTS_INV_LEN; optinfo->flags |= IP6T_OPTS_LEN; break; case O_DSTOPTS: @@ -152,7 +153,6 @@ static void dst_print(const void *ip, const struct xt_entry_match *match, printf(" opts"); print_options(optinfo->optsnr, (uint16_t *)optinfo->opts); - if (optinfo->invflags & ~IP6T_OPTS_INV_MASK) printf(" Unknown invflags: 0x%X", optinfo->invflags & ~IP6T_OPTS_INV_MASK); diff --git a/extensions/libip6t_dst.t b/extensions/libip6t_dst.t index b2788aa..0b0013b 100644 --- a/extensions/libip6t_dst.t +++ b/extensions/libip6t_dst.t @@ -1,4 +1,5 @@ :INPUT,FORWARD,OUTPUT -m dst --dst-len 0;=;OK -m dst --dst-opts 149:92,12:12,123:12;=;OK +-m dst ! --dst-len 42;=;OK -m dst --dst-len 42 --dst-opts 149:92,12:12,123:12;=;OK
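Review bot: The brace and blank-line changes in parse_options() (first hunk), like the blank line dropped before the invflags check in dst_print(), are unrelated to the inversion fix the commit message describes and belong in a separate cleanup commit, so that the functional change in dst_parse() can be reviewed, bisected and backported on its own. That cleanup could also guard the context line under #ifdef DEBUG, which passes range to printf("%s") even though range is NULL whenever the option string has no ':' part.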
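Review bot: The commit message should state the user-visible effect of the O_DSTLEN change in dst_parse(): until now "! --dst-len N" was accepted without IP6T_OPTS_INV_LEN being set in invflags, so a rule written as a negation ended up as a plain length match. A ruleset that already contains such a rule will filter differently once this is applied, so the changelog should say that, and the man page text for --dst-len should be updated in the same series to mention "!".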
The inversion flag wasn't set in the match struct.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 extensions/libip6t_dst.c | 8 ++++----
 extensions/libip6t_dst.t | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)