iptables.spec
iptables-1.4.12.1.tar.bz2/autogen.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh -e
autoreconf -fi;
rm -Rf autom4te*.cache;
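Review bot: The `-e` added to the shebang only takes effect when the script is executed directly; `sh autogen.sh` (or sourcing it) silently drops it, so a failing `autoreconf -fi` no longer stops the script and the following `rm -Rf autom4te*.cache` runs on a half-generated tree. An explicit `set -e` as the first statement survives every invocation style: keep `#!/bin/sh` and put `set -e` on the line before `autoreconf -fi;`. The trailing semicolons on both commands are harmless but unnecessary under sh.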
iptables-1.4.12.1.tar.bz2/config.h.in
@@ -70,6 +70,9 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
+/* The size of `struct ip6_hdr', as computed by sizeof. */
+#undef SIZEOF_STRUCT_IP6_HDR
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
iptables-1.4.12.1.tar.bz2/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.67 for iptables 1.4.12.
+# Generated by GNU Autoconf 2.67 for iptables 1.4.12.1.
#
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -698,8 +698,8 @@
# Identity of this package.
PACKAGE_NAME='iptables'
PACKAGE_TARNAME='iptables'
-PACKAGE_VERSION='1.4.12'
-PACKAGE_STRING='iptables 1.4.12'
+PACKAGE_VERSION='1.4.12.1'
+PACKAGE_STRING='iptables 1.4.12.1'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1459,7 +1459,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures iptables 1.4.12 to adapt to many kinds of systems.
+\`configure' configures iptables 1.4.12.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1529,7 +1529,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of iptables 1.4.12:";;
+ short | recursive ) echo "Configuration of iptables 1.4.12.1:";;
esac
cat <<\_ACEOF
@@ -1651,7 +1651,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-iptables configure 1.4.12
+iptables configure 1.4.12.1
generated by GNU Autoconf 2.67
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2012,11 +2012,189 @@
eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
} # ac_fn_c_check_header_mongrel
+
+# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES
+# --------------------------------------------
+# Tries to find the compile-time value of EXPR in a program that includes
+# INCLUDES, setting VAR accordingly. Returns whether the value could be
+# computed
+ac_fn_c_compute_int ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ if test "$cross_compiling" = yes; then
+ # Depending upon the size, compute the lo and hi bounds.
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) >= 0)];
+test_array [0] = 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_lo=0 ac_mid=0
+ while :; do
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) <= $ac_mid)];
+test_array [0] = 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_hi=$ac_mid; break
+else
+ as_fn_arith $ac_mid + 1 && ac_lo=$as_val
+ if test $ac_lo -le $ac_mid; then
+ ac_lo= ac_hi=
+ break
+ fi
+ as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) < 0)];
+test_array [0] = 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_hi=-1 ac_mid=-1
+ while :; do
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) >= $ac_mid)];
+test_array [0] = 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_lo=$ac_mid; break
+else
+ as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val
+ if test $ac_mid -le $ac_hi; then
+ ac_lo= ac_hi=
+ break
+ fi
+ as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+else
+ ac_lo= ac_hi=
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+# Binary search between lo and hi bounds.
+while test "x$ac_lo" != "x$ac_hi"; do
+ as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$4
+int
+main ()
+{
+static int test_array [1 - 2 * !(($2) <= $ac_mid)];
+test_array [0] = 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_hi=$ac_mid
+else
+ as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+done
+case $ac_lo in #((
+?*) eval "$3=\$ac_lo"; ac_retval=0 ;;
+'') ac_retval=1 ;;
+esac
+ else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+$4
+static long int longval () { return $2; }
+static unsigned long int ulongval () { return $2; }
+#include <stdio.h>
+#include <stdlib.h>
+int
+main ()
+{
+
+ FILE *f = fopen ("conftest.val", "w");
+ if (! f)
+ return 1;
+ if (($2) < 0)
+ {
+ long int i = longval ();
+ if (i != ($2))
+ return 1;
+ fprintf (f, "%ld", i);
+ }
+ else
+ {
+ unsigned long int i = ulongval ();
+ if (i != ($2))
+ return 1;
+ fprintf (f, "%lu", i);
+ }
+ /* Do not output a trailing newline, as this causes \r\n confusion
+ on some platforms. */
+ return ferror (f) || fclose (f) != 0;
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ echo >>conftest.val; read $3 <conftest.val; ac_retval=0
+else
+ ac_retval=1
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+rm -f conftest.val
+
+ fi
+ eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+ as_fn_set_status $ac_retval
+
+} # ac_fn_c_compute_int
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by iptables $as_me 1.4.12, which was
+It was created by iptables $as_me 1.4.12.1, which was
generated by GNU Autoconf 2.67. Invocation command line was
$ $0 $@
@@ -2839,7 +3017,7 @@
# Define the identity of the package.
PACKAGE='iptables'
- VERSION='1.4.12'
+ VERSION='1.4.12.1'
cat >>confdefs.h <<_ACEOF
@@ -4695,13 +4873,13 @@
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:4698: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:4876: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:4701: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:4879: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:4704: output\"" >&5)
+ (eval echo "\"\$as_me:4882: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
@@ -5907,7 +6085,7 @@
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 5910 "configure"' > conftest.$ac_ext
+ echo '#line 6088 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -7406,11 +7584,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7409: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:7587: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:7413: \$? = $ac_status" >&5
+ echo "$as_me:7591: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -7745,11 +7923,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7748: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:7926: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:7752: \$? = $ac_status" >&5
+ echo "$as_me:7930: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -7850,11 +8028,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7853: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8031: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:7857: \$? = $ac_status" >&5
+ echo "$as_me:8035: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -7905,11 +8083,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7908: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8086: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:7912: \$? = $ac_status" >&5
+ echo "$as_me:8090: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -10289,7 +10467,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 10292 "configure"
+#line 10470 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10385,7 +10563,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 10388 "configure"
+#line 10566 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10746,6 +10924,40 @@
fi;
+# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of struct ip6_hdr" >&5
+$as_echo_n "checking size of struct ip6_hdr... " >&6; }
+if test "${ac_cv_sizeof_struct_ip6_hdr+set}" = set; then :
+ $as_echo_n "(cached) " >&6
+else
+ if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (struct ip6_hdr))" "ac_cv_sizeof_struct_ip6_hdr" "#include <netinet/ip6.h>
+"; then :
+
+else
+ if test "$ac_cv_type_struct_ip6_hdr" = yes; then
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (struct ip6_hdr)
+See \`config.log' for more details" "$LINENO" 5 ; }
+ else
+ ac_cv_sizeof_struct_ip6_hdr=0
+ fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_struct_ip6_hdr" >&5
+$as_echo "$ac_cv_sizeof_struct_ip6_hdr" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_STRUCT_IP6_HDR $ac_cv_sizeof_struct_ip6_hdr
+_ACEOF
+
+
if test "$enable_static" = "yes"; then
ENABLE_STATIC_TRUE=
@@ -11028,7 +11240,7 @@
libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage));
-ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc libipq/Makefile libiptc/Makefile libiptc/libiptc.pc utils/Makefile include/xtables.h include/iptables/internal.h"
+ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc utils/Makefile include/xtables.h include/iptables/internal.h"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -11584,7 +11796,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by iptables $as_me 1.4.12, which was
+This file was extended by iptables $as_me 1.4.12.1, which was
generated by GNU Autoconf 2.67. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -11650,7 +11862,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-iptables config.status 1.4.12
+iptables config.status 1.4.12.1
configured by $0, generated by GNU Autoconf 2.67,
with options \\"\$ac_cs_config\\"
@@ -12043,6 +12255,7 @@
"iptables/Makefile") CONFIG_FILES="$CONFIG_FILES iptables/Makefile" ;;
"iptables/xtables.pc") CONFIG_FILES="$CONFIG_FILES iptables/xtables.pc" ;;
"libipq/Makefile") CONFIG_FILES="$CONFIG_FILES libipq/Makefile" ;;
+ "libipq/libipq.pc") CONFIG_FILES="$CONFIG_FILES libipq/libipq.pc" ;;
"libiptc/Makefile") CONFIG_FILES="$CONFIG_FILES libiptc/Makefile" ;;
"libiptc/libiptc.pc") CONFIG_FILES="$CONFIG_FILES libiptc/libiptc.pc" ;;
"utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;;
iptables-1.4.12.1.tar.bz2/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([iptables], [1.4.12])
+AC_INIT([iptables], [1.4.12.1])
# See libtool.info "Libtool's versioning system"
libxtables_vcurrent=7
@@ -68,6 +68,7 @@
fi;
AC_SUBST([blacklist_modules])
+AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" = "yes"])
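Review bot: `AC_CHECK_SIZEOF` does not fail when `struct ip6_hdr` cannot be found — the generated configure in this same patch sets `ac_cv_sizeof_struct_ip6_hdr=0` in that case — and that 0 is then written into `SIZEOF_STRUCT_IP6_HDR` and consumed as a bound by extensions/libxt_TCPMSS.c. A system without a usable `<netinet/ip6.h>` would therefore produce a build whose IPv6 `--set-mss` accepts values up to UINT16_MAX and whose help text names a 0-byte header, rather than a configure error. Fail early instead, right after the check: `AS_IF([test "$ac_cv_sizeof_struct_ip6_hdr" = 0], [AC_MSG_ERROR([cannot determine sizeof(struct ip6_hdr); is netinet/ip6.h available?])])`.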
@@ -110,6 +111,7 @@
AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
iptables/Makefile iptables/xtables.pc
- libipq/Makefile libiptc/Makefile libiptc/libiptc.pc utils/Makefile
+ libipq/Makefile libipq/libipq.pc
+ libiptc/Makefile libiptc/libiptc.pc utils/Makefile
include/xtables.h include/iptables/internal.h])
AC_OUTPUT
iptables-1.4.12.1.tar.bz2/extensions/GNUmakefile.in
@@ -21,7 +21,7 @@
kinclude_CPPFLAGS := @kinclude_CPPFLAGS@
AM_CFLAGS := ${regular_CFLAGS}
-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS}
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
ifeq (${V},)
iptables-1.4.12.1.tar.bz2/extensions/libip6t_dst.c
@@ -111,6 +111,9 @@
xtables_option_parse(cb);
switch (cb->entry->id) {
+ case O_DSTLEN:
+ optinfo->flags |= IP6T_OPTS_LEN;
+ break;
case O_DSTOPTS:
optinfo->optsnr = parse_options(cb->arg, optinfo->opts);
optinfo->flags |= IP6T_OPTS_OPTS;
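Review bot: The new `O_DSTLEN` case records only `IP6T_OPTS_LEN` and never looks at `cb->invert`, whereas the parallel `O_HBH_LEN` case in libip6t_hbh.c from this same patch sets `IP6T_OPTS_INV_LEN` first. If the dst option table marks `--dst-len` with `XTOPT_INVERT` (the table is not in this hunk), `! --dst-len N` is accepted but silently matches un-inverted, which is the wrong direction for a firewall rule. Mirror hbh: `if (cb->invert) optinfo->invflags |= IP6T_OPTS_INV_LEN;` before `optinfo->flags |= IP6T_OPTS_LEN;`. The enclosing switch and function continue outside the hunk.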
iptables-1.4.12.1.tar.bz2/extensions/libip6t_frag.c
@@ -50,6 +50,22 @@
case O_FRAGID:
if (cb->nvals == 1)
fraginfo->ids[1] = fraginfo->ids[0];
+ if (cb->invert)
+ fraginfo->invflags |= IP6T_FRAG_INV_IDS;
+ /*
+ * Note however that IP6T_FRAG_IDS is not tested by anything,
+ * so it is merely here for completeness.
+ */
+ fraginfo->flags |= IP6T_FRAG_IDS;
+ break;
+ case O_FRAGLEN:
+ /*
+ * As of Linux 3.0, the kernel does not check for
+ * fraglen at all.
+ */
+ if (cb->invert)
+ fraginfo->invflags |= IP6T_FRAG_INV_LEN;
+ fraginfo->flags |= IP6T_FRAG_LEN;
break;
case O_FRAGRES:
fraginfo->flags |= IP6T_FRAG_RES;
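Review bot: `--fraglen` is now parsed and stored even though the added comment states the kernel (as of 3.0) never evaluates it, so a rule such as `-m frag --fraglen 100 -j ACCEPT` matches every fragment — broader than the administrator wrote — with no indication at rule-insertion time. At minimum the user should be told when the option is used, e.g. `fprintf(stderr, "warning: --fraglen is not honoured by the kernel; the rule matches regardless of fragment length\n");` in the `O_FRAGLEN` case, and the man page should carry the same caveat. The same applies, by the comment's own admission, to `IP6T_FRAG_IDS`, though the id range itself may still be checked by the kernel — that is not visible here. The enclosing switch continues past the hunk.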
iptables-1.4.12.1.tar.bz2/extensions/libip6t_hbh.c
@@ -108,6 +108,7 @@
case O_HBH_LEN:
if (cb->invert)
optinfo->invflags |= IP6T_OPTS_INV_LEN;
+ optinfo->flags |= IP6T_OPTS_LEN;
break;
case O_HBH_OPTS:
optinfo->optsnr = parse_options(cb->arg, optinfo->opts);
iptables-1.4.12.1.tar.bz2/extensions/libipt_ttl.c
@@ -20,7 +20,7 @@
{
printf(
"ttl match options:\n"
-" --ttl-eq value Match time to live value\n"
+"[!] --ttl-eq value Match time to live value\n"
" --ttl-lt value Match TTL < value\n"
" --ttl-gt value Match TTL > value\n");
}
iptables-1.4.12.1.tar.bz2/extensions/libipt_ttl.man
@@ -1,6 +1,6 @@
This module matches the time to live field in the IP header.
.TP
-\fB\-\-ttl\-eq\fP \fIttl\fP
+[\fB!\fP] \fB\-\-ttl\-eq\fP \fIttl\fP
Matches the given TTL value.
.TP
\fB\-\-ttl\-gt\fP \fIttl\fP
iptables-1.4.12.1.tar.bz2/extensions/libxt_SET.c
@@ -143,9 +143,6 @@
}
/* Revision 1 */
-
-#define set_target_help_v1 set_target_help_v0
-
static void
set_target_init_v1(struct xt_entry_target *target)
{
@@ -204,8 +201,6 @@
return 1;
}
-#define set_target_check_v1 set_target_check_v0
-
static void
print_target(const char *prefix, const struct xt_set_info *info)
{
@@ -242,8 +237,6 @@
print_target("--del-set", &info->del_set);
}
-#define set_target_opts_v1 set_target_opts_v0
-
/* Revision 2 */
static void
@@ -376,13 +369,13 @@
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
- .help = set_target_help_v1,
+ .help = set_target_help_v0,
.init = set_target_init_v1,
.parse = set_target_parse_v1,
- .final_check = set_target_check_v1,
+ .final_check = set_target_check_v0,
.print = set_target_print_v1,
.save = set_target_save_v1,
- .extra_opts = set_target_opts_v1,
+ .extra_opts = set_target_opts_v0,
},
{
.name = "SET",
iptables-1.4.12.1.tar.bz2/extensions/libxt_SET.man
@@ -21,6 +21,5 @@
when adding entry if it already exists, reset the timeout value
to the specified one or to the default from the set definition
.PP
-Use of -j SET requires that ipset kernel support is provided. As standard
-kernels do not ship this currently, the ipset or Xtables-addons package needs
-to be installed.
+Use of -j SET requires that ipset kernel support is provided, which, for
+standard kernels, is the case since Linux 2.6.39.
iptables-1.4.12.1.tar.bz2/extensions/libxt_TCPMSS.c
@@ -2,10 +2,10 @@
*
* Copyright (c) 2000 Marc Boucher
*/
+#include "config.h"
#include <stdio.h>
#include <xtables.h>
#include <netinet/ip.h>
-#include <netinet/ip6.h>
#include <linux/netfilter/xt_TCPMSS.h>
enum {
@@ -34,7 +34,7 @@
static void TCPMSS_help6(void)
{
- __TCPMSS_help(sizeof(struct ip6_hdr));
+ __TCPMSS_help(SIZEOF_STRUCT_IP6_HDR);
}
static const struct xt_option_entry TCPMSS4_opts[] = {
@@ -47,7 +47,7 @@
static const struct xt_option_entry TCPMSS6_opts[] = {
{.name = "set-mss", .id = O_SET_MSS, .type = XTTYPE_UINT16,
- .min = 0, .max = UINT16_MAX - sizeof(struct ip6_hdr),
+ .min = 0, .max = UINT16_MAX - SIZEOF_STRUCT_IP6_HDR,
.flags = XTOPT_PUT, XTOPT_POINTER(struct xt_tcpmss_info, mss)},
{.name = "clamp-mss-to-pmtu", .id = O_CLAMP_MSS, .type = XTTYPE_NONE},
XTOPT_TABLEEND,
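Review bot: `.max = UINT16_MAX - SIZEOF_STRUCT_IP6_HDR` now depends on a configure-time constant that the generated configure in this patch sets to 0 when the type cannot be found, and nothing in this file rejects that value, so a misconfigured build quietly widens the IPv6 `--set-mss` range to UINT16_MAX while `TCPMSS_help6` advertises a 0-byte header. Guard it next to the include: `#if SIZEOF_STRUCT_IP6_HDR == 0` / `# error "sizeof(struct ip6_hdr) not determined by configure"` / `#endif`. A one-line why-comment on `#include "config.h"` would also help — presumably `<netinet/ip6.h>` was dropped because it clashes with the kernel headers pulled in below, but the hunk does not say, and the next reader may simply reinstate the include.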
@@ -91,36 +91,36 @@
printf(" --set-mss %u", mssinfo->mss);
}
-static struct xtables_target tcpmss_target = {
- .family = NFPROTO_IPV4,
- .name = "TCPMSS",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
- .help = TCPMSS_help,
- .print = TCPMSS_print,
- .save = TCPMSS_save,
- .x6_parse = TCPMSS_parse,
- .x6_fcheck = TCPMSS_check,
- .x6_options = TCPMSS4_opts,
-};
-
-static struct xtables_target tcpmss_target6 = {
- .family = NFPROTO_IPV6,
- .name = "TCPMSS",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
- .help = TCPMSS_help6,
- .print = TCPMSS_print,
- .save = TCPMSS_save,
- .x6_parse = TCPMSS_parse,
- .x6_fcheck = TCPMSS_check,
- .x6_options = TCPMSS6_opts,
+static struct xtables_target tcpmss_tg_reg[] = {
+ {
+ .family = NFPROTO_IPV4,
+ .name = "TCPMSS",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .help = TCPMSS_help,
+ .print = TCPMSS_print,
+ .save = TCPMSS_save,
+ .x6_parse = TCPMSS_parse,
+ .x6_fcheck = TCPMSS_check,
+ .x6_options = TCPMSS4_opts,
+ },
+ {
+ .family = NFPROTO_IPV6,
+ .name = "TCPMSS",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_info)),
+ .help = TCPMSS_help6,
+ .print = TCPMSS_print,
+ .save = TCPMSS_save,
+ .x6_parse = TCPMSS_parse,
+ .x6_fcheck = TCPMSS_check,
+ .x6_options = TCPMSS6_opts,
+ },
};
void _init(void)
{
- xtables_register_target(&tcpmss_target);
- xtables_register_target(&tcpmss_target6);
+ xtables_register_targets(tcpmss_tg_reg, ARRAY_SIZE(tcpmss_tg_reg));
}
iptables-1.4.12.1.tar.bz2/extensions/libxt_TEE.c
@@ -92,36 +92,36 @@
printf(" --oif %s", info->oif);
}
-static struct xtables_target tee_tg_reg = {
- .name = "TEE",
- .version = XTABLES_VERSION,
- .revision = 1,
- .family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
- .help = tee_tg_help,
- .print = tee_tg_print,
- .save = tee_tg_save,
- .x6_parse = xtables_option_parse,
- .x6_options = tee_tg_opts,
-};
-
-static struct xtables_target tee_tg6_reg = {
- .name = "TEE",
- .version = XTABLES_VERSION,
- .revision = 1,
- .family = NFPROTO_IPV6,
- .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
- .help = tee_tg_help,
- .print = tee_tg6_print,
- .save = tee_tg6_save,
- .x6_parse = xtables_option_parse,
- .x6_options = tee_tg_opts,
+static struct xtables_target tee_tg_reg[] = {
+ {
+ .name = "TEE",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .help = tee_tg_help,
+ .print = tee_tg_print,
+ .save = tee_tg_save,
+ .x6_parse = xtables_option_parse,
+ .x6_options = tee_tg_opts,
+ },
+ {
+ .name = "TEE",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .help = tee_tg_help,
+ .print = tee_tg6_print,
+ .save = tee_tg6_save,
+ .x6_parse = xtables_option_parse,
+ .x6_options = tee_tg_opts,
+ },
};
void _init(void)
{
- xtables_register_target(&tee_tg_reg);
- xtables_register_target(&tee_tg6_reg);
+ xtables_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
}
iptables-1.4.12.1.tar.bz2/extensions/libxt_TOS.man
@@ -28,9 +28,9 @@
\fIbits\fP\fB/0\fP. See NOTE below.)
.PP
NOTE: In Linux kernels up to and including 2.6.38, with the exception of
-longterm releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug
-whereby IPv6 TOS mangling does not behave as documented and differs from the
-IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs
-to be inverted before applying it to the original TOS field. However, the
+longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
+a bug whereby IPv6 TOS mangling does not behave as documented and differs from
+the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
+needs to be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.
iptables-1.4.12.1.tar.bz2/extensions/libxt_TRACE.man
@@ -1,4 +1,4 @@
-This target marks packes so that the kernel will log every rule which match
+This target marks packets so that the kernel will log every rule which match
the packets as those traverse the tables, chains, rules.
.PP
A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
iptables-1.4.12.1.tar.bz2/extensions/libxt_connlimit.man
@@ -13,7 +13,8 @@
maximum prefix length for the applicable protocol is used.
.TP
\fB\-\-connlimit\-saddr\fP
-Apply the limit onto the source group.
+Apply the limit onto the source group. This is the default if
+\-\-connlimit\-daddr is not specified.
.TP
\fB\-\-connlimit\-daddr\fP
Apply the limit onto the destination group.
iptables-1.4.12.1.tar.bz2/extensions/libxt_conntrack.c
@@ -93,8 +93,7 @@
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT,
- XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)},
+ .flags = XTOPT_INVERT},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST,
@@ -117,7 +116,7 @@
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
+ .flags = XTOPT_INVERT},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
@@ -143,13 +142,13 @@
};
#undef s
-#define s struct xt_conntrack_mtinfo3 /* for v1-v3 */
-/* We exploit the fact that v1-v3 share the same layout */
+#define s struct xt_conntrack_mtinfo3
+/* Difference from v2 is the non-NBO form. */
static const struct xt_option_entry conntrack3_mt_opts[] = {
{.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
- .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
+ .flags = XTOPT_INVERT},
{.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_INVERT},
{.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
@@ -336,6 +335,7 @@
sinfo->invflags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
if (cb->invert)
sinfo->invflags |= XT_CONNTRACK_PROTO;
if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
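Review bot: The explicit `sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;` deserves a comment saying why it is needed, because the removed option entries carried `XTOPT_POINTER` without `XTOPT_PUT` — as far as this diff shows, the pointer was never consulted and the protocol was never stored, which is what the assignment fixes. Without that note a future cleanup could "simplify" back to the pointer form and reintroduce the silent no-op. Something like `/* no XTOPT_PUT on this entry: store the parsed protocol by hand */` above the assignment, and the same in the v3 parser below, would do. The enclosing switch continues outside the hunk.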
@@ -400,6 +400,7 @@
info->invert_flags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
+ info->l4proto = cb->val.protocol;
if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
"never match protocol");
iptables-1.4.12.1.tar.bz2/extensions/libxt_dccp.c
@@ -37,7 +37,10 @@
"[!] --source-port port[:port] match source port(s)\n"
" --sport ...\n"
"[!] --destination-port port[:port] match destination port(s)\n"
-" --dport ...\n");
+" --dport ...\n"
+"[!] --dccp-types type[,...] match when packet is one of the given types\n"
+"[!] --dccp-option option match if option (by number!) is set\n"
+);
}
#define s struct xt_dccp_info
@@ -50,9 +53,10 @@
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, dpts)},
{.name = "dport", .id = O_DEST_PORT, .type = XTTYPE_PORTRC,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, dpts)},
- {.name = "dccp-types", .id = O_DCCP_TYPES, .type = XTTYPE_STRING},
+ {.name = "dccp-types", .id = O_DCCP_TYPES, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT},
{.name = "dccp-option", .id = O_DCCP_OPTION, .type = XTTYPE_UINT8,
- .min = 1, .max = UINT8_MAX, .flags = XTOPT_PUT,
+ .min = 1, .max = UINT8_MAX, .flags = XTOPT_INVERT | XTOPT_PUT,
XTOPT_POINTER(s, option)},
XTOPT_TABLEEND,
};
@@ -261,13 +265,14 @@
}
if (einfo->flags & XT_DCCP_TYPE) {
- printf(" --dccp-type");
- print_types(einfo->typemask, einfo->invflags & XT_DCCP_TYPE,0);
+ printf("%s --dccp-types",
+ einfo->invflags & XT_DCCP_TYPE ? " !" : "");
+ print_types(einfo->typemask, false, 0);
}
if (einfo->flags & XT_DCCP_OPTION) {
- printf(" --dccp-option %s%u",
- einfo->typemask & XT_DCCP_OPTION ? "! " : "",
+ printf("%s --dccp-option %u",
+ einfo->invflags & XT_DCCP_OPTION ? " !" : "",
einfo->option);
}
}
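Review bot: The option table now advertises `!` for `--dccp-types` and `--dccp-option`, and the save path reads `einfo->invflags & XT_DCCP_TYPE` / `XT_DCCP_OPTION`, but the parse cases that would set those bits are outside the hunks. If they do not translate `cb->invert` into `einfo->invflags |= XT_DCCP_TYPE;` (and the same for `XT_DCCP_OPTION`), a negated rule is accepted and silently matches the opposite of what the administrator wrote — please confirm both cases. The print fix itself is right: the old code tested `typemask` for the option inversion, which could never be correct.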
iptables-1.4.12.1.tar.bz2/extensions/libxt_dccp.man
@@ -9,4 +9,4 @@
.BR "REQUEST RESPONSE DATA ACK DATAACK CLOSEREQ CLOSE RESET SYNC SYNCACK INVALID" .
.TP
[\fB!\fP] \fB\-\-dccp\-option\fP \fInumber\fP
-Match if DCP option set.
+Match if DCCP option set.
iptables-1.4.12.1.tar.bz2/extensions/libxt_dscp.c
@@ -43,9 +43,10 @@
static const struct xt_option_entry dscp_opts[] = {
{.name = "dscp", .id = O_DSCP, .excl = F_DSCP_CLASS,
.type = XTTYPE_UINT8, .min = 0, .max = XT_DSCP_MAX,
- .flags = XTOPT_PUT, XTOPT_POINTER(struct xt_dscp_info, dscp)},
+ .flags = XTOPT_INVERT | XTOPT_PUT,
+ XTOPT_POINTER(struct xt_dscp_info, dscp)},
{.name = "dscp-class", .id = O_DSCP_CLASS, .excl = F_DSCP,
- .type = XTTYPE_STRING},
+ .type = XTTYPE_STRING, .flags = XTOPT_INVERT},
XTOPT_TABLEEND,
};
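Review bot: Adding `XTOPT_INVERT` to `--dscp` and `--dscp-class` only makes the parser accept `!`; the parse callback (not in this hunk) must also copy the flag into the match info, otherwise the negation is dropped and the rule matches the inverse of what was written. Please check that both `O_DSCP` and `O_DSCP_CLASS` do `dinfo->invert = cb->invert;` (or whatever the match-info field is called) and that print/save emit the `!` accordingly.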
iptables-1.4.12.1.tar.bz2/extensions/libxt_hashlimit.c
@@ -23,7 +23,6 @@
/* miliseconds */
#define XT_HASHLIMIT_GCINTERVAL 1000
-#define XT_HASHLIMIT_EXPIRE 10000
struct hashlimit_mt_udata {
uint32_t mult;
@@ -89,7 +88,7 @@
#define s struct xt_hashlimit_info
static const struct xt_option_entry hashlimit_opts[] = {
{.name = "hashlimit", .id = O_UPTO, .excl = F_ABOVE,
- .type = XTTYPE_STRING, .flags = XTOPT_INVERT},
+ .type = XTTYPE_STRING},
{.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_UINT32,
.min = 1, .max = 10000, .flags = XTOPT_PUT,
XTOPT_POINTER(s, cfg.burst)},
@@ -187,7 +186,6 @@
r->cfg.burst = XT_HASHLIMIT_BURST;
r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
- r->cfg.expire = XT_HASHLIMIT_EXPIRE;
}
@@ -198,7 +196,6 @@
info->cfg.mode = 0;
info->cfg.burst = XT_HASHLIMIT_BURST;
info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
- info->cfg.expire = XT_HASHLIMIT_EXPIRE;
info->cfg.srcmask = 32;
info->cfg.dstmask = 32;
}
@@ -210,7 +207,6 @@
info->cfg.mode = 0;
info->cfg.burst = XT_HASHLIMIT_BURST;
info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL;
- info->cfg.expire = XT_HASHLIMIT_EXPIRE;
info->cfg.srcmask = 128;
info->cfg.dstmask = 128;
}
@@ -251,19 +247,10 @@
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_UPTO:
- if (cb->invert)
- info->cfg.mode |= XT_HASHLIMIT_INVERT;
if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-upto", cb->arg);
break;
- case O_ABOVE:
- if (!cb->invert)
- info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
- xtables_param_act(XTF_BAD_VALUE, "hashlimit",
- "--hashlimit-above", cb->arg);
- break;
case O_MODE:
if (parse_mode(&info->cfg.mode, cb->arg) < 0)
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
@@ -315,7 +302,7 @@
xtables_error(PARAMETER_PROBLEM,
"You have to specify --hashlimit");
if (!(cb->xflags & F_HTABLE_EXPIRE))
- info->cfg.expire = udata->mult;
+ info->cfg.expire = udata->mult * 1000; /* from s to msec */
}
static void hashlimit_mt_check(struct xt_fcheck_call *cb)
@@ -327,7 +314,7 @@
xtables_error(PARAMETER_PROBLEM,
"You have to specify --hashlimit");
if (!(cb->xflags & F_HTABLE_EXPIRE))
- info->cfg.expire = udata->mult;
+ info->cfg.expire = udata->mult * 1000; /* from s to msec */
}
static const struct rates
@@ -339,7 +326,7 @@
{ "min", XT_HASHLIMIT_SCALE*60 },
{ "sec", XT_HASHLIMIT_SCALE } };
-static void print_rate(uint32_t period)
+static uint32_t print_rate(uint32_t period)
{
unsigned int i;
@@ -349,6 +336,8 @@
break;
printf(" %u/%s", rates[i-1].mult / period, rates[i-1].name);
+ /* return in msec */
+ return rates[i-1].mult / XT_HASHLIMIT_SCALE * 1000;
}
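Review bot: `print_rate` now both prints and computes the default expire, and the `/* return in msec */` comment does not say why the division precedes the multiplication, which is the non-obvious part: if `XT_HASHLIMIT_SCALE` is the kernel's 10000 (its value is not visible here), `rates[i-1].mult * 1000` for the per-day entry would overflow uint32, so the order is load-bearing. Spell that out, e.g. `/* divide first: mult * 1000 would overflow uint32 for the per-day entry */`. Cleaner still would be a separate `static uint32_t rate_quantum_ms(uint32_t period)` that the print/save callers use alongside `print_rate`, so the output side effect and the derived value are not tied together. The loop head that bounds `i` is outside the hunk.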
static void print_mode(unsigned int mode, char separator)
@@ -383,7 +372,10 @@
const struct xt_entry_match *match, int numeric)
{
const struct xt_hashlimit_info *r = (const void *)match->data;
- fputs(" limit: avg", stdout); print_rate(r->cfg.avg);
+ uint32_t quantum;
+
+ fputs(" limit: avg", stdout);
+ quantum = print_rate(r->cfg.avg);
printf(" burst %u", r->cfg.burst);
fputs(" mode", stdout);
print_mode(r->cfg.mode, '-');
@@ -393,18 +385,20 @@
printf(" htable-max %u", r->cfg.max);
if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
printf(" htable-gcinterval %u", r->cfg.gc_interval);
- if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ if (r->cfg.expire != quantum)
printf(" htable-expire %u", r->cfg.expire);
}
static void
hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
{
+ uint32_t quantum;
+
if (info->cfg.mode & XT_HASHLIMIT_INVERT)
fputs(" limit: above", stdout);
else
fputs(" limit: up to", stdout);
- print_rate(info->cfg.avg);
+ quantum = print_rate(info->cfg.avg);
printf(" burst %u", info->cfg.burst);
if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
@@ -417,7 +411,7 @@
printf(" htable-max %u", info->cfg.max);
if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
printf(" htable-gcinterval %u", info->cfg.gc_interval);
- if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ if (info->cfg.expire != quantum)
printf(" htable-expire %u", info->cfg.expire);
if (info->cfg.srcmask != dmask)
@@ -447,8 +441,10 @@
static void hashlimit_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_hashlimit_info *r = (const void *)match->data;
+ uint32_t quantum;
- fputs(" --hashlimit", stdout); print_rate(r->cfg.avg);
+ fputs(" --hashlimit", stdout);
+ quantum = print_rate(r->cfg.avg);
printf(" --hashlimit-burst %u", r->cfg.burst);
fputs(" --hashlimit-mode", stdout);
@@ -462,18 +458,20 @@
printf(" --hashlimit-htable-max %u", r->cfg.max);
if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
printf(" --hashlimit-htable-gcinterval %u", r->cfg.gc_interval);
- if (r->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ if (r->cfg.expire != quantum)
printf(" --hashlimit-htable-expire %u", r->cfg.expire);
}
static void
hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask)
{
+ uint32_t quantum;
+
if (info->cfg.mode & XT_HASHLIMIT_INVERT)
fputs(" --hashlimit-above", stdout);
else
fputs(" --hashlimit-upto", stdout);
- print_rate(info->cfg.avg);
+ quantum = print_rate(info->cfg.avg);
printf(" --hashlimit-burst %u", info->cfg.burst);
if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
@@ -490,7 +488,7 @@
printf(" --hashlimit-htable-max %u", info->cfg.max);
if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL)
printf(" --hashlimit-htable-gcinterval %u", info->cfg.gc_interval);
- if (info->cfg.expire != XT_HASHLIMIT_EXPIRE)
+ if (info->cfg.expire != quantum)
printf(" --hashlimit-htable-expire %u", info->cfg.expire);
if (info->cfg.srcmask != dmask)
@@ -529,7 +527,7 @@
.x6_fcheck = hashlimit_check,
.print = hashlimit_print,
.save = hashlimit_save,
- .x6_options = hashlimit_mt_opts,
+ .x6_options = hashlimit_opts,
.udata_size = sizeof(struct hashlimit_mt_udata),
},
{
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_owner.c
@@ -129,7 +129,8 @@
.flags = XTOPT_INVERT},
{.name = "gid-owner", .id = O_GROUP, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
- {.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE},
+ {.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
+ .flags = XTOPT_INVERT},
XTOPT_TABLEEND,
};
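Review bot: Adding XTOPT_INVERT to `socket-exists` only makes the option framework accept `! --socket-exists`; whether the negation reaches the kernel depends on the parse callback honouring `cb->invert` for O_SOCK_EXISTS, which is outside this hunk. If that callback does not record the inversion in the match data, the `!` is silently accepted and ignored, which is a regression from the previous hard rejection. The same question applies to the XTOPT_INVERT additions in libxt_physdev.c (`physdev-is-in`, `physdev-is-out`, `physdev-is-bridged`) and libxt_u32.c (`u32`). The negated rules added to tests/options-most.rules cover the save/restore round trip, but a one-line comment on each new flag, e.g. `/* inversion handled in the O_SOCK_EXISTS case of the parse callback */`, would document where the `!` is consumed.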
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_physdev.c
@@ -27,11 +27,12 @@
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physindev)},
{.name = "physdev-out", .id = O_PHYSDEV_OUT, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physoutdev)},
- {.name = "physdev-is-in", .id = O_PHYSDEV_IS_IN, .type = XTTYPE_NONE},
+ {.name = "physdev-is-in", .id = O_PHYSDEV_IS_IN, .type = XTTYPE_NONE,
+ .flags = XTOPT_INVERT},
{.name = "physdev-is-out", .id = O_PHYSDEV_IS_OUT,
- .type = XTTYPE_NONE},
+ .type = XTTYPE_NONE, .flags = XTOPT_INVERT},
{.name = "physdev-is-bridged", .id = O_PHYSDEV_IS_BRIDGED,
- .type = XTTYPE_NONE},
+ .type = XTTYPE_NONE, .flags = XTOPT_INVERT},
XTOPT_TABLEEND,
};
#undef s
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_policy.c
@@ -40,8 +40,7 @@
}
static const struct xt_option_entry policy_opts[] = {
- {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING,
- .flags = XTOPT_INVERT},
+ {.name = "dir", .id = O_DIRECTION, .type = XTTYPE_STRING},
{.name = "pol", .id = O_POLICY, .type = XTTYPE_STRING},
{.name = "strict", .id = O_STRICT, .type = XTTYPE_NONE},
{.name = "reqid", .id = O_REQID, .type = XTTYPE_UINT32,
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_set.c
@@ -128,11 +128,6 @@
}
/* Revision 1 */
-
-#define set_help_v1 set_help_v0
-#define set_opts_v1 set_opts_v0
-#define set_check_v1 set_check_v0
-
static int
set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
@@ -232,12 +227,12 @@
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
- .help = set_help_v1,
+ .help = set_help_v0,
.parse = set_parse_v1,
- .final_check = set_check_v1,
+ .final_check = set_check_v0,
.print = set_print_v1,
.save = set_save_v1,
- .extra_opts = set_opts_v1,
+ .extra_opts = set_opts_v0,
},
};
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_set.man
@@ -18,6 +18,5 @@
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
-Use of -m set requires that ipset kernel support is provided. As standard
-kernels do not ship this currently, the ipset or Xtables-addons package needs
-to be installed.
+Use of -m set requires that ipset kernel support is provided, which, for
+standard kernels, is the case since Linux 2.6.39.
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_string.c
@@ -20,6 +20,7 @@
* updated to work with slightly modified
* ipt_string_info.
*/
+#define _GNU_SOURCE 1 /* strnlen for older glibcs */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -217,7 +218,7 @@
if (! isprint(str[i]))
return 1; /* string contains at least one non-printable char */
/* use hex output if the last char is a "\" */
- if ((unsigned char) str[len-1] == 0x5c)
+ if (str[len-1] == '\\')
return 1;
return 0;
}
@@ -228,16 +229,11 @@
{
unsigned int i;
/* start hex block */
- printf("\"|");
- for (i=0; i < len; i++) {
- /* see if we need to prepend a zero */
- if ((unsigned char) str[i] <= 0x0F)
- printf("0%x", (unsigned char) str[i]);
- else
- printf("%x", (unsigned char) str[i]);
- }
+ printf(" \"|");
+ for (i=0; i < len; i++)
+ printf("%02x", (unsigned char)str[i]);
/* close hex block */
- printf("|\" ");
+ printf("|\"");
}
static void
@@ -246,8 +242,8 @@
unsigned int i;
printf(" \"");
for (i=0; i < len; i++) {
- if ((unsigned char) str[i] == 0x22) /* escape any embedded quotes */
- printf("%c", 0x5c);
+ if (str[i] == '\"' || str[i] == '\\')
+ putchar('\\');
printf("%c", (unsigned char) str[i]);
}
printf("\""); /* closing quote */
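Review bot: The rewritten test `if (str[len-1] == '\\')` still indexes `str[len-1]` without a guard for `len == 0`, so an empty pattern reads outside the array unless the caller guarantees a non-empty length; a `if (len == 0) return 0;` at the top of the function (which starts outside this hunk) would make the check self-contained. In print_string the escaping now covers both `"` and `\`, but nothing says why; a comment such as `/* escape so the saved --string can be re-read by the parser */` next to `putchar('\\')` would record the contract with the restore side. As a point of style, the untouched `printf("%c", (unsigned char) str[i]);` on the next line could become `putchar(str[i]);` to match the new line above it.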
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_tcp.c
@@ -357,9 +357,7 @@
if (tcpinfo->invflags & XT_TCP_INV_FLAGS)
printf(" !");
printf(" --tcp-flags ");
- if (tcpinfo->flg_mask != 0xFF) {
- print_tcpf(tcpinfo->flg_mask);
- }
+ print_tcpf(tcpinfo->flg_mask);
printf(" ");
print_tcpf(tcpinfo->flg_cmp);
}
Changed |
iptables-1.4.12.1.tar.bz2/extensions/libxt_u32.c
@@ -24,7 +24,7 @@
static const struct xt_option_entry u32_opts[] = {
{.name = "u32", .id = O_U32, .type = XTTYPE_STRING,
- .flags = XTOPT_MAND},
+ .flags = XTOPT_MAND | XTOPT_INVERT},
XTOPT_TABLEEND,
};
Changed |
iptables-1.4.12.1.tar.bz2/iptables/Makefile.am
@@ -15,7 +15,7 @@
endif
xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
-xtables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI
+xtables_multi_CFLAGS = ${AM_CFLAGS}
xtables_multi_LDFLAGS = -rdynamic
xtables_multi_LDADD = ../extensions/libext.a
if ENABLE_STATIC
Changed |
iptables-1.4.12.1.tar.bz2/iptables/Makefile.in
@@ -283,8 +283,8 @@
@ENABLE_SHARED_TRUE@libxtables_la_LIBADD = -ldl
xtables_multi_SOURCES = xtables-multi.c iptables-xml.c $(am__append_2) \
$(am__append_5) xshared.c
-xtables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI $(am__append_1) \
- $(am__append_3) $(am__append_6)
+xtables_multi_CFLAGS = ${AM_CFLAGS} $(am__append_1) $(am__append_3) \
+ $(am__append_6)
xtables_multi_LDFLAGS = -rdynamic
xtables_multi_LDADD = ../extensions/libext.a $(am__append_4) \
$(am__append_7) libxtables.la -lm
Changed |
iptables-1.4.12.1.tar.bz2/iptables/ip6tables-restore.c
@@ -113,11 +113,7 @@
free(newargv[i]);
}
-#ifdef IPTABLES_MULTI
int ip6tables_restore_main(int argc, char *argv[])
-#else
-int main(int argc, char *argv[])
-#endif
{
struct ip6tc_handle *handle = NULL;
char buffer[10240];
Changed |
iptables-1.4.12.1.tar.bz2/iptables/ip6tables-save.c
@@ -131,11 +131,7 @@
* :Chain name POLICY packets bytes
* rule
*/
-#ifdef IPTABLES_MULTI
int ip6tables_save_main(int argc, char *argv[])
-#else
-int main(int argc, char *argv[])
-#endif
{
const char *tablename = NULL;
int c;
Changed |
iptables-1.4.12.1.tar.bz2/iptables/ip6tables-standalone.c
@@ -37,13 +37,8 @@
#include <ip6tables.h>
#include "ip6tables-multi.h"
-#ifdef IPTABLES_MULTI
int
ip6tables_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
int ret;
char *table = "filter";
Changed |
iptables-1.4.12.1.tar.bz2/iptables/iptables-restore.c
@@ -113,13 +113,8 @@
free(newargv[i]);
}
-#ifdef IPTABLES_MULTI
int
iptables_restore_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
struct iptc_handle *handle = NULL;
char buffer[10240];
Changed |
iptables-1.4.12.1.tar.bz2/iptables/iptables-save.c
@@ -129,13 +129,8 @@
* :Chain name POLICY packets bytes
* rule
*/
-#ifdef IPTABLES_MULTI
int
iptables_save_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
const char *tablename = NULL;
int c;
Changed |
iptables-1.4.12.1.tar.bz2/iptables/iptables-standalone.c
@@ -38,13 +38,8 @@
#include <iptables.h>
#include "iptables-multi.h"
-#ifdef IPTABLES_MULTI
int
iptables_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
int ret;
char *table = "filter";
Changed |
iptables-1.4.12.1.tar.bz2/iptables/iptables-xml.c
@@ -23,10 +23,6 @@
#define DEBUGP(x, args...)
#endif
-#ifndef IPTABLES_MULTI
-int line = 0;
-#endif
-
struct xtables_globals iptables_xml_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
@@ -617,13 +613,8 @@
do_rule_part(NULL, NULL, 1, argc, argv, argvattr);
}
-#ifdef IPTABLES_MULTI
int
iptables_xml_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
char buffer[10240];
int c;
Changed |
iptables-1.4.12.1.tar.bz2/iptables/xtables.c
@@ -37,6 +37,8 @@
# include <linux/magic.h> /* for PROC_SUPER_MAGIC */
#elif defined(HAVE_LINUX_PROC_FS_H)
# include <linux/proc_fs.h> /* Linux 2.4 */
+#else
+# define PROC_SUPER_MAGIC 0x9fa0
#endif
#include <xtables.h>
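Review bot: The fallback `# define PROC_SUPER_MAGIC 0x9fa0` on the new `#else` branch is a bare magic number that has to stay in step with the kernel's definition. The value does match the constant exported by linux/magic.h, so the fallback is correct as written, but a short origin comment, e.g. `# define PROC_SUPER_MAGIC 0x9fa0 /* same value as linux/magic.h */`, tells the next reader where to verify it.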
Changed |
iptables-1.4.12.1.tar.bz2/iptables/xtoptions.c
@@ -757,13 +757,13 @@
for (i = 0; i < ARRAY_SIZE(cb->val.ethermac) - 1; ++i) {
cb->val.ethermac[i] = strtoul(arg, &end, 16);
- if (cb->val.ethermac[i] > UINT8_MAX || *end != ':')
+ if (*end != ':' || end - arg > 2)
goto out;
arg = end + 1;
}
i = ARRAY_SIZE(cb->val.ethermac) - 1;
cb->val.ethermac[i] = strtoul(arg, &end, 16);
- if (cb->val.ethermac[i] > UINT8_MAX || *end != '\0')
+ if (*end != '\0' || end - arg > 2)
goto out;
if (cb->entry->flags & XTOPT_PUT)
memcpy(XTOPT_MKPTR(cb), cb->val.ethermac,
@@ -847,8 +847,14 @@
xt_params->exit_err(OTHER_PROBLEM,
"Extension %s uses invalid ID %u\n",
name, entry->id);
- if (!(entry->flags & XTOPT_PUT))
+ if (!(entry->flags & XTOPT_PUT)) {
+ if (entry->ptroff != 0)
+ xt_params->exit_err(OTHER_PROBLEM,
+ "%s: ptroff for \"--%s\" is non-"
+ "zero but no XTOPT_PUT is specified. "
+ "Oversight?", name, entry->name);
continue;
+ }
if (entry->type >= ARRAY_SIZE(xtopt_psize) ||
xtopt_psize[entry->type] == 0)
xt_params->exit_err(OTHER_PROBLEM,
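Review bot: In the ethermac hunk (@@ -757) the new length test `end - arg > 2` does not reject an empty octet: for an address such as `aa::bb:cc:dd:ee`, strtoul consumes nothing, `end == arg`, `*end == ':'`, and the octet is silently stored as 0. It also lets strtoul's leading-whitespace and sign handling through, so ` f` or `-f` pass as a two-character octet, the latter as a negated value truncated into the array element. Requiring the first character to be a hex digit closes both gaps: `if (!isxdigit((unsigned char)*arg) || *end != ':' || end - arg > 2)` in the loop and the corresponding `'\0'` form for the last octet, assuming `<ctype.h>` is available in this file (the include block is outside the hunk). Dropping the old `> UINT8_MAX` comparison is right, since it was presumably always false once the value had been stored in the 8-bit element.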
Added |
iptables-1.4.12.1.tar.bz2/libipq/.gitignore
@@ -0,0 +1 @@
+/libipq.pc
Changed |
iptables-1.4.12.1.tar.bz2/libipq/Makefile.am
@@ -9,3 +9,5 @@
ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \
ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \
libipq.3
+
+pkgconfig_DATA = libipq.pc
Changed |
iptables-1.4.12.1.tar.bz2/libipq/Makefile.in
@@ -17,6 +17,7 @@
# -*- Makefile -*-
+
VPATH = @srcdir@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -36,7 +37,8 @@
build_triplet = @build@
host_triplet = @host@
subdir = libipq
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+ $(srcdir)/libipq.pc.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
@@ -46,7 +48,7 @@
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_FILES = libipq.pc
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
@@ -69,7 +71,8 @@
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)"
+am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" \
+ "$(DESTDIR)$(pkgconfigdir)"
LTLIBRARIES = $(lib_LTLIBRARIES)
libipq_la_LIBADD =
am_libipq_la_OBJECTS = libipq.lo
@@ -92,6 +95,7 @@
man3dir = $(mandir)/man3
NROFF = nroff
MANS = $(man_MANS)
+DATA = $(pkgconfig_DATA)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -233,6 +237,7 @@
ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \
libipq.3
+pkgconfig_DATA = libipq.pc
all: all-am
.SUFFIXES:
@@ -267,6 +272,8 @@
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+libipq.pc: $(top_builddir)/config.status $(srcdir)/libipq.pc.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
install-libLTLIBRARIES: $(lib_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
@@ -373,6 +380,26 @@
test -z "$$files" || { \
echo " ( cd '$(DESTDIR)$(man3dir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(man3dir)" && rm -f $$files; }
+install-pkgconfigDATA: $(pkgconfig_DATA)
+ @$(NORMAL_INSTALL)
+ test -z "$(pkgconfigdir)" || $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)"
+ @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgconfigdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgconfigdir)" || exit $$?; \
+ done
+
+uninstall-pkgconfigDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ test -n "$$files" || exit 0; \
+ echo " ( cd '$(DESTDIR)$(pkgconfigdir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(pkgconfigdir)" && rm -f $$files
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -471,9 +498,9 @@
done
check-am: all-am
check: check-am
-all-am: Makefile $(LTLIBRARIES) $(MANS)
+all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA)
installdirs:
- for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)"; do \
+ for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(pkgconfigdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -524,7 +551,7 @@
info-am:
-install-data-am: install-man
+install-data-am: install-man install-pkgconfigDATA
install-dvi: install-dvi-am
@@ -570,7 +597,8 @@
ps-am:
-uninstall-am: uninstall-libLTLIBRARIES uninstall-man
+uninstall-am: uninstall-libLTLIBRARIES uninstall-man \
+ uninstall-pkgconfigDATA
uninstall-man: uninstall-man3
@@ -584,12 +612,13 @@
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am \
install-libLTLIBRARIES install-man install-man3 install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags uninstall uninstall-am uninstall-libLTLIBRARIES \
- uninstall-man uninstall-man3
+ install-pdf-am install-pkgconfigDATA install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-libLTLIBRARIES uninstall-man uninstall-man3 \
+ uninstall-pkgconfigDATA
# Tell versions [3.59,3.63) of GNU make to not export all variables.
Added |
iptables-1.4.12.1.tar.bz2/libipq/libipq.pc.in
@@ -0,0 +1,11 @@
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: libipq
+Description: Interface to the (old) ip_queue mechanism
+Version: @PACKAGE_VERSION@
+Libs: -L${libdir} -lipq
+Cflags: -I${includedir}
Changed |
iptables-1.4.12.1.tar.bz2/tests/options-most.rules
@@ -20,8 +20,8 @@
-A INPUT -p tcp -m connmark --mark 0x99
-A INPUT -p tcp -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
-A INPUT -p tcp -m cpu --cpu 2
--A INPUT -p tcp -m dscp --dscp 0x04
--A INPUT -p tcp -m dscp --dscp 0x00
+-A INPUT -p tcp -m dscp --dscp 0x04 -m dscp ! --dscp 0x04
+-A INPUT -p tcp -m dscp --dscp 0x00 -m dscp ! --dscp 0x00
-A INPUT -p tcp -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24
-A INPUT -p tcp -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1
-A INPUT -p tcp -m helper --helper ftp
@@ -37,14 +37,16 @@
-A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
-A INPUT -p tcp -m socket --transparent
-A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
+-A INPUT -p tcp -m string --hex-string "|00|" --algo kmp --from 1 --to 2 --icase
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tos --tos 0xff/0x01
--A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
+-A INPUT -p tcp -m u32 ! --u32 "0x0=0x0" -m u32 ! --u32 "0x0=0x0"
-A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
-A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
-A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
-A INPUT -p dccp -m cpu --cpu 1 -m dccp --sport 1:2 --dport 3:4 -m cpu --cpu 1
+-A INPUT -p dccp -m dccp ! --sport 1:2 ! --dport 3:4 ! --dccp-types REQUEST,RESPONSE ! --dccp-option 1
-A INPUT -p udp -m cpu --cpu 1 -m udp --sport 1:2 --dport 3:4 -m cpu --cpu 1
-A INPUT -p sctp -m cpu --cpu 1 -m sctp --sport 1:2 --dport 3:4 --chunk-types all INIT,SACK -m cpu --cpu 1
-A INPUT -p esp -m esp --espspi 1:2
@@ -55,6 +57,7 @@
-A INPUT -p mobility
-A INPUT -p mobility -m mh --mh-type 3
-A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
+-A OUTPUT -m owner ! --socket-exists ! --uid-owner 0 ! --gid-owner 0
-A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
-A matches
-A matches -m connbytes --connbytes :2 --connbytes-mode bytes --connbytes-dir both
@@ -77,6 +80,8 @@
-A matches
-A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9
-A matches
+-A matches -m dst ! --dst-len 12
+-A matches
-A matches -p esp -m esp --espspi 1
-A matches
-A matches -p esp -m esp --espspi :2
@@ -87,11 +92,14 @@
-A matches
-A matches -p esp -m esp --espspi 5:4294967295
-A matches
+-A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000
-A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1
-A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2
-A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
-A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4
-A matches
+-A matches -m hbh ! --hbh-len 5
+-A matches
-A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21
-A matches
-A matches -m length --length 1
@@ -104,6 +112,8 @@
-A matches
-A matches -m length --length 5:65535
-A matches
+-A matches -m physdev ! --physdev-is-in ! --physdev-is-out ! --physdev-is-bridged
+-A matches
-A matches -p tcp -m tcpmss --mss 1
-A matches
-A matches -p tcp -m tcpmss --mss :2
@@ -114,6 +124,14 @@
-A matches
-A matches -p tcp -m tcpmss --mss 5:65535
-A matches
+-A matches -m statistic --mode random ! --probability 0.4
+-A matches
+-A matches -m statistic --mode nth ! --every 5 --packet 2
+-A matches
+-A matches -m string --hex-string "action=|5C22|http|3A|" --algo bm
+-A matches
+-A matches -m string --hex-string "action=|5C|http|3A|" --algo bm
+-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz
-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz
@@ -142,6 +160,8 @@
-A matches
-A matches -m frag --fragid 5:4294967295
-A matches
+-A matches -m frag ! --fragid 9:10 ! --fraglen 12
+-A matches
-A matches -m rt --rt-segsleft 1
-A matches
-A matches -m rt --rt-segsleft :2