Commit 89c92f0c authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

New upstream version 1.8.3

parent 0309474b
:INPUT,FORWARD,OUTPUT
--log;=;OK
--log-level crit;=;OK
--log-level 1;--log-level alert --log-prefix "";OK
--log-level emerg --log-ip --log-arp --log-ip6;--log-level emerg --log-prefix "" --log-ip --log-arp --log-ip6 -j CONTINUE;OK
--log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo;--log-level crit --log-prefix "foo" --log-ip --log-arp --log-ip6 -j CONTINUE;OK
:INPUT,FORWARD,OUTPUT
-j mark --mark-set 1;-j mark --mark-set 0x1 --mark-target ACCEPT;OK
-j mark --mark-or 0xa --mark-target CONTINUE;=;OK
-j mark --mark-and 0x1 --mark-target RETURN;=;OK
-j mark --mark-xor 0x1 --mark-target CONTINUE;=;OK
...@@ -86,9 +86,9 @@ static void brmark_m_print(const void *ip, const struct xt_entry_match *match, ...@@ -86,9 +86,9 @@ static void brmark_m_print(const void *ip, const struct xt_entry_match *match,
{ {
struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data; struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data;
printf("--mark ");
if (info->invert) if (info->invert)
printf("! "); printf("! ");
printf("--mark ");
if (info->bitmask == EBT_MARK_OR) if (info->bitmask == EBT_MARK_OR)
printf("/0x%lx ", info->mask); printf("/0x%lx ", info->mask);
else if (info->mask != 0xffffffff) else if (info->mask != 0xffffffff)
......
:INPUT,FORWARD,OUTPUT
--mark 42;--mark 0x2a;OK
--mark ! 42;--mark ! 0x2a;OK
--mark 42/0xff;--mark 0x2a/0xff;OK
--mark ! 0x1/0xff;=;OK
--mark /0x2;=;OK
:INPUT,FORWARD,OUTPUT
--nflog;=;OK
--nflog-group 42;=;OK
--nflog-range 42;--nflog-group 1 --nflog-range 42 -j CONTINUE;OK
--nflog-threshold 100 --nflog-prefix foo;--nflog-prefix "foo" --nflog-group 1 --nflog-threshold 100 -j CONTINUE;OK
...@@ -75,10 +75,7 @@ static void brpkttype_print(const void *ip, const struct xt_entry_match *match, ...@@ -75,10 +75,7 @@ static void brpkttype_print(const void *ip, const struct xt_entry_match *match,
{ {
struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data; struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data;
if (pt->invert) printf("--pkttype-type %s", pt->invert ? "! " : "");
printf("! ");
printf("--pkttype-type ");
if (pt->pkt_type < ARRAY_SIZE(classes)) if (pt->pkt_type < ARRAY_SIZE(classes))
printf("%s ", classes[pt->pkt_type]); printf("%s ", classes[pt->pkt_type]);
......
:INPUT,FORWARD,OUTPUT
! --pkttype-type host;--pkttype-type ! host -j CONTINUE;OK
--pkttype-type host;=;OK
--pkttype-type ! host;=;OK
--pkttype-type broadcast;=;OK
--pkttype-type ! broadcast;=;OK
--pkttype-type multicast;=;OK
--pkttype-type ! multicast;=;OK
--pkttype-type otherhost;=;OK
--pkttype-type ! otherhost;=;OK
--pkttype-type outgoing;=;OK
--pkttype-type ! outgoing;=;OK
--pkttype-type loopback;=;OK
--pkttype-type ! loopback;=;OK
:PREROUTING
*nat
-j redirect;=;OK
-j redirect --redirect-target RETURN;=;OK
:POSTROUTING
*nat
-o someport -j snat --to-source a:b:c:d:e:f;-o someport -j snat --to-src 0a:0b:0c:0d:0e:0f --snat-target ACCEPT;OK
-o someport+ -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE;=;OK
:INPUT,FORWARD,OUTPUT
-d de:ad:be:ef:00:00;=;OK
-s 0:0:0:0:0:0;-s 00:00:00:00:00:00;OK
-d 00:00:00:00:00:00;=;OK
-s de:ad:be:ef:0:00 -j RETURN;-s de:ad:be:ef:00:00 -j RETURN;OK
-d de:ad:be:ef:00:00 -j CONTINUE;=;OK
-d de:ad:be:ef:0:00/ff:ff:ff:ff:0:0 -j DROP;-d de:ad:be:ef:00:00/ff:ff:ff:ff:00:00 -j DROP;OK
-p ARP -j ACCEPT;=;OK
-p ! ARP -j ACCEPT;=;OK
-p 0 -j ACCEPT;=;FAIL
-p ! 0 -j ACCEPT;=;FAIL
...@@ -307,9 +307,8 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match, ...@@ -307,9 +307,8 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match,
for (i = 0; i < STP_NUMOPS; i++) { for (i = 0; i < STP_NUMOPS; i++) {
if (!(stpinfo->bitmask & (1 << i))) if (!(stpinfo->bitmask & (1 << i)))
continue; continue;
if (stpinfo->invflags & (1 << i)) printf("--%s %s", brstp_opts[i].name,
printf("! "); (stpinfo->invflags & (1 << i)) ? "! " : "");
printf("--%s ", brstp_opts[i].name);
if (EBT_STP_TYPE == (1 << i)) { if (EBT_STP_TYPE == (1 << i)) {
if (stpinfo->type == BPDU_TYPE_CONFIG) if (stpinfo->type == BPDU_TYPE_CONFIG)
printf("%s", BPDU_TYPE_CONFIG_STRING); printf("%s", BPDU_TYPE_CONFIG_STRING);
......
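Review bot: The inverted branch rewritten here in brstp_print has no matching case among the `--stp-*` test lines shown on this page: every one of them is a plain positive match, so the new `--<option> ! <value>` output order is never fed back through the parser. For a firewall front end this matters because saved output that does not restore to the same rule either breaks a reload or changes what an inverted match filters. I would add at least one round-trip case of the same shape as the vlan and pkttype ones, for example `--stp-root-prio ! 1;=;OK` (constructed here; confirm the parser accepts that spelling). The loop body continues past the end of the hunk.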
:INPUT,FORWARD,OUTPUT
--stp-type 1;=;OK
--stp-flags 0x1;--stp-flags topology-change -j CONTINUE;OK
--stp-root-prio 1 -j ACCEPT;=;OK
--stp-root-addr 0d:ea:d0:0b:ee:f0;=;OK
--stp-root-cost 1;=;OK
--stp-sender-prio 1;=;OK
--stp-sender-addr de:ad:be:ef:00:00;=;OK
--stp-port 1;=;OK
--stp-msg-age 1;=;OK
--stp-max-age 1;=;OK
--stp-hello-time 1;=;OK
--stp-forward-delay 1;=;OK
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
#include <getopt.h> #include <getopt.h>
#include <ctype.h> #include <ctype.h>
#include <xtables.h> #include <xtables.h>
#include <netinet/if_ether.h>
#include <linux/netfilter_bridge/ebt_vlan.h> #include <linux/netfilter_bridge/ebt_vlan.h>
#include <linux/if_ether.h> #include <linux/if_ether.h>
#include "iptables/nft.h" #include "iptables/nft.h"
...@@ -108,19 +109,14 @@ static void brvlan_print(const void *ip, const struct xt_entry_match *match, ...@@ -108,19 +109,14 @@ static void brvlan_print(const void *ip, const struct xt_entry_match *match,
struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data; struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data;
if (vlaninfo->bitmask & EBT_VLAN_ID) { if (vlaninfo->bitmask & EBT_VLAN_ID) {
if (vlaninfo->invflags & EBT_VLAN_ID) printf("--vlan-id %s%d ", (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", vlaninfo->id);
printf("! ");
printf("--vlan-id %d ", vlaninfo->id);
} }
if (vlaninfo->bitmask & EBT_VLAN_PRIO) { if (vlaninfo->bitmask & EBT_VLAN_PRIO) {
if (vlaninfo->invflags & EBT_VLAN_PRIO) printf("--vlan-prio %s%d ", (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", vlaninfo->prio);
printf("! ");
printf("--vlan-prio %d ", vlaninfo->prio);
} }
if (vlaninfo->bitmask & EBT_VLAN_ENCAP) { if (vlaninfo->bitmask & EBT_VLAN_ENCAP) {
if (vlaninfo->invflags & EBT_VLAN_ENCAP) printf("--vlan-encap %s", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : "");
printf("! "); printf("%4.4X ", ntohs(vlaninfo->encap));
printf("--vlan-encap %4.4X ", ntohs(vlaninfo->encap));
} }
} }
......
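Review bot: In brvlan_print the `--vlan-encap` branch now takes two printf() calls while the `--vlan-id` and `--vlan-prio` branches above it build the whole token in one, so the three branches read differently for no visible reason. A single call keeps them parallel: `printf("--vlan-encap %s%4.4X ", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : "", ntohs(vlaninfo->encap));`. The opening of the function lies above the hunk.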
:INPUT,FORWARD,OUTPUT
-p 802_1Q --vlan-id 42;=;OK
-p 802_1Q --vlan-id ! 42;=;OK
-p 802_1Q --vlan-prio 1;=;OK
-p 802_1Q --vlan-prio ! 1;=;OK
-p 802_1Q --vlan-encap ip;-p 802_1Q --vlan-encap 0800 -j CONTINUE;OK
-p 802_1Q --vlan-encap 0800 ;=;OK
-p 802_1Q --vlan-encap ! 0800 ;=;OK
-p 802_1Q --vlan-encap IPv6 ! --vlan-id 1;-p 802_1Q --vlan-id ! 1 --vlan-encap 86DD -j CONTINUE;OK
-p 802_1Q --vlan-id ! 1 --vlan-encap 86DD;=;OK
--vlan-encap ip;=;FAIL
--vlan-id 2;=;FAIL
--vlan-prio 1;=;FAIL
:PREROUTING
*nat
-j DNAT --to-destination dead::beef;=;OK
-j DNAT --to-destination dead::beef-dead::fee7;=;OK
-j DNAT --to-destination [dead::beef]:1025-65535;;FAIL
-j DNAT --to-destination [dead::beef] --to-destination [dead::fee7];;FAIL
-p tcp -j DNAT --to-destination [dead::beef]:1025-65535;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65535;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65536;;FAIL
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65535 --to-destination [dead::beef-dead::fee8]:1025-65535;;FAIL
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/1000;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/3000;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/65535;=;OK
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/0;;FAIL
-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1000-2000/65536;;FAIL
-j DNAT;;FAIL
:PREROUTING
*mangle
-j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK
-j DNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
-j DNPT --src-pfx dead::/64;;FAIL
-j DNPT --dst-pfx dead::/64;;FAIL
-j DNPT;;FAIL
:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
*mangle
-j HL --hl-set 42;=;OK
-j HL --hl-inc 1;=;OK
-j HL --hl-dec 1;=;OK
-j HL --hl-set 256;;FAIL
-j HL --hl-inc 0;;FAIL
-j HL --hl-dec 0;;FAIL
-j HL --hl-dec 1 --hl-inc 1;;FAIL
-j HL --hl-set --hl-inc 1;;FAIL
:INPUT,FORWARD,OUTPUT
-j LOG;-j LOG;OK
-j LOG --log-prefix "test: ";=;OK
-j LOG --log-prefix "test: " --log-level 1;=;OK
# iptables displays the log-level output using the number; not the string
-j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
-j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
-j LOG --log-prefix "test: " --log-tcp-options;=;OK
-j LOG --log-prefix "test: " --log-ip-options;=;OK
-j LOG --log-prefix "test: " --log-uid;=;OK
-j LOG --log-prefix "test: " --log-level bad;;FAIL
-j LOG --log-prefix;;FAIL
:POSTROUTING
*nat
-j MASQUERADE;=;OK
-j MASQUERADE --random;=;OK
-j MASQUERADE --random-fully;=;OK
-p tcp -j MASQUERADE --to-ports 1024;=;OK
-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
-p udp -j MASQUERADE --to-ports -1;;FAIL
:PREROUTING,INPUT,OUTPUT,POSTROUTING
*nat
-j NETMAP --to dead::/64;=;OK
-j NETMAP --to dead::beef;=;OK