Merge tag 'upstream/1.6.1'

Upstream version 1.6.1

Merge tag 'upstream/1.6.1'
Upstream version 1.6.1
c2234165 · Arturo Borrero Gonzalez · 475b9a99 · f1f129da · 475b9a99 · c2234165
Commit c2234165 authored Feb 10, 2017 by Arturo Borrero Gonzalez
--- a/extensions/libipt_ECN.t
+++ b/extensions/libipt_ECN.t
-:PREROUTING,FORWARD,OUTPUT,POSTROUTING
-*mangle
-j ECN;;FAIL
-p tcp -j ECN;;FAIL
-p tcp -j ECN --ecn-tcp-remove;=;OK
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
 		(const struct ipt_log_info *)params->target->data;
 	unsigned int i = 0;

-	xt_xlate_add(xl, "log ");
+	xt_xlate_add(xl, "log");
 	if (strcmp(loginfo->prefix, "") != 0) {
 		if (params->escape_quotes)
-			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
 		else
-			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
 	}

 	for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
 		if (loginfo->level != LOG_DEFAULT_LEVEL &&
 		    loginfo->level == ipt_log_xlate_names[i].level) {
-			xt_xlate_add(xl, "level %s ",
+			xt_xlate_add(xl, " level %s",
 				   ipt_log_xlate_names[i].name);
 			break;
 		}

+	if ((loginfo->logflags & IPT_LOG_MASK) == IPT_LOG_MASK) {
+		xt_xlate_add(xl, " flags all");
+	} else {
+		if (loginfo->logflags & (IPT_LOG_TCPSEQ | IPT_LOG_TCPOPT)) {
+			const char *delim = " ";
+
+			xt_xlate_add(xl, " flags tcp");
+			if (loginfo->logflags & IPT_LOG_TCPSEQ) {
+				xt_xlate_add(xl, " sequence");
+				delim = ",";
+			}
+			if (loginfo->logflags & IPT_LOG_TCPOPT)
+				xt_xlate_add(xl, "%soptions", delim);
+		}
+		if (loginfo->logflags & IPT_LOG_IPOPT)
+			xt_xlate_add(xl, " flags ip options");
+		if (loginfo->logflags & IPT_LOG_UID)
+			xt_xlate_add(xl, " flags skuid");
+		if (loginfo->logflags & IPT_LOG_MACDECODE)
+			xt_xlate_add(xl, " flags ether");
+	}
+
 	return 1;
 }
 static struct xtables_target log_tg_reg = {

--- a/extensions/libipt_LOG.t
+++ b/extensions/libipt_LOG.t
-:INPUT,FORWARD,OUTPUT
-j LOG;-j LOG;OK
-j LOG --log-prefix "test: ";=;OK
-j LOG --log-prefix "test: " --log-level 1;=;OK
-# iptables displays the log-level output using the number; not the string
-j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
-j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
-j LOG --log-prefix "test: " --log-tcp-options;=;OK
-j LOG --log-prefix "test: " --log-ip-options;=;OK
-j LOG --log-prefix "test: " --log-uid;=;OK
-j LOG --log-prefix "test: " --log-level bad;;FAIL
-j LOG --log-prefix;;FAIL
--- a/extensions/libipt_MASQUERADE.t
+++ b/extensions/libipt_MASQUERADE.t
-:POSTROUTING
-*nat
-j MASQUERADE;=;OK
-j MASQUERADE --random;=;OK
-p tcp -j MASQUERADE --to-ports 1024;=;OK
-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
-p udp -j MASQUERADE --to-ports -1;;FAIL
--- a/extensions/libipt_NETMAP.t
+++ b/extensions/libipt_NETMAP.t
-:PREROUTING,INPUT,OUTPUT,POSTROUTING
-*nat
-j NETMAP --to 1.2.3.0/24;=;OK
-j NETMAP --to 1.2.3.4;=;OK
--- a/extensions/libipt_REDIRECT.t
+++ b/extensions/libipt_REDIRECT.t
-:PREROUTING,OUTPUT
-*nat
-p tcp -j REDIRECT --to-ports 42;=;OK
-p udp -j REDIRECT --to-ports 42-1234;=;OK
-p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
-j REDIRECT --to-ports 42;;FAIL
--- a/extensions/libipt_REJECT.t
+++ b/extensions/libipt_REJECT.t
-:INPUT,FORWARD,OUTPUT
-j REJECT;=;OK
-j REJECT --reject-with icmp-net-unreachable;=;OK
-j REJECT --reject-with icmp-host-unreachable;=;OK
-j REJECT --reject-with icmp-port-unreachable;=;OK
-j REJECT --reject-with icmp-proto-unreachable;=;OK
-j REJECT --reject-with icmp-net-prohibited;=;OK
-j REJECT --reject-with icmp-host-prohibited;=;OK
-j REJECT --reject-with icmp-admin-prohibited;=;OK
--- a/extensions/libipt_SNAT.t
+++ b/extensions/libipt_SNAT.t
-:POSTROUTING
-*nat
-j SNAT --to-source 1.1.1.1;=;OK
-j SNAT --to-source 1.1.1.1-1.1.1.10;=;OK
-p tcp -j SNAT --to-source 1.1.1.1:1025-65535;=;OK
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
-j SNAT;;FAIL
--- a/extensions/libipt_TTL.t
+++ b/extensions/libipt_TTL.t
-:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
-*mangle
-j TTL --ttl-set 42;=;OK
-j TTL --ttl-inc 1;=;OK
-j TTL --ttl-dec 1;=;OK
-j TTL --ttl-set 256;;FAIL
-j TTL --ttl-inc 0;;FAIL
-j TTL --ttl-dec 0;;FAIL
-j TTL --ttl-dec 1 --ttl-inc 1;;FAIL
-j TTL --ttl-set --ttl-inc 1;;FAIL
--- a/extensions/libipt_ULOG.t
+++ b/extensions/libipt_ULOG.t
-:INPUT,FORWARD,OUTPUT
-j ULOG --ulog-nlgroup 1;-j ULOG;OK
-j ULOG --ulog-nlgroup 32;=;OK
-j ULOG --ulog-nlgroup 33;;FAIL
-j ULOG --ulog-nlgroup 0;;FAIL
-j ULOG --ulog-cprange 1;=;OK
-j ULOG --ulog-cprange 4294967295;=;OK
-# This below outputs 0 in iptables-save
-# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-cprange 4294967296
-#-j ULOG --ulog-cprange 4294967296;;FAIL
-# supports up to 31 characters
-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
-# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-prefix  xxxxxx [...]
-#-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
-j ULOG --ulog-qthreshold 1;-j ULOG;OK
-j ULOG --ulog-qthreshold 0;;FAIL
-j ULOG --ulog-qthreshold 50;=;OK
-j ULOG --ulog-qthreshold 51;;FAIL
-j ULOG;=;OK
--- a/extensions/libipt_ah.t
+++ b/extensions/libipt_ah.t
-:INPUT,FORWARD,OUTPUT
-p ah -m ah --ahspi 0;=;OK
-p ah -m ah --ahspi 4294967295;=;OK
-p ah -m ah --ahspi 0:4294967295;-p ah -m ah;OK
-p ah -m ah ! --ahspi 0;=;OK
-p ah -m ah --ahspi -1;;FAIL
-p ah -m ah --ahspi 4294967296;;FAIL
-p ah -m ah --ahspi invalid;;FAIL
-p ah -m ah --ahspi 0:invalid;;FAIL
-m ah --ahspi 0;;FAIL
-m ah --ahspi;;FAIL
-m ah;;FAIL
-p ah -m ah;=;OK
--- a/extensions/libipt_icmp.t
+++ b/extensions/libipt_icmp.t
-:INPUT,FORWARD,OUTPUT
-p icmp -m icmp --icmp-type any;=;OK
-# output uses the number, better use the name?
-# ERROR: cannot find: iptables -I INPUT -p icmp -m icmp --icmp-type echo-reply
-# -p icmp -m icmp --icmp-type echo-reply;=;OK
-# output uses the number, better use the name?
-# ERROR: annot find: iptables -I INPUT -p icmp -m icmp --icmp-type destination-unreachable
-# -p icmp -m icmp --icmp-type destination-unreachable;=;OK
-# it does not acccept name/name, should we accept this?
-# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable
-# -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable;=;OK
-m icmp;;FAIL
-# we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
-# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
-# -p icmp -m icmp;=;OK
--- a/extensions/libipt_realm.t
+++ b/extensions/libipt_realm.t
-:INPUT,FORWARD,OUTPUT
-m realm --realm 0x1/0x2a;=;OK
-m realm --realm 0x2a;=;OK
-m realm;;FAIL
--- a/extensions/libipt_ttl.t
+++ b/extensions/libipt_ttl.t
-:INPUT,FORWARD,OUTPUT
-m ttl --ttl-eq 0;=;OK
-m ttl --ttl-eq 255;=;OK
-m ttl ! --ttl-eq 0;=;OK
-m ttl ! --ttl-eq 255;=;OK
-m ttl --ttl-gt 0;=;OK
-# not possible have anything greater than 255, TTL is 8-bit long
-# ERROR: should fail: iptables -A INPUT -m ttl --ttl-gt 255
-## -m ttl --ttl-gt 255;;FAIL
-# not possible have anything below 0
-# ERROR: should fail: iptables -A INPUT -m ttl --ttl-lt 0
-## -m ttl --ttl-lt 0;;FAIL
-m ttl --ttl-eq 256;;FAIL
-m ttl --ttl-eq -1;;FAIL
-m ttl;;FAIL
--- a/extensions/libxt_AUDIT.t
+++ b/extensions/libxt_AUDIT.t
-:INPUT,FORWARD,OUTPUT
-j AUDIT --type accept;=;OK
-j AUDIT --type drop;=;OK
-j AUDIT --type reject;=;OK
-j AUDIT;;FAIL
-j AUDIT --type wrong;;FAIL
--- a/extensions/libxt_CHECKSUM.t
+++ b/extensions/libxt_CHECKSUM.t
-:PREROUTING,FORWARD,POSTROUTING
-*mangle
-j CHECKSUM --checksum-fill;=;OK
-j CHECKSUM;;FAIL
--- a/extensions/libxt_CLASSIFY.t
+++ b/extensions/libxt_CLASSIFY.t
-:FORWARD,OUTPUT,POSTROUTING
-*mangle
-j CLASSIFY --set-class 0000:ffff;=;OK
-# maximum handle accepted by tc is 0xffff
-# ERROR : should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class  0000:ffffffff
-# -j CLASSIFY --set-class 0000:ffffffff;;FAIL
-# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1
-# -j CLASSIFY --set-class 1:-1;;FAIL
-j CLASSIFY;;FAIL
--- a/extensions/libxt_CONNMARK.t
+++ b/extensions/libxt_CONNMARK.t
-:PREROUTING,FORWARD,OUTPUT,POSTROUTING
-*mangle
-j CONNMARK --restore-mark;=;OK
-j CONNMARK --save-mark;=;OK
-j CONNMARK --save-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --save-mark;OK
-j CONNMARK --restore-mark --nfmask 0xfffffff --ctmask 0xffffffff;-j CONNMARK --restore-mark;OK
-j CONNMARK;;FAIL
--- a/extensions/libxt_CONNSECMARK.t
+++ b/extensions/libxt_CONNSECMARK.t
-:PREROUTING,FORWARD,OUTPUT,POSTROUTING
-*mangle
-j CONNSECMARK --restore;=;OK
-j CONNSECMARK --save;=;OK
-j CONNSECMARK;;FAIL
--- a/extensions/libxt_CT.t
+++ b/extensions/libxt_CT.t
-:PREROUTING,OUTPUT
-*raw
-j CT --notrack;=;OK
-j CT --ctevents new,related,destroy,reply,assured,protoinfo,helper,mark;=;OK
-j CT --expevents new;=;OK
-# ERROR: cannot find: iptables -I PREROUTING -t raw -j CT --zone 0
-# -j CT --zone 0;=;OK
-j CT --zone 65535;=;OK
-j CT --zone 65536;;FAIL
-j CT --zone -1;;FAIL
-# ERROR: should fail: iptables -A PREROUTING -t raw -j CT
-# -j CT;;FAIL
-@nfct timeout add test inet tcp ESTABLISHED 100
-# cannot load: iptables -A PREROUTING -t raw -j CT --timeout test
-# -j CT --timeout test;=;OK
-@nfct timeout del test
-@nfct helper add rpc inet tcp
-# cannot load: iptables -A PREROUTING -t raw -j CT --helper rpc
-# -j CT --helper rpc;=;OK
-@nfct helper del rpc