Merge tag 'upstream/1.6.1'

Upstream version 1.6.1

extensions/libxt_bpf.t

-:INPUT,FORWARD,OUTPUT
--m bpf --bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0";=;OK

extensions/libxt_cgroup.t

-:INPUT,OUTPUT,POSTROUTING
-*mangle
--m cgroup --cgroup 1;=;OK
--m cgroup ! --cgroup 1;=;OK
--m cgroup --path "/";=;OK
--m cgroup ! --path "/";=;OK
--m cgroup --cgroup 1 --path "/";;FAIL
--m cgroup ;;FAIL

extensions/libxt_cluster.t

-:PREROUTING,FORWARD,POSTROUTING
-*mangle
--m cluster;;FAIL
--m cluster --cluster-total-nodes 3;;FAIL
--m cluster --cluster-total-nodes 2 --cluster-local-node 2;;FAIL
--m cluster --cluster-total-nodes 2 --cluster-local-node 3 --cluster-hash-seed;;FAIL
-#
-# outputs --cluster-local-nodemask instead of --cluster-local-node
-#
--m cluster --cluster-total-nodes 2 --cluster-local-node 2 --cluster-hash-seed 0xfeedcafe;-m cluster --cluster-local-nodemask 0x00000002 --cluster-total-nodes 2 --cluster-hash-seed 0xfeedcafe;OK

extensions/libxt_comment.t

-:INPUT,FORWARD,OUTPUT
--m comment;;FAIL
--m comment --comment;;FAIL
-#
-# it fails with 256 characters
-#
-# should fail: iptables -A INPUT -m comment --comment xxxxxxxxxxxxxxxxx [....]
-# -m comment --comment xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
-#
-# success with 255 characters
-#
--m comment --comment xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK

extensions/libxt_connbytes.c

@@ -156,6 +156,61 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match)
 	print_direction(sinfo);
 }
 
+
+static int connbytes_xlate(struct xt_xlate *xl,
+			   const struct xt_xlate_mt_params *params)
+{
+	const struct xt_connbytes_info *info = (void *)params->match->data;
+	unsigned long long from, to;
+	bool invert = false;
+
+	xt_xlate_add(xl, "ct ");
+
+	switch (info->direction) {
+	case XT_CONNBYTES_DIR_ORIGINAL:
+		xt_xlate_add(xl, "original ");
+		break;
+	case XT_CONNBYTES_DIR_REPLY:
+		xt_xlate_add(xl, "reply ");
+		break;
+	case XT_CONNBYTES_DIR_BOTH:
+		break;
+	default:
+		return 0;
+	}
+
+	switch (info->what) {
+	case XT_CONNBYTES_PKTS:
+		xt_xlate_add(xl, "packets ");
+		break;
+	case XT_CONNBYTES_BYTES:
+		xt_xlate_add(xl, "bytes ");
+		break;
+	case XT_CONNBYTES_AVGPKT:
+		xt_xlate_add(xl, "avgpkt ");
+		break;
+	default:
+		return 0;
+	}
+
+	if (info->count.from > info->count.to) {
+		invert = true;
+		from = info->count.to;
+		to = info->count.from;
+	} else {
+		to = info->count.to;
+		from = info->count.from;
+	}
+
+	if (from == to)
+		xt_xlate_add(xl, "%llu", from);
+	else if (to == UINT64_MAX)
+		xt_xlate_add(xl, "%s %llu", invert ? "lt" : "ge", from);
+	else
+		xt_xlate_add(xl, "%s%llu-%llu", invert ? "!= " : "", from, to);
+	return 1;
+}
+
 static struct xtables_match connbytes_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name 		= "connbytes",
@@ -167,6 +222,7 @@ static struct xtables_match connbytes_match = {
 	.save 		= connbytes_save,
 	.x6_parse	= connbytes_parse,
 	.x6_options	= connbytes_opts,
+	.xlate		= connbytes_xlate,
 };
 
 void _init(void)

extensions/libxt_connbytes.t

-:INPUT,FORWARD,OUTPUT
--m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir original;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir reply;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir both;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir original;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir reply;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode bytes --connbytes-dir both;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir original;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir reply;=;OK
--m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir both;=;OK
--m connbytes --connbytes -1:0 --connbytes-mode packets --connbytes-dir original;;FAIL
--m connbytes --connbytes 0:-1 --connbytes-mode packets --connbytes-dir original;;FAIL
-# ERROR: cannot find: iptables -I INPUT -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both
-# -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both;=;OK
--m connbytes --connbytes 0:18446744073709551616 --connbytes-mode avgpkt --connbytes-dir both;;FAIL
--m connbytes --connbytes 0:1000 --connbytes-mode wrong --connbytes-dir both;;FAIL
--m connbytes --connbytes 0:1000 --connbytes-dir original;;FAIL
--m connbytes --connbytes 0:1000 --connbytes-mode packets;;FAIL
--m connbytes --connbytes-dir original;;FAIL
--m connbytes --connbytes 0:1000;;FAIL
--m connbytes;;FAIL

extensions/libxt_connlabel.t

-:INPUT,FORWARD,OUTPUT
-# Backup the connlabel.conf, then add some label maps for test
-@[ -f /etc/xtables/connlabel.conf ] && mv /etc/xtables/connlabel.conf /tmp/connlabel.conf.bak
-@mkdir -p /etc/xtables
-@echo "40 bit40" > /etc/xtables/connlabel.conf
-@echo "41 bit41" >> /etc/xtables/connlabel.conf
-@echo "128 bit128" >> /etc/xtables/connlabel.conf
--m connlabel --label "bit40";=;OK
--m connlabel ! --label "bit40";=;OK
--m connlabel --label "bit41" --set;=;OK
--m connlabel ! --label "bit41" --set;=;OK
--m connlabel --label "bit128";;FAIL
-@echo > /etc/xtables/connlabel.conf
--m connlabel --label "abc";;FAIL
-@rm -f /etc/xtables/connlabel.conf
--m connlabel --label "abc";;FAIL
-# Restore the original connlabel.conf
-@[ -f /tmp/connlabel.conf.bak ] && mv /tmp/connlabel.conf.bak /etc/xtables/connlabel.conf

extensions/libxt_connlimit.t

-:INPUT,FORWARD,OUTPUT
--m connlimit --connlimit-upto 0;=;OK
--m connlimit --connlimit-upto 4294967295;=;OK
--m connlimit --connlimit-upto 4294967296;;FAIL
--m connlimit --connlimit-upto -1;;FAIL
--m connlimit --connlimit-above 0;=;OK
--m connlimit --connlimit-above 4294967295;=;OK
--m connlimit --connlimit-above 4294967296;;FAIL
--m connlimit --connlimit-above -1;;FAIL
--m connlimit --connlimit-upto 1 --conlimit-above 1;;FAIL
--m connlimit --connlimit-above 10 --connlimit-saddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;OK
--m connlimit --connlimit-above 10 --connlimit-daddr;-m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;OK
--m connlimit --connlimit-above 10 --connlimit-saddr --connlimit-daddr;;FAIL
--m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr;=;OK
--m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr;=;OK
--m connlimit;;FAIL

extensions/libxt_connmark.t

-:PREROUTING,FORWARD,OUTPUT,POSTROUTING
-*mangle
--m connmark --mark 0xffffffff;=;OK
--m connmark --mark 0xffffffff/0xffffffff;-m connmark --mark 0xffffffff;OK
--m connmark --mark 0xffffffff/0;=;OK
--m connmark --mark 0/0xffffffff;-m connmark --mark 0;OK
--m connmark --mark -1;;FAIL
--m connmark --mark 0xfffffffff;;FAIL
--m connmark;;FAIL

extensions/libxt_conntrack.t

-:INPUT,FORWARD,OUTPUT
--m conntrack --ctstate NEW;=;OK
--m conntrack --ctstate NEW,ESTABLISHED;=;OK
--m conntrack --ctstate NEW,RELATED,ESTABLISHED;=;OK
--m conntrack --ctstate INVALID;=;OK
--m conntrack --ctstate UNTRACKED;=;OK
--m conntrack --ctstate SNAT,DNAT;=;OK
--m conntrack --ctstate wrong;;FAIL
-# should we convert this to output "tcp" instead of 6?
--m conntrack --ctproto tcp;-m conntrack --ctproto 6;OK
--m conntrack --ctorigsrc 1.1.1.1;=;OK
--m conntrack --ctorigdst 1.1.1.1;=;OK
--m conntrack --ctreplsrc 1.1.1.1;=;OK
--m conntrack --ctrepldst 1.1.1.1;=;OK
--m conntrack --ctexpire 0;=;OK
--m conntrack --ctexpire 4294967295;=;OK
--m conntrack --ctexpire 0:4294967295;=;OK
--m conntrack --ctexpire 42949672956;;FAIL
--m conntrack --ctexpire -1;;FAIL
--m conntrack --ctdir ORIGINAL;=;OK
--m conntrack --ctdir REPLY;=;OK
--m conntrack --ctstatus NONE;=;OK
--m conntrack --ctstatus CONFIRMED;=;OK
--m conntrack --ctstatus ASSURED;=;OK
--m conntrack --ctstatus EXPECTED;=;OK
--m conntrack --ctstatus SEEN_REPLY;=;OK
--m conntrack;;FAIL

extensions/libxt_cpu.t

-:INPUT,FORWARD,OUTPUT
--m cpu --cpu 0;=;OK
--m cpu ! --cpu 0;=;OK
--m cpu --cpu 4294967295;=;OK
--m cpu --cpu 4294967296;;FAIL
--m cpu;;FAIL

extensions/libxt_dccp.t

-:INPUT,FORWARD,OUTPUT
--p dccp -m dccp --sport 1;=;OK
--p dccp -m dccp --sport 65535;=;OK
--p dccp -m dccp --dport 1;=;OK
--p dccp -m dccp --dport 65535;=;OK
--p dccp -m dccp --sport 1:1023;=;OK
--p dccp -m dccp --sport 1024:65535;=;OK
--p dccp -m dccp --sport 1024:;-p dccp -m dccp --sport 1024:65535;OK
--p dccp -m dccp ! --sport 1;=;OK
--p dccp -m dccp ! --sport 65535;=;OK
--p dccp -m dccp ! --dport 1;=;OK
--p dccp -m dccp ! --dport 65535;=;OK
--p dccp -m dccp --sport 1 --dport 65535;=;OK
--p dccp -m dccp --sport 65535 --dport 1;=;OK
--p dccp -m dccp ! --sport 1 --dport 65535;=;OK
--p dccp -m dccp ! --sport 65535 --dport 1;=;OK
-# ERROR: should fail: iptables -A INPUT -p dccp -m dccp --sport 65536
-# -p dccp -m dccp --sport 65536;;FAIL
--p dccp -m dccp --sport -1;;FAIL
--p dccp -m dccp --dport -1;;FAIL
--p dccp -m dccp --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,RESET,SYNC,SYNCACK,INVALID;=;OK
--p dccp -m dccp ! --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,RESET,SYNC,SYNCACK,INVALID;=;OK
-# DCCP option 0 is valid, see http://tools.ietf.org/html/rfc4340#page-29
-# ERROR: cannot load: iptables -A INPUT -p dccp -m dccp --dccp-option 0
-#-p dccp -m dccp --dccp-option 0;=;OK
--p dccp -m dccp --dccp-option 255;=;OK
--p dccp -m dccp --dccp-option 256;;FAIL
--p dccp -m dccp --dccp-option -1;;FAIL
-# should we accept this below?
--p dccp -m dccp;=;OK

extensions/libxt_dscp.t

-:INPUT,FORWARD,OUTPUT
--m dscp --dscp 0;=;OK
--m dscp --dscp 0x3f;=;OK
--m dscp --dscp -1;;FAIL
--m dscp --dscp 0x40;;FAIL
--m dscp --dscp 0x3f --dscp-class CS0;;FAIL
--m dscp --dscp-class CS0;-m dscp --dscp 0x00;OK
--m dscp --dscp-class BE;-m dscp --dscp 0x00;OK
--m dscp --dscp-class EF;-m dscp --dscp 0x2e;OK
--m dscp;;FAIL

extensions/libxt_ecn.t

-:INPUT,FORWARD,OUTPUT
--m ecn --ecn-tcp-cwr;;FAIL
--p tcp -m ecn --ecn-tcp-cwr;=;OK
--p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 2;=;OK
--p tcp -m ecn ! --ecn-tcp-ece ! --ecn-tcp-cwr ! --ecn-ip-ect 2;=;OK

extensions/libxt_esp.t

-:INPUT,FORWARD,OUTPUT
--p esp -m esp --espspi 0;=;OK
--p esp -m esp --espspi :32;-p esp -m esp --espspi 0:32;OK
--p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK
--p esp -m esp ! --espspi 0:4294967294;=;OK
--p esp -m esp --espspi -1;;FAIL
--p esp -m esp;=;OK
--m esp;;FAIL

extensions/libxt_hashlimit.t

-:INPUT,FORWARD,OUTPUT
--m hashlimit --hashlimit-above 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
--m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
--m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
--m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
--m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
--m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
--m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-max 2000 --hashlimit-htable-expire 2000;=;OK
--m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-max 2000 --hashlimit-htable-gcinterval 60000 --hashlimit-htable-expire 2000;=;OK
--m hashlimit --hashlimit-upto 1/sec --hashlimit-name mini1;-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;OK
--m hashlimit --hashlimit-upto 4kb/s --hashlimit-burst 400kb --hashlimit-name mini5;=;OK
--m hashlimit --hashlimit-upto 10mb/s --hashlimit-name mini6;=;OK
--m hashlimit --hashlimit-upto 123456b/s --hashlimit-burst 1mb --hashlimit-name mini7;=;OK
-# should work, it says "iptables v1.4.15: burst cannot be smaller than 96b"
-# ERROR: cannot load: iptables -A INPUT -m hashlimit --hashlimit-upto 96b/s --hashlimit-burst 5 --hashlimit-name mini1
-# -m hashlimit --hashlimit-upto 96b/s --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-name mini1;;FAIL
--m hashlimit --hashlimit-upto 1/sec;;FAIL
--m hashlimit;;FAIL

extensions/libxt_helper.t

-:INPUT,FORWARD,OUTPUT
--m helper --helper ftp;=;OK
-# should be OK?
-# ERROR: should fail: iptables -A INPUT -m helper --helper wrong
-# -m helper --helper wrong;;FAIL
--m helper;;FAIL

extensions/libxt_iprange.t

-:INPUT,FORWARD,OUTPUT
--m iprange --src-range 1.1.1.1-1.1.1.10;=;OK
--m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
--m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
--m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
-# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
-# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
-# -m iprange --src-range 1.1.1.1;;FAIL
-# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
-#-m iprange --dst-range 1.1.1.1;;FAIL
--m iprange;;FAIL

extensions/libxt_length.t

-:INPUT,FORWARD,OUTPUT
--m length --length 1;=;OK
--m length --length :2;-m length --length 0:2;OK
--m length --length 0:3;=;OK
--m length --length 4:;=;OK
--m length --length 0:65535;=;OK
--m length ! --length 0:65535;=;OK
--m length --length 0:65536;;FAIL
--m length --length -1:65535;;FAIL
--m length;;FAIL

extensions/libxt_limit.t

-:INPUT,FORWARD,OUTPUT
--m limit --limit 1/sec;=;OK
--m limit --limit 1/min;=;OK
--m limit --limit 1000/hour;=;OK
--m limit --limit 1000/day;=;OK
--m limit --limit 1/sec --limit-burst 1;=;OK