New upstream version 1.6.1

extensions/libip6t_LOG.c

@@ -189,22 +189,44 @@ static int LOG_xlate(struct xt_xlate *xl,
 		(const struct ip6t_log_info *)params->target->data;
 	unsigned int i = 0;
 
-	xt_xlate_add(xl, "log ");
+	xt_xlate_add(xl, "log");
 	if (strcmp(loginfo->prefix, "") != 0) {
 		if (params->escape_quotes)
-			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
 		else
-			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+			xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
 	}
 
 	for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
 		if (loginfo->level == ip6t_log_xlate_names[i].level &&
 		    loginfo->level != LOG_DEFAULT_LEVEL) {
-			xt_xlate_add(xl, "level %s",
+			xt_xlate_add(xl, " level %s",
 				   ip6t_log_xlate_names[i].name);
 			break;
 		}
 
+	if ((loginfo->logflags & IP6T_LOG_MASK) == IP6T_LOG_MASK) {
+		xt_xlate_add(xl, " flags all");
+	} else {
+		if (loginfo->logflags & (IP6T_LOG_TCPSEQ | IP6T_LOG_TCPOPT)) {
+			const char *delim = " ";
+
+			xt_xlate_add(xl, " flags tcp");
+			if (loginfo->logflags & IP6T_LOG_TCPSEQ) {
+				xt_xlate_add(xl, " sequence");
+				delim = ",";
+			}
+			if (loginfo->logflags & IP6T_LOG_TCPOPT)
+				xt_xlate_add(xl, "%soptions", delim);
+		}
+		if (loginfo->logflags & IP6T_LOG_IPOPT)
+			xt_xlate_add(xl, " flags ip options");
+		if (loginfo->logflags & IP6T_LOG_UID)
+			xt_xlate_add(xl, " flags skuid");
+		if (loginfo->logflags & IP6T_LOG_MACDECODE)
+			xt_xlate_add(xl, " flags ether");
+	}
+
 	return 1;
 }
 static struct xtables_target log_tg6_reg = {

extensions/libip6t_LOG.t

-:INPUT,FORWARD,OUTPUT
--j LOG;-j LOG;OK
--j LOG --log-prefix "test: ";=;OK
--j LOG --log-prefix "test: " --log-level 1;=;OK
-# iptables displays the log-level output using the number; not the string
--j LOG --log-prefix "test: " --log-level alert;-j LOG --log-prefix "test: " --log-level 1;OK
--j LOG --log-prefix "test: " --log-tcp-sequence;=;OK
--j LOG --log-prefix "test: " --log-tcp-options;=;OK
--j LOG --log-prefix "test: " --log-ip-options;=;OK
--j LOG --log-prefix "test: " --log-uid;=;OK
--j LOG --log-prefix "test: " --log-level bad;;FAIL
--j LOG --log-prefix;;FAIL

extensions/libip6t_MASQUERADE.t

-:POSTROUTING
-*nat
--j MASQUERADE;=;OK
--j MASQUERADE --random;=;OK
--p tcp -j MASQUERADE --to-ports 1024;=;OK
--p udp -j MASQUERADE --to-ports 1024-65535;=;OK
--p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
--p udp -j MASQUERADE --to-ports -1;;FAIL

extensions/libip6t_NETMAP.t

-:PREROUTING,INPUT,OUTPUT,POSTROUTING
-*nat
--j NETMAP --to dead::/64;=;OK
--j NETMAP --to dead::beef;=;OK

extensions/libip6t_REDIRECT.t

-:PREROUTING,OUTPUT
-*nat
--p tcp -j REDIRECT --to-ports 42;=;OK
--p udp -j REDIRECT --to-ports 42-1234;=;OK
--p tcp -j REDIRECT --to-ports 42-1234 --random;=;OK
--j REDIRECT --to-ports 42;;FAIL

extensions/libip6t_REJECT.t

-:INPUT,FORWARD,OUTPUT
--j REJECT;=;OK
-# manpage for IPv6 variant of REJECT does not show up for some reason?
--j REJECT --reject-with icmp6-no-route;=;OK
--j REJECT --reject-with icmp6-adm-prohibited;=;OK
--j REJECT --reject-with icmp6-addr-unreachable;=;OK
--j REJECT --reject-with icmp6-port-unreachable;=;OK
--j REJECT --reject-with icmp6-policy-fail;=;OK
--j REJECT --reject-with icmp6-reject-route;=;OK
--p tcp -j REJECT --reject-with tcp-reset;=;OK
--j REJECT --reject-with tcp-reset;;FAIL

extensions/libip6t_SNAT.t

-:POSTROUTING
-*nat
--j SNAT --to-source dead::beef;=;OK
--j SNAT --to-source dead::beef-dead::fee7;=;OK
--p tcp -j SNAT --to-source [dead::beef]:1025-65535;=;OK
--p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK
--p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL
--j SNAT;;FAIL

extensions/libip6t_SNPT.t

-:INPUT,POSTROUTING
-*mangle
--j SNPT --src-pfx dead::/64 --dst-pfx 1c3::/64;=;OK
--j SNPT --src-pfx dead::beef --dst-pfx 1c3::/64;;FAIL
--j SNPT --src-pfx dead::/64;;FAIL
--j SNPT --dst-pfx dead::/64;;FAIL
--j SNPT;;FAIL

extensions/libip6t_ah.c

@@ -152,8 +152,13 @@ static int ah_xlate(struct xt_xlate *xl,
 		space = " ";
 	}
 
-	if (ahinfo->hdrres != 0)
+	if (ahinfo->hdrres != 0) {
 		xt_xlate_add(xl, "%sah reserved %u", space, ahinfo->hdrres);
+		space = " ";
+	}
+
+	if (!space[0]) /* plain '-m ah' */
+		xt_xlate_add(xl, "meta l4proto ah");
 
 	return 1;
 }

extensions/libip6t_ah.t

-:INPUT,FORWARD,OUTPUT
--m ah --ahspi 0;=;OK
--m ah --ahspi 4294967295;=;OK
--m ah --ahspi 0:4294967295;-m ah;OK
--m ah ! --ahspi 0;=;OK
-# ERROR: should fail: iptables -A FORWARD -t mangle -j CLASSIFY --set-class 1:-1
-# -m ah --ahres;=;OK
-# ERROR: line 7 (cannot find: ip6tables -I INPUT -m ah --ahlen 32
-# -m ah --ahlen 32;=;OK
--m ah --ahspi -1;;FAIL
--m ah --ahspi 4294967296;;FAIL
--m ah --ahspi invalid;;FAIL
--m ah --ahspi 0:invalid;;FAIL
--m ah --ahspi;;FAIL
--m ah;=;OK

extensions/libip6t_dst.t

-:INPUT,FORWARD,OUTPUT
--m dst --dst-len 0;=;OK
--m dst --dst-opts 149:92,12:12,123:12;=;OK
--m dst ! --dst-len 42;=;OK
--m dst --dst-len 42 --dst-opts 149:92,12:12,123:12;=;OK

extensions/libip6t_eui64.t

-:PREROUTING
-*raw
--m eui64;=;OK
-:INPUT,FORWARD
-*filter
--m eui64;=;OK
-:OUTPUT
--m eui64;;FAIL

extensions/libip6t_frag.t

-:INPUT,FORWARD,OUTPUT
--m frag --fragid 1:42;=;OK
--m frag --fraglen 42;=;OK
--m frag --fragres;=;OK
--m frag --fragfirst;=;OK
--m frag --fragmore;=;OK
--m frag --fraglast;=;OK
--m frag ! --fragid 1 ! --fraglen 42 --fragres --fragfirst;=;OK
--m frag --fragfirst --fragmore;=;OK
--m frag --fragfirst --fraglast;=;OK
--m frag --fraglast --fragmore;;FAIL

extensions/libip6t_hbh.t

-:INPUT,FORWARD,OUTPUT
--m hbh;=;OK
--m hbh --hbh-len 42;=;OK
--m hbh ! --hbh-len 42;=;OK
--m hbh --hbh-len 42 --hbh-opts 1:2,23:42,4:6,8:10,42,23,4:5;=;OK

extensions/libip6t_hl.t

-:INPUT,FORWARD,OUTPUT
--m hl;;FAIL
--m hl --hl-eq 42;=;OK
--m hl ! --hl-eq 42;=;OK
--m hl --hl-lt 42;=;OK
--m hl --hl-gt 42;=;OK
--m hl --hl-gt 42 --hl-eq 42;;FAIL
--m hl --hl-gt;;FAIL

extensions/libip6t_icmp6.t

-:INPUT,FORWARD,OUTPUT
--m icmpv6;;FAIL
--p ipv6-icmp -m icmp6 --icmpv6-type 1/0;=;OK
--p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK
-# cannot use option twice:
--p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL

extensions/libip6t_ipv6header.t

-:INPUT,FORWARD,OUTPUT
--m ipv6header --header hop-by-hop;=;OK
--m ipv6header --header hop-by-hop --soft;=;OK
--m ipv6header --header ipv6-nonxt;=;OK

extensions/libip6t_mh.t

-:INPUT,FORWARD,OUTPUT
--m mh;;FAIL
--p mobility-header -m mh;=;OK
--p mobility-header -m mh --mh-type 1;=;OK
--p mobility-header -m mh ! --mh-type 4;=;OK
--p mobility-header -m mh --mh-type 4:123;=;OK

extensions/libip6t_rt.t

-:INPUT,FORWARD,OUTPUT
--m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK
--m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK
--m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK
--m rt;=;OK

extensions/libipt_DNAT.t

-:PREROUTING
-*nat
--j DNAT --to-destination 1.1.1.1;=;OK
--j DNAT --to-destination 1.1.1.1-1.1.1.10;=;OK
--p tcp -j DNAT --to-destination 1.1.1.1:1025-65535;=;OK
--p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65535;=;OK
--p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65536;;FAIL
--j DNAT;;FAIL