Commit 290749d4 authored by Arturo Borrero Gonzalez

New upstream version 1.8.4

parent 89c92f0c
...@@ -10,7 +10,6 @@ Makefile ...@@ -10,7 +10,6 @@ Makefile
Makefile.in Makefile.in
/include/xtables-version.h /include/xtables-version.h
/include/iptables/internal.h
/aclocal.m4 /aclocal.m4
/autom4te.cache/ /autom4te.cache/
......
...@@ -30,4 +30,4 @@ tarball: ...@@ -30,4 +30,4 @@ tarball:
rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
config.status: extensions/GNUmakefile.in \ config.status: extensions/GNUmakefile.in \
include/xtables-version.h.in include/iptables/internal.h.in include/xtables-version.h.in
...@@ -93,10 +93,10 @@ host_triplet = @host@ ...@@ -93,10 +93,10 @@ host_triplet = @host@
@ENABLE_LIBIPQ_TRUE@am__append_2 = libipq @ENABLE_LIBIPQ_TRUE@am__append_2 = libipq
subdir = . subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4) $(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \ DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
...@@ -106,8 +106,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ ...@@ -106,8 +106,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = config.h CONFIG_HEADER = config.h
CONFIG_CLEAN_FILES = extensions/GNUmakefile \ CONFIG_CLEAN_FILES = extensions/GNUmakefile
include/iptables/internal.h
CONFIG_CLEAN_VPATH_FILES = CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@) AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
...@@ -204,8 +203,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ ...@@ -204,8 +203,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(top_srcdir)/build-aux/install-sh \ $(top_srcdir)/build-aux/install-sh \
$(top_srcdir)/build-aux/ltmain.sh \ $(top_srcdir)/build-aux/ltmain.sh \
$(top_srcdir)/build-aux/missing \ $(top_srcdir)/build-aux/missing \
$(top_srcdir)/extensions/GNUmakefile.in \ $(top_srcdir)/extensions/GNUmakefile.in COPYING INSTALL \
$(top_srcdir)/include/iptables/internal.h.in COPYING INSTALL \
build-aux/ar-lib build-aux/compile build-aux/config.guess \ build-aux/ar-lib build-aux/compile build-aux/config.guess \
build-aux/config.sub build-aux/install-sh build-aux/ltmain.sh \ build-aux/config.sub build-aux/install-sh build-aux/ltmain.sh \
build-aux/missing build-aux/missing
...@@ -285,9 +283,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ ...@@ -285,9 +283,6 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@ LD = @LD@
LDFLAGS = @LDFLAGS@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@ LIBOBJS = @LIBOBJS@
LIBS = @LIBS@ LIBS = @LIBS@
LIBTOOL = @LIBTOOL@ LIBTOOL = @LIBTOOL@
...@@ -321,8 +316,6 @@ SET_MAKE = @SET_MAKE@ ...@@ -321,8 +316,6 @@ SET_MAKE = @SET_MAKE@
SHELL = @SHELL@ SHELL = @SHELL@
STRIP = @STRIP@ STRIP = @STRIP@
VERSION = @VERSION@ VERSION = @VERSION@
YACC = @YACC@
YFLAGS = @YFLAGS@
abs_builddir = @abs_builddir@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@ abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@ abs_top_builddir = @abs_top_builddir@
...@@ -367,7 +360,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@ ...@@ -367,7 +360,6 @@ kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
ksourcedir = @ksourcedir@ ksourcedir = @ksourcedir@
libdir = @libdir@ libdir = @libdir@
libexecdir = @libexecdir@ libexecdir = @libexecdir@
libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@
libmnl_CFLAGS = @libmnl_CFLAGS@ libmnl_CFLAGS = @libmnl_CFLAGS@
libmnl_LIBS = @libmnl_LIBS@ libmnl_LIBS = @libmnl_LIBS@
libnetfilter_conntrack_CFLAGS = @libnetfilter_conntrack_CFLAGS@ libnetfilter_conntrack_CFLAGS = @libnetfilter_conntrack_CFLAGS@
...@@ -464,8 +456,6 @@ distclean-hdr: ...@@ -464,8 +456,6 @@ distclean-hdr:
-rm -f config.h stamp-h1 -rm -f config.h stamp-h1
extensions/GNUmakefile: $(top_builddir)/config.status $(top_srcdir)/extensions/GNUmakefile.in extensions/GNUmakefile: $(top_builddir)/config.status $(top_srcdir)/extensions/GNUmakefile.in
cd $(top_builddir) && $(SHELL) ./config.status $@ cd $(top_builddir) && $(SHELL) ./config.status $@
include/iptables/internal.h: $(top_builddir)/config.status $(top_srcdir)/include/iptables/internal.h.in
cd $(top_builddir) && $(SHELL) ./config.status $@
mostlyclean-libtool: mostlyclean-libtool:
-rm -f *.lo -rm -f *.lo
...@@ -930,7 +920,7 @@ tarball: ...@@ -930,7 +920,7 @@ tarball:
rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
config.status: extensions/GNUmakefile.in \ config.status: extensions/GNUmakefile.in \
include/xtables-version.h.in include/iptables/internal.h.in include/xtables-version.h.in
# Tell versions [3.59,3.63) of GNU make to not export all variables. # Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded. # Otherwise a system limit (for SysV at least) may be exceeded.
......
...@@ -981,24 +981,6 @@ fi ...@@ -981,24 +981,6 @@ fi
rmdir .tst 2>/dev/null rmdir .tst 2>/dev/null
AC_SUBST([am__leading_dot])]) AC_SUBST([am__leading_dot])])
# Copyright (C) 1998-2014 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_PROG_LEX
# -----------
# Autoconf leaves LEX=: if lex or flex can't be found. Change that to a
# "missing" invocation, for better error output.
AC_DEFUN([AM_PROG_LEX],
[AC_PREREQ([2.50])dnl
AC_REQUIRE([AM_MISSING_HAS_RUN])dnl
AC_REQUIRE([AC_PROG_LEX])dnl
if test "$LEX" = :; then
LEX=${am_missing_run}flex
fi])
# Check to see how 'make' treats includes. -*- Autoconf -*- # Check to see how 'make' treats includes. -*- Autoconf -*-
# Copyright (C) 2001-2014 Free Software Foundation, Inc. # Copyright (C) 2001-2014 Free Software Foundation, Inc.
...@@ -1504,7 +1486,6 @@ AC_SUBST([am__tar]) ...@@ -1504,7 +1486,6 @@ AC_SUBST([am__tar])
AC_SUBST([am__untar]) AC_SUBST([am__untar])
]) # _AM_PROG_TAR ]) # _AM_PROG_TAR
m4_include([m4/ax_check_linker_flags.m4])
m4_include([m4/libtool.m4]) m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4]) m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4]) m4_include([m4/ltsugar.m4])
......
#! /bin/sh
# ylwrap - wrapper for lex/yacc invocations.
scriptversion=2013-01-12.17; # UTC
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
#
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
get_dirname ()
{
case $1 in
*/*|*\\*) printf '%s\n' "$1" | sed -e 's|\([\\/]\)[^\\/]*$|\1|';;
# Otherwise, we want the empty string (not ".").
esac
}
# guard FILE
# ----------
# The CPP macro used to guard inclusion of FILE.
guard ()
{
printf '%s\n' "$1" \
| sed \
-e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \
-e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g' \
-e 's/__*/_/g'
}
# quote_for_sed [STRING]
# ----------------------
# Return STRING (or stdin) quoted to be used as a sed pattern.
quote_for_sed ()
{
case $# in
0) cat;;
1) printf '%s\n' "$1";;
esac \
| sed -e 's|[][\\.*]|\\&|g'
}
case "$1" in
'')
echo "$0: No files given. Try '$0 --help' for more information." 1>&2
exit 1
;;
--basedir)
basedir=$2
shift 2
;;
-h|--h*)
cat <<\EOF
Usage: ylwrap [--help|--version] INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]...
Wrapper for lex/yacc invocations, renaming files as desired.
INPUT is the input file
OUTPUT is one file PROG generates
DESIRED is the file we actually want instead of OUTPUT
PROGRAM is program to run
ARGS are passed to PROG
Any number of OUTPUT,DESIRED pairs may be used.
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v|--v*)
echo "ylwrap $scriptversion"
exit $?
;;
esac
# The input.
input=$1
shift
# We'll later need for a correct munging of "#line" directives.
input_sub_rx=`get_dirname "$input" | quote_for_sed`
case $input in
[\\/]* | ?:[\\/]*)
# Absolute path; do nothing.
;;
*)
# Relative path. Make it absolute.
input=`pwd`/$input
;;
esac
input_rx=`get_dirname "$input" | quote_for_sed`
# Since DOS filename conventions don't allow two dots,
# the DOS version of Bison writes out y_tab.c instead of y.tab.c
# and y_tab.h instead of y.tab.h. Test to see if this is the case.
y_tab_nodot=false
if test -f y_tab.c || test -f y_tab.h; then
y_tab_nodot=true
fi
# The parser itself, the first file, is the destination of the .y.c
# rule in the Makefile.
parser=$1
# A sed program to s/FROM/TO/g for all the FROM/TO so that, for
# instance, we rename #include "y.tab.h" into #include "parse.h"
# during the conversion from y.tab.c to parse.c.
sed_fix_filenames=
# Also rename header guards, as Bison 2.7 for instance uses its header
# guard in its implementation file.
sed_fix_header_guards=
while test $# -ne 0; do
if test x"$1" = x"--"; then
shift
break
fi
from=$1
# Handle y_tab.c and y_tab.h output by DOS
if $y_tab_nodot; then
case $from in
"y.tab.c") from=y_tab.c;;
"y.tab.h") from=y_tab.h;;
esac
fi
shift
to=$1
shift
sed_fix_filenames="${sed_fix_filenames}s|"`quote_for_sed "$from"`"|$to|g;"
sed_fix_header_guards="${sed_fix_header_guards}s|"`guard "$from"`"|"`guard "$to"`"|g;"
done
# The program to run.
prog=$1
shift
# Make any relative path in $prog absolute.
case $prog in
[\\/]* | ?:[\\/]*) ;;
*[\\/]*) prog=`pwd`/$prog ;;
esac
dirname=ylwrap$$
do_exit="cd '`pwd`' && rm -rf $dirname > /dev/null 2>&1;"' (exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
mkdir $dirname || exit 1
cd $dirname
case $# in
0) "$prog" "$input" ;;
*) "$prog" "$@" "$input" ;;
esac
ret=$?
if test $ret -eq 0; then
for from in *
do
to=`printf '%s\n' "$from" | sed "$sed_fix_filenames"`
if test -f "$from"; then
# If $2 is an absolute path name, then just use that,
# otherwise prepend '../'.
case $to in
[\\/]* | ?:[\\/]*) target=$to;;
*) target=../$to;;
esac
# Do not overwrite unchanged header files to avoid useless
# recompilations. Always update the parser itself: it is the
# destination of the .y.c rule in the Makefile. Divert the
# output of all other files to a temporary file so we can
# compare them to existing versions.
if test $from != $parser; then
realtarget=$target
target=tmp-`printf '%s\n' "$target" | sed 's|.*[\\/]||g'`
fi
# Munge "#line" or "#" directives. Don't let the resulting
# debug information point at an absolute srcdir. Use the real
# output file name, not yy.lex.c for instance. Adjust the
# include guards too.
sed -e "/^#/!b" \
-e "s|$input_rx|$input_sub_rx|" \
-e "$sed_fix_filenames" \
-e "$sed_fix_header_guards" \
"$from" >"$target" || ret=$?
# Check whether files must be updated.
if test "$from" != "$parser"; then
if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
echo "$to is unchanged"
rm -f "$target"
else
echo "updating $to"
mv -f "$target" "$realtarget"
fi
fi
else
# A missing file is only an error for the parser. This is a
# blatant hack to let us support using "yacc -d". If -d is not
# specified, don't fail when the header file is "missing".
if test "$from" = "$parser"; then
ret=1
fi
fi
done
fi
# Remove the directory.
cd ..
rm -rf $dirname
exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
...@@ -83,7 +83,3 @@ ...@@ -83,7 +83,3 @@
/* Location of the iptables lock file */ /* Location of the iptables lock file */
#undef XT_LOCK_NAME #undef XT_LOCK_NAME
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for iptables 1.8.3. # Generated by GNU Autoconf 2.69 for iptables 1.8.4.
# #
# #
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
...@@ -587,8 +587,8 @@ MAKEFLAGS= ...@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='iptables' PACKAGE_NAME='iptables'
PACKAGE_TARNAME='iptables' PACKAGE_TARNAME='iptables'
PACKAGE_VERSION='1.8.3' PACKAGE_VERSION='1.8.4'
PACKAGE_STRING='iptables 1.8.3' PACKAGE_STRING='iptables 1.8.4'
PACKAGE_BUGREPORT='' PACKAGE_BUGREPORT=''
PACKAGE_URL='' PACKAGE_URL=''
...@@ -658,11 +658,6 @@ HAVE_LIBNFTNL_FALSE ...@@ -658,11 +658,6 @@ HAVE_LIBNFTNL_FALSE
HAVE_LIBNFTNL_TRUE HAVE_LIBNFTNL_TRUE
HAVE_LIBMNL_FALSE HAVE_LIBMNL_FALSE
HAVE_LIBMNL_TRUE HAVE_LIBMNL_TRUE
YFLAGS
YACC
LEXLIB
LEX_OUTPUT_ROOT
LEX
libnftnl_LIBS libnftnl_LIBS
libnftnl_CFLAGS libnftnl_CFLAGS
libmnl_LIBS libmnl_LIBS
...@@ -696,7 +691,6 @@ ENABLE_SHARED_FALSE ...@@ -696,7 +691,6 @@ ENABLE_SHARED_FALSE
ENABLE_SHARED_TRUE ENABLE_SHARED_TRUE
ENABLE_STATIC_FALSE ENABLE_STATIC_FALSE
ENABLE_STATIC_TRUE ENABLE_STATIC_TRUE
libiptc_LDFLAGS2
CPP CPP
LT_SYS_LIBRARY_PATH LT_SYS_LIBRARY_PATH
OTOOL64 OTOOL64
...@@ -859,8 +853,6 @@ libmnl_CFLAGS ...@@ -859,8 +853,6 @@ libmnl_CFLAGS
libmnl_LIBS libmnl_LIBS
libnftnl_CFLAGS libnftnl_CFLAGS
libnftnl_LIBS libnftnl_LIBS
YACC
YFLAGS
libnetfilter_conntrack_CFLAGS libnetfilter_conntrack_CFLAGS
libnetfilter_conntrack_LIBS' libnetfilter_conntrack_LIBS'
...@@ -1413,7 +1405,7 @@ if test "$ac_init_help" = "long"; then ...@@ -1413,7 +1405,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures iptables 1.8.3 to adapt to many kinds of systems. \`configure' configures iptables 1.8.4 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
...@@ -1484,7 +1476,7 @@ fi ...@@ -1484,7 +1476,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of iptables 1.8.3:";; short | recursive ) echo "Configuration of iptables 1.8.4:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
...@@ -1563,12 +1555,6 @@ Some influential environment variables: ...@@ -1563,12 +1555,6 @@ Some influential environment variables:
C compiler flags for libnftnl, overriding pkg-config C compiler flags for libnftnl, overriding pkg-config
libnftnl_LIBS libnftnl_LIBS
linker flags for libnftnl, overriding pkg-config linker flags for libnftnl, overriding pkg-config
YACC The `Yet Another Compiler Compiler' implementation to use.
Defaults to the first program found out of: `bison -y', `byacc',
`yacc'.
YFLAGS The list of arguments that will be passed by default to $YACC.
This script will default YFLAGS to the empty string to avoid a
default value of `-d' given by some make applications.
libnetfilter_conntrack_CFLAGS libnetfilter_conntrack_CFLAGS
C compiler flags for libnetfilter_conntrack, overriding C compiler flags for libnetfilter_conntrack, overriding
pkg-config pkg-config
...@@ -1641,7 +1627,7 @@ fi ...@@ -1641,7 +1627,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
iptables configure 1.8.3 iptables configure 1.8.4
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
...@@ -2189,7 +2175,7 @@ cat >config.log <<_ACEOF ...@@ -2189,7 +2175,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by iptables $as_me 1.8.3, which was It was created by iptables $as_me 1.8.4, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
...@@ -3060,7 +3046,7 @@ fi ...@@ -3060,7 +3046,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE='iptables' PACKAGE='iptables'
VERSION='1.8.3' VERSION='1.8.4'
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
...@@ -12561,47 +12547,6 @@ else ...@@ -12561,47 +12547,6 @@ else
fi fi
libiptc_LDFLAGS2="";
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--no-as-needed" >&5
$as_echo_n "checking whether the linker accepts -Wl,--no-as-needed... " >&6; }
if ${ax_cv_linker_flags__Wl___no_as_needed+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_save_FLAGS=$LDFLAGS
LDFLAGS="-Wl,--no-as-needed"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_linker_flags__Wl___no_as_needed=yes
else
ax_cv_linker_flags__Wl___no_as_needed=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_save_FLAGS
fi
eval ax_check_linker_flags=$ax_cv_linker_flags__Wl___no_as_needed
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_check_linker_flags" >&5
$as_echo "$ax_check_linker_flags" >&6; }
if test "x$ax_check_linker_flags" = xyes; then
libiptc_LDFLAGS2="-Wl,--no-as-needed"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $LD knows -Wl,--no-undefined" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $LD knows -Wl,--no-undefined" >&5
$as_echo_n "checking whether $LD knows -Wl,--no-undefined... " >&6; } $as_echo_n "checking whether $LD knows -Wl,--no-undefined... " >&6; }
saved_LDFLAGS="$LDFLAGS"; saved_LDFLAGS="$LDFLAGS";
...@@ -13185,225 +13130,6 @@ fi ...@@ -13185,225 +13130,6 @@ fi
echo " iptables-compat over nftables support." echo " iptables-compat over nftables support."
exit 1 exit 1
fi fi
for ac_prog in flex lex
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_LEX+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$LEX"; then
ac_cv_prog_LEX="$LEX" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_LEX="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
LEX=$ac_cv_prog_LEX
if test -n "$LEX"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $LEX" >&5
$as_echo "$LEX" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
test -n "$LEX" && break
done
test -n "$LEX" || LEX=":"
if test "x$LEX" != "x:"; then
cat >conftest.l <<_ACEOF
%%
a { ECHO; }
b { REJECT; }
c { yymore (); }
d { yyless (1); }
e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */
yyless ((input () != 0)); }
f { unput (yytext[0]); }
. { BEGIN INITIAL; }
%%
#ifdef YYTEXT_POINTER
extern char *yytext;
#endif
int
main (void)
{
return ! yylex () + ! yywrap ();
}
_ACEOF
{ { ac_try="$LEX conftest.l"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
$as_echo "$ac_try_echo"; } >&5
(eval "$LEX conftest.l") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5
$as_echo_n "checking lex output file root... " >&6; }
if ${ac_cv_prog_lex_root+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -f lex.yy.c; then
ac_cv_prog_lex_root=lex.yy
elif test -f lexyy.c; then
ac_cv_prog_lex_root=lexyy
else
as_fn_error $? "cannot find output from $LEX; giving up" "$LINENO" 5
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_root" >&5
$as_echo "$ac_cv_prog_lex_root" >&6; }
LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
if test -z "${LEXLIB+set}"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5
$as_echo_n "checking lex library... " >&6; }
if ${ac_cv_lib_lex+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_save_LIBS=$LIBS
ac_cv_lib_lex='none needed'
for ac_lib in '' -lfl -ll; do
LIBS="$ac_lib $ac_save_LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
`cat $LEX_OUTPUT_ROOT.c`
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_lex=$ac_lib
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
test "$ac_cv_lib_lex" != 'none needed' && break
done
LIBS=$ac_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lex" >&5
$as_echo "$ac_cv_lib_lex" >&6; }
test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5
$as_echo_n "checking whether yytext is a pointer... " >&6; }
if ${ac_cv_prog_lex_yytext_pointer+:} false; then :
$as_echo_n "(cached) " >&6
else
# POSIX says lex can declare yytext either as a pointer or an array; the
# default is implementation-dependent. Figure out which it is, since
# not all implementations provide the %pointer and %array declarations.
ac_cv_prog_lex_yytext_pointer=no
ac_save_LIBS=$LIBS
LIBS="$LEXLIB $ac_save_LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#define YYTEXT_POINTER 1
`cat $LEX_OUTPUT_ROOT.c`
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_prog_lex_yytext_pointer=yes
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_yytext_pointer" >&5
$as_echo "$ac_cv_prog_lex_yytext_pointer" >&6; }
if test $ac_cv_prog_lex_yytext_pointer = yes; then
$as_echo "#define YYTEXT_POINTER 1" >>confdefs.h
fi
rm -f conftest.l $LEX_OUTPUT_ROOT.c
fi
if test "$LEX" = :; then
LEX=${am_missing_run}flex
fi
for ac_prog in 'bison -y' byacc
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_YACC+:} false; then :
$as_echo_n "(cached) " >&6
else
if test -n "$YACC"; then
ac_cv_prog_YACC="$YACC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
ac_cv_prog_YACC="$ac_prog"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
YACC=$ac_cv_prog_YACC
if test -n "$YACC"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5
$as_echo "$YACC" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
test -n "$YACC" && break
done
test -n "$YACC" || YACC="yacc"
if test -z "$ac_cv_prog_YACC"
then
echo "*** Error: No suitable bison/yacc found. ***"
echo " Please install the 'bison' package."
exit 1
fi
if test -z "$ac_cv_prog_LEX"
then
echo "*** Error: No suitable flex/lex found. ***"
echo " Please install the 'flex' package."
exit 1
fi
fi fi
if test "$mnl" = 1; then if test "$mnl" = 1; then
...@@ -13562,7 +13288,7 @@ cat >>confdefs.h <<_ACEOF ...@@ -13562,7 +13288,7 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc iptables/iptables.8 iptables/iptables-extensions.8.tmpl iptables/iptables-save.8 iptables/iptables-restore.8 iptables/iptables-apply.8 iptables/iptables-xml.1 libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile include/xtables-version.h include/iptables/internal.h iptables/xtables-monitor.8 utils/nfnl_osf.8 utils/nfbpf_compile.8" ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile iptables/Makefile iptables/xtables.pc iptables/iptables.8 iptables/iptables-extensions.8.tmpl iptables/iptables-save.8 iptables/iptables-restore.8 iptables/iptables-apply.8 iptables/iptables-xml.1 libipq/Makefile libipq/libipq.pc libiptc/Makefile libiptc/libiptc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc libxtables/Makefile utils/Makefile include/xtables-version.h iptables/xtables-monitor.8 utils/nfnl_osf.8 utils/nfbpf_compile.8"
cat >confcache <<\_ACEOF cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure # This file is a shell script that caches the results of configure
...@@ -14154,7 +13880,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ...@@ -14154,7 +13880,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by iptables $as_me 1.8.3, which was This file was extended by iptables $as_me 1.8.4, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
...@@ -14220,7 +13946,7 @@ _ACEOF ...@@ -14220,7 +13946,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
iptables config.status 1.8.3 iptables config.status 1.8.4
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"
...@@ -14655,7 +14381,6 @@ do ...@@ -14655,7 +14381,6 @@ do
"libxtables/Makefile") CONFIG_FILES="$CONFIG_FILES libxtables/Makefile" ;; "libxtables/Makefile") CONFIG_FILES="$CONFIG_FILES libxtables/Makefile" ;;
"utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;; "utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;;
"include/xtables-version.h") CONFIG_FILES="$CONFIG_FILES include/xtables-version.h" ;; "include/xtables-version.h") CONFIG_FILES="$CONFIG_FILES include/xtables-version.h" ;;
"include/iptables/internal.h") CONFIG_FILES="$CONFIG_FILES include/iptables/internal.h" ;;
"iptables/xtables-monitor.8") CONFIG_FILES="$CONFIG_FILES iptables/xtables-monitor.8" ;; "iptables/xtables-monitor.8") CONFIG_FILES="$CONFIG_FILES iptables/xtables-monitor.8" ;;
"utils/nfnl_osf.8") CONFIG_FILES="$CONFIG_FILES utils/nfnl_osf.8" ;; "utils/nfnl_osf.8") CONFIG_FILES="$CONFIG_FILES utils/nfnl_osf.8" ;;
"utils/nfbpf_compile.8") CONFIG_FILES="$CONFIG_FILES utils/nfbpf_compile.8" ;; "utils/nfbpf_compile.8") CONFIG_FILES="$CONFIG_FILES utils/nfbpf_compile.8" ;;
......
AC_INIT([iptables], [1.8.3]) AC_INIT([iptables], [1.8.4])
# See libtool.info "Libtool's versioning system" # See libtool.info "Libtool's versioning system"
libxtables_vcurrent=14 libxtables_vcurrent=14
...@@ -73,11 +73,6 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], ...@@ -73,11 +73,6 @@ AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH],
[xt_lock_name="$withval"], [xt_lock_name="$withval"],
[xt_lock_name="/run/xtables.lock"]) [xt_lock_name="/run/xtables.lock"])
libiptc_LDFLAGS2="";
AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
[libiptc_LDFLAGS2="-Wl,--no-as-needed"])
AC_SUBST([libiptc_LDFLAGS2])
AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined]) AC_MSG_CHECKING([whether $LD knows -Wl,--no-undefined])
saved_LDFLAGS="$LDFLAGS"; saved_LDFLAGS="$LDFLAGS";
LDFLAGS="-Wl,--no-undefined"; LDFLAGS="-Wl,--no-undefined";
...@@ -146,22 +141,6 @@ if test "x$enable_nftables" = "xyes"; then ...@@ -146,22 +141,6 @@ if test "x$enable_nftables" = "xyes"; then
echo " iptables-compat over nftables support." echo " iptables-compat over nftables support."
exit 1 exit 1
fi fi
AM_PROG_LEX
AC_PROG_YACC
if test -z "$ac_cv_prog_YACC"
then
echo "*** Error: No suitable bison/yacc found. ***"
echo " Please install the 'bison' package."
exit 1
fi
if test -z "$ac_cv_prog_LEX"
then
echo "*** Error: No suitable flex/lex found. ***"
echo " Please install the 'flex' package."
exit 1
fi
fi fi
AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1]) AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1])
...@@ -250,7 +229,7 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile ...@@ -250,7 +229,7 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
libiptc/Makefile libiptc/libiptc.pc libiptc/Makefile libiptc/libiptc.pc
libiptc/libip4tc.pc libiptc/libip6tc.pc libiptc/libip4tc.pc libiptc/libip6tc.pc
libxtables/Makefile utils/Makefile libxtables/Makefile utils/Makefile
include/xtables-version.h include/iptables/internal.h include/xtables-version.h
iptables/xtables-monitor.8 iptables/xtables-monitor.8
utils/nfnl_osf.8 utils/nfnl_osf.8
utils/nfbpf_compile.8]) utils/nfbpf_compile.8])
......
/* ebt_among
*
* Authors:
* Grzegorz Borowiak <grzes@gnu.univ.gda.pl>
*
* August, 2003
*/
#include <ctype.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <xtables.h>
#include <arpa/inet.h>
#include <netinet/ether.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/netfilter_bridge/ebt_among.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include "iptables/nft.h"
#include "iptables/nft-bridge.h"
#define AMONG_DST '1'
#define AMONG_SRC '2'
#define AMONG_DST_F '3'
#define AMONG_SRC_F '4'
static const struct option bramong_opts[] = {
{"among-dst", required_argument, 0, AMONG_DST},
{"among-src", required_argument, 0, AMONG_SRC},
{"among-dst-file", required_argument, 0, AMONG_DST_F},
{"among-src-file", required_argument, 0, AMONG_SRC_F},
{0}
};
static void bramong_print_help(void)
{
printf(
"`among' options:\n"
"--among-dst [!] list : matches if ether dst is in list\n"
"--among-src [!] list : matches if ether src is in list\n"
"--among-dst-file [!] file : obtain dst list from file\n"
"--among-src-file [!] file : obtain src list from file\n"
"list has form:\n"
" xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip]"
",...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]\n"
"Things in brackets are optional.\n"
"If you want to allow two (or more) IP addresses to one MAC address, you\n"
"can specify two (or more) pairs with the same MAC, e.g.\n"
" 00:00:00:fa:eb:fe=153.19.120.250,00:00:00:fa:eb:fe=192.168.0.1\n"
);
}
static void
parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
{
char *sep = index(buf, '=');
struct ether_addr *ether;
if (have_ip ^ !!sep)
xtables_error(PARAMETER_PROBLEM,
"among: Mixed MAC and MAC=IP not allowed.");
if (sep) {
*sep = '\0';
if (!inet_aton(sep + 1, &pair->in))
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address '%s'\n", sep + 1);
}
ether = ether_aton(buf);
if (!ether)
xtables_error(PARAMETER_PROBLEM,
"Invalid MAC address '%s'\n", buf);
memcpy(&pair->ether, ether, sizeof(*ether));
}
static void
parse_nft_among_pairs(struct nft_among_pair *pairs, char *buf,
size_t cnt, bool have_ip)
{
size_t tmpcnt = 0;
buf = strtok(buf, ",");
while (buf) {
struct nft_among_pair pair = {};
parse_nft_among_pair(buf, &pair, have_ip);
nft_among_insert_pair(pairs, &tmpcnt, &pair);
buf = strtok(NULL, ",");
}
}
static size_t count_nft_among_pairs(char *buf)
{
size_t cnt = 0;
char *p = buf;
if (!*buf)
return 0;
do {
cnt++;
p = index(++p, ',');
} while (p);
return cnt;
}
static bool nft_among_pairs_have_ip(char *buf)
{
return !!index(buf, '=');
}
static int bramong_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry,
struct xt_entry_match **match)
{
struct nft_among_data *data = (struct nft_among_data *)(*match)->data;
struct xt_entry_match *new_match;
bool have_ip, dst = false;
size_t new_size, cnt;
struct stat stats;
int fd = -1, poff;
long flen = 0;
switch (c) {
case AMONG_DST_F:
dst = true;
/* fall through */
case AMONG_SRC_F:
if ((fd = open(optarg, O_RDONLY)) == -1)
xtables_error(PARAMETER_PROBLEM,
"Couldn't open file '%s'", optarg);
fstat(fd, &stats);
flen = stats.st_size;
/* use mmap because the file will probably be big */
optarg = mmap(0, flen, PROT_READ | PROT_WRITE,
MAP_PRIVATE, fd, 0);
if (optarg == MAP_FAILED)
xtables_error(PARAMETER_PROBLEM,
"Couldn't map file to memory");
if (optarg[flen-1] != '\n')
xtables_error(PARAMETER_PROBLEM,
"File should end with a newline");
if (strchr(optarg, '\n') != optarg+flen-1)
xtables_error(PARAMETER_PROBLEM,
"File should only contain one line");
optarg[flen-1] = '\0';
/* fall through */
case AMONG_DST:
if (c == AMONG_DST)
dst = true;
/* fall through */
case AMONG_SRC:
break;
default:
return 0;
}
cnt = count_nft_among_pairs(optarg);
if (cnt == 0)
return 0;
new_size = data->src.cnt + data->dst.cnt + cnt;
new_size *= sizeof(struct nft_among_pair);
new_size += XT_ALIGN(sizeof(struct xt_entry_match)) +
sizeof(struct nft_among_data);
new_match = xtables_calloc(1, new_size);
memcpy(new_match, *match, (*match)->u.match_size);
new_match->u.match_size = new_size;
data = (struct nft_among_data *)new_match->data;
have_ip = nft_among_pairs_have_ip(optarg);
poff = nft_among_prepare_data(data, dst, cnt, invert, have_ip);
parse_nft_among_pairs(data->pairs + poff, optarg, cnt, have_ip);
free(*match);
*match = new_match;
if (c == AMONG_DST_F || c == AMONG_SRC_F) {
munmap(argv, flen);
close(fd);
}
return 1;
}
static void __bramong_print(struct nft_among_pair *pairs,
int cnt, bool inv, bool have_ip)
{
const char *isep = inv ? "! " : "";
int i;
for (i = 0; i < cnt; i++) {
printf("%s", isep);
isep = ",";
printf("%s", ether_ntoa(&pairs[i].ether));
if (have_ip)
printf("=%s", inet_ntoa(pairs[i].in));
}
printf(" ");
}
static void bramong_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
struct nft_among_data *data = (struct nft_among_data *)match->data;
if (data->src.cnt) {
printf("--among-src ");
__bramong_print(data->pairs,
data->src.cnt, data->src.inv, data->src.ip);
}
if (data->dst.cnt) {
printf("--among-dst ");
__bramong_print(data->pairs + data->src.cnt,
data->dst.cnt, data->dst.inv, data->dst.ip);
}
}
static struct xtables_match bramong_match = {
.name = "among",
.revision = 0,
.version = XTABLES_VERSION,
.family = NFPROTO_BRIDGE,
.size = XT_ALIGN(sizeof(struct nft_among_data)),
.userspacesize = XT_ALIGN(sizeof(struct nft_among_data)),
.help = bramong_print_help,
.parse = bramong_parse,
.print = bramong_print,
.extra_opts = bramong_opts,
};
void _init(void)
{
xtables_register_match(&bramong_match);
}
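Review bot: In bramong_parse, the cleanup for the `--among-dst-file` / `--among-src-file` cases calls `munmap(argv, flen)`, but the mapping was stored in `optarg`; `argv` is the option vector, so the mapped file is never released and an unrelated address is handed to munmap(). The call should read `munmap(optarg, flen);`. The same branch ignores the result of `fstat(fd, &stats)`, so on failure `flen` is taken from an uninitialised struct before it is used as the mmap length and in `optarg[flen-1]`. Adding `if (fstat(fd, &stats) < 0) xtables_error(PARAMETER_PROBLEM, "Couldn't stat file '%s'", optarg);` would close that gap.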
:INPUT,FORWARD,OUTPUT
--among-dst de:ad:0:be:ee:ff,c0:ff:ee:0:ba:be;--among-dst c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;OK
--among-dst ! c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK
--among-src be:ef:0:c0:ff:ee,c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK
--among-src de:ad:0:be:ee:ff=10.0.0.1,c0:ff:ee:0:ba:be=192.168.1.1;--among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;OK
--among-src ! c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;=;OK
--among-src de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK
--among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK
--among-src ! de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK
--among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:0:ba:be=192.168.1.1;=;OK
--among-src ! de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK
--among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:0:ba:be=192.168.1.1;=;OK
--among-src;=;FAIL
--among-src 00:11=10.0.0.1;=;FAIL
--among-src de:ad:0:be:ee:ff=10.256.0.1;=;FAIL
--among-src de:ad:0:be:ee:ff,c0:ff:ee:0:ba:be=192.168.1.1;=;FAIL
...@@ -9,3 +9,20 @@ ...@@ -9,3 +9,20 @@
-p ! ARP -j ACCEPT;=;OK -p ! ARP -j ACCEPT;=;OK
-p 0 -j ACCEPT;=;FAIL -p 0 -j ACCEPT;=;FAIL
-p ! 0 -j ACCEPT;=;FAIL -p ! 0 -j ACCEPT;=;FAIL
:INPUT
-i foobar;=;OK
-o foobar;=;FAIL
:FORWARD
-i foobar;=;OK
-o foobar;=;OK
:OUTPUT
-i foobar;=;FAIL
-o foobar;=;OK
:PREROUTING
*nat
-i foobar;=;OK
-o foobar;=;FAIL
:POSTROUTING
*nat
-i foobar;=;FAIL
-o foobar;=;OK
...@@ -24,6 +24,7 @@ Randomize source port mapping ...@@ -24,6 +24,7 @@ Randomize source port mapping
If option If option
\fB\-\-random\fP \fB\-\-random\fP
is used then port mapping will be randomized (kernel >= 2.6.21). is used then port mapping will be randomized (kernel >= 2.6.21).
Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random-fully\fP.
.TP .TP
\fB\-\-random-fully\fP \fB\-\-random-fully\fP
Full randomize source port mapping Full randomize source port mapping
......
...@@ -8,7 +8,8 @@ chains, and user-defined chains which are only called from those ...@@ -8,7 +8,8 @@ chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the localhost address, (locally-generated packets are mapped to the localhost address,
127.0.0.1 for IPv4 and ::1 for IPv6). 127.0.0.1 for IPv4 and ::1 for IPv6, and packets arriving on
interfaces that don't have an IP address configured are dropped).
.TP .TP
\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP] \fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
This specifies a destination port or range of ports to use: without This specifies a destination port or range of ports to use: without
......
...@@ -106,6 +106,28 @@ static void SYNPROXY_save(const void *ip, const struct xt_entry_target *target) ...@@ -106,6 +106,28 @@ static void SYNPROXY_save(const void *ip, const struct xt_entry_target *target)
printf(" --ecn"); printf(" --ecn");
} }
static int SYNPROXY_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct xt_synproxy_info *info =
(const struct xt_synproxy_info *)params->target->data;
xt_xlate_add(xl, "synproxy ");
if (info->options & XT_SYNPROXY_OPT_SACK_PERM)
xt_xlate_add(xl, "sack-perm ");
if (info->options & XT_SYNPROXY_OPT_TIMESTAMP)
xt_xlate_add(xl, "timestamp ");
if (info->options & XT_SYNPROXY_OPT_WSCALE)
xt_xlate_add(xl, "wscale %u ", info->wscale);
if (info->options & XT_SYNPROXY_OPT_MSS)
xt_xlate_add(xl, "mss %u ", info->mss);
if (info->options & XT_SYNPROXY_OPT_ECN)
xt_xlate_add(xl, "ecn ");
return 1;
}
static struct xtables_target synproxy_tg_reg = { static struct xtables_target synproxy_tg_reg = {
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.name = "SYNPROXY", .name = "SYNPROXY",
...@@ -119,6 +141,7 @@ static struct xtables_target synproxy_tg_reg = { ...@@ -119,6 +141,7 @@ static struct xtables_target synproxy_tg_reg = {
.x6_parse = SYNPROXY_parse, .x6_parse = SYNPROXY_parse,
.x6_fcheck = SYNPROXY_check, .x6_fcheck = SYNPROXY_check,
.x6_options = SYNPROXY_opts, .x6_options = SYNPROXY_opts,
.xlate = SYNPROXY_xlate,
}; };
void _init(void) void _init(void)
......
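Review bot: The `XT_SYNPROXY_OPT_ECN` branch of SYNPROXY_xlate emits `ecn`, but the translation test that follows only exercises `--sack-perm --timestamp --wscale 7 --mss 1460`, so that keyword is never checked. It is worth confirming that nft's synproxy statement accepts `ecn` and adding a test line with `--ecn`. If nft has no equivalent, the branch should `return 0;` so the rule is reported as untranslatable rather than producing output that fails to load (this assumes 0 signals that, as the `return 0` in the conntrack translator on this page suggests). A short comment above the function, e.g. `/* Emit the nft synproxy statement for this target; returns 1 when translated. */`, would also document the return convention.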
iptables-translate -t mangle -A INPUT -i iifname -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
nft add rule ip mangle INPUT iifname "iifname" tcp dport 80 ct state invalid,untracked counter synproxy sack-perm timestamp wscale 7 mss 1460
...@@ -1257,8 +1257,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, ...@@ -1257,8 +1257,6 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
} }
if (sinfo->match_flags & XT_CONNTRACK_STATUS) { if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
if (sinfo->status_mask == 1)
return 0;
xt_xlate_add(xl, "%sct status %s", space, xt_xlate_add(xl, "%sct status %s", space,
sinfo->invert_flags & XT_CONNTRACK_STATUS ? sinfo->invert_flags & XT_CONNTRACK_STATUS ?
"!= " : ""); "!= " : "");
......
...@@ -28,6 +28,9 @@ nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept ...@@ -28,6 +28,9 @@ nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
nft add rule ip filter INPUT ct status expected counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
nft add rule ip filter INPUT ct status != confirmed counter accept nft add rule ip filter INPUT ct status != confirmed counter accept
......
...@@ -772,7 +772,7 @@ static void hashlimit_mt_check(struct xt_fcheck_call *cb) ...@@ -772,7 +772,7 @@ static void hashlimit_mt_check(struct xt_fcheck_call *cb)
if (cb->xflags & F_BURST) { if (cb->xflags & F_BURST) {
if (info->cfg.burst < cost_to_bytes(info->cfg.avg)) if (info->cfg.burst < cost_to_bytes(info->cfg.avg))
xtables_error(PARAMETER_PROBLEM, xtables_error(PARAMETER_PROBLEM,
"burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg)); "burst cannot be smaller than %"PRIu64"b", cost_to_bytes(info->cfg.avg));
burst = info->cfg.burst; burst = info->cfg.burst;
burst /= cost_to_bytes(info->cfg.avg); burst /= cost_to_bytes(info->cfg.avg);
......
...@@ -70,8 +70,10 @@ static void nfacct_save(const void *ip, const struct xt_entry_match *match) ...@@ -70,8 +70,10 @@ static void nfacct_save(const void *ip, const struct xt_entry_match *match)
nfacct_print_name(info, "--"); nfacct_print_name(info, "--");
} }
static struct xtables_match nfacct_match = { static struct xtables_match nfacct_matches[] = {
{
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.revision = 0,
.name = "nfacct", .name = "nfacct",
.version = XTABLES_VERSION, .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nfacct_match_info)), .size = XT_ALIGN(sizeof(struct xt_nfacct_match_info)),
...@@ -81,9 +83,23 @@ static struct xtables_match nfacct_match = { ...@@ -81,9 +83,23 @@ static struct xtables_match nfacct_match = {
.print = nfacct_print, .print = nfacct_print,
.save = nfacct_save, .save = nfacct_save,
.x6_options = nfacct_opts, .x6_options = nfacct_opts,
},
{
.family = NFPROTO_UNSPEC,
.revision = 1,
.name = "nfacct",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_nfacct_match_info_v1)),
.userspacesize = offsetof(struct xt_nfacct_match_info_v1, nfacct),
.help = nfacct_help,
.x6_parse = nfacct_parse,
.print = nfacct_print,
.save = nfacct_save,
.x6_options = nfacct_opts,
},
}; };
void _init(void) void _init(void)
{ {
xtables_register_match(&nfacct_match); xtables_register_matches(nfacct_matches, ARRAY_SIZE(nfacct_matches));
} }
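Review bot: The new revision 1 entry in `nfacct_matches[]` reuses `nfacct_parse`, `nfacct_print` and `nfacct_save` from revision 0, although its data is sized as `struct xt_nfacct_match_info_v1`. Those callbacks lie outside the hunks, so this presumably relies on the fields they touch sitting at the same offset in both structs. That assumption should be written down next to the array, for example `/* rev 1 differs from rev 0 only in the layout of the kernel-private nfacct pointer; callbacks are shared */` once confirmed against the header. A compile-time check such as `_Static_assert(offsetof(struct xt_nfacct_match_info_v1, name) == offsetof(struct xt_nfacct_match_info, name), "nfacct v0/v1 layout");` would keep it from silently breaking.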
...@@ -56,6 +56,7 @@ enum { ...@@ -56,6 +56,7 @@ enum {
O_PROCESS, O_PROCESS,
O_SESSION, O_SESSION,
O_COMM, O_COMM,
O_SUPPL_GROUPS,
}; };
static void owner_mt_help_v0(void) static void owner_mt_help_v0(void)
...@@ -87,7 +88,8 @@ static void owner_mt_help(void) ...@@ -87,7 +88,8 @@ static void owner_mt_help(void)
"owner match options:\n" "owner match options:\n"
"[!] --uid-owner userid[-userid] Match local UID\n" "[!] --uid-owner userid[-userid] Match local UID\n"
"[!] --gid-owner groupid[-groupid] Match local GID\n" "[!] --gid-owner groupid[-groupid] Match local GID\n"
"[!] --socket-exists Match if socket exists\n"); "[!] --socket-exists Match if socket exists\n"
" --suppl-groups Also match supplementary groups set with --gid-owner\n");
} }
#define s struct ipt_owner_info #define s struct ipt_owner_info
...@@ -131,6 +133,7 @@ static const struct xt_option_entry owner_mt_opts[] = { ...@@ -131,6 +133,7 @@ static const struct xt_option_entry owner_mt_opts[] = {
.flags = XTOPT_INVERT}, .flags = XTOPT_INVERT},
{.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE, {.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
.flags = XTOPT_INVERT}, .flags = XTOPT_INVERT},
{.name = "suppl-groups", .id = O_SUPPL_GROUPS, .type = XTTYPE_NONE},
XTOPT_TABLEEND, XTOPT_TABLEEND,
}; };
...@@ -275,6 +278,11 @@ static void owner_mt_parse(struct xt_option_call *cb) ...@@ -275,6 +278,11 @@ static void owner_mt_parse(struct xt_option_call *cb)
info->invert |= XT_OWNER_SOCKET; info->invert |= XT_OWNER_SOCKET;
info->match |= XT_OWNER_SOCKET; info->match |= XT_OWNER_SOCKET;
break; break;
case O_SUPPL_GROUPS:
if (!(info->match & XT_OWNER_GID))
xtables_param_act(XTF_BAD_VALUE, "owner", "--suppl-groups", "you need to use --gid-owner first");
info->match |= XT_OWNER_SUPPL_GROUPS;
break;
} }
} }
...@@ -458,6 +466,7 @@ static void owner_mt_print(const void *ip, const struct xt_entry_match *match, ...@@ -458,6 +466,7 @@ static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric); owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric);
owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric); owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric);
owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric); owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric);
owner_mt_print_item(info, "incl. suppl. groups", XT_OWNER_SUPPL_GROUPS, numeric);
} }
static void static void
...@@ -490,6 +499,7 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match) ...@@ -490,6 +499,7 @@ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true); owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true);
owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true); owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true);
owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true); owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
owner_mt_print_item(info, "--suppl-groups", XT_OWNER_SUPPL_GROUPS, true);
} }
static int static int
......
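Review bot: The `O_SUPPL_GROUPS` case in owner_mt_parse tests `info->match & XT_OWNER_GID` while options are still being parsed, so the result depends on option order: `--suppl-groups` given before `--gid-owner` is rejected even when both are present. The error text shows this is intended, but the help line added in owner_mt_help does not mention it. I would say so there, e.g. `"    --suppl-groups                 Also match supplementary groups; must follow --gid-owner\n"`. If this match registers a final-check callback, doing the test there would remove the ordering requirement altogether. The bodies of owner_mt_parse and owner_mt_help start outside the hunks shown.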