Prepare policy match for x_tables unification by making sure both
authorPatrick McHardy <kaber@trash.net>
Tue, 31 Jan 2006 18:24:14 +0000 (18:24 +0000)
committerPatrick McHardy <kaber@trash.net>
Tue, 31 Jan 2006 18:24:14 +0000 (18:24 +0000)
ipt_policy and ip6t_policy use the same data structure.

extensions/.policy-test [deleted file]
extensions/.policy-test6 [deleted file]
extensions/Makefile
extensions/libip6t_policy.c
extensions/libipt_policy.c
include/linux/netfilter_ipv4/ipt_policy.h [new file with mode: 0644]
include/linux/netfilter_ipv6/ip6t_policy.h [new file with mode: 0644]

diff --git a/extensions/.policy-test b/extensions/.policy-test
deleted file mode 100755 (executable)
index c2bb7bd..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-#
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_policy.h ] && echo policy
diff --git a/extensions/.policy-test6 b/extensions/.policy-test6
deleted file mode 100755 (executable)
index 5e6f484..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-#
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_policy.h ] && echo policy
index a751b29859a66070eecca801bc88f1a84cd71d47..7164e1d2a0a268a8958a042e77e2d6fa2794ba6a 100644 (file)
@@ -5,8 +5,8 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
-PF6_EXT_SLIB:=connmark eui64 hl icmpv6 length limit mac mark multiport owner physdev standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF6_EXT_SLIB:=connmark eui64 hl icmpv6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
 
 # Optionals
 PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
index 54cd5f2badafa5dc203670c4b294889be9b08bc0..74912b47c27144826522fc24b1afc91665ee2cb6 100644 (file)
@@ -237,8 +237,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
 
                e->match.saddr = 1;
                e->invert.saddr = invert;
-               in6addrcpy(&e->saddr, addr);
-               in6addrcpy(&e->smask, &mask);
+               in6addrcpy(&e->saddr.a6, addr);
+               in6addrcpy(&e->smask.a6, &mask);
                 break;
        case '7':
                if (e->match.daddr)
@@ -252,8 +252,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
 
                e->match.daddr = 1;
                e->invert.daddr = invert;
-               in6addrcpy(&e->daddr, addr);
-               in6addrcpy(&e->dmask, &mask);
+               in6addrcpy(&e->daddr.a6, addr);
+               in6addrcpy(&e->dmask.a6, &mask);
                break;
        case '8':
                if (e->match.proto)
index 55b969d15873702d7374ab473d8800e0df757a27..6c8828e1e62ce406c7739e6003061e79b9124eb3 100644 (file)
@@ -197,8 +197,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
 
                e->match.saddr = 1;
                e->invert.saddr = invert;
-               e->saddr = addr[0].s_addr;
-               e->smask = mask.s_addr;
+               e->saddr.a4 = addr[0];
+               e->smask.a4 = mask;
                 break;
        case '7':
                if (e->match.daddr)
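Review bot: The assignments `e->saddr.a4 = addr[0];` and `e->smask.a4 = mask;` fill only the first four bytes of fields that are now a union holding a `struct in6_addr`, and the same applies to `daddr`/`dmask` in the `case '7'` hunk that follows. Whether the remaining bytes are zero depends on how the match data is allocated and initialised, which is outside this hunk, since parse() starts and ends beyond it. If the rule data is handed to the kernel or compared as raw bytes, a stale tail would make identical rules compare unequal and would pass uninitialised process memory along. Clearing the union first, `memset(&e->saddr, 0, sizeof(e->saddr));` (and likewise for the three other fields), or a comment stating that the match area is guaranteed zeroed by the caller, would make this explicit.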
@@ -212,8 +212,8 @@ static int parse(int c, char **argv, int invert, unsigned int *flags,
 
                e->match.daddr = 1;
                e->invert.daddr = invert;
-               e->daddr = addr[0].s_addr;
-               e->dmask = mask.s_addr;
+               e->daddr.a4 = addr[0];
+               e->dmask.a4 = mask;
                break;
        case '8':
                if (e->match.proto)
diff --git a/include/linux/netfilter_ipv4/ipt_policy.h b/include/linux/netfilter_ipv4/ipt_policy.h
new file mode 100644 (file)
index 0000000..a3f6eff
--- /dev/null
@@ -0,0 +1,58 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+
+#define IPT_POLICY_MAX_ELEM    4
+
+enum ipt_policy_flags
+{
+       IPT_POLICY_MATCH_IN     = 0x1,
+       IPT_POLICY_MATCH_OUT    = 0x2,
+       IPT_POLICY_MATCH_NONE   = 0x4,
+       IPT_POLICY_MATCH_STRICT = 0x8,
+};
+
+enum ipt_policy_modes
+{
+       IPT_POLICY_MODE_TRANSPORT,
+       IPT_POLICY_MODE_TUNNEL
+};
+
+struct ipt_policy_spec
+{
+       u_int8_t        saddr:1,
+                       daddr:1,
+                       proto:1,
+                       mode:1,
+                       spi:1,
+                       reqid:1;
+};
+
+union ipt_policy_addr
+{
+       struct in_addr  a4;
+       struct in6_addr a6;
+};
+
+struct ipt_policy_elem
+{
+       union ipt_policy_addr   saddr;
+       union ipt_policy_addr   smask;
+       union ipt_policy_addr   daddr;
+       union ipt_policy_addr   dmask;
+       u_int32_t               spi;
+       u_int32_t               reqid;
+       u_int8_t                proto;
+       u_int8_t                mode;
+
+       struct ipt_policy_spec  match;
+       struct ipt_policy_spec  invert;
+};
+
+struct ipt_policy_info
+{
+       struct ipt_policy_elem pol[IPT_POLICY_MAX_ELEM];
+       u_int16_t flags;
+       u_int16_t len;
+};
+
+#endif /* _IPT_POLICY_H */
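Review bot: `union ipt_policy_addr` uses `struct in_addr` and `struct in6_addr`, and the structs use `u_int8_t`/`u_int16_t`/`u_int32_t`, but the header includes nothing that declares them, so it compiles only if the includer has already pulled in the right headers; ip6t_policy.h below has the same gap. If this copy is only ever built in userspace, adding `#include <sys/types.h>` and `#include <netinet/in.h>` after the include guard would make it self-contained. Otherwise a comment such as `/* Requires struct in_addr and struct in6_addr to be declared before inclusion. */` would at least record the prerequisite.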
diff --git a/include/linux/netfilter_ipv6/ip6t_policy.h b/include/linux/netfilter_ipv6/ip6t_policy.h
new file mode 100644 (file)
index 0000000..671bd81
--- /dev/null
@@ -0,0 +1,58 @@
+#ifndef _IP6T_POLICY_H
+#define _IP6T_POLICY_H
+
+#define IP6T_POLICY_MAX_ELEM   4
+
+enum ip6t_policy_flags
+{
+       IP6T_POLICY_MATCH_IN            = 0x1,
+       IP6T_POLICY_MATCH_OUT           = 0x2,
+       IP6T_POLICY_MATCH_NONE          = 0x4,
+       IP6T_POLICY_MATCH_STRICT        = 0x8,
+};
+
+enum ip6t_policy_modes
+{
+       IP6T_POLICY_MODE_TRANSPORT,
+       IP6T_POLICY_MODE_TUNNEL
+};
+
+struct ip6t_policy_spec
+{
+       u_int8_t        saddr:1,
+                       daddr:1,
+                       proto:1,
+                       mode:1,
+                       spi:1,
+                       reqid:1;
+};
+
+union ip6t_policy_addr
+{
+       struct in_addr  a4;
+       struct in6_addr a6;
+};
+
+struct ip6t_policy_elem
+{
+       union ip6t_policy_addr  saddr;
+       union ip6t_policy_addr  smask;
+       union ip6t_policy_addr  daddr;
+       union ip6t_policy_addr  dmask;
+       u_int32_t               spi;
+       u_int32_t               reqid;
+       u_int8_t                proto;
+       u_int8_t                mode;
+
+       struct ip6t_policy_spec match;
+       struct ip6t_policy_spec invert;
+};
+
+struct ip6t_policy_info
+{
+       struct ip6t_policy_elem pol[IP6T_POLICY_MAX_ELEM];
+       u_int16_t flags;
+       u_int16_t len;
+};
+
+#endif /* _IP6T_POLICY_H */
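Review bot: Nothing ties these definitions to the ones in ipt_policy.h: the two headers repeat the same layout under different names, so a later edit to one of them would silently break the "same data structure" property the commit message relies on. A comment above `struct ip6t_policy_info` such as `/* Layout must stay byte-identical to struct ipt_policy_info in ipt_policy.h. */` would document the constraint. A compile-time size comparison in a file that includes both headers would catch drift; because `struct ip6t_policy_spec` is a bit-field whose packing is compiler-defined, such a check is more reliable than reading the two files side by side.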