Commit c2234165 authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez
Browse files

Merge tag 'upstream/1.6.1'

Upstream version 1.6.1
parents 475b9a99 f1f129da
:INPUT,FORWARD
-m mac --mac-source 42:01:02:03:04:05;=;OK
-m mac --mac-source 42:01:02:03:04;=;FAIL
-m mac --mac-source 42:01:02:03:04:05:06;=;FAIL
-m mac;;FAIL
:INPUT,FORWARD,OUTPUT
-m mark --mark 0xfeedcafe/0xfeedcafe;=;OK
-m mark --mark 0;=;OK
-m mark --mark 4294967295;-m mark --mark 0xffffffff;OK
-m mark --mark 4294967296;;FAIL
-m mark --mark -1;;FAIL
-m mark;;FAIL
...@@ -108,7 +108,6 @@ parse_multi_ports_v1(const char *portstring, ...@@ -108,7 +108,6 @@ parse_multi_ports_v1(const char *portstring,
{ {
char *buffer, *cp, *next, *range; char *buffer, *cp, *next, *range;
unsigned int i; unsigned int i;
uint16_t m;
buffer = strdup(portstring); buffer = strdup(portstring);
if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
...@@ -133,7 +132,6 @@ parse_multi_ports_v1(const char *portstring, ...@@ -133,7 +132,6 @@ parse_multi_ports_v1(const char *portstring,
if (multiinfo->ports[i-1] >= multiinfo->ports[i]) if (multiinfo->ports[i-1] >= multiinfo->ports[i])
xtables_error(PARAMETER_PROBLEM, xtables_error(PARAMETER_PROBLEM,
"invalid portrange specified"); "invalid portrange specified");
m <<= 1;
} }
} }
multiinfo->count = i; multiinfo->count = i;
......
:INPUT,FORWARD,OUTPUT
-p tcp -m multiport --sports 53,1024:65535;=;OK
-p tcp -m multiport --dports 53,1024:65535;=;OK
-p udp -m multiport --sports 53,1024:65535;=;OK
-p udp -m multiport --dports 53,1024:65535;=;OK
-p udp -m multiport --ports 53,1024:65535;=;OK
-p udp -m multiport --ports 53,1024:65535;=;OK
-p sctp -m multiport --sports 53,1024:65535;=;OK
-p sctp -m multiport --dports 53,1024:65535;=;OK
-p dccp -m multiport --sports 53,1024:65535;=;OK
-p dccp -m multiport --dports 53,1024:65535;=;OK
-p udplite -m multiport --sports 53,1024:65535;=;OK
-p udplite -m multiport --dports 53,1024:65535;=;OK
-p tcp -m multiport --sports 1024:65536;;FAIL
-p udp -m multiport --sports 1024:65536;;FAIL
-p tcp -m multiport --ports 1024:65536;;FAIL
-p udp -m multiport --ports 1024:65536;;FAIL
-p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15;=;OK
# fix manpage, it says "up to 15 ports supported"
# ERROR: should fail: iptables -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16
# -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16;;FAIL
-p tcp --multiport;;FAIL
-m multiport;;FAIL
:INPUT,FORWARD,OUTPUT
@nfacct add test
#
# extra space in iptables-save output, fix it
#
# ERROR: cannot load: iptables -A INPUT -m nfacct --nfacct-name test
#-m nfacct --nfacct-name test;=;OK
-m nfacct --nfacct-name wrong;;FAIL
-m nfacct;;FAIL
@nfacct del test
:INPUT,FORWARD
-m osf --genre linux --ttl 0 --log 0;;FAIL
-p tcp -m osf --genre linux --ttl 0 --log 0;=;OK
-p tcp -m osf --genre linux --ttl 3 --log 0;;FAIL
:OUTPUT,POSTROUTING
*mangle
-m owner --uid-owner root;-m owner --uid-owner 0;OK
-m owner --uid-owner 0-10;=;OK
-m owner --gid-owner root;-m owner --gid-owner 0;OK
-m owner --gid-owner 0-10;=;OK
-m owner --uid-owner root --gid-owner root;-m owner --uid-owner 0 --gid-owner 0;OK
-m owner --uid-owner 0-10 --gid-owner 0-10;=;OK
-m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK
-m owner --socket-exists;=;OK
:INPUT
-m owner --uid-owner root;;FAIL
:INPUT,FORWARD
-m physdev --physdev-in lo;=;OK
-m physdev --physdev-is-in --physdev-in lo;=;OK
:OUTPUT,FORWARD
# xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
# ERROR: should fail: iptables -A FORWARD -m physdev --physdev-out lo
#-m physdev --physdev-out lo;;FAIL
# ERROR: cannot load: iptables -A OUTPUT -m physdev --physdev-is-out --physdev-out lo
#-m physdev --physdev-is-out --physdev-out lo;=;OK
:FORWARD
-m physdev --physdev-in lo --physdev-is-bridged;=;OK
:POSTROUTING
*mangle
-m physdev --physdev-out lo --physdev-is-bridged;=;OK
:INPUT,FORWARD,OUTPUT
-m pkttype --pkt-type unicast;=;OK
-m pkttype --pkt-type broadcast;=;OK
-m pkttype --pkt-type multicast;=;OK
-m pkttype --pkt-type wrong;;FAIL
-m pkttype;;FAIL
:INPUT,FORWARD
-m policy --dir in --pol ipsec;=;OK
-m policy --dir in --pol ipsec --strict;;FAIL
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL
:INPUT,FORWARD,OUTPUT
-m quota --quota 0;=;OK
-m quota ! --quota 0;=;OK
-m quota --quota 18446744073709551615;=;OK
-m quota ! --quota 18446744073709551615;=;OK
-m quota --quota 18446744073709551616;;FAIL
-m quota;;FAIL
:INPUT,FORWARD,OUTPUT
@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit;=;OK
-m rateest --rateest RE1 --rateest-eq --rateest-pps 5;=;OK
-m rateest --rateest RE1 --rateest-gt --rateest-bps 5kbit;-m rateest --rateest RE1 --rateest-gt --rateest-bps 5000bit;OK
-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit;=;OK
@iptables -I INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-m rateest --rateest1 RE1 --rateest-lt --rateest-bps --rateest2 RE2;=;OK
-m rateest --rateest-delta --rateest1 RE1 --rateest-pps1 0 --rateest-lt --rateest-pps2 42 --rateest2 RE2;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9;=;OK
@iptables -D INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
@iptables -D INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
:INPUT,FORWARD,OUTPUT
-m recent --set;=;OK
-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --update --rttl;=;OK
-m recent --set --rttl;;FAIL
-m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;;FAIL
# nonsensical, but all should load successfully:
-m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
...@@ -77,6 +77,31 @@ static void rpfilter_save(const void *ip, const struct xt_entry_match *match) ...@@ -77,6 +77,31 @@ static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
return rpfilter_print_prefix(ip, match->data, "--"); return rpfilter_print_prefix(ip, match->data, "--");
} }
static int rpfilter_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_rpfilter_info *info = (void *)params->match->data;
bool invert = info->flags & XT_RPFILTER_INVERT;
if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) {
if (invert)
xt_xlate_add(xl, "fib saddr type != local ");
else
return 0;
}
xt_xlate_add(xl, "fib saddr ");
if (info->flags & XT_RPFILTER_VALID_MARK)
xt_xlate_add(xl, ". mark ");
if (!(info->flags & XT_RPFILTER_LOOSE))
xt_xlate_add(xl, ". iif ");
xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");
return 1;
}
static struct xtables_match rpfilter_match = { static struct xtables_match rpfilter_match = {
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.name = "rpfilter", .name = "rpfilter",
...@@ -88,6 +113,7 @@ static struct xtables_match rpfilter_match = { ...@@ -88,6 +113,7 @@ static struct xtables_match rpfilter_match = {
.save = rpfilter_save, .save = rpfilter_save,
.x6_parse = rpfilter_parse, .x6_parse = rpfilter_parse,
.x6_options = rpfilter_opts, .x6_options = rpfilter_opts,
.xlate = rpfilter_xlate,
}; };
void _init(void) void _init(void)
......
:PREROUTING
*mangle
-m rpfilter;=;OK
-m rpfilter --loose --validmark --accept-local --invert;=;OK
:INPUT,FORWARD,OUTPUT
-p sctp -m sctp --sport 1;=;OK
-p sctp -m sctp --sport 65535;=;OK
-p sctp -m sctp --sport 1:65535;=;OK
-p sctp -m sctp --sport -1;;FAIL
-p sctp -m sctp --sport 65536;;FAIL
-p sctp -m sctp --dport 1;=;OK
-p sctp -m sctp --dport 1:65535;=;OK
-p sctp -m sctp --dport 65535;=;OK
-p sctp -m sctp --dport -1;;FAIL
-p sctp -m sctp --dport 65536;;FAIL
-p sctp -m sctp --chunk-types all DATA;=;OK
-p sctp -m sctp --chunk-types all INIT;=;OK
-p sctp -m sctp --chunk-types all INIT_ACK;=;OK
-p sctp -m sctp --chunk-types all SACK;=;OK
-p sctp -m sctp --chunk-types all HEARTBEAT;=;OK
-p sctp -m sctp --chunk-types all HEARTBEAT_ACK;=;OK
-p sctp -m sctp --chunk-types all ABORT;=;OK
-p sctp -m sctp --chunk-types all SHUTDOWN;=;OK
-p sctp -m sctp --chunk-types all SHUTDOWN_ACK;=;OK
-p sctp -m sctp --chunk-types all ERROR;=;OK
-p sctp -m sctp --chunk-types all COOKIE_ECHO;=;OK
-p sctp -m sctp --chunk-types all COOKIE_ACK;=;OK
-p sctp -m sctp --chunk-types all ECN_ECNE;=;OK
-p sctp -m sctp --chunk-types all ECN_CWR;=;OK
# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF
# -p sctp -m sctp --chunk-types all ASCONF;=;OK
# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF_ACK
# -p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK
# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all FORWARD_TSN
# -p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK
-p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK
:INPUT,FORWARD,OUTPUT
-m set --match-set foo;;FAIL
# fails: foo does not exist
-m set --match-set foo src,dst;;FAIL
:PREROUTING,INPUT
*mangle
-m socket;=;OK
-m socket --transparent --nowildcard;=;OK
-m socket --transparent --nowildcard --restore-skmark;=;OK
-m socket --transparent --restore-skmark;=;OK
-m socket --nowildcard --restore-skmark;=;OK
-m socket --restore-skmark;=;OK
:INPUT,FORWARD,OUTPUT
-j DROP;=;OK
-j ACCEPT;=;OK
-j RETURN;=;OK
:INPUT,FORWARD,OUTPUT
-m state --state INVALID;=;OK
-m state --state NEW,RELATED;=;OK
-m state --state UNTRACKED;=;OK
-m state wrong;;FAIL
-m state;;FAIL
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment