adam.huang
Pkg Iptables
Commits
290749d4
Commit
290749d4
authored
Dec 03, 2019
by
Arturo Borrero Gonzalez
New upstream version 1.8.4
parent
89c92f0c
Changes
87
.gitignore
...
...
@@ -10,7 +10,6 @@ Makefile
Makefile.in
/include/xtables-version.h
/include/iptables/internal.h
/aclocal.m4
/autom4te.cache/
...
...
Makefile.am
...
...
@@ -30,4 +30,4 @@ tarball:
rm
-Rf
/tmp/
${PACKAGE_TARNAME}
-
${PACKAGE_VERSION}
;
config.status
:
extensions/GNUmakefile.in
\
include/xtables-version.h.in
include/iptables/internal.h.in
include/xtables-version.h.in
Makefile.in
...
...
@@ -93,10 +93,10 @@ host_triplet = @host@
@ENABLE_LIBIPQ_TRUE@
am__append_2
=
libipq
subdir
=
.
ACLOCAL_M4
=
$(top_srcdir)
/aclocal.m4
am__aclocal_m4_deps
=
$(top_srcdir)
/m4/
ax_check_linker_flags
.m4
\
$(top_srcdir)
/m4/l
ibtool
.m4
$(top_srcdir)
/m4/lt
options
.m4
\
$(top_srcdir)
/m4/lt
sugar
.m4
$(top_srcdir)
/m4/lt
version
.m4
\
$(top_srcdir)
/m4/lt~obsolete.m4
$(top_srcdir)
/configure.ac
am__aclocal_m4_deps
=
$(top_srcdir)
/m4/
libtool
.m4
\
$(top_srcdir)
/m4/l
toptions
.m4
$(top_srcdir)
/m4/lt
sugar
.m4
\
$(top_srcdir)
/m4/lt
version
.m4
$(top_srcdir)
/m4/lt
~obsolete
.m4
\
$(top_srcdir)
/configure.ac
am__configure_deps
=
$(am__aclocal_m4_deps)
$(CONFIGURE_DEPENDENCIES)
\
$(ACLOCAL_M4)
DIST_COMMON
=
$(srcdir)
/Makefile.am
$(top_srcdir)
/configure
\
...
...
@@ -106,8 +106,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs
=
$(install_sh)
-d
CONFIG_HEADER
=
config.h
CONFIG_CLEAN_FILES
=
extensions/GNUmakefile
\
include/iptables/internal.h
CONFIG_CLEAN_FILES
=
extensions/GNUmakefile
CONFIG_CLEAN_VPATH_FILES
=
AM_V_P
=
$
(
am__v_P_@AM_V@
)
am__v_P_
=
$
(
am__v_P_@AM_DEFAULT_V@
)
...
...
@@ -204,8 +203,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(top_srcdir)
/build-aux/install-sh
\
$(top_srcdir)
/build-aux/ltmain.sh
\
$(top_srcdir)
/build-aux/missing
\
$(top_srcdir)
/extensions/GNUmakefile.in
\
$(top_srcdir)
/include/iptables/internal.h.in COPYING INSTALL
\
$(top_srcdir)
/extensions/GNUmakefile.in COPYING INSTALL
\
build-aux/ar-lib build-aux/compile build-aux/config.guess
\
build-aux/config.sub build-aux/install-sh build-aux/ltmain.sh
\
build-aux/missing
...
...
@@ -285,9 +283,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM
=
@INSTALL_STRIP_PROGRAM@
LD
=
@LD@
LDFLAGS
=
@LDFLAGS@
LEX
=
@LEX@
LEXLIB
=
@LEXLIB@
LEX_OUTPUT_ROOT
=
@LEX_OUTPUT_ROOT@
LIBOBJS
=
@LIBOBJS@
LIBS
=
@LIBS@
LIBTOOL
=
@LIBTOOL@
...
...
@@ -321,8 +316,6 @@ SET_MAKE = @SET_MAKE@
SHELL
=
@SHELL@
STRIP
=
@STRIP@
VERSION
=
@VERSION@
YACC
=
@YACC@
YFLAGS
=
@YFLAGS@
abs_builddir
=
@abs_builddir@
abs_srcdir
=
@abs_srcdir@
abs_top_builddir
=
@abs_top_builddir@
...
...
@@ -367,7 +360,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir
=
@ksourcedir@
libdir
=
@libdir@
libexecdir
=
@libexecdir@
libiptc_LDFLAGS2
=
@libiptc_LDFLAGS2@
libmnl_CFLAGS
=
@libmnl_CFLAGS@
libmnl_LIBS
=
@libmnl_LIBS@
libnetfilter_conntrack_CFLAGS
=
@libnetfilter_conntrack_CFLAGS@
...
...
@@ -464,8 +456,6 @@ distclean-hdr:
-
rm
-f
config.h stamp-h1
extensions/GNUmakefile
:
$(top_builddir)/config.status $(top_srcdir)/extensions/GNUmakefile.in
cd
$(top_builddir)
&&
$(SHELL)
./config.status
$@
include/iptables/internal.h
:
$(top_builddir)/config.status $(top_srcdir)/include/iptables/internal.h.in
cd
$(top_builddir)
&&
$(SHELL)
./config.status
$@
mostlyclean-libtool
:
-
rm
-f
*
.lo
...
...
@@ -930,7 +920,7 @@ tarball:
rm
-Rf
/tmp/
${PACKAGE_TARNAME}
-
${PACKAGE_VERSION}
;
config.status
:
extensions/GNUmakefile.in
\
include/xtables-version.h.in
include/iptables/internal.h.in
include/xtables-version.h.in
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
...
...
aclocal.m4
...
...
@@ -981,24 +981,6 @@ fi
rmdir .tst 2>/dev/null
AC_SUBST([am__leading_dot])])
# Copyright (C) 1998-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_PROG_LEX
# -----------
# Autoconf leaves LEX=: if lex or flex can't be found. Change that to a
# "missing" invocation, for better error output.
AC_DEFUN([AM_PROG_LEX],
[AC_PREREQ([2.50])dnl
AC_REQUIRE([AM_MISSING_HAS_RUN])dnl
AC_REQUIRE([AC_PROG_LEX])dnl
if test "$LEX" = :; then
LEX=${am_missing_run}flex
fi])
# Check to see how 'make' treats includes. -*- Autoconf -*-
# Copyright (C) 2001-2014 Free Software Foundation, Inc.
...
...
@@ -1504,7 +1486,6 @@ AC_SUBST([am__tar])
AC_SUBST([am__untar])
]) # _AM_PROG_TAR
m4_include([m4/ax_check_linker_flags.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
...
...
build-aux/ylwrap
deleted
100755 → 0
#! /bin/sh
# ylwrap - wrapper for lex/yacc invocations.
scriptversion
=
2013-01-12.17
;
# UTC
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
#
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
get_dirname
()
{
case
$1
in
*
/
*
|
*
\\
*
)
printf
'%s\n'
"
$1
"
|
sed
-e
's|\([\\/]\)[^\\/]*$|\1|'
;;
# Otherwise, we want the empty string (not ".").
esac
}
# guard FILE
# ----------
# The CPP macro used to guard inclusion of FILE.
guard
()
{
printf
'%s\n'
"
$1
"
\
|
sed
\
-e
'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'
\
-e
's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'
\
-e
's/__*/_/g'
}
# quote_for_sed [STRING]
# ----------------------
# Return STRING (or stdin) quoted to be used as a sed pattern.
quote_for_sed
()
{
case
$#
in
0
)
cat
;;
1
)
printf
'%s\n'
"
$1
"
;;
esac
\
|
sed
-e
's|[][\\.*]|\\&|g'
}
case
"
$1
"
in
''
)
echo
"
$0
: No files given. Try '
$0
--help' for more information."
1>&2
exit
1
;;
--basedir
)
basedir
=
$2
shift
2
;;
-h
|
--h
*
)
cat
<<
\
EOF
Usage: ylwrap [--help|--version] INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]...
Wrapper for lex/yacc invocations, renaming files as desired.
INPUT is the input file
OUTPUT is one file PROG generates
DESIRED is the file we actually want instead of OUTPUT
PROGRAM is program to run
ARGS are passed to PROG
Any number of OUTPUT,DESIRED pairs may be used.
Report bugs to <bug-automake@gnu.org>.
EOF
exit
$?
;;
-v
|
--v
*
)
echo
"ylwrap
$scriptversion
"
exit
$?
;;
esac
# The input.
input
=
$1
shift
# We'll later need for a correct munging of "#line" directives.
input_sub_rx
=
`
get_dirname
"
$input
"
| quote_for_sed
`
case
$input
in
[
\\
/]
*
|
?:[
\\
/]
*
)
# Absolute path; do nothing.
;;
*
)
# Relative path. Make it absolute.
input
=
`
pwd
`
/
$input
;;
esac
input_rx
=
`
get_dirname
"
$input
"
| quote_for_sed
`
# Since DOS filename conventions don't allow two dots,
# the DOS version of Bison writes out y_tab.c instead of y.tab.c
# and y_tab.h instead of y.tab.h. Test to see if this is the case.
y_tab_nodot
=
false
if
test
-f
y_tab.c
||
test
-f
y_tab.h
;
then
y_tab_nodot
=
true
fi
# The parser itself, the first file, is the destination of the .y.c
# rule in the Makefile.
parser
=
$1
# A sed program to s/FROM/TO/g for all the FROM/TO so that, for
# instance, we rename #include "y.tab.h" into #include "parse.h"
# during the conversion from y.tab.c to parse.c.
sed_fix_filenames
=
# Also rename header guards, as Bison 2.7 for instance uses its header
# guard in its implementation file.
sed_fix_header_guards
=
while
test
$#
-ne
0
;
do
if
test
x
"
$1
"
=
x
"--"
;
then
shift
break
fi
from
=
$1
# Handle y_tab.c and y_tab.h output by DOS
if
$y_tab_nodot
;
then
case
$from
in
"y.tab.c"
)
from
=
y_tab.c
;;
"y.tab.h"
)
from
=
y_tab.h
;;
esac
fi
shift
to
=
$1
shift
sed_fix_filenames
=
"
${
sed_fix_filenames
}
s|"
`
quote_for_sed
"
$from
"
`
"|
$to
|g;"
sed_fix_header_guards
=
"
${
sed_fix_header_guards
}
s|"
`
guard
"
$from
"
`
"|"
`
guard
"
$to
"
`
"|g;"
done
# The program to run.
prog
=
$1
shift
# Make any relative path in $prog absolute.
case
$prog
in
[
\\
/]
*
|
?:[
\\
/]
*
)
;;
*
[
\\
/]
*
)
prog
=
`
pwd
`
/
$prog
;;
esac
dirname
=
ylwrap
$$
do_exit
=
"cd '
`
pwd
`
' && rm -rf
$dirname
> /dev/null 2>&1;"
' (exit $ret); exit $ret'
trap
"ret=129;
$do_exit
"
1
trap
"ret=130;
$do_exit
"
2
trap
"ret=141;
$do_exit
"
13
trap
"ret=143;
$do_exit
"
15
mkdir
$dirname
||
exit
1
cd
$dirname
case
$#
in
0
)
"
$prog
"
"
$input
"
;;
*
)
"
$prog
"
"
$@
"
"
$input
"
;;
esac
ret
=
$?
if
test
$ret
-eq
0
;
then
for
from
in
*
do
to
=
`
printf
'%s\n'
"
$from
"
|
sed
"
$sed_fix_filenames
"
`
if
test
-f
"
$from
"
;
then
# If $2 is an absolute path name, then just use that,
# otherwise prepend '../'.
case
$to
in
[
\\
/]
*
|
?:[
\\
/]
*
)
target
=
$to
;;
*
)
target
=
../
$to
;;
esac
# Do not overwrite unchanged header files to avoid useless
# recompilations. Always update the parser itself: it is the
# destination of the .y.c rule in the Makefile. Divert the
# output of all other files to a temporary file so we can
# compare them to existing versions.
if
test
$from
!=
$parser
;
then
realtarget
=
$target
target
=
tmp-
`
printf
'%s\n'
"
$target
"
|
sed
's|.*[\\/]||g'
`
fi
# Munge "#line" or "#" directives. Don't let the resulting
# debug information point at an absolute srcdir. Use the real
# output file name, not yy.lex.c for instance. Adjust the
# include guards too.
sed
-e
"/^#/!b"
\
-e
"s|
$input_rx
|
$input_sub_rx
|"
\
-e
"
$sed_fix_filenames
"
\
-e
"
$sed_fix_header_guards
"
\
"
$from
"
>
"
$target
"
||
ret
=
$?
# Check whether files must be updated.
if
test
"
$from
"
!=
"
$parser
"
;
then
if
test
-f
"
$realtarget
"
&&
cmp
-s
"
$realtarget
"
"
$target
"
;
then
echo
"
$to
is unchanged"
rm
-f
"
$target
"
else
echo
"updating
$to
"
mv
-f
"
$target
"
"
$realtarget
"
fi
fi
else
# A missing file is only an error for the parser. This is a
# blatant hack to let us support using "yacc -d". If -d is not
# specified, don't fail when the header file is "missing".
if
test
"
$from
"
=
"
$parser
"
;
then
ret
=
1
fi
fi
done
fi
# Remove the directory.
cd
..
rm
-rf
$dirname
exit
$ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
config.h.in
...
...
@@ -83,7 +83,3 @@
/* Location of the iptables lock file */
#undef XT_LOCK_NAME
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
configure
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for iptables 1.8.
3
.
# Generated by GNU Autoconf 2.69 for iptables 1.8.
4
.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
...
...
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='iptables'
PACKAGE_TARNAME='iptables'
PACKAGE_VERSION
=
'1.8.
3
'
PACKAGE_STRING
=
'iptables 1.8.
3
'
PACKAGE_VERSION='1.8.
4
'
PACKAGE_STRING='iptables 1.8.
4
'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
...
...
@@ -658,11 +658,6 @@ HAVE_LIBNFTNL_FALSE
HAVE_LIBNFTNL_TRUE
HAVE_LIBMNL_FALSE
HAVE_LIBMNL_TRUE
YFLAGS
YACC
LEXLIB
LEX_OUTPUT_ROOT
LEX
libnftnl_LIBS
libnftnl_CFLAGS
libmnl_LIBS
...
...
@@ -696,7 +691,6 @@ ENABLE_SHARED_FALSE
ENABLE_SHARED_TRUE
ENABLE_STATIC_FALSE
ENABLE_STATIC_TRUE
libiptc_LDFLAGS2
CPP
LT_SYS_LIBRARY_PATH
OTOOL64
...
...
@@ -859,8 +853,6 @@ libmnl_CFLAGS
libmnl_LIBS
libnftnl_CFLAGS
libnftnl_LIBS
YACC
YFLAGS
libnetfilter_conntrack_CFLAGS
libnetfilter_conntrack_LIBS'
...
...
@@ -1413,7 +1405,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`
configure' configures iptables 1.8.
3
to adapt to many kinds of systems.
\`configure' configures iptables 1.8.
4
to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
...
...
@@ -1484,7 +1476,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short
|
recursive
)
echo
"Configuration of iptables 1.8.
3
:"
;;
short | recursive ) echo "Configuration of iptables 1.8.
4
:";;
esac
cat <<\_ACEOF
...
...
@@ -1563,12 +1555,6 @@ Some influential environment variables:
C compiler flags for libnftnl, overriding pkg-config
libnftnl_LIBS
linker flags for libnftnl, overriding pkg-config
YACC The `Yet Another Compiler Compiler' implementation to use.
Defaults to the first program found out of: `bison -y', `byacc',
`yacc'.
YFLAGS The list of arguments that will be passed by default to
$YACC
.
This script will default YFLAGS to the empty string to avoid a
default value of `-d' given by some make applications.
libnetfilter_conntrack_CFLAGS
C compiler flags for libnetfilter_conntrack, overriding
pkg-config
...
...
@@ -1641,7 +1627,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
iptables configure 1.8.
3
iptables configure 1.8.
4
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
...
...
@@ -2189,7 +2175,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by iptables
$as_me
1.8.
3
, which was
It was created by iptables $as_me 1.8.
4
, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
...
...
@@ -3060,7 +3046,7 @@ fi
# Define the identity of the package.
PACKAGE='iptables'
VERSION
=
'1.8.
3
'
VERSION='1.8.
4
'
cat >>confdefs.h <<_ACEOF
...
...
@@ -12561,47 +12547,6 @@ else
fi
libiptc_LDFLAGS2
=
""
;
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: checking whether the linker accepts -Wl,--no-as-needed"
>
&5
$as_echo_n
"checking whether the linker accepts -Wl,--no-as-needed... "
>
&6
;
}
if
${
ax_cv_linker_flags__Wl___no_as_needed
+
:
}
false
;
then
:
$as_echo_n
"(cached) "
>
&6
else
ax_save_FLAGS
=
$LDFLAGS
LDFLAGS
=
"-Wl,--no-as-needed"
cat
confdefs.h -
<<
_ACEOF
>conftest.
$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if
ac_fn_c_try_link
"
$LINENO
"
;
then
:
ax_cv_linker_flags__Wl___no_as_needed
=
yes
else
ax_cv_linker_flags__Wl___no_as_needed
=
no
fi
rm
-f
core conftest.err conftest.
$ac_objext
\
conftest
$ac_exeext
conftest.
$ac_ext
LDFLAGS
=
$ax_save_FLAGS
fi
eval
ax_check_linker_flags
=
$ax_cv_linker_flags__Wl___no_as_needed
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result:
$ax_check_linker_flags
"
>
&5
$as_echo
"
$ax_check_linker_flags
"
>
&6
;
}
if
test
"x
$ax_check_linker_flags
"
=
xyes
;
then
libiptc_LDFLAGS2
=
"-Wl,--no-as-needed"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $LD knows -Wl,--no-undefined" >&5
$as_echo_n "checking whether $LD knows -Wl,--no-undefined... " >&6; }
saved_LDFLAGS="$LDFLAGS";
...
...
@@ -13185,225 +13130,6 @@ fi
echo " iptables-compat over nftables support."
exit 1
fi
for
ac_prog
in
flex lex
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set
dummy
$ac_prog
;
ac_word
=
$2
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: checking for
$ac_word
"
>
&5
$as_echo_n
"checking for
$ac_word
... "
>
&6
;
}
if
${
ac_cv_prog_LEX
+
:
}
false
;
then
:
$as_echo_n
"(cached) "
>
&6
else
if
test
-n
"
$LEX
"
;
then
ac_cv_prog_LEX
=
"
$LEX
"
# Let the user override the test.
else
as_save_IFS
=
$IFS
;
IFS
=
$PATH_SEPARATOR
for
as_dir
in
$PATH
do
IFS
=
$as_save_IFS
test
-z
"
$as_dir
"
&&
as_dir
=
.
for
ac_exec_ext
in
''
$ac_executable_extensions
;
do
if
as_fn_executable_p
"
$as_dir
/
$ac_word$ac_exec_ext
"
;
then
ac_cv_prog_LEX
=
"
$ac_prog
"
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: found
$as_dir
/
$ac_word$ac_exec_ext
"
>
&5
break
2
fi
done
done
IFS
=
$as_save_IFS
fi
fi
LEX
=
$ac_cv_prog_LEX
if
test
-n
"
$LEX
"
;
then
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result:
$LEX
"
>
&5
$as_echo
"
$LEX
"
>
&6
;
}
else
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result: no"
>
&5
$as_echo
"no"
>
&6
;
}
fi
test
-n
"
$LEX
"
&&
break
done
test
-n
"
$LEX
"
||
LEX
=
":"
if
test
"x
$LEX
"
!=
"x:"
;
then
cat
>
conftest.l
<<
_ACEOF
%%
a { ECHO; }
b { REJECT; }
c { yymore (); }
d { yyless (1); }
e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */
yyless ((input () != 0)); }
f { unput (yytext[0]); }
. { BEGIN INITIAL; }
%%
#ifdef YYTEXT_POINTER
extern char *yytext;
#endif
int
main (void)
{
return ! yylex () + ! yywrap ();
}
_ACEOF
{
{
ac_try
=
"
$LEX
conftest.l"
case
"((
$ac_try
"
in
*
\"
*
|
*
\`
*
|
*
\\
*
)
ac_try_echo
=
\$
ac_try
;;
*
)
ac_try_echo
=
$ac_try
;;
esac
eval
ac_try_echo
=
"
\"\$
as_me:
${
as_lineno
-
$LINENO
}
:
$ac_try_echo
\"
"
$as_echo
"
$ac_try_echo
"
;
}
>
&5
(
eval
"
$LEX
conftest.l"
)
2>&5
ac_status
=
$?
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
:
\$
? =
$ac_status
"
>
&5
test
$ac_status
=
0
;
}
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: checking lex output file root"
>
&5
$as_echo_n
"checking lex output file root... "
>
&6
;
}
if
${
ac_cv_prog_lex_root
+
:
}
false
;
then
:
$as_echo_n
"(cached) "
>
&6
else
if
test
-f
lex.yy.c
;
then
ac_cv_prog_lex_root
=
lex.yy
elif
test
-f
lexyy.c
;
then
ac_cv_prog_lex_root
=
lexyy
else
as_fn_error
$?
"cannot find output from
$LEX
; giving up"
"
$LINENO
"
5
fi
fi
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result:
$ac_cv_prog_lex_root
"
>
&5
$as_echo
"
$ac_cv_prog_lex_root
"
>
&6
;
}
LEX_OUTPUT_ROOT
=
$ac_cv_prog_lex_root
if
test
-z
"
${
LEXLIB
+set
}
"
;
then
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: checking lex library"
>
&5
$as_echo_n
"checking lex library... "
>
&6
;
}
if
${
ac_cv_lib_lex
+
:
}
false
;
then
:
$as_echo_n
"(cached) "
>
&6
else
ac_save_LIBS
=
$LIBS
ac_cv_lib_lex
=
'none needed'
for
ac_lib
in
''
-lfl
-ll
;
do
LIBS
=
"
$ac_lib
$ac_save_LIBS
"
cat
confdefs.h -
<<
_ACEOF
>conftest.
$ac_ext
/* end confdefs.h. */
`cat
$LEX_OUTPUT_ROOT
.c`
_ACEOF
if
ac_fn_c_try_link
"
$LINENO
"
;
then
:
ac_cv_lib_lex
=
$ac_lib
fi
rm
-f
core conftest.err conftest.
$ac_objext
\
conftest
$ac_exeext
conftest.
$ac_ext
test
"
$ac_cv_lib_lex
"
!=
'none needed'
&&
break
done
LIBS
=
$ac_save_LIBS
fi
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result:
$ac_cv_lib_lex
"
>
&5
$as_echo
"
$ac_cv_lib_lex
"
>
&6
;
}
test
"
$ac_cv_lib_lex
"
!=
'none needed'
&&
LEXLIB
=
$ac_cv_lib_lex
fi
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: checking whether yytext is a pointer"
>
&5
$as_echo_n
"checking whether yytext is a pointer... "
>
&6
;
}
if
${
ac_cv_prog_lex_yytext_pointer
+
:
}
false
;
then
:
$as_echo_n
"(cached) "
>
&6
else
# POSIX says lex can declare yytext either as a pointer or an array; the
# default is implementation-dependent. Figure out which it is, since
# not all implementations provide the %pointer and %array declarations.
ac_cv_prog_lex_yytext_pointer
=
no
ac_save_LIBS
=
$LIBS
LIBS
=
"
$LEXLIB
$ac_save_LIBS
"
cat
confdefs.h -
<<
_ACEOF
>conftest.
$ac_ext
/* end confdefs.h. */
#define YYTEXT_POINTER 1
`cat
$LEX_OUTPUT_ROOT
.c`
_ACEOF
if
ac_fn_c_try_link
"
$LINENO
"
;
then
:
ac_cv_prog_lex_yytext_pointer
=
yes
fi
rm
-f
core conftest.err conftest.
$ac_objext
\
conftest
$ac_exeext
conftest.
$ac_ext
LIBS
=
$ac_save_LIBS
fi
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result:
$ac_cv_prog_lex_yytext_pointer
"
>
&5
$as_echo
"
$ac_cv_prog_lex_yytext_pointer
"
>
&6
;
}
if
test
$ac_cv_prog_lex_yytext_pointer
=
yes
;
then
$as_echo
"#define YYTEXT_POINTER 1"
>>
confdefs.h
fi
rm
-f
conftest.l
$LEX_OUTPUT_ROOT
.c
fi
if
test
"
$LEX
"
=
:
;
then
LEX
=
${
am_missing_run
}
flex
fi
for
ac_prog
in
'bison -y'
byacc
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set
dummy
$ac_prog
;
ac_word
=
$2
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: checking for
$ac_word
"
>
&5
$as_echo_n
"checking for
$ac_word
... "
>
&6
;
}
if
${
ac_cv_prog_YACC
+
:
}
false
;
then
:
$as_echo_n
"(cached) "
>
&6
else
if
test
-n
"
$YACC
"
;
then
ac_cv_prog_YACC
=
"
$YACC
"
# Let the user override the test.
else
as_save_IFS
=
$IFS
;
IFS
=
$PATH_SEPARATOR
for
as_dir
in
$PATH
do
IFS
=
$as_save_IFS
test
-z
"
$as_dir
"
&&
as_dir
=
.
for
ac_exec_ext
in
''
$ac_executable_extensions
;
do
if
as_fn_executable_p
"
$as_dir
/
$ac_word$ac_exec_ext
"
;
then
ac_cv_prog_YACC
=
"
$ac_prog
"
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: found
$as_dir
/
$ac_word$ac_exec_ext
"
>
&5
break
2
fi
done
done
IFS
=
$as_save_IFS
fi
fi
YACC
=
$ac_cv_prog_YACC
if
test
-n
"
$YACC
"
;
then
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result:
$YACC
"
>
&5
$as_echo
"
$YACC
"
>
&6
;
}
else
{
$as_echo
"
$as_me
:
${
as_lineno
-
$LINENO
}
: result: no"
>
&5
$as_echo
"no"
>
&6
;
}
fi
test
-n
"
$YACC
"
&&
break
done
test
-n
"
$YACC
"
||
YACC
=
"yacc"
if
test
-z
"
$ac_cv_prog_YACC
"
then
echo
"*** Error: No suitable bison/yacc found. ***"
echo
" Please install the 'bison' package."
exit
1
fi
if
test
-z
"
$ac_cv_prog_LEX
"
then
echo
"*** Error: No suitable flex/lex found. ***"
echo
" Please install the 'flex' package."
exit
1
fi
fi
if test "$mnl" = 1; then
...
...
@@ -13562,7 +13288,7 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
ac_config_files
=
"
$ac_config_files
Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc iptables/iptables.8 iptables/iptables-extensions.8.tmpl iptables/iptables-save.8 iptables/iptables-restore.8 iptables/iptables-apply.8 iptables/iptables-xml.1 libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile include/xtables-version.h
include/iptables/internal.h
iptables/xtables-monitor.8 utils/nfnl_osf.8 utils/nfbpf_compile.8"
ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc iptables/iptables.8 iptables/iptables-extensions.8.tmpl iptables/iptables-save.8 iptables/iptables-restore.8 iptables/iptables-apply.8 iptables/iptables-xml.1 libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile include/xtables-version.h iptables/xtables-monitor.8 utils/nfnl_osf.8 utils/nfbpf_compile.8"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
...
...
@@ -14154,7 +13880,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by iptables
$as_me
1.8.
3
, which was
This file was extended by iptables $as_me 1.8.
4
, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
...
...
@@ -14220,7 +13946,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
iptables config.status 1.8.
3
iptables config.status 1.8.
4
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
...
...
@@ -14655,7 +14381,6 @@ do
"libxtables/Makefile") CONFIG_FILES="$CONFIG_FILES libxtables/Makefile" ;;
"utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;;
"include/xtables-version.h") CONFIG_FILES="$CONFIG_FILES include/xtables-version.h" ;;
"include/iptables/internal.h") CONFIG_FILES="
$CONFIG_FILES
include/iptables/internal.h" ;;
"iptables/xtables-monitor.8") CONFIG_FILES="$CONFIG_FILES iptables/xtables-monitor.8" ;;
"utils/nfnl_osf.8") CONFIG_FILES="$CONFIG_FILES utils/nfnl_osf.8" ;;
"utils/nfbpf_compile.8") CONFIG_FILES="$CONFIG_FILES utils/nfbpf_compile.8" ;;
...
...
configure.ac
AC_INIT([iptables], [1.8.
3
])
AC_INIT([iptables], [1.8.
4
])
# See libtool.info "Libtool's versioning system"
libxtables_vcurrent=14
...
...
@@ -73,11 +73,6 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH],
[xt_lock_name="$withval"],
[xt_lock_name="/run/xtables.lock"])
libiptc_LDFLAGS2="";
AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
[libiptc_LDFLAGS2="-Wl,--no-as-needed"])
AC_SUBST([libiptc_LDFLAGS2])
AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined])
saved_LDFLAGS="$LDFLAGS";
LDFLAGS="-Wl,--no-undefined";
...
...
@@ -146,22 +141,6 @@ if test "x$enable_nftables" = "xyes"; then
echo " iptables-compat over nftables support."
exit 1
fi
AM_PROG_LEX
AC_PROG_YACC
if test -z "$ac_cv_prog_YACC"
then
echo "*** Error: No suitable bison/yacc found. ***"
echo " Please install the 'bison' package."
exit 1
fi
if test -z "$ac_cv_prog_LEX"
then
echo "*** Error: No suitable flex/lex found. ***"
echo " Please install the 'flex' package."
exit 1
fi
fi
AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1])
...
...
@@ -250,7 +229,7 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
libiptc/Makefile libiptc/libiptc.pc
libiptc/libip4tc.pc libiptc/libip6tc.pc
libxtables/Makefile utils/Makefile
include/xtables-version.h
include/iptables/internal.h
include/xtables-version.h
iptables/xtables-monitor.8
utils/nfnl_osf.8
utils/nfbpf_compile.8])
...
...
extensions/libebt_among.c
0 → 100644
/* ebt_among
*
* Authors:
* Grzegorz Borowiak <grzes@gnu.univ.gda.pl>
*
* August, 2003
*/
#include <ctype.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <xtables.h>
#include <arpa/inet.h>
#include <netinet/ether.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/netfilter_bridge/ebt_among.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include "iptables/nft.h"
#include "iptables/nft-bridge.h"
#define AMONG_DST '1'
#define AMONG_SRC '2'
#define AMONG_DST_F '3'
#define AMONG_SRC_F '4'
static
const
struct
option
bramong_opts
[]
=
{
{
"among-dst"
,
required_argument
,
0
,
AMONG_DST
},
{
"among-src"
,
required_argument
,
0
,
AMONG_SRC
},
{
"among-dst-file"
,
required_argument
,
0
,
AMONG_DST_F
},
{
"among-src-file"
,
required_argument
,
0
,
AMONG_SRC_F
},
{
0
}
};
static
void
bramong_print_help
(
void
)
{
printf
(
"`among' options:
\n
"
"--among-dst [!] list : matches if ether dst is in list
\n
"
"--among-src [!] list : matches if ether src is in list
\n
"
"--among-dst-file [!] file : obtain dst list from file
\n
"
"--among-src-file [!] file : obtain src list from file
\n
"
"list has form:
\n
"
" xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip]"
",...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]
\n
"
"Things in brackets are optional.
\n
"
"If you want to allow two (or more) IP addresses to one MAC address, you
\n
"
"can specify two (or more) pairs with the same MAC, e.g.
\n
"
" 00:00:00:fa:eb:fe=153.19.120.250,00:00:00:fa:eb:fe=192.168.0.1
\n
"
);
}
static
void
parse_nft_among_pair
(
char
*
buf
,
struct
nft_among_pair
*
pair
,
bool
have_ip
)
{
char
*
sep
=
index
(
buf
,
'='
);
struct
ether_addr
*
ether
;
if
(
have_ip
^
!!
sep
)
xtables_error
(
PARAMETER_PROBLEM
,
"among: Mixed MAC and MAC=IP not allowed."
);
if
(
sep
)
{
*
sep
=
'\0'
;
if
(
!
inet_aton
(
sep
+
1
,
&
pair
->
in
))
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid IP address '%s'
\n
"
,
sep
+
1
);
}
ether
=
ether_aton
(
buf
);
if
(
!
ether
)
xtables_error
(
PARAMETER_PROBLEM
,
"Invalid MAC address '%s'
\n
"
,
buf
);
memcpy
(
&
pair
->
ether
,
ether
,
sizeof
(
*
ether
));
}
static
void
parse_nft_among_pairs
(
struct
nft_among_pair
*
pairs
,
char
*
buf
,
size_t
cnt
,
bool
have_ip
)
{
size_t
tmpcnt
=
0
;
buf
=
strtok
(
buf
,
","
);
while
(
buf
)
{
struct
nft_among_pair
pair
=
{};
parse_nft_among_pair
(
buf
,
&
pair
,
have_ip
);
nft_among_insert_pair
(
pairs
,
&
tmpcnt
,
&
pair
);
buf
=
strtok
(
NULL
,
","
);
}
}
static
size_t
count_nft_among_pairs
(
char
*
buf
)
{
size_t
cnt
=
0
;
char
*
p
=
buf
;
if
(
!*
buf
)
return
0
;
do
{
cnt
++
;
p
=
index
(
++
p
,
','
);
}
while
(
p
);
return
cnt
;
}
static
bool
nft_among_pairs_have_ip
(
char
*
buf
)
{
return
!!
index
(
buf
,
'='
);
}
static
int
bramong_parse
(
int
c
,
char
**
argv
,
int
invert
,
unsigned
int
*
flags
,
const
void
*
entry
,
struct
xt_entry_match
**
match
)
{
struct
nft_among_data
*
data
=
(
struct
nft_among_data
*
)(
*
match
)
->
data
;
struct
xt_entry_match
*
new_match
;
bool
have_ip
,
dst
=
false
;
size_t
new_size
,
cnt
;
struct
stat
stats
;
int
fd
=
-
1
,
poff
;
long
flen
=
0
;
switch
(
c
)
{
case
AMONG_DST_F
:
dst
=
true
;
/* fall through */
case
AMONG_SRC_F
:
if
((
fd
=
open
(
optarg
,
O_RDONLY
))
==
-
1
)
xtables_error
(
PARAMETER_PROBLEM
,
"Couldn't open file '%s'"
,
optarg
);
fstat
(
fd
,
&
stats
);
flen
=
stats
.
st_size
;
/* use mmap because the file will probably be big */
optarg
=
mmap
(
0
,
flen
,
PROT_READ
|
PROT_WRITE
,
MAP_PRIVATE
,
fd
,
0
);
if
(
optarg
==
MAP_FAILED
)
xtables_error
(
PARAMETER_PROBLEM
,
"Couldn't map file to memory"
);
if
(
optarg
[
flen
-
1
]
!=
'\n'
)
xtables_error
(
PARAMETER_PROBLEM
,
"File should end with a newline"
);
if
(
strchr
(
optarg
,
'\n'
)
!=
optarg
+
flen
-
1
)
xtables_error
(
PARAMETER_PROBLEM
,
"File should only contain one line"
);
optarg
[
flen
-
1
]
=
'\0'
;
/* fall through */
case
AMONG_DST
:
if
(
c
==
AMONG_DST
)
dst
=
true
;
/* fall through */
case
AMONG_SRC
:
break
;
default:
return
0
;
}
cnt
=
count_nft_among_pairs
(
optarg
);
if
(
cnt
==
0
)
return
0
;
new_size
=
data
->
src
.
cnt
+
data
->
dst
.
cnt
+
cnt
;
new_size
*=
sizeof
(
struct
nft_among_pair
);
new_size
+=
XT_ALIGN
(
sizeof
(
struct
xt_entry_match
))
+
sizeof
(
struct
nft_among_data
);
new_match
=
xtables_calloc
(
1
,
new_size
);
memcpy
(
new_match
,
*
match
,
(
*
match
)
->
u
.
match_size
);
new_match
->
u
.
match_size
=
new_size
;
data
=
(
struct
nft_among_data
*
)
new_match
->
data
;
have_ip
=
nft_among_pairs_have_ip
(
optarg
);
poff
=
nft_among_prepare_data
(
data
,
dst
,
cnt
,
invert
,
have_ip
);
parse_nft_among_pairs
(
data
->
pairs
+
poff
,
optarg
,
cnt
,
have_ip
);
free
(
*
match
);
*
match
=
new_match
;
if
(
c
==
AMONG_DST_F
||
c
==
AMONG_SRC_F
)
{
munmap
(
argv
,
flen
);
close
(
fd
);
}
return
1
;
}
static
void
__bramong_print
(
struct
nft_among_pair
*
pairs
,
int
cnt
,
bool
inv
,
bool
have_ip
)
{
const
char
*
isep
=
inv
?
"! "
:
""
;
int
i
;
for
(
i
=
0
;
i
<
cnt
;
i
++
)
{
printf
(
"%s"
,
isep
);
isep
=
","
;
printf
(
"%s"
,
ether_ntoa
(
&
pairs
[
i
].
ether
));
if
(
have_ip
)
printf
(
"=%s"
,
inet_ntoa
(
pairs
[
i
].
in
));
}
printf
(
" "
);
}
static
void
bramong_print
(
const
void
*
ip
,
const
struct
xt_entry_match
*
match
,
int
numeric
)
{
struct
nft_among_data
*
data
=
(
struct
nft_among_data
*
)
match
->
data
;
if
(
data
->
src
.
cnt
)
{
printf
(
"--among-src "
);
__bramong_print
(
data
->
pairs
,
data
->
src
.
cnt
,
data
->
src
.
inv
,
data
->
src
.
ip
);
}
if
(
data
->
dst
.
cnt
)
{
printf
(
"--among-dst "
);
__bramong_print
(
data
->
pairs
+
data
->
src
.
cnt
,
data
->
dst
.
cnt
,
data
->
dst
.
inv
,
data
->
dst
.
ip
);
}
}
static
struct
xtables_match
bramong_match
=
{
.
name
=
"among"
,
.
revision
=
0
,
.
version
=
XTABLES_VERSION
,
.
family
=
NFPROTO_BRIDGE
,
.
size
=
XT_ALIGN
(
sizeof
(
struct
nft_among_data
)),
.
userspacesize
=
XT_ALIGN
(
sizeof
(
struct
nft_among_data
)),
.
help
=
bramong_print_help
,
.
parse
=
bramong_parse
,
.
print
=
bramong_print
,
.
extra_opts
=
bramong_opts
,
};
void
_init
(
void
)
{
xtables_register_match
(
&
bramong_match
);
}
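Review bot: In bramong_parse the cleanup for the `--among-dst-file` / `--among-src-file` options calls `munmap(argv, flen)`, which passes the argument vector rather than the mapping stored in `optarg`, so the file mapping is never released and the call targets an unrelated address; it should read `munmap(optarg, flen);`. The result of `fstat(fd, &stats)` just before the mmap is also ignored, so on failure `flen` is taken from an uninitialised `stats`; a guard such as `if (fstat(fd, &stats) < 0) xtables_error(PARAMETER_PROBLEM, "Couldn't stat file '%s'", optarg);` would close that. Separately, `parse_nft_among_pairs` receives `cnt` but never compares `tmpcnt` against it, so the write bound into `data->pairs` rests only on `count_nft_among_pairs` and `strtok` agreeing on the number of entries; an explicit check before `nft_among_insert_pair` would make that bound visible in the code that does the writing.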
extensions/libebt_among.t
0 → 100644
:
INPUT
,
FORWARD
,
OUTPUT
--
among
-
dst
de:ad:0:be:ee:ff
,
c0:ff:ee:0:ba:be
;
--
among
-
dst
c0:ff:ee:0:ba:be
,
de:ad:0:be:ee:ff
;
OK
--
among
-
dst
!
c0:ff:ee:0:ba:be
,
de:ad:0:be:ee:ff
;
=
;
OK
--
among
-
src
be:ef:0:c0:ff:ee
,
c0:ff:ee:0:ba:be
,
de:ad:0:be:ee:ff
;
=
;
OK
--
among
-
src
de:ad:0:be:ee:ff
=
10.0.0.1
,
c0:ff:ee:0:ba:be
=
192.168.1.1
;
--
among
-
src
c0:ff:ee:0:ba:be
=
192.168.1.1
,
de:ad:0:be:ee:ff
=
10.0.0.1
;
OK
--
among
-
src
!
c0:ff:ee:0:ba:be
=
192.168.1.1
,
de:ad:0:be:ee:ff
=
10.0.0.1
;
=
;
OK
--
among
-
src
de:ad:0:be:ee:ff
--
among
-
dst
c0:ff:ee:0:ba:be
;
=
;
OK
--
among
-
src
de:ad:0:be:ee:ff
=
10.0.0.1
--
among
-
dst
c0:ff:ee:0:ba:be
=
192.168.1.1
;
=
;
OK
--
among
-
src
!
de:ad:0:be:ee:ff
--
among
-
dst
c0:ff:ee:0:ba:be
;
=
;
OK
--
among
-
src
de:ad:0:be:ee:ff
=
10.0.0.1
--
among
-
dst
!
c0:ff:ee:0:ba:be
=
192.168.1.1
;
=
;
OK
--
among
-
src
!
de:ad:0:be:ee:ff
--
among
-
dst
c0:ff:ee:0:ba:be
=
192.168.1.1
;
=
;
OK
--
among
-
src
de:ad:0:be:ee:ff
=
10.0.0.1
--
among
-
dst
!
c0:ff:ee:0:ba:be
=
192.168.1.1
;
=
;
OK
--
among
-
src
;
=
;
FAIL
--
among
-
src
00
:
11
=
10.0.0.1
;
=
;
FAIL
--
among
-
src
de:ad:0:be:ee:ff
=
10.256.0.1
;
=
;
FAIL
--
among
-
src
de:ad:0:be:ee:ff
,
c0:ff:ee:0:ba:be
=
192.168.1.1
;
=
;
FAIL
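Review bot: None of these cases exercises `--among-src-file` / `--among-dst-file`, nor the trailing comma that the help text in libebt_among.c documents as optional (`[,]`), and those are the inputs where the new parser's entry counting and mmap handling are most likely to diverge. `count_nft_among_pairs` appears to count one entry per comma, so a list ending in `,` would be sized for one more pair than `strtok` yields. A case such as `--among-src de:ad:0:be:ee:ff,;--among-src de:ad:0:be:ee:ff;OK` would pin that down, with the expected output to be confirmed against the intended behaviour.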
extensions/libebt_standard.t
...
...
@@ -9,3 +9,20 @@
-
p
!
ARP
-
j
ACCEPT
;
=
;
OK
-
p
0
-
j
ACCEPT
;
=
;
FAIL
-
p
!
0
-
j
ACCEPT
;
=
;
FAIL
:
INPUT
-
i
foobar
;
=
;
OK
-
o
foobar
;
=
;
FAIL
:
FORWARD
-
i
foobar
;
=
;
OK
-
o
foobar
;
=
;
OK
:
OUTPUT
-
i
foobar
;
=
;
FAIL
-
o
foobar
;
=
;
OK
:
PREROUTING
*nat
-
i
foobar
;
=
;
OK
-
o
foobar
;
=
;
FAIL
:
POSTROUTING
*nat
-
i
foobar
;
=
;
FAIL
-
o
foobar
;
=
;
OK
extensions/libxt_MASQUERADE.man
...
...
@@ -24,6 +24,7 @@ Randomize source port mapping
If option
\fB\-\-random\fP
is used then port mapping will be randomized (kernel >= 2.6.21).
Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random-fully\fP.
.TP
\fB\-\-random-fully\fP
Full randomize source port mapping
...
...
extensions/libxt_REDIRECT.man
...
...
@@ -8,7 +8,8 @@ chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the localhost address,
127.0.0.1 for IPv4 and ::1 for IPv6).
127.0.0.1 for IPv4 and ::1 for IPv6, and packets arriving on
interfaces that don't have an IP address configured are dropped).
.TP
\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
This specifies a destination port or range of ports to use: without
...
...
extensions/libxt_SYNPROXY.c
...
...
@@ -106,6 +106,28 @@ static void SYNPROXY_save(const void *ip, const struct xt_entry_target *target)
printf
(
" --ecn"
);
}
static
int
SYNPROXY_xlate
(
struct
xt_xlate
*
xl
,
const
struct
xt_xlate_tg_params
*
params
)
{
const
struct
xt_synproxy_info
*
info
=
(
const
struct
xt_synproxy_info
*
)
params
->
target
->
data
;
xt_xlate_add
(
xl
,
"synproxy "
);
if
(
info
->
options
&
XT_SYNPROXY_OPT_SACK_PERM
)
xt_xlate_add
(
xl
,
"sack-perm "
);
if
(
info
->
options
&
XT_SYNPROXY_OPT_TIMESTAMP
)
xt_xlate_add
(
xl
,
"timestamp "
);
if
(
info
->
options
&
XT_SYNPROXY_OPT_WSCALE
)
xt_xlate_add
(
xl
,
"wscale %u "
,
info
->
wscale
);
if
(
info
->
options
&
XT_SYNPROXY_OPT_MSS
)
xt_xlate_add
(
xl
,
"mss %u "
,
info
->
mss
);
if
(
info
->
options
&
XT_SYNPROXY_OPT_ECN
)
xt_xlate_add
(
xl
,
"ecn "
);
return
1
;
}
static
struct
xtables_target
synproxy_tg_reg
=
{
.
family
=
NFPROTO_UNSPEC
,
.
name
=
"SYNPROXY"
,
...
...
@@ -119,6 +141,7 @@ static struct xtables_target synproxy_tg_reg = {
.
x6_parse
=
SYNPROXY_parse
,
.
x6_fcheck
=
SYNPROXY_check
,
.
x6_options
=
SYNPROXY_opts
,
.
xlate
=
SYNPROXY_xlate
,
};
void
_init
(
void
)
...
...
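Review bot: SYNPROXY_xlate appends `ecn ` and still returns 1 when XT_SYNPROXY_OPT_ECN is set, but as far as I know the nft synproxy statement only accepts mss, wscale, timestamp and sack-perm, so the translated rule may fail to load; please confirm against the nft grammar. If nft has no equivalent, the rule should be reported as untranslatable rather than emitted, e.g. `if (info->options & XT_SYNPROXY_OPT_ECN) return 0;` before the first xt_xlate_add() call. The new libxt_SYNPROXY.txlate case does not pass --ecn, so this branch is untested either way.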
extensions/libxt_SYNPROXY.txlate
0 → 100644
iptables-translate -t mangle -A INPUT -i iifname -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
nft add rule ip mangle INPUT iifname "iifname" tcp dport 80 ct state invalid,untracked counter synproxy sack-perm timestamp wscale 7 mss 1460
extensions/libxt_conntrack.c
...
...
@@ -1257,8 +1257,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if
(
sinfo
->
match_flags
&
XT_CONNTRACK_STATUS
)
{
if
(
sinfo
->
status_mask
==
1
)
return
0
;
xt_xlate_add
(
xl
,
"%sct status %s"
,
space
,
sinfo
->
invert_flags
&
XT_CONNTRACK_STATUS
?
"!= "
:
""
);
...
...
extensions/libxt_conntrack.txlate
...
...
@@ -28,6 +28,9 @@ nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
nft add rule ip filter INPUT ct status expected counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept
...
...
extensions/libxt_hashlimit.c
...
...
@@ -772,7 +772,7 @@ static void hashlimit_mt_check(struct xt_fcheck_call *cb)
if
(
cb
->
xflags
&
F_BURST
)
{
if
(
info
->
cfg
.
burst
<
cost_to_bytes
(
info
->
cfg
.
avg
))
xtables_error
(
PARAMETER_PROBLEM
,
"burst cannot be smaller than %
lu
b"
,
cost_to_bytes
(
info
->
cfg
.
avg
));
"burst cannot be smaller than %
"
PRIu64
"
b"
,
cost_to_bytes
(
info
->
cfg
.
avg
));
burst
=
info
->
cfg
.
burst
;
burst
/=
cost_to_bytes
(
info
->
cfg
.
avg
);
...
...
extensions/libxt_nfacct.c
...
...
@@ -70,8 +70,10 @@ static void nfacct_save(const void *ip, const struct xt_entry_match *match)
nfacct_print_name
(
info
,
"--"
);
}
static
struct
xtables_match
nfacct_match
=
{
static
struct
xtables_match
nfacct_matches
[]
=
{
{
.
family
=
NFPROTO_UNSPEC
,
.
revision
=
0
,
.
name
=
"nfacct"
,
.
version
=
XTABLES_VERSION
,
.
size
=
XT_ALIGN
(
sizeof
(
struct
xt_nfacct_match_info
)),
...
...
@@ -81,9 +83,23 @@ static struct xtables_match nfacct_match = {
.
print
=
nfacct_print
,
.
save
=
nfacct_save
,
.
x6_options
=
nfacct_opts
,
},
{
.
family
=
NFPROTO_UNSPEC
,
.
revision
=
1
,
.
name
=
"nfacct"
,
.
version
=
XTABLES_VERSION
,
.
size
=
XT_ALIGN
(
sizeof
(
struct
xt_nfacct_match_info_v1
)),
.
userspacesize
=
offsetof
(
struct
xt_nfacct_match_info_v1
,
nfacct
),
.
help
=
nfacct_help
,
.
x6_parse
=
nfacct_parse
,
.
print
=
nfacct_print
,
.
save
=
nfacct_save
,
.
x6_options
=
nfacct_opts
,
},
};
void
_init
(
void
)
{
xtables_register_match
(
&
nfacct_match
);
xtables_register_match
es
(
nfacct_matches
,
ARRAY_SIZE
(
nfacct_match
es
)
);
}
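Review bot: Both entries of nfacct_matches[] reuse the same nfacct_parse/nfacct_print/nfacct_save callbacks, while the revision 1 entry is sized from struct xt_nfacct_match_info_v1. The callbacks are outside these hunks, but if they cast the match data to struct xt_nfacct_match_info they stay correct only while both structs start with the same fields. A comment above the array would record that assumption, e.g. `/* rev 0 and rev 1 share callbacks: they may only touch fields common to both structs */`, ideally backed by a compile-time check that the shared fields sit at the same offsets. It is also worth confirming that the revision 0 entry's userspacesize (in the elided lines) likewise stops at the nfacct member, so both revisions compare rules the same way.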
extensions/libxt_owner.c
...
...
@@ -56,6 +56,7 @@ enum {
O_PROCESS
,
O_SESSION
,
O_COMM
,
O_SUPPL_GROUPS
,
};
static
void
owner_mt_help_v0
(
void
)
...
...
@@ -87,7 +88,8 @@ static void owner_mt_help(void)
"owner match options:
\n
"
"[!] --uid-owner userid[-userid] Match local UID
\n
"
"[!] --gid-owner groupid[-groupid] Match local GID
\n
"
"[!] --socket-exists Match if socket exists
\n
"
);
"[!] --socket-exists Match if socket exists
\n
"
" --suppl-groups Also match supplementary groups set with --gid-owner
\n
"
);
}
#define s struct ipt_owner_info
...
...
@@ -131,6 +133,7 @@ static const struct xt_option_entry owner_mt_opts[] = {
.
flags
=
XTOPT_INVERT
},
{.
name
=
"socket-exists"
,
.
id
=
O_SOCK_EXISTS
,
.
type
=
XTTYPE_NONE
,
.
flags
=
XTOPT_INVERT
},
{.
name
=
"suppl-groups"
,
.
id
=
O_SUPPL_GROUPS
,
.
type
=
XTTYPE_NONE
},
XTOPT_TABLEEND
,
};
...
...
@@ -275,6 +278,11 @@ static void owner_mt_parse(struct xt_option_call *cb)
info
->
invert
|=
XT_OWNER_SOCKET
;
info
->
match
|=
XT_OWNER_SOCKET
;
break
;
case
O_SUPPL_GROUPS
:
if
(
!
(
info
->
match
&
XT_OWNER_GID
))
xtables_param_act
(
XTF_BAD_VALUE
,
"owner"
,
"--suppl-groups"
,
"you need to use --gid-owner first"
);
info
->
match
|=
XT_OWNER_SUPPL_GROUPS
;
break
;
}
}
...
...
@@ -458,6 +466,7 @@ static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
owner_mt_print_item
(
info
,
"owner socket exists"
,
XT_OWNER_SOCKET
,
numeric
);
owner_mt_print_item
(
info
,
"owner UID match"
,
XT_OWNER_UID
,
numeric
);
owner_mt_print_item
(
info
,
"owner GID match"
,
XT_OWNER_GID
,
numeric
);
owner_mt_print_item
(
info
,
"incl. suppl. groups"
,
XT_OWNER_SUPPL_GROUPS
,
numeric
);
}
static
void
...
...
@@ -490,6 +499,7 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
owner_mt_print_item
(
info
,
"--socket-exists"
,
XT_OWNER_SOCKET
,
true
);
owner_mt_print_item
(
info
,
"--uid-owner"
,
XT_OWNER_UID
,
true
);
owner_mt_print_item
(
info
,
"--gid-owner"
,
XT_OWNER_GID
,
true
);
owner_mt_print_item
(
info
,
"--suppl-groups"
,
XT_OWNER_SUPPL_GROUPS
,
true
);
}
static
int
...
...
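Review bot: The O_SUPPL_GROUPS case in owner_mt_parse tests `info->match & XT_OWNER_GID` while options are still being parsed, so `--suppl-groups` given before `--gid-owner` is rejected and the reverse order is accepted, although the resulting rule would be the same. Running the check once all options are parsed would make it order-independent; whether this match registers a final-check callback is not visible in these hunks. If the order dependence is intended, a comment on the case such as `/* --suppl-groups only modifies a preceding --gid-owner */` would say so. The help line could also state that the flag widens the GID match, since that matters to anyone using owner rules as an egress control.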