Commit fad817ca authored by Arturo Borrero Gonzalez's avatar Arturo Borrero Gonzalez

Update upstream source from tag 'upstream/1.8.3'

Update to upstream version '1.8.3'
with Debian dir 66f8af1a5343b08e330d9f57b47d05089073b3f9
parents c0846eba 89c92f0c
:INPUT,FORWARD,OUTPUT
-m helper --helper ftp;=;OK
# should be OK?
# ERROR: should fail: iptables -A INPUT -m helper --helper wrong
# -m helper --helper wrong;;FAIL
-m helper;;FAIL
:INPUT,OUTPUT
-p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK
-p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK
:INPUT,FORWARD,OUTPUT
-m iprange --src-range 1.1.1.1-1.1.1.10;=;OK
-m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
-m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
-m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
# -m iprange --src-range 1.1.1.1;;FAIL
# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
#-m iprange --dst-range 1.1.1.1;;FAIL
-m iprange;;FAIL
...@@ -27,7 +27,7 @@ enum { ...@@ -27,7 +27,7 @@ enum {
static const struct xt_option_entry ipvs_mt_opts[] = { static const struct xt_option_entry ipvs_mt_opts[] = {
{.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE, {.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE,
.flags = XTOPT_INVERT}, .flags = XTOPT_INVERT},
{.name = "vproto", .id = O_VPROTO, .type = XTTYPE_STRING, {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_PROTOCOL,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)}, .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)},
{.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK, {.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_INVERT}, .flags = XTOPT_INVERT},
...@@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb) ...@@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb)
xtables_option_parse(cb); xtables_option_parse(cb);
switch (cb->entry->id) { switch (cb->entry->id) {
case O_VPROTO:
data->l4proto = cb->val.protocol;
break;
case O_VADDR: case O_VADDR:
memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr)); memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr));
memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask)); memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask));
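Review bot: Dropping `case O_VPROTO:` makes data->l4proto depend entirely on xtables_option_parse() storing cb->val.protocol through the XTOPT_PUT / XTOPT_POINTER(s, l4proto) entry, which is only correct if the XT_IPVS_PROTO bit in data->bitmask (and data->invert for `! --vproto`) is still set for this option somewhere outside the switch; that code is not in the hunk and should be confirmed, since the new `--vproto` test cases further down this commit presumably rely on it. A one-line comment above the switch would stop the next reader from re-adding the case: `/* O_VPROTO needs no case: XTOPT_PUT stores cb->val.protocol into l4proto */`. ipvs_mt_parse starts and ends outside the hunk.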
...@@ -168,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data, ...@@ -168,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data,
if (data->bitmask & XT_IPVS_PROTO) { if (data->bitmask & XT_IPVS_PROTO) {
if (data->invert & XT_IPVS_PROTO) if (data->invert & XT_IPVS_PROTO)
printf(" !"); printf(" !");
printf(" %sproto %u", prefix, data->l4proto); printf(" %svproto %u", prefix, data->l4proto);
} }
if (data->bitmask & XT_IPVS_VADDR) { if (data->bitmask & XT_IPVS_VADDR) {
......
:INPUT,FORWARD,OUTPUT
-m ipvs --ipvs;=;OK
-m ipvs ! --ipvs;=;OK
-m ipvs --vproto tcp;-m ipvs --vproto 6;OK
-m ipvs ! --vproto TCP;-m ipvs ! --vproto 6;OK
-m ipvs --vproto 23;=;OK
-m ipvs --vaddr 1.2.3.4;=;OK
-m ipvs ! --vaddr 1.2.3.4/255.255.255.0;-m ipvs ! --vaddr 1.2.3.4/24;OK
-m ipvs --vport http;-m ipvs --vport 80;OK
-m ipvs ! --vport ssh;-m ipvs ! --vport 22;OK
-m ipvs --vport 22;=;OK
-m ipvs ! --vport 443;=;OK
-m ipvs --vdir ORIGINAL;=;OK
-m ipvs --vdir REPLY;=;OK
-m ipvs --vmethod GATE;=;OK
-m ipvs ! --vmethod IPIP;=;OK
-m ipvs --vmethod MASQ;=;OK
-m ipvs --vportctl 21;=;OK
-m ipvs ! --vportctl 21;=;OK
-m ipvs --vproto 6 --vaddr 1.2.3.4/16 --vport 22 --vdir ORIGINAL --vmethod GATE;=;OK
:INPUT,FORWARD,OUTPUT
-m length --length 1;=;OK
-m length --length :2;-m length --length 0:2;OK
-m length --length 0:3;=;OK
-m length --length 4:;=;OK
-m length --length 0:65535;=;OK
-m length ! --length 0:65535;=;OK
-m length --length 0:65536;;FAIL
-m length --length -1:65535;;FAIL
-m length;;FAIL
:INPUT,FORWARD,OUTPUT
-m limit --limit 1/sec;=;OK
-m limit --limit 1/min;=;OK
-m limit --limit 1000/hour;=;OK
-m limit --limit 1000/day;=;OK
-m limit --limit 1/sec --limit-burst 1;=;OK
:INPUT,FORWARD
-m mac --mac-source 42:01:02:03:04:05;=;OK
-m mac --mac-source 42:01:02:03:04;=;FAIL
-m mac --mac-source 42:01:02:03:04:05:06;=;FAIL
-m mac;;FAIL
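Review bot: The two FAIL rules for the truncated and over-long MAC address carry `=` in the expected-output field (`-m mac --mac-source 42:01:02:03:04;=;FAIL`), while every other FAIL case in this commit leaves that field empty (`;;FAIL`); the field is presumably ignored for a rule that must be rejected, so the mixed form only reads as if a save output were being compared. For consistency change them to `-m mac --mac-source 42:01:02:03:04;;FAIL` and `-m mac --mac-source 42:01:02:03:04:05:06;;FAIL`.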
:INPUT,FORWARD,OUTPUT
-m mark --mark 0xfeedcafe/0xfeedcafe;=;OK
-m mark --mark 0;=;OK
-m mark --mark 4294967295;-m mark --mark 0xffffffff;OK
-m mark --mark 4294967296;;FAIL
-m mark --mark -1;;FAIL
-m mark;;FAIL
:INPUT,FORWARD,OUTPUT
-p tcp -m multiport --sports 53,1024:65535;=;OK
-p tcp -m multiport --dports 53,1024:65535;=;OK
-p udp -m multiport --sports 53,1024:65535;=;OK
-p udp -m multiport --dports 53,1024:65535;=;OK
-p udp -m multiport --ports 53,1024:65535;=;OK
-p udp -m multiport --ports 53,1024:65535;=;OK
-p sctp -m multiport --sports 53,1024:65535;=;OK
-p sctp -m multiport --dports 53,1024:65535;=;OK
-p dccp -m multiport --sports 53,1024:65535;=;OK
-p dccp -m multiport --dports 53,1024:65535;=;OK
-p udplite -m multiport --sports 53,1024:65535;=;OK
-p udplite -m multiport --dports 53,1024:65535;=;OK
-p tcp -m multiport --sports 1024:65536;;FAIL
-p udp -m multiport --sports 1024:65536;;FAIL
-p tcp -m multiport --ports 1024:65536;;FAIL
-p udp -m multiport --ports 1024:65536;;FAIL
-p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15;=;OK
# fix manpage, it says "up to 15 ports supported"
# ERROR: should fail: iptables -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16
# -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15,16;;FAIL
-p tcp --multiport;;FAIL
-m multiport;;FAIL
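Review bot: Two consecutive `--ports` rules in this file are byte-identical (`-p udp -m multiport --ports 53,1024:65535;=;OK` appears twice), so the second is a copy-paste leftover that adds no coverage. Given that `--sports`/`--dports` are exercised for both tcp and udp while `--ports` is only exercised for udp, the intended line is probably `-p tcp -m multiport --ports 53,1024:65535;=;OK`; the later FAIL cases already cover `--ports` for both protocols.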
:INPUT,FORWARD,OUTPUT
@nfacct add test
#
# extra space in iptables-save output, fix it
#
# ERROR: cannot load: iptables -A INPUT -m nfacct --nfacct-name test
#-m nfacct --nfacct-name test;=;OK
-m nfacct --nfacct-name wrong;;FAIL
-m nfacct;;FAIL
@nfacct del test
...@@ -41,5 +41,5 @@ To remove them again, ...@@ -41,5 +41,5 @@ To remove them again,
.PP .PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP \fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
.PP .PP
The fingerprint database can be downlaoded from The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
:INPUT,FORWARD
-m osf --genre linux --ttl 0 --log 0;;FAIL
-p tcp -m osf --genre linux --ttl 0 --log 0;=;OK
-p tcp -m osf --genre linux --ttl 3 --log 0;;FAIL
:OUTPUT,POSTROUTING
*mangle
-m owner --uid-owner root;-m owner --uid-owner 0;OK
-m owner --uid-owner 0-10;=;OK
-m owner --gid-owner root;-m owner --gid-owner 0;OK
-m owner --gid-owner 0-10;=;OK
-m owner --uid-owner root --gid-owner root;-m owner --uid-owner 0 --gid-owner 0;OK
-m owner --uid-owner 0-10 --gid-owner 0-10;=;OK
-m owner ! --uid-owner root;-m owner ! --uid-owner 0;OK
-m owner --socket-exists;=;OK
:INPUT
-m owner --uid-owner root;;FAIL
:INPUT,FORWARD
-m physdev --physdev-in lo;=;OK
-m physdev --physdev-is-in --physdev-in lo;=;OK
:OUTPUT,FORWARD
# xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
# ERROR: should fail: iptables -A FORWARD -m physdev --physdev-out lo
#-m physdev --physdev-out lo;;FAIL
# ERROR: cannot load: iptables -A OUTPUT -m physdev --physdev-is-out --physdev-out lo
#-m physdev --physdev-is-out --physdev-out lo;=;OK
:FORWARD
-m physdev --physdev-in lo --physdev-is-bridged;=;OK
:POSTROUTING
*mangle
-m physdev --physdev-out lo --physdev-is-bridged;=;OK
:INPUT,FORWARD,OUTPUT
-m pkttype --pkt-type unicast;=;OK
-m pkttype --pkt-type broadcast;=;OK
-m pkttype --pkt-type multicast;=;OK
-m pkttype --pkt-type wrong;;FAIL
-m pkttype;;FAIL
:INPUT,FORWARD
-m policy --dir in --pol ipsec;=;OK
-m policy --dir in --pol ipsec --proto ipcomp;=;OK
-m policy --dir in --pol ipsec --strict;;FAIL
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp;=;OK
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --tunnel-dst 10.0.0.0/8;;FAIL
-m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto ipcomp --mode tunnel --tunnel-dst 10.0.0.0/8 --tunnel-src 10.0.0.0/8 --next --reqid 2;=;OK
:INPUT,FORWARD,OUTPUT
-m quota --quota 0;=;OK
-m quota ! --quota 0;=;OK
-m quota --quota 18446744073709551615;=;OK
-m quota ! --quota 18446744073709551615;=;OK
-m quota --quota 18446744073709551616;;FAIL
-m quota;;FAIL
:INPUT,FORWARD,OUTPUT
%iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit;=;OK
-m rateest --rateest RE1 --rateest-eq --rateest-pps 5;=;OK
-m rateest --rateest RE1 --rateest-gt --rateest-bps 5kbit;-m rateest --rateest RE1 --rateest-gt --rateest-bps 5000bit;OK
-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit;=;OK
%iptables -I INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-m rateest --rateest1 RE1 --rateest-lt --rateest-bps --rateest2 RE2;=;OK
-m rateest --rateest-delta --rateest1 RE1 --rateest-pps1 0 --rateest-lt --rateest-pps2 42 --rateest2 RE2;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9;=;OK
-m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9;=;OK
%iptables -D INPUT -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
%iptables -D INPUT -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
:INPUT,FORWARD,OUTPUT
-m recent --set;=;OK
-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --update --rttl;=;OK
-m recent --set --rttl;;FAIL
-m recent --rcheck --hitcount 999 --name foo --mask 255.255.255.255 --rsource;;FAIL
# nonsensical, but all should load successfully:
-m recent --rcheck --hitcount 3 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 4 --name foo --mask 255.255.255.255 --rsource;=;OK
-m recent --rcheck --hitcount 8 --name foo --mask 255.255.255.255 --rsource -m recent --rcheck --hitcount 12 --name foo --mask 255.255.255.255 --rsource;=;OK