From patchwork Wed Nov 29 13:28:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869681 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=VsgHrt9r; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-117-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZy0HhRz1yST for ; Thu, 30 Nov 2023 00:16:10 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 4E3DC1C21127 for ; Wed, 29 Nov 2023 13:16:08 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 78765208B0; Wed, 29 Nov 2023 13:15:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="VsgHrt9r" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 17813A8 for ; Wed, 29 Nov 2023 05:15:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=YIs1l6yfHG3MEAZIo2PzCeSIfZE81qB9rWHN2JUQ3Wc=; b=VsgHrt9rXdLAnYcZfD/eOswURo 0k2hCdkutQOz43DhKKjnqKAO0wftHb6BoRrO6cMRB4pD5o1pIXI0vApGcwsxK1sLjzvyespaDULmg dlC8tbn4Y4HxVigHnUAqbmS8XyCHJbs0YkBLj3kwtiGkkvqBlQccDjNDsE8pZMK6UEUf4N57Rgb6O y2Qh4Yr9ZJoZaJGZfJ6U87/VjTvljHGnT+tBa6WRsFDIrZhe18HvdrtbhMwPLaKYXuQ+AUT3P5UFW J1tfBpM0bJ6L9uuJVnyKvyRKHVvyquxGRByAhal4vN51HfXWw/1xWEkMh//sVCiWPQQMXqxwzgDS9 VzTrLeOg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPm-0001jh-G8 for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:42 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 01/13] xshared: do_parse: Skip option checking for CMD_DELETE_NUM Date: Wed, 29 Nov 2023 14:28:15 +0100 Message-ID: <20231129132827.18166-2-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This command will delete a rule by its number, not rule spec. No -i/-o options are expected on commandline. Signed-off-by: Phil Sutter --- iptables/xshared.c | 1 - 1 file changed, 1 deletion(-) diff --git a/iptables/xshared.c b/iptables/xshared.c index dca744773d773..53e6720169950 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1837,7 +1837,6 @@ void do_parse(int argc, char *argv[], if (p->command == CMD_APPEND || p->command == CMD_DELETE || - p->command == CMD_DELETE_NUM || p->command == CMD_CHECK || p->command == CMD_INSERT || p->command == CMD_REPLACE) { From patchwork Wed Nov 29 13:28:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869671 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=ea7pV/Ok; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-107-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZc4ySRz24DJ for ; Thu, 30 Nov 2023 00:15:52 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 43B2A2823AB for ; Wed, 29 Nov 2023 13:15:51 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E01A7200C8; Wed, 29 Nov 2023 13:15:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="ea7pV/Ok" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 16E1F85 for ; Wed, 29 Nov 2023 05:15:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=BgjE3LazCOEi/oVaZwc7f/T2/TeTz0xpQM6b/3Mkj1U=; b=ea7pV/OkDDh7T79JIo/Q5puYuN I9EJyhHGzaCl3xeJCeffOnBj2+JG8P9K/ciszQJE9beAYCwe7LdNVlBDp1DNsDE6e2oVQlstKTBDe yORGV5hlz3FHTaApsU8DS7b052GDdgm/amIcjuT0CwINiyGqa2Y6WnKxEhcFWwQ+hmuM5GUwadSni ysLMA7kaTiQ2vk1gFYSx82mwzMZDxoZMA9CMfR9rZfN1T+0hQLaxorYfJL9vWf0EJJIjlWQeSvLvl yYS3c3Cl0xNjGfpufRVjMJksNBcYfIRfbH0/Zj2Qv974XnrlpKz0G/zuPqCcI6OaBsHrx2O8zeynW 67O3W14g==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPh-0001iq-EY for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:37 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 02/13] xshared: Perform protocol value parsing in callback Date: Wed, 29 Nov 2023 14:28:16 +0100 Message-ID: <20231129132827.18166-3-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The code is same in iptables and ip6tables, but different in ebtables. Therefore move it into the callback to keep that part of do_parse() generic. Signed-off-by: Phil Sutter --- iptables/xshared.c | 22 ++++++++++++++-------- iptables/xshared.h | 1 - 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/iptables/xshared.c b/iptables/xshared.c index 53e6720169950..ff809f2be3438 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1547,12 +1547,6 @@ void do_parse(int argc, char *argv[], *cs->protocol = tolower(*cs->protocol); cs->protocol = optarg; - args->proto = xtables_parse_protocol(cs->protocol); - - if (args->proto == 0 && - (args->invflags & XT_INV_PROTO)) - xtables_error(PARAMETER_PROBLEM, - "rule would never match protocol"); /* This needs to happen here to parse extensions */ if (p->ops->proto_parse) @@ -1865,7 +1859,13 @@ void do_parse(int argc, char *argv[], void ipv4_proto_parse(struct iptables_command_state *cs, struct xtables_args *args) { - cs->fw.ip.proto = args->proto; + cs->fw.ip.proto = xtables_parse_protocol(cs->protocol); + + if (cs->fw.ip.proto == 0 && + (args->invflags & XT_INV_PROTO)) + xtables_error(PARAMETER_PROBLEM, + "rule would never match protocol"); + cs->fw.ip.invflags = args->invflags; } @@ -1881,7 +1881,13 @@ static int is_exthdr(uint16_t proto) void ipv6_proto_parse(struct iptables_command_state *cs, struct xtables_args *args) { - cs->fw6.ipv6.proto = args->proto; + cs->fw6.ipv6.proto = xtables_parse_protocol(cs->protocol); + + if (cs->fw6.ipv6.proto == 0 && + (args->invflags & XT_INV_PROTO)) + xtables_error(PARAMETER_PROBLEM, + "rule would never match protocol"); + cs->fw6.ipv6.invflags = args->invflags; /* this is needed for ip6tables-legacy only */ diff --git a/iptables/xshared.h b/iptables/xshared.h index d2ce72e90824a..3df2153fd6a10 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -249,7 +249,6 @@ struct addr_mask { struct xtables_args { int family; - uint16_t proto; uint8_t flags; uint16_t invflags; char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; From patchwork Wed Nov 29 13:28:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869679 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=FyCH1j4I; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-115-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZt4cGkz1yST for ; Thu, 30 Nov 2023 00:16:06 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 6704F28275E for ; Wed, 29 Nov 2023 13:16:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 089912033E; Wed, 29 Nov 2023 13:15:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="FyCH1j4I" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66779B2 for ; Wed, 29 Nov 2023 05:15:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=qAqm42Llfs712T9EGHrSvgmeJMePZd8CxVFLF3AVx+E=; b=FyCH1j4IHjqwwm2xgxn/RFh36E rSz/94RCSjUy9G2FMGPBIbSM94gqQLTQO3d3zOpYlQ9kbL+e9dzdCfw9+QCGE74hRYkevsz+fS68q 6CxlUCBcH/x9sfMI4U8ZyQ0xkW49NvVs9qn5JV61C7xoWc09K0DusXZz07qlbTHsLkXupyZw+xi8+ oxyFGJjJyNDR1TzuDquFtk+PB+nEZSKi4iq+DZkNf8/V0gT93i7TmOoLp5ovZ1JRZDFT01Nd4JUy3 miEopBTjnYic7JJM0oSzDHRQScIBY+d7N6KDSB8ZAG/MLy2d3ocVCMcAOKUNdnYERSYXzUhpMy09m 29C9525w==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPh-0001iu-R2 for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:37 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 03/13] xshared: Turn command_default() into a callback Date: Wed, 29 Nov 2023 14:28:17 +0100 Message-ID: <20231129132827.18166-4-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Ebtables' variant is pretty different since all extensions are loaded up front and some targets serve as "watcher" extensions, so let variants specify the function to call for extension parameters. Signed-off-by: Phil Sutter --- iptables/ip6tables.c | 1 + iptables/iptables.c | 1 + iptables/nft-arp.c | 1 + iptables/nft-ipv4.c | 1 + iptables/nft-ipv6.c | 1 + iptables/xshared.c | 6 +++--- iptables/xshared.h | 4 ++++ 7 files changed, 12 insertions(+), 3 deletions(-) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 53eeb6e90bbb7..96603756324a5 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -670,6 +670,7 @@ int do_command6(int argc, char *argv[], char **table, .post_parse = ipv6_post_parse, .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, + .command_default = command_default, }; struct xt_cmd_parse p = { .table = *table, diff --git a/iptables/iptables.c b/iptables/iptables.c index 69dd289060528..b57483ef44514 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -664,6 +664,7 @@ int do_command4(int argc, char *argv[], char **table, .post_parse = ipv4_post_parse, .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, + .command_default = command_default, }; struct xt_cmd_parse p = { .table = *table, diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index c009dd83e26cf..f3e2920ac6d15 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -858,6 +858,7 @@ struct nft_family_ops nft_family_ops_arp = { .post_parse = nft_arp_post_parse, .option_name = nft_arp_option_name, .option_invert = nft_arp_option_invert, + .command_default = command_default, }, .rule_to_cs = nft_rule_to_iptables_command_state, .init_cs = nft_arp_init_cs, diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index c140ffde34b62..754c776473143 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -354,6 +354,7 @@ struct nft_family_ops nft_family_ops_ipv4 = { .post_parse = ipv4_post_parse, .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, + .command_default = command_default, }, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = xtables_clear_iptables_command_state, diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 4bf4f54f18a00..b1b5891013577 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -345,6 +345,7 @@ struct nft_family_ops nft_family_ops_ipv6 = { .post_parse = ipv6_post_parse, .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, + .command_default = command_default, }, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = xtables_clear_iptables_command_state, diff --git a/iptables/xshared.c b/iptables/xshared.c index ff809f2be3438..29b3992904e68 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -122,8 +122,8 @@ static struct xtables_match *load_proto(struct iptables_command_state *cs) cs->options & OPT_NUMERIC, &cs->matches); } -static int command_default(struct iptables_command_state *cs, - struct xtables_globals *gl, bool invert) +int command_default(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert) { struct xtables_rule_match *matchp; struct xtables_match *m; @@ -1784,7 +1784,7 @@ void do_parse(int argc, char *argv[], exit_tryhelp(2, p->line); default: - if (command_default(cs, xt_params, invert)) + if (p->ops->command_default(cs, xt_params, invert)) /* cf. ip6tables.c */ continue; break; diff --git a/iptables/xshared.h b/iptables/xshared.h index 3df2153fd6a10..bf24fd568a6f5 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -272,6 +272,8 @@ struct xt_cmd_parse_ops { struct xtables_args *args); const char *(*option_name)(int option); int (*option_invert)(int option); + int (*command_default)(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert); }; struct xt_cmd_parse { @@ -289,6 +291,8 @@ struct xt_cmd_parse { const char *ip46t_option_name(int option); int ip46t_option_invert(int option); +int command_default(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert); void do_parse(int argc, char *argv[], struct xt_cmd_parse *p, struct iptables_command_state *cs, From patchwork Wed Nov 29 13:28:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869674 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=ThQ6fLny; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=139.178.88.99; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-110-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [139.178.88.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZk2kXPz23mS for ; Thu, 30 Nov 2023 00:15:58 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 0862C2833D6 for ; Wed, 29 Nov 2023 13:15:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 400EF20328; Wed, 29 Nov 2023 13:15:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="ThQ6fLny" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E23810A for ; Wed, 29 Nov 2023 05:15:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=LX03F5ZwCADDJEyWZ6+uuGTjpov9WP0rhX6xumsVnhM=; b=ThQ6fLnyoc/EVmoh8Is7FO9JPN P1troriTRbcS52Y+2vgMd7JksQgcDEZcLgP9bfxUx4UuJj146gJz8BwI6eUbVAD0J6dy0lkpyuoen QWXN1qXLM7RNvNfAPC+N1O+o/PF57AAJF8kn8ARQclU+sRI/5emK6lK/j101ShC4i/Cgo+/z/r2S6 Z9cluzG197uOmE7jcKyFqpxsivOwWr4MWCoNrX9vhL1kTkLpQ7xwrXf2aK1cjNCNfAqILschE824+ I7OD2h+5jUqH+e7Rxw4gWMTLWEQbhlhEZjfQrz4WQk+O33kEpvMwqoeuDtgFt0BWpRyBT0oUQiZA8 Vm+X2MOA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPi-0001j2-GE for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:38 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 04/13] xshared: Introduce print_help callback (again) Date: Wed, 29 Nov 2023 14:28:18 +0100 Message-ID: <20231129132827.18166-5-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Prep work for ebtables parser to use do_parse(). Adding more special casing to xtables_printhelp() causes a mess, so work with a callback again. Signed-off-by: Phil Sutter --- iptables/ip6tables.c | 1 + iptables/iptables.c | 1 + iptables/nft-arp.c | 1 + iptables/nft-ipv4.c | 1 + iptables/nft-ipv6.c | 1 + iptables/xshared.c | 6 +++--- iptables/xshared.h | 2 ++ 7 files changed, 10 insertions(+), 3 deletions(-) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 96603756324a5..4b5d4ac6878b7 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -671,6 +671,7 @@ int do_command6(int argc, char *argv[], char **table, .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, .command_default = command_default, + .print_help = xtables_printhelp, }; struct xt_cmd_parse p = { .table = *table, diff --git a/iptables/iptables.c b/iptables/iptables.c index b57483ef44514..5ae28fe04a5f5 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -665,6 +665,7 @@ int do_command4(int argc, char *argv[], char **table, .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, .command_default = command_default, + .print_help = xtables_printhelp, }; struct xt_cmd_parse p = { .table = *table, diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index f3e2920ac6d15..6011620cf52a7 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -859,6 +859,7 @@ struct nft_family_ops nft_family_ops_arp = { .option_name = nft_arp_option_name, .option_invert = nft_arp_option_invert, .command_default = command_default, + .print_help = xtables_printhelp, }, .rule_to_cs = nft_rule_to_iptables_command_state, .init_cs = nft_arp_init_cs, diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 754c776473143..979880a3e7702 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -355,6 +355,7 @@ struct nft_family_ops nft_family_ops_ipv4 = { .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, .command_default = command_default, + .print_help = xtables_printhelp, }, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = xtables_clear_iptables_command_state, diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index b1b5891013577..e4b1714d00c2f 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -346,6 +346,7 @@ struct nft_family_ops nft_family_ops_ipv6 = { .option_name = ip46t_option_name, .option_invert = ip46t_option_invert, .command_default = command_default, + .print_help = xtables_printhelp, }, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = xtables_clear_iptables_command_state, diff --git a/iptables/xshared.c b/iptables/xshared.c index 29b3992904e68..177f3ddd1c19e 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1108,9 +1108,9 @@ int print_match_save(const struct xt_entry_match *e, const void *ip) return 0; } -static void -xtables_printhelp(const struct xtables_rule_match *matches) +void xtables_printhelp(struct iptables_command_state *cs) { + const struct xtables_rule_match *matches = cs->matches; const char *prog_name = xt_params->program_name; const char *prog_vers = xt_params->program_version; @@ -1527,7 +1527,7 @@ void do_parse(int argc, char *argv[], xtables_find_match(cs->protocol, XTF_TRY_LOAD, &cs->matches); - xtables_printhelp(cs->matches); + p->ops->print_help(cs); xtables_clear_iptables_command_state(cs); xtables_free_opts(1); xtables_fini(); diff --git a/iptables/xshared.h b/iptables/xshared.h index bf24fd568a6f5..69f50e505cb9b 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -274,6 +274,7 @@ struct xt_cmd_parse_ops { int (*option_invert)(int option); int (*command_default)(struct iptables_command_state *cs, struct xtables_globals *gl, bool invert); + void (*print_help)(struct iptables_command_state *cs); }; struct xt_cmd_parse { @@ -289,6 +290,7 @@ struct xt_cmd_parse { struct xt_cmd_parse_ops *ops; }; +void xtables_printhelp(struct iptables_command_state *cs); const char *ip46t_option_name(int option); int ip46t_option_invert(int option); int command_default(struct iptables_command_state *cs, From patchwork Wed Nov 29 13:28:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869677 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=qXU5iilx; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-113-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZp629Yz23mS for ; Thu, 30 Nov 2023 00:16:02 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 9BB30282E00 for ; Wed, 29 Nov 2023 13:16:01 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 51E1020334; Wed, 29 Nov 2023 13:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="qXU5iilx" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 313E51A8 for ; Wed, 29 Nov 2023 05:15:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=BIZfeMXhWjjvENrylSWL9FA5RbfMQ2Zj83oOK9K9nZQ=; b=qXU5iilxnTS5O6Snnn2UzOy+kF ZygsA63WMSfFlduJZIUEEq6pFTc3aXvVjphcY1XjyBM163iT9WUMjgc7q/ylHAouBdgEH4PB8NtwJ 7DZ12ckQ6NUCBAPkGGmrBTHkxTAu8cahTCMNw4BQPHj0gX9SOKCmSsqLfhdGKj4+9O01vcoYzJTas p1nusBQmMBCT5NzR7uTzqKtXpc+PgBkRsVFBJbYdmkv2ECB99aqm1N9ofh/LPQh7Vqqio150YtQn5 2JH7t0Y/l3IG9/FJmEVVyEeN8kuNayy3jNDEZ1CQwtQlO7RDLU2kr89vyRzxjTP5CrDiMs8H3dfiS 4QDHOzVA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPj-0001jD-HI for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:39 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 05/13] xshared: Support rule range deletion in do_parse() Date: Wed, 29 Nov 2023 14:28:19 +0100 Message-ID: <20231129132827.18166-6-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This is a distinct ebtables feature. Introduce struct xt_cmd_parse::rule_ranges boolean indicating support for it and bail otherwise if a range was specified by the user. Signed-off-by: Phil Sutter --- iptables/xshared.c | 34 +++++++++++++++++++++++++++++++++- iptables/xshared.h | 2 ++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/iptables/xshared.c b/iptables/xshared.c index 177f3ddd1c19e..62ae4141325ed 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -903,6 +903,38 @@ static int parse_rulenumber(const char *rule) return rulenum; } +static void parse_rule_range(struct xt_cmd_parse *p, const char *argv) +{ + char *colon = strchr(argv, ':'), *buffer; + + if (colon) { + if (!p->rule_ranges) + xtables_error(PARAMETER_PROBLEM, + "Rule ranges are not supported"); + + *colon = '\0'; + if (*(colon + 1) == '\0') + p->rulenum_end = -1; /* Until the last rule */ + else { + p->rulenum_end = strtol(colon + 1, &buffer, 10); + if (*buffer != '\0' || p->rulenum_end == 0) + xtables_error(PARAMETER_PROBLEM, + "Invalid rule range end`%s'", + colon + 1); + } + } + if (colon == argv) + p->rulenum = 1; /* Beginning with the first rule */ + else { + p->rulenum = strtol(argv, &buffer, 10); + if (*buffer != '\0' || p->rulenum == 0) + xtables_error(PARAMETER_PROBLEM, + "Invalid rule number `%s'", argv); + } + if (!colon) + p->rulenum_end = p->rulenum; +} + /* list the commands an option is allowed with */ #define CMD_IDRAC CMD_INSERT | CMD_DELETE | CMD_REPLACE | \ CMD_APPEND | CMD_CHECK @@ -1411,7 +1443,7 @@ void do_parse(int argc, char *argv[], add_command(&p->command, CMD_DELETE, CMD_NONE, invert); p->chain = optarg; if (xs_has_arg(argc, argv)) { - p->rulenum = parse_rulenumber(argv[optind++]); + parse_rule_range(p, argv[optind++]); p->command = CMD_DELETE_NUM; } break; diff --git a/iptables/xshared.h b/iptables/xshared.h index 69f50e505cb9b..2fd15c725faaf 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -280,6 +280,7 @@ struct xt_cmd_parse_ops { struct xt_cmd_parse { unsigned int command; unsigned int rulenum; + unsigned int rulenum_end; char *table; const char *chain; const char *newname; @@ -287,6 +288,7 @@ struct xt_cmd_parse { bool restore; int line; int verbose; + bool rule_ranges; struct xt_cmd_parse_ops *ops; }; From patchwork Wed Nov 29 13:28:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869673 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=MqZBDt0I; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-109-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZj5Wr9z1yST for ; Thu, 30 Nov 2023 00:15:57 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 8D920B2189D for ; Wed, 29 Nov 2023 13:15:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 347C020323; Wed, 29 Nov 2023 13:15:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="MqZBDt0I" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 68F0B19A for ; Wed, 29 Nov 2023 05:15:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JZqsfWOknLtp2WpFwIXCIyCIxeQ8nhpHi4Q48weCE44=; b=MqZBDt0IfdhpZVsZZMIlCwpkIQ 9yZIgEOmcbh02guwEbXCLb//7kTeNix2CCqArHOAd43wCnfMCDG965a5yCuxvW4s+hDY4hqbnhPdm 57uh/tJrE6rzIhCnqtQt5MlDjELg2Er0KAB+c36rGHhnvIlBxy5wlRdo9/RMp+4KSJeQnzjLZDbbV Q2qZSdanMTV++jcoX9ci25dvI4P9RSQicMuBR3qqqoeieO5C2lqtRzSfHmjD3z9N7VzpTsHVdomxs jIcYpOHZM30+yw0mvmclF73nKTxK1EZU/GJ4hGSHd1MtAobM+c//OcUpP2ZeNqHjsrzNDlEvhRmX1 1/N0qugQ==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPi-0001j7-Qo for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:38 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 06/13] xshared: Support for ebtables' --change-counters command Date: Wed, 29 Nov 2023 14:28:20 +0100 Message-ID: <20231129132827.18166-7-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This is tricky because the short-option clashes with the --check command. OTOH, ebtables supports --check as well (though without short-option), so making do_parse() detect ebtables based on struct xtables_args::family is probably still the least messy option. Signed-off-by: Phil Sutter --- iptables/nft-cmd.h | 7 ------ iptables/xshared.c | 57 +++++++++++++++++++++++++++++++++++++++++++++- iptables/xshared.h | 11 ++++++++- 3 files changed, 66 insertions(+), 9 deletions(-) diff --git a/iptables/nft-cmd.h b/iptables/nft-cmd.h index 8163b82c3511f..00ecc80249f0d 100644 --- a/iptables/nft-cmd.h +++ b/iptables/nft-cmd.h @@ -7,13 +7,6 @@ struct nftnl_rule; -enum { - CTR_OP_INC_PKTS = 1 << 0, - CTR_OP_DEC_PKTS = 1 << 1, - CTR_OP_INC_BYTES = 1 << 2, - CTR_OP_DEC_BYTES = 1 << 3, -}; - struct nft_cmd { struct list_head head; int command; diff --git a/iptables/xshared.c b/iptables/xshared.c index 62ae4141325ed..50f23757d4aff 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -937,7 +937,7 @@ static void parse_rule_range(struct xt_cmd_parse *p, const char *argv) /* list the commands an option is allowed with */ #define CMD_IDRAC CMD_INSERT | CMD_DELETE | CMD_REPLACE | \ - CMD_APPEND | CMD_CHECK + CMD_APPEND | CMD_CHECK | CMD_CHANGE_COUNTERS static const unsigned int options_v_commands[NUMBER_OF_OPT] = { /*OPT_NUMERIC*/ CMD_LIST, /*OPT_SOURCE*/ CMD_IDRAC, @@ -1392,10 +1392,58 @@ static void parse_interface(const char *arg, char *iface) strcpy(iface, arg); } +static bool +parse_signed_counter(char *argv, unsigned long long *val, uint8_t *ctr_op, + uint8_t flag_inc, uint8_t flag_dec) +{ + char *endptr, *p = argv; + + switch (*p) { + case '+': + *ctr_op |= flag_inc; + p++; + break; + case '-': + *ctr_op |= flag_dec; + p++; + break; + } + *val = strtoull(p, &endptr, 10); + return *endptr == '\0'; +} + +static void parse_change_counters_rule(int argc, char **argv, + struct xt_cmd_parse *p, + struct xtables_args *args) +{ + if (optind + 1 >= argc || + (argv[optind][0] == '-' && !isdigit(argv[optind][1])) || + (argv[optind + 1][0] == '-' && !isdigit(argv[optind + 1][1]))) + xtables_error(PARAMETER_PROBLEM, + "The command -C needs at least 2 arguments"); + if (optind + 2 < argc && + (argv[optind + 2][0] != '-' || isdigit(argv[optind + 2][1]))) { + if (optind + 3 != argc) + xtables_error(PARAMETER_PROBLEM, + "No extra options allowed with -C start_nr[:end_nr] pcnt bcnt"); + parse_rule_range(p, argv[optind++]); + } + + if (!parse_signed_counter(argv[optind++], &args->pcnt_cnt, + &args->counter_op, + CTR_OP_INC_PKTS, CTR_OP_DEC_PKTS) || + !parse_signed_counter(argv[optind++], &args->bcnt_cnt, + &args->counter_op, + CTR_OP_INC_BYTES, CTR_OP_DEC_BYTES)) + xtables_error(PARAMETER_PROBLEM, + "Packet counter '%s' invalid", argv[optind - 1]); +} + void do_parse(int argc, char *argv[], struct xt_cmd_parse *p, struct iptables_command_state *cs, struct xtables_args *args) { + bool family_is_bridge = args->family == NFPROTO_BRIDGE; struct xtables_match *m; struct xtables_rule_match *matchp; bool wait_interval_set = false; @@ -1435,6 +1483,13 @@ void do_parse(int argc, char *argv[], break; case 'C': + if (family_is_bridge) { + add_command(&p->command, CMD_CHANGE_COUNTERS, + CMD_NONE, invert); + p->chain = optarg; + parse_change_counters_rule(argc, argv, p, args); + break; + } add_command(&p->command, CMD_CHECK, CMD_NONE, invert); p->chain = optarg; break; diff --git a/iptables/xshared.h b/iptables/xshared.h index 2fd15c725faaf..68acfb4b406fb 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -69,8 +69,9 @@ enum { CMD_LIST_RULES = 1 << 12, CMD_ZERO_NUM = 1 << 13, CMD_CHECK = 1 << 14, + CMD_CHANGE_COUNTERS = 1 << 15, /* ebtables only */ }; -#define NUMBER_OF_CMD 16 +#define NUMBER_OF_CMD 17 struct xtables_globals; struct xtables_rule_match; @@ -247,6 +248,13 @@ struct addr_mask { } mask; }; +enum { + CTR_OP_INC_PKTS = 1 << 0, + CTR_OP_DEC_PKTS = 1 << 1, + CTR_OP_INC_BYTES = 1 << 2, + CTR_OP_DEC_BYTES = 1 << 3, +}; + struct xtables_args { int family; uint8_t flags; @@ -261,6 +269,7 @@ struct xtables_args { const char *arp_hlen, *arp_opcode; const char *arp_htype, *arp_ptype; unsigned long long pcnt_cnt, bcnt_cnt; + uint8_t counter_op; int wait; }; From patchwork Wed Nov 29 13:28:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869669 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=ne/8LBXt; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-105-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZY1ttXz1yST for ; Thu, 30 Nov 2023 00:15:49 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id DD2462825F7 for ; Wed, 29 Nov 2023 13:15:47 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A08481F959; Wed, 29 Nov 2023 13:15:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="ne/8LBXt" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D23E99A for ; Wed, 29 Nov 2023 05:15:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fR/OTWwDhGlM9aVNvymAnk4o3HL4xGQN18TWCg4+F9M=; b=ne/8LBXtkvQk7HMEJj9XLgKOwf u5Sfzo0jIeAj5eHpybFdG66Jg9c8q+rqlotZp0rfM8mLF1PpV89juHkEtfZe8GD6aEIU0zMnL6qnq Ha7zdenE5ZbE1NXep+h5In5mhwahJPuIBFjLIx2mW2d0Q9YjpUoU40wZqjvGqicxrJE0/nRthVgMz GXtBiHnes+xh9caGHr04JXhHjIaZyzJ9/p8NhAyzfojfgSd1f0+zEUtBKLEhlAtq6d6M7MsntRzNS PjRuwqWiTl/d/73RGBlIS8L8HuuNpg9pGD1tQMqrxnWcdOuHMVPv0Bd/9DKILBfKABEfTTeAtUb8W QKxZbPWg==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPg-0001id-Au for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:36 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 07/13] ebtables{,-translate}: Convert if-clause to switch() Date: Wed, 29 Nov 2023 14:28:21 +0100 Message-ID: <20231129132827.18166-8-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Parser merge prep work, align final do_commandeb*() parts with do_commandx(). Signed-off-by: Phil Sutter --- iptables/xtables-eb-translate.c | 24 +++++++++-------- iptables/xtables-eb.c | 46 ++++++++++++++++++++------------- 2 files changed, 41 insertions(+), 29 deletions(-) diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c index da7e5e3dda1f3..d0fec9c6d5ae3 100644 --- a/iptables/xtables-eb-translate.c +++ b/iptables/xtables-eb-translate.c @@ -497,23 +497,25 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char cs.eb.ethproto = htons(cs.eb.ethproto); - if (command == 'P') { - return 0; - } else if (command == 'F') { - if (p.chain) { - printf("flush chain bridge %s %s\n", p.table, p.chain); - } else { - printf("flush table bridge %s\n", p.table); - } - ret = 1; - } else if (command == 'A') { + switch (command) { + case 'F': + if (p.chain) { + printf("flush chain bridge %s %s\n", p.table, p.chain); + } else { + printf("flush table bridge %s\n", p.table); + } + ret = 1; + break; + case 'A': ret = nft_rule_eb_xlate_add(h, &p, &cs, true); if (!ret) print_ebt_cmd(argc, argv); - } else if (command == 'I') { + break; + case 'I': ret = nft_rule_eb_xlate_add(h, &p, &cs, false); if (!ret) print_ebt_cmd(argc, argv); + break; } ebt_cs_clean(&cs); diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index ddbe1b5a3adc0..db75e65caa02a 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -1168,47 +1168,57 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, * The kernel does not have to do this of course */ cs.eb.ethproto = htons(cs.eb.ethproto); - if (command == 'P') { + switch (command) { + case 'P': if (selected_chain >= NF_BR_NUMHOOKS) { ret = ebt_cmd_user_chain_policy(h, *table, chain, policy); - } else { - if (strcmp(policy, "RETURN") == 0) { - xtables_error(PARAMETER_PROBLEM, - "Policy RETURN only allowed for user defined chains"); - } - ret = nft_cmd_chain_set(h, *table, chain, policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy"); + break; } - } else if (command == 'L') { + if (strcmp(policy, "RETURN") == 0) { + xtables_error(PARAMETER_PROBLEM, + "Policy RETURN only allowed for user defined chains"); + } + ret = nft_cmd_chain_set(h, *table, chain, policy, NULL); + if (ret < 0) + xtables_error(PARAMETER_PROBLEM, "Wrong policy"); + break; + case 'L': ret = list_rules(h, chain, *table, rule_nr, flags & OPT_VERBOSE, 0, /*flags&OPT_EXPANDED*/0, flags&LIST_N, flags&LIST_C); - } - if (flags & OPT_ZERO) { + if (!(flags & OPT_ZERO)) + break; + case 'Z': ret = nft_cmd_chain_zero_counters(h, chain, *table, flags & OPT_VERBOSE); - } else if (command == 'F') { + break; + case 'F': ret = nft_cmd_rule_flush(h, chain, *table, flags & OPT_VERBOSE); - } else if (command == 'A') { + break; + case 'A': ret = nft_cmd_rule_append(h, chain, *table, &cs, flags & OPT_VERBOSE); - } else if (command == 'I') { + break; + case 'I': ret = nft_cmd_rule_insert(h, chain, *table, &cs, rule_nr - 1, flags & OPT_VERBOSE); - } else if (command == 'D') { + break; + case 'D': ret = delete_entry(h, chain, *table, &cs, rule_nr - 1, rule_nr_end, flags & OPT_VERBOSE); - } else if (command == 14) { + break; + case 14: ret = nft_cmd_rule_check(h, chain, *table, &cs, flags & OPT_VERBOSE); - } else if (command == 'C') { + break; + case 'C': ret = change_entry_counters(h, chain, *table, &cs, rule_nr - 1, rule_nr_end, chcounter, flags & OPT_VERBOSE); + break; } ebt_cs_clean(&cs); From patchwork Wed Nov 29 13:28:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869680 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=TezizLDa; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45e3:2400::1; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-116-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [IPv6:2604:1380:45e3:2400::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZw6jc7z23mS for ; Thu, 30 Nov 2023 00:16:08 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id A13B42825CE for ; Wed, 29 Nov 2023 13:16:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 60248208AD; Wed, 29 Nov 2023 13:15:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="TezizLDa" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6434010D4 for ; Wed, 29 Nov 2023 05:15:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=KxUdjGCe4vJwoieDwFtcWCGbhastKXhd3wwPrafRJps=; b=TezizLDaDGp/j+zJXRMZoX+vEZ tjWQK7IHl7DrBh3tT+LNBnHTpqltiSyyYc4vTelE9jLRMUAzCj0ddYfdSbVdvIMD21ad7ZkDgJ5nS lf8YdDgGarw2C/4T4BDVSgdmKvQxPY2C/FX9k2FFhddGt37gjx7+evgRxFAAdy+OunMC6FPXQ1XTz ZlbOQJ8Is2VBinP6hlEsMqyrs14Ddk3W+5E7lqaX72JNbRbZSRWy2MHjJ47B/cJ2l5asmjw85iyFw mfsBXNXhoCMWbqQQ+dRQD4U+Luu4WVigdncJx4dlyucgNFCg1EaLAYs3El54FQi07JRTNsfbgRAqI VNsStxaA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPl-0001jb-PI for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:41 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 08/13] ebtables: Change option values to avoid clashes Date: Wed, 29 Nov 2023 14:28:22 +0100 Message-ID: <20231129132827.18166-9-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In order to parse input using do_parse(), distinct ebtables option's values have to be distinct from others. Since arptables uses values 2-8 already, resort to values >10. Signed-off-by: Phil Sutter --- iptables/xtables-eb-translate.c | 14 +++++++------- iptables/xtables-eb.c | 24 ++++++++++++------------ 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c index d0fec9c6d5ae3..a2ab318cff251 100644 --- a/iptables/xtables-eb-translate.c +++ b/iptables/xtables-eb-translate.c @@ -292,9 +292,9 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char table_set = true; break; case 'i': /* Input interface */ - case 2 : /* Logical input interface */ + case 15 : /* Logical input interface */ case 'o': /* Output interface */ - case 3 : /* Logical output interface */ + case 16 : /* Logical output interface */ case 'j': /* Target */ case 'p': /* Net family protocol */ case 's': /* Source mac */ @@ -316,7 +316,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char ebtables_parse_interface(optarg, cs.eb.in); break; - } else if (c == 2) { + } else if (c == 15) { ebt_check_option2(&flags, OPT_LOGICALIN); if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) xtables_error(PARAMETER_PROBLEM, @@ -336,7 +336,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char ebtables_parse_interface(optarg, cs.eb.out); break; - } else if (c == 3) { + } else if (c == 16) { ebt_check_option2(&flags, OPT_LOGICALOUT); if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) xtables_error(PARAMETER_PROBLEM, @@ -424,14 +424,14 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char xtables_error(PARAMETER_PROBLEM, "Sorry, protocols have values above or equal to 0x0600"); break; - case 4 : /* Lc */ + case 17 : /* Lc */ ebt_check_option2(&flags, LIST_C); if (command != 'L') xtables_error(PARAMETER_PROBLEM, "Use --Lc with -L"); flags |= LIST_C; break; - case 5 : /* Ln */ + case 18 : /* Ln */ ebt_check_option2(&flags, LIST_N); if (command != 'L') xtables_error(PARAMETER_PROBLEM, @@ -441,7 +441,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char "--Lx is not compatible with --Ln"); flags |= LIST_N; break; - case 6 : /* Lx */ + case 19 : /* Lx */ ebt_check_option2(&flags, LIST_X); if (command != 'L') xtables_error(PARAMETER_PROBLEM, diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index db75e65caa02a..9afaa614bac5b 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -196,17 +196,17 @@ struct option ebt_original_options[] = { "insert" , required_argument, 0, 'I' }, { "delete" , required_argument, 0, 'D' }, { "list" , optional_argument, 0, 'L' }, - { "Lc" , no_argument , 0, 4 }, - { "Ln" , no_argument , 0, 5 }, - { "Lx" , no_argument , 0, 6 }, + { "Lc" , no_argument , 0, 17 }, + { "Ln" , no_argument , 0, 18 }, + { "Lx" , no_argument , 0, 19 }, { "Lmac2" , no_argument , 0, 12 }, { "zero" , optional_argument, 0, 'Z' }, { "flush" , optional_argument, 0, 'F' }, { "policy" , required_argument, 0, 'P' }, { "in-interface" , required_argument, 0, 'i' }, { "in-if" , required_argument, 0, 'i' }, - { "logical-in" , required_argument, 0, 2 }, - { "logical-out" , required_argument, 0, 3 }, + { "logical-in" , required_argument, 0, 15 }, + { "logical-out" , required_argument, 0, 16 }, { "out-interface" , required_argument, 0, 'o' }, { "out-if" , required_argument, 0, 'o' }, { "version" , no_argument , 0, 'V' }, @@ -940,9 +940,9 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, table_set = true; break; case 'i': /* Input interface */ - case 2 : /* Logical input interface */ + case 15 : /* Logical input interface */ case 'o': /* Output interface */ - case 3 : /* Logical output interface */ + case 16 : /* Logical output interface */ case 'j': /* Target */ case 'p': /* Net family protocol */ case 's': /* Source mac */ @@ -965,7 +965,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, ebtables_parse_interface(optarg, cs.eb.in); break; - } else if (c == 2) { + } else if (c == 15) { ebt_check_option2(&flags, OPT_LOGICALIN); if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) xtables_error(PARAMETER_PROBLEM, @@ -985,7 +985,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, ebtables_parse_interface(optarg, cs.eb.out); break; - } else if (c == 3) { + } else if (c == 16) { ebt_check_option2(&flags, OPT_LOGICALOUT); if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) xtables_error(PARAMETER_PROBLEM, @@ -1073,14 +1073,14 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, xtables_error(PARAMETER_PROBLEM, "Sorry, protocols have values above or equal to 0x0600"); break; - case 4 : /* Lc */ + case 17 : /* Lc */ ebt_check_option2(&flags, LIST_C); if (command != 'L') xtables_error(PARAMETER_PROBLEM, "Use --Lc with -L"); flags |= LIST_C; break; - case 5 : /* Ln */ + case 18 : /* Ln */ ebt_check_option2(&flags, LIST_N); if (command != 'L') xtables_error(PARAMETER_PROBLEM, @@ -1090,7 +1090,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, "--Lx is not compatible with --Ln"); flags |= LIST_N; break; - case 6 : /* Lx */ + case 19 : /* Lx */ ebt_check_option2(&flags, LIST_X); if (command != 'L') xtables_error(PARAMETER_PROBLEM, From patchwork Wed Nov 29 13:28:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869675 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=iDz7kGdS; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.48.161; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-111-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [147.75.48.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZl1cWqz24DJ for ; Thu, 30 Nov 2023 00:15:59 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 01553B21693 for ; Wed, 29 Nov 2023 13:15:59 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 898BB1F953; Wed, 29 Nov 2023 13:15:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="iDz7kGdS" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EEB2BD68 for ; Wed, 29 Nov 2023 05:15:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Z7Xe+vB7HcXssf9unKSAeNbJnWNwd0tPHNJqRh2JpVc=; b=iDz7kGdSmgBsrjd4HOOPs2OJ1i c6ZVWeRnfZiThLeYK476daWt5mbxDGclQe/OgSN/2mfkT+r5xKu0ESVGNVC2utQY9E7cCZI3hS6XU 7FaE1S78lQShwsjb8fDoclIU7lTzCRYJCpxCr3v4wf8RboECbqbK+og/mv73dynyvyPcL/KoFuSbF ee88b0ttfdIU7BsbgZ7t+He/MlEw7+Qz7RKC0MpAQpj+O2iqoCK3yWMiO0TarbqqvTxvJ07KiVm+P J/3aK+YpC0kcWL7miP+w0gRHNRQHA0jrKK/TC1wzdEXPmU3B6+KL/udgT0u4yvTESTE53FXoDUcrL wGk006Qw==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPk-0001jK-BA for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:40 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 09/13] ebtables: Pass struct iptables_command_state to print_help() Date: Wed, 29 Nov 2023 14:28:23 +0100 Message-ID: <20231129132827.18166-10-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Parameters passed by the sole caller came from there already, apart from 'table' which is not used (ebtables-nft does not have per-table help texts). Signed-off-by: Phil Sutter --- iptables/xtables-eb.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 9afaa614bac5b..017e1ad364840 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -303,9 +303,11 @@ static struct option *merge_options(struct option *oldopts, return merge; } -static void print_help(const struct xtables_target *t, - const struct xtables_rule_match *m, const char *table) +static void print_help(struct iptables_command_state *cs) { + const struct xtables_rule_match *m = cs->matches; + struct xtables_target *t = cs->target; + printf("%s %s\n", prog_name, prog_vers); printf( "Usage:\n" @@ -354,9 +356,6 @@ static void print_help(const struct xtables_target *t, printf("\n"); t->help(); } - -// if (table->help) -// table->help(ebt_hooknames); } /* Execute command L */ @@ -1144,7 +1143,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, ebt_print_error2("Bad table name");*/ if (command == 'h' && !(flags & OPT_ZERO)) { - print_help(cs.target, cs.matches, *table); + print_help(&cs); ret = 1; } From patchwork Wed Nov 29 13:28:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869672 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=Ubf1S4T+; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-108-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org [IPv6:2604:1380:40f1:3f00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZg5S0Wz1yST for ; Thu, 30 Nov 2023 00:15:55 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 07EAFB218BD for ; Wed, 29 Nov 2023 13:15:54 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9260F20310; Wed, 29 Nov 2023 13:15:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="Ubf1S4T+" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA59BC4 for ; Wed, 29 Nov 2023 05:15:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=4TkhuKzb/wjlUvntsy6XWtLJ7Js6pu8c3kPwgNifcUM=; b=Ubf1S4T+HpU1zScNta80nKEpOL 1hQJQMB8iYb7g7oomQvSjMGm2dmDI4d4mvhOSgAqjnhG/0wvVxPLpPSdjtYeuqR2XXdRqSFypiNLU py6XY+Ja9yzKsZJvirRyqYa8A0UFSzfBYQ5ijo5nIThZPK1A79OcaHTlP8uTftxP/nsh3Be8Os7/b 5F5JSkOYbpIZQm5euJH5ofjvVg2sYteVha5QZifxnic+Q1L/mTct1SsAbl+yh0ywdTU3Rv+uGoMz+ 65D+299LpF3vbA3LehhroLewuvxAb1lOq3T7ino4bz7pQ5+9osgZnwEs155cK1KFrskQQIT8kodbM qdfNDcSQ==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPi-0001iy-5J for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:38 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 10/13] ebtables: Make 'h' case just a call to print_help() Date: Wed, 29 Nov 2023 14:28:24 +0100 Message-ID: <20231129132827.18166-11-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move the special ebtables help parameter handling into its print_help() function to prepare for it turning into a callback. Add new field 'argc' to struct iptables_command_state to make this possible. It is actually kind of consistent as it holds 'argv' already. Signed-off-by: Phil Sutter --- iptables/xshared.h | 1 + iptables/xtables-eb.c | 61 +++++++++++++++++++++---------------------- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/iptables/xshared.h b/iptables/xshared.h index 68acfb4b406fb..de32198fa0b67 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -137,6 +137,7 @@ struct iptables_command_state { char *protocol; int proto_used; const char *jumpto; + int argc; char **argv; bool restore; }; diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 017e1ad364840..8ab479237faa8 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -308,6 +308,33 @@ static void print_help(struct iptables_command_state *cs) const struct xtables_rule_match *m = cs->matches; struct xtables_target *t = cs->target; + while (optind < cs->argc) { + /*struct ebt_u_match *m; + struct ebt_u_watcher *w;*/ + + if (!strcasecmp("list_extensions", cs->argv[optind])) { + ebt_list_extensions(xtables_targets, cs->matches); + exit(0); + } + /*if ((m = ebt_find_match(cs->argv[optind]))) + ebt_add_match(new_entry, m); + else if ((w = ebt_find_watcher(cs->argv[optind]))) + ebt_add_watcher(new_entry, w); + else {*/ + if (!(t = xtables_find_target(cs->argv[optind], + XTF_TRY_LOAD))) + xtables_error(PARAMETER_PROBLEM, + "Extension '%s' not found", + cs->argv[optind]); + if (cs->options & OPT_JUMP) + xtables_error(PARAMETER_PROBLEM, + "Sorry, you can only see help for one target extension at a time"); + cs->options |= OPT_JUMP; + cs->target = t; + //} + optind++; + } + printf("%s %s\n", prog_name, prog_vers); printf( "Usage:\n" @@ -735,6 +762,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, unsigned int flags = 0; struct xtables_target *t; struct iptables_command_state cs = { + .argc = argc, .argv = argv, .jumpto = "", .eb.bitmask = EBT_NOPROTO, @@ -897,32 +925,8 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, if (OPT_COMMANDS) xtables_error(PARAMETER_PROBLEM, "Multiple commands are not allowed"); - command = 'h'; - - /* All other arguments should be extension names */ - while (optind < argc) { - /*struct ebt_u_match *m; - struct ebt_u_watcher *w;*/ - - if (!strcasecmp("list_extensions", argv[optind])) { - ebt_list_extensions(xtables_targets, cs.matches); - exit(0); - } - /*if ((m = ebt_find_match(argv[optind]))) - ebt_add_match(new_entry, m); - else if ((w = ebt_find_watcher(argv[optind]))) - ebt_add_watcher(new_entry, w); - else {*/ - if (!(t = xtables_find_target(argv[optind], XTF_TRY_LOAD))) - xtables_error(PARAMETER_PROBLEM,"Extension '%s' not found", argv[optind]); - if (flags & OPT_JUMP) - xtables_error(PARAMETER_PROBLEM,"Sorry, you can only see help for one target extension at a time"); - flags |= OPT_JUMP; - cs.target = t; - //} - optind++; - } - break; + print_help(&cs); + exit(0); case 't': /* Table */ if (restore && table_set) xtables_error(PARAMETER_PROBLEM, @@ -1142,11 +1146,6 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, if (!(table = ebt_find_table(replace->name))) ebt_print_error2("Bad table name");*/ - if (command == 'h' && !(flags & OPT_ZERO)) { - print_help(&cs); - ret = 1; - } - /* Do the final checks */ if (command == 'A' || command == 'I' || command == 'D' || command == 'C' || command == 14) { From patchwork Wed Nov 29 13:28:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869678 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=er8rZnLy; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=147.75.199.223; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-114-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [147.75.199.223]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZs3Jngz24DJ for ; Thu, 30 Nov 2023 00:16:05 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id AA71E1C20FB0 for ; Wed, 29 Nov 2023 13:16:03 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AA7AF20339; Wed, 29 Nov 2023 13:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="er8rZnLy" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 07DCE10D3 for ; Wed, 29 Nov 2023 05:15:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+YZBIQcCVHBaWqpMveCoQ9XFOSrBaB/NxHGOEC5649U=; b=er8rZnLy+Z0P73lQYU/qNqHfNF 6zt/OqhVkBCJFujD0qVg+H1HTVPmP/8UIWrYkX75X+hEPgNWQM1TRVULJof/4DX9JmbL86z2uCWqi Lt6qRjm4V4vdq99n5lGoSS0jCUFYyTNiVwrDb0EHlkVmaqUYx9lv1fkxnJ/2WNKC82LCPd7TbQ3Pt I73geqBeD2F6riBFJXtTGu6QVvv9X9R00ESl6hbmXK4wvlqQ3QQt4sEbzFUEgjrWXkrmjaCGDmZFF ipvjITZwz21Jq6/zbxH8YxXd73wLxK7o25MnlrLi5gaYnoxJEYF+XMkUljLDuKPqFW81FDtvE/6ST +NmFl3AA==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPl-0001jX-ER for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:41 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 11/13] ebtables: Use struct xt_cmd_parse Date: Wed, 29 Nov 2023 14:28:25 +0100 Message-ID: <20231129132827.18166-12-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This is merely to reduce size of the parser merge patch, no functional change intended. Signed-off-by: Phil Sutter --- iptables/xtables-eb.c | 59 ++++++++++++++++++++++++++----------------- 1 file changed, 36 insertions(+), 23 deletions(-) diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 8ab479237faa8..e03b2b2510eda 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -767,6 +767,8 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, .jumpto = "", .eb.bitmask = EBT_NOPROTO, }; + struct xt_cmd_parse p = { + }; char command = 'h'; const char *chain = NULL; const char *policy = NULL; @@ -1166,56 +1168,67 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, * The kernel does not have to do this of course */ cs.eb.ethproto = htons(cs.eb.ethproto); + p.table = *table; + p.chain = chain; + p.policy = policy; + p.rulenum = rule_nr; + p.rulenum_end = rule_nr_end; + cs.options = flags; + switch (command) { case 'P': if (selected_chain >= NF_BR_NUMHOOKS) { - ret = ebt_cmd_user_chain_policy(h, *table, chain, policy); + ret = ebt_cmd_user_chain_policy(h, p.table, p.chain, + p.policy); break; } - if (strcmp(policy, "RETURN") == 0) { + if (strcmp(p.policy, "RETURN") == 0) { xtables_error(PARAMETER_PROBLEM, "Policy RETURN only allowed for user defined chains"); } - ret = nft_cmd_chain_set(h, *table, chain, policy, NULL); + ret = nft_cmd_chain_set(h, p.table, p.chain, p.policy, NULL); if (ret < 0) xtables_error(PARAMETER_PROBLEM, "Wrong policy"); break; case 'L': - ret = list_rules(h, chain, *table, rule_nr, - flags & OPT_VERBOSE, + ret = list_rules(h, p.chain, p.table, p.rulenum, + cs.options & OPT_VERBOSE, 0, - /*flags&OPT_EXPANDED*/0, - flags&LIST_N, - flags&LIST_C); - if (!(flags & OPT_ZERO)) + /*cs.options&OPT_EXPANDED*/0, + cs.options&LIST_N, + cs.options&LIST_C); + if (!(cs.options & OPT_ZERO)) break; case 'Z': - ret = nft_cmd_chain_zero_counters(h, chain, *table, - flags & OPT_VERBOSE); + ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, + cs.options & OPT_VERBOSE); break; case 'F': - ret = nft_cmd_rule_flush(h, chain, *table, flags & OPT_VERBOSE); + ret = nft_cmd_rule_flush(h, p.chain, p.table, + cs.options & OPT_VERBOSE); break; case 'A': - ret = nft_cmd_rule_append(h, chain, *table, &cs, - flags & OPT_VERBOSE); + ret = nft_cmd_rule_append(h, p.chain, p.table, &cs, + cs.options & OPT_VERBOSE); break; case 'I': - ret = nft_cmd_rule_insert(h, chain, *table, &cs, - rule_nr - 1, flags & OPT_VERBOSE); + ret = nft_cmd_rule_insert(h, p.chain, p.table, &cs, + p.rulenum - 1, + cs.options & OPT_VERBOSE); break; case 'D': - ret = delete_entry(h, chain, *table, &cs, rule_nr - 1, - rule_nr_end, flags & OPT_VERBOSE); + ret = delete_entry(h, p.chain, p.table, &cs, p.rulenum - 1, + p.rulenum_end, cs.options & OPT_VERBOSE); break; case 14: - ret = nft_cmd_rule_check(h, chain, *table, - &cs, flags & OPT_VERBOSE); + ret = nft_cmd_rule_check(h, p.chain, p.table, + &cs, cs.options & OPT_VERBOSE); break; case 'C': - ret = change_entry_counters(h, chain, *table, &cs, - rule_nr - 1, rule_nr_end, chcounter, - flags & OPT_VERBOSE); + ret = change_entry_counters(h, p.chain, p.table, &cs, + p.rulenum - 1, p.rulenum_end, + chcounter, + cs.options & OPT_VERBOSE); break; } From patchwork Wed Nov 29 13:28:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869676 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=pXEg4erX; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2604:1380:45d1:ec00::1; helo=ny.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-112-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org [IPv6:2604:1380:45d1:ec00::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZp3khXz1yST for ; Thu, 30 Nov 2023 00:16:02 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id B12671C20F95 for ; Wed, 29 Nov 2023 13:16:00 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 15D8B20332; Wed, 29 Nov 2023 13:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="pXEg4erX" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC798D7F for ; Wed, 29 Nov 2023 05:15:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=93FZ81YMjx38BgShSrEX+i3cU71Z+4T6pfE8YPZcuN8=; b=pXEg4erXS92dPXZ9YD006JhaEF D3Eu3xkn3L7BcTix27IPA/TA/fRc6csa3JuqXpvnX7DP30m3a65Yhkz5IQkaLcx4Ii5XEYT2+Iab3 dzmsDqKzi8AbBZqRn5UZjpPyACwcQdhAT0sxyTmA78wi+eYdggmzmU6rndiM6ZxsSQ49UYX3ig0zl U3ofs0ONtb++C56QKVsjCpb16xlqFcSb3YgVhxeybS9dblO8RK9plJ+/sjhfLmdpNoggwH7P+4CeY tnJIXo7ZzwmogTJkPpjUuZTEN47PcYNxA/EU4fIlssP4ybChNoJZyjNA8LL2LCgR3Zfqb16lkguNx g44hSGkw==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPl-0001jS-3r for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:41 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 12/13] xshared: Introduce option_test_and_reject() Date: Wed, 29 Nov 2023 14:28:26 +0100 Message-ID: <20231129132827.18166-13-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Just a small helper eliminating the repetitive code there. Signed-off-by: Phil Sutter --- iptables/xshared.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/iptables/xshared.c b/iptables/xshared.c index 50f23757d4aff..ebe172223486e 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1439,6 +1439,15 @@ static void parse_change_counters_rule(int argc, char **argv, "Packet counter '%s' invalid", argv[optind - 1]); } +static void option_test_and_reject(struct xt_cmd_parse *p, + struct iptables_command_state *cs, + unsigned int option) +{ + if (cs->options & option) + xtables_error(PARAMETER_PROBLEM, "Can't use %s with %s", + p->ops->option_name(option), p->chain); +} + void do_parse(int argc, char *argv[], struct xt_cmd_parse *p, struct iptables_command_state *cs, struct xtables_args *args) @@ -1924,21 +1933,13 @@ void do_parse(int argc, char *argv[], if (strcmp(p->chain, "PREROUTING") == 0 || strcmp(p->chain, "INPUT") == 0) { /* -o not valid with incoming packets. */ - if (cs->options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use %s with %s\n", - p->ops->option_name(OPT_VIANAMEOUT), - p->chain); + option_test_and_reject(p, cs, OPT_VIANAMEOUT); } if (strcmp(p->chain, "POSTROUTING") == 0 || strcmp(p->chain, "OUTPUT") == 0) { /* -i not valid with outgoing packets */ - if (cs->options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use %s with %s\n", - p->ops->option_name(OPT_VIANAMEIN), - p->chain); + option_test_and_reject(p, cs, OPT_VIANAMEIN); } } } From patchwork Wed Nov 29 13:28:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1869682 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=nwl.cc header.i=@nwl.cc header.a=rsa-sha256 header.s=mail2022 header.b=TZNufhOU; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=139.178.88.99; helo=sv.mirrors.kernel.org; envelope-from=netfilter-devel+bounces-118-incoming=patchwork.ozlabs.org@vger.kernel.org; receiver=patchwork.ozlabs.org) Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org [139.178.88.99]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SgKZz1DN0z1yST for ; Thu, 30 Nov 2023 00:16:11 +1100 (AEDT) Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id E049A28254B for ; Wed, 29 Nov 2023 13:16:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 51F4D1F959; Wed, 29 Nov 2023 13:15:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=nwl.cc header.i=@nwl.cc header.b="TZNufhOU" X-Original-To: netfilter-devel@vger.kernel.org Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D144183 for ; Wed, 29 Nov 2023 05:15:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nwl.cc; s=mail2022; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=MXhZiKWs9aEGuU+Hm2AHA6xKwhX6CWZQjFa2POpo/KE=; b=TZNufhOUNkCZCl08LhPfeq1mZ6 Ov9pbYGInfaUPM547qMB0G/gFWUEJx9kHt8ebM7SUjs2cZRHBeyYkFAmlsGt/EN9QnE6qDxHHYRrQ X2RIxvnu11OoVC9w8oOUS3MKE0/94AKrZ7wvachN8ortENA7lVzRl+FAzdvzzY9bLexmH/65nPEro kNwhMipUocQdLc9Z9zNsccYjpnfYkhuIdt/6SU6caYKhnOZe/utsQoeWEIArECfdGVfWabPGBn6AH wQDWAJIvMvxzOlPZJwyZ1h9VUI0qsPUZKV5jzQC+Vj2hYOut2bTvLSH5qQJUWy2q5bsqbrsYqALLT /lWSUtWQ==; Received: from localhost ([::1] helo=xic) by orbyte.nwl.cc with esmtp (Exim 4.94.2) (envelope-from ) id 1r8KPg-0001ih-M0 for netfilter-devel@vger.kernel.org; Wed, 29 Nov 2023 14:15:36 +0100 From: Phil Sutter To: netfilter-devel@vger.kernel.org Subject: [iptables PATCH 13/13] ebtables: Use do_parse() from xshared Date: Wed, 29 Nov 2023 14:28:27 +0100 Message-ID: <20231129132827.18166-14-phil@nwl.cc> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231129132827.18166-1-phil@nwl.cc> References: <20231129132827.18166-1-phil@nwl.cc> Precedence: bulk X-Mailing-List: netfilter-devel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Drop the custom commandline parsers from ebtables and ebtables-translate, extend and use the shared one instead. ebtables gains a few new features from doing this: - Rule counters may be specified in the '-c N,M' syntax - Support for --replace command - Support for --list-rules command - Zero individual rules There is one known regression in this patch, namely maximum chain name length shrinks to 28 characters (from 32). Since this limit changed for iptables in the past as well (e.g. with commit 5429b41c2bb4a), assume nobody really relies upon it anyway. Signed-off-by: Phil Sutter --- iptables/nft-bridge.c | 121 ++++++ iptables/nft-bridge.h | 13 +- iptables/nft.h | 1 - iptables/xshared.c | 71 +++- iptables/xshared.h | 17 +- iptables/xtables-eb-translate.c | 477 +++------------------ iptables/xtables-eb.c | 720 ++++---------------------------- 7 files changed, 341 insertions(+), 1079 deletions(-) diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 1fcdeaf2cad68..60d5f4d0ba1b1 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -571,11 +571,132 @@ static int nft_bridge_xlate(const struct iptables_command_state *cs, return ret; } +static const char *nft_bridge_option_name(int option) +{ + switch (option) { + /* ebtables specific ones */ + case OPT_LOGICALIN: return "--logical-in"; + case OPT_LOGICALOUT: return "--logical-out"; + case OPT_LINENUMBERS: return "--Ln"; + case OPT_LIST_C: return "--Lc"; + case OPT_LIST_X: return "--Lx"; + case OPT_LIST_MAC2: return "--Lmac2"; + default: return ip46t_option_name(option); + } +} + +static int nft_bridge_option_invert(int option) +{ + switch (option) { + case OPT_SOURCE: return EBT_ISOURCE; + case OPT_DESTINATION: return EBT_IDEST; + case OPT_PROTOCOL: return EBT_IPROTO; + case OPT_VIANAMEIN: return EBT_IIN; + case OPT_VIANAMEOUT: return EBT_IOUT; + case OPT_LOGICALIN: return EBT_ILOGICALIN; + case OPT_LOGICALOUT: return EBT_ILOGICALOUT; + default: return -1; + } +} + +static void nft_bridge_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args) +{ + char *buffer; + int i; + + cs->eb.bitmask &= ~((unsigned int)EBT_NOPROTO); + + i = strtol(cs->protocol, &buffer, 16); + if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) + xtables_error(PARAMETER_PROBLEM, + "Problem with the specified protocol"); + if (*buffer != '\0') { + struct xt_ethertypeent *ent; + + if (!strcmp(cs->protocol, "length")) { + cs->eb.bitmask |= EBT_802_3; + return; + } + ent = xtables_getethertypebyname(cs->protocol); + if (!ent) + xtables_error(PARAMETER_PROBLEM, + "Problem with the specified Ethernet protocol '%s', perhaps "XT_PATH_ETHERTYPES " is missing", + cs->protocol); + cs->eb.ethproto = ent->e_ethertype; + } else + cs->eb.ethproto = i; + + if (cs->eb.ethproto < 0x0600) + xtables_error(PARAMETER_PROBLEM, + "Sorry, protocols have values above or equal to 0x0600"); +} + +static void nft_bridge_post_parse(int command, + struct iptables_command_state *cs, + struct xtables_args *args) +{ + struct ebt_match *match; + + cs->eb.invflags = args->invflags; + + memcpy(cs->eb.in, args->iniface, IFNAMSIZ); + memcpy(cs->eb.out, args->outiface, IFNAMSIZ); + memcpy(cs->eb.logical_in, args->bri_iniface, IFNAMSIZ); + memcpy(cs->eb.logical_out, args->bri_outiface, IFNAMSIZ); + + cs->counters.pcnt = args->pcnt_cnt; + cs->counters.bcnt = args->bcnt_cnt; + + if (args->shostnetworkmask) { + if (xtables_parse_mac_and_mask(args->shostnetworkmask, + cs->eb.sourcemac, + cs->eb.sourcemsk)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified source mac '%s'", + args->shostnetworkmask); + cs->eb.bitmask |= EBT_SOURCEMAC; + } + if (args->dhostnetworkmask) { + if (xtables_parse_mac_and_mask(args->dhostnetworkmask, + cs->eb.destmac, + cs->eb.destmsk)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified destination mac '%s'", + args->dhostnetworkmask); + cs->eb.bitmask |= EBT_DESTMAC; + } + + if ((cs->options & (OPT_LIST_X | OPT_LINENUMBERS)) == + (OPT_LIST_X | OPT_LINENUMBERS)) + xtables_error(PARAMETER_PROBLEM, + "--Lx is not compatible with --Ln"); + + /* So, the extensions can work with the host endian. + * The kernel does not have to do this of course */ + cs->eb.ethproto = htons(cs->eb.ethproto); + + for (match = cs->match_list; match; match = match->next) { + if (match->ismatch) + continue; + + xtables_option_tfcall(match->u.watcher); + } +} + struct nft_family_ops nft_family_ops_bridge = { .add = nft_bridge_add, .is_same = nft_bridge_is_same, .print_payload = NULL, .rule_parse = &nft_ruleparse_ops_bridge, + .cmd_parse = { + .proto_parse = nft_bridge_proto_parse, + .post_parse = nft_bridge_post_parse, + .option_name = nft_bridge_option_name, + .option_invert = nft_bridge_option_invert, + .command_default = ebt_command_default, + .print_help = nft_bridge_print_help, + }, .print_table_header = nft_bridge_print_table_header, .print_header = nft_bridge_print_header, .print_rule = nft_bridge_print_rule, diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index 0e6a29650acca..13b077fc4fbf3 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -8,13 +8,6 @@ #include #include -/* We use replace->flags, so we can't use the following values: - * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */ -#define LIST_N 0x04 -#define LIST_C 0x08 -#define LIST_X 0x10 -#define LIST_MAC2 0x20 - extern unsigned char eb_mac_type_unicast[ETH_ALEN]; extern unsigned char eb_msk_type_unicast[ETH_ALEN]; extern unsigned char eb_mac_type_multicast[ETH_ALEN]; @@ -119,7 +112,8 @@ void ebt_add_match(struct xtables_match *m, struct iptables_command_state *cs); void ebt_add_watcher(struct xtables_target *watcher, struct iptables_command_state *cs); -int ebt_command_default(struct iptables_command_state *cs); +int ebt_command_default(struct iptables_command_state *cs, + struct xtables_globals *unused, bool ebt_invert); struct nft_among_pair { struct ether_addr ether; @@ -177,4 +171,7 @@ nft_among_insert_pair(struct nft_among_pair *pairs, (*pcount)++; } +/* from xtables-eb.c */ +void nft_bridge_print_help(struct iptables_command_state *cs); + #endif diff --git a/iptables/nft.h b/iptables/nft.h index 79f1e037cd6d3..57533b6529f5b 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -234,7 +234,6 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, bo /* For xtables-eb.c */ int nft_init_eb(struct nft_handle *h, const char *pname); void nft_fini_eb(struct nft_handle *h); -int ebt_get_current_chain(const char *chain); int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore); /* diff --git a/iptables/xshared.c b/iptables/xshared.c index ebe172223486e..5cae62b45cdf4 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -957,6 +957,11 @@ static const unsigned int options_v_commands[NUMBER_OF_OPT] = { /*OPT_OPCODE*/ CMD_IDRAC, /*OPT_H_TYPE*/ CMD_IDRAC, /*OPT_P_TYPE*/ CMD_IDRAC, +/*OPT_LOGICALIN*/ CMD_IDRAC, +/*OPT_LOGICALOUT*/ CMD_IDRAC, +/*OPT_LIST_C*/ CMD_LIST, +/*OPT_LIST_X*/ CMD_LIST, +/*OPT_LIST_MAC2*/ CMD_LIST, }; #undef CMD_IDRAC @@ -1301,6 +1306,7 @@ static void check_inverse(struct xtables_args *args, const char option[], { switch (args->family) { case NFPROTO_ARP: + case NFPROTO_BRIDGE: break; default: return; @@ -1499,6 +1505,8 @@ void do_parse(int argc, char *argv[], parse_change_counters_rule(argc, argv, p, args); break; } + /* fall through */ + case 14: /* ebtables --check */ add_command(&p->command, CMD_CHECK, CMD_NONE, invert); p->chain = optarg; break; @@ -1606,15 +1614,19 @@ void do_parse(int argc, char *argv[], break; case 'P': - add_command(&p->command, CMD_SET_POLICY, CMD_NONE, + add_command(&p->command, CMD_SET_POLICY, + family_is_bridge ? CMD_NEW_CHAIN : CMD_NONE, invert); - p->chain = optarg; - if (xs_has_arg(argc, argv)) + if (p->command & CMD_NEW_CHAIN) { + p->policy = optarg; + } else if (xs_has_arg(argc, argv)) { + p->chain = optarg; p->policy = argv[optind++]; - else + } else { xtables_error(PARAMETER_PROBLEM, "-%c requires a chain and a policy", cmd2char(CMD_SET_POLICY)); + } break; case 'h': @@ -1716,6 +1728,45 @@ void do_parse(int argc, char *argv[], args->arp_ptype = optarg; break; + case 11: /* ebtables --init-table */ + if (p->restore) + xtables_error(PARAMETER_PROBLEM, + "--init-table is not supported in daemon mode"); + add_command(&p->command, CMD_INIT_TABLE, CMD_NONE, invert); + break; + + case 12 : /* ebtables --Lmac2 */ + set_option(p->ops, &cs->options, OPT_LIST_MAC2, + &args->invflags, invert); + break; + + case 13 : /* ebtables --concurrent */ + break; + + case 15 : /* ebtables --logical-in */ + check_inverse(args, optarg, &invert, argc, argv); + set_option(p->ops, &cs->options, OPT_LOGICALIN, + &args->invflags, invert); + parse_interface(optarg, args->bri_iniface); + break; + + case 16 : /* ebtables --logical-out */ + check_inverse(args, optarg, &invert, argc, argv); + set_option(p->ops, &cs->options, OPT_LOGICALOUT, + &args->invflags, invert); + parse_interface(optarg, args->bri_outiface); + break; + + case 17 : /* ebtables --Lc */ + set_option(p->ops, &cs->options, OPT_LIST_C, + &args->invflags, invert); + break; + + case 19 : /* ebtables --Lx */ + set_option(p->ops, &cs->options, OPT_LIST_X, + &args->invflags, invert); + break; + case 'j': set_option(p->ops, &cs->options, OPT_JUMP, &args->invflags, invert); @@ -1815,6 +1866,7 @@ void do_parse(int argc, char *argv[], break; case '0': + case 18 : /* ebtables --Ln */ set_option(p->ops, &cs->options, OPT_LINENUMBERS, &args->invflags, invert); break; @@ -1880,6 +1932,7 @@ void do_parse(int argc, char *argv[], exit_tryhelp(2, p->line); default: + check_inverse(args, optarg, &invert, argc, argv); if (p->ops->command_default(cs, xt_params, invert)) /* cf. ip6tables.c */ continue; @@ -1888,7 +1941,8 @@ void do_parse(int argc, char *argv[], invert = false; } - if (strcmp(p->table, "nat") == 0 && + if (!family_is_bridge && + strcmp(p->table, "nat") == 0 && ((p->policy != NULL && strcmp(p->policy, "DROP") == 0) || (cs->jumpto != NULL && strcmp(cs->jumpto, "DROP") == 0))) xtables_error(PARAMETER_PROBLEM, @@ -1929,17 +1983,22 @@ void do_parse(int argc, char *argv[], p->command == CMD_DELETE || p->command == CMD_CHECK || p->command == CMD_INSERT || - p->command == CMD_REPLACE) { + p->command == CMD_REPLACE || + p->command == CMD_CHANGE_COUNTERS) { if (strcmp(p->chain, "PREROUTING") == 0 || strcmp(p->chain, "INPUT") == 0) { /* -o not valid with incoming packets. */ option_test_and_reject(p, cs, OPT_VIANAMEOUT); + /* same with --logical-out */ + option_test_and_reject(p, cs, OPT_LOGICALOUT); } if (strcmp(p->chain, "POSTROUTING") == 0 || strcmp(p->chain, "OUTPUT") == 0) { /* -i not valid with outgoing packets */ option_test_and_reject(p, cs, OPT_VIANAMEIN); + /* same with --logical-in */ + option_test_and_reject(p, cs, OPT_LOGICALIN); } } } diff --git a/iptables/xshared.h b/iptables/xshared.h index de32198fa0b67..2a9cdf45f581a 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -47,10 +47,11 @@ enum { /* below are for ebtables only */ OPT_LOGICALIN = 1 << 18, OPT_LOGICALOUT = 1 << 19, - OPT_COMMAND = 1 << 20, - OPT_ZERO = 1 << 21, + OPT_LIST_C = 1 << 20, + OPT_LIST_X = 1 << 21, + OPT_LIST_MAC2 = 1 << 22, }; -#define NUMBER_OF_OPT 23 +#define NUMBER_OF_OPT 24 enum { CMD_NONE = 0, @@ -70,16 +71,17 @@ enum { CMD_ZERO_NUM = 1 << 13, CMD_CHECK = 1 << 14, CMD_CHANGE_COUNTERS = 1 << 15, /* ebtables only */ + CMD_INIT_TABLE = 1 << 16, /* ebtables only */ }; -#define NUMBER_OF_CMD 17 +#define NUMBER_OF_CMD 18 struct xtables_globals; struct xtables_rule_match; struct xtables_target; -#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v" -#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x" -#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */ +#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:R:S::VX::Z::" "c:d:i:j:o:p:s:t:v" +#define IPT_OPTSTRING OPTSTRING_COMMON "W::" "46bfg:h::m:nw::x" +#define ARPT_OPTSTRING OPTSTRING_COMMON "h::l:nx" /* "m:" */ #define EBT_OPTSTRING OPTSTRING_COMMON "h" /* define invflags which won't collide with IPT ones. @@ -262,6 +264,7 @@ struct xtables_args { uint16_t invflags; char iniface[IFNAMSIZ], outiface[IFNAMSIZ]; unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ]; bool goto_set; const char *shostnetworkmask, *dhostnetworkmask; const char *pcnt, *bcnt; diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c index a2ab318cff251..fbeff74f7fbb0 100644 --- a/iptables/xtables-eb-translate.c +++ b/iptables/xtables-eb-translate.c @@ -21,61 +21,10 @@ #include "nft-bridge.h" #include "nft.h" #include "nft-shared.h" -/* - * From include/ebtables_u.h - */ -#define ebt_check_option2(flags, mask) EBT_CHECK_OPTION(flags, mask) -extern int ebt_invert; - -static int ebt_check_inverse2(const char option[], int argc, char **argv) -{ - if (!option) - return ebt_invert; - if (strcmp(option, "!") == 0) { - if (ebt_invert == 1) - xtables_error(PARAMETER_PROBLEM, - "Double use of '!' not allowed"); - if (optind >= argc) - optarg = NULL; - else - optarg = argv[optind]; - optind++; - ebt_invert = 1; - return 1; - } - return ebt_invert; -} - -/* - * Glue code to use libxtables - */ -static int parse_rule_number(const char *rule) -{ - unsigned int rule_nr; - - if (!xtables_strtoui(rule, NULL, &rule_nr, 1, INT_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid rule number `%s'", rule); - - return rule_nr; -} - -/* - * The original ebtables parser - */ - -/* Checks whether a command has already been specified */ -#define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO) - -/* Default command line options. Do not mess around with the already - * assigned numbers unless you know what you are doing */ -extern struct option ebt_original_options[]; -#define opts ebtables_globals.opts #define prog_name ebtables_globals.program_name -#define prog_vers ebtables_globals.program_version -static void print_help(void) +static void print_help(struct iptables_command_state *cs) { fprintf(stderr, "%s: Translate ebtables command to nft syntax\n" "no side effects occur, the translated command is written " @@ -85,46 +34,6 @@ static void print_help(void) exit(0); } -static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end) -{ - char *colon = strchr(argv, ':'), *buffer; - - if (colon) { - *colon = '\0'; - if (*(colon + 1) == '\0') - *rule_nr_end = -1; /* Until the last rule */ - else { - *rule_nr_end = strtol(colon + 1, &buffer, 10); - if (*buffer != '\0' || *rule_nr_end == 0) - return -1; - } - } - if (colon == argv) - *rule_nr = 1; /* Beginning with the first rule */ - else { - *rule_nr = strtol(argv, &buffer, 10); - if (*buffer != '\0' || *rule_nr == 0) - return -1; - } - if (!colon) - *rule_nr_end = *rule_nr; - return 0; -} - -static void ebtables_parse_interface(const char *arg, char *vianame) -{ - unsigned char mask[IFNAMSIZ]; - char *c; - - xtables_parse_interface(arg, vianame, mask); - - if ((c = strchr(vianame, '+'))) { - if (*(c + 1) != '\0') - xtables_error(PARAMETER_PROBLEM, - "Spurious characters after '+' wildcard"); - } -} - static void print_ebt_cmd(int argc, char *argv[]) { int i; @@ -158,347 +67,35 @@ static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct xt_cmd_parse static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char **table) { - char *buffer; - int c, i; - int rule_nr = 0; - int rule_nr_end = 0; - int ret = 0; - unsigned int flags = 0; struct iptables_command_state cs = { .argv = argv, + .jumpto = "", .eb.bitmask = EBT_NOPROTO, }; - char command = 'h'; - const char *chain = NULL; - int selected_chain = -1; - struct xtables_rule_match *xtrm_i; - struct ebt_match *match; struct xt_cmd_parse p = { .table = *table, + .rule_ranges = true, + .ops = &h->ops->cmd_parse, }; - bool table_set = false; - - /* prevent getopt to spoil our error reporting */ - opterr = false; - - printf("nft "); - /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, - "-:A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { - cs.c = c; - switch (c) { - case 'A': /* Add a rule */ - case 'D': /* Delete a rule */ - case 'P': /* Define policy */ - case 'I': /* Insert a rule */ - case 'N': /* Make a user defined chain */ - case 'E': /* Rename chain */ - case 'X': /* Delete chain */ - /* We allow -N chainname -P policy */ - /* XXX: Not in ebtables-compat */ - if (command == 'N' && c == 'P') { - command = c; - optind--; /* No table specified */ - break; - } - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - command = c; - chain = optarg; - selected_chain = ebt_get_current_chain(chain); - p.chain = chain; - flags |= OPT_COMMAND; - - if (c == 'N') { - printf("add chain bridge %s %s\n", p.table, p.chain); - ret = 1; - break; - } else if (c == 'X') { - printf("delete chain bridge %s %s\n", p.table, p.chain); - ret = 1; - break; - } - - if (c == 'E') { - break; - } else if (c == 'D' && optind < argc && (argv[optind][0] != '-' || (argv[optind][1] >= '0' && argv[optind][1] <= '9'))) { - if (optind != argc - 1) - xtables_error(PARAMETER_PROBLEM, - "No extra options allowed with -D start_nr[:end_nr]"); - if (parse_rule_range(argv[optind], &rule_nr, &rule_nr_end)) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified rule number(s) '%s'", argv[optind]); - optind++; - } else if (c == 'I') { - if (optind >= argc || (argv[optind][0] == '-' && (argv[optind][1] < '0' || argv[optind][1] > '9'))) - rule_nr = 1; - else { - rule_nr = parse_rule_number(argv[optind]); - optind++; - } - p.rulenum = rule_nr; - } else if (c == 'P') { - break; - } - break; - case 'L': /* List */ - printf("list table bridge %s\n", p.table); - ret = 1; - break; - case 'F': /* Flush */ - case 'Z': /* Zero counters */ - if (c == 'Z') { - if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L')) -print_zero: - xtables_error(PARAMETER_PROBLEM, - "Command -Z only allowed together with command -L"); - flags |= OPT_ZERO; - } else { - if (flags & OPT_COMMAND) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - command = c; - flags |= OPT_COMMAND; - if (flags & OPT_ZERO && c != 'L') - goto print_zero; - } - break; - case 'V': /* Version */ - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - printf("%s %s\n", prog_name, prog_vers); - exit(0); - case 'h': - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - print_help(); - break; - case 't': /* Table */ - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Please put the -t option first"); - if (table_set) - xtables_error(PARAMETER_PROBLEM, - "Multiple use of same option not allowed"); - if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1) - xtables_error(PARAMETER_PROBLEM, - "Table name length cannot exceed %d characters", - EBT_TABLE_MAXNAMELEN - 1); - *table = optarg; - p.table = optarg; - table_set = true; - break; - case 'i': /* Input interface */ - case 15 : /* Logical input interface */ - case 'o': /* Output interface */ - case 16 : /* Logical output interface */ - case 'j': /* Target */ - case 'p': /* Net family protocol */ - case 's': /* Source mac */ - case 'd': /* Destination mac */ - case 'c': /* Set counters */ - if (!OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "No command specified"); - if (command != 'A' && command != 'D' && command != 'I') - xtables_error(PARAMETER_PROBLEM, - "Command and option do not match"); - if (c == 'i') { - ebt_check_option2(&flags, OPT_VIANAMEIN); - if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IIN; - - ebtables_parse_interface(optarg, cs.eb.in); - break; - } else if (c == 15) { - ebt_check_option2(&flags, OPT_LOGICALIN); - if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ILOGICALIN; - - ebtables_parse_interface(optarg, cs.eb.logical_in); - break; - } else if (c == 'o') { - ebt_check_option2(&flags, OPT_VIANAMEOUT); - if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use -o only in OUTPUT, FORWARD and POSTROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IOUT; - - ebtables_parse_interface(optarg, cs.eb.out); - break; - } else if (c == 16) { - ebt_check_option2(&flags, OPT_LOGICALOUT); - if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ILOGICALOUT; - - ebtables_parse_interface(optarg, cs.eb.logical_out); - break; - } else if (c == 'j') { - ebt_check_option2(&flags, OPT_JUMP); - if (strcmp(optarg, "CONTINUE") != 0) { - command_jump(&cs, optarg); - } - break; - } else if (c == 's') { - ebt_check_option2(&flags, OPT_SOURCE); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ISOURCE; - - if (xtables_parse_mac_and_mask(optarg, - cs.eb.sourcemac, - cs.eb.sourcemsk)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg); - cs.eb.bitmask |= EBT_SOURCEMAC; - break; - } else if (c == 'd') { - ebt_check_option2(&flags, OPT_DESTINATION); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IDEST; - - if (xtables_parse_mac_and_mask(optarg, - cs.eb.destmac, - cs.eb.destmsk)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg); - cs.eb.bitmask |= EBT_DESTMAC; - break; - } else if (c == 'c') { - ebt_check_option2(&flags, OPT_COUNTERS); - if (ebt_check_inverse2(optarg, argc, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected '!' after -c"); - if (optind >= argc || optarg[0] == '-' || argv[optind][0] == '-') - xtables_error(PARAMETER_PROBLEM, - "Option -c needs 2 arguments"); - - cs.counters.pcnt = strtoull(optarg, &buffer, 10); - if (*buffer != '\0') - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", - optarg); - cs.counters.bcnt = strtoull(argv[optind], &buffer, 10); - if (*buffer != '\0') - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", - argv[optind]); - optind++; - break; - } - ebt_check_option2(&flags, OPT_PROTOCOL); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IPROTO; + struct xtables_args args = { + .family = h->family, + }; + int ret = 0; - cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO); - i = strtol(optarg, &buffer, 16); - if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified protocol"); - if (*buffer != '\0') { - struct xt_ethertypeent *ent; + p.ops->print_help = print_help; - if (!strcasecmp(optarg, "LENGTH")) { - cs.eb.bitmask |= EBT_802_3; - break; - } - ent = xtables_getethertypebyname(optarg); - if (!ent) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified Ethernet protocol '%s', perhaps "XT_PATH_ETHERTYPES " is missing", optarg); - cs.eb.ethproto = ent->e_ethertype; - } else - cs.eb.ethproto = i; + do_parse(argc, argv, &p, &cs, &args); - if (cs.eb.ethproto < 0x0600) - xtables_error(PARAMETER_PROBLEM, - "Sorry, protocols have values above or equal to 0x0600"); - break; - case 17 : /* Lc */ - ebt_check_option2(&flags, LIST_C); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lc with -L"); - flags |= LIST_C; - break; - case 18 : /* Ln */ - ebt_check_option2(&flags, LIST_N); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Ln with -L"); - if (flags & LIST_X) - xtables_error(PARAMETER_PROBLEM, - "--Lx is not compatible with --Ln"); - flags |= LIST_N; - break; - case 19 : /* Lx */ - ebt_check_option2(&flags, LIST_X); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lx with -L"); - if (flags & LIST_N) - xtables_error(PARAMETER_PROBLEM, - "--Lx is not compatible with --Ln"); - flags |= LIST_X; - break; - case 12 : /* Lmac2 */ - ebt_check_option2(&flags, LIST_MAC2); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lmac2 with -L"); - flags |= LIST_MAC2; - break; - case 1 : - if (!strcmp(optarg, "!")) - ebt_check_inverse2(optarg, argc, argv); - else - xtables_error(PARAMETER_PROBLEM, - "Bad argument : '%s'", optarg); - /* ebt_ebt_check_inverse2() did optind++ */ - optind--; - continue; - default: - ebt_check_inverse2(optarg, argc, argv); - ebt_command_default(&cs); - - if (command != 'A' && command != 'I' && - command != 'D') - xtables_error(PARAMETER_PROBLEM, - "Extensions only for -A, -I, -D"); - } - ebt_invert = 0; - } + h->verbose = p.verbose; /* Do the final checks */ - if (command == 'A' || command == 'I' || command == 'D') { - for (xtrm_i = cs.matches; xtrm_i; xtrm_i = xtrm_i->next) - xtables_option_mfcall(xtrm_i->match); - - for (match = cs.match_list; match; match = match->next) { - if (match->ismatch) - continue; + if (!nft_table_builtin_find(h, p.table)) + xtables_error(VERSION_PROBLEM, + "table '%s' does not exist", p.table); - xtables_option_tfcall(match->u.watcher); - } - - if (cs.target != NULL) - xtables_option_tfcall(cs.target); - } - - cs.eb.ethproto = htons(cs.eb.ethproto); - - switch (command) { - case 'F': + printf("nft "); + switch (p.command) { + case CMD_FLUSH: if (p.chain) { printf("flush chain bridge %s %s\n", p.table, p.chain); } else { @@ -506,16 +103,52 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char } ret = 1; break; - case 'A': + case CMD_APPEND: ret = nft_rule_eb_xlate_add(h, &p, &cs, true); if (!ret) print_ebt_cmd(argc, argv); break; - case 'I': + case CMD_INSERT: ret = nft_rule_eb_xlate_add(h, &p, &cs, false); if (!ret) print_ebt_cmd(argc, argv); break; + case CMD_LIST: + printf("list table bridge %s\n", p.table); + ret = 1; + break; + case CMD_NEW_CHAIN: + printf("add chain bridge %s %s\n", p.table, p.chain); + ret = 1; + break; + case CMD_DELETE_CHAIN: + printf("delete chain bridge %s %s\n", p.table, p.chain); + ret = 1; + break; + case CMD_INIT_TABLE: + printf("flush table bridge %s\n", p.table); + ret = 1; + break; + case CMD_DELETE: + case CMD_DELETE_NUM: + case CMD_CHECK: + case CMD_REPLACE: + case CMD_ZERO: + case CMD_ZERO_NUM: + case CMD_LIST|CMD_ZERO: + case CMD_LIST|CMD_ZERO_NUM: + case CMD_LIST_RULES: + case CMD_LIST_RULES|CMD_ZERO: + case CMD_LIST_RULES|CMD_ZERO_NUM: + case CMD_NEW_CHAIN|CMD_SET_POLICY: + case CMD_SET_POLICY: + case CMD_RENAME_CHAIN: + case CMD_CHANGE_COUNTERS: + break; + default: + /* We should never reach this... */ + printf("Unsupported command?\n"); + exit(1); } ebt_cs_clean(&cs); diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index e03b2b2510eda..c3cf1c2c74104 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -42,76 +42,6 @@ #include "nft.h" #include "nft-bridge.h" -/* from linux/netfilter_bridge/ebtables.h */ -#define EBT_TABLE_MAXNAMELEN 32 -#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN - -/* - * From include/ebtables_u.h - */ -#define ebt_check_option2(flags, mask) EBT_CHECK_OPTION(flags, mask) - -/* - * From useful_functions.c - */ - -/* 0: default - * 1: the inverse '!' of the option has already been specified */ -int ebt_invert = 0; - -static int ebt_check_inverse2(const char option[], int argc, char **argv) -{ - if (!option) - return ebt_invert; - if (strcmp(option, "!") == 0) { - if (ebt_invert == 1) - xtables_error(PARAMETER_PROBLEM, - "Double use of '!' not allowed"); - if (optind >= argc) - optarg = NULL; - else - optarg = argv[optind]; - optind++; - ebt_invert = 1; - return 1; - } - return ebt_invert; -} - -/* XXX: merge with assert_valid_chain_name()? */ -static void ebt_assert_valid_chain_name(const char *chainname) -{ - if (strlen(chainname) >= EBT_CHAIN_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "Chain name length can't exceed %d", - EBT_CHAIN_MAXNAMELEN - 1); - - if (*chainname == '-' || *chainname == '!') - xtables_error(PARAMETER_PROBLEM, "No chain name specified"); - - if (xtables_find_target(chainname, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "Target with name %s exists", chainname); - - if (strchr(chainname, ' ') != NULL) - xtables_error(PARAMETER_PROBLEM, - "Use of ' ' not allowed in chain names"); -} - -/* - * Glue code to use libxtables - */ -static int parse_rule_number(const char *rule) -{ - unsigned int rule_nr; - - if (!xtables_strtoui(rule, NULL, &rule_nr, 1, INT_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid rule number `%s'", rule); - - return rule_nr; -} - static int delete_entry(struct nft_handle *h, const char *chain, @@ -159,35 +89,6 @@ change_entry_counters(struct nft_handle *h, return ret; } -int ebt_get_current_chain(const char *chain) -{ - if (!chain) - return -1; - - if (strcmp(chain, "PREROUTING") == 0) - return NF_BR_PRE_ROUTING; - else if (strcmp(chain, "INPUT") == 0) - return NF_BR_LOCAL_IN; - else if (strcmp(chain, "FORWARD") == 0) - return NF_BR_FORWARD; - else if (strcmp(chain, "OUTPUT") == 0) - return NF_BR_LOCAL_OUT; - else if (strcmp(chain, "POSTROUTING") == 0) - return NF_BR_POST_ROUTING; - else if (strcmp(chain, "BROUTING") == 0) - return NF_BR_BROUTING; - - /* placeholder for user defined chain */ - return NF_BR_NUMHOOKS; -} - -/* - * The original ebtables parser - */ - -/* Checks whether a command has already been specified */ -#define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO) - /* Default command line options. Do not mess around with the already * assigned numbers unless you know what you are doing */ struct option ebt_original_options[] = @@ -244,10 +145,6 @@ struct xtables_globals ebtables_globals = { #define prog_name ebtables_globals.program_name #define prog_vers ebtables_globals.program_version -/* - * From libebtc.c - */ - /* Prints all registered extensions */ static void ebt_list_extensions(const struct xtables_target *t, const struct xtables_rule_match *m) @@ -303,7 +200,7 @@ static struct option *merge_options(struct option *oldopts, return merge; } -static void print_help(struct iptables_command_state *cs) +void nft_bridge_print_help(struct iptables_command_state *cs) { const struct xtables_rule_match *m = cs->matches; struct xtables_target *t = cs->target; @@ -411,107 +308,6 @@ static int list_rules(struct nft_handle *h, const char *chain, const char *table return nft_cmd_rule_list(h, chain, table, rule_nr, format); } -static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end) -{ - char *colon = strchr(argv, ':'), *buffer; - - if (colon) { - *colon = '\0'; - if (*(colon + 1) == '\0') - *rule_nr_end = -1; /* Until the last rule */ - else { - *rule_nr_end = strtol(colon + 1, &buffer, 10); - if (*buffer != '\0' || *rule_nr_end == 0) - return -1; - } - } - if (colon == argv) - *rule_nr = 1; /* Beginning with the first rule */ - else { - *rule_nr = strtol(argv, &buffer, 10); - if (*buffer != '\0' || *rule_nr == 0) - return -1; - } - if (!colon) - *rule_nr_end = *rule_nr; - return 0; -} - -/* Incrementing or decrementing rules in daemon mode is not supported as the - * involved code overload is not worth it (too annoying to take the increased - * counters in the kernel into account). */ -static uint8_t parse_change_counters_rule(int argc, char **argv, - int *rule_nr, int *rule_nr_end, - struct iptables_command_state *cs) -{ - uint8_t ret = 0; - char *buffer; - - if (optind + 1 >= argc || - (argv[optind][0] == '-' && !isdigit(argv[optind][1])) || - (argv[optind + 1][0] == '-' && !isdigit(argv[optind + 1][1]))) - xtables_error(PARAMETER_PROBLEM, - "The command -C needs at least 2 arguments"); - if (optind + 2 < argc && - (argv[optind + 2][0] != '-' || isdigit(argv[optind + 2][1]))) { - if (optind + 3 != argc) - xtables_error(PARAMETER_PROBLEM, - "No extra options allowed with -C start_nr[:end_nr] pcnt bcnt"); - if (parse_rule_range(argv[optind], rule_nr, rule_nr_end)) - xtables_error(PARAMETER_PROBLEM, - "Something is wrong with the rule number specification '%s'", - argv[optind]); - optind++; - } - - if (argv[optind][0] == '+') { - ret |= CTR_OP_INC_PKTS; - cs->counters.pcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else if (argv[optind][0] == '-') { - ret |= CTR_OP_DEC_PKTS; - cs->counters.pcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else { - cs->counters.pcnt = strtoull(argv[optind], &buffer, 10); - } - if (*buffer != '\0') - goto invalid; - - optind++; - - if (argv[optind][0] == '+') { - ret |= CTR_OP_INC_BYTES; - cs->counters.bcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else if (argv[optind][0] == '-') { - ret |= CTR_OP_DEC_BYTES; - cs->counters.bcnt = strtoull(argv[optind] + 1, &buffer, 10); - } else { - cs->counters.bcnt = strtoull(argv[optind], &buffer, 10); - } - if (*buffer != '\0') - goto invalid; - - optind++; - - return ret; -invalid: - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", argv[optind]); -} - -static void ebtables_parse_interface(const char *arg, char *vianame) -{ - unsigned char mask[IFNAMSIZ]; - char *c; - - xtables_parse_interface(arg, vianame, mask); - - if ((c = strchr(vianame, '+'))) { - if (*(c + 1) != '\0') - xtables_error(PARAMETER_PROBLEM, - "Spurious characters after '+' wildcard"); - } -} - /* This code is very similar to iptables/xtables.c:command_match() */ static void ebt_load_match(const char *name) { @@ -580,6 +376,10 @@ static void ebt_load_match_extensions(void) ebt_load_watcher("log"); ebt_load_watcher("nflog"); + + /* assign them back so do_parse() may + * reset opts to orig_opts upon each call */ + xt_params->orig_opts = opts; } void ebt_add_match(struct xtables_match *m, @@ -642,7 +442,8 @@ void ebt_add_watcher(struct xtables_target *watcher, *matchp = newnode; } -int ebt_command_default(struct iptables_command_state *cs) +int ebt_command_default(struct iptables_command_state *cs, + struct xtables_globals *unused, bool ebt_invert) { struct xtables_target *t = cs->target; struct xtables_match *m; @@ -753,431 +554,43 @@ void nft_fini_eb(struct nft_handle *h) int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, bool restore) { - char *buffer; - int c, i; - uint8_t chcounter = 0; /* Needed for -C */ - int rule_nr = 0; - int rule_nr_end = 0; - int ret = 0; - unsigned int flags = 0; - struct xtables_target *t; struct iptables_command_state cs = { .argc = argc, .argv = argv, .jumpto = "", .eb.bitmask = EBT_NOPROTO, }; + const struct builtin_table *t; + struct xtables_args args = { + .family = h->family, + }; struct xt_cmd_parse p = { + .table = *table, + .restore = restore, + .line = line, + .rule_ranges = true, + .ops = &h->ops->cmd_parse, }; - char command = 'h'; - const char *chain = NULL; - const char *policy = NULL; - int selected_chain = -1; - struct xtables_rule_match *xtrm_i; - struct ebt_match *match; - bool table_set = false; + int ret = 0; - /* avoid cumulating verbosity with ebtables-restore */ - h->verbose = 0; + do_parse(argc, argv, &p, &cs, &args); - /* prevent getopt to spoil our error reporting */ - optind = 0; - opterr = false; + h->verbose = p.verbose; - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } + t = nft_table_builtin_find(h, p.table); + if (!t) + xtables_error(VERSION_PROBLEM, + "table '%s' does not exist", p.table); - /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, EBT_OPTSTRING, - opts, NULL)) != -1) { - cs.c = c; - switch (c) { - - case 'A': /* Add a rule */ - case 'D': /* Delete a rule */ - case 'C': /* Change counters */ - case 'P': /* Define policy */ - case 'I': /* Insert a rule */ - case 'N': /* Make a user defined chain */ - case 'E': /* Rename chain */ - case 'X': /* Delete chain */ - case 14: /* check a rule */ - /* We allow -N chainname -P policy */ - if (command == 'N' && c == 'P') { - command = c; - optind--; /* No table specified */ - goto handle_P; - } - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - - command = c; - if (optarg && (optarg[0] == '-' || !strcmp(optarg, "!"))) - xtables_error(PARAMETER_PROBLEM, "No chain name specified"); - chain = optarg; - selected_chain = ebt_get_current_chain(chain); - flags |= OPT_COMMAND; - - if (c == 'N') { - ebt_assert_valid_chain_name(chain); - ret = nft_cmd_chain_user_add(h, chain, *table); - break; - } else if (c == 'X') { - /* X arg is optional, optarg is NULL */ - if (!chain && optind < argc && argv[optind][0] != '-') { - chain = argv[optind]; - optind++; - } - ret = nft_cmd_chain_del(h, chain, *table, 0); - break; - } - - if (c == 'E') { - if (!xs_has_arg(argc, argv)) - xtables_error(PARAMETER_PROBLEM, "No new chain name specified"); - else if (optind < argc - 1) - xtables_error(PARAMETER_PROBLEM, "No extra options allowed with -E"); - - ebt_assert_valid_chain_name(argv[optind]); - - errno = 0; - ret = nft_cmd_chain_user_rename(h, chain, *table, - argv[optind]); - if (ret != 0 && errno == ENOENT) - xtables_error(PARAMETER_PROBLEM, "Chain '%s' doesn't exists", chain); - - optind++; - break; - } else if (c == 'D' && optind < argc && (argv[optind][0] != '-' || (argv[optind][1] >= '0' && argv[optind][1] <= '9'))) { - if (optind != argc - 1) - xtables_error(PARAMETER_PROBLEM, - "No extra options allowed with -D start_nr[:end_nr]"); - if (parse_rule_range(argv[optind], &rule_nr, &rule_nr_end)) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified rule number(s) '%s'", argv[optind]); - optind++; - } else if (c == 'C') { - if ((chcounter = parse_change_counters_rule(argc, argv, &rule_nr, &rule_nr_end, &cs)) == -1) - return -1; - } else if (c == 'I') { - if (optind >= argc || (argv[optind][0] == '-' && (argv[optind][1] < '0' || argv[optind][1] > '9'))) - rule_nr = 1; - else { - rule_nr = parse_rule_number(argv[optind]); - optind++; - } - } else if (c == 'P') { -handle_P: - if (optind >= argc) - xtables_error(PARAMETER_PROBLEM, - "No policy specified"); - for (i = 0; i < NUM_STANDARD_TARGETS; i++) - if (!strcmp(argv[optind], nft_ebt_standard_target(i))) { - policy = argv[optind]; - if (-i-1 == EBT_CONTINUE) - xtables_error(PARAMETER_PROBLEM, - "Wrong policy '%s'", - argv[optind]); - break; - } - if (i == NUM_STANDARD_TARGETS) - xtables_error(PARAMETER_PROBLEM, - "Unknown policy '%s'", argv[optind]); - optind++; - } - break; - case 'L': /* List */ - case 'F': /* Flush */ - case 'Z': /* Zero counters */ - if (c == 'Z') { - if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L')) -print_zero: - xtables_error(PARAMETER_PROBLEM, - "Command -Z only allowed together with command -L"); - flags |= OPT_ZERO; - } else { - if (flags & OPT_COMMAND) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - command = c; - flags |= OPT_COMMAND; - if (flags & OPT_ZERO && c != 'L') - goto print_zero; - } - - if (optind < argc && argv[optind][0] != '-') { - chain = argv[optind]; - optind++; - } - break; - case 'v': /* verbose */ - flags |= OPT_VERBOSE; - h->verbose++; - break; - case 'V': /* Version */ - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - printf("%s %s\n", prog_name, prog_vers); - exit(0); - case 'h': /* Help */ - if (OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "Multiple commands are not allowed"); - print_help(&cs); - exit(0); - case 't': /* Table */ - if (restore && table_set) - xtables_error(PARAMETER_PROBLEM, - "The -t option cannot be used in %s.", - xt_params->program_name); - else if (table_set) - xtables_error(PARAMETER_PROBLEM, - "Multiple use of same option not allowed"); - if (!nft_table_builtin_find(h, optarg)) - xtables_error(VERSION_PROBLEM, - "table '%s' does not exist", - optarg); - *table = optarg; - table_set = true; + switch (p.command) { + case CMD_NEW_CHAIN: + case CMD_NEW_CHAIN | CMD_SET_POLICY: + ret = nft_cmd_chain_user_add(h, p.chain, p.table); + if (!ret || !(p.command & CMD_SET_POLICY)) break; - case 'i': /* Input interface */ - case 15 : /* Logical input interface */ - case 'o': /* Output interface */ - case 16 : /* Logical output interface */ - case 'j': /* Target */ - case 'p': /* Net family protocol */ - case 's': /* Source mac */ - case 'd': /* Destination mac */ - case 'c': /* Set counters */ - if (!OPT_COMMANDS) - xtables_error(PARAMETER_PROBLEM, - "No command specified"); - if (command != 'A' && command != 'D' && - command != 'I' && command != 'C' && command != 14) - xtables_error(PARAMETER_PROBLEM, - "Command and option do not match"); - if (c == 'i') { - ebt_check_option2(&flags, OPT_VIANAMEIN); - if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IIN; - - ebtables_parse_interface(optarg, cs.eb.in); - break; - } else if (c == 15) { - ebt_check_option2(&flags, OPT_LOGICALIN); - if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ILOGICALIN; - - ebtables_parse_interface(optarg, cs.eb.logical_in); - break; - } else if (c == 'o') { - ebt_check_option2(&flags, OPT_VIANAMEOUT); - if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use -o only in OUTPUT, FORWARD and POSTROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IOUT; - - ebtables_parse_interface(optarg, cs.eb.out); - break; - } else if (c == 16) { - ebt_check_option2(&flags, OPT_LOGICALOUT); - if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) - xtables_error(PARAMETER_PROBLEM, - "Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains"); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ILOGICALOUT; - - ebtables_parse_interface(optarg, cs.eb.logical_out); - break; - } else if (c == 'j') { - ebt_check_option2(&flags, OPT_JUMP); - if (strcmp(optarg, "CONTINUE") != 0) { - command_jump(&cs, optarg); - } - break; - } else if (c == 's') { - ebt_check_option2(&flags, OPT_SOURCE); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_ISOURCE; - - if (xtables_parse_mac_and_mask(optarg, - cs.eb.sourcemac, - cs.eb.sourcemsk)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg); - cs.eb.bitmask |= EBT_SOURCEMAC; - break; - } else if (c == 'd') { - ebt_check_option2(&flags, OPT_DESTINATION); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IDEST; - - if (xtables_parse_mac_and_mask(optarg, - cs.eb.destmac, - cs.eb.destmsk)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg); - cs.eb.bitmask |= EBT_DESTMAC; - break; - } else if (c == 'c') { - ebt_check_option2(&flags, OPT_COUNTERS); - if (ebt_check_inverse2(optarg, argc, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected '!' after -c"); - if (optind >= argc || optarg[0] == '-' || argv[optind][0] == '-') - xtables_error(PARAMETER_PROBLEM, - "Option -c needs 2 arguments"); - - cs.counters.pcnt = strtoull(optarg, &buffer, 10); - if (*buffer != '\0') - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", - optarg); - cs.counters.bcnt = strtoull(argv[optind], &buffer, 10); - if (*buffer != '\0') - xtables_error(PARAMETER_PROBLEM, - "Packet counter '%s' invalid", - argv[optind]); - optind++; - break; - } - ebt_check_option2(&flags, OPT_PROTOCOL); - if (ebt_check_inverse2(optarg, argc, argv)) - cs.eb.invflags |= EBT_IPROTO; - - cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO); - i = strtol(optarg, &buffer, 16); - if (*buffer == '\0' && (i < 0 || i > 0xFFFF)) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified protocol"); - if (*buffer != '\0') { - struct xt_ethertypeent *ent; - - if (!strcasecmp(optarg, "LENGTH")) { - cs.eb.bitmask |= EBT_802_3; - break; - } - ent = xtables_getethertypebyname(optarg); - if (!ent) - xtables_error(PARAMETER_PROBLEM, - "Problem with the specified Ethernet protocol '%s', perhaps "XT_PATH_ETHERTYPES " is missing", optarg); - cs.eb.ethproto = ent->e_ethertype; - } else - cs.eb.ethproto = i; - - if (cs.eb.ethproto < 0x0600) - xtables_error(PARAMETER_PROBLEM, - "Sorry, protocols have values above or equal to 0x0600"); - break; - case 17 : /* Lc */ - ebt_check_option2(&flags, LIST_C); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lc with -L"); - flags |= LIST_C; - break; - case 18 : /* Ln */ - ebt_check_option2(&flags, LIST_N); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Ln with -L"); - if (flags & LIST_X) - xtables_error(PARAMETER_PROBLEM, - "--Lx is not compatible with --Ln"); - flags |= LIST_N; - break; - case 19 : /* Lx */ - ebt_check_option2(&flags, LIST_X); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lx with -L"); - if (flags & LIST_N) - xtables_error(PARAMETER_PROBLEM, - "--Lx is not compatible with --Ln"); - flags |= LIST_X; - break; - case 12 : /* Lmac2 */ - ebt_check_option2(&flags, LIST_MAC2); - if (command != 'L') - xtables_error(PARAMETER_PROBLEM, - "Use --Lmac2 with -L"); - flags |= LIST_MAC2; - break; - case 11: /* init-table */ - if (restore) - xtables_error(PARAMETER_PROBLEM, - "--init-table is not supported in daemon mode"); - nft_cmd_table_flush(h, *table, false); - return 1; - case 13 : - break; - case 1 : - if (!strcmp(optarg, "!")) - ebt_check_inverse2(optarg, argc, argv); - else - xtables_error(PARAMETER_PROBLEM, - "Bad argument : '%s'", optarg); - /* ebt_ebt_check_inverse2() did optind++ */ - optind--; - continue; - default: - ebt_check_inverse2(optarg, argc, argv); - ebt_command_default(&cs); - - if (command != 'A' && command != 'I' && - command != 'D' && command != 'C' && command != 14) - xtables_error(PARAMETER_PROBLEM, - "Extensions only for -A, -I, -D and -C"); - } - ebt_invert = 0; - } - - /* Just in case we didn't catch an error */ - /*if (ebt_errormsg[0] != '\0') - return -1; - - if (!(table = ebt_find_table(replace->name))) - ebt_print_error2("Bad table name");*/ - - /* Do the final checks */ - if (command == 'A' || command == 'I' || - command == 'D' || command == 'C' || command == 14) { - for (xtrm_i = cs.matches; xtrm_i; xtrm_i = xtrm_i->next) - xtables_option_mfcall(xtrm_i->match); - - for (match = cs.match_list; match; match = match->next) { - if (match->ismatch) - continue; - - xtables_option_tfcall(match->u.watcher); - } - - if (cs.target != NULL) - xtables_option_tfcall(cs.target); - } - /* So, the extensions can work with the host endian. - * The kernel does not have to do this of course */ - cs.eb.ethproto = htons(cs.eb.ethproto); - - p.table = *table; - p.chain = chain; - p.policy = policy; - p.rulenum = rule_nr; - p.rulenum_end = rule_nr_end; - cs.options = flags; - - switch (command) { - case 'P': - if (selected_chain >= NF_BR_NUMHOOKS) { + /* fall through */ + case CMD_SET_POLICY: + if (!nft_chain_builtin_find(t, p.chain)) { ret = ebt_cmd_user_chain_policy(h, p.table, p.chain, p.policy); break; @@ -1190,46 +603,83 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, if (ret < 0) xtables_error(PARAMETER_PROBLEM, "Wrong policy"); break; - case 'L': - ret = list_rules(h, p.chain, p.table, p.rulenum, - cs.options & OPT_VERBOSE, - 0, - /*cs.options&OPT_EXPANDED*/0, - cs.options&LIST_N, - cs.options&LIST_C); - if (!(cs.options & OPT_ZERO)) - break; - case 'Z': + case CMD_LIST: + case CMD_LIST | CMD_ZERO: + case CMD_LIST | CMD_ZERO_NUM: + case CMD_LIST_RULES: + case CMD_LIST_RULES | CMD_ZERO: + case CMD_LIST_RULES | CMD_ZERO_NUM: + if (p.command & CMD_LIST) + ret = list_rules(h, p.chain, p.table, p.rulenum, + cs.options & OPT_VERBOSE, + 0, + /*cs.options&OPT_EXPANDED*/0, + cs.options&OPT_LINENUMBERS, + cs.options&OPT_LIST_C); + else if (p.command & CMD_LIST_RULES) + ret = nft_cmd_rule_list_save(h, p.chain, p.table, + p.rulenum - 1, + cs.options & OPT_VERBOSE); + if (ret && (p.command & CMD_ZERO)) + ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, + cs.options & OPT_VERBOSE); + if (ret && (p.command & CMD_ZERO_NUM)) + ret = nft_cmd_rule_zero_counters(h, p.chain, p.table, + p.rulenum - 1); + break; + case CMD_ZERO: ret = nft_cmd_chain_zero_counters(h, p.chain, p.table, cs.options & OPT_VERBOSE); break; - case 'F': + case CMD_ZERO_NUM: + ret = nft_cmd_rule_zero_counters(h, p.chain, p.table, + p.rulenum - 1); + break; + case CMD_FLUSH: ret = nft_cmd_rule_flush(h, p.chain, p.table, cs.options & OPT_VERBOSE); break; - case 'A': + case CMD_APPEND: ret = nft_cmd_rule_append(h, p.chain, p.table, &cs, cs.options & OPT_VERBOSE); break; - case 'I': + case CMD_INSERT: ret = nft_cmd_rule_insert(h, p.chain, p.table, &cs, p.rulenum - 1, cs.options & OPT_VERBOSE); break; - case 'D': + case CMD_DELETE: + case CMD_DELETE_NUM: ret = delete_entry(h, p.chain, p.table, &cs, p.rulenum - 1, p.rulenum_end, cs.options & OPT_VERBOSE); break; - case 14: + case CMD_DELETE_CHAIN: + ret = nft_cmd_chain_del(h, p.chain, p.table, 0); + break; + case CMD_RENAME_CHAIN: + ret = nft_cmd_chain_user_rename(h, p.chain, p.table, p.newname); + break; + case CMD_INIT_TABLE: + ret = nft_cmd_table_flush(h, p.table, false); + break; + case CMD_CHECK: ret = nft_cmd_rule_check(h, p.chain, p.table, &cs, cs.options & OPT_VERBOSE); break; - case 'C': + case CMD_CHANGE_COUNTERS: ret = change_entry_counters(h, p.chain, p.table, &cs, p.rulenum - 1, p.rulenum_end, - chcounter, + args.counter_op, cs.options & OPT_VERBOSE); break; + case CMD_REPLACE: + ret = nft_cmd_rule_replace(h, p.chain, p.table, &cs, + p.rulenum - 1, + cs.options & OPT_VERBOSE); + break; + default: + /* We should never reach this... */ + exit_tryhelp(2, line); } ebt_cs_clean(&cs);