[-]
[+]
|
Changed |
iptables.changes
|
|
[-]
[+]
|
Changed |
iptables.spec
^
|
|
[-]
[+]
|
Deleted |
libip6t_DNPT-wordingfix.patch
^
|
@@ -1,72 +0,0 @@
-From: Ulrich Weber <ulrich.weber@sophos.com>
-Date: Wed, 2 Jan 2013 06:03:49 +0000 (+0000)
-Subject: extensions: libip6t_DNPT: fix wording in DNPT target
-X-Git-Url: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=7b04e3ef3a6ffccb23de83ef3b2d8f5aeaaa09e5
-
-extensions: libip6t_DNPT: fix wording in DNPT target
-
-replaces SNPT by DNPT.
-
-This fixes broken help message that points to SNPT.
-
-Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
-
-diff --git a/extensions/libip6t_DNPT.c b/extensions/libip6t_DNPT.c
-index 9e4dc5c..7439816 100644
---- a/extensions/libip6t_DNPT.c
-+++ b/extensions/libip6t_DNPT.c
-@@ -8,7 +8,7 @@ enum {
- O_DST_PFX = 1 << 1,
- };
-
--static const struct xt_option_entry SNPT_options[] = {
-+static const struct xt_option_entry DNPT_options[] = {
- { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK,
- .flags = XTOPT_MAND },
- { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK,
-@@ -16,16 +16,16 @@ static const struct xt_option_entry SNPT_options[] = {
- { }
- };
-
--static void SNPT_help(void)
-+static void DNPT_help(void)
- {
-- printf("SNPT target options:"
-+ printf("DNPT target options:"
- "\n"
- " --src-pfx prefix/length\n"
- " --dst-pfx prefix/length\n"
- "\n");
- }
-
--static void SNPT_parse(struct xt_option_call *cb)
-+static void DNPT_parse(struct xt_option_call *cb)
- {
- struct ip6t_npt_tginfo *npt = cb->data;
-
-@@ -42,7 +42,7 @@ static void SNPT_parse(struct xt_option_call *cb)
- }
- }
-
--static void SNPT_print(const void *ip, const struct xt_entry_target *target,
-+static void DNPT_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
- {
- const struct ip6t_npt_tginfo *npt = (const void *)target->data;
-@@ -59,10 +59,10 @@ static struct xtables_target snpt_tg_reg = {
- .family = NFPROTO_IPV6,
- .size = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)),
- .userspacesize = offsetof(struct ip6t_npt_tginfo, adjustment),
-- .help = SNPT_help,
-- .x6_parse = SNPT_parse,
-- .print = SNPT_print,
-- .x6_options = SNPT_options,
-+ .help = DNPT_help,
-+ .x6_parse = DNPT_parse,
-+ .print = DNPT_print,
-+ .x6_options = DNPT_options,
- };
-
- void _init(void)
|
[-]
[+]
|
Deleted |
libip6t_NETMAP-linkfix.patch
^
|
@@ -1,81 +0,0 @@
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Tue, 1 Jan 2013 22:47:51 +0000 (+0000)
-Subject: build: resolve link failure for ip6t_NETMAP
-X-Git-Url: https://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=68e77a26111ee6b8f10c735a76891a7de6d57ee6
-
-build: resolve link failure for ip6t_NETMAP
-
-Link stage of libip6t_NETMAP failed since recently.
-
- CCLD libip6t_NETMAP.so
-/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld:
-cannot find -lip6tc
-
-libip6t_NETMAP.c uses the "ipv6_prefix_length" function from
-libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to
-it is not specified.
-
-Why does the link succeed for some people? Because
-/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments,
-especially those without iptables development files, have that file,
-hence this link error can happen.
-
-By suggestion of Mike Frysinger, this patch uses libtool to produce
-and link the plugins.
-
-Signed-off-by: Jan Engelhardt <jengelh@inai.de>
-Acked-by: Mike Frysinger <vapier@gentoo.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
-
-diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
-index e71e3ff..adad4d6 100644
---- a/extensions/GNUmakefile.in
-+++ b/extensions/GNUmakefile.in
-@@ -33,6 +33,7 @@ AM_VERBOSE_CXX = @echo " CXX " $@;
- AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
- AM_VERBOSE_AR = @echo " AR " $@;
- AM_VERBOSE_GEN = @echo " GEN " $@;
-+AM_VERBOSE_NULL = @
- endif
-
- #
-@@ -75,7 +76,7 @@ install: ${targets_install}
- if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
-
- clean:
-- rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
-+ rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
- rm -f .*.d .*.dd;
-
- distclean: clean
-@@ -89,19 +90,22 @@ init%.o: init%.c
- #
- # Shared libraries
- #
--lib%.so: lib%.oo
-- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
-+lib%.so: lib%.la
-+ ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
-
--lib%.oo: ${srcdir}/lib%.c
-- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-+lib%.la: lib%.lo
-+ ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
-+
-+lib%.lo: ${srcdir}/lib%.c
-+ ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
-
- libxt_NOTRACK.so: libxt_CT.so
-- ln -fs $< $@
-+ ${AM_VERBOSE_GEN} ln -fs $< $@
- libxt_state.so: libxt_conntrack.so
-- ln -fs $< $@
-+ ${AM_VERBOSE_GEN} ln -fs $< $@
-
- # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
--ip6t_NETMAP_LIBADD = -lip6tc
-+ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
- xt_RATEEST_LIBADD = -lm
- xt_statistic_LIBADD = -lm
-
|
[-]
[+]
|
Deleted |
iptables-1.4.16.3.tar.bz2/include/net
^
|
-(directory)
|
[-]
[+]
|
Deleted |
iptables-1.4.16.3.tar.bz2/include/net/netfilter
^
|
-(directory)
|
[-]
[+]
|
Deleted |
iptables-1.4.16.3.tar.bz2/include/net/netfilter/nf_conntrack_tuple.h
^
|
@@ -1,114 +0,0 @@
-/* This file was manually copied from the Linux kernel source
- * and manually stripped from __KERNEL__ sections and unused functions.
- */
-
-/*
- * Definitions and Declarations for tuple.
- *
- * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
- * - generalize L3 protocol dependent part.
- *
- * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
- */
-
-#ifndef _NF_CONNTRACK_TUPLE_H
-#define _NF_CONNTRACK_TUPLE_H
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-/* A `tuple' is a structure containing the information to uniquely
- identify a connection. ie. if two packets have the same tuple, they
- are in the same connection; if not, they are not.
-
- We divide the structure along "manipulatable" and
- "non-manipulatable" lines, for the benefit of the NAT code.
-*/
-
-#define NF_CT_TUPLE_L3SIZE ARRAY_SIZE(((union nf_inet_addr *)NULL)->all)
-
-/* The protocol-specific manipulable parts of the tuple: always in
- network order! */
-union nf_conntrack_man_proto
-{
- /* Add other protocols here. */
- __be16 all;
-
- struct {
- __be16 port;
- } tcp;
- struct {
- __be16 port;
- } udp;
- struct {
- __be16 id;
- } icmp;
- struct {
- __be16 port;
- } dccp;
- struct {
- __be16 port;
- } sctp;
- struct {
- __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
- } gre;
-};
-
-/* The manipulable part of the tuple. */
-struct nf_conntrack_man
-{
- union nf_inet_addr u3;
- union nf_conntrack_man_proto u;
- /* Layer 3 protocol */
- u_int16_t l3num;
-};
-
-/* This contains the information to distinguish a connection. */
-struct nf_conntrack_tuple
-{
- struct nf_conntrack_man src;
-
- /* These are the parts of the tuple which are fixed. */
- struct {
- union nf_inet_addr u3;
- union {
- /* Add other protocols here. */
- __be16 all;
-
- struct {
- __be16 port;
- } tcp;
- struct {
- __be16 port;
- } udp;
- struct {
- u_int8_t type, code;
- } icmp;
- struct {
- __be16 port;
- } dccp;
- struct {
- __be16 port;
- } sctp;
- struct {
- __be16 key;
- } gre;
- } u;
-
- /* The protocol. */
- u_int8_t protonum;
-
- /* The direction (for tuplehash) */
- u_int8_t dir;
- } dst;
-};
-
-struct nf_conntrack_tuple_mask
-{
- struct {
- union nf_inet_addr u3;
- union nf_conntrack_man_proto u;
- } src;
-};
-
-#endif /* _NF_CONNTRACK_TUPLE_H */
|
[-]
[+]
|
Deleted |
iptables-1.4.16.3.tar.bz2/include/net/netfilter/nf_nat.h
^
|
@@ -1,55 +0,0 @@
-#ifndef _NF_NAT_H
-#define _NF_NAT_H
-#include <linux/netfilter_ipv4.h>
-#include <net/netfilter/nf_conntrack_tuple.h>
-
-#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
-
-enum nf_nat_manip_type
-{
- IP_NAT_MANIP_SRC,
- IP_NAT_MANIP_DST
-};
-
-/* SRC manip occurs POST_ROUTING or LOCAL_IN */
-#define HOOK2MANIP(hooknum) ((hooknum) != NF_INET_POST_ROUTING && \
- (hooknum) != NF_INET_LOCAL_IN)
-
-#define IP_NAT_RANGE_MAP_IPS 1
-#define IP_NAT_RANGE_PROTO_SPECIFIED 2
-#define IP_NAT_RANGE_PROTO_RANDOM 4
-#define IP_NAT_RANGE_PERSISTENT 8
-
-/* NAT sequence number modifications */
-struct nf_nat_seq {
- /* position of the last TCP sequence number modification (if any) */
- u_int32_t correction_pos;
-
- /* sequence number offset before and after last modification */
- int16_t offset_before, offset_after;
-};
-
-/* Single range specification. */
-struct nf_nat_range
-{
- /* Set to OR of flags above. */
- unsigned int flags;
-
- /* Inclusive: network order. */
- __be32 min_ip, max_ip;
-
- /* Inclusive: network order */
- union nf_conntrack_man_proto min, max;
-};
-
-/* For backwards compat: don't use in modern code. */
-struct nf_nat_multi_range_compat
-{
- unsigned int rangesize; /* Must be 1. */
-
- /* hangs off end. */
- struct nf_nat_range range[1];
-};
-
-#define nf_nat_multi_range nf_nat_multi_range_compat
-#endif
|
|
Deleted |
iptables-1.4.17.tar.bz2
^
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/configure
^
|
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for iptables 1.4.16.3.
+# Generated by GNU Autoconf 2.69 for iptables 1.4.18.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
# Identity of this package.
PACKAGE_NAME='iptables'
PACKAGE_TARNAME='iptables'
-PACKAGE_VERSION='1.4.16.3'
-PACKAGE_STRING='iptables 1.4.16.3'
+PACKAGE_VERSION='1.4.18'
+PACKAGE_STRING='iptables 1.4.18'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1351,7 +1351,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures iptables 1.4.16.3 to adapt to many kinds of systems.
+\`configure' configures iptables 1.4.18 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1421,7 +1421,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of iptables 1.4.16.3:";;
+ short | recursive ) echo "Configuration of iptables 1.4.18:";;
esac
cat <<\_ACEOF
@@ -1545,7 +1545,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-iptables configure 1.4.16.3
+iptables configure 1.4.18
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2093,7 +2093,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by iptables $as_me 1.4.16.3, which was
+It was created by iptables $as_me 1.4.18, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2443,7 +2443,7 @@
# See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=9
+libxtables_vcurrent=10
libxtables_vage=0
ac_aux_dir=
@@ -2916,7 +2916,7 @@
# Define the identity of the package.
PACKAGE='iptables'
- VERSION='1.4.16.3'
+ VERSION='1.4.18'
cat >>confdefs.h <<_ACEOF
@@ -12836,7 +12836,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by iptables $as_me 1.4.16.3, which was
+This file was extended by iptables $as_me 1.4.18, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -12902,7 +12902,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-iptables config.status 1.4.16.3
+iptables config.status 1.4.18
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/configure.ac
^
|
@@ -1,8 +1,8 @@
-AC_INIT([iptables], [1.4.16.3])
+AC_INIT([iptables], [1.4.18])
# See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=9
+libxtables_vcurrent=10
libxtables_vage=0
AC_CONFIG_AUX_DIR([build-aux])
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/GNUmakefile.in
^
|
@@ -33,6 +33,7 @@
AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
AM_VERBOSE_AR = @echo " AR " $@;
AM_VERBOSE_GEN = @echo " GEN " $@;
+AM_VERBOSE_NULL = @
endif
#
@@ -75,7 +76,7 @@
if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
clean:
- rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
rm -f .*.d .*.dd;
distclean: clean
@@ -89,22 +90,25 @@
#
# Shared libraries
#
-lib%.so: lib%.oo
- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
+lib%.so: lib%.la
+ ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
-lib%.oo: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+lib%.la: lib%.lo
+ ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+
+lib%.lo: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
libxt_NOTRACK.so: libxt_CT.so
- ln -fs $< $@
+ ${AM_VERBOSE_GEN} ln -fs $< $@
libxt_state.so: libxt_conntrack.so
- ln -fs $< $@
+ ${AM_VERBOSE_GEN} ln -fs $< $@
# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
xt_RATEEST_LIBADD = -lm
xt_statistic_LIBADD = -lm
-
#
# Static bits
#
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_DNAT.c
^
|
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * Based on Rusty Russell's IPv4 DNAT target. Development of IPv6 NAT
+ * funded by Astaro.
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+#include <iptables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/nf_nat.h>
+
+enum {
+ O_TO_DEST = 0,
+ O_RANDOM,
+ O_PERSISTENT,
+ O_X_TO_DEST,
+ F_TO_DEST = 1 << O_TO_DEST,
+ F_RANDOM = 1 << O_RANDOM,
+ F_X_TO_DEST = 1 << O_X_TO_DEST,
+};
+
+static void DNAT_help(void)
+{
+ printf(
+"DNAT target options:\n"
+" --to-destination [<ipaddr>[-<ipaddr>]][:port[-port]]\n"
+" Address to map destination to.\n"
+"[--random] [--persistent]\n");
+}
+
+static const struct xt_option_entry DNAT_opts[] = {
+ {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_MULTI},
+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+ {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
+/* Ranges expected in network order. */
+static void
+parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
+{
+ char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
+ const struct in6_addr *ip;
+
+ arg = strdup(orig_arg);
+ if (arg == NULL)
+ xtables_error(RESOURCE_PROBLEM, "strdup");
+
+ start = strchr(arg, '[');
+ if (start == NULL) {
+ start = arg;
+ /* Lets assume one colon is port information. Otherwise its an IPv6 address */
+ colon = strchr(arg, ':');
+ if (colon && strchr(colon+1, ':'))
+ colon = NULL;
+ }
+ else {
+ start++;
+ end = strchr(start, ']');
+ if (end == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid address format");
+
+ *end = '\0';
+ colon = strchr(end + 1, ':');
+ }
+
+ if (colon) {
+ int port;
+
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+
+ range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+
+ port = atoi(colon+1);
+ if (port <= 0 || port > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
+
+ error = strchr(colon+1, ':');
+ if (error)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range->min_proto.tcp.port
+ = range->max_proto.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport <= 0 || maxport > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. */
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range->min_proto.tcp.port = htons(port);
+ range->max_proto.tcp.port = htons(maxport);
+ }
+ /* Starts with colon or [] colon? No IP info...*/
+ if (colon == arg || colon == arg+2) {
+ free(arg);
+ return;
+ }
+ *colon = '\0';
+ }
+
+ range->flags |= NF_NAT_RANGE_MAP_IPS;
+ dash = strchr(start, '-');
+ if (colon && dash && dash > colon)
+ dash = NULL;
+
+ if (dash)
+ *dash = '\0';
+
+ ip = xtables_numeric_to_ip6addr(start);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ start);
+ range->min_addr.in6 = *ip;
+ if (dash) {
+ ip = xtables_numeric_to_ip6addr(dash + 1);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ dash+1);
+ range->max_addr.in6 = *ip;
+ } else
+ range->max_addr = range->min_addr;
+
+ free(arg);
+ return;
+}
+
+static void DNAT_parse(struct xt_option_call *cb)
+{
+ const struct ip6t_entry *entry = cb->xt_entry;
+ struct nf_nat_range *range = cb->data;
+ int portok;
+
+ if (entry->ipv6.proto == IPPROTO_TCP ||
+ entry->ipv6.proto == IPPROTO_UDP ||
+ entry->ipv6.proto == IPPROTO_SCTP ||
+ entry->ipv6.proto == IPPROTO_DCCP ||
+ entry->ipv6.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TO_DEST:
+ if (cb->xflags & F_X_TO_DEST) {
+ if (!kernel_version)
+ get_kernel_version();
+ if (kernel_version > LINUX_VERSION(2, 6, 10))
+ xtables_error(PARAMETER_PROBLEM,
+ "DNAT: Multiple --to-destination not supported");
+ }
+ parse_to(cb->arg, portok, range);
+ break;
+ case O_PERSISTENT:
+ range->flags |= NF_NAT_RANGE_PERSISTENT;
+ break;
+ }
+}
+
+static void DNAT_fcheck(struct xt_fcheck_call *cb)
+{
+ static const unsigned int f = F_TO_DEST | F_RANDOM;
+ struct nf_nat_range *mr = cb->data;
+
+ if ((cb->xflags & f) == f)
+ mr->flags |= NF_NAT_RANGE_PROTO_RANDOM;
+}
+
+static void print_range(const struct nf_nat_range *range)
+{
+ if (range->flags & NF_NAT_RANGE_MAP_IPS) {
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
+ printf("[");
+ printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6));
+ if (memcmp(&range->min_addr, &range->max_addr,
+ sizeof(range->min_addr)))
+ printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6));
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
+ printf("]");
+ }
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(":");
+ printf("%hu", ntohs(range->min_proto.tcp.port));
+ if (range->max_proto.tcp.port != range->min_proto.tcp.port)
+ printf("-%hu", ntohs(range->max_proto.tcp.port));
+ }
+}
+
+static void DNAT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_range *range = (const void *)target->data;
+
+ printf(" to:");
+ print_range(range);
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" random");
+ if (range->flags & NF_NAT_RANGE_PERSISTENT)
+ printf(" persistent");
+}
+
+static void DNAT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct nf_nat_range *range = (const void *)target->data;
+
+ printf(" --to-destination ");
+ print_range(range);
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" --random");
+ if (range->flags & NF_NAT_RANGE_PERSISTENT)
+ printf(" --persistent");
+}
+
+static struct xtables_target snat_tg_reg = {
+ .name = "DNAT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .help = DNAT_help,
+ .x6_parse = DNAT_parse,
+ .x6_fcheck = DNAT_fcheck,
+ .print = DNAT_print,
+ .save = DNAT_save,
+ .x6_options = DNAT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&snat_tg_reg);
+}
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_DNPT.c
^
|
@@ -0,0 +1,90 @@
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_NPT.h>
+
+enum {
+ O_SRC_PFX = 1 << 0,
+ O_DST_PFX = 1 << 1,
+};
+
+static const struct xt_option_entry DNPT_options[] = {
+ { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MAND },
+ { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MAND },
+ { }
+};
+
+static void DNPT_help(void)
+{
+ printf("DNPT target options:"
+ "\n"
+ " --src-pfx prefix/length\n"
+ " --dst-pfx prefix/length\n"
+ "\n");
+}
+
+static void DNPT_parse(struct xt_option_call *cb)
+{
+ struct ip6t_npt_tginfo *npt = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_SRC_PFX:
+ npt->src_pfx = cb->val.haddr;
+ npt->src_pfx_len = cb->val.hlen;
+ break;
+ case O_DST_PFX:
+ npt->dst_pfx = cb->val.haddr;
+ npt->dst_pfx_len = cb->val.hlen;
+ break;
+ }
+}
+
+static void DNPT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ip6t_npt_tginfo *npt = (const void *)target->data;
+
+ printf("src-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->src_pfx.in6),
+ npt->src_pfx_len);
+ printf("dst-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6),
+ npt->dst_pfx_len);
+}
+
+static void DNPT_save(const void *ip, const struct xt_entry_target *target)
+{
+ static const struct in6_addr zero_addr;
+ const struct ip6t_npt_tginfo *info = (const void *)target->data;
+
+ if (memcmp(&info->src_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
+ info->src_pfx_len != 0)
+ printf("--src-pfx %s/%u ",
+ xtables_ip6addr_to_numeric(&info->src_pfx.in6),
+ info->src_pfx_len);
+ if (memcmp(&info->dst_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
+ info->dst_pfx_len != 0)
+ printf("--dst-pfx %s/%u ",
+ xtables_ip6addr_to_numeric(&info->dst_pfx.in6),
+ info->dst_pfx_len);
+}
+
+static struct xtables_target snpt_tg_reg = {
+ .name = "DNPT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)),
+ .userspacesize = offsetof(struct ip6t_npt_tginfo, adjustment),
+ .help = DNPT_help,
+ .x6_parse = DNPT_parse,
+ .print = DNPT_print,
+ .save = DNPT_save,
+ .x6_options = DNPT_options,
+};
+
+void _init(void)
+{
+ xtables_register_target(&snpt_tg_reg);
+}
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libip6t_LOG.man
^
|
@@ -11,7 +11,10 @@
then DROP (or REJECT).
.TP
\fB\-\-log\-level\fP \fIlevel\fP
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+Level of logging, which can be (system-specific) numeric or a mnemonic.
+Possible values are (in decreasing order of priority): \fBemerg\fP,
+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
+or \fBdebug\fP.
.TP
\fB\-\-log\-prefix\fP \fIprefix\fP
Prefix log messages with the specified prefix; up to 29 letters long,
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_MASQUERADE.c
^
|
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * Based on Rusty Russell's IPv4 MASQUERADE target. Development of IPv6 NAT
+ * funded by Astaro.
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/nf_nat.h>
+
+enum {
+ O_TO_PORTS = 0,
+ O_RANDOM,
+};
+
+static void MASQUERADE_help(void)
+{
+ printf(
+"MASQUERADE target options:\n"
+" --to-ports <port>[-<port>]\n"
+" Port (range) to map to.\n"
+" --random\n"
+" Randomize source port.\n");
+}
+
+static const struct xt_option_entry MASQUERADE_opts[] = {
+ {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
+/* Parses ports */
+static void
+parse_ports(const char *arg, struct nf_nat_range *r)
+{
+ char *end;
+ unsigned int port, maxport;
+
+ r->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+
+ if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg);
+
+ switch (*end) {
+ case '\0':
+ r->min_proto.tcp.port
+ = r->max_proto.tcp.port
+ = htons(port);
+ return;
+ case '-':
+ if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX))
+ break;
+
+ if (maxport < port)
+ break;
+
+ r->min_proto.tcp.port = htons(port);
+ r->max_proto.tcp.port = htons(maxport);
+ return;
+ default:
+ break;
+ }
+ xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg);
+}
+
+static void MASQUERADE_parse(struct xt_option_call *cb)
+{
+ const struct ip6t_entry *entry = cb->xt_entry;
+ struct nf_nat_range *r = cb->data;
+ int portok;
+
+ if (entry->ipv6.proto == IPPROTO_TCP ||
+ entry->ipv6.proto == IPPROTO_UDP ||
+ entry->ipv6.proto == IPPROTO_SCTP ||
+ entry->ipv6.proto == IPPROTO_DCCP ||
+ entry->ipv6.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TO_PORTS:
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+ parse_ports(cb->arg, r);
+ break;
+ case O_RANDOM:
+ r->flags |= NF_NAT_RANGE_PROTO_RANDOM;
+ break;
+ }
+}
+
+static void
+MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_range *r = (const void *)target->data;
+
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(" masq ports: ");
+ printf("%hu", ntohs(r->min_proto.tcp.port));
+ if (r->max_proto.tcp.port != r->min_proto.tcp.port)
+ printf("-%hu", ntohs(r->max_proto.tcp.port));
+ }
+
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" random");
+}
+
+static void
+MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct nf_nat_range *r = (const void *)target->data;
+
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(" --to-ports %hu", ntohs(r->min_proto.tcp.port));
+ if (r->max_proto.tcp.port != r->min_proto.tcp.port)
+ printf("-%hu", ntohs(r->max_proto.tcp.port));
+ }
+
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" --random");
+}
+
+static struct xtables_target masquerade_tg_reg = {
+ .name = "MASQUERADE",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .help = MASQUERADE_help,
+ .x6_parse = MASQUERADE_parse,
+ .print = MASQUERADE_print,
+ .save = MASQUERADE_save,
+ .x6_options = MASQUERADE_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&masquerade_tg_reg);
+}
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_MASQUERADE.man
^
|
@@ -0,0 +1,30 @@
+This target is only valid in the
+.B nat
+table, in the
+.B POSTROUTING
+chain. It should only be used with dynamically assigned IPv6 (dialup)
+connections: if you have a static IP address, you should use the SNAT
+target. Masquerading is equivalent to specifying a mapping to the IP
+address of the interface the packet is going out, but also has the
+effect that connections are
+.I forgotten
+when the interface goes down. This is the correct behavior when the
+next dialup is unlikely to have the same interface address (and hence
+any established connections are lost anyway).
+.TP
+\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
+This specifies a range of source ports to use, overriding the default
+.B SNAT
+source port-selection heuristics (see above). This is only valid
+if the rule also specifies
+\fB\-p tcp\fP
+or
+\fB\-p udp\fP.
+.TP
+\fB\-\-random\fP
+Randomize source port mapping
+If option
+\fB\-\-random\fP
+is used then port mapping will be randomized.
+.RS
+.PP
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_NETMAP.c
^
|
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * Based on Svenning Soerensen's IPv4 NETMAP target. Development of IPv6 NAT
+ * funded by Astaro.
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <libiptc/libip6tc.h>
+#include <linux/netfilter/nf_nat.h>
+
+#define MODULENAME "NETMAP"
+
+enum {
+ O_TO = 0,
+};
+
+static const struct xt_option_entry NETMAP_opts[] = {
+ {.name = "to", .id = O_TO, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MAND},
+ XTOPT_TABLEEND,
+};
+
+static void NETMAP_help(void)
+{
+ printf(MODULENAME" target options:\n"
+ " --%s address[/mask]\n"
+ " Network address to map to.\n\n",
+ NETMAP_opts[0].name);
+}
+
+static void NETMAP_parse(struct xt_option_call *cb)
+{
+ struct nf_nat_range *range = cb->data;
+ unsigned int i;
+
+ xtables_option_parse(cb);
+ range->flags |= NF_NAT_RANGE_MAP_IPS;
+ for (i = 0; i < 4; i++) {
+ range->min_addr.ip6[i] = cb->val.haddr.ip6[i] &
+ cb->val.hmask.ip6[i];
+ range->max_addr.ip6[i] = range->min_addr.ip6[i] |
+ ~cb->val.hmask.ip6[i];
+ }
+}
+
+static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_range *r = (const void *)target->data;
+ struct in6_addr a;
+ unsigned int i;
+ int bits;
+
+ a = r->min_addr.in6;
+ printf("%s", xtables_ip6addr_to_numeric(&a));
+ for (i = 0; i < 4; i++)
+ a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
+ bits = ipv6_prefix_length(&a);
+ if (bits < 0)
+ printf("/%s", xtables_ip6addr_to_numeric(&a));
+ else
+ printf("/%d", bits);
+}
+
+static void NETMAP_save(const void *ip, const struct xt_entry_target *target)
+{
+ printf(" --%s ", NETMAP_opts[0].name);
+ NETMAP_print(ip, target, 0);
+}
+
+static struct xtables_target netmap_tg_reg = {
+ .name = MODULENAME,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .help = NETMAP_help,
+ .x6_parse = NETMAP_parse,
+ .print = NETMAP_print,
+ .save = NETMAP_save,
+ .x6_options = NETMAP_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&netmap_tg_reg);
+}
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_REDIRECT.c
^
|
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6 NAT
+ * funded by Astaro.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/nf_nat.h>
+
+enum {
+ O_TO_PORTS = 0,
+ O_RANDOM,
+ F_TO_PORTS = 1 << O_TO_PORTS,
+ F_RANDOM = 1 << O_RANDOM,
+};
+
+static void REDIRECT_help(void)
+{
+ printf(
+"REDIRECT target options:\n"
+" --to-ports <port>[-<port>]\n"
+" Port (range) to map to.\n"
+" [--random]\n");
+}
+
+static const struct xt_option_entry REDIRECT_opts[] = {
+ {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
+/* Parses ports */
+static void
+parse_ports(const char *arg, struct nf_nat_range *range)
+{
+ char *end = "";
+ unsigned int port, maxport;
+
+ range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+
+ if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) &&
+ (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1)
+ xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg);
+
+ switch (*end) {
+ case '\0':
+ range->min_proto.tcp.port
+ = range->max_proto.tcp.port
+ = htons(port);
+ return;
+ case '-':
+ if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) &&
+ (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1)
+ break;
+
+ if (maxport < port)
+ break;
+
+ range->min_proto.tcp.port = htons(port);
+ range->max_proto.tcp.port = htons(maxport);
+ return;
+ default:
+ break;
+ }
+ xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg);
+}
+
+static void REDIRECT_parse(struct xt_option_call *cb)
+{
+ const struct ip6t_entry *entry = cb->xt_entry;
+ struct nf_nat_range *range = (void *)(*cb->target)->data;
+ int portok;
+
+ if (entry->ipv6.proto == IPPROTO_TCP
+ || entry->ipv6.proto == IPPROTO_UDP
+ || entry->ipv6.proto == IPPROTO_SCTP
+ || entry->ipv6.proto == IPPROTO_DCCP
+ || entry->ipv6.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TO_PORTS:
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+ parse_ports(cb->arg, range);
+ if (cb->xflags & F_RANDOM)
+ range->flags |= NF_NAT_RANGE_PROTO_RANDOM;
+ break;
+ case O_RANDOM:
+ if (cb->xflags & F_TO_PORTS)
+ range->flags |= NF_NAT_RANGE_PROTO_RANDOM;
+ break;
+ }
+}
+
+static void REDIRECT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_range *range = (const void *)target->data;
+
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(" redir ports ");
+ printf("%hu", ntohs(range->min_proto.tcp.port));
+ if (range->max_proto.tcp.port != range->min_proto.tcp.port)
+ printf("-%hu", ntohs(range->max_proto.tcp.port));
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" random");
+ }
+}
+
+static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct nf_nat_range *range = (const void *)target->data;
+
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(" --to-ports ");
+ printf("%hu", ntohs(range->min_proto.tcp.port));
+ if (range->max_proto.tcp.port != range->min_proto.tcp.port)
+ printf("-%hu", ntohs(range->max_proto.tcp.port));
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" --random");
+ }
+}
+
+static struct xtables_target redirect_tg_reg = {
+ .name = "REDIRECT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .help = REDIRECT_help,
+ .x6_parse = REDIRECT_parse,
+ .print = REDIRECT_print,
+ .save = REDIRECT_save,
+ .x6_options = REDIRECT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&redirect_tg_reg);
+}
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_SNAT.c
^
|
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * Based on Rusty Russell's IPv4 SNAT target. Development of IPv6 NAT
+ * funded by Astaro.
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <xtables.h>
+#include <iptables.h>
+#include <limits.h> /* INT_MAX in ip_tables.h */
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/nf_nat.h>
+
+enum {
+ O_TO_SRC = 0,
+ O_RANDOM,
+ O_PERSISTENT,
+ O_X_TO_SRC,
+ F_TO_SRC = 1 << O_TO_SRC,
+ F_RANDOM = 1 << O_RANDOM,
+ F_X_TO_SRC = 1 << O_X_TO_SRC,
+};
+
+static void SNAT_help(void)
+{
+ printf(
+"SNAT target options:\n"
+" --to-source [<ipaddr>[-<ipaddr>]][:port[-port]]\n"
+" Address to map source to.\n"
+"[--random] [--persistent]\n");
+}
+
+static const struct xt_option_entry SNAT_opts[] = {
+ {.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_MULTI},
+ {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+ {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
+/* Ranges expected in network order. */
+static void
+parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
+{
+ char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
+ const struct in6_addr *ip;
+
+ arg = strdup(orig_arg);
+ if (arg == NULL)
+ xtables_error(RESOURCE_PROBLEM, "strdup");
+
+ start = strchr(arg, '[');
+ if (start == NULL) {
+ start = arg;
+ /* Lets assume one colon is port information. Otherwise its an IPv6 address */
+ colon = strchr(arg, ':');
+ if (colon && strchr(colon+1, ':'))
+ colon = NULL;
+ }
+ else {
+ start++;
+ end = strchr(start, ']');
+ if (end == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid address format");
+
+ *end = '\0';
+ colon = strchr(end + 1, ':');
+ }
+
+ if (colon) {
+ int port;
+
+ if (!portok)
+ xtables_error(PARAMETER_PROBLEM,
+ "Need TCP, UDP, SCTP or DCCP with port specification");
+
+ range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
+
+ port = atoi(colon+1);
+ if (port <= 0 || port > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
+
+ error = strchr(colon+1, ':');
+ if (error)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range->min_proto.tcp.port
+ = range->max_proto.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
+
+ maxport = atoi(dash + 1);
+ if (maxport <= 0 || maxport > 65535)
+ xtables_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. */
+ xtables_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range->min_proto.tcp.port = htons(port);
+ range->max_proto.tcp.port = htons(maxport);
+ }
+ /* Starts with colon or [] colon? No IP info...*/
+ if (colon == arg || colon == arg+2) {
+ free(arg);
+ return;
+ }
+ *colon = '\0';
+ }
+
+ range->flags |= NF_NAT_RANGE_MAP_IPS;
+ dash = strchr(start, '-');
+ if (colon && dash && dash > colon)
+ dash = NULL;
+
+ if (dash)
+ *dash = '\0';
+
+ ip = xtables_numeric_to_ip6addr(start);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ start);
+ range->min_addr.in6 = *ip;
+ if (dash) {
+ ip = xtables_numeric_to_ip6addr(dash + 1);
+ if (!ip)
+ xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+ dash+1);
+ range->max_addr.in6 = *ip;
+ } else
+ range->max_addr = range->min_addr;
+
+ free(arg);
+ return;
+}
+
+static void SNAT_parse(struct xt_option_call *cb)
+{
+ const struct ip6t_entry *entry = cb->xt_entry;
+ struct nf_nat_range *range = cb->data;
+ int portok;
+
+ if (entry->ipv6.proto == IPPROTO_TCP ||
+ entry->ipv6.proto == IPPROTO_UDP ||
+ entry->ipv6.proto == IPPROTO_SCTP ||
+ entry->ipv6.proto == IPPROTO_DCCP ||
+ entry->ipv6.proto == IPPROTO_ICMP)
+ portok = 1;
+ else
+ portok = 0;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TO_SRC:
+ if (cb->xflags & F_X_TO_SRC) {
+ if (!kernel_version)
+ get_kernel_version();
+ if (kernel_version > LINUX_VERSION(2, 6, 10))
+ xtables_error(PARAMETER_PROBLEM,
+ "SNAT: Multiple --to-source not supported");
+ }
+ parse_to(cb->arg, portok, range);
+ break;
+ case O_PERSISTENT:
+ range->flags |= NF_NAT_RANGE_PERSISTENT;
+ break;
+ }
+}
+
+static void SNAT_fcheck(struct xt_fcheck_call *cb)
+{
+ static const unsigned int f = F_TO_SRC | F_RANDOM;
+ struct nf_nat_range *range = cb->data;
+
+ if ((cb->xflags & f) == f)
+ range->flags |= NF_NAT_RANGE_PROTO_RANDOM;
+}
+
+static void print_range(const struct nf_nat_range *range)
+{
+ if (range->flags & NF_NAT_RANGE_MAP_IPS) {
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
+ printf("[");
+ printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6));
+ if (memcmp(&range->min_addr, &range->max_addr,
+ sizeof(range->min_addr)))
+ printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6));
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
+ printf("]");
+ }
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ printf(":");
+ printf("%hu", ntohs(range->min_proto.tcp.port));
+ if (range->max_proto.tcp.port != range->min_proto.tcp.port)
+ printf("-%hu", ntohs(range->max_proto.tcp.port));
+ }
+}
+
+static void SNAT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct nf_nat_range *range = (const void *)target->data;
+
+ printf(" to:");
+ print_range(range);
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" random");
+ if (range->flags & NF_NAT_RANGE_PERSISTENT)
+ printf(" persistent");
+}
+
+static void SNAT_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct nf_nat_range *range = (const void *)target->data;
+
+ printf(" --to-source ");
+ print_range(range);
+ if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+ printf(" --random");
+ if (range->flags & NF_NAT_RANGE_PERSISTENT)
+ printf(" --persistent");
+}
+
+static struct xtables_target snat_tg_reg = {
+ .name = "SNAT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)),
+ .help = SNAT_help,
+ .x6_parse = SNAT_parse,
+ .x6_fcheck = SNAT_fcheck,
+ .print = SNAT_print,
+ .save = SNAT_save,
+ .x6_options = SNAT_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&snat_tg_reg);
+}
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/extensions/libip6t_SNPT.c
^
|
@@ -0,0 +1,90 @@
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_NPT.h>
+
+enum {
+ O_SRC_PFX = 1 << 0,
+ O_DST_PFX = 1 << 1,
+};
+
+static const struct xt_option_entry SNPT_options[] = {
+ { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MAND },
+ { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_MAND },
+ { }
+};
+
+static void SNPT_help(void)
+{
+ printf("SNPT target options:"
+ "\n"
+ " --src-pfx prefix/length\n"
+ " --dst-pfx prefix/length\n"
+ "\n");
+}
+
+static void SNPT_parse(struct xt_option_call *cb)
+{
+ struct ip6t_npt_tginfo *npt = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_SRC_PFX:
+ npt->src_pfx = cb->val.haddr;
+ npt->src_pfx_len = cb->val.hlen;
+ break;
+ case O_DST_PFX:
+ npt->dst_pfx = cb->val.haddr;
+ npt->dst_pfx_len = cb->val.hlen;
+ break;
+ }
+}
+
+static void SNPT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct ip6t_npt_tginfo *npt = (const void *)target->data;
+
+ printf("src-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->src_pfx.in6),
+ npt->src_pfx_len);
+ printf("dst-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6),
+ npt->dst_pfx_len);
+}
+
+static void SNPT_save(const void *ip, const struct xt_entry_target *target)
+{
+ static const struct in6_addr zero_addr;
+ const struct ip6t_npt_tginfo *info = (const void *)target->data;
+
+ if (memcmp(&info->src_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
+ info->src_pfx_len != 0)
+ printf("--src-pfx %s/%u ",
+ xtables_ip6addr_to_numeric(&info->src_pfx.in6),
+ info->src_pfx_len);
+ if (memcmp(&info->dst_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 ||
+ info->dst_pfx_len != 0)
+ printf("--dst-pfx %s/%u ",
+ xtables_ip6addr_to_numeric(&info->dst_pfx.in6),
+ info->dst_pfx_len);
+}
+
+static struct xtables_target snpt_tg_reg = {
+ .name = "SNPT",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)),
+ .userspacesize = offsetof(struct ip6t_npt_tginfo, adjustment),
+ .help = SNPT_help,
+ .x6_parse = SNPT_parse,
+ .print = SNPT_print,
+ .save = SNPT_save,
+ .x6_options = SNPT_options,
+};
+
+void _init(void)
+{
+ xtables_register_target(&snpt_tg_reg);
+}
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_DNAT.c
^
|
@@ -6,7 +6,7 @@
#include <iptables.h> /* get_kernel_version */
#include <limits.h> /* INT_MAX in ip_tables.h */
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <net/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
enum {
O_TO_DEST = 0,
@@ -23,7 +23,7 @@
struct ipt_natinfo
{
struct xt_entry_target t;
- struct nf_nat_multi_range mr;
+ struct nf_nat_ipv4_multi_range_compat mr;
};
static void DNAT_help(void)
@@ -44,7 +44,7 @@
};
static struct ipt_natinfo *
-append_range(struct ipt_natinfo *info, const struct nf_nat_range *range)
+append_range(struct ipt_natinfo *info, const struct nf_nat_ipv4_range *range)
{
unsigned int size;
@@ -66,7 +66,7 @@
static struct xt_entry_target *
parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
{
- struct nf_nat_range range;
+ struct nf_nat_ipv4_range range;
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
@@ -83,7 +83,7 @@
xtables_error(PARAMETER_PROBLEM,
"Need TCP, UDP, SCTP or DCCP with port specification");
- range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
port = atoi(colon+1);
if (port <= 0 || port > 65535)
@@ -122,7 +122,7 @@
*colon = '\0';
}
- range.flags |= IP_NAT_RANGE_MAP_IPS;
+ range.flags |= NF_NAT_RANGE_MAP_IPS;
dash = strchr(arg, '-');
if (colon && dash && dash > colon)
dash = NULL;
@@ -177,7 +177,7 @@
cb->xflags |= F_X_TO_DEST;
break;
case O_PERSISTENT:
- info->mr.range[0].flags |= IP_NAT_RANGE_PERSISTENT;
+ info->mr.range[0].flags |= NF_NAT_RANGE_PERSISTENT;
break;
}
}
@@ -185,15 +185,15 @@
static void DNAT_fcheck(struct xt_fcheck_call *cb)
{
static const unsigned int f = F_TO_DEST | F_RANDOM;
- struct nf_nat_multi_range *mr = cb->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = cb->data;
if ((cb->xflags & f) == f)
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
}
-static void print_range(const struct nf_nat_range *r)
+static void print_range(const struct nf_nat_ipv4_range *r)
{
- if (r->flags & IP_NAT_RANGE_MAP_IPS) {
+ if (r->flags & NF_NAT_RANGE_MAP_IPS) {
struct in_addr a;
a.s_addr = r->min_ip;
@@ -203,7 +203,7 @@
printf("-%s", xtables_ipaddr_to_numeric(&a));
}
}
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
printf(":");
printf("%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
@@ -220,9 +220,9 @@
printf(" to:");
for (i = 0; i < info->mr.rangesize; i++) {
print_range(&info->mr.range[i]);
- if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" random");
- if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
printf(" persistent");
}
}
@@ -235,9 +235,9 @@
for (i = 0; i < info->mr.rangesize; i++) {
printf(" --to-destination ");
print_range(&info->mr.range[i]);
- if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" --random");
- if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
printf(" --persistent");
}
}
@@ -246,8 +246,8 @@
.name = "DNAT",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
- .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
.help = DNAT_help,
.x6_parse = DNAT_parse,
.x6_fcheck = DNAT_fcheck,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_LOG.man
^
|
@@ -11,7 +11,10 @@
then DROP (or REJECT).
.TP
\fB\-\-log\-level\fP \fIlevel\fP
-Level of logging (numeric or see \fIsyslog.conf\fP(5)).
+Level of logging, which can be (system-specific) numeric or a mnemonic.
+Possible values are (in decreasing order of priority): \fBemerg\fP,
+\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP
+or \fBdebug\fP.
.TP
\fB\-\-log\-prefix\fP \fIprefix\fP
Prefix log messages with the specified prefix; up to 29 letters long,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_MASQUERADE.c
^
|
@@ -6,7 +6,7 @@
#include <xtables.h>
#include <limits.h> /* INT_MAX in ip_tables.h */
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <net/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
enum {
O_TO_PORTS = 0,
@@ -31,7 +31,7 @@
static void MASQUERADE_init(struct xt_entry_target *t)
{
- struct nf_nat_multi_range *mr = (struct nf_nat_multi_range *)t->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = (struct nf_nat_ipv4_multi_range_compat *)t->data;
/* Actually, it's 0, but it's ignored at the moment. */
mr->rangesize = 1;
@@ -39,12 +39,12 @@
/* Parses ports */
static void
-parse_ports(const char *arg, struct nf_nat_multi_range *mr)
+parse_ports(const char *arg, struct nf_nat_ipv4_multi_range_compat *mr)
{
char *end;
unsigned int port, maxport;
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX))
xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg);
@@ -75,7 +75,7 @@
{
const struct ipt_entry *entry = cb->xt_entry;
int portok;
- struct nf_nat_multi_range *mr = cb->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = cb->data;
if (entry->ip.proto == IPPROTO_TCP
|| entry->ip.proto == IPPROTO_UDP
@@ -95,7 +95,7 @@
parse_ports(cb->arg, mr);
break;
case O_RANDOM:
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
break;
}
}
@@ -104,33 +104,33 @@
MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
- const struct nf_nat_multi_range *mr = (const void *)target->data;
- const struct nf_nat_range *r = &mr->range[0];
+ const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data;
+ const struct nf_nat_ipv4_range *r = &mr->range[0];
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
printf(" masq ports: ");
printf("%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
}
- if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" random");
}
static void
MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
{
- const struct nf_nat_multi_range *mr = (const void *)target->data;
- const struct nf_nat_range *r = &mr->range[0];
+ const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data;
+ const struct nf_nat_ipv4_range *r = &mr->range[0];
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
printf(" --to-ports %hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
}
- if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" --random");
}
@@ -138,8 +138,8 @@
.name = "MASQUERADE",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
- .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
.help = MASQUERADE_help,
.init = MASQUERADE_init,
.x6_parse = MASQUERADE_parse,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_NETMAP.c
^
|
@@ -7,7 +7,7 @@
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
-#include <net/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
#define MODULENAME "NETMAP"
@@ -45,7 +45,7 @@
static void NETMAP_init(struct xt_entry_target *t)
{
- struct nf_nat_multi_range *mr = (struct nf_nat_multi_range *)t->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = (struct nf_nat_ipv4_multi_range_compat *)t->data;
/* Actually, it's 0, but it's ignored at the moment. */
mr->rangesize = 1;
@@ -53,11 +53,11 @@
static void NETMAP_parse(struct xt_option_call *cb)
{
- struct nf_nat_multi_range *mr = cb->data;
- struct nf_nat_range *range = &mr->range[0];
+ struct nf_nat_ipv4_multi_range_compat *mr = cb->data;
+ struct nf_nat_ipv4_range *range = &mr->range[0];
xtables_option_parse(cb);
- range->flags |= IP_NAT_RANGE_MAP_IPS;
+ range->flags |= NF_NAT_RANGE_MAP_IPS;
range->min_ip = cb->val.haddr.ip & cb->val.hmask.ip;
range->max_ip = range->min_ip | ~cb->val.hmask.ip;
}
@@ -65,8 +65,8 @@
static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
- const struct nf_nat_multi_range *mr = (const void *)target->data;
- const struct nf_nat_range *r = &mr->range[0];
+ const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data;
+ const struct nf_nat_ipv4_range *r = &mr->range[0];
struct in_addr a;
int bits;
@@ -90,8 +90,8 @@
.name = MODULENAME,
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
- .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
.help = NETMAP_help,
.init = NETMAP_init,
.x6_parse = NETMAP_parse,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_REDIRECT.c
^
|
@@ -4,7 +4,7 @@
#include <xtables.h>
#include <limits.h> /* INT_MAX in ip_tables.h */
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <net/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
enum {
O_TO_PORTS = 0,
@@ -30,7 +30,7 @@
static void REDIRECT_init(struct xt_entry_target *t)
{
- struct nf_nat_multi_range *mr = (struct nf_nat_multi_range *)t->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = (struct nf_nat_ipv4_multi_range_compat *)t->data;
/* Actually, it's 0, but it's ignored at the moment. */
mr->rangesize = 1;
@@ -38,12 +38,12 @@
/* Parses ports */
static void
-parse_ports(const char *arg, struct nf_nat_multi_range *mr)
+parse_ports(const char *arg, struct nf_nat_ipv4_multi_range_compat *mr)
{
char *end = "";
unsigned int port, maxport;
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) &&
(port = xtables_service_to_port(arg, NULL)) == (unsigned)-1)
@@ -75,7 +75,7 @@
static void REDIRECT_parse(struct xt_option_call *cb)
{
const struct ipt_entry *entry = cb->xt_entry;
- struct nf_nat_multi_range *mr = (void *)(*cb->target)->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = (void *)(*cb->target)->data;
int portok;
if (entry->ip.proto == IPPROTO_TCP
@@ -95,11 +95,11 @@
"Need TCP, UDP, SCTP or DCCP with port specification");
parse_ports(cb->arg, mr);
if (cb->xflags & F_RANDOM)
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
break;
case O_RANDOM:
if (cb->xflags & F_TO_PORTS)
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
break;
}
}
@@ -107,30 +107,30 @@
static void REDIRECT_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
- const struct nf_nat_multi_range *mr = (const void *)target->data;
- const struct nf_nat_range *r = &mr->range[0];
+ const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data;
+ const struct nf_nat_ipv4_range *r = &mr->range[0];
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
printf(" redir ports ");
printf("%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
- if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (mr->range[0].flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" random");
}
}
static void REDIRECT_save(const void *ip, const struct xt_entry_target *target)
{
- const struct nf_nat_multi_range *mr = (const void *)target->data;
- const struct nf_nat_range *r = &mr->range[0];
+ const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data;
+ const struct nf_nat_ipv4_range *r = &mr->range[0];
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
printf(" --to-ports ");
printf("%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
- if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (mr->range[0].flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" --random");
}
}
@@ -139,8 +139,8 @@
.name = "REDIRECT",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
- .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
.help = REDIRECT_help,
.init = REDIRECT_init,
.x6_parse = REDIRECT_parse,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_SAME.c
^
|
@@ -2,7 +2,7 @@
#include <string.h>
#include <stdlib.h>
#include <xtables.h>
-#include <net/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
#include <linux/netfilter_ipv4/ipt_SAME.h>
enum {
@@ -37,7 +37,7 @@
};
/* Parses range of IPs */
-static void parse_to(const char *orig_arg, struct nf_nat_range *range)
+static void parse_to(const char *orig_arg, struct nf_nat_ipv4_range *range)
{
char *dash, *arg;
const struct in_addr *ip;
@@ -45,7 +45,7 @@
arg = strdup(orig_arg);
if (arg == NULL)
xtables_error(RESOURCE_PROBLEM, "strdup");
- range->flags |= IP_NAT_RANGE_MAP_IPS;
+ range->flags |= NF_NAT_RANGE_MAP_IPS;
dash = strchr(arg, '-');
if (dash)
@@ -74,6 +74,7 @@
static void SAME_parse(struct xt_option_call *cb)
{
struct ipt_same_info *mr = cb->data;
+ unsigned int count;
xtables_option_parse(cb);
switch (cb->entry->id) {
@@ -89,6 +90,10 @@
case O_NODST:
mr->info |= IPT_SAME_NODST;
break;
+ case O_RANDOM:
+ for (count=0; count < mr->rangesize; count++)
+ mr->range[count].flags |= NF_NAT_RANGE_PROTO_RANDOM;
+ break;
}
}
@@ -100,7 +105,7 @@
if ((cb->xflags & f) == f)
for (count = 0; count < mr->rangesize; ++count)
- mr->range[count].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->range[count].flags |= NF_NAT_RANGE_PROTO_RANDOM;
}
static void SAME_print(const void *ip, const struct xt_entry_target *target,
@@ -113,7 +118,7 @@
printf(" same:");
for (count = 0; count < mr->rangesize; count++) {
- const struct nf_nat_range *r = &mr->range[count];
+ const struct nf_nat_ipv4_range *r = &mr->range[count];
struct in_addr a;
a.s_addr = r->min_ip;
@@ -123,7 +128,7 @@
if (r->min_ip != r->max_ip)
printf("-%s", xtables_ipaddr_to_numeric(&a));
- if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
random_selection = 1;
}
@@ -141,7 +146,7 @@
int random_selection = 0;
for (count = 0; count < mr->rangesize; count++) {
- const struct nf_nat_range *r = &mr->range[count];
+ const struct nf_nat_ipv4_range *r = &mr->range[count];
struct in_addr a;
a.s_addr = r->min_ip;
@@ -150,7 +155,7 @@
if (r->min_ip != r->max_ip)
printf("-%s", xtables_ipaddr_to_numeric(&a));
- if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
random_selection = 1;
}
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libipt_SNAT.c
^
|
@@ -6,7 +6,7 @@
#include <iptables.h>
#include <limits.h> /* INT_MAX in ip_tables.h */
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <net/netfilter/nf_nat.h>
+#include <linux/netfilter/nf_nat.h>
enum {
O_TO_SRC = 0,
@@ -23,7 +23,7 @@
struct ipt_natinfo
{
struct xt_entry_target t;
- struct nf_nat_multi_range mr;
+ struct nf_nat_ipv4_multi_range_compat mr;
};
static void SNAT_help(void)
@@ -44,7 +44,7 @@
};
static struct ipt_natinfo *
-append_range(struct ipt_natinfo *info, const struct nf_nat_range *range)
+append_range(struct ipt_natinfo *info, const struct nf_nat_ipv4_range *range)
{
unsigned int size;
@@ -66,7 +66,7 @@
static struct xt_entry_target *
parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
{
- struct nf_nat_range range;
+ struct nf_nat_ipv4_range range;
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
@@ -83,7 +83,7 @@
xtables_error(PARAMETER_PROBLEM,
"Need TCP, UDP, SCTP or DCCP with port specification");
- range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
port = atoi(colon+1);
if (port <= 0 || port > 65535)
@@ -122,7 +122,7 @@
*colon = '\0';
}
- range.flags |= IP_NAT_RANGE_MAP_IPS;
+ range.flags |= NF_NAT_RANGE_MAP_IPS;
dash = strchr(arg, '-');
if (colon && dash && dash > colon)
dash = NULL;
@@ -177,7 +177,7 @@
cb->xflags |= F_X_TO_SRC;
break;
case O_PERSISTENT:
- info->mr.range[0].flags |= IP_NAT_RANGE_PERSISTENT;
+ info->mr.range[0].flags |= NF_NAT_RANGE_PERSISTENT;
break;
}
}
@@ -185,15 +185,15 @@
static void SNAT_fcheck(struct xt_fcheck_call *cb)
{
static const unsigned int f = F_TO_SRC | F_RANDOM;
- struct nf_nat_multi_range *mr = cb->data;
+ struct nf_nat_ipv4_multi_range_compat *mr = cb->data;
if ((cb->xflags & f) == f)
- mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
}
-static void print_range(const struct nf_nat_range *r)
+static void print_range(const struct nf_nat_ipv4_range *r)
{
- if (r->flags & IP_NAT_RANGE_MAP_IPS) {
+ if (r->flags & NF_NAT_RANGE_MAP_IPS) {
struct in_addr a;
a.s_addr = r->min_ip;
@@ -203,7 +203,7 @@
printf("-%s", xtables_ipaddr_to_numeric(&a));
}
}
- if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) {
+ if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
printf(":");
printf("%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
@@ -220,9 +220,9 @@
printf(" to:");
for (i = 0; i < info->mr.rangesize; i++) {
print_range(&info->mr.range[i]);
- if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" random");
- if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
printf(" persistent");
}
}
@@ -235,9 +235,9 @@
for (i = 0; i < info->mr.rangesize; i++) {
printf(" --to-source ");
print_range(&info->mr.range[i]);
- if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM)
printf(" --random");
- if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT)
+ if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
printf(" --persistent");
}
}
@@ -246,8 +246,8 @@
.name = "SNAT",
.version = XTABLES_VERSION,
.family = NFPROTO_IPV4,
- .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
- .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)),
+ .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
+ .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)),
.help = SNAT_help,
.x6_parse = SNAT_parse,
.x6_fcheck = SNAT_fcheck,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libxt_conntrack.c
^
|
@@ -801,7 +801,9 @@
if (info->match_flags & XT_CONNTRACK_STATE) {
if (info->invert_flags & XT_CONNTRACK_STATE)
printf(" !");
- printf(" %sctstate", prefix);
+ printf(" %s%s", prefix,
+ info->match_flags & XT_CONNTRACK_STATE_ALIAS
+ ? "state" : "ctstate");
print_state(info->state_mask);
}
@@ -902,6 +904,15 @@
}
}
+static const char *
+conntrack_print_name_alias(const struct xt_entry_match *match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+
+ return info->match_flags & XT_CONNTRACK_STATE_ALIAS
+ ? "state" : "conntrack";
+}
+
static void conntrack_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
@@ -1083,7 +1094,7 @@
struct xt_conntrack_mtinfo1 *sinfo = cb->data;
xtables_option_parse(cb);
- sinfo->match_flags = XT_CONNTRACK_STATE;
+ sinfo->match_flags = XT_CONNTRACK_STATE | XT_CONNTRACK_STATE_ALIAS;
sinfo->state_mask = state_parse_states(cb->arg);
if (cb->invert)
sinfo->invert_flags |= XT_CONNTRACK_STATE;
@@ -1094,7 +1105,7 @@
struct xt_conntrack_mtinfo3 *sinfo = cb->data;
xtables_option_parse(cb);
- sinfo->match_flags = XT_CONNTRACK_STATE;
+ sinfo->match_flags = XT_CONNTRACK_STATE | XT_CONNTRACK_STATE_ALIAS;
sinfo->state_mask = state_parse_states(cb->arg);
if (cb->invert)
sinfo->invert_flags |= XT_CONNTRACK_STATE;
@@ -1158,6 +1169,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack_print,
.save = conntrack_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack_mt_opts_v0,
},
{
@@ -1172,6 +1184,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt4_print,
.save = conntrack1_mt4_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1186,6 +1199,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack1_mt6_print,
.save = conntrack1_mt6_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1200,6 +1214,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt_print,
.save = conntrack2_mt_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1214,6 +1229,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack2_mt6_print,
.save = conntrack2_mt6_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack2_mt_opts,
},
{
@@ -1228,6 +1244,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt_print,
.save = conntrack3_mt_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack3_mt_opts,
},
{
@@ -1242,6 +1259,7 @@
.x6_fcheck = conntrack_mt_check,
.print = conntrack3_mt6_print,
.save = conntrack3_mt6_save,
+ .alias = conntrack_print_name_alias,
.x6_options = conntrack3_mt_opts,
},
{
@@ -1249,6 +1267,7 @@
.name = "state",
.real_name = "conntrack",
.revision = 1,
+ .ext_flags = XTABLES_EXT_ALIAS,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
@@ -1261,6 +1280,7 @@
.name = "state",
.real_name = "conntrack",
.revision = 2,
+ .ext_flags = XTABLES_EXT_ALIAS,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
@@ -1273,6 +1293,7 @@
.name = "state",
.real_name = "conntrack",
.revision = 3,
+ .ext_flags = XTABLES_EXT_ALIAS,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libxt_rpfilter.man
^
|
@@ -17,6 +17,7 @@
\fB\-\-accept\-local\fP
This will permit packets arriving from the network with a source address that is also
assigned to the local machine.
+.TP
\fB\-\-invert\fP
This will invert the sense of the match. Instead of matching packets that passed the
reverse path filter test, match those that have failed it.
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libxt_state.man
^
|
@@ -1,4 +1,4 @@
-The "state" module is an obsolete version of "conntrack".
+The "state" extension is a subset of the "conntrack" module.
"state" allows access to the connection tracking state for this packet.
.TP
[\fB!\fP] \fB\-\-state\fP \fIstate\fP
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libxt_statistic.c
^
|
@@ -107,7 +107,7 @@
(info->flags & XT_STATISTIC_INVERT) ? " !" : "",
prefix,
info->u.nth.every + 1);
- if (info->u.nth.packet)
+ if (info->u.nth.packet || *prefix)
printf(" %spacket %u", prefix, info->u.nth.packet);
break;
}
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libxt_time.c
^
|
@@ -22,6 +22,7 @@
O_DATE_STOP,
O_TIME_START,
O_TIME_STOP,
+ O_TIME_CONTIGUOUS,
O_MONTHDAYS,
O_WEEKDAYS,
O_LOCAL_TZ,
@@ -30,6 +31,7 @@
F_LOCAL_TZ = 1 << O_LOCAL_TZ,
F_UTC = 1 << O_UTC,
F_KERNEL_TZ = 1 << O_KERNEL_TZ,
+ F_TIME_CONTIGUOUS = 1 << O_TIME_CONTIGUOUS,
};
static const char *const week_days[] = {
@@ -41,6 +43,7 @@
{.name = "datestop", .id = O_DATE_STOP, .type = XTTYPE_STRING},
{.name = "timestart", .id = O_TIME_START, .type = XTTYPE_STRING},
{.name = "timestop", .id = O_TIME_STOP, .type = XTTYPE_STRING},
+ {.name = "contiguous", .id = O_TIME_CONTIGUOUS, .type = XTTYPE_NONE},
{.name = "weekdays", .id = O_WEEKDAYS, .type = XTTYPE_STRING,
.flags = XTOPT_INVERT},
{.name = "monthdays", .id = O_MONTHDAYS, .type = XTTYPE_STRING,
@@ -273,6 +276,9 @@
case O_TIME_STOP:
info->daytime_stop = time_parse_minutes(cb->arg);
break;
+ case O_TIME_CONTIGUOUS:
+ info->flags |= XT_TIME_CONTIGUOUS;
+ break;
case O_LOCAL_TZ:
fprintf(stderr, "WARNING: --localtz is being replaced by "
"--kerneltz, since \"local\" is ambiguous. Note the "
@@ -403,6 +409,8 @@
}
if (!(info->flags & XT_TIME_LOCAL_TZ))
printf(" UTC");
+ if (info->flags & XT_TIME_CONTIGUOUS)
+ printf(" contiguous");
}
static void time_save(const void *ip, const struct xt_entry_match *match)
@@ -429,6 +437,17 @@
time_print_date(info->date_stop, "--datestop");
if (info->flags & XT_TIME_LOCAL_TZ)
printf(" --kerneltz");
+ if (info->flags & XT_TIME_CONTIGUOUS)
+ printf(" --contiguous");
+}
+
+static void time_check(struct xt_fcheck_call *cb)
+{
+ const struct xt_time_info *info = (const void *) cb->data;
+ if ((cb->xflags & F_TIME_CONTIGUOUS) &&
+ info->daytime_start < info->daytime_stop)
+ xtables_error(PARAMETER_PROBLEM,
+ "time: --contiguous only makes sense when stoptime is smaller than starttime");
}
static struct xtables_match time_match = {
@@ -442,6 +461,7 @@
.print = time_print,
.save = time_save,
.x6_parse = time_parse,
+ .x6_fcheck = time_check,
.x6_options = time_opts,
};
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/extensions/libxt_time.man
^
|
@@ -30,6 +30,10 @@
to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
\fBTu\fP, etc.).
.TP
+\fB\-\-contiguous\fP
+When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match
+this as a single time period instead distinct intervals. See EXAMPLES.
+.TP
\fB\-\-kerneltz\fP
Use the kernel timezone instead of UTC to determine whether a packet meets the
time regulations.
@@ -84,3 +88,11 @@
(Note that this exploits a certain mathematical property. It is not possible to
say "fourth Thursday OR fourth Friday" in one rule. It is possible with
multiple rules, though.)
+.PP
+Matching across days might not do what is expected. For instance,
+.IP
+\-m time \-\-weekdays Mo \-\-timestart 23:00 \-\-timestop 01:00
+Will match Monday, for one hour from midnight to 1 a.m., and then
+again for another hour from 23:00 onwards. If this is unwanted, e.g. if you
+would like 'match for two hours from Montay 23:00 onwards' you need to also specify
+the \-\-contiguous option in the example above.
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/include/linux/netfilter/nf_conntrack_tuple_common.h
^
|
@@ -7,6 +7,33 @@
IP_CT_DIR_MAX
};
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+ /* Add other protocols here. */
+ __be16 all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ __be16 id;
+ } icmp;
+ struct {
+ __be16 port;
+ } dccp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ } gre;
+};
+
#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/include/linux/netfilter/nf_nat.h
^
|
@@ -0,0 +1,33 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_NAT_RANGE_MAP_IPS 1
+#define NF_NAT_RANGE_PROTO_SPECIFIED 2
+#define NF_NAT_RANGE_PROTO_RANDOM 4
+#define NF_NAT_RANGE_PERSISTENT 8
+
+struct nf_nat_ipv4_range {
+ unsigned int flags;
+ __be32 min_ip;
+ __be32 max_ip;
+ union nf_conntrack_man_proto min;
+ union nf_conntrack_man_proto max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+ unsigned int rangesize;
+ struct nf_nat_ipv4_range range[1];
+};
+
+struct nf_nat_range {
+ unsigned int flags;
+ union nf_inet_addr min_addr;
+ union nf_inet_addr max_addr;
+ union nf_conntrack_man_proto min_proto;
+ union nf_conntrack_man_proto max_proto;
+};
+
+#endif /* _NETFILTER_NF_NAT_H */
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/include/linux/netfilter/xt_conntrack.h
^
|
@@ -30,6 +30,7 @@
XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
XT_CONNTRACK_REPLDST_PORT = 1 << 11,
XT_CONNTRACK_DIRECTION = 1 << 12,
+ XT_CONNTRACK_STATE_ALIAS = 1 << 13,
};
struct xt_conntrack_mtinfo1 {
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/include/linux/netfilter/xt_time.h
^
|
@@ -16,6 +16,7 @@
enum {
/* Match against local time (instead of UTC) */
XT_TIME_LOCAL_TZ = 1 << 0,
+ XT_TIME_CONTIGUOUS = 1 << 1,
/* Shortcuts */
XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/include/linux/netfilter_ipv4/ipt_SAME.h
^
|
@@ -14,7 +14,7 @@
__u32 *iparray;
/* hangs off end. */
- struct nf_nat_range range[IPT_SAME_MAX_RANGE];
+ struct nf_nat_ipv4_range range[IPT_SAME_MAX_RANGE];
};
#endif /*_IPT_SAME_H*/
|
[-]
[+]
|
Added |
iptables-1.4.18.tar.bz2/include/linux/netfilter_ipv6/ip6t_NPT.h
^
|
@@ -0,0 +1,16 @@
+#ifndef __NETFILTER_IP6T_NPT
+#define __NETFILTER_IP6T_NPT
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+struct ip6t_npt_tginfo {
+ union nf_inet_addr src_pfx;
+ union nf_inet_addr dst_pfx;
+ __u8 src_pfx_len;
+ __u8 dst_pfx_len;
+ /* Used internally by the kernel */
+ __sum16 adjustment;
+};
+
+#endif /* __NETFILTER_IP6T_NPT */
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/include/xtables.h
^
|
@@ -201,6 +201,10 @@
struct xtables_lmap *next;
};
+enum xtables_ext_flags {
+ XTABLES_EXT_ALIAS = 1 << 0,
+};
+
/* Include file for additions: new matches and targets. */
struct xtables_match
{
@@ -218,6 +222,9 @@
/* Revision of match (0 by default). */
u_int8_t revision;
+ /* Extension flags */
+ u_int8_t ext_flags;
+
u_int16_t family;
/* Size of match data. */
@@ -251,6 +258,9 @@
/* ip is struct ipt_ip * for example */
void (*save)(const void *ip, const struct xt_entry_match *match);
+ /* Print match name or alias */
+ const char *(*alias)(const struct xt_entry_match *match);
+
/* Pointer to list of extra command-line options */
const struct option *extra_opts;
@@ -289,6 +299,9 @@
/* Revision of target (0 by default). */
u_int8_t revision;
+ /* Extension flags */
+ u_int8_t ext_flags;
+
u_int16_t family;
@@ -322,6 +335,9 @@
void (*save)(const void *ip,
const struct xt_entry_target *target);
+ /* Print target name or alias */
+ const char *(*alias)(const struct xt_entry_target *target);
+
/* Pointer to list of extra command-line options */
const struct option *extra_opts;
@@ -417,6 +433,8 @@
extern struct xtables_target *xtables_find_target(const char *name,
enum xtables_tryload);
+extern void xtables_rule_matches_free(struct xtables_rule_match **matches);
+
/* Your shared library should call one of these. */
extern void xtables_register_match(struct xtables_match *me);
extern void xtables_register_matches(struct xtables_match *, unsigned int);
@@ -467,6 +485,22 @@
*/
extern void xtables_save_string(const char *value);
+#define FMT_NUMERIC 0x0001
+#define FMT_NOCOUNTS 0x0002
+#define FMT_KILOMEGAGIGA 0x0004
+#define FMT_OPTIONS 0x0008
+#define FMT_NOTABLE 0x0010
+#define FMT_NOTARGET 0x0020
+#define FMT_VIA 0x0040
+#define FMT_NONEWLINE 0x0080
+#define FMT_LINENUMBERS 0x0100
+
+#define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
+ | FMT_NUMERIC | FMT_NOTABLE)
+#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
+
+extern void xtables_print_num(uint64_t number, unsigned int format);
+
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
# ifdef _INIT
# undef _init
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/ip6tables-restore.8
^
|
@@ -21,7 +21,8 @@
.SH NAME
ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
+[\fB\-T\fP \fIname\fP]
.SH DESCRIPTION
.PP
.B ip6tables-restore
@@ -31,8 +32,23 @@
\fB\-c\fR, \fB\-\-counters\fR
restore the values of all packet and byte counters
.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print a short option summary.
+.TP
\fB\-n\fR, \fB\-\-noflush\fR
-don't flush the previous contents of the table. If not specified,
+don't flush the previous contents of the table. If not specified,
+\fBip6tables-restore\fP flushes (deletes) all previous contents of the
+respective table.
+.TP
+\fB\-t\fP, \fB\-\-test\fP
+Only parse and construct the ruleset, but do not commit it.
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Print additional debug info during ruleset processing.
+.TP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, ip6tables-restore will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
.TP
\fB\-T\fP, \fB\-\-table\fP \fIname\fP
Restore only the named table even if the input stream contains other ones.
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/ip6tables.8.in
^
|
@@ -87,7 +87,7 @@
is matched, the target specified by the chain policy determines the
fate of the packet.
.SH TABLES
-There are currently three independent tables (which tables are present
+There are currently five independent tables (which tables are present
at any time depends on the kernel configuration options and which
modules are present).
.TP
@@ -106,6 +106,13 @@
\fBFORWARD\fP (for packets being routed through the box), and
\fBOUTPUT\fP (for locally-generated packets).
.TP
+\fBnat\fP:
+This table is consulted when a packet that creates a new
+connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
+(for altering packets as soon as they come in), \fBOUTPUT\fP
+(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
+(for altering packets as they are about to go out). Available since kernel 3.7.
+.TP
\fBmangle\fP:
This table is used for specialized packet alteration. Until kernel
2.4.17 it had two built-in chains: \fBPREROUTING\fP
@@ -240,6 +247,15 @@
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
.TP
+\fB\-4\fP, \fB\-\-ipv4\fP
+If a rule using the \fB\-4\fP option is inserted with (and only with)
+ip6tables-restore, it will be silently ignored. Any other uses will throw an
+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+for use with both iptables-restore and ip6tables-restore.
+.TP
+\fB\-6\fP, \fB\-\-ipv6\fP
+This option has no effect in ip6tables and ip6tables-restore.
+.TP
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
@@ -281,6 +297,13 @@
(source) flag for a detailed description of the syntax. The flag
\fB\-\-dst\fP is an alias for this option.
.TP
+\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
+Specifies a match to use, that is, an extension module that tests for a
+specific property. The set of matches make up the condition under which a
+target is invoked. Matches are evaluated first to last as specified on the
+command line and work in short-circuit fashion, i.e. if one extension yields
+false, evaluation will stop.
+.TP
\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/ip6tables.c
^
|
@@ -52,21 +52,6 @@
#define FALSE 0
#endif
-#define FMT_NUMERIC 0x0001
-#define FMT_NOCOUNTS 0x0002
-#define FMT_KILOMEGAGIGA 0x0004
-#define FMT_OPTIONS 0x0008
-#define FMT_NOTABLE 0x0010
-#define FMT_NOTARGET 0x0020
-#define FMT_VIA 0x0040
-#define FMT_NONEWLINE 0x0080
-#define FMT_LINENUMBERS 0x0100
-
-#define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
- | FMT_NUMERIC | FMT_NOTABLE)
-#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
-
-
#define CMD_NONE 0x0000U
#define CMD_INSERT 0x0001U
#define CMD_DELETE 0x0002U
@@ -442,31 +427,6 @@
}
}
-static void
-print_num(uint64_t number, unsigned int format)
-{
- if (format & FMT_KILOMEGAGIGA) {
- if (number > 99999) {
- number = (number + 500) / 1000;
- if (number > 9999) {
- number = (number + 500) / 1000;
- if (number > 9999) {
- number = (number + 500) / 1000;
- if (number > 9999) {
- number = (number + 500) / 1000;
- printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
- }
- else printf(FMT("%4lluG ","%lluG "), (unsigned long long)number);
- }
- else printf(FMT("%4lluM ","%lluM "), (unsigned long long)number);
- } else
- printf(FMT("%4lluK ","%lluK "), (unsigned long long)number);
- } else
- printf(FMT("%5llu ","%llu "), (unsigned long long)number);
- } else
- printf(FMT("%8llu ","%llu "), (unsigned long long)number);
-}
-
static void
print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
@@ -478,9 +438,9 @@
printf(" (policy %s", pol);
if (!(format & FMT_NOCOUNTS)) {
fputc(' ', stdout);
- print_num(counters.pcnt, (format|FMT_NOTABLE));
+ xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
fputs("packets, ", stdout);
- print_num(counters.bcnt, (format|FMT_NOTABLE));
+ xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
fputs("bytes", stdout);
}
printf(")\n");
@@ -563,8 +523,8 @@
printf(FMT("%-4u ", "%u "), num);
if (!(format & FMT_NOCOUNTS)) {
- print_num(fw->counters.pcnt, format);
- print_num(fw->counters.bcnt, format);
+ xtables_print_num(fw->counters.pcnt, format);
+ xtables_print_num(fw->counters.bcnt, format);
}
if (!(format & FMT_NOTARGET))
@@ -1040,7 +1000,8 @@
xtables_find_match(e->u.user.name, XTF_TRY_LOAD, NULL);
if (match) {
- printf(" -m %s", e->u.user.name);
+ printf(" -m %s",
+ match->alias ? match->alias(e) : e->u.user.name);
/* some matches don't provide a save function */
if (match->save)
@@ -1129,16 +1090,8 @@
if (counters < 0)
printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
- /* Print target name */
+ /* Print target name and targinfo part */
target_name = ip6tc_get_target(e, h);
- if (target_name && (*target_name != '\0'))
-#ifdef IP6T_F_GOTO
- printf(" -%c %s", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name);
-#else
- printf(" -j %s", target_name);
-#endif
-
- /* Print targinfo part */
t = ip6t_get_target((struct ip6t_entry *)e);
if (t->u.user.name[0]) {
struct xtables_target *target =
@@ -1150,6 +1103,7 @@
exit(1);
}
+ printf(" -j %s", target->alias ? target->alias(t) : target_name);
if (target->save)
target->save(&e->ipv6, t);
else {
@@ -1164,7 +1118,13 @@
exit(1);
}
}
- }
+ } else if (target_name && (*target_name != '\0'))
+#ifdef IP6T_F_GOTO
+ printf(" -%c %s", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name);
+#else
+ printf(" -j %s", target_name);
+#endif
+
printf("\n");
}
@@ -1249,27 +1209,6 @@
return e;
}
-static void clear_rule_matches(struct xtables_rule_match **matches)
-{
- struct xtables_rule_match *matchp, *tmp;
-
- for (matchp = *matches; matchp;) {
- tmp = matchp->next;
- if (matchp->match->m) {
- free(matchp->match->m);
- matchp->match->m = NULL;
- }
- if (matchp->match == matchp->match->next) {
- free(matchp->match);
- matchp->match = NULL;
- }
- free(matchp);
- matchp = tmp;
- }
-
- *matches = NULL;
-}
-
static void command_jump(struct iptables_command_state *cs)
{
size_t size;
@@ -1290,9 +1229,10 @@
strcpy(cs->target->t->u.user.name, cs->jumpto);
} else {
strcpy(cs->target->t->u.user.name, cs->target->real_name);
- fprintf(stderr, "WARNING: The %s target is obsolete. "
- "Use %s instead.\n",
- cs->jumpto, cs->target->real_name);
+ if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: The %s target is converted into %s target "
+ "in rule listing and saving.\n",
+ cs->jumpto, cs->target->real_name);
}
cs->target->t->u.user.revision = cs->target->revision;
@@ -1326,8 +1266,9 @@
strcpy(m->m->u.user.name, m->name);
} else {
strcpy(m->m->u.user.name, m->real_name);
- fprintf(stderr, "WARNING: The %s match is obsolete. "
- "Use %s instead.\n", m->name, m->real_name);
+ if (!(m->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: The %s match is converted into %s match "
+ "in rule listing and saving.\n", m->name, m->real_name);
}
m->m->u.user.revision = m->revision;
@@ -1963,7 +1904,7 @@
if (verbose > 1)
dump_entries6(*handle);
- clear_rule_matches(&cs.matches);
+ xtables_rule_matches_free(&cs.matches);
if (e != NULL) {
free(e);
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/iptables-extensions.8.in
^
|
@@ -15,7 +15,8 @@
module. You can specify multiple extended match modules in one line,
and you can use the \fB\-h\fP or \fB\-\-help\fP
options after the module has been specified to receive help specific
-to that module.
+to that module. The extended match modules are evaluated in the order
+they are specified in the rule.
.PP
If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an
unknown option is encountered, iptables will try load a match module of the
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/iptables-restore.8
^
|
@@ -21,7 +21,8 @@
.SH NAME
iptables-restore \(em Restore IP Tables
.SH SYNOPSIS
-\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP]
+\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
+[\fB\-T\fP \fIname\fP]
.SH DESCRIPTION
.PP
.B iptables-restore
@@ -31,10 +32,23 @@
\fB\-c\fR, \fB\-\-counters\fR
restore the values of all packet and byte counters
.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print a short option summary.
+.TP
\fB\-n\fR, \fB\-\-noflush\fR
don't flush the previous contents of the table. If not specified,
.B iptables-restore
-flushes (deletes) all previous contents of the respective IP Table.
+flushes (deletes) all previous contents of the respective table.
+.TP
+\fB\-t\fP, \fB\-\-test\fP
+Only parse and construct the ruleset, but do not commit it.
+.TP
+\fB\-v\fP, \fB\-\-verbose\fP
+Print additional debug info during ruleset processing.
+.TP
+\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-restore will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
.TP
\fB\-T\fP, \fB\-\-table\fP \fIname\fP
Restore only the named table even if the input stream contains other ones.
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/iptables.8.in
^
|
@@ -86,7 +86,7 @@
is matched, the target specified by the chain policy determines the
fate of the packet.
.SH TABLES
-There are currently three independent tables (which tables are present
+There are currently five independent tables (which tables are present
at any time depends on the kernel configuration options and which
modules are present).
.TP
@@ -243,6 +243,15 @@
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
.TP
+\fB\-4\fP, \fB\-\-ipv4\fP
+This option has no effect in iptables and iptables-restore.
+.TP
+\fB\-6\fP, \fB\-\-ipv6\fP
+If a rule using the \fB\-6\fP option is inserted with (and only with)
+iptables-restore, it will be silently ignored. Any other uses will throw an
+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+for use with both iptables-restore and ip6tables-restore.
+.TP
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
@@ -277,6 +286,13 @@
(source) flag for a detailed description of the syntax. The flag
\fB\-\-dst\fP is an alias for this option.
.TP
+\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
+Specifies a match to use, that is, an extension module that tests for a
+specific property. The set of matches make up the condition under which a
+target is invoked. Matches are evaluated first to last as specified on the
+command line and work in short-circuit fashion, i.e. if one extension yields
+false, evaluation will stop.
+.TP
\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
This specifies the target of the rule; i.e., what to do if the packet
matches it. The target can be a user-defined chain (other than the
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/iptables/iptables.c
^
|
@@ -48,21 +48,6 @@
#define FALSE 0
#endif
-#define FMT_NUMERIC 0x0001
-#define FMT_NOCOUNTS 0x0002
-#define FMT_KILOMEGAGIGA 0x0004
-#define FMT_OPTIONS 0x0008
-#define FMT_NOTABLE 0x0010
-#define FMT_NOTARGET 0x0020
-#define FMT_VIA 0x0040
-#define FMT_NONEWLINE 0x0080
-#define FMT_LINENUMBERS 0x0100
-
-#define FMT_PRINT_RULE (FMT_NOCOUNTS | FMT_OPTIONS | FMT_VIA \
- | FMT_NUMERIC | FMT_NOTABLE)
-#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
-
-
#define CMD_NONE 0x0000U
#define CMD_INSERT 0x0001U
#define CMD_DELETE 0x0002U
@@ -186,22 +171,6 @@
#define prog_name iptables_globals.program_name
#define prog_vers iptables_globals.program_version
-/* Primitive headers... */
-/* defined in netinet/in.h */
-#if 0
-#ifndef IPPROTO_ESP
-#define IPPROTO_ESP 50
-#endif
-#ifndef IPPROTO_AH
-#define IPPROTO_AH 51
-#endif
-#endif
-
-enum {
- IPT_DOTTED_ADDR = 0,
- IPT_DOTTED_MASK
-};
-
static void __attribute__((noreturn))
exit_tryhelp(int status)
{
@@ -445,32 +414,6 @@
}
static void
-print_num(uint64_t number, unsigned int format)
-{
- if (format & FMT_KILOMEGAGIGA) {
- if (number > 99999) {
- number = (number + 500) / 1000;
- if (number > 9999) {
- number = (number + 500) / 1000;
- if (number > 9999) {
- number = (number + 500) / 1000;
- if (number > 9999) {
- number = (number + 500) / 1000;
- printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
- }
- else printf(FMT("%4lluG ","%lluG "), (unsigned long long)number);
- }
- else printf(FMT("%4lluM ","%lluM "), (unsigned long long)number);
- } else
- printf(FMT("%4lluK ","%lluK "), (unsigned long long)number);
- } else
- printf(FMT("%5llu ","%llu "), (unsigned long long)number);
- } else
- printf(FMT("%8llu ","%llu "), (unsigned long long)number);
-}
-
-
-static void
print_header(unsigned int format, const char *chain, struct xtc_handle *handle)
{
struct xt_counters counters;
@@ -480,9 +423,9 @@
printf(" (policy %s", pol);
if (!(format & FMT_NOCOUNTS)) {
fputc(' ', stdout);
- print_num(counters.pcnt, (format|FMT_NOTABLE));
+ xtables_print_num(counters.pcnt, (format|FMT_NOTABLE));
fputs("packets, ", stdout);
- print_num(counters.bcnt, (format|FMT_NOTABLE));
+ xtables_print_num(counters.bcnt, (format|FMT_NOTABLE));
fputs("bytes", stdout);
}
printf(")\n");
@@ -567,8 +510,8 @@
printf(FMT("%-4u ", "%u "), num);
if (!(format & FMT_NOCOUNTS)) {
- print_num(fw->counters.pcnt, format);
- print_num(fw->counters.bcnt, format);
+ xtables_print_num(fw->counters.pcnt, format);
+ xtables_print_num(fw->counters.bcnt, format);
}
if (!(format & FMT_NOTARGET))
@@ -1048,7 +991,8 @@
xtables_find_match(e->u.user.name, XTF_TRY_LOAD, NULL);
if (match) {
- printf(" -m %s", e->u.user.name);
+ printf(" -m %s",
+ match->alias ? match->alias(e) : e->u.user.name);
/* some matches don't provide a save function */
if (match->save)
@@ -1137,16 +1081,8 @@
if (counters < 0)
printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt);
- /* Print target name */
+ /* Print target name and targinfo part */
target_name = iptc_get_target(e, h);
- if (target_name && (*target_name != '\0'))
-#ifdef IPT_F_GOTO
- printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
-#else
- printf(" -j %s", target_name);
-#endif
-
- /* Print targinfo part */
t = ipt_get_target((struct ipt_entry *)e);
if (t->u.user.name[0]) {
const struct xtables_target *target =
@@ -1158,6 +1094,7 @@
exit(1);
}
+ printf(" -j %s", target->alias ? target->alias(t) : target_name);
if (target->save)
target->save(&e->ip, t);
else {
@@ -1172,7 +1109,13 @@
exit(1);
}
}
- }
+ } else if (target_name && (*target_name != '\0'))
+#ifdef IPT_F_GOTO
+ printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name);
+#else
+ printf(" -j %s", target_name);
+#endif
+
printf("\n");
}
@@ -1257,27 +1200,6 @@
return e;
}
-static void clear_rule_matches(struct xtables_rule_match **matches)
-{
- struct xtables_rule_match *matchp, *tmp;
-
- for (matchp = *matches; matchp;) {
- tmp = matchp->next;
- if (matchp->match->m) {
- free(matchp->match->m);
- matchp->match->m = NULL;
- }
- if (matchp->match == matchp->match->next) {
- free(matchp->match);
- matchp->match = NULL;
- }
- free(matchp);
- matchp = tmp;
- }
-
- *matches = NULL;
-}
-
static void command_jump(struct iptables_command_state *cs)
{
size_t size;
@@ -1300,9 +1222,10 @@
} else {
/* Alias support for userspace side */
strcpy(cs->target->t->u.user.name, cs->target->real_name);
- fprintf(stderr, "WARNING: The %s target is obsolete. "
- "Use %s instead.\n",
- cs->jumpto, cs->target->real_name);
+ if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: The %s target is converted into %s target "
+ "in rule listing and saving.\n",
+ cs->jumpto, cs->target->real_name);
}
cs->target->t->u.user.revision = cs->target->revision;
@@ -1337,8 +1260,9 @@
strcpy(m->m->u.user.name, m->name);
} else {
strcpy(m->m->u.user.name, m->real_name);
- fprintf(stderr, "WARNING: The %s match is obsolete. "
- "Use %s instead.\n", m->name, m->real_name);
+ if (!(m->ext_flags & XTABLES_EXT_ALIAS))
+ fprintf(stderr, "Notice: the %s match is converted into %s match "
+ "in rule listing and saving.\n", m->name, m->real_name);
}
m->m->u.user.revision = m->revision;
@@ -1979,7 +1903,7 @@
if (verbose > 1)
dump_entries(*handle);
- clear_rule_matches(&cs.matches);
+ xtables_rule_matches_free(&cs.matches);
if (e != NULL) {
free(e);
|
[-]
[+]
|
Changed |
iptables-1.4.18.tar.bz2/libxtables/xtables.c
^
|
@@ -1075,6 +1075,28 @@
} while (n > 0);
}
+/* receives a list of xtables_rule_match, release them */
+void xtables_rule_matches_free(struct xtables_rule_match **matches)
+{
+ struct xtables_rule_match *matchp, *tmp;
+
+ for (matchp = *matches; matchp;) {
+ tmp = matchp->next;
+ if (matchp->match->m) {
+ free(matchp->match->m);
+ matchp->match->m = NULL;
+ }
+ if (matchp->match == matchp->match->next) {
+ free(matchp->match);
+ matchp->match = NULL;
+ }
+ free(matchp);
+ matchp = tmp;
+ }
+
+ *matches = NULL;
+}
+
/**
* xtables_param_act - act on condition
* @status: a constant from enum xtables_exittype
@@ -1890,6 +1912,35 @@
return -1;
}
+void xtables_print_num(uint64_t number, unsigned int format)
+{
+ if (!(format & FMT_KILOMEGAGIGA)) {
+ printf(FMT("%8llu ","%llu "), (unsigned long long)number);
+ return;
+ }
+ if (number <= 99999) {
+ printf(FMT("%5llu ","%llu "), (unsigned long long)number);
+ return;
+ }
+ number = (number + 500) / 1000;
+ if (number <= 9999) {
+ printf(FMT("%4lluK ","%lluK "), (unsigned long long)number);
+ return;
+ }
+ number = (number + 500) / 1000;
+ if (number <= 9999) {
+ printf(FMT("%4lluM ","%lluM "), (unsigned long long)number);
+ return;
+ }
+ number = (number + 500) / 1000;
+ if (number <= 9999) {
+ printf(FMT("%4lluG ","%lluG "), (unsigned long long)number);
+ return;
+ }
+ number = (number + 500) / 1000;
+ printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
+}
+
int kernel_version;
void get_kernel_version(void)
|