Changes - j0ke.net Open Build Service

Changes of Revision 35

[-] [+]	Changed	iptables.changes
@@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Mon May 13 20:22:35 UTC 2013 - cs@linux-administrator.com + +- update to release 1.4.18 + +------------------------------------------------------------------- Sun Jan 13 11:08:31 UTC 2013 - cs@linux-administrator.com - update to release 1.4.17
[-] [+]	Changed	iptables.spec ^
@@ -22,16 +22,12 @@ License: GPL v2 or later Group: Productivity/Networking/Security AutoReqProv: on -Version: 1.4.17 -%define real_ver 1.4.17 +Version: 1.4.18 +%define real_ver 1.4.18 Release: 1 Summary: IP Packet Filter Administration Source0: %name-%version.tar.bz2 Source1: %{name}-1.4.2-rc1-debian-howtos.tar.bz2 -# fix for 1.4.17 (already upstream) -Patch10: libip6t_NETMAP-linkfix.patch -Patch11: libip6t_DNPT-wordingfix.patch - Url: http://netfilter.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} @@ -74,8 +70,6 @@ %prep %setup -q -a 1 -%patch10 -p1 -%patch11 -p1 %build autoreconf -f -i
[-] [+]	Deleted	libip6t_DNPT-wordingfix.patch ^
@@ -1,72 +0,0 @@ -From: Ulrich Weber <ulrich.weber@sophos.com> -Date: Wed, 2 Jan 2013 06:03:49 +0000 (+0000) -Subject: extensions: libip6t_DNPT: fix wording in DNPT target -X-Git-Url: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=7b04e3ef3a6ffccb23de83ef3b2d8f5aeaaa09e5 - -extensions: libip6t_DNPT: fix wording in DNPT target - -replaces SNPT by DNPT. - -This fixes broken help message that points to SNPT. - -Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - -diff --git a/extensions/libip6t_DNPT.c b/extensions/libip6t_DNPT.c -index 9e4dc5c..7439816 100644 ---- a/extensions/libip6t_DNPT.c -+++ b/extensions/libip6t_DNPT.c -@@ -8,7 +8,7 @@ enum { - O_DST_PFX = 1 << 1, - }; - --static const struct xt_option_entry SNPT_options[] = { -+static const struct xt_option_entry DNPT_options[] = { - { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK, - .flags = XTOPT_MAND }, - { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK, -@@ -16,16 +16,16 @@ static const struct xt_option_entry SNPT_options[] = { - { } - }; - --static void SNPT_help(void) -+static void DNPT_help(void) - { -- printf("SNPT target options:" -+ printf("DNPT target options:" - "\n" - " --src-pfx prefix/length\n" - " --dst-pfx prefix/length\n" - "\n"); - } - --static void SNPT_parse(struct xt_option_call cb) -+static void DNPT_parse(struct xt_option_call cb) - { - struct ip6t_npt_tginfo npt = cb->data; - -@@ -42,7 +42,7 @@ static void SNPT_parse(struct xt_option_call cb) - } - } - --static void SNPT_print(const void ip, const struct xt_entry_target target, -+static void DNPT_print(const void ip, const struct xt_entry_target target, - int numeric) - { - const struct ip6t_npt_tginfo npt = (const void )target->data; -@@ -59,10 +59,10 @@ static struct xtables_target snpt_tg_reg = { - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)), - .userspacesize = offsetof(struct ip6t_npt_tginfo, adjustment), -- .help = SNPT_help, -- .x6_parse = SNPT_parse, -- .print = SNPT_print, -- .x6_options = SNPT_options, -+ .help = DNPT_help, -+ .x6_parse = DNPT_parse, -+ .print = DNPT_print, -+ .x6_options = DNPT_options, - }; - - void _init(void)
[-] [+]	Deleted	libip6t_NETMAP-linkfix.patch ^
@@ -1,81 +0,0 @@ -From: Jan Engelhardt <jengelh@inai.de> -Date: Tue, 1 Jan 2013 22:47:51 +0000 (+0000) -Subject: build: resolve link failure for ip6t_NETMAP -X-Git-Url: https://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff_plain;h=68e77a26111ee6b8f10c735a76891a7de6d57ee6 - -build: resolve link failure for ip6t_NETMAP - -Link stage of libip6t_NETMAP failed since recently. - - CCLD libip6t_NETMAP.so -/usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: -cannot find -lip6tc - -libip6t_NETMAP.c uses the "ipv6_prefix_length" function from -libip6tc.so; "-lip6tc" is used in the Makefile, but, the directory to -it is not specified. - -Why does the link succeed for some people? Because -/usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments, -especially those without iptables development files, have that file, -hence this link error can happen. - -By suggestion of Mike Frysinger, this patch uses libtool to produce -and link the plugins. - -Signed-off-by: Jan Engelhardt <jengelh@inai.de> -Acked-by: Mike Frysinger <vapier@gentoo.org> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - -diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in -index e71e3ff..adad4d6 100644 ---- a/extensions/GNUmakefile.in -+++ b/extensions/GNUmakefile.in -@@ -33,6 +33,7 @@ AM_VERBOSE_CXX = @echo " CXX " $@; - AM_VERBOSE_CXXLD = @echo " CXXLD " $@; - AM_VERBOSE_AR = @echo " AR " $@; - AM_VERBOSE_GEN = @echo " GEN " $@; -+AM_VERBOSE_NULL = @ - endif - - # -@@ -75,7 +76,7 @@ install: ${targets_install} - if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; - - clean: -- rm -f .o .oo .so .a {matches,targets}.man initext.c initext4.c initext6.c; -+ rm -f .la .o .lo .so .a {matches,targets}.man initext.c initext4.c initext6.c; - rm -f ..d ..dd; - - distclean: clean -@@ -89,19 +90,22 @@ init%.o: init%.c - # - # Shared libraries - # --lib%.so: lib%.oo -- ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$_LIBADD}; -+lib%.so: lib%.la -+ ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@ - --lib%.oo: ${srcdir}/lib%.c -- ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; -+lib%.la: lib%.lo -+ ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$_LIBADD} -rpath ${xtlibdir} -+ -+lib%.lo: ${srcdir}/lib%.c -+ ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $< - - libxt_NOTRACK.so: libxt_CT.so -- ln -fs $< $@ -+ ${AM_VERBOSE_GEN} ln -fs $< $@ - libxt_state.so: libxt_conntrack.so -- ln -fs $< $@ -+ ${AM_VERBOSE_GEN} ln -fs $< $@ - - # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD --ip6t_NETMAP_LIBADD = -lip6tc -+ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la - xt_RATEEST_LIBADD = -lm - xt_statistic_LIBADD = -lm -
[-] [+]	Deleted	iptables-1.4.16.3.tar.bz2/include/net ^
-(directory)
[-] [+]	Deleted	iptables-1.4.16.3.tar.bz2/include/net/netfilter ^
-(directory)
[-] [+]	Deleted	iptables-1.4.16.3.tar.bz2/include/net/netfilter/nf_conntrack_tuple.h ^
@@ -1,114 +0,0 @@ -/* This file was manually copied from the Linux kernel source - * and manually stripped from __KERNEL__ sections and unused functions. - / - -/ - * Definitions and Declarations for tuple. - * - * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> - * - generalize L3 protocol dependent part. - * - * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h - / - -#ifndef _NF_CONNTRACK_TUPLE_H -#define _NF_CONNTRACK_TUPLE_H - -#include <linux/netfilter/x_tables.h> -#include <linux/netfilter/nf_conntrack_tuple_common.h> - -/ A `tuple' is a structure containing the information to uniquely - identify a connection. ie. if two packets have the same tuple, they - are in the same connection; if not, they are not. - - We divide the structure along "manipulatable" and - "non-manipulatable" lines, for the benefit of the NAT code. -/ - -#define NF_CT_TUPLE_L3SIZE ARRAY_SIZE(((union nf_inet_addr )NULL)->all) - -/* The protocol-specific manipulable parts of the tuple: always in - network order! / -union nf_conntrack_man_proto -{ - / Add other protocols here. / - __be16 all; - - struct { - __be16 port; - } tcp; - struct { - __be16 port; - } udp; - struct { - __be16 id; - } icmp; - struct { - __be16 port; - } dccp; - struct { - __be16 port; - } sctp; - struct { - __be16 key; / GRE key is 32bit, PPtP only uses 16bit / - } gre; -}; - -/ The manipulable part of the tuple. / -struct nf_conntrack_man -{ - union nf_inet_addr u3; - union nf_conntrack_man_proto u; - / Layer 3 protocol / - u_int16_t l3num; -}; - -/ This contains the information to distinguish a connection. / -struct nf_conntrack_tuple -{ - struct nf_conntrack_man src; - - / These are the parts of the tuple which are fixed. / - struct { - union nf_inet_addr u3; - union { - / Add other protocols here. / - __be16 all; - - struct { - __be16 port; - } tcp; - struct { - __be16 port; - } udp; - struct { - u_int8_t type, code; - } icmp; - struct { - __be16 port; - } dccp; - struct { - __be16 port; - } sctp; - struct { - __be16 key; - } gre; - } u; - - / The protocol. / - u_int8_t protonum; - - / The direction (for tuplehash) / - u_int8_t dir; - } dst; -}; - -struct nf_conntrack_tuple_mask -{ - struct { - union nf_inet_addr u3; - union nf_conntrack_man_proto u; - } src; -}; - -#endif / _NF_CONNTRACK_TUPLE_H */
[-] [+]	Deleted	iptables-1.4.16.3.tar.bz2/include/net/netfilter/nf_nat.h ^
@@ -1,55 +0,0 @@ -#ifndef _NF_NAT_H -#define _NF_NAT_H -#include <linux/netfilter_ipv4.h> -#include <net/netfilter/nf_conntrack_tuple.h> - -#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16 - -enum nf_nat_manip_type -{ - IP_NAT_MANIP_SRC, - IP_NAT_MANIP_DST -}; - -/* SRC manip occurs POST_ROUTING or LOCAL_IN / -#define HOOK2MANIP(hooknum) ((hooknum) != NF_INET_POST_ROUTING && \ - (hooknum) != NF_INET_LOCAL_IN) - -#define IP_NAT_RANGE_MAP_IPS 1 -#define IP_NAT_RANGE_PROTO_SPECIFIED 2 -#define IP_NAT_RANGE_PROTO_RANDOM 4 -#define IP_NAT_RANGE_PERSISTENT 8 - -/ NAT sequence number modifications / -struct nf_nat_seq { - / position of the last TCP sequence number modification (if any) / - u_int32_t correction_pos; - - / sequence number offset before and after last modification / - int16_t offset_before, offset_after; -}; - -/ Single range specification. / -struct nf_nat_range -{ - / Set to OR of flags above. / - unsigned int flags; - - / Inclusive: network order. / - __be32 min_ip, max_ip; - - / Inclusive: network order / - union nf_conntrack_man_proto min, max; -}; - -/ For backwards compat: don't use in modern code. / -struct nf_nat_multi_range_compat -{ - unsigned int rangesize; / Must be 1. / - - / hangs off end. */ - struct nf_nat_range range[1]; -}; - -#define nf_nat_multi_range nf_nat_multi_range_compat -#endif
	Deleted	iptables-1.4.17.tar.bz2 ^
[-] [+]	Changed	iptables-1.4.18.tar.bz2/configure ^
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for iptables 1.4.16.3. +# Generated by GNU Autoconf 2.69 for iptables 1.4.18. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='iptables' PACKAGE_TARNAME='iptables' -PACKAGE_VERSION='1.4.16.3' -PACKAGE_STRING='iptables 1.4.16.3' +PACKAGE_VERSION='1.4.18' +PACKAGE_STRING='iptables 1.4.18' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1351,7 +1351,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iptables 1.4.16.3 to adapt to many kinds of systems. +\`configure' configures iptables 1.4.18 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1421,7 +1421,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short \| recursive ) echo "Configuration of iptables 1.4.16.3:";; + short \| recursive ) echo "Configuration of iptables 1.4.18:";; esac cat <<\_ACEOF @@ -1545,7 +1545,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iptables configure 1.4.16.3 +iptables configure 1.4.18 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2093,7 +2093,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iptables $as_me 1.4.16.3, which was +It was created by iptables $as_me 1.4.18, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2443,7 +2443,7 @@ # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=9 +libxtables_vcurrent=10 libxtables_vage=0 ac_aux_dir= @@ -2916,7 +2916,7 @@ # Define the identity of the package. PACKAGE='iptables' - VERSION='1.4.16.3' + VERSION='1.4.18' cat >>confdefs.h <<_ACEOF @@ -12836,7 +12836,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iptables $as_me 1.4.16.3, which was +This file was extended by iptables $as_me 1.4.18, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -12902,7 +12902,7 @@ cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -iptables config.status 1.4.16.3 +iptables config.status 1.4.18 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
[-] [+]	Changed	iptables-1.4.18.tar.bz2/configure.ac ^
@@ -1,8 +1,8 @@ -AC_INIT([iptables], [1.4.16.3]) +AC_INIT([iptables], [1.4.18]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=9 +libxtables_vcurrent=10 libxtables_vage=0 AC_CONFIG_AUX_DIR([build-aux])
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/GNUmakefile.in ^
@@ -33,6 +33,7 @@ AM_VERBOSE_CXXLD = @echo " CXXLD " $@; AM_VERBOSE_AR = @echo " AR " $@; AM_VERBOSE_GEN = @echo " GEN " $@; +AM_VERBOSE_NULL = @ endif # @@ -75,7 +76,7 @@ if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; clean: - rm -f .o .oo .so .a {matches,targets}.man initext.c initext4.c initext6.c; + rm -f .la .o .lo .so .a {matches,targets}.man initext.c initext4.c initext6.c; rm -f ..d ..dd; distclean: clean @@ -89,22 +90,25 @@ # # Shared libraries # -lib%.so: lib%.oo - ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$_LIBADD}; +lib%.so: lib%.la + ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@ -lib%.oo: ${srcdir}/lib%.c - ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; +lib%.la: lib%.lo + ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$_LIBADD} -rpath ${xtlibdir} + +lib%.lo: ${srcdir}/lib%.c + ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $< libxt_NOTRACK.so: libxt_CT.so - ln -fs $< $@ + ${AM_VERBOSE_GEN} ln -fs $< $@ libxt_state.so: libxt_conntrack.so - ln -fs $< $@ + ${AM_VERBOSE_GEN} ln -fs $< $@ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD +ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la xt_RATEEST_LIBADD = -lm xt_statistic_LIBADD = -lm - # # Static bits #
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_DNAT.c ^
@@ -0,0 +1,252 @@ +/* + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> + * + * Based on Rusty Russell's IPv4 DNAT target. Development of IPv6 NAT + * funded by Astaro. + / + +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <xtables.h> +#include <iptables.h> +#include <limits.h> / INT_MAX in ip_tables.h / +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/nf_nat.h> + +enum { + O_TO_DEST = 0, + O_RANDOM, + O_PERSISTENT, + O_X_TO_DEST, + F_TO_DEST = 1 << O_TO_DEST, + F_RANDOM = 1 << O_RANDOM, + F_X_TO_DEST = 1 << O_X_TO_DEST, +}; + +static void DNAT_help(void) +{ + printf( +"DNAT target options:\n" +" --to-destination [<ipaddr>[-<ipaddr>]][:port[-port]]\n" +" Address to map destination to.\n" +"[--random] [--persistent]\n"); +} + +static const struct xt_option_entry DNAT_opts[] = { + {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING, + .flags = XTOPT_MAND \| XTOPT_MULTI}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +/ Ranges expected in network order. / +static void +parse_to(const char orig_arg, int portok, struct nf_nat_range range) +{ + char arg, start, end = NULL, colon = NULL, dash, error; + const struct in6_addr ip; + + arg = strdup(orig_arg); + if (arg == NULL) + xtables_error(RESOURCE_PROBLEM, "strdup"); + + start = strchr(arg, '['); + if (start == NULL) { + start = arg; + /* Lets assume one colon is port information. Otherwise its an IPv6 address / + colon = strchr(arg, ':'); + if (colon && strchr(colon+1, ':')) + colon = NULL; + } + else { + start++; + end = strchr(start, ']'); + if (end == NULL) + xtables_error(PARAMETER_PROBLEM, + "Invalid address format"); + + end = '\0'; + colon = strchr(end + 1, ':'); + } + + if (colon) { + int port; + + if (!portok) + xtables_error(PARAMETER_PROBLEM, + "Need TCP, UDP, SCTP or DCCP with port specification"); + + range->flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; + + port = atoi(colon+1); + if (port <= 0 \|\| port > 65535) + xtables_error(PARAMETER_PROBLEM, + "Port `%s' not valid\n", colon+1); + + error = strchr(colon+1, ':'); + if (error) + xtables_error(PARAMETER_PROBLEM, + "Invalid port:port syntax - use dash\n"); + + dash = strchr(colon, '-'); + if (!dash) { + range->min_proto.tcp.port + = range->max_proto.tcp.port + = htons(port); + } else { + int maxport; + + maxport = atoi(dash + 1); + if (maxport <= 0 \|\| maxport > 65535) + xtables_error(PARAMETER_PROBLEM, + "Port `%s' not valid\n", dash+1); + if (maxport < port) + /* People are stupid. / + xtables_error(PARAMETER_PROBLEM, + "Port range `%s' funky\n", colon+1); + range->min_proto.tcp.port = htons(port); + range->max_proto.tcp.port = htons(maxport); + } + / Starts with colon or [] colon? No IP info.../ + if (colon == arg \|\| colon == arg+2) { + free(arg); + return; + } + colon = '\0'; + } + + range->flags \|= NF_NAT_RANGE_MAP_IPS; + dash = strchr(start, '-'); + if (colon && dash && dash > colon) + dash = NULL; + + if (dash) + dash = '\0'; + + ip = xtables_numeric_to_ip6addr(start); + if (!ip) + xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", + start); + range->min_addr.in6 = ip; + if (dash) { + ip = xtables_numeric_to_ip6addr(dash + 1); + if (!ip) + xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", + dash+1); + range->max_addr.in6 = ip; + } else + range->max_addr = range->min_addr; + + free(arg); + return; +} + +static void DNAT_parse(struct xt_option_call cb) +{ + const struct ip6t_entry entry = cb->xt_entry; + struct nf_nat_range range = cb->data; + int portok; + + if (entry->ipv6.proto == IPPROTO_TCP \|\| + entry->ipv6.proto == IPPROTO_UDP \|\| + entry->ipv6.proto == IPPROTO_SCTP \|\| + entry->ipv6.proto == IPPROTO_DCCP \|\| + entry->ipv6.proto == IPPROTO_ICMP) + portok = 1; + else + portok = 0; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TO_DEST: + if (cb->xflags & F_X_TO_DEST) { + if (!kernel_version) + get_kernel_version(); + if (kernel_version > LINUX_VERSION(2, 6, 10)) + xtables_error(PARAMETER_PROBLEM, + "DNAT: Multiple --to-destination not supported"); + } + parse_to(cb->arg, portok, range); + break; + case O_PERSISTENT: + range->flags \|= NF_NAT_RANGE_PERSISTENT; + break; + } +} + +static void DNAT_fcheck(struct xt_fcheck_call cb) +{ + static const unsigned int f = F_TO_DEST \| F_RANDOM; + struct nf_nat_range mr = cb->data; + + if ((cb->xflags & f) == f) + mr->flags \|= NF_NAT_RANGE_PROTO_RANDOM; +} + +static void print_range(const struct nf_nat_range range) +{ + if (range->flags & NF_NAT_RANGE_MAP_IPS) { + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) + printf("["); + printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6)); + if (memcmp(&range->min_addr, &range->max_addr, + sizeof(range->min_addr))) + printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6)); + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) + printf("]"); + } + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(":"); + printf("%hu", ntohs(range->min_proto.tcp.port)); + if (range->max_proto.tcp.port != range->min_proto.tcp.port) + printf("-%hu", ntohs(range->max_proto.tcp.port)); + } +} + +static void DNAT_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct nf_nat_range range = (const void )target->data; + + printf(" to:"); + print_range(range); + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" random"); + if (range->flags & NF_NAT_RANGE_PERSISTENT) + printf(" persistent"); +} + +static void DNAT_save(const void ip, const struct xt_entry_target target) +{ + const struct nf_nat_range range = (const void *)target->data; + + printf(" --to-destination "); + print_range(range); + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" --random"); + if (range->flags & NF_NAT_RANGE_PERSISTENT) + printf(" --persistent"); +} + +static struct xtables_target snat_tg_reg = { + .name = "DNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .revision = 1, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = DNAT_help, + .x6_parse = DNAT_parse, + .x6_fcheck = DNAT_fcheck, + .print = DNAT_print, + .save = DNAT_save, + .x6_options = DNAT_opts, +}; + +void _init(void) +{ + xtables_register_target(&snat_tg_reg); +}
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_DNPT.c ^
@@ -0,0 +1,90 @@ +#include <stdio.h> +#include <string.h> +#include <xtables.h> +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter_ipv6/ip6t_NPT.h> + +enum { + O_SRC_PFX = 1 << 0, + O_DST_PFX = 1 << 1, +}; + +static const struct xt_option_entry DNPT_options[] = { + { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_MAND }, + { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_MAND }, + { } +}; + +static void DNPT_help(void) +{ + printf("DNPT target options:" + "\n" + " --src-pfx prefix/length\n" + " --dst-pfx prefix/length\n" + "\n"); +} + +static void DNPT_parse(struct xt_option_call cb) +{ + struct ip6t_npt_tginfo npt = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_SRC_PFX: + npt->src_pfx = cb->val.haddr; + npt->src_pfx_len = cb->val.hlen; + break; + case O_DST_PFX: + npt->dst_pfx = cb->val.haddr; + npt->dst_pfx_len = cb->val.hlen; + break; + } +} + +static void DNPT_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct ip6t_npt_tginfo npt = (const void )target->data; + + printf("src-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->src_pfx.in6), + npt->src_pfx_len); + printf("dst-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6), + npt->dst_pfx_len); +} + +static void DNPT_save(const void ip, const struct xt_entry_target target) +{ + static const struct in6_addr zero_addr; + const struct ip6t_npt_tginfo info = (const void )target->data; + + if (memcmp(&info->src_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 \|\| + info->src_pfx_len != 0) + printf("--src-pfx %s/%u ", + xtables_ip6addr_to_numeric(&info->src_pfx.in6), + info->src_pfx_len); + if (memcmp(&info->dst_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 \|\| + info->dst_pfx_len != 0) + printf("--dst-pfx %s/%u ", + xtables_ip6addr_to_numeric(&info->dst_pfx.in6), + info->dst_pfx_len); +} + +static struct xtables_target snpt_tg_reg = { + .name = "DNPT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)), + .userspacesize = offsetof(struct ip6t_npt_tginfo, adjustment), + .help = DNPT_help, + .x6_parse = DNPT_parse, + .print = DNPT_print, + .save = DNPT_save, + .x6_options = DNPT_options, +}; + +void _init(void) +{ + xtables_register_target(&snpt_tg_reg); +}
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libip6t_LOG.man ^
@@ -11,7 +11,10 @@ then DROP (or REJECT). .TP \fB\-\-log\-level\fP \fIlevel\fP -Level of logging (numeric or see \fIsyslog.conf\fP(5)). +Level of logging, which can be (system-specific) numeric or a mnemonic. +Possible values are (in decreasing order of priority): \fBemerg\fP, +\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP +or \fBdebug\fP. .TP \fB\-\-log\-prefix\fP \fIprefix\fP Prefix log messages with the specified prefix; up to 29 letters long,
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_MASQUERADE.c ^
@@ -0,0 +1,150 @@ +/* + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> + * + * Based on Rusty Russell's IPv4 MASQUERADE target. Development of IPv6 NAT + * funded by Astaro. + / + +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <xtables.h> +#include <limits.h> / INT_MAX in ip_tables.h / +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/nf_nat.h> + +enum { + O_TO_PORTS = 0, + O_RANDOM, +}; + +static void MASQUERADE_help(void) +{ + printf( +"MASQUERADE target options:\n" +" --to-ports <port>[-<port>]\n" +" Port (range) to map to.\n" +" --random\n" +" Randomize source port.\n"); +} + +static const struct xt_option_entry MASQUERADE_opts[] = { + {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +/ Parses ports / +static void +parse_ports(const char arg, struct nf_nat_range r) +{ + char end; + unsigned int port, maxport; + + r->flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; + + if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); + + switch (end) { + case '\0': + r->min_proto.tcp.port + = r->max_proto.tcp.port + = htons(port); + return; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX)) + break; + + if (maxport < port) + break; + + r->min_proto.tcp.port = htons(port); + r->max_proto.tcp.port = htons(maxport); + return; + default: + break; + } + xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); +} + +static void MASQUERADE_parse(struct xt_option_call cb) +{ + const struct ip6t_entry entry = cb->xt_entry; + struct nf_nat_range r = cb->data; + int portok; + + if (entry->ipv6.proto == IPPROTO_TCP \|\| + entry->ipv6.proto == IPPROTO_UDP \|\| + entry->ipv6.proto == IPPROTO_SCTP \|\| + entry->ipv6.proto == IPPROTO_DCCP \|\| + entry->ipv6.proto == IPPROTO_ICMP) + portok = 1; + else + portok = 0; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TO_PORTS: + if (!portok) + xtables_error(PARAMETER_PROBLEM, + "Need TCP, UDP, SCTP or DCCP with port specification"); + parse_ports(cb->arg, r); + break; + case O_RANDOM: + r->flags \|= NF_NAT_RANGE_PROTO_RANDOM; + break; + } +} + +static void +MASQUERADE_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct nf_nat_range r = (const void )target->data; + + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(" masq ports: "); + printf("%hu", ntohs(r->min_proto.tcp.port)); + if (r->max_proto.tcp.port != r->min_proto.tcp.port) + printf("-%hu", ntohs(r->max_proto.tcp.port)); + } + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" random"); +} + +static void +MASQUERADE_save(const void ip, const struct xt_entry_target target) +{ + const struct nf_nat_range r = (const void )target->data; + + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(" --to-ports %hu", ntohs(r->min_proto.tcp.port)); + if (r->max_proto.tcp.port != r->min_proto.tcp.port) + printf("-%hu", ntohs(r->max_proto.tcp.port)); + } + + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" --random"); +} + +static struct xtables_target masquerade_tg_reg = { + .name = "MASQUERADE", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = MASQUERADE_help, + .x6_parse = MASQUERADE_parse, + .print = MASQUERADE_print, + .save = MASQUERADE_save, + .x6_options = MASQUERADE_opts, +}; + +void _init(void) +{ + xtables_register_target(&masquerade_tg_reg); +}
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_MASQUERADE.man ^
@@ -0,0 +1,30 @@ +This target is only valid in the +.B nat +table, in the +.B POSTROUTING +chain. It should only be used with dynamically assigned IPv6 (dialup) +connections: if you have a static IP address, you should use the SNAT +target. Masquerading is equivalent to specifying a mapping to the IP +address of the interface the packet is going out, but also has the +effect that connections are +.I forgotten +when the interface goes down. This is the correct behavior when the +next dialup is unlikely to have the same interface address (and hence +any established connections are lost anyway). +.TP +\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] +This specifies a range of source ports to use, overriding the default +.B SNAT +source port-selection heuristics (see above). This is only valid +if the rule also specifies +\fB\-p tcp\fP +or +\fB\-p udp\fP. +.TP +\fB\-\-random\fP +Randomize source port mapping +If option +\fB\-\-random\fP +is used then port mapping will be randomized. +.RS +.PP
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_NETMAP.c ^
@@ -0,0 +1,93 @@ +/* + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> + * + * Based on Svenning Soerensen's IPv4 NETMAP target. Development of IPv6 NAT + * funded by Astaro. + / + +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <xtables.h> +#include <libiptc/libip6tc.h> +#include <linux/netfilter/nf_nat.h> + +#define MODULENAME "NETMAP" + +enum { + O_TO = 0, +}; + +static const struct xt_option_entry NETMAP_opts[] = { + {.name = "to", .id = O_TO, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_MAND}, + XTOPT_TABLEEND, +}; + +static void NETMAP_help(void) +{ + printf(MODULENAME" target options:\n" + " --%s address[/mask]\n" + " Network address to map to.\n\n", + NETMAP_opts[0].name); +} + +static void NETMAP_parse(struct xt_option_call cb) +{ + struct nf_nat_range range = cb->data; + unsigned int i; + + xtables_option_parse(cb); + range->flags \|= NF_NAT_RANGE_MAP_IPS; + for (i = 0; i < 4; i++) { + range->min_addr.ip6[i] = cb->val.haddr.ip6[i] & + cb->val.hmask.ip6[i]; + range->max_addr.ip6[i] = range->min_addr.ip6[i] \| + ~cb->val.hmask.ip6[i]; + } +} + +static void NETMAP_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct nf_nat_range r = (const void )target->data; + struct in6_addr a; + unsigned int i; + int bits; + + a = r->min_addr.in6; + printf("%s", xtables_ip6addr_to_numeric(&a)); + for (i = 0; i < 4; i++) + a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]); + bits = ipv6_prefix_length(&a); + if (bits < 0) + printf("/%s", xtables_ip6addr_to_numeric(&a)); + else + printf("/%d", bits); +} + +static void NETMAP_save(const void ip, const struct xt_entry_target *target) +{ + printf(" --%s ", NETMAP_opts[0].name); + NETMAP_print(ip, target, 0); +} + +static struct xtables_target netmap_tg_reg = { + .name = MODULENAME, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = NETMAP_help, + .x6_parse = NETMAP_parse, + .print = NETMAP_print, + .save = NETMAP_save, + .x6_options = NETMAP_opts, +}; + +void _init(void) +{ + xtables_register_target(&netmap_tg_reg); +}
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_REDIRECT.c ^
@@ -0,0 +1,151 @@ +/* + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> + * + * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6 NAT + * funded by Astaro. + / + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <xtables.h> +#include <limits.h> / INT_MAX in ip_tables.h / +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/nf_nat.h> + +enum { + O_TO_PORTS = 0, + O_RANDOM, + F_TO_PORTS = 1 << O_TO_PORTS, + F_RANDOM = 1 << O_RANDOM, +}; + +static void REDIRECT_help(void) +{ + printf( +"REDIRECT target options:\n" +" --to-ports <port>[-<port>]\n" +" Port (range) to map to.\n" +" [--random]\n"); +} + +static const struct xt_option_entry REDIRECT_opts[] = { + {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +/ Parses ports / +static void +parse_ports(const char arg, struct nf_nat_range range) +{ + char end = ""; + unsigned int port, maxport; + + range->flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; + + if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) && + (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1) + xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); + + switch (end) { + case '\0': + range->min_proto.tcp.port + = range->max_proto.tcp.port + = htons(port); + return; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) && + (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1) + break; + + if (maxport < port) + break; + + range->min_proto.tcp.port = htons(port); + range->max_proto.tcp.port = htons(maxport); + return; + default: + break; + } + xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); +} + +static void REDIRECT_parse(struct xt_option_call cb) +{ + const struct ip6t_entry entry = cb->xt_entry; + struct nf_nat_range range = (void )(cb->target)->data; + int portok; + + if (entry->ipv6.proto == IPPROTO_TCP + \|\| entry->ipv6.proto == IPPROTO_UDP + \|\| entry->ipv6.proto == IPPROTO_SCTP + \|\| entry->ipv6.proto == IPPROTO_DCCP + \|\| entry->ipv6.proto == IPPROTO_ICMP) + portok = 1; + else + portok = 0; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TO_PORTS: + if (!portok) + xtables_error(PARAMETER_PROBLEM, + "Need TCP, UDP, SCTP or DCCP with port specification"); + parse_ports(cb->arg, range); + if (cb->xflags & F_RANDOM) + range->flags \|= NF_NAT_RANGE_PROTO_RANDOM; + break; + case O_RANDOM: + if (cb->xflags & F_TO_PORTS) + range->flags \|= NF_NAT_RANGE_PROTO_RANDOM; + break; + } +} + +static void REDIRECT_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct nf_nat_range range = (const void )target->data; + + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(" redir ports "); + printf("%hu", ntohs(range->min_proto.tcp.port)); + if (range->max_proto.tcp.port != range->min_proto.tcp.port) + printf("-%hu", ntohs(range->max_proto.tcp.port)); + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" random"); + } +} + +static void REDIRECT_save(const void ip, const struct xt_entry_target target) +{ + const struct nf_nat_range range = (const void )target->data; + + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(" --to-ports "); + printf("%hu", ntohs(range->min_proto.tcp.port)); + if (range->max_proto.tcp.port != range->min_proto.tcp.port) + printf("-%hu", ntohs(range->max_proto.tcp.port)); + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" --random"); + } +} + +static struct xtables_target redirect_tg_reg = { + .name = "REDIRECT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = REDIRECT_help, + .x6_parse = REDIRECT_parse, + .print = REDIRECT_print, + .save = REDIRECT_save, + .x6_options = REDIRECT_opts, +}; + +void _init(void) +{ + xtables_register_target(&redirect_tg_reg); +}
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_SNAT.c ^
@@ -0,0 +1,252 @@ +/* + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> + * + * Based on Rusty Russell's IPv4 SNAT target. Development of IPv6 NAT + * funded by Astaro. + / + +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <xtables.h> +#include <iptables.h> +#include <limits.h> / INT_MAX in ip_tables.h / +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/nf_nat.h> + +enum { + O_TO_SRC = 0, + O_RANDOM, + O_PERSISTENT, + O_X_TO_SRC, + F_TO_SRC = 1 << O_TO_SRC, + F_RANDOM = 1 << O_RANDOM, + F_X_TO_SRC = 1 << O_X_TO_SRC, +}; + +static void SNAT_help(void) +{ + printf( +"SNAT target options:\n" +" --to-source [<ipaddr>[-<ipaddr>]][:port[-port]]\n" +" Address to map source to.\n" +"[--random] [--persistent]\n"); +} + +static const struct xt_option_entry SNAT_opts[] = { + {.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING, + .flags = XTOPT_MAND \| XTOPT_MULTI}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +/ Ranges expected in network order. / +static void +parse_to(const char orig_arg, int portok, struct nf_nat_range range) +{ + char arg, start, end = NULL, colon = NULL, dash, error; + const struct in6_addr ip; + + arg = strdup(orig_arg); + if (arg == NULL) + xtables_error(RESOURCE_PROBLEM, "strdup"); + + start = strchr(arg, '['); + if (start == NULL) { + start = arg; + /* Lets assume one colon is port information. Otherwise its an IPv6 address / + colon = strchr(arg, ':'); + if (colon && strchr(colon+1, ':')) + colon = NULL; + } + else { + start++; + end = strchr(start, ']'); + if (end == NULL) + xtables_error(PARAMETER_PROBLEM, + "Invalid address format"); + + end = '\0'; + colon = strchr(end + 1, ':'); + } + + if (colon) { + int port; + + if (!portok) + xtables_error(PARAMETER_PROBLEM, + "Need TCP, UDP, SCTP or DCCP with port specification"); + + range->flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; + + port = atoi(colon+1); + if (port <= 0 \|\| port > 65535) + xtables_error(PARAMETER_PROBLEM, + "Port `%s' not valid\n", colon+1); + + error = strchr(colon+1, ':'); + if (error) + xtables_error(PARAMETER_PROBLEM, + "Invalid port:port syntax - use dash\n"); + + dash = strchr(colon, '-'); + if (!dash) { + range->min_proto.tcp.port + = range->max_proto.tcp.port + = htons(port); + } else { + int maxport; + + maxport = atoi(dash + 1); + if (maxport <= 0 \|\| maxport > 65535) + xtables_error(PARAMETER_PROBLEM, + "Port `%s' not valid\n", dash+1); + if (maxport < port) + /* People are stupid. / + xtables_error(PARAMETER_PROBLEM, + "Port range `%s' funky\n", colon+1); + range->min_proto.tcp.port = htons(port); + range->max_proto.tcp.port = htons(maxport); + } + / Starts with colon or [] colon? No IP info.../ + if (colon == arg \|\| colon == arg+2) { + free(arg); + return; + } + colon = '\0'; + } + + range->flags \|= NF_NAT_RANGE_MAP_IPS; + dash = strchr(start, '-'); + if (colon && dash && dash > colon) + dash = NULL; + + if (dash) + dash = '\0'; + + ip = xtables_numeric_to_ip6addr(start); + if (!ip) + xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", + start); + range->min_addr.in6 = ip; + if (dash) { + ip = xtables_numeric_to_ip6addr(dash + 1); + if (!ip) + xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", + dash+1); + range->max_addr.in6 = ip; + } else + range->max_addr = range->min_addr; + + free(arg); + return; +} + +static void SNAT_parse(struct xt_option_call cb) +{ + const struct ip6t_entry entry = cb->xt_entry; + struct nf_nat_range range = cb->data; + int portok; + + if (entry->ipv6.proto == IPPROTO_TCP \|\| + entry->ipv6.proto == IPPROTO_UDP \|\| + entry->ipv6.proto == IPPROTO_SCTP \|\| + entry->ipv6.proto == IPPROTO_DCCP \|\| + entry->ipv6.proto == IPPROTO_ICMP) + portok = 1; + else + portok = 0; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TO_SRC: + if (cb->xflags & F_X_TO_SRC) { + if (!kernel_version) + get_kernel_version(); + if (kernel_version > LINUX_VERSION(2, 6, 10)) + xtables_error(PARAMETER_PROBLEM, + "SNAT: Multiple --to-source not supported"); + } + parse_to(cb->arg, portok, range); + break; + case O_PERSISTENT: + range->flags \|= NF_NAT_RANGE_PERSISTENT; + break; + } +} + +static void SNAT_fcheck(struct xt_fcheck_call cb) +{ + static const unsigned int f = F_TO_SRC \| F_RANDOM; + struct nf_nat_range range = cb->data; + + if ((cb->xflags & f) == f) + range->flags \|= NF_NAT_RANGE_PROTO_RANDOM; +} + +static void print_range(const struct nf_nat_range range) +{ + if (range->flags & NF_NAT_RANGE_MAP_IPS) { + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) + printf("["); + printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6)); + if (memcmp(&range->min_addr, &range->max_addr, + sizeof(range->min_addr))) + printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6)); + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) + printf("]"); + } + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + printf(":"); + printf("%hu", ntohs(range->min_proto.tcp.port)); + if (range->max_proto.tcp.port != range->min_proto.tcp.port) + printf("-%hu", ntohs(range->max_proto.tcp.port)); + } +} + +static void SNAT_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct nf_nat_range range = (const void )target->data; + + printf(" to:"); + print_range(range); + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" random"); + if (range->flags & NF_NAT_RANGE_PERSISTENT) + printf(" persistent"); +} + +static void SNAT_save(const void ip, const struct xt_entry_target target) +{ + const struct nf_nat_range range = (const void *)target->data; + + printf(" --to-source "); + print_range(range); + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" --random"); + if (range->flags & NF_NAT_RANGE_PERSISTENT) + printf(" --persistent"); +} + +static struct xtables_target snat_tg_reg = { + .name = "SNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .revision = 1, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = SNAT_help, + .x6_parse = SNAT_parse, + .x6_fcheck = SNAT_fcheck, + .print = SNAT_print, + .save = SNAT_save, + .x6_options = SNAT_opts, +}; + +void _init(void) +{ + xtables_register_target(&snat_tg_reg); +}
[-] [+]	Added	iptables-1.4.18.tar.bz2/extensions/libip6t_SNPT.c ^
@@ -0,0 +1,90 @@ +#include <stdio.h> +#include <string.h> +#include <xtables.h> +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter_ipv6/ip6t_NPT.h> + +enum { + O_SRC_PFX = 1 << 0, + O_DST_PFX = 1 << 1, +}; + +static const struct xt_option_entry SNPT_options[] = { + { .name = "src-pfx", .id = O_SRC_PFX, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_MAND }, + { .name = "dst-pfx", .id = O_DST_PFX, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_MAND }, + { } +}; + +static void SNPT_help(void) +{ + printf("SNPT target options:" + "\n" + " --src-pfx prefix/length\n" + " --dst-pfx prefix/length\n" + "\n"); +} + +static void SNPT_parse(struct xt_option_call cb) +{ + struct ip6t_npt_tginfo npt = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_SRC_PFX: + npt->src_pfx = cb->val.haddr; + npt->src_pfx_len = cb->val.hlen; + break; + case O_DST_PFX: + npt->dst_pfx = cb->val.haddr; + npt->dst_pfx_len = cb->val.hlen; + break; + } +} + +static void SNPT_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + const struct ip6t_npt_tginfo npt = (const void )target->data; + + printf("src-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->src_pfx.in6), + npt->src_pfx_len); + printf("dst-pfx %s/%u ", xtables_ip6addr_to_numeric(&npt->dst_pfx.in6), + npt->dst_pfx_len); +} + +static void SNPT_save(const void ip, const struct xt_entry_target target) +{ + static const struct in6_addr zero_addr; + const struct ip6t_npt_tginfo info = (const void )target->data; + + if (memcmp(&info->src_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 \|\| + info->src_pfx_len != 0) + printf("--src-pfx %s/%u ", + xtables_ip6addr_to_numeric(&info->src_pfx.in6), + info->src_pfx_len); + if (memcmp(&info->dst_pfx.in6, &zero_addr, sizeof(zero_addr)) != 0 \|\| + info->dst_pfx_len != 0) + printf("--dst-pfx %s/%u ", + xtables_ip6addr_to_numeric(&info->dst_pfx.in6), + info->dst_pfx_len); +} + +static struct xtables_target snpt_tg_reg = { + .name = "SNPT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct ip6t_npt_tginfo)), + .userspacesize = offsetof(struct ip6t_npt_tginfo, adjustment), + .help = SNPT_help, + .x6_parse = SNPT_parse, + .print = SNPT_print, + .save = SNPT_save, + .x6_options = SNPT_options, +}; + +void _init(void) +{ + xtables_register_target(&snpt_tg_reg); +}
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_DNAT.c ^
@@ -6,7 +6,7 @@ #include <iptables.h> /* get_kernel_version / #include <limits.h> / INT_MAX in ip_tables.h / #include <linux/netfilter_ipv4/ip_tables.h> -#include <net/netfilter/nf_nat.h> +#include <linux/netfilter/nf_nat.h> enum { O_TO_DEST = 0, @@ -23,7 +23,7 @@ struct ipt_natinfo { struct xt_entry_target t; - struct nf_nat_multi_range mr; + struct nf_nat_ipv4_multi_range_compat mr; }; static void DNAT_help(void) @@ -44,7 +44,7 @@ }; static struct ipt_natinfo -append_range(struct ipt_natinfo info, const struct nf_nat_range range) +append_range(struct ipt_natinfo info, const struct nf_nat_ipv4_range range) { unsigned int size; @@ -66,7 +66,7 @@ static struct xt_entry_target * parse_to(const char orig_arg, int portok, struct ipt_natinfo info) { - struct nf_nat_range range; + struct nf_nat_ipv4_range range; char arg, colon, dash, error; const struct in_addr ip; @@ -83,7 +83,7 @@ xtables_error(PARAMETER_PROBLEM, "Need TCP, UDP, SCTP or DCCP with port specification"); - range.flags \|= IP_NAT_RANGE_PROTO_SPECIFIED; + range.flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; port = atoi(colon+1); if (port <= 0 \|\| port > 65535) @@ -122,7 +122,7 @@ colon = '\0'; } - range.flags \|= IP_NAT_RANGE_MAP_IPS; + range.flags \|= NF_NAT_RANGE_MAP_IPS; dash = strchr(arg, '-'); if (colon && dash && dash > colon) dash = NULL; @@ -177,7 +177,7 @@ cb->xflags \|= F_X_TO_DEST; break; case O_PERSISTENT: - info->mr.range[0].flags \|= IP_NAT_RANGE_PERSISTENT; + info->mr.range[0].flags \|= NF_NAT_RANGE_PERSISTENT; break; } } @@ -185,15 +185,15 @@ static void DNAT_fcheck(struct xt_fcheck_call cb) { static const unsigned int f = F_TO_DEST \| F_RANDOM; - struct nf_nat_multi_range mr = cb->data; + struct nf_nat_ipv4_multi_range_compat mr = cb->data; if ((cb->xflags & f) == f) - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_RANDOM; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM; } -static void print_range(const struct nf_nat_range r) +static void print_range(const struct nf_nat_ipv4_range *r) { - if (r->flags & IP_NAT_RANGE_MAP_IPS) { + if (r->flags & NF_NAT_RANGE_MAP_IPS) { struct in_addr a; a.s_addr = r->min_ip; @@ -203,7 +203,7 @@ printf("-%s", xtables_ipaddr_to_numeric(&a)); } } - if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { printf(":"); printf("%hu", ntohs(r->min.tcp.port)); if (r->max.tcp.port != r->min.tcp.port) @@ -220,9 +220,9 @@ printf(" to:"); for (i = 0; i < info->mr.rangesize; i++) { print_range(&info->mr.range[i]); - if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM) + if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" random"); - if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT) + if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) printf(" persistent"); } } @@ -235,9 +235,9 @@ for (i = 0; i < info->mr.rangesize; i++) { printf(" --to-destination "); print_range(&info->mr.range[i]); - if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM) + if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" --random"); - if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT) + if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) printf(" --persistent"); } } @@ -246,8 +246,8 @@ .name = "DNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = DNAT_help, .x6_parse = DNAT_parse, .x6_fcheck = DNAT_fcheck,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_LOG.man ^
@@ -11,7 +11,10 @@ then DROP (or REJECT). .TP \fB\-\-log\-level\fP \fIlevel\fP -Level of logging (numeric or see \fIsyslog.conf\fP(5)). +Level of logging, which can be (system-specific) numeric or a mnemonic. +Possible values are (in decreasing order of priority): \fBemerg\fP, +\fBalert\fP, \fBcrit\fP, \fBerror\fP, \fBwarning\fP, \fBnotice\fP, \fBinfo\fP +or \fBdebug\fP. .TP \fB\-\-log\-prefix\fP \fIprefix\fP Prefix log messages with the specified prefix; up to 29 letters long,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_MASQUERADE.c ^
@@ -6,7 +6,7 @@ #include <xtables.h> #include <limits.h> /* INT_MAX in ip_tables.h / #include <linux/netfilter_ipv4/ip_tables.h> -#include <net/netfilter/nf_nat.h> +#include <linux/netfilter/nf_nat.h> enum { O_TO_PORTS = 0, @@ -31,7 +31,7 @@ static void MASQUERADE_init(struct xt_entry_target t) { - struct nf_nat_multi_range mr = (struct nf_nat_multi_range )t->data; + struct nf_nat_ipv4_multi_range_compat mr = (struct nf_nat_ipv4_multi_range_compat )t->data; /* Actually, it's 0, but it's ignored at the moment. / mr->rangesize = 1; @@ -39,12 +39,12 @@ / Parses ports / static void -parse_ports(const char arg, struct nf_nat_multi_range mr) +parse_ports(const char arg, struct nf_nat_ipv4_multi_range_compat mr) { char end; unsigned int port, maxport; - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_SPECIFIED; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); @@ -75,7 +75,7 @@ { const struct ipt_entry entry = cb->xt_entry; int portok; - struct nf_nat_multi_range mr = cb->data; + struct nf_nat_ipv4_multi_range_compat mr = cb->data; if (entry->ip.proto == IPPROTO_TCP \|\| entry->ip.proto == IPPROTO_UDP @@ -95,7 +95,7 @@ parse_ports(cb->arg, mr); break; case O_RANDOM: - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_RANDOM; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM; break; } } @@ -104,33 +104,33 @@ MASQUERADE_print(const void ip, const struct xt_entry_target target, int numeric) { - const struct nf_nat_multi_range mr = (const void )target->data; - const struct nf_nat_range r = &mr->range[0]; + const struct nf_nat_ipv4_multi_range_compat mr = (const void )target->data; + const struct nf_nat_ipv4_range r = &mr->range[0]; - if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { printf(" masq ports: "); printf("%hu", ntohs(r->min.tcp.port)); if (r->max.tcp.port != r->min.tcp.port) printf("-%hu", ntohs(r->max.tcp.port)); } - if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" random"); } static void MASQUERADE_save(const void ip, const struct xt_entry_target target) { - const struct nf_nat_multi_range mr = (const void )target->data; - const struct nf_nat_range r = &mr->range[0]; + const struct nf_nat_ipv4_multi_range_compat mr = (const void )target->data; + const struct nf_nat_ipv4_range *r = &mr->range[0]; - if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { printf(" --to-ports %hu", ntohs(r->min.tcp.port)); if (r->max.tcp.port != r->min.tcp.port) printf("-%hu", ntohs(r->max.tcp.port)); } - if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" --random"); } @@ -138,8 +138,8 @@ .name = "MASQUERADE", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = MASQUERADE_help, .init = MASQUERADE_init, .x6_parse = MASQUERADE_parse,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_NETMAP.c ^
@@ -7,7 +7,7 @@ #include <stdlib.h> #include <getopt.h> #include <xtables.h> -#include <net/netfilter/nf_nat.h> +#include <linux/netfilter/nf_nat.h> #define MODULENAME "NETMAP" @@ -45,7 +45,7 @@ static void NETMAP_init(struct xt_entry_target t) { - struct nf_nat_multi_range mr = (struct nf_nat_multi_range )t->data; + struct nf_nat_ipv4_multi_range_compat mr = (struct nf_nat_ipv4_multi_range_compat )t->data; / Actually, it's 0, but it's ignored at the moment. / mr->rangesize = 1; @@ -53,11 +53,11 @@ static void NETMAP_parse(struct xt_option_call cb) { - struct nf_nat_multi_range mr = cb->data; - struct nf_nat_range range = &mr->range[0]; + struct nf_nat_ipv4_multi_range_compat mr = cb->data; + struct nf_nat_ipv4_range range = &mr->range[0]; xtables_option_parse(cb); - range->flags \|= IP_NAT_RANGE_MAP_IPS; + range->flags \|= NF_NAT_RANGE_MAP_IPS; range->min_ip = cb->val.haddr.ip & cb->val.hmask.ip; range->max_ip = range->min_ip \| ~cb->val.hmask.ip; } @@ -65,8 +65,8 @@ static void NETMAP_print(const void ip, const struct xt_entry_target target, int numeric) { - const struct nf_nat_multi_range mr = (const void )target->data; - const struct nf_nat_range r = &mr->range[0]; + const struct nf_nat_ipv4_multi_range_compat mr = (const void )target->data; + const struct nf_nat_ipv4_range r = &mr->range[0]; struct in_addr a; int bits; @@ -90,8 +90,8 @@ .name = MODULENAME, .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = NETMAP_help, .init = NETMAP_init, .x6_parse = NETMAP_parse,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_REDIRECT.c ^
@@ -4,7 +4,7 @@ #include <xtables.h> #include <limits.h> /* INT_MAX in ip_tables.h / #include <linux/netfilter_ipv4/ip_tables.h> -#include <net/netfilter/nf_nat.h> +#include <linux/netfilter/nf_nat.h> enum { O_TO_PORTS = 0, @@ -30,7 +30,7 @@ static void REDIRECT_init(struct xt_entry_target t) { - struct nf_nat_multi_range mr = (struct nf_nat_multi_range )t->data; + struct nf_nat_ipv4_multi_range_compat mr = (struct nf_nat_ipv4_multi_range_compat )t->data; /* Actually, it's 0, but it's ignored at the moment. / mr->rangesize = 1; @@ -38,12 +38,12 @@ / Parses ports / static void -parse_ports(const char arg, struct nf_nat_multi_range mr) +parse_ports(const char arg, struct nf_nat_ipv4_multi_range_compat mr) { char end = ""; unsigned int port, maxport; - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_SPECIFIED; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) && (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1) @@ -75,7 +75,7 @@ static void REDIRECT_parse(struct xt_option_call cb) { const struct ipt_entry entry = cb->xt_entry; - struct nf_nat_multi_range mr = (void )(cb->target)->data; + struct nf_nat_ipv4_multi_range_compat mr = (void )(cb->target)->data; int portok; if (entry->ip.proto == IPPROTO_TCP @@ -95,11 +95,11 @@ "Need TCP, UDP, SCTP or DCCP with port specification"); parse_ports(cb->arg, mr); if (cb->xflags & F_RANDOM) - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_RANDOM; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM; break; case O_RANDOM: if (cb->xflags & F_TO_PORTS) - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_RANDOM; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM; break; } } @@ -107,30 +107,30 @@ static void REDIRECT_print(const void ip, const struct xt_entry_target target, int numeric) { - const struct nf_nat_multi_range mr = (const void )target->data; - const struct nf_nat_range r = &mr->range[0]; + const struct nf_nat_ipv4_multi_range_compat mr = (const void )target->data; + const struct nf_nat_ipv4_range r = &mr->range[0]; - if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { printf(" redir ports "); printf("%hu", ntohs(r->min.tcp.port)); if (r->max.tcp.port != r->min.tcp.port) printf("-%hu", ntohs(r->max.tcp.port)); - if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM) + if (mr->range[0].flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" random"); } } static void REDIRECT_save(const void ip, const struct xt_entry_target target) { - const struct nf_nat_multi_range mr = (const void )target->data; - const struct nf_nat_range r = &mr->range[0]; + const struct nf_nat_ipv4_multi_range_compat mr = (const void )target->data; + const struct nf_nat_ipv4_range r = &mr->range[0]; - if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { printf(" --to-ports "); printf("%hu", ntohs(r->min.tcp.port)); if (r->max.tcp.port != r->min.tcp.port) printf("-%hu", ntohs(r->max.tcp.port)); - if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM) + if (mr->range[0].flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" --random"); } } @@ -139,8 +139,8 @@ .name = "REDIRECT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = REDIRECT_help, .init = REDIRECT_init, .x6_parse = REDIRECT_parse,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_SAME.c ^
@@ -2,7 +2,7 @@ #include <string.h> #include <stdlib.h> #include <xtables.h> -#include <net/netfilter/nf_nat.h> +#include <linux/netfilter/nf_nat.h> #include <linux/netfilter_ipv4/ipt_SAME.h> enum { @@ -37,7 +37,7 @@ }; /* Parses range of IPs / -static void parse_to(const char orig_arg, struct nf_nat_range range) +static void parse_to(const char orig_arg, struct nf_nat_ipv4_range range) { char dash, arg; const struct in_addr ip; @@ -45,7 +45,7 @@ arg = strdup(orig_arg); if (arg == NULL) xtables_error(RESOURCE_PROBLEM, "strdup"); - range->flags \|= IP_NAT_RANGE_MAP_IPS; + range->flags \|= NF_NAT_RANGE_MAP_IPS; dash = strchr(arg, '-'); if (dash) @@ -74,6 +74,7 @@ static void SAME_parse(struct xt_option_call cb) { struct ipt_same_info mr = cb->data; + unsigned int count; xtables_option_parse(cb); switch (cb->entry->id) { @@ -89,6 +90,10 @@ case O_NODST: mr->info \|= IPT_SAME_NODST; break; + case O_RANDOM: + for (count=0; count < mr->rangesize; count++) + mr->range[count].flags \|= NF_NAT_RANGE_PROTO_RANDOM; + break; } } @@ -100,7 +105,7 @@ if ((cb->xflags & f) == f) for (count = 0; count < mr->rangesize; ++count) - mr->range[count].flags \|= IP_NAT_RANGE_PROTO_RANDOM; + mr->range[count].flags \|= NF_NAT_RANGE_PROTO_RANDOM; } static void SAME_print(const void ip, const struct xt_entry_target target, @@ -113,7 +118,7 @@ printf(" same:"); for (count = 0; count < mr->rangesize; count++) { - const struct nf_nat_range r = &mr->range[count]; + const struct nf_nat_ipv4_range r = &mr->range[count]; struct in_addr a; a.s_addr = r->min_ip; @@ -123,7 +128,7 @@ if (r->min_ip != r->max_ip) printf("-%s", xtables_ipaddr_to_numeric(&a)); - if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) random_selection = 1; } @@ -141,7 +146,7 @@ int random_selection = 0; for (count = 0; count < mr->rangesize; count++) { - const struct nf_nat_range r = &mr->range[count]; + const struct nf_nat_ipv4_range r = &mr->range[count]; struct in_addr a; a.s_addr = r->min_ip; @@ -150,7 +155,7 @@ if (r->min_ip != r->max_ip) printf("-%s", xtables_ipaddr_to_numeric(&a)); - if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) random_selection = 1; }
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libipt_SNAT.c ^
@@ -6,7 +6,7 @@ #include <iptables.h> #include <limits.h> /* INT_MAX in ip_tables.h / #include <linux/netfilter_ipv4/ip_tables.h> -#include <net/netfilter/nf_nat.h> +#include <linux/netfilter/nf_nat.h> enum { O_TO_SRC = 0, @@ -23,7 +23,7 @@ struct ipt_natinfo { struct xt_entry_target t; - struct nf_nat_multi_range mr; + struct nf_nat_ipv4_multi_range_compat mr; }; static void SNAT_help(void) @@ -44,7 +44,7 @@ }; static struct ipt_natinfo -append_range(struct ipt_natinfo info, const struct nf_nat_range range) +append_range(struct ipt_natinfo info, const struct nf_nat_ipv4_range range) { unsigned int size; @@ -66,7 +66,7 @@ static struct xt_entry_target * parse_to(const char orig_arg, int portok, struct ipt_natinfo info) { - struct nf_nat_range range; + struct nf_nat_ipv4_range range; char arg, colon, dash, error; const struct in_addr ip; @@ -83,7 +83,7 @@ xtables_error(PARAMETER_PROBLEM, "Need TCP, UDP, SCTP or DCCP with port specification"); - range.flags \|= IP_NAT_RANGE_PROTO_SPECIFIED; + range.flags \|= NF_NAT_RANGE_PROTO_SPECIFIED; port = atoi(colon+1); if (port <= 0 \|\| port > 65535) @@ -122,7 +122,7 @@ colon = '\0'; } - range.flags \|= IP_NAT_RANGE_MAP_IPS; + range.flags \|= NF_NAT_RANGE_MAP_IPS; dash = strchr(arg, '-'); if (colon && dash && dash > colon) dash = NULL; @@ -177,7 +177,7 @@ cb->xflags \|= F_X_TO_SRC; break; case O_PERSISTENT: - info->mr.range[0].flags \|= IP_NAT_RANGE_PERSISTENT; + info->mr.range[0].flags \|= NF_NAT_RANGE_PERSISTENT; break; } } @@ -185,15 +185,15 @@ static void SNAT_fcheck(struct xt_fcheck_call cb) { static const unsigned int f = F_TO_SRC \| F_RANDOM; - struct nf_nat_multi_range mr = cb->data; + struct nf_nat_ipv4_multi_range_compat mr = cb->data; if ((cb->xflags & f) == f) - mr->range[0].flags \|= IP_NAT_RANGE_PROTO_RANDOM; + mr->range[0].flags \|= NF_NAT_RANGE_PROTO_RANDOM; } -static void print_range(const struct nf_nat_range r) +static void print_range(const struct nf_nat_ipv4_range *r) { - if (r->flags & IP_NAT_RANGE_MAP_IPS) { + if (r->flags & NF_NAT_RANGE_MAP_IPS) { struct in_addr a; a.s_addr = r->min_ip; @@ -203,7 +203,7 @@ printf("-%s", xtables_ipaddr_to_numeric(&a)); } } - if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) { + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { printf(":"); printf("%hu", ntohs(r->min.tcp.port)); if (r->max.tcp.port != r->min.tcp.port) @@ -220,9 +220,9 @@ printf(" to:"); for (i = 0; i < info->mr.rangesize; i++) { print_range(&info->mr.range[i]); - if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM) + if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" random"); - if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT) + if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) printf(" persistent"); } } @@ -235,9 +235,9 @@ for (i = 0; i < info->mr.rangesize; i++) { printf(" --to-source "); print_range(&info->mr.range[i]); - if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM) + if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) printf(" --random"); - if (info->mr.range[i].flags & IP_NAT_RANGE_PERSISTENT) + if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) printf(" --persistent"); } } @@ -246,8 +246,8 @@ .name = "SNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_multi_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_multi_range)), + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), .help = SNAT_help, .x6_parse = SNAT_parse, .x6_fcheck = SNAT_fcheck,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libxt_conntrack.c ^
@@ -801,7 +801,9 @@ if (info->match_flags & XT_CONNTRACK_STATE) { if (info->invert_flags & XT_CONNTRACK_STATE) printf(" !"); - printf(" %sctstate", prefix); + printf(" %s%s", prefix, + info->match_flags & XT_CONNTRACK_STATE_ALIAS + ? "state" : "ctstate"); print_state(info->state_mask); } @@ -902,6 +904,15 @@ } } +static const char * +conntrack_print_name_alias(const struct xt_entry_match match) +{ + struct xt_conntrack_mtinfo1 info = (void )match->data; + + return info->match_flags & XT_CONNTRACK_STATE_ALIAS + ? "state" : "conntrack"; +} + static void conntrack_print(const void ip, const struct xt_entry_match match, int numeric) { @@ -1083,7 +1094,7 @@ struct xt_conntrack_mtinfo1 sinfo = cb->data; xtables_option_parse(cb); - sinfo->match_flags = XT_CONNTRACK_STATE; + sinfo->match_flags = XT_CONNTRACK_STATE \| XT_CONNTRACK_STATE_ALIAS; sinfo->state_mask = state_parse_states(cb->arg); if (cb->invert) sinfo->invert_flags \|= XT_CONNTRACK_STATE; @@ -1094,7 +1105,7 @@ struct xt_conntrack_mtinfo3 *sinfo = cb->data; xtables_option_parse(cb); - sinfo->match_flags = XT_CONNTRACK_STATE; + sinfo->match_flags = XT_CONNTRACK_STATE \| XT_CONNTRACK_STATE_ALIAS; sinfo->state_mask = state_parse_states(cb->arg); if (cb->invert) sinfo->invert_flags \|= XT_CONNTRACK_STATE; @@ -1158,6 +1169,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack_print, .save = conntrack_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack_mt_opts_v0, }, { @@ -1172,6 +1184,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt4_print, .save = conntrack1_mt4_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack2_mt_opts, }, { @@ -1186,6 +1199,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack1_mt6_print, .save = conntrack1_mt6_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack2_mt_opts, }, { @@ -1200,6 +1214,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt_print, .save = conntrack2_mt_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack2_mt_opts, }, { @@ -1214,6 +1229,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack2_mt6_print, .save = conntrack2_mt6_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack2_mt_opts, }, { @@ -1228,6 +1244,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt_print, .save = conntrack3_mt_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack3_mt_opts, }, { @@ -1242,6 +1259,7 @@ .x6_fcheck = conntrack_mt_check, .print = conntrack3_mt6_print, .save = conntrack3_mt6_save, + .alias = conntrack_print_name_alias, .x6_options = conntrack3_mt_opts, }, { @@ -1249,6 +1267,7 @@ .name = "state", .real_name = "conntrack", .revision = 1, + .ext_flags = XTABLES_EXT_ALIAS, .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), @@ -1261,6 +1280,7 @@ .name = "state", .real_name = "conntrack", .revision = 2, + .ext_flags = XTABLES_EXT_ALIAS, .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), @@ -1273,6 +1293,7 @@ .name = "state", .real_name = "conntrack", .revision = 3, + .ext_flags = XTABLES_EXT_ALIAS, .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libxt_rpfilter.man ^
@@ -17,6 +17,7 @@ \fB\-\-accept\-local\fP This will permit packets arriving from the network with a source address that is also assigned to the local machine. +.TP \fB\-\-invert\fP This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libxt_state.man ^
@@ -1,4 +1,4 @@ -The "state" module is an obsolete version of "conntrack". +The "state" extension is a subset of the "conntrack" module. "state" allows access to the connection tracking state for this packet. .TP [\fB!\fP] \fB\-\-state\fP \fIstate\fP
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libxt_statistic.c ^
@@ -107,7 +107,7 @@ (info->flags & XT_STATISTIC_INVERT) ? " !" : "", prefix, info->u.nth.every + 1); - if (info->u.nth.packet) + if (info->u.nth.packet \|\| *prefix) printf(" %spacket %u", prefix, info->u.nth.packet); break; }
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libxt_time.c ^
@@ -22,6 +22,7 @@ O_DATE_STOP, O_TIME_START, O_TIME_STOP, + O_TIME_CONTIGUOUS, O_MONTHDAYS, O_WEEKDAYS, O_LOCAL_TZ, @@ -30,6 +31,7 @@ F_LOCAL_TZ = 1 << O_LOCAL_TZ, F_UTC = 1 << O_UTC, F_KERNEL_TZ = 1 << O_KERNEL_TZ, + F_TIME_CONTIGUOUS = 1 << O_TIME_CONTIGUOUS, }; static const char const week_days[] = { @@ -41,6 +43,7 @@ {.name = "datestop", .id = O_DATE_STOP, .type = XTTYPE_STRING}, {.name = "timestart", .id = O_TIME_START, .type = XTTYPE_STRING}, {.name = "timestop", .id = O_TIME_STOP, .type = XTTYPE_STRING}, + {.name = "contiguous", .id = O_TIME_CONTIGUOUS, .type = XTTYPE_NONE}, {.name = "weekdays", .id = O_WEEKDAYS, .type = XTTYPE_STRING, .flags = XTOPT_INVERT}, {.name = "monthdays", .id = O_MONTHDAYS, .type = XTTYPE_STRING, @@ -273,6 +276,9 @@ case O_TIME_STOP: info->daytime_stop = time_parse_minutes(cb->arg); break; + case O_TIME_CONTIGUOUS: + info->flags \|= XT_TIME_CONTIGUOUS; + break; case O_LOCAL_TZ: fprintf(stderr, "WARNING: --localtz is being replaced by " "--kerneltz, since \"local\" is ambiguous. Note the " @@ -403,6 +409,8 @@ } if (!(info->flags & XT_TIME_LOCAL_TZ)) printf(" UTC"); + if (info->flags & XT_TIME_CONTIGUOUS) + printf(" contiguous"); } static void time_save(const void ip, const struct xt_entry_match match) @@ -429,6 +437,17 @@ time_print_date(info->date_stop, "--datestop"); if (info->flags & XT_TIME_LOCAL_TZ) printf(" --kerneltz"); + if (info->flags & XT_TIME_CONTIGUOUS) + printf(" --contiguous"); +} + +static void time_check(struct xt_fcheck_call cb) +{ + const struct xt_time_info info = (const void ) cb->data; + if ((cb->xflags & F_TIME_CONTIGUOUS) && + info->daytime_start < info->daytime_stop) + xtables_error(PARAMETER_PROBLEM, + "time: --contiguous only makes sense when stoptime is smaller than starttime"); } static struct xtables_match time_match = { @@ -442,6 +461,7 @@ .print = time_print, .save = time_save, .x6_parse = time_parse, + .x6_fcheck = time_check, .x6_options = time_opts, };
[-] [+]	Changed	iptables-1.4.18.tar.bz2/extensions/libxt_time.man ^
@@ -30,6 +30,10 @@ to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP, \fBTu\fP, etc.). .TP +\fB\-\-contiguous\fP +When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match +this as a single time period instead distinct intervals. See EXAMPLES. +.TP \fB\-\-kerneltz\fP Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. @@ -84,3 +88,11 @@ (Note that this exploits a certain mathematical property. It is not possible to say "fourth Thursday OR fourth Friday" in one rule. It is possible with multiple rules, though.) +.PP +Matching across days might not do what is expected. For instance, +.IP +\-m time \-\-weekdays Mo \-\-timestart 23:00 \-\-timestop 01:00 +Will match Monday, for one hour from midnight to 1 a.m., and then +again for another hour from 23:00 onwards. If this is unwanted, e.g. if you +would like 'match for two hours from Montay 23:00 onwards' you need to also specify +the \-\-contiguous option in the example above.
[-] [+]	Changed	iptables-1.4.18.tar.bz2/include/linux/netfilter/nf_conntrack_tuple_common.h ^
@@ -7,6 +7,33 @@ IP_CT_DIR_MAX }; +/* The protocol-specific manipulable parts of the tuple: always in + * network order + / +union nf_conntrack_man_proto { + / Add other protocols here. / + __be16 all; + + struct { + __be16 port; + } tcp; + struct { + __be16 port; + } udp; + struct { + __be16 id; + } icmp; + struct { + __be16 port; + } dccp; + struct { + __be16 port; + } sctp; + struct { + __be16 key; / GRE key is 32bit, PPtP only uses 16bit / + } gre; +}; + #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) #endif / _NF_CONNTRACK_TUPLE_COMMON_H */
[-] [+]	Added	iptables-1.4.18.tar.bz2/include/linux/netfilter/nf_nat.h ^
@@ -0,0 +1,33 @@ +#ifndef _NETFILTER_NF_NAT_H +#define _NETFILTER_NF_NAT_H + +#include <linux/netfilter.h> +#include <linux/netfilter/nf_conntrack_tuple_common.h> + +#define NF_NAT_RANGE_MAP_IPS 1 +#define NF_NAT_RANGE_PROTO_SPECIFIED 2 +#define NF_NAT_RANGE_PROTO_RANDOM 4 +#define NF_NAT_RANGE_PERSISTENT 8 + +struct nf_nat_ipv4_range { + unsigned int flags; + __be32 min_ip; + __be32 max_ip; + union nf_conntrack_man_proto min; + union nf_conntrack_man_proto max; +}; + +struct nf_nat_ipv4_multi_range_compat { + unsigned int rangesize; + struct nf_nat_ipv4_range range[1]; +}; + +struct nf_nat_range { + unsigned int flags; + union nf_inet_addr min_addr; + union nf_inet_addr max_addr; + union nf_conntrack_man_proto min_proto; + union nf_conntrack_man_proto max_proto; +}; + +#endif /* _NETFILTER_NF_NAT_H */
[-] [+]	Changed	iptables-1.4.18.tar.bz2/include/linux/netfilter/xt_conntrack.h ^
@@ -30,6 +30,7 @@ XT_CONNTRACK_REPLSRC_PORT = 1 << 10, XT_CONNTRACK_REPLDST_PORT = 1 << 11, XT_CONNTRACK_DIRECTION = 1 << 12, + XT_CONNTRACK_STATE_ALIAS = 1 << 13, }; struct xt_conntrack_mtinfo1 {
[-] [+]	Changed	iptables-1.4.18.tar.bz2/include/linux/netfilter/xt_time.h ^
@@ -16,6 +16,7 @@ enum { /* Match against local time (instead of UTC) / XT_TIME_LOCAL_TZ = 1 << 0, + XT_TIME_CONTIGUOUS = 1 << 1, / Shortcuts */ XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
[-] [+]	Changed	iptables-1.4.18.tar.bz2/include/linux/netfilter_ipv4/ipt_SAME.h ^
@@ -14,7 +14,7 @@ __u32 iparray; / hangs off end. / - struct nf_nat_range range[IPT_SAME_MAX_RANGE]; + struct nf_nat_ipv4_range range[IPT_SAME_MAX_RANGE]; }; #endif /_IPT_SAME_H*/
[-] [+]	Added	iptables-1.4.18.tar.bz2/include/linux/netfilter_ipv6/ip6t_NPT.h ^
@@ -0,0 +1,16 @@ +#ifndef __NETFILTER_IP6T_NPT +#define __NETFILTER_IP6T_NPT + +#include <linux/types.h> +#include <linux/netfilter.h> + +struct ip6t_npt_tginfo { + union nf_inet_addr src_pfx; + union nf_inet_addr dst_pfx; + __u8 src_pfx_len; + __u8 dst_pfx_len; + /* Used internally by the kernel / + __sum16 adjustment; +}; + +#endif / __NETFILTER_IP6T_NPT */
[-] [+]	Changed	iptables-1.4.18.tar.bz2/include/xtables.h ^
@@ -201,6 +201,10 @@ struct xtables_lmap next; }; +enum xtables_ext_flags { + XTABLES_EXT_ALIAS = 1 << 0, +}; + / Include file for additions: new matches and targets. / struct xtables_match { @@ -218,6 +222,9 @@ / Revision of match (0 by default). / u_int8_t revision; + / Extension flags / + u_int8_t ext_flags; + u_int16_t family; / Size of match data. / @@ -251,6 +258,9 @@ / ip is struct ipt_ip * for example / void (save)(const void ip, const struct xt_entry_match match); + /* Print match name or alias / + const char (alias)(const struct xt_entry_match match); + /* Pointer to list of extra command-line options / const struct option extra_opts; @@ -289,6 +299,9 @@ /* Revision of target (0 by default). / u_int8_t revision; + / Extension flags / + u_int8_t ext_flags; + u_int16_t family; @@ -322,6 +335,9 @@ void (save)(const void ip, const struct xt_entry_target target); + /* Print target name or alias / + const char (alias)(const struct xt_entry_target target); + /* Pointer to list of extra command-line options / const struct option extra_opts; @@ -417,6 +433,8 @@ extern struct xtables_target xtables_find_target(const char name, enum xtables_tryload); +extern void xtables_rule_matches_free(struct xtables_rule_match *matches); + / Your shared library should call one of these. / extern void xtables_register_match(struct xtables_match me); extern void xtables_register_matches(struct xtables_match , unsigned int); @@ -467,6 +485,22 @@ / extern void xtables_save_string(const char *value); +#define FMT_NUMERIC 0x0001 +#define FMT_NOCOUNTS 0x0002 +#define FMT_KILOMEGAGIGA 0x0004 +#define FMT_OPTIONS 0x0008 +#define FMT_NOTABLE 0x0010 +#define FMT_NOTARGET 0x0020 +#define FMT_VIA 0x0040 +#define FMT_NONEWLINE 0x0080 +#define FMT_LINENUMBERS 0x0100 + +#define FMT_PRINT_RULE (FMT_NOCOUNTS \| FMT_OPTIONS \| FMT_VIA \ + \| FMT_NUMERIC \| FMT_NOTABLE) +#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab)) + +extern void xtables_print_num(uint64_t number, unsigned int format); + #if defined(ALL_INCLUSIVE) \|\| defined(NO_SHARED_LIBS) # ifdef _INIT # undef _init
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/ip6tables-restore.8 ^
@@ -21,7 +21,8 @@ .SH NAME ip6tables-restore \(em Restore IPv6 Tables .SH SYNOPSIS -\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] +\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] +[\fB\-T\fP \fIname\fP] .SH DESCRIPTION .PP .B ip6tables-restore @@ -31,8 +32,23 @@ \fB\-c\fR, \fB\-\-counters\fR restore the values of all packet and byte counters .TP +\fB\-h\fP, \fB\-\-help\fP +Print a short option summary. +.TP \fB\-n\fR, \fB\-\-noflush\fR -don't flush the previous contents of the table. If not specified, +don't flush the previous contents of the table. If not specified, +\fBip6tables-restore\fP flushes (deletes) all previous contents of the +respective table. +.TP +\fB\-t\fP, \fB\-\-test\fP +Only parse and construct the ruleset, but do not commit it. +.TP +\fB\-v\fP, \fB\-\-verbose\fP +Print additional debug info during ruleset processing. +.TP +\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP +Specify the path to the modprobe program. By default, ip6tables-restore will +inspect /proc/sys/kernel/modprobe to determine the executable's path. .TP \fB\-T\fP, \fB\-\-table\fP \fIname\fP Restore only the named table even if the input stream contains other ones.
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/ip6tables.8.in ^
@@ -87,7 +87,7 @@ is matched, the target specified by the chain policy determines the fate of the packet. .SH TABLES -There are currently three independent tables (which tables are present +There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present). .TP @@ -106,6 +106,13 @@ \fBFORWARD\fP (for packets being routed through the box), and \fBOUTPUT\fP (for locally-generated packets). .TP +\fBnat\fP: +This table is consulted when a packet that creates a new +connection is encountered. It consists of three built-ins: \fBPREROUTING\fP +(for altering packets as soon as they come in), \fBOUTPUT\fP +(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP +(for altering packets as they are about to go out). Available since kernel 3.7. +.TP \fBmangle\fP: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: \fBPREROUTING\fP @@ -240,6 +247,15 @@ The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands). .TP +\fB\-4\fP, \fB\-\-ipv4\fP +If a rule using the \fB\-4\fP option is inserted with (and only with) +ip6tables-restore, it will be silently ignored. Any other uses will throw an +error. This option allows to put both IPv4 and IPv6 rules in a single rule file +for use with both iptables-restore and ip6tables-restore. +.TP +\fB\-6\fP, \fB\-\-ipv6\fP +This option has no effect in ip6tables and ip6tables-restore. +.TP [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP The protocol of the rule or of the packet to check. The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP, @@ -281,6 +297,13 @@ (source) flag for a detailed description of the syntax. The flag \fB\-\-dst\fP is an alias for this option. .TP +\fB\-m\fP, \fB\-\-match\fP \fImatch\fP +Specifies a match to use, that is, an extension module that tests for a +specific property. The set of matches make up the condition under which a +target is invoked. Matches are evaluated first to last as specified on the +command line and work in short-circuit fashion, i.e. if one extension yields +false, evaluation will stop. +.TP \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/ip6tables.c ^
@@ -52,21 +52,6 @@ #define FALSE 0 #endif -#define FMT_NUMERIC 0x0001 -#define FMT_NOCOUNTS 0x0002 -#define FMT_KILOMEGAGIGA 0x0004 -#define FMT_OPTIONS 0x0008 -#define FMT_NOTABLE 0x0010 -#define FMT_NOTARGET 0x0020 -#define FMT_VIA 0x0040 -#define FMT_NONEWLINE 0x0080 -#define FMT_LINENUMBERS 0x0100 - -#define FMT_PRINT_RULE (FMT_NOCOUNTS \| FMT_OPTIONS \| FMT_VIA \ - \| FMT_NUMERIC \| FMT_NOTABLE) -#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab)) - - #define CMD_NONE 0x0000U #define CMD_INSERT 0x0001U #define CMD_DELETE 0x0002U @@ -442,31 +427,6 @@ } } -static void -print_num(uint64_t number, unsigned int format) -{ - if (format & FMT_KILOMEGAGIGA) { - if (number > 99999) { - number = (number + 500) / 1000; - if (number > 9999) { - number = (number + 500) / 1000; - if (number > 9999) { - number = (number + 500) / 1000; - if (number > 9999) { - number = (number + 500) / 1000; - printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); - } - else printf(FMT("%4lluG ","%lluG "), (unsigned long long)number); - } - else printf(FMT("%4lluM ","%lluM "), (unsigned long long)number); - } else - printf(FMT("%4lluK ","%lluK "), (unsigned long long)number); - } else - printf(FMT("%5llu ","%llu "), (unsigned long long)number); - } else - printf(FMT("%8llu ","%llu "), (unsigned long long)number); -} - static void print_header(unsigned int format, const char chain, struct xtc_handle handle) @@ -478,9 +438,9 @@ printf(" (policy %s", pol); if (!(format & FMT_NOCOUNTS)) { fputc(' ', stdout); - print_num(counters.pcnt, (format\|FMT_NOTABLE)); + xtables_print_num(counters.pcnt, (format\|FMT_NOTABLE)); fputs("packets, ", stdout); - print_num(counters.bcnt, (format\|FMT_NOTABLE)); + xtables_print_num(counters.bcnt, (format\|FMT_NOTABLE)); fputs("bytes", stdout); } printf(")\n"); @@ -563,8 +523,8 @@ printf(FMT("%-4u ", "%u "), num); if (!(format & FMT_NOCOUNTS)) { - print_num(fw->counters.pcnt, format); - print_num(fw->counters.bcnt, format); + xtables_print_num(fw->counters.pcnt, format); + xtables_print_num(fw->counters.bcnt, format); } if (!(format & FMT_NOTARGET)) @@ -1040,7 +1000,8 @@ xtables_find_match(e->u.user.name, XTF_TRY_LOAD, NULL); if (match) { - printf(" -m %s", e->u.user.name); + printf(" -m %s", + match->alias ? match->alias(e) : e->u.user.name); /* some matches don't provide a save function / if (match->save) @@ -1129,16 +1090,8 @@ if (counters < 0) printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); - / Print target name / + / Print target name and targinfo part / target_name = ip6tc_get_target(e, h); - if (target_name && (target_name != '\0')) -#ifdef IP6T_F_GOTO - printf(" -%c %s", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name); -#else - printf(" -j %s", target_name); -#endif - - /* Print targinfo part / t = ip6t_get_target((struct ip6t_entry )e); if (t->u.user.name[0]) { struct xtables_target target = @@ -1150,6 +1103,7 @@ exit(1); } + printf(" -j %s", target->alias ? target->alias(t) : target_name); if (target->save) target->save(&e->ipv6, t); else { @@ -1164,7 +1118,13 @@ exit(1); } } - } + } else if (target_name && (target_name != '\0')) +#ifdef IP6T_F_GOTO + printf(" -%c %s", e->ipv6.flags & IP6T_F_GOTO ? 'g' : 'j', target_name); +#else + printf(" -j %s", target_name); +#endif + printf("\n"); } @@ -1249,27 +1209,6 @@ return e; } -static void clear_rule_matches(struct xtables_rule_match *matches) -{ - struct xtables_rule_match matchp, tmp; - - for (matchp = matches; matchp;) { - tmp = matchp->next; - if (matchp->match->m) { - free(matchp->match->m); - matchp->match->m = NULL; - } - if (matchp->match == matchp->match->next) { - free(matchp->match); - matchp->match = NULL; - } - free(matchp); - matchp = tmp; - } - - matches = NULL; -} - static void command_jump(struct iptables_command_state cs) { size_t size; @@ -1290,9 +1229,10 @@ strcpy(cs->target->t->u.user.name, cs->jumpto); } else { strcpy(cs->target->t->u.user.name, cs->target->real_name); - fprintf(stderr, "WARNING: The %s target is obsolete. " - "Use %s instead.\n", - cs->jumpto, cs->target->real_name); + if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS)) + fprintf(stderr, "Notice: The %s target is converted into %s target " + "in rule listing and saving.\n", + cs->jumpto, cs->target->real_name); } cs->target->t->u.user.revision = cs->target->revision; @@ -1326,8 +1266,9 @@ strcpy(m->m->u.user.name, m->name); } else { strcpy(m->m->u.user.name, m->real_name); - fprintf(stderr, "WARNING: The %s match is obsolete. " - "Use %s instead.\n", m->name, m->real_name); + if (!(m->ext_flags & XTABLES_EXT_ALIAS)) + fprintf(stderr, "Notice: The %s match is converted into %s match " + "in rule listing and saving.\n", m->name, m->real_name); } m->m->u.user.revision = m->revision; @@ -1963,7 +1904,7 @@ if (verbose > 1) dump_entries6(*handle); - clear_rule_matches(&cs.matches); + xtables_rule_matches_free(&cs.matches); if (e != NULL) { free(e);
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/iptables-extensions.8.in ^
@@ -15,7 +15,8 @@ module. You can specify multiple extended match modules in one line, and you can use the \fB\-h\fP or \fB\-\-help\fP options after the module has been specified to receive help specific -to that module. +to that module. The extended match modules are evaluated in the order +they are specified in the rule. .PP If the \fB\-p\fP or \fB\-\-protocol\fP was specified and if and only if an unknown option is encountered, iptables will try load a match module of the
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/iptables-restore.8 ^
@@ -21,7 +21,8 @@ .SH NAME iptables-restore \(em Restore IP Tables .SH SYNOPSIS -\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] [\fB\-T\fP \fIname\fP] +\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] +[\fB\-T\fP \fIname\fP] .SH DESCRIPTION .PP .B iptables-restore @@ -31,10 +32,23 @@ \fB\-c\fR, \fB\-\-counters\fR restore the values of all packet and byte counters .TP +\fB\-h\fP, \fB\-\-help\fP +Print a short option summary. +.TP \fB\-n\fR, \fB\-\-noflush\fR don't flush the previous contents of the table. If not specified, .B iptables-restore -flushes (deletes) all previous contents of the respective IP Table. +flushes (deletes) all previous contents of the respective table. +.TP +\fB\-t\fP, \fB\-\-test\fP +Only parse and construct the ruleset, but do not commit it. +.TP +\fB\-v\fP, \fB\-\-verbose\fP +Print additional debug info during ruleset processing. +.TP +\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP +Specify the path to the modprobe program. By default, iptables-restore will +inspect /proc/sys/kernel/modprobe to determine the executable's path. .TP \fB\-T\fP, \fB\-\-table\fP \fIname\fP Restore only the named table even if the input stream contains other ones.
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/iptables.8.in ^
@@ -86,7 +86,7 @@ is matched, the target specified by the chain policy determines the fate of the packet. .SH TABLES -There are currently three independent tables (which tables are present +There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present). .TP @@ -243,6 +243,15 @@ The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands). .TP +\fB\-4\fP, \fB\-\-ipv4\fP +This option has no effect in iptables and iptables-restore. +.TP +\fB\-6\fP, \fB\-\-ipv6\fP +If a rule using the \fB\-6\fP option is inserted with (and only with) +iptables-restore, it will be silently ignored. Any other uses will throw an +error. This option allows to put both IPv4 and IPv6 rules in a single rule file +for use with both iptables-restore and ip6tables-restore. +.TP [\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP The protocol of the rule or of the packet to check. The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP, @@ -277,6 +286,13 @@ (source) flag for a detailed description of the syntax. The flag \fB\-\-dst\fP is an alias for this option. .TP +\fB\-m\fP, \fB\-\-match\fP \fImatch\fP +Specifies a match to use, that is, an extension module that tests for a +specific property. The set of matches make up the condition under which a +target is invoked. Matches are evaluated first to last as specified on the +command line and work in short-circuit fashion, i.e. if one extension yields +false, evaluation will stop. +.TP \fB\-j\fP, \fB\-\-jump\fP \fItarget\fP This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the
[-] [+]	Changed	iptables-1.4.18.tar.bz2/iptables/iptables.c ^
@@ -48,21 +48,6 @@ #define FALSE 0 #endif -#define FMT_NUMERIC 0x0001 -#define FMT_NOCOUNTS 0x0002 -#define FMT_KILOMEGAGIGA 0x0004 -#define FMT_OPTIONS 0x0008 -#define FMT_NOTABLE 0x0010 -#define FMT_NOTARGET 0x0020 -#define FMT_VIA 0x0040 -#define FMT_NONEWLINE 0x0080 -#define FMT_LINENUMBERS 0x0100 - -#define FMT_PRINT_RULE (FMT_NOCOUNTS \| FMT_OPTIONS \| FMT_VIA \ - \| FMT_NUMERIC \| FMT_NOTABLE) -#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab)) - - #define CMD_NONE 0x0000U #define CMD_INSERT 0x0001U #define CMD_DELETE 0x0002U @@ -186,22 +171,6 @@ #define prog_name iptables_globals.program_name #define prog_vers iptables_globals.program_version -/* Primitive headers... / -/ defined in netinet/in.h / -#if 0 -#ifndef IPPROTO_ESP -#define IPPROTO_ESP 50 -#endif -#ifndef IPPROTO_AH -#define IPPROTO_AH 51 -#endif -#endif - -enum { - IPT_DOTTED_ADDR = 0, - IPT_DOTTED_MASK -}; - static void __attribute__((noreturn)) exit_tryhelp(int status) { @@ -445,32 +414,6 @@ } static void -print_num(uint64_t number, unsigned int format) -{ - if (format & FMT_KILOMEGAGIGA) { - if (number > 99999) { - number = (number + 500) / 1000; - if (number > 9999) { - number = (number + 500) / 1000; - if (number > 9999) { - number = (number + 500) / 1000; - if (number > 9999) { - number = (number + 500) / 1000; - printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); - } - else printf(FMT("%4lluG ","%lluG "), (unsigned long long)number); - } - else printf(FMT("%4lluM ","%lluM "), (unsigned long long)number); - } else - printf(FMT("%4lluK ","%lluK "), (unsigned long long)number); - } else - printf(FMT("%5llu ","%llu "), (unsigned long long)number); - } else - printf(FMT("%8llu ","%llu "), (unsigned long long)number); -} - - -static void print_header(unsigned int format, const char chain, struct xtc_handle handle) { struct xt_counters counters; @@ -480,9 +423,9 @@ printf(" (policy %s", pol); if (!(format & FMT_NOCOUNTS)) { fputc(' ', stdout); - print_num(counters.pcnt, (format\|FMT_NOTABLE)); + xtables_print_num(counters.pcnt, (format\|FMT_NOTABLE)); fputs("packets, ", stdout); - print_num(counters.bcnt, (format\|FMT_NOTABLE)); + xtables_print_num(counters.bcnt, (format\|FMT_NOTABLE)); fputs("bytes", stdout); } printf(")\n"); @@ -567,8 +510,8 @@ printf(FMT("%-4u ", "%u "), num); if (!(format & FMT_NOCOUNTS)) { - print_num(fw->counters.pcnt, format); - print_num(fw->counters.bcnt, format); + xtables_print_num(fw->counters.pcnt, format); + xtables_print_num(fw->counters.bcnt, format); } if (!(format & FMT_NOTARGET)) @@ -1048,7 +991,8 @@ xtables_find_match(e->u.user.name, XTF_TRY_LOAD, NULL); if (match) { - printf(" -m %s", e->u.user.name); + printf(" -m %s", + match->alias ? match->alias(e) : e->u.user.name); / some matches don't provide a save function / if (match->save) @@ -1137,16 +1081,8 @@ if (counters < 0) printf(" -c %llu %llu", (unsigned long long)e->counters.pcnt, (unsigned long long)e->counters.bcnt); - / Print target name / + / Print target name and targinfo part / target_name = iptc_get_target(e, h); - if (target_name && (target_name != '\0')) -#ifdef IPT_F_GOTO - printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name); -#else - printf(" -j %s", target_name); -#endif - - /* Print targinfo part / t = ipt_get_target((struct ipt_entry )e); if (t->u.user.name[0]) { const struct xtables_target target = @@ -1158,6 +1094,7 @@ exit(1); } + printf(" -j %s", target->alias ? target->alias(t) : target_name); if (target->save) target->save(&e->ip, t); else { @@ -1172,7 +1109,13 @@ exit(1); } } - } + } else if (target_name && (target_name != '\0')) +#ifdef IPT_F_GOTO + printf(" -%c %s", e->ip.flags & IPT_F_GOTO ? 'g' : 'j', target_name); +#else + printf(" -j %s", target_name); +#endif + printf("\n"); } @@ -1257,27 +1200,6 @@ return e; } -static void clear_rule_matches(struct xtables_rule_match *matches) -{ - struct xtables_rule_match matchp, tmp; - - for (matchp = matches; matchp;) { - tmp = matchp->next; - if (matchp->match->m) { - free(matchp->match->m); - matchp->match->m = NULL; - } - if (matchp->match == matchp->match->next) { - free(matchp->match); - matchp->match = NULL; - } - free(matchp); - matchp = tmp; - } - - matches = NULL; -} - static void command_jump(struct iptables_command_state cs) { size_t size; @@ -1300,9 +1222,10 @@ } else { /* Alias support for userspace side / strcpy(cs->target->t->u.user.name, cs->target->real_name); - fprintf(stderr, "WARNING: The %s target is obsolete. " - "Use %s instead.\n", - cs->jumpto, cs->target->real_name); + if (!(cs->target->ext_flags & XTABLES_EXT_ALIAS)) + fprintf(stderr, "Notice: The %s target is converted into %s target " + "in rule listing and saving.\n", + cs->jumpto, cs->target->real_name); } cs->target->t->u.user.revision = cs->target->revision; @@ -1337,8 +1260,9 @@ strcpy(m->m->u.user.name, m->name); } else { strcpy(m->m->u.user.name, m->real_name); - fprintf(stderr, "WARNING: The %s match is obsolete. " - "Use %s instead.\n", m->name, m->real_name); + if (!(m->ext_flags & XTABLES_EXT_ALIAS)) + fprintf(stderr, "Notice: the %s match is converted into %s match " + "in rule listing and saving.\n", m->name, m->real_name); } m->m->u.user.revision = m->revision; @@ -1979,7 +1903,7 @@ if (verbose > 1) dump_entries(handle); - clear_rule_matches(&cs.matches); + xtables_rule_matches_free(&cs.matches); if (e != NULL) { free(e);
[-] [+]	Changed	iptables-1.4.18.tar.bz2/libxtables/xtables.c ^
@@ -1075,6 +1075,28 @@ } while (n > 0); } +/* receives a list of xtables_rule_match, release them / +void xtables_rule_matches_free(struct xtables_rule_match matches) +{ + struct xtables_rule_match matchp, tmp; + + for (matchp = matches; matchp;) { + tmp = matchp->next; + if (matchp->match->m) { + free(matchp->match->m); + matchp->match->m = NULL; + } + if (matchp->match == matchp->match->next) { + free(matchp->match); + matchp->match = NULL; + } + free(matchp); + matchp = tmp; + } + + matches = NULL; +} + /* * xtables_param_act - act on condition * @status: a constant from enum xtables_exittype @@ -1890,6 +1912,35 @@ return -1; } +void xtables_print_num(uint64_t number, unsigned int format) +{ + if (!(format & FMT_KILOMEGAGIGA)) { + printf(FMT("%8llu ","%llu "), (unsigned long long)number); + return; + } + if (number <= 99999) { + printf(FMT("%5llu ","%llu "), (unsigned long long)number); + return; + } + number = (number + 500) / 1000; + if (number <= 9999) { + printf(FMT("%4lluK ","%lluK "), (unsigned long long)number); + return; + } + number = (number + 500) / 1000; + if (number <= 9999) { + printf(FMT("%4lluM ","%lluM "), (unsigned long long)number); + return; + } + number = (number + 500) / 1000; + if (number <= 9999) { + printf(FMT("%4lluG ","%lluG "), (unsigned long long)number); + return; + } + number = (number + 500) / 1000; + printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); +} + int kernel_version; void get_kernel_version(void)