c2234165
Commit
c2234165
authored
Feb 10, 2017
by
Arturo Borrero Gonzalez
Merge tag 'upstream/1.6.1'
Upstream version 1.6.1
parents
475b9a99
f1f129da
Changes
156
extensions/libipt_ECN.t
deleted
100644 → 0
:
PREROUTING
,
FORWARD
,
OUTPUT
,
POSTROUTING
*mangle
-
j
ECN
;;
FAIL
-
p
tcp
-
j
ECN
;;
FAIL
-
p
tcp
-
j
ECN
--
ecn
-
tcp
-
remove
;
=
;
OK
extensions/libipt_LOG.c
...
...
@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
(
const
struct
ipt_log_info
*
)
params
->
target
->
data
;
unsigned
int
i
=
0
;
xt_xlate_add
(
xl
,
"log
"
);
xt_xlate_add
(
xl
,
"log"
);
if
(
strcmp
(
loginfo
->
prefix
,
""
)
!=
0
)
{
if
(
params
->
escape_quotes
)
xt_xlate_add
(
xl
,
"prefix
\\\"
%s
\\\"
"
,
loginfo
->
prefix
);
xt_xlate_add
(
xl
,
"
prefix
\\\"
%s
\\\"
"
,
loginfo
->
prefix
);
else
xt_xlate_add
(
xl
,
"prefix
\"
%s
\"
"
,
loginfo
->
prefix
);
xt_xlate_add
(
xl
,
"
prefix
\"
%s
\"
"
,
loginfo
->
prefix
);
}
for
(
i
=
0
;
i
<
ARRAY_SIZE
(
ipt_log_xlate_names
);
++
i
)
if
(
loginfo
->
level
!=
LOG_DEFAULT_LEVEL
&&
loginfo
->
level
==
ipt_log_xlate_names
[
i
].
level
)
{
xt_xlate_add
(
xl
,
"level %s
"
,
xt_xlate_add
(
xl
,
"
level %s"
,
ipt_log_xlate_names
[
i
].
name
);
break
;
}
if
((
loginfo
->
logflags
&
IPT_LOG_MASK
)
==
IPT_LOG_MASK
)
{
xt_xlate_add
(
xl
,
" flags all"
);
}
else
{
if
(
loginfo
->
logflags
&
(
IPT_LOG_TCPSEQ
|
IPT_LOG_TCPOPT
))
{
const
char
*
delim
=
" "
;
xt_xlate_add
(
xl
,
" flags tcp"
);
if
(
loginfo
->
logflags
&
IPT_LOG_TCPSEQ
)
{
xt_xlate_add
(
xl
,
" sequence"
);
delim
=
","
;
}
if
(
loginfo
->
logflags
&
IPT_LOG_TCPOPT
)
xt_xlate_add
(
xl
,
"%soptions"
,
delim
);
}
if
(
loginfo
->
logflags
&
IPT_LOG_IPOPT
)
xt_xlate_add
(
xl
,
" flags ip options"
);
if
(
loginfo
->
logflags
&
IPT_LOG_UID
)
xt_xlate_add
(
xl
,
" flags skuid"
);
if
(
loginfo
->
logflags
&
IPT_LOG_MACDECODE
)
xt_xlate_add
(
xl
,
" flags ether"
);
}
return
1
;
}
static
struct
xtables_target
log_tg_reg
=
{
...
...
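Review bot: The rule's log prefix is interpolated raw into a quoted nft string in the prefix branch just after `xt_xlate_add(xl, "log")` — both `" prefix \"%s\""` and the escape_quotes form `" prefix \\\"%s\\\""` pass `loginfo->prefix` through unchanged — so a prefix that itself contains a `"` or `\` would break the quoting of the generated expression instead of being reproduced as data. Nothing in the hunk escapes those characters and the escape_quotes flag only affects the outer quotes; the conservative fix is to refuse the translation rather than emit a malformed rule, e.g. `if (strpbrk(loginfo->prefix, "\"\\") != NULL) return 0;` at the top of that branch, assuming (as the final `return 1` suggests but the hunk does not show) that a zero return marks the rule as untranslatable. The `strcmp(loginfo->prefix, "")` test likewise presumes the prefix field is NUL-terminated within its fixed-size array, which the option parser presumably guarantees but is not visible here. LOG_xlate's signature and the declarations opening its body lie before the hunk, and the `log_tg_reg` definition that follows it is cut off.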
extensions/libipt_LOG.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
j
LOG
;
-
j
LOG
;
OK
-
j
LOG
--
log
-
prefix
"
test:
";
=
;
OK
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
level
1
;
=
;
OK
# iptables displays the log-level output using the number; not the string
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
level
alert
;
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
level
1
;
OK
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
tcp
-
sequence
;
=
;
OK
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
tcp
-
options
;
=
;
OK
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
ip
-
options
;
=
;
OK
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
uid
;
=
;
OK
-
j
LOG
--
log
-
prefix
"
test:
"
--
log
-
level
bad
;;
FAIL
-
j
LOG
--
log
-
prefix
;;
FAIL
extensions/libipt_MASQUERADE.t
deleted
100644 → 0
:
POSTROUTING
*nat
-
j
MASQUERADE
;
=
;
OK
-
j
MASQUERADE
--
random
;
=
;
OK
-
p
tcp
-
j
MASQUERADE
--
to
-
ports
1024
;
=
;
OK
-
p
udp
-
j
MASQUERADE
--
to
-
ports
1024
-
65535
;
=
;
OK
-
p
udp
-
j
MASQUERADE
--
to
-
ports
1024
-
65536
;;
FAIL
-
p
udp
-
j
MASQUERADE
--
to
-
ports
-
1
;;
FAIL
extensions/libipt_NETMAP.t
deleted
100644 → 0
:
PREROUTING
,
INPUT
,
OUTPUT
,
POSTROUTING
*nat
-
j
NETMAP
--
to
1.2.3.0
/
24
;
=
;
OK
-
j
NETMAP
--
to
1.2.3.4
;
=
;
OK
extensions/libipt_REDIRECT.t
deleted
100644 → 0
:
PREROUTING
,
OUTPUT
*nat
-
p
tcp
-
j
REDIRECT
--
to
-
ports
42
;
=
;
OK
-
p
udp
-
j
REDIRECT
--
to
-
ports
42
-
1234
;
=
;
OK
-
p
tcp
-
j
REDIRECT
--
to
-
ports
42
-
1234
--
random
;
=
;
OK
-
j
REDIRECT
--
to
-
ports
42
;;
FAIL
extensions/libipt_REJECT.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
j
REJECT
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
net
-
unreachable
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
host
-
unreachable
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
port
-
unreachable
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
proto
-
unreachable
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
net
-
prohibited
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
host
-
prohibited
;
=
;
OK
-
j
REJECT
--
reject
-
with
icmp
-
admin
-
prohibited
;
=
;
OK
extensions/libipt_SNAT.t
deleted
100644 → 0
:
POSTROUTING
*nat
-
j
SNAT
--
to
-
source
1.1.1.1
;
=
;
OK
-
j
SNAT
--
to
-
source
1.1.1.1
-
1.1.1.10
;
=
;
OK
-
p
tcp
-
j
SNAT
--
to
-
source
1.1.1.1
:
1025
-
65535
;
=
;
OK
-
p
tcp
-
j
SNAT
--
to
-
source
1.1.1.1
-
1.1.1.10
:
1025
-
65535
;
=
;
OK
-
p
tcp
-
j
SNAT
--
to
-
source
1.1.1.1
-
1.1.1.10
:
1025
-
65536
;;
FAIL
-
j
SNAT
;;
FAIL
extensions/libipt_TTL.t
deleted
100644 → 0
:
PREROUTING
,
INPUT
,
FORWARD
,
OUTPUT
,
POSTROUTING
*mangle
-
j
TTL
--
ttl
-
set
42
;
=
;
OK
-
j
TTL
--
ttl
-
inc
1
;
=
;
OK
-
j
TTL
--
ttl
-
dec
1
;
=
;
OK
-
j
TTL
--
ttl
-
set
256
;;
FAIL
-
j
TTL
--
ttl
-
inc
0
;;
FAIL
-
j
TTL
--
ttl
-
dec
0
;;
FAIL
-
j
TTL
--
ttl
-
dec
1
--
ttl
-
inc
1
;;
FAIL
-
j
TTL
--
ttl
-
set
--
ttl
-
inc
1
;;
FAIL
extensions/libipt_ULOG.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
j
ULOG
--
ulog
-
nlgroup
1
;
-
j
ULOG
;
OK
-
j
ULOG
--
ulog
-
nlgroup
32
;
=
;
OK
-
j
ULOG
--
ulog
-
nlgroup
33
;;
FAIL
-
j
ULOG
--
ulog
-
nlgroup
0
;;
FAIL
-
j
ULOG
--
ulog
-
cprange
1
;
=
;
OK
-
j
ULOG
--
ulog
-
cprange
4294967295
;
=
;
OK
# This below outputs 0 in iptables-save
# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-cprange 4294967296
#-j ULOG --ulog-cprange 4294967296;;FAIL
# supports up to 31 characters
-
j
ULOG
--
ulog
-
prefix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;
=
;
OK
# ERROR: should fail: iptables -A INPUT -j ULOG --ulog-prefix xxxxxx [...]
#-j ULOG --ulog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
-
j
ULOG
--
ulog
-
qthreshold
1
;
-
j
ULOG
;
OK
-
j
ULOG
--
ulog
-
qthreshold
0
;;
FAIL
-
j
ULOG
--
ulog
-
qthreshold
50
;
=
;
OK
-
j
ULOG
--
ulog
-
qthreshold
51
;;
FAIL
-
j
ULOG
;
=
;
OK
extensions/libipt_ah.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
p
ah
-
m ah --a
hspi
0
;
=
;
OK
-
p
ah
-
m ah --a
hspi
4294967295
;
=
;
OK
-
p
ah
-
m ah --a
hspi
0
:
4294967295
;
-
p
ah
-
m ah;OK
-p a
h
-
m ah ! --a
hspi
0
;
=
;
OK
-
p
ah
-
m ah --a
hspi
-
1
;;
FAIL
-
p
ah
-
m ah --a
hspi
4294967296
;;
FAIL
-
p
ah
-
m ah --a
hspi
invalid
;;
FAIL
-
p
ah
-
m ah --a
hspi
0
:
invalid
;;
FAIL
-
m ah --a
hspi
0
;;
FAIL
-
m ah --a
hspi
;;
FAIL
-
m ah;;FAIL
-p a
h
-
m
ah
;
=
;
OK
extensions/libipt_icmp.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
p
icmp
-
m icmp --icmp
-
type
any
;
=
;
OK
# output uses the number, better use the name?
# ERROR: cannot find: iptables -I INPUT -p icmp -m icmp --icmp-type echo-reply
# -p icmp -m icmp --icmp-type echo-reply;=;OK
# output uses the number, better use the name?
# ERROR: annot find: iptables -I INPUT -p icmp -m icmp --icmp-type destination-unreachable
# -p icmp -m icmp --icmp-type destination-unreachable;=;OK
# it does not acccept name/name, should we accept this?
# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable
# -p icmp -m icmp --icmp-type destination-unreachable/network-unreachable;=;OK
-
m icmp;;FAIL
# we accept "ip
tables
-
I
INPUT
-
p
tcp
-
m tcp", why not
this
below
?
# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
# -p icmp -m icmp;=;OK
extensions/libipt_realm.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
m realm --r
ealm
0x1
/
0x2a
;
=
;
OK
-
m realm --r
ealm
0x2a
;
=
;
OK
-
m
realm
;;
FAIL
extensions/libipt_ttl.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
m ttl
--
ttl
-
eq
0
;
=
;
OK
-
m ttl
--
ttl
-
eq
255
;
=
;
OK
-
m ttl
!
--
ttl
-
eq
0
;
=
;
OK
-
m ttl
!
--
ttl
-
eq
255
;
=
;
OK
-
m ttl
--
ttl
-
gt
0
;
=
;
OK
# not possible have anything greater than 255, TTL is 8-bit long
# ERROR: should fail: iptables -A INPUT -m ttl --ttl-gt 255
## -m ttl --ttl-gt 255;;FAIL
# not possible have anything below 0
# ERROR: should fail: iptables -A INPUT -m ttl --ttl-lt 0
## -m ttl --ttl-lt 0;;FAIL
-
m ttl
--
ttl
-
eq
256
;;
FAIL
-
m ttl
--
ttl
-
eq
-
1
;;
FAIL
-
m ttl
;;
FAIL
extensions/libxt_AUDIT.t
deleted
100644 → 0
:
INPUT
,
FORWARD
,
OUTPUT
-
j
AUDIT
--
type
accept
;
=
;
OK
-
j
AUDIT
--
type
drop
;
=
;
OK
-
j
AUDIT
--
type
reject
;
=
;
OK
-
j
AUDIT
;;
FAIL
-
j
AUDIT
--
type
wrong
;;
FAIL
extensions/libxt_CHECKSUM.t
deleted
100644 → 0
:
PREROUTING
,
FORWARD
,
POSTROUTING
*mangle
-
j
CHECKSUM
--
checksum
-
fill
;
=
;
OK
-
j
CHECKSUM
;;
FAIL
extensions/libxt_CLASSIFY.t
deleted
100644 → 0
:
FORWARD
,
OUTPUT
,
POSTROUTING
*mangle
-
j
CLASSIFY
--
set
-
class
0000
:
ffff
;
=
;
OK
# maximum handle accepted by tc is 0xffff
# ERROR : should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 0000:ffffffff
# -j CLASSIFY --set-class 0000:ffffffff;;FAIL
# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1
# -j CLASSIFY --set-class 1:-1;;FAIL
-
j
CLASSIFY
;;
FAIL
extensions/libxt_CONNMARK.t
deleted
100644 → 0
:
PREROUTING
,
FORWARD
,
OUTPUT
,
POSTROUTING
*mangle
-
j
CONNMARK
--
restore
-
mark
;
=
;
OK
-
j
CONNMARK
--
save
-
mark
;
=
;
OK
-
j
CONNMARK
--
save
-
mark
--
nfmask
0xfffffff
--
ctmask
0xffffffff
;
-
j
CONNMARK
--
save
-
mark
;
OK
-
j
CONNMARK
--
restore
-
mark
--
nfmask
0xfffffff
--
ctmask
0xffffffff
;
-
j
CONNMARK
--
restore
-
mark
;
OK
-
j
CONNMARK
;;
FAIL
extensions/libxt_CONNSECMARK.t
deleted
100644 → 0
:
PREROUTING
,
FORWARD
,
OUTPUT
,
POSTROUTING
*mangle
-
j
CONNSECMARK
--
restore
;
=
;
OK
-
j
CONNSECMARK
--
save
;
=
;
OK
-
j
CONNSECMARK
;;
FAIL
extensions/libxt_CT.t
deleted
100644 → 0
:
PREROUTING
,
OUTPUT
*raw
-
j
CT
--
notrack
;
=
;
OK
-
j
CT
--
ctevents
new
,
related
,
destroy
,
reply
,
assured
,
protoinfo
,
helper
,
mark
;
=
;
OK
-
j
CT
--
expevents
new
;
=
;
OK
# ERROR: cannot find: iptables -I PREROUTING -t raw -j CT --zone 0
# -j CT --zone 0;=;OK
-
j
CT
--
zone
65535
;
=
;
OK
-
j
CT
--
zone
65536
;;
FAIL
-
j
CT
--
zone
-
1
;;
FAIL
# ERROR: should fail: iptables -A PREROUTING -t raw -j CT
# -j CT;;FAIL
@nfct
timeout
add
test
inet
tcp
ESTABLISHED
100
# cannot load: iptables -A PREROUTING -t raw -j CT --timeout test
# -j CT --timeout test;=;OK
@nfct
timeout
del
test
@nfct
helper
add
rpc
inet
tcp
# cannot load: iptables -A PREROUTING -t raw -j CT --helper rpc
# -j CT --helper rpc;=;OK
@nfct
helper
del
rpc