* A few more iptables patches
From: Jan Engelhardt
Date: 2008-04-13 8:25 UTC
To: kaber; +Cc: netfilter-devel
Few more patches. The ones you chose not to cherry-pick I have
floated upwards in the stg stack, so the following 8 are against
svn base r7475.
* [PATCH 1/8] Import iptables-apply
From: Jan Engelhardt
Date: 2008-04-13 8:25 UTC
To: kaber; +Cc: netfilter-devel
---
iptables-apply | 174 ++++++++++++++++++++++++++++++++++++++++++++++
iptables-apply.8 | 44 ++++++++++++
2 files changed, 218 insertions(+), 0 deletions(-)
create mode 100755 iptables-apply
create mode 100644 iptables-apply.8
diff --git a/iptables-apply b/iptables-apply
new file mode 100755
index 0000000..5fec76b
--- /dev/null
+++ b/iptables-apply
@@ -0,0 +1,174 @@
+#!/bin/bash
+#
+# iptables-apply -- a safer way to update iptables remotely
+#
+# Copyright © Martin F. Krafft <madduck@madduck.net>
+# Released under the terms of the Artistic Licence 2.0
+#
+set -eu
+
+PROGNAME="${0##*/}";
+VERSION=1.0
+
+TIMEOUT=10
+DEFAULT_FILE=/etc/network/iptables
+
+function blurb()
+{
+ cat <<-_eof
+ $PROGNAME $VERSION -- a safer way to update iptables remotely
+ _eof
+}
+
+function copyright()
+{
+ cat <<-_eof
+ $PROGNAME is C Martin F. Krafft <madduck@madduck.net>.
+
+ The program has been published under the terms of the Artistic Licence 2.0
+ _eof
+}
+
+function about()
+{
+ blurb
+ echo
+ copyright
+}
+
+function usage()
+{
+ cat <<-_eof
+ Usage: $PROGNAME [options] ruleset
+
+ The script will try to apply a new ruleset (as output by iptables-save/read
+ by iptables-restore) to iptables, then prompt the user whether the changes
+ are okay. If the new ruleset cut the existing connection, the user will not
+ be able to answer affirmatively. In this case, the script rolls back to the
+ previous ruleset.
+
+ The following options may be specified, using standard conventions:
+
+ -t | --timeout Specify the timeout in seconds (default: $TIMEOUT)
+ -V | --version Display version information
+ -h | --help Display this help text
+ _eof
+}
+
+SHORTOPTS="t:Vh";
+LONGOPTS="timeout:,version,help";
+
+OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $?
+for opt in $OPTS; do
+ case "$opt" in
+ (-*) unset OPT_STATE;;
+ (*)
+ case "${OPT_STATE:-}" in
+ (SET_TIMEOUT)
+ eval TIMEOUT=$opt
+ case "$TIMEOUT" in
+ ([0-9]*) :;;
+ (*)
+ echo "E: non-numeric timeout value." >&2
+ exit 1
+ ;;
+ esac
+ ;;
+ esac
+ ;;
+ esac
+
+ case "$opt" in
+ (-h|--help) usage >&2; exit 0;;
+ (-V|--version) about >&2; exit 0;;
+ (-t|--timeout) OPT_STATE=SET_TIMEOUT;;
+ (--) break;;
+ esac
+ shift
+done
+
+FILE="${1:-$DEFAULT_FILE}";
+
+if [[ -z "$FILE" ]]; then
+ echo "E: missing file argument." >&2
+ exit 1
+fi
+
+if [[ ! -r "$FILE" ]]; then
+ echo "E: cannot read $FILE" >&2
+ exit 2
+fi
+
+case "${0##*/}" in
+ (*6*)
+ SAVE=ip6tables-save
+ RESTORE=ip6tables-restore
+ ;;
+ (*)
+ SAVE=iptables-save
+ RESTORE=iptables-restore
+ ;;
+esac
+
+COMMANDS=(tempfile "$SAVE" "$RESTORE")
+
+for cmd in "${COMMANDS[@]}"; do
+ if ! command -v $cmd >/dev/null; then
+ echo "E: command not found: $cmd" >&2
+ exit 127
+ fi
+done
+
+umask 0700
+
+TMPFILE=$(tempfile -p iptap)
+trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
+
+if ! "$SAVE" >"$TMPFILE"; then
+ if ! grep -q ipt /proc/modules 2>/dev/null; then
+ echo "E: iptables support lacking from the kernel." >&2
+ exit 3
+ else
+ echo "E: unknown error saving current iptables ruleset." >&2
+ exit 4
+ fi
+fi
+
+[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop
+
+echo -n "Applying new ruleset... "
+if ! "$RESTORE" <"$FILE"; then
+ echo "failed."
+ echo "E: unknown error applying new iptables ruleset." >&2
+ exit 5
+else
+ echo done.
+fi
+
+echo -n "Can you establish NEW connections to the machine? (y/N) "
+
+read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
+case "${ret:-}" in
+ (y*|Y*)
+ echo
+ echo ... then my job is done. See you next time.
+ ;;
+ (*)
+ if [[ -z "${ret:-}" ]]; then
+ echo "apparently not..."
+ else
+ echo
+ fi
+ echo "Timeout. Something happened (or did not). Better play it safe..."
+ echo -n "Reverting to old ruleset... "
+ "$RESTORE" <"$TMPFILE";
+ echo done.
+ exit 255
+ ;;
+esac
+
+[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start
+
+exit 0
+
+# vim:noet:sw=8
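Review bot: the rollback does not survive the very failure mode the script exists for. `trap "rm -f $TMPFILE" EXIT 1 2 3 ...` only deletes the saved ruleset, so if the new rules tear the SSH session down before the timeout (a REJECT with tcp-reset does this: the pty closes and the shell receives SIGHUP) the handler removes the backup and exits with the bad ruleset still loaded. Do the `"$RESTORE" <"$TMPFILE"` inside the signal handler (or ignore SIGHUP for the duration of the prompt) and delete the temp file only after that. Smaller points in the same file: `umask 0700` clears the owner bits and keeps group/other, the intended value is `umask 077`; fail2ban is stopped before the new ruleset is applied but started again only on the success path, so the `exit 5` and `exit 255` branches leave it down; the rollback `"$RESTORE" <"$TMPFILE";` is unchecked, and under `set -eu` a failing restore aborts before "done." without any message, which is the one case the operator must be told about; and `([0-9]*) :;;` validates only the first character of the timeout, so `-t 5x` is accepted and handed to `read -t`; make `(*[!0-9]*|'')` the error case instead.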
diff --git a/iptables-apply.8 b/iptables-apply.8
new file mode 100644
index 0000000..8208fd0
--- /dev/null
+++ b/iptables-apply.8
@@ -0,0 +1,44 @@
+.\" Title: iptables-apply
+.\" Author: Martin F. Krafft
+.\" Date: Jun 04, 2006
+.\"
+.TH iptables\-apply 8 2006-06-04
+.\" disable hyphenation
+.nh
+.SH NAME
+iptables-apply \- a safer way to update iptables remotely
+.SH SYNOPSIS
+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
+.SH "DESCRIPTION"
+.PP
+iptables\-apply will try to apply a new ruleset (as output by
+iptables\-save/read by iptables\-restore) to iptables, then prompt the
+user whether the changes are okay. If the new ruleset cut the existing
+connection, the user will not be able to answer affirmatively. In this
+case, the script rolls back to the previous ruleset after the timeout
+expired. The timeout can be set with \fB\-t\fP.
+.PP
+When called as ip6tables\-apply, the script will use
+ip6tables\-save/\-restore instead.
+.SH OPTIONS
+.TP
+\fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
+Sets the timeout after which the script will roll back to the previous
+ruleset.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Display usage information.
+.TP
+\fB\-V\fP, \fB\-\-version\fP
+Display version information.
+.SH "SEE ALSO"
+.PP
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+.SH LEGALESE
+.PP
+iptables\-apply is copyright by Martin F. Krafft.
+.PP
+This manual page was written by Martin F. Krafft <madduck@madduck.net>
+.PP
+Permission is granted to copy, distribute and/or modify this document
+under the terms of the Artistic License 2.0.
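Review bot: the man page and the script disagree on the argument. SYNOPSIS shows \fIruleset\-file\fP as mandatory, but the script falls back to /etc/network/iptables (DEFAULT_FILE) when none is given; document that default here and in the script's usage() text, or make the argument mandatory in the script. The \-t entry should also state the default of 10 seconds, and the exit statuses the script uses (1 and 2 for argument errors, 127 for a missing tool, 3 and 4 when the current ruleset cannot be saved, 5 when the new one cannot be applied, 255 after a rollback) belong in an EXIT STATUS section, since anything wrapping this tool needs to distinguish "rolled back" from "never applied".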
--
1.5.5.rc3
* [PATCH 2/8] Add all necessary header files - compilation fix for various cases
From: Jan Engelhardt
Date: 2008-04-13 8:25 UTC
To: kaber; +Cc: netfilter-devel
Allow iptables to compile without a kernel source tree. This
implies fixing build for older kernels, such as 2.6.17 which
lack xt_SECMARK.h.
---
Makefile.am | 2 +-
configure.ac | 10 ++-
include/linux/netfilter.h | 2 +
include/linux/netfilter/x_tables.h | 43 +++++++++++++
include/linux/netfilter/xt_SECMARK.h | 26 ++++++++
include/linux/netfilter_ipv4/ip_tables.h | 66 +++------------------
include/linux/netfilter_ipv4/ipt_DSCP.h | 18 ++++++
include/linux/netfilter_ipv4/ipt_LOG.h | 18 ++++++
include/linux/netfilter_ipv4/ipt_REJECT.h | 20 ++++++
include/linux/netfilter_ipv4/ipt_TOS.h | 12 ++++
include/linux/netfilter_ipv4/ipt_dscp.h | 21 +++++++
include/linux/netfilter_ipv4/ipt_owner.h | 20 ++++++
include/linux/netfilter_ipv4/ipt_tos.h | 13 ++++
include/linux/netfilter_ipv6/ip6_tables.h | 46 +++------------
include/linux/netfilter_ipv6/ip6t_LOG.h | 18 ++++++
libipq/Makefile.am | 2 +-
16 files changed, 238 insertions(+), 99 deletions(-)
create mode 100644 include/linux/netfilter/xt_SECMARK.h
create mode 100644 include/linux/netfilter_ipv4/ipt_DSCP.h
create mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h
create mode 100644 include/linux/netfilter_ipv4/ipt_REJECT.h
create mode 100644 include/linux/netfilter_ipv4/ipt_TOS.h
create mode 100644 include/linux/netfilter_ipv4/ipt_dscp.h
create mode 100644 include/linux/netfilter_ipv4/ipt_owner.h
create mode 100644 include/linux/netfilter_ipv4/ipt_tos.h
create mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h
diff --git a/Makefile.am b/Makefile.am
index 0a28241..8137c93 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign subdir-objects
regular_CFLAGS := @regular_CFLAGS@
kinclude_CFLAGS := @kinclude_CFLAGS@
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include ${kinclude_CFLAGS}
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
SUBDIRS := extensions
if ENABLE_LIBIPQ
SUBDIRS += libipq
diff --git a/configure.ac b/configure.ac
index 9c42681..10d4380 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,8 +8,6 @@ AM_PROG_CC_C_O
AC_DISABLE_STATIC
AC_PROG_LIBTOOL
-kbuilddir="/lib/modules/$(uname -r)/build";
-ksourcedir="/lib/modules/$(uname -r)/source";
AC_ARG_WITH([kernel],
AS_HELP_STRING([--with-kernel=PATH],
[Path to kernel source/build directory]),
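Review bot: dropping the `/lib/modules/$(uname -r)/build` and `/source` defaults changes what a plain ./configure does: no kernel include path at all unless --with-kernel is passed. That is the point of the series, but say so in the commit message and in the AS_HELP_STRING for --with-kernel, so packagers know the default moved rather than discovering it from a changed set of compiled extensions.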
@@ -45,7 +43,13 @@ regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DIPTABLES_VERSION=\\\"$PACKAGE_VERSION\\\" \
-DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL";
-kinclude_CFLAGS="-I\"$kbuilddir/include\" -I\"$ksourcedir/include\"";
+kinclude_CFLAGS="";
+if [[ -n "$kbuilddir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
+fi;
+if [[ -n "$ksourcedir" ]]; then
+ kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
+fi;
AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
AC_SUBST([kbuilddir])
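Review bot: `if [[ -n "$kbuilddir" ]]; then` only works because M4 strips one level of brackets and configure ends up with the POSIX `[ -n "$kbuilddir" ]`; whoever later "fixes" the quoting gets a syntax error from /bin/sh. Write `if test -n "$kbuilddir"; then` instead. The replaced line also kept the paths quoted (`-I\"$kbuilddir/include\"`); the new `-I $kbuilddir/include` drops the quotes and inserts a space, so a build directory with a space in its name now breaks word splitting when the Makefile expands kinclude_CFLAGS.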
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 3c5b889..6922c7f 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -1,6 +1,8 @@
#ifndef __LINUX_NETFILTER_H
#define __LINUX_NETFILTER_H
+//#include <linux/compiler.h>
+
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
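Review bot: a commented-out `//#include <linux/compiler.h>` should not be committed; nothing else in this hunk needs anything from it, and the `__user` annotations that would need it are removed from ip_tables.h and ip6_tables.h later in this same patch. Either name the symbol that still requires compiler.h and include it for real, or drop the line and put the reminder in the commit message.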
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 95bc695..89eae5c 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -126,5 +126,48 @@ struct xt_counters_info
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
+/* fn returns 0 to continue iteration */
+#define XT_MATCH_ITERATE(type, e, fn, args...) \
+({ \
+ unsigned int __i; \
+ int __ret = 0; \
+ struct xt_entry_match *__m; \
+ \
+ for (__i = sizeof(type); \
+ __i < (e)->target_offset; \
+ __i += __m->u.match_size) { \
+ __m = (void *)e + __i; \
+ \
+ __ret = fn(__m , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
+({ \
+ unsigned int __i, __n; \
+ int __ret = 0; \
+ type *__entry; \
+ \
+ for (__i = 0, __n = 0; __i < (size); \
+ __i += __entry->next_offset, __n++) { \
+ __entry = (void *)(entries) + __i; \
+ if (__n < n) \
+ continue; \
+ \
+ __ret = fn(__entry , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
+ XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+
#endif /* _X_TABLES_H */
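Review bot: XT_MATCH_ITERATE uses its parameter unparenthesized in `__m = (void *)e + __i;` while the IPT_MATCH_ITERATE it replaces had `(void *)(e) + __i`; with an argument such as `p + 1` the cast binds only to `p`. XT_ENTRY_ITERATE_CONTINUE has the same problem with `if (__n < n)`. Parenthesize both, as `(e)->target_offset` and `(void *)(entries)` in the same macros already do.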
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 0000000..c53fbff
--- /dev/null
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SELCTX_MAX 256
+
+struct xt_secmark_target_selinux_info {
+ u_int32_t selsid;
+ char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+ u_int8_t mode;
+ union {
+ struct xt_secmark_target_selinux_info sel;
+ } u;
+};
+
+#endif /*_XT_SECMARK_H_target */
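Review bot: the header uses u_int32_t and u_int8_t but includes nothing that declares them; in userspace that is <sys/types.h>. Include it (or switch to __u32/__u8 from <linux/types.h>) so the file can be included on its own instead of depending on whatever the including .c file happened to pull in first.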
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 2934cee..fc64b97 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -148,10 +148,10 @@ struct ipt_getinfo
unsigned int valid_hooks;
/* Hook entry points: one per netfilter hook. */
- unsigned int hook_entry[NF_IP_NUMHOOKS];
+ unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
- unsigned int underflow[NF_IP_NUMHOOKS];
+ unsigned int underflow[NF_INET_NUMHOOKS];
/* Number of entries */
unsigned int num_entries;
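Review bot: NF_INET_NUMHOOKS now has to come from the in-tree include/linux/netfilter.h, since this series is what lets the build run without a kernel tree on the include path; the netfilter.h hunk above adds only a commented-out include, so confirm the NF_INET_* hook enum is already present there, otherwise ipt_getinfo fails to compile at exactly this line.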
@@ -177,16 +177,16 @@ struct ipt_replace
unsigned int size;
/* Hook entry points. */
- unsigned int hook_entry[NF_IP_NUMHOOKS];
+ unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
- unsigned int underflow[NF_IP_NUMHOOKS];
+ unsigned int underflow[NF_INET_NUMHOOKS];
/* Information about old entries: */
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
- struct xt_counters __user *counters;
+ struct xt_counters *counters;
/* The entries (hang off end: not really an array). */
struct ipt_entry entries[0];
@@ -221,60 +221,12 @@ ipt_get_target(struct ipt_entry *e)
}
/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-({ \
- unsigned int __i; \
- int __ret = 0; \
- struct ipt_entry_match *__match; \
- \
- for (__i = sizeof(struct ipt_entry); \
- __i < (e)->target_offset; \
- __i += __match->u.match_size) { \
- __match = (void *)(e) + __i; \
- \
- __ret = fn(__match , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+ XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-({ \
- unsigned int __i; \
- int __ret = 0; \
- struct ipt_entry *__entry; \
- \
- for (__i = 0; __i < (size); __i += __entry->next_offset) { \
- __entry = (void *)(entries) + __i; \
- \
- __ret = fn(__entry , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
-({ \
- unsigned int __i, __n; \
- int __ret = 0; \
- struct ipt_entry *__entry; \
- \
- for (__i = 0, __n = 0; __i < (size); \
- __i += __entry->next_offset, __n++) { \
- __entry = (void *)(entries) + __i; \
- if (__n < n) \
- continue; \
- \
- __ret = fn(__entry , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+ XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
/*
* Main firewall chains definitions and global var's definitions.
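Review bot: IPT_MATCH_ITERATE and IPT_ENTRY_ITERATE are re-expressed in terms of the XT_ macros, but IPT_ENTRY_ITERATE_CONTINUE is deleted outright even though XT_ENTRY_ITERATE_CONTINUE exists to replace it. If anything in libiptc or the extensions still uses it, add `#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) XT_ENTRY_ITERATE_CONTINUE(struct ipt_entry, entries, size, n, fn, ## args)` next to the other two; if nothing does, say in the commit message that it was removed on purpose.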
diff --git a/include/linux/netfilter_ipv4/ipt_DSCP.h b/include/linux/netfilter_ipv4/ipt_DSCP.h
new file mode 100644
index 0000000..3491e52
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_DSCP.h
@@ -0,0 +1,18 @@
+/* iptables module for setting the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+*/
+#ifndef _IPT_DSCP_TARGET_H
+#define _IPT_DSCP_TARGET_H
+#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+#define ipt_DSCP_info xt_DSCP_info
+
+#endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 0000000..90fa652
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IPT_LOG_H
+#define _IPT_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IPT_LOG_IPOPT 0x04 /* Log IP options */
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define IPT_LOG_MASK 0x1f
+
+struct ipt_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 0000000..4293a1a
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_REJECT_H
+#define _IPT_REJECT_H
+
+enum ipt_reject_with {
+ IPT_ICMP_NET_UNREACHABLE,
+ IPT_ICMP_HOST_UNREACHABLE,
+ IPT_ICMP_PROT_UNREACHABLE,
+ IPT_ICMP_PORT_UNREACHABLE,
+ IPT_ICMP_ECHOREPLY,
+ IPT_ICMP_NET_PROHIBITED,
+ IPT_ICMP_HOST_PROHIBITED,
+ IPT_TCP_RESET,
+ IPT_ICMP_ADMIN_PROHIBITED
+};
+
+struct ipt_reject_info {
+ enum ipt_reject_with with; /* reject type */
+};
+
+#endif /*_IPT_REJECT_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_TOS.h b/include/linux/netfilter_ipv4/ipt_TOS.h
new file mode 100644
index 0000000..6bf9e1f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_TOS.h
@@ -0,0 +1,12 @@
+#ifndef _IPT_TOS_H_target
+#define _IPT_TOS_H_target
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+struct ipt_tos_target_info {
+ u_int8_t tos;
+};
+
+#endif /*_IPT_TOS_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_dscp.h b/include/linux/netfilter_ipv4/ipt_dscp.h
new file mode 100644
index 0000000..4b82ca9
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_dscp.h
@@ -0,0 +1,21 @@
+/* iptables module for matching the IPv4 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _IPT_DSCP_H
+#define _IPT_DSCP_H
+
+#include <linux/netfilter/xt_dscp.h>
+
+#define IPT_DSCP_MASK XT_DSCP_MASK
+#define IPT_DSCP_SHIFT XT_DSCP_SHIFT
+#define IPT_DSCP_MAX XT_DSCP_MAX
+
+#define ipt_dscp_info xt_dscp_info
+
+#endif /* _IPT_DSCP_H */
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
new file mode 100644
index 0000000..92f4bda
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_owner.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_OWNER_H
+#define _IPT_OWNER_H
+
+/* match and invert flags */
+#define IPT_OWNER_UID 0x01
+#define IPT_OWNER_GID 0x02
+#define IPT_OWNER_PID 0x04
+#define IPT_OWNER_SID 0x08
+#define IPT_OWNER_COMM 0x10
+
+struct ipt_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_tos.h b/include/linux/netfilter_ipv4/ipt_tos.h
new file mode 100644
index 0000000..a21f5df
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_tos.h
@@ -0,0 +1,13 @@
+#ifndef _IPT_TOS_H
+#define _IPT_TOS_H
+
+struct ipt_tos_info {
+ u_int8_t tos;
+ u_int8_t invert;
+};
+
+#ifndef IPTOS_NORMALSVC
+#define IPTOS_NORMALSVC 0
+#endif
+
+#endif /*_IPT_TOS_H*/
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 36e3301..68b22fc 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -208,10 +208,10 @@ struct ip6t_getinfo
unsigned int valid_hooks;
/* Hook entry points: one per netfilter hook. */
- unsigned int hook_entry[NF_IP6_NUMHOOKS];
+ unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
- unsigned int underflow[NF_IP6_NUMHOOKS];
+ unsigned int underflow[NF_INET_NUMHOOKS];
/* Number of entries */
unsigned int num_entries;
@@ -237,16 +237,16 @@ struct ip6t_replace
unsigned int size;
/* Hook entry points. */
- unsigned int hook_entry[NF_IP6_NUMHOOKS];
+ unsigned int hook_entry[NF_INET_NUMHOOKS];
/* Underflow points. */
- unsigned int underflow[NF_IP6_NUMHOOKS];
+ unsigned int underflow[NF_INET_NUMHOOKS];
/* Information about old entries: */
/* Number of counters (must be equal to current number of entries). */
unsigned int num_counters;
/* The old entries' counters. */
- struct xt_counters __user *counters;
+ struct xt_counters *counters;
/* The entries (hang off end: not really an array). */
struct ip6t_entry entries[0];
@@ -281,40 +281,12 @@ ip6t_get_target(struct ip6t_entry *e)
}
/* fn returns 0 to continue iteration */
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-({ \
- unsigned int __i; \
- int __ret = 0; \
- struct ip6t_entry_match *__m; \
- \
- for (__i = sizeof(struct ip6t_entry); \
- __i < (e)->target_offset; \
- __i += __m->u.match_size) { \
- __m = (void *)(e) + __i; \
- \
- __ret = fn(__m , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+ XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
/* fn returns 0 to continue iteration */
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-({ \
- unsigned int __i; \
- int __ret = 0; \
- struct ip6t_entry *__e; \
- \
- for (__i = 0; __i < (size); __i += __e->next_offset) { \
- __e = (void *)(entries) + __i; \
- \
- __ret = fn(__e , ## args); \
- if (__ret != 0) \
- break; \
- } \
- __ret; \
-})
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+ XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
/*
* Main firewall chains definitions and global var's definitions.
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
new file mode 100644
index 0000000..0d0119b
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -0,0 +1,18 @@
+#ifndef _IP6T_LOG_H
+#define _IP6T_LOG_H
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
+#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
+#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
+#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
+#define IP6T_LOG_MASK 0x1f
+
+struct ip6t_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
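Review bot: the closing guard comment `#endif /*_IPT_LOG_H*/` was copied from the IPv4 header; it should read `_IP6T_LOG_H` to match the `#ifndef` at the top of this file. Cosmetic, but it is the kind of mismatch that misleads a grep later.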
diff --git a/libipq/Makefile.am b/libipq/Makefile.am
index 942a874..d4245e7 100644
--- a/libipq/Makefile.am
+++ b/libipq/Makefile.am
@@ -1,6 +1,6 @@
# -*- Makefile -*-
-AM_CFLAGS = ${regular_CFLAGS} -I${top_srcdir}/include
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
libipq_a_SOURCES = libipq.c
lib_LIBRARIES = libipq.a
--
1.5.5.rc3
* [PATCH 3/8] Install libiptc header files because xtables.h depends on it
From: Jan Engelhardt
Date: 2008-04-13 8:25 UTC
To: kaber; +Cc: netfilter-devel
---
Makefile.am | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8137c93..bb7dc4f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -75,6 +75,9 @@ man_MANS := iptables.8 iptables-restore.8 iptables-save.8 \
CLEANFILES := iptables.8 ip6tables.8
if ENABLE_DEVEL
include_HEADERS := include/xtables.h include/iptables.h include/ip6tables.h
+iptcdir := ${includedir}/libiptc
+iptc_HEADERS := include/libiptc/libxtc.h \
+ include/libiptc/ipt_kernel_headers.h
endif
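Review bot: the subject says xtables.h depends on libiptc headers, but only libxtc.h and ipt_kernel_headers.h are installed; libiptc.h and libip6tc.h, which declare the iptc_* API itself, stay uninstalled. If that is deliberate because xtables.h needs only those two, say so in the commit message; otherwise add them to iptc_HEADERS, since an out-of-tree consumer of xtables.h will usually want to open a table as well.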
if ENABLE_STATIC
--
1.5.5.rc3
* [PATCH 4/8] iptables: use C99 lists for struct options
From: Jan Engelhardt
Date: 2008-04-13 8:25 UTC
To: kaber; +Cc: netfilter-devel, Gáspár Lajos
From: Gáspár Lajos <swifty@freemail.hu>
---
ip6tables-restore.c | 18 ++++++------
ip6tables-save.c | 12 ++++----
ip6tables.c | 60 ++++++++++++++++++++--------------------
iptables-restore.c | 20 +++++++-------
iptables-save.c | 12 ++++----
iptables.c | 64 +++++++++++++++++++++---------------------
6 files changed, 93 insertions(+), 93 deletions(-)
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 2c3e95d..c2703dc 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -29,15 +29,15 @@
static int binary = 0, counters = 0, verbose = 0, noflush = 0;
/* Keeping track of external matches and targets. */
-static struct option options[] = {
- { "binary", 0, 0, 'b' },
- { "counters", 0, 0, 'c' },
- { "verbose", 0, 0, 'v' },
- { "test", 0, 0, 't' },
- { "help", 0, 0, 'h' },
- { "noflush", 0, 0, 'n'},
- { "modprobe", 1, 0, 'M'},
- { 0 }
+static const struct option options[] = {
+ {.name = "binary", .has_arg = false, .val = 'b'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "verbose", .has_arg = false, .val = 'v'},
+ {.name = "test", .has_arg = false, .val = 't'},
+ {.name = "help", .has_arg = false, .val = 'h'},
+ {.name = "noflush", .has_arg = false, .val = 'n'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
+ {NULL},
};
static void print_usage(const char *name, const char *version) __attribute__((noreturn));
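Review bot: `.has_arg = false` and `.has_arg = true` need <stdbool.h>, which this hunk does not add; check it is already included in this file, since `false` and `true` are otherwise undeclared identifiers in C99. getopt.h also provides no_argument and required_argument for exactly this field, which reads better than a bool and lines up with the `.has_arg = 2` (optional_argument) that the ip6tables.c hunk in the same patch has to use. Making the array `const` is right, getopt_long takes a `const struct option *`.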
diff --git a/ip6tables-save.c b/ip6tables-save.c
index e440887..6e2fea5 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -24,12 +24,12 @@
static int show_binary = 0, show_counters = 0;
-static struct option options[] = {
- { "binary", 0, 0, 'b' },
- { "counters", 0, 0, 'c' },
- { "dump", 0, 0, 'd' },
- { "table", 1, 0, 't' },
- { 0 }
+static const struct option options[] = {
+ {.name = "binary", .has_arg = false, .val = 'b'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "table", .has_arg = true, .val = 't'},
+ {NULL},
};
diff --git a/ip6tables.c b/ip6tables.c
index c7d4a4f..908700e 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -101,36 +101,36 @@ static const char optflags[NUMBER_OF_OPT]
= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c'};
static struct option original_opts[] = {
- { "append", 1, 0, 'A' },
- { "delete", 1, 0, 'D' },
- { "insert", 1, 0, 'I' },
- { "replace", 1, 0, 'R' },
- { "list", 2, 0, 'L' },
- { "flush", 2, 0, 'F' },
- { "zero", 2, 0, 'Z' },
- { "new-chain", 1, 0, 'N' },
- { "delete-chain", 2, 0, 'X' },
- { "rename-chain", 1, 0, 'E' },
- { "policy", 1, 0, 'P' },
- { "source", 1, 0, 's' },
- { "destination", 1, 0, 'd' },
- { "src", 1, 0, 's' }, /* synonym */
- { "dst", 1, 0, 'd' }, /* synonym */
- { "protocol", 1, 0, 'p' },
- { "in-interface", 1, 0, 'i' },
- { "jump", 1, 0, 'j' },
- { "table", 1, 0, 't' },
- { "match", 1, 0, 'm' },
- { "numeric", 0, 0, 'n' },
- { "out-interface", 1, 0, 'o' },
- { "verbose", 0, 0, 'v' },
- { "exact", 0, 0, 'x' },
- { "version", 0, 0, 'V' },
- { "help", 2, 0, 'h' },
- { "line-numbers", 0, 0, '0' },
- { "modprobe", 1, 0, 'M' },
- { "set-counters", 1, 0, 'c' },
- { 0 }
+ {.name = "append", .has_arg = 1, .val = 'A'},
+ {.name = "delete", .has_arg = 1, .val = 'D'},
+ {.name = "insert", .has_arg = 1, .val = 'I'},
+ {.name = "replace", .has_arg = 1, .val = 'R'},
+ {.name = "list", .has_arg = 2, .val = 'L'},
+ {.name = "flush", .has_arg = 2, .val = 'F'},
+ {.name = "zero", .has_arg = 2, .val = 'Z'},
+ {.name = "new-chain", .has_arg = 1, .val = 'N'},
+ {.name = "delete-chain", .has_arg = 2, .val = 'X'},
+ {.name = "rename-chain", .has_arg = 1, .val = 'E'},
+ {.name = "policy", .has_arg = 1, .val = 'P'},
+ {.name = "source", .has_arg = 1, .val = 's'},
+ {.name = "destination", .has_arg = 1, .val = 'd'},
+ {.name = "src", .has_arg = 1, .val = 's'}, /* synonym */
+ {.name = "dst", .has_arg = 1, .val = 'd'}, /* synonym */
+ {.name = "protocol", .has_arg = 1, .val = 'p'},
+ {.name = "in-interface", .has_arg = 1, .val = 'i'},
+ {.name = "jump", .has_arg = 1, .val = 'j'},
+ {.name = "table", .has_arg = 1, .val = 't'},
+ {.name = "match", .has_arg = 1, .val = 'm'},
+ {.name = "numeric", .has_arg = 0, .val = 'n'},
+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
+ {.name = "verbose", .has_arg = 0, .val = 'v'},
+ {.name = "exact", .has_arg = 0, .val = 'x'},
+ {.name = "version", .has_arg = 0, .val = 'V'},
+ {.name = "help", .has_arg = 2, .val = 'h'},
+ {.name = "line-numbers", .has_arg = 0, .val = '0'},
+ {.name = "modprobe", .has_arg = 1, .val = 'M'},
+ {.name = "set-counters", .has_arg = 1, .val = 'c'},
+ {NULL},
};
/* we need this for ip6tables-restore. ip6tables-restore.c sets line to the
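Review bot: `.has_arg = 1` and `.has_arg = 2` are the numeric values of required_argument and optional_argument; now that the fields are named, use the getopt.h constants as well so a reader does not have to remember that 2 means optional. The -restore and -save arrays in this same patch spell the field as `true`/`false`, so pick one convention for all six files. Leaving original_opts[] non-const while the other arrays become const is presumably because it is handed around as a plain `struct option *` for merging with extension options; a one-line comment saying why this one differs would save the next reader the question.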
diff --git a/iptables-restore.c b/iptables-restore.c
index f556fa5..ecf7b2d 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -26,16 +26,16 @@
static int binary = 0, counters = 0, verbose = 0, noflush = 0;
/* Keeping track of external matches and targets. */
-static struct option options[] = {
- { "binary", 0, 0, 'b' },
- { "counters", 0, 0, 'c' },
- { "verbose", 0, 0, 'v' },
- { "test", 0, 0, 't' },
- { "help", 0, 0, 'h' },
- { "noflush", 0, 0, 'n'},
- { "modprobe", 1, 0, 'M'},
- { "table", 1, 0, 'T'},
- { 0 }
+static const struct option options[] = {
+ {.name = "binary", .has_arg = false, .val = 'b'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "verbose", .has_arg = false, .val = 'v'},
+ {.name = "test", .has_arg = false, .val = 't'},
+ {.name = "help", .has_arg = false, .val = 'h'},
+ {.name = "noflush", .has_arg = false, .val = 'n'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
+ {.name = "table", .has_arg = true, .val = 'T'},
+ {NULL},
};
static void print_usage(const char *name, const char *version) __attribute__((noreturn));
diff --git a/iptables-save.c b/iptables-save.c
index 1ce2090..4272202 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -23,12 +23,12 @@
static int show_binary = 0, show_counters = 0;
-static struct option options[] = {
- { "binary", 0, 0, 'b' },
- { "counters", 0, 0, 'c' },
- { "dump", 0, 0, 'd' },
- { "table", 1, 0, 't' },
- { 0 }
+static const struct option options[] = {
+ {.name = "binary", .has_arg = false, .val = 'b'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "table", .has_arg = true, .val = 't'},
+ {NULL},
};
#define IP_PARTS_NATIVE(n) \
diff --git a/iptables.c b/iptables.c
index 7cc2448..0300027 100644
--- a/iptables.c
+++ b/iptables.c
@@ -99,38 +99,38 @@ static const char optflags[NUMBER_OF_OPT]
= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', 'f', '0', 'c'};
static struct option original_opts[] = {
- { "append", 1, NULL, 'A' },
- { "delete", 1, NULL, 'D' },
- { "insert", 1, NULL, 'I' },
- { "replace", 1, NULL, 'R' },
- { "list", 2, NULL, 'L' },
- { "flush", 2, NULL, 'F' },
- { "zero", 2, NULL, 'Z' },
- { "new-chain", 1, NULL, 'N' },
- { "delete-chain", 2, NULL, 'X' },
- { "rename-chain", 1, NULL, 'E' },
- { "policy", 1, NULL, 'P' },
- { "source", 1, NULL, 's' },
- { "destination", 1, NULL, 'd' },
- { "src", 1, NULL, 's' }, /* synonym */
- { "dst", 1, NULL, 'd' }, /* synonym */
- { "protocol", 1, NULL, 'p' },
- { "in-interface", 1, NULL, 'i' },
- { "jump", 1, NULL, 'j' },
- { "table", 1, NULL, 't' },
- { "match", 1, NULL, 'm' },
- { "numeric", 0, NULL, 'n' },
- { "out-interface", 1, NULL, 'o' },
- { "verbose", 0, NULL, 'v' },
- { "exact", 0, NULL, 'x' },
- { "fragments", 0, NULL, 'f' },
- { "version", 0, NULL, 'V' },
- { "help", 2, NULL, 'h' },
- { "line-numbers", 0, NULL, '0' },
- { "modprobe", 1, NULL, 'M' },
- { "set-counters", 1, NULL, 'c' },
- { "goto", 1, NULL, 'g' },
- { }
+ {.name = "append", .has_arg = 1, .val = 'A'},
+ {.name = "delete", .has_arg = 1, .val = 'D'},
+ {.name = "insert", .has_arg = 1, .val = 'I'},
+ {.name = "replace", .has_arg = 1, .val = 'R'},
+ {.name = "list", .has_arg = 2, .val = 'L'},
+ {.name = "flush", .has_arg = 2, .val = 'F'},
+ {.name = "zero", .has_arg = 2, .val = 'Z'},
+ {.name = "new-chain", .has_arg = 1, .val = 'N'},
+ {.name = "delete-chain", .has_arg = 2, .val = 'X'},
+ {.name = "rename-chain", .has_arg = 1, .val = 'E'},
+ {.name = "policy", .has_arg = 1, .val = 'P'},
+ {.name = "source", .has_arg = 1, .val = 's'},
+ {.name = "destination", .has_arg = 1, .val = 'd'},
+ {.name = "src", .has_arg = 1, .val = 's'}, /* synonym */
+ {.name = "dst", .has_arg = 1, .val = 'd'}, /* synonym */
+ {.name = "protocol", .has_arg = 1, .val = 'p'},
+ {.name = "in-interface", .has_arg = 1, .val = 'i'},
+ {.name = "jump", .has_arg = 1, .val = 'j'},
+ {.name = "table", .has_arg = 1, .val = 't'},
+ {.name = "match", .has_arg = 1, .val = 'm'},
+ {.name = "numeric", .has_arg = 0, .val = 'n'},
+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
+ {.name = "verbose", .has_arg = 0, .val = 'v'},
+ {.name = "exact", .has_arg = 0, .val = 'x'},
+ {.name = "fragments", .has_arg = 0, .val = 'f'},
+ {.name = "version", .has_arg = 0, .val = 'V'},
+ {.name = "help", .has_arg = 2, .val = 'h'},
+ {.name = "line-numbers", .has_arg = 0, .val = '0'},
+ {.name = "modprobe", .has_arg = 1, .val = 'M'},
+ {.name = "set-counters", .has_arg = 1, .val = 'c'},
+ {.name = "goto", .has_arg = 1, .val = 'g'},
+ {NULL},
};
/* we need this for iptables-restore. iptables-restore.c sets line to the
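Review bot: `original_opts` keeps its non-const declaration (`static struct option original_opts[]` in the context line above) while the tables in iptables-save.c and iptables-restore.c gain `const` in this same patch; if that is deliberate because iptables.c later merges extension options into this table, the commit message, which is currently empty, should say so. Also, the `.has_arg = 2` entries (list, flush, zero, delete-chain, help) would be readable at a glance as `optional_argument`, and 0/1 as `no_argument`/`required_argument`, matching what the other two files should use instead of false/true.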
--
1.5.5.rc3
* [PATCH 5/8] Combine ipt and ip6t manpages
From: Jan Engelhardt @ 2008-04-13 8:25 UTC (permalink / raw
To: kaber; +Cc: netfilter-devel
---
extensions/libip6t_TCPMSS.man | 42 ----------
extensions/libip6t_connlimit.man | 27 -------
extensions/libip6t_length.man | 4 -
extensions/libip6t_multiport.man | 20 -----
extensions/libip6t_tcp.man | 45 -----------
extensions/libipt_TRACE.man | 10 ---
extensions/libipt_length.man | 4 -
extensions/libipt_policy.man | 48 ------------
extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} | 8 +-
extensions/{libip6t_TRACE.man => libxt_TRACE.man} | 3 +-
.../{libipt_connlimit.man => libxt_connlimit.man} | 0
extensions/libxt_length.man | 5 +
.../{libipt_multiport.man => libxt_multiport.man} | 0
.../{libip6t_policy.man => libxt_policy.man} | 0
extensions/{libipt_tcp.man => libxt_tcp.man} | 0
15 files changed, 12 insertions(+), 204 deletions(-)
delete mode 100644 extensions/libip6t_TCPMSS.man
delete mode 100644 extensions/libip6t_connlimit.man
delete mode 100644 extensions/libip6t_length.man
delete mode 100644 extensions/libip6t_multiport.man
delete mode 100644 extensions/libip6t_tcp.man
delete mode 100644 extensions/libipt_TRACE.man
delete mode 100644 extensions/libipt_length.man
delete mode 100644 extensions/libipt_policy.man
rename extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} (77%)
rename extensions/{libip6t_TRACE.man => libxt_TRACE.man} (94%)
rename extensions/{libipt_connlimit.man => libxt_connlimit.man} (100%)
create mode 100644 extensions/libxt_length.man
rename extensions/{libipt_multiport.man => libxt_multiport.man} (100%)
rename extensions/{libip6t_policy.man => libxt_policy.man} (100%)
rename extensions/{libipt_tcp.man => libxt_tcp.man} (100%)
diff --git a/extensions/libip6t_TCPMSS.man b/extensions/libip6t_TCPMSS.man
deleted file mode 100644
index b4c357e..0000000
--- a/extensions/libip6t_TCPMSS.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 60). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMPv6 Packet Too Big packets or are unable to send them.
-The symptoms of this problem are that everything works fine from your
-Linux firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 60).
-.TP
-These options are mutually exclusive.
-
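Review bot: the deleted IPv6 page carried an ip6tables example (`ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`); the surviving libxt_TCPMSS.man hunks later in this patch update the MTU arithmetic and the ICMPv6 wording but do not touch the example block after `configuration like:`, so confirm that block still reads correctly for ip6tables users once this page is gone.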
diff --git a/extensions/libip6t_connlimit.man b/extensions/libip6t_connlimit.man
deleted file mode 100644
index d1a4447..0000000
--- a/extensions/libip6t_connlimit.man
+++ /dev/null
@@ -1,27 +0,0 @@
-Allows you to restrict the number of parallel connections to a server per
-client IP address (or client address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-Match if the number of existing connections is (not) above \fIn\fR.
-.TP
-\fB--connlimit-mask\fR \fIprefix_length\fR
-Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128.
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-network (24 bit netmask)
-ip6tables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
-(ipv6)
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
-16 --connlimit-mask 64 -j REJECT
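Review bot: libipt_connlimit.man becomes libxt_connlimit.man by a 100% similarity rename, so the combined page is exactly the old IPv4 text; make sure it already contains the IPv6-specific material deleted here (the `--connlimit-mask` range "For IPv6, between 0 and 128" and the `-s fe80::/64 ... --connlimit-mask 64` example), otherwise this hunk silently drops IPv6 documentation.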
diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man
deleted file mode 100644
index d781a04..0000000
--- a/extensions/libip6t_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of the IPv6 payload in octets, or range of it.
-IPv6 header itself isn't counted.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man
deleted file mode 100644
index 6f75a6e..0000000
--- a/extensions/libip6t_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction
-with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
deleted file mode 100644
index 41b89a4..0000000
--- a/extensions/libip6t_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions can be used if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
deleted file mode 100644
index 7fbe8e7..0000000
--- a/extensions/libipt_TRACE.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ipt_LOG module
-is required for the logging.) The packets are logged with the string prefix:
-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
-plain rule, "return" for implicit rule at the end of a user defined chain
-and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man
deleted file mode 100644
index 43bbdcf..0000000
--- a/extensions/libipt_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_policy.man b/extensions/libipt_policy.man
deleted file mode 100644
index eed163e..0000000
--- a/extensions/libipt_policy.man
+++ /dev/null
@@ -1,48 +0,0 @@
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
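Review bot: here the IPv4 page is the one deleted and the IPv6 page survives by a 100% rename, so libxt_policy.man will be the old ip6t text verbatim; confirm it documents all ten options listed in this hunk (--dir through --next) with the same chain restrictions for `in` and `out`, since nothing in this patch adds text to the surviving copy.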
diff --git a/extensions/libipt_TCPMSS.man b/extensions/libxt_TCPMSS.man
similarity index 77%
rename from extensions/libipt_TCPMSS.man
rename to extensions/libxt_TCPMSS.man
index 30668b0..82f93e0 100644
--- a/extensions/libipt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -1,6 +1,7 @@
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
+outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
+Of course, it can only be used
in conjunction with
.BR "-p tcp" .
It is only valid in the
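Review bot: "MTU minus 40 for IPv4 or 60 for IPv6, respectively" leaves "respectively" with nothing to pair; "MTU minus 40 for IPv4, or minus 60 for IPv6" reads cleanly. While rewording this paragraph, the context line "This target allows to alter" would also read better as "This target allows altering".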
@@ -8,7 +9,8 @@ It is only valid in the
table.
.br
This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
+which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
+packets. The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
packets:
@@ -36,6 +38,6 @@ configuration like:
Explicitly set MSS option to specified value.
.TP
.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
+Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6).
.TP
These options are mutually exclusive.
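Review bot: "(path_MTU - 40 for IPv4; -60 for IPv6)" reads as a negative sixty; spell it out as "(path_MTU - 40 for IPv4, path_MTU - 60 for IPv6)" so it matches the wording chosen in the first hunk of this file.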
diff --git a/extensions/libip6t_TRACE.man b/extensions/libxt_TRACE.man
similarity index 94%
rename from extensions/libip6t_TRACE.man
rename to extensions/libxt_TRACE.man
index ca3895a..d28c3a0 100644
--- a/extensions/libip6t_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -1,5 +1,6 @@
This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ip6t_LOG module
+the packets as those traverse the tables, chains, rules. (The ipt_LOG or
+ip6t_LOG module
is required for the logging.) The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
plain rule, "return" for implicit rule at the end of a user defined chain
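Review bot: since this sentence is being rewritten, the two typos in the context line above are worth fixing in the same hunk: "packes" for "packets" and "every rule which match" for "every rule which matches". The "(The ipt_LOG or" / "ip6t_LOG module" split is harmless for roff, but the parenthetical would be simpler kept whole: "(The ipt_LOG or ip6t_LOG module is required for the logging.)".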
diff --git a/extensions/libipt_connlimit.man b/extensions/libxt_connlimit.man
similarity index 100%
rename from extensions/libipt_connlimit.man
rename to extensions/libxt_connlimit.man
diff --git a/extensions/libxt_length.man b/extensions/libxt_length.man
new file mode 100644
index 0000000..5a8198b
--- /dev/null
+++ b/extensions/libxt_length.man
@@ -0,0 +1,5 @@
+This module matches the length of the layer-3 payload (e.g. layer-4 packet)
+f a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
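Review bot: "f a packet" on the second line is missing its "o", and "layer-3 payload (e.g. layer-4 packet)" conflicts with both pages it replaces (the deleted libipt_length.man said "the length of a packet", the deleted libip6t_length.man said the IPv6 header is not counted); the combined page should state plainly which length is compared and whether that differs per family, e.g. "This module matches the length of a packet against a specific value or range of values." if the header is included for both.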
diff --git a/extensions/libipt_multiport.man b/extensions/libxt_multiport.man
similarity index 100%
rename from extensions/libipt_multiport.man
rename to extensions/libxt_multiport.man
diff --git a/extensions/libip6t_policy.man b/extensions/libxt_policy.man
similarity index 100%
rename from extensions/libip6t_policy.man
rename to extensions/libxt_policy.man
diff --git a/extensions/libipt_tcp.man b/extensions/libxt_tcp.man
similarity index 100%
rename from extensions/libipt_tcp.man
rename to extensions/libxt_tcp.man
--
1.5.5.rc3
From: Jan Engelhardt @ 2008-04-13 8:25 UTC (permalink / raw
To: kaber; +Cc: netfilter-devel
---
extensions/libxt_RATEEST.c | 5 ++---
extensions/libxt_RATEEST.man | 11 +++++++++++
2 files changed, 13 insertions(+), 3 deletions(-)
create mode 100644 extensions/libxt_RATEEST.man
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index 4f52c2e..dd7b503 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -18,12 +18,11 @@ static void
RATEEST_help(void)
{
printf(
-"RATEST target v%s options:\n"
+"RATEEST target options:\n"
" --rateest-name name Rate estimator name\n"
" --rateest-interval sec Rate measurement interval in seconds\n"
" --rateest-ewmalog value Rate measurement averaging time constant\n"
-"\n",
- IPTABLES_VERSION);
+"\n");
}
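Review bot: fixing the "RATEST" spelling and dropping the version from the help output is unrelated to the subject "RATEEST: add manpage", and the commit message is empty; either mention this C change in the message or split it into its own patch so it is not buried in a manpage commit.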
enum RATEEST_options {
diff --git a/extensions/libxt_RATEEST.man b/extensions/libxt_RATEEST.man
new file mode 100644
index 0000000..6ad802c
--- /dev/null
+++ b/extensions/libxt_RATEEST.man
@@ -0,0 +1,11 @@
+The RATEEST target collects statistics, performs rate estimation calculation
+and saves the results for later evaluation using the \fBrateest\fP match.
+.TP
+\fB--rateest-name\fP \fIname\fP
+Count matched packets into the pool referred to by \fIname\fP, which is freely
+choosable.
+.TP
+\fB--rateest-interval\fP \fIamount\fP{\fBs\fP|\fBms\fP|\fBus\fP}
+Rate measurement interval, in seconds, milliseconds or microseconds.
+.TP
+\fB--rateest-ewmalog\fP \fIvalue\fP
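Review bot: the file ends at the `\fB--rateest-ewmalog\fP \fIvalue\fP` heading with no description, so the rendered page shows an empty entry for that option; the help text in libxt_RATEEST.c above calls it "Rate measurement averaging time constant", which could be reused here. Also, `--rateest-interval` is documented with an `amount{s|ms|us}` suffix while the C help text says only "sec"; one of the two should be updated so they agree.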
--
1.5.5.rc3
From: Jan Engelhardt @ 2008-04-13 8:25 UTC (permalink / raw
To: kaber; +Cc: netfilter-devel
---
extensions/.condition-test | 4 -
extensions/.condition-test6 | 4 -
extensions/.set-test | 4 -
extensions/GNUmakefile.in | 27 +----
extensions/libip6t_condition.c | 95 ----------------
extensions/libip6t_condition.man | 4 -
extensions/libipt_SET.c | 174 ------------------------------
extensions/libipt_SET.man | 16 ---
extensions/libipt_condition.c | 94 ----------------
extensions/libipt_condition.man | 4 -
extensions/libipt_set.c | 161 ---------------------------
extensions/libipt_set.h | 104 ------------------
extensions/libipt_set.man | 17 ---
13 files changed, 3 insertions(+), 705 deletions(-)
delete mode 100755 extensions/.condition-test
delete mode 100755 extensions/.condition-test6
delete mode 100755 extensions/.set-test
delete mode 100644 extensions/libip6t_condition.c
delete mode 100644 extensions/libip6t_condition.man
delete mode 100644 extensions/libipt_SET.c
delete mode 100644 extensions/libipt_SET.man
delete mode 100644 extensions/libipt_condition.c
delete mode 100644 extensions/libipt_condition.man
delete mode 100644 extensions/libipt_set.c
delete mode 100644 extensions/libipt_set.h
delete mode 100644 extensions/libipt_set.man
diff --git a/extensions/.condition-test b/extensions/.condition-test
deleted file mode 100755
index 2470a18..0000000
--- a/extensions/.condition-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.condition-test6 b/extensions/.condition-test6
deleted file mode 100755
index 15a0f04..0000000
--- a/extensions/.condition-test6
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.set-test b/extensions/.set-test
deleted file mode 100755
index 754abfd..0000000
--- a/extensions/.set-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#! /bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h" ] && \
-echo "set SET";
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index ee20469..31e6fb7 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -32,30 +32,9 @@ endif
#
# Wildcard module list
#
-pfx_all_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
-pf4_all_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
-pf6_all_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
-
-#
-# Conditional module list
-#
-pfx_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf4_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf6_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-
-#
-# Conditional modules to build
-#
-pfx_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf4_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf6_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-
-#
-# Total list of modules to build
-#
-pfx_build_mod := $(filter-out ${pfx_cond_mod},${pfx_all_mod}) ${pfx_bc_mod}
-pf4_build_mod := $(filter-out ${pf4_cond_mod},${pf4_all_mod}) ${pf4_bc_mod}
-pf6_build_mod := $(filter-out ${pf6_cond_mod},${pf6_all_mod}) ${pf6_bc_mod}
+pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
+pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
+pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
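Review bot: with the conditional lists removed, the `.*-test`, `.*-test6` and `.*-testx` hooks are no longer evaluated, so any out-of-tree extension that relied on them is now silently never built; the commit message is empty and should state that condition, SET and set are being dropped rather than made unconditional, and why, so users of those modules are not surprised.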
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
deleted file mode 100644
index 03e2722..0000000
--- a/extensions/libip6t_condition.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/* Shared library add-on to ip6tables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
-
-static void condition_help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int
-condition_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct ip6tables_match condition_match6 = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
- .help = condition_help,
- .parse = condition_parse,
- .final_check = condition_check,
- .print = condition_print,
- .save = condition_save,
- .extra_opts = condition_opts,
-};
-
-
-void
-_init(void)
-{
- register_match6(&condition_match6);
-}
diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man
deleted file mode 100644
index e0bba75..0000000
--- a/extensions/libip6t_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
deleted file mode 100644
index dd42867..0000000
--- a/extensions/libipt_SET.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set mangling target. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void SET_help(void)
-{
- printf("SET v%s options:\n"
- " --add-set name flags\n"
- " --del-set name flags\n"
- " add/del src/dst IP/port from/to named sets,\n"
- " where flags are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static const struct option SET_opts[] = {
- {"add-set", 1, 0, '1'},
- {"del-set", 1, 0, '2'},
- {0}
-};
-
-/* Initialize the target. */
-static void SET_init(struct xt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- memset(info, 0, sizeof(struct ipt_set_info_target));
- info->add_set.index =
- info->del_set.index = IP_SET_INVALID_ID;
-
-}
-
-static void
-parse_target(char **argv, int invert, unsigned int *flags,
- struct ipt_set_info *info, const char *what)
-{
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--%s can be specified only once", what);
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --%s", what);
-
- if (!argv[optind]
- || argv[optind][0] == '-' || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--%s requires two args.", what);
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- optind++;
-
- *flags = 1;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int SET_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
-{
- struct ipt_set_info_target *myinfo =
- (struct ipt_set_info_target *) (*target)->data;
-
- switch (c) {
- case '1': /* --add-set <set> <flags> */
- parse_target(argv, invert, flags,
- &myinfo->add_set, "add-set");
- break;
- case '2': /* --del-set <set>[:<flags>] <flags> */
- parse_target(argv, invert, flags,
- &myinfo->del_set, "del-set");
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; must specify at least one. */
-static void SET_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify either `--add-set' or `--del-set'");
-}
-
-static void
-print_target(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- if (info->index == IP_SET_INVALID_ID)
- return;
- get_set_byid(setname, info->index);
- printf("%s %s", prefix, setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the targinfo. */
-static void SET_print(const void *ip, const struct xt_entry_target *target,
- int numeric)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("add-set", &info->add_set);
- print_target("del-set", &info->del_set);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void SET_save(const void *ip, const struct xt_entry_target *target)
-{
- struct ipt_set_info_target *info =
- (struct ipt_set_info_target *) target->data;
-
- print_target("--add-set", &info->add_set);
- print_target("--del-set", &info->del_set);
-}
-
-static struct iptables_target set_target = {
- .name = "SET",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_target)),
- .help = SET_help,
- .init = SET_init,
- .parse = SET_parse,
- .final_check = SET_check,
- .print = SET_print,
- .save = SET_save,
- .extra_opts = SET_opts,
-};
-
-void _init(void)
-{
- register_target(&set_target);
-}
diff --git a/extensions/libipt_SET.man b/extensions/libipt_SET.man
deleted file mode 100644
index 8f25bea..0000000
--- a/extensions/libipt_SET.man
+++ /dev/null
@@ -1,16 +0,0 @@
-This modules adds and/or deletes entries from IP sets which can be defined
-by ipset(8).
-.TP
-.BR "--add-set " "setname flag[,flag...]"
-add the address(es)/port(s) of the packet to the sets
-.TP
-.BR "--del-set " "setname flag[,flag...]"
-delete the address(es)/port(s) of the packet from the sets,
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them.
-.TP
-The bindings to follow must previously be defined in order to use
-multilevel adding/deleting by the SET target.
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
deleted file mode 100644
index 4a98dd8..0000000
--- a/extensions/libipt_condition.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* Shared library add-on to iptables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
-
-static void condition_help(void)
-{
- printf("condition match v%s options:\n"
- "--condition [!] filename "
- "Match on boolean value stored in /proc file\n",
- IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
- { .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
- { .name = 0 }
-};
-
-static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct condition_info *info =
- (struct condition_info *) (*match)->data;
-
- if (c == 'X') {
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify multiple conditions");
-
- check_inverse(optarg, &invert, &optind, 0);
-
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
- exit_error(PARAMETER_PROBLEM,
- "File name too long");
-
- info->invert = invert;
- *flags = 1;
- return 1;
- }
-
- return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
- const struct condition_info *info =
- (const struct condition_info *) match->data;
-
- printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct iptables_match condition_match = {
- .name = "condition",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct condition_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct condition_info)),
- .help = condition_help,
- .parse = condition_parse,
- .final_check = condition_check,
- .print = condition_print,
- .save = condition_save,
- .extra_opts = condition_opts,
-};
-
-
-void
-_init(void)
-{
- register_match(&condition_match);
-}
diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man
deleted file mode 100644
index ce2aa95..0000000
--- a/extensions/libipt_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
diff --git a/extensions/libipt_set.c b/extensions/libipt_set.c
deleted file mode 100644
index 932008b..0000000
--- a/extensions/libipt_set.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- * Patrick Schaaf <bof@bof.de>
- * Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Shared library add-on to iptables to add IP set matching. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
-
-/* Function which prints out usage message. */
-static void set_help(void)
-{
- printf("set v%s options:\n"
- " [!] --set name flags\n"
- " 'name' is the set name from to match,\n"
- " 'flags' are the comma separated list of\n"
- " 'src' and 'dst'.\n"
- "\n", IPTABLES_VERSION);
-}
-
-static const struct option set_opts[] = {
- {"set", 1, 0, '1'},
- {0}
-};
-
-/* Initialize the match. */
-static void set_init(struct xt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
-
- memset(info, 0, sizeof(struct ipt_set_info_match));
-
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int set_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_set_info_match *myinfo =
- (struct ipt_set_info_match *) (*match)->data;
- struct ipt_set_info *info = &myinfo->match_set;
-
- switch (c) {
- case '1': /* --set <set> <flag>[,<flag> */
- if (info->flags[0])
- exit_error(PARAMETER_PROBLEM,
- "--set can be specified only once");
-
- check_inverse(optarg, &invert, &optind, 0);
- if (invert)
- info->flags[0] |= IPSET_MATCH_INV;
-
- if (!argv[optind]
- || argv[optind][0] == '-'
- || argv[optind][0] == '!')
- exit_error(PARAMETER_PROBLEM,
- "--set requires two args.");
-
- if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1)
- exit_error(PARAMETER_PROBLEM,
- "setname `%s' too long, max %d characters.",
- argv[optind-1], IP_SET_MAXNAMELEN - 1);
-
- get_set_byname(argv[optind - 1], info);
- parse_bindings(argv[optind], info);
- DEBUGP("parse: set index %u\n", info->index);
- optind++;
-
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --set. */
-static void set_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "You must specify `--set' with proper arguments");
- DEBUGP("final check OK\n");
-}
-
-static void
-print_match(const char *prefix, const struct ipt_set_info *info)
-{
- int i;
- char setname[IP_SET_MAXNAMELEN];
-
- get_set_byid(setname, info->index);
- printf("%s%s %s",
- (info->flags[0] & IPSET_MATCH_INV) ? "! " : "",
- prefix,
- setname);
- for (i = 0; i < IP_SET_MAX_BINDINGS; i++) {
- if (!info->flags[i])
- break;
- printf("%s%s",
- i == 0 ? " " : ",",
- info->flags[i] & IPSET_SRC ? "src" : "dst");
- }
- printf(" ");
-}
-
-/* Prints out the matchinfo. */
-static void set_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("set", &info->match_set);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void set_save(const void *ip, const struct xt_entry_match *match)
-{
- struct ipt_set_info_match *info =
- (struct ipt_set_info_match *) match->data;
-
- print_match("--set", &info->match_set);
-}
-
-static struct iptables_match set_match = {
- .name = "set",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_set_info_match)),
- .help = set_help,
- .init = set_init,
- .parse = set_parse,
- .final_check = set_check,
- .print = set_print,
- .save = set_save,
- .extra_opts = set_opts,
-};
-
-void _init(void)
-{
- register_match(&set_match);
-}
diff --git a/extensions/libipt_set.h b/extensions/libipt_set.h
deleted file mode 100644
index 02de0fa..0000000
--- a/extensions/libipt_set.h
+++ /dev/null
@@ -1,104 +0,0 @@
-#ifndef _LIBIPT_SET_H
-#define _LIBIPT_SET_H
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <errno.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
-static void
-parse_bindings(const char *optarg, struct ipt_set_info *info)
-{
- char *saved = strdup(optarg);
- char *ptr, *tmp = saved;
- int i = 0;
-
- while (i < (IP_SET_MAX_BINDINGS - 1) && tmp != NULL) {
- ptr = strsep(&tmp, ",");
- if (strncmp(ptr, "src", 3) == 0)
- info->flags[i++] |= IPSET_SRC;
- else if (strncmp(ptr, "dst", 3) == 0)
- info->flags[i++] |= IPSET_DST;
- else
- exit_error(PARAMETER_PROBLEM,
- "You must spefify (the comma separated list of) 'src' or 'dst'.");
- }
-
- if (tmp)
- exit_error(PARAMETER_PROBLEM,
- "Can't follow bindings deeper than %i.",
- IP_SET_MAX_BINDINGS - 1);
-
- free(saved);
-}
-
-static int get_set_getsockopt(void *data, socklen_t * size)
-{
- int sockfd = -1;
- sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
- if (sockfd < 0)
- exit_error(OTHER_PROBLEM,
- "Can't open socket to ipset.\n");
- /* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
-}
-
-static void get_set_byname(const char *setname, struct ipt_set_info *info)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYNAME;
- req.version = IP_SET_PROTOCOL_VERSION;
- strncpy(req.set.name, setname, IP_SET_MAXNAMELEN);
- req.set.name[IP_SET_MAXNAMELEN - 1] = '\0';
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.index == IP_SET_INVALID_ID)
- exit_error(PARAMETER_PROBLEM,
- "Set %s doesn't exist.\n", setname);
-
- info->index = req.set.index;
-}
-
-static void get_set_byid(char * setname, ip_set_id_t index)
-{
- struct ip_set_req_get_set req;
- socklen_t size = sizeof(struct ip_set_req_get_set);
- int res;
-
- req.op = IP_SET_OP_GET_BYINDEX;
- req.version = IP_SET_PROTOCOL_VERSION;
- req.set.index = index;
- res = get_set_getsockopt(&req, &size);
- if (res != 0)
- exit_error(OTHER_PROBLEM,
- "Problem when communicating with ipset, errno=%d.\n",
- errno);
- if (size != sizeof(struct ip_set_req_get_set))
- exit_error(OTHER_PROBLEM,
- "Incorrect return size from kernel during ipset lookup, "
- "(want %ld, got %ld)\n",
- sizeof(struct ip_set_req_get_set), size);
- if (req.set.name[0] == '\0')
- exit_error(PARAMETER_PROBLEM,
- "Set id %i in kernel doesn't exist.\n", index);
-
- strncpy(setname, req.set.name, IP_SET_MAXNAMELEN);
-}
-
-#endif /*_LIBIPT_SET_H*/
diff --git a/extensions/libipt_set.man b/extensions/libipt_set.man
deleted file mode 100644
index d280577..0000000
--- a/extensions/libipt_set.man
+++ /dev/null
@@ -1,17 +0,0 @@
-This modules macthes IP sets which can be defined by ipset(8).
-.TP
-.BR "--set " "setname flag[,flag...]"
-where flags are
-.BR "src"
-and/or
-.BR "dst"
-and there can be no more than six of them. Hence the command
-.nf
- iptables -A FORWARD -m set --set test src,dst
-.fi
-will match packets, for which (depending on the type of the set) the source
-address or port number of the packet can be found in the specified set. If
-there is a binding belonging to the mached set element or there is a default
-binding for the given set, then the rule will match the packet only if
-additionally (depending on the type of the set) the destination address or
-port number of the packet can be found in the set according to the binding.
--
1.5.5.rc3
* [PATCH 8/8] Implement AF_UNSPEC as a wildcard for extensions
From: Jan Engelhardt @ 2008-04-13 8:25 UTC
To: kaber; +Cc: netfilter-devel
When a match or target is registered using
xtables_register_{match,target}, xtables.c will consider AF_UNSPEC as
a wildcard when specified as the .family member. Rules between
two competing matches/targets are:
- higher revision (if usable in kernel) wins over lower revision
- in case of same revision: generic AF_UNSPEC loses to specific AF_...
---
extensions/libxt_CLASSIFY.c | 17 +---------------
extensions/libxt_MARK.c | 18 +----------------
extensions/libxt_RATEEST.c | 22 ++-----------------
extensions/libxt_SECMARK.c | 18 +----------------
extensions/libxt_TRACE.c | 13 +-----------
extensions/libxt_length.c | 17 +---------------
extensions/libxt_limit.c | 17 +---------------
extensions/libxt_mark.c | 36 +--------------------------------
extensions/libxt_pkttype.c | 17 +---------------
extensions/libxt_quota.c | 16 +--------------
extensions/libxt_rateest.c | 21 ++-----------------
extensions/libxt_standard.c | 13 +-----------
extensions/libxt_statistic.c | 18 +----------------
extensions/libxt_string.c | 19 +-----------------
extensions/libxt_time.c | 17 +---------------
extensions/libxt_u32.c | 17 +---------------
xtables.c | 22 +++++++++++++++-----
17 files changed, 37 insertions(+), 281 deletions(-)
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index e39367a..4a3520f 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -103,21 +103,7 @@ CLASSIFY_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target classify_target = {
- .family = AF_INET,
- .name = "CLASSIFY",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_classify_target_info)),
- .help = CLASSIFY_help,
- .parse = CLASSIFY_parse,
- .final_check = CLASSIFY_final_check,
- .print = CLASSIFY_print,
- .save = CLASSIFY_save,
- .extra_opts = CLASSIFY_opts,
-};
-
-static struct xtables_target classify_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "CLASSIFY",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_classify_target_info)),
@@ -133,5 +119,4 @@ static struct xtables_target classify_target6 = {
void _init(void)
{
xtables_register_target(&classify_target);
- xtables_register_target(&classify_target6);
}
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index 569d2e8..d7d79d5 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -333,22 +333,7 @@ static struct xtables_target mark_tg_reg_v2 = {
.version = IPTABLES_VERSION,
.name = "MARK",
.revision = 2,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
- .help = mark_tg_help,
- .parse = mark_tg_parse,
- .final_check = mark_tg_check,
- .print = mark_tg_print,
- .save = mark_tg_save,
- .extra_opts = mark_tg_opts,
-};
-
-static struct xtables_target mark_tg6_reg_v2 = {
- .version = IPTABLES_VERSION,
- .name = "MARK",
- .revision = 2,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)),
.help = mark_tg_help,
@@ -365,5 +350,4 @@ void _init(void)
xtables_register_target(&mark_target_v1);
xtables_register_target(&mark_target6_v0);
xtables_register_target(&mark_tg_reg_v2);
- xtables_register_target(&mark_tg6_reg_v2);
}
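Review bot: the commit message should say why `mark_target_v1` and `mark_target6_v0`, which _init still registers separately in this hunk's context, stay family-specific while revision 2 becomes AF_UNSPEC; the names indicate IPv4 uses revision 1 and IPv6 revision 0 there, so they cannot share one AF_UNSPEC entry, and a sentence to that effect stops the next reader from trying to fold them as well.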
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index dd7b503..ee0d116 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -202,23 +202,8 @@ RATEEST_save(const void *ip, const struct xt_entry_target *target)
__RATEEST_print(target, "--rateest-");
}
-static struct xtables_target rateest_target4 = {
- .family = AF_INET,
- .name = "RATEEST",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
- .help = RATEEST_help,
- .init = RATEEST_init,
- .parse = RATEEST_parse,
- .final_check = RATEEST_final_check,
- .print = RATEEST_print,
- .save = RATEEST_save,
- .extra_opts = RATEEST_opts,
-};
-
-static struct xtables_target rateest_target6 = {
- .family = AF_INET6,
+static struct xtables_target rateest_tg_reg = {
+ .family = AF_UNSPEC,
.name = "RATEEST",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_target_info)),
@@ -234,6 +219,5 @@ static struct xtables_target rateest_target6 = {
void _init(void)
{
- xtables_register_target(&rateest_target4);
- xtables_register_target(&rateest_target6);
+ xtables_register_target(&rateest_tg_reg);
}
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index b794e7d..92ba527 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -100,22 +100,7 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
}
static struct xtables_target secmark_target = {
- .family = AF_INET,
- .name = "SECMARK",
- .version = IPTABLES_VERSION,
- .revision = 0,
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = SECMARK_help,
- .parse = SECMARK_parse,
- .final_check = SECMARK_check,
- .print = SECMARK_print,
- .save = SECMARK_save,
- .extra_opts = SECMARK_opts,
-};
-
-static struct xtables_target secmark_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "SECMARK",
.version = IPTABLES_VERSION,
.revision = 0,
@@ -132,5 +117,4 @@ static struct xtables_target secmark_target6 = {
void _init(void)
{
xtables_register_target(&secmark_target);
- xtables_register_target(&secmark_target6);
}
diff --git a/extensions/libxt_TRACE.c b/extensions/libxt_TRACE.c
index c70df6a..97e3a03 100644
--- a/extensions/libxt_TRACE.c
+++ b/extensions/libxt_TRACE.c
@@ -24,17 +24,7 @@ static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags,
}
static struct xtables_target trace_target = {
- .family = AF_INET,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
- .help = TRACE_help,
- .parse = TRACE_parse,
-};
-
-static struct xtables_target trace_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "TRACE",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(0),
@@ -46,5 +36,4 @@ static struct xtables_target trace_target6 = {
void _init(void)
{
xtables_register_target(&trace_target);
- xtables_register_target(&trace_target6);
}
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index b812b67..16e00bd 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -125,21 +125,7 @@ static void length_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match length_match = {
- .family = AF_INET,
- .name = "length",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_length_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_length_info)),
- .help = length_help,
- .parse = length_parse,
- .final_check = length_check,
- .print = length_print,
- .save = length_save,
- .extra_opts = length_opts,
-};
-
-static struct xtables_match length_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "length",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_length_info)),
@@ -155,5 +141,4 @@ static struct xtables_match length_match6 = {
void _init(void)
{
xtables_register_match(&length_match);
- xtables_register_match(&length_match6);
}
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index 65a8df3..1c86df9 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -165,21 +165,7 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match limit_match = {
- .family = AF_INET,
- .name = "limit",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateinfo)),
- .userspacesize = offsetof(struct xt_rateinfo, prev),
- .help = limit_help,
- .init = limit_init,
- .parse = limit_parse,
- .print = limit_print,
- .save = limit_save,
- .extra_opts = limit_opts,
-};
-
-static struct xtables_match limit_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "limit",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateinfo)),
@@ -195,5 +181,4 @@ static struct xtables_match limit_match6 = {
void _init(void)
{
xtables_register_match(&limit_match);
- xtables_register_match(&limit_match6);
}
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index af7f844..fab8ecb 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -149,22 +149,7 @@ mark_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match mark_match = {
- .family = AF_INET,
- .name = "mark",
- .revision = 0,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_mark_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)),
- .help = mark_mt_help,
- .parse = mark_parse,
- .final_check = mark_mt_check,
- .print = mark_print,
- .save = mark_save,
- .extra_opts = mark_mt_opts,
-};
-
-static struct xtables_match mark_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "mark",
.revision = 0,
.version = IPTABLES_VERSION,
@@ -182,22 +167,7 @@ static struct xtables_match mark_mt_reg = {
.version = IPTABLES_VERSION,
.name = "mark",
.revision = 1,
- .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
- .help = mark_mt_help,
- .parse = mark_mt_parse,
- .final_check = mark_mt_check,
- .print = mark_mt_print,
- .save = mark_mt_save,
- .extra_opts = mark_mt_opts,
-};
-
-static struct xtables_match mark_mt6_reg = {
- .version = IPTABLES_VERSION,
- .name = "mark",
- .revision = 1,
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)),
.help = mark_mt_help,
@@ -211,7 +181,5 @@ static struct xtables_match mark_mt6_reg = {
void _init(void)
{
xtables_register_match(&mark_match);
- xtables_register_match(&mark_match6);
xtables_register_match(&mark_mt_reg);
- xtables_register_match(&mark_mt6_reg);
}
diff --git a/extensions/libxt_pkttype.c b/extensions/libxt_pkttype.c
index 75194fc..7c469a8 100644
--- a/extensions/libxt_pkttype.c
+++ b/extensions/libxt_pkttype.c
@@ -147,21 +147,7 @@ static void pkttype_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match pkttype_match = {
- .family = AF_INET,
- .name = "pkttype",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_pkttype_info)),
- .help = pkttype_help,
- .parse = pkttype_parse,
- .final_check = pkttype_check,
- .print = pkttype_print,
- .save = pkttype_save,
- .extra_opts = pkttype_opts,
-};
-
-static struct xtables_match pkttype_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "pkttype",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_pkttype_info)),
@@ -177,5 +163,4 @@ static struct xtables_match pkttype_match6 = {
void _init(void)
{
xtables_register_match(&pkttype_match);
- xtables_register_match(&pkttype_match6);
}
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index b4fb78b..590dbfb 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -78,20 +78,7 @@ quota_parse(int c, char **argv, int invert, unsigned int *flags,
}
struct xtables_match quota_match = {
- .family = AF_INET,
- .name = "quota",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof (struct xt_quota_info)),
- .userspacesize = offsetof(struct xt_quota_info, quota),
- .help = quota_help,
- .parse = quota_parse,
- .print = quota_print,
- .save = quota_save,
- .extra_opts = quota_opts,
-};
-
-struct xtables_match quota_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "quota",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof (struct xt_quota_info)),
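Review bot: `struct xtables_match quota_match` (the context line at the top of this hunk) is the only registration in the series without `static`, so the symbol is exported from the plugin; since the initializer is rewritten here anyway, make it `static struct xtables_match quota_match = {` to match the other extensions.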
@@ -107,5 +94,4 @@ void
_init(void)
{
xtables_register_match("a_match);
- xtables_register_match("a_match6);
}
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 5f13340..a335781 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -426,22 +426,8 @@ rateest_save(const void *ip, const struct xt_entry_match *match)
}
}
-static struct xtables_match rateest_match4 = {
- .family = AF_INET,
- .name = "rateest",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
- .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
- .help = rateest_help,
- .parse = rateest_parse,
- .final_check = rateest_final_check,
- .print = rateest_print,
- .save = rateest_save,
- .extra_opts = rateest_opts,
-};
-
-static struct xtables_match rateest_match6 = {
- .family = AF_INET6,
+static struct xtables_match rateest_mt_reg = {
+ .family = AF_UNSPEC,
.name = "rateest",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
@@ -456,6 +442,5 @@ static struct xtables_match rateest_match6 = {
void _init(void)
{
- xtables_register_match(&rateest_match4);
- xtables_register_match(&rateest_match6);
+ xtables_register_match(&rateest_mt_reg);
}
diff --git a/extensions/libxt_standard.c b/extensions/libxt_standard.c
index eef9369..a50cffe 100644
--- a/extensions/libxt_standard.c
+++ b/extensions/libxt_standard.c
@@ -24,17 +24,7 @@ static int standard_parse(int c, char **argv, int invert, unsigned int *flags,
}
static struct xtables_target standard_target = {
- .family = AF_INET,
- .name = "standard",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(int)),
- .userspacesize = XT_ALIGN(sizeof(int)),
- .help = standard_help,
- .parse = standard_parse,
-};
-
-static struct xtables_target standard_target6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "standard",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(int)),
@@ -46,5 +36,4 @@ static struct xtables_target standard_target6 = {
void _init(void)
{
xtables_register_target(&standard_target);
- xtables_register_target(&standard_target6);
}
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index ebb4e91..2c2464d 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -164,22 +164,7 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match statistic_match = {
- .family = AF_INET,
- .name = "statistic",
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_statistic_info)),
- .userspacesize = offsetof(struct xt_statistic_info, u.nth.count),
- .init = statistic_mt_init,
- .help = statistic_help,
- .parse = statistic_parse,
- .final_check = statistic_check,
- .print = statistic_print,
- .save = statistic_save,
- .extra_opts = statistic_opts,
-};
-
-static struct xtables_match statistic_match6 = {
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.name = "statistic",
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_statistic_info)),
@@ -196,5 +181,4 @@ static struct xtables_match statistic_match6 = {
void _init(void)
{
xtables_register_match(&statistic_match);
- xtables_register_match(&statistic_match6);
}
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index f1030bb..dc2cd9d 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -327,23 +327,7 @@ static void string_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match string_match = {
.name = "string",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_string_info)),
- .userspacesize = offsetof(struct xt_string_info, config),
- .help = string_help,
- .init = string_init,
- .parse = string_parse,
- .final_check = string_check,
- .print = string_print,
- .save = string_save,
- .extra_opts = string_opts,
-};
-
-
-static struct xtables_match string_match6 = {
- .name = "string",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_string_info)),
.userspacesize = offsetof(struct xt_string_info, config),
@@ -359,5 +343,4 @@ static struct xtables_match string_match6 = {
void _init(void)
{
xtables_register_match(&string_match);
- xtables_register_match(&string_match6);
}
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index c39ab1a..c551a6f 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -466,21 +466,7 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match time_match = {
.name = "time",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_time_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
- .help = time_help,
- .init = time_init,
- .parse = time_parse,
- .print = time_print,
- .save = time_save,
- .extra_opts = time_opts,
-};
-
-static struct xtables_match time_match6 = {
- .name = "time",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_time_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_time_info)),
@@ -495,5 +481,4 @@ static struct xtables_match time_match6 = {
void _init(void)
{
xtables_register_match(&time_match);
- xtables_register_match(&time_match6);
}
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 251b2d4..9360c09 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -272,20 +272,7 @@ static void u32_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match u32_match = {
.name = "u32",
- .family = AF_INET,
- .version = IPTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_u32)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
- .help = u32_help,
- .parse = u32_parse,
- .print = u32_print,
- .save = u32_save,
- .extra_opts = u32_opts,
-};
-
-static struct xtables_match u32_match6 = {
- .name = "u32",
- .family = AF_INET6,
+ .family = AF_UNSPEC,
.version = IPTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_u32)),
.userspacesize = XT_ALIGN(sizeof(struct xt_u32)),
@@ -299,6 +286,4 @@ static struct xtables_match u32_match6 = {
void _init(void)
{
xtables_register_match(&u32_match);
- xtables_register_match(&u32_match6);
- return;
}
diff --git a/xtables.c b/xtables.c
index b26b416..21da4b5 100644
--- a/xtables.c
+++ b/xtables.c
@@ -557,12 +557,13 @@ void xtables_register_match(struct xtables_match *me)
}
/* ignore not interested match */
- if (me->family != afinfo.family)
+ if (me->family != afinfo.family && me->family != AF_UNSPEC)
return;
old = find_match(me->name, DURING_LOAD, NULL);
if (old) {
- if (old->revision == me->revision) {
+ if (old->revision == me->revision &&
+ old->family == me->family) {
fprintf(stderr,
"%s: match `%s' already registered.\n",
program_name, me->name);
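Review bot: the comment `/* ignore not interested match */` no longer describes the condition below it, which now also lets AF_UNSPEC through for every family; update it, e.g. `/* Ignore matches for other families; AF_UNSPEC is a wildcard. */`. The widened duplicate test (`old->family == me->family`) deliberately lets a specific and a generic entry of the same revision coexist up to the tie-break later in this function, which is worth a comment here as well, since on its own the hunk reads as weakening the "already registered" check.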
@@ -574,10 +575,14 @@ void xtables_register_match(struct xtables_match *me)
&& old->revision > me->revision)
return;
- /* Replace if compatible. */
+ /* See if new match can be used. */
if (!compatible_match_revision(me->name, me->revision))
return;
+ /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
+ if (old->revision == me->revision && me->family == AF_UNSPEC)
+ return;
+
/* Delete old one. */
for (i = &xtables_matches; *i!=old; i = &(*i)->next);
*i = old->next;
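Review bot: the new `/* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */` test sits after `compatible_match_revision(me->name, me->revision)`, which per the commit message consults the kernel, yet when `old->revision == me->revision && me->family == AF_UNSPEC` the result is to keep `old` whatever that probe says; move the two-line family check above the probe so a generic duplicate is rejected without a kernel round trip.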
@@ -623,14 +628,15 @@ void xtables_register_target(struct xtables_target *me)
}
/* ignore not interested target */
- if (me->family != afinfo.family)
+ if (me->family != afinfo.family && me->family != AF_UNSPEC)
return;
old = find_target(me->name, DURING_LOAD);
if (old) {
struct xtables_target **i;
- if (old->revision == me->revision) {
+ if (old->revision == me->revision &&
+ old->family == me->family) {
fprintf(stderr,
"%s: target `%s' already registered.\n",
program_name, me->name);
@@ -642,10 +648,14 @@ void xtables_register_target(struct xtables_target *me)
&& old->revision > me->revision)
return;
- /* Replace if compatible. */
+ /* See if new target can be used. */
if (!compatible_target_revision(me->name, me->revision))
return;
+ /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */
+ if (old->revision == me->revision && me->family == AF_UNSPEC)
+ return;
+
/* Delete old one. */
for (i = &xtables_targets; *i!=old; i = &(*i)->next);
*i = old->next;
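Review bot: this is the second place (after xtables_register_match() above) where the same revision/family decision is spelled out by hand; factor the `old->revision == me->revision && old->family == me->family`, `old->revision > me->revision` and `me->family == AF_UNSPEC` tests into one small helper shared by both registration functions so the two paths cannot drift apart, and put the `me->family == AF_UNSPEC` test ahead of `compatible_target_revision(me->name, me->revision)`, since its outcome does not depend on the kernel probe.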
--
1.5.5.rc3
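The two precedence rules from the commit message, walked through on a toy registry. This is an added example, not code from iptables or from this patch: `struct ext`, `register_ext()`, `find_ext()`, `mk()` and the revision table in `compatible_revision()` are constructed stand-ins for struct xtables_match, xtables_register_match(), find_match() and compatible_match_revision(); the order of checks follows the patched xtables.c, and the `compatible_revision(old->name, old->revision)` test on the old entry is assumed from the `&& old->revision > me->revision` context line.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h> /* AF_INET, AF_INET6, AF_UNSPEC */

/* Constructed stand-in for struct xtables_match: only the fields the rules use. */
struct ext {
	const char *name;
	unsigned int revision;
	unsigned short family;
	struct ext *next;
};

enum reg_result { /* the real xtables_register_match() is void; exits on dup */
	REG_IGNORED_FAMILY, /* foreign family and not AF_UNSPEC */
	REG_DUPLICATE,      /* same name, revision and family */
	REG_KEPT_OLD,       /* existing registration wins */
	REG_APPENDED,       /* first registration under this name */
	REG_REPLACED        /* new one displaced the existing one */
};

static unsigned short afinfo_family = AF_INET; /* afinfo.family of iptables */
static struct ext *registry;
static struct ext pool[32]; /* records for the walk-through, no malloc */
static unsigned int pool_used;

/* Constructed stand-in for compatible_match_revision(): the real one asks the
 * kernel; this toy "kernel" knows revisions 0 and 1 of everything but limit. */
static int compatible_revision(const char *name, unsigned int revision)
{
	return revision <= (strcmp(name, "limit") == 0 ? 0u : 1u);
}

struct ext *find_ext(const char *name)
{
	struct ext *e;
	for (e = registry; e != NULL; e = e->next)
		if (strcmp(e->name, name) == 0)
			return e;
	return NULL;
}

enum reg_result register_ext(struct ext *me)
{
	struct ext **i, *old;
	/* AF_UNSPEC is a wildcard; any other foreign family is ignored. */
	if (me->family != afinfo_family && me->family != AF_UNSPEC)
		return REG_IGNORED_FAMILY;
	old = find_ext(me->name);
	if (old != NULL) {
		if (old->revision == me->revision && old->family == me->family)
			return REG_DUPLICATE;
		/* Rule 1: the higher revision wins, if the kernel can use it. */
		if (compatible_revision(old->name, old->revision) &&
		    old->revision > me->revision)
			return REG_KEPT_OLD;
		if (!compatible_revision(me->name, me->revision))
			return REG_KEPT_OLD;
		/* Rule 2: same revision, generic AF_UNSPEC loses to specific. */
		if (old->revision == me->revision && me->family == AF_UNSPEC)
			return REG_KEPT_OLD;
		/* Unlink the old one; the new one is appended below. */
		for (i = &registry; *i != old; i = &(*i)->next)
			;
		*i = old->next;
	}
	for (i = &registry; *i != NULL; i = &(*i)->next)
		;
	me->next = NULL;
	*i = me;
	return old != NULL ? REG_REPLACED : REG_APPENDED;
}

struct ext *mk(const char *name, unsigned int rev, unsigned short family)
{
	struct ext *e = &pool[pool_used++ % 32];
	*e = (struct ext){ name, rev, family, NULL };
	return e;
}

static const char *const outcome[] = {"ignored (other family)", "duplicate",
				      "kept old", "appended", "replaced"};

void show(struct ext *e)
{
	printf("%s rev %u family %d -> %s\n", e->name, e->revision, e->family,
	       outcome[register_ext(e)]);
}

int main(void)
{
	show(mk("mark", 0, AF_INET));   /* old libxt_mark.c: IPv4-only rev 0 */
	show(mk("mark", 0, AF_UNSPEC)); /* generic rev 0 loses the tie */
	show(mk("mark", 1, AF_UNSPEC)); /* higher usable revision wins */
	show(mk("mark", 1, AF_INET));   /* specific rev 1 displaces generic */
	show(mk("mark", 2, AF_UNSPEC)); /* kernel lacks rev 2: keep rev 1 */
	show(mk("mark", 1, AF_INET6));  /* iptables ignores AF_INET6 plugins */
	show(mk("mark", 1, AF_INET));   /* exact repeat: duplicate */
	return 0;
}
```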
* Re: [PATCH 2/8] Add all necessary header files - compilation fix for various cases
From: Patrick McHardy @ 2008-04-13 8:29 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Allow iptables to compile without a kernel source tree. This
> implies fixing build for older kernels, such as 2.6.17 which
> lack xt_SECMARK.h.
My question is still open - what version are these headers
based on? Or, differently asked: do they include anything not
merged upstream yet?
* Re: [PATCH 1/8] Import iptables-apply
2008-04-13 8:25 ` [PATCH 1/8] Import iptables-apply Jan Engelhardt
` (6 preceding siblings ...)
2008-04-13 8:25 ` [PATCH 8/8] Implement AF_UNSPEC as a wildcard for extensions Jan Engelhardt
@ 2008-04-14 6:38 ` Patrick McHardy
7 siblings, 0 replies; 25+ messages in thread
From: Patrick McHardy @ 2008-04-14 6:38 UTC (permalink / raw
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> ---
> iptables-apply | 174 ++++++++++++++++++++++++++++++++++++++++++++++
> iptables-apply.8 | 44 ++++++++++++
> 2 files changed, 218 insertions(+), 0 deletions(-)
> create mode 100755 iptables-apply
> create mode 100644 iptables-apply.8
Applied.
* Re: [PATCH 2/8] Add all necessary header files - compilation fix for various cases
From: Patrick McHardy @ 2008-04-14 6:40 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> Allow iptables to compile without a kernel source tree. This
> implies fixing build for older kernels, such as 2.6.17 which
> lack xt_SECMARK.h.
Applied, including the extra chunk you sent in a separate mail.
* Re: [PATCH 3/8] Install libiptc header files because xtables.h depends on it
From: Patrick McHardy @ 2008-04-14 6:41 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> ---
> Makefile.am | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
Applied.
* Re: [PATCH 4/8] iptables: use C99 lists for struct options
From: Patrick McHardy @ 2008-04-14 6:42 UTC
To: Jan Engelhardt; +Cc: netfilter-devel, Gáspár Lajos
Jan Engelhardt wrote:
> From: Gáspár Lajos <swifty@freemail.hu>
>
> ---
> ip6tables-restore.c | 18 ++++++------
> ip6tables-save.c | 12 ++++----
> ip6tables.c | 60 ++++++++++++++++++++--------------------
> iptables-restore.c | 20 +++++++-------
> iptables-save.c | 12 ++++----
> iptables.c | 64 +++++++++++++++++++++---------------------
> 6 files changed, 93 insertions(+), 93 deletions(-)
Applied.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 5/8] Combine ipt and ip6t manpages
From: Patrick McHardy @ 2008-04-14 6:44 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> ---
> extensions/libip6t_TCPMSS.man | 42 ----------
> extensions/libip6t_connlimit.man | 27 -------
> extensions/libip6t_length.man | 4 -
> extensions/libip6t_multiport.man | 20 -----
> extensions/libip6t_tcp.man | 45 -----------
> extensions/libipt_TRACE.man | 10 ---
> extensions/libipt_length.man | 4 -
> extensions/libipt_policy.man | 48 ------------
> extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} | 8 +-
> extensions/{libip6t_TRACE.man => libxt_TRACE.man} | 3 +-
> .../{libipt_connlimit.man => libxt_connlimit.man} | 0
> extensions/libxt_length.man | 5 +
> .../{libipt_multiport.man => libxt_multiport.man} | 0
> .../{libip6t_policy.man => libxt_policy.man} | 0
> extensions/{libipt_tcp.man => libxt_tcp.man} | 0
> 15 files changed, 12 insertions(+), 204 deletions(-)
> delete mode 100644 extensions/libip6t_TCPMSS.man
> delete mode 100644 extensions/libip6t_connlimit.man
> delete mode 100644 extensions/libip6t_length.man
> delete mode 100644 extensions/libip6t_multiport.man
> delete mode 100644 extensions/libip6t_tcp.man
> delete mode 100644 extensions/libipt_TRACE.man
> delete mode 100644 extensions/libipt_length.man
> delete mode 100644 extensions/libipt_policy.man
> rename extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} (77%)
> rename extensions/{libip6t_TRACE.man => libxt_TRACE.man} (94%)
> rename extensions/{libipt_connlimit.man => libxt_connlimit.man} (100%)
> create mode 100644 extensions/libxt_length.man
> rename extensions/{libipt_multiport.man => libxt_multiport.man} (100%)
> rename extensions/{libip6t_policy.man => libxt_policy.man} (100%)
> rename extensions/{libipt_tcp.man => libxt_tcp.man} (100%)
Please send a unidiff that includes all those renames
so I can apply it using "patch".
* Re: [PATCH 6/8] RATEEST: add manpage
From: Patrick McHardy @ 2008-04-14 6:45 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> ---
> extensions/libxt_RATEEST.c | 5 ++---
> extensions/libxt_RATEEST.man | 11 +++++++++++
> 2 files changed, 13 insertions(+), 3 deletions(-)
> create mode 100644 extensions/libxt_RATEEST.man
Applied.
* Re: [PATCH 7/8] Remove support for compilation of conditional extensions
From: Patrick McHardy @ 2008-04-14 6:46 UTC
To: Jan Engelhardt; +Cc: netfilter-devel, Jozsef Kadlecsik
Jan Engelhardt wrote:
> ---
> extensions/.condition-test | 4 -
> extensions/.condition-test6 | 4 -
> extensions/.set-test | 4 -
> extensions/GNUmakefile.in | 27 +----
> extensions/libip6t_condition.c | 95 ----------------
> extensions/libip6t_condition.man | 4 -
> extensions/libipt_SET.c | 174 ------------------------------
> extensions/libipt_SET.man | 16 ---
> extensions/libipt_condition.c | 94 ----------------
> extensions/libipt_condition.man | 4 -
> extensions/libipt_set.c | 161 ---------------------------
> extensions/libipt_set.h | 104 ------------------
> extensions/libipt_set.man | 17 ---
> 13 files changed, 3 insertions(+), 705 deletions(-)
> delete mode 100755 extensions/.condition-test
> delete mode 100755 extensions/.condition-test6
> delete mode 100755 extensions/.set-test
> delete mode 100644 extensions/libip6t_condition.c
> delete mode 100644 extensions/libip6t_condition.man
> delete mode 100644 extensions/libipt_SET.c
> delete mode 100644 extensions/libipt_SET.man
> delete mode 100644 extensions/libipt_condition.c
> delete mode 100644 extensions/libipt_condition.man
> delete mode 100644 extensions/libipt_set.c
> delete mode 100644 extensions/libipt_set.h
> delete mode 100644 extensions/libipt_set.man
Was there some resolution on the discussion that this
is the way to go? I mainly would like to see an ACK
from Jozsef for this change before applying it.
* Re: [PATCH 8/8] Implement AF_UNSPEC as a wildcard for extensions
From: Patrick McHardy @ 2008-04-14 6:47 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> When a match or target is registered using
> xtables_register_{match,target}, xtables.c will consider AF_UNSPEC as
> a wildcard when specified as the .family member. Rules between
> two competing matches/targets are:
>
> - higher revision (if usable in kernel) wins over lower revision
> - in case of same revision: generic AF_UNSPEC loses to specific AF_...
> ---
> extensions/libxt_CLASSIFY.c | 17 +---------------
> extensions/libxt_MARK.c | 18 +----------------
> extensions/libxt_RATEEST.c | 22 ++-----------------
> extensions/libxt_SECMARK.c | 18 +----------------
> extensions/libxt_TRACE.c | 13 +-----------
> extensions/libxt_length.c | 17 +---------------
> extensions/libxt_limit.c | 17 +---------------
> extensions/libxt_mark.c | 36 +--------------------------------
> extensions/libxt_pkttype.c | 17 +---------------
> extensions/libxt_quota.c | 16 +--------------
> extensions/libxt_rateest.c | 21 ++-----------------
> extensions/libxt_standard.c | 13 +-----------
> extensions/libxt_statistic.c | 18 +----------------
> extensions/libxt_string.c | 19 +-----------------
> extensions/libxt_time.c | 17 +---------------
> extensions/libxt_u32.c | 17 +---------------
> xtables.c | 22 +++++++++++++++-----
> 17 files changed, 37 insertions(+), 281 deletions(-)
Applied.
* Re: [PATCH 7/8] Remove support for compilation of conditional extensions
From: Jan Engelhardt @ 2008-04-14 6:53 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Jozsef Kadlecsik
On Monday 2008-04-14 08:46, Patrick McHardy wrote:
> Was there some resolution on the discussion that this
> is the way to go? I mainly would like to see an ACK
> from Jozsef for this change before applying it.
>
There was some sort of positive agreement:
http://www.spinics.net/lists/netfilter-devel/msg02729.html (ipset)
http://www.spinics.net/lists/netfilter-devel/msg02727.html (condition)
* Re: [PATCH 5/8] Combine ipt and ip6t manpages
From: Jan Engelhardt @ 2008-04-14 6:55 UTC
To: Patrick McHardy; +Cc: netfilter-devel
On Monday 2008-04-14 08:44, Patrick McHardy wrote:
>> delete mode 100644 extensions/libipt_policy.man
>> rename extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} (77%)
>> rename extensions/{libip6t_TRACE.man => libxt_TRACE.man} (94%)
>> rename extensions/{libipt_connlimit.man => libxt_connlimit.man} (100%)
>> create mode 100644 extensions/libxt_length.man
>> rename extensions/{libipt_multiport.man => libxt_multiport.man} (100%)
>> rename extensions/{libip6t_policy.man => libxt_policy.man} (100%)
>> rename extensions/{libipt_tcp.man => libxt_tcp.man} (100%)
>
> Please send a unidiff that includes all those renames
> so I can apply it using "patch".
>
commit 94b7a2a14adc13fdd667d3f06212922e21416e43
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Feb 14 03:02:55 2008 +0100
Combine ipt and ip6t manpages
diff --git a/extensions/libip6t_TCPMSS.man b/extensions/libip6t_TCPMSS.man
deleted file mode 100644
index b4c357e..0000000
--- a/extensions/libip6t_TCPMSS.man
+++ /dev/null
@@ -1,42 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 60). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMPv6 Packet Too Big packets or are unable to send them.
-The symptoms of this problem are that everything works fine from your
-Linux firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 60).
-.TP
-These options are mutually exclusive.
-
diff --git a/extensions/libip6t_TRACE.man b/extensions/libip6t_TRACE.man
deleted file mode 100644
index ca3895a..0000000
--- a/extensions/libip6t_TRACE.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ip6t_LOG module
-is required for the logging.) The packets are logged with the string prefix:
-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
-plain rule, "return" for implicit rule at the end of a user defined chain
-and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
diff --git a/extensions/libip6t_connlimit.man b/extensions/libip6t_connlimit.man
deleted file mode 100644
index d1a4447..0000000
--- a/extensions/libip6t_connlimit.man
+++ /dev/null
@@ -1,27 +0,0 @@
-Allows you to restrict the number of parallel connections to a server per
-client IP address (or client address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-Match if the number of existing connections is (not) above \fIn\fR.
-.TP
-\fB--connlimit-mask\fR \fIprefix_length\fR
-Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128.
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-ip6tables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-network (24 bit netmask)
-ip6tables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
-(ipv6)
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
-16 --connlimit-mask 64 -j REJECT
diff --git a/extensions/libip6t_length.man b/extensions/libip6t_length.man
deleted file mode 100644
index d781a04..0000000
--- a/extensions/libip6t_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of the IPv6 payload in octets, or range of it.
-IPv6 header itself isn't counted.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libip6t_multiport.man b/extensions/libip6t_multiport.man
deleted file mode 100644
index 6f75a6e..0000000
--- a/extensions/libip6t_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction
-with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libip6t_policy.man b/extensions/libip6t_policy.man
deleted file mode 100644
index eed163e..0000000
--- a/extensions/libip6t_policy.man
+++ /dev/null
@@ -1,48 +0,0 @@
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
diff --git a/extensions/libip6t_tcp.man b/extensions/libip6t_tcp.man
deleted file mode 100644
index 41b89a4..0000000
--- a/extensions/libip6t_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions can be used if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libipt_TCPMSS.man b/extensions/libipt_TCPMSS.man
deleted file mode 100644
index 30668b0..0000000
--- a/extensions/libipt_TCPMSS.man
+++ /dev/null
@@ -1,41 +0,0 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
-the maximum size for that connection (usually limiting it to your
-outgoing interface's MTU minus 40). Of course, it can only be used
-in conjunction with
-.BR "-p tcp" .
-It is only valid in the
-.BR mangle
-table.
-.br
-This target is used to overcome criminally braindead ISPs or servers
-which block ICMP Fragmentation Needed packets. The symptoms of this
-problem are that everything works fine from your Linux
-firewall/router, but machines behind it can never exchange large
-packets:
-.PD 0
-.RS 0.1i
-.TP 0.3i
-1)
-Web browsers connect, then hang with no data received.
-.TP
-2)
-Small mail works fine, but large emails hang.
-.TP
-3)
-ssh works fine, but scp hangs after initial handshaking.
-.RE
-.PD
-Workaround: activate this option and add a rule to your firewall
-configuration like:
-.nf
- iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
- -j TCPMSS --clamp-mss-to-pmtu
-.fi
-.TP
-.BI "--set-mss " "value"
-Explicitly set MSS option to specified value.
-.TP
-.B "--clamp-mss-to-pmtu"
-Automatically clamp MSS value to (path_MTU - 40).
-.TP
-These options are mutually exclusive.
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
deleted file mode 100644
index 7fbe8e7..0000000
--- a/extensions/libipt_TRACE.man
+++ /dev/null
@@ -1,10 +0,0 @@
-This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ipt_LOG module
-is required for the logging.) The packets are logged with the string prefix:
-"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
-plain rule, "return" for implicit rule at the end of a user defined chain
-and "policy" for the policy of the built in chains.
-.br
-It can only be used in the
-.BR raw
-table.
diff --git a/extensions/libipt_connlimit.man b/extensions/libipt_connlimit.man
deleted file mode 100644
index dd6a155..0000000
--- a/extensions/libipt_connlimit.man
+++ /dev/null
@@ -1,27 +0,0 @@
-Allows you to restrict the number of parallel connections to a server per
-client IP address (or client address block).
-.TP
-[\fB!\fP] \fB--connlimit-above\fP \fIn\fP
-Match if the number of existing connections is (not) above \fIn\fR.
-.TP
-\fB--connlimit-mask\fR \fIprefix_length\fR
-Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128.
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-network (24 bit netmask)
-iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
-(ipv6)
-ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
-16 --connlimit-mask 64 -j REJECT
diff --git a/extensions/libipt_length.man b/extensions/libipt_length.man
deleted file mode 100644
index 43bbdcf..0000000
--- a/extensions/libipt_length.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module matches the length of a packet against a specific value
-or range of values.
-.TP
-.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
diff --git a/extensions/libipt_multiport.man b/extensions/libipt_multiport.man
deleted file mode 100644
index ba760e9..0000000
--- a/extensions/libipt_multiport.man
+++ /dev/null
@@ -1,20 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. A port range (port:port) counts as two
-ports. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
-Match if either the source or destination ports are equal to one of
-the given ports.
diff --git a/extensions/libipt_policy.man b/extensions/libipt_policy.man
deleted file mode 100644
index eed163e..0000000
--- a/extensions/libipt_policy.man
+++ /dev/null
@@ -1,48 +0,0 @@
-This modules matches the policy used by IPsec for handling a packet.
-.TP
-.BI "--dir " "in|out"
-Used to select whether to match the policy used for decapsulation or the
-policy that will be used for encapsulation.
-.B in
-is valid in the
-.B PREROUTING, INPUT and FORWARD
-chains,
-.B out
-is valid in the
-.B POSTROUTING, OUTPUT and FORWARD
-chains.
-.TP
-.BI "--pol " "none|ipsec"
-Matches if the packet is subject to IPsec processing.
-.TP
-.BI "--strict"
-Selects whether to match the exact policy or match if any rule of
-the policy matches the given policy.
-.TP
-.BI "--reqid " "id"
-Matches the reqid of the policy rule. The reqid can be specified with
-.B setkey(8)
-using
-.B unique:id
-as level.
-.TP
-.BI "--spi " "spi"
-Matches the SPI of the SA.
-.TP
-.BI "--proto " "ah|esp|ipcomp"
-Matches the encapsulation protocol.
-.TP
-.BI "--mode " "tunnel|transport"
-Matches the encapsulation mode.
-.TP
-.BI "--tunnel-src " "addr[/mask]"
-Matches the source end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--tunnel-dst " "addr[/mask]"
-Matches the destination end-point address of a tunnel mode SA.
-Only valid with --mode tunnel.
-.TP
-.BI "--next"
-Start the next element in the policy specification. Can only be used with
---strict
diff --git a/extensions/libipt_tcp.man b/extensions/libipt_tcp.man
deleted file mode 100644
index cfafc9e..0000000
--- a/extensions/libipt_tcp.man
+++ /dev/null
@@ -1,45 +0,0 @@
-These extensions can be used if `--protocol tcp' is specified. It
-provides the following options:
-.TP
-.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
-Source port or port range specification. This can either be a service
-name or a port number. An inclusive range can also be specified,
-using the format
-.IR port : port .
-If the first port is omitted, "0" is assumed; if the last is omitted,
-"65535" is assumed.
-If the second port greater then the first they will be swapped.
-The flag
-.B --sport
-is a convenient alias for this option.
-.TP
-.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
-Destination port or port range specification. The flag
-.B --dport
-is a convenient alias for this option.
-.TP
-.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
-Match when the TCP flags are as specified. The first argument is the
-flags which we should examine, written as a comma-separated list, and
-the second argument is a comma-separated list of flags which must be
-set. Flags are:
-.BR "SYN ACK FIN RST URG PSH ALL NONE" .
-Hence the command
-.nf
- iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
-.fi
-will only match packets with the SYN flag set, and the ACK, FIN and
-RST flags unset.
-.TP
-.B "[!] --syn"
-Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
-cleared. Such packets are used to request TCP connection initiation;
-for example, blocking such packets coming in an interface will prevent
-incoming TCP connections, but outgoing TCP connections will be
-unaffected.
-It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
-If the "!" flag precedes the "--syn", the sense of the
-option is inverted.
-.TP
-.BR "--tcp-option " "[!] \fInumber\fP"
-Match if TCP option set.
diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man
new file mode 100644
index 0000000..82f93e0
--- /dev/null
+++ b/extensions/libxt_TCPMSS.man
@@ -0,0 +1,43 @@
+This target allows to alter the MSS value of TCP SYN packets, to control
+the maximum size for that connection (usually limiting it to your
+outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
+Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
+It is only valid in the
+.BR mangle
+table.
+.br
+This target is used to overcome criminally braindead ISPs or servers
+which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
+packets. The symptoms of this
+problem are that everything works fine from your Linux
+firewall/router, but machines behind it can never exchange large
+packets:
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+Web browsers connect, then hang with no data received.
+.TP
+2)
+Small mail works fine, but large emails hang.
+.TP
+3)
+ssh works fine, but scp hangs after initial handshaking.
+.RE
+.PD
+Workaround: activate this option and add a rule to your firewall
+configuration like:
+.nf
+ iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+Explicitly set MSS option to specified value.
+.TP
+.B "--clamp-mss-to-pmtu"
+Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for IPv6).
+.TP
+These options are mutually exclusive.
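Review bot: "(path_MTU - 40 for IPv4; -60 for IPv6)" in the --clamp-mss-to-pmtu description reads as a negative sixty; spell it out as "path_MTU - 40 for IPv4, path_MTU - 60 for IPv6". Also, now that this page serves both binaries, the workaround example keeps only the `iptables -t mangle ...` form, whereas the deleted libip6t_TCPMSS.man gave the same rule with `ip6tables`; one sentence saying the rule is identical under ip6tables would preserve what the IPv6 page documented.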
diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man
new file mode 100644
index 0000000..d28c3a0
--- /dev/null
+++ b/extensions/libxt_TRACE.man
@@ -0,0 +1,11 @@
+This target marks packes so that the kernel will log every rule which match
+the packets as those traverse the tables, chains, rules. (The ipt_LOG or
+ip6t_LOG module
+is required for the logging.) The packets are logged with the string prefix:
+"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
+plain rule, "return" for implicit rule at the end of a user defined chain
+and "policy" for the policy of the built in chains.
+.br
+It can only be used in the
+.BR raw
+table.
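Review bot: the first sentence carries the typos over from both deleted pages: "packes" for "packets", and "every rule which match the packets" should be "every rule which matches the packets"; since the two copies are being folded into one file, this is the moment to correct them.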
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
new file mode 100644
index 0000000..dd6a155
--- /dev/null
+++ b/extensions/libxt_connlimit.man
@@ -0,0 +1,27 @@
+Allows you to restrict the number of parallel connections to a server per
+client IP address (or client address block).
+.TP
+[\fB!\fP] \fB--connlimit-above\fP \fIn\fP
+Match if the number of existing connections is (not) above \fIn\fR.
+.TP
+\fB--connlimit-mask\fR \fIprefix_length\fR
+Group hosts using the prefix length. For IPv4, this must be a number between
+(including) 0 and 32. For IPv6, between 0 and 128.
+.P
+Examples:
+.TP
+# allow 2 telnet connections per client host
+iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
+.TP
+# you can also match the other way around:
+iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
+.TP
+# limit the number of parallel HTTP requests to 16 per class C sized \
+network (24 bit netmask)
+iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
+--connlimit-mask 24 -j REJECT
+.TP
+# limit the number of parallel HTTP requests to 16 for the link local network \
+(ipv6)
+ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above
+16 --connlimit-mask 64 -j REJECT
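Review bot: the examples are written as .TP paragraphs (comment line as the tag, command as the body), so troff fills and re-wraps the commands as running text, and the two commands that span two source lines (`--connlimit-above 16` / `--connlimit-mask 24 -j REJECT` and `--connlimit-above` / `16 --connlimit-mask 64 -j REJECT`) get joined and re-broken wherever the line happens to fill; placing each example in an .nf/.fi block, as libxt_TCPMSS.man does for its rule, keeps the commands verbatim and copy-pasteable.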
diff --git a/extensions/libxt_length.man b/extensions/libxt_length.man
new file mode 100644
index 0000000..5a8198b
--- /dev/null
+++ b/extensions/libxt_length.man
@@ -0,0 +1,5 @@
+This module matches the length of the layer-3 payload (e.g. layer-4 packet)
+f a packet against a specific value
+or range of values.
+.TP
+.BR "--length " "[!] \fIlength\fP[:\fIlength\fP]"
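Review bot: "f a packet" on the second line is a typo for "of a packet". More substantively, the two pages being replaced described different quantities: libipt_length.man said "the length of a packet", while libip6t_length.man said "the length of the IPv6 payload ... IPv6 header itself isn't counted"; the merged text adopts the payload wording for both families, so it should be checked against what the IPv4 length match actually compares before the old IPv4 description is dropped, and if the families differ the page should say so per family.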
diff --git a/extensions/libxt_multiport.man b/extensions/libxt_multiport.man
new file mode 100644
index 0000000..ba760e9
--- /dev/null
+++ b/extensions/libxt_multiport.man
@@ -0,0 +1,20 @@
+This module matches a set of source or destination ports. Up to 15
+ports can be specified. A port range (port:port) counts as two
+ports. It can only be used in conjunction with
+.B "-p tcp"
+or
+.BR "-p udp" .
+.TP
+.BR "--source-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
+Match if the source port is one of the given ports. The flag
+.B --sports
+is a convenient alias for this option.
+.TP
+.BR "--destination-ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
+Match if the destination port is one of the given ports. The flag
+.B --dports
+is a convenient alias for this option.
+.TP
+.BR "--ports " "\fI[!] port\fP[,\fIport\fP[,\fIport:port\fP...]]"
+Match if either the source or destination ports are equal to one of
+the given ports.
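Review bot: the port specification markup is inconsistent with the rest of the series: here `\fI[!] port\fP` sets the negation bracket in italics as if it were part of the argument, while libxt_tcp.man below writes `[!] \fIport\fP` with `[!]` outside the italics; the latter is right, since `!` is a literal token. The text should also say what `!` applies to: it inverts the whole list, so `! --dports 22,80` matches packets whose destination port is neither 22 nor 80, not packets whose port is "not 22" or "not 80". Finally, "only be used in conjunction with -p tcp or -p udp" may be narrower than the protocols the extension actually accepts (sctp, dccp and udplite are the candidates); please verify against the protocol check in libxt_multiport.c and widen the list if so.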
diff --git a/extensions/libxt_policy.man b/extensions/libxt_policy.man
new file mode 100644
index 0000000..eed163e
--- /dev/null
+++ b/extensions/libxt_policy.man
@@ -0,0 +1,48 @@
+This modules matches the policy used by IPsec for handling a packet.
+.TP
+.BI "--dir " "in|out"
+Used to select whether to match the policy used for decapsulation or the
+policy that will be used for encapsulation.
+.B in
+is valid in the
+.B PREROUTING, INPUT and FORWARD
+chains,
+.B out
+is valid in the
+.B POSTROUTING, OUTPUT and FORWARD
+chains.
+.TP
+.BI "--pol " "none|ipsec"
+Matches if the packet is subject to IPsec processing.
+.TP
+.BI "--strict"
+Selects whether to match the exact policy or match if any rule of
+the policy matches the given policy.
+.TP
+.BI "--reqid " "id"
+Matches the reqid of the policy rule. The reqid can be specified with
+.B setkey(8)
+using
+.B unique:id
+as level.
+.TP
+.BI "--spi " "spi"
+Matches the SPI of the SA.
+.TP
+.BI "--proto " "ah|esp|ipcomp"
+Matches the encapsulation protocol.
+.TP
+.BI "--mode " "tunnel|transport"
+Matches the encapsulation mode.
+.TP
+.BI "--tunnel-src " "addr[/mask]"
+Matches the source end-point address of a tunnel mode SA.
+Only valid with --mode tunnel.
+.TP
+.BI "--tunnel-dst " "addr[/mask]"
+Matches the destination end-point address of a tunnel mode SA.
+Only valid with --mode tunnel.
+.TP
+.BI "--next"
+Start the next element in the policy specification. Can only be used with
+--strict
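Review bot: "This modules matches" at the top of the hunk should read "This module matches". The `--pol none|ipsec` entry only documents the `ipsec` case; add that `none` matches packets that are not subject to IPsec processing, since `--pol none` is how a ruleset rejects cleartext packets that carry an IPsec peer's address. For the same reason the page would benefit from one example, e.g. `iptables -A INPUT -s 10.1.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT` followed by a rule dropping the rest of 10.1.0.0/16, which is the idiom that enforces "traffic from this prefix must have arrived inside an ESP SA". Also, the `--strict` text says "match if any rule of the policy matches the given policy" but never says what an element is; a sentence noting that `--strict` compares the packet's policy element by element, with `--next` separating the elements of the specification, would tie `--strict` and `--next` together.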
diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man
new file mode 100644
index 0000000..cfafc9e
--- /dev/null
+++ b/extensions/libxt_tcp.man
@@ -0,0 +1,45 @@
+These extensions can be used if `--protocol tcp' is specified. It
+provides the following options:
+.TP
+.BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
+Source port or port range specification. This can either be a service
+name or a port number. An inclusive range can also be specified,
+using the format
+.IR port : port .
+If the first port is omitted, "0" is assumed; if the last is omitted,
+"65535" is assumed.
+If the second port greater then the first they will be swapped.
+The flag
+.B --sport
+is a convenient alias for this option.
+.TP
+.BR "--destination-port " "[!] \fIport\fP[:\fIport\fP]"
+Destination port or port range specification. The flag
+.B --dport
+is a convenient alias for this option.
+.TP
+.BR "--tcp-flags " "[!] \fImask\fP \fIcomp\fP"
+Match when the TCP flags are as specified. The first argument is the
+flags which we should examine, written as a comma-separated list, and
+the second argument is a comma-separated list of flags which must be
+set. Flags are:
+.BR "SYN ACK FIN RST URG PSH ALL NONE" .
+Hence the command
+.nf
+ iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
+.fi
+will only match packets with the SYN flag set, and the ACK, FIN and
+RST flags unset.
+.TP
+.B "[!] --syn"
+Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits
+cleared. Such packets are used to request TCP connection initiation;
+for example, blocking such packets coming in an interface will prevent
+incoming TCP connections, but outgoing TCP connections will be
+unaffected.
+It is equivalent to \fB--tcp-flags SYN,RST,ACK,FIN SYN\fP.
+If the "!" flag precedes the "--syn", the sense of the
+option is inverted.
+.TP
+.BR "--tcp-option " "[!] \fInumber\fP"
+Match if TCP option set.
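Review bot: the range sentence "If the second port greater then the first they will be swapped" is both ungrammatical and backwards: a range written low:high is the normal case, so the swap must happen when the first port is greater than the second; suggest "If the first port is greater than the second, they will be swapped." Two smaller points: the opening "These extensions can be used if ... It provides" mixes plural and singular, so use "This extension can be used if `--protocol tcp' is specified. It provides" (or "These options ... They provide"); and the final entry "Match if TCP option set." should name its argument, e.g. "Match if the TCP option with the given number is present in the TCP header." The `--tcp-flags` example and the statement that `--syn` equals `--tcp-flags SYN,RST,ACK,FIN SYN` are consistent with each other.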
* Re: [PATCH 7/8] Remove support for compilation of conditional extensions
2008-04-14 6:53 ` Jan Engelhardt
@ 2008-04-14 6:56 ` Patrick McHardy
2008-04-14 13:14 ` Jan Engelhardt
From: Patrick McHardy @ 2008-04-14 6:56 UTC
To: Jan Engelhardt; +Cc: netfilter-devel, Jozsef Kadlecsik
Jan Engelhardt wrote:
> On Monday 2008-04-14 08:46, Patrick McHardy wrote:
>> Was there some resolution on the discussion that this
>> is the way to go? I mainly would like to see an ACK
>> from Jozsef for this change before applying it.
>>
> There was some sort of positive agreement:
>
> http://www.spinics.net/lists/netfilter-devel/msg02729.html (ipset)
> http://www.spinics.net/lists/netfilter-devel/msg02727.html (condition)
>
Yes, "sort of". So far it seems most convenient to keep ipset in
iptables. What was the exact problem with these extensions again?
* Re: [PATCH 5/8] Combine ipt and ip6t manpages
2008-04-14 6:55 ` Jan Engelhardt
@ 2008-04-14 7:00 ` Patrick McHardy
From: Patrick McHardy @ 2008-04-14 7:00 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> On Monday 2008-04-14 08:44, Patrick McHardy wrote:
>>> delete mode 100644 extensions/libipt_policy.man
>>> rename extensions/{libipt_TCPMSS.man => libxt_TCPMSS.man} (77%)
>>> rename extensions/{libip6t_TRACE.man => libxt_TRACE.man} (94%)
>>> rename extensions/{libipt_connlimit.man => libxt_connlimit.man} (100%)
>>> create mode 100644 extensions/libxt_length.man
>>> rename extensions/{libipt_multiport.man => libxt_multiport.man} (100%)
>>> rename extensions/{libip6t_policy.man => libxt_policy.man} (100%)
>>> rename extensions/{libipt_tcp.man => libxt_tcp.man} (100%)
>> Please send a unidiff that includes all those renames
>> so I can apply it using "patch".
>>
> commit 94b7a2a14adc13fdd667d3f06212922e21416e43
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Thu Feb 14 03:02:55 2008 +0100
>
> Combine ipt and ip6t manpages
Applied, thanks.
* Re: [PATCH 7/8] Remove support for compilation of conditional extensions
2008-04-14 6:56 ` Patrick McHardy
@ 2008-04-14 13:14 ` Jan Engelhardt
2008-04-14 13:20 ` Jozsef Kadlecsik
From: Jan Engelhardt @ 2008-04-14 13:14 UTC
To: Patrick McHardy; +Cc: netfilter-devel, Jozsef Kadlecsik
On Monday 2008-04-14 08:56, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Monday 2008-04-14 08:46, Patrick McHardy wrote:
>> > Was there some resolution on the discussion that this
>> > is the way to go? I mainly would like to see an ACK
>> > from Jozsef for this change before applying it.
>> >
>> There was some sort of positive agreement:
>>
>> http://www.spinics.net/lists/netfilter-devel/msg02729.html (ipset)
>> http://www.spinics.net/lists/netfilter-devel/msg02727.html (condition)
>
> Yes, "sort of". So far it seems most convenient to keep ipset in
> iptables. What was the exact problem with these extensions again?
>
The problem is not the extensions themselves, but they do not compile
due to a lack of their header files. Should it just be added?
Should ipset instead be added to the kernel?
* Re: [PATCH 7/8] Remove support for compilation of conditional extensions
2008-04-14 13:14 ` Jan Engelhardt
@ 2008-04-14 13:20 ` Jozsef Kadlecsik
2008-04-14 15:31 ` Patrick McHardy
From: Jozsef Kadlecsik @ 2008-04-14 13:20 UTC
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter-devel
On Mon, 14 Apr 2008, Jan Engelhardt wrote:
>
> On Monday 2008-04-14 08:56, Patrick McHardy wrote:
> > Jan Engelhardt wrote:
> >> On Monday 2008-04-14 08:46, Patrick McHardy wrote:
> >> > Was there some resolution on the discussion that this
> >> > is the way to go? I mainly would like to see an ACK
> >> > from Jozsef for this change before applying it.
> >> >
> >> There was some sort of positive agreement:
> >>
> >> http://www.spinics.net/lists/netfilter-devel/msg02729.html (ipset)
> >> http://www.spinics.net/lists/netfilter-devel/msg02727.html (condition)
> >
> > Yes, "sort of". So far it seems most convenient to keep ipset in
> > iptables. What was the exact problem with these extensions again?
> >
> The problem is not the extensions themselves; but they do not compile
> due to a lack of their header files. Should it just be added?
>
> Should ipset instead be added to the kernel?
No, I think the missing kernel header files (ip_set.h and ipt_set.h)
should be added to the iptables source.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: [PATCH 7/8] Remove support for compilation of conditional extensions
2008-04-14 13:20 ` Jozsef Kadlecsik
@ 2008-04-14 15:31 ` Patrick McHardy
From: Patrick McHardy @ 2008-04-14 15:31 UTC
To: Jozsef Kadlecsik; +Cc: Jan Engelhardt, netfilter-devel
Jozsef Kadlecsik wrote:
> On Mon, 14 Apr 2008, Jan Engelhardt wrote:
>
>> On Monday 2008-04-14 08:56, Patrick McHardy wrote:
>>> Jan Engelhardt wrote:
>>>> On Monday 2008-04-14 08:46, Patrick McHardy wrote:
>>>>> Was there some resolution on the discussion that this
>>>>> is the way to go? I mainly would like to see an ACK
>>>>> from Jozsef for this change before applying it.
>>>>>
>>>> There was some sort of positive agreement:
>>>>
>>>> http://www.spinics.net/lists/netfilter-devel/msg02729.html (ipset)
>>>> http://www.spinics.net/lists/netfilter-devel/msg02727.html (condition)
>>> Yes, "sort of". So far it seems most convenient to keep ipset in
>>> iptables. What was the exact problem with these extensions again?
>>>
>> The problem is not the extensions themselves; but they do not compile
>> due to a lack of their header files. Should it just be added?
>>
>> Should ipset instead be added to the kernel?
>
> No, I think the missing kernel header files (ip_set.h and ipt_set.h)
> should be added to the iptables source.
Yes, I agree.
Thread overview: 25+ messages
2008-04-13 8:25 A few more iptables patches Jan Engelhardt
2008-04-13 8:25 ` [PATCH 1/8] Import iptables-apply Jan Engelhardt
2008-04-13 8:25 ` [PATCH 2/8] Add all necessary header files - compilation fix for various cases Jan Engelhardt
2008-04-13 8:29 ` Patrick McHardy
2008-04-14 6:40 ` Patrick McHardy
2008-04-13 8:25 ` [PATCH 3/8] Install libiptc header files because xtables.h depends on it Jan Engelhardt
2008-04-14 6:41 ` Patrick McHardy
2008-04-13 8:25 ` [PATCH 4/8] iptables: use C99 lists for struct options Jan Engelhardt
2008-04-14 6:42 ` Patrick McHardy
2008-04-13 8:25 ` [PATCH 5/8] Combine ipt and ip6t manpages Jan Engelhardt
2008-04-14 6:44 ` Patrick McHardy
2008-04-14 6:55 ` Jan Engelhardt
2008-04-14 7:00 ` Patrick McHardy
2008-04-13 8:25 ` [PATCH 6/8] RATEEST: add manpage Jan Engelhardt
2008-04-14 6:45 ` Patrick McHardy
2008-04-13 8:25 ` [PATCH 7/8] Remove support for compilation of conditional extensions Jan Engelhardt
2008-04-14 6:46 ` Patrick McHardy
2008-04-14 6:53 ` Jan Engelhardt
2008-04-14 6:56 ` Patrick McHardy
2008-04-14 13:14 ` Jan Engelhardt
2008-04-14 13:20 ` Jozsef Kadlecsik
2008-04-14 15:31 ` Patrick McHardy
2008-04-13 8:25 ` [PATCH 8/8] Implement AF_UNSPEC as a wildcard for extensions Jan Engelhardt
2008-04-14 6:47 ` Patrick McHardy
2008-04-14 6:38 ` [PATCH 1/8] Import iptables-apply Patrick McHardy