iptables: fix multiport match for brcm-2.4 Since the netfilter framework in Linux 2.4 lacks support for target and match revisioning, iptables falls back to the v0 implementation of multiport while only v1 is implemented on the kernel side, leading to an invalid argument error when trying to insert rules using multiport. This patch removes v0 support from the userspace match library to enforce the usage of the v1 match implementation.

SVN-Revision: 19761
This commit is contained in:
Jo-Philipp Wich 2010-02-19 21:25:40 +00:00
parent 046caa7e25
commit 2a473ebe19

View File

@ -0,0 +1,265 @@
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -14,21 +14,6 @@
#include <linux/netfilter/xt_multiport.h>
/* Function which prints out usage message. */
-static void multiport_help(void)
-{
- printf(
-"multiport match options:\n"
-" --source-ports port[,port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports port[,port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports port[,port,port]\n"
-" match both source and destination port(s)\n"
-" NOTE: this kernel does not support port ranges in multiport.\n");
-}
-
static void multiport_help_v1(void)
{
printf(
@@ -71,26 +56,6 @@
}
}
-static unsigned int
-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
-{
- char *buffer, *cp, *next;
- unsigned int i;
-
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- ports[i] = xtables_parse_port(cp, proto);
- }
- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
- free(buffer);
- return i;
-}
-
static void
parse_multi_ports_v1(const char *portstring,
struct xt_multiport_v1 *multiinfo,
@@ -154,73 +119,6 @@
/* Function which parses command options; returns true if it
ate an option */
static int
-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
- struct xt_entry_match **match, u_int16_t pnum,
- u_int8_t invflags)
-{
- const char *proto;
- struct xt_multiport *multiinfo
- = (struct xt_multiport *)(*match)->data;
-
- switch (c) {
- case '1':
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- proto = check_proto(pnum, invflags);
- multiinfo->count = parse_multi_ports(optarg,
- multiinfo->ports, proto);
- multiinfo->flags = XT_MULTIPORT_SOURCE;
- break;
-
- case '2':
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- proto = check_proto(pnum, invflags);
- multiinfo->count = parse_multi_ports(optarg,
- multiinfo->ports, proto);
- multiinfo->flags = XT_MULTIPORT_DESTINATION;
- break;
-
- case '3':
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- proto = check_proto(pnum, invflags);
- multiinfo->count = parse_multi_ports(optarg,
- multiinfo->ports, proto);
- multiinfo->flags = XT_MULTIPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- xtables_error(PARAMETER_PROBLEM,
- "multiport does not support invert");
-
- if (*flags)
- xtables_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-static int
-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *e, struct xt_entry_match **match)
-{
- const struct ipt_entry *entry = e;
- return __multiport_parse(c, argv, invert, flags, match,
- entry->ip.proto, entry->ip.invflags);
-}
-
-static int
-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
- const void *e, struct xt_entry_match **match)
-{
- const struct ip6t_entry *entry = e;
- return __multiport_parse(c, argv, invert, flags, match,
- entry->ipv6.proto, entry->ipv6.invflags);
-}
-
-static int
__multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
struct xt_entry_match **match, u_int16_t pnum,
u_int8_t invflags)
@@ -313,55 +211,6 @@
}
/* Prints out the matchinfo. */
-static void
-__multiport_print(const struct xt_entry_match *match, int numeric,
- u_int16_t proto)
-{
- const struct xt_multiport *multiinfo
- = (const struct xt_multiport *)match->data;
- unsigned int i;
-
- printf("multiport ");
-
- switch (multiinfo->flags) {
- case XT_MULTIPORT_SOURCE:
- printf("sports ");
- break;
-
- case XT_MULTIPORT_DESTINATION:
- printf("dports ");
- break;
-
- case XT_MULTIPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], proto, numeric);
- }
- printf(" ");
-}
-
-static void multiport_print(const void *ip_void,
- const struct xt_entry_match *match, int numeric)
-{
- const struct ipt_ip *ip = ip_void;
- __multiport_print(match, numeric, ip->proto);
-}
-
-static void multiport_print6(const void *ip_void,
- const struct xt_entry_match *match, int numeric)
-{
- const struct ip6t_ip6 *ip = ip_void;
- __multiport_print(match, numeric, ip->proto);
-}
-
static void __multiport_print_v1(const struct xt_entry_match *match,
int numeric, u_int16_t proto)
{
@@ -418,48 +267,6 @@
}
/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void __multiport_save(const struct xt_entry_match *match,
- u_int16_t proto)
-{
- const struct xt_multiport *multiinfo
- = (const struct xt_multiport *)match->data;
- unsigned int i;
-
- switch (multiinfo->flags) {
- case XT_MULTIPORT_SOURCE:
- printf("--sports ");
- break;
-
- case XT_MULTIPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case XT_MULTIPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- for (i=0; i < multiinfo->count; i++) {
- printf("%s", i ? "," : "");
- print_port(multiinfo->ports[i], proto, 1);
- }
- printf(" ");
-}
-
-static void multiport_save(const void *ip_void,
- const struct xt_entry_match *match)
-{
- const struct ipt_ip *ip = ip_void;
- __multiport_save(match, ip->proto);
-}
-
-static void multiport_save6(const void *ip_void,
- const struct xt_entry_match *match)
-{
- const struct ip6t_ip6 *ip = ip_void;
- __multiport_save(match, ip->proto);
-}
-
static void __multiport_save_v1(const struct xt_entry_match *match,
u_int16_t proto)
{
@@ -513,34 +320,6 @@
{
.family = NFPROTO_IPV4,
.name = "multiport",
- .revision = 0,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_multiport)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
- .help = multiport_help,
- .parse = multiport_parse,
- .final_check = multiport_check,
- .print = multiport_print,
- .save = multiport_save,
- .extra_opts = multiport_opts,
- },
- {
- .family = NFPROTO_IPV6,
- .name = "multiport",
- .revision = 0,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_multiport)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
- .help = multiport_help,
- .parse = multiport_parse6,
- .final_check = multiport_check,
- .print = multiport_print6,
- .save = multiport_save6,
- .extra_opts = multiport_opts,
- },
- {
- .family = NFPROTO_IPV4,
- .name = "multiport",
.version = XTABLES_VERSION,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_multiport_v1)),