Changes - j0ke.net Open Build Service

Changes of Revision 31

[-] [+]	Changed	iptables.changes
@@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Tue Oct 9 18:24:55 UTC 2012 - cs@linux-administrator.com + +- update to release 1.4.16.2 + +------------------------------------------------------------------- Mon Aug 27 14:27:09 UTC 2012 - cs@linux-administrator.com - update to release 1.4.15
[-] [+]	Changed	iptables.spec ^
@@ -22,8 +22,8 @@ License: GPL v2 or later Group: Productivity/Networking/Security AutoReqProv: on -Version: 1.4.15 -%define real_ver 1.4.15 +Version: 1.4.16.2 +%define real_ver 1.4.16.2 Release: 1 Summary: IP Packet Filter Administration Source0: %name-%version.tar.bz2
[-] [+]	Deleted	iptables-1.4.14.tar.bz2/extensions/libxt_NOTRACK.c ^
@@ -1,15 +0,0 @@ -/* Shared library add-on to iptables to add NOTRACK target support. */ -#include <xtables.h> - -static struct xtables_target notrack_target = { - .family = NFPROTO_UNSPEC, - .name = "NOTRACK", - .version = XTABLES_VERSION, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), -}; - -void _init(void) -{ - xtables_register_target(&notrack_target); -}
[-] [+]	Deleted	iptables-1.4.14.tar.bz2/extensions/libxt_state.c ^
@@ -1,137 +0,0 @@ -#include <stdio.h> -#include <string.h> -#include <xtables.h> -#include <linux/netfilter/nf_conntrack_common.h> -#include <linux/netfilter/xt_state.h> - -#ifndef XT_STATE_UNTRACKED -#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) -#endif - -enum { - O_STATE = 0, -}; - -static void -state_help(void) -{ - printf( -"state match options:\n" -" [!] --state [INVALID\|ESTABLISHED\|NEW\|RELATED\|UNTRACKED][,...]\n" -" State(s) to match\n"); -} - -static const struct xt_option_entry state_opts[] = { - {.name = "state", .id = O_STATE, .type = XTTYPE_STRING, - .flags = XTOPT_MAND \| XTOPT_INVERT}, - XTOPT_TABLEEND, -}; - -static int -state_parse_state(const char state, size_t len, struct xt_state_info sinfo) -{ - if (strncasecmp(state, "INVALID", len) == 0) - sinfo->statemask \|= XT_STATE_INVALID; - else if (strncasecmp(state, "NEW", len) == 0) - sinfo->statemask \|= XT_STATE_BIT(IP_CT_NEW); - else if (strncasecmp(state, "ESTABLISHED", len) == 0) - sinfo->statemask \|= XT_STATE_BIT(IP_CT_ESTABLISHED); - else if (strncasecmp(state, "RELATED", len) == 0) - sinfo->statemask \|= XT_STATE_BIT(IP_CT_RELATED); - else if (strncasecmp(state, "UNTRACKED", len) == 0) - sinfo->statemask \|= XT_STATE_UNTRACKED; - else - return 0; - return 1; -} - -static void -state_parse_states(const char arg, struct xt_state_info sinfo) -{ - const char comma; - - while ((comma = strchr(arg, ',')) != NULL) { - if (comma == arg \|\| !state_parse_state(arg, comma-arg, sinfo)) - xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg); - arg = comma+1; - } - if (!arg) - xtables_error(PARAMETER_PROBLEM, "\"--state\" requires a list of " - "states with no spaces, e.g. " - "ESTABLISHED,RELATED"); - if (strlen(arg) == 0 \|\| !state_parse_state(arg, strlen(arg), sinfo)) - xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg); -} - -static void state_parse(struct xt_option_call cb) -{ - struct xt_state_info sinfo = cb->data; - - xtables_option_parse(cb); - state_parse_states(cb->arg, sinfo); - if (cb->invert) - sinfo->statemask = ~sinfo->statemask; -} - -static void state_print_state(unsigned int statemask) -{ - const char sep = ""; - - if (statemask & XT_STATE_INVALID) { - printf("%sINVALID", sep); - sep = ","; - } - if (statemask & XT_STATE_BIT(IP_CT_NEW)) { - printf("%sNEW", sep); - sep = ","; - } - if (statemask & XT_STATE_BIT(IP_CT_RELATED)) { - printf("%sRELATED", sep); - sep = ","; - } - if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) { - printf("%sESTABLISHED", sep); - sep = ","; - } - if (statemask & XT_STATE_UNTRACKED) { - printf("%sUNTRACKED", sep); - sep = ","; - } -} - -static void -state_print(const void ip, - const struct xt_entry_match match, - int numeric) -{ - const struct xt_state_info sinfo = (const void )match->data; - - printf(" state "); - state_print_state(sinfo->statemask); -} - -static void state_save(const void ip, const struct xt_entry_match match) -{ - const struct xt_state_info sinfo = (const void *)match->data; - - printf(" --state "); - state_print_state(sinfo->statemask); -} - -static struct xtables_match state_match = { - .family = NFPROTO_UNSPEC, - .name = "state", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_state_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)), - .help = state_help, - .print = state_print, - .save = state_save, - .x6_parse = state_parse, - .x6_options = state_opts, -}; - -void _init(void) -{ - xtables_register_match(&state_match); -}
[-] [+]	Deleted	iptables-1.4.14.tar.bz2/include/xtables.h.in ^
@@ -1,525 +0,0 @@ -#ifndef _XTABLES_H -#define _XTABLES_H - -/* - * Changing any structs/functions may incur a needed change - * in libxtables_vcurrent/vage too. - / - -#include <sys/socket.h> / PF_* / -#include <sys/types.h> -#include <limits.h> -#include <stdbool.h> -#include <stddef.h> -#include <stdint.h> -#include <netinet/in.h> -#include <net/if.h> -#include <linux/types.h> -#include <linux/netfilter.h> -#include <linux/netfilter/x_tables.h> - -#ifndef IPPROTO_SCTP -#define IPPROTO_SCTP 132 -#endif -#ifndef IPPROTO_DCCP -#define IPPROTO_DCCP 33 -#endif -#ifndef IPPROTO_MH -# define IPPROTO_MH 135 -#endif -#ifndef IPPROTO_UDPLITE -#define IPPROTO_UDPLITE 136 -#endif - -#define XTABLES_VERSION "libxtables.so.@libxtables_vmajor@" -#define XTABLES_VERSION_CODE @libxtables_vmajor@ - -struct in_addr; - -/ - * .size is here so that there is a somewhat reasonable check - * against the chosen .type. - / -#define XTOPT_POINTER(stype, member) \ - .ptroff = offsetof(stype, member), \ - .size = sizeof(((stype )NULL)->member) -#define XTOPT_TABLEEND {.name = NULL} - -/** - * Select the format the input has to conform to, as well as the target type - * (area pointed to with XTOPT_POINTER). Note that the storing is not always - * uniform. @cb->val will be populated with as much as there is space, i.e. - * exactly 2 items for ranges, but the target area can receive more values - * (e.g. in case of ranges), or less values (e.g. %XTTYPE_HOSTMASK). - * - * %XTTYPE_NONE: option takes no argument - * %XTTYPE_UINT: standard integer - %XTTYPE_UINTRC: colon-separated range of standard integers - %XTTYPE_DOUBLE: double-precision floating point number - * %XTTYPE_STRING: arbitrary string - * %XTTYPE_TOSMASK: 8-bit TOS value with optional mask - * %XTTYPE_MARKMASK32: 32-bit mark with optional mask - * %XTTYPE_SYSLOGLEVEL: syslog level by name or number - * %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr) - * %XTTYPE_HOSTMASK: one host or address, with an optional prefix length - * (ptr: union nf_inet_addr; only host portion is stored) - * %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t) - * %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO) - * %XTTYPE_PORTRC: colon-separated port range (names acceptable), - * (supports %XTOPT_NBO) - * %XTTYPE_PLEN: prefix length - * %XTTYPE_PLENMASK: prefix length (ptr: union nf_inet_addr) - * %XTTYPE_ETHERMAC: Ethernet MAC address in hex form - / -enum xt_option_type { - XTTYPE_NONE, - XTTYPE_UINT8, - XTTYPE_UINT16, - XTTYPE_UINT32, - XTTYPE_UINT64, - XTTYPE_UINT8RC, - XTTYPE_UINT16RC, - XTTYPE_UINT32RC, - XTTYPE_UINT64RC, - XTTYPE_DOUBLE, - XTTYPE_STRING, - XTTYPE_TOSMASK, - XTTYPE_MARKMASK32, - XTTYPE_SYSLOGLEVEL, - XTTYPE_HOST, - XTTYPE_HOSTMASK, - XTTYPE_PROTOCOL, - XTTYPE_PORT, - XTTYPE_PORTRC, - XTTYPE_PLEN, - XTTYPE_PLENMASK, - XTTYPE_ETHERMAC, -}; - -/* - * %XTOPT_INVERT: option is invertible (usable with !) - * %XTOPT_MAND: option is mandatory - * %XTOPT_MULTI: option may be specified multiple times - * %XTOPT_PUT: store value into memory at @ptroff - * %XTOPT_NBO: store value in network-byte order - * (only certain XTTYPEs recognize this) - / -enum xt_option_flags { - XTOPT_INVERT = 1 << 0, - XTOPT_MAND = 1 << 1, - XTOPT_MULTI = 1 << 2, - XTOPT_PUT = 1 << 3, - XTOPT_NBO = 1 << 4, -}; - -/* - * @name: name of option - * @type: type of input and validation method, see %XTTYPE_* - * @id: unique number (within extension) for option, 0-31 - * @excl: bitmask of flags that cannot be used with this option - * @also: bitmask of flags that must be used with this option - * @flags: bitmask of option flags, see %XTOPT_* - * @ptroff: offset into private structure for member - * @size: size of the item pointed to by @ptroff; this is a safeguard - * @min: lowest allowed value (for singular integral types) - * @max: highest allowed value (for singular integral types) - / -struct xt_option_entry { - const char name; - enum xt_option_type type; - unsigned int id, excl, also, flags; - unsigned int ptroff; - size_t size; - unsigned int min, max; -}; - -/** - * @arg: input from command line - * @ext_name: name of extension currently being processed - * @entry: current option being processed - * @data: per-extension kernel data block - * @xflags: options of the extension that have been used - * @invert: whether option was used with ! - * @nvals: number of results in uXX_multi - * @val: parsed result - * @udata: per-extension private scratch area - * (cf. xtables_{match,target}->udata_size) - / -struct xt_option_call { - const char arg, ext_name; - const struct xt_option_entry entry; - void data; - unsigned int xflags; - bool invert; - uint8_t nvals; - union { - uint8_t u8, u8_range[2], syslog_level, protocol; - uint16_t u16, u16_range[2], port, port_range[2]; - uint32_t u32, u32_range[2]; - uint64_t u64, u64_range[2]; - double dbl; - struct { - union nf_inet_addr haddr, hmask; - uint8_t hlen; - }; - struct { - uint8_t tos_value, tos_mask; - }; - struct { - uint32_t mark, mask; - }; - uint8_t ethermac[6]; - } val; - / Wished for a world where the ones below were gone: / - union { - struct xt_entry_match match; - struct xt_entry_target target; - }; - void xt_entry; - void udata; -}; - -/* - * @ext_name: name of extension currently being processed - * @data: per-extension (kernel) data block - * @udata: per-extension private scratch area - * (cf. xtables_{match,target}->udata_size) - * @xflags: options of the extension that have been used - / -struct xt_fcheck_call { - const char ext_name; - void data, udata; - unsigned int xflags; -}; - -/** - * A "linear"/linked-list based name<->id map, for files similar to - * /etc/iproute2/. - / -struct xtables_lmap { - char name; - int id; - struct xtables_lmap next; -}; - -/ Include file for additions: new matches and targets. / -struct xtables_match -{ - / - * ABI/API version this module requires. Must be first member, - * as the rest of this struct may be subject to ABI changes. - / - const char version; - - struct xtables_match next; - - const char name; - - /* Revision of match (0 by default). / - u_int8_t revision; - - u_int16_t family; - - / Size of match data. / - size_t size; - - / Size of match data relevent for userspace comparison purposes / - size_t userspacesize; - - / Function which prints out usage message. / - void (help)(void); - - /* Initialize the match. / - void (init)(struct xt_entry_match m); - - / Function which parses command options; returns true if it - ate an option / - / entry is struct ipt_entry for example / - int (parse)(int c, char *argv, int invert, unsigned int flags, - const void entry, - struct xt_entry_match match); - - / Final check; exit if not ok. / - void (final_check)(unsigned int flags); - - /* Prints out the match iff non-NULL: put space at end / - / ip is struct ipt_ip * for example / - void (print)(const void ip, - const struct xt_entry_match match, int numeric); - - /* Saves the match info in parsable form to stdout. / - / ip is struct ipt_ip * for example / - void (save)(const void ip, const struct xt_entry_match match); - - /* Pointer to list of extra command-line options / - const struct option extra_opts; - - /* New parser / - void (x6_parse)(struct xt_option_call ); - void (x6_fcheck)(struct xt_fcheck_call ); - const struct xt_option_entry x6_options; - - /* Size of per-extension instance extra "global" scratch space / - size_t udata_size; - - / Ignore these men behind the curtain: / - void udata; - unsigned int option_offset; - struct xt_entry_match m; - unsigned int mflags; - unsigned int loaded; / simulate loading so options are merged properly / -}; - -struct xtables_target -{ - / - * ABI/API version this module requires. Must be first member, - * as the rest of this struct may be subject to ABI changes. - / - const char version; - - struct xtables_target next; - - - const char name; - - /* Revision of target (0 by default). / - u_int8_t revision; - - u_int16_t family; - - - / Size of target data. / - size_t size; - - / Size of target data relevent for userspace comparison purposes / - size_t userspacesize; - - / Function which prints out usage message. / - void (help)(void); - - /* Initialize the target. / - void (init)(struct xt_entry_target t); - - / Function which parses command options; returns true if it - ate an option / - / entry is struct ipt_entry for example / - int (parse)(int c, char *argv, int invert, unsigned int flags, - const void entry, - struct xt_entry_target targetinfo); - - / Final check; exit if not ok. / - void (final_check)(unsigned int flags); - - /* Prints out the target iff non-NULL: put space at end / - void (print)(const void ip, - const struct xt_entry_target target, int numeric); - - /* Saves the targinfo in parsable form to stdout. / - void (save)(const void ip, - const struct xt_entry_target target); - - /* Pointer to list of extra command-line options / - const struct option extra_opts; - - /* New parser / - void (x6_parse)(struct xt_option_call ); - void (x6_fcheck)(struct xt_fcheck_call ); - const struct xt_option_entry x6_options; - - size_t udata_size; - - /* Ignore these men behind the curtain: / - void udata; - unsigned int option_offset; - struct xt_entry_target t; - unsigned int tflags; - unsigned int used; - unsigned int loaded; / simulate loading so options are merged properly / -}; - -struct xtables_rule_match { - struct xtables_rule_match next; - struct xtables_match match; - / Multiple matches of the same type: the ones before - the current one are completed from parsing point of view / - bool completed; -}; - -/* - * struct xtables_pprot - - * - * A few hardcoded protocols for 'all' and in case the user has no - * /etc/protocols. - / -struct xtables_pprot { - const char name; - u_int8_t num; -}; - -enum xtables_tryload { - XTF_DONT_LOAD, - XTF_DURING_LOAD, - XTF_TRY_LOAD, - XTF_LOAD_MUST_SUCCEED, -}; - -enum xtables_exittype { - OTHER_PROBLEM = 1, - PARAMETER_PROBLEM, - VERSION_PROBLEM, - RESOURCE_PROBLEM, - XTF_ONLY_ONCE, - XTF_NO_INVERT, - XTF_BAD_VALUE, - XTF_ONE_ACTION, -}; - -struct xtables_globals -{ - unsigned int option_offset; - const char program_name, program_version; - struct option orig_opts; - struct option opts; - void (exit_err)(enum xtables_exittype status, const char msg, ...) __attribute__((noreturn, format(printf,2,3))); -}; - -#define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false} - -#ifdef __cplusplus -extern "C" { -#endif - -extern const char xtables_modprobe_program; -extern struct xtables_match xtables_matches; -extern struct xtables_target xtables_targets; - -extern void xtables_init(void); -extern void xtables_set_nfproto(uint8_t); -extern void xtables_calloc(size_t, size_t); -extern void xtables_malloc(size_t); -extern void xtables_realloc(void , size_t); - -extern int xtables_insmod(const char , const char , bool); -extern int xtables_load_ko(const char , bool); -extern int xtables_set_params(struct xtables_globals xtp); -extern void xtables_free_opts(int reset_offset); -extern struct option xtables_merge_options(struct option origopts, - struct option oldopts, const struct option newopts, - unsigned int option_offset); - -extern int xtables_init_all(struct xtables_globals xtp, uint8_t nfproto); -extern struct xtables_match xtables_find_match(const char name, - enum xtables_tryload, struct xtables_rule_match match); -extern struct xtables_target xtables_find_target(const char name, - enum xtables_tryload); - -/ Your shared library should call one of these. / -extern void xtables_register_match(struct xtables_match me); -extern void xtables_register_matches(struct xtables_match , unsigned int); -extern void xtables_register_target(struct xtables_target me); -extern void xtables_register_targets(struct xtables_target , unsigned int); - -extern bool xtables_strtoul(const char , char *, uintmax_t , - uintmax_t, uintmax_t); -extern bool xtables_strtoui(const char , char , unsigned int , - unsigned int, unsigned int); -extern int xtables_service_to_port(const char name, const char proto); -extern u_int16_t xtables_parse_port(const char port, const char proto); -extern void -xtables_parse_interface(const char arg, char vianame, unsigned char mask); - -/ this is a special 64bit data type that is 8-byte aligned / -#define aligned_u64 u_int64_t __attribute__((aligned(8))) - -extern struct xtables_globals xt_params; -#define xtables_error (xt_params->exit_err) - -extern void xtables_param_act(unsigned int, const char , ...); - -extern const char xtables_ipaddr_to_numeric(const struct in_addr ); -extern const char xtables_ipaddr_to_anyname(const struct in_addr ); -extern const char xtables_ipmask_to_numeric(const struct in_addr ); -extern struct in_addr xtables_numeric_to_ipaddr(const char ); -extern struct in_addr xtables_numeric_to_ipmask(const char ); -extern void xtables_ipparse_any(const char , struct in_addr *, - struct in_addr , unsigned int ); -extern void xtables_ipparse_multiple(const char , struct in_addr , - struct in_addr , unsigned int ); - -extern struct in6_addr xtables_numeric_to_ip6addr(const char ); -extern const char xtables_ip6addr_to_numeric(const struct in6_addr ); -extern const char xtables_ip6addr_to_anyname(const struct in6_addr ); -extern const char xtables_ip6mask_to_numeric(const struct in6_addr ); -extern void xtables_ip6parse_any(const char , struct in6_addr *, - struct in6_addr , unsigned int ); -extern void xtables_ip6parse_multiple(const char , struct in6_addr , - struct in6_addr , unsigned int ); - -/* - * Print the specified value to standard output, quoting dangerous - * characters if required. - / -extern void xtables_save_string(const char value); - -#if defined(ALL_INCLUSIVE) \|\| defined(NO_SHARED_LIBS) -# ifdef _INIT -# undef _init -# define _init _INIT -# endif - extern void init_extensions(void); - extern void init_extensions4(void); - extern void init_extensions6(void); -#else -# define _init __attribute__((constructor)) _INIT -#endif - -extern const struct xtables_pprot xtables_chain_protos[]; -extern u_int16_t xtables_parse_protocol(const char s); - -/ kernel revision handling / -extern int kernel_version; -extern void get_kernel_version(void); -#define LINUX_VERSION(x,y,z) (0x10000(x) + 0x100(y) + z) -#define LINUX_VERSION_MAJOR(x) (((x)>>16) & 0xFF) -#define LINUX_VERSION_MINOR(x) (((x)>> 8) & 0xFF) -#define LINUX_VERSION_PATCH(x) ( (x) & 0xFF) - -/ xtoptions.c / -extern void xtables_option_metavalidate(const char , - const struct xt_option_entry ); -extern struct option xtables_options_xfrm(struct option , struct option , - const struct xt_option_entry , - unsigned int ); -extern void xtables_option_parse(struct xt_option_call ); -extern void xtables_option_tpcall(unsigned int, char , bool, - struct xtables_target , void ); -extern void xtables_option_mpcall(unsigned int, char , bool, - struct xtables_match , void ); -extern void xtables_option_tfcall(struct xtables_target ); -extern void xtables_option_mfcall(struct xtables_match ); -extern void xtables_options_fcheck(const char , unsigned int, - const struct xt_option_entry ); - -extern struct xtables_lmap xtables_lmap_init(const char ); -extern void xtables_lmap_free(struct xtables_lmap ); -extern int xtables_lmap_name2id(const struct xtables_lmap , const char ); -extern const char xtables_lmap_id2name(const struct xtables_lmap , int); - -#ifdef XTABLES_INTERNAL - -/* Shipped modules rely on this... / - -# ifndef ARRAY_SIZE -# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x))) -# endif - -extern void _init(void); - -#endif - -#ifdef __cplusplus -} /* extern "C" / -#endif - -#endif / _XTABLES_H */
	Deleted	iptables-1.4.15.tar.bz2 ^
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/.gitignore ^
@@ -9,7 +9,7 @@ Makefile Makefile.in -/include/xtables.h +/include/xtables-version.h /include/iptables/internal.h /aclocal.m4
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/Makefile.am ^
@@ -27,4 +27,4 @@ rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; config.status: extensions/GNUmakefile.in \ - include/xtables.h.in include/iptables/internal.h.in + include/xtables-version.h.in include/iptables/internal.h.in
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -17,6 +17,23 @@ # -- Makefile -- VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -43,9 +60,9 @@ $(top_srcdir)/configure \ $(top_srcdir)/extensions/GNUmakefile.in \ $(top_srcdir)/include/iptables/internal.h.in COPYING INSTALL \ - build-aux/compile build-aux/config.guess build-aux/config.sub \ - build-aux/depcomp build-aux/install-sh build-aux/ltmain.sh \ - build-aux/missing + build-aux/ar-lib build-aux/compile build-aux/config.guess \ + build-aux/config.sub build-aux/depcomp build-aux/install-sh \ + build-aux/ltmain.sh build-aux/missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ @@ -69,6 +86,11 @@ install-pdf-recursive install-ps-recursive install-recursive \ installcheck-recursive installdirs-recursive pdf-recursive \ ps-recursive uninstall-recursive +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + ) (install-info --version) >/dev/null 2>&1;; \ + esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ @@ -492,13 +514,10 @@ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - \|\| $(MKDIR_P) "$(distdir)/$$subdir" \ - \|\| exit 1; \ - fi; \ - done - @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + \|\| test -d "$(distdir)/$$subdir" \ + \|\| $(MKDIR_P) "$(distdir)/$$subdir" \ + \|\| exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ @@ -584,7 +603,7 @@ .zip*) \ unzip $(distdir).zip ;;\ esac - chmod -R a-w $(distdir); chmod a+w $(distdir) + chmod -R a-w $(distdir); chmod u+w $(distdir) mkdir $(distdir)/_build mkdir $(distdir)/_inst chmod a-w $(distdir) @@ -782,7 +801,7 @@ rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; config.status: extensions/GNUmakefile.in \ - include/xtables.h.in include/iptables/internal.h.in + include/xtables-version.h.in include/iptables/internal.h.in # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded.
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/aclocal.m4 ^
@@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.11.3 -- Autoconf -- +# generated automatically by aclocal 1.11.6 -- Autoconf -- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, @@ -198,7 +198,7 @@ [am__api_version='1.11' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.11.3], [], +m4_if([$1], [1.11.6], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -214,11 +214,72 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.11.3])dnl +[AM_AUTOMAKE_VERSION([1.11.6])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) +# Copyright (C) 2011 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 1 + +# AM_PROG_AR([ACT-IF-FAIL]) +# ------------------------- +# Try to determine the archiver interface, and trigger the ar-lib wrapper +# if it is needed. If the detection of archiver interface fails, run +# ACT-IF-FAIL (default is to abort configure with a proper error message). +AC_DEFUN([AM_PROG_AR], +[AC_BEFORE([$0], [LT_INIT])dnl +AC_BEFORE([$0], [AC_PROG_LIBTOOL])dnl +AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([ar-lib])dnl +AC_CHECK_TOOLS([AR], [ar lib "link -lib"], [false]) +: ${AR=ar} + +AC_CACHE_CHECK([the archiver ($AR) interface], [am_cv_ar_interface], + [am_cv_ar_interface=ar + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int some_variable = 0;]])], + [am_ar_try='$AR cru libconftest.a conftest.$ac_objext >&AS_MESSAGE_LOG_FD' + AC_TRY_EVAL([am_ar_try]) + if test "$ac_status" -eq 0; then + am_cv_ar_interface=ar + else + am_ar_try='$AR -NOLOGO -OUT:conftest.lib conftest.$ac_objext >&AS_MESSAGE_LOG_FD' + AC_TRY_EVAL([am_ar_try]) + if test "$ac_status" -eq 0; then + am_cv_ar_interface=lib + else + am_cv_ar_interface=unknown + fi + fi + rm -f conftest.lib libconftest.a + ]) + ]) + +case $am_cv_ar_interface in +ar) + ;; +lib) + # Microsoft lib, so override with the ar-lib wrapper script. + # FIXME: It is wrong to rewrite AR. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__AR in this case, + # and then we could set am__AR="$am_aux_dir/ar-lib \$(AR)" or something + # similar. + AR="$am_aux_dir/ar-lib $AR" + ;; +unknown) + m4_default([$1], + [AC_MSG_ERROR([could not determine $AR interface])]) + ;; +esac +AC_SUBST([AR])dnl +]) + # AM_AUX_DIR_EXPAND -- Autoconf -- # Copyright (C) 2001, 2003, 2005, 2011 Free Software Foundation, Inc.
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/build-aux/ar-lib ^
@@ -0,0 +1,270 @@ +#! /bin/sh +# Wrapper for Microsoft lib.exe + +me=ar-lib +scriptversion=2012-03-01.08; # UTC + +# Copyright (C) 2010, 2012 Free Software Foundation, Inc. +# Written by Peter Rosin <peda@lysator.liu.se>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <bug-automake@gnu.org> or send patches to +# <automake-patches@gnu.org>. + + +# func_error message +func_error () +{ + echo "$me: $1" 1>&2 + exit 1 +} + +file_conv= + +# func_file_conv build_file +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. +func_file_conv () +{ + file=$1 + case $file in + / \| /[!/]) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW) + file_conv=mingw + ;; + CYGWIN) + file_conv=cygwin + ;; + ) + file_conv=wine + ;; + esac + fi + case $file_conv in + mingw) + file=`cmd //C echo "$file " \| sed -e 's/"$.$ " $/\1/'` + ;; + cygwin) + file=`cygpath -m "$file" \|\| echo "$file"` + ;; + wine) + file=`winepath -w "$file" \|\| echo "$file"` + ;; + esac + ;; + esac +} + +# func_at_file at_file operation archive +# Iterate over all members in AT_FILE performing OPERATION on ARCHIVE +# for each of them. +# When interpreting the content of the @FILE, do NOT use func_file_conv, +# since the user would need to supply preconverted file names to +# binutils ar, at least for MinGW. +func_at_file () +{ + operation=$2 + archive=$3 + at_file_contents=`cat "$1"` + eval set x "$at_file_contents" + shift + + for member + do + $AR -NOLOGO $operation:"$member" "$archive" \|\| exit $? + done +} + +case $1 in + '') + func_error "no command. Try '$0 --help' for more information." + ;; + -h \| --h) + cat <<EOF +Usage: $me [--help] [--version] PROGRAM ACTION ARCHIVE [MEMBER...] + +Members may be specified in a file named with @FILE. +EOF + exit $? + ;; + -v \| --v) + echo "$me, version $scriptversion" + exit $? + ;; +esac + +if test $# -lt 3; then + func_error "you must specify a program, an action and an archive" +fi + +AR=$1 +shift +while : +do + if test $# -lt 2; then + func_error "you must specify a program, an action and an archive" + fi + case $1 in + -lib \| -LIB \ + \| -ltcg \| -LTCG \ + \| -machine* \| -MACHINE* \ + \| -subsystem* \| -SUBSYSTEM* \ + \| -verbose \| -VERBOSE \ + \| -wx* \| -WX* ) + AR="$AR $1" + shift + ;; + ) + action=$1 + shift + break + ;; + esac +done +orig_archive=$1 +shift +func_file_conv "$orig_archive" +archive=$file + +# strip leading dash in $action +action=${action#-} + +delete= +extract= +list= +quick= +replace= +index= +create= + +while test -n "$action" +do + case $action in + d) delete=yes ;; + x) extract=yes ;; + t) list=yes ;; + q) quick=yes ;; + r) replace=yes ;; + s) index=yes ;; + S) ;; # the index is always updated implicitly + c) create=yes ;; + u) ;; # TODO: don't ignore the update modifier + v) ;; # TODO: don't ignore the verbose modifier + ) + func_error "unknown action specified" + ;; + esac + action=${action#?} +done + +case $delete$extract$list$quick$replace,$index in + yes,* \| ,yes) + ;; + yesyes) + func_error "more than one action specified" + ;; + ) + func_error "no action specified" + ;; +esac + +if test -n "$delete"; then + if test ! -f "$orig_archive"; then + func_error "archive not found" + fi + for member + do + case $1 in + @) + func_at_file "${1#@}" -REMOVE "$archive" + ;; + ) + func_file_conv "$1" + $AR -NOLOGO -REMOVE:"$file" "$archive" \|\| exit $? + ;; + esac + done + +elif test -n "$extract"; then + if test ! -f "$orig_archive"; then + func_error "archive not found" + fi + if test $# -gt 0; then + for member + do + case $1 in + @) + func_at_file "${1#@}" -EXTRACT "$archive" + ;; + ) + func_file_conv "$1" + $AR -NOLOGO -EXTRACT:"$file" "$archive" \|\| exit $? + ;; + esac + done + else + $AR -NOLOGO -LIST "$archive" \| sed -e 's/\\/\\\\/g' \| while read member + do + $AR -NOLOGO -EXTRACT:"$member" "$archive" \|\| exit $? + done + fi + +elif test -n "$quick$replace"; then + if test ! -f "$orig_archive"; then + if test -z "$create"; then + echo "$me: creating $orig_archive" + fi + orig_archive= + else + orig_archive=$archive + fi + + for member + do + case $1 in + @) + func_file_conv "${1#@}" + set x "$@" "@$file" + ;; + ) + func_file_conv "$1" + set x "$@" "$file" + ;; + esac + shift + shift + done + + if test -n "$orig_archive"; then + $AR -NOLOGO -OUT:"$archive" "$orig_archive" "$@" \|\| exit $? + else + $AR -NOLOGO -OUT:"$archive" "$@" \|\| exit $? + fi + +elif test -n "$list"; then + if test ! -f "$orig_archive"; then + func_error "archive not found" + fi + $AR -NOLOGO -LIST "$archive" \|\| exit $? +fi
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/build-aux/compile ^
@@ -1,7 +1,7 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2012-01-04.17; # UTC +scriptversion=2012-03-05.13; # UTC # Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009, 2010, 2012 Free # Software Foundation, Inc. @@ -79,6 +79,48 @@ esac } +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + # func_cl_wrapper cl arg... # Adjust compile command to suit cl func_cl_wrapper () @@ -109,43 +151,34 @@ ;; esac ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; -I) func_file_conv "${1#-I}" mingw set x "$@" -I"$file" shift ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; -l) - lib=${1#-l} - found=no - save_IFS=$IFS - IFS=';' - for dir in $lib_path $LIB - do - IFS=$save_IFS - if $shared && test -f "$dir/$lib.dll.lib"; then - found=yes - set x "$@" "$dir/$lib.dll.lib" - break - fi - if test -f "$dir/$lib.lib"; then - found=yes - set x "$@" "$dir/$lib.lib" - break - fi - done - IFS=$save_IFS - - test "$found" != yes && set x "$@" "$lib.lib" + func_cl_dashl "${1#-l}" + set x "$@" "$lib" shift ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; -L*) - func_file_conv "${1#-L}" - if test -z "$lib_path"; then - lib_path=$file - else - lib_path="$lib_path;$file" - fi - linker_opts="$linker_opts -LIBPATH:$file" + func_cl_dashL "${1#-L}" ;; -static) shared=false
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/build-aux/config.sub ^
@@ -4,7 +4,7 @@ # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, # 2011, 2012 Free Software Foundation, Inc. -timestamp='2012-02-10' +timestamp='2012-04-18' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -225,6 +225,12 @@ -isc) basic_machine=`echo $1 \| sed -e 's/86-./86-pc/'` ;; + -lynx178) + os=-lynxos178 + ;; + -lynx5) + os=-lynxos5 + ;; -lynx) os=-lynxos ;; @@ -1537,6 +1543,9 @@ c4x- \| tic4x-) os=-coff ;; + hexagon-) + os=-elf + ;; tic54x-*) os=-coff ;;
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/build-aux/depcomp ^
@@ -1,10 +1,10 @@ #! /bin/sh # depcomp - compile a program generating dependencies as side-effects -scriptversion=2011-12-04.11; # UTC +scriptversion=2012-03-27.16; # UTC # Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -28,7 +28,7 @@ case $1 in '') - echo "$0: No command. Try \`$0 --help' for more information." 1>&2 + echo "$0: No command. Try '$0 --help' for more information." 1>&2 exit 1; ;; -h \| --h) @@ -40,8 +40,8 @@ Environment variables: depmode Dependency tracking mode. - source Source file read by `PROGRAMS ARGS'. - object Object file output by `PROGRAMS ARGS'. + source Source file read by 'PROGRAMS ARGS'. + object Object file output by 'PROGRAMS ARGS'. DEPDIR directory where to store dependencies. depfile Dependency file to output. tmpdepfile Temporary file to use when outputting dependencies. @@ -57,6 +57,12 @@ ;; esac +# A tabulation character. +tab=' ' +# A newline character. +nl=' +' + if test -z "$depmode" \|\| test -z "$source" \|\| test -z "$object"; then echo "depcomp: Variables source, object and depmode must be set" 1>&2 exit 1 @@ -102,6 +108,12 @@ depmode=msvc7 fi +if test "$depmode" = xlc; then + # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency informations. + gccflag=-qmakedep=gcc,-MF + depmode=gcc +fi + case "$depmode" in gcc3) ## gcc 3 implements dependency tracking that does exactly what @@ -156,15 +168,14 @@ ## The second -e expression handles DOS-style file names with drive letters. sed -e 's/^[^:]: / /' \ -e 's/^['$alpha']:\/[^:]: / /' < "$tmpdepfile" >> "$depfile" -## This next piece of magic avoids the `deleted header file' problem. +## This next piece of magic avoids the "deleted header file" problem. ## The problem is that when a header file which appears in a .P file ## is deleted, the dependency causes make to die (because there is ## typically no way to rebuild the header). We avoid this by adding ## dummy dependencies for each header file. Too bad gcc doesn't do ## this for us directly. - tr ' ' ' -' < "$tmpdepfile" \| -## Some versions of gcc put a space before the `:'. On the theory + tr ' ' "$nl" < "$tmpdepfile" \| +## Some versions of gcc put a space before the ':'. On the theory ## that the space means something, we add a space to the output as ## well. hp depmode also adds that space, but also prefixes the VPATH ## to the object. Take care to not repeat it in the output. @@ -203,18 +214,15 @@ # clever and replace this with sed code, as IRIX sed won't handle # lines with more than a fixed number of characters (4096 in # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; - # the IRIX cc adds comments like `#:fec' to the end of the + # the IRIX cc adds comments like '#:fec' to the end of the # dependency line. - tr ' ' ' -' < "$tmpdepfile" \ + tr ' ' "$nl" < "$tmpdepfile" \ \| sed -e 's/^.\.o://' -e 's/#.$//' -e '/^$/ d' \| \ - tr ' -' ' ' >> "$depfile" + tr "$nl" ' ' >> "$depfile" echo >> "$depfile" # The second pass generates a dummy entry for each header file. - tr ' ' ' -' < "$tmpdepfile" \ + tr ' ' "$nl" < "$tmpdepfile" \ \| sed -e 's/^.\.o://' -e 's/#.$//' -e '/^$/ d' -e 's/$/:/' \ >> "$depfile" else @@ -226,10 +234,17 @@ rm -f "$tmpdepfile" ;; +xlc) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + aix) # The C for AIX Compiler uses -M and outputs the dependencies # in a .u file. In older versions, this file always lives in the - # current directory. Also, the AIX compiler puts `$object:' at the + # current directory. Also, the AIX compiler puts '$object:' at the # start of each line; $object doesn't have directory information. # Version 6 uses the directory in both cases. dir=`echo "$object" \| sed -e 's\|/[^/]$\|/\|'` @@ -259,12 +274,11 @@ test -f "$tmpdepfile" && break done if test -f "$tmpdepfile"; then - # Each line is of the form `foo.o: dependent.h'. + # Each line is of the form 'foo.o: dependent.h'. # Do two passes, one to just change these to - # `$object: dependent.h' and one to simply `dependent.h:'. + # '$object: dependent.h' and one to simply 'dependent.h:'. sed -e "s,^.\.[a-z]:,$object:," < "$tmpdepfile" > "$depfile" - # That's a tab and a space in the []. - sed -e 's,^.\.[a-z]:[ ],,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" + sed -e 's,^.\.[a-z]:['"$tab"' ],,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" else # The sourcefile does not contain any dependencies, so just # store a dummy comment line, to avoid errors with the Makefile @@ -275,23 +289,26 @@ ;; icc) - # Intel's C compiler understands `-MD -MF file'. However on - # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c + # Intel's C compiler anf tcc (Tiny C Compiler) understand '-MD -MF file'. + # However on + # $CC -MD -MF foo.d -c -o sub/foo.o sub/foo.c # ICC 7.0 will fill foo.d with something like # foo.o: sub/foo.c # foo.o: sub/foo.h - # which is wrong. We want: + # which is wrong. We want # sub/foo.o: sub/foo.c # sub/foo.o: sub/foo.h # sub/foo.c: # sub/foo.h: # ICC 7.1 will output # foo.o: sub/foo.c sub/foo.h - # and will wrap long lines using \ : + # and will wrap long lines using '\': # foo.o: sub/foo.c ... \ # sub/foo.h ... \ # ... - + # tcc 0.9.26 (FIXME still under development at the moment of writing) + # will emit a similar output, but also prepend the continuation lines + # with horizontal tabulation characters. "$@" -MD -MF "$tmpdepfile" stat=$? if test $stat -eq 0; then : @@ -300,15 +317,21 @@ exit $stat fi rm -f "$depfile" - # Each line is of the form `foo.o: dependent.h', - # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. + # Each line is of the form 'foo.o: dependent.h', + # or 'foo.o: dep1.h dep2.h \', or ' dep3.h dep4.h \'. # Do two passes, one to just change these to - # `$object: dependent.h' and one to simply `dependent.h:'. - sed "s,^[^:]:,$object :," < "$tmpdepfile" > "$depfile" - # Some versions of the HPUX 10.20 sed can't process this invocation - # correctly. Breaking it into two sed invocations is a workaround. - sed 's,^[^:]: $.$$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \| - sed -e 's/$/ :/' >> "$depfile" + # '$object: dependent.h' and one to simply 'dependent.h:'. + sed -e "s/^[ $tab][ $tab]/ /" -e "s,^[^:]:,$object :," \ + < "$tmpdepfile" > "$depfile" + sed ' + s/[ '"$tab"'][ '"$tab"']/ /g + s/^ // + s/ \\$// + s/^[^:]: // + /^$/d + /:$/d + s/$/ :/ + ' < "$tmpdepfile" >> "$depfile" rm -f "$tmpdepfile" ;; @@ -344,7 +367,7 @@ done if test -f "$tmpdepfile"; then sed -e "s,^.\.[a-z]:,$object:," "$tmpdepfile" > "$depfile" - # Add `dependent.h:' lines. + # Add 'dependent.h:' lines. sed -ne '2,${ s/^ // s/ \\$// @@ -359,9 +382,9 @@ tru64) # The Tru64 compiler uses -MD to generate dependencies as a side - # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'. + # effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'. # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put - # dependencies in `foo.d' instead, so we check for that too. + # dependencies in 'foo.d' instead, so we check for that too. # Subdirectories are respected. dir=`echo "$object" \| sed -e 's\|/[^/]$\|/\|'` test "x$dir" = "x$object" && dir= @@ -407,8 +430,7 @@ done if test -f "$tmpdepfile"; then sed -e "s,^.\.[a-z]:,$object:," < "$tmpdepfile" > "$depfile" - # That's a tab and a space in the []. - sed -e 's,^.\.[a-z]:[ ],,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" + sed -e 's,^.\.[a-z]:['"$tab"' ],,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" else echo "#dummy" > "$depfile" fi @@ -443,11 +465,11 @@ p }' \| $cygpath_u \| sort -u \| sed -n ' s/ /\\ /g -s/$.$/ \1 \\/p +s/$.$/'"$tab"'\1 \\/p s/.$.$ \\/\1:/ H $ { - s/./ / + s/./'"$tab"'/ G p }' >> "$depfile" @@ -478,7 +500,7 @@ shift fi - # Remove `-o $object'. + # Remove '-o $object'. IFS=" " for arg do @@ -498,15 +520,14 @@ done test -z "$dashmflag" && dashmflag=-M - # Require at least two characters before searching for `:' + # Require at least two characters before searching for ':' # in the target name. This is to cope with DOS-style filenames: - # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise. + # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise. "$@" $dashmflag \| - sed 's:^[ ][^: ][^:][^:]\:[ ]:'"$object"'\: :' > "$tmpdepfile" + sed 's:^['"$tab"' ][^:'"$tab"' ][^:][^:]\:['"$tab"' ]:'"$object"'\: :' > "$tmpdepfile" rm -f "$depfile" cat < "$tmpdepfile" > "$depfile" - tr ' ' ' -' < "$tmpdepfile" \| \ + tr ' ' "$nl" < "$tmpdepfile" \| \ ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \| sed -e 's/$/ :/' >> "$depfile" @@ -562,8 +583,7 @@ # makedepend may prepend the VPATH from the source file name to the object. # No need to regex-escape $object, excess matching of '.' is harmless. sed "s\|^.$$object :$\|\1\|" "$tmpdepfile" > "$depfile" - sed '1,2d' "$tmpdepfile" \| tr ' ' ' -' \| \ + sed '1,2d' "$tmpdepfile" \| tr ' ' "$nl" \| \ ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \| sed -e 's/$/ :/' >> "$depfile" @@ -583,7 +603,7 @@ shift fi - # Remove `-o $object'. + # Remove '-o $object'. IFS=" " for arg do @@ -652,8 +672,8 @@ sed -n '/^#line [0-9][0-9] "$[^"]$"/ s::\1:p' \| $cygpath_u \| sort -u > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" - sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^$.$$/ s:: \1 \\:p' >> "$depfile" - echo " " >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^$.$$/ s::'"$tab"'\1 \\:p' >> "$depfile" + echo "$tab" >> "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^$.$$/ s::\1\::p' >> "$depfile" rm -f "$tmpdepfile" ;;
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/build-aux/ltmain.sh ^
@@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.1 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.2 Debian-2.4.2-1" +VERSION="2.4.2 Debian-2.4.2-1.1" TIMESTAMP="" package_revision=1.3337
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/configure ^
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for iptables 1.4.14. +# Generated by GNU Autoconf 2.69 for iptables 1.4.16.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='iptables' PACKAGE_TARNAME='iptables' -PACKAGE_VERSION='1.4.14' -PACKAGE_STRING='iptables 1.4.14' +PACKAGE_VERSION='1.4.16.2' +PACKAGE_STRING='iptables 1.4.16.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -675,8 +675,6 @@ DSYMUTIL MANIFEST_TOOL RANLIB -ac_ct_AR -AR DLLTOOL OBJDUMP LN_S @@ -697,6 +695,8 @@ build_cpu build LIBTOOL +ac_ct_AR +AR am__fastdepCC_FALSE am__fastdepCC_TRUE CCDEPMODE @@ -1351,7 +1351,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iptables 1.4.14 to adapt to many kinds of systems. +\`configure' configures iptables 1.4.16.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1421,7 +1421,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short \| recursive ) echo "Configuration of iptables 1.4.14:";; + short \| recursive ) echo "Configuration of iptables 1.4.16.2:";; esac cat <<\_ACEOF @@ -1545,7 +1545,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iptables configure 1.4.14 +iptables configure 1.4.16.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2093,7 +2093,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iptables $as_me 1.4.14, which was +It was created by iptables $as_me 1.4.16.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2443,7 +2443,7 @@ # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=7 +libxtables_vcurrent=9 libxtables_vage=0 ac_aux_dir= @@ -2916,7 +2916,7 @@ # Define the identity of the package. PACKAGE='iptables' - VERSION='1.4.14' + VERSION='1.4.16.2' cat >>confdefs.h <<_ACEOF @@ -4093,6 +4093,167 @@ + +if test -n "$ac_tool_prefix"; then + for ac_prog in ar lib "link -lib" + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AR="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +AR=$ac_cv_prog_AR +if test -n "$AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 +$as_echo "$AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AR" && break + done +fi +if test -z "$AR"; then + ac_ct_AR=$AR + for ac_prog in ar lib "link -lib" +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_AR"; then + ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_AR="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_AR=$ac_cv_prog_ac_ct_AR +if test -n "$ac_ct_AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 +$as_echo "$ac_ct_AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_AR" && break +done + + if test "x$ac_ct_AR" = x; then + AR="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + AR=$ac_ct_AR + fi +fi + +: ${AR=ar} + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the archiver ($AR) interface" >&5 +$as_echo_n "checking the archiver ($AR) interface... " >&6; } +if ${am_cv_ar_interface+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_ar_interface=ar + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. / +int some_variable = 0; +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + am_ar_try='$AR cru libconftest.a conftest.$ac_objext >&5' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$am_ar_try\""; } >&5 + (eval $am_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if test "$ac_status" -eq 0; then + am_cv_ar_interface=ar + else + am_ar_try='$AR -NOLOGO -OUT:conftest.lib conftest.$ac_objext >&5' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$am_ar_try\""; } >&5 + (eval $am_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if test "$ac_status" -eq 0; then + am_cv_ar_interface=lib + else + am_cv_ar_interface=unknown + fi + fi + rm -f conftest.lib libconftest.a + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_ar_interface" >&5 +$as_echo "$am_cv_ar_interface" >&6; } + +case $am_cv_ar_interface in +ar) + ;; +lib) + # Microsoft lib, so override with the ar-lib wrapper script. + # FIXME: It is wrong to rewrite AR. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__AR in this case, + # and then we could set am__AR="$am_aux_dir/ar-lib \$(AR)" or something + # similar. + AR="$am_aux_dir/ar-lib $AR" + ;; +unknown) + as_fn_error $? "could not determine $AR interface" "$LINENO" 5 + ;; +esac + case `pwd` in \ * \| \ ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 @@ -5379,10 +5540,6 @@ fi ;; -gnu) - lt_cv_deplibs_check_method=pass_all - ;; - haiku) lt_cv_deplibs_check_method=pass_all ;; @@ -5421,7 +5578,7 @@ ;; # This must be glibc/ELF. -linux* \| kbsd-gnu \| kopensolaris-gnu) +linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -5683,7 +5840,6 @@ - if test -n "$ac_tool_prefix"; then for ac_prog in ar do @@ -8318,7 +8474,7 @@ lt_prog_compiler_static='-non_shared' ;; - linux* \| kbsd-gnu \| kopensolaris-gnu) + linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc) @@ -10488,17 +10644,6 @@ esac ;; -gnu) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -10615,7 +10760,7 @@ ;; # This must be glibc/ELF. -linux \| kbsd-gnu \| kopensolaris-gnu) +linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -12135,7 +12280,7 @@ libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); -ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile include/xtables.h include/iptables/internal.h" +ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile include/xtables-version.h include/iptables/internal.h" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -12691,7 +12836,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iptables $as_me 1.4.14, which was +This file was extended by iptables $as_me 1.4.16.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -12757,7 +12902,7 @@ cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -iptables config.status 1.4.14 +iptables config.status 1.4.16.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -13179,7 +13324,7 @@ "libiptc/libip6tc.pc") CONFIG_FILES="$CONFIG_FILES libiptc/libip6tc.pc" ;; "libxtables/Makefile") CONFIG_FILES="$CONFIG_FILES libxtables/Makefile" ;; "utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;; - "include/xtables.h") CONFIG_FILES="$CONFIG_FILES include/xtables.h" ;; + "include/xtables-version.h") CONFIG_FILES="$CONFIG_FILES include/xtables-version.h" ;; "include/iptables/internal.h") CONFIG_FILES="$CONFIG_FILES include/iptables/internal.h" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/configure.ac ^
@@ -1,8 +1,8 @@ -AC_INIT([iptables], [1.4.14]) +AC_INIT([iptables], [1.4.16.2]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=7 +libxtables_vcurrent=9 libxtables_vage=0 AC_CONFIG_AUX_DIR([build-aux]) @@ -13,6 +13,7 @@ AC_PROG_CC AM_PROG_CC_C_O AC_DISABLE_STATIC +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) AM_PROG_LIBTOOL AC_ARG_WITH([kernel], @@ -126,5 +127,5 @@ libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile - include/xtables.h include/iptables/internal.h]) + include/xtables-version.h include/iptables/internal.h]) AC_OUTPUT
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/.gitignore ^
@@ -5,5 +5,5 @@ /GNUmakefile /initext.c /initext?.c -/matches?.man -/targets?.man +/matches.man +/targets.man
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/GNUmakefile.in ^
@@ -39,6 +39,7 @@ # Wildcard module list # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_.c))) +pfx_build_mod += NOTRACK state @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_.c))) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_.c))) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) @@ -55,9 +56,7 @@ # # Building blocks # -targets := libext.a libext4.a libext6.a \ - matches4.man matches6.man \ - targets4.man targets6.man +targets := libext.a libext4.a libext6.a matches.man targets.man targets_install := @ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs} @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} @@ -76,10 +75,10 @@ if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; clean: - rm -f .o .oo .so .a {matches,targets}[46].man initext.c initext4.c initext6.c; + rm -f .o .oo .so .a {matches,targets}.man initext.c initext4.c initext6.c; + rm -f ..d ..dd; distclean: clean - rm -f ..d ..dd; init%.o: init%.c ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$_init ${CFLAGS} -o $@ -c $<; @@ -96,6 +95,11 @@ lib%.oo: ${srcdir}/lib%.c ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; +libxt_NOTRACK.so: libxt_CT.so + ln -fs $< $@ +libxt_state.so: libxt_conntrack.so + ln -fs $< $@ + # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD xt_RATEEST_LIBADD = -lm xt_statistic_LIBADD = -lm @@ -196,30 +200,27 @@ ${AM_VERBOSE_GEN} \ for ext in $(sort ${1}); do \ f="${srcdir}/libxt_$$ext.man"; \ - cf="${srcdir}/libxt_$$ext.c"; \ - if [ -f "$$f" ] && grep -Eq "$(3)\|NFPROTO_UNSPEC" "$$cf"; then \ + if [ -f "$$f" ]; then \ echo -e "\t+ $$f" >&2; \ echo ".SS $$ext"; \ cat "$$f" \|\| exit $$?; \ - continue; \ fi; \ - f="${srcdir}/lib$(2)t_$$ext.man"; \ + f="${srcdir}/libip6t_$$ext.man"; \ if [ -f "$$f" ]; then \ echo -e "\t+ $$f" >&2; \ - echo ".SS $$ext"; \ + echo ".SS $$ext (IPv6-specific)"; \ + cat "$$f" \|\| exit $$?; \ + fi; \ + f="${srcdir}/libipt_$$ext.man"; \ + if [ -f "$$f" ]; then \ + echo -e "\t+ $$f" >&2; \ + echo ".SS $$ext (IPv4-specific)"; \ cat "$$f" \|\| exit $$?; \ - continue; \ fi; \ done >$@; -matches4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib.man) - $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4) - -matches6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib.man) - $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6) - -targets4.man: .initext.dd .initext4.dd $(wildcard ${srcdir}/lib.man) - $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod}),ip,NFPROTO_IPV4) +matches.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib.man) + $(call man_run,$(call ex_matches,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod})) -targets6.man: .initext.dd .initext6.dd $(wildcard ${srcdir}/lib.man) - $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf6_build_mod}),ip6,NFPROTO_IPV6) +targets.man: .initext.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) + $(call man_run,$(call ex_targets,${pfx_build_mod} ${pf4_build_mod} ${pf6_build_mod}))
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libip6t_frag.c ^
@@ -41,6 +41,13 @@ }; #undef s +static void frag_init(struct xt_entry_match m) +{ + struct ip6t_frag fraginfo = (void )m->data; + + fraginfo->ids[1] = ~0U; +} + static void frag_parse(struct xt_option_call cb) { struct ip6t_frag *fraginfo = cb->data; @@ -173,6 +180,7 @@ .size = XT_ALIGN(sizeof(struct ip6t_frag)), .userspacesize = XT_ALIGN(sizeof(struct ip6t_frag)), .help = frag_help, + .init = frag_init, .print = frag_print, .save = frag_save, .x6_parse = frag_parse,
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_CT.c ^
@@ -248,6 +248,20 @@ printf(" --zone %u", info->zone); } +static void notrack_ct0_tg_init(struct xt_entry_target target) +{ + struct xt_ct_target_info info = (void )target->data; + + info->flags = XT_CT_NOTRACK; +} + +static void notrack_ct1_tg_init(struct xt_entry_target target) +{ + struct xt_ct_target_info_v1 info = (void )target->data; + + info->flags = XT_CT_NOTRACK; +} + static struct xtables_target ct_target_reg[] = { { .family = NFPROTO_UNSPEC, @@ -274,6 +288,32 @@ .x6_parse = ct_parse_v1, .x6_options = ct_opts_v1, }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .real_name = "CT", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info)), + .userspacesize = offsetof(struct xt_ct_target_info, ct), + .init = notrack_ct0_tg_init, + }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .real_name = "CT", + .revision = 1, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct), + .init = notrack_ct1_tg_init, + }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .revision = 0, + .version = XTABLES_VERSION, + }, }; void _init(void)
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/extensions/libxt_HMARK.c ^
@@ -0,0 +1,450 @@ +/* + * (C) 2012 by Hans Schillstrom <hans.schillstrom@ericsson.com> + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Description: shared library add-on to iptables to add HMARK target support + * + * Initial development by Hans Schillstrom. Pablo's improvements to this piece + * of software has been sponsored by Sophos Astaro <http://www.sophos.com>. + / + +#include <stdbool.h> +#include <stdio.h> +#include <string.h> + +#include "xtables.h" +#include <linux/netfilter/xt_HMARK.h> + +static void HMARK_help(void) +{ + printf( +"HMARK target options, i.e. modify hash calculation by:\n" +" --hmark-tuple [src\|dst\|sport\|dport\|spi\|proto\|ct][,...]\n" +" --hmark-mod value nfmark modulus value\n" +" --hmark-offset value Last action add value to nfmark\n\n" +" --hmark-rnd Random see for hashing\n" +" Alternatively, fine tuning of what will be included in hash calculation\n" +" --hmark-src-prefix length Source address mask CIDR prefix\n" +" --hmark-dst-prefix length Dest address mask CIDR prefix\n" +" --hmark-sport-mask value Mask src port with value\n" +" --hmark-dport-mask value Mask dst port with value\n" +" --hmark-spi-mask value For esp and ah AND spi with value\n" +" --hmark-sport value OR src port with value\n" +" --hmark-dport value OR dst port with value\n" +" --hmark-spi value For esp and ah OR spi with value\n" +" --hmark-proto-mask value Mask Protocol with value\n"); +} + +#define hi struct xt_hmark_info + +enum { + O_HMARK_SADDR_MASK, + O_HMARK_DADDR_MASK, + O_HMARK_SPI, + O_HMARK_SPI_MASK, + O_HMARK_SPORT, + O_HMARK_DPORT, + O_HMARK_SPORT_MASK, + O_HMARK_DPORT_MASK, + O_HMARK_PROTO_MASK, + O_HMARK_RND, + O_HMARK_MODULUS, + O_HMARK_OFFSET, + O_HMARK_CT, + O_HMARK_TYPE, +}; + +#define HMARK_OPT_PKT_MASK \ + ((1 << O_HMARK_SADDR_MASK) \| \ + (1 << O_HMARK_DADDR_MASK) \| \ + (1 << O_HMARK_SPI_MASK) \| \ + (1 << O_HMARK_SPORT_MASK) \| \ + (1 << O_HMARK_DPORT_MASK) \| \ + (1 << O_HMARK_PROTO_MASK) \| \ + (1 << O_HMARK_SPI_MASK) \| \ + (1 << O_HMARK_SPORT) \| \ + (1 << O_HMARK_DPORT) \| \ + (1 << O_HMARK_SPI)) + +static const struct xt_option_entry HMARK_opts[] = { + { .name = "hmark-tuple", + .type = XTTYPE_STRING, + .id = O_HMARK_TYPE, + }, + { .name = "hmark-src-prefix", + .type = XTTYPE_PLENMASK, + .id = O_HMARK_SADDR_MASK, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, src_mask) + }, + { .name = "hmark-dst-prefix", + .type = XTTYPE_PLENMASK, + .id = O_HMARK_DADDR_MASK, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, dst_mask) + }, + { .name = "hmark-sport-mask", + .type = XTTYPE_UINT16, + .id = O_HMARK_SPORT_MASK, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.src) + }, + { .name = "hmark-dport-mask", + .type = XTTYPE_UINT16, + .id = O_HMARK_DPORT_MASK, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.dst) + }, + { .name = "hmark-spi-mask", + .type = XTTYPE_UINT32, + .id = O_HMARK_SPI_MASK, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.v32) + }, + { .name = "hmark-sport", + .type = XTTYPE_UINT16, + .id = O_HMARK_SPORT, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.src) + }, + { .name = "hmark-dport", + .type = XTTYPE_UINT16, + .id = O_HMARK_DPORT, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.dst) + }, + { .name = "hmark-spi", + .type = XTTYPE_UINT32, + .id = O_HMARK_SPI, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.v32) + }, + { .name = "hmark-proto-mask", + .type = XTTYPE_UINT16, + .id = O_HMARK_PROTO_MASK, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, proto_mask) + }, + { .name = "hmark-rnd", + .type = XTTYPE_UINT32, + .id = O_HMARK_RND, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, hashrnd) + }, + { .name = "hmark-mod", + .type = XTTYPE_UINT32, + .id = O_HMARK_MODULUS, + .min = 1, + .flags = XTOPT_PUT \| XTOPT_MAND, XTOPT_POINTER(hi, hmodulus) + }, + { .name = "hmark-offset", + .type = XTTYPE_UINT32, + .id = O_HMARK_OFFSET, + .flags = XTOPT_PUT, XTOPT_POINTER(hi, hoffset) + }, + XTOPT_TABLEEND, +}; + +static int +hmark_parse(const char type, size_t len, struct xt_hmark_info info, + unsigned int xflags) +{ + if (strncasecmp(type, "ct", len) == 0) { + info->flags \|= XT_HMARK_FLAG(XT_HMARK_CT); + xflags \|= (1 << O_HMARK_CT); + } else if (strncasecmp(type, "src", len) == 0) { + memset(&info->src_mask, 0xff, sizeof(info->src_mask)); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK); + xflags \|= (1 << O_HMARK_SADDR_MASK); + } else if (strncasecmp(type, "dst", len) == 0) { + memset(&info->dst_mask, 0xff, sizeof(info->dst_mask)); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK); + xflags \|= (1 << O_HMARK_DADDR_MASK); + } else if (strncasecmp(type, "sport", len) == 0) { + memset(&info->port_mask.p16.src, 0xff, + sizeof(info->port_mask.p16.src)); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK); + xflags \|= (1 << O_HMARK_SPORT_MASK); + } else if (strncasecmp(type, "dport", len) == 0) { + memset(&info->port_mask.p16.dst, 0xff, + sizeof(info->port_mask.p16.dst)); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK); + xflags \|= (1 << O_HMARK_DPORT_MASK); + } else if (strncasecmp(type, "proto", len) == 0) { + memset(&info->proto_mask, 0xff, sizeof(info->proto_mask)); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK); + xflags \|= (1 << O_HMARK_PROTO_MASK); + } else if (strncasecmp(type, "spi", len) == 0) { + memset(&info->port_mask.v32, 0xff, sizeof(info->port_mask.v32)); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SPI_MASK); + xflags \|= (1 << O_HMARK_SPI_MASK); + } else + return 0; + + return 1; +} + +static void +hmark_parse_type(struct xt_option_call cb) +{ + const char arg = cb->arg; + struct xt_hmark_info info = cb->data; + const char comma; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg \|\| + !hmark_parse(arg, comma-arg, info, &cb->xflags)) + xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg); + arg = comma+1; + } + if (!arg) + xtables_error(PARAMETER_PROBLEM, "\"--hmark-tuple\" requires " + "a list of types with no " + "spaces, e.g. " + "src,dst,sport,dport,proto"); + if (strlen(arg) == 0 \|\| + !hmark_parse(arg, strlen(arg), info, &cb->xflags)) + xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg); +} + +static void HMARK_parse(struct xt_option_call cb, int plen) +{ + struct xt_hmark_info info = cb->data; + + xtables_option_parse(cb); + + switch (cb->entry->id) { + case O_HMARK_TYPE: + hmark_parse_type(cb); + break; + case O_HMARK_SADDR_MASK: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK); + break; + case O_HMARK_DADDR_MASK: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK); + break; + case O_HMARK_SPI: + info->port_set.v32 = htonl(cb->val.u32); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SPI); + break; + case O_HMARK_SPORT: + info->port_set.p16.src = htons(cb->val.u16); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SPORT); + break; + case O_HMARK_DPORT: + info->port_set.p16.dst = htons(cb->val.u16); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_DPORT); + break; + case O_HMARK_SPORT_MASK: + info->port_mask.p16.src = htons(cb->val.u16); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK); + break; + case O_HMARK_DPORT_MASK: + info->port_mask.p16.dst = htons(cb->val.u16); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK); + break; + case O_HMARK_SPI_MASK: + info->port_mask.v32 = htonl(cb->val.u32); + info->flags \|= XT_HMARK_FLAG(XT_HMARK_SPI_MASK); + break; + case O_HMARK_PROTO_MASK: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK); + break; + case O_HMARK_RND: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_RND); + break; + case O_HMARK_MODULUS: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_MODULUS); + break; + case O_HMARK_OFFSET: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_OFFSET); + break; + case O_HMARK_CT: + info->flags \|= XT_HMARK_FLAG(XT_HMARK_CT); + break; + } + cb->xflags \|= (1 << cb->entry->id); +} + +static void HMARK_ip4_parse(struct xt_option_call cb) +{ + HMARK_parse(cb, 32); +} +static void HMARK_ip6_parse(struct xt_option_call cb) +{ + HMARK_parse(cb, 128); +} + +static void HMARK_check(struct xt_fcheck_call cb) +{ + if (!(cb->xflags & (1 << O_HMARK_MODULUS))) + xtables_error(PARAMETER_PROBLEM, "--hmark-mod is mandatory"); + if (!(cb->xflags & (1 << O_HMARK_RND))) + xtables_error(PARAMETER_PROBLEM, "--hmark-rnd is mandatory"); + if (cb->xflags & (1 << O_HMARK_SPI_MASK) && + (cb->xflags & ((1 << O_HMARK_SPORT_MASK) \| + (1 << O_HMARK_DPORT_MASK)))) + xtables_error(PARAMETER_PROBLEM, "you cannot use " + "--hmark-spi-mask and --hmark-?port-mask," + "at the same time"); + if (!((cb->xflags & HMARK_OPT_PKT_MASK) \|\| + cb->xflags & (1 << O_HMARK_CT))) + xtables_error(PARAMETER_PROBLEM, "you have to specify " + "--hmark-tuple at least"); +} + +static void HMARK_print(const struct xt_hmark_info info) +{ + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK)) + printf("sport-mask 0x%x ", htons(info->port_mask.p16.src)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)) + printf("dport-mask 0x%x ", htons(info->port_mask.p16.dst)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK)) + printf("spi-mask 0x%x ", htonl(info->port_mask.v32)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT)) + printf("sport 0x%x ", htons(info->port_set.p16.src)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT)) + printf("dport 0x%x ", htons(info->port_set.p16.dst)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI)) + printf("spi 0x%x ", htonl(info->port_set.v32)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK)) + printf("proto-mask 0x%x ", info->proto_mask); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND)) + printf("rnd 0x%x ", info->hashrnd); +} + +static void HMARK_ip6_print(const void ip, + const struct xt_entry_target target, int numeric) +{ + const struct xt_hmark_info info = + (const struct xt_hmark_info )target->data; + + printf(" HMARK "); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS)) + printf("mod %u ", info->hmodulus); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET)) + printf("+ 0x%x ", info->hoffset); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) + printf("ct, "); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) + printf("src-prefix %s ", + xtables_ip6mask_to_numeric(&info->src_mask.in6) + 1); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) + printf("dst-prefix %s ", + xtables_ip6mask_to_numeric(&info->dst_mask.in6) + 1); + HMARK_print(info); +} +static void HMARK_ip4_print(const void ip, + const struct xt_entry_target target, int numeric) +{ + const struct xt_hmark_info info = + (const struct xt_hmark_info )target->data; + + printf(" HMARK "); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS)) + printf("mod %u ", info->hmodulus); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET)) + printf("+ 0x%x ", info->hoffset); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) + printf("ct, "); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) + printf("src-prefix %u ", + xtables_ipmask_to_cidr(&info->src_mask.in)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) + printf("dst-prefix %u ", + xtables_ipmask_to_cidr(&info->dst_mask.in)); + HMARK_print(info); +} + +static void HMARK_save(const struct xt_hmark_info info) +{ + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK)) + printf(" --hmark-sport-mask 0x%04x", + htons(info->port_mask.p16.src)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)) + printf(" --hmark-dport-mask 0x%04x", + htons(info->port_mask.p16.dst)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK)) + printf(" --hmark-spi-mask 0x%08x", + htonl(info->port_mask.v32)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT)) + printf(" --hmark-sport 0x%04x", + htons(info->port_set.p16.src)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT)) + printf(" --hmark-dport 0x%04x", + htons(info->port_set.p16.dst)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI)) + printf(" --hmark-spi 0x%08x", htonl(info->port_set.v32)); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK)) + printf(" --hmark-proto-mask 0x%02x", info->proto_mask); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND)) + printf(" --hmark-rnd 0x%08x", info->hashrnd); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS)) + printf(" --hmark-mod %u", info->hmodulus); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET)) + printf(" --hmark-offset %u", info->hoffset); + if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) + printf(" --hmark-tuple ct"); +} + +static void HMARK_ip6_save(const void ip, const struct xt_entry_target target) +{ + const struct xt_hmark_info info = + (const struct xt_hmark_info )target->data; + int ret; + + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) { + ret = xtables_ip6mask_to_cidr(&info->src_mask.in6); + printf(" --hmark-src-prefix %d", ret); + } + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) { + ret = xtables_ip6mask_to_cidr(&info->dst_mask.in6); + printf(" --hmark-dst-prefix %d", ret); + } + HMARK_save(info); +} + +static void HMARK_ip4_save(const void ip, const struct xt_entry_target target) +{ + const struct xt_hmark_info info = + (const struct xt_hmark_info *)target->data; + int ret; + + if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) { + ret = xtables_ipmask_to_cidr(&info->src_mask.in); + printf(" --hmark-src-prefix %d", ret); + } + if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) { + ret = xtables_ipmask_to_cidr(&info->dst_mask.in); + printf(" --hmark-dst-prefix %d", ret); + } + HMARK_save(info); +} + +static struct xtables_target mark_tg_reg[] = { + { + .family = NFPROTO_IPV4, + .name = "HMARK", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_hmark_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)), + .help = HMARK_help, + .print = HMARK_ip4_print, + .save = HMARK_ip4_save, + .x6_parse = HMARK_ip4_parse, + .x6_fcheck = HMARK_check, + .x6_options = HMARK_opts, + }, + { + .family = NFPROTO_IPV6, + .name = "HMARK", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_hmark_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)), + .help = HMARK_help, + .print = HMARK_ip6_print, + .save = HMARK_ip6_save, + .x6_parse = HMARK_ip6_parse, + .x6_fcheck = HMARK_check, + .x6_options = HMARK_opts, + }, +}; + +void _init(void) +{ + xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); +}
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/extensions/libxt_HMARK.man ^
@@ -0,0 +1,60 @@ +Like MARK, i.e. set the fwmark, but the mark is calculated from hashing +packet selector at choice. You have also to specify the mark range and, +optionally, the offset to start from. ICMP error messages are inspected +and used to calculate the hashing. +.PP +Existing options are: +.TP +\fB\-\-hmark\-tuple\fP tuple\fI\fP +Possible tuple members are: +.B src +meaning source address (IPv4, IPv6 address), +.B dst +meaning destination address (IPv4, IPv6 address), +.B sport +meaning source port (TCP, UDP, UDPlite, SCTP, DCCP), +.B dport +meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP), +.B spi +meaning Security Parameter Index (AH, ESP), and +.B ct +meaning the usage of the conntrack tuple instead of the packet selectors. +.TP +\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP +Modulus for hash calculation (to limit the range of possible marks) +.TP +\fB\-\-hmark\-offset\fP \fIvalue\fP +Offset to start marks from. +.TP +For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom +prefixes and masks: +.TP +\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP +The source address mask in CIDR notation. +.TP +\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP +The destination address mask in CIDR notation. +.TP +\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP +A 16 bit source port mask in hexadecimal. +.TP +\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP +A 16 bit destination port mask in hexadecimal. +.TP +\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP +A 32 bit field with spi mask. +.TP +\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP +An 8 bit field with layer 4 protocol number. +.TP +\fB\-\-hmark\-rnd\fP \fIvalue\fP +A 32 bit random custom value to feed hash calculation. +.PP +\fIExamples:\fP +.PP +iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW + \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 +\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe +.PP +iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000 +\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_LED.c ^
@@ -49,6 +49,7 @@ static void LED_parse(struct xt_option_call cb) { struct xt_led_info led = cb->data; + unsigned int delay; xtables_option_parse(cb); switch (cb->entry->id) { @@ -59,8 +60,10 @@ case O_LED_DELAY: if (strncasecmp(cb->arg, "inf", 3) == 0) led->delay = -1; - else - led->delay = strtoul(cb->arg, NULL, 0); + else if (!xtables_strtoui(cb->arg, NULL, &delay, 0, UINT32_MAX)) + xtables_error(PARAMETER_PROBLEM, + "Delay value must be within range 0..%u", + UINT32_MAX); break; case O_LED_ALWAYS_BLINK: led->always_blink = 1;
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_NOTRACK.man ^
@@ -1,5 +1,3 @@ This target disables connection tracking for all packets matching that rule. -.PP -It can only be used in the -.B raw -table. +It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in +the \fBraw\fP table.
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_SET.man ^
@@ -1,24 +1,24 @@ -This modules adds and/or deletes entries from IP sets which can be defined +This module adds and/or deletes entries from IP sets which can be defined by ipset(8). .TP \fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] -add the address(es)/port(s) of the packet to the sets +add the address(es)/port(s) of the packet to the set .TP \fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] -delete the address(es)/port(s) of the packet from the sets +delete the address(es)/port(s) of the packet from the set .IP -where flags are +where \fIflag\fP(s) are .BR "src" and/or .BR "dst" specifications and there can be no more than six of them. .TP \fB\-\-timeout\fP \fIvalue\fP -when adding entry, the timeout value to use instead of the default +when adding an entry, the timeout value to use instead of the default one from the set definition .TP \fB\-\-exist\fP -when adding entry if it already exists, reset the timeout value +when adding an entry if it already exists, reset the timeout value to the specified one or to the default from the set definition .PP Use of -j SET requires that ipset kernel support is provided, which, for
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_addrtype.c ^
@@ -60,7 +60,7 @@ " [!] --src-type type[,...] Match source address type\n" " [!] --dst-type type[,...] Match destination address type\n" " --limit-iface-in Match only on the packet's incoming device\n" -" --limit-iface-out Match only on the packet's incoming device\n" +" --limit-iface-out Match only on the packet's outgoing device\n" "\n" "Valid types: \n"); addrtype_help_types();
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_conntrack.c ^
@@ -13,7 +13,11 @@ #include <string.h> #include <xtables.h> #include <linux/netfilter/xt_conntrack.h> +#include <linux/netfilter/xt_state.h> #include <linux/netfilter/nf_conntrack_common.h> +#ifndef XT_STATE_UNTRACKED +#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1)) +#endif struct ip_conntrack_old_tuple { struct { @@ -1003,6 +1007,144 @@ conntrack_dump(&up, "--", NFPROTO_IPV6, true, false); } +static void +state_help(void) +{ + printf( +"state match options:\n" +" [!] --state [INVALID\|ESTABLISHED\|NEW\|RELATED\|UNTRACKED][,...]\n" +" State(s) to match\n"); +} + +static const struct xt_option_entry state_opts[] = { + {.name = "state", .id = O_CTSTATE, .type = XTTYPE_STRING, + .flags = XTOPT_MAND \| XTOPT_INVERT}, + XTOPT_TABLEEND, +}; + +static unsigned int +state_parse_state(const char state, size_t len) +{ + if (strncasecmp(state, "INVALID", len) == 0) + return XT_STATE_INVALID; + else if (strncasecmp(state, "NEW", len) == 0) + return XT_STATE_BIT(IP_CT_NEW); + else if (strncasecmp(state, "ESTABLISHED", len) == 0) + return XT_STATE_BIT(IP_CT_ESTABLISHED); + else if (strncasecmp(state, "RELATED", len) == 0) + return XT_STATE_BIT(IP_CT_RELATED); + else if (strncasecmp(state, "UNTRACKED", len) == 0) + return XT_STATE_UNTRACKED; + return 0; +} + +static unsigned int +state_parse_states(const char arg) +{ + const char comma; + unsigned int mask = 0, flag; + + while ((comma = strchr(arg, ',')) != NULL) { + if (comma == arg) + goto badstate; + flag = state_parse_state(arg, comma-arg); + if (flag == 0) + goto badstate; + mask \|= flag; + arg = comma+1; + } + if (!arg) + xtables_error(PARAMETER_PROBLEM, "\"--state\" requires a list of " + "states with no spaces, e.g. " + "ESTABLISHED,RELATED"); + if (strlen(arg) == 0) + goto badstate; + flag = state_parse_state(arg, strlen(arg)); + if (flag == 0) + goto badstate; + mask \|= flag; + return mask; + badstate: + xtables_error(PARAMETER_PROBLEM, "Bad state \"%s\"", arg); +} + +static void state_parse(struct xt_option_call cb) +{ + struct xt_state_info sinfo = cb->data; + + xtables_option_parse(cb); + sinfo->statemask = state_parse_states(cb->arg); + if (cb->invert) + sinfo->statemask = ~sinfo->statemask; +} + +static void state_ct1_parse(struct xt_option_call cb) +{ + struct xt_conntrack_mtinfo1 sinfo = cb->data; + + xtables_option_parse(cb); + sinfo->match_flags = XT_CONNTRACK_STATE; + sinfo->state_mask = state_parse_states(cb->arg); + if (cb->invert) + sinfo->invert_flags \|= XT_CONNTRACK_STATE; +} + +static void state_ct23_parse(struct xt_option_call cb) +{ + struct xt_conntrack_mtinfo3 sinfo = cb->data; + + xtables_option_parse(cb); + sinfo->match_flags = XT_CONNTRACK_STATE; + sinfo->state_mask = state_parse_states(cb->arg); + if (cb->invert) + sinfo->invert_flags \|= XT_CONNTRACK_STATE; +} + +static void state_print_state(unsigned int statemask) +{ + const char sep = ""; + + if (statemask & XT_STATE_INVALID) { + printf("%sINVALID", sep); + sep = ","; + } + if (statemask & XT_STATE_BIT(IP_CT_NEW)) { + printf("%sNEW", sep); + sep = ","; + } + if (statemask & XT_STATE_BIT(IP_CT_RELATED)) { + printf("%sRELATED", sep); + sep = ","; + } + if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) { + printf("%sESTABLISHED", sep); + sep = ","; + } + if (statemask & XT_STATE_UNTRACKED) { + printf("%sUNTRACKED", sep); + sep = ","; + } +} + +static void +state_print(const void ip, + const struct xt_entry_match match, + int numeric) +{ + const struct xt_state_info sinfo = (const void )match->data; + + printf(" state "); + state_print_state(sinfo->statemask); +} + +static void state_save(const void ip, const struct xt_entry_match match) +{ + const struct xt_state_info sinfo = (const void *)match->data; + + printf(" --state "); + state_print_state(sinfo->statemask); +} + static struct xtables_match conntrack_mt_reg[] = { { .version = XTABLES_VERSION, @@ -1102,6 +1244,55 @@ .save = conntrack3_mt6_save, .x6_options = conntrack3_mt_opts, }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .real_name = "conntrack", + .revision = 1, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = state_help, + .x6_parse = state_ct1_parse, + .x6_options = state_opts, + }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .real_name = "conntrack", + .revision = 2, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .help = state_help, + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .real_name = "conntrack", + .revision = 3, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), + .help = state_help, + .x6_parse = state_ct23_parse, + .x6_options = state_opts, + }, + { + .family = NFPROTO_UNSPEC, + .name = "state", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_state_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)), + .help = state_help, + .print = state_print, + .save = state_save, + .x6_parse = state_parse, + .x6_options = state_opts, + }, }; void _init(void)
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_conntrack.man ^
@@ -42,23 +42,23 @@ States for \fB\-\-ctstate\fP: .TP \fBINVALID\fP -meaning that the packet is associated with no known connection +The packet is associated with no known connection. .TP \fBNEW\fP -meaning that the packet has started a new connection, or otherwise associated -with a connection which has not seen packets in both directions, and +The packet has started a new connection, or otherwise associated +with a connection which has not seen packets in both directions. .TP \fBESTABLISHED\fP -meaning that the packet is associated with a connection which has seen packets -in both directions, +The packet is associated with a connection which has seen packets +in both directions. .TP \fBRELATED\fP -meaning that the packet is starting a new connection, but is associated with an +The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. .TP \fBUNTRACKED\fP -meaning that the packet is not tracked at all, which happens if you use -the NOTRACK target in raw table. +The packet is not tracked at all, which happens if you explicitly untrack it +by using \-j CT \-\-notrack in the raw table. .TP \fBSNAT\fP A virtual state, matching if the original source address differs from the reply @@ -74,7 +74,7 @@ None of the below. .TP \fBEXPECTED\fP -This is an expected connection (i.e. a conntrack helper set it up) +This is an expected connection (i.e. a conntrack helper set it up). .TP \fBSEEN_REPLY\fP Conntrack has seen packets in both directions.
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_devgroup.c ^
@@ -42,58 +42,50 @@ fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); } +static void devgroup_parse_groupspec(const char arg, unsigned int group, + unsigned int mask) +{ + char end; + bool ok; + + ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX); + if (ok && (end == '/' \|\| end == '\0')) { + if (end == '/') + ok = xtables_strtoui(end + 1, NULL, mask, + 0, UINT32_MAX); + else + mask = ~0U; + if (!ok) + xtables_error(PARAMETER_PROBLEM, + "Bad group value \"%s\"", arg); + } else { + group = xtables_lmap_name2id(devgroups, arg); + if (group == -1) + xtables_error(PARAMETER_PROBLEM, + "Device group \"%s\" not found", arg); + mask = ~0U; + } +} + static void devgroup_parse(struct xt_option_call cb) { struct xt_devgroup_info info = cb->data; - unsigned int id; - char end; + unsigned int id, mask; xtables_option_parse(cb); switch (cb->entry->id) { case O_SRC_GROUP: - info->src_group = strtoul(cb->arg, &end, 0); - if (end != cb->arg && (end == '/' \|\| end == '\0')) { - if (end == '/') - info->src_mask = strtoul(end+1, &end, 0); - else - info->src_mask = 0xffffffff; - if (end != '\0' \|\| end == cb->arg) - xtables_error(PARAMETER_PROBLEM, - "Bad src-group value `%s'", - cb->arg); - } else { - id = xtables_lmap_name2id(devgroups, cb->arg); - if (id == -1) - xtables_error(PARAMETER_PROBLEM, - "Device group `%s' not found", - cb->arg); - info->src_group = id; - info->src_mask = 0xffffffff; - } + devgroup_parse_groupspec(cb->arg, &id, &mask); + info->src_group = id; + info->src_mask = mask; info->flags \|= XT_DEVGROUP_MATCH_SRC; if (cb->invert) info->flags \|= XT_DEVGROUP_INVERT_SRC; break; case O_DST_GROUP: - info->dst_group = strtoul(cb->arg, &end, 0); - if (end != cb->arg && (end == '/' \|\| end == '\0')) { - if (end == '/') - info->dst_mask = strtoul(end+1, &end, 0); - else - info->dst_mask = 0xffffffff; - if (end != '\0' \|\| end == cb->arg) - xtables_error(PARAMETER_PROBLEM, - "Bad dst-group value `%s'", - cb->arg); - } else { - id = xtables_lmap_name2id(devgroups, cb->arg); - if (id == -1) - xtables_error(PARAMETER_PROBLEM, - "Device group `%s' not found", - cb->arg); - info->dst_group = id; - info->dst_mask = 0xffffffff; - } + devgroup_parse_groupspec(cb->arg, &id, &mask); + info->dst_group = id; + info->dst_mask = mask; info->flags \|= XT_DEVGROUP_MATCH_DST; if (cb->invert) info->flags \|= XT_DEVGROUP_INVERT_DST;
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/extensions/libxt_devgroup.man ^
@@ -0,0 +1,7 @@ +Match device group of a packets incoming/outgoing interface. +.TP +[\fB!\fP] \fB\-\-src\-group\fP \fIname\fP +Match device group of incoming device +.TP +[\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP +Match device group of outgoing device
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_hashlimit.c ^
@@ -10,6 +10,7 @@ * * Error corections by nmalykh@bilim.com (22.01.2005) / +#include <math.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> @@ -20,6 +21,10 @@ #include <linux/netfilter/xt_hashlimit.h> #define XT_HASHLIMIT_BURST 5 +#define XT_HASHLIMIT_BURST_MAX 10000 + +#define XT_HASHLIMIT_BYTE_EXPIRE 15 +#define XT_HASHLIMIT_BYTE_EXPIRE_BURST 60 / miliseconds / #define XT_HASHLIMIT_GCINTERVAL 1000 @@ -59,6 +64,7 @@ O_HTABLE_MAX, O_HTABLE_GCINT, O_HTABLE_EXPIRE, + F_BURST = 1 << O_BURST, F_UPTO = 1 << O_UPTO, F_ABOVE = 1 << O_ABOVE, F_HTABLE_EXPIRE = 1 << O_HTABLE_EXPIRE, @@ -90,7 +96,7 @@ {.name = "hashlimit", .id = O_UPTO, .excl = F_ABOVE, .type = XTTYPE_STRING}, {.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_UINT32, - .min = 1, .max = 10000, .flags = XTOPT_PUT, + .min = 1, .max = XT_HASHLIMIT_BURST_MAX, .flags = XTOPT_PUT, XTOPT_POINTER(s, cfg.burst)}, {.name = "hashlimit-htable-size", .id = O_HTABLE_SIZE, .type = XTTYPE_UINT32, .flags = XTOPT_PUT, @@ -122,9 +128,7 @@ .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, / old name / {.name = "hashlimit-srcmask", .id = O_SRCMASK, .type = XTTYPE_PLEN}, {.name = "hashlimit-dstmask", .id = O_DSTMASK, .type = XTTYPE_PLEN}, - {.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_UINT32, - .min = 1, .max = 10000, .flags = XTOPT_PUT, - XTOPT_POINTER(s, cfg.burst)}, + {.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_STRING}, {.name = "hashlimit-htable-size", .id = O_HTABLE_SIZE, .type = XTTYPE_UINT32, .flags = XTOPT_PUT, XTOPT_POINTER(s, cfg.size)}, @@ -144,6 +148,82 @@ }; #undef s +static uint32_t cost_to_bytes(uint32_t cost) +{ + uint32_t r; + + r = cost ? UINT32_MAX / cost : UINT32_MAX; + r = (r - 1) << XT_HASHLIMIT_BYTE_SHIFT; + return r; +} + +static uint64_t bytes_to_cost(uint32_t bytes) +{ + uint32_t r = bytes >> XT_HASHLIMIT_BYTE_SHIFT; + return UINT32_MAX / (r+1); +} + +static uint32_t get_factor(int chr) +{ + switch (chr) { + case 'm': return 1024 1024; + case 'k': return 1024; + } + return 1; +} + +static void burst_error(void) +{ + xtables_error(PARAMETER_PROBLEM, "bad value for option " + "\"--hashlimit-burst\", or out of range (1-%u).", XT_HASHLIMIT_BURST_MAX); +} + +static uint32_t parse_burst(const char burst, struct xt_hashlimit_mtinfo1 info) +{ + uintmax_t v; + char end; + + if (!xtables_strtoul(burst, &end, &v, 1, UINT32_MAX) \|\| + (end == 0 && v > XT_HASHLIMIT_BURST_MAX)) + burst_error(); + + v = get_factor(end); + if (v > UINT32_MAX) + xtables_error(PARAMETER_PROBLEM, "bad value for option " + "\"--hashlimit-burst\", value \"%s\" too large " + "(max %umb).", burst, UINT32_MAX/1024/1024); + return v; +} + +static bool parse_bytes(const char rate, uint32_t val, struct hashlimit_mt_udata ud) +{ + unsigned int factor = 1; + uint64_t tmp; + int r; + const char mode = strstr(rate, "b/s"); + if (!mode \|\| mode == rate) + return false; + + mode--; + r = atoi(rate); + if (r == 0) + return false; + + factor = get_factor(mode); + tmp = (uint64_t) r factor; + if (tmp > UINT32_MAX) + xtables_error(PARAMETER_PROBLEM, + "Rate value too large \"%llu\" (max %u)\n", + (unsigned long long)tmp, UINT32_MAX); + + val = bytes_to_cost(tmp); + if (val == 0) + xtables_error(PARAMETER_PROBLEM, "Rate too high \"%s\"\n", rate); + + ud->mult = XT_HASHLIMIT_BYTE_EXPIRE; + return true; +} + static int parse_rate(const char rate, uint32_t val, struct hashlimit_mt_udata ud) { @@ -171,12 +251,13 @@ if (!r) return 0; - / This would get mapped to infinite (1/day is minimum they - can specify, so we're ok at that end). / - if (r / ud->mult > XT_HASHLIMIT_SCALE) - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); - val = XT_HASHLIMIT_SCALE * ud->mult / r; + if (val == 0) + / + * The rate maps to infinity. (1/day is the minimum they can + * specify, so we are ok at that end). + / + xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); return 1; } @@ -265,17 +346,24 @@ xtables_option_parse(cb); switch (cb->entry->id) { + case O_BURST: + info->cfg.burst = parse_burst(cb->arg, info); + break; case O_UPTO: if (cb->invert) info->cfg.mode \|= XT_HASHLIMIT_INVERT; - if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) + if (parse_bytes(cb->arg, &info->cfg.avg, cb->udata)) + info->cfg.mode \|= XT_HASHLIMIT_BYTES; + else if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) xtables_param_act(XTF_BAD_VALUE, "hashlimit", "--hashlimit-upto", cb->arg); break; case O_ABOVE: if (!cb->invert) info->cfg.mode \|= XT_HASHLIMIT_INVERT; - if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) + if (parse_bytes(cb->arg, &info->cfg.avg, cb->udata)) + info->cfg.mode \|= XT_HASHLIMIT_BYTES; + else if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata)) xtables_param_act(XTF_BAD_VALUE, "hashlimit", "--hashlimit-above", cb->arg); break; @@ -315,6 +403,24 @@ "You have to specify --hashlimit"); if (!(cb->xflags & F_HTABLE_EXPIRE)) info->cfg.expire = udata->mult 1000; /* from s to msec / + + if (info->cfg.mode & XT_HASHLIMIT_BYTES) { + uint32_t burst = 0; + if (cb->xflags & F_BURST) { + if (info->cfg.burst < cost_to_bytes(info->cfg.avg)) + xtables_error(PARAMETER_PROBLEM, + "burst cannot be smaller than %ub", cost_to_bytes(info->cfg.avg)); + + burst = info->cfg.burst; + burst /= cost_to_bytes(info->cfg.avg); + if (info->cfg.burst % cost_to_bytes(info->cfg.avg)) + burst++; + if (!(cb->xflags & F_HTABLE_EXPIRE)) + info->cfg.expire = XT_HASHLIMIT_BYTE_EXPIRE_BURST 1000; + } + info->cfg.burst = burst; + } else if (info->cfg.burst > XT_HASHLIMIT_BURST_MAX) + burst_error(); } static const struct rates @@ -330,6 +436,11 @@ { unsigned int i; + if (period == 0) { + printf(" %f", INFINITY); + return 0; + } + for (i = 1; i < ARRAY_SIZE(rates); ++i) if (period > rates[i].mult \|\| rates[i].mult/period < rates[i].mult%period) @@ -340,6 +451,41 @@ return rates[i-1].mult / XT_HASHLIMIT_SCALE * 1000; } +static const struct { + const char name; + uint32_t thresh; +} units[] = { + { "m", 1024 1024 }, + { "k", 1024 }, + { "", 1 }, +}; + +static uint32_t print_bytes(uint32_t avg, uint32_t burst, const char prefix) +{ + unsigned int i; + unsigned long long r; + + r = cost_to_bytes(avg); + + for (i = 0; i < ARRAY_SIZE(units) -1; ++i) + if (r >= units[i].thresh && + bytes_to_cost(r & ~(units[i].thresh - 1)) == avg) + break; + printf(" %llu%sb/s", r/units[i].thresh, units[i].name); + + if (burst == 0) + return XT_HASHLIMIT_BYTE_EXPIRE 1000; + + r = burst; + printf(" %s", prefix); + for (i = 0; i < ARRAY_SIZE(units) -1; ++i) + if (r >= units[i].thresh) + break; + + printf("burst %llu%sb", r / units[i].thresh, units[i].name); + return XT_HASHLIMIT_BYTE_EXPIRE_BURST 1000; +} + static void print_mode(unsigned int mode, char separator) { bool prevmode = false; @@ -398,8 +544,13 @@ fputs(" limit: above", stdout); else fputs(" limit: up to", stdout); - quantum = print_rate(info->cfg.avg); - printf(" burst %u", info->cfg.burst); + + if (info->cfg.mode & XT_HASHLIMIT_BYTES) { + quantum = print_bytes(info->cfg.avg, info->cfg.burst, ""); + } else { + quantum = print_rate(info->cfg.avg); + printf(" burst %u", info->cfg.burst); + } if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP \| XT_HASHLIMIT_HASH_SPT \| XT_HASHLIMIT_HASH_DIP \| XT_HASHLIMIT_HASH_DPT)) { fputs(" mode", stdout); @@ -449,7 +600,7 @@ fputs(" --hashlimit-mode", stdout); print_mode(r->cfg.mode, ','); - + printf(" --hashlimit-name %s", r->name); if (r->cfg.size) @@ -471,8 +622,13 @@ fputs(" --hashlimit-above", stdout); else fputs(" --hashlimit-upto", stdout); - quantum = print_rate(info->cfg.avg); - printf(" --hashlimit-burst %u", info->cfg.burst); + + if (info->cfg.mode & XT_HASHLIMIT_BYTES) { + quantum = print_bytes(info->cfg.avg, info->cfg.burst, "--hashlimit-"); + } else { + quantum = print_rate(info->cfg.avg); + printf(" --hashlimit-burst %u", info->cfg.burst); + } if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP \| XT_HASHLIMIT_HASH_SPT \| XT_HASHLIMIT_HASH_DIP \| XT_HASHLIMIT_HASH_DPT)) {
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_hashlimit.man ^
@@ -2,14 +2,15 @@ \fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables rule. Grouping can be done per-hostgroup (source and/or destination address) and/or per-port. It gives you the ability to express "\fIN\fP packets per time -quantum per group" (see below for some examples). +quantum per group" or "\fIN\fP bytes per seconds" (see below for some examples). .PP A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and \fB\-\-hashlimit\-name\fP are required. .TP \fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP\|\fB/minute\fP\|\fB/hour\fP\|\fB/day\fP] -Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as -a number, with an optional time quantum suffix; the default is 3/hour. +Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as +a number, with an optional time quantum suffix (the default is 3/hour), or as +\fIamount\fPb/second (number of bytes per second). .TP \fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP\|\fB/minute\fP\|\fB/hour\fP\|\fB/day\fP] Match if the rate is above \fIamount\fP/quantum. @@ -17,7 +18,9 @@ \fB\-\-hashlimit\-burst\fP \fIamount\fP Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the -default is 5. +default is 5. When byte-based rate matching is requested, this option specifies +the amount of bytes that can exceed the given rate. This option should be used +with caution -- if the entry expires, the burst value is reset too. .TP \fB\-\-hashlimit\-mode\fP {\fBsrcip\fP\|\fBsrcport\fP\|\fBdstip\fP\|\fBdstport\fP}\fB,\fP... A comma-separated list of objects to take into consideration. If no @@ -63,3 +66,11 @@ "10000 packets per minute for every /28 subnet (groups of 8 addresses) in 10.0.0.0/8" => \-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min +.TP +matching bytes per second +"flows exceeding 512kbyte/s" => +\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s +.TP +matching bytes per second +"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching" +\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_limit.c ^
@@ -3,6 +3,7 @@ * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr> * Hervé Eychenne <rv@wallfire.org> / +#include <math.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -64,12 +65,13 @@ if (!r) return 0; - / This would get mapped to infinite (1/day is minimum they - can specify, so we're ok at that end). / - if (r / mult > XT_LIMIT_SCALE) - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); - val = XT_LIMIT_SCALE * mult / r; + if (val == 0) + / + * The rate maps to infinity. (1/day is the minimum they can + * specify, so we are ok at that end). + */ + xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); return 1; } @@ -118,6 +120,11 @@ { unsigned int i; + if (period == 0) { + printf(" %f", INFINITY); + return; + } + for (i = 1; i < ARRAY_SIZE(rates); ++i) if (period > rates[i].mult \|\| rates[i].mult/period < rates[i].mult%period)
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_recent.c ^
@@ -16,6 +16,7 @@ O_NAME, O_RSOURCE, O_RDEST, + O_MASK, F_SET = 1 << O_SET, F_RCHECK = 1 << O_RCHECK, F_UPDATE = 1 << O_UPDATE, @@ -25,7 +26,7 @@ }; #define s struct xt_recent_mtinfo -static const struct xt_option_entry recent_opts[] = { +static const struct xt_option_entry recent_opts_v0[] = { {.name = "set", .id = O_SET, .type = XTTYPE_NONE, .excl = F_ANY_OP, .flags = XTOPT_INVERT}, {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE, @@ -50,6 +51,32 @@ }; #undef s +#define s struct xt_recent_mtinfo_v1 +static const struct xt_option_entry recent_opts_v1[] = { + {.name = "set", .id = O_SET, .type = XTTYPE_NONE, + .excl = F_ANY_OP, .flags = XTOPT_INVERT}, + {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE, + .excl = F_ANY_OP, .flags = XTOPT_INVERT}, + {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE, + .excl = F_ANY_OP, .flags = XTOPT_INVERT}, + {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE, + .excl = F_ANY_OP, .flags = XTOPT_INVERT}, + {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32, + .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)}, + {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32, + .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)}, + {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE, + .excl = F_SET \| F_REMOVE}, + {.name = "name", .id = O_NAME, .type = XTTYPE_STRING, + .flags = XTOPT_PUT, XTOPT_POINTER(s, name)}, + {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE}, + {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE}, + {.name = "mask", .id = O_MASK, .type = XTTYPE_HOST, + .flags = XTOPT_PUT, XTOPT_POINTER(s, mask)}, + XTOPT_TABLEEND, +}; +#undef s + static void recent_help(void) { printf( @@ -74,18 +101,28 @@ " --name name Name of the recent list to be used. DEFAULT used if none given.\n" " --rsource Match/Save the source address of each packet in the recent list table (default).\n" " --rdest Match/Save the destination address of each packet in the recent list table.\n" +" --mask netmask Netmask that will be applied to this recent list.\n" "xt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"); } -static void recent_init(struct xt_entry_match match) +enum { + XT_RECENT_REV_0 = 0, + XT_RECENT_REV_1, +}; + +static void recent_init(struct xt_entry_match match, unsigned int rev) { - struct xt_recent_mtinfo info = (void )(match)->data; + struct xt_recent_mtinfo info = (struct xt_recent_mtinfo )match->data; + struct xt_recent_mtinfo_v1 info_v1 = + (struct xt_recent_mtinfo_v1 )match->data; strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN); /* even though XT_RECENT_NAME_LEN is currently defined as 200, * better be safe, than sorry / info->name[XT_RECENT_NAME_LEN-1] = '\0'; info->side = XT_RECENT_SOURCE; + if (rev == XT_RECENT_REV_1) + memset(&info_v1->mask, 0xFF, sizeof(info_v1->mask)); } static void recent_parse(struct xt_option_call cb) @@ -131,8 +168,6 @@ static void recent_check(struct xt_fcheck_call cb) { - struct xt_recent_mtinfo info = cb->data; - if (!(cb->xflags & F_ANY_OP)) xtables_error(PARAMETER_PROBLEM, "recent: you must specify one of `--set', `--rcheck' " @@ -140,9 +175,9 @@ } static void recent_print(const void ip, const struct xt_entry_match match, - int numeric) + unsigned int family) { - const struct xt_recent_mtinfo info = (const void )match->data; + const struct xt_recent_mtinfo_v1 info = (const void )match->data; if (info->invert) printf(" !"); @@ -167,11 +202,23 @@ printf(" side: source"); if (info->side == XT_RECENT_DEST) printf(" side: dest"); + + switch(family) { + case NFPROTO_IPV4: + printf(" mask: %s", + xtables_ipaddr_to_numeric(&info->mask.in)); + break; + case NFPROTO_IPV6: + printf(" mask: %s", + xtables_ip6addr_to_numeric(&info->mask.in6)); + break; + } } -static void recent_save(const void ip, const struct xt_entry_match match) +static void recent_save(const void ip, const struct xt_entry_match match, + unsigned int family) { - const struct xt_recent_mtinfo info = (const void )match->data; + const struct xt_recent_mtinfo_v1 info = (const void )match->data; if (info->invert) printf(" !"); @@ -191,28 +238,116 @@ if (info->check_set & XT_RECENT_TTL) printf(" --rttl"); if(info->name) printf(" --name %s",info->name); + + switch(family) { + case NFPROTO_IPV4: + printf(" --mask %s", + xtables_ipaddr_to_numeric(&info->mask.in)); + break; + case NFPROTO_IPV6: + printf(" --mask %s", + xtables_ip6addr_to_numeric(&info->mask.in6)); + break; + } + if (info->side == XT_RECENT_SOURCE) printf(" --rsource"); if (info->side == XT_RECENT_DEST) printf(" --rdest"); } -static struct xtables_match recent_mt_reg = { - .name = "recent", - .version = XTABLES_VERSION, - .family = NFPROTO_UNSPEC, - .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), - .help = recent_help, - .init = recent_init, - .x6_parse = recent_parse, - .x6_fcheck = recent_check, - .print = recent_print, - .save = recent_save, - .x6_options = recent_opts, +static void recent_init_v0(struct xt_entry_match match) +{ + recent_init(match, XT_RECENT_REV_0); +} + +static void recent_init_v1(struct xt_entry_match match) +{ + recent_init(match, XT_RECENT_REV_1); +} + +static void recent_save_v0(const void ip, const struct xt_entry_match match) +{ + recent_save(ip, match, NFPROTO_UNSPEC); +} + +static void recent_save_v4(const void ip, const struct xt_entry_match match) +{ + recent_save(ip, match, NFPROTO_IPV4); +} + +static void recent_save_v6(const void ip, const struct xt_entry_match match) +{ + recent_save(ip, match, NFPROTO_IPV6); +} + +static void recent_print_v0(const void ip, const struct xt_entry_match match, + int numeric) +{ + recent_print(ip, match, NFPROTO_UNSPEC); +} + +static void recent_print_v4(const void ip, const struct xt_entry_match match, + int numeric) +{ + recent_print(ip, match, NFPROTO_IPV4); +} + +static void recent_print_v6(const void ip, const struct xt_entry_match match, + int numeric) +{ + recent_print(ip, match, NFPROTO_IPV6); +} + +static struct xtables_match recent_mt_reg[] = { + { + .name = "recent", + .version = XTABLES_VERSION, + .revision = 0, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), + .help = recent_help, + .init = recent_init_v0, + .x6_parse = recent_parse, + .x6_fcheck = recent_check, + .print = recent_print_v0, + .save = recent_save_v0, + .x6_options = recent_opts_v0, + }, + { + .name = "recent", + .version = XTABLES_VERSION, + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)), + .help = recent_help, + .init = recent_init_v1, + .x6_parse = recent_parse, + .x6_fcheck = recent_check, + .print = recent_print_v4, + .save = recent_save_v4, + .x6_options = recent_opts_v1, + }, + { + .name = "recent", + .version = XTABLES_VERSION, + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)), + .help = recent_help, + .init = recent_init_v1, + .x6_parse = recent_parse, + .x6_fcheck = recent_check, + .print = recent_print_v6, + .save = recent_save_v6, + .x6_options = recent_opts_v1, + }, }; void _init(void) { - xtables_register_match(&recent_mt_reg); + xtables_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg)); }
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_recent.man ^
@@ -24,6 +24,9 @@ \fB\-\-rdest\fP Match/save the destination address of each packet in the recent list table. .TP +\fB\-\-mask\fPnetmask +Netmask that will be applied to this recent list. +.TP [\fB!\fP] \fB\-\-rcheck\fP Check if the source address of the packet is currently in the list. .TP
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_set.c ^
@@ -205,6 +205,90 @@ print_match("--match-set", &info->match_set); } +/* Revision 2 / +static void +set_help_v2(void) +{ + printf("set match options:\n" + " [!] --match-set name flags [--return-nomatch]\n" + " 'name' is the set name from to match,\n" + " 'flags' are the comma separated list of\n" + " 'src' and 'dst' specifications.\n"); +} + +static const struct option set_opts_v2[] = { + {.name = "match-set", .has_arg = true, .val = '1'}, + {.name = "set", .has_arg = true, .val = '2'}, + {.name = "return-nomatch", .has_arg = false, .val = '3'}, + XT_GETOPT_TABLEEND, +}; + +static int +set_parse_v2(int c, char argv, int invert, unsigned int flags, + const void entry, struct xt_entry_match match) +{ + struct xt_set_info_match_v1 myinfo = + (struct xt_set_info_match_v1 ) (match)->data; + struct xt_set_info info = &myinfo->match_set; + + switch (c) { + case '3': + info->flags \|= IPSET_RETURN_NOMATCH; + break; + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); + case '1': / --match-set <set> <flag>[,<flag> / + if (info->dim) + xtables_error(PARAMETER_PROBLEM, + "--match-set can be specified only once"); + if (invert) + info->flags \|= IPSET_INV_MATCH; + + if (!argv[optind] + \|\| argv[optind][0] == '-' + \|\| argv[optind][0] == '!') + xtables_error(PARAMETER_PROBLEM, + "--match-set requires two args."); + + if (strlen(optarg) > IPSET_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "setname `%s' too long, max %d characters.", + optarg, IPSET_MAXNAMELEN - 1); + + get_set_byname(optarg, info); + parse_dirs(argv[optind], info); + DEBUGP("parse: set index %u\n", info->index); + optind++; + + flags = 1; + break; + } + + return 1; +} + +/* Prints out the matchinfo. / +static void +set_print_v2(const void ip, const struct xt_entry_match match, int numeric) +{ + const struct xt_set_info_match_v1 info = (const void )match->data; + + print_match("match-set", &info->match_set); + if (info->match_set.flags & IPSET_RETURN_NOMATCH) + printf(" return-nomatch"); +} + +static void +set_save_v2(const void ip, const struct xt_entry_match match) +{ + const struct xt_set_info_match_v1 info = (const void *)match->data; + + print_match("--match-set", &info->match_set); + if (info->match_set.flags & IPSET_RETURN_NOMATCH) + printf(" --return-nomatch"); +} + static struct xtables_match set_mt_reg[] = { { .name = "set", @@ -234,6 +318,20 @@ .save = set_save_v1, .extra_opts = set_opts_v0, }, + { + .name = "set", + .revision = 2, + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_set_info_match_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v1)), + .help = set_help_v2, + .parse = set_parse_v2, + .final_check = set_check_v0, + .print = set_print_v2, + .save = set_save_v2, + .extra_opts = set_opts_v2, + }, }; void _init(void)
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_set.man ^
@@ -14,6 +14,12 @@ the set type of the specified set is single dimension (for example ipmap), then the command will match packets for which the source address can be found in the specified set. +.TP +\fB\-\-return\-\-nomatch\fP +If the \fB\-\-return\-\-nomatch\fP option is specified and the set type +supports the \fBnomatch\fP flag, then the matching is reversed: a match +with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a +match with a plain element returns \fBfalse\fP. .PP The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does not clash with an option of other extensions.
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_state.man ^
@@ -1,24 +1,8 @@ -This module, when combined with connection tracking, allows access to -the connection tracking state for this packet. +The "state" module is an obsolete version of "conntrack". +"state" allows access to the connection tracking state for this packet. .TP [\fB!\fP] \fB\-\-state\fP \fIstate\fP -Where state is a comma separated list of the connection states to -match. Possible states are -.B INVALID -meaning that the packet could not be identified for some reason which -includes running out of memory and ICMP errors which don't correspond to any -known connection, -.B ESTABLISHED -meaning that the packet is associated with a connection which has seen -packets in both directions, -.B NEW -meaning that the packet has started a new connection, or otherwise -associated with a connection which has not seen packets in both -directions, and -.B RELATED -meaning that the packet is starting a new connection, but is -associated with an existing connection, such as an FTP data transfer, -or an ICMP error. -.B UNTRACKED -meaning that the packet is not tracked at all, which happens if you use -the NOTRACK target in raw table. +Where state is a comma separated list of the connection states to match. Only a +subset of the states unterstood by "conntrack" are recognized: \fBINVALID\fP, +\fBESTABLISHED\fP, \fBNEW\fP, \fBRELATED\fP or \fBUNTRACKED\fP. For their +description, see the "conntrack" heading in this manpage.
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_tcp.c ^
@@ -278,11 +278,10 @@ print_flags(uint8_t mask, uint8_t cmp, int invert, int numeric) { if (mask \|\| invert) { - printf("flags:%s", invert ? "!" : ""); + printf(" flags:%s", invert ? "!" : ""); if (numeric) - printf(" 0x%02X/0x%02X", mask, cmp); + printf("0x%02X/0x%02X", mask, cmp); else { - printf(" "); print_tcpf(mask); printf("/"); print_tcpf(cmp);
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/extensions/libxt_u32.c ^
@@ -88,17 +88,13 @@ /* string_to_number() is not quite what we need here ... / static uint32_t parse_number(const char s, int pos) { - uint32_t number; + unsigned int number; char end; - errno = 0; - number = strtoul(s, &end, 0); - if (end == s) + if (!xtables_strtoui(s, &end, &number, 0, UINT32_MAX) \|\| + end == s) xtables_error(PARAMETER_PROBLEM, - "u32: at char %d: expected number", pos); - if (errno != 0) - xtables_error(PARAMETER_PROBLEM, - "u32: at char %d: error reading number", pos); + "u32: at char %d: not a number or out of range", pos); *s = end; return number; }
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/include/Makefile.am ^
@@ -1,7 +1,7 @@ # -- Makefile -- include_HEADERS = -nobase_include_HEADERS = xtables.h +nobase_include_HEADERS = xtables.h xtables-version.h if ENABLE_LIBIPQ include_HEADERS += libipq/libipq.h
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/include/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -18,6 +18,23 @@ # -- Makefile -- VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -39,7 +56,7 @@ subdir = include DIST_COMMON = $(am__include_HEADERS_DIST) $(nobase_include_HEADERS) \ $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ - $(srcdir)/xtables.h.in + $(srcdir)/xtables-version.h.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ @@ -49,10 +66,15 @@ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = xtables.h +CONFIG_CLEAN_FILES = xtables-version.h CONFIG_CLEAN_VPATH_FILES = SOURCES = DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac am__include_HEADERS_DIST = libipq/libipq.h am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" \| sed 's\|.\|.\|g'`; am__vpath_adj = case $$p in \ @@ -219,9 +241,9 @@ top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ include_HEADERS = $(am__append_1) -nobase_include_HEADERS = xtables.h libiptc/ipt_kernel_headers.h \ - libiptc/libiptc.h libiptc/libip6tc.h libiptc/libxtc.h \ - libiptc/xtcshared.h +nobase_include_HEADERS = xtables.h xtables-version.h \ + libiptc/ipt_kernel_headers.h libiptc/libiptc.h \ + libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h all: all-am .SUFFIXES: @@ -255,7 +277,7 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -xtables.h: $(top_builddir)/config.status $(srcdir)/xtables.h.in +xtables-version.h: $(top_builddir)/config.status $(srcdir)/xtables-version.h.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: @@ -265,8 +287,11 @@ -rm -rf .libs _libs install-includeHEADERS: $(include_HEADERS) @$(NORMAL_INSTALL) - test -z "$(includedir)" \|\| $(MKDIR_P) "$(DESTDIR)$(includedir)" @list='$(include_HEADERS)'; test -n "$(includedir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)" \|\| exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ @@ -283,15 +308,18 @@ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) install-nobase_includeHEADERS: $(nobase_include_HEADERS) @$(NORMAL_INSTALL) - test -z "$(includedir)" \|\| $(MKDIR_P) "$(DESTDIR)$(includedir)" @list='$(nobase_include_HEADERS)'; test -n "$(includedir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)" \|\| exit 1; \ + fi; \ $(am__nobase_list) \| while read dir files; do \ xfiles=; for file in $$files; do \ if test -f "$$file"; then xfiles="$$xfiles $$file"; \ else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \ test -z "$$xfiles" \|\| { \ test "x$$dir" = x. \|\| { \ - echo "$(MKDIR_P) '$(DESTDIR)$(includedir)/$$dir'"; \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)/$$dir'"; \ $(MKDIR_P) "$(DESTDIR)$(includedir)/$$dir"; }; \ echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(includedir)/$$dir'"; \ $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(includedir)/$$dir" \|\| exit $$?; }; \
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/include/linux/netfilter/ipset/ip_set.h ^
@@ -186,6 +186,7 @@ * If changed, new revision of iptables match/target is required. / IPSET_DIM_MAX = 6, + IPSET_BIT_RETURN_NOMATCH = 7, }; / Option flags for kernel operations */ @@ -194,6 +195,7 @@ IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), + IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), };
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/include/linux/netfilter/xt_HMARK.h ^
@@ -0,0 +1,50 @@ +#ifndef XT_HMARK_H_ +#define XT_HMARK_H_ + +#include <linux/types.h> + +enum { + XT_HMARK_SADDR_MASK, + XT_HMARK_DADDR_MASK, + XT_HMARK_SPI, + XT_HMARK_SPI_MASK, + XT_HMARK_SPORT, + XT_HMARK_DPORT, + XT_HMARK_SPORT_MASK, + XT_HMARK_DPORT_MASK, + XT_HMARK_PROTO_MASK, + XT_HMARK_RND, + XT_HMARK_MODULUS, + XT_HMARK_OFFSET, + XT_HMARK_CT, + XT_HMARK_METHOD_L3, + XT_HMARK_METHOD_L3_4, +}; +#define XT_HMARK_FLAG(flag) (1 << flag) + +union hmark_ports { + struct { + __u16 src; + __u16 dst; + } p16; + struct { + __be16 src; + __be16 dst; + } b16; + __u32 v32; + __be32 b32; +}; + +struct xt_hmark_info { + union nf_inet_addr src_mask; + union nf_inet_addr dst_mask; + union hmark_ports port_mask; + union hmark_ports port_set; + __u32 flags; + __u16 proto_mask; + __u32 hashrnd; + __u32 hmodulus; + __u32 hoffset; /* Mark offset to start from / +}; + +#endif / XT_HMARK_H_ */
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/include/linux/netfilter/xt_hashlimit.h ^
@@ -6,7 +6,10 @@ /* timings are in milliseconds. / #define XT_HASHLIMIT_SCALE 10000 / 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 - seconds, or one every 59 hours. / + seconds, or one packet every 59 hours. / + +/* packet length accounting is done in 16-byte steps / +#define XT_HASHLIMIT_BYTE_SHIFT 4 / details of this structure hidden by the implementation */ struct xt_hashlimit_htable; @@ -17,6 +20,7 @@ XT_HASHLIMIT_HASH_SIP = 1 << 2, XT_HASHLIMIT_HASH_SPT = 1 << 3, XT_HASHLIMIT_INVERT = 1 << 4, + XT_HASHLIMIT_BYTES = 1 << 5, }; struct hashlimit_cfg {
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/include/linux/netfilter/xt_recent.h ^
@@ -32,4 +32,14 @@ __u8 side; }; +struct xt_recent_mtinfo_v1 { + __u32 seconds; + __u32 hit_count; + __u8 check_set; + __u8 invert; + char name[XT_RECENT_NAME_LEN]; + __u8 side; + union nf_inet_addr mask; +}; + #endif /* _LINUX_NETFILTER_XT_RECENT_H */
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/include/linux/netfilter_ipv4/ip_queue.h ^
@@ -0,0 +1,72 @@ +/* + * This is a module which is used for queueing IPv4 packets and + * communicating with userspace via netlink. + * + * (C) 2000 James Morris, this code is GPL. + / +#ifndef _IP_QUEUE_H +#define _IP_QUEUE_H + +#ifdef __KERNEL__ +#ifdef DEBUG_IPQ +#define QDEBUG(x...) printk(KERN_DEBUG ## x) +#else +#define QDEBUG(x...) +#endif / DEBUG_IPQ / +#else +#include <net/if.h> +#endif / ! __KERNEL__ / + +/ Messages sent from kernel / +typedef struct ipq_packet_msg { + unsigned long packet_id; / ID of queued packet / + unsigned long mark; / Netfilter mark value / + long timestamp_sec; / Packet arrival time (seconds) / + long timestamp_usec; / Packet arrvial time (+useconds) / + unsigned int hook; / Netfilter hook we rode in on / + char indev_name[IFNAMSIZ]; / Name of incoming interface / + char outdev_name[IFNAMSIZ]; / Name of outgoing interface / + __be16 hw_protocol; / Hardware protocol (network order) / + unsigned short hw_type; / Hardware type / + unsigned char hw_addrlen; / Hardware address length / + unsigned char hw_addr[8]; / Hardware address / + size_t data_len; / Length of packet data / + unsigned char payload[0]; / Optional packet data / +} ipq_packet_msg_t; + +/ Messages sent from userspace / +typedef struct ipq_mode_msg { + unsigned char value; / Requested mode / + size_t range; / Optional range of packet requested / +} ipq_mode_msg_t; + +typedef struct ipq_verdict_msg { + unsigned int value; / Verdict to hand to netfilter / + unsigned long id; / Packet ID for this verdict / + size_t data_len; / Length of replacement data / + unsigned char payload[0]; / Optional replacement packet / +} ipq_verdict_msg_t; + +typedef struct ipq_peer_msg { + union { + ipq_verdict_msg_t verdict; + ipq_mode_msg_t mode; + } msg; +} ipq_peer_msg_t; + +/ Packet delivery modes / +enum { + IPQ_COPY_NONE, / Initial mode, packets are dropped / + IPQ_COPY_META, / Copy metadata / + IPQ_COPY_PACKET / Copy metadata + packet (range) / +}; +#define IPQ_COPY_MAX IPQ_COPY_PACKET + +/ Types of messages / +#define IPQM_BASE 0x10 / standard netlink messages below this / +#define IPQM_MODE (IPQM_BASE + 1) / Mode request from peer / +#define IPQM_VERDICT (IPQM_BASE + 2) / Verdict from peer / +#define IPQM_PACKET (IPQM_BASE + 3) / Packet from kernel / +#define IPQM_MAX (IPQM_BASE + 4) + +#endif /_IP_QUEUE_H*/
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/include/xtables-version.h.in ^
@@ -0,0 +1,2 @@ +#define XTABLES_VERSION "libxtables.so.@libxtables_vmajor@" +#define XTABLES_VERSION_CODE @libxtables_vmajor@
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/include/xtables.h ^
@@ -0,0 +1,530 @@ +#ifndef _XTABLES_H +#define _XTABLES_H + +/* + * Changing any structs/functions may incur a needed change + * in libxtables_vcurrent/vage too. + / + +#include <sys/socket.h> / PF_* / +#include <sys/types.h> +#include <limits.h> +#include <stdbool.h> +#include <stddef.h> +#include <stdint.h> +#include <netinet/in.h> +#include <net/if.h> +#include <linux/types.h> +#include <linux/netfilter.h> +#include <linux/netfilter/x_tables.h> + +#ifndef IPPROTO_SCTP +#define IPPROTO_SCTP 132 +#endif +#ifndef IPPROTO_DCCP +#define IPPROTO_DCCP 33 +#endif +#ifndef IPPROTO_MH +# define IPPROTO_MH 135 +#endif +#ifndef IPPROTO_UDPLITE +#define IPPROTO_UDPLITE 136 +#endif + +#include <xtables-version.h> + +struct in_addr; + +/ + * .size is here so that there is a somewhat reasonable check + * against the chosen .type. + / +#define XTOPT_POINTER(stype, member) \ + .ptroff = offsetof(stype, member), \ + .size = sizeof(((stype )NULL)->member) +#define XTOPT_TABLEEND {.name = NULL} + +/** + * Select the format the input has to conform to, as well as the target type + * (area pointed to with XTOPT_POINTER). Note that the storing is not always + * uniform. @cb->val will be populated with as much as there is space, i.e. + * exactly 2 items for ranges, but the target area can receive more values + * (e.g. in case of ranges), or less values (e.g. %XTTYPE_HOSTMASK). + * + * %XTTYPE_NONE: option takes no argument + * %XTTYPE_UINT: standard integer + %XTTYPE_UINTRC: colon-separated range of standard integers + %XTTYPE_DOUBLE: double-precision floating point number + * %XTTYPE_STRING: arbitrary string + * %XTTYPE_TOSMASK: 8-bit TOS value with optional mask + * %XTTYPE_MARKMASK32: 32-bit mark with optional mask + * %XTTYPE_SYSLOGLEVEL: syslog level by name or number + * %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr) + * %XTTYPE_HOSTMASK: one host or address, with an optional prefix length + * (ptr: union nf_inet_addr; only host portion is stored) + * %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t) + * %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO) + * %XTTYPE_PORTRC: colon-separated port range (names acceptable), + * (supports %XTOPT_NBO) + * %XTTYPE_PLEN: prefix length + * %XTTYPE_PLENMASK: prefix length (ptr: union nf_inet_addr) + * %XTTYPE_ETHERMAC: Ethernet MAC address in hex form + / +enum xt_option_type { + XTTYPE_NONE, + XTTYPE_UINT8, + XTTYPE_UINT16, + XTTYPE_UINT32, + XTTYPE_UINT64, + XTTYPE_UINT8RC, + XTTYPE_UINT16RC, + XTTYPE_UINT32RC, + XTTYPE_UINT64RC, + XTTYPE_DOUBLE, + XTTYPE_STRING, + XTTYPE_TOSMASK, + XTTYPE_MARKMASK32, + XTTYPE_SYSLOGLEVEL, + XTTYPE_HOST, + XTTYPE_HOSTMASK, + XTTYPE_PROTOCOL, + XTTYPE_PORT, + XTTYPE_PORTRC, + XTTYPE_PLEN, + XTTYPE_PLENMASK, + XTTYPE_ETHERMAC, +}; + +/* + * %XTOPT_INVERT: option is invertible (usable with !) + * %XTOPT_MAND: option is mandatory + * %XTOPT_MULTI: option may be specified multiple times + * %XTOPT_PUT: store value into memory at @ptroff + * %XTOPT_NBO: store value in network-byte order + * (only certain XTTYPEs recognize this) + / +enum xt_option_flags { + XTOPT_INVERT = 1 << 0, + XTOPT_MAND = 1 << 1, + XTOPT_MULTI = 1 << 2, + XTOPT_PUT = 1 << 3, + XTOPT_NBO = 1 << 4, +}; + +/* + * @name: name of option + * @type: type of input and validation method, see %XTTYPE_* + * @id: unique number (within extension) for option, 0-31 + * @excl: bitmask of flags that cannot be used with this option + * @also: bitmask of flags that must be used with this option + * @flags: bitmask of option flags, see %XTOPT_* + * @ptroff: offset into private structure for member + * @size: size of the item pointed to by @ptroff; this is a safeguard + * @min: lowest allowed value (for singular integral types) + * @max: highest allowed value (for singular integral types) + / +struct xt_option_entry { + const char name; + enum xt_option_type type; + unsigned int id, excl, also, flags; + unsigned int ptroff; + size_t size; + unsigned int min, max; +}; + +/** + * @arg: input from command line + * @ext_name: name of extension currently being processed + * @entry: current option being processed + * @data: per-extension kernel data block + * @xflags: options of the extension that have been used + * @invert: whether option was used with ! + * @nvals: number of results in uXX_multi + * @val: parsed result + * @udata: per-extension private scratch area + * (cf. xtables_{match,target}->udata_size) + / +struct xt_option_call { + const char arg, ext_name; + const struct xt_option_entry entry; + void data; + unsigned int xflags; + bool invert; + uint8_t nvals; + union { + uint8_t u8, u8_range[2], syslog_level, protocol; + uint16_t u16, u16_range[2], port, port_range[2]; + uint32_t u32, u32_range[2]; + uint64_t u64, u64_range[2]; + double dbl; + struct { + union nf_inet_addr haddr, hmask; + uint8_t hlen; + }; + struct { + uint8_t tos_value, tos_mask; + }; + struct { + uint32_t mark, mask; + }; + uint8_t ethermac[6]; + } val; + / Wished for a world where the ones below were gone: / + union { + struct xt_entry_match match; + struct xt_entry_target target; + }; + void xt_entry; + void udata; +}; + +/* + * @ext_name: name of extension currently being processed + * @data: per-extension (kernel) data block + * @udata: per-extension private scratch area + * (cf. xtables_{match,target}->udata_size) + * @xflags: options of the extension that have been used + / +struct xt_fcheck_call { + const char ext_name; + void data, udata; + unsigned int xflags; +}; + +/** + * A "linear"/linked-list based name<->id map, for files similar to + * /etc/iproute2/. + / +struct xtables_lmap { + char name; + int id; + struct xtables_lmap next; +}; + +/ Include file for additions: new matches and targets. / +struct xtables_match +{ + / + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. + / + const char version; + + struct xtables_match next; + + const char name; + const char real_name; + + / Revision of match (0 by default). / + u_int8_t revision; + + u_int16_t family; + + / Size of match data. / + size_t size; + + / Size of match data relevent for userspace comparison purposes / + size_t userspacesize; + + / Function which prints out usage message. / + void (help)(void); + + /* Initialize the match. / + void (init)(struct xt_entry_match m); + + / Function which parses command options; returns true if it + ate an option / + / entry is struct ipt_entry for example / + int (parse)(int c, char *argv, int invert, unsigned int flags, + const void entry, + struct xt_entry_match match); + + / Final check; exit if not ok. / + void (final_check)(unsigned int flags); + + /* Prints out the match iff non-NULL: put space at end / + / ip is struct ipt_ip * for example / + void (print)(const void ip, + const struct xt_entry_match match, int numeric); + + /* Saves the match info in parsable form to stdout. / + / ip is struct ipt_ip * for example / + void (save)(const void ip, const struct xt_entry_match match); + + /* Pointer to list of extra command-line options / + const struct option extra_opts; + + /* New parser / + void (x6_parse)(struct xt_option_call ); + void (x6_fcheck)(struct xt_fcheck_call ); + const struct xt_option_entry x6_options; + + /* Size of per-extension instance extra "global" scratch space / + size_t udata_size; + + / Ignore these men behind the curtain: / + void udata; + unsigned int option_offset; + struct xt_entry_match m; + unsigned int mflags; + unsigned int loaded; / simulate loading so options are merged properly / +}; + +struct xtables_target +{ + / + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. + / + const char version; + + struct xtables_target next; + + + const char name; + + /* Real target behind this, if any. / + const char real_name; + + /* Revision of target (0 by default). / + u_int8_t revision; + + u_int16_t family; + + + / Size of target data. / + size_t size; + + / Size of target data relevent for userspace comparison purposes / + size_t userspacesize; + + / Function which prints out usage message. / + void (help)(void); + + /* Initialize the target. / + void (init)(struct xt_entry_target t); + + / Function which parses command options; returns true if it + ate an option / + / entry is struct ipt_entry for example / + int (parse)(int c, char *argv, int invert, unsigned int flags, + const void entry, + struct xt_entry_target targetinfo); + + / Final check; exit if not ok. / + void (final_check)(unsigned int flags); + + /* Prints out the target iff non-NULL: put space at end / + void (print)(const void ip, + const struct xt_entry_target target, int numeric); + + /* Saves the targinfo in parsable form to stdout. / + void (save)(const void ip, + const struct xt_entry_target target); + + /* Pointer to list of extra command-line options / + const struct option extra_opts; + + /* New parser / + void (x6_parse)(struct xt_option_call ); + void (x6_fcheck)(struct xt_fcheck_call ); + const struct xt_option_entry x6_options; + + size_t udata_size; + + /* Ignore these men behind the curtain: / + void udata; + unsigned int option_offset; + struct xt_entry_target t; + unsigned int tflags; + unsigned int used; + unsigned int loaded; / simulate loading so options are merged properly / +}; + +struct xtables_rule_match { + struct xtables_rule_match next; + struct xtables_match match; + / Multiple matches of the same type: the ones before + the current one are completed from parsing point of view / + bool completed; +}; + +/* + * struct xtables_pprot - + * + * A few hardcoded protocols for 'all' and in case the user has no + * /etc/protocols. + / +struct xtables_pprot { + const char name; + u_int8_t num; +}; + +enum xtables_tryload { + XTF_DONT_LOAD, + XTF_DURING_LOAD, + XTF_TRY_LOAD, + XTF_LOAD_MUST_SUCCEED, +}; + +enum xtables_exittype { + OTHER_PROBLEM = 1, + PARAMETER_PROBLEM, + VERSION_PROBLEM, + RESOURCE_PROBLEM, + XTF_ONLY_ONCE, + XTF_NO_INVERT, + XTF_BAD_VALUE, + XTF_ONE_ACTION, +}; + +struct xtables_globals +{ + unsigned int option_offset; + const char program_name, program_version; + struct option orig_opts; + struct option opts; + void (exit_err)(enum xtables_exittype status, const char msg, ...) __attribute__((noreturn, format(printf,2,3))); +}; + +#define XT_GETOPT_TABLEEND {.name = NULL, .has_arg = false} + +#ifdef __cplusplus +extern "C" { +#endif + +extern const char xtables_modprobe_program; +extern struct xtables_match xtables_matches; +extern struct xtables_target xtables_targets; + +extern void xtables_init(void); +extern void xtables_set_nfproto(uint8_t); +extern void xtables_calloc(size_t, size_t); +extern void xtables_malloc(size_t); +extern void xtables_realloc(void , size_t); + +extern int xtables_insmod(const char , const char , bool); +extern int xtables_load_ko(const char , bool); +extern int xtables_set_params(struct xtables_globals xtp); +extern void xtables_free_opts(int reset_offset); +extern struct option xtables_merge_options(struct option origopts, + struct option oldopts, const struct option newopts, + unsigned int option_offset); + +extern int xtables_init_all(struct xtables_globals xtp, uint8_t nfproto); +extern struct xtables_match xtables_find_match(const char name, + enum xtables_tryload, struct xtables_rule_match match); +extern struct xtables_target xtables_find_target(const char name, + enum xtables_tryload); + +/ Your shared library should call one of these. / +extern void xtables_register_match(struct xtables_match me); +extern void xtables_register_matches(struct xtables_match , unsigned int); +extern void xtables_register_target(struct xtables_target me); +extern void xtables_register_targets(struct xtables_target , unsigned int); + +extern bool xtables_strtoul(const char , char *, uintmax_t , + uintmax_t, uintmax_t); +extern bool xtables_strtoui(const char , char , unsigned int , + unsigned int, unsigned int); +extern int xtables_service_to_port(const char name, const char proto); +extern u_int16_t xtables_parse_port(const char port, const char proto); +extern void +xtables_parse_interface(const char arg, char vianame, unsigned char mask); + +/ this is a special 64bit data type that is 8-byte aligned / +#define aligned_u64 u_int64_t __attribute__((aligned(8))) + +extern struct xtables_globals xt_params; +#define xtables_error (xt_params->exit_err) + +extern void xtables_param_act(unsigned int, const char , ...); + +extern const char xtables_ipaddr_to_numeric(const struct in_addr ); +extern const char xtables_ipaddr_to_anyname(const struct in_addr ); +extern const char xtables_ipmask_to_numeric(const struct in_addr ); +extern struct in_addr xtables_numeric_to_ipaddr(const char ); +extern struct in_addr xtables_numeric_to_ipmask(const char ); +extern int xtables_ipmask_to_cidr(const struct in_addr ); +extern void xtables_ipparse_any(const char , struct in_addr , + struct in_addr , unsigned int ); +extern void xtables_ipparse_multiple(const char , struct in_addr , + struct in_addr , unsigned int ); + +extern struct in6_addr xtables_numeric_to_ip6addr(const char ); +extern const char xtables_ip6addr_to_numeric(const struct in6_addr ); +extern const char xtables_ip6addr_to_anyname(const struct in6_addr ); +extern const char xtables_ip6mask_to_numeric(const struct in6_addr ); +extern int xtables_ip6mask_to_cidr(const struct in6_addr ); +extern void xtables_ip6parse_any(const char , struct in6_addr , + struct in6_addr , unsigned int ); +extern void xtables_ip6parse_multiple(const char , struct in6_addr , + struct in6_addr , unsigned int ); + +/* + * Print the specified value to standard output, quoting dangerous + * characters if required. + / +extern void xtables_save_string(const char value); + +#if defined(ALL_INCLUSIVE) \|\| defined(NO_SHARED_LIBS) +# ifdef _INIT +# undef _init +# define _init _INIT +# endif + extern void init_extensions(void); + extern void init_extensions4(void); + extern void init_extensions6(void); +#else +# define _init __attribute__((constructor)) _INIT +#endif + +extern const struct xtables_pprot xtables_chain_protos[]; +extern u_int16_t xtables_parse_protocol(const char s); + +/ kernel revision handling / +extern int kernel_version; +extern void get_kernel_version(void); +#define LINUX_VERSION(x,y,z) (0x10000(x) + 0x100(y) + z) +#define LINUX_VERSION_MAJOR(x) (((x)>>16) & 0xFF) +#define LINUX_VERSION_MINOR(x) (((x)>> 8) & 0xFF) +#define LINUX_VERSION_PATCH(x) ( (x) & 0xFF) + +/ xtoptions.c / +extern void xtables_option_metavalidate(const char , + const struct xt_option_entry ); +extern struct option xtables_options_xfrm(struct option , struct option , + const struct xt_option_entry , + unsigned int ); +extern void xtables_option_parse(struct xt_option_call ); +extern void xtables_option_tpcall(unsigned int, char , bool, + struct xtables_target , void ); +extern void xtables_option_mpcall(unsigned int, char , bool, + struct xtables_match , void ); +extern void xtables_option_tfcall(struct xtables_target ); +extern void xtables_option_mfcall(struct xtables_match ); +extern void xtables_options_fcheck(const char , unsigned int, + const struct xt_option_entry ); + +extern struct xtables_lmap xtables_lmap_init(const char ); +extern void xtables_lmap_free(struct xtables_lmap ); +extern int xtables_lmap_name2id(const struct xtables_lmap , const char ); +extern const char xtables_lmap_id2name(const struct xtables_lmap , int); + +#ifdef XTABLES_INTERNAL + +/* Shipped modules rely on this... / + +# ifndef ARRAY_SIZE +# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x))) +# endif + +extern void _init(void); + +#endif + +#ifdef __cplusplus +} /* extern "C" / +#endif + +#endif / _XTABLES_H */
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/.gitignore ^
@@ -5,6 +5,7 @@ /ip6tables-static /iptables /iptables.8 +/iptables-extensions.8 /iptables-save /iptables-restore /iptables-static
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/Makefile.am ^
@@ -27,7 +27,7 @@ sbin_PROGRAMS = xtables-multi man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 + ip6tables-save.8 iptables-extensions.8 CLEANFILES = iptables.8 ip6tables.8 vx_bin_links = iptables-xml @@ -38,11 +38,17 @@ v6_sbin_links = ip6tables ip6tables-restore ip6tables-save endif -iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@; +iptables.8: ${srcdir}/iptables.8.in + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@; -ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@; +ip6tables.8: ${srcdir}/ip6tables.8.in + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@; + +iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man + ${AM_VERBOSE_GEN} sed -e \ + 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \ + -e '/@MATCH@/ r ../extensions/matches.man' \ + -e '/@TARGET@/ r ../extensions/targets.man' $< >$@; pkgconfig_DATA = xtables.pc
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -19,6 +19,23 @@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -103,6 +120,11 @@ $(LDFLAGS) -o $@ SOURCES = $(xtables_multi_SOURCES) DIST_SOURCES = $(am__xtables_multi_SOURCES_DIST) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + ) (install-info --version) >/dev/null 2>&1;; \ + esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" \| sed 's\|.\|.\|g'`; am__vpath_adj = case $$p in \ $(srcdir)/) f=`echo "$$p" \| sed "s\|^$$srcdirstrip/\|\|"`;; \ @@ -280,7 +302,7 @@ $(am__append_7) ../libxtables/libxtables.la -lm man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 + ip6tables-save.8 iptables-extensions.8 CLEANFILES = iptables.8 ip6tables.8 vx_bin_links = iptables-xml @@ -325,8 +347,11 @@ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(sbindir)" \|\| $(MKDIR_P) "$(DESTDIR)$(sbindir)" @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" \|\| exit 1; \ + fi; \ for p in $$list; do echo "$$p $$p"; done \| \ sed 's/$(EXEEXT)$$//' \| \ while read p p1; do if test -f $$p \|\| test -f $$p1; \ @@ -570,11 +595,18 @@ -rm -rf .libs _libs install-man1: $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man1dir)" \|\| $(MKDIR_P) "$(DESTDIR)$(man1dir)" - @list=''; test -n "$(man1dir)" \|\| exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done \| \ - sed -n '/\.1[a-z]$$/p'; \ + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man1dir)" \ + && test -n "`echo $$list1$$list2`" \ + \|\| exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man1dir)" \|\| exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + \| sed -n '/\.1[a-z]$$/p'; \ + fi; \ } \| while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ @@ -606,11 +638,18 @@ dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir) install-man8: $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man8dir)" \|\| $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list=''; test -n "$(man8dir)" \|\| exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done \| \ - sed -n '/\.8[a-z]$$/p'; \ + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + \|\| exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" \|\| exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + \| sed -n '/\.8[a-z]$$/p'; \ + fi; \ } \| while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ @@ -642,8 +681,11 @@ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) install-pkgconfigDATA: $(pkgconfig_DATA) @$(NORMAL_INSTALL) - test -z "$(pkgconfigdir)" \|\| $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgconfigdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" \|\| exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ @@ -886,11 +928,17 @@ uninstall-man8 uninstall-pkgconfigDATA uninstall-sbinPROGRAMS -iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@; +iptables.8: ${srcdir}/iptables.8.in + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@; + +ip6tables.8: ${srcdir}/ip6tables.8.in + ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' $< >$@; -ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man - ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@; +iptables-extensions.8: ${srcdir}/iptables-extensions.8.in ../extensions/matches.man ../extensions/targets.man + ${AM_VERBOSE_GEN} sed -e \ + 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' \ + -e '/@MATCH@/ r ../extensions/matches.man' \ + -e '/@TARGET@/ r ../extensions/targets.man' $< >$@; # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook:
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/ip6tables-restore.c ^
@@ -114,6 +114,70 @@ free(newargv[i]); } +static void add_param_to_argv(char parsestart) +{ + int quote_open = 0, escaped = 0, param_len = 0; + char param_buffer[1024], curchar; + + /* After fighting with strtok enough, here's now + * a 'real' parser. According to Rusty I'm now no + * longer a real hacker, but I can live with that / + + for (curchar = parsestart; curchar; curchar++) { + if (quote_open) { + if (escaped) { + param_buffer[param_len++] = curchar; + escaped = 0; + continue; + } else if (curchar == '\\') { + escaped = 1; + continue; + } else if (curchar == '"') { + quote_open = 0; + curchar = ' '; + } else { + param_buffer[param_len++] = curchar; + continue; + } + } else { + if (curchar == '"') { + quote_open = 1; + continue; + } + } + + if (curchar == ' ' + \|\| curchar == '\t' + \|\| * curchar == '\n') { + if (!param_len) { + /* two spaces? / + continue; + } + + param_buffer[param_len] = '\0'; + + / check if table name specified / + if (!strncmp(param_buffer, "-t", 2) + \|\| !strncmp(param_buffer, "--table", 8)) { + xtables_error(PARAMETER_PROBLEM, + "The -t option (seen in line %u) cannot be " + "used in ip6tables-restore.\n", line); + exit(1); + } + + add_argv(param_buffer); + param_len = 0; + } else { + / regular character, copy to buffer / + param_buffer[param_len++] = curchar; + + if (param_len >= sizeof(param_buffer)) + xtables_error(PARAMETER_PROBLEM, + "Parameter too long!"); + } + } +} + int ip6tables_restore_main(int argc, char argv[]) { struct xtc_handle handle = NULL; @@ -325,11 +389,6 @@ char bcnt = NULL; char parsestart; - /* the parser / - char curchar; - int quote_open, escaped; - size_t param_len; - /* reset the newargv / newargc = 0; @@ -370,69 +429,7 @@ add_argv((char ) bcnt); } - /* After fighting with strtok enough, here's now - * a 'real' parser. According to Rusty I'm now no - * longer a real hacker, but I can live with that / - - quote_open = 0; - escaped = 0; - param_len = 0; - - for (curchar = parsestart; curchar; curchar++) { - char param_buffer[1024]; - - if (quote_open) { - if (escaped) { - param_buffer[param_len++] = curchar; - escaped = 0; - continue; - } else if (curchar == '\\') { - escaped = 1; - continue; - } else if (curchar == '"') { - quote_open = 0; - curchar = ' '; - } else { - param_buffer[param_len++] = curchar; - continue; - } - } else { - if (curchar == '"') { - quote_open = 1; - continue; - } - } - - if (curchar == ' ' - \|\| curchar == '\t' - \|\| * curchar == '\n') { - if (!param_len) { - /* two spaces? / - continue; - } - - param_buffer[param_len] = '\0'; - - / check if table name specified / - if (!strncmp(param_buffer, "-t", 2) - \|\| !strncmp(param_buffer, "--table", 8)) { - xtables_error(PARAMETER_PROBLEM, - "Line %u seems to have a " - "-t table option.\n", line); - exit(1); - } - - add_argv(param_buffer); - param_len = 0; - } else { - / regular character, copy to buffer / - param_buffer[param_len++] = curchar; - - if (param_len >= sizeof(param_buffer)) - xtables_error(PARAMETER_PROBLEM, - "Parameter too long!"); - } - } + add_param_to_argv(parsestart); DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", newargc, curtable);
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/ip6tables.8.in ^
@@ -362,23 +362,8 @@ to load any necessary modules (targets, match extensions, etc). .SH MATCH EXTENSIONS .PP -ip6tables can use extended packet matching modules -with the \fB\-m\fP or \fB\-\-match\fP -options, followed by the matching module name; after these, various -extra command line options become available, depending on the specific -module. You can specify multiple extended match modules in one line, -and you can use the \fB\-h\fP or \fB\-\-help\fP -options after the module has been specified to receive help specific -to that module. -.PP -If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an -unknown option is encountered, ip6tables will try load a match module of the -same name as the protocol, to try making the option available. -.\" @MATCH@ -.SH TARGET EXTENSIONS -ip6tables can use extended target modules: the following are included -in the standard distribution. -.\" @TARGET@ +iptables can use extended packet matching and target modules. +A list of these is available in the \fBiptables\-extensions\fP(8) manpage. .SH DIAGNOSTICS Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by @@ -405,6 +390,8 @@ \fBip6tables\-save\fP(8), \fBip6tables\-restore\fP(8), \fBiptables\fP(8), +\fBiptables\-apply\fP(8), +\fBiptables\-extensions\fP(8), \fBiptables\-save\fP(8), \fBiptables\-restore\fP(8), \fBlibipq\fP(3).
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/ip6tables.c ^
@@ -85,7 +85,7 @@ #define CMD_CHECK 0x4000U #define NUMBER_OF_CMD 16 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', - 'Z', 'N', 'X', 'P', 'E', 'S', 'C' }; + 'N', 'X', 'P', 'E', 'S', 'Z', 'C' }; #define NUMBER_OF_OPT ARRAY_SIZE(optflags) static const char optflags[] @@ -1286,8 +1286,16 @@ cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + if (cs->target->real_name == NULL) { + strcpy(cs->target->t->u.user.name, cs->jumpto); + } else { + strcpy(cs->target->t->u.user.name, cs->target->real_name); + fprintf(stderr, "WARNING: The %s target is obsolete. " + "Use %s instead.\n", + cs->jumpto, cs->target->real_name); + } cs->target->t->u.user.revision = cs->target->revision; + xs_init_target(cs->target); if (cs->target->x6_options != NULL) opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts, @@ -1314,8 +1322,15 @@ size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; - strcpy(m->m->u.user.name, m->name); + if (m->real_name == NULL) { + strcpy(m->m->u.user.name, m->name); + } else { + strcpy(m->m->u.user.name, m->real_name); + fprintf(stderr, "WARNING: The %s match is obsolete. " + "Use %s instead.\n", m->name, m->real_name); + } m->m->u.user.revision = m->revision; + xs_init_match(m); if (m == m->next) return;
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/iptables-apply.8 ^
@@ -18,7 +18,7 @@ case, the script rolls back to the previous ruleset after the timeout expired. The timeout can be set with \fB\-t\fP. .PP -When called as ip6tables\-apply, the script will use +When called as \fBip6tables\-apply\fP, the script will use ip6tables\-save/\-restore instead. .SH OPTIONS .TP
[-] [+]	Added	iptables-1.4.16.2.tar.bz2/iptables/iptables-extensions.8.in ^
@@ -0,0 +1,27 @@ +.TH iptables-extensions 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@" +.SH NAME +iptables-extensions \(em list of extensions in the standard iptables distribution +.SH SYNOPSIS +\fBip6tables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] +[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] +.PP +\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] +[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] +.SH MATCH EXTENSIONS +iptables can use extended packet matching modules +with the \fB\-m\fP or \fB\-\-match\fP +options, followed by the matching module name; after these, various +extra command line options become available, depending on the specific +module. You can specify multiple extended match modules in one line, +and you can use the \fB\-h\fP or \fB\-\-help\fP +options after the module has been specified to receive help specific +to that module. +.PP +If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an +unknown option is encountered, iptables will try load a match module of the +same name as the protocol, to try making the option available. +.\" @MATCH@ +.SH TARGET EXTENSIONS +iptables can use extended target modules: the following are included +in the standard distribution. +.\" @TARGET@
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/iptables-restore.c ^
@@ -113,6 +113,70 @@ free(newargv[i]); } +static void add_param_to_argv(char parsestart) +{ + int quote_open = 0, escaped = 0, param_len = 0; + char param_buffer[1024], curchar; + + /* After fighting with strtok enough, here's now + * a 'real' parser. According to Rusty I'm now no + * longer a real hacker, but I can live with that / + + for (curchar = parsestart; curchar; curchar++) { + if (quote_open) { + if (escaped) { + param_buffer[param_len++] = curchar; + escaped = 0; + continue; + } else if (curchar == '\\') { + escaped = 1; + continue; + } else if (curchar == '"') { + quote_open = 0; + curchar = ' '; + } else { + param_buffer[param_len++] = curchar; + continue; + } + } else { + if (curchar == '"') { + quote_open = 1; + continue; + } + } + + if (curchar == ' ' + \|\| curchar == '\t' + \|\| * curchar == '\n') { + if (!param_len) { + /* two spaces? / + continue; + } + + param_buffer[param_len] = '\0'; + + / check if table name specified / + if (!strncmp(param_buffer, "-t", 2) + \|\| !strncmp(param_buffer, "--table", 8)) { + xtables_error(PARAMETER_PROBLEM, + "The -t option (seen in line %u) cannot be " + "used in iptables-restore.\n", line); + exit(1); + } + + add_argv(param_buffer); + param_len = 0; + } else { + / regular character, copy to buffer / + param_buffer[param_len++] = curchar; + + if (param_len >= sizeof(param_buffer)) + xtables_error(PARAMETER_PROBLEM, + "Parameter too long!"); + } + } +} + int iptables_restore_main(int argc, char argv[]) { @@ -325,11 +389,6 @@ char bcnt = NULL; char parsestart; - / the parser / - char curchar; - int quote_open, escaped; - size_t param_len; - /* reset the newargv / newargc = 0; @@ -370,69 +429,7 @@ add_argv((char ) bcnt); } - /* After fighting with strtok enough, here's now - * a 'real' parser. According to Rusty I'm now no - * longer a real hacker, but I can live with that / - - quote_open = 0; - escaped = 0; - param_len = 0; - - for (curchar = parsestart; curchar; curchar++) { - char param_buffer[1024]; - - if (quote_open) { - if (escaped) { - param_buffer[param_len++] = curchar; - escaped = 0; - continue; - } else if (curchar == '\\') { - escaped = 1; - continue; - } else if (curchar == '"') { - quote_open = 0; - curchar = ' '; - } else { - param_buffer[param_len++] = curchar; - continue; - } - } else { - if (curchar == '"') { - quote_open = 1; - continue; - } - } - - if (curchar == ' ' - \|\| curchar == '\t' - \|\| * curchar == '\n') { - if (!param_len) { - /* two spaces? / - continue; - } - - param_buffer[param_len] = '\0'; - - / check if table name specified / - if (!strncmp(param_buffer, "-t", 2) - \|\| !strncmp(param_buffer, "--table", 8)) { - xtables_error(PARAMETER_PROBLEM, - "Line %u seems to have a " - "-t table option.\n", line); - exit(1); - } - - add_argv(param_buffer); - param_len = 0; - } else { - / regular character, copy to buffer / - param_buffer[param_len++] = curchar; - - if (param_len >= sizeof(param_buffer)) - xtables_error(PARAMETER_PROBLEM, - "Parameter too long!"); - } - } + add_param_to_argv(parsestart); DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", newargc, curtable);
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/iptables.8.in ^
@@ -355,25 +355,10 @@ \fB\-\-modprobe=\fP\fIcommand\fP When adding or inserting rules into a chain, use \fIcommand\fP to load any necessary modules (targets, match extensions, etc). -.SH MATCH EXTENSIONS +.SH MATCH AND TARGET EXTENSIONS .PP -iptables can use extended packet matching modules -with the \fB\-m\fP or \fB\-\-match\fP -options, followed by the matching module name; after these, various -extra command line options become available, depending on the specific -module. You can specify multiple extended match modules in one line, -and you can use the \fB\-h\fP or \fB\-\-help\fP -options after the module has been specified to receive help specific -to that module. -.PP -If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an -unknown option is encountered, iptables will try load a match module of the -same name as the protocol, to try making the option available. -.\" @MATCH@ -.SH TARGET EXTENSIONS -iptables can use extended target modules: the following are included -in the standard distribution. -.\" @TARGET@ +iptables can use extended packet matching and target modules. +A list of these is available in the \fBiptables\-extensions\fP(8) manpage. .SH DIAGNOSTICS Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by @@ -408,8 +393,10 @@ .fi There are several other changes in iptables. .SH SEE ALSO +\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\-restore\fP(8), +\fBiptables\-extensions\fP(8), \fBip6tables\fP(8), \fBip6tables\-save\fP(8), \fBip6tables\-restore\fP(8),
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/iptables/iptables.c ^
@@ -81,7 +81,7 @@ #define CMD_CHECK 0x4000U #define NUMBER_OF_CMD 16 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', - 'Z', 'N', 'X', 'P', 'E', 'S', 'C' }; + 'N', 'X', 'P', 'E', 'S', 'Z', 'C' }; #define OPT_FRAGMENT 0x00800U #define NUMBER_OF_OPT ARRAY_SIZE(optflags) @@ -1295,8 +1295,17 @@ cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + if (cs->target->real_name == NULL) { + strcpy(cs->target->t->u.user.name, cs->jumpto); + } else { + /* Alias support for userspace side */ + strcpy(cs->target->t->u.user.name, cs->target->real_name); + fprintf(stderr, "WARNING: The %s target is obsolete. " + "Use %s instead.\n", + cs->jumpto, cs->target->real_name); + } cs->target->t->u.user.revision = cs->target->revision; + xs_init_target(cs->target); if (cs->target->x6_options != NULL) @@ -1324,8 +1333,15 @@ size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size; m->m = xtables_calloc(1, size); m->m->u.match_size = size; - strcpy(m->m->u.user.name, m->name); + if (m->real_name == NULL) { + strcpy(m->m->u.user.name, m->name); + } else { + strcpy(m->m->u.user.name, m->real_name); + fprintf(stderr, "WARNING: The %s match is obsolete. " + "Use %s instead.\n", m->name, m->real_name); + } m->m->u.user.revision = m->revision; + xs_init_match(m); if (m == m->next) return;
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/libipq/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -19,6 +19,23 @@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -98,6 +115,11 @@ $(LDFLAGS) -o $@ SOURCES = $(libipq_la_SOURCES) DIST_SOURCES = $(libipq_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + ) (install-info --version) >/dev/null 2>&1;; \ + esac man3dir = $(mandir)/man3 NROFF = nroff MANS = $(man_MANS) @@ -285,7 +307,6 @@ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" \|\| $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" \|\| list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -293,6 +314,8 @@ else :; fi; \ done; \ test -z "$$list2" \|\| { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" \|\| exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ } @@ -353,11 +376,18 @@ -rm -rf .libs _libs install-man3: $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man3dir)" \|\| $(MKDIR_P) "$(DESTDIR)$(man3dir)" - @list=''; test -n "$(man3dir)" \|\| exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done \| \ - sed -n '/\.3[a-z]$$/p'; \ + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man3dir)" \ + && test -n "`echo $$list1$$list2`" \ + \|\| exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man3dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man3dir)" \|\| exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + \| sed -n '/\.3[a-z]*$$/p'; \ + fi; \ } \| while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ @@ -389,8 +419,11 @@ dir='$(DESTDIR)$(man3dir)'; $(am__uninstall_files_from_dir) install-pkgconfigDATA: $(pkgconfig_DATA) @$(NORMAL_INSTALL) - test -z "$(pkgconfigdir)" \|\| $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgconfigdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" \|\| exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/libiptc/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -19,6 +19,23 @@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -115,6 +132,11 @@ $(libiptc_la_SOURCES) DIST_SOURCES = $(libip4tc_la_SOURCES) $(libip6tc_la_SOURCES) \ $(libiptc_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac DATA = $(pkgconfig_DATA) ETAGS = etags CTAGS = ctags @@ -304,7 +326,6 @@ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" \|\| $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" \|\| list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -312,6 +333,8 @@ else :; fi; \ done; \ test -z "$$list2" \|\| { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" \|\| exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ } @@ -377,8 +400,11 @@ -rm -rf .libs _libs install-pkgconfigDATA: $(pkgconfig_DATA) @$(NORMAL_INSTALL) - test -z "$(pkgconfigdir)" \|\| $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgconfigdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" \|\| exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/libxtables/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -18,6 +18,23 @@ # -- Makefile -- VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -105,6 +122,11 @@ $(LDFLAGS) -o $@ SOURCES = $(libxtables_la_SOURCES) DIST_SOURCES = $(libxtables_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -284,7 +306,6 @@ $(am__aclocal_m4_deps): install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" \|\| $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" \|\| list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -292,6 +313,8 @@ else :; fi; \ done; \ test -z "$$list2" \|\| { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" \|\| exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ }
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/libxtables/xtables.c ^
@@ -862,14 +862,77 @@ xtables_pending_matches = me; } +/** + * Compare two actions for their preference + * @a: one action + * @b: another + * + * Like strcmp, returns a negative number if @a is less preferred than @b, + * positive number if @a is more preferred than @b, or zero if equally + * preferred. + / +static int +xtables_mt_prefer(bool a_alias, unsigned int a_rev, unsigned int a_fam, + bool b_alias, unsigned int b_rev, unsigned int b_fam) +{ + / + * Alias ranks higher than no alias. + * (We want the new action to be used whenever possible.) + / + if (!a_alias && b_alias) + return -1; + if (a_alias && !b_alias) + return 1; + + / Higher revision ranks higher. / + if (a_rev < b_rev) + return -1; + if (a_rev > b_rev) + return 1; + + / NFPROTO_<specific> ranks higher than NFPROTO_UNSPEC. / + if (a_fam == NFPROTO_UNSPEC && b_fam != NFPROTO_UNSPEC) + return -1; + if (a_fam != NFPROTO_UNSPEC && b_fam == NFPROTO_UNSPEC) + return 1; + + / Must be the same thing. / + return 0; +} + +static int xtables_match_prefer(const struct xtables_match a, + const struct xtables_match b) +{ + return xtables_mt_prefer(a->real_name != NULL, + a->revision, a->family, + b->real_name != NULL, + b->revision, b->family); +} + +static int xtables_target_prefer(const struct xtables_target a, + const struct xtables_target b) +{ + / + * Note that if x->real_name==NULL, it will be set to x->name in + * xtables_register_; the direct pointer comparison here is therefore + legitimate to detect an alias. + / + return xtables_mt_prefer(a->real_name != NULL, + a->revision, a->family, + b->real_name != NULL, + b->revision, b->family); +} + static void xtables_fully_register_pending_match(struct xtables_match me) { struct xtables_match *i, old; + const char rn; + int compare; old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL); if (old) { - if (old->revision == me->revision && - old->family == me->family) { + compare = xtables_match_prefer(old, me); + if (compare == 0) { fprintf(stderr, "%s: match `%s' already registered.\n", xt_params->program_name, me->name); @@ -877,16 +940,14 @@ } / Now we have two (or more) options, check compatibility. / - if (compatible_match_revision(old->name, old->revision) - && old->revision > me->revision) + rn = (old->real_name != NULL) ? old->real_name : old->name; + if (compare > 0 && + compatible_match_revision(rn, old->revision)) return; / See if new match can be used. / - if (!compatible_match_revision(me->name, me->revision)) - return; - - / Prefer !AF_UNSPEC over AF_UNSPEC for same revision. / - if (old->revision == me->revision && me->family == AF_UNSPEC) + rn = (me->real_name != NULL) ? me->real_name : me->name; + if (!compatible_match_revision(rn, me->revision)) return; / Delete old one. / @@ -962,13 +1023,15 @@ static void xtables_fully_register_pending_target(struct xtables_target me) { struct xtables_target old; + const char rn; + int compare; old = xtables_find_target(me->name, XTF_DURING_LOAD); if (old) { struct xtables_target *i; - if (old->revision == me->revision && - old->family == me->family) { + compare = xtables_target_prefer(old, me); + if (compare == 0) { fprintf(stderr, "%s: target `%s' already registered.\n", xt_params->program_name, me->name); @@ -976,16 +1039,14 @@ } / Now we have two (or more) options, check compatibility. / - if (compatible_target_revision(old->name, old->revision) - && old->revision > me->revision) + rn = (old->real_name != NULL) ? old->real_name : old->name; + if (compare > 0 && + compatible_target_revision(rn, old->revision)) return; / See if new target can be used. / - if (!compatible_target_revision(me->name, me->revision)) - return; - - / Prefer !AF_UNSPEC over AF_UNSPEC for same revision. / - if (old->revision == me->revision && me->family == AF_UNSPEC) + rn = (me->real_name != NULL) ? me->real_name : me->name; + if (!compatible_target_revision(rn, me->revision)) return; / Delete old one. / @@ -1133,28 +1194,43 @@ return xtables_ipaddr_to_numeric(addr); } -const char xtables_ipmask_to_numeric(const struct in_addr mask) +int xtables_ipmask_to_cidr(const struct in_addr mask) { - static char buf[20]; uint32_t maskaddr, bits; int i; maskaddr = ntohl(mask->s_addr); - + /* shortcut for /32 networks / if (maskaddr == 0xFFFFFFFFL) - / we don't want to see "/32" / - return ""; + return 32; i = 32; bits = 0xFFFFFFFEL; while (--i >= 0 && maskaddr != bits) bits <<= 1; if (i >= 0) - sprintf(buf, "/%d", i); - else + return i; + + / this mask cannot be converted to CIDR notation / + return -1; +} + +const char xtables_ipmask_to_numeric(const struct in_addr mask) +{ + static char buf[20]; + uint32_t cidr; + + cidr = xtables_ipmask_to_cidr(mask); + if (cidr < 0) { / mask was not a decent combination of 1's and 0's / sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask)); + return buf; + } else if (cidr == 32) { + / we don't want to see "/32" / + return ""; + } + sprintf(buf, "/%d", cidr); return buf; } @@ -1465,7 +1541,7 @@ return xtables_ip6addr_to_numeric(addr); } -static int ip6addr_prefix_length(const struct in6_addr k) +int xtables_ip6mask_to_cidr(const struct in6_addr k) { unsigned int bits = 0; uint32_t a, b, c, d; @@ -1492,7 +1568,7 @@ const char xtables_ip6mask_to_numeric(const struct in6_addr *addrp) { static char buf[50+2]; - int l = ip6addr_prefix_length(addrp); + int l = xtables_ip6mask_to_cidr(addrp); if (l == -1) { strcpy(buf, "/");
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/m4/libtool.m4 ^
@@ -2512,17 +2512,6 @@ esac ;; -gnu) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -2639,7 +2628,7 @@ ;; # This must be glibc/ELF. -linux* \| kbsd-gnu \| kopensolaris-gnu) +linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -3255,10 +3244,6 @@ fi ;; -gnu) - lt_cv_deplibs_check_method=pass_all - ;; - haiku) lt_cv_deplibs_check_method=pass_all ;; @@ -3297,7 +3282,7 @@ ;; # This must be glibc/ELF. -linux* \| kbsd-gnu \| kopensolaris-gnu) +linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -4049,7 +4034,7 @@ ;; esac ;; - linux* \| kbsd-gnu \| kopensolaris-gnu) + linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) case $cc_basename in KCC) # KAI C++ Compiler @@ -4348,7 +4333,7 @@ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux \| kbsd-gnu \| kopensolaris-gnu) + linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc) @@ -6241,9 +6226,6 @@ _LT_TAGVAR(ld_shlibs, $1)=yes ;; - gnu) - ;; - haiku) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes @@ -6405,7 +6387,7 @@ _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux \| kbsd-gnu \| kopensolaris-gnu) + linux \| kbsd-gnu \| kopensolaris-gnu \| gnu) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/tests/options-most.rules ^
@@ -96,6 +96,9 @@ -A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2 -A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3 -A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4 +-A matches -m hashlimit --hashlimit-upto 4kb/s --hashlimit-burst 400kb --hashlimit-name mini5 +-A matches -m hashlimit --hashlimit-upto 10mb/s --hashlimit-name mini6 +-A matches -m hashlimit --hashlimit-upto 123456b/s --hashlimit-burst 1mb --hashlimit-name mini7 -A matches -A matches -m hbh ! --hbh-len 5 -A matches
[-] [+]	Changed	iptables-1.4.16.2.tar.bz2/utils/Makefile.in ^
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -19,6 +19,23 @@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + \\[\ \ ]) \ + echo 'am--echo: ; @echo "AM" OK' \| $(MAKE) -f - 2>/dev/null \ + \| grep '^AM OK$$' >/dev/null \|\| am__dry=yes;; \ + ) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + =\|--) ;; \ + n) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ @@ -70,6 +87,11 @@ $(LDFLAGS) -o $@ SOURCES = nfnl_osf.c DIST_SOURCES = nfnl_osf.c +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n\|no\|NO) false;; \ + ) (install-info --version) >/dev/null 2>&1;; \ + esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" \| sed 's\|.\|.\|g'`; am__vpath_adj = case $$p in \ $(srcdir)/) f=`echo "$$p" \| sed "s\|^$$srcdirstrip/\|\|"`;; \ @@ -275,8 +297,11 @@ $(am__aclocal_m4_deps): install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(sbindir)" \|\| $(MKDIR_P) "$(DESTDIR)$(sbindir)" @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" \|\| exit 1; \ + fi; \ for p in $$list; do echo "$$p $$p"; done \| \ sed 's/$(EXEEXT)$$//' \| \ while read p p1; do if test -f $$p \|\| test -f $$p1; \ @@ -356,8 +381,11 @@ -rm -rf .libs _libs install-pkgdataDATA: $(pkgdata_DATA) @$(NORMAL_INSTALL) - test -z "$(pkgdatadir)" \|\| $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" @list='$(pkgdata_DATA)'; test -n "$(pkgdatadir)" \|\| list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgdatadir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" \|\| exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \