Introduces xtables match/target registration
- moves lib_dir to xtables.c
- introduces struct pfinfo which has protocol family dependent infomations.
- unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
- introduces xt_{match,match_rule,target,tryload} and replaces
ip[6]t_* with them
- unifies following functions and move them to xtables.c
- find_{match,find_target}
- compatible_revision, compatible_{match,target}_revision
- introduces xtables_register_{match,target} and make
register_{match,target}[6] call them. xtables_register_* register ONLY
matches/targets matched protocol family
Some concepts:
- source compatibility for libip[6]t_xxx.c with warning on compilation
not binary compatibility.
- binary compatibility between 2.4/2.6 kernel and iptables/ip6tables,
of cause.
- xtables is enough to support only one address family at runtime.
Then xtables keeps infomations of only the focused address famiy
in struct afinfo.
diff --git a/include/iptables.h b/include/iptables.h
index cd51428..9df1a29 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -1,6 +1,7 @@
#ifndef _IPTABLES_USER_H
#define _IPTABLES_USER_H
+#include "xtables.h"
#include "iptables_common.h"
#include "libiptc/libiptc.h"
@@ -21,132 +22,12 @@
#ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
-
-struct ipt_get_revision
-{
- char name[IPT_FUNCTION_MAXNAMELEN-1];
-
- u_int8_t revision;
-};
#endif /* IPT_SO_GET_REVISION_MATCH Old kernel source */
-struct iptables_rule_match
-{
- struct iptables_rule_match *next;
-
- struct iptables_match *match;
-
- /* Multiple matches of the same type: the ones before
- the current one are completed from parsing point of view */
- unsigned int completed;
-};
-
-/* Include file for additions: new matches and targets. */
-struct iptables_match
-{
- struct iptables_match *next;
-
- ipt_chainlabel name;
-
- /* Revision of match (0 by default). */
- u_int8_t revision;
-
- const char *version;
-
- /* Size of match data. */
- size_t size;
-
- /* Size of match data relevent for userspace comparison purposes */
- size_t userspacesize;
-
- /* Function which prints out usage message. */
- void (*help)(void);
-
- /* Initialize the match. */
- void (*init)(struct ipt_entry_match *m, unsigned int *nfcache);
-
- /* Function which parses command options; returns true if it
- ate an option */
- int (*parse)(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match);
-
- /* Final check; exit if not ok. */
- void (*final_check)(unsigned int flags);
-
- /* Prints out the match iff non-NULL: put space at end */
- void (*print)(const struct ipt_ip *ip,
- const struct ipt_entry_match *match, int numeric);
-
- /* Saves the match info in parsable form to stdout. */
- void (*save)(const struct ipt_ip *ip,
- const struct ipt_entry_match *match);
-
- /* Pointer to list of extra command-line options */
- const struct option *extra_opts;
-
- /* Ignore these men behind the curtain: */
- unsigned int option_offset;
- struct ipt_entry_match *m;
- unsigned int mflags;
-#ifdef NO_SHARED_LIBS
- unsigned int loaded; /* simulate loading so options are merged properly */
-#endif
-};
-
-struct iptables_target
-{
- struct iptables_target *next;
-
- ipt_chainlabel name;
-
- /* Revision of target (0 by default). */
- u_int8_t revision;
-
- const char *version;
-
- /* Size of target data. */
- size_t size;
-
- /* Size of target data relevent for userspace comparison purposes */
- size_t userspacesize;
-
- /* Function which prints out usage message. */
- void (*help)(void);
-
- /* Initialize the target. */
- void (*init)(struct ipt_entry_target *t, unsigned int *nfcache);
-
- /* Function which parses command options; returns true if it
- ate an option */
- int (*parse)(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target);
-
- /* Final check; exit if not ok. */
- void (*final_check)(unsigned int flags);
-
- /* Prints out the target iff non-NULL: put space at end */
- void (*print)(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric);
-
- /* Saves the targinfo in parsable form to stdout. */
- void (*save)(const struct ipt_ip *ip,
- const struct ipt_entry_target *target);
-
- /* Pointer to list of extra command-line options */
- struct option *extra_opts;
-
- /* Ignore these men behind the curtain: */
- unsigned int option_offset;
- struct ipt_entry_target *t;
- unsigned int tflags;
- unsigned int used;
-#ifdef NO_SHARED_LIBS
- unsigned int loaded; /* simulate loading so options are merged properly */
-#endif
-};
+#define iptables_rule_match xtables_rule_match
+#define iptables_match xtables_match
+#define iptables_target xtables_target
+#define ipt_tryload xt_tryload
extern int line;
@@ -169,20 +50,6 @@
extern int do_command(int argc, char *argv[], char **table,
iptc_handle_t *handle);
-/* Keeping track of external matches and targets: linked lists. */
-extern struct iptables_match *iptables_matches;
-extern struct iptables_target *iptables_targets;
-
-enum ipt_tryload {
- DONT_LOAD,
- DURING_LOAD,
- TRY_LOAD,
- LOAD_MUST_SUCCEED
-};
-
-extern struct iptables_target *find_target(const char *name, enum ipt_tryload);
-extern struct iptables_match *find_match(const char *name, enum ipt_tryload, struct iptables_rule_match **match);
-
extern int delete_chain(const ipt_chainlabel chain, int verbose,
iptc_handle_t *handle);
extern int flush_entries(const ipt_chainlabel chain, int verbose,