author | Maciej Żenczykowski <maze@google.com> | 2020-04-08 07:17:05 -0700 |
---|---|---|
committer | Maciej Żenczykowski <maze@google.com> | 2020-04-08 07:17:18 -0700 |
commit | b68f7ec3cad0a37be41b5d25002714b73a7ec800 (patch) | |
tree | d2ba3d14795dab0c12cd6e365eadf46254e00387 /extensions | |
parent | 2ca8cc154dd137be025a8cf20530d064ff731ac3 (diff) | |
parent | 1447b15100fe73810237809c1d4ade3c861b6d96 (diff) | |
download | iptables-b68f7ec3cad0a37be41b5d25002714b73a7ec800.tar.gz |
Merge tag 'v1.8.3' of git://git.netfilter.org/iptables into work
iptables 1.8.3 release
Generated via:
git fetch git://git.netfilter.org/iptables v1.8.3
git merge FETCH_HEAD
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I21995a5fbd05ff46c91d74b96259ed94ef16ff13
Diffstat (limited to 'extensions')
37 files changed, 322 insertions, 146 deletions
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index c0d73cd2..0842a553 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -55,11 +55,12 @@ pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod}) pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_mod}) pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) -pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks}) +pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod}) pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod}) pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) +pfx_symlink_files := $(patsubst %,libxt_%.so,${pfx_symlinks}) # @@ -72,8 +73,9 @@ targets_install := @ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs} @ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} @ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} -@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} @ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files} .SECONDARY: 
@@ -81,9 +83,14 @@ targets_install := all: ${targets} -install: ${targets_install} +install: ${targets_install} ${symlinks_install} @mkdir -p "${DESTDIR}${xtlibdir}"; - if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; + if test -n "${targets_install}"; then \ + install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/"; \ + fi; + if test -n "${symlinks_install}"; then \ + cp -P ${symlinks_install} "${DESTDIR}${xtlibdir}/"; \ + fi; clean: rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c initexta.c; diff --git a/extensions/libarpt_CLASSIFY.t b/extensions/libarpt_CLASSIFY.t index c30480d2..0cf0f2ce 100644 --- a/extensions/libarpt_CLASSIFY.t +++ b/extensions/libarpt_CLASSIFY.t @@ -1,4 +1,4 @@ :OUTPUT -o lo --destination-mac 11:22:33:44:55:66;-o lo --dst-mac 11:22:33:44:55:66;OK --dst-mac Broadcast ;--dst-mac ff:ff:ff:ff:ff:ff;OK -! -o eth+ -d 1.2.3.4/24 -j CLASSIFY --set-class 0000:0000;! -o eth+ -d 1.2.3.0/24 --h-length 6 --h-type 1 -j CLASSIFY --set-class 0000:0000;OK +! -o eth+ -d 1.2.3.4/24 -j CLASSIFY --set-class 0:0;-j CLASSIFY ! -o eth+ -d 1.2.3.0/24 --set-class 0:0;OK diff --git a/extensions/libarpt_MARK.t b/extensions/libarpt_MARK.t index cb4c2cb6..3b13d44f 100644 --- a/extensions/libarpt_MARK.t +++ b/extensions/libarpt_MARK.t @@ -1,4 +1,4 @@ :INPUT,OUTPUT --d 0.0.0.0/8 -j MARK --set-mark 0x1;-d 0.0.0.0/8 --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0xffffffff;OK --s ! 0.0.0.0 -j MARK --and-mark 0x17;! -s 0.0.0.0 --h-length 6 --h-type 1 -j MARK --set-xmark 0x0/0xffffffe8;OK --s 0.0.0.0 -j MARK --or-mark 0x17;-s 0.0.0.0 --h-length 6 --h-type 1 -j MARK --set-xmark 0x17/0x17;OK +-j MARK -d 0.0.0.0/8 --set-mark 1;=;OK +-s ! 0.0.0.0 -j MARK --and-mark 0x17;-j MARK ! -s 0.0.0.0 --and-mark 17;OK +-j MARK -s 0.0.0.0 --or-mark 17;=;OK diff --git a/extensions/libarpt_mangle.t b/extensions/libarpt_mangle.t index 1d4c3977..da966948 100644 --- a/extensions/libarpt_mangle.t 
+++ b/extensions/libarpt_mangle.t @@ -1,5 +1,5 @@ :OUTPUT --s 1.2.3.4 -j mangle --mangle-ip-s 1.2.3.5;-s 1.2.3.4 --h-length 6 --h-type 1 -j mangle --mangle-ip-s 1.2.3.5;OK --d 1.2.3.4 -j mangle --mangle-ip-d 1.2.3.5;-d 1.2.3.4 --h-length 6 --h-type 1 -j mangle --mangle-ip-d 1.2.3.5;OK --d 1.2.3.4 --h-length 6 --h-type 1 -j mangle --mangle-mac-d 00:01:02:03:04:05;=;OK --d 1.2.3.4 -j mangle --mangle-mac-s 00:01:02:03:04:05;=;FAIL +-j mangle -s 1.2.3.4 --mangle-ip-s 1.2.3.5;=;OK +-j mangle -d 1.2.3.4 --mangle-ip-d 1.2.3.5;=;OK +-j mangle -d 1.2.3.4 --mangle-mac-d 00:01:02:03:04:05;=;OK +-d 1.2.3.4 --h-length 5 -j mangle --mangle-mac-s 00:01:02:03:04:05;=;FAIL diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t index bef682af..e84a00b7 100644 --- a/extensions/libarpt_standard.t +++ b/extensions/libarpt_standard.t @@ -5,8 +5,8 @@ -d 192.168.0.1;=;OK ! -d 0.0.0.0;=;OK -d 0.0.0.0/24;=;OK --i lo;=;OK -! -i lo;=;OK +-j DROP -i lo;=;OK +-j ACCEPT ! -i lo;=;OK -i ppp+;=;OK ! -i ppp+;=;OK -i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK diff --git a/extensions/libebt_802_3.c b/extensions/libebt_802_3.c index 9e91d052..f05d02ea 100644 --- a/extensions/libebt_802_3.c +++ b/extensions/libebt_802_3.c @@ -98,15 +98,15 @@ static void br802_3_print(const void *ip, const struct xt_entry_match *match, struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data; if (info->bitmask & EBT_802_3_SAP) { + printf("--802_3-sap "); if (info->invflags & EBT_802_3_SAP) printf("! "); - printf("--802_3-sap "); printf("0x%.2x ", info->sap); } if (info->bitmask & EBT_802_3_TYPE) { + printf("--802_3-type "); if (info->invflags & EBT_802_3_TYPE) printf("! "); - printf("--802_3-type "); printf("0x%.4x ", ntohs(info->type)); } } diff --git a/extensions/libebt_802_3.t b/extensions/libebt_802_3.t index 61081bd6..ddfb2f0a 100644 --- a/extensions/libebt_802_3.t +++ b/extensions/libebt_802_3.t 
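Review bot: The new lines in br802_3_print print the option name and the inversion marker with two separate printf calls (`printf("--802_3-sap ");` followed by the conditional `printf("! ");`), while the libebt_pkttype.c, libebt_stp.c and libebt_vlan.c hunks of this same commit fold the marker into one call with a ternary; both produce the same bytes, but the two shapes make the print functions harder to compare and review. For consistency each branch could become one statement, e.g. `printf("--802_3-sap %s0x%.2x ", (info->invflags & EBT_802_3_SAP) ? "! " : "", info->sap);` and the same for the TYPE branch. The two-call form is also used in the libebt_arp.c, libebt_ip.c, libebt_ip6.c and libebt_mark_m.c hunks, so whichever shape is chosen should be applied there as well.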
@@ -1,3 +1,3 @@
 :INPUT,FORWARD,OUTPUT
-! --802_3-sap 0x0a -j CONTINUE;=;OK
+--802_3-sap ! 0x0a -j CONTINUE;=;OK
 --802_3-type 0x000a -j RETURN;=;OK
diff --git a/extensions/libebt_arp.c b/extensions/libebt_arp.c
index c1b0ab1d..a062b7e7 100644
--- a/extensions/libebt_arp.c
+++ b/extensions/libebt_arp.c
@@ -338,51 +338,51 @@ static void brarp_print(const void *ip, const struct xt_entry_match *match, int if (arpinfo->bitmask & EBT_ARP_OPCODE) { int opcode = ntohs(arpinfo->opcode); + printf("--arp-op "); if (arpinfo->invflags & EBT_ARP_OPCODE) printf("! "); - printf("--arp-op "); if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes)) printf("%s ", opcodes[opcode - 1]); else printf("%d ", opcode); } if (arpinfo->bitmask & EBT_ARP_HTYPE) { + printf("--arp-htype "); if (arpinfo->invflags & EBT_ARP_HTYPE) printf("! "); - printf("--arp-htype "); printf("%d ", ntohs(arpinfo->htype)); } if (arpinfo->bitmask & EBT_ARP_PTYPE) { + printf("--arp-ptype "); if (arpinfo->invflags & EBT_ARP_PTYPE) printf("! "); - printf("--arp-ptype "); printf("0x%x ", ntohs(arpinfo->ptype)); } if (arpinfo->bitmask & EBT_ARP_SRC_IP) { + printf("--arp-ip-src "); if (arpinfo->invflags & EBT_ARP_SRC_IP) printf("! "); - printf("--arp-ip-src "); printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr), xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk)); } if (arpinfo->bitmask & EBT_ARP_DST_IP) { + printf("--arp-ip-dst "); if (arpinfo->invflags & EBT_ARP_DST_IP) printf("! "); - printf("--arp-ip-dst "); printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr), xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk)); } if (arpinfo->bitmask & EBT_ARP_SRC_MAC) { + printf("--arp-mac-src "); if (arpinfo->invflags & EBT_ARP_SRC_MAC) printf("! "); - printf("--arp-mac-src "); xtables_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk); printf(" "); } if (arpinfo->bitmask & EBT_ARP_DST_MAC) { + printf("--arp-mac-dst "); if (arpinfo->invflags & EBT_ARP_DST_MAC) printf("! "); - printf("--arp-mac-dst "); xtables_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk); printf(" "); } diff --git a/extensions/libebt_arp.t b/extensions/libebt_arp.t index a05ab12d..14ff0f09 100644 --- a/extensions/libebt_arp.t +++ b/extensions/libebt_arp.t 
@@ -1,11 +1,11 @@ :INPUT,FORWARD,OUTPUT -p ARP --arp-op Request;=;OK --p ARP ! --arp-htype 1;=;OK +-p ARP --arp-htype ! 1;=;OK -p ARP --arp-ptype 0x2;=;OK -p ARP --arp-ip-src 1.2.3.4;=;OK --p ARP ! --arp-ip-dst 1.2.3.4;=;OK --p ARP ! --arp-ip-src 0.0.0.0;=;OK --p ARP ! --arp-ip-dst 0.0.0.0/8;=;OK +-p ARP ! --arp-ip-dst 1.2.3.4;-p ARP --arp-ip-dst ! 1.2.3.4 -j CONTINUE;OK +-p ARP --arp-ip-src ! 0.0.0.0;=;OK +-p ARP --arp-ip-dst ! 0.0.0.0/8;=;OK -p ARP --arp-mac-src 00:de:ad:be:ef:00;=;OK -p ARP --arp-mac-dst de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK -p ARP --arp-gratuitous;=;OK diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c index d48704fe..acb9bfcd 100644 --- a/extensions/libebt_ip.c +++ b/extensions/libebt_ip.c @@ -472,35 +472,35 @@ static void brip_print(const void *ip, const struct xt_entry_match *match, struct in_addr *addrp, *maskp; if (info->bitmask & EBT_IP_SOURCE) { + printf("--ip-src "); if (info->invflags & EBT_IP_SOURCE) printf("! "); - printf("--ip-src "); addrp = (struct in_addr *)&info->saddr; maskp = (struct in_addr *)&info->smsk; printf("%s%s ", xtables_ipaddr_to_numeric(addrp), xtables_ipmask_to_numeric(maskp)); } if (info->bitmask & EBT_IP_DEST) { + printf("--ip-dst "); if (info->invflags & EBT_IP_DEST) printf("! "); - printf("--ip-dst "); addrp = (struct in_addr *)&info->daddr; maskp = (struct in_addr *)&info->dmsk; printf("%s%s ", xtables_ipaddr_to_numeric(addrp), xtables_ipmask_to_numeric(maskp)); } if (info->bitmask & EBT_IP_TOS) { + printf("--ip-tos "); if (info->invflags & EBT_IP_TOS) printf("! "); - printf("--ip-tos "); printf("0x%02X ", info->tos); } if (info->bitmask & EBT_IP_PROTO) { struct protoent *pe; + printf("--ip-proto "); if (info->invflags & EBT_IP_PROTO) printf("! "); - printf("--ip-proto "); pe = getprotobynumber(info->protocol); if (pe == NULL) { printf("%d ", info->protocol); 
@@ -509,28 +509,28 @@ static void brip_print(const void *ip, const struct xt_entry_match *match, } } if (info->bitmask & EBT_IP_SPORT) { + printf("--ip-sport "); if (info->invflags & EBT_IP_SPORT) printf("! "); - printf("--ip-sport "); print_port_range(info->sport); } if (info->bitmask & EBT_IP_DPORT) { + printf("--ip-dport "); if (info->invflags & EBT_IP_DPORT) printf("! "); - printf("--ip-dport "); print_port_range(info->dport); } if (info->bitmask & EBT_IP_ICMP) { + printf("--ip-icmp-type "); if (info->invflags & EBT_IP_ICMP) printf("! "); - printf("--ip-icmp-type "); ebt_print_icmp_type(icmp_codes, ARRAY_SIZE(icmp_codes), info->icmp_type, info->icmp_code); } if (info->bitmask & EBT_IP_IGMP) { + printf("--ip-igmp-type "); if (info->invflags & EBT_IP_IGMP) printf("! "); - printf("--ip-igmp-type "); ebt_print_icmp_type(igmp_types, ARRAY_SIZE(igmp_types), info->igmp_type, NULL); } diff --git a/extensions/libebt_ip.t b/extensions/libebt_ip.t index 01a91a73..8be5dfbb 100644 --- a/extensions/libebt_ip.t +++ b/extensions/libebt_ip.t @@ -1,13 +1,13 @@ :INPUT,FORWARD,OUTPUT --p ip --ip-src ! 192.168.0.0/24 -j ACCEPT;-p IPv4 ! --ip-src 192.168.0.0/24 -j ACCEPT;OK +-p ip --ip-src ! 192.168.0.0/24 -j ACCEPT;-p IPv4 --ip-src ! 192.168.0.0/24 -j ACCEPT;OK -p IPv4 --ip-dst 10.0.0.1;=;OK -p IPv4 --ip-tos 0xFF;=;OK --p IPv4 ! --ip-tos 0xFF;=;OK +-p IPv4 --ip-tos ! 0xFF;=;OK -p IPv4 --ip-proto tcp --ip-dport 22;=;OK -p IPv4 --ip-proto udp --ip-sport 1024:65535;=;OK -p IPv4 --ip-proto 253;=;OK -p IPv4 --ip-proto icmp --ip-icmp-type echo-request;=;OK -p IPv4 --ip-proto icmp --ip-icmp-type 1/1;=;OK --p ip --ip-protocol icmp --ip-icmp-type ! 1:10;-p IPv4 --ip-proto icmp ! --ip-icmp-type 1:10/0:255 -j CONTINUE;OK +-p ip --ip-protocol icmp --ip-icmp-type ! 1:10;-p IPv4 --ip-proto icmp --ip-icmp-type ! 1:10/0:255 -j CONTINUE;OK --ip-proto icmp --ip-icmp-type 1/1;=;FAIL ! -p ip --ip-proto icmp --ip-icmp-type 1/1;=;FAIL 
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c index b7277649..b8a5a5d8 100644 --- a/extensions/libebt_ip6.c +++ b/extensions/libebt_ip6.c @@ -399,31 +399,31 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match, struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; if (ipinfo->bitmask & EBT_IP6_SOURCE) { + printf("--ip6-src "); if (ipinfo->invflags & EBT_IP6_SOURCE) printf("! "); - printf("--ip6-src "); printf("%s", xtables_ip6addr_to_numeric(&ipinfo->saddr)); printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->smsk)); } if (ipinfo->bitmask & EBT_IP6_DEST) { + printf("--ip6-dst "); if (ipinfo->invflags & EBT_IP6_DEST) printf("! "); - printf("--ip6-dst "); printf("%s", xtables_ip6addr_to_numeric(&ipinfo->daddr)); printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->dmsk)); } if (ipinfo->bitmask & EBT_IP6_TCLASS) { + printf("--ip6-tclass "); if (ipinfo->invflags & EBT_IP6_TCLASS) printf("! "); - printf("--ip6-tclass "); printf("0x%02X ", ipinfo->tclass); } if (ipinfo->bitmask & EBT_IP6_PROTO) { struct protoent *pe; + printf("--ip6-proto "); if (ipinfo->invflags & EBT_IP6_PROTO) printf("! "); - printf("--ip6-proto "); pe = getprotobynumber(ipinfo->protocol); if (pe == NULL) { printf("%d ", ipinfo->protocol); @@ -432,21 +432,21 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match, } } if (ipinfo->bitmask & EBT_IP6_SPORT) { + printf("--ip6-sport "); if (ipinfo->invflags & EBT_IP6_SPORT) printf("! "); - printf("--ip6-sport "); print_port_range(ipinfo->sport); } if (ipinfo->bitmask & EBT_IP6_DPORT) { + printf("--ip6-dport "); if (ipinfo->invflags & EBT_IP6_DPORT) printf("! "); - printf("--ip6-dport "); print_port_range(ipinfo->dport); } if (ipinfo->bitmask & EBT_IP6_ICMP6) { + printf("--ip6-icmp-type "); if (ipinfo->invflags & EBT_IP6_ICMP6) printf("! "); - printf("--ip6-icmp-type "); print_icmp_type(ipinfo->icmpv6_type, ipinfo->icmpv6_code); } } 
diff --git a/extensions/libebt_ip6.t b/extensions/libebt_ip6.t index 6b3221ea..fa1038af 100644 --- a/extensions/libebt_ip6.t +++ b/extensions/libebt_ip6.t @@ -1,15 +1,15 @@ :INPUT,FORWARD,OUTPUT --p ip6 ! --ip6-src dead::beef/64 -j ACCEPT;-p IPv6 ! --ip6-src dead::/64 -j ACCEPT;OK +-p ip6 --ip6-src ! dead::beef/64 -j ACCEPT;-p IPv6 --ip6-src ! dead::/64 -j ACCEPT;OK -p IPv6 --ip6-dst dead:beef::/64 -j ACCEPT;=;OK -p IPv6 --ip6-dst f00:ba::;=;OK -p IPv6 --ip6-tclass 0xFF;=;OK -p IPv6 --ip6-proto tcp --ip6-dport 22;=;OK --p IPv6 --ip6-proto tcp ! --ip6-dport 22;=;OK +-p IPv6 --ip6-proto tcp --ip6-dport ! 22;=;OK -p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK -p IPv6 --ip6-proto 253;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request;=;OK -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1;-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type communication-prohibited -j CONTINUE;OK --p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;OK +-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! 1:10/0:255;=;OK --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL ! -p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL diff --git a/extensions/libebt_mark_m.c b/extensions/libebt_mark_m.c index 64ad926f..2462d0af 100644 --- a/extensions/libebt_mark_m.c +++ b/extensions/libebt_mark_m.c @@ -86,9 +86,9 @@ static void brmark_m_print(const void *ip, const struct xt_entry_match *match, { struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data; + printf("--mark "); if (info->invert) printf("! "); - printf("--mark "); if (info->bitmask == EBT_MARK_OR) printf("/0x%lx ", info->mask); else if (info->mask != 0xffffffff) diff --git a/extensions/libebt_mark_m.t b/extensions/libebt_mark_m.t index 9ad41704..00035427 100644 --- a/extensions/libebt_mark_m.t +++ b/extensions/libebt_mark_m.t 
@@ -1,6 +1,6 @@ :INPUT,FORWARD,OUTPUT --mark 42;--mark 0x2a;OK ---mark ! 42;! --mark 0x2a;OK +--mark ! 42;--mark ! 0x2a;OK --mark 42/0xff;--mark 0x2a/0xff;OK -! --mark 0x1/0xff;=;OK +--mark ! 0x1/0xff;=;OK --mark /0x2;=;OK diff --git a/extensions/libebt_pkttype.c b/extensions/libebt_pkttype.c index 265674d1..4e2d19de 100644 --- a/extensions/libebt_pkttype.c +++ b/extensions/libebt_pkttype.c @@ -75,10 +75,7 @@ static void brpkttype_print(const void *ip, const struct xt_entry_match *match, { struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data; - if (pt->invert) - printf("! "); - - printf("--pkttype-type "); + printf("--pkttype-type %s", pt->invert ? "! " : ""); if (pt->pkt_type < ARRAY_SIZE(classes)) printf("%s ", classes[pt->pkt_type]); diff --git a/extensions/libebt_pkttype.t b/extensions/libebt_pkttype.t index f870f5c7..e3b95ded 100644 --- a/extensions/libebt_pkttype.t +++ b/extensions/libebt_pkttype.t @@ -1,13 +1,14 @@ :INPUT,FORWARD,OUTPUT +! --pkttype-type host;--pkttype-type ! host -j CONTINUE;OK --pkttype-type host;=;OK -! --pkttype-type host;=;OK +--pkttype-type ! host;=;OK --pkttype-type broadcast;=;OK -! --pkttype-type broadcast;=;OK +--pkttype-type ! broadcast;=;OK --pkttype-type multicast;=;OK -! --pkttype-type multicast;=;OK +--pkttype-type ! multicast;=;OK --pkttype-type otherhost;=;OK -! --pkttype-type otherhost;=;OK +--pkttype-type ! otherhost;=;OK --pkttype-type outgoing;=;OK -! --pkttype-type outgoing;=;OK +--pkttype-type ! outgoing;=;OK --pkttype-type loopback;=;OK -! --pkttype-type loopback;=;OK +--pkttype-type ! loopback;=;OK diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t index 72081fd6..0d678fb2 100644 --- a/extensions/libebt_standard.t +++ b/extensions/libebt_standard.t 
@@ -6,6 +6,6 @@ -d de:ad:be:ef:00:00 -j CONTINUE;=;OK -d de:ad:be:ef:0:00/ff:ff:ff:ff:0:0 -j DROP;-d de:ad:be:ef:00:00/ff:ff:ff:ff:00:00 -j DROP;OK -p ARP -j ACCEPT;=;OK -! -p ARP -j ACCEPT;=;OK +-p ! ARP -j ACCEPT;=;OK -p 0 -j ACCEPT;=;FAIL -! -p 0 -j ACCEPT;=;FAIL +-p ! 0 -j ACCEPT;=;FAIL diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c index 33e4c8d9..06cf93b8 100644 --- a/extensions/libebt_stp.c +++ b/extensions/libebt_stp.c @@ -307,9 +307,8 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match, for (i = 0; i < STP_NUMOPS; i++) { if (!(stpinfo->bitmask & (1 << i))) continue; - if (stpinfo->invflags & (1 << i)) - printf("! "); - printf("--%s ", brstp_opts[i].name); + printf("--%s %s", brstp_opts[i].name, + (stpinfo->invflags & (1 << i)) ? "! " : ""); if (EBT_STP_TYPE == (1 << i)) { if (stpinfo->type == BPDU_TYPE_CONFIG) printf("%s", BPDU_TYPE_CONFIG_STRING); diff --git a/extensions/libebt_vlan.c b/extensions/libebt_vlan.c index 4a2eb712..fa697921 100644 --- a/extensions/libebt_vlan.c +++ b/extensions/libebt_vlan.c @@ -12,6 +12,7 @@ #include <getopt.h> #include <ctype.h> #include <xtables.h> +#include <netinet/if_ether.h> #include <linux/netfilter_bridge/ebt_vlan.h> #include <linux/if_ether.h> #include "iptables/nft.h" 
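Review bot: The added `#include <netinet/if_ether.h>` sits in the same translation unit as the existing `#include <linux/if_ether.h>`, so the libc and the kernel UAPI declarations of `struct ethhdr` are both visible; on libc/kernel-header combinations that do not coordinate through the `__UAPI_DEF_ETHHDR` guard this is a known cause of redefinition errors, so the build should be checked against older glibc and against musl before release. The hunk does not show which symbol the new header provides, so a short comment on the include line would help the next reader, e.g. `/* for <symbol>; not provided by linux/if_ether.h */` with the real name filled in. If the symbols used in brvlan_print and the parser are available from one of the two headers alone, keeping only that one avoids the conflict entirely.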
@@ -108,19 +109,14 @@ static void brvlan_print(const void *ip, const struct xt_entry_match *match, struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data; if (vlaninfo->bitmask & EBT_VLAN_ID) { - if (vlaninfo->invflags & EBT_VLAN_ID) - printf("! "); - printf("--vlan-id %d ", vlaninfo->id); + printf("--vlan-id %s%d ", (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", vlaninfo->id); } if (vlaninfo->bitmask & EBT_VLAN_PRIO) { - if (vlaninfo->invflags & EBT_VLAN_PRIO) - printf("! "); - printf("--vlan-prio %d ", vlaninfo->prio); + printf("--vlan-prio %s%d ", (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", vlaninfo->prio); } if (vlaninfo->bitmask & EBT_VLAN_ENCAP) { - if (vlaninfo->invflags & EBT_VLAN_ENCAP) - printf("! "); - printf("--vlan-encap %4.4X ", ntohs(vlaninfo->encap)); + printf("--vlan-encap %s", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : ""); + printf("%4.4X ", ntohs(vlaninfo->encap)); } } diff --git a/extensions/libebt_vlan.t b/extensions/libebt_vlan.t index 106374cd..81c79585 100644 --- a/extensions/libebt_vlan.t +++ b/extensions/libebt_vlan.t @@ -1,13 +1,13 @@ :INPUT,FORWARD,OUTPUT -p 802_1Q --vlan-id 42;=;OK --p 802_1Q ! --vlan-id 42;=;OK +-p 802_1Q --vlan-id ! 42;=;OK -p 802_1Q --vlan-prio 1;=;OK --p 802_1Q ! --vlan-prio 1;=;OK +-p 802_1Q --vlan-prio ! 1;=;OK -p 802_1Q --vlan-encap ip;-p 802_1Q --vlan-encap 0800 -j CONTINUE;OK -p 802_1Q --vlan-encap 0800 ;=;OK --p 802_1Q ! --vlan-encap 0800 ;=;OK --p 802_1Q --vlan-encap IPv6 ! --vlan-id 1;-p 802_1Q ! --vlan-id 1 --vlan-encap 86DD -j CONTINUE;OK --p 802_1Q ! --vlan-id 1 --vlan-encap 86DD;=;OK +-p 802_1Q --vlan-encap ! 0800 ;=;OK +-p 802_1Q --vlan-encap IPv6 ! --vlan-id 1;-p 802_1Q --vlan-id ! 1 --vlan-encap 86DD -j CONTINUE;OK +-p 802_1Q --vlan-id ! 1 --vlan-encap 86DD;=;OK --vlan-encap ip;=;FAIL --vlan-id 2;=;FAIL --vlan-prio 1;=;FAIL diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c index 45a71875..cc7bfaeb 100644 --- a/extensions/libip6t_icmp6.c 
+++ b/extensions/libip6t_icmp6.c @@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, type_name = icmp6_type_xlate(icmptype); if (type_name) { - xt_xlate_add(xl, type_name); + xt_xlate_add(xl, "%s", type_name); } else { for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) if (icmpv6_codes[i].type == icmptype && @@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, break; if (i != ARRAY_SIZE(icmpv6_codes)) - xt_xlate_add(xl, icmpv6_codes[i].name); + xt_xlate_add(xl, "%s", icmpv6_codes[i].name); else return 0; } diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate index ccc07c3d..f5d638c0 100644 --- a/extensions/libip6t_mh.txlate +++ b/extensions/libip6t_mh.txlate @@ -1,5 +1,5 @@ ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT -nft add rule ip6 filter INPUT meta l4proto 135 mh type 1 counter accept +nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT -nft add rule ip6 filter INPUT meta l4proto 135 mh type 1-3 counter accept +nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c index 54189976..e76257c5 100644 --- a/extensions/libipt_icmp.c +++ b/extensions/libipt_icmp.c @@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, if (icmp_codes[i].type == icmptype && icmp_codes[i].code_min == code_min && icmp_codes[i].code_max == code_max) { - xt_xlate_add(xl, icmp_codes[i].name); + xt_xlate_add(xl, "%s", icmp_codes[i].name); return 1; } } diff --git a/extensions/libipt_realm.man b/extensions/libipt_realm.man index a40b1adc..72dff9b2 100644 --- a/extensions/libipt_realm.man +++ b/extensions/libipt_realm.man 
@@ -5,3 +5,5 @@ setups involving dynamic routing protocols like BGP. Matches a given realm number (and optionally mask). If not a number, value can be a named realm from /etc/iproute2/rt_realms (mask can not be used in that case). +Both value and mask are four byte unsigned integers and may be specified in +decimal, hex (by prefixing with "0x") or octal (if a leading zero is given). diff --git a/extensions/libxt_AUDIT.man b/extensions/libxt_AUDIT.man index cd796967..4f5562e8 100644 --- a/extensions/libxt_AUDIT.man +++ b/extensions/libxt_AUDIT.man @@ -3,12 +3,14 @@ It can be used to record accepted, dropped, and rejected packets. See auditd(8) for additional details. .TP \fB\-\-type\fP {\fBaccept\fP|\fBdrop\fP|\fBreject\fP} -Set type of audit record. +Set type of audit record. Starting with linux-4.12, this option has no effect +on generated audit messages anymore. It is still accepted by iptables for +compatibility reasons, but ignored. .PP Example: .IP iptables \-N AUDIT_DROP .IP -iptables \-A AUDIT_DROP \-j AUDIT \-\-type drop +iptables \-A AUDIT_DROP \-j AUDIT .IP iptables \-A AUDIT_DROP \-j DROP diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c index f90082dc..75aaf0c4 100644 --- a/extensions/libxt_CLASSIFY.c +++ b/extensions/libxt_CLASSIFY.c @@ -73,6 +73,24 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target) TC_H_MAJ(clinfo->priority)>>16, TC_H_MIN(clinfo->priority)); } +static void +CLASSIFY_arp_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_classify_target_info *clinfo = + (const struct xt_classify_target_info *)target->data; + + printf(" --set-class %x:%x", + TC_H_MAJ(clinfo->priority)>>16, TC_H_MIN(clinfo->priority)); +} + +static void +CLASSIFY_arp_print(const void *ip, + const struct xt_entry_target *target, + int numeric) +{ + CLASSIFY_arp_save(ip, target); +} + static int CLASSIFY_xlate(struct xt_xlate *xl, const struct xt_xlate_tg_params *params) { 
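Review bot: CLASSIFY_arp_save and CLASSIFY_arp_print are added without a comment explaining why the ARP family needs its own printer; the only visible difference from CLASSIFY_save is the unpadded `%x:%x` format (the CLASSIFY_save format string itself is above the hunk), which the libarpt_CLASSIFY.t change in this commit confirms by expecting `--set-class 0:0`. A one-line comment above CLASSIFY_arp_save would capture that, e.g. `/* arptables prints the class id unpadded (see libarpt_CLASSIFY.t); the NFPROTO_UNSPEC printer uses a different field width */`. CLASSIFY_arp_print ignores its `numeric` argument exactly as CLASSIFY_print presumably does, which is fine but worth a `/* numeric unused: the class id has no symbolic form */` so it does not look like an oversight.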
@@ -98,21 +116,36 @@ static int CLASSIFY_xlate(struct xt_xlate *xl, return 1; } -static struct xtables_target classify_target = { - .family = NFPROTO_UNSPEC, - .name = "CLASSIFY", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_classify_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)), - .help = CLASSIFY_help, - .print = CLASSIFY_print, - .save = CLASSIFY_save, - .x6_parse = CLASSIFY_parse, - .x6_options = CLASSIFY_opts, - .xlate = CLASSIFY_xlate, +static struct xtables_target classify_tg_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "CLASSIFY", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_classify_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)), + .help = CLASSIFY_help, + .print = CLASSIFY_print, + .save = CLASSIFY_save, + .x6_parse = CLASSIFY_parse, + .x6_options = CLASSIFY_opts, + .xlate = CLASSIFY_xlate, + }, + { + .family = NFPROTO_ARP, + .name = "CLASSIFY", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_classify_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)), + .help = CLASSIFY_help, + .print = CLASSIFY_arp_print, + .save = CLASSIFY_arp_save, + .x6_parse = CLASSIFY_parse, + .x6_options = CLASSIFY_opts, + .xlate = CLASSIFY_xlate, + } }; void _init(void) { - xtables_register_target(&classify_target); + xtables_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg)); } diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c index 43aa9779..b765af6c 100644 --- a/extensions/libxt_MARK.c +++ b/extensions/libxt_MARK.c @@ -1,3 +1,4 @@ +#include <getopt.h> #include <stdbool.h> #include <stdio.h> #include <xtables.h> 
@@ -245,6 +246,87 @@ static void mark_tg_save(const void *ip, const struct xt_entry_target *target) printf(" --set-xmark 0x%x/0x%x", info->mark, info->mask); } +static void mark_tg_arp_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_mark_tginfo2 *info = (const void *)target->data; + + if (info->mark == 0) + printf(" --and-mark %x", (unsigned int)(uint32_t)~info->mask); + else if (info->mark == info->mask) + printf(" --or-mark %x", info->mark); + else + printf(" --set-mark %x", info->mark); +} + +static void mark_tg_arp_print(const void *ip, + const struct xt_entry_target *target, int numeric) +{ + mark_tg_arp_save(ip, target); +} + +#define MARK_OPT 1 +#define AND_MARK_OPT 2 +#define OR_MARK_OPT 3 + +static struct option mark_tg_arp_opts[] = { + { .name = "set-mark", .has_arg = required_argument, .flag = 0, .val = MARK_OPT }, + { .name = "and-mark", .has_arg = required_argument, .flag = 0, .val = AND_MARK_OPT }, + { .name = "or-mark", .has_arg = required_argument, .flag = 0, .val = OR_MARK_OPT }, + { .name = NULL} +}; + +static int +mark_tg_arp_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_mark_tginfo2 *info = + (struct xt_mark_tginfo2 *)(*target)->data; + int i; + + switch (c) { + case MARK_OPT: + if (sscanf(argv[optind-1], "%x", &i) != 1) { + xtables_error(PARAMETER_PROBLEM, + "Bad mark value `%s'", optarg); + return 0; + } + info->mark = i; + if (*flags) + xtables_error(PARAMETER_PROBLEM, + "MARK: Can't specify --set-mark twice"); + *flags = 1; + break; + case AND_MARK_OPT: + if (sscanf(argv[optind-1], "%x", &i) != 1) { + xtables_error(PARAMETER_PROBLEM, + "Bad mark value `%s'", optarg); + return 0; + } + info->mark = 0; + info->mask = ~i; + if (*flags) + xtables_error(PARAMETER_PROBLEM, + "MARK: Can't specify --and-mark twice"); + *flags = 1; + break; + case OR_MARK_OPT: + if (sscanf(argv[optind-1], "%x", &i) != 1) { + 
xtables_error(PARAMETER_PROBLEM, + "Bad mark value `%s'", optarg); + return 0; + } + info->mark = info->mask = i; + if (*flags) + xtables_error(PARAMETER_PROBLEM, + "MARK: Can't specify --or-mark twice"); + *flags = 1; + break; + default: + return 0; + } + return 1; +} + static int mark_tg_xlate(struct xt_xlate *xl, const struct xt_xlate_tg_params *params) { @@ -335,6 +417,19 @@ static struct xtables_target mark_tg_reg[] = { .x6_options = mark_tg_opts, .xlate = mark_tg_xlate, }, + { + .version = XTABLES_VERSION, + .name = "MARK", + .revision = 2, + .family = NFPROTO_ARP, + .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), + .help = mark_tg_help, + .print = mark_tg_arp_print, + .save = mark_tg_arp_save, + .parse = mark_tg_arp_parse, + .extra_opts = mark_tg_arp_opts, + }, }; void _init(void) diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 25325fc2..30a71ed2 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -1,6 +1,8 @@ This target will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This target requires connection tracking because sequence numbers need to be translated. +The kernels ability to absorb SYNFLOOD was greatly improved starting with +Linux 4.4, so this target should not be needed anymore to protect Linux servers. .TP \fB\-\-mss\fP \fImaximum segment size\fP Maximum segment size announced to clients. This must match the backend. diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man index 8d590a52..5187a8d2 100644 --- a/extensions/libxt_TRACE.man +++ b/extensions/libxt_TRACE.man 
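Review bot: mark_tg_arp_parse reads the value with `sscanf(argv[optind-1], "%x", &i)` in all three cases, which accepts trailing garbage (`--set-mark 0x1zz` parses as 1), passes an `int *` where `%x` requires an `unsigned int *`, and breaks the `--set-mark=VALUE` spelling because argv[optind-1] is then the whole `--set-mark=VALUE` token while the error message reports optarg. Parse optarg with strtoul in base 16 — base 16 rather than 0 so that the unprefixed hex which mark_tg_arp_save prints (`--or-mark 17` in the libarpt_MARK.t expectations) still round-trips through save/restore — and reject anything that is not a complete, in-range number; a small helper keeps the three cases identical (it needs `<errno.h>` for the ERANGE check, which matters where unsigned long is 32 bits). The `if (*flags)` duplicate-option check in each case runs after info has already been written, which is harmless only because xtables_error, to my knowledge, does not return; moving the check before the assignment makes that independent of the error callback.
```c
/* Parse an arptables MARK value: bare hex without 0x, the form mark_tg_arp_save prints. */
static uint32_t mark_tg_arp_parse_value(const char *s)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(s, &end, 16);
	if (s[0] == '\0' || *end != '\0' || errno == ERANGE || v > UINT32_MAX)
		xtables_error(PARAMETER_PROBLEM, "Bad mark value `%s'", s);
	return (uint32_t)v;
}

/* … unchanged: MARK_OPT/AND_MARK_OPT/OR_MARK_OPT defines and mark_tg_arp_opts … */

	switch (c) {
	case MARK_OPT:
		if (*flags)
			xtables_error(PARAMETER_PROBLEM,
				      "MARK: Can't specify --set-mark twice");
		info->mark = mark_tg_arp_parse_value(optarg);
		*flags = 1;
		break;
	case AND_MARK_OPT:
		/* … same twice-check … */
		info->mark = 0;
		info->mask = ~mark_tg_arp_parse_value(optarg);
		*flags = 1;
		break;
	case OR_MARK_OPT:
		/* … same twice-check … */
		info->mark = info->mask = mark_tg_arp_parse_value(optarg);
		*flags = 1;
		break;
	/* … unchanged: default case and return … */
```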
@@ -1,13 +1,20 @@ This target marks packets so that the kernel will log every rule which match -the packets as those traverse the tables, chains, rules. +the packets as those traverse the tables, chains, rules. It can only be used in +the +.BR raw +table. .PP -A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this -to be visible. +With iptables-legacy, a logging backend, such as ip(6)t_LOG or nfnetlink_log, +must be loaded for this to be visible. The packets are logged with the string prefix: "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the built in chains. -.br -It can only be used in the -.BR raw -table. +.PP +With iptables-nft, the target is translated into nftables' +.B "meta nftrace" +expression. Hence the kernel sends trace events via netlink to userspace where +they may be displayed using +.B "xtables-monitor --trace" +command. For details, refer to +.BR xtables-monitor (8). diff --git a/extensions/libxt_comment.t b/extensions/libxt_comment.t index f12cd668..f0c8fb99 100644 --- a/extensions/libxt_comment.t +++ b/extensions/libxt_comment.t @@ -1,6 +1,8 @@ :INPUT,FORWARD,OUTPUT -m comment;;FAIL -m comment --comment;;FAIL +-p tcp -m tcp --dport 22 -m comment --comment foo;=;OK +-p tcp -m comment --comment foo -m tcp --dport 22;=;OK # # it fails with 256 characters # diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c index d06bb27a..5a01fe72 100644 --- a/extensions/libxt_connlabel.c +++ b/extensions/libxt_connlabel.c @@ -1,8 +1,10 @@ +#define _GNU_SOURCE #include <errno.h> #include <stdbool.h> #include <string.h> #include <stdio.h> #include <stdint.h> +#include <stdlib.h> #include <xtables.h> #include <linux/netfilter/xt_connlabel.h> #include <libnetfilter_conntrack/libnetfilter_conntrack.h> 
@@ -32,40 +34,59 @@ static const struct xt_option_entry connlabel_mt_opts[] = { /* cannot do this via _init, else static builds might spew error message * for every iptables invocation. */ -static void connlabel_open(void) +static int connlabel_open(void) { const char *fname; if (map) - return; + return 0; map = nfct_labelmap_new(NULL); if (map != NULL) - return; + return 0; fname = nfct_labels_get_path(); if (errno) { - xtables_error(RESOURCE_PROBLEM, - "cannot open %s: %s", fname, strerror(errno)); + fprintf(stderr, "Warning: cannot open %s: %s\n", + fname, strerror(errno)); } else { xtables_error(RESOURCE_PROBLEM, "cannot parse %s: no labels found", fname); } + return 1; +} + +static int connlabel_value_parse(const char *in) +{ + char *end; + unsigned long value = strtoul(in, &end, 0); + + if (in[0] == '\0' || *end != '\0') + return -1; + + return value; } static void connlabel_mt_parse(struct xt_option_call *cb) { struct xt_connlabel_mtinfo *info = cb->data; + bool have_labelmap = !connlabel_open(); int tmp; - connlabel_open(); xtables_option_parse(cb); switch (cb->entry->id) { case O_LABEL: - tmp = nfct_labelmap_get_bit(map, cb->arg); + if (have_labelmap) + tmp = nfct_labelmap_get_bit(map, cb->arg); + else + tmp = connlabel_value_parse(cb->arg); + if (tmp < 0) - xtables_error(PARAMETER_PROBLEM, "label '%s' not found", cb->arg); + xtables_error(PARAMETER_PROBLEM, + "label '%s' not found or invalid value", + cb->arg); + info->bit = tmp; if (cb->invert) info->options |= XT_CONNLABEL_OP_INVERT; @@ -81,7 +102,8 @@ static const char *connlabel_get_name(int b) { const char *name; - connlabel_open(); + if (connlabel_open()) + return NULL; name = nfct_labelmap_get_name(map, b); if (name && strcmp(name, "")) 
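Review bot: connlabel_value_parse returns the `unsigned long` from strtoul through an `int`, and connlabel_mt_parse then stores that in `info->bit`, which in the kernel's xt_connlabel_mtinfo is a 16-bit field; the only rejection is `tmp < 0`, so an out-of-range number such as 65576 is silently narrowed to 40 and a value above INT_MAX (including the ULONG_MAX that strtoul returns on ERANGE) wraps to an arbitrary int. Bound the value before it is narrowed, with the limit the kernel header already defines: `if (in[0] == '\0' || *end != '\0' || value > XT_CONNLABEL_MAXBIT) return -1;` — that also makes the `"2048";;FAIL` case in the new libxt_connlabel.t fail in userspace instead of relying on the kernel to refuse the rule. Separately, connlabel_open keeps `map` NULL after a failure and nothing records the failed attempt, so each call from connlabel_mt_parse or connlabel_get_name retries nfct_labelmap_new and prints the "Warning: cannot open" line again, which is likely noisy for a restore with many connlabel rules; a static "tried" flag next to `map` would warn once. connlabel_mt_parse continues past the end of this hunk.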
@@ -134,9 +156,13 @@ static int connlabel_mt_xlate(struct xt_xlate *xl, const struct xt_connlabel_mtinfo *info = (const void *)params->match->data; const char *name = connlabel_get_name(info->bit); + char *valbuf = NULL; - if (name == NULL) - return 0; + if (name == NULL) { + if (asprintf(&valbuf, "%u", info->bit) < 0) + return 0; + name = valbuf; + } if (info->options & XT_CONNLABEL_OP_SET) xt_xlate_add(xl, "ct label set %s ", name); @@ -146,6 +172,7 @@ static int connlabel_mt_xlate(struct xt_xlate *xl, xt_xlate_add(xl, "and %s != ", name); xt_xlate_add(xl, "%s", name); + free(valbuf); return 1; } diff --git a/extensions/libxt_connlabel.t b/extensions/libxt_connlabel.t index aad1032b..7265bd47 100644 --- a/extensions/libxt_connlabel.t +++ b/extensions/libxt_connlabel.t @@ -1,18 +1,7 @@ :INPUT,FORWARD,OUTPUT -# Backup the connlabel.conf, then add some label maps for test -@[ -f /etc/xtables/connlabel.conf ] && mv /etc/xtables/connlabel.conf /tmp/connlabel.conf.bak -@mkdir -p /etc/xtables -@echo "40 bit40" > /etc/xtables/connlabel.conf -@echo "41 bit41" >> /etc/xtables/connlabel.conf -@echo "128 bit128" >> /etc/xtables/connlabel.conf --m connlabel --label "bit40";=;OK --m connlabel ! --label "bit40";=;OK --m connlabel --label "bit41" --set;=;OK --m connlabel ! --label "bit41" --set;=;OK --m connlabel --label "bit128";;FAIL -@echo > /etc/xtables/connlabel.conf --m connlabel --label "abc";;FAIL -@rm -f /etc/xtables/connlabel.conf --m connlabel --label "abc";;FAIL -# Restore the original connlabel.conf -@[ -f /tmp/connlabel.conf.bak ] && mv /tmp/connlabel.conf.bak /etc/xtables/connlabel.conf +-m connlabel --label "40";=;OK +-m connlabel ! --label "40";=;OK +-m connlabel --label "41" --set;=;OK +-m connlabel ! --label "41" --set;=;OK +-m connlabel --label "2048";;FAIL +-m connlabel --label "foobar_not_there";;FAIL diff --git a/extensions/libxt_connlabel.txlate b/extensions/libxt_connlabel.txlate index 5be42204..12e4ac03 100644 --- a/extensions/libxt_connlabel.txlate 
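Review bot: The numeric fallback in connlabel_mt_xlate heap-allocates through GNU `asprintf`, which is what the `_GNU_SOURCE` define added at the top of the file is for, adds a failure branch that makes the translation silently return 0, and needs the matching `free(valbuf)` in the following hunk. A `%u` of an unsigned value never needs more than ten digits, so a fixed local buffer with `snprintf` does the same job with no allocation, no failure path and no cleanup; the `free` in the second hunk and, if nothing else in the file needs it, the `_GNU_SOURCE` define can then go.

```c
	const char *name = connlabel_get_name(info->bit);
	char valbuf[sizeof("4294967295")];

	if (name == NULL) {
		snprintf(valbuf, sizeof(valbuf), "%u", info->bit);
		name = valbuf;
	}
	/* … unchanged: xt_xlate_add() calls building the ct label expression … */
```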
+++ b/extensions/libxt_connlabel.txlate @@ -1,5 +1,5 @@ -iptables-translate -A INPUT -m connlabel --label bit40 -nft add rule ip filter INPUT ct label bit40 counter +iptables-translate -A INPUT -m connlabel --label 40 +nft add rule ip filter INPUT ct label 40 counter -iptables-translate -A INPUT -m connlabel ! --label bit40 --set -nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter +iptables-translate -A INPUT -m connlabel ! --label 40 --set +nft add rule ip filter INPUT ct label set 40 ct label and 40 != 40 counter diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c index a6c57a03..51952be4 100644 --- a/extensions/libxt_ipvs.c +++ b/extensions/libxt_ipvs.c @@ -27,7 +27,7 @@ enum { static const struct xt_option_entry ipvs_mt_opts[] = { {.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE, .flags = XTOPT_INVERT}, - {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_STRING, + {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_PROTOCOL, .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)}, {.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK, .flags = XTOPT_INVERT}, @@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb) xtables_option_parse(cb); switch (cb->entry->id) { - case O_VPROTO: - data->l4proto = cb->val.protocol; - break; case O_VADDR: memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr)); memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask)); @@ -168,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data, if (data->bitmask & XT_IPVS_PROTO) { if (data->invert & XT_IPVS_PROTO) printf(" !"); - printf(" %sproto %u", prefix, data->l4proto); + printf(" %svproto %u", prefix, data->l4proto); } if (data->bitmask & XT_IPVS_VADDR) { diff --git a/extensions/libxt_ipvs.t b/extensions/libxt_ipvs.t new file mode 100644 index 00000000..c2acc666 --- /dev/null +++ b/extensions/libxt_ipvs.t 
@@ -0,0 +1,20 @@ +:INPUT,FORWARD,OUTPUT +-m ipvs --ipvs;=;OK +-m ipvs ! --ipvs;=;OK +-m ipvs --vproto tcp;-m ipvs --vproto 6;OK +-m ipvs ! --vproto TCP;-m ipvs ! --vproto 6;OK +-m ipvs --vproto 23;=;OK +-m ipvs --vaddr 1.2.3.4;=;OK +-m ipvs ! --vaddr 1.2.3.4/255.255.255.0;-m ipvs ! --vaddr 1.2.3.4/24;OK +-m ipvs --vport http;-m ipvs --vport 80;OK +-m ipvs ! --vport ssh;-m ipvs ! --vport 22;OK +-m ipvs --vport 22;=;OK +-m ipvs ! --vport 443;=;OK +-m ipvs --vdir ORIGINAL;=;OK +-m ipvs --vdir REPLY;=;OK +-m ipvs --vmethod GATE;=;OK +-m ipvs ! --vmethod IPIP;=;OK +-m ipvs --vmethod MASQ;=;OK +-m ipvs --vportctl 21;=;OK +-m ipvs ! --vportctl 21;=;OK +-m ipvs --vproto 6 --vaddr 1.2.3.4/16 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man index f3a85fb0..5ba92ce0 100644 --- a/extensions/libxt_osf.man +++ b/extensions/libxt_osf.man @@ -41,5 +41,5 @@ To remove them again, .PP \fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP .PP -The fingerprint database can be downlaoded from +The fingerprint database can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . |