iptables.spec
iptables-1.4.12.tar.bz2/INSTALL
@@ -31,7 +31,7 @@
--with-xtlibdir=
The path to where Xtables extensions should be installed to. It
- defaults to ${prefix}/libexec/xtables.
+ defaults to ${libdir}/xtables.
--enable-devel (or --disable-devel)
iptables-1.4.12.tar.bz2/config.h.in
@@ -6,6 +6,18 @@
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
+/* Define to 1 if you have the <linux/dccp.h> header file. */
+#undef HAVE_LINUX_DCCP_H
+
+/* Define to 1 if you have the <linux/ip_vs.h> header file. */
+#undef HAVE_LINUX_IP_VS_H
+
+/* Define to 1 if you have the <linux/magic.h> header file. */
+#undef HAVE_LINUX_MAGIC_H
+
+/* Define to 1 if you have the <linux/proc_fs.h> header file. */
+#undef HAVE_LINUX_PROC_FS_H
+
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
iptables-1.4.12.tar.bz2/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for iptables 1.4.11.1.
+# Generated by GNU Autoconf 2.67 for iptables 1.4.12.
#
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -698,8 +698,8 @@
# Identity of this package.
PACKAGE_NAME='iptables'
PACKAGE_TARNAME='iptables'
-PACKAGE_VERSION='1.4.11.1'
-PACKAGE_STRING='iptables 1.4.11.1'
+PACKAGE_VERSION='1.4.12'
+PACKAGE_STRING='iptables 1.4.12'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1459,7 +1459,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures iptables 1.4.11.1 to adapt to many kinds of systems.
+\`configure' configures iptables 1.4.12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1529,7 +1529,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of iptables 1.4.11.1:";;
+ short | recursive ) echo "Configuration of iptables 1.4.12:";;
esac
cat <<\_ACEOF
@@ -1651,7 +1651,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-iptables configure 1.4.11.1
+iptables configure 1.4.12
generated by GNU Autoconf 2.67
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2016,7 +2016,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by iptables $as_me 1.4.11.1, which was
+It was created by iptables $as_me 1.4.12, which was
generated by GNU Autoconf 2.67. Invocation command line was
$ $0 $@
@@ -2366,7 +2366,7 @@
# See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=6
+libxtables_vcurrent=7
libxtables_vage=0
ac_config_headers="$ac_config_headers config.h"
@@ -2839,7 +2839,7 @@
# Define the identity of the package.
PACKAGE='iptables'
- VERSION='1.4.11.1'
+ VERSION='1.4.12'
cat >>confdefs.h <<_ACEOF
@@ -10636,7 +10636,7 @@
if test "${with_xtlibdir+set}" = set; then :
withval=$with_xtlibdir; xtlibdir="$withval"
else
- xtlibdir="${libexecdir}/xtables"
+ xtlibdir="${libdir}/xtables"
fi
# Check whether --enable-ipv4 was given.
@@ -10725,22 +10725,22 @@
blacklist_modules="";
-ac_fn_c_check_header_mongrel "$LINENO" "linux/dccp.h" "ac_cv_header_linux_dccp_h" "$ac_includes_default"
-if test "x$ac_cv_header_linux_dccp_h" = x""yes; then :
+for ac_header in linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
fi
+done
if test "$ac_cv_header_linux_dccp_h" != "yes"; then
blacklist_modules="$blacklist_modules dccp";
fi;
-
-ac_fn_c_check_header_mongrel "$LINENO" "linux/ip_vs.h" "ac_cv_header_linux_ip_vs_h" "$ac_includes_default"
-if test "x$ac_cv_header_linux_ip_vs_h" = x""yes; then :
-
-fi
-
-
if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
blacklist_modules="$blacklist_modules ipvs";
fi;
@@ -11584,7 +11584,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by iptables $as_me 1.4.11.1, which was
+This file was extended by iptables $as_me 1.4.12, which was
generated by GNU Autoconf 2.67. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -11650,7 +11650,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-iptables config.status 1.4.11.1
+iptables config.status 1.4.12
configured by $0, generated by GNU Autoconf 2.67,
with options \\"\$ac_cs_config\\"
iptables-1.4.12.tar.bz2/configure.ac
@@ -1,8 +1,8 @@
-AC_INIT([iptables], [1.4.11.1])
+AC_INIT([iptables], [1.4.12])
# See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=6
+libxtables_vcurrent=7
libxtables_vage=0
AC_CONFIG_HEADERS([config.h])
@@ -30,7 +30,7 @@
AS_HELP_STRING([--with-xtlibdir=PATH],
[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
[xtlibdir="$withval"],
- [xtlibdir="${libexecdir}/xtables"])
+ [xtlibdir="${libdir}/xtables"])
AC_ARG_ENABLE([ipv4],
AS_HELP_STRING([--disable-ipv4], [Do not build iptables]),
[enable_ipv4="$enableval"], [enable_ipv4="yes"])
@@ -59,12 +59,10 @@
blacklist_modules="";
-AC_CHECK_HEADER([linux/dccp.h])
+AC_CHECK_HEADERS([linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h])
if test "$ac_cv_header_linux_dccp_h" != "yes"; then
blacklist_modules="$blacklist_modules dccp";
fi;
-
-AC_CHECK_HEADER([linux/ip_vs.h])
if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
blacklist_modules="$blacklist_modules ipvs";
fi;
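Review bot: The help string `[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),` is left untouched while the default two lines below it changes to `${libdir}/xtables`, so `./configure --help` now documents the wrong default. Change it to `[Path where to install Xtables extensions [[LIBDIR/xtables]]]),`. INSTALL was already corrected in this commit, so this is the only stale mention; the generated configure inherits it on the next regeneration.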
iptables-1.4.12.tar.bz2/extensions/libip6t_HL.c
@@ -20,12 +20,12 @@
#define s struct ip6t_HL_info
static const struct xt_option_entry HL_opts[] = {
- {.name = "ttl-set", .type = XTTYPE_UINT8, .id = O_HL_SET,
+ {.name = "hl-set", .type = XTTYPE_UINT8, .id = O_HL_SET,
.excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit)},
- {.name = "ttl-dec", .type = XTTYPE_UINT8, .id = O_HL_DEC,
+ {.name = "hl-dec", .type = XTTYPE_UINT8, .id = O_HL_DEC,
.excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit),
.min = 1},
- {.name = "ttl-inc", .type = XTTYPE_UINT8, .id = O_HL_INC,
+ {.name = "hl-inc", .type = XTTYPE_UINT8, .id = O_HL_INC,
.excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit),
.min = 1},
XTOPT_TABLEEND,
iptables-1.4.12.tar.bz2/extensions/libip6t_LOG.c
@@ -87,19 +87,19 @@
"Newlines not allowed in --log-prefix");
break;
case O_LOG_TCPSEQ:
- info->logflags = IP6T_LOG_TCPSEQ;
+ info->logflags |= IP6T_LOG_TCPSEQ;
break;
case O_LOG_TCPOPTS:
- info->logflags = IP6T_LOG_TCPOPT;
+ info->logflags |= IP6T_LOG_TCPOPT;
break;
case O_LOG_IPOPTS:
- info->logflags = IP6T_LOG_IPOPT;
+ info->logflags |= IP6T_LOG_IPOPT;
break;
case O_LOG_UID:
- info->logflags = IP6T_LOG_UID;
+ info->logflags |= IP6T_LOG_UID;
break;
case O_LOG_MAC:
- info->logflags = IP6T_LOG_MACDECODE;
+ info->logflags |= IP6T_LOG_MACDECODE;
break;
}
}
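Review bot: Switching the `O_LOG_*` cases from `=` to `|=` makes the result depend on `info->logflags` being zero before the first option is parsed; both the initialisation of the target data and the start of the enclosing parse function are outside this hunk, so confirm it is zeroed rather than carrying a value from a previous rule. A one-line comment above the switch would record the intent: `/* flags accumulate: several --log-* options may be combined in one rule */`. The same change is made in libipt_LOG.c below and this note applies there as well.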
iptables-1.4.12.tar.bz2/extensions/libipt_LOG.c
@@ -87,19 +87,19 @@
"Newlines not allowed in --log-prefix");
break;
case O_LOG_TCPSEQ:
- info->logflags = IPT_LOG_TCPSEQ;
+ info->logflags |= IPT_LOG_TCPSEQ;
break;
case O_LOG_TCPOPTS:
- info->logflags = IPT_LOG_TCPOPT;
+ info->logflags |= IPT_LOG_TCPOPT;
break;
case O_LOG_IPOPTS:
- info->logflags = IPT_LOG_IPOPT;
+ info->logflags |= IPT_LOG_IPOPT;
break;
case O_LOG_UID:
- info->logflags = IPT_LOG_UID;
+ info->logflags |= IPT_LOG_UID;
break;
case O_LOG_MAC:
- info->logflags = IPT_LOG_MACDECODE;
+ info->logflags |= IPT_LOG_MACDECODE;
break;
}
}
iptables-1.4.12.tar.bz2/extensions/libxt_NFLOG.man
@@ -9,7 +9,7 @@
non-terminating target, i.e. rule traversal continues at the next rule.
.TP
\fB\-\-nflog\-group\fP \fInlgroup\fP
-The netlink group (1 \- 2^32\-1) to which packets are (only applicable for
+The netlink group (0 - 2^16\-1) to which packets are (only applicable for
nfnetlink_log). The default value is 0.
.TP
\fB\-\-nflog\-prefix\fP \fIprefix\fP
iptables-1.4.12.tar.bz2/extensions/libxt_RATEEST.c
@@ -1,19 +1,16 @@
-#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
-#include <stddef.h>
-#include <getopt.h>
#include <math.h>
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_RATEEST.h>
-/* hack to pass raw values to final_check */
-static struct xt_rateest_target_info *RATEEST_info;
-static unsigned int interval;
-static unsigned int ewma_log;
+struct rateest_tg_udata {
+ unsigned int interval;
+ unsigned int ewma_log;
+};
static void
RATEEST_help(void)
@@ -25,18 +22,23 @@
" --rateest-ewmalog value Rate measurement averaging time constant\n");
}
-enum RATEEST_options {
- RATEEST_OPT_NAME,
- RATEEST_OPT_INTERVAL,
- RATEEST_OPT_EWMALOG,
+enum {
+ O_NAME = 0,
+ O_INTERVAL,
+ O_EWMALOG,
};
-static const struct option RATEEST_opts[] = {
- {.name = "rateest-name", .has_arg = true, .val = RATEEST_OPT_NAME},
- {.name = "rateest-interval", .has_arg = true, .val = RATEEST_OPT_INTERVAL},
- {.name = "rateest-ewmalog", .has_arg = true, .val = RATEEST_OPT_EWMALOG},
- XT_GETOPT_TABLEEND,
+#define s struct xt_rateest_target_info
+static const struct xt_option_entry RATEEST_opts[] = {
+ {.name = "rateest-name", .id = O_NAME, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name)},
+ {.name = "rateest-interval", .id = O_INTERVAL, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND},
+ {.name = "rateest-ewmalog", .id = O_EWMALOG, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND},
+ XTOPT_TABLEEND,
};
+#undef s
/* Copied from iproute */
#define TIME_UNITS_PER_SEC 1000000
@@ -82,66 +84,34 @@
printf(" %uus", time);
}
-static int
-RATEEST_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
+static void RATEEST_parse(struct xt_option_call *cb)
{
- struct xt_rateest_target_info *info = (void *)(*target)->data;
-
- RATEEST_info = info;
+ struct rateest_tg_udata *udata = cb->udata;
- switch (c) {
- case RATEEST_OPT_NAME:
- if (*flags & (1 << c))
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_INTERVAL:
+ if (RATEEST_get_time(&udata->interval, cb->arg) < 0)
xtables_error(PARAMETER_PROBLEM,
- "RATEEST: can't specify --rateest-name twice");
- *flags |= 1 << c;
-
- strncpy(info->name, optarg, sizeof(info->name) - 1);
+ "RATEEST: bad interval value \"%s\"",
+ cb->arg);
break;
-
- case RATEEST_OPT_INTERVAL:
- if (*flags & (1 << c))
+ case O_EWMALOG:
+ if (RATEEST_get_time(&udata->ewma_log, cb->arg) < 0)
xtables_error(PARAMETER_PROBLEM,
- "RATEEST: can't specify --rateest-interval twice");
- *flags |= 1 << c;
-
- if (RATEEST_get_time(&interval, optarg) < 0)
- xtables_error(PARAMETER_PROBLEM,
- "RATEEST: bad interval value `%s'", optarg);
-
- break;
-
- case RATEEST_OPT_EWMALOG:
- if (*flags & (1 << c))
- xtables_error(PARAMETER_PROBLEM,
- "RATEEST: can't specify --rateest-ewmalog twice");
- *flags |= 1 << c;
-
- if (RATEEST_get_time(&ewma_log, optarg) < 0)
- xtables_error(PARAMETER_PROBLEM,
- "RATEEST: bad ewmalog value `%s'", optarg);
-
+ "RATEEST: bad ewmalog value \"%s\"",
+ cb->arg);
break;
}
-
- return 1;
}
-static void
-RATEEST_final_check(unsigned int flags)
+static void RATEEST_final_check(struct xt_fcheck_call *cb)
{
- struct xt_rateest_target_info *info = RATEEST_info;
-
- if (!(flags & (1 << RATEEST_OPT_NAME)))
- xtables_error(PARAMETER_PROBLEM, "RATEEST: no name specified");
- if (!(flags & (1 << RATEEST_OPT_INTERVAL)))
- xtables_error(PARAMETER_PROBLEM, "RATEEST: no interval specified");
- if (!(flags & (1 << RATEEST_OPT_EWMALOG)))
- xtables_error(PARAMETER_PROBLEM, "RATEEST: no ewmalog specified");
+ struct xt_rateest_target_info *info = cb->data;
+ struct rateest_tg_udata *udata = cb->udata;
for (info->interval = 0; info->interval <= 5; info->interval++) {
- if (interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
+ if (udata->interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4))
break;
}
@@ -152,7 +122,7 @@
for (info->ewma_log = 1; info->ewma_log < 32; info->ewma_log++) {
double w = 1.0 - 1.0 / (1 << info->ewma_log);
- if (interval / (-log(w)) > ewma_log)
+ if (udata->interval / (-log(w)) > udata->ewma_log)
break;
}
info->ewma_log--;
@@ -197,13 +167,14 @@
.name = "RATEEST",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
+ .userspacesize = offsetof(struct xt_rateest_target_info, est),
.help = RATEEST_help,
- .parse = RATEEST_parse,
- .final_check = RATEEST_final_check,
+ .x6_parse = RATEEST_parse,
+ .x6_fcheck = RATEEST_final_check,
.print = RATEEST_print,
.save = RATEEST_save,
- .extra_opts = RATEEST_opts,
+ .x6_options = RATEEST_opts,
+ .udata_size = sizeof(struct rateest_tg_udata),
};
void _init(void)
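Review bot: The last hunk adds `.userspacesize = offsetof(struct xt_rateest_target_info, est),` while the first hunk drops `#include <stddef.h>`, the header that declares `offsetof`; this now builds only if xtables.h (which `XTOPT_POINTER` presumably needs it for as well) pulls stddef.h in transitively. Keep `#include <stddef.h>` in the include list so the dependency is explicit. The deleted "hack to pass raw values to final_check" remark should be replaced by a comment on the new struct, e.g. `/* raw option values, quantised into the kernel struct by RATEEST_final_check */`, since `RATEEST_parse` stores into `udata` and `RATEEST_final_check` reads it back.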
iptables-1.4.12.tar.bz2/extensions/libxt_SET.c
@@ -67,10 +67,6 @@
xtables_error(PARAMETER_PROBLEM,
"--%s can be specified only once", what);
- if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
- xtables_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
@@ -173,11 +169,6 @@
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
"--%s can be specified only once", what);
-
- if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
- xtables_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
iptables-1.4.12.tar.bz2/extensions/libxt_TOS.man
@@ -4,24 +4,33 @@
\fBmangle\fP table.
.TP
\fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP]
-Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the
-TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
+Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP
+into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed.
.TP
\fB\-\-set\-tos\fP \fIsymbol\fP
You can specify a symbolic name when using the TOS target for IPv4. It implies
-a mask of 0xFF. The list of recognized TOS names can be obtained by calling
-iptables with \fB\-j TOS \-h\fP.
+a mask of 0xFF (see NOTE below). The list of recognized TOS names can be
+obtained by calling iptables with \fB\-j TOS \-h\fP.
.PP
The following mnemonics are available:
.TP
\fB\-\-and\-tos\fP \fIbits\fP
Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos
-0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.)
+0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.
+See NOTE below.)
.TP
\fB\-\-or\-tos\fP \fIbits\fP
Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
-\fIbits\fP\fB/\fP\fIbits\fP.)
+\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.)
.TP
\fB\-\-xor\-tos\fP \fIbits\fP
Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
-\fIbits\fP\fB/0\fP.)
+\fIbits\fP\fB/0\fP. See NOTE below.)
+.PP
+NOTE: In Linux kernels up to and including 2.6.38, with the exception of
+longterm releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug
+whereby IPv6 TOS mangling does not behave as documented and differs from the
+IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs
+to be inverted before applying it to the original TOS field. However, the
+aformentioned kernels forgo the inversion which breaks --set-tos and its
+mnemonics.
iptables-1.4.12.tar.bz2/extensions/libxt_conntrack.c
@@ -93,7 +93,8 @@
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT},
+ .flags = XTOPT_INVERT,
+ XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST,
@@ -110,13 +111,45 @@
};
#undef s
+#define s struct xt_conntrack_mtinfo2
+/* We exploit the fact that v1-v2 share the same xt_o_e layout */
+static const struct xt_option_entry conntrack2_mt_opts[] = {
+ {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT},
+ {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
+ .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
+ {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT},
+ {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
+ .flags = XTOPT_INVERT},
+ {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT,
+ .flags = XTOPT_INVERT | XTOPT_NBO},
+ {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
+ XTOPT_TABLEEND,
+};
+#undef s
+
#define s struct xt_conntrack_mtinfo3 /* for v1-v3 */
/* We exploit the fact that v1-v3 share the same layout */
-static const struct xt_option_entry conntrack_mt_opts[] = {
+static const struct xt_option_entry conntrack3_mt_opts[] = {
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT},
+ .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
@@ -305,8 +338,6 @@
case O_CTPROTO:
if (cb->invert)
sinfo->invflags |= XT_CONNTRACK_PROTO;
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
-
if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
&& (sinfo->invflags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM,
@@ -369,7 +400,6 @@
info->invert_flags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
- info->l4proto = cb->val.protocol;
if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
"never match protocol");
@@ -992,7 +1022,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt4_print,
.save = conntrack1_mt4_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1006,7 +1036,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt6_print,
.save = conntrack1_mt6_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1020,7 +1050,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt_print,
.save = conntrack2_mt_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1034,7 +1064,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt6_print,
.save = conntrack2_mt6_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack2_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1048,7 +1078,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt_print,
.save = conntrack3_mt_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack3_mt_opts,
},
{
.version = XTABLES_VERSION,
@@ -1062,7 +1092,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt6_print,
.save = conntrack3_mt6_save,
- .x6_options = conntrack_mt_opts,
+ .x6_options = conntrack3_mt_opts,
},
};
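Review bot: Removing `sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;` and `info->l4proto = cb->val.protocol;` leaves the `== 0 && ... XT_INV_PROTO` checks reading a field that is now filled only through `XTOPT_POINTER`, i.e. by `xtables_option_parse(cb)`; that call sits before the switch outside these hunks, so confirm it precedes the check in both parse functions, otherwise `! --ctproto` with an unknown protocol would pass validation and install a rule that never matches. Separately, `conntrack2_mt_opts` is a verbatim copy of `conntrack3_mt_opts` except for the struct named in `XTOPT_POINTER`; a comment such as `/* identical to the v3 table, duplicated only because XTOPT_POINTER must name the v2 struct */` would explain why it is not shared.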
iptables-1.4.12.tar.bz2/extensions/libxt_hashlimit.c
@@ -25,6 +25,10 @@
#define XT_HASHLIMIT_GCINTERVAL 1000
#define XT_HASHLIMIT_EXPIRE 10000
+struct hashlimit_mt_udata {
+ uint32_t mult;
+};
+
static void hashlimit_help(void)
{
printf(
@@ -56,8 +60,9 @@
O_HTABLE_MAX,
O_HTABLE_GCINT,
O_HTABLE_EXPIRE,
- F_UPTO = 1 << O_UPTO,
- F_ABOVE = 1 << O_ABOVE,
+ F_UPTO = 1 << O_UPTO,
+ F_ABOVE = 1 << O_ABOVE,
+ F_HTABLE_EXPIRE = 1 << O_HTABLE_EXPIRE,
};
static void hashlimit_mt_help(void)
@@ -141,25 +146,25 @@
#undef s
static
-int parse_rate(const char *rate, uint32_t *val)
+int parse_rate(const char *rate, uint32_t *val, struct hashlimit_mt_udata *ud)
{
const char *delim;
uint32_t r;
- uint32_t mult = 1; /* Seconds by default. */
+ ud->mult = 1; /* Seconds by default. */
delim = strchr(rate, '/');
if (delim) {
if (strlen(delim+1) == 0)
return 0;
if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
+ ud->mult = 1;
else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
+ ud->mult = 60;
else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
+ ud->mult = 60*60;
else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
+ ud->mult = 24*60*60;
else
return 0;
}
@@ -169,10 +174,10 @@
/* This would get mapped to infinite (1/day is minimum they
can specify, so we're ok at that end). */
- if (r / mult > XT_HASHLIMIT_SCALE)
+ if (r / ud->mult > XT_HASHLIMIT_SCALE)
xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
- *val = XT_HASHLIMIT_SCALE * mult / r;
+ *val = XT_HASHLIMIT_SCALE * ud->mult / r;
return 1;
}
@@ -248,14 +253,14 @@
case O_UPTO:
if (cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-upto", cb->arg);
break;
case O_ABOVE:
if (!cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-above", cb->arg);
break;
@@ -276,14 +281,14 @@
case O_UPTO:
if (cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-upto", cb->arg);
break;
case O_ABOVE:
if (!cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg))
+ if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-above", cb->arg);
break;
@@ -303,9 +308,26 @@
static void hashlimit_check(struct xt_fcheck_call *cb)
{
+ const struct hashlimit_mt_udata *udata = cb->udata;
+ struct xt_hashlimit_info *info = cb->data;
+
if (!(cb->xflags & (F_UPTO | F_ABOVE)))
xtables_error(PARAMETER_PROBLEM,
"You have to specify --hashlimit");
+ if (!(cb->xflags & F_HTABLE_EXPIRE))
+ info->cfg.expire = udata->mult;
+}
+
+static void hashlimit_mt_check(struct xt_fcheck_call *cb)
+{
+ const struct hashlimit_mt_udata *udata = cb->udata;
+ struct xt_hashlimit_mtinfo1 *info = cb->data;
+
+ if (!(cb->xflags & (F_UPTO | F_ABOVE)))
+ xtables_error(PARAMETER_PROBLEM,
+ "You have to specify --hashlimit");
+ if (!(cb->xflags & F_HTABLE_EXPIRE))
+ info->cfg.expire = udata->mult;
}
static const struct rates
@@ -508,6 +530,7 @@
.print = hashlimit_print,
.save = hashlimit_save,
.x6_options = hashlimit_mt_opts,
+ .udata_size = sizeof(struct hashlimit_mt_udata),
},
{
.version = XTABLES_VERSION,
@@ -519,10 +542,11 @@
.help = hashlimit_mt_help,
.init = hashlimit_mt4_init,
.x6_parse = hashlimit_mt_parse,
- .x6_fcheck = hashlimit_check,
+ .x6_fcheck = hashlimit_mt_check,
.print = hashlimit_mt4_print,
.save = hashlimit_mt4_save,
.x6_options = hashlimit_mt_opts,
+ .udata_size = sizeof(struct hashlimit_mt_udata),
},
{
.version = XTABLES_VERSION,
@@ -534,10 +558,11 @@
.help = hashlimit_mt_help,
.init = hashlimit_mt6_init,
.x6_parse = hashlimit_mt_parse,
- .x6_fcheck = hashlimit_check,
+ .x6_fcheck = hashlimit_mt_check,
.print = hashlimit_mt6_print,
.save = hashlimit_mt6_save,
.x6_options = hashlimit_mt_opts,
+ .udata_size = sizeof(struct hashlimit_mt_udata),
},
};
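Review bot: `info->cfg.expire = udata->mult;` in both `hashlimit_check` and `hashlimit_mt_check` assigns a value in seconds (`parse_rate` sets `ud->mult` to 1, 60, 60*60 or 24*60*60) to a field whose default `XT_HASHLIMIT_EXPIRE 10000` suggests milliseconds; if that is the unit, the derived expiry is 1000x too short, e.g. `--hashlimit-upto 5/minute` without `--hashlimit-htable-expire` would expire entries after 60 ms and the limit would not behave as a per-minute limit. The line should then read `info->cfg.expire = udata->mult * 1000; /* s -> ms */` in both functions. The two check functions also differ only in the type of `info`; a comment noting that they are kept separate because `xt_hashlimit_info` and `xt_hashlimit_mtinfo1` do not share a layout would stop the next reader from merging them.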
iptables-1.4.12.tar.bz2/extensions/libxt_rateest.c
@@ -8,9 +8,6 @@
#include <xtables.h>
#include <linux/netfilter/xt_rateest.h>
-/* Ugly hack to pass info to final_check function. We should fix the API */
-static struct xt_rateest_match_info *rateest_info;
-
static void rateest_help(void)
{
printf(
@@ -115,11 +112,8 @@
struct xt_rateest_match_info *info = (void *)(*match)->data;
unsigned int val;
- rateest_info = info;
-
switch (c) {
case OPT_RATEEST1:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest can't be inverted");
@@ -133,7 +127,6 @@
break;
case OPT_RATEEST2:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest can't be inverted");
@@ -148,7 +141,6 @@
break;
case OPT_RATEEST_BPS1:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-bps can't be inverted");
@@ -172,7 +164,6 @@
break;
case OPT_RATEEST_PPS1:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-pps can't be inverted");
@@ -197,7 +188,6 @@
break;
case OPT_RATEEST_BPS2:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-bps can't be inverted");
@@ -221,7 +211,6 @@
break;
case OPT_RATEEST_PPS2:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-pps can't be inverted");
@@ -246,7 +235,6 @@
break;
case OPT_RATEEST_DELTA:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
xtables_error(PARAMETER_PROBLEM,
"rateest: rateest-delta can't be inverted");
@@ -260,8 +248,6 @@
break;
case OPT_RATEEST_EQ:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (*flags & (1 << c))
xtables_error(PARAMETER_PROBLEM,
"rateest: can't specify lt/gt/eq twice");
@@ -273,8 +259,6 @@
break;
case OPT_RATEEST_LT:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (*flags & (1 << c))
xtables_error(PARAMETER_PROBLEM,
"rateest: can't specify lt/gt/eq twice");
@@ -286,8 +270,6 @@
break;
case OPT_RATEEST_GT:
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (*flags & (1 << c))
xtables_error(PARAMETER_PROBLEM,
"rateest: can't specify lt/gt/eq twice");
@@ -302,10 +284,9 @@
return 1;
}
-static void
-rateest_final_check(unsigned int flags)
+static void rateest_final_check(struct xt_fcheck_call *cb)
{
- struct xt_rateest_match_info *info = rateest_info;
+ struct xt_rateest_match_info *info = cb->data;
if (info == NULL)
xtables_error(PARAMETER_PROBLEM, "rateest match: "
@@ -439,7 +420,7 @@
.userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
.help = rateest_help,
.parse = rateest_parse,
- .final_check = rateest_final_check,
+ .x6_fcheck = rateest_final_check,
.print = rateest_print,
.save = rateest_save,
.extra_opts = rateest_opts,
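Review bot: `rateest_final_check` is moved to `.x6_fcheck` and now reads `cb->data`, while parsing stays on the legacy `.parse`/`.extra_opts` path; whether libxtables fills `xt_fcheck_call.data` for an extension that has no `.x6_parse` is not visible here, so confirm it, since the `if (info == NULL)` check just below the hunk is the only guard before the dereference. If the framework does guarantee `data`, that check is dead code and can go; either way a comment on the match struct, `/* legacy getopt parser combined with the new-style fcheck callback */`, would record that the mixed API is deliberate.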
iptables-1.4.12.tar.bz2/extensions/libxt_sctp.c
@@ -257,7 +257,6 @@
xtables_error(PARAMETER_PROBLEM,
"Only one `--source-port' allowed");
einfo->flags |= XT_SCTP_SRC_PORTS;
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_sctp_ports(optarg, einfo->spts);
if (invert)
einfo->invflags |= XT_SCTP_SRC_PORTS;
@@ -269,7 +268,6 @@
xtables_error(PARAMETER_PROBLEM,
"Only one `--destination-port' allowed");
einfo->flags |= XT_SCTP_DEST_PORTS;
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_sctp_ports(optarg, einfo->dpts);
if (invert)
einfo->invflags |= XT_SCTP_DEST_PORTS;
@@ -280,8 +278,6 @@
if (*flags & XT_SCTP_CHUNK_TYPES)
xtables_error(PARAMETER_PROBLEM,
"Only one `--chunk-types' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
iptables-1.4.12.tar.bz2/extensions/libxt_set.c
@@ -64,8 +64,6 @@
if (info->u.flags[0])
xtables_error(PARAMETER_PROBLEM,
"--match-set can be specified only once");
-
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
info->u.flags[0] |= IPSET_MATCH_INV;
@@ -151,8 +149,6 @@
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
"--match-set can be specified only once");
-
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
if (invert)
info->flags |= IPSET_INV_MATCH;
iptables-1.4.12.tar.bz2/extensions/libxt_state.c
@@ -23,7 +23,7 @@
static const struct xt_option_entry state_opts[] = {
{.name = "state", .id = O_STATE, .type = XTTYPE_STRING,
- .flags = XTOPT_MAND},
+ .flags = XTOPT_MAND | XTOPT_INVERT},
XTOPT_TABLEEND,
};
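Review bot: Adding `XTOPT_INVERT` to the `state` entry makes the option framework accept `! --state`, so the parse callback (outside this hunk) must act on `cb->invert`; if it still ignores it, an inverted rule is silently installed as the non-inverted one, which is the worst failure mode for a firewall rule. Confirm that `state_parse` inverts the state mask when `cb->invert` is set, and add `/* XTOPT_INVERT: state_parse handles cb->invert */` on the entry so the coupling is visible.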
iptables-1.4.12.tar.bz2/extensions/libxt_tcp.c
@@ -148,7 +148,6 @@
if (*flags & TCP_SRC_PORTS)
xtables_error(PARAMETER_PROBLEM,
"Only one `--source-port' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_tcp_ports(optarg, tcpinfo->spts);
if (invert)
tcpinfo->invflags |= XT_TCP_INV_SRCPT;
@@ -159,7 +158,6 @@
if (*flags & TCP_DST_PORTS)
xtables_error(PARAMETER_PROBLEM,
"Only one `--destination-port' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_tcp_ports(optarg, tcpinfo->dpts);
if (invert)
tcpinfo->invflags |= XT_TCP_INV_DSTPT;
@@ -180,8 +178,6 @@
xtables_error(PARAMETER_PROBLEM,
"Only one of `--syn' or `--tcp-flags' "
" allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-
if (!argv[optind]
|| argv[optind][0] == '-' || argv[optind][0] == '!')
xtables_error(PARAMETER_PROBLEM,
@@ -197,7 +193,6 @@
if (*flags & TCP_OPTION)
xtables_error(PARAMETER_PROBLEM,
"Only one `--tcp-option' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
parse_tcp_option(optarg, &tcpinfo->option);
if (invert)
tcpinfo->invflags |= XT_TCP_INV_OPTION;
iptables-1.4.12.tar.bz2/include/xtables.h.in
@@ -137,11 +137,13 @@
* @arg: input from command line
* @ext_name: name of extension currently being processed
* @entry: current option being processed
- * @data: per-extension data block
+ * @data: per-extension kernel data block
* @xflags: options of the extension that have been used
* @invert: whether option was used with !
* @nvals: number of results in uXX_multi
* @val: parsed result
+ * @udata: per-extension private scratch area
+ * (cf. xtables_{match,target}->udata_size)
*/
struct xt_option_call {
const char *arg, *ext_name;
@@ -174,16 +176,19 @@
struct xt_entry_target **target;
};
void *xt_entry;
+ void *udata;
};
/**
* @ext_name: name of extension currently being processed
- * @data: per-extension data block
+ * @data: per-extension (kernel) data block
+ * @udata: per-extension private scratch area
+ * (cf. xtables_{match,target}->udata_size)
* @xflags: options of the extension that have been used
*/
struct xt_fcheck_call {
const char *ext_name;
- void *data;
+ void *data, *udata;
unsigned int xflags;
};
@@ -254,7 +259,11 @@
void (*x6_fcheck)(struct xt_fcheck_call *);
const struct xt_option_entry *x6_options;
+ /* Size of per-extension instance extra "global" scratch space */
+ size_t udata_size;
+
/* Ignore these men behind the curtain: */
+ void *udata;
unsigned int option_offset;
struct xt_entry_match *m;
unsigned int mflags;
@@ -318,7 +327,10 @@
void (*x6_fcheck)(struct xt_fcheck_call *);
const struct xt_option_entry *x6_options;
+ size_t udata_size;
+
/* Ignore these men behind the curtain: */
+ void *udata;
unsigned int option_offset;
struct xt_entry_target *t;
unsigned int tflags;
@@ -420,8 +432,6 @@
/* this is a special 64bit data type that is 8-byte aligned */
#define aligned_u64 u_int64_t __attribute__((aligned(8)))
-int xtables_check_inverse(const char option[], int *invert,
- int *my_optind, int argc, char **argv);
extern struct xtables_globals *xt_params;
#define xtables_error (xt_params->exit_err)
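Review bot: The new `size_t udata_size;` in struct xtables_target (second hunk of this file, just above the "men behind the curtain" comment) carries no comment, while the same field in struct xtables_match is documented as `/* Size of per-extension instance extra "global" scratch space */`; copy that comment to the target struct so extension authors see the contract in both places. It would also help to say who owns `udata`: from the xshared.c hunk, the core frees and re-allocates it on every init, so an extension must not keep a pointer to it across instances. Removing the `xtables_check_inverse` prototype from this installed public header is presumably an API break for out-of-tree extensions that still call it; if that is intended it deserves a line in the release notes.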
Changed |
iptables-1.4.12.tar.bz2/iptables/Makefile.am
@@ -51,10 +51,10 @@
endif
iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
pkgconfig_DATA = xtables.pc
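Review bot: Both corrected recipes still write directly to the target with `$< >$@;`, so a failed or interrupted sed leaves a truncated iptables.8/ip6tables.8 with a fresh mtime that make will then consider up to date; write to a temporary name and rename, `$< >$@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:` to the Makefile. Note that sed's `r` command silently reads nothing when the named file does not exist, which is why the wrong relative path went unnoticed; the `.man` files listed as prerequisites are the only thing guarding against that, so keep the prerequisite list and the `r` paths in lockstep. The same recipe text appears in iptables/Makefile.in, which is generated from this file.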
Changed |
iptables-1.4.12.tar.bz2/iptables/Makefile.in
@@ -949,10 +949,10 @@
iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
# Using if..fi avoids an ugly "error (ignored)" message :)
install-exec-hook:
Changed |
iptables-1.4.12.tar.bz2/iptables/ip6tables-restore.c
@@ -460,7 +460,6 @@
exit(1);
}
- if (in != NULL)
- fclose(in);
+ fclose(in);
return 0;
}
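Review bot: Dropping the NULL guard before `fclose(in);` is only safe if every path that reaches this `return 0;` has `in` open, and the hunk does not show that (the function begins outside it). The `exit(1)` just above suggests the fopen failure path exits, but if `in` can be left NULL when no file argument is given, `fclose(NULL)` is undefined behaviour; please confirm and add a one-line comment such as `/* in is always open here: open failure exits above */`. The same change appears in iptables-restore.c and iptables-xml.c.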
Changed |
iptables-1.4.12.tar.bz2/iptables/ip6tables.8.in
@@ -1,4 +1,4 @@
-.TH IP6TABLES 8 "" "iptables 1.4.4" "iptables 1.4.4"
+.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@"
.\"
.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
.\" It is based on iptables man page.
@@ -333,7 +333,8 @@
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
+detailed information on the rule or rules to be printed. \fB\-v\fP may be
+specified multiple times to possibly emit more detailed debug statements.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
@@ -365,9 +366,6 @@
and you can use the \fB\-h\fP or \fB\-\-help\fP
options after the module has been specified to receive help specific
to that module.
-.PP
-The following are included in the base package, and most of these can
-be preceded by a "\fB!\fP" to invert the sense of the match.
.\" @MATCH@
.SH TARGET EXTENSIONS
ip6tables can use extended target modules: the following are included
Changed |
iptables-1.4.12.tar.bz2/iptables/ip6tables.c
@@ -1288,8 +1288,7 @@
cs->target->t->u.target_size = size;
strcpy(cs->target->t->u.user.name, cs->jumpto);
cs->target->t->u.user.revision = cs->target->revision;
- if (cs->target->init != NULL)
- cs->target->init(cs->target->t);
+ xs_init_target(cs->target);
if (cs->target->x6_options != NULL)
opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
cs->target->x6_options,
@@ -1317,8 +1316,7 @@
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
+ xs_init_match(m);
if (m == m->next)
return;
/* Merge options for non-cloned matches */
@@ -1538,7 +1536,6 @@
* Option selection
*/
case 'p':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_PROTOCOL, &cs.fw6.ipv6.invflags,
cs.invert);
@@ -1564,14 +1561,12 @@
break;
case 's':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_SOURCE, &cs.fw6.ipv6.invflags,
cs.invert);
shostnetworkmask = optarg;
break;
case 'd':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_DESTINATION, &cs.fw6.ipv6.invflags,
cs.invert);
dhostnetworkmask = optarg;
@@ -1596,7 +1591,6 @@
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEIN, &cs.fw6.ipv6.invflags,
cs.invert);
xtables_parse_interface(optarg,
@@ -1609,7 +1603,6 @@
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw6.ipv6.invflags,
cs.invert);
xtables_parse_interface(optarg,
@@ -1839,8 +1832,7 @@
cs.target->t = xtables_calloc(1, size);
cs.target->t->u.target_size = size;
strcpy(cs.target->t->u.user.name, cs.jumpto);
- if (cs.target->init != NULL)
- cs.target->init(cs.target->t);
+ xs_init_target(cs.target);
}
if (!cs.target) {
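Review bot: With the `xtables_check_inverse` calls gone from the `'p'`, `'s'`, `'d'`, `'i'` and `'o'` cases, a legacy `-s ! 1.2.3.4` invocation now hands the literal `!` to the address or interface parser as the value, unless something earlier in the option loop already filters it (that code is outside the hunk). The user then gets whatever error the parser produces for `!` rather than a diagnostic that names the real problem; a short explicit rejection before `set_option`, for example `if (optarg != NULL && strcmp(optarg, "!") == 0) xtables_error(PARAMETER_PROBLEM, "Intrapositioned negation (`--option ! this`) is no longer supported, use `! --option this`");`, would keep old scripts failing loudly and clearly. The same applies to the matching hunks in iptables.c.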
Changed |
iptables-1.4.12.tar.bz2/iptables/iptables-apply
@@ -11,7 +11,6 @@
VERSION=1.0
TIMEOUT=10
-DEFAULT_FILE=/etc/network/iptables
function blurb()
{
@@ -87,6 +86,19 @@
shift
done
+case "$PROGNAME" in
+ (*6*)
+ SAVE=ip6tables-save
+ RESTORE=ip6tables-restore
+ DEFAULT_FILE=/etc/network/ip6tables
+ ;;
+ (*)
+ SAVE=iptables-save
+ RESTORE=iptables-restore
+ DEFAULT_FILE=/etc/network/iptables
+ ;;
+esac
+
FILE="${1:-$DEFAULT_FILE}";
if [[ -z "$FILE" ]]; then
@@ -99,17 +111,6 @@
exit 2
fi
-case "${0##*/}" in
- (*6*)
- SAVE=ip6tables-save
- RESTORE=ip6tables-restore
- ;;
- (*)
- SAVE=iptables-save
- RESTORE=iptables-restore
- ;;
-esac
-
COMMANDS=(tempfile "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
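Review bot: `DEFAULT_FILE` is now set only in the new `case "$PROGNAME"` block after the option loop, whereas it was previously a global defined before `blurb()`; if the usage or help text emitted during the `while`/`shift` loop interpolates `$DEFAULT_FILE`, it will now print an empty default. The function bodies are outside the hunk, so please check; moving the `case` block above the option loop would keep both the help text and the `FILE="${1:-$DEFAULT_FILE}"` default correct. The switch from `${0##*/}` to `$PROGNAME` likewise assumes `PROGNAME` is assigned earlier in the script.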
Changed |
iptables-1.4.12.tar.bz2/iptables/iptables-restore.c
@@ -465,7 +465,6 @@
exit(1);
}
- if (in != NULL)
- fclose(in);
+ fclose(in);
return 0;
}
Changed |
iptables-1.4.12.tar.bz2/iptables/iptables-xml.c
@@ -865,8 +865,7 @@
exit(1);
}
- if (in != NULL)
- fclose(in);
+ fclose(in);
printf("</iptables-rules>\n");
free_argv();
Changed |
iptables-1.4.12.tar.bz2/iptables/iptables.8.in
@@ -332,7 +332,8 @@
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
+detailed information on the rule or rules to be printed. \fB\-v\fP may be
+specified multiple times to possibly emit more detailed debug statements.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
@@ -364,9 +365,6 @@
and you can use the \fB\-h\fP or \fB\-\-help\fP
options after the module has been specified to receive help specific
to that module.
-.PP
-The following are included in the base package, and most of these can
-be preceded by a "\fB!\fP" to invert the sense of the match.
.\" @MATCH@
.SH TARGET EXTENSIONS
iptables can use extended target modules: the following are included
Changed |
iptables-1.4.12.tar.bz2/iptables/iptables.c
@@ -178,9 +178,9 @@
/* -x */ 0,
/* -i */ IPT_INV_VIA_IN,
/* -o */ IPT_INV_VIA_OUT,
-/* -f */ IPT_INV_FRAG,
/*--line*/ 0,
/* -c */ 0,
+/* -f */ IPT_INV_FRAG,
};
#define opts iptables_globals.opts
@@ -1315,8 +1315,8 @@
cs->target->t->u.target_size = size;
strcpy(cs->target->t->u.user.name, cs->jumpto);
cs->target->t->u.user.revision = cs->target->revision;
- if (cs->target->init != NULL)
- cs->target->init(cs->target->t);
+ xs_init_target(cs->target);
+
if (cs->target->x6_options != NULL)
opts = xtables_options_xfrm(iptables_globals.orig_opts, opts,
cs->target->x6_options,
@@ -1344,8 +1344,7 @@
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
+ xs_init_match(m);
if (m == m->next)
return;
/* Merge options for non-cloned matches */
@@ -1567,7 +1566,6 @@
* Option selection
*/
case 'p':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_PROTOCOL, &cs.fw.ip.invflags,
cs.invert);
@@ -1585,14 +1583,12 @@
break;
case 's':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_SOURCE, &cs.fw.ip.invflags,
cs.invert);
shostnetworkmask = optarg;
break;
case 'd':
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_DESTINATION, &cs.fw.ip.invflags,
cs.invert);
dhostnetworkmask = optarg;
@@ -1617,7 +1613,6 @@
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEIN, &cs.fw.ip.invflags,
cs.invert);
xtables_parse_interface(optarg,
@@ -1630,7 +1625,6 @@
xtables_error(PARAMETER_PROBLEM,
"Empty interface is likely to be "
"undesired");
- xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv);
set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw.ip.invflags,
cs.invert);
xtables_parse_interface(optarg,
@@ -1871,8 +1865,7 @@
strcpy(cs.target->t->u.user.name, cs.jumpto);
if (!iptc_is_chain(cs.jumpto, *handle))
cs.target->t->u.user.revision = cs.target->revision;
- if (cs.target->init != NULL)
- cs.target->init(cs.target->t);
+ xs_init_target(cs.target);
}
if (!cs.target) {
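Review bot: Moving the `/* -f */ IPT_INV_FRAG` entry after `/* -c */` in the inverse-flag table (first hunk of this file) is correct only if the array is indexed by the same position as the option table it mirrors, which is outside the hunk; please confirm the two orderings now agree. Because the per-entry comments are the only thing tying the rows to options, a header comment on the array, e.g. `/* NB: rows must stay in the same order as the option table this is indexed by */`, would make the next reordering less error-prone. The `xtables_check_inverse` removals here mirror those in ip6tables.c.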
Changed |
iptables-1.4.12.tar.bz2/iptables/xshared.c
@@ -145,8 +145,7 @@
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
+ xs_init_match(m);
if (m->x6_options != NULL)
gl->opts = xtables_options_xfrm(gl->orig_opts,
@@ -207,3 +206,33 @@
fprintf(stderr, " * %s\n", cb->name);
exit(EXIT_FAILURE);
}
+
+void xs_init_target(struct xtables_target *target)
+{
+ if (target->udata_size != 0) {
+ free(target->udata);
+ target->udata = calloc(1, target->udata_size);
+ if (target->udata == NULL)
+ xtables_error(RESOURCE_PROBLEM, "malloc");
+ }
+ if (target->init != NULL)
+ target->init(target->t);
+}
+
+void xs_init_match(struct xtables_match *match)
+{
+ if (match->udata_size != 0) {
+ /*
+ * As soon as a subsequent instance of the same match
+ * is used, e.g. "-m time -m time", the first instance
+ * is no longer reachable anyway, so we can free udata.
+ * Same goes for target.
+ */
+ free(match->udata);
+ match->udata = calloc(1, match->udata_size);
+ if (match->udata == NULL)
+ xtables_error(RESOURCE_PROBLEM, "malloc");
+ }
+ if (match->init != NULL)
+ match->init(match->m);
+}
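Review bot: `xs_init_target` and `xs_init_match` call bare `calloc` and then report `"malloc"` through `xtables_error`, whereas the callers in this series use the library wrappers (`cs.target->t = xtables_calloc(1, size);` in ip6tables.c, `xtables_malloc` in xtables.c); `target->udata = xtables_calloc(1, target->udata_size);` would drop the duplicated NULL check and keep a single allocation-failure path. The `free(match->udata)` is only safe for cloned matches because the clone path in xtables.c now sets `clone->udata = NULL`; that coupling deserves a comment next to the free, e.g. `/* clones start with udata == NULL (see the clone path in xtables.c), so this never frees a buffer shared with the original */`. The "Same goes for target" remark would also read better placed on `xs_init_target` itself rather than inside `xs_init_match`.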
Changed |
iptables-1.4.12.tar.bz2/iptables/xshared.h
@@ -81,6 +81,8 @@
struct xtables_globals *);
extern struct xtables_match *load_proto(struct iptables_command_state *);
extern int subcmd_main(int, char **, const struct subcommand *);
+extern void xs_init_target(struct xtables_target *);
+extern void xs_init_match(struct xtables_match *);
extern const struct xtables_afinfo *afinfo;
Changed |
iptables-1.4.12.tar.bz2/iptables/xtables.c
@@ -15,6 +15,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#include "config.h"
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
@@ -32,7 +33,11 @@
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
-#include <linux/magic.h> /* for PROC_SUPER_MAGIC */
+#if defined(HAVE_LINUX_MAGIC_H)
+# include <linux/magic.h> /* for PROC_SUPER_MAGIC */
+#elif defined(HAVE_LINUX_PROC_FS_H)
+# include <linux/proc_fs.h> /* Linux 2.4 */
+#endif
#include <xtables.h>
#include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
@@ -362,6 +367,7 @@
/* not usually reached */
exit(1);
case -1:
+ free(buf);
return -1;
default: /* parent */
@@ -626,6 +632,7 @@
/* Second and subsequent clones */
clone = xtables_malloc(sizeof(struct xtables_match));
memcpy(clone, ptr, sizeof(struct xtables_match));
+ clone->udata = NULL;
clone->mflags = 0;
/* This is a clone: */
clone->next = clone;
@@ -1042,8 +1049,10 @@
case XTF_ONLY_ONCE:
p2 = va_arg(args, const char *);
b = va_arg(args, unsigned int);
- if (!b)
+ if (!b) {
+ va_end(args);
return;
+ }
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: \"%s\" option may only be specified once",
p1, p2);
@@ -1051,8 +1060,10 @@
case XTF_NO_INVERT:
p2 = va_arg(args, const char *);
b = va_arg(args, unsigned int);
- if (!b)
+ if (!b) {
+ va_end(args);
return;
+ }
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: \"%s\" option cannot be inverted", p1, p2);
break;
@@ -1065,8 +1076,10 @@
break;
case XTF_ONE_ACTION:
b = va_arg(args, unsigned int);
- if (!b)
+ if (!b) {
+ va_end(args);
return;
+ }
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: At most one action is possible", p1);
break;
@@ -1287,7 +1300,7 @@
struct in_addr **maskpp, unsigned int *naddrs)
{
struct in_addr *addrp;
- char buf[256], *p;
+ char buf[256], *p, *next;
unsigned int len, i, j, n, count = 1;
const char *loop = name;
@@ -1302,23 +1315,19 @@
loop = name;
for (i = 0; i < count; ++i) {
- if (loop == NULL)
- break;
- if (*loop == ',')
+ while (isspace(*loop))
++loop;
- if (*loop == '\0')
- break;
- p = strchr(loop, ',');
- if (p != NULL)
- len = p - loop;
+ next = strchr(loop, ',');
+ if (next != NULL)
+ len = next - loop;
else
len = strlen(loop);
- if (len == 0 || sizeof(buf) - 1 < len)
- break;
+ if (len > sizeof(buf) - 1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "Hostname too long");
strncpy(buf, loop, len);
buf[len] = '\0';
- loop += len;
if ((p = strrchr(buf, '/')) != NULL) {
*p = '\0';
addrp = parse_ipmask(p + 1);
@@ -1356,6 +1365,9 @@
}
/* free what ipparse_hostnetwork had allocated: */
free(addrp);
+ if (next == NULL)
+ break;
+ loop = next + 1;
}
*naddrs = count;
for (i = 0; i < count; ++i)
@@ -1604,7 +1616,7 @@
{
static const struct in6_addr zero_addr;
struct in6_addr *addrp;
- char buf[256], *p;
+ char buf[256], *p, *next;
unsigned int len, i, j, n, count = 1;
const char *loop = name;
@@ -1619,23 +1631,19 @@
loop = name;
for (i = 0; i < count /*NB: count can grow*/; ++i) {
- if (loop == NULL)
- break;
- if (*loop == ',')
+ while (isspace(*loop))
++loop;
- if (*loop == '\0')
- break;
- p = strchr(loop, ',');
- if (p != NULL)
- len = p - loop;
+ next = strchr(loop, ',');
+ if (next != NULL)
+ len = next - loop;
else
len = strlen(loop);
- if (len == 0 || sizeof(buf) - 1 < len)
- break;
+ if (len > sizeof(buf) - 1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "Hostname too long");
strncpy(buf, loop, len);
buf[len] = '\0';
- loop += len;
if ((p = strrchr(buf, '/')) != NULL) {
*p = '\0';
addrp = parse_ip6mask(p + 1);
@@ -1669,6 +1677,9 @@
}
/* free what ip6parse_hostnetwork had allocated: */
free(addrp);
+ if (next == NULL)
+ break;
+ loop = next + 1;
}
*naddrs = count;
for (i = 0; i < count; ++i)
@@ -1755,35 +1766,6 @@
}
}
-/**
- * Check for option-intrapositional negation.
- * Do not use in new code.
- */
-int xtables_check_inverse(const char option[], int *invert,
- int *my_optind, int argc, char **argv)
-{
- if (option == NULL || strcmp(option, "!") != 0)
- return false;
-
- fprintf(stderr, "Using intrapositioned negation "
- "(`--option ! this`) is deprecated in favor of "
- "extrapositioned (`! --option this`).\n");
-
- if (*invert)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "Multiple `!' flags not allowed");
- *invert = true;
- if (my_optind != NULL) {
- optarg = argv[*my_optind];
- ++*my_optind;
- if (argc && *my_optind > argc)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "no argument following `!'");
- }
-
- return true;
-}
-
const struct xtables_pprot xtables_chain_protos[] = {
{"tcp", IPPROTO_TCP},
{"sctp", IPPROTO_SCTP},
Changed |
iptables-1.4.12.tar.bz2/iptables/xtoptions.c
@@ -908,6 +908,7 @@
cb.xflags = t->tflags;
cb.target = &t->t;
cb.xt_entry = fw;
+ cb.udata = t->udata;
t->x6_parse(&cb);
t->tflags = cb.xflags;
}
@@ -943,6 +944,7 @@
cb.xflags = m->mflags;
cb.match = &m->m;
cb.xt_entry = fw;
+ cb.udata = m->udata;
m->x6_parse(&cb);
m->mflags = cb.xflags;
}
@@ -1028,6 +1030,7 @@
cb.ext_name = t->name;
cb.data = t->t->data;
cb.xflags = t->tflags;
+ cb.udata = t->udata;
t->x6_fcheck(&cb);
} else if (t->final_check != NULL) {
t->final_check(t->tflags);
@@ -1048,6 +1051,7 @@
cb.ext_name = m->name;
cb.data = m->m->data;
cb.xflags = m->mflags;
+ cb.udata = m->udata;
m->x6_fcheck(&cb);
} else if (m->final_check != NULL) {
m->final_check(m->mflags);
Changed |
iptables-1.4.12.tar.bz2/libipq/libipq.c
@@ -231,7 +231,6 @@
if (h->fd == -1) {
ipq_errno = IPQ_ERR_SOCKET;
- close(h->fd);
free(h);
return NULL;
}
Changed |
iptables-1.4.12.tar.bz2/libiptc/libiptc.c
@@ -403,7 +403,7 @@
}
debug("jump back to pos:%d (end:%d)\n", pos, end);
goto loop;
- } else if (res > 0 ){ /* Not far enough, jump forward */
+ } else { /* res > 0; Not far enough, jump forward */
/* Exit case: Last element of array */
if (pos == handle->chain_index_sz-1) {
@@ -430,8 +430,6 @@
debug("jump forward to pos:%d (end:%d)\n", pos, end);
goto loop;
}
-
- return list_pos;
}
/* Wrapper for string chain name based bsearch */
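Review bot: Replacing `else if (res > 0 )` with a bare `else` makes that branch also cover `res == 0`, and removing `return list_pos;` after the loop leaves no return on the fall-through path; both are fine only if `res == 0` is handled before this point and every path inside the branch ends in `goto loop` or a return — the function begins outside the hunk, so please confirm. If the end is genuinely unreachable and the function is non-void, leave a marker such as `/* NOTREACHED */` there so a later edit that introduces a fall-through does not silently return an indeterminate value.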
Changed |
iptables-1.4.12.tar.bz2/tests/options-most.rules
@@ -1,4 +1,3 @@
-# Generated by ip6tables-save v1.4.10 on Mon Jan 31 02:19:53 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
@@ -76,6 +75,8 @@
-A matches
-A matches -m conntrack --ctexpire 5:4294967295
-A matches
+-A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9
+-A matches
-A matches -p esp -m esp --espspi 1
-A matches
-A matches -p esp -m esp --espspi :2
@@ -86,6 +87,11 @@
-A matches
-A matches -p esp -m esp --espspi 5:4294967295
-A matches
+-A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1
+-A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2
+-A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
+-A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4
+-A matches
-A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21
-A matches
-A matches -m length --length 1
@@ -146,6 +152,8 @@
-A matches
-A matches -m rt --rt-segsleft 5:4294967295
-A matches
+-A ntarg -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
+-A ntarg
-A ntarg -j NFQUEUE --queue-num 1
-A ntarg
-A ntarg -j NFQUEUE --queue-balance 8:99
@@ -169,4 +177,17 @@
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
COMMIT
-# Completed on Mon Jan 31 02:19:54 2011
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:matches - -
+:ntarg - -
+:zmatches - -
+-A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg
+-A ntarg -j HL --hl-inc 1
+-A ntarg -j HL --hl-dec 1
+-A ntarg
+COMMIT