New upstream version 1.6.1

extensions/libxt_mac.t

-:INPUT,FORWARD
--m mac --mac-source 42:01:02:03:04:05;=;OK
--m mac --mac-source 42:01:02:03:04;=;FAIL
--m mac --mac-source 42:01:02:03:04:05:06;=;FAIL
--m mac;;FAIL

extensions/libxt_mark.t

-:INPUT,FORWARD,OUTPUT
--m mark --mark 0xfeedcafe/0xfeedcafe;=;OK
--m mark --mark 0;=;OK
--m mark --mark 4294967295;-m mark --mark 0xffffffff;OK
--m mark --mark 4294967296;;FAIL
--m mark --mark -1;;FAIL
--m mark;;FAIL

extensions/libxt_multiport.c

@@ -108,7 +108,6 @@ parse_multi_ports_v1(const char *portstring,
 {
 	char *buffer, *cp, *next, *range;
 	unsigned int i;
-	uint16_t m;
 
 	buffer = strdup(portstring);
 	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
@@ -133,7 +132,6 @@ parse_multi_ports_v1(const char *portstring,
 			if (multiinfo->ports[i-1] >= multiinfo->ports[i])
 				xtables_error(PARAMETER_PROBLEM,
 					   "invalid portrange specified");
-			m <<= 1;
 		}
  	}
 	multiinfo->count = i;

extensions/libxt_multiport.t

-:INPUT,FORWARD,OUTPUT
--p tcp -m multiport --sports 53,1024:65535;=;OK
--p tcp -m multiport --dports 53,1024:65535;=;OK
--p udp -m multiport --sports 53,1024:65535;=;OK
--p udp -m multiport --dports 53,1024:65535;=;OK
--p udp -m multiport --ports 53,1024:65535;=;OK
--p udp -m multiport --ports 53,1024:65535;=;OK
--p sctp -m multiport --sports 53,1024:65535;=;OK
--p sctp -m multiport --dports 53,1024:65535;=;OK
--p dccp -m multiport --sports 53,1024:65535;=;OK
--p dccp -m multiport --dports 53,1024:65535;=;OK
--p udplite -m multiport --sports 53,1024:65535;=;OK
--p udplite -m multiport --dports 53,1024:65535;=;OK
--p tcp -m multiport --sports 1024:65536;;FAIL
--p udp -m multiport --sports 1024:65536;;FAIL
--p tcp -m multiport --ports 1024:65536;;FAIL
--p udp -m multiport --ports 1024:65536;;FAIL
--p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15;=;OK
-# fix manpage, it says "up to 15 ports supported"
-# ERROR: should fail: iptables -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16
-# -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16;;FAIL
--p tcp --multiport;;FAIL
--m multiport;;FAIL

extensions/libxt_nfacct.t

-:INPUT,FORWARD,OUTPUT
-@nfacct add test
-#
-# extra space in iptables-save output, fix it
-#
-# ERROR: cannot load: iptables -A INPUT -m nfacct --nfacct-name test
-#-m nfacct --nfacct-name test;=;OK
--m nfacct --nfacct-name wrong;;FAIL
--m nfacct;;FAIL
-@nfacct del test

extensions/libxt_osf.t

-:INPUT,FORWARD
--m osf --genre linux --ttl 0 --log 0;;FAIL
--p tcp -m osf --genre linux --ttl 0 --log 0;=;OK
--p tcp -m osf --genre linux --ttl 3 --log 0;;FAIL

extensions/libxt_owner.t

-:OUTPUT,POSTROUTING
-*mangle
--m owner --uid-owner root;-m owner --uid-owner 0;OK
--m owner --uid-owner 0-10;=;OK
--m owner --gid-owner root;-m owner --gid-owner 0;OK
--m owner --gid-owner 0-10;=;OK
--m owner --uid-owner root --gid-owner root;-m owner --uid-owner 0 --gid-owner 0;OK
--m owner --uid-owner 0-10 --gid-owner 0-10;=;OK
--m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK
--m owner --socket-exists;=;OK
-:INPUT
--m owner --uid-owner root;;FAIL

extensions/libxt_physdev.t

-:INPUT,FORWARD
--m physdev --physdev-in lo;=;OK
--m physdev --physdev-is-in --physdev-in lo;=;OK
-:OUTPUT,FORWARD
-# xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
-# ERROR: should fail: iptables -A FORWARD -m physdev --physdev-out lo
-#-m physdev --physdev-out lo;;FAIL
-# ERROR: cannot load: iptables -A OUTPUT -m physdev --physdev-is-out --physdev-out lo
-#-m physdev --physdev-is-out --physdev-out lo;=;OK
-:FORWARD
--m physdev --physdev-in lo --physdev-is-bridged;=;OK
-:POSTROUTING
-*mangle
--m physdev --physdev-out lo --physdev-is-bridged;=;OK

extensions/libxt_pkttype.t

-:INPUT,FORWARD,OUTPUT
--m pkttype --pkt-type unicast;=;OK
--m pkttype --pkt-type broadcast;=;OK
--m pkttype --pkt-type multicast;=;OK
--m pkttype --pkt-type wrong;;FAIL
--m pkttype;;FAIL

extensions/libxt_policy.t

-:INPUT,FORWARD
--m policy --dir in --pol ipsec;=;OK
--m policy --dir in --pol ipsec --strict;;FAIL
--m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
--m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL

extensions/libxt_quota.t

-:INPUT,FORWARD,OUTPUT
--m quota --quota 0;=;OK
--m quota ! --quota 0;=;OK
--m quota --quota 18446744073709551615;=;OK
--m quota ! --quota 18446744073709551615;=;OK
--m quota --quota 18446744073709551616;;FAIL
--m quota;;FAIL

extensions/libxt_rateest.t

-:INPUT,FORWARD,OUTPUT
-@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
--m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit;=;OK
--m rateest --rateest RE1 --rateest-eq --rateest-pps 5;=;OK
--m rateest --rateest RE1 --rateest-gt --rateest-bps 5kbit;-m rateest --rateest RE1 --rateest-gt --rateest-bps 5000bit;OK
--m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit;=;OK
-@iptables -I INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
--m rateest --rateest1 RE1 --rateest-lt --rateest-bps --rateest2 RE2;=;OK
--m rateest --rateest-delta --rateest1 RE1 --rateest-pps1 0 --rateest-lt --rateest-pps2 42 --rateest2 RE2;=;OK
--m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit;=;OK
--m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit;=;OK
--m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9;=;OK
--m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9;=;OK
--m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9;=;OK
-@iptables -D INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-@iptables -D INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms

extensions/libxt_recent.t

-:INPUT,FORWARD,OUTPUT
--m recent --set;=;OK
--m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --update --rttl;=;OK
--m recent --set --rttl;;FAIL
--m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;;FAIL
-# nonsensical, but all should load successfully:
--m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
--m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK

extensions/libxt_rpfilter.c

@@ -77,6 +77,31 @@ static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
 	return rpfilter_print_prefix(ip, match->data, "--");
 }
 
+static int rpfilter_xlate(struct xt_xlate *xl,
+			  const struct xt_xlate_mt_params *params)
+{
+	const struct xt_rpfilter_info *info = (void *)params->match->data;
+	bool invert = info->flags & XT_RPFILTER_INVERT;
+
+	if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) {
+		if (invert)
+			xt_xlate_add(xl, "fib saddr type != local ");
+		else
+			return 0;
+	}
+
+	xt_xlate_add(xl, "fib saddr ");
+
+	if (info->flags & XT_RPFILTER_VALID_MARK)
+		xt_xlate_add(xl, ". mark ");
+	if (!(info->flags & XT_RPFILTER_LOOSE))
+		xt_xlate_add(xl, ". iif ");
+
+	xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");
+
+	return 1;
+}
+
 static struct xtables_match rpfilter_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "rpfilter",
@@ -88,6 +113,7 @@ static struct xtables_match rpfilter_match = {
 	.save		= rpfilter_save,
 	.x6_parse	= rpfilter_parse,
 	.x6_options	= rpfilter_opts,
+	.xlate		= rpfilter_xlate,
 };
 
 void _init(void)

extensions/libxt_rpfilter.t

-:PREROUTING
-*mangle
--m rpfilter;=;OK
--m rpfilter --loose --validmark --accept-local --invert;=;OK

extensions/libxt_sctp.t

-:INPUT,FORWARD,OUTPUT
--p sctp -m sctp --sport 1;=;OK
--p sctp -m sctp --sport 65535;=;OK
--p sctp -m sctp --sport 1:65535;=;OK
--p sctp -m sctp --sport -1;;FAIL
--p sctp -m sctp --sport 65536;;FAIL
--p sctp -m sctp --dport 1;=;OK
--p sctp -m sctp --dport 1:65535;=;OK
--p sctp -m sctp --dport 65535;=;OK
--p sctp -m sctp --dport -1;;FAIL
--p sctp -m sctp --dport 65536;;FAIL
--p sctp -m sctp --chunk-types all DATA;=;OK
--p sctp -m sctp --chunk-types all INIT;=;OK
--p sctp -m sctp --chunk-types all INIT_ACK;=;OK
--p sctp -m sctp --chunk-types all SACK;=;OK
--p sctp -m sctp --chunk-types all HEARTBEAT;=;OK
--p sctp -m sctp --chunk-types all HEARTBEAT_ACK;=;OK
--p sctp -m sctp --chunk-types all ABORT;=;OK
--p sctp -m sctp --chunk-types all SHUTDOWN;=;OK
--p sctp -m sctp --chunk-types all SHUTDOWN_ACK;=;OK
--p sctp -m sctp --chunk-types all ERROR;=;OK
--p sctp -m sctp --chunk-types all COOKIE_ECHO;=;OK
--p sctp -m sctp --chunk-types all COOKIE_ACK;=;OK
--p sctp -m sctp --chunk-types all ECN_ECNE;=;OK
--p sctp -m sctp --chunk-types all ECN_CWR;=;OK
-# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF
-# -p sctp -m sctp --chunk-types all ASCONF;=;OK
-# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF_ACK
-# -p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK
-# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all FORWARD_TSN
-# -p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK
--p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK

extensions/libxt_set.t

-:INPUT,FORWARD,OUTPUT
--m set --match-set foo;;FAIL
-# fails: foo does not exist
--m set --match-set foo src,dst;;FAIL

extensions/libxt_socket.t

-:PREROUTING,INPUT
-*mangle
--m socket;=;OK
--m socket --transparent --nowildcard;=;OK
--m socket --transparent --nowildcard --restore-skmark;=;OK
--m socket --transparent --restore-skmark;=;OK
--m socket --nowildcard --restore-skmark;=;OK
--m socket --restore-skmark;=;OK

extensions/libxt_standard.t

-:INPUT,FORWARD,OUTPUT
--j DROP;=;OK
--j ACCEPT;=;OK
--j RETURN;=;OK

extensions/libxt_state.t

-:INPUT,FORWARD,OUTPUT
--m state --state INVALID;=;OK
--m state --state NEW,RELATED;=;OK
--m state --state UNTRACKED;=;OK
--m state wrong;;FAIL
--m state;;FAIL