Commit 706c32c9 authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Update upstream source from tag 'upstream/1.6.2'

Update to upstream version '1.6.2'
with Debian dir 709e57568379856beca5301ab2678ceffca94a99
parents a82b926a 5beab31f
iptables-translate -t mangle -A PREROUTING -m rpfilter
nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter
iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark --loose
nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter
ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark --invert
nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter
......@@ -370,7 +370,7 @@ print_chunk(uint32_t chunknum, int numeric)
for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i)
if (sctp_chunk_names[i].chunk_type == chunknum)
printf("%s", sctp_chunk_names[chunknum].name);
printf("%s", sctp_chunk_names[i].name);
}
}
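Review bot: The corrected lookup in print_chunk now prints `sctp_chunk_names[i].name` for the matching entry, but the loop neither stops after the match nor reports when nothing matches, so an unknown chunk number prints nothing unless that case is handled outside the hunk (the function begins outside it). I would make the match terminate the scan: `if (sctp_chunk_names[i].chunk_type == chunknum) { printf("%s", sctp_chunk_names[i].name); break; }`. If the table does not cover every possible chunk type, a fallback that prints the raw number when the loop runs to completion would make the output unambiguous; whether `numeric` already covers that is not visible here.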
iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop
iptables-translate -A INPUT -p sctp --sport 50 -j DROP
nft add rule ip filter INPUT sctp sport 50 counter drop
iptables-translate -A INPUT -p sctp ! --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport != 80 counter drop
iptables-translate -A INPUT -p sctp ! --sport 50 -j DROP
nft add rule ip filter INPUT sctp sport != 50 counter drop
iptables-translate -A INPUT -p sctp --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 50:56 -j ACCEPT
nft add rule ip filter INPUT sctp dport 50-56 counter accept
iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept
iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
iptables-translate -A OUTPUT -m statistic --mode nth --every 10 --packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 --packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter
iptables-translate -A OUTPUT -m statistic --mode random --probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1
iptables-translate -A INPUT -p tcp -i eth0 --sport 53 -j ACCEPT
nft add rule ip filter INPUT iifname eth0 tcp sport 53 counter accept
iptables-translate -A OUTPUT -p tcp -o eth0 --dport 53:66 -j DROP
nft add rule ip filter OUTPUT oifname eth0 tcp dport 53-66 counter drop
iptables-translate -I OUTPUT -p tcp -d 8.8.8.8 -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol tcp ip daddr 8.8.8.8 counter accept
iptables-translate -I OUTPUT -p tcp --dport 1020:1023 --sport 53 -j ACCEPT
nft insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
nft add rule ip filter INPUT tcp flags & fin|ack == fin counter drop
iptables-translate -A INPUT -p tcp --syn -j ACCEPT
nft add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn counter accept
iptables-translate -A INPUT -p tcp --syn --dport 80 -j ACCEPT
nft add rule ip filter INPUT tcp dport 80 tcp flags & (fin|syn|rst|ack) == syn counter accept
......@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
mssinfo->mss_min = cb->val.u16_range[0];
mssinfo->mss_max = mssinfo->mss_min;
if (cb->nvals == 2)
if (cb->nvals == 2) {
mssinfo->mss_max = cb->val.u16_range[1];
if (mssinfo->mss_max < mssinfo->mss_min)
xtables_error(PARAMETER_PROBLEM,
"tcpmss: invalid range given");
}
if (cb->invert)
mssinfo->invert = 1;
}
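Review bot: The new range validation in tcpmss_parse reports `tcpmss: invalid range given` without saying which values were rejected, so a user with a long ruleset has to guess which `--mss` argument triggered it; the values are already in `mssinfo`, so the message can carry them: `"tcpmss: invalid range %u:%u given", mssinfo->mss_min, mssinfo->mss_max`. The check itself is sound for the two-value case, and a single value can never trip it because mss_max is set equal to mss_min first. tcpmss_parse starts outside this hunk.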
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
.TP
[\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
Match a given TCP MSS value or range.
Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
nft add rule ip filter INPUT iifname eth0 udp sport 53 counter accept
iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP
nft add rule ip filter OUTPUT oifname eth0 udp dport 53-66 counter drop
iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept
iptables-translate -I OUTPUT -p udp --dport 1020:1023 --sport 53 -j ACCEPT
nft insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -17,7 +17,17 @@
# -*- Makefile -*-
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
......@@ -81,9 +91,6 @@ build_triplet = @build@
host_triplet = @host@
@ENABLE_LIBIPQ_TRUE@am__append_1 = libipq/libipq.h
subdir = include
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(srcdir)/xtables-version.h.in $(am__include_HEADERS_DIST) \
$(nobase_include_HEADERS)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
......@@ -91,6 +98,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__include_HEADERS_DIST) \
$(nobase_include_HEADERS) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES = xtables-version.h
......@@ -163,6 +172,7 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/xtables-version.h.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
pkgdatadir = @pkgdatadir@
ACLOCAL = @ACLOCAL@
......@@ -207,6 +217,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
......@@ -304,6 +315,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
regular_CFLAGS = @regular_CFLAGS@
regular_CPPFLAGS = @regular_CPPFLAGS@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
......@@ -332,7 +344,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu include/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu include/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
......@@ -606,6 +617,8 @@ uninstall-am: uninstall-includeHEADERS uninstall-nobase_includeHEADERS
uninstall-am uninstall-includeHEADERS \
uninstall-nobase_includeHEADERS
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
......@@ -23,6 +23,7 @@ enum {
XT_HASHLIMIT_HASH_SPT = 1 << 3,
XT_HASHLIMIT_INVERT = 1 << 4,
XT_HASHLIMIT_BYTES = 1 << 5,
XT_HASHLIMIT_RATE_MATCH = 1 << 6,
};
struct hashlimit_cfg {
......@@ -77,6 +78,21 @@ struct hashlimit_cfg2 {
__u8 srcmask, dstmask;
};
struct hashlimit_cfg3 {
__u64 avg; /* Average secs between packets * scale */
__u64 burst; /* Period multiplier for upper limit. */
__u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
/* user specified */
__u32 size; /* how many buckets */
__u32 max; /* max number of entries */
__u32 gc_interval; /* gc interval */
__u32 expire; /* when do entries expire? */
__u32 interval; /* in seconds*/
__u8 srcmask, dstmask;
};
struct xt_hashlimit_mtinfo1 {
char name[IFNAMSIZ];
struct hashlimit_cfg1 cfg;
......@@ -93,4 +109,12 @@ struct xt_hashlimit_mtinfo2 {
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
struct xt_hashlimit_mtinfo3 {
char name[NAME_MAX];
struct hashlimit_cfg3 cfg;
/* Used internally by the kernel */
struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
};
#endif /*_XT_HASHLIMIT_H*/
#ifndef _IP6T_SRH_H
#define _IP6T_SRH_H
#include <linux/types.h>
#include <linux/netfilter.h>
/* Values for "mt_flags" field in struct ip6t_srh */
#define IP6T_SRH_NEXTHDR 0x0001
#define IP6T_SRH_LEN_EQ 0x0002
#define IP6T_SRH_LEN_GT 0x0004
#define IP6T_SRH_LEN_LT 0x0008
#define IP6T_SRH_SEGS_EQ 0x0010
#define IP6T_SRH_SEGS_GT 0x0020
#define IP6T_SRH_SEGS_LT 0x0040
#define IP6T_SRH_LAST_EQ 0x0080
#define IP6T_SRH_LAST_GT 0x0100
#define IP6T_SRH_LAST_LT 0x0200
#define IP6T_SRH_TAG 0x0400
#define IP6T_SRH_MASK 0x07FF
/* Values for "mt_invflags" field in struct ip6t_srh */
#define IP6T_SRH_INV_NEXTHDR 0x0001
#define IP6T_SRH_INV_LEN_EQ 0x0002
#define IP6T_SRH_INV_LEN_GT 0x0004
#define IP6T_SRH_INV_LEN_LT 0x0008
#define IP6T_SRH_INV_SEGS_EQ 0x0010
#define IP6T_SRH_INV_SEGS_GT 0x0020
#define IP6T_SRH_INV_SEGS_LT 0x0040
#define IP6T_SRH_INV_LAST_EQ 0x0080
#define IP6T_SRH_INV_LAST_GT 0x0100
#define IP6T_SRH_INV_LAST_LT 0x0200
#define IP6T_SRH_INV_TAG 0x0400
#define IP6T_SRH_INV_MASK 0x07FF
/**
* struct ip6t_srh - SRH match options
* @ next_hdr: Next header field of SRH
* @ hdr_len: Extension header length field of SRH
* @ segs_left: Segments left field of SRH
* @ last_entry: Last entry field of SRH
* @ tag: Tag field of SRH
* @ mt_flags: match options
* @ mt_invflags: Invert the sense of match options
*/
struct ip6t_srh {
__u8 next_hdr;
__u8 hdr_len;
__u8 segs_left;
__u8 last_entry;
__u16 tag;
__u16 mt_flags;
__u16 mt_invflags;
};
#endif /*_IP6T_SRH_H*/
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
......@@ -18,7 +18,17 @@
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
......@@ -98,14 +108,6 @@ host_triplet = @host@
sbin_PROGRAMS = xtables-multi$(EXEEXT) $(am__EXEEXT_1)
@ENABLE_NFTABLES_TRUE@am__append_10 = xtables-compat-multi
subdir = iptables
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(srcdir)/xtables.pc.in $(srcdir)/iptables.8.in \
$(srcdir)/iptables-extensions.8.tmpl.in \
$(srcdir)/iptables-save.8.in $(srcdir)/iptables-restore.8.in \
$(srcdir)/iptables-apply.8.in $(srcdir)/iptables-xml.1.in \
xtables-config-parser.h xtables-config-parser.c \
xtables-config-syntax.c $(top_srcdir)/build-aux/depcomp \
$(top_srcdir)/build-aux/ylwrap
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
......@@ -113,6 +115,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \
$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES = xtables.pc iptables.8 iptables-extensions.8.tmpl \
......@@ -305,6 +308,13 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/iptables-apply.8.in \
$(srcdir)/iptables-extensions.8.tmpl.in \
$(srcdir)/iptables-restore.8.in $(srcdir)/iptables-save.8.in \
$(srcdir)/iptables-xml.1.in $(srcdir)/iptables.8.in \
$(srcdir)/xtables.pc.in $(top_srcdir)/build-aux/depcomp \
$(top_srcdir)/build-aux/ylwrap xtables-config-parser.c \
xtables-config-parser.h xtables-config-syntax.c
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
pkgdatadir = @pkgdatadir@
ACLOCAL = @ACLOCAL@
......@@ -349,6 +359,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
......@@ -446,6 +457,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
regular_CFLAGS = @regular_CFLAGS@
regular_CPPFLAGS = @regular_CPPFLAGS@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
......@@ -523,7 +535,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu iptables/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu iptables/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
......@@ -1463,6 +1474,8 @@ uninstall-man: uninstall-man1 uninstall-man8
uninstall-man1 uninstall-man8 uninstall-pkgconfigDATA \
uninstall-sbinPROGRAMS
.PRECIOUS: Makefile
# yacc and lex generate dirty code
@ENABLE_NFTABLES_TRUE@xtables_compat_multi-xtables-config-parser.o xtables_compat_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
......@@ -15,6 +15,7 @@
#include <stdio.h>
#include <stdlib.h>
#include "ip6tables.h"
#include "xshared.h"
#include "xtables.h"
#include "libiptc/libip6tc.h"
#include "ip6tables-multi.h"
......@@ -25,34 +26,43 @@
#define DEBUGP(x, args...)
#endif
static int counters = 0, verbose = 0, noflush = 0;
static int counters, verbose, noflush, wait;
static struct timeval wait_interval = {
.tv_sec = 1,
};
/* Keeping track of external matches and targets. */
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "verbose", .has_arg = false, .val = 'v'},
{.name = "test", .has_arg = false, .val = 't'},
{.name = "help", .has_arg = false, .val = 'h'},
{.name = "noflush", .has_arg = false, .val = 'n'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
{.name = "table", .has_arg = true, .val = 'T'},
{.name = "counters", .has_arg = 0, .val = 'c'},
{.name = "verbose", .has_arg = 0, .val = 'v'},
{.name = "version", .has_arg = 0, .val = 'V'},
{.name = "test", .has_arg = 0, .val = 't'},
{.name = "help", .has_arg = 0, .val = 'h'},
{.name = "noflush", .has_arg = 0, .val = 'n'},
{.name = "modprobe", .has_arg = 1, .val = 'M'},
{.name = "table", .has_arg = 1, .val = 'T'},
{.name = "wait", .has_arg = 2, .val = 'w'},
{.name = "wait-interval", .has_arg = 2, .val = 'W'},
{NULL},
};
static void print_usage(const char *name, const char *version) __attribute__((noreturn));
#define prog_name ip6tables_globals.program_name
#define prog_vers ip6tables_globals.program_version
static void print_usage(const char *name, const char *version)
{
fprintf(stderr, "Usage: %s [-c] [-v] [-t] [-h] [-n] [-T table] [-M command]\n"
fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-w secs] [-W usecs] [-T table] [-M command]\n"
" [ --counters ]\n"
" [ --verbose ]\n"
" [ --version]\n"
" [ --test ]\n"
" [ --help ]\n"
" [ --noflush ]\n"
" [ --wait=<seconds>\n"
" [ --wait-interval=<usecs>\n"
" [ --table=<TABLE> ]\n"
" [ --modprobe=<command> ]\n", name);
exit(1);
}
static struct xtc_handle *create_handle(const char *tablename)
......@@ -69,8 +79,7 @@ static struct xtc_handle *create_handle(const char *tablename)
if (!handle) {
xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize "
"table '%s'\n", ip6tables_globals.program_name,
tablename);
"table '%s'\n", prog_name, tablename);
exit(1);
}
return handle;
......@@ -156,8 +165,11 @@ static void add_param_to_argv(char *parsestart)
param_buffer[param_len] = '\0';
/* check if table name specified */
if (!strncmp(param_buffer, "-t", 2)
|| !strncmp(param_buffer, "--table", 8)) {
if ((param_buffer[0] == '-' &&
param_buffer[1] != '-' &&
strchr(param_buffer, 't')) ||
(!strncmp(param_buffer, "--t", 3) &&
!strncmp(param_buffer, "--table", strlen(param_buffer)))) {
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be "
"used in ip6tables-restore.\n", line);
......@@ -181,7 +193,7 @@ int ip6tables_restore_main(int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
char buffer[10240];
int c;
int c, lock;
char curtable[XT_TABLE_MAXNAMELEN + 1];
FILE *in;
int in_table = 0, testing = 0;
......@@ -189,6 +201,7 @@ int ip6tables_restore_main(int argc, char *argv[])
const struct xtc_ops *ops = &ip6tc_ops;
line = 0;
lock = XT_LOCK_NOT_ACQUIRED;
ip6tables_globals.program_name = "ip6tables-restore";
c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
......@@ -203,7 +216,7 @@ int ip6tables_restore_main(int argc, char *argv[])
init_extensions6();
#endif
while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
while ((c = getopt_long(argc, argv, "bcvVthnwWM:T:", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
......@@ -214,22 +227,35 @@ int ip6tables_restore_main(int argc, char *argv[])
case 'v':
verbose = 1;
break;
case 'V':
printf("%s v%s\n", prog_name, prog_vers);
exit(0);
case 't':
testing = 1;
break;
case 'h':
print_usage("ip6tables-restore",
IPTABLES_VERSION);
break;
exit(0);
case 'n':
noflush = 1;
break;
case 'w':
wait = parse_wait_time(argc, argv);
break;
case 'W':
parse_wait_interval(argc, argv, &wait_interval);
break;
case 'M':
xtables_modprobe_program = optarg;
break;
case 'T':
tablename = optarg;
break;
default:
fprintf(stderr,
"Try `ip6tables-restore -h' for more information.\n");
exit(1);
}
}
......@@ -247,6 +273,11 @@ int ip6tables_restore_main(int argc, char *argv[])
}
else in = stdin;
if (!wait_interval.tv_sec && !wait) {
fprintf(stderr, "Option --wait-interval requires option --wait\n");
exit(1);
}
/* Grab standard input. */
while (fgets(buffer, sizeof(buffer), in)) {
int ret = 0;
......@@ -268,8 +299,18 @@ int ip6tables_restore_main(int argc, char *argv[])
DEBUGP("Not calling commit, testing\n");
ret = 1;
}
/* Done with the current table, release the lock. */
if (lock >= 0) {
xtables_unlock(lock);
lock = XT_LOCK_NOT_ACQUIRED;
}
in_table = 0;
} else if ((buffer[0] == '*') && (!in_table)) {
/* Acquire a lock before we create a new table handle */
lock = xtables_lock_or_exit(wait, &wait_interval);
/* New table */
char *table;
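Review bot: The new short-option test in add_param_to_argv (`param_buffer[0] == '-' && param_buffer[1] != '-' && strchr(param_buffer, 't')`) rejects any single-dash token that contains a 't' anywhere, so a bundled form such as `-ptcp` or `-mstate` is reported as a forbidden `-t` even though no table was named, whereas the old `strncmp(param_buffer, "-t", 2)` only looked at the option letter. Output of ip6tables-save is presumably unaffected since it never bundles an argument with its flag, but a hand-written ruleset can now fail with a misleading message. Since the option table is not available here, a cheap improvement is to state the limitation next to the check, e.g. `/* any 't' in a short-option cluster is taken as -t; bundled args such as -ptcp are rejected too */`, and to make the error text say "contains -t" rather than "seen". add_param_to_argv starts outside this hunk.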
......@@ -14,17 +14,19 @@
#include <time.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
#include "ip6tables-multi.h"
static int show_counters = 0;
static int show_counters;
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
{.name = "file", .has_arg = true, .val = 'f'},
{NULL},
};
......@@ -128,7 +130,8 @@ static int do_output(const char *tablename)
int ip6tables_save_main(int argc, char *argv[])
{
const char *tablename = NULL;
int c;
FILE *file = NULL;
int ret, c;
ip6tables_globals.program_name = "ip6tables-save";
c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6);
......@@ -143,7 +146,7 @@ int ip6tables_save_main(int argc, char *argv[])
init_extensions6();
#endif
while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
......@@ -159,9 +162,28 @@ int ip6tables_save_main(int argc, char *argv[])
case 'M':
xtables_modprobe_program = optarg;
break;
case 'f':
file = fopen(optarg, "w");
if (file == NULL) {
fprintf(stderr, "Failed to open file, error: %s\n",
strerror(errno));
exit(1);
}
ret = dup2(fileno(file), STDOUT_FILENO);
if (ret == -1) {
fprintf(stderr, "Failed to redirect stdout, error: %s\n",
strerror(errno));
exit(1);
}
fclose(file);
break;
case 'd':
do_output(tablename);
exit(0);
default:
fprintf(stderr,
"Look at manual page `ip6tables-save.8' for more information.\n");
exit(1);
}
}
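Review bot: The new `-f` handler redirects stdout with `dup2()` and then closes the FILE, so nothing later can detect a failed write to that file: `case 'd'` ends with `exit(0)`, which flushes stdout but discards any fflush error, so a full disk or an I/O error yields a truncated ruleset with a zero exit status. Before exiting, the redirected stream should be checked, e.g. `if (fflush(stdout) != 0 || ferror(stdout)) { fprintf(stderr, "Failed to write output: %s\n", strerror(errno)); exit(1); }`, both in the `-d` path and wherever ip6tables_save_main finishes (its tail is outside this hunk). `strerror(errno)` also needs `<errno.h>` and `<string.h>`, and only `<unistd.h>` is visibly added in the include hunk; presumably they arrive through an existing header, but that is worth confirming. Since ip6tables-save normally runs as root, `fopen(optarg, "w")` will follow a symlink at the given path and create the file with a umask-dependent mode; the path is the caller's own argument, so this is a caveat for the manual page rather than a defect.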
......@@ -1400,8 +1400,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_DELETE, CMD_NONE,
cs.invert);
chain = optarg;
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!') {
if (xs_has_arg(argc, argv)) {
rulenum = parse_rulenumber(argv[optind++]);
command = CMD_DELETE_NUM;
}
......@@ -1411,8 +1410,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_REPLACE, CMD_NONE,
cs.invert);
chain = optarg;
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (xs_has_arg(argc, argv))
rulenum = parse_rulenumber(argv[optind++]);
else
xtables_error(PARAMETER_PROBLEM,
......@@ -1424,8 +1422,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_INSERT, CMD_NONE,
cs.invert);
chain = optarg;
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (xs_has_arg(argc, argv))
rulenum = parse_rulenumber(argv[optind++]);
else rulenum = 1;
break;
......@@ -1434,11 +1431,9 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_LIST,
CMD_ZERO | CMD_ZERO_NUM, cs.invert);
if (optarg) chain = optarg;
else if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
else if (xs_has_arg(argc, argv))
chain = argv[optind++];
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (xs_has_arg(argc, argv))
rulenum = parse_rulenumber(argv[optind++]);
break;
......@@ -1446,11 +1441,9 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_LIST_RULES,
CMD_ZERO | CMD_ZERO_NUM, cs.invert);
if (optarg) chain = optarg;
else if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
else if (xs_has_arg(argc, argv))
chain = argv[optind++];
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (xs_has_arg(argc, argv))
rulenum = parse_rulenumber(argv[optind++]);
break;
......@@ -1458,8 +1451,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_FLUSH, CMD_NONE,
cs.invert);
if (optarg) chain = optarg;
else if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
else if (xs_has_arg(argc, argv))
chain = argv[optind++];
break;
......@@ -1467,11 +1459,9 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES,
cs.invert);
if (optarg) chain = optarg;
else if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
else if (xs_has_arg(argc, argv))
chain = argv[optind++];
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!') {
if (xs_has_arg(argc, argv)) {
rulenum = parse_rulenumber(argv[optind++]);
command = CMD_ZERO_NUM;
}
......@@ -1488,8 +1478,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_DELETE_CHAIN, CMD_NONE,
cs.invert);
if (optarg) chain = optarg;
else if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
else if (xs_has_arg(argc, argv))
chain = argv[optind++];
break;
......@@ -1497,8 +1486,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_RENAME_CHAIN, CMD_NONE,
cs.invert);
chain = optarg;
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (xs_has_arg(argc, argv))
newname = argv[optind++];
else
xtables_error(PARAMETER_PROBLEM,
......@@ -1511,8 +1499,7 @@ int do_command6(int argc, char *argv[], char **table,
add_command(&command, CMD_SET_POLICY, CMD_NONE,
cs.invert);
chain = optarg;
if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (xs_has_arg(argc, argv))
policy = argv[optind++];
else
xtables_error(PARAMETER_PROBLEM,
......@@ -1622,16 +1609,7 @@ int do_command6(int argc, char *argv[], char **table,
"You cannot use `-w' from "
"ip6tables-restore");
}
wait = -1;
if (optarg) {
if (sscanf(optarg, "%i", &wait) != 1)
xtables_error(PARAMETER_PROBLEM,
"wait seconds not numeric");
} else if (optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (sscanf(argv[optind++], "%i", &wait) != 1)
xtables_error(PARAMETER_PROBLEM,
"wait seconds not numeric");
wait = parse_wait_time(argc, argv);
break;
case 'W':
......@@ -1640,14 +1618,7 @@ int do_command6(int argc, char *argv[], char **table,
"You cannot use `-W' from "
"ip6tables-restore");
}
if (optarg)
parse_wait_interval(optarg, &wait_interval);
else if (optind < argc &&
argv[optind][0] != '-' &&
argv[optind][0] != '!')
parse_wait_interval(argv[optind++],
&wait_interval);
parse_wait_interval(argc, argv, &wait_interval);
wait_interval_set = true;
break;
......@@ -1697,8 +1668,7 @@ int do_command6(int argc, char *argv[], char **table,
bcnt = strchr(pcnt + 1, ',');
if (bcnt)
bcnt++;
if (!bcnt && optind < argc && argv[optind][0] != '-'
&& argv[optind][0] != '!')
if (!bcnt && xs_has_arg(argc, argv))
bcnt = argv[optind++];
if (!bcnt)
xtables_error(PARAMETER_PROBLEM,
......@@ -1809,15 +1779,8 @@ int do_command6(int argc, char *argv[], char **table,
generic_opt_check(command, cs.options);
/* Attempt to acquire the xtables lock */
if (!restore && !xtables_lock(wait, &wait_interval)) {
fprintf(stderr, "Another app is currently holding the xtables lock. ");
if (wait == 0)
fprintf(stderr, "Perhaps you want to use the -w option?\n");
else
fprintf(stderr, "Stopped waiting after %ds.\n", wait);
xtables_free_opts(1);
exit(RESOURCE_PROBLEM);
}
if (!restore)
xtables_lock_or_exit(wait, &wait_interval);
/* only allocate handle if we weren't called with a handle */
if (!*handle)
......@@ -23,11 +23,13 @@ iptables-restore \(em Restore IP Tables
.P
ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
[\fB\-T\fP \fIname\fP] [\fBfile\fP]
\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP]
[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fBfile\fP]
.P
\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
[\fB\-T\fP \fIname\fP] [\fBfile\fP]
\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP]
[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fBfile\fP]
.SH DESCRIPTION
.PP
.B iptables-restore
......@@ -53,6 +55,24 @@ Only parse and construct the ruleset, but do not commit it.
\fB\-v\fP, \fB\-\-verbose\fP
Print additional debug info during ruleset processing.
.TP
\fB\-V\fP, \fB\-\-version\fP
Print the program version number.
.TP
\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
Wait for the xtables lock.
To prevent multiple instances of the program from running concurrently,
an attempt will be made to obtain an exclusive lock at launch. By default,
the program will exit if the lock cannot be obtained. This option will
make the program wait (indefinitely or for optional \fIseconds\fP) until
the exclusive lock can be obtained.
.TP
\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
Interval to wait per each iteration.
When running latency sensitive applications, waiting for the xtables lock
for extended durations may not be acceptable. This option will make each
iteration take the amount of time specified. The default interval is
1 second. This option only works with \fB\-w\fP.
.TP
\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
Specify the path to the modprobe program. By default, iptables-restore will
inspect /proc/sys/kernel/modprobe to determine the executable's path.
......@@ -12,6 +12,7 @@
#include <stdio.h>
#include <stdlib.h>
#include "iptables.h"
#include "xshared.h"
#include "xtables.h"
#include "libiptc/libiptc.h"
#include "iptables-multi.h"
......@@ -22,36 +23,43 @@
#define DEBUGP(x, args...)
#endif
static int counters = 0, verbose = 0, noflush = 0;
static int counters, verbose, noflush, wait;
static struct timeval wait_interval = {
.tv_sec = 1,
};
/* Keeping track of external matches and targets. */
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "verbose", .has_arg = false, .val = 'v'},
{.name = "test", .has_arg = false, .val = 't'},
{.name = "help", .has_arg = false, .val = 'h'},
{.name = "noflush", .has_arg = false, .val = 'n'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
{.name = "table", .has_arg = true, .val = 'T'},
{.name = "counters", .has_arg = 0, .val = 'c'},
{.name = "verbose", .has_arg = 0, .val = 'v'},
{.name = "version", .has_arg = 0, .val = 'V'},
{.name = "test", .has_arg = 0, .val = 't'},
{.name = "help", .has_arg = 0, .val = 'h'},
{.name = "noflush", .has_arg = 0, .val = 'n'},
{.name = "modprobe", .has_arg = 1, .val = 'M'},
{.name = "table", .has_arg = 1, .val = 'T'},
{.name = "wait", .has_arg = 2, .val = 'w'},
{.name = "wait-interval", .has_arg = 2, .val = 'W'},
{NULL},
};
static void print_usage(const char *name, const char *version) __attribute__((noreturn));
#define prog_name iptables_globals.program_name
#define prog_vers iptables_globals.program_version
static void print_usage(const char *name, const char *version)
{
fprintf(stderr, "Usage: %s [-c] [-v] [-t] [-h] [-n] [-T table] [-M command]\n"
fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-w secs] [-W usecs] [-T table] [-M command]\n"
" [ --counters ]\n"
" [ --verbose ]\n"
" [ --version]\n"
" [ --test ]\n"
" [ --help ]\n"
" [ --noflush ]\n"
" [ --wait=<seconds>\n"
" [ --wait-interval=<usecs>\n"
" [ --table=<TABLE> ]\n"
" [ --modprobe=<command> ]\n", name);
exit(1);
}
static struct xtc_handle *create_handle(const char *tablename)
......@@ -154,8 +162,11 @@ static void add_param_to_argv(char *parsestart)
param_buffer[param_len] = '\0';
/* check if table name specified */
if (!strncmp(param_buffer, "-t", 2)
|| !strncmp(param_buffer, "--table", 8)) {
if ((param_buffer[0] == '-' &&
param_buffer[1] != '-' &&
strchr(param_buffer, 't')) ||
(!strncmp(param_buffer, "--t", 3) &&
!strncmp(param_buffer, "--table", strlen(param_buffer)))) {
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be "
"used in iptables-restore.\n", line);
......@@ -180,7 +191,7 @@ iptables_restore_main(int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
char buffer[10240];
int c;
int c, lock;
char curtable[XT_TABLE_MAXNAMELEN + 1];
FILE *in;
int in_table = 0, testing = 0;
......@@ -188,6 +199,7 @@ iptables_restore_main(int argc, char *argv[])
const struct xtc_ops *ops = &iptc_ops;
line = 0;
lock = XT_LOCK_NOT_ACQUIRED;
iptables_globals.program_name = "iptables-restore";
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
......@@ -202,7 +214,7 @@ iptables_restore_main(int argc, char *argv[])
init_extensions4();
#endif
while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
while ((c = getopt_long(argc, argv, "bcvVthnwWM:T:", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
......@@ -213,22 +225,35 @@ iptables_restore_main(int argc, char *argv[])
case 'v':
verbose = 1;
break;
case 'V':
printf("%s v%s\n", prog_name, prog_vers);
exit(0);
case 't':
testing = 1;
break;
case 'h':
print_usage("iptables-restore",
IPTABLES_VERSION);
break;
exit(0);
case 'n':
noflush = 1;
break;
case 'w':
wait = parse_wait_time(argc, argv);
break;
case 'W':
parse_wait_interval(argc, argv, &wait_interval);
break;
case 'M':
xtables_modprobe_program = optarg;
break;
case 'T':
tablename = optarg;
break;
default:
fprintf(stderr,
"Try `iptables-restore -h' for more information.\n");
exit(1);
}
}
......@@ -246,6 +271,11 @@ iptables_restore_main(int argc, char *argv[])
}
else in = stdin;
if (!wait_interval.tv_sec && !wait) {
fprintf(stderr, "Option --wait-interval requires option --wait\n");
exit(1);
}
/* Grab standard input. */
while (fgets(buffer, sizeof(buffer), in)) {
int ret = 0;
......@@ -267,8 +297,18 @@ iptables_restore_main(int argc, char *argv[])
DEBUGP("Not calling commit, testing\n");
ret = 1;
}
/* Done with the current table, release the lock. */
if (lock >= 0) {
xtables_unlock(lock);
lock = XT_LOCK_NOT_ACQUIRED;
}
in_table = 0;
} else if ((buffer[0] == '*') && (!in_table)) {
/* Acquire a lock before we create a new table handle */
lock = xtables_lock_or_exit(wait, &wait_interval);
/* New table */
char *table;
......
......@@ -19,27 +19,31 @@
.\"
.\"
.SH NAME
iptables-save \(em dump iptables rules to stdout
iptables-save \(em dump iptables rules
.P
ip6tables-save \(em dump iptables rules to stdout
ip6tables-save \(em dump iptables rules
.SH SYNOPSIS
\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
[\fB\-t\fP \fItable\fP]
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.P
\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
[\fB\-t\fP \fItable\fP]
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.SH DESCRIPTION
.PP
.B iptables-save
and
.B ip6tables-save
are used to dump the contents of IP or IPv6 Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
either to STDOUT or to a specified file.
.TP
\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
Specify the path to the modprobe program. By default, iptables-save will
inspect /proc/sys/kernel/modprobe to determine the executable's path.
.TP
\fB\-f\fR, \fB\-\-file\fR \fIfilename\fP
Specify a filename to log the output to. If not specified, iptables-save
will log to STDOUT.
.TP
\fB\-c\fR, \fB\-\-counters\fR
include the current values of all packet and byte counters in the output
.TP
......
......@@ -13,17 +13,19 @@
#include <string.h>
#include <time.h>
#include <netdb.h>
#include <unistd.h>
#include "libiptc/libiptc.h"
#include "iptables.h"
#include "iptables-multi.h"
static int show_counters = 0;
static int show_counters;
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
{.name = "file", .has_arg = true, .val = 'f'},
{NULL},
};
......@@ -127,7 +129,8 @@ int
iptables_save_main(int argc, char *argv[])
{
const char *tablename = NULL;
int c;
FILE *file = NULL;
int ret, c;
iptables_globals.program_name = "iptables-save";
c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
......@@ -142,7 +145,7 @@ iptables_save_main(int argc, char *argv[])
init_extensions4();
#endif
while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
......@@ -158,9 +161,28 @@ iptables_save_main(int argc, char *argv[])
case 'M':
xtables_modprobe_program = optarg;
break;
case 'f':
file = fopen(optarg, "w");
if (file == NULL) {
fprintf(stderr, "Failed to open file, error: %s\n",
strerror(errno));
exit(1);
}
ret = dup2(fileno(file), STDOUT_FILENO);
if (ret == -1) {
fprintf(stderr, "Failed to redirect stdout, error: %s\n",
strerror(errno));
exit(1);
}
fclose(file);
break;
case 'd':
do_output(tablename);
exit(0);
default:
fprintf(stderr,
"Look at manual page `iptables-save.8' for more information.\n");
exit(1);
}
}
......
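Review bot: Write errors on the file selected with `-f` go unreported: after `dup2` redirects stdout to the file, the output is only buffered, and the `exit(0)` that follows `do_output(tablename)` in the 'd' case never checks the flush, so a full disk or I/O error still yields exit status 0 and a truncated ruleset file. Before that exit, `if (fflush(stdout) != 0 || ferror(stdout)) { fprintf(stderr, "Failed to write output, error: %s\n", strerror(errno)); exit(1); }` would surface the failure. The open-failure message after `fopen(optarg, "w")` would also be more useful with the path included, e.g. `"Failed to open file %s: %s\n", optarg, strerror(errno)`. Since iptables-save normally runs as root, `fopen(optarg, "w")` follows a symlink at the target path and truncates whatever it points to; if that matters for the intended deployments, `open(optarg, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0600)` plus `dup2` avoids it. iptables_save_main continues past the end of the hunk.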
......@@ -73,10 +73,9 @@ iptables_main(int argc, char *argv[])
fprintf(stderr, "iptables: %s.\n",
iptc_strerror(errno));
}
if (errno == EAGAIN) {
if (errno == EAGAIN)
exit(RESOURCE_PROBLEM);
}
}
exit(!ret);
}