Commit 268c6aa1 authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Merge tag 'debian/1.8.5-3' into debian/buster-backports



Debian package 1.8.5-3
Signed-off-by: default avatarArturo Borrero Gonzalez <arturo@debian.org>
parents ada8a2c9 9fa0e185
...@@ -70,20 +70,36 @@ static void nfacct_save(const void *ip, const struct xt_entry_match *match) ...@@ -70,20 +70,36 @@ static void nfacct_save(const void *ip, const struct xt_entry_match *match)
nfacct_print_name(info, "--"); nfacct_print_name(info, "--");
} }
static struct xtables_match nfacct_match = { static struct xtables_match nfacct_matches[] = {
.family = NFPROTO_UNSPEC, {
.name = "nfacct", .family = NFPROTO_UNSPEC,
.version = XTABLES_VERSION, .revision = 0,
.size = XT_ALIGN(sizeof(struct xt_nfacct_match_info)), .name = "nfacct",
.userspacesize = offsetof(struct xt_nfacct_match_info, nfacct), .version = XTABLES_VERSION,
.help = nfacct_help, .size = XT_ALIGN(sizeof(struct xt_nfacct_match_info)),
.x6_parse = nfacct_parse, .userspacesize = offsetof(struct xt_nfacct_match_info, nfacct),
.print = nfacct_print, .help = nfacct_help,
.save = nfacct_save, .x6_parse = nfacct_parse,
.x6_options = nfacct_opts, .print = nfacct_print,
.save = nfacct_save,
.x6_options = nfacct_opts,
},
{
.family = NFPROTO_UNSPEC,
.revision = 1,
.name = "nfacct",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nfacct_match_info_v1)),
.userspacesize = offsetof(struct xt_nfacct_match_info_v1, nfacct),
.help = nfacct_help,
.x6_parse = nfacct_parse,
.print = nfacct_print,
.save = nfacct_save,
.x6_options = nfacct_opts,
},
}; };
void _init(void) void _init(void)
{ {
xtables_register_match(&nfacct_match); xtables_register_matches(nfacct_matches, ARRAY_SIZE(nfacct_matches));
} }
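Review bot: The shared nfacct_parse/nfacct_print/nfacct_save callbacks now serve two revisions whose payload structs differ in where the kernel-private `nfacct` pointer lands (the v1 struct added later in this commit aligns it to 8 bytes), so they are only correct as long as they touch nothing beyond the leading `name` field, which sits at offset 0 in both layouts; nothing in `nfacct_matches` records that constraint. A comment on the array such as `/* revisions 0 and 1 differ only in the alignment of the kernel-private pointer; the shared callbacks must access ->name only */` would protect the next change. The callbacks themselves are outside this hunk, so that they honour this is inferred only from `userspacesize` stopping at `nfacct` in both entries.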
...@@ -40,7 +40,7 @@ static void osf_help(void) ...@@ -40,7 +40,7 @@ static void osf_help(void)
"--ttl level Use some TTL check extensions to determine OS:\n" "--ttl level Use some TTL check extensions to determine OS:\n"
" 0 true ip and fingerprint TTL comparison. Works for LAN.\n" " 0 true ip and fingerprint TTL comparison. Works for LAN.\n"
" 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n" " 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n"
" 2 do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n" " 2 do not compare TTL at all. This allows NMAP detection, but can produce false results.\n"
"--log level Log determined genres into dmesg even if they do not match desired one:\n" "--log level Log determined genres into dmesg even if they do not match desired one:\n"
" 0 log all matched or unknown signatures.\n" " 0 log all matched or unknown signatures.\n"
" 1 log only first one.\n" " 1 log only first one.\n"
......
The osf module does passive operating system fingerprinting. This modules The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF, compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set. and others) from packets with the SYN bit set.
.TP .TP
...@@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> ...@@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use: fingerprints from a file, use:
.PP .PP
\fBnfnl_osf -f /usr/share/xtables/pf.os\fP \fBnfnl_osf \-f /usr/share/xtables/pf.os\fP
.PP .PP
To remove them again, To remove them again,
.PP .PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP \fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
.PP .PP
The fingerprint database can be downloaded from The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
...@@ -56,6 +56,7 @@ enum { ...@@ -56,6 +56,7 @@ enum {
O_PROCESS, O_PROCESS,
O_SESSION, O_SESSION,
O_COMM, O_COMM,
O_SUPPL_GROUPS,
}; };
static void owner_mt_help_v0(void) static void owner_mt_help_v0(void)
...@@ -87,7 +88,8 @@ static void owner_mt_help(void) ...@@ -87,7 +88,8 @@ static void owner_mt_help(void)
"owner match options:\n" "owner match options:\n"
"[!] --uid-owner userid[-userid] Match local UID\n" "[!] --uid-owner userid[-userid] Match local UID\n"
"[!] --gid-owner groupid[-groupid] Match local GID\n" "[!] --gid-owner groupid[-groupid] Match local GID\n"
"[!] --socket-exists Match if socket exists\n"); "[!] --socket-exists Match if socket exists\n"
" --suppl-groups Also match supplementary groups set with --gid-owner\n");
} }
#define s struct ipt_owner_info #define s struct ipt_owner_info
...@@ -131,6 +133,7 @@ static const struct xt_option_entry owner_mt_opts[] = { ...@@ -131,6 +133,7 @@ static const struct xt_option_entry owner_mt_opts[] = {
.flags = XTOPT_INVERT}, .flags = XTOPT_INVERT},
{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE, {.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
.flags = XTOPT_INVERT}, .flags = XTOPT_INVERT},
{.name = "suppl-groups", .id = O_SUPPL_GROUPS, .type = XTTYPE_NONE},
XTOPT_TABLEEND, XTOPT_TABLEEND,
}; };
...@@ -275,6 +278,11 @@ static void owner_mt_parse(struct xt_option_call *cb) ...@@ -275,6 +278,11 @@ static void owner_mt_parse(struct xt_option_call *cb)
info->invert |= XT_OWNER_SOCKET; info->invert |= XT_OWNER_SOCKET;
info->match |= XT_OWNER_SOCKET; info->match |= XT_OWNER_SOCKET;
break; break;
case O_SUPPL_GROUPS:
if (!(info->match & XT_OWNER_GID))
xtables_param_act(XTF_BAD_VALUE, "owner", "--suppl-groups", "you need to use --gid-owner first");
info->match |= XT_OWNER_SUPPL_GROUPS;
break;
} }
} }
...@@ -455,9 +463,10 @@ static void owner_mt_print(const void *ip, const struct xt_entry_match *match, ...@@ -455,9 +463,10 @@ static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
{ {
const struct xt_owner_match_info *info = (void *)match->data; const struct xt_owner_match_info *info = (void *)match->data;
owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric); owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric);
owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric); owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric);
owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric); owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric);
owner_mt_print_item(info, "incl. suppl. groups", XT_OWNER_SUPPL_GROUPS, numeric);
} }
static void static void
...@@ -487,9 +496,10 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match) ...@@ -487,9 +496,10 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
{ {
const struct xt_owner_match_info *info = (void *)match->data; const struct xt_owner_match_info *info = (void *)match->data;
owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true); owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true);
owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true); owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true);
owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true); owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
owner_mt_print_item(info, "--suppl-groups", XT_OWNER_SUPPL_GROUPS, true);
} }
static int static int
......
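Review bot: XT_OWNER_SUPPL_GROUPS is a new bit in the existing `match` field rather than a new match revision, so a ruleset saved with `--suppl-groups` loads on a kernel that predates the flag with the bit simply ignored unless that kernel rejects unknown match bits at check time (not visible here); the rule then matches the primary GID only and the operator ends up with a silently narrower filter than the saved rule suggests. That is a property of the kernel interface rather than something the parser can repair, but a comment at the new `case O_SUPPL_GROUPS:` naming the minimum kernel that honours the bit (placeholder: `/* requires kernel >= <version> */`) would make the dependency visible. Separately, the `--gid-owner`-first requirement is enforced during parsing, so the option is order-dependent (the test file added in this commit encodes that as intended); the help line should say so, e.g. `" --suppl-groups Also match supplementary groups set with --gid-owner (must follow --gid-owner)\n"`. The enclosing owner_mt_parse starts and ends outside the hunk.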
...@@ -15,5 +15,9 @@ given user. You may also specify a numerical UID, or an UID range. ...@@ -15,5 +15,9 @@ given user. You may also specify a numerical UID, or an UID range.
Matches if the packet socket's file structure is owned by the given group. Matches if the packet socket's file structure is owned by the given group.
You may also specify a numerical GID, or a GID range. You may also specify a numerical GID, or a GID range.
.TP .TP
\fB\-\-suppl\-groups\fP
Causes group(s) specified with \fB\-\-gid-owner\fP to be also checked in the
supplementary groups of a process.
.TP
[\fB!\fP] \fB\-\-socket\-exists\fP [\fB!\fP] \fB\-\-socket\-exists\fP
Matches if the packet is associated with a socket. Matches if the packet is associated with a socket.
...@@ -8,5 +8,9 @@ ...@@ -8,5 +8,9 @@
-m owner --uid-owner 0-10 --gid-owner 0-10;=;OK -m owner --uid-owner 0-10 --gid-owner 0-10;=;OK
-m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK -m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK
-m owner --socket-exists;=;OK -m owner --socket-exists;=;OK
-m owner --gid-owner 0-10 --suppl-groups;=;OK
-m owner --suppl-groups --gid-owner 0-10;;FAIL
-m owner --gid-owner 0-10 ! --suppl-groups;;FAIL
-m owner --suppl-groups;;FAIL
:INPUT :INPUT
-m owner --uid-owner root;;FAIL -m owner --uid-owner root;;FAIL
This modules matches the policy used by IPsec for handling a packet. This module matches the policy used by IPsec for handling a packet.
.TP .TP
\fB\-\-dir\fP {\fBin\fP|\fBout\fP} \fB\-\-dir\fP {\fBin\fP|\fBout\fP}
Used to select whether to match the policy used for decapsulation or the Used to select whether to match the policy used for decapsulation or the
......
This module matches Stream Control Transmission Protocol headers.
.TP .TP
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP .TP
......
...@@ -61,5 +61,5 @@ when the set was defined without counter support. ...@@ -61,5 +61,5 @@ when the set was defined without counter support.
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions. not clash with an option of other extensions.
.PP .PP
Use of -m set requires that ipset kernel support is provided, which, for Use of \-m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39. standard kernels, is the case since Linux 2.6.39.
This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
.TP .TP
\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP} \fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
......
...@@ -258,6 +258,16 @@ static unsigned int time_parse_weekdays(const char *arg) ...@@ -258,6 +258,16 @@ static unsigned int time_parse_weekdays(const char *arg)
return ret; return ret;
} }
static unsigned int time_count_weekdays(unsigned int weekdays_mask)
{
unsigned int ret;
for (ret = 0; weekdays_mask; weekdays_mask >>= 1)
ret += weekdays_mask & 1;
return ret;
}
static void time_parse(struct xt_option_call *cb) static void time_parse(struct xt_option_call *cb)
{ {
struct xt_time_info *info = cb->data; struct xt_time_info *info = cb->data;
...@@ -330,7 +340,7 @@ static void time_print_monthdays(uint32_t mask, bool human_readable) ...@@ -330,7 +340,7 @@ static void time_print_monthdays(uint32_t mask, bool human_readable)
printf(" "); printf(" ");
for (i = 1; i <= 31; ++i) for (i = 1; i <= 31; ++i)
if (mask & (1 << i)) { if (mask & (1u << i)) {
if (nbdays++ > 0) if (nbdays++ > 0)
printf(","); printf(",");
printf("%u", i); printf("%u", i);
...@@ -450,6 +460,67 @@ static void time_check(struct xt_fcheck_call *cb) ...@@ -450,6 +460,67 @@ static void time_check(struct xt_fcheck_call *cb)
"time: --contiguous only makes sense when stoptime is smaller than starttime"); "time: --contiguous only makes sense when stoptime is smaller than starttime");
} }
static int time_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_time_info *info =
(const struct xt_time_info *)params->match->data;
unsigned int h, m, s,
i, sep, mask, count;
time_t tt_start, tt_stop;
struct tm *t_start, *t_stop;
if (info->date_start != 0 ||
info->date_stop != INT_MAX) {
tt_start = (time_t) info->date_start;
tt_stop = (time_t) info->date_stop;
xt_xlate_add(xl, "meta time ");
t_start = gmtime(&tt_start);
xt_xlate_add(xl, "\"%04u-%02u-%02u %02u:%02u:%02u\"",
t_start->tm_year + 1900, t_start->tm_mon + 1,
t_start->tm_mday, t_start->tm_hour,
t_start->tm_min, t_start->tm_sec);
t_stop = gmtime(&tt_stop);
xt_xlate_add(xl, "-\"%04u-%02u-%02u %02u:%02u:%02u\"",
t_stop->tm_year + 1900, t_stop->tm_mon + 1,
t_stop->tm_mday, t_stop->tm_hour,
t_stop->tm_min, t_stop->tm_sec);
}
if (info->daytime_start != XT_TIME_MIN_DAYTIME ||
info->daytime_stop != XT_TIME_MAX_DAYTIME) {
divide_time(info->daytime_start, &h, &m, &s);
xt_xlate_add(xl, " meta hour \"%02u:%02u:%02u\"", h, m, s);
divide_time(info->daytime_stop, &h, &m, &s);
xt_xlate_add(xl, "-\"%02u:%02u:%02u\"", h, m, s);
}
/* nft_time does not support --monthdays */
if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS)
return 0;
if (info->weekdays_match != XT_TIME_ALL_WEEKDAYS) {
sep = 0;
mask = info->weekdays_match;
count = time_count_weekdays(mask);
xt_xlate_add(xl, " meta day ");
if (count > 1)
xt_xlate_add(xl, "{");
for (i = 1; i <= 7; ++i)
if (mask & (1 << i)) {
if (sep)
xt_xlate_add(xl, ",%u", i%7);
else {
xt_xlate_add(xl, "%u", i%7);
++sep;
}
}
if (count > 1)
xt_xlate_add(xl, "}");
}
return 1;
}
static struct xtables_match time_match = { static struct xtables_match time_match = {
.name = "time", .name = "time",
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
...@@ -463,6 +534,7 @@ static struct xtables_match time_match = { ...@@ -463,6 +534,7 @@ static struct xtables_match time_match = {
.x6_parse = time_parse, .x6_parse = time_parse,
.x6_fcheck = time_check, .x6_fcheck = time_check,
.x6_options = time_opts, .x6_options = time_opts,
.xlate = time_xlate,
}; };
void _init(void) void _init(void)
......
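Review bot: time_xlate has already appended the `meta time` and `meta hour` fragments to `xl` when it discovers that `--monthdays` cannot be translated and returns 0, so a partial translation is left behind unless the caller discards the buffer on a 0 return (not visible here); moving the `info->monthdays_match != XT_TIME_ALL_MONTHDAYS` check to the top of the function avoids the question. The function also never consults `info->flags`, so a rule built with `--contiguous` (see time_check in the hunk above) or `--kerneltz` is translated as if those modifiers were absent, producing a rule with different semantics rather than a refusal; returning 0 when any such bit is set would be the safer default. Minor: the weekday loop tests `mask & (1 << i)` while this same commit changed the monthdays loop to `1u << i`; `if (mask & (1u << i)) {` keeps the two consistent.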
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --weekdays Sa,Su -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta day {6,0} counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestart 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta hour "12:00:00"-"23:59:59" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestop 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta hour "00:00:00"-"12:00:00" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2021 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2021-01-01 00:00:00"-"2038-01-19 03:14:07" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestop 2021 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-01 00:00:00" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestop 2021-01-29T00:00:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-29 00:00:00" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"23:59:59" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {1,2,3,4,5} counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 ! --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {6,0} counter reject
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
...@@ -92,10 +92,10 @@ host_triplet = @host@ ...@@ -92,10 +92,10 @@ host_triplet = @host@
@ENABLE_LIBIPQ_TRUE@am__append_1 = libipq/libipq.h @ENABLE_LIBIPQ_TRUE@am__append_1 = libipq/libipq.h
subdir = include subdir = include
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4) $(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__include_HEADERS_DIST) \ DIST_COMMON = $(srcdir)/Makefile.am $(am__include_HEADERS_DIST) \
...@@ -208,9 +208,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ ...@@ -208,9 +208,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@ LD = @LD@
LDFLAGS = @LDFLAGS@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@ LIBOBJS = @LIBOBJS@
LIBS = @LIBS@ LIBS = @LIBS@
LIBTOOL = @LIBTOOL@ LIBTOOL = @LIBTOOL@
...@@ -244,8 +241,6 @@ SET_MAKE = @SET_MAKE@ ...@@ -244,8 +241,6 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@ SHELL = @SHELL@
STRIP = @STRIP@ STRIP = @STRIP@
VERSION = @VERSION@ VERSION = @VERSION@
YACC = @YACC@
YFLAGS = @YFLAGS@
abs_builddir = @abs_builddir@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@ abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@ abs_top_builddir = @abs_top_builddir@
...@@ -290,7 +285,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@ ...@@ -290,7 +285,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir = @ksourcedir@ ksourcedir = @ksourcedir@
libdir = @libdir@ libdir = @libdir@
libexecdir = @libexecdir@ libexecdir = @libexecdir@
libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@
libmnl_CFLAGS = @libmnl_CFLAGS@ libmnl_CFLAGS = @libmnl_CFLAGS@
libmnl_LIBS = @libmnl_LIBS@ libmnl_LIBS = @libmnl_LIBS@
libnetfilter_conntrack_CFLAGS = @libnetfilter_conntrack_CFLAGS@ libnetfilter_conntrack_CFLAGS = @libnetfilter_conntrack_CFLAGS@
...@@ -349,8 +343,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status ...@@ -349,8 +343,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
*config.status*) \ *config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \ *) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac; esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
...@@ -467,7 +461,10 @@ cscopelist-am: $(am__tagged_files) ...@@ -467,7 +461,10 @@ cscopelist-am: $(am__tagged_files)
distclean-tags: distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES) distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \ list='$(DISTFILES)'; \
......
#ifndef IPTABLES_INTERNAL_H #ifndef IPTABLES_INTERNAL_H
#define IPTABLES_INTERNAL_H 1 #define IPTABLES_INTERNAL_H 1
#define IPTABLES_VERSION "@PACKAGE_VERSION@"
/** /**
* Program's own name and version. * Program's own name and version.
*/ */
......
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include <linux/types.h> #include <linux/types.h>
#define MAX_IDLETIMER_LABEL_SIZE 28 #define MAX_IDLETIMER_LABEL_SIZE 28
#define XT_IDLETIMER_ALARM 0x01
struct idletimer_tg_info { struct idletimer_tg_info {
__u32 timeout; __u32 timeout;
...@@ -42,4 +43,15 @@ struct idletimer_tg_info { ...@@ -42,4 +43,15 @@ struct idletimer_tg_info {
struct idletimer_tg *timer __attribute__((aligned(8))); struct idletimer_tg *timer __attribute__((aligned(8)));
}; };
struct idletimer_tg_info_v1 {
__u32 timeout;
char label[MAX_IDLETIMER_LABEL_SIZE];
__u8 send_nl_msg; /* unused: for compatibility with Android */
__u8 timer_type;
/* for kernel module internal use only */
struct idletimer_tg *timer __attribute__((aligned(8)));
};
#endif #endif
...@@ -14,4 +14,9 @@ struct xt_nfacct_match_info { ...@@ -14,4 +14,9 @@ struct xt_nfacct_match_info {
struct nf_acct *nfacct; struct nf_acct *nfacct;
}; };
struct xt_nfacct_match_info_v1 {
char name[NFACCT_NAME_MAX];
struct nf_acct *nfacct __attribute__((aligned(8)));
};
#endif /* _XT_NFACCT_MATCH_H */ #endif /* _XT_NFACCT_MATCH_H */
...@@ -4,9 +4,10 @@ ...@@ -4,9 +4,10 @@
#include <linux/types.h> #include <linux/types.h>
enum { enum {
XT_OWNER_UID = 1 << 0, XT_OWNER_UID = 1 << 0,
XT_OWNER_GID = 1 << 1, XT_OWNER_GID = 1 << 1,
XT_OWNER_SOCKET = 1 << 2, XT_OWNER_SOCKET = 1 << 2,
XT_OWNER_SUPPL_GROUPS = 1 << 3,
}; };
struct xt_owner_match_info { struct xt_owner_match_info {
......
...@@ -40,19 +40,19 @@ struct xt_sctp_info { ...@@ -40,19 +40,19 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \ #define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \ do { \
(chunkmap)[type / bytes(__u32)] |= \ (chunkmap)[type / bytes(__u32)] |= \
1 << (type % bytes(__u32)); \ 1u << (type % bytes(__u32)); \
} while (0) } while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \ do { \
(chunkmap)[type / bytes(__u32)] &= \ (chunkmap)[type / bytes(__u32)] &= \
~(1 << (type % bytes(__u32))); \ ~(1u << (type % bytes(__u32))); \
} while (0) } while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \ ({ \
((chunkmap)[type / bytes (__u32)] & \ ((chunkmap)[type / bytes (__u32)] & \
(1 << (type % bytes (__u32)))) ? 1: 0; \ (1u << (type % bytes (__u32)))) ? 1: 0; \
}) })
#define SCTP_CHUNKMAP_RESET(chunkmap) \ #define SCTP_CHUNKMAP_RESET(chunkmap) \
......
...@@ -448,6 +448,7 @@ extern struct xtables_match *xtables_matches; ...@@ -448,6 +448,7 @@ extern struct xtables_match *xtables_matches;
extern struct xtables_target *xtables_targets; extern struct xtables_target *xtables_targets;
extern void xtables_init(void); extern void xtables_init(void);
extern void xtables_fini(void);
extern void xtables_set_nfproto(uint8_t); extern void xtables_set_nfproto(uint8_t);
extern void *xtables_calloc(size_t, size_t); extern void *xtables_calloc(size_t, size_t);
extern void *xtables_malloc(size_t); extern void *xtables_malloc(size_t);
......
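Review bot: `xtables_fini` is added to the public libxtables header without a comment stating what it releases and whether `xtables_init` may be called again afterwards, which is what a caller of a teardown function needs to know; a one-line `/* Release resources acquired by xtables_init(); must be called last */` style note would cover it, adjusted to what the implementation (outside this hunk) actually does. Adding an exported symbol to a shared library also normally goes with a libtool version-info update, which this page does not show.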
#!/usr/bin/python #!/usr/bin/env python
# #
# (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org> # (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
# #
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
# This software has been sponsored by Sophos Astaro <http://www.sophos.com> # This software has been sponsored by Sophos Astaro <http://www.sophos.com>
# #
from __future__ import print_function
import sys import sys
import os import os
import subprocess import subprocess
...@@ -45,7 +46,7 @@ def print_error(reason, filename=None, lineno=None): ...@@ -45,7 +46,7 @@ def print_error(reason, filename=None, lineno=None):
''' '''
Prints an error with nice colors, indicating file and line number. Prints an error with nice colors, indicating file and line number.
''' '''
print (filename + ": " + Colors.RED + "ERROR" + print(filename + ": " + Colors.RED + "ERROR" +
Colors.ENDC + ": line %d (%s)" % (lineno, reason)) Colors.ENDC + ": line %d (%s)" % (lineno, reason))
...@@ -118,8 +119,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns): ...@@ -118,8 +119,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
elif splitted[0] == EBTABLES: elif splitted[0] == EBTABLES:
command = EBTABLES_SAVE command = EBTABLES_SAVE
path = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE command = EXECUTEABLE + " " + command
command = path + " " + command
if netns: if netns:
command = "ip netns exec ____iptables-container-test " + command command = "ip netns exec ____iptables-container-test " + command
...@@ -140,7 +140,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns): ...@@ -140,7 +140,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
return -1 return -1
# find the rule # find the rule
matching = out.find(rule_save) matching = out.find(rule_save.encode('utf-8'))
if matching < 0: if matching < 0:
reason = "cannot find: " + iptables + " -I " + rule reason = "cannot find: " + iptables + " -I " + rule
print_error(reason, filename, lineno) print_error(reason, filename, lineno)
...@@ -164,9 +164,9 @@ def execute_cmd(cmd, filename, lineno): ...@@ -164,9 +164,9 @@ def execute_cmd(cmd, filename, lineno):
''' '''
global log_file global log_file
if cmd.startswith('iptables ') or cmd.startswith('ip6tables ') or cmd.startswith('ebtables ') or cmd.startswith('arptables '): if cmd.startswith('iptables ') or cmd.startswith('ip6tables ') or cmd.startswith('ebtables ') or cmd.startswith('arptables '):
cmd = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE + " " + cmd cmd = EXECUTEABLE + " " + cmd
print >> log_file, "command: %s" % cmd print("command: {}".format(cmd), file=log_file)
ret = subprocess.call(cmd, shell=True, universal_newlines=True, ret = subprocess.call(cmd, shell=True, universal_newlines=True,
stderr=subprocess.STDOUT, stdout=log_file) stderr=subprocess.STDOUT, stdout=log_file)
log_file.flush() log_file.flush()
...@@ -221,7 +221,7 @@ def run_test_file(filename, netns): ...@@ -221,7 +221,7 @@ def run_test_file(filename, netns):
execute_cmd("ip netns add ____iptables-container-test", filename, 0) execute_cmd("ip netns add ____iptables-container-test", filename, 0)
for lineno, line in enumerate(f): for lineno, line in enumerate(f):
if line[0] == "#": if line[0] == "#" or len(line.strip()) == 0:
continue continue
if line[0] == ":": if line[0] == ":":
...@@ -249,7 +249,7 @@ def run_test_file(filename, netns): ...@@ -249,7 +249,7 @@ def run_test_file(filename, netns):
continue continue
if len(chain_array) == 0: if len(chain_array) == 0:
print "broken test, missing chain, leaving" print("broken test, missing chain, leaving")
sys.exit() sys.exit()
test_passed = True test_passed = True
...@@ -282,7 +282,7 @@ def run_test_file(filename, netns): ...@@ -282,7 +282,7 @@ def run_test_file(filename, netns):
if netns: if netns:
execute_cmd("ip netns del ____iptables-container-test", filename, 0) execute_cmd("ip netns del ____iptables-container-test", filename, 0)
if total_test_passed: if total_test_passed:
print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC print(filename + ": " + Colors.GREEN + "OK" + Colors.ENDC)
f.close() f.close()
return tests, passed return tests, passed
...@@ -302,7 +302,7 @@ def show_missing(): ...@@ -302,7 +302,7 @@ def show_missing():
missing = [test_name(i) for i in libfiles missing = [test_name(i) for i in libfiles
if not test_name(i) in testfiles] if not test_name(i) in testfiles]
print '\n'.join(missing) print('\n'.join(missing))
# #
...@@ -313,6 +313,8 @@ def main(): ...@@ -313,6 +313,8 @@ def main():
parser.add_argument('filename', nargs='?', parser.add_argument('filename', nargs='?',
metavar='path/to/file.t', metavar='path/to/file.t',
help='Run only this test') help='Run only this test')
parser.add_argument('-H', '--host', action='store_true',
help='Run tests against installed binaries')
parser.add_argument('-l', '--legacy', action='store_true', parser.add_argument('-l', '--legacy', action='store_true',
help='Test iptables-legacy') help='Test iptables-legacy')
parser.add_argument('-m', '--missing', action='store_true', parser.add_argument('-m', '--missing', action='store_true',
...@@ -336,11 +338,13 @@ def main(): ...@@ -336,11 +338,13 @@ def main():
EXECUTEABLE = "xtables-nft-multi" EXECUTEABLE = "xtables-nft-multi"
if os.getuid() != 0: if os.getuid() != 0:
print "You need to be root to run this, sorry" print("You need to be root to run this, sorry")
return return
os.putenv("XTABLES_LIBDIR", os.path.abspath(EXTENSIONS_PATH)) if not args.host:
os.putenv("PATH", "%s/iptables:%s" % (os.path.abspath(os.path.curdir), os.getenv("PATH"))) os.putenv("XTABLES_LIBDIR", os.path.abspath(EXTENSIONS_PATH))
os.putenv("PATH", "%s/iptables:%s" % (os.path.abspath(os.path.curdir),
os.getenv("PATH")))
test_files = 0 test_files = 0
tests = 0 tests = 0
...@@ -351,13 +355,17 @@ def main(): ...@@ -351,13 +355,17 @@ def main():
try: try:
log_file = open(LOGFILE, 'w') log_file = open(LOGFILE, 'w')
except IOError: except IOError:
print "Couldn't open log file %s" % LOGFILE print("Couldn't open log file %s" % LOGFILE)
return return
file_list = [os.path.join(EXTENSIONS_PATH, i)
for i in os.listdir(EXTENSIONS_PATH)]
if args.filename: if args.filename:
file_list = [args.filename] file_list = [args.filename]
else:
file_list = [os.path.join(EXTENSIONS_PATH, i)
for i in os.listdir(EXTENSIONS_PATH)
if i.endswith('.t')]
file_list.sort()
for filename in file_list: for filename in file_list:
file_tests, file_passed = run_test_file(filename, args.netns) file_tests, file_passed = run_test_file(filename, args.netns)
if file_tests: if file_tests:
...@@ -365,8 +373,7 @@ def main(): ...@@ -365,8 +373,7 @@ def main():
passed += file_passed passed += file_passed
test_files += 1 test_files += 1
print ("%d test files, %d unit tests, %d passed" % print("%d test files, %d unit tests, %d passed" % (test_files, tests, passed))
(test_files, tests, passed))
if __name__ == '__main__': if __name__ == '__main__':
......
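Review bot: With `--host`, `EXECUTEABLE` (xtables-nft-multi or xtables-legacy-multi) is now invoked by bare name in both run_test and execute_cmd, so the run only works when the multi-binary is on PATH; on an installation that keeps it elsewhere every test fails with a shell "command not found" rather than one clear message. A check after the `if not args.host:` block that the binary resolves, printing a single error and returning, would make that failure mode explicit. Minor style point in run_test_file: `if line[0] == "#" or len(line.strip()) == 0:` reads more naturally as `if line[0] == "#" or not line.strip():`. The enclosing main and run_test_file functions start and end outside these hunks.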