Changes of Revision 3
_service:tar_scm:iptables.spec
Changed
@@ -1,19 +1,19 @@ %global script_path %{_libexecdir}/iptables %global legacy_actions %{_libexecdir}/initscripts/legacy-actions Name: iptables -Version: 1.8.7 -Release: 11 +Version: 1.8.9 +Release: 1 Summary: IP packet filter administration utilities License: GPLv2 and Artistic Licence 2.0 and ISC URL: https://www.netfilter.org/ -Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2 +Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.xz Source1: iptables.init Source2: iptables-config Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables -Patch0: enabled-makecheck-in-extensions.patch +Patch01: 0001-extensions-NAT-Fix-for-Werror-format-security.patch BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel @@ -78,9 +78,6 @@ %make_build -%check -make check - %install %make_install @@ -91,7 +88,6 @@ install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables install -m 0755 -d %{buildroot}%{_includedir}/libipulog/ -install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog install -m 0755 -d %{buildroot}/%{script_path} install -m 0755 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init @@ -145,6 +141,13 @@ touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/ebtables.8 +# Drop xtables.conf, it's not used +rm -f %{buildroot}%{_sysconfdir}/xtables.conf + +# fix absolute symlink +rm -f %{buildroot}%{_bindir}/iptables-xml +ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml + %ldconfig_scriptlets %post @@ -287,6 +290,7 @@ %{_sbindir}/arptables-nft* %{_sbindir}/xtables-nft-multi %{_sbindir}/xtables-monitor +%{_sbindir}/ebtables-translate %dir %{_libdir}/xtables %{_libdir}/xtables/libarpt* %{_libdir}/xtables/libebt* 
@@ -306,11 +310,11 @@ %files help %defattr(-,root,root) -%doc INCOMPATIBILITIES %ghost %{_mandir}/man8/arptables.8.gz %ghost %{_mandir}/man8/arptables-save.8.gz %ghost %{_mandir}/man8/arptables-restore.8.gz %ghost %{_mandir}/man8/ebtables.8.gz +%{_mandir}/man8/ebtables-translate* %{_mandir}/man8/xtables-monitor* %{_mandir}/man8/xtables-translate* %{_mandir}/man8/*-nft* @@ -320,8 +324,15 @@ %{_mandir}/man8/iptables* %{_mandir}/man8/ip6tables* %{_mandir}/man8/xtables-legacy* +%{_datadir}/xtables/iptables.xslt %changelog +* Wed Feb 08 2023 zhanghao <zhanghao383@huawei.com> - 1.8.9-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update to 1.8.9 + * Tue Nov 29 2022 huangyu <huangyu106@huawei.com> - 1.8.7-11 - Type:bugfix - ID:NA
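Review bot: The `%check` section and `make check` are dropped together with `Patch0: enabled-makecheck-in-extensions.patch`, so the build no longer runs the upstream test suite, yet the new changelog entry only says `DESC:update to 1.8.9`; either keep `%check` and skip the specific tests that fail on 1.8.9, or record in the changelog why the test run was removed. In the `%install` hunk the `install -m 0644 include/libipulog/*.h` line is removed while `install -m 0755 -d %{buildroot}%{_includedir}/libipulog/` stays, which leaves an empty directory in the buildroot — drop that line as well unless something outside these hunks still packages it. Since `Source0` now fetches a different artifact (`.tar.xz`), consider adding the upstream detached signature as an extra Source and verifying it in `%prep` so the re-fetched tarball is checked against the upstream key rather than trusted by URL alone. The `%prep` section is not in view, so if patches are applied by explicit `%patch` lines rather than `%autosetup`, confirm it was updated for the rename from `Patch0` to `Patch01`.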
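--- a/_service:tar_scm:0001-extensions-NAT-Fix-for-Werror-format-security.patch
+++ b/_service:tar_scm:0001-extensions-NAT-Fix-for-Werror-format-security.patch
@@ -0,0 +1,28 @@
+From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Jan 2023 14:38:44 +0100
+Subject: iptables PATCH extensions: NAT: Fix for -Werror=format-security
+
+Have to pass either a string literal or format string to xt_xlate_add().
+
+Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libxt_NAT.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
+index da9f22012c5d6..2a6343986d54f 100644
+--- a/extensions/libxt_NAT.c
++++ b/extensions/libxt_NAT.c
+@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
+ if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
+ return 0;
+
+- xt_xlate_add(xl, tgt);
++ xt_xlate_add(xl, "%s", tgt);
+ if (strlen(range_str))
+ xt_xlate_add(xl, " to %s", range_str);
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
+--
+2.38.0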
_service:tar_scm:iptables-1.8.7.tar.bz2/.gitignore
Deleted
@@ -1,27 +0,0 @@ -*.a -*.la -*.lo -*.so -*.o -.deps/ -.dirstamp -.libs/ -Makefile -Makefile.in - -/include/xtables-version.h - -/aclocal.m4 -/autom4te.cache/ -/build-aux/ -/config.* -/configure -/libtool -/stamp-h1 -/iptables/iptables-apply.8 - -/iptables/xtables-multi -/iptables/xtables-compat-multi - -# vim/nano swap file -*.swp
_service:tar_scm:iptables-1.8.7.tar.bz2/COMMIT_NOTES
Deleted
@@ -1,19 +0,0 @@ -A quick list of rules for committing stuff into netfilter git: - -- Always add an appropriate description, in git format - (i.e. first line is a summary) - -- Please try to include references to bugs when the description does not - include total discussion coverage or when the bug report is external to - netfilter-devel, e.g. - "Closes: netfilter bugzilla #123", or - "Reference: http://bugs.{debian,gentoo}.org/..." - -- If you touch any parts of libxtables (xtables.c, include/xtables.h.in), - make sure the so-version is updated _appropriately_ (i.e. read the - libtool manual about Versioning:: first, if need be) in configure.ac. - Adding fields to a struct always entails a vcurrent bump. - - - Check, whether a bump (vcurrent,vage) has already been made since the - last release (no more than one per release), e.g.: - git log v1.4.4.. configure.ac
_service:tar_scm:iptables-1.8.7.tar.bz2/INCOMPATIBILITIES
Deleted
@@ -1,14 +0,0 @@ -INCOMPATIBILITIES: - -- The REJECT target has an '--reject-with admin-prohib' option which used - with kernels that do not support it, will result in a plain DROP instead - of REJECT. Use with caution. - Kernels that do support it: - 2.4 - since 2.4.22-pre9 - 2.6 - all - -- There are some issues related to upgrading from 1.2.x to 1.3.x on a system - with dynamic ruleset changes during runtime. (Please see - https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=334). - After upgrading from 1.2 to 1.3, it suggest go do an iptables-save, then - iptables-restore to ensure your dynamic rule changes continue to work.
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/.gitignore
Deleted
@@ -1,9 +0,0 @@ -.*.d -.*.dd -*.oo - -/GNUmakefile -/initext.c -/initext?.c -/matches.man -/targets.man
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_mark.xlate
Deleted
@@ -1,11 +0,0 @@ -ebtables-translate -A INPUT --mark-set 42 -nft add rule bridge filter INPUT mark set 0x2a counter - -ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN -nft add rule bridge filter INPUT mark set mark or 0x2a counter return - -ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT -nft add rule bridge filter INPUT mark set mark and 0x2a counter accept - -ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP -nft add rule bridge filter INPUT mark set mark xor 0x2a counter drop
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_DNAT.c
Deleted
@@ -1,411 +0,0 @@ -/* - * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> - * - * Based on Rusty Russell's IPv4 DNAT target. Development of IPv6 NAT - * funded by Astaro. - */ - -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <xtables.h> -#include <iptables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv6/ip6_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_DEST = 0, - O_RANDOM, - O_PERSISTENT, - O_X_TO_DEST, - F_TO_DEST = 1 << O_TO_DEST, - F_RANDOM = 1 << O_RANDOM, - F_X_TO_DEST = 1 << O_X_TO_DEST, -}; - -static void DNAT_help(void) -{ - printf( -"DNAT target options:\n" -" --to-destination <ipaddr>-<ipaddr>:port-port\n" -" Address to map destination to.\n" -"--random --persistent\n"); -} - -static void DNAT_help_v2(void) -{ - printf( -"DNAT target options:\n" -" --to-destination <ipaddr>-<ipaddr>:port-port/port\n" -" Address to map destination to.\n" -"--random --persistent\n"); -} - -static const struct xt_option_entry DNAT_opts = { - {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_MULTI}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -/* Ranges expected in network order. */ -static void -parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev) -{ - char *arg, *start, *end = NULL, *colon = NULL, *dash, *error; - const struct in6_addr *ip; - - arg = strdup(orig_arg); - if (arg == NULL) - xtables_error(RESOURCE_PROBLEM, "strdup"); - - start = strchr(arg, ''); - if (start == NULL) { - start = arg; - /* Lets assume one colon is port information. 
Otherwise its an IPv6 address */ - colon = strchr(arg, ':'); - if (colon && strchr(colon+1, ':')) - colon = NULL; - } - else { - start++; - end = strchr(start, ''); - if (end == NULL) - xtables_error(PARAMETER_PROBLEM, - "Invalid address format"); - - *end = '\0'; - colon = strchr(end + 1, ':'); - } - - if (colon) { - int port; - - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - - range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); - - dash = strchr(colon, '-'); - if (!dash) { - range->min_proto.tcp.port - = range->max_proto.tcp.port - = htons(port); - } else { - int maxport; - - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); - if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); - range->min_proto.tcp.port = htons(port); - range->max_proto.tcp.port = htons(maxport); - - if (rev >= 2) { - char *slash = strchr(dash, '/'); - if (slash) { - int baseport; - - baseport = atoi(slash + 1); - if (baseport <= 0 || baseport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", slash+1); - range->flags |= NF_NAT_RANGE_PROTO_OFFSET; - range->base_proto.tcp.port = htons(baseport); - } - } - } - /* Starts with colon or colon? 
No IP info...*/ - if (colon == arg || colon == arg+2) { - free(arg); - return; - } - *colon = '\0'; - } - - range->flags |= NF_NAT_RANGE_MAP_IPS; - dash = strchr(start, '-'); - if (colon && dash && dash > colon) - dash = NULL; - - if (dash) - *dash = '\0'; - - ip = xtables_numeric_to_ip6addr(start); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - start); - range->min_addr.in6 = *ip; - if (dash) { - ip = xtables_numeric_to_ip6addr(dash + 1); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - dash+1); - range->max_addr.in6 = *ip; - } else - range->max_addr = range->min_addr; - - free(arg); - return; -} - -static void _DNAT_parse(struct xt_option_call *cb, - struct nf_nat_range2 *range, int rev) -{ - const struct ip6t_entry *entry = cb->xt_entry; - int portok; - - if (entry->ipv6.proto == IPPROTO_TCP || - entry->ipv6.proto == IPPROTO_UDP || - entry->ipv6.proto == IPPROTO_SCTP || - entry->ipv6.proto == IPPROTO_DCCP || - entry->ipv6.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_DEST: - if (cb->xflags & F_X_TO_DEST) { - xtables_error(PARAMETER_PROBLEM, - "DNAT: Multiple --to-destination not supported"); - } - parse_to(cb->arg, portok, range, rev); - cb->xflags |= F_X_TO_DEST; - break; - case O_PERSISTENT: - range->flags |= NF_NAT_RANGE_PERSISTENT; - break; - } -} - -static void DNAT_parse(struct xt_option_call *cb) -{ - struct nf_nat_range *range_v1 = (void *)cb->data; - struct nf_nat_range2 range = {}; - - memcpy(&range, range_v1, sizeof(*range_v1)); - _DNAT_parse(cb, &range, 1); - memcpy(range_v1, &range, sizeof(*range_v1)); -} - -static void DNAT_parse_v2(struct xt_option_call *cb) -{ - _DNAT_parse(cb, (struct nf_nat_range2 *)cb->data, 2); -} - -static void _DNAT_fcheck(struct xt_fcheck_call *cb, unsigned int *flags) -{ - static const unsigned int f = F_TO_DEST | F_RANDOM; - - if ((cb->xflags & f) == f) - *flags |= 
NF_NAT_RANGE_PROTO_RANDOM; -} - -static void DNAT_fcheck(struct xt_fcheck_call *cb) -{ - _DNAT_fcheck(cb, &((struct nf_nat_range *)cb->data)->flags); -} - -static void DNAT_fcheck_v2(struct xt_fcheck_call *cb) -{ - _DNAT_fcheck(cb, &((struct nf_nat_range2 *)cb->data)->flags); -} - -static void print_range(const struct nf_nat_range2 *range, int rev) -{ - if (range->flags & NF_NAT_RANGE_MAP_IPS) { - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) - printf(""); - printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6)); - if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) - printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6)); - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) - printf(""); - } - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(":"); - printf("%hu", ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - printf("-%hu", ntohs(range->max_proto.tcp.port)); - if (rev >= 2 && (range->flags & NF_NAT_RANGE_PROTO_OFFSET)) - printf("/%hu", ntohs(range->base_proto.tcp.port)); - } -} - -static void _DNAT_print(const struct nf_nat_range2 *range, int rev) -{ - printf(" to:"); - print_range(range, rev); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - if (range->flags & NF_NAT_RANGE_PERSISTENT) - printf(" persistent"); -} - -static void DNAT_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_range *range_v1 = (const void *)target->data; - struct nf_nat_range2 range = {}; - - memcpy(&range, range_v1, sizeof(*range_v1)); - _DNAT_print(&range, 1); -} - -static void DNAT_print_v2(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - _DNAT_print((const struct nf_nat_range2 *)target->data, 2); -} - -static void _DNAT_save(const struct nf_nat_range2 *range, int rev) -{ - printf(" --to-destination "); - print_range(range, rev); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" 
--random"); - if (range->flags & NF_NAT_RANGE_PERSISTENT) - printf(" --persistent"); -} - -static void DNAT_save(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_range *range_v1 = (const void *)target->data; - struct nf_nat_range2 range = {}; - - memcpy(&range, range_v1, sizeof(*range_v1)); - _DNAT_save(&range, 1); -} - -static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target) -{ - _DNAT_save((const struct nf_nat_range2 *)target->data, 2); -} - -static void print_range_xlate(const struct nf_nat_range2 *range, - struct xt_xlate *xl, int rev) -{ - bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED; - - if (range->flags & NF_NAT_RANGE_MAP_IPS) { - xt_xlate_add(xl, "%s%s%s", - proto_specified ? "" : "", - xtables_ip6addr_to_numeric(&range->min_addr.in6), - proto_specified ? "" : ""); - - if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) { - xt_xlate_add(xl, "-%s%s%s", - proto_specified ? "" : "", - xtables_ip6addr_to_numeric(&range->max_addr.in6), - proto_specified ? 
"" : ""); - } - } - if (proto_specified) { - xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port)); - - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - xt_xlate_add(xl, "-%hu", - ntohs(range->max_proto.tcp.port)); - } -} - -static int _DNAT_xlate(struct xt_xlate *xl, - const struct nf_nat_range2 *range, int rev) -{ - bool sep_need = false; - const char *sep = " "; - - xt_xlate_add(xl, "dnat to "); - print_range_xlate(range, xl, rev); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) { - xt_xlate_add(xl, " random"); - sep_need = true; - } - if (range->flags & NF_NAT_RANGE_PERSISTENT) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%spersistent", sep); - } - - return 1; -} - -static int DNAT_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_range *range_v1 = (const void *)params->target->data; - struct nf_nat_range2 range = {}; - - memcpy(&range, range_v1, sizeof(*range_v1)); - _DNAT_xlate(xl, &range, 1); - - return 1; -} - -static int DNAT_xlate_v2(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - _DNAT_xlate(xl, (const struct nf_nat_range2 *)params->target->data, 2); - - return 1; -} - -static struct xtables_target dnat_tg_reg = { - { - .name = "DNAT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .revision = 1, - .size = XT_ALIGN(sizeof(struct nf_nat_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), - .help = DNAT_help, - .print = DNAT_print, - .save = DNAT_save, - .x6_parse = DNAT_parse, - .x6_fcheck = DNAT_fcheck, - .x6_options = DNAT_opts, - .xlate = DNAT_xlate, - }, - { - .name = "DNAT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .revision = 2, - .size = XT_ALIGN(sizeof(struct nf_nat_range2)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), - .help = DNAT_help_v2, - .print = DNAT_print_v2, - .save = DNAT_save_v2, - .x6_parse = DNAT_parse_v2, - .x6_fcheck = DNAT_fcheck_v2, - .x6_options = DNAT_opts, - .xlate = DNAT_xlate_v2, 
- }, -}; - -void _init(void) -{ - xtables_register_targets(dnat_tg_reg, ARRAY_SIZE(dnat_tg_reg)); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_DNAT.txlate
Deleted
@@ -1,11 +0,0 @@ -ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination fec0::1234:80 -nft add rule ip6 nat prerouting iifname "eth1" tcp dport 8080 counter dnat to fec0::1234:80 - -ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234:1-20 -nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234:1-20 - -ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234:80 --persistent -nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234:80 persistent - -ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234:80 --random --persistent -nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234:80 random,persistent
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_LOG.c
Deleted
@@ -1,250 +0,0 @@ -#include <stdio.h> -#include <string.h> -#include <syslog.h> -#include <xtables.h> -#include <linux/netfilter_ipv6/ip6t_LOG.h> - -#ifndef IP6T_LOG_UID /* Old kernel */ -#define IP6T_LOG_UID 0x08 -#undef IP6T_LOG_MASK -#define IP6T_LOG_MASK 0x0f -#endif - -#define LOG_DEFAULT_LEVEL LOG_WARNING - -enum { - O_LOG_LEVEL = 0, - O_LOG_PREFIX, - O_LOG_TCPSEQ, - O_LOG_TCPOPTS, - O_LOG_IPOPTS, - O_LOG_UID, - O_LOG_MAC, -}; - -static void LOG_help(void) -{ - printf( -"LOG target options:\n" -" --log-level level Level of logging (numeric or see syslog.conf)\n" -" --log-prefix prefix Prefix log messages with this prefix.\n" -" --log-tcp-sequence Log TCP sequence numbers.\n" -" --log-tcp-options Log TCP options.\n" -" --log-ip-options Log IP options.\n" -" --log-uid Log UID owning the local socket.\n" -" --log-macdecode Decode MAC addresses and protocol.\n"); -} - -#define s struct ip6t_log_info -static const struct xt_option_entry LOG_opts = { - {.name = "log-level", .id = O_LOG_LEVEL, .type = XTTYPE_SYSLOGLEVEL, - .flags = XTOPT_PUT, XTOPT_POINTER(s, level)}, - {.name = "log-prefix", .id = O_LOG_PREFIX, .type = XTTYPE_STRING, - .flags = XTOPT_PUT, XTOPT_POINTER(s, prefix), .min = 1}, - {.name = "log-tcp-sequence", .id = O_LOG_TCPSEQ, .type = XTTYPE_NONE}, - {.name = "log-tcp-options", .id = O_LOG_TCPOPTS, .type = XTTYPE_NONE}, - {.name = "log-ip-options", .id = O_LOG_IPOPTS, .type = XTTYPE_NONE}, - {.name = "log-uid", .id = O_LOG_UID, .type = XTTYPE_NONE}, - {.name = "log-macdecode", .id = O_LOG_MAC, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; -#undef s - -static void LOG_init(struct xt_entry_target *t) -{ - struct ip6t_log_info *loginfo = (struct ip6t_log_info *)t->data; - - loginfo->level = LOG_DEFAULT_LEVEL; - -} - -struct ip6t_log_names { - const char *name; - unsigned int level; -}; - -struct ip6t_log_xlate { - const char *name; - unsigned int level; -}; - -static const struct ip6t_log_names ip6t_log_names -= { { .name = "alert", .level = LOG_ALERT }, 
- { .name = "crit", .level = LOG_CRIT }, - { .name = "debug", .level = LOG_DEBUG }, - { .name = "emerg", .level = LOG_EMERG }, - { .name = "error", .level = LOG_ERR }, /* DEPRECATED */ - { .name = "info", .level = LOG_INFO }, - { .name = "notice", .level = LOG_NOTICE }, - { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */ - { .name = "warning", .level = LOG_WARNING } -}; - -static void LOG_parse(struct xt_option_call *cb) -{ - struct ip6t_log_info *info = cb->data; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_LOG_PREFIX: - if (strchr(cb->arg, '\n') != NULL) - xtables_error(PARAMETER_PROBLEM, - "Newlines not allowed in --log-prefix"); - break; - case O_LOG_TCPSEQ: - info->logflags |= IP6T_LOG_TCPSEQ; - break; - case O_LOG_TCPOPTS: - info->logflags |= IP6T_LOG_TCPOPT; - break; - case O_LOG_IPOPTS: - info->logflags |= IP6T_LOG_IPOPT; - break; - case O_LOG_UID: - info->logflags |= IP6T_LOG_UID; - break; - case O_LOG_MAC: - info->logflags |= IP6T_LOG_MACDECODE; - break; - } -} - -static void LOG_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct ip6t_log_info *loginfo - = (const struct ip6t_log_info *)target->data; - unsigned int i = 0; - - printf(" LOG"); - if (numeric) - printf(" flags %u level %u", - loginfo->logflags, loginfo->level); - else { - for (i = 0; i < ARRAY_SIZE(ip6t_log_names); ++i) - if (loginfo->level == ip6t_log_namesi.level) { - printf(" level %s", ip6t_log_namesi.name); - break; - } - if (i == ARRAY_SIZE(ip6t_log_names)) - printf(" UNKNOWN level %u", loginfo->level); - if (loginfo->logflags & IP6T_LOG_TCPSEQ) - printf(" tcp-sequence"); - if (loginfo->logflags & IP6T_LOG_TCPOPT) - printf(" tcp-options"); - if (loginfo->logflags & IP6T_LOG_IPOPT) - printf(" ip-options"); - if (loginfo->logflags & IP6T_LOG_UID) - printf(" uid"); - if (loginfo->logflags & IP6T_LOG_MACDECODE) - printf(" macdecode"); - if (loginfo->logflags & ~(IP6T_LOG_MASK)) - printf(" unknown-flags"); - } - - if 
(strcmp(loginfo->prefix, "") != 0) - printf(" prefix \"%s\"", loginfo->prefix); -} - -static void LOG_save(const void *ip, const struct xt_entry_target *target) -{ - const struct ip6t_log_info *loginfo - = (const struct ip6t_log_info *)target->data; - - if (strcmp(loginfo->prefix, "") != 0) { - printf(" --log-prefix"); - xtables_save_string(loginfo->prefix); - } - - if (loginfo->level != LOG_DEFAULT_LEVEL) - printf(" --log-level %d", loginfo->level); - - if (loginfo->logflags & IP6T_LOG_TCPSEQ) - printf(" --log-tcp-sequence"); - if (loginfo->logflags & IP6T_LOG_TCPOPT) - printf(" --log-tcp-options"); - if (loginfo->logflags & IP6T_LOG_IPOPT) - printf(" --log-ip-options"); - if (loginfo->logflags & IP6T_LOG_UID) - printf(" --log-uid"); - if (loginfo->logflags & IP6T_LOG_MACDECODE) - printf(" --log-macdecode"); -} - -static const struct ip6t_log_xlate ip6t_log_xlate_names = { - {"alert", LOG_ALERT }, - {"crit", LOG_CRIT }, - {"debug", LOG_DEBUG }, - {"emerg", LOG_EMERG }, - {"err", LOG_ERR }, - {"info", LOG_INFO }, - {"notice", LOG_NOTICE }, - {"warn", LOG_WARNING } -}; - -static int LOG_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct ip6t_log_info *loginfo = - (const struct ip6t_log_info *)params->target->data; - unsigned int i = 0; - - xt_xlate_add(xl, "log"); - if (strcmp(loginfo->prefix, "") != 0) { - if (params->escape_quotes) - xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix); - else - xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); - } - - for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i) - if (loginfo->level == ip6t_log_xlate_namesi.level && - loginfo->level != LOG_DEFAULT_LEVEL) { - xt_xlate_add(xl, " level %s", - ip6t_log_xlate_namesi.name); - break; - } - - if ((loginfo->logflags & IP6T_LOG_MASK) == IP6T_LOG_MASK) { - xt_xlate_add(xl, " flags all"); - } else { - if (loginfo->logflags & (IP6T_LOG_TCPSEQ | IP6T_LOG_TCPOPT)) { - const char *delim = " "; - - xt_xlate_add(xl, " flags tcp"); - if 
(loginfo->logflags & IP6T_LOG_TCPSEQ) { - xt_xlate_add(xl, " sequence"); - delim = ","; - } - if (loginfo->logflags & IP6T_LOG_TCPOPT) - xt_xlate_add(xl, "%soptions", delim); - } - if (loginfo->logflags & IP6T_LOG_IPOPT) - xt_xlate_add(xl, " flags ip options"); - if (loginfo->logflags & IP6T_LOG_UID) - xt_xlate_add(xl, " flags skuid"); - if (loginfo->logflags & IP6T_LOG_MACDECODE) - xt_xlate_add(xl, " flags ether"); - } - - return 1; -} -static struct xtables_target log_tg6_reg = { - .name = "LOG", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct ip6t_log_info)), - .userspacesize = XT_ALIGN(sizeof(struct ip6t_log_info)), - .help = LOG_help, - .init = LOG_init, - .print = LOG_print, - .save = LOG_save, - .x6_parse = LOG_parse, - .x6_options = LOG_opts, - .xlate = LOG_xlate, -}; - -void _init(void) -{ - xtables_register_target(&log_tg6_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_MASQUERADE.c
Deleted
@@ -1,188 +0,0 @@ -/* - * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> - * - * Based on Rusty Russell's IPv4 MASQUERADE target. Development of IPv6 NAT - * funded by Astaro. - */ - -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> -#include <xtables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv6/ip6_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_PORTS = 0, - O_RANDOM, - O_RANDOM_FULLY, -}; - -static void MASQUERADE_help(void) -{ - printf( -"MASQUERADE target options:\n" -" --to-ports <port>-<port>\n" -" Port (range) to map to.\n" -" --random\n" -" Randomize source port.\n" -" --random-fully\n" -" Fully randomize source port.\n"); -} - -static const struct xt_option_entry MASQUERADE_opts = { - {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -/* Parses ports */ -static void -parse_ports(const char *arg, struct nf_nat_range *r) -{ - char *end; - unsigned int port, maxport; - - r->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) - xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); - - switch (*end) { - case '\0': - r->min_proto.tcp.port - = r->max_proto.tcp.port - = htons(port); - return; - case '-': - if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX)) - break; - - if (maxport < port) - break; - - r->min_proto.tcp.port = htons(port); - r->max_proto.tcp.port = htons(maxport); - return; - default: - break; - } - xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); -} - -static void MASQUERADE_parse(struct xt_option_call *cb) -{ - const struct ip6t_entry *entry = cb->xt_entry; - struct nf_nat_range *r = cb->data; - int portok; - - if (entry->ipv6.proto == IPPROTO_TCP || - entry->ipv6.proto == IPPROTO_UDP 
|| - entry->ipv6.proto == IPPROTO_SCTP || - entry->ipv6.proto == IPPROTO_DCCP || - entry->ipv6.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_PORTS: - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - parse_ports(cb->arg, r); - break; - case O_RANDOM: - r->flags |= NF_NAT_RANGE_PROTO_RANDOM; - break; - case O_RANDOM_FULLY: - r->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; - break; - } -} - -static void -MASQUERADE_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_range *r = (const void *)target->data; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" masq ports: "); - printf("%hu", ntohs(r->min_proto.tcp.port)); - if (r->max_proto.tcp.port != r->min_proto.tcp.port) - printf("-%hu", ntohs(r->max_proto.tcp.port)); - } - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" random-fully"); -} - -static void -MASQUERADE_save(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_range *r = (const void *)target->data; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" --to-ports %hu", ntohs(r->min_proto.tcp.port)); - if (r->max_proto.tcp.port != r->min_proto.tcp.port) - printf("-%hu", ntohs(r->max_proto.tcp.port)); - } - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" --random-fully"); -} - -static int MASQUERADE_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_range *r = (const void *)params->target->data; - - xt_xlate_add(xl, "masquerade"); - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, " to :%hu", ntohs(r->min_proto.tcp.port)); - if (r->max_proto.tcp.port != r->min_proto.tcp.port) - xt_xlate_add(xl, "-%hu", 
ntohs(r->max_proto.tcp.port)); - } - - xt_xlate_add(xl, " "); - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - xt_xlate_add(xl, "random "); - - xt_xlate_add(xl, " "); - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - xt_xlate_add(xl, "random-fully "); - - return 1; -} - -static struct xtables_target masquerade_tg_reg = { - .name = "MASQUERADE", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct nf_nat_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), - .help = MASQUERADE_help, - .x6_parse = MASQUERADE_parse, - .print = MASQUERADE_print, - .save = MASQUERADE_save, - .x6_options = MASQUERADE_opts, - .xlate = MASQUERADE_xlate, -}; - -void _init(void) -{ - xtables_register_target(&masquerade_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_REDIRECT.c
Deleted
@@ -1,170 +0,0 @@ -/* - * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> - * - * Based on Rusty Russell's IPv4 REDIRECT target. Development of IPv6 NAT - * funded by Astaro. - */ - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <xtables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv6/ip6_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_PORTS = 0, - O_RANDOM, - F_TO_PORTS = 1 << O_TO_PORTS, - F_RANDOM = 1 << O_RANDOM, -}; - -static void REDIRECT_help(void) -{ - printf( -"REDIRECT target options:\n" -" --to-ports <port>-<port>\n" -" Port (range) to map to.\n" -" --random\n"); -} - -static const struct xt_option_entry REDIRECT_opts = { - {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -/* Parses ports */ -static void -parse_ports(const char *arg, struct nf_nat_range *range) -{ - char *end = ""; - unsigned int port, maxport; - - range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) && - (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1) - xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); - - switch (*end) { - case '\0': - range->min_proto.tcp.port - = range->max_proto.tcp.port - = htons(port); - return; - case '-': - if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) && - (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1) - break; - - if (maxport < port) - break; - - range->min_proto.tcp.port = htons(port); - range->max_proto.tcp.port = htons(maxport); - return; - default: - break; - } - xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); -} - -static void REDIRECT_parse(struct xt_option_call *cb) -{ - const struct ip6t_entry *entry = cb->xt_entry; - struct nf_nat_range *range = (void *)(*cb->target)->data; - int portok; - - if (entry->ipv6.proto == IPPROTO_TCP - || 
entry->ipv6.proto == IPPROTO_UDP - || entry->ipv6.proto == IPPROTO_SCTP - || entry->ipv6.proto == IPPROTO_DCCP - || entry->ipv6.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_PORTS: - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - parse_ports(cb->arg, range); - if (cb->xflags & F_RANDOM) - range->flags |= NF_NAT_RANGE_PROTO_RANDOM; - break; - case O_RANDOM: - if (cb->xflags & F_TO_PORTS) - range->flags |= NF_NAT_RANGE_PROTO_RANDOM; - break; - } -} - -static void REDIRECT_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_range *range = (const void *)target->data; - - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" redir ports "); - printf("%hu", ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - printf("-%hu", ntohs(range->max_proto.tcp.port)); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - } -} - -static void REDIRECT_save(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_range *range = (const void *)target->data; - - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" --to-ports "); - printf("%hu", ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - printf("-%hu", ntohs(range->max_proto.tcp.port)); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - } -} - -static int REDIRECT_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_range *range = (const void *)params->target->data; - - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, "redirect to :%hu", - ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - xt_xlate_add(xl, "-%hu ", - ntohs(range->max_proto.tcp.port)); - if 
(range->flags & NF_NAT_RANGE_PROTO_RANDOM) - xt_xlate_add(xl, " random "); - } - - return 1; -} - -static struct xtables_target redirect_tg_reg = { - .name = "REDIRECT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct nf_nat_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), - .help = REDIRECT_help, - .x6_parse = REDIRECT_parse, - .print = REDIRECT_print, - .save = REDIRECT_save, - .x6_options = REDIRECT_opts, - .xlate = REDIRECT_xlate, -}; - -void _init(void) -{ - xtables_register_target(&redirect_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_REDIRECT.t
Deleted
@@ -1,6 +0,0 @@
-:PREROUTING,OUTPUT
-*nat
--p tcp -j REDIRECT --to-ports 42;=;OK
--p udp -j REDIRECT --to-ports 42-1234;=;OK
--p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
--j REDIRECT --to-ports 42;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_REDIRECT.txlate
Deleted
@@ -1,5 +0,0 @@
-ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
-nft add rule ip6 nat prerouting tcp dport 80 counter redirect to :8080
-
-ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
-nft add rule ip6 nat prerouting tcp dport 80 counter redirect to :8080 random
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_SNAT.c
Deleted
@@ -1,317 +0,0 @@ -/* - * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> - * - * Based on Rusty Russell's IPv4 SNAT target. Development of IPv6 NAT - * funded by Astaro. - */ - -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <xtables.h> -#include <iptables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv6/ip6_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_SRC = 0, - O_RANDOM, - O_RANDOM_FULLY, - O_PERSISTENT, - O_X_TO_SRC, - F_TO_SRC = 1 << O_TO_SRC, - F_RANDOM = 1 << O_RANDOM, - F_RANDOM_FULLY = 1 << O_RANDOM_FULLY, - F_X_TO_SRC = 1 << O_X_TO_SRC, -}; - -static void SNAT_help(void) -{ - printf( -"SNAT target options:\n" -" --to-source <ipaddr>-<ipaddr>:port-port\n" -" Address to map source to.\n" -"--random --random-fully --persistent\n"); -} - -static const struct xt_option_entry SNAT_opts = { - {.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_MULTI}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, - {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -/* Ranges expected in network order. */ -static void -parse_to(const char *orig_arg, int portok, struct nf_nat_range *range) -{ - char *arg, *start, *end = NULL, *colon = NULL, *dash, *error; - const struct in6_addr *ip; - - arg = strdup(orig_arg); - if (arg == NULL) - xtables_error(RESOURCE_PROBLEM, "strdup"); - - start = strchr(arg, ''); - if (start == NULL) { - start = arg; - /* Lets assume one colon is port information. 
Otherwise its an IPv6 address */ - colon = strchr(arg, ':'); - if (colon && strchr(colon+1, ':')) - colon = NULL; - } - else { - start++; - end = strchr(start, ''); - if (end == NULL) - xtables_error(PARAMETER_PROBLEM, - "Invalid address format"); - - *end = '\0'; - colon = strchr(end + 1, ':'); - } - - if (colon) { - int port; - - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - - range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); - - dash = strchr(colon, '-'); - if (!dash) { - range->min_proto.tcp.port - = range->max_proto.tcp.port - = htons(port); - } else { - int maxport; - - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); - if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); - range->min_proto.tcp.port = htons(port); - range->max_proto.tcp.port = htons(maxport); - } - /* Starts with colon or colon? 
No IP info...*/ - if (colon == arg || colon == arg+2) { - free(arg); - return; - } - *colon = '\0'; - } - - range->flags |= NF_NAT_RANGE_MAP_IPS; - dash = strchr(start, '-'); - if (colon && dash && dash > colon) - dash = NULL; - - if (dash) - *dash = '\0'; - - ip = xtables_numeric_to_ip6addr(start); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - start); - range->min_addr.in6 = *ip; - if (dash) { - ip = xtables_numeric_to_ip6addr(dash + 1); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - dash+1); - range->max_addr.in6 = *ip; - } else - range->max_addr = range->min_addr; - - free(arg); - return; -} - -static void SNAT_parse(struct xt_option_call *cb) -{ - const struct ip6t_entry *entry = cb->xt_entry; - struct nf_nat_range *range = cb->data; - int portok; - - if (entry->ipv6.proto == IPPROTO_TCP || - entry->ipv6.proto == IPPROTO_UDP || - entry->ipv6.proto == IPPROTO_SCTP || - entry->ipv6.proto == IPPROTO_DCCP || - entry->ipv6.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_SRC: - if (cb->xflags & F_X_TO_SRC) { - xtables_error(PARAMETER_PROBLEM, - "SNAT: Multiple --to-source not supported"); - } - parse_to(cb->arg, portok, range); - cb->xflags |= F_X_TO_SRC; - break; - case O_PERSISTENT: - range->flags |= NF_NAT_RANGE_PERSISTENT; - break; - } -} - -static void SNAT_fcheck(struct xt_fcheck_call *cb) -{ - static const unsigned int f = F_TO_SRC | F_RANDOM; - static const unsigned int r = F_TO_SRC | F_RANDOM_FULLY; - struct nf_nat_range *range = cb->data; - - if ((cb->xflags & f) == f) - range->flags |= NF_NAT_RANGE_PROTO_RANDOM; - if ((cb->xflags & r) == r) - range->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; -} - -static void print_range(const struct nf_nat_range *range) -{ - if (range->flags & NF_NAT_RANGE_MAP_IPS) { - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) - printf(""); - printf("%s", 
xtables_ip6addr_to_numeric(&range->min_addr.in6)); - if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) - printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6)); - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) - printf(""); - } - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(":"); - printf("%hu", ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - printf("-%hu", ntohs(range->max_proto.tcp.port)); - } -} - -static void SNAT_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_range *range = (const void *)target->data; - - printf(" to:"); - print_range(range); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" random-fully"); - if (range->flags & NF_NAT_RANGE_PERSISTENT) - printf(" persistent"); -} - -static void SNAT_save(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_range *range = (const void *)target->data; - - printf(" --to-source "); - print_range(range); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" --random-fully"); - if (range->flags & NF_NAT_RANGE_PERSISTENT) - printf(" --persistent"); -} - -static void print_range_xlate(const struct nf_nat_range *range, - struct xt_xlate *xl) -{ - bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED; - - if (range->flags & NF_NAT_RANGE_MAP_IPS) { - xt_xlate_add(xl, "%s%s%s", - proto_specified ? "" : "", - xtables_ip6addr_to_numeric(&range->min_addr.in6), - proto_specified ? "" : ""); - - if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) { - xt_xlate_add(xl, "-%s%s%s", - proto_specified ? "" : "", - xtables_ip6addr_to_numeric(&range->max_addr.in6), - proto_specified ? 
"" : ""); - } - } - if (proto_specified) { - xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port)); - - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - xt_xlate_add(xl, "-%hu", - ntohs(range->max_proto.tcp.port)); - } -} - -static int SNAT_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_range *range = (const void *)params->target->data; - bool sep_need = false; - const char *sep = " "; - - xt_xlate_add(xl, "snat to "); - print_range_xlate(range, xl); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) { - xt_xlate_add(xl, " random"); - sep_need = true; - } - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%sfully-random", sep); - sep_need = true; - } - if (range->flags & NF_NAT_RANGE_PERSISTENT) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%spersistent", sep); - } - - return 1; -} - -static struct xtables_target snat_tg_reg = { - .name = "SNAT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .revision = 1, - .size = XT_ALIGN(sizeof(struct nf_nat_range)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), - .help = SNAT_help, - .x6_parse = SNAT_parse, - .x6_fcheck = SNAT_fcheck, - .print = SNAT_print, - .save = SNAT_save, - .x6_options = SNAT_opts, - .xlate = SNAT_xlate, -}; - -void _init(void) -{ - xtables_register_target(&snat_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_DNAT.c
Deleted
@@ -1,555 +0,0 @@ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <xtables.h> -#include <iptables.h> /* get_kernel_version */ -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv4/ip_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_DEST = 0, - O_RANDOM, - O_PERSISTENT, - O_X_TO_DEST, /* hidden flag */ - F_TO_DEST = 1 << O_TO_DEST, - F_RANDOM = 1 << O_RANDOM, - F_X_TO_DEST = 1 << O_X_TO_DEST, -}; - -/* Dest NAT data consists of a multi-range, indicating where to map - to. */ -struct ipt_natinfo -{ - struct xt_entry_target t; - struct nf_nat_ipv4_multi_range_compat mr; -}; - -static void DNAT_help(void) -{ - printf( -"DNAT target options:\n" -" --to-destination <ipaddr>-<ipaddr>:port-port\n" -" Address to map destination to.\n" -"--random --persistent\n"); -} - -static void DNAT_help_v2(void) -{ - printf( -"DNAT target options:\n" -" --to-destination <ipaddr>-<ipaddr>:port-port/port\n" -" Address to map destination to.\n" -"--random --persistent\n"); -} - -static const struct xt_option_entry DNAT_opts = { - {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_MULTI}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -static struct ipt_natinfo * -append_range(struct ipt_natinfo *info, const struct nf_nat_ipv4_range *range) -{ - unsigned int size; - - /* One rangesize already in struct ipt_natinfo */ - size = XT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range)); - - info = realloc(info, size); - if (!info) - xtables_error(OTHER_PROBLEM, "Out of memory\n"); - - info->t.u.target_size = size; - info->mr.rangeinfo->mr.rangesize = *range; - info->mr.rangesize++; - - return info; -} - -/* Ranges expected in network order. 
*/ -static struct xt_entry_target * -parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) -{ - struct nf_nat_ipv4_range range; - char *arg, *colon, *dash, *error; - const struct in_addr *ip; - - arg = strdup(orig_arg); - if (arg == NULL) - xtables_error(RESOURCE_PROBLEM, "strdup"); - memset(&range, 0, sizeof(range)); - colon = strchr(arg, ':'); - - if (colon) { - int port; - - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - - range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); - - dash = strchr(colon, '-'); - if (!dash) { - range.min.tcp.port - = range.max.tcp.port - = htons(port); - } else { - int maxport; - - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); - if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); - range.min.tcp.port = htons(port); - range.max.tcp.port = htons(maxport); - } - /* Starts with a colon? 
No IP info...*/ - if (colon == arg) { - free(arg); - return &(append_range(info, &range)->t); - } - *colon = '\0'; - } - - range.flags |= NF_NAT_RANGE_MAP_IPS; - dash = strchr(arg, '-'); - if (colon && dash && dash > colon) - dash = NULL; - - if (dash) - *dash = '\0'; - - ip = xtables_numeric_to_ipaddr(arg); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - arg); - range.min_ip = ip->s_addr; - if (dash) { - ip = xtables_numeric_to_ipaddr(dash+1); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - dash+1); - range.max_ip = ip->s_addr; - } else - range.max_ip = range.min_ip; - - free(arg); - return &(append_range(info, &range)->t); -} - -static void DNAT_parse(struct xt_option_call *cb) -{ - const struct ipt_entry *entry = cb->xt_entry; - struct ipt_natinfo *info = (void *)(*cb->target); - int portok; - - if (entry->ip.proto == IPPROTO_TCP - || entry->ip.proto == IPPROTO_UDP - || entry->ip.proto == IPPROTO_SCTP - || entry->ip.proto == IPPROTO_DCCP - || entry->ip.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_DEST: - if (cb->xflags & F_X_TO_DEST) { - if (!kernel_version) - get_kernel_version(); - if (kernel_version > LINUX_VERSION(2, 6, 10)) - xtables_error(PARAMETER_PROBLEM, - "DNAT: Multiple --to-destination not supported"); - } - *cb->target = parse_to(cb->arg, portok, info); - cb->xflags |= F_X_TO_DEST; - break; - case O_PERSISTENT: - info->mr.range0.flags |= NF_NAT_RANGE_PERSISTENT; - break; - } -} - -static void DNAT_fcheck(struct xt_fcheck_call *cb) -{ - static const unsigned int f = F_TO_DEST | F_RANDOM; - struct nf_nat_ipv4_multi_range_compat *mr = cb->data; - - if ((cb->xflags & f) == f) - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM; -} - -static void print_range(const struct nf_nat_ipv4_range *r) -{ - if (r->flags & NF_NAT_RANGE_MAP_IPS) { - struct in_addr a; - - a.s_addr = r->min_ip; - printf("%s", 
xtables_ipaddr_to_numeric(&a)); - if (r->max_ip != r->min_ip) { - a.s_addr = r->max_ip; - printf("-%s", xtables_ipaddr_to_numeric(&a)); - } - } - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(":"); - printf("%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - printf("-%hu", ntohs(r->max.tcp.port)); - } -} - -static void DNAT_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct ipt_natinfo *info = (const void *)target; - unsigned int i = 0; - - printf(" to:"); - for (i = 0; i < info->mr.rangesize; i++) { - print_range(&info->mr.rangei); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - if (info->mr.rangei.flags & NF_NAT_RANGE_PERSISTENT) - printf(" persistent"); - } -} - -static void DNAT_save(const void *ip, const struct xt_entry_target *target) -{ - const struct ipt_natinfo *info = (const void *)target; - unsigned int i = 0; - - for (i = 0; i < info->mr.rangesize; i++) { - printf(" --to-destination "); - print_range(&info->mr.rangei); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - if (info->mr.rangei.flags & NF_NAT_RANGE_PERSISTENT) - printf(" --persistent"); - } -} - -static void print_range_xlate(const struct nf_nat_ipv4_range *r, - struct xt_xlate *xl) -{ - if (r->flags & NF_NAT_RANGE_MAP_IPS) { - struct in_addr a; - - a.s_addr = r->min_ip; - xt_xlate_add(xl, "%s", xtables_ipaddr_to_numeric(&a)); - if (r->max_ip != r->min_ip) { - a.s_addr = r->max_ip; - xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&a)); - } - } - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, ":%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port)); - } -} - -static int DNAT_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct ipt_natinfo *info = (const void *)params->target; - unsigned int i = 0; - bool sep_need = false; - const 
char *sep = " "; - - for (i = 0; i < info->mr.rangesize; i++) { - xt_xlate_add(xl, "dnat to "); - print_range_xlate(&info->mr.rangei, xl); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM) { - xt_xlate_add(xl, " random"); - sep_need = true; - } - if (info->mr.rangei.flags & NF_NAT_RANGE_PERSISTENT) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%spersistent", sep); - } - } - - return 1; -} - -static void -parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range) -{ - char *arg, *colon, *dash, *error; - const struct in_addr *ip; - - arg = strdup(orig_arg); - if (arg == NULL) - xtables_error(RESOURCE_PROBLEM, "strdup"); - - colon = strchr(arg, ':'); - if (colon) { - int port; - - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - - range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); - - dash = strchr(colon, '-'); - if (!dash) { - range->min_proto.tcp.port - = range->max_proto.tcp.port - = htons(port); - } else { - int maxport; - char *slash; - - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); - if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); - range->min_proto.tcp.port = htons(port); - range->max_proto.tcp.port = htons(maxport); - - slash = strchr(dash, '/'); - if (slash) { - int baseport; - - baseport = atoi(slash + 1); - if (baseport <= 0 || baseport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", slash+1); - range->flags |= NF_NAT_RANGE_PROTO_OFFSET; - range->base_proto.tcp.port = htons(baseport); - } - } - /* Starts with a colon? 
No IP info...*/ - if (colon == arg) { - free(arg); - return; - } - *colon = '\0'; - } - - range->flags |= NF_NAT_RANGE_MAP_IPS; - dash = strchr(arg, '-'); - if (colon && dash && dash > colon) - dash = NULL; - - if (dash) - *dash = '\0'; - - ip = xtables_numeric_to_ipaddr(arg); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - arg); - range->min_addr.in = *ip; - if (dash) { - ip = xtables_numeric_to_ipaddr(dash+1); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - dash+1); - range->max_addr.in = *ip; - } else - range->max_addr = range->min_addr; - - free(arg); - return; -} - -static void DNAT_parse_v2(struct xt_option_call *cb) -{ - const struct ipt_entry *entry = cb->xt_entry; - struct nf_nat_range2 *range = cb->data; - int portok; - - if (entry->ip.proto == IPPROTO_TCP - || entry->ip.proto == IPPROTO_UDP - || entry->ip.proto == IPPROTO_SCTP - || entry->ip.proto == IPPROTO_DCCP - || entry->ip.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_DEST: - if (cb->xflags & F_X_TO_DEST) { - xtables_error(PARAMETER_PROBLEM, - "DNAT: Multiple --to-destination not supported"); - } - parse_to_v2(cb->arg, portok, range); - cb->xflags |= F_X_TO_DEST; - break; - case O_PERSISTENT: - range->flags |= NF_NAT_RANGE_PERSISTENT; - break; - } -} - -static void DNAT_fcheck_v2(struct xt_fcheck_call *cb) -{ - static const unsigned int f = F_TO_DEST | F_RANDOM; - struct nf_nat_range2 *range = cb->data; - - if ((cb->xflags & f) == f) - range->flags |= NF_NAT_RANGE_PROTO_RANDOM; -} - -static void print_range_v2(const struct nf_nat_range2 *range) -{ - if (range->flags & NF_NAT_RANGE_MAP_IPS) { - printf("%s", xtables_ipaddr_to_numeric(&range->min_addr.in)); - if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) - printf("-%s", xtables_ipaddr_to_numeric(&range->max_addr.in)); - } - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(":"); - 
printf("%hu", ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - printf("-%hu", ntohs(range->max_proto.tcp.port)); - if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) - printf("/%hu", ntohs(range->base_proto.tcp.port)); - } -} - -static void DNAT_print_v2(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_range2 *range = (const void *)target->data; - - printf(" to:"); - print_range_v2(range); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - if (range->flags & NF_NAT_RANGE_PERSISTENT) - printf(" persistent"); -} - -static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_range2 *range = (const void *)target->data; - - printf(" --to-destination "); - print_range_v2(range); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - if (range->flags & NF_NAT_RANGE_PERSISTENT) - printf(" --persistent"); -} - -static void print_range_xlate_v2(const struct nf_nat_range2 *range, - struct xt_xlate *xl) -{ - if (range->flags & NF_NAT_RANGE_MAP_IPS) { - xt_xlate_add(xl, "%s", xtables_ipaddr_to_numeric(&range->min_addr.in)); - if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) { - xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&range->max_addr.in)); - } - } - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port)); - if (range->max_proto.tcp.port != range->min_proto.tcp.port) - xt_xlate_add(xl, "-%hu", ntohs(range->max_proto.tcp.port)); - if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) - xt_xlate_add(xl, ";%hu", ntohs(range->base_proto.tcp.port)); - } -} - -static int DNAT_xlate_v2(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_range2 *range = (const void *)params->target->data; - bool sep_need = false; - const char *sep = " "; - - xt_xlate_add(xl, "dnat to "); - 
print_range_xlate_v2(range, xl); - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) { - xt_xlate_add(xl, " random"); - sep_need = true; - } - if (range->flags & NF_NAT_RANGE_PERSISTENT) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%spersistent", sep); - } - - return 1; -} - -static struct xtables_target dnat_tg_reg = { - { - .name = "DNAT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .revision = 0, - .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .help = DNAT_help, - .print = DNAT_print, - .save = DNAT_save, - .x6_parse = DNAT_parse, - .x6_fcheck = DNAT_fcheck, - .x6_options = DNAT_opts, - .xlate = DNAT_xlate, - }, - { - .name = "DNAT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .revision = 2, - .size = XT_ALIGN(sizeof(struct nf_nat_range2)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), - .help = DNAT_help_v2, - .print = DNAT_print_v2, - .save = DNAT_save_v2, - .x6_parse = DNAT_parse_v2, - .x6_fcheck = DNAT_fcheck_v2, - .x6_options = DNAT_opts, - .xlate = DNAT_xlate_v2, - }, -}; - -void _init(void) -{ - xtables_register_targets(dnat_tg_reg, ARRAY_SIZE(dnat_tg_reg)); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_DNAT.txlate
Deleted
@@ -1,14 +0,0 @@
-iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4
-nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4
-
-iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
-nft add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat to 192.168.1.1-192.168.1.10
-
-iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023
-nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4:1-1023
-
-iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random
-nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random
-
-iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
-nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_LOG.c
Deleted
@@ -1,250 +0,0 @@ -#include <stdio.h> -#include <string.h> -#include <syslog.h> -#include <xtables.h> -#include <linux/netfilter_ipv4/ipt_LOG.h> - -#define LOG_DEFAULT_LEVEL LOG_WARNING - -#ifndef IPT_LOG_UID /* Old kernel */ -#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ -#undef IPT_LOG_MASK -#define IPT_LOG_MASK 0x0f -#endif - -enum { - O_LOG_LEVEL = 0, - O_LOG_PREFIX, - O_LOG_TCPSEQ, - O_LOG_TCPOPTS, - O_LOG_IPOPTS, - O_LOG_UID, - O_LOG_MAC, -}; - -static void LOG_help(void) -{ - printf( -"LOG target options:\n" -" --log-level level Level of logging (numeric or see syslog.conf)\n" -" --log-prefix prefix Prefix log messages with this prefix.\n\n" -" --log-tcp-sequence Log TCP sequence numbers.\n\n" -" --log-tcp-options Log TCP options.\n\n" -" --log-ip-options Log IP options.\n\n" -" --log-uid Log UID owning the local socket.\n\n" -" --log-macdecode Decode MAC addresses and protocol.\n\n"); -} - -#define s struct ipt_log_info -static const struct xt_option_entry LOG_opts = { - {.name = "log-level", .id = O_LOG_LEVEL, .type = XTTYPE_SYSLOGLEVEL, - .flags = XTOPT_PUT, XTOPT_POINTER(s, level)}, - {.name = "log-prefix", .id = O_LOG_PREFIX, .type = XTTYPE_STRING, - .flags = XTOPT_PUT, XTOPT_POINTER(s, prefix), .min = 1}, - {.name = "log-tcp-sequence", .id = O_LOG_TCPSEQ, .type = XTTYPE_NONE}, - {.name = "log-tcp-options", .id = O_LOG_TCPOPTS, .type = XTTYPE_NONE}, - {.name = "log-ip-options", .id = O_LOG_IPOPTS, .type = XTTYPE_NONE}, - {.name = "log-uid", .id = O_LOG_UID, .type = XTTYPE_NONE}, - {.name = "log-macdecode", .id = O_LOG_MAC, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; -#undef s - -static void LOG_init(struct xt_entry_target *t) -{ - struct ipt_log_info *loginfo = (struct ipt_log_info *)t->data; - - loginfo->level = LOG_DEFAULT_LEVEL; - -} - -struct ipt_log_names { - const char *name; - unsigned int level; -}; - -struct ipt_log_xlate { - const char *name; - unsigned int level; -}; - -static const struct ipt_log_names ipt_log_names -= { { .name 
= "alert", .level = LOG_ALERT }, - { .name = "crit", .level = LOG_CRIT }, - { .name = "debug", .level = LOG_DEBUG }, - { .name = "emerg", .level = LOG_EMERG }, - { .name = "error", .level = LOG_ERR }, /* DEPRECATED */ - { .name = "info", .level = LOG_INFO }, - { .name = "notice", .level = LOG_NOTICE }, - { .name = "panic", .level = LOG_EMERG }, /* DEPRECATED */ - { .name = "warning", .level = LOG_WARNING } -}; - -static void LOG_parse(struct xt_option_call *cb) -{ - struct ipt_log_info *info = cb->data; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_LOG_PREFIX: - if (strchr(cb->arg, '\n') != NULL) - xtables_error(PARAMETER_PROBLEM, - "Newlines not allowed in --log-prefix"); - break; - case O_LOG_TCPSEQ: - info->logflags |= IPT_LOG_TCPSEQ; - break; - case O_LOG_TCPOPTS: - info->logflags |= IPT_LOG_TCPOPT; - break; - case O_LOG_IPOPTS: - info->logflags |= IPT_LOG_IPOPT; - break; - case O_LOG_UID: - info->logflags |= IPT_LOG_UID; - break; - case O_LOG_MAC: - info->logflags |= IPT_LOG_MACDECODE; - break; - } -} - -static void LOG_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct ipt_log_info *loginfo - = (const struct ipt_log_info *)target->data; - unsigned int i = 0; - - printf(" LOG"); - if (numeric) - printf(" flags %u level %u", - loginfo->logflags, loginfo->level); - else { - for (i = 0; i < ARRAY_SIZE(ipt_log_names); ++i) - if (loginfo->level == ipt_log_namesi.level) { - printf(" level %s", ipt_log_namesi.name); - break; - } - if (i == ARRAY_SIZE(ipt_log_names)) - printf(" UNKNOWN level %u", loginfo->level); - if (loginfo->logflags & IPT_LOG_TCPSEQ) - printf(" tcp-sequence"); - if (loginfo->logflags & IPT_LOG_TCPOPT) - printf(" tcp-options"); - if (loginfo->logflags & IPT_LOG_IPOPT) - printf(" ip-options"); - if (loginfo->logflags & IPT_LOG_UID) - printf(" uid"); - if (loginfo->logflags & IPT_LOG_MACDECODE) - printf(" macdecode"); - if (loginfo->logflags & ~(IPT_LOG_MASK)) - printf(" unknown-flags"); - 
} - - if (strcmp(loginfo->prefix, "") != 0) - printf(" prefix \"%s\"", loginfo->prefix); -} - -static void LOG_save(const void *ip, const struct xt_entry_target *target) -{ - const struct ipt_log_info *loginfo - = (const struct ipt_log_info *)target->data; - - if (strcmp(loginfo->prefix, "") != 0) { - printf(" --log-prefix"); - xtables_save_string(loginfo->prefix); - } - - if (loginfo->level != LOG_DEFAULT_LEVEL) - printf(" --log-level %d", loginfo->level); - - if (loginfo->logflags & IPT_LOG_TCPSEQ) - printf(" --log-tcp-sequence"); - if (loginfo->logflags & IPT_LOG_TCPOPT) - printf(" --log-tcp-options"); - if (loginfo->logflags & IPT_LOG_IPOPT) - printf(" --log-ip-options"); - if (loginfo->logflags & IPT_LOG_UID) - printf(" --log-uid"); - if (loginfo->logflags & IPT_LOG_MACDECODE) - printf(" --log-macdecode"); -} - -static const struct ipt_log_xlate ipt_log_xlate_names = { - {"alert", LOG_ALERT }, - {"crit", LOG_CRIT }, - {"debug", LOG_DEBUG }, - {"emerg", LOG_EMERG }, - {"err", LOG_ERR }, - {"info", LOG_INFO }, - {"notice", LOG_NOTICE }, - {"warn", LOG_WARNING } -}; - -static int LOG_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct ipt_log_info *loginfo = - (const struct ipt_log_info *)params->target->data; - unsigned int i = 0; - - xt_xlate_add(xl, "log"); - if (strcmp(loginfo->prefix, "") != 0) { - if (params->escape_quotes) - xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix); - else - xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); - } - - for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i) - if (loginfo->level != LOG_DEFAULT_LEVEL && - loginfo->level == ipt_log_xlate_namesi.level) { - xt_xlate_add(xl, " level %s", - ipt_log_xlate_namesi.name); - break; - } - - if ((loginfo->logflags & IPT_LOG_MASK) == IPT_LOG_MASK) { - xt_xlate_add(xl, " flags all"); - } else { - if (loginfo->logflags & (IPT_LOG_TCPSEQ | IPT_LOG_TCPOPT)) { - const char *delim = " "; - - xt_xlate_add(xl, " flags tcp"); - if (loginfo->logflags 
& IPT_LOG_TCPSEQ) { - xt_xlate_add(xl, " sequence"); - delim = ","; - } - if (loginfo->logflags & IPT_LOG_TCPOPT) - xt_xlate_add(xl, "%soptions", delim); - } - if (loginfo->logflags & IPT_LOG_IPOPT) - xt_xlate_add(xl, " flags ip options"); - if (loginfo->logflags & IPT_LOG_UID) - xt_xlate_add(xl, " flags skuid"); - if (loginfo->logflags & IPT_LOG_MACDECODE) - xt_xlate_add(xl, " flags ether"); - } - - return 1; -} -static struct xtables_target log_tg_reg = { - .name = "LOG", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_log_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_log_info)), - .help = LOG_help, - .init = LOG_init, - .print = LOG_print, - .save = LOG_save, - .x6_parse = LOG_parse, - .x6_options = LOG_opts, - .xlate = LOG_xlate, -}; - -void _init(void) -{ - xtables_register_target(&log_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_MASQUERADE.c
Deleted
@@ -1,190 +0,0 @@ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> -#include <xtables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv4/ip_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_PORTS = 0, - O_RANDOM, - O_RANDOM_FULLY, -}; - -static void MASQUERADE_help(void) -{ - printf( -"MASQUERADE target options:\n" -" --to-ports <port>-<port>\n" -" Port (range) to map to.\n" -" --random\n" -" Randomize source port.\n" -" --random-fully\n" -" Fully randomize source port.\n"); -} - -static const struct xt_option_entry MASQUERADE_opts = { - {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -static void MASQUERADE_init(struct xt_entry_target *t) -{ - struct nf_nat_ipv4_multi_range_compat *mr = (struct nf_nat_ipv4_multi_range_compat *)t->data; - - /* Actually, it's 0, but it's ignored at the moment. 
*/ - mr->rangesize = 1; -} - -/* Parses ports */ -static void -parse_ports(const char *arg, struct nf_nat_ipv4_multi_range_compat *mr) -{ - char *end; - unsigned int port, maxport; - - mr->range0.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) - xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); - - switch (*end) { - case '\0': - mr->range0.min.tcp.port - = mr->range0.max.tcp.port - = htons(port); - return; - case '-': - if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX)) - break; - - if (maxport < port) - break; - - mr->range0.min.tcp.port = htons(port); - mr->range0.max.tcp.port = htons(maxport); - return; - default: - break; - } - xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); -} - -static void MASQUERADE_parse(struct xt_option_call *cb) -{ - const struct ipt_entry *entry = cb->xt_entry; - int portok; - struct nf_nat_ipv4_multi_range_compat *mr = cb->data; - - if (entry->ip.proto == IPPROTO_TCP - || entry->ip.proto == IPPROTO_UDP - || entry->ip.proto == IPPROTO_SCTP - || entry->ip.proto == IPPROTO_DCCP - || entry->ip.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_PORTS: - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - parse_ports(cb->arg, mr); - break; - case O_RANDOM: - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM; - break; - case O_RANDOM_FULLY: - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; - break; - } -} - -static void -MASQUERADE_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data; - const struct nf_nat_ipv4_range *r = &mr->range0; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" masq ports: "); - printf("%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - printf("-%hu", 
ntohs(r->max.tcp.port)); - } - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" random-fully"); -} - -static void -MASQUERADE_save(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data; - const struct nf_nat_ipv4_range *r = &mr->range0; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" --to-ports %hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - printf("-%hu", ntohs(r->max.tcp.port)); - } - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" --random-fully"); -} - -static int MASQUERADE_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_ipv4_multi_range_compat *mr = - (const void *)params->target->data; - const struct nf_nat_ipv4_range *r = &mr->range0; - - xt_xlate_add(xl, "masquerade"); - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, " to :%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port)); - } - - xt_xlate_add(xl, " "); - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - xt_xlate_add(xl, "random "); - - return 1; -} - -static struct xtables_target masquerade_tg_reg = { - .name = "MASQUERADE", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .help = MASQUERADE_help, - .init = MASQUERADE_init, - .x6_parse = MASQUERADE_parse, - .print = MASQUERADE_print, - .save = MASQUERADE_save, - .x6_options = MASQUERADE_opts, - .xlate = MASQUERADE_xlate, -}; - -void _init(void) -{ - xtables_register_target(&masquerade_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_REDIRECT.c
Deleted
@@ -1,174 +0,0 @@ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <xtables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv4/ip_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_PORTS = 0, - O_RANDOM, - F_TO_PORTS = 1 << O_TO_PORTS, - F_RANDOM = 1 << O_RANDOM, -}; - -static void REDIRECT_help(void) -{ - printf( -"REDIRECT target options:\n" -" --to-ports <port>-<port>\n" -" Port (range) to map to.\n" -" --random\n"); -} - -static const struct xt_option_entry REDIRECT_opts = { - {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -static void REDIRECT_init(struct xt_entry_target *t) -{ - struct nf_nat_ipv4_multi_range_compat *mr = (struct nf_nat_ipv4_multi_range_compat *)t->data; - - /* Actually, it's 0, but it's ignored at the moment. */ - mr->rangesize = 1; -} - -/* Parses ports */ -static void -parse_ports(const char *arg, struct nf_nat_ipv4_multi_range_compat *mr) -{ - char *end = ""; - unsigned int port, maxport; - - mr->range0.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) && - (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1) - xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); - - switch (*end) { - case '\0': - mr->range0.min.tcp.port - = mr->range0.max.tcp.port - = htons(port); - return; - case '-': - if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) && - (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1) - break; - - if (maxport < port) - break; - - mr->range0.min.tcp.port = htons(port); - mr->range0.max.tcp.port = htons(maxport); - return; - default: - break; - } - xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); -} - -static void REDIRECT_parse(struct xt_option_call *cb) -{ - const struct ipt_entry *entry = cb->xt_entry; - struct nf_nat_ipv4_multi_range_compat *mr = (void 
*)(*cb->target)->data; - int portok; - - if (entry->ip.proto == IPPROTO_TCP - || entry->ip.proto == IPPROTO_UDP - || entry->ip.proto == IPPROTO_SCTP - || entry->ip.proto == IPPROTO_DCCP - || entry->ip.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_PORTS: - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - parse_ports(cb->arg, mr); - if (cb->xflags & F_RANDOM) - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM; - break; - case O_RANDOM: - if (cb->xflags & F_TO_PORTS) - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM; - break; - } -} - -static void REDIRECT_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data; - const struct nf_nat_ipv4_range *r = &mr->range0; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" redir ports "); - printf("%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - printf("-%hu", ntohs(r->max.tcp.port)); - if (mr->range0.flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - } -} - -static void REDIRECT_save(const void *ip, const struct xt_entry_target *target) -{ - const struct nf_nat_ipv4_multi_range_compat *mr = (const void *)target->data; - const struct nf_nat_ipv4_range *r = &mr->range0; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(" --to-ports "); - printf("%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - printf("-%hu", ntohs(r->max.tcp.port)); - if (mr->range0.flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - } -} - -static int REDIRECT_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct nf_nat_ipv4_multi_range_compat *mr = - (const void *)params->target->data; - const struct nf_nat_ipv4_range *r = &mr->range0; - - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, 
"redirect to :%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - xt_xlate_add(xl, "-%hu ", ntohs(r->max.tcp.port)); - if (mr->range0.flags & NF_NAT_RANGE_PROTO_RANDOM) - xt_xlate_add(xl, " random "); - } - - return 1; -} - -static struct xtables_target redirect_tg_reg = { - .name = "REDIRECT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .help = REDIRECT_help, - .init = REDIRECT_init, - .x6_parse = REDIRECT_parse, - .print = REDIRECT_print, - .save = REDIRECT_save, - .x6_options = REDIRECT_opts, - .xlate = REDIRECT_xlate, -}; - -void _init(void) -{ - xtables_register_target(&redirect_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_REDIRECT.t
Deleted
@@ -1,6 +0,0 @@
-:PREROUTING,OUTPUT
-*nat
--p tcp -j REDIRECT --to-ports 42;=;OK
--p udp -j REDIRECT --to-ports 42-1234;=;OK
--p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
--j REDIRECT --to-ports 42;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_REDIRECT.txlate
Deleted
@@ -1,5 +0,0 @@
-iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
-nft add rule ip nat prerouting tcp dport 80 counter redirect to :8080
-
-iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
-nft add rule ip nat prerouting tcp dport 80 counter redirect to :8080 random
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_SNAT.c
Deleted
@@ -1,325 +0,0 @@ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <xtables.h> -#include <iptables.h> -#include <limits.h> /* INT_MAX in ip_tables.h */ -#include <linux/netfilter_ipv4/ip_tables.h> -#include <linux/netfilter/nf_nat.h> - -enum { - O_TO_SRC = 0, - O_RANDOM, - O_RANDOM_FULLY, - O_PERSISTENT, - O_X_TO_SRC, - F_TO_SRC = 1 << O_TO_SRC, - F_RANDOM = 1 << O_RANDOM, - F_RANDOM_FULLY = 1 << O_RANDOM_FULLY, - F_X_TO_SRC = 1 << O_X_TO_SRC, -}; - -/* Source NAT data consists of a multi-range, indicating where to map - to. */ -struct ipt_natinfo -{ - struct xt_entry_target t; - struct nf_nat_ipv4_multi_range_compat mr; -}; - -static void SNAT_help(void) -{ - printf( -"SNAT target options:\n" -" --to-source <ipaddr>-<ipaddr>:port-port\n" -" Address to map source to.\n" -"--random --random-fully --persistent\n"); -} - -static const struct xt_option_entry SNAT_opts = { - {.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_MULTI}, - {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, - {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, - {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, - XTOPT_TABLEEND, -}; - -static struct ipt_natinfo * -append_range(struct ipt_natinfo *info, const struct nf_nat_ipv4_range *range) -{ - unsigned int size; - - /* One rangesize already in struct ipt_natinfo */ - size = XT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range)); - - info = realloc(info, size); - if (!info) - xtables_error(OTHER_PROBLEM, "Out of memory\n"); - - info->t.u.target_size = size; - info->mr.rangeinfo->mr.rangesize = *range; - info->mr.rangesize++; - - return info; -} - -/* Ranges expected in network order. 
*/ -static struct xt_entry_target * -parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) -{ - struct nf_nat_ipv4_range range; - char *arg, *colon, *dash, *error; - const struct in_addr *ip; - - arg = strdup(orig_arg); - if (arg == NULL) - xtables_error(RESOURCE_PROBLEM, "strdup"); - memset(&range, 0, sizeof(range)); - colon = strchr(arg, ':'); - - if (colon) { - int port; - - if (!portok) - xtables_error(PARAMETER_PROBLEM, - "Need TCP, UDP, SCTP or DCCP with port specification"); - - range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); - - dash = strchr(colon, '-'); - if (!dash) { - range.min.tcp.port - = range.max.tcp.port - = htons(port); - } else { - int maxport; - - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); - if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); - range.min.tcp.port = htons(port); - range.max.tcp.port = htons(maxport); - } - /* Starts with a colon? 
No IP info...*/ - if (colon == arg) { - free(arg); - return &(append_range(info, &range)->t); - } - *colon = '\0'; - } - - range.flags |= NF_NAT_RANGE_MAP_IPS; - dash = strchr(arg, '-'); - if (colon && dash && dash > colon) - dash = NULL; - - if (dash) - *dash = '\0'; - - ip = xtables_numeric_to_ipaddr(arg); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - arg); - range.min_ip = ip->s_addr; - if (dash) { - ip = xtables_numeric_to_ipaddr(dash+1); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n", - dash+1); - range.max_ip = ip->s_addr; - } else - range.max_ip = range.min_ip; - - free(arg); - return &(append_range(info, &range)->t); -} - -static void SNAT_parse(struct xt_option_call *cb) -{ - const struct ipt_entry *entry = cb->xt_entry; - struct ipt_natinfo *info = (void *)(*cb->target); - int portok; - - if (entry->ip.proto == IPPROTO_TCP - || entry->ip.proto == IPPROTO_UDP - || entry->ip.proto == IPPROTO_SCTP - || entry->ip.proto == IPPROTO_DCCP - || entry->ip.proto == IPPROTO_ICMP) - portok = 1; - else - portok = 0; - - xtables_option_parse(cb); - switch (cb->entry->id) { - case O_TO_SRC: - if (cb->xflags & F_X_TO_SRC) { - if (!kernel_version) - get_kernel_version(); - if (kernel_version > LINUX_VERSION(2, 6, 10)) - xtables_error(PARAMETER_PROBLEM, - "SNAT: Multiple --to-source not supported"); - } - *cb->target = parse_to(cb->arg, portok, info); - cb->xflags |= F_X_TO_SRC; - break; - case O_PERSISTENT: - info->mr.range0.flags |= NF_NAT_RANGE_PERSISTENT; - break; - } -} - -static void SNAT_fcheck(struct xt_fcheck_call *cb) -{ - static const unsigned int f = F_TO_SRC | F_RANDOM; - static const unsigned int r = F_TO_SRC | F_RANDOM_FULLY; - struct nf_nat_ipv4_multi_range_compat *mr = cb->data; - - if ((cb->xflags & f) == f) - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM; - if ((cb->xflags & r) == r) - mr->range0.flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; -} - -static void print_range(const struct nf_nat_ipv4_range *r) 
-{ - if (r->flags & NF_NAT_RANGE_MAP_IPS) { - struct in_addr a; - - a.s_addr = r->min_ip; - printf("%s", xtables_ipaddr_to_numeric(&a)); - if (r->max_ip != r->min_ip) { - a.s_addr = r->max_ip; - printf("-%s", xtables_ipaddr_to_numeric(&a)); - } - } - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - printf(":"); - printf("%hu", ntohs(r->min.tcp.port)); - if (r->max.tcp.port != r->min.tcp.port) - printf("-%hu", ntohs(r->max.tcp.port)); - } -} - -static void SNAT_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct ipt_natinfo *info = (const void *)target; - unsigned int i = 0; - - printf(" to:"); - for (i = 0; i < info->mr.rangesize; i++) { - print_range(&info->mr.rangei); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" random-fully"); - if (info->mr.rangei.flags & NF_NAT_RANGE_PERSISTENT) - printf(" persistent"); - } -} - -static void SNAT_save(const void *ip, const struct xt_entry_target *target) -{ - const struct ipt_natinfo *info = (const void *)target; - unsigned int i = 0; - - for (i = 0; i < info->mr.rangesize; i++) { - printf(" --to-source "); - print_range(&info->mr.rangei); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) - printf(" --random-fully"); - if (info->mr.rangei.flags & NF_NAT_RANGE_PERSISTENT) - printf(" --persistent"); - } -} - -static void print_range_xlate(const struct nf_nat_ipv4_range *r, - struct xt_xlate *xl) -{ - if (r->flags & NF_NAT_RANGE_MAP_IPS) { - struct in_addr a; - - a.s_addr = r->min_ip; - xt_xlate_add(xl, "%s", xtables_ipaddr_to_numeric(&a)); - if (r->max_ip != r->min_ip) { - a.s_addr = r->max_ip; - xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&a)); - } - } - if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, ":"); - xt_xlate_add(xl, "%hu", ntohs(r->min.tcp.port)); - if 
(r->max.tcp.port != r->min.tcp.port) - xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port)); - } -} - -static int SNAT_xlate(struct xt_xlate *xl, - const struct xt_xlate_tg_params *params) -{ - const struct ipt_natinfo *info = (const void *)params->target; - unsigned int i = 0; - bool sep_need = false; - const char *sep = " "; - - for (i = 0; i < info->mr.rangesize; i++) { - xt_xlate_add(xl, "snat to "); - print_range_xlate(&info->mr.rangei, xl); - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM) { - xt_xlate_add(xl, " random"); - sep_need = true; - } - if (info->mr.rangei.flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%sfully-random", sep); - sep_need = true; - } - if (info->mr.rangei.flags & NF_NAT_RANGE_PERSISTENT) { - if (sep_need) - sep = ","; - xt_xlate_add(xl, "%spersistent", sep); - } - } - - return 1; -} - -static struct xtables_target snat_tg_reg = { - .name = "SNAT", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), - .help = SNAT_help, - .x6_parse = SNAT_parse, - .x6_fcheck = SNAT_fcheck, - .print = SNAT_print, - .save = SNAT_save, - .x6_options = SNAT_opts, - .xlate = SNAT_xlate, -}; - -void _init(void) -{ - xtables_register_target(&snat_tg_reg); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/include/libipulog
Deleted
-(directory)
_service:tar_scm:iptables-1.8.7.tar.bz2/include/libipulog/libipulog.h
Deleted
@@ -1,39 +0,0 @@
-#ifndef _LIBIPULOG_H
-#define _LIBIPULOG_H
-
-/* libipulog.h,v 1.3 2001/05/21 19:15:16 laforge Exp */
-
-#include <errno.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-#include <asm/types.h>
-#include <linux/netlink.h>
-#include <net/if.h>
-#include <linux/netfilter_ipv4/ipt_ULOG.h>
-
-/* FIXME: glibc sucks */
-#ifndef MSG_TRUNC
-#define MSG_TRUNC 0x20
-#endif
-
-struct ipulog_handle;
-
-u_int32_t ipulog_group2gmask(u_int32_t group);
-
-struct ipulog_handle *ipulog_create_handle(u_int32_t gmask);
-
-void ipulog_destroy_handle(struct ipulog_handle *h);
-
-ssize_t ipulog_read(struct ipulog_handle *h,
- unsigned char *buf, size_t len, int timeout);
-
-ulog_packet_msg_t *ipulog_get_packet(struct ipulog_handle *h,
- const unsigned char *buf,
- size_t len);
-
-void ipulog_perror(const char *s);
-
-#endif /* _LIBULOG_H */
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/.gitignore
Deleted
@@ -1,25 +0,0 @@
-/ip6tables
-/ip6tables-save
-/ip6tables-restore
-/ip6tables-static
-/ip6tables-translate.8
-/ip6tables-restore-translate.8
-/iptables
-/iptables.8
-/iptables-extensions.8
-/iptables-extensions.8.tmpl
-/iptables-save
-/iptables-save.8
-/iptables-restore
-/iptables-restore.8
-/iptables-static
-/iptables-translate.8
-/iptables-restore-translate.8
-/iptables-xml
-/iptables-xml.1
-/xtables-multi
-/xtables-legacy-multi
-/xtables-nft-multi
-/xtables-monitor.8
-
-/xtables.pc
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ip6tables-apply.8
Deleted
@@ -1,1 +0,0 @@
-.so man8/iptables-apply.8
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ip6tables-restore.8
Deleted
@@ -1,1 +0,0 @@
-.so man8/iptables-restore.8
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ip6tables-save.8
Deleted
@@ -1,1 +0,0 @@
-.so man8/iptables-save.8
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ip6tables.8
Deleted
@@ -1,1 +0,0 @@
-.so man8/iptables.8
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-arp.h
Deleted
@@ -1,14 +0,0 @@
-#ifndef _NFT_ARP_H_
-#define _NFT_ARP_H_
-
-extern char *arp_opcodes;
-#define NUMOPCODES 9
-
-/* define invflags which won't collide with IPT ones */
-#define IPT_INV_SRCDEVADDR 0x0080
-#define IPT_INV_TGTDEVADDR 0x0100
-#define IPT_INV_ARPHLN 0x0200
-#define IPT_INV_ARPOP 0x0400
-#define IPT_INV_ARPHRD 0x0800
-
-#endif
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-arp-standalone.c
Deleted
@@ -1,65 +0,0 @@ -/* - * Author: Paul.Russell@rustcorp.com.au and mneuling@radlogic.com.au - * - * Based on the ipchains code by Paul Russell and Michael Neuling - * - * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>: - * Paul 'Rusty' Russell <rusty@rustcorp.com.au> - * Marc Boucher <marc+nf@mbsi.ca> - * James Morris <jmorris@intercode.com.au> - * Harald Welte <laforge@gnumonks.org> - * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - * - * arptables -- IP firewall administration for kernels with - * firewall table (aimed for the 2.3 kernels) - * - * See the accompanying manual page arptables(8) for information - * about proper usage of this program. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
- */ - -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> -#include <string.h> -#include <xtables.h> -#include "nft.h" -#include <linux/netfilter_arp/arp_tables.h> - -#include "xtables-multi.h" - -extern struct xtables_globals arptables_globals; - -int xtables_arp_main(int argc, char *argv) -{ - int ret; - char *table = "filter"; - struct nft_handle h; - - nft_init_arp(&h, "arptables"); - - ret = do_commandarp(&h, argc, argv, &table, false); - if (ret) - ret = nft_commit(&h); - - nft_fini(&h); - xtables_fini(); - - if (!ret) - fprintf(stderr, "arptables: %s\n", nft_strerror(errno)); - - exit(!ret); -}
_service:tar_scm:iptables-1.8.7.tar.bz2/libipq/.gitignore
Deleted
@@ -1,1 +0,0 @@
-/libipq.pc
_service:tar_scm:iptables-1.8.7.tar.bz2/libiptc/.gitignore
Deleted
@@ -1,1 +0,0 @@
-/*.pc
_service:tar_scm:iptables-1.8.7.tar.bz2/libiptc/linux_stddef.h
Deleted
@@ -1,39 +0,0 @@
-#ifndef _LINUX_STDDEF_H
-#define _LINUX_STDDEF_H
-
-#undef NULL
-#if defined(__cplusplus)
-#define NULL 0
-#else
-#define NULL ((void *)0)
-#endif
-
-#undef offsetof
-#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
-
-
-/**
- * container_of - cast a member of a structure out to the containing structure
- *
- * @ptr: the pointer to the member.
- * @type: the type of the container struct this is embedded in.
- * @member: the name of the member within the struct.
- *
- */
-#define container_of(ptr, type, member) ({ \
- const typeof( ((type *)0)->member ) *__mptr = (ptr); \
- (type *)( (char *)__mptr - offsetof(type,member) );})
-
-/*
- * Check at compile time that something is of a particular type.
- * Always evaluates to 1 so you may use it easily in comparisons.
- */
-#define typecheck(type,x) \
-({ type __dummy; \
- typeof(x) __dummy2; \
- (void)(&__dummy == &__dummy2); \
- 1; \
-})
-
-
-#endif
_service:tar_scm:iptables-1.8.7.tar.bz2/m4/.gitignore
Deleted
@@ -1,2 +0,0 @@ -/libtool.m4 -/lt*.m4
_service:tar_scm:iptables-1.8.7.tar.bz2/utils/.gitignore
Deleted
@@ -1,4 +0,0 @@ -/nfnl_osf -/nfnl_osf.8 -/nfbpf_compile -/nfbpf_compile.8
_service:tar_scm:iptables-1.8.7.tar.bz2/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/Makefile.am
Changed
@@ -1,7 +1,7 @@ # -*- Makefile -*- ACLOCAL_AMFLAGS = -I m4 -AUTOMAKE_OPTIONS = foreign subdir-objects +AUTOMAKE_OPTIONS = foreign subdir-objects dist-xz no-dist-gzip SUBDIRS = libiptc libxtables if ENABLE_DEVEL @@ -16,9 +16,11 @@ # Depends on extensions/libext.a: SUBDIRS += iptables +EXTRA_DIST = autogen.sh iptables-test.py xlate-test.py + if ENABLE_NFTABLES confdir = $(sysconfdir) -dist_conf_DATA = etc/ethertypes +dist_conf_DATA = etc/ethertypes etc/xtables.conf endif .PHONY: tarball @@ -26,8 +28,10 @@ rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd; pushd /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd; - tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; + tar -C /tmp -cJf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.xz --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; config.status: extensions/GNUmakefile.in \ include/xtables-version.h.in + +TESTS = xlate-test.py iptables-test.py iptables/tests/shell/run-tests.sh
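Review bot: The rewritten `tar -C /tmp -cJf …` line in the third hunk keeps the `tarball` recipe staging the tree at the fixed, predictable path `/tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}`, which it both `rm -Rf`s and extracts into; on a shared host another local user can pre-create that name (or a symlink under it) in the world-writable /tmp, so the recipe may remove or write files it did not intend to. Since this line is being touched anyway, the recipe should stage into a private directory from `mktemp -d` and remove only that, which also drops the unconditional `rm -Rf` of a guessed path before anything has been created. The `tarball:` target line itself is outside the hunk, and the recipe lines currently run as separate shells, so the staging variable has to be carried through one continued command as sketched below (the `--owner=root --group=root` and xz switch stay as the commit has them).
```makefile
# … unchanged: tarball: target line (outside the hunk) …
	staging=`mktemp -d` && \
	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C "$$staging" -x && popd && \
	pushd "$$staging"/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd && \
	tar -C "$$staging" -cJf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.xz --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; \
	rm -Rf "$$staging"
```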
_service:tar_scm:iptables-1.8.7.tar.bz2/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -135,7 +135,7 @@ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac -am__dist_conf_DATA_DIST = etc/ethertypes +am__dist_conf_DATA_DIST = etc/ethertypes etc/xtables.conf am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -172,9 +172,10 @@ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ - cscope distdir distdir-am dist dist-all distcheck -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ - $(LISP)config.h.in + cscope check recheck distdir distdir-am dist dist-all \ + distcheck +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \ + config.h.in # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. 
@@ -194,6 +195,183 @@ ETAGS = etags CTAGS = ctags CSCOPE = cscope +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='0;31m'; \ + grn='0;32m'; \ + lgn='1;32m'; \ + blu='1;34m'; \ + mgn='0;35m'; \ + brg='1m'; \ + std='m'; \ + fi; \ +} +am__recheck_rx = ^ *:recheck: * +am__global_test_result_rx = ^ *:global-test-result: * +am__copy_in_global_log_rx = ^ *:copy-in-global-log: * +# A command that, given a newline-separated list of test names on the +# standard input, print the name of the tests that are to be re-run +# upon "make recheck". +am__list_recheck_tests = $(AWK) '{ \ + recheck = 1; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + { \ + if ((getline line2 < ($$0 ".log")) < 0) \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)nNOo/) \ + { \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)yYeEsS/) \ + { \ + break; \ + } \ + }; \ + if (recheck) \ + print $$0; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# A command that, given a newline-separated list of test names on the +# standard input, create the global log from their .trs and .log files. 
+am__create_global_log = $(AWK) ' \ +function fatal(msg) \ +{ \ + print "fatal: making $@: " msg | "cat >&2"; \ + exit 1; \ +} \ +function rst_section(header) \ +{ \ + print header; \ + len = length(header); \ + for (i = 1; i <= len; i = i + 1) \ + printf "="; \ + printf "\n\n"; \ +} \ +{ \ + copy_in_global_log = 1; \ + global_test_result = "RUN"; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".trs"); \ + if (line ~ /$(am__global_test_result_rx)/) \ + { \ + sub("$(am__global_test_result_rx)", "", line); \ + sub(" *$$", "", line); \ + global_test_result = line; \ + } \ + else if (line ~ /$(am__copy_in_global_log_rx)nNoO/) \ + copy_in_global_log = 0; \ + }; \ + if (copy_in_global_log) \ + { \ + rst_section(global_test_result ": " $$0); \ + while ((rc = (getline line < ($$0 ".log"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".log"); \ + print line; \ + }; \ + printf "\n"; \ + }; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# Restructured Text title. +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +# Solaris 10 'make', and several other traditional 'make' implementations, +# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it +# by disabling -e (using the XSI extension "set +e") if it's set. +am__sh_e_setup = case $$- in *e*) set +e;; esac +# Default flags passed to test drivers. +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +# To be inserted before the command running the test. Creates the +# directory for the log if needed. Stores in $dir the directory +# containing $f, in $tst the test, in $log the log. Executes the +# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and +# passes TESTS_ENVIRONMENT. 
Set up options for the wrapper that +# will run the test scripts (or their associated LOG_COMPILER, if +# thy have one). +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/^/*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." || test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; \ +case " $(XFAIL_TESTS) " in \ + *\ \ $$f\ \ * | *\ \ $$dir$$f\ \ *) \ + am__expect_failure=yes;; \ + *) \ + am__expect_failure=no;; \ +esac; \ +$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT) +# A shell command to get the names of the tests scripts with any registered +# extension removed (i.e., equivalently, the names of the test logs, with +# the '.log' extension removed). The result is saved in the shell variable +# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly, +# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)", +# since that might cause problem with VPATH rewrites for suffix-less tests. +# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'. 
+am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ + bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' +RECHECK_LOGS = $(TEST_LOGS) +TEST_SUITE_LOG = test-suite.log +TEST_EXTENSIONS = @EXEEXT@ .test +LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS) +am__set_b = \ + case '$@' in \ + */*) \ + case '$*' in \ + */*) b='$*';; \ + *) b=`echo '$@' | sed 's/\.log$$//'`; \ + esac;; \ + *) \ + b='$*';; \ + esac +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log) +TEST_LOGS = $(am__test_logs2:.test.log=.log) +TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ + $(TEST_LOG_FLAGS) DIST_SUBDIRS = libiptc libxtables include libipq utils extensions \ iptables am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ @@ -203,6 +381,7 @@ $(top_srcdir)/build-aux/install-sh \ $(top_srcdir)/build-aux/ltmain.sh \ $(top_srcdir)/build-aux/missing \ + $(top_srcdir)/build-aux/test-driver \ $(top_srcdir)/extensions/GNUmakefile.in COPYING INSTALL \ build-aux/ar-lib build-aux/compile build-aux/config.guess \ build-aux/config.sub build-aux/install-sh build-aux/ltmain.sh \ @@ -242,9 +421,11 @@ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" -DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best -DIST_TARGETS = dist-gzip +DIST_ARCHIVES = $(distdir).tar.xz +DIST_TARGETS = dist-xz +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' 
@@ -385,6 +566,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -396,17 +578,20 @@ top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ ACLOCAL_AMFLAGS = -I m4 -AUTOMAKE_OPTIONS = foreign subdir-objects +AUTOMAKE_OPTIONS = foreign subdir-objects dist-xz no-dist-gzip # Depends on libxtables: # Depends on extensions/libext.a: SUBDIRS = libiptc libxtables $(am__append_1) $(am__append_2) utils \ extensions iptables +EXTRA_DIST = autogen.sh iptables-test.py xlate-test.py @ENABLE_NFTABLES_TRUE@confdir = $(sysconfdir) -@ENABLE_NFTABLES_TRUE@dist_conf_DATA = etc/ethertypes +@ENABLE_NFTABLES_TRUE@dist_conf_DATA = etc/ethertypes etc/xtables.conf +TESTS = xlate-test.py iptables-test.py iptables/tests/shell/run-tests.sh all: config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive .SUFFIXES: +.SUFFIXES: .log .test .test$(EXEEXT) .trs am--refresh: Makefile @: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) 
@@ -594,6 +779,183 @@ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f cscope.out cscope.in.out cscope.po.out cscope.files +# Recover from deleted '.trs' file; this should ensure that +# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create +# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells +# to avoid problems with "make -n". +.log.trs: + rm -f $< $@ + $(MAKE) $(AM_MAKEFLAGS) $< + +# Leading 'am--fnord' is there to ensure the list of targets does not +# expand to empty, as could happen e.g. with make check TESTS=''. +am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck) +am--force-recheck: + @: + +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + if test -n "$$redo_bases"; then \ + redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \ + redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \ + if $(am__make_dryrun); then :; else \ + rm -f $$redo_logs && rm -f $$redo_results || exit 1; \ + fi; \ + fi; \ + if test -n "$$am__remaking_logs"; then \ + echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ + "recursion detected" >&2; \ + elif test -n "$$redo_logs"; then \ + am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ + fi; \ + if $(am__make_dryrun); then :; else \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; \ + fi + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws=' '; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep 
"^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; \ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. 
contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done \ + | $(am__create_global_log); \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + if test -n "$(PACKAGE_BUGREPORT)"; then \ + echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \ + fi; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 + +check-TESTS: + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + trs_list=`for i in $$bases; do echo $$i.trs; done`; \ + log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +recheck: all + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + bases=`for i in $$bases; do echo $$i; done \ + | $(am__list_recheck_tests)` || exit 1; \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \ + am__force_recheck=am--force-recheck \ + TEST_LOGS="$$log_list"; \ + exit $$? 
+xlate-test.py.log: xlate-test.py + @p='xlate-test.py'; \ + b='xlate-test.py'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +iptables-test.py.log: iptables-test.py + @p='iptables-test.py'; \ + b='iptables-test.py'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +iptables/tests/shell/run-tests.sh.log: iptables/tests/shell/run-tests.sh + @p='iptables/tests/shell/run-tests.sh'; \ + b='iptables/tests/shell/run-tests.sh'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +.test.log: + @p='$<'; \ + $(am__set_b); \ + $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +@am__EXEEXT_TRUE@.test$(EXEEXT).log: +@am__EXEEXT_TRUE@ @p='$<'; \ +@am__EXEEXT_TRUE@ $(am__set_b); \ +@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ +@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ +@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ +@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) + distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am 
@@ -672,11 +1034,14 @@ dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) - dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) +dist-zstd: distdir + tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst + $(am__post_remove_distdir) + dist-tarZ: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @@ -719,6 +1084,8 @@ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ + *.tar.zst*) \ + zstd -dc $(distdir).tar.zst | $(am__untar) ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) @@ -734,7 +1101,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ @@ -786,6 +1153,7 @@ $(distcleancheck_listfiles) ; \ exit 1; } >&2 check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-recursive all-am: Makefile $(DATA) config.h installdirs: installdirs-recursive @@ -813,6 +1181,9 @@ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: + -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS) + -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs) + -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) clean-generic: 
@@ -893,24 +1264,25 @@ uninstall-am: uninstall-dist_confDATA -.MAKE: $(am__recursive_targets) all install-am install-strip +.MAKE: $(am__recursive_targets) all check-am install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ - am--refresh check check-am clean clean-cscope clean-generic \ - clean-libtool cscope cscopelist-am ctags ctags-am dist \ - dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ - dist-xz dist-zip distcheck distclean distclean-generic \ - distclean-hdr distclean-libtool distclean-tags distcleancheck \ - distdir distuninstallcheck dvi dvi-am html html-am info \ - info-am install install-am install-data install-data-am \ - install-dist_confDATA install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-dist_confDATA + am--refresh check check-TESTS check-am clean clean-cscope \ + clean-generic clean-libtool cscope cscopelist-am ctags \ + ctags-am dist dist-all dist-bzip2 dist-gzip dist-lzip \ + dist-shar dist-tarZ dist-xz dist-zip dist-zstd distcheck \ + distclean distclean-generic distclean-hdr distclean-libtool \ + distclean-tags distcleancheck distdir distuninstallcheck dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dist_confDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic 
mostlyclean-libtool pdf pdf-am \ + ps ps-am recheck tags tags-am uninstall uninstall-am \ + uninstall-dist_confDATA .PRECIOUS: Makefile @@ -920,7 +1292,7 @@ rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; pushd ${top_srcdir} && git archive --prefix=${PACKAGE_TARNAME}-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd; pushd /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION} && ./autogen.sh && popd; - tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; + tar -C /tmp -cJf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.xz --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; config.status: extensions/GNUmakefile.in \
_service:tar_scm:iptables-1.8.7.tar.bz2/aclocal.m4 -> _service:tar_scm:iptables-1.8.9.tar.xz/aclocal.m4
Changed
@@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.1 -*- Autoconf -*- +# generated automatically by aclocal 1.16.3 -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,9 +20,9 @@ If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.)) -dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29) -dnl +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 12 (pkg-config-0.29.2) + dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>. dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com> dnl @@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun(PKG_PREREQ, -m4_define(PKG_MACROS_VERSION, 0.29) +m4_define(PKG_MACROS_VERSION, 0.29.2) m4_if(m4_version_compare(PKG_MACROS_VERSION, $1), -1, m4_fatal(pkg.m4 version $1 or higher is required but PKG_MACROS_VERSION found)) )dnl PKG_PREREQ @@ -164,7 +164,7 @@ AC_ARG_VAR($1_LIBS, linker flags for $1, overriding pkg-config)dnl pkg_failed=no -AC_MSG_CHECKING(for $1) +AC_MSG_CHECKING(for $2) _PKG_CONFIG($1_CFLAGS, cflags, $2) _PKG_CONFIG($1_LIBS, libs, $2) @@ -174,11 +174,11 @@ See the pkg-config man page for more details.) if test $pkg_failed = yes; then - AC_MSG_RESULT(no) + AC_MSG_RESULT(no) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` - else + else $1_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` fi # Put the nasty error message in config.log where it belongs 
@@ -195,7 +195,7 @@ _PKG_TEXT)dnl ) elif test $pkg_failed = untried; then - AC_MSG_RESULT(no) + AC_MSG_RESULT(no) m4_default($4, AC_MSG_FAILURE( The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full @@ -296,7 +296,7 @@ AS_VAR_IF($1, "", $5, $4)dnl )dnl PKG_CHECK_VAR -# Copyright (C) 2002-2018 Free Software Foundation, Inc. +# Copyright (C) 2002-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -311,7 +311,7 @@ am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if($1, 1.16.1, , +m4_if($1, 1.16.3, , AC_FATAL(Do not call $0, use AM_INIT_AUTOMAKE($1).))dnl ) @@ -327,12 +327,12 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN(AM_SET_CURRENT_AUTOMAKE_VERSION, -AM_AUTOMAKE_VERSION(1.16.1)dnl +AM_AUTOMAKE_VERSION(1.16.3)dnl m4_ifndef(AC_AUTOCONF_VERSION, m4_copy(m4_PACKAGE_VERSION, AC_AUTOCONF_VERSION))dnl _AM_AUTOCONF_VERSION(m4_defn(AC_AUTOCONF_VERSION))) -# Copyright (C) 2011-2018 Free Software Foundation, Inc. +# Copyright (C) 2011-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -394,7 +394,7 @@ # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -446,7 +446,7 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -477,7 +477,7 @@ Usually this means the macro was only invoked conditionally.) fi)) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -668,7 +668,7 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -707,7 +707,9 @@ done if test $am_rc -ne 0; then AC_MSG_FAILURE(Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE="gmake" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking).) fi @@ -734,7 +736,7 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -931,7 +933,7 @@ done echo "timestamp for $_am_arg" >`AS_DIRNAME("$_am_arg")`/stamp-h$_am_stamp_count) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -952,7 +954,7 @@ fi AC_SUBST(install_sh)) -# Copyright (C) 2003-2018 Free Software Foundation, Inc. +# Copyright (C) 2003-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -973,7 +975,7 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1016,7 +1018,7 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1037,12 +1039,7 @@ AC_REQUIRE(AM_AUX_DIR_EXPAND)dnl AC_REQUIRE_AUX_FILE(missing)dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -1055,7 +1052,7 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -1084,7 +1081,7 @@ AC_DEFUN(_AM_IF_OPTION, m4_ifset(_AM_MANGLE_OPTION($1), $2, $3)) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1131,7 +1128,7 @@ # For backward compatibility. AC_DEFUN_ONCE(AM_PROG_CC_C_O, AC_REQUIRE(AC_PROG_CC)) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1150,7 +1147,7 @@ # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1231,7 +1228,7 @@ rm -f conftest.file ) -# Copyright (C) 2009-2018 Free Software Foundation, Inc. +# Copyright (C) 2009-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1291,7 +1288,7 @@ _AM_SUBST_NOTMAKE(AM_BACKSLASH)dnl ) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1319,7 +1316,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST(INSTALL_STRIP_PROGRAM)) -# Copyright (C) 2006-2018 Free Software Foundation, Inc. +# Copyright (C) 2006-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -1338,7 +1335,7 @@ # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004-2018 Free Software Foundation, Inc. +# Copyright (C) 2004-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
_service:tar_scm:iptables-1.8.7.tar.bz2/build-aux/ar-lib -> _service:tar_scm:iptables-1.8.9.tar.xz/build-aux/ar-lib
Changed
@@ -2,9 +2,9 @@ # Wrapper for Microsoft lib.exe me=ar-lib -scriptversion=2012-03-01.08; # UTC +scriptversion=2019-07-04.01; # UTC -# Copyright (C) 2010-2018 Free Software Foundation, Inc. +# Copyright (C) 2010-2020 Free Software Foundation, Inc. # Written by Peter Rosin <peda@lysator.liu.se>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) @@ -65,7 +65,7 @@ mingw) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin) + cygwin | msys) file=`cygpath -m "$file" || echo "$file"` ;; wine) @@ -224,10 +224,11 @@ esac done else - $AR -NOLOGO -LIST "$archive" | sed -e 's/\\/\\\\/g' | while read member - do - $AR -NOLOGO -EXTRACT:"$member" "$archive" || exit $? - done + $AR -NOLOGO -LIST "$archive" | tr -d '\r' | sed -e 's/\\/\\\\/g' \ + | while read member + do + $AR -NOLOGO -EXTRACT:"$member" "$archive" || exit $? + done fi elif test -n "$quick$replace"; then
_service:tar_scm:iptables-1.8.7.tar.bz2/build-aux/compile -> _service:tar_scm:iptables-1.8.9.tar.xz/build-aux/compile
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # Written by Tom Tromey <tromey@cygnus.com>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) @@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*)
_service:tar_scm:iptables-1.8.7.tar.bz2/build-aux/depcomp -> _service:tar_scm:iptables-1.8.9.tar.xz/build-aux/depcomp
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by
_service:tar_scm:iptables-1.8.7.tar.bz2/build-aux/install-sh -> _service:tar_scm:iptables-1.8.9.tar.xz/build-aux/install-sh
Changed
@@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= @@ -99,18 +104,28 @@ --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to bug-automake@gnu.org. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 
@@ -255,6 +275,10 @@ dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command @@ -301,22 +325,6 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *23672367) mkdir_umask=$umask;; - .*00202 | .0202 | .02) mkdir_umask=22;; - - *0-7) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then 
@@ -326,52 +334,49 @@ fi posix_mkdir=false - case $umask in - *1235670-70-7) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? 
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ then : else - # The umask is ridiculous, or mkdir does not conform to POSIX, + # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. @@ -411,7 +416,7 @@ prefixes= else if $posix_mkdir; then - (umask=$mkdir_umask && + (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 
@@ -451,7 +456,18 @@ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. - (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + (umask $cp_umask && + { test -z "$stripcmd" || { + # Create $dsttmp read-write so that cp doesn't create it read-only, + # which would cause strip to fail. + if test -z "$doit"; then + : >"$dsttmp" # No need to fork-exec 'touch'. + else + $doit touch "$dsttmp" + fi + } + } && + $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # @@ -477,6 +493,13 @@ then rm -f "$dsttmp" else + # If $backupsuffix is set, and the file being installed + # already exists, attempt a backup. Don't worry if it fails, + # e.g., if mv doesn't support -f. + if test -n "$backupsuffix" && test -f "$dst"; then + $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null + fi + # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || @@ -491,9 +514,9 @@ # file should still install successfully. { test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || + $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1
_service:tar_scm:iptables-1.8.7.tar.bz2/build-aux/ltmain.sh -> _service:tar_scm:iptables-1.8.9.tar.xz/build-aux/ltmain.sh
Changed
@@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-9" +VERSION="2.4.6 Debian-2.4.6-15" package_revision=2.4.6 @@ -387,7 +387,7 @@ # putting '$debug_cmd' at the start of all your functions, you can get # bash to show function call trace with: # -# debug_cmd='eval echo "${FUNCNAME0} $*" >&2' bash your-script-name +# debug_cmd='echo "${FUNCNAME0} $*" >&2' bash your-script-name debug_cmd=${debug_cmd-":"} exit_cmd=: @@ -2141,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-9 + version: $progname $scriptversion Debian-2.4.6-15 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` @@ -7368,10 +7368,12 @@ # -stdlib=* select c++ std lib with clang # -fsanitize=* Clang/GCC memory and address sanitizer # -fuse-ld=* Linker select flags for GCC + # -static-* direct GCC to link specific libraries statically + # -fcilkplus Cilk Plus language extension features for C/C++ -64|-mips0-9|-r0-90-9*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ -t45*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \ - -specs=*|-fsanitize=*|-fuse-ld=*) + -specs=*|-fsanitize=*|-fuse-ld=*|-static-*|-fcilkplus) func_quote_for_eval "$arg" arg=$func_quote_for_eval_result func_append compile_command " $arg"
_service:tar_scm:iptables-1.8.7.tar.bz2/build-aux/missing -> _service:tar_scm:iptables-1.8.9.tar.xz/build-aux/missing
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify
_service:tar_scm:iptables-1.8.9.tar.xz/build-aux/test-driver
Added
@@ -0,0 +1,150 @@ +#! /bin/sh +# test-driver - basic testsuite driver script. + +scriptversion=2018-03-07.03; # UTC + +# Copyright (C) 2011-2020 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <bug-automake@gnu.org> or send patches to +# <automake-patches@gnu.org>. + +# Make unconditional expansion of undefined variables an error. This +# helps a lot in preventing typo-related bugs. +set -u + +usage_error () +{ + echo "$0: $*" >&2 + print_usage >&2 + exit 2 +} + +print_usage () +{ + cat <<END +Usage: + test-driver --test-name NAME --log-file PATH --trs-file PATH + --expect-failure {yes|no} --color-tests {yes|no} + --enable-hard-errors {yes|no} -- + TEST-SCRIPT TEST-SCRIPT-ARGUMENTS + +The '--test-name', '--log-file' and '--trs-file' options are mandatory. +See the GNU Automake documentation for information. +END +} + +test_name= # Used for reporting. +log_file= # Where to save the output of the test script. +trs_file= # Where to save the metadata of the test run. 
+expect_failure=no +color_tests=no +enable_hard_errors=yes +while test $# -gt 0; do + case $1 in + --help) print_usage; exit $?;; + --version) echo "test-driver $scriptversion"; exit $?;; + --test-name) test_name=$2; shift;; + --log-file) log_file=$2; shift;; + --trs-file) trs_file=$2; shift;; + --color-tests) color_tests=$2; shift;; + --expect-failure) expect_failure=$2; shift;; + --enable-hard-errors) enable_hard_errors=$2; shift;; + --) shift; break;; + -*) usage_error "invalid option: '$1'";; + *) break;; + esac + shift +done + +missing_opts= +test x"$test_name" = x && missing_opts="$missing_opts --test-name" +test x"$log_file" = x && missing_opts="$missing_opts --log-file" +test x"$trs_file" = x && missing_opts="$missing_opts --trs-file" +if test x"$missing_opts" != x; then + usage_error "the following mandatory options are missing:$missing_opts" +fi + +if test $# -eq 0; then + usage_error "missing argument" +fi + +if test $color_tests = yes; then + # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'. + red='0;31m' # Red. + grn='0;32m' # Green. + lgn='1;32m' # Light green. + blu='1;34m' # Blue. + mgn='0;35m' # Magenta. + std='m' # No color. +else + red= grn= lgn= blu= mgn= std= +fi + +do_exit='rm -f $log_file $trs_file; (exit $st); exit $st' +trap "st=129; $do_exit" 1 +trap "st=130; $do_exit" 2 +trap "st=141; $do_exit" 13 +trap "st=143; $do_exit" 15 + +# Test script is run here. +"$@" >$log_file 2>&1 +estatus=$? 
+ +if test $enable_hard_errors = no && test $estatus -eq 99; then + tweaked_estatus=1 +else + tweaked_estatus=$estatus +fi + +case $tweaked_estatus:$expect_failure in + 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; + 0:*) col=$grn res=PASS recheck=no gcopy=no;; + 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; + 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;; + *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;; + *:*) col=$red res=FAIL recheck=yes gcopy=yes;; +esac + +# Report the test outcome and exit status in the logs, so that one can +# know whether the test passed or failed simply by looking at the '.log' +# file, without the need of also peaking into the corresponding '.trs' +# file (automake bug#11814). +echo "$res $test_name (exit status: $estatus)" >>$log_file + +# Report outcome to console. +echo "${col}${res}${std}: $test_name" + +# Register the test result, and other relevant metadata. +echo ":test-result: $res" > $trs_file +echo ":global-test-result: $res" >> $trs_file +echo ":recheck: $recheck" >> $trs_file +echo ":copy-in-global-log: $gcopy" >> $trs_file + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End:
_service:tar_scm:iptables-1.8.7.tar.bz2/configure -> _service:tar_scm:iptables-1.8.9.tar.xz/configure
Changed
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for iptables 1.8.7. +# Generated by GNU Autoconf 2.69 for iptables 1.8.9. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='iptables' PACKAGE_TARNAME='iptables' -PACKAGE_VERSION='1.8.7' -PACKAGE_STRING='iptables 1.8.7' +PACKAGE_VERSION='1.8.9' +PACKAGE_STRING='iptables 1.8.9' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -642,6 +642,7 @@ ksourcedir kbuilddir kinclude_CPPFLAGS +regular_LDFLAGS noundef_LDFLAGS regular_CPPFLAGS regular_CFLAGS @@ -834,6 +835,7 @@ enable_nftables enable_connlabel with_xt_lock_name +enable_profiling ' ac_precious_vars='build_alias host_alias @@ -1406,7 +1408,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iptables 1.8.7 to adapt to many kinds of systems. +\`configure' configures iptables 1.8.9 to adapt to many kinds of systems. Usage: $0 OPTION... VAR=VALUE... @@ -1477,7 +1479,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of iptables 1.8.7:";; + short | recursive ) echo "Configuration of iptables 1.8.9:";; esac cat <<\_ACEOF @@ -1505,6 +1507,7 @@ --enable-nfsynproxy Build SYNPROXY configuration tool --disable-nftables Do not build nftables compat --disable-connlabel Do not build libnetfilter_conntrack + --enable-profiling build for use of gcov/gprof Optional Packages: --with-PACKAGE=ARG use PACKAGE ARG=yes @@ -1628,7 +1631,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iptables configure 1.8.7 +iptables configure 1.8.9 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2176,7 +2179,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iptables $as_me 1.8.7, which was +It was created by iptables $as_me 1.8.9, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2526,8 +2529,8 @@ # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=16 -libxtables_vage=4 +libxtables_vcurrent=19 +libxtables_vage=7 ac_aux_dir= for ac_dir in build-aux "$srcdir"/build-aux; do @@ -2737,12 +2740,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -3047,7 +3045,7 @@ # Define the identity of the package. PACKAGE='iptables' - VERSION='1.8.7' + VERSION='1.8.9' cat >>confdefs.h <<_ACEOF @@ -4180,37 +4178,6 @@ -# Check whether --enable-static was given. -if test "${enable_static+set}" = set; then : - enableval=$enable_static; p=${PACKAGE-default} - case $enableval in - yes) enable_static=yes ;; - no) enable_static=no ;; - *) - enable_static=no - # Look at the argument we got. We use all the common list separators. - lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, - for pkg in $enableval; do - IFS=$lt_save_ifs - if test "X$pkg" = "X$p"; then - enable_static=yes - fi - done - IFS=$lt_save_ifs - ;; - esac -else - enable_static=no -fi - - - - - - - - - if test -n "$ac_tool_prefix"; then for ac_prog in ar lib "link -lib" @@ -6054,7 +6021,7 @@ fi : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} 
@@ -7775,8 +7742,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 - echo "$AR cru libconftest.a conftest.o" >&5 - $AR cru libconftest.a conftest.o 2>&5 + echo "$AR cr libconftest.a conftest.o" >&5 + $AR cr libconftest.a conftest.o 2>&5 echo "$RANLIB libconftest.a" >&5 $RANLIB libconftest.a 2>&5 cat > conftest.c << _LT_EOF @@ -7808,11 +7775,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) + 10.0,*86*-darwin8*|10.0,*-darwin912*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.012,.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -8153,6 +8120,35 @@ # Set options +# Check whether --enable-static was given. +if test "${enable_static+set}" = set; then : + enableval=$enable_static; p=${PACKAGE-default} + case $enableval in + yes) enable_static=yes ;; + no) enable_static=no ;; + *) + enable_static=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_static=yes + fi + done + IFS=$lt_save_ifs + ;; + esac +else + enable_static=no +fi + + + + + + + @@ -8875,6 +8871,12 @@ lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) 
@@ -12544,6 +12546,13 @@ xt_lock_name="/run/xtables.lock" fi +# Check whether --enable-profiling was given. +if test "${enable_profiling+set}" = set; then : + enableval=$enable_profiling; enable_profiling="$enableval" +else + enable_profiling="no" +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $LD knows -Wl,--no-undefined" >&5 $as_echo_n "checking whether $LD knows -Wl,--no-undefined... " >&6; } @@ -12888,8 +12897,8 @@ fi pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5 -$as_echo_n "checking for libnfnetlink... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink >= 1.0" >&5 +$as_echo_n "checking for libnfnetlink >= 1.0... " >&6; } if test -n "$libnfnetlink_CFLAGS"; then pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS" @@ -12929,7 +12938,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -12947,7 +12956,7 @@ nfnetlink=0 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } nfnetlink=0 else @@ -12969,8 +12978,8 @@ if test "x$enable_nftables" = "xyes"; then pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5 -$as_echo_n "checking for libmnl... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl >= 1.0" >&5 +$as_echo_n "checking for libmnl >= 1.0... " >&6; } if test -n "$libmnl_CFLAGS"; then pkg_cv_libmnl_CFLAGS="$libmnl_CFLAGS" @@ -13010,7 +13019,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then 
@@ -13028,7 +13037,7 @@ mnl=0 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } mnl=0 else @@ -13050,8 +13059,8 @@ pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnftnl" >&5 -$as_echo_n "checking for libnftnl... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnftnl >= 1.1.6" >&5 +$as_echo_n "checking for libnftnl >= 1.1.6... " >&6; } if test -n "$libnftnl_CFLAGS"; then pkg_cv_libnftnl_CFLAGS="$libnftnl_CFLAGS" @@ -13091,7 +13100,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -13109,7 +13118,7 @@ nftables=0 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } nftables=0 else @@ -13155,8 +13164,8 @@ if test "x$enable_connlabel" = "xyes"; then pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnetfilter_conntrack" >&5 -$as_echo_n "checking for libnetfilter_conntrack... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnetfilter_conntrack >= 1.0.6" >&5 +$as_echo_n "checking for libnetfilter_conntrack >= 1.0.6... " >&6; } if test -n "$libnetfilter_conntrack_CFLAGS"; then pkg_cv_libnetfilter_conntrack_CFLAGS="$libnetfilter_conntrack_CFLAGS" @@ -13196,7 +13205,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then 
@@ -13214,7 +13223,7 @@ nfconntrack=0 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } nfconntrack=0 else @@ -13265,6 +13274,12 @@ fi; pkgdatadir='${datadir}/xtables'; +if test "x$enable_profiling" = "xyes"; then + regular_CFLAGS+=" -fprofile-arcs -ftest-coverage" + regular_LDFLAGS+=" -lgcov --coverage" +fi + + @@ -13880,7 +13895,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iptables $as_me 1.8.7, which was +This file was extended by iptables $as_me 1.8.9, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13946,7 +13961,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/\\""\`\$/\\\\&/g'`" ac_cs_version="\\ -iptables config.status 1.8.7 +iptables config.status 1.8.9 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -14075,9 +14090,9 @@ sed_quote_subst='$sed_quote_subst' double_quote_subst='$double_quote_subst' delay_variable_subst='$delay_variable_subst' -enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`' macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`' macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`' +enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`' enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`' pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`' 
@@ -15061,7 +15076,9 @@ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE=\"gmake\" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking). See \`config.log' for more details" "$LINENO" 5; } @@ -15124,13 +15141,13 @@ # ### BEGIN LIBTOOL CONFIG -# Whether or not to build static libraries. -build_old_libs=$enable_static - # Which release of libtool.m4 was used? macro_version=$macro_version macro_revision=$macro_revision +# Whether or not to build static libraries. +build_old_libs=$enable_static + # Whether or not to build shared libraries. build_libtool_libs=$enable_shared @@ -15691,6 +15708,7 @@ nfsynproxy util support: ${enable_nfsynproxy} nftables support: ${enable_nftables} connlabel support: ${enable_connlabel} + profiling support: ${enable_profiling} Build parameters: Put plugins into executable (static): ${enable_static}
_service:tar_scm:iptables-1.8.7.tar.bz2/configure.ac -> _service:tar_scm:iptables-1.8.9.tar.xz/configure.ac
Changed
@@ -1,9 +1,9 @@ -AC_INIT(iptables, 1.8.7) +AC_INIT(iptables, 1.8.9) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=16 -libxtables_vage=4 +libxtables_vcurrent=19 +libxtables_vage=7 AC_CONFIG_AUX_DIR(build-aux) AC_CONFIG_HEADERS(config.h) @@ -12,9 +12,8 @@ AM_INIT_AUTOMAKE(-Wall) AC_PROG_CC AM_PROG_CC_C_O -AC_DISABLE_STATIC m4_ifdef(AM_PROG_AR, AM_PROG_AR) -AM_PROG_LIBTOOL +LT_INIT(disable-static) AC_ARG_WITH(kernel, AS_HELP_STRING(--with-kernel=PATH, @@ -72,6 +71,9 @@ Path to the xtables lock /run/xtables.lock), xt_lock_name="$withval", xt_lock_name="/run/xtables.lock") +AC_ARG_ENABLE(profiling, + AS_HELP_STRING(--enable-profiling, build for use of gcov/gprof), + enable_profiling="$enableval", enable_profiling="no") AC_MSG_CHECKING(whether $LD knows -Wl,--no-undefined) saved_LDFLAGS="$LDFLAGS"; @@ -189,6 +191,11 @@ fi; pkgdatadir='${datadir}/xtables'; +if test "x$enable_profiling" = "xyes"; then + regular_CFLAGS+=" -fprofile-arcs -ftest-coverage" + regular_LDFLAGS+=" -lgcov --coverage" +fi + define(EXPAND_VARIABLE, $2=$$1 if test $prefix = 'NONE'; then @@ -206,6 +213,7 @@ AC_SUBST(regular_CFLAGS) AC_SUBST(regular_CPPFLAGS) AC_SUBST(noundef_LDFLAGS) +AC_SUBST(regular_LDFLAGS) AC_SUBST(kinclude_CPPFLAGS) AC_SUBST(kbuilddir) AC_SUBST(ksourcedir) @@ -251,6 +259,7 @@ nfsynproxy util support: ${enable_nfsynproxy} nftables support: ${enable_nftables} connlabel support: ${enable_connlabel} + profiling support: ${enable_profiling} Build parameters: Put plugins into executable (static): ${enable_static}
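Review bot: The new `--enable-profiling` block appends with `regular_CFLAGS+=" -fprofile-arcs -ftest-coverage"` and `regular_LDFLAGS+=" -lgcov --coverage"`, but `+=` string append is a bash extension, not POSIX sh, and the generated script runs under `#! /bin/sh`; on a system where that is a POSIX-only shell the word is most likely taken as a command name that does not exist, so the flags are dropped (configure has no `set -e`, so the run would otherwise continue). Use the portable form `regular_CFLAGS="$regular_CFLAGS -fprofile-arcs -ftest-coverage"` and `regular_LDFLAGS="$regular_LDFLAGS -lgcov --coverage"`. The same two lines appear verbatim in the generated configure in this revision and will pick up the fix on regeneration.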
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/GNUmakefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/GNUmakefile.in
Changed
@@ -24,7 +24,7 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@ @libnftnl_CFLAGS@ AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@ -AM_LDFLAGS = @noundef_LDFLAGS@ +AM_LDFLAGS = @noundef_LDFLAGS@ @regular_LDFLAGS@ ifeq (${V},) AM_LIBTOOL_SILENT = --silent @@ -42,7 +42,7 @@ pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) @ENABLE_NFTABLES_TRUE@ pfb_build_mod := $(patsubst ${srcdir}/libebt_%.c,%,$(sort $(wildcard ${srcdir}/libebt_*.c))) @ENABLE_NFTABLES_TRUE@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/libarpt_*.c))) -pfx_symlinks := NOTRACK state +pfx_symlinks := NOTRACK state REDIRECT MASQUERADE SNAT DNAT @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) pfx_build_mod := $(filter-out @blacklist_modules@ @blacklist_x_modules@,${pfx_build_mod}) @@ -79,7 +79,7 @@ .SECONDARY: -.PHONY: all install uninstall clean distclean FORCE +.PHONY: all install uninstall clean distclean FORCE dvi check installcheck all: ${targets} @@ -106,7 +106,8 @@ } clean: - rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c initexta.c; + rm -f *.o *.oo *.so *.a matches.man targets.man + rm -f initext.c initext4.c initext6.c initextb.c initexta.c rm -f .*.d .*.dd; distclean: clean @@ -130,6 +131,14 @@ ln -fs $< $@ libxt_state.so: libxt_conntrack.so ln -fs $< $@ +libxt_REDIRECT.so: libxt_NAT.so + ln -fs $< $@ +libxt_MASQUERADE.so: libxt_NAT.so + ln -fs $< $@ +libxt_SNAT.so: libxt_NAT.so + ln -fs $< $@ +libxt_DNAT.so: libxt_NAT.so + ln -fs $< $@ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD xt_RATEEST_LIBADD = -lm 
@@ -167,111 +176,33 @@ initext4_func := $(addprefix ipt_,${pf4_build_mod}) initext6_func := $(addprefix ip6t_,${pf6_build_mod}) -.initext.dd: FORCE - @echo "${initext_func}" >$@.tmp; \ - cmp -s $@ $@.tmp || mv $@.tmp $@; \ - rm -f $@.tmp; - -.initextb.dd: FORCE - @echo "${initextb_func}" >$@.tmp; \ - cmp -s $@ $@.tmp || mv $@.tmp $@; \ - rm -f $@.tmp; - -.initexta.dd: FORCE - @echo "${initexta_func}" >$@.tmp; \ - cmp -s $@ $@.tmp || mv $@.tmp $@; \ - rm -f $@.tmp; - -.initext4.dd: FORCE - @echo "${initext4_func}" >$@.tmp; \ - cmp -s $@ $@.tmp || mv $@.tmp $@; \ - rm -f $@.tmp; +initexts := ext exta extb ext4 ext6 +initext_depfiles = $(patsubst %,.init%.dd,${initexts}) +initext_sources = $(patsubst %,init%.c,${initexts}) -.initext6.dd: FORCE - @echo "${initext6_func}" >$@.tmp; \ +${initext_depfiles}: FORCE + @echo "$(value $(patsubst .%.dd,%,$@)_func)" >$@.tmp; \ cmp -s $@ $@.tmp || mv $@.tmp $@; \ rm -f $@.tmp; -initext.c: .initext.dd +${initext_sources}: %.c: .%.dd ${AM_VERBOSE_GEN} @( \ + initext_func="$(value $(basename $@)_func)"; \ + funcname="init_extensions$(patsubst initext%.c,%,$@)"; \ echo "" >$@; \ - for i in ${initext_func}; do \ + for i in $${initext_func}; do \ echo "extern void lib$${i}_init(void);" >>$@; \ done; \ - echo "void init_extensions(void);" >>$@; \ - echo "void init_extensions(void)" >>$@; \ + echo "void $${funcname}(void);" >>$@; \ + echo "void $${funcname}(void)" >>$@; \ echo "{" >>$@; \ - for i in ${initext_func}; do \ + for i in $${initext_func}; do \ echo " ""lib$${i}_init();" >>$@; \ done; \ echo "}" >>$@; \ ); -initextb.c: .initextb.dd - ${AM_VERBOSE_GEN} - @( \ - echo "" >$@; \ - for i in ${initextb_func}; do \ - echo "extern void lib$${i}_init(void);" >>$@; \ - done; \ - echo "void init_extensionsb(void);" >>$@; \ - echo "void init_extensionsb(void)" >>$@; \ - echo "{" >>$@; \ - for i in ${initextb_func}; do \ - echo " ""lib$${i}_init();" >>$@; \ - done; \ - echo "}" >>$@; \ - ); - -initexta.c: .initexta.dd - ${AM_VERBOSE_GEN} - 
@( \ - echo "" >$@; \ - for i in ${initexta_func}; do \ - echo "extern void lib$${i}_init(void);" >>$@; \ - done; \ - echo "void init_extensionsa(void);" >>$@; \ - echo "void init_extensionsa(void)" >>$@; \ - echo "{" >>$@; \ - for i in ${initexta_func}; do \ - echo " ""lib$${i}_init();" >>$@; \ - done; \ - echo "}" >>$@; \ - ); - -initext4.c: .initext4.dd - ${AM_VERBOSE_GEN} - @( \ - echo "" >$@; \ - for i in ${initext4_func}; do \ - echo "extern void lib$${i}_init(void);" >>$@; \ - done; \ - echo "void init_extensions4(void);" >>$@; \ - echo "void init_extensions4(void)" >>$@; \ - echo "{" >>$@; \ - for i in ${initext4_func}; do \ - echo " ""lib$${i}_init();" >>$@; \ - done; \ - echo "}" >>$@; \ - ); - -initext6.c: .initext6.dd - ${AM_VERBOSE_GEN} - @( \ - echo "" >$@; \ - for i in ${initext6_func}; do \ - echo "extern void lib$${i}_init(void);" >>$@; \ - done; \ - echo "void init_extensions6(void);" >>$@; \ - echo "void init_extensions6(void)" >>$@; \ - echo "{" >>$@; \ - for i in ${initext6_func}; do \ - echo " ""lib$${i}_init();" >>$@; \ - done; \ - echo "}" >>$@; \ - ); - # # Manual pages # 
@@ -300,8 +231,21 @@ fi; \ done >$@; -matches.man: .initext.dd .initextb.dd .initexta.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) +matches.man: ${initext_depfiles} $(wildcard ${srcdir}/lib*.man) $(call man_run,$(call ex_matches,${pfx_build_mod} ${pfb_build_mod} ${pfa_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) -targets.man: .initext.dd .initextb.dd .initexta.dd .initext4.dd .initext6.dd $(wildcard ${srcdir}/lib*.man) +targets.man: ${initext_depfiles} $(wildcard ${srcdir}/lib*.man) $(call man_run,$(call ex_targets,${pfx_build_mod} ${pfb_build_mod} ${pfa_build_mod} ${pf4_build_mod} ${pf6_build_mod} ${pfx_symlinks})) + +dist_initext_src = $(addprefix $(srcdir)/,${initext_sources}) +dist_sources = $(filter-out ${dist_initext_src},$(wildcard $(srcdir)/*.ch)) + +distdir: + mkdir -p $(distdir) + cp -p ${dist_sources} $(distdir)/ + cp -p $(wildcard ${srcdir}/lib*.man) $(distdir)/ + cp -p $(wildcard ${srcdir}/*.t ${srcdir}/*.txlate) $(distdir)/ + +dvi: +check: all +installcheck:
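Review bot: The new `check: all` rule, together with the empty `dvi:` and `installcheck:` rules, turns `make check` in extensions/ into a plain build; the `.t`/`.txlate` fixtures that the new `distdir` rule now ships are not executed by it. That is presumably deliberate (they read like stubs so automake's recursive targets, e.g. distcheck, do not fail in a directory driven by a hand-written GNUmakefile), but nothing in the file says so, and a green `make check` here can be mistaken for test coverage. A one-line comment above the three rules would settle it: `# Stubs for automake's recursive dvi/check/installcheck targets (distcheck); the .t/.txlate fixtures are not run here.`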
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/dscp_helper.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/dscp_helper.c
Changed
@@ -58,7 +58,7 @@ } xtables_error(PARAMETER_PROBLEM, - "Invalid DSCP value `%s'\n", name); + "Invalid DSCP value `%s'", name); } @@ -73,7 +73,7 @@ return ds_classesi.name; xtables_error(PARAMETER_PROBLEM, - "Invalid DSCP value `%d'\n", dscp); + "Invalid DSCP value `%d'", dscp); } #endif
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/generic.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/generic.txlate
Changed
@@ -1,36 +1,90 @@ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT -nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept +nft 'insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept' iptables-translate -F -t nat nft flush table ip nat iptables-translate -I INPUT -i iifname -s 10.0.0.0/8 -nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter +nft 'insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter' iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8 -nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter +nft 'add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter' + +iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0 +nft 'insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter' + +iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0 +nft 'insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter' + +iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255 +nft 'insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter' + +iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255 +nft 'insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter' + +iptables-translate -I INPUT -s 0.0.0.0/16 +nft 'insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter' + +iptables-translate -I INPUT -s 0.0.0.0/0 +nft 'insert rule ip filter INPUT counter' + +iptables-translate -I INPUT ! -s 0.0.0.0/0 +nft 'insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter' + +ip6tables-translate -I INPUT -i iifname -s feed::/16 +nft 'insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter' + +ip6tables-translate -A INPUT -i iif+ ! 
-d feed::/16 +nft 'add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter' + +ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00:: +nft 'insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter' + +ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0 +nft 'insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter' + +ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff +nft 'insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter' + +ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff +nft 'insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter' + +ip6tables-translate -I INPUT -s ::/16 +nft 'insert rule ip6 filter INPUT ip6 saddr ::/16 counter' + +ip6tables-translate -I INPUT -s ::/0 +nft 'insert rule ip6 filter INPUT counter' + +ip6tables-translate -I INPUT ! -s ::/0 +nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter' ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0 -nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter +nft 'insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter' ebtables-translate -A FORWARD ! 
-i iname --logical-in ilogname -o out+ --logical-out lout+ -d 1:2:3:4:de:af -nft add rule bridge filter FORWARD iifname != "iname" meta ibrname "ilogname" oifname "out*" meta obrname "lout*" ether daddr 01:02:03:04:de:af counter +nft 'add rule bridge filter FORWARD iifname != "iname" meta ibrname "ilogname" oifname "out*" meta obrname "lout*" ether daddr 01:02:03:04:de:af counter' ebtables-translate -I INPUT -p ip -d 1:2:3:4:5:6/ff:ff:ff:ff:00:00 -nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:00 and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter +nft 'insert rule bridge filter INPUT ether type 0x800 ether daddr and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter' + +ebtables-translate -I INPUT -p Length +nft 'insert rule bridge filter INPUT ether type < 0x0600 counter' + +ebtables-translate -I INPUT -p ! Length +nft 'insert rule bridge filter INPUT ether type >= 0x0600 counter' # asterisk is not special in iptables and it is even a valid interface name -iptables-translate -A FORWARD -i '*' -o 'eth*foo' -nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter +iptables-translate -A FORWARD -i * -o eth*foo +nft 'add rule ip filter FORWARD iifname "\*" oifname "eth*foo" counter' -# escape all asterisks but translate only the first plus character -iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++' -nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter +# escape only suffix asterisk and translate only the last plus character +iptables-translate -A FORWARD -i eth*foo*+ -o eth++ +nft 'add rule ip filter FORWARD iifname "eth*foo**" oifname "eth+*" counter' # skip for always matching interface names -iptables-translate -A FORWARD -i '+' -nft add rule ip filter FORWARD counter +iptables-translate -A FORWARD -i + +nft 'add rule ip filter FORWARD counter' # match against invalid interface name to simulate never matching rule -iptables-translate -A FORWARD ! 
-i '+' -nft add rule ip filter FORWARD iifname "INVAL/D" counter +iptables-translate -A FORWARD ! -i + +nft 'add rule ip filter FORWARD iifname "INVAL/D" counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libarpt_mangle.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libarpt_mangle.c
Changed
@@ -13,7 +13,6 @@ #include <xtables.h> #include <linux/netfilter_arp/arpt_mangle.h> #include "iptables/nft.h" -#include "iptables/nft-arp.h" static void arpmangle_print_help(void) {
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_802_3.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_802_3.t
Changed
@@ -1,3 +1,5 @@ :INPUT,FORWARD,OUTPUT ---802_3-sap ! 0x0a -j CONTINUE;=;OK ---802_3-type 0x000a -j RETURN;=;OK +--802_3-sap ! 0x0a -j CONTINUE;=;FAIL +--802_3-type 0x000a -j RETURN;=;FAIL +-p Length --802_3-sap ! 0x0a -j CONTINUE;=;OK +-p Length --802_3-type 0x000a -j RETURN;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_among.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_among.c
Changed
@@ -66,14 +66,14 @@ if (sep) { *sep = '\0'; - if (!inet_aton(sep + 1, &pair->in)) + if (!inet_pton(AF_INET, sep + 1, &pair->in)) xtables_error(PARAMETER_PROBLEM, - "Invalid IP address '%s'\n", sep + 1); + "Invalid IP address '%s'", sep + 1); } ether = ether_aton(buf); if (!ether) xtables_error(PARAMETER_PROBLEM, - "Invalid MAC address '%s'\n", buf); + "Invalid MAC address '%s'", buf); memcpy(&pair->ether, ether, sizeof(*ether)); } @@ -119,7 +119,6 @@ struct xt_entry_match **match) { struct nft_among_data *data = (struct nft_among_data *)(*match)->data; - struct xt_entry_match *new_match; bool have_ip, dst = false; size_t new_size, cnt; struct stat stats; @@ -152,10 +151,9 @@ xtables_error(PARAMETER_PROBLEM, "File should only contain one line"); optargflen-1 = '\0'; - /* fall through */ + break; case AMONG_DST: - if (c == AMONG_DST) - dst = true; + dst = true; /* fall through */ case AMONG_SRC: break; @@ -171,18 +169,17 @@ new_size *= sizeof(struct nft_among_pair); new_size += XT_ALIGN(sizeof(struct xt_entry_match)) + sizeof(struct nft_among_data); - new_match = xtables_calloc(1, new_size); - memcpy(new_match, *match, (*match)->u.match_size); - new_match->u.match_size = new_size; - data = (struct nft_among_data *)new_match->data; + if (new_size > (*match)->u.match_size) { + *match = xtables_realloc(*match, new_size); + (*match)->u.match_size = new_size; + data = (struct nft_among_data *)(*match)->data; + } + have_ip = nft_among_pairs_have_ip(optarg); poff = nft_among_prepare_data(data, dst, cnt, invert, have_ip); parse_nft_among_pairs(data->pairs + poff, optarg, cnt, have_ip); - free(*match); - *match = new_match; - if (c == AMONG_DST_F || c == AMONG_SRC_F) { munmap(argv, flen); close(fd); @@ -194,6 +191,7 @@ int cnt, bool inv, bool have_ip) { const char *isep = inv ? "! " : ""; + char abufINET_ADDRSTRLEN; int i; for (i = 0; i < cnt; i++) { 
@@ -202,7 +200,8 @@ printf("%s", ether_ntoa(&pairsi.ether)); if (pairsi.in.s_addr != INADDR_ANY) - printf("=%s", inet_ntoa(pairsi.in)); + printf("=%s", inet_ntop(AF_INET, &pairsi.in, + abuf, sizeof(abuf))); } printf(" "); }
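Review bot: The switch from xtables_calloc()+memcpy() to xtables_realloc() in the `new_size > (*match)->u.match_size` branch drops the zero-fill the old allocation gave the grown tail, so the bytes between the old and new match_size are indeterminate until nft_among_prepare_data()/parse_nft_among_pairs() write them. Whether those two fill every byte of the new pairs, including any struct padding, is not visible in this hunk; if they do not, uninitialized bytes become part of the match data the rule is built from. A cheap guard is to clear the tail right after the realloc, before the size is updated: `memset((char *)*match + (*match)->u.match_size, 0, new_size - (*match)->u.match_size);`. The inet_aton()→inet_pton() change is a good tightening, since inet_pton() rejects the lenient short and octal forms inet_aton() accepted. The enclosing parse function starts and ends outside the hunk.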
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_arp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_arp.c
Changed
@@ -87,91 +87,17 @@ #define OPT_MAC_D 0x40 #define OPT_GRAT 0x80 -static int undot_ip(char *ip, unsigned char *ip2) -{ - char *p, *q, *end; - long int onebyte; - int i; - char buf20; - - strncpy(buf, ip, sizeof(buf) - 1); - - p = buf; - for (i = 0; i < 3; i++) { - if ((q = strchr(p, '.')) == NULL) - return -1; - *q = '\0'; - onebyte = strtol(p, &end, 10); - if (*end != '\0' || onebyte > 255 || onebyte < 0) - return -1; - ip2i = (unsigned char)onebyte; - p = q + 1; - } - - onebyte = strtol(p, &end, 10); - if (*end != '\0' || onebyte > 255 || onebyte < 0) - return -1; - ip23 = (unsigned char)onebyte; - - return 0; -} - -static int ip_mask(char *mask, unsigned char *mask2) -{ - char *end; - long int bits; - uint32_t mask22; - - if (undot_ip(mask, mask2)) { - /* not the /a.b.c.e format, maybe the /x format */ - bits = strtol(mask, &end, 10); - if (*end != '\0' || bits > 32 || bits < 0) - return -1; - if (bits != 0) { - mask22 = htonl(0xFFFFFFFF << (32 - bits)); - memcpy(mask2, &mask22, 4); - } else { - mask22 = 0xFFFFFFFF; - memcpy(mask2, &mask22, 4); - } - } - return 0; -} - -static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk) -{ - char *p; - - /* first the mask */ - if ((p = strrchr(address, '/')) != NULL) { - *p = '\0'; - if (ip_mask(p + 1, (unsigned char *)msk)) { - xtables_error(PARAMETER_PROBLEM, - "Problem with the IP mask '%s'", p + 1); - return; - } - } else - *msk = 0xFFFFFFFF; - - if (undot_ip(address, (unsigned char *)addr)) { - xtables_error(PARAMETER_PROBLEM, - "Problem with the IP address '%s'", address); - return; - } - *addr = *addr & *msk; -} - static int brarp_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { struct ebt_arp_info *arpinfo = (struct ebt_arp_info *)(*match)->data; + struct in_addr *ipaddr, ipmask; long int i; char *end; - uint32_t *addr; - uint32_t *mask; unsigned char *maddr; unsigned char *mmask; + unsigned int ipnr; switch (c) { case ARP_OPCODE: 
@@ -231,24 +157,25 @@ case ARP_IP_S: case ARP_IP_D: + xtables_ipparse_any(optarg, &ipaddr, &ipmask, &ipnr); if (c == ARP_IP_S) { EBT_CHECK_OPTION(flags, OPT_IP_S); - addr = &arpinfo->saddr; - mask = &arpinfo->smsk; + arpinfo->saddr = ipaddr->s_addr; + arpinfo->smsk = ipmask.s_addr; arpinfo->bitmask |= EBT_ARP_SRC_IP; } else { EBT_CHECK_OPTION(flags, OPT_IP_D); - addr = &arpinfo->daddr; - mask = &arpinfo->dmsk; + arpinfo->daddr = ipaddr->s_addr; + arpinfo->dmsk = ipmask.s_addr; arpinfo->bitmask |= EBT_ARP_DST_IP; } + free(ipaddr); if (invert) { if (c == ARP_IP_S) arpinfo->invflags |= EBT_ARP_SRC_IP; else arpinfo->invflags |= EBT_ARP_DST_IP; } - ebt_parse_ip_address(optarg, addr, mask); break; case ARP_MAC_S: case ARP_MAC_D:
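Review bot: `ipnr`, the address count that xtables_ipparse_any() returns in the new ARP_IP_S/ARP_IP_D branch, is stored but never checked, so an argument that resolves to several addresses is silently reduced to ipaddr[0]. The same gap is in the IP_SOURCE/IP_DEST cases of the libebt_ip.c hunk in this revision, whereas the new ebt_parse_ip6_address() wrapper in libebt_ip6.c rejects `naddrs != 1` with an error; mirroring that keeps the three parsers consistent: `if (ipnr != 1) xtables_error(PARAMETER_PROBLEM, "Invalid IP address '%s' specified", optarg);` placed right after the xtables_ipparse_any() call, before the assignments. The old code also masked the address with the mask explicitly (`*addr = *addr & *msk`); the new code relies on xtables_ipparse_any() doing so, which the new libebt_arp.t expectations suggest it does, but a short comment on the assignment would make that dependency visible. brarp_parse continues outside the hunk.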
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_arp.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_arp.t
Changed
@@ -6,6 +6,9 @@ -p ARP ! --arp-ip-dst 1.2.3.4;-p ARP --arp-ip-dst ! 1.2.3.4 -j CONTINUE;OK -p ARP --arp-ip-src ! 0.0.0.0;=;OK -p ARP --arp-ip-dst ! 0.0.0.0/8;=;OK +-p ARP --arp-ip-src ! 1.2.3.4/32;-p ARP --arp-ip-src ! 1.2.3.4;OK +-p ARP --arp-ip-src ! 1.2.3.4/255.255.255.0;-p ARP --arp-ip-src ! 1.2.3.0/24;OK +-p ARP --arp-ip-src ! 1.2.3.4/255.0.255.255;-p ARP --arp-ip-src ! 1.0.3.4/255.0.255.255;OK -p ARP --arp-mac-src 00:de:ad:be:ef:00;=;OK -p ARP --arp-mac-dst de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK -p ARP --arp-gratuitous;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_dnat.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_dnat.txlate
Changed
@@ -1,8 +1,8 @@ ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff -nft add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter +nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter' ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT -nft add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter +nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter' ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE -nft add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter +nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_ip.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_ip.c
Changed
@@ -20,40 +20,10 @@ #include <netdb.h> #include <inttypes.h> #include <xtables.h> +#include <linux/netfilter_bridge/ebt_ip.h> #include "libxt_icmp.h" -#define EBT_IP_SOURCE 0x01 -#define EBT_IP_DEST 0x02 -#define EBT_IP_TOS 0x04 -#define EBT_IP_PROTO 0x08 -#define EBT_IP_SPORT 0x10 -#define EBT_IP_DPORT 0x20 -#define EBT_IP_ICMP 0x40 -#define EBT_IP_IGMP 0x80 -#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ - EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP | EBT_IP_IGMP) - -struct ebt_ip_info { - __be32 saddr; - __be32 daddr; - __be32 smsk; - __be32 dmsk; - __u8 tos; - __u8 protocol; - __u8 bitmask; - __u8 invflags; - union { - __u16 sport2; - __u8 icmp_type2; - __u8 igmp_type2; - }; - union { - __u16 dport2; - __u8 icmp_code2; - }; -}; - #define IP_SOURCE '1' #define IP_DEST '2' #define IP_EBT_TOS '3' /* include/bits/in.h seems to already define IP_TOS */ 
@@ -80,68 +50,6 @@ XT_GETOPT_TABLEEND, }; -static const struct xt_icmp_names icmp_codes = { - { "echo-reply", 0, 0, 0xFF }, - /* Alias */ { "pong", 0, 0, 0xFF }, - - { "destination-unreachable", 3, 0, 0xFF }, - { "network-unreachable", 3, 0, 0 }, - { "host-unreachable", 3, 1, 1 }, - { "protocol-unreachable", 3, 2, 2 }, - { "port-unreachable", 3, 3, 3 }, - { "fragmentation-needed", 3, 4, 4 }, - { "source-route-failed", 3, 5, 5 }, - { "network-unknown", 3, 6, 6 }, - { "host-unknown", 3, 7, 7 }, - { "network-prohibited", 3, 9, 9 }, - { "host-prohibited", 3, 10, 10 }, - { "TOS-network-unreachable", 3, 11, 11 }, - { "TOS-host-unreachable", 3, 12, 12 }, - { "communication-prohibited", 3, 13, 13 }, - { "host-precedence-violation", 3, 14, 14 }, - { "precedence-cutoff", 3, 15, 15 }, - - { "source-quench", 4, 0, 0xFF }, - - { "redirect", 5, 0, 0xFF }, - { "network-redirect", 5, 0, 0 }, - { "host-redirect", 5, 1, 1 }, - { "TOS-network-redirect", 5, 2, 2 }, - { "TOS-host-redirect", 5, 3, 3 }, - - { "echo-request", 8, 0, 0xFF }, - /* Alias */ { "ping", 8, 0, 0xFF }, - - { "router-advertisement", 9, 0, 0xFF }, - - { "router-solicitation", 10, 0, 0xFF }, - - { "time-exceeded", 11, 0, 0xFF }, - /* Alias */ { "ttl-exceeded", 11, 0, 0xFF }, - { "ttl-zero-during-transit", 11, 0, 0 }, - { "ttl-zero-during-reassembly", 11, 1, 1 }, - - { "parameter-problem", 12, 0, 0xFF }, - { "ip-header-bad", 12, 0, 0 }, - { "required-option-missing", 12, 1, 1 }, - - { "timestamp-request", 13, 0, 0xFF }, - - { "timestamp-reply", 14, 0, 0xFF }, - - { "address-mask-request", 17, 0, 0xFF }, - - { "address-mask-reply", 18, 0, 0xFF } -}; - -static const struct xt_icmp_names igmp_types = { - { "membership-query", 0x11 }, - { "membership-report-v1", 0x12 }, - { "membership-report-v2", 0x16 }, - { "leave-group", 0x17 }, - { "membership-report-v3", 0x22 }, -}; - static void brip_print_help(void) { printf( 
@@ -175,7 +83,8 @@ char *buffer; char *cp; - buffer = strdup(portstring); + buffer = xtables_strdup(portstring); + if ((cp = strchr(buffer, ':')) == NULL) ports0 = ports1 = xtables_parse_port(buffer, NULL); else { 
@@ -193,156 +102,6 @@ } /* original code from ebtables: useful_functions.c */ -static int undot_ip(char *ip, unsigned char *ip2) -{ - char *p, *q, *end; - long int onebyte; - int i; - char buf20; - - strncpy(buf, ip, sizeof(buf) - 1); - - p = buf; - for (i = 0; i < 3; i++) { - if ((q = strchr(p, '.')) == NULL) - return -1; - *q = '\0'; - onebyte = strtol(p, &end, 10); - if (*end != '\0' || onebyte > 255 || onebyte < 0) - return -1; - ip2i = (unsigned char)onebyte; - p = q + 1; - } - - onebyte = strtol(p, &end, 10); - if (*end != '\0' || onebyte > 255 || onebyte < 0) - return -1; - ip23 = (unsigned char)onebyte; - - return 0; -} - -static int ip_mask(char *mask, unsigned char *mask2) -{ - char *end; - long int bits; - uint32_t mask22; - - if (undot_ip(mask, mask2)) { - /* not the /a.b.c.e format, maybe the /x format */ - bits = strtol(mask, &end, 10); - if (*end != '\0' || bits > 32 || bits < 0) - return -1; - if (bits != 0) { - mask22 = htonl(0xFFFFFFFF << (32 - bits)); - memcpy(mask2, &mask22, 4); - } else { - mask22 = 0xFFFFFFFF; - memcpy(mask2, &mask22, 4); - } - } - return 0; -} - -static void ebt_parse_ip_address(char *address, uint32_t *addr, uint32_t *msk) -{ - char *p; - - /* first the mask */ - if ((p = strrchr(address, '/')) != NULL) { - *p = '\0'; - if (ip_mask(p + 1, (unsigned char *)msk)) { - xtables_error(PARAMETER_PROBLEM, - "Problem with the IP mask '%s'", p + 1); - return; - } - } else - *msk = 0xFFFFFFFF; - - if (undot_ip(address, (unsigned char *)addr)) { - xtables_error(PARAMETER_PROBLEM, - "Problem with the IP address '%s'", address); - return; - } - *addr = *addr & *msk; -} - -static char *parse_range(const char *str, unsigned int res) -{ - char *next; - - if (!xtables_strtoui(str, &next, &res0, 0, 255)) - return NULL; - - res1 = res0; - if (*next == ':') { - str = next + 1; - if (!xtables_strtoui(str, &next, &res1, 0, 255)) - return NULL; - } - - return next; -} - -static int ebt_parse_icmp(const struct xt_icmp_names *codes, size_t n_codes, - 
const char *icmptype, uint8_t type, uint8_t code) -{ - unsigned int match = n_codes; - unsigned int i, number2; - - for (i = 0; i < n_codes; i++) { - if (strncasecmp(codesi.name, icmptype, strlen(icmptype))) - continue; - if (match != n_codes) - xtables_error(PARAMETER_PROBLEM, "Ambiguous ICMP type `%s':" - " `%s' or `%s'?", - icmptype, codesmatch.name, - codesi.name); - match = i; - } - - if (match < n_codes) { - type0 = type1 = codesmatch.type; - if (code) { - code0 = codesmatch.code_min; - code1 = codesmatch.code_max; - } - } else { - char *next = parse_range(icmptype, number); - if (!next) { - xtables_error(PARAMETER_PROBLEM, "Unknown ICMP type `%s'", - icmptype); - return -1; - } - - type0 = (uint8_t) number0; - type1 = (uint8_t) number1; - switch (*next) { - case 0: - if (code) { - code0 = 0; - code1 = 255; - } - return 0; - case '/': - if (code) { - next = parse_range(next+1, number); - code0 = (uint8_t) number0; - code1 = (uint8_t) number1; - if (next == NULL) - return -1; - if (next && *next == 0) - return 0; - } - /* fallthrough */ - default: - xtables_error(PARAMETER_PROBLEM, "unknown character %c", *next); - return -1; - } - } - return 0; -} - static void print_icmp_code(uint8_t *code) { if (!code) 
@@ -384,18 +143,26 @@ const void *entry, struct xt_entry_match **match) { struct ebt_ip_info *info = (struct ebt_ip_info *)(*match)->data; + struct in_addr *ipaddr, ipmask; + unsigned int ipnr; switch (c) { case IP_SOURCE: if (invert) info->invflags |= EBT_IP_SOURCE; - ebt_parse_ip_address(optarg, &info->saddr, &info->smsk); + xtables_ipparse_any(optarg, &ipaddr, &ipmask, &ipnr); + info->saddr = ipaddr->s_addr; + info->smsk = ipmask.s_addr; + free(ipaddr); info->bitmask |= EBT_IP_SOURCE; break; case IP_DEST: if (invert) info->invflags |= EBT_IP_DEST; - ebt_parse_ip_address(optarg, &info->daddr, &info->dmsk); + xtables_ipparse_any(optarg, &ipaddr, &ipmask, &ipnr); + info->daddr = ipaddr->s_addr; + info->dmsk = ipmask.s_addr; + free(ipaddr); info->bitmask |= EBT_IP_DEST; break; case IP_SPORT: @@ -413,15 +180,13 @@ case IP_EBT_ICMP: if (invert) info->invflags |= EBT_IP_ICMP; - ebt_parse_icmp(icmp_codes, ARRAY_SIZE(icmp_codes), optarg, - info->icmp_type, info->icmp_code); + ebt_parse_icmp(optarg, info->icmp_type, info->icmp_code); info->bitmask |= EBT_IP_ICMP; break; case IP_EBT_IGMP: if (invert) info->invflags |= EBT_IP_IGMP; - ebt_parse_icmp(igmp_types, ARRAY_SIZE(igmp_types), optarg, - info->igmp_type, NULL); + ebt_parse_igmp(optarg, info->igmp_type); info->bitmask |= EBT_IP_IGMP; break; case IP_EBT_TOS: {
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_ip.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_ip.txlate
Changed
@@ -1,26 +1,26 @@ ebtables-translate -A FORWARD -p ip --ip-src ! 192.168.0.0/24 -j ACCEPT -nft add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept +nft 'add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept' ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1 -nft insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter +nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter' ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff -nft insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter +nft 'insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter' ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22 -nft add rule bridge filter FORWARD tcp dport 22 counter +nft 'add rule bridge filter FORWARD tcp dport 22 counter' ebtables-translate -A FORWARD -p ip --ip-proto udp --ip-sport 1024:65535 -nft add rule bridge filter FORWARD udp sport 1024-65535 counter +nft 'add rule bridge filter FORWARD udp sport 1024-65535 counter' ebtables-translate -A FORWARD -p ip --ip-proto 253 -nft add rule bridge filter FORWARD ip protocol 253 counter +nft 'add rule bridge filter FORWARD ip protocol 253 counter' ebtables-translate -A FORWARD -p ip --ip-protocol icmp --ip-icmp-type "echo-request" -nft add rule bridge filter FORWARD icmp type 8 counter +nft 'add rule bridge filter FORWARD icmp type 8 counter' ebtables-translate -A FORWARD -p ip --ip-proto icmp --ip-icmp-type 1/1 -nft add rule bridge filter FORWARD icmp type 1 icmp code 1 counter +nft 'add rule bridge filter FORWARD icmp type 1 icmp code 1 counter' ebtables-translate -A FORWARD -p ip --ip-protocol icmp --ip-icmp-type ! 1:10 -nft add rule bridge filter FORWARD icmp type != 1-10 counter +nft 'add rule bridge filter FORWARD icmp type != 1-10 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_ip6.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_ip6.c
Changed
@@ -49,51 +49,13 @@ XT_GETOPT_TABLEEND, }; -static const struct xt_icmp_names icmpv6_codes = { - { "destination-unreachable", 1, 0, 0xFF }, - { "no-route", 1, 0, 0 }, - { "communication-prohibited", 1, 1, 1 }, - { "address-unreachable", 1, 3, 3 }, - { "port-unreachable", 1, 4, 4 }, - - { "packet-too-big", 2, 0, 0xFF }, - - { "time-exceeded", 3, 0, 0xFF }, - /* Alias */ { "ttl-exceeded", 3, 0, 0xFF }, - { "ttl-zero-during-transit", 3, 0, 0 }, - { "ttl-zero-during-reassembly", 3, 1, 1 }, - - { "parameter-problem", 4, 0, 0xFF }, - { "bad-header", 4, 0, 0 }, - { "unknown-header-type", 4, 1, 1 }, - { "unknown-option", 4, 2, 2 }, - - { "echo-request", 128, 0, 0xFF }, - /* Alias */ { "ping", 128, 0, 0xFF }, - - { "echo-reply", 129, 0, 0xFF }, - /* Alias */ { "pong", 129, 0, 0xFF }, - - { "router-solicitation", 133, 0, 0xFF }, - - { "router-advertisement", 134, 0, 0xFF }, - - { "neighbour-solicitation", 135, 0, 0xFF }, - /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF }, - - { "neighbour-advertisement", 136, 0, 0xFF }, - /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF }, - - { "redirect", 137, 0, 0xFF }, -}; - static void parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) { char *buffer; char *cp; - buffer = strdup(portstring); + buffer = xtables_strdup(portstring); if ((cp = strchr(buffer, ':')) == NULL) ports0 = ports1 = xtables_parse_port(buffer, NULL); else { 
@@ -110,76 +72,6 @@ free(buffer); } -static char *parse_range(const char *str, unsigned int res) -{ - char *next; - - if (!xtables_strtoui(str, &next, &res0, 0, 255)) - return NULL; - - res1 = res0; - if (*next == ':') { - str = next + 1; - if (!xtables_strtoui(str, &next, &res1, 0, 255)) - return NULL; - } - - return next; -} - -static int -parse_icmpv6(const char *icmpv6type, uint8_t type, uint8_t code) -{ - static const unsigned int limit = ARRAY_SIZE(icmpv6_codes); - unsigned int match = limit; - unsigned int i, number2; - - for (i = 0; i < limit; i++) { - if (strncasecmp(icmpv6_codesi.name, icmpv6type, strlen(icmpv6type))) - continue; - if (match != limit) - xtables_error(PARAMETER_PROBLEM, "Ambiguous ICMPv6 type `%s':" - " `%s' or `%s'?", - icmpv6type, icmpv6_codesmatch.name, - icmpv6_codesi.name); - match = i; - } - - if (match < limit) { - type0 = type1 = icmpv6_codesmatch.type; - code0 = icmpv6_codesmatch.code_min; - code1 = icmpv6_codesmatch.code_max; - } else { - char *next = parse_range(icmpv6type, number); - if (!next) { - xtables_error(PARAMETER_PROBLEM, "Unknown ICMPv6 type `%s'", - icmpv6type); - return -1; - } - type0 = (uint8_t) number0; - type1 = (uint8_t) number1; - switch (*next) { - case 0: - code0 = 0; - code1 = 255; - return 0; - case '/': - next = parse_range(next+1, number); - code0 = (uint8_t) number0; - code1 = (uint8_t) number1; - if (next == NULL) - return -1; - if (next && *next == 0) - return 0; - /* fallthrough */ - default: - xtables_error(PARAMETER_PROBLEM, "unknown character %c", *next); - return -1; - } - } - return 0; -} - static void print_port_range(uint16_t *ports) { if (ports0 == ports1) 
@@ -247,75 +139,19 @@ memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr)); } -static struct in6_addr *numeric_to_addr(const char *num) -{ - static struct in6_addr ap; - int err; - - if ((err=inet_pton(AF_INET6, num, &ap)) == 1) - return ≈ - return (struct in6_addr *)NULL; -} - -static struct in6_addr *parse_ip6_mask(char *mask) +/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */ +static void ebt_parse_ip6_address(char *address, + struct in6_addr *addr, struct in6_addr *msk) { - static struct in6_addr maskaddr; struct in6_addr *addrp; - unsigned int bits; - - if (mask == NULL) { - /* no mask at all defaults to 128 bits */ - memset(&maskaddr, 0xff, sizeof maskaddr); - return &maskaddr; - } - if ((addrp = numeric_to_addr(mask)) != NULL) - return addrp; - if (!xtables_strtoui(mask, NULL, &bits, 0, 128)) - xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask); - if (bits != 0) { - char *p = (char *)&maskaddr; - memset(p, 0xff, bits / 8); - memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); - pbits / 8 = 0xff << (8 - (bits & 7)); - return &maskaddr; - } - - memset(&maskaddr, 0, sizeof maskaddr); - return &maskaddr; -} + unsigned int naddrs; -/* Set the ipv6 mask and address. Callers should check ebt_errormsg0. - * The string pointed to by address can be altered. 
*/ -static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk) -{ - struct in6_addr *tmp_addr; - char buf256; - char *p; - int i; - int err; - - strncpy(buf, address, sizeof(buf) - 1); - /* first the mask */ - bufsizeof(buf) - 1 = '\0'; - if ((p = strrchr(buf, '/')) != NULL) { - *p = '\0'; - tmp_addr = parse_ip6_mask(p + 1); - } else - tmp_addr = parse_ip6_mask(NULL); - - *msk = *tmp_addr; - - /* if a null mask is given, the name is ignored, like in "any/0" */ - if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) - strcpy(buf, "::"); - - if ((err=inet_pton(AF_INET6, buf, addr)) < 1) { - xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf); - return; - } - - for (i = 0; i < 4; i++) - addr->s6_addr32i &= msk->s6_addr32i; + xtables_ip6parse_any(address, &addrp, msk, &naddrs); + if (naddrs != 1) + xtables_error(PARAMETER_PROBLEM, + "Invalid IPv6 Address '%s' specified", address); + memcpy(addr, addrp, sizeof(*addr)); + free(addrp); } #define OPT_SOURCE 0x01 @@ -360,8 +196,7 @@ case IP_ICMP6: if (invert) info->invflags |= EBT_IP6_ICMP6; - if (parse_icmpv6(optarg, info->icmpv6_type, info->icmpv6_code)) - return 0; + ebt_parse_icmpv6(optarg, info->icmpv6_type, info->icmpv6_code); info->bitmask |= EBT_IP6_ICMP6; break; case IP_TCLASS:
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_ip6.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_ip6.txlate
Changed
@@ -1,29 +1,29 @@ ebtables-translate -A FORWARD -p ip6 --ip6-src ! dead::beef/64 -j ACCEPT -nft add rule bridge filter FORWARD ip6 saddr != dead::/64 counter accept +nft 'add rule bridge filter FORWARD ip6 saddr != dead::/64 counter accept' ebtables-translate -A FORWARD -p ip6 ! --ip6-dst dead:beef::/64 -j ACCEPT -nft add rule bridge filter FORWARD ip6 daddr != dead:beef::/64 counter accept +nft 'add rule bridge filter FORWARD ip6 daddr != dead:beef::/64 counter accept' ebtables-translate -I FORWARD -p ip6 --ip6-dst f00:ba:: -nft insert rule bridge filter FORWARD ip6 daddr f00:ba:: counter +nft 'insert rule bridge filter FORWARD ip6 daddr f00:ba:: counter' ebtables-translate -I OUTPUT -o eth0 -p ip6 --ip6-tclass 0xff -nft insert rule bridge filter OUTPUT oifname "eth0" ip6 dscp 0x3f counter +nft 'insert rule bridge filter OUTPUT oifname "eth0" ip6 dscp 0x3f counter' ebtables-translate -A FORWARD -p ip6 --ip6-proto tcp --ip6-dport 22 -nft add rule bridge filter FORWARD ether type ip6 tcp dport 22 counter +nft 'add rule bridge filter FORWARD ether type ip6 tcp dport 22 counter' ebtables-translate -A FORWARD -p ip6 --ip6-proto udp --ip6-sport 1024:65535 -nft add rule bridge filter FORWARD ether type ip6 udp sport 1024-65535 counter +nft 'add rule bridge filter FORWARD ether type ip6 udp sport 1024-65535 counter' ebtables-translate -A FORWARD -p ip6 --ip6-proto 253 -nft add rule bridge filter FORWARD ether type ip6 meta l4proto 253 counter +nft 'add rule bridge filter FORWARD ether type ip6 meta l4proto 253 counter' ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type "echo-request" -nft add rule bridge filter FORWARD icmpv6 type 128 counter +nft 'add rule bridge filter FORWARD icmpv6 type 128 counter' ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1 -nft add rule bridge filter FORWARD icmpv6 type 1 icmpv6 code 1 counter +nft 'add rule bridge filter FORWARD icmpv6 type 1 icmpv6 code 1 counter' ebtables-translate -A 
FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type ! 1:10 -nft add rule bridge filter FORWARD icmpv6 type != 1-10 counter +nft 'add rule bridge filter FORWARD icmpv6 type != 1-10 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_limit.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_limit.txlate
Changed
@@ -1,8 +1,8 @@ ebtables-translate -A INPUT --limit 3/m --limit-burst 3 -nft add rule bridge filter INPUT limit rate 3/minute burst 3 packets counter +nft 'add rule bridge filter INPUT limit rate 3/minute burst 3 packets counter' ebtables-translate -A INPUT --limit 10/s --limit-burst 5 -nft add rule bridge filter INPUT limit rate 10/second burst 5 packets counter +nft 'add rule bridge filter INPUT limit rate 10/second burst 5 packets counter' ebtables-translate -A INPUT --limit 10/s --limit-burst 0 -nft add rule bridge filter INPUT limit rate 10/second counter +nft 'add rule bridge filter INPUT limit rate 10/second counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_log.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_log.c
Changed
@@ -161,9 +161,10 @@ { struct ebt_log_info *loginfo = (struct ebt_log_info *)target->data; - printf("--log-level %s --log-prefix \"%s\"", - eight_priorityloginfo->loglevel.c_name, - loginfo->prefix); + printf("--log-level %s", eight_priorityloginfo->loglevel.c_name); + + if (loginfo->prefix0) + printf(" --log-prefix \"%s\"", loginfo->prefix); if (loginfo->bitmask & EBT_LOG_IP) printf(" --log-ip"); @@ -180,16 +181,14 @@ const struct ebt_log_info *loginfo = (const void *)params->target->data; xt_xlate_add(xl, "log"); - if (loginfo->prefix0) { - if (params->escape_quotes) - xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix); - else - xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); - } + if (loginfo->prefix0) + xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); if (loginfo->loglevel != LOG_DEFAULT_LEVEL) xt_xlate_add(xl, " level %s", eight_priorityloginfo->loglevel.c_name); + /* ebt_log always decodes MAC header, nft_log always decodes upper header - + * so set flags ether and ignore EBT_LOG_IP, EBT_LOG_ARP and EBT_LOG_IP6 */ xt_xlate_add(xl, " flags ether "); return 1;
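Review bot: The xlate callback in the second hunk now formats loginfo->prefix straight into ` prefix \"%s\"`, and the removed escape_quotes branch was the only place that escaped the quotes; a user-supplied prefix containing a double quote would therefore produce a malformed or altered nft expression unless escaping now happens in xt_xlate_add() or in the caller (the single-quoted `nft '...'` expectations in the updated .txlate files suggest the output wrapper changed, but that is not visible here). If the caller does handle it, a one-line comment such as `/* prefix is emitted verbatim; quoting is the responsibility of the xlate output layer */` would document the dependency; otherwise the prefix should still be escaped before it is formatted in. The same simplification is made in libebt_nflog.c (its -130 hunk) and the same question applies there. Both enclosing functions start outside their hunks.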
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_log.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_log.t
Changed
@@ -1,6 +1,6 @@ :INPUT,FORWARD,OUTPUT ---log;=;OK +--log;--log-level notice;OK --log-level crit;=;OK ---log-level 1;--log-level alert --log-prefix "";OK ---log-level emerg --log-ip --log-arp --log-ip6;--log-level emerg --log-prefix "" --log-ip --log-arp --log-ip6 -j CONTINUE;OK +--log-level 1;--log-level alert;OK +--log-level emerg --log-ip --log-arp --log-ip6;=;OK --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo;--log-level crit --log-prefix "foo" --log-ip --log-arp --log-ip6 -j CONTINUE;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_log.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_log.txlate
Changed
@@ -1,15 +1,15 @@ ebtables-translate -A INPUT --log -nft add rule bridge filter INPUT log level notice flags ether counter +nft 'add rule bridge filter INPUT log level notice flags ether counter' ebtables-translate -A INPUT --log-level 1 -nft add rule bridge filter INPUT log level alert flags ether counter +nft 'add rule bridge filter INPUT log level alert flags ether counter' ebtables-translate -A INPUT --log-level crit -nft add rule bridge filter INPUT log level crit flags ether counter +nft 'add rule bridge filter INPUT log level crit flags ether counter' ebtables-translate -A INPUT --log-level emerg --log-ip --log-arp --log-ip6 -nft add rule bridge filter INPUT log level emerg flags ether counter +nft 'add rule bridge filter INPUT log level emerg flags ether counter' ebtables-translate -A INPUT --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo -nft add rule bridge filter INPUT log prefix "foo" level crit flags ether counter +nft 'add rule bridge filter INPUT log prefix "foo" level crit flags ether counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_mark.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_mark.c
Changed
@@ -201,7 +201,7 @@ return 0; } - tmp = info->target & EBT_VERDICT_BITS; + tmp = info->target | ~EBT_VERDICT_BITS; xt_xlate_add(xl, "0x%lx %s ", info->mark, brmark_verdict(tmp)); return 1; }
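Review bot: `tmp = info->target | ~EBT_VERDICT_BITS;` reads like an inverted mask at first glance, since the line it replaces used `& EBT_VERDICT_BITS`; the intent appears to be that ebtables verdicts are small negative values sharing the low bits of the target field with the mark operation, so OR-ing in the bits outside EBT_VERDICT_BITS restores the full verdict, whereas `&` produced a positive number that brmark_verdict() could not match. A comment on that line, e.g. `/* verdicts are negative: restore the bits above EBT_VERDICT_BITS that the mark op occupies */`, would keep the next reader from "fixing" it back. The new libebt_mark.txlate expectations exercise accept, return, drop and the or/and/xor operations, which is the right coverage for this change. The enclosing xlate function starts outside the hunk.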
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_mark.txlate
Added
@@ -0,0 +1,11 @@ +ebtables-translate -A INPUT --mark-set 42 +nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter' + +ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN +nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter' + +ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT +nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter' + +ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP +nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_mark_m.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_mark_m.txlate
Changed
@@ -1,14 +1,14 @@ ebtables-translate -A INPUT --mark 42 -nft add rule bridge filter INPUT meta mark 0x2a counter +nft 'add rule bridge filter INPUT meta mark 0x2a counter' ebtables-translate -A INPUT ! --mark 42 -nft add rule bridge filter INPUT meta mark != 0x2a counter +nft 'add rule bridge filter INPUT meta mark != 0x2a counter' ebtables-translate -A INPUT --mark ! 42 -nft add rule bridge filter INPUT meta mark != 0x2a counter +nft 'add rule bridge filter INPUT meta mark != 0x2a counter' ebtables-translate -A INPUT --mark ! 0x1/0xff -nft add rule bridge filter INPUT meta mark and 0xff != 0x1 counter +nft 'add rule bridge filter INPUT meta mark and 0xff != 0x1 counter' ebtables-translate -A INPUT --mark /0x02 -nft add rule bridge filter INPUT meta mark and 0x2 != 0 counter +nft 'add rule bridge filter INPUT meta mark and 0x2 != 0 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_nflog.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_nflog.c
Changed
@@ -130,12 +130,8 @@ const struct ebt_nflog_info *info = (void *)params->target->data; xt_xlate_add(xl, "log "); - if (info->prefix0 != '\0') { - if (params->escape_quotes) - xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix); - else - xt_xlate_add(xl, "prefix \"%s\" ", info->prefix); - } + if (info->prefix0 != '\0') + xt_xlate_add(xl, "prefix \"%s\" ", info->prefix); xt_xlate_add(xl, "group %u ", info->group);
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_nflog.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_nflog.t
Changed
@@ -1,5 +1,5 @@ :INPUT,FORWARD,OUTPUT ---nflog;=;OK +--nflog;--nflog-group 1;OK --nflog-group 42;=;OK --nflog-range 42;--nflog-group 1 --nflog-range 42 -j CONTINUE;OK --nflog-threshold 100 --nflog-prefix foo;--nflog-prefix "foo" --nflog-group 1 --nflog-threshold 100 -j CONTINUE;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_nflog.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_nflog.txlate
Changed
@@ -1,11 +1,11 @@ ebtables-translate -A INPUT --nflog -nft add rule bridge filter INPUT log group 1 counter +nft 'add rule bridge filter INPUT log group 1 counter' ebtables-translate -A INPUT --nflog-group 42 -nft add rule bridge filter INPUT log group 42 counter +nft 'add rule bridge filter INPUT log group 42 counter' ebtables-translate -A INPUT --nflog-range 42 -nft add rule bridge filter INPUT log group 1 snaplen 42 counter +nft 'add rule bridge filter INPUT log group 1 snaplen 42 counter' ebtables-translate -A INPUT --nflog-threshold 100 --nflog-prefix foo -nft add rule bridge filter INPUT log prefix "foo" group 1 queue-threshold 100 counter +nft 'add rule bridge filter INPUT log prefix "foo" group 1 queue-threshold 100 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_pkttype.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_pkttype.txlate
Changed
@@ -1,20 +1,20 @@ ebtables-translate -A INPUT --pkttype-type host -nft add rule bridge filter INPUT meta pkttype host counter +nft 'add rule bridge filter INPUT meta pkttype host counter' ebtables-translate -A INPUT ! --pkttype-type broadcast -nft add rule bridge filter INPUT meta pkttype != broadcast counter +nft 'add rule bridge filter INPUT meta pkttype != broadcast counter' ebtables-translate -A INPUT --pkttype-type ! multicast -nft add rule bridge filter INPUT meta pkttype != multicast counter +nft 'add rule bridge filter INPUT meta pkttype != multicast counter' ebtables-translate -A INPUT --pkttype-type otherhost -nft add rule bridge filter INPUT meta pkttype other counter +nft 'add rule bridge filter INPUT meta pkttype other counter' ebtables-translate -A INPUT --pkttype-type outgoing -nft add rule bridge filter INPUT meta pkttype 4 counter +nft 'add rule bridge filter INPUT meta pkttype 4 counter' ebtables-translate -A INPUT --pkttype-type loopback -nft add rule bridge filter INPUT meta pkttype 5 counter +nft 'add rule bridge filter INPUT meta pkttype 5 counter' ebtables-translate -A INPUT --pkttype-type fastroute -nft add rule bridge filter INPUT meta pkttype 6 counter +nft 'add rule bridge filter INPUT meta pkttype 6 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_redirect.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_redirect.c
Changed
@@ -86,7 +86,7 @@ xt_xlate_add(xl, "meta set pkttype host"); if (red->target != EBT_ACCEPT) xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); - return 0; + return 1; } static struct xtables_target brredirect_target = {
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_redirect.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_redirect.t
Changed
@@ -1,4 +1,4 @@ :PREROUTING *nat --j redirect;=;OK +-j redirect ;=;OK -j redirect --redirect-target RETURN;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_snat.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_snat.txlate
Changed
@@ -1,5 +1,5 @@ ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff -nft add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter +nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter' ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE -nft add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter +nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_standard.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_standard.t
Changed
@@ -12,12 +12,17 @@ :INPUT -i foobar;=;OK -o foobar;=;FAIL +--logical-in br0;=;OK +--logical-out br1;=;FAIL :FORWARD -i foobar;=;OK -o foobar;=;OK +--logical-in br0 --logical-out br1;=;OK :OUTPUT -i foobar;=;FAIL -o foobar;=;OK +--logical-in br0;=;FAIL +--logical-out br1;=;OK :PREROUTING *nat -i foobar;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_stp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_stp.c
Changed
@@ -90,7 +90,8 @@ uint32_t low_nr, upp_nr; int ret = 0; - buffer = strdup(portstring); + buffer = xtables_strdup(portstring); + if ((cp = strchr(buffer, ':')) == NULL) { low_nr = strtoul(buffer, &end, 10); if (*end || low_nr < min || low_nr > max) { @@ -145,9 +146,9 @@ static void print_range(unsigned int l, unsigned int u) { if (l == u) - printf("%u ", l); + printf("%u", l); else - printf("%u:%u ", l, u); + printf("%u:%u", l, u); } static int
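Review bot: After the switch to xtables_strdup() the range parser in the first hunk still converts with a bare `strtoul(buffer, &end, 10)` and bounds-checks by hand, whereas the other parsers touched by this revision (libebt_ip6.c, libip6t_icmp6.c) go through xtables_strtoui() with explicit min/max; `if (!xtables_strtoui(buffer, &end, &low_nr, min, max) || *end)` would do the conversion and the range check in one step and reject a leading '-' directly instead of relying on the wrapped value exceeding max. If the hand-rolled check is deliberately kept, a short comment saying why would help. The enclosing function starts before the hunk, so the error path that releases buffer is not visible here. The print_range() change in the second hunk drops the trailing space, so its callers presumably emit separators themselves; worth a glance that no print path now runs tokens together.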
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_stp.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_stp.t
Changed
@@ -1,7 +1,7 @@ :INPUT,FORWARD,OUTPUT --stp-type 1;=;OK --stp-flags 0x1;--stp-flags topology-change -j CONTINUE;OK ---stp-root-prio 1 -j ACCEPT;=;OK +--stp-root-prio 1 -j ACCEPT;=;OK --stp-root-addr 0d:ea:d0:0b:ee:f0;=;OK --stp-root-cost 1;=;OK --stp-sender-prio 1;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_vlan.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_vlan.t
Changed
@@ -4,8 +4,8 @@ -p 802_1Q --vlan-prio 1;=;OK -p 802_1Q --vlan-prio ! 1;=;OK -p 802_1Q --vlan-encap ip;-p 802_1Q --vlan-encap 0800 -j CONTINUE;OK --p 802_1Q --vlan-encap 0800 ;=;OK --p 802_1Q --vlan-encap ! 0800 ;=;OK +-p 802_1Q --vlan-encap 0800;=;OK +-p 802_1Q --vlan-encap ! 0800;=;OK -p 802_1Q --vlan-encap IPv6 ! --vlan-id 1;-p 802_1Q --vlan-id ! 1 --vlan-encap 86DD -j CONTINUE;OK -p 802_1Q --vlan-id ! 1 --vlan-encap 86DD;=;OK --vlan-encap ip;=;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libebt_vlan.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libebt_vlan.txlate
Changed
@@ -1,11 +1,11 @@ ebtables-translate -A INPUT -p 802_1Q --vlan-id 42 -nft add rule bridge filter INPUT vlan id 42 counter +nft 'add rule bridge filter INPUT vlan id 42 counter' ebtables-translate -A INPUT -p 802_1Q --vlan-prio ! 1 -nft add rule bridge filter INPUT vlan pcp != 1 counter +nft 'add rule bridge filter INPUT vlan pcp != 1 counter' ebtables-translate -A INPUT -p 802_1Q --vlan-encap ip -nft add rule bridge filter INPUT vlan type 0x0800 counter +nft 'add rule bridge filter INPUT vlan type 0x0800 counter' ebtables-translate -A INPUT -p 802_1Q --vlan-encap ipv6 ! --vlan-id 1 -nft add rule bridge filter INPUT vlan id != 1 vlan type 0x86dd counter +nft 'add rule bridge filter INPUT vlan id != 1 vlan type 0x86dd counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_DNAT.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_DNAT.t
Changed
@@ -13,4 +13,8 @@ -p tcp -j DNAT --to-destination dead::beef-dead::fee7:1000-2000/65535;=;OK -p tcp -j DNAT --to-destination dead::beef-dead::fee7:1000-2000/0;;FAIL -p tcp -j DNAT --to-destination dead::beef-dead::fee7:1000-2000/65536;;FAIL +-p tcp -j DNAT --to-destination dead::beef:ssh;-p tcp -j DNAT --to-destination dead::beef:22;OK +-p tcp -j DNAT --to-destination dead::beef:ftp-data;-p tcp -j DNAT --to-destination dead::beef:20;OK +-p tcp -j DNAT --to-destination dead::beef:echo-ssh;;FAIL +-p tcp -j DNAT --to-destination dead::beef:10-20/ftp;-p tcp -j DNAT --to-destination dead::beef:10-20/21;OK -j DNAT;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_LOG.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_LOG.txlate
Changed
@@ -1,8 +1,8 @@ iptables-translate -I INPUT -j LOG -nft insert rule ip filter INPUT counter log +nft 'insert rule ip filter INPUT counter log' ip6tables-translate -A FORWARD -p tcp -j LOG --log-level debug -nft add rule ip6 filter FORWARD meta l4proto tcp counter log level debug +nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log level debug' ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log" -nft add rule ip6 filter FORWARD meta l4proto tcp counter log prefix \"Checking log\" +nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log prefix "Checking log"'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_MASQUERADE.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_MASQUERADE.txlate
Changed
@@ -1,8 +1,17 @@ ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE -nft add rule ip6 nat POSTROUTING counter masquerade +nft 'add rule ip6 nat POSTROUTING counter masquerade' ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10 -nft add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade to :10 +nft 'add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade to :10' ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random -nft add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade to :10-20 random +nft 'add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade to :10-20 random' + +ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --random +nft 'add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade random' + +ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --random-fully +nft 'add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade fully-random' + +ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --random --random-fully +nft 'add rule ip6 nat POSTROUTING meta l4proto tcp counter masquerade random,fully-random'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_NETMAP.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_NETMAP.t
Changed
@@ -1,4 +1,4 @@ :PREROUTING,INPUT,OUTPUT,POSTROUTING *nat -j NETMAP --to dead::/64;=;OK --j NETMAP --to dead::beef;=;OK +-j NETMAP --to dead::beef;-j NETMAP --to dead::beef/128;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_REJECT.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_REJECT.t
Changed
@@ -1,5 +1,5 @@ :INPUT,FORWARD,OUTPUT --j REJECT;=;OK +-j REJECT;-j REJECT --reject-with icmp6-port-unreachable;OK # manpage for IPv6 variant of REJECT does not show up for some reason? -j REJECT --reject-with icmp6-no-route;=;OK -j REJECT --reject-with icmp6-adm-prohibited;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_REJECT.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_REJECT.txlate
Changed
@@ -1,8 +1,8 @@ ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT -nft add rule ip6 filter FORWARD tcp dport 22 counter reject +nft 'add rule ip6 filter FORWARD tcp dport 22 counter reject' ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route -nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route +nft 'add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route' ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset -nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset +nft 'add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_SNAT.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_SNAT.t
Changed
@@ -4,6 +4,12 @@ -j SNAT --to-source dead::beef-dead::fee7;=;OK -j SNAT --to-source dead::beef:1025-65535;;FAIL -j SNAT --to-source dead::beef --to-source dead::fee7;;FAIL +-j SNAT --to-source dead::beef --random;=;OK +-j SNAT --to-source dead::beef --random-fully;=;OK +-j SNAT --to-source dead::beef --persistent;=;OK +-j SNAT --to-source dead::beef --random --persistent;=;OK +-j SNAT --to-source dead::beef --random --random-fully;=;OK +-j SNAT --to-source dead::beef --random --random-fully --persistent;=;OK -p tcp -j SNAT --to-source dead::beef:1025-65535;=;OK -p tcp -j SNAT --to-source dead::beef-dead::fee7:1025-65535;=;OK -p tcp -j SNAT --to-source dead::beef-dead::fee7:1025-65536;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_SNAT.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_SNAT.txlate
Changed
@@ -1,11 +1,11 @@ ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to fec0::1234:80 -nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:80 +nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:80' ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to fec0::1234:1-20 -nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:1-20 +nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:1-20' ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to fec0::1234:123 --random -nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:123 random +nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:123 random' ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to fec0::1234:123 --random-fully --persistent -nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:123 fully-random,persistent +nft 'add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to fec0::1234:123 fully-random,persistent'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_ah.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_ah.txlate
Changed
@@ -1,17 +1,17 @@ ip6tables-translate -A INPUT -m ah --ahspi 500 -j DROP -nft add rule ip6 filter INPUT ah spi 500 counter drop +nft 'add rule ip6 filter INPUT ah spi 500 counter drop' ip6tables-translate -A INPUT -m ah --ahspi 500:550 -j DROP -nft add rule ip6 filter INPUT ah spi 500-550 counter drop +nft 'add rule ip6 filter INPUT ah spi 500-550 counter drop' ip6tables-translate -A INPUT -m ah ! --ahlen 120 -nft add rule ip6 filter INPUT ah hdrlength != 120 counter +nft 'add rule ip6 filter INPUT ah hdrlength != 120 counter' ip6tables-translate -A INPUT -m ah --ahres -nft add rule ip6 filter INPUT ah reserved 1 counter +nft 'add rule ip6 filter INPUT ah reserved 1 counter' ip6tables-translate -A INPUT -m ah --ahspi 500 ! --ahlen 120 -j DROP -nft add rule ip6 filter INPUT ah spi 500 ah hdrlength != 120 counter drop +nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength != 120 counter drop' ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT -nft add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept +nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_dst.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_dst.c
Changed
@@ -57,11 +57,9 @@ { char *buffer, *cp, *next, *range; unsigned int i; - - buffer = strdup(optsstr); - if (!buffer) - xtables_error(OTHER_PROBLEM, "strdup failed"); - + + buffer = xtables_strdup(optsstr); + for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++) { next = strchr(cp, ','); @@ -127,15 +125,15 @@ print_options(unsigned int optsnr, uint16_t *optsp) { unsigned int i; + char sep = ' '; - printf(" "); for(i = 0; i < optsnr; i++) { - printf("%d", (optspi & 0xFF00) >> 8); + printf("%c%d", sep, (optspi & 0xFF00) >> 8); if ((optspi & 0x00FF) != 0x00FF) printf(":%d", (optspi & 0x00FF)); - printf("%c", (i != optsnr - 1) ? ',' : ' '); + sep = ','; } }
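Review bot: In the first hunk the blank lines around `buffer = xtables_strdup(optsstr);` show up as removed-then-re-added rather than as context, which suggests the new blank lines differ only in whitespace (most likely trailing spaces); they should be plain empty lines so the change does not carry whitespace noise. The same pattern appears in libip6t_hbh.c at its -57 hunk. In print_options() the `sep` approach is cleaner than the old trailing separator, but it also changes the output from "1,2 " to " 1,2" and prints nothing at all when optsnr is 0 where the old code printed a single space; a comment such as `/* leading separator: no output for an empty list, no trailing blank */` would make that intentional. The enclosing parse function in the first hunk starts outside the hunk.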
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_frag.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_frag.c
Changed
@@ -178,7 +178,6 @@ { const struct ip6t_frag *fraginfo = (struct ip6t_frag *)params->match->data; - char *space= ""; if (!(fraginfo->ids0 == 0 && fraginfo->ids1 == 0xFFFFFFFF)) { xt_xlate_add(xl, "frag id %s", @@ -190,24 +189,21 @@ else xt_xlate_add(xl, "%u", fraginfo->ids0); - space = " "; } - if (fraginfo->flags & IP6T_FRAG_RES) { - xt_xlate_add(xl, "%sfrag reserved 1", space); - space = " "; - } - if (fraginfo->flags & IP6T_FRAG_FST) { - xt_xlate_add(xl, "%sfrag frag-off 0", space); - space = " "; - } - if (fraginfo->flags & IP6T_FRAG_MF) { - xt_xlate_add(xl, "%sfrag more-fragments 1", space); - space = " "; - } - if (fraginfo->flags & IP6T_FRAG_NMF) { - xt_xlate_add(xl, "%sfrag more-fragments 0", space); - } + /* ignore ineffective IP6T_FRAG_LEN bit */ + + if (fraginfo->flags & IP6T_FRAG_RES) + xt_xlate_add(xl, "frag reserved 1"); + + if (fraginfo->flags & IP6T_FRAG_FST) + xt_xlate_add(xl, "frag frag-off 0"); + + if (fraginfo->flags & IP6T_FRAG_MF) + xt_xlate_add(xl, "frag more-fragments 1"); + + if (fraginfo->flags & IP6T_FRAG_NMF) + xt_xlate_add(xl, "frag more-fragments 0"); return 1; }
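Review bot: The rewritten flag section drops the explicit `space` bookkeeping, so `"frag reserved 1"` and the tokens after it are added with no leading blank and rely on xt_xlate_add() supplying one; the expectation in libip6t_frag.txlate ("frag id 100 frag reserved 1 frag more-fragments 1") shows that this holds, but nothing in this file says so. A comment above the first flag test, e.g. `/* xt_xlate_add() separates tokens itself; no explicit spacing needed */`, would stop the next reader from re-adding it. The new `/* ignore ineffective IP6T_FRAG_LEN bit */` comment is useful but would read better if it said what makes the bit ineffective. The enclosing xlate function starts before the hunk.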
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_frag.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_frag.txlate
Changed
@@ -1,17 +1,17 @@ ip6tables-translate -t filter -A INPUT -m frag --fragid 100:200 -j ACCEPT -nft add rule ip6 filter INPUT frag id 100-200 counter accept +nft 'add rule ip6 filter INPUT frag id 100-200 counter accept' ip6tables-translate -t filter -A INPUT -m frag --fragid 100 --fragres --fragmore -j ACCEPT -nft add rule ip6 filter INPUT frag id 100 frag reserved 1 frag more-fragments 1 counter accept +nft 'add rule ip6 filter INPUT frag id 100 frag reserved 1 frag more-fragments 1 counter accept' ip6tables-translate -t filter -A INPUT -m frag ! --fragid 100:200 -j ACCEPT -nft add rule ip6 filter INPUT frag id != 100-200 counter accept +nft 'add rule ip6 filter INPUT frag id != 100-200 counter accept' ip6tables-translate -t filter -A INPUT -m frag --fragid 100:200 --fraglast -j ACCEPT -nft add rule ip6 filter INPUT frag id 100-200 frag more-fragments 0 counter accept +nft 'add rule ip6 filter INPUT frag id 100-200 frag more-fragments 0 counter accept' ip6tables-translate -t filter -A INPUT -m frag --fragid 100:200 --fragfirst -j ACCEPT -nft add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept +nft 'add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept' ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT -nft add rule ip6 filter INPUT frag more-fragments 0 counter accept +nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_hbh.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_hbh.c
Changed
@@ -57,10 +57,9 @@ { char *buffer, *cp, *next, *range; unsigned int i; - - buffer = strdup(optsstr); - if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); - + + buffer = xtables_strdup(optsstr); + for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++) { next=strchr(cp, ',');
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_hbh.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_hbh.txlate
Changed
@@ -1,5 +1,5 @@ ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22 -nft add rule ip6 filter INPUT hbh hdrlength 22 counter +nft 'add rule ip6 filter INPUT hbh hdrlength 22 counter' ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22 -nft add rule ip6 filter INPUT hbh hdrlength != 22 counter +nft 'add rule ip6 filter INPUT hbh hdrlength != 22 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_hl.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_hl.txlate
Changed
@@ -1,5 +1,5 @@ ip6tables-translate -t nat -A postrouting -m hl --hl-gt 3 -nft add rule ip6 nat postrouting ip6 hoplimit gt 3 counter +nft 'add rule ip6 nat postrouting ip6 hoplimit gt 3 counter' ip6tables-translate -t nat -A postrouting -m hl ! --hl-eq 3 -nft add rule ip6 nat postrouting ip6 hoplimit != 3 counter +nft 'add rule ip6 nat postrouting ip6 hoplimit != 3 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_icmp6.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_icmp6.c
Changed
@@ -12,48 +12,6 @@ O_ICMPV6_TYPE = 0, }; -static const struct xt_icmp_names icmpv6_codes = { - { "destination-unreachable", 1, 0, 0xFF }, - { "no-route", 1, 0, 0 }, - { "communication-prohibited", 1, 1, 1 }, - { "beyond-scope", 1, 2, 2 }, - { "address-unreachable", 1, 3, 3 }, - { "port-unreachable", 1, 4, 4 }, - { "failed-policy", 1, 5, 5 }, - { "reject-route", 1, 6, 6 }, - - { "packet-too-big", 2, 0, 0xFF }, - - { "time-exceeded", 3, 0, 0xFF }, - /* Alias */ { "ttl-exceeded", 3, 0, 0xFF }, - { "ttl-zero-during-transit", 3, 0, 0 }, - { "ttl-zero-during-reassembly", 3, 1, 1 }, - - { "parameter-problem", 4, 0, 0xFF }, - { "bad-header", 4, 0, 0 }, - { "unknown-header-type", 4, 1, 1 }, - { "unknown-option", 4, 2, 2 }, - - { "echo-request", 128, 0, 0xFF }, - /* Alias */ { "ping", 128, 0, 0xFF }, - - { "echo-reply", 129, 0, 0xFF }, - /* Alias */ { "pong", 129, 0, 0xFF }, - - { "router-solicitation", 133, 0, 0xFF }, - - { "router-advertisement", 134, 0, 0xFF }, - - { "neighbour-solicitation", 135, 0, 0xFF }, - /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF }, - - { "neighbour-advertisement", 136, 0, 0xFF }, - /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF }, - - { "redirect", 137, 0, 0xFF }, - -}; - static void icmp6_help(void) { printf( 
@@ -70,59 +28,6 @@ XTOPT_TABLEEND, }; -static void -parse_icmpv6(const char *icmpv6type, uint8_t *type, uint8_t code) -{ - static const unsigned int limit = ARRAY_SIZE(icmpv6_codes); - unsigned int match = limit; - unsigned int i; - - for (i = 0; i < limit; i++) { - if (strncasecmp(icmpv6_codesi.name, icmpv6type, strlen(icmpv6type)) - == 0) { - if (match != limit) - xtables_error(PARAMETER_PROBLEM, - "Ambiguous ICMPv6 type `%s':" - " `%s' or `%s'?", - icmpv6type, - icmpv6_codesmatch.name, - icmpv6_codesi.name); - match = i; - } - } - - if (match != limit) { - *type = icmpv6_codesmatch.type; - code0 = icmpv6_codesmatch.code_min; - code1 = icmpv6_codesmatch.code_max; - } else { - char *slash; - char bufferstrlen(icmpv6type) + 1; - unsigned int number; - - strcpy(buffer, icmpv6type); - slash = strchr(buffer, '/'); - - if (slash) - *slash = '\0'; - - if (!xtables_strtoui(buffer, NULL, &number, 0, UINT8_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid ICMPv6 type `%s'\n", buffer); - *type = number; - if (slash) { - if (!xtables_strtoui(slash+1, NULL, &number, 0, UINT8_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid ICMPv6 code `%s'\n", - slash+1); - code0 = code1 = number; - } else { - code0 = 0; - code1 = 0xFF; - } - } -} - static void icmp6_init(struct xt_entry_match *m) { struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data; @@ -135,7 +40,7 @@ struct ip6t_icmp *icmpv6info = cb->data; xtables_option_parse(cb); - parse_icmpv6(cb->arg, &icmpv6info->type, icmpv6info->code); + ipt_parse_icmpv6(cb->arg, &icmpv6info->type, icmpv6info->code); if (cb->invert) icmpv6info->invflags |= IP6T_ICMP_INV; }
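Review bot: `ipt_parse_icmpv6()` replaces the removed static `parse_icmpv6()` in the last hunk, but no include change is visible in this section, so its declaration presumably comes from a header the file already includes; that cannot be confirmed from here. The removed parser matched ICMPv6 names case-insensitively by prefix and rejected ambiguous prefixes, and the `.txlate` expectations for this extension change only in quoting, so the shared parser is expected to keep the same matching semantics and the same `type`/`code[0..1]` output contract — worth recording at the call site, e.g. `/* shared parser: prefix match on ICMPv6 names, or numeric type[/code] */`. libipt_icmp.c in this revision makes the identical swap to `ipt_parse_icmp()` and the same remark applies there. The enclosing parse callback starts outside the hunk.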
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_icmp6.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_icmp6.txlate
Changed
@@ -1,8 +1,8 @@ ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type 1 -j LOG -nft add rule ip6 filter INPUT icmpv6 type destination-unreachable counter log +nft 'add rule ip6 filter INPUT icmpv6 type destination-unreachable counter log' ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type neighbour-advertisement -j LOG -nft add rule ip6 filter INPUT icmpv6 type nd-neighbor-advert counter log +nft 'add rule ip6 filter INPUT icmpv6 type nd-neighbor-advert counter log' ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type packet-too-big -j LOG -nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log +nft 'add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_ipv6header.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_ipv6header.c
Changed
@@ -147,7 +147,7 @@ char *ptr; char *buffer; - buffer = strdup(flags); + buffer = xtables_strdup(flags); for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) ret |= add_proto_to_mask(name_to_proto(ptr));
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_mh.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_mh.c
Changed
@@ -97,7 +97,7 @@ if (!xtables_strtoui(name, NULL, &number, 0, UINT8_MAX)) xtables_error(PARAMETER_PROBLEM, - "Invalid MH type `%s'\n", name); + "Invalid MH type `%s'", name); return number; } } @@ -107,7 +107,7 @@ char *buffer; char *cp; - buffer = strdup(mhtype); + buffer = xtables_strdup(mhtype); if ((cp = strchr(buffer, ':')) == NULL) types0 = types1 = name_to_type(buffer); else {
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_mh.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_mh.txlate
Changed
@@ -1,5 +1,5 @@ ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT -nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept +nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept' ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT -nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept +nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_rt.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_rt.c
Changed
@@ -73,10 +73,9 @@ { char *buffer, *cp, *next; unsigned int i; - - buffer = strdup(addrstr); - if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); - + + buffer = xtables_strdup(addrstr); + for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++) { next=strchr(cp, ','); @@ -249,17 +248,15 @@ const struct xt_xlate_mt_params *params) { const struct ip6t_rt *rtinfo = (struct ip6t_rt *)params->match->data; - char *space = ""; if (rtinfo->flags & IP6T_RT_TYP) { xt_xlate_add(xl, "rt type%s %u", (rtinfo->invflags & IP6T_RT_INV_TYP) ? " !=" : "", rtinfo->rt_type); - space = " "; } if (!(rtinfo->segsleft0 == 0 && rtinfo->segsleft1 == 0xFFFFFFFF)) { - xt_xlate_add(xl, "%srt seg-left%s ", space, + xt_xlate_add(xl, "rt seg-left%s ", (rtinfo->invflags & IP6T_RT_INV_SGS) ? " !=" : ""); if (rtinfo->segsleft0 != rtinfo->segsleft1) @@ -267,11 +264,10 @@ rtinfo->segsleft1); else xt_xlate_add(xl, "%u", rtinfo->segsleft0); - space = " "; } if (rtinfo->flags & IP6T_RT_LEN) { - xt_xlate_add(xl, "%srt hdrlength%s %u", space, + xt_xlate_add(xl, "rt hdrlength%s %u", (rtinfo->invflags & IP6T_RT_INV_LEN) ? " !=" : "", rtinfo->hdrlen); }
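Review bot: With the `space` prefix removed in the `_xlate` hunks, the `xt_xlate_add()` calls for `rt type`, `rt seg-left` and `rt hdrlength` now depend on xt_xlate_add() separating successive fragments itself; that behaviour is not visible in this section, although the unchanged `rt type 0 rt seg-left != 26 rt hdrlength 22` expectation in libip6t_rt.txlate suggests it holds. The `"rt seg-left%s "` format still carries a trailing space while its value is appended by a separate call, which is inconsistent with the other two formats that embed `%u`; either the trailing space or the separator insertion is redundant, and a comment such as `/* xt_xlate_add() inserts the separating space before each fragment */` would record which one is relied on. The first hunk also replaces `strdup()` with `xtables_strdup()` and drops the NULL check, as in libip6t_hbh.c. Both enclosing functions start and end outside their hunks.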
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libip6t_rt.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libip6t_rt.txlate
Changed
@@ -1,14 +1,14 @@ ip6tables-translate -A INPUT -m rt --rt-type 0 -j DROP -nft add rule ip6 filter INPUT rt type 0 counter drop +nft 'add rule ip6 filter INPUT rt type 0 counter drop' ip6tables-translate -A INPUT -m rt ! --rt-len 22 -j DROP -nft add rule ip6 filter INPUT rt hdrlength != 22 counter drop +nft 'add rule ip6 filter INPUT rt hdrlength != 22 counter drop' ip6tables-translate -A INPUT -m rt --rt-segsleft 26 -j ACCEPT -nft add rule ip6 filter INPUT rt seg-left 26 counter accept +nft 'add rule ip6 filter INPUT rt seg-left 26 counter accept' ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 -j DROP -nft add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop +nft 'add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop' ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT -nft add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept +nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_CLUSTERIP.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_CLUSTERIP.c
Changed
@@ -87,12 +87,13 @@ else if (strcmp(cb->arg, "sourceip-sourceport-destport") == 0) cipinfo->hash_mode = CLUSTERIP_HASHMODE_SIP_SPT_DPT; else - xtables_error(PARAMETER_PROBLEM, "Unknown hashmode \"%s\"\n", - cb->arg); + xtables_error(PARAMETER_PROBLEM, + "Unknown hashmode \"%s\"", cb->arg); break; case O_CLUSTERMAC: if (!(cipinfo->clustermac0 & 0x01)) - xtables_error(PARAMETER_PROBLEM, "MAC has to be a multicast ethernet address\n"); + xtables_error(PARAMETER_PROBLEM, + "MAC has to be a multicast ethernet address"); break; case O_LOCAL_NODE: cipinfo->num_local_nodes = 1; @@ -107,7 +108,8 @@ if ((cb->xflags & F_FULL) == F_FULL) return; - xtables_error(PARAMETER_PROBLEM, "CLUSTERIP target: Invalid parameter combination\n"); + xtables_error(PARAMETER_PROBLEM, + "CLUSTERIP target: Invalid parameter combination"); } static const char *hashmode2str(enum clusterip_hashmode mode)
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_CLUSTERIP.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_CLUSTERIP.t
Changed
@@ -1,4 +1,4 @@ :INPUT -d 10.31.3.236/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:AA:7B:47:F7:D7 --total-nodes 2 --local-node 0 --hash-init 1;=;FAIL --d 10.31.3.236/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:AA:7B:47:F7:D7 --total-nodes 2 --local-node 1 --hash-init 1;=;OK --d 10.31.3.236/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:AA:7B:47:F7:D7 --total-nodes 2 --local-node 2 --hash-init 1;=;OK +-d 10.31.3.236/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:AA:7B:47:F7:D7 --total-nodes 2 --local-node 1 --hash-init 1;=;OK;LEGACY +-d 10.31.3.236/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:AA:7B:47:F7:D7 --total-nodes 2 --local-node 2 --hash-init 1;=;OK;LEGACY
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_DNAT.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_DNAT.t
Changed
@@ -13,4 +13,8 @@ -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/65535;=;OK -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/0;;FAIL -p tcp -j DNAT --to-destination 1.1.1.1:1000-2000/65536;;FAIL +-p tcp -j DNAT --to-destination 1.1.1.1:ssh;-p tcp -j DNAT --to-destination 1.1.1.1:22;OK +-p tcp -j DNAT --to-destination 1.1.1.1:ftp-data;-p tcp -j DNAT --to-destination 1.1.1.1:20;OK +-p tcp -j DNAT --to-destination 1.1.1.1:echo-ssh;;FAIL +-p tcp -j DNAT --to-destination 1.1.1.1:10-20/ftp;-p tcp -j DNAT --to-destination 1.1.1.1:10-20/21;OK -j DNAT;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_LOG.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_LOG.txlate
Changed
@@ -1,5 +1,5 @@ iptables-translate -A FORWARD -p tcp -j LOG --log-level error -nft add rule ip filter FORWARD ip protocol tcp counter log level err +nft 'add rule ip filter FORWARD ip protocol tcp counter log level err' iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix" -nft add rule ip filter FORWARD ip protocol tcp counter log prefix \"Random prefix\" +nft 'add rule ip filter FORWARD ip protocol tcp counter log prefix "Random prefix"'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_MASQUERADE.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_MASQUERADE.txlate
Changed
@@ -1,8 +1,17 @@ iptables-translate -t nat -A POSTROUTING -j MASQUERADE -nft add rule ip nat POSTROUTING counter masquerade +nft 'add rule ip nat POSTROUTING counter masquerade' iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10 -nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10 +nft 'add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10' iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random -nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 random +nft 'add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 random' + +iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --random +nft 'add rule ip nat POSTROUTING ip protocol tcp counter masquerade random' + +iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --random-fully +nft 'add rule ip nat POSTROUTING ip protocol tcp counter masquerade fully-random' + +iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --random --random-fully +nft 'add rule ip nat POSTROUTING ip protocol tcp counter masquerade random,fully-random'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_NETMAP.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_NETMAP.t
Changed
@@ -1,4 +1,4 @@ :PREROUTING,INPUT,OUTPUT,POSTROUTING *nat -j NETMAP --to 1.2.3.0/24;=;OK --j NETMAP --to 1.2.3.4;=;OK +-j NETMAP --to 1.2.3.4;-j NETMAP --to 1.2.3.4/32;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_REJECT.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_REJECT.t
Changed
@@ -1,5 +1,5 @@ :INPUT,FORWARD,OUTPUT --j REJECT;=;OK +-j REJECT;-j REJECT --reject-with icmp-port-unreachable;OK -j REJECT --reject-with icmp-net-unreachable;=;OK -j REJECT --reject-with icmp-host-unreachable;=;OK -j REJECT --reject-with icmp-port-unreachable;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_REJECT.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_REJECT.txlate
Changed
@@ -1,8 +1,8 @@ iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT -nft add rule ip filter FORWARD tcp dport 22 counter reject +nft 'add rule ip filter FORWARD tcp dport 22 counter reject' iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable -nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable +nft 'add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable' iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset -nft add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset +nft 'add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_SNAT.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_SNAT.t
Changed
@@ -4,6 +4,12 @@ -j SNAT --to-source 1.1.1.1-1.1.1.10;=;OK -j SNAT --to-source 1.1.1.1:1025-65535;;FAIL -j SNAT --to-source 1.1.1.1 --to-source 2.2.2.2;;FAIL +-j SNAT --to-source 1.1.1.1 --random;=;OK +-j SNAT --to-source 1.1.1.1 --random-fully;=;OK +-j SNAT --to-source 1.1.1.1 --persistent;=;OK +-j SNAT --to-source 1.1.1.1 --random --persistent;=;OK +-j SNAT --to-source 1.1.1.1 --random --random-fully;=;OK +-j SNAT --to-source 1.1.1.1 --random --random-fully --persistent;=;OK -p tcp -j SNAT --to-source 1.1.1.1:1025-65535;=;OK -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_SNAT.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_SNAT.txlate
Changed
@@ -1,14 +1,14 @@ iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 -nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 +nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4' iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 -nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4-1.2.3.6 +nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4-1.2.3.6' iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 -nft add rule ip nat postrouting oifname "eth0" ip protocol tcp counter snat to 1.2.3.4:1-1023 +nft 'add rule ip nat postrouting oifname "eth0" ip protocol tcp counter snat to 1.2.3.4:1-1023' iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random -nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random +nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random' iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent -nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random,persistent +nft 'add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random,persistent'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_ah.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_ah.txlate
Changed
@@ -1,8 +1,8 @@ iptables-translate -A INPUT -p 51 -m ah --ahspi 500 -j DROP -nft add rule ip filter INPUT ah spi 500 counter drop +nft 'add rule ip filter INPUT ah spi 500 counter drop' iptables-translate -A INPUT -p 51 -m ah --ahspi 500:600 -j DROP -nft add rule ip filter INPUT ah spi 500-600 counter drop +nft 'add rule ip filter INPUT ah spi 500-600 counter drop' iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP -nft add rule ip filter INPUT ah spi != 50 counter drop +nft 'add rule ip filter INPUT ah spi != 50 counter drop'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_icmp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_icmp.c
Changed
@@ -19,61 +19,6 @@ O_ICMP_TYPE = 0, }; -static const struct xt_icmp_names icmp_codes = { - { "any", 0xFF, 0, 0xFF }, - { "echo-reply", 0, 0, 0xFF }, - /* Alias */ { "pong", 0, 0, 0xFF }, - - { "destination-unreachable", 3, 0, 0xFF }, - { "network-unreachable", 3, 0, 0 }, - { "host-unreachable", 3, 1, 1 }, - { "protocol-unreachable", 3, 2, 2 }, - { "port-unreachable", 3, 3, 3 }, - { "fragmentation-needed", 3, 4, 4 }, - { "source-route-failed", 3, 5, 5 }, - { "network-unknown", 3, 6, 6 }, - { "host-unknown", 3, 7, 7 }, - { "network-prohibited", 3, 9, 9 }, - { "host-prohibited", 3, 10, 10 }, - { "TOS-network-unreachable", 3, 11, 11 }, - { "TOS-host-unreachable", 3, 12, 12 }, - { "communication-prohibited", 3, 13, 13 }, - { "host-precedence-violation", 3, 14, 14 }, - { "precedence-cutoff", 3, 15, 15 }, - - { "source-quench", 4, 0, 0xFF }, - - { "redirect", 5, 0, 0xFF }, - { "network-redirect", 5, 0, 0 }, - { "host-redirect", 5, 1, 1 }, - { "TOS-network-redirect", 5, 2, 2 }, - { "TOS-host-redirect", 5, 3, 3 }, - - { "echo-request", 8, 0, 0xFF }, - /* Alias */ { "ping", 8, 0, 0xFF }, - - { "router-advertisement", 9, 0, 0xFF }, - - { "router-solicitation", 10, 0, 0xFF }, - - { "time-exceeded", 11, 0, 0xFF }, - /* Alias */ { "ttl-exceeded", 11, 0, 0xFF }, - { "ttl-zero-during-transit", 11, 0, 0 }, - { "ttl-zero-during-reassembly", 11, 1, 1 }, - - { "parameter-problem", 12, 0, 0xFF }, - { "ip-header-bad", 12, 0, 0 }, - { "required-option-missing", 12, 1, 1 }, - - { "timestamp-request", 13, 0, 0xFF }, - - { "timestamp-reply", 14, 0, 0xFF }, - - { "address-mask-request", 17, 0, 0xFF }, - - { "address-mask-reply", 18, 0, 0xFF } -}; - static void icmp_help(void) { printf( 
@@ -90,59 +35,6 @@ XTOPT_TABLEEND, }; -static void -parse_icmp(const char *icmptype, uint8_t *type, uint8_t code) -{ - static const unsigned int limit = ARRAY_SIZE(icmp_codes); - unsigned int match = limit; - unsigned int i; - - for (i = 0; i < limit; i++) { - if (strncasecmp(icmp_codesi.name, icmptype, strlen(icmptype)) - == 0) { - if (match != limit) - xtables_error(PARAMETER_PROBLEM, - "Ambiguous ICMP type `%s':" - " `%s' or `%s'?", - icmptype, - icmp_codesmatch.name, - icmp_codesi.name); - match = i; - } - } - - if (match != limit) { - *type = icmp_codesmatch.type; - code0 = icmp_codesmatch.code_min; - code1 = icmp_codesmatch.code_max; - } else { - char *slash; - char bufferstrlen(icmptype) + 1; - unsigned int number; - - strcpy(buffer, icmptype); - slash = strchr(buffer, '/'); - - if (slash) - *slash = '\0'; - - if (!xtables_strtoui(buffer, NULL, &number, 0, UINT8_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid ICMP type `%s'\n", buffer); - *type = number; - if (slash) { - if (!xtables_strtoui(slash+1, NULL, &number, 0, UINT8_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid ICMP code `%s'\n", - slash+1); - code0 = code1 = number; - } else { - code0 = 0; - code1 = 0xFF; - } - } -} - static void icmp_init(struct xt_entry_match *m) { struct ipt_icmp *icmpinfo = (struct ipt_icmp *)m->data; @@ -156,7 +48,7 @@ struct ipt_icmp *icmpinfo = cb->data; xtables_option_parse(cb); - parse_icmp(cb->arg, &icmpinfo->type, icmpinfo->code); + ipt_parse_icmp(cb->arg, &icmpinfo->type, icmpinfo->code); if (cb->invert) icmpinfo->invflags |= IPT_ICMP_INV; }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_icmp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_icmp.txlate
Changed
@@ -1,11 +1,11 @@ iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j ACCEPT -nft add rule ip filter INPUT icmp type echo-reply counter accept +nft 'add rule ip filter INPUT icmp type echo-reply counter accept' iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j ACCEPT -nft add rule ip filter INPUT icmp type destination-unreachable counter accept +nft 'add rule ip filter INPUT icmp type destination-unreachable counter accept' iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT -nft add rule ip filter INPUT icmp type != destination-unreachable counter accept +nft 'add rule ip filter INPUT icmp type != destination-unreachable counter accept' iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT -nft add rule ip filter INPUT ip protocol icmp counter accept +nft 'add rule ip filter INPUT ip protocol icmp counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_realm.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_realm.txlate
Changed
@@ -1,11 +1,11 @@ iptables-translate -A PREROUTING -m realm --realm 4 -nft add rule ip filter PREROUTING rtclassid 0x4 counter +nft 'add rule ip filter PREROUTING rtclassid 0x4 counter' iptables-translate -A PREROUTING -m realm --realm 5/5 -nft add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter +nft 'add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter' iptables-translate -A PREROUTING -m realm ! --realm 50 -nft add rule ip filter PREROUTING rtclassid != 0x32 counter +nft 'add rule ip filter PREROUTING rtclassid != 0x32 counter' iptables-translate -A INPUT -m realm --realm 1/0xf -nft add rule ip filter INPUT rtclassid and 0xf == 0x1 counter +nft 'add rule ip filter INPUT rtclassid and 0xf == 0x1 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_ttl.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_ttl.c
Changed
@@ -106,7 +106,7 @@ const struct ipt_ttl_info *info = (struct ipt_ttl_info *) params->match->data; - switch (info->mode) { + switch (info->mode) { case IPT_TTL_EQ: xt_xlate_add(xl, "ip ttl"); break; @@ -121,7 +121,7 @@ break; default: /* Should not happen. */ - break; + return 0; } xt_xlate_add(xl, " %u", info->ttl);
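Review bot: The `default:` branch now returns 0 instead of `break`, so an unrecognised `info->mode` no longer falls through to the `xt_xlate_add(xl, " %u", info->ttl)` call and emits a bare number; the comment above it still reads `/* Should not happen. */`, which no longer explains why the function gives up. Suggest `/* Unknown mode: refuse the translation instead of emitting a bare ttl value. */`. The enclosing _xlate function starts and ends outside the hunk.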
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libipt_ttl.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libipt_ttl.txlate
Changed
@@ -1,5 +1,5 @@ iptables-translate -A INPUT -m ttl --ttl-eq 3 -j ACCEPT -nft add rule ip filter INPUT ip ttl 3 counter accept +nft 'add rule ip filter INPUT ip ttl 3 counter accept' iptables-translate -A INPUT -m ttl --ttl-gt 5 -j ACCEPT -nft add rule ip filter INPUT ip ttl gt 5 counter accept +nft 'add rule ip filter INPUT ip ttl gt 5 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_AUDIT.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_AUDIT.txlate
Changed
@@ -1,8 +1,8 @@ iptables-translate -t filter -A INPUT -j AUDIT --type accept -nft add rule ip filter INPUT counter log level audit +nft 'add rule ip filter INPUT counter log level audit' iptables-translate -t filter -A INPUT -j AUDIT --type drop -nft add rule ip filter INPUT counter log level audit +nft 'add rule ip filter INPUT counter log level audit' iptables-translate -t filter -A INPUT -j AUDIT --type reject -nft add rule ip filter INPUT counter log level audit +nft 'add rule ip filter INPUT counter log level audit'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_CLASSIFY.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_CLASSIFY.txlate
Changed
@@ -1,8 +1,8 @@ iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0 -nft add rule ip filter OUTPUT counter meta priority set none +nft 'add rule ip filter OUTPUT counter meta priority set none' iptables-translate -A OUTPUT -j CLASSIFY --set-class ffff:ffff -nft add rule ip filter OUTPUT counter meta priority set root +nft 'add rule ip filter OUTPUT counter meta priority set root' iptables-translate -A OUTPUT -j CLASSIFY --set-class 1:234 -nft add rule ip filter OUTPUT counter meta priority set 1:234 +nft 'add rule ip filter OUTPUT counter meta priority set 1:234'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_CONNMARK.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_CONNMARK.c
Changed
@@ -595,11 +595,11 @@ { const struct xt_connmark_tginfo2 *info = (const void *)params->target->data; - const char *shift_op = xt_connmark_shift_opsinfo->shift_dir; + const char *braces = info->shift_bits ? "( " : ""; switch (info->mode) { case XT_CONNMARK_SET: - xt_xlate_add(xl, "ct mark set "); + xt_xlate_add(xl, "ct mark set %s", braces); if (info->ctmask == 0xFFFFFFFFU) xt_xlate_add(xl, "0x%x ", info->ctmark); else if (info->ctmark == 0) @@ -615,26 +615,31 @@ info->ctmark, ~info->ctmask); break; case XT_CONNMARK_SAVE: - xt_xlate_add(xl, "ct mark set mark"); + xt_xlate_add(xl, "ct mark set %smark", braces); if (!(info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)) { if (info->nfmask == info->ctmask) xt_xlate_add(xl, " and 0x%x", info->nfmask); + else + return 0; } break; case XT_CONNMARK_RESTORE: - xt_xlate_add(xl, "meta mark set ct mark"); + xt_xlate_add(xl, "meta mark set %sct mark", braces); if (!(info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)) { if (info->nfmask == info->ctmask) xt_xlate_add(xl, " and 0x%x", info->nfmask); + else + return 0; } break; } if (info->mode <= XT_CONNMARK_RESTORE && info->shift_bits != 0) { - xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits); + xt_xlate_add(xl, " ) %s %u", + info->shift_dir ? ">>" : "<<", info->shift_bits); } return 1;
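Review bot: In the `XT_CONNMARK_SAVE` and `XT_CONNMARK_RESTORE` cases the new `return 0` is reached only after `"ct mark set %smark"` / `"meta mark set %sct mark"` has already been appended to `xl`, so a caller that does not discard the buffer on a zero return is left with a partial expression; nothing in this hunk shows how the caller treats it. Checking the masks before emitting anything avoids the question and is equivalent, since two `UINT32_MAX` masks are also equal: `case XT_CONNMARK_SAVE:` / `if (info->nfmask != info->ctmask) return 0;` / `xt_xlate_add(xl, "ct mark set %smark", braces);`, keeping only the `and 0x%x` branch under the existing all-ones test, and the same in the RESTORE case. Refusing to translate when the masks differ is the right outcome — the removed code silently emitted the rule without the mask — and a comment such as `/* nft has no equivalent for distinct nfmask/ctmask; refuse rather than emit a lossy rule */` would preserve that reasoning. The opening `braces` token and its closing `" ) "` are produced in two places; `/* shift_bits wraps the whole expression in parentheses; closed after the switch */` at the `braces` declaration would tie them together. The enclosing function starts outside the hunk.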
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_CONNMARK.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_CONNMARK.t
Changed
@@ -1,7 +1,7 @@ :PREROUTING,FORWARD,OUTPUT,POSTROUTING *mangle --j CONNMARK --restore-mark;=;OK --j CONNMARK --save-mark;=;OK --j CONNMARK --save-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --save-mark;OK --j CONNMARK --restore-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --restore-mark;OK +-j CONNMARK --restore-mark;-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff;OK +-j CONNMARK --save-mark;-j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff;OK +-j CONNMARK --save-mark --nfmask 0xfffffff --ctmask 0xffffffff;=;OK +-j CONNMARK --restore-mark --nfmask 0xfffffff --ctmask 0xffffffff;=;OK -j CONNMARK;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_CONNMARK.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_CONNMARK.txlate
Changed
@@ -1,20 +1,23 @@ iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0 -nft add rule ip mangle PREROUTING counter ct mark set 0x0 +nft 'add rule ip mangle PREROUTING counter ct mark set 0x0' iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16 -nft add rule ip mangle PREROUTING counter ct mark set 0x16 +nft 'add rule ip mangle PREROUTING counter ct mark set 0x16' iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12 -nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and 0xffffffed +nft 'add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and 0xffffffed' iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16 -nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16 +nft 'add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16' iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16 -nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16 +nft 'add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16' iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark -nft add rule ip mangle PREROUTING counter ct mark set mark +nft 'add rule ip mangle PREROUTING counter ct mark set mark' iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark -nft add rule ip mangle PREROUTING counter meta mark set ct mark +nft 'add rule ip mangle PREROUTING counter meta mark set ct mark' + +iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x23/0x42 --right-shift-mark 5 +nft 'add rule ip mangle PREROUTING counter ct mark set ( ct mark xor 0x23 and 0xffffff9c ) >> 5'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_CONNSECMARK.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_CONNSECMARK.c
Changed
@@ -66,7 +66,8 @@ break; default: - xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); + xtables_error(OTHER_PROBLEM, + PFX "invalid mode %hhu", info->mode); } }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_CT.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_CT.c
Changed
@@ -117,7 +117,7 @@ if (!xtables_strtoul(opt, NULL, &val, 0, UINT16_MAX)) xtables_error(PARAMETER_PROBLEM, - "Cannot parse %s as a zone ID\n", opt); + "Cannot parse %s as a zone ID", opt); *zone_id = (uint16_t)val; }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_DNAT.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_DNAT.man
Changed
@@ -10,7 +10,7 @@ also be mangled), and rules should cease being examined. It takes the following options: .TP -\fB\-\-to\-destination\fP \fIipaddr\fP\fB\-\fP\fIipaddr\fP\fB:\fP\fIport\fP\fB\-\fP\fIport\fP +\fB\-\-to\-destination\fP \fIipaddr\fP\fB\-\fP\fIipaddr\fP\fB:\fP\fIport\fP\fB\-\fP\fIport\fP\fB/\fIbaseport\fP which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: @@ -18,17 +18,14 @@ If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified. -In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For -those kernels, if you specify more than one destination address, either via an -address range or multiple \-\-to\-destination options, a simple round-robin (one -after another in cycle) load balancing takes place between these addresses. -Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges -anymore. +If \fBbaseport\fP is given, the difference of the original destination port and +its value is used as offset into the mapping port range. This allows to create +shifted portmap ranges and is available since kernel version 4.18. +For a single port or \fIbaseport\fP, a service name as listed in +\fB/etc/services\fP may be used. .TP \fB\-\-random\fP -If option -\fB\-\-random\fP -is used then port mapping will be randomized (kernel >= 2.6.22). +Randomize source port mapping (kernel >= 2.6.22). .TP \fB\-\-persistent\fP Gives a client the same source-/destination-address for each connection.
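--- /dev/null
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_DNAT.txlate
@@ -0,0 +1,35 @@
+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4
+nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4'
+
+iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
+nft 'add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat to 192.168.1.1-192.168.1.10'
+
+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023
+nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4:1-1023'
+
+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random
+nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random'
+
+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
+nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent'
+
+ip6tables-translate -t nat -A prerouting -p tcp --dport 8080 -j DNAT --to-destination fec0::1234
+nft 'add rule ip6 nat prerouting tcp dport 8080 counter dnat to fec0::1234'
+
+ip6tables-translate -t nat -A prerouting -p tcp --dport 8080 -j DNAT --to-destination fec0::1234-fec0::2000
+nft 'add rule ip6 nat prerouting tcp dport 8080 counter dnat to fec0::1234-fec0::2000'
+
+ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination fec0::1234:80
+nft 'add rule ip6 nat prerouting iifname "eth1" tcp dport 8080 counter dnat to fec0::1234:80'
+
+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234:1-20
+nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234:1-20'
+
+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234-fec0::2000:1-20
+nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234-fec0::2000:1-20'
+
+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234:80 --persistent
+nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234:80 persistent'
+
+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination fec0::1234:80 --random --persistent
+nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to fec0::1234:80 random,persistent'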
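--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_DSCP.t
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_DSCP.t
@@ -1,6 +1,6 @@
 :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
 *mangle
--j DSCP --set-dscp 0;=;OK
+-j DSCP --set-dscp 0x00;=;OK
 -j DSCP --set-dscp 0x3f;=;OK
 -j DSCP --set-dscp -1;;FAIL
 -j DSCP --set-dscp 0x40;;FAIL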
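--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_DSCP.txlate
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_DSCP.txlate
@@ -1,5 +1,5 @@
 iptables-translate -A OUTPUT -j DSCP --set-dscp 1
-nft add rule ip filter OUTPUT counter ip dscp set 0x01
+nft 'add rule ip filter OUTPUT counter ip dscp set 0x01'
 
 ip6tables-translate -A OUTPUT -j DSCP --set-dscp 6
-nft add rule ip6 filter OUTPUT counter ip6 dscp set 0x06
+nft 'add rule ip6 filter OUTPUT counter ip6 dscp set 0x06'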
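--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_IDLETIMER.t
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_IDLETIMER.t
@@ -2,4 +2,4 @@
 -j IDLETIMER --timeout;;FAIL
 -j IDLETIMER --timeout 42;;FAIL
 -j IDLETIMER --timeout 42 --label foo;=;OK
--j IDLETIMER --timeout 42 --label foo --alarm;;OK
+-j IDLETIMER --timeout 42 --label bar --alarm;=;OK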
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_LOG.c
Added
@@ -0,0 +1,204 @@ +#include <stdio.h> +#include <string.h> +#define SYSLOG_NAMES +#include <syslog.h> +#include <xtables.h> +#include <linux/netfilter/xt_LOG.h> + +#define LOG_DEFAULT_LEVEL LOG_WARNING + +enum { + /* make sure the values correspond with XT_LOG_* bit positions */ + O_LOG_TCPSEQ = 0, + O_LOG_TCPOPTS, + O_LOG_IPOPTS, + O_LOG_UID, + __O_LOG_NFLOG, + O_LOG_MAC, + O_LOG_LEVEL, + O_LOG_PREFIX, +}; + +static void LOG_help(void) +{ + printf( +"LOG target options:\n" +" --log-level level Level of logging (numeric or see syslog.conf)\n" +" --log-prefix prefix Prefix log messages with this prefix.\n" +" --log-tcp-sequence Log TCP sequence numbers.\n" +" --log-tcp-options Log TCP options.\n" +" --log-ip-options Log IP options.\n" +" --log-uid Log UID owning the local socket.\n" +" --log-macdecode Decode MAC addresses and protocol.\n"); +} + +#define s struct xt_log_info +static const struct xt_option_entry LOG_opts = { + {.name = "log-level", .id = O_LOG_LEVEL, .type = XTTYPE_SYSLOGLEVEL, + .flags = XTOPT_PUT, XTOPT_POINTER(s, level)}, + {.name = "log-prefix", .id = O_LOG_PREFIX, .type = XTTYPE_STRING, + .flags = XTOPT_PUT, XTOPT_POINTER(s, prefix), .min = 1}, + {.name = "log-tcp-sequence", .id = O_LOG_TCPSEQ, .type = XTTYPE_NONE}, + {.name = "log-tcp-options", .id = O_LOG_TCPOPTS, .type = XTTYPE_NONE}, + {.name = "log-ip-options", .id = O_LOG_IPOPTS, .type = XTTYPE_NONE}, + {.name = "log-uid", .id = O_LOG_UID, .type = XTTYPE_NONE}, + {.name = "log-macdecode", .id = O_LOG_MAC, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; +#undef s + +static void LOG_init(struct xt_entry_target *t) +{ + struct xt_log_info *loginfo = (void *)t->data; + + loginfo->level = LOG_DEFAULT_LEVEL; +} + +static void LOG_parse(struct xt_option_call *cb) +{ + struct xt_log_info *info = cb->data; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_LOG_PREFIX: + if (strchr(cb->arg, '\n') != NULL) + xtables_error(PARAMETER_PROBLEM, + "Newlines not allowed in --log-prefix"); + 
break; + case O_LOG_TCPSEQ: + case O_LOG_TCPOPTS: + case O_LOG_IPOPTS: + case O_LOG_UID: + case O_LOG_MAC: + info->logflags |= 1 << cb->entry->id; + break; + } +} + +static const char *priority2name(unsigned char level) +{ + int i; + + for (i = 0; prioritynamesi.c_name; ++i) { + if (level == prioritynamesi.c_val) + return prioritynamesi.c_name; + } + return NULL; +} + +static void LOG_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_log_info *loginfo = (const void *)target->data; + + printf(" LOG"); + if (numeric) + printf(" flags %u level %u", + loginfo->logflags, loginfo->level); + else { + const char *pname = priority2name(loginfo->level); + + if (pname) + printf(" level %s", pname); + else + printf(" UNKNOWN level %u", loginfo->level); + if (loginfo->logflags & XT_LOG_TCPSEQ) + printf(" tcp-sequence"); + if (loginfo->logflags & XT_LOG_TCPOPT) + printf(" tcp-options"); + if (loginfo->logflags & XT_LOG_IPOPT) + printf(" ip-options"); + if (loginfo->logflags & XT_LOG_UID) + printf(" uid"); + if (loginfo->logflags & XT_LOG_MACDECODE) + printf(" macdecode"); + if (loginfo->logflags & ~(XT_LOG_MASK)) + printf(" unknown-flags"); + } + + if (strcmp(loginfo->prefix, "") != 0) + printf(" prefix \"%s\"", loginfo->prefix); +} + +static void LOG_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_log_info *loginfo = (const void *)target->data; + + if (strcmp(loginfo->prefix, "") != 0) { + printf(" --log-prefix"); + xtables_save_string(loginfo->prefix); + } + + if (loginfo->level != LOG_DEFAULT_LEVEL) + printf(" --log-level %d", loginfo->level); + + if (loginfo->logflags & XT_LOG_TCPSEQ) + printf(" --log-tcp-sequence"); + if (loginfo->logflags & XT_LOG_TCPOPT) + printf(" --log-tcp-options"); + if (loginfo->logflags & XT_LOG_IPOPT) + printf(" --log-ip-options"); + if (loginfo->logflags & XT_LOG_UID) + printf(" --log-uid"); + if (loginfo->logflags & XT_LOG_MACDECODE) + printf(" --log-macdecode"); +} + 
+static int LOG_xlate(struct xt_xlate *xl, + const struct xt_xlate_tg_params *params) +{ + const struct xt_log_info *loginfo = (const void *)params->target->data; + const char *pname = priority2name(loginfo->level); + + xt_xlate_add(xl, "log"); + if (strcmp(loginfo->prefix, "") != 0) + xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix); + + if (loginfo->level != LOG_DEFAULT_LEVEL && pname) + xt_xlate_add(xl, " level %s", pname); + else if (!pname) + return 0; + + if ((loginfo->logflags & XT_LOG_MASK) == XT_LOG_MASK) { + xt_xlate_add(xl, " flags all"); + } else { + if (loginfo->logflags & (XT_LOG_TCPSEQ | XT_LOG_TCPOPT)) { + const char *delim = " "; + + xt_xlate_add(xl, " flags tcp"); + if (loginfo->logflags & XT_LOG_TCPSEQ) { + xt_xlate_add(xl, " sequence"); + delim = ","; + } + if (loginfo->logflags & XT_LOG_TCPOPT) + xt_xlate_add(xl, "%soptions", delim); + } + if (loginfo->logflags & XT_LOG_IPOPT) + xt_xlate_add(xl, " flags ip options"); + if (loginfo->logflags & XT_LOG_UID) + xt_xlate_add(xl, " flags skuid"); + if (loginfo->logflags & XT_LOG_MACDECODE) + xt_xlate_add(xl, " flags ether"); + } + + return 1; +} +static struct xtables_target log_tg_reg = { + .name = "LOG", + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_log_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_log_info)), + .help = LOG_help, + .init = LOG_init, + .print = LOG_print, + .save = LOG_save, + .x6_parse = LOG_parse, + .x6_options = LOG_opts, + .xlate = LOG_xlate, +}; + +void _init(void) +{ + xtables_register_target(&log_tg_reg); +}
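Review bot: LOG_parse rejects only a newline in --log-prefix, so other control bytes (carriage return, ESC) still pass the check and are written verbatim into the syslog line by the kernel, where a viewer may interpret them; tightening the test to `if (strchr(cb->arg, '\n') != NULL || strchr(cb->arg, '\r') != NULL)`, or rejecting any byte for which isprint() is false when non-ASCII prefixes are not required, closes that gap. The same function's `info->logflags |= 1 << cb->entry->id;` silently depends on the enum above mirroring the XT_LOG_* bit positions; a comment at the shift such as `/* option id doubles as the XT_LOG_* bit index, see enum O_LOG_* */` would keep the next person from reordering the enum. LOG_print emits the prefix with a bare `"%s"` while LOG_save goes through xtables_save_string, so the two listings differ for prefixes containing quotes; presumably intentional, but worth a one-line note.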
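--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_LOG.man
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_LOG.man
@@ -30,3 +30,6 @@
 .TP
 \fB\-\-log\-uid\fP
 Log the userid of the process which generated the packet.
+.TP
+\fB\-\-log\-macdecode\fP
+Log MAC addresses and protocol.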
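--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_MARK.c
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_MARK.c
@@ -77,8 +77,7 @@
 " --set-mark value/mask Clear bits in mask and OR value into nfmark\n"
 " --and-mark bits Binary AND the nfmark with bits\n"
 " --or-mark bits Binary OR the nfmark with bits\n"
-" --xor-mark bits Binary XOR the nfmark with bits\n"
-"\n");
+" --xor-mark bits Binary XOR the nfmark with bits\n");
 }
 
 static void MARK_parse_v0(struct xt_option_call *cb)
@@ -367,6 +366,8 @@
 case XT_MARK_OR:
 xt_xlate_add(xl, "mark or 0x%x ", (uint32_t)markinfo->mark);
 break;
+default:
+return 0;
 }
 
 return 1;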
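Review bot: The new `default: return 0;` in the xlate switch (second hunk) carries no explanation of which mark modes it covers or why they yield no translation, so a reader of a partially translated ruleset has nothing to go on; `default: /* mode without an nft translation, report failure */ return 0;` would do. The enclosing xlate function starts outside the hunk, so the other case labels are not visible here.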
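--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_MARK.t
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_MARK.t
@@ -1,7 +1,7 @@
 :INPUT,FORWARD,OUTPUT
 -j MARK --set-xmark 0xfeedcafe/0xfeedcafe;=;OK
--j MARK --set-xmark 0;=;OK
--j MARK --set-xmark 4294967295;-j MARK --set-xmark 0xffffffff;OK
+-j MARK --set-xmark 0x0;-j MARK --set-xmark 0x0/0xffffffff;OK
+-j MARK --set-xmark 4294967295;-j MARK --set-xmark 0xffffffff/0xffffffff;OK
 -j MARK --set-xmark 4294967296;;FAIL
 -j MARK --set-xmark -1;;FAIL
 -j MARK;;FAIL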
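--- a/_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_MARK.txlate
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_MARK.txlate
@@ -1,26 +1,26 @@
 iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 0
-nft add rule ip mangle OUTPUT counter meta mark set 0x0
+nft 'add rule ip mangle OUTPUT counter meta mark set 0x0'
 
 iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
-nft add rule ip mangle OUTPUT counter meta mark set 0x40
+nft 'add rule ip mangle OUTPUT counter meta mark set 0x40'
 
 iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark 0x40/0x32
-nft add rule ip mangle OUTPUT counter meta mark set mark and 0xffffffcd xor 0x40
+nft 'add rule ip mangle OUTPUT counter meta mark set mark and 0xffffffcd xor 0x40'
 
 iptables-translate -t mangle -A OUTPUT -j MARK --or-mark 64
-nft add rule ip mangle OUTPUT counter meta mark set mark or 0x40
+nft 'add rule ip mangle OUTPUT counter meta mark set mark or 0x40'
 
 iptables-translate -t mangle -A OUTPUT -j MARK --and-mark 64
-nft add rule ip mangle OUTPUT counter meta mark set mark and 0x40
+nft 'add rule ip mangle OUTPUT counter meta mark set mark and 0x40'
 
 iptables-translate -t mangle -A OUTPUT -j MARK --xor-mark 64
-nft add rule ip mangle OUTPUT counter meta mark set mark xor 0x40
+nft 'add rule ip mangle OUTPUT counter meta mark set mark xor 0x40'
 
 iptables-translate -t mangle -A PREROUTING -j MARK --set-mark 0x64
-nft add rule ip mangle PREROUTING counter meta mark set 0x64
+nft 'add rule ip mangle PREROUTING counter meta mark set 0x64'
 
 iptables-translate -t mangle -A PREROUTING -j MARK --and-mark 0x64
-nft add rule ip mangle PREROUTING counter meta mark set mark and 0x64
+nft 'add rule ip mangle PREROUTING counter meta mark set mark and 0x64'
 
 iptables-translate -t mangle -A PREROUTING -j MARK --or-mark 0x64
-nft add rule ip mangle PREROUTING counter meta mark set mark or 0x64
+nft 'add rule ip mangle PREROUTING counter meta mark set mark or 0x64'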
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_MASQUERADE.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_MASQUERADE.man
Changed
@@ -20,16 +20,10 @@ \fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP. .TP \fB\-\-random\fP -Randomize source port mapping -If option -\fB\-\-random\fP -is used then port mapping will be randomized (kernel >= 2.6.21). +Randomize source port mapping (kernel >= 2.6.21). Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random-fully\fP. .TP \fB\-\-random-fully\fP -Full randomize source port mapping -If option -\fB\-\-random-fully\fP -is used then port mapping will be fully randomized (kernel >= 3.13). +Fully randomize source port mapping (kernel >= 3.13). .TP IPv6 support available since Linux kernels >= 3.7.
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NAT.c
Added
@@ -0,0 +1,646 @@ +/* + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> + * + * Based on Rusty Russell's IPv4 DNAT target. Development of IPv6 NAT + * funded by Astaro. + */ + +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <xtables.h> +#include <iptables.h> /* get_kernel_version */ +#include <limits.h> /* INT_MAX in ip_tables.h */ +#include <arpa/inet.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv6/ip6_tables.h> +#include <linux/netfilter/nf_nat.h> + +#define TO_IPV4_MRC(ptr) ((const struct nf_nat_ipv4_multi_range_compat *)(ptr)) +#define RANGE2_INIT_FROM_IPV4_MRC(ptr) { \ + .flags = TO_IPV4_MRC(ptr)->range0.flags, \ + .min_addr.ip = TO_IPV4_MRC(ptr)->range0.min_ip, \ + .max_addr.ip = TO_IPV4_MRC(ptr)->range0.max_ip, \ + .min_proto = TO_IPV4_MRC(ptr)->range0.min, \ + .max_proto = TO_IPV4_MRC(ptr)->range0.max, \ +}; +#define TO_NF_NAT_RANGE(ptr) ((const struct nf_nat_range *)(ptr)) +#define RANGE2_INIT_FROM_RANGE(ptr) { \ + .flags = TO_NF_NAT_RANGE(ptr)->flags, \ + .min_addr = TO_NF_NAT_RANGE(ptr)->min_addr, \ + .max_addr = TO_NF_NAT_RANGE(ptr)->max_addr, \ + .min_proto = TO_NF_NAT_RANGE(ptr)->min_proto, \ + .max_proto = TO_NF_NAT_RANGE(ptr)->max_proto, \ +}; + +enum { + O_TO_DEST = 0, + O_TO_SRC, + O_TO_PORTS, + O_RANDOM, + O_RANDOM_FULLY, + O_PERSISTENT, +}; + +static void SNAT_help(void) +{ + printf( +"SNAT target options:\n" +" --to-source <ipaddr>-<ipaddr>:port-port\n" +" Address to map source to.\n" +"--random --random-fully --persistent\n"); +} + +static void MASQUERADE_help(void) +{ + printf( +"MASQUERADE target options:\n" +" --to-ports <port>-<port>\n" +" Port (range) to map to.\n" +" --random\n" +" Randomize source port.\n" +" --random-fully\n" +" Fully randomize source port.\n"); +} + +static void DNAT_help(void) +{ + printf( +"DNAT target options:\n" +" --to-destination <ipaddr>-<ipaddr>:port-port\n" +" Address to map destination to.\n" +"--random --persistent\n"); +} + 
+static void DNAT_help_v2(void) +{ + printf( +"DNAT target options:\n" +" --to-destination <ipaddr>-<ipaddr>:port-port/port\n" +" Address to map destination to.\n" +"--random --persistent\n"); +} + +static void REDIRECT_help(void) +{ + printf( +"REDIRECT target options:\n" +" --to-ports <port>-<port>\n" +" Port (range) to map to.\n" +" --random\n"); +} + +static const struct xt_option_entry SNAT_opts = { + {.name = "to-source", .id = O_TO_SRC, .type = XTTYPE_STRING, + .flags = XTOPT_MAND}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, + {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +static const struct xt_option_entry MASQUERADE_opts = { + {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +static const struct xt_option_entry DNAT_opts = { + {.name = "to-destination", .id = O_TO_DEST, .type = XTTYPE_STRING, + .flags = XTOPT_MAND}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +static const struct xt_option_entry REDIRECT_opts = { + {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, + {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + XTOPT_TABLEEND, +}; + +/* Parses ports */ +static void +parse_ports(const char *arg, bool portok, struct nf_nat_range2 *range) +{ + unsigned int port, maxport, baseport; + char *end = NULL; + + if (!portok) + xtables_error(PARAMETER_PROBLEM, + "Need TCP, UDP, SCTP or DCCP with port specification"); + + range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; + + if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) { + port = xtables_service_to_port(arg, NULL); + if (port == (unsigned)-1) + xtables_error(PARAMETER_PROBLEM, + "Port `%s' 
not valid", arg); + end = ""; + } + + switch (*end) { + case '\0': + range->min_proto.tcp.port + = range->max_proto.tcp.port + = htons(port); + return; + case '-': + arg = end + 1; + break; + case ':': + xtables_error(PARAMETER_PROBLEM, + "Invalid port:port syntax - use dash"); + default: + xtables_error(PARAMETER_PROBLEM, + "Garbage after port value: `%s'", end); + } + + /* it is a range, don't allow service names here */ + if (!xtables_strtoui(arg, &end, &maxport, 0, UINT16_MAX)) + xtables_error(PARAMETER_PROBLEM, "Port `%s' not valid", arg); + + if (maxport < port) + /* People are stupid. */ + xtables_error(PARAMETER_PROBLEM, + "Port range `%s' funky", arg); + + range->min_proto.tcp.port = htons(port); + range->max_proto.tcp.port = htons(maxport); + + switch (*end) { + case '\0': + return; + case '/': + arg = end + 1; + break; + default: + xtables_error(PARAMETER_PROBLEM, + "Garbage after port range: `%s'", end); + } + + if (!xtables_strtoui(arg, &end, &baseport, 1, UINT16_MAX)) { + baseport = xtables_service_to_port(arg, NULL); + if (baseport == (unsigned)-1) + xtables_error(PARAMETER_PROBLEM, + "Port `%s' not valid", arg); + } + + range->flags |= NF_NAT_RANGE_PROTO_OFFSET; + range->base_proto.tcp.port = htons(baseport); +} + +/* Ranges expected in network order. */ +static void +parse_to(const char *orig_arg, bool portok, + struct nf_nat_range2 *range, int family) +{ + char *arg, *start, *end, *colon, *dash; + + arg = xtables_strdup(orig_arg); + start = strchr(arg, ''); + if (!start) { + start = arg; + /* Lets assume one colon is port information. + * Otherwise its an IPv6 address */ + colon = strchr(arg, ':'); + if (colon && strchr(colon + 1, ':')) + colon = NULL; + } else { + start++; + end = strchr(start, ''); + if (end == NULL || family == AF_INET) + xtables_error(PARAMETER_PROBLEM, + "Invalid address format"); + + *end = '\0'; + colon = strchr(end + 1, ':'); + } + + if (colon) { + parse_ports(colon + 1, portok, range); + + /* Starts with colon or colon? 
No IP info...*/ + if (colon == arg || colon == arg + 2) { + free(arg); + return; + } + *colon = '\0'; + } + + range->flags |= NF_NAT_RANGE_MAP_IPS; + dash = strchr(start, '-'); + if (colon && dash && dash > colon) + dash = NULL; + + if (dash) + *dash = '\0'; + + if (!inet_pton(family, start, &range->min_addr)) + xtables_error(PARAMETER_PROBLEM, + "Bad IP address \"%s\"", start); + if (dash) { + if (!inet_pton(family, dash + 1, &range->max_addr)) + xtables_error(PARAMETER_PROBLEM, + "Bad IP address \"%s\"", dash + 1); + } else { + range->max_addr = range->min_addr; + } + free(arg); + return; +} + +static void __NAT_parse(struct xt_option_call *cb, __u16 proto, + struct nf_nat_range2 *range, int family) +{ + bool portok = proto == IPPROTO_TCP || + proto == IPPROTO_UDP || + proto == IPPROTO_SCTP || + proto == IPPROTO_DCCP || + proto == IPPROTO_ICMP; + + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_TO_DEST: + case O_TO_SRC: + parse_to(cb->arg, portok, range, family); + break; + case O_TO_PORTS: + parse_ports(cb->arg, portok, range); + break; + case O_PERSISTENT: + range->flags |= NF_NAT_RANGE_PERSISTENT; + break; + case O_RANDOM: + range->flags |= NF_NAT_RANGE_PROTO_RANDOM; + break; + case O_RANDOM_FULLY: + range->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; + break; + } +} + +static void NAT_parse(struct xt_option_call *cb) +{ + struct nf_nat_ipv4_multi_range_compat *mr = (void *)cb->data; + const struct ipt_entry *entry = cb->xt_entry; + struct nf_nat_range2 range = {}; + + __NAT_parse(cb, entry->ip.proto, &range, AF_INET); + + switch (cb->entry->id) { + case O_TO_DEST: + case O_TO_SRC: + mr->range->min_ip = range.min_addr.ip; + mr->range->max_ip = range.max_addr.ip; + /* fall through */ + case O_TO_PORTS: + mr->range->min = range.min_proto; + mr->range->max = range.max_proto; + /* fall through */ + case O_PERSISTENT: + case O_RANDOM: + case O_RANDOM_FULLY: + mr->range->flags |= range.flags; + break; + } +} + +static void NAT_parse6(struct 
xt_option_call *cb) +{ + struct nf_nat_range2 range = RANGE2_INIT_FROM_RANGE(cb->data); + struct nf_nat_range *range_v1 = (void *)cb->data; + const struct ip6t_entry *entry = cb->xt_entry; + + __NAT_parse(cb, entry->ipv6.proto, &range, AF_INET6); + memcpy(range_v1, &range, sizeof(*range_v1)); +} + +static void DNAT_parse_v2(struct xt_option_call *cb) +{ + const struct ipt_entry *entry = cb->xt_entry; + + __NAT_parse(cb, entry->ip.proto, cb->data, AF_INET); +} + +static void DNAT_parse6_v2(struct xt_option_call *cb) +{ + const struct ip6t_entry *entry = cb->xt_entry; + + __NAT_parse(cb, entry->ipv6.proto, cb->data, AF_INET6); +} + +static void SNAT_fcheck(struct xt_fcheck_call *cb) +{ + struct nf_nat_ipv4_multi_range_compat *mr = cb->data; + + mr->rangesize = 1; +} + +static void DNAT_fcheck(struct xt_fcheck_call *cb) +{ + struct nf_nat_ipv4_multi_range_compat *mr = cb->data; + + mr->rangesize = 1; + + if (mr->range0.flags & NF_NAT_RANGE_PROTO_OFFSET) + xtables_error(PARAMETER_PROBLEM, + "Shifted portmap ranges not supported with this kernel"); +} + +static void DNAT_fcheck6(struct xt_fcheck_call *cb) +{ + struct nf_nat_range *range = (void *)cb->data; + + if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) + xtables_error(PARAMETER_PROBLEM, + "Shifted portmap ranges not supported with this kernel"); +} + +static char *sprint_range(const struct nf_nat_range2 *r, int family) +{ + bool brackets = family == AF_INET6 && + r->flags & NF_NAT_RANGE_PROTO_SPECIFIED; + static char bufINET6_ADDRSTRLEN * 2 + 3 + 6 * 3; + + buf0 = '\0'; + + if (r->flags & NF_NAT_RANGE_MAP_IPS) { + if (brackets) + strcat(buf, ""); + inet_ntop(family, &r->min_addr, + buf + strlen(buf), INET6_ADDRSTRLEN); + if (memcmp(&r->min_addr, &r->max_addr, sizeof(r->min_addr))) { + strcat(buf, "-"); + inet_ntop(family, &r->max_addr, + buf + strlen(buf), INET6_ADDRSTRLEN); + } + if (brackets) + strcat(buf, ""); + } + if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + sprintf(buf + strlen(buf), ":%hu", + 
ntohs(r->min_proto.tcp.port)); + if (r->max_proto.tcp.port != r->min_proto.tcp.port) + sprintf(buf + strlen(buf), "-%hu", + ntohs(r->max_proto.tcp.port)); + if (r->flags & NF_NAT_RANGE_PROTO_OFFSET) + sprintf(buf + strlen(buf), "/%hu", + ntohs(r->base_proto.tcp.port)); + } + return buf; +} + +static void __NAT_print(const struct nf_nat_range2 *r, int family, + const char *rangeopt, const char *flag_pfx, + bool skip_colon) +{ + char *range_str = sprint_range(r, family); + + if (strlen(range_str)) { + if (range_str0 == ':' && skip_colon) + range_str++; + printf(" %s%s", rangeopt, range_str); + } + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) + printf(" %srandom", flag_pfx); + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" %srandom-fully", flag_pfx); + if (r->flags & NF_NAT_RANGE_PERSISTENT) + printf(" %spersistent", flag_pfx); +} + +static int +__NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r, + int family, const char *tgt) +{ + char *range_str = sprint_range(r, family); + const char *sep = " "; + + /* shifted portmap ranges are not supported by nftables */ + if (r->flags & NF_NAT_RANGE_PROTO_OFFSET) + return 0; + + xt_xlate_add(xl, tgt); + if (strlen(range_str)) + xt_xlate_add(xl, " to %s", range_str); + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) { + xt_xlate_add(xl, "%srandom", sep); + sep = ","; + } + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { + xt_xlate_add(xl, "%sfully-random", sep); + sep = ","; + } + if (r->flags & NF_NAT_RANGE_PERSISTENT) { + xt_xlate_add(xl, "%spersistent", sep); + sep = ","; + } + return 1; +} + +#define PSX_GEN(name, converter, family, \ + print_rangeopt, save_rangeopt, skip_colon, xlate) \ +static void name##_print(const void *ip, const struct xt_entry_target *target, \ + int numeric) \ +{ \ + struct nf_nat_range2 range = converter(target->data); \ + \ + __NAT_print(&range, family, print_rangeopt, "", skip_colon); \ +} \ +static void name##_save(const void *ip, const struct xt_entry_target *target) \ +{ \ + 
struct nf_nat_range2 range = converter(target->data); \ + \ + __NAT_print(&range, family, save_rangeopt, "--", skip_colon); \ +} \ +static int name##_xlate(struct xt_xlate *xl, \ + const struct xt_xlate_tg_params *params) \ +{ \ + struct nf_nat_range2 range = converter(params->target->data); \ + \ + return __NAT_xlate(xl, &range, family, xlate); \ +} + +PSX_GEN(DNAT, RANGE2_INIT_FROM_IPV4_MRC, \ + AF_INET, "to:", "--to-destination ", false, "dnat") + +PSX_GEN(DNATv2, *(struct nf_nat_range2 *), \ + AF_INET, "to:", "--to-destination ", false, "dnat") + +PSX_GEN(DNAT6, RANGE2_INIT_FROM_RANGE, \ + AF_INET6, "to:", "--to-destination ", false, "dnat") + +PSX_GEN(DNAT6v2, *(struct nf_nat_range2 *), \ + AF_INET6, "to:", "--to-destination ", false, "dnat") + +PSX_GEN(REDIRECT, RANGE2_INIT_FROM_IPV4_MRC, \ + AF_INET, "redir ports ", "--to-ports ", true, "redirect") + +PSX_GEN(REDIRECT6, RANGE2_INIT_FROM_RANGE, \ + AF_INET6, "redir ports ", "--to-ports ", true, "redirect") + +PSX_GEN(SNAT, RANGE2_INIT_FROM_IPV4_MRC, \ + AF_INET, "to:", "--to-source ", false, "snat") + +PSX_GEN(SNAT6, RANGE2_INIT_FROM_RANGE, \ + AF_INET6, "to:", "--to-source ", false, "snat") + +PSX_GEN(MASQUERADE, RANGE2_INIT_FROM_IPV4_MRC, \ + AF_INET, "masq ports: ", "--to-ports ", true, "masquerade") + +PSX_GEN(MASQUERADE6, RANGE2_INIT_FROM_RANGE, \ + AF_INET6, "masq ports: ", "--to-ports ", true, "masquerade") + +static struct xtables_target nat_tg_reg = { + { + .name = "SNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .help = SNAT_help, + .x6_parse = NAT_parse, + .x6_fcheck = SNAT_fcheck, + .print = SNAT_print, + .save = SNAT_save, + .x6_options = SNAT_opts, + .xlate = SNAT_xlate, + }, + { + .name = "DNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .revision = 0, + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + 
.userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .help = DNAT_help, + .print = DNAT_print, + .save = DNAT_save, + .x6_parse = NAT_parse, + .x6_fcheck = DNAT_fcheck, + .x6_options = DNAT_opts, + .xlate = DNAT_xlate, + }, + { + .name = "MASQUERADE", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .help = MASQUERADE_help, + .x6_parse = NAT_parse, + .x6_fcheck = SNAT_fcheck, + .print = MASQUERADE_print, + .save = MASQUERADE_save, + .x6_options = MASQUERADE_opts, + .xlate = MASQUERADE_xlate, + }, + { + .name = "MASQUERADE", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = MASQUERADE_help, + .x6_parse = NAT_parse6, + .print = MASQUERADE6_print, + .save = MASQUERADE6_save, + .x6_options = MASQUERADE_opts, + .xlate = MASQUERADE6_xlate, + }, + { + .name = "REDIRECT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .revision = 0, + .size = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat)), + .help = REDIRECT_help, + .print = REDIRECT_print, + .save = REDIRECT_save, + .x6_parse = NAT_parse, + .x6_fcheck = DNAT_fcheck, + .x6_options = REDIRECT_opts, + .xlate = REDIRECT_xlate, + }, + { + .name = "SNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .revision = 1, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = SNAT_help, + .x6_parse = NAT_parse6, + .print = SNAT6_print, + .save = SNAT6_save, + .x6_options = SNAT_opts, + .xlate = SNAT6_xlate, + }, + { + .name = "DNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .revision = 1, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = 
XT_ALIGN(sizeof(struct nf_nat_range)), + .help = DNAT_help, + .print = DNAT6_print, + .save = DNAT6_save, + .x6_parse = NAT_parse6, + .x6_fcheck = DNAT_fcheck6, + .x6_options = DNAT_opts, + .xlate = DNAT6_xlate, + }, + { + .name = "REDIRECT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct nf_nat_range)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)), + .help = REDIRECT_help, + .print = REDIRECT6_print, + .save = REDIRECT6_save, + .x6_parse = NAT_parse6, + .x6_fcheck = DNAT_fcheck6, + .x6_options = REDIRECT_opts, + .xlate = REDIRECT6_xlate, + }, + { + .name = "DNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .revision = 2, + .size = XT_ALIGN(sizeof(struct nf_nat_range2)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), + .help = DNAT_help_v2, + .print = DNATv2_print, + .save = DNATv2_save, + .x6_parse = DNAT_parse_v2, + .x6_options = DNAT_opts, + .xlate = DNATv2_xlate, + }, + { + .name = "DNAT", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .revision = 2, + .size = XT_ALIGN(sizeof(struct nf_nat_range2)), + .userspacesize = XT_ALIGN(sizeof(struct nf_nat_range2)), + .help = DNAT_help_v2, + .print = DNAT6v2_print, + .save = DNAT6v2_save, + .x6_parse = DNAT_parse6_v2, + .x6_options = DNAT_opts, + .xlate = DNAT6v2_xlate, + }, +}; + +void _init(void) +{ + xtables_register_targets(nat_tg_reg, ARRAY_SIZE(nat_tg_reg)); +}
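Review bot: In __NAT_parse the portok list also accepts IPPROTO_ICMP, yet the diagnostic in parse_ports reads "Need TCP, UDP, SCTP or DCCP with port specification" and every help string describes the value as port-port, so a user running with -p icmp is accepted by code whose own messages say it should be rejected, and IPPROTO_ICMPV6 is absent even though the same helper serves the IPv6 parsers. Either widen the message or state the intent beside the list, e.g. `/* NOTE: ICMP is accepted as port-capable as well; ICMPv6 is not — confirm intent */`. sprint_range hands back a static buffer filled with strcat/sprintf whose size is an unexplained arithmetic expression; a comment such as `/* two addresses, brackets and dash, then ":%hu-%hu/%hu" */` lets a reader verify the bound without redoing the sum, and a note that the result is overwritten by the next call would help callers like __NAT_print, which advances the returned pointer.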
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFLOG.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFLOG.c
Changed
@@ -5,6 +5,7 @@
 #include <getopt.h>
 
 #include <xtables.h>
+#include <linux/netfilter/nf_log.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_NFLOG.h>
@@ -53,12 +54,16 @@
 
 static void NFLOG_parse(struct xt_option_call *cb)
 {
+	char *nf_log_prefix = cb->udata;
+
 	xtables_option_parse(cb);
 	switch (cb->entry->id) {
 	case O_PREFIX:
 		if (strchr(cb->arg, '\n') != NULL)
 			xtables_error(PARAMETER_PROBLEM,
 				      "Newlines not allowed in --log-prefix");
+
+		snprintf(nf_log_prefix, NF_LOG_PREFIXLEN, "%s", cb->arg);
 		break;
 	}
 }
@@ -69,7 +74,7 @@
 
 	if (cb->xflags & F_RANGE)
 		fprintf(stderr, "warn: --nflog-range has never worked and is no"
-			" longer supported, please use --nflog-size insted\n");
+			" longer supported, please use --nflog-size instead\n");
 
 	if (cb->xflags & F_SIZE)
 		info->flags |= XT_NFLOG_F_COPY_LEN;
@@ -78,7 +83,7 @@
 static void nflog_print(const struct xt_nflog_info *info, char *prefix)
 {
 	if (info->prefix0 != '\0') {
-		printf(" %snflog-prefix ", prefix);
+		printf(" %snflog-prefix", prefix);
 		xtables_save_string(info->prefix);
 	}
 	if (info->group)
@@ -107,16 +112,12 @@
 }
 
 static void nflog_print_xlate(const struct xt_nflog_info *info,
-			      struct xt_xlate *xl, bool escape_quotes)
+			      struct xt_xlate *xl)
 {
 	xt_xlate_add(xl, "log ");
 
-	if (info->prefix0 != '\0') {
-		if (escape_quotes)
-			xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
-		else
-			xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
+	if (info->prefix0 != '\0')
+		xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
-	}
 	if (info->flags & XT_NFLOG_F_COPY_LEN)
 		xt_xlate_add(xl, "snaplen %u ", info->len);
 	if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
@@ -130,7 +131,7 @@
 	const struct xt_nflog_info *info =
 		(struct xt_nflog_info *)params->target->data;
 
-	nflog_print_xlate(info, xl, params->escape_quotes);
+	nflog_print_xlate(info, xl);
 
 	return 1;
 }
@@ -149,6 +150,7 @@
 	.save = NFLOG_save,
 	.x6_options = NFLOG_opts,
 	.xlate = NFLOG_xlate,
+	.udata_size = NF_LOG_PREFIXLEN
 };
 
 void _init(void)
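Review bot: The new `snprintf(nf_log_prefix, NF_LOG_PREFIXLEN, "%s", cb->arg);` in NFLOG_parse ignores its return value, so a prefix longer than NF_LOG_PREFIXLEN - 1 bytes is cut without any message — the libxt_NFLOG.t change in the same revision shows an over-long prefix being accepted and re-printed shorter. A log prefix is typically what log parsers and detection rules key on, so a rule silently logging under a shorter tag than the operator wrote is worth surfacing; I would at least warn, in the style of the existing `fprintf(stderr, "warn: ...")` in the third hunk: `if (snprintf(nf_log_prefix, NF_LOG_PREFIXLEN, "%s", cb->arg) >= NF_LOG_PREFIXLEN)` followed by `fprintf(stderr, "warn: --nflog-prefix truncated to %d characters\n", NF_LOG_PREFIXLEN - 1);`. Where the udata copy is consumed is not visible here, so whether this also shortens what reaches the kernel or only the nft-side representation is an inference from the test expectations.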
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFLOG.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFLOG.t
@@ -3,8 +3,10 @@
 -j NFLOG --nflog-group 65535;=;OK
 -j NFLOG --nflog-group 65536;;FAIL
 -j NFLOG --nflog-group 0;-j NFLOG;OK
--j NFLOG --nflog-range 1;=;OK
--j NFLOG --nflog-range 4294967295;=;OK
+# `--nflog-range` is broken and only supported by xtables-legacy.
+# It has been superseded by `--nflog--group`.
+-j NFLOG --nflog-range 1;=;OK;LEGACY;NOMATCH
+-j NFLOG --nflog-range 4294967295;=;OK;LEGACY;NOMATCH
 -j NFLOG --nflog-range 4294967296;;FAIL
 -j NFLOG --nflog-range -1;;FAIL
 -j NFLOG --nflog-size 0;=;OK
@@ -12,10 +14,8 @@
 -j NFLOG --nflog-size 4294967295;=;OK
 -j NFLOG --nflog-size 4294967296;;FAIL
 -j NFLOG --nflog-size -1;;FAIL
-# ERROR: cannot find: iptables -I INPUT -j NFLOG --nflog-prefix xxxxxx ...
-# -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
-# ERROR: should fail: iptables -A INPUT -j NFLOG --nflog-prefix xxxxxxx ...
-# -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK
 -j NFLOG --nflog-threshold 1;=;OK
 # ERROR: line 13 (should fail: iptables -A INPUT -j NFLOG --nflog-threshold 0
 # -j NFLOG --nflog-threshold 0;;FAIL
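Review bot: The new comment line `# It has been superseded by `--nflog--group`.` names the wrong option and carries a doubled dash: the warning added to libxt_NFLOG.c in this same revision tells users that `--nflog-range` was replaced by `--nflog-size`, while `--nflog-group` is an unrelated option that is still exercised a few lines above. Suggest `# It has been superseded by --nflog-size.` so the test file agrees with the code it exercises.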
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFLOG.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFLOG.txlate
@@ -1,14 +1,14 @@
 iptables-translate -A FORWARD -j NFLOG --nflog-group 32 --nflog-prefix "Prefix 1.0"
-nft add rule ip filter FORWARD counter log prefix \"Prefix 1.0\" group 32
+nft 'add rule ip filter FORWARD counter log prefix "Prefix 1.0" group 32'
 
 iptables-translate -A OUTPUT -j NFLOG --nflog-group 30
-nft add rule ip filter OUTPUT counter log group 30
+nft 'add rule ip filter OUTPUT counter log group 30'
 
 iptables-translate -I INPUT -j NFLOG --nflog-threshold 2
-nft insert rule ip filter INPUT counter log queue-threshold 2 group 0
+nft 'insert rule ip filter INPUT counter log queue-threshold 2 group 0'
 
 iptables-translate -I INPUT -j NFLOG --nflog-size 256
-nft insert rule ip filter INPUT counter log snaplen 256 group 0
+nft 'insert rule ip filter INPUT counter log snaplen 256 group 0'
 
 iptables-translate -I INPUT -j NFLOG --nflog-threshold 25
-nft insert rule ip filter INPUT counter log queue-threshold 25 group 0
+nft 'insert rule ip filter INPUT counter log queue-threshold 25 group 0'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFQUEUE.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFQUEUE.c
@@ -64,7 +64,7 @@
 	{.name = "queue-num", .id = O_QUEUE_NUM, .type = XTTYPE_UINT16,
 	 .flags = XTOPT_PUT, XTOPT_POINTER(s, queuenum),
 	 .excl = F_QUEUE_BALANCE},
-	{.name = "queue-balance", .id = O_QUEUE_BALANCE,
+	{.name = "queue-balance", .id = O_QUEUE_BALANCE, .max = UINT16_MAX - 1,
 	 .type = XTTYPE_UINT16RC, .excl = F_QUEUE_NUM},
 	{.name = "queue-bypass", .id = O_QUEUE_BYPASS, .type = XTTYPE_NONE},
 	{.name = "queue-cpu-fanout", .id = O_QUEUE_CPU_FANOUT,
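Review bot: `.max = UINT16_MAX - 1` on the `queue-balance` entry caps the range endpoints unconditionally, which is broader than the sentence added to libxt_NFQUEUE.man in this revision ("a lower range value of 0 limits the higher range value to 65534"): if the option parser applies `.max` to both ends of an XTTYPE_UINT16RC range, as I would expect, `--queue-balance 1:65535` is now rejected as well although that range holds only 65535 queues. Either the man page should simply state that the upper range value cannot exceed 65534, or the limit belongs in the target's fcheck where `last - first + 1` can be tested for the actual 16-bit overflow. Whichever is kept, a comment on the entry such as `/* total queue count must fit in 16 bits, so the upper bound is capped */` records why the constant is there.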
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFQUEUE.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFQUEUE.man
@@ -18,6 +18,8 @@ This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP". Packets belonging to the same connection are put into the same nfqueue. +Due to implementation details, a lower range value of 0 limits the higher range +value to 65534, i.e. one can only balance between at most 65535 queues. .PP .TP \fB\-\-queue\-bypass\fP
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFQUEUE.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFQUEUE.t
@@ -1,12 +1,11 @@
 :INPUT,FORWARD,OUTPUT
--j NFQUEUE;=;OK
+-j NFQUEUE;-j NFQUEUE --queue-num 0;OK
 -j NFQUEUE --queue-num 0;=;OK
 -j NFQUEUE --queue-num 65535;=;OK
 -j NFQUEUE --queue-num 65536;;FAIL
 -j NFQUEUE --queue-num -1;;FAIL
-# it says "NFQUEUE: number of total queues is 0", overflow in NFQUEUE_parse_v1?
-# ERROR: cannot load: iptables -A INPUT -j NFQUEUE --queue-balance 0:65535
-# -j NFQUEUE --queue-balance 0:65535;=;OK
+-j NFQUEUE --queue-balance 0:65534;=;OK
+-j NFQUEUE --queue-balance 0:65535;;FAIL
 -j NFQUEUE --queue-balance 0:65536;;FAIL
 -j NFQUEUE --queue-balance -1:65535;;FAIL
 -j NFQUEUE --queue-num 10 --queue-bypass;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NFQUEUE.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NFQUEUE.txlate
@@ -1,8 +1,8 @@
 iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30
-nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30
+nft 'add rule ip nat PREROUTING tcp dport 80 counter queue num 30'
 
 iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80
-nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass
+nft 'add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass'
 
 iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout
-nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout
+nft 'add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_NOTRACK.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_NOTRACK.txlate
@@ -1,2 +1,2 @@
 iptables-translate -A PREROUTING -t raw -j NOTRACK
-nft add rule ip raw PREROUTING counter notrack
+nft 'add rule ip raw PREROUTING counter notrack'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_REDIRECT.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_REDIRECT.man
@@ -16,10 +16,9 @@ this, the destination port is never altered. This is only valid if the rule also specifies one of the following protocols: \fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP. +For a single port, a service name as listed in \fB/etc/services\fP may be used. .TP \fB\-\-random\fP -If option -\fB\-\-random\fP -is used then port mapping will be randomized (kernel >= 2.6.22). +Randomize source port mapping (kernel >= 2.6.22). .TP IPv6 support available starting Linux kernels >= 3.7.
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_REDIRECT.t
@@ -0,0 +1,17 @@
+:PREROUTING,OUTPUT
+*nat
+-p tcp -j REDIRECT --to-ports 42;=;OK
+-p tcp -j REDIRECT --to-ports 0;=;OK
+-p tcp -j REDIRECT --to-ports 65535;=;OK
+-p tcp -j REDIRECT --to-ports 65536;;FAIL
+-p udp -j REDIRECT --to-ports 0-0;-p udp -j REDIRECT --to-ports 0;OK
+-p udp -j REDIRECT --to-ports 512-512;-p udp -j REDIRECT --to-ports 512;OK
+-p udp -j REDIRECT --to-ports 42-1234;=;OK
+-p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
+-p tcp -j REDIRECT --to-ports 42-1234/567;;FAIL
+-p tcp -j REDIRECT --to-ports ssh;-p tcp -j REDIRECT --to-ports 22;OK
+-p tcp -j REDIRECT --to-ports ftp-data;-p tcp -j REDIRECT --to-ports 20;OK
+-p tcp -j REDIRECT --to-ports ftp-ssh;;FAIL
+-p tcp -j REDIRECT --to-ports 10-ssh;;FAIL
+-j REDIRECT --to-ports 42;;FAIL
+-j REDIRECT --random;=;OK
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_REDIRECT.txlate
@@ -0,0 +1,29 @@
+iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT
+nft 'add rule ip nat prerouting tcp dport 80 counter redirect'
+
+iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 0
+nft 'add rule ip nat prerouting tcp dport 80 counter redirect to :0'
+
+iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
+nft 'add rule ip nat prerouting tcp dport 80 counter redirect to :8080'
+
+iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 0-65535
+nft 'add rule ip nat prerouting tcp dport 80 counter redirect to :0-65535'
+
+iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 10-22
+nft 'add rule ip nat prerouting tcp dport 80 counter redirect to :10-22'
+
+iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
+nft 'add rule ip nat prerouting tcp dport 80 counter redirect to :8080 random'
+
+iptables-translate -t nat -A prerouting -j REDIRECT --random
+nft 'add rule ip nat prerouting counter redirect random'
+
+ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT
+nft 'add rule ip6 nat prerouting tcp dport 80 counter redirect'
+
+ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
+nft 'add rule ip6 nat prerouting tcp dport 80 counter redirect to :8080'
+
+ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
+nft 'add rule ip6 nat prerouting tcp dport 80 counter redirect to :8080 random'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_SECMARK.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_SECMARK.c
@@ -29,6 +29,13 @@
 	XTOPT_TABLEEND,
 };
 
+static const struct xt_option_entry SECMARK_opts_v1 = {
+	{.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND | XTOPT_PUT,
+	 XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
+	XTOPT_TABLEEND,
+};
+
 static void SECMARK_parse(struct xt_option_call *cb)
 {
 	struct xt_secmark_target_info *info = cb->data;
@@ -37,15 +44,23 @@
 	info->mode = SECMARK_MODE_SEL;
 }
 
-static void print_secmark(const struct xt_secmark_target_info *info)
+static void SECMARK_parse_v1(struct xt_option_call *cb)
+{
+	struct xt_secmark_target_info_v1 *info = cb->data;
+
+	xtables_option_parse(cb);
+	info->mode = SECMARK_MODE_SEL;
+}
+
+static void print_secmark(__u8 mode, const char *secctx)
 {
-	switch (info->mode) {
+	switch (mode) {
 	case SECMARK_MODE_SEL:
-		printf("selctx %s", info->secctx);
+		printf("selctx %s", secctx);
 		break;
-
+
 	default:
-		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu", mode);
 	}
 }
 
@@ -56,7 +71,17 @@
 		(struct xt_secmark_target_info*)(target)->data;
 
 	printf(" SECMARK ");
-	print_secmark(info);
+	print_secmark(info->mode, info->secctx);
+}
+
+static void SECMARK_print_v1(const void *ip,
+			     const struct xt_entry_target *target, int numeric)
+{
+	const struct xt_secmark_target_info_v1 *info =
+		(struct xt_secmark_target_info_v1 *)(target)->data;
+
+	printf(" SECMARK ");
+	print_secmark(info->mode, info->secctx);
 }
 
 static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
@@ -65,24 +90,49 @@
 		(struct xt_secmark_target_info*)target->data;
 
 	printf(" --");
-	print_secmark(info);
+	print_secmark(info->mode, info->secctx);
 }
 
-static struct xtables_target secmark_target = {
-	.family = NFPROTO_UNSPEC,
-	.name = "SECMARK",
-	.version = XTABLES_VERSION,
-	.revision = 0,
-	.size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-	.help = SECMARK_help,
-	.print = SECMARK_print,
-	.save = SECMARK_save,
-	.x6_parse = SECMARK_parse,
-	.x6_options = SECMARK_opts,
+static void SECMARK_save_v1(const void *ip,
+			    const struct xt_entry_target *target)
+{
+	const struct xt_secmark_target_info_v1 *info =
+		(struct xt_secmark_target_info_v1 *)target->data;
+
+	printf(" --");
+	print_secmark(info->mode, info->secctx);
+}
+
+static struct xtables_target secmark_tg_reg = {
+	{
+		.family = NFPROTO_UNSPEC,
+		.name = "SECMARK",
+		.version = XTABLES_VERSION,
+		.revision = 0,
+		.size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+		.help = SECMARK_help,
+		.print = SECMARK_print,
+		.save = SECMARK_save,
+		.x6_parse = SECMARK_parse,
+		.x6_options = SECMARK_opts,
+	},
+	{
+		.family = NFPROTO_UNSPEC,
+		.name = "SECMARK",
+		.version = XTABLES_VERSION,
+		.revision = 1,
+		.size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
+		.userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
+		.help = SECMARK_help,
+		.print = SECMARK_print_v1,
+		.save = SECMARK_save_v1,
+		.x6_parse = SECMARK_parse_v1,
+		.x6_options = SECMARK_opts_v1,
+	}
 };
 
 void _init(void)
 {
-	xtables_register_target(&secmark_target);
+	xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
 }
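Review bot: The revision 1 entry sets `.userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid))`, which quietly depends on `secid` being the last member of the v1 struct and on everything before it being user-supplied; nothing on that line says so, and a later reorder of the struct would change which bytes take part in rule comparison (delete/check by content) with no compile-time signal. I would annotate the line, e.g. `/* secid is filled in by the kernel (presumably when the rule is loaded); it must not take part in the userspace comparison, so stop before it */`. The revision 0 entry keeps the full size, presumably because its layout cannot exclude secid the same way — a one-line note there too would stop the asymmetry from looking accidental.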
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_SECMARK.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_SNAT.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_SNAT.man
@@ -19,22 +19,12 @@ mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur. -In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those -kernels, if you specify more than one source address, either via an address -range or multiple \-\-to\-source options, a simple round-robin (one after another -in cycle) takes place between these addresses. -Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges -anymore. .TP \fB\-\-random\fP -If option -\fB\-\-random\fP -is used then port mapping will be randomized through a hash-based algorithm (kernel >= 2.6.21). +Randomize source port mapping through a hash-based algorithm (kernel >= 2.6.21). .TP \fB\-\-random-fully\fP -If option -\fB\-\-random-fully\fP -is used then port mapping will be fully randomized through a PRNG (kernel >= 3.14). +Fully randomize source port mapping through a PRNG (kernel >= 3.14). .TP \fB\-\-persistent\fP Gives a client the same source-/destination-address for each connection.
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_SYNPROXY.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_SYNPROXY.txlate
@@ -1,2 +1,2 @@
 iptables-translate -t mangle -A INPUT -i iifname -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-nft add rule ip mangle INPUT iifname "iifname" tcp dport 80 ct state invalid,untracked counter synproxy sack-perm timestamp wscale 7 mss 1460
+nft 'add rule ip mangle INPUT iifname "iifname" tcp dport 80 ct state invalid,untracked counter synproxy sack-perm timestamp wscale 7 mss 1460'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TCPMSS.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TCPMSS.c
@@ -131,6 +131,7 @@
 		.x6_parse = TCPMSS_parse,
 		.x6_fcheck = TCPMSS_check,
 		.x6_options = TCPMSS6_opts,
+		.xlate = TCPMSS_xlate,
 	},
 };
 
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TCPMSS.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TCPMSS.t
@@ -1,6 +1,6 @@
 :FORWARD,OUTPUT,POSTROUTING
 *mangle
 -j TCPMSS;;FAIL
--p tcp -j TCPMSS --set-mss 42;;FAIL
+-p tcp -j TCPMSS --set-mss 42;;FAIL;LEGACY
 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 42;=;OK
 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TCPMSS.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TCPMSS.txlate
@@ -1,5 +1,5 @@
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+nft 'add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu'
 
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 90
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set 90
+nft 'add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set 90'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TCPOPTSTRIP.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TCPOPTSTRIP.c
@@ -142,6 +142,13 @@
 	}
 }
 
+static bool tcpoptstrip_empty(const struct xt_tcpoptstrip_target_info *info)
+{
+	static const struct xt_tcpoptstrip_target_info empty = {};
+
+	return memcmp(info, &empty, sizeof(empty)) == 0;
+}
+
 static void tcpoptstrip_tg_print(const void *ip,
                                  const struct xt_entry_target *target,
                                  int numeric)
@@ -149,6 +156,9 @@
 	const struct xt_tcpoptstrip_target_info *info =
 		(const void *)target->data;
 
+	if (tcpoptstrip_empty(info))
+		return;
+
 	printf(" TCPOPTSTRIP options ");
 	tcpoptstrip_print_list(info, numeric);
 }
@@ -159,6 +169,9 @@
 	const struct xt_tcpoptstrip_target_info *info =
 		(const void *)target->data;
 
+	if (tcpoptstrip_empty(info))
+		return;
+
 	printf(" --strip-options ");
 	tcpoptstrip_print_list(info, true);
 }
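Review bot: `static const struct xt_tcpoptstrip_target_info empty = {};` in the new tcpoptstrip_empty relies on the empty-brace initializer, a GNU extension that only became standard in C23; `= { 0 };` is equivalent and portable. The early `return` added to the save function also means an all-zero bitmap is written out as a bare `-j TCPOPTSTRIP`, which only restores cleanly if `--strip-options` is optional at parse time (not visible here), so the helper deserves a comment stating what case it is for, e.g. `/* an all-zero bitmap has nothing to print; do not emit an empty --strip-options */`.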
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TEE.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TEE.txlate
@@ -1,11 +1,11 @@
 # iptables-translate -t mangle -A PREROUTING -j TEE --gateway 192.168.0.2 --oif eth0
-# nft add rule ip mangle PREROUTING counter dup to 192.168.0.2 device eth0
+# nft 'add rule ip mangle PREROUTING counter dup to 192.168.0.2 device eth0
 #
 # iptables-translate -t mangle -A PREROUTING -j TEE --gateway 192.168.0.2
-# nft add rule ip mangle PREROUTING counter dup to 192.168.0.2
+# nft 'add rule ip mangle PREROUTING counter dup to 192.168.0.2
 
 ip6tables-translate -t mangle -A PREROUTING -j TEE --gateway ab12:00a1:1112:acba::
-nft add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba::
+nft 'add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba::'
 
 ip6tables-translate -t mangle -A PREROUTING -j TEE --gateway ab12:00a1:1112:acba:: --oif eth0
-nft add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba:: device eth0
+nft 'add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba:: device eth0'
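Review bot: The two commented-out IPv4 expectations now read `# nft 'add rule ip mangle PREROUTING counter dup to 192.168.0.2 device eth0` and `# nft 'add rule ip mangle PREROUTING counter dup to 192.168.0.2` — the opening single quote was added but the closing one was not, unlike the two live ip6 cases below them. The runner presumably skips `#` lines so nothing fails today, but whoever re-enables these cases inherits a shell quoting error; add the trailing `'` to both lines now.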
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TOS.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TOS.c
@@ -183,28 +183,41 @@
 	printf(" --set-tos 0x%02x/0x%02x",
 	       info->tos_value, info->tos_mask);
 }
 
+static int __tos_xlate(struct xt_xlate *xl, const char *ip,
+		       uint8_t tos, uint8_t tosmask)
+{
+	xt_xlate_add(xl, "%s dscp set ", ip);
+	if ((tosmask & 0x3f) == 0x3f)
+		xt_xlate_add(xl, "0x%02x", tos >> 2);
+	else if (!tos)
+		xt_xlate_add(xl, "%s dscp and 0x%02x",
+			     ip, (uint8_t)~tosmask >> 2);
+	else if (tos == tosmask)
+		xt_xlate_add(xl, "%s dscp or 0x%02x", ip, tos >> 2);
+	else if (!tosmask)
+		xt_xlate_add(xl, "%s dscp xor 0x%02x", ip, tos >> 2);
+	else
+		xt_xlate_add(xl, "%s dscp and 0x%02x xor 0x%02x",
+			     ip, (uint8_t)~tosmask >> 2, tos >> 2);
+	return 1;
+}
+
 static int tos_xlate(struct xt_xlate *xl,
 		     const struct xt_xlate_tg_params *params)
 {
 	const struct ipt_tos_target_info *info =
 		(struct ipt_tos_target_info *) params->target->data;
-	uint8_t dscp = info->tos >> 2;
-
-	xt_xlate_add(xl, "ip dscp set 0x%02x", dscp);
-	return 1;
+	return __tos_xlate(xl, "ip", info->tos, UINT8_MAX);
 }
 
 static int tos_xlate6(struct xt_xlate *xl,
 		      const struct xt_xlate_tg_params *params)
 {
-	const struct ipt_tos_target_info *info =
-		(struct ipt_tos_target_info *) params->target->data;
-	uint8_t dscp = info->tos >> 2;
+	const struct xt_tos_target_info *info =
+		(struct xt_tos_target_info *)params->target->data;
 
-	xt_xlate_add(xl, "ip6 dscp set 0x%02x", dscp);
-
-	return 1;
+	return __tos_xlate(xl, "ip6", info->tos_value, info->tos_mask);
 }
 
 static struct xtables_target tos_tg_reg = {
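Review bot: In `__tos_xlate` the "whole field replaced" test is `if ((tosmask & 0x3f) == 0x3f)`, i.e. the low six bits of the TOS byte, while every other branch treats DSCP as the high six bits (`tos >> 2`, `(uint8_t)~tosmask >> 2`). For a mask of 0x3f — which the libxt_TOS.t update in this revision shows is what the symbolic names such as Minimize-Delay now produce — the kernel target leaves TOS bits 6 and 7 untouched, but the emitted `dscp set 0x04` overwrites them, so packets carrying a non-zero precedence are rewritten differently from what the iptables rule does. If the high bits are what is meant, `if ((tosmask & 0xfc) == 0xfc)` is the check consistent with the rest of the function (the 0x3f-mask cases would then translate to `dscp set ip6 dscp and 0x30 xor N` and libxt_TOS.txlate would change accordingly); if the present output is deliberate because ECN cannot be expressed through `dscp`, a comment on that line saying so would keep the next reader from "fixing" it.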
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TOS.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TOS.t
@@ -1,15 +1,15 @@
 :PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
 *mangle
--j TOS --set-tos 0x1f;=;OK
+-j TOS --set-tos 0x1f;-j TOS --set-tos 0x1f/0xff;OK
 -j TOS --set-tos 0x1f/0x1f;=;OK
 # maximum TOS is 0x1f (5 bits)
 # ERROR: should fail: iptables -A PREROUTING -t mangle -j TOS --set-tos 0xff
 # -j TOS --set-tos 0xff;;FAIL
--j TOS --set-tos Minimize-Delay;-j TOS --set-tos 0x10;OK
--j TOS --set-tos Maximize-Throughput;-j TOS --set-tos 0x08;OK
--j TOS --set-tos Maximize-Reliability;-j TOS --set-tos 0x04;OK
--j TOS --set-tos Minimize-Cost;-j TOS --set-tos 0x02;OK
--j TOS --set-tos Normal-Service;-j TOS --set-tos 0x00;OK
+-j TOS --set-tos Minimize-Delay;-j TOS --set-tos 0x10/0x3f;OK
+-j TOS --set-tos Maximize-Throughput;-j TOS --set-tos 0x08/0x3f;OK
+-j TOS --set-tos Maximize-Reliability;-j TOS --set-tos 0x04/0x3f;OK
+-j TOS --set-tos Minimize-Cost;-j TOS --set-tos 0x02/0x3f;OK
+-j TOS --set-tos Normal-Service;-j TOS --set-tos 0x00/0x3f;OK
 -j TOS --and-tos 0x12;-j TOS --set-tos 0x00/0xed;OK
 -j TOS --or-tos 0x12;-j TOS --set-tos 0x12/0x12;OK
 -j TOS --xor-tos 0x12;-j TOS --set-tos 0x12/0x00;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TOS.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TOS.txlate
@@ -1,23 +1,26 @@
 ip6tables-translate -A INPUT -j TOS --set-tos 0x1f
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x07
+nft 'add rule ip6 filter INPUT counter ip6 dscp set 0x07'
 
 ip6tables-translate -A INPUT -j TOS --set-tos 0xff
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x3f
+nft 'add rule ip6 filter INPUT counter ip6 dscp set 0x3f'
 
 ip6tables-translate -A INPUT -j TOS --set-tos Minimize-Delay
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
+nft 'add rule ip6 filter INPUT counter ip6 dscp set 0x04'
 
 ip6tables-translate -A INPUT -j TOS --set-tos Minimize-Cost
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
+nft 'add rule ip6 filter INPUT counter ip6 dscp set 0x00'
 
 ip6tables-translate -A INPUT -j TOS --set-tos Normal-Service
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
+nft 'add rule ip6 filter INPUT counter ip6 dscp set 0x00'
 
 ip6tables-translate -A INPUT -j TOS --and-tos 0x12
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x00
+nft 'add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp and 0x04'
 
 ip6tables-translate -A INPUT -j TOS --or-tos 0x12
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
+nft 'add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp or 0x04'
 
 ip6tables-translate -A INPUT -j TOS --xor-tos 0x12
-nft add rule ip6 filter INPUT counter ip6 dscp set 0x04
+nft 'add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp xor 0x04'
+
+ip6tables-translate -A INPUT -j TOS --set-tos 0x12/0x34
+nft 'add rule ip6 filter INPUT counter ip6 dscp set ip6 dscp and 0x32 xor 0x04'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_TRACE.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_TRACE.txlate
@@ -1,2 +1,2 @@
 iptables-translate -t raw -A PREROUTING -j TRACE
-nft add rule ip raw PREROUTING counter nftrace set 1
+nft 'add rule ip raw PREROUTING counter nftrace set 1'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_addrtype.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_addrtype.txlate
@@ -1,11 +1,11 @@
 iptables-translate -A INPUT -m addrtype --src-type LOCAL
-nft add rule ip filter INPUT fib saddr type local counter
+nft 'add rule ip filter INPUT fib saddr type local counter'
 
 iptables-translate -A INPUT -m addrtype --dst-type LOCAL
-nft add rule ip filter INPUT fib daddr type local counter
+nft 'add rule ip filter INPUT fib daddr type local counter'
 
 iptables-translate -A INPUT -m addrtype ! --dst-type ANYCAST,LOCAL
-nft add rule ip filter INPUT fib daddr type != { local, anycast } counter
+nft 'add rule ip filter INPUT fib daddr type != { local, anycast } counter'
 
 iptables-translate -A INPUT -m addrtype --limit-iface-in --dst-type ANYCAST,LOCAL
-nft add rule ip filter INPUT fib daddr . iif type { local, anycast } counter
+nft 'add rule ip filter INPUT fib daddr . iif type { local, anycast } counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_bpf.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_bpf.c
@@ -83,8 +83,7 @@
 	attr.file_flags = 0;
 	return syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
 #else
-	xtables_error(OTHER_PROBLEM,
-		      "No bpf header, kernel headers too old?\n");
+	xtables_error(OTHER_PROBLEM, "No bpf header, kernel headers too old?");
 	return -EINVAL;
 #endif
 }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_cgroup.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_cgroup.txlate
@@ -1,5 +1,5 @@
 iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
-nft add rule ip filter INPUT meta cgroup 0 counter accept
+nft 'add rule ip filter INPUT meta cgroup 0 counter accept'
 
 iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
-nft add rule ip filter INPUT meta cgroup != 0 counter accept
+nft 'add rule ip filter INPUT meta cgroup != 0 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_cluster.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_cluster.txlate
@@ -1,26 +1,26 @@ iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 1 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-nodemask 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 1 --cluster-local-nodemask 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 
32 --cluster-local-node 32 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 32 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 32 meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-nodemask 32 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 6 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 6 meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-nodemask 5 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 7 --cluster-local-nodemask 9 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef { 0, 3 } meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef { 0, 3 } meta pkttype set host counter meta mark set 0xffff' iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-seed 0xdeadbeef -j MARK 
--set-mark 0xffff -nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set 0xffff +nft 'add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set 0xffff'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_comment.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_comment.c
@@ -55,12 +55,7 @@ char commentXT_MAX_COMMENT_LEN + sizeof("\\\"\\\""); commentinfo->commentXT_MAX_COMMENT_LEN - 1 = '\0'; - if (params->escape_quotes) - snprintf(comment, sizeof(comment), "\\\"%s\\\"", - commentinfo->comment); - else - snprintf(comment, sizeof(comment), "\"%s\"", - commentinfo->comment); + snprintf(comment, sizeof(comment), "\"%s\"", commentinfo->comment); xt_xlate_add_comment(xl, comment);
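Review bot: The remaining `snprintf(comment, sizeof(comment), "\"%s\"", commentinfo->comment)` copies the rule's comment text verbatim between double quotes, so a comment that itself contains `"` or `\` yields an nft string that does not parse, and one containing `'` breaks out of the single-quoted `nft '...'` command that the txlate expectations in this diff wrap around every translated rule. Because iptables-restore-translate output is commonly piped to a shell or to nft -f, a ruleset file with a crafted comment can terminate the quoted command early, which is better treated as an injection hazard than as a cosmetic issue. Escaping `\` and `"` while copying the comment, or returning 0 so the rule is reported untranslatable when it contains a quote character, would keep the emitted command well-formed. The enclosing xlate function starts and ends outside this hunk.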
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_comment.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_comment.txlate
Changed
@@ -1,8 +1,8 @@
 iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
-nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"
+nft 'add rule ip filter INPUT ip saddr 192.168.0.0 counter comment "A privatized IP block"'
 
 iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
-nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
+nft 'add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment "foobar"'
 
 iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
-nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter drop comment \"singlecomment\"
+nft 'add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter drop comment "singlecomment"'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_connbytes.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connbytes.txlate
Changed
@@ -1,14 +1,14 @@
 iptables-translate -A OUTPUT -m connbytes --connbytes 200 --connbytes-dir original --connbytes-mode packets
-nft add rule ip filter OUTPUT ct original packets ge 200 counter
+nft 'add rule ip filter OUTPUT ct original packets ge 200 counter'
 
 iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 --connbytes-dir reply --connbytes-mode packets
-nft add rule ip filter OUTPUT ct reply packets lt 200 counter
+nft 'add rule ip filter OUTPUT ct reply packets lt 200 counter'
 
 iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 --connbytes-dir both --connbytes-mode bytes
-nft add rule ip filter OUTPUT ct bytes 200-600 counter
+nft 'add rule ip filter OUTPUT ct bytes 200-600 counter'
 
 iptables-translate -A OUTPUT -m connbytes ! --connbytes 200:600 --connbytes-dir both --connbytes-mode bytes
-nft add rule ip filter OUTPUT ct bytes != 200-600 counter
+nft 'add rule ip filter OUTPUT ct bytes != 200-600 counter'
 
 iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 --connbytes-dir both --connbytes-mode avgpkt
-nft add rule ip filter OUTPUT ct avgpkt 200 counter
+nft 'add rule ip filter OUTPUT ct avgpkt 200 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_connlabel.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connlabel.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A INPUT -m connlabel --label 40
-nft add rule ip filter INPUT ct label 40 counter
+nft 'add rule ip filter INPUT ct label 40 counter'
 
 iptables-translate -A INPUT -m connlabel ! --label 40 --set
-nft add rule ip filter INPUT ct label set 40 ct label and 40 != 40 counter
+nft 'add rule ip filter INPUT ct label set 40 ct label and 40 != 40 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_connlimit.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connlimit.c
Changed
@@ -2,6 +2,8 @@ #include <netdb.h> #include <string.h> #include <xtables.h> +#include <arpa/inet.h> + #include <linux/netfilter/xt_connlimit.h> enum { @@ -183,6 +185,51 @@ } } +static int connlimit_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_connlimit_info *info = (const void *)params->match->data; + static uint32_t connlimit_id; + char netmask128 = {}; + char addr64 = {}; + uint32_t mask; + + switch (xt_xlate_get_family(xl)) { + case AF_INET: + mask = count_bits4(info->v4_mask); + if (mask != 32) { + struct in_addr *in = (struct in_addr *)&info->v4_mask; + + inet_ntop(AF_INET, in, addr, sizeof(addr)); + snprintf(netmask, sizeof(netmask), "and %s ", addr); + } + break; + case AF_INET6: + mask = count_bits6(info->v6_mask); + if (mask != 128) { + struct in6_addr *in6 = (struct in6_addr *)&info->v6_mask; + + inet_ntop(AF_INET6, in6, addr, sizeof(addr)); + snprintf(netmask, sizeof(netmask), "and %s ", addr); + } + break; + default: + return 0; + } + + xt_xlate_set_add(xl, "connlimit%u { type ipv4_addr; flags dynamic; }", + connlimit_id); + xt_xlate_rule_add(xl, "add @connlimit%u { %s %s %sct count %s%u }", + connlimit_id++, + xt_xlate_get_family(xl) == AF_INET ? "ip" : "ip6", + info->flags & XT_CONNLIMIT_DADDR ? "daddr" : "saddr", + netmask, + info->flags & XT_CONNLIMIT_INVERT ? "" : "over ", + info->limit); + + return 1; +} + static struct xtables_match connlimit_mt_reg = { { .name = "connlimit", @@ -228,6 +275,7 @@ .print = connlimit_print4, .save = connlimit_save4, .x6_options = connlimit_opts, + .xlate = connlimit_xlate, }, { .name = "connlimit", @@ -243,6 +291,7 @@ .print = connlimit_print6, .save = connlimit_save6, .x6_options = connlimit_opts, + .xlate = connlimit_xlate, }, };
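Review bot: `connlimit_xlate` declares the dynamic set with a hard-coded `type ipv4_addr` even though the switch above it handles AF_INET6 and the rule line then selects `ip6` for the family, so an ip6tables-translate of any connlimit rule emits a set whose element type does not match the `ip6 saddr`/`ip6 daddr` key and nft rejects the ruleset at load time. The set type should follow the family, e.g. `xt_xlate_set_add(xl, "connlimit%u { type %s; flags dynamic; }", connlimit_id, xt_xlate_get_family(xl) == AF_INET ? "ipv4_addr" : "ipv6_addr");`. The two `inet_ntop` calls also ignore their return value; since the buffers are zero-initialised a failure would silently drop the `and <mask>` clause and widen the counted key, so either checking the result and returning 0, or a comment stating that failure is considered impossible here, would make the intent explicit.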
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_connlimit.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connlimit.t
Changed
@@ -1,11 +1,11 @@
 :INPUT,FORWARD,OUTPUT
--m connlimit --connlimit-upto 0;=;OK
--m connlimit --connlimit-upto 4294967295;=;OK
--m connlimit --connlimit-upto 4294967296;;FAIL
+-m connlimit --connlimit-upto 0;-m connlimit --connlimit-upto 0 --connlimit-mask 32 --connlimit-saddr;OK
+-m connlimit --connlimit-upto 4294967295 --connlimit-mask 32 --connlimit-saddr;=;OK
+-m connlimit --connlimit-upto 4294967296 --connlimit-mask 32 --connlimit-saddr;;FAIL
 -m connlimit --connlimit-upto -1;;FAIL
--m connlimit --connlimit-above 0;=;OK
--m connlimit --connlimit-above 4294967295;=;OK
--m connlimit --connlimit-above 4294967296;;FAIL
+-m connlimit --connlimit-above 0;-m connlimit --connlimit-above 0 --connlimit-mask 32 --connlimit-saddr;OK
+-m connlimit --connlimit-above 4294967295 --connlimit-mask 32 --connlimit-saddr;=;OK
+-m connlimit --connlimit-above 4294967296 --connlimit-mask 32 --connlimit-saddr;;FAIL
 -m connlimit --connlimit-above -1;;FAIL
 -m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL
 -m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;OK
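Review bot: The context line `-m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL` misspells the second option, so this FAIL case passes because of an unknown option rather than because `--connlimit-upto` and `--connlimit-above` are mutually exclusive, which is what it appears meant to check. Changing it to `-m connlimit --connlimit-upto 1 --connlimit-above 1;;FAIL` would exercise the actual conflict check in the option parser. The line is pre-existing context rather than something this hunk introduces, but the hunk is the natural place to fix it while the expectations are being rewritten.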
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connlimit.txlate
Added
@@ -0,0 +1,15 @@
+iptables-translate -A INPUT -m connlimit --connlimit-above 2
+nft 'add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }'
+nft 'add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter'
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2
+nft 'add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }'
+nft 'add rule ip filter INPUT add @connlimit0 { ip saddr ct count 2 } counter'
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2 --connlimit-mask 24
+nft 'add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }'
+nft 'add rule ip filter INPUT add @connlimit0 { ip saddr and 255.255.255.0 ct count 2 } counter'
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2 --connlimit-daddr
+nft 'add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }'
+nft 'add rule ip filter INPUT add @connlimit0 { ip daddr ct count 2 } counter'
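Review bot: All four new cases use iptables-translate, so the AF_INET6 branch of the new connlimit translator (the `ip6 saddr`/`ip6 daddr` key and the 128-bit mask formatting) has no expectation at all. Adding at least `ip6tables-translate -A INPUT -m connlimit --connlimit-above 2` with its two expected `nft '...'` lines would pin the set type the IPv6 translation emits; from the translator code elsewhere in this diff the set would currently be declared `type ipv4_addr` for that case, which is exactly the expectation a reviewer should look at before accepting it. An IPv6 case with `--connlimit-mask 64` would additionally cover the inet_ntop-based `and <mask>` path.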
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_connmark.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connmark.t
Changed
@@ -2,8 +2,8 @@
 *mangle
 -m connmark --mark 0xffffffff;=;OK
 -m connmark --mark 0xffffffff/0xffffffff;-m connmark --mark 0xffffffff;OK
--m connmark --mark 0xffffffff/0;=;OK
--m connmark --mark 0/0xffffffff;-m connmark --mark 0;OK
+-m connmark --mark 0xffffffff/0x0;=;OK
+-m connmark --mark 0/0xffffffff;-m connmark --mark 0x0;OK
 -m connmark --mark -1;;FAIL
 -m connmark --mark 0xfffffffff;;FAIL
 -m connmark;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_connmark.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_connmark.txlate
Changed
@@ -1,14 +1,14 @@
 iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT
-nft add rule ip filter INPUT ct mark 0x2 counter accept
+nft 'add rule ip filter INPUT ct mark 0x2 counter accept'
 
 iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT
-nft add rule ip filter INPUT ct mark != 0x2 counter accept
+nft 'add rule ip filter INPUT ct mark != 0x2 counter accept'
 
 iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT
-nft add rule ip filter INPUT ct mark and 0xa == 0xa counter accept
+nft 'add rule ip filter INPUT ct mark and 0xa == 0xa counter accept'
 
 iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT
-nft add rule ip filter INPUT ct mark and 0xa != 0xa counter accept
+nft 'add rule ip filter INPUT ct mark and 0xa != 0xa counter accept'
 
 iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m connmark --mark 0x40
-nft add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter
+nft 'add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_conntrack.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_conntrack.c
Changed
@@ -778,7 +778,7 @@ static void conntrack_dump_ports(const char *prefix, const char *opt, - u_int16_t port_low, u_int16_t port_high) + uint16_t port_low, uint16_t port_high) { if (port_high == 0 || port_low == port_high) printf(" %s%s %u", prefix, opt, port_low); @@ -1148,10 +1148,13 @@ state_print_state(sinfo->statemask); } -static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask) +static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted) { const char *sep = ""; + if (inverted) + xt_xlate_add(xl, "! "); + if (statemask & XT_CONNTRACK_STATE_INVALID) { xt_xlate_add(xl, "%s%s", sep, "invalid"); sep = ","; @@ -1180,17 +1183,19 @@ const struct xt_conntrack_mtinfo3 *sinfo = (const void *)params->match->data; - xt_xlate_add(xl, "ct state %s", sinfo->invert_flags & XT_CONNTRACK_STATE ? - "!= " : ""); - state_xlate_print(xl, sinfo->state_mask); - xt_xlate_add(xl, " "); + xt_xlate_add(xl, "ct state "); + state_xlate_print(xl, sinfo->state_mask, + sinfo->invert_flags & XT_CONNTRACK_STATE); return 1; } -static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask) +static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted) { const char *sep = ""; + if (inverted) + xt_xlate_add(xl, "! "); + if (statusmask & IPS_EXPECTED) { xt_xlate_add(xl, "%s%s", sep, "expected"); sep = ","; 
@@ -1256,19 +1261,17 @@ sinfo->state_mask & XT_CONNTRACK_STATE_SNAT ? "snat" : "dnat"); space = " "; } else { - xt_xlate_add(xl, "%sct state %s", space, - sinfo->invert_flags & XT_CONNTRACK_STATE ? - "!= " : ""); - state_xlate_print(xl, sinfo->state_mask); + xt_xlate_add(xl, "%sct state ", space); + state_xlate_print(xl, sinfo->state_mask, + sinfo->invert_flags & XT_CONNTRACK_STATE); space = " "; } } if (sinfo->match_flags & XT_CONNTRACK_STATUS) { - xt_xlate_add(xl, "%sct status %s", space, - sinfo->invert_flags & XT_CONNTRACK_STATUS ? - "!= " : ""); - status_xlate_print(xl, sinfo->status_mask); + xt_xlate_add(xl, "%sct status ", space); + status_xlate_print(xl, sinfo->status_mask, + sinfo->invert_flags & XT_CONNTRACK_STATUS); space = " "; } @@ -1285,9 +1288,6 @@ } if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC) { - if (&sinfo->origsrc_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct original saddr %s", space, sinfo->invert_flags & XT_CONNTRACK_ORIGSRC ? "!= " : ""); @@ -1297,9 +1297,6 @@ } if (sinfo->match_flags & XT_CONNTRACK_ORIGDST) { - if (&sinfo->origdst_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct original daddr %s", space, sinfo->invert_flags & XT_CONNTRACK_ORIGDST ? "!= " : ""); @@ -1309,9 +1306,6 @@ } if (sinfo->match_flags & XT_CONNTRACK_REPLSRC) { - if (&sinfo->replsrc_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct reply saddr %s", space, sinfo->invert_flags & XT_CONNTRACK_REPLSRC ? "!= " : ""); @@ -1321,9 +1315,6 @@ } if (sinfo->match_flags & XT_CONNTRACK_REPLDST) { - if (&sinfo->repldst_addr == 0L) - return 0; - xt_xlate_add(xl, "%sct reply daddr %s", space, sinfo->invert_flags & XT_CONNTRACK_REPLDST ? "!= " : "");
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_conntrack.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_conntrack.txlate
Changed
@@ -1,51 +1,60 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT -nft add rule ip filter INPUT ct state new,related counter accept +nft 'add rule ip filter INPUT ct state new,related counter accept' ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT -nft add rule ip6 filter INPUT ct state != new,related counter accept +nft 'add rule ip6 filter INPUT ct state ! new,related counter accept' + +ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT +nft 'add rule ip6 filter INPUT ct state ! new counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT -nft add rule ip filter INPUT ct original protocol 17 counter accept +nft 'add rule ip filter INPUT ct original protocol 17 counter accept' iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT -nft add rule ip filter INPUT ct original protocol != 17 counter accept +nft 'add rule ip filter INPUT ct original protocol != 17 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT -nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept +nft 'add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT -nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept +nft 'add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT -nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept +nft 'add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT -nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept +nft 'add rule ip filter INPUT ct reply saddr 10.100.2.131 
counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT -nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept +nft 'add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT -nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept +nft 'add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT -nft add rule ip filter INPUT ct status expected counter accept +nft 'add rule ip filter INPUT ct status expected counter accept' iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT -nft add rule ip filter INPUT ct status != confirmed counter accept +nft 'add rule ip filter INPUT ct status ! confirmed counter accept' + +iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT +nft 'add rule ip filter INPUT ct status ! 
assured,confirmed counter accept' + +iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT +nft 'add rule ip filter INPUT ct status assured,confirmed counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT -nft add rule ip filter INPUT ct expiration 3 counter accept +nft 'add rule ip filter INPUT ct expiration 3 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT -nft add rule ip filter INPUT ct direction original counter accept +nft 'add rule ip filter INPUT ct direction original counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW --ctproto tcp --ctorigsrc 192.168.0.1 --ctorigdst 192.168.0.1 --ctreplsrc 192.168.0.1 --ctrepldst 192.168.0.1 --ctorigsrcport 12 --ctorigdstport 14 --ctreplsrcport 16 --ctrepldstport 18 --ctexpire 10 --ctstatus SEEN_REPLY --ctdir ORIGINAL -j ACCEPT -nft add rule ip filter INPUT ct direction original ct original protocol 6 ct state new ct status seen-reply ct expiration 10 ct original saddr 192.168.0.1 ct original daddr 192.168.0.1 ct reply saddr 192.168.0.1 ct reply daddr 192.168.0.1 ct original proto-src 12 ct original proto-dst 14 ct reply proto-src 16 ct reply proto-dst 18 counter accept +nft 'add rule ip filter INPUT ct direction original ct original protocol 6 ct state new ct status seen-reply ct expiration 10 ct original saddr 192.168.0.1 ct original daddr 192.168.0.1 ct reply saddr 192.168.0.1 ct reply daddr 192.168.0.1 ct original proto-src 12 ct original proto-dst 14 ct reply proto-src 16 ct reply proto-dst 18 counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctstate SNAT -j ACCEPT -nft add rule ip filter INPUT ct status snat counter accept +nft 'add rule ip filter INPUT ct status snat counter accept' iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT -nft add rule ip filter INPUT ct status dnat counter accept +nft 'add rule ip filter INPUT ct 
status dnat counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_cpu.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_cpu.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
+nft 'add rule ip filter INPUT tcp dport 80 cpu 0 counter accept'
 
 iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept
+nft 'add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_dccp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_dccp.c
Changed
@@ -85,7 +85,7 @@ uint16_t typemask = 0; char *ptr, *buffer; - buffer = strdup(typestring); + buffer = xtables_strdup(typestring); for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { unsigned int i; @@ -343,7 +343,6 @@ { const struct xt_dccp_info *einfo = (const struct xt_dccp_info *)params->match->data; - char *space = ""; int ret = 1; if (einfo->flags & XT_DCCP_SRC_PORTS) { @@ -353,27 +352,21 @@ if (einfo->spts0 != einfo->spts1) xt_xlate_add(xl, "-%u", einfo->spts1); - - space = " "; } if (einfo->flags & XT_DCCP_DEST_PORTS) { - xt_xlate_add(xl, "%sdccp dport%s %u", space, + xt_xlate_add(xl, "dccp dport%s %u", einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "", einfo->dpts0); if (einfo->dpts0 != einfo->dpts1) xt_xlate_add(xl, "-%u", einfo->dpts1); - - space = " "; } if (einfo->flags & XT_DCCP_TYPE && einfo->typemask) { - xt_xlate_add(xl, "%sdccp type%s ", space, + xt_xlate_add(xl, "dccp type%s ", einfo->invflags & XT_DCCP_TYPE ? " !=" : ""); ret = dccp_type_xlate(einfo, xl); - - space = " "; } /* FIXME: no dccp option support in nftables yet */
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_dccp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_dccp.txlate
Changed
@@ -1,20 +1,20 @@
 iptables-translate -A INPUT -p dccp -m dccp --sport 100
-nft add rule ip filter INPUT dccp sport 100 counter
+nft 'add rule ip filter INPUT dccp sport 100 counter'
 
 iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
-nft add rule ip filter INPUT dccp dport 100-200 counter
+nft 'add rule ip filter INPUT dccp dport 100-200 counter'
 
 iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
-nft add rule ip filter INPUT dccp dport != 100 counter
+nft 'add rule ip filter INPUT dccp dport != 100 counter'
 
 iptables-translate -A INPUT -p dccp -m dccp --dccp-types CLOSE
-nft add rule ip filter INPUT dccp type close counter
+nft 'add rule ip filter INPUT dccp type close counter'
 
 iptables-translate -A INPUT -p dccp -m dccp --dccp-types INVALID
-nft add rule ip filter INPUT dccp type 10-15 counter
+nft 'add rule ip filter INPUT dccp type 10-15 counter'
 
 iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK,INVALID
-nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack, 10-15} counter
+nft 'add rule ip filter INPUT dccp dport 100 dccp type { request, response, data, ack, dataack, closereq, close, sync, syncack, 10-15 } counter'
 
 iptables-translate -A INPUT -p dccp -m dccp --sport 200 --dport 100
-nft add rule ip filter INPUT dccp sport 200 dccp dport 100 counter
+nft 'add rule ip filter INPUT dccp sport 200 dccp dport 100 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_devgroup.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_devgroup.c
Changed
@@ -129,7 +129,6 @@ struct xt_xlate *xl, int numeric) { enum xt_op op = XT_OP_EQ; - char *space = ""; if (info->flags & XT_DEVGROUP_MATCH_SRC) { if (info->flags & XT_DEVGROUP_INVERT_SRC) @@ -137,13 +136,12 @@ xt_xlate_add(xl, "iifgroup "); print_devgroup_xlate(info->src_group, op, info->src_mask, xl, numeric); - space = " "; } if (info->flags & XT_DEVGROUP_MATCH_DST) { if (info->flags & XT_DEVGROUP_INVERT_DST) op = XT_OP_NEQ; - xt_xlate_add(xl, "%soifgroup ", space); + xt_xlate_add(xl, "oifgroup "); print_devgroup_xlate(info->dst_group, op, info->dst_mask, xl, numeric); }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_devgroup.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_devgroup.man
Changed
@@ -1,4 +1,4 @@
-Match device group of a packets incoming/outgoing interface.
+Match device group of a packet's incoming/outgoing interface.
 .TP
 \fB!\fP \fB\-\-src\-group\fP \fIname\fP
 Match device group of incoming device
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_devgroup.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_devgroup.txlate
Changed
@@ -1,17 +1,17 @@
 iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT
-nft add rule ip filter FORWARD iifgroup 0x2 counter accept
+nft 'add rule ip filter FORWARD iifgroup 0x2 counter accept'
 
 iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
-nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept
+nft 'add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept'
 
 iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
-nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept
+nft 'add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept'
 
 iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
-nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept
+nft 'add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept'
 
 iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT
-nft add rule ip filter FORWARD iifgroup != 0x2 counter accept
+nft 'add rule ip filter FORWARD iifgroup != 0x2 counter accept'
 
 iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 --dst-group 0xc/0xc -j ACCEPT
-nft add rule ip filter FORWARD iifgroup != 0x2 oifgroup and 0xc != 0xc counter accept
+nft 'add rule ip filter FORWARD iifgroup != 0x2 oifgroup and 0xc != 0xc counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_dscp.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_dscp.t
Changed
@@ -1,5 +1,5 @@
 :INPUT,FORWARD,OUTPUT
--m dscp --dscp 0;=;OK
+-m dscp --dscp 0x00;=;OK
 -m dscp --dscp 0x3f;=;OK
 -m dscp --dscp -1;;FAIL
 -m dscp --dscp 0x40;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_dscp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_dscp.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT
-nft add rule ip filter INPUT ip dscp 0x32 counter accept
+nft 'add rule ip filter INPUT ip dscp 0x32 counter accept'
 
 ip6tables-translate -t filter -A INPUT -m dscp ! --dscp 0x32 -j ACCEPT
-nft add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept
+nft 'add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_ecn.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_ecn.c
Changed
@@ -156,6 +156,8 @@ case 3: xt_xlate_add(xl, "ce"); break; + default: + return 0; } } return 1;
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_ecn.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_ecn.txlate
Changed
@@ -1,29 +1,29 @@
 iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
-nft add rule ip filter INPUT ip ecn not-ect counter
+nft 'add rule ip filter INPUT ip ecn not-ect counter'
 
 iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
-nft add rule ip filter INPUT ip ecn ect1 counter
+nft 'add rule ip filter INPUT ip ecn ect1 counter'
 
 iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
-nft add rule ip filter INPUT ip ecn ect0 counter
+nft 'add rule ip filter INPUT ip ecn ect0 counter'
 
 iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
-nft add rule ip filter INPUT ip ecn ce counter
+nft 'add rule ip filter INPUT ip ecn ce counter'
 
 iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
-nft add rule ip filter INPUT ip ecn != not-ect counter
+nft 'add rule ip filter INPUT ip ecn != not-ect counter'
 
 iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
-nft add rule ip filter INPUT ip ecn != ect1 counter
+nft 'add rule ip filter INPUT ip ecn != ect1 counter'
 
 iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
-nft add rule ip filter INPUT ip ecn != ect0 counter
+nft 'add rule ip filter INPUT ip ecn != ect0 counter'
 
 iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
-nft add rule ip filter INPUT ip ecn != ce counter
+nft 'add rule ip filter INPUT ip ecn != ce counter'
 
 iptables-translate -A INPUT -m ecn ! --ecn-tcp-ece
-nft add rule ip filter INPUT tcp flags != ecn counter
+nft 'add rule ip filter INPUT tcp flags != ecn counter'
 
 iptables-translate -A INPUT -m ecn --ecn-tcp-cwr
-nft add rule ip filter INPUT tcp flags cwr counter
+nft 'add rule ip filter INPUT tcp flags cwr counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_esp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_esp.txlate
Changed
@@ -1,11 +1,11 @@
 iptables-translate -A FORWARD -p esp -j ACCEPT
-nft add rule ip filter FORWARD ip protocol esp counter accept
+nft 'add rule ip filter FORWARD ip protocol esp counter accept'
 
 iptables-translate -A INPUT --in-interface wan --protocol esp -j ACCEPT
-nft add rule ip filter INPUT iifname "wan" ip protocol esp counter accept
+nft 'add rule ip filter INPUT iifname "wan" ip protocol esp counter accept'
 
 iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP
-nft add rule ip filter INPUT esp spi 500 counter drop
+nft 'add rule ip filter INPUT esp spi 500 counter drop'
 
 iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
-nft add rule ip filter INPUT esp spi 500-600 counter drop
+nft 'add rule ip filter INPUT esp spi 500-600 counter drop'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_hashlimit.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_hashlimit.c
Changed
@@ -356,12 +356,12 @@ tmp = (uint64_t) r * factor; if (tmp > max) xtables_error(PARAMETER_PROBLEM, - "Rate value too large \"%"PRIu64"\" (max %"PRIu64")\n", - tmp, max); + "Rate value too large \"%"PRIu64"\" (max %"PRIu64")", + tmp, max); tmp = bytes_to_cost(tmp); if (tmp == 0) - xtables_error(PARAMETER_PROBLEM, "Rate too high \"%s\"\n", rate); + xtables_error(PARAMETER_PROBLEM, "Rate too high \"%s\"", rate); ud->mult = XT_HASHLIMIT_BYTE_EXPIRE; @@ -407,7 +407,7 @@ * The rate maps to infinity. (1/day is the minimum they can * specify, so we are ok at that end). */ - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); + xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"", rate); if(revision == 1) *((uint32_t*)val) = tmp; @@ -508,10 +508,7 @@ static int parse_mode(uint32_t *mode, const char *option_arg) { char *tok; - char *arg = strdup(option_arg); - - if (!arg) - return -1; + char *arg = xtables_strdup(option_arg); for (tok = strtok(arg, ",|"); tok; @@ -1273,7 +1270,7 @@ } } - xt_xlate_add(xl, fmt, acm); + xt_xlate_add_nospc(xl, fmt, acm); if (nblocks > 0) xt_xlate_add(xl, "%c", sep); }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_hashlimit.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_hashlimit.t
Changed
@@ -3,14 +3,12 @@
 -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
--m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
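Review bot: Replacing the two `1/day --hashlimit-burst 5 ...;;FAIL` lines with `--hashlimit-burst 1 ...;=;OK` removes the only negative coverage of the overflow rejection that the deleted comment documented (`xt_hashlimit: overflow, try lower: 864000000/5`). If the kernel still rejects burst 5 at 1/day, keeping a `;;FAIL` line for burst 5 alongside the new OK line for burst 1 preserves that case; if the userspace changes in this release avoid the overflow, a one-line comment saying so would explain why the expectation flipped. Whether burst 5 is still rejected depends on the kernel side, which this diff does not show, so this is a request to state the reason rather than a claim that the new expectation is wrong.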
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_hashlimit.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_hashlimit.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip --hashlimit-name https --hashlimit-dstmask 24 -m state --state NEW -j DROP
-nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second burst 1 mbytes} ct state new counter drop
+nft 'add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second burst 1 mbytes } ct state new counter drop'
 
 iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 -m state --state NEW -j DROP
-nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
+nft 'add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets } ct state new counter drop'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_helper.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_helper.c
Changed
@@ -50,12 +50,8 @@ { const struct xt_helper_info *info = (const void *)params->match->data; - if (params->escape_quotes) - xt_xlate_add(xl, "ct helper%s \\\"%s\\\"", - info->invert ? " !=" : "", info->name); - else - xt_xlate_add(xl, "ct helper%s \"%s\"", - info->invert ? " !=" : "", info->name); + xt_xlate_add(xl, "ct helper%s \"%s\"", + info->invert ? " !=" : "", info->name); return 1; }
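Review bot: The helper name is now emitted verbatim between literal double quotes (`xt_xlate_add(xl, "ct helper%s \"%s\"", ...)`), so an `info->name` containing `"` — or `'`, once the whole translated rule is wrapped in single quotes as the .txlate fixtures on this page now are — yields an nft command that does not parse. Nothing in this hunk validates the name; it is taken from the match data, so the translation relies on the rule having been loaded with a well-formed conntrack helper name. A comment recording that assumption, e.g. `/* name is copied verbatim; relies on helper names containing no quote characters */`, or a check that refuses to translate a name containing a quote, would make the dependency explicit. The enclosing xlate function's signature lies above the hunk.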
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_helper.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_helper.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A FORWARD -m helper --helper sip
-nft add rule ip filter FORWARD ct helper \"sip\" counter
+nft 'add rule ip filter FORWARD ct helper "sip" counter'
 
 iptables-translate -A FORWARD -m helper ! --helper ftp
-nft add rule ip filter FORWARD ct helper != \"ftp\" counter
+nft 'add rule ip filter FORWARD ct helper != "ftp" counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_icmp.h -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_icmp.h
Changed
@@ -1,25 +1,249 @@ -struct xt_icmp_names { +static const struct xt_icmp_names { const char *name; uint8_t type; uint8_t code_min, code_max; +} icmp_codes = { + { "any", 0xFF, 0, 0xFF }, + { "echo-reply", 0, 0, 0xFF }, + /* Alias */ { "pong", 0, 0, 0xFF }, + + { "destination-unreachable", 3, 0, 0xFF }, + { "network-unreachable", 3, 0, 0 }, + { "host-unreachable", 3, 1, 1 }, + { "protocol-unreachable", 3, 2, 2 }, + { "port-unreachable", 3, 3, 3 }, + { "fragmentation-needed", 3, 4, 4 }, + { "source-route-failed", 3, 5, 5 }, + { "network-unknown", 3, 6, 6 }, + { "host-unknown", 3, 7, 7 }, + { "network-prohibited", 3, 9, 9 }, + { "host-prohibited", 3, 10, 10 }, + { "TOS-network-unreachable", 3, 11, 11 }, + { "TOS-host-unreachable", 3, 12, 12 }, + { "communication-prohibited", 3, 13, 13 }, + { "host-precedence-violation", 3, 14, 14 }, + { "precedence-cutoff", 3, 15, 15 }, + + { "source-quench", 4, 0, 0xFF }, + + { "redirect", 5, 0, 0xFF }, + { "network-redirect", 5, 0, 0 }, + { "host-redirect", 5, 1, 1 }, + { "TOS-network-redirect", 5, 2, 2 }, + { "TOS-host-redirect", 5, 3, 3 }, + + { "echo-request", 8, 0, 0xFF }, + /* Alias */ { "ping", 8, 0, 0xFF }, + + { "router-advertisement", 9, 0, 0xFF }, + + { "router-solicitation", 10, 0, 0xFF }, + + { "time-exceeded", 11, 0, 0xFF }, + /* Alias */ { "ttl-exceeded", 11, 0, 0xFF }, + { "ttl-zero-during-transit", 11, 0, 0 }, + { "ttl-zero-during-reassembly", 11, 1, 1 }, + + { "parameter-problem", 12, 0, 0xFF }, + { "ip-header-bad", 12, 0, 0 }, + { "required-option-missing", 12, 1, 1 }, + + { "timestamp-request", 13, 0, 0xFF }, + + { "timestamp-reply", 14, 0, 0xFF }, + + { "address-mask-request", 17, 0, 0xFF }, + + { "address-mask-reply", 18, 0, 0xFF } +}, icmpv6_codes = { + { "destination-unreachable", 1, 0, 0xFF }, + { "no-route", 1, 0, 0 }, + { "communication-prohibited", 1, 1, 1 }, + { "beyond-scope", 1, 2, 2 }, + { "address-unreachable", 1, 3, 3 }, + { "port-unreachable", 1, 4, 4 }, + { "failed-policy", 1, 5, 5 }, + { 
"reject-route", 1, 6, 6 }, + + { "packet-too-big", 2, 0, 0xFF }, + + { "time-exceeded", 3, 0, 0xFF }, + /* Alias */ { "ttl-exceeded", 3, 0, 0xFF }, + { "ttl-zero-during-transit", 3, 0, 0 }, + { "ttl-zero-during-reassembly", 3, 1, 1 }, + + { "parameter-problem", 4, 0, 0xFF }, + { "bad-header", 4, 0, 0 }, + { "unknown-header-type", 4, 1, 1 }, + { "unknown-option", 4, 2, 2 }, + + { "echo-request", 128, 0, 0xFF }, + /* Alias */ { "ping", 128, 0, 0xFF }, + + { "echo-reply", 129, 0, 0xFF }, + /* Alias */ { "pong", 129, 0, 0xFF }, + + { "router-solicitation", 133, 0, 0xFF }, + + { "router-advertisement", 134, 0, 0xFF }, + + { "neighbour-solicitation", 135, 0, 0xFF }, + /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF }, + + { "neighbour-advertisement", 136, 0, 0xFF }, + /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF }, + + { "redirect", 137, 0, 0xFF }, +}, igmp_types = { + { "membership-query", 0x11 }, + { "membership-report-v1", 0x12 }, + { "membership-report-v2", 0x16 }, + { "leave-group", 0x17 }, + { "membership-report-v3", 0x22 }, }; -static void xt_print_icmp_types(const struct xt_icmp_names *icmp_codes, +static inline char *parse_range(const char *str, unsigned int res) +{ + char *next; + + if (!xtables_strtoui(str, &next, &res0, 0, 255)) + return NULL; + + res1 = res0; + if (*next == ':') { + str = next + 1; + if (!xtables_strtoui(str, &next, &res1, 0, 255)) + return NULL; + } + + return next; +} + +static void +__parse_icmp(const struct xt_icmp_names codes, size_t n_codes, + const char *codes_name, const char *fmtstring, + uint8_t type, uint8_t code) +{ + unsigned int match = n_codes; + unsigned int i, number2; + + for (i = 0; i < n_codes; i++) { + if (strncasecmp(codesi.name, fmtstring, strlen(fmtstring))) + continue; + if (match != n_codes) + xtables_error(PARAMETER_PROBLEM, + "Ambiguous %s type `%s': `%s' or `%s'?", + codes_name, fmtstring, codesmatch.name, + codesi.name); + match = i; + } + + if (match < n_codes) { + type0 = type1 = codesmatch.type; + 
if (code) { + code0 = codesmatch.code_min; + code1 = codesmatch.code_max; + } + } else { + char *next = parse_range(fmtstring, number); + if (!next) + xtables_error(PARAMETER_PROBLEM, "Unknown %s type `%s'", + codes_name, fmtstring); + type0 = (uint8_t) number0; + type1 = (uint8_t) number1; + switch (*next) { + case 0: + if (code) { + code0 = 0; + code1 = 255; + } + return; + case '/': + if (!code) + break; + + next = parse_range(next + 1, number); + if (!next) + xtables_error(PARAMETER_PROBLEM, + "Unknown %s code `%s'", + codes_name, fmtstring); + code0 = (uint8_t) number0; + code1 = (uint8_t) number1; + if (!*next) + break; + /* fallthrough */ + default: + xtables_error(PARAMETER_PROBLEM, + "unknown character %c", *next); + } + } +} + +static inline void +__ipt_parse_icmp(const struct xt_icmp_names *codes, size_t n_codes, + const char *codes_name, const char *fmtstr, + uint8_t *type, uint8_t code) +{ + uint8_t types2; + + __parse_icmp(codes, n_codes, codes_name, fmtstr, types, code); + if (types1 != types0) + xtables_error(PARAMETER_PROBLEM, + "%s type range not supported", codes_name); + *type = types0; +} + +static inline void +ipt_parse_icmp(const char *str, uint8_t *type, uint8_t code) +{ + __ipt_parse_icmp(icmp_codes, ARRAY_SIZE(icmp_codes), + "ICMP", str, type, code); +} + +static inline void +ipt_parse_icmpv6(const char *str, uint8_t *type, uint8_t code) +{ + __ipt_parse_icmp(icmpv6_codes, ARRAY_SIZE(icmpv6_codes), + "ICMPv6", str, type, code); +} + +static inline void +ebt_parse_icmp(const char *str, uint8_t type, uint8_t code) +{ + __parse_icmp(icmp_codes, ARRAY_SIZE(icmp_codes), + "ICMP", str, type, code); +} + +static inline void +ebt_parse_icmpv6(const char *str, uint8_t type, uint8_t code) +{ + __parse_icmp(icmpv6_codes, ARRAY_SIZE(icmpv6_codes), + "ICMPv6", str, type, code); +} + +static inline void +ebt_parse_igmp(const char *str, uint8_t type) +{ + __parse_icmp(igmp_types, ARRAY_SIZE(igmp_types), + "IGMP", str, type, NULL); +} + +static void 
xt_print_icmp_types(const struct xt_icmp_names *_icmp_codes, unsigned int n_codes) { unsigned int i; for (i = 0; i < n_codes; ++i) { - if (i && icmp_codesi.type == icmp_codesi-1.type) { - if (icmp_codesi.code_min == icmp_codesi-1.code_min - && (icmp_codesi.code_max - == icmp_codesi-1.code_max)) - printf(" (%s)", icmp_codesi.name); + if (i && _icmp_codesi.type == _icmp_codesi-1.type) { + if (_icmp_codesi.code_min == _icmp_codesi-1.code_min + && (_icmp_codesi.code_max + == _icmp_codesi-1.code_max)) + printf(" (%s)", _icmp_codesi.name); else - printf("\n %s", icmp_codesi.name); + printf("\n %s", _icmp_codesi.name); } else - printf("\n%s", icmp_codesi.name); + printf("\n%s", _icmp_codesi.name); } printf("\n"); }
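Review bot: In `__parse_icmp`, the `case '/':` arm does `if (!code) break;`, so when the caller passes no code array (the `ebt_parse_igmp` path) an argument of the form `TYPE/CODE` is accepted and the `/CODE` suffix is silently discarded rather than rejected; unless that leniency is intended, the `break` should become `xtables_error(PARAMETER_PROBLEM, "%s type `%s' does not take a code", codes_name, fmtstring);`. The name loop also reports an exact match as ambiguous whenever another table entry merely starts with the same string — none of the current entries collide, but checking for an exact `strcasecmp` match before the prefix scan would keep that from surfacing when a name is added. `parse_range` likewise accepts a range whose upper bound is below the lower one (`5:3`) without complaint. Note that this rendering has dropped the array brackets, so `res0`, `codesi.name`, `type0` and similar are the indexed accesses.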
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_ipcomp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_ipcomp.c
Changed
@@ -101,6 +101,8 @@ const struct xt_ipcomp *compinfo = (struct xt_ipcomp *)params->match->data; + /* ignore compinfo->hdrres like kernel's xt_ipcomp.c does */ + xt_xlate_add(xl, "comp cpi %s", compinfo->invflags & XT_IPCOMP_INV_SPI ? "!= " : ""); if (compinfo->spis0 != compinfo->spis1)
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_ipcomp.c.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_ipcomp.c.man
Changed
@@ -2,6 +2,3 @@
 .TP
 \fB!\fP \fB\-\-ipcompspi\fP \fIspi\fP\fB:\fP\fIspi\fP
 Matches IPcomp header CPI value.
-.TP
-\fB\-\-compres\fP
-Matches if the reserved field is filled with zero.
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_ipcomp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_ipcomp.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -t filter -A INPUT -m ipcomp --ipcompspi 0x12 -j ACCEPT
-nft add rule ip filter INPUT comp cpi 18 counter accept
+nft 'add rule ip filter INPUT comp cpi 18 counter accept'
 
 iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j ACCEPT
-nft add rule ip filter INPUT comp cpi != 18 counter accept
+nft 'add rule ip filter INPUT comp cpi != 18 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_iprange.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_iprange.c
Changed
@@ -73,11 +73,9 @@ static void iprange_parse_range(const char *oarg, union nf_inet_addr *range, uint8_t family, const char *optname) { - char *arg = strdup(oarg); + char *arg = xtables_strdup(oarg); char *dash; - if (arg == NULL) - xtables_error(RESOURCE_PROBLEM, "strdup"); dash = strchr(arg, '-'); if (dash == NULL) { iprange_parse_spec(arg, arg, range, family, optname); @@ -319,16 +317,14 @@ const struct xt_xlate_mt_params *params) { const struct ipt_iprange_info *info = (const void *)params->match->data; - char *space = ""; if (info->flags & IPRANGE_SRC) { xt_xlate_add(xl, "ip saddr%s", info->flags & IPRANGE_SRC_INV ? " !=" : ""); print_iprange_xlate(&info->src, xl); - space = " "; } if (info->flags & IPRANGE_DST) { - xt_xlate_add(xl, "%sip daddr%s", space, + xt_xlate_add(xl, "ip daddr%s", info->flags & IPRANGE_DST_INV ? " !=" : ""); print_iprange_xlate(&info->dst, xl); } @@ -341,7 +337,6 @@ { const struct xt_iprange_mtinfo *info = (const void *)params->match->data; - char *space = ""; if (info->flags & IPRANGE_SRC) { xt_xlate_add(xl, "ip saddr%s %s", @@ -349,10 +344,9 @@ xtables_ipaddr_to_numeric(&info->src_min.in)); xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&info->src_max.in)); - space = " "; } if (info->flags & IPRANGE_DST) { - xt_xlate_add(xl, "%sip daddr%s %s", space, + xt_xlate_add(xl, "ip daddr%s %s", info->flags & IPRANGE_DST_INV ? " !=" : "", xtables_ipaddr_to_numeric(&info->dst_min.in)); xt_xlate_add(xl, "-%s", @@ -367,7 +361,6 @@ { const struct xt_iprange_mtinfo *info = (const void *)params->match->data; - char *space = ""; if (info->flags & IPRANGE_SRC) { xt_xlate_add(xl, "ip6 saddr%s %s", 
@@ -375,10 +368,9 @@ xtables_ip6addr_to_numeric(&info->src_min.in6)); xt_xlate_add(xl, "-%s", xtables_ip6addr_to_numeric(&info->src_max.in6)); - space = " "; } if (info->flags & IPRANGE_DST) { - xt_xlate_add(xl, "%sip6 daddr%s %s", space, + xt_xlate_add(xl, "ip6 daddr%s %s", info->flags & IPRANGE_DST_INV ? " !=" : "", xtables_ip6addr_to_numeric(&info->dst_min.in6)); xt_xlate_add(xl, "-%s",
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_iprange.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_iprange.txlate
Changed
@@ -1,14 +1,14 @@
 iptables-translate -A INPUT -m iprange --src-range 192.168.25.149-192.168.25.151 -j ACCEPT
-nft add rule ip filter INPUT ip saddr 192.168.25.149-192.168.25.151 counter accept
+nft 'add rule ip filter INPUT ip saddr 192.168.25.149-192.168.25.151 counter accept'
 
 iptables-translate -A INPUT -m iprange --dst-range 192.168.25.149-192.168.25.151 -j ACCEPT
-nft add rule ip filter INPUT ip daddr 192.168.25.149-192.168.25.151 counter accept
+nft 'add rule ip filter INPUT ip daddr 192.168.25.149-192.168.25.151 counter accept'
 
 iptables-translate -A INPUT -m iprange --dst-range 3.3.3.3-6.6.6.6 --src-range 4.4.4.4-7.7.7.7 -j ACCEPT
-nft add rule ip filter INPUT ip saddr 4.4.4.4-7.7.7.7 ip daddr 3.3.3.3-6.6.6.6 counter accept
+nft 'add rule ip filter INPUT ip saddr 4.4.4.4-7.7.7.7 ip daddr 3.3.3.3-6.6.6.6 counter accept'
 
 ip6tables-translate -A INPUT -m iprange ! --dst-range ::2d01-::2d03 -j ACCEPT
-nft add rule ip6 filter INPUT ip6 daddr != ::2d01-::2d03 counter accept
+nft 'add rule ip6 filter INPUT ip6 daddr != ::2d01-::2d03 counter accept'
 
 ip6tables-translate -A INPUT -m iprange ! --dst-range ::2d01-::2d03 --src-range ::2d01-::2d03 -j ACCEPT
-nft add rule ip6 filter INPUT ip6 saddr ::2d01-::2d03 ip6 daddr != ::2d01-::2d03 counter accept
+nft 'add rule ip6 filter INPUT ip6 saddr ::2d01-::2d03 ip6 daddr != ::2d01-::2d03 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_length.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_length.t
Changed
@@ -2,7 +2,7 @@
 -m length --length 1;=;OK
 -m length --length :2;-m length --length 0:2;OK
 -m length --length 0:3;=;OK
--m length --length 4:;=;OK
+-m length --length 4:;-m length --length 4:65535;OK
 -m length --length 0:65535;=;OK
 -m length ! --length 0:65535;=;OK
 -m length --length 0:65536;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_length.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_length.txlate
Changed
@@ -1,11 +1,11 @@
 iptables-translate -A INPUT -p icmp -m length --length 86:0xffff -j DROP
-nft add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop
+nft 'add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop'
 
 iptables-translate -A INPUT -p udp -m length --length :400
-nft add rule ip filter INPUT ip protocol udp meta length 0-400 counter
+nft 'add rule ip filter INPUT ip protocol udp meta length 0-400 counter'
 
 iptables-translate -A INPUT -p udp -m length --length 40
-nft add rule ip filter INPUT ip protocol udp meta length 40 counter
+nft 'add rule ip filter INPUT ip protocol udp meta length 40 counter'
 
 iptables-translate -A INPUT -p udp -m length ! --length 40
-nft add rule ip filter INPUT ip protocol udp meta length != 40 counter
+nft 'add rule ip filter INPUT ip protocol udp meta length != 40 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_limit.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_limit.c
Changed
@@ -77,7 +77,7 @@ * The rate maps to infinity. (1/day is the minimum they can * specify, so we are ok at that end). */ - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); + xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"", rate); return 1; } @@ -93,7 +93,7 @@ /* FIXME: handle overflow: if (r->avg*r->burst/r->burst != r->avg) xtables_error(PARAMETER_PROBLEM, - "Sorry: burst too large for that avg rate.\n"); + "Sorry: burst too large for that avg rate."); */ static void limit_parse(struct xt_option_call *cb)
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_limit.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_limit.txlate
Changed
@@ -1,8 +1,8 @@
 iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
-nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter
+nft 'add rule ip filter INPUT limit rate 3/minute burst 3 packets counter'
 
 iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
-nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter
+nft 'add rule ip filter INPUT limit rate 10/second burst 5 packets counter'
 
 iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
-nft add rule ip filter INPUT limit rate 10/second counter
+nft 'add rule ip filter INPUT limit rate 10/second counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_mac.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_mac.c
Changed
@@ -42,10 +42,10 @@ { const struct xt_mac_info *info = (void *)match->data; - printf(" MAC"); + printf(" MAC "); if (info->invert) - printf(" !"); + printf("! "); xtables_print_mac(info->srcaddr); }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_mac.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_mac.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A INPUT -m mac --mac-source 0a:12:3e:4f:b2:c6 -j DROP
-nft add rule ip filter INPUT ether saddr 0a:12:3e:4f:b2:c6 counter drop
+nft 'add rule ip filter INPUT ether saddr 0a:12:3e:4f:b2:c6 counter drop'
 
 iptables-translate -A INPUT -p tcp --dport 80 -m mac --mac-source 0a:12:3e:4f:b2:c6 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 ether saddr 0a:12:3e:4f:b2:c6 counter accept
+nft 'add rule ip filter INPUT tcp dport 80 ether saddr 0a:12:3e:4f:b2:c6 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_mark.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_mark.t
Changed
@@ -1,7 +1,8 @@
 :INPUT,FORWARD,OUTPUT
 -m mark --mark 0xfeedcafe/0xfeedcafe;=;OK
--m mark --mark 0;=;OK
+-m mark --mark 0x0;=;OK
 -m mark --mark 4294967295;-m mark --mark 0xffffffff;OK
 -m mark --mark 4294967296;;FAIL
 -m mark --mark -1;;FAIL
 -m mark;;FAIL
+-s 1.2.0.0/15 -m mark --mark 0x0/0xff0;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_mark.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_mark.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -I INPUT -p tcp -m mark ! --mark 0xa/0xa
-nft insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter
+nft 'insert rule ip filter INPUT ip protocol tcp mark and 0xa != 0xa counter'
 
 iptables-translate -I INPUT -p tcp -m mark ! --mark 0x1
-nft insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter
+nft 'insert rule ip filter INPUT ip protocol tcp mark != 0x1 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_multiport.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_multiport.c
Changed
@@ -87,8 +87,7 @@ char *buffer, *cp, *next; unsigned int i; - buffer = strdup(portstring); - if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); + buffer = xtables_strdup(portstring); for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++) { @@ -109,8 +108,7 @@ char *buffer, *cp, *next, *range; unsigned int i; - buffer = strdup(portstring); - if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); + buffer = xtables_strdup(portstring); for (i=0; i<XT_MULTI_PORTS; i++) multiinfo->pflagsi = 0; @@ -467,7 +465,8 @@ } static int __multiport_xlate(struct xt_xlate *xl, - const struct xt_xlate_mt_params *params) + const struct xt_xlate_mt_params *params, + uint8_t proto) { const struct xt_multiport *multiinfo = (const struct xt_multiport *)params->match->data; @@ -481,14 +480,24 @@ xt_xlate_add(xl, " dport "); break; case XT_MULTIPORT_EITHER: - return 0; + xt_xlate_add(xl, " sport . %s dport { ", proto_to_name(proto)); + for (i = 0; i < multiinfo->count; i++) { + if (i != 0) + xt_xlate_add(xl, ", "); + + xt_xlate_add(xl, "0-65535 . %u, %u . 0-65535", + multiinfo->portsi, multiinfo->portsi); + } + xt_xlate_add(xl, " }"); + + return 1; } if (multiinfo->count > 1) xt_xlate_add(xl, "{ "); for (i = 0; i < multiinfo->count; i++) - xt_xlate_add(xl, "%s%u", i ? "," : "", multiinfo->portsi); + xt_xlate_add(xl, "%s%u", i ? ", " : "", multiinfo->portsi); if (multiinfo->count > 1) xt_xlate_add(xl, "}"); @@ -502,7 +511,7 @@ uint8_t proto = ((const struct ipt_ip *)params->ip)->proto; xt_xlate_add(xl, "%s", proto_to_name(proto)); - return __multiport_xlate(xl, params); + return __multiport_xlate(xl, params, proto); } static int multiport_xlate6(struct xt_xlate *xl, 
@@ -511,11 +520,12 @@ uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto; xt_xlate_add(xl, "%s", proto_to_name(proto)); - return __multiport_xlate(xl, params); + return __multiport_xlate(xl, params, proto); } static int __multiport_xlate_v1(struct xt_xlate *xl, - const struct xt_xlate_mt_params *params) + const struct xt_xlate_mt_params *params, + uint8_t proto) { const struct xt_multiport_v1 *multiinfo = (const struct xt_multiport_v1 *)params->match->data; @@ -529,7 +539,17 @@ xt_xlate_add(xl, " dport "); break; case XT_MULTIPORT_EITHER: - return 0; + xt_xlate_add(xl, " sport . %s dport { ", proto_to_name(proto)); + for (i = 0; i < multiinfo->count; i++) { + if (i != 0) + xt_xlate_add(xl, ", "); + + xt_xlate_add(xl, "0-65535 . %u, %u . 0-65535", + multiinfo->portsi, multiinfo->portsi); + } + xt_xlate_add(xl, " }"); + + return 1; } if (multiinfo->invert) @@ -540,7 +560,7 @@ xt_xlate_add(xl, "{ "); for (i = 0; i < multiinfo->count; i++) { - xt_xlate_add(xl, "%s%u", i ? "," : "", multiinfo->portsi); + xt_xlate_add(xl, "%s%u", i ? ", " : "", multiinfo->portsi); if (multiinfo->pflagsi) xt_xlate_add(xl, "-%u", multiinfo->ports++i); } @@ -558,7 +578,7 @@ uint8_t proto = ((const struct ipt_ip *)params->ip)->proto; xt_xlate_add(xl, "%s", proto_to_name(proto)); - return __multiport_xlate_v1(xl, params); + return __multiport_xlate_v1(xl, params, proto); } static int multiport_xlate6_v1(struct xt_xlate *xl, @@ -567,7 +587,7 @@ uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto; xt_xlate_add(xl, "%s", proto_to_name(proto)); - return __multiport_xlate_v1(xl, params); + return __multiport_xlate_v1(xl, params, proto); } static struct xtables_match multiport_mt_reg = {
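Review bot: In the `@@ -529,7 +539,17 @@` hunk, the new `XT_MULTIPORT_EITHER` branch of `__multiport_xlate_v1` returns before the `if (multiinfo->invert)` check that follows the switch, so a negated `! --ports` rule is translated as a positive match. It also prints `multiinfo->ports[i]` on its own, whereas the v1 format stores a range as two adjacent entries flagged in `pflags` — the generic loop further down in the same function consumes them with `ports[++i]` — so `--ports 80:88` is rendered as the two single ports 80 and 88 instead of a range. Both cases silently change the meaning of the translated rule; the branch should add the `!=` when `multiinfo->invert` is set and, when `pflags[i]` is set, emit `ports[i]-ports[i + 1]` in both halves of the concatenation and skip the next entry. The v0 variant in the preceding hunk has neither inversion nor ranges and is unaffected.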
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_multiport.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_multiport.txlate
Changed
@@ -1,11 +1,14 @@
 iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT
-nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept
+nft 'add rule ip filter INPUT ip protocol tcp tcp dport { 80, 81 } counter accept'
 
 iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT
-nft add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept
+nft 'add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept'
 
 iptables-translate -t filter -A INPUT -p tcp -m multiport ! --dports 80:88 -j ACCEPT
-nft add rule ip filter INPUT ip protocol tcp tcp dport != 80-88 counter accept
+nft 'add rule ip filter INPUT ip protocol tcp tcp dport != 80-88 counter accept'
 
 iptables-translate -t filter -A INPUT -p tcp -m multiport --sports 50 -j ACCEPT
-nft add rule ip filter INPUT ip protocol tcp tcp sport 50 counter accept
+nft 'add rule ip filter INPUT ip protocol tcp tcp sport 50 counter accept'
+
+iptables-translate -t filter -I INPUT -p tcp -m multiport --ports 10
+nft 'insert rule ip filter INPUT ip protocol tcp tcp sport . tcp dport { 0-65535 . 10, 10 . 0-65535 } counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_owner.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_owner.txlate
Changed
@@ -1,8 +1,8 @@
 iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept
+nft 'add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept'
 
 iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 0-10 -j ACCEPT
-nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept
+nft 'add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept'
 
 iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner 1000 -j ACCEPT
-nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept
+nft 'add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_pkttype.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_pkttype.c
Changed
@@ -30,8 +30,8 @@
 {"unicast", PACKET_HOST, 1, "to us"},
 {"broadcast", PACKET_BROADCAST, 1, "to all"},
 {"multicast", PACKET_MULTICAST, 1, "to group"},
-/*
 {"otherhost", PACKET_OTHERHOST, 1, "to someone else"},
+/*
 {"outgoing", PACKET_OUTGOING, 1, "outgoing of any type"},
 */
 /* aliases */
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_pkttype.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_pkttype.txlate
Changed
@@ -1,8 +1,8 @@
 iptables-translate -A INPUT -m pkttype --pkt-type broadcast -j DROP
-nft add rule ip filter INPUT pkttype broadcast counter drop
+nft 'add rule ip filter INPUT pkttype broadcast counter drop'
 
 iptables-translate -A INPUT -m pkttype ! --pkt-type unicast -j DROP
-nft add rule ip filter INPUT pkttype != unicast counter drop
+nft 'add rule ip filter INPUT pkttype != unicast counter drop'
 
 iptables-translate -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-nft add rule ip filter INPUT pkttype multicast counter accept
+nft 'add rule ip filter INPUT pkttype multicast counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_policy.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_policy.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A INPUT -m policy --pol ipsec --dir in
-nft add rule ip filter INPUT meta secpath exists counter
+nft 'add rule ip filter INPUT meta secpath exists counter'
 
 iptables-translate -A INPUT -m policy --pol none --dir in
-nft add rule ip filter INPUT meta secpath missing counter
+nft 'add rule ip filter INPUT meta secpath missing counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_quota.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_quota.txlate
Changed
@@ -1,5 +1,5 @@
 iptables-translate -A OUTPUT -m quota --quota 111
-nft add rule ip filter OUTPUT quota 111 bytes counter
+nft 'add rule ip filter OUTPUT quota 111 bytes counter'
 
 iptables-translate -A OUTPUT -m quota ! --quota 111
-nft add rule ip filter OUTPUT quota over 111 bytes counter
+nft 'add rule ip filter OUTPUT quota over 111 bytes counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_recent.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_recent.t
Changed
@@ -1,8 +1,8 @@
 :INPUT,FORWARD,OUTPUT
--m recent --set;=;OK
+-m recent --set;-m recent --set --name DEFAULT --mask 255.255.255.255 --rsource;OK
 -m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
 -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --update --rttl;=;OK
+-m recent --update --rttl;-m recent --update --rttl --name DEFAULT --mask 255.255.255.255 --rsource;OK
 -m recent --set --rttl;;FAIL
 -m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;;FAIL
 # nonsensical, but all should load successfully:
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_rpfilter.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_rpfilter.txlate
Changed
@@ -1,8 +1,8 @@
 iptables-translate -t mangle -A PREROUTING -m rpfilter
-nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter
+nft 'add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter'
 
 iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark --loose
-nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter
+nft 'add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter'
 
 ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark --invert
-nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter
+nft 'add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_sctp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_sctp.c
Changed
@@ -69,7 +69,7 @@ char *buffer; char *cp; - buffer = strdup(portstring); + buffer = xtables_strdup(portstring); DEBUGP("%s\n", portstring); if ((cp = strchr(buffer, ':')) == NULL) { ports0 = ports1 = xtables_parse_port(buffer, "sctp"); 
@@ -92,28 +92,33 @@ const char *name; unsigned int chunk_type; const char *valid_flags; + const char *nftname; }; /*'ALL' and 'NONE' will be treated specially. */ static const struct sctp_chunk_names sctp_chunk_names -= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"}, - { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"}, - { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"}, - { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"}, - { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"}, - { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"}, - { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"}, - { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"}, - { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"}, - { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"}, - { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"}, - { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"}, - { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"}, - { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"}, - { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"}, - { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"}, - { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"}, - { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"}, += { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE", .nftname = "data" }, + { .name = "INIT", .chunk_type = 1, .valid_flags = "--------", .nftname = "init" }, + { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------", .nftname = "init-ack" }, + { .name = "SACK", .chunk_type = 3, .valid_flags = "--------", .nftname = "sack" }, + { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------", .nftname = "heartbeat" }, + { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------", 
.nftname = "heartbeat-ack" }, + { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T", .nftname = "abort" }, + { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------", .nftname = "shutdown" }, + { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------", .nftname = "shutdown-ack" }, + { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------", .nftname = "error" }, + { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------", .nftname = "cookie-echo" }, + { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------", .nftname = "cookie-ack" }, + { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" }, + { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" }, + { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" }, + { .name = "I_DATA", .chunk_type = 64, .valid_flags = "----IUBE", .nftname = "i-data"}, + { .name = "RE_CONFIG", .chunk_type = 130, .valid_flags = "--------", .nftname = "re-config"}, + { .name = "PAD", .chunk_type = 132, .valid_flags = "--------", .nftname = "pad"}, + { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" }, + { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" }, + { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" }, + { .name = "I_FORWARD_TSN", .chunk_type = 194, .valid_flags = "--------", .nftname = "i-forward-tsn" }, }; static void 
@@ -139,10 +144,8 @@ } if (*flag_count == XT_NUM_SCTP_FLAGS) { - xtables_error (PARAMETER_PROBLEM, - "Number of chunk types with flags exceeds currently allowed limit." - "Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and" - "recompiling both the kernel space and user space modules\n"); + xtables_error(PARAMETER_PROBLEM, + "Number of chunk types with flags exceeds currently allowed limit. Increasing this limit involves changing IPT_NUM_SCTP_FLAGS and recompiling both the kernel space and user space modules"); } flag_info*flag_count.chunktype = chunktype; @@ -163,7 +166,7 @@ int found = 0; char *chunk_flags; - buffer = strdup(chunks); + buffer = xtables_strdup(chunks); DEBUGP("Buffer: %s\n", buffer); SCTP_CHUNKMAP_RESET(einfo->chunkmap); @@ -214,7 +217,8 @@ isupper(chunk_flagsj)); } else { xtables_error(PARAMETER_PROBLEM, - "Invalid flags for chunk type %d\n", i); + "Invalid flags for chunk type %d", + i); } } } 
@@ -485,41 +489,85 @@ } } +static void sctp_xlate_chunk(struct xt_xlate *xl, + const struct xt_sctp_info *einfo, + const struct sctp_chunk_names *scn) +{ + bool inv = einfo->invflags & XT_SCTP_CHUNK_TYPES; + const struct xt_sctp_flag_info *flag_info = NULL; + int i; + + if (!scn->nftname) + return; + + if (!SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, scn->chunk_type)) { + if (einfo->chunk_match_type != SCTP_CHUNK_MATCH_ONLY) + return; + + xt_xlate_add(xl, "sctp chunk %s %s", + scn->nftname, inv ? "exists" : "missing"); + return; + } + + for (i = 0; i < einfo->flag_count; i++) { + if (einfo->flag_infoi.chunktype == scn->chunk_type) { + flag_info = &einfo->flag_infoi; + break; + } + } + + if (!flag_info) { + xt_xlate_add(xl, "sctp chunk %s %s", + scn->nftname, inv ? "missing" : "exists"); + return; + } + + xt_xlate_add(xl, "sctp chunk %s flags & 0x%x %s 0x%x", + scn->nftname, flag_info->flag_mask, + inv ? "!=" : "==", flag_info->flag); +} + static int sctp_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct xt_sctp_info *einfo = (const struct xt_sctp_info *)params->match->data; - char *space = ""; if (!einfo->flags) return 0; - xt_xlate_add(xl, "sctp "); - if (einfo->flags & XT_SCTP_SRC_PORTS) { if (einfo->spts0 != einfo->spts1) - xt_xlate_add(xl, "sport%s %u-%u", + xt_xlate_add(xl, "sctp sport%s %u-%u", einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", einfo->spts0, einfo->spts1); else - xt_xlate_add(xl, "sport%s %u", + xt_xlate_add(xl, "sctp sport%s %u", einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", einfo->spts0); - space = " "; } if (einfo->flags & XT_SCTP_DEST_PORTS) { if (einfo->dpts0 != einfo->dpts1) - xt_xlate_add(xl, "%sdport%s %u-%u", space, + xt_xlate_add(xl, "sctp dport%s %u-%u", einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", einfo->dpts0, einfo->dpts1); else - xt_xlate_add(xl, "%sdport%s %u", space, + xt_xlate_add(xl, "sctp dport%s %u", einfo->invflags & XT_SCTP_DEST_PORTS ? 
" !=" : "", einfo->dpts0); } + if (einfo->flags & XT_SCTP_CHUNK_TYPES) { + int i; + + if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY) + return 0; + + for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++) + sctp_xlate_chunk(xl, einfo, &sctp_chunk_namesi); + } + return 1; }
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_sctp.man -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_sctp.man
Changed
@@ -8,12 +8,25 @@ The flag letter in upper case indicates that the flag is to match if set, in the lower case indicates to match if unset. -Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN +Match types: +.TP +all +Match if all given chunk types are present and flags match. +.TP +any +Match if any of the given chunk types is present with given flags. +.TP +only +Match if only the given chunk types are present with given flags and none are missing. + +Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN chunk type available flags .br DATA I U B E i u b e .br +I_DATA I U B E i u b e +.br ABORT T t .br SHUTDOWN_COMPLETE T t
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_sctp.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_sctp.t
Changed
@@ -27,3 +27,7 @@ -p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK -p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK -p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK +-p sctp -m sctp --chunk-types all I_DATA;=;OK +-p sctp -m sctp --chunk-types all RE_CONFIG;=;OK +-p sctp -m sctp --chunk-types all PAD;=;OK +-p sctp -m sctp --chunk-types all I_FORWARD_TSN;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_sctp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_sctp.txlate
Changed
@@ -1,38 +1,44 @@ iptables-translate -A INPUT -p sctp --dport 80 -j DROP -nft add rule ip filter INPUT sctp dport 80 counter drop +nft 'add rule ip filter INPUT sctp dport 80 counter drop' iptables-translate -A INPUT -p sctp --sport 50 -j DROP -nft add rule ip filter INPUT sctp sport 50 counter drop +nft 'add rule ip filter INPUT sctp sport 50 counter drop' iptables-translate -A INPUT -p sctp ! --dport 80 -j DROP -nft add rule ip filter INPUT sctp dport != 80 counter drop +nft 'add rule ip filter INPUT sctp dport != 80 counter drop' iptables-translate -A INPUT -p sctp ! --sport 50 -j DROP -nft add rule ip filter INPUT sctp sport != 50 counter drop +nft 'add rule ip filter INPUT sctp sport != 50 counter drop' iptables-translate -A INPUT -p sctp --sport 80:100 -j ACCEPT -nft add rule ip filter INPUT sctp sport 80-100 counter accept +nft 'add rule ip filter INPUT sctp sport 80-100 counter accept' iptables-translate -A INPUT -p sctp --dport 50:56 -j ACCEPT -nft add rule ip filter INPUT sctp dport 50-56 counter accept +nft 'add rule ip filter INPUT sctp dport 50-56 counter accept' iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT -nft add rule ip filter INPUT sctp sport != 80-100 counter accept +nft 'add rule ip filter INPUT sctp sport != 80-100 counter accept' iptables-translate -A INPUT -p sctp ! 
--dport 50:56 -j ACCEPT -nft add rule ip filter INPUT sctp dport != 50-56 counter accept +nft 'add rule ip filter INPUT sctp dport != 50-56 counter accept' iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT -nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept +nft 'add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept' iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT -nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept +nft 'add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept' iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT -nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept +nft 'add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept' iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT -nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept +nft 'add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept' iptables-translate -A INPUT -p sctp --dport 80 ! 
--sport 50:55 -j ACCEPT -nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept +nft 'add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept' + +iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:T -j ACCEPT +nft 'add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept' + +iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT +nft 'add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk i-data missing sctp chunk re-config missing sctp chunk pad missing sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing sctp chunk i-forward-tsn missing counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_set.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_set.c
Changed
@@ -22,6 +22,12 @@ #include <linux/netfilter/xt_set.h> #include "libxt_set.h" +#ifdef DEBUG +#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +#else +#define DEBUGP(x, args...) +#endif + /* Revision 0 */ static void @@ -328,8 +334,7 @@ if (!xtables_strtoul(opt, NULL, &value, 0, UINT64_MAX)) xtables_error(PARAMETER_PROBLEM, - "Cannot parse %s as a counter value\n", - opt); + "Cannot parse %s as a counter value", opt); return (uint64_t)value; } 
@@ -348,60 +353,54 @@ case '0': if (info->bytes.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --bytes-eq|lt|gt" - " is allowed\n"); + "only one of the --bytes-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--bytes-gt option cannot be inverted\n"); + "--bytes-gt option cannot be inverted"); info->bytes.op = IPSET_COUNTER_GT; info->bytes.value = parse_counter(optarg); break; case '9': if (info->bytes.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --bytes-eq|lt|gt" - " is allowed\n"); + "only one of the --bytes-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--bytes-lt option cannot be inverted\n"); + "--bytes-lt option cannot be inverted"); info->bytes.op = IPSET_COUNTER_LT; info->bytes.value = parse_counter(optarg); break; case '8': if (info->bytes.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --bytes-eq|lt|gt" - " is allowed\n"); + "only one of the --bytes-eq|lt|gt is allowed"); info->bytes.op = invert ? 
IPSET_COUNTER_NE : IPSET_COUNTER_EQ; info->bytes.value = parse_counter(optarg); break; case '7': if (info->packets.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --packets-eq|lt|gt" - " is allowed\n"); + "only one of the --packets-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--packets-gt option cannot be inverted\n"); + "--packets-gt option cannot be inverted"); info->packets.op = IPSET_COUNTER_GT; info->packets.value = parse_counter(optarg); break; case '6': if (info->packets.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --packets-eq|lt|gt" - " is allowed\n"); + "only one of the --packets-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--packets-lt option cannot be inverted\n"); + "--packets-lt option cannot be inverted"); info->packets.op = IPSET_COUNTER_LT; info->packets.value = parse_counter(optarg); break; case '5': if (info->packets.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --packets-eq|lt|gt" - " is allowed\n"); + "only one of the --packets-eq|lt|gt is allowed"); info->packets.op = invert ? IPSET_COUNTER_NE : IPSET_COUNTER_EQ; info->packets.value = parse_counter(optarg); break; @@ -412,7 +411,7 @@ case '3': if (invert) xtables_error(PARAMETER_PROBLEM, - "--return-nomatch flag cannot be inverted\n"); + "--return-nomatch flag cannot be inverted"); info->flags |= IPSET_FLAG_RETURN_NOMATCH; break; case '2': 
@@ -517,60 +516,54 @@ case '0': if (info->bytes.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --bytes-eq|lt|gt" - " is allowed\n"); + "only one of the --bytes-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--bytes-gt option cannot be inverted\n"); + "--bytes-gt option cannot be inverted"); info->bytes.op = IPSET_COUNTER_GT; info->bytes.value = parse_counter(optarg); break; case '9': if (info->bytes.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --bytes-eq|lt|gt" - " is allowed\n"); + "only one of the --bytes-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--bytes-lt option cannot be inverted\n"); + "--bytes-lt option cannot be inverted"); info->bytes.op = IPSET_COUNTER_LT; info->bytes.value = parse_counter(optarg); break; case '8': if (info->bytes.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --bytes-eq|lt|gt" - " is allowed\n"); + "only one of the --bytes-eq|lt|gt is allowed"); info->bytes.op = invert ? 
IPSET_COUNTER_NE : IPSET_COUNTER_EQ; info->bytes.value = parse_counter(optarg); break; case '7': if (info->packets.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --packets-eq|lt|gt" - " is allowed\n"); + "only one of the --packets-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--packets-gt option cannot be inverted\n"); + "--packets-gt option cannot be inverted"); info->packets.op = IPSET_COUNTER_GT; info->packets.value = parse_counter(optarg); break; case '6': if (info->packets.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --packets-eq|lt|gt" - " is allowed\n"); + "only one of the --packets-eq|lt|gt is allowed"); if (invert) xtables_error(PARAMETER_PROBLEM, - "--packets-lt option cannot be inverted\n"); + "--packets-lt option cannot be inverted"); info->packets.op = IPSET_COUNTER_LT; info->packets.value = parse_counter(optarg); break; case '5': if (info->packets.op != IPSET_COUNTER_NONE) xtables_error(PARAMETER_PROBLEM, - "only one of the --packets-eq|lt|gt" - " is allowed\n"); + "only one of the --packets-eq|lt|gt is allowed"); info->packets.op = invert ? IPSET_COUNTER_NE : IPSET_COUNTER_EQ; info->packets.value = parse_counter(optarg); break; @@ -581,7 +574,7 @@ case '3': if (invert) xtables_error(PARAMETER_PROBLEM, - "--return-nomatch flag cannot be inverted\n"); + "--return-nomatch flag cannot be inverted"); info->flags |= IPSET_FLAG_RETURN_NOMATCH; break; case '2':
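Review bot: The counter-option cases in the two parse functions (hunks at -348 and -517) are identical line for line, and this commit had to edit every error string twice; assuming both `info` types carry the same `bytes`/`packets` counter structs, a small static helper taking the counter struct plus `invert`, `optarg` and the option name would keep the two revisions from drifting. The first hunk also introduces `DEBUGP` without an `#ifndef DEBUGP` guard; if any header this file still includes defines the same macro the compiler will warn about a redefinition, so wrapping the block in `#ifndef DEBUGP` is cheap insurance. Both switch statements begin and end outside the hunks.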
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_set.h -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_set.h
Changed
@@ -6,7 +6,6 @@ #include <sys/types.h> #include <sys/socket.h> #include <errno.h> -#include "../iptables/xshared.h" static int get_version(unsigned *version) @@ -141,7 +140,7 @@ static void parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info) { - char *saved = strdup(opt_arg); + char *saved = xtables_strdup(opt_arg); char *ptr, *tmp = saved; int i = 0; @@ -167,7 +166,7 @@ static void parse_dirs(const char *opt_arg, struct xt_set_info *info) { - char *saved = strdup(opt_arg); + char *saved = xtables_strdup(opt_arg); char *ptr, *tmp = saved; while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_standard.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_standard.t
Changed
@@ -9,3 +9,15 @@ -j ACCEPT;=;OK -j RETURN;=;OK ! -p 0 -j ACCEPT;=;FAIL +-s 10.11.12.13/8;-s 10.0.0.0/8;OK +-s 10.11.12.13/9;-s 10.0.0.0/9;OK +-s 10.11.12.13/10;-s 10.0.0.0/10;OK +-s 10.11.12.13/11;-s 10.0.0.0/11;OK +-s 10.11.12.13/12;-s 10.0.0.0/12;OK +-s 10.11.12.13/30;-s 10.11.12.12/30;OK +-s 10.11.12.13/31;-s 10.11.12.12/31;OK +-s 10.11.12.13/32;-s 10.11.12.13/32;OK +-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK +-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK +-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK +-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_statistic.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_statistic.c
Changed
@@ -141,13 +141,19 @@ switch (info->mode) { case XT_STATISTIC_MODE_RANDOM: - return 0; + xt_xlate_add(xl, "meta random & %u %s %u", + INT_MAX, + info->flags & XT_STATISTIC_INVERT ? ">=" : "<", + info->u.random.probability); + break; case XT_STATISTIC_MODE_NTH: xt_xlate_add(xl, "numgen inc mod %u %s%u", info->u.nth.every + 1, info->flags & XT_STATISTIC_INVERT ? "!= " : "", info->u.nth.packet); break; + default: + return 0; } return 1;
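Review bot: The `& %u` mask with `INT_MAX` in the new random-mode branch is not self-explanatory; a comment such as `/* the stored probability is scaled to a 31-bit range, so mask meta random to the same range */` would tell the reader why the mask is INT_MAX rather than the full 32 bits (the .txlate change in this commit shows 0.1 becoming 214748365, i.e. 0.1 * 2^31). `INT_MAX` also needs `<limits.h>`; if it is not already included at the top of the file, which is outside the hunk, add it. The inverted form `>=` is the exact complement of `<`, which reads right. The enclosing xlate function starts and ends outside the hunk.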
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_statistic.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_statistic.txlate
Changed
@@ -1,8 +1,8 @@ iptables-translate -A OUTPUT -m statistic --mode nth --every 10 --packet 1 -nft add rule ip filter OUTPUT numgen inc mod 10 1 counter +nft 'add rule ip filter OUTPUT numgen inc mod 10 1 counter' iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 --packet 5 -nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter +nft 'add rule ip filter OUTPUT numgen inc mod 10 != 5 counter' iptables-translate -A OUTPUT -m statistic --mode random --probability 0.1 -nft # -A OUTPUT -m statistic --mode random --probability 0.1 +nft 'add rule ip filter OUTPUT meta random & 2147483647 < 214748365 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_string.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_string.c
Changed
@@ -78,14 +78,13 @@ static void parse_string(const char *s, struct xt_string_info *info) -{ +{ /* xt_string does not need \0 at the end of the pattern */ - if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) { - strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE); - info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE); - return; - } - xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); + if (strlen(s) > sizeof(info->pattern)) + xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); + + info->patlen = strnlen(s, sizeof(info->pattern)); + memcpy(info->pattern, s, info->patlen); } static void @@ -269,7 +268,7 @@ printf(" ALGO name %s", info->algo); if (info->from_offset != 0) printf(" FROM %u", info->from_offset); - if (info->to_offset != 0) + if (info->to_offset != UINT16_MAX) printf(" TO %u", info->to_offset); if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE) printf(" ICASE"); @@ -293,7 +292,7 @@ printf(" --algo %s", info->algo); if (info->from_offset != 0) printf(" --from %u", info->from_offset); - if (info->to_offset != 0) + if (info->to_offset != UINT16_MAX) printf(" --to %u", info->to_offset); if (revision > 0 && info->u.v1.flags & XT_STRING_FLAG_IGNORECASE) printf(" --icase");
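Review bot: `parse_string` now walks `s` twice, once with `strlen` for the bound check and again with `strnlen` for `patlen`; one `size_t len = strlen(s);` can serve both, `if (len > sizeof(info->pattern)) xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);`, then `info->patlen = len; memcpy(info->pattern, s, len);`. The bounded `memcpy` of at most `sizeof(info->pattern)` bytes with no terminating NUL is consistent with the comment that xt_string does not need one, and the libxt_string.t changes in this commit accept a pattern of exactly the limit and reject one byte more, which matches. The `to_offset != UINT16_MAX` checks in print and save assume the default `to_offset` is now set to UINT16_MAX in the init path outside this diff; worth confirming both revisions' init functions do so.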
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_string.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_string.t
Changed
@@ -1,18 +1,11 @@ :INPUT,FORWARD,OUTPUT -# ERROR: cannot find: iptables -I INPUT -m string --algo bm --string "test" -# -m string --algo bm --string "test";=;OK -# ERROR: cannot find: iptables -I INPUT -m string --algo kmp --string "test") -# -m string --algo kmp --string "test";=;OK -# ERROR: cannot find: iptables -I INPUT -m string --algo kmp ! --string "test" -# -m string --algo kmp ! --string "test";=;OK -# cannot find: iptables -I INPUT -m string --algo bm --string "xxxxxxxxxxx" .... -# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK -# ERROR: cannot load: iptables -A INPUT -m string --algo bm --string "xxxx" -# -m string --algo bm --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";=;OK -# ERROR: cannot load: iptables -A INPUT -m string --algo bm --hexstring "|0a0a0a0a|" -# -m string --algo bm --hexstring "|0a0a0a0a|";=;OK -# ERROR: cannot find: iptables -I INPUT -m string --algo bm --from 0 --to 65535 --string "test" -# -m string --algo bm --from 0 --to 65535 --string "test";=;OK +-m string --algo bm --string "test";-m string --string "test" --algo bm;OK +-m string --string "test" --algo kmp;=;OK +-m string ! --string "test" --algo kmp;=;OK +-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK +-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL +-m string --hex-string "|0a0a0a0a|" --algo bm;=;OK +-m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK -m string --algo wrong;;FAIL -m string --algo bm;;FAIL -m string;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_tcp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_tcp.c
Changed
@@ -43,7 +43,7 @@ char *buffer; char *cp; - buffer = strdup(portstring); + buffer = xtables_strdup(portstring); if ((cp = strchr(buffer, ':')) == NULL) ports0 = ports1 = xtables_parse_port(buffer, "tcp"); else { @@ -83,7 +83,7 @@ char *ptr; char *buffer; - buffer = strdup(flags); + buffer = xtables_strdup(flags); for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { unsigned int i; @@ -380,10 +380,9 @@ for (i = 0; (flags & tcp_flag_names_xlatei.flag) == 0; i++); - if (have_flag) - xt_xlate_add(xl, "|"); - - xt_xlate_add(xl, "%s", tcp_flag_names_xlatei.name); + xt_xlate_add(xl, "%s%s", + have_flag ? "," : "", + tcp_flag_names_xlatei.name); have_flag = 1; flags &= ~tcp_flag_names_xlatei.flag; @@ -398,7 +397,6 @@ { const struct xt_tcp *tcpinfo = (const struct xt_tcp *)params->match->data; - char *space= ""; if (tcpinfo->spts0 != 0 || tcpinfo->spts1 != 0xffff) { if (tcpinfo->spts0 != tcpinfo->spts1) { 
@@ -412,34 +410,33 @@ "!= " : "", tcpinfo->spts0); } - space = " "; } if (tcpinfo->dpts0 != 0 || tcpinfo->dpts1 != 0xffff) { if (tcpinfo->dpts0 != tcpinfo->dpts1) { - xt_xlate_add(xl, "%stcp dport %s%u-%u", space, + xt_xlate_add(xl, "tcp dport %s%u-%u", tcpinfo->invflags & XT_TCP_INV_DSTPT ? "!= " : "", tcpinfo->dpts0, tcpinfo->dpts1); } else { - xt_xlate_add(xl, "%stcp dport %s%u", space, + xt_xlate_add(xl, "tcp dport %s%u", tcpinfo->invflags & XT_TCP_INV_DSTPT ? "!= " : "", tcpinfo->dpts0); } - space = " "; } - /* XXX not yet implemented */ - if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION)) - return 0; + if (tcpinfo->option) + xt_xlate_add(xl, "tcp option %u %s", tcpinfo->option, + tcpinfo->invflags & XT_TCP_INV_OPTION ? + "missing" : "exists"); if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) { - xt_xlate_add(xl, "%stcp flags & (", space); - print_tcp_xlate(xl, tcpinfo->flg_mask); - xt_xlate_add(xl, ") %s ", - tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "=="); + xt_xlate_add(xl, "tcp flags %s", + tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!= ": ""); print_tcp_xlate(xl, tcpinfo->flg_cmp); + xt_xlate_add(xl, " / "); + print_tcp_xlate(xl, tcpinfo->flg_mask); } return 1;
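Review bot: The new `--tcp-option` translation drops the old guard for an inverted option, so `if (tcpinfo->option)` silently emits nothing when `XT_TCP_INV_OPTION` is set but `option` is 0, where the old code returned 0 (not translatable); unless the parser outside this diff rejects an option number of 0, keep the fallback, `else if (tcpinfo->invflags & XT_TCP_INV_OPTION) return 0;`. In the flags branch, the condition still admits `flg_mask == 0` with `XT_TCP_INV_FLAGS` set, and the rewritten output then prints `tcp flags != ` followed by an empty compare and mask; that predates this change but is worth rejecting now that the format is being reworked. The closing brace of tcp_xlate is outside the hunk.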
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_tcp.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_tcp.t
Changed
@@ -22,5 +22,8 @@ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN;=;OK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST;=;OK +-m tcp --dport 1;;FAIL +-m tcp --dport 1 -p tcp;-p tcp -m tcp --dport 1;OK +-m tcp --dport 1 -p 6;-p tcp -m tcp --dport 1;OK # should we accept this below? -p tcp -m tcp;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_tcp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_tcp.txlate
Changed
@@ -1,26 +1,32 @@ iptables-translate -A INPUT -p tcp -i eth0 --sport 53 -j ACCEPT -nft add rule ip filter INPUT iifname "eth0" tcp sport 53 counter accept +nft 'add rule ip filter INPUT iifname "eth0" tcp sport 53 counter accept' iptables-translate -A OUTPUT -p tcp -o eth0 --dport 53:66 -j DROP -nft add rule ip filter OUTPUT oifname "eth0" tcp dport 53-66 counter drop +nft 'add rule ip filter OUTPUT oifname "eth0" tcp dport 53-66 counter drop' iptables-translate -I OUTPUT -p tcp -d 8.8.8.8 -j ACCEPT -nft insert rule ip filter OUTPUT ip protocol tcp ip daddr 8.8.8.8 counter accept +nft 'insert rule ip filter OUTPUT ip protocol tcp ip daddr 8.8.8.8 counter accept' iptables-translate -I OUTPUT -p tcp --dport 1020:1023 --sport 53 -j ACCEPT -nft insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept +nft 'insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept' iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP -nft add rule ip filter INPUT tcp flags & fin|ack == fin counter drop +nft 'add rule ip filter INPUT tcp flags fin / fin,ack counter drop' iptables-translate -A INPUT -p tcp --syn -j ACCEPT -nft add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn counter accept +nft 'add rule ip filter INPUT tcp flags syn / fin,syn,rst,ack counter accept' iptables-translate -A INPUT -p tcp --syn --dport 80 -j ACCEPT -nft add rule ip filter INPUT tcp dport 80 tcp flags & (fin|syn|rst|ack) == syn counter accept +nft 'add rule ip filter INPUT tcp dport 80 tcp flags syn / fin,syn,rst,ack counter accept' iptables-translate -A INPUT -f -p tcp -nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter +nft 'add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter' iptables-translate -A INPUT ! 
-f -p tcp --dport 22 -nft add rule ip filter INPUT ip frag-off & 0x1fff 0 tcp dport 22 counter +nft 'add rule ip filter INPUT ip frag-off & 0x1fff 0 tcp dport 22 counter' + +iptables-translate -A INPUT -p tcp --tcp-option 23 +nft 'add rule ip filter INPUT tcp option 23 exists counter' + +iptables-translate -A INPUT -p tcp ! --tcp-option 23 +nft 'add rule ip filter INPUT tcp option 23 missing counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_tcpmss.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_tcpmss.c
Changed
@@ -60,6 +60,21 @@ printf("%u:%u", info->mss_min, info->mss_max); } +static int tcpmss_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_tcpmss_match_info *info = (void *)params->match->data; + + xt_xlate_add(xl, "tcp option maxseg size %s", info->invert ? "!= " : ""); + + if (info->mss_min == info->mss_max) + xt_xlate_add(xl, "%u", info->mss_min); + else + xt_xlate_add(xl, "%u-%u", info->mss_min, info->mss_max); + + return 1; +} + static struct xtables_match tcpmss_match = { .family = NFPROTO_UNSPEC, .name = "tcpmss", @@ -71,6 +86,7 @@ .save = tcpmss_save, .x6_parse = tcpmss_parse, .x6_options = tcpmss_opts, + .xlate = tcpmss_xlate, }; void _init(void)
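Review bot: `tcpmss_xlate` casts `params->match->data` through `(void *)`, which silently discards the const qualifier that the sibling xlate callbacks keep, e.g. `(const struct xt_tcp *)params->match->data` in libxt_tcp.c in this same commit; `const struct xt_tcpmss_match_info *info = (const void *)params->match->data;` matches that style. The function also has no comment; a one-liner above it such as `/* --mss [!] min[:max] -> "tcp option maxseg size [!= ]min[-max]" */` documents the mapping that the new libxt_tcpmss.txlate exercises.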
_service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_tcpmss.txlate
Added
@@ -0,0 +1,11 @@ +iptables-translate -A INPUT -m tcpmss --mss 42 +nft 'add rule ip filter INPUT tcp option maxseg size 42 counter' + +iptables-translate -A INPUT -m tcpmss ! --mss 42 +nft 'add rule ip filter INPUT tcp option maxseg size != 42 counter' + +iptables-translate -A INPUT -m tcpmss --mss 42:1024 +nft 'add rule ip filter INPUT tcp option maxseg size 42-1024 counter' + +iptables-translate -A INPUT -m tcpmss ! --mss 1461:65535 +nft 'add rule ip filter INPUT tcp option maxseg size != 1461-65535 counter'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_time.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_time.c
Changed
@@ -466,9 +466,10 @@ const struct xt_time_info *info = (const struct xt_time_info *)params->match->data; unsigned int h, m, s, - i, sep, mask, count; + i, mask, count; time_t tt_start, tt_stop; struct tm *t_start, *t_stop; + const char *sep = ""; if (info->date_start != 0 || info->date_stop != INT_MAX) { @@ -498,7 +499,6 @@ if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS) return 0; if (info->weekdays_match != XT_TIME_ALL_WEEKDAYS) { - sep = 0; mask = info->weekdays_match; count = time_count_weekdays(mask); @@ -507,12 +507,8 @@ xt_xlate_add(xl, "{"); for (i = 1; i <= 7; ++i) if (mask & (1 << i)) { - if (sep) - xt_xlate_add(xl, ",%u", i%7); - else { - xt_xlate_add(xl, "%u", i%7); - ++sep; - } + xt_xlate_add(xl, "%s%u", sep, i%7); + sep = ", "; } if (count > 1) xt_xlate_add(xl, "}");
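Review bot: The `i%7` in the rewritten weekday loop is the only place where iptables' day numbering (Sunday as 7) is folded onto nft's `meta day` numbering (Sunday as 0), and the rewrite leaves it uncommented; the libxt_time.txlate change in this commit shows `Sa,Su` becoming `{ 6, 0 }`. A comment such as `/* xt_time counts Sunday as 7, nft "meta day" as 0 */` on that line would save the next reader a lookup. Moving `sep` to a `const char *` initialised at declaration is fine as long as the weekday block is its only writer, which is all the hunks show; the enclosing xlate function starts and ends outside them.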
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_time.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_time.txlate
Changed
@@ -1,26 +1,26 @@ iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --weekdays Sa,Su -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta day {6,0} counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta day { 6, 0 } counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestart 12:00 -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta hour "12:00:00"-"23:59:59" counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta hour "12:00:00"-"23:59:59" counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestop 12:00 -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta hour "00:00:00"-"12:00:00" counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta hour "00:00:00"-"12:00:00" counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2021 -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta time "2021-01-01 00:00:00"-"2038-01-19 03:14:07" counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta time "2021-01-01 00:00:00"-"2038-01-19 03:14:07" counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestop 2021 -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-01 00:00:00" counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-01 00:00:00" counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestop 2021-01-29T00:00:00 -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-29 00:00:00" counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-29 00:00:00" counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time 
--datestart 2020-01-29T00:00:00 --timestart 12:00 -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"23:59:59" counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"23:59:59" counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {1,2,3,4,5} counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day { 1, 2, 3, 4, 5 } counter reject' iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 ! --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT -nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {6,0} counter reject +nft 'add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day { 6, 0 } counter reject'
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_tos.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_tos.t
Changed
@@ -4,10 +4,10 @@ -m tos --tos Maximize-Reliability;-m tos --tos 0x04/0x3f;OK -m tos --tos Minimize-Cost;-m tos --tos 0x02/0x3f;OK -m tos --tos Normal-Service;-m tos --tos 0x00/0x3f;OK --m tos --tos 0xff;=;OK --m tos ! --tos 0xff;=;OK --m tos --tos 0x00;=;OK --m tos --tos 0x0f;=;OK +-m tos --tos 0xff;-m tos --tos 0xff/0xff;OK +-m tos ! --tos 0xff;-m tos ! --tos 0xff/0xff;OK +-m tos --tos 0x00;-m tos --tos 0x00/0xff;OK +-m tos --tos 0x0f;-m tos --tos 0x0f/0xff;OK -m tos --tos 0x0f/0x0f;=;OK -m tos --tos wrong;;FAIL -m tos;;FAIL
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_udp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_udp.c
Changed
@@ -156,7 +156,6 @@ const struct xt_xlate_mt_params *params) { const struct xt_udp *udpinfo = (struct xt_udp *)params->match->data; - char *space= ""; if (udpinfo->spts0 != 0 || udpinfo->spts1 != 0xFFFF) { if (udpinfo->spts0 != udpinfo->spts1) { @@ -170,17 +169,16 @@ "!= ": "", udpinfo->spts0); } - space = " "; } if (udpinfo->dpts0 != 0 || udpinfo->dpts1 != 0xFFFF) { if (udpinfo->dpts0 != udpinfo->dpts1) { - xt_xlate_add(xl,"%sudp dport %s%u-%u", space, + xt_xlate_add(xl,"udp dport %s%u-%u", udpinfo->invflags & XT_UDP_INV_SRCPT ? "!= ": "", udpinfo->dpts0, udpinfo->dpts1); } else { - xt_xlate_add(xl,"%sudp dport %s%u", space, + xt_xlate_add(xl,"udp dport %s%u", udpinfo->invflags & XT_UDP_INV_SRCPT ? "!= ": "", udpinfo->dpts0);
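Review bot: Both dport branches on the new side of the second hunk still test `udpinfo->invflags & XT_UDP_INV_SRCPT` when deciding whether to print `!= ` before `udp dport`, so a rule with `! --dport` would translate without its negation while `! --sport` would negate the dport range as well — the condition for the destination port should use the destination-port flag, presumably `udpinfo->invflags & XT_UDP_INV_DSTPT ?` in both `xt_xlate_add(xl,"udp dport ...")` calls. Dropping the `space` prefix assumes xt_xlate_add() now inserts the separator between consecutive fragments itself; the `udp sport 53 udp dport 1020-1023` expectation in libxt_udp.txlate is consistent with that, but this hunk does not show it. No .txlate case in this patch exercises a negated port, so the inverted-flag path is not covered by the translation tests. The enclosing translation function begins before the first hunk and its closing lines are outside the second.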
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_udp.t -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_udp.t
Changed
@@ -18,5 +18,8 @@ # -p udp -m udp --sport 65536;;FAIL -p udp -m udp --sport -1;;FAIL -p udp -m udp --dport -1;;FAIL +-m udp --dport 1;;FAIL +-m udp --dport 1 -p udp;-p udp -m udp --dport 1;OK +-m udp --dport 1 -p 17;-p udp -m udp --dport 1;OK # should we accept this below? -p udp -m udp;=;OK
_service:tar_scm:iptables-1.8.7.tar.bz2/extensions/libxt_udp.txlate -> _service:tar_scm:iptables-1.8.9.tar.xz/extensions/libxt_udp.txlate
Changed
@@ -1,11 +1,11 @@ iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT -nft add rule ip filter INPUT iifname "eth0" udp sport 53 counter accept +nft 'add rule ip filter INPUT iifname "eth0" udp sport 53 counter accept' iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP -nft add rule ip filter OUTPUT oifname "eth0" udp dport 53-66 counter drop +nft 'add rule ip filter OUTPUT oifname "eth0" udp dport 53-66 counter drop' iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT -nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept +nft 'insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept' iptables-translate -I OUTPUT -p udp --dport 1020:1023 --sport 53 -j ACCEPT -nft insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept +nft 'insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept'
_service:tar_scm:iptables-1.8.7.tar.bz2/include/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/include/Makefile.am
Changed
@@ -1,16 +1,18 @@ # -*- Makefile -*- -include_HEADERS = -nobase_include_HEADERS = xtables.h xtables-version.h +include_HEADERS = xtables.h +nodist_include_HEADERS = xtables-version.h if ENABLE_LIBIPQ include_HEADERS += libipq/libipq.h endif -nobase_include_HEADERS += \ +nobase_include_HEADERS = \ libiptc/ipt_kernel_headers.h libiptc/libiptc.h \ libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h +EXTRA_DIST = iptables linux iptables.h ip6tables.h + uninstall-hook: dir=${includedir}/libiptc; { \ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; \
_service:tar_scm:iptables-1.8.7.tar.bz2/include/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/include/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -123,7 +123,7 @@ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac -am__include_HEADERS_DIST = libipq/libipq.h +am__include_HEADERS_DIST = xtables.h libipq/libipq.h am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -151,8 +151,10 @@ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" -HEADERS = $(include_HEADERS) $(nobase_include_HEADERS) +am__installdirs = "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" \ + "$(DESTDIR)$(includedir)" +HEADERS = $(include_HEADERS) $(nobase_include_HEADERS) \ + $(nodist_include_HEADERS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -310,6 +312,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ 
@@ -320,10 +323,13 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ -include_HEADERS = $(am__append_1) -nobase_include_HEADERS = xtables.h xtables-version.h \ +include_HEADERS = xtables.h $(am__append_1) +nodist_include_HEADERS = xtables-version.h +nobase_include_HEADERS = \ libiptc/ipt_kernel_headers.h libiptc/libiptc.h \ libiptc/libip6tc.h libiptc/libxtc.h libiptc/xtcshared.h + +EXTRA_DIST = iptables linux iptables.h ip6tables.h all: all-am .SUFFIXES: @@ -409,6 +415,27 @@ @list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \ $(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) +install-nodist_includeHEADERS: $(nodist_include_HEADERS) + @$(NORMAL_INSTALL) + @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \ + done + +uninstall-nodist_includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -499,7 +526,7 @@ check: check-am all-am: Makefile $(HEADERS) installdirs: - for dir in "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \ + for dir in "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am 
@@ -552,7 +579,8 @@ info-am: -install-data-am: install-includeHEADERS install-nobase_includeHEADERS +install-data-am: install-includeHEADERS install-nobase_includeHEADERS \ + install-nodist_includeHEADERS install-dvi: install-dvi-am @@ -596,7 +624,8 @@ ps-am: -uninstall-am: uninstall-includeHEADERS uninstall-nobase_includeHEADERS +uninstall-am: uninstall-includeHEADERS uninstall-nobase_includeHEADERS \ + uninstall-nodist_includeHEADERS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) uninstall-hook .MAKE: install-am install-strip uninstall-am @@ -608,13 +637,15 @@ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-includeHEADERS install-info install-info-am \ - install-man install-nobase_includeHEADERS install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-man install-nobase_includeHEADERS \ + install-nodist_includeHEADERS install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-hook uninstall-includeHEADERS \ - uninstall-nobase_includeHEADERS + uninstall-nobase_includeHEADERS \ + uninstall-nodist_includeHEADERS .PRECIOUS: Makefile
_service:tar_scm:iptables-1.8.7.tar.bz2/include/libipq/libipq.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/libipq/libipq.h
Changed
@@ -24,7 +24,7 @@ #include <errno.h> #include <unistd.h> #include <fcntl.h> -#include <sys/types.h> +#include <stdint.h> #include <sys/socket.h> #include <sys/uio.h> #include <asm/types.h> @@ -48,19 +48,19 @@ struct ipq_handle { int fd; - u_int8_t blocking; + uint8_t blocking; struct sockaddr_nl local; struct sockaddr_nl peer; }; -struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol); +struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol); int ipq_destroy_handle(struct ipq_handle *h); ssize_t ipq_read(const struct ipq_handle *h, unsigned char *buf, size_t len, int timeout); -int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len); +int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len); ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
_service:tar_scm:iptables-1.8.7.tar.bz2/include/libiptc/libxtc.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/libiptc/libxtc.h
Changed
@@ -10,7 +10,7 @@ #endif #ifndef XT_MIN_ALIGN -/* xt_entry has pointers and u_int64_t's in it, so if you align to +/* xt_entry has pointers and uint64_t's in it, so if you align to it, you'll also align to any crazy matches and targets someone might write */ #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
_service:tar_scm:iptables-1.8.9.tar.xz/include/linux/netfilter/nf_log.h
Added
@@ -0,0 +1,15 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _NETFILTER_NF_LOG_H +#define _NETFILTER_NF_LOG_H + +#define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +#define NF_LOG_TCPOPT 0x02 /* Log TCP options */ +#define NF_LOG_IPOPT 0x04 /* Log IP options */ +#define NF_LOG_UID 0x08 /* Log UID owning local socket */ +#define NF_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ +#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */ +#define NF_LOG_MASK 0x2f + +#define NF_LOG_PREFIXLEN 128 + +#endif /* _NETFILTER_NF_LOG_H */
_service:tar_scm:iptables-1.8.7.tar.bz2/include/linux/netfilter/nf_tables.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/linux/netfilter/nf_tables.h
Changed
@@ -8,6 +8,7 @@ #define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN #define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN #define NFT_USERDATA_MAXLEN 256 +#define NFT_OSF_MAXGENRELEN 16 /** * enum nft_registers - nf_tables registers @@ -47,6 +48,7 @@ #define NFT_REG_SIZE 16 #define NFT_REG32_SIZE 4 +#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1) /** * enum nft_verdicts - nf_tables internal verdicts @@ -131,7 +133,7 @@ * @NFTA_LIST_ELEM: list element (NLA_NESTED) */ enum nft_list_attributes { - NFTA_LIST_UNPEC, + NFTA_LIST_UNSPEC, NFTA_LIST_ELEM, __NFTA_LIST_MAX }; @@ -143,12 +145,14 @@ * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32) * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32) * @NFTA_HOOK_DEV: netdevice name (NLA_STRING) + * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED) */ enum nft_hook_attributes { NFTA_HOOK_UNSPEC, NFTA_HOOK_HOOKNUM, NFTA_HOOK_PRIORITY, NFTA_HOOK_DEV, + NFTA_HOOK_DEVS, __NFTA_HOOK_MAX }; #define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1) @@ -160,7 +164,10 @@ */ enum nft_table_flags { NFT_TABLE_F_DORMANT = 0x1, + NFT_TABLE_F_OWNER = 0x2, }; +#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \ + NFT_TABLE_F_OWNER) /** * enum nft_table_attributes - nf_tables table netlink attributes @@ -168,6 +175,8 @@ * @NFTA_TABLE_NAME: name of the table (NLA_STRING) * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) * @NFTA_TABLE_USE: number of chains in this table (NLA_U32) + * @NFTA_TABLE_USERDATA: user data (NLA_BINARY) + * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32) */ enum nft_table_attributes { NFTA_TABLE_UNSPEC, 
@@ -176,10 +185,21 @@ NFTA_TABLE_USE, NFTA_TABLE_HANDLE, NFTA_TABLE_PAD, + NFTA_TABLE_USERDATA, + NFTA_TABLE_OWNER, __NFTA_TABLE_MAX }; #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1) +enum nft_chain_flags { + NFT_CHAIN_BASE = (1 << 0), + NFT_CHAIN_HW_OFFLOAD = (1 << 1), + NFT_CHAIN_BINDING = (1 << 2), +}; +#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \ + NFT_CHAIN_HW_OFFLOAD | \ + NFT_CHAIN_BINDING) + /** * enum nft_chain_attributes - nf_tables chain netlink attributes * @@ -191,6 +211,9 @@ * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32) * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) + * @NFTA_CHAIN_FLAGS: chain flags + * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32) + * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY) */ enum nft_chain_attributes { NFTA_CHAIN_UNSPEC, @@ -203,6 +226,9 @@ NFTA_CHAIN_TYPE, NFTA_CHAIN_COUNTERS, NFTA_CHAIN_PAD, + NFTA_CHAIN_FLAGS, + NFTA_CHAIN_ID, + NFTA_CHAIN_USERDATA, __NFTA_CHAIN_MAX }; #define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) @@ -218,6 +244,7 @@ * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN) * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32) + * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32) */ enum nft_rule_attributes { NFTA_RULE_UNSPEC, @@ -230,6 +257,8 @@ NFTA_RULE_USERDATA, NFTA_RULE_PAD, NFTA_RULE_ID, + NFTA_RULE_POSITION_ID, + NFTA_RULE_CHAIN_ID, __NFTA_RULE_MAX }; #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) 
@@ -266,8 +295,10 @@ * @NFT_SET_INTERVAL: set contains intervals * @NFT_SET_MAP: set is used as a dictionary * @NFT_SET_TIMEOUT: set uses timeouts - * @NFT_SET_EVAL: set contains expressions for evaluation + * @NFT_SET_EVAL: set can be updated from the evaluation path * @NFT_SET_OBJECT: set contains stateful objects + * @NFT_SET_CONCAT: set contains a concatenation + * @NFT_SET_EXPR: set contains expressions */ enum nft_set_flags { NFT_SET_ANONYMOUS = 0x1, @@ -277,6 +308,8 @@ NFT_SET_TIMEOUT = 0x10, NFT_SET_EVAL = 0x20, NFT_SET_OBJECT = 0x40, + NFT_SET_CONCAT = 0x80, + NFT_SET_EXPR = 0x100, }; /** @@ -294,15 +327,29 @@ * enum nft_set_desc_attributes - set element description * * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32) + * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED) */ enum nft_set_desc_attributes { NFTA_SET_DESC_UNSPEC, NFTA_SET_DESC_SIZE, + NFTA_SET_DESC_CONCAT, __NFTA_SET_DESC_MAX }; #define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1) /** + * enum nft_set_field_attributes - attributes of concatenated fields + * + * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32) + */ +enum nft_set_field_attributes { + NFTA_SET_FIELD_UNSPEC, + NFTA_SET_FIELD_LEN, + __NFTA_SET_FIELD_MAX +}; +#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1) + +/** * enum nft_set_attributes - nf_tables set netlink attributes * * @NFTA_SET_TABLE: table name (NLA_STRING) @@ -320,6 +367,8 @@ * @NFTA_SET_USERDATA: user data (NLA_BINARY) * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*) * @NFTA_SET_HANDLE: set handle (NLA_U64) + * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes) + * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) */ enum nft_set_attributes { NFTA_SET_UNSPEC, @@ -339,6 +388,8 @@ NFTA_SET_PAD, NFTA_SET_OBJ_TYPE, NFTA_SET_HANDLE, + NFTA_SET_EXPR, + NFTA_SET_EXPRESSIONS, __NFTA_SET_MAX }; #define NFTA_SET_MAX (__NFTA_SET_MAX - 1) 
@@ -347,9 +398,11 @@ * enum nft_set_elem_flags - nf_tables set element flags * * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval + * @NFT_SET_ELEM_CATCHALL: special catch-all element */ enum nft_set_elem_flags { NFT_SET_ELEM_INTERVAL_END = 0x1, + NFT_SET_ELEM_CATCHALL = 0x2, }; /** @@ -363,6 +416,8 @@ * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING) + * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data) + * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) */ enum nft_set_elem_attributes { NFTA_SET_ELEM_UNSPEC, @@ -375,6 +430,8 @@ NFTA_SET_ELEM_EXPR, NFTA_SET_ELEM_PAD, NFTA_SET_ELEM_OBJREF, + NFTA_SET_ELEM_KEY_END, + NFTA_SET_ELEM_EXPRESSIONS, __NFTA_SET_ELEM_MAX }; #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) @@ -440,11 +497,13 @@ * * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts) * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING) + * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32) */ enum nft_verdict_attributes { NFTA_VERDICT_UNSPEC, NFTA_VERDICT_CODE, NFTA_VERDICT_CHAIN, + NFTA_VERDICT_CHAIN_ID, __NFTA_VERDICT_MAX }; #define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1) @@ -478,6 +537,20 @@ #define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1) /** + * enum nft_bitwise_ops - nf_tables bitwise operations + * + * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and + * XOR boolean operations + * @NFT_BITWISE_LSHIFT: left-shift operation + * @NFT_BITWISE_RSHIFT: right-shift operation + */ +enum nft_bitwise_ops { + NFT_BITWISE_BOOL, + NFT_BITWISE_LSHIFT, + NFT_BITWISE_RSHIFT, +}; + +/** * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes * * @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers) 
@@ -485,16 +558,20 @@ * @NFTA_BITWISE_LEN: length of operands (NLA_U32) * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes) * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes) + * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops) + * @NFTA_BITWISE_DATA: argument for non-boolean operations + * (NLA_NESTED: nft_data_attributes) * - * The bitwise expression performs the following operation: + * The bitwise expression supports boolean and shift operations. It implements + * the boolean operations by performing the following operation: * * dreg = (sreg & mask) ^ xor * - * which allow to express all bitwise operations: + * with these mask and xor values: * * mask xor * NOT: 1 1 - * OR: 0 x + * OR: ~x x * XOR: 1 x * AND: x 0 */ @@ -505,6 +582,8 @@ NFTA_BITWISE_LEN, NFTA_BITWISE_MASK, NFTA_BITWISE_XOR, + NFTA_BITWISE_OP, + NFTA_BITWISE_DATA, __NFTA_BITWISE_MAX }; #define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) @@ -631,10 +710,12 @@ enum nft_dynset_ops { NFT_DYNSET_OP_ADD, NFT_DYNSET_OP_UPDATE, + NFT_DYNSET_OP_DELETE, }; enum nft_dynset_flags { NFT_DYNSET_F_INV = (1 << 0), + NFT_DYNSET_F_EXPR = (1 << 1), }; /** @@ -648,6 +729,7 @@ * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64) * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes) * @NFTA_DYNSET_FLAGS: flags (NLA_U32) + * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) */ enum nft_dynset_attributes { NFTA_DYNSET_UNSPEC, @@ -660,6 +742,7 @@ NFTA_DYNSET_EXPR, NFTA_DYNSET_PAD, NFTA_DYNSET_FLAGS, + NFTA_DYNSET_EXPRESSIONS, __NFTA_DYNSET_MAX, }; #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) @@ -682,10 +765,12 @@ * * @NFT_PAYLOAD_CSUM_NONE: no checksumming * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791) + * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309) */ enum nft_payload_csum_types { NFT_PAYLOAD_CSUM_NONE, NFT_PAYLOAD_CSUM_INET, + NFT_PAYLOAD_CSUM_SCTP, }; enum nft_payload_csum_flags { 
@@ -727,10 +812,14 @@ * * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers * @NFT_EXTHDR_OP_TCP: match against tcp options + * @NFT_EXTHDR_OP_IPV4: match against ipv4 options + * @NFT_EXTHDR_OP_SCTP: match against sctp chunks */ enum nft_exthdr_op { NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_TCPOPT, + NFT_EXTHDR_OP_IPV4, + NFT_EXTHDR_OP_SCTP, __NFT_EXTHDR_OP_MAX }; #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) @@ -788,6 +877,15 @@ * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) * @NFT_META_PRANDOM: a 32bit pseudo-random number * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) + * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind) + * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind) + * @NFT_META_BRI_IIFPVID: packet input bridge port pvid + * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto + * @NFT_META_TIME_NS: time since epoch (in nanoseconds) + * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday) + * @NFT_META_TIME_HOUR: hour of day (in seconds) + * @NFT_META_SDIF: slave device interface index + * @NFT_META_SDIFNAME: slave device interface name */ enum nft_meta_keys { NFT_META_LEN, @@ -816,6 +914,15 @@ NFT_META_CGROUP, NFT_META_PRANDOM, NFT_META_SECPATH, + NFT_META_IIFKIND, + NFT_META_OIFKIND, + NFT_META_BRI_IIFPVID, + NFT_META_BRI_IIFVPROTO, + NFT_META_TIME_NS, + NFT_META_TIME_DAY, + NFT_META_TIME_HOUR, + NFT_META_SDIF, + NFT_META_SDIFNAME, }; /** @@ -825,13 +932,17 @@ * @NFT_RT_NEXTHOP4: routing nexthop for IPv4 * @NFT_RT_NEXTHOP6: routing nexthop for IPv6 * @NFT_RT_TCPMSS: fetch current path tcp mss + * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL */ enum nft_rt_keys { NFT_RT_CLASSID, NFT_RT_NEXTHOP4, NFT_RT_NEXTHOP6, NFT_RT_TCPMSS, + NFT_RT_XFRM, + __NFT_RT_MAX }; +#define NFT_RT_MAX (__NFT_RT_MAX - 1) /** * enum nft_hash_types - nf_tables hash expression types 
@@ -854,6 +965,8 @@ * @NFTA_HASH_SEED: seed value (NLA_U32) * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32) * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types) + * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING) + * @NFTA_HASH_SET_ID: id of the map (NLA_U32) */ enum nft_hash_attributes { NFTA_HASH_UNSPEC, @@ -864,6 +977,8 @@ NFTA_HASH_SEED, NFTA_HASH_OFFSET, NFTA_HASH_TYPE, + NFTA_HASH_SET_NAME, /* deprecated */ + NFTA_HASH_SET_ID, /* deprecated */ __NFTA_HASH_MAX, }; #define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) @@ -899,6 +1014,39 @@ #define NFTA_RT_MAX (__NFTA_RT_MAX - 1) /** + * enum nft_socket_attributes - nf_tables socket expression netlink attributes + * + * @NFTA_SOCKET_KEY: socket key to match + * @NFTA_SOCKET_DREG: destination register + * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2) + */ +enum nft_socket_attributes { + NFTA_SOCKET_UNSPEC, + NFTA_SOCKET_KEY, + NFTA_SOCKET_DREG, + NFTA_SOCKET_LEVEL, + __NFTA_SOCKET_MAX +}; +#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1) + +/* + * enum nft_socket_keys - nf_tables socket expression keys + * + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option + * @NFT_SOCKET_MARK: Value of the socket mark + * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0) + * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2 + */ +enum nft_socket_keys { + NFT_SOCKET_TRANSPARENT, + NFT_SOCKET_MARK, + NFT_SOCKET_WILDCARD, + NFT_SOCKET_CGROUPV2, + __NFT_SOCKET_MAX +}; +#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) + +/** * enum nft_ct_keys - nf_tables ct expression keys * * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info) 
@@ -909,8 +1057,8 @@ * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms * @NFT_CT_HELPER: connection tracking helper assigned to conntrack * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol - * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address) - * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address) + * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated) + * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated) * @NFT_CT_PROTOCOL: conntrack layer 4 protocol * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination @@ -920,6 +1068,11 @@ * @NFT_CT_AVGPKT: conntrack average bytes per packet * @NFT_CT_ZONE: conntrack zone * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack + * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address) + * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) + * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) + * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) + * @NFT_CT_ID: conntrack id */ enum nft_ct_keys { NFT_CT_STATE, @@ -941,7 +1094,14 @@ NFT_CT_AVGPKT, NFT_CT_ZONE, NFT_CT_EVENTMASK, + NFT_CT_SRC_IP, + NFT_CT_DST_IP, + NFT_CT_SRC_IP6, + NFT_CT_DST_IP6, + NFT_CT_ID, + __NFT_CT_MAX }; +#define NFT_CT_MAX (__NFT_CT_MAX - 1) /** * enum nft_ct_attributes - nf_tables ct expression netlink attributes 
@@ -1002,6 +1162,24 @@ }; #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) +enum nft_connlimit_flags { + NFT_CONNLIMIT_F_INV = (1 << 0), +}; + +/** + * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes + * + * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32) + * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags) + */ +enum nft_connlimit_attributes { + NFTA_CONNLIMIT_UNSPEC, + NFTA_CONNLIMIT_COUNT, + NFTA_CONNLIMIT_FLAGS, + __NFTA_CONNLIMIT_MAX +}; +#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1) + /** * enum nft_counter_attributes - nf_tables counter expression netlink attributes * @@ -1018,6 +1196,21 @@ #define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) /** + * enum nft_last_attributes - nf_tables last expression netlink attributes + * + * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32) + * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64) + */ +enum nft_last_attributes { + NFTA_LAST_UNSPEC, + NFTA_LAST_SET, + NFTA_LAST_MSECS, + NFTA_LAST_PAD, + __NFTA_LAST_MAX +}; +#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1) + +/** * enum nft_log_attributes - nf_tables log expression netlink attributes * * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32) 
@@ -1040,6 +1233,33 @@ #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) /** + * enum nft_log_level - nf_tables log levels + * + * @NFT_LOGLEVEL_EMERG: system is unusable + * @NFT_LOGLEVEL_ALERT: action must be taken immediately + * @NFT_LOGLEVEL_CRIT: critical conditions + * @NFT_LOGLEVEL_ERR: error conditions + * @NFT_LOGLEVEL_WARNING: warning conditions + * @NFT_LOGLEVEL_NOTICE: normal but significant condition + * @NFT_LOGLEVEL_INFO: informational + * @NFT_LOGLEVEL_DEBUG: debug-level messages + * @NFT_LOGLEVEL_AUDIT: enabling audit logging + */ +enum nft_log_level { + NFT_LOGLEVEL_EMERG, + NFT_LOGLEVEL_ALERT, + NFT_LOGLEVEL_CRIT, + NFT_LOGLEVEL_ERR, + NFT_LOGLEVEL_WARNING, + NFT_LOGLEVEL_NOTICE, + NFT_LOGLEVEL_INFO, + NFT_LOGLEVEL_DEBUG, + NFT_LOGLEVEL_AUDIT, + __NFT_LOGLEVEL_MAX +}; +#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1) + +/** * enum nft_queue_attributes - nf_tables queue expression netlink attributes * * @NFTA_QUEUE_NUM: netlink queue to send messages to (NLA_U16) @@ -1084,6 +1304,21 @@ #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) /** + * enum nft_secmark_attributes - nf_tables secmark object netlink attributes + * + * @NFTA_SECMARK_CTX: security context (NLA_STRING) + */ +enum nft_secmark_attributes { + NFTA_SECMARK_UNSPEC, + NFTA_SECMARK_CTX, + __NFTA_SECMARK_MAX, +}; +#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) + +/* Max security context length */ +#define NFT_SECMARK_CTX_MAXLEN 256 + +/** * enum nft_reject_types - nf_tables reject expression reject types * * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable 
@@ -1165,6 +1400,22 @@ #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) /** + * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes + * + * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers) + * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers) + * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers) + */ +enum nft_tproxy_attributes { + NFTA_TPROXY_UNSPEC, + NFTA_TPROXY_FAMILY, + NFTA_TPROXY_REG_ADDR, + NFTA_TPROXY_REG_PORT, + __NFTA_TPROXY_MAX +}; +#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1) + +/** * enum nft_masq_attributes - nf_tables masquerade expression attributes * * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) @@ -1214,10 +1465,14 @@ * enum nft_fwd_attributes - nf_tables fwd expression netlink attributes * * @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register) + * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register) + * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto) */ enum nft_fwd_attributes { NFTA_FWD_UNSPEC, NFTA_FWD_SREG_DEV, + NFTA_FWD_SREG_ADDR, + NFTA_FWD_NFPROTO, __NFTA_FWD_MAX }; #define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1) 
@@ -1302,12 +1557,38 @@ }; #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) +enum nft_ct_timeout_timeout_attributes { + NFTA_CT_TIMEOUT_UNSPEC, + NFTA_CT_TIMEOUT_L3PROTO, + NFTA_CT_TIMEOUT_L4PROTO, + NFTA_CT_TIMEOUT_DATA, + __NFTA_CT_TIMEOUT_MAX, +}; +#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1) + +enum nft_ct_expectation_attributes { + NFTA_CT_EXPECT_UNSPEC, + NFTA_CT_EXPECT_L3PROTO, + NFTA_CT_EXPECT_L4PROTO, + NFTA_CT_EXPECT_DPORT, + NFTA_CT_EXPECT_TIMEOUT, + NFTA_CT_EXPECT_SIZE, + __NFTA_CT_EXPECT_MAX, +}; +#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1) + #define NFT_OBJECT_UNSPEC 0 #define NFT_OBJECT_COUNTER 1 #define NFT_OBJECT_QUOTA 2 #define NFT_OBJECT_CT_HELPER 3 #define NFT_OBJECT_LIMIT 4 -#define __NFT_OBJECT_MAX 5 +#define NFT_OBJECT_CONNLIMIT 5 +#define NFT_OBJECT_TUNNEL 6 +#define NFT_OBJECT_CT_TIMEOUT 7 +#define NFT_OBJECT_SECMARK 8 +#define NFT_OBJECT_CT_EXPECT 9 +#define NFT_OBJECT_SYNPROXY 10 +#define __NFT_OBJECT_MAX 11 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** @@ -1319,6 +1600,7 @@ * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED) * @NFTA_OBJ_USE: number of references to this expression (NLA_U32) * @NFTA_OBJ_HANDLE: object handle (NLA_U64) + * @NFTA_OBJ_USERDATA: user data (NLA_BINARY) */ enum nft_object_attributes { NFTA_OBJ_UNSPEC, @@ -1329,11 +1611,25 @@ NFTA_OBJ_USE, NFTA_OBJ_HANDLE, NFTA_OBJ_PAD, + NFTA_OBJ_USERDATA, __NFTA_OBJ_MAX }; #define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1) /** + * enum nft_flowtable_flags - nf_tables flowtable flags + * + * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled + * @NFT_FLOWTABLE_COUNTER: enable flow counters + */ +enum nft_flowtable_flags { + NFT_FLOWTABLE_HW_OFFLOAD = 0x1, + NFT_FLOWTABLE_COUNTER = 0x2, + NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD | + NFT_FLOWTABLE_COUNTER) +}; + +/** * enum nft_flowtable_attributes - nf_tables flow table netlink attributes * * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING) 
@@ -1341,6 +1637,7 @@ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) + * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) */ enum nft_flowtable_attributes { NFTA_FLOWTABLE_UNSPEC, @@ -1350,6 +1647,7 @@ NFTA_FLOWTABLE_USE, NFTA_FLOWTABLE_HANDLE, NFTA_FLOWTABLE_PAD, + NFTA_FLOWTABLE_FLAGS, __NFTA_FLOWTABLE_MAX }; #define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1) @@ -1371,6 +1669,42 @@ #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) /** + * enum nft_osf_attributes - nftables osf expression netlink attributes + * + * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) + * @NFTA_OSF_FLAGS: flags (NLA_U32) + */ +enum nft_osf_attributes { + NFTA_OSF_UNSPEC, + NFTA_OSF_DREG, + NFTA_OSF_TTL, + NFTA_OSF_FLAGS, + __NFTA_OSF_MAX, +}; +#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) + +enum nft_osf_flags { + NFT_OSF_F_VERSION = (1 << 0), +}; + +/** + * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes + * + * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16) + * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8) + * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32) + */ +enum nft_synproxy_attributes { + NFTA_SYNPROXY_UNSPEC, + NFTA_SYNPROXY_MSS, + NFTA_SYNPROXY_WSCALE, + NFTA_SYNPROXY_FLAGS, + __NFTA_SYNPROXY_MAX, +}; +#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1) + +/** * enum nft_device_attributes - nf_tables device netlink attributes * * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) 
@@ -1382,6 +1716,35 @@ }; #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) +/* + * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes + * + * @NFTA_XFRM_DREG: destination register (NLA_U32) + * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32) + * @NFTA_XFRM_DIR: direction (NLA_U8) + * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32) + */ +enum nft_xfrm_attributes { + NFTA_XFRM_UNSPEC, + NFTA_XFRM_DREG, + NFTA_XFRM_KEY, + NFTA_XFRM_DIR, + NFTA_XFRM_SPNUM, + __NFTA_XFRM_MAX +}; +#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1) + +enum nft_xfrm_keys { + NFT_XFRM_KEY_UNSPEC, + NFT_XFRM_KEY_DADDR_IP4, + NFT_XFRM_KEY_DADDR_IP6, + NFT_XFRM_KEY_SADDR_IP4, + NFT_XFRM_KEY_SADDR_IP6, + NFT_XFRM_KEY_REQID, + NFT_XFRM_KEY_SPI, + __NFT_XFRM_KEY_MAX, +}; +#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1) /** * enum nft_trace_attributes - nf_tables trace netlink attributes @@ -1442,6 +1805,8 @@ * @NFTA_NG_MODULUS: maximum counter value (NLA_U32) * @NFTA_NG_TYPE: operation type (NLA_U32) * @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32) + * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING) + * @NFTA_NG_SET_ID: id of the map (NLA_U32) */ enum nft_ng_attributes { NFTA_NG_UNSPEC, @@ -1449,6 +1814,8 @@ NFTA_NG_MODULUS, NFTA_NG_TYPE, NFTA_NG_OFFSET, + NFTA_NG_SET_NAME, /* deprecated */ + NFTA_NG_SET_ID, /* deprecated */ __NFTA_NG_MAX }; #define NFTA_NG_MAX (__NFTA_NG_MAX - 1) 
@@ -1460,4 +1827,104 @@ }; #define NFT_NG_MAX (__NFT_NG_MAX - 1) +enum nft_tunnel_key_ip_attributes { + NFTA_TUNNEL_KEY_IP_UNSPEC, + NFTA_TUNNEL_KEY_IP_SRC, + NFTA_TUNNEL_KEY_IP_DST, + __NFTA_TUNNEL_KEY_IP_MAX +}; +#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1) + +enum nft_tunnel_ip6_attributes { + NFTA_TUNNEL_KEY_IP6_UNSPEC, + NFTA_TUNNEL_KEY_IP6_SRC, + NFTA_TUNNEL_KEY_IP6_DST, + NFTA_TUNNEL_KEY_IP6_FLOWLABEL, + __NFTA_TUNNEL_KEY_IP6_MAX +}; +#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1) + +enum nft_tunnel_opts_attributes { + NFTA_TUNNEL_KEY_OPTS_UNSPEC, + NFTA_TUNNEL_KEY_OPTS_VXLAN, + NFTA_TUNNEL_KEY_OPTS_ERSPAN, + NFTA_TUNNEL_KEY_OPTS_GENEVE, + __NFTA_TUNNEL_KEY_OPTS_MAX +}; +#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1) + +enum nft_tunnel_opts_vxlan_attributes { + NFTA_TUNNEL_KEY_VXLAN_UNSPEC, + NFTA_TUNNEL_KEY_VXLAN_GBP, + __NFTA_TUNNEL_KEY_VXLAN_MAX +}; +#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1) + +enum nft_tunnel_opts_erspan_attributes { + NFTA_TUNNEL_KEY_ERSPAN_UNSPEC, + NFTA_TUNNEL_KEY_ERSPAN_VERSION, + NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX, + NFTA_TUNNEL_KEY_ERSPAN_V2_HWID, + NFTA_TUNNEL_KEY_ERSPAN_V2_DIR, + __NFTA_TUNNEL_KEY_ERSPAN_MAX +}; +#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1) + +enum nft_tunnel_opts_geneve_attributes { + NFTA_TUNNEL_KEY_GENEVE_UNSPEC, + NFTA_TUNNEL_KEY_GENEVE_CLASS, + NFTA_TUNNEL_KEY_GENEVE_TYPE, + NFTA_TUNNEL_KEY_GENEVE_DATA, + __NFTA_TUNNEL_KEY_GENEVE_MAX +}; +#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1) + +enum nft_tunnel_flags { + NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0), + NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1), + NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2), +}; +#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \ + NFT_TUNNEL_F_DONT_FRAGMENT | \ + NFT_TUNNEL_F_SEQ_NUMBER) + +enum nft_tunnel_key_attributes { + NFTA_TUNNEL_KEY_UNSPEC, + NFTA_TUNNEL_KEY_ID, + NFTA_TUNNEL_KEY_IP, + NFTA_TUNNEL_KEY_IP6, + 
NFTA_TUNNEL_KEY_FLAGS, + NFTA_TUNNEL_KEY_TOS, + NFTA_TUNNEL_KEY_TTL, + NFTA_TUNNEL_KEY_SPORT, + NFTA_TUNNEL_KEY_DPORT, + NFTA_TUNNEL_KEY_OPTS, + __NFTA_TUNNEL_KEY_MAX +}; +#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1) + +enum nft_tunnel_keys { + NFT_TUNNEL_PATH, + NFT_TUNNEL_ID, + __NFT_TUNNEL_MAX +}; +#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) + +enum nft_tunnel_mode { + NFT_TUNNEL_MODE_NONE, + NFT_TUNNEL_MODE_RX, + NFT_TUNNEL_MODE_TX, + __NFT_TUNNEL_MODE_MAX +}; +#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1) + +enum nft_tunnel_attributes { + NFTA_TUNNEL_UNSPEC, + NFTA_TUNNEL_KEY, + NFTA_TUNNEL_DREG, + NFTA_TUNNEL_MODE, + __NFTA_TUNNEL_MAX +}; +#define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1) + #endif /* _LINUX_NF_TABLES_H */
_service:tar_scm:iptables-1.8.7.tar.bz2/include/linux/netfilter/xt_SECMARK.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/linux/netfilter/xt_SECMARK.h
@@ -19,4 +19,10 @@ char secctxSECMARK_SECCTX_MAX; }; +struct xt_secmark_target_info_v1 { + __u8 mode; + char secctxSECMARK_SECCTX_MAX; + __u32 secid; +}; + #endif /*_XT_SECMARK_H_target */
_service:tar_scm:iptables-1.8.7.tar.bz2/include/linux/netfilter_arp/arpt_mangle.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/linux/netfilter_arp/arpt_mangle.h
@@ -13,7 +13,7 @@ union { struct in_addr tgt_ip; } u_t; - u_int8_t flags; + __u8 flags; int target; };
_service:tar_scm:iptables-1.8.7.tar.bz2/include/linux/netfilter_bridge/ebt_ip.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/linux/netfilter_bridge/ebt_ip.h
@@ -23,8 +23,10 @@ #define EBT_IP_PROTO 0x08 #define EBT_IP_SPORT 0x10 #define EBT_IP_DPORT 0x20 +#define EBT_IP_ICMP 0x40 +#define EBT_IP_IGMP 0x80 #define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\ - EBT_IP_SPORT | EBT_IP_DPORT ) + EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP | EBT_IP_IGMP) #define EBT_IP_MATCH "ip" /* the same values are used for the invflags */ @@ -37,8 +39,15 @@ __u8 protocol; __u8 bitmask; __u8 invflags; - __u16 sport2; - __u16 dport2; + union { + __u16 sport2; + __u8 icmp_type2; + __u8 igmp_type2; + }; + union { + __u16 dport2; + __u8 icmp_code2; + }; }; #endif
_service:tar_scm:iptables-1.8.7.tar.bz2/include/xtables.h -> _service:tar_scm:iptables-1.8.9.tar.xz/include/xtables.h
@@ -211,14 +211,14 @@ const void *ip; const struct xt_entry_match *match; int numeric; - bool escape_quotes; + bool escape_quotes; /* not used anymore, retained for ABI */ }; struct xt_xlate_tg_params { const void *ip; const struct xt_entry_target *target; int numeric; - bool escape_quotes; + bool escape_quotes; /* not used anymore, retained for ABI */ }; /* Include file for additions: new matches and targets. */ @@ -453,6 +453,7 @@ extern void *xtables_calloc(size_t, size_t); extern void *xtables_malloc(size_t); extern void *xtables_realloc(void *, size_t); +char *xtables_strdup(const char *); extern int xtables_insmod(const char *, const char *, bool); extern int xtables_load_ko(const char *, bool); @@ -584,18 +585,6 @@ xtables_print_val_mask(mark, mask, NULL); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) -# ifdef _INIT -# undef _init -# define _init _INIT -# endif - extern void init_extensions(void); - extern void init_extensions4(void); - extern void init_extensions6(void); -#else -# define _init __attribute__((constructor)) _INIT -#endif - extern const struct xtables_pprot xtables_chain_protos; extern uint16_t xtables_parse_protocol(const char *s); 
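Review bot: The new `xtables_strdup` prototype in the `@@ -453` hunk is the only allocator declaration in that group written without `extern`; the surrounding `xtables_calloc`/`xtables_malloc`/`xtables_realloc` lines all carry it, so for consistency the line should read `extern char *xtables_strdup(const char *);`. The header also gives callers no hint whether the function can return NULL; if it follows the sibling allocators and aborts on allocation failure (not visible here), a one-line comment such as `/* like xtables_malloc(): does not return NULL on failure */` would save every caller a redundant check, and if it can return NULL that is the more important thing to state. The two `escape_quotes` fields annotated `/* not used anymore, retained for ABI */` would be easier to retire later if the comment named the release in which they became dead.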
@@ -632,9 +621,21 @@ struct xt_xlate *xt_xlate_alloc(int size); void xt_xlate_free(struct xt_xlate *xl); void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3))); +void xt_xlate_add_nospc(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3))); +#define xt_xlate_rule_add xt_xlate_add +#define xt_xlate_rule_add_nospc xt_xlate_add_nospc +void xt_xlate_set_add(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3))); +void xt_xlate_set_add_nospc(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3))); void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment); const char *xt_xlate_get_comment(struct xt_xlate *xl); +void xl_xlate_set_family(struct xt_xlate *xl, uint8_t family); +uint8_t xt_xlate_get_family(struct xt_xlate *xl); const char *xt_xlate_get(struct xt_xlate *xl); +#define xt_xlate_rule_get xt_xlate_get +const char *xt_xlate_set_get(struct xt_xlate *xl); + +/* informed target lookups */ +void xtables_announce_chain(const char *name); #ifdef XTABLES_INTERNAL 
@@ -644,9 +645,55 @@ # define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x))) # endif +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) +# ifdef _INIT +# undef _init +# define _init _INIT +# endif + extern void init_extensions(void); + extern void init_extensions4(void); + extern void init_extensions6(void); + extern void init_extensionsa(void); + extern void init_extensionsb(void); +#else +# define _init __attribute__((constructor)) _INIT +# define EMPTY_FUNC_DEF(x) static inline void x(void) {} + EMPTY_FUNC_DEF(init_extensions) + EMPTY_FUNC_DEF(init_extensions4) + EMPTY_FUNC_DEF(init_extensions6) + EMPTY_FUNC_DEF(init_extensionsa) + EMPTY_FUNC_DEF(init_extensionsb) +# undef EMPTY_FUNC_DEF +#endif + extern void _init(void); -#endif +/** + * xtables_afinfo - protocol family dependent information + * @kmod: kernel module basename (e.g. "ip_tables") + * @proc_exists: file which exists in procfs when module already loaded + * @libprefix: prefix of .so library name (e.g. "libipt_") + * @family: nfproto family + * @ipproto: used by setsockopt (e.g. IPPROTO_IP) + * @so_rev_match: optname to check revision support of match + * @so_rev_target: optname to check revision support of target + */ +struct xtables_afinfo { + const char *kmod; + const char *proc_exists; + const char *libprefix; + uint8_t family; + uint8_t ipproto; + int so_rev_match; + int so_rev_target; +}; + +extern const struct xtables_afinfo *afinfo; + +/* base offset of merged extensions' consecutive options */ +#define XT_OPTION_OFFSET_SCALE 256 + +#endif /* XTABLES_INTERNAL */ #ifdef __cplusplus } /* extern "C" */
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables-test.py -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables-test.py
@@ -32,30 +32,34 @@ LOGFILE="/tmp/iptables-test.log" log_file = None +STDOUT_IS_TTY = sys.stdout.isatty() +STDERR_IS_TTY = sys.stderr.isatty() -class Colors: - HEADER = '\03395m' - BLUE = '\03394m' - GREEN = '\03392m' - YELLOW = '\03393m' - RED = '\03391m' - ENDC = '\0330m' +def maybe_colored(color, text, isatty): + terminal_sequences = { + 'green': '\03392m', + 'red': '\03391m', + } + + return ( + terminal_sequencescolor + text + '\0330m' if isatty else text + ) def print_error(reason, filename=None, lineno=None): ''' Prints an error with nice colors, indicating file and line number. ''' - print(filename + ": " + Colors.RED + "ERROR" + - Colors.ENDC + ": line %d (%s)" % (lineno, reason)) + print(filename + ": " + maybe_colored('red', "ERROR", STDERR_IS_TTY) + + ": line %d (%s)" % (lineno, reason), file=sys.stderr) -def delete_rule(iptables, rule, filename, lineno): +def delete_rule(iptables, rule, filename, lineno, netns = None): ''' Removes an iptables rule ''' cmd = iptables + " -D " + rule - ret = execute_cmd(cmd, filename, lineno) + ret = execute_cmd(cmd, filename, lineno, netns) if ret == 1: reason = "cannot delete: " + iptables + " -I " + rule print_error(reason, filename, lineno) 
@@ -69,26 +73,24 @@ Executes an unit test. Returns the output of delete_rule(). Parameters: - :param iptables: string with the iptables command to execute + :param iptables: string with the iptables command to execute :param rule: string with iptables arguments for the rule to test - :param rule_save: string to find the rule in the output of iptables -save + :param rule_save: string to find the rule in the output of iptables-save :param res: expected result of the rule. Valid values: "OK", "FAIL" :param filename: name of the file tested (used for print_error purposes) :param lineno: line number being tested (used for print_error purposes) + :param netns: network namespace to call commands in (or None) ''' ret = 0 cmd = iptables + " -A " + rule - if netns: - cmd = "ip netns exec ____iptables-container-test " + EXECUTEABLE + " " + cmd - - ret = execute_cmd(cmd, filename, lineno) + ret = execute_cmd(cmd, filename, lineno, netns) # # report failed test # if ret: - if res == "OK": + if res != "FAIL": reason = "cannot load: " + cmd print_error(reason, filename, lineno) return -1 
@@ -99,32 +101,32 @@ if res == "FAIL": reason = "should fail: " + cmd print_error(reason, filename, lineno) - delete_rule(iptables, rule, filename, lineno) + delete_rule(iptables, rule, filename, lineno, netns) return -1 matching = 0 - splitted = iptables.split(" ") - if len(splitted) == 2: - if splitted1 == '-4': + tokens = iptables.split(" ") + if len(tokens) == 2: + if tokens1 == '-4': command = IPTABLES_SAVE - elif splitted1 == '-6': + elif tokens1 == '-6': command = IP6TABLES_SAVE - elif len(splitted) == 1: - if splitted0 == IPTABLES: + elif len(tokens) == 1: + if tokens0 == IPTABLES: command = IPTABLES_SAVE - elif splitted0 == IP6TABLES: + elif tokens0 == IP6TABLES: command = IP6TABLES_SAVE - elif splitted0 == ARPTABLES: + elif tokens0 == ARPTABLES: command = ARPTABLES_SAVE - elif splitted0 == EBTABLES: + elif tokens0 == EBTABLES: command = EBTABLES_SAVE - command = EXECUTEABLE + " " + command + command = EXECUTABLE + " " + command if netns: - command = "ip netns exec ____iptables-container-test " + command + command = "ip netns exec " + netns + " " + command - args = splitted1: + args = tokens1: proc = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 
@@ -136,16 +138,26 @@ if proc.returncode == -11: reason = "iptables-save segfaults: " + cmd print_error(reason, filename, lineno) - delete_rule(iptables, rule, filename, lineno) + delete_rule(iptables, rule, filename, lineno, netns) return -1 # find the rule matching = out.find(rule_save.encode('utf-8')) if matching < 0: - reason = "cannot find: " + iptables + " -I " + rule - print_error(reason, filename, lineno) - delete_rule(iptables, rule, filename, lineno) - return -1 + if res == "OK": + reason = "cannot find: " + iptables + " -I " + rule + print_error(reason, filename, lineno) + delete_rule(iptables, rule, filename, lineno, netns) + return -1 + else: + # do not report this error + return 0 + else: + if res != "OK": + reason = "should not match: " + cmd + print_error(reason, filename, lineno) + delete_rule(iptables, rule, filename, lineno, netns) + return -1 # Test "ip netns del NETNS" path with rules in place if netns: @@ -153,7 +165,7 @@ return delete_rule(iptables, rule, filename, lineno) -def execute_cmd(cmd, filename, lineno): +def execute_cmd(cmd, filename, lineno = 0, netns = None): ''' Executes a command, checking for segfaults and returning the command exit code. @@ -161,10 +173,14 @@ :param cmd: string with the command to be executed :param filename: name of the file tested (used for print_error purposes) :param lineno: line number being tested (used for print_error purposes) + :param netns: network namespace to run command in ''' global log_file if cmd.startswith('iptables ') or cmd.startswith('ip6tables ') or cmd.startswith('ebtables ') or cmd.startswith('arptables '): - cmd = EXECUTEABLE + " " + cmd + cmd = EXECUTABLE + " " + cmd + + if netns: + cmd = "ip netns exec " + netns + " " + cmd print("command: {}".format(cmd), file=log_file) ret = subprocess.call(cmd, shell=True, universal_newlines=True, 
@@ -172,17 +188,197 @@ log_file.flush() # generic check for segfaults - if ret == -11: + if ret == -11: reason = "command segfaults: " + cmd print_error(reason, filename, lineno) return ret +def variant_res(res, variant, alt_res=None): + ''' + Adjust expected result with given variant + + If expected result is scoped to a variant, the other one yields a different + result. Therefore map @res to itself if given variant is current, use the + alternate result, @alt_res, if specified, invert @res otherwise. + + :param res: expected result from test spec ("OK", "FAIL" or "NOMATCH") + :param variant: variant @res is scoped to by test spec ("NFT" or "LEGACY") + :param alt_res: optional expected result for the alternate variant. + ''' + variant_executable = { + "NFT": "xtables-nft-multi", + "LEGACY": "xtables-legacy-multi" + } + res_inverse = { + "OK": "FAIL", + "FAIL": "OK", + "NOMATCH": "OK" + } + + if variant_executablevariant == EXECUTABLE: + return res + if alt_res is not None: + return alt_res + return res_inverseres + +def fast_run_possible(filename): + ''' + Keep things simple, run only for simple test files: + - no external commands + - no multiple tables + - no variant-specific results + ''' + table = None + rulecount = 0 + for line in open(filename): + if line0 in "#", ":" or len(line.strip()) == 0: + continue + if line0 == "*": + if table or rulecount > 0: + return False + table = line.rstrip()1: + if line0 in "@", "%": + return False + if len(line.split(";")) > 3: + return False + rulecount += 1 + + return True + +def run_test_file_fast(iptables, filename, netns): + ''' + Run a test file, but fast + + :param filename: name of the file with the test rules + :param netns: network namespace to perform test run in + ''' + + f = open(filename) + + rules = {} + table = "filter" + chain_array = + tests = 0 + + for lineno, line in enumerate(f): + if line0 == "#" or len(line.strip()) == 0: + continue + + if line0 == "*": + table = line.rstrip()1: + continue + + if 
line0 == ":": + chain_array = line.rstrip()1:.split(",") + continue + + if len(chain_array) == 0: + return -1 + + tests += 1 + + for chain in chain_array: + item = line.split(";") + rule = chain + " " + item0 + + if item1 == "=": + rule_save = chain + " " + item0 + else: + rule_save = chain + " " + item1 + + if iptables == EBTABLES and rule_save.find('-j') < 0: + rule_save += " -j CONTINUE" + + res = item2.rstrip() + if res != "OK": + rule = chain + " -t " + table + " " + item0 + ret = run_test(iptables, rule, rule_save, + res, filename, lineno + 1, netns) + + if ret < 0: + return -1 + continue + + if not chain in rules.keys(): + ruleschain = + ruleschain.append((rule, rule_save)) + + restore_data = "*" + table + out_expect = + for chain in "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING": + if not chain in rules.keys(): + continue + for rule in ruleschain: + restore_data.append("-A " + rule0) + out_expect.append("-A " + rule1) + restore_data.append("COMMIT") + + out_expect = "\n".join(out_expect) + + # load all rules via iptables_restore + + command = EXECUTABLE + " " + iptables + "-restore" + if netns: + command = "ip netns exec " + netns + " " + command + + for line in restore_data: + print(iptables + "-restore: " + line, file=log_file) + + proc = subprocess.Popen(command, shell = True, text = True, + stdin = subprocess.PIPE, + stdout = subprocess.PIPE, + stderr = subprocess.PIPE) + restore_data = "\n".join(restore_data) + "\n" + out, err = proc.communicate(input = restore_data) + + if proc.returncode == -11: + reason = iptables + "-restore segfaults: " + cmd + print_error(reason, filename, lineno) + return -1 + + if proc.returncode != 0: + print("%s-restore returned %d: %s" % (iptables, proc.returncode, err), + file=log_file) + return -1 + + # find all rules in iptables_save output + + command = EXECUTABLE + " " + iptables + "-save" + if netns: + command = "ip netns exec " + netns + " " + command + + proc = subprocess.Popen(command, shell = True, + 
stdin = subprocess.PIPE, + stdout = subprocess.PIPE, + stderr = subprocess.PIPE) + out, err = proc.communicate() + + if proc.returncode == -11: + reason = iptables + "-save segfaults: " + cmd + print_error(reason, filename, lineno) + return -1 + + cmd = iptables + " -F -t " + table + execute_cmd(cmd, filename, 0, netns) + + out = out.decode('utf-8').rstrip() + if out.find(out_expect) < 0: + msg = "dumps differ!" + msg.extend("expect: " + l for l in out_expect.split("\n")) + msg.extend("got: " + l for l in out.split("\n") + if not l0 in '*', ':', '#') + print("\n".join(msg), file=log_file) + return -1 + + return tests + def run_test_file(filename, netns): ''' Runs a test file :param filename: name of the file with the test rules + :param netns: network namespace to perform test run in ''' # # if this is not a test file, skip. @@ -198,27 +394,36 @@ iptables = IPTABLES elif "libarpt_" in filename: # only supported with nf_tables backend - if EXECUTEABLE != "xtables-nft-multi": + if EXECUTABLE != "xtables-nft-multi": return 0, 0 iptables = ARPTABLES elif "libebt_" in filename: # only supported with nf_tables backend - if EXECUTEABLE != "xtables-nft-multi": + if EXECUTABLE != "xtables-nft-multi": return 0, 0 iptables = EBTABLES else: # default to iptables if not known prefix iptables = IPTABLES + fast_failed = False + if fast_run_possible(filename): + tests = run_test_file_fast(iptables, filename, netns) + if tests > 0: + print(filename + ": " + maybe_colored('green', "OK", STDOUT_IS_TTY)) + return tests, tests + fast_failed = True + f = open(filename) tests = 0 passed = 0 table = "" + chain_array = total_test_passed = True if netns: - execute_cmd("ip netns add ____iptables-container-test", filename, 0) + execute_cmd("ip netns add " + netns, filename) for lineno, line in enumerate(f): if line0 == "#" or len(line.strip()) == 0: 
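Review bot: In `run_test_file_fast`, both crash branches use `cmd` before it is ever bound: `reason = iptables + "-restore segfaults: " + cmd` runs right after the `-restore` `communicate()`, and the `-save` branch has the same problem because `cmd = iptables + " -F -t " + table` is only assigned further down, so a segfaulting `iptables-restore`/`iptables-save` would surface as an `UnboundLocalError` instead of the intended `print_error` report. Use the string that was actually executed, `reason = iptables + "-restore segfaults: " + command` and `reason = iptables + "-save segfaults: " + command`. The same function also leaves `f = open(filename)` unclosed and reports a non-zero `-restore` exit only to the log file, so a `with open(filename) as f:` and a `print_error` on that path would make failures visible on the console like the slow path does. `run_test_file_fast` is contained in this hunk, but the hunk's tail belongs to `run_test_file`, whose body continues past it.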
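Review bot: `run_test_file` calls `run_test_file_fast(iptables, filename, netns)` before the `if netns: execute_cmd("ip netns add " + netns, filename)` that creates the namespace, so under `-N` every fast run executes `ip netns exec ____iptables-container-test ...` against a namespace that does not exist yet, fails, and the file is then reported as "OK but fast mode failed!" after the slow path succeeds. Move the `ip netns add` (and the matching `ip netns del` at the end of the function) so they bracket the fast attempt as well. Separately, `fast_failed = True` is also set when the fast run returns `0` for a file that simply contains no rules, which is not a failure; `fast_failed = tests < 0` expresses the intent. The function's body continues past this hunk.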
@@ -228,20 +433,11 @@ chain_array = line.rstrip()1:.split(",") continue - # external non-iptables invocation, executed as is. - if line0 == "@": + # external command invocation, executed as is. + # detects iptables commands to prefix with EXECUTABLE automatically + if line0 in "@", "%": external_cmd = line.rstrip()1: - if netns: - external_cmd = "ip netns exec ____iptables-container-test " + external_cmd - execute_cmd(external_cmd, filename, lineno) - continue - - # external iptables invocation, executed as is. - if line0 == "%": - external_cmd = line.rstrip()1: - if netns: - external_cmd = "ip netns exec ____iptables-container-test " + EXECUTEABLE + " " + external_cmd - execute_cmd(external_cmd, filename, lineno) + execute_cmd(external_cmd, filename, lineno, netns) continue if line0 == "*": @@ -249,8 +445,10 @@ continue if len(chain_array) == 0: - print("broken test, missing chain, leaving") - sys.exit() + print_error("broken test, missing chain", + filename = filename, lineno = lineno) + total_test_passed = False + break test_passed = True tests += 1 @@ -268,6 +466,14 @@ rule_save = chain + " " + item1 res = item2.rstrip() + if len(item) > 3: + variant = item3.rstrip() + if len(item) > 4: + alt_res = item4.rstrip() + else: + alt_res = None + res = variant_res(res, variant, alt_res) + ret = run_test(iptables, rule, rule_save, res, filename, lineno + 1, netns) @@ -280,9 +486,12 @@ passed += 1 if netns: - execute_cmd("ip netns del ____iptables-container-test", filename, 0) + execute_cmd("ip netns del " + netns, filename) if total_test_passed: - print(filename + ": " + Colors.GREEN + "OK" + Colors.ENDC) + suffix = "" + if fast_failed: + suffix = maybe_colored('red', " but fast mode failed!", STDOUT_IS_TTY) + print(filename + ": " + maybe_colored('green', "OK", STDOUT_IS_TTY) + suffix) f.close() return tests, passed 
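Review bot: The new variant handling in the `@@ -268` hunk passes whatever the fourth and fifth `;`-separated fields contain straight into `variant_res`, which indexes `variant_executable[variant]` and `res_inverse[res]`; a typo such as `;nft` or a stray trailing field therefore aborts the whole run with a `KeyError` traceback instead of the file/line `print_error` report every other malformed line gets. Validate before the call, e.g. `if variant not in ("NFT", "LEGACY"): print_error("unknown variant " + variant, filename, lineno + 1)` followed by `total_test_passed = False` and `break`, mirroring the "missing chain" handling added in the `@@ -249` hunk. The enclosing loop body starts before this hunk.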
@@ -304,6 +513,31 @@ print('\n'.join(missing)) +def spawn_netns(): + # prefer unshare module + try: + import unshare + unshare.unshare(unshare.CLONE_NEWNET) + return True + except: + pass + + # sledgehammer style: + # - call ourselves prefixed by 'unshare -n' if found + # - pass extra --no-netns parameter to avoid another recursion + try: + import shutil + + unshare = shutil.which("unshare") + if unshare is None: + return False + + sys.argv.append("--no-netns") + os.execv(unshare, unshare, "-n", sys.executable + sys.argv) + except: + pass + + return False # # main @@ -321,8 +555,11 @@ help='Check for missing tests') parser.add_argument('-n', '--nftables', action='store_true', help='Test iptables-over-nftables') - parser.add_argument('-N', '--netns', action='store_true', + parser.add_argument('-N', '--netns', action='store_const', + const='____iptables-container-test', help='Test netnamespace path') + parser.add_argument('--no-netns', action='store_true', + help='Do not run testsuite in own network namespace') args = parser.parse_args() # 
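Review bot: Both `try` blocks in `spawn_netns` end in a bare `except:`, which swallows every exception including `SystemExit` and `KeyboardInterrupt` and hides why the namespace could not be created; the first block only needs `except (ImportError, OSError):` and the second `except OSError:` around `os.execv`, ideally printing the error to stderr before falling through. `sys.argv.append("--no-netns")` mutates the live `argv` before `execv`, so on an `execv` failure the function returns `False` with the flag left behind; harmless today, but worth a comment or a local copy of the list. Since this script only runs as root, `shutil.which("unshare")` resolving through the inherited `PATH` is an inference worth confirming against the environments the suite is run in.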
@@ -332,56 +569,72 @@ show_missing() return - global EXECUTEABLE - EXECUTEABLE = "xtables-legacy-multi" + variants = + if args.legacy: + variants.append("legacy") if args.nftables: - EXECUTEABLE = "xtables-nft-multi" + variants.append("nft") + if len(variants) == 0: + variants = "legacy", "nft" if os.getuid() != 0: - print("You need to be root to run this, sorry") - return + print("You need to be root to run this, sorry", file=sys.stderr) + return 77 + + if not args.netns and not args.no_netns and not spawn_netns(): + print("Cannot run in own namespace, connectivity might break", + file=sys.stderr) if not args.host: os.putenv("XTABLES_LIBDIR", os.path.abspath(EXTENSIONS_PATH)) os.putenv("PATH", "%s/iptables:%s" % (os.path.abspath(os.path.curdir), os.getenv("PATH"))) - test_files = 0 - tests = 0 - passed = 0 - - # setup global var log file - global log_file - try: - log_file = open(LOGFILE, 'w') - except IOError: - print("Couldn't open log file %s" % LOGFILE) - return + total_test_files = 0 + total_passed = 0 + total_tests = 0 + for variant in variants: + global EXECUTABLE + EXECUTABLE = "xtables-" + variant + "-multi" - if args.filename: - file_list = args.filename - else: - file_list = os.path.join(EXTENSIONS_PATH, i) - for i in os.listdir(EXTENSIONS_PATH) - if i.endswith('.t') - file_list.sort() + test_files = 0 + tests = 0 + passed = 0 - if not args.netns: + # setup global var log file + global log_file try: - import unshare - unshare.unshare(unshare.CLONE_NEWNET) - except: - print("Cannot run in own namespace, connectivity might break") - - for filename in file_list: - file_tests, file_passed = run_test_file(filename, args.netns) - if file_tests: - tests += file_tests - passed += file_passed - test_files += 1 - - print("%d test files, %d unit tests, %d passed" % (test_files, tests, passed)) + log_file = open(LOGFILE, 'w') + except IOError: + print("Couldn't open log file %s" % LOGFILE, file=sys.stderr) + return + if args.filename: + file_list = args.filename + 
else: + file_list = os.path.join(EXTENSIONS_PATH, i) + for i in os.listdir(EXTENSIONS_PATH) + if i.endswith('.t') + file_list.sort() + + for filename in file_list: + file_tests, file_passed = run_test_file(filename, args.netns) + if file_tests: + tests += file_tests + passed += file_passed + test_files += 1 + + print("%s: %d test files, %d unit tests, %d passed" + % (variant, test_files, tests, passed)) + + total_passed += passed + total_tests += tests + total_test_files = max(total_test_files, test_files) + + if len(variants) > 1: + print("total: %d test files, %d unit tests, %d passed" + % (total_test_files, total_tests, total_passed)) + return total_passed - total_tests if __name__ == '__main__': - main() + sys.exit(main())
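Review bot: `main` returns `total_passed - total_tests`, which `sys.exit()` reduces to an 8-bit status, so a run with exactly 256 (or any multiple of 256) failing unit tests exits 0 and looks green to a caller; return `0 if total_passed == total_tests else 1` instead. The bare `return` on the log-open failure likewise exits 0 although nothing ran, and `log_file = open(LOGFILE, 'w')` now sits inside `for variant in variants:`, so the nft pass truncates the legacy pass's log and the earlier handle is never closed — open the log once before the loop. `LOGFILE` is a fixed path under `/tmp` that a root process opens for writing; that is the classic symlink-following hazard if the suite is ever run on a shared host, and a `tempfile.NamedTemporaryFile(delete=False)` or a path under the build directory would avoid it.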
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/Makefile.am
@@ -2,49 +2,56 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} BUILT_SOURCES = -xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c -xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} -xtables_legacy_multi_LDADD = ../extensions/libext.a +common_sources = iptables-xml.c xtables-multi.h xshared.c xshared.h +common_ldadd = ../extensions/libext.a ../libxtables/libxtables.la -lm +common_cflags = ${AM_CFLAGS} if ENABLE_STATIC -xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE +common_cflags += -DALL_INCLUSIVE endif + +xtables_legacy_multi_SOURCES = ${common_sources} xtables-legacy-multi.c \ + iptables-restore.c iptables-save.c +xtables_legacy_multi_CFLAGS = ${common_cflags} +xtables_legacy_multi_LDADD = ${common_ldadd} if ENABLE_IPV4 -xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c +xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c iptables-multi.h xtables_legacy_multi_CFLAGS += -DENABLE_IPV4 xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a endif if ENABLE_IPV6 -xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c +xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c ip6tables-multi.h xtables_legacy_multi_CFLAGS += -DENABLE_IPV6 xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a endif -xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c -xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm # iptables using nf_tables api if ENABLE_NFTABLES -xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c -xtables_nft_multi_CFLAGS = ${AM_CFLAGS} -xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a -if ENABLE_STATIC -xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE -endif +xtables_nft_multi_SOURCES = 
${common_sources} xtables-nft-multi.c +xtables_nft_multi_CFLAGS = ${common_cflags} +xtables_nft_multi_LDADD = ${common_ldadd} \ + ../extensions/libext_arpt.a \ + ../extensions/libext_ebt.a \ + ../extensions/libext4.a \ + ../extensions/libext6.a \ + ${libmnl_LIBS} ${libnftnl_LIBS} \ + ${libnetfilter_conntrack_LIBS} xtables_nft_multi_CFLAGS += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6 -xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \ - xtables-standalone.c xtables.c nft.c \ - nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \ - xtables-monitor.c nft-cache.c \ - xtables-arp-standalone.c xtables-arp.c \ - nft-bridge.c nft-cmd.c nft-chain.c \ - xtables-eb-standalone.c xtables-eb.c \ - xtables-eb-translate.c \ - xtables-translate.c -xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a -xtables_nft_multi_SOURCES += xshared.c -xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm +xtables_nft_multi_SOURCES += nft.c nft.h \ + nft-arp.c nft-ipv4.c nft-ipv6.c \ + nft-bridge.c nft-bridge.h \ + nft-cache.c nft-cache.h \ + nft-chain.c nft-chain.h \ + nft-cmd.c nft-cmd.h \ + nft-shared.c nft-shared.h \ + xtables-monitor.c \ + xtables.c xtables-arp.c xtables-eb.c \ + xtables-standalone.c xtables-eb-standalone.c \ + xtables-translate.c xtables-eb-translate.c \ + xtables-save.c xtables-restore.c endif sbin_PROGRAMS = xtables-legacy-multi 
@@ -56,22 +63,19 @@ ip6tables-save.8 iptables-extensions.8 \ iptables-apply.8 ip6tables-apply.8 -sbin_SCRIPTS = iptables-apply +dist_sbin_SCRIPTS = iptables-apply +dist_pkgdata_DATA = iptables.xslt if ENABLE_NFTABLES -man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ - iptables-translate.8 ip6tables-translate.8 \ +man_MANS += iptables-translate.8 ip6tables-translate.8 \ iptables-restore-translate.8 ip6tables-restore-translate.8 \ - xtables-monitor.8 \ - arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \ - ebtables-nft.8 + xtables-monitor.8 ebtables-translate.8 + +dist_man_MANS = xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ + arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \ + ebtables-nft.8 endif -CLEANFILES = iptables.8 xtables-monitor.8 \ - iptables-xml.1 iptables-apply.8 \ - iptables-extensions.8 iptables-extensions.8.tmpl \ - iptables-restore.8 iptables-save.8 \ - iptables-restore-translate.8 ip6tables-restore-translate.8 \ - iptables-translate.8 ip6tables-translate.8 +CLEANFILES = ${man_MANS} iptables-extensions.8.tmpl vx_bin_links = iptables-xml if ENABLE_IPV4 @@ -85,7 +89,7 @@ if ENABLE_NFTABLES x_sbin_links = iptables-nft iptables-nft-restore iptables-nft-save \ ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \ - iptables-translate ip6tables-translate \ + iptables-translate ip6tables-translate ebtables-translate \ iptables-restore-translate ip6tables-restore-translate \ arptables-nft arptables \ arptables-nft-restore arptables-restore \ 
@@ -101,9 +105,12 @@ -e '/@MATCH@/ r ../extensions/matches.man' \ -e '/@TARGET@/ r ../extensions/targets.man' $< >$@; -iptables-translate.8 ip6tables-translate.8 iptables-restore-translate.8 ip6tables-restore-translate.8: +iptables-translate.8 ip6tables-translate.8 iptables-restore-translate.8 ip6tables-restore-translate.8 ebtables-translate.8: ${AM_VERBOSE_GEN} echo '.so man8/xtables-translate.8' >$@ +ip6tables.8 ip6tables-apply.8 ip6tables-restore.8 ip6tables-save.8: + ${AM_VERBOSE_GEN} echo "$@" | sed 's|^ip6|.so man8/ip|' >$@ + pkgconfig_DATA = xtables.pc # Using if..fi avoids an ugly "error (ignored)" message :) @@ -138,3 +145,5 @@ ); \ ( cd "$$dir" && rm -f ip6tables-apply ); \ } + +EXTRA_DIST = tests
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -92,21 +92,17 @@ build_triplet = @build@ host_triplet = @host@ @ENABLE_STATIC_TRUE@am__append_1 = -DALL_INCLUSIVE -@ENABLE_IPV4_TRUE@am__append_2 = iptables-standalone.c iptables.c +@ENABLE_IPV4_TRUE@am__append_2 = iptables-standalone.c iptables.c iptables-multi.h @ENABLE_IPV4_TRUE@am__append_3 = -DENABLE_IPV4 @ENABLE_IPV4_TRUE@am__append_4 = ../libiptc/libip4tc.la ../extensions/libext4.a -@ENABLE_IPV6_TRUE@am__append_5 = ip6tables-standalone.c ip6tables.c +@ENABLE_IPV6_TRUE@am__append_5 = ip6tables-standalone.c ip6tables.c ip6tables-multi.h @ENABLE_IPV6_TRUE@am__append_6 = -DENABLE_IPV6 @ENABLE_IPV6_TRUE@am__append_7 = ../libiptc/libip6tc.la ../extensions/libext6.a -@ENABLE_NFTABLES_TRUE@@ENABLE_STATIC_TRUE@am__append_8 = -DALL_INCLUSIVE sbin_PROGRAMS = xtables-legacy-multi$(EXEEXT) $(am__EXEEXT_1) -@ENABLE_NFTABLES_TRUE@am__append_9 = xtables-nft-multi -@ENABLE_NFTABLES_TRUE@am__append_10 = xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ -@ENABLE_NFTABLES_TRUE@ iptables-translate.8 ip6tables-translate.8 \ +@ENABLE_NFTABLES_TRUE@am__append_8 = xtables-nft-multi +@ENABLE_NFTABLES_TRUE@am__append_9 = iptables-translate.8 ip6tables-translate.8 \ @ENABLE_NFTABLES_TRUE@ iptables-restore-translate.8 ip6tables-restore-translate.8 \ -@ENABLE_NFTABLES_TRUE@ xtables-monitor.8 \ -@ENABLE_NFTABLES_TRUE@ arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \ -@ENABLE_NFTABLES_TRUE@ ebtables-nft.8 +@ENABLE_NFTABLES_TRUE@ xtables-monitor.8 ebtables-translate.8 subdir = iptables ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 
@@ -116,7 +112,8 @@ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_sbin_SCRIPTS) \ + $(dist_pkgdata_DATA) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = xtables.pc iptables.8 iptables-extensions.8.tmpl \ 
@@ -126,25 +123,29 @@ @ENABLE_NFTABLES_TRUE@am__EXEEXT_1 = xtables-nft-multi$(EXEEXT) am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(sbindir)" \ "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" \ - "$(DESTDIR)$(pkgconfigdir)" + "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(pkgconfigdir)" PROGRAMS = $(sbin_PROGRAMS) -am__xtables_legacy_multi_SOURCES_DIST = xtables-legacy-multi.c \ - iptables-xml.c iptables-standalone.c iptables.c \ - ip6tables-standalone.c ip6tables.c xshared.c \ - iptables-restore.c iptables-save.c -@ENABLE_IPV4_TRUE@am__objects_1 = xtables_legacy_multi-iptables-standalone.$(OBJEXT) \ +am__xtables_legacy_multi_SOURCES_DIST = iptables-xml.c xtables-multi.h \ + xshared.c xshared.h xtables-legacy-multi.c iptables-restore.c \ + iptables-save.c iptables-standalone.c iptables.c \ + iptables-multi.h ip6tables-standalone.c ip6tables.c \ + ip6tables-multi.h +am__objects_1 = xtables_legacy_multi-iptables-xml.$(OBJEXT) \ + xtables_legacy_multi-xshared.$(OBJEXT) +@ENABLE_IPV4_TRUE@am__objects_2 = xtables_legacy_multi-iptables-standalone.$(OBJEXT) \ @ENABLE_IPV4_TRUE@ xtables_legacy_multi-iptables.$(OBJEXT) -@ENABLE_IPV6_TRUE@am__objects_2 = xtables_legacy_multi-ip6tables-standalone.$(OBJEXT) \ +@ENABLE_IPV6_TRUE@am__objects_3 = xtables_legacy_multi-ip6tables-standalone.$(OBJEXT) \ @ENABLE_IPV6_TRUE@ xtables_legacy_multi-ip6tables.$(OBJEXT) -am_xtables_legacy_multi_OBJECTS = \ +am_xtables_legacy_multi_OBJECTS = $(am__objects_1) \ xtables_legacy_multi-xtables-legacy-multi.$(OBJEXT) \ - xtables_legacy_multi-iptables-xml.$(OBJEXT) $(am__objects_1) \ - $(am__objects_2) xtables_legacy_multi-xshared.$(OBJEXT) \ xtables_legacy_multi-iptables-restore.$(OBJEXT) \ - xtables_legacy_multi-iptables-save.$(OBJEXT) + xtables_legacy_multi-iptables-save.$(OBJEXT) $(am__objects_2) \ + $(am__objects_3) xtables_legacy_multi_OBJECTS = $(am_xtables_legacy_multi_OBJECTS) -xtables_legacy_multi_DEPENDENCIES = ../extensions/libext.a \ - $(am__append_4) $(am__append_7) 
../libxtables/libxtables.la +am__DEPENDENCIES_1 = ../extensions/libext.a \ + ../libxtables/libxtables.la +xtables_legacy_multi_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__append_4) $(am__append_7) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent 
@@ -153,49 +154,48 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(xtables_legacy_multi_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \ - iptables-xml.c xtables-save.c xtables-restore.c \ - xtables-standalone.c xtables.c nft.c nft-shared.c nft-ipv4.c \ - nft-ipv6.c nft-arp.c xtables-monitor.c nft-cache.c \ - xtables-arp-standalone.c xtables-arp.c nft-bridge.c nft-cmd.c \ - nft-chain.c xtables-eb-standalone.c xtables-eb.c \ - xtables-eb-translate.c xtables-translate.c xshared.c -@ENABLE_NFTABLES_TRUE@am_xtables_nft_multi_OBJECTS = xtables_nft_multi-xtables-nft-multi.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-iptables-xml.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-save.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-restore.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-standalone.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables.$(OBJEXT) \ +am__xtables_nft_multi_SOURCES_DIST = iptables-xml.c xtables-multi.h \ + xshared.c xshared.h xtables-nft-multi.c nft.c nft.h nft-arp.c \ + nft-ipv4.c nft-ipv6.c nft-bridge.c nft-bridge.h nft-cache.c \ + nft-cache.h nft-chain.c nft-chain.h nft-cmd.c nft-cmd.h \ + nft-shared.c nft-shared.h xtables-monitor.c xtables.c \ + xtables-arp.c xtables-eb.c xtables-standalone.c \ + xtables-eb-standalone.c xtables-translate.c \ + xtables-eb-translate.c xtables-save.c xtables-restore.c +am__objects_4 = xtables_nft_multi-iptables-xml.$(OBJEXT) \ + xtables_nft_multi-xshared.$(OBJEXT) +@ENABLE_NFTABLES_TRUE@am_xtables_nft_multi_OBJECTS = $(am__objects_4) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-nft-multi.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-shared.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-arp.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-ipv4.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ 
xtables_nft_multi-nft-ipv6.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-arp.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-monitor.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-cache.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp-standalone.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-bridge.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-cmd.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-cache.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-chain.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-standalone.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-cmd.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-shared.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-monitor.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-translate.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-standalone.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-standalone.$(OBJEXT) \ @ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-translate.$(OBJEXT) \ -@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xshared.$(OBJEXT) +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-translate.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-save.$(OBJEXT) \ +@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-restore.$(OBJEXT) xtables_nft_multi_OBJECTS = $(am_xtables_nft_multi_OBJECTS) -am__DEPENDENCIES_1 = +am__DEPENDENCIES_2 = @ENABLE_NFTABLES_TRUE@xtables_nft_multi_DEPENDENCIES = \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext_ebt.a \ -@ENABLE_NFTABLES_TRUE@ $(am__DEPENDENCIES_1) \ -@ENABLE_NFTABLES_TRUE@ 
$(am__DEPENDENCIES_1) \ @ENABLE_NFTABLES_TRUE@ $(am__DEPENDENCIES_1) \ +@ENABLE_NFTABLES_TRUE@ ../extensions/libext_arpt.a \ +@ENABLE_NFTABLES_TRUE@ ../extensions/libext_ebt.a \ @ENABLE_NFTABLES_TRUE@ ../extensions/libext4.a \ @ENABLE_NFTABLES_TRUE@ ../extensions/libext6.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext_ebt.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext_arpt.a \ -@ENABLE_NFTABLES_TRUE@ ../libxtables/libxtables.la +@ENABLE_NFTABLES_TRUE@ $(am__DEPENDENCIES_2) \ +@ENABLE_NFTABLES_TRUE@ $(am__DEPENDENCIES_2) \ +@ENABLE_NFTABLES_TRUE@ $(am__DEPENDENCIES_2) xtables_nft_multi_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(xtables_nft_multi_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ @@ -227,7 +227,7 @@ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -SCRIPTS = $(sbin_SCRIPTS) +SCRIPTS = $(dist_sbin_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -264,7 +264,6 @@ ./$(DEPDIR)/xtables_nft_multi-nft-shared.Po \ ./$(DEPDIR)/xtables_nft_multi-nft.Po \ ./$(DEPDIR)/xtables_nft_multi-xshared.Po \ - ./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po \ ./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po \ ./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po \ ./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po \ @@ -306,8 +305,8 @@ man1dir = $(mandir)/man1 man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(pkgconfig_DATA) +MANS = $(dist_man_MANS) $(man_MANS) +DATA = $(dist_pkgdata_DATA) $(pkgconfig_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is 
@@ -327,7 +326,8 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/iptables-apply.8.in \ +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(srcdir)/iptables-apply.8.in \ $(srcdir)/iptables-extensions.8.tmpl.in \ $(srcdir)/iptables-restore.8.in $(srcdir)/iptables-save.8.in \ $(srcdir)/iptables-xml.1.in $(srcdir)/iptables.8.in \ @@ -470,6 +470,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ 
@@ -482,51 +483,55 @@ xtlibdir = @xtlibdir@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} BUILT_SOURCES = -xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c \ - $(am__append_2) $(am__append_5) xshared.c iptables-restore.c \ - iptables-save.c -xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} $(am__append_1) \ - $(am__append_3) $(am__append_6) -xtables_legacy_multi_LDADD = ../extensions/libext.a $(am__append_4) \ - $(am__append_7) ../libxtables/libxtables.la -lm +common_sources = iptables-xml.c xtables-multi.h xshared.c xshared.h +common_ldadd = ../extensions/libext.a ../libxtables/libxtables.la -lm +common_cflags = ${AM_CFLAGS} $(am__append_1) +xtables_legacy_multi_SOURCES = ${common_sources} \ + xtables-legacy-multi.c iptables-restore.c iptables-save.c \ + $(am__append_2) $(am__append_5) +xtables_legacy_multi_CFLAGS = ${common_cflags} $(am__append_3) \ + $(am__append_6) +xtables_legacy_multi_LDADD = ${common_ldadd} $(am__append_4) \ + $(am__append_7) # iptables using nf_tables api -@ENABLE_NFTABLES_TRUE@xtables_nft_multi_SOURCES = xtables-nft-multi.c \ -@ENABLE_NFTABLES_TRUE@ iptables-xml.c xtables-save.c \ -@ENABLE_NFTABLES_TRUE@ xtables-restore.c xtables-standalone.c \ -@ENABLE_NFTABLES_TRUE@ xtables.c nft.c nft-shared.c nft-ipv4.c \ -@ENABLE_NFTABLES_TRUE@ nft-ipv6.c nft-arp.c xtables-monitor.c \ -@ENABLE_NFTABLES_TRUE@ nft-cache.c xtables-arp-standalone.c \ -@ENABLE_NFTABLES_TRUE@ xtables-arp.c nft-bridge.c nft-cmd.c \ -@ENABLE_NFTABLES_TRUE@ nft-chain.c xtables-eb-standalone.c \ -@ENABLE_NFTABLES_TRUE@ xtables-eb.c xtables-eb-translate.c \ -@ENABLE_NFTABLES_TRUE@ xtables-translate.c xshared.c -@ENABLE_NFTABLES_TRUE@xtables_nft_multi_CFLAGS = ${AM_CFLAGS} \ -@ENABLE_NFTABLES_TRUE@ $(am__append_8) -DENABLE_NFTABLES \ -@ENABLE_NFTABLES_TRUE@ 
-DENABLE_IPV4 -DENABLE_IPV6 -@ENABLE_NFTABLES_TRUE@xtables_nft_multi_LDADD = \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext_ebt.a \ -@ENABLE_NFTABLES_TRUE@ ${libmnl_LIBS} ${libnftnl_LIBS} \ -@ENABLE_NFTABLES_TRUE@ ${libnetfilter_conntrack_LIBS} \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext4.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext6.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext_ebt.a \ -@ENABLE_NFTABLES_TRUE@ ../extensions/libext_arpt.a \ -@ENABLE_NFTABLES_TRUE@ ../libxtables/libxtables.la -lm +@ENABLE_NFTABLES_TRUE@xtables_nft_multi_SOURCES = ${common_sources} \ +@ENABLE_NFTABLES_TRUE@ xtables-nft-multi.c nft.c nft.h \ +@ENABLE_NFTABLES_TRUE@ nft-arp.c nft-ipv4.c nft-ipv6.c \ +@ENABLE_NFTABLES_TRUE@ nft-bridge.c nft-bridge.h nft-cache.c \ +@ENABLE_NFTABLES_TRUE@ nft-cache.h nft-chain.c nft-chain.h \ +@ENABLE_NFTABLES_TRUE@ nft-cmd.c nft-cmd.h nft-shared.c \ +@ENABLE_NFTABLES_TRUE@ nft-shared.h xtables-monitor.c xtables.c \ +@ENABLE_NFTABLES_TRUE@ xtables-arp.c xtables-eb.c \ +@ENABLE_NFTABLES_TRUE@ xtables-standalone.c \ +@ENABLE_NFTABLES_TRUE@ xtables-eb-standalone.c \ +@ENABLE_NFTABLES_TRUE@ xtables-translate.c \ +@ENABLE_NFTABLES_TRUE@ xtables-eb-translate.c xtables-save.c \ +@ENABLE_NFTABLES_TRUE@ xtables-restore.c +@ENABLE_NFTABLES_TRUE@xtables_nft_multi_CFLAGS = ${common_cflags} \ +@ENABLE_NFTABLES_TRUE@ -DENABLE_NFTABLES -DENABLE_IPV4 \ +@ENABLE_NFTABLES_TRUE@ -DENABLE_IPV6 +@ENABLE_NFTABLES_TRUE@xtables_nft_multi_LDADD = ${common_ldadd} \ +@ENABLE_NFTABLES_TRUE@ ../extensions/libext_arpt.a \ +@ENABLE_NFTABLES_TRUE@ ../extensions/libext_ebt.a \ +@ENABLE_NFTABLES_TRUE@ ../extensions/libext4.a \ +@ENABLE_NFTABLES_TRUE@ ../extensions/libext6.a \ +@ENABLE_NFTABLES_TRUE@ ${libmnl_LIBS} ${libnftnl_LIBS} \ +@ENABLE_NFTABLES_TRUE@ ${libnetfilter_conntrack_LIBS} + man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 
iptables-extensions.8 iptables-apply.8 \ - ip6tables-apply.8 $(am__append_10) -sbin_SCRIPTS = iptables-apply -CLEANFILES = iptables.8 xtables-monitor.8 \ - iptables-xml.1 iptables-apply.8 \ - iptables-extensions.8 iptables-extensions.8.tmpl \ - iptables-restore.8 iptables-save.8 \ - iptables-restore-translate.8 ip6tables-restore-translate.8 \ - iptables-translate.8 ip6tables-translate.8 + ip6tables-apply.8 $(am__append_9) +dist_sbin_SCRIPTS = iptables-apply +dist_pkgdata_DATA = iptables.xslt +@ENABLE_NFTABLES_TRUE@dist_man_MANS = xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ +@ENABLE_NFTABLES_TRUE@ arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \ +@ENABLE_NFTABLES_TRUE@ ebtables-nft.8 +CLEANFILES = ${man_MANS} iptables-extensions.8.tmpl vx_bin_links = iptables-xml @ENABLE_IPV4_TRUE@v4_sbin_links = iptables-legacy iptables-legacy-restore iptables-legacy-save \ @ENABLE_IPV4_TRUE@ iptables iptables-restore iptables-save @@ -536,7 +541,7 @@ @ENABLE_NFTABLES_TRUE@x_sbin_links = iptables-nft iptables-nft-restore iptables-nft-save \ @ENABLE_NFTABLES_TRUE@ ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \ -@ENABLE_NFTABLES_TRUE@ iptables-translate ip6tables-translate \ +@ENABLE_NFTABLES_TRUE@ iptables-translate ip6tables-translate ebtables-translate \ @ENABLE_NFTABLES_TRUE@ iptables-restore-translate ip6tables-restore-translate \ @ENABLE_NFTABLES_TRUE@ arptables-nft arptables \ @ENABLE_NFTABLES_TRUE@ arptables-nft-restore arptables-restore \ @@ -547,6 +552,7 @@ @ENABLE_NFTABLES_TRUE@ xtables-monitor pkgconfig_DATA = xtables.pc +EXTRA_DIST = tests all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am 
@@ -654,9 +660,9 @@ xtables-nft-multi$(EXEEXT): $(xtables_nft_multi_OBJECTS) $(xtables_nft_multi_DEPENDENCIES) $(EXTRA_xtables_nft_multi_DEPENDENCIES) @rm -f xtables-nft-multi$(EXEEXT) $(AM_V_CCLD)$(xtables_nft_multi_LINK) $(xtables_nft_multi_OBJECTS) $(xtables_nft_multi_LDADD) $(LIBS) -install-sbinSCRIPTS: $(sbin_SCRIPTS) +install-dist_sbinSCRIPTS: $(dist_sbin_SCRIPTS) @$(NORMAL_INSTALL) - @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ + @list='$(dist_sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ @@ -683,9 +689,9 @@ } \ ; done -uninstall-sbinSCRIPTS: +uninstall-dist_sbinSCRIPTS: @$(NORMAL_UNINSTALL) - @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ + @list='$(dist_sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 's,.*/,,;$(transform)'`; \ dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) @@ -716,7 +722,6 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-shared.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xshared.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po@am__quote@ # am--include-marker 
@@ -756,6 +761,34 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< +xtables_legacy_multi-iptables-xml.o: iptables-xml.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-xml.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo -c -o xtables_legacy_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-xml.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-xml.c' object='xtables_legacy_multi-iptables-xml.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c + +xtables_legacy_multi-iptables-xml.obj: iptables-xml.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-xml.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo -c -o xtables_legacy_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-xml.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-xml.c' object='xtables_legacy_multi-iptables-xml.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` + +xtables_legacy_multi-xshared.o: xshared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-xshared.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-xshared.Tpo -c -o xtables_legacy_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-xshared.Tpo $(DEPDIR)/xtables_legacy_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' object='xtables_legacy_multi-xshared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c + +xtables_legacy_multi-xshared.obj: xshared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-xshared.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-xshared.Tpo -c -o xtables_legacy_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-xshared.Tpo $(DEPDIR)/xtables_legacy_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' 
object='xtables_legacy_multi-xshared.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` + xtables_legacy_multi-xtables-legacy-multi.o: xtables-legacy-multi.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-xtables-legacy-multi.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Tpo -c -o xtables_legacy_multi-xtables-legacy-multi.o `test -f 'xtables-legacy-multi.c' || echo '$(srcdir)/'`xtables-legacy-multi.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Tpo $(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po 
@@ -770,19 +803,33 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-xtables-legacy-multi.obj `if test -f 'xtables-legacy-multi.c'; then $(CYGPATH_W) 'xtables-legacy-multi.c'; else $(CYGPATH_W) '$(srcdir)/xtables-legacy-multi.c'; fi` -xtables_legacy_multi-iptables-xml.o: iptables-xml.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-xml.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo -c -o xtables_legacy_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-xml.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-xml.c' object='xtables_legacy_multi-iptables-xml.o' libtool=no @AMDEPBACKSLASH@ +xtables_legacy_multi-iptables-restore.o: iptables-restore.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-restore.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo -c -o xtables_legacy_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-restore.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-restore.c' object='xtables_legacy_multi-iptables-restore.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c -xtables_legacy_multi-iptables-xml.obj: iptables-xml.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-xml.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo -c -o xtables_legacy_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-xml.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-xml.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-xml.c' object='xtables_legacy_multi-iptables-xml.obj' libtool=no @AMDEPBACKSLASH@ +xtables_legacy_multi-iptables-restore.obj: iptables-restore.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-restore.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo -c -o xtables_legacy_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-restore.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-restore.c' 
object='xtables_legacy_multi-iptables-restore.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` + +xtables_legacy_multi-iptables-save.o: iptables-save.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-save.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo -c -o xtables_legacy_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-save.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-save.c' object='xtables_legacy_multi-iptables-save.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c + +xtables_legacy_multi-iptables-save.obj: iptables-save.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-save.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo -c -o xtables_legacy_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-save.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-save.c' object='xtables_legacy_multi-iptables-save.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` xtables_legacy_multi-iptables-standalone.o: iptables-standalone.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-standalone.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-standalone.Tpo -c -o xtables_legacy_multi-iptables-standalone.o `test -f 'iptables-standalone.c' || echo '$(srcdir)/'`iptables-standalone.c 
@@ -840,62 +887,6 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-ip6tables.obj `if test -f 'ip6tables.c'; then $(CYGPATH_W) 'ip6tables.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables.c'; fi` -xtables_legacy_multi-xshared.o: xshared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-xshared.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-xshared.Tpo -c -o xtables_legacy_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-xshared.Tpo $(DEPDIR)/xtables_legacy_multi-xshared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' object='xtables_legacy_multi-xshared.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c - -xtables_legacy_multi-xshared.obj: xshared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-xshared.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-xshared.Tpo -c -o xtables_legacy_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-xshared.Tpo $(DEPDIR)/xtables_legacy_multi-xshared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='xshared.c' object='xtables_legacy_multi-xshared.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` - -xtables_legacy_multi-iptables-restore.o: iptables-restore.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-restore.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo -c -o xtables_legacy_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-restore.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-restore.c' object='xtables_legacy_multi-iptables-restore.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c - -xtables_legacy_multi-iptables-restore.obj: iptables-restore.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-restore.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo -c -o xtables_legacy_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then 
$(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-restore.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-restore.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-restore.c' object='xtables_legacy_multi-iptables-restore.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` - -xtables_legacy_multi-iptables-save.o: iptables-save.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-save.o -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo -c -o xtables_legacy_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-save.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-save.c' object='xtables_legacy_multi-iptables-save.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c - -xtables_legacy_multi-iptables-save.obj: iptables-save.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -MT xtables_legacy_multi-iptables-save.obj -MD -MP -MF $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo -c -o xtables_legacy_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_legacy_multi-iptables-save.Tpo $(DEPDIR)/xtables_legacy_multi-iptables-save.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='iptables-save.c' object='xtables_legacy_multi-iptables-save.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_legacy_multi_CFLAGS) $(CFLAGS) -c -o xtables_legacy_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` - -xtables_nft_multi-xtables-nft-multi.o: xtables-nft-multi.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-nft-multi.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo -c -o xtables_nft_multi-xtables-nft-multi.o `test -f 'xtables-nft-multi.c' || echo '$(srcdir)/'`xtables-nft-multi.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-nft-multi.c' object='xtables_nft_multi-xtables-nft-multi.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-nft-multi.o `test -f 'xtables-nft-multi.c' || echo '$(srcdir)/'`xtables-nft-multi.c - -xtables_nft_multi-xtables-nft-multi.obj: xtables-nft-multi.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-nft-multi.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo -c -o xtables_nft_multi-xtables-nft-multi.obj `if test -f 'xtables-nft-multi.c'; then $(CYGPATH_W) 'xtables-nft-multi.c'; else $(CYGPATH_W) '$(srcdir)/xtables-nft-multi.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-nft-multi.c' object='xtables_nft_multi-xtables-nft-multi.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-nft-multi.obj `if test -f 'xtables-nft-multi.c'; then $(CYGPATH_W) 'xtables-nft-multi.c'; else $(CYGPATH_W) '$(srcdir)/xtables-nft-multi.c'; fi` - xtables_nft_multi-iptables-xml.o: iptables-xml.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-iptables-xml.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-iptables-xml.Tpo -c -o xtables_nft_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-iptables-xml.Tpo $(DEPDIR)/xtables_nft_multi-iptables-xml.Po 
@@ -910,61 +901,33 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` -xtables_nft_multi-xtables-save.o: xtables-save.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-save.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo -c -o xtables_nft_multi-xtables-save.o `test -f 'xtables-save.c' || echo '$(srcdir)/'`xtables-save.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo $(DEPDIR)/xtables_nft_multi-xtables-save.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-save.c' object='xtables_nft_multi-xtables-save.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-save.o `test -f 'xtables-save.c' || echo '$(srcdir)/'`xtables-save.c - -xtables_nft_multi-xtables-save.obj: xtables-save.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-save.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo -c -o xtables_nft_multi-xtables-save.obj `if test -f 'xtables-save.c'; then $(CYGPATH_W) 'xtables-save.c'; else $(CYGPATH_W) '$(srcdir)/xtables-save.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo 
$(DEPDIR)/xtables_nft_multi-xtables-save.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-save.c' object='xtables_nft_multi-xtables-save.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-save.obj `if test -f 'xtables-save.c'; then $(CYGPATH_W) 'xtables-save.c'; else $(CYGPATH_W) '$(srcdir)/xtables-save.c'; fi` - -xtables_nft_multi-xtables-restore.o: xtables-restore.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-restore.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo -c -o xtables_nft_multi-xtables-restore.o `test -f 'xtables-restore.c' || echo '$(srcdir)/'`xtables-restore.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo $(DEPDIR)/xtables_nft_multi-xtables-restore.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-restore.c' object='xtables_nft_multi-xtables-restore.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-restore.o `test -f 'xtables-restore.c' || echo '$(srcdir)/'`xtables-restore.c - -xtables_nft_multi-xtables-restore.obj: xtables-restore.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-restore.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo -c -o xtables_nft_multi-xtables-restore.obj `if test 
-f 'xtables-restore.c'; then $(CYGPATH_W) 'xtables-restore.c'; else $(CYGPATH_W) '$(srcdir)/xtables-restore.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo $(DEPDIR)/xtables_nft_multi-xtables-restore.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-restore.c' object='xtables_nft_multi-xtables-restore.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-restore.obj `if test -f 'xtables-restore.c'; then $(CYGPATH_W) 'xtables-restore.c'; else $(CYGPATH_W) '$(srcdir)/xtables-restore.c'; fi` - -xtables_nft_multi-xtables-standalone.o: xtables-standalone.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-standalone.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo -c -o xtables_nft_multi-xtables-standalone.o `test -f 'xtables-standalone.c' || echo '$(srcdir)/'`xtables-standalone.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-standalone.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-standalone.c' object='xtables_nft_multi-xtables-standalone.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xshared.o: xshared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xshared.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xshared.Tpo -c -o xtables_nft_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xshared.Tpo 
$(DEPDIR)/xtables_nft_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' object='xtables_nft_multi-xshared.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-standalone.o `test -f 'xtables-standalone.c' || echo '$(srcdir)/'`xtables-standalone.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c -xtables_nft_multi-xtables-standalone.obj: xtables-standalone.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-standalone.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo -c -o xtables_nft_multi-xtables-standalone.obj `if test -f 'xtables-standalone.c'; then $(CYGPATH_W) 'xtables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-standalone.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-standalone.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-standalone.c' object='xtables_nft_multi-xtables-standalone.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xshared.obj: xshared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xshared.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xshared.Tpo -c -o xtables_nft_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xshared.Tpo $(DEPDIR)/xtables_nft_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' object='xtables_nft_multi-xshared.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-standalone.obj `if test -f 'xtables-standalone.c'; then $(CYGPATH_W) 'xtables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-standalone.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` -xtables_nft_multi-xtables.o: xtables.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables.Tpo -c -o xtables_nft_multi-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables.Tpo $(DEPDIR)/xtables_nft_multi-xtables.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables.c' object='xtables_nft_multi-xtables.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-nft-multi.o: xtables-nft-multi.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-nft-multi.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo -c -o xtables_nft_multi-xtables-nft-multi.o `test -f 'xtables-nft-multi.c' || echo '$(srcdir)/'`xtables-nft-multi.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-nft-multi.c' object='xtables_nft_multi-xtables-nft-multi.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-nft-multi.o `test -f 'xtables-nft-multi.c' || echo '$(srcdir)/'`xtables-nft-multi.c -xtables_nft_multi-xtables.obj: xtables.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables.Tpo -c -o xtables_nft_multi-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables.Tpo $(DEPDIR)/xtables_nft_multi-xtables.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables.c' object='xtables_nft_multi-xtables.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-nft-multi.obj: xtables-nft-multi.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-nft-multi.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo -c -o xtables_nft_multi-xtables-nft-multi.obj `if test -f 'xtables-nft-multi.c'; then $(CYGPATH_W) 'xtables-nft-multi.c'; else $(CYGPATH_W) 
'$(srcdir)/xtables-nft-multi.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Tpo $(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-nft-multi.c' object='xtables_nft_multi-xtables-nft-multi.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-nft-multi.obj `if test -f 'xtables-nft-multi.c'; then $(CYGPATH_W) 'xtables-nft-multi.c'; else $(CYGPATH_W) '$(srcdir)/xtables-nft-multi.c'; fi` xtables_nft_multi-nft.o: nft.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft.Tpo -c -o xtables_nft_multi-nft.o `test -f 'nft.c' || echo '$(srcdir)/'`nft.c 
@@ -980,19 +943,19 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft.obj `if test -f 'nft.c'; then $(CYGPATH_W) 'nft.c'; else $(CYGPATH_W) '$(srcdir)/nft.c'; fi` -xtables_nft_multi-nft-shared.o: nft-shared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-shared.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo -c -o xtables_nft_multi-nft-shared.o `test -f 'nft-shared.c' || echo '$(srcdir)/'`nft-shared.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo $(DEPDIR)/xtables_nft_multi-nft-shared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-shared.c' object='xtables_nft_multi-nft-shared.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-nft-arp.o: nft-arp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-arp.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo -c -o xtables_nft_multi-nft-arp.o `test -f 'nft-arp.c' || echo '$(srcdir)/'`nft-arp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo $(DEPDIR)/xtables_nft_multi-nft-arp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-arp.c' object='xtables_nft_multi-nft-arp.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-shared.o `test -f 'nft-shared.c' || echo '$(srcdir)/'`nft-shared.c +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-arp.o `test -f 'nft-arp.c' || echo '$(srcdir)/'`nft-arp.c -xtables_nft_multi-nft-shared.obj: nft-shared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-shared.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo -c -o xtables_nft_multi-nft-shared.obj `if test -f 'nft-shared.c'; then $(CYGPATH_W) 'nft-shared.c'; else $(CYGPATH_W) '$(srcdir)/nft-shared.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo $(DEPDIR)/xtables_nft_multi-nft-shared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-shared.c' object='xtables_nft_multi-nft-shared.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-nft-arp.obj: nft-arp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-arp.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo -c -o xtables_nft_multi-nft-arp.obj `if test -f 'nft-arp.c'; then $(CYGPATH_W) 'nft-arp.c'; else $(CYGPATH_W) '$(srcdir)/nft-arp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo $(DEPDIR)/xtables_nft_multi-nft-arp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-arp.c' object='xtables_nft_multi-nft-arp.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-shared.obj `if test -f 'nft-shared.c'; then $(CYGPATH_W) 'nft-shared.c'; else $(CYGPATH_W) '$(srcdir)/nft-shared.c'; fi` +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-arp.obj `if test -f 'nft-arp.c'; then $(CYGPATH_W) 'nft-arp.c'; else $(CYGPATH_W) '$(srcdir)/nft-arp.c'; fi` xtables_nft_multi-nft-ipv4.o: nft-ipv4.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-ipv4.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-ipv4.Tpo -c -o xtables_nft_multi-nft-ipv4.o `test -f 'nft-ipv4.c' || echo '$(srcdir)/'`nft-ipv4.c 
@@ -1022,19 +985,75 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-ipv6.obj `if test -f 'nft-ipv6.c'; then $(CYGPATH_W) 'nft-ipv6.c'; else $(CYGPATH_W) '$(srcdir)/nft-ipv6.c'; fi` -xtables_nft_multi-nft-arp.o: nft-arp.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-arp.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo -c -o xtables_nft_multi-nft-arp.o `test -f 'nft-arp.c' || echo '$(srcdir)/'`nft-arp.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo $(DEPDIR)/xtables_nft_multi-nft-arp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-arp.c' object='xtables_nft_multi-nft-arp.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-nft-bridge.o: nft-bridge.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-bridge.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo -c -o xtables_nft_multi-nft-bridge.o `test -f 'nft-bridge.c' || echo '$(srcdir)/'`nft-bridge.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo $(DEPDIR)/xtables_nft_multi-nft-bridge.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-bridge.c' object='xtables_nft_multi-nft-bridge.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-arp.o `test -f 'nft-arp.c' || echo '$(srcdir)/'`nft-arp.c 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-bridge.o `test -f 'nft-bridge.c' || echo '$(srcdir)/'`nft-bridge.c -xtables_nft_multi-nft-arp.obj: nft-arp.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-arp.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo -c -o xtables_nft_multi-nft-arp.obj `if test -f 'nft-arp.c'; then $(CYGPATH_W) 'nft-arp.c'; else $(CYGPATH_W) '$(srcdir)/nft-arp.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-arp.Tpo $(DEPDIR)/xtables_nft_multi-nft-arp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-arp.c' object='xtables_nft_multi-nft-arp.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-nft-bridge.obj: nft-bridge.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-bridge.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo -c -o xtables_nft_multi-nft-bridge.obj `if test -f 'nft-bridge.c'; then $(CYGPATH_W) 'nft-bridge.c'; else $(CYGPATH_W) '$(srcdir)/nft-bridge.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo $(DEPDIR)/xtables_nft_multi-nft-bridge.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-bridge.c' object='xtables_nft_multi-nft-bridge.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-arp.obj `if test -f 'nft-arp.c'; then $(CYGPATH_W) 'nft-arp.c'; else $(CYGPATH_W) '$(srcdir)/nft-arp.c'; fi` 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-bridge.obj `if test -f 'nft-bridge.c'; then $(CYGPATH_W) 'nft-bridge.c'; else $(CYGPATH_W) '$(srcdir)/nft-bridge.c'; fi` + +xtables_nft_multi-nft-cache.o: nft-cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cache.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo -c -o xtables_nft_multi-nft-cache.o `test -f 'nft-cache.c' || echo '$(srcdir)/'`nft-cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo $(DEPDIR)/xtables_nft_multi-nft-cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cache.c' object='xtables_nft_multi-nft-cache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cache.o `test -f 'nft-cache.c' || echo '$(srcdir)/'`nft-cache.c + +xtables_nft_multi-nft-cache.obj: nft-cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cache.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo -c -o xtables_nft_multi-nft-cache.obj `if test -f 'nft-cache.c'; then $(CYGPATH_W) 'nft-cache.c'; else $(CYGPATH_W) '$(srcdir)/nft-cache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo $(DEPDIR)/xtables_nft_multi-nft-cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cache.c' object='xtables_nft_multi-nft-cache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cache.obj `if test -f 'nft-cache.c'; then $(CYGPATH_W) 'nft-cache.c'; else $(CYGPATH_W) '$(srcdir)/nft-cache.c'; fi` + +xtables_nft_multi-nft-chain.o: nft-chain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-chain.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo -c -o xtables_nft_multi-nft-chain.o `test -f 'nft-chain.c' || echo '$(srcdir)/'`nft-chain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo $(DEPDIR)/xtables_nft_multi-nft-chain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-chain.c' object='xtables_nft_multi-nft-chain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-chain.o `test -f 'nft-chain.c' || echo '$(srcdir)/'`nft-chain.c + +xtables_nft_multi-nft-chain.obj: nft-chain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-chain.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo -c -o xtables_nft_multi-nft-chain.obj `if test -f 'nft-chain.c'; then $(CYGPATH_W) 'nft-chain.c'; else $(CYGPATH_W) '$(srcdir)/nft-chain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo $(DEPDIR)/xtables_nft_multi-nft-chain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-chain.c' object='xtables_nft_multi-nft-chain.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-chain.obj `if test -f 'nft-chain.c'; then $(CYGPATH_W) 'nft-chain.c'; else $(CYGPATH_W) '$(srcdir)/nft-chain.c'; fi` + +xtables_nft_multi-nft-cmd.o: nft-cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cmd.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo -c -o xtables_nft_multi-nft-cmd.o `test -f 'nft-cmd.c' || echo '$(srcdir)/'`nft-cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo $(DEPDIR)/xtables_nft_multi-nft-cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cmd.c' object='xtables_nft_multi-nft-cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cmd.o `test -f 'nft-cmd.c' || echo '$(srcdir)/'`nft-cmd.c + +xtables_nft_multi-nft-cmd.obj: nft-cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cmd.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo -c -o xtables_nft_multi-nft-cmd.obj `if test -f 'nft-cmd.c'; then $(CYGPATH_W) 'nft-cmd.c'; else $(CYGPATH_W) '$(srcdir)/nft-cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo $(DEPDIR)/xtables_nft_multi-nft-cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cmd.c' object='xtables_nft_multi-nft-cmd.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cmd.obj `if test -f 'nft-cmd.c'; then $(CYGPATH_W) 'nft-cmd.c'; else $(CYGPATH_W) '$(srcdir)/nft-cmd.c'; fi` + +xtables_nft_multi-nft-shared.o: nft-shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-shared.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo -c -o xtables_nft_multi-nft-shared.o `test -f 'nft-shared.c' || echo '$(srcdir)/'`nft-shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo $(DEPDIR)/xtables_nft_multi-nft-shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-shared.c' object='xtables_nft_multi-nft-shared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-shared.o `test -f 'nft-shared.c' || echo '$(srcdir)/'`nft-shared.c + +xtables_nft_multi-nft-shared.obj: nft-shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-shared.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo -c -o xtables_nft_multi-nft-shared.obj `if test -f 'nft-shared.c'; then $(CYGPATH_W) 'nft-shared.c'; else $(CYGPATH_W) '$(srcdir)/nft-shared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-shared.Tpo $(DEPDIR)/xtables_nft_multi-nft-shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='nft-shared.c' object='xtables_nft_multi-nft-shared.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-shared.obj `if test -f 'nft-shared.c'; then $(CYGPATH_W) 'nft-shared.c'; else $(CYGPATH_W) '$(srcdir)/nft-shared.c'; fi` xtables_nft_multi-xtables-monitor.o: xtables-monitor.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-monitor.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-monitor.Tpo -c -o xtables_nft_multi-xtables-monitor.o `test -f 'xtables-monitor.c' || echo '$(srcdir)/'`xtables-monitor.c 
@@ -1050,33 +1069,19 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-monitor.obj `if test -f 'xtables-monitor.c'; then $(CYGPATH_W) 'xtables-monitor.c'; else $(CYGPATH_W) '$(srcdir)/xtables-monitor.c'; fi` -xtables_nft_multi-nft-cache.o: nft-cache.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cache.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo -c -o xtables_nft_multi-nft-cache.o `test -f 'nft-cache.c' || echo '$(srcdir)/'`nft-cache.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo $(DEPDIR)/xtables_nft_multi-nft-cache.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cache.c' object='xtables_nft_multi-nft-cache.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cache.o `test -f 'nft-cache.c' || echo '$(srcdir)/'`nft-cache.c - -xtables_nft_multi-nft-cache.obj: nft-cache.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cache.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo -c -o xtables_nft_multi-nft-cache.obj `if test -f 'nft-cache.c'; then $(CYGPATH_W) 'nft-cache.c'; else $(CYGPATH_W) '$(srcdir)/nft-cache.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo $(DEPDIR)/xtables_nft_multi-nft-cache.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='nft-cache.c' object='xtables_nft_multi-nft-cache.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables.o: xtables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables.Tpo -c -o xtables_nft_multi-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables.Tpo $(DEPDIR)/xtables_nft_multi-xtables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables.c' object='xtables_nft_multi-xtables.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cache.obj `if test -f 'nft-cache.c'; then $(CYGPATH_W) 'nft-cache.c'; else $(CYGPATH_W) '$(srcdir)/nft-cache.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c -xtables_nft_multi-xtables-arp-standalone.o: xtables-arp-standalone.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-arp-standalone.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Tpo -c -o xtables_nft_multi-xtables-arp-standalone.o `test -f 'xtables-arp-standalone.c' || echo '$(srcdir)/'`xtables-arp-standalone.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='xtables-arp-standalone.c' object='xtables_nft_multi-xtables-arp-standalone.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-arp-standalone.o `test -f 'xtables-arp-standalone.c' || echo '$(srcdir)/'`xtables-arp-standalone.c - -xtables_nft_multi-xtables-arp-standalone.obj: xtables-arp-standalone.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-arp-standalone.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Tpo -c -o xtables_nft_multi-xtables-arp-standalone.obj `if test -f 'xtables-arp-standalone.c'; then $(CYGPATH_W) 'xtables-arp-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-arp-standalone.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-arp-standalone.c' object='xtables_nft_multi-xtables-arp-standalone.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables.obj: xtables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables.Tpo -c -o xtables_nft_multi-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables.Tpo $(DEPDIR)/xtables_nft_multi-xtables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables.c' object='xtables_nft_multi-xtables.obj' libtool=no 
@AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-arp-standalone.obj `if test -f 'xtables-arp-standalone.c'; then $(CYGPATH_W) 'xtables-arp-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-arp-standalone.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi` xtables_nft_multi-xtables-arp.o: xtables-arp.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-arp.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-arp.Tpo -c -o xtables_nft_multi-xtables-arp.o `test -f 'xtables-arp.c' || echo '$(srcdir)/'`xtables-arp.c 
@@ -1092,47 +1097,33 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-arp.obj `if test -f 'xtables-arp.c'; then $(CYGPATH_W) 'xtables-arp.c'; else $(CYGPATH_W) '$(srcdir)/xtables-arp.c'; fi` -xtables_nft_multi-nft-bridge.o: nft-bridge.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-bridge.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo -c -o xtables_nft_multi-nft-bridge.o `test -f 'nft-bridge.c' || echo '$(srcdir)/'`nft-bridge.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo $(DEPDIR)/xtables_nft_multi-nft-bridge.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-bridge.c' object='xtables_nft_multi-nft-bridge.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-bridge.o `test -f 'nft-bridge.c' || echo '$(srcdir)/'`nft-bridge.c - -xtables_nft_multi-nft-bridge.obj: nft-bridge.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-bridge.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo -c -o xtables_nft_multi-nft-bridge.obj `if test -f 'nft-bridge.c'; then $(CYGPATH_W) 'nft-bridge.c'; else $(CYGPATH_W) '$(srcdir)/nft-bridge.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-bridge.Tpo $(DEPDIR)/xtables_nft_multi-nft-bridge.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='nft-bridge.c' object='xtables_nft_multi-nft-bridge.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-bridge.obj `if test -f 'nft-bridge.c'; then $(CYGPATH_W) 'nft-bridge.c'; else $(CYGPATH_W) '$(srcdir)/nft-bridge.c'; fi` - -xtables_nft_multi-nft-cmd.o: nft-cmd.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cmd.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo -c -o xtables_nft_multi-nft-cmd.o `test -f 'nft-cmd.c' || echo '$(srcdir)/'`nft-cmd.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo $(DEPDIR)/xtables_nft_multi-nft-cmd.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cmd.c' object='xtables_nft_multi-nft-cmd.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-eb.o: xtables-eb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo -c -o xtables_nft_multi-xtables-eb.o `test -f 'xtables-eb.c' || echo '$(srcdir)/'`xtables-eb.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo $(DEPDIR)/xtables_nft_multi-xtables-eb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-eb.c' object='xtables_nft_multi-xtables-eb.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o 
xtables_nft_multi-nft-cmd.o `test -f 'nft-cmd.c' || echo '$(srcdir)/'`nft-cmd.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-eb.o `test -f 'xtables-eb.c' || echo '$(srcdir)/'`xtables-eb.c -xtables_nft_multi-nft-cmd.obj: nft-cmd.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cmd.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo -c -o xtables_nft_multi-nft-cmd.obj `if test -f 'nft-cmd.c'; then $(CYGPATH_W) 'nft-cmd.c'; else $(CYGPATH_W) '$(srcdir)/nft-cmd.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo $(DEPDIR)/xtables_nft_multi-nft-cmd.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cmd.c' object='xtables_nft_multi-nft-cmd.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-eb.obj: xtables-eb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo -c -o xtables_nft_multi-xtables-eb.obj `if test -f 'xtables-eb.c'; then $(CYGPATH_W) 'xtables-eb.c'; else $(CYGPATH_W) '$(srcdir)/xtables-eb.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo $(DEPDIR)/xtables_nft_multi-xtables-eb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-eb.c' object='xtables_nft_multi-xtables-eb.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cmd.obj `if test -f 'nft-cmd.c'; then 
$(CYGPATH_W) 'nft-cmd.c'; else $(CYGPATH_W) '$(srcdir)/nft-cmd.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-eb.obj `if test -f 'xtables-eb.c'; then $(CYGPATH_W) 'xtables-eb.c'; else $(CYGPATH_W) '$(srcdir)/xtables-eb.c'; fi` -xtables_nft_multi-nft-chain.o: nft-chain.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-chain.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo -c -o xtables_nft_multi-nft-chain.o `test -f 'nft-chain.c' || echo '$(srcdir)/'`nft-chain.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo $(DEPDIR)/xtables_nft_multi-nft-chain.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-chain.c' object='xtables_nft_multi-nft-chain.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-standalone.o: xtables-standalone.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-standalone.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo -c -o xtables_nft_multi-xtables-standalone.o `test -f 'xtables-standalone.c' || echo '$(srcdir)/'`xtables-standalone.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-standalone.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-standalone.c' object='xtables_nft_multi-xtables-standalone.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o 
xtables_nft_multi-nft-chain.o `test -f 'nft-chain.c' || echo '$(srcdir)/'`nft-chain.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-standalone.o `test -f 'xtables-standalone.c' || echo '$(srcdir)/'`xtables-standalone.c -xtables_nft_multi-nft-chain.obj: nft-chain.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-chain.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo -c -o xtables_nft_multi-nft-chain.obj `if test -f 'nft-chain.c'; then $(CYGPATH_W) 'nft-chain.c'; else $(CYGPATH_W) '$(srcdir)/nft-chain.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-chain.Tpo $(DEPDIR)/xtables_nft_multi-nft-chain.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-chain.c' object='xtables_nft_multi-nft-chain.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-standalone.obj: xtables-standalone.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-standalone.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo -c -o xtables_nft_multi-xtables-standalone.obj `if test -f 'xtables-standalone.c'; then $(CYGPATH_W) 'xtables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-standalone.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-standalone.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-standalone.c' object='xtables_nft_multi-xtables-standalone.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-chain.obj `if test -f 'nft-chain.c'; then $(CYGPATH_W) 'nft-chain.c'; else $(CYGPATH_W) '$(srcdir)/nft-chain.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-standalone.obj `if test -f 'xtables-standalone.c'; then $(CYGPATH_W) 'xtables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-standalone.c'; fi` xtables_nft_multi-xtables-eb-standalone.o: xtables-eb-standalone.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb-standalone.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Tpo -c -o xtables_nft_multi-xtables-eb-standalone.o `test -f 'xtables-eb-standalone.c' || echo '$(srcdir)/'`xtables-eb-standalone.c 
@@ -1148,19 +1139,19 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-eb-standalone.obj `if test -f 'xtables-eb-standalone.c'; then $(CYGPATH_W) 'xtables-eb-standalone.c'; else $(CYGPATH_W) '$(srcdir)/xtables-eb-standalone.c'; fi` -xtables_nft_multi-xtables-eb.o: xtables-eb.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo -c -o xtables_nft_multi-xtables-eb.o `test -f 'xtables-eb.c' || echo '$(srcdir)/'`xtables-eb.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo $(DEPDIR)/xtables_nft_multi-xtables-eb.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-eb.c' object='xtables_nft_multi-xtables-eb.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-translate.o: xtables-translate.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-translate.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo -c -o xtables_nft_multi-xtables-translate.o `test -f 'xtables-translate.c' || echo '$(srcdir)/'`xtables-translate.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo $(DEPDIR)/xtables_nft_multi-xtables-translate.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-translate.c' object='xtables_nft_multi-xtables-translate.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-eb.o `test -f 'xtables-eb.c' || echo '$(srcdir)/'`xtables-eb.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-translate.o `test -f 'xtables-translate.c' || echo '$(srcdir)/'`xtables-translate.c -xtables_nft_multi-xtables-eb.obj: xtables-eb.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo -c -o xtables_nft_multi-xtables-eb.obj `if test -f 'xtables-eb.c'; then $(CYGPATH_W) 'xtables-eb.c'; else $(CYGPATH_W) '$(srcdir)/xtables-eb.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-eb.Tpo $(DEPDIR)/xtables_nft_multi-xtables-eb.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-eb.c' object='xtables_nft_multi-xtables-eb.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-translate.obj: xtables-translate.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-translate.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo -c -o xtables_nft_multi-xtables-translate.obj `if test -f 'xtables-translate.c'; then $(CYGPATH_W) 'xtables-translate.c'; else $(CYGPATH_W) '$(srcdir)/xtables-translate.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo $(DEPDIR)/xtables_nft_multi-xtables-translate.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-translate.c' object='xtables_nft_multi-xtables-translate.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-eb.obj `if test -f 'xtables-eb.c'; then $(CYGPATH_W) 'xtables-eb.c'; else $(CYGPATH_W) '$(srcdir)/xtables-eb.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-translate.obj `if test -f 'xtables-translate.c'; then $(CYGPATH_W) 'xtables-translate.c'; else $(CYGPATH_W) '$(srcdir)/xtables-translate.c'; fi` xtables_nft_multi-xtables-eb-translate.o: xtables-eb-translate.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb-translate.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Tpo -c -o xtables_nft_multi-xtables-eb-translate.o `test -f 'xtables-eb-translate.c' || echo '$(srcdir)/'`xtables-eb-translate.c 
@@ -1176,43 +1167,43 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-eb-translate.obj `if test -f 'xtables-eb-translate.c'; then $(CYGPATH_W) 'xtables-eb-translate.c'; else $(CYGPATH_W) '$(srcdir)/xtables-eb-translate.c'; fi` -xtables_nft_multi-xtables-translate.o: xtables-translate.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-translate.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo -c -o xtables_nft_multi-xtables-translate.o `test -f 'xtables-translate.c' || echo '$(srcdir)/'`xtables-translate.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo $(DEPDIR)/xtables_nft_multi-xtables-translate.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-translate.c' object='xtables_nft_multi-xtables-translate.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-save.o: xtables-save.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-save.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo -c -o xtables_nft_multi-xtables-save.o `test -f 'xtables-save.c' || echo '$(srcdir)/'`xtables-save.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo $(DEPDIR)/xtables_nft_multi-xtables-save.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-save.c' object='xtables_nft_multi-xtables-save.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-translate.o `test -f 'xtables-translate.c' || echo '$(srcdir)/'`xtables-translate.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-save.o `test -f 'xtables-save.c' || echo '$(srcdir)/'`xtables-save.c -xtables_nft_multi-xtables-translate.obj: xtables-translate.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-translate.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo -c -o xtables_nft_multi-xtables-translate.obj `if test -f 'xtables-translate.c'; then $(CYGPATH_W) 'xtables-translate.c'; else $(CYGPATH_W) '$(srcdir)/xtables-translate.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-translate.Tpo $(DEPDIR)/xtables_nft_multi-xtables-translate.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-translate.c' object='xtables_nft_multi-xtables-translate.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-save.obj: xtables-save.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-save.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo -c -o xtables_nft_multi-xtables-save.obj `if test -f 'xtables-save.c'; then $(CYGPATH_W) 'xtables-save.c'; else $(CYGPATH_W) '$(srcdir)/xtables-save.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo $(DEPDIR)/xtables_nft_multi-xtables-save.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-save.c' object='xtables_nft_multi-xtables-save.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-translate.obj `if test -f 'xtables-translate.c'; then $(CYGPATH_W) 'xtables-translate.c'; else $(CYGPATH_W) '$(srcdir)/xtables-translate.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-save.obj `if test -f 'xtables-save.c'; then $(CYGPATH_W) 'xtables-save.c'; else $(CYGPATH_W) '$(srcdir)/xtables-save.c'; fi` -xtables_nft_multi-xshared.o: xshared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xshared.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xshared.Tpo -c -o xtables_nft_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xshared.Tpo $(DEPDIR)/xtables_nft_multi-xshared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' object='xtables_nft_multi-xshared.o' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-restore.o: xtables-restore.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-restore.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo -c -o xtables_nft_multi-xtables-restore.o `test -f 'xtables-restore.c' || echo '$(srcdir)/'`xtables-restore.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo $(DEPDIR)/xtables_nft_multi-xtables-restore.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-restore.c' object='xtables_nft_multi-xtables-restore.o' libtool=no @AMDEPBACKSLASH@ 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-restore.o `test -f 'xtables-restore.c' || echo '$(srcdir)/'`xtables-restore.c -xtables_nft_multi-xshared.obj: xshared.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xshared.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xshared.Tpo -c -o xtables_nft_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xshared.Tpo $(DEPDIR)/xtables_nft_multi-xshared.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xshared.c' object='xtables_nft_multi-xshared.obj' libtool=no @AMDEPBACKSLASH@ +xtables_nft_multi-xtables-restore.obj: xtables-restore.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-restore.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo -c -o xtables_nft_multi-xtables-restore.obj `if test -f 'xtables-restore.c'; then $(CYGPATH_W) 'xtables-restore.c'; else $(CYGPATH_W) '$(srcdir)/xtables-restore.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-restore.Tpo $(DEPDIR)/xtables_nft_multi-xtables-restore.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-restore.c' object='xtables_nft_multi-xtables-restore.obj' libtool=no 
@AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-restore.obj `if test -f 'xtables-restore.c'; then $(CYGPATH_W) 'xtables-restore.c'; else $(CYGPATH_W) '$(srcdir)/xtables-restore.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -install-man1: $(man_MANS) +install-man1: $(dist_man_MANS) $(man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS) $(man_MANS)'; \ test -n "$(man1dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -1247,15 +1238,15 @@ @$(NORMAL_UNINSTALL) @list=''; test -n "$(man1dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS) $(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.1a-z*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^^10-9a-z*$$,1,;x' \ -e 's,\.0-9a-z*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir) -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) $(man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS) $(man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ 
@@ -1290,11 +1281,32 @@ @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS) $(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8a-z*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^^80-9a-z*$$,8,;x' \ -e 's,\.0-9a-z*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +install-dist_pkgdataDATA: $(dist_pkgdata_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgdatadir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgdatadir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgdatadir)" || exit $$?; \ + done + +uninstall-dist_pkgdataDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pkgdatadir)'; $(am__uninstall_files_from_dir) install-pkgconfigDATA: $(pkgconfig_DATA) @$(NORMAL_INSTALL) @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ 
@@ -1407,12 +1419,13 @@ $(MAKE) $(AM_MAKEFLAGS) check-am all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgconfigdir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(pkgconfigdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -1469,7 +1482,6 @@ -rm -f ./$(DEPDIR)/xtables_nft_multi-nft-shared.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-nft.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xshared.Po - -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po @@ -1497,13 +1509,14 @@ info-am: -install-data-am: install-man install-pkgconfigDATA +install-data-am: install-dist_pkgdataDATA install-man \ + install-pkgconfigDATA install-dvi: install-dvi-am install-dvi-am: -install-exec-am: install-sbinPROGRAMS install-sbinSCRIPTS +install-exec-am: install-dist_sbinSCRIPTS install-sbinPROGRAMS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-exec-hook install-html: install-html-am @@ -1547,7 +1560,6 @@ -rm -f ./$(DEPDIR)/xtables_nft_multi-nft-shared.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-nft.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xshared.Po - -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po -rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po 
@@ -1575,32 +1587,34 @@ ps-am: -uninstall-am: uninstall-man uninstall-pkgconfigDATA \ - uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS +uninstall-am: uninstall-dist_pkgdataDATA uninstall-dist_sbinSCRIPTS \ + uninstall-man uninstall-pkgconfigDATA uninstall-sbinPROGRAMS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) uninstall-hook uninstall-man: uninstall-man1 uninstall-man8 -.MAKE: all check install install-am install-exec-am install-strip \ - uninstall-am +.MAKE: all check install install-am install-exec install-exec-am \ + install-strip uninstall-am .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ clean-generic clean-libtool clean-sbinPROGRAMS cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-exec-hook install-html install-html-am \ - install-info install-info-am install-man install-man1 \ - install-man8 install-pdf install-pdf-am install-pkgconfigDATA \ - install-ps install-ps-am install-sbinPROGRAMS \ - install-sbinSCRIPTS install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am uninstall-hook uninstall-man uninstall-man1 \ - uninstall-man8 uninstall-pkgconfigDATA uninstall-sbinPROGRAMS \ - uninstall-sbinSCRIPTS + install-data-am install-dist_pkgdataDATA \ + install-dist_sbinSCRIPTS install-dvi install-dvi-am \ + install-exec install-exec-am install-exec-hook install-html \ + install-html-am install-info install-info-am install-man \ + install-man1 install-man8 install-pdf install-pdf-am \ + install-pkgconfigDATA install-ps install-ps-am \ + install-sbinPROGRAMS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + 
maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am uninstall-dist_pkgdataDATA \ + uninstall-dist_sbinSCRIPTS uninstall-hook uninstall-man \ + uninstall-man1 uninstall-man8 uninstall-pkgconfigDATA \ + uninstall-sbinPROGRAMS .PRECIOUS: Makefile @@ -1610,9 +1624,12 @@ -e '/@MATCH@/ r ../extensions/matches.man' \ -e '/@TARGET@/ r ../extensions/targets.man' $< >$@; -iptables-translate.8 ip6tables-translate.8 iptables-restore-translate.8 ip6tables-restore-translate.8: +iptables-translate.8 ip6tables-translate.8 iptables-restore-translate.8 ip6tables-restore-translate.8 ebtables-translate.8: ${AM_VERBOSE_GEN} echo '.so man8/xtables-translate.8' >$@ +ip6tables.8 ip6tables-apply.8 ip6tables-restore.8 ip6tables-save.8: + ${AM_VERBOSE_GEN} echo "$@" | sed 's|^ip6|.so man8/ip|' >$@ + # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ebtables-nft.8 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/ebtables-nft.8
@@ -44,12 +44,6 @@ .br .BR "ebtables " -t " table " --init-table .br -.BR "ebtables " -t " table " --atomic-file " file " --atomic-commit -.br -.BR "ebtables " -t " table " --atomic-file " file " --atomic-init -.br -.BR "ebtables " -t " table " --atomic-file " file " --atomic-save -.br .SH DESCRIPTION .B ebtables @@ -149,11 +143,9 @@ Only one command may be used on the command line at a time, except when the commands .BR -L " and " -Z -are combined, the commands +are combined or the commands .BR -N " and " -P -are combined, or when -.B --atomic-file -is used. +are combined. .TP .B "-A, --append" Append a rule to the end of the selected chain. 
@@ -313,41 +305,14 @@ .TP .B "--init-table" Replace the current table data by the initial table data. -.TP -.B "--atomic-init" -Copy the kernel's initial data of the table to the specified -file. This can be used as the first action, after which rules are added -to the file. The file can be specified using the -.B --atomic-file -command or through the -.IR EBTABLES_ATOMIC_FILE " environment variable." -.TP -.B "--atomic-save" -Copy the kernel's current data of the table to the specified -file. This can be used as the first action, after which rules are added -to the file. The file can be specified using the -.B --atomic-file -command or through the -.IR EBTABLES_ATOMIC_FILE " environment variable." -.TP -.B "--atomic-commit" -Replace the kernel table data with the data contained in the specified -file. This is a useful command that allows you to load all your rules of a -certain table into the kernel at once, saving the kernel a lot of precious -time and allowing atomic updates of the tables. The file which contains -the table data is constructed by using either the -.B "--atomic-init" -or the -.B "--atomic-save" -command to generate a starting file. After that, using the -.B "--atomic-file" -command when constructing rules or setting the -.IR EBTABLES_ATOMIC_FILE " environment variable" -allows you to extend the file and build the complete table before -committing it to the kernel. This command can be very useful in boot scripts -to populate the ebtables tables in a fast way. .SS MISCELLANOUS COMMANDS .TP +.B "-v, --verbose" +Verbose mode. +For appending, insertion, deletion and replacement, this causes +detailed information on the rule or rules to be printed. \fB\-v\fP may be +specified multiple times to possibly emit more detailed debug statements. +.TP .B "-V, --version" Show the version of the ebtables userspace program. .TP 
@@ -371,16 +336,6 @@ .BR "TARGET EXTENSIONS" ")" or a user-defined chain name. .TP -.B --atomic-file "\fIfile\fP" -Let the command operate on the specified -.IR file . -The data of the table to -operate on will be extracted from the file and the result of the operation -will be saved back into the file. If specified, this option should come -before the command specification. An alternative that should be preferred, -is setting the -.IR EBTABLES_ATOMIC_FILE " environment variable." -.TP .B -M, --modprobe "\fIprogram\fP" When talking to the kernel, use this .I program @@ -1100,8 +1055,6 @@ .br .SH FILES .I /etc/ethertypes -.SH ENVIRONMENT VARIABLES -.I EBTABLES_ATOMIC_FILE .SH MAILINGLISTS .BR "" "See " http://netfilter.org/mailinglists.html .SH BUGS @@ -1109,7 +1062,12 @@ .B broute table. Also there is no support for .B string -match. And finally, this list is probably not complete. +match. Further, support for atomic-options +.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit ) +has not been implemented, although +.BR ebtables-save " and " ebtables-restore +might replace them entirely given the inherent atomicity of nftables. +Finally, this list is probably not complete. .SH SEE ALSO .BR xtables-nft "(8), " iptables "(8), " ip (8) .PP
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ip6tables-standalone.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/ip6tables-standalone.c
@@ -52,11 +52,8 @@ ip6tables_globals.program_version); exit(1); } - -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions6(); -#endif ret = do_command6(argc, argv, &table, &handle, false); if (ret) {
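Review bot: With the `#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)` guard gone, `init_extensions();` and `init_extensions6();` run in every build configuration, so both symbols must now be defined even when the extensions are built as shared objects; the hunk does not show where they come from, so confirm that a shared-library build links a (possibly empty) definition rather than failing at link time. If that is the arrangement, a one-line comment above the calls would spare the next reader the same question: `/* always linked; no-op when extensions are shared objects */`. The enclosing main() starts and ends outside the hunk.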
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/ip6tables.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/ip6tables.c
@@ -87,149 +87,13 @@ {NULL}, }; -void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); struct xtables_globals ip6tables_globals = { .option_offset = 0, - .program_version = PACKAGE_VERSION, + .program_version = PACKAGE_VERSION " (legacy)", .orig_opts = original_opts, - .exit_err = ip6tables_exit_error, .compat_rev = xtables_compatible_revision, }; -static const unsigned int inverse_for_optionsNUMBER_OF_OPT = -{ -/* -n */ 0, -/* -s */ IP6T_INV_SRCIP, -/* -d */ IP6T_INV_DSTIP, -/* -p */ XT_INV_PROTO, -/* -j */ 0, -/* -v */ 0, -/* -x */ 0, -/* -i */ IP6T_INV_VIA_IN, -/* -o */ IP6T_INV_VIA_OUT, -/*--line*/ 0, -/* -c */ 0, -}; - -#define opts ip6tables_globals.opts -#define prog_name ip6tables_globals.program_name -#define prog_vers ip6tables_globals.program_version - -static void __attribute__((noreturn)) -exit_tryhelp(int status) -{ - if (line != -1) - fprintf(stderr, "Error occurred at line: %d\n", line); - fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", - prog_name, prog_name); - xtables_free_opts(1); - exit(status); -} - -static void -exit_printhelp(const struct xtables_rule_match *matches) -{ - printf("%s v%s\n\n" -"Usage: %s -ACD chain rule-specification options\n" -" %s -I chain rulenum rule-specification options\n" -" %s -R chain rulenum rule-specification options\n" -" %s -D chain rulenum options\n" -" %s -LS chain rulenum options\n" -" %s -FZ chain options\n" -" %s -NX chain\n" -" %s -E old-chain-name new-chain-name\n" -" %s -P chain target options\n" -" %s -h (print this help information)\n\n", - prog_name, prog_vers, prog_name, prog_name, - prog_name, prog_name, prog_name, prog_name, - prog_name, prog_name, prog_name, prog_name); - - printf( -"Commands:\n" -"Either long or short options are allowed.\n" -" --append -A chain Append to chain\n" -" --check -C chain Check for the existence of a rule\n" -" --delete -D chain Delete matching rule from chain\n" -" --delete 
-D chain rulenum\n" -" Delete rule rulenum (1 = first) from chain\n" -" --insert -I chain rulenum\n" -" Insert in chain as rulenum (default 1=first)\n" -" --replace -R chain rulenum\n" -" Replace rule rulenum (1 = first) in chain\n" -" --list -L chain rulenum\n" -" List the rules in a chain or all chains\n" -" --list-rules -S chain rulenum\n" -" Print the rules in a chain or all chains\n" -" --flush -F chain Delete all rules in chain or all chains\n" -" --zero -Z chain rulenum\n" -" Zero counters in chain or all chains\n" -" --new -N chain Create a new user-defined chain\n" -" --delete-chain\n" -" -X chain Delete a user-defined chain\n" -" --policy -P chain target\n" -" Change policy on chain to target\n" -" --rename-chain\n" -" -E old-chain new-chain\n" -" Change chain name, (moving any references)\n" - -"Options:\n" -" --ipv4 -4 Error (line is ignored by ip6tables-restore)\n" -" --ipv6 -6 Nothing (line is ignored by iptables-restore)\n" -"! --protocol -p proto protocol: by number or name, eg. `tcp'\n" -"! --source -s address/mask,...\n" -" source specification\n" -"! --destination -d address/mask,...\n" -" destination specification\n" -"! --in-interface -i input name+\n" -" network interface name (+ for wildcard)\n" -" --jump -j target\n" -" target for rule (may load target extension)\n" -#ifdef IP6T_F_GOTO -" --goto -g chain\n" -" jump to chain with no return\n" -#endif -" --match -m match\n" -" extended match (may load extension)\n" -" --numeric -n numeric output of addresses and ports\n" -"! 
--out-interface -o output name+\n" -" network interface name (+ for wildcard)\n" -" --table -t table table to manipulate (default: `filter')\n" -" --verbose -v verbose mode\n" -" --wait -w seconds maximum wait to acquire xtables lock before give up\n" -" --wait-interval -W usecs wait time to try to acquire xtables lock\n" -" interval to wait for xtables lock\n" -" default is 1 second\n" -" --line-numbers print line numbers when listing\n" -" --exact -x expand numbers (display exact values)\n" -/*"! --fragment -f match second or further fragments only\n"*/ -" --modprobe=<command> try to insert modules using this command\n" -" --set-counters PKTS BYTES set the counter during insert/append\n" -"! --version -V print package version.\n"); - - print_extension_helps(xtables_targets, matches); - exit(0); -} - -void -ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) -{ - va_list args; - - va_start(args, msg); - fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers); - vfprintf(stderr, msg, args); - va_end(args); - fprintf(stderr, "\n"); - if (status == PARAMETER_PROBLEM) - exit_tryhelp(status); - if (status == VERSION_PROBLEM) - fprintf(stderr, - "Perhaps ip6tables or your kernel needs to be upgraded.\n"); - /* On error paths, make sure that we don't leak memory */ - xtables_free_opts(1); - exit(status); -} - /* * All functions starting with "parse" should succeed, otherwise * the program fails. 
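Review bot: Dropping `.exit_err = ip6tables_exit_error` from ip6tables_globals leaves the error handler to whatever libxtables substitutes by default, and that default is not visible here; the removed handler printed `Error occurred at line: %d` when `line != -1`, added the `Perhaps ip6tables or your kernel needs to be upgraded.` hint on VERSION_PROBLEM, and called `xtables_free_opts(1)` on every exit path, so confirm the default still reports the restore-file line and releases the option table. The ` (legacy)` suffix now lives in `.program_version` instead of being printed by the handler, so every consumer of program_version (`-V` output included) gains it; presumably intended, but worth a sentence in the commit message. The remainder of the hunk is code moved out of this file.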
@@ -239,113 +103,6 @@ * return global static data. */ -/* These are invalid numbers as upper layer protocol */ -static int is_exthdr(uint16_t proto) -{ - return (proto == IPPROTO_ROUTING || - proto == IPPROTO_FRAGMENT || - proto == IPPROTO_AH || - proto == IPPROTO_DSTOPTS); -} - -static void -parse_chain(const char *chainname) -{ - const char *ptr; - - if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %u chars)", - chainname, XT_EXTENSION_MAXNAMELEN); - - if (*chainname == '-' || *chainname == '!') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *chainname); - - if (xtables_find_target(chainname, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - - for (ptr = chainname; *ptr; ptr++) - if (isspace(*ptr)) - xtables_error(PARAMETER_PROBLEM, - "Invalid chain name `%s'", chainname); -} - -static void -set_option(unsigned int *options, unsigned int option, uint8_t *invflg, - int invert) -{ - if (*options & option) - xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed", - opt2char(option)); - *options |= option; - - if (invert) { - unsigned int i; - for (i = 0; 1 << i != option; i++); - - if (!inverse_for_optionsi) - xtables_error(PARAMETER_PROBLEM, - "cannot have ! 
before -%c", - opt2char(option)); - *invflg |= inverse_for_optionsi; - } -} - - -static void -print_header(unsigned int format, const char *chain, struct xtc_handle *handle) -{ - struct xt_counters counters; - const char *pol = ip6tc_get_policy(chain, &counters, handle); - printf("Chain %s", chain); - if (pol) { - printf(" (policy %s", pol); - if (!(format & FMT_NOCOUNTS)) { - fputc(' ', stdout); - xtables_print_num(counters.pcnt, (format|FMT_NOTABLE)); - fputs("packets, ", stdout); - xtables_print_num(counters.bcnt, (format|FMT_NOTABLE)); - fputs("bytes", stdout); - } - printf(")\n"); - } else { - unsigned int refs; - if (!ip6tc_get_references(&refs, chain, handle)) - printf(" (ERROR obtaining refs)\n"); - else - printf(" (%u references)\n", refs); - } - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4s ", "%s "), "num"); - if (!(format & FMT_NOCOUNTS)) { - if (format & FMT_KILOMEGAGIGA) { - printf(FMT("%5s ","%s "), "pkts"); - printf(FMT("%5s ","%s "), "bytes"); - } else { - printf(FMT("%8s ","%s "), "pkts"); - printf(FMT("%10s ","%s "), "bytes"); - } - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ","%s "), "target"); - fputs(" prot ", stdout); - if (format & FMT_OPTIONS) - fputs("opt", stdout); - if (format & FMT_VIA) { - printf(FMT(" %-6s ","%s "), "in"); - printf(FMT("%-6s ","%s "), "out"); - } - printf(FMT(" %-19s ","%s "), "source"); - printf(FMT(" %-19s "," %s "), "destination"); - printf("\n"); -} - - static int print_match(const struct xt_entry_match *m, const struct ip6t_ip6 *ip, @@ -365,6 +122,9 @@ printf("%s%s ", match->name, unsupported_rev); else printf("%s ", match->name); + + if (match->next == match) + free(match); } else { if (name0) printf("UNKNOWN match `%s' ", name); 
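Review bot: The added `if (match->next == match) free(match);` in print_match frees `match` on the strength of a self-linked `next` pointer, and nothing in the hunk says what that sentinel means, so a reader will take it for freeing a registered extension. Presumably it marks a clone handed back by `xtables_find_match(name, XTF_TRY_LOAD, NULL)` on the line above; if so, say it on the added line: `/* self-linked next marks a clone from xtables_find_match(); release it */`. print_match starts outside the hunk.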
@@ -392,33 +152,10 @@ t = ip6t_get_target((struct ip6t_entry *)fw); - if (format & FMT_LINENUMBERS) - printf(FMT("%-4u ", "%u "), num); + print_rule_details(num, &fw->counters, targname, fw->ipv6.proto, + fw->ipv6.flags, fw->ipv6.invflags, format); - if (!(format & FMT_NOCOUNTS)) { - xtables_print_num(fw->counters.pcnt, format); - xtables_print_num(fw->counters.bcnt, format); - } - - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ", "%s "), targname); - - fputc(fw->ipv6.invflags & XT_INV_PROTO ? '!' : ' ', stdout); - { - const char *pname = proto_to_name(fw->ipv6.proto, format&FMT_NUMERIC); - if (pname) - printf(FMT("%-5s", "%s "), pname); - else - printf(FMT("%-5hu", "%hu "), fw->ipv6.proto); - } - - if (format & FMT_OPTIONS) { - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputc(' ', stdout); /* Invert flag of FRAG */ - fputc(' ', stdout); /* -f */ - fputc(' ', stdout); - } + print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true); print_ifaces(fw->ipv6.iniface, fw->ipv6.outiface, fw->ipv6.invflags, format); @@ -445,6 +182,9 @@ tg->print(&fw->ipv6, t, format & FMT_NUMERIC); else if (target->print) printf(" %s%s", target->name, unsupported_rev); + + if (target->next == target) + free(target); } else if (t->u.target_size != sizeof(*t)) printf("%u bytes of unknown target data ", (unsigned int)(t->u.target_size - sizeof(*t))); 
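Review bot: `print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true);` passes a bare boolean literal whose meaning has to be looked up in the shared helper; the code it replaces printed only three spacer characters under FMT_OPTIONS because there is no fragment flag to show for IPv6, so presumably `true` selects that layout. A trailing comment makes the call self-explaining: `print_fragment(fw->ipv6.flags, fw->ipv6.invflags, format, true /* IPv6: no -f column */);` — wording to be checked against the parameter name in xshared. The enclosing function starts and ends outside the hunk.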
@@ -543,40 +283,6 @@ return ret; } -static unsigned char * -make_delete_mask(const struct xtables_rule_match *matches, - const struct xtables_target *target) -{ - /* Establish mask for comparison */ - unsigned int size; - const struct xtables_rule_match *matchp; - unsigned char *mask, *mptr; - - size = sizeof(struct ip6t_entry); - for (matchp = matches; matchp; matchp = matchp->next) - size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; - - mask = xtables_calloc(1, size - + XT_ALIGN(sizeof(struct xt_entry_target)) - + target->size); - - memset(mask, 0xFF, sizeof(struct ip6t_entry)); - mptr = mask + sizeof(struct ip6t_entry); - - for (matchp = matches; matchp; matchp = matchp->next) { - memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct xt_entry_match)) - + matchp->match->userspacesize); - mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; - } - - memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct xt_entry_target)) - + target->userspacesize); - - return mask; -} - static int delete_entry(const xt_chainlabel chain, struct ip6t_entry *fw, @@ -595,7 +301,7 @@ int ret = 1; unsigned char *mask; - mask = make_delete_mask(matches, target); + mask = make_delete_mask(matches, target, sizeof(*fw)); for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrsi; fw->ipv6.smsk = smasksi; @@ -625,7 +331,7 @@ int ret = 1; unsigned char *mask; - mask = make_delete_mask(matches, target); + mask = make_delete_mask(matches, target, sizeof(fw)); for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrsi; fw->ipv6.smsk = smasksi; @@ -748,8 +454,18 @@ if (found) printf("\n"); - if (!rulenum) - print_header(format, this, handle); + if (!rulenum) { + struct xt_counters counters; + unsigned int urefs; + const char *pol; + int refs = - 1; + + pol = ip6tc_get_policy(this, &counters, handle); + if (!pol && ip6tc_get_references(&urefs, this, handle)) + refs = urefs; + + print_header(format, this, pol, &counters, refs, 0); + } i = ip6tc_first_rule(this, handle); num = 0; 
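Review bot: `mask = make_delete_mask(matches, target, sizeof(fw));` in this hunk passes the size of the pointer, whereas the parallel call in the hunk just above passes `sizeof(*fw)`; `fw` is dereferenced as `struct ip6t_entry *` two lines later (`fw->ipv6.src = ...`), and the local make_delete_mask() removed in the -543 hunk memset 0xFF over `sizeof(struct ip6t_entry)` bytes, so if the new third argument replaces that constant — the shared helper's body is not shown, so this is inferred — the mask now covers only the first `sizeof(void *)` bytes of the entry and the comparison it drives is silently weakened. Change it to `mask = make_delete_mask(matches, target, sizeof(*fw));` to match the other call site. The enclosing function starts and ends outside the hunk.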
@@ -770,109 +486,6 @@ return found; } -/* This assumes that mask is contiguous, and byte-bounded. */ -static void -print_iface(char letter, const char *iface, const unsigned char *mask, - int invert) -{ - unsigned int i; - - if (mask0 == 0) - return; - - printf("%s -%c ", invert ? " !" : "", letter); - - for (i = 0; i < IFNAMSIZ; i++) { - if (maski != 0) { - if (ifacei != '\0') - printf("%c", ifacei); - } else { - /* we can access ifacei-1 here, because - * a few lines above we make sure that mask0 != 0 */ - if (ifacei-1 != '\0') - printf("+"); - break; - } - } -} - -/* The ip6tables looks up the /etc/protocols. */ -static void print_proto(uint16_t proto, int invert) -{ - if (proto) { - unsigned int i; - const char *invertstr = invert ? " !" : ""; - - const struct protoent *pent = getprotobynumber(proto); - if (pent) { - printf("%s -p %s", - invertstr, pent->p_name); - return; - } - - for (i = 0; xtables_chain_protosi.name != NULL; ++i) - if (xtables_chain_protosi.num == proto) { - printf("%s -p %s", - invertstr, xtables_chain_protosi.name); - return; - } - - printf("%s -p %u", invertstr, proto); - } -} - -static int print_match_save(const struct xt_entry_match *e, - const struct ip6t_ip6 *ip) -{ - const char *name = e->u.user.name; - const int revision = e->u.user.revision; - struct xtables_match *match, *mt, *mt2; - - match = xtables_find_match(name, XTF_TRY_LOAD, NULL); - if (match) { - mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD, - match, revision); - if (!mt2) - mt2 = match; - printf(" -m %s", mt2->alias ? mt2->alias(e) : name); - - /* some matches don't provide a save function */ - if (mt && mt->save) - mt->save(ip, e); - else if (match->save) - printf(unsupported_rev); - } else { - if (e->u.match_size) { - fprintf(stderr, - "Can't find library for match `%s'\n", - name); - exit(1); - } - } - return 0; -} - -/* Print a given ip including mask if necessary. 
*/ -static void print_ip(const char *prefix, const struct in6_addr *ip, - const struct in6_addr *mask, int invert) -{ - char buf51; - int l = xtables_ip6mask_to_cidr(mask); - - if (l == 0 && !invert) - return; - - printf("%s %s %s", - invert ? " !" : "", - prefix, - inet_ntop(AF_INET6, ip, buf, sizeof buf)); - - if (l == -1) - printf("/%s", inet_ntop(AF_INET6, mask, buf, sizeof buf)); - else - printf("/%d", l); -} - /* We want this to be readable, so only print out necessary fields. * Because that's the kind of world I want to live in. */ @@ -890,19 +503,15 @@ printf("-A %s", chain); /* Print IP part. */ - print_ip("-s", &(e->ipv6.src), &(e->ipv6.smsk), - e->ipv6.invflags & IP6T_INV_SRCIP); - - print_ip("-d", &(e->ipv6.dst), &(e->ipv6.dmsk), - e->ipv6.invflags & IP6T_INV_DSTIP); + save_ipv6_addr('s', &e->ipv6.src, &e->ipv6.smsk, + e->ipv6.invflags & IP6T_INV_SRCIP); - print_iface('i', e->ipv6.iniface, e->ipv6.iniface_mask, - e->ipv6.invflags & IP6T_INV_VIA_IN); + save_ipv6_addr('d', &e->ipv6.dst, &e->ipv6.dmsk, + e->ipv6.invflags & IP6T_INV_DSTIP); - print_iface('o', e->ipv6.outiface, e->ipv6.outiface_mask, - e->ipv6.invflags & IP6T_INV_VIA_OUT); - - print_proto(e->ipv6.proto, e->ipv6.invflags & XT_INV_PROTO); + save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask, + e->ipv6.outiface, e->ipv6.outiface_mask, + e->ipv6.proto, 0, e->ipv6.invflags); #if 0 /* not definied in ipv6 @@ -1057,10 +666,23 @@ int do_command6(int argc, char *argv, char **table, struct xtc_handle **handle, bool restore) { + struct xt_cmd_parse_ops cmd_parse_ops = { + .proto_parse = ipv6_proto_parse, + .post_parse = ipv6_post_parse, + }; + struct xt_cmd_parse p = { + .table = *table, + .restore = restore, + .line = line, + .ops = &cmd_parse_ops, + }; struct iptables_command_state cs = { .jumpto = "", .argv = argv, }; + struct xtables_args args = { + .family = AF_INET6, + }; struct ip6t_entry *e = NULL; unsigned int nsaddrs = 0, ndaddrs = 0; struct in6_addr *saddrs = NULL, *daddrs = NULL; 
@@ -1068,452 +690,31 @@ int verbose = 0; int wait = 0; - struct timeval wait_interval = { - .tv_sec = 1, - }; - bool wait_interval_set = false; const char *chain = NULL; - const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; const char *policy = NULL, *newname = NULL; unsigned int rulenum = 0, command = 0; - const char *pcnt = NULL, *bcnt = NULL; int ret = 1; - struct xtables_match *m; - struct xtables_rule_match *matchp; - struct xtables_target *t; - unsigned long long cnt; - bool table_set = false; - - /* re-set optind to 0 in case do_command6 gets called - * a second time */ - optind = 0; - - /* clear mflags in case do_command6 gets called a second time - * (we clear the global list of all matches for security)*/ - for (m = xtables_matches; m; m = m->next) - m->mflags = 0; - - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } - - /* Suppress error messages: we may add new options if we - demand-load a protocol. */ - opterr = 0; - - opts = xt_params->orig_opts; - while ((cs.c = getopt_long(argc, argv, - "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::W::nt:m:xc:g:46", - opts, NULL)) != -1) { - switch (cs.c) { - /* - * Command selection - */ - case 'A': - add_command(&command, CMD_APPEND, CMD_NONE, - cs.invert); - chain = optarg; - break; - - case 'C': - add_command(&command, CMD_CHECK, CMD_NONE, - cs.invert); - chain = optarg; - break; - - case 'D': - add_command(&command, CMD_DELETE, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) { - rulenum = parse_rulenumber(argvoptind++); - command = CMD_DELETE_NUM; - } - break; - - case 'R': - add_command(&command, CMD_REPLACE, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a rule number", - cmd2char(CMD_REPLACE)); - break; - - case 'I': - add_command(&command, CMD_INSERT, CMD_NONE, - cs.invert); - chain = optarg; - if 
(xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - else rulenum = 1; - break; - - case 'L': - add_command(&command, CMD_LIST, - CMD_ZERO | CMD_ZERO_NUM, cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - break; - - case 'S': - add_command(&command, CMD_LIST_RULES, - CMD_ZERO | CMD_ZERO_NUM, cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - break; - - case 'F': - add_command(&command, CMD_FLUSH, CMD_NONE, - cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'Z': - add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES, - cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - if (xs_has_arg(argc, argv)) { - rulenum = parse_rulenumber(argvoptind++); - command = CMD_ZERO_NUM; - } - break; - - case 'N': - parse_chain(optarg); - add_command(&command, CMD_NEW_CHAIN, CMD_NONE, - cs.invert); - chain = optarg; - break; - - case 'X': - add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, - cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'E': - add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - newname = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires old-chain-name and " - "new-chain-name", - cmd2char(CMD_RENAME_CHAIN)); - break; - - case 'P': - add_command(&command, CMD_SET_POLICY, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - policy = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a chain and a policy", - cmd2char(CMD_SET_POLICY)); - break; - - case 'h': - if (!optarg) - optarg = 
argvoptind; - - /* ip6tables -p icmp -h */ - if (!cs.matches && cs.protocol) - xtables_find_match(cs.protocol, XTF_TRY_LOAD, - &cs.matches); - - exit_printhelp(cs.matches); - - /* - * Option selection - */ - case 'p': - set_option(&cs.options, OPT_PROTOCOL, &cs.fw6.ipv6.invflags, - cs.invert); - /* Canonicalize into lower case */ - for (cs.protocol = optarg; *cs.protocol; cs.protocol++) - *cs.protocol = tolower(*cs.protocol); - - cs.protocol = optarg; - cs.fw6.ipv6.proto = xtables_parse_protocol(cs.protocol); - cs.fw6.ipv6.flags |= IP6T_F_PROTO; - - if (cs.fw6.ipv6.proto == 0 - && (cs.fw6.ipv6.invflags & XT_INV_PROTO)) - xtables_error(PARAMETER_PROBLEM, - "rule would never match protocol"); - - if (is_exthdr(cs.fw6.ipv6.proto) - && (cs.fw6.ipv6.invflags & XT_INV_PROTO) == 0) - fprintf(stderr, - "Warning: never matched protocol: %s. " - "use extension match instead.\n", - cs.protocol); - break; - - case 's': - set_option(&cs.options, OPT_SOURCE, &cs.fw6.ipv6.invflags, - cs.invert); - shostnetworkmask = optarg; - break; - - case 'd': - set_option(&cs.options, OPT_DESTINATION, &cs.fw6.ipv6.invflags, - cs.invert); - dhostnetworkmask = optarg; - break; - -#ifdef IP6T_F_GOTO - case 'g': - set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags, - cs.invert); - cs.fw6.ipv6.flags |= IP6T_F_GOTO; - cs.jumpto = xt_parse_target(optarg); - break; -#endif - - case 'j': - set_option(&cs.options, OPT_JUMP, &cs.fw6.ipv6.invflags, - cs.invert); - command_jump(&cs, optarg); - break; - - - case 'i': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); - set_option(&cs.options, OPT_VIANAMEIN, &cs.fw6.ipv6.invflags, - cs.invert); - xtables_parse_interface(optarg, - cs.fw6.ipv6.iniface, - cs.fw6.ipv6.iniface_mask); - break; - - case 'o': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); - set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw6.ipv6.invflags, - cs.invert); - 
xtables_parse_interface(optarg, - cs.fw6.ipv6.outiface, - cs.fw6.ipv6.outiface_mask); - break; - - case 'v': - if (!verbose) - set_option(&cs.options, OPT_VERBOSE, - &cs.fw6.ipv6.invflags, cs.invert); - verbose++; - break; - - case 'w': - if (restore) { - xtables_error(PARAMETER_PROBLEM, - "You cannot use `-w' from " - "ip6tables-restore"); - } - wait = parse_wait_time(argc, argv); - break; - - case 'W': - if (restore) { - xtables_error(PARAMETER_PROBLEM, - "You cannot use `-W' from " - "ip6tables-restore"); - } - parse_wait_interval(argc, argv, &wait_interval); - wait_interval_set = true; - break; - - case 'm': - command_match(&cs); - break; - - case 'n': - set_option(&cs.options, OPT_NUMERIC, &cs.fw6.ipv6.invflags, - cs.invert); - break; - - case 't': - if (cs.invert) - xtables_error(PARAMETER_PROBLEM, - "unexpected ! flag before --table"); - if (restore && table_set) - xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); - *table = optarg; - table_set = true; - break; - - case 'x': - set_option(&cs.options, OPT_EXPANDED, &cs.fw6.ipv6.invflags, - cs.invert); - break; - - case 'V': - if (cs.invert) - printf("Not %s ;-)\n", prog_vers); - else - printf("%s v%s (legacy)\n", - prog_name, prog_vers); - exit(0); - - case '0': - set_option(&cs.options, OPT_LINENUMBERS, &cs.fw6.ipv6.invflags, - cs.invert); - break; - - case 'M': - xtables_modprobe_program = optarg; - break; - - case 'c': - - set_option(&cs.options, OPT_COUNTERS, &cs.fw6.ipv6.invflags, - cs.invert); - pcnt = optarg; - bcnt = strchr(pcnt + 1, ','); - if (bcnt) - bcnt++; - if (!bcnt && xs_has_arg(argc, argv)) - bcnt = argvoptind++; - if (!bcnt) - xtables_error(PARAMETER_PROBLEM, - "-%c requires packet and byte counter", - opt2char(OPT_COUNTERS)); - - if (sscanf(pcnt, "%llu", &cnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c packet counter not numeric", - opt2char(OPT_COUNTERS)); - cs.fw6.counters.pcnt = cnt; - - if (sscanf(bcnt, 
"%llu", &cnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c byte counter not numeric", - opt2char(OPT_COUNTERS)); - cs.fw6.counters.bcnt = cnt; - break; - - case '4': - /* This is not the IPv4 iptables */ - if (line != -1) - return 1; /* success: line ignored */ - fprintf(stderr, "This is the IPv6 version of ip6tables.\n"); - exit_tryhelp(2); - - case '6': - /* This is indeed the IPv6 ip6tables */ - break; - - case 1: /* non option */ - if (optarg0 == '!' && optarg1 == '\0') { - if (cs.invert) - xtables_error(PARAMETER_PROBLEM, - "multiple consecutive ! not" - " allowed"); - cs.invert = true; - optarg0 = '\0'; - continue; - } - fprintf(stderr, "Bad argument `%s'\n", optarg); - exit_tryhelp(2); - - default: - if (command_default(&cs, &ip6tables_globals) == 1) - /* - * If new options were loaded, we must retry - * getopt immediately and not allow - * cs.invert=false to be executed. - */ - continue; - break; - } - cs.invert = false; - } - - if (!wait && wait_interval_set) - xtables_error(PARAMETER_PROBLEM, - "--wait-interval only makes sense with --wait\n"); - - if (strcmp(*table, "nat") == 0 && - ((policy != NULL && strcmp(policy, "DROP") == 0) || - (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0))) - xtables_error(PARAMETER_PROBLEM, - "\nThe \"nat\" table is not intended for filtering, " - "the use of DROP is therefore inhibited.\n\n"); - - for (matchp = cs.matches; matchp; matchp = matchp->next) - xtables_option_mfcall(matchp->match); - if (cs.target != NULL) - xtables_option_tfcall(cs.target); - - /* Fix me: must put inverse options checking here --MN */ - - if (optind < argc) - xtables_error(PARAMETER_PROBLEM, - "unknown arguments found on commandline"); - if (!command) - xtables_error(PARAMETER_PROBLEM, "no command specified"); - if (cs.invert) - xtables_error(PARAMETER_PROBLEM, - "nothing appropriate following !"); - - if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND | CMD_CHECK)) { - if (!(cs.options & OPT_DESTINATION)) - 
dhostnetworkmask = "::0/0"; - if (!(cs.options & OPT_SOURCE)) - shostnetworkmask = "::0/0"; - } - - if (shostnetworkmask) - xtables_ip6parse_multiple(shostnetworkmask, &saddrs, - &smasks, &nsaddrs); - - if (dhostnetworkmask) - xtables_ip6parse_multiple(dhostnetworkmask, &daddrs, - &dmasks, &ndaddrs); - - if ((nsaddrs > 1 || ndaddrs > 1) && - (cs.fw6.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple" - " source or destination IP addresses"); - - if (command == CMD_REPLACE && (nsaddrs != 1 || ndaddrs != 1)) - xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " - "specify a unique address"); - - generic_opt_check(command, cs.options); + do_parse(argc, argv, &p, &cs, &args); + + command = p.command; + chain = p.chain; + *table = p.table; + rulenum = p.rulenum; + policy = p.policy; + newname = p.newname; + verbose = p.verbose; + wait = args.wait; + nsaddrs = args.s.naddrs; + ndaddrs = args.d.naddrs; + saddrs = args.s.addr.v6; + daddrs = args.d.addr.v6; + smasks = args.s.mask.v6; + dmasks = args.d.mask.v6; /* Attempt to acquire the xtables lock */ if (!restore) - xtables_lock_or_exit(wait, &wait_interval); + xtables_lock_or_exit(wait); /* only allocate handle if we weren't called with a handle */ if (!*handle) 
@@ -1533,26 +734,6 @@ || command == CMD_CHECK || command == CMD_INSERT || command == CMD_REPLACE) { - if (strcmp(chain, "PREROUTING") == 0 - || strcmp(chain, "INPUT") == 0) { - /* -o not valid with incoming packets. */ - if (cs.options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEOUT), - chain); - } - - if (strcmp(chain, "POSTROUTING") == 0 - || strcmp(chain, "OUTPUT") == 0) { - /* -i not valid with outgoing packets */ - if (cs.options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEIN), - chain); - } - if (cs.target && ip6tc_is_chain(cs.jumpto, *handle)) { fprintf(stderr, "Warning: using chain %s, not extension\n", @@ -1591,13 +772,12 @@ #ifdef IP6T_F_GOTO if (cs.fw6.ipv6.flags & IP6T_F_GOTO) xtables_error(PARAMETER_PROBLEM, - "goto '%s' is not a chain\n", - cs.jumpto); + "goto '%s' is not a chain", + cs.jumpto); #endif xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED); } else { e = generate_entry(&cs.fw6, cs.matches, cs.target->t); - free(cs.target->t); } } @@ -1688,15 +868,18 @@ case CMD_SET_POLICY: ret = ip6tc_set_policy(chain, policy, cs.options&OPT_COUNTERS ? &cs.fw6.counters : NULL, *handle); break; + case CMD_NONE: + /* do_parse ignored the line (eg: -4 with ip6tables-restore) */ + break; default: /* We should never reach this... */ - exit_tryhelp(2); + exit_tryhelp(2, line); } if (verbose > 1) dump_entries6(*handle); - xtables_rule_matches_free(&cs.matches); + xtables_clear_iptables_command_state(&cs); if (e != NULL) { free(e);
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables-apply -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables-apply
Changed
@@ -231,7 +231,6 @@ "$RUNCMD" & CMD_PID=$! ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) & - CMDTIMEOUT_PID=$! if ! wait "$CMD_PID"; then echo "failed." echo "Error: unknown error running command: $RUNCMD" >&2
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables-restore.8.in -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables-restore.8.in
Changed
@@ -54,6 +54,7 @@ .TP \fB\-v\fP, \fB\-\-verbose\fP Print additional debug info during ruleset processing. +Specify multiple times to increase debug level. .TP \fB\-V\fP, \fB\-\-version\fP Print the program version number. @@ -66,13 +67,6 @@ make the program wait (indefinitely or for optional \fIseconds\fP) until the exclusive lock can be obtained. .TP -\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP -Interval to wait per each iteration. -When running latency sensitive applications, waiting for the xtables lock -for extended durations may not be acceptable. This option will make each -iteration take the amount of time specified. The default interval is -1 second. This option only works with \fB\-w\fP. -.TP \fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP Specify the path to the modprobe program. By default, iptables-restore will inspect /proc/sys/kernel/modprobe to determine the executable's path.
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables-restore.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables-restore.c
Changed
@@ -22,10 +22,6 @@ static int counters, verbose, noflush, wait; -static struct timeval wait_interval = { - .tv_sec = 1, -}; - /* Keeping track of external matches and targets. */ static const struct option options = { {.name = "counters", .has_arg = 0, .val = 'c'}, @@ -51,7 +47,6 @@ " --help \n" " --noflush \n" " --wait=<seconds>\n" - " --wait-interval=<usecs>\n" " --table=<TABLE> \n" " --modprobe=<command> \n", name); } @@ -83,8 +78,9 @@ } if (!handle) - xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " - "table '%s'\n", xt_params->program_name, tablename); + xtables_error(PARAMETER_PROBLEM, + "%s: unable to initialize table '%s'", + xt_params->program_name, tablename); return handle; } @@ -101,6 +97,7 @@ FILE *in; int in_table = 0, testing = 0; const char *tablename = NULL; + bool wait_interval_set = false; line = 0; lock = XT_LOCK_NOT_ACQUIRED; @@ -114,10 +111,10 @@ counters = 1; break; case 'v': - verbose = 1; + verbose++; break; case 'V': - printf("%s v%s (legacy)\n", + printf("%s v%s\n", xt_params->program_name, xt_params->program_version); exit(0); @@ -135,7 +132,8 @@ wait = parse_wait_time(argc, argv); break; case 'W': - parse_wait_interval(argc, argv, &wait_interval); + parse_wait_interval(argc, argv); + wait_interval_set = true; break; case 'M': xtables_modprobe_program = optarg; @@ -165,7 +163,7 @@ } else in = stdin; - if (!wait_interval.tv_sec && !wait) { + if (wait_interval_set && !wait) { fprintf(stderr, "Option --wait-interval requires option --wait\n"); exit(1); } @@ -187,12 +185,12 @@ if (!testing) { DEBUGP("Calling commit\n"); ret = cb->ops->commit(handle); - cb->ops->free(handle); - handle = NULL; } else { DEBUGP("Not calling commit, testing\n"); ret = 1; } + cb->ops->free(handle); + handle = NULL; /* Done with the current table, release the lock. */ if (lock >= 0) { 
@@ -203,7 +201,7 @@ in_table = 0; } else if ((buffer0 == '*') && (!in_table)) { /* Acquire a lock before we create a new table handle */ - lock = xtables_lock_or_exit(wait, &wait_interval); + lock = xtables_lock_or_exit(wait); /* New table */ char *table; @@ -212,8 +210,8 @@ DEBUGP("line %u, table '%s'\n", line, table); if (!table) xtables_error(PARAMETER_PROBLEM, - "%s: line %u table name invalid\n", - xt_params->program_name, line); + "%s: line %u table name invalid", + xt_params->program_name, line); strncpy(curtable, table, XT_TABLE_MAXNAMELEN); curtableXT_TABLE_MAXNAMELEN = '\0'; @@ -252,8 +250,8 @@ DEBUGP("line %u, chain '%s'\n", line, chain); if (!chain) xtables_error(PARAMETER_PROBLEM, - "%s: line %u chain name invalid\n", - xt_params->program_name, line); + "%s: line %u chain name invalid", + xt_params->program_name, line); if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) xtables_error(PARAMETER_PROBLEM, @@ -266,16 +264,14 @@ DEBUGP("Flushing existing user defined chain '%s'\n", chain); if (!cb->ops->flush_entries(chain, handle)) xtables_error(PARAMETER_PROBLEM, - "error flushing chain " - "'%s':%s\n", chain, - strerror(errno)); + "error flushing chain '%s':%s", + chain, strerror(errno)); } else { DEBUGP("Creating new chain '%s'\n", chain); if (!cb->ops->create_chain(chain, handle)) xtables_error(PARAMETER_PROBLEM, - "error creating chain " - "'%s':%s\n", chain, - strerror(errno)); + "error creating chain '%s':%s", + chain, strerror(errno)); } } @@ -283,8 +279,8 @@ DEBUGP("line %u, policy '%s'\n", line, policy); if (!policy) xtables_error(PARAMETER_PROBLEM, - "%s: line %u policy invalid\n", - xt_params->program_name, line); + "%s: line %u policy invalid", + xt_params->program_name, line); if (strcmp(policy, "-") != 0) { struct xt_counters count = {}; 
@@ -295,8 +291,8 @@ if (!ctrs || !parse_counters(ctrs, &count)) xtables_error(PARAMETER_PROBLEM, - "invalid policy counters " - "for chain '%s'\n", chain); + "invalid policy counters for chain '%s'", + chain); } DEBUGP("Setting policy of chain %s to %s\n", @@ -305,23 +301,27 @@ if (!cb->ops->set_policy(chain, policy, &count, handle)) xtables_error(OTHER_PROBLEM, - "Can't set policy `%s'" - " on `%s' line %u: %s\n", - policy, chain, line, - cb->ops->strerror(errno)); + "Can't set policy `%s' on `%s' line %u: %s", + policy, chain, line, + cb->ops->strerror(errno)); } + xtables_announce_chain(chain); ret = 1; } else if (in_table) { char *pcnt = NULL; char *bcnt = NULL; char *parsestart = buffer; + int i; add_argv(&av_store, argv0, 0); add_argv(&av_store, "-t", 0); add_argv(&av_store, curtable, 0); + for (i = 0; !noflush && i < verbose; i++) + add_argv(&av_store, "-v", 0); + tokenize_rule_counters(&parsestart, &pcnt, &bcnt, line); if (counters && pcnt && bcnt) { add_argv(&av_store, "--set-counters", 0); @@ -382,10 +382,8 @@ iptables_globals.program_version); exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions4(); -#endif ret = ip46tables_restore_main(&ipt_restore_cb, argc, argv); @@ -416,10 +414,8 @@ ip6tables_globals.program_version); exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions6(); -#endif ret = ip46tables_restore_main(&ip6t_restore_cb, argc, argv);
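Review bot: The new verbosity forwarding loop `for (i = 0; !noflush && i < verbose; i++) add_argv(&av_store, "-v", 0);` in the `in_table` branch gates on `!noflush` without saying why, so a reader cannot tell whether dropping `-v` under `--noflush` is deliberate; a one-line comment such as `/* forward -v to each rule command (not under --noflush: <reason>) */` with the reason filled in by the author would settle that. Separately, `-W` is still accepted and now only sets `wait_interval_set`, while `xtables_lock_or_exit(wait)` no longer takes an interval and the man-page hunk removes the option, so a comment at the `case 'W':` stating that `--wait-interval` is kept for compatibility only (if that is the intent) would help the next maintainer. The enclosing `ip46tables_restore_main` starts and ends outside these hunks.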
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables-save.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables-save.c
Changed
@@ -61,8 +61,7 @@ while (fgets(tablename, sizeof(tablename), procfile)) { if (tablenamestrlen(tablename) - 1 != '\n') xtables_error(OTHER_PROBLEM, - "Badly formed tablename `%s'\n", - tablename); + "Badly formed tablename `%s'", tablename); tablenamestrlen(tablename) - 1 = '\0'; ret &= func(cb, tablename); } @@ -85,7 +84,7 @@ h = cb->ops->init(tablename); } if (!h) - xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n", + xtables_error(OTHER_PROBLEM, "Cannot initialize: %s", cb->ops->strerror(errno)); time_t now = time(NULL); @@ -173,7 +172,7 @@ do_output(cb, tablename); exit(0); case 'V': - printf("%s v%s (legacy)\n", + printf("%s v%s\n", xt_params->program_name, xt_params->program_version); exit(0); @@ -227,10 +226,8 @@ iptables_globals.program_version); exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions4(); -#endif ret = do_iptables_save(&ipt_save_cb, argc, argv); @@ -273,10 +270,8 @@ ip6tables_globals.program_version); exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions6(); -#endif ret = do_iptables_save(&ip6t_save_cb, argc, argv);
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables-standalone.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables-standalone.c
Changed
@@ -53,10 +53,8 @@ iptables_globals.program_version); exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions4(); -#endif ret = do_command4(argc, argv, &table, &handle, false); if (ret) {
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables-xml.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables-xml.c
Changed
@@ -210,11 +210,11 @@ { if (nextChain >= maxChains) xtables_error(PARAMETER_PROBLEM, - "%s: line %u chain name invalid\n", - prog_name, line); + "%s: line %u chain name invalid", + prog_name, line); - chainsnextChain.chain = strdup(chain); - chainsnextChain.policy = strdup(policy); + chainsnextChain.chain = xtables_strdup(chain); + chainsnextChain.policy = xtables_strdup(policy); chainsnextChain.count = *ctr; chainsnextChain.created = 0; nextChain++; @@ -225,13 +225,13 @@ { int c; - for (c = 0; c < nextChain; c++) - if (!chainsc.created) { + for (c = 0; c < nextChain; c++) { + if (!chainsc.created) openChain(chainsc.chain, chainsc.policy, &(chainsc.count), '/'); - free(chainsc.chain); - free(chainsc.policy); - } + free(chainsc.chain); + free(chainsc.policy); + } nextChain = 0; } @@ -610,8 +610,8 @@ DEBUGP("line %u, table '%s'\n", line, table); if (!table) xtables_error(PARAMETER_PROBLEM, - "%s: line %u table name invalid\n", - prog_name, line); + "%s: line %u table name invalid", + prog_name, line); openTable(table); @@ -626,8 +626,8 @@ DEBUGP("line %u, chain '%s'\n", line, chain); if (!chain) xtables_error(PARAMETER_PROBLEM, - "%s: line %u chain name invalid\n", - prog_name, line); + "%s: line %u chain name invalid", + prog_name, line); DEBUGP("Creating new chain '%s'\n", chain); @@ -635,8 +635,8 @@ DEBUGP("line %u, policy '%s'\n", line, policy); if (!policy) xtables_error(PARAMETER_PROBLEM, - "%s: line %u policy invalid\n", - prog_name, line); + "%s: line %u policy invalid", + prog_name, line); ctrs = strtok(NULL, " \t\n"); parse_counters(ctrs, &count);
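Review bot: The rewritten error string in the first hunk still says `"%s: line %u chain name invalid"` although the condition it reports is `nextChain >= maxChains`, i.e. the chain table is full rather than the name being bad; since the commit already edits that line it should say what actually failed, e.g. `"%s: line %u too many chains"`. In the `closeChain` hunk the loop now frees `chains[c].chain` and `chains[c].policy` for every entry instead of only the ones that were not yet created, which removes the old leak; a short comment on the loop, `/* free names of all chains, whether or not they were opened here */`, would make that intent explicit so it is not "fixed" back. Both enclosing functions extend beyond the hunks.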
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables.8.in -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables.8.in
Changed
@@ -25,10 +25,10 @@ .SH NAME iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT .SH SYNOPSIS -\fBiptables\fP \fB\-t\fP \fItable\fP {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP} +\fBiptables\fP \fB\-t\fP \fItable\fP {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP|\fB-V\fP} \fIchain\fP \fIrule-specification\fP .P -\fBip6tables\fP \fB\-t\fP \fItable\fP {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP} +\fBip6tables\fP \fB\-t\fP \fItable\fP {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP|\fB-V\fP} \fIchain rule-specification\fP .PP \fBiptables\fP \fB\-t\fP \fItable\fP \fB\-I\fP \fIchain\fP \fIrulenum\fP \fIrule-specification\fP @@ -220,11 +220,11 @@ target of that name already. .TP \fB\-X\fP, \fB\-\-delete\-chain\fP \fIchain\fP -Delete the optional user-defined chain specified. There must be no references +Delete the chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain -any rules. If no argument is given, it will attempt to delete every -non-builtin chain in the table. +any rules. If no argument is given, it will delete all empty chains in the +table. Empty builtin chains can only be deleted with \fBiptables-nft\fP. .TP \fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP Set the policy for the built-in (non-user-defined) chain to the given target. 
@@ -360,7 +360,14 @@ the \fB\-x\fP flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed. \fB\-v\fP may be -specified multiple times to possibly emit more detailed debug statements. +specified multiple times to possibly emit more detailed debug statements: +Specified twice, \fBiptables-legacy\fP will dump table info and entries in +libiptc, \fBiptables-nft\fP dumps rules in netlink (VM code) presentation. +Specified three times, \fBiptables-nft\fP will also dump any netlink messages +sent to kernel. +.TP +\fB\-V\fP, \fB\-\-version\fP +Show program version and the kernel API used. .TP \fB\-w\fP, \fB\-\-wait\fP \fIseconds\fP Wait for the xtables lock. @@ -370,13 +377,6 @@ make the program wait (indefinitely or for optional \fIseconds\fP) until the exclusive lock can be obtained. .TP -\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP -Interval to wait per each iteration. -When running latency sensitive applications, waiting for the xtables lock -for extended durations may not be acceptable. This option will make each -iteration take the amount of time specified. The default interval is -1 second. This option only works with \fB\-w\fP. -.TP \fB\-n\fP, \fB\-\-numeric\fP Numeric output. IP addresses and port numbers will be printed in numeric format. @@ -417,6 +417,11 @@ .SH BUGS Bugs? What's this? ;-) Well, you might want to have a look at http://bugzilla.netfilter.org/ +\fBiptables\fP will exit immediately with an error code of 111 if it finds +that it was called as a setuid-to-root program. +iptables cannot be used safely in this manner because it trusts +the shared libraries (matches, targets) loaded at run time, the search +path can be set using environment variables. .SH COMPATIBILITY WITH IPCHAINS This \fBiptables\fP is very similar to ipchains by Rusty Russell. The main difference is
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/iptables.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/iptables.c
Changed
@@ -84,150 +84,13 @@ {NULL}, }; -void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); - struct xtables_globals iptables_globals = { .option_offset = 0, - .program_version = PACKAGE_VERSION, + .program_version = PACKAGE_VERSION " (legacy)", .orig_opts = original_opts, - .exit_err = iptables_exit_error, .compat_rev = xtables_compatible_revision, }; -static const int inverse_for_optionsNUMBER_OF_OPT = -{ -/* -n */ 0, -/* -s */ IPT_INV_SRCIP, -/* -d */ IPT_INV_DSTIP, -/* -p */ XT_INV_PROTO, -/* -j */ 0, -/* -v */ 0, -/* -x */ 0, -/* -i */ IPT_INV_VIA_IN, -/* -o */ IPT_INV_VIA_OUT, -/*--line*/ 0, -/* -c */ 0, -/* -f */ IPT_INV_FRAG, -}; - -#define opts iptables_globals.opts -#define prog_name iptables_globals.program_name -#define prog_vers iptables_globals.program_version - -static void __attribute__((noreturn)) -exit_tryhelp(int status) -{ - if (line != -1) - fprintf(stderr, "Error occurred at line: %d\n", line); - fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", - prog_name, prog_name); - xtables_free_opts(1); - exit(status); -} - -static void -exit_printhelp(const struct xtables_rule_match *matches) -{ - printf("%s v%s\n\n" -"Usage: %s -ACD chain rule-specification options\n" -" %s -I chain rulenum rule-specification options\n" -" %s -R chain rulenum rule-specification options\n" -" %s -D chain rulenum options\n" -" %s -LS chain rulenum options\n" -" %s -FZ chain options\n" -" %s -NX chain\n" -" %s -E old-chain-name new-chain-name\n" -" %s -P chain target options\n" -" %s -h (print this help information)\n\n", - prog_name, prog_vers, prog_name, prog_name, - prog_name, prog_name, prog_name, prog_name, - prog_name, prog_name, prog_name, prog_name); - - printf( -"Commands:\n" -"Either long or short options are allowed.\n" -" --append -A chain Append to chain\n" -" --check -C chain Check for the existence of a rule\n" -" --delete -D chain Delete matching rule from chain\n" -" 
--delete -D chain rulenum\n" -" Delete rule rulenum (1 = first) from chain\n" -" --insert -I chain rulenum\n" -" Insert in chain as rulenum (default 1=first)\n" -" --replace -R chain rulenum\n" -" Replace rule rulenum (1 = first) in chain\n" -" --list -L chain rulenum\n" -" List the rules in a chain or all chains\n" -" --list-rules -S chain rulenum\n" -" Print the rules in a chain or all chains\n" -" --flush -F chain Delete all rules in chain or all chains\n" -" --zero -Z chain rulenum\n" -" Zero counters in chain or all chains\n" -" --new -N chain Create a new user-defined chain\n" -" --delete-chain\n" -" -X chain Delete a user-defined chain\n" -" --policy -P chain target\n" -" Change policy on chain to target\n" -" --rename-chain\n" -" -E old-chain new-chain\n" -" Change chain name, (moving any references)\n" - -"Options:\n" -" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n" -" --ipv6 -6 Error (line is ignored by iptables-restore)\n" -"! --protocol -p proto protocol: by number or name, eg. `tcp'\n" -"! --source -s address/mask...\n" -" source specification\n" -"! --destination -d address/mask...\n" -" destination specification\n" -"! --in-interface -i input name+\n" -" network interface name (+ for wildcard)\n" -" --jump -j target\n" -" target for rule (may load target extension)\n" -#ifdef IPT_F_GOTO -" --goto -g chain\n" -" jump to chain with no return\n" -#endif -" --match -m match\n" -" extended match (may load extension)\n" -" --numeric -n numeric output of addresses and ports\n" -"! --out-interface -o output name+\n" -" network interface name (+ for wildcard)\n" -" --table -t table table to manipulate (default: `filter')\n" -" --verbose -v verbose mode\n" -" --wait -w seconds maximum wait to acquire xtables lock before give up\n" -" --wait-interval -W usecs wait time to try to acquire xtables lock\n" -" default is 1 second\n" -" --line-numbers print line numbers when listing\n" -" --exact -x expand numbers (display exact values)\n" -"! 
--fragment -f match second or further fragments only\n" -" --modprobe=<command> try to insert modules using this command\n" -" --set-counters PKTS BYTES set the counter during insert/append\n" -"! --version -V print package version.\n"); - - print_extension_helps(xtables_targets, matches); - exit(0); -} - -void -iptables_exit_error(enum xtables_exittype status, const char *msg, ...) -{ - va_list args; - - va_start(args, msg); - fprintf(stderr, "%s v%s (legacy): ", prog_name, prog_vers); - vfprintf(stderr, msg, args); - va_end(args); - fprintf(stderr, "\n"); - if (status == PARAMETER_PROBLEM) - exit_tryhelp(status); - if (status == VERSION_PROBLEM) - fprintf(stderr, - "Perhaps iptables or your kernel needs to be upgraded.\n"); - /* On error paths, make sure that we don't leak memory */ - xtables_free_opts(1); - exit(status); -} - /* * All functions starting with "parse" should succeed, otherwise * the program fails. 
@@ -239,102 +102,6 @@ /* Christophe Burki wants `-p 6' to imply `-m tcp'. */ -static void -parse_chain(const char *chainname) -{ - const char *ptr; - - if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %u chars)", - chainname, XT_EXTENSION_MAXNAMELEN); - - if (*chainname == '-' || *chainname == '!') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *chainname); - - if (xtables_find_target(chainname, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - - for (ptr = chainname; *ptr; ptr++) - if (isspace(*ptr)) - xtables_error(PARAMETER_PROBLEM, - "Invalid chain name `%s'", chainname); -} - -static void -set_option(unsigned int *options, unsigned int option, uint8_t *invflg, - int invert) -{ - if (*options & option) - xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed", - opt2char(option)); - *options |= option; - - if (invert) { - unsigned int i; - for (i = 0; 1 << i != option; i++); - - if (!inverse_for_optionsi) - xtables_error(PARAMETER_PROBLEM, - "cannot have ! 
before -%c", - opt2char(option)); - *invflg |= inverse_for_optionsi; - } -} - -static void -print_header(unsigned int format, const char *chain, struct xtc_handle *handle) -{ - struct xt_counters counters; - const char *pol = iptc_get_policy(chain, &counters, handle); - printf("Chain %s", chain); - if (pol) { - printf(" (policy %s", pol); - if (!(format & FMT_NOCOUNTS)) { - fputc(' ', stdout); - xtables_print_num(counters.pcnt, (format|FMT_NOTABLE)); - fputs("packets, ", stdout); - xtables_print_num(counters.bcnt, (format|FMT_NOTABLE)); - fputs("bytes", stdout); - } - printf(")\n"); - } else { - unsigned int refs; - if (!iptc_get_references(&refs, chain, handle)) - printf(" (ERROR obtaining refs)\n"); - else - printf(" (%u references)\n", refs); - } - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4s ", "%s "), "num"); - if (!(format & FMT_NOCOUNTS)) { - if (format & FMT_KILOMEGAGIGA) { - printf(FMT("%5s ","%s "), "pkts"); - printf(FMT("%5s ","%s "), "bytes"); - } else { - printf(FMT("%8s ","%s "), "pkts"); - printf(FMT("%10s ","%s "), "bytes"); - } - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ","%s "), "target"); - fputs(" prot ", stdout); - if (format & FMT_OPTIONS) - fputs("opt", stdout); - if (format & FMT_VIA) { - printf(FMT(" %-6s ","%s "), "in"); - printf(FMT("%-6s ","%s "), "out"); - } - printf(FMT(" %-19s ","%s "), "source"); - printf(FMT(" %-19s "," %s "), "destination"); - printf("\n"); -} - static int print_match(const struct xt_entry_match *m, @@ -355,6 +122,9 @@ printf("%s%s ", match->name, unsupported_rev); else printf("%s ", match->name); + + if (match->next == match) + free(match); } else { if (name0) printf("UNKNOWN match `%s' ", name); @@ -373,7 +143,6 @@ { struct xtables_target *target, *tg; const struct xt_entry_target *t; - uint8_t flags; if (!iptc_is_chain(targname, handle)) target = xtables_find_target(targname, XTF_TRY_LOAD); 
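Review bot: The added `if (match->next == match) free(match);` at the end of print_match's found-match branch encodes an ownership rule — a match whose `next` points at itself is a private clone that this function must release — and nothing in the hunk says so. Put `/* next == self marks a per-lookup clone; it is ours to free */` above the check so the next reader does not mistake it for a corrupted list. The free also has to stay the last use of `match` in that branch; any later access, or a second release of the same clone on an error path, would be a use-after-free or double free. print_match's signature and the lookup that produces `match` lie outside the hunk.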
@@ -382,35 +151,11 @@ XTF_LOAD_MUST_SUCCEED); t = ipt_get_target((struct ipt_entry *)fw); - flags = fw->ip.flags; - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4u ", "%u "), num); - if (!(format & FMT_NOCOUNTS)) { - xtables_print_num(fw->counters.pcnt, format); - xtables_print_num(fw->counters.bcnt, format); - } - - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ", "%s "), targname); - - fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout); - { - const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC); - if (pname) - printf(FMT("%-5s", "%s "), pname); - else - printf(FMT("%-5hu", "%hu "), fw->ip.proto); - } + print_rule_details(num, &fw->counters, targname, fw->ip.proto, + fw->ip.flags, fw->ip.invflags, format); - if (format & FMT_OPTIONS) { - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputc(fw->ip.invflags & IPT_INV_FRAG ? '!' : '-', stdout); - fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); - fputc(' ', stdout); - } + print_fragment(fw->ip.flags, fw->ip.invflags, format, false); print_ifaces(fw->ip.iniface, fw->ip.outiface, fw->ip.invflags, format); @@ -436,6 +181,9 @@ tg->print(&fw->ip, t, format & FMT_NUMERIC); else if (target->print) printf(" %s%s", target->name, unsupported_rev); + + if (target->next == target) + free(target); } else if (t->u.target_size != sizeof(*t)) printf("%u bytes of unknown target data ", (unsigned int)(t->u.target_size - sizeof(*t))); 
@@ -534,40 +282,6 @@ return ret; } -static unsigned char * -make_delete_mask(const struct xtables_rule_match *matches, - const struct xtables_target *target) -{ - /* Establish mask for comparison */ - unsigned int size; - const struct xtables_rule_match *matchp; - unsigned char *mask, *mptr; - - size = sizeof(struct ipt_entry); - for (matchp = matches; matchp; matchp = matchp->next) - size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; - - mask = xtables_calloc(1, size - + XT_ALIGN(sizeof(struct xt_entry_target)) - + target->size); - - memset(mask, 0xFF, sizeof(struct ipt_entry)); - mptr = mask + sizeof(struct ipt_entry); - - for (matchp = matches; matchp; matchp = matchp->next) { - memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct xt_entry_match)) - + matchp->match->userspacesize); - mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; - } - - memset(mptr, 0xFF, - XT_ALIGN(sizeof(struct xt_entry_target)) - + target->userspacesize); - - return mask; -} - static int delete_entry(const xt_chainlabel chain, struct ipt_entry *fw, @@ -586,7 +300,7 @@ int ret = 1; unsigned char *mask; - mask = make_delete_mask(matches, target); + mask = make_delete_mask(matches, target, sizeof(*fw)); for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrsi.s_addr; fw->ip.smsk.s_addr = smasksi.s_addr; @@ -616,7 +330,7 @@ int ret = 1; unsigned char *mask; - mask = make_delete_mask(matches, target); + mask = make_delete_mask(matches, target, sizeof(*fw)); for (i = 0; i < nsaddrs; i++) { fw->ip.src.s_addr = saddrsi.s_addr; fw->ip.smsk.s_addr = smasksi.s_addr; 
@@ -739,8 +453,18 @@ if (found) printf("\n"); - if (!rulenum) - print_header(format, this, handle); + if (!rulenum) { + struct xt_counters counters; + unsigned int urefs; + const char *pol; + int refs = -1; + + pol = iptc_get_policy(this, &counters, handle); + if (!pol && iptc_get_references(&urefs, this, handle)) + refs = urefs; + + print_header(format, this, pol, &counters, refs, 0); + } i = iptc_first_rule(this, handle); num = 0; @@ -761,29 +485,6 @@ return found; } -static void print_proto(uint16_t proto, int invert) -{ - if (proto) { - unsigned int i; - const char *invertstr = invert ? " !" : ""; - - const struct protoent *pent = getprotobynumber(proto); - if (pent) { - printf("%s -p %s", invertstr, pent->p_name); - return; - } - - for (i = 0; xtables_chain_protosi.name != NULL; ++i) - if (xtables_chain_protosi.num == proto) { - printf("%s -p %s", - invertstr, xtables_chain_protosi.name); - return; - } - - printf("%s -p %u", invertstr, proto); - } -} - #define IP_PARTS_NATIVE(n) \ (unsigned int)((n)>>24)&0xFF, \ (unsigned int)((n)>>16)&0xFF, \ 
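Review bot: In the new `if (!rulenum)` block of the listing loop, `counters` is passed to print_header() uninitialised whenever iptc_get_policy() returns NULL (a user-defined chain); the old print_header only read the counters under `if (pol)`, and whether the shared replacement keeps that guard is not visible here. Zero-initialise it so the call is safe either way: `struct xt_counters counters = {};`. Separately, `refs = urefs` narrows an unsigned count into an `int`, and `-1` now doubles as the "iptc_get_references() failed" sentinel that used to print `(ERROR obtaining refs)`; a comment such as `/* refs < 0: reference count unavailable, print_header() reports it */` would record that contract, assuming print_header does handle it. The enclosing function starts and ends outside the hunk.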
@@ -792,93 +493,6 @@ #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n)) -/* This assumes that mask is contiguous, and byte-bounded. */ -static void -print_iface(char letter, const char *iface, const unsigned char *mask, - int invert) -{ - unsigned int i; - - if (mask0 == 0) - return; - - printf("%s -%c ", invert ? " !" : "", letter); - - for (i = 0; i < IFNAMSIZ; i++) { - if (maski != 0) { - if (ifacei != '\0') - printf("%c", ifacei); - } else { - /* we can access ifacei-1 here, because - * a few lines above we make sure that mask0 != 0 */ - if (ifacei-1 != '\0') - printf("+"); - break; - } - } -} - -static int print_match_save(const struct xt_entry_match *e, - const struct ipt_ip *ip) -{ - const char *name = e->u.user.name; - const int revision = e->u.user.revision; - struct xtables_match *match, *mt, *mt2; - - match = xtables_find_match(name, XTF_TRY_LOAD, NULL); - if (match) { - mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD, - match, revision); - if (!mt2) - mt2 = match; - printf(" -m %s", mt2->alias ? mt2->alias(e) : name); - - /* some matches don't provide a save function */ - if (mt && mt->save) - mt->save(ip, e); - else if (match->save) - printf(unsupported_rev); - } else { - if (e->u.match_size) { - fprintf(stderr, - "Can't find library for match `%s'\n", - name); - exit(1); - } - } - return 0; -} - -/* Print a given ip including mask if necessary. */ -static void print_ip(const char *prefix, uint32_t ip, - uint32_t mask, int invert) -{ - uint32_t bits, hmask = ntohl(mask); - int i; - - if (!mask && !ip && !invert) - return; - - printf("%s %s %u.%u.%u.%u", - invert ? " !" : "", - prefix, - IP_PARTS(ip)); - - if (mask == 0xFFFFFFFFU) { - printf("/32"); - return; - } - - i = 32; - bits = 0xFFFFFFFEU; - while (--i >= 0 && hmask != bits) - bits <<= 1; - if (i >= 0) - printf("/%u", i); - else - printf("/%u.%u.%u.%u", IP_PARTS(mask)); -} - /* We want this to be readable, so only print out necessary fields. 
* Because that's the kind of world I want to live in. */ @@ -896,23 +510,16 @@ printf("-A %s", chain); /* Print IP part. */ - print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr, - e->ip.invflags & IPT_INV_SRCIP); + save_ipv4_addr('s', &e->ip.src, &e->ip.smsk, + e->ip.invflags & IPT_INV_SRCIP); - print_ip("-d", e->ip.dst.s_addr, e->ip.dmsk.s_addr, + save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk, e->ip.invflags & IPT_INV_DSTIP); - print_iface('i', e->ip.iniface, e->ip.iniface_mask, - e->ip.invflags & IPT_INV_VIA_IN); - - print_iface('o', e->ip.outiface, e->ip.outiface_mask, - e->ip.invflags & IPT_INV_VIA_OUT); - - print_proto(e->ip.proto, e->ip.invflags & XT_INV_PROTO); - - if (e->ip.flags & IPT_F_FRAG) - printf("%s -f", - e->ip.invflags & IPT_INV_FRAG ? " !" : ""); + save_rule_details(e->ip.iniface, e->ip.iniface_mask, + e->ip.outiface, e->ip.outiface_mask, + e->ip.proto, e->ip.flags & IPT_F_FRAG, + e->ip.invflags); /* Print matchinfo part */ if (e->target_offset) 
@@ -1053,455 +660,54 @@ int do_command4(int argc, char *argv, char **table, struct xtc_handle **handle, bool restore) { + struct xt_cmd_parse_ops cmd_parse_ops = { + .proto_parse = ipv4_proto_parse, + .post_parse = ipv4_post_parse, + }; + struct xt_cmd_parse p = { + .table = *table, + .restore = restore, + .line = line, + .ops = &cmd_parse_ops, + }; struct iptables_command_state cs = { .jumpto = "", .argv = argv, }; + struct xtables_args args = { + .family = AF_INET, + }; struct ipt_entry *e = NULL; unsigned int nsaddrs = 0, ndaddrs = 0; struct in_addr *saddrs = NULL, *smasks = NULL; struct in_addr *daddrs = NULL, *dmasks = NULL; - struct timeval wait_interval = { - .tv_sec = 1, - }; - bool wait_interval_set = false; int verbose = 0; int wait = 0; const char *chain = NULL; - const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; const char *policy = NULL, *newname = NULL; unsigned int rulenum = 0, command = 0; - const char *pcnt = NULL, *bcnt = NULL; int ret = 1; - struct xtables_match *m; - struct xtables_rule_match *matchp; - struct xtables_target *t; - unsigned long long cnt; - bool table_set = false; - - /* re-set optind to 0 in case do_command4 gets called - * a second time */ - optind = 0; - - /* clear mflags in case do_command4 gets called a second time - * (we clear the global list of all matches for security)*/ - for (m = xtables_matches; m; m = m->next) - m->mflags = 0; - - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } - - /* Suppress error messages: we may add new options if we - demand-load a protocol. 
*/ - opterr = 0; - opts = xt_params->orig_opts; - while ((cs.c = getopt_long(argc, argv, - "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46", - opts, NULL)) != -1) { - switch (cs.c) { - /* - * Command selection - */ - case 'A': - add_command(&command, CMD_APPEND, CMD_NONE, - cs.invert); - chain = optarg; - break; - - case 'C': - add_command(&command, CMD_CHECK, CMD_NONE, - cs.invert); - chain = optarg; - break; - - case 'D': - add_command(&command, CMD_DELETE, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) { - rulenum = parse_rulenumber(argvoptind++); - command = CMD_DELETE_NUM; - } - break; - - case 'R': - add_command(&command, CMD_REPLACE, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a rule number", - cmd2char(CMD_REPLACE)); - break; - - case 'I': - add_command(&command, CMD_INSERT, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - else rulenum = 1; - break; - - case 'L': - add_command(&command, CMD_LIST, - CMD_ZERO | CMD_ZERO_NUM, cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - break; - - case 'S': - add_command(&command, CMD_LIST_RULES, - CMD_ZERO|CMD_ZERO_NUM, cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - break; - - case 'F': - add_command(&command, CMD_FLUSH, CMD_NONE, - cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'Z': - add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES, - cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - if 
(xs_has_arg(argc, argv)) { - rulenum = parse_rulenumber(argvoptind++); - command = CMD_ZERO_NUM; - } - break; - - case 'N': - parse_chain(optarg); - add_command(&command, CMD_NEW_CHAIN, CMD_NONE, - cs.invert); - chain = optarg; - break; - - case 'X': - add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, - cs.invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'E': - add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - newname = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires old-chain-name and " - "new-chain-name", - cmd2char(CMD_RENAME_CHAIN)); - break; - - case 'P': - add_command(&command, CMD_SET_POLICY, CMD_NONE, - cs.invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - policy = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a chain and a policy", - cmd2char(CMD_SET_POLICY)); - break; - - case 'h': - if (!optarg) - optarg = argvoptind; - - /* iptables -p icmp -h */ - if (!cs.matches && cs.protocol) - xtables_find_match(cs.protocol, - XTF_TRY_LOAD, &cs.matches); - exit_printhelp(cs.matches); - - /* - * Option selection - */ - case 'p': - set_option(&cs.options, OPT_PROTOCOL, &cs.fw.ip.invflags, - cs.invert); - - /* Canonicalize into lower case */ - for (cs.protocol = optarg; *cs.protocol; cs.protocol++) - *cs.protocol = tolower(*cs.protocol); - - cs.protocol = optarg; - cs.fw.ip.proto = xtables_parse_protocol(cs.protocol); - - if (cs.fw.ip.proto == 0 - && (cs.fw.ip.invflags & XT_INV_PROTO)) - xtables_error(PARAMETER_PROBLEM, - "rule would never match protocol"); - break; - - case 's': - set_option(&cs.options, OPT_SOURCE, &cs.fw.ip.invflags, - cs.invert); - shostnetworkmask = optarg; - break; - - case 'd': - set_option(&cs.options, OPT_DESTINATION, &cs.fw.ip.invflags, - cs.invert); - dhostnetworkmask = optarg; - break; - -#ifdef IPT_F_GOTO - case 'g': - set_option(&cs.options, OPT_JUMP, 
&cs.fw.ip.invflags, - cs.invert); - cs.fw.ip.flags |= IPT_F_GOTO; - cs.jumpto = xt_parse_target(optarg); - break; -#endif - - case 'j': - set_option(&cs.options, OPT_JUMP, &cs.fw.ip.invflags, - cs.invert); - command_jump(&cs, optarg); - break; - - - case 'i': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); - set_option(&cs.options, OPT_VIANAMEIN, &cs.fw.ip.invflags, - cs.invert); - xtables_parse_interface(optarg, - cs.fw.ip.iniface, - cs.fw.ip.iniface_mask); - break; - - case 'o': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); - set_option(&cs.options, OPT_VIANAMEOUT, &cs.fw.ip.invflags, - cs.invert); - xtables_parse_interface(optarg, - cs.fw.ip.outiface, - cs.fw.ip.outiface_mask); - break; - - case 'f': - set_option(&cs.options, OPT_FRAGMENT, &cs.fw.ip.invflags, - cs.invert); - cs.fw.ip.flags |= IPT_F_FRAG; - break; - - case 'v': - if (!verbose) - set_option(&cs.options, OPT_VERBOSE, - &cs.fw.ip.invflags, cs.invert); - verbose++; - break; - - case 'w': - if (restore) { - xtables_error(PARAMETER_PROBLEM, - "You cannot use `-w' from " - "iptables-restore"); - } - wait = parse_wait_time(argc, argv); - break; - - case 'W': - if (restore) { - xtables_error(PARAMETER_PROBLEM, - "You cannot use `-W' from " - "iptables-restore"); - } - parse_wait_interval(argc, argv, &wait_interval); - wait_interval_set = true; - break; - - case 'm': - command_match(&cs); - break; - - case 'n': - set_option(&cs.options, OPT_NUMERIC, &cs.fw.ip.invflags, - cs.invert); - break; - - case 't': - if (cs.invert) - xtables_error(PARAMETER_PROBLEM, - "unexpected ! 
flag before --table"); - if (restore && table_set) - xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); - *table = optarg; - table_set = true; - break; - - case 'x': - set_option(&cs.options, OPT_EXPANDED, &cs.fw.ip.invflags, - cs.invert); - break; - - case 'V': - if (cs.invert) - printf("Not %s ;-)\n", prog_vers); - else - printf("%s v%s (legacy)\n", - prog_name, prog_vers); - exit(0); - - case '0': - set_option(&cs.options, OPT_LINENUMBERS, &cs.fw.ip.invflags, - cs.invert); - break; - - case 'M': - xtables_modprobe_program = optarg; - break; - - case 'c': - - set_option(&cs.options, OPT_COUNTERS, &cs.fw.ip.invflags, - cs.invert); - pcnt = optarg; - bcnt = strchr(pcnt + 1, ','); - if (bcnt) - bcnt++; - if (!bcnt && xs_has_arg(argc, argv)) - bcnt = argvoptind++; - if (!bcnt) - xtables_error(PARAMETER_PROBLEM, - "-%c requires packet and byte counter", - opt2char(OPT_COUNTERS)); - - if (sscanf(pcnt, "%llu", &cnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c packet counter not numeric", - opt2char(OPT_COUNTERS)); - cs.fw.counters.pcnt = cnt; - - if (sscanf(bcnt, "%llu", &cnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c byte counter not numeric", - opt2char(OPT_COUNTERS)); - cs.fw.counters.bcnt = cnt; - break; - - case '4': - /* This is indeed the IPv4 iptables */ - break; - - case '6': - /* This is not the IPv6 ip6tables */ - if (line != -1) - return 1; /* success: line ignored */ - fprintf(stderr, "This is the IPv4 version of iptables.\n"); - exit_tryhelp(2); - - case 1: /* non option */ - if (optarg0 == '!' && optarg1 == '\0') { - if (cs.invert) - xtables_error(PARAMETER_PROBLEM, - "multiple consecutive ! not" - " allowed"); - cs.invert = true; - optarg0 = '\0'; - continue; - } - fprintf(stderr, "Bad argument `%s'\n", optarg); - exit_tryhelp(2); - - default: - if (command_default(&cs, &iptables_globals) == 1) - /* cf. 
ip6tables.c */ - continue; - break; - } - cs.invert = false; - } - - if (!wait && wait_interval_set) - xtables_error(PARAMETER_PROBLEM, - "--wait-interval only makes sense with --wait\n"); - - if (strcmp(*table, "nat") == 0 && - ((policy != NULL && strcmp(policy, "DROP") == 0) || - (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0))) - xtables_error(PARAMETER_PROBLEM, - "\nThe \"nat\" table is not intended for filtering, " - "the use of DROP is therefore inhibited.\n\n"); - - for (matchp = cs.matches; matchp; matchp = matchp->next) - xtables_option_mfcall(matchp->match); - if (cs.target != NULL) - xtables_option_tfcall(cs.target); - - /* Fix me: must put inverse options checking here --MN */ - - if (optind < argc) - xtables_error(PARAMETER_PROBLEM, - "unknown arguments found on commandline"); - if (!command) - xtables_error(PARAMETER_PROBLEM, "no command specified"); - if (cs.invert) - xtables_error(PARAMETER_PROBLEM, - "nothing appropriate following !"); - - if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND | CMD_CHECK)) { - if (!(cs.options & OPT_DESTINATION)) - dhostnetworkmask = "0.0.0.0/0"; - if (!(cs.options & OPT_SOURCE)) - shostnetworkmask = "0.0.0.0/0"; - } - - if (shostnetworkmask) - xtables_ipparse_multiple(shostnetworkmask, &saddrs, - &smasks, &nsaddrs); - - if (dhostnetworkmask) - xtables_ipparse_multiple(dhostnetworkmask, &daddrs, - &dmasks, &ndaddrs); - - if ((nsaddrs > 1 || ndaddrs > 1) && - (cs.fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, "! 
not allowed with multiple" - " source or destination IP addresses"); - - if (command == CMD_REPLACE && (nsaddrs != 1 || ndaddrs != 1)) - xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " - "specify a unique address"); - - generic_opt_check(command, cs.options); + do_parse(argc, argv, &p, &cs, &args); + + command = p.command; + chain = p.chain; + *table = p.table; + rulenum = p.rulenum; + policy = p.policy; + newname = p.newname; + verbose = p.verbose; + wait = args.wait; + nsaddrs = args.s.naddrs; + ndaddrs = args.d.naddrs; + saddrs = args.s.addr.v4; + daddrs = args.d.addr.v4; + smasks = args.s.mask.v4; + dmasks = args.d.mask.v4; /* Attempt to acquire the xtables lock */ if (!restore) - xtables_lock_or_exit(wait, &wait_interval); + xtables_lock_or_exit(wait); /* only allocate handle if we weren't called with a handle */ if (!*handle) @@ -1521,26 +727,6 @@ || command == CMD_CHECK || command == CMD_INSERT || command == CMD_REPLACE) { - if (strcmp(chain, "PREROUTING") == 0 - || strcmp(chain, "INPUT") == 0) { - /* -o not valid with incoming packets. */ - if (cs.options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEOUT), - chain); - } - - if (strcmp(chain, "POSTROUTING") == 0 - || strcmp(chain, "OUTPUT") == 0) { - /* -i not valid with outgoing packets */ - if (cs.options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEIN), - chain); - } - if (cs.target && iptc_is_chain(cs.jumpto, *handle)) { fprintf(stderr, "Warning: using chain %s, not extension\n", @@ -1581,13 +767,12 @@ #ifdef IPT_F_GOTO if (cs.fw.ip.flags & IPT_F_GOTO) xtables_error(PARAMETER_PROBLEM, - "goto '%s' is not a chain\n", - cs.jumpto); + "goto '%s' is not a chain", + cs.jumpto); #endif xtables_find_target(cs.jumpto, XTF_LOAD_MUST_SUCCEED); } else { e = generate_entry(&cs.fw, cs.matches, cs.target->t); - free(cs.target->t); } } 
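Review bot: The single call `do_parse(argc, argv, &p, &cs, &args);` now replaces the 455-line option loop, and the checks this function used to enforce itself — the nat-table DROP inhibition, the refusal of `!` with multiple source/destination addresses, the unique-address requirement for `-R`, the `--wait-interval` without `--wait` error and generic_opt_check() — disappear from this hunk with no sign of where they went. Presumably they now live in do_parse()/ipv4_post_parse(), which this diff does not include, so a comment at the call site naming the validations do_parse() is responsible for would keep the split auditable: `/* do_parse() owns all option validation (nat/DROP, multi-address '!', -R uniqueness, -w/-W) and exits on error */`. Note too that `xtables_lock_or_exit(wait)` has lost its `wait_interval` argument, so `-W` handling is now entirely inside the parser or the lock helper and is worth confirming against `iptables -w 5 -W 200000`. The rest of do_command4 continues past this hunk.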
@@ -1678,15 +863,18 @@ case CMD_SET_POLICY: ret = iptc_set_policy(chain, policy, cs.options&OPT_COUNTERS ? &cs.fw.counters : NULL, *handle); break; + case CMD_NONE: + /* do_parse ignored the line (eg: -4 with ip6tables-restore) */ + break; default: /* We should never reach this... */ - exit_tryhelp(2); + exit_tryhelp(2, line); } if (verbose > 1) dump_entries(*handle); - xtables_rule_matches_free(&cs.matches); + xtables_clear_iptables_command_state(&cs); if (e != NULL) { free(e);
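Review bot: With `free(cs.target->t)` dropped after generate_entry() in the preceding hunk, the new `xtables_clear_iptables_command_state(&cs);` becomes the only place the parsed rule state is released, and that is not obvious from the call itself. Spell it out with `/* frees cs.matches and cs.target->t; every earlier exit goes through xtables_error() */`, hedged on the helper actually owning target->t, which this diff does not show. The new `case CMD_NONE:` falls through to the cleanup with `ret` still at its initial 1, which is the intended "line ignored, success" outcome; extending the comment to `… ret stays 1 so the restore continues` would stop someone from "fixing" it later. do_command4 begins well before this hunk.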
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-arp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-arp.c
@@ -25,94 +25,8 @@ #include <linux/netfilter/nf_tables.h> #include "nft-shared.h" -#include "nft-arp.h" #include "nft.h" - -/* a few names */ -char *arp_opcodes = -{ - "Request", - "Reply", - "Request_Reverse", - "Reply_Reverse", - "DRARP_Request", - "DRARP_Reply", - "DRARP_Error", - "InARP_Request", - "ARP_NAK", -}; - -static char * -addr_to_dotted(const struct in_addr *addrp) -{ - static char buf20; - const unsigned char *bytep; - - bytep = (const unsigned char *) &(addrp->s_addr); - sprintf(buf, "%d.%d.%d.%d", bytep0, bytep1, bytep2, bytep3); - return buf; -} - -static char * -addr_to_host(const struct in_addr *addr) -{ - struct hostent *host; - - if ((host = gethostbyaddr((char *) addr, - sizeof(struct in_addr), AF_INET)) != NULL) - return (char *) host->h_name; - - return (char *) NULL; -} - -static char * -addr_to_network(const struct in_addr *addr) -{ - struct netent *net; - - if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL) - return (char *) net->n_name; - - return (char *) NULL; -} - -static char * -addr_to_anyname(const struct in_addr *addr) -{ - char *name; - - if ((name = addr_to_host(addr)) != NULL || - (name = addr_to_network(addr)) != NULL) - return name; - - return addr_to_dotted(addr); -} - -static char * -mask_to_dotted(const struct in_addr *mask) -{ - int i; - static char buf22; - u_int32_t maskaddr, bits; - - maskaddr = ntohl(mask->s_addr); - - if (maskaddr == 0xFFFFFFFFL) - /* we don't want to see "/32" */ - return ""; - - i = 32; - bits = 0xFFFFFFFEL; - while (--i >= 0 && maskaddr != bits) - bits <<= 1; - if (i >= 0) - sprintf(buf, "/%d", i); - else - /* mask was not a decent combination of 1's and 0's */ - snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask)); - - return buf; -} +#include "xshared.h" static bool need_devaddr(struct arpt_devaddr_info *info) { 
@@ -126,59 +40,65 @@ return false; } -static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data) +static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct arpt_entry *fw = &cs->arp; uint32_t op; int ret = 0; if (fw->arp.iniface0 != '\0') { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_IN); - add_iniface(r, fw->arp.iniface, op); + add_iniface(h, r, fw->arp.iniface, op); } if (fw->arp.outiface0 != '\0') { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_OUT); - add_outiface(r, fw->arp.outiface, op); + add_outiface(h, r, fw->arp.outiface, op); } if (fw->arp.arhrd != 0 || fw->arp.invflags & IPT_INV_ARPHRD) { + uint8_t reg; + op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHRD); - add_payload(r, offsetof(struct arphdr, ar_hrd), 2, - NFT_PAYLOAD_NETWORK_HEADER); - add_cmp_u16(r, fw->arp.arhrd, op); + add_payload(h, r, offsetof(struct arphdr, ar_hrd), 2, + NFT_PAYLOAD_NETWORK_HEADER, ®); + add_cmp_u16(r, fw->arp.arhrd, op, reg); } if (fw->arp.arpro != 0 || fw->arp.invflags & IPT_INV_PROTO) { + uint8_t reg; + op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_PROTO); - add_payload(r, offsetof(struct arphdr, ar_pro), 2, - NFT_PAYLOAD_NETWORK_HEADER); - add_cmp_u16(r, fw->arp.arpro, op); + add_payload(h, r, offsetof(struct arphdr, ar_pro), 2, + NFT_PAYLOAD_NETWORK_HEADER, ®); + add_cmp_u16(r, fw->arp.arpro, op, reg); } if (fw->arp.arhln != 0 || fw->arp.invflags & IPT_INV_ARPHLN) { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHLN); - add_proto(r, offsetof(struct arphdr, ar_hln), 1, + add_proto(h, r, offsetof(struct arphdr, ar_hln), 1, fw->arp.arhln, op); } - add_proto(r, offsetof(struct arphdr, ar_pln), 1, 4, NFT_CMP_EQ); + add_proto(h, r, offsetof(struct arphdr, ar_pln), 1, 4, NFT_CMP_EQ); if (fw->arp.arpop != 0 || fw->arp.invflags & IPT_INV_ARPOP) { + uint8_t reg; + op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPOP); - add_payload(r, 
offsetof(struct arphdr, ar_op), 2, - NFT_PAYLOAD_NETWORK_HEADER); - add_cmp_u16(r, fw->arp.arpop, op); + add_payload(h, r, offsetof(struct arphdr, ar_op), 2, + NFT_PAYLOAD_NETWORK_HEADER, ®); + add_cmp_u16(r, fw->arp.arpop, op, reg); } if (need_devaddr(&fw->arp.src_devaddr)) { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_SRCDEVADDR); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, sizeof(struct arphdr), &fw->arp.src_devaddr.addr, &fw->arp.src_devaddr.mask, @@ -190,7 +110,7 @@ fw->arp.smsk.s_addr != 0 || fw->arp.invflags & IPT_INV_SRCIP) { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_SRCIP); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, sizeof(struct arphdr) + fw->arp.arhln, &fw->arp.src.s_addr, &fw->arp.smsk.s_addr, sizeof(struct in_addr), op); @@ -199,7 +119,7 @@ if (need_devaddr(&fw->arp.tgt_devaddr)) { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_TGTDEVADDR); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr), &fw->arp.tgt_devaddr.addr, &fw->arp.tgt_devaddr.mask, @@ -210,7 +130,7 @@ fw->arp.tmsk.s_addr != 0 || fw->arp.invflags & IPT_INV_DSTIP) { op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_DSTIP); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr) + fw->arp.arhln, &fw->arp.tgt.s_addr, &fw->arp.tmsk.s_addr, sizeof(struct in_addr), op); 
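Review bot: nft_arp_add now repeats the same stanza three times for ar_hrd, ar_pro and ar_op — declare `uint8_t reg`, compute `op`, call `add_payload(h, r, offsetof(...), 2, NFT_PAYLOAD_NETWORK_HEADER, &reg)`, then `add_cmp_u16(r, value, op, reg)` — differing only in the field offset and the value. A small static helper that owns the register keeps each call site to one statement and makes the register handoff between add_payload() and add_cmp_u16() a single reviewable place. The unconditional `add_proto(h, r, offsetof(struct arphdr, ar_pln), 1, 4, NFT_CMP_EQ)` also deserves a one-liner explaining that it pins the protocol address length to that of `struct in_addr`, which the parse side's "unexpected ARP protocol length match" error mirrors. nft_arp_add continues past the end of this hunk.
```c
/* Match the 16-bit ARP header field at @offset against @val. */
static void add_arp_u16_match(struct nft_handle *h, struct nftnl_rule *r,
			      unsigned int offset, uint16_t val, uint32_t op)
{
	uint8_t reg;

	add_payload(h, r, offset, 2, NFT_PAYLOAD_NETWORK_HEADER, &reg);
	add_cmp_u16(r, val, op, reg);
}

/* … unchanged: nft_arp_add() up to the interface matches … */
	if (fw->arp.arhrd != 0 || fw->arp.invflags & IPT_INV_ARPHRD) {
		op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHRD);
		add_arp_u16_match(h, r, offsetof(struct arphdr, ar_hrd),
				  fw->arp.arhrd, op);
	}
	/* … unchanged: ar_pro and ar_op use the same helper; ar_hln, ar_pln and the address matches follow … */
```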
@@ -240,34 +160,30 @@ return ret; } -static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data) +static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct arpt_entry *fw = &cs->arp; uint8_t flags = 0; - parse_meta(e, ctx->meta.key, fw->arp.iniface, fw->arp.iniface_mask, + if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface, fw->arp.iniface_mask, fw->arp.outiface, fw->arp.outiface_mask, - &flags); - - fw->arp.invflags |= flags; -} - -static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto, - void *data) -{ - struct iptables_command_state *cs = data; + &flags) == 0) { + fw->arp.invflags |= flags; + return; + } - cs->jumpto = jumpto; + ctx->errmsg = "Unknown arp meta key"; } -static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask) +static void parse_mask_ipv4(const struct nft_xt_ctx_reg *reg, struct in_addr *mask) { - mask->s_addr = ctx->bitwise.mask0; + mask->s_addr = reg->bitwise.mask0; } -static bool nft_arp_parse_devaddr(struct nft_xt_ctx *ctx, +static bool nft_arp_parse_devaddr(const struct nft_xt_ctx_reg *reg, struct nftnl_expr *e, struct arpt_devaddr_info *info) { 
@@ -281,28 +197,27 @@ get_cmp_data(e, info->addr, ETH_ALEN, &inv); - if (ctx->flags & NFT_XT_CTX_BITWISE) { - memcpy(info->mask, ctx->bitwise.mask, ETH_ALEN); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + memcpy(info->mask, reg->bitwise.mask, ETH_ALEN); + else memset(info->mask, 0xff, - min(ctx->payload.len, ETH_ALEN)); - } + min(reg->payload.len, ETH_ALEN)); return inv; } static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, - struct nftnl_expr *e, void *data) + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct arpt_entry *fw = &cs->arp; struct in_addr addr; uint16_t ar_hrd, ar_pro, ar_op; - uint8_t ar_hln; + uint8_t ar_hln, ar_pln; bool inv; - switch (ctx->payload.offset) { + switch (reg->payload.offset) { case offsetof(struct arphdr, ar_hrd): get_cmp_data(e, &ar_hrd, sizeof(ar_hrd), &inv); fw->arp.arhrd = ar_hrd; 
@@ -331,47 +246,50 @@ if (inv) fw->arp.invflags |= IPT_INV_ARPOP; break; + case offsetof(struct arphdr, ar_pln): + get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv); + if (ar_pln != 4 || inv) + ctx->errmsg = "unexpected ARP protocol length match"; + break; default: - if (ctx->payload.offset == sizeof(struct arphdr)) { - if (nft_arp_parse_devaddr(ctx, e, &fw->arp.src_devaddr)) + if (reg->payload.offset == sizeof(struct arphdr)) { + if (nft_arp_parse_devaddr(reg, e, &fw->arp.src_devaddr)) fw->arp.invflags |= IPT_INV_SRCDEVADDR; - } else if (ctx->payload.offset == sizeof(struct arphdr) + + } else if (reg->payload.offset == sizeof(struct arphdr) + fw->arp.arhln) { get_cmp_data(e, &addr, sizeof(addr), &inv); fw->arp.src.s_addr = addr.s_addr; - if (ctx->flags & NFT_XT_CTX_BITWISE) { - parse_mask_ipv4(ctx, &fw->arp.smsk); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + parse_mask_ipv4(reg, &fw->arp.smsk); + else memset(&fw->arp.smsk, 0xff, - min(ctx->payload.len, + min(reg->payload.len, sizeof(struct in_addr))); - } if (inv) fw->arp.invflags |= IPT_INV_SRCIP; - } else if (ctx->payload.offset == sizeof(struct arphdr) + + } else if (reg->payload.offset == sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr)) { - if (nft_arp_parse_devaddr(ctx, e, &fw->arp.tgt_devaddr)) + if (nft_arp_parse_devaddr(reg, e, &fw->arp.tgt_devaddr)) fw->arp.invflags |= IPT_INV_TGTDEVADDR; - } else if (ctx->payload.offset == sizeof(struct arphdr) + + } else if (reg->payload.offset == sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr) + fw->arp.arhln) { get_cmp_data(e, &addr, sizeof(addr), &inv); fw->arp.tgt.s_addr = addr.s_addr; - if (ctx->flags & NFT_XT_CTX_BITWISE) { - parse_mask_ipv4(ctx, &fw->arp.tmsk); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + parse_mask_ipv4(reg, &fw->arp.tmsk); + else memset(&fw->arp.tmsk, 0xff, - min(ctx->payload.len, + min(reg->payload.len, sizeof(struct in_addr))); - } if (inv) fw->arp.invflags 
|= IPT_INV_DSTIP; + } else { + ctx->errmsg = "unknown payload offset"; } break; } @@ -380,11 +298,10 @@ static void nft_arp_print_header(unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, - bool basechain, uint32_t refs, - uint32_t entries) + int refs, uint32_t entries) { printf("Chain %s", chain); - if (basechain && pol) { + if (pol) { printf(" (policy %s", pol); if (!(format & FMT_NOCOUNTS)) { fputc(' ', stdout); @@ -395,7 +312,7 @@ } printf(")\n"); } else { - printf(" (%u references)\n", refs); + printf(" (%d references)\n", refs); } } @@ -403,7 +320,6 @@ unsigned int format) { const struct arpt_entry *fw = &cs->arp; - char bufBUFSIZ; char ifaceIFNAMSIZ+2; const char *sep = ""; int print_iface = 0; @@ -450,15 +366,10 @@ } if (fw->arp.smsk.s_addr != 0L) { - printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP - ? "! " : ""); - if (format & FMT_NUMERIC) - sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src))); - else - sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src))); - strncat(buf, mask_to_dotted(&(fw->arp.smsk)), - sizeof(buf) - strlen(buf) - 1); - printf("-s %s", buf); + printf("%s%s-s %s", sep, + fw->arp.invflags & IPT_INV_SRCIP ? "! " : "", + ipv4_addr_to_string(&fw->arp.src, + &fw->arp.smsk, format)); sep = " "; } @@ -476,15 +387,10 @@ after_devsrc: if (fw->arp.tmsk.s_addr != 0L) { - printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP - ? "! " : ""); - if (format & FMT_NUMERIC) - sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt))); - else - sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt))); - strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), - sizeof(buf) - strlen(buf) - 1); - printf("-d %s", buf); + printf("%s%s-d %s", sep, + fw->arp.invflags & IPT_INV_DSTIP ? "! " : "", + ipv4_addr_to_string(&fw->arp.tgt, + &fw->arp.tmsk, format)); sep = " "; } 
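Review bot: In the src/tgt IP branches of `nft_arp_parse_payload`, `get_cmp_data(e, &addr, sizeof(addr), &inv)` asks for a full four bytes even though the mask code directly below it explicitly anticipates `reg->payload.len` being smaller than `sizeof(struct in_addr)`. Whether that over-reads the cmp expression's data depends on `get_cmp_data`, which is not in this hunk; if it does not bound the copy by the expression's own data length, either request `min(reg->payload.len, sizeof(addr))` into a zero-initialised `addr`, or reject short payloads through `ctx->errmsg` the way the new `ar_pln` arm already does. In either case a one-line comment on the `memset(..., 0xff, min(reg->payload.len, ...))` saying that a short payload is encoded as a prefix mask would help the next reader. The function starts in the previous hunk and its closing brace appears to lie outside this one.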
@@ -516,7 +422,7 @@ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPOP ? "! " : ""); - if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC)) + if (tmp <= ARP_NUMOPCODES && !(format & FMT_NUMERIC)) printf("--opcode %s", arp_opcodestmp-1); else printf("--opcode %d", tmp); @@ -556,12 +462,11 @@ } static void -nft_arp_save_rule(const void *data, unsigned int format) +nft_arp_save_rule(const struct iptables_command_state *cs, unsigned int format) { - const struct iptables_command_state *cs = data; - format |= FMT_NUMERIC; + printf(" "); nft_arp_print_rule_details(cs, format); if (cs->target && cs->target->save) cs->target->save(&cs->fw, cs->target->t); @@ -592,14 +497,14 @@ if (!(format & FMT_NONEWLINE)) fputc('\n', stdout); - nft_clear_iptables_command_state(&cs); + xtables_clear_iptables_command_state(&cs); } -static bool nft_arp_is_same(const void *data_a, - const void *data_b) +static bool nft_arp_is_same(const struct iptables_command_state *cs_a, + const struct iptables_command_state *cs_b) { - const struct arpt_entry *a = data_a; - const struct arpt_entry *b = data_b; + const struct arpt_entry *a = &cs_a->arp; + const struct arpt_entry *b = &cs_b->arp; if (a->arp.src.s_addr != b->arp.src.s_addr || a->arp.tgt.s_addr != b->arp.tgt.s_addr 
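Review bot: In the `@@ -516,7 +422,7 @@` hunk the guard `tmp <= ARP_NUMOPCODES` still admits `tmp == 0`, and the next line then reads `arp_opcodes[tmp-1]`, i.e. index -1; the rename from NUMOPCODES carries that out-of-bounds read over unchanged. Where `tmp` comes from is outside the hunk, but if it is the raw `ntohs(fw->arp.arpop)` guarded only by a non-zero mask, an opcode of 0 reaches this branch. I would tighten it to `if (tmp > 0 && tmp <= ARP_NUMOPCODES && !(format & FMT_NUMERIC))` so opcode 0 falls through to the numeric `--opcode %d` form. The enclosing function starts and ends outside the hunk.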
@@ -629,19 +534,270 @@ printf(":%s %s\n", chain, policy ?: "-"); } +static int getlength_and_mask(const char *from, uint8_t *to, uint8_t *mask) +{ + char *dup = strdup(from); + char *p, *buffer; + int i, ret = -1; + + if (!dup) + return -1; + + if ( (p = strrchr(dup, '/')) != NULL) { + *p = '\0'; + i = strtol(p+1, &buffer, 10); + if (*buffer != '\0' || i < 0 || i > 255) + goto out_err; + *mask = (uint8_t)i; + } else + *mask = 255; + i = strtol(dup, &buffer, 10); + if (*buffer != '\0' || i < 0 || i > 255) + goto out_err; + *to = (uint8_t)i; + ret = 0; +out_err: + free(dup); + return ret; + +} + +static int get16_and_mask(const char *from, uint16_t *to, + uint16_t *mask, int base) +{ + char *dup = strdup(from); + char *p, *buffer; + int i, ret = -1; + + if (!dup) + return -1; + + if ( (p = strrchr(dup, '/')) != NULL) { + *p = '\0'; + i = strtol(p+1, &buffer, base); + if (*buffer != '\0' || i < 0 || i > 65535) + goto out_err; + *mask = htons((uint16_t)i); + } else + *mask = 65535; + i = strtol(dup, &buffer, base); + if (*buffer != '\0' || i < 0 || i > 65535) + goto out_err; + *to = htons((uint16_t)i); + ret = 0; +out_err: + free(dup); + return ret; +} + +static void nft_arp_post_parse(int command, + struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->arp.arp.invflags = args->invflags; + + memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ); + memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ); + + memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ); + memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ); + + cs->arp.counters.pcnt = args->pcnt_cnt; + cs->arp.counters.bcnt = args->bcnt_cnt; + + if (command & (CMD_REPLACE | CMD_INSERT | + CMD_DELETE | CMD_APPEND | CMD_CHECK)) { + if (!(cs->options & OPT_DESTINATION)) + args->dhostnetworkmask = "0.0.0.0/0"; + if (!(cs->options & OPT_SOURCE)) + args->shostnetworkmask = "0.0.0.0/0"; + } + + if (args->shostnetworkmask) + xtables_ipparse_multiple(args->shostnetworkmask, + 
&args->s.addr.v4, &args->s.mask.v4, + &args->s.naddrs); + if (args->dhostnetworkmask) + xtables_ipparse_multiple(args->dhostnetworkmask, + &args->d.addr.v4, &args->d.mask.v4, + &args->d.naddrs); + + if ((args->s.naddrs > 1 || args->d.naddrs > 1) && + (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP))) + xtables_error(PARAMETER_PROBLEM, + "! not allowed with multiple" + " source or destination IP addresses"); + + if (args->src_mac && + xtables_parse_mac_and_mask(args->src_mac, + cs->arp.arp.src_devaddr.addr, + cs->arp.arp.src_devaddr.mask)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified source mac"); + if (args->dst_mac && + xtables_parse_mac_and_mask(args->dst_mac, + cs->arp.arp.tgt_devaddr.addr, + cs->arp.arp.tgt_devaddr.mask)) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified destination mac"); + if (args->arp_hlen) { + getlength_and_mask(args->arp_hlen, &cs->arp.arp.arhln, + &cs->arp.arp.arhln_mask); + + if (cs->arp.arp.arhln != 6) + xtables_error(PARAMETER_PROBLEM, + "Only harware address length of 6 is supported currently."); + } + if (args->arp_opcode) { + if (get16_and_mask(args->arp_opcode, &cs->arp.arp.arpop, + &cs->arp.arp.arpop_mask, 10)) { + int i; + + for (i = 0; i < ARP_NUMOPCODES; i++) + if (!strcasecmp(arp_opcodesi, + args->arp_opcode)) + break; + if (i == ARP_NUMOPCODES) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified opcode"); + cs->arp.arp.arpop = htons(i+1); + } + } + if (args->arp_htype) { + if (get16_and_mask(args->arp_htype, &cs->arp.arp.arhrd, + &cs->arp.arp.arhrd_mask, 16)) { + if (strcasecmp(args->arp_htype, "Ethernet")) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified hardware type"); + cs->arp.arp.arhrd = htons(1); + } + } + if (args->arp_ptype) { + if (get16_and_mask(args->arp_ptype, &cs->arp.arp.arpro, + &cs->arp.arp.arpro_mask, 0)) { + if (strcasecmp(args->arp_ptype, "ipv4")) + xtables_error(PARAMETER_PROBLEM, + "Problem with specified protocol type"); + cs->arp.arp.arpro = 
htons(0x800); + } + } +} + +static void nft_arp_init_cs(struct iptables_command_state *cs) +{ + cs->arp.arp.arhln = 6; + cs->arp.arp.arhln_mask = 255; + cs->arp.arp.arhrd = htons(ARPHRD_ETHER); + cs->arp.arp.arhrd_mask = 65535; +} + +static int +nft_arp_add_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->arp.arp.src.s_addr = args->s.addr.v4i.s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4i.s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->arp.arp.tgt.s_addr = args->d.addr.v4j.s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4j.s_addr; + if (append) { + ret = nft_cmd_rule_append(h, chain, table, cs, NULL, + verbose); + } else { + ret = nft_cmd_rule_insert(h, chain, table, cs, + rulenum, verbose); + } + } + } + + return ret; +} + +static int +nft_arp_delete_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->arp.arp.src.s_addr = args->s.addr.v4i.s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4i.s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->arp.arp.tgt.s_addr = args->d.addr.v4j.s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4j.s_addr; + ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_arp_check_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->arp.arp.src.s_addr = args->s.addr.v4i.s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4i.s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->arp.arp.tgt.s_addr = 
args->d.addr.v4j.s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4j.s_addr; + ret = nft_cmd_rule_check(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_arp_replace_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum) +{ + cs->arp.arp.src.s_addr = args->s.addr.v4->s_addr; + cs->arp.arp.tgt.s_addr = args->d.addr.v4->s_addr; + cs->arp.arp.smsk.s_addr = args->s.mask.v4->s_addr; + cs->arp.arp.tmsk.s_addr = args->d.mask.v4->s_addr; + + return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); +} + struct nft_family_ops nft_family_ops_arp = { .add = nft_arp_add, .is_same = nft_arp_is_same, .print_payload = NULL, .parse_meta = nft_arp_parse_meta, .parse_payload = nft_arp_parse_payload, - .parse_immediate = nft_arp_parse_immediate, .print_header = nft_arp_print_header, .print_rule = nft_arp_print_rule, .save_rule = nft_arp_save_rule, .save_chain = nft_arp_save_chain, - .post_parse = NULL, + .cmd_parse = { + .post_parse = nft_arp_post_parse, + }, .rule_to_cs = nft_rule_to_iptables_command_state, - .clear_cs = nft_clear_iptables_command_state, + .init_cs = nft_arp_init_cs, + .clear_cs = xtables_clear_iptables_command_state, .parse_target = nft_ipv46_parse_target, + .add_entry = nft_arp_add_entry, + .delete_entry = nft_arp_delete_entry, + .check_entry = nft_arp_check_entry, + .replace_entry = nft_arp_replace_entry, };
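Review bot: `nft_arp_post_parse` discards the return value of `getlength_and_mask(args->arp_hlen, ...)`, so a malformed `--h-length` (e.g. `abc` or `6/x`) leaves `arhln`/`arhln_mask` at whatever they already held (6/255 after `nft_arp_init_cs`) and silently passes the `!= 6` check, whereas the opcode, htype and ptype branches right below all error out on bad input; add `if (getlength_and_mask(args->arp_hlen, &cs->arp.arp.arhln, &cs->arp.arp.arhln_mask)) xtables_error(PARAMETER_PROBLEM, "Problem with specified hardware length");`. Separately, both new helpers store `strtol()`'s `long` result into `int i` before the range check, so on LP64 a value such as 4294967301 truncates to 5 and slips past `i > 255` / `i > 65535`; declaring `long i;` in `getlength_and_mask` and `get16_and_mask` lets the bound check see the real value. The helpers also accept an empty mask after the slash (`6/` parses as mask 0), which is probably not intended. The "harware" typo in the length error message could be fixed in the same pass.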
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-bridge.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-bridge.c
@@ -65,30 +65,34 @@ xtables_print_mac_and_mask(mac, mask); } -static void add_logical_iniface(struct nftnl_rule *r, char *iface, uint32_t op) +static void add_logical_iniface(struct nft_handle *h, struct nftnl_rule *r, + char *iface, uint32_t op) { int iface_len; + uint8_t reg; iface_len = strlen(iface); - add_meta(r, NFT_META_BRI_IIFNAME); + add_meta(h, r, NFT_META_BRI_IIFNAME, ®); if (ifaceiface_len - 1 == '+') - add_cmp_ptr(r, op, iface, iface_len - 1); + add_cmp_ptr(r, op, iface, iface_len - 1, reg); else - add_cmp_ptr(r, op, iface, iface_len + 1); + add_cmp_ptr(r, op, iface, iface_len + 1, reg); } -static void add_logical_outiface(struct nftnl_rule *r, char *iface, uint32_t op) +static void add_logical_outiface(struct nft_handle *h, struct nftnl_rule *r, + char *iface, uint32_t op) { int iface_len; + uint8_t reg; iface_len = strlen(iface); - add_meta(r, NFT_META_BRI_OIFNAME); + add_meta(h, r, NFT_META_BRI_OIFNAME, ®); if (ifaceiface_len - 1 == '+') - add_cmp_ptr(r, op, iface, iface_len - 1); + add_cmp_ptr(r, op, iface, iface_len - 1, reg); else - add_cmp_ptr(r, op, iface, iface_len + 1); + add_cmp_ptr(r, op, iface, iface_len + 1, reg); } static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) 
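Review bot: `add_logical_iniface` and `add_logical_outiface` are now identical apart from the meta key, and the same `h`/`reg` plumbing had to be duplicated in both; a single `static void add_logical_iface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op, uint32_t key)` with the two existing names reduced to one-line wrappers would keep the '+'-wildcard length logic in one place. The `iface[iface_len - 1]` read relies on the callers' `fw->logical_in[0] != '\0'` check to keep `iface_len` above zero; a short comment stating that precondition, e.g. `/* callers guarantee iface is non-empty */`, would make it explicit.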
@@ -96,60 +100,81 @@ return add_action(r, cs, false); } +static int +nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw, + struct nftnl_rule *r, struct xt_entry_match *m) +{ + if (!strcmp(m->u.user.name, "802_3") && + !(fw->bitmask & EBT_802_3)) + xtables_error(PARAMETER_PROBLEM, + "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH"); + + return add_match(h, r, m); +} + static int nft_bridge_add(struct nft_handle *h, - struct nftnl_rule *r, void *data) + struct nftnl_rule *r, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct ebt_match *iter; struct ebt_entry *fw = &cs->eb; uint32_t op; if (fw->in0 != '\0') { op = nft_invflags2cmp(fw->invflags, EBT_IIN); - add_iniface(r, fw->in, op); + add_iniface(h, r, fw->in, op); } if (fw->out0 != '\0') { op = nft_invflags2cmp(fw->invflags, EBT_IOUT); - add_outiface(r, fw->out, op); + add_outiface(h, r, fw->out, op); } if (fw->logical_in0 != '\0') { op = nft_invflags2cmp(fw->invflags, EBT_ILOGICALIN); - add_logical_iniface(r, fw->logical_in, op); + add_logical_iniface(h, r, fw->logical_in, op); } if (fw->logical_out0 != '\0') { op = nft_invflags2cmp(fw->invflags, EBT_ILOGICALOUT); - add_logical_outiface(r, fw->logical_out, op); + add_logical_outiface(h, r, fw->logical_out, op); } if (fw->bitmask & EBT_ISOURCE) { op = nft_invflags2cmp(fw->invflags, EBT_ISOURCE); - add_addr(r, NFT_PAYLOAD_LL_HEADER, + add_addr(h, r, NFT_PAYLOAD_LL_HEADER, offsetof(struct ethhdr, h_source), fw->sourcemac, fw->sourcemsk, ETH_ALEN, op); } if (fw->bitmask & EBT_IDEST) { op = nft_invflags2cmp(fw->invflags, EBT_IDEST); - add_addr(r, NFT_PAYLOAD_LL_HEADER, + add_addr(h, r, NFT_PAYLOAD_LL_HEADER, offsetof(struct ethhdr, h_dest), fw->destmac, fw->destmsk, ETH_ALEN, op); } if ((fw->bitmask & EBT_NOPROTO) == 0) { + uint16_t ethproto = fw->ethproto; + uint8_t reg; + op = nft_invflags2cmp(fw->invflags, EBT_IPROTO); - add_payload(r, offsetof(struct ethhdr, h_proto), 2, - NFT_PAYLOAD_LL_HEADER); - 
add_cmp_u16(r, fw->ethproto, op); + add_payload(h, r, offsetof(struct ethhdr, h_proto), 2, + NFT_PAYLOAD_LL_HEADER, ®); + + if (fw->bitmask & EBT_802_3) { + op = (op == NFT_CMP_EQ ? NFT_CMP_LT : NFT_CMP_GTE); + ethproto = htons(0x0600); + } + + add_cmp_u16(r, ethproto, op, reg); } add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO); for (iter = cs->match_list; iter; iter = iter->next) { if (iter->ismatch) { - if (add_match(h, r, iter->u.match->m)) + if (nft_bridge_add_match(h, fw, r, iter->u.match->m)) break; } else { if (add_target(r, iter->u.watcher->t)) @@ -164,16 +189,25 @@ } static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx, - struct nftnl_expr *e, void *data) + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct ebt_entry *fw = &cs->eb; uint8_t invflags = 0; char iifnameIFNAMSIZ = {}, oifnameIFNAMSIZ = {}; - parse_meta(e, ctx->meta.key, iifname, NULL, oifname, NULL, &invflags); + switch (reg->meta_dreg.key) { + case NFT_META_PROTOCOL: + return; + } + + if (parse_meta(ctx, e, reg->meta_dreg.key, iifname, NULL, oifname, NULL, &invflags) < 0) { + ctx->errmsg = "unknown meta key"; + return; + } - switch (ctx->meta.key) { + switch (reg->meta_dreg.key) { case NFT_META_BRI_IIFNAME: if (invflags & IPT_INV_VIA_IN) cs->eb.invflags |= EBT_ILOGICALIN; 
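Review bot: The EBT_802_3 branch in `nft_bridge_add` rewrites the equality test into `< 0x0600` / `>= 0x0600` without saying why; a comment such as `/* -p LENGTH: an 802.3 frame carries a length (< 0x0600) where Ethernet II carries an EtherType */` would make both the threshold and the EQ->LT / NEQ->GTE mapping self-explanatory. Note that the `add_compat(r, fw->ethproto, ...)` call below still passes the unadjusted `fw->ethproto` rather than the local `ethproto` in that case; if that is intended it deserves a word too, since it is the only place the original value is still used. The rest of `nft_bridge_add` continues outside the hunk.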
@@ -195,21 +229,24 @@ snprintf(fw->out, sizeof(fw->out), "%s", oifname); break; default: + ctx->errmsg = "unknown bridge meta key"; break; } } static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx, - struct nftnl_expr *e, void *data) + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct ebt_entry *fw = &cs->eb; unsigned char addrETH_ALEN; unsigned short int ethproto; + uint8_t op; bool inv; int i; - switch (ctx->payload.offset) { + switch (reg->payload.offset) { case offsetof(struct ethhdr, h_dest): get_cmp_data(e, addr, sizeof(addr), &inv); for (i = 0; i < ETH_ALEN; i++) @@ -217,13 +254,11 @@ if (inv) fw->invflags |= EBT_IDEST; - if (ctx->flags & NFT_XT_CTX_BITWISE) { - memcpy(fw->destmsk, ctx->bitwise.mask, ETH_ALEN); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + memcpy(fw->destmsk, reg->bitwise.mask, ETH_ALEN); + else memset(&fw->destmsk, 0xff, - min(ctx->payload.len, ETH_ALEN)); - } + min(reg->payload.len, ETH_ALEN)); fw->bitmask |= EBT_IDEST; break; case offsetof(struct ethhdr, h_source): 
@@ -232,33 +267,33 @@ fw->sourcemaci = addri; if (inv) fw->invflags |= EBT_ISOURCE; - if (ctx->flags & NFT_XT_CTX_BITWISE) { - memcpy(fw->sourcemsk, ctx->bitwise.mask, ETH_ALEN); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + memcpy(fw->sourcemsk, reg->bitwise.mask, ETH_ALEN); + else memset(&fw->sourcemsk, 0xff, - min(ctx->payload.len, ETH_ALEN)); - } + min(reg->payload.len, ETH_ALEN)); fw->bitmask |= EBT_ISOURCE; break; case offsetof(struct ethhdr, h_proto): - get_cmp_data(e, ðproto, sizeof(ethproto), &inv); - fw->ethproto = ethproto; + __get_cmp_data(e, ðproto, sizeof(ethproto), &op); + if (ethproto == htons(0x0600)) { + fw->bitmask |= EBT_802_3; + inv = (op == NFT_CMP_GTE); + } else { + fw->ethproto = ethproto; + inv = (op == NFT_CMP_NEQ); + } if (inv) fw->invflags |= EBT_IPROTO; fw->bitmask &= ~EBT_NOPROTO; break; + default: + DEBUGP("unknown payload offset %d\n", reg->payload.offset); + ctx->errmsg = "unknown payload offset"; + break; } } -static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto, - void *data) -{ - struct iptables_command_state *cs = data; - - cs->jumpto = jumpto; -} - /* return 0 if saddr, 1 if daddr, -1 on error */ static int lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len) 
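Review bot: The h_proto case in `nft_bridge_parse_payload` decides that a rule is `-p LENGTH` purely from the compared value, `if (ethproto == htons(0x0600))`, and only afterwards looks at `op`; a rule that genuinely compares `ether type == 0x0600` (0x0600 is itself a registered EtherType) is therefore listed as an 802.3 length match, and in the `else` branch any operator other than NEQ, including LT/GT/LTE, is silently read as an equality match. Keying the decision on the operator and rejecting combinations ebtables cannot express through `ctx->errmsg`, as the new `default:` arm of the same switch already does, keeps the listing faithful to what the kernel filters. The surrounding switch and function continue outside the hunk.
```c
	case offsetof(struct ethhdr, h_proto):
		__get_cmp_data(e, &ethproto, sizeof(ethproto), &op);
		if (op == NFT_CMP_LT || op == NFT_CMP_GTE) {
			/* -p LENGTH: 802.3 frames carry a length (< 0x0600) in the type field */
			if (ethproto != htons(0x0600)) {
				ctx->errmsg = "unexpected ether type range match";
				break;
			}
			fw->bitmask |= EBT_802_3;
			inv = (op == NFT_CMP_GTE);
		} else if (op == NFT_CMP_EQ || op == NFT_CMP_NEQ) {
			fw->ethproto = ethproto;
			inv = (op == NFT_CMP_NEQ);
		} else {
			ctx->errmsg = "unsupported ether type comparison";
			break;
		}
		/* … unchanged: set EBT_IPROTO on inv, clear EBT_NOPROTO … */
```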
@@ -296,49 +331,74 @@ /* Make sure previous payload expression(s) is/are consistent and extract if * matching on source or destination address and if matching on MAC and IP or * only MAC address. */ -static int lookup_analyze_payloads(const struct nft_xt_ctx *ctx, +static int lookup_analyze_payloads(struct nft_xt_ctx *ctx, + enum nft_registers sreg, + uint32_t key_len, bool *dst, bool *ip) { + const struct nft_xt_ctx_reg *reg; int val, val2 = -1; - if (ctx->flags & NFT_XT_CTX_PREV_PAYLOAD) { - val = lookup_check_ether_payload(ctx->prev_payload.base, - ctx->prev_payload.offset, - ctx->prev_payload.len); + reg = nft_xt_ctx_get_sreg(ctx, sreg); + if (!reg) + return -1; + + if (reg->type != NFT_XT_REG_PAYLOAD) { + ctx->errmsg = "lookup reg is not payload type"; + return -1; + } + + switch (key_len) { + case 12: /* ether + ipv4addr */ + val = lookup_check_ether_payload(reg->payload.base, + reg->payload.offset, + reg->payload.len); if (val < 0) { DEBUGP("unknown payload base/offset/len %d/%d/%d\n", - ctx->prev_payload.base, ctx->prev_payload.offset, - ctx->prev_payload.len); + reg->payload.base, reg->payload.offset, + reg->payload.len); + return -1; + } + + sreg = nft_get_next_reg(sreg, ETH_ALEN); + + reg = nft_xt_ctx_get_sreg(ctx, sreg); + if (!reg) { + ctx->errmsg = "next lookup register is invalid"; return -1; } - if (!(ctx->flags & NFT_XT_CTX_PAYLOAD)) { - DEBUGP("Previous but no current payload?\n"); + + if (reg->type != NFT_XT_REG_PAYLOAD) { + ctx->errmsg = "next lookup reg is not payload type"; return -1; } - val2 = lookup_check_iphdr_payload(ctx->payload.base, - ctx->payload.offset, - ctx->payload.len); + + val2 = lookup_check_iphdr_payload(reg->payload.base, + reg->payload.offset, + reg->payload.len); if (val2 < 0) { DEBUGP("unknown payload base/offset/len %d/%d/%d\n", - ctx->payload.base, ctx->payload.offset, - ctx->payload.len); + reg->payload.base, reg->payload.offset, + reg->payload.len); return -1; } else if (val != val2) { DEBUGP("mismatching payload match 
offsets\n"); return -1; } - } else if (ctx->flags & NFT_XT_CTX_PAYLOAD) { - val = lookup_check_ether_payload(ctx->payload.base, - ctx->payload.offset, - ctx->payload.len); + break; + case 6: /* ether */ + val = lookup_check_ether_payload(reg->payload.base, + reg->payload.offset, + reg->payload.len); if (val < 0) { DEBUGP("unknown payload base/offset/len %d/%d/%d\n", - ctx->payload.base, ctx->payload.offset, - ctx->payload.len); + reg->payload.base, reg->payload.offset, + reg->payload.len); return -1; } - } else { - DEBUGP("unknown LHS of lookup expression\n"); + break; + default: + ctx->errmsg = "unsupported lookup key length"; return -1; } @@ -405,7 +465,7 @@ } static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx, - struct nftnl_expr *e, void *data) + struct nftnl_expr *e) { struct xtables_match *match = NULL; struct nft_among_data *among_data; @@ -415,14 +475,17 @@ size_t poff, size; uint32_t cnt; - if (lookup_analyze_payloads(ctx, &is_dst, &have_ip)) - return; - s = set_from_lookup_expr(ctx, e); if (!s) xtables_error(OTHER_PROBLEM, "BUG: lookup expression references unknown set"); + if (lookup_analyze_payloads(ctx, + nftnl_expr_get_u32(e, NFTNL_EXPR_LOOKUP_SREG), + nftnl_set_get_u32(s, NFTNL_SET_KEY_LEN), + &is_dst, &have_ip)) + return; + cnt = nftnl_set_get_u32(s, NFTNL_SET_DESC_SIZE); for (ematch = ctx->cs->match_list; ematch; ematch = ematch->next) { @@ -470,18 +533,12 @@ if (set_elems_to_among_pairs(among_data->pairs + poff, s, cnt)) xtables_error(OTHER_PROBLEM, "ebtables among pair parsing failed"); - - ctx->flags &= ~(NFT_XT_CTX_PAYLOAD | NFT_XT_CTX_PREV_PAYLOAD); } static void parse_watcher(void *object, struct ebt_match **match_list, bool ismatch) { - struct ebt_match *m; - - m = calloc(1, sizeof(struct ebt_match)); - if (m == NULL) - xtables_error(OTHER_PROBLEM, "Can't allocate memory"); + struct ebt_match *m = xtables_calloc(1, sizeof(struct ebt_match)); if (ismatch) m->u.match = object; 
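Review bot: In `lookup_analyze_payloads` the new register checks set `ctx->errmsg` on failure, but the three `lookup_check_*` failures and the `val != val2` mismatch still only `DEBUGP` and `return -1`; `nft_bridge_parse_lookup` then simply `return`s, so unless a bare -1 is flagged somewhere outside this hunk the lookup is dropped and the rule is listed without its `among` match, which misrepresents what the kernel actually filters. Setting `ctx->errmsg = "unsupported lookup payload";` on those paths as well would make the rule show up as untranslatable instead of silently incomplete. A short comment on `case 12:` explaining that the key is `ether(6) + ipv4(4)` but presumably register-aligned to 12 bytes (hence `nft_get_next_reg(sreg, ETH_ALEN)`) would also help; that alignment is not visible here, so it should be confirmed before being stated as fact.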
@@ -495,17 +552,15 @@ (*match_list)->next = m; } -static void nft_bridge_parse_match(struct xtables_match *m, void *data) +static void nft_bridge_parse_match(struct xtables_match *m, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; - parse_watcher(m, &cs->match_list, true); } -static void nft_bridge_parse_target(struct xtables_target *t, void *data) +static void nft_bridge_parse_target(struct xtables_target *t, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; - /* harcoded names :-( */ if (strcmp(t->name, "log") == 0 || strcmp(t->name, "nflog") == 0) { @@ -514,14 +569,15 @@ } cs->target = t; + cs->jumpto = t->name; } -static void nft_rule_to_ebtables_command_state(struct nft_handle *h, +static bool nft_rule_to_ebtables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs) { cs->eb.bitmask = EBT_NOPROTO; - nft_rule_to_iptables_command_state(h, r, cs); + return nft_rule_to_iptables_command_state(h, r, cs); } static void print_iface(const char *option, const char *name, bool invert) @@ -538,7 +594,7 @@ static void nft_bridge_print_header(unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, - bool basechain, uint32_t refs, uint32_t entries) + int refs, uint32_t entries) { printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, entries, pol ?: "RETURN"); @@ -594,7 +650,7 @@ printf("! "); if (bitmask & EBT_802_3) { - printf("length "); + printf("Length "); return; } @@ -605,11 +661,10 @@ printf("%s ", ent->e_name); } -static void nft_bridge_save_rule(const void *data, unsigned int format) +static void __nft_bridge_save_rule(const struct iptables_command_state *cs, + unsigned int format) { - const struct iptables_command_state *cs = data; - - if (cs->eb.ethproto) + if (!(cs->eb.bitmask & EBT_NOPROTO)) print_protocol(cs->eb.ethproto, cs->eb.invflags & EBT_IPROTO, cs->eb.bitmask); if (cs->eb.bitmask & EBT_ISOURCE) 
@@ -656,6 +711,13 @@ fputc('\n', stdout); } +static void nft_bridge_save_rule(const struct iptables_command_state *cs, + unsigned int format) +{ + printf(" "); + __nft_bridge_save_rule(cs, format); +} + static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r, unsigned int num, unsigned int format) { @@ -665,7 +727,7 @@ printf("%d ", num); nft_rule_to_ebtables_command_state(h, r, &cs); - nft_bridge_save_rule(&cs, format); + __nft_bridge_save_rule(&cs, format); ebt_cs_clean(&cs); } @@ -677,10 +739,11 @@ printf(":%s %s\n", chain, policy ?: "ACCEPT"); } -static bool nft_bridge_is_same(const void *data_a, const void *data_b) +static bool nft_bridge_is_same(const struct iptables_command_state *cs_a, + const struct iptables_command_state *cs_b) { - const struct ebt_entry *a = data_a; - const struct ebt_entry *b = data_b; + const struct ebt_entry *a = &cs_a->eb; + const struct ebt_entry *b = &cs_b->eb; int i; if (a->ethproto != b->ethproto || @@ -732,7 +795,6 @@ struct xt_xlate_mt_params mt_params = { .ip = (const void *)&cs->eb, .numeric = numeric, - .escape_quotes = false, .match = matchp->m, }; @@ -745,7 +807,6 @@ struct xt_xlate_tg_params wt_params = { .ip = (const void *)&cs->eb, .numeric = numeric, - .escape_quotes = false, .target = watcherp->t, }; @@ -776,7 +837,6 @@ else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) xt_xlate_add(xl, " return"); else if (cs->target->xlate) { - xt_xlate_add(xl, " "); struct xt_xlate_tg_params params = { .ip = (const void *)&cs->eb, .target = cs->target->t, 
@@ -810,25 +870,23 @@ xt_xlate_add(xl, "ether %s %s", type, invert ? "!= " : ""); - xlate_mac(xl, mac); - if (memcmp(mask, one_msk, ETH_ALEN)) { int i; - xt_xlate_add(xl, " and "); + xt_xlate_add(xl, "and"); xlate_mac(xl, mask); xt_xlate_add(xl, " == %02x", mac0 & mask0); for (i=1; i < ETH_ALEN; i++) xt_xlate_add(xl, ":%02x", maci & maski); + } else { + xlate_mac(xl, mac); } - - xt_xlate_add(xl, " "); } -static int nft_bridge_xlate(const void *data, struct xt_xlate *xl) +static int nft_bridge_xlate(const struct iptables_command_state *cs, + struct xt_xlate *xl) { - const struct iptables_command_state *cs = data; int ret; xlate_ifname(xl, "iifname", cs->eb.in, @@ -840,7 +898,10 @@ xlate_ifname(xl, "meta obrname", cs->eb.logical_out, cs->eb.invflags & EBT_ILOGICALOUT); - if ((cs->eb.bitmask & EBT_NOPROTO) == 0) { + if (cs->eb.bitmask & EBT_802_3) { + xt_xlate_add(xl, "ether type %s 0x0600 ", + cs->eb.invflags & EBT_IPROTO ? ">=" : "<"); + } else if ((cs->eb.bitmask & EBT_NOPROTO) == 0) { const char *implicit = NULL; switch (ntohs(cs->eb.ethproto)) { @@ -863,9 +924,6 @@ ntohs(cs->eb.ethproto)); } - if (cs->eb.bitmask & EBT_802_3) - return 0; - if (cs->eb.bitmask & EBT_ISOURCE) nft_bridge_xlate_mac(xl, "saddr", cs->eb.invflags & EBT_ISOURCE, cs->eb.sourcemac, cs->eb.sourcemsk); @@ -889,7 +947,6 @@ .print_payload = NULL, .parse_meta = nft_bridge_parse_meta, .parse_payload = nft_bridge_parse_payload, - .parse_immediate = nft_bridge_parse_immediate, .parse_lookup = nft_bridge_parse_lookup, .parse_match = nft_bridge_parse_match, .parse_target = nft_bridge_parse_target, @@ -898,7 +955,6 @@ .print_rule = nft_bridge_print_rule, .save_rule = nft_bridge_save_rule, .save_chain = nft_bridge_save_chain, - .post_parse = NULL, .rule_to_cs = nft_rule_to_ebtables_command_state, .clear_cs = ebt_cs_clean, .xlate = nft_bridge_xlate,
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-cache.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-cache.c
@@ -40,7 +40,7 @@ } new = xtables_malloc(sizeof(*new)); - new->name = strdup(name); + new->name = xtables_strdup(name); list_add_tail(&new->head, pos ? &pos->head : list); } @@ -56,7 +56,7 @@ return; if (!req->table) - req->table = strdup(cmd->table); + req->table = xtables_strdup(cmd->table); else assert(!strcmp(req->table, cmd->table)); @@ -105,7 +105,8 @@ return; xtables_error(RESOURCE_PROBLEM, - "Could not fetch rule set generation id: %s\n", nft_strerror(errno)); + "Could not fetch rule set generation id: %s", + nft_strerror(errno)); } static int nftnl_table_list_cb(const struct nlmsghdr *nlh, void *data) @@ -141,8 +142,8 @@ char buf16536; int i, ret; - nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family, - NLM_F_DUMP, h->seq); + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family, + NLM_F_DUMP, h->seq); ret = mnl_talk(h, nlh, nftnl_table_list_cb, h); if (ret < 0 && errno == EINTR) 
@@ -202,42 +203,111 @@ return NULL; } +static int +nft_cache_add_base_chain(struct nft_handle *h, const struct builtin_table *t, + struct nft_chain *nc) +{ + uint32_t hooknum = nftnl_chain_get_u32(nc->nftnl, NFTNL_CHAIN_HOOKNUM); + const char *name = nftnl_chain_get_str(nc->nftnl, NFTNL_CHAIN_NAME); + const char *type = nftnl_chain_get_str(nc->nftnl, NFTNL_CHAIN_TYPE); + uint32_t prio = nftnl_chain_get_u32(nc->nftnl, NFTNL_CHAIN_PRIO); + const struct builtin_chain *bc = NULL; + int i; + + for (i = 0; i < NF_IP_NUMHOOKS && t->chainsi.name != NULL; i++) { + if (hooknum == t->chainsi.hook) { + bc = &t->chainsi; + break; + } + } + + if (!bc || + prio != bc->prio || + strcmp(name, bc->name) || + strcmp(type, bc->type)) + return -EINVAL; + + nc->base_slot = &h->cache->tablet->type.base_chainshooknum; + if (*nc->base_slot) + return -EEXIST; + + *nc->base_slot = nc; + return 0; +} + int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, struct nftnl_chain *c) { const char *cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); struct nft_chain *nc = nft_chain_alloc(c); + int ret; if (nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) { - uint32_t hooknum = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM); - - if (hooknum >= NF_INET_NUMHOOKS) { + ret = nft_cache_add_base_chain(h, t, nc); + if (ret) { + h->cache->tablet->type.tainted = true; nft_chain_free(nc); - return -EINVAL; + return ret; } + } else { + list_add_tail(&nc->head, + &h->cache->tablet->type.chains->list); + } + hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname)); + return 0; +} - if (h->cache->tablet->type.base_chainshooknum) { - nft_chain_free(nc); - return -EEXIST; - } +static void __nft_chain_list_sort(struct list_head *list, + int (*cmp)(struct nft_chain *a, + struct nft_chain *b)) +{ + struct nft_chain *pivot, *cur, *sav; + LIST_HEAD(sublist); - h->cache->tablet->type.base_chainshooknum = nc; - } else { - struct nft_chain_list *clist = h->cache->tablet->type.chains; - struct list_head *pos = 
&clist->list; - struct nft_chain *cur; - const char *n; - - list_for_each_entry(cur, &clist->list, head) { - n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME); - if (strcmp(cname, n) <= 0) { - pos = &cur->head; - break; - } + if (list_empty(list)) + return; + + /* grab first item as pivot (dividing) value */ + pivot = list_entry(list->next, struct nft_chain, head); + list_del(&pivot->head); + + /* move any smaller value into sublist */ + list_for_each_entry_safe(cur, sav, list, head) { + if (cmp(pivot, cur) > 0) { + list_del(&cur->head); + list_add_tail(&cur->head, &sublist); } - list_add_tail(&nc->head, pos); } - hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname)); + /* conquer divided */ + __nft_chain_list_sort(&sublist, cmp); + __nft_chain_list_sort(list, cmp); + + /* merge divided and pivot again */ + list_add_tail(&pivot->head, &sublist); + list_splice(&sublist, list); +} + +static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b) +{ + const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME); + const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME); + + return strcmp(aname, bname); +} + +int nft_cache_sort_chains(struct nft_handle *h, const char *table) +{ + const struct builtin_table *t = nft_table_builtin_find(h, table); + + if (!t) + return -1; + + if (h->cache->tablet->type.sorted) + return 0; + + __nft_chain_list_sort(&h->cache->tablet->type.chains->list, + nft_chain_cmp_byname); + h->cache->tablet->type.sorted = true; return 0; } @@ -271,9 +341,7 @@ goto out; } - if (nft_cache_add_chain(h, t, c)) - goto out; - + nft_cache_add_chain(h, t, c); return MNL_CB_OK; out: nftnl_chain_free(c); @@ -386,8 +454,8 @@ } } - nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, - h->family, flags, h->seq); + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, + h->family, flags, h->seq); if (s) { nftnl_set_nlmsg_build_payload(nlh, s); 
@@ -429,8 +497,8 @@ struct nlmsghdr *nlh; int ret; - nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, h->family, - c ? NLM_F_ACK : NLM_F_DUMP, h->seq); + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, h->family, + c ? NLM_F_ACK : NLM_F_DUMP, h->seq); if (c) nftnl_chain_nlmsg_build_payload(nlh, c); @@ -471,9 +539,15 @@ return ret; } +struct rule_list_cb_data { + struct nftnl_chain *chain; + int verbose; +}; + static int nftnl_rule_list_cb(const struct nlmsghdr *nlh, void *data) { - struct nftnl_chain *c = data; + struct rule_list_cb_data *rld = data; + struct nftnl_chain *c = rld->chain; struct nftnl_rule *r; r = nftnl_rule_alloc(); @@ -485,6 +559,10 @@ return MNL_CB_OK; } + if (rld->verbose > 1) { + nftnl_rule_fprintf(stdout, r, 0, 0); + fprintf(stdout, "\n"); + } nftnl_chain_rule_add_tail(r, c); return MNL_CB_OK; } @@ -493,6 +571,10 @@ { struct nftnl_chain *c = nc->nftnl; struct nft_handle *h = data; + struct rule_list_cb_data rld = { + .chain = c, + .verbose = h->verbose, + }; char buf16536; struct nlmsghdr *nlh; struct nftnl_rule *rule; @@ -510,11 +592,11 @@ nftnl_rule_set_str(rule, NFTNL_RULE_CHAIN, nftnl_chain_get_str(c, NFTNL_CHAIN_NAME)); - nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, h->family, - NLM_F_DUMP, h->seq); + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, h->family, + NLM_F_DUMP, h->seq); nftnl_rule_nlmsg_build_payload(nlh, rule); - ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c); + ret = mnl_talk(h, nlh, nftnl_rule_list_cb, &rld); if (ret < 0 && errno == EINTR) assert(nft_restart(h) >= 0); @@ -663,6 +745,7 @@ flush_base_chain_cache(c->tabletable->type.base_chains); nft_chain_foreach(h, tablename, __flush_chain_cache, NULL); + c->tabletable->type.sorted = false; if (c->tabletable->type.sets) nftnl_set_list_foreach(c->tabletable->type.sets, @@ -678,6 +761,7 @@ if (c->tablei.chains) { nft_chain_list_free(c->tablei.chains); c->tablei.chains = NULL; + c->tablei.sorted = false; } if (c->tablei.sets) {
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-cache.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-cache.h
Changed
@@ -16,6 +16,7 @@ void nft_cache_build(struct nft_handle *h); int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, struct nftnl_chain *c); +int nft_cache_sort_chains(struct nft_handle *h, const char *table); struct nft_chain * nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-chain.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-chain.h
Changed
@@ -9,6 +9,7 @@ struct nft_chain { struct list_head head; struct hlist_node hnode; + struct nft_chain **base_slot; struct nftnl_chain *nftnl; };
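Review bot: The new `base_slot` member has no comment, and its meaning is only recoverable from nft-cache.c, where nft_cache_add_base_chain() points it at the table's base_chains entry for the chain's hook number. A one-line comment at the declaration would help, e.g. `/* for base chains: the table's base_chains entry that refers to this chain */`. Whether it is NULL for user-defined chains depends on nft_chain_alloc() zeroing the struct, which this diff does not show, so either state that in the comment or initialise the field explicitly in the non-base path.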
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-cmd.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-cmd.c
Changed
@@ -11,6 +11,7 @@ #include <stdlib.h> #include <string.h> +#include <xtables.h> #include "nft.h" #include "nft-cmd.h" @@ -22,26 +23,26 @@ struct nftnl_rule *rule; struct nft_cmd *cmd; - cmd = calloc(1, sizeof(struct nft_cmd)); - if (!cmd) - return NULL; - + cmd = xtables_calloc(1, sizeof(struct nft_cmd)); + cmd->error.lineno = h->error.lineno; cmd->command = command; - cmd->table = strdup(table); + cmd->table = xtables_strdup(table); if (chain) - cmd->chain = strdup(chain); + cmd->chain = xtables_strdup(chain); cmd->rulenum = rulenum; cmd->verbose = verbose; if (state) { rule = nft_rule_new(h, chain, table, state); - if (!rule) + if (!rule) { + nft_cmd_free(cmd); return NULL; + } cmd->obj.rule = rule; if (!state->target && strlen(state->jumpto) > 0) - cmd->jumpto = strdup(state->jumpto); + cmd->jumpto = xtables_strdup(state->jumpto); } list_add_tail(&cmd->head, &h->cmd_list); @@ -167,7 +168,9 @@ if (!cmd) return 0; - if (chain || verbose) + if (h->family == NFPROTO_BRIDGE) + nft_cache_level_set(h, NFT_CL_RULES, cmd); + else if (chain || verbose) nft_cache_level_set(h, NFT_CL_CHAINS, cmd); else nft_cache_level_set(h, NFT_CL_TABLES, cmd); @@ -185,7 +188,7 @@ if (!cmd) return 0; - nft_cache_level_set(h, NFT_CL_CHAINS, cmd); + nft_cache_level_set(h, NFT_CL_RULES, cmd); return 1; } @@ -205,12 +208,12 @@ return 1; } -int nft_cmd_chain_user_del(struct nft_handle *h, const char *chain, - const char *table, bool verbose) +int nft_cmd_chain_del(struct nft_handle *h, const char *chain, + const char *table, bool verbose) { struct nft_cmd *cmd; - cmd = nft_cmd_new(h, NFT_COMPAT_CHAIN_USER_DEL, table, chain, NULL, -1, + cmd = nft_cmd_new(h, NFT_COMPAT_CHAIN_DEL, table, chain, NULL, -1, verbose); if (!cmd) return 0; 
@@ -218,7 +221,7 @@ /* This triggers nft_bridge_chain_postprocess() when fetching the * rule cache. */ - if (h->family == NFPROTO_BRIDGE) + if (h->family == NFPROTO_BRIDGE || !chain) nft_cache_level_set(h, NFT_CL_RULES, cmd); else nft_cache_level_set(h, NFT_CL_CHAINS, cmd); @@ -236,7 +239,7 @@ if (!cmd) return 0; - cmd->rename = strdup(newname); + cmd->rename = xtables_strdup(newname); nft_cache_level_set(h, NFT_CL_CHAINS, cmd); @@ -302,7 +305,7 @@ if (!cmd) return 0; - cmd->policy = strdup(policy); + cmd->policy = xtables_strdup(policy); if (counters) cmd->counters = *counters; @@ -317,7 +320,7 @@ if (verbose) { return nft_cmd_rule_flush(h, NULL, table, verbose) && - nft_cmd_chain_user_del(h, NULL, table, verbose); + nft_cmd_chain_del(h, NULL, table, verbose); } cmd = nft_cmd_new(h, NFT_COMPAT_TABLE_FLUSH, table, NULL, NULL, -1, @@ -387,7 +390,7 @@ if (!cmd) return 0; - cmd->policy = strdup(policy); + cmd->policy = xtables_strdup(policy); nft_cache_level_set(h, NFT_CL_RULES, cmd);
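Review bot: In nft_cmd_new (hunk @@ -22,26 +23,26 @@) the new error path calls `nft_cmd_free(cmd)` before `list_add_tail(&cmd->head, &h->cmd_list)` has run, so `cmd->head` is still the zeroed node produced by xtables_calloc(); if nft_cmd_free() unlinks the command from the list, which its body outside this diff may well do, that is a list_del() on NULL neighbours. Either initialise the node right after allocation, `INIT_LIST_HEAD(&cmd->head);`, or move the `list_add_tail()` above the `if (state)` block so the free path always sees a linked node. nft_cmd_new's signature lies above the hunk.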
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-cmd.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-cmd.h
Changed
@@ -24,6 +24,9 @@ struct xt_counters counters; const char *rename; int counters_save; + struct { + unsigned int lineno; + } error; }; struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, @@ -49,8 +52,8 @@ const char *table, bool verbose); int nft_cmd_chain_user_add(struct nft_handle *h, const char *chain, const char *table); -int nft_cmd_chain_user_del(struct nft_handle *h, const char *chain, - const char *table, bool verbose); +int nft_cmd_chain_del(struct nft_handle *h, const char *chain, + const char *table, bool verbose); int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose); int nft_cmd_rule_list(struct nft_handle *h, const char *chain,
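Review bot: The new anonymous `error` struct with its `lineno` member carries no comment, and the only writer visible in this series is nft_cmd_new() copying `h->error.lineno` when the command is created. Suggest `/* h->error.lineno at the time the command was queued */` on the member; if the consumer uses it for diagnostics on a failed command, say so there too, since this diff does not show the reader.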
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-ipv4.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-ipv4.c
Changed
@@ -26,54 +26,56 @@ #include "nft.h" #include "nft-shared.h" -static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data) +static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct xtables_rule_match *matchp; uint32_t op; int ret; if (cs->fw.ip.iniface0 != '\0') { op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_IN); - add_iniface(r, cs->fw.ip.iniface, op); + add_iniface(h, r, cs->fw.ip.iniface, op); } if (cs->fw.ip.outiface0 != '\0') { op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_OUT); - add_outiface(r, cs->fw.ip.outiface, op); + add_outiface(h, r, cs->fw.ip.outiface, op); } if (cs->fw.ip.proto != 0) { op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO); - add_l4proto(r, cs->fw.ip.proto, op); + add_l4proto(h, r, cs->fw.ip.proto, op); } if (cs->fw.ip.src.s_addr || cs->fw.ip.smsk.s_addr || cs->fw.ip.invflags & IPT_INV_SRCIP) { op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_SRCIP); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct iphdr, saddr), &cs->fw.ip.src.s_addr, &cs->fw.ip.smsk.s_addr, sizeof(struct in_addr), op); } if (cs->fw.ip.dst.s_addr || cs->fw.ip.dmsk.s_addr || cs->fw.ip.invflags & IPT_INV_DSTIP) { op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_DSTIP); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct iphdr, daddr), &cs->fw.ip.dst.s_addr, &cs->fw.ip.dmsk.s_addr, sizeof(struct in_addr), op); } if (cs->fw.ip.flags & IPT_F_FRAG) { - add_payload(r, offsetof(struct iphdr, frag_off), 2, - NFT_PAYLOAD_NETWORK_HEADER); + uint8_t reg; + + add_payload(h, r, offsetof(struct iphdr, frag_off), 2, + NFT_PAYLOAD_NETWORK_HEADER, ®); /* get the 13 bits that contain the fragment offset */ - add_bitwise_u16(r, htons(0x1fff), 0); + add_bitwise_u16(h, r, htons(0x1fff), 0, reg, ®); /* if offset is non-zero, this is a fragment */ 
op = NFT_CMP_NEQ; if (cs->fw.ip.invflags & IPT_INV_FRAG) op = NFT_CMP_EQ; - add_cmp_u16(r, 0, op); + add_cmp_u16(r, 0, op, reg); } add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO); @@ -93,12 +95,9 @@ return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO)); } -static bool nft_ipv4_is_same(const void *data_a, - const void *data_b) +static bool nft_ipv4_is_same(const struct iptables_command_state *a, + const struct iptables_command_state *b) { - const struct iptables_command_state *a = data_a; - const struct iptables_command_state *b = data_b; - if (a->fw.ip.src.s_addr != b->fw.ip.src.s_addr || a->fw.ip.dst.s_addr != b->fw.ip.dst.s_addr || a->fw.ip.smsk.s_addr != b->fw.ip.smsk.s_addr 
@@ -116,56 +115,28 @@ b->fw.ip.iniface_mask, b->fw.ip.outiface_mask); } -static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv) +static bool get_frag(const struct nft_xt_ctx_reg *reg, struct nftnl_expr *e) { uint8_t op; /* we assume correct mask and xor */ - if (!(ctx->flags & NFT_XT_CTX_BITWISE)) - return; + if (!reg->bitwise.set) + return false; /* we assume correct data */ op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP); if (op == NFT_CMP_EQ) - *inv = true; - else - *inv = false; - - ctx->flags &= ~NFT_XT_CTX_BITWISE; -} - -static const char *mask_to_str(uint32_t mask) -{ - static char mask_strsizeof("255.255.255.255"); - uint32_t bits, hmask = ntohl(mask); - struct in_addr mask_addr = { - .s_addr = mask, - }; - int i; - - if (mask == 0xFFFFFFFFU) { - sprintf(mask_str, "32"); - return mask_str; - } + return true; - i = 32; - bits = 0xFFFFFFFEU; - while (--i >= 0 && hmask != bits) - bits <<= 1; - if (i >= 0) - sprintf(mask_str, "%u", i); - else - sprintf(mask_str, "%s", inet_ntoa(mask_addr)); - - return mask_str; + return false; } -static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data) +static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; - - switch (ctx->meta.key) { + switch (reg->meta_dreg.key) { case NFT_META_L4PROTO: cs->fw.ip.proto = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA); if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ) 
@@ -175,34 +146,37 @@ break; } - parse_meta(e, ctx->meta.key, cs->fw.ip.iniface, cs->fw.ip.iniface_mask, + if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface, cs->fw.ip.iniface_mask, cs->fw.ip.outiface, cs->fw.ip.outiface_mask, - &cs->fw.ip.invflags); + &cs->fw.ip.invflags) == 0) + return; + + ctx->errmsg = "unknown ipv4 meta key"; } -static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask) +static void parse_mask_ipv4(const struct nft_xt_ctx_reg *sreg, struct in_addr *mask) { - mask->s_addr = ctx->bitwise.mask0; + mask->s_addr = sreg->bitwise.mask0; } static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx, - struct nftnl_expr *e, void *data) + const struct nft_xt_ctx_reg *sreg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct in_addr addr; uint8_t proto; bool inv; - switch(ctx->payload.offset) { + switch (sreg->payload.offset) { case offsetof(struct iphdr, saddr): get_cmp_data(e, &addr, sizeof(addr), &inv); cs->fw.ip.src.s_addr = addr.s_addr; - if (ctx->flags & NFT_XT_CTX_BITWISE) { - parse_mask_ipv4(ctx, &cs->fw.ip.smsk); - ctx->flags &= ~NFT_XT_CTX_BITWISE; + if (sreg->bitwise.set) { + parse_mask_ipv4(sreg, &cs->fw.ip.smsk); } else { memset(&cs->fw.ip.smsk, 0xff, - min(ctx->payload.len, sizeof(struct in_addr))); + min(sreg->payload.len, sizeof(struct in_addr))); } if (inv) @@ -211,13 +185,11 @@ case offsetof(struct iphdr, daddr): get_cmp_data(e, &addr, sizeof(addr), &inv); cs->fw.ip.dst.s_addr = addr.s_addr; - if (ctx->flags & NFT_XT_CTX_BITWISE) { - parse_mask_ipv4(ctx, &cs->fw.ip.dmsk); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (sreg->bitwise.set) + parse_mask_ipv4(sreg, &cs->fw.ip.dmsk); + else memset(&cs->fw.ip.dmsk, 0xff, - min(ctx->payload.len, sizeof(struct in_addr))); - } + min(sreg->payload.len, sizeof(struct in_addr))); if (inv) cs->fw.ip.invflags |= IPT_INV_DSTIP; 
@@ -230,39 +202,24 @@ break; case offsetof(struct iphdr, frag_off): cs->fw.ip.flags |= IPT_F_FRAG; - inv = false; - get_frag(ctx, e, &inv); + inv = get_frag(sreg, e); if (inv) cs->fw.ip.invflags |= IPT_INV_FRAG; break; + case offsetof(struct iphdr, ttl): + if (nft_parse_hl(ctx, e, cs) < 0) + ctx->errmsg = "invalid ttl field match"; + break; default: - DEBUGP("unknown payload offset %d\n", ctx->payload.offset); + DEBUGP("unknown payload offset %d\n", sreg->payload.offset); + ctx->errmsg = "unknown payload offset"; break; } } -static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto, - void *data) -{ - struct iptables_command_state *cs = data; - - cs->jumpto = jumpto; - - if (nft_goto) - cs->fw.ip.flags |= IPT_F_GOTO; -} - -static void print_fragment(unsigned int flags, unsigned int invflags, - unsigned int format) +static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs) { - if (!(format & FMT_OPTIONS)) - return; - - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout); - fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); - fputc(' ', stdout); + cs->fw.ip.flags |= IPT_F_GOTO; } static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, @@ -272,9 +229,9 @@ nft_rule_to_iptables_command_state(h, r, &cs); - print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags, - cs.fw.ip.invflags, cs.fw.ip.proto, num, format); - print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format); + print_rule_details(num, &cs.counters, cs.jumpto, cs.fw.ip.proto, + cs.fw.ip.flags, cs.fw.ip.invflags, format); + print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format, false); print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags, format); print_ipv4_addresses(&cs.fw, format); 
@@ -292,100 +249,57 @@ if (!(format & FMT_NONEWLINE)) fputc('\n', stdout); - nft_clear_iptables_command_state(&cs); -} - -static void save_ipv4_addr(char letter, const struct in_addr *addr, - uint32_t mask, int invert) -{ - if (!mask && !invert && !addr->s_addr) - return; - - printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr), - mask_to_str(mask)); + xtables_clear_iptables_command_state(&cs); } -static void nft_ipv4_save_rule(const void *data, unsigned int format) +static void nft_ipv4_save_rule(const struct iptables_command_state *cs, + unsigned int format) { - const struct iptables_command_state *cs = data; - - save_ipv4_addr('s', &cs->fw.ip.src, cs->fw.ip.smsk.s_addr, + save_ipv4_addr('s', &cs->fw.ip.src, &cs->fw.ip.smsk, cs->fw.ip.invflags & IPT_INV_SRCIP); - save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr, + save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk, cs->fw.ip.invflags & IPT_INV_DSTIP); - save_rule_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto, - cs->fw.ip.iniface, cs->fw.ip.iniface_mask, - cs->fw.ip.outiface, cs->fw.ip.outiface_mask); - - if (cs->fw.ip.flags & IPT_F_FRAG) { - if (cs->fw.ip.invflags & IPT_INV_FRAG) - printf("! 
"); - printf("-f "); - } + save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask, + cs->fw.ip.outiface, cs->fw.ip.outiface_mask, + cs->fw.ip.proto, cs->fw.ip.flags & IPT_F_FRAG, + cs->fw.ip.invflags); save_matches_and_target(cs, cs->fw.ip.flags & IPT_F_GOTO, &cs->fw, format); } -static void nft_ipv4_proto_parse(struct iptables_command_state *cs, - struct xtables_args *args) -{ - cs->fw.ip.proto = args->proto; - cs->fw.ip.invflags = args->invflags; -} - -static void nft_ipv4_post_parse(int command, - struct iptables_command_state *cs, - struct xtables_args *args) +static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, + const struct in_addr *mask, + bool inv, struct xt_xlate *xl) { - cs->fw.ip.flags = args->flags; - /* We already set invflags in proto_parse, but we need to refresh it - * to include new parsed options. - */ - cs->fw.ip.invflags = args->invflags; - - strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw.ip.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); + char mbufINET_ADDRSTRLEN, abufINET_ADDRSTRLEN; + const char *op = inv ? "!= " : ""; + int cidr; - strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw.ip.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); - - if (args->goto_set) - cs->fw.ip.flags |= IPT_F_GOTO; + if (!inv && !addr->s_addr && !mask->s_addr) + return; - cs->counters.pcnt = args->pcnt_cnt; - cs->counters.bcnt = args->bcnt_cnt; + inet_ntop(AF_INET, addr, abuf, sizeof(abuf)); - if (command & (CMD_REPLACE | CMD_INSERT | - CMD_DELETE | CMD_APPEND | CMD_CHECK)) { - if (!(cs->options & OPT_DESTINATION)) - args->dhostnetworkmask = "0.0.0.0/0"; - if (!(cs->options & OPT_SOURCE)) - args->shostnetworkmask = "0.0.0.0/0"; + cidr = xtables_ipmask_to_cidr(mask); + switch (cidr) { + case -1: + xt_xlate_add(xl, "%s & %s %s %s ", selector, + inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)), + inv ? 
"!=" : "==", abuf); + break; + case 32: + xt_xlate_add(xl, "%s %s%s ", selector, op, abuf); + break; + default: + xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr); } - - if (args->shostnetworkmask) - xtables_ipparse_multiple(args->shostnetworkmask, - &args->s.addr.v4, &args->s.mask.v4, - &args->s.naddrs); - if (args->dhostnetworkmask) - xtables_ipparse_multiple(args->dhostnetworkmask, - &args->d.addr.v4, &args->d.mask.v4, - &args->d.naddrs); - - if ((args->s.naddrs > 1 || args->d.naddrs > 1) && - (cs->fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, - "! not allowed with multiple" - " source or destination IP addresses"); } -static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) +static int nft_ipv4_xlate(const struct iptables_command_state *cs, + struct xt_xlate *xl) { - const struct iptables_command_state *cs = data; const char *comment; int ret; @@ -417,18 +331,10 @@ } } - if (cs->fw.ip.src.s_addr != 0) { - xt_xlate_add(xl, "ip saddr %s%s%s ", - cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "", - inet_ntoa(cs->fw.ip.src), - xtables_ipmask_to_numeric(&cs->fw.ip.smsk)); - } - if (cs->fw.ip.dst.s_addr != 0) { - xt_xlate_add(xl, "ip daddr %s%s%s ", - cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "", - inet_ntoa(cs->fw.ip.dst), - xtables_ipmask_to_numeric(&cs->fw.ip.dmsk)); - } + xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk, + cs->fw.ip.invflags & IPT_INV_SRCIP, xl); + xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk, + cs->fw.ip.invflags & IPT_INV_DSTIP, xl); ret = xlate_matches(cs, xl); if (!ret) 
@@ -445,20 +351,115 @@ return ret; } +static int +nft_ipv4_add_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->fw.ip.src.s_addr = args->s.addr.v4i.s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4i.s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->fw.ip.dst.s_addr = args->d.addr.v4j.s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4j.s_addr; + + if (append) { + ret = nft_cmd_rule_append(h, chain, table, + cs, NULL, verbose); + } else { + ret = nft_cmd_rule_insert(h, chain, table, + cs, rulenum, verbose); + } + } + } + + return ret; +} + +static int +nft_ipv4_delete_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->fw.ip.src.s_addr = args->s.addr.v4i.s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4i.s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->fw.ip.dst.s_addr = args->d.addr.v4j.s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4j.s_addr; + ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv4_check_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + cs->fw.ip.src.s_addr = args->s.addr.v4i.s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4i.s_addr; + for (j = 0; j < args->d.naddrs; j++) { + cs->fw.ip.dst.s_addr = args->d.addr.v4j.s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4j.s_addr; + ret = nft_cmd_rule_check(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv4_replace_entry(struct nft_handle *h, 
+ const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum) +{ + cs->fw.ip.src.s_addr = args->s.addr.v4->s_addr; + cs->fw.ip.dst.s_addr = args->d.addr.v4->s_addr; + cs->fw.ip.smsk.s_addr = args->s.mask.v4->s_addr; + cs->fw.ip.dmsk.s_addr = args->d.mask.v4->s_addr; + + return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); +} + struct nft_family_ops nft_family_ops_ipv4 = { .add = nft_ipv4_add, .is_same = nft_ipv4_is_same, .parse_meta = nft_ipv4_parse_meta, .parse_payload = nft_ipv4_parse_payload, - .parse_immediate = nft_ipv4_parse_immediate, + .set_goto_flag = nft_ipv4_set_goto_flag, .print_header = print_header, .print_rule = nft_ipv4_print_rule, .save_rule = nft_ipv4_save_rule, .save_chain = nft_ipv46_save_chain, - .proto_parse = nft_ipv4_proto_parse, - .post_parse = nft_ipv4_post_parse, + .cmd_parse = { + .proto_parse = ipv4_proto_parse, + .post_parse = ipv4_post_parse, + }, .parse_target = nft_ipv46_parse_target, .rule_to_cs = nft_rule_to_iptables_command_state, - .clear_cs = nft_clear_iptables_command_state, + .clear_cs = xtables_clear_iptables_command_state, .xlate = nft_ipv4_xlate, + .add_entry = nft_ipv4_add_entry, + .delete_entry = nft_ipv4_delete_entry, + .check_entry = nft_ipv4_check_entry, + .replace_entry = nft_ipv4_replace_entry, };
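Review bot: In nft_ipv4_add_entry the per-iteration `ret = nft_cmd_rule_append(...)` / `ret = nft_cmd_rule_insert(...)` overwrites the result of earlier iterations, so when a rule fails for one source/destination combination but a later one succeeds the function still reports success; the nft-cmd.c section shows these helpers return 0 when nft_cmd_new() yields NULL, so the failure is real. nft_ipv4_delete_entry and nft_ipv4_check_entry have the same pattern with nft_cmd_rule_delete() and nft_cmd_rule_check(). Accumulate instead, e.g. `ret &= nft_cmd_rule_append(h, chain, table, cs, NULL, verbose);` (and likewise for the insert, delete and check calls), or return on the first failure.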
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-ipv6.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-ipv6.c
Changed
@@ -25,33 +25,33 @@ #include "nft.h" #include "nft-shared.h" -static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data) +static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct xtables_rule_match *matchp; uint32_t op; int ret; if (cs->fw6.ipv6.iniface0 != '\0') { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_IN); - add_iniface(r, cs->fw6.ipv6.iniface, op); + add_iniface(h, r, cs->fw6.ipv6.iniface, op); } if (cs->fw6.ipv6.outiface0 != '\0') { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_OUT); - add_outiface(r, cs->fw6.ipv6.outiface, op); + add_outiface(h, r, cs->fw6.ipv6.outiface, op); } if (cs->fw6.ipv6.proto != 0) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, XT_INV_PROTO); - add_l4proto(r, cs->fw6.ipv6.proto, op); + add_l4proto(h, r, cs->fw6.ipv6.proto, op); } if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src) || !IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.smsk) || (cs->fw6.ipv6.invflags & IPT_INV_SRCIP)) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_SRCIP); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct ip6_hdr, ip6_src), &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk, sizeof(struct in6_addr), op); @@ -60,7 +60,7 @@ !IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dmsk) || (cs->fw6.ipv6.invflags & IPT_INV_DSTIP)) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_DSTIP); - add_addr(r, NFT_PAYLOAD_NETWORK_HEADER, + add_addr(h, r, NFT_PAYLOAD_NETWORK_HEADER, offsetof(struct ip6_hdr, ip6_dst), &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk, sizeof(struct in6_addr), op); 
@@ -82,12 +82,9 @@ return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO)); } -static bool nft_ipv6_is_same(const void *data_a, - const void *data_b) +static bool nft_ipv6_is_same(const struct iptables_command_state *a, + const struct iptables_command_state *b) { - const struct iptables_command_state *a = data_a; - const struct iptables_command_state *b = data_b; - if (memcmp(a->fw6.ipv6.src.s6_addr, b->fw6.ipv6.src.s6_addr, sizeof(struct in6_addr)) != 0 || memcmp(a->fw6.ipv6.dst.s6_addr, b->fw6.ipv6.dst.s6_addr, @@ -107,12 +104,12 @@ b->fw6.ipv6.outiface_mask); } -static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data) +static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx, + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; - - switch (ctx->meta.key) { + switch (reg->meta_dreg.key) { case NFT_META_L4PROTO: cs->fw6.ipv6.proto = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA); if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ) 
@@ -122,35 +119,38 @@ break; } - parse_meta(e, ctx->meta.key, cs->fw6.ipv6.iniface, + if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask, cs->fw6.ipv6.outiface, - cs->fw6.ipv6.outiface_mask, &cs->fw6.ipv6.invflags); + cs->fw6.ipv6.outiface_mask, &cs->fw6.ipv6.invflags) == 0) + return; + + ctx->errmsg = "unknown ipv6 meta key"; } -static void parse_mask_ipv6(struct nft_xt_ctx *ctx, struct in6_addr *mask) +static void parse_mask_ipv6(const struct nft_xt_ctx_reg *reg, + struct in6_addr *mask) { - memcpy(mask, ctx->bitwise.mask, sizeof(struct in6_addr)); + memcpy(mask, reg->bitwise.mask, sizeof(struct in6_addr)); } static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx, - struct nftnl_expr *e, void *data) + const struct nft_xt_ctx_reg *reg, + struct nftnl_expr *e, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; struct in6_addr addr; uint8_t proto; bool inv; - switch (ctx->payload.offset) { + switch (reg->payload.offset) { case offsetof(struct ip6_hdr, ip6_src): get_cmp_data(e, &addr, sizeof(addr), &inv); memcpy(cs->fw6.ipv6.src.s6_addr, &addr, sizeof(addr)); - if (ctx->flags & NFT_XT_CTX_BITWISE) { - parse_mask_ipv6(ctx, &cs->fw6.ipv6.smsk); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + parse_mask_ipv6(reg, &cs->fw6.ipv6.smsk); + else memset(&cs->fw6.ipv6.smsk, 0xff, - min(ctx->payload.len, sizeof(struct in6_addr))); - } + min(reg->payload.len, sizeof(struct in6_addr))); if (inv) cs->fw6.ipv6.invflags |= IP6T_INV_SRCIP; 
@@ -158,13 +158,11 @@ case offsetof(struct ip6_hdr, ip6_dst): get_cmp_data(e, &addr, sizeof(addr), &inv); memcpy(cs->fw6.ipv6.dst.s6_addr, &addr, sizeof(addr)); - if (ctx->flags & NFT_XT_CTX_BITWISE) { - parse_mask_ipv6(ctx, &cs->fw6.ipv6.dmsk); - ctx->flags &= ~NFT_XT_CTX_BITWISE; - } else { + if (reg->bitwise.set) + parse_mask_ipv6(reg, &cs->fw6.ipv6.dmsk); + else memset(&cs->fw6.ipv6.dmsk, 0xff, - min(ctx->payload.len, sizeof(struct in6_addr))); - } + min(reg->payload.len, sizeof(struct in6_addr))); if (inv) cs->fw6.ipv6.invflags |= IP6T_INV_DSTIP; @@ -174,21 +172,20 @@ cs->fw6.ipv6.proto = proto; if (inv) cs->fw6.ipv6.invflags |= IP6T_INV_PROTO; + case offsetof(struct ip6_hdr, ip6_hlim): + if (nft_parse_hl(ctx, e, cs) < 0) + ctx->errmsg = "invalid ttl field match"; + break; default: - DEBUGP("unknown payload offset %d\n", ctx->payload.offset); + DEBUGP("unknown payload offset %d\n", reg->payload.offset); + ctx->errmsg = "unknown payload offset"; break; } } -static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto, - void *data) +static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; - - cs->jumpto = jumpto; - - if (nft_goto) - cs->fw6.ipv6.flags |= IP6T_F_GOTO; + cs->fw6.ipv6.flags |= IP6T_F_GOTO; } static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r, @@ -198,14 +195,9 @@ nft_rule_to_iptables_command_state(h, r, &cs); - print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags, - cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto, - num, format); - if (format & FMT_OPTIONS) { - if (format & FMT_NOTABLE) - fputs("opt ", stdout); - fputs(" ", stdout); - } + print_rule_details(num, &cs.counters, cs.jumpto, cs.fw6.ipv6.proto, + cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format); + print_fragment(cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, format, true); print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface, cs.fw6.ipv6.invflags, format); print_ipv6_addresses(&cs.fw6, format); 
@@ -221,135 +213,55 @@ if (!(format & FMT_NONEWLINE)) fputc('\n', stdout); - nft_clear_iptables_command_state(&cs); + xtables_clear_iptables_command_state(&cs); } -static void save_ipv6_addr(char letter, const struct in6_addr *addr, - const struct in6_addr *mask, - int invert) +static void nft_ipv6_save_rule(const struct iptables_command_state *cs, + unsigned int format) { - char addr_strINET6_ADDRSTRLEN; - int l = xtables_ip6mask_to_cidr(mask); - - if (!invert && l == 0) - return; - - printf("%s-%c %s", - invert ? "! " : "", letter, - inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str))); - - if (l == -1) - printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str))); - else - printf("/%d ", l); -} - -static void nft_ipv6_save_rule(const void *data, unsigned int format) -{ - const struct iptables_command_state *cs = data; - save_ipv6_addr('s', &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk, cs->fw6.ipv6.invflags & IP6T_INV_SRCIP); save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk, cs->fw6.ipv6.invflags & IP6T_INV_DSTIP); - save_rule_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto, - cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask, - cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask); + save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask, + cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask, + cs->fw6.ipv6.proto, 0, cs->fw6.ipv6.invflags); save_matches_and_target(cs, cs->fw6.ipv6.flags & IP6T_F_GOTO, &cs->fw6, format); } -/* These are invalid numbers as upper layer protocol */ -static int is_exthdr(uint16_t proto) -{ - return (proto == IPPROTO_ROUTING || - proto == IPPROTO_FRAGMENT || - proto == IPPROTO_AH || - proto == IPPROTO_DSTOPTS); -} - -static void nft_ipv6_proto_parse(struct iptables_command_state *cs, - struct xtables_args *args) -{ - cs->fw6.ipv6.proto = args->proto; - cs->fw6.ipv6.invflags = args->invflags; - - if (is_exthdr(cs->fw6.ipv6.proto) - && (cs->fw6.ipv6.invflags & XT_INV_PROTO) == 0) - fprintf(stderr, - "Warning: 
never matched protocol: %s. " - "use extension match instead.\n", - cs->protocol); -} - -static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, - struct xtables_args *args) -{ - cs->fw6.ipv6.flags = args->flags; - /* We already set invflags in proto_parse, but we need to refresh it - * to include new parsed options. - */ - cs->fw6.ipv6.invflags = args->invflags; - - strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); - - strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); - - if (args->goto_set) - cs->fw6.ipv6.flags |= IP6T_F_GOTO; - - cs->fw6.counters.pcnt = args->pcnt_cnt; - cs->fw6.counters.bcnt = args->bcnt_cnt; - - if (command & (CMD_REPLACE | CMD_INSERT | - CMD_DELETE | CMD_APPEND | CMD_CHECK)) { - if (!(cs->options & OPT_DESTINATION)) - args->dhostnetworkmask = "::0/0"; - if (!(cs->options & OPT_SOURCE)) - args->shostnetworkmask = "::0/0"; - } - - if (args->shostnetworkmask) - xtables_ip6parse_multiple(args->shostnetworkmask, - &args->s.addr.v6, - &args->s.mask.v6, - &args->s.naddrs); - if (args->dhostnetworkmask) - xtables_ip6parse_multiple(args->dhostnetworkmask, - &args->d.addr.v6, - &args->d.mask.v6, - &args->d.naddrs); - - if ((args->s.naddrs > 1 || args->d.naddrs > 1) && - (cs->fw6.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, - "! not allowed with multiple" - " source or destination IP addresses"); -} - static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr, const struct in6_addr *mask, int invert, struct xt_xlate *xl) { + const char *op = invert ? 
"!= " : ""; char addr_strINET6_ADDRSTRLEN; + int cidr; - if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr)) + if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask)) return; inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN); - xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str, - xtables_ip6mask_to_numeric(mask)); + cidr = xtables_ip6mask_to_cidr(mask); + switch (cidr) { + case -1: + xt_xlate_add(xl, "%s & %s %s %s ", selector, + xtables_ip6addr_to_numeric(mask), + invert ? "!=" : "==", addr_str); + break; + case 128: + xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str); + break; + default: + xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr); + } } -static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) +static int nft_ipv6_xlate(const struct iptables_command_state *cs, + struct xt_xlate *xl) { - const struct iptables_command_state *cs = data; const char *comment; int ret; 
@@ -397,20 +309,126 @@ return ret; } +static int +nft_ipv6_add_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + memcpy(&cs->fw6.ipv6.src, + &args->s.addr.v6i, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, + &args->s.mask.v6i, sizeof(struct in6_addr)); + for (j = 0; j < args->d.naddrs; j++) { + memcpy(&cs->fw6.ipv6.dst, + &args->d.addr.v6j, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, + &args->d.mask.v6j, sizeof(struct in6_addr)); + if (append) { + ret = nft_cmd_rule_append(h, chain, table, + cs, NULL, verbose); + } else { + ret = nft_cmd_rule_insert(h, chain, table, + cs, rulenum, verbose); + } + } + } + + return ret; +} + +static int +nft_ipv6_delete_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + memcpy(&cs->fw6.ipv6.src, + &args->s.addr.v6i, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, + &args->s.mask.v6i, sizeof(struct in6_addr)); + for (j = 0; j < args->d.naddrs; j++) { + memcpy(&cs->fw6.ipv6.dst, + &args->d.addr.v6j, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, + &args->d.mask.v6j, sizeof(struct in6_addr)); + ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv6_check_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose) +{ + unsigned int i, j; + int ret = 1; + + for (i = 0; i < args->s.naddrs; i++) { + memcpy(&cs->fw6.ipv6.src, + &args->s.addr.v6i, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, + &args->s.mask.v6i, sizeof(struct in6_addr)); + for (j = 0; j < args->d.naddrs; j++) 
{ + memcpy(&cs->fw6.ipv6.dst, + &args->d.addr.v6j, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, + &args->d.mask.v6j, sizeof(struct in6_addr)); + ret = nft_cmd_rule_check(h, chain, table, cs, verbose); + } + } + + return ret; +} + +static int +nft_ipv6_replace_entry(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum) +{ + memcpy(&cs->fw6.ipv6.src, args->s.addr.v6, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dst, args->d.addr.v6, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.smsk, args->s.mask.v6, sizeof(struct in6_addr)); + memcpy(&cs->fw6.ipv6.dmsk, args->d.mask.v6, sizeof(struct in6_addr)); + + return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); +} + struct nft_family_ops nft_family_ops_ipv6 = { .add = nft_ipv6_add, .is_same = nft_ipv6_is_same, .parse_meta = nft_ipv6_parse_meta, .parse_payload = nft_ipv6_parse_payload, - .parse_immediate = nft_ipv6_parse_immediate, + .set_goto_flag = nft_ipv6_set_goto_flag, .print_header = print_header, .print_rule = nft_ipv6_print_rule, .save_rule = nft_ipv6_save_rule, .save_chain = nft_ipv46_save_chain, - .proto_parse = nft_ipv6_proto_parse, - .post_parse = nft_ipv6_post_parse, + .cmd_parse = { + .proto_parse = ipv6_proto_parse, + .post_parse = ipv6_post_parse, + }, .parse_target = nft_ipv46_parse_target, .rule_to_cs = nft_rule_to_iptables_command_state, - .clear_cs = nft_clear_iptables_command_state, + .clear_cs = xtables_clear_iptables_command_state, .xlate = nft_ipv6_xlate, + .add_entry = nft_ipv6_add_entry, + .delete_entry = nft_ipv6_delete_entry, + .check_entry = nft_ipv6_check_entry, + .replace_entry = nft_ipv6_replace_entry, };
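Review bot: In nft_ipv6_add_entry, nft_ipv6_delete_entry and nft_ipv6_check_entry the result variable `ret` is overwritten on every iteration of the nested address loops, so a failed `nft_cmd_rule_*` call for one source/destination pair is masked whenever a later pair succeeds and the caller reports success for a partially applied rule. Given the initial `ret = 1` looks like the usual 1-is-success convention, either stop at the first failure (`if (!ret) return ret;` after each call) or fold results with `ret &= ...`. The three functions also repeat the identical memcpy loop over `args->s` and `args->d`; a single static iterator taking the per-pair command as a callback would keep them from drifting apart.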
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-shared.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-shared.c
@@ -10,6 +10,7 @@ * This code has been sponsored by Sophos Astaro <http://www.sophos.com> */ +#include <assert.h> #include <string.h> #include <stdio.h> #include <stdlib.h> @@ -20,8 +21,14 @@ #include <xtables.h> +#include <linux/netfilter/nf_log.h> #include <linux/netfilter/xt_comment.h> #include <linux/netfilter/xt_limit.h> +#include <linux/netfilter/xt_NFLOG.h> +#include <linux/netfilter/xt_mark.h> +#include <linux/netfilter/xt_pkttype.h> + +#include <linux/netfilter_ipv6/ip6t_hl.h> #include <libmnl/libmnl.h> #include <libnftnl/rule.h> 
@@ -37,136 +44,166 @@ extern struct nft_family_ops nft_family_ops_arp; extern struct nft_family_ops nft_family_ops_bridge; -void add_meta(struct nftnl_rule *r, uint32_t key) +static struct nftnl_expr *xt_nftnl_expr_alloc(const char *name) +{ + struct nftnl_expr *expr = nftnl_expr_alloc(name); + + if (expr) + return expr; + + xtables_error(RESOURCE_PROBLEM, + "Failed to allocate nftnl expression '%s'", name); +} + +void add_meta(struct nft_handle *h, struct nftnl_rule *r, uint32_t key, + uint8_t *dreg) { struct nftnl_expr *expr; + uint8_t reg; - expr = nftnl_expr_alloc("meta"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("meta"); + reg = NFT_REG_1; nftnl_expr_set_u32(expr, NFTNL_EXPR_META_KEY, key); - nftnl_expr_set_u32(expr, NFTNL_EXPR_META_DREG, NFT_REG_1); - + nftnl_expr_set_u32(expr, NFTNL_EXPR_META_DREG, reg); nftnl_rule_add_expr(r, expr); + + *dreg = reg; } -void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base) +void add_payload(struct nft_handle *h, struct nftnl_rule *r, + int offset, int len, uint32_t base, uint8_t *dreg) { struct nftnl_expr *expr; + uint8_t reg; - expr = nftnl_expr_alloc("payload"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("payload"); + reg = NFT_REG_1; nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_BASE, base); - nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_DREG, NFT_REG_1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_DREG, reg); nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_OFFSET, offset); nftnl_expr_set_u32(expr, NFTNL_EXPR_PAYLOAD_LEN, len); - nftnl_rule_add_expr(r, expr); + + *dreg = reg; } /* bitwise operation is = sreg & mask ^ xor */ -void add_bitwise_u16(struct nftnl_rule *r, uint16_t mask, uint16_t xor) +void add_bitwise_u16(struct nft_handle *h, struct nftnl_rule *r, + uint16_t mask, uint16_t xor, uint8_t sreg, uint8_t *dreg) { struct nftnl_expr *expr; + uint8_t reg; - expr = nftnl_expr_alloc("bitwise"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("bitwise"); - 
nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, NFT_REG_1); - nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_DREG, NFT_REG_1); + reg = NFT_REG_1; + nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, sreg); + nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_DREG, reg); nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_LEN, sizeof(uint16_t)); nftnl_expr_set(expr, NFTNL_EXPR_BITWISE_MASK, &mask, sizeof(uint16_t)); nftnl_expr_set(expr, NFTNL_EXPR_BITWISE_XOR, &xor, sizeof(uint16_t)); - nftnl_rule_add_expr(r, expr); + + *dreg = reg; } -void add_bitwise(struct nftnl_rule *r, uint8_t *mask, size_t len) +void add_bitwise(struct nft_handle *h, struct nftnl_rule *r, + uint8_t *mask, size_t len, uint8_t sreg, uint8_t *dreg) { struct nftnl_expr *expr; uint32_t xor4 = { 0 }; + uint8_t reg = *dreg; - expr = nftnl_expr_alloc("bitwise"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("bitwise"); - nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, NFT_REG_1); - nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_DREG, NFT_REG_1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_SREG, sreg); + nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_DREG, reg); nftnl_expr_set_u32(expr, NFTNL_EXPR_BITWISE_LEN, len); nftnl_expr_set(expr, NFTNL_EXPR_BITWISE_MASK, mask, len); nftnl_expr_set(expr, NFTNL_EXPR_BITWISE_XOR, &xor, len); - nftnl_rule_add_expr(r, expr); + + *dreg = reg; } -void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len) +void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, + uint8_t sreg) { struct nftnl_expr *expr; - expr = nftnl_expr_alloc("cmp"); - if (expr == NULL) - return; + expr = xt_nftnl_expr_alloc("cmp"); - nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_SREG, NFT_REG_1); + nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_SREG, sreg); nftnl_expr_set_u32(expr, NFTNL_EXPR_CMP_OP, op); nftnl_expr_set(expr, NFTNL_EXPR_CMP_DATA, data, len); - nftnl_rule_add_expr(r, expr); } -void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op) +void add_cmp_u8(struct 
nftnl_rule *r, uint8_t val, uint32_t op, uint8_t sreg) { - add_cmp_ptr(r, op, &val, sizeof(val)); + add_cmp_ptr(r, op, &val, sizeof(val), sreg); } -void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op) +void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op, uint8_t sreg) { - add_cmp_ptr(r, op, &val, sizeof(val)); + add_cmp_ptr(r, op, &val, sizeof(val), sreg); } -void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op) +void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg) { - add_cmp_ptr(r, op, &val, sizeof(val)); + add_cmp_ptr(r, op, &val, sizeof(val), sreg); } -void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op) +void add_iniface(struct nft_handle *h, struct nftnl_rule *r, + char *iface, uint32_t op) { int iface_len; + uint8_t reg; iface_len = strlen(iface); - add_meta(r, NFT_META_IIFNAME); + add_meta(h, r, NFT_META_IIFNAME, ®); if (ifaceiface_len - 1 == '+') { if (iface_len > 1) - add_cmp_ptr(r, op, iface, iface_len - 1); - } else - add_cmp_ptr(r, op, iface, iface_len + 1); + add_cmp_ptr(r, op, iface, iface_len - 1, reg); + else if (op != NFT_CMP_EQ) + add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D", + strlen("INVAL/D") + 1, reg); + } else { + add_cmp_ptr(r, op, iface, iface_len + 1, reg); + } } -void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op) +void add_outiface(struct nft_handle *h, struct nftnl_rule *r, + char *iface, uint32_t op) { int iface_len; + uint8_t reg; iface_len = strlen(iface); - add_meta(r, NFT_META_OIFNAME); + add_meta(h, r, NFT_META_OIFNAME, ®); if (ifaceiface_len - 1 == '+') { if (iface_len > 1) - add_cmp_ptr(r, op, iface, iface_len - 1); - } else - add_cmp_ptr(r, op, iface, iface_len + 1); + add_cmp_ptr(r, op, iface, iface_len - 1, reg); + else if (op != NFT_CMP_EQ) + add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D", + strlen("INVAL/D") + 1, reg); + } else { + add_cmp_ptr(r, op, iface, iface_len + 1, reg); + } } -void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, 
int offset, +void add_addr(struct nft_handle *h, struct nftnl_rule *r, + enum nft_payload_bases base, int offset, void *data, void *mask, size_t len, uint32_t op) { const unsigned char *m = mask; bool bitwise = false; - int i; + uint8_t reg; + int i, j; for (i = 0; i < len; i++) { if (mi != 0xff) { @@ -174,29 +211,36 @@ break; } } + for (j = i + 1; !bitwise && j < len; j++) + bitwise = !!mj; if (!bitwise) len = i; - add_payload(r, offset, len, base); + add_payload(h, r, offset, len, base, ®); if (bitwise) - add_bitwise(r, mask, len); + add_bitwise(h, r, mask, len, reg, ®); - add_cmp_ptr(r, op, data, len); + add_cmp_ptr(r, op, data, len, reg); } -void add_proto(struct nftnl_rule *r, int offset, size_t len, - uint8_t proto, uint32_t op) +void add_proto(struct nft_handle *h, struct nftnl_rule *r, + int offset, size_t len, uint8_t proto, uint32_t op) { - add_payload(r, offset, len, NFT_PAYLOAD_NETWORK_HEADER); - add_cmp_u8(r, proto, op); + uint8_t reg; + + add_payload(h, r, offset, len, NFT_PAYLOAD_NETWORK_HEADER, ®); + add_cmp_u8(r, proto, op, reg); } -void add_l4proto(struct nftnl_rule *r, uint8_t proto, uint32_t op) +void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, + uint8_t proto, uint32_t op) { - add_meta(r, NFT_META_L4PROTO); - add_cmp_u8(r, proto, op); + uint8_t reg; + + add_meta(h, r, NFT_META_L4PROTO, ®); + add_cmp_u8(r, proto, op, reg); } bool is_same_interfaces(const char *a_iniface, const char *a_outiface, @@ -241,7 +285,7 @@ memcpy(dst, name, len); if (namelen - 1 == '\0') { if (mask) - memset(mask, 0xff, len); + memset(mask, 0xff, strlen(name) + 1); return; } 
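Review bot: add_iniface and add_outiface are now byte-identical apart from the meta key, and the `"INVAL/D"` sentinel they emit for a negated wildcard interface is spelled out in both (and once more in parse_invalid_iface in a later hunk); a shared static helper plus one named constant for the sentinel string would keep the encoder and the decoder of this convention in step. The new `struct nft_handle *h` parameter on add_meta, add_payload, add_bitwise_u16 and add_bitwise is not read in any of the visible bodies, which is fine if it is reserved for register allocation but deserves a short comment saying so. xt_nftnl_expr_alloc has no return statement after `xtables_error()` on its failure path, so its correctness depends on that function being declared noreturn; a comment such as `/* xtables_error() does not return */` makes that dependency explicit for readers and static analysers.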
@@ -257,9 +301,82 @@ memset(mask, 0xff, len - 2); } -int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, - unsigned char *iniface_mask, char *outiface, - unsigned char *outiface_mask, uint8_t *invflags) +static struct xtables_match * +nft_create_match(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + const char *name); + +static uint32_t get_meta_mask(struct nft_xt_ctx *ctx, enum nft_registers sreg) +{ + struct nft_xt_ctx_reg *reg = nft_xt_ctx_get_sreg(ctx, sreg); + + if (reg->bitwise.set) + return reg->bitwise.mask0; + + return ~0u; +} + +static int parse_meta_mark(struct nft_xt_ctx *ctx, struct nftnl_expr *e) +{ + struct xt_mark_mtinfo1 *mark; + struct xtables_match *match; + uint32_t value; + + match = nft_create_match(ctx, ctx->cs, "mark"); + if (!match) + return -1; + + mark = (void*)match->m->data; + + if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ) + mark->invert = 1; + + value = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_DATA); + mark->mark = value; + mark->mask = get_meta_mask(ctx, nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_SREG)); + + return 0; +} + +static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e) +{ + struct xt_pkttype_info *pkttype; + struct xtables_match *match; + uint8_t value; + + match = nft_create_match(ctx, ctx->cs, "pkttype"); + if (!match) + return -1; + + pkttype = (void*)match->m->data; + + if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ) + pkttype->invert = 1; + + value = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA); + pkttype->pkttype = value; + + return 0; +} + +static void parse_invalid_iface(char *iface, unsigned char *mask, + uint8_t *invflags, uint8_t invbit) +{ + if (*invflags & invbit || strcmp(iface, "INVAL/D")) + return; + + /* nft's poor "! 
-o +" excuse */ + *invflags |= invbit; + iface0 = '+'; + iface1 = '\0'; + mask0 = 0xff; + mask1 = 0xff; + memset(mask + 2, 0, IFNAMSIZ - 2); +} + +int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key, + char *iniface, unsigned char *iniface_mask, + char *outiface, unsigned char *outiface_mask, uint8_t *invflags) { uint32_t value; const void *ifname; @@ -291,6 +408,8 @@ *invflags |= IPT_INV_VIA_IN; parse_ifname(ifname, len, iniface, iniface_mask); + parse_invalid_iface(iniface, iniface_mask, + invflags, IPT_INV_VIA_IN); break; case NFT_META_BRI_OIFNAME: case NFT_META_OIFNAME: @@ -299,6 +418,14 @@ *invflags |= IPT_INV_VIA_OUT; parse_ifname(ifname, len, outiface, outiface_mask); + parse_invalid_iface(outiface, outiface_mask, + invflags, IPT_INV_VIA_OUT); + break; + case NFT_META_MARK: + parse_meta_mark(ctx, e); + break; + case NFT_META_PKTTYPE: + parse_meta_pkttype(ctx, e); break; default: return -1; @@ -315,11 +442,12 @@ struct xtables_target *target; struct xt_entry_target *t; size_t size; - void *data = ctx->cs; target = xtables_find_target(targname, XTF_TRY_LOAD); - if (target == NULL) + if (target == NULL) { + ctx->errmsg = "target extension not found"; return; + } size = XT_ALIGN(sizeof(struct xt_entry_target)) + tg_len; @@ -331,7 +459,7 @@ target->t = t; - ctx->h->ops->parse_target(target, data); + ctx->h->ops->parse_target(target, ctx->cs); } static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e) @@ -356,8 +484,10 @@ } match = xtables_find_match(mt_name, XTF_TRY_LOAD, matches); - if (match == NULL) + if (match == NULL) { + ctx->errmsg = "match extension not found"; return; + } m = xtables_calloc(1, sizeof(struct xt_entry_match) + mt_len); memcpy(&m->data, mt_info, mt_len); 
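Review bot: parse_meta_mark and parse_meta_pkttype return -1 when nft_create_match fails but set no `ctx->errmsg`, and the new `NFT_META_MARK` and `NFT_META_PKTTYPE` cases in parse_meta (the following hunk) discard that return value and `break` as if the expression had been decoded, so the mark or pkttype comparison is silently dropped from the reconstructed rule. Other failure paths in this file (nft_tcp_match, nft_parse_target) record an errmsg, so these should too, e.g. `if (!match) { ctx->errmsg = "mark match extension not found"; return -1; }`, and parse_meta should propagate the failure with `return parse_meta_mark(ctx, e);` rather than `break`. get_meta_mask also dereferences the result of nft_xt_ctx_get_sreg without the NULL check the other callers perform; it appears safe only because nft_parse_cmp has already validated the same register on the current call path, which is worth a comment or an explicit check.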
@@ -371,54 +501,61 @@ ctx->h->ops->parse_match(match, ctx->cs); } -void print_proto(uint16_t proto, int invert) +void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op) { - const struct protoent *pent = getprotobynumber(proto); - - if (invert) - printf("! "); - - if (pent) { - printf("-p %s ", pent->p_name); - return; - } + uint32_t len; - printf("-p %u ", proto); + memcpy(data, nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len), dlen); + *op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP); } void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv) { - uint32_t len; uint8_t op; - memcpy(data, nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len), dlen); - op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP); - if (op == NFT_CMP_NEQ) - *inv = true; - else - *inv = false; + __get_cmp_data(e, data, dlen, &op); + *inv = (op == NFT_CMP_NEQ); } -static void nft_meta_set_to_target(struct nft_xt_ctx *ctx) +static void nft_meta_set_to_target(struct nft_xt_ctx *ctx, + struct nftnl_expr *e) { struct xtables_target *target; + struct nft_xt_ctx_reg *sreg; + enum nft_registers sregnum; struct xt_entry_target *t; unsigned int size; const char *targname; - switch (ctx->meta.key) { + sregnum = nftnl_expr_get_u32(e, NFTNL_EXPR_META_SREG); + sreg = nft_xt_ctx_get_sreg(ctx, sregnum); + if (!sreg) + return; + + switch (nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY)) { case NFT_META_NFTRACE: - if (ctx->immediate.data0 == 0) + if ((sreg->type != NFT_XT_REG_IMMEDIATE)) { + ctx->errmsg = "meta nftrace but reg not immediate"; return; + } + + if (sreg->immediate.data0 == 0) { + ctx->errmsg = "trace is cleared"; + return; + } + targname = "TRACE"; break; default: + ctx->errmsg = "meta sreg key not supported"; return; } target = xtables_find_target(targname, XTF_TRY_LOAD); - if (target == NULL) + if (target == NULL) { + ctx->errmsg = "target TRACE not found"; return; + } size = XT_ALIGN(sizeof(struct xt_entry_target)) + target->size; 
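Review bot: `__get_cmp_data` copies `dlen` bytes out of the cmp expression's data without comparing it to the `len` that nftnl_expr_get reports, so when a ruleset's cmp operand is shorter than the caller's buffer the copy reads past the operand into whatever follows in the expression's storage; this was already true of the code it was extracted from, but the extraction is the natural place to fix it. Either clamp with `min(len, dlen)` or have the helper return -1 on a length mismatch and let callers set `ctx->errmsg`. Identifiers beginning with a double underscore are reserved in C; a name like `get_cmp_data_op` avoids that.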
@@ -434,68 +571,544 @@ static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { - ctx->meta.key = nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY); + struct nft_xt_ctx_reg *reg; - if (nftnl_expr_is_set(e, NFTNL_EXPR_META_SREG) && - (ctx->flags & NFT_XT_CTX_IMMEDIATE) && - nftnl_expr_get_u32(e, NFTNL_EXPR_META_SREG) == ctx->immediate.reg) { - ctx->flags &= ~NFT_XT_CTX_IMMEDIATE; - nft_meta_set_to_target(ctx); + if (nftnl_expr_is_set(e, NFTNL_EXPR_META_SREG)) { + nft_meta_set_to_target(ctx, e); return; } - ctx->reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG); - ctx->flags |= NFT_XT_CTX_META; + reg = nft_xt_ctx_get_dreg(ctx, nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG)); + if (!reg) + return; + + reg->meta_dreg.key = nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY); + reg->type = NFT_XT_REG_META_DREG; } static void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { - if (ctx->flags & NFT_XT_CTX_PAYLOAD) { - memcpy(&ctx->prev_payload, &ctx->payload, - sizeof(ctx->prev_payload)); - ctx->flags |= NFT_XT_CTX_PREV_PAYLOAD; - } + enum nft_registers regnum = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG); + struct nft_xt_ctx_reg *reg = nft_xt_ctx_get_dreg(ctx, regnum); - ctx->reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG); - ctx->payload.base = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE); - ctx->payload.offset = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET); - ctx->payload.len = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN); - ctx->flags |= NFT_XT_CTX_PAYLOAD; + if (!reg) + return; + + reg->type = NFT_XT_REG_PAYLOAD; + reg->payload.base = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE); + reg->payload.offset = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET); + reg->payload.len = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN); } static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { - uint32_t reg, len; + enum nft_registers sregnum = nftnl_expr_get_u32(e, NFTNL_EXPR_BITWISE_SREG); + enum nft_registers dregnum = 
nftnl_expr_get_u32(e, NFTNL_EXPR_BITWISE_DREG); + struct nft_xt_ctx_reg *sreg = nft_xt_ctx_get_sreg(ctx, sregnum); + struct nft_xt_ctx_reg *dreg = sreg; const void *data; + uint32_t len; - reg = nftnl_expr_get_u32(e, NFTNL_EXPR_BITWISE_SREG); - if (ctx->reg && reg != ctx->reg) + if (!sreg) return; + if (sregnum != dregnum) { + dreg = nft_xt_ctx_get_sreg(ctx, dregnum); /* sreg, do NOT clear ... */ + if (!dreg) + return; + + *dreg = *sreg; /* .. and copy content instead */ + } + data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_XOR, &len); - memcpy(ctx->bitwise.xor, data, len); + + if (len > sizeof(dreg->bitwise.xor)) { + ctx->errmsg = "bitwise xor too large"; + return; + } + + memcpy(dreg->bitwise.xor, data, len); + data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_MASK, &len); - memcpy(ctx->bitwise.mask, data, len); - ctx->flags |= NFT_XT_CTX_BITWISE; + + if (len > sizeof(dreg->bitwise.mask)) { + ctx->errmsg = "bitwise mask too large"; + return; + } + + memcpy(dreg->bitwise.mask, data, len); + + dreg->bitwise.set = true; +} + +static struct xtables_match * +nft_create_match(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + const char *name) +{ + struct xtables_match *match; + struct xt_entry_match *m; + unsigned int size; + + match = xtables_find_match(name, XTF_TRY_LOAD, + &cs->matches); + if (!match) + return NULL; + + size = XT_ALIGN(sizeof(struct xt_entry_match)) + match->size; + m = xtables_calloc(1, size); + m->u.match_size = size; + m->u.user.revision = match->revision; + + strcpy(m->u.user.name, match->name); + match->m = m; + + xs_init_match(match); + + return match; +} + +static struct xt_udp *nft_udp_match(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs) +{ + struct xt_udp *udp = ctx->tcpudp.udp; + struct xtables_match *match; + + if (!udp) { + match = nft_create_match(ctx, cs, "udp"); + if (!match) + return NULL; + + udp = (void*)match->m->data; + ctx->tcpudp.udp = udp; + } + + return udp; +} + +static struct xt_tcp *nft_tcp_match(struct 
nft_xt_ctx *ctx, + struct iptables_command_state *cs) +{ + struct xt_tcp *tcp = ctx->tcpudp.tcp; + struct xtables_match *match; + + if (!tcp) { + match = nft_create_match(ctx, cs, "tcp"); + if (!match) { + ctx->errmsg = "tcp match extension not found"; + return NULL; + } + tcp = (void*)match->m->data; + ctx->tcpudp.tcp = tcp; + } + + return tcp; +} + +static void nft_parse_udp_range(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + int sport_from, int sport_to, + int dport_from, int dport_to, + uint8_t op) +{ + struct xt_udp *udp = nft_udp_match(ctx, cs); + + if (!udp) + return; + + if (sport_from >= 0) { + switch (op) { + case NFT_RANGE_NEQ: + udp->invflags |= XT_UDP_INV_SRCPT; + /* fallthrough */ + case NFT_RANGE_EQ: + udp->spts0 = sport_from; + udp->spts1 = sport_to; + break; + } + } + + if (dport_to >= 0) { + switch (op) { + case NFT_CMP_NEQ: + udp->invflags |= XT_UDP_INV_DSTPT; + /* fallthrough */ + case NFT_CMP_EQ: + udp->dpts0 = dport_from; + udp->dpts1 = dport_to; + break; + } + } +} + +static void nft_parse_tcp_range(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + int sport_from, int sport_to, + int dport_from, int dport_to, + uint8_t op) +{ + struct xt_tcp *tcp = nft_tcp_match(ctx, cs); + + if (!tcp) + return; + + if (sport_from >= 0) { + switch (op) { + case NFT_RANGE_NEQ: + tcp->invflags |= XT_TCP_INV_SRCPT; + /* fallthrough */ + case NFT_RANGE_EQ: + tcp->spts0 = sport_from; + tcp->spts1 = sport_to; + break; + } + } + + if (dport_to >= 0) { + switch (op) { + case NFT_CMP_NEQ: + tcp->invflags |= XT_TCP_INV_DSTPT; + /* fallthrough */ + case NFT_CMP_EQ: + tcp->dpts0 = dport_from; + tcp->dpts1 = dport_to; + break; + } + } +} + +static void port_match_single_to_range(__u16 *ports, __u8 *invflags, + uint8_t op, int port, __u8 invflag) +{ + if (port < 0) + return; + + switch (op) { + case NFT_CMP_NEQ: + *invflags |= invflag; + /* fallthrough */ + case NFT_CMP_EQ: + ports0 = port; + ports1 = port; + break; + case NFT_CMP_LT: + ports1 
= max(port - 1, 1); + break; + case NFT_CMP_LTE: + ports1 = port; + break; + case NFT_CMP_GT: + ports0 = min(port + 1, UINT16_MAX); + break; + case NFT_CMP_GTE: + ports0 = port; + break; + } +} + +static void nft_parse_udp(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + int sport, int dport, + uint8_t op) +{ + struct xt_udp *udp = nft_udp_match(ctx, cs); + + if (!udp) + return; + + port_match_single_to_range(udp->spts, &udp->invflags, + op, sport, XT_UDP_INV_SRCPT); + port_match_single_to_range(udp->dpts, &udp->invflags, + op, dport, XT_UDP_INV_DSTPT); +} + +static void nft_parse_tcp(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + int sport, int dport, + uint8_t op) +{ + struct xt_tcp *tcp = nft_tcp_match(ctx, cs); + + if (!tcp) + return; + + port_match_single_to_range(tcp->spts, &tcp->invflags, + op, sport, XT_TCP_INV_SRCPT); + port_match_single_to_range(tcp->dpts, &tcp->invflags, + op, dport, XT_TCP_INV_DSTPT); +} + +static void nft_parse_icmp(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + struct nft_xt_ctx_reg *sreg, + uint8_t op, const char *data, size_t dlen) +{ + struct xtables_match *match; + struct ipt_icmp icmp = { + .type = UINT8_MAX, + .code = { 0, UINT8_MAX }, + }; + + if (dlen < 1) + goto out_err_len; + + switch (sreg->payload.offset) { + case 0: + icmp.type = data0; + if (dlen == 1) + break; + dlen--; + data++; + /* fall through */ + case 1: + if (dlen > 1) + goto out_err_len; + icmp.code0 = icmp.code1 = data0; + break; + default: + ctx->errmsg = "unexpected payload offset"; + return; + } + + switch (ctx->h->family) { + case NFPROTO_IPV4: + match = nft_create_match(ctx, cs, "icmp"); + break; + case NFPROTO_IPV6: + if (icmp.type == UINT8_MAX) { + ctx->errmsg = "icmp6 code with any type match not supported"; + return; + } + match = nft_create_match(ctx, cs, "icmp6"); + break; + default: + ctx->errmsg = "unexpected family for icmp match"; + return; + } + + if (!match) { + ctx->errmsg = "icmp match extension 
not found"; + return; + } + memcpy(match->m->data, &icmp, sizeof(icmp)); + return; + +out_err_len: + ctx->errmsg = "unexpected RHS data length"; +} + +static void nft_parse_th_port(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + uint8_t proto, + int sport, int dport, uint8_t op) +{ + switch (proto) { + case IPPROTO_UDP: + nft_parse_udp(ctx, cs, sport, dport, op); + break; + case IPPROTO_TCP: + nft_parse_tcp(ctx, cs, sport, dport, op); + break; + default: + ctx->errmsg = "unknown layer 4 protocol for TH match"; + } +} + +static void nft_parse_th_port_range(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + uint8_t proto, + int sport_from, int sport_to, + int dport_from, int dport_to, uint8_t op) +{ + switch (proto) { + case IPPROTO_UDP: + nft_parse_udp_range(ctx, cs, sport_from, sport_to, dport_from, dport_to, op); + break; + case IPPROTO_TCP: + nft_parse_tcp_range(ctx, cs, sport_from, sport_to, dport_from, dport_to, op); + break; + } +} + +static void nft_parse_tcp_flags(struct nft_xt_ctx *ctx, + struct iptables_command_state *cs, + uint8_t op, uint8_t flags, uint8_t mask) +{ + struct xt_tcp *tcp = nft_tcp_match(ctx, cs); + + if (!tcp) + return; + + if (op == NFT_CMP_NEQ) + tcp->invflags |= XT_TCP_INV_FLAGS; + tcp->flg_cmp = flags; + tcp->flg_mask = mask; +} + +static void nft_parse_transport(struct nft_xt_ctx *ctx, + struct nftnl_expr *e, + struct iptables_command_state *cs) +{ + struct nft_xt_ctx_reg *sreg; + enum nft_registers reg; + uint32_t sdport; + uint16_t port; + uint8_t proto, op; + unsigned int len; + + switch (ctx->h->family) { + case NFPROTO_IPV4: + proto = ctx->cs->fw.ip.proto; + break; + case NFPROTO_IPV6: + proto = ctx->cs->fw6.ipv6.proto; + break; + default: + ctx->errmsg = "invalid family for TH match"; + return; + } + + nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len); + op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP); + + reg = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_SREG); + sreg = nft_xt_ctx_get_sreg(ctx, reg); + if (!sreg) + 
return; + + if (sreg->type != NFT_XT_REG_PAYLOAD) { + ctx->errmsg = "sgreg not payload"; + return; + } + + switch (proto) { + case IPPROTO_UDP: + case IPPROTO_TCP: + break; + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + nft_parse_icmp(ctx, cs, sreg, op, + nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len), + len); + return; + default: + ctx->errmsg = "unsupported layer 4 protocol value"; + return; + } + + switch(sreg->payload.offset) { + case 0: /* th->sport */ + switch (len) { + case 2: /* load sport only */ + port = ntohs(nftnl_expr_get_u16(e, NFTNL_EXPR_CMP_DATA)); + nft_parse_th_port(ctx, cs, proto, port, -1, op); + return; + case 4: /* load both src and dst port */ + sdport = ntohl(nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_DATA)); + nft_parse_th_port(ctx, cs, proto, sdport >> 16, sdport & 0xffff, op); + return; + } + break; + case 2: /* th->dport */ + switch (len) { + case 2: + port = ntohs(nftnl_expr_get_u16(e, NFTNL_EXPR_CMP_DATA)); + nft_parse_th_port(ctx, cs, proto, -1, port, op); + return; + } + break; + case 13: /* th->flags */ + if (len == 1 && proto == IPPROTO_TCP) { + uint8_t flags = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA); + uint8_t mask = ~0; + + if (sreg->bitwise.set) + memcpy(&mask, &sreg->bitwise.mask, sizeof(mask)); + + nft_parse_tcp_flags(ctx, cs, op, flags, mask); + } + return; + } +} + +static void nft_parse_transport_range(struct nft_xt_ctx *ctx, + const struct nft_xt_ctx_reg *sreg, + struct nftnl_expr *e, + struct iptables_command_state *cs) +{ + unsigned int len_from, len_to; + uint8_t proto, op; + uint16_t from, to; + + switch (ctx->h->family) { + case NFPROTO_IPV4: + proto = ctx->cs->fw.ip.proto; + break; + case NFPROTO_IPV6: + proto = ctx->cs->fw6.ipv6.proto; + break; + default: + proto = 0; + break; + } + + nftnl_expr_get(e, NFTNL_EXPR_RANGE_FROM_DATA, &len_from); + nftnl_expr_get(e, NFTNL_EXPR_RANGE_FROM_DATA, &len_to); + if (len_to != len_from || len_to != 2) + return; + + op = nftnl_expr_get_u32(e, NFTNL_EXPR_RANGE_OP); + + from = 
ntohs(nftnl_expr_get_u16(e, NFTNL_EXPR_RANGE_FROM_DATA)); + to = ntohs(nftnl_expr_get_u16(e, NFTNL_EXPR_RANGE_TO_DATA)); + + switch (sreg->payload.offset) { + case 0: + nft_parse_th_port_range(ctx, cs, proto, from, to, -1, -1, op); + return; + case 2: + to = ntohs(nftnl_expr_get_u16(e, NFTNL_EXPR_RANGE_TO_DATA)); + nft_parse_th_port_range(ctx, cs, proto, -1, -1, from, to, op); + return; + } } static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { - void *data = ctx->cs; + struct nft_xt_ctx_reg *sreg; uint32_t reg; reg = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_SREG); - if (ctx->reg && reg != ctx->reg) + + sreg = nft_xt_ctx_get_sreg(ctx, reg); + if (!sreg) return; - if (ctx->flags & NFT_XT_CTX_META) { - ctx->h->ops->parse_meta(ctx, e, data); - ctx->flags &= ~NFT_XT_CTX_META; - } - /* bitwise context is interpreted from payload */ - if (ctx->flags & NFT_XT_CTX_PAYLOAD) { - ctx->h->ops->parse_payload(ctx, e, data); - ctx->flags &= ~NFT_XT_CTX_PAYLOAD; + switch (sreg->type) { + case NFT_XT_REG_UNDEF: + ctx->errmsg = "cmp sreg undef"; + break; + case NFT_XT_REG_META_DREG: + ctx->h->ops->parse_meta(ctx, sreg, e, ctx->cs); + break; + case NFT_XT_REG_PAYLOAD: + switch (sreg->payload.base) { + case NFT_PAYLOAD_LL_HEADER: + if (ctx->h->family == NFPROTO_BRIDGE) + ctx->h->ops->parse_payload(ctx, sreg, e, ctx->cs); + break; + case NFT_PAYLOAD_NETWORK_HEADER: + ctx->h->ops->parse_payload(ctx, sreg, e, ctx->cs); + break; + case NFT_PAYLOAD_TRANSPORT_HEADER: + nft_parse_transport(ctx, e, ctx->cs); + break; + } + + break; + default: + ctx->errmsg = "cmp sreg has unknown type"; + break; } } 
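Review bot: In nft_parse_transport_range the second length query reads `NFTNL_EXPR_RANGE_FROM_DATA` again instead of `NFTNL_EXPR_RANGE_TO_DATA`, so `len_to` always equals `len_from` and the `len_to != len_from` guard can never fire; it should be `nftnl_expr_get(e, NFTNL_EXPR_RANGE_TO_DATA, &len_to);`. The early `return` on a bad length also leaves `ctx->errmsg` unset, unlike every other bail-out in this hunk, so the range expression is silently dropped from the reconstructed rule, and the `case 2:` branch re-reads `to` that was already read above. In nft_parse_udp_range and nft_parse_tcp_range the source-port switch uses `NFT_RANGE_EQ`/`NFT_RANGE_NEQ` while the destination-port switch uses `NFT_CMP_EQ`/`NFT_CMP_NEQ` for the same `op` taken from `NFTNL_EXPR_RANGE_OP`; that works only as long as the two enums share numeric values, so both should use the NFT_RANGE_* constants.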
@@ -508,24 +1121,30 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN); - const char *jumpto = NULL; - bool nft_goto = false; - void *data = ctx->cs; + struct iptables_command_state *cs = ctx->cs; + struct xt_entry_target *t; + uint32_t size; int verdict; if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) { + struct nft_xt_ctx_reg *dreg; const void *imm_data; uint32_t len; - imm_data = nftnl_expr_get_data(e, NFTNL_EXPR_IMM_DATA, &len); + imm_data = nftnl_expr_get(e, NFTNL_EXPR_IMM_DATA, &len); + dreg = nft_xt_ctx_get_dreg(ctx, nftnl_expr_get_u32(e, NFTNL_EXPR_IMM_DREG)); + if (!dreg) + return; - if (len > sizeof(ctx->immediate.data)) + if (len > sizeof(dreg->immediate.data)) { + ctx->errmsg = "oversized immediate data"; return; + } + + memcpy(dreg->immediate.data, imm_data, len); + dreg->immediate.len = len; + dreg->type = NFT_XT_REG_IMMEDIATE; - memcpy(ctx->immediate.data, imm_data, len); - ctx->immediate.len = len; - ctx->immediate.reg = nftnl_expr_get_u32(e, NFTNL_EXPR_IMM_DREG); - ctx->flags |= NFT_XT_CTX_IMMEDIATE; return; } 
@@ -533,23 +1152,37 @@ /* Standard target? */ switch(verdict) { case NF_ACCEPT: - jumpto = "ACCEPT"; + cs->jumpto = "ACCEPT"; break; case NF_DROP: - jumpto = "DROP"; + cs->jumpto = "DROP"; break; case NFT_RETURN: - jumpto = "RETURN"; + cs->jumpto = "RETURN"; break;; case NFT_GOTO: - nft_goto = true; + if (ctx->h->ops->set_goto_flag) + ctx->h->ops->set_goto_flag(cs); /* fall through */ case NFT_JUMP: - jumpto = chain; - break; + cs->jumpto = chain; + /* fall through */ + default: + return; + } + + cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD); + if (!cs->target) { + ctx->errmsg = "verdict extension not found"; + return; } - ctx->h->ops->parse_immediate(jumpto, nft_goto, data); + size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size; + t = xtables_calloc(1, size); + t->u.target_size = size; + t->u.user.revision = cs->target->revision; + strcpy(t->u.user.name, cs->jumpto); + cs->target->t = t; } static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e) @@ -575,8 +1208,10 @@ } match = xtables_find_match("limit", XTF_TRY_LOAD, matches); - if (match == NULL) + if (match == NULL) { + ctx->errmsg = "limit match extension not found"; return; + } size = XT_ALIGN(sizeof(struct xt_entry_match)) + match->size; match->m = xtables_calloc(1, size); 
@@ -593,14 +1228,92 @@ ctx->h->ops->parse_match(match, ctx->cs); } +static void nft_parse_log(struct nft_xt_ctx *ctx, struct nftnl_expr *e) +{ + struct xtables_target *target; + struct xt_entry_target *t; + size_t target_size; + /* + * In order to handle the longer log-prefix supported by nft, instead of + * using struct xt_nflog_info, we use a struct with a compatible layout, but + * a larger buffer for the prefix. + */ + struct xt_nflog_info_nft { + __u32 len; + __u16 group; + __u16 threshold; + __u16 flags; + __u16 pad; + char prefixNF_LOG_PREFIXLEN; + } info = { + .group = nftnl_expr_get_u16(e, NFTNL_EXPR_LOG_GROUP), + .threshold = nftnl_expr_get_u16(e, NFTNL_EXPR_LOG_QTHRESHOLD), + }; + if (nftnl_expr_is_set(e, NFTNL_EXPR_LOG_SNAPLEN)) { + info.len = nftnl_expr_get_u32(e, NFTNL_EXPR_LOG_SNAPLEN); + info.flags = XT_NFLOG_F_COPY_LEN; + } + if (nftnl_expr_is_set(e, NFTNL_EXPR_LOG_PREFIX)) + snprintf(info.prefix, sizeof(info.prefix), "%s", + nftnl_expr_get_str(e, NFTNL_EXPR_LOG_PREFIX)); + + target = xtables_find_target("NFLOG", XTF_TRY_LOAD); + if (target == NULL) { + ctx->errmsg = "NFLOG target extension not found"; + return; + } + + target_size = XT_ALIGN(sizeof(struct xt_entry_target)) + + XT_ALIGN(sizeof(struct xt_nflog_info_nft)); + + t = xtables_calloc(1, target_size); + t->u.target_size = target_size; + strcpy(t->u.user.name, target->name); + t->u.user.revision = target->revision; + + target->t = t; + + memcpy(&target->t->data, &info, sizeof(info)); + + ctx->h->ops->parse_target(target, ctx->cs); +} + static void nft_parse_lookup(struct nft_xt_ctx *ctx, struct nft_handle *h, struct nftnl_expr *e) { if (ctx->h->ops->parse_lookup) - ctx->h->ops->parse_lookup(ctx, e, NULL); + ctx->h->ops->parse_lookup(ctx, e); +} + +static void nft_parse_range(struct nft_xt_ctx *ctx, struct nftnl_expr *e) +{ + struct nft_xt_ctx_reg *sreg; + uint32_t reg; + + reg = nftnl_expr_get_u32(e, NFTNL_EXPR_RANGE_SREG); + sreg = nft_xt_ctx_get_sreg(ctx, reg); + + switch (sreg->type) { + 
case NFT_XT_REG_UNDEF: + ctx->errmsg = "range sreg undef"; + break; + case NFT_XT_REG_PAYLOAD: + switch (sreg->payload.base) { + case NFT_PAYLOAD_TRANSPORT_HEADER: + nft_parse_transport_range(ctx, sreg, e, ctx->cs); + break; + default: + ctx->errmsg = "range with unknown payload base"; + break; + } + break; + default: + ctx->errmsg = "range sreg type unsupported"; + break; + } } -void nft_rule_to_iptables_command_state(struct nft_handle *h, +bool nft_rule_to_iptables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs) { @@ -611,10 +1324,11 @@ .h = h, .table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE), }; + bool ret = true; iter = nftnl_expr_iter_create(r); if (iter == NULL) - return; + return false; ctx.iter = iter; expr = nftnl_expr_iter_next(iter); @@ -642,6 +1356,16 @@ nft_parse_limit(&ctx, expr); else if (strcmp(name, "lookup") == 0) nft_parse_lookup(&ctx, h, expr); + else if (strcmp(name, "log") == 0) + nft_parse_log(&ctx, expr); + else if (strcmp(name, "range") == 0) + nft_parse_range(&ctx, expr); + + if (ctx.errmsg) { + fprintf(stderr, "Error: %s\n", ctx.errmsg); + ctx.errmsg = NULL; + ret = false; + } expr = nftnl_expr_iter_next(iter); } @@ -662,7 +1386,7 @@ match = xtables_find_match("comment", XTF_TRY_LOAD, &cs->matches); if (match == NULL) - return; + return false; size = XT_ALIGN(sizeof(struct xt_entry_match)) + match->size; 
@@ -677,163 +1401,12 @@ } } - if (cs->target != NULL) { - cs->jumpto = cs->target->name; - } else if (cs->jumpto != NULL) { - struct xt_entry_target *t; - uint32_t size; - - cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD); - if (!cs->target) - return; - - size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size; - t = xtables_calloc(1, size); - t->u.target_size = size; - t->u.user.revision = cs->target->revision; - strcpy(t->u.user.name, cs->jumpto); - cs->target->t = t; - } else { + if (!cs->jumpto) cs->jumpto = ""; - } -} - -void nft_clear_iptables_command_state(struct iptables_command_state *cs) -{ - xtables_rule_matches_free(&cs->matches); - if (cs->target) { - free(cs->target->t); - cs->target->t = NULL; - - if (cs->target == cs->target->next) { - free(cs->target); - cs->target = NULL; - } - } -} - -void print_header(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries) -{ - printf("Chain %s", chain); - if (basechain) { - printf(" (policy %s", pol); - if (!(format & FMT_NOCOUNTS)) { - fputc(' ', stdout); - xtables_print_num(counters->pcnt, (format|FMT_NOTABLE)); - fputs("packets, ", stdout); - xtables_print_num(counters->bcnt, (format|FMT_NOTABLE)); - fputs("bytes", stdout); - } - printf(")\n"); - } else { - printf(" (%u references)\n", refs); - } - - if (format & FMT_LINENUMBERS) - printf(FMT("%-4s ", "%s "), "num"); - if (!(format & FMT_NOCOUNTS)) { - if (format & FMT_KILOMEGAGIGA) { - printf(FMT("%5s ","%s "), "pkts"); - printf(FMT("%5s ","%s "), "bytes"); - } else { - printf(FMT("%8s ","%s "), "pkts"); - printf(FMT("%10s ","%s "), "bytes"); - } - } - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ","%s "), "target"); - fputs(" prot ", stdout); - if (format & FMT_OPTIONS) - fputs("opt", stdout); - if (format & FMT_VIA) { - printf(FMT(" %-6s ","%s "), "in"); - printf(FMT("%-6s ","%s "), "out"); - } - printf(FMT(" %-19s ","%s "), "source"); - 
printf(FMT(" %-19s "," %s "), "destination"); - printf("\n"); -} - -void print_rule_details(const struct iptables_command_state *cs, - const char *targname, uint8_t flags, - uint8_t invflags, uint8_t proto, - unsigned int num, unsigned int format) -{ - if (format & FMT_LINENUMBERS) - printf(FMT("%-4u ", "%u "), num); - - if (!(format & FMT_NOCOUNTS)) { - xtables_print_num(cs->counters.pcnt, format); - xtables_print_num(cs->counters.bcnt, format); - } - - if (!(format & FMT_NOTARGET)) - printf(FMT("%-9s ", "%s "), targname ? targname : ""); - - fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout); - { - const char *pname = - proto_to_name(proto, format&FMT_NUMERIC); - if (pname) - printf(FMT("%-5s", "%s "), pname); - else - printf(FMT("%-5hu", "%hu "), proto); - } -} - -static void -print_iface(char letter, const char *iface, const unsigned char *mask, int inv) -{ - unsigned int i; - - if (mask0 == 0) - return; - - printf("%s-%c ", inv ? "! " : "", letter); - - for (i = 0; i < IFNAMSIZ; i++) { - if (maski != 0) { - if (ifacei != '\0') - printf("%c", ifacei); - } else { - if (ifacei-1 != '\0') - printf("+"); - break; - } - } - - printf(" "); -} - -void save_rule_details(const struct iptables_command_state *cs, - uint8_t invflags, uint16_t proto, - const char *iniface, - unsigned const char *iniface_mask, - const char *outiface, - unsigned const char *outiface_mask) -{ - if (iniface != NULL) { - print_iface('i', iniface, iniface_mask, - invflags & IPT_INV_VIA_IN); - } - if (outiface != NULL) { - print_iface('o', outiface, outiface_mask, - invflags & IPT_INV_VIA_OUT); - } - - if (proto > 0) { - const struct protoent *pent = getprotobynumber(proto); - - if (invflags & XT_INV_PROTO) - printf("! "); - if (pent) - printf("-p %s ", pent->p_name); - else - printf("-p %u ", proto); - } + if (!ret) + xtables_error(VERSION_PROBLEM, "Parsing nftables rule failed"); + return ret; } void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy) 
@@ -854,33 +1427,33 @@ for (matchp = cs->matches; matchp; matchp = matchp->next) { if (matchp->match->alias) { - printf("-m %s", + printf(" -m %s", matchp->match->alias(matchp->match->m)); } else - printf("-m %s", matchp->match->name); + printf(" -m %s", matchp->match->name); if (matchp->match->save != NULL) { /* cs->fw union makes the trick */ matchp->match->save(fw, matchp->match->m); } - printf(" "); } if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS) - printf("-c %llu %llu ", + printf(" -c %llu %llu", (unsigned long long)cs->counters.pcnt, (unsigned long long)cs->counters.bcnt); if (cs->target != NULL) { if (cs->target->alias) { - printf("-j %s", cs->target->alias(cs->target->t)); + printf(" -j %s", cs->target->alias(cs->target->t)); } else - printf("-j %s", cs->jumpto); + printf(" -j %s", cs->jumpto); - if (cs->target->save != NULL) + if (cs->target->save != NULL) { cs->target->save(fw, cs->target->t); + } } else if (strlen(cs->jumpto) > 0) { - printf("-%c %s", goto_flag ? 'g' : 'j', cs->jumpto); + printf(" -%c %s", goto_flag ? 'g' : 'j', cs->jumpto); } printf("\n"); @@ -979,17 +1552,18 @@ return true; } -void nft_ipv46_parse_target(struct xtables_target *t, void *data) +void nft_ipv46_parse_target(struct xtables_target *t, + struct iptables_command_state *cs) { - struct iptables_command_state *cs = data; - cs->target = t; + cs->jumpto = t->name; } void nft_check_xt_legacy(int family, bool is_ipt_save) { static const char tables6 = "/proc/net/ip6_tables_names"; static const char tables4 = "/proc/net/ip_tables_names"; + static const char tablesa = "/proc/net/arp_tables_names"; const char *prefix = "ip"; FILE *fp = NULL; char buf1024; @@ -1002,6 +1576,10 @@ fp = fopen(tables6, "r"); prefix = "ip6"; break; + case NFPROTO_ARP: + fp = fopen(tablesa, "r"); + prefix = "arp"; + break; default: break; } 
@@ -1014,3 +1592,84 @@ prefix, prefix, is_ipt_save ? "-save" : ""); fclose(fp); } + +int nft_parse_hl(struct nft_xt_ctx *ctx, + struct nftnl_expr *e, + struct iptables_command_state *cs) +{ + struct xtables_match *match; + struct ip6t_hl_info *info; + uint8_t hl, mode; + int op; + + hl = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA); + op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP); + + switch (op) { + case NFT_CMP_NEQ: + mode = IP6T_HL_NE; + break; + case NFT_CMP_EQ: + mode = IP6T_HL_EQ; + break; + case NFT_CMP_LT: + mode = IP6T_HL_LT; + break; + case NFT_CMP_GT: + mode = IP6T_HL_GT; + break; + case NFT_CMP_LTE: + mode = IP6T_HL_LT; + if (hl == 255) + return -1; + hl++; + break; + case NFT_CMP_GTE: + mode = IP6T_HL_GT; + if (hl == 0) + return -1; + hl--; + break; + default: + return -1; + } + + /* ipt_ttl_info and ip6t_hl_info have same layout, + * IPT_TTL_x and IP6T_HL_x are aliases as well, so + * just use HL for both ipv4 and ipv6. + */ + switch (ctx->h->family) { + case NFPROTO_IPV4: + match = nft_create_match(ctx, ctx->cs, "ttl"); + break; + case NFPROTO_IPV6: + match = nft_create_match(ctx, ctx->cs, "hl"); + break; + default: + return -1; + } + + if (!match) + return -1; + + info = (void*)match->m->data; + info->hop_limit = hl; + info->mode = mode; + + return 0; +} + +enum nft_registers nft_get_next_reg(enum nft_registers reg, size_t size) +{ + /* convert size to NETLINK_ALIGN-sized chunks */ + size = (size + NETLINK_ALIGN - 1) / NETLINK_ALIGN; + + /* map 16byte reg to 4byte one */ + if (reg < __NFT_REG_MAX) + reg = NFT_REG32_00 + (reg - 1) * NFT_REG_SIZE / NFT_REG32_SIZE; + + reg += size; + assert(reg <= NFT_REG32_15); + + return reg; +}
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft-shared.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft-shared.h
@@ -13,7 +13,6 @@ #include "xshared.h" #ifdef DEBUG -#define NLDEBUG #define DEBUG_DEL #endif @@ -39,12 +38,36 @@ struct nft_handle; struct xt_xlate; -enum { - NFT_XT_CTX_PAYLOAD = (1 << 0), - NFT_XT_CTX_META = (1 << 1), - NFT_XT_CTX_BITWISE = (1 << 2), - NFT_XT_CTX_IMMEDIATE = (1 << 3), - NFT_XT_CTX_PREV_PAYLOAD = (1 << 4), +enum nft_ctx_reg_type { + NFT_XT_REG_UNDEF, + NFT_XT_REG_PAYLOAD, + NFT_XT_REG_IMMEDIATE, + NFT_XT_REG_META_DREG, +}; + +struct nft_xt_ctx_reg { + enum nft_ctx_reg_type type:8; + + union { + struct { + uint32_t base; + uint32_t offset; + uint32_t len; + } payload; + struct { + uint32_t data4; + uint8_t len; + } immediate; + struct { + uint32_t key; + } meta_dreg; + }; + + struct { + uint32_t mask4; + uint32_t xor4; + bool set; + } bitwise; }; struct nft_xt_ctx { 
@@ -53,80 +76,129 @@ struct nft_handle *h; uint32_t flags; const char *table; + union { + struct xt_tcp *tcp; + struct xt_udp *udp; + } tcpudp; - uint32_t reg; - struct { - uint32_t base; - uint32_t offset; - uint32_t len; - } payload, prev_payload; - struct { - uint32_t key; - } meta; - struct { - uint32_t data4; - uint32_t len, reg; - } immediate; - struct { - uint32_t mask4; - uint32_t xor4; - } bitwise; + struct nft_xt_ctx_reg regs1 + 16; + + const char *errmsg; }; +static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_sreg(struct nft_xt_ctx *ctx, enum nft_registers reg) +{ + switch (reg) { + case NFT_REG_VERDICT: + return &ctx->regs0; + case NFT_REG_1: + return &ctx->regs1; + case NFT_REG_2: + return &ctx->regs5; + case NFT_REG_3: + return &ctx->regs9; + case NFT_REG_4: + return &ctx->regs13; + case NFT_REG32_00...NFT_REG32_15: + return &ctx->regsreg - NFT_REG32_00; + default: + ctx->errmsg = "Unknown register requested"; + break; + } + + return NULL; +} + +static inline void nft_xt_reg_clear(struct nft_xt_ctx_reg *r) +{ + r->type = 0; + r->bitwise.set = false; +} + +static inline struct nft_xt_ctx_reg *nft_xt_ctx_get_dreg(struct nft_xt_ctx *ctx, enum nft_registers reg) +{ + struct nft_xt_ctx_reg *r = nft_xt_ctx_get_sreg(ctx, reg); + + if (r) + nft_xt_reg_clear(r); + + return r; +} + struct nft_family_ops { - int (*add)(struct nft_handle *h, struct nftnl_rule *r, void *data); - bool (*is_same)(const void *data_a, - const void *data_b); + int (*add)(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs); + bool (*is_same)(const struct iptables_command_state *cs_a, + const struct iptables_command_state *cs_b); void (*print_payload)(struct nftnl_expr *e, struct nftnl_expr_iter *iter); - void (*parse_meta)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_payload)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_bitwise)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void 
(*parse_cmp)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); - void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data); + void (*parse_meta)(struct nft_xt_ctx *ctx, + const struct nft_xt_ctx_reg *sreg, + struct nftnl_expr *e, + struct iptables_command_state *cs); + void (*parse_payload)(struct nft_xt_ctx *ctx, + const struct nft_xt_ctx_reg *sreg, + struct nftnl_expr *e, + struct iptables_command_state *cs); + void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e); + void (*set_goto_flag)(struct iptables_command_state *cs); void (*print_table_header)(const char *tablename); void (*print_header)(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries); + const struct xt_counters *counters, + int refs, uint32_t entries); void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r, unsigned int num, unsigned int format); - void (*save_rule)(const void *data, unsigned int format); + void (*save_rule)(const struct iptables_command_state *cs, + unsigned int format); void (*save_chain)(const struct nftnl_chain *c, const char *policy); - void (*proto_parse)(struct iptables_command_state *cs, - struct xtables_args *args); - void (*post_parse)(int command, struct iptables_command_state *cs, - struct xtables_args *args); - void (*parse_match)(struct xtables_match *m, void *data); - void (*parse_target)(struct xtables_target *t, void *data); - void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r, + struct xt_cmd_parse_ops cmd_parse; + void (*parse_match)(struct xtables_match *m, + struct iptables_command_state *cs); + void (*parse_target)(struct xtables_target *t, + struct iptables_command_state *cs); + void (*init_cs)(struct iptables_command_state *cs); + bool (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r, struct 
iptables_command_state *cs); void (*clear_cs)(struct iptables_command_state *cs); - int (*xlate)(const void *data, struct xt_xlate *xl); + int (*xlate)(const struct iptables_command_state *cs, + struct xt_xlate *xl); + int (*add_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + bool append, int rulenum); + int (*delete_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose); + int (*check_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose); + int (*replace_entry)(struct nft_handle *h, + const char *chain, const char *table, + struct iptables_command_state *cs, + struct xtables_args *args, bool verbose, + int rulenum); }; -void add_meta(struct nftnl_rule *r, uint32_t key); -void add_payload(struct nftnl_rule *r, int offset, int len, uint32_t base); -void add_bitwise(struct nftnl_rule *r, uint8_t *mask, size_t len); -void add_bitwise_u16(struct nftnl_rule *r, uint16_t mask, uint16_t xor); -void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len); -void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op); -void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op); -void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op); -void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op); -void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op); -void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, +void add_meta(struct nft_handle *h, struct nftnl_rule *r, uint32_t key, uint8_t *dreg); +void add_payload(struct nft_handle *h, struct nftnl_rule *r, int offset, int len, uint32_t base, uint8_t *dreg); +void add_bitwise(struct nft_handle *h, struct nftnl_rule *r, uint8_t *mask, size_t len, uint8_t sreg, uint8_t 
*dreg); +void add_bitwise_u16(struct nft_handle *h, struct nftnl_rule *r, uint16_t mask, uint16_t xor, uint8_t sreg, uint8_t *dreg); +void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, uint8_t sreg); +void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op, uint8_t sreg); +void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op, uint8_t sreg); +void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg); +void add_iniface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op); +void add_outiface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op); +void add_addr(struct nft_handle *h, struct nftnl_rule *r, enum nft_payload_bases base, int offset, void *data, void *mask, size_t len, uint32_t op); -void add_proto(struct nftnl_rule *r, int offset, size_t len, +void add_proto(struct nft_handle *h, struct nftnl_rule *r, int offset, size_t len, uint8_t proto, uint32_t op); -void add_l4proto(struct nftnl_rule *r, uint8_t proto, uint32_t op); +void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint32_t op); void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv); bool is_same_interfaces(const char *a_iniface, const char *a_outiface, 
@@ -136,30 +208,16 @@ unsigned const char *b_iniface_mask, unsigned const char *b_outiface_mask); -int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, - unsigned char *iniface_mask, char *outiface, - unsigned char *outiface_mask, uint8_t *invflags); -void print_proto(uint16_t proto, int invert); +int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key, + char *iniface, unsigned char *iniface_mask, char *outiface, + unsigned char *outiface_mask, uint8_t *invflags); +void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op); void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv); -void nft_rule_to_iptables_command_state(struct nft_handle *h, +bool nft_rule_to_iptables_command_state(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs); -void nft_clear_iptables_command_state(struct iptables_command_state *cs); -void print_header(unsigned int format, const char *chain, const char *pol, - const struct xt_counters *counters, bool basechain, - uint32_t refs, uint32_t entries); -void print_rule_details(const struct iptables_command_state *cs, - const char *targname, uint8_t flags, - uint8_t invflags, uint8_t proto, - unsigned int num, unsigned int format); void print_matches_and_target(struct iptables_command_state *cs, unsigned int format); -void save_rule_details(const struct iptables_command_state *cs, - uint8_t invflags, uint16_t proto, - const char *iniface, - unsigned const char *iniface_mask, - const char *outiface, - unsigned const char *outiface_mask); void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy); void save_matches_and_target(const struct iptables_command_state *cs, bool goto_flag, const void *fw, 
@@ -167,55 +225,12 @@ struct nft_family_ops *nft_family_ops_lookup(int family); -void nft_ipv46_parse_target(struct xtables_target *t, void *data); +void nft_ipv46_parse_target(struct xtables_target *t, + struct iptables_command_state *cs); bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2); bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2); -struct addr_mask { - union { - struct in_addr *v4; - struct in6_addr *v6; - } addr; - - unsigned int naddrs; - - union { - struct in_addr *v4; - struct in6_addr *v6; - } mask; -}; - -struct xtables_args { - int family; - uint16_t proto; - uint8_t flags; - uint8_t invflags; - char inifaceIFNAMSIZ, outifaceIFNAMSIZ; - unsigned char iniface_maskIFNAMSIZ, outiface_maskIFNAMSIZ; - bool goto_set; - const char *shostnetworkmask, *dhostnetworkmask; - const char *pcnt, *bcnt; - struct addr_mask s, d; - unsigned long long pcnt_cnt, bcnt_cnt; -}; - -struct nft_xt_cmd_parse { - unsigned int command; - unsigned int rulenum; - char *table; - const char *chain; - const char *newname; - const char *policy; - bool restore; - int verbose; - bool xlate; -}; - -void do_parse(struct nft_handle *h, int argc, char *argv, - struct nft_xt_cmd_parse *p, struct iptables_command_state *cs, - struct xtables_args *args); - struct nftnl_chain_list; struct nft_xt_restore_cb { @@ -249,7 +264,14 @@ void nft_check_xt_legacy(int family, bool is_ipt_save); +int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e, struct iptables_command_state *cs); + #define min(x, y) ((x) < (y) ? (x) : (y)) #define max(x, y) ((x) > (y) ? (x) : (y)) +/* simplified nftables:include/netlink.h, netlink_padded_len() */ +#define NETLINK_ALIGN 4 + +enum nft_registers nft_get_next_reg(enum nft_registers reg, size_t size); + #endif
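Review bot: The register lookup in nft_xt_ctx_get_sreg maps the 16-byte NFT_REG_1 to regs[1] but its first 32-bit alias NFT_REG32_00 to regs[0], which is the NFT_REG_VERDICT slot, so a rule that names the same physical register both ways would read two different context entries; the 17-element regs[1 + 16] array also leaves the last entry unreachable through the NFT_REG32_* case, which suggests the intended expression was `return &ctx->regs[reg - NFT_REG32_00 + 1];` (the page rendering has dropped the array subscripts, so the exact original text is inferred — confirm against the kernel register numbering before changing it). Separately, nft_xt_ctx_get_sreg returns NULL and sets ctx->errmsg for an unknown register, but that contract is not stated; a comment above it such as `/* Returns NULL and sets ctx->errmsg for an unknown register; callers must check the result. */` would help, because nft_parse_cmp in nft-shared.c checks the result while the new nft_parse_range on this page switches on sreg->type without a check and would dereference NULL for an unexpected sreg. The inline helpers also guard nothing against reg being outside the NFT_REG32_00...NFT_REG32_15 range other than the default branch, so keeping that default branch is what makes the NULL contract hold.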
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft.c
@@ -39,6 +39,8 @@ #include <linux/netfilter/nf_tables_compat.h> #include <linux/netfilter/xt_limit.h> +#include <linux/netfilter/xt_NFLOG.h> +#include <linux/netfilter/xt_mark.h> #include <libmnl/libmnl.h> #include <libnftnl/gen.h> @@ -88,11 +90,11 @@ #define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize()) -/* selected batch page is 256 Kbytes long to load ruleset of - * half a million rules without hitting -EMSGSIZE due to large - * iovec. +/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M + * rules matching on source and destination address as well as input and output + * interfaces. This is what legacy iptables supports. */ -#define BATCH_PAGE_SIZE getpagesize() * 32 +#define BATCH_PAGE_SIZE 2 * 1024 * 1024 static struct nftnl_batch *mnl_batch_init(void) { @@ -143,7 +145,7 @@ static void mnl_err_list_node_add(struct list_head *err_list, int error, int seqnum) { - struct mnl_err *err = malloc(sizeof(struct mnl_err)); + struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err)); err->seqnum = seqnum; err->err = error; @@ -220,8 +222,10 @@ int err = 0; ret = mnl_nft_socket_sendmsg(h, numcmds); - if (ret == -1) + if (ret == -1) { + fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno)); return -1; + } FD_ZERO(&readfds); FD_SET(fd, &readfds); @@ -288,7 +292,7 @@ NFT_COMPAT_TABLE_FLUSH = "TABLE_FLUSH", NFT_COMPAT_CHAIN_ADD = "CHAIN_ADD", NFT_COMPAT_CHAIN_USER_ADD = "CHAIN_USER_ADD", - NFT_COMPAT_CHAIN_USER_DEL = "CHAIN_USER_DEL", + NFT_COMPAT_CHAIN_DEL = "CHAIN_DEL", NFT_COMPAT_CHAIN_USER_FLUSH = "CHAIN_USER_FLUSH", NFT_COMPAT_CHAIN_UPDATE = "CHAIN_UPDATE", NFT_COMPAT_CHAIN_RENAME = "CHAIN_RENAME", @@ -319,7 +323,7 @@ case NFT_COMPAT_CHAIN_ADD: case NFT_COMPAT_CHAIN_ZERO: case NFT_COMPAT_CHAIN_USER_ADD: - case NFT_COMPAT_CHAIN_USER_DEL: + case NFT_COMPAT_CHAIN_DEL: case NFT_COMPAT_CHAIN_USER_FLUSH: case NFT_COMPAT_CHAIN_UPDATE: case NFT_COMPAT_CHAIN_RENAME: 
@@ -360,10 +364,7 @@ { struct obj_update *obj; - obj = calloc(1, sizeof(struct obj_update)); - if (obj == NULL) - return NULL; - + obj = xtables_calloc(1, sizeof(struct obj_update)); obj->ptr = ptr; obj->error.lineno = h->error.lineno; obj->type = type; @@ -657,6 +658,7 @@ if (t == NULL) return -1; + nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, h->family); nftnl_table_set_str(t, NFTNL_TABLE_NAME, _t->name); ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t) ? 0 : - 1; @@ -665,7 +667,7 @@ } static struct nftnl_chain * -nft_chain_builtin_alloc(const struct builtin_table *table, +nft_chain_builtin_alloc(int family, const char *tname, const struct builtin_chain *chain, int policy) { struct nftnl_chain *c; @@ -674,7 +676,8 @@ if (c == NULL) return NULL; - nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table->name); + nftnl_chain_set_u32(c, NFTNL_CHAIN_FAMILY, family); + nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, tname); nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain->name); nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, chain->hook); nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, chain->prio); @@ -693,7 +696,7 @@ { struct nftnl_chain *c; - c = nft_chain_builtin_alloc(table, chain, NF_ACCEPT); + c = nft_chain_builtin_alloc(h->family, table->name, chain, NF_ACCEPT); if (c == NULL) return; @@ -864,7 +867,22 @@ return 0; } -int nft_init(struct nft_handle *h, int family, const struct builtin_table *t) +static const struct builtin_table *builtin_tables_lookup(int family) +{ + switch (family) { + case AF_INET: + case AF_INET6: + return xtables_ipv4; + case NFPROTO_ARP: + return xtables_arp; + case NFPROTO_BRIDGE: + return xtables_bridge; + default: + return NULL; + } +} + +int nft_init(struct nft_handle *h, int family) { memset(h, 0, sizeof(*h)); @@ -882,7 +900,7 @@ xtables_error(PARAMETER_PROBLEM, "Unknown family"); h->portid = mnl_socket_get_portid(h->nl); - h->tables = t; + h->tables = builtin_tables_lookup(family); h->cache = &h->__cache0; h->family = family; 
@@ -911,15 +929,16 @@ mnl_socket_close(h->nl); } -static void nft_chain_print_debug(struct nftnl_chain *c, struct nlmsghdr *nlh) +static void nft_chain_print_debug(struct nft_handle *h, + struct nftnl_chain *c, struct nlmsghdr *nlh) { -#ifdef NLDEBUG - char tmp1024; - - nftnl_chain_snprintf(tmp, sizeof(tmp), c, 0, 0); - printf("DEBUG: chain: %s\n", tmp); - mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg)); -#endif + if (h->verbose > 1) { + nftnl_chain_fprintf(stdout, c, 0, 0); + fprintf(stdout, "\n"); + } + if (h->verbose > 2) + mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, + sizeof(struct nfgenmsg)); } static struct nftnl_chain *nft_chain_new(struct nft_handle *h, @@ -943,7 +962,7 @@ _c = nft_chain_builtin_find(_t, chain); if (_c != NULL) { /* This is a built-in chain */ - c = nft_chain_builtin_alloc(_t, _c, policy); + c = nft_chain_builtin_alloc(h->family, _t->name, _c, policy); if (c == NULL) return NULL; } else { @@ -995,10 +1014,7 @@ nftnl_expr_set(e, NFTNL_EXPR_MT_NAME, m->u.user.name, strlen(m->u.user.name)); nftnl_expr_set_u32(e, NFTNL_EXPR_MT_REV, m->u.user.revision); - info = calloc(1, m->u.match_size); - if (info == NULL) - return -ENOMEM; - + info = xtables_calloc(1, m->u.match_size); memcpy(info, m->data, m->u.match_size - sizeof(*m)); nftnl_expr_set(e, NFTNL_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m)); 
@@ -1074,16 +1090,32 @@ } static struct nftnl_expr * -gen_payload(uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg) +__gen_payload(uint32_t base, uint32_t offset, uint32_t len, uint8_t reg) { struct nftnl_expr *e = nftnl_expr_alloc("payload"); if (!e) return NULL; + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base); nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset); nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len); - nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg); + nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, reg); + + return e; +} + +static struct nftnl_expr * +gen_payload(struct nft_handle *h, uint32_t base, uint32_t offset, uint32_t len, + uint8_t *dreg) +{ + struct nftnl_expr *e; + uint8_t reg; + + reg = NFT_REG_1; + e = __gen_payload(base, offset, len, reg); + *dreg = reg; + return e; } @@ -1101,9 +1133,6 @@ return e; } -/* simplified nftables:include/netlink.h, netlink_padded_len() */ -#define NETLINK_ALIGN 4 - /* from nftables:include/datatype.h, TYPE_BITS */ #define CONCAT_TYPE_BITS 6 @@ -1128,13 +1157,14 @@ struct nftnl_expr *e; struct nftnl_set *s; uint32_t flags = 0; + uint8_t reg; int idx = 0; if (ip) { type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR; len += sizeof(struct in_addr) + NETLINK_ALIGN - 1; len &= ~(NETLINK_ALIGN - 1); - flags = NFT_SET_INTERVAL; + flags = NFT_SET_INTERVAL | NFT_SET_CONCAT; } s = add_anon_set(h, table, flags, type, len, cnt); 
@@ -1168,21 +1198,23 @@ nftnl_set_elem_add(s, elem); } - e = gen_payload(NFT_PAYLOAD_LL_HEADER, - eth_addr_offdst, ETH_ALEN, NFT_REG_1); + e = gen_payload(h, NFT_PAYLOAD_LL_HEADER, + eth_addr_offdst, ETH_ALEN, ®); if (!e) return -ENOMEM; nftnl_rule_add_expr(r, e); if (ip) { - e = gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_offdst, - sizeof(struct in_addr), NFT_REG32_02); + reg = nft_get_next_reg(reg, ETH_ALEN); + e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_offdst, + sizeof(struct in_addr), reg); if (!e) return -ENOMEM; nftnl_rule_add_expr(r, e); } - e = gen_lookup(NFT_REG_1, "__set%d", set_id, inv); + reg = NFT_REG_1; + e = gen_lookup(reg, "__set%d", set_id, inv); if (!e) return -ENOMEM; nftnl_rule_add_expr(r, e); @@ -1199,9 +1231,10 @@ if ((data->src.cnt && data->src.ip) || (data->dst.cnt && data->dst.ip)) { uint16_t eth_p_ip = htons(ETH_P_IP); + uint8_t reg; - add_meta(r, NFT_META_PROTOCOL); - add_cmp_ptr(r, NFT_CMP_EQ, ð_p_ip, 2); + add_meta(h, r, NFT_META_PROTOCOL, ®); + add_cmp_ptr(r, NFT_CMP_EQ, ð_p_ip, 2, reg); } if (data->src.cnt) 
@@ -1214,6 +1247,208 @@ return 0; } +static int expr_gen_range_cmp16(struct nftnl_rule *r, + uint16_t lo, + uint16_t hi, + bool invert, uint8_t reg) +{ + struct nftnl_expr *e; + + if (lo == hi) { + add_cmp_u16(r, htons(lo), invert ? NFT_CMP_NEQ : NFT_CMP_EQ, reg); + return 0; + } + + if (lo == 0 && hi < 0xffff) { + add_cmp_u16(r, htons(hi) , invert ? NFT_CMP_GT : NFT_CMP_LTE, reg); + return 0; + } + + e = nftnl_expr_alloc("range"); + if (!e) + return -ENOMEM; + + nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_SREG, reg); + nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_OP, invert ? NFT_RANGE_NEQ : NFT_RANGE_EQ); + + lo = htons(lo); + nftnl_expr_set(e, NFTNL_EXPR_RANGE_FROM_DATA, &lo, sizeof(lo)); + hi = htons(hi); + nftnl_expr_set(e, NFTNL_EXPR_RANGE_TO_DATA, &hi, sizeof(hi)); + + nftnl_rule_add_expr(r, e); + return 0; +} + +static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r, + uint16_t src2, bool invert_src, + uint16_t dst2, bool invert_dst) +{ + struct nftnl_expr *expr; + uint8_t op = NFT_CMP_EQ; + uint8_t reg; + int ret; + + if (src0 && src0 == src1 && + dst0 && dst0 == dst1 && + invert_src == invert_dst) { + uint32_t combined = dst0 | (src0 << 16); + + if (invert_src) + op = NFT_CMP_NEQ; + + expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 4, ®); + if (!expr) + return -ENOMEM; + + nftnl_rule_add_expr(r, expr); + add_cmp_u32(r, htonl(combined), op, reg); + return 0; + } + + if (src0 || src1 < 0xffff) { + expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 2, ®); + if (!expr) + return -ENOMEM; + + nftnl_rule_add_expr(r, expr); + ret = expr_gen_range_cmp16(r, src0, src1, invert_src, reg); + if (ret) + return ret; + } + + if (dst0 || dst1 < 0xffff) { + expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 2, 2, ®); + if (!expr) + return -ENOMEM; + + nftnl_rule_add_expr(r, expr); + ret = expr_gen_range_cmp16(r, dst0, dst1, invert_dst, reg); + if (ret) + return ret; + } + + return 0; +} + +/* without this, "iptables -A INPUT -m udp" is + * turned into 
"iptables -A INPUT", which isn't + * compatible with iptables-legacy behaviour. + */ +static bool udp_all_zero(const struct xt_udp *u) +{ + static const struct xt_udp zero = { + .spts1 = 0xffff, + .dpts1 = 0xffff, + }; + + return memcmp(u, &zero, sizeof(*u)) == 0; +} + +static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r, + struct xt_entry_match *m) +{ + struct xt_udp *udp = (void *)m->data; + + if (udp->invflags > XT_UDP_INV_MASK || + udp_all_zero(udp)) { + struct nftnl_expr *expr = nftnl_expr_alloc("match"); + int ret; + + ret = __add_match(expr, m); + nftnl_rule_add_expr(r, expr); + return ret; + } + + if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP) + xtables_error(PARAMETER_PROBLEM, "UDP match requires '-p udp'"); + + return add_nft_tcpudp(h, r, udp->spts, udp->invflags & XT_UDP_INV_SRCPT, + udp->dpts, udp->invflags & XT_UDP_INV_DSTPT); +} + +static int add_nft_tcpflags(struct nft_handle *h, struct nftnl_rule *r, + uint8_t cmp, uint8_t mask, + bool invert) +{ + struct nftnl_expr *e; + uint8_t reg; + + e = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 13, 1, ®); + + if (!e) + return -ENOMEM; + + nftnl_rule_add_expr(r, e); + + add_bitwise(h, r, &mask, 1, reg, ®); + add_cmp_u8(r, cmp, invert ? 
NFT_CMP_NEQ : NFT_CMP_EQ, reg); + + return 0; +} + +static bool tcp_all_zero(const struct xt_tcp *t) +{ + static const struct xt_tcp zero = { + .spts1 = 0xffff, + .dpts1 = 0xffff, + }; + + return memcmp(t, &zero, sizeof(*t)) == 0; +} + +static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r, + struct xt_entry_match *m) +{ + static const uint8_t supported = XT_TCP_INV_SRCPT | XT_TCP_INV_DSTPT | XT_TCP_INV_FLAGS; + struct xt_tcp *tcp = (void *)m->data; + + if (tcp->invflags & ~supported || tcp->option || + tcp_all_zero(tcp)) { + struct nftnl_expr *expr = nftnl_expr_alloc("match"); + int ret; + + ret = __add_match(expr, m); + nftnl_rule_add_expr(r, expr); + return ret; + } + + if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_TCP) + xtables_error(PARAMETER_PROBLEM, "TCP match requires '-p tcp'"); + + if (tcp->flg_mask) { + int ret = add_nft_tcpflags(h, r, tcp->flg_cmp, tcp->flg_mask, + tcp->invflags & XT_TCP_INV_FLAGS); + + if (ret < 0) + return ret; + } + + return add_nft_tcpudp(h, r, tcp->spts, tcp->invflags & XT_TCP_INV_SRCPT, + tcp->dpts, tcp->invflags & XT_TCP_INV_DSTPT); +} + +static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r, + struct xt_entry_match *m) +{ + struct xt_mark_mtinfo1 *mark = (void *)m->data; + uint8_t reg; + int op; + + add_meta(h, r, NFT_META_MARK, ®); + if (mark->mask != 0xffffffff) + add_bitwise(h, r, (uint8_t *)&mark->mask, sizeof(uint32_t), reg, ®); + + if (mark->invert) + op = NFT_CMP_NEQ; + else + op = NFT_CMP_EQ; + + add_cmp_u32(r, mark->mark, op, reg); + + return 0; +} + int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m) { 
@@ -1224,6 +1459,12 @@ return add_nft_limit(r, m); else if (!strcmp(m->u.user.name, "among")) return add_nft_among(h, r, m); + else if (!strcmp(m->u.user.name, "udp")) + return add_nft_udp(h, r, m); + else if (!strcmp(m->u.user.name, "tcp")) + return add_nft_tcp(h, r, m); + else if (!strcmp(m->u.user.name, "mark")) + return add_nft_mark(h, r, m); expr = nftnl_expr_alloc("match"); if (expr == NULL) @@ -1243,10 +1484,7 @@ strlen(t->u.user.name)); nftnl_expr_set_u32(e, NFTNL_EXPR_TG_REV, t->u.user.revision); - info = calloc(1, t->u.target_size); - if (info == NULL) - return -ENOMEM; - + info = xtables_calloc(1, t->u.target_size); memcpy(info, t->data, t->u.target_size - sizeof(*t)); nftnl_expr_set(e, NFTNL_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t)); 
@@ -1327,38 +1565,66 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set) { - int ret = 0; - - /* If no target at all, add nothing (default to continue) */ - if (cs->target != NULL) { - /* Standard target? */ - if (strcmp(cs->jumpto, XTC_LABEL_ACCEPT) == 0) - ret = add_verdict(r, NF_ACCEPT); - else if (strcmp(cs->jumpto, XTC_LABEL_DROP) == 0) - ret = add_verdict(r, NF_DROP); - else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) - ret = add_verdict(r, NFT_RETURN); - else - ret = add_target(r, cs->target->t); - } else if (strlen(cs->jumpto) > 0) { - /* Not standard, then it's a go / jump to chain */ - if (goto_set) - ret = add_jumpto(r, cs->jumpto, NFT_GOTO); - else - ret = add_jumpto(r, cs->jumpto, NFT_JUMP); - } - return ret; -} - -static void nft_rule_print_debug(struct nftnl_rule *r, struct nlmsghdr *nlh) -{ -#ifdef NLDEBUG - char tmp1024; - - nftnl_rule_snprintf(tmp, sizeof(tmp), r, 0, 0); - printf("DEBUG: rule: %s\n", tmp); - mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg)); -#endif + int ret = 0; + + /* If no target at all, add nothing (default to continue) */ + if (cs->target != NULL) { + /* Standard target? 
*/ + if (strcmp(cs->jumpto, XTC_LABEL_ACCEPT) == 0) + ret = add_verdict(r, NF_ACCEPT); + else if (strcmp(cs->jumpto, XTC_LABEL_DROP) == 0) + ret = add_verdict(r, NF_DROP); + else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) + ret = add_verdict(r, NFT_RETURN); + else if (strcmp(cs->jumpto, "NFLOG") == 0) + ret = add_log(r, cs); + else + ret = add_target(r, cs->target->t); + } else if (strlen(cs->jumpto) > 0) { + /* Not standard, then it's a go / jump to chain */ + if (goto_set) + ret = add_jumpto(r, cs->jumpto, NFT_GOTO); + else + ret = add_jumpto(r, cs->jumpto, NFT_JUMP); + } + return ret; +} + +int add_log(struct nftnl_rule *r, struct iptables_command_state *cs) +{ + struct nftnl_expr *expr; + struct xt_nflog_info *info = (struct xt_nflog_info *)cs->target->t->data; + + expr = nftnl_expr_alloc("log"); + if (!expr) + return -ENOMEM; + + if (info->prefix0 != '\0') + nftnl_expr_set_str(expr, NFTNL_EXPR_LOG_PREFIX, + cs->target->udata); + + nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_GROUP, info->group); + if (info->flags & XT_NFLOG_F_COPY_LEN) + nftnl_expr_set_u32(expr, NFTNL_EXPR_LOG_SNAPLEN, + info->len); + if (info->threshold) + nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_QTHRESHOLD, + info->threshold); + + nftnl_rule_add_expr(r, expr); + return 0; +} + +static void nft_rule_print_debug(struct nft_handle *h, + struct nftnl_rule *r, struct nlmsghdr *nlh) +{ + if (h->verbose > 1) { + nftnl_rule_fprintf(stdout, r, 0, 0); + fprintf(stdout, "\n"); + } + if (h->verbose > 2) + mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, + sizeof(struct nfgenmsg)); } int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes) @@ -1427,7 +1693,7 @@ struct nftnl_rule * nft_rule_new(struct nft_handle *h, const char *chain, const char *table, - void *data) + struct iptables_command_state *cs) { struct nftnl_rule *r; 
@@ -1439,7 +1705,7 @@ nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table); nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); - if (h->ops->add(h, r, data) < 0) + if (h->ops->add(h, r, cs) < 0) goto err; return r; @@ -1488,15 +1754,16 @@ return 1; } -void +bool nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r, enum nft_rule_print type, unsigned int format) { const char *chain = nftnl_rule_get_str(r, NFTNL_RULE_CHAIN); struct iptables_command_state cs = {}; struct nft_family_ops *ops = h->ops; + bool ret; - ops->rule_to_cs(h, r, &cs); + ret = ops->rule_to_cs(h, r, &cs); if (!(format & (FMT_NOCOUNTS | FMT_C_COUNTS))) printf("%llu:%llu ", (unsigned long long)cs.counters.pcnt, @@ -1505,10 +1772,10 @@ /* print chain name */ switch(type) { case NFT_RULE_APPEND: - printf("-A %s ", chain); + printf("-A %s", chain); break; case NFT_RULE_DEL: - printf("-D %s ", chain); + printf("-D %s", chain); break; } @@ -1517,6 +1784,8 @@ if (ops->clear_cs) ops->clear_cs(&cs); + + return ret; } static bool nft_rule_is_policy_rule(struct nftnl_rule *r) @@ -1627,6 +1896,7 @@ struct nft_rule_save_data { struct nft_handle *h; unsigned int format; + unsigned int errors; }; static int nft_rule_save_cb(struct nft_chain *c, void *data) @@ -1641,7 +1911,11 @@ r = nftnl_rule_iter_next(iter); while (r != NULL) { - nft_rule_print_save(d->h, r, NFT_RULE_APPEND, d->format); + bool ret = nft_rule_print_save(d->h, r, NFT_RULE_APPEND, d->format); + + if (!ret) + d->errors++; + r = nftnl_rule_iter_next(iter); } @@ -1659,6 +1933,9 @@ ret = nft_chain_foreach(h, table, nft_rule_save_cb, &d); + if (ret == 0 && d.errors) + xtables_error(VERSION_PROBLEM, "Cannot decode all rules provided by kernel"); + /* the core expects 1 for success and 0 for error */ return ret == 0 ? 1 : 0; } @@ -1754,6 +2031,8 @@ return 1; } + nft_cache_sort_chains(h, table); + ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d); /* the core expects 1 for success and 0 for error */ 
@@ -1778,6 +2057,7 @@ if (c == NULL) return 0; + nftnl_chain_set_u32(c, NFTNL_CHAIN_FAMILY, h->family); nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table); nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain); if (h->family == NFPROTO_BRIDGE) @@ -1808,6 +2088,7 @@ if (!c) return 0; + nftnl_chain_set_u32(c, NFTNL_CHAIN_FAMILY, h->family); nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table); nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain); created = true; 
@@ -1841,51 +2122,71 @@ #define NLM_F_NONREC 0x100 /* Do not delete recursively */ #endif -struct chain_user_del_data { +struct chain_del_data { struct nft_handle *handle; + const char *chain; bool verbose; - int builtin_err; }; -static int __nft_chain_user_del(struct nft_chain *nc, void *data) +static bool nft_may_delete_chain(struct nftnl_chain *c) { - struct chain_user_del_data *d = data; + if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY) && + nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY) != NF_ACCEPT) + return false; + + return nftnl_rule_lookup_byindex(c, 0) == NULL; +} + +static int __nft_chain_del(struct nft_chain *nc, void *data) +{ + struct chain_del_data *d = data; struct nftnl_chain *c = nc->nftnl; struct nft_handle *h = d->handle; + bool builtin = nft_chain_builtin(c); + struct obj_update *obj; + int ret = 0; - /* don't delete built-in chain */ - if (nft_chain_builtin(c)) - return d->builtin_err; - - if (d->verbose) + if (d->verbose && !builtin) fprintf(stdout, "Deleting chain `%s'\n", nftnl_chain_get_str(c, NFTNL_CHAIN_NAME)); /* XXX This triggers a fast lookup from the kernel. 
*/ nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); - if (!batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c)) + obj = batch_chain_add(h, NFT_COMPAT_CHAIN_DEL, c); + if (!obj) return -1; + if (builtin) { + obj->skip = !nft_may_delete_chain(c); + if (obj->skip && d->chain) { + /* complain if explicitly requested */ + errno = EBUSY; + ret = -1; + } + *nc->base_slot = NULL; + } + /* nftnl_chain is freed when deleting the batch object */ nc->nftnl = NULL; nft_chain_list_del(nc); nft_chain_free(nc); - return 0; + return ret; } -int nft_chain_user_del(struct nft_handle *h, const char *chain, - const char *table, bool verbose) +int nft_chain_del(struct nft_handle *h, const char *chain, + const char *table, bool verbose) { - struct chain_user_del_data d = { + struct chain_del_data d = { .handle = h, + .chain = chain, .verbose = verbose, }; struct nft_chain *c; int ret = 0; - nft_fn = nft_chain_user_del; + nft_fn = nft_chain_del; if (chain) { c = nft_chain_find(h, table, chain); @@ -1893,14 +2194,15 @@ errno = ENOENT; return 0; } - d.builtin_err = -2; - ret = __nft_chain_user_del(c, &d); - if (ret == -2) - errno = EINVAL; + + ret = __nft_chain_del(c, &d); goto out; } - ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d); + if (verbose) + nft_cache_sort_chains(h, table); + + ret = nft_chain_foreach(h, table, __nft_chain_del, &d); out: /* the core expects 1 for success and 0 for error */ return ret == 0 ? 1 : 0; @@ -1948,6 +2250,7 @@ if (c == NULL) return 0; + nftnl_chain_set_u32(c, NFTNL_CHAIN_FAMILY, h->family); nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table); nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, newname); nftnl_chain_set_u64(c, NFTNL_CHAIN_HANDLE, handle); @@ -1996,6 +2299,7 @@ if (t == NULL) return -1; + nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, h->family); nftnl_table_set_str(t, NFTNL_TABLE_NAME, table); obj = batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, t); 
@@ -2054,15 +2358,18 @@ struct nftnl_rule *rule) { struct iptables_command_state _cs = {}, this = {}, *cs = &_cs; - bool ret = false; + bool ret = false, ret_this, ret_that; - h->ops->rule_to_cs(h, r, &this); - h->ops->rule_to_cs(h, rule, cs); + ret_this = h->ops->rule_to_cs(h, r, &this); + ret_that = h->ops->rule_to_cs(h, rule, cs); DEBUGP("comparing with... "); #ifdef DEBUG_DEL nft_rule_print_save(h, r, NFT_RULE_APPEND, 0); #endif + if (!ret_this || !ret_that) + DEBUGP("Cannot convert rules: %d %d\n", ret_this, ret_that); + if (!h->ops->is_same(cs, &this)) goto out; @@ -2367,7 +2674,6 @@ { struct nftnl_chain *c = nc->nftnl; const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); - bool basechain = !!nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM); uint32_t refs = nftnl_chain_get_u32(c, NFTNL_CHAIN_USE); uint32_t entries = nft_rule_count(h, c); struct xt_counters ctrs = { @@ -2376,11 +2682,12 @@ }; const char *pname = NULL; - if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY)) + if (nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) && + nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY)) pname = policy_namenftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY); h->ops->print_header(format, chain_name, pname, - &ctrs, basechain, refs - entries, entries); + &ctrs, refs - entries, entries); } struct nft_rule_list_cb_data { @@ -2437,6 +2744,8 @@ return 1; } + nft_cache_sort_chains(h, table); + if (ops->print_table_header) ops->print_table_header(table); @@ -2540,6 +2849,8 @@ return nft_rule_list_cb(c, &d); } + nft_cache_sort_chains(h, table); + /* Dump policies and custom chains first */ nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters); @@ -2569,10 +2880,11 @@ goto error; } - nft_rule_to_iptables_command_state(h, r, &cs); - + h->ops->rule_to_cs(h, r, &cs); cs.counters.pcnt = cs.counters.bcnt = 0; new_rule = nft_rule_new(h, chain, table, &cs); + h->ops->clear_cs(&cs); + if (!new_rule) return 1; 
@@ -2582,15 +2894,28 @@ return ret; } +static void nft_table_print_debug(struct nft_handle *h, + struct nftnl_table *t, struct nlmsghdr *nlh) +{ + if (h->verbose > 1) { + nftnl_table_fprintf(stdout, t, 0, 0); + fprintf(stdout, "\n"); + } + if (h->verbose > 2) + mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, + sizeof(struct nfgenmsg)); +} + static void nft_compat_table_batch_add(struct nft_handle *h, uint16_t type, uint16_t flags, uint32_t seq, struct nftnl_table *table) { struct nlmsghdr *nlh; - nlh = nftnl_table_nlmsg_build_hdr(nftnl_batch_buffer(h->batch), - type, h->family, flags, seq); + nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(h->batch), + type, h->family, flags, seq); nftnl_table_nlmsg_build_payload(nlh, table); + nft_table_print_debug(h, table, nlh); } static void nft_compat_set_batch_add(struct nft_handle *h, uint16_t type, @@ -2632,10 +2957,10 @@ { struct nlmsghdr *nlh; - nlh = nftnl_chain_nlmsg_build_hdr(nftnl_batch_buffer(h->batch), - type, h->family, flags, seq); + nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(h->batch), + type, h->family, flags, seq); nftnl_chain_nlmsg_build_payload(nlh, chain); - nft_chain_print_debug(chain, nlh); + nft_chain_print_debug(h, chain, nlh); } static void nft_compat_rule_batch_add(struct nft_handle *h, uint16_t type, @@ -2644,10 +2969,10 @@ { struct nlmsghdr *nlh; - nlh = nftnl_rule_nlmsg_build_hdr(nftnl_batch_buffer(h->batch), - type, h->family, flags, seq); + nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(h->batch), + type, h->family, flags, seq); nftnl_rule_nlmsg_build_payload(nlh, rule); - nft_rule_print_debug(rule, nlh); + nft_rule_print_debug(h, rule, nlh); } static void batch_obj_del(struct nft_handle *h, struct obj_update *o) @@ -2661,7 +2986,7 @@ case NFT_COMPAT_CHAIN_USER_ADD: case NFT_COMPAT_CHAIN_ADD: break; - case NFT_COMPAT_CHAIN_USER_DEL: + case NFT_COMPAT_CHAIN_DEL: case NFT_COMPAT_CHAIN_USER_FLUSH: case NFT_COMPAT_CHAIN_UPDATE: case NFT_COMPAT_CHAIN_RENAME: 
@@ -2743,10 +3068,14 @@ n->skip = !nft_chain_find(h, tablename, chainname); break; + case NFT_COMPAT_CHAIN_DEL: + if (!nftnl_chain_get(n->chain, NFTNL_CHAIN_HOOKNUM)) + break; + n->skip = !nft_may_delete_chain(n->chain); + break; case NFT_COMPAT_TABLE_ADD: case NFT_COMPAT_CHAIN_ADD: case NFT_COMPAT_CHAIN_ZERO: - case NFT_COMPAT_CHAIN_USER_DEL: case NFT_COMPAT_CHAIN_USER_FLUSH: case NFT_COMPAT_CHAIN_UPDATE: case NFT_COMPAT_CHAIN_RENAME: @@ -2812,7 +3141,7 @@ NLM_F_EXCL, n->seq, n->chain); break; - case NFT_COMPAT_CHAIN_USER_DEL: + case NFT_COMPAT_CHAIN_DEL: nft_compat_chain_batch_add(h, NFT_MSG_DELCHAIN, NLM_F_NONREC, n->seq, n->chain); @@ -3050,6 +3379,8 @@ nft_cache_build(h); list_for_each_entry_safe(cmd, next, &h->cmd_list, head) { + h->error.lineno = cmd->error.lineno; + switch (cmd->command) { case NFT_COMPAT_TABLE_FLUSH: ret = nft_table_flush(h, cmd->table); @@ -3057,9 +3388,9 @@ case NFT_COMPAT_CHAIN_USER_ADD: ret = nft_chain_user_add(h, cmd->chain, cmd->table); break; - case NFT_COMPAT_CHAIN_USER_DEL: - ret = nft_chain_user_del(h, cmd->chain, cmd->table, - cmd->verbose); + case NFT_COMPAT_CHAIN_DEL: + ret = nft_chain_del(h, cmd->chain, cmd->table, + cmd->verbose); break; case NFT_COMPAT_CHAIN_RESTORE: ret = nft_chain_restore(h, cmd->chain, cmd->table); @@ -3115,7 +3446,7 @@ case NFT_COMPAT_RULE_CHECK: assert_chain_exists(h, cmd->table, cmd->jumpto); ret = nft_rule_check(h, cmd->chain, cmd->table, - cmd->obj.rule, cmd->rulenum); + cmd->obj.rule, cmd->verbose); break; case NFT_COMPAT_RULE_ZERO: ret = nft_rule_zero_counters(h, cmd->chain, cmd->table, 
@@ -3245,6 +3576,20 @@ err: mnl_socket_close(nl); + /* ignore EPERM and errors for revision 0 - + * this is required for printing extension help texts as user, also + * helps error messaging on unavailable kernel extension */ + if (ret < 0) { + if (errno == EPERM) + return 1; + if (rev == 0) { + fprintf(stderr, + "Warning: Extension %s revision 0 not supported, missing kernel module?\n", + name); + return 1; + } + } + return ret < 0 ? 0 : 1; } @@ -3258,10 +3603,9 @@ const char *message; } table = { - { nft_chain_user_del, ENOTEMPTY, "Chain is not empty" }, - { nft_chain_user_del, EINVAL, "Can't delete built-in chain" }, - { nft_chain_user_del, EBUSY, "Directory not empty" }, - { nft_chain_user_del, EMLINK, + { nft_chain_del, ENOTEMPTY, "Chain is not empty" }, + { nft_chain_del, EBUSY, "Directory not empty" }, + { nft_chain_del, EMLINK, "Can't delete chain with references left" }, { nft_chain_user_add, EEXIST, "Chain already exists" }, { nft_chain_user_rename, EEXIST, "File exists" }, @@ -3431,6 +3775,9 @@ goto err; } + if (verbose) + nft_cache_sort_chains(h, table); + ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d); err: /* the core expects 1 for success and 0 for error */ @@ -3455,6 +3802,7 @@ "counter", "immediate", "lookup", + "range", }; @@ -3473,6 +3821,10 @@ nftnl_expr_get_u32(expr, NFTNL_EXPR_LIMIT_FLAGS) == 0) return 0; + if (!strcmp(name, "log") && + nftnl_expr_is_set(expr, NFTNL_EXPR_LOG_GROUP)) + return 0; + return -1; } 
@@ -3484,38 +3836,8 @@ static int nft_is_chain_compatible(struct nft_chain *nc, void *data) { struct nftnl_chain *c = nc->nftnl; - const struct builtin_table *table; - const struct builtin_chain *chain; - const char *tname, *cname, *type; - struct nft_handle *h = data; - enum nf_inet_hooks hook; - int prio; - - if (nftnl_rule_foreach(c, nft_is_rule_compatible, NULL)) - return -1; - - if (!nft_chain_builtin(c)) - return 0; - tname = nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE); - table = nft_table_builtin_find(h, tname); - if (!table) - return -1; - - cname = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); - chain = nft_chain_builtin_find(table, cname); - if (!chain) - return -1; - - type = nftnl_chain_get_str(c, NFTNL_CHAIN_TYPE); - prio = nftnl_chain_get_u32(c, NFTNL_CHAIN_PRIO); - hook = nftnl_chain_get_u32(c, NFTNL_CHAIN_HOOKNUM); - if (strcmp(type, chain->type) || - prio != chain->prio || - hook != chain->hook) - return -1; - - return 0; + return nftnl_rule_foreach(c, nft_is_rule_compatible, NULL); } bool nft_is_table_compatible(struct nft_handle *h, @@ -3530,13 +3852,24 @@ return !nft_chain_foreach(h, table, nft_is_chain_compatible, h); } +bool nft_is_table_tainted(struct nft_handle *h, const char *table) +{ + const struct builtin_table *t = nft_table_builtin_find(h, table); + + return t ? h->cache->tablet->type.tainted : false; +} + void nft_assert_table_compatible(struct nft_handle *h, const char *table, const char *chain) { const char *pfx = "", *sfx = ""; - if (nft_is_table_compatible(h, table, chain)) + if (nft_is_table_compatible(h, table, chain)) { + if (nft_is_table_tainted(h, table)) + printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n", + table); return; + } if (chain) { pfx = "chain `"; @@ -3545,6 +3878,6 @@ chain = ""; } xtables_error(OTHER_PROBLEM, - "%s%s%stable `%s' is incompatible, use 'nft' tool.\n", + "%s%s%stable `%s' is incompatible, use 'nft' tool.", pfx, chain, sfx, table); }
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/nft.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/nft.h
Changed
@@ -44,6 +44,8 @@ struct nft_chain_list *chains; struct nftnl_set_list *sets; bool exists; + bool sorted; + bool tainted; } tableNFT_TABLE_MAX; }; @@ -52,7 +54,7 @@ NFT_COMPAT_TABLE_FLUSH, NFT_COMPAT_CHAIN_ADD, NFT_COMPAT_CHAIN_USER_ADD, - NFT_COMPAT_CHAIN_USER_DEL, + NFT_COMPAT_CHAIN_DEL, NFT_COMPAT_CHAIN_USER_FLUSH, NFT_COMPAT_CHAIN_UPDATE, NFT_COMPAT_CHAIN_RENAME, @@ -107,6 +109,7 @@ int8_t config_done; struct list_head cmd_list; bool cache_init; + int verbose; /* meta data, for error reporting */ struct { @@ -121,7 +124,7 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, int (*cb)(const struct nlmsghdr *nlh, void *data), void *data); -int nft_init(struct nft_handle *h, int family, const struct builtin_table *t); +int nft_init(struct nft_handle *h, int family); void nft_fini(struct nft_handle *h); int nft_restart(struct nft_handle *h); @@ -146,7 +149,7 @@ int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters); int nft_chain_save(struct nft_chain *c, void *data); int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table); -int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table, bool verbose); +int nft_chain_del(struct nft_handle *h, const char *chain, const char *table, bool verbose); int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table); int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname); int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose); 
@@ -170,7 +173,7 @@ */ struct nftnl_rule; -struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, void *data); +struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cs); int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose); int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose); int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose); @@ -192,6 +195,7 @@ int add_target(struct nftnl_rule *r, struct xt_entry_target *t); int add_jumpto(struct nftnl_rule *r, const char *name, int verdict); int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set); +int add_log(struct nftnl_rule *r, struct iptables_command_state *cs); char *get_comment(const void *data, uint32_t data_len); enum nft_rule_print { @@ -199,7 +203,7 @@ NFT_RULE_DEL, }; -void nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r, +bool nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r, enum nft_rule_print type, unsigned int format); uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag); @@ -261,6 +265,7 @@ bool nft_is_table_compatible(struct nft_handle *h, const char *table, const char *chain); +bool nft_is_table_tainted(struct nft_handle *h, const char *table); void nft_assert_table_compatible(struct nft_handle *h, const char *table, const char *chain);
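Review bot: The new `sorted` and `tainted` fields of the per-table cache struct (first hunk) and the new `int verbose` member of `struct nft_handle` carry no comment, so their meaning has to be recovered from nft.c. From the nft.c changes, `tainted` is what `nft_is_table_tainted()` reports and triggers the "contains incompatible base-chains" notice, and `verbose` is read as a level in `nft_rule_print_debug()` (`> 1` dumps the batch object, `> 2` the netlink message); `sorted` presumably tracks `nft_cache_sort_chains()`, which I could not confirm from the visible hunks. I would document them inline: `bool tainted; /* table has base chains iptables cannot represent, see nft_is_table_tainted() */` and `int verbose; /* debug level: >1 prints batch objects, >2 also raw netlink */`, with a hedged `/* chain list already sorted by nft_cache_sort_chains()? */` on `sorted` until confirmed.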
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/run-tests.sh -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/run-tests.sh
Changed
@@ -21,7 +21,6 @@ msg_error() { echo "E: $1 ..." >&2 - exit 1 } msg_warn() { @@ -34,10 +33,12 @@ if "$(id -u)" != "0" ; then msg_error "this requires root!" + exit 77 fi if ! -d "$TESTDIR" ; then msg_error "missing testdir $TESTDIR" + exit 99 fi # support matching repeated pattern in SINGLE check below @@ -76,6 +77,7 @@ ;; *) msg_error "unknown parameter '$1'" + exit 99 ;; esac done @@ -122,7 +124,8 @@ if "$VALGRIND" == "y" ; then tmpd=$(mktemp -d) msg_info "writing valgrind logs to $tmpd" - chmod a+rx $tmpd + # let nobody write logs, too (././testcases/iptables/0008-unprivileged_0) + chmod 777 $tmpd printscript "$XTABLES_NFT_MULTI" "$tmpd" >${tmpd}/xtables-nft-multi printscript "$XTABLES_LEGACY_MULTI" "$tmpd" >${tmpd}/xtables-legacy-multi trap "rm ${tmpd}/xtables-*-multi" EXIT @@ -195,4 +198,4 @@ msg_info "combined results: OK $ok FAILED $failed TOTAL $((ok+failed))" -exit 0 +exit -$failed
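Review bot: `exit -$failed` in the last hunk is not a reliable failure signal: the shell truncates the status to 8 bits, so the reported code is 256 minus the count and exactly 256 failures exit 0, which a CI runner reads as success. A bounded status such as `exit $((failed > 0 ? 1 : 0))` (or `exit $((failed > 255 ? 255 : failed))` if the count is wanted) avoids the wraparound. Separately, in the valgrind hunk `chmod 777 $tmpd` makes the directory holding the generated `xtables-*-multi` wrapper scripts world-writable; without the sticky bit any local user can unlink and replace those wrappers before the root-run test cases invoke them. If the intent is only to let the unprivileged test write its logs, `chmod 1777 $tmpd` or a separate writable log subdirectory keeps the wrappers intact.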
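--- a/_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/chain/0004extra-base_0
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/chain/0004extra-base_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+case $XT_MULTI in
+*xtables-nft-multi)
+ ;;
+*)
+ echo skip $XT_MULTI
+ exit 0
+ ;;
+esac
+
+set -e
+
+nft -f - <<EOF
+table ip filter {
+ chain a {
+ type filter hook input priority filter
+ }
+
+ chain INPUT {
+ type filter hook input priority filter
+ counter packets 218 bytes 91375 accept
+ }
+
+ chain x {
+ type filter hook input priority filter
+ }
+}
+EOF
+
+EXPECT="# Table \`filter' contains incompatible base-chains, use 'nft' tool to list them.
+-P INPUT ACCEPT
+-P FORWARD ACCEPT
+-P OUTPUT ACCEPT
+-A INPUT -j ACCEPT"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S)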
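--- a/_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/chain/0005base-delete_0
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/chain/0005base-delete_0
@@ -0,0 +1,34 @@
+#!/bin/bash -x
+
+$XT_MULTI iptables -N foo || exit 1
+$XT_MULTI iptables -P FORWARD DROP || exit 1
+$XT_MULTI iptables -X || exit 1
+$XT_MULTI iptables -X foo && exit 1
+
+# indefinite -X fails if a non-empty user-defined chain exists
+$XT_MULTI iptables -N foo
+$XT_MULTI iptables -N bar
+$XT_MULTI iptables -A bar -j ACCEPT
+$XT_MULTI iptables -X && exit 1
+$XT_MULTI iptables -D bar -j ACCEPT
+$XT_MULTI iptables -X || exit 1
+
+# make sure OUTPUT chain is created by iptables-nft
+$XT_MULTI iptables -A OUTPUT -j ACCEPT || exit 1
+$XT_MULTI iptables -D OUTPUT -j ACCEPT || exit 1
+
+case $XT_MULTI in
+*xtables-nft-multi)
+ # must not delete chain FORWARD, its policy is not ACCEPT
+ $XT_MULTI iptables -X FORWARD && exit 1
+ nft list chain ip filter FORWARD || exit 1
+ # this should evict chain OUTPUT
+ $XT_MULTI iptables -X OUTPUT || exit 1
+ nft list chain ip filter OUTPUT && exit 1
+ ;;
+*)
+ $XT_MULTI iptables -X FORWARD && exit 1
+ $XT_MULTI iptables -X OUTPUT && exit 1
+ ;;
+esac
+exit 0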
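--- a/_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/chain/0006rename-segfault_0
+++ b/_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/chain/0006rename-segfault_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Cover for a bug in libiptc:
+# - the chain 'node-98-tmp' is the last in the list sorted by name
+# - there are 81 chains in total, so three chain index buckets
+# - the last index bucket contains only the 'node-98-tmp' chain
+# => rename temporarily removes it from the bucket, leaving a NULL bucket
+# behind which is dereferenced later when inserting the chain again with new
+# name again
+
+(
+ echo "*filter"
+ for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do
+ echo ":$chain - 0:0"
+ done
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore
+$XT_MULTI iptables -E node-98-tmp node-98
+exit $?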
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
Changed
@@ -13,8 +13,8 @@ $XT_MULTI ebtables -P FORWARD DROP $XT_MULTI ebtables -A OUTPUT -s ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -j DROP $XT_MULTI ebtables -N foo -$XT_MULTI ebtables -A foo --802_3-sap 0x23 -j ACCEPT -$XT_MULTI ebtables -A foo --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0x23 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT #$XT_MULTI ebtables -A foo --among-dst fe:ed:ba:be:00:01,fe:ed:ba:be:00:02,fe:ed:ba:be:00:03 -j ACCEPT $XT_MULTI ebtables -A foo -p ARP --arp-gratuitous -j ACCEPT $XT_MULTI ebtables -A foo -p ARP --arp-opcode Request -j ACCEPT @@ -44,7 +44,7 @@ $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT #$XT_MULTI ebtables -A foo --vlan-id 42 -j ACCEPT -$XT_MULTI ebtables -A foo --802_3-sap 0x23 --limit 100 -j ACCEPT +$XT_MULTI ebtables -A foo -p length --802_3-sap 0x23 --limit 100 -j ACCEPT $XT_MULTI ebtables -A foo --pkttype-type multicast --log $XT_MULTI ebtables -A foo --pkttype-type multicast --limit 100 -j ACCEPT @@ -75,8 +75,8 @@ -A INPUT -p IPv4 -i lo -j ACCEPT -A FORWARD -j foo -A OUTPUT -s Broadcast -j DROP --A foo --802_3-sap 0x23 -j ACCEPT --A foo --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT +-A foo -p Length --802_3-sap 0x23 -j ACCEPT +-A foo -p Length --802_3-sap 0xaa --802_3-type 0x1337 -j ACCEPT -A foo -p ARP --arp-gratuitous -j ACCEPT -A foo -p ARP --arp-op Request -j ACCEPT -A foo -p ARP --arp-ip-src 10.0.0.1 -j ACCEPT 
@@ -91,13 +91,13 @@ -A foo -p IPv6 --ip6-dst feed:babe::/64 -j ACCEPT -A foo -p IPv6 --ip6-proto tcp -j ACCEPT -A foo --limit 100/sec --limit-burst 42 -j ACCEPT --A foo --log-level notice --log-prefix "" -j CONTINUE +-A foo --log-level notice -j CONTINUE -A foo -j mark --mark-set 0x23 --mark-target ACCEPT -A foo --nflog-group 1 -j CONTINUE -A foo --pkttype-type multicast -j ACCEPT -A foo --stp-type config -j ACCEPT --A foo --802_3-sap 0x23 --limit 100/sec --limit-burst 5 -j ACCEPT --A foo --pkttype-type multicast --log-level notice --log-prefix "" -j CONTINUE +-A foo -p Length --802_3-sap 0x23 --limit 100/sec --limit-burst 5 -j ACCEPT +-A foo --pkttype-type multicast --log-level notice -j CONTINUE -A foo --pkttype-type multicast --limit 100/sec --limit-burst 5 -j ACCEPT *nat :PREROUTING ACCEPT
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0
Changed
@@ -24,7 +24,7 @@ -A FORWARD --limit 100/sec --limit-burst 42 -j ACCEPT -A FORWARD --limit 1000/sec --limit-burst 5 -j ACCEPT -A FORWARD --log-level notice --log-prefix "foobar" -j CONTINUE --A FORWARD --log-level notice --log-prefix "" -j CONTINUE' +-A FORWARD --log-level notice -j CONTINUE' $XT_MULTI ebtables --init-table $XT_MULTI ebtables-restore <<<$DUMP
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ebtables/0006-flush_0
Added
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+set -e
+
+# there is no legacy backend to test
+ $XT_MULTI == *xtables-nft-multi || { echo "skip $XT_MULTI"; exit 0; }
+
+RULESET='*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
+-A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
+*nat
+:PREROUTING ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+-A OUTPUT --among-src c0:ff:ee:90:90:90=192.168.0.1 -j DROP'
+
+$XT_MULTI ebtables-restore <<<$RULESET
+diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#')
+
+RULESET='*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A FORWARD --among-dst fe:ed:ba:be:13:37=10.0.0.1 -j ACCEPT
+-A OUTPUT --among-src c0:ff:ee:90:0:0=192.168.0.1 -j DROP
+*nat
+:PREROUTING ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT'
+
+$XT_MULTI ebtables -t nat -F
+diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#')
+
+RULESET='*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+*nat
+:PREROUTING ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT'
+
+$XT_MULTI ebtables -t filter -F
+diff -u <(echo -e "$RULESET") <($XT_MULTI ebtables-save | grep -v '^#')
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0
Added
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+set -e
+
+# ebtables supports policies in user-defined chains %)
+# and the default policy is ACCEPT ...
+$XT_MULTI ebtables -N FOO -P DROP
+$XT_MULTI ebtables -N BAR
+$XT_MULTI ebtables -P BAR RETURN
+$XT_MULTI ebtables -N BAZ
+
+EXPECT_BASE="*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT"
+
+EXPECT="$EXPECT_BASE
+:BAR RETURN
+:BAZ ACCEPT
+:FOO DROP"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#')
+
+# rule commands must not break the policies
+$XT_MULTI ebtables -A FOO -j ACCEPT
+$XT_MULTI ebtables -D FOO -j ACCEPT
+$XT_MULTI ebtables -F
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#')
+
+# dropping the chains must implicitly remove the policy rule as well
+$XT_MULTI ebtables -X
+diff -u -Z <(echo -e "$EXPECT_BASE") <($XT_MULTI ebtables-save | grep -v '^#')
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
Added
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+sfx=$(mktemp -u "XXXXXXXX")
+nsa="nsa-$sfx"
+nsb="nsb-$sfx"
+nsc="nsc-$sfx"
+
+cleanup()
+{
+ ip netns del "$nsa"
+ ip netns del "$nsb"
+ ip netns del "$nsc"
+}
+
+trap cleanup EXIT
+
+assert_fail()
+{
+ if $1 -eq 0 ; then
+ echo "FAILED: $2"
+ exit 1
+ fi
+}
+
+assert_pass()
+{
+ if $1 -ne 0 ; then
+ echo "FAILED: $2"
+ exit 2
+ fi
+}
+
+ip netns add "$nsa"
+ip netns add "$nsb"
+ip netns add "$nsc"
+
+ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb"
+ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb"
+ip netns exec "$nsb" ip link add name br0 type bridge
+
+ip -net "$nsb" link set b_c up
+ip netns exec "$nsb" ip link set b_s up
+ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0
+ip netns exec "$nsb" ip link set br0 up
+ip netns exec "$nsb" ip link set b_c master br0
+ip netns exec "$nsb" ip link set b_s master br0
+ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b
+ip netns exec "$nsc" ip link set c_b up
+ip -net "$nsa" addr add 10.167.11.1/24 dev s_b
+ip -net "$nsa" link set s_b up
+
+ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1
+
+bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address`
+bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address`
+bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address`
+bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address`
+
+bf_server_ip1="10.167.11.1"
+bf_bridge_ip0="10.167.11.254"
+bf_client_ip1="10.167.11.2"
+pktsize=64
+
+# --among-src mac,IP
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_fail $? 
"--among-src match"
+
+# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc
+
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src ! $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_pass $? "--among-src not match"
+
+# --among-dst mac,IP
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_fail $? "--among-dst match"
+
+# --among-dst ! mac,IP
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst ! $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_pass $? "--among-dst not match"
+
+exit 0
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ip6tables/0002-verbose-output_0
Changed
@@ -6,23 +6,38 @@ # ensure verbose output is identical between legacy and nft tools RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT' -VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2' +VOUT1='ACCEPT all opt -- in eth2 out eth3 feed:babe::1 -> feed:babe::2' RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT' -VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5' +VOUT2='ACCEPT all opt -- in eth2 out eth3 feed:babe::4 -> feed:babe::5' +RULE3='-p icmpv6 -m icmp6 --icmpv6-type no-route' +VOUT3=' ipv6-icmp opt -- in * out * ::/0 -> ::/0 ipv6-icmptype 1 code 0' +RULE4='-m dst --dst-len 42 -m rt --rt-type 23' +VOUT4=' all opt -- in * out * ::/0 -> ::/0 dst length:42 rt type:23' +RULE5='-m frag --fragid 1337 -j LOG' +VOUT5='LOG all opt -- in * out * ::/0 -> ::/0 frag id:1337 LOG flags 0 level 4' diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -A FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -A FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -A FORWARD $RULE5) diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1) diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2) +diff -u -Z <(echo -e "$VOUT3") <($XT_MULTI ip6tables -v -C FORWARD $RULE3) +diff -u -Z <(echo -e "$VOUT4") <($XT_MULTI ip6tables -v -C FORWARD $RULE4) +diff -u -Z <(echo -e "$VOUT5") <($XT_MULTI ip6tables -v -C FORWARD $RULE5) EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2 - 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 ACCEPT 0 -- eth2 eth3 feed:babe::1 feed:babe::2 + 0 0 
ACCEPT 0 -- eth2 eth3 feed:babe::4 feed:babe::5 + 0 0 58 -- * * ::/0 ::/0 ipv6-icmptype 1 code 0 + 0 0 0 -- * * ::/0 ::/0 dst length:42 rt type:23 + 0 0 LOG 0 -- * * ::/0 ::/0 frag id:1337 LOG flags 0 level 4 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination'
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
Added
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+$XT_MULTI ip6tables-restore <<EOF
+*filter
+-A FORWARD -s feed:babe::/ffff::0
+-A FORWARD -s feed:babe::/ffff:ff00::0
+-A FORWARD -s feed:babe::/ffff:fff0::0
+-A FORWARD -s feed:babe::/ffff:ffff::0
+-A FORWARD -s feed:babe::/0:ffff::0
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
+COMMIT
+EOF
+
+EXPECT='-P FORWARD ACCEPT
+-A FORWARD -s feed::/16
+-A FORWARD -s feed:ba00::/24
+-A FORWARD -s feed:bab0::/28
+-A FORWARD -s feed:babe::/32
+-A FORWARD -s 0:babe::/0:ffff::
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0
Changed
@@ -2,7 +2,7 @@ set -e -# make sure wait and wait-interval options are accepted +# make sure wait options are accepted clean_tempfile() { @@ -18,4 +18,3 @@ $XT_MULTI iptables-save -f $tmpfile $XT_MULTI iptables-restore $tmpfile $XT_MULTI iptables-restore -w 5 $tmpfile -$XT_MULTI iptables-restore -w 5 -W 1 $tmpfile
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
Changed
@@ -12,5 +12,5 @@ EXPECT='Chain FORWARD (policy ACCEPT) target prot opt source destination -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ' +ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 ' diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
Changed
@@ -33,6 +33,7 @@ Flushing chain \`foo' Deleting chain \`bar' Deleting chain \`foo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 Flushing chain \`PREROUTING' Flushing chain \`INPUT' Flushing chain \`OUTPUT' @@ -41,6 +42,7 @@ Flushing chain \`natfoo' Deleting chain \`natbar' Deleting chain \`natfoo' +ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 Flushing chain \`PREROUTING' Flushing chain \`OUTPUT' Flushing chain \`rawfoo' @@ -58,9 +60,10 @@ Flushing chain \`secfoo' Deleting chain \`secfoo'" -for ipt in iptables-restore ip6tables-restore; do - diff -u -Z <(echo "$EXPECT") <($XT_MULTI $ipt -v <<< "$DUMP") -done +EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' <<< "$EXPECT") + +diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP") +diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP") DUMP="*filter :baz - 0:0
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
Changed
@@ -1,13 +1,5 @@ #!/bin/bash -case "$(basename $XT_MULTI)" in - xtables-legacy-multi) - ;; - *) - echo "skip $XT_MULTI" - exit 0 - ;; -esac - dump=$(dirname $0)/dumps/fedora27-iptables diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml <$dump) +diff -u -Z <(cat ${dump}.xml) <($XT_MULTI iptables-xml -c <$dump)
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
Added
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Test recent performance improvements in iptables-save due to reduced
+# overhead.
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET=$(
+ echo "*filter"
+ for ((i = 0; i < 100; i++)); do
+ echo ":mychain$i -"
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
+ done
+ echo "COMMIT"
+)
+
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
+
+do_grep() { # (name, threshold, pattern)
+ local cnt=$(grep -c "$3")
+ $cnt -le $2 && return 0
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
+ exit 1
+}
+
+# iptables prefers hard-coded protocol names instead of looking them up first
+
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
+
+# iptables-nft-save pointlessly checked whether chain jumps are targets
+
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
+
+exit 0
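Review bot: The skip guard on the `strace --version` line only proves that the binary is installed, not that tracing is permitted; where ptrace is restricted (a hardened kernel.yama.ptrace_scope, a container seccomp profile, a build sandbox) strace fails to attach, RESTORE_STRACE and SAVE_STRACE then hold only the error text, and every do_grep check passes vacuously because neither `/etc/protocols` nor `libxt_` occurs in it. Probe an actual trace instead, e.g. `strace -o /dev/null true 2>/dev/null || { echo "skip for unusable strace"; exit 0; }`. A one-line comment above the two RESTORE_STRACE/SAVE_STRACE assignments saying that the counts are the observable side effect of the reordered proto_to_name lookup would also tell a future reader why a performance test greps for a file path.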
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
Changed
@@ -21,8 +21,8 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination - 0 0 ACCEPT all -- eth2 eth3 10.0.0.1 10.0.0.2 - 0 0 ACCEPT all -- eth2 eth3 10.0.0.4 10.0.0.5 + 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.1 10.0.0.2 + 0 0 ACCEPT 0 -- eth2 eth3 10.0.0.4 10.0.0.5 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination' @@ -54,3 +54,14 @@ diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar) diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar) + +# make sure non-verbose mode is silent +diff -u <(echo -n "") <( + $XT_MULTI iptables -N foobar + $XT_MULTI iptables -A foobar $RULE1 + $XT_MULTI iptables -A foobar $RULE2 + $XT_MULTI iptables -C foobar $RULE1 + $XT_MULTI iptables -D foobar $RULE2 + $XT_MULTI iptables -F foobar + $XT_MULTI iptables -X foobar +)
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/tests/shell/testcases/iptables/0004-return-codes_0 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/iptables/0004-return-codes_0
Changed
@@ -39,7 +39,7 @@ E2BIG_R=": Index of replacement too big." EBADRULE=": Bad rule (does a matching rule exist in that chain?)." #ENOTGT=" v0-9\.* ^ *: Couldn't load target \`foobar':No such file or directory" -ENOMTH=" v0-9\.* ^ *: Couldn't load match \`foobar':No such file or directory" +ENOMTH=" v0-9\.* ^ *: Couldn't \(load\|find\) match \`foobar'\(:No such file or directory\|\)" ENOTBL=": can't initialize iptables table \`foobar': Table does not exist" # test chain creation
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
Added
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+RC=0
+COUNTR=$RANDOM$RANDOM
+
+$XT_MULTI iptables-restore -c <<EOF
+*filter
+:INPUT ACCEPT 1:23
+:FOO - 0:0
+12:345 -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+22:123 -A FOO -m comment --comment one
+44:123 -A FOO -m comment --comment two
+66:123 -A FOO -m comment --comment three
+COMMIT
+EOF
+EXPECT="*filter
+:INPUT ACCEPT 0:0
+:FORWARD ACCEPT 0:0
+:OUTPUT ACCEPT 0:0
+:FOO - 0:0
+0:0 -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+0:0 -A FOO -m comment --comment one
+0:0 -A FOO -m comment --comment two
+0:0 -A FOO -m comment --comment three
+COMMIT"
+
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if $COUNTER != "12:345" ; then
+ echo "Counter $COUNTER is wrong, expected 12:345"
+ RC=1
+fi
+
+$XT_MULTI iptables -Z FOO 2
+COUNTER=$($XT_MULTI iptables-save -c | grep "comment two"| cut -f 1 -d " ")
+if $COUNTER != "0:0" ; then
+ echo "Counter $COUNTER is wrong, should have been zeroed"
+ RC=1
+fi
+COUNTER=$($XT_MULTI iptables-save -c | grep "comment three"| cut -f 1 -d " ")
+if $COUNTER != "66:123" ; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
+$XT_MULTI iptables -Z FOO
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if $COUNTER = "0:0" ; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
+for c in one two; do
+ COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
+ if $COUNTER != "0:0" ; then
+ echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
+ RC=1
+ fi
+done
+
+$XT_MULTI iptables -Z
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+
+if $COUNTER != "0:0" ; then
+ echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
+ RC=1
+fi
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
+if $? 
-ne 0 ; then
+ echo "Diff error: counters were not zeroed"
+ RC=1
+fi
+
+$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+$XT_MULTI iptables -D FOO -m comment --comment one
+$XT_MULTI iptables -D FOO -m comment --comment two
+$XT_MULTI iptables -D FOO -m comment --comment three
+$XT_MULTI iptables -X FOO
+exit $RC
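Review bot: Every `if $COUNTER != ...` / `if $COUNTER = ...` test expands COUNTER unquoted, so when the preceding `grep | cut` pipeline matches nothing (a rule that failed to restore, or a comment collision) the operand is empty and the test becomes a shell syntax error instead of a counted failure with a readable message; quote it as `"$COUNTER"` in all six comparisons, including the one inside the `for c in one two` loop. `COUNTR=$RANDOM$RANDOM` is a collision-avoidance nonce for the comment text rather than test data, and a short comment saying so would prevent someone "simplifying" it away, e.g. `# random comment text so the save output can be grepped unambiguously`. The cleanup block at the end runs regardless of RC, which is right, but it is skipped entirely if the restore at the top fails; a `trap` on EXIT would be the more robust shape.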
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
Added
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# iptables may print match/target specific help texts
+# help output should work for unprivileged users
+
+run() {
+ echo "running: $*" >&2
+ runuser -u nobody -- "$@"
+}
+
+grep_or_rc() {
+ declare -g rc
+ grep -q "$*" && return 0
+ echo "missing in output: $*" >&2
+ return 1
+}
+
+out=$(run $XT_MULTI iptables --help)
+let "rc+=$?"
+grep_or_rc "iptables -h (print this help information)" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -m limit --help)
+let "rc+=$?"
+grep_or_rc "limit match options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -p tcp --help)
+let "rc+=$?"
+grep_or_rc "tcp match options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "DNAT target options:" <<< "$out"
+let "rc+=$?"
+
+# TEE has no revision 0
+out=$(run $XT_MULTI iptables -j TEE --help)
+let "rc+=$?"
+grep_or_rc "TEE target options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "tcp match options:" <<< "$out"
+let "rc+=$?"
+out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "DNAT target options:" <<< "$out"
+let "rc+=$?"
+
+
+run $XT_MULTI iptables -L 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+exit $rc
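Review bot: Nothing checks that the test can actually drop privileges: `runuser -u nobody` only works when the script itself runs as root and util-linux `runuser` is installed, otherwise every `run` call fails and the failure surfaces as a missing help text rather than a skipped test. Add a guard before the first `run`, along the lines of `[ "$(id -u)" -eq 0 ] && runuser --version >/dev/null 2>&1 || { echo "skip $XT_MULTI (needs root and runuser)"; exit 0; }`. `declare -g rc` inside grep_or_rc never assigns anything; rc is accumulated by the top-level `let "rc+=$?"` lines (starting from an unset variable, which `let` treats as 0), so the declaration can be dropped in favour of an explicit `rc=0` near the top. The three `Permission denied` checks are the valuable negative tests here, confirming that an unprivileged user cannot list or modify rules through either backend, and deserve a comment saying that is what they assert.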
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/nft-only/0010-iptables-nft-save.txt
Added
@@ -0,0 +1,26 @@
+*filter
+:INPUT ACCEPT 0:0
+:FORWARD ACCEPT 0:0
+:OUTPUT ACCEPT 0:0
+-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 23 -j ACCEPT
+-A INPUT -s 1.2.3.0/24 -d 0.0.0.0/32 -p udp -m udp --dport 67:69 -j DROP
+-A INPUT -s 1.0.0.0/8 -d 0.0.0.0/32 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,ACK SYN -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 ! --tcp-flags SYN NONE -m comment --comment "checks if SYN bit is set"
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "same as iptables --syn"
+-A INPUT -p tcp -m tcp --tcp-flags SYN SYN
+-A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK SYN,ACK
+-A INPUT -d 0.0.0.0/1 -m ttl --ttl-eq 1 -j DROP
+-A INPUT -d 0.0.0.0/2 -m ttl --ttl-gt 2 -j ACCEPT
+-A INPUT -d 0.0.0.0/3 -m ttl --ttl-lt 254 -j ACCEPT
+-A INPUT -d 0.0.0.0/4 -m ttl ! --ttl-eq 255 -j DROP
+-A INPUT -d 8.0.0.0/5 -p icmp -m icmp --icmp-type 1 -j ACCEPT
+-A INPUT -d 8.0.0.0/6 -p icmp -m icmp --icmp-type 2/3 -j ACCEPT
+-A INPUT -d 10.0.0.0/7 -p icmp -m icmp --icmp-type 8 -j ACCEPT
+-A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
+-A INPUT -m pkttype ! --pkt-type unicast -j DROP
+-A INPUT -p tcp
+-A INPUT -d 0.0.0.0/1 -p udp
+-A FORWARD -m limit --limit 10/day
+-A FORWARD -p udp -m udp --dport 42
+-A FORWARD -i lo -o lo+ -j NFLOG --nflog-prefix "should use NFLOG" --nflog-group 1 --nflog-size 123 --nflog-threshold 42
+COMMIT
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/nft-only/0010-native-delinearize_0
Added
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+ $XT_MULTI == *xtables-nft-multi || { echo "skip $XT_MULTI"; exit 0; }
+nft -v >/dev/null || exit 0
+
+set -e
+
+unshare -n bash -c "nft -f $(dirname $0)/0010-nft-native.txt;
+ diff -u -Z $(dirname $0)/0010-iptables-nft-save.txt <($XT_MULTI iptables-save | grep -v '^#')"
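Review bot: The `bash -c` string on the last two lines splices `$(dirname $0)` and `$XT_MULTI` in by interpolation, so a checkout path or XT_MULTI value containing spaces or shell metacharacters is re-parsed as code inside the child shell; pass them as positional parameters instead, `unshare -n bash -c 'set -e; nft -f "$1/0010-nft-native.txt"; diff -u -Z "$1/0010-iptables-nft-save.txt" <("$2" iptables-save | grep -v "^#")' _ "$(dirname "$0")" "$XT_MULTI"`. The outer `set -e` does not carry into that child shell, which is why the rewrite above repeats it: today a failing `nft -f` is only caught indirectly when the diff that follows it disagrees. The `nft -v` probe exits silently, unlike the skip message on the line above it, so a runner log cannot tell "skipped for missing nft" from "passed".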
_service:tar_scm:iptables-1.8.9.tar.xz/iptables/tests/shell/testcases/nft-only/0010-nft-native.txt
Added
@@ -0,0 +1,41 @@
+table ip filter {
+ chain INPUT {
+ type filter hook input priority filter; policy accept;
+
+ ip saddr 1.2.3.4 tcp dport 23 accept
+ ip saddr 1.2.3.0/24 ip daddr 0.0.0.0 udp dport 67-69 drop
+
+ ip saddr 1.0.0.0/8 ip daddr 0.0.0.0 tcp sport 1024-65535 tcp dport 443 tcp flags syn / syn,ack accept
+ tcp dport 443 tcp flags syn comment "checks if SYN bit is set"
+ tcp flags syn / syn,rst,ack,fin comment "same as iptables --syn"
+ tcp flags & syn == syn
+ tcp flags & (syn | ack) != (syn | ack )
+
+ ip daddr 0.0.0.0/1 ip ttl 1 drop
+ ip daddr 0.0.0.0/2 ip ttl > 2 accept
+ ip daddr 0.0.0.0/3 ip ttl < 254 accept
+ ip daddr 0.0.0.0/4 ip ttl != 255 drop
+
+ ip daddr 8.0.0.0/5 icmp type 1 accept
+ ip daddr 8.0.0.0/6 icmp type 2 icmp code port-unreachable accept
+ ip daddr 10.0.0.0/7 icmp type echo-request accept
+
+ meta pkttype broadcast accept
+ meta pkttype != host drop
+
+ ip saddr 0.0.0.0/0 ip protocol tcp
+ ip daddr 0.0.0.0/1 ip protocol udp
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter;
+ limit rate 10/day counter
+ udp dport 42 counter
+
+ # FIXME: can't dissect plain syslog
+ # meta iif "lo" log prefix "just doing a log" level alert flags tcp sequence,options
+
+ # iif, not iifname, and wildcard
+ meta iif "lo" oifname "lo*" log group 1 prefix "should use NFLOG" queue-threshold 42 snaplen 123
+ }
+}
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xshared.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xshared.c
Changed
@@ -9,23 +9,38 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <arpa/inet.h> #include <sys/file.h> #include <sys/socket.h> #include <sys/un.h> -#include <sys/time.h> #include <unistd.h> #include <fcntl.h> #include <xtables.h> #include <math.h> +#include <signal.h> #include "xshared.h" +/* a few arp opcode names */ +char *arp_opcodes = +{ + "Request", + "Reply", + "Request_Reverse", + "Reply_Reverse", + "DRARP_Request", + "DRARP_Reply", + "DRARP_Error", + "InARP_Request", + "ARP_NAK", +}; + /* * Print out any special helps. A user might like to be able to add a --help * to the commandline, and see expected results. So we call help for all * specified matches and targets. */ -void print_extension_helps(const struct xtables_target *t, - const struct xtables_rule_match *m) +static void print_extension_helps(const struct xtables_target *t, + const struct xtables_rule_match *m) { for (; t != NULL; t = t->next) { if (t->used) { @@ -47,21 +62,21 @@ } } -const char * -proto_to_name(uint8_t proto, int nolookup) +static const char * +proto_to_name(uint16_t proto, int nolookup) { unsigned int i; + for (i = 0; xtables_chain_protosi.name != NULL; ++i) + if (xtables_chain_protosi.num == proto) + return xtables_chain_protosi.name; + if (proto && !nolookup) { struct protoent *pent = getprotobynumber(proto); if (pent) return pent->p_name; } - for (i = 0; xtables_chain_protosi.name != NULL; ++i) - if (xtables_chain_protosi.num == proto) - return xtables_chain_protosi.name; - return NULL; } @@ -106,7 +121,7 @@ return !cs->proto_used; } -struct xtables_match *load_proto(struct iptables_command_state *cs) +static struct xtables_match *load_proto(struct iptables_command_state *cs) { if (!should_load_proto(cs)) return NULL; 
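Review bot: proto_to_name now walks the built-in xtables_chain_protos table before falling back to getprotobynumber(), which is exactly what the new 0007-overhead_0 test asserts (no /etc/protocols reads during save/restore), but the function carries no comment saying the order is deliberate; add above it `/* Prefer the built-in table so save/restore never touch /etc/protocols; getprotobynumber() is only a fallback for numbers not listed there. */` so the next cleanup does not "simplify" it back. In the first hunk the new `arp_opcodes` table addresses string literals through a non-const `char *`, so an accidental write compiles cleanly and is undefined behaviour at run time; `const char *const arp_opcodes[]` is the safer declaration (the matching extern in xshared.h is outside this hunk). The parameter widening to uint16_t is fine, but since getprotobynumber() can now be handed values above 255 on the fallback path a word in the same comment about why the wider type is needed would help.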
@@ -114,8 +129,8 @@ cs->options & OPT_NUMERIC, &cs->matches); } -int command_default(struct iptables_command_state *cs, - struct xtables_globals *gl) +static int command_default(struct iptables_command_state *cs, + struct xtables_globals *gl, bool invert) { struct xtables_rule_match *matchp; struct xtables_match *m; @@ -124,7 +139,7 @@ (cs->target->parse != NULL || cs->target->x6_parse != NULL) && cs->c >= cs->target->option_offset && cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) { - xtables_option_tpcall(cs->c, cs->argv, cs->invert, + xtables_option_tpcall(cs->c, cs->argv, invert, cs->target, &cs->fw); return 0; } @@ -138,7 +153,7 @@ if (cs->c < matchp->match->option_offset || cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE) continue; - xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw); + xtables_option_mpcall(cs->c, cs->argv, invert, m, &cs->fw); return 0; } @@ -220,9 +235,7 @@ { if (target->udata_size != 0) { free(target->udata); - target->udata = calloc(1, target->udata_size); - if (target->udata == NULL) - xtables_error(RESOURCE_PROBLEM, "malloc"); + target->udata = xtables_calloc(1, target->udata_size); } if (target->init != NULL) target->init(target->t); @@ -238,22 +251,20 @@ * Same goes for target. */ free(match->udata); - match->udata = calloc(1, match->udata_size); - if (match->udata == NULL) - xtables_error(RESOURCE_PROBLEM, "malloc"); + match->udata = xtables_calloc(1, match->udata_size); } if (match->init != NULL) match->init(match->m); } -static int xtables_lock(int wait, struct timeval *wait_interval) +static void alarm_ignore(int i) { +} + +static int xtables_lock(int wait) { - struct timeval time_left, wait_time; + struct sigaction sigact_alarm; const char *lock_file; - int fd, i = 0; - - time_left.tv_sec = wait; - time_left.tv_usec = 0; + int fd; lock_file = getenv("XTABLES_LOCKFILE"); if (lock_file == NULL || lock_file0 == '\0') 
@@ -266,31 +277,24 @@ return XT_LOCK_FAILED; } - if (wait == -1) { - if (flock(fd, LOCK_EX) == 0) - return fd; - - fprintf(stderr, "Can't lock %s: %s\n", lock_file, - strerror(errno)); - return XT_LOCK_BUSY; + if (wait != -1) { + sigact_alarm.sa_handler = alarm_ignore; + sigact_alarm.sa_flags = SA_RESETHAND; + sigemptyset(&sigact_alarm.sa_mask); + sigaction(SIGALRM, &sigact_alarm, NULL); + alarm(wait); } - while (1) { - if (flock(fd, LOCK_EX | LOCK_NB) == 0) - return fd; - else if (timercmp(&time_left, wait_interval, <)) - return XT_LOCK_BUSY; - - if (++i % 10 == 0) { - fprintf(stderr, "Another app is currently holding the xtables lock; " - "still %lds %ldus time ahead to have a chance to grab the lock...\n", - time_left.tv_sec, time_left.tv_usec); - } + if (flock(fd, LOCK_EX) == 0) + return fd; - wait_time = *wait_interval; - select(0, NULL, NULL, NULL, &wait_time); - timersub(&time_left, wait_interval, &time_left); + if (errno == EINTR) { + errno = EWOULDBLOCK; } + + fprintf(stderr, "Can't lock %s: %s\n", lock_file, + strerror(errno)); + return XT_LOCK_BUSY; } void xtables_unlock(int lock) @@ -299,9 +303,9 @@ close(lock); } -int xtables_lock_or_exit(int wait, struct timeval *wait_interval) +int xtables_lock_or_exit(int wait) { - int lock = xtables_lock(wait, wait_interval); + int lock = xtables_lock(wait); if (lock == XT_LOCK_FAILED) { xtables_free_opts(1); @@ -337,7 +341,7 @@ return wait; } -void parse_wait_interval(int argc, char *argv, struct timeval *wait_interval) +void parse_wait_interval(int argc, char *argv) { const char *arg; unsigned int usec; @@ -357,8 +361,7 @@ "too long usec wait %u > 999999 usec", usec); - wait_interval->tv_sec = 0; - wait_interval->tv_usec = usec; + fprintf(stderr, "Ignoring deprecated --wait-interval option.\n"); return; } xtables_error(PARAMETER_PROBLEM, "wait interval not numeric"); 
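Review bot: In xtables_lock the timer armed by `alarm(wait)` is left running once `flock()` succeeds, so with a short -w value SIGALRM still fires later during the actual rule processing; the handler is installed without SA_RESTART, which turns whatever blocking syscall is in flight at that moment into an EINTR failure. Cancel it on the success path, `if (flock(fd, LOCK_EX) == 0) { alarm(0); return fd; }`, and consider restoring the previous SIGALRM disposition there as well. The `wait == 0` case also needs a look: `alarm(0)` disarms rather than arms, so a caller passing 0, which the removed loop answered with a single LOCK_NB attempt and XT_LOCK_BUSY (assuming a non-zero default wait_interval), now blocks without limit; the callers are outside this hunk, so this is a hedged observation. Negative values other than -1 are converted by `alarm()` to an enormous unsigned timeout, so rejecting them in parse_wait_time (outside the hunk) would be cleaner than relying on that.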
@@ -397,15 +400,15 @@ ptr = strchr(buffer, ''); if (!ptr) - xtables_error(PARAMETER_PROBLEM, "Bad line %u: need \n", line); + xtables_error(PARAMETER_PROBLEM, "Bad line %u: need ", line); pcnt = strtok(buffer+1, ":"); if (!pcnt) - xtables_error(PARAMETER_PROBLEM, "Bad line %u: need :\n", line); + xtables_error(PARAMETER_PROBLEM, "Bad line %u: need :", line); bcnt = strtok(NULL, ""); if (!bcnt) - xtables_error(PARAMETER_PROBLEM, "Bad line %u: need \n", line); + xtables_error(PARAMETER_PROBLEM, "Bad line %u: need ", line); *pcntp = pcnt; *bcntp = bcnt; @@ -430,12 +433,12 @@ if (store->argc + 1 >= MAX_ARGC) xtables_error(PARAMETER_PROBLEM, - "Parser cannot handle more arguments\n"); + "Parser cannot handle more arguments"); if (!what) xtables_error(PARAMETER_PROBLEM, - "Trying to store NULL argument\n"); + "Trying to store NULL argument"); - store->argvstore->argc = strdup(what); + store->argvstore->argc = xtables_strdup(what); store->argvattrstore->argc = quoted; store->argv++store->argc = NULL; } 
@@ -550,9 +553,55 @@ } #endif -static const char *ipv4_addr_to_string(const struct in_addr *addr, - const struct in_addr *mask, - unsigned int format) +void print_header(unsigned int format, const char *chain, const char *pol, + const struct xt_counters *counters, + int refs, uint32_t entries) +{ + printf("Chain %s", chain); + if (pol) { + printf(" (policy %s", pol); + if (!(format & FMT_NOCOUNTS)) { + fputc(' ', stdout); + xtables_print_num(counters->pcnt, (format|FMT_NOTABLE)); + fputs("packets, ", stdout); + xtables_print_num(counters->bcnt, (format|FMT_NOTABLE)); + fputs("bytes", stdout); + } + printf(")\n"); + } else if (refs < 0) { + printf(" (ERROR obtaining refs)\n"); + } else { + printf(" (%d references)\n", refs); + } + + if (format & FMT_LINENUMBERS) + printf(FMT("%-4s ", "%s "), "num"); + if (!(format & FMT_NOCOUNTS)) { + if (format & FMT_KILOMEGAGIGA) { + printf(FMT("%5s ","%s "), "pkts"); + printf(FMT("%5s ","%s "), "bytes"); + } else { + printf(FMT("%8s ","%s "), "pkts"); + printf(FMT("%10s ","%s "), "bytes"); + } + } + if (!(format & FMT_NOTARGET)) + printf(FMT("%-9s ","%s "), "target"); + fputs(" prot ", stdout); + if (format & FMT_OPTIONS) + fputs("opt", stdout); + if (format & FMT_VIA) { + printf(FMT(" %-6s ","%s "), "in"); + printf(FMT("%-6s ","%s "), "out"); + } + printf(FMT(" %-19s ","%s "), "source"); + printf(FMT(" %-19s "," %s "), "destination"); + printf("\n"); +} + +const char *ipv4_addr_to_string(const struct in_addr *addr, + const struct in_addr *mask, + unsigned int format) { static char bufBUFSIZ; 
@@ -582,6 +631,42 @@ ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format)); } +static const char *mask_to_str(const struct in_addr *mask) +{ + uint32_t bits, hmask = ntohl(mask->s_addr); + static char mask_strINET_ADDRSTRLEN; + int i; + + if (mask->s_addr == 0xFFFFFFFFU) { + sprintf(mask_str, "32"); + return mask_str; + } + + i = 32; + bits = 0xFFFFFFFEU; + while (--i >= 0 && hmask != bits) + bits <<= 1; + if (i >= 0) + sprintf(mask_str, "%u", i); + else + inet_ntop(AF_INET, mask, mask_str, sizeof(mask_str)); + + return mask_str; +} + +void save_ipv4_addr(char letter, const struct in_addr *addr, + const struct in_addr *mask, int invert) +{ + char addrbufINET_ADDRSTRLEN; + + if (!mask->s_addr && !invert && !addr->s_addr) + return; + + printf("%s -%c %s/%s", invert ? " !" : "", letter, + inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)), + mask_to_str(mask)); +} + static const char *ipv6_addr_to_string(const struct in6_addr *addr, const struct in6_addr *mask, unsigned int format) 
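Review bot: mask_to_str hands back a pointer into a function-local static buffer, so the string is only valid until the next call and the function is not reentrant; save_ipv4_addr consumes it immediately inside one printf, but that contract is nowhere written down. Add above it `/* Returns a pointer to a static buffer, valid only until the next call. A contiguous mask is rendered as a prefix length (/0 .. /32); any other mask is printed in dotted-quad form. */`. The two `sprintf` calls are bounded (at most two digits into an INET_ADDRSTRLEN buffer), so switching them to `snprintf(mask_str, sizeof(mask_str), ...)` is a consistency nicety rather than a fix. save_ipv4_addr's early return silently drops a `-s 0.0.0.0/0` that is not inverted, which is intended for save output but worth a one-line comment so it is not mistaken for a bug.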
@@ -616,6 +701,44 @@ &fw6->ipv6.dmsk, format)); } +void save_ipv6_addr(char letter, const struct in6_addr *addr, + const struct in6_addr *mask, int invert) +{ + int l = xtables_ip6mask_to_cidr(mask); + char addr_strINET6_ADDRSTRLEN; + + if (!invert && l == 0) + return; + + printf("%s -%c %s", + invert ? " !" : "", letter, + inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str))); + + if (l == -1) + printf("/%s", inet_ntop(AF_INET6, mask, + addr_str, sizeof(addr_str))); + else + printf("/%d", l); +} + +void print_fragment(unsigned int flags, unsigned int invflags, + unsigned int format, bool fake) +{ + if (!(format & FMT_OPTIONS)) + return; + + if (format & FMT_NOTABLE) + fputs("opt ", stdout); + + if (fake) { + fputs("--", stdout); + } else { + fputc(invflags & IPT_INV_FRAG ? '!' : '-', stdout); + fputc(flags & IPT_F_FRAG ? 'f' : '-', stdout); + } + fputc(' ', stdout); +} + /* Luckily, IPT_INV_VIA_IN and IPT_INV_VIA_OUT * have the same values as IP6T_INV_VIA_IN and IP6T_INV_VIA_OUT * so this function serves for both iptables and ip6tables */ @@ -641,13 +764,38 @@ printf(FMT("%-6s ", "out %s "), iface); } -void command_match(struct iptables_command_state *cs) +/* This assumes that mask is contiguous, and byte-bounded. */ +void save_iface(char letter, const char *iface, + const unsigned char *mask, int invert) +{ + unsigned int i; + + if (mask0 == 0) + return; + + printf("%s -%c ", invert ? " !" : "", letter); + + for (i = 0; i < IFNAMSIZ; i++) { + if (maski != 0) { + if (ifacei != '\0') + printf("%c", ifacei); + } else { + /* we can access ifacei-1 here, because + * a few lines above we make sure that mask0 != 0 */ + if (ifacei-1 != '\0') + printf("+"); + break; + } + } +} + +static void command_match(struct iptables_command_state *cs, bool invert) { struct option *opts = xt_params->opts; struct xtables_match *m; size_t size; - if (cs->invert) + if (invert) xtables_error(PARAMETER_PROBLEM, "unexpected ! flag before --match"); 
@@ -679,7 +827,7 @@ xt_params->opts = opts; } -const char *xt_parse_target(const char *targetname) +static const char *xt_parse_target(const char *targetname) { const char *ptr; @@ -741,7 +889,7 @@ xt_params->opts = opts; } -char cmd2char(int option) +static char cmd2char(int option) { /* cmdflags index corresponds with position of bit in CMD_* values */ static const char cmdflags = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', @@ -752,24 +900,23 @@ ; if (i >= ARRAY_SIZE(cmdflags)) xtables_error(OTHER_PROBLEM, - "cmd2char(): Invalid command number %u.\n", - 1 << i); + "cmd2char(): Invalid command number %u.", 1 << i); return cmdflagsi; } -void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert) +static void add_command(unsigned int *cmd, const int newcmd, + const int othercmds, int invert) { if (invert) xtables_error(PARAMETER_PROBLEM, "unexpected '!' flag"); if (*cmd & (~othercmds)) - xtables_error(PARAMETER_PROBLEM, "Cannot use -%c with -%c\n", - cmd2char(newcmd), cmd2char(*cmd & (~othercmds))); + xtables_error(PARAMETER_PROBLEM, "Cannot use -%c with -%c", + cmd2char(newcmd), cmd2char(*cmd & (~othercmds))); *cmd |= newcmd; } /* Can't be zero. */ -int parse_rulenumber(const char *rule) +static int parse_rulenumber(const char *rule) { unsigned int rulenum; @@ -780,6 +927,10 @@ return rulenum; } +#define NUMBER_OF_OPT ARRAY_SIZE(optflags) +static const char optflags += { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 }; + /* Table of legal combinations of commands and options. If any of the * given commands make an option legal, that option is legal (applies to * CMD_LIST and CMD_ZERO only). @@ -809,7 +960,7 @@ /*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' ',' ',' ',' ',' ',' ',' '}, }; -void generic_opt_check(int command, int options) +static void generic_opt_check(int command, int options) { int i, j, legal = 0; 
@@ -827,9 +978,8 @@ if (!(options & (1<<i))) { if (commands_v_optionsji == '+') xtables_error(PARAMETER_PROBLEM, - "You need to supply the `-%c' " - "option for this command\n", - optflagsi); + "You need to supply the `-%c' option for this command", + optflagsi); } else { if (commands_v_optionsji != 'x') legal = 1; @@ -839,12 +989,12 @@ } if (legal == -1) xtables_error(PARAMETER_PROBLEM, - "Illegal option `-%c' with this command\n", - optflagsi); + "Illegal option `-%c' with this command", + optflagsi); } } -char opt2char(int option) +static char opt2char(int option) { const char *ptr; 
@@ -853,3 +1003,1052 @@ return *ptr; } + +static const int inverse_for_optionsNUMBER_OF_OPT = +{ +/* -n */ 0, +/* -s */ IPT_INV_SRCIP, +/* -d */ IPT_INV_DSTIP, +/* -p */ XT_INV_PROTO, +/* -j */ 0, +/* -v */ 0, +/* -x */ 0, +/* -i */ IPT_INV_VIA_IN, +/* -o */ IPT_INV_VIA_OUT, +/*--line*/ 0, +/* -c */ 0, +/* -f */ IPT_INV_FRAG, +/* 2 */ IPT_INV_SRCDEVADDR, +/* 3 */ IPT_INV_TGTDEVADDR, +/* -l */ IPT_INV_ARPHLN, +/* 4 */ IPT_INV_ARPOP, +/* 5 */ IPT_INV_ARPHRD, +/* 6 */ IPT_INV_PROTO, +}; + +static void +set_option(unsigned int *options, unsigned int option, uint16_t *invflg, + bool invert) +{ + if (*options & option) + xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed", + opt2char(option)); + *options |= option; + + if (invert) { + unsigned int i; + for (i = 0; 1 << i != option; i++); + + if (!inverse_for_optionsi) + xtables_error(PARAMETER_PROBLEM, + "cannot have ! before -%c", + opt2char(option)); + *invflg |= inverse_for_optionsi; + } +} + +void assert_valid_chain_name(const char *chainname) +{ + const char *ptr; + + if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) + xtables_error(PARAMETER_PROBLEM, + "chain name `%s' too long (must be under %u chars)", + chainname, XT_EXTENSION_MAXNAMELEN); + + if (*chainname == '-' || *chainname == '!') + xtables_error(PARAMETER_PROBLEM, + "chain name not allowed to start with `%c'", + *chainname); + + if (xtables_find_target(chainname, XTF_TRY_LOAD)) + xtables_error(PARAMETER_PROBLEM, + "chain name may not clash with target name"); + + for (ptr = chainname; *ptr; ptr++) + if (isspace(*ptr)) + xtables_error(PARAMETER_PROBLEM, + "Invalid chain name `%s'", chainname); +} + +void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, + const char *targname, uint8_t proto, uint8_t flags, + uint8_t invflags, unsigned int format) +{ + const char *pname = proto_to_name(proto, format&FMT_NUMERIC); + + if (format & FMT_LINENUMBERS) + printf(FMT("%-4u ", "%u "), linenum); + + if (!(format & FMT_NOCOUNTS)) { 
+ xtables_print_num(ctrs->pcnt, format); + xtables_print_num(ctrs->bcnt, format); + } + + if (!(format & FMT_NOTARGET)) + printf(FMT("%-9s ", "%s "), targname ? targname : ""); + + fputc(invflags & XT_INV_PROTO ? '!' : ' ', stdout); + + if (((format & (FMT_NUMERIC | FMT_NOTABLE)) == FMT_NUMERIC) || !pname) + printf(FMT("%-4hu ", "%hu "), proto); + else + printf(FMT("%-4s ", "%s "), pname); +} + +void save_rule_details(const char *iniface, unsigned const char *iniface_mask, + const char *outiface, unsigned const char *outiface_mask, + uint16_t proto, int frag, uint8_t invflags) +{ + if (iniface != NULL) { + save_iface('i', iniface, iniface_mask, + invflags & IPT_INV_VIA_IN); + } + if (outiface != NULL) { + save_iface('o', outiface, outiface_mask, + invflags & IPT_INV_VIA_OUT); + } + + if (proto > 0) { + const char *pname = proto_to_name(proto, 0); + + if (invflags & XT_INV_PROTO) + printf(" !"); + + if (pname) + printf(" -p %s", pname); + else + printf(" -p %u", proto); + } + + if (frag) { + if (invflags & IPT_INV_FRAG) + printf(" !"); + printf(" -f"); + } +} + +int print_match_save(const struct xt_entry_match *e, const void *ip) +{ + const char *name = e->u.user.name; + const int revision = e->u.user.revision; + struct xtables_match *match, *mt, *mt2; + + match = xtables_find_match(name, XTF_TRY_LOAD, NULL); + if (match) { + mt = mt2 = xtables_find_match_revision(name, XTF_TRY_LOAD, + match, revision); + if (!mt2) + mt2 = match; + printf(" -m %s", mt2->alias ? 
mt2->alias(e) : name); + + /* some matches don't provide a save function */ + if (mt && mt->save) + mt->save(ip, e); + else if (match->save) + printf(" unsupported revision"); + } else { + if (e->u.match_size) { + fprintf(stderr, + "Can't find library for match `%s'\n", + name); + exit(1); + } + } + return 0; +} + +static void +xtables_printhelp(const struct xtables_rule_match *matches) +{ + const char *prog_name = xt_params->program_name; + const char *prog_vers = xt_params->program_version; + + printf("%s v%s\n\n" +"Usage: %s -ACD chain rule-specification options\n" +" %s -I chain rulenum rule-specification options\n" +" %s -R chain rulenum rule-specification options\n" +" %s -D chain rulenum options\n" +" %s -LS chain rulenum options\n" +" %s -FZ chain options\n" +" %s -NX chain\n" +" %s -E old-chain-name new-chain-name\n" +" %s -P chain target options\n" +" %s -h (print this help information)\n\n", + prog_name, prog_vers, prog_name, prog_name, + prog_name, prog_name, prog_name, prog_name, + prog_name, prog_name, prog_name, prog_name); + + printf( +"Commands:\n" +"Either long or short options are allowed.\n" +" --append -A chain Append to chain\n" +" --check -C chain Check for the existence of a rule\n" +" --delete -D chain Delete matching rule from chain\n" +" --delete -D chain rulenum\n" +" Delete rule rulenum (1 = first) from chain\n" +" --insert -I chain rulenum\n" +" Insert in chain as rulenum (default 1=first)\n" +" --replace -R chain rulenum\n" +" Replace rule rulenum (1 = first) in chain\n" +" --list -L chain rulenum\n" +" List the rules in a chain or all chains\n" +" --list-rules -S chain rulenum\n" +" Print the rules in a chain or all chains\n" +" --flush -F chain Delete all rules in chain or all chains\n" +" --zero -Z chain rulenum\n" +" Zero counters in chain or all chains\n" +" --new -N chain Create a new user-defined chain\n" +" --delete-chain\n" +" -X chain Delete a user-defined chain\n" +" --policy -P chain target\n" +" Change policy on chain to 
target\n" +" --rename-chain\n" +" -E old-chain new-chain\n" +" Change chain name, (moving any references)\n" +"\n" +"Options:\n"); + + if (afinfo->family == NFPROTO_ARP) { + printf( +"! --source-ip -s address/mask\n" +" source specification\n" +"! --destination-ip -d address/mask\n" +" destination specification\n" +"! --source-mac address/mask\n" +"! --destination-mac address/mask\n" +" --h-length -l length/mask hardware length (nr of bytes)\n" +" --opcode code/mask operation code (2 bytes)\n" +" --h-type type/mask hardware type (2 bytes, hexadecimal)\n" +" --proto-type type/mask protocol type (2 bytes)\n"); + } else { + printf( +" --ipv4 -4 %s (line is ignored by ip6tables-restore)\n" +" --ipv6 -6 %s (line is ignored by iptables-restore)\n" +"! --protocol -p proto protocol: by number or name, eg. `tcp'\n" +"! --source -s address/mask...\n" +" source specification\n" +"! --destination -d address/mask...\n" +" destination specification\n", + afinfo->family == NFPROTO_IPV4 ? "Nothing" : "Error", + afinfo->family == NFPROTO_IPV4 ? "Error" : "Nothing"); + } + + printf( +"! --in-interface -i input name+\n" +" network interface name (+ for wildcard)\n" +" --jump -j target\n" +" target for rule (may load target extension)\n"); + + if (0 +#ifdef IPT_F_GOTO + || afinfo->family == NFPROTO_IPV4 +#endif +#ifdef IP6T_F_GOTO + || afinfo->family == NFPROTO_IPV6 +#endif + ) + printf( +" --goto -g chain\n" +" jump to chain with no return\n"); + printf( +" --match -m match\n" +" extended match (may load extension)\n" +" --numeric -n numeric output of addresses and ports\n" +"! 
--out-interface -o output name+\n" +" network interface name (+ for wildcard)\n" +" --table -t table table to manipulate (default: `filter')\n" +" --verbose -v verbose mode\n" +" --wait -w seconds maximum wait to acquire xtables lock before give up\n" +" --line-numbers print line numbers when listing\n" +" --exact -x expand numbers (display exact values)\n"); + + if (afinfo->family == NFPROTO_IPV4) + printf( +"! --fragment -f match second or further fragments only\n"); + + printf( +" --modprobe=<command> try to insert modules using this command\n" +" --set-counters -c PKTS BYTES set the counter during insert/append\n" +"! --version -V print package version.\n"); + + if (afinfo->family == NFPROTO_ARP) { + int i; + + printf(" opcode strings: \n"); + for (i = 0; i < ARP_NUMOPCODES; i++) + printf(" %d = %s\n", i + 1, arp_opcodesi); + printf( + " hardware type string: 1 = Ethernet\n" + " protocol type string: 0x800 = IPv4\n"); + + xtables_find_target("standard", XTF_TRY_LOAD); + xtables_find_target("mangle", XTF_TRY_LOAD); + xtables_find_target("CLASSIFY", XTF_TRY_LOAD); + xtables_find_target("MARK", XTF_TRY_LOAD); + } + + print_extension_helps(xtables_targets, matches); +} + +void exit_tryhelp(int status, int line) +{ + if (line != -1) + fprintf(stderr, "Error occurred at line: %d\n", line); + fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", + xt_params->program_name, xt_params->program_name); + xtables_free_opts(1); + exit(status); +} + +static void check_empty_interface(struct xtables_args *args, const char *arg) +{ + const char *msg = "Empty interface is likely to be undesired"; + + if (*arg != '\0') + return; + + if (args->family != NFPROTO_ARP) + xtables_error(PARAMETER_PROBLEM, "%s", msg); + + fprintf(stderr, "%s", msg); +} + +static void check_inverse(struct xtables_args *args, const char option, + bool *invert, int *optidx, int argc) +{ + switch (args->family) { + case NFPROTO_ARP: + break; + default: + return; + } + + if (!option || 
strcmp(option, "!")) + return; + + fprintf(stderr, "Using intrapositioned negation (`--option ! this`) " + "is deprecated in favor of extrapositioned (`! --option this`).\n"); + + if (*invert) + xtables_error(PARAMETER_PROBLEM, + "Multiple `!' flags not allowed"); + *invert = true; + if (optidx) { + *optidx = *optidx + 1; + if (argc && *optidx > argc) + xtables_error(PARAMETER_PROBLEM, + "no argument following `!'"); + } +} + +static const char *optstring_lookup(int family) +{ + switch (family) { + case AF_INET: + case AF_INET6: + return IPT_OPTSTRING; + case NFPROTO_ARP: + return ARPT_OPTSTRING; + case NFPROTO_BRIDGE: + return EBT_OPTSTRING; + } + return ""; +} + +void xtables_clear_iptables_command_state(struct iptables_command_state *cs) +{ + xtables_rule_matches_free(&cs->matches); + if (cs->target) { + free(cs->target->t); + cs->target->t = NULL; + + free(cs->target->udata); + cs->target->udata = NULL; + + if (cs->target == cs->target->next) { + free(cs->target); + cs->target = NULL; + } + } +} + +void do_parse(int argc, char *argv, + struct xt_cmd_parse *p, struct iptables_command_state *cs, + struct xtables_args *args) +{ + struct xtables_match *m; + struct xtables_rule_match *matchp; + bool wait_interval_set = false; + struct xtables_target *t; + bool table_set = false; + bool invert = false; + + /* re-set optind to 0 in case do_command4 gets called + * a second time */ + optind = 0; + + /* clear mflags in case do_command4 gets called a second time + * (we clear the global list of all matches for security)*/ + for (m = xtables_matches; m; m = m->next) + m->mflags = 0; + + for (t = xtables_targets; t; t = t->next) { + t->tflags = 0; + t->used = 0; + } + + /* Suppress error messages: we may add new options if we + demand-load a protocol. 
*/ + opterr = 0; + + xt_params->opts = xt_params->orig_opts; + while ((cs->c = getopt_long(argc, argv, + optstring_lookup(afinfo->family), + xt_params->opts, NULL)) != -1) { + switch (cs->c) { + /* + * Command selection + */ + case 'A': + add_command(&p->command, CMD_APPEND, CMD_NONE, invert); + p->chain = optarg; + break; + + case 'C': + add_command(&p->command, CMD_CHECK, CMD_NONE, invert); + p->chain = optarg; + break; + + case 'D': + add_command(&p->command, CMD_DELETE, CMD_NONE, invert); + p->chain = optarg; + if (xs_has_arg(argc, argv)) { + p->rulenum = parse_rulenumber(argvoptind++); + p->command = CMD_DELETE_NUM; + } + break; + + case 'R': + add_command(&p->command, CMD_REPLACE, CMD_NONE, invert); + p->chain = optarg; + if (xs_has_arg(argc, argv)) + p->rulenum = parse_rulenumber(argvoptind++); + else + xtables_error(PARAMETER_PROBLEM, + "-%c requires a rule number", + cmd2char(CMD_REPLACE)); + break; + + case 'I': + add_command(&p->command, CMD_INSERT, CMD_NONE, invert); + p->chain = optarg; + if (xs_has_arg(argc, argv)) + p->rulenum = parse_rulenumber(argvoptind++); + else + p->rulenum = 1; + break; + + case 'L': + add_command(&p->command, CMD_LIST, + CMD_ZERO | CMD_ZERO_NUM, invert); + if (optarg) + p->chain = optarg; + else if (xs_has_arg(argc, argv)) + p->chain = argvoptind++; + if (xs_has_arg(argc, argv)) + p->rulenum = parse_rulenumber(argvoptind++); + break; + + case 'S': + add_command(&p->command, CMD_LIST_RULES, + CMD_ZERO|CMD_ZERO_NUM, invert); + if (optarg) + p->chain = optarg; + else if (xs_has_arg(argc, argv)) + p->chain = argvoptind++; + if (xs_has_arg(argc, argv)) + p->rulenum = parse_rulenumber(argvoptind++); + break; + + case 'F': + add_command(&p->command, CMD_FLUSH, CMD_NONE, invert); + if (optarg) + p->chain = optarg; + else if (xs_has_arg(argc, argv)) + p->chain = argvoptind++; + break; + + case 'Z': + add_command(&p->command, CMD_ZERO, + CMD_LIST|CMD_LIST_RULES, invert); + if (optarg) + p->chain = optarg; + else if (xs_has_arg(argc, 
argv)) + p->chain = argvoptind++; + if (xs_has_arg(argc, argv)) { + p->rulenum = parse_rulenumber(argvoptind++); + p->command = CMD_ZERO_NUM; + } + break; + + case 'N': + assert_valid_chain_name(optarg); + add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, + invert); + p->chain = optarg; + break; + + case 'X': + add_command(&p->command, CMD_DELETE_CHAIN, CMD_NONE, + invert); + if (optarg) + p->chain = optarg; + else if (xs_has_arg(argc, argv)) + p->chain = argvoptind++; + break; + + case 'E': + add_command(&p->command, CMD_RENAME_CHAIN, CMD_NONE, + invert); + p->chain = optarg; + if (xs_has_arg(argc, argv)) + p->newname = argvoptind++; + else + xtables_error(PARAMETER_PROBLEM, + "-%c requires old-chain-name and " + "new-chain-name", + cmd2char(CMD_RENAME_CHAIN)); + break; + + case 'P': + add_command(&p->command, CMD_SET_POLICY, CMD_NONE, + invert); + p->chain = optarg; + if (xs_has_arg(argc, argv)) + p->policy = argvoptind++; + else + xtables_error(PARAMETER_PROBLEM, + "-%c requires a chain and a policy", + cmd2char(CMD_SET_POLICY)); + break; + + case 'h': + if (!optarg) + optarg = argvoptind; + + /* iptables -p icmp -h */ + if (!cs->matches && cs->protocol) + xtables_find_match(cs->protocol, + XTF_TRY_LOAD, &cs->matches); + + xtables_printhelp(cs->matches); + xtables_clear_iptables_command_state(cs); + xtables_free_opts(1); + xtables_fini(); + exit(0); + + /* + * Option selection + */ + case 'p': + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_PROTOCOL, + &args->invflags, invert); + + /* Canonicalize into lower case */ + for (cs->protocol = argvoptind - 1; + *cs->protocol; cs->protocol++) + *cs->protocol = tolower(*cs->protocol); + + cs->protocol = argvoptind - 1; + args->proto = xtables_parse_protocol(cs->protocol); + + if (args->proto == 0 && + (args->invflags & XT_INV_PROTO)) + xtables_error(PARAMETER_PROBLEM, + "rule would never match protocol"); + + /* This needs to happen here to parse extensions */ + if 
(p->ops->proto_parse) + p->ops->proto_parse(cs, args); + break; + + case 's': + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_SOURCE, + &args->invflags, invert); + args->shostnetworkmask = argvoptind - 1; + break; + + case 'd': + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_DESTINATION, + &args->invflags, invert); + args->dhostnetworkmask = argvoptind - 1; + break; + +#ifdef IPT_F_GOTO + case 'g': + set_option(&cs->options, OPT_JUMP, &args->invflags, + invert); + args->goto_set = true; + cs->jumpto = xt_parse_target(optarg); + break; +#endif + + case 2:/* src-mac */ + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_S_MAC, &args->invflags, + invert); + args->src_mac = argvoptind - 1; + break; + + case 3:/* dst-mac */ + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_D_MAC, &args->invflags, + invert); + args->dst_mac = argvoptind - 1; + break; + + case 'l':/* hardware length */ + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_H_LENGTH, &args->invflags, + invert); + args->arp_hlen = argvoptind - 1; + break; + + case 8: /* was never supported, not even in arptables-legacy */ + xtables_error(PARAMETER_PROBLEM, "not supported"); + case 4:/* opcode */ + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_OPCODE, &args->invflags, + invert); + args->arp_opcode = argvoptind - 1; + break; + + case 5:/* h-type */ + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_H_TYPE, &args->invflags, + invert); + args->arp_htype = argvoptind - 1; + break; + + case 6:/* proto-type */ + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_P_TYPE, &args->invflags, + invert); + args->arp_ptype = argvoptind - 1; + break; + + case 'j': + set_option(&cs->options, OPT_JUMP, &args->invflags, + invert); + 
command_jump(cs, argvoptind - 1); + break; + + case 'i': + check_empty_interface(args, optarg); + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_VIANAMEIN, + &args->invflags, invert); + xtables_parse_interface(argvoptind - 1, + args->iniface, + args->iniface_mask); + break; + + case 'o': + check_empty_interface(args, optarg); + check_inverse(args, optarg, &invert, &optind, argc); + set_option(&cs->options, OPT_VIANAMEOUT, + &args->invflags, invert); + xtables_parse_interface(argvoptind - 1, + args->outiface, + args->outiface_mask); + break; + + case 'f': + if (args->family == AF_INET6) { + xtables_error(PARAMETER_PROBLEM, + "`-f' is not supported in IPv6, " + "use -m frag instead"); + } + set_option(&cs->options, OPT_FRAGMENT, &args->invflags, + invert); + args->flags |= IPT_F_FRAG; + break; + + case 'v': + if (!p->verbose) + set_option(&cs->options, OPT_VERBOSE, + &args->invflags, invert); + p->verbose++; + break; + + case 'm': + command_match(cs, invert); + break; + + case 'n': + set_option(&cs->options, OPT_NUMERIC, &args->invflags, + invert); + break; + + case 't': + if (invert) + xtables_error(PARAMETER_PROBLEM, + "unexpected ! 
flag before --table"); + if (p->restore && table_set) + xtables_error(PARAMETER_PROBLEM, + "The -t option cannot be used in %s.\n", + xt_params->program_name); + p->table = optarg; + table_set = true; + break; + + case 'x': + set_option(&cs->options, OPT_EXPANDED, &args->invflags, + invert); + break; + + case 'V': + if (invert) + printf("Not %s ;-)\n", + xt_params->program_version); + else + printf("%s v%s\n", + xt_params->program_name, + xt_params->program_version); + exit(0); + + case 'w': + if (p->restore) { + xtables_error(PARAMETER_PROBLEM, + "You cannot use `-w' from " + "iptables-restore"); + } + + args->wait = parse_wait_time(argc, argv); + break; + + case 'W': + if (p->restore) { + xtables_error(PARAMETER_PROBLEM, + "You cannot use `-W' from " + "iptables-restore"); + } + + parse_wait_interval(argc, argv); + wait_interval_set = true; + break; + + case '0': + set_option(&cs->options, OPT_LINENUMBERS, + &args->invflags, invert); + break; + + case 'M': + xtables_modprobe_program = optarg; + break; + + case 'c': + set_option(&cs->options, OPT_COUNTERS, &args->invflags, + invert); + args->pcnt = optarg; + args->bcnt = strchr(args->pcnt + 1, ','); + if (args->bcnt) + args->bcnt++; + if (!args->bcnt && xs_has_arg(argc, argv)) + args->bcnt = argvoptind++; + if (!args->bcnt) + xtables_error(PARAMETER_PROBLEM, + "-%c requires packet and byte counter", + opt2char(OPT_COUNTERS)); + + if (sscanf(args->pcnt, "%llu", &args->pcnt_cnt) != 1) + xtables_error(PARAMETER_PROBLEM, + "-%c packet counter not numeric", + opt2char(OPT_COUNTERS)); + + if (sscanf(args->bcnt, "%llu", &args->bcnt_cnt) != 1) + xtables_error(PARAMETER_PROBLEM, + "-%c byte counter not numeric", + opt2char(OPT_COUNTERS)); + break; + + case '4': + if (args->family == AF_INET) + break; + + if (p->restore && args->family == AF_INET6) + return; + + exit_tryhelp(2, p->line); + + case '6': + if (args->family == AF_INET6) + break; + + if (p->restore && args->family == AF_INET) + return; + + exit_tryhelp(2, 
p->line); + + case 1: /* non option */ + if (optarg0 == '!' && optarg1 == '\0') { + if (invert) + xtables_error(PARAMETER_PROBLEM, + "multiple consecutive ! not" + " allowed"); + invert = true; + optarg0 = '\0'; + continue; + } + fprintf(stderr, "Bad argument `%s'\n", optarg); + exit_tryhelp(2, p->line); + + default: + if (command_default(cs, xt_params, invert)) + /* cf. ip6tables.c */ + continue; + break; + } + invert = false; + } + + if (strcmp(p->table, "nat") == 0 && + ((p->policy != NULL && strcmp(p->policy, "DROP") == 0) || + (cs->jumpto != NULL && strcmp(cs->jumpto, "DROP") == 0))) + xtables_error(PARAMETER_PROBLEM, + "\nThe \"nat\" table is not intended for filtering, " + "the use of DROP is therefore inhibited.\n\n"); + + if (!args->wait && wait_interval_set) + xtables_error(PARAMETER_PROBLEM, + "--wait-interval only makes sense with --wait\n"); + + for (matchp = cs->matches; matchp; matchp = matchp->next) + xtables_option_mfcall(matchp->match); + if (cs->target != NULL) + xtables_option_tfcall(cs->target); + + /* Fix me: must put inverse options checking here --MN */ + + if (optind < argc) + xtables_error(PARAMETER_PROBLEM, + "unknown arguments found on commandline"); + if (!p->command) + xtables_error(PARAMETER_PROBLEM, "no command specified"); + if (invert) + xtables_error(PARAMETER_PROBLEM, + "nothing appropriate following !"); + + if (p->ops->post_parse) + p->ops->post_parse(p->command, cs, args); + + if (p->command == CMD_REPLACE && + (args->s.naddrs != 1 || args->d.naddrs != 1)) + xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " + "specify a unique address"); + + generic_opt_check(p->command, cs->options); + + if (p->chain != NULL && strlen(p->chain) >= XT_EXTENSION_MAXNAMELEN) + xtables_error(PARAMETER_PROBLEM, + "chain name `%s' too long (must be under %u chars)", + p->chain, XT_EXTENSION_MAXNAMELEN); + + if (p->command == CMD_APPEND || + p->command == CMD_DELETE || + p->command == CMD_DELETE_NUM || + p->command == CMD_CHECK || + 
p->command == CMD_INSERT || + p->command == CMD_REPLACE) { + if (strcmp(p->chain, "PREROUTING") == 0 + || strcmp(p->chain, "INPUT") == 0) { + /* -o not valid with incoming packets. */ + if (cs->options & OPT_VIANAMEOUT) + xtables_error(PARAMETER_PROBLEM, + "Can't use -%c with %s\n", + opt2char(OPT_VIANAMEOUT), + p->chain); + } + + if (strcmp(p->chain, "POSTROUTING") == 0 + || strcmp(p->chain, "OUTPUT") == 0) { + /* -i not valid with outgoing packets */ + if (cs->options & OPT_VIANAMEIN) + xtables_error(PARAMETER_PROBLEM, + "Can't use -%c with %s\n", + opt2char(OPT_VIANAMEIN), + p->chain); + } + } +} + +void ipv4_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->fw.ip.proto = args->proto; + cs->fw.ip.invflags = args->invflags; +} + +/* These are invalid numbers as upper layer protocol */ +static int is_exthdr(uint16_t proto) +{ + return (proto == IPPROTO_ROUTING || + proto == IPPROTO_FRAGMENT || + proto == IPPROTO_AH || + proto == IPPROTO_DSTOPTS); +} + +void ipv6_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->fw6.ipv6.proto = args->proto; + cs->fw6.ipv6.invflags = args->invflags; + + /* this is needed for ip6tables-legacy only */ + args->flags |= IP6T_F_PROTO; + cs->fw6.ipv6.flags |= IP6T_F_PROTO; + + if (is_exthdr(cs->fw6.ipv6.proto) + && (cs->fw6.ipv6.invflags & XT_INV_PROTO) == 0) + fprintf(stderr, + "Warning: never matched protocol: %s. " + "use extension match instead.\n", + cs->protocol); +} + +void ipv4_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->fw.ip.flags = args->flags; + /* We already set invflags in proto_parse, but we need to refresh it + * to include new parsed options. 
+ */ + cs->fw.ip.invflags = args->invflags; + + memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); + memcpy(cs->fw.ip.iniface_mask, + args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); + + memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ); + memcpy(cs->fw.ip.outiface_mask, + args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); + + if (args->goto_set) + cs->fw.ip.flags |= IPT_F_GOTO; + + /* nft-variants use cs->counters, legacy uses cs->fw.counters */ + cs->counters.pcnt = args->pcnt_cnt; + cs->counters.bcnt = args->bcnt_cnt; + cs->fw.counters.pcnt = args->pcnt_cnt; + cs->fw.counters.bcnt = args->bcnt_cnt; + + if (command & (CMD_REPLACE | CMD_INSERT | + CMD_DELETE | CMD_APPEND | CMD_CHECK)) { + if (!(cs->options & OPT_DESTINATION)) + args->dhostnetworkmask = "0.0.0.0/0"; + if (!(cs->options & OPT_SOURCE)) + args->shostnetworkmask = "0.0.0.0/0"; + } + + if (args->shostnetworkmask) + xtables_ipparse_multiple(args->shostnetworkmask, + &args->s.addr.v4, &args->s.mask.v4, + &args->s.naddrs); + if (args->dhostnetworkmask) + xtables_ipparse_multiple(args->dhostnetworkmask, + &args->d.addr.v4, &args->d.mask.v4, + &args->d.naddrs); + + if ((args->s.naddrs > 1 || args->d.naddrs > 1) && + (cs->fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) + xtables_error(PARAMETER_PROBLEM, + "! not allowed with multiple" + " source or destination IP addresses"); +} + +void ipv6_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->fw6.ipv6.flags = args->flags; + /* We already set invflags in proto_parse, but we need to refresh it + * to include new parsed options. 
+ */ + cs->fw6.ipv6.invflags = args->invflags; + + memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); + memcpy(cs->fw6.ipv6.iniface_mask, + args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); + + memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); + memcpy(cs->fw6.ipv6.outiface_mask, + args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); + + if (args->goto_set) + cs->fw6.ipv6.flags |= IP6T_F_GOTO; + + cs->fw6.counters.pcnt = args->pcnt_cnt; + cs->fw6.counters.bcnt = args->bcnt_cnt; + + if (command & (CMD_REPLACE | CMD_INSERT | + CMD_DELETE | CMD_APPEND | CMD_CHECK)) { + if (!(cs->options & OPT_DESTINATION)) + args->dhostnetworkmask = "::0/0"; + if (!(cs->options & OPT_SOURCE)) + args->shostnetworkmask = "::0/0"; + } + + if (args->shostnetworkmask) + xtables_ip6parse_multiple(args->shostnetworkmask, + &args->s.addr.v6, + &args->s.mask.v6, + &args->s.naddrs); + if (args->dhostnetworkmask) + xtables_ip6parse_multiple(args->dhostnetworkmask, + &args->d.addr.v6, + &args->d.mask.v6, + &args->d.naddrs); + + if ((args->s.naddrs > 1 || args->d.naddrs > 1) && + (cs->fw6.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP))) + xtables_error(PARAMETER_PROBLEM, + "! 
not allowed with multiple" + " source or destination IP addresses"); +} + +unsigned char * +make_delete_mask(const struct xtables_rule_match *matches, + const struct xtables_target *target, + size_t entry_size) +{ + /* Establish mask for comparison */ + unsigned int size = entry_size; + const struct xtables_rule_match *matchp; + unsigned char *mask, *mptr; + + for (matchp = matches; matchp; matchp = matchp->next) + size += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; + + mask = xtables_calloc(1, size + + XT_ALIGN(sizeof(struct xt_entry_target)) + + target->size); + + memset(mask, 0xFF, entry_size); + mptr = mask + entry_size; + + for (matchp = matches; matchp; matchp = matchp->next) { + memset(mptr, 0xFF, + XT_ALIGN(sizeof(struct xt_entry_match)) + + matchp->match->userspacesize); + mptr += XT_ALIGN(sizeof(struct xt_entry_match)) + matchp->match->size; + } + + memset(mptr, 0xFF, + XT_ALIGN(sizeof(struct xt_entry_target)) + + target->userspacesize); + + return mask; +}
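Review bot: In `set_option`, the index produced by `for (i = 0; 1 << i != option; i++);` is used unchecked against `inverse_for_options[NUMBER_OF_OPT]`, which has 18 entries, while the header in this same commit defines `OPT_LOGICALIN`…`OPT_ZERO` at bits 18–21; if any caller ever passes one of those with `invert` set, the lookup reads past the table, and an `option` that is zero or not a single bit never terminates the loop. Changing the test to `if (i >= NUMBER_OF_OPT || !inverse_for_options[i])` keeps the error on the existing `xtables_error` call and makes the table bound explicit. In `do_parse`, `case 'c'` does `strchr(args->pcnt + 1, ',')`, which steps past the terminator when `-c` receives an empty argument; checking `*args->pcnt` first (or searching from `args->pcnt`) avoids the one-byte overread before the `sscanf` calls. The `-t`, `"nat"`-table, `--wait-interval` and `Can't use -%c with %s` messages keep a trailing `\n` although the commit strips it from `cmd2char`, `add_command` and `generic_opt_check`. `check_empty_interface` emits the ARP-family warning with `fprintf(stderr, "%s", msg)` and no newline, so it runs into whatever stderr prints next.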
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xshared.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xshared.h
@@ -6,7 +6,6 @@ #include <stdint.h> #include <netinet/in.h> #include <net/if.h> -#include <sys/time.h> #include <linux/netfilter_arp/arp_tables.h> #include <linux/netfilter_ipv4/ip_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> @@ -38,12 +37,13 @@ OPT_OPCODE = 1 << 15, OPT_H_TYPE = 1 << 16, OPT_P_TYPE = 1 << 17, + /* below are for ebtables only */ + OPT_LOGICALIN = 1 << 18, + OPT_LOGICALOUT = 1 << 19, + OPT_COMMAND = 1 << 20, + OPT_ZERO = 1 << 21, }; -#define NUMBER_OF_OPT ARRAY_SIZE(optflags) -static const char optflags -= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 }; - enum { CMD_NONE = 0, CMD_INSERT = 1 << 0, @@ -68,25 +68,17 @@ struct xtables_rule_match; struct xtables_target; -/** - * xtables_afinfo - protocol family dependent information - * @kmod: kernel module basename (e.g. "ip_tables") - * @proc_exists: file which exists in procfs when module already loaded - * @libprefix: prefix of .so library name (e.g. "libipt_") - * @family: nfproto family - * @ipproto: used by setsockopt (e.g. IPPROTO_IP) - * @so_rev_match: optname to check revision support of match - * @so_rev_target: optname to check revision support of target - */ -struct xtables_afinfo { - const char *kmod; - const char *proc_exists; - const char *libprefix; - uint8_t family; - uint8_t ipproto; - int so_rev_match; - int so_rev_target; -}; +#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:" +#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x" +#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ +#define EBT_OPTSTRING OPTSTRING_COMMON "hv" + +/* define invflags which won't collide with IPT ones */ +#define IPT_INV_SRCDEVADDR 0x0080 +#define IPT_INV_TGTDEVADDR 0x0100 +#define IPT_INV_ARPHLN 0x0200 +#define IPT_INV_ARPOP 0x0400 +#define IPT_INV_ARPHRD 0x0800 /* trick for ebtables-compat, since watchers are targets */ struct ebt_match { 
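Review bot: The new IPT_INV_SRCDEVADDR…IPT_INV_ARPHRD values (0x0080–0x0800) only fit in a 16-bit field, and the `/* define invflags which won't collide with IPT ones */` comment does not say where they may legally be stored. They are carried in `struct xtables_args.invflags`, declared `uint16_t` further down this header, but the per-family post-parse code copies that field straight into the kernel entry (`cs->fw6.ipv6.invflags = args->invflags;` in the xshared.c hunk earlier on this page), and the kernel's `ipt_ip`/`ip6t_ip6` invflags are, as far as I recall, 8-bit, so any of these bits set on an IPv4/IPv6 rule would be silently truncated rather than rejected. I would extend the comment to `/* arptables-only; bits 7..11 exceed the 8-bit ipt_ip/ip6t_ip6 invflags and must be masked or rejected before being copied into an IPv4/IPv6 entry */` and have the IPv4/IPv6 post-parse paths error out when `args->invflags & ~0x7f` is non-zero.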
@@ -125,7 +117,6 @@ struct ip6t_entry fw6; struct arpt_entry arp; }; - int invert; int c; unsigned int options; struct xtables_rule_match *matches; @@ -139,6 +130,8 @@ bool restore; }; +void xtables_clear_iptables_command_state(struct iptables_command_state *cs); + typedef int (*mainfunc_t)(int, char **); struct subcommand { @@ -146,16 +139,6 @@ mainfunc_t main; }; -enum { - XT_OPTION_OFFSET_SCALE = 256, -}; - -extern void print_extension_helps(const struct xtables_target *, - const struct xtables_rule_match *); -extern const char *proto_to_name(uint8_t, int); -extern int command_default(struct iptables_command_state *, - struct xtables_globals *); -extern struct xtables_match *load_proto(struct iptables_command_state *); extern int subcmd_main(int, char **, const struct subcommand *); extern void xs_init_target(struct xtables_target *); extern void xs_init_match(struct xtables_match *); @@ -179,16 +162,14 @@ XT_LOCK_NOT_ACQUIRED = -3, }; extern void xtables_unlock(int lock); -extern int xtables_lock_or_exit(int wait, struct timeval *tv); +extern int xtables_lock_or_exit(int wait); int parse_wait_time(int argc, char *argv); -void parse_wait_interval(int argc, char *argv, struct timeval *wait_interval); +void parse_wait_interval(int argc, char *argv); int parse_counters(const char *string, struct xt_counters *ctr); bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line); bool xs_has_arg(int argc, char *argv); -extern const struct xtables_afinfo *afinfo; - #define MAX_ARGC 255 struct argv_store { int argc; 
@@ -206,22 +187,116 @@ # define debug_print_argv(...) /* nothing */ #endif +const char *ipv4_addr_to_string(const struct in_addr *addr, + const struct in_addr *mask, + unsigned int format); +void print_header(unsigned int format, const char *chain, const char *pol, + const struct xt_counters *counters, + int refs, uint32_t entries); void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); +void save_ipv4_addr(char letter, const struct in_addr *addr, + const struct in_addr *mask, int invert); void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); +void save_ipv6_addr(char letter, const struct in6_addr *addr, + const struct in6_addr *mask, int invert); void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags, unsigned int format); +void save_iface(char letter, const char *iface, + const unsigned char *mask, int invert); + +void print_fragment(unsigned int flags, unsigned int invflags, + unsigned int format, bool fake); -void command_match(struct iptables_command_state *cs); -const char *xt_parse_target(const char *targetname); void command_jump(struct iptables_command_state *cs, const char *jumpto); -char cmd2char(int option); -void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert); -int parse_rulenumber(const char *rule); +void assert_valid_chain_name(const char *chainname); + +void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs, + const char *targname, uint8_t proto, uint8_t flags, + uint8_t invflags, unsigned int format); +void save_rule_details(const char *iniface, unsigned const char *iniface_mask, + const char *outiface, unsigned const char *outiface_mask, + uint16_t proto, int frag, uint8_t invflags); + +int print_match_save(const struct xt_entry_match *e, const void *ip); + +void exit_tryhelp(int status, int line) __attribute__((noreturn)); + +struct addr_mask { + union { + struct in_addr *v4; + struct in6_addr *v6; + void *ptr; + } addr; 
+ + unsigned int naddrs; + + union { + struct in_addr *v4; + struct in6_addr *v6; + void *ptr; + } mask; +}; + +struct xtables_args { + int family; + uint16_t proto; + uint8_t flags; + uint16_t invflags; + char inifaceIFNAMSIZ, outifaceIFNAMSIZ; + unsigned char iniface_maskIFNAMSIZ, outiface_maskIFNAMSIZ; + bool goto_set; + const char *shostnetworkmask, *dhostnetworkmask; + const char *pcnt, *bcnt; + struct addr_mask s, d; + const char *src_mac, *dst_mac; + const char *arp_hlen, *arp_opcode; + const char *arp_htype, *arp_ptype; + unsigned long long pcnt_cnt, bcnt_cnt; + int wait; +}; + +struct xt_cmd_parse_ops { + void (*proto_parse)(struct iptables_command_state *cs, + struct xtables_args *args); + void (*post_parse)(int command, + struct iptables_command_state *cs, + struct xtables_args *args); +}; + +struct xt_cmd_parse { + unsigned int command; + unsigned int rulenum; + char *table; + const char *chain; + const char *newname; + const char *policy; + bool restore; + int line; + int verbose; + bool xlate; + struct xt_cmd_parse_ops *ops; +}; + +void do_parse(int argc, char *argv, + struct xt_cmd_parse *p, struct iptables_command_state *cs, + struct xtables_args *args); + +void ipv4_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args); +void ipv6_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args); +void ipv4_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args); +void ipv6_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args); + +extern char *arp_opcodes; +#define ARP_NUMOPCODES 9 -void generic_opt_check(int command, int options); -char opt2char(int option); +unsigned char *make_delete_mask(const struct xtables_rule_match *matches, + const struct xtables_target *target, + size_t entry_size); #endif /* IPTABLES_XSHARED_H */
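Review bot: `struct xtables_args` now owns heap-allocated address arrays but the header says nothing about who frees them. `s.addr.ptr`/`s.mask.ptr` and the `d` counterpart are filled by `xtables_ip6parse_multiple()` in the ipv6_post_parse hunk earlier on this page, and the deleted arptables code below freed `saddrs`/`smasks`/`daddrs`/`dmasks` explicitly after the command ran, so every caller of `do_parse()` must now know to release four buffers. I would document that on the struct: `/* s/d: address and mask arrays allocated by xtables_ip{,6}parse_multiple() in post_parse; the caller of do_parse() owns and must free() them */`. Note also that `shostnetworkmask`/`dhostnetworkmask` are pointed at string literals (`"::0/0"`) by post_parse, so they must stay `const char *` and never be passed to free().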
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-arp.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-arp.c
@@ -30,35 +30,22 @@ #include "config.h" #include <getopt.h> #include <string.h> -#include <netdb.h> -#include <errno.h> #include <stdio.h> #include <stdlib.h> -#include <inttypes.h> -#include <dlfcn.h> -#include <ctype.h> -#include <stdarg.h> -#include <limits.h> -#include <unistd.h> -#include <fcntl.h> -#include <sys/wait.h> -#include <net/if.h> -#include <netinet/ether.h> -#include <iptables.h> #include <xtables.h> #include "xshared.h" #include "nft.h" -#include "nft-arp.h" -#include <linux/netfilter_arp/arp_tables.h> static struct option original_opts = { { "append", 1, 0, 'A' }, { "delete", 1, 0, 'D' }, + { "check", 1, 0, 'C'}, { "insert", 1, 0, 'I' }, { "replace", 1, 0, 'R' }, { "list", 2, 0, 'L' }, + { "list-rules", 2, 0, 'S'}, { "flush", 2, 0, 'F' }, { "zero", 2, 0, 'Z' }, { "new-chain", 1, 0, 'N' }, 
@@ -96,337 +83,13 @@ #define opts xt_params->opts -extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); struct xtables_globals arptables_globals = { .option_offset = 0, - .program_version = PACKAGE_VERSION, + .program_version = PACKAGE_VERSION " (nf_tables)", .orig_opts = original_opts, - .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, }; -/* index relates to bit of each OPT_* value */ -static int inverse_for_options = -{ -/* -n */ 0, -/* -s */ IPT_INV_SRCIP, -/* -d */ IPT_INV_DSTIP, -/* -p */ 0, -/* -j */ 0, -/* -v */ 0, -/* -x */ 0, -/* -i */ IPT_INV_VIA_IN, -/* -o */ IPT_INV_VIA_OUT, -/*--line*/ 0, -/* -c */ 0, -/* -f */ 0, -/* 2 */ IPT_INV_SRCDEVADDR, -/* 3 */ IPT_INV_TGTDEVADDR, -/* -l */ IPT_INV_ARPHLN, -/* 4 */ IPT_INV_ARPOP, -/* 5 */ IPT_INV_ARPHRD, -/* 6 */ IPT_INV_PROTO, -}; - -/***********************************************/ -/* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */ -/***********************************************/ - -static int getlength_and_mask(char *from, uint8_t *to, uint8_t *mask) -{ - char *p, *buffer; - int i; - - if ( (p = strrchr(from, '/')) != NULL) { - *p = '\0'; - i = strtol(p+1, &buffer, 10); - if (*buffer != '\0' || i < 0 || i > 255) - return -1; - *mask = (uint8_t)i; - } else - *mask = 255; - i = strtol(from, &buffer, 10); - if (*buffer != '\0' || i < 0 || i > 255) - return -1; - *to = (uint8_t)i; - return 0; -} - -static int get16_and_mask(char *from, uint16_t *to, uint16_t *mask, int base) -{ - char *p, *buffer; - int i; - - if ( (p = strrchr(from, '/')) != NULL) { - *p = '\0'; - i = strtol(p+1, &buffer, base); - if (*buffer != '\0' || i < 0 || i > 65535) - return -1; - *mask = htons((uint16_t)i); - } else - *mask = 65535; - i = strtol(from, &buffer, base); - if (*buffer != '\0' || i < 0 || i > 65535) - return -1; - *to = htons((uint16_t)i); - return 0; -} - -/*********************************************/ -/* ARPTABLES 
SPECIFIC NEW FUNCTIONS END HERE */ -/*********************************************/ - -static void -exit_tryhelp(int status) -{ - fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", - arptables_globals.program_name, - arptables_globals.program_version); - exit(status); -} - -static void -printhelp(void) -{ - struct xtables_target *t = NULL; - int i; - - printf("%s v%s\n\n" -"Usage: %s -AD chain rule-specification options\n" -" %s -RI chain rulenum rule-specification options\n" -" %s -D chain rulenum options\n" -" %s -LFZ chain options\n" -" %s -NX chain\n" -" %s -E old-chain-name new-chain-name\n" -" %s -P chain target options\n" -" %s -h (print this help information)\n\n", - arptables_globals.program_name, - arptables_globals.program_version, - arptables_globals.program_name, - arptables_globals.program_name, - arptables_globals.program_name, - arptables_globals.program_name, - arptables_globals.program_name, - arptables_globals.program_name, - arptables_globals.program_name, - arptables_globals.program_name); - printf( -"Commands:\n" -"Either long or short options are allowed.\n" -" --append -A chain Append to chain\n" -" --delete -D chain Delete matching rule from chain\n" -" --delete -D chain rulenum\n" -" Delete rule rulenum (1 = first) from chain\n" -" --insert -I chain rulenum\n" -" Insert in chain as rulenum (default 1=first)\n" -" --replace -R chain rulenum\n" -" Replace rule rulenum (1 = first) in chain\n" -" --list -L chain List the rules in a chain or all chains\n" -" --flush -F chain Delete all rules in chain or all chains\n" -" --zero -Z chain Zero counters in chain or all chains\n" -" --new -N chain Create a new user-defined chain\n" -" --delete-chain\n" -" -X chain Delete a user-defined chain\n" -" --policy -P chain target\n" -" Change policy on chain to target\n" -" --rename-chain\n" -" -E old-chain new-chain\n" -" Change chain name, (moving any references)\n" - -"Options:\n" -" --source-ip -s ! 
address/mask\n" -" source specification\n" -" --destination-ip -d ! address/mask\n" -" destination specification\n" -" --source-mac ! address/mask\n" -" --destination-mac ! address/mask\n" -" --h-length -l length/mask hardware length (nr of bytes)\n" -" --opcode code/mask operation code (2 bytes)\n" -" --h-type type/mask hardware type (2 bytes, hexadecimal)\n" -" --proto-type type/mask protocol type (2 bytes)\n" -" --in-interface -i ! input name+\n" -" network interface name (+ for wildcard)\n" -" --out-interface -o ! output name+\n" -" network interface name (+ for wildcard)\n" -" --jump -j target\n" -" target for rule (may load target extension)\n" -" --match -m match\n" -" extended match (may load extension)\n" -" --numeric -n numeric output of addresses and ports\n" -" --table -t table table to manipulate (default: `filter')\n" -" --verbose -v verbose mode\n" -" --line-numbers print line numbers when listing\n" -" --exact -x expand numbers (display exact values)\n" -" --modprobe=<command> try to insert modules using this command\n" -" --set-counters -c PKTS BYTES set the counter during insert/append\n" -"! --version -V print package version.\n"); - printf(" opcode strings: \n"); - for (i = 0; i < NUMOPCODES; i++) - printf(" %d = %s\n", i + 1, arp_opcodesi); - printf( -" hardware type string: 1 = Ethernet\n" -" protocol type string: 0x800 = IPv4\n"); - - /* Print out any special helps. A user might like to be able - to add a --help to the commandline, and see expected - results. So we call help for all matches & targets */ - for (t = xtables_targets; t; t = t->next) { - if (strcmp(t->name, "CLASSIFY") && strcmp(t->name, "mangle")) - continue; - printf("\n"); - t->help(); - } -} - -static int -check_inverse(const char option, int *invert, int *optidx, int argc) -{ - if (option && strcmp(option, "!") == 0) { - if (*invert) - xtables_error(PARAMETER_PROBLEM, - "Multiple `!' 
flags not allowed"); - *invert = true; - if (optidx) { - *optidx = *optidx+1; - if (argc && *optidx > argc) - xtables_error(PARAMETER_PROBLEM, - "no argument following `!'"); - } - - return true; - } - return false; -} - -static void -set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, - int invert) -{ - if (*options & option) - xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed", - opt2char(option)); - *options |= option; - - if (invert) { - unsigned int i; - for (i = 0; 1 << i != option; i++); - - if (!inverse_for_optionsi) - xtables_error(PARAMETER_PROBLEM, - "cannot have ! before -%c", - opt2char(option)); - *invflg |= inverse_for_optionsi; - } -} - -static int -list_entries(struct nft_handle *h, const char *chain, const char *table, - int rulenum, int verbose, int numeric, int expanded, - int linenumbers) -{ - unsigned int format; - - format = FMT_OPTIONS; - if (!verbose) - format |= FMT_NOCOUNTS; - else - format |= FMT_VIA; - - if (numeric) - format |= FMT_NUMERIC; - - if (!expanded) - format |= FMT_KILOMEGAGIGA; - - if (linenumbers) - format |= FMT_LINENUMBERS; - - return nft_cmd_rule_list(h, chain, table, rulenum, format); -} - -static int -append_entry(struct nft_handle *h, - const char *chain, - const char *table, - struct iptables_command_state *cs, - int rulenum, - unsigned int nsaddrs, - const struct in_addr saddrs, - const struct in_addr smasks, - unsigned int ndaddrs, - const struct in_addr daddrs, - const struct in_addr dmasks, - bool verbose, bool append) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < nsaddrs; i++) { - cs->arp.arp.src.s_addr = saddrsi.s_addr; - cs->arp.arp.smsk.s_addr = smasksi.s_addr; - for (j = 0; j < ndaddrs; j++) { - cs->arp.arp.tgt.s_addr = daddrsj.s_addr; - cs->arp.arp.tmsk.s_addr = dmasksj.s_addr; - if (append) { - ret = nft_cmd_rule_append(h, chain, table, cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, cs, - rulenum, verbose); - } - } - } - - 
return ret; -} - -static int -replace_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - unsigned int rulenum, - const struct in_addr *saddr, - const struct in_addr *smask, - const struct in_addr *daddr, - const struct in_addr *dmask, - bool verbose, struct nft_handle *h) -{ - cs->arp.arp.src.s_addr = saddr->s_addr; - cs->arp.arp.tgt.s_addr = daddr->s_addr; - cs->arp.arp.smsk.s_addr = smask->s_addr; - cs->arp.arp.tmsk.s_addr = dmask->s_addr; - - return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); -} - -static int -delete_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - unsigned int nsaddrs, - const struct in_addr saddrs, - const struct in_addr smasks, - unsigned int ndaddrs, - const struct in_addr daddrs, - const struct in_addr dmasks, - bool verbose, struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < nsaddrs; i++) { - cs->arp.arp.src.s_addr = saddrsi.s_addr; - cs->arp.arp.smsk.s_addr = smasksi.s_addr; - for (j = 0; j < ndaddrs; j++) { - cs->arp.arp.tgt.s_addr = daddrsj.s_addr; - cs->arp.arp.tmsk.s_addr = dmasksj.s_addr; - ret = nft_cmd_rule_delete(h, chain, table, cs, verbose); - } - } - - return ret; -} - int nft_init_arp(struct nft_handle *h, const char *pname) { arptables_globals.program_name = pname; 
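Review bot: This hunk deletes arptables' own argument validators (`getlength_and_mask()`, `get16_and_mask()`) and the `cs.arp.arp.arhln != 6` check without anything in xtables-arp.c taking their place, so input checking now lives entirely in the shared parser that this page does not show. The removed helpers rejected out-of-range and malformed values (`i < 0 || i > 255`, `i < 0 || i > 65535`, trailing garbage after strtol) for `--h-length`, `--opcode`, `--h-type` and `--proto-type`, and the hardware-length check matters because the nft backend, as far as I know, builds its payload expressions assuming 6-byte hardware addresses. Please confirm the shared `do_parse()`/arp post-parse path keeps equivalent range checks and still fails with `Only harware address length of 6 is supported currently.` (ideally with the spelling fixed) instead of silently accepting other lengths.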
@@ -436,536 +99,12 @@ arptables_globals.program_version); exit(1); } - -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensions(); init_extensionsa(); -#endif - if (nft_init(h, NFPROTO_ARP, xtables_arp) < 0) + if (nft_init(h, NFPROTO_ARP) < 0) xtables_error(OTHER_PROBLEM, "Could not initialize nftables layer."); return 0; } - -int do_commandarp(struct nft_handle *h, int argc, char *argv, char **table, - bool restore) -{ - struct iptables_command_state cs = { - .jumpto = "", - .arp.arp = { - .arhln = 6, - .arhln_mask = 255, - .arhrd = htons(ARPHRD_ETHER), - .arhrd_mask = 65535, - }, - }; - int invert = 0; - unsigned int nsaddrs = 0, ndaddrs = 0; - struct in_addr *saddrs = NULL, *smasks = NULL; - struct in_addr *daddrs = NULL, *dmasks = NULL; - - int c, verbose = 0; - const char *chain = NULL; - const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; - const char *policy = NULL, *newname = NULL; - unsigned int rulenum = 0, options = 0, command = 0; - const char *pcnt = NULL, *bcnt = NULL; - int ret = 1; - struct xtables_target *t; - - /* re-set optind to 0 in case do_command gets called - * a second time */ - optind = 0; - - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } - - /* Suppress error messages: we may add new options if we - demand-load a protocol. 
*/ - opterr = 0; - - opts = xt_params->orig_opts; - while ((c = getopt_long(argc, argv, - "-A:D:R:I:L::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:l:i:vnt:m:c:", - opts, NULL)) != -1) { - switch (c) { - /* - * Command selection - */ - case 'A': - add_command(&command, CMD_APPEND, CMD_NONE, - invert); - chain = optarg; - break; - - case 'D': - add_command(&command, CMD_DELETE, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) { - rulenum = parse_rulenumber(argvoptind++); - command = CMD_DELETE_NUM; - } - break; - - case 'R': - add_command(&command, CMD_REPLACE, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a rule number", - cmd2char(CMD_REPLACE)); - break; - - case 'I': - add_command(&command, CMD_INSERT, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - rulenum = parse_rulenumber(argvoptind++); - else rulenum = 1; - break; - - case 'L': - add_command(&command, CMD_LIST, CMD_ZERO, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'F': - add_command(&command, CMD_FLUSH, CMD_NONE, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'Z': - add_command(&command, CMD_ZERO, CMD_LIST, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain = argvoptind++; - break; - - case 'N': - if (optarg && *optarg == '-') - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `-'\n"); - if (xtables_find_target(optarg, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - add_command(&command, CMD_NEW_CHAIN, CMD_NONE, - invert); - chain = optarg; - break; - - case 'X': - add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, - invert); - if (optarg) chain = optarg; - else if (xs_has_arg(argc, argv)) - chain 
= argvoptind++; - break; - - case 'E': - add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - newname = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires old-chain-name and " - "new-chain-name", - cmd2char(CMD_RENAME_CHAIN)); - break; - - case 'P': - add_command(&command, CMD_SET_POLICY, CMD_NONE, - invert); - chain = optarg; - if (xs_has_arg(argc, argv)) - policy = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a chain and a policy", - cmd2char(CMD_SET_POLICY)); - break; - - case 'h': - if (!optarg) - optarg = argvoptind; - - printhelp(); - command = CMD_NONE; - break; - case 's': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_SOURCE, &cs.arp.arp.invflags, - invert); - shostnetworkmask = argvoptind-1; - break; - - case 'd': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_DESTINATION, &cs.arp.arp.invflags, - invert); - dhostnetworkmask = argvoptind-1; - break; - - case 2:/* src-mac */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_S_MAC, &cs.arp.arp.invflags, - invert); - if (xtables_parse_mac_and_mask(argvoptind - 1, - cs.arp.arp.src_devaddr.addr, cs.arp.arp.src_devaddr.mask)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified " - "source mac"); - break; - - case 3:/* dst-mac */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_D_MAC, &cs.arp.arp.invflags, - invert); - - if (xtables_parse_mac_and_mask(argvoptind - 1, - cs.arp.arp.tgt_devaddr.addr, cs.arp.arp.tgt_devaddr.mask)) - xtables_error(PARAMETER_PROBLEM, "Problem with specified " - "destination mac"); - break; - - case 'l':/* hardware length */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_H_LENGTH, &cs.arp.arp.invflags, - invert); - getlength_and_mask(argvoptind - 1, &cs.arp.arp.arhln, - &cs.arp.arp.arhln_mask); - - if (cs.arp.arp.arhln != 6) { - 
xtables_error(PARAMETER_PROBLEM, - "Only harware address length of" - " 6 is supported currently."); - } - - break; - - case 8: /* was never supported, not even in arptables-legacy */ - xtables_error(PARAMETER_PROBLEM, "not supported"); - case 4:/* opcode */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_OPCODE, &cs.arp.arp.invflags, - invert); - if (get16_and_mask(argvoptind - 1, &cs.arp.arp.arpop, - &cs.arp.arp.arpop_mask, 10)) { - int i; - - for (i = 0; i < NUMOPCODES; i++) - if (!strcasecmp(arp_opcodesi, optarg)) - break; - if (i == NUMOPCODES) - xtables_error(PARAMETER_PROBLEM, "Problem with specified opcode"); - cs.arp.arp.arpop = htons(i+1); - } - break; - - case 5:/* h-type */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_H_TYPE, &cs.arp.arp.invflags, - invert); - if (get16_and_mask(argvoptind - 1, &cs.arp.arp.arhrd, - &cs.arp.arp.arhrd_mask, 16)) { - if (strcasecmp(argvoptind-1, "Ethernet")) - xtables_error(PARAMETER_PROBLEM, "Problem with specified hardware type"); - cs.arp.arp.arhrd = htons(1); - } - break; - - case 6:/* proto-type */ - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_P_TYPE, &cs.arp.arp.invflags, - invert); - if (get16_and_mask(argvoptind - 1, &cs.arp.arp.arpro, - &cs.arp.arp.arpro_mask, 0)) { - if (strcasecmp(argvoptind-1, "ipv4")) - xtables_error(PARAMETER_PROBLEM, "Problem with specified protocol type"); - cs.arp.arp.arpro = htons(0x800); - } - break; - - case 'j': - set_option(&options, OPT_JUMP, &cs.arp.arp.invflags, - invert); - command_jump(&cs, optarg); - break; - - case 'i': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_VIANAMEIN, &cs.arp.arp.invflags, - invert); - xtables_parse_interface(argvoptind-1, - cs.arp.arp.iniface, - cs.arp.arp.iniface_mask); - break; - - case 'o': - check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_VIANAMEOUT, &cs.arp.arp.invflags, - invert); - 
xtables_parse_interface(argvoptind-1, - cs.arp.arp.outiface, - cs.arp.arp.outiface_mask); - break; - - case 'v': - if (!verbose) - set_option(&options, OPT_VERBOSE, - &cs.arp.arp.invflags, invert); - verbose++; - break; - - case 'm': /* ignored by arptables-legacy */ - break; - case 'n': - set_option(&options, OPT_NUMERIC, &cs.arp.arp.invflags, - invert); - break; - - case 't': - if (invert) - xtables_error(PARAMETER_PROBLEM, - "unexpected ! flag before --table"); - /* ignore this option. - * arptables-legacy parses it, but libarptc doesn't use it. - * arptables only has a 'filter' table anyway. - */ - break; - - case 'V': - if (invert) - printf("Not %s ;-)\n", arptables_globals.program_version); - else - printf("%s v%s (nf_tables)\n", - arptables_globals.program_name, - arptables_globals.program_version); - exit(0); - - case '0': - set_option(&options, OPT_LINENUMBERS, &cs.arp.arp.invflags, - invert); - break; - - case 'M': - //modprobe = optarg; - break; - - case 'c': - - set_option(&options, OPT_COUNTERS, &cs.arp.arp.invflags, - invert); - pcnt = optarg; - if (xs_has_arg(argc, argv)) - bcnt = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires packet and byte counter", - opt2char(OPT_COUNTERS)); - - if (sscanf(pcnt, "%llu", &cs.arp.counters.pcnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c packet counter not numeric", - opt2char(OPT_COUNTERS)); - - if (sscanf(bcnt, "%llu", &cs.arp.counters.bcnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c byte counter not numeric", - opt2char(OPT_COUNTERS)); - - break; - - - case 1: /* non option */ - if (optarg0 == '!' && optarg1 == '\0') { - if (invert) - xtables_error(PARAMETER_PROBLEM, - "multiple consecutive ! 
not" - " allowed"); - invert = true; - optarg0 = '\0'; - continue; - } - printf("Bad argument `%s'\n", optarg); - exit_tryhelp(2); - - default: - if (cs.target) { - xtables_option_tpcall(c, argv, - invert, cs.target, &cs.arp); - } - break; - } - invert = false; - } - - if (cs.target) - xtables_option_tfcall(cs.target); - - if (optind < argc) - xtables_error(PARAMETER_PROBLEM, - "unknown arguments found on commandline"); - if (invert) - xtables_error(PARAMETER_PROBLEM, - "nothing appropriate following !"); - - if (command & (CMD_REPLACE | CMD_INSERT | CMD_DELETE | CMD_APPEND)) { - if (!(options & OPT_DESTINATION)) - dhostnetworkmask = "0.0.0.0/0"; - if (!(options & OPT_SOURCE)) - shostnetworkmask = "0.0.0.0/0"; - } - - if (shostnetworkmask) - xtables_ipparse_multiple(shostnetworkmask, &saddrs, - &smasks, &nsaddrs); - - if (dhostnetworkmask) - xtables_ipparse_multiple(dhostnetworkmask, &daddrs, - &dmasks, &ndaddrs); - - if ((nsaddrs > 1 || ndaddrs > 1) && - (cs.arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple" - " source or destination IP addresses"); - - if (command == CMD_REPLACE && (nsaddrs != 1 || ndaddrs != 1)) - xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " - "specify a unique address"); - - if (chain && strlen(chain) > ARPT_FUNCTION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %i chars)", - chain, ARPT_FUNCTION_MAXNAMELEN); - - if (command == CMD_APPEND - || command == CMD_DELETE - || command == CMD_INSERT - || command == CMD_REPLACE) { - if (strcmp(chain, "PREROUTING") == 0 - || strcmp(chain, "INPUT") == 0) { - /* -o not valid with incoming packets. 
*/ - if (options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEOUT), - chain); - } - - if (strcmp(chain, "POSTROUTING") == 0 - || strcmp(chain, "OUTPUT") == 0) { - /* -i not valid with outgoing packets */ - if (options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEIN), - chain); - } - } - - switch (command) { - case CMD_APPEND: - ret = append_entry(h, chain, *table, &cs, 0, - nsaddrs, saddrs, smasks, - ndaddrs, daddrs, dmasks, - options&OPT_VERBOSE, true); - break; - case CMD_DELETE: - ret = delete_entry(chain, *table, &cs, - nsaddrs, saddrs, smasks, - ndaddrs, daddrs, dmasks, - options&OPT_VERBOSE, h); - break; - case CMD_DELETE_NUM: - ret = nft_cmd_rule_delete_num(h, chain, *table, rulenum - 1, verbose); - break; - case CMD_REPLACE: - ret = replace_entry(chain, *table, &cs, rulenum - 1, - saddrs, smasks, daddrs, dmasks, - options&OPT_VERBOSE, h); - break; - case CMD_INSERT: - ret = append_entry(h, chain, *table, &cs, rulenum - 1, - nsaddrs, saddrs, smasks, - ndaddrs, daddrs, dmasks, - options&OPT_VERBOSE, false); - break; - case CMD_LIST: - ret = list_entries(h, chain, *table, - rulenum, - options&OPT_VERBOSE, - options&OPT_NUMERIC, - /*options&OPT_EXPANDED*/0, - options&OPT_LINENUMBERS); - break; - case CMD_FLUSH: - ret = nft_cmd_rule_flush(h, chain, *table, options & OPT_VERBOSE); - break; - case CMD_ZERO: - ret = nft_cmd_chain_zero_counters(h, chain, *table, - options & OPT_VERBOSE); - break; - case CMD_LIST|CMD_ZERO: - ret = list_entries(h, chain, *table, rulenum, - options&OPT_VERBOSE, - options&OPT_NUMERIC, - /*options&OPT_EXPANDED*/0, - options&OPT_LINENUMBERS); - if (ret) - ret = nft_cmd_chain_zero_counters(h, chain, *table, - options & OPT_VERBOSE); - break; - case CMD_NEW_CHAIN: - ret = nft_cmd_chain_user_add(h, chain, *table); - break; - case CMD_DELETE_CHAIN: - ret = nft_cmd_chain_user_del(h, chain, *table, - options & OPT_VERBOSE); - 
break; - case CMD_RENAME_CHAIN: - ret = nft_cmd_chain_user_rename(h, chain, *table, newname); - break; - case CMD_SET_POLICY: - ret = nft_cmd_chain_set(h, *table, chain, policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", - policy); - break; - case CMD_NONE: - break; - default: - /* We should never reach this... */ - exit_tryhelp(2); - } - - free(saddrs); - free(smasks); - free(daddrs); - free(dmasks); - - nft_clear_iptables_command_state(&cs); - xtables_free_opts(1); - -/* if (verbose > 1) - dump_entries(*handle);*/ - - return ret; -}
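Review bot: Besides option parsing, the deleted `do_commandarp()` carried several semantic checks that are not obviously re-created anywhere visible: `-N` rejecting a chain name that starts with `-` or clashes with a target name, the `strlen(chain) > ARPT_FUNCTION_MAXNAMELEN` limit, `Can't use -o with PREROUTING/INPUT` and `Can't use -i with POSTROUTING/OUTPUT`, and `Replacement rule does not specify a unique address` for `-R` with multiple addresses. Dropping the `#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)` guard also makes `init_extensions()`/`init_extensionsa()` unconditional, which only links if every build configuration provides those symbols — presumably the build now always generates them, but that is not visible here. Once confirmed, a short comment in `nft_init_arp()` such as `/* chain-name, -i/-o vs. chain and -R uniqueness checks now live in xshared.c do_parse() / arp post_parse */` would tell the next reader where the moved checks went.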
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-eb-translate.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-eb-translate.c
@@ -64,22 +64,6 @@ return rule_nr; } -static int get_current_chain(const char *chain) -{ - if (strcmp(chain, "PREROUTING") == 0) - return NF_BR_PRE_ROUTING; - else if (strcmp(chain, "INPUT") == 0) - return NF_BR_LOCAL_IN; - else if (strcmp(chain, "FORWARD") == 0) - return NF_BR_FORWARD; - else if (strcmp(chain, "OUTPUT") == 0) - return NF_BR_LOCAL_OUT; - else if (strcmp(chain, "POSTROUTING") == 0) - return NF_BR_POST_ROUTING; - - return -1; -} - /* * The original ebtables parser */ @@ -103,7 +87,6 @@ /* Default command line options. Do not mess around with the already * assigned numbers unless you know what you are doing */ extern struct option ebt_original_options; -extern struct xtables_globals ebtables_globals; #define opts ebtables_globals.opts #define prog_name ebtables_globals.program_name #define prog_vers ebtables_globals.program_version @@ -169,21 +152,21 @@ printf("\n"); } -static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct nft_xt_cmd_parse *p, +static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct xt_cmd_parse *p, const struct iptables_command_state *cs, bool append) { struct xt_xlate *xl = xt_xlate_alloc(10240); + const char *tick = cs->restore ? "" : "'"; int ret; - if (append) { - xt_xlate_add(xl, "add rule bridge %s %s ", p->table, p->chain); - } else { - xt_xlate_add(xl, "insert rule bridge %s %s ", p->table, p->chain); - } + xt_xlate_add(xl, "%s%s rule bridge %s %s ", tick, + append ? "add" : "insert", p->table, p->chain); ret = h->ops->xlate(cs, xl); if (ret) - printf("%s\n", xt_xlate_get(xl)); + printf("%s%s\n", xt_xlate_get(xl), tick); + else + printf("%s ", tick); xt_xlate_free(xl); return ret; @@ -208,7 +191,7 @@ int selected_chain = -1; struct xtables_rule_match *xtrm_i; struct ebt_match *match; - struct nft_xt_cmd_parse p = { + struct xt_cmd_parse p = { .table = *table, }; 
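Review bot: In `nft_rule_eb_xlate_add()` the failure branch prints only the closing quote: the opening `'` is part of the xlate buffer built by `xt_xlate_add(xl, "%s%s rule bridge %s %s ", tick, ...)`, which is never printed when `h->ops->xlate()` returns 0, yet `printf("%s ", tick)` still emits a lone `'` in non-restore mode, leaving an unbalanced quote on stdout in front of whatever the caller prints for the untranslatable rule. Unless the caller relies on that stray quote, I would either drop the `else` branch or make the halves pair up, e.g. `else printf("%s%s ", tick, tick);`. If the lone quote is deliberate for parity with xtables-translate.c, a comment saying so would stop the next reader from "fixing" it.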
@@ -220,7 +203,6 @@ while ((c = getopt_long(argc, argv, "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { cs.c = c; - cs.invert = ebt_invert; switch (c) { case 'A': /* Add a rule */ case 'D': /* Delete a rule */ @@ -241,7 +223,7 @@ "Multiple commands are not allowed"); command = c; chain = optarg; - selected_chain = get_current_chain(chain); + selected_chain = ebt_get_current_chain(chain); p.chain = chain; flags |= OPT_COMMAND; @@ -312,7 +294,7 @@ "Multiple commands are not allowed"); if (exec_style == EXEC_STYLE_DAEMON) xtables_error(PARAMETER_PROBLEM, - "%s %s\n", prog_name, prog_vers); + "%s %s", prog_name, prog_vers); printf("%s %s\n", prog_name, prog_vers); exit(0); case 'h':
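Review bot: In `nft_rule_eb_xlate_add` the new `tick` quoting interpolates `p->table` and `p->chain` inside a single-quoted `nft '...'` command without any escaping, so a chain name that contained a `'` would produce a malformed command line; where chain names get validated is not visible in this hunk, so that assumption deserves a comment, e.g. `/* table and chain names are assumed to contain no quote characters (validated by the parser) */`. The failure branch prints only the tick and a space, which presumably the caller completes with the untranslated rule; a one-line comment on that `else` would make the contract explicit. The opening tick goes through `xt_xlate_add` while the closing one is printed directly, which makes the pairing harder to audit than keeping both in the `printf`.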
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-eb.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-eb.c
@@ -157,22 +157,6 @@ /* Checks whether a command has already been specified */ #define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO) -#define OPT_COMMAND 0x01 -#define OPT_TABLE 0x02 -#define OPT_IN 0x04 -#define OPT_OUT 0x08 -#define OPT_JUMP 0x10 -#define OPT_PROTOCOL 0x20 -#define OPT_SOURCE 0x40 -#define OPT_DEST 0x80 -#define OPT_ZERO 0x100 -#define OPT_LOGICALIN 0x200 -#define OPT_LOGICALOUT 0x400 -#define OPT_KERNELDATA 0x800 /* This value is also defined in ebtablesd.c */ -#define OPT_COUNT 0x1000 /* This value is also defined in libebtc.c */ -#define OPT_CNT_INCR 0x2000 /* This value is also defined in libebtc.c */ -#define OPT_CNT_DECR 0x4000 /* This value is also defined in libebtc.c */ - /* Default command line options. Do not mess around with the already * assigned numbers unless you know what you are doing */ struct option ebt_original_options = @@ -195,6 +179,7 @@ { "out-interface" , required_argument, 0, 'o' }, { "out-if" , required_argument, 0, 'o' }, { "version" , no_argument , 0, 'V' }, + { "verbose" , no_argument , 0, 'v' }, { "help" , no_argument , 0, 'h' }, { "jump" , required_argument, 0, 'j' }, { "set-counters" , required_argument, 0, 'c' }, 
@@ -211,21 +196,16 @@ { "new-chain" , required_argument, 0, 'N' }, { "rename-chain" , required_argument, 0, 'E' }, { "delete-chain" , optional_argument, 0, 'X' }, - { "atomic-init" , no_argument , 0, 7 }, - { "atomic-commit" , no_argument , 0, 8 }, - { "atomic-file" , required_argument, 0, 9 }, - { "atomic-save" , no_argument , 0, 10 }, { "init-table" , no_argument , 0, 11 }, { "concurrent" , no_argument , 0, 13 }, + { "check" , required_argument, 0, 14 }, { 0 } }; -extern void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); struct xtables_globals ebtables_globals = { .option_offset = 0, - .program_version = PACKAGE_VERSION, + .program_version = PACKAGE_VERSION " (nf_tables)", .orig_opts = ebt_original_options, - .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, }; @@ -278,9 +258,7 @@ ebtables_globals.option_offset += OPTION_OFFSET; *options_offset = ebtables_globals.option_offset; - merge = malloc(sizeof(struct option) * (num_new + num_old + 1)); - if (!merge) - return NULL; + merge = xtables_malloc(sizeof(struct option) * (num_new + num_old + 1)); memcpy(merge, oldopts, num_old * sizeof(struct option)); for (i = 0; i < num_new; i++) { mergenum_old + i = newoptsi; @@ -320,10 +298,6 @@ "--new-chain -N chain : create a user defined chain\n" "--rename-chain -E old new : rename a chain\n" "--delete-chain -X chain : delete a user defined chain\n" -"--atomic-commit : update the kernel w/t table contained in <FILE>\n" -"--atomic-init : put the initial kernel table into <FILE>\n" -"--atomic-save : put the current kernel table into <FILE>\n" -"--atomic-file file : set <FILE> to file\n\n" "Options:\n" "--proto -p ! proto : protocol hexadecimal, by name or LENGTH\n" "--src -s ! address/mask: source mac address\n" 
@@ -336,6 +310,7 @@ " pcnt bcnt : set the counters of the to be added rule\n" "--modprobe -M program : try to insert modules using this program\n" "--concurrent : use a file lock to support concurrent scripts\n" +"--verbose -v : verbose mode\n" "--version -V : print package version\n\n" "Environment variable:\n" /*ATOMIC_ENV_VARIABLE " : if set <FILE> (see above) will equal its value"*/ @@ -579,10 +554,7 @@ m->mflags = 0; /* glue code for watchers */ - newnode = calloc(1, sizeof(struct ebt_match)); - if (newnode == NULL) - xtables_error(OTHER_PROBLEM, "Unable to alloc memory"); - + newnode = xtables_calloc(1, sizeof(struct ebt_match)); newnode->ismatch = true; newnode->u.match = newm; @@ -611,10 +583,7 @@ watcher->tflags = 0; - newnode = calloc(1, sizeof(struct ebt_match)); - if (newnode == NULL) - xtables_error(OTHER_PROBLEM, "Unable to alloc memory"); - + newnode = xtables_calloc(1, sizeof(struct ebt_match)); newnode->u.watcher = clone; for (matchp = &cs->match_list; *matchp; matchp = &(*matchp)->next) @@ -683,12 +652,10 @@ ebtables_globals.program_version); exit(1); } - -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensions(); init_extensionsb(); -#endif - if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0) + if (nft_init(h, NFPROTO_BRIDGE) < 0) xtables_error(OTHER_PROBLEM, "Could not initialize nftables layer."); @@ -743,15 +710,17 @@ struct ebt_match *match; bool table_set = false; + /* avoid cumulating verbosity with ebtables-restore */ + h->verbose = 0; + /* prevent getopt to spoil our error reporting */ optind = 0; opterr = false; /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, - "-A:D:C:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { + while ((c = getopt_long(argc, argv, EBT_OPTSTRING, + opts, NULL)) != -1) { cs.c = c; - cs.invert = ebt_invert; switch (c) { case 'A': /* Add a rule */ 
@@ -762,6 +731,7 @@ case 'N': /* Make a user defined chain */ case 'E': /* Rename chain */ case 'X': /* Delete chain */ + case 14: /* check a rule */ /* We allow -N chainname -P policy */ if (command == 'N' && c == 'P') { command = c; @@ -788,7 +758,7 @@ chain = argvoptind; optind++; } - ret = nft_cmd_chain_user_del(h, chain, *table, 0); + ret = nft_cmd_chain_del(h, chain, *table, 0); break; } @@ -872,11 +842,15 @@ optind++; } break; + case 'v': /* verbose */ + flags |= OPT_VERBOSE; + h->verbose++; + break; case 'V': /* Version */ if (OPT_COMMANDS) xtables_error(PARAMETER_PROBLEM, "Multiple commands are not allowed"); - printf("%s %s (nf_tables)\n", prog_name, prog_vers); + printf("%s %s\n", prog_name, prog_vers); exit(0); case 'h': /* Help */ if (OPT_COMMANDS) @@ -909,15 +883,17 @@ } break; case 't': /* Table */ - ebt_check_option2(&flags, OPT_TABLE); if (restore && table_set) xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); - if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1) + "The -t option cannot be used in %s.", + xt_params->program_name); + else if (table_set) xtables_error(PARAMETER_PROBLEM, - "Table name length cannot exceed %d characters", - EBT_TABLE_MAXNAMELEN - 1); + "Multiple use of same option not allowed"); + if (!nft_table_builtin_find(h, optarg)) + xtables_error(VERSION_PROBLEM, + "table '%s' does not exist", + optarg); *table = optarg; table_set = true; break; 
@@ -933,11 +909,12 @@ if (!OPT_COMMANDS) xtables_error(PARAMETER_PROBLEM, "No command specified"); - if (command != 'A' && command != 'D' && command != 'I' && command != 'C') + if (command != 'A' && command != 'D' && + command != 'I' && command != 'C' && command != 14) xtables_error(PARAMETER_PROBLEM, "Command and option do not match"); if (c == 'i') { - ebt_check_option2(&flags, OPT_IN); + ebt_check_option2(&flags, OPT_VIANAMEIN); if (selected_chain > 2 && selected_chain < NF_BR_BROUTING) xtables_error(PARAMETER_PROBLEM, "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains"); @@ -957,7 +934,7 @@ ebtables_parse_interface(optarg, cs.eb.logical_in); break; } else if (c == 'o') { - ebt_check_option2(&flags, OPT_OUT); + ebt_check_option2(&flags, OPT_VIANAMEOUT); if (selected_chain < 2 || selected_chain == NF_BR_BROUTING) xtables_error(PARAMETER_PROBLEM, "Use -o only in OUTPUT, FORWARD and POSTROUTING chains"); @@ -994,7 +971,7 @@ cs.eb.bitmask |= EBT_SOURCEMAC; break; } else if (c == 'd') { - ebt_check_option2(&flags, OPT_DEST); + ebt_check_option2(&flags, OPT_DESTINATION); if (ebt_check_inverse2(optarg, argc, argv)) cs.eb.invflags |= EBT_IDEST; @@ -1005,7 +982,7 @@ cs.eb.bitmask |= EBT_DESTMAC; break; } else if (c == 'c') { - ebt_check_option2(&flags, OPT_COUNT); + ebt_check_option2(&flags, OPT_COUNTERS); if (ebt_check_inverse2(optarg, argc, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected '!' after -c"); 
@@ -1088,54 +1065,12 @@ "Use --Lmac2 with -L"); flags |= LIST_MAC2; break; - case 8 : /* atomic-commit */ -/* - replace->command = c; - if (OPT_COMMANDS) - ebt_print_error2("Multiple commands are not allowed"); - replace->flags |= OPT_COMMAND; - if (!replace->filename) - ebt_print_error2("No atomic file specified");*/ - /* Get the information from the file */ - /*ebt_get_table(replace, 0);*/ - /* We don't want the kernel giving us its counters, - * they would overwrite the counters extracted from - * the file */ - /*replace->num_counters = 0;*/ - /* Make sure the table will be written to the kernel */ - /*free(replace->filename); - replace->filename = NULL; - break;*/ - /*case 7 :*/ /* atomic-init */ - /*case 10:*/ /* atomic-save */ case 11: /* init-table */ + if (restore) + xtables_error(PARAMETER_PROBLEM, + "--init-table is not supported in daemon mode"); nft_cmd_table_flush(h, *table, false); return 1; - /* - replace->command = c; - if (OPT_COMMANDS) - ebt_print_error2("Multiple commands are not allowed"); - if (c != 11 && !replace->filename) - ebt_print_error2("No atomic file specified"); - replace->flags |= OPT_COMMAND; - { - char *tmp = replace->filename;*/ - - /* Get the kernel table */ - /*replace->filename = NULL; - ebt_get_kernel_table(replace, c == 10 ? 0 : 1); - replace->filename = tmp; - } - break; - case 9 :*/ /* atomic */ - /* - if (OPT_COMMANDS) - ebt_print_error2("--atomic has to come before the command");*/ - /* A possible memory leak here, but this is not - * executed in daemon mode */ - /*replace->filename = (char *)malloc(strlen(optarg) + 1); - strcpy(replace->filename, optarg); - break; */ case 13 : break; case 1 : @@ -1156,7 +1091,7 @@ argvoptind); if (command != 'A' && command != 'I' && - command != 'D' && command != 'C') + command != 'D' && command != 'C' && command != 14) xtables_error(PARAMETER_PROBLEM, "Extensions only for -A, -I, -D and -C"); } 
@@ -1177,7 +1112,7 @@ /* Do the final checks */ if (command == 'A' || command == 'I' || - command == 'D' || command == 'C') { + command == 'D' || command == 'C' || command == 14) { for (xtrm_i = cs.matches; xtrm_i; xtrm_i = xtrm_i->next) xtables_option_mfcall(xtrm_i->match); @@ -1209,24 +1144,29 @@ } } else if (command == 'L') { ret = list_rules(h, chain, *table, rule_nr, - 0, + flags & OPT_VERBOSE, 0, /*flags&OPT_EXPANDED*/0, flags&LIST_N, flags&LIST_C); } if (flags & OPT_ZERO) { - ret = nft_cmd_chain_zero_counters(h, chain, *table, 0); + ret = nft_cmd_chain_zero_counters(h, chain, *table, + flags & OPT_VERBOSE); } else if (command == 'F') { - ret = nft_cmd_rule_flush(h, chain, *table, 0); + ret = nft_cmd_rule_flush(h, chain, *table, flags & OPT_VERBOSE); } else if (command == 'A') { - ret = append_entry(h, chain, *table, &cs, 0, 0, true); + ret = append_entry(h, chain, *table, &cs, 0, + flags & OPT_VERBOSE, true); } else if (command == 'I') { ret = append_entry(h, chain, *table, &cs, rule_nr - 1, - 0, false); + flags & OPT_VERBOSE, false); } else if (command == 'D') { ret = delete_entry(h, chain, *table, &cs, rule_nr - 1, - rule_nr_end, 0); + rule_nr_end, flags & OPT_VERBOSE); + } else if (command == 14) { + ret = nft_cmd_rule_check(h, chain, *table, + &cs, flags & OPT_VERBOSE); } /*else if (replace->command == 'C') { ebt_change_counters(replace, new_entry, rule_nr, rule_nr_end, &(new_entry->cnt_surplus), chcounter); if (ebt_errormsg0 != '\0')
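Review bot: The new check command is spelled as the bare literal `14` in the `case 14: /* check a rule */` label and again in the `command != 14` / `command == 14` comparisons of the three later hunks, which makes the option table and the command checks easy to desynchronise; a named constant defined next to the `{ "check", required_argument, 0, 14 }` entry (for example `#define EBT_CMD_CHECK 14`, name being a suggestion) and used in all five places would fix that, and the `"Extensions only for -A, -I, -D and -C"` message should then also mention the check command. Separately, the `--init-table` guard tests `restore` but the message says "daemon mode"; if those are the same condition here, a short comment saying so would help the next reader. The enclosing command-parsing function starts and ends outside the visible hunks.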
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-legacy-multi.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-legacy-multi.c
@@ -14,10 +14,6 @@ #include "ip6tables-multi.h" #endif -#ifdef ENABLE_NFTABLES -#include "xtables-multi.h" -#endif - static const struct subcommand multi_subcommands = { #ifdef ENABLE_IPV4 {"iptables", iptables_main},
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-monitor.8.in -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-monitor.8.in
@@ -51,9 +51,9 @@ and packet headers such as source and destination addresses are shown. The third line shows that the packet completed traversal of the raw table -PREROUTING chain, and is returning, followed by use the chain policy to make accept/drop +PREROUTING chain, and is returning, followed by use of the chain policy to make accept/drop decision (the example shows accept being applied). -The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in the filter tables +The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in the filter table's INPUT chain matched the packet. It then got DROPPED by the policy of the INPUT table, as shown by line six. The last line shows another packet arriving \-\- the packet id is different. @@ -81,7 +81,7 @@ chains automatically when needed, so this is expected when a table was not yet initialized or when it is re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP) being added, followed by addition a few rules. the last line shows that a new ruleset generation has -become active, i.e., the rule set changes are now active. This also lists the process id and the programs name. +become active, i.e., the rule set changes are now active. This also lists the process id and the program name. .SH LIMITATIONS .B xtables-monitor only works with rules added using iptables-nftables, rules added using
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-monitor.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-monitor.c
@@ -37,7 +37,6 @@ #include "iptables.h" /* for xtables_globals */ #include "xtables-multi.h" #include "nft.h" -#include "nft-arp.h" struct cb_arg { uint32_t nfproto; @@ -228,7 +227,7 @@ exit(EXIT_FAILURE); } - nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, 0, 0); + nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, 0, 0); nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family); nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); @@ -340,7 +339,7 @@ inet_ntop(AF_INET, &iph->daddr, addrbuf, sizeof(addrbuf)); printf("DST=%s ", addrbuf); - printf("LEN=%d TOS=0x%x TTL=%d ID=%d", ntohs(iph->tot_len), iph->tos, iph->ttl, ntohs(iph->id)); + printf("LEN=%d TOS=0x%x TTL=%d ID=%d ", ntohs(iph->tot_len), iph->tos, iph->ttl, ntohs(iph->id)); if (iph->frag_off & htons(0x8000)) printf("CE "); if (iph->frag_off & htons(IP_DF)) @@ -363,7 +362,7 @@ printf("OPT ("); for (i = 0; i < optsize; i++) printf("%02X", opi); - printf(")"); + printf(") "); } break; } @@ -625,12 +624,13 @@ xtables_globals.program_version); exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); init_extensions4(); -#endif + init_extensions6(); + init_extensionsa(); + init_extensionsb(); - if (nft_init(&h, AF_INET, xtables_ipv4)) { + if (nft_init(&h, AF_INET)) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version,
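Review bot: `nft_init(&h, AF_INET)` is tested with plain truthiness here while the same call in xtables-restore.c, xtables-save.c, xtables-standalone.c and xtables-translate.c is tested with `< 0`; for consistency write `if (nft_init(&h, AF_INET) < 0) {`. The `init_extensions6()`, `init_extensionsa()` and `init_extensionsb()` calls are now unconditional, so a short comment on why the monitor loads every family's extensions (presumably because it has to decode rules of any family) would help a reader who only sees the `AF_INET` handle below.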
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-multi.h -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-multi.h
@@ -22,6 +22,9 @@ extern int xtables_eb_save_main(int, char **); extern int xtables_config_main(int, char **); extern int xtables_monitor_main(int, char **); + +extern struct xtables_globals arptables_globals; +extern struct xtables_globals ebtables_globals; #endif #endif /* _XTABLES_MULTI_H */
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-restore.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-restore.c
@@ -115,14 +115,14 @@ DEBUGP("line %u, table '%s'\n", line, table); if (!table) xtables_error(PARAMETER_PROBLEM, - "%s: line %u table name invalid\n", - xt_params->program_name, line); + "%s: line %u table name invalid", + xt_params->program_name, line); state->curtable = nft_table_builtin_find(h, table); if (!state->curtable) xtables_error(PARAMETER_PROBLEM, - "%s: line %u table name '%s' invalid\n", - xt_params->program_name, line, table); + "%s: line %u table name '%s' invalid", + xt_params->program_name, line, table); if (p->tablename && (strcmp(p->tablename, table) != 0)) return; @@ -152,20 +152,18 @@ DEBUGP("line %u, chain '%s'\n", line, chain); if (!chain) xtables_error(PARAMETER_PROBLEM, - "%s: line %u chain name invalid\n", - xt_params->program_name, line); + "%s: line %u chain name invalid", + xt_params->program_name, line); - if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "Invalid chain name `%s' (%u chars max)", - chain, XT_EXTENSION_MAXNAMELEN - 1); + xtables_announce_chain(chain); + assert_valid_chain_name(chain); policy = strtok(NULL, " \t\n"); DEBUGP("line %u, policy '%s'\n", line, policy); if (!policy) xtables_error(PARAMETER_PROBLEM, - "%s: line %u policy invalid\n", - xt_params->program_name, line); + "%s: line %u policy invalid", + xt_params->program_name, line); if (nft_chain_builtin_find(state->curtable, chain)) { if (counters) { @@ -174,15 +172,15 @@ if (!ctrs || !parse_counters(ctrs, &count)) xtables_error(PARAMETER_PROBLEM, - "invalid policy counters for chain '%s'\n", - chain); + "invalid policy counters for chain '%s'", + chain); } if (cb->chain_set && cb->chain_set(h, state->curtable->name, chain, policy, &count) < 0) { xtables_error(OTHER_PROBLEM, - "Can't set policy `%s' on `%s' line %u: %s\n", + "Can't set policy `%s' on `%s' line %u: %s", policy, chain, line, strerror(errno)); } 
@@ -191,13 +189,13 @@ } else if (cb->chain_restore(h, chain, state->curtable->name) < 0 && errno != EEXIST) { xtables_error(PARAMETER_PROBLEM, - "cannot create chain '%s' (%s)\n", + "cannot create chain '%s' (%s)", chain, strerror(errno)); } else if (h->family == NFPROTO_BRIDGE && !ebt_cmd_user_chain_policy(h, state->curtable->name, chain, policy)) { xtables_error(OTHER_PROBLEM, - "Can't set policy `%s' on `%s' line %u: %s\n", + "Can't set policy `%s' on `%s' line %u: %s", policy, chain, line, strerror(errno)); } @@ -206,11 +204,15 @@ char *pcnt = NULL; char *bcnt = NULL; char *parsestart = buffer; + int i; add_argv(&state->av_store, xt_params->program_name, 0); add_argv(&state->av_store, "-t", 0); add_argv(&state->av_store, state->curtable->name, 0); + for (i = 0; !h->noflush && i < verbose; i++) + add_argv(&state->av_store, "-v", 0); + tokenize_rule_counters(&parsestart, &pcnt, &bcnt, line); if (counters && pcnt && bcnt) { add_argv(&state->av_store, "--set-counters", 0); @@ -247,8 +249,11 @@ (strcmp(p->tablename, state->curtable->name) != 0)) return; if (!ret) { - fprintf(stderr, "%s: line %u failed\n", - xt_params->program_name, line); + fprintf(stderr, "%s: line %u failed", + xt_params->program_name, h->error.lineno); + if (errno) + fprintf(stderr, ": %s.", nft_strerror(errno)); + fprintf(stderr, "\n"); exit(1); } } @@ -281,7 +286,6 @@ static int xtables_restore_main(int family, const char *progname, int argc, char *argv) { - const struct builtin_table *tables; struct nft_xt_restore_parse p = { .commit = true, .cb = &restore_cb, @@ -310,10 +314,10 @@ counters = 1; break; case 'v': - verbose = 1; + verbose++; break; case 'V': - printf("%s v%s (nf_tables)\n", prog_name, prog_vers); + printf("%s v%s\n", prog_name, prog_vers); exit(0); case 't': p.testing = 1; 
@@ -357,27 +361,26 @@ p.in = stdin; } + init_extensions(); switch (family) { case NFPROTO_IPV4: - case NFPROTO_IPV6: /* fallthough, same table */ - tables = xtables_ipv4; -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) - init_extensions(); init_extensions4(); -#endif + break; + case NFPROTO_IPV6: + init_extensions6(); break; case NFPROTO_ARP: - tables = xtables_arp; + init_extensionsa(); break; case NFPROTO_BRIDGE: - tables = xtables_bridge; + init_extensionsb(); break; default: fprintf(stderr, "Unknown family %d\n", family); return 1; } - if (nft_init(&h, family, tables) < 0) { + if (nft_init(&h, family) < 0) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version, @@ -417,6 +420,7 @@ static const struct option ebt_restore_options = { {.name = "noflush", .has_arg = 0, .val = 'n'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, { 0 } }; @@ -430,15 +434,18 @@ struct nft_handle h; int c; - while ((c = getopt_long(argc, argv, "n", + while ((c = getopt_long(argc, argv, "nv", ebt_restore_options, NULL)) != -1) { switch(c) { case 'n': noflush = 1; break; + case 'v': + verbose++; + break; default: fprintf(stderr, - "Usage: ebtables-restore --noflush \n"); + "Usage: ebtables-restore --verbose --noflush \n"); exit(1); break; } @@ -455,7 +462,7 @@ static const struct nft_xt_restore_cb arp_restore_cb = { .commit = nft_commit, .table_flush = nft_cmd_table_flush, - .do_command = do_commandarp, + .do_command = do_commandx, .chain_set = nft_cmd_chain_set, .chain_restore = nft_cmd_chain_restore, };
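Review bot: In the `if (!ret)` error path the new code reads `errno` only after the first `fprintf(stderr, ...)` has executed, and a failing write to stderr can overwrite it, so the `nft_strerror()` detail may describe the wrong error; capture it first with `int err = errno;` placed before the first `fprintf`, then test and print `err`. The switch from the local `line` to `h->error.lineno` in that message also deserves a comment if the intent is that the failing line can differ from the one currently being parsed. The enclosing function starts before this hunk.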
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-save.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-save.c
@@ -78,6 +78,9 @@ printf("# Table `%s' is incompatible, use 'nft' tool.\n", tablename); return 0; + } else if (nft_is_table_tainted(h, tablename)) { + printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n", + tablename); } now = time(NULL); @@ -87,6 +90,7 @@ printf("*%s\n", tablename); /* Dump out chain names first, * thereby preventing dependency conflicts */ + nft_cache_sort_chains(h, tablename); nft_chain_foreach(h, tablename, nft_chain_save, h); nft_rule_save(h, tablename, d->format); if (d->commit) @@ -127,7 +131,6 @@ xtables_save_main(int family, int argc, char *argv, const char *optstring, const struct option *longopts) { - const struct builtin_table *tables; const char *tablename = NULL; struct do_output_data d = { .format = FMT_NOCOUNTS, @@ -181,7 +184,7 @@ dump = true; break; case 'V': - printf("%s v%s (nf_tables)\n", prog_name, prog_vers); + printf("%s v%s\n", prog_name, prog_vers); exit(0); default: fprintf(stderr, @@ -196,18 +199,18 @@ exit(1); } + init_extensions(); switch (family) { case NFPROTO_IPV4: - case NFPROTO_IPV6: /* fallthough, same table */ -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) - init_extensions(); init_extensions4(); -#endif - tables = xtables_ipv4; + d.commit = true; + break; + case NFPROTO_IPV6: + init_extensions6(); d.commit = true; break; case NFPROTO_ARP: - tables = xtables_arp; + init_extensionsa(); break; case NFPROTO_BRIDGE: { const char *ctr = getenv("EBTABLES_SAVE_COUNTER"); @@ -218,7 +221,7 @@ d.format &= ~FMT_NOCOUNTS; d.format |= FMT_C_COUNTS | FMT_EBT_SAVE; } - tables = xtables_bridge; + init_extensionsb(); break; } default: @@ -226,7 +229,7 @@ return 1; } - if (nft_init(&h, family, tables) < 0) { + if (nft_init(&h, family) < 0) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version,
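Review bot: The new `nft_is_table_tainted` branch emits its warning as a `#` comment on stdout only, so an operator redirecting the dump to a file never sees that the saved ruleset is incomplete, and the comment does not say which base chains were omitted; consider also writing the notice to stderr and stating in the comment that restoring the file will not reproduce those chains. Whether the incompatible chains are in fact skipped by the following `nft_chain_foreach` is not visible here and should be confirmed. A one-line comment on `nft_cache_sort_chains(h, tablename)` explaining the ordering it establishes would also help, since the existing comment above it only mentions dumping chain names first.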
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-standalone.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-standalone.c
@@ -39,31 +39,53 @@ #include "xtables-multi.h" #include "nft.h" +static struct xtables_globals *xtables_globals_lookup(int family) +{ + switch (family) { + case AF_INET: + case AF_INET6: + return &xtables_globals; + case NFPROTO_ARP: + return &arptables_globals; + case NFPROTO_BRIDGE: + return &ebtables_globals; + default: + xtables_error(OTHER_PROBLEM, "Unknown family value %d", family); + } +} + static int xtables_main(int family, const char *progname, int argc, char *argv) { - int ret; char *table = "filter"; struct nft_handle h; + int ret; - xtables_globals.program_name = progname; - ret = xtables_init_all(&xtables_globals, family); + ret = xtables_init_all(xtables_globals_lookup(family), family); if (ret < 0) { - fprintf(stderr, "%s/%s Failed to initialize xtables\n", - xtables_globals.program_name, - xtables_globals.program_version); - exit(1); + fprintf(stderr, "%s: Failed to initialize xtables\n", progname); + exit(1); } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + xt_params->program_name = progname; init_extensions(); - init_extensions4(); -#endif + switch (family) { + case NFPROTO_IPV4: + init_extensions4(); + break; + case NFPROTO_IPV6: + init_extensions6(); + break; + case NFPROTO_ARP: + init_extensionsa(); + break; + case NFPROTO_BRIDGE: + init_extensionsb(); + break; + } - if (nft_init(&h, family, xtables_ipv4) < 0) { - fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", - xtables_globals.program_name, - xtables_globals.program_version, - strerror(errno)); + if (nft_init(&h, family) < 0) { + fprintf(stderr, "%s: Failed to initialize nft: %s\n", + xt_params->program_name, strerror(errno)); exit(EXIT_FAILURE); } @@ -95,3 +117,8 @@ { return xtables_main(NFPROTO_IPV6, "ip6tables", argc, argv); } + +int xtables_arp_main(int argc, char *argv) +{ + return xtables_main(NFPROTO_ARP, "arptables", argc, argv); +}
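Review bot: `xtables_globals_lookup` has no `return` after its `switch`; the `default:` arm relies on `xtables_error()` never returning, which this file does not show, so either add `/* xtables_error() does not return */` on that arm or an explicit `return NULL;` after the switch so the function stays well-formed for a compiler that does not see the noreturn attribute. The second `switch (family)` in `xtables_main` has no `default:` arm; a comment noting that unknown families were already rejected by `xtables_globals_lookup()` would make that deliberate. Note also that `xt_params->program_name = progname;` is now assigned only after `xtables_init_all()` succeeds, so any message printed from inside that call would presumably still carry the default program name.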
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-translate.8 -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-translate.8
@@ -28,9 +28,12 @@ iptables-translate \(em translation tool to migrate from iptables to nftables .P ip6tables-translate \(em translation tool to migrate from ip6tables to nftables +.P +ebtables-translate \(em translation tool to migrate from ebtables to nftables .SH DESCRIPTION There is a set of tools to help the system administrator translate a given -ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP. +ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP and \fBebtables(8)\fP to +\fBnftables(8)\fP. The available commands are: @@ -42,9 +45,12 @@ ip6tables-translate .IP \bu ip6tables-restore-translate +.IP \bu 2 +ebtables-translate .SH USAGE -They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and +They take as input the original +\fBiptables(8)\fP/\fBip6tables(8)\fP/\fBebtables(8)\fP syntax and output the native \fBnftables(8)\fP syntax. The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax @@ -117,8 +123,7 @@ reason (for example, they were considered obsolete, or we didn't have the time to work on them). -There are no translations available for \fBebtables(8)\fP and -\fBarptables(8)\fP. +There is no translation available for \fBarptables(8)\fP. To get up-to-date information about this, please head to \fBhttps://wiki.nftables.org/\fP.
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables-translate.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables-translate.c
@@ -41,7 +41,9 @@ for (i = 0, j = 0; i < ifaclen + 1; i++, j++) { switch (ifnamei) { case '*': - ifacej++ = '\\'; + /* asterisk is non-special mid-string */ + if (i == ifaclen - 1) + ifacej++ = '\\'; /* fall through */ default: ifacej = ifnamei; @@ -83,12 +85,10 @@ else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) xt_xlate_add(xl, " return"); else if (cs->target->xlate) { - xt_xlate_add(xl, " "); struct xt_xlate_tg_params params = { .ip = (const void *)&cs->fw, .target = cs->target->t, .numeric = numeric, - .escape_quotes = !cs->restore, }; ret = cs->target->xlate(xl, ¶ms); } @@ -115,17 +115,12 @@ .ip = (const void *)&cs->fw, .match = matchp->match->m, .numeric = numeric, - .escape_quotes = !cs->restore, }; if (!matchp->match->xlate) return 0; ret = matchp->match->xlate(xl, ¶ms); - - if (strcmp(matchp->match->name, "comment") != 0) - xt_xlate_add(xl, " "); - if (!ret) break; } 
@@ -150,34 +145,47 @@ }; static int nft_rule_xlate_add(struct nft_handle *h, - const struct nft_xt_cmd_parse *p, + const struct xt_cmd_parse *p, const struct iptables_command_state *cs, bool append) { struct xt_xlate *xl = xt_xlate_alloc(10240); + const char *tick = cs->restore ? "" : "'"; + const char *set; int ret; - if (append) { - xt_xlate_add(xl, "add rule %s %s %s ", - family2strh->family, p->table, p->chain); - } else { - xt_xlate_add(xl, "insert rule %s %s %s ", - family2strh->family, p->table, p->chain); + xl_xlate_set_family(xl, h->family); + ret = h->ops->xlate(cs, xl); + if (!ret) + goto err_out; + + set = xt_xlate_set_get(xl); + if (set0) { + printf("%sadd set %s %s %s%s\n", + tick, family2strh->family, p->table, + xt_xlate_set_get(xl), tick); + + if (!cs->restore && p->command != CMD_NONE) + printf("nft "); } - ret = h->ops->xlate(cs, xl); - if (ret) - printf("%s\n", xt_xlate_get(xl)); + printf("%s%s rule %s %s %s ", + tick, + append ? "add" : "insert", + family2strh->family, p->table, p->chain); + printf("%s%s\n", xt_xlate_rule_get(xl), tick); + +err_out: xt_xlate_free(xl); return ret; } -static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p, +static int xlate(struct nft_handle *h, struct xt_cmd_parse *p, struct iptables_command_state *cs, struct xtables_args *args, bool append, int (*cb)(struct nft_handle *h, - const struct nft_xt_cmd_parse *p, + const struct xt_cmd_parse *p, const struct iptables_command_state *cs, bool append)) { 
@@ -235,17 +243,26 @@ char **table, bool restore) { int ret = 0; - struct nft_xt_cmd_parse p = { + struct xt_cmd_parse p = { .table = *table, .restore = restore, + .line = line, .xlate = true, + .ops = &h->ops->cmd_parse, + }; + struct iptables_command_state cs = { + .jumpto = "", + .argv = argv, }; - struct iptables_command_state cs; + struct xtables_args args = { .family = h->family, }; - do_parse(h, argc, argv, &p, &cs, &args); + if (h->ops->init_cs) + h->ops->init_cs(&cs); + + do_parse(argc, argv, &p, &cs, &args); cs.restore = restore; @@ -319,7 +336,7 @@ exit(1); } - nft_clear_iptables_command_state(&cs); + h->ops->clear_cs(&cs); if (h->family == AF_INET) { free(args.s.addr.v4); @@ -341,9 +358,10 @@ { fprintf(stderr, "%s %s " "(c) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>\n" - "Usage: %s -h -f\n" + "Usage: %s -h -f <FILE> -V\n" " --help \n" - " --file=<FILE> \n", name, version, name); + " --file=<FILE> \n" + " --version \n", name, version, name); exit(1); } @@ -451,7 +469,6 @@ int family, const char *progname) { - const struct builtin_table *tables; int ret; xtables_globals.program_name = progname; @@ -463,27 +480,26 @@ xtables_globals.program_version); return 1; } + init_extensions(); switch (family) { case NFPROTO_IPV4: - case NFPROTO_IPV6: /* fallthrough: same table */ -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) - init_extensions(); - init_extensions4(); -#endif - tables = xtables_ipv4; + init_extensions4(); + break; + case NFPROTO_IPV6: + init_extensions6(); break; case NFPROTO_ARP: - tables = xtables_arp; + init_extensionsa(); break; case NFPROTO_BRIDGE: - tables = xtables_bridge; + init_extensionsb(); break; default: fprintf(stderr, "Unknown family %d\n", family); return 1; } - if (nft_init(h, family, tables) < 0) { + if (nft_init(h, family) < 0) { fprintf(stderr, "%s/%s Failed to initialize nft: %s\n", xtables_globals.program_name, xtables_globals.program_version,
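Review bot: `nft_rule_xlate_add` stores `set = xt_xlate_set_get(xl)` and then calls `xt_xlate_set_get(xl)` a second time as the `printf` argument; pass `set` instead. On a failed translation this function now jumps to `err_out` and prints nothing, whereas `nft_rule_eb_xlate_add` in xtables-eb-translate.c prints the opening `tick` on failure; if both callers expect the same fallback output the two should be aligned, otherwise a comment stating which side prints the untranslated rule would help. As in the bridge variant, `p->table` and `p->chain` are interpolated inside the `'...'` quoting with no escaping, so the assumption that they never contain a quote character is worth a comment.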
_service:tar_scm:iptables-1.8.7.tar.bz2/iptables/xtables.c -> _service:tar_scm:iptables-1.8.9.tar.xz/iptables/xtables.c
@@ -36,6 +36,7 @@ #include <stdarg.h> #include <limits.h> #include <unistd.h> +#include <netinet/ether.h> #include <iptables.h> #include <xtables.h> #include <fcntl.h> 
@@ -84,149 +85,13 @@ {NULL}, }; -void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3))); - struct xtables_globals xtables_globals = { .option_offset = 0, - .program_version = PACKAGE_VERSION, + .program_version = PACKAGE_VERSION " (nf_tables)", .orig_opts = original_opts, - .exit_err = xtables_exit_error, .compat_rev = nft_compatible_revision, }; -static const int inverse_for_optionsNUMBER_OF_OPT = -{ -/* -n */ 0, -/* -s */ IPT_INV_SRCIP, -/* -d */ IPT_INV_DSTIP, -/* -p */ XT_INV_PROTO, -/* -j */ 0, -/* -v */ 0, -/* -x */ 0, -/* -i */ IPT_INV_VIA_IN, -/* -o */ IPT_INV_VIA_OUT, -/*--line*/ 0, -/* -c */ 0, -/* -f */ IPT_INV_FRAG, -}; - -#define opts xt_params->opts -#define prog_name xt_params->program_name -#define prog_vers xt_params->program_version - -static void __attribute__((noreturn)) -exit_tryhelp(int status) -{ - if (line != -1) - fprintf(stderr, "Error occurred at line: %d\n", line); - fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", - prog_name, prog_name); - xtables_free_opts(1); - exit(status); -} - -static void -printhelp(const struct xtables_rule_match *matches) -{ - printf("%s v%s\n\n" -"Usage: %s -ACD chain rule-specification options\n" -" %s -I chain rulenum rule-specification options\n" -" %s -R chain rulenum rule-specification options\n" -" %s -D chain rulenum options\n" -" %s -LS chain rulenum options\n" -" %s -FZ chain options\n" -" %s -NX chain\n" -" %s -E old-chain-name new-chain-name\n" -" %s -P chain target options\n" -" %s -h (print this help information)\n\n", - prog_name, prog_vers, prog_name, prog_name, - prog_name, prog_name, prog_name, prog_name, - prog_name, prog_name, prog_name, prog_name); - - printf( -"Commands:\n" -"Either long or short options are allowed.\n" -" --append -A chain Append to chain\n" -" --check -C chain Check for the existence of a rule\n" -" --delete -D chain Delete matching rule from chain\n" -" --delete -D chain rulenum\n" 
-" Delete rule rulenum (1 = first) from chain\n" -" --insert -I chain rulenum\n" -" Insert in chain as rulenum (default 1=first)\n" -" --replace -R chain rulenum\n" -" Replace rule rulenum (1 = first) in chain\n" -" --list -L chain rulenum\n" -" List the rules in a chain or all chains\n" -" --list-rules -S chain rulenum\n" -" Print the rules in a chain or all chains\n" -" --flush -F chain Delete all rules in chain or all chains\n" -" --zero -Z chain rulenum\n" -" Zero counters in chain or all chains\n" -" --new -N chain Create a new user-defined chain\n" -" --delete-chain\n" -" -X chain Delete a user-defined chain\n" -" --policy -P chain target\n" -" Change policy on chain to target\n" -" --rename-chain\n" -" -E old-chain new-chain\n" -" Change chain name, (moving any references)\n" - -"Options:\n" -" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n" -" --ipv6 -6 Error (line is ignored by iptables-restore)\n" -"! --proto -p proto protocol: by number or name, eg. `tcp'\n" -"! --source -s address/mask...\n" -" source specification\n" -"! --destination -d address/mask...\n" -" destination specification\n" -"! --in-interface -i input name+\n" -" network interface name (+ for wildcard)\n" -" --jump -j target\n" -" target for rule (may load target extension)\n" -#ifdef IPT_F_GOTO -" --goto -g chain\n" -" jump to chain with no return\n" -#endif -" --match -m match\n" -" extended match (may load extension)\n" -" --numeric -n numeric output of addresses and ports\n" -"! --out-interface -o output name+\n" -" network interface name (+ for wildcard)\n" -" --table -t table table to manipulate (default: `filter')\n" -" --verbose -v verbose mode\n" -" --wait -w seconds maximum wait to acquire xtables lock before give up\n" -" --wait-interval -W usecs wait time to try to acquire xtables lock\n" -" default is 1 second\n" -" --line-numbers print line numbers when listing\n" -" --exact -x expand numbers (display exact values)\n" -"! 
--fragment -f match second or further fragments only\n" -" --modprobe=<command> try to insert modules using this command\n" -" --set-counters PKTS BYTES set the counter during insert/append\n" -"! --version -V print package version.\n"); - - print_extension_helps(xtables_targets, matches); -} - -void -xtables_exit_error(enum xtables_exittype status, const char *msg, ...) -{ - va_list args; - - va_start(args, msg); - fprintf(stderr, "%s v%s (nf_tables): ", prog_name, prog_vers); - vfprintf(stderr, msg, args); - va_end(args); - fprintf(stderr, "\n"); - if (status == PARAMETER_PROBLEM) - exit_tryhelp(status); - if (status == VERSION_PROBLEM) - fprintf(stderr, - "Perhaps iptables or your kernel needs to be upgraded.\n"); - /* On error paths, make sure that we don't leak memory */ - xtables_free_opts(1); - exit(status); -} - /* * All functions starting with "parse" should succeed, otherwise * the program fails. 
@@ -238,189 +103,6 @@ /* Christophe Burki wants `-p 6' to imply `-m tcp'. */ -static void -set_option(unsigned int *options, unsigned int option, uint8_t *invflg, - int invert) -{ - if (*options & option) - xtables_error(PARAMETER_PROBLEM, "multiple -%c flags not allowed", - opt2char(option)); - *options |= option; - - if (invert) { - unsigned int i; - for (i = 0; 1 << i != option; i++); - - if (!inverse_for_optionsi) - xtables_error(PARAMETER_PROBLEM, - "cannot have ! before -%c", - opt2char(option)); - *invflg |= inverse_for_optionsi; - } -} - -static int -add_entry(const char *chain, - const char *table, - struct iptables_command_state *cs, - int rulenum, int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, struct nft_handle *h, bool append) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < s.naddrs; i++) { - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4i.s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4i.s_addr; - for (j = 0; j < d.naddrs; j++) { - cs->fw.ip.dst.s_addr = d.addr.v4j.s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4j.s_addr; - - if (append) { - ret = nft_cmd_rule_append(h, chain, table, - cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, - cs, rulenum, - verbose); - } - } - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, - &s.addr.v6i, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, - &s.mask.v6i, sizeof(struct in6_addr)); - for (j = 0; j < d.naddrs; j++) { - memcpy(&cs->fw6.ipv6.dst, - &d.addr.v6j, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, - &d.mask.v6j, sizeof(struct in6_addr)); - if (append) { - ret = nft_cmd_rule_append(h, chain, table, - cs, NULL, - verbose); - } else { - ret = nft_cmd_rule_insert(h, chain, table, - cs, rulenum, - verbose); - } - } - } - } - - return ret; -} - -static int -replace_entry(const char *chain, const char *table, - struct iptables_command_state *cs, - unsigned int rulenum, - int family, - const struct addr_mask 
s, - const struct addr_mask d, - bool verbose, struct nft_handle *h) -{ - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4->s_addr; - cs->fw.ip.dst.s_addr = d.addr.v4->s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4->s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4->s_addr; - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, s.addr.v6, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dst, d.addr.v6, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, s.mask.v6, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, d.mask.v6, sizeof(struct in6_addr)); - } else - return 1; - - return nft_cmd_rule_replace(h, chain, table, cs, rulenum, verbose); -} - -static int -delete_entry(const char *chain, const char *table, - struct iptables_command_state *cs, - int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, - struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < s.naddrs; i++) { - if (family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4i.s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4i.s_addr; - for (j = 0; j < d.naddrs; j++) { - cs->fw.ip.dst.s_addr = d.addr.v4j.s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4j.s_addr; - ret = nft_cmd_rule_delete(h, chain, - table, cs, verbose); - } - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, - &s.addr.v6i, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, - &s.mask.v6i, sizeof(struct in6_addr)); - for (j = 0; j < d.naddrs; j++) { - memcpy(&cs->fw6.ipv6.dst, - &d.addr.v6j, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, - &d.mask.v6j, sizeof(struct in6_addr)); - ret = nft_cmd_rule_delete(h, chain, - table, cs, verbose); - } - } - } - - return ret; -} - -static int -check_entry(const char *chain, const char *table, - struct iptables_command_state *cs, - int family, - const struct addr_mask s, - const struct addr_mask d, - bool verbose, struct nft_handle *h) -{ - unsigned int i, j; - int ret = 1; - - for (i = 0; i < s.naddrs; i++) { - if 
(family == AF_INET) { - cs->fw.ip.src.s_addr = s.addr.v4i.s_addr; - cs->fw.ip.smsk.s_addr = s.mask.v4i.s_addr; - for (j = 0; j < d.naddrs; j++) { - cs->fw.ip.dst.s_addr = d.addr.v4j.s_addr; - cs->fw.ip.dmsk.s_addr = d.mask.v4j.s_addr; - ret = nft_cmd_rule_check(h, chain, - table, cs, verbose); - } - } else if (family == AF_INET6) { - memcpy(&cs->fw6.ipv6.src, - &s.addr.v6i, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.smsk, - &s.mask.v6i, sizeof(struct in6_addr)); - for (j = 0; j < d.naddrs; j++) { - memcpy(&cs->fw6.ipv6.dst, - &d.addr.v6j, sizeof(struct in6_addr)); - memcpy(&cs->fw6.ipv6.dmsk, - &d.mask.v6j, sizeof(struct in6_addr)); - ret = nft_cmd_rule_check(h, chain, - table, cs, verbose); - } - } - } - - return ret; -} - static int list_entries(struct nft_handle *h, const char *chain, const char *table, int rulenum, int verbose, int numeric, int expanded, 
@@ -456,540 +138,61 @@ return nft_cmd_rule_list_save(h, chain, table, rulenum, counters); } -void do_parse(struct nft_handle *h, int argc, char *argv, - struct nft_xt_cmd_parse *p, struct iptables_command_state *cs, - struct xtables_args *args) -{ - struct xtables_match *m; - struct xtables_rule_match *matchp; - bool wait_interval_set = false; - struct timeval wait_interval; - struct xtables_target *t; - bool table_set = false; - int wait = 0; - - memset(cs, 0, sizeof(*cs)); - cs->jumpto = ""; - cs->argv = argv; - - /* re-set optind to 0 in case do_command4 gets called - * a second time */ - optind = 0; - - /* clear mflags in case do_command4 gets called a second time - * (we clear the global list of all matches for security)*/ - for (m = xtables_matches; m; m = m->next) - m->mflags = 0; - - for (t = xtables_targets; t; t = t->next) { - t->tflags = 0; - t->used = 0; - } - - /* Suppress error messages: we may add new options if we - demand-load a protocol. */ - opterr = 0; - - opts = xt_params->orig_opts; - while ((cs->c = getopt_long(argc, argv, - "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46", - opts, NULL)) != -1) { - switch (cs->c) { - /* - * Command selection - */ - case 'A': - add_command(&p->command, CMD_APPEND, CMD_NONE, - cs->invert); - p->chain = optarg; - break; - - case 'C': - add_command(&p->command, CMD_CHECK, CMD_NONE, - cs->invert); - p->chain = optarg; - break; - - case 'D': - add_command(&p->command, CMD_DELETE, CMD_NONE, - cs->invert); - p->chain = optarg; - if (xs_has_arg(argc, argv)) { - p->rulenum = parse_rulenumber(argvoptind++); - p->command = CMD_DELETE_NUM; - } - break; - - case 'R': - add_command(&p->command, CMD_REPLACE, CMD_NONE, - cs->invert); - p->chain = optarg; - if (xs_has_arg(argc, argv)) - p->rulenum = parse_rulenumber(argvoptind++); - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a rule number", - cmd2char(CMD_REPLACE)); - break; - - case 'I': - add_command(&p->command, CMD_INSERT, CMD_NONE, 
- cs->invert); - p->chain = optarg; - if (xs_has_arg(argc, argv)) - p->rulenum = parse_rulenumber(argvoptind++); - else - p->rulenum = 1; - break; - - case 'L': - add_command(&p->command, CMD_LIST, - CMD_ZERO | CMD_ZERO_NUM, cs->invert); - if (optarg) - p->chain = optarg; - else if (xs_has_arg(argc, argv)) - p->chain = argvoptind++; - if (xs_has_arg(argc, argv)) - p->rulenum = parse_rulenumber(argvoptind++); - break; - - case 'S': - add_command(&p->command, CMD_LIST_RULES, - CMD_ZERO|CMD_ZERO_NUM, cs->invert); - if (optarg) - p->chain = optarg; - else if (xs_has_arg(argc, argv)) - p->chain = argvoptind++; - if (xs_has_arg(argc, argv)) - p->rulenum = parse_rulenumber(argvoptind++); - break; - - case 'F': - add_command(&p->command, CMD_FLUSH, CMD_NONE, - cs->invert); - if (optarg) - p->chain = optarg; - else if (xs_has_arg(argc, argv)) - p->chain = argvoptind++; - break; - - case 'Z': - add_command(&p->command, CMD_ZERO, - CMD_LIST|CMD_LIST_RULES, cs->invert); - if (optarg) - p->chain = optarg; - else if (xs_has_arg(argc, argv)) - p->chain = argvoptind++; - if (xs_has_arg(argc, argv)) { - p->rulenum = parse_rulenumber(argvoptind++); - p->command = CMD_ZERO_NUM; - } - break; - - case 'N': - if (optarg && (*optarg == '-' || *optarg == '!')) - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *optarg); - if (xtables_find_target(optarg, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); - add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, - cs->invert); - p->chain = optarg; - break; - - case 'X': - add_command(&p->command, CMD_DELETE_CHAIN, CMD_NONE, - cs->invert); - if (optarg) - p->chain = optarg; - else if (xs_has_arg(argc, argv)) - p->chain = argvoptind++; - break; - - case 'E': - add_command(&p->command, CMD_RENAME_CHAIN, CMD_NONE, - cs->invert); - p->chain = optarg; - if (xs_has_arg(argc, argv)) - p->newname = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c 
requires old-chain-name and " - "new-chain-name", - cmd2char(CMD_RENAME_CHAIN)); - break; - - case 'P': - add_command(&p->command, CMD_SET_POLICY, CMD_NONE, - cs->invert); - p->chain = optarg; - if (xs_has_arg(argc, argv)) - p->policy = argvoptind++; - else - xtables_error(PARAMETER_PROBLEM, - "-%c requires a chain and a policy", - cmd2char(CMD_SET_POLICY)); - break; - - case 'h': - if (!optarg) - optarg = argvoptind; - - /* iptables -p icmp -h */ - if (!cs->matches && cs->protocol) - xtables_find_match(cs->protocol, - XTF_TRY_LOAD, &cs->matches); - - printhelp(cs->matches); - p->command = CMD_NONE; - return; - - /* - * Option selection - */ - case 'p': - set_option(&cs->options, OPT_PROTOCOL, - &args->invflags, cs->invert); - - /* Canonicalize into lower case */ - for (cs->protocol = optarg; *cs->protocol; cs->protocol++) - *cs->protocol = tolower(*cs->protocol); - - cs->protocol = optarg; - args->proto = xtables_parse_protocol(cs->protocol); - - if (args->proto == 0 && - (args->invflags & XT_INV_PROTO)) - xtables_error(PARAMETER_PROBLEM, - "rule would never match protocol"); - - /* This needs to happen here to parse extensions */ - h->ops->proto_parse(cs, args); - break; - - case 's': - set_option(&cs->options, OPT_SOURCE, - &args->invflags, cs->invert); - args->shostnetworkmask = optarg; - break; - - case 'd': - set_option(&cs->options, OPT_DESTINATION, - &args->invflags, cs->invert); - args->dhostnetworkmask = optarg; - break; - -#ifdef IPT_F_GOTO - case 'g': - set_option(&cs->options, OPT_JUMP, &args->invflags, - cs->invert); - args->goto_set = true; - cs->jumpto = xt_parse_target(optarg); - break; -#endif - - case 'j': - set_option(&cs->options, OPT_JUMP, &cs->fw.ip.invflags, - cs->invert); - command_jump(cs, optarg); - break; - - - case 'i': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); - set_option(&cs->options, OPT_VIANAMEIN, - &args->invflags, cs->invert); - xtables_parse_interface(optarg, - 
args->iniface, - args->iniface_mask); - break; - - case 'o': - if (*optarg == '\0') - xtables_error(PARAMETER_PROBLEM, - "Empty interface is likely to be " - "undesired"); - set_option(&cs->options, OPT_VIANAMEOUT, - &args->invflags, cs->invert); - xtables_parse_interface(optarg, - args->outiface, - args->outiface_mask); - break; - - case 'f': - if (args->family == AF_INET6) { - xtables_error(PARAMETER_PROBLEM, - "`-f' is not supported in IPv6, " - "use -m frag instead"); - } - set_option(&cs->options, OPT_FRAGMENT, &args->invflags, - cs->invert); - args->flags |= IPT_F_FRAG; - break; - - case 'v': - if (!p->verbose) - set_option(&cs->options, OPT_VERBOSE, - &args->invflags, cs->invert); - p->verbose++; - break; - - case 'm': - command_match(cs); - break; - - case 'n': - set_option(&cs->options, OPT_NUMERIC, &args->invflags, - cs->invert); - break; - - case 't': - if (cs->invert) - xtables_error(PARAMETER_PROBLEM, - "unexpected ! flag before --table"); - if (p->restore && table_set) - xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); - if (!nft_table_builtin_find(h, optarg)) - xtables_error(VERSION_PROBLEM, - "table '%s' does not exist", - optarg); - p->table = optarg; - table_set = true; - break; - - case 'x': - set_option(&cs->options, OPT_EXPANDED, &args->invflags, - cs->invert); - break; - - case 'V': - if (cs->invert) - printf("Not %s ;-)\n", prog_vers); - else - printf("%s v%s (nf_tables)\n", - prog_name, prog_vers); - exit(0); - - case 'w': - if (p->restore) { - xtables_error(PARAMETER_PROBLEM, - "You cannot use `-w' from " - "iptables-restore"); - } - - wait = parse_wait_time(argc, argv); - break; - - case 'W': - if (p->restore) { - xtables_error(PARAMETER_PROBLEM, - "You cannot use `-W' from " - "iptables-restore"); - } - - parse_wait_interval(argc, argv, &wait_interval); - wait_interval_set = true; - break; - - case '0': - set_option(&cs->options, OPT_LINENUMBERS, - 
&args->invflags, cs->invert); - break; - - case 'M': - xtables_modprobe_program = optarg; - break; - - case 'c': - set_option(&cs->options, OPT_COUNTERS, &args->invflags, - cs->invert); - args->pcnt = optarg; - args->bcnt = strchr(args->pcnt + 1, ','); - if (args->bcnt) - args->bcnt++; - if (!args->bcnt && xs_has_arg(argc, argv)) - args->bcnt = argvoptind++; - if (!args->bcnt) - xtables_error(PARAMETER_PROBLEM, - "-%c requires packet and byte counter", - opt2char(OPT_COUNTERS)); - - if (sscanf(args->pcnt, "%llu", &args->pcnt_cnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c packet counter not numeric", - opt2char(OPT_COUNTERS)); - - if (sscanf(args->bcnt, "%llu", &args->bcnt_cnt) != 1) - xtables_error(PARAMETER_PROBLEM, - "-%c byte counter not numeric", - opt2char(OPT_COUNTERS)); - break; - - case '4': - if (args->family == AF_INET) - break; - - if (p->restore && args->family == AF_INET6) - return; - - exit_tryhelp(2); - - case '6': - if (args->family == AF_INET6) - break; - - if (p->restore && args->family == AF_INET) - return; - - exit_tryhelp(2); - - case 1: /* non option */ - if (optarg0 == '!' && optarg1 == '\0') { - if (cs->invert) - xtables_error(PARAMETER_PROBLEM, - "multiple consecutive ! not" - " allowed"); - cs->invert = true; - optarg0 = '\0'; - continue; - } - fprintf(stderr, "Bad argument `%s'\n", optarg); - exit_tryhelp(2); - - default: - if (command_default(cs, &xtables_globals) == 1) - /* cf. 
ip6tables.c */ - continue; - break; - } - cs->invert = false; - } - - if (strcmp(p->table, "nat") == 0 && - ((p->policy != NULL && strcmp(p->policy, "DROP") == 0) || - (cs->jumpto != NULL && strcmp(cs->jumpto, "DROP") == 0))) - xtables_error(PARAMETER_PROBLEM, - "\nThe \"nat\" table is not intended for filtering, " - "the use of DROP is therefore inhibited.\n\n"); - - if (!wait && wait_interval_set) - xtables_error(PARAMETER_PROBLEM, - "--wait-interval only makes sense with --wait\n"); - - for (matchp = cs->matches; matchp; matchp = matchp->next) - xtables_option_mfcall(matchp->match); - if (cs->target != NULL) - xtables_option_tfcall(cs->target); - - /* Fix me: must put inverse options checking here --MN */ - - if (optind < argc) - xtables_error(PARAMETER_PROBLEM, - "unknown arguments found on commandline"); - if (!p->command) - xtables_error(PARAMETER_PROBLEM, "no command specified"); - if (cs->invert) - xtables_error(PARAMETER_PROBLEM, - "nothing appropriate following !"); - - /* Set only if required, needed by xtables-restore */ - if (h->family == AF_UNSPEC) - h->family = args->family; - - h->ops->post_parse(p->command, cs, args); - - if (p->command == CMD_REPLACE && - (args->s.naddrs != 1 || args->d.naddrs != 1)) - xtables_error(PARAMETER_PROBLEM, "Replacement rule does not " - "specify a unique address"); - - generic_opt_check(p->command, cs->options); - - if (p->chain != NULL && strlen(p->chain) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %u chars)", - p->chain, XT_EXTENSION_MAXNAMELEN); - - if (p->command == CMD_APPEND || - p->command == CMD_DELETE || - p->command == CMD_DELETE_NUM || - p->command == CMD_CHECK || - p->command == CMD_INSERT || - p->command == CMD_REPLACE) { - if (strcmp(p->chain, "PREROUTING") == 0 - || strcmp(p->chain, "INPUT") == 0) { - /* -o not valid with incoming packets. 
*/ - if (cs->options & OPT_VIANAMEOUT) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEOUT), - p->chain); - } - - if (strcmp(p->chain, "POSTROUTING") == 0 - || strcmp(p->chain, "OUTPUT") == 0) { - /* -i not valid with outgoing packets */ - if (cs->options & OPT_VIANAMEIN) - xtables_error(PARAMETER_PROBLEM, - "Can't use -%c with %s\n", - opt2char(OPT_VIANAMEIN), - p->chain); - } - } -} - int do_commandx(struct nft_handle *h, int argc, char *argv, char **table, bool restore) { int ret = 1; - struct nft_xt_cmd_parse p = { + struct xt_cmd_parse p = { .table = *table, .restore = restore, + .line = line, + .ops = &h->ops->cmd_parse, + }; + struct iptables_command_state cs = { + .jumpto = "", + .argv = argv, }; - struct iptables_command_state cs; struct xtables_args args = { .family = h->family, }; - do_parse(h, argc, argv, &p, &cs, &args); + if (h->ops->init_cs) + h->ops->init_cs(&cs); + + do_parse(argc, argv, &p, &cs, &args); + h->verbose = p.verbose; + if (!nft_table_builtin_find(h, p.table)) + xtables_error(VERSION_PROBLEM, + "table '%s' does not exist", + p.table); switch (p.command) { case CMD_APPEND: - ret = add_entry(p.chain, p.table, &cs, 0, h->family, - args.s, args.d, - cs.options & OPT_VERBOSE, h, true); + ret = h->ops->add_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE, true, + p.rulenum - 1); break; case CMD_DELETE: - ret = delete_entry(p.chain, p.table, &cs, h->family, - args.s, args.d, - cs.options & OPT_VERBOSE, h); + ret = h->ops->delete_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE); break; case CMD_DELETE_NUM: ret = nft_cmd_rule_delete_num(h, p.chain, p.table, p.rulenum - 1, p.verbose); break; case CMD_CHECK: - ret = check_entry(p.chain, p.table, &cs, h->family, - args.s, args.d, - cs.options & OPT_VERBOSE, h); + ret = h->ops->check_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE); break; case CMD_REPLACE: - ret = replace_entry(p.chain, p.table, &cs, 
p.rulenum - 1, - h->family, args.s, args.d, - cs.options & OPT_VERBOSE, h); + ret = h->ops->replace_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE, + p.rulenum - 1); break; case CMD_INSERT: - ret = add_entry(p.chain, p.table, &cs, p.rulenum - 1, - h->family, args.s, args.d, - cs.options&OPT_VERBOSE, h, false); + ret = h->ops->add_entry(h, p.chain, p.table, &cs, &args, + cs.options & OPT_VERBOSE, false, + p.rulenum - 1); break; case CMD_FLUSH: ret = nft_cmd_rule_flush(h, p.chain, p.table, @@ -1040,8 +243,8 @@ ret = nft_cmd_chain_user_add(h, p.chain, p.table); break; case CMD_DELETE_CHAIN: - ret = nft_cmd_chain_user_del(h, p.chain, p.table, - cs.options & OPT_VERBOSE); + ret = nft_cmd_chain_del(h, p.chain, p.table, + cs.options & OPT_VERBOSE); break; case CMD_RENAME_CHAIN: ret = nft_cmd_chain_user_rename(h, p.chain, p.table, p.newname); @@ -1054,24 +257,17 @@ break; default: /* We should never reach this... */ - exit_tryhelp(2); + exit_tryhelp(2, line); } *table = p.table; - nft_clear_iptables_command_state(&cs); + h->ops->clear_cs(&cs); - if (h->family == AF_INET) { - free(args.s.addr.v4); - free(args.s.mask.v4); - free(args.d.addr.v4); - free(args.d.mask.v4); - } else if (h->family == AF_INET6) { - free(args.s.addr.v6); - free(args.s.mask.v6); - free(args.d.addr.v6); - free(args.d.mask.v6); - } + free(args.s.addr.ptr); + free(args.s.mask.ptr); + free(args.d.addr.ptr); + free(args.d.mask.ptr); xtables_free_opts(1); return ret;
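Review bot: In do_commandx the table-existence check `if (!nft_table_builtin_find(h, p.table))` now runs only after do_parse has returned, whereas the removed `-t` handler rejected an unknown table as soon as the option was seen; a mistyped `-t` is therefore reported only after every match and target extension on the line has been loaded and validated, so an extension's own parameter error can now pre-empt the table error. The CMD_APPEND arm also forwards `p.rulenum - 1` where the old call passed a literal 0; if p.rulenum stays at zero for -A this is -1, so the ops->add_entry implementations (outside this hunk) presumably ignore rulenum when append is true — worth a comment at the call site once confirmed, e.g. `/* rulenum is unused by add_entry when append is true */`. The enclosing do_commandx continues past this hunk.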
_service:tar_scm:iptables-1.8.7.tar.bz2/libipq/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/libipq/Makefile.am
Changed
@@ -2,10 +2,11 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include +AM_LDFLAGS = ${regular_LDFLAGS} libipq_la_SOURCES = libipq.c lib_LTLIBRARIES = libipq.la -man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ +dist_man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \ ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \ libipq.3
_service:tar_scm:iptables-1.8.7.tar.bz2/libipq/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/libipq/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -184,7 +184,7 @@ esac man3dir = $(mandir)/man3 NROFF = nroff -MANS = $(man_MANS) +MANS = $(dist_man_MANS) DATA = $(pkgconfig_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, @@ -205,8 +205,8 @@ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libipq.pc.in \ - $(top_srcdir)/build-aux/depcomp +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(srcdir)/libipq.pc.in $(top_srcdir)/build-aux/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) pkgdatadir = @pkgdatadir@ ACLOCAL = @ACLOCAL@ @@ -344,6 +344,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -356,9 +357,10 @@ xtlibdir = @xtlibdir@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include +AM_LDFLAGS = ${regular_LDFLAGS} libipq_la_SOURCES = libipq.c lib_LTLIBRARIES = libipq.la -man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ +dist_man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \ ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \ libipq.3 
@@ -478,10 +480,10 @@ clean-libtool: -rm -rf .libs _libs -install-man3: $(man_MANS) +install-man3: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man3dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ @@ -516,7 +518,7 @@ @$(NORMAL_UNINSTALL) @list=''; test -n "$(man3dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.3a-z*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^^30-9a-z*$$,3,;x' \ -e 's,\.0-9a-z*$$,,;$(transform);G;s,\n,.,'`; \
_service:tar_scm:iptables-1.8.7.tar.bz2/libipq/ipq_create_handle.3 -> _service:tar_scm:iptables-1.8.9.tar.xz/libipq/ipq_create_handle.3
Changed
@@ -24,7 +24,7 @@ .br .B #include <libipq.h> .sp -.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");" +.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");" .br .BI "int ipq_destroy_handle(struct ipq_handle *" h ); .SH DESCRIPTION
_service:tar_scm:iptables-1.8.7.tar.bz2/libipq/ipq_set_mode.3 -> _service:tar_scm:iptables-1.8.9.tar.xz/libipq/ipq_set_mode.3
Changed
@@ -24,7 +24,7 @@ .br .B #include <libipq.h> .sp -.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range ); +.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range ); .SH DESCRIPTION The .B ipq_set_mode
_service:tar_scm:iptables-1.8.7.tar.bz2/libiptc/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/libiptc/Makefile.am
Changed
@@ -2,6 +2,7 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} pkgconfig_DATA = libiptc.pc libip4tc.pc libip6tc.pc @@ -10,3 +11,5 @@ libip4tc_la_LDFLAGS = -version-info 2:0:0 libip6tc_la_SOURCES = libip6tc.c libip6tc_la_LDFLAGS = -version-info 2:0:0 + +EXTRA_DIST = libiptc.c linux_list.h
_service:tar_scm:iptables-1.8.7.tar.bz2/libiptc/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/libiptc/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -351,6 +351,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -363,12 +364,14 @@ xtlibdir = @xtlibdir@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} pkgconfig_DATA = libiptc.pc libip4tc.pc libip6tc.pc lib_LTLIBRARIES = libip4tc.la libip6tc.la libip4tc_la_SOURCES = libip4tc.c libip4tc_la_LDFLAGS = -version-info 2:0:0 libip6tc_la_SOURCES = libip6tc.c libip6tc_la_LDFLAGS = -version-info 2:0:0 +EXTRA_DIST = libiptc.c linux_list.h all: all-am .SUFFIXES:
_service:tar_scm:iptables-1.8.7.tar.bz2/libiptc/libiptc.c -> _service:tar_scm:iptables-1.8.9.tar.xz/libiptc/libiptc.c
Changed
@@ -606,6 +606,15 @@ if (index_ptr == &c->list) { /* Chain used as index ptr */ + /* If this is the last chain in the list, its index bucket just + * became empty. Adjust the size to avoid a NULL-pointer deref + * later. + */ + if (next == &h->chains) { + h->chain_index_sz--; + return 0; + } + /* See if its possible to avoid a rebuild, by shifting * to next pointer. Its possible if the next pointer * is located in the same index bucket. @@ -2545,8 +2554,8 @@ + sizeof(STRUCT_COUNTERS) * new_number; /* These are the old counters we will get from kernel */ - repl->counters = malloc(sizeof(STRUCT_COUNTERS) - * handle->info.num_entries); + repl->counters = calloc(handle->info.num_entries, + sizeof(STRUCT_COUNTERS)); if (!repl->counters) { errno = ENOMEM; goto out_free_repl;
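Review bot: The switch from `malloc(sizeof(STRUCT_COUNTERS) * handle->info.num_entries)` to `calloc(handle->info.num_entries, sizeof(STRUCT_COUNTERS))` in the second hunk carries no comment explaining why; the existing comment says this buffer receives the old counters from the kernel, so zero-filling it avoids handing uninitialized heap across the syscall boundary, and calloc additionally rejects a size product that would overflow, which is the rationale a later maintainer will want recorded. Suggest `/* calloc: zero-filled and overflow-checked; the kernel writes into this */` above the call. In the first hunk the early `return 0` after `h->chain_index_sz--` bypasses the rebuild logic that follows; the enclosing function starts outside the hunk, so I cannot confirm from here that no caller relies on the index being rebuilt in that case.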
_service:tar_scm:iptables-1.8.7.tar.bz2/libxtables/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/libxtables/Makefile.am
Changed
@@ -1,7 +1,8 @@ # -*- Makefile -*- AM_CFLAGS = ${regular_CFLAGS} -AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS} +AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} lib_LTLIBRARIES = libxtables.la libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c
_service:tar_scm:iptables-1.8.7.tar.bz2/libxtables/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/libxtables/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -351,6 +351,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -362,7 +363,8 @@ top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ AM_CFLAGS = ${regular_CFLAGS} -AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables ${kinclude_CPPFLAGS} +AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir}/iptables -I${top_srcdir} ${kinclude_CPPFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} lib_LTLIBRARIES = libxtables.la libxtables_la_SOURCES = xtables.c xtoptions.c getethertype.c libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
_service:tar_scm:iptables-1.8.7.tar.bz2/libxtables/xtables.c -> _service:tar_scm:iptables-1.8.9.tar.xz/libxtables/xtables.c
@@ -28,6 +28,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <netinet/ether.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/statfs.h> @@ -48,6 +49,7 @@ #include <linux/netfilter_ipv4/ip_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> #include <libiptc/libxtc.h> +#include <libiptc/linux_list.h> #ifndef NO_SHARED_LIBS #include <dlfcn.h> @@ -62,7 +64,6 @@ #endif #include <getopt.h> #include "iptables/internal.h" -#include "xshared.h" #define NPROTO 255 @@ -70,6 +71,10 @@ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" #endif +#ifndef ETH_ALEN +#define ETH_ALEN 6 +#endif + /* we need this for ip6?tables-restore. ip6?tables-restore.c sets line to the * current line of the input file, in order to give a more precise error * message. ip6?tables itself doesn't need this, so it is initialized to the @@ -89,6 +94,18 @@ vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, "\n"); + if (status == PARAMETER_PROBLEM) { + if (line != -1) + fprintf(stderr, "Error occurred at line: %d\n", line); + fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n", + xt_params->program_name, xt_params->program_name); + } else if (status == VERSION_PROBLEM) { + fprintf(stderr, + "Perhaps %s or your kernel needs to be upgraded.\n", + xt_params->program_name); + } + /* On error paths, make sure that we don't leak memory */ + xtables_free_opts(1); exit(status); } 
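Review bot: The new hint block in `xtables_error()` dereferences `xt_params->program_name` unconditionally for `PARAMETER_PROBLEM` and `VERSION_PROBLEM`; if this function can be reached before `xt_params` has been set (for example from an extension's early initialisation), the error path itself becomes a NULL-pointer crash that hides the original message. A one-line guard keeps the message in that case: `const char *prog = xt_params ? xt_params->program_name : "xtables";` and use `prog` in the three `fprintf()` calls. Whether such an early call is possible cannot be told from the hunk, and the function body begins outside it. Note also that `xtables_free_opts(1)` now runs on every exit status, including `RESOURCE_PROBLEM`, so it must be safe to call when the option tables were never allocated; a comment stating that assumption next to the call would help.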
@@ -242,8 +259,83 @@ } #endif +struct notarget { + struct hlist_node node; + char name; +}; + +#define NOTARGET_HSIZE 512 +static struct hlist_head notargetsNOTARGET_HSIZE; + +static void notargets_hlist_init(void) +{ + int i; + + for (i = 0; i < NOTARGET_HSIZE; i++) + INIT_HLIST_HEAD(¬argetsi); +} + +static void notargets_hlist_free(void) +{ + struct hlist_node *pos, *n; + struct notarget *cur; + int i; + + for (i = 0; i < NOTARGET_HSIZE; i++) { + hlist_for_each_entry_safe(cur, pos, n, ¬argetsi, node) { + hlist_del(&cur->node); + free(cur); + } + } +} + +static uint32_t djb_hash(const char *key) +{ + uint32_t i, hash = 5381; + + for (i = 0; i < strlen(key); i++) + hash = ((hash << 5) + hash) + keyi; + + return hash; +} + +static struct notarget *notargets_hlist_lookup(const char *name) +{ + uint32_t key = djb_hash(name) % NOTARGET_HSIZE; + struct hlist_node *node; + struct notarget *cur; + + hlist_for_each_entry(cur, node, ¬argetskey, node) { + if (!strcmp(name, cur->name)) + return cur; + } + return NULL; +} + +static void notargets_hlist_insert(const char *name) +{ + struct notarget *cur; + + if (!name) + return; + + cur = xtables_malloc(sizeof(*cur) + strlen(name) + 1); + strcpy(cur->name, name); + hlist_add_head(&cur->node, ¬argetsdjb_hash(name) % NOTARGET_HSIZE); +} + +void xtables_announce_chain(const char *name) +{ + if (!notargets_hlist_lookup(name)) + notargets_hlist_insert(name); +} + void xtables_init(void) { + /* xtables cannot be used with setuid in a safe way. */ + if (getuid() != geteuid()) + _exit(111); + xtables_libdir = getenv("XTABLES_LIBDIR"); if (xtables_libdir != NULL) return; @@ -267,6 +359,8 @@ return; } xtables_libdir = XTABLES_LIBDIR; + + notargets_hlist_init(); } void xtables_fini(void) @@ -274,6 +368,7 @@ #ifndef NO_SHARED_LIBS dlreg_free(); #endif + notargets_hlist_free(); } void xtables_set_nfproto(uint8_t nfproto) 
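Review bot: The new `xtables_init()` guard `if (getuid() != geteuid()) _exit(111);` closes only the setuid case, yet the very next statement reads `XTABLES_LIBDIR` from the environment and that path is presumably what the `dlopen()` extension loader uses; a setgid binary, or one granted file capabilities, passes the check with the same attacker-controlled environment. Compare the group IDs too and, where available, take the kernel's own verdict: `if (getuid() != geteuid() || getgid() != getegid() || getauxval(AT_SECURE)) _exit(111);` (`getauxval` needs `<sys/auxv.h>`, glibc 2.16 or later). The `111` exit status is undocumented; a one-line comment saying it is deliberately distinct from the `xtables_exittype` codes and that no message is printed on purpose would help the next reader. Minor: `djb_hash()` re-evaluates `strlen(key)` on every loop iteration; `for (; *key; key++)` is the usual form.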
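Review bot: `notargets_hlist_init()` is added at the very end of `xtables_init()`, after the two early `return` paths, so it never runs when `XTABLES_LIBDIR` is set in the environment (the preceding hunk returns right after the `getenv()`). This is harmless today only because `notargets` is a static array whose zero-initialised `first` pointers are exactly what `INIT_HLIST_HEAD` writes, but `notargets_hlist_insert()` and `notargets_hlist_free()` then rely on that coincidence. Either move the call to the top of the function, directly after the setuid check, or drop it and state in a comment that the table relies on static zero-initialisation.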
@@ -368,6 +463,18 @@ return p; } +char *xtables_strdup(const char *s) +{ + char *dup = strdup(s); + + if (!dup) { + perror("ip6tables: strdup failed"); + exit(1); + } + + return dup; +} + static char *get_modprobe(void) { int procfile; @@ -668,6 +775,8 @@ struct xtables_match **dptr; struct xtables_match *ptr; const char *icmp6 = "icmp6"; + bool found = false; + bool seen = false; if (strlen(name) >= XT_EXTENSION_MAXNAMELEN) xtables_error(PARAMETER_PROBLEM, @@ -686,7 +795,10 @@ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { ptr = *dptr; *dptr = (*dptr)->next; - if (xtables_fully_register_pending_match(ptr, prev)) { + seen = true; + if (!found && + xtables_fully_register_pending_match(ptr, prev)) { + found = true; prev = ptr; continue; } else if (prev) { @@ -697,6 +809,11 @@ dptr = &((*dptr)->next); } + if (seen && !found) + fprintf(stderr, + "Warning: Extension %s is not supported, missing kernel module?\n", + name); + for (ptr = xtables_matches; ptr; ptr = ptr->next) { if (extension_cmp(name, ptr->name, ptr->family)) { struct xtables_match *clone; @@ -788,6 +905,8 @@ struct xtables_target *prev = NULL; struct xtables_target **dptr; struct xtables_target *ptr; + bool found = false; + bool seen = false; /* Standard target? */ if (strcmp(name, "") == 0 @@ -796,13 +915,20 @@ || strcmp(name, XTC_LABEL_QUEUE) == 0 || strcmp(name, XTC_LABEL_RETURN) == 0) name = "standard"; + /* known non-target? */ + else if (notargets_hlist_lookup(name) && + tryload != XTF_LOAD_MUST_SUCCEED) + return NULL; /* Trigger delayed initialization */ for (dptr = &xtables_pending_targets; *dptr; ) { if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { ptr = *dptr; *dptr = (*dptr)->next; - if (xtables_fully_register_pending_target(ptr, prev)) { + seen = true; + if (!found && + xtables_fully_register_pending_target(ptr, prev)) { + found = true; prev = ptr; continue; } else if (prev) { 
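Review bot: `xtables_strdup()` lives in libxtables, which is shared by iptables, ip6tables, arptables and ebtables, but its failure message is hard-coded as `perror("ip6tables: strdup failed")`, and it exits with status 1 rather than the `RESOURCE_PROBLEM` code the call sites it replaces used (see the xtoptions.c hunks further down this page). Route it through the existing error path so the program name and exit status stay consistent across front-ends: `xtables_error(RESOURCE_PROBLEM, "strdup: %s", strerror(errno));`, or at minimum print `xt_params->program_name` instead of the literal. The helper's contract (never returns NULL, terminates the process on OOM) should be stated in a comment above it, since that is what lets the callers drop their own NULL checks.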
@@ -813,6 +939,11 @@ dptr = &((*dptr)->next); } + if (seen && !found) + fprintf(stderr, + "Warning: Extension %s is not supported, missing kernel module?\n", + name); + for (ptr = xtables_targets; ptr; ptr = ptr->next) { if (extension_cmp(name, ptr->name, ptr->family)) { struct xtables_target *clone; @@ -859,6 +990,8 @@ if (ptr) ptr->used = 1; + else + notargets_hlist_insert(name); return ptr; } @@ -923,7 +1056,12 @@ /* Definitely don't support this? */ if (errno == ENOENT || errno == EPROTONOSUPPORT) { close(sockfd); - return 0; + /* Pretend revision 0 support for better error messaging */ + if (revision == 0) + fprintf(stderr, + "Warning: Extension %s revision 0 not supported, missing kernel module?\n", + name); + return (revision == 0); } else if (errno == ENOPROTOOPT) { close(sockfd); /* Assume only revision 0 support (old kernel) */ @@ -1378,7 +1516,7 @@ const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp) { - static char buf20; + static char buf16; const unsigned char *bytep = (const void *)&addrp->s_addr; sprintf(buf, "%u.%u.%u.%u", bytep0, bytep1, bytep2, bytep3); @@ -1430,16 +1568,11 @@ int i; maskaddr = ntohl(mask->s_addr); - /* shortcut for /32 networks */ - if (maskaddr == 0xFFFFFFFFL) - return 32; - i = 32; - bits = 0xFFFFFFFEL; - while (--i >= 0 && maskaddr != bits) - bits <<= 1; - if (i >= 0) - return i; + for (i = 32, bits = (uint32_t)-1; i >= 0; i--, bits <<= 1) { + if (bits == maskaddr) + return i; + } /* this mask cannot be converted to CIDR notation */ return -1; @@ -1812,9 +1945,8 @@ struct in6_addr *xtables_numeric_to_ip6addr(const char *num) { static struct in6_addr ap; - int err; - if ((err = inet_pton(AF_INET6, num, &ap)) == 1) + if (inet_pton(AF_INET6, num, &ap) == 1) return ≈ return NULL; 
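Review bot: `xtables_ipaddr_to_numeric()` shrinks its static buffer to exactly 16 bytes, the length of "255.255.255.255" plus the terminator, and then fills it with an unbounded `sprintf()`; the size is correct today only because `bytep` is `unsigned char`, so any later change to the format string turns into a silent overflow of a static buffer. Tie the bound to the buffer: `snprintf(buf, sizeof(buf), "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);`. Separately, `return (revision == 0)` in the `ENOENT`/`EPROTONOSUPPORT` branch makes the revision probe report success for an extension the kernel has just said it lacks; the inline comment gives the intent, but it should also name the caller that relies on this so a later reader does not "fix" it back to `return 0`.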
@@ -2067,10 +2199,11 @@ {"udp", IPPROTO_UDP}, {"udplite", IPPROTO_UDPLITE}, {"icmp", IPPROTO_ICMP}, - {"icmpv6", IPPROTO_ICMPV6}, {"ipv6-icmp", IPPROTO_ICMPV6}, + {"icmpv6", IPPROTO_ICMPV6}, {"esp", IPPROTO_ESP}, {"ah", IPPROTO_AH}, + {"mobility-header", IPPROTO_MH}, {"ipv6-mh", IPPROTO_MH}, {"mh", IPPROTO_MH}, {"all", 0}, @@ -2086,23 +2219,15 @@ if (xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX)) return proto; - /* first deal with the special case of 'all' to prevent - * people from being able to redefine 'all' in nsswitch - * and/or provoke expensive not working ldap/nis/... - * lookups */ - if (strcmp(s, "all") == 0) - return 0; + for (i = 0; xtables_chain_protosi.name != NULL; ++i) { + if (strcmp(s, xtables_chain_protosi.name) == 0) + return xtables_chain_protosi.num; + } pent = getprotobyname(s); if (pent != NULL) return pent->p_proto; - for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) { - if (xtables_chain_protosi.name == NULL) - continue; - if (strcmp(s, xtables_chain_protosi.name) == 0) - return xtables_chain_protosi.num; - } xt_params->exit_err(PARAMETER_PROBLEM, "unknown protocol \"%s\" specified", s); return -1; @@ -2137,8 +2262,6 @@ printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); } -#include <netinet/ether.h> - static const unsigned char mac_type_unicastETH_ALEN = {}; static const unsigned char msk_type_unicastETH_ALEN = {1}; static const unsigned char mac_type_multicastETH_ALEN = {1}; 
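Review bot: The rewrite of the protocol lookup drops the comment that explained why `all` was resolved before `getprotobyname()`: a name that also exists in `/etc/protocols` or an nsswitch backend could otherwise be redefined, or trigger slow NIS/LDAP lookups. The new table-first loop preserves that property and extends it to every built-in name, but nothing says so any more; keep the rationale on the loop: `/* Consult the built-in table before getprotobyname() so names such as "all" cannot be redefined via nsswitch and never trigger slow NIS/LDAP lookups. */`. The loop also now stops at the first entry with a NULL `name`, so the table must end with a NULL-name sentinel; the sentinel is outside this hunk (the old `ARRAY_SIZE` loop with `continue` suggests one exists), which is worth verifying. The enclosing function starts outside the hunk.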
@@ -2323,32 +2446,35 @@ #include <linux/netfilter/nf_tables.h> +enum xt_xlate_type { + XT_XLATE_RULE = 0, + XT_XLATE_SET, + __XT_XLATE_MAX +}; + struct xt_xlate { - struct { + struct xt_xlate_buf { char *data; int size; int rem; int off; - } buf; + } buf__XT_XLATE_MAX; char commentNFT_USERDATA_MAXLEN; + int family; }; struct xt_xlate *xt_xlate_alloc(int size) { - struct xt_xlate *xl; - - xl = malloc(sizeof(struct xt_xlate)); - if (xl == NULL) - xtables_error(RESOURCE_PROBLEM, "OOM"); - - xl->buf.data = malloc(size); - if (xl->buf.data == NULL) - xtables_error(RESOURCE_PROBLEM, "OOM"); + struct xt_xlate *xl = xtables_malloc(sizeof(struct xt_xlate)); + int i; - xl->buf.data0 = '\0'; - xl->buf.size = size; - xl->buf.rem = size; - xl->buf.off = 0; + for (i = 0; i < __XT_XLATE_MAX; i++) { + xl->bufi.data = xtables_malloc(size); + xl->bufi.data0 = '\0'; + xl->bufi.size = size; + xl->bufi.rem = size; + xl->bufi.off = 0; + } xl->comment0 = '\0'; return xl; 
@@ -2356,23 +2482,85 @@ void xt_xlate_free(struct xt_xlate *xl) { - free(xl->buf.data); + int i; + + for (i = 0; i < __XT_XLATE_MAX; i++) + free(xl->bufi.data); + free(xl); } -void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...) +static bool isbrace(char c) { - va_list ap; + switch (c) { + case '(': + case ')': + case '{': + case '}': + case '': + case '': + return true; + } + return false; +} + +static void __xt_xlate_add(struct xt_xlate *xl, enum xt_xlate_type type, + bool space, const char *fmt, va_list ap) +{ + struct xt_xlate_buf *buf = &xl->buftype; + char tmpbuf1024 = ""; int len; - va_start(ap, fmt); - len = vsnprintf(xl->buf.data + xl->buf.off, xl->buf.rem, fmt, ap); - if (len < 0 || len >= xl->buf.rem) + len = vsnprintf(tmpbuf, 1024, fmt, ap); + if (len < 0 || len >= buf->rem - 1) xtables_error(RESOURCE_PROBLEM, "OOM"); + if (space && buf->off && + !isspace(buf->databuf->off - 1) && + (isalnum(tmpbuf0) || isbrace(tmpbuf0))) { + buf->databuf->off = ' '; + buf->off++; + buf->rem--; + } + sprintf(buf->data + buf->off, "%s", tmpbuf); + buf->rem -= len; + buf->off += len; +} + +void xt_xlate_rule_add(struct xt_xlate *xl, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + __xt_xlate_add(xl, XT_XLATE_RULE, true, fmt, ap); + va_end(ap); +} + +void xt_xlate_rule_add_nospc(struct xt_xlate *xl, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + __xt_xlate_add(xl, XT_XLATE_RULE, false, fmt, ap); + va_end(ap); +} + +void xt_xlate_set_add(struct xt_xlate *xl, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + __xt_xlate_add(xl, XT_XLATE_SET, true, fmt, ap); + va_end(ap); +} + +void xt_xlate_set_add_nospc(struct xt_xlate *xl, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + __xt_xlate_add(xl, XT_XLATE_SET, false, fmt, ap); va_end(ap); - xl->buf.rem -= len; - xl->buf.off += len; } void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment) 
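Review bot: `__xt_xlate_add()` formats into a 1024-byte `tmpbuf` but accounts with the untruncated length that `vsnprintf()` returns: a single fragment of 1023 bytes or more is copied truncated by the `sprintf()`, yet `buf->off` and `buf->rem` advance by the full `len`, so the cursor moves past the bytes actually written and later fragments land after whatever `xtables_malloc()` left there (it is not visible here whether it zeroes), while the NUL that `sprintf()` placed at the truncation point hides everything after it from `xt_xlate_get()`. The guard should reject an over-long fragment the same way it rejects a full output buffer: `if (len < 0 || len >= sizeof(tmpbuf) || len >= buf->rem - 1)`. With that in place the copy can be `memcpy(buf->data + buf->off, tmpbuf, len + 1);`, which makes the copied length explicit instead of re-scanning for the terminator.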
@@ -2386,7 +2574,27 @@ return xl->comment0 ? xl->comment : NULL; } +void xl_xlate_set_family(struct xt_xlate *xl, uint8_t family) +{ + xl->family = family; +} + +uint8_t xt_xlate_get_family(struct xt_xlate *xl) +{ + return xl->family; +} + const char *xt_xlate_get(struct xt_xlate *xl) { - return xl->buf.data; + struct xt_xlate_buf *buf = &xl->bufXT_XLATE_RULE; + + while (buf->off && isspace(buf->databuf->off - 1)) + buf->data--buf->off = '\0'; + + return buf->data; +} + +const char *xt_xlate_set_get(struct xt_xlate *xl) +{ + return xl->bufXT_XLATE_SET.data; }
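Review bot: The new setter is exported as `xl_xlate_set_family()` while every other function in this API, including its counterpart `xt_xlate_get_family()` in the same hunk, uses the `xt_xlate_` prefix; once the symbol ships in libxtables it is ABI, and renaming it later means carrying an alias indefinitely. Rename it to `xt_xlate_set_family()` now, or if the misspelt name has already been published, add the correctly spelt one and keep the old as a wrapper. `xt_xlate_get()` also writes into the buffer while trimming trailing whitespace, so it is idempotent but not a pure getter; a one-line comment such as `/* Strips trailing whitespace in place; safe to call repeatedly. */` would prevent surprises.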
_service:tar_scm:iptables-1.8.7.tar.bz2/libxtables/xtoptions.c -> _service:tar_scm:iptables-1.8.9.tar.xz/libxtables/xtoptions.c
@@ -21,7 +21,6 @@ #include <arpa/inet.h> #include <netinet/ip.h> #include "xtables.h" -#include "xshared.h" #ifndef IPTOS_NORMALSVC # define IPTOS_NORMALSVC 0 #endif @@ -604,9 +603,7 @@ unsigned int maxiter; int value; - wp_arg = lo_arg = strdup(cb->arg); - if (lo_arg == NULL) - xt_params->exit_err(RESOURCE_PROBLEM, "strdup"); + wp_arg = lo_arg = xtables_strdup(cb->arg); maxiter = entry->size / esize; if (maxiter == 0) @@ -747,9 +744,7 @@ xtopt_parse_host(cb); return; } - work = strdup(orig_arg); - if (work == NULL) - xt_params->exit_err(PARAMETER_PROBLEM, "strdup"); + work = xtables_strdup(orig_arg); p = strchr(work, '/'); /* by def this can't be NULL now */ *p++ = '\0'; /* @@ -763,6 +758,7 @@ cb->arg = p; xtopt_parse_plenmask(cb); cb->arg = orig_arg; + free(work); } static void xtopt_parse_ethermac(struct xt_option_call *cb) @@ -928,7 +924,7 @@ cb.entry = xtables_option_lookup(t->x6_options, c); if (cb.entry == NULL) xtables_error(OTHER_PROBLEM, - "Extension does not know id %u\n", c); + "Extension does not know id %u", c); cb.arg = optarg; cb.invert = invert; cb.ext_name = t->name; @@ -964,7 +960,7 @@ cb.entry = xtables_option_lookup(m->x6_options, c); if (cb.entry == NULL) xtables_error(OTHER_PROBLEM, - "Extension does not know id %u\n", c); + "Extension does not know id %u", c); cb.arg = optarg; cb.invert = invert; cb.ext_name = m->name; @@ -1138,11 +1134,7 @@ goto out; } lmap_this->id = id; - lmap_this->name = strdup(cur); - if (lmap_this->name == NULL) { - free(lmap_this); - goto out; - } + lmap_this->name = xtables_strdup(cur); lmap_this->next = NULL; if (lmap_prev != NULL)
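Review bot: In the last hunk the lookup-map parser used to recover from a failed `strdup()` by freeing the half-built entry and jumping to `out`, matching the `goto out` handling still visible just above it; replacing that with `xtables_strdup()` turns the path into `exit(1)` from inside a parser, so the function's error contract changed while its other error branches still return a partial result. If terminating the process on OOM is acceptable for library callers, say so in a comment above the call; otherwise keep the original `free(lmap_this); goto out;` path. The `free(work)` added in the `/`-splitting hunk fixes a real leak, and it is placed correctly only because `cb->arg` is restored to `orig_arg` one line earlier; a brief comment there (`/* cb->arg pointed into work until the line above */`) would keep a future reorder from introducing a use-after-free.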
_service:tar_scm:iptables-1.8.7.tar.bz2/m4/libtool.m4 -> _service:tar_scm:iptables-1.8.9.tar.xz/m4/libtool.m4
@@ -1041,8 +1041,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF @@ -1071,11 +1071,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) + 10.0,*86*-darwin8*|10.0,*-darwin912*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.012,.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -1492,7 +1492,7 @@ m4_defun(_LT_PROG_AR, AC_CHECK_TOOLS(AR, ar, false) : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} _LT_DECL(, AR, 1, The archiver) _LT_DECL(, AR_FLAGS, 1, Flags to create an archive) @@ -4704,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*)
_service:tar_scm:iptables-1.8.7.tar.bz2/utils/Makefile.am -> _service:tar_scm:iptables-1.8.9.tar.xz/utils/Makefile.am
@@ -3,15 +3,16 @@ AM_CFLAGS = ${regular_CFLAGS} AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ -I${top_srcdir}/include ${libnfnetlink_CFLAGS} +AM_LDFLAGS = ${regular_LDFLAGS} sbin_PROGRAMS = -pkgdata_DATA = +dist_pkgdata_DATA = man_MANS = if HAVE_LIBNFNETLINK man_MANS += nfnl_osf.8 sbin_PROGRAMS += nfnl_osf -pkgdata_DATA += pf.os +dist_pkgdata_DATA += pf.os nfnl_osf_LDADD = ${libnfnetlink_LIBS}
_service:tar_scm:iptables-1.8.7.tar.bz2/utils/Makefile.in -> _service:tar_scm:iptables-1.8.9.tar.xz/utils/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -105,7 +105,8 @@ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_pkgdata_DATA_DIST) \ + $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = nfnl_osf.8 nfbpf_compile.8 @@ -203,7 +204,8 @@ man8dir = $(mandir)/man8 NROFF = nroff MANS = $(man_MANS) -DATA = $(pkgdata_DATA) +am__dist_pkgdata_DATA_DIST = pf.os +DATA = $(dist_pkgdata_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -362,6 +364,7 @@ psdir = @psdir@ regular_CFLAGS = @regular_CFLAGS@ regular_CPPFLAGS = @regular_CPPFLAGS@ +regular_LDFLAGS = @regular_LDFLAGS@ runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ @@ -376,7 +379,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ -I${top_srcdir}/include ${libnfnetlink_CFLAGS} -pkgdata_DATA = $(am__append_3) +AM_LDFLAGS = ${regular_LDFLAGS} +dist_pkgdata_DATA = $(am__append_3) man_MANS = $(am__append_1) $(am__append_4) @HAVE_LIBNFNETLINK_TRUE@nfnl_osf_LDADD = ${libnfnetlink_LIBS} @ENABLE_BPFC_TRUE@nfbpf_compile_LDADD = -lpcap 
@@ -566,9 +570,9 @@ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^^80-9a-z*$$,8,;x' \ -e 's,\.0-9a-z*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) -install-pkgdataDATA: $(pkgdata_DATA) +install-dist_pkgdataDATA: $(dist_pkgdata_DATA) @$(NORMAL_INSTALL) - @list='$(pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(pkgdatadir)'"; \ $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" || exit 1; \ @@ -582,9 +586,9 @@ $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgdatadir)" || exit $$?; \ done -uninstall-pkgdataDATA: +uninstall-dist_pkgdataDATA: @$(NORMAL_UNINSTALL) - @list='$(pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(pkgdatadir)'; $(am__uninstall_files_from_dir) @@ -737,7 +741,7 @@ info-am: -install-data-am: install-man install-pkgdataDATA +install-data-am: install-dist_pkgdataDATA install-man install-dvi: install-dvi-am @@ -785,7 +789,7 @@ ps-am: -uninstall-am: uninstall-man uninstall-pkgdataDATA \ +uninstall-am: uninstall-dist_pkgdataDATA uninstall-man \ uninstall-sbinPROGRAMS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) uninstall-hook 
@@ -798,16 +802,16 @@ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-man8 install-pdf \ - install-pdf-am install-pkgdataDATA install-ps install-ps-am \ - install-sbinPROGRAMS install-strip installcheck \ + install-data-am install-dist_pkgdataDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinPROGRAMS install-strip installcheck \ installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-am uninstall uninstall-am uninstall-hook \ - uninstall-man uninstall-man8 uninstall-pkgdataDATA \ + tags tags-am uninstall uninstall-am uninstall-dist_pkgdataDATA \ + uninstall-hook uninstall-man uninstall-man8 \ uninstall-sbinPROGRAMS .PRECIOUS: Makefile
_service:tar_scm:iptables-1.8.7.tar.bz2/xlate-test.py -> _service:tar_scm:iptables-1.8.9.tar.xz/xlate-test.py
@@ -7,6 +7,13 @@ import argparse from subprocess import Popen, PIPE +def run_proc(args, shell = False, input = None): + """A simple wrapper around Popen, returning (rc, stdout, stderr)""" + process = Popen(args, text = True, shell = shell, + stdin = PIPE, stdout = PIPE, stderr = PIPE) + output, error = process.communicate(input) + return (process.returncode, output, error) + keywords = ("iptables-translate", "ip6tables-translate", "ebtables-translate") xtables_nft_multi = 'xtables-nft-multi' 
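Review bot: `run_proc()` accepts a `shell` parameter, but every visible caller passes a list, and with `shell=True` `Popen` runs only `args[0]` through the shell and silently drops the remaining elements; keeping the parameter invites exactly that mistake in a script that runs as root for `--replay`. Drop it and pin the safe form: `def run_proc(args, input=None):` with `Popen(args, text=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)`. The docstring should also say that `input` is written to the child's stdin and that the call blocks until the child exits.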
@@ -33,82 +40,238 @@ return colors"green" + string + colors"end" +def test_one_xlate(name, sourceline, expected, result): + rc, output, error = run_proc(xtables_nft_multi + shlex.split(sourceline)) + if rc != 0: + result.append(name + ": " + red("Error: ") + "iptables-translate failure") + result.append(error) + return False + + translation = output.rstrip(" \n") + if translation != expected: + result.append(name + ": " + red("Fail")) + result.append(magenta("src: ") + sourceline.rstrip(" \n")) + result.append(magenta("exp: ") + expected) + result.append(magenta("res: ") + translation + "\n") + return False + + return True + +def test_one_replay(name, sourceline, expected, result): + global args + + searchline = None + if sourceline.find(';') >= 0: + sourceline, searchline = sourceline.split(';') + + srcwords = sourceline.split() + + srccmd = srcwords0 + ipt = srccmd.split('-')0 + table_idx = -1 + chain_idx = -1 + table_name = "filter" + chain_name = None + for idx in range(1, len(srcwords)): + if srcwordsidx in "-A", "-I", "--append", "--insert": + chain_idx = idx + chain_name = srcwordsidx + 1 + elif srcwordsidx in "-t", "--table": + table_idx = idx + table_name = srcwordsidx + 1 + + if not chain_name: + return True # nothing to do? 
+ + if searchline is None: + # adjust sourceline as required + checkcmd = srcwords: + checkcmd0 = ipt + checkcmdchain_idx = "--check" + else: + checkcmd = ipt, "-t", table_name + checkcmd += "--check", chain_name, searchline + + fam = "" + if srccmd.startswith("ip6"): + fam = "ip6 " + elif srccmd.startswith("ebt"): + fam = "bridge " + + expected = l.removeprefix("nft ").strip(" '") for l in expected.split("\n") + nft_input = + "flush ruleset", + "add table " + fam + table_name, + "add chain " + fam + table_name + " " + chain_name, + + expected + + rc, output, error = run_proc(args.nft, "-f", "-", shell = False, input = "\n".join(nft_input)) + if rc != 0: + result.append(name + ": " + red("Replay Fail")) + result.append(args.nft + " call failed: " + error.rstrip('\n')) + for line in nft_input: + result.append(magenta("input: ") + line) + return False + + rc, output, error = run_proc(xtables_nft_multi + checkcmd) + if rc != 0: + result.append(name + ": " + red("Check Fail")) + result.append(magenta("check: ") + " ".join(checkcmd)) + result.append(magenta("error: ") + error) + rc, output, error = run_proc(xtables_nft_multi, ipt + "-save") + for l in output.split("\n"): + result.append(magenta("ipt: ") + l) + rc, output, error = run_proc(args.nft, "list", "ruleset") + for l in output.split("\n"): + result.append(magenta("nft: ") + l) + return False + + return True + + def run_test(name, payload): global xtables_nft_multi + global args + test_passed = True tests = passed = failed = errors = 0 result = - for line in payload: - if line.startswith(keywords): + line = payload.readline() + while line: + if not line.startswith(keywords): + line = payload.readline() + continue + + sourceline = replayline = line.rstrip("\n") + if line.find(';') >= 0: + sourceline = line.split(';')0 + + expected = payload.readline().rstrip(" \n") + next_expected = payload.readline() + if next_expected.startswith("nft"): + expected += "\n" + next_expected.rstrip(" \n") + line = payload.readline() 
+ else: + line = next_expected + + tests += 1 + if test_one_xlate(name, sourceline, expected, result): + passed += 1 + else: + errors += 1 + test_passed = False + continue + + if args.replay: tests += 1 - process = Popen( xtables_nft_multi + shlex.split(line), stdout=PIPE, stderr=PIPE) - (output, error) = process.communicate() - if process.returncode == 0: - translation = output.decode("utf-8").rstrip(" \n") - expected = next(payload).rstrip(" \n") - if translation != expected: - test_passed = False - failed += 1 - result.append(name + ": " + red("Fail")) - result.append(magenta("src: ") + line.rstrip(" \n")) - result.append(magenta("exp: ") + expected) - result.append(magenta("res: ") + translation + "\n") - test_passed = False - else: - passed += 1 + if test_one_replay(name, replayline, expected, result): + passed += 1 else: - test_passed = False errors += 1 - result.append(name + ": " + red("Error: ") + "iptables-translate failure") - result.append(error.decode("utf-8")) + test_passed = False + + rc, output, error = run_proc(args.nft, "flush", "ruleset") + if rc != 0: + result.append(name + ": " + red("Fail")) + result.append("nft flush ruleset call failed: " + error) + if (passed == tests) and not args.test: print(name + ": " + green("OK")) if not test_passed: - print("\n".join(result)) - if args.test: - print("1 test file, %d tests, %d tests passed, %d tests failed, %d errors" % (tests, passed, failed, errors)) - else: - return tests, passed, failed, errors + print("\n".join(result), file=sys.stderr) + return tests, passed, failed, errors def load_test_files(): test_files = total_tests = total_passed = total_error = total_failed = 0 - for test in sorted(os.listdir("extensions")): - if test.endswith(".txlate"): - with open("extensions/" + test, "r") as payload: - tests, passed, failed, errors = run_test(test, payload) - test_files += 1 - total_tests += tests - total_passed += passed - total_failed += failed - total_error += errors + tests = 
sorted(os.listdir("extensions")) + for test in 'extensions/' + f for f in tests if f.endswith(".txlate"): + with open(test, "r") as payload: + tests, passed, failed, errors = run_test(test, payload) + test_files += 1 + total_tests += tests + total_passed += passed + total_failed += failed + total_error += errors + return (test_files, total_tests, total_passed, total_failed, total_error) - print("%d test files, %d tests, %d tests passed, %d tests failed, %d errors" % (test_files, total_tests, total_passed, total_failed, total_error)) +def spawn_netns(): + # prefer unshare module + try: + import unshare + unshare.unshare(unshare.CLONE_NEWNET) + return True + except: + pass + + # sledgehammer style: + # - call ourselves prefixed by 'unshare -n' if found + # - pass extra --no-netns parameter to avoid another recursion + try: + import shutil + + unshare = shutil.which("unshare") + if unshare is None: + return False + + sys.argv.append("--no-netns") + os.execv(unshare, unshare, "-n", sys.executable + sys.argv) + except: + pass + + return False + def main(): global xtables_nft_multi + + if args.replay: + if os.getuid() != 0: + print("Replay test requires root, sorry", file=sys.stderr) + return + if not args.no_netns and not spawn_netns(): + print("Cannot run in own namespace, connectivity might break", + file=sys.stderr) + if not args.host: os.putenv("XTABLES_LIBDIR", os.path.abspath("extensions")) xtables_nft_multi = os.path.abspath(os.path.curdir) \ + '/iptables/' + xtables_nft_multi + files = tests = passed = failed = errors = 0 if args.test: if not args.test.endswith(".txlate"): args.test += ".txlate" try: with open(args.test, "r") as payload: - run_test(args.test, payload) + files = 1 + tests, passed, failed, errors = run_test(args.test, payload) except IOError: - print(red("Error: ") + "test file does not exist") + print(red("Error: ") + "test file does not exist", file=sys.stderr) + return 99 + else: + files, tests, passed, failed, errors = load_test_files() + + if 
files > 1: + file_word = "files" else: - load_test_files() + file_word = "file" + print("%d test %s, %d tests, %d tests passed, %d tests failed, %d errors" + % (files, file_word, tests, passed, failed, errors)) + return passed - tests parser = argparse.ArgumentParser() parser.add_argument('-H', '--host', action='store_true', help='Run tests against installed binaries') +parser.add_argument('-R', '--replay', action='store_true', + help='Replay tests to check iptables-nft parser') +parser.add_argument('-n', '--nft', type=str, default='nft', + help='Replay using given nft binary (default: \'%(default)s\')') +parser.add_argument('--no-netns', action='store_true', + help='Do not run testsuite in own network namespace') parser.add_argument("test", nargs="?", help="run only the specified test file") args = parser.parse_args() -main() +sys.exit(main())
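Review bot: In `main()`, when `--replay` is requested and `spawn_netns()` fails, the script only prints "Cannot run in own namespace, connectivity might break" and carries on; it is running as root at that point (checked a few lines earlier), and `test_one_replay()` and `run_test()` then execute `nft flush ruleset` against the host, wiping the machine's live firewall. Failing to isolate should be fatal unless the operator explicitly opted out with `--no-netns`: `print("Cannot run in own namespace, refusing to flush the host ruleset", file=sys.stderr); return 99`. The bare `except:` clauses in `spawn_netns()` are what make the failure silent; narrow them to `except ImportError:` and `except OSError:`. Separately, `main()` returns `passed - tests` and `sys.exit()` keeps only the low 8 bits, so exactly 256 failing tests exit with status 0; return `1 if passed != tests else 0` instead, and note that `failed` is never incremented any more, so the "tests failed" column of the summary is always 0.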