Merge lp:~bkerensa/ubuntu/raring/iptables/new-upstream-version into lp:ubuntu/raring/iptables
Proposed by
Benjamin Kerensa
Status: | Work in progress |
---|---|
Proposed branch: | lp:~bkerensa/ubuntu/raring/iptables/new-upstream-version |
Merge into: | lp:ubuntu/raring/iptables |
Diff against target: |
71811 lines (+28020/-33748) 209 files modified
.gitignore (+6/-23) .pc/9000-howtos.patch/Makefile.am (+0/-26) .pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h (+0/-38) .pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c (+0/-203) .pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man (+0/-104) .pc/9003-lp1020490.patch/extensions/libxt_conntrack.c (+0/-1102) .pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c (+0/-465) .pc/9004-argv-is-null.patch/iptables/iptables-restore.c (+0/-470) .pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c (+0/-465) .pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c (+0/-470) .pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c (+0/-148) .pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules (+0/-193) .pc/applied-patches (+0/-8) Changelog (+0/-2992) Makefile.am (+6/-2) Makefile.in (+84/-36) aclocal.m4 (+113/-30) autogen.sh (+1/-1) build-aux/ar-lib (+270/-0) build-aux/compile (+343/-0) build-aux/config.guess (+1530/-0) build-aux/config.sub (+1782/-0) build-aux/depcomp (+708/-0) build-aux/install-sh (+527/-0) build-aux/ltmain.sh (+9661/-0) build-aux/missing (+331/-0) compile (+0/-143) config.guess (+0/-1502) config.h.in (+3/-0) config.sub (+0/-1714) configure (+2406/-1130) configure.ac (+20/-4) debian/changelog (+6/-0) depcomp (+0/-630) extensions/.gitignore (+9/-0) extensions/GNUmakefile.in (+65/-59) extensions/libip6t_dst.c (+3/-0) extensions/libip6t_frag.c (+24/-0) extensions/libip6t_hbh.c (+1/-0) extensions/libipt_CLUSTERIP.c (+2/-2) extensions/libipt_DNAT.c (+10/-7) extensions/libipt_SAME.c (+14/-10) extensions/libipt_SNAT.c (+10/-7) extensions/libipt_ULOG.c (+2/-2) extensions/libipt_addrtype.c (+0/-308) extensions/libipt_addrtype.man (+0/-69) extensions/libipt_ecn.c (+0/-137) extensions/libipt_ecn.man (+0/-11) extensions/libipt_realm.c (+5/-5) extensions/libipt_ttl.c (+1/-1) extensions/libipt_ttl.man (+1/-1) 
extensions/libxt_CONNSECMARK.c (+1/-1) extensions/libxt_CT.c (+162/-12) extensions/libxt_CT.man (+5/-0) extensions/libxt_HMARK.c (+450/-0) extensions/libxt_HMARK.man (+60/-0) extensions/libxt_LED.c (+5/-2) extensions/libxt_NFQUEUE.c (+1/-1) extensions/libxt_NOTRACK.c (+0/-15) extensions/libxt_NOTRACK.man (+2/-4) extensions/libxt_SET.c (+3/-10) extensions/libxt_SET.man (+8/-9) extensions/libxt_TCPMSS.c (+31/-31) extensions/libxt_TEE.c (+28/-28) extensions/libxt_TOS.man (+4/-4) extensions/libxt_TRACE.man (+1/-1) extensions/libxt_addrtype.c (+300/-0) extensions/libxt_addrtype.man (+69/-0) extensions/libxt_connbytes.c (+25/-17) extensions/libxt_connlimit.man (+2/-1) extensions/libxt_conntrack.c (+207/-9) extensions/libxt_conntrack.man (+9/-9) extensions/libxt_dccp.c (+12/-7) extensions/libxt_dccp.man (+1/-1) extensions/libxt_devgroup.c (+32/-40) extensions/libxt_devgroup.man (+7/-0) extensions/libxt_dscp.c (+3/-2) extensions/libxt_ecn.c (+138/-0) extensions/libxt_ecn.man (+11/-0) extensions/libxt_hashlimit.c (+196/-40) extensions/libxt_hashlimit.man (+15/-4) extensions/libxt_limit.c (+14/-5) extensions/libxt_nfacct.c (+89/-0) extensions/libxt_nfacct.man (+30/-0) extensions/libxt_owner.c (+2/-1) extensions/libxt_policy.c (+1/-2) extensions/libxt_rateest.c (+34/-21) extensions/libxt_recent.c (+165/-30) extensions/libxt_recent.man (+6/-2) extensions/libxt_rpfilter.c (+96/-0) extensions/libxt_rpfilter.man (+38/-0) extensions/libxt_set.c (+101/-8) extensions/libxt_set.h (+7/-0) extensions/libxt_set.man (+8/-3) extensions/libxt_state.c (+0/-137) extensions/libxt_state.man (+6/-22) extensions/libxt_string.c (+8/-12) extensions/libxt_tcp.c (+3/-6) extensions/libxt_u32.c (+6/-10) howtos/Makefile (+0/-10) howtos/NAT-HOWTO.sgml (+0/-609) howtos/netfilter-extensions-HOWTO.sgml (+0/-1781) howtos/netfilter-hacking-HOWTO.sgml (+0/-1978) howtos/packet-filtering-HOWTO.sgml (+0/-1339) include/Makefile.am (+2/-2) include/Makefile.in (+61/-22) include/ip6tables.h (+5/-5) 
include/iptables.h (+8/-16) include/libiptc/libip6tc.h (+57/-55) include/libiptc/libiptc.h (+56/-54) include/libiptc/xtcshared.h (+20/-0) include/linux/kernel.h (+0/-33) include/linux/netfilter.h (+15/-5) include/linux/netfilter/ipset/ip_set.h (+227/-0) include/linux/netfilter/nf_conntrack_common.h (+14/-0) include/linux/netfilter/nf_conntrack_tuple_common.h (+1/-2) include/linux/netfilter/x_tables.h (+5/-0) include/linux/netfilter/xt_CT.h (+14/-0) include/linux/netfilter/xt_HMARK.h (+50/-0) include/linux/netfilter/xt_TCPOPTSTRIP.h (+2/-0) include/linux/netfilter/xt_TPROXY.h (+2/-0) include/linux/netfilter/xt_addrtype.h (+44/-0) include/linux/netfilter/xt_cluster.h (+2/-0) include/linux/netfilter/xt_connbytes.h (+2/-2) include/linux/netfilter/xt_connlimit.h (+2/-0) include/linux/netfilter/xt_ecn.h (+33/-0) include/linux/netfilter/xt_hashlimit.h (+5/-1) include/linux/netfilter/xt_nfacct.h (+17/-0) include/linux/netfilter/xt_physdev.h (+0/-3) include/linux/netfilter/xt_policy.h (+0/-11) include/linux/netfilter/xt_quota.h (+3/-1) include/linux/netfilter/xt_recent.h (+10/-0) include/linux/netfilter/xt_rpfilter.h (+17/-0) include/linux/netfilter/xt_sctp.h (+2/-2) include/linux/netfilter/xt_set.h (+11/-70) include/linux/netfilter/xt_socket.h (+2/-0) include/linux/netfilter/xt_time.h (+2/-0) include/linux/netfilter/xt_u32.h (+2/-0) include/linux/netfilter_ipv4/ip_queue.h (+72/-0) include/linux/netfilter_ipv4/ip_tables.h (+39/-43) include/linux/netfilter_ipv4/ipt_CLUSTERIP.h (+9/-7) include/linux/netfilter_ipv4/ipt_ECN.h (+5/-3) include/linux/netfilter_ipv4/ipt_SAME.h (+5/-3) include/linux/netfilter_ipv4/ipt_TTL.h (+4/-2) include/linux/netfilter_ipv4/ipt_addrtype.h (+9/-7) include/linux/netfilter_ipv4/ipt_ah.h (+4/-2) include/linux/netfilter_ipv4/ipt_ecn.h (+0/-33) include/linux/netfilter_ipv4/ipt_ttl.h (+4/-2) include/linux/netfilter_ipv6/ip6_tables.h (+38/-62) include/linux/netfilter_ipv6/ip6t_HL.h (+4/-2) include/linux/netfilter_ipv6/ip6t_REJECT.h (+3/-1) 
include/linux/netfilter_ipv6/ip6t_ah.h (+6/-4) include/linux/netfilter_ipv6/ip6t_frag.h (+6/-4) include/linux/netfilter_ipv6/ip6t_hl.h (+4/-2) include/linux/netfilter_ipv6/ip6t_ipv6header.h (+5/-3) include/linux/netfilter_ipv6/ip6t_mh.h (+4/-2) include/linux/netfilter_ipv6/ip6t_opts.h (+7/-5) include/linux/netfilter_ipv6/ip6t_rt.h (+7/-6) include/xtables-version.h.in (+2/-0) include/xtables.h (+530/-0) include/xtables.h.in (+0/-517) install-sh (+0/-520) iptables/.gitignore (+1/-0) iptables/Makefile.am (+14/-20) iptables/Makefile.in (+140/-154) iptables/ip6tables-restore.8 (+3/-1) iptables/ip6tables-restore.c (+99/-102) iptables/ip6tables-save.c (+42/-58) iptables/ip6tables-standalone.c (+1/-6) iptables/ip6tables.8.in (+10/-15) iptables/ip6tables.c (+74/-59) iptables/iptables-apply.8 (+1/-1) iptables/iptables-extensions.8.in (+27/-0) iptables/iptables-restore.8 (+4/-1) iptables/iptables-restore.c (+89/-97) iptables/iptables-save.c (+42/-59) iptables/iptables-standalone.c (+1/-6) iptables/iptables-xml.c (+18/-27) iptables/iptables.8.in (+6/-15) iptables/iptables.c (+74/-76) iptables/xshared.c (+1/-1) iptables/xtables.c (+0/-1814) iptables/xtoptions.c (+0/-1159) libipq/.gitignore (+1/-0) libipq/Makefile.am (+2/-0) libipq/Makefile.in (+104/-32) libipq/libipq.pc.in (+11/-0) libiptc/.gitignore (+1/-1) libiptc/Makefile.am (+3/-3) libiptc/Makefile.in (+64/-21) libiptc/libip4tc.c (+21/-35) libiptc/libip4tc.pc.in (+10/-0) libiptc/libip6tc.c (+18/-20) libiptc/libip6tc.pc.in (+10/-0) libiptc/libiptc.c (+41/-28) libiptc/libiptc.pc.in (+2/-4) libxtables/Makefile.am (+20/-0) libxtables/Makefile.in (+601/-0) libxtables/xtables.c (+1908/-0) libxtables/xtoptions.c (+1172/-0) ltmain.sh (+0/-8413) m4/libtool.m4 (+1441/-835) m4/ltoptions.m4 (+24/-8) m4/ltversion.m4 (+6/-6) m4/lt~obsolete.m4 (+9/-3) missing (+0/-376) tests/options-most.rules (+38/-19) utils/Makefile.am (+2/-1) utils/Makefile.in (+58/-16) |
To merge this branch: | bzr merge lp:~bkerensa/ubuntu/raring/iptables/new-upstream-version |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
James Page | Disapprove | ||
Ubuntu branches | Pending | ||
Review via email: mp+135553@code.launchpad.net |
Commit message
Description of the change
New Upstream Release
Unmerged revisions
- 35. By Benjamin Kerensa: New Upstream Version
Preview Diff
1 | === modified file '.gitignore' |
2 | --- .gitignore 2012-07-20 15:45:01 +0000 |
3 | +++ .gitignore 2012-11-21 23:36:21 +0000 |
4 | @@ -1,38 +1,21 @@ |
5 | -.*.d |
6 | -.*.dd |
7 | *.a |
8 | *.la |
9 | *.lo |
10 | -*.oo |
11 | *.so |
12 | *.o |
13 | -.deps |
14 | +.deps/ |
15 | .dirstamp |
16 | -.libs |
17 | +.libs/ |
18 | Makefile |
19 | Makefile.in |
20 | |
21 | -/extensions/GNUmakefile |
22 | -/extensions/initext.c |
23 | -/extensions/initext?.c |
24 | -/extensions/matches?.man |
25 | -/extensions/targets?.man |
26 | - |
27 | -/include/xtables.h |
28 | +/include/xtables-version.h |
29 | /include/iptables/internal.h |
30 | |
31 | /aclocal.m4 |
32 | -/autom4te*.cache |
33 | -/compile |
34 | -/config.guess |
35 | -/config.h* |
36 | -/config.log |
37 | -/config.status |
38 | -/config.sub |
39 | +/autom4te.cache/ |
40 | +/build-aux/ |
41 | +/config.* |
42 | /configure |
43 | -/depcomp |
44 | -/install-sh |
45 | /libtool |
46 | -/ltmain.sh |
47 | -/missing |
48 | /stamp-h1 |
49 | |
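Review bot: The new `/build-aux/` and `/config.*` entries near the end of this hunk ignore paths that this same merge adds as tracked files: the diffstat lists build-aux/config.guess, build-aux/config.sub, build-aux/ltmain.sh and others as pure additions. If those generated autotools files come from the upstream release tarball, say so in the merge description; otherwise leave them out of the branch and let the build regenerate them, so that the ignore list and the tracked tree agree.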
50 | === removed directory '.pc/0101-changelog.patch' |
51 | === removed file '.pc/0101-changelog.patch/Changelog' |
52 | === removed directory '.pc/9000-howtos.patch' |
53 | === removed file '.pc/9000-howtos.patch/Makefile.am' |
54 | --- .pc/9000-howtos.patch/Makefile.am 2011-11-07 13:46:11 +0000 |
55 | +++ .pc/9000-howtos.patch/Makefile.am 1970-01-01 00:00:00 +0000 |
56 | @@ -1,26 +0,0 @@ |
57 | -# -*- Makefile -*- |
58 | - |
59 | -ACLOCAL_AMFLAGS = -I m4 |
60 | -AUTOMAKE_OPTIONS = foreign subdir-objects |
61 | - |
62 | -SUBDIRS = extensions libiptc iptables |
63 | -if ENABLE_DEVEL |
64 | -SUBDIRS += include |
65 | -endif |
66 | -if ENABLE_LIBIPQ |
67 | -SUBDIRS += libipq |
68 | -endif |
69 | -if HAVE_LIBNFNETLINK |
70 | -SUBDIRS += utils |
71 | -endif |
72 | - |
73 | -.PHONY: tarball |
74 | -tarball: |
75 | - rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; |
76 | - pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd; |
77 | - pushd /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd; |
78 | - tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; |
79 | - rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; |
80 | - |
81 | -config.status: extensions/GNUmakefile.in \ |
82 | - include/xtables.h.in include/iptables/internal.h.in |
83 | |
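Review bot: Nothing in this merge says what happens to the 9000-howtos patch whose quilt backup of Makefile.am is deleted in this hunk. The diffstat removes .pc/applied-patches and every .pc backup, yet has no entry under debian/patches, only debian/changelog (+6/-0), so the patch series appears to be untouched. For each of 9000 to 9006, confirm whether it still applies to the new upstream source or is now included upstream, drop or refresh it accordingly, and list the outcome in debian/changelog; "New Upstream Release" alone does not tell a reviewer what became of the Ubuntu delta.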
84 | === removed directory '.pc/9000-howtos.patch/howtos' |
85 | === removed file '.pc/9000-howtos.patch/howtos/Makefile' |
86 | === removed file '.pc/9000-howtos.patch/howtos/NAT-HOWTO.sgml' |
87 | === removed file '.pc/9000-howtos.patch/howtos/netfilter-extensions-HOWTO.sgml' |
88 | === removed file '.pc/9000-howtos.patch/howtos/netfilter-hacking-HOWTO.sgml' |
89 | === removed file '.pc/9000-howtos.patch/howtos/packet-filtering-HOWTO.sgml' |
90 | === removed directory '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch' |
91 | === removed directory '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include' |
92 | === removed directory '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux' |
93 | === removed file '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h' |
94 | --- .pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h 2012-07-20 15:45:01 +0000 |
95 | +++ .pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h 1970-01-01 00:00:00 +0000 |
96 | @@ -1,38 +0,0 @@ |
97 | -#ifndef _LINUX_TYPES_H |
98 | -#define _LINUX_TYPES_H |
99 | - |
100 | -#include <asm/types.h> |
101 | - |
102 | -#ifndef __ASSEMBLY__ |
103 | - |
104 | -#include <linux/posix_types.h> |
105 | - |
106 | - |
107 | -/* |
108 | - * Below are truly Linux-specific types that should never collide with |
109 | - * any application/library that wants linux/types.h. |
110 | - */ |
111 | - |
112 | -#ifdef __CHECKER__ |
113 | -#define __bitwise__ __attribute__((bitwise)) |
114 | -#else |
115 | -#define __bitwise__ |
116 | -#endif |
117 | -#ifdef __CHECK_ENDIAN__ |
118 | -#define __bitwise __bitwise__ |
119 | -#else |
120 | -#define __bitwise |
121 | -#endif |
122 | - |
123 | -typedef __u16 __bitwise __le16; |
124 | -typedef __u16 __bitwise __be16; |
125 | -typedef __u32 __bitwise __le32; |
126 | -typedef __u32 __bitwise __be32; |
127 | -typedef __u64 __bitwise __le64; |
128 | -typedef __u64 __bitwise __be64; |
129 | - |
130 | -typedef __u16 __bitwise __sum16; |
131 | -typedef __u32 __bitwise __wsum; |
132 | - |
133 | -#endif /* __ASSEMBLY__ */ |
134 | -#endif /* _LINUX_TYPES_H */ |
135 | |
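Review bot: The build fix carried by 9001 is not accounted for. The name on this deleted backup says the patch fixed a build failure by copying linux/types.h from linux-3.2, and the diffstat has no entry for include/linux/types.h itself, so the merge does not show whether the new upstream tree still needs that fix. Test-build the merged branch and state in debian/changelog whether 9001 is kept or dropped.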
136 | === removed directory '.pc/9002-libxt_recent-Add-support-for-reap-option.patch' |
137 | === removed directory '.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions' |
138 | === removed file '.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c' |
139 | --- .pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c 2012-07-20 15:45:01 +0000 |
140 | +++ .pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c 1970-01-01 00:00:00 +0000 |
141 | @@ -1,203 +0,0 @@ |
142 | -#include <stdbool.h> |
143 | -#include <stdio.h> |
144 | -#include <string.h> |
145 | -#include <xtables.h> |
146 | -#include <linux/netfilter/xt_recent.h> |
147 | - |
148 | -enum { |
149 | - O_SET = 0, |
150 | - O_RCHECK, |
151 | - O_UPDATE, |
152 | - O_REMOVE, |
153 | - O_SECONDS, |
154 | - O_HITCOUNT, |
155 | - O_RTTL, |
156 | - O_NAME, |
157 | - O_RSOURCE, |
158 | - O_RDEST, |
159 | - F_SET = 1 << O_SET, |
160 | - F_RCHECK = 1 << O_RCHECK, |
161 | - F_UPDATE = 1 << O_UPDATE, |
162 | - F_REMOVE = 1 << O_REMOVE, |
163 | - F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE, |
164 | -}; |
165 | - |
166 | -#define s struct xt_recent_mtinfo |
167 | -static const struct xt_option_entry recent_opts[] = { |
168 | - {.name = "set", .id = O_SET, .type = XTTYPE_NONE, |
169 | - .excl = F_ANY_OP, .flags = XTOPT_INVERT}, |
170 | - {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE, |
171 | - .excl = F_ANY_OP, .flags = XTOPT_INVERT}, |
172 | - {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE, |
173 | - .excl = F_ANY_OP, .flags = XTOPT_INVERT}, |
174 | - {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE, |
175 | - .excl = F_ANY_OP, .flags = XTOPT_INVERT}, |
176 | - {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32, |
177 | - .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)}, |
178 | - {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32, |
179 | - .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)}, |
180 | - {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE, |
181 | - .excl = F_SET | F_REMOVE}, |
182 | - {.name = "name", .id = O_NAME, .type = XTTYPE_STRING, |
183 | - .flags = XTOPT_PUT, XTOPT_POINTER(s, name)}, |
184 | - {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE}, |
185 | - {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE}, |
186 | - XTOPT_TABLEEND, |
187 | -}; |
188 | -#undef s |
189 | - |
190 | -static void recent_help(void) |
191 | -{ |
192 | - printf( |
193 | -"recent match options:\n" |
194 | -"[!] --set Add source address to list, always matches.\n" |
195 | -"[!] --rcheck Match if source address in list.\n" |
196 | -"[!] --update Match if source address in list, also update last-seen time.\n" |
197 | -"[!] --remove Match if source address in list, also removes that address from list.\n" |
198 | -" --seconds seconds For check and update commands above.\n" |
199 | -" Specifies that the match will only occur if source address last seen within\n" |
200 | -" the last 'seconds' seconds.\n" |
201 | -" --hitcount hits For check and update commands above.\n" |
202 | -" Specifies that the match will only occur if source address seen hits times.\n" |
203 | -" May be used in conjunction with the seconds option.\n" |
204 | -" --rttl For check and update commands above.\n" |
205 | -" Specifies that the match will only occur if the source address and the TTL\n" |
206 | -" match between this packet and the one which was set.\n" |
207 | -" Useful if you have problems with people spoofing their source address in order\n" |
208 | -" to DoS you via this module.\n" |
209 | -" --name name Name of the recent list to be used. DEFAULT used if none given.\n" |
210 | -" --rsource Match/Save the source address of each packet in the recent list table (default).\n" |
211 | -" --rdest Match/Save the destination address of each packet in the recent list table.\n" |
212 | -"xt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"); |
213 | -} |
214 | - |
215 | -static void recent_init(struct xt_entry_match *match) |
216 | -{ |
217 | - struct xt_recent_mtinfo *info = (void *)(match)->data; |
218 | - |
219 | - strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN); |
220 | - /* even though XT_RECENT_NAME_LEN is currently defined as 200, |
221 | - * better be safe, than sorry */ |
222 | - info->name[XT_RECENT_NAME_LEN-1] = '\0'; |
223 | - info->side = XT_RECENT_SOURCE; |
224 | -} |
225 | - |
226 | -static void recent_parse(struct xt_option_call *cb) |
227 | -{ |
228 | - struct xt_recent_mtinfo *info = cb->data; |
229 | - |
230 | - xtables_option_parse(cb); |
231 | - switch (cb->entry->id) { |
232 | - case O_SET: |
233 | - info->check_set |= XT_RECENT_SET; |
234 | - if (cb->invert) |
235 | - info->invert = true; |
236 | - break; |
237 | - case O_RCHECK: |
238 | - info->check_set |= XT_RECENT_CHECK; |
239 | - if (cb->invert) |
240 | - info->invert = true; |
241 | - break; |
242 | - case O_UPDATE: |
243 | - info->check_set |= XT_RECENT_UPDATE; |
244 | - if (cb->invert) |
245 | - info->invert = true; |
246 | - break; |
247 | - case O_REMOVE: |
248 | - info->check_set |= XT_RECENT_REMOVE; |
249 | - if (cb->invert) |
250 | - info->invert = true; |
251 | - break; |
252 | - case O_RTTL: |
253 | - info->check_set |= XT_RECENT_TTL; |
254 | - break; |
255 | - case O_RSOURCE: |
256 | - info->side = XT_RECENT_SOURCE; |
257 | - break; |
258 | - case O_RDEST: |
259 | - info->side = XT_RECENT_DEST; |
260 | - break; |
261 | - } |
262 | -} |
263 | - |
264 | -static void recent_check(struct xt_fcheck_call *cb) |
265 | -{ |
266 | - if (!(cb->xflags & F_ANY_OP)) |
267 | - xtables_error(PARAMETER_PROBLEM, |
268 | - "recent: you must specify one of `--set', `--rcheck' " |
269 | - "`--update' or `--remove'"); |
270 | -} |
271 | - |
272 | -static void recent_print(const void *ip, const struct xt_entry_match *match, |
273 | - int numeric) |
274 | -{ |
275 | - const struct xt_recent_mtinfo *info = (const void *)match->data; |
276 | - |
277 | - if (info->invert) |
278 | - printf(" !"); |
279 | - |
280 | - printf(" recent:"); |
281 | - if (info->check_set & XT_RECENT_SET) |
282 | - printf(" SET"); |
283 | - if (info->check_set & XT_RECENT_CHECK) |
284 | - printf(" CHECK"); |
285 | - if (info->check_set & XT_RECENT_UPDATE) |
286 | - printf(" UPDATE"); |
287 | - if (info->check_set & XT_RECENT_REMOVE) |
288 | - printf(" REMOVE"); |
289 | - if(info->seconds) printf(" seconds: %d", info->seconds); |
290 | - if(info->hit_count) printf(" hit_count: %d", info->hit_count); |
291 | - if (info->check_set & XT_RECENT_TTL) |
292 | - printf(" TTL-Match"); |
293 | - if(info->name) printf(" name: %s", info->name); |
294 | - if (info->side == XT_RECENT_SOURCE) |
295 | - printf(" side: source"); |
296 | - if (info->side == XT_RECENT_DEST) |
297 | - printf(" side: dest"); |
298 | -} |
299 | - |
300 | -static void recent_save(const void *ip, const struct xt_entry_match *match) |
301 | -{ |
302 | - const struct xt_recent_mtinfo *info = (const void *)match->data; |
303 | - |
304 | - if (info->invert) |
305 | - printf(" !"); |
306 | - |
307 | - if (info->check_set & XT_RECENT_SET) |
308 | - printf(" --set"); |
309 | - if (info->check_set & XT_RECENT_CHECK) |
310 | - printf(" --rcheck"); |
311 | - if (info->check_set & XT_RECENT_UPDATE) |
312 | - printf(" --update"); |
313 | - if (info->check_set & XT_RECENT_REMOVE) |
314 | - printf(" --remove"); |
315 | - if(info->seconds) printf(" --seconds %d", info->seconds); |
316 | - if(info->hit_count) printf(" --hitcount %d", info->hit_count); |
317 | - if (info->check_set & XT_RECENT_TTL) |
318 | - printf(" --rttl"); |
319 | - if(info->name) printf(" --name %s",info->name); |
320 | - if (info->side == XT_RECENT_SOURCE) |
321 | - printf(" --rsource"); |
322 | - if (info->side == XT_RECENT_DEST) |
323 | - printf(" --rdest"); |
324 | -} |
325 | - |
326 | -static struct xtables_match recent_mt_reg = { |
327 | - .name = "recent", |
328 | - .version = XTABLES_VERSION, |
329 | - .family = NFPROTO_UNSPEC, |
330 | - .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), |
331 | - .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), |
332 | - .help = recent_help, |
333 | - .init = recent_init, |
334 | - .x6_parse = recent_parse, |
335 | - .x6_fcheck = recent_check, |
336 | - .print = recent_print, |
337 | - .save = recent_save, |
338 | - .x6_options = recent_opts, |
339 | -}; |
340 | - |
341 | -void _init(void) |
342 | -{ |
343 | - xtables_register_match(&recent_mt_reg); |
344 | -} |
345 | |
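Review bot: 9002 (reap option for libxt_recent) needs a recorded decision. The pre-patch backup removed in this hunk has no reap entry in `recent_opts`, while the diffstat shows extensions/libxt_recent.c (+165/-30) and include/linux/netfilter/xt_recent.h (+10/-0) changing in the same merge. Check whether the new upstream already provides the option; if it does, drop 9002 from debian/patches instead of carrying it, and note that in debian/changelog.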
346 | === removed file '.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man' |
347 | --- .pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man 2012-07-20 15:45:01 +0000 |
348 | +++ .pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man 1970-01-01 00:00:00 +0000 |
349 | @@ -1,104 +0,0 @@ |
350 | -Allows you to dynamically create a list of IP addresses and then match against |
351 | -that list in a few different ways. |
352 | -.PP |
353 | -For example, you can create a "badguy" list out of people attempting to connect |
354 | -to port 139 on your firewall and then DROP all future packets from them without |
355 | -considering them. |
356 | -.PP |
357 | -\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are |
358 | -mutually exclusive. |
359 | -.TP |
360 | -\fB\-\-name\fP \fIname\fP |
361 | -Specify the list to use for the commands. If no name is given then |
362 | -\fBDEFAULT\fP will be used. |
363 | -.TP |
364 | -[\fB!\fP] \fB\-\-set\fP |
365 | -This will add the source address of the packet to the list. If the source |
366 | -address is already in the list, this will update the existing entry. This will |
367 | -always return success (or failure if \fB!\fP is passed in). |
368 | -.TP |
369 | -\fB\-\-rsource\fP |
370 | -Match/save the source address of each packet in the recent list table. This |
371 | -is the default. |
372 | -.TP |
373 | -\fB\-\-rdest\fP |
374 | -Match/save the destination address of each packet in the recent list table. |
375 | -.TP |
376 | -[\fB!\fP] \fB\-\-rcheck\fP |
377 | -Check if the source address of the packet is currently in the list. |
378 | -.TP |
379 | -[\fB!\fP] \fB\-\-update\fP |
380 | -Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it |
381 | -matches. |
382 | -.TP |
383 | -[\fB!\fP] \fB\-\-remove\fP |
384 | -Check if the source address of the packet is currently in the list and if so |
385 | -that address will be removed from the list and the rule will return true. If |
386 | -the address is not found, false is returned. |
387 | -.TP |
388 | -\fB\-\-seconds\fP \fIseconds\fP |
389 | -This option must be used in conjunction with one of \fB\-\-rcheck\fP or |
390 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the |
391 | -address is in the list and was seen within the last given number of seconds. |
392 | -.TP |
393 | -\fB\-\-hitcount\fP \fIhits\fP |
394 | -This option must be used in conjunction with one of \fB\-\-rcheck\fP or |
395 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the |
396 | -address is in the list and packets had been received greater than or equal to |
397 | -the given value. This option may be used along with \fB\-\-seconds\fP to create |
398 | -an even narrower match requiring a certain number of hits within a specific |
399 | -time frame. The maximum value for the hitcount parameter is given by the |
400 | -"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this |
401 | -value on the command line will cause the rule to be rejected. |
402 | -.TP |
403 | -\fB\-\-rttl\fP |
404 | -This option may only be used in conjunction with one of \fB\-\-rcheck\fP or |
405 | -\fB\-\-update\fP. When used, this will narrow the match to only happen when the |
406 | -address is in the list and the TTL of the current packet matches that of the |
407 | -packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems |
408 | -with people faking their source address in order to DoS you via this module by |
409 | -disallowing others access to your site by sending bogus packets to you. |
410 | -.PP |
411 | -Examples: |
412 | -.IP |
413 | -iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP |
414 | -.IP |
415 | -iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP |
416 | -.PP |
417 | -Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has |
418 | -some examples of usage. |
419 | -.PP |
420 | -\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information |
421 | -about each entry of each list. |
422 | -.PP |
423 | -Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current |
424 | -list or written two using the following commands to modify the list: |
425 | -.TP |
426 | -\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP |
427 | -to add \fIaddr\fP to the DEFAULT list |
428 | -.TP |
429 | -\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP |
430 | -to remove \fIaddr\fP from the DEFAULT list |
431 | -.TP |
432 | -\fBecho / >/proc/net/xt_recent/DEFAULT\fP |
433 | -to flush the DEFAULT list (remove all entries). |
434 | -.PP |
435 | -The module itself accepts parameters, defaults shown: |
436 | -.TP |
437 | -\fBip_list_tot\fP=\fI100\fP |
438 | -Number of addresses remembered per table. |
439 | -.TP |
440 | -\fBip_pkt_list_tot\fP=\fI20\fP |
441 | -Number of packets per address remembered. |
442 | -.TP |
443 | -\fBip_list_hash_size\fP=\fI0\fP |
444 | -Hash table size. 0 means to calculate it based on ip_list_tot, default: 512. |
445 | -.TP |
446 | -\fBip_list_perms\fP=\fI0644\fP |
447 | -Permissions for /proc/net/xt_recent/* files. |
448 | -.TP |
449 | -\fBip_list_uid\fP=\fI0\fP |
450 | -Numerical UID for ownership of /proc/net/xt_recent/* files. |
451 | -.TP |
452 | -\fBip_list_gid\fP=\fI0\fP |
453 | -Numerical GID for ownership of /proc/net/xt_recent/* files. |
454 | |
455 | === removed directory '.pc/9003-lp1020490.patch' |
456 | === removed directory '.pc/9003-lp1020490.patch/extensions' |
457 | === removed file '.pc/9003-lp1020490.patch/extensions/libxt_conntrack.c' |
458 | --- .pc/9003-lp1020490.patch/extensions/libxt_conntrack.c 2012-07-20 15:45:01 +0000 |
459 | +++ .pc/9003-lp1020490.patch/extensions/libxt_conntrack.c 1970-01-01 00:00:00 +0000 |
460 | @@ -1,1102 +0,0 @@ |
461 | -/* |
462 | - * libxt_conntrack |
463 | - * Shared library add-on to iptables for conntrack matching support. |
464 | - * |
465 | - * GPL (C) 2001 Marc Boucher (marc@mbsi.ca). |
466 | - * Copyright © CC Computer Consultants GmbH, 2007 - 2008 |
467 | - * Jan Engelhardt <jengelh@computergmbh.de> |
468 | - */ |
469 | -#include <stdbool.h> |
470 | -#include <stdint.h> |
471 | -#include <stdio.h> |
472 | -#include <stdlib.h> |
473 | -#include <string.h> |
474 | -#include <xtables.h> |
475 | -#include <linux/netfilter/xt_conntrack.h> |
476 | -#include <linux/netfilter/nf_conntrack_common.h> |
477 | - |
478 | -struct ip_conntrack_old_tuple { |
479 | - struct { |
480 | - __be32 ip; |
481 | - union { |
482 | - __u16 all; |
483 | - } u; |
484 | - } src; |
485 | - |
486 | - struct { |
487 | - __be32 ip; |
488 | - union { |
489 | - __u16 all; |
490 | - } u; |
491 | - |
492 | - /* The protocol. */ |
493 | - __u16 protonum; |
494 | - } dst; |
495 | -}; |
496 | - |
497 | -struct xt_conntrack_info { |
498 | - unsigned int statemask, statusmask; |
499 | - |
500 | - struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; |
501 | - struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; |
502 | - |
503 | - unsigned long expires_min, expires_max; |
504 | - |
505 | - /* Flags word */ |
506 | - uint8_t flags; |
507 | - /* Inverse flags */ |
508 | - uint8_t invflags; |
509 | -}; |
510 | - |
511 | -enum { |
512 | - O_CTSTATE = 0, |
513 | - O_CTPROTO, |
514 | - O_CTORIGSRC, |
515 | - O_CTORIGDST, |
516 | - O_CTREPLSRC, |
517 | - O_CTREPLDST, |
518 | - O_CTORIGSRCPORT, |
519 | - O_CTORIGDSTPORT, |
520 | - O_CTREPLSRCPORT, |
521 | - O_CTREPLDSTPORT, |
522 | - O_CTSTATUS, |
523 | - O_CTEXPIRE, |
524 | - O_CTDIR, |
525 | -}; |
526 | - |
527 | -static void conntrack_mt_help(void) |
528 | -{ |
529 | - printf( |
530 | -"conntrack match options:\n" |
531 | -"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n" |
532 | -" State(s) to match\n" |
533 | -"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n" |
534 | -"[!] --ctorigsrc address[/mask]\n" |
535 | -"[!] --ctorigdst address[/mask]\n" |
536 | -"[!] --ctreplsrc address[/mask]\n" |
537 | -"[!] --ctrepldst address[/mask]\n" |
538 | -" Original/Reply source/destination address\n" |
539 | -"[!] --ctorigsrcport port\n" |
540 | -"[!] --ctorigdstport port\n" |
541 | -"[!] --ctreplsrcport port\n" |
542 | -"[!] --ctrepldstport port\n" |
543 | -" TCP/UDP/SCTP orig./reply source/destination port\n" |
544 | -"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n" |
545 | -" Status(es) to match\n" |
546 | -"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n" |
547 | -" value or range of values (inclusive)\n" |
548 | -" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n"); |
549 | -} |
550 | - |
551 | -#define s struct xt_conntrack_info /* for v0 */ |
552 | -static const struct xt_option_entry conntrack_mt_opts_v0[] = { |
553 | - {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, |
554 | - .flags = XTOPT_INVERT}, |
555 | - {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, |
556 | - .flags = XTOPT_INVERT, |
557 | - XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)}, |
558 | - {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST, |
559 | - .flags = XTOPT_INVERT}, |
560 | - {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST, |
561 | - .flags = XTOPT_INVERT}, |
562 | - {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOST, |
563 | - .flags = XTOPT_INVERT}, |
564 | - {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOST, |
565 | - .flags = XTOPT_INVERT}, |
566 | - {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING, |
567 | - .flags = XTOPT_INVERT}, |
568 | - {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, |
569 | - .flags = XTOPT_INVERT}, |
570 | - XTOPT_TABLEEND, |
571 | -}; |
572 | -#undef s |
573 | - |
574 | -#define s struct xt_conntrack_mtinfo2 |
575 | -/* We exploit the fact that v1-v2 share the same xt_o_e layout */ |
576 | -static const struct xt_option_entry conntrack2_mt_opts[] = { |
577 | - {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, |
578 | - .flags = XTOPT_INVERT}, |
579 | - {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, |
580 | - .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, |
581 | - {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, |
582 | - .flags = XTOPT_INVERT}, |
583 | - {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, |
584 | - .flags = XTOPT_INVERT}, |
585 | - {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK, |
586 | - .flags = XTOPT_INVERT}, |
587 | - {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK, |
588 | - .flags = XTOPT_INVERT}, |
589 | - {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING, |
590 | - .flags = XTOPT_INVERT}, |
591 | - {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, |
592 | - .flags = XTOPT_INVERT}, |
593 | - {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT, |
594 | - .flags = XTOPT_INVERT | XTOPT_NBO}, |
595 | - {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT, |
596 | - .flags = XTOPT_INVERT | XTOPT_NBO}, |
597 | - {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT, |
598 | - .flags = XTOPT_INVERT | XTOPT_NBO}, |
599 | - {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT, |
600 | - .flags = XTOPT_INVERT | XTOPT_NBO}, |
601 | - {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING}, |
602 | - XTOPT_TABLEEND, |
603 | -}; |
604 | -#undef s |
605 | - |
606 | -#define s struct xt_conntrack_mtinfo3 /* for v1-v3 */ |
607 | -/* We exploit the fact that v1-v3 share the same layout */ |
608 | -static const struct xt_option_entry conntrack3_mt_opts[] = { |
609 | - {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING, |
610 | - .flags = XTOPT_INVERT}, |
611 | - {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL, |
612 | - .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)}, |
613 | - {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK, |
614 | - .flags = XTOPT_INVERT}, |
615 | - {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK, |
616 | - .flags = XTOPT_INVERT}, |
617 | - {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK, |
618 | - .flags = XTOPT_INVERT}, |
619 | - {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK, |
620 | - .flags = XTOPT_INVERT}, |
621 | - {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING, |
622 | - .flags = XTOPT_INVERT}, |
623 | - {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC, |
624 | - .flags = XTOPT_INVERT}, |
625 | - {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC, |
626 | - .flags = XTOPT_INVERT}, |
627 | - {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC, |
628 | - .flags = XTOPT_INVERT}, |
629 | - {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC, |
630 | - .flags = XTOPT_INVERT}, |
631 | - {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC, |
632 | - .flags = XTOPT_INVERT}, |
633 | - {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING}, |
634 | - XTOPT_TABLEEND, |
635 | -}; |
636 | -#undef s |
637 | - |
638 | -static int |
639 | -parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo) |
640 | -{ |
641 | - if (strncasecmp(state, "INVALID", len) == 0) |
642 | - sinfo->statemask |= XT_CONNTRACK_STATE_INVALID; |
643 | - else if (strncasecmp(state, "NEW", len) == 0) |
644 | - sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW); |
645 | - else if (strncasecmp(state, "ESTABLISHED", len) == 0) |
646 | - sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED); |
647 | - else if (strncasecmp(state, "RELATED", len) == 0) |
648 | - sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED); |
649 | - else if (strncasecmp(state, "UNTRACKED", len) == 0) |
650 | - sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED; |
651 | - else if (strncasecmp(state, "SNAT", len) == 0) |
652 | - sinfo->statemask |= XT_CONNTRACK_STATE_SNAT; |
653 | - else if (strncasecmp(state, "DNAT", len) == 0) |
654 | - sinfo->statemask |= XT_CONNTRACK_STATE_DNAT; |
655 | - else |
656 | - return 0; |
657 | - return 1; |
658 | -} |
659 | - |
660 | -static void |
661 | -parse_states(const char *arg, struct xt_conntrack_info *sinfo) |
662 | -{ |
663 | - const char *comma; |
664 | - |
665 | - while ((comma = strchr(arg, ',')) != NULL) { |
666 | - if (comma == arg || !parse_state(arg, comma-arg, sinfo)) |
667 | - xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg); |
668 | - arg = comma+1; |
669 | - } |
670 | - if (!*arg) |
671 | - xtables_error(PARAMETER_PROBLEM, "\"--ctstate\" requires a list of " |
672 | - "states with no spaces, e.g. " |
673 | - "ESTABLISHED,RELATED"); |
674 | - if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo)) |
675 | - xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg); |
676 | -} |
677 | - |
678 | -static bool |
679 | -conntrack_ps_state(struct xt_conntrack_mtinfo3 *info, const char *state, |
680 | - size_t z) |
681 | -{ |
682 | - if (strncasecmp(state, "INVALID", z) == 0) |
683 | - info->state_mask |= XT_CONNTRACK_STATE_INVALID; |
684 | - else if (strncasecmp(state, "NEW", z) == 0) |
685 | - info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW); |
686 | - else if (strncasecmp(state, "ESTABLISHED", z) == 0) |
687 | - info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED); |
688 | - else if (strncasecmp(state, "RELATED", z) == 0) |
689 | - info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED); |
690 | - else if (strncasecmp(state, "UNTRACKED", z) == 0) |
691 | - info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED; |
692 | - else if (strncasecmp(state, "SNAT", z) == 0) |
693 | - info->state_mask |= XT_CONNTRACK_STATE_SNAT; |
694 | - else if (strncasecmp(state, "DNAT", z) == 0) |
695 | - info->state_mask |= XT_CONNTRACK_STATE_DNAT; |
696 | - else |
697 | - return false; |
698 | - return true; |
699 | -} |
700 | - |
701 | -static void |
702 | -conntrack_ps_states(struct xt_conntrack_mtinfo3 *info, const char *arg) |
703 | -{ |
704 | - const char *comma; |
705 | - |
706 | - while ((comma = strchr(arg, ',')) != NULL) { |
707 | - if (comma == arg || !conntrack_ps_state(info, arg, comma - arg)) |
708 | - xtables_error(PARAMETER_PROBLEM, |
709 | - "Bad ctstate \"%s\"", arg); |
710 | - arg = comma + 1; |
711 | - } |
712 | - |
713 | - if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg))) |
714 | - xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg); |
715 | -} |
716 | - |
717 | -static int |
718 | -parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo) |
719 | -{ |
720 | - if (strncasecmp(status, "NONE", len) == 0) |
721 | - sinfo->statusmask |= 0; |
722 | - else if (strncasecmp(status, "EXPECTED", len) == 0) |
723 | - sinfo->statusmask |= IPS_EXPECTED; |
724 | - else if (strncasecmp(status, "SEEN_REPLY", len) == 0) |
725 | - sinfo->statusmask |= IPS_SEEN_REPLY; |
726 | - else if (strncasecmp(status, "ASSURED", len) == 0) |
727 | - sinfo->statusmask |= IPS_ASSURED; |
728 | -#ifdef IPS_CONFIRMED |
729 | - else if (strncasecmp(status, "CONFIRMED", len) == 0) |
730 | - sinfo->statusmask |= IPS_CONFIRMED; |
731 | -#endif |
732 | - else |
733 | - return 0; |
734 | - return 1; |
735 | -} |
736 | - |
737 | -static void |
738 | -parse_statuses(const char *arg, struct xt_conntrack_info *sinfo) |
739 | -{ |
740 | - const char *comma; |
741 | - |
742 | - while ((comma = strchr(arg, ',')) != NULL) { |
743 | - if (comma == arg || !parse_status(arg, comma-arg, sinfo)) |
744 | - xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg); |
745 | - arg = comma+1; |
746 | - } |
747 | - |
748 | - if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo)) |
749 | - xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg); |
750 | -} |
751 | - |
752 | -static bool |
753 | -conntrack_ps_status(struct xt_conntrack_mtinfo3 *info, const char *status, |
754 | - size_t z) |
755 | -{ |
756 | - if (strncasecmp(status, "NONE", z) == 0) |
757 | - info->status_mask |= 0; |
758 | - else if (strncasecmp(status, "EXPECTED", z) == 0) |
759 | - info->status_mask |= IPS_EXPECTED; |
760 | - else if (strncasecmp(status, "SEEN_REPLY", z) == 0) |
761 | - info->status_mask |= IPS_SEEN_REPLY; |
762 | - else if (strncasecmp(status, "ASSURED", z) == 0) |
763 | - info->status_mask |= IPS_ASSURED; |
764 | - else if (strncasecmp(status, "CONFIRMED", z) == 0) |
765 | - info->status_mask |= IPS_CONFIRMED; |
766 | - else |
767 | - return false; |
768 | - return true; |
769 | -} |
770 | - |
771 | -static void |
772 | -conntrack_ps_statuses(struct xt_conntrack_mtinfo3 *info, const char *arg) |
773 | -{ |
774 | - const char *comma; |
775 | - |
776 | - while ((comma = strchr(arg, ',')) != NULL) { |
777 | - if (comma == arg || !conntrack_ps_status(info, arg, comma - arg)) |
778 | - xtables_error(PARAMETER_PROBLEM, |
779 | - "Bad ctstatus \"%s\"", arg); |
780 | - arg = comma + 1; |
781 | - } |
782 | - |
783 | - if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg))) |
784 | - xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg); |
785 | -} |
786 | - |
787 | -static void conntrack_parse(struct xt_option_call *cb) |
788 | -{ |
789 | - struct xt_conntrack_info *sinfo = cb->data; |
790 | - |
791 | - xtables_option_parse(cb); |
792 | - switch (cb->entry->id) { |
793 | - case O_CTSTATE: |
794 | - parse_states(cb->arg, sinfo); |
795 | - if (cb->invert) |
796 | - sinfo->invflags |= XT_CONNTRACK_STATE; |
797 | - break; |
798 | - case O_CTPROTO: |
799 | - if (cb->invert) |
800 | - sinfo->invflags |= XT_CONNTRACK_PROTO; |
801 | - if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 |
802 | - && (sinfo->invflags & XT_INV_PROTO)) |
803 | - xtables_error(PARAMETER_PROBLEM, |
804 | - "rule would never match protocol"); |
805 | - |
806 | - sinfo->flags |= XT_CONNTRACK_PROTO; |
807 | - break; |
808 | - case O_CTORIGSRC: |
809 | - if (cb->invert) |
810 | - sinfo->invflags |= XT_CONNTRACK_ORIGSRC; |
811 | - sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = cb->val.haddr.ip; |
812 | - sinfo->flags |= XT_CONNTRACK_ORIGSRC; |
813 | - break; |
814 | - case O_CTORIGDST: |
815 | - if (cb->invert) |
816 | - sinfo->invflags |= XT_CONNTRACK_ORIGDST; |
817 | - sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = cb->val.haddr.ip; |
818 | - sinfo->flags |= XT_CONNTRACK_ORIGDST; |
819 | - break; |
820 | - case O_CTREPLSRC: |
821 | - if (cb->invert) |
822 | - sinfo->invflags |= XT_CONNTRACK_REPLSRC; |
823 | - sinfo->tuple[IP_CT_DIR_REPLY].src.ip = cb->val.haddr.ip; |
824 | - sinfo->flags |= XT_CONNTRACK_REPLSRC; |
825 | - break; |
826 | - case O_CTREPLDST: |
827 | - if (cb->invert) |
828 | - sinfo->invflags |= XT_CONNTRACK_REPLDST; |
829 | - sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = cb->val.haddr.ip; |
830 | - sinfo->flags |= XT_CONNTRACK_REPLDST; |
831 | - break; |
832 | - case O_CTSTATUS: |
833 | - parse_statuses(cb->arg, sinfo); |
834 | - if (cb->invert) |
835 | - sinfo->invflags |= XT_CONNTRACK_STATUS; |
836 | - sinfo->flags |= XT_CONNTRACK_STATUS; |
837 | - break; |
838 | - case O_CTEXPIRE: |
839 | - sinfo->expires_min = cb->val.u32_range[0]; |
840 | - sinfo->expires_max = cb->val.u32_range[0]; |
841 | - if (cb->nvals >= 2) |
842 | - sinfo->expires_max = cb->val.u32_range[1]; |
843 | - if (cb->invert) |
844 | - sinfo->invflags |= XT_CONNTRACK_EXPIRES; |
845 | - sinfo->flags |= XT_CONNTRACK_EXPIRES; |
846 | - break; |
847 | - } |
848 | -} |
849 | - |
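Review bot: in conntrack_parse(), the O_CTSTATE case only sets sinfo->invflags on inversion and never sets sinfo->flags |= XT_CONNTRACK_STATE, unlike every other case in the same switch, while matchinfo_print() emits ctstate only when that bit is set in sinfo->flags. These lines are being removed, so there is nothing to change in this copy, but the libxt_conntrack.c that the package builds after the merge should be checked for the same omission in its revision 0 path, so that a --ctstate rule parsed there is not missing from the output of conntrack_print() and conntrack_save().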
850 | -static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev) |
851 | -{ |
852 | - struct xt_conntrack_mtinfo3 *info = cb->data; |
853 | - |
854 | - xtables_option_parse(cb); |
855 | - switch (cb->entry->id) { |
856 | - case O_CTSTATE: |
857 | - conntrack_ps_states(info, cb->arg); |
858 | - info->match_flags |= XT_CONNTRACK_STATE; |
859 | - if (cb->invert) |
860 | - info->invert_flags |= XT_CONNTRACK_STATE; |
861 | - break; |
862 | - case O_CTPROTO: |
863 | - if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)) |
864 | - xtables_error(PARAMETER_PROBLEM, "conntrack: rule would " |
865 | - "never match protocol"); |
866 | - |
867 | - info->match_flags |= XT_CONNTRACK_PROTO; |
868 | - if (cb->invert) |
869 | - info->invert_flags |= XT_CONNTRACK_PROTO; |
870 | - break; |
871 | - case O_CTORIGSRC: |
872 | - info->origsrc_addr = cb->val.haddr; |
873 | - info->origsrc_mask = cb->val.hmask; |
874 | - info->match_flags |= XT_CONNTRACK_ORIGSRC; |
875 | - if (cb->invert) |
876 | - info->invert_flags |= XT_CONNTRACK_ORIGSRC; |
877 | - break; |
878 | - case O_CTORIGDST: |
879 | - info->origdst_addr = cb->val.haddr; |
880 | - info->origdst_mask = cb->val.hmask; |
881 | - info->match_flags |= XT_CONNTRACK_ORIGDST; |
882 | - if (cb->invert) |
883 | - info->invert_flags |= XT_CONNTRACK_ORIGDST; |
884 | - break; |
885 | - case O_CTREPLSRC: |
886 | - info->replsrc_addr = cb->val.haddr; |
887 | - info->replsrc_mask = cb->val.hmask; |
888 | - info->match_flags |= XT_CONNTRACK_REPLSRC; |
889 | - if (cb->invert) |
890 | - info->invert_flags |= XT_CONNTRACK_REPLSRC; |
891 | - break; |
892 | - case O_CTREPLDST: |
893 | - info->repldst_addr = cb->val.haddr; |
894 | - info->repldst_mask = cb->val.hmask; |
895 | - info->match_flags |= XT_CONNTRACK_REPLDST; |
896 | - if (cb->invert) |
897 | - info->invert_flags |= XT_CONNTRACK_REPLDST; |
898 | - break; |
899 | - case O_CTSTATUS: |
900 | - conntrack_ps_statuses(info, cb->arg); |
901 | - info->match_flags |= XT_CONNTRACK_STATUS; |
902 | - if (cb->invert) |
903 | - info->invert_flags |= XT_CONNTRACK_STATUS; |
904 | - break; |
905 | - case O_CTEXPIRE: |
906 | - info->expires_min = cb->val.u32_range[0]; |
907 | - info->expires_max = cb->val.u32_range[0]; |
908 | - if (cb->nvals >= 2) |
909 | - info->expires_max = cb->val.u32_range[1]; |
910 | - info->match_flags |= XT_CONNTRACK_EXPIRES; |
911 | - if (cb->invert) |
912 | - info->invert_flags |= XT_CONNTRACK_EXPIRES; |
913 | - break; |
914 | - case O_CTORIGSRCPORT: |
915 | - info->origsrc_port = cb->val.port_range[0]; |
916 | - info->origsrc_port_high = cb->val.port_range[cb->nvals >= 2]; |
917 | - info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT; |
918 | - if (cb->invert) |
919 | - info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT; |
920 | - break; |
921 | - case O_CTORIGDSTPORT: |
922 | - info->origdst_port = cb->val.port_range[0]; |
923 | - info->origdst_port_high = cb->val.port_range[cb->nvals >= 2]; |
924 | - info->match_flags |= XT_CONNTRACK_ORIGDST_PORT; |
925 | - if (cb->invert) |
926 | - info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT; |
927 | - break; |
928 | - case O_CTREPLSRCPORT: |
929 | - info->replsrc_port = cb->val.port_range[0]; |
930 | - info->replsrc_port_high = cb->val.port_range[cb->nvals >= 2]; |
931 | - info->match_flags |= XT_CONNTRACK_REPLSRC_PORT; |
932 | - if (cb->invert) |
933 | - info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT; |
934 | - break; |
935 | - case O_CTREPLDSTPORT: |
936 | - info->repldst_port = cb->val.port_range[0]; |
937 | - info->repldst_port_high = cb->val.port_range[cb->nvals >= 2]; |
938 | - info->match_flags |= XT_CONNTRACK_REPLDST_PORT; |
939 | - if (cb->invert) |
940 | - info->invert_flags |= XT_CONNTRACK_REPLDST_PORT; |
941 | - break; |
942 | - case O_CTDIR: |
943 | - if (strcasecmp(cb->arg, "ORIGINAL") == 0) { |
944 | - info->match_flags |= XT_CONNTRACK_DIRECTION; |
945 | - info->invert_flags &= ~XT_CONNTRACK_DIRECTION; |
946 | - } else if (strcasecmp(cb->arg, "REPLY") == 0) { |
947 | - info->match_flags |= XT_CONNTRACK_DIRECTION; |
948 | - info->invert_flags |= XT_CONNTRACK_DIRECTION; |
949 | - } else { |
950 | - xtables_param_act(XTF_BAD_VALUE, "conntrack", "--ctdir", cb->arg); |
951 | - } |
952 | - break; |
953 | - } |
954 | -} |
955 | - |
956 | -#define cinfo_transform(r, l) \ |
957 | - do { \ |
958 | - memcpy((r), (l), offsetof(typeof(*(l)), state_mask)); \ |
959 | - (r)->state_mask = (l)->state_mask; \ |
960 | - (r)->status_mask = (l)->status_mask; \ |
961 | - } while (false); |
962 | - |
963 | -static void conntrack1_mt_parse(struct xt_option_call *cb) |
964 | -{ |
965 | - struct xt_conntrack_mtinfo1 *info = cb->data; |
966 | - struct xt_conntrack_mtinfo3 up; |
967 | - |
968 | - memset(&up, 0, sizeof(up)); |
969 | - cinfo_transform(&up, info); |
970 | - up.origsrc_port_high = up.origsrc_port; |
971 | - up.origdst_port_high = up.origdst_port; |
972 | - up.replsrc_port_high = up.replsrc_port; |
973 | - up.repldst_port_high = up.repldst_port; |
974 | - cb->data = &up; |
975 | - conntrack_mt_parse(cb, 3); |
976 | - if (up.origsrc_port != up.origsrc_port_high || |
977 | - up.origdst_port != up.origdst_port_high || |
978 | - up.replsrc_port != up.replsrc_port_high || |
979 | - up.repldst_port != up.repldst_port_high) |
980 | - xtables_error(PARAMETER_PROBLEM, |
981 | - "conntrack rev 1 does not support port ranges"); |
982 | - cinfo_transform(info, &up); |
983 | - cb->data = info; |
984 | -} |
985 | - |
986 | -static void conntrack2_mt_parse(struct xt_option_call *cb) |
987 | -{ |
988 | -#define cinfo2_transform(r, l) \ |
989 | - memcpy((r), (l), offsetof(typeof(*(l)), sizeof(*info)); |
990 | - |
991 | - struct xt_conntrack_mtinfo2 *info = cb->data; |
992 | - struct xt_conntrack_mtinfo3 up; |
993 | - |
994 | - memset(&up, 0, sizeof(up)); |
995 | - memcpy(&up, info, sizeof(*info)); |
996 | - up.origsrc_port_high = up.origsrc_port; |
997 | - up.origdst_port_high = up.origdst_port; |
998 | - up.replsrc_port_high = up.replsrc_port; |
999 | - up.repldst_port_high = up.repldst_port; |
1000 | - cb->data = &up; |
1001 | - conntrack_mt_parse(cb, 3); |
1002 | - if (up.origsrc_port != up.origsrc_port_high || |
1003 | - up.origdst_port != up.origdst_port_high || |
1004 | - up.replsrc_port != up.replsrc_port_high || |
1005 | - up.repldst_port != up.repldst_port_high) |
1006 | - xtables_error(PARAMETER_PROBLEM, |
1007 | - "conntrack rev 2 does not support port ranges"); |
1008 | - memcpy(info, &up, sizeof(*info)); |
1009 | - cb->data = info; |
1010 | -#undef cinfo2_transform |
1011 | -} |
1012 | - |
1013 | -static void conntrack3_mt_parse(struct xt_option_call *cb) |
1014 | -{ |
1015 | - conntrack_mt_parse(cb, 3); |
1016 | -} |
1017 | - |
1018 | -static void conntrack_mt_check(struct xt_fcheck_call *cb) |
1019 | -{ |
1020 | - if (cb->xflags == 0) |
1021 | - xtables_error(PARAMETER_PROBLEM, "conntrack: At least one option " |
1022 | - "is required"); |
1023 | -} |
1024 | - |
1025 | -static void |
1026 | -print_state(unsigned int statemask) |
1027 | -{ |
1028 | - const char *sep = " "; |
1029 | - |
1030 | - if (statemask & XT_CONNTRACK_STATE_INVALID) { |
1031 | - printf("%sINVALID", sep); |
1032 | - sep = ","; |
1033 | - } |
1034 | - if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) { |
1035 | - printf("%sNEW", sep); |
1036 | - sep = ","; |
1037 | - } |
1038 | - if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) { |
1039 | - printf("%sRELATED", sep); |
1040 | - sep = ","; |
1041 | - } |
1042 | - if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) { |
1043 | - printf("%sESTABLISHED", sep); |
1044 | - sep = ","; |
1045 | - } |
1046 | - if (statemask & XT_CONNTRACK_STATE_UNTRACKED) { |
1047 | - printf("%sUNTRACKED", sep); |
1048 | - sep = ","; |
1049 | - } |
1050 | - if (statemask & XT_CONNTRACK_STATE_SNAT) { |
1051 | - printf("%sSNAT", sep); |
1052 | - sep = ","; |
1053 | - } |
1054 | - if (statemask & XT_CONNTRACK_STATE_DNAT) { |
1055 | - printf("%sDNAT", sep); |
1056 | - sep = ","; |
1057 | - } |
1058 | -} |
1059 | - |
1060 | -static void |
1061 | -print_status(unsigned int statusmask) |
1062 | -{ |
1063 | - const char *sep = " "; |
1064 | - |
1065 | - if (statusmask & IPS_EXPECTED) { |
1066 | - printf("%sEXPECTED", sep); |
1067 | - sep = ","; |
1068 | - } |
1069 | - if (statusmask & IPS_SEEN_REPLY) { |
1070 | - printf("%sSEEN_REPLY", sep); |
1071 | - sep = ","; |
1072 | - } |
1073 | - if (statusmask & IPS_ASSURED) { |
1074 | - printf("%sASSURED", sep); |
1075 | - sep = ","; |
1076 | - } |
1077 | - if (statusmask & IPS_CONFIRMED) { |
1078 | - printf("%sCONFIRMED", sep); |
1079 | - sep = ","; |
1080 | - } |
1081 | - if (statusmask == 0) |
1082 | - printf("%sNONE", sep); |
1083 | -} |
1084 | - |
1085 | -static void |
1086 | -conntrack_dump_addr(const union nf_inet_addr *addr, |
1087 | - const union nf_inet_addr *mask, |
1088 | - unsigned int family, bool numeric) |
1089 | -{ |
1090 | - if (family == NFPROTO_IPV4) { |
1091 | - if (!numeric && addr->ip == 0) { |
1092 | - printf(" anywhere"); |
1093 | - return; |
1094 | - } |
1095 | - if (numeric) |
1096 | - printf(" %s%s", |
1097 | - xtables_ipaddr_to_numeric(&addr->in), |
1098 | - xtables_ipmask_to_numeric(&mask->in)); |
1099 | - else |
1100 | - printf(" %s%s", |
1101 | - xtables_ipaddr_to_anyname(&addr->in), |
1102 | - xtables_ipmask_to_numeric(&mask->in)); |
1103 | - } else if (family == NFPROTO_IPV6) { |
1104 | - if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && |
1105 | - addr->ip6[2] == 0 && addr->ip6[3] == 0) { |
1106 | - printf(" anywhere"); |
1107 | - return; |
1108 | - } |
1109 | - if (numeric) |
1110 | - printf(" %s%s", |
1111 | - xtables_ip6addr_to_numeric(&addr->in6), |
1112 | - xtables_ip6mask_to_numeric(&mask->in6)); |
1113 | - else |
1114 | - printf(" %s%s", |
1115 | - xtables_ip6addr_to_anyname(&addr->in6), |
1116 | - xtables_ip6mask_to_numeric(&mask->in6)); |
1117 | - } |
1118 | -} |
1119 | - |
1120 | -static void |
1121 | -print_addr(const struct in_addr *addr, const struct in_addr *mask, |
1122 | - int inv, int numeric) |
1123 | -{ |
1124 | - char buf[BUFSIZ]; |
1125 | - |
1126 | - if (inv) |
1127 | - printf(" !"); |
1128 | - |
1129 | - if (mask->s_addr == 0L && !numeric) |
1130 | - printf(" %s", "anywhere"); |
1131 | - else { |
1132 | - if (numeric) |
1133 | - strcpy(buf, xtables_ipaddr_to_numeric(addr)); |
1134 | - else |
1135 | - strcpy(buf, xtables_ipaddr_to_anyname(addr)); |
1136 | - strcat(buf, xtables_ipmask_to_numeric(mask)); |
1137 | - printf(" %s", buf); |
1138 | - } |
1139 | -} |
1140 | - |
1141 | -static void |
1142 | -matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx) |
1143 | -{ |
1144 | - const struct xt_conntrack_info *sinfo = (const void *)match->data; |
1145 | - |
1146 | - if(sinfo->flags & XT_CONNTRACK_STATE) { |
1147 | - if (sinfo->invflags & XT_CONNTRACK_STATE) |
1148 | - printf(" !"); |
1149 | - printf(" %sctstate", optpfx); |
1150 | - print_state(sinfo->statemask); |
1151 | - } |
1152 | - |
1153 | - if(sinfo->flags & XT_CONNTRACK_PROTO) { |
1154 | - if (sinfo->invflags & XT_CONNTRACK_PROTO) |
1155 | - printf(" !"); |
1156 | - printf(" %sctproto", optpfx); |
1157 | - printf(" %u", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum); |
1158 | - } |
1159 | - |
1160 | - if(sinfo->flags & XT_CONNTRACK_ORIGSRC) { |
1161 | - if (sinfo->invflags & XT_CONNTRACK_ORIGSRC) |
1162 | - printf(" !"); |
1163 | - printf(" %sctorigsrc", optpfx); |
1164 | - |
1165 | - print_addr( |
1166 | - (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, |
1167 | - &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], |
1168 | - false, |
1169 | - numeric); |
1170 | - } |
1171 | - |
1172 | - if(sinfo->flags & XT_CONNTRACK_ORIGDST) { |
1173 | - if (sinfo->invflags & XT_CONNTRACK_ORIGDST) |
1174 | - printf(" !"); |
1175 | - printf(" %sctorigdst", optpfx); |
1176 | - |
1177 | - print_addr( |
1178 | - (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, |
1179 | - &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], |
1180 | - false, |
1181 | - numeric); |
1182 | - } |
1183 | - |
1184 | - if(sinfo->flags & XT_CONNTRACK_REPLSRC) { |
1185 | - if (sinfo->invflags & XT_CONNTRACK_REPLSRC) |
1186 | - printf(" !"); |
1187 | - printf(" %sctreplsrc", optpfx); |
1188 | - |
1189 | - print_addr( |
1190 | - (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip, |
1191 | - &sinfo->sipmsk[IP_CT_DIR_REPLY], |
1192 | - false, |
1193 | - numeric); |
1194 | - } |
1195 | - |
1196 | - if(sinfo->flags & XT_CONNTRACK_REPLDST) { |
1197 | - if (sinfo->invflags & XT_CONNTRACK_REPLDST) |
1198 | - printf(" !"); |
1199 | - printf(" %sctrepldst", optpfx); |
1200 | - |
1201 | - print_addr( |
1202 | - (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, |
1203 | - &sinfo->dipmsk[IP_CT_DIR_REPLY], |
1204 | - false, |
1205 | - numeric); |
1206 | - } |
1207 | - |
1208 | - if(sinfo->flags & XT_CONNTRACK_STATUS) { |
1209 | - if (sinfo->invflags & XT_CONNTRACK_STATUS) |
1210 | - printf(" !"); |
1211 | - printf(" %sctstatus", optpfx); |
1212 | - print_status(sinfo->statusmask); |
1213 | - } |
1214 | - |
1215 | - if(sinfo->flags & XT_CONNTRACK_EXPIRES) { |
1216 | - if (sinfo->invflags & XT_CONNTRACK_EXPIRES) |
1217 | - printf(" !"); |
1218 | - printf(" %sctexpire ", optpfx); |
1219 | - |
1220 | - if (sinfo->expires_max == sinfo->expires_min) |
1221 | - printf("%lu", sinfo->expires_min); |
1222 | - else |
1223 | - printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max); |
1224 | - } |
1225 | - |
1226 | - if (sinfo->flags & XT_CONNTRACK_DIRECTION) { |
1227 | - if (sinfo->invflags & XT_CONNTRACK_DIRECTION) |
1228 | - printf(" %sctdir REPLY", optpfx); |
1229 | - else |
1230 | - printf(" %sctdir ORIGINAL", optpfx); |
1231 | - } |
1232 | - |
1233 | -} |
1234 | - |
1235 | -static void |
1236 | -conntrack_dump_ports(const char *prefix, const char *opt, |
1237 | - u_int16_t port_low, u_int16_t port_high) |
1238 | -{ |
1239 | - if (port_high == 0 || port_low == port_high) |
1240 | - printf(" %s%s %u", prefix, opt, port_low); |
1241 | - else |
1242 | - printf(" %s%s %u:%u", prefix, opt, port_low, port_high); |
1243 | -} |
1244 | - |
1245 | -static void |
1246 | -conntrack_dump(const struct xt_conntrack_mtinfo3 *info, const char *prefix, |
1247 | - unsigned int family, bool numeric, bool v3) |
1248 | -{ |
1249 | - if (info->match_flags & XT_CONNTRACK_STATE) { |
1250 | - if (info->invert_flags & XT_CONNTRACK_STATE) |
1251 | - printf(" !"); |
1252 | - printf(" %sctstate", prefix); |
1253 | - print_state(info->state_mask); |
1254 | - } |
1255 | - |
1256 | - if (info->match_flags & XT_CONNTRACK_PROTO) { |
1257 | - if (info->invert_flags & XT_CONNTRACK_PROTO) |
1258 | - printf(" !"); |
1259 | - printf(" %sctproto %u", prefix, info->l4proto); |
1260 | - } |
1261 | - |
1262 | - if (info->match_flags & XT_CONNTRACK_ORIGSRC) { |
1263 | - if (info->invert_flags & XT_CONNTRACK_ORIGSRC) |
1264 | - printf(" !"); |
1265 | - printf(" %sctorigsrc", prefix); |
1266 | - conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask, |
1267 | - family, numeric); |
1268 | - } |
1269 | - |
1270 | - if (info->match_flags & XT_CONNTRACK_ORIGDST) { |
1271 | - if (info->invert_flags & XT_CONNTRACK_ORIGDST) |
1272 | - printf(" !"); |
1273 | - printf(" %sctorigdst", prefix); |
1274 | - conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask, |
1275 | - family, numeric); |
1276 | - } |
1277 | - |
1278 | - if (info->match_flags & XT_CONNTRACK_REPLSRC) { |
1279 | - if (info->invert_flags & XT_CONNTRACK_REPLSRC) |
1280 | - printf(" !"); |
1281 | - printf(" %sctreplsrc", prefix); |
1282 | - conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask, |
1283 | - family, numeric); |
1284 | - } |
1285 | - |
1286 | - if (info->match_flags & XT_CONNTRACK_REPLDST) { |
1287 | - if (info->invert_flags & XT_CONNTRACK_REPLDST) |
1288 | - printf(" !"); |
1289 | - printf(" %sctrepldst", prefix); |
1290 | - conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask, |
1291 | - family, numeric); |
1292 | - } |
1293 | - |
1294 | - if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) { |
1295 | - if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT) |
1296 | - printf(" !"); |
1297 | - conntrack_dump_ports(prefix, "ctorigsrcport", |
1298 | - v3 ? info->origsrc_port : ntohs(info->origsrc_port), |
1299 | - v3 ? info->origsrc_port_high : 0); |
1300 | - } |
1301 | - |
1302 | - if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) { |
1303 | - if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT) |
1304 | - printf(" !"); |
1305 | - conntrack_dump_ports(prefix, "ctorigdstport", |
1306 | - v3 ? info->origdst_port : ntohs(info->origdst_port), |
1307 | - v3 ? info->origdst_port_high : 0); |
1308 | - } |
1309 | - |
1310 | - if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) { |
1311 | - if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT) |
1312 | - printf(" !"); |
1313 | - conntrack_dump_ports(prefix, "ctreplsrcport", |
1314 | - v3 ? info->replsrc_port : ntohs(info->replsrc_port), |
1315 | - v3 ? info->replsrc_port_high : 0); |
1316 | - } |
1317 | - |
1318 | - if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) { |
1319 | - if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT) |
1320 | - printf(" !"); |
1321 | - conntrack_dump_ports(prefix, "ctrepldstport", |
1322 | - v3 ? info->repldst_port : ntohs(info->repldst_port), |
1323 | - v3 ? info->repldst_port_high : 0); |
1324 | - } |
1325 | - |
1326 | - if (info->match_flags & XT_CONNTRACK_STATUS) { |
1327 | - if (info->invert_flags & XT_CONNTRACK_STATUS) |
1328 | - printf(" !"); |
1329 | - printf(" %sctstatus", prefix); |
1330 | - print_status(info->status_mask); |
1331 | - } |
1332 | - |
1333 | - if (info->match_flags & XT_CONNTRACK_EXPIRES) { |
1334 | - if (info->invert_flags & XT_CONNTRACK_EXPIRES) |
1335 | - printf(" !"); |
1336 | - printf(" %sctexpire ", prefix); |
1337 | - |
1338 | - if (info->expires_max == info->expires_min) |
1339 | - printf("%u", (unsigned int)info->expires_min); |
1340 | - else |
1341 | - printf("%u:%u", (unsigned int)info->expires_min, |
1342 | - (unsigned int)info->expires_max); |
1343 | - } |
1344 | - |
1345 | - if (info->match_flags & XT_CONNTRACK_DIRECTION) { |
1346 | - if (info->invert_flags & XT_CONNTRACK_DIRECTION) |
1347 | - printf(" %sctdir REPLY", prefix); |
1348 | - else |
1349 | - printf(" %sctdir ORIGINAL", prefix); |
1350 | - } |
1351 | -} |
1352 | - |
1353 | -static void conntrack_print(const void *ip, const struct xt_entry_match *match, |
1354 | - int numeric) |
1355 | -{ |
1356 | - matchinfo_print(ip, match, numeric, ""); |
1357 | -} |
1358 | - |
1359 | -static void |
1360 | -conntrack1_mt4_print(const void *ip, const struct xt_entry_match *match, |
1361 | - int numeric) |
1362 | -{ |
1363 | - const struct xt_conntrack_mtinfo1 *info = (void *)match->data; |
1364 | - struct xt_conntrack_mtinfo3 up; |
1365 | - |
1366 | - cinfo_transform(&up, info); |
1367 | - conntrack_dump(&up, "", NFPROTO_IPV4, numeric, false); |
1368 | -} |
1369 | - |
1370 | -static void |
1371 | -conntrack1_mt6_print(const void *ip, const struct xt_entry_match *match, |
1372 | - int numeric) |
1373 | -{ |
1374 | - const struct xt_conntrack_mtinfo1 *info = (void *)match->data; |
1375 | - struct xt_conntrack_mtinfo3 up; |
1376 | - |
1377 | - cinfo_transform(&up, info); |
1378 | - conntrack_dump(&up, "", NFPROTO_IPV6, numeric, false); |
1379 | -} |
1380 | - |
1381 | -static void |
1382 | -conntrack2_mt_print(const void *ip, const struct xt_entry_match *match, |
1383 | - int numeric) |
1384 | -{ |
1385 | - conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric, false); |
1386 | -} |
1387 | - |
1388 | -static void |
1389 | -conntrack2_mt6_print(const void *ip, const struct xt_entry_match *match, |
1390 | - int numeric) |
1391 | -{ |
1392 | - conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric, false); |
1393 | -} |
1394 | - |
1395 | -static void |
1396 | -conntrack3_mt_print(const void *ip, const struct xt_entry_match *match, |
1397 | - int numeric) |
1398 | -{ |
1399 | - conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric, true); |
1400 | -} |
1401 | - |
1402 | -static void |
1403 | -conntrack3_mt6_print(const void *ip, const struct xt_entry_match *match, |
1404 | - int numeric) |
1405 | -{ |
1406 | - conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric, true); |
1407 | -} |
1408 | - |
1409 | -static void conntrack_save(const void *ip, const struct xt_entry_match *match) |
1410 | -{ |
1411 | - matchinfo_print(ip, match, 1, "--"); |
1412 | -} |
1413 | - |
1414 | -static void conntrack3_mt_save(const void *ip, |
1415 | - const struct xt_entry_match *match) |
1416 | -{ |
1417 | - conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true, true); |
1418 | -} |
1419 | - |
1420 | -static void conntrack3_mt6_save(const void *ip, |
1421 | - const struct xt_entry_match *match) |
1422 | -{ |
1423 | - conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true, true); |
1424 | -} |
1425 | - |
1426 | -static void conntrack2_mt_save(const void *ip, |
1427 | - const struct xt_entry_match *match) |
1428 | -{ |
1429 | - conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true, false); |
1430 | -} |
1431 | - |
1432 | -static void conntrack2_mt6_save(const void *ip, |
1433 | - const struct xt_entry_match *match) |
1434 | -{ |
1435 | - conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true, false); |
1436 | -} |
1437 | - |
1438 | -static void |
1439 | -conntrack1_mt4_save(const void *ip, const struct xt_entry_match *match) |
1440 | -{ |
1441 | - const struct xt_conntrack_mtinfo1 *info = (void *)match->data; |
1442 | - struct xt_conntrack_mtinfo3 up; |
1443 | - |
1444 | - cinfo_transform(&up, info); |
1445 | - conntrack_dump(&up, "--", NFPROTO_IPV4, true, false); |
1446 | -} |
1447 | - |
1448 | -static void |
1449 | -conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match) |
1450 | -{ |
1451 | - const struct xt_conntrack_mtinfo1 *info = (void *)match->data; |
1452 | - struct xt_conntrack_mtinfo3 up; |
1453 | - |
1454 | - cinfo_transform(&up, info); |
1455 | - conntrack_dump(&up, "--", NFPROTO_IPV6, true, false); |
1456 | -} |
1457 | - |
1458 | -static struct xtables_match conntrack_mt_reg[] = { |
1459 | - { |
1460 | - .version = XTABLES_VERSION, |
1461 | - .name = "conntrack", |
1462 | - .revision = 0, |
1463 | - .family = NFPROTO_IPV4, |
1464 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), |
1465 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), |
1466 | - .help = conntrack_mt_help, |
1467 | - .x6_parse = conntrack_parse, |
1468 | - .x6_fcheck = conntrack_mt_check, |
1469 | - .print = conntrack_print, |
1470 | - .save = conntrack_save, |
1471 | - .x6_options = conntrack_mt_opts_v0, |
1472 | - }, |
1473 | - { |
1474 | - .version = XTABLES_VERSION, |
1475 | - .name = "conntrack", |
1476 | - .revision = 1, |
1477 | - .family = NFPROTO_IPV4, |
1478 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), |
1479 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), |
1480 | - .help = conntrack_mt_help, |
1481 | - .x6_parse = conntrack1_mt_parse, |
1482 | - .x6_fcheck = conntrack_mt_check, |
1483 | - .print = conntrack1_mt4_print, |
1484 | - .save = conntrack1_mt4_save, |
1485 | - .x6_options = conntrack2_mt_opts, |
1486 | - }, |
1487 | - { |
1488 | - .version = XTABLES_VERSION, |
1489 | - .name = "conntrack", |
1490 | - .revision = 1, |
1491 | - .family = NFPROTO_IPV6, |
1492 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), |
1493 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), |
1494 | - .help = conntrack_mt_help, |
1495 | - .x6_parse = conntrack1_mt_parse, |
1496 | - .x6_fcheck = conntrack_mt_check, |
1497 | - .print = conntrack1_mt6_print, |
1498 | - .save = conntrack1_mt6_save, |
1499 | - .x6_options = conntrack2_mt_opts, |
1500 | - }, |
1501 | - { |
1502 | - .version = XTABLES_VERSION, |
1503 | - .name = "conntrack", |
1504 | - .revision = 2, |
1505 | - .family = NFPROTO_IPV4, |
1506 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), |
1507 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), |
1508 | - .help = conntrack_mt_help, |
1509 | - .x6_parse = conntrack2_mt_parse, |
1510 | - .x6_fcheck = conntrack_mt_check, |
1511 | - .print = conntrack2_mt_print, |
1512 | - .save = conntrack2_mt_save, |
1513 | - .x6_options = conntrack2_mt_opts, |
1514 | - }, |
1515 | - { |
1516 | - .version = XTABLES_VERSION, |
1517 | - .name = "conntrack", |
1518 | - .revision = 2, |
1519 | - .family = NFPROTO_IPV6, |
1520 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), |
1521 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), |
1522 | - .help = conntrack_mt_help, |
1523 | - .x6_parse = conntrack2_mt_parse, |
1524 | - .x6_fcheck = conntrack_mt_check, |
1525 | - .print = conntrack2_mt6_print, |
1526 | - .save = conntrack2_mt6_save, |
1527 | - .x6_options = conntrack2_mt_opts, |
1528 | - }, |
1529 | - { |
1530 | - .version = XTABLES_VERSION, |
1531 | - .name = "conntrack", |
1532 | - .revision = 3, |
1533 | - .family = NFPROTO_IPV4, |
1534 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), |
1535 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), |
1536 | - .help = conntrack_mt_help, |
1537 | - .x6_parse = conntrack3_mt_parse, |
1538 | - .x6_fcheck = conntrack_mt_check, |
1539 | - .print = conntrack3_mt_print, |
1540 | - .save = conntrack3_mt_save, |
1541 | - .x6_options = conntrack3_mt_opts, |
1542 | - }, |
1543 | - { |
1544 | - .version = XTABLES_VERSION, |
1545 | - .name = "conntrack", |
1546 | - .revision = 3, |
1547 | - .family = NFPROTO_IPV6, |
1548 | - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), |
1549 | - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)), |
1550 | - .help = conntrack_mt_help, |
1551 | - .x6_parse = conntrack3_mt_parse, |
1552 | - .x6_fcheck = conntrack_mt_check, |
1553 | - .print = conntrack3_mt6_print, |
1554 | - .save = conntrack3_mt6_save, |
1555 | - .x6_options = conntrack3_mt_opts, |
1556 | - }, |
1557 | -}; |
1558 | - |
1559 | -void _init(void) |
1560 | -{ |
1561 | - xtables_register_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg)); |
1562 | -} |
1563 | |
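Review bot: the conntrack_mt_reg table removed at the end of this hunk registers revision 0 for NFPROTO_IPV4 only and revisions 1, 2 and 3 for both NFPROTO_IPV4 and NFPROTO_IPV6, each with its own .size, .print and .save. Before this copy goes away, please confirm that the libxt_conntrack.c arriving with the new upstream version still registers every one of these revisions. Userspace selects the highest revision the running kernel supports, so a missing older entry would leave hosts on older kernels unable to load rules that use -m conntrack. A sentence in debian/changelog stating that this was checked would be enough.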
1564 | === removed directory '.pc/9004-argv-is-null.patch' |
1565 | === removed directory '.pc/9004-argv-is-null.patch/iptables' |
1566 | === removed file '.pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c' |
1567 | --- .pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c 2012-07-20 15:45:01 +0000 |
1568 | +++ .pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c 1970-01-01 00:00:00 +0000 |
1569 | @@ -1,465 +0,0 @@ |
1570 | -/* Code to restore the iptables state, from file by ip6tables-save. |
1571 | - * Author: Andras Kis-Szabo <kisza@sch.bme.hu> |
1572 | - * |
1573 | - * based on iptables-restore |
1574 | - * Authors: |
1575 | - * Harald Welte <laforge@gnumonks.org> |
1576 | - * Rusty Russell <rusty@linuxcare.com.au> |
1577 | - * This code is distributed under the terms of GNU GPL v2 |
1578 | - */ |
1579 | - |
1580 | -#include <getopt.h> |
1581 | -#include <sys/errno.h> |
1582 | -#include <stdbool.h> |
1583 | -#include <string.h> |
1584 | -#include <stdio.h> |
1585 | -#include <stdlib.h> |
1586 | -#include "ip6tables.h" |
1587 | -#include "xtables.h" |
1588 | -#include "libiptc/libip6tc.h" |
1589 | -#include "ip6tables-multi.h" |
1590 | - |
1591 | -#ifdef DEBUG |
1592 | -#define DEBUGP(x, args...) fprintf(stderr, x, ## args) |
1593 | -#else |
1594 | -#define DEBUGP(x, args...) |
1595 | -#endif |
1596 | - |
1597 | -static int binary = 0, counters = 0, verbose = 0, noflush = 0; |
1598 | - |
1599 | -/* Keeping track of external matches and targets. */ |
1600 | -static const struct option options[] = { |
1601 | - {.name = "binary", .has_arg = false, .val = 'b'}, |
1602 | - {.name = "counters", .has_arg = false, .val = 'c'}, |
1603 | - {.name = "verbose", .has_arg = false, .val = 'v'}, |
1604 | - {.name = "test", .has_arg = false, .val = 't'}, |
1605 | - {.name = "help", .has_arg = false, .val = 'h'}, |
1606 | - {.name = "noflush", .has_arg = false, .val = 'n'}, |
1607 | - {.name = "modprobe", .has_arg = true, .val = 'M'}, |
1608 | - {NULL}, |
1609 | -}; |
1610 | - |
1611 | -static void print_usage(const char *name, const char *version) __attribute__((noreturn)); |
1612 | - |
1613 | -static void print_usage(const char *name, const char *version) |
1614 | -{ |
1615 | - fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" |
1616 | - " [ --binary ]\n" |
1617 | - " [ --counters ]\n" |
1618 | - " [ --verbose ]\n" |
1619 | - " [ --test ]\n" |
1620 | - " [ --help ]\n" |
1621 | - " [ --noflush ]\n" |
1622 | - " [ --modprobe=<command>]\n", name); |
1623 | - |
1624 | - exit(1); |
1625 | -} |
1626 | - |
1627 | -static struct ip6tc_handle *create_handle(const char *tablename) |
1628 | -{ |
1629 | - struct ip6tc_handle *handle; |
1630 | - |
1631 | - handle = ip6tc_init(tablename); |
1632 | - |
1633 | - if (!handle) { |
1634 | - /* try to insmod the module if iptc_init failed */ |
1635 | - xtables_load_ko(xtables_modprobe_program, false); |
1636 | - handle = ip6tc_init(tablename); |
1637 | - } |
1638 | - |
1639 | - if (!handle) { |
1640 | - xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " |
1641 | - "table '%s'\n", ip6tables_globals.program_name, |
1642 | - tablename); |
1643 | - exit(1); |
1644 | - } |
1645 | - return handle; |
1646 | -} |
1647 | - |
1648 | -static int parse_counters(char *string, struct ip6t_counters *ctr) |
1649 | -{ |
1650 | - unsigned long long pcnt, bcnt; |
1651 | - int ret; |
1652 | - |
1653 | - ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt); |
1654 | - ctr->pcnt = pcnt; |
1655 | - ctr->bcnt = bcnt; |
1656 | - return ret == 2; |
1657 | -} |
1658 | - |
1659 | -/* global new argv and argc */ |
1660 | -static char *newargv[255]; |
1661 | -static int newargc; |
1662 | - |
1663 | -/* function adding one argument to newargv, updating newargc |
1664 | - * returns true if argument added, false otherwise */ |
1665 | -static int add_argv(char *what) { |
1666 | - DEBUGP("add_argv: %s\n", what); |
1667 | - if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
1668 | - newargv[newargc] = strdup(what); |
1669 | - newargc++; |
1670 | - return 1; |
1671 | - } else { |
1672 | - xtables_error(PARAMETER_PROBLEM, |
1673 | - "Parser cannot handle more arguments\n"); |
1674 | - return 0; |
1675 | - } |
1676 | -} |
1677 | - |
1678 | -static void free_argv(void) { |
1679 | - int i; |
1680 | - |
1681 | - for (i = 0; i < newargc; i++) |
1682 | - free(newargv[i]); |
1683 | -} |
1684 | - |
1685 | -#ifdef IPTABLES_MULTI |
1686 | -int ip6tables_restore_main(int argc, char *argv[]) |
1687 | -#else |
1688 | -int main(int argc, char *argv[]) |
1689 | -#endif |
1690 | -{ |
1691 | - struct ip6tc_handle *handle = NULL; |
1692 | - char buffer[10240]; |
1693 | - int c; |
1694 | - char curtable[IP6T_TABLE_MAXNAMELEN + 1]; |
1695 | - FILE *in; |
1696 | - int in_table = 0, testing = 0; |
1697 | - |
1698 | - line = 0; |
1699 | - |
1700 | - ip6tables_globals.program_name = "ip6tables-restore"; |
1701 | - c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); |
1702 | - if (c < 0) { |
1703 | - fprintf(stderr, "%s/%s Failed to initialize xtables\n", |
1704 | - ip6tables_globals.program_name, |
1705 | - ip6tables_globals.program_version); |
1706 | - exit(1); |
1707 | - } |
1708 | -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) |
1709 | - init_extensions(); |
1710 | - init_extensions6(); |
1711 | -#endif |
1712 | - |
1713 | - while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) { |
1714 | - switch (c) { |
1715 | - case 'b': |
1716 | - binary = 1; |
1717 | - break; |
1718 | - case 'c': |
1719 | - counters = 1; |
1720 | - break; |
1721 | - case 'v': |
1722 | - verbose = 1; |
1723 | - break; |
1724 | - case 't': |
1725 | - testing = 1; |
1726 | - break; |
1727 | - case 'h': |
1728 | - print_usage("ip6tables-restore", |
1729 | - IPTABLES_VERSION); |
1730 | - break; |
1731 | - case 'n': |
1732 | - noflush = 1; |
1733 | - break; |
1734 | - case 'M': |
1735 | - xtables_modprobe_program = optarg; |
1736 | - break; |
1737 | - } |
1738 | - } |
1739 | - |
1740 | - if (optind == argc - 1) { |
1741 | - in = fopen(argv[optind], "re"); |
1742 | - if (!in) { |
1743 | - fprintf(stderr, "Can't open %s: %s\n", argv[optind], |
1744 | - strerror(errno)); |
1745 | - exit(1); |
1746 | - } |
1747 | - } |
1748 | - else if (optind < argc) { |
1749 | - fprintf(stderr, "Unknown arguments found on commandline\n"); |
1750 | - exit(1); |
1751 | - } |
1752 | - else in = stdin; |
1753 | - |
1754 | - /* Grab standard input. */ |
1755 | - while (fgets(buffer, sizeof(buffer), in)) { |
1756 | - int ret = 0; |
1757 | - |
1758 | - line++; |
1759 | - if (buffer[0] == '\n') |
1760 | - continue; |
1761 | - else if (buffer[0] == '#') { |
1762 | - if (verbose) |
1763 | - fputs(buffer, stdout); |
1764 | - continue; |
1765 | - } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) { |
1766 | - if (!testing) { |
1767 | - DEBUGP("Calling commit\n"); |
1768 | - ret = ip6tc_commit(handle); |
1769 | - ip6tc_free(handle); |
1770 | - handle = NULL; |
1771 | - } else { |
1772 | - DEBUGP("Not calling commit, testing\n"); |
1773 | - ret = 1; |
1774 | - } |
1775 | - in_table = 0; |
1776 | - } else if ((buffer[0] == '*') && (!in_table)) { |
1777 | - /* New table */ |
1778 | - char *table; |
1779 | - |
1780 | - table = strtok(buffer+1, " \t\n"); |
1781 | - DEBUGP("line %u, table '%s'\n", line, table); |
1782 | - if (!table) { |
1783 | - xtables_error(PARAMETER_PROBLEM, |
1784 | - "%s: line %u table name invalid\n", |
1785 | - ip6tables_globals.program_name, |
1786 | - line); |
1787 | - exit(1); |
1788 | - } |
1789 | - strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN); |
1790 | - curtable[IP6T_TABLE_MAXNAMELEN] = '\0'; |
1791 | - |
1792 | - if (handle) |
1793 | - ip6tc_free(handle); |
1794 | - |
1795 | - handle = create_handle(table); |
1796 | - if (noflush == 0) { |
1797 | - DEBUGP("Cleaning all chains of table '%s'\n", |
1798 | - table); |
1799 | - for_each_chain6(flush_entries6, verbose, 1, |
1800 | - handle); |
1801 | - |
1802 | - DEBUGP("Deleting all user-defined chains " |
1803 | - "of table '%s'\n", table); |
1804 | - for_each_chain6(delete_chain6, verbose, 0, |
1805 | - handle); |
1806 | - } |
1807 | - |
1808 | - ret = 1; |
1809 | - in_table = 1; |
1810 | - |
1811 | - } else if ((buffer[0] == ':') && (in_table)) { |
1812 | - /* New chain. */ |
1813 | - char *policy, *chain; |
1814 | - |
1815 | - chain = strtok(buffer+1, " \t\n"); |
1816 | - DEBUGP("line %u, chain '%s'\n", line, chain); |
1817 | - if (!chain) { |
1818 | - xtables_error(PARAMETER_PROBLEM, |
1819 | - "%s: line %u chain name invalid\n", |
1820 | - ip6tables_globals.program_name, |
1821 | - line); |
1822 | - exit(1); |
1823 | - } |
1824 | - |
1825 | - if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) |
1826 | - xtables_error(PARAMETER_PROBLEM, |
1827 | - "Invalid chain name `%s' " |
1828 | - "(%u chars max)", |
1829 | - chain, XT_EXTENSION_MAXNAMELEN - 1); |
1830 | - |
1831 | - if (ip6tc_builtin(chain, handle) <= 0) { |
1832 | - if (noflush && ip6tc_is_chain(chain, handle)) { |
1833 | - DEBUGP("Flushing existing user defined chain '%s'\n", chain); |
1834 | - if (!ip6tc_flush_entries(chain, handle)) |
1835 | - xtables_error(PARAMETER_PROBLEM, |
1836 | - "error flushing chain " |
1837 | - "'%s':%s\n", chain, |
1838 | - strerror(errno)); |
1839 | - } else { |
1840 | - DEBUGP("Creating new chain '%s'\n", chain); |
1841 | - if (!ip6tc_create_chain(chain, handle)) |
1842 | - xtables_error(PARAMETER_PROBLEM, |
1843 | - "error creating chain " |
1844 | - "'%s':%s\n", chain, |
1845 | - strerror(errno)); |
1846 | - } |
1847 | - } |
1848 | - |
1849 | - policy = strtok(NULL, " \t\n"); |
1850 | - DEBUGP("line %u, policy '%s'\n", line, policy); |
1851 | - if (!policy) { |
1852 | - xtables_error(PARAMETER_PROBLEM, |
1853 | - "%s: line %u policy invalid\n", |
1854 | - ip6tables_globals.program_name, |
1855 | - line); |
1856 | - exit(1); |
1857 | - } |
1858 | - |
1859 | - if (strcmp(policy, "-") != 0) { |
1860 | - struct ip6t_counters count; |
1861 | - |
1862 | - if (counters) { |
1863 | - char *ctrs; |
1864 | - ctrs = strtok(NULL, " \t\n"); |
1865 | - |
1866 | - if (!ctrs || !parse_counters(ctrs, &count)) |
1867 | - xtables_error(PARAMETER_PROBLEM, |
1868 | - "invalid policy counters " |
1869 | - "for chain '%s'\n", chain); |
1870 | - |
1871 | - } else { |
1872 | - memset(&count, 0, |
1873 | - sizeof(struct ip6t_counters)); |
1874 | - } |
1875 | - |
1876 | - DEBUGP("Setting policy of chain %s to %s\n", |
1877 | - chain, policy); |
1878 | - |
1879 | - if (!ip6tc_set_policy(chain, policy, &count, |
1880 | - handle)) |
1881 | - xtables_error(OTHER_PROBLEM, |
1882 | - "Can't set policy `%s'" |
1883 | - " on `%s' line %u: %s\n", |
1884 | - policy, chain, line, |
1885 | - ip6tc_strerror(errno)); |
1886 | - } |
1887 | - |
1888 | - ret = 1; |
1889 | - |
1890 | - } else if (in_table) { |
1891 | - int a; |
1892 | - char *ptr = buffer; |
1893 | - char *pcnt = NULL; |
1894 | - char *bcnt = NULL; |
1895 | - char *parsestart; |
1896 | - |
1897 | - /* the parser */ |
1898 | - char *curchar; |
1899 | - int quote_open, escaped; |
1900 | - size_t param_len; |
1901 | - |
1902 | - /* reset the newargv */ |
1903 | - newargc = 0; |
1904 | - |
1905 | - if (buffer[0] == '[') { |
1906 | - /* we have counters in our input */ |
1907 | - ptr = strchr(buffer, ']'); |
1908 | - if (!ptr) |
1909 | - xtables_error(PARAMETER_PROBLEM, |
1910 | - "Bad line %u: need ]\n", |
1911 | - line); |
1912 | - |
1913 | - pcnt = strtok(buffer+1, ":"); |
1914 | - if (!pcnt) |
1915 | - xtables_error(PARAMETER_PROBLEM, |
1916 | - "Bad line %u: need :\n", |
1917 | - line); |
1918 | - |
1919 | - bcnt = strtok(NULL, "]"); |
1920 | - if (!bcnt) |
1921 | - xtables_error(PARAMETER_PROBLEM, |
1922 | - "Bad line %u: need ]\n", |
1923 | - line); |
1924 | - |
1925 | - /* start command parsing after counter */ |
1926 | - parsestart = ptr + 1; |
1927 | - } else { |
1928 | - /* start command parsing at start of line */ |
1929 | - parsestart = buffer; |
1930 | - } |
1931 | - |
1932 | - add_argv(argv[0]); |
1933 | - add_argv("-t"); |
1934 | - add_argv(curtable); |
1935 | - |
1936 | - if (counters && pcnt && bcnt) { |
1937 | - add_argv("--set-counters"); |
1938 | - add_argv((char *) pcnt); |
1939 | - add_argv((char *) bcnt); |
1940 | - } |
1941 | - |
1942 | - /* After fighting with strtok enough, here's now |
1943 | - * a 'real' parser. According to Rusty I'm now no |
1944 | - * longer a real hacker, but I can live with that */ |
1945 | - |
1946 | - quote_open = 0; |
1947 | - escaped = 0; |
1948 | - param_len = 0; |
1949 | - |
1950 | - for (curchar = parsestart; *curchar; curchar++) { |
1951 | - char param_buffer[1024]; |
1952 | - |
1953 | - if (quote_open) { |
1954 | - if (escaped) { |
1955 | - param_buffer[param_len++] = *curchar; |
1956 | - escaped = 0; |
1957 | - continue; |
1958 | - } else if (*curchar == '\\') { |
1959 | - escaped = 1; |
1960 | - continue; |
1961 | - } else if (*curchar == '"') { |
1962 | - quote_open = 0; |
1963 | - *curchar = ' '; |
1964 | - } else { |
1965 | - param_buffer[param_len++] = *curchar; |
1966 | - continue; |
1967 | - } |
1968 | - } else { |
1969 | - if (*curchar == '"') { |
1970 | - quote_open = 1; |
1971 | - continue; |
1972 | - } |
1973 | - } |
1974 | - |
1975 | - if (*curchar == ' ' |
1976 | - || *curchar == '\t' |
1977 | - || * curchar == '\n') { |
1978 | - if (!param_len) { |
1979 | - /* two spaces? */ |
1980 | - continue; |
1981 | - } |
1982 | - |
1983 | - param_buffer[param_len] = '\0'; |
1984 | - |
1985 | - /* check if table name specified */ |
1986 | - if (!strncmp(param_buffer, "-t", 2) |
1987 | - || !strncmp(param_buffer, "--table", 8)) { |
1988 | - xtables_error(PARAMETER_PROBLEM, |
1989 | - "Line %u seems to have a " |
1990 | - "-t table option.\n", line); |
1991 | - exit(1); |
1992 | - } |
1993 | - |
1994 | - add_argv(param_buffer); |
1995 | - param_len = 0; |
1996 | - } else { |
1997 | - /* regular character, copy to buffer */ |
1998 | - param_buffer[param_len++] = *curchar; |
1999 | - |
2000 | - if (param_len >= sizeof(param_buffer)) |
2001 | - xtables_error(PARAMETER_PROBLEM, |
2002 | - "Parameter too long!"); |
2003 | - } |
2004 | - } |
2005 | - |
2006 | - DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", |
2007 | - newargc, curtable); |
2008 | - |
2009 | - for (a = 0; a < newargc; a++) |
2010 | - DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
2011 | - |
2012 | - ret = do_command6(newargc, newargv, |
2013 | - &newargv[2], &handle); |
2014 | - |
2015 | - free_argv(); |
2016 | - fflush(stdout); |
2017 | - } |
2018 | - if (!ret) { |
2019 | - fprintf(stderr, "%s: line %u failed\n", |
2020 | - ip6tables_globals.program_name, |
2021 | - line); |
2022 | - exit(1); |
2023 | - } |
2024 | - } |
2025 | - if (in_table) { |
2026 | - fprintf(stderr, "%s: COMMIT expected at line %u\n", |
2027 | - ip6tables_globals.program_name, |
2028 | - line + 1); |
2029 | - exit(1); |
2030 | - } |
2031 | - |
2032 | - fclose(in); |
2033 | - return 0; |
2034 | -} |
2035 | |
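Review bot: in the quote_open branches of the parser loop in this removed ip6tables-restore.c, "param_buffer[param_len++] = *curchar;" writes into the 1024-byte param_buffer with no length check. The "param_len >= sizeof(param_buffer)" test runs only in the unquoted "regular character" branch, while fgets accepts lines of up to sizeof(buffer), which is 10240 bytes. Please confirm that the ip6tables-restore.c from the new upstream version bounds the quoted path as well, ideally by testing the length before every write to param_buffer. Separately, this file is the quilt backup under .pc/9004-argv-is-null.patch, so removing it means that patch is no longer recorded as applied. The code here calls add_argv(argv[0]), and add_argv treats a NULL argument as "Parser cannot handle more arguments", so please state in debian/changelog whether that fix is now upstream or is still carried in debian/patches.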
2036 | === removed file '.pc/9004-argv-is-null.patch/iptables/iptables-restore.c' |
2037 | --- .pc/9004-argv-is-null.patch/iptables/iptables-restore.c 2012-07-20 15:45:01 +0000 |
2038 | +++ .pc/9004-argv-is-null.patch/iptables/iptables-restore.c 1970-01-01 00:00:00 +0000 |
2039 | @@ -1,470 +0,0 @@ |
2040 | -/* Code to restore the iptables state, from file by iptables-save. |
2041 | - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> |
2042 | - * based on previous code from Rusty Russell <rusty@linuxcare.com.au> |
2043 | - * |
2044 | - * This code is distributed under the terms of GNU GPL v2 |
2045 | - */ |
2046 | - |
2047 | -#include <getopt.h> |
2048 | -#include <sys/errno.h> |
2049 | -#include <stdbool.h> |
2050 | -#include <string.h> |
2051 | -#include <stdio.h> |
2052 | -#include <stdlib.h> |
2053 | -#include "iptables.h" |
2054 | -#include "xtables.h" |
2055 | -#include "libiptc/libiptc.h" |
2056 | -#include "iptables-multi.h" |
2057 | - |
2058 | -#ifdef DEBUG |
2059 | -#define DEBUGP(x, args...) fprintf(stderr, x, ## args) |
2060 | -#else |
2061 | -#define DEBUGP(x, args...) |
2062 | -#endif |
2063 | - |
2064 | -static int binary = 0, counters = 0, verbose = 0, noflush = 0; |
2065 | - |
2066 | -/* Keeping track of external matches and targets. */ |
2067 | -static const struct option options[] = { |
2068 | - {.name = "binary", .has_arg = false, .val = 'b'}, |
2069 | - {.name = "counters", .has_arg = false, .val = 'c'}, |
2070 | - {.name = "verbose", .has_arg = false, .val = 'v'}, |
2071 | - {.name = "test", .has_arg = false, .val = 't'}, |
2072 | - {.name = "help", .has_arg = false, .val = 'h'}, |
2073 | - {.name = "noflush", .has_arg = false, .val = 'n'}, |
2074 | - {.name = "modprobe", .has_arg = true, .val = 'M'}, |
2075 | - {.name = "table", .has_arg = true, .val = 'T'}, |
2076 | - {NULL}, |
2077 | -}; |
2078 | - |
2079 | -static void print_usage(const char *name, const char *version) __attribute__((noreturn)); |
2080 | - |
2081 | -#define prog_name iptables_globals.program_name |
2082 | - |
2083 | -static void print_usage(const char *name, const char *version) |
2084 | -{ |
2085 | - fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" |
2086 | - " [ --binary ]\n" |
2087 | - " [ --counters ]\n" |
2088 | - " [ --verbose ]\n" |
2089 | - " [ --test ]\n" |
2090 | - " [ --help ]\n" |
2091 | - " [ --noflush ]\n" |
2092 | - " [ --table=<TABLE> ]\n" |
2093 | - " [ --modprobe=<command>]\n", name); |
2094 | - |
2095 | - exit(1); |
2096 | -} |
2097 | - |
2098 | -static struct iptc_handle *create_handle(const char *tablename) |
2099 | -{ |
2100 | - struct iptc_handle *handle; |
2101 | - |
2102 | - handle = iptc_init(tablename); |
2103 | - |
2104 | - if (!handle) { |
2105 | - /* try to insmod the module if iptc_init failed */ |
2106 | - xtables_load_ko(xtables_modprobe_program, false); |
2107 | - handle = iptc_init(tablename); |
2108 | - } |
2109 | - |
2110 | - if (!handle) { |
2111 | - xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " |
2112 | - "table '%s'\n", prog_name, tablename); |
2113 | - exit(1); |
2114 | - } |
2115 | - return handle; |
2116 | -} |
2117 | - |
2118 | -static int parse_counters(char *string, struct ipt_counters *ctr) |
2119 | -{ |
2120 | - unsigned long long pcnt, bcnt; |
2121 | - int ret; |
2122 | - |
2123 | - ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt); |
2124 | - ctr->pcnt = pcnt; |
2125 | - ctr->bcnt = bcnt; |
2126 | - return ret == 2; |
2127 | -} |
2128 | - |
2129 | -/* global new argv and argc */ |
2130 | -static char *newargv[255]; |
2131 | -static int newargc; |
2132 | - |
2133 | -/* function adding one argument to newargv, updating newargc |
2134 | - * returns true if argument added, false otherwise */ |
2135 | -static int add_argv(char *what) { |
2136 | - DEBUGP("add_argv: %s\n", what); |
2137 | - if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
2138 | - newargv[newargc] = strdup(what); |
2139 | - newargc++; |
2140 | - return 1; |
2141 | - } else { |
2142 | - xtables_error(PARAMETER_PROBLEM, |
2143 | - "Parser cannot handle more arguments\n"); |
2144 | - return 0; |
2145 | - } |
2146 | -} |
2147 | - |
2148 | -static void free_argv(void) { |
2149 | - int i; |
2150 | - |
2151 | - for (i = 0; i < newargc; i++) |
2152 | - free(newargv[i]); |
2153 | -} |
2154 | - |
2155 | -#ifdef IPTABLES_MULTI |
2156 | -int |
2157 | -iptables_restore_main(int argc, char *argv[]) |
2158 | -#else |
2159 | -int |
2160 | -main(int argc, char *argv[]) |
2161 | -#endif |
2162 | -{ |
2163 | - struct iptc_handle *handle = NULL; |
2164 | - char buffer[10240]; |
2165 | - int c; |
2166 | - char curtable[IPT_TABLE_MAXNAMELEN + 1]; |
2167 | - FILE *in; |
2168 | - int in_table = 0, testing = 0; |
2169 | - const char *tablename = NULL; |
2170 | - |
2171 | - line = 0; |
2172 | - |
2173 | - iptables_globals.program_name = "iptables-restore"; |
2174 | - c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); |
2175 | - if (c < 0) { |
2176 | - fprintf(stderr, "%s/%s Failed to initialize xtables\n", |
2177 | - iptables_globals.program_name, |
2178 | - iptables_globals.program_version); |
2179 | - exit(1); |
2180 | - } |
2181 | -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) |
2182 | - init_extensions(); |
2183 | - init_extensions4(); |
2184 | -#endif |
2185 | - |
2186 | - while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { |
2187 | - switch (c) { |
2188 | - case 'b': |
2189 | - binary = 1; |
2190 | - break; |
2191 | - case 'c': |
2192 | - counters = 1; |
2193 | - break; |
2194 | - case 'v': |
2195 | - verbose = 1; |
2196 | - break; |
2197 | - case 't': |
2198 | - testing = 1; |
2199 | - break; |
2200 | - case 'h': |
2201 | - print_usage("iptables-restore", |
2202 | - IPTABLES_VERSION); |
2203 | - break; |
2204 | - case 'n': |
2205 | - noflush = 1; |
2206 | - break; |
2207 | - case 'M': |
2208 | - xtables_modprobe_program = optarg; |
2209 | - break; |
2210 | - case 'T': |
2211 | - tablename = optarg; |
2212 | - break; |
2213 | - } |
2214 | - } |
2215 | - |
2216 | - if (optind == argc - 1) { |
2217 | - in = fopen(argv[optind], "re"); |
2218 | - if (!in) { |
2219 | - fprintf(stderr, "Can't open %s: %s\n", argv[optind], |
2220 | - strerror(errno)); |
2221 | - exit(1); |
2222 | - } |
2223 | - } |
2224 | - else if (optind < argc) { |
2225 | - fprintf(stderr, "Unknown arguments found on commandline\n"); |
2226 | - exit(1); |
2227 | - } |
2228 | - else in = stdin; |
2229 | - |
2230 | - /* Grab standard input. */ |
2231 | - while (fgets(buffer, sizeof(buffer), in)) { |
2232 | - int ret = 0; |
2233 | - |
2234 | - line++; |
2235 | - if (buffer[0] == '\n') |
2236 | - continue; |
2237 | - else if (buffer[0] == '#') { |
2238 | - if (verbose) |
2239 | - fputs(buffer, stdout); |
2240 | - continue; |
2241 | - } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) { |
2242 | - if (!testing) { |
2243 | - DEBUGP("Calling commit\n"); |
2244 | - ret = iptc_commit(handle); |
2245 | - iptc_free(handle); |
2246 | - handle = NULL; |
2247 | - } else { |
2248 | - DEBUGP("Not calling commit, testing\n"); |
2249 | - ret = 1; |
2250 | - } |
2251 | - in_table = 0; |
2252 | - } else if ((buffer[0] == '*') && (!in_table)) { |
2253 | - /* New table */ |
2254 | - char *table; |
2255 | - |
2256 | - table = strtok(buffer+1, " \t\n"); |
2257 | - DEBUGP("line %u, table '%s'\n", line, table); |
2258 | - if (!table) { |
2259 | - xtables_error(PARAMETER_PROBLEM, |
2260 | - "%s: line %u table name invalid\n", |
2261 | - prog_name, line); |
2262 | - exit(1); |
2263 | - } |
2264 | - strncpy(curtable, table, IPT_TABLE_MAXNAMELEN); |
2265 | - curtable[IPT_TABLE_MAXNAMELEN] = '\0'; |
2266 | - |
2267 | - if (tablename && (strcmp(tablename, table) != 0)) |
2268 | - continue; |
2269 | - if (handle) |
2270 | - iptc_free(handle); |
2271 | - |
2272 | - handle = create_handle(table); |
2273 | - if (noflush == 0) { |
2274 | - DEBUGP("Cleaning all chains of table '%s'\n", |
2275 | - table); |
2276 | - for_each_chain4(flush_entries4, verbose, 1, |
2277 | - handle); |
2278 | - |
2279 | - DEBUGP("Deleting all user-defined chains " |
2280 | - "of table '%s'\n", table); |
2281 | - for_each_chain4(delete_chain4, verbose, 0, |
2282 | - handle); |
2283 | - } |
2284 | - |
2285 | - ret = 1; |
2286 | - in_table = 1; |
2287 | - |
2288 | - } else if ((buffer[0] == ':') && (in_table)) { |
2289 | - /* New chain. */ |
2290 | - char *policy, *chain; |
2291 | - |
2292 | - chain = strtok(buffer+1, " \t\n"); |
2293 | - DEBUGP("line %u, chain '%s'\n", line, chain); |
2294 | - if (!chain) { |
2295 | - xtables_error(PARAMETER_PROBLEM, |
2296 | - "%s: line %u chain name invalid\n", |
2297 | - prog_name, line); |
2298 | - exit(1); |
2299 | - } |
2300 | - |
2301 | - if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) |
2302 | - xtables_error(PARAMETER_PROBLEM, |
2303 | - "Invalid chain name `%s' " |
2304 | - "(%u chars max)", |
2305 | - chain, XT_EXTENSION_MAXNAMELEN - 1); |
2306 | - |
2307 | - if (iptc_builtin(chain, handle) <= 0) { |
2308 | - if (noflush && iptc_is_chain(chain, handle)) { |
2309 | - DEBUGP("Flushing existing user defined chain '%s'\n", chain); |
2310 | - if (!iptc_flush_entries(chain, handle)) |
2311 | - xtables_error(PARAMETER_PROBLEM, |
2312 | - "error flushing chain " |
2313 | - "'%s':%s\n", chain, |
2314 | - strerror(errno)); |
2315 | - } else { |
2316 | - DEBUGP("Creating new chain '%s'\n", chain); |
2317 | - if (!iptc_create_chain(chain, handle)) |
2318 | - xtables_error(PARAMETER_PROBLEM, |
2319 | - "error creating chain " |
2320 | - "'%s':%s\n", chain, |
2321 | - strerror(errno)); |
2322 | - } |
2323 | - } |
2324 | - |
2325 | - policy = strtok(NULL, " \t\n"); |
2326 | - DEBUGP("line %u, policy '%s'\n", line, policy); |
2327 | - if (!policy) { |
2328 | - xtables_error(PARAMETER_PROBLEM, |
2329 | - "%s: line %u policy invalid\n", |
2330 | - prog_name, line); |
2331 | - exit(1); |
2332 | - } |
2333 | - |
2334 | - if (strcmp(policy, "-") != 0) { |
2335 | - struct ipt_counters count; |
2336 | - |
2337 | - if (counters) { |
2338 | - char *ctrs; |
2339 | - ctrs = strtok(NULL, " \t\n"); |
2340 | - |
2341 | - if (!ctrs || !parse_counters(ctrs, &count)) |
2342 | - xtables_error(PARAMETER_PROBLEM, |
2343 | - "invalid policy counters " |
2344 | - "for chain '%s'\n", chain); |
2345 | - |
2346 | - } else { |
2347 | - memset(&count, 0, |
2348 | - sizeof(struct ipt_counters)); |
2349 | - } |
2350 | - |
2351 | - DEBUGP("Setting policy of chain %s to %s\n", |
2352 | - chain, policy); |
2353 | - |
2354 | - if (!iptc_set_policy(chain, policy, &count, |
2355 | - handle)) |
2356 | - xtables_error(OTHER_PROBLEM, |
2357 | - "Can't set policy `%s'" |
2358 | - " on `%s' line %u: %s\n", |
2359 | - policy, chain, line, |
2360 | - iptc_strerror(errno)); |
2361 | - } |
2362 | - |
2363 | - ret = 1; |
2364 | - |
2365 | - } else if (in_table) { |
2366 | - int a; |
2367 | - char *ptr = buffer; |
2368 | - char *pcnt = NULL; |
2369 | - char *bcnt = NULL; |
2370 | - char *parsestart; |
2371 | - |
2372 | - /* the parser */ |
2373 | - char *curchar; |
2374 | - int quote_open, escaped; |
2375 | - size_t param_len; |
2376 | - |
2377 | - /* reset the newargv */ |
2378 | - newargc = 0; |
2379 | - |
2380 | - if (buffer[0] == '[') { |
2381 | - /* we have counters in our input */ |
2382 | - ptr = strchr(buffer, ']'); |
2383 | - if (!ptr) |
2384 | - xtables_error(PARAMETER_PROBLEM, |
2385 | - "Bad line %u: need ]\n", |
2386 | - line); |
2387 | - |
2388 | - pcnt = strtok(buffer+1, ":"); |
2389 | - if (!pcnt) |
2390 | - xtables_error(PARAMETER_PROBLEM, |
2391 | - "Bad line %u: need :\n", |
2392 | - line); |
2393 | - |
2394 | - bcnt = strtok(NULL, "]"); |
2395 | - if (!bcnt) |
2396 | - xtables_error(PARAMETER_PROBLEM, |
2397 | - "Bad line %u: need ]\n", |
2398 | - line); |
2399 | - |
2400 | - /* start command parsing after counter */ |
2401 | - parsestart = ptr + 1; |
2402 | - } else { |
2403 | - /* start command parsing at start of line */ |
2404 | - parsestart = buffer; |
2405 | - } |
2406 | - |
2407 | - add_argv(argv[0]); |
2408 | - add_argv("-t"); |
2409 | - add_argv(curtable); |
2410 | - |
2411 | - if (counters && pcnt && bcnt) { |
2412 | - add_argv("--set-counters"); |
2413 | - add_argv((char *) pcnt); |
2414 | - add_argv((char *) bcnt); |
2415 | - } |
2416 | - |
2417 | - /* After fighting with strtok enough, here's now |
2418 | - * a 'real' parser. According to Rusty I'm now no |
2419 | - * longer a real hacker, but I can live with that */ |
2420 | - |
2421 | - quote_open = 0; |
2422 | - escaped = 0; |
2423 | - param_len = 0; |
2424 | - |
2425 | - for (curchar = parsestart; *curchar; curchar++) { |
2426 | - char param_buffer[1024]; |
2427 | - |
2428 | - if (quote_open) { |
2429 | - if (escaped) { |
2430 | - param_buffer[param_len++] = *curchar; |
2431 | - escaped = 0; |
2432 | - continue; |
2433 | - } else if (*curchar == '\\') { |
2434 | - escaped = 1; |
2435 | - continue; |
2436 | - } else if (*curchar == '"') { |
2437 | - quote_open = 0; |
2438 | - *curchar = ' '; |
2439 | - } else { |
2440 | - param_buffer[param_len++] = *curchar; |
2441 | - continue; |
2442 | - } |
2443 | - } else { |
2444 | - if (*curchar == '"') { |
2445 | - quote_open = 1; |
2446 | - continue; |
2447 | - } |
2448 | - } |
2449 | - |
2450 | - if (*curchar == ' ' |
2451 | - || *curchar == '\t' |
2452 | - || * curchar == '\n') { |
2453 | - if (!param_len) { |
2454 | - /* two spaces? */ |
2455 | - continue; |
2456 | - } |
2457 | - |
2458 | - param_buffer[param_len] = '\0'; |
2459 | - |
2460 | - /* check if table name specified */ |
2461 | - if (!strncmp(param_buffer, "-t", 2) |
2462 | - || !strncmp(param_buffer, "--table", 8)) { |
2463 | - xtables_error(PARAMETER_PROBLEM, |
2464 | - "Line %u seems to have a " |
2465 | - "-t table option.\n", line); |
2466 | - exit(1); |
2467 | - } |
2468 | - |
2469 | - add_argv(param_buffer); |
2470 | - param_len = 0; |
2471 | - } else { |
2472 | - /* regular character, copy to buffer */ |
2473 | - param_buffer[param_len++] = *curchar; |
2474 | - |
2475 | - if (param_len >= sizeof(param_buffer)) |
2476 | - xtables_error(PARAMETER_PROBLEM, |
2477 | - "Parameter too long!"); |
2478 | - } |
2479 | - } |
2480 | - |
2481 | - DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", |
2482 | - newargc, curtable); |
2483 | - |
2484 | - for (a = 0; a < newargc; a++) |
2485 | - DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
2486 | - |
2487 | - ret = do_command4(newargc, newargv, |
2488 | - &newargv[2], &handle); |
2489 | - |
2490 | - free_argv(); |
2491 | - fflush(stdout); |
2492 | - } |
2493 | - if (tablename && (strcmp(tablename, curtable) != 0)) |
2494 | - continue; |
2495 | - if (!ret) { |
2496 | - fprintf(stderr, "%s: line %u failed\n", |
2497 | - prog_name, line); |
2498 | - exit(1); |
2499 | - } |
2500 | - } |
2501 | - if (in_table) { |
2502 | - fprintf(stderr, "%s: COMMIT expected at line %u\n", |
2503 | - prog_name, line + 1); |
2504 | - exit(1); |
2505 | - } |
2506 | - |
2507 | - fclose(in); |
2508 | - return 0; |
2509 | -} |
2510 | |
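Review bot: in the argument parser of this removed copy, the only length check on param_buffer is in the unquoted branch (`if (param_len >= sizeof(param_buffer))` after the "regular character" copy). Both copies inside `if (quote_open)` do `param_buffer[param_len++] = *curchar; continue;` and skip it, so a quoted parameter longer than the 1024-byte param_buffer is written past the end of the array. Since this file is going away with the .pc tree, please confirm that the iptables-restore.c this merge brings in bounds every append, ideally through one helper used by the quoted, escaped and unquoted paths alike, and add a test rule with an over-long quoted string.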
2511 | === removed directory '.pc/9005-lp1027252-fixrestore.patch' |
2512 | === removed directory '.pc/9005-lp1027252-fixrestore.patch/iptables' |
2513 | === removed file '.pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c' |
2514 | --- .pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c 2012-07-20 15:45:01 +0000 |
2515 | +++ .pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c 1970-01-01 00:00:00 +0000 |
2516 | @@ -1,465 +0,0 @@ |
2517 | -/* Code to restore the iptables state, from file by ip6tables-save. |
2518 | - * Author: Andras Kis-Szabo <kisza@sch.bme.hu> |
2519 | - * |
2520 | - * based on iptables-restore |
2521 | - * Authors: |
2522 | - * Harald Welte <laforge@gnumonks.org> |
2523 | - * Rusty Russell <rusty@linuxcare.com.au> |
2524 | - * This code is distributed under the terms of GNU GPL v2 |
2525 | - */ |
2526 | - |
2527 | -#include <getopt.h> |
2528 | -#include <sys/errno.h> |
2529 | -#include <stdbool.h> |
2530 | -#include <string.h> |
2531 | -#include <stdio.h> |
2532 | -#include <stdlib.h> |
2533 | -#include "ip6tables.h" |
2534 | -#include "xtables.h" |
2535 | -#include "libiptc/libip6tc.h" |
2536 | -#include "ip6tables-multi.h" |
2537 | - |
2538 | -#ifdef DEBUG |
2539 | -#define DEBUGP(x, args...) fprintf(stderr, x, ## args) |
2540 | -#else |
2541 | -#define DEBUGP(x, args...) |
2542 | -#endif |
2543 | - |
2544 | -static int binary = 0, counters = 0, verbose = 0, noflush = 0; |
2545 | - |
2546 | -/* Keeping track of external matches and targets. */ |
2547 | -static const struct option options[] = { |
2548 | - {.name = "binary", .has_arg = false, .val = 'b'}, |
2549 | - {.name = "counters", .has_arg = false, .val = 'c'}, |
2550 | - {.name = "verbose", .has_arg = false, .val = 'v'}, |
2551 | - {.name = "test", .has_arg = false, .val = 't'}, |
2552 | - {.name = "help", .has_arg = false, .val = 'h'}, |
2553 | - {.name = "noflush", .has_arg = false, .val = 'n'}, |
2554 | - {.name = "modprobe", .has_arg = true, .val = 'M'}, |
2555 | - {NULL}, |
2556 | -}; |
2557 | - |
2558 | -static void print_usage(const char *name, const char *version) __attribute__((noreturn)); |
2559 | - |
2560 | -static void print_usage(const char *name, const char *version) |
2561 | -{ |
2562 | - fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" |
2563 | - " [ --binary ]\n" |
2564 | - " [ --counters ]\n" |
2565 | - " [ --verbose ]\n" |
2566 | - " [ --test ]\n" |
2567 | - " [ --help ]\n" |
2568 | - " [ --noflush ]\n" |
2569 | - " [ --modprobe=<command>]\n", name); |
2570 | - |
2571 | - exit(1); |
2572 | -} |
2573 | - |
2574 | -static struct ip6tc_handle *create_handle(const char *tablename) |
2575 | -{ |
2576 | - struct ip6tc_handle *handle; |
2577 | - |
2578 | - handle = ip6tc_init(tablename); |
2579 | - |
2580 | - if (!handle) { |
2581 | - /* try to insmod the module if iptc_init failed */ |
2582 | - xtables_load_ko(xtables_modprobe_program, false); |
2583 | - handle = ip6tc_init(tablename); |
2584 | - } |
2585 | - |
2586 | - if (!handle) { |
2587 | - xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " |
2588 | - "table '%s'\n", ip6tables_globals.program_name, |
2589 | - tablename); |
2590 | - exit(1); |
2591 | - } |
2592 | - return handle; |
2593 | -} |
2594 | - |
2595 | -static int parse_counters(char *string, struct ip6t_counters *ctr) |
2596 | -{ |
2597 | - unsigned long long pcnt, bcnt; |
2598 | - int ret; |
2599 | - |
2600 | - ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt); |
2601 | - ctr->pcnt = pcnt; |
2602 | - ctr->bcnt = bcnt; |
2603 | - return ret == 2; |
2604 | -} |
2605 | - |
2606 | -/* global new argv and argc */ |
2607 | -static char *newargv[255]; |
2608 | -static int newargc; |
2609 | - |
2610 | -/* function adding one argument to newargv, updating newargc |
2611 | - * returns true if argument added, false otherwise */ |
2612 | -static int add_argv(char *what) { |
2613 | - DEBUGP("add_argv: %s\n", what); |
2614 | - if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
2615 | - newargv[newargc] = strdup(what); |
2616 | - newargv[++newargc] = NULL; |
2617 | - return 1; |
2618 | - } else { |
2619 | - xtables_error(PARAMETER_PROBLEM, |
2620 | - "Parser cannot handle more arguments\n"); |
2621 | - return 0; |
2622 | - } |
2623 | -} |
2624 | - |
2625 | -static void free_argv(void) { |
2626 | - int i; |
2627 | - |
2628 | - for (i = 0; i < newargc; i++) |
2629 | - free(newargv[i]); |
2630 | -} |
2631 | - |
2632 | -#ifdef IPTABLES_MULTI |
2633 | -int ip6tables_restore_main(int argc, char *argv[]) |
2634 | -#else |
2635 | -int main(int argc, char *argv[]) |
2636 | -#endif |
2637 | -{ |
2638 | - struct ip6tc_handle *handle = NULL; |
2639 | - char buffer[10240]; |
2640 | - int c; |
2641 | - char curtable[IP6T_TABLE_MAXNAMELEN + 1]; |
2642 | - FILE *in; |
2643 | - int in_table = 0, testing = 0; |
2644 | - |
2645 | - line = 0; |
2646 | - |
2647 | - ip6tables_globals.program_name = "ip6tables-restore"; |
2648 | - c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); |
2649 | - if (c < 0) { |
2650 | - fprintf(stderr, "%s/%s Failed to initialize xtables\n", |
2651 | - ip6tables_globals.program_name, |
2652 | - ip6tables_globals.program_version); |
2653 | - exit(1); |
2654 | - } |
2655 | -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) |
2656 | - init_extensions(); |
2657 | - init_extensions6(); |
2658 | -#endif |
2659 | - |
2660 | - while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) { |
2661 | - switch (c) { |
2662 | - case 'b': |
2663 | - binary = 1; |
2664 | - break; |
2665 | - case 'c': |
2666 | - counters = 1; |
2667 | - break; |
2668 | - case 'v': |
2669 | - verbose = 1; |
2670 | - break; |
2671 | - case 't': |
2672 | - testing = 1; |
2673 | - break; |
2674 | - case 'h': |
2675 | - print_usage("ip6tables-restore", |
2676 | - IPTABLES_VERSION); |
2677 | - break; |
2678 | - case 'n': |
2679 | - noflush = 1; |
2680 | - break; |
2681 | - case 'M': |
2682 | - xtables_modprobe_program = optarg; |
2683 | - break; |
2684 | - } |
2685 | - } |
2686 | - |
2687 | - if (optind == argc - 1) { |
2688 | - in = fopen(argv[optind], "re"); |
2689 | - if (!in) { |
2690 | - fprintf(stderr, "Can't open %s: %s\n", argv[optind], |
2691 | - strerror(errno)); |
2692 | - exit(1); |
2693 | - } |
2694 | - } |
2695 | - else if (optind < argc) { |
2696 | - fprintf(stderr, "Unknown arguments found on commandline\n"); |
2697 | - exit(1); |
2698 | - } |
2699 | - else in = stdin; |
2700 | - |
2701 | - /* Grab standard input. */ |
2702 | - while (fgets(buffer, sizeof(buffer), in)) { |
2703 | - int ret = 0; |
2704 | - |
2705 | - line++; |
2706 | - if (buffer[0] == '\n') |
2707 | - continue; |
2708 | - else if (buffer[0] == '#') { |
2709 | - if (verbose) |
2710 | - fputs(buffer, stdout); |
2711 | - continue; |
2712 | - } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) { |
2713 | - if (!testing) { |
2714 | - DEBUGP("Calling commit\n"); |
2715 | - ret = ip6tc_commit(handle); |
2716 | - ip6tc_free(handle); |
2717 | - handle = NULL; |
2718 | - } else { |
2719 | - DEBUGP("Not calling commit, testing\n"); |
2720 | - ret = 1; |
2721 | - } |
2722 | - in_table = 0; |
2723 | - } else if ((buffer[0] == '*') && (!in_table)) { |
2724 | - /* New table */ |
2725 | - char *table; |
2726 | - |
2727 | - table = strtok(buffer+1, " \t\n"); |
2728 | - DEBUGP("line %u, table '%s'\n", line, table); |
2729 | - if (!table) { |
2730 | - xtables_error(PARAMETER_PROBLEM, |
2731 | - "%s: line %u table name invalid\n", |
2732 | - ip6tables_globals.program_name, |
2733 | - line); |
2734 | - exit(1); |
2735 | - } |
2736 | - strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN); |
2737 | - curtable[IP6T_TABLE_MAXNAMELEN] = '\0'; |
2738 | - |
2739 | - if (handle) |
2740 | - ip6tc_free(handle); |
2741 | - |
2742 | - handle = create_handle(table); |
2743 | - if (noflush == 0) { |
2744 | - DEBUGP("Cleaning all chains of table '%s'\n", |
2745 | - table); |
2746 | - for_each_chain6(flush_entries6, verbose, 1, |
2747 | - handle); |
2748 | - |
2749 | - DEBUGP("Deleting all user-defined chains " |
2750 | - "of table '%s'\n", table); |
2751 | - for_each_chain6(delete_chain6, verbose, 0, |
2752 | - handle); |
2753 | - } |
2754 | - |
2755 | - ret = 1; |
2756 | - in_table = 1; |
2757 | - |
2758 | - } else if ((buffer[0] == ':') && (in_table)) { |
2759 | - /* New chain. */ |
2760 | - char *policy, *chain; |
2761 | - |
2762 | - chain = strtok(buffer+1, " \t\n"); |
2763 | - DEBUGP("line %u, chain '%s'\n", line, chain); |
2764 | - if (!chain) { |
2765 | - xtables_error(PARAMETER_PROBLEM, |
2766 | - "%s: line %u chain name invalid\n", |
2767 | - ip6tables_globals.program_name, |
2768 | - line); |
2769 | - exit(1); |
2770 | - } |
2771 | - |
2772 | - if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) |
2773 | - xtables_error(PARAMETER_PROBLEM, |
2774 | - "Invalid chain name `%s' " |
2775 | - "(%u chars max)", |
2776 | - chain, XT_EXTENSION_MAXNAMELEN - 1); |
2777 | - |
2778 | - if (ip6tc_builtin(chain, handle) <= 0) { |
2779 | - if (noflush && ip6tc_is_chain(chain, handle)) { |
2780 | - DEBUGP("Flushing existing user defined chain '%s'\n", chain); |
2781 | - if (!ip6tc_flush_entries(chain, handle)) |
2782 | - xtables_error(PARAMETER_PROBLEM, |
2783 | - "error flushing chain " |
2784 | - "'%s':%s\n", chain, |
2785 | - strerror(errno)); |
2786 | - } else { |
2787 | - DEBUGP("Creating new chain '%s'\n", chain); |
2788 | - if (!ip6tc_create_chain(chain, handle)) |
2789 | - xtables_error(PARAMETER_PROBLEM, |
2790 | - "error creating chain " |
2791 | - "'%s':%s\n", chain, |
2792 | - strerror(errno)); |
2793 | - } |
2794 | - } |
2795 | - |
2796 | - policy = strtok(NULL, " \t\n"); |
2797 | - DEBUGP("line %u, policy '%s'\n", line, policy); |
2798 | - if (!policy) { |
2799 | - xtables_error(PARAMETER_PROBLEM, |
2800 | - "%s: line %u policy invalid\n", |
2801 | - ip6tables_globals.program_name, |
2802 | - line); |
2803 | - exit(1); |
2804 | - } |
2805 | - |
2806 | - if (strcmp(policy, "-") != 0) { |
2807 | - struct ip6t_counters count; |
2808 | - |
2809 | - if (counters) { |
2810 | - char *ctrs; |
2811 | - ctrs = strtok(NULL, " \t\n"); |
2812 | - |
2813 | - if (!ctrs || !parse_counters(ctrs, &count)) |
2814 | - xtables_error(PARAMETER_PROBLEM, |
2815 | - "invalid policy counters " |
2816 | - "for chain '%s'\n", chain); |
2817 | - |
2818 | - } else { |
2819 | - memset(&count, 0, |
2820 | - sizeof(struct ip6t_counters)); |
2821 | - } |
2822 | - |
2823 | - DEBUGP("Setting policy of chain %s to %s\n", |
2824 | - chain, policy); |
2825 | - |
2826 | - if (!ip6tc_set_policy(chain, policy, &count, |
2827 | - handle)) |
2828 | - xtables_error(OTHER_PROBLEM, |
2829 | - "Can't set policy `%s'" |
2830 | - " on `%s' line %u: %s\n", |
2831 | - policy, chain, line, |
2832 | - ip6tc_strerror(errno)); |
2833 | - } |
2834 | - |
2835 | - ret = 1; |
2836 | - |
2837 | - } else if (in_table) { |
2838 | - int a; |
2839 | - char *ptr = buffer; |
2840 | - char *pcnt = NULL; |
2841 | - char *bcnt = NULL; |
2842 | - char *parsestart; |
2843 | - |
2844 | - /* the parser */ |
2845 | - char *curchar; |
2846 | - int quote_open, escaped; |
2847 | - size_t param_len; |
2848 | - |
2849 | - /* reset the newargv */ |
2850 | - newargc = 0; |
2851 | - |
2852 | - if (buffer[0] == '[') { |
2853 | - /* we have counters in our input */ |
2854 | - ptr = strchr(buffer, ']'); |
2855 | - if (!ptr) |
2856 | - xtables_error(PARAMETER_PROBLEM, |
2857 | - "Bad line %u: need ]\n", |
2858 | - line); |
2859 | - |
2860 | - pcnt = strtok(buffer+1, ":"); |
2861 | - if (!pcnt) |
2862 | - xtables_error(PARAMETER_PROBLEM, |
2863 | - "Bad line %u: need :\n", |
2864 | - line); |
2865 | - |
2866 | - bcnt = strtok(NULL, "]"); |
2867 | - if (!bcnt) |
2868 | - xtables_error(PARAMETER_PROBLEM, |
2869 | - "Bad line %u: need ]\n", |
2870 | - line); |
2871 | - |
2872 | - /* start command parsing after counter */ |
2873 | - parsestart = ptr + 1; |
2874 | - } else { |
2875 | - /* start command parsing at start of line */ |
2876 | - parsestart = buffer; |
2877 | - } |
2878 | - |
2879 | - add_argv(argv[0]); |
2880 | - add_argv("-t"); |
2881 | - add_argv(curtable); |
2882 | - |
2883 | - if (counters && pcnt && bcnt) { |
2884 | - add_argv("--set-counters"); |
2885 | - add_argv((char *) pcnt); |
2886 | - add_argv((char *) bcnt); |
2887 | - } |
2888 | - |
2889 | - /* After fighting with strtok enough, here's now |
2890 | - * a 'real' parser. According to Rusty I'm now no |
2891 | - * longer a real hacker, but I can live with that */ |
2892 | - |
2893 | - quote_open = 0; |
2894 | - escaped = 0; |
2895 | - param_len = 0; |
2896 | - |
2897 | - for (curchar = parsestart; *curchar; curchar++) { |
2898 | - char param_buffer[1024]; |
2899 | - |
2900 | - if (quote_open) { |
2901 | - if (escaped) { |
2902 | - param_buffer[param_len++] = *curchar; |
2903 | - escaped = 0; |
2904 | - continue; |
2905 | - } else if (*curchar == '\\') { |
2906 | - escaped = 1; |
2907 | - continue; |
2908 | - } else if (*curchar == '"') { |
2909 | - quote_open = 0; |
2910 | - *curchar = ' '; |
2911 | - } else { |
2912 | - param_buffer[param_len++] = *curchar; |
2913 | - continue; |
2914 | - } |
2915 | - } else { |
2916 | - if (*curchar == '"') { |
2917 | - quote_open = 1; |
2918 | - continue; |
2919 | - } |
2920 | - } |
2921 | - |
2922 | - if (*curchar == ' ' |
2923 | - || *curchar == '\t' |
2924 | - || * curchar == '\n') { |
2925 | - if (!param_len) { |
2926 | - /* two spaces? */ |
2927 | - continue; |
2928 | - } |
2929 | - |
2930 | - param_buffer[param_len] = '\0'; |
2931 | - |
2932 | - /* check if table name specified */ |
2933 | - if (!strncmp(param_buffer, "-t", 2) |
2934 | - || !strncmp(param_buffer, "--table", 8)) { |
2935 | - xtables_error(PARAMETER_PROBLEM, |
2936 | - "Line %u seems to have a " |
2937 | - "-t table option.\n", line); |
2938 | - exit(1); |
2939 | - } |
2940 | - |
2941 | - add_argv(param_buffer); |
2942 | - param_len = 0; |
2943 | - } else { |
2944 | - /* regular character, copy to buffer */ |
2945 | - param_buffer[param_len++] = *curchar; |
2946 | - |
2947 | - if (param_len >= sizeof(param_buffer)) |
2948 | - xtables_error(PARAMETER_PROBLEM, |
2949 | - "Parameter too long!"); |
2950 | - } |
2951 | - } |
2952 | - |
2953 | - DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", |
2954 | - newargc, curtable); |
2955 | - |
2956 | - for (a = 0; a < newargc; a++) |
2957 | - DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
2958 | - |
2959 | - ret = do_command6(newargc, newargv, |
2960 | - &newargv[2], &handle); |
2961 | - |
2962 | - free_argv(); |
2963 | - fflush(stdout); |
2964 | - } |
2965 | - if (!ret) { |
2966 | - fprintf(stderr, "%s: line %u failed\n", |
2967 | - ip6tables_globals.program_name, |
2968 | - line); |
2969 | - exit(1); |
2970 | - } |
2971 | - } |
2972 | - if (in_table) { |
2973 | - fprintf(stderr, "%s: COMMIT expected at line %u\n", |
2974 | - ip6tables_globals.program_name, |
2975 | - line + 1); |
2976 | - exit(1); |
2977 | - } |
2978 | - |
2979 | - fclose(in); |
2980 | - return 0; |
2981 | -} |
2982 | |
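Review bot: this whole-file removal (`@@ -1,465 +0,0 @@` under .pc/9005-lp1027252-fixrestore.patch) deletes quilt's saved pre-patch copy of ip6tables-restore.c, so the tree no longer records 9005 as applied, and nothing in the hunk says whether the lp1027252 restore fix is present in the new upstream source. Please list in debian/changelog which of the removed patches are upstream and which are dropped on purpose, and check the ip6tables-restore behaviour that the bug covered against the new version before this leaves "Work in progress".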
2983 | === removed file '.pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c' |
2984 | --- .pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c 2012-07-20 15:45:01 +0000 |
2985 | +++ .pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c 1970-01-01 00:00:00 +0000 |
2986 | @@ -1,470 +0,0 @@ |
2987 | -/* Code to restore the iptables state, from file by iptables-save. |
2988 | - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org> |
2989 | - * based on previous code from Rusty Russell <rusty@linuxcare.com.au> |
2990 | - * |
2991 | - * This code is distributed under the terms of GNU GPL v2 |
2992 | - */ |
2993 | - |
2994 | -#include <getopt.h> |
2995 | -#include <sys/errno.h> |
2996 | -#include <stdbool.h> |
2997 | -#include <string.h> |
2998 | -#include <stdio.h> |
2999 | -#include <stdlib.h> |
3000 | -#include "iptables.h" |
3001 | -#include "xtables.h" |
3002 | -#include "libiptc/libiptc.h" |
3003 | -#include "iptables-multi.h" |
3004 | - |
3005 | -#ifdef DEBUG |
3006 | -#define DEBUGP(x, args...) fprintf(stderr, x, ## args) |
3007 | -#else |
3008 | -#define DEBUGP(x, args...) |
3009 | -#endif |
3010 | - |
3011 | -static int binary = 0, counters = 0, verbose = 0, noflush = 0; |
3012 | - |
3013 | -/* Keeping track of external matches and targets. */ |
3014 | -static const struct option options[] = { |
3015 | - {.name = "binary", .has_arg = false, .val = 'b'}, |
3016 | - {.name = "counters", .has_arg = false, .val = 'c'}, |
3017 | - {.name = "verbose", .has_arg = false, .val = 'v'}, |
3018 | - {.name = "test", .has_arg = false, .val = 't'}, |
3019 | - {.name = "help", .has_arg = false, .val = 'h'}, |
3020 | - {.name = "noflush", .has_arg = false, .val = 'n'}, |
3021 | - {.name = "modprobe", .has_arg = true, .val = 'M'}, |
3022 | - {.name = "table", .has_arg = true, .val = 'T'}, |
3023 | - {NULL}, |
3024 | -}; |
3025 | - |
3026 | -static void print_usage(const char *name, const char *version) __attribute__((noreturn)); |
3027 | - |
3028 | -#define prog_name iptables_globals.program_name |
3029 | - |
3030 | -static void print_usage(const char *name, const char *version) |
3031 | -{ |
3032 | - fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" |
3033 | - " [ --binary ]\n" |
3034 | - " [ --counters ]\n" |
3035 | - " [ --verbose ]\n" |
3036 | - " [ --test ]\n" |
3037 | - " [ --help ]\n" |
3038 | - " [ --noflush ]\n" |
3039 | - " [ --table=<TABLE> ]\n" |
3040 | - " [ --modprobe=<command>]\n", name); |
3041 | - |
3042 | - exit(1); |
3043 | -} |
3044 | - |
3045 | -static struct iptc_handle *create_handle(const char *tablename) |
3046 | -{ |
3047 | - struct iptc_handle *handle; |
3048 | - |
3049 | - handle = iptc_init(tablename); |
3050 | - |
3051 | - if (!handle) { |
3052 | - /* try to insmod the module if iptc_init failed */ |
3053 | - xtables_load_ko(xtables_modprobe_program, false); |
3054 | - handle = iptc_init(tablename); |
3055 | - } |
3056 | - |
3057 | - if (!handle) { |
3058 | - xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " |
3059 | - "table '%s'\n", prog_name, tablename); |
3060 | - exit(1); |
3061 | - } |
3062 | - return handle; |
3063 | -} |
3064 | - |
3065 | -static int parse_counters(char *string, struct ipt_counters *ctr) |
3066 | -{ |
3067 | - unsigned long long pcnt, bcnt; |
3068 | - int ret; |
3069 | - |
3070 | - ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt); |
3071 | - ctr->pcnt = pcnt; |
3072 | - ctr->bcnt = bcnt; |
3073 | - return ret == 2; |
3074 | -} |
3075 | - |
3076 | -/* global new argv and argc */ |
3077 | -static char *newargv[255]; |
3078 | -static int newargc; |
3079 | - |
3080 | -/* function adding one argument to newargv, updating newargc |
3081 | - * returns true if argument added, false otherwise */ |
3082 | -static int add_argv(char *what) { |
3083 | - DEBUGP("add_argv: %s\n", what); |
3084 | - if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
3085 | - newargv[newargc] = strdup(what); |
3086 | - newargv[++newargc] = NULL; |
3087 | - return 1; |
3088 | - } else { |
3089 | - xtables_error(PARAMETER_PROBLEM, |
3090 | - "Parser cannot handle more arguments\n"); |
3091 | - return 0; |
3092 | - } |
3093 | -} |
3094 | - |
3095 | -static void free_argv(void) { |
3096 | - int i; |
3097 | - |
3098 | - for (i = 0; i < newargc; i++) |
3099 | - free(newargv[i]); |
3100 | -} |
3101 | - |
3102 | -#ifdef IPTABLES_MULTI |
3103 | -int |
3104 | -iptables_restore_main(int argc, char *argv[]) |
3105 | -#else |
3106 | -int |
3107 | -main(int argc, char *argv[]) |
3108 | -#endif |
3109 | -{ |
3110 | - struct iptc_handle *handle = NULL; |
3111 | - char buffer[10240]; |
3112 | - int c; |
3113 | - char curtable[IPT_TABLE_MAXNAMELEN + 1]; |
3114 | - FILE *in; |
3115 | - int in_table = 0, testing = 0; |
3116 | - const char *tablename = NULL; |
3117 | - |
3118 | - line = 0; |
3119 | - |
3120 | - iptables_globals.program_name = "iptables-restore"; |
3121 | - c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); |
3122 | - if (c < 0) { |
3123 | - fprintf(stderr, "%s/%s Failed to initialize xtables\n", |
3124 | - iptables_globals.program_name, |
3125 | - iptables_globals.program_version); |
3126 | - exit(1); |
3127 | - } |
3128 | -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) |
3129 | - init_extensions(); |
3130 | - init_extensions4(); |
3131 | -#endif |
3132 | - |
3133 | - while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { |
3134 | - switch (c) { |
3135 | - case 'b': |
3136 | - binary = 1; |
3137 | - break; |
3138 | - case 'c': |
3139 | - counters = 1; |
3140 | - break; |
3141 | - case 'v': |
3142 | - verbose = 1; |
3143 | - break; |
3144 | - case 't': |
3145 | - testing = 1; |
3146 | - break; |
3147 | - case 'h': |
3148 | - print_usage("iptables-restore", |
3149 | - IPTABLES_VERSION); |
3150 | - break; |
3151 | - case 'n': |
3152 | - noflush = 1; |
3153 | - break; |
3154 | - case 'M': |
3155 | - xtables_modprobe_program = optarg; |
3156 | - break; |
3157 | - case 'T': |
3158 | - tablename = optarg; |
3159 | - break; |
3160 | - } |
3161 | - } |
3162 | - |
3163 | - if (optind == argc - 1) { |
3164 | - in = fopen(argv[optind], "re"); |
3165 | - if (!in) { |
3166 | - fprintf(stderr, "Can't open %s: %s\n", argv[optind], |
3167 | - strerror(errno)); |
3168 | - exit(1); |
3169 | - } |
3170 | - } |
3171 | - else if (optind < argc) { |
3172 | - fprintf(stderr, "Unknown arguments found on commandline\n"); |
3173 | - exit(1); |
3174 | - } |
3175 | - else in = stdin; |
3176 | - |
3177 | - /* Grab standard input. */ |
3178 | - while (fgets(buffer, sizeof(buffer), in)) { |
3179 | - int ret = 0; |
3180 | - |
3181 | - line++; |
3182 | - if (buffer[0] == '\n') |
3183 | - continue; |
3184 | - else if (buffer[0] == '#') { |
3185 | - if (verbose) |
3186 | - fputs(buffer, stdout); |
3187 | - continue; |
3188 | - } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) { |
3189 | - if (!testing) { |
3190 | - DEBUGP("Calling commit\n"); |
3191 | - ret = iptc_commit(handle); |
3192 | - iptc_free(handle); |
3193 | - handle = NULL; |
3194 | - } else { |
3195 | - DEBUGP("Not calling commit, testing\n"); |
3196 | - ret = 1; |
3197 | - } |
3198 | - in_table = 0; |
3199 | - } else if ((buffer[0] == '*') && (!in_table)) { |
3200 | - /* New table */ |
3201 | - char *table; |
3202 | - |
3203 | - table = strtok(buffer+1, " \t\n"); |
3204 | - DEBUGP("line %u, table '%s'\n", line, table); |
3205 | - if (!table) { |
3206 | - xtables_error(PARAMETER_PROBLEM, |
3207 | - "%s: line %u table name invalid\n", |
3208 | - prog_name, line); |
3209 | - exit(1); |
3210 | - } |
3211 | - strncpy(curtable, table, IPT_TABLE_MAXNAMELEN); |
3212 | - curtable[IPT_TABLE_MAXNAMELEN] = '\0'; |
3213 | - |
3214 | - if (tablename && (strcmp(tablename, table) != 0)) |
3215 | - continue; |
3216 | - if (handle) |
3217 | - iptc_free(handle); |
3218 | - |
3219 | - handle = create_handle(table); |
3220 | - if (noflush == 0) { |
3221 | - DEBUGP("Cleaning all chains of table '%s'\n", |
3222 | - table); |
3223 | - for_each_chain4(flush_entries4, verbose, 1, |
3224 | - handle); |
3225 | - |
3226 | - DEBUGP("Deleting all user-defined chains " |
3227 | - "of table '%s'\n", table); |
3228 | - for_each_chain4(delete_chain4, verbose, 0, |
3229 | - handle); |
3230 | - } |
3231 | - |
3232 | - ret = 1; |
3233 | - in_table = 1; |
3234 | - |
3235 | - } else if ((buffer[0] == ':') && (in_table)) { |
3236 | - /* New chain. */ |
3237 | - char *policy, *chain; |
3238 | - |
3239 | - chain = strtok(buffer+1, " \t\n"); |
3240 | - DEBUGP("line %u, chain '%s'\n", line, chain); |
3241 | - if (!chain) { |
3242 | - xtables_error(PARAMETER_PROBLEM, |
3243 | - "%s: line %u chain name invalid\n", |
3244 | - prog_name, line); |
3245 | - exit(1); |
3246 | - } |
3247 | - |
3248 | - if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) |
3249 | - xtables_error(PARAMETER_PROBLEM, |
3250 | - "Invalid chain name `%s' " |
3251 | - "(%u chars max)", |
3252 | - chain, XT_EXTENSION_MAXNAMELEN - 1); |
3253 | - |
3254 | - if (iptc_builtin(chain, handle) <= 0) { |
3255 | - if (noflush && iptc_is_chain(chain, handle)) { |
3256 | - DEBUGP("Flushing existing user defined chain '%s'\n", chain); |
3257 | - if (!iptc_flush_entries(chain, handle)) |
3258 | - xtables_error(PARAMETER_PROBLEM, |
3259 | - "error flushing chain " |
3260 | - "'%s':%s\n", chain, |
3261 | - strerror(errno)); |
3262 | - } else { |
3263 | - DEBUGP("Creating new chain '%s'\n", chain); |
3264 | - if (!iptc_create_chain(chain, handle)) |
3265 | - xtables_error(PARAMETER_PROBLEM, |
3266 | - "error creating chain " |
3267 | - "'%s':%s\n", chain, |
3268 | - strerror(errno)); |
3269 | - } |
3270 | - } |
3271 | - |
3272 | - policy = strtok(NULL, " \t\n"); |
3273 | - DEBUGP("line %u, policy '%s'\n", line, policy); |
3274 | - if (!policy) { |
3275 | - xtables_error(PARAMETER_PROBLEM, |
3276 | - "%s: line %u policy invalid\n", |
3277 | - prog_name, line); |
3278 | - exit(1); |
3279 | - } |
3280 | - |
3281 | - if (strcmp(policy, "-") != 0) { |
3282 | - struct ipt_counters count; |
3283 | - |
3284 | - if (counters) { |
3285 | - char *ctrs; |
3286 | - ctrs = strtok(NULL, " \t\n"); |
3287 | - |
3288 | - if (!ctrs || !parse_counters(ctrs, &count)) |
3289 | - xtables_error(PARAMETER_PROBLEM, |
3290 | - "invalid policy counters " |
3291 | - "for chain '%s'\n", chain); |
3292 | - |
3293 | - } else { |
3294 | - memset(&count, 0, |
3295 | - sizeof(struct ipt_counters)); |
3296 | - } |
3297 | - |
3298 | - DEBUGP("Setting policy of chain %s to %s\n", |
3299 | - chain, policy); |
3300 | - |
3301 | - if (!iptc_set_policy(chain, policy, &count, |
3302 | - handle)) |
3303 | - xtables_error(OTHER_PROBLEM, |
3304 | - "Can't set policy `%s'" |
3305 | - " on `%s' line %u: %s\n", |
3306 | - policy, chain, line, |
3307 | - iptc_strerror(errno)); |
3308 | - } |
3309 | - |
3310 | - ret = 1; |
3311 | - |
3312 | - } else if (in_table) { |
3313 | - int a; |
3314 | - char *ptr = buffer; |
3315 | - char *pcnt = NULL; |
3316 | - char *bcnt = NULL; |
3317 | - char *parsestart; |
3318 | - |
3319 | - /* the parser */ |
3320 | - char *curchar; |
3321 | - int quote_open, escaped; |
3322 | - size_t param_len; |
3323 | - |
3324 | - /* reset the newargv */ |
3325 | - newargc = 0; |
3326 | - |
3327 | - if (buffer[0] == '[') { |
3328 | - /* we have counters in our input */ |
3329 | - ptr = strchr(buffer, ']'); |
3330 | - if (!ptr) |
3331 | - xtables_error(PARAMETER_PROBLEM, |
3332 | - "Bad line %u: need ]\n", |
3333 | - line); |
3334 | - |
3335 | - pcnt = strtok(buffer+1, ":"); |
3336 | - if (!pcnt) |
3337 | - xtables_error(PARAMETER_PROBLEM, |
3338 | - "Bad line %u: need :\n", |
3339 | - line); |
3340 | - |
3341 | - bcnt = strtok(NULL, "]"); |
3342 | - if (!bcnt) |
3343 | - xtables_error(PARAMETER_PROBLEM, |
3344 | - "Bad line %u: need ]\n", |
3345 | - line); |
3346 | - |
3347 | - /* start command parsing after counter */ |
3348 | - parsestart = ptr + 1; |
3349 | - } else { |
3350 | - /* start command parsing at start of line */ |
3351 | - parsestart = buffer; |
3352 | - } |
3353 | - |
3354 | - add_argv(argv[0]); |
3355 | - add_argv("-t"); |
3356 | - add_argv(curtable); |
3357 | - |
3358 | - if (counters && pcnt && bcnt) { |
3359 | - add_argv("--set-counters"); |
3360 | - add_argv((char *) pcnt); |
3361 | - add_argv((char *) bcnt); |
3362 | - } |
3363 | - |
3364 | - /* After fighting with strtok enough, here's now |
3365 | - * a 'real' parser. According to Rusty I'm now no |
3366 | - * longer a real hacker, but I can live with that */ |
3367 | - |
3368 | - quote_open = 0; |
3369 | - escaped = 0; |
3370 | - param_len = 0; |
3371 | - |
3372 | - for (curchar = parsestart; *curchar; curchar++) { |
3373 | - char param_buffer[1024]; |
3374 | - |
3375 | - if (quote_open) { |
3376 | - if (escaped) { |
3377 | - param_buffer[param_len++] = *curchar; |
3378 | - escaped = 0; |
3379 | - continue; |
3380 | - } else if (*curchar == '\\') { |
3381 | - escaped = 1; |
3382 | - continue; |
3383 | - } else if (*curchar == '"') { |
3384 | - quote_open = 0; |
3385 | - *curchar = ' '; |
3386 | - } else { |
3387 | - param_buffer[param_len++] = *curchar; |
3388 | - continue; |
3389 | - } |
3390 | - } else { |
3391 | - if (*curchar == '"') { |
3392 | - quote_open = 1; |
3393 | - continue; |
3394 | - } |
3395 | - } |
3396 | - |
3397 | - if (*curchar == ' ' |
3398 | - || *curchar == '\t' |
3399 | - || * curchar == '\n') { |
3400 | - if (!param_len) { |
3401 | - /* two spaces? */ |
3402 | - continue; |
3403 | - } |
3404 | - |
3405 | - param_buffer[param_len] = '\0'; |
3406 | - |
3407 | - /* check if table name specified */ |
3408 | - if (!strncmp(param_buffer, "-t", 2) |
3409 | - || !strncmp(param_buffer, "--table", 8)) { |
3410 | - xtables_error(PARAMETER_PROBLEM, |
3411 | - "Line %u seems to have a " |
3412 | - "-t table option.\n", line); |
3413 | - exit(1); |
3414 | - } |
3415 | - |
3416 | - add_argv(param_buffer); |
3417 | - param_len = 0; |
3418 | - } else { |
3419 | - /* regular character, copy to buffer */ |
3420 | - param_buffer[param_len++] = *curchar; |
3421 | - |
3422 | - if (param_len >= sizeof(param_buffer)) |
3423 | - xtables_error(PARAMETER_PROBLEM, |
3424 | - "Parameter too long!"); |
3425 | - } |
3426 | - } |
3427 | - |
3428 | - DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", |
3429 | - newargc, curtable); |
3430 | - |
3431 | - for (a = 0; a < newargc; a++) |
3432 | - DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
3433 | - |
3434 | - ret = do_command4(newargc, newargv, |
3435 | - &newargv[2], &handle); |
3436 | - |
3437 | - free_argv(); |
3438 | - fflush(stdout); |
3439 | - } |
3440 | - if (tablename && (strcmp(tablename, curtable) != 0)) |
3441 | - continue; |
3442 | - if (!ret) { |
3443 | - fprintf(stderr, "%s: line %u failed\n", |
3444 | - prog_name, line); |
3445 | - exit(1); |
3446 | - } |
3447 | - } |
3448 | - if (in_table) { |
3449 | - fprintf(stderr, "%s: COMMIT expected at line %u\n", |
3450 | - prog_name, line + 1); |
3451 | - exit(1); |
3452 | - } |
3453 | - |
3454 | - fclose(in); |
3455 | - return 0; |
3456 | -} |
3457 | |
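Review bot: the overflow check `if (param_len >= sizeof(param_buffer))` is reached only in the final `else` for unquoted characters. Both `param_buffer[param_len++] = *curchar;` writes inside the `if (quote_open)` branch hit `continue` before it, so a quoted argument longer than the 1024-byte `param_buffer` is written past the end of a stack buffer. `param_buffer` is also declared inside the `for` body although its contents have to survive from one iteration to the next. Before this copy goes away, please confirm that the iptables-restore.c that remains in the tree checks the bound before every store (escaped, quoted and plain) and keeps the buffer outside the loop; if it does not, carry a patch for it.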
3458 | === removed directory '.pc/9006-lp1042260-fix-inverted-physdev.patch' |
3459 | === removed directory '.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions' |
3460 | === removed file '.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c' |
3461 | --- .pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c 2012-09-17 17:10:24 +0000 |
3462 | +++ .pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c 1970-01-01 00:00:00 +0000 |
3463 | @@ -1,148 +0,0 @@ |
3464 | -#include <stdio.h> |
3465 | -#include <xtables.h> |
3466 | -#include <linux/netfilter/xt_physdev.h> |
3467 | - |
3468 | -enum { |
3469 | - O_PHYSDEV_IN = 0, |
3470 | - O_PHYSDEV_OUT, |
3471 | - O_PHYSDEV_IS_IN, |
3472 | - O_PHYSDEV_IS_OUT, |
3473 | - O_PHYSDEV_IS_BRIDGED, |
3474 | -}; |
3475 | - |
3476 | -static void physdev_help(void) |
3477 | -{ |
3478 | - printf( |
3479 | -"physdev match options:\n" |
3480 | -" [!] --physdev-in inputname[+] bridge port name ([+] for wildcard)\n" |
3481 | -" [!] --physdev-out outputname[+] bridge port name ([+] for wildcard)\n" |
3482 | -" [!] --physdev-is-in arrived on a bridge device\n" |
3483 | -" [!] --physdev-is-out will leave on a bridge device\n" |
3484 | -" [!] --physdev-is-bridged it's a bridged packet\n"); |
3485 | -} |
3486 | - |
3487 | -#define s struct xt_physdev_info |
3488 | -static const struct xt_option_entry physdev_opts[] = { |
3489 | - {.name = "physdev-in", .id = O_PHYSDEV_IN, .type = XTTYPE_STRING, |
3490 | - .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physindev)}, |
3491 | - {.name = "physdev-out", .id = O_PHYSDEV_OUT, .type = XTTYPE_STRING, |
3492 | - .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physoutdev)}, |
3493 | - {.name = "physdev-is-in", .id = O_PHYSDEV_IS_IN, .type = XTTYPE_NONE}, |
3494 | - {.name = "physdev-is-out", .id = O_PHYSDEV_IS_OUT, |
3495 | - .type = XTTYPE_NONE}, |
3496 | - {.name = "physdev-is-bridged", .id = O_PHYSDEV_IS_BRIDGED, |
3497 | - .type = XTTYPE_NONE}, |
3498 | - XTOPT_TABLEEND, |
3499 | -}; |
3500 | -#undef s |
3501 | - |
3502 | -static void physdev_parse(struct xt_option_call *cb) |
3503 | -{ |
3504 | - struct xt_physdev_info *info = cb->data; |
3505 | - |
3506 | - xtables_option_parse(cb); |
3507 | - switch (cb->entry->id) { |
3508 | - case O_PHYSDEV_IN: |
3509 | - xtables_parse_interface(cb->arg, info->physindev, |
3510 | - (unsigned char *)info->in_mask); |
3511 | - if (cb->invert) |
3512 | - info->invert |= XT_PHYSDEV_OP_IN; |
3513 | - info->bitmask |= XT_PHYSDEV_OP_IN; |
3514 | - break; |
3515 | - case O_PHYSDEV_OUT: |
3516 | - xtables_parse_interface(cb->arg, info->physoutdev, |
3517 | - (unsigned char *)info->out_mask); |
3518 | - if (cb->invert) |
3519 | - info->invert |= XT_PHYSDEV_OP_OUT; |
3520 | - info->bitmask |= XT_PHYSDEV_OP_OUT; |
3521 | - break; |
3522 | - case O_PHYSDEV_IS_IN: |
3523 | - info->bitmask |= XT_PHYSDEV_OP_ISIN; |
3524 | - if (cb->invert) |
3525 | - info->invert |= XT_PHYSDEV_OP_ISIN; |
3526 | - break; |
3527 | - case O_PHYSDEV_IS_OUT: |
3528 | - info->bitmask |= XT_PHYSDEV_OP_ISOUT; |
3529 | - if (cb->invert) |
3530 | - info->invert |= XT_PHYSDEV_OP_ISOUT; |
3531 | - break; |
3532 | - case O_PHYSDEV_IS_BRIDGED: |
3533 | - if (cb->invert) |
3534 | - info->invert |= XT_PHYSDEV_OP_BRIDGED; |
3535 | - info->bitmask |= XT_PHYSDEV_OP_BRIDGED; |
3536 | - break; |
3537 | - } |
3538 | -} |
3539 | - |
3540 | -static void physdev_check(struct xt_fcheck_call *cb) |
3541 | -{ |
3542 | - if (cb->xflags == 0) |
3543 | - xtables_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified"); |
3544 | -} |
3545 | - |
3546 | -static void |
3547 | -physdev_print(const void *ip, const struct xt_entry_match *match, int numeric) |
3548 | -{ |
3549 | - const struct xt_physdev_info *info = (const void *)match->data; |
3550 | - |
3551 | - printf(" PHYSDEV match"); |
3552 | - if (info->bitmask & XT_PHYSDEV_OP_ISIN) |
3553 | - printf("%s --physdev-is-in", |
3554 | - info->invert & XT_PHYSDEV_OP_ISIN ? " !":""); |
3555 | - if (info->bitmask & XT_PHYSDEV_OP_IN) |
3556 | - printf("%s --physdev-in %s", |
3557 | - (info->invert & XT_PHYSDEV_OP_IN) ? " !":"", info->physindev); |
3558 | - |
3559 | - if (info->bitmask & XT_PHYSDEV_OP_ISOUT) |
3560 | - printf("%s --physdev-is-out", |
3561 | - info->invert & XT_PHYSDEV_OP_ISOUT ? " !":""); |
3562 | - if (info->bitmask & XT_PHYSDEV_OP_OUT) |
3563 | - printf("%s --physdev-out %s", |
3564 | - (info->invert & XT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev); |
3565 | - if (info->bitmask & XT_PHYSDEV_OP_BRIDGED) |
3566 | - printf("%s --physdev-is-bridged", |
3567 | - info->invert & XT_PHYSDEV_OP_BRIDGED ? " !":""); |
3568 | -} |
3569 | - |
3570 | -static void physdev_save(const void *ip, const struct xt_entry_match *match) |
3571 | -{ |
3572 | - const struct xt_physdev_info *info = (const void *)match->data; |
3573 | - |
3574 | - if (info->bitmask & XT_PHYSDEV_OP_ISIN) |
3575 | - printf("%s --physdev-is-in", |
3576 | - (info->invert & XT_PHYSDEV_OP_ISIN) ? " !" : ""); |
3577 | - if (info->bitmask & XT_PHYSDEV_OP_IN) |
3578 | - printf("%s --physdev-in %s", |
3579 | - (info->invert & XT_PHYSDEV_OP_IN) ? " !" : "", |
3580 | - info->physindev); |
3581 | - |
3582 | - if (info->bitmask & XT_PHYSDEV_OP_ISOUT) |
3583 | - printf("%s --physdev-is-out", |
3584 | - (info->invert & XT_PHYSDEV_OP_ISOUT) ? " !" : ""); |
3585 | - if (info->bitmask & XT_PHYSDEV_OP_OUT) |
3586 | - printf("%s --physdev-out %s", |
3587 | - (info->invert & XT_PHYSDEV_OP_OUT) ? " !" : "", |
3588 | - info->physoutdev); |
3589 | - if (info->bitmask & XT_PHYSDEV_OP_BRIDGED) |
3590 | - printf("%s --physdev-is-bridged", |
3591 | - (info->invert & XT_PHYSDEV_OP_BRIDGED) ? " !" : ""); |
3592 | -} |
3593 | - |
3594 | -static struct xtables_match physdev_match = { |
3595 | - .family = NFPROTO_UNSPEC, |
3596 | - .name = "physdev", |
3597 | - .version = XTABLES_VERSION, |
3598 | - .size = XT_ALIGN(sizeof(struct xt_physdev_info)), |
3599 | - .userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)), |
3600 | - .help = physdev_help, |
3601 | - .print = physdev_print, |
3602 | - .save = physdev_save, |
3603 | - .x6_parse = physdev_parse, |
3604 | - .x6_fcheck = physdev_check, |
3605 | - .x6_options = physdev_opts, |
3606 | -}; |
3607 | - |
3608 | -void _init(void) |
3609 | -{ |
3610 | - xtables_register_match(&physdev_match); |
3611 | -} |
3612 | |
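Review bot: in `physdev_opts` only `physdev-in` and `physdev-out` carry `XTOPT_INVERT`. The `physdev-is-in`, `physdev-is-out` and `physdev-is-bridged` entries have `.type = XTTYPE_NONE` and no flags, although `physdev_help` advertises `[!]` for all five options and `physdev_parse` tests `cb->invert` in every case. This is the state 9006-lp1042260-fix-inverted-physdev.patch was carried to correct, so with its `.pc` directory removed please verify that extensions/libxt_physdev.c in the new upstream version sets `.flags = XTOPT_INVERT` on the three `is-*` options; otherwise keep the patch in the series.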
3613 | === removed directory '.pc/9006-lp1042260-fix-inverted-physdev.patch/tests' |
3614 | === removed file '.pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules' |
3615 | --- .pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules 2012-09-17 17:10:24 +0000 |
3616 | +++ .pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules 1970-01-01 00:00:00 +0000 |
3617 | @@ -1,193 +0,0 @@ |
3618 | -*filter |
3619 | -:INPUT ACCEPT [0:0] |
3620 | -:FORWARD ACCEPT [0:0] |
3621 | -:OUTPUT ACCEPT [0:0] |
3622 | -:matches - - |
3623 | -:ntarg - - |
3624 | -:zmatches - - |
3625 | --A INPUT -j matches |
3626 | --A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg |
3627 | --A INPUT -j zmatches |
3628 | --A INPUT -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY |
3629 | --A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m comment --comment foo -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr -m connmark --mark 0x99 -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -m cpu --cpu 2 -m dscp --dscp 0x04 -m dscp --dscp 0x00 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 -m helper --helper ftp -m iprange --src-range ::1-::2 --dst-range ::1-::2 -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -m length --length 1:2 -m limit --limit 1/sec -m mac --mac-source 01:02:03:04:05:06 -m mark --mark 0x1 -m physdev --physdev-in eth0 -m pkttype --pkt-type unicast -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 -m quota --quota 0 -m recent --rcheck --name DEFAULT --rsource -m socket --transparent -m string --string "foobar" --algo kmp --from 1 --to 2 --icase -m time --timestart 01:02:03 --timestop 03:04:05 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --utc -m tos --tos 0xff/0x01 -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0" -m hbh 
-m hbh -m hl --hl-eq 1 |
3630 | --A INPUT -m ipv6header --header hop-by-hop --soft |
3631 | --A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 |
3632 | --A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 |
3633 | --A INPUT -p tcp -m comment --comment foo |
3634 | --A INPUT -p tcp -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both |
3635 | --A INPUT -p tcp -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr |
3636 | --A INPUT -p tcp -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr |
3637 | --A INPUT -p tcp -m connmark --mark 0x99 |
3638 | --A INPUT -p tcp -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY |
3639 | --A INPUT -p tcp -m cpu --cpu 2 |
3640 | --A INPUT -p tcp -m dscp --dscp 0x04 |
3641 | --A INPUT -p tcp -m dscp --dscp 0x00 |
3642 | --A INPUT -p tcp -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 |
3643 | --A INPUT -p tcp -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 |
3644 | --A INPUT -p tcp -m helper --helper ftp |
3645 | --A INPUT -p tcp -m iprange --src-range ::1-::2 --dst-range ::1-::2 |
3646 | --A INPUT -p tcp -m length --length 1:2 |
3647 | --A INPUT -p tcp -m limit --limit 1/sec |
3648 | --A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06 |
3649 | --A INPUT -p tcp -m mark --mark 0x1 |
3650 | --A INPUT -p tcp -m physdev --physdev-in eth0 |
3651 | --A INPUT -p tcp -m pkttype --pkt-type unicast |
3652 | --A INPUT -p tcp -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 |
3653 | --A INPUT -p tcp -m quota --quota 0 |
3654 | --A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource |
3655 | --A INPUT -p tcp -m socket --transparent |
3656 | --A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase |
3657 | --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN |
3658 | --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN |
3659 | --A INPUT -p tcp -m tos --tos 0xff/0x01 |
3660 | --A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0" |
3661 | --A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft |
3662 | --A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict |
3663 | --A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1 |
3664 | --A INPUT -p dccp -m cpu --cpu 1 -m dccp --sport 1:2 --dport 3:4 -m cpu --cpu 1 |
3665 | --A INPUT -p udp -m cpu --cpu 1 -m udp --sport 1:2 --dport 3:4 -m cpu --cpu 1 |
3666 | --A INPUT -p sctp -m cpu --cpu 1 -m sctp --sport 1:2 --dport 3:4 --chunk-types all INIT,SACK -m cpu --cpu 1 |
3667 | --A INPUT -p esp -m esp --espspi 1:2 |
3668 | --A INPUT -p tcp -m multiport --dports 1,2 -m multiport --dports 1,2 |
3669 | --A INPUT -p tcp -m tcpmss --mss 1:2 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN |
3670 | --A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 |
3671 | --A INPUT |
3672 | --A INPUT -p mobility |
3673 | --A INPUT -p mobility -m mh --mh-type 3 |
3674 | --A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3 |
3675 | --A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both |
3676 | --A matches |
3677 | --A matches -m connbytes --connbytes :2 --connbytes-mode bytes --connbytes-dir both |
3678 | --A matches |
3679 | --A matches -m connbytes --connbytes 0:3 --connbytes-mode bytes --connbytes-dir both |
3680 | --A matches |
3681 | --A matches -m connbytes --connbytes 4: --connbytes-mode bytes --connbytes-dir both |
3682 | --A matches |
3683 | --A matches -m connbytes --connbytes 5:18446744073709551615 --connbytes-mode bytes --connbytes-dir both |
3684 | --A matches |
3685 | --A matches -m conntrack --ctexpire 1 |
3686 | --A matches |
3687 | --A matches -m conntrack --ctexpire :2 |
3688 | --A matches |
3689 | --A matches -m conntrack --ctexpire 0:3 |
3690 | --A matches |
3691 | --A matches -m conntrack --ctexpire 4: |
3692 | --A matches |
3693 | --A matches -m conntrack --ctexpire 5:4294967295 |
3694 | --A matches |
3695 | --A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9 |
3696 | --A matches |
3697 | --A matches -p esp -m esp --espspi 1 |
3698 | --A matches |
3699 | --A matches -p esp -m esp --espspi :2 |
3700 | --A matches |
3701 | --A matches -p esp -m esp --espspi 0:3 |
3702 | --A matches |
3703 | --A matches -p esp -m esp --espspi 4: |
3704 | --A matches |
3705 | --A matches -p esp -m esp --espspi 5:4294967295 |
3706 | --A matches |
3707 | --A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 |
3708 | --A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2 |
3709 | --A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3 |
3710 | --A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4 |
3711 | --A matches |
3712 | --A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 |
3713 | --A matches |
3714 | --A matches -m length --length 1 |
3715 | --A matches |
3716 | --A matches -m length --length :2 |
3717 | --A matches |
3718 | --A matches -m length --length 0:3 |
3719 | --A matches |
3720 | --A matches -m length --length 4: |
3721 | --A matches |
3722 | --A matches -m length --length 5:65535 |
3723 | --A matches |
3724 | --A matches -p tcp -m tcpmss --mss 1 |
3725 | --A matches |
3726 | --A matches -p tcp -m tcpmss --mss :2 |
3727 | --A matches |
3728 | --A matches -p tcp -m tcpmss --mss 0:3 |
3729 | --A matches |
3730 | --A matches -p tcp -m tcpmss --mss 4: |
3731 | --A matches |
3732 | --A matches -p tcp -m tcpmss --mss 5:65535 |
3733 | --A matches |
3734 | --A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz |
3735 | --A matches |
3736 | --A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz |
3737 | --A matches |
3738 | --A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 |
3739 | --A matches |
3740 | --A matches -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00 |
3741 | --A matches |
3742 | --A matches -m ah --ahspi 1 |
3743 | --A matches |
3744 | --A matches -m ah --ahspi :2 |
3745 | --A matches |
3746 | --A matches -m ah --ahspi 0:3 |
3747 | --A matches |
3748 | --A matches -m ah --ahspi 4: |
3749 | --A matches |
3750 | --A matches -m ah --ahspi 5:4294967295 |
3751 | --A matches |
3752 | --A matches -m frag --fragid 1 |
3753 | --A matches |
3754 | --A matches -m frag --fragid :2 |
3755 | --A matches |
3756 | --A matches -m frag --fragid 0:3 |
3757 | --A matches |
3758 | --A matches -m frag --fragid 4: |
3759 | --A matches |
3760 | --A matches -m frag --fragid 5:4294967295 |
3761 | --A matches |
3762 | --A matches -m rt --rt-segsleft 1 |
3763 | --A matches |
3764 | --A matches -m rt --rt-segsleft :2 |
3765 | --A matches |
3766 | --A matches -m rt --rt-segsleft 0:3 |
3767 | --A matches |
3768 | --A matches -m rt --rt-segsleft 4: |
3769 | --A matches |
3770 | --A matches -m rt --rt-segsleft 5:4294967295 |
3771 | --A matches |
3772 | --A ntarg -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options |
3773 | --A ntarg |
3774 | --A ntarg -j NFQUEUE --queue-num 1 |
3775 | --A ntarg |
3776 | --A ntarg -j NFQUEUE --queue-balance 8:99 |
3777 | --A ntarg |
3778 | --A ntarg -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms |
3779 | --A ntarg |
3780 | --A ntarg -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms |
3781 | --A ntarg |
3782 | -#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit |
3783 | -#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-bps 8bit |
3784 | -#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 8bit |
3785 | -#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-pps 5 |
3786 | -#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5 |
3787 | -#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-pps 5 |
3788 | -#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit |
3789 | -#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --bytes |
3790 | -#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --packets |
3791 | -#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit |
3792 | -#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit |
3793 | -#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9 |
3794 | -#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9 |
3795 | -#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9 |
3796 | -COMMIT |
3797 | -*mangle |
3798 | -:PREROUTING ACCEPT [0:0] |
3799 | -:INPUT ACCEPT [0:0] |
3800 | -:FORWARD ACCEPT [0:0] |
3801 | -:OUTPUT ACCEPT [0:0] |
3802 | -:POSTROUTING ACCEPT [0:0] |
3803 | -:matches - - |
3804 | -:ntarg - - |
3805 | -:zmatches - - |
3806 | --A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg |
3807 | --A ntarg -j HL --hl-inc 1 |
3808 | --A ntarg -j HL --hl-dec 1 |
3809 | --A ntarg |
3810 | -COMMIT |
3811 | |
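Review bot: the only physdev rule in this ruleset is `-m physdev --physdev-in eth0` (once inside the long combined `-A INPUT -p tcp` rule and once on its own), so nothing here takes a negated `--physdev-is-in`, `--physdev-is-out` or `--physdev-is-bridged` through a save/restore cycle. Please make sure the tests/options-most.rules that stays in the tree contains at least one inverted physdev rule, so that a regression of the inversion fix from 9006-lp1042260 would be caught by the test.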
3812 | === removed file '.pc/applied-patches' |
3813 | --- .pc/applied-patches 2012-09-17 17:10:24 +0000 |
3814 | +++ .pc/applied-patches 1970-01-01 00:00:00 +0000 |
3815 | @@ -1,8 +0,0 @@ |
3816 | -0101-changelog.patch |
3817 | -9000-howtos.patch |
3818 | -9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch |
3819 | -9002-libxt_recent-Add-support-for-reap-option.patch |
3820 | -9003-lp1020490.patch |
3821 | -9004-argv-is-null.patch |
3822 | -9005-lp1027252-fixrestore.patch |
3823 | -9006-lp1042260-fix-inverted-physdev.patch |
3824 | |
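Review bot: dropping these eight entries needs a per-patch justification, and several of them are bug fixes rather than packaging tweaks: 9003-lp1020490, 9004-argv-is-null, 9005-lp1027252-fixrestore and 9006-lp1042260-fix-inverted-physdev. Please state in debian/changelog, patch by patch, whether each one is included in the new upstream version, refreshed against it, or dropped on purpose, and keep debian/patches/series consistent with that.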
3825 | === removed file 'Changelog' |
3826 | --- Changelog 2012-07-20 15:45:01 +0000 |
3827 | +++ Changelog 1970-01-01 00:00:00 +0000 |
3828 | @@ -1,2992 +0,0 @@ |
3829 | -iptables v1.4.12 Changelog: |
3830 | -====================================================================== |
3831 | -Changes from 1.4.11.1: |
3832 | - |
3833 | - |
3834 | - |
3835 | -Fernando Luis Vazquez Cao (1): |
3836 | - doc: document IPv6 TOS mangling bug in old Linux kernels |
3837 | - |
3838 | -Jakub Zawadzki (1): |
3839 | - doc: fix group range in libxt_NFLOG's man |
3840 | - |
3841 | -Jan Engelhardt (23): |
3842 | - doc: include matches/targets in manpage again |
3843 | - libipt_LOG: fix ignoring all but last flags |
3844 | - libxt_RATEEST: use guided option parser |
3845 | - iptables: consolidate target/match init call |
3846 | - extensions: support for per-extension instance "global" variable space |
3847 | - libxt_rateest: abolish global variables |
3848 | - libxt_RATEEST: abolish global variables |
3849 | - libip6t_HL: fix option names from ttl -> hl |
3850 | - libxt_state: fix regression about inversion of main option |
3851 | - libxt_hashlimit: use a more obvious expiry value by default |
3852 | - build: bump soversion for recent data structure change |
3853 | - build: attempt to fix building under Linux 2.4 |
3854 | - doc: mention multiple verbosity flags |
3855 | - build: install modules in arch-dependent location |
3856 | - doc: fix version string in ip6tables.8 |
3857 | - doc: the -m option cannot be inverted |
3858 | - iptables: restore negation for -f |
3859 | - libxtables: properly reject empty hostnames |
3860 | - libxtables: ignore whitespace in the multiaddress argument parser |
3861 | - option: remove last traces of intrapositional negation |
3862 | - libxtables: set clone's initial data to NULL |
3863 | - libxt_conntrack: restore network-byte order for v1,v2 |
3864 | - libxt_conntrack: move more data into the xt_option_entry |
3865 | - |
3866 | -Jiri Popelka (5): |
3867 | - iptables: Coverity: DEADCODE |
3868 | - iptables: Coverity: NEGATIVE_RETURNS |
3869 | - iptables: Coverity: REVERSE_INULL |
3870 | - iptables: Coverity: VARARGS |
3871 | - iptables: Coverity: RESOURCE_LEAK |
3872 | - |
3873 | -Martin F. Krafft (1): |
3874 | - iptables-apply: select default rule file depending on call name |
3875 | - |
3876 | -Massimo Maggi (1): |
3877 | - libxt_RATEEST: fix userspacesize field |
3878 | - |
3879 | -Patrick McHardy (4): |
3880 | - Merge branch 'master' of git://dev.medozas.de/iptables |
3881 | - Merge branch 'master' of git://dev.medozas.de/iptables |
3882 | - Merge branch 'master' of git://dev.medozas.de/iptables |
3883 | - Bump version to 1.4.12 |
3884 | - |
3885 | - |
3886 | -iptables v1.4.11.1 Changelog: |
3887 | -====================================================================== |
3888 | -Changes from 1.4.11: |
3889 | - |
3890 | - |
3891 | -Elie De Brauwer (1): |
3892 | - doc: fix trivial typo in libipt_SNAT |
3893 | - |
3894 | -Jan Engelhardt (13): |
3895 | - libxt_owner: restore inversion support |
3896 | - build: remove dead code parts |
3897 | - build: fix installation of symlinks |
3898 | - build: fix absence of xml translator in IPv6-only builds |
3899 | - doc: update GPL license text |
3900 | - doc: iptables-xml should be in manpage section 1 |
3901 | - build: move basic preprocessor flags to regular_CPPFLAGS |
3902 | - build: move kinclude's preprocessor flags to kinclude_CPPFLAGS |
3903 | - src: move all libiptc pieces into its directory |
3904 | - src: move all iptables pieces into a separate directory |
3905 | - tests: add some sample rulesets to test save-restore cycle |
3906 | - option: fix ignored negation before implicit extension loading |
3907 | - build: re-add missing CPPFLAGS for libiptc |
3908 | - |
3909 | -Maciej Żenczykowski (1): |
3910 | - xtables-multi: fix absence of xml translator in IPv6-only builds |
3911 | - |
3912 | -Mike Frysinger (1): |
3913 | - build: move remaining preprocessor flags to CPPFLAGS |
3914 | - |
3915 | -Patrick McHardy (1): |
3916 | - Bump version to 1.4.11.1 |
3917 | - |
3918 | -Vlad Dogaru (1): |
3919 | - doc: fix MASQUERADE section of man page |
3920 | - |
3921 | - |
3922 | - |
3923 | -iptables v1.4.11 Changelog: |
3924 | -====================================================================== |
3925 | -Changes from 1.4.10: |
3926 | - |
3927 | - |
3928 | -Changli Gao (1): |
3929 | - iptables: fix the dead loop when meeting unknown options |
3930 | - |
3931 | -Florian Westphal (3): |
3932 | - libxt_conntrack: fix --ctdir save/dump output format |
3933 | - libxt_time: fix random --datestart skips |
3934 | - extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option |
3935 | - |
3936 | -JP Abgrall (1): |
3937 | - libxt_quota: make sure uint64 is not truncated |
3938 | - |
3939 | -Jan Engelhardt (218): |
3940 | - libxtables: change option precedence order to be intuitive |
3941 | - libxt_TOS: avoid an undesired overflowing computation |
3942 | - iptables: fix longopt reecognition and workaround getopt(3) behavior |
3943 | - Revert "Revert "libxtables: change option precedence order to be intuitive"" |
3944 | - Merge branch 'master' of git://dev.medozas.de/iptables into m2 |
3945 | - iptables: reset options at the start of each command |
3946 | - iptables: do not emit orig_opts twice |
3947 | - include: update files with headers from Linux 2.6.37-rc1 |
3948 | - TPROXY: add support for revision 1 |
3949 | - socket: add support for revision 1 |
3950 | - build: fix globbing of extensions in other locales |
3951 | - libxt_owner: output numeric IDs when save is requested |
3952 | - Merge commit 'v1.4.10' |
3953 | - build: stop on error in subcommand |
3954 | - src: const annotations |
3955 | - xt_comment: remove redundant cast |
3956 | - src: use C99/POSIX types |
3957 | - iptables: abort on empty interface specification |
3958 | - xtables: reorder num_old substraction for clarity |
3959 | - ip[6]tables: only call match's parse function when option char is in range |
3960 | - ip[6]tables: only call target's parse function when option char is in range |
3961 | - extensions: remove no longer necessary default: cases |
3962 | - libxt_sctp: fix a typo |
3963 | - libipt_CLUSTERIP: const annotations |
3964 | - libxtables: do some option structure checking |
3965 | - libxt_quota: print negation when it has been selected |
3966 | - libxt_connlimit: reword help text to say prefix length |
3967 | - libxt_connlimit: add a --connlimit-upto option |
3968 | - libxt_connlimit: support for dstaddr-supporting revision 1 |
3969 | - libxt_connlimit: remove duplicate member that caused size change |
3970 | - libxt_quota: clarifications on matching |
3971 | - iptables: improve error reporting with extension loading troubles |
3972 | - libxt_u32: enclose argument in quotes |
3973 | - xtables: set custom opts to NULL on free |
3974 | - iptables: warn when parameter limit is exceeded |
3975 | - iptables: remove bogus address-of |
3976 | - iptables: remove more redundant casts |
3977 | - iptables: do not print trailing whitespaces |
3978 | - src: collect do_command variables in a struct |
3979 | - src: move large default: block from do_command6 into its own function |
3980 | - src: share iptables_command_state across the two programs |
3981 | - src: deduplicate find_proto function |
3982 | - src: move OPT_FRAGMENT to the end so the list can be shared |
3983 | - src: put shared option flags into xshared |
3984 | - src: deduplicate and simplify implicit protocol extension loading |
3985 | - src: unclutter command_default function |
3986 | - src: move jump option handling from do_command6 into its own function |
3987 | - src: move match option handling from do_command6 into its own functions |
3988 | - iptables: fix error message for unknown options |
3989 | - iptables: fix segfault target option parsing |
3990 | - ip6tables: spacing fixes for -o argument |
3991 | - libxt_devgroup: option whitespace update following v1.4.10-49-g7386635 |
3992 | - extensions: fix indent of vtable |
3993 | - doc: fix wrong sentence about negation in xt_limit |
3994 | - doc: fix misspelling of "field" |
3995 | - extensions: remove redundant init functions |
3996 | - Remove unused CVS expanded keywords |
3997 | - libip6t_dst: remove unimplemented --dst-not-strict |
3998 | - libip6t_hbh: remove unimplemented --hbh-not-strict |
3999 | - extensions: add missing checks for specific flags |
4000 | - libipt_ECN: set proper option flags |
4001 | - doc: mention other possible nf_loggers for TRACE |
4002 | - doc: fix odd partial sentence in libipt_TTL |
4003 | - libxt_quota: require --quota to be specified |
4004 | - doc: rateest options can be optional |
4005 | - libxtables: fix memory scribble beyond end of array |
4006 | - iptables: fix an inversion |
4007 | - doc: add VERSION section to manpages |
4008 | - extensions: add missing checks for specific flags (2) |
4009 | - libxtables: guided option parser |
4010 | - libxt_CHECKSUM: use guided option parser |
4011 | - libxt_socket: use guided option parser |
4012 | - libxtables: provide better final_check |
4013 | - libxt_CONNSECMARK: use guided option parser |
4014 | - libxtables: XTTYPE_UINT32 support |
4015 | - libxt_cpu: use guided option parser |
4016 | - libxtables: min-max option support |
4017 | - libxt_cluster: use guided option parser |
4018 | - libxtables: XTTYPE_UINT8 support |
4019 | - libip[6]t_HL: use guided option parser |
4020 | - libip[6]t_hl: use guided option parser |
4021 | - libxtables: XTTYPE_UINT32RC support |
4022 | - libip[6]t_ah: use guided option parser |
4023 | - libip6t_frag: use guided option parser |
4024 | - libxt_esp: use guided option parser |
4025 | - libxtables: XTTYPE_STRING support |
4026 | - libip[6]t_REJECT: use guided option parser |
4027 | - libip6t_dst: use guided option parser |
4028 | - libip6t_hbh: use guided option parser |
4029 | - libip[6]t_icmp: use guided option parser |
4030 | - libip6t_ipv6header: use guided option parser |
4031 | - libipt_ECN: use guided option parser |
4032 | - libipt_addrtype: use guided option parser |
4033 | - libxt_AUDIT: use guided option parser |
4034 | - libxt_CLASSIFY: use guided option parser |
4035 | - libxt_DSCP: use guided option parser |
4036 | - libxt_LED: use guided option parser |
4037 | - libxt_SECMARK: use guided option parser |
4038 | - libxt_TCPOPTSTRIP: use guided option parser |
4039 | - libxt_comment: use guided option parser |
4040 | - libxt_helper: use guided option parser |
4041 | - libxt_physdev: use guided option parser |
4042 | - libxt_pkttype: use guided option parser |
4043 | - libxt_state: use guided option parser |
4044 | - libxt_time: use guided option parser |
4045 | - libxt_u32: use guided option parser |
4046 | - doc: avoid duplicate entries in manpage |
4047 | - libxtables: XTTYPE_MARKMASK32 support |
4048 | - libxt_MARK: use guided option parser |
4049 | - libxt_CONNMARK: use guided option parser |
4050 | - libxtables: XTTYPE_UINT64 support |
4051 | - libxt_quota: use guided option parser |
4052 | - libxtables: linked-list name<->id map |
4053 | - libxt_devgroup: use guided option parser |
4054 | - libipt_realm: use guided option parser |
4055 | - libxtables: XTTYPE_UINT16RC support |
4056 | - libxt_length: use guided option parser |
4057 | - libxt_tcpmss: use guided option parser |
4058 | - libxtables: XTTYPE_UINT8RC support |
4059 | - libxtables: XTTYPE_UINT64RC support |
4060 | - libxt_connbytes: use guided option parser |
4061 | - libxtables: XTTYPE_UINT16 support |
4062 | - libxt_CT: use guided option parser |
4063 | - libxt_NFQUEUE: use guided option parser |
4064 | - libxt_TCPMSS: use guided option parser |
4065 | - libxtables: pass struct xt_entry_{match,target} to x6 parser |
4066 | - libxt_string: use guided option parser |
4067 | - libxtables: XTTYPE_SYSLOGLEVEL support |
4068 | - libip[6]t_LOG: use guided option parser |
4069 | - libxtables: XTTYPE_ONEHOST support |
4070 | - libxtables: XTTYPE_PORT support |
4071 | - libxt_TPROXY: use guided option parser |
4072 | - libipt_ULOG: use guided option parser |
4073 | - build: bump libxtables ABI version |
4074 | - libxt_TEE: use guided option parser |
4075 | - xtoptions: respect return value in xtables_getportbyname |
4076 | - libxt_TOS: use guided option parser |
4077 | - libxt_tos: use guided option parser |
4078 | - extensions: remove unused TOS code |
4079 | - libxtables: XTTYPE_PORTRC support |
4080 | - libxt_udp: use guided option parser |
4081 | - libxt_dccp: use guided option parser |
4082 | - libxt_tos: add inversion support back again |
4083 | - libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC) |
4084 | - libxt_u32: add missing call to xtables_option_parse |
4085 | - extensions: remove bogus use of XT_GETOPT_TABLEEND |
4086 | - libxt_owner: remove ifdef IPT_COMM_OWNER |
4087 | - libxtables: output name of extension on rev detect failure |
4088 | - extensions: const annotations |
4089 | - libxt_statistic: streamline and document possible placement of negation |
4090 | - libxt_statistic: increase precision on create and dump |
4091 | - libxtables: XTTYPE_DOUBLE support |
4092 | - libxt_statistic: use guided option parser |
4093 | - libxt_IDLETIMER: use guided option parser |
4094 | - libxt_NFLOG: use guided option parser |
4095 | - libxtables: support for XTTYPE_PLENMASK |
4096 | - libxt_connlimit: use guided option parser |
4097 | - libxt_recent: use guided option parser |
4098 | - libxtables: do not overlay addr and mask parts, and cleanup |
4099 | - libxtables: flag invalid uses of XTOPT_PUT |
4100 | - libxtables: XTTYPE_PLEN support |
4101 | - libxt_hashlimit: use guided option parser |
4102 | - libxtables: XTTYPE_HOSTMASK support |
4103 | - libxt_policy: use guided option parser |
4104 | - libxt_owner: use guided option parser |
4105 | - libxt_osf: use guided option parser |
4106 | - libxt_multiport: use guided option parser |
4107 | - libipt_NETMAP: use guided option parser |
4108 | - libxt_limit: use guided option parser |
4109 | - libxtables: XTTYPE_PROTOCOL support |
4110 | - libxt_ipvs: use guided option parser |
4111 | - doc: S/DNAT allows to omit IP addresses |
4112 | - libxt_conntrack: use guided option parser |
4113 | - libip6t_mh: use guided option parser |
4114 | - libip6t_rt: use guided option parser |
4115 | - libxtables: XTTYPE_ETHERMAC support |
4116 | - libxt_mac: use guided option parser |
4117 | - libipt_CLUSTERIP: use guided option parser |
4118 | - libxt_iprange: use guided option parser |
4119 | - libipt_DNAT: use guided option parser |
4120 | - libipt_SNAT: use guided option parser |
4121 | - libipt_MASQUERADE: use guided option parser |
4122 | - libipt_REDIRECT: use guided option parser |
4123 | - libipt_SAME: use guided option parser |
4124 | - src: replace old IP*T_ALIGN macros |
4125 | - src: combine default_command functions |
4126 | - libxt_policy: option table fixes, improved error tracking |
4127 | - libxtables: avoid running into .also checks when option not used |
4128 | - libxt_policy: use XTTYPE_PROTOCOL type |
4129 | - libxtables: collapse double protocol parsing |
4130 | - libipt_[SD]NAT: flag up module name on error |
4131 | - libipt_[SD]NAT: avoid false error about multiple destinations specified |
4132 | - libxt_conntrack: correct printed module name |
4133 | - libxt_conntrack: fix assignment to wrong member |
4134 | - libxt_conntrack: resolve erroneous rev-2 port range message |
4135 | - libip6t_rt: rt-0-not-strict should take no arg |
4136 | - libxtables: retract _NE types and use a flag instead |
4137 | - libxt_quota: readd missing XTOPT_PUT request |
4138 | - libxtables: check for negative numbers in xtables_strtou* |
4139 | - libxt_rateest: streamline case display of units |
4140 | - doc: add some coded option examples to libxt_hashlimit |
4141 | - doc: make usage of libxt_rateest more obvious |
4142 | - doc: clarify that -p all is a special keyword only |
4143 | - doc: use .IP list for TCPMSS |
4144 | - doc: remove redundant .IP calls in libxt_time |
4145 | - libxt_ipvs: restore network-byte order |
4146 | - libxt_u32: --u32 option is required |
4147 | - libip6t_rt: restore --rt-type storing |
4148 | - libxtables: more detailed error message on multi-int parsing |
4149 | - libxtables: use uintmax for xtables_strtoul |
4150 | - libxtables: make multiint parser have greater range |
4151 | - libxtables: unclutter xtopt_parse_mint |
4152 | - libxtables: have xtopt_parse_mint interpret partially-spec'd ranges |
4153 | - libxt_NFQUEUE: avoid double attempt at parsing |
4154 | - libxt_NFQUEUE: add mutual exclusion between qnum and qbal |
4155 | - libxt_time: always ignore libc timezone |
4156 | - libxt_time: --utc and --localtz are mutually exclusive |
4157 | - libxt_time: deprecate --localtz option, document kernel TZ caveats |
4158 | - |
4159 | -Jozsef Kadlecsik (3): |
4160 | - Fix listing/saving the new revision of the SET target |
4161 | - Fix set match/target direction parser |
4162 | - SET target revision 2 added |
4163 | - |
4164 | -Li Yewang (1): |
4165 | - xtables: fix typo in error message of xtables_register_match() |
4166 | - |
4167 | -Lutz Jaenicke (2): |
4168 | - libipt_REDIRECT: "--to-ports" is not mandatory |
4169 | - libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags |
4170 | - |
4171 | -Maciej Zenczykowski (20): |
4172 | - man pages: allow underscores in match and target names |
4173 | - mark newly opened fds as FD_CLOEXEC (close on exec) |
4174 | - xtables_ip6addr_to_numeric: fix typo in comment |
4175 | - xtables: delay (statically built) match/target initialization |
4176 | - v4: rename init_extensions() to init_extensions4() |
4177 | - v6: rename init_extensions() to init_extensions6() |
4178 | - xtables.h: init_extensions() no longer exists |
4179 | - v4: rename for_each_chain() to for_each_chain4() |
4180 | - v6: rename for_each_chain() to for_each_chain6() |
4181 | - v4: rename flush_entries() to flush_entries4() |
4182 | - v6: rename flush_entries() to flush_entries6() |
4183 | - v4: rename delete_chain() to delete_chain4() |
4184 | - v6: rename delete_chain() to delete_chain6() |
4185 | - v4: rename print_rule() to print_rule4() |
4186 | - v6: rename print_rule() to print_rule6() |
4187 | - v4: rename do_command() to do_command4() |
4188 | - v6: rename do_command() to do_command6() |
4189 | - move 'int line' definition from ip6?tables.c into xtables.c |
4190 | - convert ip6?tables-multi to actually use their own header files |
4191 | - Don't load ip6?_tables module when already loaded |
4192 | - |
4193 | -Maciej Żenczykowski (3): |
4194 | - Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}. |
4195 | - Move common parts of libext{4,6}.a into libext.a |
4196 | - combine ip6?tables-multi into xtables-multi |
4197 | - |
4198 | -Mark Montague (1): |
4199 | - iptables: documentation for iptables and ip6tables "security" tables |
4200 | - |
4201 | -Max Kellerman (1): |
4202 | - xtables: use strspn() to check if string needs to be quoted |
4203 | - |
4204 | -Pablo Neira Ayuso (1): |
4205 | - libxt_cluster: fix inversion in the cluster match |
4206 | - |
4207 | -Patrick McHardy (16): |
4208 | - Revert "libxtables: change option precedence order to be intuitive" |
4209 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4210 | - extensions: libxt_conntrack: add support for specifying port ranges |
4211 | - extensions: add extension for devgroup match |
4212 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4213 | - Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables |
4214 | - Merge branch 'opts' of git://dev.medozas.de/iptables |
4215 | - Merge branch 'opts' of git://dev.medozas.de/iptables |
4216 | - Merge branch 'floating/opts' of git://dev.medozas.de/iptables |
4217 | - Merge branch 'opts' of git://dev.medozas.de/iptables |
4218 | - Merge branch 'opts' of git://dev.medozas.de/iptables |
4219 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4220 | - Merge branch 'opts' of git://dev.medozas.de/iptables |
4221 | - Merge branch 'floating/opts' of git://dev.medozas.de/iptables |
4222 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4223 | - Bump version to 1.4.11 |
4224 | - |
4225 | -Rob Leslie (1): |
4226 | - iptables-restore: resolve confusing policy error message |
4227 | - |
4228 | -Stefan Tomanek (2): |
4229 | - ip(6)tables-multi: unify subcommand handling |
4230 | - iptables: add -C to check for existing rules |
4231 | - |
4232 | -Stephen Beahm (1): |
4233 | - libipt_REDIRECT: avoid dereference of uninitialized pointer |
4234 | - |
4235 | -Thomas Graf (2): |
4236 | - libxt_AUDIT: add AUDIT target |
4237 | - iptables: add manual page section for AUDIT target |
4238 | - |
4239 | -Wes Campaigne (4): |
4240 | - libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6 |
4241 | - xtables: fix excessive memory allocation in host_to_ipaddr |
4242 | - xtables: fix the broken detection/removal of redundant addresses |
4243 | - xtables: use all IPv6 addresses resolved from a hostname |
4244 | - |
4245 | - |
4246 | - |
4247 | -iptables v1.4.10 Changelog: |
4248 | -====================================================================== |
4249 | -Changes from 1.4.9: |
4250 | - |
4251 | - |
4252 | -Changli Gao (1): |
4253 | - libxt_quota: don't ignore the quota value on deletion |
4254 | - |
4255 | -Eric Dumazet (2): |
4256 | - extensions: REDIRECT: add random help |
4257 | - extension: add xt_cpu match |
4258 | - |
4259 | -Hannes Eder (1): |
4260 | - libxt_ipvs: user-space lib for netfilter matcher xt_ipvs |
4261 | - |
4262 | -Jan Engelhardt (11): |
4263 | - doc: let man(1) autoalign the text in xt_cpu |
4264 | - doc: remove extra empty line from xt_cpu |
4265 | - doc: minimal spelling updates to xt_cpu |
4266 | - all: consistent syntax use in struct option |
4267 | - doc: consistent use of markup |
4268 | - xtables: remove unnecessary cast |
4269 | - build: fix static linking |
4270 | - iptables-xml: resolve compiler warnings |
4271 | - iptables: limit chain name length to be consistent with targets |
4272 | - libiptc: build with -Wl,--no-as-needed |
4273 | - libiptc: add Libs.private to pkgconfig files |
4274 | - |
4275 | -Luciano Coelho (2): |
4276 | - extensions: add idletimer xt target extension |
4277 | - extensions: libxt_IDLETIMER: use xtables_param_act when checking options |
4278 | - |
4279 | -Michael S. Tsirkin (1): |
4280 | - extensions: libxt_CHECKSUM extension |
4281 | - |
4282 | -Patrick McHardy (6): |
4283 | - extensions: libipt_LOG/libip6t_LOG: support macdecode option |
4284 | - extensions: fix compilation of the new CHECKSUM target |
4285 | - Merge branch 'master' into iptables-next |
4286 | - Merge branch 'master' into iptables-next |
4287 | - Merge branch 'iptables-next' |
4288 | - Bump version to 1.4.10 |
4289 | - |
4290 | - |
4291 | - |
4292 | -iptables v1.4.9 Changelog: |
4293 | -====================================================================== |
4294 | -Changes from 1.4.8: |
4295 | - |
4296 | - |
4297 | -Adam Nielsen (1): |
4298 | - extensions: add the LED target |
4299 | - |
4300 | -Eric Dumazet (1): |
4301 | - extensions: REDIRECT: add random help |
4302 | - |
4303 | -Jan Engelhardt (10): |
4304 | - utils: add missing include flags to Makefile |
4305 | - doc: xt_string: correct copy-and-pasting in manpage |
4306 | - doc: xt_hashlimit: fix a typo |
4307 | - doc: xt_LED: nroff formatting requirements |
4308 | - includes: sync header files from Linux 2.6.35-rc1 |
4309 | - xtables: another try at chain name length checking |
4310 | - xtables: remove xtables_set_revision function |
4311 | - libxt_hashlimit: always print burst value |
4312 | - libxt_conntrack: do print netmask |
4313 | - xt_quota: also document negation |
4314 | - |
4315 | -Jozsef Kadlecsik (1): |
4316 | - libxt_set: new revision added |
4317 | - |
4318 | -Luciano Coelho (2): |
4319 | - extensions: libxt_rateest: fix typo in the man page |
4320 | - extensions: libxt_rateest: fix bps options for iptables-save |
4321 | - |
4322 | -Patrick McHardy (5): |
4323 | - Revert "Revert "Merge branch 'iptables-next'"" |
4324 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4325 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4326 | - Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables |
4327 | - Bump version to 1.4.9 |
4328 | - |
4329 | -Samuel Ortiz (1): |
4330 | - extensions: libxt_quota.c: Support option negation |
4331 | - |
4332 | -Shan Wei (2): |
4333 | - xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension |
4334 | - xt_sctp: support FORWARD_TSN chunk type |
4335 | - |
4336 | - |
4337 | - |
4338 | -iptables v1.4.8 Changelog: |
4339 | -====================================================================== |
4340 | -Changes from 1.4.7: |
4341 | - |
4342 | - |
4343 | -Dmitry V. Levin (3): |
4344 | - extensions: REDIRECT: fix --to-ports parser |
4345 | - iptables: add noreturn attribute to exit_tryhelp() |
4346 | - extensions: MASQUERADE: fix --to-ports parser |
4347 | - |
4348 | -Jan Engelhardt (9): |
4349 | - libxt_comment: avoid use of IPv4-specific examples |
4350 | - libxt_CT: add a manpage |
4351 | - iptables: correctly check for too-long chain/target/match names |
4352 | - doc: libxt_MARK: no longer restricted to mangle table |
4353 | - doc: remove claim that TCPMSS is limited to mangle |
4354 | - libxt_recent: add a missing space in output |
4355 | - doc: add manpage for libxt_osf |
4356 | - libxt_osf: import nfnl_osf program |
4357 | - extensions: add support for xt_TEE |
4358 | - |
4359 | -Karl Hiramoto (1): |
4360 | - iptables: optionally disable largefile support |
4361 | - |
4362 | -Pablo Neira Ayuso (1): |
4363 | - CT: fix --ctevents parsing |
4364 | - |
4365 | -Patrick McHardy (7): |
4366 | - extensions: add CT extension |
4367 | - libxt_CT: print conntrack zone in ->print/->save |
4368 | - Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next |
4369 | - xtables: fix compilation when debugging is enabled |
4370 | - Merge branch 'iptables-next' |
4371 | - Revert "Merge branch 'iptables-next'" |
4372 | - Bump version to 1.4.8 |
4373 | - |
4374 | -Simon Lodal (1): |
4375 | - libxt_conntrack: document --ctstate UNTRACKED |
4376 | - |
4377 | -Vincent Bernat (1): |
4378 | - iprange: fix xt_iprange v0 parsing |
4379 | - |
4380 | - |
4381 | - |
4382 | -iptables v1.4.7 Changelog: |
4383 | -====================================================================== |
4384 | -Changes from 1.4.6: |
4385 | - |
4386 | - |
4387 | -Dmitry V. Levin (1): |
4388 | - libip4tc: Add static qualifier to dump_entry() |
4389 | - |
4390 | -Jan Engelhardt (8): |
4391 | - libipq: build as shared library |
4392 | - recent: reorder cases in code (cosmetic cleanup) |
4393 | - doc: fix recent manpage to reflect actual supported syntax |
4394 | - doc: fix limit manpage to reflect actual supported syntax |
4395 | - doc: mention requirement of additional packages for ipset |
4396 | - policy: fix error message showing wrong option |
4397 | - includes: header updates |
4398 | - Lift restrictions on interface names |
4399 | - |
4400 | -Patrick McHardy (1): |
4401 | - iptables 1.4.7 |
4402 | - |
4403 | - |
4404 | - |
4405 | -iptables v1.4.6 Changelog: |
4406 | -====================================================================== |
4407 | -Changes from 1.4.5: |
4408 | - |
4409 | - |
4410 | -Jan Engelhardt (20): |
4411 | - iptables: manpage updates for augmented -Z syntax |
4412 | - doc: mention maximum mark size in manpages |
4413 | - Support for nommu arches |
4414 | - realm: remove static initializations |
4415 | - libiptc: remove unused functions |
4416 | - libiptc: avoid strict-aliasing warnings |
4417 | - iprange: do accept non-ranges for xt_iprange v1 |
4418 | - iprange: warn on reverse range |
4419 | - iprange: roll address parsing into a loop |
4420 | - iprange: do accept non-ranges for xt_iprange v1 (log) |
4421 | - iprange: warn on reverse range (log) |
4422 | - libiptc: fix wrong maptype of base chain counters on restore |
4423 | - iptables: fix undersized deletion mask creation |
4424 | - style: reduce indent in xtables_check_inverse |
4425 | - libxtables: hand argv to xtables_check_inverse |
4426 | - iptables/extensions: make bundled options work again |
4427 | - CONNMARK: print mark rules with mask 0xffffffff as set instead of xset |
4428 | - iptables: take masks into consideration for replace command |
4429 | - doc: explain experienced --hitcount limit |
4430 | - doc: name resolution clarification |
4431 | - |
4432 | -Mohit Mehta (1): |
4433 | - iptables: expose option to zero packet/byte counters for a specific rule |
4434 | - |
4435 | -Olaf Rempel (1): |
4436 | - build: restore --disable-ipv6 functionality on system w/o v6 headers |
4437 | - |
4438 | -Patrick McHardy (7): |
4439 | - Merge branch 'zero' of git://dev.medozas.de/iptables |
4440 | - MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark |
4441 | - DNAT: fix incorrect check during parsing |
4442 | - extensions: add osf extension |
4443 | - conntrack: fix --expires parsing |
4444 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4445 | - Bump version to v1.4.6 |
4446 | - |
4447 | -Tim Small (1): |
4448 | - doc: update TCPMSS manpage with Linux 2.6.25 changes |
4449 | - |
4450 | -sobtwmxt (1): |
4451 | - doc: fix typo in length manpage |
4452 | - |
4453 | - |
4454 | - |
4455 | -iptables v1.4.5 Changelog: |
4456 | -====================================================================== |
4457 | -Changes from 1.4.4: |
4458 | - |
4459 | - |
4460 | -Florian Westphal (1): |
4461 | - libxt_NFQUEUE: add new v1 version with queue-balance option |
4462 | - |
4463 | -Jan Engelhardt (18): |
4464 | - xt_conntrack: revision 2 for enlarged state_mask member |
4465 | - libxt_helper: fix invalid passed option to check_inverse |
4466 | - libiptc: split v4 and v6 |
4467 | - extensions: collapse registration structures |
4468 | - iptables: allow for parse-less extensions |
4469 | - iptables: allow for help-less extensions |
4470 | - extensions: remove empty help and parse functions |
4471 | - xtables: add multi-registration functions |
4472 | - extensions: collapse data variables to use multi-reg calls |
4473 | - xtables: warn of missing version identifier in extensions |
4474 | - COMMIT_NOTES: notice to check for soversion bumps |
4475 | - build: order of dependent libs is sensitive |
4476 | - multi binary: allow subcommand via argv[1] |
4477 | - build: fix struct size mismatch |
4478 | - build: combine iptables-multi and iptables-static |
4479 | - build: build only iptables-multi |
4480 | - Merge branch 'stable' |
4481 | - manpages: more fixes to minuses, hyphens, dashes |
4482 | - |
4483 | -Laurence J. Lane (1): |
4484 | - manpage: fix lintian warnings |
4485 | - |
4486 | -Michael Granzow (1): |
4487 | - iptables: accept multiple IP address specifications for -s, -d |
4488 | - |
4489 | -Patrick McHardy (2): |
4490 | - man: fix incorrect plural in libipt_set.man |
4491 | - Bump version number to 1.4.5 |
4492 | - |
4493 | -Trent W. Buck (1): |
4494 | - ipt_set: fix a typo in the manpage |
4495 | - |
4496 | - |
4497 | -iptables v1.4.4 Changelog: |
4498 | -====================================================================== |
4499 | -Changes from 1.4.3.2: |
4500 | - |
4501 | - |
4502 | -Frank Tobin (1): |
4503 | - libxt_tcp: fix a manpage syntax typo |
4504 | - |
4505 | -Ian Bruce (1): |
4506 | - libxt_tcp: manpage corrections and suggestions |
4507 | - |
4508 | -Jan Engelhardt (15): |
4509 | - Add new COMMIT_NOTES document |
4510 | - xtables: use extern "C" |
4511 | - extensions: add const qualifiers in print/save functions |
4512 | - iptables: replace open-coded sizeof by ARRAY_SIZE |
4513 | - addrtype: fix one manpage type |
4514 | - manpages: do not include v4-only modules in ip6tables manpage |
4515 | - libip6t_policy: remove redundant functions |
4516 | - policy: use direct xt_policy_info instead of ipt/ip6t |
4517 | - policy: merge ipv6 and ipv4 variant |
4518 | - build: fix manpage collection |
4519 | - extensions: use NFPROTO_UNSPEC for .family field |
4520 | - DNAT/SNAT: add manpage documentation for --persistent flag |
4521 | - extensions: remove redundant casts |
4522 | - iptables: close open file descriptors |
4523 | - manpages: markup corrections |
4524 | - |
4525 | -Jozsef Kadlecsik (1): |
4526 | - Updated set/SET match and target to support multiple ipset protocols. |
4527 | - |
4528 | -Pablo Neira Ayuso (2): |
4529 | - extensions: add `cluster' match support |
4530 | - xtables: fix segfault if incorrect protocol name is used |
4531 | - |
4532 | -Patrick McHardy (3): |
4533 | - SNAT/DNAT: add support for persistent multi-range NAT mappings |
4534 | - Merge branch 'stable' of git://dev.medozas.de/iptables |
4535 | - Bump version |
4536 | - |
4537 | -kd6lvw (1): |
4538 | - libxt_connlimit: initialize v6_mask |
4539 | - |
4540 | - |
4541 | - |
4542 | -iptables v1.4.3.2 Changelog: |
4543 | -====================================================================== |
4544 | -Changes from 1.4.3.1: |
4545 | - |
4546 | - |
4547 | -Jan Engelhardt (12): |
4548 | - libxt_tcpmss: fix an inversion while parsing --mss |
4549 | - iptables-multi: support "iptables-static" as a callable name |
4550 | - libxtables: reorder .version member |
4551 | - build: do not run ldconfig for DESTDIR installations |
4552 | - build: add configure option to disable ip6tables |
4553 | - build: add configure option to disable ipv4 iptables |
4554 | - libxtables: provide IPv6 zero address variable |
4555 | - iptables: print negation extrapositioned |
4556 | - Merge commit 'v1.4.3' |
4557 | - Merge branch 'plus' |
4558 | - CLASSIFY: document non-standard interpretation behavior |
4559 | - libxt_conntrack: properly output negation symbol |
4560 | - |
4561 | -Pablo Neira Ayuso (1): |
4562 | - build: bump version to 1.4.3.2 |
4563 | - |
4564 | - |
4565 | -iptables v1.4.3.1 Changelog: |
4566 | -====================================================================== |
4567 | -Changes from 1.4.3: |
4568 | - |
4569 | - |
4570 | -Jan Engelhardt (2): |
4571 | - iptables-save: minor corrections to the manpage markup |
4572 | - libxt_hashlimit: add missing space for iptables-save output |
4573 | - |
4574 | -Pablo Neira Ayuso (2): |
4575 | - build: bump version to 1.4.3.1 |
4576 | - iptables: refer to dmesg if we hit EINVAL |
4577 | - |
4578 | -Peter Volkov (2): |
4579 | - libxtables: fix compile error due to incomplete change |
4580 | - build: fix linker issue when LDFLAGS contains --as-needed |
4581 | - |
4582 | - |
4583 | - |
4584 | -iptables v1.4.3 Changelog: |
4585 | -====================================================================== |
4586 | -Changes from 1.4.2: |
4587 | - |
4588 | - |
4589 | -Bart De Schuymer (1): |
4590 | - man: fix physdev manpage |
4591 | - |
4592 | -Christian Perle (1): |
4593 | - libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff |
4594 | - |
4595 | -Christoph Paasch (1): |
4596 | - libiptc: avoid compile warnings for iptc_insert_chain |
4597 | - |
4598 | -Daniel Drake (1): |
4599 | - libxt_owner: add more spaces to output |
4600 | - |
4601 | -Eric Leblond (1): |
4602 | - xt_NFLOG: Set default NFLOG qthreshold to 0 |
4603 | - |
4604 | -Jamal Hadi Salim (12): |
4605 | - libxtables: Introduce global params structuring |
4606 | - libxtables: define xtables_free_opts() |
4607 | - libxtables: Add exit_error cb to xtables_globals |
4608 | - libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals |
4609 | - libxtables: Replace direct exit_error() calls inside libxtables |
4610 | - libxtables: simple aliasing macro for exit_error |
4611 | - libxtables: set names of programs |
4612 | - libxtables: add xtables_set_revision |
4613 | - libxtables: make iptables and ip6tables use xtables_free_opts |
4614 | - libxtables: consolidate merge_options into xtables_merge_options |
4615 | - libxtables: consolidate init calls into one function |
4616 | - libxtables: general follow-up cleanup |
4617 | - |
4618 | -Jan Engelhardt (84): |
4619 | - Move libipt_recent to libxt_recent |
4620 | - libxt_recent: add IPv6 support |
4621 | - manpage: use separate paragraphs for command syntax |
4622 | - manpage: explain what rule-specification is |
4623 | - libiptc: remove typedef indirection |
4624 | - libiptc: remove indirections |
4625 | - libiptc: remove unused iptc_get_raw_socket and iptc_check_packet |
4626 | - libiptc: use hex output for hookmask |
4627 | - libxt_conntrack: respect -n option during ruledump |
4628 | - libiptc: make sockfd a per-handle thing |
4629 | - libxt_conntrack: dump ctdir |
4630 | - src: reuse the global modprobe_program variable |
4631 | - src: use NFPROTO_ constants |
4632 | - src: remove inclusion of iptables.h |
4633 | - doc: fix a typo in libip6t_REJECT.man |
4634 | - libiptc: guard chain index allocation for different malloc implementations |
4635 | - src: remove unused include files |
4636 | - iptables-save: output ! in position according to manpage |
4637 | - rateest: guard against segfault |
4638 | - env: augment deprecation notice |
4639 | - build: resolve autotools suggestions |
4640 | - doc: put iptables version into manpage |
4641 | - doc: resynchronize markup in iptables,ip6tables.8.in |
4642 | - doc: escape minus sign in manpages |
4643 | - build: use regular = assignments in Makefile |
4644 | - build: remove non-portable rule |
4645 | - doc: escape minus sign in manpage (2) |
4646 | - doc: augment ICMP manpage by type/code syntax |
4647 | - src: remove redundant returns at end of void-returning functions |
4648 | - src: remove redundant casts |
4649 | - libxt_owner: use correct UID/GID boundaries |
4650 | - extensions: use UINT_MAX constants over open-coded bits (1/2) |
4651 | - extensions: use UINT_MAX constants over open-coded numbers (2/2) |
4652 | - libxtables: prefix/order - fw_xalloc |
4653 | - libxtables: prefix/order - modprobe and xtables.ko loading |
4654 | - libxtables: prefix/order - match/target loading |
4655 | - libxtables: prefix/order - libdir |
4656 | - libxtables: prefix/order - strtoui |
4657 | - libxtables: prefix/order - program_name |
4658 | - libxtables: prefix/order - param_act |
4659 | - libxtables: prefix/order - ipaddr/ipmask to ascii output |
4660 | - libxtables: prefix/order - ascii to ipaddr/ipmask input |
4661 | - libxtables: prefix - misc functions |
4662 | - libxtables: prefix - parse and escaped output func |
4663 | - libxtables: prefix/order - move check_inverse to xtables.c |
4664 | - libxtables: prefix/order - move parse_protocol to xtables.c |
4665 | - libbxtables: prefix names and order it #1 |
4666 | - libxtables: prefix names and order it #2 |
4667 | - libxtables: prefix names and order #3 |
4668 | - libxtables: move afinfo around |
4669 | - Merge branch 'origin/master' |
4670 | - libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable |
4671 | - build: move -ldl to proper LDADD |
4672 | - libxtables: remove unused XT_LIB_DIR macro |
4673 | - libxtables: decouple non-xtables parts from header |
4674 | - src: remove iptables_rule_match indirection macro |
4675 | - src: remove unused ipt_tryload macro |
4676 | - libxtables: move compat defines to xtables.c |
4677 | - src: consolidate duplicate code in iptables/internal.h |
4678 | - libxtables: use const for vars holding literals |
4679 | - libxt_string: fix undefined behavior/incorrect patlen calculation |
4680 | - libxtables: flush before fork |
4681 | - libipq: add missing doc for NF_ values |
4682 | - build: restructure Makefile for include/ directory |
4683 | - libipq: fix compile error |
4684 | - build: remove unneeded -ldl from iptables_xml_LDADD |
4685 | - libiptc: make library available as a shared library |
4686 | - build: trigger reconfigure when extensions/GNUmakefile.in changes |
4687 | - doc: do not put IPv4 doc into ip6tables.8 |
4688 | - doc: resynchronize manpage with in-code help |
4689 | - libxtables: inline and remove unused OPTION_OFFSET macro |
4690 | - libxtables: prefix exit_error to xtables_error |
4691 | - extensions: remove unwanted/add needed includes for IPv6 exts |
4692 | - extensions: remove unwanted/add needed includes for IPv4 exts |
4693 | - libxt_policy: use bounded strtoui |
4694 | - include: resynchronize headers with 2.6.29-rc5 |
4695 | - extensions: add missing limits.h include |
4696 | - iptables: turn deprecation warning into enforcing mode |
4697 | - Merge commit 'nf/master' |
4698 | - libxt_connbytes: minor manpage adustments |
4699 | - libxt_connbytes: document nf_ct_acct behavior |
4700 | - libxtables: add -I/-L flags to pkgconfig files |
4701 | - libxt_comment: output quotes must be escaped in |
4702 | - iptables-save: module loading corrections |
4703 | - |
4704 | -Jesper Dangaard Brouer (3): |
4705 | - libiptc: fix chain rename bug in libiptc |
4706 | - libiptc: fix whitespaces and typos |
4707 | - libiptc: give credits to my self |
4708 | - |
4709 | -Jirí Moravec (1): |
4710 | - libxt_TOS: fix compilation error |
4711 | - |
4712 | -KOVACS Krisztian (2): |
4713 | - Add iptables support for the TPROXY target |
4714 | - Add iptables support for the socket match |
4715 | - |
4716 | -Marc Fournier (1): |
4717 | - doc: fix option typo in libxt_multiport |
4718 | - |
4719 | -Pablo Neira Ayuso (5): |
4720 | - iptables: fix error reporting with wrong/missing arguments |
4721 | - state: report spaces in the state list parsing |
4722 | - iptables: refer to dmesg when we hit error |
4723 | - string: fix wrong pattern length calculation |
4724 | - iptables: fix broken options-merging during libxtables rework |
4725 | - |
4726 | -Patrick McHardy (5): |
4727 | - Add SCTP/DCCP support to NAT targets |
4728 | - Bump version to 1.4.3-rc1 |
4729 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4730 | - Merge branch 'master' of git://dev.medozas.de/iptables |
4731 | - Bump version to 1.4.3 |
4732 | - |
4733 | -Shaul Karl (1): |
4734 | - doc: fix one layout issue in iptables-restore.8 |
4735 | - |
4736 | -Stephen Hemminger (1): |
4737 | - iptables: Add limits.h to get INT_MIN, INT_MAX, ... |
4738 | - |
4739 | -Thomas Jarosch (2): |
4740 | - Fix compile error in libxt_iprange.c using gcc 4.3.2 |
4741 | - Fix compile warnings using gcc 4.3.2 |
4742 | - |
4743 | - |
4744 | -iptables v1.4.2 Changelog: |
4745 | -====================================================================== |
4746 | -Changes from 1.4.2-rc1: |
4747 | - |
4748 | -Jan Engelhard (1): |
4749 | - build: fix iptables-static build |
4750 | - |
4751 | -Jan Engelhardt (26): |
4752 | - build: do not install ip{,6}tables.h |
4753 | - Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables |
4754 | - manpages: name and markup fixes |
4755 | - src: remove dependency on libiptc headers |
4756 | - src: drop libiptc from installation |
4757 | - iptables-restore: fix segmentation fault with -tanything |
4758 | - libxt_recent: do not allow both --set and --rttl |
4759 | - Put xtables.c into its own library, libxtables.so |
4760 | - manpages: correct erroneous markup |
4761 | - physdev: remove extra space in output |
4762 | - Warn about use of DROP in nat table |
4763 | - Synchronize invert flag order with manpages |
4764 | - build: fix dependency tracking for xtables.h.in |
4765 | - build: fix initext.c dependency |
4766 | - manpages: add missing --rsource,--rdest options to libxt_recent.man |
4767 | - manpages: add missing rateest documentation |
4768 | - manpages: add missing rateest match documentation |
4769 | - libxt_mac: flatten casts in libxt_mac |
4770 | - libxt_iprange: fix option names |
4771 | - src: use regular includes |
4772 | - src: Update comments |
4773 | - build: prepare make tarball for git 1.6.0 |
4774 | - libxt_recent: do allow --rttl for --update |
4775 | - src: update comments part II |
4776 | - build: run ldconfig on `make install` |
4777 | - doc: remove mentions of NAT in ip6tables manpage |
4778 | - |
4779 | -Jesper Dangaard Brouer (1): |
4780 | - libiptc: remove old fixme |
4781 | - |
4782 | -Pablo Sebastian Greco (1): |
4783 | - mark: fix invalid iptables-save output |
4784 | - |
4785 | -Patrick McHardy (2): |
4786 | - manpages: fix another typo in tcp manpage |
4787 | - v1.4.2 |
4788 | - |
4789 | -Phil Oester (3): |
4790 | - iptables-save: fix hashlimit output |
4791 | - libxt_dscp: fix save of negated dscp match rules |
4792 | - src: Missing limits.h includes |
4793 | - |
4794 | -WANG Cong (1): |
4795 | - manpages: Fix a typo in tcp man page |
4796 | - |
4797 | - |
4798 | - |
4799 | -iptables v1.4.1-rc1 Changelog: |
4800 | -====================================================================== |
4801 | -Changes from 1.4.0: |
4802 | - |
4803 | -Peter Warasin: |
4804 | - Fix CONNMARK mask initialisation |
4805 | - |
4806 | -Jesper Dangaard Brouer: |
4807 | - Inline functions iptcc_is_builtin() and set_changed() |
4808 | - Introduce a counter for number of user defined chains |
4809 | - Solving scalability issue: for chain list "name" searching |
4810 | - |
4811 | -Patrick McHardy: |
4812 | - Add RATEEST target extension |
4813 | - Add rateest match extension |
4814 | - Remove obsolete file |
4815 | - Add netfilter.h |
4816 | - Remove compiler.h inclusions |
4817 | - Retry ruleset dump when kernel returns EAGAIN |
4818 | - |
4819 | -Pablo Neira Ayuso: |
4820 | - Cleanup several code wraparounds |
4821 | - Check for malloc() return value in merge_opts() |
4822 | - Check for merge_opts() return value |
4823 | - |
4824 | -Jan Engelhardt: |
4825 | - Converts the iptables build infrastructure to autotools |
4826 | - Introduce strtonum() |
4827 | - Introduce common error messages |
4828 | - Add libxt_owner |
4829 | - Add libxt_tos |
4830 | - Add libxt_TOS |
4831 | - Add libxt_MARK r2 |
4832 | - Add libxt_connmark r1 |
4833 | - Print warning when dlopen fails |
4834 | - Add libxt_conntrack r0 |
4835 | - Bunch o' renames |
4836 | - Rename overlapping function names |
4837 | - Add more libxt_hashlimit checks |
4838 | - Add libxt_mark r1 |
4839 | - Add libxt_iprange r0 |
4840 | - Add libxt_iprange r1 |
4841 | - Give preference to iptables header files |
4842 | - Build adjustments |
4843 | - Add libxt_CONNMARK revision 1 |
4844 | - Add libxt_conntrack revision 1 |
4845 | - libxt_owner: UID/GID range support |
4846 | - Fix compilation of iptables-static build |
4847 | - Correct the family member value of libxt_mark revision 1 |
4848 | - Makefile: add a "tarball" target |
4849 | - Drop -W from CFLAGS and some tiny code cleanups |
4850 | - Fix -Wshadow warnings and clean up xt_sctp.h |
4851 | - Update the libxt_owner manpage with the UID/GID-range feature |
4852 | - Fix all remaining warnings (missing declarations, missing prototypes) |
4853 | - xtables.h: move non-exported parts to internal.h |
4854 | - Add support for xt_hashlimit match revision 1 |
4855 | - Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR |
4856 | - manpages: fix broken markup (missing close tags) |
4857 | - manpages: grammar and spelling |
4858 | - manpages: update to reflect fine-grained control |
4859 | - configure: split --enable-libipq from --enable-devel |
4860 | - Import iptables-apply |
4861 | - Add all necessary header files - compilation fix for various cases |
4862 | - Install libiptc header files because xtables.h depends on it |
4863 | - iptables: use C99 lists for struct options |
4864 | - RATEEST: add manpage |
4865 | - Implement AF_UNSPEC as a wildcard for extensions |
4866 | - Combine ipt and ip6t manpages |
4867 | - Resolve warnings on 64-bit compile |
4868 | - Wrap dlopen code into NO_SHARED_LIBS |
4869 | - Remove support for compilation of conditional extensions |
4870 | - Resolve libipt_set warnings |
4871 | - Update documentation about building the package |
4872 | - configure.ac: AC_SUBST must be separate |
4873 | - Dynamically create xtables.h.in with version |
4874 | - configure.ac: remove already-defined variables |
4875 | - Remove old functions, constants |
4876 | - Properly initialize revision for ip6tables targets |
4877 | - Makefile.am: use PACKAGE_TARNAME |
4878 | - iptables out-of-tree build directory |
4879 | - |
4880 | -Sven Schnelle: |
4881 | - Add libxt_TCPOPTSTRIP |
4882 | - |
4883 | -Max Kellermann: |
4884 | - Fix REDIRECT manpage |
4885 | - Whitespace cleanup |
4886 | - Use size_t |
4887 | - Escape strings |
4888 | - Unescape parameters |
4889 | - Allow empty strings in argument parser |
4890 | - Fix gcc warnings |
4891 | - |
4892 | -Naohiro Ooiwa: |
4893 | - Fix define value of SCTP chunk type |
4894 | - |
4895 | -Filippo Zangheri: |
4896 | - Remove useless white spaces from iptables-xml manpages |
4897 | - |
4898 | -James King: |
4899 | - libxt_iprange: Fix IP validation logic |
4900 | - |
4901 | -Shan Wei: |
4902 | - iptables-save: remove unnecessary code |
4903 | - |
4904 | -Henrik Nordstrom: |
4905 | - Make iptables-restore usable over a pipe |
4906 | - Add support for --set-counters to iptables -P |
4907 | - iptables --list-rules command |
4908 | - iptables --list chain rulenum |
4909 | - Make --set-counters (-c) accept comma separated counters |
4910 | - |
4911 | -Jamie Strandboge: |
4912 | - Fix ip6tables dest address printing |
4913 | - |
4914 | - |
4915 | - |
4916 | -iptables v1.4.1.1 Changelog |
4917 | -===================================================================== |
4918 | - |
4919 | -Henrik Nordstrom (1): |
4920 | - iptables: fix printing of line numbers with --line-numbers arg |
4921 | - |
4922 | -Jan Engelhardt (3): |
4923 | - ip6tables: fix printing of ipv6 network masks |
4924 | - build: fix `make install` when --disable-shared is used |
4925 | - iprange: kernel flags were not set |
4926 | - |
4927 | -Patrick McHardy (1): |
4928 | - v1.4.1.1 |
4929 | - |
4930 | - |
4931 | - |
4932 | -iptables v1.4.1 Changelog |
4933 | -====================================================================== |
4934 | - |
4935 | -Filippo Zangheri (1): |
4936 | - removes useless white spaces from iptables-xml manpages. |
4937 | - |
4938 | -Gáspár Lajos (1): |
4939 | - iptables: use C99 lists for struct options |
4940 | - |
4941 | -Henrik Nordstrom (5): |
4942 | - Make iptables-restore usable over a pipe |
4943 | - Add support for --set-counters to iptables -P |
4944 | - iptables --list-rules command |
4945 | - iptables --list chain rulenum |
4946 | - Make --set-counters (-c) accept comma separated counters |
4947 | - |
4948 | -James King (1): |
4949 | - [IPTABLES]: libxt_iprange: Fix IP validation logic |
4950 | - |
4951 | -Jamie Strandboge (1): |
4952 | - fix ip6tables dest address printing |
4953 | - |
4954 | -Jan Engelhardt (55): |
4955 | - Converts the iptables build infrastructure to autotools. |
4956 | - Introduce strtonum(), which works like string_to_number(), but passes |
4957 | - common error messages |
4958 | - libxt_owner |
4959 | - libxt_tos |
4960 | - libxt_TOS |
4961 | - libxt_MARK r2 |
4962 | - libxt_connmark r1 |
4963 | - print warning when dlopen fails |
4964 | - libxt_conntrack r0 |
4965 | - bunch o' renames |
4966 | - rename overlapping function names |
4967 | - libxt_hashlimit checks |
4968 | - libxt_mark r1 |
4969 | - libxt_iprange r0 |
4970 | - libxt_iprange r1 |
4971 | - Give preference to iptables header files |
4972 | - Build adjustments |
4973 | - libxt_CONNMARK revision 1 |
4974 | - [IPTABLES]: libxt_conntrack revision 1 |
4975 | - [IPTABLES]: libxt_owner: UID/GID range support |
4976 | - Fix compilation of iptables-static build |
4977 | - Correct the family member value of libxt_mark revision 1 |
4978 | - Makefile: add a "tarball" target |
4979 | - Drop -W from CFLAGS and some tiny code cleanups |
4980 | - Fix -Wshadow warnings and clean up xt_sctp.h |
4981 | - Update the libxt_owner manpage with the UID/GID-range feature |
4982 | - Fix all remaining warnings (missing declarations, missing prototypes) |
4983 | - xtables.h: move non-exported parts to internal.h |
4984 | - Add support for xt_hashlimit match revision 1 |
4985 | - Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR |
4986 | - manpages: fix broken markup (missing close tags) |
4987 | - manpages: grammar and spelling |
4988 | - manpages: update to reflect fine-grained control |
4989 | - configure: split --enable-libipq from --enable-devel |
4990 | - Add all necessary header files - compilation fix for various cases |
4991 | - Install libiptc header files because xtables.h depends on it |
4992 | - RATEEST: add manpage |
4993 | - Implement AF_UNSPEC as a wildcard for extensions |
4994 | - Combine ipt and ip6t manpages |
4995 | - Resolve warnings on 64-bit compile |
4996 | - Wrap dlopen code into NO_SHARED_LIBS |
4997 | - Remove support for compilation of conditional extensions |
4998 | - Resolve libipt_set warnings |
4999 | - Update documentation about building the package |
5000 | - configure.ac: AC_SUBST must be separate |
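Review bot: The removal of the release-history sections in this stretch (the tail of the 1.4.3 entries, then v1.4.2, v1.4.1-rc1, v1.4.1.1 and v1.4.1) needs a stated reason. Every visible line here is a deletion with no replacement. Please confirm that the file is absent from the new upstream tarball rather than dropped during the import, and say so in the packaging changelog. These entries record which release carried fixes such as "iptables-restore: fix segmentation fault with -tanything" and "Check for malloc() return value in merge_opts()", which is what someone checking a backport would look up. The view is cut off after this line, so the rest of the change could not be checked here.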
The diff has been truncated for viewing.
This version is also in Debian unstable so this should really be a merge from Debian rather than a direct new upstream version in Ubuntu.
Disapproving; please prepare as merge instead.
Thanks.