Merge lp:~bkerensa/ubuntu/raring/iptables/new-upstream-version into lp:ubuntu/raring/iptables

Proposed by Benjamin Kerensa
Status: Work in progress
Proposed branch: lp:~bkerensa/ubuntu/raring/iptables/new-upstream-version
Merge into: lp:ubuntu/raring/iptables
Diff against target: 71811 lines (+28020/-33748)
209 files modified
.gitignore (+6/-23)
.pc/9000-howtos.patch/Makefile.am (+0/-26)
.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h (+0/-38)
.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c (+0/-203)
.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man (+0/-104)
.pc/9003-lp1020490.patch/extensions/libxt_conntrack.c (+0/-1102)
.pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c (+0/-465)
.pc/9004-argv-is-null.patch/iptables/iptables-restore.c (+0/-470)
.pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c (+0/-465)
.pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c (+0/-470)
.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c (+0/-148)
.pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules (+0/-193)
.pc/applied-patches (+0/-8)
Changelog (+0/-2992)
Makefile.am (+6/-2)
Makefile.in (+84/-36)
aclocal.m4 (+113/-30)
autogen.sh (+1/-1)
build-aux/ar-lib (+270/-0)
build-aux/compile (+343/-0)
build-aux/config.guess (+1530/-0)
build-aux/config.sub (+1782/-0)
build-aux/depcomp (+708/-0)
build-aux/install-sh (+527/-0)
build-aux/ltmain.sh (+9661/-0)
build-aux/missing (+331/-0)
compile (+0/-143)
config.guess (+0/-1502)
config.h.in (+3/-0)
config.sub (+0/-1714)
configure (+2406/-1130)
configure.ac (+20/-4)
debian/changelog (+6/-0)
depcomp (+0/-630)
extensions/.gitignore (+9/-0)
extensions/GNUmakefile.in (+65/-59)
extensions/libip6t_dst.c (+3/-0)
extensions/libip6t_frag.c (+24/-0)
extensions/libip6t_hbh.c (+1/-0)
extensions/libipt_CLUSTERIP.c (+2/-2)
extensions/libipt_DNAT.c (+10/-7)
extensions/libipt_SAME.c (+14/-10)
extensions/libipt_SNAT.c (+10/-7)
extensions/libipt_ULOG.c (+2/-2)
extensions/libipt_addrtype.c (+0/-308)
extensions/libipt_addrtype.man (+0/-69)
extensions/libipt_ecn.c (+0/-137)
extensions/libipt_ecn.man (+0/-11)
extensions/libipt_realm.c (+5/-5)
extensions/libipt_ttl.c (+1/-1)
extensions/libipt_ttl.man (+1/-1)
extensions/libxt_CONNSECMARK.c (+1/-1)
extensions/libxt_CT.c (+162/-12)
extensions/libxt_CT.man (+5/-0)
extensions/libxt_HMARK.c (+450/-0)
extensions/libxt_HMARK.man (+60/-0)
extensions/libxt_LED.c (+5/-2)
extensions/libxt_NFQUEUE.c (+1/-1)
extensions/libxt_NOTRACK.c (+0/-15)
extensions/libxt_NOTRACK.man (+2/-4)
extensions/libxt_SET.c (+3/-10)
extensions/libxt_SET.man (+8/-9)
extensions/libxt_TCPMSS.c (+31/-31)
extensions/libxt_TEE.c (+28/-28)
extensions/libxt_TOS.man (+4/-4)
extensions/libxt_TRACE.man (+1/-1)
extensions/libxt_addrtype.c (+300/-0)
extensions/libxt_addrtype.man (+69/-0)
extensions/libxt_connbytes.c (+25/-17)
extensions/libxt_connlimit.man (+2/-1)
extensions/libxt_conntrack.c (+207/-9)
extensions/libxt_conntrack.man (+9/-9)
extensions/libxt_dccp.c (+12/-7)
extensions/libxt_dccp.man (+1/-1)
extensions/libxt_devgroup.c (+32/-40)
extensions/libxt_devgroup.man (+7/-0)
extensions/libxt_dscp.c (+3/-2)
extensions/libxt_ecn.c (+138/-0)
extensions/libxt_ecn.man (+11/-0)
extensions/libxt_hashlimit.c (+196/-40)
extensions/libxt_hashlimit.man (+15/-4)
extensions/libxt_limit.c (+14/-5)
extensions/libxt_nfacct.c (+89/-0)
extensions/libxt_nfacct.man (+30/-0)
extensions/libxt_owner.c (+2/-1)
extensions/libxt_policy.c (+1/-2)
extensions/libxt_rateest.c (+34/-21)
extensions/libxt_recent.c (+165/-30)
extensions/libxt_recent.man (+6/-2)
extensions/libxt_rpfilter.c (+96/-0)
extensions/libxt_rpfilter.man (+38/-0)
extensions/libxt_set.c (+101/-8)
extensions/libxt_set.h (+7/-0)
extensions/libxt_set.man (+8/-3)
extensions/libxt_state.c (+0/-137)
extensions/libxt_state.man (+6/-22)
extensions/libxt_string.c (+8/-12)
extensions/libxt_tcp.c (+3/-6)
extensions/libxt_u32.c (+6/-10)
howtos/Makefile (+0/-10)
howtos/NAT-HOWTO.sgml (+0/-609)
howtos/netfilter-extensions-HOWTO.sgml (+0/-1781)
howtos/netfilter-hacking-HOWTO.sgml (+0/-1978)
howtos/packet-filtering-HOWTO.sgml (+0/-1339)
include/Makefile.am (+2/-2)
include/Makefile.in (+61/-22)
include/ip6tables.h (+5/-5)
include/iptables.h (+8/-16)
include/libiptc/libip6tc.h (+57/-55)
include/libiptc/libiptc.h (+56/-54)
include/libiptc/xtcshared.h (+20/-0)
include/linux/kernel.h (+0/-33)
include/linux/netfilter.h (+15/-5)
include/linux/netfilter/ipset/ip_set.h (+227/-0)
include/linux/netfilter/nf_conntrack_common.h (+14/-0)
include/linux/netfilter/nf_conntrack_tuple_common.h (+1/-2)
include/linux/netfilter/x_tables.h (+5/-0)
include/linux/netfilter/xt_CT.h (+14/-0)
include/linux/netfilter/xt_HMARK.h (+50/-0)
include/linux/netfilter/xt_TCPOPTSTRIP.h (+2/-0)
include/linux/netfilter/xt_TPROXY.h (+2/-0)
include/linux/netfilter/xt_addrtype.h (+44/-0)
include/linux/netfilter/xt_cluster.h (+2/-0)
include/linux/netfilter/xt_connbytes.h (+2/-2)
include/linux/netfilter/xt_connlimit.h (+2/-0)
include/linux/netfilter/xt_ecn.h (+33/-0)
include/linux/netfilter/xt_hashlimit.h (+5/-1)
include/linux/netfilter/xt_nfacct.h (+17/-0)
include/linux/netfilter/xt_physdev.h (+0/-3)
include/linux/netfilter/xt_policy.h (+0/-11)
include/linux/netfilter/xt_quota.h (+3/-1)
include/linux/netfilter/xt_recent.h (+10/-0)
include/linux/netfilter/xt_rpfilter.h (+17/-0)
include/linux/netfilter/xt_sctp.h (+2/-2)
include/linux/netfilter/xt_set.h (+11/-70)
include/linux/netfilter/xt_socket.h (+2/-0)
include/linux/netfilter/xt_time.h (+2/-0)
include/linux/netfilter/xt_u32.h (+2/-0)
include/linux/netfilter_ipv4/ip_queue.h (+72/-0)
include/linux/netfilter_ipv4/ip_tables.h (+39/-43)
include/linux/netfilter_ipv4/ipt_CLUSTERIP.h (+9/-7)
include/linux/netfilter_ipv4/ipt_ECN.h (+5/-3)
include/linux/netfilter_ipv4/ipt_SAME.h (+5/-3)
include/linux/netfilter_ipv4/ipt_TTL.h (+4/-2)
include/linux/netfilter_ipv4/ipt_addrtype.h (+9/-7)
include/linux/netfilter_ipv4/ipt_ah.h (+4/-2)
include/linux/netfilter_ipv4/ipt_ecn.h (+0/-33)
include/linux/netfilter_ipv4/ipt_ttl.h (+4/-2)
include/linux/netfilter_ipv6/ip6_tables.h (+38/-62)
include/linux/netfilter_ipv6/ip6t_HL.h (+4/-2)
include/linux/netfilter_ipv6/ip6t_REJECT.h (+3/-1)
include/linux/netfilter_ipv6/ip6t_ah.h (+6/-4)
include/linux/netfilter_ipv6/ip6t_frag.h (+6/-4)
include/linux/netfilter_ipv6/ip6t_hl.h (+4/-2)
include/linux/netfilter_ipv6/ip6t_ipv6header.h (+5/-3)
include/linux/netfilter_ipv6/ip6t_mh.h (+4/-2)
include/linux/netfilter_ipv6/ip6t_opts.h (+7/-5)
include/linux/netfilter_ipv6/ip6t_rt.h (+7/-6)
include/xtables-version.h.in (+2/-0)
include/xtables.h (+530/-0)
include/xtables.h.in (+0/-517)
install-sh (+0/-520)
iptables/.gitignore (+1/-0)
iptables/Makefile.am (+14/-20)
iptables/Makefile.in (+140/-154)
iptables/ip6tables-restore.8 (+3/-1)
iptables/ip6tables-restore.c (+99/-102)
iptables/ip6tables-save.c (+42/-58)
iptables/ip6tables-standalone.c (+1/-6)
iptables/ip6tables.8.in (+10/-15)
iptables/ip6tables.c (+74/-59)
iptables/iptables-apply.8 (+1/-1)
iptables/iptables-extensions.8.in (+27/-0)
iptables/iptables-restore.8 (+4/-1)
iptables/iptables-restore.c (+89/-97)
iptables/iptables-save.c (+42/-59)
iptables/iptables-standalone.c (+1/-6)
iptables/iptables-xml.c (+18/-27)
iptables/iptables.8.in (+6/-15)
iptables/iptables.c (+74/-76)
iptables/xshared.c (+1/-1)
iptables/xtables.c (+0/-1814)
iptables/xtoptions.c (+0/-1159)
libipq/.gitignore (+1/-0)
libipq/Makefile.am (+2/-0)
libipq/Makefile.in (+104/-32)
libipq/libipq.pc.in (+11/-0)
libiptc/.gitignore (+1/-1)
libiptc/Makefile.am (+3/-3)
libiptc/Makefile.in (+64/-21)
libiptc/libip4tc.c (+21/-35)
libiptc/libip4tc.pc.in (+10/-0)
libiptc/libip6tc.c (+18/-20)
libiptc/libip6tc.pc.in (+10/-0)
libiptc/libiptc.c (+41/-28)
libiptc/libiptc.pc.in (+2/-4)
libxtables/Makefile.am (+20/-0)
libxtables/Makefile.in (+601/-0)
libxtables/xtables.c (+1908/-0)
libxtables/xtoptions.c (+1172/-0)
ltmain.sh (+0/-8413)
m4/libtool.m4 (+1441/-835)
m4/ltoptions.m4 (+24/-8)
m4/ltversion.m4 (+6/-6)
m4/lt~obsolete.m4 (+9/-3)
missing (+0/-376)
tests/options-most.rules (+38/-19)
utils/Makefile.am (+2/-1)
utils/Makefile.in (+58/-16)
Reviewer Review Type Date Requested Status
James Page Disapprove
Ubuntu branches Pending

Description of the change

New Upstream Release

James Page (james-page) wrote :

This version is also in Debian unstable so this should really be a merge from Debian rather than a direct new upstream version in Ubuntu.

Disapproving; please prepare as merge instead.

Thanks.

review: Disapprove

Unmerged revisions

35. By Benjamin Kerensa

New Upstream Version

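--- a/.gitignore
+++ b/.gitignore
@@ -1,38 +1,21 @@
-.*.d
-.*.dd
 *.a
 *.la
 *.lo
-*.oo
 *.so
 *.o
-.deps
+.deps/
 .dirstamp
-.libs
+.libs/
 Makefile
 Makefile.in
 
-/extensions/GNUmakefile
-/extensions/initext.c
-/extensions/initext?.c
-/extensions/matches?.man
-/extensions/targets?.man
-
-/include/xtables.h
+/include/xtables-version.h
 /include/iptables/internal.h
 
 /aclocal.m4
-/autom4te*.cache
-/compile
-/config.guess
-/config.h*
-/config.log
-/config.status
-/config.sub
+/autom4te.cache/
+/build-aux/
+/config.*
 /configure
-/depcomp
-/install-sh
 /libtool
-/ltmain.sh
-/missing
 /stamp-h1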
50=== removed directory '.pc/0101-changelog.patch'
51=== removed file '.pc/0101-changelog.patch/Changelog'
52=== removed directory '.pc/9000-howtos.patch'
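--- a/.pc/9000-howtos.patch/Makefile.am
+++ b/.pc/9000-howtos.patch/Makefile.am
@@ -1,26 +0,0 @@
-# -*- Makefile -*-
-
-ACLOCAL_AMFLAGS = -I m4
-AUTOMAKE_OPTIONS = foreign subdir-objects
-
-SUBDIRS = extensions libiptc iptables
-if ENABLE_DEVEL
-SUBDIRS += include
-endif
-if ENABLE_LIBIPQ
-SUBDIRS += libipq
-endif
-if HAVE_LIBNFNETLINK
-SUBDIRS += utils
-endif
-
-.PHONY: tarball
-tarball:
- rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
- pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
- pushd /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
- tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/;
- rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
-
-config.status: extensions/GNUmakefile.in \
- include/xtables.h.in include/iptables/internal.h.in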
84=== removed directory '.pc/9000-howtos.patch/howtos'
85=== removed file '.pc/9000-howtos.patch/howtos/Makefile'
86=== removed file '.pc/9000-howtos.patch/howtos/NAT-HOWTO.sgml'
87=== removed file '.pc/9000-howtos.patch/howtos/netfilter-extensions-HOWTO.sgml'
88=== removed file '.pc/9000-howtos.patch/howtos/netfilter-hacking-HOWTO.sgml'
89=== removed file '.pc/9000-howtos.patch/howtos/packet-filtering-HOWTO.sgml'
90=== removed directory '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch'
91=== removed directory '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include'
92=== removed directory '.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux'
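--- a/.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h
+++ b/.pc/9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch/include/linux/types.h
@@ -1,38 +0,0 @@
-#ifndef _LINUX_TYPES_H
-#define _LINUX_TYPES_H
-
-#include <asm/types.h>
-
-#ifndef __ASSEMBLY__
-
-#include <linux/posix_types.h>
-
-
-/*
- * Below are truly Linux-specific types that should never collide with
- * any application/library that wants linux/types.h.
- */
-
-#ifdef __CHECKER__
-#define __bitwise__ __attribute__((bitwise))
-#else
-#define __bitwise__
-#endif
-#ifdef __CHECK_ENDIAN__
-#define __bitwise __bitwise__
-#else
-#define __bitwise
-#endif
-
-typedef __u16 __bitwise __le16;
-typedef __u16 __bitwise __be16;
-typedef __u32 __bitwise __le32;
-typedef __u32 __bitwise __be32;
-typedef __u64 __bitwise __le64;
-typedef __u64 __bitwise __be64;
-
-typedef __u16 __bitwise __sum16;
-typedef __u32 __bitwise __wsum;
-
-#endif /* __ASSEMBLY__ */
-#endif /* _LINUX_TYPES_H */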
136=== removed directory '.pc/9002-libxt_recent-Add-support-for-reap-option.patch'
137=== removed directory '.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions'
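--- a/.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c
+++ b/.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.c
@@ -1,203 +0,0 @@
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter/xt_recent.h>
-
-enum {
- O_SET = 0,
- O_RCHECK,
- O_UPDATE,
- O_REMOVE,
- O_SECONDS,
- O_HITCOUNT,
- O_RTTL,
- O_NAME,
- O_RSOURCE,
- O_RDEST,
- F_SET = 1 << O_SET,
- F_RCHECK = 1 << O_RCHECK,
- F_UPDATE = 1 << O_UPDATE,
- F_REMOVE = 1 << O_REMOVE,
- F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
-};
-
-#define s struct xt_recent_mtinfo
-static const struct xt_option_entry recent_opts[] = {
- {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
- .excl = F_ANY_OP, .flags = XTOPT_INVERT},
- {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
- .excl = F_ANY_OP, .flags = XTOPT_INVERT},
- {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
- .excl = F_ANY_OP, .flags = XTOPT_INVERT},
- {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
- .excl = F_ANY_OP, .flags = XTOPT_INVERT},
- {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
- .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
- {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
- .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
- {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
- .excl = F_SET | F_REMOVE},
- {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
- .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
- {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
- {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
- XTOPT_TABLEEND,
-};
-#undef s
-
-static void recent_help(void)
-{
- printf(
-"recent match options:\n"
-"[!] --set Add source address to list, always matches.\n"
-"[!] --rcheck Match if source address in list.\n"
-"[!] --update Match if source address in list, also update last-seen time.\n"
-"[!] --remove Match if source address in list, also removes that address from list.\n"
-" --seconds seconds For check and update commands above.\n"
-" Specifies that the match will only occur if source address last seen within\n"
-" the last 'seconds' seconds.\n"
-" --hitcount hits For check and update commands above.\n"
-" Specifies that the match will only occur if source address seen hits times.\n"
-" May be used in conjunction with the seconds option.\n"
-" --rttl For check and update commands above.\n"
-" Specifies that the match will only occur if the source address and the TTL\n"
-" match between this packet and the one which was set.\n"
-" Useful if you have problems with people spoofing their source address in order\n"
-" to DoS you via this module.\n"
-" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
-" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
-" --rdest Match/Save the destination address of each packet in the recent list table.\n"
-"xt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n");
-}
-
-static void recent_init(struct xt_entry_match *match)
-{
- struct xt_recent_mtinfo *info = (void *)(match)->data;
-
- strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
- /* even though XT_RECENT_NAME_LEN is currently defined as 200,
- * better be safe, than sorry */
- info->name[XT_RECENT_NAME_LEN-1] = '\0';
- info->side = XT_RECENT_SOURCE;
-}
-
-static void recent_parse(struct xt_option_call *cb)
-{
- struct xt_recent_mtinfo *info = cb->data;
-
- xtables_option_parse(cb);
- switch (cb->entry->id) {
- case O_SET:
- info->check_set |= XT_RECENT_SET;
- if (cb->invert)
- info->invert = true;
- break;
- case O_RCHECK:
- info->check_set |= XT_RECENT_CHECK;
- if (cb->invert)
- info->invert = true;
- break;
- case O_UPDATE:
- info->check_set |= XT_RECENT_UPDATE;
- if (cb->invert)
- info->invert = true;
- break;
- case O_REMOVE:
- info->check_set |= XT_RECENT_REMOVE;
- if (cb->invert)
- info->invert = true;
- break;
- case O_RTTL:
- info->check_set |= XT_RECENT_TTL;
- break;
- case O_RSOURCE:
- info->side = XT_RECENT_SOURCE;
- break;
- case O_RDEST:
- info->side = XT_RECENT_DEST;
- break;
- }
-}
-
-static void recent_check(struct xt_fcheck_call *cb)
-{
- if (!(cb->xflags & F_ANY_OP))
- xtables_error(PARAMETER_PROBLEM,
- "recent: you must specify one of `--set', `--rcheck' "
- "`--update' or `--remove'");
-}
-
-static void recent_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct xt_recent_mtinfo *info = (const void *)match->data;
-
- if (info->invert)
- printf(" !");
-
- printf(" recent:");
- if (info->check_set & XT_RECENT_SET)
- printf(" SET");
- if (info->check_set & XT_RECENT_CHECK)
- printf(" CHECK");
- if (info->check_set & XT_RECENT_UPDATE)
- printf(" UPDATE");
- if (info->check_set & XT_RECENT_REMOVE)
- printf(" REMOVE");
- if(info->seconds) printf(" seconds: %d", info->seconds);
- if(info->hit_count) printf(" hit_count: %d", info->hit_count);
- if (info->check_set & XT_RECENT_TTL)
- printf(" TTL-Match");
- if(info->name) printf(" name: %s", info->name);
- if (info->side == XT_RECENT_SOURCE)
- printf(" side: source");
- if (info->side == XT_RECENT_DEST)
- printf(" side: dest");
-}
-
-static void recent_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct xt_recent_mtinfo *info = (const void *)match->data;
-
- if (info->invert)
- printf(" !");
-
- if (info->check_set & XT_RECENT_SET)
- printf(" --set");
- if (info->check_set & XT_RECENT_CHECK)
- printf(" --rcheck");
- if (info->check_set & XT_RECENT_UPDATE)
- printf(" --update");
- if (info->check_set & XT_RECENT_REMOVE)
- printf(" --remove");
- if(info->seconds) printf(" --seconds %d", info->seconds);
- if(info->hit_count) printf(" --hitcount %d", info->hit_count);
- if (info->check_set & XT_RECENT_TTL)
- printf(" --rttl");
- if(info->name) printf(" --name %s",info->name);
- if (info->side == XT_RECENT_SOURCE)
- printf(" --rsource");
- if (info->side == XT_RECENT_DEST)
- printf(" --rdest");
-}
-
-static struct xtables_match recent_mt_reg = {
- .name = "recent",
- .version = XTABLES_VERSION,
- .family = NFPROTO_UNSPEC,
- .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
- .help = recent_help,
- .init = recent_init,
- .x6_parse = recent_parse,
- .x6_fcheck = recent_check,
- .print = recent_print,
- .save = recent_save,
- .x6_options = recent_opts,
-};
-
-void _init(void)
-{
- xtables_register_match(&recent_mt_reg);
-}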
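--- a/.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man
+++ b/.pc/9002-libxt_recent-Add-support-for-reap-option.patch/extensions/libxt_recent.man
@@ -1,104 +0,0 @@
-Allows you to dynamically create a list of IP addresses and then match against
-that list in a few different ways.
-.PP
-For example, you can create a "badguy" list out of people attempting to connect
-to port 139 on your firewall and then DROP all future packets from them without
-considering them.
-.PP
-\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are
-mutually exclusive.
-.TP
-\fB\-\-name\fP \fIname\fP
-Specify the list to use for the commands. If no name is given then
-\fBDEFAULT\fP will be used.
-.TP
-[\fB!\fP] \fB\-\-set\fP
-This will add the source address of the packet to the list. If the source
-address is already in the list, this will update the existing entry. This will
-always return success (or failure if \fB!\fP is passed in).
-.TP
-\fB\-\-rsource\fP
-Match/save the source address of each packet in the recent list table. This
-is the default.
-.TP
-\fB\-\-rdest\fP
-Match/save the destination address of each packet in the recent list table.
-.TP
-[\fB!\fP] \fB\-\-rcheck\fP
-Check if the source address of the packet is currently in the list.
-.TP
-[\fB!\fP] \fB\-\-update\fP
-Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it
-matches.
-.TP
-[\fB!\fP] \fB\-\-remove\fP
-Check if the source address of the packet is currently in the list and if so
-that address will be removed from the list and the rule will return true. If
-the address is not found, false is returned.
-.TP
-\fB\-\-seconds\fP \fIseconds\fP
-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
-address is in the list and was seen within the last given number of seconds.
-.TP
-\fB\-\-hitcount\fP \fIhits\fP
-This option must be used in conjunction with one of \fB\-\-rcheck\fP or
-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
-address is in the list and packets had been received greater than or equal to
-the given value. This option may be used along with \fB\-\-seconds\fP to create
-an even narrower match requiring a certain number of hits within a specific
-time frame. The maximum value for the hitcount parameter is given by the
-"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
-value on the command line will cause the rule to be rejected.
-.TP
-\fB\-\-rttl\fP
-This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
-\fB\-\-update\fP. When used, this will narrow the match to only happen when the
-address is in the list and the TTL of the current packet matches that of the
-packet which hit the \fB\-\-set\fP rule. This may be useful if you have problems
-with people faking their source address in order to DoS you via this module by
-disallowing others access to your site by sending bogus packets to you.
-.PP
-Examples:
-.IP
-iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DROP
-.IP
-iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
-.PP
-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-.PP
-\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
-about each entry of each list.
-.PP
-Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current
-list or written two using the following commands to modify the list:
-.TP
-\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
-to add \fIaddr\fP to the DEFAULT list
-.TP
-\fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP
-to remove \fIaddr\fP from the DEFAULT list
-.TP
-\fBecho / >/proc/net/xt_recent/DEFAULT\fP
-to flush the DEFAULT list (remove all entries).
-.PP
-The module itself accepts parameters, defaults shown:
-.TP
-\fBip_list_tot\fP=\fI100\fP
-Number of addresses remembered per table.
-.TP
-\fBip_pkt_list_tot\fP=\fI20\fP
-Number of packets per address remembered.
-.TP
-\fBip_list_hash_size\fP=\fI0\fP
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512.
-.TP
-\fBip_list_perms\fP=\fI0644\fP
-Permissions for /proc/net/xt_recent/* files.
-.TP
-\fBip_list_uid\fP=\fI0\fP
-Numerical UID for ownership of /proc/net/xt_recent/* files.
-.TP
-\fBip_list_gid\fP=\fI0\fP
-Numerical GID for ownership of /proc/net/xt_recent/* files.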
455=== removed directory '.pc/9003-lp1020490.patch'
456=== removed directory '.pc/9003-lp1020490.patch/extensions'
457=== removed file '.pc/9003-lp1020490.patch/extensions/libxt_conntrack.c'
458--- .pc/9003-lp1020490.patch/extensions/libxt_conntrack.c 2012-07-20 15:45:01 +0000
459+++ .pc/9003-lp1020490.patch/extensions/libxt_conntrack.c 1970-01-01 00:00:00 +0000
460@@ -1,1102 +0,0 @@
461-/*
462- * libxt_conntrack
463- * Shared library add-on to iptables for conntrack matching support.
464- *
465- * GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
466- * Copyright © CC Computer Consultants GmbH, 2007 - 2008
467- * Jan Engelhardt <jengelh@computergmbh.de>
468- */
469-#include <stdbool.h>
470-#include <stdint.h>
471-#include <stdio.h>
472-#include <stdlib.h>
473-#include <string.h>
474-#include <xtables.h>
475-#include <linux/netfilter/xt_conntrack.h>
476-#include <linux/netfilter/nf_conntrack_common.h>
477-
478-struct ip_conntrack_old_tuple {
479- struct {
480- __be32 ip;
481- union {
482- __u16 all;
483- } u;
484- } src;
485-
486- struct {
487- __be32 ip;
488- union {
489- __u16 all;
490- } u;
491-
492- /* The protocol. */
493- __u16 protonum;
494- } dst;
495-};
496-
497-struct xt_conntrack_info {
498- unsigned int statemask, statusmask;
499-
500- struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
501- struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
502-
503- unsigned long expires_min, expires_max;
504-
505- /* Flags word */
506- uint8_t flags;
507- /* Inverse flags */
508- uint8_t invflags;
509-};
510-
511-enum {
512- O_CTSTATE = 0,
513- O_CTPROTO,
514- O_CTORIGSRC,
515- O_CTORIGDST,
516- O_CTREPLSRC,
517- O_CTREPLDST,
518- O_CTORIGSRCPORT,
519- O_CTORIGDSTPORT,
520- O_CTREPLSRCPORT,
521- O_CTREPLDSTPORT,
522- O_CTSTATUS,
523- O_CTEXPIRE,
524- O_CTDIR,
525-};
526-
527-static void conntrack_mt_help(void)
528-{
529- printf(
530-"conntrack match options:\n"
531-"[!] --ctstate {INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT}[,...]\n"
532-" State(s) to match\n"
533-"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
534-"[!] --ctorigsrc address[/mask]\n"
535-"[!] --ctorigdst address[/mask]\n"
536-"[!] --ctreplsrc address[/mask]\n"
537-"[!] --ctrepldst address[/mask]\n"
538-" Original/Reply source/destination address\n"
539-"[!] --ctorigsrcport port\n"
540-"[!] --ctorigdstport port\n"
541-"[!] --ctreplsrcport port\n"
542-"[!] --ctrepldstport port\n"
543-" TCP/UDP/SCTP orig./reply source/destination port\n"
544-"[!] --ctstatus {NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED}[,...]\n"
545-" Status(es) to match\n"
546-"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
547-" value or range of values (inclusive)\n"
548-" --ctdir {ORIGINAL|REPLY} Flow direction of packet\n");
549-}
550-
551-#define s struct xt_conntrack_info /* for v0 */
552-static const struct xt_option_entry conntrack_mt_opts_v0[] = {
553- {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
554- .flags = XTOPT_INVERT},
555- {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
556- .flags = XTOPT_INVERT,
557- XTOPT_POINTER(s, tuple[IP_CT_DIR_ORIGINAL].dst.protonum)},
558- {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOST,
559- .flags = XTOPT_INVERT},
560- {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOST,
561- .flags = XTOPT_INVERT},
562- {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOST,
563- .flags = XTOPT_INVERT},
564- {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOST,
565- .flags = XTOPT_INVERT},
566- {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING,
567- .flags = XTOPT_INVERT},
568- {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
569- .flags = XTOPT_INVERT},
570- XTOPT_TABLEEND,
571-};
572-#undef s
573-
574-#define s struct xt_conntrack_mtinfo2
575-/* We exploit the fact that v1-v2 share the same xt_o_e layout */
576-static const struct xt_option_entry conntrack2_mt_opts[] = {
577- {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
578- .flags = XTOPT_INVERT},
579- {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
580- .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
581- {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
582- .flags = XTOPT_INVERT},
583- {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
584- .flags = XTOPT_INVERT},
585- {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK,
586- .flags = XTOPT_INVERT},
587- {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK,
588- .flags = XTOPT_INVERT},
589- {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING,
590- .flags = XTOPT_INVERT},
591- {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
592- .flags = XTOPT_INVERT},
593- {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORT,
594- .flags = XTOPT_INVERT | XTOPT_NBO},
595- {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORT,
596- .flags = XTOPT_INVERT | XTOPT_NBO},
597- {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORT,
598- .flags = XTOPT_INVERT | XTOPT_NBO},
599- {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORT,
600- .flags = XTOPT_INVERT | XTOPT_NBO},
601- {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
602- XTOPT_TABLEEND,
603-};
604-#undef s
605-
606-#define s struct xt_conntrack_mtinfo3 /* for v1-v3 */
607-/* We exploit the fact that v1-v3 share the same layout */
608-static const struct xt_option_entry conntrack3_mt_opts[] = {
609- {.name = "ctstate", .id = O_CTSTATE, .type = XTTYPE_STRING,
610- .flags = XTOPT_INVERT},
611- {.name = "ctproto", .id = O_CTPROTO, .type = XTTYPE_PROTOCOL,
612- .flags = XTOPT_INVERT, XTOPT_POINTER(s, l4proto)},
613- {.name = "ctorigsrc", .id = O_CTORIGSRC, .type = XTTYPE_HOSTMASK,
614- .flags = XTOPT_INVERT},
615- {.name = "ctorigdst", .id = O_CTORIGDST, .type = XTTYPE_HOSTMASK,
616- .flags = XTOPT_INVERT},
617- {.name = "ctreplsrc", .id = O_CTREPLSRC, .type = XTTYPE_HOSTMASK,
618- .flags = XTOPT_INVERT},
619- {.name = "ctrepldst", .id = O_CTREPLDST, .type = XTTYPE_HOSTMASK,
620- .flags = XTOPT_INVERT},
621- {.name = "ctstatus", .id = O_CTSTATUS, .type = XTTYPE_STRING,
622- .flags = XTOPT_INVERT},
623- {.name = "ctexpire", .id = O_CTEXPIRE, .type = XTTYPE_UINT32RC,
624- .flags = XTOPT_INVERT},
625- {.name = "ctorigsrcport", .id = O_CTORIGSRCPORT, .type = XTTYPE_PORTRC,
626- .flags = XTOPT_INVERT},
627- {.name = "ctorigdstport", .id = O_CTORIGDSTPORT, .type = XTTYPE_PORTRC,
628- .flags = XTOPT_INVERT},
629- {.name = "ctreplsrcport", .id = O_CTREPLSRCPORT, .type = XTTYPE_PORTRC,
630- .flags = XTOPT_INVERT},
631- {.name = "ctrepldstport", .id = O_CTREPLDSTPORT, .type = XTTYPE_PORTRC,
632- .flags = XTOPT_INVERT},
633- {.name = "ctdir", .id = O_CTDIR, .type = XTTYPE_STRING},
634- XTOPT_TABLEEND,
635-};
636-#undef s
637-
638-static int
639-parse_state(const char *state, size_t len, struct xt_conntrack_info *sinfo)
640-{
641- if (strncasecmp(state, "INVALID", len) == 0)
642- sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
643- else if (strncasecmp(state, "NEW", len) == 0)
644- sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
645- else if (strncasecmp(state, "ESTABLISHED", len) == 0)
646- sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
647- else if (strncasecmp(state, "RELATED", len) == 0)
648- sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
649- else if (strncasecmp(state, "UNTRACKED", len) == 0)
650- sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
651- else if (strncasecmp(state, "SNAT", len) == 0)
652- sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
653- else if (strncasecmp(state, "DNAT", len) == 0)
654- sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
655- else
656- return 0;
657- return 1;
658-}
659-
660-static void
661-parse_states(const char *arg, struct xt_conntrack_info *sinfo)
662-{
663- const char *comma;
664-
665- while ((comma = strchr(arg, ',')) != NULL) {
666- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
667- xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
668- arg = comma+1;
669- }
670- if (!*arg)
671- xtables_error(PARAMETER_PROBLEM, "\"--ctstate\" requires a list of "
672- "states with no spaces, e.g. "
673- "ESTABLISHED,RELATED");
674- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
675- xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
676-}
677-
678-static bool
679-conntrack_ps_state(struct xt_conntrack_mtinfo3 *info, const char *state,
680- size_t z)
681-{
682- if (strncasecmp(state, "INVALID", z) == 0)
683- info->state_mask |= XT_CONNTRACK_STATE_INVALID;
684- else if (strncasecmp(state, "NEW", z) == 0)
685- info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
686- else if (strncasecmp(state, "ESTABLISHED", z) == 0)
687- info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
688- else if (strncasecmp(state, "RELATED", z) == 0)
689- info->state_mask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
690- else if (strncasecmp(state, "UNTRACKED", z) == 0)
691- info->state_mask |= XT_CONNTRACK_STATE_UNTRACKED;
692- else if (strncasecmp(state, "SNAT", z) == 0)
693- info->state_mask |= XT_CONNTRACK_STATE_SNAT;
694- else if (strncasecmp(state, "DNAT", z) == 0)
695- info->state_mask |= XT_CONNTRACK_STATE_DNAT;
696- else
697- return false;
698- return true;
699-}
700-
701-static void
702-conntrack_ps_states(struct xt_conntrack_mtinfo3 *info, const char *arg)
703-{
704- const char *comma;
705-
706- while ((comma = strchr(arg, ',')) != NULL) {
707- if (comma == arg || !conntrack_ps_state(info, arg, comma - arg))
708- xtables_error(PARAMETER_PROBLEM,
709- "Bad ctstate \"%s\"", arg);
710- arg = comma + 1;
711- }
712-
713- if (strlen(arg) == 0 || !conntrack_ps_state(info, arg, strlen(arg)))
714- xtables_error(PARAMETER_PROBLEM, "Bad ctstate \"%s\"", arg);
715-}
716-
717-static int
718-parse_status(const char *status, size_t len, struct xt_conntrack_info *sinfo)
719-{
720- if (strncasecmp(status, "NONE", len) == 0)
721- sinfo->statusmask |= 0;
722- else if (strncasecmp(status, "EXPECTED", len) == 0)
723- sinfo->statusmask |= IPS_EXPECTED;
724- else if (strncasecmp(status, "SEEN_REPLY", len) == 0)
725- sinfo->statusmask |= IPS_SEEN_REPLY;
726- else if (strncasecmp(status, "ASSURED", len) == 0)
727- sinfo->statusmask |= IPS_ASSURED;
728-#ifdef IPS_CONFIRMED
729- else if (strncasecmp(status, "CONFIRMED", len) == 0)
730- sinfo->statusmask |= IPS_CONFIRMED;
731-#endif
732- else
733- return 0;
734- return 1;
735-}
736-
737-static void
738-parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
739-{
740- const char *comma;
741-
742- while ((comma = strchr(arg, ',')) != NULL) {
743- if (comma == arg || !parse_status(arg, comma-arg, sinfo))
744- xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
745- arg = comma+1;
746- }
747-
748- if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
749- xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
750-}
751-
752-static bool
753-conntrack_ps_status(struct xt_conntrack_mtinfo3 *info, const char *status,
754- size_t z)
755-{
756- if (strncasecmp(status, "NONE", z) == 0)
757- info->status_mask |= 0;
758- else if (strncasecmp(status, "EXPECTED", z) == 0)
759- info->status_mask |= IPS_EXPECTED;
760- else if (strncasecmp(status, "SEEN_REPLY", z) == 0)
761- info->status_mask |= IPS_SEEN_REPLY;
762- else if (strncasecmp(status, "ASSURED", z) == 0)
763- info->status_mask |= IPS_ASSURED;
764- else if (strncasecmp(status, "CONFIRMED", z) == 0)
765- info->status_mask |= IPS_CONFIRMED;
766- else
767- return false;
768- return true;
769-}
770-
771-static void
772-conntrack_ps_statuses(struct xt_conntrack_mtinfo3 *info, const char *arg)
773-{
774- const char *comma;
775-
776- while ((comma = strchr(arg, ',')) != NULL) {
777- if (comma == arg || !conntrack_ps_status(info, arg, comma - arg))
778- xtables_error(PARAMETER_PROBLEM,
779- "Bad ctstatus \"%s\"", arg);
780- arg = comma + 1;
781- }
782-
783- if (strlen(arg) == 0 || !conntrack_ps_status(info, arg, strlen(arg)))
784- xtables_error(PARAMETER_PROBLEM, "Bad ctstatus \"%s\"", arg);
785-}
786-
787-static void conntrack_parse(struct xt_option_call *cb)
788-{
789- struct xt_conntrack_info *sinfo = cb->data;
790-
791- xtables_option_parse(cb);
792- switch (cb->entry->id) {
793- case O_CTSTATE:
794- parse_states(cb->arg, sinfo);
795- if (cb->invert)
796- sinfo->invflags |= XT_CONNTRACK_STATE;
797- break;
798- case O_CTPROTO:
799- if (cb->invert)
800- sinfo->invflags |= XT_CONNTRACK_PROTO;
801- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
802- && (sinfo->invflags & XT_INV_PROTO))
803- xtables_error(PARAMETER_PROBLEM,
804- "rule would never match protocol");
805-
806- sinfo->flags |= XT_CONNTRACK_PROTO;
807- break;
808- case O_CTORIGSRC:
809- if (cb->invert)
810- sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
811- sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = cb->val.haddr.ip;
812- sinfo->flags |= XT_CONNTRACK_ORIGSRC;
813- break;
814- case O_CTORIGDST:
815- if (cb->invert)
816- sinfo->invflags |= XT_CONNTRACK_ORIGDST;
817- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = cb->val.haddr.ip;
818- sinfo->flags |= XT_CONNTRACK_ORIGDST;
819- break;
820- case O_CTREPLSRC:
821- if (cb->invert)
822- sinfo->invflags |= XT_CONNTRACK_REPLSRC;
823- sinfo->tuple[IP_CT_DIR_REPLY].src.ip = cb->val.haddr.ip;
824- sinfo->flags |= XT_CONNTRACK_REPLSRC;
825- break;
826- case O_CTREPLDST:
827- if (cb->invert)
828- sinfo->invflags |= XT_CONNTRACK_REPLDST;
829- sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = cb->val.haddr.ip;
830- sinfo->flags |= XT_CONNTRACK_REPLDST;
831- break;
832- case O_CTSTATUS:
833- parse_statuses(cb->arg, sinfo);
834- if (cb->invert)
835- sinfo->invflags |= XT_CONNTRACK_STATUS;
836- sinfo->flags |= XT_CONNTRACK_STATUS;
837- break;
838- case O_CTEXPIRE:
839- sinfo->expires_min = cb->val.u32_range[0];
840- sinfo->expires_max = cb->val.u32_range[0];
841- if (cb->nvals >= 2)
842- sinfo->expires_max = cb->val.u32_range[1];
843- if (cb->invert)
844- sinfo->invflags |= XT_CONNTRACK_EXPIRES;
845- sinfo->flags |= XT_CONNTRACK_EXPIRES;
846- break;
847- }
848-}
849-
850-static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
851-{
852- struct xt_conntrack_mtinfo3 *info = cb->data;
853-
854- xtables_option_parse(cb);
855- switch (cb->entry->id) {
856- case O_CTSTATE:
857- conntrack_ps_states(info, cb->arg);
858- info->match_flags |= XT_CONNTRACK_STATE;
859- if (cb->invert)
860- info->invert_flags |= XT_CONNTRACK_STATE;
861- break;
862- case O_CTPROTO:
863- if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
864- xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
865- "never match protocol");
866-
867- info->match_flags |= XT_CONNTRACK_PROTO;
868- if (cb->invert)
869- info->invert_flags |= XT_CONNTRACK_PROTO;
870- break;
871- case O_CTORIGSRC:
872- info->origsrc_addr = cb->val.haddr;
873- info->origsrc_mask = cb->val.hmask;
874- info->match_flags |= XT_CONNTRACK_ORIGSRC;
875- if (cb->invert)
876- info->invert_flags |= XT_CONNTRACK_ORIGSRC;
877- break;
878- case O_CTORIGDST:
879- info->origdst_addr = cb->val.haddr;
880- info->origdst_mask = cb->val.hmask;
881- info->match_flags |= XT_CONNTRACK_ORIGDST;
882- if (cb->invert)
883- info->invert_flags |= XT_CONNTRACK_ORIGDST;
884- break;
885- case O_CTREPLSRC:
886- info->replsrc_addr = cb->val.haddr;
887- info->replsrc_mask = cb->val.hmask;
888- info->match_flags |= XT_CONNTRACK_REPLSRC;
889- if (cb->invert)
890- info->invert_flags |= XT_CONNTRACK_REPLSRC;
891- break;
892- case O_CTREPLDST:
893- info->repldst_addr = cb->val.haddr;
894- info->repldst_mask = cb->val.hmask;
895- info->match_flags |= XT_CONNTRACK_REPLDST;
896- if (cb->invert)
897- info->invert_flags |= XT_CONNTRACK_REPLDST;
898- break;
899- case O_CTSTATUS:
900- conntrack_ps_statuses(info, cb->arg);
901- info->match_flags |= XT_CONNTRACK_STATUS;
902- if (cb->invert)
903- info->invert_flags |= XT_CONNTRACK_STATUS;
904- break;
905- case O_CTEXPIRE:
906- info->expires_min = cb->val.u32_range[0];
907- info->expires_max = cb->val.u32_range[0];
908- if (cb->nvals >= 2)
909- info->expires_max = cb->val.u32_range[1];
910- info->match_flags |= XT_CONNTRACK_EXPIRES;
911- if (cb->invert)
912- info->invert_flags |= XT_CONNTRACK_EXPIRES;
913- break;
914- case O_CTORIGSRCPORT:
915- info->origsrc_port = cb->val.port_range[0];
916- info->origsrc_port_high = cb->val.port_range[cb->nvals >= 2];
917- info->match_flags |= XT_CONNTRACK_ORIGSRC_PORT;
918- if (cb->invert)
919- info->invert_flags |= XT_CONNTRACK_ORIGSRC_PORT;
920- break;
921- case O_CTORIGDSTPORT:
922- info->origdst_port = cb->val.port_range[0];
923- info->origdst_port_high = cb->val.port_range[cb->nvals >= 2];
924- info->match_flags |= XT_CONNTRACK_ORIGDST_PORT;
925- if (cb->invert)
926- info->invert_flags |= XT_CONNTRACK_ORIGDST_PORT;
927- break;
928- case O_CTREPLSRCPORT:
929- info->replsrc_port = cb->val.port_range[0];
930- info->replsrc_port_high = cb->val.port_range[cb->nvals >= 2];
931- info->match_flags |= XT_CONNTRACK_REPLSRC_PORT;
932- if (cb->invert)
933- info->invert_flags |= XT_CONNTRACK_REPLSRC_PORT;
934- break;
935- case O_CTREPLDSTPORT:
936- info->repldst_port = cb->val.port_range[0];
937- info->repldst_port_high = cb->val.port_range[cb->nvals >= 2];
938- info->match_flags |= XT_CONNTRACK_REPLDST_PORT;
939- if (cb->invert)
940- info->invert_flags |= XT_CONNTRACK_REPLDST_PORT;
941- break;
942- case O_CTDIR:
943- if (strcasecmp(cb->arg, "ORIGINAL") == 0) {
944- info->match_flags |= XT_CONNTRACK_DIRECTION;
945- info->invert_flags &= ~XT_CONNTRACK_DIRECTION;
946- } else if (strcasecmp(cb->arg, "REPLY") == 0) {
947- info->match_flags |= XT_CONNTRACK_DIRECTION;
948- info->invert_flags |= XT_CONNTRACK_DIRECTION;
949- } else {
950- xtables_param_act(XTF_BAD_VALUE, "conntrack", "--ctdir", cb->arg);
951- }
952- break;
953- }
954-}
955-
956-#define cinfo_transform(r, l) \
957- do { \
958- memcpy((r), (l), offsetof(typeof(*(l)), state_mask)); \
959- (r)->state_mask = (l)->state_mask; \
960- (r)->status_mask = (l)->status_mask; \
961- } while (false);
962-
963-static void conntrack1_mt_parse(struct xt_option_call *cb)
964-{
965- struct xt_conntrack_mtinfo1 *info = cb->data;
966- struct xt_conntrack_mtinfo3 up;
967-
968- memset(&up, 0, sizeof(up));
969- cinfo_transform(&up, info);
970- up.origsrc_port_high = up.origsrc_port;
971- up.origdst_port_high = up.origdst_port;
972- up.replsrc_port_high = up.replsrc_port;
973- up.repldst_port_high = up.repldst_port;
974- cb->data = &up;
975- conntrack_mt_parse(cb, 3);
976- if (up.origsrc_port != up.origsrc_port_high ||
977- up.origdst_port != up.origdst_port_high ||
978- up.replsrc_port != up.replsrc_port_high ||
979- up.repldst_port != up.repldst_port_high)
980- xtables_error(PARAMETER_PROBLEM,
981- "conntrack rev 1 does not support port ranges");
982- cinfo_transform(info, &up);
983- cb->data = info;
984-}
985-
986-static void conntrack2_mt_parse(struct xt_option_call *cb)
987-{
988-#define cinfo2_transform(r, l) \
989- memcpy((r), (l), offsetof(typeof(*(l)), sizeof(*info));
990-
991- struct xt_conntrack_mtinfo2 *info = cb->data;
992- struct xt_conntrack_mtinfo3 up;
993-
994- memset(&up, 0, sizeof(up));
995- memcpy(&up, info, sizeof(*info));
996- up.origsrc_port_high = up.origsrc_port;
997- up.origdst_port_high = up.origdst_port;
998- up.replsrc_port_high = up.replsrc_port;
999- up.repldst_port_high = up.repldst_port;
1000- cb->data = &up;
1001- conntrack_mt_parse(cb, 3);
1002- if (up.origsrc_port != up.origsrc_port_high ||
1003- up.origdst_port != up.origdst_port_high ||
1004- up.replsrc_port != up.replsrc_port_high ||
1005- up.repldst_port != up.repldst_port_high)
1006- xtables_error(PARAMETER_PROBLEM,
1007- "conntrack rev 2 does not support port ranges");
1008- memcpy(info, &up, sizeof(*info));
1009- cb->data = info;
1010-#undef cinfo2_transform
1011-}
1012-
1013-static void conntrack3_mt_parse(struct xt_option_call *cb)
1014-{
1015- conntrack_mt_parse(cb, 3);
1016-}
1017-
1018-static void conntrack_mt_check(struct xt_fcheck_call *cb)
1019-{
1020- if (cb->xflags == 0)
1021- xtables_error(PARAMETER_PROBLEM, "conntrack: At least one option "
1022- "is required");
1023-}
1024-
1025-static void
1026-print_state(unsigned int statemask)
1027-{
1028- const char *sep = " ";
1029-
1030- if (statemask & XT_CONNTRACK_STATE_INVALID) {
1031- printf("%sINVALID", sep);
1032- sep = ",";
1033- }
1034- if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
1035- printf("%sNEW", sep);
1036- sep = ",";
1037- }
1038- if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
1039- printf("%sRELATED", sep);
1040- sep = ",";
1041- }
1042- if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
1043- printf("%sESTABLISHED", sep);
1044- sep = ",";
1045- }
1046- if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
1047- printf("%sUNTRACKED", sep);
1048- sep = ",";
1049- }
1050- if (statemask & XT_CONNTRACK_STATE_SNAT) {
1051- printf("%sSNAT", sep);
1052- sep = ",";
1053- }
1054- if (statemask & XT_CONNTRACK_STATE_DNAT) {
1055- printf("%sDNAT", sep);
1056- sep = ",";
1057- }
1058-}
1059-
1060-static void
1061-print_status(unsigned int statusmask)
1062-{
1063- const char *sep = " ";
1064-
1065- if (statusmask & IPS_EXPECTED) {
1066- printf("%sEXPECTED", sep);
1067- sep = ",";
1068- }
1069- if (statusmask & IPS_SEEN_REPLY) {
1070- printf("%sSEEN_REPLY", sep);
1071- sep = ",";
1072- }
1073- if (statusmask & IPS_ASSURED) {
1074- printf("%sASSURED", sep);
1075- sep = ",";
1076- }
1077- if (statusmask & IPS_CONFIRMED) {
1078- printf("%sCONFIRMED", sep);
1079- sep = ",";
1080- }
1081- if (statusmask == 0)
1082- printf("%sNONE", sep);
1083-}
1084-
1085-static void
1086-conntrack_dump_addr(const union nf_inet_addr *addr,
1087- const union nf_inet_addr *mask,
1088- unsigned int family, bool numeric)
1089-{
1090- if (family == NFPROTO_IPV4) {
1091- if (!numeric && addr->ip == 0) {
1092- printf(" anywhere");
1093- return;
1094- }
1095- if (numeric)
1096- printf(" %s%s",
1097- xtables_ipaddr_to_numeric(&addr->in),
1098- xtables_ipmask_to_numeric(&mask->in));
1099- else
1100- printf(" %s%s",
1101- xtables_ipaddr_to_anyname(&addr->in),
1102- xtables_ipmask_to_numeric(&mask->in));
1103- } else if (family == NFPROTO_IPV6) {
1104- if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
1105- addr->ip6[2] == 0 && addr->ip6[3] == 0) {
1106- printf(" anywhere");
1107- return;
1108- }
1109- if (numeric)
1110- printf(" %s%s",
1111- xtables_ip6addr_to_numeric(&addr->in6),
1112- xtables_ip6mask_to_numeric(&mask->in6));
1113- else
1114- printf(" %s%s",
1115- xtables_ip6addr_to_anyname(&addr->in6),
1116- xtables_ip6mask_to_numeric(&mask->in6));
1117- }
1118-}
1119-
1120-static void
1121-print_addr(const struct in_addr *addr, const struct in_addr *mask,
1122- int inv, int numeric)
1123-{
1124- char buf[BUFSIZ];
1125-
1126- if (inv)
1127- printf(" !");
1128-
1129- if (mask->s_addr == 0L && !numeric)
1130- printf(" %s", "anywhere");
1131- else {
1132- if (numeric)
1133- strcpy(buf, xtables_ipaddr_to_numeric(addr));
1134- else
1135- strcpy(buf, xtables_ipaddr_to_anyname(addr));
1136- strcat(buf, xtables_ipmask_to_numeric(mask));
1137- printf(" %s", buf);
1138- }
1139-}
1140-
1141-static void
1142-matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
1143-{
1144- const struct xt_conntrack_info *sinfo = (const void *)match->data;
1145-
1146- if(sinfo->flags & XT_CONNTRACK_STATE) {
1147- if (sinfo->invflags & XT_CONNTRACK_STATE)
1148- printf(" !");
1149- printf(" %sctstate", optpfx);
1150- print_state(sinfo->statemask);
1151- }
1152-
1153- if(sinfo->flags & XT_CONNTRACK_PROTO) {
1154- if (sinfo->invflags & XT_CONNTRACK_PROTO)
1155- printf(" !");
1156- printf(" %sctproto", optpfx);
1157- printf(" %u", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
1158- }
1159-
1160- if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
1161- if (sinfo->invflags & XT_CONNTRACK_ORIGSRC)
1162- printf(" !");
1163- printf(" %sctorigsrc", optpfx);
1164-
1165- print_addr(
1166- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
1167- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
1168- false,
1169- numeric);
1170- }
1171-
1172- if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
1173- if (sinfo->invflags & XT_CONNTRACK_ORIGDST)
1174- printf(" !");
1175- printf(" %sctorigdst", optpfx);
1176-
1177- print_addr(
1178- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
1179- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
1180- false,
1181- numeric);
1182- }
1183-
1184- if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
1185- if (sinfo->invflags & XT_CONNTRACK_REPLSRC)
1186- printf(" !");
1187- printf(" %sctreplsrc", optpfx);
1188-
1189- print_addr(
1190- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
1191- &sinfo->sipmsk[IP_CT_DIR_REPLY],
1192- false,
1193- numeric);
1194- }
1195-
1196- if(sinfo->flags & XT_CONNTRACK_REPLDST) {
1197- if (sinfo->invflags & XT_CONNTRACK_REPLDST)
1198- printf(" !");
1199- printf(" %sctrepldst", optpfx);
1200-
1201- print_addr(
1202- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
1203- &sinfo->dipmsk[IP_CT_DIR_REPLY],
1204- false,
1205- numeric);
1206- }
1207-
1208- if(sinfo->flags & XT_CONNTRACK_STATUS) {
1209- if (sinfo->invflags & XT_CONNTRACK_STATUS)
1210- printf(" !");
1211- printf(" %sctstatus", optpfx);
1212- print_status(sinfo->statusmask);
1213- }
1214-
1215- if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
1216- if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
1217- printf(" !");
1218- printf(" %sctexpire ", optpfx);
1219-
1220- if (sinfo->expires_max == sinfo->expires_min)
1221- printf("%lu", sinfo->expires_min);
1222- else
1223- printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max);
1224- }
1225-
1226- if (sinfo->flags & XT_CONNTRACK_DIRECTION) {
1227- if (sinfo->invflags & XT_CONNTRACK_DIRECTION)
1228- printf(" %sctdir REPLY", optpfx);
1229- else
1230- printf(" %sctdir ORIGINAL", optpfx);
1231- }
1232-
1233-}
1234-
1235-static void
1236-conntrack_dump_ports(const char *prefix, const char *opt,
1237- u_int16_t port_low, u_int16_t port_high)
1238-{
1239- if (port_high == 0 || port_low == port_high)
1240- printf(" %s%s %u", prefix, opt, port_low);
1241- else
1242- printf(" %s%s %u:%u", prefix, opt, port_low, port_high);
1243-}
1244-
1245-static void
1246-conntrack_dump(const struct xt_conntrack_mtinfo3 *info, const char *prefix,
1247- unsigned int family, bool numeric, bool v3)
1248-{
1249- if (info->match_flags & XT_CONNTRACK_STATE) {
1250- if (info->invert_flags & XT_CONNTRACK_STATE)
1251- printf(" !");
1252- printf(" %sctstate", prefix);
1253- print_state(info->state_mask);
1254- }
1255-
1256- if (info->match_flags & XT_CONNTRACK_PROTO) {
1257- if (info->invert_flags & XT_CONNTRACK_PROTO)
1258- printf(" !");
1259- printf(" %sctproto %u", prefix, info->l4proto);
1260- }
1261-
1262- if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
1263- if (info->invert_flags & XT_CONNTRACK_ORIGSRC)
1264- printf(" !");
1265- printf(" %sctorigsrc", prefix);
1266- conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
1267- family, numeric);
1268- }
1269-
1270- if (info->match_flags & XT_CONNTRACK_ORIGDST) {
1271- if (info->invert_flags & XT_CONNTRACK_ORIGDST)
1272- printf(" !");
1273- printf(" %sctorigdst", prefix);
1274- conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
1275- family, numeric);
1276- }
1277-
1278- if (info->match_flags & XT_CONNTRACK_REPLSRC) {
1279- if (info->invert_flags & XT_CONNTRACK_REPLSRC)
1280- printf(" !");
1281- printf(" %sctreplsrc", prefix);
1282- conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
1283- family, numeric);
1284- }
1285-
1286- if (info->match_flags & XT_CONNTRACK_REPLDST) {
1287- if (info->invert_flags & XT_CONNTRACK_REPLDST)
1288- printf(" !");
1289- printf(" %sctrepldst", prefix);
1290- conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
1291- family, numeric);
1292- }
1293-
1294- if (info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) {
1295- if (info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT)
1296- printf(" !");
1297- conntrack_dump_ports(prefix, "ctorigsrcport",
1298- v3 ? info->origsrc_port : ntohs(info->origsrc_port),
1299- v3 ? info->origsrc_port_high : 0);
1300- }
1301-
1302- if (info->match_flags & XT_CONNTRACK_ORIGDST_PORT) {
1303- if (info->invert_flags & XT_CONNTRACK_ORIGDST_PORT)
1304- printf(" !");
1305- conntrack_dump_ports(prefix, "ctorigdstport",
1306- v3 ? info->origdst_port : ntohs(info->origdst_port),
1307- v3 ? info->origdst_port_high : 0);
1308- }
1309-
1310- if (info->match_flags & XT_CONNTRACK_REPLSRC_PORT) {
1311- if (info->invert_flags & XT_CONNTRACK_REPLSRC_PORT)
1312- printf(" !");
1313- conntrack_dump_ports(prefix, "ctreplsrcport",
1314- v3 ? info->replsrc_port : ntohs(info->replsrc_port),
1315- v3 ? info->replsrc_port_high : 0);
1316- }
1317-
1318- if (info->match_flags & XT_CONNTRACK_REPLDST_PORT) {
1319- if (info->invert_flags & XT_CONNTRACK_REPLDST_PORT)
1320- printf(" !");
1321- conntrack_dump_ports(prefix, "ctrepldstport",
1322- v3 ? info->repldst_port : ntohs(info->repldst_port),
1323- v3 ? info->repldst_port_high : 0);
1324- }
1325-
1326- if (info->match_flags & XT_CONNTRACK_STATUS) {
1327- if (info->invert_flags & XT_CONNTRACK_STATUS)
1328- printf(" !");
1329- printf(" %sctstatus", prefix);
1330- print_status(info->status_mask);
1331- }
1332-
1333- if (info->match_flags & XT_CONNTRACK_EXPIRES) {
1334- if (info->invert_flags & XT_CONNTRACK_EXPIRES)
1335- printf(" !");
1336- printf(" %sctexpire ", prefix);
1337-
1338- if (info->expires_max == info->expires_min)
1339- printf("%u", (unsigned int)info->expires_min);
1340- else
1341- printf("%u:%u", (unsigned int)info->expires_min,
1342- (unsigned int)info->expires_max);
1343- }
1344-
1345- if (info->match_flags & XT_CONNTRACK_DIRECTION) {
1346- if (info->invert_flags & XT_CONNTRACK_DIRECTION)
1347- printf(" %sctdir REPLY", prefix);
1348- else
1349- printf(" %sctdir ORIGINAL", prefix);
1350- }
1351-}
1352-
1353-static void conntrack_print(const void *ip, const struct xt_entry_match *match,
1354- int numeric)
1355-{
1356- matchinfo_print(ip, match, numeric, "");
1357-}
1358-
1359-static void
1360-conntrack1_mt4_print(const void *ip, const struct xt_entry_match *match,
1361- int numeric)
1362-{
1363- const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
1364- struct xt_conntrack_mtinfo3 up;
1365-
1366- cinfo_transform(&up, info);
1367- conntrack_dump(&up, "", NFPROTO_IPV4, numeric, false);
1368-}
1369-
1370-static void
1371-conntrack1_mt6_print(const void *ip, const struct xt_entry_match *match,
1372- int numeric)
1373-{
1374- const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
1375- struct xt_conntrack_mtinfo3 up;
1376-
1377- cinfo_transform(&up, info);
1378- conntrack_dump(&up, "", NFPROTO_IPV6, numeric, false);
1379-}
1380-
1381-static void
1382-conntrack2_mt_print(const void *ip, const struct xt_entry_match *match,
1383- int numeric)
1384-{
1385- conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric, false);
1386-}
1387-
1388-static void
1389-conntrack2_mt6_print(const void *ip, const struct xt_entry_match *match,
1390- int numeric)
1391-{
1392- conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric, false);
1393-}
1394-
1395-static void
1396-conntrack3_mt_print(const void *ip, const struct xt_entry_match *match,
1397- int numeric)
1398-{
1399- conntrack_dump((const void *)match->data, "", NFPROTO_IPV4, numeric, true);
1400-}
1401-
1402-static void
1403-conntrack3_mt6_print(const void *ip, const struct xt_entry_match *match,
1404- int numeric)
1405-{
1406- conntrack_dump((const void *)match->data, "", NFPROTO_IPV6, numeric, true);
1407-}
1408-
1409-static void conntrack_save(const void *ip, const struct xt_entry_match *match)
1410-{
1411- matchinfo_print(ip, match, 1, "--");
1412-}
1413-
1414-static void conntrack3_mt_save(const void *ip,
1415- const struct xt_entry_match *match)
1416-{
1417- conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true, true);
1418-}
1419-
1420-static void conntrack3_mt6_save(const void *ip,
1421- const struct xt_entry_match *match)
1422-{
1423- conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true, true);
1424-}
1425-
1426-static void conntrack2_mt_save(const void *ip,
1427- const struct xt_entry_match *match)
1428-{
1429- conntrack_dump((const void *)match->data, "--", NFPROTO_IPV4, true, false);
1430-}
1431-
1432-static void conntrack2_mt6_save(const void *ip,
1433- const struct xt_entry_match *match)
1434-{
1435- conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true, false);
1436-}
1437-
1438-static void
1439-conntrack1_mt4_save(const void *ip, const struct xt_entry_match *match)
1440-{
1441- const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
1442- struct xt_conntrack_mtinfo3 up;
1443-
1444- cinfo_transform(&up, info);
1445- conntrack_dump(&up, "--", NFPROTO_IPV4, true, false);
1446-}
1447-
1448-static void
1449-conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match)
1450-{
1451- const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
1452- struct xt_conntrack_mtinfo3 up;
1453-
1454- cinfo_transform(&up, info);
1455- conntrack_dump(&up, "--", NFPROTO_IPV6, true, false);
1456-}
1457-
1458-static struct xtables_match conntrack_mt_reg[] = {
1459- {
1460- .version = XTABLES_VERSION,
1461- .name = "conntrack",
1462- .revision = 0,
1463- .family = NFPROTO_IPV4,
1464- .size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1465- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
1466- .help = conntrack_mt_help,
1467- .x6_parse = conntrack_parse,
1468- .x6_fcheck = conntrack_mt_check,
1469- .print = conntrack_print,
1470- .save = conntrack_save,
1471- .x6_options = conntrack_mt_opts_v0,
1472- },
1473- {
1474- .version = XTABLES_VERSION,
1475- .name = "conntrack",
1476- .revision = 1,
1477- .family = NFPROTO_IPV4,
1478- .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1479- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1480- .help = conntrack_mt_help,
1481- .x6_parse = conntrack1_mt_parse,
1482- .x6_fcheck = conntrack_mt_check,
1483- .print = conntrack1_mt4_print,
1484- .save = conntrack1_mt4_save,
1485- .x6_options = conntrack2_mt_opts,
1486- },
1487- {
1488- .version = XTABLES_VERSION,
1489- .name = "conntrack",
1490- .revision = 1,
1491- .family = NFPROTO_IPV6,
1492- .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1493- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
1494- .help = conntrack_mt_help,
1495- .x6_parse = conntrack1_mt_parse,
1496- .x6_fcheck = conntrack_mt_check,
1497- .print = conntrack1_mt6_print,
1498- .save = conntrack1_mt6_save,
1499- .x6_options = conntrack2_mt_opts,
1500- },
1501- {
1502- .version = XTABLES_VERSION,
1503- .name = "conntrack",
1504- .revision = 2,
1505- .family = NFPROTO_IPV4,
1506- .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1507- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1508- .help = conntrack_mt_help,
1509- .x6_parse = conntrack2_mt_parse,
1510- .x6_fcheck = conntrack_mt_check,
1511- .print = conntrack2_mt_print,
1512- .save = conntrack2_mt_save,
1513- .x6_options = conntrack2_mt_opts,
1514- },
1515- {
1516- .version = XTABLES_VERSION,
1517- .name = "conntrack",
1518- .revision = 2,
1519- .family = NFPROTO_IPV6,
1520- .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1521- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
1522- .help = conntrack_mt_help,
1523- .x6_parse = conntrack2_mt_parse,
1524- .x6_fcheck = conntrack_mt_check,
1525- .print = conntrack2_mt6_print,
1526- .save = conntrack2_mt6_save,
1527- .x6_options = conntrack2_mt_opts,
1528- },
1529- {
1530- .version = XTABLES_VERSION,
1531- .name = "conntrack",
1532- .revision = 3,
1533- .family = NFPROTO_IPV4,
1534- .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1535- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1536- .help = conntrack_mt_help,
1537- .x6_parse = conntrack3_mt_parse,
1538- .x6_fcheck = conntrack_mt_check,
1539- .print = conntrack3_mt_print,
1540- .save = conntrack3_mt_save,
1541- .x6_options = conntrack3_mt_opts,
1542- },
1543- {
1544- .version = XTABLES_VERSION,
1545- .name = "conntrack",
1546- .revision = 3,
1547- .family = NFPROTO_IPV6,
1548- .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1549- .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo3)),
1550- .help = conntrack_mt_help,
1551- .x6_parse = conntrack3_mt_parse,
1552- .x6_fcheck = conntrack_mt_check,
1553- .print = conntrack3_mt6_print,
1554- .save = conntrack3_mt6_save,
1555- .x6_options = conntrack3_mt_opts,
1556- },
1557-};
1558-
1559-void _init(void)
1560-{
1561- xtables_register_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
1562-}
1563
1564=== removed directory '.pc/9004-argv-is-null.patch'
1565=== removed directory '.pc/9004-argv-is-null.patch/iptables'
1566=== removed file '.pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c'
1567--- .pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c 2012-07-20 15:45:01 +0000
1568+++ .pc/9004-argv-is-null.patch/iptables/ip6tables-restore.c 1970-01-01 00:00:00 +0000
1569@@ -1,465 +0,0 @@
1570-/* Code to restore the iptables state, from file by ip6tables-save.
1571- * Author: Andras Kis-Szabo <kisza@sch.bme.hu>
1572- *
1573- * based on iptables-restore
1574- * Authors:
1575- * Harald Welte <laforge@gnumonks.org>
1576- * Rusty Russell <rusty@linuxcare.com.au>
1577- * This code is distributed under the terms of GNU GPL v2
1578- */
1579-
1580-#include <getopt.h>
1581-#include <sys/errno.h>
1582-#include <stdbool.h>
1583-#include <string.h>
1584-#include <stdio.h>
1585-#include <stdlib.h>
1586-#include "ip6tables.h"
1587-#include "xtables.h"
1588-#include "libiptc/libip6tc.h"
1589-#include "ip6tables-multi.h"
1590-
1591-#ifdef DEBUG
1592-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
1593-#else
1594-#define DEBUGP(x, args...)
1595-#endif
1596-
1597-static int binary = 0, counters = 0, verbose = 0, noflush = 0;
1598-
1599-/* Keeping track of external matches and targets. */
1600-static const struct option options[] = {
1601- {.name = "binary", .has_arg = false, .val = 'b'},
1602- {.name = "counters", .has_arg = false, .val = 'c'},
1603- {.name = "verbose", .has_arg = false, .val = 'v'},
1604- {.name = "test", .has_arg = false, .val = 't'},
1605- {.name = "help", .has_arg = false, .val = 'h'},
1606- {.name = "noflush", .has_arg = false, .val = 'n'},
1607- {.name = "modprobe", .has_arg = true, .val = 'M'},
1608- {NULL},
1609-};
1610-
1611-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
1612-
1613-static void print_usage(const char *name, const char *version)
1614-{
1615- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
1616- " [ --binary ]\n"
1617- " [ --counters ]\n"
1618- " [ --verbose ]\n"
1619- " [ --test ]\n"
1620- " [ --help ]\n"
1621- " [ --noflush ]\n"
1622- " [ --modprobe=<command>]\n", name);
1623-
1624- exit(1);
1625-}
1626-
1627-static struct ip6tc_handle *create_handle(const char *tablename)
1628-{
1629- struct ip6tc_handle *handle;
1630-
1631- handle = ip6tc_init(tablename);
1632-
1633- if (!handle) {
1634- /* try to insmod the module if iptc_init failed */
1635- xtables_load_ko(xtables_modprobe_program, false);
1636- handle = ip6tc_init(tablename);
1637- }
1638-
1639- if (!handle) {
1640- xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
1641- "table '%s'\n", ip6tables_globals.program_name,
1642- tablename);
1643- exit(1);
1644- }
1645- return handle;
1646-}
1647-
1648-static int parse_counters(char *string, struct ip6t_counters *ctr)
1649-{
1650- unsigned long long pcnt, bcnt;
1651- int ret;
1652-
1653- ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
1654- ctr->pcnt = pcnt;
1655- ctr->bcnt = bcnt;
1656- return ret == 2;
1657-}
1658-
1659-/* global new argv and argc */
1660-static char *newargv[255];
1661-static int newargc;
1662-
1663-/* function adding one argument to newargv, updating newargc
1664- * returns true if argument added, false otherwise */
1665-static int add_argv(char *what) {
1666- DEBUGP("add_argv: %s\n", what);
1667- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
1668- newargv[newargc] = strdup(what);
1669- newargc++;
1670- return 1;
1671- } else {
1672- xtables_error(PARAMETER_PROBLEM,
1673- "Parser cannot handle more arguments\n");
1674- return 0;
1675- }
1676-}
1677-
1678-static void free_argv(void) {
1679- int i;
1680-
1681- for (i = 0; i < newargc; i++)
1682- free(newargv[i]);
1683-}
1684-
1685-#ifdef IPTABLES_MULTI
1686-int ip6tables_restore_main(int argc, char *argv[])
1687-#else
1688-int main(int argc, char *argv[])
1689-#endif
1690-{
1691- struct ip6tc_handle *handle = NULL;
1692- char buffer[10240];
1693- int c;
1694- char curtable[IP6T_TABLE_MAXNAMELEN + 1];
1695- FILE *in;
1696- int in_table = 0, testing = 0;
1697-
1698- line = 0;
1699-
1700- ip6tables_globals.program_name = "ip6tables-restore";
1701- c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
1702- if (c < 0) {
1703- fprintf(stderr, "%s/%s Failed to initialize xtables\n",
1704- ip6tables_globals.program_name,
1705- ip6tables_globals.program_version);
1706- exit(1);
1707- }
1708-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
1709- init_extensions();
1710- init_extensions6();
1711-#endif
1712-
1713- while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
1714- switch (c) {
1715- case 'b':
1716- binary = 1;
1717- break;
1718- case 'c':
1719- counters = 1;
1720- break;
1721- case 'v':
1722- verbose = 1;
1723- break;
1724- case 't':
1725- testing = 1;
1726- break;
1727- case 'h':
1728- print_usage("ip6tables-restore",
1729- IPTABLES_VERSION);
1730- break;
1731- case 'n':
1732- noflush = 1;
1733- break;
1734- case 'M':
1735- xtables_modprobe_program = optarg;
1736- break;
1737- }
1738- }
1739-
1740- if (optind == argc - 1) {
1741- in = fopen(argv[optind], "re");
1742- if (!in) {
1743- fprintf(stderr, "Can't open %s: %s\n", argv[optind],
1744- strerror(errno));
1745- exit(1);
1746- }
1747- }
1748- else if (optind < argc) {
1749- fprintf(stderr, "Unknown arguments found on commandline\n");
1750- exit(1);
1751- }
1752- else in = stdin;
1753-
1754- /* Grab standard input. */
1755- while (fgets(buffer, sizeof(buffer), in)) {
1756- int ret = 0;
1757-
1758- line++;
1759- if (buffer[0] == '\n')
1760- continue;
1761- else if (buffer[0] == '#') {
1762- if (verbose)
1763- fputs(buffer, stdout);
1764- continue;
1765- } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
1766- if (!testing) {
1767- DEBUGP("Calling commit\n");
1768- ret = ip6tc_commit(handle);
1769- ip6tc_free(handle);
1770- handle = NULL;
1771- } else {
1772- DEBUGP("Not calling commit, testing\n");
1773- ret = 1;
1774- }
1775- in_table = 0;
1776- } else if ((buffer[0] == '*') && (!in_table)) {
1777- /* New table */
1778- char *table;
1779-
1780- table = strtok(buffer+1, " \t\n");
1781- DEBUGP("line %u, table '%s'\n", line, table);
1782- if (!table) {
1783- xtables_error(PARAMETER_PROBLEM,
1784- "%s: line %u table name invalid\n",
1785- ip6tables_globals.program_name,
1786- line);
1787- exit(1);
1788- }
1789- strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
1790- curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
1791-
1792- if (handle)
1793- ip6tc_free(handle);
1794-
1795- handle = create_handle(table);
1796- if (noflush == 0) {
1797- DEBUGP("Cleaning all chains of table '%s'\n",
1798- table);
1799- for_each_chain6(flush_entries6, verbose, 1,
1800- handle);
1801-
1802- DEBUGP("Deleting all user-defined chains "
1803- "of table '%s'\n", table);
1804- for_each_chain6(delete_chain6, verbose, 0,
1805- handle);
1806- }
1807-
1808- ret = 1;
1809- in_table = 1;
1810-
1811- } else if ((buffer[0] == ':') && (in_table)) {
1812- /* New chain. */
1813- char *policy, *chain;
1814-
1815- chain = strtok(buffer+1, " \t\n");
1816- DEBUGP("line %u, chain '%s'\n", line, chain);
1817- if (!chain) {
1818- xtables_error(PARAMETER_PROBLEM,
1819- "%s: line %u chain name invalid\n",
1820- ip6tables_globals.program_name,
1821- line);
1822- exit(1);
1823- }
1824-
1825- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
1826- xtables_error(PARAMETER_PROBLEM,
1827- "Invalid chain name `%s' "
1828- "(%u chars max)",
1829- chain, XT_EXTENSION_MAXNAMELEN - 1);
1830-
1831- if (ip6tc_builtin(chain, handle) <= 0) {
1832- if (noflush && ip6tc_is_chain(chain, handle)) {
1833- DEBUGP("Flushing existing user defined chain '%s'\n", chain);
1834- if (!ip6tc_flush_entries(chain, handle))
1835- xtables_error(PARAMETER_PROBLEM,
1836- "error flushing chain "
1837- "'%s':%s\n", chain,
1838- strerror(errno));
1839- } else {
1840- DEBUGP("Creating new chain '%s'\n", chain);
1841- if (!ip6tc_create_chain(chain, handle))
1842- xtables_error(PARAMETER_PROBLEM,
1843- "error creating chain "
1844- "'%s':%s\n", chain,
1845- strerror(errno));
1846- }
1847- }
1848-
1849- policy = strtok(NULL, " \t\n");
1850- DEBUGP("line %u, policy '%s'\n", line, policy);
1851- if (!policy) {
1852- xtables_error(PARAMETER_PROBLEM,
1853- "%s: line %u policy invalid\n",
1854- ip6tables_globals.program_name,
1855- line);
1856- exit(1);
1857- }
1858-
1859- if (strcmp(policy, "-") != 0) {
1860- struct ip6t_counters count;
1861-
1862- if (counters) {
1863- char *ctrs;
1864- ctrs = strtok(NULL, " \t\n");
1865-
1866- if (!ctrs || !parse_counters(ctrs, &count))
1867- xtables_error(PARAMETER_PROBLEM,
1868- "invalid policy counters "
1869- "for chain '%s'\n", chain);
1870-
1871- } else {
1872- memset(&count, 0,
1873- sizeof(struct ip6t_counters));
1874- }
1875-
1876- DEBUGP("Setting policy of chain %s to %s\n",
1877- chain, policy);
1878-
1879- if (!ip6tc_set_policy(chain, policy, &count,
1880- handle))
1881- xtables_error(OTHER_PROBLEM,
1882- "Can't set policy `%s'"
1883- " on `%s' line %u: %s\n",
1884- policy, chain, line,
1885- ip6tc_strerror(errno));
1886- }
1887-
1888- ret = 1;
1889-
1890- } else if (in_table) {
1891- int a;
1892- char *ptr = buffer;
1893- char *pcnt = NULL;
1894- char *bcnt = NULL;
1895- char *parsestart;
1896-
1897- /* the parser */
1898- char *curchar;
1899- int quote_open, escaped;
1900- size_t param_len;
1901-
1902- /* reset the newargv */
1903- newargc = 0;
1904-
1905- if (buffer[0] == '[') {
1906- /* we have counters in our input */
1907- ptr = strchr(buffer, ']');
1908- if (!ptr)
1909- xtables_error(PARAMETER_PROBLEM,
1910- "Bad line %u: need ]\n",
1911- line);
1912-
1913- pcnt = strtok(buffer+1, ":");
1914- if (!pcnt)
1915- xtables_error(PARAMETER_PROBLEM,
1916- "Bad line %u: need :\n",
1917- line);
1918-
1919- bcnt = strtok(NULL, "]");
1920- if (!bcnt)
1921- xtables_error(PARAMETER_PROBLEM,
1922- "Bad line %u: need ]\n",
1923- line);
1924-
1925- /* start command parsing after counter */
1926- parsestart = ptr + 1;
1927- } else {
1928- /* start command parsing at start of line */
1929- parsestart = buffer;
1930- }
1931-
1932- add_argv(argv[0]);
1933- add_argv("-t");
1934- add_argv(curtable);
1935-
1936- if (counters && pcnt && bcnt) {
1937- add_argv("--set-counters");
1938- add_argv((char *) pcnt);
1939- add_argv((char *) bcnt);
1940- }
1941-
1942- /* After fighting with strtok enough, here's now
1943- * a 'real' parser. According to Rusty I'm now no
1944- * longer a real hacker, but I can live with that */
1945-
1946- quote_open = 0;
1947- escaped = 0;
1948- param_len = 0;
1949-
1950- for (curchar = parsestart; *curchar; curchar++) {
1951- char param_buffer[1024];
1952-
1953- if (quote_open) {
1954- if (escaped) {
1955- param_buffer[param_len++] = *curchar;
1956- escaped = 0;
1957- continue;
1958- } else if (*curchar == '\\') {
1959- escaped = 1;
1960- continue;
1961- } else if (*curchar == '"') {
1962- quote_open = 0;
1963- *curchar = ' ';
1964- } else {
1965- param_buffer[param_len++] = *curchar;
1966- continue;
1967- }
1968- } else {
1969- if (*curchar == '"') {
1970- quote_open = 1;
1971- continue;
1972- }
1973- }
1974-
1975- if (*curchar == ' '
1976- || *curchar == '\t'
1977- || * curchar == '\n') {
1978- if (!param_len) {
1979- /* two spaces? */
1980- continue;
1981- }
1982-
1983- param_buffer[param_len] = '\0';
1984-
1985- /* check if table name specified */
1986- if (!strncmp(param_buffer, "-t", 2)
1987- || !strncmp(param_buffer, "--table", 8)) {
1988- xtables_error(PARAMETER_PROBLEM,
1989- "Line %u seems to have a "
1990- "-t table option.\n", line);
1991- exit(1);
1992- }
1993-
1994- add_argv(param_buffer);
1995- param_len = 0;
1996- } else {
1997- /* regular character, copy to buffer */
1998- param_buffer[param_len++] = *curchar;
1999-
2000- if (param_len >= sizeof(param_buffer))
2001- xtables_error(PARAMETER_PROBLEM,
2002- "Parameter too long!");
2003- }
2004- }
2005-
2006- DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
2007- newargc, curtable);
2008-
2009- for (a = 0; a < newargc; a++)
2010- DEBUGP("argv[%u]: %s\n", a, newargv[a]);
2011-
2012- ret = do_command6(newargc, newargv,
2013- &newargv[2], &handle);
2014-
2015- free_argv();
2016- fflush(stdout);
2017- }
2018- if (!ret) {
2019- fprintf(stderr, "%s: line %u failed\n",
2020- ip6tables_globals.program_name,
2021- line);
2022- exit(1);
2023- }
2024- }
2025- if (in_table) {
2026- fprintf(stderr, "%s: COMMIT expected at line %u\n",
2027- ip6tables_globals.program_name,
2028- line + 1);
2029- exit(1);
2030- }
2031-
2032- fclose(in);
2033- return 0;
2034-}
2035
2036=== removed file '.pc/9004-argv-is-null.patch/iptables/iptables-restore.c'
2037--- .pc/9004-argv-is-null.patch/iptables/iptables-restore.c 2012-07-20 15:45:01 +0000
2038+++ .pc/9004-argv-is-null.patch/iptables/iptables-restore.c 1970-01-01 00:00:00 +0000
2039@@ -1,470 +0,0 @@
2040-/* Code to restore the iptables state, from file by iptables-save.
2041- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
2042- * based on previous code from Rusty Russell <rusty@linuxcare.com.au>
2043- *
2044- * This code is distributed under the terms of GNU GPL v2
2045- */
2046-
2047-#include <getopt.h>
2048-#include <sys/errno.h>
2049-#include <stdbool.h>
2050-#include <string.h>
2051-#include <stdio.h>
2052-#include <stdlib.h>
2053-#include "iptables.h"
2054-#include "xtables.h"
2055-#include "libiptc/libiptc.h"
2056-#include "iptables-multi.h"
2057-
2058-#ifdef DEBUG
2059-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
2060-#else
2061-#define DEBUGP(x, args...)
2062-#endif
2063-
2064-static int binary = 0, counters = 0, verbose = 0, noflush = 0;
2065-
2066-/* Keeping track of external matches and targets. */
2067-static const struct option options[] = {
2068- {.name = "binary", .has_arg = false, .val = 'b'},
2069- {.name = "counters", .has_arg = false, .val = 'c'},
2070- {.name = "verbose", .has_arg = false, .val = 'v'},
2071- {.name = "test", .has_arg = false, .val = 't'},
2072- {.name = "help", .has_arg = false, .val = 'h'},
2073- {.name = "noflush", .has_arg = false, .val = 'n'},
2074- {.name = "modprobe", .has_arg = true, .val = 'M'},
2075- {.name = "table", .has_arg = true, .val = 'T'},
2076- {NULL},
2077-};
2078-
2079-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
2080-
2081-#define prog_name iptables_globals.program_name
2082-
2083-static void print_usage(const char *name, const char *version)
2084-{
2085- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
2086- " [ --binary ]\n"
2087- " [ --counters ]\n"
2088- " [ --verbose ]\n"
2089- " [ --test ]\n"
2090- " [ --help ]\n"
2091- " [ --noflush ]\n"
2092- " [ --table=<TABLE> ]\n"
2093- " [ --modprobe=<command>]\n", name);
2094-
2095- exit(1);
2096-}
2097-
2098-static struct iptc_handle *create_handle(const char *tablename)
2099-{
2100- struct iptc_handle *handle;
2101-
2102- handle = iptc_init(tablename);
2103-
2104- if (!handle) {
2105- /* try to insmod the module if iptc_init failed */
2106- xtables_load_ko(xtables_modprobe_program, false);
2107- handle = iptc_init(tablename);
2108- }
2109-
2110- if (!handle) {
2111- xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
2112- "table '%s'\n", prog_name, tablename);
2113- exit(1);
2114- }
2115- return handle;
2116-}
2117-
2118-static int parse_counters(char *string, struct ipt_counters *ctr)
2119-{
2120- unsigned long long pcnt, bcnt;
2121- int ret;
2122-
2123- ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
2124- ctr->pcnt = pcnt;
2125- ctr->bcnt = bcnt;
2126- return ret == 2;
2127-}
2128-
2129-/* global new argv and argc */
2130-static char *newargv[255];
2131-static int newargc;
2132-
2133-/* function adding one argument to newargv, updating newargc
2134- * returns true if argument added, false otherwise */
2135-static int add_argv(char *what) {
2136- DEBUGP("add_argv: %s\n", what);
2137- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
2138- newargv[newargc] = strdup(what);
2139- newargc++;
2140- return 1;
2141- } else {
2142- xtables_error(PARAMETER_PROBLEM,
2143- "Parser cannot handle more arguments\n");
2144- return 0;
2145- }
2146-}
2147-
2148-static void free_argv(void) {
2149- int i;
2150-
2151- for (i = 0; i < newargc; i++)
2152- free(newargv[i]);
2153-}
2154-
2155-#ifdef IPTABLES_MULTI
2156-int
2157-iptables_restore_main(int argc, char *argv[])
2158-#else
2159-int
2160-main(int argc, char *argv[])
2161-#endif
2162-{
2163- struct iptc_handle *handle = NULL;
2164- char buffer[10240];
2165- int c;
2166- char curtable[IPT_TABLE_MAXNAMELEN + 1];
2167- FILE *in;
2168- int in_table = 0, testing = 0;
2169- const char *tablename = NULL;
2170-
2171- line = 0;
2172-
2173- iptables_globals.program_name = "iptables-restore";
2174- c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
2175- if (c < 0) {
2176- fprintf(stderr, "%s/%s Failed to initialize xtables\n",
2177- iptables_globals.program_name,
2178- iptables_globals.program_version);
2179- exit(1);
2180- }
2181-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
2182- init_extensions();
2183- init_extensions4();
2184-#endif
2185-
2186- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
2187- switch (c) {
2188- case 'b':
2189- binary = 1;
2190- break;
2191- case 'c':
2192- counters = 1;
2193- break;
2194- case 'v':
2195- verbose = 1;
2196- break;
2197- case 't':
2198- testing = 1;
2199- break;
2200- case 'h':
2201- print_usage("iptables-restore",
2202- IPTABLES_VERSION);
2203- break;
2204- case 'n':
2205- noflush = 1;
2206- break;
2207- case 'M':
2208- xtables_modprobe_program = optarg;
2209- break;
2210- case 'T':
2211- tablename = optarg;
2212- break;
2213- }
2214- }
2215-
2216- if (optind == argc - 1) {
2217- in = fopen(argv[optind], "re");
2218- if (!in) {
2219- fprintf(stderr, "Can't open %s: %s\n", argv[optind],
2220- strerror(errno));
2221- exit(1);
2222- }
2223- }
2224- else if (optind < argc) {
2225- fprintf(stderr, "Unknown arguments found on commandline\n");
2226- exit(1);
2227- }
2228- else in = stdin;
2229-
2230- /* Grab standard input. */
2231- while (fgets(buffer, sizeof(buffer), in)) {
2232- int ret = 0;
2233-
2234- line++;
2235- if (buffer[0] == '\n')
2236- continue;
2237- else if (buffer[0] == '#') {
2238- if (verbose)
2239- fputs(buffer, stdout);
2240- continue;
2241- } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
2242- if (!testing) {
2243- DEBUGP("Calling commit\n");
2244- ret = iptc_commit(handle);
2245- iptc_free(handle);
2246- handle = NULL;
2247- } else {
2248- DEBUGP("Not calling commit, testing\n");
2249- ret = 1;
2250- }
2251- in_table = 0;
2252- } else if ((buffer[0] == '*') && (!in_table)) {
2253- /* New table */
2254- char *table;
2255-
2256- table = strtok(buffer+1, " \t\n");
2257- DEBUGP("line %u, table '%s'\n", line, table);
2258- if (!table) {
2259- xtables_error(PARAMETER_PROBLEM,
2260- "%s: line %u table name invalid\n",
2261- prog_name, line);
2262- exit(1);
2263- }
2264- strncpy(curtable, table, IPT_TABLE_MAXNAMELEN);
2265- curtable[IPT_TABLE_MAXNAMELEN] = '\0';
2266-
2267- if (tablename && (strcmp(tablename, table) != 0))
2268- continue;
2269- if (handle)
2270- iptc_free(handle);
2271-
2272- handle = create_handle(table);
2273- if (noflush == 0) {
2274- DEBUGP("Cleaning all chains of table '%s'\n",
2275- table);
2276- for_each_chain4(flush_entries4, verbose, 1,
2277- handle);
2278-
2279- DEBUGP("Deleting all user-defined chains "
2280- "of table '%s'\n", table);
2281- for_each_chain4(delete_chain4, verbose, 0,
2282- handle);
2283- }
2284-
2285- ret = 1;
2286- in_table = 1;
2287-
2288- } else if ((buffer[0] == ':') && (in_table)) {
2289- /* New chain. */
2290- char *policy, *chain;
2291-
2292- chain = strtok(buffer+1, " \t\n");
2293- DEBUGP("line %u, chain '%s'\n", line, chain);
2294- if (!chain) {
2295- xtables_error(PARAMETER_PROBLEM,
2296- "%s: line %u chain name invalid\n",
2297- prog_name, line);
2298- exit(1);
2299- }
2300-
2301- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
2302- xtables_error(PARAMETER_PROBLEM,
2303- "Invalid chain name `%s' "
2304- "(%u chars max)",
2305- chain, XT_EXTENSION_MAXNAMELEN - 1);
2306-
2307- if (iptc_builtin(chain, handle) <= 0) {
2308- if (noflush && iptc_is_chain(chain, handle)) {
2309- DEBUGP("Flushing existing user defined chain '%s'\n", chain);
2310- if (!iptc_flush_entries(chain, handle))
2311- xtables_error(PARAMETER_PROBLEM,
2312- "error flushing chain "
2313- "'%s':%s\n", chain,
2314- strerror(errno));
2315- } else {
2316- DEBUGP("Creating new chain '%s'\n", chain);
2317- if (!iptc_create_chain(chain, handle))
2318- xtables_error(PARAMETER_PROBLEM,
2319- "error creating chain "
2320- "'%s':%s\n", chain,
2321- strerror(errno));
2322- }
2323- }
2324-
2325- policy = strtok(NULL, " \t\n");
2326- DEBUGP("line %u, policy '%s'\n", line, policy);
2327- if (!policy) {
2328- xtables_error(PARAMETER_PROBLEM,
2329- "%s: line %u policy invalid\n",
2330- prog_name, line);
2331- exit(1);
2332- }
2333-
2334- if (strcmp(policy, "-") != 0) {
2335- struct ipt_counters count;
2336-
2337- if (counters) {
2338- char *ctrs;
2339- ctrs = strtok(NULL, " \t\n");
2340-
2341- if (!ctrs || !parse_counters(ctrs, &count))
2342- xtables_error(PARAMETER_PROBLEM,
2343- "invalid policy counters "
2344- "for chain '%s'\n", chain);
2345-
2346- } else {
2347- memset(&count, 0,
2348- sizeof(struct ipt_counters));
2349- }
2350-
2351- DEBUGP("Setting policy of chain %s to %s\n",
2352- chain, policy);
2353-
2354- if (!iptc_set_policy(chain, policy, &count,
2355- handle))
2356- xtables_error(OTHER_PROBLEM,
2357- "Can't set policy `%s'"
2358- " on `%s' line %u: %s\n",
2359- policy, chain, line,
2360- iptc_strerror(errno));
2361- }
2362-
2363- ret = 1;
2364-
2365- } else if (in_table) {
2366- int a;
2367- char *ptr = buffer;
2368- char *pcnt = NULL;
2369- char *bcnt = NULL;
2370- char *parsestart;
2371-
2372- /* the parser */
2373- char *curchar;
2374- int quote_open, escaped;
2375- size_t param_len;
2376-
2377- /* reset the newargv */
2378- newargc = 0;
2379-
2380- if (buffer[0] == '[') {
2381- /* we have counters in our input */
2382- ptr = strchr(buffer, ']');
2383- if (!ptr)
2384- xtables_error(PARAMETER_PROBLEM,
2385- "Bad line %u: need ]\n",
2386- line);
2387-
2388- pcnt = strtok(buffer+1, ":");
2389- if (!pcnt)
2390- xtables_error(PARAMETER_PROBLEM,
2391- "Bad line %u: need :\n",
2392- line);
2393-
2394- bcnt = strtok(NULL, "]");
2395- if (!bcnt)
2396- xtables_error(PARAMETER_PROBLEM,
2397- "Bad line %u: need ]\n",
2398- line);
2399-
2400- /* start command parsing after counter */
2401- parsestart = ptr + 1;
2402- } else {
2403- /* start command parsing at start of line */
2404- parsestart = buffer;
2405- }
2406-
2407- add_argv(argv[0]);
2408- add_argv("-t");
2409- add_argv(curtable);
2410-
2411- if (counters && pcnt && bcnt) {
2412- add_argv("--set-counters");
2413- add_argv((char *) pcnt);
2414- add_argv((char *) bcnt);
2415- }
2416-
2417- /* After fighting with strtok enough, here's now
2418- * a 'real' parser. According to Rusty I'm now no
2419- * longer a real hacker, but I can live with that */
2420-
2421- quote_open = 0;
2422- escaped = 0;
2423- param_len = 0;
2424-
2425- for (curchar = parsestart; *curchar; curchar++) {
2426- char param_buffer[1024];
2427-
2428- if (quote_open) {
2429- if (escaped) {
2430- param_buffer[param_len++] = *curchar;
2431- escaped = 0;
2432- continue;
2433- } else if (*curchar == '\\') {
2434- escaped = 1;
2435- continue;
2436- } else if (*curchar == '"') {
2437- quote_open = 0;
2438- *curchar = ' ';
2439- } else {
2440- param_buffer[param_len++] = *curchar;
2441- continue;
2442- }
2443- } else {
2444- if (*curchar == '"') {
2445- quote_open = 1;
2446- continue;
2447- }
2448- }
2449-
2450- if (*curchar == ' '
2451- || *curchar == '\t'
2452- || * curchar == '\n') {
2453- if (!param_len) {
2454- /* two spaces? */
2455- continue;
2456- }
2457-
2458- param_buffer[param_len] = '\0';
2459-
2460- /* check if table name specified */
2461- if (!strncmp(param_buffer, "-t", 2)
2462- || !strncmp(param_buffer, "--table", 8)) {
2463- xtables_error(PARAMETER_PROBLEM,
2464- "Line %u seems to have a "
2465- "-t table option.\n", line);
2466- exit(1);
2467- }
2468-
2469- add_argv(param_buffer);
2470- param_len = 0;
2471- } else {
2472- /* regular character, copy to buffer */
2473- param_buffer[param_len++] = *curchar;
2474-
2475- if (param_len >= sizeof(param_buffer))
2476- xtables_error(PARAMETER_PROBLEM,
2477- "Parameter too long!");
2478- }
2479- }
2480-
2481- DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
2482- newargc, curtable);
2483-
2484- for (a = 0; a < newargc; a++)
2485- DEBUGP("argv[%u]: %s\n", a, newargv[a]);
2486-
2487- ret = do_command4(newargc, newargv,
2488- &newargv[2], &handle);
2489-
2490- free_argv();
2491- fflush(stdout);
2492- }
2493- if (tablename && (strcmp(tablename, curtable) != 0))
2494- continue;
2495- if (!ret) {
2496- fprintf(stderr, "%s: line %u failed\n",
2497- prog_name, line);
2498- exit(1);
2499- }
2500- }
2501- if (in_table) {
2502- fprintf(stderr, "%s: COMMIT expected at line %u\n",
2503- prog_name, line + 1);
2504- exit(1);
2505- }
2506-
2507- fclose(in);
2508- return 0;
2509-}
2510
2511=== removed directory '.pc/9005-lp1027252-fixrestore.patch'
2512=== removed directory '.pc/9005-lp1027252-fixrestore.patch/iptables'
2513=== removed file '.pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c'
2514--- .pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c 2012-07-20 15:45:01 +0000
2515+++ .pc/9005-lp1027252-fixrestore.patch/iptables/ip6tables-restore.c 1970-01-01 00:00:00 +0000
2516@@ -1,465 +0,0 @@
2517-/* Code to restore the iptables state, from file by ip6tables-save.
2518- * Author: Andras Kis-Szabo <kisza@sch.bme.hu>
2519- *
2520- * based on iptables-restore
2521- * Authors:
2522- * Harald Welte <laforge@gnumonks.org>
2523- * Rusty Russell <rusty@linuxcare.com.au>
2524- * This code is distributed under the terms of GNU GPL v2
2525- */
2526-
2527-#include <getopt.h>
2528-#include <sys/errno.h>
2529-#include <stdbool.h>
2530-#include <string.h>
2531-#include <stdio.h>
2532-#include <stdlib.h>
2533-#include "ip6tables.h"
2534-#include "xtables.h"
2535-#include "libiptc/libip6tc.h"
2536-#include "ip6tables-multi.h"
2537-
2538-#ifdef DEBUG
2539-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
2540-#else
2541-#define DEBUGP(x, args...)
2542-#endif
2543-
2544-static int binary = 0, counters = 0, verbose = 0, noflush = 0;
2545-
2546-/* Keeping track of external matches and targets. */
2547-static const struct option options[] = {
2548- {.name = "binary", .has_arg = false, .val = 'b'},
2549- {.name = "counters", .has_arg = false, .val = 'c'},
2550- {.name = "verbose", .has_arg = false, .val = 'v'},
2551- {.name = "test", .has_arg = false, .val = 't'},
2552- {.name = "help", .has_arg = false, .val = 'h'},
2553- {.name = "noflush", .has_arg = false, .val = 'n'},
2554- {.name = "modprobe", .has_arg = true, .val = 'M'},
2555- {NULL},
2556-};
2557-
2558-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
2559-
2560-static void print_usage(const char *name, const char *version)
2561-{
2562- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
2563- " [ --binary ]\n"
2564- " [ --counters ]\n"
2565- " [ --verbose ]\n"
2566- " [ --test ]\n"
2567- " [ --help ]\n"
2568- " [ --noflush ]\n"
2569- " [ --modprobe=<command>]\n", name);
2570-
2571- exit(1);
2572-}
2573-
2574-static struct ip6tc_handle *create_handle(const char *tablename)
2575-{
2576- struct ip6tc_handle *handle;
2577-
2578- handle = ip6tc_init(tablename);
2579-
2580- if (!handle) {
2581- /* try to insmod the module if iptc_init failed */
2582- xtables_load_ko(xtables_modprobe_program, false);
2583- handle = ip6tc_init(tablename);
2584- }
2585-
2586- if (!handle) {
2587- xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
2588- "table '%s'\n", ip6tables_globals.program_name,
2589- tablename);
2590- exit(1);
2591- }
2592- return handle;
2593-}
2594-
2595-static int parse_counters(char *string, struct ip6t_counters *ctr)
2596-{
2597- unsigned long long pcnt, bcnt;
2598- int ret;
2599-
2600- ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
2601- ctr->pcnt = pcnt;
2602- ctr->bcnt = bcnt;
2603- return ret == 2;
2604-}
2605-
2606-/* global new argv and argc */
2607-static char *newargv[255];
2608-static int newargc;
2609-
2610-/* function adding one argument to newargv, updating newargc
2611- * returns true if argument added, false otherwise */
2612-static int add_argv(char *what) {
2613- DEBUGP("add_argv: %s\n", what);
2614- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
2615- newargv[newargc] = strdup(what);
2616- newargv[++newargc] = NULL;
2617- return 1;
2618- } else {
2619- xtables_error(PARAMETER_PROBLEM,
2620- "Parser cannot handle more arguments\n");
2621- return 0;
2622- }
2623-}
2624-
2625-static void free_argv(void) {
2626- int i;
2627-
2628- for (i = 0; i < newargc; i++)
2629- free(newargv[i]);
2630-}
2631-
2632-#ifdef IPTABLES_MULTI
2633-int ip6tables_restore_main(int argc, char *argv[])
2634-#else
2635-int main(int argc, char *argv[])
2636-#endif
2637-{
2638- struct ip6tc_handle *handle = NULL;
2639- char buffer[10240];
2640- int c;
2641- char curtable[IP6T_TABLE_MAXNAMELEN + 1];
2642- FILE *in;
2643- int in_table = 0, testing = 0;
2644-
2645- line = 0;
2646-
2647- ip6tables_globals.program_name = "ip6tables-restore";
2648- c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
2649- if (c < 0) {
2650- fprintf(stderr, "%s/%s Failed to initialize xtables\n",
2651- ip6tables_globals.program_name,
2652- ip6tables_globals.program_version);
2653- exit(1);
2654- }
2655-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
2656- init_extensions();
2657- init_extensions6();
2658-#endif
2659-
2660- while ((c = getopt_long(argc, argv, "bcvthnM:", options, NULL)) != -1) {
2661- switch (c) {
2662- case 'b':
2663- binary = 1;
2664- break;
2665- case 'c':
2666- counters = 1;
2667- break;
2668- case 'v':
2669- verbose = 1;
2670- break;
2671- case 't':
2672- testing = 1;
2673- break;
2674- case 'h':
2675- print_usage("ip6tables-restore",
2676- IPTABLES_VERSION);
2677- break;
2678- case 'n':
2679- noflush = 1;
2680- break;
2681- case 'M':
2682- xtables_modprobe_program = optarg;
2683- break;
2684- }
2685- }
2686-
2687- if (optind == argc - 1) {
2688- in = fopen(argv[optind], "re");
2689- if (!in) {
2690- fprintf(stderr, "Can't open %s: %s\n", argv[optind],
2691- strerror(errno));
2692- exit(1);
2693- }
2694- }
2695- else if (optind < argc) {
2696- fprintf(stderr, "Unknown arguments found on commandline\n");
2697- exit(1);
2698- }
2699- else in = stdin;
2700-
2701- /* Grab standard input. */
2702- while (fgets(buffer, sizeof(buffer), in)) {
2703- int ret = 0;
2704-
2705- line++;
2706- if (buffer[0] == '\n')
2707- continue;
2708- else if (buffer[0] == '#') {
2709- if (verbose)
2710- fputs(buffer, stdout);
2711- continue;
2712- } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
2713- if (!testing) {
2714- DEBUGP("Calling commit\n");
2715- ret = ip6tc_commit(handle);
2716- ip6tc_free(handle);
2717- handle = NULL;
2718- } else {
2719- DEBUGP("Not calling commit, testing\n");
2720- ret = 1;
2721- }
2722- in_table = 0;
2723- } else if ((buffer[0] == '*') && (!in_table)) {
2724- /* New table */
2725- char *table;
2726-
2727- table = strtok(buffer+1, " \t\n");
2728- DEBUGP("line %u, table '%s'\n", line, table);
2729- if (!table) {
2730- xtables_error(PARAMETER_PROBLEM,
2731- "%s: line %u table name invalid\n",
2732- ip6tables_globals.program_name,
2733- line);
2734- exit(1);
2735- }
2736- strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
2737- curtable[IP6T_TABLE_MAXNAMELEN] = '\0';
2738-
2739- if (handle)
2740- ip6tc_free(handle);
2741-
2742- handle = create_handle(table);
2743- if (noflush == 0) {
2744- DEBUGP("Cleaning all chains of table '%s'\n",
2745- table);
2746- for_each_chain6(flush_entries6, verbose, 1,
2747- handle);
2748-
2749- DEBUGP("Deleting all user-defined chains "
2750- "of table '%s'\n", table);
2751- for_each_chain6(delete_chain6, verbose, 0,
2752- handle);
2753- }
2754-
2755- ret = 1;
2756- in_table = 1;
2757-
2758- } else if ((buffer[0] == ':') && (in_table)) {
2759- /* New chain. */
2760- char *policy, *chain;
2761-
2762- chain = strtok(buffer+1, " \t\n");
2763- DEBUGP("line %u, chain '%s'\n", line, chain);
2764- if (!chain) {
2765- xtables_error(PARAMETER_PROBLEM,
2766- "%s: line %u chain name invalid\n",
2767- ip6tables_globals.program_name,
2768- line);
2769- exit(1);
2770- }
2771-
2772- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
2773- xtables_error(PARAMETER_PROBLEM,
2774- "Invalid chain name `%s' "
2775- "(%u chars max)",
2776- chain, XT_EXTENSION_MAXNAMELEN - 1);
2777-
2778- if (ip6tc_builtin(chain, handle) <= 0) {
2779- if (noflush && ip6tc_is_chain(chain, handle)) {
2780- DEBUGP("Flushing existing user defined chain '%s'\n", chain);
2781- if (!ip6tc_flush_entries(chain, handle))
2782- xtables_error(PARAMETER_PROBLEM,
2783- "error flushing chain "
2784- "'%s':%s\n", chain,
2785- strerror(errno));
2786- } else {
2787- DEBUGP("Creating new chain '%s'\n", chain);
2788- if (!ip6tc_create_chain(chain, handle))
2789- xtables_error(PARAMETER_PROBLEM,
2790- "error creating chain "
2791- "'%s':%s\n", chain,
2792- strerror(errno));
2793- }
2794- }
2795-
2796- policy = strtok(NULL, " \t\n");
2797- DEBUGP("line %u, policy '%s'\n", line, policy);
2798- if (!policy) {
2799- xtables_error(PARAMETER_PROBLEM,
2800- "%s: line %u policy invalid\n",
2801- ip6tables_globals.program_name,
2802- line);
2803- exit(1);
2804- }
2805-
2806- if (strcmp(policy, "-") != 0) {
2807- struct ip6t_counters count;
2808-
2809- if (counters) {
2810- char *ctrs;
2811- ctrs = strtok(NULL, " \t\n");
2812-
2813- if (!ctrs || !parse_counters(ctrs, &count))
2814- xtables_error(PARAMETER_PROBLEM,
2815- "invalid policy counters "
2816- "for chain '%s'\n", chain);
2817-
2818- } else {
2819- memset(&count, 0,
2820- sizeof(struct ip6t_counters));
2821- }
2822-
2823- DEBUGP("Setting policy of chain %s to %s\n",
2824- chain, policy);
2825-
2826- if (!ip6tc_set_policy(chain, policy, &count,
2827- handle))
2828- xtables_error(OTHER_PROBLEM,
2829- "Can't set policy `%s'"
2830- " on `%s' line %u: %s\n",
2831- policy, chain, line,
2832- ip6tc_strerror(errno));
2833- }
2834-
2835- ret = 1;
2836-
2837- } else if (in_table) {
2838- int a;
2839- char *ptr = buffer;
2840- char *pcnt = NULL;
2841- char *bcnt = NULL;
2842- char *parsestart;
2843-
2844- /* the parser */
2845- char *curchar;
2846- int quote_open, escaped;
2847- size_t param_len;
2848-
2849- /* reset the newargv */
2850- newargc = 0;
2851-
2852- if (buffer[0] == '[') {
2853- /* we have counters in our input */
2854- ptr = strchr(buffer, ']');
2855- if (!ptr)
2856- xtables_error(PARAMETER_PROBLEM,
2857- "Bad line %u: need ]\n",
2858- line);
2859-
2860- pcnt = strtok(buffer+1, ":");
2861- if (!pcnt)
2862- xtables_error(PARAMETER_PROBLEM,
2863- "Bad line %u: need :\n",
2864- line);
2865-
2866- bcnt = strtok(NULL, "]");
2867- if (!bcnt)
2868- xtables_error(PARAMETER_PROBLEM,
2869- "Bad line %u: need ]\n",
2870- line);
2871-
2872- /* start command parsing after counter */
2873- parsestart = ptr + 1;
2874- } else {
2875- /* start command parsing at start of line */
2876- parsestart = buffer;
2877- }
2878-
2879- add_argv(argv[0]);
2880- add_argv("-t");
2881- add_argv(curtable);
2882-
2883- if (counters && pcnt && bcnt) {
2884- add_argv("--set-counters");
2885- add_argv((char *) pcnt);
2886- add_argv((char *) bcnt);
2887- }
2888-
2889- /* After fighting with strtok enough, here's now
2890- * a 'real' parser. According to Rusty I'm now no
2891- * longer a real hacker, but I can live with that */
2892-
2893- quote_open = 0;
2894- escaped = 0;
2895- param_len = 0;
2896-
2897- for (curchar = parsestart; *curchar; curchar++) {
2898- char param_buffer[1024];
2899-
2900- if (quote_open) {
2901- if (escaped) {
2902- param_buffer[param_len++] = *curchar;
2903- escaped = 0;
2904- continue;
2905- } else if (*curchar == '\\') {
2906- escaped = 1;
2907- continue;
2908- } else if (*curchar == '"') {
2909- quote_open = 0;
2910- *curchar = ' ';
2911- } else {
2912- param_buffer[param_len++] = *curchar;
2913- continue;
2914- }
2915- } else {
2916- if (*curchar == '"') {
2917- quote_open = 1;
2918- continue;
2919- }
2920- }
2921-
2922- if (*curchar == ' '
2923- || *curchar == '\t'
2924- || * curchar == '\n') {
2925- if (!param_len) {
2926- /* two spaces? */
2927- continue;
2928- }
2929-
2930- param_buffer[param_len] = '\0';
2931-
2932- /* check if table name specified */
2933- if (!strncmp(param_buffer, "-t", 2)
2934- || !strncmp(param_buffer, "--table", 8)) {
2935- xtables_error(PARAMETER_PROBLEM,
2936- "Line %u seems to have a "
2937- "-t table option.\n", line);
2938- exit(1);
2939- }
2940-
2941- add_argv(param_buffer);
2942- param_len = 0;
2943- } else {
2944- /* regular character, copy to buffer */
2945- param_buffer[param_len++] = *curchar;
2946-
2947- if (param_len >= sizeof(param_buffer))
2948- xtables_error(PARAMETER_PROBLEM,
2949- "Parameter too long!");
2950- }
2951- }
2952-
2953- DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
2954- newargc, curtable);
2955-
2956- for (a = 0; a < newargc; a++)
2957- DEBUGP("argv[%u]: %s\n", a, newargv[a]);
2958-
2959- ret = do_command6(newargc, newargv,
2960- &newargv[2], &handle);
2961-
2962- free_argv();
2963- fflush(stdout);
2964- }
2965- if (!ret) {
2966- fprintf(stderr, "%s: line %u failed\n",
2967- ip6tables_globals.program_name,
2968- line);
2969- exit(1);
2970- }
2971- }
2972- if (in_table) {
2973- fprintf(stderr, "%s: COMMIT expected at line %u\n",
2974- ip6tables_globals.program_name,
2975- line + 1);
2976- exit(1);
2977- }
2978-
2979- fclose(in);
2980- return 0;
2981-}
2982
2983=== removed file '.pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c'
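--- a/.pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c
+++ b/.pc/9005-lp1027252-fixrestore.patch/iptables/iptables-restore.c
@@ -1,470 +0,0 @@
-/* Code to restore the iptables state, from file by iptables-save.
- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
- * based on previous code from Rusty Russell <rusty@linuxcare.com.au>
- *
- * This code is distributed under the terms of GNU GPL v2
- */
-
-#include <getopt.h>
-#include <sys/errno.h>
-#include <stdbool.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include "iptables.h"
-#include "xtables.h"
-#include "libiptc/libiptc.h"
-#include "iptables-multi.h"
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
-static int binary = 0, counters = 0, verbose = 0, noflush = 0;
-
-/* Keeping track of external matches and targets. */
-static const struct option options[] = {
- {.name = "binary", .has_arg = false, .val = 'b'},
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "verbose", .has_arg = false, .val = 'v'},
- {.name = "test", .has_arg = false, .val = 't'},
- {.name = "help", .has_arg = false, .val = 'h'},
- {.name = "noflush", .has_arg = false, .val = 'n'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {.name = "table", .has_arg = true, .val = 'T'},
- {NULL},
-};
-
-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
-
-#define prog_name iptables_globals.program_name
-
-static void print_usage(const char *name, const char *version)
-{
- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n"
- " [ --binary ]\n"
- " [ --counters ]\n"
- " [ --verbose ]\n"
- " [ --test ]\n"
- " [ --help ]\n"
- " [ --noflush ]\n"
- " [ --table=<TABLE> ]\n"
- " [ --modprobe=<command>]\n", name);
-
- exit(1);
-}
-
-static struct iptc_handle *create_handle(const char *tablename)
-{
- struct iptc_handle *handle;
-
- handle = iptc_init(tablename);
-
- if (!handle) {
- /* try to insmod the module if iptc_init failed */
- xtables_load_ko(xtables_modprobe_program, false);
- handle = iptc_init(tablename);
- }
-
- if (!handle) {
- xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
- "table '%s'\n", prog_name, tablename);
- exit(1);
- }
- return handle;
-}
-
-static int parse_counters(char *string, struct ipt_counters *ctr)
-{
- unsigned long long pcnt, bcnt;
- int ret;
-
- ret = sscanf(string, "[%llu:%llu]", &pcnt, &bcnt);
- ctr->pcnt = pcnt;
- ctr->bcnt = bcnt;
- return ret == 2;
-}
-
-/* global new argv and argc */
-static char *newargv[255];
-static int newargc;
-
-/* function adding one argument to newargv, updating newargc
- * returns true if argument added, false otherwise */
-static int add_argv(char *what) {
- DEBUGP("add_argv: %s\n", what);
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
- newargv[newargc] = strdup(what);
- newargv[++newargc] = NULL;
- return 1;
- } else {
- xtables_error(PARAMETER_PROBLEM,
- "Parser cannot handle more arguments\n");
- return 0;
- }
-}
-
-static void free_argv(void) {
- int i;
-
- for (i = 0; i < newargc; i++)
- free(newargv[i]);
-}
-
-#ifdef IPTABLES_MULTI
-int
-iptables_restore_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
-{
- struct iptc_handle *handle = NULL;
- char buffer[10240];
- int c;
- char curtable[IPT_TABLE_MAXNAMELEN + 1];
- FILE *in;
- int in_table = 0, testing = 0;
- const char *tablename = NULL;
-
- line = 0;
-
- iptables_globals.program_name = "iptables-restore";
- c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
- if (c < 0) {
- fprintf(stderr, "%s/%s Failed to initialize xtables\n",
- iptables_globals.program_name,
- iptables_globals.program_version);
- exit(1);
- }
-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
- init_extensions();
- init_extensions4();
-#endif
-
- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
- switch (c) {
- case 'b':
- binary = 1;
- break;
- case 'c':
- counters = 1;
- break;
- case 'v':
- verbose = 1;
- break;
- case 't':
- testing = 1;
- break;
- case 'h':
- print_usage("iptables-restore",
- IPTABLES_VERSION);
- break;
- case 'n':
- noflush = 1;
- break;
- case 'M':
- xtables_modprobe_program = optarg;
- break;
- case 'T':
- tablename = optarg;
- break;
- }
- }
-
- if (optind == argc - 1) {
- in = fopen(argv[optind], "re");
- if (!in) {
- fprintf(stderr, "Can't open %s: %s\n", argv[optind],
- strerror(errno));
- exit(1);
- }
- }
- else if (optind < argc) {
- fprintf(stderr, "Unknown arguments found on commandline\n");
- exit(1);
- }
- else in = stdin;
-
- /* Grab standard input. */
- while (fgets(buffer, sizeof(buffer), in)) {
- int ret = 0;
-
- line++;
- if (buffer[0] == '\n')
- continue;
- else if (buffer[0] == '#') {
- if (verbose)
- fputs(buffer, stdout);
- continue;
- } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
- if (!testing) {
- DEBUGP("Calling commit\n");
- ret = iptc_commit(handle);
- iptc_free(handle);
- handle = NULL;
- } else {
- DEBUGP("Not calling commit, testing\n");
- ret = 1;
- }
- in_table = 0;
- } else if ((buffer[0] == '*') && (!in_table)) {
- /* New table */
- char *table;
-
- table = strtok(buffer+1, " \t\n");
- DEBUGP("line %u, table '%s'\n", line, table);
- if (!table) {
- xtables_error(PARAMETER_PROBLEM,
- "%s: line %u table name invalid\n",
- prog_name, line);
- exit(1);
- }
- strncpy(curtable, table, IPT_TABLE_MAXNAMELEN);
- curtable[IPT_TABLE_MAXNAMELEN] = '\0';
-
- if (tablename && (strcmp(tablename, table) != 0))
- continue;
- if (handle)
- iptc_free(handle);
-
- handle = create_handle(table);
- if (noflush == 0) {
- DEBUGP("Cleaning all chains of table '%s'\n",
- table);
- for_each_chain4(flush_entries4, verbose, 1,
- handle);
-
- DEBUGP("Deleting all user-defined chains "
- "of table '%s'\n", table);
- for_each_chain4(delete_chain4, verbose, 0,
- handle);
- }
-
- ret = 1;
- in_table = 1;
-
- } else if ((buffer[0] == ':') && (in_table)) {
- /* New chain. */
- char *policy, *chain;
-
- chain = strtok(buffer+1, " \t\n");
- DEBUGP("line %u, chain '%s'\n", line, chain);
- if (!chain) {
- xtables_error(PARAMETER_PROBLEM,
- "%s: line %u chain name invalid\n",
- prog_name, line);
- exit(1);
- }
-
- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s' "
- "(%u chars max)",
- chain, XT_EXTENSION_MAXNAMELEN - 1);
-
- if (iptc_builtin(chain, handle) <= 0) {
- if (noflush && iptc_is_chain(chain, handle)) {
- DEBUGP("Flushing existing user defined chain '%s'\n", chain);
- if (!iptc_flush_entries(chain, handle))
- xtables_error(PARAMETER_PROBLEM,
- "error flushing chain "
- "'%s':%s\n", chain,
- strerror(errno));
- } else {
- DEBUGP("Creating new chain '%s'\n", chain);
- if (!iptc_create_chain(chain, handle))
- xtables_error(PARAMETER_PROBLEM,
- "error creating chain "
- "'%s':%s\n", chain,
- strerror(errno));
- }
- }
-
- policy = strtok(NULL, " \t\n");
- DEBUGP("line %u, policy '%s'\n", line, policy);
- if (!policy) {
- xtables_error(PARAMETER_PROBLEM,
- "%s: line %u policy invalid\n",
- prog_name, line);
- exit(1);
- }
-
- if (strcmp(policy, "-") != 0) {
- struct ipt_counters count;
-
- if (counters) {
- char *ctrs;
- ctrs = strtok(NULL, " \t\n");
-
- if (!ctrs || !parse_counters(ctrs, &count))
- xtables_error(PARAMETER_PROBLEM,
- "invalid policy counters "
- "for chain '%s'\n", chain);
-
- } else {
- memset(&count, 0,
- sizeof(struct ipt_counters));
- }
-
- DEBUGP("Setting policy of chain %s to %s\n",
- chain, policy);
-
- if (!iptc_set_policy(chain, policy, &count,
- handle))
- xtables_error(OTHER_PROBLEM,
- "Can't set policy `%s'"
- " on `%s' line %u: %s\n",
- policy, chain, line,
- iptc_strerror(errno));
- }
-
- ret = 1;
-
- } else if (in_table) {
- int a;
- char *ptr = buffer;
- char *pcnt = NULL;
- char *bcnt = NULL;
- char *parsestart;
-
- /* the parser */
- char *curchar;
- int quote_open, escaped;
- size_t param_len;
-
- /* reset the newargv */
- newargc = 0;
-
- if (buffer[0] == '[') {
- /* we have counters in our input */
- ptr = strchr(buffer, ']');
- if (!ptr)
- xtables_error(PARAMETER_PROBLEM,
- "Bad line %u: need ]\n",
- line);
-
- pcnt = strtok(buffer+1, ":");
- if (!pcnt)
- xtables_error(PARAMETER_PROBLEM,
- "Bad line %u: need :\n",
- line);
-
- bcnt = strtok(NULL, "]");
- if (!bcnt)
- xtables_error(PARAMETER_PROBLEM,
- "Bad line %u: need ]\n",
- line);
-
- /* start command parsing after counter */
- parsestart = ptr + 1;
- } else {
- /* start command parsing at start of line */
- parsestart = buffer;
- }
-
- add_argv(argv[0]);
- add_argv("-t");
- add_argv(curtable);
-
- if (counters && pcnt && bcnt) {
- add_argv("--set-counters");
- add_argv((char *) pcnt);
- add_argv((char *) bcnt);
- }
-
- /* After fighting with strtok enough, here's now
- * a 'real' parser. According to Rusty I'm now no
- * longer a real hacker, but I can live with that */
-
- quote_open = 0;
- escaped = 0;
- param_len = 0;
-
- for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];
-
- if (quote_open) {
- if (escaped) {
- param_buffer[param_len++] = *curchar;
- escaped = 0;
- continue;
- } else if (*curchar == '\\') {
- escaped = 1;
- continue;
- } else if (*curchar == '"') {
- quote_open = 0;
- *curchar = ' ';
- } else {
- param_buffer[param_len++] = *curchar;
- continue;
- }
- } else {
- if (*curchar == '"') {
- quote_open = 1;
- continue;
- }
- }
-
- if (*curchar == ' '
- || *curchar == '\t'
- || * curchar == '\n') {
- if (!param_len) {
- /* two spaces? */
- continue;
- }
-
- param_buffer[param_len] = '\0';
-
- /* check if table name specified */
- if (!strncmp(param_buffer, "-t", 2)
- || !strncmp(param_buffer, "--table", 8)) {
- xtables_error(PARAMETER_PROBLEM,
- "Line %u seems to have a "
- "-t table option.\n", line);
- exit(1);
- }
-
- add_argv(param_buffer);
- param_len = 0;
- } else {
- /* regular character, copy to buffer */
- param_buffer[param_len++] = *curchar;
-
- if (param_len >= sizeof(param_buffer))
- xtables_error(PARAMETER_PROBLEM,
- "Parameter too long!");
- }
- }
-
- DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
- newargc, curtable);
-
- for (a = 0; a < newargc; a++)
- DEBUGP("argv[%u]: %s\n", a, newargv[a]);
-
- ret = do_command4(newargc, newargv,
- &newargv[2], &handle);
-
- free_argv();
- fflush(stdout);
- }
- if (tablename && (strcmp(tablename, curtable) != 0))
- continue;
- if (!ret) {
- fprintf(stderr, "%s: line %u failed\n",
- prog_name, line);
- exit(1);
- }
- }
- if (in_table) {
- fprintf(stderr, "%s: COMMIT expected at line %u\n",
- prog_name, line + 1);
- exit(1);
- }
-
- fclose(in);
- return 0;
-}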
3457
3458=== removed directory '.pc/9006-lp1042260-fix-inverted-physdev.patch'
3459=== removed directory '.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions'
3460=== removed file '.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c'
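--- a/.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c
+++ b/.pc/9006-lp1042260-fix-inverted-physdev.patch/extensions/libxt_physdev.c
@@ -1,148 +0,0 @@
-#include <stdio.h>
-#include <xtables.h>
-#include <linux/netfilter/xt_physdev.h>
-
-enum {
- O_PHYSDEV_IN = 0,
- O_PHYSDEV_OUT,
- O_PHYSDEV_IS_IN,
- O_PHYSDEV_IS_OUT,
- O_PHYSDEV_IS_BRIDGED,
-};
-
-static void physdev_help(void)
-{
- printf(
-"physdev match options:\n"
-" [!] --physdev-in inputname[+] bridge port name ([+] for wildcard)\n"
-" [!] --physdev-out outputname[+] bridge port name ([+] for wildcard)\n"
-" [!] --physdev-is-in arrived on a bridge device\n"
-" [!] --physdev-is-out will leave on a bridge device\n"
-" [!] --physdev-is-bridged it's a bridged packet\n");
-}
-
-#define s struct xt_physdev_info
-static const struct xt_option_entry physdev_opts[] = {
- {.name = "physdev-in", .id = O_PHYSDEV_IN, .type = XTTYPE_STRING,
- .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physindev)},
- {.name = "physdev-out", .id = O_PHYSDEV_OUT, .type = XTTYPE_STRING,
- .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, physoutdev)},
- {.name = "physdev-is-in", .id = O_PHYSDEV_IS_IN, .type = XTTYPE_NONE},
- {.name = "physdev-is-out", .id = O_PHYSDEV_IS_OUT,
- .type = XTTYPE_NONE},
- {.name = "physdev-is-bridged", .id = O_PHYSDEV_IS_BRIDGED,
- .type = XTTYPE_NONE},
- XTOPT_TABLEEND,
-};
-#undef s
-
-static void physdev_parse(struct xt_option_call *cb)
-{
- struct xt_physdev_info *info = cb->data;
-
- xtables_option_parse(cb);
- switch (cb->entry->id) {
- case O_PHYSDEV_IN:
- xtables_parse_interface(cb->arg, info->physindev,
- (unsigned char *)info->in_mask);
- if (cb->invert)
- info->invert |= XT_PHYSDEV_OP_IN;
- info->bitmask |= XT_PHYSDEV_OP_IN;
- break;
- case O_PHYSDEV_OUT:
- xtables_parse_interface(cb->arg, info->physoutdev,
- (unsigned char *)info->out_mask);
- if (cb->invert)
- info->invert |= XT_PHYSDEV_OP_OUT;
- info->bitmask |= XT_PHYSDEV_OP_OUT;
- break;
- case O_PHYSDEV_IS_IN:
- info->bitmask |= XT_PHYSDEV_OP_ISIN;
- if (cb->invert)
- info->invert |= XT_PHYSDEV_OP_ISIN;
- break;
- case O_PHYSDEV_IS_OUT:
- info->bitmask |= XT_PHYSDEV_OP_ISOUT;
- if (cb->invert)
- info->invert |= XT_PHYSDEV_OP_ISOUT;
- break;
- case O_PHYSDEV_IS_BRIDGED:
- if (cb->invert)
- info->invert |= XT_PHYSDEV_OP_BRIDGED;
- info->bitmask |= XT_PHYSDEV_OP_BRIDGED;
- break;
- }
-}
-
-static void physdev_check(struct xt_fcheck_call *cb)
-{
- if (cb->xflags == 0)
- xtables_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified");
-}
-
-static void
-physdev_print(const void *ip, const struct xt_entry_match *match, int numeric)
-{
- const struct xt_physdev_info *info = (const void *)match->data;
-
- printf(" PHYSDEV match");
- if (info->bitmask & XT_PHYSDEV_OP_ISIN)
- printf("%s --physdev-is-in",
- info->invert & XT_PHYSDEV_OP_ISIN ? " !":"");
- if (info->bitmask & XT_PHYSDEV_OP_IN)
- printf("%s --physdev-in %s",
- (info->invert & XT_PHYSDEV_OP_IN) ? " !":"", info->physindev);
-
- if (info->bitmask & XT_PHYSDEV_OP_ISOUT)
- printf("%s --physdev-is-out",
- info->invert & XT_PHYSDEV_OP_ISOUT ? " !":"");
- if (info->bitmask & XT_PHYSDEV_OP_OUT)
- printf("%s --physdev-out %s",
- (info->invert & XT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
- if (info->bitmask & XT_PHYSDEV_OP_BRIDGED)
- printf("%s --physdev-is-bridged",
- info->invert & XT_PHYSDEV_OP_BRIDGED ? " !":"");
-}
-
-static void physdev_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct xt_physdev_info *info = (const void *)match->data;
-
- if (info->bitmask & XT_PHYSDEV_OP_ISIN)
- printf("%s --physdev-is-in",
- (info->invert & XT_PHYSDEV_OP_ISIN) ? " !" : "");
- if (info->bitmask & XT_PHYSDEV_OP_IN)
- printf("%s --physdev-in %s",
- (info->invert & XT_PHYSDEV_OP_IN) ? " !" : "",
- info->physindev);
-
- if (info->bitmask & XT_PHYSDEV_OP_ISOUT)
- printf("%s --physdev-is-out",
- (info->invert & XT_PHYSDEV_OP_ISOUT) ? " !" : "");
- if (info->bitmask & XT_PHYSDEV_OP_OUT)
- printf("%s --physdev-out %s",
- (info->invert & XT_PHYSDEV_OP_OUT) ? " !" : "",
- info->physoutdev);
- if (info->bitmask & XT_PHYSDEV_OP_BRIDGED)
- printf("%s --physdev-is-bridged",
- (info->invert & XT_PHYSDEV_OP_BRIDGED) ? " !" : "");
-}
-
-static struct xtables_match physdev_match = {
- .family = NFPROTO_UNSPEC,
- .name = "physdev",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_physdev_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)),
- .help = physdev_help,
- .print = physdev_print,
- .save = physdev_save,
- .x6_parse = physdev_parse,
- .x6_fcheck = physdev_check,
- .x6_options = physdev_opts,
-};
-
-void _init(void)
-{
- xtables_register_match(&physdev_match);
-}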
3612
3613=== removed directory '.pc/9006-lp1042260-fix-inverted-physdev.patch/tests'
3614=== removed file '.pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules'
3615--- .pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules 2012-09-17 17:10:24 +0000
3616+++ .pc/9006-lp1042260-fix-inverted-physdev.patch/tests/options-most.rules 1970-01-01 00:00:00 +0000
3617@@ -1,193 +0,0 @@
3618-*filter
3619-:INPUT ACCEPT [0:0]
3620-:FORWARD ACCEPT [0:0]
3621-:OUTPUT ACCEPT [0:0]
3622-:matches - -
3623-:ntarg - -
3624-:zmatches - -
3625--A INPUT -j matches
3626--A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg
3627--A INPUT -j zmatches
3628--A INPUT -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
3629--A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m comment --comment foo -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr -m connmark --mark 0x99 -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -m cpu --cpu 2 -m dscp --dscp 0x04 -m dscp --dscp 0x00 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 -m helper --helper ftp -m iprange --src-range ::1-::2 --dst-range ::1-::2 -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -m length --length 1:2 -m limit --limit 1/sec -m mac --mac-source 01:02:03:04:05:06 -m mark --mark 0x1 -m physdev --physdev-in eth0 -m pkttype --pkt-type unicast -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 -m quota --quota 0 -m recent --rcheck --name DEFAULT --rsource -m socket --transparent -m string --string "foobar" --algo kmp --from 1 --to 2 --icase -m time --timestart 01:02:03 --timestop 03:04:05 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --utc -m tos --tos 0xff/0x01 -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0" -m hbh -m 
hbh -m hl --hl-eq 1
3630--A INPUT -m ipv6header --header hop-by-hop --soft
3631--A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001
3632--A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001
3633--A INPUT -p tcp -m comment --comment foo
3634--A INPUT -p tcp -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both
3635--A INPUT -p tcp -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr
3636--A INPUT -p tcp -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr
3637--A INPUT -p tcp -m connmark --mark 0x99
3638--A INPUT -p tcp -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
3639--A INPUT -p tcp -m cpu --cpu 2
3640--A INPUT -p tcp -m dscp --dscp 0x04
3641--A INPUT -p tcp -m dscp --dscp 0x00
3642--A INPUT -p tcp -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24
3643--A INPUT -p tcp -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1
3644--A INPUT -p tcp -m helper --helper ftp
3645--A INPUT -p tcp -m iprange --src-range ::1-::2 --dst-range ::1-::2
3646--A INPUT -p tcp -m length --length 1:2
3647--A INPUT -p tcp -m limit --limit 1/sec
3648--A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06
3649--A INPUT -p tcp -m mark --mark 0x1
3650--A INPUT -p tcp -m physdev --physdev-in eth0
3651--A INPUT -p tcp -m pkttype --pkt-type unicast
3652--A INPUT -p tcp -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2
3653--A INPUT -p tcp -m quota --quota 0
3654--A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
3655--A INPUT -p tcp -m socket --transparent
3656--A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
3657--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
3658--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
3659--A INPUT -p tcp -m tos --tos 0xff/0x01
3660--A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
3661--A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
3662--A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
3663--A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
3664--A INPUT -p dccp -m cpu --cpu 1 -m dccp --sport 1:2 --dport 3:4 -m cpu --cpu 1
3665--A INPUT -p udp -m cpu --cpu 1 -m udp --sport 1:2 --dport 3:4 -m cpu --cpu 1
3666--A INPUT -p sctp -m cpu --cpu 1 -m sctp --sport 1:2 --dport 3:4 --chunk-types all INIT,SACK -m cpu --cpu 1
3667--A INPUT -p esp -m esp --espspi 1:2
3668--A INPUT -p tcp -m multiport --dports 1,2 -m multiport --dports 1,2
3669--A INPUT -p tcp -m tcpmss --mss 1:2 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
3670--A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0
3671--A INPUT
3672--A INPUT -p mobility
3673--A INPUT -p mobility -m mh --mh-type 3
3674--A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
3675--A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
3676--A matches
3677--A matches -m connbytes --connbytes :2 --connbytes-mode bytes --connbytes-dir both
3678--A matches
3679--A matches -m connbytes --connbytes 0:3 --connbytes-mode bytes --connbytes-dir both
3680--A matches
3681--A matches -m connbytes --connbytes 4: --connbytes-mode bytes --connbytes-dir both
3682--A matches
3683--A matches -m connbytes --connbytes 5:18446744073709551615 --connbytes-mode bytes --connbytes-dir both
3684--A matches
3685--A matches -m conntrack --ctexpire 1
3686--A matches
3687--A matches -m conntrack --ctexpire :2
3688--A matches
3689--A matches -m conntrack --ctexpire 0:3
3690--A matches
3691--A matches -m conntrack --ctexpire 4:
3692--A matches
3693--A matches -m conntrack --ctexpire 5:4294967295
3694--A matches
3695--A matches -m conntrack ! --ctstate NEW ! --ctproto tcp ! --ctorigsrc ::1/127 ! --ctorigdst ::2/127 ! --ctreplsrc ::2/127 ! --ctrepldst ::2/127 ! --ctorigsrcport 3 ! --ctorigdstport 4 ! --ctreplsrcport 5 ! --ctrepldstport 6 ! --ctstatus ASSURED ! --ctexpire 8:9
3696--A matches
3697--A matches -p esp -m esp --espspi 1
3698--A matches
3699--A matches -p esp -m esp --espspi :2
3700--A matches
3701--A matches -p esp -m esp --espspi 0:3
3702--A matches
3703--A matches -p esp -m esp --espspi 4:
3704--A matches
3705--A matches -p esp -m esp --espspi 5:4294967295
3706--A matches
3707--A matches -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1
3708--A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2
3709--A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
3710--A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4
3711--A matches
3712--A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21
3713--A matches
3714--A matches -m length --length 1
3715--A matches
3716--A matches -m length --length :2
3717--A matches
3718--A matches -m length --length 0:3
3719--A matches
3720--A matches -m length --length 4:
3721--A matches
3722--A matches -m length --length 5:65535
3723--A matches
3724--A matches -p tcp -m tcpmss --mss 1
3725--A matches
3726--A matches -p tcp -m tcpmss --mss :2
3727--A matches
3728--A matches -p tcp -m tcpmss --mss 0:3
3729--A matches
3730--A matches -p tcp -m tcpmss --mss 4:
3731--A matches
3732--A matches -p tcp -m tcpmss --mss 5:65535
3733--A matches
3734--A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz
3735--A matches
3736--A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz
3737--A matches
3738--A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05
3739--A matches
3740--A matches -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00
3741--A matches
3742--A matches -m ah --ahspi 1
3743--A matches
3744--A matches -m ah --ahspi :2
3745--A matches
3746--A matches -m ah --ahspi 0:3
3747--A matches
3748--A matches -m ah --ahspi 4:
3749--A matches
3750--A matches -m ah --ahspi 5:4294967295
3751--A matches
3752--A matches -m frag --fragid 1
3753--A matches
3754--A matches -m frag --fragid :2
3755--A matches
3756--A matches -m frag --fragid 0:3
3757--A matches
3758--A matches -m frag --fragid 4:
3759--A matches
3760--A matches -m frag --fragid 5:4294967295
3761--A matches
3762--A matches -m rt --rt-segsleft 1
3763--A matches
3764--A matches -m rt --rt-segsleft :2
3765--A matches
3766--A matches -m rt --rt-segsleft 0:3
3767--A matches
3768--A matches -m rt --rt-segsleft 4:
3769--A matches
3770--A matches -m rt --rt-segsleft 5:4294967295
3771--A matches
3772--A ntarg -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
3773--A ntarg
3774--A ntarg -j NFQUEUE --queue-num 1
3775--A ntarg
3776--A ntarg -j NFQUEUE --queue-balance 8:99
3777--A ntarg
3778--A ntarg -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
3779--A ntarg
3780--A ntarg -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
3781--A ntarg
3782-#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
3783-#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-bps 8bit
3784-#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 8bit
3785-#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-pps 5
3786-#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
3787-#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-pps 5
3788-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
3789-#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --bytes
3790-#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --packets
3791-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
3792-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
3793-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
3794-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
3795-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
3796-COMMIT
3797-*mangle
3798-:PREROUTING ACCEPT [0:0]
3799-:INPUT ACCEPT [0:0]
3800-:FORWARD ACCEPT [0:0]
3801-:OUTPUT ACCEPT [0:0]
3802-:POSTROUTING ACCEPT [0:0]
3803-:matches - -
3804-:ntarg - -
3805-:zmatches - -
3806--A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg
3807--A ntarg -j HL --hl-inc 1
3808--A ntarg -j HL --hl-dec 1
3809--A ntarg
3810-COMMIT
3811
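--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -1,8 +0,0 @@
-0101-changelog.patch
-9000-howtos.patch
-9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch
-9002-libxt_recent-Add-support-for-reap-option.patch
-9003-lp1020490.patch
-9004-argv-is-null.patch
-9005-lp1027252-fixrestore.patch
-9006-lp1042260-fix-inverted-physdev.patch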
3825=== removed file 'Changelog'
3826--- Changelog 2012-07-20 15:45:01 +0000
3827+++ Changelog 1970-01-01 00:00:00 +0000
3828@@ -1,2992 +0,0 @@
3829-iptables v1.4.12 Changelog:
3830-======================================================================
3831-Changes from 1.4.11.1:
3832-
3833-
3834-
3835-Fernando Luis Vazquez Cao (1):
3836- doc: document IPv6 TOS mangling bug in old Linux kernels
3837-
3838-Jakub Zawadzki (1):
3839- doc: fix group range in libxt_NFLOG's man
3840-
3841-Jan Engelhardt (23):
3842- doc: include matches/targets in manpage again
3843- libipt_LOG: fix ignoring all but last flags
3844- libxt_RATEEST: use guided option parser
3845- iptables: consolidate target/match init call
3846- extensions: support for per-extension instance "global" variable space
3847- libxt_rateest: abolish global variables
3848- libxt_RATEEST: abolish global variables
3849- libip6t_HL: fix option names from ttl -> hl
3850- libxt_state: fix regression about inversion of main option
3851- libxt_hashlimit: use a more obvious expiry value by default
3852- build: bump soversion for recent data structure change
3853- build: attempt to fix building under Linux 2.4
3854- doc: mention multiple verbosity flags
3855- build: install modules in arch-dependent location
3856- doc: fix version string in ip6tables.8
3857- doc: the -m option cannot be inverted
3858- iptables: restore negation for -f
3859- libxtables: properly reject empty hostnames
3860- libxtables: ignore whitespace in the multiaddress argument parser
3861- option: remove last traces of intrapositional negation
3862- libxtables: set clone's initial data to NULL
3863- libxt_conntrack: restore network-byte order for v1,v2
3864- libxt_conntrack: move more data into the xt_option_entry
3865-
3866-Jiri Popelka (5):
3867- iptables: Coverity: DEADCODE
3868- iptables: Coverity: NEGATIVE_RETURNS
3869- iptables: Coverity: REVERSE_INULL
3870- iptables: Coverity: VARARGS
3871- iptables: Coverity: RESOURCE_LEAK
3872-
3873-Martin F. Krafft (1):
3874- iptables-apply: select default rule file depending on call name
3875-
3876-Massimo Maggi (1):
3877- libxt_RATEEST: fix userspacesize field
3878-
3879-Patrick McHardy (4):
3880- Merge branch 'master' of git://dev.medozas.de/iptables
3881- Merge branch 'master' of git://dev.medozas.de/iptables
3882- Merge branch 'master' of git://dev.medozas.de/iptables
3883- Bump version to 1.4.12
3884-
3885-
3886-iptables v1.4.11.1 Changelog:
3887-======================================================================
3888-Changes from 1.4.11:
3889-
3890-
3891-Elie De Brauwer (1):
3892- doc: fix trivial typo in libipt_SNAT
3893-
3894-Jan Engelhardt (13):
3895- libxt_owner: restore inversion support
3896- build: remove dead code parts
3897- build: fix installation of symlinks
3898- build: fix absence of xml translator in IPv6-only builds
3899- doc: update GPL license text
3900- doc: iptables-xml should be in manpage section 1
3901- build: move basic preprocessor flags to regular_CPPFLAGS
3902- build: move kinclude's preprocessor flags to kinclude_CPPFLAGS
3903- src: move all libiptc pieces into its directory
3904- src: move all iptables pieces into a separate directory
3905- tests: add some sample rulesets to test save-restore cycle
3906- option: fix ignored negation before implicit extension loading
3907- build: re-add missing CPPFLAGS for libiptc
3908-
3909-Maciej Żenczykowski (1):
3910- xtables-multi: fix absence of xml translator in IPv6-only builds
3911-
3912-Mike Frysinger (1):
3913- build: move remaining preprocessor flags to CPPFLAGS
3914-
3915-Patrick McHardy (1):
3916- Bump version to 1.4.11.1
3917-
3918-Vlad Dogaru (1):
3919- doc: fix MASQUERADE section of man page
3920-
3921-
3922-
3923-iptables v1.4.11 Changelog:
3924-======================================================================
3925-Changes from 1.4.10:
3926-
3927-
3928-Changli Gao (1):
3929- iptables: fix the dead loop when meeting unknown options
3930-
3931-Florian Westphal (3):
3932- libxt_conntrack: fix --ctdir save/dump output format
3933- libxt_time: fix random --datestart skips
3934- extensions: libxt_NFQUEUE: add v2 revision with --queue-bypass option
3935-
3936-JP Abgrall (1):
3937- libxt_quota: make sure uint64 is not truncated
3938-
3939-Jan Engelhardt (218):
3940- libxtables: change option precedence order to be intuitive
3941- libxt_TOS: avoid an undesired overflowing computation
3942- iptables: fix longopt reecognition and workaround getopt(3) behavior
3943- Revert "Revert "libxtables: change option precedence order to be intuitive""
3944- Merge branch 'master' of git://dev.medozas.de/iptables into m2
3945- iptables: reset options at the start of each command
3946- iptables: do not emit orig_opts twice
3947- include: update files with headers from Linux 2.6.37-rc1
3948- TPROXY: add support for revision 1
3949- socket: add support for revision 1
3950- build: fix globbing of extensions in other locales
3951- libxt_owner: output numeric IDs when save is requested
3952- Merge commit 'v1.4.10'
3953- build: stop on error in subcommand
3954- src: const annotations
3955- xt_comment: remove redundant cast
3956- src: use C99/POSIX types
3957- iptables: abort on empty interface specification
3958- xtables: reorder num_old substraction for clarity
3959- ip[6]tables: only call match's parse function when option char is in range
3960- ip[6]tables: only call target's parse function when option char is in range
3961- extensions: remove no longer necessary default: cases
3962- libxt_sctp: fix a typo
3963- libipt_CLUSTERIP: const annotations
3964- libxtables: do some option structure checking
3965- libxt_quota: print negation when it has been selected
3966- libxt_connlimit: reword help text to say prefix length
3967- libxt_connlimit: add a --connlimit-upto option
3968- libxt_connlimit: support for dstaddr-supporting revision 1
3969- libxt_connlimit: remove duplicate member that caused size change
3970- libxt_quota: clarifications on matching
3971- iptables: improve error reporting with extension loading troubles
3972- libxt_u32: enclose argument in quotes
3973- xtables: set custom opts to NULL on free
3974- iptables: warn when parameter limit is exceeded
3975- iptables: remove bogus address-of
3976- iptables: remove more redundant casts
3977- iptables: do not print trailing whitespaces
3978- src: collect do_command variables in a struct
3979- src: move large default: block from do_command6 into its own function
3980- src: share iptables_command_state across the two programs
3981- src: deduplicate find_proto function
3982- src: move OPT_FRAGMENT to the end so the list can be shared
3983- src: put shared option flags into xshared
3984- src: deduplicate and simplify implicit protocol extension loading
3985- src: unclutter command_default function
3986- src: move jump option handling from do_command6 into its own function
3987- src: move match option handling from do_command6 into its own functions
3988- iptables: fix error message for unknown options
3989- iptables: fix segfault target option parsing
3990- ip6tables: spacing fixes for -o argument
3991- libxt_devgroup: option whitespace update following v1.4.10-49-g7386635
3992- extensions: fix indent of vtable
3993- doc: fix wrong sentence about negation in xt_limit
3994- doc: fix misspelling of "field"
3995- extensions: remove redundant init functions
3996- Remove unused CVS expanded keywords
3997- libip6t_dst: remove unimplemented --dst-not-strict
3998- libip6t_hbh: remove unimplemented --hbh-not-strict
3999- extensions: add missing checks for specific flags
4000- libipt_ECN: set proper option flags
4001- doc: mention other possible nf_loggers for TRACE
4002- doc: fix odd partial sentence in libipt_TTL
4003- libxt_quota: require --quota to be specified
4004- doc: rateest options can be optional
4005- libxtables: fix memory scribble beyond end of array
4006- iptables: fix an inversion
4007- doc: add VERSION section to manpages
4008- extensions: add missing checks for specific flags (2)
4009- libxtables: guided option parser
4010- libxt_CHECKSUM: use guided option parser
4011- libxt_socket: use guided option parser
4012- libxtables: provide better final_check
4013- libxt_CONNSECMARK: use guided option parser
4014- libxtables: XTTYPE_UINT32 support
4015- libxt_cpu: use guided option parser
4016- libxtables: min-max option support
4017- libxt_cluster: use guided option parser
4018- libxtables: XTTYPE_UINT8 support
4019- libip[6]t_HL: use guided option parser
4020- libip[6]t_hl: use guided option parser
4021- libxtables: XTTYPE_UINT32RC support
4022- libip[6]t_ah: use guided option parser
4023- libip6t_frag: use guided option parser
4024- libxt_esp: use guided option parser
4025- libxtables: XTTYPE_STRING support
4026- libip[6]t_REJECT: use guided option parser
4027- libip6t_dst: use guided option parser
4028- libip6t_hbh: use guided option parser
4029- libip[6]t_icmp: use guided option parser
4030- libip6t_ipv6header: use guided option parser
4031- libipt_ECN: use guided option parser
4032- libipt_addrtype: use guided option parser
4033- libxt_AUDIT: use guided option parser
4034- libxt_CLASSIFY: use guided option parser
4035- libxt_DSCP: use guided option parser
4036- libxt_LED: use guided option parser
4037- libxt_SECMARK: use guided option parser
4038- libxt_TCPOPTSTRIP: use guided option parser
4039- libxt_comment: use guided option parser
4040- libxt_helper: use guided option parser
4041- libxt_physdev: use guided option parser
4042- libxt_pkttype: use guided option parser
4043- libxt_state: use guided option parser
4044- libxt_time: use guided option parser
4045- libxt_u32: use guided option parser
4046- doc: avoid duplicate entries in manpage
4047- libxtables: XTTYPE_MARKMASK32 support
4048- libxt_MARK: use guided option parser
4049- libxt_CONNMARK: use guided option parser
4050- libxtables: XTTYPE_UINT64 support
4051- libxt_quota: use guided option parser
4052- libxtables: linked-list name<->id map
4053- libxt_devgroup: use guided option parser
4054- libipt_realm: use guided option parser
4055- libxtables: XTTYPE_UINT16RC support
4056- libxt_length: use guided option parser
4057- libxt_tcpmss: use guided option parser
4058- libxtables: XTTYPE_UINT8RC support
4059- libxtables: XTTYPE_UINT64RC support
4060- libxt_connbytes: use guided option parser
4061- libxtables: XTTYPE_UINT16 support
4062- libxt_CT: use guided option parser
4063- libxt_NFQUEUE: use guided option parser
4064- libxt_TCPMSS: use guided option parser
4065- libxtables: pass struct xt_entry_{match,target} to x6 parser
4066- libxt_string: use guided option parser
4067- libxtables: XTTYPE_SYSLOGLEVEL support
4068- libip[6]t_LOG: use guided option parser
4069- libxtables: XTTYPE_ONEHOST support
4070- libxtables: XTTYPE_PORT support
4071- libxt_TPROXY: use guided option parser
4072- libipt_ULOG: use guided option parser
4073- build: bump libxtables ABI version
4074- libxt_TEE: use guided option parser
4075- xtoptions: respect return value in xtables_getportbyname
4076- libxt_TOS: use guided option parser
4077- libxt_tos: use guided option parser
4078- extensions: remove unused TOS code
4079- libxtables: XTTYPE_PORTRC support
4080- libxt_udp: use guided option parser
4081- libxt_dccp: use guided option parser
4082- libxt_tos: add inversion support back again
4083- libxtables: fix assignment in wrong offset (XTTYPE_UINT*RC)
4084- libxt_u32: add missing call to xtables_option_parse
4085- extensions: remove bogus use of XT_GETOPT_TABLEEND
4086- libxt_owner: remove ifdef IPT_COMM_OWNER
4087- libxtables: output name of extension on rev detect failure
4088- extensions: const annotations
4089- libxt_statistic: streamline and document possible placement of negation
4090- libxt_statistic: increase precision on create and dump
4091- libxtables: XTTYPE_DOUBLE support
4092- libxt_statistic: use guided option parser
4093- libxt_IDLETIMER: use guided option parser
4094- libxt_NFLOG: use guided option parser
4095- libxtables: support for XTTYPE_PLENMASK
4096- libxt_connlimit: use guided option parser
4097- libxt_recent: use guided option parser
4098- libxtables: do not overlay addr and mask parts, and cleanup
4099- libxtables: flag invalid uses of XTOPT_PUT
4100- libxtables: XTTYPE_PLEN support
4101- libxt_hashlimit: use guided option parser
4102- libxtables: XTTYPE_HOSTMASK support
4103- libxt_policy: use guided option parser
4104- libxt_owner: use guided option parser
4105- libxt_osf: use guided option parser
4106- libxt_multiport: use guided option parser
4107- libipt_NETMAP: use guided option parser
4108- libxt_limit: use guided option parser
4109- libxtables: XTTYPE_PROTOCOL support
4110- libxt_ipvs: use guided option parser
4111- doc: S/DNAT allows to omit IP addresses
4112- libxt_conntrack: use guided option parser
4113- libip6t_mh: use guided option parser
4114- libip6t_rt: use guided option parser
4115- libxtables: XTTYPE_ETHERMAC support
4116- libxt_mac: use guided option parser
4117- libipt_CLUSTERIP: use guided option parser
4118- libxt_iprange: use guided option parser
4119- libipt_DNAT: use guided option parser
4120- libipt_SNAT: use guided option parser
4121- libipt_MASQUERADE: use guided option parser
4122- libipt_REDIRECT: use guided option parser
4123- libipt_SAME: use guided option parser
4124- src: replace old IP*T_ALIGN macros
4125- src: combine default_command functions
4126- libxt_policy: option table fixes, improved error tracking
4127- libxtables: avoid running into .also checks when option not used
4128- libxt_policy: use XTTYPE_PROTOCOL type
4129- libxtables: collapse double protocol parsing
4130- libipt_[SD]NAT: flag up module name on error
4131- libipt_[SD]NAT: avoid false error about multiple destinations specified
4132- libxt_conntrack: correct printed module name
4133- libxt_conntrack: fix assignment to wrong member
4134- libxt_conntrack: resolve erroneous rev-2 port range message
4135- libip6t_rt: rt-0-not-strict should take no arg
4136- libxtables: retract _NE types and use a flag instead
4137- libxt_quota: readd missing XTOPT_PUT request
4138- libxtables: check for negative numbers in xtables_strtou*
4139- libxt_rateest: streamline case display of units
4140- doc: add some coded option examples to libxt_hashlimit
4141- doc: make usage of libxt_rateest more obvious
4142- doc: clarify that -p all is a special keyword only
4143- doc: use .IP list for TCPMSS
4144- doc: remove redundant .IP calls in libxt_time
4145- libxt_ipvs: restore network-byte order
4146- libxt_u32: --u32 option is required
4147- libip6t_rt: restore --rt-type storing
4148- libxtables: more detailed error message on multi-int parsing
4149- libxtables: use uintmax for xtables_strtoul
4150- libxtables: make multiint parser have greater range
4151- libxtables: unclutter xtopt_parse_mint
4152- libxtables: have xtopt_parse_mint interpret partially-spec'd ranges
4153- libxt_NFQUEUE: avoid double attempt at parsing
4154- libxt_NFQUEUE: add mutual exclusion between qnum and qbal
4155- libxt_time: always ignore libc timezone
4156- libxt_time: --utc and --localtz are mutually exclusive
4157- libxt_time: deprecate --localtz option, document kernel TZ caveats
4158-
4159-Jozsef Kadlecsik (3):
4160- Fix listing/saving the new revision of the SET target
4161- Fix set match/target direction parser
4162- SET target revision 2 added
4163-
4164-Li Yewang (1):
4165- xtables: fix typo in error message of xtables_register_match()
4166-
4167-Lutz Jaenicke (2):
4168- libipt_REDIRECT: "--to-ports" is not mandatory
4169- libxt_devgroup: actually set XT_DEVGROUP_OPT_???GROUP flags
4170-
4171-Maciej Zenczykowski (20):
4172- man pages: allow underscores in match and target names
4173- mark newly opened fds as FD_CLOEXEC (close on exec)
4174- xtables_ip6addr_to_numeric: fix typo in comment
4175- xtables: delay (statically built) match/target initialization
4176- v4: rename init_extensions() to init_extensions4()
4177- v6: rename init_extensions() to init_extensions6()
4178- xtables.h: init_extensions() no longer exists
4179- v4: rename for_each_chain() to for_each_chain4()
4180- v6: rename for_each_chain() to for_each_chain6()
4181- v4: rename flush_entries() to flush_entries4()
4182- v6: rename flush_entries() to flush_entries6()
4183- v4: rename delete_chain() to delete_chain4()
4184- v6: rename delete_chain() to delete_chain6()
4185- v4: rename print_rule() to print_rule4()
4186- v6: rename print_rule() to print_rule6()
4187- v4: rename do_command() to do_command4()
4188- v6: rename do_command() to do_command6()
4189- move 'int line' definition from ip6?tables.c into xtables.c
4190- convert ip6?tables-multi to actually use their own header files
4191- Don't load ip6?_tables module when already loaded
4192-
4193-Maciej Żenczykowski (3):
4194- Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
4195- Move common parts of libext{4,6}.a into libext.a
4196- combine ip6?tables-multi into xtables-multi
4197-
4198-Mark Montague (1):
4199- iptables: documentation for iptables and ip6tables "security" tables
4200-
4201-Max Kellerman (1):
4202- xtables: use strspn() to check if string needs to be quoted
4203-
4204-Pablo Neira Ayuso (1):
4205- libxt_cluster: fix inversion in the cluster match
4206-
4207-Patrick McHardy (16):
4208- Revert "libxtables: change option precedence order to be intuitive"
4209- Merge branch 'master' of git://dev.medozas.de/iptables
4210- extensions: libxt_conntrack: add support for specifying port ranges
4211- extensions: add extension for devgroup match
4212- Merge branch 'master' of git://dev.medozas.de/iptables
4213- Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
4214- Merge branch 'opts' of git://dev.medozas.de/iptables
4215- Merge branch 'opts' of git://dev.medozas.de/iptables
4216- Merge branch 'floating/opts' of git://dev.medozas.de/iptables
4217- Merge branch 'opts' of git://dev.medozas.de/iptables
4218- Merge branch 'opts' of git://dev.medozas.de/iptables
4219- Merge branch 'master' of git://dev.medozas.de/iptables
4220- Merge branch 'opts' of git://dev.medozas.de/iptables
4221- Merge branch 'floating/opts' of git://dev.medozas.de/iptables
4222- Merge branch 'master' of git://dev.medozas.de/iptables
4223- Bump version to 1.4.11
4224-
4225-Rob Leslie (1):
4226- iptables-restore: resolve confusing policy error message
4227-
4228-Stefan Tomanek (2):
4229- ip(6)tables-multi: unify subcommand handling
4230- iptables: add -C to check for existing rules
4231-
4232-Stephen Beahm (1):
4233- libipt_REDIRECT: avoid dereference of uninitialized pointer
4234-
4235-Thomas Graf (2):
4236- libxt_AUDIT: add AUDIT target
4237- iptables: add manual page section for AUDIT target
4238-
4239-Wes Campaigne (4):
4240- libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
4241- xtables: fix excessive memory allocation in host_to_ipaddr
4242- xtables: fix the broken detection/removal of redundant addresses
4243- xtables: use all IPv6 addresses resolved from a hostname
4244-
4245-
4246-
4247-iptables v1.4.10 Changelog:
4248-======================================================================
4249-Changes from 1.4.9:
4250-
4251-
4252-Changli Gao (1):
4253- libxt_quota: don't ignore the quota value on deletion
4254-
4255-Eric Dumazet (2):
4256- extensions: REDIRECT: add random help
4257- extension: add xt_cpu match
4258-
4259-Hannes Eder (1):
4260- libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
4261-
4262-Jan Engelhardt (11):
4263- doc: let man(1) autoalign the text in xt_cpu
4264- doc: remove extra empty line from xt_cpu
4265- doc: minimal spelling updates to xt_cpu
4266- all: consistent syntax use in struct option
4267- doc: consistent use of markup
4268- xtables: remove unnecessary cast
4269- build: fix static linking
4270- iptables-xml: resolve compiler warnings
4271- iptables: limit chain name length to be consistent with targets
4272- libiptc: build with -Wl,--no-as-needed
4273- libiptc: add Libs.private to pkgconfig files
4274-
4275-Luciano Coelho (2):
4276- extensions: add idletimer xt target extension
4277- extensions: libxt_IDLETIMER: use xtables_param_act when checking options
4278-
4279-Michael S. Tsirkin (1):
4280- extensions: libxt_CHECKSUM extension
4281-
4282-Patrick McHardy (6):
4283- extensions: libipt_LOG/libip6t_LOG: support macdecode option
4284- extensions: fix compilation of the new CHECKSUM target
4285- Merge branch 'master' into iptables-next
4286- Merge branch 'master' into iptables-next
4287- Merge branch 'iptables-next'
4288- Bump version to 1.4.10
4289-
4290-
4291-
4292-iptables v1.4.9 Changelog:
4293-======================================================================
4294-Changes from 1.4.8:
4295-
4296-
4297-Adam Nielsen (1):
4298- extensions: add the LED target
4299-
4300-Eric Dumazet (1):
4301- extensions: REDIRECT: add random help
4302-
4303-Jan Engelhardt (10):
4304- utils: add missing include flags to Makefile
4305- doc: xt_string: correct copy-and-pasting in manpage
4306- doc: xt_hashlimit: fix a typo
4307- doc: xt_LED: nroff formatting requirements
4308- includes: sync header files from Linux 2.6.35-rc1
4309- xtables: another try at chain name length checking
4310- xtables: remove xtables_set_revision function
4311- libxt_hashlimit: always print burst value
4312- libxt_conntrack: do print netmask
4313- xt_quota: also document negation
4314-
4315-Jozsef Kadlecsik (1):
4316- libxt_set: new revision added
4317-
4318-Luciano Coelho (2):
4319- extensions: libxt_rateest: fix typo in the man page
4320- extensions: libxt_rateest: fix bps options for iptables-save
4321-
4322-Patrick McHardy (5):
4323- Revert "Revert "Merge branch 'iptables-next'""
4324- Merge branch 'master' of git://dev.medozas.de/iptables
4325- Merge branch 'master' of git://dev.medozas.de/iptables
4326- Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
4327- Bump version to 1.4.9
4328-
4329-Samuel Ortiz (1):
4330- extensions: libxt_quota.c: Support option negation
4331-
4332-Shan Wei (2):
4333- xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension
4334- xt_sctp: support FORWARD_TSN chunk type
4335-
4336-
4337-
4338-iptables v1.4.8 Changelog:
4339-======================================================================
4340-Changes from 1.4.7:
4341-
4342-
4343-Dmitry V. Levin (3):
4344- extensions: REDIRECT: fix --to-ports parser
4345- iptables: add noreturn attribute to exit_tryhelp()
4346- extensions: MASQUERADE: fix --to-ports parser
4347-
4348-Jan Engelhardt (9):
4349- libxt_comment: avoid use of IPv4-specific examples
4350- libxt_CT: add a manpage
4351- iptables: correctly check for too-long chain/target/match names
4352- doc: libxt_MARK: no longer restricted to mangle table
4353- doc: remove claim that TCPMSS is limited to mangle
4354- libxt_recent: add a missing space in output
4355- doc: add manpage for libxt_osf
4356- libxt_osf: import nfnl_osf program
4357- extensions: add support for xt_TEE
4358-
4359-Karl Hiramoto (1):
4360- iptables: optionally disable largefile support
4361-
4362-Pablo Neira Ayuso (1):
4363- CT: fix --ctevents parsing
4364-
4365-Patrick McHardy (7):
4366- extensions: add CT extension
4367- libxt_CT: print conntrack zone in ->print/->save
4368- Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next
4369- xtables: fix compilation when debugging is enabled
4370- Merge branch 'iptables-next'
4371- Revert "Merge branch 'iptables-next'"
4372- Bump version to 1.4.8
4373-
4374-Simon Lodal (1):
4375- libxt_conntrack: document --ctstate UNTRACKED
4376-
4377-Vincent Bernat (1):
4378- iprange: fix xt_iprange v0 parsing
4379-
4380-
4381-
4382-iptables v1.4.7 Changelog:
4383-======================================================================
4384-Changes from 1.4.6:
4385-
4386-
4387-Dmitry V. Levin (1):
4388- libip4tc: Add static qualifier to dump_entry()
4389-
4390-Jan Engelhardt (8):
4391- libipq: build as shared library
4392- recent: reorder cases in code (cosmetic cleanup)
4393- doc: fix recent manpage to reflect actual supported syntax
4394- doc: fix limit manpage to reflect actual supported syntax
4395- doc: mention requirement of additional packages for ipset
4396- policy: fix error message showing wrong option
4397- includes: header updates
4398- Lift restrictions on interface names
4399-
4400-Patrick McHardy (1):
4401- iptables 1.4.7
4402-
4403-
4404-
4405-iptables v1.4.6 Changelog:
4406-======================================================================
4407-Changes from 1.4.5:
4408-
4409-
4410-Jan Engelhardt (20):
4411- iptables: manpage updates for augmented -Z syntax
4412- doc: mention maximum mark size in manpages
4413- Support for nommu arches
4414- realm: remove static initializations
4415- libiptc: remove unused functions
4416- libiptc: avoid strict-aliasing warnings
4417- iprange: do accept non-ranges for xt_iprange v1
4418- iprange: warn on reverse range
4419- iprange: roll address parsing into a loop
4420- iprange: do accept non-ranges for xt_iprange v1 (log)
4421- iprange: warn on reverse range (log)
4422- libiptc: fix wrong maptype of base chain counters on restore
4423- iptables: fix undersized deletion mask creation
4424- style: reduce indent in xtables_check_inverse
4425- libxtables: hand argv to xtables_check_inverse
4426- iptables/extensions: make bundled options work again
4427- CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
4428- iptables: take masks into consideration for replace command
4429- doc: explain experienced --hitcount limit
4430- doc: name resolution clarification
4431-
4432-Mohit Mehta (1):
4433- iptables: expose option to zero packet/byte counters for a specific rule
4434-
4435-Olaf Rempel (1):
4436- build: restore --disable-ipv6 functionality on system w/o v6 headers
4437-
4438-Patrick McHardy (7):
4439- Merge branch 'zero' of git://dev.medozas.de/iptables
4440- MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark
4441- DNAT: fix incorrect check during parsing
4442- extensions: add osf extension
4443- conntrack: fix --expires parsing
4444- Merge branch 'master' of git://dev.medozas.de/iptables
4445- Bump version to v1.4.6
4446-
4447-Tim Small (1):
4448- doc: update TCPMSS manpage with Linux 2.6.25 changes
4449-
4450-sobtwmxt (1):
4451- doc: fix typo in length manpage
4452-
4453-
4454-
4455-iptables v1.4.5 Changelog:
4456-======================================================================
4457-Changes from 1.4.4:
4458-
4459-
4460-Florian Westphal (1):
4461- libxt_NFQUEUE: add new v1 version with queue-balance option
4462-
4463-Jan Engelhardt (18):
4464- xt_conntrack: revision 2 for enlarged state_mask member
4465- libxt_helper: fix invalid passed option to check_inverse
4466- libiptc: split v4 and v6
4467- extensions: collapse registration structures
4468- iptables: allow for parse-less extensions
4469- iptables: allow for help-less extensions
4470- extensions: remove empty help and parse functions
4471- xtables: add multi-registration functions
4472- extensions: collapse data variables to use multi-reg calls
4473- xtables: warn of missing version identifier in extensions
4474- COMMIT_NOTES: notice to check for soversion bumps
4475- build: order of dependent libs is sensitive
4476- multi binary: allow subcommand via argv[1]
4477- build: fix struct size mismatch
4478- build: combine iptables-multi and iptables-static
4479- build: build only iptables-multi
4480- Merge branch 'stable'
4481- manpages: more fixes to minuses, hyphens, dashes
4482-
4483-Laurence J. Lane (1):
4484- manpage: fix lintian warnings
4485-
4486-Michael Granzow (1):
4487- iptables: accept multiple IP address specifications for -s, -d
4488-
4489-Patrick McHardy (2):
4490- man: fix incorrect plural in libipt_set.man
4491- Bump version number to 1.4.5
4492-
4493-Trent W. Buck (1):
4494- ipt_set: fix a typo in the manpage
4495-
4496-
4497-iptables v1.4.4 Changelog:
4498-======================================================================
4499-Changes from 1.4.3.2:
4500-
4501-
4502-Frank Tobin (1):
4503- libxt_tcp: fix a manpage syntax typo
4504-
4505-Ian Bruce (1):
4506- libxt_tcp: manpage corrections and suggestions
4507-
4508-Jan Engelhardt (15):
4509- Add new COMMIT_NOTES document
4510- xtables: use extern "C"
4511- extensions: add const qualifiers in print/save functions
4512- iptables: replace open-coded sizeof by ARRAY_SIZE
4513- addrtype: fix one manpage type
4514- manpages: do not include v4-only modules in ip6tables manpage
4515- libip6t_policy: remove redundant functions
4516- policy: use direct xt_policy_info instead of ipt/ip6t
4517- policy: merge ipv6 and ipv4 variant
4518- build: fix manpage collection
4519- extensions: use NFPROTO_UNSPEC for .family field
4520- DNAT/SNAT: add manpage documentation for --persistent flag
4521- extensions: remove redundant casts
4522- iptables: close open file descriptors
4523- manpages: markup corrections
4524-
4525-Jozsef Kadlecsik (1):
4526- Updated set/SET match and target to support multiple ipset protocols.
4527-
4528-Pablo Neira Ayuso (2):
4529- extensions: add `cluster' match support
4530- xtables: fix segfault if incorrect protocol name is used
4531-
4532-Patrick McHardy (3):
4533- SNAT/DNAT: add support for persistent multi-range NAT mappings
4534- Merge branch 'stable' of git://dev.medozas.de/iptables
4535- Bump version
4536-
4537-kd6lvw (1):
4538- libxt_connlimit: initialize v6_mask
4539-
4540-
4541-
4542-iptables v1.4.3.2 Changelog:
4543-======================================================================
4544-Changes from 1.4.3.1:
4545-
4546-
4547-Jan Engelhardt (12):
4548- libxt_tcpmss: fix an inversion while parsing --mss
4549- iptables-multi: support "iptables-static" as a callable name
4550- libxtables: reorder .version member
4551- build: do not run ldconfig for DESTDIR installations
4552- build: add configure option to disable ip6tables
4553- build: add configure option to disable ipv4 iptables
4554- libxtables: provide IPv6 zero address variable
4555- iptables: print negation extrapositioned
4556- Merge commit 'v1.4.3'
4557- Merge branch 'plus'
4558- CLASSIFY: document non-standard interpretation behavior
4559- libxt_conntrack: properly output negation symbol
4560-
4561-Pablo Neira Ayuso (1):
4562- build: bump version to 1.4.3.2
4563-
4564-
4565-iptables v1.4.3.1 Changelog:
4566-======================================================================
4567-Changes from 1.4.3:
4568-
4569-
4570-Jan Engelhardt (2):
4571- iptables-save: minor corrections to the manpage markup
4572- libxt_hashlimit: add missing space for iptables-save output
4573-
4574-Pablo Neira Ayuso (2):
4575- build: bump version to 1.4.3.1
4576- iptables: refer to dmesg if we hit EINVAL
4577-
4578-Peter Volkov (2):
4579- libxtables: fix compile error due to incomplete change
4580- build: fix linker issue when LDFLAGS contains --as-needed
4581-
4582-
4583-
4584-iptables v1.4.3 Changelog:
4585-======================================================================
4586-Changes from 1.4.2:
4587-
4588-
4589-Bart De Schuymer (1):
4590- man: fix physdev manpage
4591-
4592-Christian Perle (1):
4593- libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff
4594-
4595-Christoph Paasch (1):
4596- libiptc: avoid compile warnings for iptc_insert_chain
4597-
4598-Daniel Drake (1):
4599- libxt_owner: add more spaces to output
4600-
4601-Eric Leblond (1):
4602- xt_NFLOG: Set default NFLOG qthreshold to 0
4603-
4604-Jamal Hadi Salim (12):
4605- libxtables: Introduce global params structuring
4606- libxtables: define xtables_free_opts()
4607- libxtables: Add exit_error cb to xtables_globals
4608- libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals
4609- libxtables: Replace direct exit_error() calls inside libxtables
4610- libxtables: simple aliasing macro for exit_error
4611- libxtables: set names of programs
4612- libxtables: add xtables_set_revision
4613- libxtables: make iptables and ip6tables use xtables_free_opts
4614- libxtables: consolidate merge_options into xtables_merge_options
4615- libxtables: consolidate init calls into one function
4616- libxtables: general follow-up cleanup
4617-
4618-Jan Engelhardt (84):
4619- Move libipt_recent to libxt_recent
4620- libxt_recent: add IPv6 support
4621- manpage: use separate paragraphs for command syntax
4622- manpage: explain what rule-specification is
4623- libiptc: remove typedef indirection
4624- libiptc: remove indirections
4625- libiptc: remove unused iptc_get_raw_socket and iptc_check_packet
4626- libiptc: use hex output for hookmask
4627- libxt_conntrack: respect -n option during ruledump
4628- libiptc: make sockfd a per-handle thing
4629- libxt_conntrack: dump ctdir
4630- src: reuse the global modprobe_program variable
4631- src: use NFPROTO_ constants
4632- src: remove inclusion of iptables.h
4633- doc: fix a typo in libip6t_REJECT.man
4634- libiptc: guard chain index allocation for different malloc implementations
4635- src: remove unused include files
4636- iptables-save: output ! in position according to manpage
4637- rateest: guard against segfault
4638- env: augment deprecation notice
4639- build: resolve autotools suggestions
4640- doc: put iptables version into manpage
4641- doc: resynchronize markup in iptables,ip6tables.8.in
4642- doc: escape minus sign in manpages
4643- build: use regular = assignments in Makefile
4644- build: remove non-portable rule
4645- doc: escape minus sign in manpage (2)
4646- doc: augment ICMP manpage by type/code syntax
4647- src: remove redundant returns at end of void-returning functions
4648- src: remove redundant casts
4649- libxt_owner: use correct UID/GID boundaries
4650- extensions: use UINT_MAX constants over open-coded bits (1/2)
4651- extensions: use UINT_MAX constants over open-coded numbers (2/2)
4652- libxtables: prefix/order - fw_xalloc
4653- libxtables: prefix/order - modprobe and xtables.ko loading
4654- libxtables: prefix/order - match/target loading
4655- libxtables: prefix/order - libdir
4656- libxtables: prefix/order - strtoui
4657- libxtables: prefix/order - program_name
4658- libxtables: prefix/order - param_act
4659- libxtables: prefix/order - ipaddr/ipmask to ascii output
4660- libxtables: prefix/order - ascii to ipaddr/ipmask input
4661- libxtables: prefix - misc functions
4662- libxtables: prefix - parse and escaped output func
4663- libxtables: prefix/order - move check_inverse to xtables.c
4664- libxtables: prefix/order - move parse_protocol to xtables.c
4665- libbxtables: prefix names and order it #1
4666- libxtables: prefix names and order it #2
4667- libxtables: prefix names and order #3
4668- libxtables: move afinfo around
4669- Merge branch 'origin/master'
4670- libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable
4671- build: move -ldl to proper LDADD
4672- libxtables: remove unused XT_LIB_DIR macro
4673- libxtables: decouple non-xtables parts from header
4674- src: remove iptables_rule_match indirection macro
4675- src: remove unused ipt_tryload macro
4676- libxtables: move compat defines to xtables.c
4677- src: consolidate duplicate code in iptables/internal.h
4678- libxtables: use const for vars holding literals
4679- libxt_string: fix undefined behavior/incorrect patlen calculation
4680- libxtables: flush before fork
4681- libipq: add missing doc for NF_ values
4682- build: restructure Makefile for include/ directory
4683- libipq: fix compile error
4684- build: remove unneeded -ldl from iptables_xml_LDADD
4685- libiptc: make library available as a shared library
4686- build: trigger reconfigure when extensions/GNUmakefile.in changes
4687- doc: do not put IPv4 doc into ip6tables.8
4688- doc: resynchronize manpage with in-code help
4689- libxtables: inline and remove unused OPTION_OFFSET macro
4690- libxtables: prefix exit_error to xtables_error
4691- extensions: remove unwanted/add needed includes for IPv6 exts
4692- extensions: remove unwanted/add needed includes for IPv4 exts
4693- libxt_policy: use bounded strtoui
4694- include: resynchronize headers with 2.6.29-rc5
4695- extensions: add missing limits.h include
4696- iptables: turn deprecation warning into enforcing mode
4697- Merge commit 'nf/master'
4698- libxt_connbytes: minor manpage adustments
4699- libxt_connbytes: document nf_ct_acct behavior
4700- libxtables: add -I/-L flags to pkgconfig files
4701- libxt_comment: output quotes must be escaped in
4702- iptables-save: module loading corrections
4703-
4704-Jesper Dangaard Brouer (3):
4705- libiptc: fix chain rename bug in libiptc
4706- libiptc: fix whitespaces and typos
4707- libiptc: give credits to my self
4708-
4709-Jirí Moravec (1):
4710- libxt_TOS: fix compilation error
4711-
4712-KOVACS Krisztian (2):
4713- Add iptables support for the TPROXY target
4714- Add iptables support for the socket match
4715-
4716-Marc Fournier (1):
4717- doc: fix option typo in libxt_multiport
4718-
4719-Pablo Neira Ayuso (5):
4720- iptables: fix error reporting with wrong/missing arguments
4721- state: report spaces in the state list parsing
4722- iptables: refer to dmesg when we hit error
4723- string: fix wrong pattern length calculation
4724- iptables: fix broken options-merging during libxtables rework
4725-
4726-Patrick McHardy (5):
4727- Add SCTP/DCCP support to NAT targets
4728- Bump version to 1.4.3-rc1
4729- Merge branch 'master' of git://dev.medozas.de/iptables
4730- Merge branch 'master' of git://dev.medozas.de/iptables
4731- Bump version to 1.4.3
4732-
4733-Shaul Karl (1):
4734- doc: fix one layout issue in iptables-restore.8
4735-
4736-Stephen Hemminger (1):
4737- iptables: Add limits.h to get INT_MIN, INT_MAX, ...
4738-
4739-Thomas Jarosch (2):
4740- Fix compile error in libxt_iprange.c using gcc 4.3.2
4741- Fix compile warnings using gcc 4.3.2
4742-
4743-
4744-iptables v1.4.2 Changelog:
4745-======================================================================
4746-Changes from 1.4.2-rc1:
4747-
4748-Jan Engelhard (1):
4749- build: fix iptables-static build
4750-
4751-Jan Engelhardt (26):
4752- build: do not install ip{,6}tables.h
4753- Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
4754- manpages: name and markup fixes
4755- src: remove dependency on libiptc headers
4756- src: drop libiptc from installation
4757- iptables-restore: fix segmentation fault with -tanything
4758- libxt_recent: do not allow both --set and --rttl
4759- Put xtables.c into its own library, libxtables.so
4760- manpages: correct erroneous markup
4761- physdev: remove extra space in output
4762- Warn about use of DROP in nat table
4763- Synchronize invert flag order with manpages
4764- build: fix dependency tracking for xtables.h.in
4765- build: fix initext.c dependency
4766- manpages: add missing --rsource,--rdest options to libxt_recent.man
4767- manpages: add missing rateest documentation
4768- manpages: add missing rateest match documentation
4769- libxt_mac: flatten casts in libxt_mac
4770- libxt_iprange: fix option names
4771- src: use regular includes
4772- src: Update comments
4773- build: prepare make tarball for git 1.6.0
4774- libxt_recent: do allow --rttl for --update
4775- src: update comments part II
4776- build: run ldconfig on `make install`
4777- doc: remove mentions of NAT in ip6tables manpage
4778-
4779-Jesper Dangaard Brouer (1):
4780- libiptc: remove old fixme
4781-
4782-Pablo Sebastian Greco (1):
4783- mark: fix invalid iptables-save output
4784-
4785-Patrick McHardy (2):
4786- manpages: fix another typo in tcp manpage
4787- v1.4.2
4788-
4789-Phil Oester (3):
4790- iptables-save: fix hashlimit output
4791- libxt_dscp: fix save of negated dscp match rules
4792- src: Missing limits.h includes
4793-
4794-WANG Cong (1):
4795- manpages: Fix a typo in tcp man page
4796-
4797-
4798-
4799-iptables v1.4.1-rc1 Changelog:
4800-======================================================================
4801-Changes from 1.4.0:
4802-
4803-Peter Warasin:
4804- Fix CONNMARK mask initialisation
4805-
4806-Jesper Dangaard Brouer:
4807- Inline functions iptcc_is_builtin() and set_changed()
4808- Introduce a counter for number of user defined chains
4809- Solving scalability issue: for chain list "name" searching
4810-
4811-Patrick McHardy:
4812- Add RATEEST target extension
4813- Add rateest match extension
4814- Remove obsolete file
4815- Add netfilter.h
4816- Remove compiler.h inclusions
4817- Retry ruleset dump when kernel returns EAGAIN
4818-
4819-Pablo Neira Ayuso:
4820- Cleanup several code wraparounds
4821- Check for malloc() return value in merge_opts()
4822- Check for merge_opts() return value
4823-
4824-Jan Engelhardt:
4825- Converts the iptables build infrastructure to autotools
4826- Introduce strtonum()
4827- Introduce common error messages
4828- Add libxt_owner
4829- Add libxt_tos
4830- Add libxt_TOS
4831- Add libxt_MARK r2
4832- Add libxt_connmark r1
4833- Print warning when dlopen fails
4834- Add libxt_conntrack r0
4835- Bunch o' renames
4836- Rename overlapping function names
4837- Add more libxt_hashlimit checks
4838- Add libxt_mark r1
4839- Add libxt_iprange r0
4840- Add libxt_iprange r1
4841- Give preference to iptables header files
4842- Build adjustments
4843- Add libxt_CONNMARK revision 1
4844- Add libxt_conntrack revision 1
4845- libxt_owner: UID/GID range support
4846- Fix compilation of iptables-static build
4847- Correct the family member value of libxt_mark revision 1
4848- Makefile: add a "tarball" target
4849- Drop -W from CFLAGS and some tiny code cleanups
4850- Fix -Wshadow warnings and clean up xt_sctp.h
4851- Update the libxt_owner manpage with the UID/GID-range feature
4852- Fix all remaining warnings (missing declarations, missing prototypes)
4853- xtables.h: move non-exported parts to internal.h
4854- Add support for xt_hashlimit match revision 1
4855- Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
4856- manpages: fix broken markup (missing close tags)
4857- manpages: grammar and spelling
4858- manpages: update to reflect fine-grained control
4859- configure: split --enable-libipq from --enable-devel
4860- Import iptables-apply
4861- Add all necessary header files - compilation fix for various cases
4862- Install libiptc header files because xtables.h depends on it
4863- iptables: use C99 lists for struct options
4864- RATEEST: add manpage
4865- Implement AF_UNSPEC as a wildcard for extensions
4866- Combine ipt and ip6t manpages
4867- Resolve warnings on 64-bit compile
4868- Wrap dlopen code into NO_SHARED_LIBS
4869- Remove support for compilation of conditional extensions
4870- Resolve libipt_set warnings
4871- Update documentation about building the package
4872- configure.ac: AC_SUBST must be separate
4873- Dynamically create xtables.h.in with version
4874- configure.ac: remove already-defined variables
4875- Remove old functions, constants
4876- Properly initialize revision for ip6tables targets
4877- Makefile.am: use PACKAGE_TARNAME
4878- iptables out-of-tree build directory
4879-
4880-Sven Schnelle:
4881- Add libxt_TCPOPTSTRIP
4882-
4883-Max Kellermann:
4884- Fix REDIRECT manpage
4885- Whitespace cleanup
4886- Use size_t
4887- Escape strings
4888- Unescape parameters
4889- Allow empty strings in argument parser
4890- Fix gcc warnings
4891-
4892-Naohiro Ooiwa:
4893- Fix define value of SCTP chunk type
4894-
4895-Filippo Zangheri:
4896- Remove useless white spaces from iptables-xml manpages
4897-
4898-James King:
4899- libxt_iprange: Fix IP validation logic
4900-
4901-Shan Wei:
4902- iptables-save: remove unnecessary code
4903-
4904-Henrik Nordstrom:
4905- Make iptables-restore usable over a pipe
4906- Add support for --set-counters to iptables -P
4907- iptables --list-rules command
4908- iptables --list chain rulenum
4909- Make --set-counters (-c) accept comma separated counters
4910-
4911-Jamie Strandboge:
4912- Fix ip6tables dest address printing
4913-
4914-
4915-
4916-iptables v1.4.1.1 Changelog
4917-=====================================================================
4918-
4919-Henrik Nordstrom (1):
4920- iptables: fix printing of line numbers with --line-numbers arg
4921-
4922-Jan Engelhardt (3):
4923- ip6tables: fix printing of ipv6 network masks
4924- build: fix `make install` when --disable-shared is used
4925- iprange: kernel flags were not set
4926-
4927-Patrick McHardy (1):
4928- v1.4.1.1
4929-
4930-
4931-
4932-iptables v1.4.1 Changelog
4933-======================================================================
4934-
4935-Filippo Zangheri (1):
4936- removes useless white spaces from iptables-xml manpages.
4937-
4938-Gáspár Lajos (1):
4939- iptables: use C99 lists for struct options
4940-
4941-Henrik Nordstrom (5):
4942- Make iptables-restore usable over a pipe
4943- Add support for --set-counters to iptables -P
4944- iptables --list-rules command
4945- iptables --list chain rulenum
4946- Make --set-counters (-c) accept comma separated counters
4947-
4948-James King (1):
4949- [IPTABLES]: libxt_iprange: Fix IP validation logic
4950-
4951-Jamie Strandboge (1):
4952- fix ip6tables dest address printing
4953-
4954-Jan Engelhardt (55):
4955- Converts the iptables build infrastructure to autotools.
4956- Introduce strtonum(), which works like string_to_number(), but passes
4957- common error messages
4958- libxt_owner
4959- libxt_tos
4960- libxt_TOS
4961- libxt_MARK r2
4962- libxt_connmark r1
4963- print warning when dlopen fails
4964- libxt_conntrack r0
4965- bunch o' renames
4966- rename overlapping function names
4967- libxt_hashlimit checks
4968- libxt_mark r1
4969- libxt_iprange r0
4970- libxt_iprange r1
4971- Give preference to iptables header files
4972- Build adjustments
4973- libxt_CONNMARK revision 1
4974- [IPTABLES]: libxt_conntrack revision 1
4975- [IPTABLES]: libxt_owner: UID/GID range support
4976- Fix compilation of iptables-static build
4977- Correct the family member value of libxt_mark revision 1
4978- Makefile: add a "tarball" target
4979- Drop -W from CFLAGS and some tiny code cleanups
4980- Fix -Wshadow warnings and clean up xt_sctp.h
4981- Update the libxt_owner manpage with the UID/GID-range feature
4982- Fix all remaining warnings (missing declarations, missing prototypes)
4983- xtables.h: move non-exported parts to internal.h
4984- Add support for xt_hashlimit match revision 1
4985- Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
4986- manpages: fix broken markup (missing close tags)
4987- manpages: grammar and spelling
4988- manpages: update to reflect fine-grained control
4989- configure: split --enable-libipq from --enable-devel
4990- Add all necessary header files - compilation fix for various cases
4991- Install libiptc header files because xtables.h depends on it
4992- RATEEST: add manpage
4993- Implement AF_UNSPEC as a wildcard for extensions
4994- Combine ipt and ip6t manpages
4995- Resolve warnings on 64-bit compile
4996- Wrap dlopen code into NO_SHARED_LIBS
4997- Remove support for compilation of conditional extensions
4998- Resolve libipt_set warnings
4999- Update documentation about building the package
5000- configure.ac: AC_SUBST must be separate