[netfilter-cvslog] r4268 - in trunk/iptables: . extensions include

Mon Sep 19 17:00:34 CEST 2005

Author: laforge at netfilter.org
Date: 2005-09-19 17:00:33 +0200 (Mon, 19 Sep 2005)
New Revision: 4268

Modified:
   trunk/iptables/extensions/libipt_DNAT.c
   trunk/iptables/extensions/libipt_SNAT.c
   trunk/iptables/include/iptables.h
   trunk/iptables/iptables.c
Log:
Kernels higher than 2.6.10 don't support multiple --to arguments in
DNAT and SNAT targets.  At present, the error is somewhat vague:

# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables: Invalid argument

But if we want current iptables to work with kernels <= 2.6.10, we
cannot simply disallow this in all cases.

So the below patch adds kernel version checking to iptables, and
utilizes it in [DS]NAT.  Now, users will see a more informative error:

# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables v1.3.3: Multiple --to-source not supported

This generic infrastructure (shamelessly lifted from procps btw) may
come in handy in the future for other changes.

This fixes bugzilla #367. (Phil Oester)



Modified: trunk/iptables/extensions/libipt_DNAT.c
===================================================================

--- trunk/iptables/extensions/libipt_DNAT.c	2005-09-19 14:58:23 UTC (rev 4267)
+++ trunk/iptables/extensions/libipt_DNAT.c	2005-09-19 15:00:33 UTC (rev 4268)
@@ -155,6 +155,13 @@
 			exit_error(PARAMETER_PROBLEM,
 				   "Unexpected `!' after --to-destination");
 
+		if (*flags) {
+			if (!kernel_version)
+				get_kernel_version();
+			if (kernel_version > LINUX_VERSION(2, 6, 10))
+				exit_error(PARAMETER_PROBLEM,
+					   "Multiple --to-destination not supported");
+		}
 		*target = parse_to(optarg, portok, info);
 		*flags = 1;
 		return 1;

Modified: trunk/iptables/extensions/libipt_SNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_SNAT.c	2005-09-19 14:58:23 UTC (rev 4267)
+++ trunk/iptables/extensions/libipt_SNAT.c	2005-09-19 15:00:33 UTC (rev 4268)
@@ -155,6 +155,13 @@
 			exit_error(PARAMETER_PROBLEM,
 				   "Unexpected `!' after --to-source");
 
+		if (*flags) {
+			if (!kernel_version)
+				get_kernel_version();
+			if (kernel_version > LINUX_VERSION(2, 6, 10))
+				exit_error(PARAMETER_PROBLEM,
+					   "Multiple --to-source not supported");
+		}
 		*target = parse_to(optarg, portok, info);
 		*flags = 1;
 		return 1;

Modified: trunk/iptables/include/iptables.h
===================================================================
--- trunk/iptables/include/iptables.h	2005-09-19 14:58:23 UTC (rev 4267)
+++ trunk/iptables/include/iptables.h	2005-09-19 15:00:33 UTC (rev 4268)
@@ -175,4 +175,13 @@
 			iptc_handle_t *handle);
 extern int for_each_chain(int (*fn)(const ipt_chainlabel, int, iptc_handle_t *),
 		int verbose, int builtinstoo, iptc_handle_t *handle);
+
+/* kernel revision handling */
+extern int kernel_version;
+extern void get_kernel_version(void);
+#define LINUX_VERSION(x,y,z)	(0x10000*(x) + 0x100*(y) + z)
+#define LINUX_VERSION_MAJOR(x)	(((x)>>16) & 0xFF)
+#define LINUX_VERSION_MINOR(x)	(((x)>> 8) & 0xFF)
+#define LINUX_VERSION_PATCH(x)	( (x)      & 0xFF)
+
 #endif /*_IPTABLES_USER_H*/

Modified: trunk/iptables/iptables.c
===================================================================
--- trunk/iptables/iptables.c	2005-09-19 14:58:23 UTC (rev 4267)
+++ trunk/iptables/iptables.c	2005-09-19 15:00:33 UTC (rev 4268)
@@ -39,6 +39,7 @@
 #include <iptables.h>
 #include <fcntl.h>
 #include <sys/wait.h>
+#include <sys/utsname.h>
 
 #ifndef TRUE
 #define TRUE 1
@@ -193,6 +194,8 @@
 const char *program_name;
 char *lib_dir;
 
+int kernel_version;
+
 /* Keeping track of external matches and targets: linked lists.  */
 struct iptables_match *iptables_matches = NULL;
 struct iptables_target *iptables_targets = NULL;
@@ -1804,6 +1807,21 @@
 	name[IPT_FUNCTION_MAXNAMELEN - 1] = revision;
 }
 
+void
+get_kernel_version(void) {
+	static struct utsname uts;
+	int x = 0, y = 0, z = 0;
+
+	if (uname(&uts) == -1) {
+		fprintf(stderr, "Unable to retrieve kernel version.\n");
+		free_opts(1);
+		exit(1); 
+	}
+
+	sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
+	kernel_version = LINUX_VERSION(x, y, z);
+}
+
 int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
 {
 	struct ipt_entry fw, *e = NULL;


