Skip to content

GitLab

Commit 268c6aa1 authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez
Browse files

Merge tag 'debian/1.8.5-3' into debian/buster-backports 



Debian package 1.8.5-3
Signed-off-by: default avatarArturo Borrero Gonzalez <arturo@debian.org>
parents ada8a2c9 9fa0e185
Hide whitespace changes
Inline Side-by-side
iptables/.gitignore
View file @ 268c6aa1
......@@ -3,6 +3,7 @@
/ip6tables-restore
/ip6tables-static
/ip6tables-translate.8
/ip6tables-restore-translate.8
/iptables
/iptables.8
/iptables-extensions.8
......@@ -13,14 +14,12 @@
/iptables-restore.8
/iptables-static
/iptables-translate.8
/iptables-restore-translate.8
/iptables-xml
/iptables-xml.1
/xtables-multi
/xtables-legacy-multi
/xtables-nft-multi
/xtables-config-parser.c
/xtables-config-parser.h
/xtables-config-syntax.c
/xtables-monitor.8
/xtables.pc
iptables/Makefile.am
View file @ 268c6aa1
......@@ -2,7 +2,6 @@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS}
AM_YFLAGS = -d
BUILT_SOURCES =
......@@ -27,7 +26,6 @@ xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
# iptables using nf_tables api
if ENABLE_NFTABLES
BUILT_SOURCES += xtables-config-parser.h
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
......@@ -35,19 +33,16 @@ if ENABLE_STATIC
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
endif
xtables_nft_multi_CFLAGS += -DENABLE_NFTABLES -DENABLE_IPV4 -DENABLE_IPV6
xtables_nft_multi_SOURCES += xtables-config-parser.y xtables-config-syntax.l
xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \
xtables-standalone.c xtables.c nft.c \
nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
xtables-monitor.c \
xtables-monitor.c nft-cache.c \
xtables-arp-standalone.c xtables-arp.c \
nft-bridge.c \
nft-bridge.c nft-cmd.c \
xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \
xtables-translate.c
xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
# yacc and lex generate dirty code
xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
xtables_nft_multi_SOURCES += xshared.c
xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm
endif
......@@ -59,16 +54,20 @@ endif
man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
ip6tables-save.8 iptables-extensions.8 \
xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
iptables-translate.8 ip6tables-translate.8 \
xtables-monitor.8
iptables-apply.8 ip6tables-apply.8
sbin_SCRIPT = iptables-apply
if ENABLE_NFTABLES
man_MANS += arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \
ebtables-nft.8
man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
iptables-translate.8 ip6tables-translate.8 \
iptables-restore-translate.8 ip6tables-restore-translate.8 \
xtables-monitor.8 \
arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \
ebtables-nft.8
endif
CLEANFILES = iptables.8 xtables-monitor.8 \
iptables-translate.8 ip6tables-translate.8 \
xtables-config-parser.c xtables-config-syntax.c
iptables-translate.8 ip6tables-translate.8
vx_bin_links = iptables-xml
if ENABLE_IPV4
......@@ -98,7 +97,7 @@ iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../e
-e '/@MATCH@/ r ../extensions/matches.man' \
-e '/@TARGET@/ r ../extensions/targets.man' $< >$@;
iptables-translate.8 ip6tables-translate.8:
iptables-translate.8 ip6tables-translate.8 iptables-restore-translate.8 ip6tables-restore-translate.8:
${AM_VERBOSE_GEN} echo '.so man8/xtables-translate.8' >$@
pkgconfig_DATA = xtables.pc
......@@ -111,3 +110,4 @@ install-exec-hook:
for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply"
iptables/Makefile.in
View file @ 268c6aa1
# Makefile.in generated by automake 1.15 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -97,21 +97,22 @@ host_triplet = @host@
@ENABLE_IPV6_TRUE@am__append_5 = ip6tables-standalone.c ip6tables.c
@ENABLE_IPV6_TRUE@am__append_6 = -DENABLE_IPV6
@ENABLE_IPV6_TRUE@am__append_7 = ../libiptc/libip6tc.la ../extensions/libext6.a
# iptables using nf_tables api
@ENABLE_NFTABLES_TRUE@am__append_8 = xtables-config-parser.h
@ENABLE_NFTABLES_TRUE@@ENABLE_STATIC_TRUE@am__append_9 = -DALL_INCLUSIVE
@ENABLE_NFTABLES_TRUE@@ENABLE_STATIC_TRUE@am__append_8 = -DALL_INCLUSIVE
sbin_PROGRAMS = xtables-legacy-multi$(EXEEXT) $(am__EXEEXT_1)
@ENABLE_NFTABLES_TRUE@am__append_10 = xtables-nft-multi
@ENABLE_NFTABLES_TRUE@am__append_11 = arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \
@ENABLE_NFTABLES_TRUE@ ebtables-nft.8
@ENABLE_NFTABLES_TRUE@am__append_9 = xtables-nft-multi
@ENABLE_NFTABLES_TRUE@am__append_10 = xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
@ENABLE_NFTABLES_TRUE@ iptables-translate.8 ip6tables-translate.8 \
@ENABLE_NFTABLES_TRUE@ iptables-restore-translate.8 ip6tables-restore-translate.8 \
@ENABLE_NFTABLES_TRUE@ xtables-monitor.8 \
@ENABLE_NFTABLES_TRUE@ arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \
@ENABLE_NFTABLES_TRUE@ ebtables-nft.8
subdir = iptables
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
......@@ -151,16 +152,14 @@ xtables_legacy_multi_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
$(xtables_legacy_multi_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \
iptables-xml.c xtables-config-parser.y xtables-config-syntax.l \
xtables-save.c xtables-restore.c xtables-standalone.c \
xtables.c nft.c nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
xtables-monitor.c xtables-arp-standalone.c xtables-arp.c \
nft-bridge.c xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c xtables-translate.c xshared.c
iptables-xml.c xtables-save.c xtables-restore.c \
xtables-standalone.c xtables.c nft.c nft-shared.c nft-ipv4.c \
nft-ipv6.c nft-arp.c xtables-monitor.c nft-cache.c \
xtables-arp-standalone.c xtables-arp.c nft-bridge.c nft-cmd.c \
xtables-eb-standalone.c xtables-eb.c xtables-eb-translate.c \
xtables-translate.c xshared.c
@ENABLE_NFTABLES_TRUE@am_xtables_nft_multi_OBJECTS = xtables_nft_multi-xtables-nft-multi.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-iptables-xml.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-config-parser.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-config-syntax.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-save.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-restore.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-standalone.$(OBJEXT) \
......@@ -171,9 +170,11 @@ am__xtables_nft_multi_SOURCES_DIST = xtables-nft-multi.c \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-ipv6.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-arp.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-monitor.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-cache.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp-standalone.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-arp.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-bridge.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-nft-cmd.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-standalone.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb.$(OBJEXT) \
@ENABLE_NFTABLES_TRUE@ xtables_nft_multi-xtables-eb-translate.$(OBJEXT) \
......@@ -210,7 +211,39 @@ am__v_at_0 = @
am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
am__depfiles_maybe = depfiles
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = \
./$(DEPDIR)/xtables_legacy_multi-ip6tables-standalone.Po \
./$(DEPDIR)/xtables_legacy_multi-ip6tables.Po \
./$(DEPDIR)/xtables_legacy_multi-iptables-restore.Po \
./$(DEPDIR)/xtables_legacy_multi-iptables-save.Po \
./$(DEPDIR)/xtables_legacy_multi-iptables-standalone.Po \
./$(DEPDIR)/xtables_legacy_multi-iptables-xml.Po \
./$(DEPDIR)/xtables_legacy_multi-iptables.Po \
./$(DEPDIR)/xtables_legacy_multi-xshared.Po \
./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po \
./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po \
./$(DEPDIR)/xtables_nft_multi-nft-arp.Po \
./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po \
./$(DEPDIR)/xtables_nft_multi-nft-cache.Po \
./$(DEPDIR)/xtables_nft_multi-nft-cmd.Po \
./$(DEPDIR)/xtables_nft_multi-nft-ipv4.Po \
./$(DEPDIR)/xtables_nft_multi-nft-ipv6.Po \
./$(DEPDIR)/xtables_nft_multi-nft-shared.Po \
./$(DEPDIR)/xtables_nft_multi-nft.Po \
./$(DEPDIR)/xtables_nft_multi-xshared.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-eb.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-monitor.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-restore.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-save.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-standalone.Po \
./$(DEPDIR)/xtables_nft_multi-xtables-translate.Po \
./$(DEPDIR)/xtables_nft_multi-xtables.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
......@@ -230,23 +263,6 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
AM_V_LEX = $(am__v_LEX_@AM_V@)
am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
am__v_LEX_0 = @echo " LEX " $@;
am__v_LEX_1 =
YLWRAP = $(top_srcdir)/build-aux/ylwrap
am__yacc_c2h = sed -e s/cc$$/hh/ -e s/cpp$$/hpp/ -e s/cxx$$/hxx/ \
-e s/c++$$/h++/ -e s/c$$/h/
YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
AM_V_YACC = $(am__v_YACC_@AM_V@)
am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
am__v_YACC_0 = @echo " YACC " $@;
am__v_YACC_1 =
SOURCES = $(xtables_legacy_multi_SOURCES) $(xtables_nft_multi_SOURCES)
DIST_SOURCES = $(am__xtables_legacy_multi_SOURCES_DIST) \
$(am__xtables_nft_multi_SOURCES_DIST)
......@@ -311,9 +327,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/iptables-apply.8.in \
$(srcdir)/iptables-restore.8.in $(srcdir)/iptables-save.8.in \
$(srcdir)/iptables-xml.1.in $(srcdir)/iptables.8.in \
$(srcdir)/xtables-monitor.8.in $(srcdir)/xtables.pc.in \
$(top_srcdir)/build-aux/depcomp $(top_srcdir)/build-aux/ylwrap \
xtables-config-parser.c xtables-config-parser.h \
xtables-config-syntax.c
$(top_srcdir)/build-aux/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
pkgdatadir = @pkgdatadir@
ACLOCAL = @ACLOCAL@
......@@ -349,9 +363,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
......@@ -385,8 +396,6 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
YFLAGS = @YFLAGS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
......@@ -431,7 +440,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir = @ksourcedir@
libdir = @libdir@
libexecdir = @libexecdir@
libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@
libmnl_CFLAGS = @libmnl_CFLAGS@
libmnl_LIBS = @libmnl_LIBS@
libnetfilter_conntrack_CFLAGS = @libnetfilter_conntrack_CFLAGS@
......@@ -468,8 +476,7 @@ top_srcdir = @top_srcdir@
xtlibdir = @xtlibdir@
AM_CFLAGS = ${regular_CFLAGS}
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -I${top_srcdir} ${kinclude_CPPFLAGS} ${libmnl_CFLAGS} ${libnftnl_CFLAGS} ${libnetfilter_conntrack_CFLAGS}
AM_YFLAGS = -d
BUILT_SOURCES = $(am__append_8)
BUILT_SOURCES =
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c \
$(am__append_2) $(am__append_5) xshared.c iptables-restore.c \
iptables-save.c
......@@ -477,18 +484,20 @@ xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} $(am__append_1) \
$(am__append_3) $(am__append_6)
xtables_legacy_multi_LDADD = ../extensions/libext.a $(am__append_4) \
$(am__append_7) ../libxtables/libxtables.la -lm
# iptables using nf_tables api
@ENABLE_NFTABLES_TRUE@xtables_nft_multi_SOURCES = xtables-nft-multi.c \
@ENABLE_NFTABLES_TRUE@ iptables-xml.c xtables-config-parser.y \
@ENABLE_NFTABLES_TRUE@ xtables-config-syntax.l xtables-save.c \
@ENABLE_NFTABLES_TRUE@ iptables-xml.c xtables-save.c \
@ENABLE_NFTABLES_TRUE@ xtables-restore.c xtables-standalone.c \
@ENABLE_NFTABLES_TRUE@ xtables.c nft.c nft-shared.c nft-ipv4.c \
@ENABLE_NFTABLES_TRUE@ nft-ipv6.c nft-arp.c xtables-monitor.c \
@ENABLE_NFTABLES_TRUE@ xtables-arp-standalone.c xtables-arp.c \
@ENABLE_NFTABLES_TRUE@ nft-bridge.c xtables-eb-standalone.c \
@ENABLE_NFTABLES_TRUE@ xtables-eb.c xtables-eb-translate.c \
@ENABLE_NFTABLES_TRUE@ nft-cache.c xtables-arp-standalone.c \
@ENABLE_NFTABLES_TRUE@ xtables-arp.c nft-bridge.c nft-cmd.c \
@ENABLE_NFTABLES_TRUE@ xtables-eb-standalone.c xtables-eb.c \
@ENABLE_NFTABLES_TRUE@ xtables-eb-translate.c \
@ENABLE_NFTABLES_TRUE@ xtables-translate.c xshared.c
@ENABLE_NFTABLES_TRUE@xtables_nft_multi_CFLAGS = ${AM_CFLAGS} \
@ENABLE_NFTABLES_TRUE@ $(am__append_9) -DENABLE_NFTABLES \
@ENABLE_NFTABLES_TRUE@ $(am__append_8) -DENABLE_NFTABLES \
@ENABLE_NFTABLES_TRUE@ -DENABLE_IPV4 -DENABLE_IPV6
@ENABLE_NFTABLES_TRUE@xtables_nft_multi_LDADD = \
@ENABLE_NFTABLES_TRUE@ ../extensions/libext.a \
......@@ -502,12 +511,11 @@ xtables_legacy_multi_LDADD = ../extensions/libext.a $(am__append_4) \
@ENABLE_NFTABLES_TRUE@ ../libxtables/libxtables.la -lm
man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
ip6tables-save.8 iptables-extensions.8 xtables-nft.8 \
xtables-translate.8 xtables-legacy.8 iptables-translate.8 \
ip6tables-translate.8 xtables-monitor.8 $(am__append_11)
ip6tables-save.8 iptables-extensions.8 iptables-apply.8 \
ip6tables-apply.8 $(am__append_10)
sbin_SCRIPT = iptables-apply
CLEANFILES = iptables.8 xtables-monitor.8 \
iptables-translate.8 ip6tables-translate.8 \
xtables-config-parser.c xtables-config-syntax.c
iptables-translate.8 ip6tables-translate.8
vx_bin_links = iptables-xml
@ENABLE_IPV4_TRUE@v4_sbin_links = iptables-legacy iptables-legacy-restore iptables-legacy-save \
......@@ -533,7 +541,7 @@ all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .l .lo .o .obj .y
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
......@@ -551,8 +559,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
......@@ -632,9 +640,6 @@ clean-sbinPROGRAMS:
xtables-legacy-multi$(EXEEXT): $(xtables_legacy_multi_OBJECTS) $(xtables_legacy_multi_DEPENDENCIES) $(EXTRA_xtables_legacy_multi_DEPENDENCIES)
@rm -f xtables-legacy-multi$(EXEEXT)
$(AM_V_CCLD)$(xtables_legacy_multi_LINK) $(xtables_legacy_multi_OBJECTS) $(xtables_legacy_multi_LDADD) $(LIBS)
xtables-config-parser.h: xtables-config-parser.c
@if test ! -f $@; then rm -f xtables-config-parser.c; else :; fi
@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) xtables-config-parser.c; else :; fi
xtables-nft-multi$(EXEEXT): $(xtables_nft_multi_OBJECTS) $(xtables_nft_multi_DEPENDENCIES) $(EXTRA_xtables_nft_multi_DEPENDENCIES)
@rm -f xtables-nft-multi$(EXEEXT)
......@@ -646,37 +651,43 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-ip6tables-standalone.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-ip6tables.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-restore.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-save.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-standalone.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-xml.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xshared.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-arp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-ipv4.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-ipv6.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-shared.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xshared.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-config-parser.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-monitor.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-restore.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-save.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-standalone.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-translate.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-ip6tables-standalone.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-ip6tables.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-restore.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-save.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-standalone.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables-xml.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-iptables.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xshared.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-arp.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-cache.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-cmd.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-ipv4.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-ipv6.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft-shared.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-nft.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xshared.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-eb.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-monitor.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-restore.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-save.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-standalone.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables-translate.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables_nft_multi-xtables.Po@am__quote@ # am--include-marker
$(am__depfiles_remade):
@$(MKDIR_P) $(@D)
@echo '# dummy' >$@-t && $(am__mv) $@-t $@
am--depfiles: $(am__depfiles_remade)
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
......@@ -853,34 +864,6 @@ xtables_nft_multi-iptables-xml.obj: iptables-xml.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi`
xtables_nft_multi-xtables-config-parser.o: xtables-config-parser.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-config-parser.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-config-parser.Tpo -c -o xtables_nft_multi-xtables-config-parser.o `test -f 'xtables-config-parser.c' || echo '$(srcdir)/'`xtables-config-parser.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-config-parser.Tpo $(DEPDIR)/xtables_nft_multi-xtables-config-parser.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-config-parser.c' object='xtables_nft_multi-xtables-config-parser.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-config-parser.o `test -f 'xtables-config-parser.c' || echo '$(srcdir)/'`xtables-config-parser.c
xtables_nft_multi-xtables-config-parser.obj: xtables-config-parser.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-config-parser.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-config-parser.Tpo -c -o xtables_nft_multi-xtables-config-parser.obj `if test -f 'xtables-config-parser.c'; then $(CYGPATH_W) 'xtables-config-parser.c'; else $(CYGPATH_W) '$(srcdir)/xtables-config-parser.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-config-parser.Tpo $(DEPDIR)/xtables_nft_multi-xtables-config-parser.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-config-parser.c' object='xtables_nft_multi-xtables-config-parser.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-config-parser.obj `if test -f 'xtables-config-parser.c'; then $(CYGPATH_W) 'xtables-config-parser.c'; else $(CYGPATH_W) '$(srcdir)/xtables-config-parser.c'; fi`
xtables_nft_multi-xtables-config-syntax.o: xtables-config-syntax.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-config-syntax.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Tpo -c -o xtables_nft_multi-xtables-config-syntax.o `test -f 'xtables-config-syntax.c' || echo '$(srcdir)/'`xtables-config-syntax.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Tpo $(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-config-syntax.c' object='xtables_nft_multi-xtables-config-syntax.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-config-syntax.o `test -f 'xtables-config-syntax.c' || echo '$(srcdir)/'`xtables-config-syntax.c
xtables_nft_multi-xtables-config-syntax.obj: xtables-config-syntax.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-config-syntax.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Tpo -c -o xtables_nft_multi-xtables-config-syntax.obj `if test -f 'xtables-config-syntax.c'; then $(CYGPATH_W) 'xtables-config-syntax.c'; else $(CYGPATH_W) '$(srcdir)/xtables-config-syntax.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Tpo $(DEPDIR)/xtables_nft_multi-xtables-config-syntax.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xtables-config-syntax.c' object='xtables_nft_multi-xtables-config-syntax.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-config-syntax.obj `if test -f 'xtables-config-syntax.c'; then $(CYGPATH_W) 'xtables-config-syntax.c'; else $(CYGPATH_W) '$(srcdir)/xtables-config-syntax.c'; fi`
xtables_nft_multi-xtables-save.o: xtables-save.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-save.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo -c -o xtables_nft_multi-xtables-save.o `test -f 'xtables-save.c' || echo '$(srcdir)/'`xtables-save.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-save.Tpo $(DEPDIR)/xtables_nft_multi-xtables-save.Po
......@@ -1021,6 +1004,20 @@ xtables_nft_multi-xtables-monitor.obj: xtables-monitor.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xtables-monitor.obj `if test -f 'xtables-monitor.c'; then $(CYGPATH_W) 'xtables-monitor.c'; else $(CYGPATH_W) '$(srcdir)/xtables-monitor.c'; fi`
xtables_nft_multi-nft-cache.o: nft-cache.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cache.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo -c -o xtables_nft_multi-nft-cache.o `test -f 'nft-cache.c' || echo '$(srcdir)/'`nft-cache.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo $(DEPDIR)/xtables_nft_multi-nft-cache.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cache.c' object='xtables_nft_multi-nft-cache.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cache.o `test -f 'nft-cache.c' || echo '$(srcdir)/'`nft-cache.c
xtables_nft_multi-nft-cache.obj: nft-cache.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cache.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo -c -o xtables_nft_multi-nft-cache.obj `if test -f 'nft-cache.c'; then $(CYGPATH_W) 'nft-cache.c'; else $(CYGPATH_W) '$(srcdir)/nft-cache.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cache.Tpo $(DEPDIR)/xtables_nft_multi-nft-cache.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cache.c' object='xtables_nft_multi-nft-cache.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cache.obj `if test -f 'nft-cache.c'; then $(CYGPATH_W) 'nft-cache.c'; else $(CYGPATH_W) '$(srcdir)/nft-cache.c'; fi`
xtables_nft_multi-xtables-arp-standalone.o: xtables-arp-standalone.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-arp-standalone.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Tpo -c -o xtables_nft_multi-xtables-arp-standalone.o `test -f 'xtables-arp-standalone.c' || echo '$(srcdir)/'`xtables-arp-standalone.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po
......@@ -1063,6 +1060,20 @@ xtables_nft_multi-nft-bridge.obj: nft-bridge.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-bridge.obj `if test -f 'nft-bridge.c'; then $(CYGPATH_W) 'nft-bridge.c'; else $(CYGPATH_W) '$(srcdir)/nft-bridge.c'; fi`
xtables_nft_multi-nft-cmd.o: nft-cmd.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cmd.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo -c -o xtables_nft_multi-nft-cmd.o `test -f 'nft-cmd.c' || echo '$(srcdir)/'`nft-cmd.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo $(DEPDIR)/xtables_nft_multi-nft-cmd.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cmd.c' object='xtables_nft_multi-nft-cmd.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cmd.o `test -f 'nft-cmd.c' || echo '$(srcdir)/'`nft-cmd.c
xtables_nft_multi-nft-cmd.obj: nft-cmd.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-nft-cmd.obj -MD -MP -MF $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo -c -o xtables_nft_multi-nft-cmd.obj `if test -f 'nft-cmd.c'; then $(CYGPATH_W) 'nft-cmd.c'; else $(CYGPATH_W) '$(srcdir)/nft-cmd.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-nft-cmd.Tpo $(DEPDIR)/xtables_nft_multi-nft-cmd.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='nft-cmd.c' object='xtables_nft_multi-nft-cmd.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-nft-cmd.obj `if test -f 'nft-cmd.c'; then $(CYGPATH_W) 'nft-cmd.c'; else $(CYGPATH_W) '$(srcdir)/nft-cmd.c'; fi`
xtables_nft_multi-xtables-eb-standalone.o: xtables-eb-standalone.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -MT xtables_nft_multi-xtables-eb-standalone.o -MD -MP -MF $(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Tpo -c -o xtables_nft_multi-xtables-eb-standalone.o `test -f 'xtables-eb-standalone.c' || echo '$(srcdir)/'`xtables-eb-standalone.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Tpo $(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po
......@@ -1133,12 +1144,6 @@ xtables_nft_multi-xshared.obj: xshared.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(xtables_nft_multi_CFLAGS) $(CFLAGS) -c -o xtables_nft_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi`
.l.c:
$(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
.y.c:
$(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h `echo $@ | $(am__yacc_c2h)` y.output $*.output -- $(YACCCOMPILE)
mostlyclean-libtool:
-rm -f *.lo
......@@ -1304,7 +1309,10 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
......@@ -1374,9 +1382,6 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-rm -f xtables-config-parser.c
-rm -f xtables-config-parser.h
-rm -f xtables-config-syntax.c
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
......@@ -1384,7 +1389,37 @@ clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
-rm -f ./$(DEPDIR)/xtables_legacy_multi-ip6tables-standalone.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-ip6tables.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-restore.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-save.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-standalone.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-xml.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-xshared.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-arp.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-cache.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-cmd.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-ipv4.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-ipv6.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-shared.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xshared.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-monitor.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-restore.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-save.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-standalone.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-translate.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables.Po
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
......@@ -1431,7 +1466,37 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -rf ./$(DEPDIR)
-rm -f ./$(DEPDIR)/xtables_legacy_multi-ip6tables-standalone.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-ip6tables.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-restore.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-save.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-standalone.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables-xml.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-iptables.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-xshared.Po
-rm -f ./$(DEPDIR)/xtables_legacy_multi-xtables-legacy-multi.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-iptables-xml.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-arp.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-bridge.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-cache.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-cmd.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-ipv4.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-ipv6.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft-shared.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-nft.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xshared.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp-standalone.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-arp.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-standalone.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb-translate.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-eb.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-monitor.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-nft-multi.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-restore.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-save.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-standalone.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables-translate.Po
-rm -f ./$(DEPDIR)/xtables_nft_multi-xtables.Po
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
......@@ -1455,9 +1520,9 @@ uninstall-man: uninstall-man1 uninstall-man8
.MAKE: all check install install-am install-exec-am install-strip
.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
clean-libtool clean-sbinPROGRAMS cscopelist-am ctags ctags-am \
distclean distclean-compile distclean-generic \
.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
clean-generic clean-libtool clean-sbinPROGRAMS cscopelist-am \
ctags ctags-am distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
......@@ -1474,15 +1539,13 @@ uninstall-man: uninstall-man1 uninstall-man8
.PRECIOUS: Makefile
# yacc and lex generate dirty code
@ENABLE_NFTABLES_TRUE@xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man
${AM_VERBOSE_GEN} sed \
-e '/@MATCH@/ r ../extensions/matches.man' \
-e '/@TARGET@/ r ../extensions/targets.man' $< >$@;
iptables-translate.8 ip6tables-translate.8:
iptables-translate.8 ip6tables-translate.8 iptables-restore-translate.8 ip6tables-restore-translate.8:
${AM_VERBOSE_GEN} echo '.so man8/xtables-translate.8' >$@
# Using if..fi avoids an ugly "error (ignored)" message :)
......@@ -1493,6 +1556,7 @@ install-exec-hook:
for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply"
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
......
iptables/ebtables-nft.8
View file @ 268c6aa1
......@@ -522,35 +522,35 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
be consulted to determine the payload protocol. This is a two byte
(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
checked for type.
.\" .SS among
.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
.\" and MAC/IP address pairs.
.\" A list entry has the following format:
.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
.\" list entries are separated by a comma, specifying an IP address corresponding to
.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
.\" .TP
.\" .BR "--among-dst " "[!] \fIlist\fP"
.\" Compare the MAC destination to the given list. If the Ethernet frame has type
.\" .IR IPv4 " or " ARP ,
.\" then comparison with MAC/IP destination address pairs from the
.\" list is possible.
.\" .TP
.\" .BR "--among-src " "[!] \fIlist\fP"
.\" Compare the MAC source to the given list. If the Ethernet frame has type
.\" .IR IPv4 " or " ARP ,
.\" then comparison with MAC/IP source address pairs from the list
.\" is possible.
.\" .TP
.\" .BR "--among-dst-file " "[!] \fIfile\fP"
.\" Same as
.\" .BR --among-dst " but the list is read in from the specified file."
.\" .TP
.\" .BR "--among-src-file " "[!] \fIfile\fP"
.\" Same as
.\" .BR --among-src " but the list is read in from the specified file."
.SS among
Match a MAC address or MAC/IP address pair versus a list of MAC addresses
and MAC/IP address pairs.
A list entry has the following format:
.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
list entries are separated by a comma, specifying an IP address corresponding to
the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
but different IP address (and vice versa) can be specified. If the MAC address doesn't
match any entry from the list, the frame doesn't match the rule (unless "!" was used).
.TP
.BR "--among-dst " "[!] \fIlist\fP"
Compare the MAC destination to the given list. If the Ethernet frame has type
.IR IPv4 " or " ARP ,
then comparison with MAC/IP destination address pairs from the
list is possible.
.TP
.BR "--among-src " "[!] \fIlist\fP"
Compare the MAC source to the given list. If the Ethernet frame has type
.IR IPv4 " or " ARP ,
then comparison with MAC/IP source address pairs from the list
is possible.
.TP
.BR "--among-dst-file " "[!] \fIfile\fP"
Same as
.BR --among-dst " but the list is read in from the specified file."
.TP
.BR "--among-src-file " "[!] \fIfile\fP"
Same as
.BR --among-src " but the list is read in from the specified file."
.SS arp
Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP .
......@@ -1108,8 +1108,8 @@ arp message and the hardware address length in the arp header is 6 bytes.
The version of ebtables this man page ships with does not support the
.B broute
table. Also there is no support for
.BR among " and " string
matches. And finally, this list is probably not complete.
.B string
match. And finally, this list is probably not complete.
.SH SEE ALSO
.BR xtables-nft "(8), " iptables "(8), " ip (8)
.PP
......
iptables/ip6tables-apply.8 0 → 100644
View file @ 268c6aa1
.so man8/iptables-apply.8
iptables/ip6tables-standalone.c
View file @ 268c6aa1
......@@ -64,6 +64,8 @@ ip6tables_main(int argc, char *argv[])
ip6tc_free(handle);
}
xtables_fini();
if (!ret) {
if (errno == EINVAL) {
fprintf(stderr, "ip6tables: %s. "
......
iptables/ip6tables.c
View file @ 268c6aa1
......@@ -24,7 +24,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "config.h"
#include <getopt.h>
#include <string.h>
#include <netdb.h>
......@@ -45,33 +45,6 @@
#include "ip6tables-multi.h"
#include "xshared.h"
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
#define CMD_NONE 0x0000U
#define CMD_INSERT 0x0001U
#define CMD_DELETE 0x0002U
#define CMD_DELETE_NUM 0x0004U
#define CMD_REPLACE 0x0008U
#define CMD_APPEND 0x0010U
#define CMD_LIST 0x0020U
#define CMD_FLUSH 0x0040U
#define CMD_ZERO 0x0080U
#define CMD_NEW_CHAIN 0x0100U
#define CMD_DELETE_CHAIN 0x0200U
#define CMD_SET_POLICY 0x0400U
#define CMD_RENAME_CHAIN 0x0800U
#define CMD_LIST_RULES 0x1000U
#define CMD_ZERO_NUM 0x2000U
#define CMD_CHECK 0x4000U
#define NUMBER_OF_CMD 16
static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
'N', 'X', 'P', 'E', 'S', 'Z', 'C' };
#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
static const char optflags[]
= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c'};
......@@ -121,7 +94,7 @@ static struct option original_opts[] = {
void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
struct xtables_globals ip6tables_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
.program_version = PACKAGE_VERSION,
.orig_opts = original_opts,
.exit_err = ip6tables_exit_error,
.compat_rev = xtables_compatible_revision,
......@@ -175,12 +148,6 @@ static const unsigned int inverse_for_options[NUMBER_OF_OPT] =
#define opts ip6tables_globals.opts
#define prog_name ip6tables_globals.program_name
#define prog_vers ip6tables_globals.program_version
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct pprot {
const char *name;
uint8_t num;
};
static void __attribute__((noreturn))
exit_tryhelp(int status)
......@@ -342,27 +309,6 @@ opt2char(int option)
return *ptr;
}
static char
cmd2char(int option)
{
const char *ptr;
for (ptr = cmdflags; option > 1; option >>= 1, ptr++);
return *ptr;
}
static void
add_command(unsigned int *cmd, const int newcmd, const int othercmds,
int invert)
{
if (invert)
xtables_error(PARAMETER_PROBLEM, "unexpected '!' flag");
if (*cmd & (~othercmds))
xtables_error(PARAMETER_PROBLEM, "Cannot use -%c with -%c\n",
cmd2char(newcmd), cmd2char(*cmd & (~othercmds)));
*cmd |= newcmd;
}
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
......@@ -381,19 +327,6 @@ static int is_exthdr(uint16_t proto)
proto == IPPROTO_DSTOPTS);
}
/* Can't be zero. */
static int
parse_rulenumber(const char *rule)
{
unsigned int rulenum;
if (!xtables_strtoui(rule, NULL, &rulenum, 1, INT_MAX))
xtables_error(PARAMETER_PROBLEM,
"Invalid rule number `%s'", rule);
return rulenum;
}
static void
parse_chain(const char *chainname)
{
......@@ -1228,6 +1161,7 @@ int do_command6(int argc, char *argv[], char **table,
struct xtables_rule_match *matchp;
struct xtables_target *t;
unsigned long long cnt;
bool table_set = false;
/* re-set optind to 0 in case do_command6 gets called
* a second time */
......@@ -1508,7 +1442,12 @@ int do_command6(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
if (restore && table_set)
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
*table = optarg;
table_set = true;
break;
case 'x':
......@@ -1578,7 +1517,7 @@ int do_command6(int argc, char *argv[], char **table,
xtables_error(PARAMETER_PROBLEM,
"multiple consecutive ! not"
" allowed");
cs.invert = TRUE;
cs.invert = true;
optarg[0] = '\0';
continue;
}
......@@ -1590,12 +1529,12 @@ int do_command6(int argc, char *argv[], char **table,
/*
* If new options were loaded, we must retry
* getopt immediately and not allow
* cs.invert=FALSE to be executed.
* cs.invert=false to be executed.
*/
continue;
break;
}
cs.invert = FALSE;
cs.invert = false;
}
if (!wait && wait_interval_set)
......
iptables/iptables-apply
View file @ 268c6aa1
#!/bin/bash
#
# iptables-apply -- a safer way to update iptables remotely
#
# Copyright © Martin F. Krafft <madduck@madduck.net>
# Usage:
# iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
#
# Versions:
# * 1.0 Copyright 2006 Martin F. Krafft <madduck@madduck.net>
# Original version
# * 1.1 Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>
# Added parameter -c (run command)
# Added parameter -w (save successfully applied rules to file)
# Major code cleanup
#
# Released under the terms of the Artistic Licence 2.0
#
set -eu
PROGNAME="${0##*/}";
VERSION=1.0
PROGNAME="${0##*/}"
VERSION=1.1
### Default settings
DEF_TIMEOUT=10
MODE=0 # apply rulesfile mode
# MODE=1 # run command mode
case "$PROGNAME" in
(*6*)
SAVE=ip6tables-save
RESTORE=ip6tables-restore
DEF_RULESFILE="/etc/network/ip6tables.up.rules"
DEF_SAVEFILE="$DEF_RULESFILE"
DEF_RUNCMD="/etc/network/ip6tables.up.run"
;;
(*)
SAVE=iptables-save
RESTORE=iptables-restore
DEF_RULESFILE="/etc/network/iptables.up.rules"
DEF_SAVEFILE="$DEF_RULESFILE"
DEF_RUNCMD="/etc/network/iptables.up.run"
;;
esac
TIMEOUT=10
### Functions
function blurb()
{
cat <<-_eof
function blurb() {
cat <<-__EOF__
$PROGNAME $VERSION -- a safer way to update iptables remotely
_eof
__EOF__
}
function copyright()
{
cat <<-_eof
$PROGNAME is C Martin F. Krafft <madduck@madduck.net>.
function copyright() {
cat <<-__EOF__
$PROGNAME has been published under the terms of the Artistic Licence 2.0.
The program has been published under the terms of the Artistic Licence 2.0
_eof
Original version - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
Version 1.1 - Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>.
__EOF__
}
function about()
{
function about() {
blurb
echo
copyright
}
function usage()
{
cat <<-_eof
Usage: $PROGNAME [options] ruleset
function usage() {
blurb
echo
cat <<-__EOF__
Usage:
$PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
The script will try to apply a new rulesfile (as output by iptables-save,
read by iptables-restore) or run a command to configure iptables and then
prompt the user whether the changes are okay. If the new iptables rules cut
the existing connection, the user will not be able to answer affirmatively.
In this case, the script rolls back to the previous working iptables rules
after the timeout expires.
Successfully applied rules can also be written to savefile and later used
to roll back to this state. This can be used to implement a store last good
configuration mechanism when experimenting with an iptables setup script:
$PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD
The script will try to apply a new ruleset (as output by iptables-save/read
by iptables-restore) to iptables, then prompt the user whether the changes
are okay. If the new ruleset cut the existing connection, the user will not
be able to answer affirmatively. In this case, the script rolls back to the
previous ruleset.
When called as ip6tables-apply, the script will use ip6tables-save/-restore
and IPv6 default values instead. Default value for rulesfile is
'$DEF_RULESFILE'.
Options:
-t seconds, --timeout seconds
Specify the timeout in seconds (default: $DEF_TIMEOUT).
-w savefile, --write savefile
Specify the savefile where successfully applied rules will be written to
(default if empty string is given: $DEF_SAVEFILE).
-c runcmd, --command runcmd
Run command runcmd to configure iptables instead of applying a rulesfile
(default: $DEF_RUNCMD).
-h, --help
Display this help text.
-V, --version
Display version information.
__EOF__
}
The following options may be specified, using standard conventions:
function checkcommands() {
for cmd in "${COMMANDS[@]}"; do
if ! command -v "$cmd" >/dev/null; then
echo "Error: needed command not found: $cmd" >&2
exit 127
fi
done
}
-t | --timeout Specify the timeout in seconds (default: $TIMEOUT)
-V | --version Display version information
-h | --help Display this help text
_eof
function revertrules() {
echo -n "Reverting to old iptables rules... "
"$RESTORE" <"$TMPFILE"
echo "done."
}
SHORTOPTS="t:Vh";
LONGOPTS="timeout:,version,help";
### Parsing and checking parameters
TIMEOUT="$DEF_TIMEOUT"
SAVEFILE=""
SHORTOPTS="t:w:chV";
LONGOPTS="timeout:,write:,command,help,version";
OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $?
for opt in $OPTS; do
case "$opt" in
(-*) unset OPT_STATE;;
(-*)
unset OPT_STATE
;;
(*)
case "${OPT_STATE:-}" in
(SET_TIMEOUT)
eval TIMEOUT=$opt
case "$TIMEOUT" in
([0-9]*) :;;
(*)
echo "E: non-numeric timeout value." >&2
exit 1
;;
esac
(SET_TIMEOUT) eval TIMEOUT=$opt;;
(SET_SAVEFILE)
eval SAVEFILE=$opt
[ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE"
;;
esac
;;
esac
case "$opt" in
(-t|--timeout) OPT_STATE="SET_TIMEOUT";;
(-w|--write) OPT_STATE="SET_SAVEFILE";;
(-c|--command) MODE=1;;
(-h|--help) usage >&2; exit 0;;
(-V|--version) about >&2; exit 0;;
(-t|--timeout) OPT_STATE=SET_TIMEOUT;;
(--) break;;
esac
shift
done
case "$PROGNAME" in
(*6*)
SAVE=ip6tables-save
RESTORE=ip6tables-restore
DEFAULT_FILE=/etc/network/ip6tables
;;
(*)
SAVE=iptables-save
RESTORE=iptables-restore
DEFAULT_FILE=/etc/network/iptables
;;
esac
FILE="${1:-$DEFAULT_FILE}";
if [[ -z "$FILE" ]]; then
echo "E: missing file argument." >&2
# Validate parameters
if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then
TIMEOUT=$(($TIMEOUT))
else
echo "Error: timeout must be a positive number" >&2
exit 1
fi
if [[ ! -r "$FILE" ]]; then
echo "E: cannot read $FILE" >&2
exit 2
if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then
echo "Error: savefile not writable: $SAVEFILE" >&2
exit 8
fi
COMMANDS=(tempfile "$SAVE" "$RESTORE")
case "$MODE" in
(1)
# Treat parameter as runcmd (run command mode)
RUNCMD="${1:-$DEF_RUNCMD}"
if [ ! -x "$RUNCMD" ]; then
echo "Error: runcmd not executable: $RUNCMD" >&2
exit 6
fi
# Needed commands
COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD")
checkcommands
;;
(*)
# Treat parameter as rulesfile (apply rulesfile mode)
RULESFILE="${1:-$DEF_RULESFILE}";
if [ ! -r "$RULESFILE" ]; then
echo "Error: rulesfile not readable: $RULESFILE" >&2
exit 2
fi
# Needed commands
COMMANDS=(mktemp "$SAVE" "$RESTORE")
checkcommands
;;
esac
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
echo "E: command not found: $cmd" >&2
exit 127
fi
done
umask 0700
### Begin work
TMPFILE=$(tempfile -p iptap)
# Store old iptables rules to temporary file
TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX`
trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
FPE USR1 SEGV USR2 PIPE ALRM TERM
if ! "$SAVE" >"$TMPFILE"; then
# An error occured
if ! grep -q ipt /proc/modules 2>/dev/null; then
echo "E: iptables support lacking from the kernel." >&2
echo "Error: iptables support lacking from the kernel" >&2
exit 3
else
echo "E: unknown error saving current iptables ruleset." >&2
echo "Error: unknown error saving old iptables rules: $TMPFILE" >&2
exit 4
fi
fi
# Legacy to stop the fail2ban daemon if present
[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop
echo -n "Applying new ruleset... "
if ! "$RESTORE" <"$FILE"; then
echo "failed."
echo "E: unknown error applying new iptables ruleset." >&2
exit 5
else
echo "done."
fi
# Configure iptables
case "$MODE" in
(1)
# Run command in background and kill it if it times out
echo -n "Running command '$RUNCMD'... "
"$RUNCMD" &
CMD_PID=$!
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
CMDTIMEOUT_PID=$!
if ! wait "$CMD_PID"; then
echo "failed."
echo "Error: unknown error running command: $RUNCMD" >&2
revertrules
exit 7
else
echo "done."
fi
;;
(*)
# Apply iptables rulesfile
echo -n "Applying new iptables rules from '$RULESFILE'... "
if ! "$RESTORE" <"$RULESFILE"; then
echo "failed."
echo "Error: unknown error applying new iptables rules: $RULESFILE" >&2
revertrules
exit 5
else
echo "done."
fi
;;
esac
# Prompt user for confirmation
echo -n "Can you establish NEW connections to the machine? (y/N) "
read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
read -n1 -t "$TIMEOUT" ret 2>&1 || :
case "${ret:-}" in
(y*|Y*)
# Success
echo
if [ ! -z "$SAVEFILE" ]; then
# Write successfully applied rules to the savefile
echo "Writing successfully applied rules to '$SAVEFILE'..."
if ! "$SAVE" >"$SAVEFILE"; then
echo "Error: unknown error writing successfully applied rules: $SAVEFILE" >&2
exit 9
fi
fi
echo "... then my job is done. See you next time."
;;
(*)
if [[ -z "${ret:-}" ]]; then
echo "apparently not..."
# Failed
echo
if [ -z "${ret:-}" ]; then
echo "Timeout! Something happened (or did not). Better play it safe..."
else
echo
echo "No affirmative response! Better play it safe..."
fi
echo "Timeout. Something happened (or did not). Better play it safe..."
echo -n "Reverting to old ruleset... "
"$RESTORE" <"$TMPFILE";
echo "done."
revertrules
exit 255
;;
esac
# Legacy to start the fail2ban daemon again
[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start
exit 0
......
iptables/iptables-apply.8.in
View file @ 268c6aa1
.\" Title: iptables-apply
.\" Author: Martin F. Krafft
.\" Date: Jun 04, 2006
.\" Author: Martin F. Krafft, GW
.\" Date: May 10, 2010
.\"
.TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.\" disable hyphenation
......@@ -8,23 +8,37 @@
.SH NAME
iptables-apply \- a safer way to update iptables remotely
.SH SYNOPSIS
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
.SH "DESCRIPTION"
.PP
iptables\-apply will try to apply a new ruleset (as output by
iptables\-save/read by iptables\-restore) to iptables, then prompt the
user whether the changes are okay. If the new ruleset cut the existing
connection, the user will not be able to answer affirmatively. In this
case, the script rolls back to the previous ruleset after the timeout
expired. The timeout can be set with \fB\-t\fP.
iptables\-apply will try to apply a new rulesfile (as output by
iptables-save, read by iptables-restore) or run a command to configure
iptables and then prompt the user whether the changes are okay. If the
new iptables rules cut the existing connection, the user will not be
able to answer affirmatively. In this case, the script rolls back to
the previous working iptables rules after the timeout expires.
.PP
When called as \fBip6tables\-apply\fP, the script will use
ip6tables\-save/\-restore instead.
Successfully applied rules can also be written to savefile and later used
to roll back to this state. This can be used to implement a store last good
configuration mechanism when experimenting with an iptables setup script:
iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/iptables.up.run
.PP
When called as ip6tables\-apply, the script will use
ip6tables\-save/\-restore and IPv6 default values instead. Default
value for rulesfile is '/etc/network/iptables.up.rules'.
.SH OPTIONS
.TP
\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
Sets the timeout after which the script will roll back to the previous
ruleset.
Sets the timeout in seconds after which the script will roll back
to the previous ruleset (default: 10).
.TP
\fB\-w\fP \fIsavefile\fR, \fB\-\-write\fP \fIsavefile\fR
Specify the savefile where successfully applied rules will be written to
(default if empty string is given: /etc/network/iptables.up.rules).
.TP
\fB\-c\fP \fIruncmd\fR, \fB\-\-command\fP \fIruncmd\fR
Run command runcmd to configure iptables instead of applying a rulesfile
(default: /etc/network/iptables.up.run).
.TP
\fB\-h\fP, \fB\-\-help\fP
Display usage information.
......@@ -36,9 +50,11 @@ Display version information.
\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
.SH LEGALESE
.PP
iptables\-apply is copyright by Martin F. Krafft.
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
Version 1.1 - Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>.
.PP
This manual page was written by Martin F. Krafft <madduck@madduck.net>
This manual page was written by Martin F. Krafft <madduck@madduck.net> and
extended by GW <gw.2010@tnode.com or http://gw.tnode.com/>.
.PP
Permission is granted to copy, distribute and/or modify this document
under the terms of the Artistic License 2.0.
iptables/iptables-restore.8.in
View file @ 268c6aa1
......@@ -87,7 +87,7 @@ from Rusty Russell.
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO
\fBiptables\-save\fP(8), \fBiptables\fP(8)
\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
......
iptables/iptables-restore.c
View file @ 268c6aa1
......@@ -4,7 +4,7 @@
*
* This code is distributed under the terms of GNU GPL v2
*/
#include "config.h"
#include <getopt.h>
#include <errno.h>
#include <stdbool.h>
......@@ -43,7 +43,7 @@ static const struct option options[] = {
static void print_usage(const char *name, const char *version)
{
fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-w secs] [-W usecs] [-T table] [-M command]\n"
fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-w secs] [-W usecs] [-T table] [-M command] [file]\n"
" [ --counters ]\n"
" [ --verbose ]\n"
" [ --version]\n"
......@@ -70,7 +70,7 @@ struct iptables_restore_cb {
};
static struct xtc_handle *
create_handle(struct iptables_restore_cb *cb, const char *tablename)
create_handle(const struct iptables_restore_cb *cb, const char *tablename)
{
struct xtc_handle *handle;
......@@ -82,18 +82,19 @@ create_handle(struct iptables_restore_cb *cb, const char *tablename)
handle = cb->ops->init(tablename);
}
if (!handle) {
if (!handle)
xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
"table '%s'\n", xt_params->program_name, tablename);
exit(1);
}
return handle;
}
static int
ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
ip46tables_restore_main(const struct iptables_restore_cb *cb,
int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
struct argv_store av_store = {};
char buffer[10240];
int c, lock;
char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
......@@ -125,7 +126,7 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
break;
case 'h':
print_usage(xt_params->program_name,
IPTABLES_VERSION);
PACKAGE_VERSION);
exit(0);
case 'n':
noflush = 1;
......@@ -177,8 +178,10 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
if (buffer[0] == '\n')
continue;
else if (buffer[0] == '#') {
if (verbose)
if (verbose) {
fputs(buffer, stdout);
fflush(stdout);
}
continue;
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
......@@ -207,12 +210,11 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
table = strtok(buffer+1, " \t\n");
DEBUGP("line %u, table '%s'\n", line, table);
if (!table) {
if (!table)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u table name invalid\n",
xt_params->program_name, line);
exit(1);
}
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
......@@ -248,12 +250,10 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
chain = strtok(buffer+1, " \t\n");
DEBUGP("line %u, chain '%s'\n", line, chain);
if (!chain) {
if (!chain)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
xt_params->program_name, line);
exit(1);
}
if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
......@@ -281,12 +281,10 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
policy = strtok(NULL, " \t\n");
DEBUGP("line %u, policy '%s'\n", line, policy);
if (!policy) {
if (!policy)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u policy invalid\n",
xt_params->program_name, line);
exit(1);
}
if (strcmp(policy, "-") != 0) {
struct xt_counters count = {};
......@@ -316,61 +314,31 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
ret = 1;
} else if (in_table) {
int a;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
if (buffer[0] == '[') {
/* we have counters in our input */
char *ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
pcnt = strtok(buffer+1, ":");
if (!pcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need :\n",
line);
bcnt = strtok(NULL, "]");
if (!bcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
/* start command parsing after counter */
parsestart = ptr + 1;
} else {
/* start command parsing at start of line */
parsestart = buffer;
}
char *parsestart = buffer;
add_argv(argv[0], 0);
add_argv("-t", 0);
add_argv(curtable, 0);
add_argv(&av_store, argv[0], 0);
add_argv(&av_store, "-t", 0);
add_argv(&av_store, curtable, 0);
tokenize_rule_counters(&parsestart, &pcnt, &bcnt, line);
if (counters && pcnt && bcnt) {
add_argv("--set-counters", 0);
add_argv((char *) pcnt, 0);
add_argv((char *) bcnt, 0);
add_argv(&av_store, "--set-counters", 0);
add_argv(&av_store, pcnt, 0);
add_argv(&av_store, bcnt, 0);
}
add_param_to_argv(parsestart, line);
add_param_to_argv(&av_store, parsestart, line);
DEBUGP("calling do_command(%u, argv, &%s, handle):\n",
newargc, curtable);
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
av_store.argc, curtable);
debug_print_argv(&av_store);
ret = cb->do_command(newargc, newargv,
&newargv[2], &handle, true);
ret = cb->do_command(av_store.argc, av_store.argv,
&av_store.argv[2], &handle, true);
free_argv();
free_argv(&av_store);
fflush(stdout);
}
if (tablename && strcmp(tablename, curtable) != 0)
......@@ -393,7 +361,7 @@ ip46tables_restore_main(struct iptables_restore_cb *cb, int argc, char *argv[])
#if defined ENABLE_IPV4
struct iptables_restore_cb ipt_restore_cb = {
static const struct iptables_restore_cb ipt_restore_cb = {
.ops = &iptc_ops,
.for_each_chain = for_each_chain4,
.flush_entries = flush_entries4,
......@@ -404,7 +372,7 @@ struct iptables_restore_cb ipt_restore_cb = {
int
iptables_restore_main(int argc, char *argv[])
{
int c;
int c, ret;
iptables_globals.program_name = "iptables-restore";
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
......@@ -419,12 +387,15 @@ iptables_restore_main(int argc, char *argv[])
init_extensions4();
#endif
return ip46tables_restore_main(&ipt_restore_cb, argc, argv);
ret = ip46tables_restore_main(&ipt_restore_cb, argc, argv);
xtables_fini();
return ret;
}
#endif
#if defined ENABLE_IPV6
struct iptables_restore_cb ip6t_restore_cb = {
static const struct iptables_restore_cb ip6t_restore_cb = {
.ops = &ip6tc_ops,
.for_each_chain = for_each_chain6,
.flush_entries = flush_entries6,
......@@ -435,7 +406,7 @@ struct iptables_restore_cb ip6t_restore_cb = {
int
ip6tables_restore_main(int argc, char *argv[])
{
int c;
int c, ret;
ip6tables_globals.program_name = "ip6tables-restore";
c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
......@@ -450,6 +421,9 @@ ip6tables_restore_main(int argc, char *argv[])
init_extensions6();
#endif
return ip46tables_restore_main(&ip6t_restore_cb, argc, argv);
ret = ip46tables_restore_main(&ip6t_restore_cb, argc, argv);
xtables_fini();
return ret;
}
#endif
iptables/iptables-save.8.in
View file @ 268c6aa1
......@@ -62,7 +62,7 @@ Rusty Russell <rusty@rustcorp.com.au>
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
.SH SEE ALSO
\fBiptables\-restore\fP(8), \fBiptables\fP(8)
\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
......
iptables/iptables-save.c
View file @ 268c6aa1
......@@ -5,6 +5,7 @@
* This code is distributed under the terms of GNU GPL v2
*
*/
#include "config.h"
#include <getopt.h>
#include <errno.h>
#include <stdio.h>
......@@ -90,7 +91,7 @@ static int do_output(struct iptables_save_cb *cb, const char *tablename)
time_t now = time(NULL);
printf("# Generated by %s v%s on %s",
xt_params->program_name, IPTABLES_VERSION, ctime(&now));
xt_params->program_name, PACKAGE_VERSION, ctime(&now));
printf("*%s\n", tablename);
/* Dump out chain names first,
......@@ -217,6 +218,8 @@ struct iptables_save_cb ipt_save_cb = {
int
iptables_save_main(int argc, char *argv[])
{
int ret;
iptables_globals.program_name = "iptables-save";
if (xtables_init_all(&iptables_globals, NFPROTO_IPV4) < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
......@@ -229,7 +232,10 @@ iptables_save_main(int argc, char *argv[])
init_extensions4();
#endif
return do_iptables_save(&ipt_save_cb, argc, argv);
ret = do_iptables_save(&ipt_save_cb, argc, argv);
xtables_fini();
return ret;
}
#endif /* ENABLE_IPV4 */
......@@ -258,6 +264,8 @@ struct iptables_save_cb ip6t_save_cb = {
int
ip6tables_save_main(int argc, char *argv[])
{
int ret;
ip6tables_globals.program_name = "ip6tables-save";
if (xtables_init_all(&ip6tables_globals, NFPROTO_IPV6) < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
......@@ -270,6 +278,9 @@ ip6tables_save_main(int argc, char *argv[])
init_extensions6();
#endif
return do_iptables_save(&ip6t_save_cb, argc, argv);
ret = do_iptables_save(&ip6t_save_cb, argc, argv);
xtables_fini();
return ret;
}
#endif /* ENABLE_IPV6 */
iptables/iptables-standalone.c
View file @ 268c6aa1
......@@ -64,6 +64,8 @@ iptables_main(int argc, char *argv[])
iptc_free(handle);
}
xtables_fini();
if (!ret) {
if (errno == EINVAL) {
fprintf(stderr, "iptables: %s. "
......
iptables/iptables-xml.c
View file @ 268c6aa1
......@@ -5,7 +5,7 @@
*
* This code is distributed under the terms of GNU GPL v2
*/
#include "config.h"
#include <getopt.h>
#include <errno.h>
#include <string.h>
......@@ -20,7 +20,7 @@
struct xtables_globals iptables_xml_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
.program_version = PACKAGE_VERSION,
.program_name = "iptables-xml",
};
#define prog_name iptables_xml_globals.program_name
......@@ -208,12 +208,11 @@ needChain(char *chain)
static void
saveChain(char *chain, char *policy, struct xt_counters *ctr)
{
if (nextChain >= maxChains) {
if (nextChain >= maxChains)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
prog_name, line);
exit(1);
};
chains[nextChain].chain = strdup(chain);
chains[nextChain].policy = strdup(policy);
chains[nextChain].count = *ctr;
......@@ -441,7 +440,7 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
}
static int
compareRules(void)
compareRules(int newargc, char *newargv[], int oldargc, char *oldargv[])
{
/* Compare arguments up to -j or -g for match.
* NOTE: We don't want to combine actions if there were no criteria
......@@ -490,11 +489,13 @@ compareRules(void)
/* has a nice parsed rule starting with -A */
static void
do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[])
do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[],
int oldargc, char *oldargv[])
{
/* are these conditions the same as the previous rule?
* If so, skip arg straight to -j or -g */
if (combine && argc > 2 && !isTarget(argv[2]) && compareRules()) {
if (combine && argc > 2 && !isTarget(argv[2]) &&
compareRules(argc, argv, oldargc, oldargv)) {
xmlComment("Combine action from next rule");
} else {
......@@ -540,6 +541,7 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[])
int
iptables_xml_main(int argc, char *argv[])
{
struct argv_store last_rule = {}, cur_rule = {};
char buffer[10240];
int c;
FILE *in;
......@@ -557,7 +559,7 @@ iptables_xml_main(int argc, char *argv[])
verbose = 1;
break;
case 'h':
print_usage("iptables-xml", IPTABLES_VERSION);
print_usage("iptables-xml", PACKAGE_VERSION);
break;
}
}
......@@ -606,12 +608,11 @@ iptables_xml_main(int argc, char *argv[])
table = strtok(buffer + 1, " \t\n");
DEBUGP("line %u, table '%s'\n", line, table);
if (!table) {
if (!table)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u table name invalid\n",
prog_name, line);
exit(1);
}
openTable(table);
ret = 1;
......@@ -623,23 +624,19 @@ iptables_xml_main(int argc, char *argv[])
chain = strtok(buffer + 1, " \t\n");
DEBUGP("line %u, chain '%s'\n", line, chain);
if (!chain) {
if (!chain)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u chain name invalid\n",
prog_name, line);
exit(1);
}
DEBUGP("Creating new chain '%s'\n", chain);
policy = strtok(NULL, " \t\n");
DEBUGP("line %u, policy '%s'\n", line, policy);
if (!policy) {
if (!policy)
xtables_error(PARAMETER_PROBLEM,
"%s: line %u policy invalid\n",
prog_name, line);
exit(1);
}
ctrs = strtok(NULL, " \t\n");
parse_counters(ctrs, &count);
......@@ -650,126 +647,32 @@ iptables_xml_main(int argc, char *argv[])
unsigned int a;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
char *parsestart = buffer;
char *chain = NULL;
/* the parser */
char *param_start, *curchar;
int quote_open, quoted;
char param_buffer[1024];
if (buffer[0] == '[') {
/* we have counters in our input */
char *ptr = strchr(buffer, ']');
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
pcnt = strtok(buffer + 1, ":");
if (!pcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need :\n",
line);
bcnt = strtok(NULL, "]");
if (!bcnt)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
/* start command parsing after counter */
parsestart = ptr + 1;
} else {
/* start command parsing at start of line */
parsestart = buffer;
}
/* This is a 'real' parser crafted in artist mode
* not hacker mode. If the author can live with that
* then so can everyone else */
quote_open = 0;
/* We need to know which args were quoted so we
can preserve quote */
quoted = 0;
param_start = parsestart;
for (curchar = parsestart; *curchar; curchar++) {
if (*curchar == '"') {
/* quote_open cannot be true if there
* was no previous character. Thus,
* curchar-1 has to be within bounds */
if (quote_open &&
*(curchar - 1) != '\\') {
quote_open = 0;
*curchar = ' ';
} else {
quote_open = 1;
quoted = 1;
param_start++;
}
}
if (*curchar == ' '
|| *curchar == '\t' || *curchar == '\n') {
int param_len = curchar - param_start;
if (quote_open)
continue;
if (!param_len) {
/* two spaces? */
param_start++;
continue;
}
/* end of one parameter */
strncpy(param_buffer, param_start,
param_len);
*(param_buffer + param_len) = '\0';
/* check if table name specified */
if ((param_buffer[0] == '-' &&
param_buffer[1] != '-' &&
strchr(param_buffer, 't')) ||
(!strncmp(param_buffer, "--t", 3) &&
!strncmp(param_buffer, "--table", strlen(param_buffer)))) {
xtables_error(PARAMETER_PROBLEM,
"Line %u seems to have a "
"-t table option.\n",
line);
exit(1);
}
add_argv(param_buffer, quoted);
if (newargc >= 2
&& 0 ==
strcmp(newargv[newargc - 2], "-A"))
chain = newargv[newargc - 1];
quoted = 0;
param_start += param_len + 1;
} else {
/* regular character, skip */
}
}
tokenize_rule_counters(&parsestart, &pcnt, &bcnt, line);
add_param_to_argv(&cur_rule, parsestart, line);
DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
newargc, curTable);
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
cur_rule.argc, curTable);
debug_print_argv(&cur_rule);
for (a = 1; a < cur_rule.argc; a++) {
if (strcmp(cur_rule.argv[a - 1], "-A"))
continue;
chain = cur_rule.argv[a];
break;
}
if (!chain) {
fprintf(stderr, "%s: line %u failed - no chain found\n",
prog_name, line);
exit(1);
}
needChain(chain);// Should we explicitly look for -A
do_rule(pcnt, bcnt, newargc, newargv, newargvattr);
do_rule(pcnt, bcnt, cur_rule.argc, cur_rule.argv,
cur_rule.argvattr, last_rule.argc, last_rule.argv);
save_argv();
save_argv(&last_rule, &cur_rule);
ret = 1;
}
if (!ret) {
......@@ -786,7 +689,7 @@ iptables_xml_main(int argc, char *argv[])
fclose(in);
printf("</iptables-rules>\n");
free_argv();
free_argv(&last_rule);
return 0;
}
iptables/iptables.8.in
View file @ 268c6aa1
......@@ -245,13 +245,13 @@ add, delete, insert, replace and append commands).
This option has no effect in iptables and iptables-restore.
If a rule using the \fB\-4\fP option is inserted with (and only with)
ip6tables-restore, it will be silently ignored. Any other uses will throw an
error. This option allows to put both IPv4 and IPv6 rules in a single rule file
error. This option allows IPv4 and IPv6 rules in a single rule file
for use with both iptables-restore and ip6tables-restore.
.TP
\fB\-6\fP, \fB\-\-ipv6\fP
If a rule using the \fB\-6\fP option is inserted with (and only with)
iptables-restore, it will be silently ignored. Any other uses will throw an
error. This option allows to put both IPv4 and IPv6 rules in a single rule file
error. This option allows IPv4 and IPv6 rules in a single rule file
for use with both iptables-restore and ip6tables-restore.
This option has no effect in ip6tables and ip6tables-restore.
.TP
......
iptables/iptables.c
View file @ 268c6aa1
......@@ -24,7 +24,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "config.h"
#include <getopt.h>
#include <string.h>
#include <netdb.h>
......@@ -41,33 +41,6 @@
#include <fcntl.h>
#include "xshared.h"
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
#define CMD_NONE 0x0000U
#define CMD_INSERT 0x0001U
#define CMD_DELETE 0x0002U
#define CMD_DELETE_NUM 0x0004U
#define CMD_REPLACE 0x0008U
#define CMD_APPEND 0x0010U
#define CMD_LIST 0x0020U
#define CMD_FLUSH 0x0040U
#define CMD_ZERO 0x0080U
#define CMD_NEW_CHAIN 0x0100U
#define CMD_DELETE_CHAIN 0x0200U
#define CMD_SET_POLICY 0x0400U
#define CMD_RENAME_CHAIN 0x0800U
#define CMD_LIST_RULES 0x1000U
#define CMD_ZERO_NUM 0x2000U
#define CMD_CHECK 0x4000U
#define NUMBER_OF_CMD 16
static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
'N', 'X', 'P', 'E', 'S', 'Z', 'C' };
#define OPT_FRAGMENT 0x00800U
#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
static const char optflags[]
......@@ -120,7 +93,7 @@ void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __a
struct xtables_globals iptables_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
.program_version = PACKAGE_VERSION,
.orig_opts = original_opts,
.exit_err = iptables_exit_error,
.compat_rev = xtables_compatible_revision,
......@@ -335,27 +308,6 @@ opt2char(int option)
return *ptr;
}
static char
cmd2char(int option)
{
const char *ptr;
for (ptr = cmdflags; option > 1; option >>= 1, ptr++);
return *ptr;
}
static void
add_command(unsigned int *cmd, const int newcmd, const int othercmds,
int invert)
{
if (invert)
xtables_error(PARAMETER_PROBLEM, "unexpected ! flag");
if (*cmd & (~othercmds))
xtables_error(PARAMETER_PROBLEM, "Cannot use -%c with -%c\n",
cmd2char(newcmd), cmd2char(*cmd & (~othercmds)));
*cmd |= newcmd;
}
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
......@@ -366,18 +318,6 @@ add_command(unsigned int *cmd, const int newcmd, const int othercmds,
*/
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
/* Can't be zero. */
static int
parse_rulenumber(const char *rule)
{
unsigned int rulenum;
if (!xtables_strtoui(rule, NULL, &rulenum, 1, INT_MAX))
xtables_error(PARAMETER_PROBLEM,
"Invalid rule number `%s'", rule);
return rulenum;
}
static void
parse_chain(const char *chainname)
......@@ -1217,6 +1157,7 @@ int do_command4(int argc, char *argv[], char **table,
struct xtables_rule_match *matchp;
struct xtables_target *t;
unsigned long long cnt;
bool table_set = false;
/* re-set optind to 0 in case do_command4 gets called
* a second time */
......@@ -1494,7 +1435,12 @@ int do_command4(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
if (restore && table_set)
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
*table = optarg;
table_set = true;
break;
case 'x':
......@@ -1564,7 +1510,7 @@ int do_command4(int argc, char *argv[], char **table,
xtables_error(PARAMETER_PROBLEM,
"multiple consecutive ! not"
" allowed");
cs.invert = TRUE;
cs.invert = true;
optarg[0] = '\0';
continue;
}
......@@ -1577,7 +1523,7 @@ int do_command4(int argc, char *argv[], char **table,
continue;
break;
}
cs.invert = FALSE;
cs.invert = false;
}
if (!wait && wait_interval_set)
......
iptables/nft-arp.c
View file @ 268c6aa1
......@@ -114,29 +114,6 @@ mask_to_dotted(const struct in_addr *mask)
return buf;
}
static void print_mac(const unsigned char *mac, int l)
{
int j;
for (j = 0; j < l; j++)
printf("%02x%s", mac[j],
(j==l-1) ? "" : ":");
}
static void print_mac_and_mask(const unsigned char *mac, const unsigned char *mask, int l)
{
int i;
print_mac(mac, l);
for (i = 0; i < l ; i++)
if (mask[i] != 255)
break;
if (i == l)
return;
printf("/");
print_mac(mask, l);
}
static bool need_devaddr(struct arpt_devaddr_info *info)
{
int i;
......@@ -149,7 +126,7 @@ static bool need_devaddr(struct arpt_devaddr_info *info)
return false;
}
static int nft_arp_add(struct nftnl_rule *r, void *data)
static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data;
struct arpt_entry *fw = &cs->arp;
......@@ -506,8 +483,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
printf("%s%s", sep, fw->arp.invflags & ARPT_INV_SRCDEVADDR
? "! " : "");
printf("--src-mac ");
print_mac_and_mask((unsigned char *)fw->arp.src_devaddr.addr,
(unsigned char *)fw->arp.src_devaddr.mask, ETH_ALEN);
xtables_print_mac_and_mask((unsigned char *)fw->arp.src_devaddr.addr,
(unsigned char *)fw->arp.src_devaddr.mask);
sep = " ";
after_devsrc:
......@@ -532,8 +509,8 @@ after_devsrc:
printf("%s%s", sep, fw->arp.invflags & ARPT_INV_TGTDEVADDR
? "! " : "");
printf("--dst-mac ");
print_mac_and_mask((unsigned char *)fw->arp.tgt_devaddr.addr,
(unsigned char *)fw->arp.tgt_devaddr.mask, ETH_ALEN);
xtables_print_mac_and_mask((unsigned char *)fw->arp.tgt_devaddr.addr,
(unsigned char *)fw->arp.tgt_devaddr.mask);
sep = " ";
after_devdst:
......@@ -605,14 +582,15 @@ nft_arp_save_rule(const void *data, unsigned int format)
}
static void
nft_arp_print_rule(struct nftnl_rule *r, unsigned int num, unsigned int format)
nft_arp_print_rule(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
struct iptables_command_state cs = {};
if (format & FMT_LINENUMBERS)
printf("%u ", num);
nft_rule_to_iptables_command_state(r, &cs);
nft_rule_to_iptables_command_state(h, r, &cs);
nft_arp_print_rule_details(&cs, format);
print_matches_and_target(&cs, format);
......@@ -626,6 +604,8 @@ nft_arp_print_rule(struct nftnl_rule *r, unsigned int num, unsigned int format)
if (!(format & FMT_NONEWLINE))
fputc('\n', stdout);
nft_clear_iptables_command_state(&cs);
}
static bool nft_arp_is_same(const void *data_a,
......@@ -655,31 +635,6 @@ static bool nft_arp_is_same(const void *data_a,
(unsigned char *)b->arp.outiface_mask);
}
static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
void *data)
{
const struct iptables_command_state *cs = data;
struct iptables_command_state this = {};
bool ret = false;
/* Delete by matching rule case */
nft_rule_to_iptables_command_state(r, &this);
if (!nft_arp_is_same(&cs->arp, &this.arp))
goto out;
if (!compare_targets(cs->target, this.target))
goto out;
if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0)
goto out;
ret = true;
out:
ops->clear_cs(&this);
return ret;
}
static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
{
const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
......@@ -697,11 +652,9 @@ struct nft_family_ops nft_family_ops_arp = {
.print_header = nft_arp_print_header,
.print_rule = nft_arp_print_rule,
.save_rule = nft_arp_save_rule,
.save_counters = save_counters,
.save_chain = nft_arp_save_chain,
.post_parse = NULL,
.rule_to_cs = nft_rule_to_iptables_command_state,
.clear_cs = nft_clear_iptables_command_state,
.rule_find = nft_arp_rule_find,
.parse_target = nft_ipv46_parse_target,
};
iptables/nft-bridge.c
View file @ 268c6aa1
......@@ -17,12 +17,13 @@
#include <libiptc/libxtc.h>
#include <linux/netfilter/nf_tables.h>
#include <libnftnl/set.h>
#include "nft-shared.h"
#include "nft-bridge.h"
#include "nft-cache.h"
#include "nft.h"
static bool ebt_legacy_counter_fmt;
void ebt_cs_clean(struct iptables_command_state *cs)
{
struct ebt_match *m, *nm;
......@@ -128,7 +129,8 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
return add_action(r, cs, false);
}
static int nft_bridge_add(struct nftnl_rule *r, void *data)
static int nft_bridge_add(struct nft_handle *h,
struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data;
struct ebt_match *iter;
......@@ -184,7 +186,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
for (iter = cs->match_list; iter; iter = iter->next) {
if (iter->ismatch) {
if (add_match(r, iter->u.match->m))
if (add_match(h, r, iter->u.match->m))
break;
} else {
if (add_target(r, iter->u.watcher->t))
......@@ -292,6 +294,221 @@ static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
cs->jumpto = jumpto;
}
/* return 0 if saddr, 1 if daddr, -1 on error */
static int
lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
{
if (base != 0 || len != ETH_ALEN)
return -1;
switch (offset) {
case offsetof(struct ether_header, ether_dhost):
return 1;
case offsetof(struct ether_header, ether_shost):
return 0;
default:
return -1;
}
}
/* return 0 if saddr, 1 if daddr, -1 on error */
static int
lookup_check_iphdr_payload(uint32_t base, uint32_t offset, uint32_t len)
{
if (base != 1 || len != 4)
return -1;
switch (offset) {
case offsetof(struct iphdr, daddr):
return 1;
case offsetof(struct iphdr, saddr):
return 0;
default:
return -1;
}
}
/* Make sure previous payload expression(s) is/are consistent and extract if
* matching on source or destination address and if matching on MAC and IP or
* only MAC address. */
static int lookup_analyze_payloads(const struct nft_xt_ctx *ctx,
bool *dst, bool *ip)
{
int val, val2 = -1;
if (ctx->flags & NFT_XT_CTX_PREV_PAYLOAD) {
val = lookup_check_ether_payload(ctx->prev_payload.base,
ctx->prev_payload.offset,
ctx->prev_payload.len);
if (val < 0) {
DEBUGP("unknown payload base/offset/len %d/%d/%d\n",
ctx->prev_payload.base, ctx->prev_payload.offset,
ctx->prev_payload.len);
return -1;
}
if (!(ctx->flags & NFT_XT_CTX_PAYLOAD)) {
DEBUGP("Previous but no current payload?\n");
return -1;
}
val2 = lookup_check_iphdr_payload(ctx->payload.base,
ctx->payload.offset,
ctx->payload.len);
if (val2 < 0) {
DEBUGP("unknown payload base/offset/len %d/%d/%d\n",
ctx->payload.base, ctx->payload.offset,
ctx->payload.len);
return -1;
} else if (val != val2) {
DEBUGP("mismatching payload match offsets\n");
return -1;
}
} else if (ctx->flags & NFT_XT_CTX_PAYLOAD) {
val = lookup_check_ether_payload(ctx->payload.base,
ctx->payload.offset,
ctx->payload.len);
if (val < 0) {
DEBUGP("unknown payload base/offset/len %d/%d/%d\n",
ctx->payload.base, ctx->payload.offset,
ctx->payload.len);
return -1;
}
} else {
DEBUGP("unknown LHS of lookup expression\n");
return -1;
}
if (dst)
*dst = (val == 1);
if (ip)
*ip = (val2 != -1);
return 0;
}
static int set_elems_to_among_pairs(struct nft_among_pair *pairs,
const struct nftnl_set *s, int cnt)
{
struct nftnl_set_elems_iter *iter = nftnl_set_elems_iter_create(s);
struct nftnl_set_elem *elem;
size_t tmpcnt = 0;
const void *data;
uint32_t datalen;
int ret = -1;
if (!iter) {
fprintf(stderr, "BUG: set elems iter allocation failed\n");
return ret;
}
while ((elem = nftnl_set_elems_iter_next(iter))) {
data = nftnl_set_elem_get(elem, NFTNL_SET_ELEM_KEY, &datalen);
if (!data) {
fprintf(stderr, "BUG: set elem without key\n");
goto err;
}
if (datalen > sizeof(*pairs)) {
fprintf(stderr, "BUG: overlong set elem\n");
goto err;
}
nft_among_insert_pair(pairs, &tmpcnt, data);
}
ret = 0;
err:
nftnl_set_elems_iter_destroy(iter);
return ret;
}
static struct nftnl_set *set_from_lookup_expr(struct nft_xt_ctx *ctx,
const struct nftnl_expr *e)
{
const char *set_name = nftnl_expr_get_str(e, NFTNL_EXPR_LOOKUP_SET);
uint32_t set_id = nftnl_expr_get_u32(e, NFTNL_EXPR_LOOKUP_SET_ID);
struct nftnl_set_list *slist;
struct nftnl_set *set;
slist = nft_set_list_get(ctx->h, ctx->table, set_name);
if (slist) {
set = nftnl_set_list_lookup_byname(slist, set_name);
if (set)
return set;
set = nft_set_batch_lookup_byid(ctx->h, set_id);
if (set)
return set;
}
return NULL;
}
static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx,
struct nftnl_expr *e, void *data)
{
struct xtables_match *match = NULL;
struct nft_among_data *among_data;
bool is_dst, have_ip, inv;
struct ebt_match *ematch;
struct nftnl_set *s;
size_t poff, size;
uint32_t cnt;
if (lookup_analyze_payloads(ctx, &is_dst, &have_ip))
return;
s = set_from_lookup_expr(ctx, e);
if (!s)
xtables_error(OTHER_PROBLEM,
"BUG: lookup expression references unknown set");
cnt = nftnl_set_get_u32(s, NFTNL_SET_DESC_SIZE);
for (ematch = ctx->cs->match_list; ematch; ematch = ematch->next) {
if (!ematch->ismatch || strcmp(ematch->u.match->name, "among"))
continue;
match = ematch->u.match;
among_data = (struct nft_among_data *)match->m->data;
size = cnt + among_data->src.cnt + among_data->dst.cnt;
size *= sizeof(struct nft_among_pair);
size += XT_ALIGN(sizeof(struct xt_entry_match)) +
sizeof(struct nft_among_data);
match->m = xtables_realloc(match->m, size);
break;
}
if (!match) {
match = xtables_find_match("among", XTF_TRY_LOAD,
&ctx->cs->matches);
size = cnt * sizeof(struct nft_among_pair);
size += XT_ALIGN(sizeof(struct xt_entry_match)) +
sizeof(struct nft_among_data);
match->m = xtables_calloc(1, size);
strcpy(match->m->u.user.name, match->name);
match->m->u.user.revision = match->revision;
xs_init_match(match);
if (ctx->h->ops->parse_match != NULL)
ctx->h->ops->parse_match(match, ctx->cs);
}
if (!match)
return;
match->m->u.match_size = size;
inv = !!(nftnl_expr_get_u32(e, NFTNL_EXPR_LOOKUP_FLAGS) &
NFT_LOOKUP_F_INV);
among_data = (struct nft_among_data *)match->m->data;
poff = nft_among_prepare_data(among_data, is_dst, cnt, inv, have_ip);
if (set_elems_to_among_pairs(among_data->pairs + poff, s, cnt))
xtables_error(OTHER_PROBLEM,
"ebtables among pair parsing failed");
ctx->flags &= ~(NFT_XT_CTX_PAYLOAD | NFT_XT_CTX_PREV_PAYLOAD);
}
static void parse_watcher(void *object, struct ebt_match **match_list,
bool ismatch)
{
......@@ -334,11 +551,12 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
cs->target = t;
}
static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
static void nft_rule_to_ebtables_command_state(struct nft_handle *h,
const struct nftnl_rule *r,
struct iptables_command_state *cs)
{
cs->eb.bitmask = EBT_NOPROTO;
nft_rule_to_iptables_command_state(r, cs);
nft_rule_to_iptables_command_state(h, r, cs);
}
static void print_iface(const char *option, const char *name, bool invert)
......@@ -422,22 +640,6 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)
printf("%s ", ent->e_name);
}
static void nft_bridge_save_counters(const void *data)
{
const char *ctr;
if (ebt_legacy_counter_fmt)
return;
ctr = getenv("EBTABLES_SAVE_COUNTER");
if (ctr) {
ebt_legacy_counter_fmt = true;
return;
}
save_counters(data);
}
static void nft_bridge_save_rule(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
......@@ -474,29 +676,30 @@ static void nft_bridge_save_rule(const void *data, unsigned int format)
cs->target->print(&cs->fw, cs->target->t, format & FMT_NUMERIC);
}
if (format & FMT_EBT_SAVE)
printf(" -c %"PRIu64" %"PRIu64"",
(uint64_t)cs->counters.pcnt,
(uint64_t)cs->counters.bcnt);
if (!(format & FMT_NOCOUNTS))
printf(" , pcnt = %"PRIu64" -- bcnt = %"PRIu64"",
(uint64_t)cs->counters.pcnt,
(uint64_t)cs->counters.bcnt);
if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS) {
if (format & FMT_EBT_SAVE)
printf(" -c %"PRIu64" %"PRIu64"",
(uint64_t)cs->counters.pcnt,
(uint64_t)cs->counters.bcnt);
else
printf(" , pcnt = %"PRIu64" -- bcnt = %"PRIu64"",
(uint64_t)cs->counters.pcnt,
(uint64_t)cs->counters.bcnt);
}
if (!(format & FMT_NONEWLINE))
fputc('\n', stdout);
}
static void nft_bridge_print_rule(struct nftnl_rule *r, unsigned int num,
unsigned int format)
static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
struct iptables_command_state cs = {};
if (format & FMT_LINENUMBERS)
printf("%d ", num);
nft_rule_to_ebtables_command_state(r, &cs);
nft_rule_to_ebtables_command_state(h, r, &cs);
nft_bridge_save_rule(&cs, format);
ebt_cs_clean(&cs);
}
......@@ -553,41 +756,6 @@ static bool nft_bridge_is_same(const void *data_a, const void *data_b)
return strcmp(a->in, b->in) == 0 && strcmp(a->out, b->out) == 0;
}
static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
void *data)
{
struct iptables_command_state *cs = data;
struct iptables_command_state this = {};
bool ret = false;
nft_rule_to_ebtables_command_state(r, &this);
DEBUGP("comparing with... ");
if (!nft_bridge_is_same(cs, &this))
goto out;
if (!compare_matches(cs->matches, this.matches)) {
DEBUGP("Different matches\n");
goto out;
}
if (!compare_targets(cs->target, this.target)) {
DEBUGP("Different target\n");
goto out;
}
if (cs->jumpto != NULL && strcmp(cs->jumpto, this.jumpto) != 0) {
DEBUGP("Different verdict\n");
goto out;
}
ret = true;
out:
ops->clear_cs(&this);
return ret;
}
static int xlate_ebmatches(const struct iptables_command_state *cs, struct xt_xlate *xl)
{
int ret = 1, numeric = cs->options & OPT_NUMERIC;
......@@ -757,17 +925,16 @@ struct nft_family_ops nft_family_ops_bridge = {
.parse_meta = nft_bridge_parse_meta,
.parse_payload = nft_bridge_parse_payload,
.parse_immediate = nft_bridge_parse_immediate,
.parse_lookup = nft_bridge_parse_lookup,
.parse_match = nft_bridge_parse_match,
.parse_target = nft_bridge_parse_target,
.print_table_header = nft_bridge_print_table_header,
.print_header = nft_bridge_print_header,
.print_rule = nft_bridge_print_rule,
.save_rule = nft_bridge_save_rule,
.save_counters = nft_bridge_save_counters,
.save_chain = nft_bridge_save_chain,
.post_parse = NULL,
.rule_to_cs = nft_rule_to_ebtables_command_state,
.clear_cs = ebt_cs_clean,
.rule_find = nft_bridge_rule_find,
.xlate = nft_bridge_xlate,
};
iptables/nft-bridge.h
View file @ 268c6aa1
......@@ -122,4 +122,60 @@ void ebt_add_watcher(struct xtables_target *watcher,
struct iptables_command_state *cs);
int ebt_command_default(struct iptables_command_state *cs);
struct nft_among_pair {
struct ether_addr ether;
struct in_addr in __attribute__((aligned (4)));
};
struct nft_among_data {
struct {
size_t cnt;
bool inv;
bool ip;
} src, dst;
/* first source, then dest pairs */
struct nft_among_pair pairs[0];
};
/* initialize fields, return offset into pairs array to write pairs to */
static inline size_t
nft_among_prepare_data(struct nft_among_data *data, bool dst,
size_t cnt, bool inv, bool ip)
{
size_t poff;
if (dst) {
data->dst.cnt = cnt;
data->dst.inv = inv;
data->dst.ip = ip;
poff = data->src.cnt;
} else {
data->src.cnt = cnt;
data->src.inv = inv;
data->src.ip = ip;
poff = 0;
memmove(data->pairs + cnt, data->pairs,
data->dst.cnt * sizeof(*data->pairs));
}
return poff;
}
static inline void
nft_among_insert_pair(struct nft_among_pair *pairs,
size_t *pcount, const struct nft_among_pair *new)
{
int i;
/* nftables automatically sorts set elements from smallest to largest,
* insert sorted so extension comparison works */
for (i = 0; i < *pcount; i++) {
if (memcmp(new, &pairs[i], sizeof(*new)) < 0)
break;
}
memmove(&pairs[i + 1], &pairs[i], sizeof(*pairs) * (*pcount - i));
memcpy(&pairs[i], new, sizeof(*new));
(*pcount)++;
}
#endif
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment