Commit 712749e7 authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Update upstream source from tag 'upstream/1.8.5'

Update to upstream version '1.8.5'
with Debian dir 8a97bace31de0bf6fa044da123d7fa2e84e9f6aa
parents 214468ea eb1d7c5f
...@@ -27,7 +27,7 @@ iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster ...@@ -27,7 +27,7 @@ iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
\-\-cluster\-hash\-seed 0xdeadbeef \-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK -\-set\-mark 0xffff \-j MARK \-\-set\-mark 0xffff
.IP .IP
iptables \-A PREROUTING \-t mangle \-i eth1 iptables \-A PREROUTING \-t mangle \-i eth1
\-m mark ! \-\-mark 0xffff \-j DROP \-m mark ! \-\-mark 0xffff \-j DROP
......
...@@ -70,18 +70,15 @@ static int connlabel_value_parse(const char *in) ...@@ -70,18 +70,15 @@ static int connlabel_value_parse(const char *in)
static void connlabel_mt_parse(struct xt_option_call *cb) static void connlabel_mt_parse(struct xt_option_call *cb)
{ {
struct xt_connlabel_mtinfo *info = cb->data; struct xt_connlabel_mtinfo *info = cb->data;
bool have_labelmap = !connlabel_open();
int tmp; int tmp;
xtables_option_parse(cb); xtables_option_parse(cb);
switch (cb->entry->id) { switch (cb->entry->id) {
case O_LABEL: case O_LABEL:
if (have_labelmap)
tmp = nfct_labelmap_get_bit(map, cb->arg);
else
tmp = connlabel_value_parse(cb->arg); tmp = connlabel_value_parse(cb->arg);
if (tmp < 0 && !connlabel_open())
tmp = nfct_labelmap_get_bit(map, cb->arg);
if (tmp < 0) if (tmp < 0)
xtables_error(PARAMETER_PROBLEM, xtables_error(PARAMETER_PROBLEM,
"label '%s' not found or invalid value", "label '%s' not found or invalid value",
......
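Review bot: In the `O_LABEL` case the numeric parse now runs before the labelmap lookup, so an argument that `connlabel_value_parse()` accepts is never looked up as a name. If connlabel.conf defines a name that also parses as a number, the rule would silently match a different label bit than it did when the labelmap was consulted first. Because this precedence decides which connections a rule matches, it deserves a comment above the first assignment, e.g. `/* numeric bit first; connlabel.conf is consulted only when that fails */`, and a sentence in the man page. connlabel_mt_parse() continues past the end of the hunk.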
...@@ -40,7 +40,7 @@ static void osf_help(void) ...@@ -40,7 +40,7 @@ static void osf_help(void)
"--ttl level Use some TTL check extensions to determine OS:\n" "--ttl level Use some TTL check extensions to determine OS:\n"
" 0 true ip and fingerprint TTL comparison. Works for LAN.\n" " 0 true ip and fingerprint TTL comparison. Works for LAN.\n"
" 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n" " 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n"
" 2 do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n" " 2 do not compare TTL at all. This allows NMAP detection, but can produce false results.\n"
"--log level Log determined genres into dmesg even if they do not match desired one:\n" "--log level Log determined genres into dmesg even if they do not match desired one:\n"
" 0 log all matched or unknown signatures.\n" " 0 log all matched or unknown signatures.\n"
" 1 log only first one.\n" " 1 log only first one.\n"
......
The osf module does passive operating system fingerprinting. This modules The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF, compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set. and others) from packets with the SYN bit set.
.TP .TP
...@@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> ...@@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use: fingerprints from a file, use:
.PP .PP
\fBnfnl_osf -f /usr/share/xtables/pf.os\fP \fBnfnl_osf \-f /usr/share/xtables/pf.os\fP
.PP .PP
To remove them again, To remove them again,
.PP .PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP \fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
.PP .PP
The fingerprint database can be downloaded from The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
This modules matches the policy used by IPsec for handling a packet. This module matches the policy used by IPsec for handling a packet.
.TP .TP
\fB\-\-dir\fP {\fBin\fP|\fBout\fP} \fB\-\-dir\fP {\fBin\fP|\fBout\fP}
Used to select whether to match the policy used for decapsulation or the Used to select whether to match the policy used for decapsulation or the
......
This module matches Stream Control Transmission Protocol headers.
.TP .TP
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP .TP
......
...@@ -61,5 +61,5 @@ when the set was defined without counter support. ...@@ -61,5 +61,5 @@ when the set was defined without counter support.
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions. not clash with an option of other extensions.
.PP .PP
Use of -m set requires that ipset kernel support is provided, which, for Use of \-m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39. standard kernels, is the case since Linux 2.6.39.
This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14. This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
.TP .TP
\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP} \fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris) Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
......
...@@ -258,6 +258,16 @@ static unsigned int time_parse_weekdays(const char *arg) ...@@ -258,6 +258,16 @@ static unsigned int time_parse_weekdays(const char *arg)
return ret; return ret;
} }
static unsigned int time_count_weekdays(unsigned int weekdays_mask)
{
unsigned int ret;
for (ret = 0; weekdays_mask; weekdays_mask >>= 1)
ret += weekdays_mask & 1;
return ret;
}
static void time_parse(struct xt_option_call *cb) static void time_parse(struct xt_option_call *cb)
{ {
struct xt_time_info *info = cb->data; struct xt_time_info *info = cb->data;
...@@ -330,7 +340,7 @@ static void time_print_monthdays(uint32_t mask, bool human_readable) ...@@ -330,7 +340,7 @@ static void time_print_monthdays(uint32_t mask, bool human_readable)
printf(" "); printf(" ");
for (i = 1; i <= 31; ++i) for (i = 1; i <= 31; ++i)
if (mask & (1 << i)) { if (mask & (1u << i)) {
if (nbdays++ > 0) if (nbdays++ > 0)
printf(","); printf(",");
printf("%u", i); printf("%u", i);
...@@ -450,6 +460,67 @@ static void time_check(struct xt_fcheck_call *cb) ...@@ -450,6 +460,67 @@ static void time_check(struct xt_fcheck_call *cb)
"time: --contiguous only makes sense when stoptime is smaller than starttime"); "time: --contiguous only makes sense when stoptime is smaller than starttime");
} }
static int time_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_time_info *info =
(const struct xt_time_info *)params->match->data;
unsigned int h, m, s,
i, sep, mask, count;
time_t tt_start, tt_stop;
struct tm *t_start, *t_stop;
if (info->date_start != 0 ||
info->date_stop != INT_MAX) {
tt_start = (time_t) info->date_start;
tt_stop = (time_t) info->date_stop;
xt_xlate_add(xl, "meta time ");
t_start = gmtime(&tt_start);
xt_xlate_add(xl, "\"%04u-%02u-%02u %02u:%02u:%02u\"",
t_start->tm_year + 1900, t_start->tm_mon + 1,
t_start->tm_mday, t_start->tm_hour,
t_start->tm_min, t_start->tm_sec);
t_stop = gmtime(&tt_stop);
xt_xlate_add(xl, "-\"%04u-%02u-%02u %02u:%02u:%02u\"",
t_stop->tm_year + 1900, t_stop->tm_mon + 1,
t_stop->tm_mday, t_stop->tm_hour,
t_stop->tm_min, t_stop->tm_sec);
}
if (info->daytime_start != XT_TIME_MIN_DAYTIME ||
info->daytime_stop != XT_TIME_MAX_DAYTIME) {
divide_time(info->daytime_start, &h, &m, &s);
xt_xlate_add(xl, " meta hour \"%02u:%02u:%02u\"", h, m, s);
divide_time(info->daytime_stop, &h, &m, &s);
xt_xlate_add(xl, "-\"%02u:%02u:%02u\"", h, m, s);
}
/* nft_time does not support --monthdays */
if (info->monthdays_match != XT_TIME_ALL_MONTHDAYS)
return 0;
if (info->weekdays_match != XT_TIME_ALL_WEEKDAYS) {
sep = 0;
mask = info->weekdays_match;
count = time_count_weekdays(mask);
xt_xlate_add(xl, " meta day ");
if (count > 1)
xt_xlate_add(xl, "{");
for (i = 1; i <= 7; ++i)
if (mask & (1 << i)) {
if (sep)
xt_xlate_add(xl, ",%u", i%7);
else {
xt_xlate_add(xl, "%u", i%7);
++sep;
}
}
if (count > 1)
xt_xlate_add(xl, "}");
}
return 1;
}
static struct xtables_match time_match = { static struct xtables_match time_match = {
.name = "time", .name = "time",
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
...@@ -463,6 +534,7 @@ static struct xtables_match time_match = { ...@@ -463,6 +534,7 @@ static struct xtables_match time_match = {
.x6_parse = time_parse, .x6_parse = time_parse,
.x6_fcheck = time_check, .x6_fcheck = time_check,
.x6_options = time_opts, .x6_options = time_opts,
.xlate = time_xlate,
}; };
void _init(void) void _init(void)
......
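Review bot: `time_xlate()` builds the nft expression from the date, daytime and weekday fields only and never reads the option flags, although `time_check()` just above it validates `--contiguous`. A rule using that option would apparently be translated as if the option were absent and still return 1, giving an nft rule that matches a different time window than the original. Returning 0 for that case, as is already done for `--monthdays`, would be safer: `if (info->flags & XT_TIME_CONTIGUOUS) return 0;`. Separately, both `gmtime()` results are dereferenced without a NULL check, and the weekday loop tests `mask & (1 << i)` while the same commit switches `time_print_monthdays()` to `1u << i`.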
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --weekdays Sa,Su -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta day {6,0} counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestart 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta hour "12:00:00"-"23:59:59" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestop 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta hour "00:00:00"-"12:00:00" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2021 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2021-01-01 00:00:00"-"2038-01-19 03:14:07" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestop 2021 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-01 00:00:00" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestop 2021-01-29T00:00:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "1970-01-01 00:00:00"-"2021-01-29 00:00:00" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"23:59:59" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {1,2,3,4,5} counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 ! --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {6,0} counter reject
# Makefile.in generated by automake 1.15 from Makefile.am. # Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc. # Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation # This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
...@@ -343,8 +343,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status ...@@ -343,8 +343,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
*config.status*) \ *config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \ *) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac; esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
...@@ -461,7 +461,10 @@ cscopelist-am: $(am__tagged_files) ...@@ -461,7 +461,10 @@ cscopelist-am: $(am__tagged_files)
distclean-tags: distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES) distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \ list='$(DISTFILES)'; \
......
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include <linux/types.h> #include <linux/types.h>
#define MAX_IDLETIMER_LABEL_SIZE 28 #define MAX_IDLETIMER_LABEL_SIZE 28
#define XT_IDLETIMER_ALARM 0x01
struct idletimer_tg_info { struct idletimer_tg_info {
__u32 timeout; __u32 timeout;
...@@ -42,4 +43,15 @@ struct idletimer_tg_info { ...@@ -42,4 +43,15 @@ struct idletimer_tg_info {
struct idletimer_tg *timer __attribute__((aligned(8))); struct idletimer_tg *timer __attribute__((aligned(8)));
}; };
struct idletimer_tg_info_v1 {
__u32 timeout;
char label[MAX_IDLETIMER_LABEL_SIZE];
__u8 send_nl_msg; /* unused: for compatibility with Android */
__u8 timer_type;
/* for kernel module internal use only */
struct idletimer_tg *timer __attribute__((aligned(8)));
};
#endif #endif
...@@ -40,19 +40,19 @@ struct xt_sctp_info { ...@@ -40,19 +40,19 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \ #define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \ do { \
(chunkmap)[type / bytes(__u32)] |= \ (chunkmap)[type / bytes(__u32)] |= \
1 << (type % bytes(__u32)); \ 1u << (type % bytes(__u32)); \
} while (0) } while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \ do { \
(chunkmap)[type / bytes(__u32)] &= \ (chunkmap)[type / bytes(__u32)] &= \
~(1 << (type % bytes(__u32))); \ ~(1u << (type % bytes(__u32))); \
} while (0) } while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \ ({ \
((chunkmap)[type / bytes (__u32)] & \ ((chunkmap)[type / bytes (__u32)] & \
(1 << (type % bytes (__u32)))) ? 1: 0; \ (1u << (type % bytes (__u32)))) ? 1: 0; \
}) })
#define SCTP_CHUNKMAP_RESET(chunkmap) \ #define SCTP_CHUNKMAP_RESET(chunkmap) \
......
...@@ -448,6 +448,7 @@ extern struct xtables_match *xtables_matches; ...@@ -448,6 +448,7 @@ extern struct xtables_match *xtables_matches;
extern struct xtables_target *xtables_targets; extern struct xtables_target *xtables_targets;
extern void xtables_init(void); extern void xtables_init(void);
extern void xtables_fini(void);
extern void xtables_set_nfproto(uint8_t); extern void xtables_set_nfproto(uint8_t);
extern void *xtables_calloc(size_t, size_t); extern void *xtables_calloc(size_t, size_t);
extern void *xtables_malloc(size_t); extern void *xtables_malloc(size_t);
......
...@@ -119,8 +119,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns): ...@@ -119,8 +119,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
elif splitted[0] == EBTABLES: elif splitted[0] == EBTABLES:
command = EBTABLES_SAVE command = EBTABLES_SAVE
path = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE command = EXECUTEABLE + " " + command
command = path + " " + command
if netns: if netns:
command = "ip netns exec ____iptables-container-test " + command command = "ip netns exec ____iptables-container-test " + command
...@@ -165,7 +164,7 @@ def execute_cmd(cmd, filename, lineno): ...@@ -165,7 +164,7 @@ def execute_cmd(cmd, filename, lineno):
''' '''
global log_file global log_file
if cmd.startswith('iptables ') or cmd.startswith('ip6tables ') or cmd.startswith('ebtables ') or cmd.startswith('arptables '): if cmd.startswith('iptables ') or cmd.startswith('ip6tables ') or cmd.startswith('ebtables ') or cmd.startswith('arptables '):
cmd = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE + " " + cmd cmd = EXECUTEABLE + " " + cmd
print("command: {}".format(cmd), file=log_file) print("command: {}".format(cmd), file=log_file)
ret = subprocess.call(cmd, shell=True, universal_newlines=True, ret = subprocess.call(cmd, shell=True, universal_newlines=True,
...@@ -222,7 +221,7 @@ def run_test_file(filename, netns): ...@@ -222,7 +221,7 @@ def run_test_file(filename, netns):
execute_cmd("ip netns add ____iptables-container-test", filename, 0) execute_cmd("ip netns add ____iptables-container-test", filename, 0)
for lineno, line in enumerate(f): for lineno, line in enumerate(f):
if line[0] == "#": if line[0] == "#" or len(line.strip()) == 0:
continue continue
if line[0] == ":": if line[0] == ":":
......
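Review bot: With the `os.path.abspath(os.path.curdir) + "/iptables/"` prefix removed, `run_test()` and `execute_cmd()` both run whatever `EXECUTEABLE` resolves to, and `execute_cmd()` hands the concatenated string to `subprocess.call(..., shell=True)`. `EXECUTEABLE` is defined outside these hunks; if it can be a bare name, the shell resolves it through `PATH`, so the suite may exercise an installed binary instead of the freshly built one, which matters for a harness that presumably runs with root privileges. Making the assumption explicit would help, for example a comment at the assignment saying it must be an absolute path, or a single `os.path.isabs(EXECUTEABLE)` check at start-up. Both functions start and end outside the hunks shown.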
...@@ -38,7 +38,7 @@ xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \ ...@@ -38,7 +38,7 @@ xtables_nft_multi_SOURCES += xtables-save.c xtables-restore.c \
nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \ nft-shared.c nft-ipv4.c nft-ipv6.c nft-arp.c \
xtables-monitor.c nft-cache.c \ xtables-monitor.c nft-cache.c \
xtables-arp-standalone.c xtables-arp.c \ xtables-arp-standalone.c xtables-arp.c \
nft-bridge.c \ nft-bridge.c nft-cmd.c \
xtables-eb-standalone.c xtables-eb.c \ xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \ xtables-eb-translate.c \
xtables-translate.c xtables-translate.c
...@@ -53,7 +53,11 @@ sbin_PROGRAMS += xtables-nft-multi ...@@ -53,7 +53,11 @@ sbin_PROGRAMS += xtables-nft-multi
endif endif
man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
ip6tables-save.8 iptables-extensions.8 ip6tables-save.8 iptables-extensions.8 \
iptables-apply.8 ip6tables-apply.8
sbin_SCRIPT = iptables-apply
if ENABLE_NFTABLES if ENABLE_NFTABLES
man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
iptables-translate.8 ip6tables-translate.8 \ iptables-translate.8 ip6tables-translate.8 \
...@@ -106,3 +110,4 @@ install-exec-hook: ...@@ -106,3 +110,4 @@ install-exec-hook:
for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done; for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply"
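Review bot: `sbin_SCRIPT = iptables-apply` does not name an automake primary; the primary is `SCRIPTS`, so the line should read `sbin_SCRIPTS = iptables-apply`. As written the script is probably not installed at all. The new `install-exec-hook` line would then create `ip6tables-apply` as a symlink to a file that is missing from `${sbindir}`, and the two man pages added to `man_MANS` would document a command that is not there.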
This diff is collapsed.
...@@ -551,10 +551,6 @@ Same as ...@@ -551,10 +551,6 @@ Same as
.BR "--among-src-file " "[!] \fIfile\fP" .BR "--among-src-file " "[!] \fIfile\fP"
Same as Same as
.BR --among-src " but the list is read in from the specified file." .BR --among-src " but the list is read in from the specified file."
.PP
Note that in this implementation of ebtables, among lists uses must be
internally homogeneous regarding whether IP addresses are present or not. Mixed
use of MAC addresses and MAC/IP address pairs is not supported yet.
.SS arp .SS arp
Specify (R)ARP fields. The protocol must be specified as Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP . .IR ARP " or " RARP .
......
.so man8/iptables-apply.8
...@@ -64,6 +64,8 @@ ip6tables_main(int argc, char *argv[]) ...@@ -64,6 +64,8 @@ ip6tables_main(int argc, char *argv[])
ip6tc_free(handle); ip6tc_free(handle);
} }
xtables_fini();
if (!ret) { if (!ret) {
if (errno == EINVAL) { if (errno == EINVAL) {
fprintf(stderr, "ip6tables: %s. " fprintf(stderr, "ip6tables: %s. "
......
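Review bot: `xtables_fini()` is now called between the failing operation and the `errno == EINVAL` test in the `if (!ret)` branch, so any library call inside it that sets `errno` would change which diagnostic is printed. Its body is not shown here, so this is a precaution rather than a confirmed bug. Either preserve the value around the call, `int saved_errno = errno; xtables_fini(); errno = saved_errno;`, or move the call after the error reporting. ip6tables_main() starts and ends outside the hunk.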