Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
adam.huang
Pkg Iptables
Commits
290749d4
Commit
290749d4
authored
5 years ago
by
Arturo Borrero Gonzalez
Browse files
Options
Download
Email Patches
Plain Diff
New upstream version 1.8.4
parent
89c92f0c
master
debian/buster-backports
upstream
upstream/1.8.7
upstream/1.8.6
upstream/1.8.5
upstream/1.8.4
debian/1.8.7-1
debian/1.8.6-1
debian/1.8.5-3
debian/1.8.5-3_bpo10+1
debian/1.8.5-2
debian/1.8.5-1
debian/1.8.4-3
debian/1.8.4-2
debian/1.8.4-1
No related merge requests found
Changes
87
Hide whitespace changes
Inline
Side-by-side
Showing
20 changed files
iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0
+42
-0
...es/tests/shell/testcases/ipt-restore/0007-flush-noflush_0
iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
+22
-0
...tests/shell/testcases/ipt-restore/0008-restore-counters_0
iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0
+30
-0
...sts/shell/testcases/ipt-restore/0009-table-name-comment_0
iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
+13
-0
iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables.xml
+925
-0
...ests/shell/testcases/ipt-save/dumps/fedora27-iptables.xml
iptables/xshared.c
+122
-51
iptables/xshared.c
iptables/xshared.h
+49
-12
iptables/xshared.h
iptables/xtables-arp.c
+57
-445
iptables/xtables-arp.c
iptables/xtables-config-parser.y
+0
-248
iptables/xtables-config-parser.y
iptables/xtables-config-syntax.l
+0
-54
iptables/xtables-config-syntax.l
iptables/xtables-eb-standalone.c
+1
-1
iptables/xtables-eb-standalone.c
iptables/xtables-eb.c
+14
-6
iptables/xtables-eb.c
iptables/xtables-monitor.c
+18
-4
iptables/xtables-monitor.c
iptables/xtables-restore.c
+271
-237
iptables/xtables-restore.c
iptables/xtables-save.c
+62
-189
iptables/xtables-save.c
iptables/xtables-translate.c
+10
-8
iptables/xtables-translate.c
iptables/xtables.c
+19
-48
iptables/xtables.c
libipq/Makefile.in
+4
-10
libipq/Makefile.in
libiptc/Makefile.am
+2
-5
libiptc/Makefile.am
libiptc/Makefile.in
+8
-28
libiptc/Makefile.in
with
1669 additions
and
1346 deletions
+1669
-1346
iptables/tests/shell/testcases/ipt-restore/0007-flush-noflush_0
0 → 100755
View file @
290749d4
#!/bin/bash
# Make sure iptables-restore without --noflush does not flush tables other than
# those contained in the dump it's reading from
set
-e
$XT_MULTI
iptables-restore
<<
EOF
*nat
-A POSTROUTING -j ACCEPT
COMMIT
EOF
EXPECT
=
"*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j ACCEPT
COMMIT"
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
|
sort
)
<
(
$XT_MULTI
iptables-save |
grep
-v
'^#'
|
sort
)
$XT_MULTI
iptables-restore
<<
EOF
*filter
-A FORWARD -j ACCEPT
COMMIT
EOF
EXPECT
=
"*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j ACCEPT
COMMIT"
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
|
sort
)
<
(
$XT_MULTI
iptables-save |
grep
-v
'^#'
|
sort
)
This diff is collapsed.
Click to expand it.
iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
0 → 100755
View file @
290749d4
#!/bin/bash
set
-e
DUMP
=
"*filter
:foo - [23:42]
[13:37] -A foo -j ACCEPT
COMMIT
"
EXPECT
=
":foo - [0:0]
[0:0] -A foo -j ACCEPT"
$XT_MULTI
iptables-restore
<<<
"
$DUMP
"
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
)
<
(
$XT_MULTI
iptables-save
--counters
|
grep
foo
)
# iptables-*-restore ignores custom chain counters :(
EXPECT
=
":foo - [0:0]
[13:37] -A foo -j ACCEPT"
$XT_MULTI
iptables-restore
--counters
<<<
"
$DUMP
"
diff
-u
-Z
<
(
echo
-e
"
$EXPECT
"
)
<
(
$XT_MULTI
iptables-save
--counters
|
grep
foo
)
This diff is collapsed.
Click to expand it.
iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0
0 → 100755
View file @
290749d4
#!/bin/bash
# when restoring a ruleset, *tables-restore prefixes each rule with
# '-t <tablename>' so standard rule parsing routines may be used. This means
# that it has to detect and reject rules which already contain a table option.
families
=
"ip ip6"
[[
$(
basename
$XT_MULTI
)
==
xtables-nft-multi
]]
&&
families+
=
" eb"
for
fam
in
$families
;
do
$XT_MULTI
${
fam
}
tables-restore
<<
EOF
*filter
-t nat -A FORWARD -j ACCEPT
COMMIT
EOF
[[
$?
!=
0
]]
||
{
echo
"
${
fam
}
tables-restore did not fail when it should have"
exit
1
}
$XT_MULTI
${
fam
}
tables-restore
<<
EOF
*filter
-A FORWARD -j ACCEPT
COMMIT
EOF
[[
$?
==
0
]]
||
{
echo
"
${
fam
}
tables-restore failed when it should not have"
exit
1
}
done
This diff is collapsed.
Click to expand it.
iptables/tests/shell/testcases/ipt-save/0006iptables-xml_0
0 → 100755
View file @
290749d4
#!/bin/bash
case
"
$(
basename
$XT_MULTI
)
"
in
xtables-legacy-multi
)
;;
*
)
echo
"skip
$XT_MULTI
"
exit
0
;;
esac
dump
=
$(
dirname
$0
)
/dumps/fedora27-iptables
diff
-u
-Z
<
(
cat
${
dump
}
.xml
)
<
(
$XT_MULTI
iptables-xml <
$dump
)
This diff is collapsed.
Click to expand it.
iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables.xml
0 → 100644
View file @
290749d4
<iptables-rules
version=
"1.0"
>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
<!-- # Generated by iptables*-save v1.6.1 on Sat Feb 17 10:50:33 2018 -->
<table
name=
"mangle"
>
<chain
name=
"PREROUTING"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"1"
byte-count=
"2"
>
<actions>
<call
>
<PREROUTING_direct
/>
</call>
</actions>
</rule>
<rule
packet-count=
"3"
byte-count=
"4"
>
<actions>
<call
>
<PREROUTING_ZONES_SOURCE
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PREROUTING_ZONES
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"INPUT"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<INPUT_direct
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"FORWARD"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FORWARD_direct
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"OUTPUT"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<OUTPUT_direct
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"POSTROUTING"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<o
>
virbr0
</o>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
68
</dport>
</udp>
</conditions>
<actions>
<CHECKSUM
>
<checksum-fill
/>
</CHECKSUM>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<POSTROUTING_direct
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"PREROUTING_ZONES"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
wlp58s0
</i>
</match>
</conditions>
<actions>
<goto
>
<PRE_FedoraWorkstation
/>
</goto>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<goto
>
<PRE_FedoraWorkstation
/>
</goto>
</actions>
</rule>
</chain>
<chain
name=
"PRE_FedoraWorkstation"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PRE_FedoraWorkstation_log
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PRE_FedoraWorkstation_deny
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PRE_FedoraWorkstation_allow
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"FORWARD_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"INPUT_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"OUTPUT_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"POSTROUTING_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PREROUTING_ZONES_SOURCE"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PREROUTING_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PRE_FedoraWorkstation_allow"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PRE_FedoraWorkstation_deny"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PRE_FedoraWorkstation_log"
packet-count=
"0"
byte-count=
"0"
/>
</table>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
<!-- # Generated by iptables*-save v1.6.1 on Sat Feb 17 10:50:33 2018 -->
<table
name=
"raw"
>
<chain
name=
"PREROUTING"
policy=
"ACCEPT"
packet-count=
"1681"
byte-count=
"2620433"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PREROUTING_direct
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PREROUTING_ZONES_SOURCE
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PREROUTING_ZONES
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"OUTPUT"
policy=
"ACCEPT"
packet-count=
"1619"
byte-count=
"171281"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<OUTPUT_direct
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"PREROUTING_ZONES"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
wlp58s0
</i>
</match>
</conditions>
<actions>
<goto
>
<PRE_FedoraWorkstation
/>
</goto>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<goto
>
<PRE_FedoraWorkstation
/>
</goto>
</actions>
</rule>
</chain>
<chain
name=
"PRE_FedoraWorkstation"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PRE_FedoraWorkstation_log
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PRE_FedoraWorkstation_deny
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<PRE_FedoraWorkstation_allow
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"PRE_FedoraWorkstation_allow"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
137
</dport>
</udp>
</conditions>
<actions>
<CT
>
<helper
>
netbios-ns
</helper>
</CT>
</actions>
</rule>
</chain>
<chain
name=
"OUTPUT_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PREROUTING_ZONES_SOURCE"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PREROUTING_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PRE_FedoraWorkstation_deny"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"PRE_FedoraWorkstation_log"
packet-count=
"0"
byte-count=
"0"
/>
</table>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
<!-- # Generated by iptables*-save v1.6.1 on Sat Feb 17 10:50:33 2018 -->
<table
name=
"filter"
>
<chain
name=
"INPUT"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"5"
byte-count=
"6"
>
<conditions>
<match
>
<i
>
virbr0
</i>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
53
</dport>
</udp>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"123456789"
>
<conditions>
<match
>
<i
>
virbr0
</i>
<p
>
tcp
</p>
</match>
<tcp
>
<dport
>
53
</dport>
</tcp>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
virbr0
</i>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
67
</dport>
</udp>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
virbr0
</i>
<p
>
tcp
</p>
</match>
<tcp
>
<dport
>
67
</dport>
</tcp>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<conntrack
>
<ctstate
>
RELATED,ESTABLISHED
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
lo
</i>
</match>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<INPUT_direct
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<INPUT_ZONES_SOURCE
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<INPUT_ZONES
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<conntrack
>
<ctstate
>
INVALID
</ctstate>
</conntrack>
</conditions>
<actions>
<DROP
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<REJECT
>
<reject-with
>
icmp-host-prohibited
</reject-with>
</REJECT>
</actions>
</rule>
</chain>
<chain
name=
"FORWARD"
policy=
"ACCEPT"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<d
>
192.168.122.0/24
</d>
<o
>
virbr0
</o>
</match>
<conntrack
>
<ctstate
>
RELATED,ESTABLISHED
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<s
>
192.168.122.0/24
</s>
<i
>
virbr0
</i>
</match>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
virbr0
</i>
<o
>
virbr0
</o>
</match>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<o
>
virbr0
</o>
</match>
</conditions>
<actions>
<REJECT
>
<reject-with
>
icmp-port-unreachable
</reject-with>
</REJECT>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
virbr0
</i>
</match>
</conditions>
<actions>
<REJECT
>
<reject-with
>
icmp-port-unreachable
</reject-with>
</REJECT>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<conntrack
>
<ctstate
>
RELATED,ESTABLISHED
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
lo
</i>
</match>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FORWARD_direct
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FORWARD_IN_ZONES_SOURCE
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FORWARD_IN_ZONES
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FORWARD_OUT_ZONES_SOURCE
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FORWARD_OUT_ZONES
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<conntrack
>
<ctstate
>
INVALID
</ctstate>
</conntrack>
</conditions>
<actions>
<DROP
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<REJECT
>
<reject-with
>
icmp-host-prohibited
</reject-with>
</REJECT>
</actions>
</rule>
</chain>
<chain
name=
"OUTPUT"
policy=
"ACCEPT"
packet-count=
"1619"
byte-count=
"171281"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<o
>
virbr0
</o>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
68
</dport>
</udp>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<OUTPUT_direct
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"FORWARD_IN_ZONES"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
wlp58s0
</i>
</match>
</conditions>
<actions>
<goto
>
<FWDI_FedoraWorkstation
/>
</goto>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<goto
>
<FWDI_FedoraWorkstation
/>
</goto>
</actions>
</rule>
</chain>
<chain
name=
"FORWARD_OUT_ZONES"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<o
>
wlp58s0
</o>
</match>
</conditions>
<actions>
<goto
>
<FWDO_FedoraWorkstation
/>
</goto>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<goto
>
<FWDO_FedoraWorkstation
/>
</goto>
</actions>
</rule>
</chain>
<chain
name=
"FWDI_FedoraWorkstation"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FWDI_FedoraWorkstation_log
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FWDI_FedoraWorkstation_deny
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FWDI_FedoraWorkstation_allow
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
icmp
</p>
</match>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
</chain>
<chain
name=
"FWDO_FedoraWorkstation"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FWDO_FedoraWorkstation_log
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FWDO_FedoraWorkstation_deny
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<FWDO_FedoraWorkstation_allow
/>
</call>
</actions>
</rule>
</chain>
<chain
name=
"INPUT_ZONES"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<i
>
wlp58s0
</i>
</match>
</conditions>
<actions>
<goto
>
<IN_FedoraWorkstation
/>
</goto>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<goto
>
<IN_FedoraWorkstation
/>
</goto>
</actions>
</rule>
</chain>
<chain
name=
"IN_FedoraWorkstation"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<IN_FedoraWorkstation_log
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<IN_FedoraWorkstation_deny
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<actions>
<call
>
<IN_FedoraWorkstation_allow
/>
</call>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
icmp
</p>
</match>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
</chain>
<chain
name=
"IN_FedoraWorkstation_allow"
packet-count=
"0"
byte-count=
"0"
>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
137
</dport>
</udp>
<conntrack
>
<ctstate
>
NEW
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
138
</dport>
</udp>
<conntrack
>
<ctstate
>
NEW
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
tcp
</p>
</match>
<tcp
>
<dport
>
22
</dport>
</tcp>
<conntrack
>
<ctstate
>
NEW
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<d
>
224.0.0.251/32
</d>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
5353
</dport>
</udp>
<conntrack
>
<ctstate
>
NEW
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"0"
byte-count=
"0"
>
<conditions>
<match
>
<p
>
udp
</p>
</match>
<udp
>
<dport
>
1025:65535
</dport>
</udp>
<conntrack
>
<ctstate
>
NEW
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
<rule
packet-count=
"7"
byte-count=
"8"
>
<conditions>
<match
>
<p
>
tcp
</p>
</match>
<tcp
>
<dport
>
1025:65535
</dport>
</tcp>
<conntrack
>
<ctstate
>
NEW
</ctstate>
</conntrack>
</conditions>
<actions>
<ACCEPT
/>
</actions>
</rule>
</chain>
<chain
name=
"FORWARD_IN_ZONES_SOURCE"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FORWARD_OUT_ZONES_SOURCE"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FORWARD_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FWDI_FedoraWorkstation_allow"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FWDI_FedoraWorkstation_deny"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FWDI_FedoraWorkstation_log"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FWDO_FedoraWorkstation_allow"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FWDO_FedoraWorkstation_deny"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"FWDO_FedoraWorkstation_log"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"INPUT_ZONES_SOURCE"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"INPUT_direct"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"IN_FedoraWorkstation_deny"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"IN_FedoraWorkstation_log"
packet-count=
"0"
byte-count=
"0"
/>
<chain
name=
"OUTPUT_direct"
packet-count=
"0"
byte-count=
"0"
/>
</table>
<!-- # Completed on Sat Feb 17 10:50:33 2018 -->
</iptables-rules>
This diff is collapsed.
Click to expand it.
iptables/xshared.c
View file @
290749d4
...
...
@@ -181,7 +181,6 @@ int command_default(struct iptables_command_state *cs,
xtables_error
(
PARAMETER_PROBLEM
,
"unknown option "
"
\"
%s
\"
"
,
cs
->
argv
[
optind
-
1
]);
xtables_error
(
PARAMETER_PROBLEM
,
"Unknown arg
\"
%s
\"
"
,
optarg
);
return
0
;
}
static
mainfunc_t
subcmd_get
(
const
char
*
cmd
,
const
struct
subcommand
*
cb
)
...
...
@@ -374,6 +373,43 @@ int parse_counters(const char *string, struct xt_counters *ctr)
return
ret
==
2
;
}
/* Tokenize counters argument of typical iptables-restore format rule.
*
* If *bufferp contains counters, update *pcntp and *bcntp to point at them,
* change bytes after counters in *bufferp to nul-bytes, update *bufferp to
* point to after the counters and return true.
* If *bufferp does not contain counters, return false.
* If syntax is wrong in *bufferp, call xtables_error() and hence exit().
* */
bool
tokenize_rule_counters
(
char
**
bufferp
,
char
**
pcntp
,
char
**
bcntp
,
int
line
)
{
char
*
ptr
,
*
buffer
=
*
bufferp
,
*
pcnt
,
*
bcnt
;
if
(
buffer
[
0
]
!=
'['
)
return
false
;
/* we have counters in our input */
ptr
=
strchr
(
buffer
,
']'
);
if
(
!
ptr
)
xtables_error
(
PARAMETER_PROBLEM
,
"Bad line %u: need ]
\n
"
,
line
);
pcnt
=
strtok
(
buffer
+
1
,
":"
);
if
(
!
pcnt
)
xtables_error
(
PARAMETER_PROBLEM
,
"Bad line %u: need :
\n
"
,
line
);
bcnt
=
strtok
(
NULL
,
"]"
);
if
(
!
bcnt
)
xtables_error
(
PARAMETER_PROBLEM
,
"Bad line %u: need ]
\n
"
,
line
);
*
pcntp
=
pcnt
;
*
bcntp
=
bcnt
;
/* start command parsing after counter */
*
bufferp
=
ptr
+
1
;
return
true
;
}
inline
bool
xs_has_arg
(
int
argc
,
char
*
argv
[])
{
return
optind
<
argc
&&
...
...
@@ -381,56 +417,48 @@ inline bool xs_has_arg(int argc, char *argv[])
argv
[
optind
][
0
]
!=
'!'
;
}
/* global new argv and argc */
char
*
newargv
[
255
];
int
newargc
=
0
;
/* saved newargv and newargc from save_argv() */
char
*
oldargv
[
255
];
int
oldargc
=
0
;
/* arg meta data, were they quoted, frinstance */
int
newargvattr
[
255
];
/* function adding one argument to newargv, updating newargc
* returns true if argument added, false otherwise */
int
add_argv
(
const
char
*
what
,
int
quoted
)
/* function adding one argument to store, updating argc
* returns if argument added, does not return otherwise */
void
add_argv
(
struct
argv_store
*
store
,
const
char
*
what
,
int
quoted
)
{
DEBUGP
(
"add_argv: %s
\n
"
,
what
);
if
(
what
&&
newargc
+
1
<
ARRAY_SIZE
(
newargv
))
{
newargv
[
newargc
]
=
strdup
(
what
);
newargvattr
[
newargc
]
=
quoted
;
newargv
[
++
newargc
]
=
NULL
;
return
1
;
}
else
{
if
(
store
->
argc
+
1
>=
MAX_ARGC
)
xtables_error
(
PARAMETER_PROBLEM
,
"Parser cannot handle more arguments
\n
"
);
}
if
(
!
what
)
xtables_error
(
PARAMETER_PROBLEM
,
"Trying to store NULL argument
\n
"
);
store
->
argv
[
store
->
argc
]
=
strdup
(
what
);
store
->
argvattr
[
store
->
argc
]
=
quoted
;
store
->
argv
[
++
store
->
argc
]
=
NULL
;
}
void
free_argv
(
void
)
void
free_argv
(
struct
argv_store
*
store
)
{
while
(
newargc
)
free
(
newargv
[
--
newargc
]);
while
(
oldargc
)
free
(
oldargv
[
--
oldargc
]);
while
(
store
->
argc
)
{
store
->
argc
--
;
free
(
store
->
argv
[
store
->
argc
]);
store
->
argvattr
[
store
->
argc
]
=
0
;
}
}
/* Save parsed rule for comparison with next rule to perform action aggregation
* on duplicate conditions.
*/
void
save_argv
(
void
)
void
save_argv
(
struct
argv_store
*
dst
,
struct
argv_store
*
src
)
{
unsigned
int
i
;
while
(
oldargc
)
free
(
oldargv
[
--
oldargc
]);
int
i
;
oldargc
=
newargc
;
newargc
=
0
;
for
(
i
=
0
;
i
<
oldargc
;
i
++
)
{
oldargv
[
i
]
=
newargv
[
i
];
free_argv
(
dst
);
for
(
i
=
0
;
i
<
src
->
argc
;
i
++
)
{
dst
->
argvattr
[
i
]
=
src
->
argvattr
[
i
];
dst
->
argv
[
i
]
=
src
->
argv
[
i
];
src
->
argv
[
i
]
=
NULL
;
}
dst
->
argc
=
src
->
argc
;
src
->
argc
=
0
;
}
struct
xt_param_buf
{
...
...
@@ -446,9 +474,9 @@ static void add_param(struct xt_param_buf *param, const char *curchar)
"Parameter too long!"
);
}
void
add_param_to_argv
(
char
*
parsestart
,
int
line
)
void
add_param_to_argv
(
struct
argv_store
*
store
,
char
*
parsestart
,
int
line
)
{
int
quote_open
=
0
,
escaped
=
0
;
int
quote_open
=
0
,
escaped
=
0
,
quoted
=
0
;
struct
xt_param_buf
param
=
{};
char
*
curchar
;
...
...
@@ -475,6 +503,7 @@ void add_param_to_argv(char *parsestart, int line)
}
else
{
if
(
*
curchar
==
'"'
)
{
quote_open
=
1
;
quoted
=
1
;
continue
;
}
}
...
...
@@ -497,23 +526,26 @@ void add_param_to_argv(char *parsestart, int line)
}
param
.
buffer
[
param
.
len
]
=
'\0'
;
/* check if table name specified */
if
((
param
.
buffer
[
0
]
==
'-'
&&
param
.
buffer
[
1
]
!=
'-'
&&
strchr
(
param
.
buffer
,
't'
))
||
(
!
strncmp
(
param
.
buffer
,
"--t"
,
3
)
&&
!
strncmp
(
param
.
buffer
,
"--table"
,
strlen
(
param
.
buffer
))))
{
xtables_error
(
PARAMETER_PROBLEM
,
"The -t option (seen in line %u) cannot be used in %s.
\n
"
,
line
,
xt_params
->
program_name
);
}
add_argv
(
param
.
buffer
,
0
);
add_argv
(
store
,
param
.
buffer
,
quoted
);
param
.
len
=
0
;
quoted
=
0
;
}
if
(
param
.
len
)
{
param
.
buffer
[
param
.
len
]
=
'\0'
;
add_argv
(
store
,
param
.
buffer
,
0
);
}
}
#ifdef DEBUG
void
debug_print_argv
(
struct
argv_store
*
store
)
{
int
i
;
for
(
i
=
0
;
i
<
store
->
argc
;
i
++
)
fprintf
(
stderr
,
"argv[%d]: %s
\n
"
,
i
,
store
->
argv
[
i
]);
}
#endif
static
const
char
*
ipv4_addr_to_string
(
const
struct
in_addr
*
addr
,
const
struct
in_addr
*
mask
,
unsigned
int
format
)
...
...
@@ -704,3 +736,42 @@ void command_jump(struct iptables_command_state *cs, const char *jumpto)
xtables_error
(
OTHER_PROBLEM
,
"can't alloc memory!"
);
xt_params
->
opts
=
opts
;
}
char
cmd2char
(
int
option
)
{
/* cmdflags index corresponds with position of bit in CMD_* values */
static
const
char
cmdflags
[]
=
{
'I'
,
'D'
,
'D'
,
'R'
,
'A'
,
'L'
,
'F'
,
'Z'
,
'N'
,
'X'
,
'P'
,
'E'
,
'S'
,
'Z'
,
'C'
};
int
i
;
for
(
i
=
0
;
option
>
1
;
option
>>=
1
,
i
++
)
;
if
(
i
>=
ARRAY_SIZE
(
cmdflags
))
xtables_error
(
OTHER_PROBLEM
,
"cmd2char(): Invalid command number %u.
\n
"
,
1
<<
i
);
return
cmdflags
[
i
];
}
void
add_command
(
unsigned
int
*
cmd
,
const
int
newcmd
,
const
int
othercmds
,
int
invert
)
{
if
(
invert
)
xtables_error
(
PARAMETER_PROBLEM
,
"unexpected '!' flag"
);
if
(
*
cmd
&
(
~
othercmds
))
xtables_error
(
PARAMETER_PROBLEM
,
"Cannot use -%c with -%c
\n
"
,
cmd2char
(
newcmd
),
cmd2char
(
*
cmd
&
(
~
othercmds
)));
*
cmd
|=
newcmd
;
}
/* Can't be zero. */
int
parse_rulenumber
(
const
char
*
rule
)
{
unsigned
int
rulenum
;
if
(
!
xtables_strtoui
(
rule
,
NULL
,
&
rulenum
,
1
,
INT_MAX
))
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid rule number `%s'"
,
rule
);
return
rulenum
;
}
This diff is collapsed.
Click to expand it.
iptables/xshared.h
View file @
290749d4
...
...
@@ -11,7 +11,7 @@
#include <linux/netfilter_ipv6/ip6_tables.h>
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(std
out
, x, ## args)
#define DEBUGP(x, args...) fprintf(std
err
, x, ## args)
#else
#define DEBUGP(x, args...)
#endif
...
...
@@ -29,8 +29,35 @@ enum {
OPT_VIANAMEOUT
=
1
<<
8
,
OPT_LINENUMBERS
=
1
<<
9
,
OPT_COUNTERS
=
1
<<
10
,
/* below are for arptables only */
OPT_S_MAC
=
1
<<
11
,
OPT_D_MAC
=
1
<<
12
,
OPT_H_LENGTH
=
1
<<
13
,
OPT_OPCODE
=
1
<<
14
,
OPT_H_TYPE
=
1
<<
15
,
OPT_P_TYPE
=
1
<<
16
,
};
enum
{
CMD_NONE
=
0
,
CMD_INSERT
=
1
<<
0
,
CMD_DELETE
=
1
<<
1
,
CMD_DELETE_NUM
=
1
<<
2
,
CMD_REPLACE
=
1
<<
3
,
CMD_APPEND
=
1
<<
4
,
CMD_LIST
=
1
<<
5
,
CMD_FLUSH
=
1
<<
6
,
CMD_ZERO
=
1
<<
7
,
CMD_NEW_CHAIN
=
1
<<
8
,
CMD_DELETE_CHAIN
=
1
<<
9
,
CMD_SET_POLICY
=
1
<<
10
,
CMD_RENAME_CHAIN
=
1
<<
11
,
CMD_LIST_RULES
=
1
<<
12
,
CMD_ZERO_NUM
=
1
<<
13
,
CMD_CHECK
=
1
<<
14
,
};
#define NUMBER_OF_CMD 16
struct
xtables_globals
;
struct
xtables_rule_match
;
struct
xtables_target
;
...
...
@@ -151,22 +178,27 @@ extern int xtables_lock_or_exit(int wait, struct timeval *tv);
int
parse_wait_time
(
int
argc
,
char
*
argv
[]);
void
parse_wait_interval
(
int
argc
,
char
*
argv
[],
struct
timeval
*
wait_interval
);
int
parse_counters
(
const
char
*
string
,
struct
xt_counters
*
ctr
);
bool
tokenize_rule_counters
(
char
**
bufferp
,
char
**
pcnt
,
char
**
bcnt
,
int
line
);
bool
xs_has_arg
(
int
argc
,
char
*
argv
[]);
extern
const
struct
xtables_afinfo
*
afinfo
;
extern
char
*
newargv
[];
extern
int
newargc
;
extern
char
*
oldargv
[];
extern
int
oldargc
;
extern
int
newargvattr
[];
#define MAX_ARGC 255
struct
argv_store
{
int
argc
;
char
*
argv
[
MAX_ARGC
];
int
argvattr
[
MAX_ARGC
];
};
int
add_argv
(
const
char
*
what
,
int
quoted
);
void
free_argv
(
void
);
void
save_argv
(
void
);
void
add_param_to_argv
(
char
*
parsestart
,
int
line
);
void
add_argv
(
struct
argv_store
*
store
,
const
char
*
what
,
int
quoted
);
void
free_argv
(
struct
argv_store
*
store
);
void
save_argv
(
struct
argv_store
*
dst
,
struct
argv_store
*
src
);
void
add_param_to_argv
(
struct
argv_store
*
store
,
char
*
parsestart
,
int
line
);
#ifdef DEBUG
void
debug_print_argv
(
struct
argv_store
*
store
);
#else
# define debug_print_argv(...)
/* nothing */
#endif
void
print_ipv4_addresses
(
const
struct
ipt_entry
*
fw
,
unsigned
int
format
);
void
print_ipv6_addresses
(
const
struct
ip6t_entry
*
fw6
,
unsigned
int
format
);
...
...
@@ -178,4 +210,9 @@ void command_match(struct iptables_command_state *cs);
const
char
*
xt_parse_target
(
const
char
*
targetname
);
void
command_jump
(
struct
iptables_command_state
*
cs
,
const
char
*
jumpto
);
char
cmd2char
(
int
option
);
void
add_command
(
unsigned
int
*
cmd
,
const
int
newcmd
,
const
int
othercmds
,
int
invert
);
int
parse_rulenumber
(
const
char
*
rule
);
#endif
/* IPTABLES_XSHARED_H */
This diff is collapsed.
Click to expand it.
iptables/xtables-arp.c
View file @
290749d4
...
...
@@ -27,7 +27,7 @@
This tool is not luser-proof: you can specify an Ethernet source address
and set hardware length to something different than 6, f.e.
*/
#include "config.h"
#include <getopt.h>
#include <string.h>
#include <netdb.h>
...
...
@@ -53,56 +53,6 @@
#include "nft-arp.h"
#include <linux/netfilter_arp/arp_tables.h>
typedef
char
arpt_chainlabel
[
32
];
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
/* XXX: command defined by nft-shared.h do not overlap with these two */
#undef CMD_CHECK
#undef CMD_RENAME_CHAIN
#define CMD_NONE 0x0000U
#define CMD_INSERT 0x0001U
#define CMD_DELETE 0x0002U
#define CMD_DELETE_NUM 0x0004U
#define CMD_REPLACE 0x0008U
#define CMD_APPEND 0x0010U
#define CMD_LIST 0x0020U
#define CMD_FLUSH 0x0040U
#define CMD_ZERO 0x0080U
#define CMD_NEW_CHAIN 0x0100U
#define CMD_DELETE_CHAIN 0x0200U
#define CMD_SET_POLICY 0x0400U
#define CMD_CHECK 0x0800U
#define CMD_RENAME_CHAIN 0x1000U
#define NUMBER_OF_CMD 13
static
const
char
cmdflags
[]
=
{
'I'
,
'D'
,
'D'
,
'R'
,
'A'
,
'L'
,
'F'
,
'Z'
,
'N'
,
'X'
,
'P'
,
'E'
};
#define OPTION_OFFSET 256
#define OPT_NONE 0x00000U
#define OPT_NUMERIC 0x00001U
#define OPT_S_IP 0x00002U
#define OPT_D_IP 0x00004U
#define OPT_S_MAC 0x00008U
#define OPT_D_MAC 0x00010U
#define OPT_H_LENGTH 0x00020U
#define OPT_P_LENGTH 0x00040U
#define OPT_OPCODE 0x00080U
#define OPT_H_TYPE 0x00100U
#define OPT_P_TYPE 0x00200U
#define OPT_JUMP 0x00400U
#define OPT_VERBOSE 0x00800U
#define OPT_VIANAMEIN 0x01000U
#define OPT_VIANAMEOUT 0x02000U
#define OPT_LINENUMBERS 0x04000U
#define OPT_COUNTERS 0x08000U
#define NUMBER_OF_OPT 16
static
const
char
optflags
[
NUMBER_OF_OPT
]
=
{
'n'
,
's'
,
'd'
,
2
,
3
,
7
,
8
,
4
,
5
,
6
,
'j'
,
'v'
,
'i'
,
'o'
,
'0'
,
'c'
};
...
...
@@ -148,85 +98,39 @@ static struct option original_opts[] = {
{
0
}
};
int
RUNTIME_NF_ARP_NUMHOOKS
=
3
;
#define opts xt_params->opts
extern
void
xtables_exit_error
(
enum
xtables_exittype
status
,
const
char
*
msg
,
...)
__attribute__
((
noreturn
,
format
(
printf
,
2
,
3
)));
struct
xtables_globals
arptables_globals
=
{
.
option_offset
=
0
,
.
program_version
=
IPTABLES
_VERSION
,
.
program_version
=
PACKAGE
_VERSION
,
.
orig_opts
=
original_opts
,
.
exit_err
=
xtables_exit_error
,
.
compat_rev
=
nft_compatible_revision
,
};
/* Table of legal combinations of commands and options. If any of the
* given commands make an option legal, that option is legal (applies to
* CMD_LIST and CMD_ZERO only).
* Key:
* + compulsory
* x illegal
* optional
*/
static
char
commands_v_options
[
NUMBER_OF_CMD
][
NUMBER_OF_OPT
]
=
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
/* -n -s -d -p -j -v -x -i -o -f --line */
/*INSERT*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*DELETE*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*DELETE_NUM*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*REPLACE*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*APPEND*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*LIST*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*FLUSH*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*ZERO*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*NEW_CHAIN*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*DEL_CHAIN*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*SET_POLICY*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*CHECK*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
},
/*RENAME*/
{
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
,
' '
}
};
static
int
inverse_for_options
[
NUMBER_OF_OPT
]
=
/* index relates to bit of each OPT_* value */
static
int
inverse_for_options
[]
=
{
/* -n */
0
,
/* -s */
ARPT_INV_SRCIP
,
/* -d */
ARPT_INV_TGTIP
,
/* 2 */
ARPT_INV_SRCDEVADDR
,
/* 3 */
ARPT_INV_TGTDEVADDR
,
/* -l */
ARPT_INV_ARPHLN
,
/* 8 */
0
,
/* 4 */
ARPT_INV_ARPOP
,
/* 5 */
ARPT_INV_ARPHRD
,
/* 6 */
ARPT_INV_ARPPRO
,
/* -p */
0
,
/* -j */
0
,
/* -v */
0
,
/* -x */
0
,
/* -i */
ARPT_INV_VIA_IN
,
/* -o */
ARPT_INV_VIA_OUT
,
/*--line*/
0
,
/* -c */
0
,
/* 2 */
ARPT_INV_SRCDEVADDR
,
/* 3 */
ARPT_INV_TGTDEVADDR
,
/* -l */
ARPT_INV_ARPHLN
,
/* 4 */
ARPT_INV_ARPOP
,
/* 5 */
ARPT_INV_ARPHRD
,
/* 6 */
ARPT_INV_ARPPRO
,
};
/* A few hardcoded protocols for 'all' and in case the user has no
/etc/protocols */
struct
pprot
{
char
*
name
;
u_int8_t
num
;
};
/* Primitive headers... */
/* defined in netinet/in.h */
#if 0
#ifndef IPPROTO_ESP
#define IPPROTO_ESP 50
#endif
#ifndef IPPROTO_AH
#define IPPROTO_AH 51
#endif
#endif
/***********************************************/
/* ARPTABLES SPECIFIC NEW FUNCTIONS ADDED HERE */
/***********************************************/
...
...
@@ -317,89 +221,10 @@ static int get16_and_mask(char *from, uint16_t *to, uint16_t *mask, int base)
return
0
;
}
static
int
string_to_number
(
const
char
*
s
,
unsigned
int
min
,
unsigned
int
max
,
unsigned
int
*
ret
)
{
long
number
;
char
*
end
;
/* Handle hex, octal, etc. */
errno
=
0
;
number
=
strtol
(
s
,
&
end
,
0
);
if
(
*
end
==
'\0'
&&
end
!=
s
)
{
/* we parsed a number, let's see if we want this */
if
(
errno
!=
ERANGE
&&
min
<=
number
&&
number
<=
max
)
{
*
ret
=
number
;
return
0
;
}
}
return
-
1
;
}
/*********************************************/
/* ARPTABLES SPECIFIC NEW FUNCTIONS END HERE */
/*********************************************/
static
struct
in_addr
*
dotted_to_addr
(
const
char
*
dotted
)
{
static
struct
in_addr
addr
;
unsigned
char
*
addrp
;
char
*
p
,
*
q
;
unsigned
int
onebyte
;
int
i
;
char
buf
[
20
];
/* copy dotted string, because we need to modify it */
strncpy
(
buf
,
dotted
,
sizeof
(
buf
)
-
1
);
addrp
=
(
unsigned
char
*
)
&
(
addr
.
s_addr
);
p
=
buf
;
for
(
i
=
0
;
i
<
3
;
i
++
)
{
if
((
q
=
strchr
(
p
,
'.'
))
==
NULL
)
return
(
struct
in_addr
*
)
NULL
;
*
q
=
'\0'
;
if
(
string_to_number
(
p
,
0
,
255
,
&
onebyte
)
==
-
1
)
return
(
struct
in_addr
*
)
NULL
;
addrp
[
i
]
=
(
unsigned
char
)
onebyte
;
p
=
q
+
1
;
}
/* we've checked 3 bytes, now we check the last one */
if
(
string_to_number
(
p
,
0
,
255
,
&
onebyte
)
==
-
1
)
return
(
struct
in_addr
*
)
NULL
;
addrp
[
3
]
=
(
unsigned
char
)
onebyte
;
return
&
addr
;
}
static
struct
in_addr
*
network_to_addr
(
const
char
*
name
)
{
struct
netent
*
net
;
static
struct
in_addr
addr
;
if
((
net
=
getnetbyname
(
name
))
!=
NULL
)
{
if
(
net
->
n_addrtype
!=
AF_INET
)
return
(
struct
in_addr
*
)
NULL
;
addr
.
s_addr
=
htonl
((
unsigned
long
)
net
->
n_net
);
return
&
addr
;
}
return
(
struct
in_addr
*
)
NULL
;
}
static
void
inaddrcpy
(
struct
in_addr
*
dst
,
struct
in_addr
*
src
)
{
/* memcpy(dst, src, sizeof(struct in_addr)); */
dst
->
s_addr
=
src
->
s_addr
;
}
static
void
exit_tryhelp
(
int
status
)
{
...
...
@@ -503,42 +328,6 @@ exit_printhelp(void)
exit
(
0
);
}
static
void
generic_opt_check
(
int
command
,
int
options
)
{
int
i
,
j
,
legal
=
0
;
/* Check that commands are valid with options. Complicated by the
* fact that if an option is legal with *any* command given, it is
* legal overall (ie. -z and -l).
*/
for
(
i
=
0
;
i
<
NUMBER_OF_OPT
;
i
++
)
{
legal
=
0
;
/* -1 => illegal, 1 => legal, 0 => undecided. */
for
(
j
=
0
;
j
<
NUMBER_OF_CMD
;
j
++
)
{
if
(
!
(
command
&
(
1
<<
j
)))
continue
;
if
(
!
(
options
&
(
1
<<
i
)))
{
if
(
commands_v_options
[
j
][
i
]
==
'+'
)
xtables_error
(
PARAMETER_PROBLEM
,
"You need to supply the `-%c' "
"option for this command
\n
"
,
optflags
[
i
]);
}
else
{
if
(
commands_v_options
[
j
][
i
]
!=
'x'
)
legal
=
1
;
else
if
(
legal
==
0
)
legal
=
-
1
;
}
}
if
(
legal
==
-
1
)
xtables_error
(
PARAMETER_PROBLEM
,
"Illegal option `-%c' with this command
\n
"
,
optflags
[
i
]);
}
}
static
char
opt2char
(
int
option
)
{
...
...
@@ -548,26 +337,6 @@ opt2char(int option)
return
*
ptr
;
}
static
char
cmd2char
(
int
option
)
{
const
char
*
ptr
;
for
(
ptr
=
cmdflags
;
option
>
1
;
option
>>=
1
,
ptr
++
);
return
*
ptr
;
}
static
void
add_command
(
unsigned
int
*
cmd
,
const
int
newcmd
,
const
unsigned
int
othercmds
,
int
invert
)
{
if
(
invert
)
xtables_error
(
PARAMETER_PROBLEM
,
"unexpected ! flag"
);
if
(
*
cmd
&
(
~
othercmds
))
xtables_error
(
PARAMETER_PROBLEM
,
"Can't use -%c with -%c
\n
"
,
cmd2char
(
newcmd
),
cmd2char
(
*
cmd
&
(
~
othercmds
)));
*
cmd
|=
newcmd
;
}
static
int
check_inverse
(
const
char
option
[],
int
*
invert
,
int
*
optidx
,
int
argc
)
{
...
...
@@ -575,7 +344,7 @@ check_inverse(const char option[], int *invert, int *optidx, int argc)
if
(
*
invert
)
xtables_error
(
PARAMETER_PROBLEM
,
"Multiple `!' flags not allowed"
);
*
invert
=
TRUE
;
*
invert
=
true
;
if
(
optidx
)
{
*
optidx
=
*
optidx
+
1
;
if
(
argc
&&
*
optidx
>
argc
)
...
...
@@ -583,181 +352,9 @@ check_inverse(const char option[], int *invert, int *optidx, int argc)
"no argument following `!'"
);
}
return
TRUE
;
return
true
;
}
return
FALSE
;
}
static
struct
in_addr
*
host_to_addr
(
const
char
*
name
,
unsigned
int
*
naddr
)
{
struct
in_addr
*
addr
;
struct
addrinfo
hints
=
{
.
ai_flags
=
AI_CANONNAME
,
.
ai_family
=
AF_INET
,
.
ai_socktype
=
SOCK_RAW
,
};;
struct
addrinfo
*
res
,
*
p
;
int
err
;
unsigned
int
i
;
*
naddr
=
0
;
err
=
getaddrinfo
(
name
,
NULL
,
&
hints
,
&
res
);
if
(
err
!=
0
)
return
NULL
;
else
{
for
(
p
=
res
;
p
!=
NULL
;
p
=
p
->
ai_next
)
(
*
naddr
)
++
;
addr
=
xtables_calloc
(
*
naddr
,
sizeof
(
struct
in_addr
));
for
(
i
=
0
,
p
=
res
;
p
!=
NULL
;
p
=
p
->
ai_next
)
memcpy
(
&
addr
[
i
++
],
&
((
const
struct
sockaddr_in
*
)
p
->
ai_addr
)
->
sin_addr
,
sizeof
(
struct
in_addr
));
freeaddrinfo
(
res
);
return
addr
;
}
return
(
struct
in_addr
*
)
NULL
;
}
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
* Most routines return pointers to static data that may change
* between calls to the same or other routines with a few exceptions:
* "host_to_addr", "parse_hostnetwork", and "parse_hostnetworkmask"
* return global static data.
*/
static
struct
in_addr
*
parse_hostnetwork
(
const
char
*
name
,
unsigned
int
*
naddrs
)
{
struct
in_addr
*
addrp
,
*
addrptmp
;
if
((
addrptmp
=
dotted_to_addr
(
name
))
!=
NULL
||
(
addrptmp
=
network_to_addr
(
name
))
!=
NULL
)
{
addrp
=
xtables_malloc
(
sizeof
(
struct
in_addr
));
inaddrcpy
(
addrp
,
addrptmp
);
*
naddrs
=
1
;
return
addrp
;
}
if
((
addrp
=
host_to_addr
(
name
,
naddrs
))
!=
NULL
)
return
addrp
;
xtables_error
(
PARAMETER_PROBLEM
,
"host/network `%s' not found"
,
name
);
}
static
struct
in_addr
*
parse_mask
(
char
*
mask
)
{
static
struct
in_addr
maskaddr
;
struct
in_addr
*
addrp
;
unsigned
int
bits
;
if
(
mask
==
NULL
)
{
/* no mask at all defaults to 32 bits */
maskaddr
.
s_addr
=
0xFFFFFFFF
;
return
&
maskaddr
;
}
if
((
addrp
=
dotted_to_addr
(
mask
))
!=
NULL
)
/* dotted_to_addr already returns a network byte order addr */
return
addrp
;
if
(
string_to_number
(
mask
,
0
,
32
,
&
bits
)
==
-
1
)
xtables_error
(
PARAMETER_PROBLEM
,
"invalid mask `%s' specified"
,
mask
);
if
(
bits
!=
0
)
{
maskaddr
.
s_addr
=
htonl
(
0xFFFFFFFF
<<
(
32
-
bits
));
return
&
maskaddr
;
}
maskaddr
.
s_addr
=
0L
;
return
&
maskaddr
;
}
static
void
parse_hostnetworkmask
(
const
char
*
name
,
struct
in_addr
**
addrpp
,
struct
in_addr
*
maskp
,
unsigned
int
*
naddrs
)
{
struct
in_addr
*
addrp
;
char
buf
[
256
];
char
*
p
;
int
i
,
j
,
k
,
n
;
strncpy
(
buf
,
name
,
sizeof
(
buf
)
-
1
);
if
((
p
=
strrchr
(
buf
,
'/'
))
!=
NULL
)
{
*
p
=
'\0'
;
addrp
=
parse_mask
(
p
+
1
);
}
else
addrp
=
parse_mask
(
NULL
);
inaddrcpy
(
maskp
,
addrp
);
/* if a null mask is given, the name is ignored, like in "any/0" */
if
(
maskp
->
s_addr
==
0L
)
strcpy
(
buf
,
"0.0.0.0"
);
addrp
=
*
addrpp
=
parse_hostnetwork
(
buf
,
naddrs
);
n
=
*
naddrs
;
for
(
i
=
0
,
j
=
0
;
i
<
n
;
i
++
)
{
addrp
[
j
++
].
s_addr
&=
maskp
->
s_addr
;
for
(
k
=
0
;
k
<
j
-
1
;
k
++
)
{
if
(
addrp
[
k
].
s_addr
==
addrp
[
j
-
1
].
s_addr
)
{
(
*
naddrs
)
--
;
j
--
;
break
;
}
}
}
}
static
void
parse_interface
(
const
char
*
arg
,
char
*
vianame
,
unsigned
char
*
mask
)
{
int
vialen
=
strlen
(
arg
);
unsigned
int
i
;
memset
(
mask
,
0
,
IFNAMSIZ
);
memset
(
vianame
,
0
,
IFNAMSIZ
);
if
(
vialen
+
1
>
IFNAMSIZ
)
xtables_error
(
PARAMETER_PROBLEM
,
"interface name `%s' must be shorter than IFNAMSIZ"
" (%i)"
,
arg
,
IFNAMSIZ
-
1
);
strcpy
(
vianame
,
arg
);
if
(
vialen
==
0
)
memset
(
mask
,
0
,
IFNAMSIZ
);
else
if
(
vianame
[
vialen
-
1
]
==
'+'
)
{
memset
(
mask
,
0xFF
,
vialen
-
1
);
memset
(
mask
+
vialen
-
1
,
0
,
IFNAMSIZ
-
vialen
+
1
);
/* Don't remove `+' here! -HW */
}
else
{
/* Include nul-terminator in match */
memset
(
mask
,
0xFF
,
vialen
+
1
);
memset
(
mask
+
vialen
+
1
,
0
,
IFNAMSIZ
-
vialen
-
1
);
for
(
i
=
0
;
vianame
[
i
];
i
++
)
{
if
(
!
isalnum
(
vianame
[
i
])
&&
vianame
[
i
]
!=
'_'
&&
vianame
[
i
]
!=
'.'
)
{
printf
(
"Warning: weird character in interface"
" `%s' (No aliases, :, ! or *).
\n
"
,
vianame
);
break
;
}
}
}
}
/* Can't be zero. */
static
int
parse_rulenumber
(
const
char
*
rule
)
{
unsigned
int
rulenum
;
if
(
!
xtables_strtoui
(
rule
,
NULL
,
&
rulenum
,
1
,
INT_MAX
))
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid rule number `%s'"
,
rule
);
return
rulenum
;
return
false
;
}
static
void
...
...
@@ -814,8 +411,10 @@ append_entry(struct nft_handle *h,
int
rulenum
,
unsigned
int
nsaddrs
,
const
struct
in_addr
saddrs
[],
const
struct
in_addr
smasks
[],
unsigned
int
ndaddrs
,
const
struct
in_addr
daddrs
[],
const
struct
in_addr
dmasks
[],
bool
verbose
,
bool
append
)
{
unsigned
int
i
,
j
;
...
...
@@ -823,8 +422,10 @@ append_entry(struct nft_handle *h,
for
(
i
=
0
;
i
<
nsaddrs
;
i
++
)
{
cs
->
arp
.
arp
.
src
.
s_addr
=
saddrs
[
i
].
s_addr
;
cs
->
arp
.
arp
.
smsk
.
s_addr
=
smasks
[
i
].
s_addr
;
for
(
j
=
0
;
j
<
ndaddrs
;
j
++
)
{
cs
->
arp
.
arp
.
tgt
.
s_addr
=
daddrs
[
j
].
s_addr
;
cs
->
arp
.
arp
.
tmsk
.
s_addr
=
dmasks
[
j
].
s_addr
;
if
(
append
)
{
ret
=
nft_rule_append
(
h
,
chain
,
table
,
cs
,
NULL
,
verbose
);
...
...
@@ -844,11 +445,15 @@ replace_entry(const char *chain,
struct
iptables_command_state
*
cs
,
unsigned
int
rulenum
,
const
struct
in_addr
*
saddr
,
const
struct
in_addr
*
smask
,
const
struct
in_addr
*
daddr
,
const
struct
in_addr
*
dmask
,
bool
verbose
,
struct
nft_handle
*
h
)
{
cs
->
arp
.
arp
.
src
.
s_addr
=
saddr
->
s_addr
;
cs
->
arp
.
arp
.
tgt
.
s_addr
=
daddr
->
s_addr
;
cs
->
arp
.
arp
.
smsk
.
s_addr
=
smask
->
s_addr
;
cs
->
arp
.
arp
.
tmsk
.
s_addr
=
dmask
->
s_addr
;
return
nft_rule_replace
(
h
,
chain
,
table
,
cs
,
rulenum
,
verbose
);
}
...
...
@@ -859,8 +464,10 @@ delete_entry(const char *chain,
struct
iptables_command_state
*
cs
,
unsigned
int
nsaddrs
,
const
struct
in_addr
saddrs
[],
const
struct
in_addr
smasks
[],
unsigned
int
ndaddrs
,
const
struct
in_addr
daddrs
[],
const
struct
in_addr
dmasks
[],
bool
verbose
,
struct
nft_handle
*
h
)
{
unsigned
int
i
,
j
;
...
...
@@ -868,8 +475,10 @@ delete_entry(const char *chain,
for
(
i
=
0
;
i
<
nsaddrs
;
i
++
)
{
cs
->
arp
.
arp
.
src
.
s_addr
=
saddrs
[
i
].
s_addr
;
cs
->
arp
.
arp
.
smsk
.
s_addr
=
smasks
[
i
].
s_addr
;
for
(
j
=
0
;
j
<
ndaddrs
;
j
++
)
{
cs
->
arp
.
arp
.
tgt
.
s_addr
=
daddrs
[
j
].
s_addr
;
cs
->
arp
.
arp
.
tmsk
.
s_addr
=
dmasks
[
j
].
s_addr
;
ret
=
nft_rule_delete
(
h
,
chain
,
table
,
cs
,
verbose
);
}
}
...
...
@@ -919,7 +528,8 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
};
int
invert
=
0
;
unsigned
int
nsaddrs
=
0
,
ndaddrs
=
0
;
struct
in_addr
*
saddrs
=
NULL
,
*
daddrs
=
NULL
;
struct
in_addr
*
saddrs
=
NULL
,
*
smasks
=
NULL
;
struct
in_addr
*
daddrs
=
NULL
,
*
dmasks
=
NULL
;
int
c
,
verbose
=
0
;
const
char
*
chain
=
NULL
;
...
...
@@ -1067,14 +677,14 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
break
;
case
's'
:
check_inverse
(
optarg
,
&
invert
,
&
optind
,
argc
);
set_option
(
&
options
,
OPT_S
_IP
,
&
cs
.
arp
.
arp
.
invflags
,
set_option
(
&
options
,
OPT_S
OURCE
,
&
cs
.
arp
.
arp
.
invflags
,
invert
);
shostnetworkmask
=
argv
[
optind
-
1
];
break
;
case
'd'
:
check_inverse
(
optarg
,
&
invert
,
&
optind
,
argc
);
set_option
(
&
options
,
OPT_D
_IP
,
&
cs
.
arp
.
arp
.
invflags
,
set_option
(
&
options
,
OPT_D
ESTINATION
,
&
cs
.
arp
.
arp
.
invflags
,
invert
);
dhostnetworkmask
=
argv
[
optind
-
1
];
break
;
...
...
@@ -1168,18 +778,18 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
check_inverse
(
optarg
,
&
invert
,
&
optind
,
argc
);
set_option
(
&
options
,
OPT_VIANAMEIN
,
&
cs
.
arp
.
arp
.
invflags
,
invert
);
parse_interface
(
argv
[
optind
-
1
],
cs
.
arp
.
arp
.
iniface
,
cs
.
arp
.
arp
.
iniface_mask
);
xtables_
parse_interface
(
argv
[
optind
-
1
],
cs
.
arp
.
arp
.
iniface
,
cs
.
arp
.
arp
.
iniface_mask
);
break
;
case
'o'
:
check_inverse
(
optarg
,
&
invert
,
&
optind
,
argc
);
set_option
(
&
options
,
OPT_VIANAMEOUT
,
&
cs
.
arp
.
arp
.
invflags
,
invert
);
parse_interface
(
argv
[
optind
-
1
],
cs
.
arp
.
arp
.
outiface
,
cs
.
arp
.
arp
.
outiface_mask
);
xtables_
parse_interface
(
argv
[
optind
-
1
],
cs
.
arp
.
arp
.
outiface
,
cs
.
arp
.
arp
.
outiface_mask
);
break
;
case
'v'
:
...
...
@@ -1255,7 +865,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
xtables_error
(
PARAMETER_PROBLEM
,
"multiple consecutive ! not"
" allowed"
);
invert
=
TRUE
;
invert
=
true
;
optarg
[
0
]
=
'\0'
;
continue
;
}
...
...
@@ -1269,7 +879,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
}
break
;
}
invert
=
FALSE
;
invert
=
false
;
}
if
(
cs
.
target
)
...
...
@@ -1285,19 +895,19 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
"nothing appropriate following !"
);
if
(
command
&
(
CMD_REPLACE
|
CMD_INSERT
|
CMD_DELETE
|
CMD_APPEND
))
{
if
(
!
(
options
&
OPT_D
_IP
))
if
(
!
(
options
&
OPT_D
ESTINATION
))
dhostnetworkmask
=
"0.0.0.0/0"
;
if
(
!
(
options
&
OPT_S
_IP
))
if
(
!
(
options
&
OPT_S
OURCE
))
shostnetworkmask
=
"0.0.0.0/0"
;
}
if
(
shostnetworkmask
)
parse_hostnetworkmask
(
shostnetworkmask
,
&
saddrs
,
&
(
cs
.
arp
.
arp
.
smsk
)
,
&
nsaddrs
);
xtables_ipparse_multiple
(
shostnetworkmask
,
&
saddrs
,
&
smasks
,
&
nsaddrs
);
if
(
dhostnetworkmask
)
parse_hostnetworkmask
(
dhostnetworkmask
,
&
daddrs
,
&
(
cs
.
arp
.
arp
.
tm
sk
)
,
&
ndaddrs
);
xtables_ipparse_multiple
(
dhostnetworkmask
,
&
daddrs
,
&
dma
sk
s
,
&
ndaddrs
);
if
((
nsaddrs
>
1
||
ndaddrs
>
1
)
&&
(
cs
.
arp
.
arp
.
invflags
&
(
ARPT_INV_SRCIP
|
ARPT_INV_TGTIP
)))
...
...
@@ -1308,8 +918,6 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
xtables_error
(
PARAMETER_PROBLEM
,
"Replacement rule does not "
"specify a unique address"
);
generic_opt_check
(
command
,
options
);
if
(
chain
&&
strlen
(
chain
)
>
ARPT_FUNCTION_MAXNAMELEN
)
xtables_error
(
PARAMETER_PROBLEM
,
"chain name `%s' too long (must be under %i chars)"
,
...
...
@@ -1343,12 +951,14 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
switch
(
command
)
{
case
CMD_APPEND
:
ret
=
append_entry
(
h
,
chain
,
*
table
,
&
cs
,
0
,
nsaddrs
,
saddrs
,
ndaddrs
,
daddrs
,
nsaddrs
,
saddrs
,
smasks
,
ndaddrs
,
daddrs
,
dmasks
,
options
&
OPT_VERBOSE
,
true
);
break
;
case
CMD_DELETE
:
ret
=
delete_entry
(
chain
,
*
table
,
&
cs
,
nsaddrs
,
saddrs
,
ndaddrs
,
daddrs
,
nsaddrs
,
saddrs
,
smasks
,
ndaddrs
,
daddrs
,
dmasks
,
options
&
OPT_VERBOSE
,
h
);
break
;
case
CMD_DELETE_NUM
:
...
...
@@ -1356,11 +966,13 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
break
;
case
CMD_REPLACE
:
ret
=
replace_entry
(
chain
,
*
table
,
&
cs
,
rulenum
-
1
,
saddrs
,
daddrs
,
options
&
OPT_VERBOSE
,
h
);
saddrs
,
smasks
,
daddrs
,
dmasks
,
options
&
OPT_VERBOSE
,
h
);
break
;
case
CMD_INSERT
:
ret
=
append_entry
(
h
,
chain
,
*
table
,
&
cs
,
rulenum
-
1
,
nsaddrs
,
saddrs
,
ndaddrs
,
daddrs
,
nsaddrs
,
saddrs
,
smasks
,
ndaddrs
,
daddrs
,
dmasks
,
options
&
OPT_VERBOSE
,
false
);
break
;
case
CMD_LIST
:
...
...
@@ -1409,10 +1021,10 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
exit_tryhelp
(
2
);
}
if
(
n
saddrs
)
free
(
s
addr
s
);
if
(
n
daddrs
)
free
(
d
addr
s
);
free
(
saddrs
)
;
free
(
s
mask
s
);
free
(
daddrs
)
;
free
(
d
mask
s
);
if
(
cs
.
target
)
free
(
cs
.
target
->
t
);
...
...
This diff is collapsed.
Click to expand it.
iptables/xtables-config-parser.y
deleted
100644 → 0
View file @
89c92f0c
%{
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdarg.h>
#include <libiptc/linux_list.h>
#include <libnftnl/table.h>
#include <libnftnl/chain.h>
#include <netinet/in.h>
#include <linux/netfilter.h>
extern char *yytext;
extern int yylineno;
static LIST_HEAD(xtables_stack);
struct stack_elem {
struct list_head head;
int token;
size_t size;
char data[];
};
static void *stack_push(int token, size_t size)
{
struct stack_elem *e;
e = calloc(1, sizeof(struct stack_elem) + size);
e->token = token;
e->size = size;
list_add(&e->head, &xtables_stack);
return e->data;
}
static struct stack_elem *stack_pop(void)
{
struct stack_elem *e;
e = list_entry(xtables_stack.next, struct stack_elem, head);
if (&e->head == &xtables_stack)
return NULL;
list_del(&e->head);
return e;
}
static inline void stack_put_i32(void *data, int value)
{
memcpy(data, &value, sizeof(int));
}
static inline void stack_put_str(void *data, const char *str)
{
memcpy(data, str, strlen(str));
}
static void stack_free(struct stack_elem *e)
{
free(e);
}
%}
%union {
int val;
char *string;
}
%token T_FAMILY
%token T_TABLE
%token T_CHAIN
%token T_HOOK
%token T_PRIO
%token <string> T_STRING
%token <val> T_INTEGER
%%
configfile :
| lines
;
lines : line
| lines line
;
line : family
;
family : T_FAMILY T_STRING '{' tables '}'
{
void *data = stack_push(T_FAMILY, strlen($2)+1);
stack_put_str(data, $2);
}
;
tables : table
| tables table
;
table : T_TABLE T_STRING '{' chains '}'
{
/* added in reverse order to pop it in order */
void *data = stack_push(T_TABLE, strlen($2)+1);
stack_put_str(data, $2);
}
;
chains : chain
| chains chain
;
chain : T_CHAIN T_STRING T_HOOK T_STRING T_PRIO T_INTEGER
{
/* added in reverse order to pop it in order */
void *data = stack_push(T_PRIO, sizeof(int32_t));
stack_put_i32(data, $6);
data = stack_push(T_HOOK, strlen($4)+1);
stack_put_str(data, $4);
data = stack_push(T_CHAIN, strlen($2)+1);
stack_put_str(data, $2);
}
;
%%
int __attribute__((noreturn))
yyerror(char *msg)
{
fprintf(stderr, "parsing config file in line (%d), symbol '%s': %s\n",
yylineno, yytext, msg);
exit(EXIT_FAILURE);
}
static int hooknametonum(const char *hookname)
{
if (strcmp(hookname, "NF_INET_LOCAL_IN") == 0)
return NF_INET_LOCAL_IN;
else if (strcmp(hookname, "NF_INET_FORWARD") == 0)
return NF_INET_FORWARD;
else if (strcmp(hookname, "NF_INET_LOCAL_OUT") == 0)
return NF_INET_LOCAL_OUT;
else if (strcmp(hookname, "NF_INET_PRE_ROUTING") == 0)
return NF_INET_PRE_ROUTING;
else if (strcmp(hookname, "NF_INET_POST_ROUTING") == 0)
return NF_INET_POST_ROUTING;
return -1;
}
static int32_t familytonumber(const char *family)
{
if (strcmp(family, "ipv4") == 0)
return AF_INET;
else if (strcmp(family, "ipv6") == 0)
return AF_INET6;
return -1;
}
int xtables_config_parse(char *filename, struct nftnl_table_list *table_list,
struct nftnl_chain_list *chain_list)
{
FILE *fp;
struct stack_elem *e;
struct nftnl_table *table = NULL;
struct nftnl_chain *chain = NULL;
int prio = 0;
int32_t family = 0;
fp = fopen(filename, "r");
if (!fp)
return -1;
yyrestart(fp);
yyparse();
fclose(fp);
for (e = stack_pop(); e != NULL; e = stack_pop()) {
switch(e->token) {
case T_FAMILY:
family = familytonumber(e->data);
if (family == -1)
return -1;
break;
case T_TABLE:
table = nftnl_table_alloc();
if (table == NULL)
return -1;
nftnl_table_set_u32(table, NFTNL_TABLE_FAMILY, family);
nftnl_table_set(table, NFTNL_TABLE_NAME, e->data);
/* This is intentionally prepending, instead of
* appending, since the elements in the stack are in
* the reverse order that chains appear in the
* configuration file.
*/
nftnl_table_list_add(table, table_list);
break;
case T_PRIO:
memcpy(&prio, e->data, sizeof(int32_t));
break;
case T_CHAIN:
chain = nftnl_chain_alloc();
if (chain == NULL)
return -1;
nftnl_chain_set(chain, NFTNL_CHAIN_TABLE,
(char *)nftnl_table_get(table, NFTNL_TABLE_NAME));
nftnl_chain_set_u32(chain, NFTNL_CHAIN_FAMILY,
nftnl_table_get_u32(table, NFTNL_TABLE_FAMILY));
nftnl_chain_set_s32(chain, NFTNL_CHAIN_PRIO, prio);
nftnl_chain_set(chain, NFTNL_CHAIN_NAME, e->data);
/* Intentionally prepending, instead of appending */
nftnl_chain_list_add(chain, chain_list);
break;
case T_HOOK:
nftnl_chain_set_u32(chain, NFTNL_CHAIN_HOOKNUM,
hooknametonum(e->data));
break;
default:
printf("unknown token type %d\n", e->token);
break;
}
stack_free(e);
}
return 0;
}
This diff is collapsed.
Click to expand it.
iptables/xtables-config-syntax.l
deleted
100644 → 0
View file @
89c92f0c
%{
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include <string.h>
#include "xtables-config-parser.h"
%}
%option yylineno
%option noinput
%option nounput
ws [ \t]+
comment #.*$
nl [\n\r]
is_on [o|O][n|N]
is_off [o|O][f|F][f|F]
integer [\-\+]?[0-9]+
string [a-zA-Z][a-zA-Z0-9\.\-\_]*
%%
"family" { return T_FAMILY; }
"table" { return T_TABLE; }
"chain" { return T_CHAIN; }
"hook" { return T_HOOK; }
"prio" { return T_PRIO; }
{integer} { yylval.val = atoi(yytext); return T_INTEGER; }
{string} { yylval.string = strdup(yytext); return T_STRING; }
{comment} ;
{ws} ;
{nl} ;
<<EOF>> { yyterminate(); }
. { return yytext[0]; }
%%
int
yywrap()
{
return 1;
}
This diff is collapsed.
Click to expand it.
iptables/xtables-eb-standalone.c
View file @
290749d4
...
...
@@ -51,7 +51,7 @@ int xtables_eb_main(int argc, char *argv[])
ret
=
do_commandeb
(
&
h
,
argc
,
argv
,
&
table
,
false
);
if
(
ret
)
ret
=
nft_commit
(
&
h
);
ret
=
nft_
bridge_
commit
(
&
h
);
if
(
!
ret
)
fprintf
(
stderr
,
"ebtables: %s
\n
"
,
nft_strerror
(
errno
));
...
...
This diff is collapsed.
Click to expand it.
iptables/xtables-eb.c
View file @
290749d4
...
...
@@ -20,7 +20,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "config.h"
#include <ctype.h>
#include <errno.h>
#include <getopt.h>
...
...
@@ -197,7 +197,8 @@ int ebt_get_current_chain(const char *chain)
else
if
(
strcmp
(
chain
,
"POSTROUTING"
)
==
0
)
return
NF_BR_POST_ROUTING
;
return
-
1
;
/* placeholder for user defined chain */
return
NF_BR_NUMHOOKS
;
}
/*
...
...
@@ -273,7 +274,7 @@ struct option ebt_original_options[] =
extern
void
xtables_exit_error
(
enum
xtables_exittype
status
,
const
char
*
msg
,
...)
__attribute__
((
noreturn
,
format
(
printf
,
2
,
3
)));
struct
xtables_globals
ebtables_globals
=
{
.
option_offset
=
0
,
.
program_version
=
IPTABLES
_VERSION
,
.
program_version
=
PACKAGE
_VERSION
,
.
orig_opts
=
ebt_original_options
,
.
exit_err
=
xtables_exit_error
,
.
compat_rev
=
nft_compatible_revision
,
...
...
@@ -410,7 +411,7 @@ static int list_rules(struct nft_handle *h, const char *chain, const char *table
{
unsigned
int
format
;
format
=
FMT_OPTIONS
;
format
=
FMT_OPTIONS
|
FMT_C_COUNTS
;
if
(
verbose
)
format
|=
FMT_VIA
;
...
...
@@ -593,6 +594,7 @@ void ebt_load_match_extensions(void)
ebt_load_match
(
"pkttype"
);
ebt_load_match
(
"vlan"
);
ebt_load_match
(
"stp"
);
ebt_load_match
(
"among"
);
ebt_load_watcher
(
"log"
);
ebt_load_watcher
(
"nflog"
);
...
...
@@ -779,6 +781,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
int
selected_chain
=
-
1
;
struct
xtables_rule_match
*
xtrm_i
;
struct
ebt_match
*
match
;
bool
table_set
=
false
;
/* prevent getopt to spoil our error reporting */
optind
=
0
;
...
...
@@ -946,11 +949,16 @@ print_zero:
break
;
case
't'
:
/* Table */
ebt_check_option2
(
&
flags
,
OPT_TABLE
);
if
(
restore
&&
table_set
)
xtables_error
(
PARAMETER_PROBLEM
,
"The -t option (seen in line %u) cannot be used in %s.
\n
"
,
line
,
xt_params
->
program_name
);
if
(
strlen
(
optarg
)
>
EBT_TABLE_MAXNAMELEN
-
1
)
xtables_error
(
PARAMETER_PROBLEM
,
"Table name length cannot exceed %d characters"
,
EBT_TABLE_MAXNAMELEN
-
1
);
*
table
=
optarg
;
table_set
=
true
;
break
;
case
'i'
:
/* Input interface */
case
2
:
/* Logical input interface */
...
...
@@ -1180,7 +1188,7 @@ print_zero:
if
(
ebt_command_default
(
&
cs
))
xtables_error
(
PARAMETER_PROBLEM
,
"Unknown argument: '%s'"
,
argv
[
optind
-
1
]);
argv
[
optind
]);
if
(
command
!=
'A'
&&
command
!=
'I'
&&
command
!=
'D'
&&
command
!=
'C'
)
...
...
@@ -1223,7 +1231,7 @@ print_zero:
cs
.
eb
.
ethproto
=
htons
(
cs
.
eb
.
ethproto
);
if
(
command
==
'P'
)
{
if
(
selected_chain
<
0
)
{
if
(
selected_chain
>=
NF_BR_NUMHOOKS
)
{
ret
=
ebt_set_user_chain_policy
(
h
,
*
table
,
chain
,
policy
);
}
else
{
if
(
strcmp
(
policy
,
"RETURN"
)
==
0
)
{
...
...
This diff is collapsed.
Click to expand it.
iptables/xtables-monitor.c
View file @
290749d4
...
...
@@ -10,6 +10,8 @@
*/
#define _GNU_SOURCE
#include "config.h"
#include <errno.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
...
...
@@ -40,6 +42,7 @@
struct
cb_arg
{
uint32_t
nfproto
;
bool
is_event
;
struct
nft_handle
*
h
;
};
static
int
table_cb
(
const
struct
nlmsghdr
*
nlh
,
void
*
data
)
...
...
@@ -105,7 +108,7 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
}
printf
(
"-t %s "
,
nftnl_rule_get_str
(
r
,
NFTNL_RULE_TABLE
));
nft_rule_print_save
(
r
,
type
==
NFT_MSG_NEWRULE
?
NFT_RULE_APPEND
:
nft_rule_print_save
(
arg
->
h
,
r
,
type
==
NFT_MSG_NEWRULE
?
NFT_RULE_APPEND
:
NFT_RULE_DEL
,
counters
?
0
:
FMT_NOCOUNTS
);
err_free:
...
...
@@ -592,7 +595,10 @@ int xtables_monitor_main(int argc, char *argv[])
struct
mnl_socket
*
nl
;
char
buf
[
MNL_SOCKET_BUFFER_SIZE
];
uint32_t
nfgroup
=
0
;
struct
cb_arg
cb_arg
=
{};
struct
nft_handle
h
=
{};
struct
cb_arg
cb_arg
=
{
.
h
=
&
h
,
};
int
ret
,
c
;
xtables_globals
.
program_name
=
"xtables-monitor"
;
...
...
@@ -609,6 +615,14 @@ int xtables_monitor_main(int argc, char *argv[])
init_extensions4
();
#endif
if
(
nft_init
(
&
h
,
xtables_ipv4
))
{
fprintf
(
stderr
,
"%s/%s Failed to initialize nft: %s
\n
"
,
xtables_globals
.
program_name
,
xtables_globals
.
program_version
,
strerror
(
errno
));
exit
(
EXIT_FAILURE
);
}
opterr
=
0
;
while
((
c
=
getopt_long
(
argc
,
argv
,
"ceht46V"
,
options
,
NULL
))
!=
-
1
)
{
switch
(
c
)
{
...
...
@@ -631,10 +645,10 @@ int xtables_monitor_main(int argc, char *argv[])
cb_arg
.
nfproto
=
NFPROTO_IPV6
;
break
;
case
'V'
:
printf
(
"xtables-monitor %s
\n
"
,
IPTABLES
_VERSION
);
printf
(
"xtables-monitor %s
\n
"
,
PACKAGE
_VERSION
);
exit
(
0
);
default:
fprintf
(
stderr
,
"xtables-monitor %s: Bad argument.
\n
"
,
IPTABLES
_VERSION
);
fprintf
(
stderr
,
"xtables-monitor %s: Bad argument.
\n
"
,
PACKAGE
_VERSION
);
fprintf
(
stderr
,
"Try `xtables-monitor -h' for more information.
\n
"
);
exit
(
PARAMETER_PROBLEM
);
}
...
...
This diff is collapsed.
Click to expand it.
iptables/xtables-restore.c
View file @
290749d4
...
...
@@ -4,9 +4,10 @@
*
* This code is distributed under the terms of GNU GPL v2
*/
#include "config.h"
#include <getopt.h>
#include <errno.h>
#include <libgen.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
...
...
@@ -17,6 +18,7 @@
#include "xtables-multi.h"
#include "nft.h"
#include "nft-bridge.h"
#include "nft-cache.h"
#include <libnftnl/chain.h>
static
int
counters
,
verbose
;
...
...
@@ -43,7 +45,7 @@ static const struct option options[] = {
static
void
print_usage
(
const
char
*
name
,
const
char
*
version
)
{
fprintf
(
stderr
,
"Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6]
\n
"
fprintf
(
stderr
,
"Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6]
[file]
\n
"
" [ --counters ]
\n
"
" [ --verbose ]
\n
"
" [ --version]
\n
"
...
...
@@ -51,25 +53,12 @@ static void print_usage(const char *name, const char *version)
" [ --help ]
\n
"
" [ --noflush ]
\n
"
" [ --table=<TABLE> ]
\n
"
"
[ --modprobe=<command> ]
\n
"
"
[ --modprobe=<command> ]
\n
"
" [ --ipv4 ]
\n
"
" [ --ipv6 ]
\n
"
,
name
);
}
static
struct
nftnl_chain_list
*
get_chain_list
(
struct
nft_handle
*
h
,
const
char
*
table
)
{
struct
nftnl_chain_list
*
chain_list
;
chain_list
=
nft_chain_list_get
(
h
,
table
);
if
(
chain_list
==
NULL
)
xtables_error
(
OTHER_PROBLEM
,
"cannot retrieve chain list
\n
"
);
return
chain_list
;
}
struct
nft_xt_restore_cb
restore_cb
=
{
.
chain_list
=
get_chain_list
,
static
const
struct
nft_xt_restore_cb
restore_cb
=
{
.
commit
=
nft_commit
,
.
abort
=
nft_abort
,
.
table_new
=
nft_table_new
,
...
...
@@ -79,241 +68,285 @@ struct nft_xt_restore_cb restore_cb = {
.
chain_restore
=
nft_chain_restore
,
};
static
const
struct
xtc_ops
xtc_ops
=
{
.
strerror
=
nft_strerror
,
struct
nft_xt_restore_state
{
const
struct
builtin_table
*
curtable
;
struct
argv_store
av_store
;
bool
in_table
;
};
void
xtables_restore_parse
(
struct
nft_handle
*
h
,
struct
nft_xt_restore_parse
*
p
,
struct
nft_xt_restore_
cb
*
cb
,
int
argc
,
char
*
argv
[]
)
static
void
xtables_restore_parse
_line
(
struct
nft_handle
*
h
,
const
struct
nft_xt_restore_parse
*
p
,
struct
nft_xt_restore_
state
*
state
,
char
*
buffer
)
{
const
struct
builtin_table
*
curtable
=
NULL
;
char
buffer
[
10240
];
int
in_table
=
0
;
const
struct
xtc_ops
*
ops
=
&
xtc_ops
;
const
struct
nft_xt_restore_cb
*
cb
=
p
->
cb
;
int
ret
=
0
;
if
(
buffer
[
0
]
==
'\n'
)
return
;
else
if
(
buffer
[
0
]
==
'#'
)
{
if
(
verbose
)
fputs
(
buffer
,
stdout
);
return
;
}
else
if
(
state
->
in_table
&&
(
strncmp
(
buffer
,
"COMMIT"
,
6
)
==
0
)
&&
(
buffer
[
6
]
==
'\0'
||
buffer
[
6
]
==
'\n'
))
{
if
(
!
p
->
testing
)
{
/* Commit per table, although we support
* global commit at once, stick by now to
* the existing behaviour.
*/
DEBUGP
(
"Calling commit
\n
"
);
if
(
cb
->
commit
)
ret
=
cb
->
commit
(
h
);
}
else
{
DEBUGP
(
"Not calling commit, testing
\n
"
);
if
(
cb
->
abort
)
ret
=
cb
->
abort
(
h
);
}
state
->
in_table
=
false
;
}
else
if
((
buffer
[
0
]
==
'*'
)
&&
(
!
state
->
in_table
||
!
p
->
commit
))
{
/* New table */
char
*
table
;
table
=
strtok
(
buffer
+
1
,
"
\t\n
"
);
DEBUGP
(
"line %u, table '%s'
\n
"
,
line
,
table
);
if
(
!
table
)
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u table name invalid
\n
"
,
xt_params
->
program_name
,
line
);
state
->
curtable
=
nft_table_builtin_find
(
h
,
table
);
if
(
!
state
->
curtable
)
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u table name '%s' invalid
\n
"
,
xt_params
->
program_name
,
line
,
table
);
if
(
p
->
tablename
&&
(
strcmp
(
p
->
tablename
,
table
)
!=
0
))
return
;
if
(
h
->
noflush
==
0
)
{
DEBUGP
(
"Cleaning all chains of table '%s'
\n
"
,
table
);
if
(
cb
->
table_flush
)
cb
->
table_flush
(
h
,
table
);
}
line
=
0
;
ret
=
1
;
state
->
in_table
=
true
;
if
(
cb
->
table_new
)
cb
->
table_new
(
h
,
table
);
}
else
if
((
buffer
[
0
]
==
':'
)
&&
state
->
in_table
)
{
/* New chain. */
char
*
policy
,
*
chain
=
NULL
;
struct
xt_counters
count
=
{};
chain
=
strtok
(
buffer
+
1
,
"
\t\n
"
);
DEBUGP
(
"line %u, chain '%s'
\n
"
,
line
,
chain
);
if
(
!
chain
)
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u chain name invalid
\n
"
,
xt_params
->
program_name
,
line
);
if
(
strlen
(
chain
)
>=
XT_EXTENSION_MAXNAMELEN
)
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid chain name `%s' (%u chars max)"
,
chain
,
XT_EXTENSION_MAXNAMELEN
-
1
);
policy
=
strtok
(
NULL
,
"
\t\n
"
);
DEBUGP
(
"line %u, policy '%s'
\n
"
,
line
,
policy
);
if
(
!
policy
)
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u policy invalid
\n
"
,
xt_params
->
program_name
,
line
);
if
(
nft_chain_builtin_find
(
state
->
curtable
,
chain
))
{
if
(
counters
)
{
char
*
ctrs
;
ctrs
=
strtok
(
NULL
,
"
\t\n
"
);
if
(
!
ctrs
||
!
parse_counters
(
ctrs
,
&
count
))
xtables_error
(
PARAMETER_PROBLEM
,
"invalid policy counters for chain '%s'
\n
"
,
chain
);
/* Grab standard input. */
while
(
fgets
(
buffer
,
sizeof
(
buffer
),
p
->
in
))
{
int
ret
=
0
;
line
++
;
h
->
error
.
lineno
=
line
;
if
(
buffer
[
0
]
==
'\n'
)
continue
;
else
if
(
buffer
[
0
]
==
'#'
)
{
if
(
verbose
)
fputs
(
buffer
,
stdout
);
continue
;
}
else
if
((
strcmp
(
buffer
,
"COMMIT
\n
"
)
==
0
)
&&
(
in_table
))
{
if
(
!
p
->
testing
)
{
/* Commit per table, although we support
* global commit at once, stick by now to
* the existing behaviour.
*/
DEBUGP
(
"Calling commit
\n
"
);
if
(
cb
->
commit
)
ret
=
cb
->
commit
(
h
);
}
else
{
DEBUGP
(
"Not calling commit, testing
\n
"
);
if
(
cb
->
abort
)
ret
=
cb
->
abort
(
h
);
}
in_table
=
0
;
}
else
if
((
buffer
[
0
]
==
'*'
)
&&
(
!
in_table
||
!
p
->
commit
))
{
/* New table */
char
*
table
;
table
=
strtok
(
buffer
+
1
,
"
\t\n
"
);
DEBUGP
(
"line %u, table '%s'
\n
"
,
line
,
table
);
if
(
!
table
)
{
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u table name invalid
\n
"
,
xt_params
->
program_name
,
line
);
exit
(
1
);
}
curtable
=
nft_table_builtin_find
(
h
,
table
);
if
(
!
curtable
)
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u table name '%s' invalid
\n
"
,
xt_params
->
program_name
,
line
,
table
);
if
(
p
->
tablename
&&
(
strcmp
(
p
->
tablename
,
table
)
!=
0
))
continue
;
nft_build_cache
(
h
);
if
(
h
->
noflush
==
0
)
{
DEBUGP
(
"Cleaning all chains of table '%s'
\n
"
,
table
);
if
(
cb
->
table_flush
)
cb
->
table_flush
(
h
,
table
);
if
(
cb
->
chain_set
&&
cb
->
chain_set
(
h
,
state
->
curtable
->
name
,
chain
,
policy
,
&
count
)
<
0
)
{
xtables_error
(
OTHER_PROBLEM
,
"Can't set policy `%s' on `%s' line %u: %s
\n
"
,
policy
,
chain
,
line
,
strerror
(
errno
));
}
DEBUGP
(
"Setting policy of chain %s to %s
\n
"
,
chain
,
policy
);
}
else
if
(
cb
->
chain_restore
(
h
,
chain
,
state
->
curtable
->
name
)
<
0
&&
errno
!=
EEXIST
)
{
xtables_error
(
PARAMETER_PROBLEM
,
"cannot create chain '%s' (%s)
\n
"
,
chain
,
strerror
(
errno
));
}
else
if
(
h
->
family
==
NFPROTO_BRIDGE
&&
!
ebt_set_user_chain_policy
(
h
,
state
->
curtable
->
name
,
chain
,
policy
))
{
xtables_error
(
OTHER_PROBLEM
,
"Can't set policy `%s' on `%s' line %u: %s
\n
"
,
policy
,
chain
,
line
,
strerror
(
errno
));
}
ret
=
1
;
}
else
if
(
state
->
in_table
)
{
char
*
pcnt
=
NULL
;
char
*
bcnt
=
NULL
;
char
*
parsestart
=
buffer
;
add_argv
(
&
state
->
av_store
,
xt_params
->
program_name
,
0
);
add_argv
(
&
state
->
av_store
,
"-t"
,
0
);
add_argv
(
&
state
->
av_store
,
state
->
curtable
->
name
,
0
);
tokenize_rule_counters
(
&
parsestart
,
&
pcnt
,
&
bcnt
,
line
);
if
(
counters
&&
pcnt
&&
bcnt
)
{
add_argv
(
&
state
->
av_store
,
"--set-counters"
,
0
);
add_argv
(
&
state
->
av_store
,
pcnt
,
0
);
add_argv
(
&
state
->
av_store
,
bcnt
,
0
);
}
ret
=
1
;
in_table
=
1
;
if
(
cb
->
table_new
)
cb
->
table_new
(
h
,
table
);
add_param_to_argv
(
&
state
->
av_store
,
parsestart
,
line
);
}
else
if
((
buffer
[
0
]
==
':'
)
&&
(
in_table
))
{
/* New chain. */
char
*
policy
,
*
chain
=
NULL
;
struct
xt_counters
count
=
{};
DEBUGP
(
"calling do_command4(%u, argv, &%s, handle):
\n
"
,
state
->
av_store
.
argc
,
state
->
curtable
->
name
);
debug_print_argv
(
&
state
->
av_store
);
chain
=
strtok
(
buffer
+
1
,
"
\t\n
"
);
DEBUGP
(
"line %u, chain '%s'
\n
"
,
line
,
chain
);
if
(
!
chain
)
{
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u chain name invalid
\n
"
,
xt_params
->
program_name
,
line
);
exit
(
1
);
}
ret
=
cb
->
do_command
(
h
,
state
->
av_store
.
argc
,
state
->
av_store
.
argv
,
&
state
->
av_store
.
argv
[
2
],
true
);
if
(
ret
<
0
)
{
if
(
cb
->
abort
)
ret
=
cb
->
abort
(
h
);
else
ret
=
0
;
if
(
strlen
(
chain
)
>=
XT_EXTENSION_MAXNAMELEN
)
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid chain name `%s' "
"(%u chars max)"
,
chain
,
XT_EXTENSION_MAXNAMELEN
-
1
);
policy
=
strtok
(
NULL
,
"
\t\n
"
);
DEBUGP
(
"line %u, policy '%s'
\n
"
,
line
,
policy
);
if
(
!
policy
)
{
xtables_error
(
PARAMETER_PROBLEM
,
"%s: line %u policy invalid
\n
"
,
xt_params
->
program_name
,
line
);
exit
(
1
);
if
(
ret
<
0
)
{
fprintf
(
stderr
,
"failed to abort commit operation
\n
"
);
}
exit
(
1
);
}
if
(
nft_chain_builtin_find
(
curtable
,
chain
))
{
if
(
counters
)
{
char
*
ctrs
;
ctrs
=
strtok
(
NULL
,
"
\t\n
"
);
if
(
!
ctrs
||
!
parse_counters
(
ctrs
,
&
count
))
xtables_error
(
PARAMETER_PROBLEM
,
"invalid policy counters "
"for chain '%s'
\n
"
,
chain
);
}
if
(
cb
->
chain_set
&&
cb
->
chain_set
(
h
,
curtable
->
name
,
chain
,
policy
,
&
count
)
<
0
)
{
xtables_error
(
OTHER_PROBLEM
,
"Can't set policy `%s'"
" on `%s' line %u: %s
\n
"
,
policy
,
chain
,
line
,
ops
->
strerror
(
errno
));
}
DEBUGP
(
"Setting policy of chain %s to %s
\n
"
,
chain
,
policy
);
}
else
if
(
cb
->
chain_restore
(
h
,
chain
,
curtable
->
name
)
<
0
&&
errno
!=
EEXIST
)
{
xtables_error
(
PARAMETER_PROBLEM
,
"cannot create chain "
"'%s' (%s)
\n
"
,
chain
,
strerror
(
errno
));
}
else
if
(
h
->
family
==
NFPROTO_BRIDGE
&&
!
ebt_set_user_chain_policy
(
h
,
curtable
->
name
,
chain
,
policy
))
{
xtables_error
(
OTHER_PROBLEM
,
"Can't set policy `%s'"
" on `%s' line %u: %s
\n
"
,
policy
,
chain
,
line
,
ops
->
strerror
(
errno
));
}
ret
=
1
;
}
else
if
(
in_table
)
{
int
a
;
char
*
pcnt
=
NULL
;
char
*
bcnt
=
NULL
;
char
*
parsestart
;
free_argv
(
&
state
->
av_store
);
fflush
(
stdout
);
}
if
(
p
->
tablename
&&
state
->
curtable
&&
(
strcmp
(
p
->
tablename
,
state
->
curtable
->
name
)
!=
0
))
return
;
if
(
!
ret
)
{
fprintf
(
stderr
,
"%s: line %u failed
\n
"
,
xt_params
->
program_name
,
line
);
exit
(
1
);
}
}
/* reset the newargv */
newargc
=
0
;
/* Return true if given iptables-restore line will require a full cache.
* Typically these are commands referring to an existing rule
* (either by number or content) or commands listing the ruleset. */
static
bool
cmd_needs_full_cache
(
char
*
cmd
)
{
char
c
,
chain
[
32
];
int
rulenum
,
mcount
;
mcount
=
sscanf
(
cmd
,
"-%c %31s %d"
,
&
c
,
chain
,
&
rulenum
);
if
(
mcount
==
3
)
return
true
;
if
(
mcount
<
1
)
return
false
;
switch
(
c
)
{
case
'D'
:
case
'C'
:
case
'S'
:
case
'L'
:
case
'Z'
:
return
true
;
}
if
(
buffer
[
0
]
==
'['
)
{
/* we have counters in our input */
char
*
ptr
=
strchr
(
buffer
,
']'
);
return
false
;
}
if
(
!
ptr
)
xtables_error
(
PARAMETER_PROBLEM
,
"Bad line %u: need ]
\n
"
,
line
);
#define PREBUFSIZ 65536
pcnt
=
strtok
(
buffer
+
1
,
":"
);
if
(
!
pcnt
)
xtables_error
(
PARAMETER_PROBLEM
,
"Bad line %u: need :
\n
"
,
line
)
;
void
xtables_restore_parse
(
struct
nft_handle
*
h
,
const
struct
nft_xt_restore_parse
*
p
)
{
struct
nft_xt_restore_state
state
=
{};
char
preload_buffer
[
PREBUFSIZ
]
=
{},
buffer
[
10240
],
*
ptr
;
bcnt
=
strtok
(
NULL
,
"]"
);
if
(
!
bcnt
)
xtables_error
(
PARAMETER_PROBLEM
,
"Bad line %u: need ]
\n
"
,
line
);
/* start command parsing after counter */
parsestart
=
ptr
+
1
;
}
else
{
/* start command parsing at start of line */
parsestart
=
buffer
;
if
(
!
h
->
noflush
)
{
nft_fake_cache
(
h
);
}
else
{
ssize_t
pblen
=
sizeof
(
preload_buffer
);
bool
do_cache
=
false
;
ptr
=
preload_buffer
;
while
(
fgets
(
buffer
,
sizeof
(
buffer
),
p
->
in
))
{
size_t
blen
=
strlen
(
buffer
);
/* drop trailing newline; xtables_restore_parse_line()
* uses strtok() which replaces them by nul-characters,
* causing unpredictable string delimiting in
* preload_buffer */
if
(
buffer
[
blen
-
1
]
==
'\n'
)
buffer
[
blen
-
1
]
=
'\0'
;
else
blen
++
;
pblen
-=
blen
;
if
(
pblen
<=
0
)
{
/* buffer exhausted */
do_cache
=
true
;
break
;
}
add_argv
(
argv
[
0
],
0
);
add_argv
(
"-t"
,
0
);
add_argv
(
curtable
->
name
,
0
);
if
(
counters
&&
pcnt
&&
bcnt
)
{
add_argv
(
"--set-counters"
,
0
);
add_argv
((
char
*
)
pcnt
,
0
);
add_argv
((
char
*
)
bcnt
,
0
);
if
(
cmd_needs_full_cache
(
buffer
))
{
do_cache
=
true
;
break
;
}
add_param_to_argv
(
parsestart
,
line
);
DEBUGP
(
"calling do_command4(%u, argv, &%s, handle):
\n
"
,
newargc
,
curtable
->
name
);
for
(
a
=
0
;
a
<
newargc
;
a
++
)
DEBUGP
(
"argv[%u]: %s
\n
"
,
a
,
newargv
[
a
]);
/* copy string including terminating nul-char */
memcpy
(
ptr
,
buffer
,
blen
);
ptr
+=
blen
;
buffer
[
0
]
=
'\0'
;
}
ret
=
cb
->
do_command
(
h
,
newargc
,
newargv
,
&
newargv
[
2
],
true
);
if
(
ret
<
0
)
{
if
(
cb
->
abort
)
ret
=
cb
->
abort
(
h
);
else
ret
=
0
;
if
(
ret
<
0
)
{
fprintf
(
stderr
,
"failed to abort "
"commit operation
\n
"
);
}
exit
(
1
);
}
if
(
do_cache
)
nft_build_cache
(
h
,
NULL
);
}
free_argv
();
fflush
(
stdout
);
}
if
(
p
->
tablename
&&
curtable
&&
(
strcmp
(
p
->
tablename
,
curtable
->
name
)
!=
0
))
continue
;
if
(
!
ret
)
{
fprintf
(
stderr
,
"%s: line %u failed
\n
"
,
xt_params
->
program_name
,
line
);
exit
(
1
);
}
line
=
0
;
ptr
=
preload_buffer
;
while
(
*
ptr
)
{
h
->
error
.
lineno
=
++
line
;
DEBUGP
(
"%s: buffered line %d: '%s'
\n
"
,
__func__
,
line
,
ptr
);
xtables_restore_parse_line
(
h
,
p
,
&
state
,
ptr
);
ptr
+=
strlen
(
ptr
)
+
1
;
}
if
(
*
buffer
)
{
h
->
error
.
lineno
=
++
line
;
DEBUGP
(
"%s: overrun line %d: '%s'
\n
"
,
__func__
,
line
,
buffer
);
xtables_restore_parse_line
(
h
,
p
,
&
state
,
buffer
);
}
if
(
in_table
&&
p
->
commit
)
{
while
(
fgets
(
buffer
,
sizeof
(
buffer
),
p
->
in
))
{
h
->
error
.
lineno
=
++
line
;
DEBUGP
(
"%s: input line %d: '%s'
\n
"
,
__func__
,
line
,
buffer
);
xtables_restore_parse_line
(
h
,
p
,
&
state
,
buffer
);
}
if
(
state
.
in_table
&&
p
->
commit
)
{
fprintf
(
stderr
,
"%s: COMMIT expected at line %u
\n
"
,
xt_params
->
program_name
,
line
+
1
);
exit
(
1
);
}
else
if
(
in_table
&&
cb
->
commit
&&
!
cb
->
commit
(
h
))
{
}
else
if
(
state
.
in_table
&&
p
->
cb
->
commit
&&
!
p
->
cb
->
commit
(
h
))
{
xtables_error
(
OTHER_PROBLEM
,
"%s: final implicit COMMIT failed"
,
xt_params
->
program_name
);
}
...
...
@@ -330,6 +363,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
int
c
;
struct
nft_xt_restore_parse
p
=
{
.
commit
=
true
,
.
cb
=
&
restore_cb
,
};
line
=
0
;
...
...
@@ -361,8 +395,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
p
.
testing
=
1
;
break
;
case
'h'
:
print_usage
(
"xtables-restore"
,
IPTABLES_VERSION
);
print_usage
(
prog_name
,
PACKAGE_VERSION
);
exit
(
0
);
case
'n'
:
h
.
noflush
=
1
;
...
...
@@ -387,7 +420,8 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
break
;
default:
fprintf
(
stderr
,
"Try `xtables-restore -h' for more information.
\n
"
);
"Try `%s -h' for more information.
\n
"
,
prog_name
);
exit
(
1
);
}
}
...
...
@@ -434,7 +468,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
exit
(
EXIT_FAILURE
);
}
xtables_restore_parse
(
&
h
,
&
p
,
&
restore_cb
,
argc
,
argv
);
xtables_restore_parse
(
&
h
,
&
p
);
nft_fini
(
&
h
);
fclose
(
p
.
in
);
...
...
@@ -443,13 +477,13 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
int
xtables_ip4_restore_main
(
int
argc
,
char
*
argv
[])
{
return
xtables_restore_main
(
NFPROTO_IPV4
,
"iptables-restore"
,
return
xtables_restore_main
(
NFPROTO_IPV4
,
basename
(
*
argv
)
,
argc
,
argv
);
}
int
xtables_ip6_restore_main
(
int
argc
,
char
*
argv
[])
{
return
xtables_restore_main
(
NFPROTO_IPV6
,
"ip6tables-restore"
,
return
xtables_restore_main
(
NFPROTO_IPV6
,
basename
(
*
argv
)
,
argc
,
argv
);
}
...
...
@@ -460,9 +494,8 @@ static int ebt_table_flush(struct nft_handle *h, const char *table)
return
nft_table_flush
(
h
,
table
);
}
struct
nft_xt_restore_cb
ebt_restore_cb
=
{
.
chain_list
=
get_chain_list
,
.
commit
=
nft_commit
,
static
const
struct
nft_xt_restore_cb
ebt_restore_cb
=
{
.
commit
=
nft_bridge_commit
,
.
table_new
=
nft_table_new
,
.
table_flush
=
ebt_table_flush
,
.
do_command
=
do_commandeb
,
...
...
@@ -479,6 +512,7 @@ int xtables_eb_restore_main(int argc, char *argv[])
{
struct
nft_xt_restore_parse
p
=
{
.
in
=
stdin
,
.
cb
=
&
ebt_restore_cb
,
};
bool
noflush
=
false
;
struct
nft_handle
h
;
...
...
@@ -500,14 +534,13 @@ int xtables_eb_restore_main(int argc, char *argv[])
nft_init_eb
(
&
h
,
"ebtables-restore"
);
h
.
noflush
=
noflush
;
xtables_restore_parse
(
&
h
,
&
p
,
&
ebt_restore_cb
,
argc
,
argv
);
xtables_restore_parse
(
&
h
,
&
p
);
nft_fini
(
&
h
);
return
0
;
}
struct
nft_xt_restore_cb
arp_restore_cb
=
{
.
chain_list
=
get_chain_list
,
static
const
struct
nft_xt_restore_cb
arp_restore_cb
=
{
.
commit
=
nft_commit
,
.
table_new
=
nft_table_new
,
.
table_flush
=
nft_table_flush
,
...
...
@@ -520,11 +553,12 @@ int xtables_arp_restore_main(int argc, char *argv[])
{
struct
nft_xt_restore_parse
p
=
{
.
in
=
stdin
,
.
cb
=
&
arp_restore_cb
,
};
struct
nft_handle
h
;
nft_init_arp
(
&
h
,
"arptables-restore"
);
xtables_restore_parse
(
&
h
,
&
p
,
&
arp_restore_cb
,
argc
,
argv
);
xtables_restore_parse
(
&
h
,
&
p
);
nft_fini
(
&
h
);
return
0
;
...
...
This diff is collapsed.
Click to expand it.
iptables/xtables-save.c
View file @
290749d4
...
...
@@ -6,8 +6,10 @@
* This code is distributed under the terms of GNU GPL v2
*
*/
#include "config.h"
#include <getopt.h>
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
...
...
@@ -19,6 +21,7 @@
#include "iptables.h"
#include "xtables-multi.h"
#include "nft.h"
#include "nft-cache.h"
#include <libnftnl/chain.h>
...
...
@@ -29,9 +32,8 @@
#define prog_name xtables_globals.program_name
#define prog_vers xtables_globals.program_version
static
bool
show_counters
=
false
;
static
const
struct
option
options
[]
=
{
static
const
char
*
ipt_save_optstring
=
"bcdt:M:f:46V"
;
static
const
struct
option
ipt_save_options
[]
=
{
{.
name
=
"counters"
,
.
has_arg
=
false
,
.
val
=
'c'
},
{.
name
=
"version"
,
.
has_arg
=
false
,
.
val
=
'V'
},
{.
name
=
"dump"
,
.
has_arg
=
false
,
.
val
=
'd'
},
...
...
@@ -43,6 +45,7 @@ static const struct option options[] = {
{
NULL
},
};
static
const
char
*
arp_save_optstring
=
"cM:V"
;
static
const
struct
option
arp_save_options
[]
=
{
{.
name
=
"counters"
,
.
has_arg
=
false
,
.
val
=
'c'
},
{.
name
=
"version"
,
.
has_arg
=
false
,
.
val
=
'V'
},
...
...
@@ -50,6 +53,7 @@ static const struct option arp_save_options[] = {
{
NULL
},
};
static
const
char
*
ebt_save_optstring
=
"ct:M:V"
;
static
const
struct
option
ebt_save_options
[]
=
{
{.
name
=
"counters"
,
.
has_arg
=
false
,
.
val
=
'c'
},
{.
name
=
"version"
,
.
has_arg
=
false
,
.
val
=
'V'
},
...
...
@@ -58,49 +62,55 @@ static const struct option ebt_save_options[] = {
{
NULL
},
};
static
bool
ebt_legacy_counter_format
;
struct
do_output_data
{
unsigned
int
format
;
bool
commit
;
};
static
int
__do_output
(
struct
nft_handle
*
h
,
const
char
*
tablename
,
bool
counters
)
__do_output
(
struct
nft_handle
*
h
,
const
char
*
tablename
,
void
*
data
)
{
struct
nftnl_chain_list
*
chain_list
;
struct
do_output_data
*
d
=
data
;
time_t
now
;
if
(
!
nft_table_builtin_find
(
h
,
tablename
))
return
0
;
if
(
!
nft_is_table_compatible
(
h
,
tablename
))
{
if
(
!
nft_table_builtin_find
(
h
,
tablename
))
printf
(
"# Table `%s' is incompatible, use 'nft' tool.
\n
"
,
tablename
);
if
(
!
nft_is_table_compatible
(
h
,
tablename
,
NULL
))
{
printf
(
"# Table `%s' is incompatible, use 'nft' tool.
\n
"
,
tablename
);
return
0
;
}
chain_list
=
nft_chain_list_get
(
h
,
tablename
);
chain_list
=
nft_chain_list_get
(
h
,
tablename
,
NULL
);
if
(
!
chain_list
)
return
0
;
time_t
now
=
time
(
NULL
);
now
=
time
(
NULL
);
printf
(
"# Generated by %s v%s on %s"
,
prog_name
,
prog_vers
,
ctime
(
&
now
));
printf
(
"# Generated by xtables-save v%s on %s"
,
IPTABLES_VERSION
,
ctime
(
&
now
));
printf
(
"*%s
\n
"
,
tablename
);
/* Dump out chain names first,
* thereby preventing dependency conflicts */
nft_chain_save
(
h
,
chain_list
);
nft_rule_save
(
h
,
tablename
,
counters
?
0
:
FMT_NOCOUNTS
);
nft_rule_save
(
h
,
tablename
,
d
->
format
);
if
(
d
->
commit
)
printf
(
"COMMIT
\n
"
);
now
=
time
(
NULL
);
printf
(
"COMMIT
\n
"
);
printf
(
"# Completed on %s"
,
ctime
(
&
now
));
return
0
;
}
static
int
do_output
(
struct
nft_handle
*
h
,
const
char
*
tablename
,
bool
counters
)
do_output
(
struct
nft_handle
*
h
,
const
char
*
tablename
,
struct
do_output_data
*
d
)
{
int
ret
;
if
(
!
tablename
)
{
ret
=
nft_for_each_table
(
h
,
__do_output
,
counters
);
ret
=
nft_for_each_table
(
h
,
__do_output
,
d
);
nft_check_xt_legacy
(
h
->
family
,
true
);
return
!!
ret
;
}
...
...
@@ -111,7 +121,7 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
return
1
;
}
ret
=
__do_output
(
h
,
tablename
,
counters
);
ret
=
__do_output
(
h
,
tablename
,
d
);
nft_check_xt_legacy
(
h
->
family
,
true
);
return
ret
;
}
...
...
@@ -121,10 +131,14 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
* rule
*/
static
int
xtables_save_main
(
int
family
,
const
char
*
progname
,
int
argc
,
char
*
argv
[])
xtables_save_main
(
int
family
,
int
argc
,
char
*
argv
[],
const
char
*
optstring
,
const
struct
option
*
longopts
)
{
const
struct
builtin_table
*
tables
;
const
char
*
tablename
=
NULL
;
struct
do_output_data
d
=
{
.
format
=
FMT_NOCOUNTS
,
};
bool
dump
=
false
;
struct
nft_handle
h
=
{
.
family
=
family
,
...
...
@@ -132,7 +146,7 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
FILE
*
file
=
NULL
;
int
ret
,
c
;
xtables_globals
.
program_name
=
progname
;
xtables_globals
.
program_name
=
basename
(
*
argv
);
;
c
=
xtables_init_all
(
&
xtables_globals
,
family
);
if
(
c
<
0
)
{
fprintf
(
stderr
,
"%s/%s Failed to initialize xtables
\n
"
,
...
...
@@ -141,13 +155,13 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
exit
(
1
);
}
while
((
c
=
getopt_long
(
argc
,
argv
,
"bcdt:M:f:46V"
,
option
s
,
NULL
))
!=
-
1
)
{
while
((
c
=
getopt_long
(
argc
,
argv
,
optstring
,
longopt
s
,
NULL
))
!=
-
1
)
{
switch
(
c
)
{
case
'b'
:
fprintf
(
stderr
,
"-b/--binary option is not implemented
\n
"
);
break
;
case
'c'
:
show_counters
=
true
;
d
.
format
&=
~
FMT_NOCOUNTS
;
break
;
case
't'
:
...
...
@@ -206,13 +220,23 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
init_extensions4
();
#endif
tables
=
xtables_ipv4
;
d
.
commit
=
true
;
break
;
case
NFPROTO_ARP
:
tables
=
xtables_arp
;
break
;
case
NFPROTO_BRIDGE
:
case
NFPROTO_BRIDGE
:
{
const
char
*
ctr
=
getenv
(
"EBTABLES_SAVE_COUNTER"
);
if
(
!
(
d
.
format
&
FMT_NOCOUNTS
))
{
d
.
format
|=
FMT_EBT_SAVE
;
}
else
if
(
ctr
&&
!
strcmp
(
ctr
,
"yes"
))
{
d
.
format
&=
~
FMT_NOCOUNTS
;
d
.
format
|=
FMT_C_COUNTS
|
FMT_EBT_SAVE
;
}
tables
=
xtables_bridge
;
break
;
}
default:
fprintf
(
stderr
,
"Unknown family %d
\n
"
,
family
);
return
1
;
...
...
@@ -225,8 +249,11 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
strerror
(
errno
));
exit
(
EXIT_FAILURE
);
}
h
.
ops
=
nft_family_ops_lookup
(
h
.
family
);
if
(
!
h
.
ops
)
xtables_error
(
PARAMETER_PROBLEM
,
"Unknown family"
);
ret
=
do_output
(
&
h
,
tablename
,
show_counters
);
ret
=
do_output
(
&
h
,
tablename
,
&
d
);
nft_fini
(
&
h
);
if
(
dump
)
exit
(
0
);
...
...
@@ -236,178 +263,24 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
int
xtables_ip4_save_main
(
int
argc
,
char
*
argv
[])
{
return
xtables_save_main
(
NFPROTO_IPV4
,
"iptables-save"
,
argc
,
argv
);
return
xtables_save_main
(
NFPROTO_IPV4
,
argc
,
argv
,
ipt_save_optstring
,
ipt_save_options
);
}
int
xtables_ip6_save_main
(
int
argc
,
char
*
argv
[])
{
return
xtables_save_main
(
NFPROTO_IPV6
,
"ip6tables-save"
,
argc
,
argv
);
}
static
int
__ebt_save
(
struct
nft_handle
*
h
,
const
char
*
tablename
,
bool
counters
)
{
struct
nftnl_chain_list
*
chain_list
;
unsigned
int
format
=
FMT_NOCOUNTS
;
static
bool
first
=
true
;
time_t
now
;
if
(
!
nft_table_find
(
h
,
tablename
))
{
printf
(
"Table `%s' does not exist
\n
"
,
tablename
);
return
1
;
}
if
(
!
nft_is_table_compatible
(
h
,
tablename
))
{
printf
(
"# Table `%s' is incompatible, use 'nft' tool.
\n
"
,
tablename
);
return
0
;
}
chain_list
=
nft_chain_list_get
(
h
,
tablename
);
if
(
first
)
{
now
=
time
(
NULL
);
printf
(
"# Generated by ebtables-save v%s on %s"
,
IPTABLES_VERSION
,
ctime
(
&
now
));
first
=
false
;
}
printf
(
"*%s
\n
"
,
tablename
);
if
(
counters
)
format
=
ebt_legacy_counter_format
?
FMT_EBT_SAVE
:
0
;
/* Dump out chain names first,
* thereby preventing dependency conflicts */
nft_chain_save
(
h
,
chain_list
);
nft_rule_save
(
h
,
tablename
,
format
);
printf
(
"
\n
"
);
return
0
;
return
xtables_save_main
(
NFPROTO_IPV6
,
argc
,
argv
,
ipt_save_optstring
,
ipt_save_options
);
}
static
int
eb
t
_save
(
struct
nft_handle
*
h
,
const
char
*
tablename
,
bool
counters
)
int
xtables_
eb_save
_main
(
int
argc
,
char
*
argv
[]
)
{
if
(
!
tablename
)
return
nft_for_each_table
(
h
,
__ebt_save
,
counters
);
return
__ebt_save
(
h
,
tablename
,
counters
);
return
xtables_save_main
(
NFPROTO_BRIDGE
,
argc
,
argv
,
ebt_save_optstring
,
ebt_save_options
);
}
int
xtables_
eb
_save_main
(
int
argc
_
,
char
*
argv
_
[])
int
xtables_
arp
_save_main
(
int
argc
,
char
*
argv
[])
{
const
char
*
ctr
=
getenv
(
"EBTABLES_SAVE_COUNTER"
);
const
char
*
tablename
=
NULL
;
struct
nft_handle
h
=
{
.
family
=
NFPROTO_BRIDGE
,
};
int
c
;
if
(
ctr
)
{
if
(
strcmp
(
ctr
,
"yes"
)
==
0
)
{
ebt_legacy_counter_format
=
true
;
show_counters
=
true
;
}
}
xtables_globals
.
program_name
=
"ebtables-save"
;
c
=
xtables_init_all
(
&
xtables_globals
,
h
.
family
);
if
(
c
<
0
)
{
fprintf
(
stderr
,
"%s/%s Failed to initialize xtables
\n
"
,
xtables_globals
.
program_name
,
xtables_globals
.
program_version
);
exit
(
1
);
}
while
((
c
=
getopt_long
(
argc_
,
argv_
,
"ct:M:V"
,
ebt_save_options
,
NULL
))
!=
-
1
)
{
switch
(
c
)
{
case
'c'
:
unsetenv
(
"EBTABLES_SAVE_COUNTER"
);
show_counters
=
true
;
ebt_legacy_counter_format
=
false
;
break
;
case
't'
:
/* Select specific table. */
tablename
=
optarg
;
break
;
case
'M'
:
xtables_modprobe_program
=
optarg
;
break
;
case
'V'
:
printf
(
"%s v%s (nf_tables)
\n
"
,
prog_name
,
prog_vers
);
exit
(
0
);
default:
fprintf
(
stderr
,
"Look at manual page `%s.8' for more information.
\n
"
,
prog_name
);
exit
(
1
);
}
}
if
(
nft_init
(
&
h
,
xtables_bridge
)
<
0
)
{
fprintf
(
stderr
,
"%s/%s Failed to initialize nft: %s
\n
"
,
xtables_globals
.
program_name
,
xtables_globals
.
program_version
,
strerror
(
errno
));
exit
(
EXIT_FAILURE
);
}
ebt_save
(
&
h
,
tablename
,
show_counters
);
nft_fini
(
&
h
);
return
0
;
}
int
xtables_arp_save_main
(
int
argc
,
char
**
argv
)
{
struct
nft_handle
h
=
{
.
family
=
NFPROTO_ARP
,
};
int
c
;
xtables_globals
.
program_name
=
"arptables-save"
;
c
=
xtables_init_all
(
&
xtables_globals
,
h
.
family
);
if
(
c
<
0
)
{
fprintf
(
stderr
,
"%s/%s Failed to initialize xtables
\n
"
,
xtables_globals
.
program_name
,
xtables_globals
.
program_version
);
exit
(
1
);
}
while
((
c
=
getopt_long
(
argc
,
argv
,
"cM:V"
,
arp_save_options
,
NULL
))
!=
-
1
)
{
switch
(
c
)
{
case
'c'
:
show_counters
=
true
;
break
;
case
'M'
:
xtables_modprobe_program
=
optarg
;
break
;
case
'V'
:
printf
(
"%s v%s (nf_tables)
\n
"
,
prog_name
,
prog_vers
);
exit
(
0
);
default:
fprintf
(
stderr
,
"Look at manual page `%s.8' for more information.
\n
"
,
prog_name
);
exit
(
1
);
}
}
if
(
nft_init
(
&
h
,
xtables_arp
)
<
0
)
{
fprintf
(
stderr
,
"%s/%s Failed to initialize nft: %s
\n
"
,
xtables_globals
.
program_name
,
xtables_globals
.
program_version
,
strerror
(
errno
));
exit
(
EXIT_FAILURE
);
}
if
(
!
nft_table_find
(
&
h
,
"filter"
))
return
0
;
if
(
!
nft_is_table_compatible
(
&
h
,
"filter"
))
{
printf
(
"# Table `filter' is incompatible, use 'nft' tool.
\n
"
);
return
0
;
}
printf
(
"*filter
\n
"
);
nft_chain_save
(
&
h
,
nft_chain_list_get
(
&
h
,
"filter"
));
nft_rule_save
(
&
h
,
"filter"
,
show_counters
?
0
:
FMT_NOCOUNTS
);
printf
(
"
\n
"
);
nft_fini
(
&
h
);
return
0
;
return
xtables_save_main
(
NFPROTO_ARP
,
argc
,
argv
,
arp_save_optstring
,
arp_save_options
);
}
This diff is collapsed.
Click to expand it.
iptables/xtables-translate.c
View file @
290749d4
...
...
@@ -6,7 +6,7 @@
* by the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
#include "config.h"
#include <time.h>
#include "xtables-multi.h"
#include "nft.h"
...
...
@@ -413,7 +413,7 @@ static int dummy_compat_rev(const char *name, uint8_t rev, int opt)
return
1
;
}
static
struct
nft_xt_restore_cb
cb_xlate
=
{
static
const
struct
nft_xt_restore_cb
cb_xlate
=
{
.
table_new
=
xlate_table_new
,
.
chain_set
=
xlate_chain_set
,
.
chain_restore
=
xlate_chain_user_restore
,
...
...
@@ -498,7 +498,9 @@ static int xtables_restore_xlate_main(int family, const char *progname,
.
family
=
family
,
};
const
char
*
file
=
NULL
;
struct
nft_xt_restore_parse
p
=
{};
struct
nft_xt_restore_parse
p
=
{
.
cb
=
&
cb_xlate
,
};
time_t
now
=
time
(
NULL
);
int
c
;
...
...
@@ -510,20 +512,20 @@ static int xtables_restore_xlate_main(int family, const char *progname,
while
((
c
=
getopt_long
(
argc
,
argv
,
"hf:V"
,
options
,
NULL
))
!=
-
1
)
{
switch
(
c
)
{
case
'h'
:
print_usage
(
argv
[
0
],
IPTABLES
_VERSION
);
print_usage
(
argv
[
0
],
PACKAGE
_VERSION
);
exit
(
0
);
case
'f'
:
file
=
optarg
;
break
;
case
'V'
:
printf
(
"%s v%s
\n
"
,
argv
[
0
],
IPTABLES
_VERSION
);
printf
(
"%s v%s
\n
"
,
argv
[
0
],
PACKAGE
_VERSION
);
exit
(
0
);
}
}
if
(
file
==
NULL
)
{
fprintf
(
stderr
,
"ERROR: missing file name
\n
"
);
print_usage
(
argv
[
0
],
IPTABLES
_VERSION
);
print_usage
(
argv
[
0
],
PACKAGE
_VERSION
);
exit
(
0
);
}
...
...
@@ -534,8 +536,8 @@ static int xtables_restore_xlate_main(int family, const char *progname,
}
printf
(
"# Translated by %s v%s on %s"
,
argv
[
0
],
IPTABLES
_VERSION
,
ctime
(
&
now
));
xtables_restore_parse
(
&
h
,
&
p
,
&
cb_xlate
,
argc
,
argv
);
argv
[
0
],
PACKAGE
_VERSION
,
ctime
(
&
now
));
xtables_restore_parse
(
&
h
,
&
p
);
printf
(
"# Completed on %s"
,
ctime
(
&
now
));
nft_fini
(
&
h
);
...
...
This diff is collapsed.
Click to expand it.
iptables/xtables.c
View file @
290749d4
...
...
@@ -24,7 +24,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "config.h"
#include <getopt.h>
#include <string.h>
#include <netdb.h>
...
...
@@ -43,17 +43,6 @@
#include "nft-shared.h"
#include "nft.h"
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif
#define NUMBER_OF_CMD 16
static
const
char
cmdflags
[]
=
{
'I'
,
'D'
,
'D'
,
'R'
,
'A'
,
'L'
,
'F'
,
'Z'
,
'N'
,
'X'
,
'P'
,
'E'
,
'S'
,
'Z'
,
'C'
};
#define OPT_FRAGMENT 0x00800U
#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
static
const
char
optflags
[]
...
...
@@ -104,7 +93,7 @@ void xtables_exit_error(enum xtables_exittype status, const char *msg, ...) __at
struct
xtables_globals
xtables_globals
=
{
.
option_offset
=
0
,
.
program_version
=
IPTABLES
_VERSION
,
.
program_version
=
PACKAGE
_VERSION
,
.
orig_opts
=
original_opts
,
.
exit_err
=
xtables_exit_error
,
.
compat_rev
=
nft_compatible_revision
,
...
...
@@ -319,27 +308,6 @@ opt2char(int option)
return
*
ptr
;
}
static
char
cmd2char
(
int
option
)
{
const
char
*
ptr
;
for
(
ptr
=
cmdflags
;
option
>
1
;
option
>>=
1
,
ptr
++
);
return
*
ptr
;
}
static
void
add_command
(
unsigned
int
*
cmd
,
const
int
newcmd
,
const
int
othercmds
,
int
invert
)
{
if
(
invert
)
xtables_error
(
PARAMETER_PROBLEM
,
"unexpected ! flag"
);
if
(
*
cmd
&
(
~
othercmds
))
xtables_error
(
PARAMETER_PROBLEM
,
"Cannot use -%c with -%c
\n
"
,
cmd2char
(
newcmd
),
cmd2char
(
*
cmd
&
(
~
othercmds
)));
*
cmd
|=
newcmd
;
}
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
...
...
@@ -350,18 +318,6 @@ add_command(unsigned int *cmd, const int newcmd, const int othercmds,
*/
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
/* Can't be zero. */
static
int
parse_rulenumber
(
const
char
*
rule
)
{
unsigned
int
rulenum
;
if
(
!
xtables_strtoui
(
rule
,
NULL
,
&
rulenum
,
1
,
INT_MAX
))
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid rule number `%s'"
,
rule
);
return
rulenum
;
}
static
void
set_option
(
unsigned
int
*
options
,
unsigned
int
option
,
uint8_t
*
invflg
,
...
...
@@ -590,6 +546,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
bool
wait_interval_set
=
false
;
struct
timeval
wait_interval
;
struct
xtables_target
*
t
;
bool
table_set
=
false
;
int
wait
=
0
;
memset
(
cs
,
0
,
sizeof
(
*
cs
));
...
...
@@ -879,11 +836,16 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
if
(
cs
->
invert
)
xtables_error
(
PARAMETER_PROBLEM
,
"unexpected ! flag before --table"
);
if
(
p
->
restore
&&
table_set
)
xtables_error
(
PARAMETER_PROBLEM
,
"The -t option (seen in line %u) cannot be used in %s.
\n
"
,
line
,
xt_params
->
program_name
);
if
(
!
nft_table_builtin_find
(
h
,
optarg
))
xtables_error
(
VERSION_PROBLEM
,
"table '%s' does not exist"
,
optarg
);
p
->
table
=
optarg
;
table_set
=
true
;
break
;
case
'x'
:
...
...
@@ -955,6 +917,9 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break
;
case
'4'
:
if
(
p
->
restore
&&
args
->
family
==
AF_INET6
)
return
;
if
(
args
->
family
!=
AF_INET
)
exit_tryhelp
(
2
);
...
...
@@ -962,6 +927,9 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break
;
case
'6'
:
if
(
p
->
restore
&&
args
->
family
==
AF_INET
)
return
;
args
->
family
=
AF_INET6
;
xtables_set_nfproto
(
AF_INET6
);
...
...
@@ -977,7 +945,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
xtables_error
(
PARAMETER_PROBLEM
,
"multiple consecutive ! not"
" allowed"
);
cs
->
invert
=
TRUE
;
cs
->
invert
=
true
;
optarg
[
0
]
=
'\0'
;
continue
;
}
...
...
@@ -990,7 +958,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
continue
;
break
;
}
cs
->
invert
=
FALSE
;
cs
->
invert
=
false
;
}
if
(
strcmp
(
p
->
table
,
"nat"
)
==
0
&&
...
...
@@ -1174,6 +1142,9 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
case
CMD_SET_POLICY
:
ret
=
nft_chain_set
(
h
,
p
.
table
,
p
.
chain
,
p
.
policy
,
NULL
);
break
;
case
CMD_NONE
:
/* do_parse ignored the line (eg: -4 with ip6tables-restore) */
break
;
default:
/* We should never reach this... */
exit_tryhelp
(
2
);
...
...
This diff is collapsed.
Click to expand it.
libipq/Makefile.in
View file @
290749d4
...
...
@@ -92,10 +92,10 @@ build_triplet = @build@
host_triplet
=
@host@
subdir
=
libipq
ACLOCAL_M4
=
$(top_srcdir)
/aclocal.m4
am__aclocal_m4_deps
=
$(top_srcdir)
/m4/
ax_check_linker_flags
.m4
\
$(top_srcdir)
/m4/l
ibtool
.m4
$(top_srcdir)
/m4/lt
options
.m4
\
$(top_srcdir)
/m4/lt
sugar
.m4
$(top_srcdir)
/m4/lt
version
.m4
\
$(top_srcdir)
/m4/lt~obsolete.m4
$(top_srcdir)
/configure.ac
am__aclocal_m4_deps
=
$(top_srcdir)
/m4/
libtool
.m4
\
$(top_srcdir)
/m4/l
toptions
.m4
$(top_srcdir)
/m4/lt
sugar
.m4
\
$(top_srcdir)
/m4/lt
version
.m4
$(top_srcdir)
/m4/lt
~obsolete
.m4
\
$(top_srcdir)
/configure.ac
am__configure_deps
=
$(am__aclocal_m4_deps)
$(CONFIGURE_DEPENDENCIES)
\
$(ACLOCAL_M4)
DIST_COMMON
=
$(srcdir)
/Makefile.am
$(am__DIST_COMMON)
...
...
@@ -241,9 +241,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM
=
@INSTALL_STRIP_PROGRAM@
LD
=
@LD@
LDFLAGS
=
@LDFLAGS@
LEX
=
@LEX@
LEXLIB
=
@LEXLIB@
LEX_OUTPUT_ROOT
=
@LEX_OUTPUT_ROOT@
LIBOBJS
=
@LIBOBJS@
LIBS
=
@LIBS@
LIBTOOL
=
@LIBTOOL@
...
...
@@ -277,8 +274,6 @@ SET_MAKE = @SET_MAKE@
SHELL
=
@SHELL@
STRIP
=
@STRIP@
VERSION
=
@VERSION@
YACC
=
@YACC@
YFLAGS
=
@YFLAGS@
abs_builddir
=
@abs_builddir@
abs_srcdir
=
@abs_srcdir@
abs_top_builddir
=
@abs_top_builddir@
...
...
@@ -323,7 +318,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir
=
@ksourcedir@
libdir
=
@libdir@
libexecdir
=
@libexecdir@
libiptc_LDFLAGS2
=
@libiptc_LDFLAGS2@
libmnl_CFLAGS
=
@libmnl_CFLAGS@
libmnl_LIBS
=
@libmnl_LIBS@
libnetfilter_conntrack_CFLAGS
=
@libnetfilter_conntrack_CFLAGS@
...
...
This diff is collapsed.
Click to expand it.
libiptc/Makefile.am
View file @
290749d4
...
...
@@ -5,11 +5,8 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}
pkgconfig_DATA
=
libiptc.pc libip4tc.pc libip6tc.pc
lib_LTLIBRARIES
=
libip4tc.la libip6tc.la libiptc.la
libiptc_la_SOURCES
=
libiptc_la_LIBADD
=
libip4tc.la libip6tc.la
libiptc_la_LDFLAGS
=
-version-info
0:0:0
${libiptc_LDFLAGS2}
lib_LTLIBRARIES
=
libip4tc.la libip6tc.la
libip4tc_la_SOURCES
=
libip4tc.c
libip4tc_la_LDFLAGS
=
-version-info
2:0:0
libip6tc_la_SOURCES
=
libip6tc.c
libip6tc_la_LDFLAGS
=
-version-info
2:0:0
${libiptc_LDFLAGS2}
libip6tc_la_LDFLAGS
=
-version-info
2:0:0
This diff is collapsed.
Click to expand it.
libiptc/Makefile.in
View file @
290749d4
...
...
@@ -92,10 +92,10 @@ build_triplet = @build@
host_triplet
=
@host@
subdir
=
libiptc
ACLOCAL_M4
=
$(top_srcdir)
/aclocal.m4
am__aclocal_m4_deps
=
$(top_srcdir)
/m4/
ax_check_linker_flags
.m4
\
$(top_srcdir)
/m4/l
ibtool
.m4
$(top_srcdir)
/m4/lt
options
.m4
\
$(top_srcdir)
/m4/lt
sugar
.m4
$(top_srcdir)
/m4/lt
version
.m4
\
$(top_srcdir)
/m4/lt~obsolete.m4
$(top_srcdir)
/configure.ac
am__aclocal_m4_deps
=
$(top_srcdir)
/m4/
libtool
.m4
\
$(top_srcdir)
/m4/l
toptions
.m4
$(top_srcdir)
/m4/lt
sugar
.m4
\
$(top_srcdir)
/m4/lt
version
.m4
$(top_srcdir)
/m4/lt
~obsolete
.m4
\
$(top_srcdir)
/configure.ac
am__configure_deps
=
$(am__aclocal_m4_deps)
$(CONFIGURE_DEPENDENCIES)
\
$(ACLOCAL_M4)
DIST_COMMON
=
$(srcdir)
/Makefile.am
$(am__DIST_COMMON)
...
...
@@ -148,12 +148,6 @@ libip6tc_la_OBJECTS = $(am_libip6tc_la_OBJECTS)
libip6tc_la_LINK
=
$(LIBTOOL)
$(AM_V_lt)
--tag
=
CC
$(AM_LIBTOOLFLAGS)
\
$(LIBTOOLFLAGS)
--mode
=
link
$(CCLD)
$(AM_CFLAGS)
$(CFLAGS)
\
$(libip6tc_la_LDFLAGS)
$(LDFLAGS)
-o
$@
libiptc_la_DEPENDENCIES
=
libip4tc.la libip6tc.la
am_libiptc_la_OBJECTS
=
libiptc_la_OBJECTS
=
$(am_libiptc_la_OBJECTS)
libiptc_la_LINK
=
$(LIBTOOL)
$(AM_V_lt)
--tag
=
CC
$(AM_LIBTOOLFLAGS)
\
$(LIBTOOLFLAGS)
--mode
=
link
$(CCLD)
$(AM_CFLAGS)
$(CFLAGS)
\
$(libiptc_la_LDFLAGS)
$(LDFLAGS)
-o
$@
AM_V_P
=
$
(
am__v_P_@AM_V@
)
am__v_P_
=
$
(
am__v_P_@AM_DEFAULT_V@
)
am__v_P_0
=
false
...
...
@@ -188,10 +182,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_
=
$
(
am__v_CCLD_@AM_DEFAULT_V@
)
am__v_CCLD_0
=
@echo
" CCLD "
$@
;
am__v_CCLD_1
=
SOURCES
=
$(libip4tc_la_SOURCES)
$(libip6tc_la_SOURCES)
\
$(libiptc_la_SOURCES)
DIST_SOURCES
=
$(libip4tc_la_SOURCES)
$(libip6tc_la_SOURCES)
\
$(libiptc_la_SOURCES)
SOURCES
=
$(libip4tc_la_SOURCES)
$(libip6tc_la_SOURCES)
DIST_SOURCES
=
$(libip4tc_la_SOURCES)
$(libip6tc_la_SOURCES)
am__can_run_installinfo
=
\
case
$$
AM_UPDATE_INFO_DIR
in
\
n|no|NO
)
false
;;
\
...
...
@@ -255,9 +247,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM
=
@INSTALL_STRIP_PROGRAM@
LD
=
@LD@
LDFLAGS
=
@LDFLAGS@
LEX
=
@LEX@
LEXLIB
=
@LEXLIB@
LEX_OUTPUT_ROOT
=
@LEX_OUTPUT_ROOT@
LIBOBJS
=
@LIBOBJS@
LIBS
=
@LIBS@
LIBTOOL
=
@LIBTOOL@
...
...
@@ -291,8 +280,6 @@ SET_MAKE = @SET_MAKE@
SHELL
=
@SHELL@
STRIP
=
@STRIP@
VERSION
=
@VERSION@
YACC
=
@YACC@
YFLAGS
=
@YFLAGS@
abs_builddir
=
@abs_builddir@
abs_srcdir
=
@abs_srcdir@
abs_top_builddir
=
@abs_top_builddir@
...
...
@@ -337,7 +324,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir
=
@ksourcedir@
libdir
=
@libdir@
libexecdir
=
@libexecdir@
libiptc_LDFLAGS2
=
@libiptc_LDFLAGS2@
libmnl_CFLAGS
=
@libmnl_CFLAGS@
libmnl_LIBS
=
@libmnl_LIBS@
libnetfilter_conntrack_CFLAGS
=
@libnetfilter_conntrack_CFLAGS@
...
...
@@ -375,14 +361,11 @@ xtlibdir = @xtlibdir@
AM_CFLAGS
=
${regular_CFLAGS}
AM_CPPFLAGS
=
${regular_CPPFLAGS}
-I
${top_builddir}
/include
-I
${top_srcdir}
/include
${kinclude_CPPFLAGS}
pkgconfig_DATA
=
libiptc.pc libip4tc.pc libip6tc.pc
lib_LTLIBRARIES
=
libip4tc.la libip6tc.la libiptc.la
libiptc_la_SOURCES
=
libiptc_la_LIBADD
=
libip4tc.la libip6tc.la
libiptc_la_LDFLAGS
=
-version-info
0:0:0
${libiptc_LDFLAGS2}
lib_LTLIBRARIES
=
libip4tc.la libip6tc.la
libip4tc_la_SOURCES
=
libip4tc.c
libip4tc_la_LDFLAGS
=
-version-info
2:0:0
libip6tc_la_SOURCES
=
libip6tc.c
libip6tc_la_LDFLAGS
=
-version-info
2:0:0
${libiptc_LDFLAGS2}
libip6tc_la_LDFLAGS
=
-version-info
2:0:0
all
:
all-am
.SUFFIXES
:
...
...
@@ -464,9 +447,6 @@ libip4tc.la: $(libip4tc_la_OBJECTS) $(libip4tc_la_DEPENDENCIES) $(EXTRA_libip4tc
libip6tc.la
:
$(libip6tc_la_OBJECTS) $(libip6tc_la_DEPENDENCIES) $(EXTRA_libip6tc_la_DEPENDENCIES)
$(AM_V_CCLD)$(libip6tc_la_LINK)
-rpath
$(libdir)
$(libip6tc_la_OBJECTS)
$(libip6tc_la_LIBADD)
$(LIBS)
libiptc.la
:
$(libiptc_la_OBJECTS) $(libiptc_la_DEPENDENCIES) $(EXTRA_libiptc_la_DEPENDENCIES)
$(AM_V_CCLD)$(libiptc_la_LINK)
-rpath
$(libdir)
$(libiptc_la_OBJECTS)
$(libiptc_la_LIBADD)
$(LIBS)
mostlyclean-compile
:
-
rm
-f
*
.
$(OBJEXT)
...
...
This diff is collapsed.
Click to expand it.
Prev
1
2
3
4
5
Next
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
Menu
Projects
Groups
Snippets
Help