[netfilter-cvslog] r4451 - trunk/iptables

laforge at netfilter.org laforge at netfilter.org
Sat Nov 5 10:26:41 CET 2005


Author: laforge at netfilter.org
Date: 2005-11-05 10:26:40 +0100 (Sat, 05 Nov 2005)
New Revision: 4451

Modified:
   trunk/iptables/iptables-save.c
   trunk/iptables/iptables.8.in
   trunk/iptables/iptables.c
Log:
add 'goto' support (Henrik Nordstrom <hno at marasystems.com>)


Modified: trunk/iptables/iptables-save.c
===================================================================
--- trunk/iptables/iptables-save.c	2005-11-04 18:53:06 UTC (rev 4450)
+++ trunk/iptables/iptables-save.c	2005-11-05 09:26:40 UTC (rev 4451)
@@ -197,7 +197,7 @@
 	/* Print target name */	
 	target_name = iptc_get_target(e, h);
 	if (target_name && (*target_name != '\0'))
-		printf("-j %s ", target_name);
+		printf("-%c %s ", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
 
 	/* Print targinfo part */
 	t = ipt_get_target((struct ipt_entry *)e);
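Review bot: `IPT_F_GOTO` is used unconditionally in this `printf`, while the iptables.c hunks at @@ -402, @@ -2035 and @@ -2387 wrap their uses in `#ifdef IPT_F_GOTO`; the `[goto]` test added at @@ -1410 is unguarded as well. If the macro can be missing from the kernel headers, which is what those guards imply, both files fail to compile; if it cannot, the guards are dead weight. The same mismatch leaves the `{ "goto", 1, 0, 'g' }` table entry (@@ -135) and the `g:` in the getopt string (@@ -1867) active when `case 'g'` is compiled out, so `-g` would reach whatever the switch does by default instead of a clear rejection. Either drop the guards everywhere or guard every use, here by keeping the old `printf("-j %s ", target_name);` under `#else`.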

Modified: trunk/iptables/iptables.8.in
===================================================================
--- trunk/iptables/iptables.8.in	2005-11-04 18:53:06 UTC (rev 4450)
+++ trunk/iptables/iptables.8.in	2005-11-05 09:26:40 UTC (rev 4451)
@@ -296,10 +296,18 @@
 the fate of the packet immediately, or an extension (see
 .B EXTENSIONS
 below).  If this
-option is omitted in a rule, then matching the rule will have no
+option is omitted in a rule (and
+.B -g
+is not used), then matching the rule will have no
 effect on the packet's fate, but the counters on the rule will be
 incremented.
 .TP
+.BI "-g, --goto " "chain"
+This specifies that the processing should continue in a user
+specified chain. Unlike the --jump option return will not continue
+processing in this chain but instead in the chain that called us via
+--jump.
+.TP
 .BR "-i, --in-interface " "[!] \fIname\fP"
 Name of an interface via which a packet was received (only for
 packets entering the 

Modified: trunk/iptables/iptables.c
===================================================================
--- trunk/iptables/iptables.c	2005-11-04 18:53:06 UTC (rev 4450)
+++ trunk/iptables/iptables.c	2005-11-05 09:26:40 UTC (rev 4451)
@@ -135,6 +135,7 @@
 	{ "line-numbers", 0, 0, '0' },
 	{ "modprobe", 1, 0, 'M' },
 	{ "set-counters", 1, 0, 'c' },
+	{ "goto", 1, 0, 'g' },
 	{ 0 }
 };
 
@@ -402,6 +403,10 @@
 "				network interface name ([+] for wildcard)\n"
 "  --jump	-j target\n"
 "				target for rule (may load target extension)\n"
+#ifdef IPT_F_GOTO
+"  --goto      -g chain\n"
+"                              jump to chain with no return\n"
+#endif
 "  --match	-m match\n"
 "				extended match (may load extension)\n"
 "  --numeric	-n		numeric output of addresses and ports\n"
@@ -1410,6 +1415,9 @@
 	if (format & FMT_NOTABLE)
 		fputs("  ", stdout);
 
+	if(fw->ip.flags & IPT_F_GOTO)
+		printf("[goto] ");
+
 	IPT_MATCH_ITERATE(fw, print_match, &fw->ip, format & FMT_NUMERIC);
 
 	if (target) {
@@ -1867,7 +1875,7 @@
 	opterr = 0;
 
 	while ((c = getopt_long(argc, argv,
-	   "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:",
+	   "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:",
 					   opts, NULL)) != -1) {
 		switch (c) {
 			/*
@@ -2035,6 +2043,15 @@
 			dhostnetworkmask = argv[optind-1];
 			break;
 
+#ifdef IPT_F_GOTO
+		case 'g':
+			set_option(&options, OPT_JUMP, &fw.ip.invflags,
+				   invert);
+			fw.ip.flags |= IPT_F_GOTO;
+			jumpto = parse_target(optarg);
+			break;
+#endif
+
 		case 'j':
 			set_option(&options, OPT_JUMP, &fw.ip.invflags,
 				   invert);
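Review bot: `case 'g'` gives no hint of why it reuses `OPT_JUMP` or where the chain name is validated, since it only stores `parse_target(optarg)` and sets the flag. A short comment would save the next reader a search, for example `/* goto: same option slot as -j; the name must be a user chain, checked after parsing where IPT_F_GOTO is tested before find_target() */`. It also passes `invert` to `set_option` exactly as `-j` does, and whether `! -g` is meant to be accepted is not visible from here. The switch body continues outside the hunk.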
@@ -2387,6 +2404,11 @@
 			 * We cannot know if the plugin is corrupt, non
 			 * existant OR if the user just misspelled a
 			 * chain. */
+#ifdef IPT_F_GOTO
+			if (fw.ip.flags & IPT_F_GOTO)
+				exit_error(PARAMETER_PROBLEM,
+					   "goto '%s' is not a chain\n", jumpto);
+#endif
 			find_target(jumpto, LOAD_MUST_SUCCEED);
 		} else {
 			e = generate_entry(&fw, matches, target->t);
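Review bot: The format string `"goto '%s' is not a chain\n"` ends in a newline; if `exit_error` terminates its message itself (its definition is outside this hunk), the user gets a stray blank line, so `"goto '%s' is not a chain"` is the safer spelling. The rejection also lives only in this branch, whose condition starts outside the hunk. It is worth confirming that every non-chain name given to `-g`, built-in verdicts included, ends up here rather than in the `generate_entry` path with `IPT_F_GOTO` still set in `fw.ip.flags`.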



