Changes - j0ke.net Open Build Service

Changes of Revision 25

[-] [+]	Changed	iptables.spec
@@ -1,5 +1,5 @@ # -# spec file for package iptables (Version 1.4.11.1) +# spec file for package iptables (Version 1.4.12) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -22,8 +22,8 @@ License: GPL v2 or later Group: Productivity/Networking/Security AutoReqProv: on -Version: 1.4.11.1 -%define real_ver 1.4.11.1 +Version: 1.4.12 +%define real_ver 1.4.12 Release: 1 Summary: IP Packet Filter Administration Source0: %name-%version.tar.bz2 @@ -109,6 +109,9 @@ %_libdir/pkgconfig/* %changelog +* Sat Jul 30 2011 Carsten Schoene <cs@linux-administrator.com> - 1.4.12-1 +- update to release 1.4.12 + * Fri May 27 2011 Carsten Schoene <cs@linux-administrator.com> - 1.4.11-1 - update to release 1.4.11
[-] [+]	Changed	iptables-1.4.12.tar.bz2/INSTALL ^
@@ -31,7 +31,7 @@ --with-xtlibdir= The path to where Xtables extensions should be installed to. It - defaults to ${prefix}/libexec/xtables. + defaults to ${libdir}/xtables. --enable-devel (or --disable-devel)
[-] [+]	Changed	iptables-1.4.12.tar.bz2/config.h.in ^
@@ -6,6 +6,18 @@ /* Define to 1 if you have the <inttypes.h> header file. / #undef HAVE_INTTYPES_H +/ Define to 1 if you have the <linux/dccp.h> header file. / +#undef HAVE_LINUX_DCCP_H + +/ Define to 1 if you have the <linux/ip_vs.h> header file. / +#undef HAVE_LINUX_IP_VS_H + +/ Define to 1 if you have the <linux/magic.h> header file. / +#undef HAVE_LINUX_MAGIC_H + +/ Define to 1 if you have the <linux/proc_fs.h> header file. / +#undef HAVE_LINUX_PROC_FS_H + / Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H
[-] [+]	Changed	iptables-1.4.12.tar.bz2/configure ^
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67 for iptables 1.4.11.1. +# Generated by GNU Autoconf 2.67 for iptables 1.4.12. # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -698,8 +698,8 @@ # Identity of this package. PACKAGE_NAME='iptables' PACKAGE_TARNAME='iptables' -PACKAGE_VERSION='1.4.11.1' -PACKAGE_STRING='iptables 1.4.11.1' +PACKAGE_VERSION='1.4.12' +PACKAGE_STRING='iptables 1.4.12' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1459,7 +1459,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iptables 1.4.11.1 to adapt to many kinds of systems. +\`configure' configures iptables 1.4.12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1529,7 +1529,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short \| recursive ) echo "Configuration of iptables 1.4.11.1:";; + short \| recursive ) echo "Configuration of iptables 1.4.12:";; esac cat <<\_ACEOF @@ -1651,7 +1651,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iptables configure 1.4.11.1 +iptables configure 1.4.12 generated by GNU Autoconf 2.67 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2016,7 +2016,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iptables $as_me 1.4.11.1, which was +It was created by iptables $as_me 1.4.12, which was generated by GNU Autoconf 2.67. Invocation command line was $ $0 $@ @@ -2366,7 +2366,7 @@ # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=6 +libxtables_vcurrent=7 libxtables_vage=0 ac_config_headers="$ac_config_headers config.h" @@ -2839,7 +2839,7 @@ # Define the identity of the package. PACKAGE='iptables' - VERSION='1.4.11.1' + VERSION='1.4.12' cat >>confdefs.h <<_ACEOF @@ -10636,7 +10636,7 @@ if test "${with_xtlibdir+set}" = set; then : withval=$with_xtlibdir; xtlibdir="$withval" else - xtlibdir="${libexecdir}/xtables" + xtlibdir="${libdir}/xtables" fi # Check whether --enable-ipv4 was given. @@ -10725,22 +10725,22 @@ blacklist_modules=""; -ac_fn_c_check_header_mongrel "$LINENO" "linux/dccp.h" "ac_cv_header_linux_dccp_h" "$ac_includes_default" -if test "x$ac_cv_header_linux_dccp_h" = x""yes; then : +for ac_header in linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" \| $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" \| $as_tr_cpp` 1 +_ACEOF fi +done if test "$ac_cv_header_linux_dccp_h" != "yes"; then blacklist_modules="$blacklist_modules dccp"; fi; - -ac_fn_c_check_header_mongrel "$LINENO" "linux/ip_vs.h" "ac_cv_header_linux_ip_vs_h" "$ac_includes_default" -if test "x$ac_cv_header_linux_ip_vs_h" = x""yes; then : - -fi - - if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then blacklist_modules="$blacklist_modules ipvs"; fi; @@ -11584,7 +11584,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iptables $as_me 1.4.11.1, which was +This file was extended by iptables $as_me 1.4.12, which was generated by GNU Autoconf 2.67. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -11650,7 +11650,7 @@ cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -iptables config.status 1.4.11.1 +iptables config.status 1.4.12 configured by $0, generated by GNU Autoconf 2.67, with options \\"\$ac_cs_config\\"
[-] [+]	Changed	iptables-1.4.12.tar.bz2/configure.ac ^
@@ -1,8 +1,8 @@ -AC_INIT([iptables], [1.4.11.1]) +AC_INIT([iptables], [1.4.12]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=6 +libxtables_vcurrent=7 libxtables_vage=0 AC_CONFIG_HEADERS([config.h]) @@ -30,7 +30,7 @@ AS_HELP_STRING([--with-xtlibdir=PATH], [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), [xtlibdir="$withval"], - [xtlibdir="${libexecdir}/xtables"]) + [xtlibdir="${libdir}/xtables"]) AC_ARG_ENABLE([ipv4], AS_HELP_STRING([--disable-ipv4], [Do not build iptables]), [enable_ipv4="$enableval"], [enable_ipv4="yes"]) @@ -59,12 +59,10 @@ blacklist_modules=""; -AC_CHECK_HEADER([linux/dccp.h]) +AC_CHECK_HEADERS([linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h]) if test "$ac_cv_header_linux_dccp_h" != "yes"; then blacklist_modules="$blacklist_modules dccp"; fi; - -AC_CHECK_HEADER([linux/ip_vs.h]) if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then blacklist_modules="$blacklist_modules ipvs"; fi;
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libip6t_HL.c ^
@@ -20,12 +20,12 @@ #define s struct ip6t_HL_info static const struct xt_option_entry HL_opts[] = { - {.name = "ttl-set", .type = XTTYPE_UINT8, .id = O_HL_SET, + {.name = "hl-set", .type = XTTYPE_UINT8, .id = O_HL_SET, .excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit)}, - {.name = "ttl-dec", .type = XTTYPE_UINT8, .id = O_HL_DEC, + {.name = "hl-dec", .type = XTTYPE_UINT8, .id = O_HL_DEC, .excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit), .min = 1}, - {.name = "ttl-inc", .type = XTTYPE_UINT8, .id = O_HL_INC, + {.name = "hl-inc", .type = XTTYPE_UINT8, .id = O_HL_INC, .excl = F_ANY, .flags = XTOPT_PUT, XTOPT_POINTER(s, hop_limit), .min = 1}, XTOPT_TABLEEND,
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libip6t_LOG.c ^
@@ -87,19 +87,19 @@ "Newlines not allowed in --log-prefix"); break; case O_LOG_TCPSEQ: - info->logflags = IP6T_LOG_TCPSEQ; + info->logflags \|= IP6T_LOG_TCPSEQ; break; case O_LOG_TCPOPTS: - info->logflags = IP6T_LOG_TCPOPT; + info->logflags \|= IP6T_LOG_TCPOPT; break; case O_LOG_IPOPTS: - info->logflags = IP6T_LOG_IPOPT; + info->logflags \|= IP6T_LOG_IPOPT; break; case O_LOG_UID: - info->logflags = IP6T_LOG_UID; + info->logflags \|= IP6T_LOG_UID; break; case O_LOG_MAC: - info->logflags = IP6T_LOG_MACDECODE; + info->logflags \|= IP6T_LOG_MACDECODE; break; } }
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libipt_LOG.c ^
@@ -87,19 +87,19 @@ "Newlines not allowed in --log-prefix"); break; case O_LOG_TCPSEQ: - info->logflags = IPT_LOG_TCPSEQ; + info->logflags \|= IPT_LOG_TCPSEQ; break; case O_LOG_TCPOPTS: - info->logflags = IPT_LOG_TCPOPT; + info->logflags \|= IPT_LOG_TCPOPT; break; case O_LOG_IPOPTS: - info->logflags = IPT_LOG_IPOPT; + info->logflags \|= IPT_LOG_IPOPT; break; case O_LOG_UID: - info->logflags = IPT_LOG_UID; + info->logflags \|= IPT_LOG_UID; break; case O_LOG_MAC: - info->logflags = IPT_LOG_MACDECODE; + info->logflags \|= IPT_LOG_MACDECODE; break; } }
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_NFLOG.man ^
@@ -9,7 +9,7 @@ non-terminating target, i.e. rule traversal continues at the next rule. .TP \fB\-\-nflog\-group\fP \fInlgroup\fP -The netlink group (1 \- 2^32\-1) to which packets are (only applicable for +The netlink group (0 - 2^16\-1) to which packets are (only applicable for nfnetlink_log). The default value is 0. .TP \fB\-\-nflog\-prefix\fP \fIprefix\fP
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_RATEEST.c ^
@@ -1,19 +1,16 @@ -#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> -#include <stddef.h> -#include <getopt.h> #include <math.h> #include <xtables.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_RATEEST.h> -/* hack to pass raw values to final_check / -static struct xt_rateest_target_info RATEEST_info; -static unsigned int interval; -static unsigned int ewma_log; +struct rateest_tg_udata { + unsigned int interval; + unsigned int ewma_log; +}; static void RATEEST_help(void) @@ -25,18 +22,23 @@ " --rateest-ewmalog value Rate measurement averaging time constant\n"); } -enum RATEEST_options { - RATEEST_OPT_NAME, - RATEEST_OPT_INTERVAL, - RATEEST_OPT_EWMALOG, +enum { + O_NAME = 0, + O_INTERVAL, + O_EWMALOG, }; -static const struct option RATEEST_opts[] = { - {.name = "rateest-name", .has_arg = true, .val = RATEEST_OPT_NAME}, - {.name = "rateest-interval", .has_arg = true, .val = RATEEST_OPT_INTERVAL}, - {.name = "rateest-ewmalog", .has_arg = true, .val = RATEEST_OPT_EWMALOG}, - XT_GETOPT_TABLEEND, +#define s struct xt_rateest_target_info +static const struct xt_option_entry RATEEST_opts[] = { + {.name = "rateest-name", .id = O_NAME, .type = XTTYPE_STRING, + .flags = XTOPT_MAND \| XTOPT_PUT, XTOPT_POINTER(s, name)}, + {.name = "rateest-interval", .id = O_INTERVAL, .type = XTTYPE_STRING, + .flags = XTOPT_MAND}, + {.name = "rateest-ewmalog", .id = O_EWMALOG, .type = XTTYPE_STRING, + .flags = XTOPT_MAND}, + XTOPT_TABLEEND, }; +#undef s /* Copied from iproute / #define TIME_UNITS_PER_SEC 1000000 @@ -82,66 +84,34 @@ printf(" %uus", time); } -static int -RATEEST_parse(int c, char argv, int invert, unsigned int flags, - const void entry, struct xt_entry_target target) +static void RATEEST_parse(struct xt_option_call cb) { - struct xt_rateest_target_info info = (void )(target)->data; - - RATEEST_info = info; + struct rateest_tg_udata udata = cb->udata; - switch (c) { - case RATEEST_OPT_NAME: - if (flags & (1 << c)) + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_INTERVAL: + if (RATEEST_get_time(&udata->interval, cb->arg) < 0) xtables_error(PARAMETER_PROBLEM, - "RATEEST: can't specify --rateest-name twice"); - flags \|= 1 << c; - - strncpy(info->name, optarg, sizeof(info->name) - 1); + "RATEEST: bad interval value \"%s\"", + cb->arg); break; - - case RATEEST_OPT_INTERVAL: - if (flags & (1 << c)) + case O_EWMALOG: + if (RATEEST_get_time(&udata->ewma_log, cb->arg) < 0) xtables_error(PARAMETER_PROBLEM, - "RATEEST: can't specify --rateest-interval twice"); - flags \|= 1 << c; - - if (RATEEST_get_time(&interval, optarg) < 0) - xtables_error(PARAMETER_PROBLEM, - "RATEEST: bad interval value `%s'", optarg); - - break; - - case RATEEST_OPT_EWMALOG: - if (flags & (1 << c)) - xtables_error(PARAMETER_PROBLEM, - "RATEEST: can't specify --rateest-ewmalog twice"); - flags \|= 1 << c; - - if (RATEEST_get_time(&ewma_log, optarg) < 0) - xtables_error(PARAMETER_PROBLEM, - "RATEEST: bad ewmalog value `%s'", optarg); - + "RATEEST: bad ewmalog value \"%s\"", + cb->arg); break; } - - return 1; } -static void -RATEEST_final_check(unsigned int flags) +static void RATEEST_final_check(struct xt_fcheck_call cb) { - struct xt_rateest_target_info info = RATEEST_info; - - if (!(flags & (1 << RATEEST_OPT_NAME))) - xtables_error(PARAMETER_PROBLEM, "RATEEST: no name specified"); - if (!(flags & (1 << RATEEST_OPT_INTERVAL))) - xtables_error(PARAMETER_PROBLEM, "RATEEST: no interval specified"); - if (!(flags & (1 << RATEEST_OPT_EWMALOG))) - xtables_error(PARAMETER_PROBLEM, "RATEEST: no ewmalog specified"); + struct xt_rateest_target_info info = cb->data; + struct rateest_tg_udata udata = cb->udata; for (info->interval = 0; info->interval <= 5; info->interval++) { - if (interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4)) + if (udata->interval <= (1 << info->interval) * (TIME_UNITS_PER_SEC / 4)) break; } @@ -152,7 +122,7 @@ for (info->ewma_log = 1; info->ewma_log < 32; info->ewma_log++) { double w = 1.0 - 1.0 / (1 << info->ewma_log); - if (interval / (-log(w)) > ewma_log) + if (udata->interval / (-log(w)) > udata->ewma_log) break; } info->ewma_log--; @@ -197,13 +167,14 @@ .name = "RATEEST", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_rateest_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)), + .userspacesize = offsetof(struct xt_rateest_target_info, est), .help = RATEEST_help, - .parse = RATEEST_parse, - .final_check = RATEEST_final_check, + .x6_parse = RATEEST_parse, + .x6_fcheck = RATEEST_final_check, .print = RATEEST_print, .save = RATEEST_save, - .extra_opts = RATEEST_opts, + .x6_options = RATEEST_opts, + .udata_size = sizeof(struct rateest_tg_udata), }; void _init(void)
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_SET.c ^
@@ -67,10 +67,6 @@ xtables_error(PARAMETER_PROBLEM, "--%s can be specified only once", what); - if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --%s", what); - if (!argv[optind] \|\| argv[optind][0] == '-' \|\| argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, @@ -173,11 +169,6 @@ if (info->dim) xtables_error(PARAMETER_PROBLEM, "--%s can be specified only once", what); - - if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --%s", what); - if (!argv[optind] \|\| argv[optind][0] == '-' \|\| argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM,
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_TOS.man ^
@@ -4,24 +4,33 @@ \fBmangle\fP table. .TP \fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] -Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the -TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed. +Zeroes out the bits given by \fImask\fP (see NOTE below) and XORs \fIvalue\fP +into the TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed. .TP \fB\-\-set\-tos\fP \fIsymbol\fP You can specify a symbolic name when using the TOS target for IPv4. It implies -a mask of 0xFF. The list of recognized TOS names can be obtained by calling -iptables with \fB\-j TOS \-h\fP. +a mask of 0xFF (see NOTE below). The list of recognized TOS names can be +obtained by calling iptables with \fB\-j TOS \-h\fP. .PP The following mnemonics are available: .TP \fB\-\-and\-tos\fP \fIbits\fP Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos -0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP. +See NOTE below.) .TP \fB\-\-or\-tos\fP \fIbits\fP Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP -\fIbits\fP\fB/\fP\fIbits\fP.) +\fIbits\fP\fB/\fP\fIbits\fP. See NOTE below.) .TP \fB\-\-xor\-tos\fP \fIbits\fP Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP -\fIbits\fP\fB/0\fP.) +\fIbits\fP\fB/0\fP. See NOTE below.) +.PP +NOTE: In Linux kernels up to and including 2.6.38, with the exception of +longterm releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug +whereby IPv6 TOS mangling does not behave as documented and differs from the +IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs +to be inverted before applying it to the original TOS field. However, the +aformentioned kernels forgo the inversion which breaks --set-tos and its +mnemonics.
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_conntrack.c ^
@@ -93,7 +93,8 @@ {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, + XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST, @@ -110,13 +111,45 @@ }; #undef s +#define s struct xt_conntrack_mtinfo2 +/* We exploit the fact that v1-v2 share the same xt_o_e layout / +static const struct xt_option_entry conntrack2_mt_opts[] = { + {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, + .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, + {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING, + .flags = XTOPT_INVERT}, + {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, + .flags = XTOPT_INVERT}, + {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT \| XTOPT_NBO}, + {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT \| XTOPT_NBO}, + {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT \| XTOPT_NBO}, + {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT, + .flags = XTOPT_INVERT \| XTOPT_NBO}, + {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING}, + XTOPT_TABLEEND, +}; +#undef s + #define s struct xt_conntrack_mtinfo3 / for v1-v3 / / We exploit the fact that v1-v3 share the same layout */ -static const struct xt_option_entry conntrack_mt_opts[] = { +static const struct xt_option_entry conntrack3_mt_opts[] = { {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, - .flags = XTOPT_INVERT}, + .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, .flags = XTOPT_INVERT}, {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, @@ -305,8 +338,6 @@ case O_CTPROTO: if (cb->invert) sinfo->invflags \|= XT_CONNTRACK_PROTO; - sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol; - if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 && (sinfo->invflags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, @@ -369,7 +400,6 @@ info->invert_flags \|= XT_CONNTRACK_STATE; break; case O_CTPROTO: - info->l4proto = cb->val.protocol; if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, "conntrack: rule would " "never match protocol"); @@ -992,7 +1022,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt4_print, .save = conntrack1_mt4_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1006,7 +1036,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt6_print, .save = conntrack1_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1020,7 +1050,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt_print, .save = conntrack2_mt_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1034,7 +1064,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt6_print, .save = conntrack2_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack2_mt_opts, }, { .version = XTABLES_VERSION, @@ -1048,7 +1078,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt_print, .save = conntrack3_mt_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack3_mt_opts, }, { .version = XTABLES_VERSION, @@ -1062,7 +1092,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt6_print, .save = conntrack3_mt6_save, - .x6_options = conntrack_mt_opts, + .x6_options = conntrack3_mt_opts, }, };
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_hashlimit.c ^
@@ -25,6 +25,10 @@ #define XT_HASHLIMIT_GCINTERVAL 1000 #define XT_HASHLIMIT_EXPIRE 10000 +struct hashlimit_mt_udata { + uint32_t mult; +}; + static void hashlimit_help(void) { printf( @@ -56,8 +60,9 @@ O_HTABLE_MAX, O_HTABLE_GCINT, O_HTABLE_EXPIRE, - F_UPTO = 1 << O_UPTO, - F_ABOVE = 1 << O_ABOVE, + F_UPTO = 1 << O_UPTO, + F_ABOVE = 1 << O_ABOVE, + F_HTABLE_EXPIRE = 1 << O_HTABLE_EXPIRE, }; static void hashlimit_mt_help(void) @@ -141,25 +146,25 @@ #undef s static -int parse_rate(const char rate, uint32_t val) +int parse_rate(const char rate, uint32_t val, struct hashlimit_mt_udata ud) { const char delim; uint32_t r; - uint32_t mult = 1; /* Seconds by default. / + ud->mult = 1; / Seconds by default. / delim = strchr(rate, '/'); if (delim) { if (strlen(delim+1) == 0) return 0; if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0) - mult = 1; + ud->mult = 1; else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0) - mult = 60; + ud->mult = 60; else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0) - mult = 6060; + ud->mult = 6060; else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0) - mult = 246060; + ud->mult = 246060; else return 0; } @@ -169,10 +174,10 @@ / This would get mapped to infinite (1/day is minimum they can specify, so we're ok at that end). / - if (r / mult > XT_HASHLIMIT_SCALE) + if (r / ud->mult > XT_HASHLIMIT_SCALE) xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); - val = XT_HASHLIMIT_SCALE * mult / r; + val = XT_HASHLIMIT_SCALE ud->mult / r; return 1; } @@ -248,14 +253,14 @@ case O_UPTO: if (cb->invert) info->cfg.mode \|= XT_HASHLIMIT_INVERT; - if (!parse_rate(cb->arg, &info->cfg.avg)) + if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) xtables_param_act(XTF_BAD_VALUE, "hashlimit", "--hashlimit-upto", cb->arg); break; case O_ABOVE: if (!cb->invert) info->cfg.mode \|= XT_HASHLIMIT_INVERT; - if (!parse_rate(cb->arg, &info->cfg.avg)) + if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) xtables_param_act(XTF_BAD_VALUE, "hashlimit", "--hashlimit-above", cb->arg); break; @@ -276,14 +281,14 @@ case O_UPTO: if (cb->invert) info->cfg.mode \|= XT_HASHLIMIT_INVERT; - if (!parse_rate(cb->arg, &info->cfg.avg)) + if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) xtables_param_act(XTF_BAD_VALUE, "hashlimit", "--hashlimit-upto", cb->arg); break; case O_ABOVE: if (!cb->invert) info->cfg.mode \|= XT_HASHLIMIT_INVERT; - if (!parse_rate(cb->arg, &info->cfg.avg)) + if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) xtables_param_act(XTF_BAD_VALUE, "hashlimit", "--hashlimit-above", cb->arg); break; @@ -303,9 +308,26 @@ static void hashlimit_check(struct xt_fcheck_call cb) { + const struct hashlimit_mt_udata udata = cb->udata; + struct xt_hashlimit_info info = cb->data; + if (!(cb->xflags & (F_UPTO \| F_ABOVE))) xtables_error(PARAMETER_PROBLEM, "You have to specify --hashlimit"); + if (!(cb->xflags & F_HTABLE_EXPIRE)) + info->cfg.expire = udata->mult; +} + +static void hashlimit_mt_check(struct xt_fcheck_call cb) +{ + const struct hashlimit_mt_udata udata = cb->udata; + struct xt_hashlimit_mtinfo1 info = cb->data; + + if (!(cb->xflags & (F_UPTO \| F_ABOVE))) + xtables_error(PARAMETER_PROBLEM, + "You have to specify --hashlimit"); + if (!(cb->xflags & F_HTABLE_EXPIRE)) + info->cfg.expire = udata->mult; } static const struct rates @@ -508,6 +530,7 @@ .print = hashlimit_print, .save = hashlimit_save, .x6_options = hashlimit_mt_opts, + .udata_size = sizeof(struct hashlimit_mt_udata), }, { .version = XTABLES_VERSION, @@ -519,10 +542,11 @@ .help = hashlimit_mt_help, .init = hashlimit_mt4_init, .x6_parse = hashlimit_mt_parse, - .x6_fcheck = hashlimit_check, + .x6_fcheck = hashlimit_mt_check, .print = hashlimit_mt4_print, .save = hashlimit_mt4_save, .x6_options = hashlimit_mt_opts, + .udata_size = sizeof(struct hashlimit_mt_udata), }, { .version = XTABLES_VERSION, @@ -534,10 +558,11 @@ .help = hashlimit_mt_help, .init = hashlimit_mt6_init, .x6_parse = hashlimit_mt_parse, - .x6_fcheck = hashlimit_check, + .x6_fcheck = hashlimit_mt_check, .print = hashlimit_mt6_print, .save = hashlimit_mt6_save, .x6_options = hashlimit_mt_opts, + .udata_size = sizeof(struct hashlimit_mt_udata), }, };
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_rateest.c ^
@@ -8,9 +8,6 @@ #include <xtables.h> #include <linux/netfilter/xt_rateest.h> -/* Ugly hack to pass info to final_check function. We should fix the API / -static struct xt_rateest_match_info rateest_info; - static void rateest_help(void) { printf( @@ -115,11 +112,8 @@ struct xt_rateest_match_info info = (void )(match)->data; unsigned int val; - rateest_info = info; - switch (c) { case OPT_RATEEST1: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest can't be inverted"); @@ -133,7 +127,6 @@ break; case OPT_RATEEST2: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest can't be inverted"); @@ -148,7 +141,6 @@ break; case OPT_RATEEST_BPS1: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-bps can't be inverted"); @@ -172,7 +164,6 @@ break; case OPT_RATEEST_PPS1: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-pps can't be inverted"); @@ -197,7 +188,6 @@ break; case OPT_RATEEST_BPS2: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-bps can't be inverted"); @@ -221,7 +211,6 @@ break; case OPT_RATEEST_PPS2: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-pps can't be inverted"); @@ -246,7 +235,6 @@ break; case OPT_RATEEST_DELTA: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-delta can't be inverted"); @@ -260,8 +248,6 @@ break; case OPT_RATEEST_EQ: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, "rateest: can't specify lt/gt/eq twice"); @@ -273,8 +259,6 @@ break; case OPT_RATEEST_LT: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, "rateest: can't specify lt/gt/eq twice"); @@ -286,8 +270,6 @@ break; case OPT_RATEEST_GT: - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, "rateest: can't specify lt/gt/eq twice"); @@ -302,10 +284,9 @@ return 1; } -static void -rateest_final_check(unsigned int flags) +static void rateest_final_check(struct xt_fcheck_call cb) { - struct xt_rateest_match_info info = rateest_info; + struct xt_rateest_match_info *info = cb->data; if (info == NULL) xtables_error(PARAMETER_PROBLEM, "rateest match: " @@ -439,7 +420,7 @@ .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)), .help = rateest_help, .parse = rateest_parse, - .final_check = rateest_final_check, + .x6_fcheck = rateest_final_check, .print = rateest_print, .save = rateest_save, .extra_opts = rateest_opts,
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_sctp.c ^
@@ -257,7 +257,6 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--source-port' allowed"); einfo->flags \|= XT_SCTP_SRC_PORTS; - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_sctp_ports(optarg, einfo->spts); if (invert) einfo->invflags \|= XT_SCTP_SRC_PORTS; @@ -269,7 +268,6 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--destination-port' allowed"); einfo->flags \|= XT_SCTP_DEST_PORTS; - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_sctp_ports(optarg, einfo->dpts); if (invert) einfo->invflags \|= XT_SCTP_DEST_PORTS; @@ -280,8 +278,6 @@ if (*flags & XT_SCTP_CHUNK_TYPES) xtables_error(PARAMETER_PROBLEM, "Only one `--chunk-types' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (!argv[optind] \|\| argv[optind][0] == '-' \|\| argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM,
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_set.c ^
@@ -64,8 +64,6 @@ if (info->u.flags[0]) xtables_error(PARAMETER_PROBLEM, "--match-set can be specified only once"); - - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->u.flags[0] \|= IPSET_MATCH_INV; @@ -151,8 +149,6 @@ if (info->dim) xtables_error(PARAMETER_PROBLEM, "--match-set can be specified only once"); - - xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->flags \|= IPSET_INV_MATCH;
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_state.c ^
@@ -23,7 +23,7 @@ static const struct xt_option_entry state_opts[] = { {.name = "state", .id = O_STATE, .type = XTTYPE_STRING, - .flags = XTOPT_MAND}, + .flags = XTOPT_MAND \| XTOPT_INVERT}, XTOPT_TABLEEND, };
[-] [+]	Changed	iptables-1.4.12.tar.bz2/extensions/libxt_tcp.c ^
@@ -148,7 +148,6 @@ if (flags & TCP_SRC_PORTS) xtables_error(PARAMETER_PROBLEM, "Only one `--source-port' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_tcp_ports(optarg, tcpinfo->spts); if (invert) tcpinfo->invflags \|= XT_TCP_INV_SRCPT; @@ -159,7 +158,6 @@ if (flags & TCP_DST_PORTS) xtables_error(PARAMETER_PROBLEM, "Only one `--destination-port' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_tcp_ports(optarg, tcpinfo->dpts); if (invert) tcpinfo->invflags \|= XT_TCP_INV_DSTPT; @@ -180,8 +178,6 @@ xtables_error(PARAMETER_PROBLEM, "Only one of `--syn' or `--tcp-flags' " " allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (!argv[optind] \|\| argv[optind][0] == '-' \|\| argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, @@ -197,7 +193,6 @@ if (*flags & TCP_OPTION) xtables_error(PARAMETER_PROBLEM, "Only one `--tcp-option' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0, argv); parse_tcp_option(optarg, &tcpinfo->option); if (invert) tcpinfo->invflags \|= XT_TCP_INV_OPTION;
[-] [+]	Changed	iptables-1.4.12.tar.bz2/include/xtables.h.in ^
@@ -137,11 +137,13 @@ * @arg: input from command line * @ext_name: name of extension currently being processed * @entry: current option being processed - * @data: per-extension data block + * @data: per-extension kernel data block * @xflags: options of the extension that have been used * @invert: whether option was used with ! * @nvals: number of results in uXX_multi * @val: parsed result + * @udata: per-extension private scratch area + * (cf. xtables_{match,target}->udata_size) / struct xt_option_call { const char arg, ext_name; @@ -174,16 +176,19 @@ struct xt_entry_target target; }; void xt_entry; + void udata; }; /* * @ext_name: name of extension currently being processed - * @data: per-extension data block + * @data: per-extension (kernel) data block + * @udata: per-extension private scratch area + * (cf. xtables_{match,target}->udata_size) * @xflags: options of the extension that have been used / struct xt_fcheck_call { const char ext_name; - void data; + void data, udata; unsigned int xflags; }; @@ -254,7 +259,11 @@ void (x6_fcheck)(struct xt_fcheck_call ); const struct xt_option_entry x6_options; + /* Size of per-extension instance extra "global" scratch space / + size_t udata_size; + / Ignore these men behind the curtain: / + void udata; unsigned int option_offset; struct xt_entry_match m; unsigned int mflags; @@ -318,7 +327,10 @@ void (x6_fcheck)(struct xt_fcheck_call ); const struct xt_option_entry x6_options; + size_t udata_size; + /* Ignore these men behind the curtain: / + void udata; unsigned int option_offset; struct xt_entry_target t; unsigned int tflags; @@ -420,8 +432,6 @@ / this is a special 64bit data type that is 8-byte aligned / #define aligned_u64 u_int64_t __attribute__((aligned(8))) -int xtables_check_inverse(const char option[], int invert, - int my_optind, int argc, char argv); extern struct xtables_globals xt_params; #define xtables_error (xt_params->exit_err)
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/Makefile.am ^
@@ -51,10 +51,10 @@ endif iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@; + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@; ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@; + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@; pkgconfig_DATA = xtables.pc
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/Makefile.in ^
@@ -949,10 +949,10 @@ iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@; + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@; ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@; + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@; # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook:
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/ip6tables-restore.c ^
@@ -460,7 +460,6 @@ exit(1); } - if (in != NULL) - fclose(in); + fclose(in); return 0; }
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/ip6tables.8.in ^
@@ -1,4 +1,4 @@ -.TH IP6TABLES 8 "" "iptables 1.4.4" "iptables 1.4.4" +.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@" .\" .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu> .\" It is based on iptables man page. @@ -333,7 +333,8 @@ 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the \fB\-x\fP flag to change this). For appending, insertion, deletion and replacement, this causes -detailed information on the rule or rules to be printed. +detailed information on the rule or rules to be printed. \fB\-v\fP may be +specified multiple times to possibly emit more detailed debug statements. .TP \fB\-n\fP, \fB\-\-numeric\fP Numeric output. @@ -365,9 +366,6 @@ and you can use the \fB\-h\fP or \fB\-\-help\fP options after the module has been specified to receive help specific to that module. -.PP -The following are included in the base package, and most of these can -be preceded by a "\fB!\fP" to invert the sense of the match. .\" @MATCH@ .SH TARGET EXTENSIONS ip6tables can use extended target modules: the following are included
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/ip6tables.c ^
@@ -1288,8 +1288,7 @@ cs->target->t->u.target_size = size; strcpy(cs->target->t->u.user.name, cs->jumpto); cs->target->t->u.user.revision = cs->target->revision; - if (cs->target->init != NULL) - cs->target->init(cs->target->t); + xs_init_target(cs->target); if (cs->target->x6_options != NULL) opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts, cs->target->x6_options, @@ -1317,8 +1316,7 @@ m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); m->m->u.user.revision = m->revision; - if (m->init != NULL) - m->init(m->m); + xs_init_match(m); if (m == m->next) return; /* Merge options for non-cloned matches / @@ -1538,7 +1536,6 @@ Option selection */ case 'p': - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_PROTOCOL, &cs.fw6.ipv6.invflags, cs.invert); @@ -1564,14 +1561,12 @@ break; case 's': - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_SOURCE, &cs.fw6.ipv6.invflags, cs.invert); shostnetworkmask = optarg; break; case 'd': - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_DESTINATION, &cs.fw6.ipv6.invflags, cs.invert); dhostnetworkmask = optarg; @@ -1596,7 +1591,6 @@ xtables_error(PARAMETER_PROBLEM, "Empty interface is likely to be " "undesired"); - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_VIANAMEIN, &cs.fw6.ipv6.invflags, cs.invert); xtables_parse_interface(optarg, @@ -1609,7 +1603,6 @@ xtables_error(PARAMETER_PROBLEM, "Empty interface is likely to be " "undesired"); - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw6.ipv6.invflags, cs.invert); xtables_parse_interface(optarg, @@ -1839,8 +1832,7 @@ cs.target->t = xtables_calloc(1, size); cs.target->t->u.target_size = size; strcpy(cs.target->t->u.user.name, cs.jumpto); - if (cs.target->init != NULL) - cs.target->init(cs.target->t); + xs_init_target(cs.target); } if (!cs.target) {
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/iptables-apply ^
@@ -11,7 +11,6 @@ VERSION=1.0 TIMEOUT=10 -DEFAULT_FILE=/etc/network/iptables function blurb() { @@ -87,6 +86,19 @@ shift done +case "$PROGNAME" in + (6) + SAVE=ip6tables-save + RESTORE=ip6tables-restore + DEFAULT_FILE=/etc/network/ip6tables + ;; + () + SAVE=iptables-save + RESTORE=iptables-restore + DEFAULT_FILE=/etc/network/iptables + ;; +esac + FILE="${1:-$DEFAULT_FILE}"; if [[ -z "$FILE" ]]; then @@ -99,17 +111,6 @@ exit 2 fi -case "${0##/}" in - (6) - SAVE=ip6tables-save - RESTORE=ip6tables-restore - ;; - (*) - SAVE=iptables-save - RESTORE=iptables-restore - ;; -esac - COMMANDS=(tempfile "$SAVE" "$RESTORE") for cmd in "${COMMANDS[@]}"; do
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/iptables-restore.c ^
@@ -465,7 +465,6 @@ exit(1); } - if (in != NULL) - fclose(in); + fclose(in); return 0; }
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/iptables-xml.c ^
@@ -865,8 +865,7 @@ exit(1); } - if (in != NULL) - fclose(in); + fclose(in); printf("</iptables-rules>\n"); free_argv();
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/iptables.8.in ^
@@ -332,7 +332,8 @@ 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the \fB\-x\fP flag to change this). For appending, insertion, deletion and replacement, this causes -detailed information on the rule or rules to be printed. +detailed information on the rule or rules to be printed. \fB\-v\fP may be +specified multiple times to possibly emit more detailed debug statements. .TP \fB\-n\fP, \fB\-\-numeric\fP Numeric output. @@ -364,9 +365,6 @@ and you can use the \fB\-h\fP or \fB\-\-help\fP options after the module has been specified to receive help specific to that module. -.PP -The following are included in the base package, and most of these can -be preceded by a "\fB!\fP" to invert the sense of the match. .\" @MATCH@ .SH TARGET EXTENSIONS iptables can use extended target modules: the following are included
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/iptables.c ^
@@ -178,9 +178,9 @@ /* -x / 0, / -i / IPT_INV_VIA_IN, / -o / IPT_INV_VIA_OUT, -/ -f / IPT_INV_FRAG, /--line/ 0, / -c / 0, +/ -f / IPT_INV_FRAG, }; #define opts iptables_globals.opts @@ -1315,8 +1315,8 @@ cs->target->t->u.target_size = size; strcpy(cs->target->t->u.user.name, cs->jumpto); cs->target->t->u.user.revision = cs->target->revision; - if (cs->target->init != NULL) - cs->target->init(cs->target->t); + xs_init_target(cs->target); + if (cs->target->x6_options != NULL) opts = xtables_options_xfrm(iptables_globals.orig_opts, opts, cs->target->x6_options, @@ -1344,8 +1344,7 @@ m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); m->m->u.user.revision = m->revision; - if (m->init != NULL) - m->init(m->m); + xs_init_match(m); if (m == m->next) return; / Merge options for non-cloned matches / @@ -1567,7 +1566,6 @@ Option selection / case 'p': - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_PROTOCOL, &cs.fw.ip.invflags, cs.invert); @@ -1585,14 +1583,12 @@ break; case 's': - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_SOURCE, &cs.fw.ip.invflags, cs.invert); shostnetworkmask = optarg; break; case 'd': - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_DESTINATION, &cs.fw.ip.invflags, cs.invert); dhostnetworkmask = optarg; @@ -1617,7 +1613,6 @@ xtables_error(PARAMETER_PROBLEM, "Empty interface is likely to be " "undesired"); - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_VIANAMEIN, &cs.fw.ip.invflags, cs.invert); xtables_parse_interface(optarg, @@ -1630,7 +1625,6 @@ xtables_error(PARAMETER_PROBLEM, "Empty interface is likely to be " "undesired"); - xtables_check_inverse(optarg, &cs.invert, &optind, argc, argv); set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw.ip.invflags, cs.invert); xtables_parse_interface(optarg, @@ -1871,8 +1865,7 @@ strcpy(cs.target->t->u.user.name, cs.jumpto); if (!iptc_is_chain(cs.jumpto, handle)) cs.target->t->u.user.revision = cs.target->revision; - if (cs.target->init != NULL) - cs.target->init(cs.target->t); + xs_init_target(cs.target); } if (!cs.target) {
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/xshared.c ^
@@ -145,8 +145,7 @@ m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); m->m->u.user.revision = m->revision; - if (m->init != NULL) - m->init(m->m); + xs_init_match(m); if (m->x6_options != NULL) gl->opts = xtables_options_xfrm(gl->orig_opts, @@ -207,3 +206,33 @@ fprintf(stderr, " * %s\n", cb->name); exit(EXIT_FAILURE); } + +void xs_init_target(struct xtables_target target) +{ + if (target->udata_size != 0) { + free(target->udata); + target->udata = calloc(1, target->udata_size); + if (target->udata == NULL) + xtables_error(RESOURCE_PROBLEM, "malloc"); + } + if (target->init != NULL) + target->init(target->t); +} + +void xs_init_match(struct xtables_match match) +{ + if (match->udata_size != 0) { + /* + * As soon as a subsequent instance of the same match + * is used, e.g. "-m time -m time", the first instance + * is no longer reachable anyway, so we can free udata. + * Same goes for target. + */ + free(match->udata); + match->udata = calloc(1, match->udata_size); + if (match->udata == NULL) + xtables_error(RESOURCE_PROBLEM, "malloc"); + } + if (match->init != NULL) + match->init(match->m); +}
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/xshared.h ^
@@ -81,6 +81,8 @@ struct xtables_globals ); extern struct xtables_match load_proto(struct iptables_command_state ); extern int subcmd_main(int, char , const struct subcommand ); +extern void xs_init_target(struct xtables_target ); +extern void xs_init_match(struct xtables_match ); extern const struct xtables_afinfo *afinfo;
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/xtables.c ^
@@ -15,6 +15,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. / +#include "config.h" #include <ctype.h> #include <errno.h> #include <fcntl.h> @@ -32,7 +33,11 @@ #include <sys/types.h> #include <sys/wait.h> #include <arpa/inet.h> -#include <linux/magic.h> / for PROC_SUPER_MAGIC / +#if defined(HAVE_LINUX_MAGIC_H) +# include <linux/magic.h> / for PROC_SUPER_MAGIC / +#elif defined(HAVE_LINUX_PROC_FS_H) +# include <linux/proc_fs.h> / Linux 2.4 / +#endif #include <xtables.h> #include <limits.h> / INT_MAX in ip_tables.h/ip6_tables.h / @@ -362,6 +367,7 @@ / not usually reached / exit(1); case -1: + free(buf); return -1; default: / parent / @@ -626,6 +632,7 @@ / Second and subsequent clones / clone = xtables_malloc(sizeof(struct xtables_match)); memcpy(clone, ptr, sizeof(struct xtables_match)); + clone->udata = NULL; clone->mflags = 0; / This is a clone: / clone->next = clone; @@ -1042,8 +1049,10 @@ case XTF_ONLY_ONCE: p2 = va_arg(args, const char ); b = va_arg(args, unsigned int); - if (!b) + if (!b) { + va_end(args); return; + } xt_params->exit_err(PARAMETER_PROBLEM, "%s: \"%s\" option may only be specified once", p1, p2); @@ -1051,8 +1060,10 @@ case XTF_NO_INVERT: p2 = va_arg(args, const char ); b = va_arg(args, unsigned int); - if (!b) + if (!b) { + va_end(args); return; + } xt_params->exit_err(PARAMETER_PROBLEM, "%s: \"%s\" option cannot be inverted", p1, p2); break; @@ -1065,8 +1076,10 @@ break; case XTF_ONE_ACTION: b = va_arg(args, unsigned int); - if (!b) + if (!b) { + va_end(args); return; + } xt_params->exit_err(PARAMETER_PROBLEM, "%s: At most one action is possible", p1); break; @@ -1287,7 +1300,7 @@ struct in_addr maskpp, unsigned int naddrs) { struct in_addr addrp; - char buf[256], p; + char buf[256], p, next; unsigned int len, i, j, n, count = 1; const char loop = name; @@ -1302,23 +1315,19 @@ loop = name; for (i = 0; i < count; ++i) { - if (loop == NULL) - break; - if (loop == ',') + while (isspace(loop)) ++loop; - if (loop == '\0') - break; - p = strchr(loop, ','); - if (p != NULL) - len = p - loop; + next = strchr(loop, ','); + if (next != NULL) + len = next - loop; else len = strlen(loop); - if (len == 0 \|\| sizeof(buf) - 1 < len) - break; + if (len > sizeof(buf) - 1) + xt_params->exit_err(PARAMETER_PROBLEM, + "Hostname too long"); strncpy(buf, loop, len); buf[len] = '\0'; - loop += len; if ((p = strrchr(buf, '/')) != NULL) { p = '\0'; addrp = parse_ipmask(p + 1); @@ -1356,6 +1365,9 @@ } / free what ipparse_hostnetwork had allocated: / free(addrp); + if (next == NULL) + break; + loop = next + 1; } naddrs = count; for (i = 0; i < count; ++i) @@ -1604,7 +1616,7 @@ { static const struct in6_addr zero_addr; struct in6_addr addrp; - char buf[256], p; + char buf[256], p, next; unsigned int len, i, j, n, count = 1; const char loop = name; @@ -1619,23 +1631,19 @@ loop = name; for (i = 0; i < count /NB: count can grow/; ++i) { - if (loop == NULL) - break; - if (loop == ',') + while (isspace(loop)) ++loop; - if (loop == '\0') - break; - p = strchr(loop, ','); - if (p != NULL) - len = p - loop; + next = strchr(loop, ','); + if (next != NULL) + len = next - loop; else len = strlen(loop); - if (len == 0 \|\| sizeof(buf) - 1 < len) - break; + if (len > sizeof(buf) - 1) + xt_params->exit_err(PARAMETER_PROBLEM, + "Hostname too long"); strncpy(buf, loop, len); buf[len] = '\0'; - loop += len; if ((p = strrchr(buf, '/')) != NULL) { p = '\0'; addrp = parse_ip6mask(p + 1); @@ -1669,6 +1677,9 @@ } / free what ip6parse_hostnetwork had allocated: / free(addrp); + if (next == NULL) + break; + loop = next + 1; } naddrs = count; for (i = 0; i < count; ++i) @@ -1755,35 +1766,6 @@ } } -/** - * Check for option-intrapositional negation. - * Do not use in new code. - / -int xtables_check_inverse(const char option[], int invert, - int my_optind, int argc, char argv) -{ - if (option == NULL \|\| strcmp(option, "!") != 0) - return false; - - fprintf(stderr, "Using intrapositioned negation " - "(`--option ! this`) is deprecated in favor of " - "extrapositioned (`! --option this`).\n"); - - if (invert) - xt_params->exit_err(PARAMETER_PROBLEM, - "Multiple `!' flags not allowed"); - invert = true; - if (my_optind != NULL) { - optarg = argv[my_optind]; - ++my_optind; - if (argc && my_optind > argc) - xt_params->exit_err(PARAMETER_PROBLEM, - "no argument following `!'"); - } - - return true; -} - const struct xtables_pprot xtables_chain_protos[] = { {"tcp", IPPROTO_TCP}, {"sctp", IPPROTO_SCTP},
[-] [+]	Changed	iptables-1.4.12.tar.bz2/iptables/xtoptions.c ^
@@ -908,6 +908,7 @@ cb.xflags = t->tflags; cb.target = &t->t; cb.xt_entry = fw; + cb.udata = t->udata; t->x6_parse(&cb); t->tflags = cb.xflags; } @@ -943,6 +944,7 @@ cb.xflags = m->mflags; cb.match = &m->m; cb.xt_entry = fw; + cb.udata = m->udata; m->x6_parse(&cb); m->mflags = cb.xflags; } @@ -1028,6 +1030,7 @@ cb.ext_name = t->name; cb.data = t->t->data; cb.xflags = t->tflags; + cb.udata = t->udata; t->x6_fcheck(&cb); } else if (t->final_check != NULL) { t->final_check(t->tflags); @@ -1048,6 +1051,7 @@ cb.ext_name = m->name; cb.data = m->m->data; cb.xflags = m->mflags; + cb.udata = m->udata; m->x6_fcheck(&cb); } else if (m->final_check != NULL) { m->final_check(m->mflags);
[-] [+]	Changed	iptables-1.4.12.tar.bz2/libipq/libipq.c ^
@@ -231,7 +231,6 @@ if (h->fd == -1) { ipq_errno = IPQ_ERR_SOCKET; - close(h->fd); free(h); return NULL; }
[-] [+]	Changed	iptables-1.4.12.tar.bz2/libiptc/libiptc.c ^
@@ -403,7 +403,7 @@ } debug("jump back to pos:%d (end:%d)\n", pos, end); goto loop; - } else if (res > 0 ){ /* Not far enough, jump forward / + } else { / res > 0; Not far enough, jump forward / / Exit case: Last element of array / if (pos == handle->chain_index_sz-1) { @@ -430,8 +430,6 @@ debug("jump forward to pos:%d (end:%d)\n", pos, end); goto loop; } - - return list_pos; } / Wrapper for string chain name based bsearch */
[-] [+]	Changed	iptables-1.4.12.tar.bz2/tests/options-most.rules ^
@@ -1,4 +1,3 @@ -# Generated by ip6tables-save v1.4.10 on Mon Jan 31 02:19:53 2011 filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] @@ -76,6 +75,8 @@ -A matches -A matches -m conntrack --ctexpire 5:4294967295 -A matches +-A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9 +-A matches -A matches -p esp -m esp --espspi 1 -A matches -A matches -p esp -m esp --espspi :2 @@ -86,6 +87,11 @@ -A matches -A matches -p esp -m esp --espspi 5:4294967295 -A matches +-A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 +-A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2 +-A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3 +-A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4 +-A matches -A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -A matches -A matches -m length --length 1 @@ -146,6 +152,8 @@ -A matches -A matches -m rt --rt-segsleft 5:4294967295 -A matches +-A ntarg -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options +-A ntarg -A ntarg -j NFQUEUE --queue-num 1 -A ntarg -A ntarg -j NFQUEUE --queue-balance 8:99 @@ -169,4 +177,17 @@ #-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9 #-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9 COMMIT -# Completed on Mon Jan 31 02:19:54 2011 +mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:matches - - +:ntarg - - +:zmatches - - +-A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg +-A ntarg -j HL --hl-inc 1 +-A ntarg -j HL --hl-dec 1 +-A ntarg +COMMIT