1 diff -urN -x CVS -x .cvsignore iptables-1.2.8/INCOMPATIBILITIES userspace/INCOMPATIBILITIES
2 --- iptables-1.2.8/INCOMPATIBILITIES Thu Jan 1 01:00:00 1970
3 +++ userspace/INCOMPATIBILITIES Sat May 24 13:44:18 2003
7 +- The REJECT target has an '--reject-with admin-prohib' option which used
8 + with kernels that do not support it, will result in a plain DROP instead
9 + of REJECT. Use with caution.
10 + Kernels that do support it:
11 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.IPMARK-test userspace/extensions/.IPMARK-test
12 --- iptables-1.2.8/extensions/.IPMARK-test Thu Jan 1 01:00:00 1970
13 +++ userspace/extensions/.IPMARK-test Sat May 31 19:31:31 2003
16 +# True if IPMARK patch is applied.
17 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
18 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.NETLINK-test userspace/extensions/.NETLINK-test
19 --- iptables-1.2.8/extensions/.NETLINK-test Thu Jan 1 01:00:00 1970
20 +++ userspace/extensions/.NETLINK-test Thu Feb 15 09:05:09 2001
23 +[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NETLINK.c ] && echo NETLINK
24 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.NETLINK.test userspace/extensions/.NETLINK.test
25 --- iptables-1.2.8/extensions/.NETLINK.test Thu Feb 15 09:05:09 2001
26 +++ userspace/extensions/.NETLINK.test Thu Jan 1 01:00:00 1970
29 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NETLINK.c ] && echo NETLINK
30 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.NOTRACK-test userspace/extensions/.NOTRACK-test
31 --- iptables-1.2.8/extensions/.NOTRACK-test Thu Jan 1 01:00:00 1970
32 +++ userspace/extensions/.NOTRACK-test Wed May 21 12:31:08 2003
35 +[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NOTRACK.c ] && echo NOTRACK
36 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.TRACE-test userspace/extensions/.TRACE-test
37 --- iptables-1.2.8/extensions/.TRACE-test Thu Jan 1 01:00:00 1970
38 +++ userspace/extensions/.TRACE-test Wed May 21 12:31:08 2003
41 +[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_TRACE.c ] && echo TRACE
42 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.TRACE-test6 userspace/extensions/.TRACE-test6
43 --- iptables-1.2.8/extensions/.TRACE-test6 Thu Jan 1 01:00:00 1970
44 +++ userspace/extensions/.TRACE-test6 Wed May 21 12:31:08 2003
47 +[ -f $KERNEL_DIR/net/ipv4/netfilter/ip6t_TRACE.c ] && echo TRACE
48 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.XOR-test userspace/extensions/.XOR-test
49 --- iptables-1.2.8/extensions/.XOR-test Thu Jan 1 01:00:00 1970
50 +++ userspace/extensions/.XOR-test Sat May 31 19:11:49 2003
53 +[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_XOR.c ] && echo XOR
54 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.addrtype-test userspace/extensions/.addrtype-test
55 --- iptables-1.2.8/extensions/.addrtype-test Thu Jan 1 01:00:00 1970
56 +++ userspace/extensions/.addrtype-test Wed May 7 18:51:40 2003
60 +if test -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_addrtype.h; then
63 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.connbytes-test userspace/extensions/.connbytes-test
64 --- iptables-1.2.8/extensions/.connbytes-test Thu Jan 1 01:00:00 1970
65 +++ userspace/extensions/.connbytes-test Thu Jun 19 14:23:37 2003
68 +[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_connbytes.c ] && echo connbytes
69 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.iprange-test userspace/extensions/.iprange-test
70 --- iptables-1.2.8/extensions/.iprange-test Thu Jan 1 01:00:00 1970
71 +++ userspace/extensions/.iprange-test Wed Apr 23 15:27:09 2003
74 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_iprange.h ] && echo iprange
75 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.nth-test6 userspace/extensions/.nth-test6
76 --- iptables-1.2.8/extensions/.nth-test6 Thu Jan 1 01:00:00 1970
77 +++ userspace/extensions/.nth-test6 Sat May 3 15:55:06 2003
80 +# True if nth is applied.
81 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_nth.h ] && echo nth
82 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/.random-test6 userspace/extensions/.random-test6
83 --- iptables-1.2.8/extensions/.random-test6 Thu Jan 1 01:00:00 1970
84 +++ userspace/extensions/.random-test6 Sat May 3 15:46:18 2003
87 +# True if random is applied.
88 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_random.h ] && echo random
89 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/Makefile userspace/extensions/Makefile
90 --- iptables-1.2.8/extensions/Makefile Wed Mar 5 12:39:31 2003
91 +++ userspace/extensions/Makefile Thu May 22 16:33:34 2003
93 # header files are present in the include/linux directory of this iptables
96 -PF_EXT_SLIB:=ah conntrack dscp ecn esp helper stealth icmp length limit mac mark multiport owner physdev pkttype rpc standard state tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TTL ULOG IMQ
97 +PF_EXT_SLIB:=ah connlimit conntrack dscp ecn esp helper stealth icmp length limit mac mark multiport owner physdev pkttype rpc standard state tcp tcpmss tos ttl udp unclean DNAT DSCP ECN LOG MARK MASQUERADE MIRROR REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TTL ULOG IMQ
98 PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK
101 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_LOG.c userspace/extensions/libip6t_LOG.c
102 --- iptables-1.2.8/extensions/libip6t_LOG.c Sat Sep 7 16:31:01 2002
103 +++ userspace/extensions/libip6t_LOG.c Tue Jul 15 15:29:20 2003
105 if (strcmp(loginfo->prefix, "") != 0)
106 printf("--log-prefix \"%s\" ", loginfo->prefix);
108 - if (loginfo->level != LOG_DEFAULT_LEVEL) {
110 - i < sizeof(ip6t_log_names) / sizeof(struct ip6t_log_names);
112 - if (loginfo->level == ip6t_log_names[i].level) {
113 - printf("--log-level %s ", ip6t_log_names[i].name);
118 + if (loginfo->level != LOG_DEFAULT_LEVEL)
119 + printf("--log-level %d ", loginfo->level);
121 if (loginfo->logflags & IP6T_LOG_TCPSEQ)
122 printf("--log-tcp-sequence ");
123 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_TRACE.c userspace/extensions/libip6t_TRACE.c
124 --- iptables-1.2.8/extensions/libip6t_TRACE.c Thu Jan 1 01:00:00 1970
125 +++ userspace/extensions/libip6t_TRACE.c Wed May 21 12:31:08 2003
127 +/* Shared library add-on to iptables to add TRACE target support. */
133 +#include <ip6tables.h>
134 +#include <linux/netfilter_ipv6/ip6_tables.h>
136 +/* Function which prints out usage message. */
141 +"TRACE target v%s takes no options\n",
145 +static struct option opts[] = {
149 +/* Initialize the target. */
151 +init(struct ip6t_entry_target *t, unsigned int *nfcache)
155 +/* Function which parses command options; returns true if it
158 +parse(int c, char **argv, int invert, unsigned int *flags,
159 + const struct ip6t_entry *entry,
160 + struct ip6t_entry_target **target)
166 +final_check(unsigned int flags)
171 +struct ip6tables_target trace
174 + .version = IPTABLES_VERSION,
175 + .size = IP6T_ALIGN(0),
176 + .userspacesize = IP6T_ALIGN(0),
180 + .final_check = &final_check,
181 + .print = NULL, /* print */
182 + .save = NULL, /* save */
188 + register_target6(&trace);
190 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_condition.c userspace/extensions/libip6t_condition.c
191 --- iptables-1.2.8/extensions/libip6t_condition.c Wed Mar 26 15:42:35 2003
192 +++ userspace/extensions/libip6t_condition.c Thu May 22 16:33:34 2003
194 +/* Shared library add-on to ip6tables for condition match */
199 struct condition6_info *info =
200 (struct condition6_info *) (*match)->data;
202 - check_inverse(optarg, &invert, &optind, 0);
206 exit_error(PARAMETER_PROBLEM,
207 "Can't specify multiple conditions");
209 + check_inverse(optarg, &invert, &optind, 0);
211 if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
212 strcpy(info->name, argv[optind - 1]);
215 const struct condition6_info *info =
216 (const struct condition6_info *) match->data;
218 - printf("--condition %s%s ", (info->invert) ? "! " : "", info->name);
219 + printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
223 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_fuzzy.c userspace/extensions/libip6t_fuzzy.c
224 --- iptables-1.2.8/extensions/libip6t_fuzzy.c Fri Apr 11 12:30:36 2003
225 +++ userspace/extensions/libip6t_fuzzy.c Mon Jun 16 13:39:36 2003
228 2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
229 2003-04-08 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
230 +2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
231 +the save function , thanks to information given by Jean-Francois Patenaude.
237 const struct ip6t_fuzzy_info *fuzzyinfo
238 = (const struct ip6t_fuzzy_info *)match->data;
240 - printf("--upper-limit %u ",fuzzyinfo->minimum_rate);
241 - printf("--lower-limit %u ",fuzzyinfo->maximum_rate);
242 + printf("--lower-limit %u ",fuzzyinfo->minimum_rate);
243 + printf("--upper-limit %u ",fuzzyinfo->maximum_rate);
247 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_hl.c userspace/extensions/libip6t_hl.c
248 --- iptables-1.2.8/extensions/libip6t_hl.c Wed Jan 8 10:14:20 2003
249 +++ userspace/extensions/libip6t_hl.c Thu May 22 16:33:34 2003
251 * Maciej Soltysiak <solt@dns.toxicfilms.tv>
252 * Based on HW's ttl match
253 * This program is released under the terms of GNU GPL
254 + * Cleanups by Stephane Ouellette <ouellettes@videotron.ca>
261 "HL match v%s options:\n"
262 -" --hl-eq value Match hop limit value\n"
263 +" --hl-eq [!] value Match hop limit value\n"
264 " --hl-lt value Match HL < value\n"
265 " --hl-gt value Match HL > value\n"
277 exit_error(PARAMETER_PROBLEM,
278 "HL match: You must specify one of "
279 - "`--hl-eq', `--hl-lt', `--hl-gt");
280 + "`--hl-eq', `--hl-lt', `--hl-gt'");
283 static void print(const struct ip6t_ip6 *ip,
284 const struct ip6t_entry_match *match,
287 + static const char *op[] = {
288 + [IP6T_HL_EQ] = "==",
289 + [IP6T_HL_NE] = "!=",
290 + [IP6T_HL_LT] = "<",
291 + [IP6T_HL_GT] = ">" };
293 const struct ip6t_hl_info *info =
294 (struct ip6t_hl_info *) match->data;
296 - printf("HL match ");
297 - switch (info->mode) {
311 - printf("%u ", info->hop_limit);
312 + printf("HL match HL %s %u ", op[info->mode], info->hop_limit);
315 static void save(const struct ip6t_ip6 *ip,
316 const struct ip6t_entry_match *match)
318 + static const char *op[] = {
319 + [IP6T_HL_EQ] = "eq",
320 + [IP6T_HL_NE] = "eq !",
321 + [IP6T_HL_LT] = "lt",
322 + [IP6T_HL_GT] = "gt" };
324 const struct ip6t_hl_info *info =
325 (struct ip6t_hl_info *) match->data;
327 - switch (info->mode) {
329 - printf("--hl-eq ");
332 - printf("! --hl-eq ");
335 - printf("--hl-lt ");
338 - printf("--hl-gt ");
344 - printf("%u ", info->hop_limit);
345 + printf("--hl-%s %u ", op[info->mode], info->hop_limit);
348 static struct option opts[] = {
349 - { "hl", 1, 0, '2' },
350 - { "hl-eq", 1, 0, '2'},
351 - { "hl-lt", 1, 0, '3'},
352 - { "hl-gt", 1, 0, '4'},
353 + { .name = "hl", .has_arg = 1, .flag = 0, .val = '2' },
354 + { .name = "hl-eq", .has_arg = 1, .flag = 0, .val = '2' },
355 + { .name = "hl-lt", .has_arg = 1, .flag = 0, .val = '3' },
356 + { .name = "hl-gt", .has_arg = 1, .flag = 0, .val = '4' },
361 struct ip6tables_match hl = {
365 - IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
366 - IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
375 + .version = IPTABLES_VERSION,
376 + .size = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
377 + .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
381 + .final_check = &final_check,
388 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_mac.c userspace/extensions/libip6t_mac.c
389 --- iptables-1.2.8/extensions/libip6t_mac.c Mon Jan 6 14:04:53 2003
390 +++ userspace/extensions/libip6t_mac.c Mon Jun 16 13:39:36 2003
395 -static void print_mac(unsigned char macaddress[ETH_ALEN], int invert)
396 +static void print_mac(unsigned char macaddress[ETH_ALEN])
400 - printf("%s%02X", invert ? "! " : "", macaddress[0]);
401 + printf("%02X", macaddress[0]);
402 for (i = 1; i < ETH_ALEN; i++)
403 printf(":%02X", macaddress[i]);
405 @@ -111,16 +111,21 @@
409 - print_mac(((struct ip6t_mac_info *)match->data)->srcaddr,
410 - ((struct ip6t_mac_info *)match->data)->invert);
412 + if (((struct ip6t_mac_info *)match->data)->invert)
415 + print_mac(((struct ip6t_mac_info *)match->data)->srcaddr);
418 /* Saves the union ip6t_matchinfo in parsable form to stdout. */
419 static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
421 + if (((struct ip6t_mac_info *)match->data)->invert)
424 printf("--mac-source ");
425 - print_mac(((struct ip6t_mac_info *)match->data)->srcaddr,
426 - ((struct ip6t_mac_info *)match->data)->invert);
427 + print_mac(((struct ip6t_mac_info *)match->data)->srcaddr);
431 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_multiport.c userspace/extensions/libip6t_multiport.c
432 --- iptables-1.2.8/extensions/libip6t_multiport.c Wed May 29 15:08:16 2002
433 +++ userspace/extensions/libip6t_multiport.c Tue Jul 15 15:29:20 2003
436 for (i=0; i < multiinfo->count; i++) {
437 printf("%s", i ? "," : "");
438 - print_port(multiinfo->ports[i], ip->proto, 0);
439 + print_port(multiinfo->ports[i], ip->proto, 1);
443 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_nth.c userspace/extensions/libip6t_nth.c
444 --- iptables-1.2.8/extensions/libip6t_nth.c Thu Jan 1 01:00:00 1970
445 +++ userspace/extensions/libip6t_nth.c Sat May 3 15:55:06 2003
448 + Shared library add-on to iptables to add match support for every Nth packet
450 + This file is distributed under the terms of the GNU General Public
451 + License (GPL). Copies of the GPL can be obtained from:
452 + ftp://prep.ai.mit.edu/pub/gnu/GPL
454 + 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
455 + 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
456 + * added support for multiple counters
457 + * added support for matching on individual packets
458 + in the counter cycle
467 +#include <ip6tables.h>
468 +#include <linux/netfilter_ipv6/ip6_tables.h>
469 +#include <linux/netfilter_ipv6/ip6t_nth.h>
472 +/* Function which prints out usage message. */
477 +"nth v%s options:\n"
478 +" --every Nth Match every Nth packet\n"
479 +" [--counter] num Use counter 0-%u (default:0)\n"
480 +" [--start] num Initialize the counter at the number 'num'\n"
481 +" instead of 0. Must be between 0 and Nth-1\n"
482 +" [--packet] num Match on 'num' packet. Must be between 0\n"
484 +" If --packet is used for a counter than\n"
485 +" there must be Nth number of --packet\n"
486 +" rules, covering all values between 0 and\n"
487 +" Nth-1 inclusively.\n",
488 +IPTABLES_VERSION, IP6T_NTH_NUM_COUNTERS-1);
491 +static struct option opts[] = {
492 + { "every", 1, 0, '1' },
493 + { "start", 1, 0, '2' },
494 + { "counter", 1, 0, '3' },
495 + { "packet", 1, 0, '4' },
499 +/* Initialize the target. */
501 +init(struct ip6t_entry_match *m, unsigned int *nfcache)
503 + *nfcache |= NFC_UNKNOWN;
506 +#define IP6T_NTH_OPT_EVERY 0x01
507 +#define IP6T_NTH_OPT_NOT_EVERY 0x02
508 +#define IP6T_NTH_OPT_START 0x04
509 +#define IP6T_NTH_OPT_COUNTER 0x08
510 +#define IP6T_NTH_OPT_PACKET 0x10
512 +/* Function which parses command options; returns true if it
515 +parse(int c, char **argv, int invert, unsigned int *flags,
516 + const struct ip6t_entry *entry,
517 + unsigned int *nfcache,
518 + struct ip6t_entry_match **match)
520 + struct ip6t_nth_info *nthinfo = (struct ip6t_nth_info *)(*match)->data;
525 + /* check for common mistakes... */
526 + if ((!invert) && (*flags & IP6T_NTH_OPT_EVERY))
527 + exit_error(PARAMETER_PROBLEM,
528 + "Can't specify --every twice");
529 + if (invert && (*flags & IP6T_NTH_OPT_NOT_EVERY))
530 + exit_error(PARAMETER_PROBLEM,
531 + "Can't specify ! --every twice");
532 + if ((!invert) && (*flags & IP6T_NTH_OPT_NOT_EVERY))
533 + exit_error(PARAMETER_PROBLEM,
534 + "Can't specify --every with ! --every");
535 + if (invert && (*flags & IP6T_NTH_OPT_EVERY))
536 + exit_error(PARAMETER_PROBLEM,
537 + "Can't specify ! --every with --every");
539 + /* Remember, this function will interpret a leading 0 to be
540 + Octal, a leading 0x to be hexdecimal... */
541 + if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
542 + exit_error(PARAMETER_PROBLEM,
543 + "bad --every `%s', must be between 2 and 100", optarg);
545 + /* assign the values */
546 + nthinfo->every = num-1;
547 + nthinfo->startat = 0;
548 + nthinfo->packet = 0xFF;
549 + if(!(*flags & IP6T_NTH_OPT_EVERY))
551 + nthinfo->counter = 0;
555 + *flags |= IP6T_NTH_OPT_NOT_EVERY;
560 + *flags |= IP6T_NTH_OPT_EVERY;
565 + /* check for common mistakes... */
566 + if (!((*flags & IP6T_NTH_OPT_EVERY) ||
567 + (*flags & IP6T_NTH_OPT_NOT_EVERY)))
568 + exit_error(PARAMETER_PROBLEM,
569 + "Can't specify --start before --every");
571 + exit_error(PARAMETER_PROBLEM,
572 + "Can't specify with ! --start");
573 + if (*flags & IP6T_NTH_OPT_START)
574 + exit_error(PARAMETER_PROBLEM,
575 + "Can't specify --start twice");
576 + if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
577 + exit_error(PARAMETER_PROBLEM,
578 + "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
579 + *flags |= IP6T_NTH_OPT_START;
580 + nthinfo->startat = num;
583 + /* check for common mistakes... */
585 + exit_error(PARAMETER_PROBLEM,
586 + "Can't specify with ! --counter");
587 + if (*flags & IP6T_NTH_OPT_COUNTER)
588 + exit_error(PARAMETER_PROBLEM,
589 + "Can't specify --counter twice");
590 + if (string_to_number(optarg, 0, IP6T_NTH_NUM_COUNTERS-1, &num) == -1)
591 + exit_error(PARAMETER_PROBLEM,
592 + "bad --counter `%s', must between 0 and %u", optarg, IP6T_NTH_NUM_COUNTERS-1);
593 + /* assign the values */
594 + *flags |= IP6T_NTH_OPT_COUNTER;
595 + nthinfo->counter = num;
598 + /* check for common mistakes... */
599 + if (!((*flags & IP6T_NTH_OPT_EVERY) ||
600 + (*flags & IP6T_NTH_OPT_NOT_EVERY)))
601 + exit_error(PARAMETER_PROBLEM,
602 + "Can't specify --packet before --every");
603 + if ((*flags & IP6T_NTH_OPT_NOT_EVERY))
604 + exit_error(PARAMETER_PROBLEM,
605 + "Can't specify --packet with ! --every");
607 + exit_error(PARAMETER_PROBLEM,
608 + "Can't specify with ! --packet");
609 + if (*flags & IP6T_NTH_OPT_PACKET)
610 + exit_error(PARAMETER_PROBLEM,
611 + "Can't specify --packet twice");
612 + if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
613 + exit_error(PARAMETER_PROBLEM,
614 + "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
615 + *flags |= IP6T_NTH_OPT_PACKET;
616 + nthinfo->packet = num;
624 +/* Final check; nothing. */
625 +static void final_check(unsigned int flags)
629 +/* Prints out the targinfo. */
631 +print(const struct ip6t_ip6 *ip,
632 + const struct ip6t_entry_match *match,
635 + const struct ip6t_nth_info *nthinfo
636 + = (const struct ip6t_nth_info *)match->data;
638 + if (nthinfo->not == 1)
640 + printf("every %uth ", (nthinfo->every +1));
641 + if (nthinfo->counter != 0)
642 + printf("counter #%u ", (nthinfo->counter));
643 + if (nthinfo->packet != 0xFF)
644 + printf("packet #%u ", nthinfo->packet);
645 + if (nthinfo->startat != 0)
646 + printf("start at %u ", nthinfo->startat);
649 +/* Saves the union ip6t_targinfo in parsable form to stdout. */
651 +save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
653 + const struct ip6t_nth_info *nthinfo
654 + = (const struct ip6t_nth_info *)match->data;
656 + if (nthinfo->not == 1)
658 + printf("--every %u ", (nthinfo->every +1));
659 + printf("--counter %u ", (nthinfo->counter));
660 + if (nthinfo->startat != 0)
661 + printf("--start %u ", nthinfo->startat );
662 + if (nthinfo->packet != 0xFF)
663 + printf("--packet %u ", nthinfo->packet );
666 +struct ip6tables_match nth
670 + IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
671 + IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
683 + register_match6(&nth);
685 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_owner.c userspace/extensions/libip6t_owner.c
686 --- iptables-1.2.8/extensions/libip6t_owner.c Wed May 29 15:08:16 2002
687 +++ userspace/extensions/libip6t_owner.c Tue Jul 15 15:29:20 2003
692 +#ifdef IP6T_OWNER_COMM
694 "OWNER match v%s options:\n"
695 "[!] --uid-owner userid Match local uid\n"
696 "[!] --gid-owner groupid Match local gid\n"
697 "[!] --pid-owner processid Match local pid\n"
698 "[!] --sid-owner sessionid Match local sid\n"
699 +"[!] --cmd-owner name Match local command name\n"
704 +"OWNER match v%s options:\n"
705 +"[!] --uid-owner userid Match local uid\n"
706 +"[!] --gid-owner groupid Match local gid\n"
707 +"[!] --pid-owner processid Match local pid\n"
708 +"[!] --sid-owner sessionid Match local sid\n"
711 +#endif /* IP6T_OWNER_COMM */
714 static struct option opts[] = {
716 { "gid-owner", 1, 0, '2' },
717 { "pid-owner", 1, 0, '3' },
718 { "sid-owner", 1, 0, '4' },
719 +#ifdef IP6T_OWNER_COMM
720 + { "cmd-owner", 1, 0, '5' },
729 +#ifdef IP6T_OWNER_COMM
731 + check_inverse(optarg, &invert, &optind, 0);
732 + if(strlen(optarg) > sizeof(ownerinfo->comm))
733 + exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
735 + strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
738 + ownerinfo->invert |= IP6T_OWNER_COMM;
739 + ownerinfo->match |= IP6T_OWNER_COMM;
750 if (info->invert & flag)
751 - fputc('!', stdout);
754 switch(info->match & flag) {
758 printf("%u ", info->sid);
760 +#ifdef IP6T_OWNER_COMM
761 + case IP6T_OWNER_COMM:
762 + printf("%.*s ", (int)sizeof(info->comm), info->comm);
769 print_item(info, IP6T_OWNER_GID, numeric, "OWNER GID match ");
770 print_item(info, IP6T_OWNER_PID, numeric, "OWNER PID match ");
771 print_item(info, IP6T_OWNER_SID, numeric, "OWNER SID match ");
772 +#ifdef IP6T_OWNER_COMM
773 + print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
777 /* Saves the union ip6t_matchinfo in parsable form to stdout. */
779 print_item(info, IP6T_OWNER_GID, 0, "--gid-owner ");
780 print_item(info, IP6T_OWNER_PID, 0, "--pid-owner ");
781 print_item(info, IP6T_OWNER_SID, 0, "--sid-owner ");
782 +#ifdef IP6T_OWNER_COMM
783 + print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
788 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libip6t_random.c userspace/extensions/libip6t_random.c
789 --- iptables-1.2.8/extensions/libip6t_random.c Thu Jan 1 01:00:00 1970
790 +++ userspace/extensions/libip6t_random.c Sat May 3 15:46:18 2003
793 + Shared library add-on to iptables to add match support for random match.
795 + This file is distributed under the terms of the GNU General Public
796 + License (GPL). Copies of the GPL can be obtained from:
797 + ftp://prep.ai.mit.edu/pub/gnu/GPL
799 + 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
800 + 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 port.
809 +#include <ip6tables.h>
810 +#include <linux/netfilter_ipv6/ip6_tables.h>
811 +#include <linux/netfilter_ipv6/ip6t_random.h>
814 + * The kernel random routing returns numbers between 0 and 255.
815 + * To ease the task of the user in choosing the probability
816 + * of matching, we want him to be able to use percentages.
817 + * Therefore we have to accept numbers in percentage here,
818 + * turn them into number between 0 and 255 for the kernel module,
819 + * and turn them back to percentages when we print/save
824 +/* Function which prints out usage message. */
829 +"random v%s options:\n"
830 +" [--average] percent The probability in percentage of the match\n"
831 +" If ommited, a probability of 50%% percent is set.\n"
832 +" Percentage must be within : 1 <= percent <= 99.\n\n",
836 +static struct option opts[] = {
837 + { "average", 1, 0, '1' },
841 +/* Initialize the target. */
843 +init(struct ip6t_entry_match *m, unsigned int *nfcache)
845 + struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(m)->data;
846 + *nfcache |= NFC_UNKNOWN;
848 + /* We assign the average to be 50 which is our default value */
849 + /* 50 * 2.55 = 128 */
850 + randinfo->average = 128;
853 +#define IP6T_RAND_OPT_AVERAGE 0x01
855 +/* Function which parses command options; returns true if it
858 +parse(int c, char **argv, int invert, unsigned int *flags,
859 + const struct ip6t_entry *entry,
860 + unsigned int *nfcache,
861 + struct ip6t_entry_match **match)
863 + struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(*match)->data;
868 + /* check for common mistakes... */
870 + exit_error(PARAMETER_PROBLEM,
871 + "Can't specify ! --average");
872 + if (*flags & IP6T_RAND_OPT_AVERAGE)
873 + exit_error(PARAMETER_PROBLEM,
874 + "Can't specify --average twice");
876 + /* Remember, this function will interpret a leading 0 to be
877 + Octal, a leading 0x to be hexdecimal... */
878 + if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
879 + exit_error(PARAMETER_PROBLEM,
880 + "bad --average `%s', must be between 1 and 99", optarg);
882 + /* assign the values */
883 + randinfo->average = (int)(num * 2.55);
884 + *flags |= IP6T_RAND_OPT_AVERAGE;
892 +/* Final check; nothing. */
893 +static void final_check(unsigned int flags)
897 +/* Prints out the targinfo. */
899 +print(const struct ip6t_ip6 *ip,
900 + const struct ip6t_entry_match *match,
903 + const struct ip6t_rand_info *randinfo
904 + = (const struct ip6t_rand_info *)match->data;
905 + div_t result = div((randinfo->average*100), 255);
906 + if (result.rem > 127) /* round up... */
909 + printf(" random %u%% ", result.quot);
912 +/* Saves the union ip6t_targinfo in parsable form to stdout. */
914 +save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
916 + const struct ip6t_rand_info *randinfo
917 + = (const struct ip6t_rand_info *)match->data;
918 + div_t result = div((randinfo->average *100), 255);
919 + if (result.rem > 127) /* round up... */
922 + printf("--average %u ", result.quot);
925 +struct ip6tables_match rand_match
929 + IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
930 + IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
942 + register_match6(&rand_match);
944 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_IPMARK.c userspace/extensions/libipt_IPMARK.c
945 --- iptables-1.2.8/extensions/libipt_IPMARK.c Thu Jan 1 01:00:00 1970
946 +++ userspace/extensions/libipt_IPMARK.c Tue Jul 15 15:29:20 2003
948 +/* Shared library add-on to iptables to add IPMARK target support.
949 + * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>
951 + * based on original MARK target
953 + * This program is distributed under the terms of GNU GPL
960 +#include <iptables.h>
961 +#include <linux/netfilter_ipv4/ip_tables.h>
962 +#include <linux/netfilter_ipv4/ipt_IPMARK.h>
964 +#define IPT_ADDR_USED 1
965 +#define IPT_AND_MASK_USED 2
966 +#define IPT_OR_MASK_USED 4
969 + struct ipt_entry_target t;
970 + struct ipt_ipmark_target_info ipmark;
973 +/* Function which prints out usage message. */
978 +"IPMARK target v%s options:\n"
979 +" --addr src/dst use source or destination ip address\n"
980 +" --and-mask value logical AND ip address with this value becomes MARK\n"
981 +" --or-mask value logical OR ip address with this value becomes MARK\n"
986 +static struct option opts[] = {
987 + { "addr", 1, 0, '1' },
988 + { "and-mask", 1, 0, '2' },
989 + { "or-mask", 1, 0, '3' },
993 +/* Initialize the target. */
995 +init(struct ipt_entry_target *t, unsigned int *nfcache)
997 + struct ipt_ipmark_target_info *ipmarkinfo =
998 + (struct ipt_ipmark_target_info *)t->data;
1000 + ipmarkinfo->andmask=0xffffffff;
1001 + ipmarkinfo->ormask=0;
1003 + *nfcache |= NFC_UNKNOWN;
1006 +/* Function which parses command options; returns true if it
1009 +parse(int c, char **argv, int invert, unsigned int *flags,
1010 + const struct ipt_entry *entry,
1011 + struct ipt_entry_target **target)
1013 + struct ipt_ipmark_target_info *ipmarkinfo
1014 + = (struct ipt_ipmark_target_info *)(*target)->data;
1019 + if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
1020 + else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
1021 + else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
1022 + if (*flags & IPT_ADDR_USED)
1023 + exit_error(PARAMETER_PROBLEM,
1024 + "IPMARK target: Can't specify --addr twice");
1025 + *flags |= IPT_ADDR_USED;
1029 + ipmarkinfo->andmask = strtoul(optarg, &end, 0);
1030 + if (*end != '\0' || end == optarg)
1031 + exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
1032 + if (*flags & IPT_AND_MASK_USED)
1033 + exit_error(PARAMETER_PROBLEM,
1034 + "IPMARK target: Can't specify --and-mask twice");
1035 + *flags |= IPT_AND_MASK_USED;
1038 + ipmarkinfo->ormask = strtoul(optarg, &end, 0);
1039 + if (*end != '\0' || end == optarg)
1040 + exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
1041 + if (*flags & IPT_OR_MASK_USED)
1042 + exit_error(PARAMETER_PROBLEM,
1043 + "IPMARK target: Can't specify --or-mask twice");
1044 + *flags |= IPT_OR_MASK_USED;
1055 +final_check(unsigned int flags)
1057 + if (!(flags & IPT_ADDR_USED))
1058 + exit_error(PARAMETER_PROBLEM,
1059 + "IPMARK target: Parameter --addr is required");
1060 + if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
1061 + exit_error(PARAMETER_PROBLEM,
1062 + "IPMARK target: Parameter --and-mask or --or-mask is required");
1065 +/* Prints out the targinfo. */
1067 +print(const struct ipt_ip *ip,
1068 + const struct ipt_entry_target *target,
1071 + const struct ipt_ipmark_target_info *ipmarkinfo =
1072 + (const struct ipt_ipmark_target_info *)target->data;
1074 + if(ipmarkinfo->addr == IPT_IPMARK_SRC)
1075 + printf("IPMARK src");
1077 + printf("IPMARK dst");
1078 + printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
1081 +/* Saves the union ipt_targinfo in parsable form to stdout. */
1083 +save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
1085 + const struct ipt_ipmark_target_info *ipmarkinfo =
1086 + (const struct ipt_ipmark_target_info *)target->data;
1088 + if(ipmarkinfo->addr == IPT_IPMARK_SRC)
1089 + printf("--addr=src ");
1091 + printf("--addr=dst ");
1092 + if(ipmarkinfo->andmask != 0xffffffff)
1093 + printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
1094 + if(ipmarkinfo->ormask != 0)
1095 + printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
1099 +struct iptables_target ipmark
1103 + IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
1104 + IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
1116 + register_target(&ipmark);
1118 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_LOG.c userspace/extensions/libipt_LOG.c
1119 --- iptables-1.2.8/extensions/libipt_LOG.c Sat Sep 7 16:31:01 2002
1120 +++ userspace/extensions/libipt_LOG.c Tue Jul 15 15:29:20 2003
1121 @@ -230,16 +230,8 @@
1122 if (strcmp(loginfo->prefix, "") != 0)
1123 printf("--log-prefix \"%s\" ", loginfo->prefix);
1125 - if (loginfo->level != LOG_DEFAULT_LEVEL) {
1127 - i < sizeof(ipt_log_names) / sizeof(struct ipt_log_names);
1129 - if (loginfo->level == ipt_log_names[i].level) {
1130 - printf("--log-level %s ", ipt_log_names[i].name);
1135 + if (loginfo->level != LOG_DEFAULT_LEVEL)
1136 + printf("--log-level %d ", loginfo->level);
1138 if (loginfo->logflags & IPT_LOG_TCPSEQ)
1139 printf("--log-tcp-sequence ");
1140 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_NOTRACK.c userspace/extensions/libipt_NOTRACK.c
1141 --- iptables-1.2.8/extensions/libipt_NOTRACK.c Thu Jan 1 01:00:00 1970
1142 +++ userspace/extensions/libipt_NOTRACK.c Wed May 21 12:31:08 2003
1144 +/* Shared library add-on to iptables to add NOTRACK target support. */
1146 +#include <string.h>
1147 +#include <stdlib.h>
1148 +#include <getopt.h>
1150 +#include <iptables.h>
1151 +#include <linux/netfilter_ipv4/ip_tables.h>
1153 +/* Function which prints out usage message. */
1158 +"NOTRACK target v%s takes no options\n",
1162 +static struct option opts[] = {
1166 +/* Initialize the target. */
1168 +init(struct ipt_entry_target *t, unsigned int *nfcache)
1172 +/* Function which parses command options; returns true if it
1175 +parse(int c, char **argv, int invert, unsigned int *flags,
1176 + const struct ipt_entry *entry,
1177 + struct ipt_entry_target **target)
1183 +final_check(unsigned int flags)
1188 +struct iptables_target notrack
1190 + .name = "NOTRACK",
1191 + .version = IPTABLES_VERSION,
1192 + .size = IPT_ALIGN(0),
1193 + .userspacesize = IPT_ALIGN(0),
1197 + .final_check = &final_check,
1198 + .print = NULL, /* print */
1199 + .save = NULL, /* save */
1200 + .extra_opts = opts
1205 + register_target(¬rack);
1207 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_REJECT.c userspace/extensions/libipt_REJECT.c
1208 --- iptables-1.2.8/extensions/libipt_REJECT.c Wed May 29 15:08:16 2002
1209 +++ userspace/extensions/libipt_REJECT.c Tue May 27 19:44:29 2003
1211 #include <iptables.h>
1212 #include <linux/netfilter_ipv4/ip_tables.h>
1213 #include <linux/netfilter_ipv4/ipt_REJECT.h>
1214 +#include <linux/version.h>
1216 +/* If we are compiling against a kernel that does not support
1217 + * IPT_ICMP_ADMIN_PROHIBITED, we are emulating it.
1218 + * The result will be a plain DROP of the packet instead of
1219 + * reject. -- Maciej Soltysiak <solt@dns.toxicfilms.tv>
1221 +#ifndef IPT_ICMP_ADMIN_PROHIBITED
1222 +#define IPT_ICMP_ADMIN_PROHIBITED IPT_TCP_RESET + 1
1225 struct reject_names {
1228 {"icmp-host-prohibited", "host-prohib",
1229 IPT_ICMP_HOST_PROHIBITED, "ICMP host prohibited"},
1230 {"tcp-reset", "tcp-reset",
1231 - IPT_TCP_RESET, "TCP RST packet"}
1232 + IPT_TCP_RESET, "TCP RST packet"},
1233 + {"icmp-admin-prohibited", "admin-prohib",
1234 + IPT_ICMP_ADMIN_PROHIBITED, "ICMP administratively prohibited (*)"}
1239 " a reply packet according to type:\n");
1241 print_reject_types();
1243 + printf("(*) See man page or read the INCOMPATIBILITES file for compatibility issues.\n");
1246 static struct option opts[] = {
1247 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_TRACE.c userspace/extensions/libipt_TRACE.c
1248 --- iptables-1.2.8/extensions/libipt_TRACE.c Thu Jan 1 01:00:00 1970
1249 +++ userspace/extensions/libipt_TRACE.c Wed May 21 12:31:08 2003
1251 +/* Shared library add-on to iptables to add TRACE target support. */
1253 +#include <string.h>
1254 +#include <stdlib.h>
1255 +#include <getopt.h>
1257 +#include <iptables.h>
1258 +#include <linux/netfilter_ipv4/ip_tables.h>
1260 +/* Function which prints out usage message. */
1265 +"TRACE target v%s takes no options\n",
1269 +static struct option opts[] = {
1273 +/* Initialize the target. */
1275 +init(struct ipt_entry_target *t, unsigned int *nfcache)
1279 +/* Function which parses command options; returns true if it
1282 +parse(int c, char **argv, int invert, unsigned int *flags,
1283 + const struct ipt_entry *entry,
1284 + struct ipt_entry_target **target)
1290 +final_check(unsigned int flags)
1295 +struct iptables_target trace
1298 + .version = IPTABLES_VERSION,
1299 + .size = IPT_ALIGN(0),
1300 + .userspacesize = IPT_ALIGN(0),
1304 + .final_check = &final_check,
1305 + .print = NULL, /* print */
1306 + .save = NULL, /* save */
1307 + .extra_opts = opts
1312 + register_target(&trace);
1314 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_XOR.c userspace/extensions/libipt_XOR.c
1315 --- iptables-1.2.8/extensions/libipt_XOR.c Thu Jan 1 01:00:00 1970
1316 +++ userspace/extensions/libipt_XOR.c Sat May 31 19:11:49 2003
1318 +/* Shared library add-on to iptables for the XOR target
1319 + * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
1320 + * Based on libipt_TTL.c
1324 + * This program is distributed under the terms of GNU GPL
1328 +#include <string.h>
1329 +#include <stdlib.h>
1330 +#include <getopt.h>
1331 +#include <iptables.h>
1333 +#include <linux/netfilter_ipv4/ip_tables.h>
1334 +#include <linux/netfilter_ipv4/ipt_XOR.h>
1336 +#define IPT_KEY_SET 1
1337 +#define IPT_BLOCKSIZE_SET 2
1339 +static void init(struct ipt_entry_target *t, unsigned int *nfcache)
1343 +static void help(void)
1346 + "XOR target v%s options\n"
1347 + " --key string Set key to \"string\"\n"
1348 + " --block-size Set block size\n",
1349 + IPTABLES_VERSION);
1352 +static int parse(int c, char **argv, int invert, unsigned int *flags,
1353 + const struct ipt_entry *entry,
1354 + struct ipt_entry_target **target)
1356 + struct ipt_XOR_info *info = (struct ipt_XOR_info *) (*target)->data;
1359 + exit_error(PARAMETER_PROBLEM, "XOR: too few arguments");
1361 + if (check_inverse(optarg, &invert, NULL, 0))
1362 + exit_error(PARAMETER_PROBLEM, "XOR: unexpected '!'");
1366 + strncpy(info->key, optarg, 30);
1367 + *flags |= IPT_KEY_SET;
1370 + info->block_size = atoi(optarg);
1371 + *flags |= IPT_BLOCKSIZE_SET;
1380 +static void final_check(unsigned int flags)
1382 + if (!(flags & IPT_KEY_SET))
1383 + exit_error(PARAMETER_PROBLEM, "XOR: You must specify a key");
1384 + if (!(flags & IPT_BLOCKSIZE_SET))
1385 + exit_error(PARAMETER_PROBLEM, "XOR: You must specify a block-size");
1388 +static void save (const struct ipt_ip *ip,
1389 + const struct ipt_entry_target *target)
1391 + const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
1393 + printf("--key %s ", info->key);
1394 + printf("--block-size %u ", info->block_size);
1397 +static void print (const struct ipt_ip *ip,
1398 + const struct ipt_entry_target *target, int numeric)
1400 + const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
1402 + printf("key: %s ", info->key);
1403 + printf("block-size: %u ", info->block_size);
1406 +static struct option opts[] = {
1407 + { "key", 1, 0, '1' },
1408 + { "block-size", 1, 0, '2' },
1412 +static struct iptables_target XOR = { NULL,
1415 + IPT_ALIGN(sizeof(struct ipt_XOR_info)),
1416 + IPT_ALIGN(sizeof(struct ipt_XOR_info)),
1428 + register_target(&XOR);
1430 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_addrtype.c userspace/extensions/libipt_addrtype.c
1431 --- iptables-1.2.8/extensions/libipt_addrtype.c Thu Jan 1 01:00:00 1970
1432 +++ userspace/extensions/libipt_addrtype.c Wed May 7 18:51:40 2003
1434 +/* Shared library add-on to iptables to add addrtype matching support
1436 + * This program is released under the terms of GNU GPL */
1439 +#include <stdlib.h>
1440 +#include <string.h>
1441 +#include <getopt.h>
1442 +#include <iptables.h>
1444 +#include <linux/netfilter_ipv4/ip_tables.h>
1445 +#include <linux/netfilter_ipv4/ipt_addrtype.h>
1447 +/* from linux/rtnetlink.h, must match order of enumeration */
1448 +static char *rtn_names[] = {
1464 +static void help_types(void)
1468 + for (i = 0; rtn_names[i]; i++)
1469 + printf(" %s\n", rtn_names[i]);
1472 +static void help(void)
1475 +"Address type match v%s options:\n"
1476 +" [!] --src-type type[,...] Match source address type\n"
1477 +" [!] --dst-type type[,...] Match destination address type\n"
1480 +, IPTABLES_VERSION);
1484 +static void init(struct ipt_entry_match *m, unsigned int *nfcache)
1486 + /* caching not yet implemented */
1487 + *nfcache |= NFC_UNKNOWN;
1491 +parse_type(const char *name, size_t strlen, u_int16_t *mask)
1495 + for (i = 0; rtn_names[i]; i++)
1496 + if (strncasecmp(name, rtn_names[i], strlen) == 0) {
1497 + /* build up bitmask for kernel module */
1498 + *mask |= (1 << i);
1505 +static void parse_types(const char *arg, u_int16_t *mask)
1507 + const char *comma;
1509 + while ((comma = strchr(arg, ',')) != NULL) {
1510 + if (comma == arg || !parse_type(arg, comma-arg, mask))
1511 + exit_error(PARAMETER_PROBLEM,
1512 + "addrtype: bad type `%s'", arg);
1516 + if (strlen(arg) == 0 || !parse_type(arg, strlen(arg), mask))
1517 + exit_error(PARAMETER_PROBLEM, "addrtype: bad type `%s'", arg);
1520 +#define IPT_ADDRTYPE_OPT_SRCTYPE 0x1
1521 +#define IPT_ADDRTYPE_OPT_DSTTYPE 0x2
1523 +static int parse(int c, char **argv, int invert, unsigned int *flags,
1524 + const struct ipt_entry *entry, unsigned int *nfcache,
1525 + struct ipt_entry_match **match)
1527 + struct ipt_addrtype_info *info =
1528 + (struct ipt_addrtype_info *) (*match)->data;
1532 + if (*flags&IPT_ADDRTYPE_OPT_SRCTYPE)
1533 + exit_error(PARAMETER_PROBLEM,
1534 + "addrtype: can't specify src-type twice");
1535 + check_inverse(optarg, &invert, &optind, 0);
1536 + parse_types(argv[optind-1], &info->source);
1538 + info->invert_source = 1;
1539 + *flags |= IPT_ADDRTYPE_OPT_SRCTYPE;
1542 + if (*flags&IPT_ADDRTYPE_OPT_DSTTYPE)
1543 + exit_error(PARAMETER_PROBLEM,
1544 + "addrtype: can't specify dst-type twice");
1545 + check_inverse(optarg, &invert, &optind, 0);
1546 + parse_types(argv[optind-1], &info->dest);
1548 + info->invert_dest = 1;
1549 + *flags |= IPT_ADDRTYPE_OPT_DSTTYPE;
1558 +static void final_check(unsigned int flags)
1560 + if (!(flags & (IPT_ADDRTYPE_OPT_SRCTYPE|IPT_ADDRTYPE_OPT_DSTTYPE)))
1561 + exit_error(PARAMETER_PROBLEM,
1562 + "addrtype: you must specify --src-type or --dst-type");
1565 +static void print_types(u_int16_t mask)
1567 + const char *sep = "";
1570 + for (i = 0; rtn_names[i]; i++)
1571 + if (mask & (1 << i)) {
1572 + printf("%s%s", sep, rtn_names[i]);
1579 +static void print(const struct ipt_ip *ip,
1580 + const struct ipt_entry_match *match,
1583 + const struct ipt_addrtype_info *info =
1584 + (struct ipt_addrtype_info *) match->data;
1586 + printf("ADDRTYPE match ");
1587 + if (info->source) {
1588 + printf("src-type ");
1589 + if (info->invert_source)
1591 + print_types(info->source);
1594 + printf("dst-type ");
1595 + if (info->invert_dest)
1597 + print_types(info->dest);
1601 +static void save(const struct ipt_ip *ip,
1602 + const struct ipt_entry_match *match)
1604 + const struct ipt_addrtype_info *info =
1605 + (struct ipt_addrtype_info *) match->data;
1607 + if (info->source) {
1608 + printf("--src-type ");
1609 + if (info->invert_source)
1611 + print_types(info->source);
1614 + printf("--dst-type ");
1615 + if (info->invert_dest)
1617 + print_types(info->dest);
1621 +static struct option opts[] = {
1622 + { "src-type", 1, 0, '1' },
1623 + { "dst-type", 1, 0, '2' },
1628 +struct iptables_match addrtype = {
1632 + IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
1633 + IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
1646 + register_match(&addrtype);
1648 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_condition.c userspace/extensions/libipt_condition.c
1649 --- iptables-1.2.8/extensions/libipt_condition.c Wed Mar 26 15:42:35 2003
1650 +++ userspace/extensions/libipt_condition.c Thu May 22 16:33:34 2003
1652 +/* Shared library add-on to iptables for condition match */
1657 struct condition_info *info =
1658 (struct condition_info *) (*match)->data;
1660 - check_inverse(optarg, &invert, &optind, 0);
1664 exit_error(PARAMETER_PROBLEM,
1665 "Can't specify multiple conditions");
1667 + check_inverse(optarg, &invert, &optind, 0);
1669 if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
1670 strcpy(info->name, argv[optind - 1]);
1673 const struct condition_info *info =
1674 (const struct condition_info *) match->data;
1676 - printf("--condition %s%s ", (info->invert) ? "! " : "", info->name);
1677 + printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
1681 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_connbytes.c userspace/extensions/libipt_connbytes.c
1682 --- iptables-1.2.8/extensions/libipt_connbytes.c Thu Jan 1 01:00:00 1970
1683 +++ userspace/extensions/libipt_connbytes.c Thu Jun 19 14:23:37 2003
1685 +/* Shared library add-on to iptables to add byte tracking support. */
1688 +#include <string.h>
1689 +#include <stdlib.h>
1690 +#include <getopt.h>
1691 +#include <iptables.h>
1692 +#include <linux/netfilter_ipv4/ip_conntrack.h>
1693 +#include <linux/netfilter_ipv4/ipt_connbytes.h>
1695 +/* Function which prints out usage message. */
1700 +"connbytes v%s options:\n"
1701 +" [!] --connbytes from:[to]\n"
1702 +" Transfered byte range to match\n"
1703 +"\n", IPTABLES_VERSION);
1706 +static struct option opts[] = {
1707 + { "connbytes", 1, 0, '1' },
1711 +/* Initialize the match. */
1713 +init(struct ipt_entry_match *m, unsigned int *nfcache)
1715 + /* Can't cache this */
1716 + *nfcache |= NFC_UNKNOWN;
1720 +parse_range(const char *arg, struct ipt_connbytes_info *si)
1724 + si->from = strtol(arg,&colon,10);
1725 + if (*colon != ':')
1726 + exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
1727 + si->to = strtol(colon+1,&p,10);
1728 + if (p == colon+1) {
1729 + /* second number omited */
1730 + si->to = 0xffffffff;
1732 + if (si->from > si->to)
1733 + exit_error(PARAMETER_PROBLEM, "%lu should be less than %lu", si->from,si->to);
1736 +/* Function which parses command options; returns true if it
1739 +parse(int c, char **argv, int invert, unsigned int *flags,
1740 + const struct ipt_entry *entry,
1741 + unsigned int *nfcache,
1742 + struct ipt_entry_match **match)
1744 + struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)(*match)->data;
1749 + if (check_inverse(optarg, &invert, optind, 0))
1752 + parse_range(argv[optind-1], sinfo);
1755 + sinfo->from = sinfo->to;
1768 +static void final_check(unsigned int flags)
1771 + exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'");
1774 +/* Prints out the matchinfo. */
1776 +print(const struct ipt_ip *ip,
1777 + const struct ipt_entry_match *match,
1780 + struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
1782 + if (sinfo->from > sinfo->to)
1783 + printf("connbytes ! %lu:%lu",sinfo->to,sinfo->from);
1785 + printf("connbytes %lu:%lu",sinfo->from,sinfo->to);
1788 +/* Saves the matchinfo in parsable form to stdout. */
1789 +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
1791 + struct ipt_connbytes_info *sinfo = (struct ipt_connbytes_info *)match->data;
1793 + if (sinfo->from > sinfo->to)
1794 + printf("! --connbytes %lu:%lu",sinfo->to,sinfo->from);
1796 + printf("--connbytes %lu:%lu",sinfo->from,sinfo->to);
1800 +struct iptables_match state
1804 + IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
1805 + IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
1817 + register_match(&state);
1819 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_connlimit.c userspace/extensions/libipt_connlimit.c
1820 --- iptables-1.2.8/extensions/libipt_connlimit.c Thu Jan 1 01:00:00 1970
1821 +++ userspace/extensions/libipt_connlimit.c Wed Apr 30 18:54:48 2003
1823 +/* Shared library add-on to iptables to add connection limit support. */
1826 +#include <string.h>
1827 +#include <stdlib.h>
1828 +#include <stddef.h>
1829 +#include <getopt.h>
1830 +#include <iptables.h>
1831 +#include <linux/netfilter_ipv4/ip_conntrack.h>
1832 +#include <linux/netfilter_ipv4/ipt_connlimit.h>
1834 +/* Function which prints out usage message. */
1839 +"connlimit v%s options:\n"
1840 +"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n"
1841 +" --connlimit-mask n group hosts using mask\n"
1842 +"\n", IPTABLES_VERSION);
1845 +static struct option opts[] = {
1846 + { "connlimit-above", 1, 0, '1' },
1847 + { "connlimit-mask", 1, 0, '2' },
1851 +/* Initialize the match. */
1853 +init(struct ipt_entry_match *m, unsigned int *nfcache)
1855 + /* Can't cache this */
1856 + *nfcache |= NFC_UNKNOWN;
1859 +/* Function which parses command options; returns true if it
1862 +parse(int c, char **argv, int invert, unsigned int *flags,
1863 + const struct ipt_entry *entry,
1864 + unsigned int *nfcache,
1865 + struct ipt_entry_match **match)
1867 + struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
1869 + if (0 == (*flags & 2)) {
1870 + /* set default mask unless we've already seen a mask option */
1871 + info->mask = htonl(0xFFFFFFFF);
1876 + check_inverse(optarg, &invert, &optind, 0);
1877 + info->limit = atoi(argv[optind-1]);
1878 + info->inverse = invert;
1883 + info->mask = htonl(0xFFFFFFFF << (32 - atoi(argv[optind-1])));
1895 +static void final_check(unsigned int flags)
1898 + exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
1902 +count_bits(u_int32_t mask)
1906 + for (bits = 0, i = 31; i >= 0; i--) {
1907 + if (mask & htonl((u_int32_t)1 << i)) {
1916 +/* Prints out the matchinfo. */
1918 +print(const struct ipt_ip *ip,
1919 + const struct ipt_entry_match *match,
1922 + struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
1924 + printf("#conn/%d %s %d ", count_bits(info->mask),
1925 + info->inverse ? "<" : ">", info->limit);
1928 +/* Saves the matchinfo in parsable form to stdout. */
1929 +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
1931 + struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
1933 + printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
1934 + printf("--connlimit-mask %d ",count_bits(info->mask));
1937 +static struct iptables_match connlimit = {
1938 + name: "connlimit",
1939 + version: IPTABLES_VERSION,
1940 + size: IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
1941 + userspacesize: offsetof(struct ipt_connlimit_info,data),
1945 + final_check: final_check,
1953 + register_match(&connlimit);
1955 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_fuzzy.c userspace/extensions/libipt_fuzzy.c
1956 --- iptables-1.2.8/extensions/libipt_fuzzy.c Mon Aug 26 18:10:30 2002
1957 +++ userspace/extensions/libipt_fuzzy.c Mon Jun 16 13:39:36 2003
1959 ftp://prep.ai.mit.edu/pub/gnu/GPL
1961 2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
1962 +2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
1963 +the save function , thanks to information given by Jean-Francois Patenaude .
1968 const struct ipt_fuzzy_info *fuzzyinfo
1969 = (const struct ipt_fuzzy_info *)match->data;
1971 - printf("--upper-limit %u ",fuzzyinfo->minimum_rate);
1972 - printf("--lower-limit %u ",fuzzyinfo->maximum_rate);
1973 + printf("--lower-limit %u ",fuzzyinfo->minimum_rate);
1974 + printf("--upper-limit %u ",fuzzyinfo->maximum_rate);
1978 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_iplimit.c userspace/extensions/libipt_iplimit.c
1979 --- iptables-1.2.8/extensions/libipt_iplimit.c Wed May 29 15:08:16 2002
1980 +++ userspace/extensions/libipt_iplimit.c Thu Jan 1 01:00:00 1970
1982 -/* Shared library add-on to iptables to add state tracking support. */
1985 -#include <string.h>
1986 -#include <stdlib.h>
1987 -#include <stddef.h>
1988 -#include <getopt.h>
1989 -#include <iptables.h>
1990 -#include <linux/netfilter_ipv4/ip_conntrack.h>
1991 -#include <linux/netfilter_ipv4/ipt_iplimit.h>
1993 -/* Function which prints out usage message. */
1998 -"iplimit v%s options:\n"
1999 -"[!] --iplimit-above n match if the number of existing tcp connections is (not) above n\n"
2000 -" --iplimit-mask n group hosts using mask\n"
2001 -"\n", IPTABLES_VERSION);
2004 -static struct option opts[] = {
2005 - { "iplimit-above", 1, 0, '1' },
2006 - { "iplimit-mask", 1, 0, '2' },
2010 -/* Initialize the match. */
2012 -init(struct ipt_entry_match *m, unsigned int *nfcache)
2014 - /* Can't cache this */
2015 - *nfcache |= NFC_UNKNOWN;
2018 -/* Function which parses command options; returns true if it
2021 -parse(int c, char **argv, int invert, unsigned int *flags,
2022 - const struct ipt_entry *entry,
2023 - unsigned int *nfcache,
2024 - struct ipt_entry_match **match)
2026 - struct ipt_iplimit_info *info = (struct ipt_iplimit_info*)(*match)->data;
2028 - if (0 == (*flags & 2)) {
2029 - /* set default mask unless we've already seen a mask option */
2030 - info->mask = htonl(0xFFFFFFFF);
2035 - check_inverse(optarg, &invert, &optind, 0);
2036 - info->limit = atoi(argv[optind-1]);
2037 - info->inverse = invert;
2042 - info->mask = htonl(0xFFFFFFFF << (32 - atoi(argv[optind-1])));
2054 -static void final_check(unsigned int flags)
2057 - exit_error(PARAMETER_PROBLEM, "You must specify `--iplimit-above'");
2061 -count_bits(u_int32_t mask)
2065 - for (bits = 0, i = 31; i >= 0; i--) {
2066 - if (mask & htonl((u_int32_t)1 << i)) {
2075 -/* Prints out the matchinfo. */
2077 -print(const struct ipt_ip *ip,
2078 - const struct ipt_entry_match *match,
2081 - struct ipt_iplimit_info *info = (struct ipt_iplimit_info*)match->data;
2083 - printf("#conn/%d %s %d ", count_bits(info->mask),
2084 - info->inverse ? "<" : ">", info->limit);
2087 -/* Saves the matchinfo in parsable form to stdout. */
2088 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2090 - struct ipt_iplimit_info *info = (struct ipt_iplimit_info*)match->data;
2092 - printf("%s--iplimit-above %d ",info->inverse ? "! " : "",info->limit);
2093 - printf("--iplimit-mask %d ",count_bits(info->mask));
2096 -static struct iptables_match iplimit = {
2098 - version: IPTABLES_VERSION,
2099 - size: IPT_ALIGN(sizeof(struct ipt_iplimit_info)),
2100 - userspacesize: offsetof(struct ipt_iplimit_info,data),
2104 - final_check: final_check,
2112 - register_match(&iplimit);
2114 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_iprange.c userspace/extensions/libipt_iprange.c
2115 --- iptables-1.2.8/extensions/libipt_iprange.c Thu Jan 1 01:00:00 1970
2116 +++ userspace/extensions/libipt_iprange.c Wed Apr 23 15:27:09 2003
2118 +/* Shared library add-on to iptables to add IP range matching support. */
2121 +#include <string.h>
2122 +#include <stdlib.h>
2123 +#include <getopt.h>
2125 +#include <iptables.h>
2126 +#include <linux/netfilter_ipv4/ipt_iprange.h>
2128 +/* Function which prints out usage message. */
2133 +"iprange match v%s options:\n"
2134 +"[!] --src-range ip-ip Match source IP in the specified range\n"
2135 +"[!] --dst-range ip-ip Match destination IP in the specified range\n"
2140 +static struct option opts[] = {
2141 + { "src-range", 1, 0, '1' },
2142 + { "dst-range", 1, 0, '2' },
2146 +/* Initialize the match. */
2148 +init(struct ipt_entry_match *m, unsigned int *nfcache)
2150 + /* Can't cache this. */
2151 + *nfcache |= NFC_UNKNOWN;
2155 +parse_iprange(char *arg, struct ipt_iprange *range)
2158 + struct in_addr *ip;
2160 + dash = strchr(arg, '-');
2164 + ip = dotted_to_addr(arg);
2166 + exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
2168 + range->min_ip = ip->s_addr;
2171 + ip = dotted_to_addr(dash+1);
2173 + exit_error(PARAMETER_PROBLEM, "iprange match: Bad IP address `%s'\n",
2175 + range->max_ip = ip->s_addr;
2177 + range->max_ip = range->min_ip;
2180 +/* Function which parses command options; returns true if it
2183 +parse(int c, char **argv, int invert, unsigned int *flags,
2184 + const struct ipt_entry *entry,
2185 + unsigned int *nfcache,
2186 + struct ipt_entry_match **match)
2188 + struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data;
2192 + if (*flags & IPRANGE_SRC)
2193 + exit_error(PARAMETER_PROBLEM,
2194 + "iprange match: Only use --src-range ONCE!");
2195 + *flags |= IPRANGE_SRC;
2197 + info->flags |= IPRANGE_SRC;
2198 + check_inverse(optarg, &invert, &optind, 0);
2200 + info->flags |= IPRANGE_SRC_INV;
2203 + parse_iprange(optarg, &info->src);
2208 + if (*flags & IPRANGE_DST)
2209 + exit_error(PARAMETER_PROBLEM,
2210 + "iprange match: Only use --dst-range ONCE!");
2211 + *flags |= IPRANGE_DST;
2213 + info->flags |= IPRANGE_DST;
2214 + check_inverse(optarg, &invert, &optind, 0);
2216 + info->flags |= IPRANGE_DST_INV;
2218 + parse_iprange(optarg, &info->dst);
2228 +/* Final check; must have specified --src-range or --dst-range. */
2230 +final_check(unsigned int flags)
2233 + exit_error(PARAMETER_PROBLEM,
2234 + "iprange match: You must specify `--src-range' or `--dst-range'");
2238 +print_iprange(const struct ipt_iprange *range)
2240 + const unsigned char *byte_min, *byte_max;
2242 + byte_min = (const unsigned char *) &(range->min_ip);
2243 + byte_max = (const unsigned char *) &(range->max_ip);
2244 + printf("%d.%d.%d.%d-%d.%d.%d.%d ",
2245 + byte_min[0], byte_min[1], byte_min[2], byte_min[3],
2246 + byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
2249 +/* Prints out the info. */
2251 +print(const struct ipt_ip *ip,
2252 + const struct ipt_entry_match *match,
2255 + struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
2257 + if (info->flags & IPRANGE_SRC) {
2258 + printf("source IP range ");
2259 + if (info->flags & IPRANGE_SRC_INV)
2261 + print_iprange(&info->src);
2263 + if (info->flags & IPRANGE_DST) {
2264 + printf("destination IP range ");
2265 + if (info->flags & IPRANGE_DST_INV)
2267 + print_iprange(&info->dst);
2271 +/* Saves the union ipt_info in parsable form to stdout. */
2273 +save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2275 + struct ipt_iprange_info *info = (struct ipt_iprange_info *)match->data;
2277 + if (info->flags & IPRANGE_SRC) {
2278 + if (info->flags & IPRANGE_SRC_INV)
2280 + printf("--src-range ");
2281 + print_iprange(&info->src);
2282 + if (info->flags & IPRANGE_DST)
2283 + fputc(' ', stdout);
2285 + if (info->flags & IPRANGE_DST) {
2286 + if (info->flags & IPRANGE_DST_INV)
2288 + printf("--dst-range ");
2289 + print_iprange(&info->dst);
2294 +struct iptables_match iprange
2298 + IPT_ALIGN(sizeof(struct ipt_iprange_info)),
2299 + IPT_ALIGN(sizeof(struct ipt_iprange_info)),
2311 + register_match(&iprange);
2313 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_mac.c userspace/extensions/libipt_mac.c
2314 --- iptables-1.2.8/extensions/libipt_mac.c Wed Oct 2 15:52:17 2002
2315 +++ userspace/extensions/libipt_mac.c Mon Jun 16 13:39:36 2003
2320 -static void print_mac(unsigned char macaddress[ETH_ALEN], int invert)
2321 +static void print_mac(unsigned char macaddress[ETH_ALEN])
2325 - printf("%s%02X", invert ? "! " : "", macaddress[0]);
2326 + printf("%02X", macaddress[0]);
2327 for (i = 1; i < ETH_ALEN; i++)
2328 printf(":%02X", macaddress[i]);
2330 @@ -111,16 +111,21 @@
2334 - print_mac(((struct ipt_mac_info *)match->data)->srcaddr,
2335 - ((struct ipt_mac_info *)match->data)->invert);
2337 + if (((struct ipt_mac_info *)match->data)->invert)
2340 + print_mac(((struct ipt_mac_info *)match->data)->srcaddr);
2343 /* Saves the union ipt_matchinfo in parsable form to stdout. */
2344 static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2346 + if (((struct ipt_mac_info *)match->data)->invert)
2349 printf("--mac-source ");
2350 - print_mac(((struct ipt_mac_info *)match->data)->srcaddr,
2351 - ((struct ipt_mac_info *)match->data)->invert);
2352 + print_mac(((struct ipt_mac_info *)match->data)->srcaddr);
2356 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_mport.c userspace/extensions/libipt_mport.c
2357 --- iptables-1.2.8/extensions/libipt_mport.c Wed May 29 15:08:16 2002
2358 +++ userspace/extensions/libipt_mport.c Tue Jul 15 15:29:20 2003
2359 @@ -276,10 +276,10 @@
2360 && minfo->ports[i-1] == minfo->ports[i])
2362 printf("%s", i ? "," : "");
2363 - print_port(minfo->ports[i], ip->proto, 0);
2364 + print_port(minfo->ports[i], ip->proto, 1);
2365 if (pflags & (1<<i)) {
2367 - print_port(minfo->ports[++i], ip->proto, 0);
2368 + print_port(minfo->ports[++i], ip->proto, 1);
2372 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_multiport.c userspace/extensions/libipt_multiport.c
2373 --- iptables-1.2.8/extensions/libipt_multiport.c Wed May 29 15:08:16 2002
2374 +++ userspace/extensions/libipt_multiport.c Tue Jul 15 15:29:20 2003
2377 for (i=0; i < multiinfo->count; i++) {
2378 printf("%s", i ? "," : "");
2379 - print_port(multiinfo->ports[i], ip->proto, 0);
2380 + print_port(multiinfo->ports[i], ip->proto, 1);
2384 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_owner.c userspace/extensions/libipt_owner.c
2385 --- iptables-1.2.8/extensions/libipt_owner.c Mon Jan 6 13:40:33 2003
2386 +++ userspace/extensions/libipt_owner.c Thu May 22 16:33:34 2003
2388 if(info->match & flag) {
2390 if (info->invert & flag)
2391 - fputc('!', stdout);
2396 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_physdev.c userspace/extensions/libipt_physdev.c
2397 --- iptables-1.2.8/extensions/libipt_physdev.c Tue Feb 11 21:19:04 2003
2398 +++ userspace/extensions/libipt_physdev.c Thu May 22 16:33:34 2003
2402 "physdev v%s options:\n"
2403 -" --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n"
2404 +" --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n"
2405 " --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n"
2406 +" [!] --physdev-is-in arrived on a bridge device\n"
2407 +" [!] --physdev-is-out will leave on a bridge device\n"
2408 +" [!] --physdev-is-bridged it's a bridged packet\n"
2409 "\n", IPTABLES_VERSION);
2412 static struct option opts[] = {
2413 { "physdev-in", 1, 0, '1' },
2414 { "physdev-out", 1, 0, '2' },
2415 + { "physdev-is-in", 0, 0, '3' },
2416 + { "physdev-is-out", 0, 0, '4' },
2417 + { "physdev-is-bridged", 0, 0, '5' },
2425 - if (*flags & IPT_PHYSDEV_OP_MATCH_IN)
2426 - exit_error(PARAMETER_PROBLEM,
2427 - "multiple --physdev-in not allowed");
2428 + if (*flags & IPT_PHYSDEV_OP_IN)
2429 + goto multiple_use;
2430 check_inverse(optarg, &invert, &optind, 0);
2431 parse_interface(argv[optind-1], info->physindev, info->in_mask);
2433 - info->invert |= IPT_PHYSDEV_OP_MATCH_IN;
2434 - *flags |= IPT_PHYSDEV_OP_MATCH_IN;
2435 + info->invert |= IPT_PHYSDEV_OP_IN;
2436 + info->bitmask |= IPT_PHYSDEV_OP_IN;
2437 + *flags |= IPT_PHYSDEV_OP_IN;
2441 - if (*flags & IPT_PHYSDEV_OP_MATCH_OUT)
2442 - exit_error(PARAMETER_PROBLEM,
2443 - "multiple --physdev-out not allowed");
2444 + if (*flags & IPT_PHYSDEV_OP_OUT)
2445 + goto multiple_use;
2446 check_inverse(optarg, &invert, &optind, 0);
2447 parse_interface(argv[optind-1], info->physoutdev,
2450 - info->invert |= IPT_PHYSDEV_OP_MATCH_OUT;
2451 - *flags |= IPT_PHYSDEV_OP_MATCH_OUT;
2452 + info->invert |= IPT_PHYSDEV_OP_OUT;
2453 + info->bitmask |= IPT_PHYSDEV_OP_OUT;
2454 + *flags |= IPT_PHYSDEV_OP_OUT;
2458 + if (*flags & IPT_PHYSDEV_OP_ISIN)
2459 + goto multiple_use;
2460 + check_inverse(optarg, &invert, &optind, 0);
2461 + info->bitmask |= IPT_PHYSDEV_OP_ISIN;
2463 + info->invert |= IPT_PHYSDEV_OP_ISIN;
2464 + *flags |= IPT_PHYSDEV_OP_ISIN;
2468 + if (*flags & IPT_PHYSDEV_OP_ISOUT)
2469 + goto multiple_use;
2470 + check_inverse(optarg, &invert, &optind, 0);
2471 + info->bitmask |= IPT_PHYSDEV_OP_ISOUT;
2473 + info->invert |= IPT_PHYSDEV_OP_ISOUT;
2474 + *flags |= IPT_PHYSDEV_OP_ISOUT;
2478 + if (*flags & IPT_PHYSDEV_OP_BRIDGED)
2479 + goto multiple_use;
2480 + check_inverse(optarg, &invert, &optind, 0);
2482 + info->invert |= IPT_PHYSDEV_OP_BRIDGED;
2483 + *flags |= IPT_PHYSDEV_OP_BRIDGED;
2484 + info->bitmask |= IPT_PHYSDEV_OP_BRIDGED;
2488 @@ -110,26 +146,16 @@
2494 + exit_error(PARAMETER_PROBLEM,
2495 + "multiple use of the same physdev option is not allowed");
2497 -static void final_check(unsigned int flags)
2501 -static void print_iface(u_int8_t invert, char *dev, char *prefix)
2502 +static void final_check(unsigned int flags)
2504 - char iface[IFNAMSIZ+2];
2512 - if (dev[0] != '\0') {
2513 - strcat(iface, dev);
2514 - printf("%s%s", prefix, iface);
2517 + exit_error(PARAMETER_PROBLEM, "PHYSDEV: no physdev option specified");
2521 @@ -141,10 +167,22 @@
2522 (struct ipt_physdev_info*)match->data;
2524 printf("PHYSDEV match");
2525 - print_iface(info->invert & IPT_PHYSDEV_OP_MATCH_IN, info->physindev,
2527 - print_iface(info->invert & IPT_PHYSDEV_OP_MATCH_OUT, info->physoutdev,
2529 + if (info->bitmask & IPT_PHYSDEV_OP_ISIN)
2530 + printf("%s --physdev-is-in",
2531 + info->invert & IPT_PHYSDEV_OP_ISIN ? " !":"");
2532 + if (info->bitmask & IPT_PHYSDEV_OP_IN)
2533 + printf("%s --physdev-in %s",
2534 + (info->invert & IPT_PHYSDEV_OP_IN) ? " !":"", info->physindev);
2536 + if (info->bitmask & IPT_PHYSDEV_OP_ISOUT)
2537 + printf("%s --physdev-is-out",
2538 + info->invert & IPT_PHYSDEV_OP_ISOUT ? " !":"");
2539 + if (info->bitmask & IPT_PHYSDEV_OP_OUT)
2540 + printf("%s --physdev-out %s",
2541 + (info->invert & IPT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
2542 + if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
2543 + printf("%s --physdev-is-bridged",
2544 + info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
2548 @@ -153,10 +191,22 @@
2549 struct ipt_physdev_info *info =
2550 (struct ipt_physdev_info*)match->data;
2552 - print_iface(info->invert & IPT_PHYSDEV_OP_MATCH_IN, info->physindev,
2554 - print_iface(info->invert & IPT_PHYSDEV_OP_MATCH_OUT, info->physoutdev,
2555 - "--physdev-out ");
2556 + if (info->bitmask & IPT_PHYSDEV_OP_ISIN)
2557 + printf("%s --physdev-is-in",
2558 + info->invert & IPT_PHYSDEV_OP_ISIN ? " !":"");
2559 + if (info->bitmask & IPT_PHYSDEV_OP_IN)
2560 + printf("%s --physdev-in %s",
2561 + (info->invert & IPT_PHYSDEV_OP_IN) ? " !":"", info->physindev);
2563 + if (info->bitmask & IPT_PHYSDEV_OP_ISOUT)
2564 + printf("%s --physdev-is-out",
2565 + info->invert & IPT_PHYSDEV_OP_ISOUT ? " !":"");
2566 + if (info->bitmask & IPT_PHYSDEV_OP_OUT)
2567 + printf("%s --physdev-out %s",
2568 + (info->invert & IPT_PHYSDEV_OP_OUT) ? " !":"", info->physoutdev);
2569 + if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
2570 + printf("%s --physdev-is-bridged",
2571 + info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
2575 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_psd.c userspace/extensions/libipt_psd.c
2576 --- iptables-1.2.8/extensions/libipt_psd.c Wed May 29 15:08:16 2002
2577 +++ userspace/extensions/libipt_psd.c Tue Jul 15 15:29:20 2003
2579 2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
2580 2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
2581 2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
2582 + 2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
2588 struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)(*match)->data;
2590 - char storage[strlen(optarg) + 2];
2593 + exit_error(PARAMETER_PROBLEM, "missing optarg");
2595 /* string_to_number needs a leading space */
2597 - strcpy(&storage[1], optarg);
2600 /* PSD-weight-threshold */
2602 exit_error(PARAMETER_PROBLEM,
2603 "Can't specify --psd-weight-threshold "
2605 - if (string_to_number(storage, 0, 10000, &num) == -1)
2606 + if (string_to_number(optarg, 0, 10000, &num) == -1)
2607 exit_error(PARAMETER_PROBLEM,
2608 "bad --psd-weight-threshold `%s'", optarg);
2609 psdinfo->weight_threshold = num;
2611 if (*flags & IPT_PSD_OPT_DTRESH)
2612 exit_error(PARAMETER_PROBLEM,
2613 "Can't specify --psd-delay-threshold twice");
2614 - if (string_to_number(storage, 0, 10000, &num) == -1)
2615 + if (string_to_number(optarg, 0, 10000, &num) == -1)
2616 exit_error(PARAMETER_PROBLEM,
2617 "bad --psd-delay-threshold `%s'", optarg);
2618 psdinfo->delay_threshold = num;
2620 if (*flags & IPT_PSD_OPT_LPWEIGHT)
2621 exit_error(PARAMETER_PROBLEM,
2622 "Can't specify --psd-lo-ports-weight twice");
2623 - if (string_to_number(storage, 0, 10000, &num) == -1)
2624 + if (string_to_number(optarg, 0, 10000, &num) == -1)
2625 exit_error(PARAMETER_PROBLEM,
2626 "bad --psd-lo-ports-weight `%s'", optarg);
2627 psdinfo->lo_ports_weight = num;
2629 if (*flags & IPT_PSD_OPT_HPWEIGHT)
2630 exit_error(PARAMETER_PROBLEM,
2631 "Can't specify --psd-hi-ports-weight twice");
2632 - if (string_to_number(storage, 0, 10000, &num) == -1)
2633 + if (string_to_number(optarg, 0, 10000, &num) == -1)
2634 exit_error(PARAMETER_PROBLEM,
2635 "bad --psd-hi-ports-weight `%s'", optarg);
2636 psdinfo->hi_ports_weight = num;
2637 @@ -160,10 +161,10 @@
2638 = (const struct ipt_psd_info *)match->data;
2641 - printf("weight-threshold: %u ",psdinfo->weight_threshold);
2642 - printf("delay-threshold: %u ",psdinfo->delay_threshold);
2643 - printf("lo-ports-weight: %u ",psdinfo->lo_ports_weight);
2644 - printf("hi-ports-weight: %u ",psdinfo->hi_ports_weight);
2645 + printf("weight-threshold: %u ", psdinfo->weight_threshold);
2646 + printf("delay-threshold: %u ", psdinfo->delay_threshold);
2647 + printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
2648 + printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
2651 /* Saves the union ipt_targinfo in parsable form to stdout. */
2654 printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
2655 printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
2656 - printf("--psd-lo-ports-weight %u ",psdinfo->lo_ports_weight);
2657 - printf("--psd-hi-ports-weight %u ",psdinfo->hi_ports_weight);
2658 + printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
2659 + printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
2663 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_recent.c userspace/extensions/libipt_recent.c
2664 --- iptables-1.2.8/extensions/libipt_recent.c Sun Mar 30 22:26:42 2003
2665 +++ userspace/extensions/libipt_recent.c Tue Jun 3 20:18:04 2003
2667 #include <iptables.h>
2668 #include <linux/netfilter_ipv4/ipt_recent.h>
2670 -/* need thos two to not fail compilation with old kernel, new userspace */
2671 +/* Need these in order to not fail when compiling against an older kernel. */
2673 #define RECENT_NAME "ipt_recent"
2674 #endif /* RECENT_NAME */
2677 #define RECENT_VER "unknown"
2678 #endif /* RECENT_VER */
2680 #ifndef IPT_RECENT_NAME_LEN
2681 -#define IPT_RECENT_NAME_LEN 200
2682 +#define IPT_RECENT_NAME_LEN 200
2683 #endif /* IPT_RECENT_NAME_LEN */
2685 +/* Options for this module */
2686 +static struct option opts[] = {
2687 + { .name = "set", .has_arg = 0, .flag = 0, .val = 201 },
2688 + { .name = "rcheck", .has_arg = 0, .flag = 0, .val = 202 },
2689 + { .name = "update", .has_arg = 0, .flag = 0, .val = 203 },
2690 + { .name = "seconds", .has_arg = 1, .flag = 0, .val = 204 },
2691 + { .name = "hitcount", .has_arg = 1, .flag = 0, .val = 205 },
2692 + { .name = "remove", .has_arg = 0, .flag = 0, .val = 206 },
2693 + { .name = "rttl", .has_arg = 0, .flag = 0, .val = 207 },
2694 + { .name = "name", .has_arg = 1, .flag = 0, .val = 208 },
2695 + { .name = "rsource", .has_arg = 0, .flag = 0, .val = 209 },
2696 + { .name = "rdest", .has_arg = 0, .flag = 0, .val = 210 },
2697 + { .name = 0, .has_arg = 0, .flag = 0, .val = 0 }
2700 /* Function which prints out usage message. */
2704 " Useful if you have problems with people spoofing their source address in order\n"
2705 " to DoS you via this module.\n"
2706 " --name name Name of the recent list to be used. DEFAULT used if none given.\n"
2707 -" --rsource Save the source address of each packet in the recent list table (default).\n"
2708 -" --rdest Save the destination address of each packet in the recent list table.\n"
2709 +" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
2710 +" --rdest Match/Save the destination address of each packet in the recent list table.\n"
2711 RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n"
2717 -static struct option opts[] = {
2718 - { "set", 0, 0, 201 },
2719 - { "rcheck", 0, 0, 202 },
2720 - { "update", 0, 0, 203 },
2721 - { "seconds", 1, 0, 204 },
2722 - { "hitcount", 1, 0, 205 },
2723 - { "remove",0, 0, 206 },
2724 - { "rttl",0, 0, 207},
2725 - { "name", 1, 0, 208},
2726 - { "rsource", 0, 0, 209},
2727 - { "rdest", 0, 0, 210},
2731 /* Initialize the match. */
2733 init(struct ipt_entry_match *match, unsigned int *nfcache)
2736 struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
2738 - if (info->invert) fputc('!', stdout);
2740 + fputc('!', stdout);
2743 if(info->check_set & IPT_RECENT_SET) printf("SET ");
2744 @@ -194,37 +198,37 @@
2746 save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2748 - struct ipt_recent_info *info = (struct ipt_recent_info *)match;
2749 + struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
2751 - if (info->invert) fputc('!', stdout);
2755 - printf("recent: ");
2756 if(info->check_set & IPT_RECENT_SET) printf("--set ");
2757 if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
2758 if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
2759 if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
2760 if(info->seconds) printf("--seconds %d ",info->seconds);
2761 if(info->hit_count) printf("--hitcount %d ",info->hit_count);
2762 - if(info->check_set & IPT_RECENT_TTL) printf("-rttl ");
2763 + if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
2764 if(info->name) printf("--name %s ",info->name);
2765 if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
2766 if(info->side == IPT_RECENT_DEST) printf("--rdest ");
2770 -struct iptables_match recent
2774 - IPT_ALIGN(sizeof(struct ipt_recent_info)),
2775 - IPT_ALIGN(sizeof(struct ipt_recent_info)),
2783 +/* Structure for iptables to use to communicate with module */
2784 +static struct iptables_match recent = {
2787 + .version = IPTABLES_VERSION,
2788 + .size = IPT_ALIGN(sizeof(struct ipt_recent_info)),
2789 + .userspacesize = IPT_ALIGN(sizeof(struct ipt_recent_info)),
2793 + .final_check = &final_check,
2796 + .extra_opts = opts
2800 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_sctp.c userspace/extensions/libipt_sctp.c
2801 --- iptables-1.2.8/extensions/libipt_sctp.c Thu Jan 1 01:00:00 1970
2802 +++ userspace/extensions/libipt_sctp.c Sat May 3 20:05:58 2003
2804 +/* Shared library add-on to iptables for SCTP matching
2806 + * (C) 2003 by Harald Welte <laforge@gnumonks.org>
2808 + * This program is distributed under the terms of GNU GPL v2, 1991
2810 + * libipt_ecn.c borrowed heavily from libipt_dscp.c
2814 +#include <string.h>
2815 +#include <stdlib.h>
2816 +#include <getopt.h>
2819 +#include <iptables.h>
2820 +#include <linux/netfilter_ipv4/ip_tables.h>
2821 +#include <linux/netfilter_ipv4/ipt_sctp.h>
2823 +/* Initialize the match. */
2825 +init(struct ipt_entry_match *m, unsigned int *nfcache)
2827 + struct ipt_sctp_info *einfo = (struct ipt_sctp_info *)m->data;
2829 + einfo->spts[1] = einfo->dpts[1] = 0xFFFF;
2832 +static void help(void)
2835 +"SCTP match v%s options\n"
2836 +" --sctp-chunks [!] mask comp match when SCTP chunks & mask == comp\n"
2837 +" --source-port [!] port[:port]\n"
2839 +" match source port(s)"
2840 +" --destination-port [!] port[:port]\n"
2841 +" --dport ...\n\n",
2842 + IPTABLES_VERSION);
2845 +static struct option opts[] = {
2846 + { .name = "source-port", .has_arg = 1, .flag = 0, .val = '1' },
2847 + { .name = "sport", .has_arg = 1, .flag = 0, .val = '1' },
2848 + { .name = "destination-port", .has_arg = 1, .flag = 0, .val = '2' },
2849 + { .name = "dport", .has_arg = 1, .flag = 0, .val = '2' },
2850 + { .name = "sctp-chunks", .has_arg = 1, .flag = 0, .val = '3' },
2855 +service_to_port(const char *name)
2857 + struct servent *service;
2859 + if ((service = getservbyname(name, "sctp")) != NULL)
2860 + return ntohs((unsigned short) service->s_port);
2866 +parse_sctp_port(const char *port)
2868 + unsigned int portnum;
2870 + if (string_to_number(port, 0, 65535, &portnum) != -1 ||
2871 + (portnum = service_to_port(port)) != -1)
2872 + return (u_int16_t)portnum;
2874 + exit_error(PARAMETER_PROBLEM,
2875 + "invalid TCP port/service `%s' specified", port);
2880 +parse_sctp_ports(const char *portstring, u_int16_t *ports)
2885 + buffer = strdup(portstring);
2886 + if ((cp = strchr(buffer, ':')) == NULL)
2887 + ports[0] = ports[1] = parse_sctp_port(buffer);
2892 + ports[0] = buffer[0] ? parse_sctp_port(buffer) : 0;
2893 + ports[1] = cp[0] ? parse_sctp_port(cp) : 0xFFFF;
2895 + if (ports[0] > ports[1])
2896 + exit_error(PARAMETER_PROBLEM,
2897 + "invalid portrange (min > max)");
2902 +struct sctp_chunk_names {
2904 + unsigned int flag;
2908 +#define ALL_CHUNKS 0xabcdef
2909 +static struct sctp_chunk_names sctp_chunk_names[]
2910 += { { .name = "DATA", .flag = (1 << 0) },
2911 + { .name = "INIT", .flag = (1 << 1) },
2912 + { .name = "INIT_ACK", .flag = (1 << 2) },
2913 + { .name = "SACK", .flag = (1 << 3) },
2914 + { .name = "HEARTBEAT", .flag = (1 << 4) },
2915 + { .name = "HEARTBEAT_ACK", .flag = (1 << 5) },
2916 + { .name = "ABORT", .flag = (1 << 6) },
2917 + { .name = "SHUTDOWN", .flag = (1 << 7) },
2918 + { .name = "SHUTDOWN_ACK", .flag = (1 << 8) },
2919 + { .name = "ERROR", .flag = (1 << 9) },
2920 + { .name = "COOKIE_ECHO", .flag = (1 << 10) },
2921 + { .name = "COOKIE_ACK", .flag = (1 << 11) },
2922 + { .name = "ECN_ECNE", .flag = (1 << 12) },
2923 + { .name = "ECN_CWR", .flag = (1 << 13) },
2924 + { .name = "SHUTDOWN_COMPLETE", .flag = (1 << 14) },
2925 + { .name = "ASCONF", .flag = (1 << 31) },
2926 + { .name = "ASCONF_ACK", .flag = (1 << 30) },
2927 + { .name = "ALL", .flag = ALL_CHUNKS },
2928 + { .name = "NONE", .flag = 0 },
2932 +static unsigned int
2933 +parse_sctp_chunk(const char *flags)
2935 + unsigned int ret = 0;
2939 + buffer = strdup(flags);
2941 + for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
2945 + i < sizeof(sctp_chunk_names)/sizeof(struct sctp_chunk_names);
2947 + if (strcasecmp(sctp_chunk_names[i].name, ptr) == 0) {
2948 + ret |= sctp_chunk_names[i].flag;
2954 + exit_error(PARAMETER_PROBLEM,
2955 + "Unknown sctp chunk `%s'", ptr);
2963 +parse_sctp_chunks(struct ipt_sctp_info *einfo,
2968 + einfo->chunks = parse_sctp_chunk(mask);
2969 + einfo->chunk_mask = parse_sctp_chunk(cmp);
2972 + einfo->invflags |= IPT_SCTP_INV_CHUNKS;
2975 +#define SCTP_SRC_PORTS 0x01
2976 +#define SCTP_DST_PORTS 0x02
2977 +#define SCTP_CHUNKS 0x03
2980 +parse(int c, char **argv, int invert, unsigned int *flags,
2981 + const struct ipt_entry *entry,
2982 + unsigned int *nfcache,
2983 + struct ipt_entry_match **match)
2985 + struct ipt_sctp_info *einfo
2986 + = (struct ipt_sctp_info *)(*match)->data;
2990 + if (*flags & SCTP_SRC_PORTS)
2991 + exit_error(PARAMETER_PROBLEM,
2992 + "Only one `--source-port' allowed");
2993 + check_inverse(optarg, &invert, &optind, 0);
2994 + parse_sctp_ports(argv[optind-1], einfo->spts);
2996 + einfo->invflags |= IPT_SCTP_INV_SRCPT;
2997 + *flags |= SCTP_SRC_PORTS;
2998 + *nfcache |= NFC_IP_SRC_PT;
3002 + if (*flags & SCTP_DST_PORTS)
3003 + exit_error(PARAMETER_PROBLEM,
3004 + "Only one `--destination-port' allowed");
3005 + check_inverse(optarg, &invert, &optind, 0);
3006 + parse_sctp_ports(argv[optind-1], einfo->dpts);
3008 + einfo->invflags |= IPT_SCTP_INV_DSTPT;
3009 + *flags |= SCTP_DST_PORTS;
3010 + *nfcache |= NFC_IP_DST_PT;
3014 + if (*flags & SCTP_CHUNKS)
3015 + exit_error(PARAMETER_PROBLEM,
3016 + "Only one `--sctp-chunks' allowed");
3017 + check_inverse(optarg, &invert, &optind, 0);
3020 + || argv[optind][0] == '-' || argv[optind][0] == '!')
3021 + exit_error(PARAMETER_PROBLEM,
3022 + "--sctp-chunks requires two args");
3024 + parse_sctp_chunks(einfo, argv[optind-1], argv[optind], invert);
3026 + *flags |= SCTP_CHUNKS;
3036 +final_check(unsigned int flags)
3041 +port_to_service(int port)
3043 + struct servent *service;
3045 + if ((service = getservbyport(htons(port), "sctp")))
3046 + return service->s_name;
3052 +print_port(u_int16_t port, int numeric)
3056 + if (numeric || (service = port_to_service(port)) == NULL)
3057 + printf("%u", port);
3059 + printf("%s", service);
3063 +print_ports(const char *name, u_int16_t min, u_int16_t max,
3064 + int invert, int numeric)
3066 + const char *inv = invert ? "!" : "";
3068 + if (min != 0 || max != 0xFFFF || invert) {
3069 + printf("%s", name);
3071 + printf(":%s", inv);
3072 + print_port(min, numeric);
3074 + printf("s:%s", inv);
3075 + print_port(min, numeric);
3077 + print_port(max, numeric);
3084 +print_chunk(u_int32_t chunks)
3086 + unsigned int have_flag = 0;
3091 + for (i = 0; (chunks & sctp_chunk_names[i].flag) == 0; i++);
3095 + printf("%s", sctp_chunk_names[i].name);
3098 + chunks &= ~sctp_chunk_names[i].flag;
3106 +print_chunks(u_int32_t mask, u_int32_t cmp, int invert, int numeric)
3108 + if (mask || invert) {
3109 + printf("flags:%s", invert ? "!" : "");
3111 + printf("0x%04X/0x%04X ", mask, cmp);
3113 + print_chunk(mask);
3121 +/* Prints out the matchinfo. */
3123 +print(const struct ipt_ip *ip,
3124 + const struct ipt_entry_match *match,
3127 + const struct ipt_sctp_info *einfo =
3128 + (const struct ipt_sctp_info *)match->data;
3132 + print_ports("spt", einfo->spts[0], einfo->spts[1],
3133 + einfo->invflags & IPT_SCTP_INV_SRCPT,
3135 + print_ports("dpt", einfo->dpts[0], einfo->dpts[1],
3136 + einfo->invflags & IPT_SCTP_INV_DSTPT,
3139 + print_chunks(einfo->chunks, einfo->chunk_mask,
3140 + einfo->invflags & ~IPT_SCTP_INV_MASK,
3144 +/* Saves the union ipt_matchinfo in parsable form to stdout. */
3146 +save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
3148 + const struct ipt_sctp_info *einfo =
3149 + (const struct ipt_sctp_info *)match->data;
3151 + if (einfo->spts[0] != 0
3152 + || einfo->spts[1] != 0xFFFF) {
3153 + if (einfo->invflags & IPT_SCTP_INV_SRCPT)
3155 + if (einfo->spts[0] != einfo->spts[1])
3156 + printf("--sport %u:%u ",
3157 + einfo->spts[0], einfo->spts[1]);
3159 + printf("--sport %u ", einfo->spts[0]);
3162 + if (einfo->dpts[0] != 0
3163 + || einfo->dpts[1] != 0xFFFF) {
3164 + if (einfo->invflags & IPT_SCTP_INV_DSTPT)
3166 + if (einfo->dpts[0] != einfo->dpts[1])
3167 + printf("--dport %u:%u ",
3168 + einfo->dpts[0], einfo->dpts[1]);
3170 + printf("--dport %u ", einfo->dpts[0]);
3174 + || (einfo->invflags & IPT_SCTP_INV_CHUNKS)) {
3175 + if (einfo->invflags & IPT_SCTP_INV_CHUNKS)
3177 + printf("--sctp-chunks ");
3178 + if (einfo->chunks != ALL_CHUNKS) {
3179 + print_chunk(einfo->chunks);
3182 + print_chunk(einfo->chunk_mask);
3188 +struct iptables_match sctp
3189 += { .name = "sctp",
3190 + .version = IPTABLES_VERSION,
3191 + .size = IPT_ALIGN(sizeof(struct ipt_sctp_info)),
3192 + .userspacesize = IPT_ALIGN(sizeof(struct ipt_sctp_info)),
3196 + .final_check = &final_check,
3199 + .extra_opts = opts
3204 + register_match(&sctp);
3206 diff -urN -x CVS -x .cvsignore iptables-1.2.8/extensions/libipt_string.c userspace/extensions/libipt_string.c
3207 --- iptables-1.2.8/extensions/libipt_string.c Wed Feb 26 18:34:13 2003
3208 +++ userspace/extensions/libipt_string.c Thu May 22 16:33:34 2003
3210 #include <iptables.h>
3211 #include <linux/netfilter_ipv4/ipt_string.h>
3214 /* Function which prints out usage message. */
3219 "STRING match v%s options:\n"
3220 -"--string [!] string Match a string in a packet\n",
3221 +"--string [!] string Match a string in a packet\n"
3222 +"--hex-string [!] string Match a hex string in a packet\n",
3225 - fputc('\n', stdout);
3229 static struct option opts[] = {
3230 - { "string", 1, 0, '1' },
3232 + { .name = "string", .has_arg = 1, .flag = 0, .val = '1' },
3233 + { .name = "hex-string", .has_arg = 1, .flag = 0, .val = '2' },
3238 /* Initialize the match. */
3240 init(struct ipt_entry_match *m, unsigned int *nfcache)
3242 *nfcache |= NFC_UNKNOWN;
3247 parse_string(const unsigned char *s, struct ipt_string_info *info)
3249 + if (strlen(s) <= BM_MAX_NLEN) strcpy(info->string, s);
3250 + else exit_error(PARAMETER_PROBLEM, "STRING too long `%s'", s);
3255 +parse_hex_string(const unsigned char *s, struct ipt_string_info *info)
3257 int i=0, slen, sindex=0, schar;
3258 short hex_f = 0, literal_f = 0;
3261 /* must end with a "|" */
3262 exit_error(PARAMETER_PROBLEM, "Invalid hex block");
3264 + if (! isxdigit(s[i])) /* check for valid hex char */
3265 + exit_error(PARAMETER_PROBLEM, "Invalid hex char `%c'", s[i]);
3266 + if (! isxdigit(s[i+1])) /* check for valid hex char */
3267 + exit_error(PARAMETER_PROBLEM, "Invalid hex char `%c'", s[i+1]);
3271 @@ -109,8 +125,10 @@
3272 exit_error(PARAMETER_PROBLEM, "STRING too long `%s'", s);
3275 + info->len = sindex;
3279 /* Function which parses command options; returns true if it
3282 @@ -123,11 +141,27 @@
3287 + exit_error(PARAMETER_PROBLEM,
3288 + "Can't specify multiple strings");
3290 check_inverse(optarg, &invert, &optind, 0);
3291 parse_string(argv[optind-1], stringinfo);
3293 stringinfo->invert = 1;
3294 - stringinfo->len=strlen((char *)&stringinfo->string);
3295 + stringinfo->len=strlen((char *)&stringinfo->string);
3301 + exit_error(PARAMETER_PROBLEM,
3302 + "Can't specify multiple strings");
3304 + check_inverse(optarg, &invert, &optind, 0);
3305 + parse_hex_string(argv[optind-1], stringinfo); /* sets length */
3307 + stringinfo->invert = 1;
3311 @@ -137,14 +171,6 @@
3316 -print_string(char string[], int invert, int numeric)
3320 - fputc('!', stdout);
3321 - printf("%s ",string);
3324 /* Final check; must have specified --string. */
3326 @@ -155,42 +181,46 @@
3327 "STRING match: You must specify `--string'");
3331 /* Prints out the matchinfo. */
3333 print(const struct ipt_ip *ip,
3334 const struct ipt_entry_match *match,
3337 - printf("STRING match ");
3338 - print_string(((struct ipt_string_info *)match->data)->string,
3339 - ((struct ipt_string_info *)match->data)->invert, numeric);
3340 + const struct ipt_string_info *info =
3341 + (const struct ipt_string_info*) match->data;
3343 + printf("STRING match %s%s ", (info->invert) ? "!" : "", info->string);
3346 -/* Saves the union ipt_matchinfo in parsable form to stdout. */
3348 +/* Saves the union ipt_matchinfo in parseable form to stdout. */
3350 save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
3352 - printf("--string ");
3353 - print_string(((struct ipt_string_info *)match->data)->string,
3354 - ((struct ipt_string_info *)match->data)->invert, 0);
3358 -struct iptables_match string
3362 - IPT_ALIGN(sizeof(struct ipt_string_info)),
3363 - IPT_ALIGN(sizeof(struct ipt_string_info)),
3371 + const struct ipt_string_info *info =
3372 + (const struct ipt_string_info*) match->data;
3374 + printf("--string %s%s ", (info->invert) ? "! ": "", info->string);
3378 +static struct iptables_match string = {
3380 + .version = IPTABLES_VERSION,
3381 + .size = IPT_ALIGN(sizeof(struct ipt_string_info)),
3382 + .userspacesize = IPT_ALIGN(sizeof(struct ipt_string_info)),
3386 + .final_check = &final_check,
3389 + .extra_opts = opts
3395 register_match(&string);
3396 diff -urN -x CVS -x .cvsignore iptables-1.2.8/include/libiptc/libip6tc.h userspace/include/libiptc/libip6tc.h
3397 --- iptables-1.2.8/include/libiptc/libip6tc.h Mon Feb 25 10:00:36 2002
3398 +++ userspace/include/libiptc/libip6tc.h Thu May 22 16:33:34 2003
3400 /* Take a snapshot of the rules. Returns NULL on error. */
3401 ip6tc_handle_t ip6tc_init(const char *tablename);
3403 +/* Cleanup after ip6tc_init(). */
3404 +void ip6tc_free(ip6tc_handle_t *h);
3406 /* Iterator functions to run through the chains. Returns NULL at end. */
3407 const char *ip6tc_first_chain(ip6tc_handle_t *handle);
3408 const char *ip6tc_next_chain(ip6tc_handle_t *handle);
3409 diff -urN -x CVS -x .cvsignore iptables-1.2.8/include/libiptc/libiptc.h userspace/include/libiptc/libiptc.h
3410 --- iptables-1.2.8/include/libiptc/libiptc.h Thu Apr 19 18:35:39 2001
3411 +++ userspace/include/libiptc/libiptc.h Thu May 22 16:33:34 2003
3413 /* Take a snapshot of the rules. Returns NULL on error. */
3414 iptc_handle_t iptc_init(const char *tablename);
3416 +/* Cleanup after iptc_init(). */
3417 +void iptc_free(iptc_handle_t *h);
3419 /* Iterator functions to run through the chains. Returns NULL at end. */
3420 const char *iptc_first_chain(iptc_handle_t *handle);
3421 const char *iptc_next_chain(iptc_handle_t *handle);
3422 diff -urN -x CVS -x .cvsignore iptables-1.2.8/include/linux/netfilter_ipv4/ipt_connlimit.h userspace/include/linux/netfilter_ipv4/ipt_connlimit.h
3423 --- iptables-1.2.8/include/linux/netfilter_ipv4/ipt_connlimit.h Thu Jan 1 01:00:00 1970
3424 +++ userspace/include/linux/netfilter_ipv4/ipt_connlimit.h Wed Apr 30 18:54:48 2003
3426 +#ifndef _IPT_CONNLIMIT_H
3427 +#define _IPT_CONNLIMIT_H
3429 +struct ipt_connlimit_data;
3431 +struct ipt_connlimit_info {
3435 + struct ipt_connlimit_data *data;
3437 +#endif /* _IPT_CONNLIMIT_H */
3438 diff -urN -x CVS -x .cvsignore iptables-1.2.8/include/linux/netfilter_ipv4/ipt_iplimit.h userspace/include/linux/netfilter_ipv4/ipt_iplimit.h
3439 --- iptables-1.2.8/include/linux/netfilter_ipv4/ipt_iplimit.h Wed Feb 28 12:21:54 2001
3440 +++ userspace/include/linux/netfilter_ipv4/ipt_iplimit.h Thu Jan 1 01:00:00 1970
3442 -#ifndef _IPT_IPLIMIT_H
3443 -#define _IPT_IPLIMIT_H
3445 -struct ipt_iplimit_data;
3447 -struct ipt_iplimit_info {
3451 - struct ipt_iplimit_data *data;
3453 -#endif /* _IPT_IPLIMIT_H */
3454 diff -urN -x CVS -x .cvsignore iptables-1.2.8/include/linux/netfilter_ipv4/ipt_physdev.h userspace/include/linux/netfilter_ipv4/ipt_physdev.h
3455 --- iptables-1.2.8/include/linux/netfilter_ipv4/ipt_physdev.h Tue Feb 11 21:19:04 2003
3456 +++ userspace/include/linux/netfilter_ipv4/ipt_physdev.h Thu May 22 16:33:34 2003
3458 #include <linux/if.h>
3461 -#define IPT_PHYSDEV_OP_MATCH_IN 0x01
3462 -#define IPT_PHYSDEV_OP_MATCH_OUT 0x02
3463 +#define IPT_PHYSDEV_OP_IN 0x01
3464 +#define IPT_PHYSDEV_OP_OUT 0x02
3465 +#define IPT_PHYSDEV_OP_BRIDGED 0x04
3466 +#define IPT_PHYSDEV_OP_ISIN 0x08
3467 +#define IPT_PHYSDEV_OP_ISOUT 0x10
3468 +#define IPT_PHYSDEV_OP_MASK (0x20 - 1)
3470 struct ipt_physdev_info {
3473 char physindev[IFNAMSIZ];
3474 char in_mask[IFNAMSIZ];
3475 char physoutdev[IFNAMSIZ];
3476 diff -urN -x CVS -x .cvsignore iptables-1.2.8/include/linux/netfilter_ipv4/ipt_sctp.h userspace/include/linux/netfilter_ipv4/ipt_sctp.h
3477 --- iptables-1.2.8/include/linux/netfilter_ipv4/ipt_sctp.h Thu Jan 1 01:00:00 1970
3478 +++ userspace/include/linux/netfilter_ipv4/ipt_sctp.h Sat May 3 20:05:58 2003
3480 +/* iptables module for matching the SCTP header
3482 + * (C) 2003 Harald Welte <laforge@gnumonks.org>
3484 + * This software is distributed under GNU GPL v2, 1991
3488 +#ifndef _IPT_SCTP_H
3489 +#define _IPT_SCTP_H
3491 +struct ipt_sctp_info {
3492 + u_int16_t spts[2]; /* Souce port range */
3493 + u_int16_t dpts[2]; /* Destination port range */
3494 + u_int32_t chunks; /* chunks to be matched */
3495 + u_int32_t chunk_mask; /* chunk mask to be matched */
3496 + u_int8_t invflags; /* Inverse flags */
3499 +#define IPT_SCTP_INV_SRCPT 0x01 /* Invert the sense of source ports */
3500 +#define IPT_SCTP_INV_DSTPT 0x02 /* Invert the sense of dest ports */
3501 +#define IPT_SCTP_INV_CHUNKS 0x03 /* Invert the sense of chunks */
3502 +#define IPT_SCTP_INV_MASK 0x03 /* All possible flags */
3504 +#endif /* _IPT_SCTP_H */
3505 diff -urN -x CVS -x .cvsignore iptables-1.2.8/ip6tables-restore.c userspace/ip6tables-restore.c
3506 --- iptables-1.2.8/ip6tables-restore.c Wed Mar 5 08:46:15 2003
3507 +++ userspace/ip6tables-restore.c Thu May 22 16:33:34 2003
3509 * Rusty Russell <rusty@linuxcare.com.au>
3510 * This code is distributed under the terms of GNU GPL v2
3519 int main(int argc, char *argv[])
3521 - ip6tc_handle_t handle;
3522 + ip6tc_handle_t handle = NULL;
3525 char curtable[IP6T_TABLE_MAXNAMELEN + 1];
3528 strncpy(curtable, table, IP6T_TABLE_MAXNAMELEN);
3531 + ip6tc_free(&handle);
3533 handle = create_handle(table, modprobe);
3535 DEBUGP("Cleaning all chains of table '%s'\n",
3536 diff -urN -x CVS -x .cvsignore iptables-1.2.8/ip6tables-save.c userspace/ip6tables-save.c
3537 --- iptables-1.2.8/ip6tables-save.c Wed Aug 14 13:40:41 2002
3538 +++ userspace/ip6tables-save.c Thu May 22 16:33:34 2003
3540 exit_error(OTHER_PROBLEM, "Binary NYI\n");
3548 diff -urN -x CVS -x .cvsignore iptables-1.2.8/ip6tables.8 userspace/ip6tables.8
3549 --- iptables-1.2.8/ip6tables.8 Wed Aug 7 11:56:14 2002
3550 +++ userspace/ip6tables.8 Tue Jul 15 15:29:20 2003
3553 ip6tables \- IPv6 packet filter administration
3555 -.BR "ip6tables [-t table] -[ADC] " "chain rule-specification [options]"
3556 +.BR "ip6tables [-t table] -[AD] " "chain rule-specification [options]"
3558 .BR "ip6tables [-t table] -I " "chain [rulenum] rule-specification [options]"
3561 that table if it is not already there.
3563 The tables are as follows:
3569 This is the default table (if no -t option is passed). It contains
3574 (for locally-generated packets).
3578 This table is used for specialized packet alteration. Until kernel
3579 2.4.17 it had two built-in chains:
3582 (for altering packets being routed through the box), and
3584 (for altering packets as they are about to go out).
3587 The options that are recognized by
3589 @@ -157,10 +159,10 @@
3590 .BR "-L, --list " "[\fIchain\fP]"
3591 List all rules in the selected chain. If no chain is selected, all
3592 chains are listed. As every other iptables command, it applies to the
3593 -specified table (filter is the default), so NAT rules get listed by
3595 - iptables -t nat -n -L
3597 +specified table (filter is the default), so mangle rules get listed by
3599 + ip6tables -t mangle -n -L
3601 Please note that it is often used with the
3603 option, in order to avoid long reverse DNS lookups.
3605 (zero) option as well, in which case the chain(s) will be atomically
3606 listed and zeroed. The exact output is affected by the other
3607 arguments given. The exact rules are suppressed until you use
3614 .BR "-F, --flush " "[\fIchain\fP]"
3615 Flush the selected chain (all the chains in the table if none is given).
3616 @@ -398,14 +400,14 @@
3618 .BR "SYN ACK FIN RST URG PSH ALL NONE" .
3622 ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
3625 will only match packets with the SYN flag set, and the ACK, FIN and
3629 -Only match TCP packets with the SYN bit set and the ACK and FIN bits
3630 +Only match TCP packets with the SYN bit set and the ACK and RST bits
3631 cleared. Such packets are used to request TCP connection initiation;
3632 for example, blocking such packets coming in an interface will prevent
3633 incoming TCP connections, but outgoing TCP connections will be
3635 .BR "--icmpv6-type " "[!] \fItypename\fP"
3636 This allows specification of the ICMP type, which can be a numeric
3637 IPv6-ICMP type, or one of the IPv6-ICMP type names shown by the command
3640 ip6tables -p ipv6-icmp -h
3645 .BR "--mac-source " "[!] \fIaddress\fP"
3646 @@ -607,15 +609,17 @@
3649 .BI "--reject-with " "type"
3650 -The type given can be
3651 -.BR icmp6-no-route ,
3653 -.BR icmp6-adm-prohibited ,
3654 -.BR adm-prohibited ,
3655 -.BR icmp6-addr-unreachable ,
3657 -.BR icmp6-port-unreachable ,
3659 +The type given can be
3661 +.B " icmp6-no-route"
3663 +.B " icmp6-adm-prohibited"
3664 +.B " adm-prohibited"
3665 +.B " icmp6-addr-unreachable"
3667 +.B " icmp6-port-unreachable"
3670 which return the appropriate IPv6-ICMP error message (\fBport-unreach\fP is
3671 the default). Finally, the option
3675 are only traversed for packets coming into the local host and
3676 originating from the local host respectively. Hence every packet only
3677 -passes through one of the three chains; previously a forwarded packet
3678 +passes through one of the three chains (except loopback traffic, which
3679 +involves both INPUT and OUTPUT chains); previously a forwarded packet
3680 would pass through all three.
3682 The other main difference is that
3683 @@ -805,12 +810,11 @@
3685 Harald Welte wrote the ULOG target, TTL match+target and libipulog.
3687 -The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik, James Morris,
3688 -Harald Welte and Rusty Russell.
3689 +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
3690 +James Morris, Harald Welte and Rusty Russell.
3692 ip6tables man page created by Andras Kis-Szabo, based on
3693 iptables man page written by Herve Eychenne <rv@wallfire.org>.
3695 .\" .. and did I mention that we are incredibly cool people?
3697 .\" .. witty, charming, powerful ..
3698 diff -urN -x CVS -x .cvsignore iptables-1.2.8/ip6tables.c userspace/ip6tables.c
3699 --- iptables-1.2.8/ip6tables.c Wed Mar 5 08:46:15 2003
3700 +++ userspace/ip6tables.c Tue Jul 15 15:29:20 2003
3701 @@ -578,10 +578,13 @@
3703 mask_to_numeric(const struct in6_addr *addrp)
3705 - static char buf[20];
3706 + static char buf[50+2];
3707 int l = ipv6_prefix_length(addrp);
3709 - return addr_to_numeric(addrp);
3712 + strcat(buf, addr_to_numeric(addrp));
3715 sprintf(buf, "/%d", l);
3718 diff -urN -x CVS -x .cvsignore iptables-1.2.8/iptables-restore.c userspace/iptables-restore.c
3719 --- iptables-1.2.8/iptables-restore.c Thu Mar 6 12:56:31 2003
3720 +++ userspace/iptables-restore.c Thu May 22 16:33:34 2003
3723 * This code is distributed under the terms of GNU GPL v2
3732 int main(int argc, char *argv[])
3734 - iptc_handle_t handle;
3735 + iptc_handle_t handle = NULL;
3738 char curtable[IPT_TABLE_MAXNAMELEN + 1];
3741 strncpy(curtable, table, IPT_TABLE_MAXNAMELEN);
3744 + iptc_free(&handle);
3746 handle = create_handle(table, modprobe);
3748 DEBUGP("Cleaning all chains of table '%s'\n",
3749 diff -urN -x CVS -x .cvsignore iptables-1.2.8/iptables-save.c userspace/iptables-save.c
3750 --- iptables-1.2.8/iptables-save.c Wed Aug 7 11:07:41 2002
3751 +++ userspace/iptables-save.c Thu May 22 16:33:34 2003
3753 exit_error(OTHER_PROBLEM, "Binary NYI\n");
3761 diff -urN -x CVS -x .cvsignore iptables-1.2.8/iptables.8 userspace/iptables.8
3762 --- iptables-1.2.8/iptables.8 Mon Mar 3 23:23:22 2003
3763 +++ userspace/iptables.8 Tue Jul 15 15:29:20 2003
3766 iptables \- administration tool for IPv4 packet filtering and NAT
3768 -.BR "iptables [-t table] -[ADC] " "chain rule-specification [options]"
3769 +.BR "iptables [-t table] -[AD] " "chain rule-specification [options]"
3771 .BR "iptables [-t table] -I " "chain [rulenum] rule-specification [options]"
3774 that table if it is not already there.
3776 The tables are as follows:
3782 This is the default table (if no -t option is passed). It contains
3787 (for locally-generated packets).
3791 This table is consulted when a packet that creates a new
3792 connection is encountered. It consists of three built-ins:
3796 (for altering packets as they are about to go out).
3800 This table is used for specialized packet alteration. Until kernel
3801 2.4.17 it had two built-in chains:
3804 (for altering packets being routed through the box), and
3806 (for altering packets as they are about to go out).
3809 The options that are recognized by
3812 List all rules in the selected chain. If no chain is selected, all
3813 chains are listed. As every other iptables command, it applies to the
3814 specified table (filter is the default), so NAT rules get listed by
3817 iptables -t nat -n -L
3820 Please note that it is often used with the
3822 option, in order to avoid long reverse DNS lookups.
3824 (zero) option as well, in which case the chain(s) will be atomically
3825 listed and zeroed. The exact output is affected by the other
3826 arguments given. The exact rules are suppressed until you use
3833 .BR "-F, --flush " "[\fIchain\fP]"
3834 Flush the selected chain (all the chains in the table if none is given).
3835 @@ -450,12 +452,13 @@
3837 .BI "--helper " "string"
3838 Matches packets related to the specified conntrack-helper.
3842 string can be "ftp" for packets related to a ftp-session on default port.
3843 For other ports append -portnr to the value, ie. "ftp-2121".
3846 Same rules apply for other conntrack-helpers.
3850 This extension is loaded if `--protocol icmp' is specified. It
3851 provides the following option:
3853 .BR "--icmp-type " "[!] \fItypename\fP"
3854 This allows specification of the ICMP type, which can be a numeric
3855 ICMP type, or one of the ICMP type names shown by the command
3862 This module matches the length of a packet against a specific value
3865 supporting this feature)
3867 This module matches on the bridge port input and output devices enslaved
3868 -to a bridge device. This is only useful if the input device or output device
3869 -is a bridge device. This module is a part of the infrastructure that enables
3870 +to a bridge device. This module is a part of the infrastructure that enables
3871 a transparent bridging IP firewall and is only useful for kernel versions
3872 above version 2.5.44.
3877 chains). If the interface name ends in a "+", then any
3878 -interface which begins with this name will match.
3879 +interface which begins with this name will match. If the packet didn't arrive
3880 +through a bridge device, this packet won't match this option, unless '!' is used.
3882 .B --physdev-out name
3883 Name of a bridge port via which a packet is going to be sent (for packets
3884 @@ -585,7 +588,19 @@
3886 chains one cannot match on the bridge output port, however one can in the
3889 +chain. If the packet won't leave by a bridge device or it is yet unknown what
3890 +the output device will be, then the packet won't match this option, unless
3894 +Matches if the packet has entered through a bridge interface.
3896 +.B --physdev-is-out
3897 +Matches if the packet will leave through a bridge interface.
3899 +.B --physdev-is-bridged
3900 +Matches if the packet is being bridged and therefore is not being routed.
3901 +This is only useful in the FORWARD and POSTROUTING chains.
3903 This module matches the link-layer packet type.
3906 Where state is a comma separated list of the connection states to
3907 match. Possible states are
3909 -meaning that the packet is associated with no known connection,
3910 +meaning that the packet could not be identified for some reason which
3911 +includes running out of memory and ICMP errors which don't correspond to any
3914 meaning that the packet is associated with a connection which has seen
3915 packets in both directions,
3918 .BR "SYN ACK FIN RST URG PSH ALL NONE" .
3922 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
3925 will only match packets with the SYN flag set, and the ACK, FIN and
3930 If no port range is specified, then the destination port will never be
3935 You can add several --to-destination options. If you specify more
3936 than one destination address, either via an address range or multiple
3937 --to-destination options, a simple round-robin (one after another in
3938 @@ -848,12 +866,15 @@
3940 .BI "--reject-with " "type"
3941 The type given can be
3942 -.BR icmp-net-unreachable ,
3943 -.BR icmp-host-unreachable ,
3944 -.BR icmp-port-unreachable ,
3945 -.BR icmp-proto-unreachable ,
3946 -.BR "icmp-net-prohibited or"
3947 -.BR icmp-host-prohibited ,
3949 +.B " icmp-net-unreachable"
3950 +.B " icmp-host-unreachable"
3951 +.B " icmp-port-unreachable"
3952 +.B " icmp-proto-unreachable"
3953 +.B " icmp-net-prohibited"
3954 +.B " icmp-host-prohibited or"
3955 +.B " icmp-admin-prohibited (*)"
3957 which return the appropriate ICMP error message (\fBport-unreachable\fP is
3958 the default). The option
3962 (113/tcp) probes which frequently occur when sending mail to broken mail
3963 hosts (which won't accept your mail otherwise).
3965 +(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT
3967 This target is only valid in the
3970 mapped to other ports below 512: those between 512 and 1023 inclusive
3971 will be mapped to ports below 1024, and other ports will be mapped to
3972 1024 or above. Where possible, no port alteration will occur.
3976 You can add several --to-source options. If you specify more
3977 than one source address, either via an address range or multiple
3978 --to-source options, a simple round-robin (one after another in
3979 @@ -900,19 +924,25 @@
3980 problem are that everything works fine from your Linux
3981 firewall/router, but machines behind it can never exchange large
3984 - 1) Web browsers connect, then hang with no data received.
3986 - 2) Small mail works fine, but large emails hang.
3988 - 3) ssh works fine, but scp hangs after initial handshaking.
3994 +Web browsers connect, then hang with no data received.
3997 +Small mail works fine, but large emails hang.
4000 +ssh works fine, but scp hangs after initial handshaking.
4003 Workaround: activate this option and add a rule to your firewall
4007 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
4009 -j TCPMSS --clamp-mss-to-pmtu
4012 .BI "--set-mss " "value"
4013 Explicitly set MSS option to specified value.
4016 .BI "--set-tos " "tos"
4017 You can use a numeric TOS values, or use
4023 to see the list of valid TOS names.
4025 This target provides userspace logging of matching packets. When this
4026 @@ -979,7 +1009,8 @@
4028 are only traversed for packets coming into the local host and
4029 originating from the local host respectively. Hence every packet only
4030 -passes through one of the three chains; previously a forwarded packet
4031 +passes through one of the three chains (except loopback traffic, which
4032 +involves both INPUT and OUTPUT chains); previously a forwarded packet
4033 would pass through all three.
4035 The other main difference is that
4036 @@ -996,13 +1027,11 @@
4037 optional extension modules. This should simplify much of the previous
4038 confusion over the combination of IP masquerading and packet filtering
4039 seen previously. So the following options are handled differently:
4049 There are several other changes in iptables.
4051 .BR iptables-save (8),
4052 @@ -1033,11 +1062,10 @@
4054 Harald Welte wrote the ULOG target, TTL, DSCP, ECN matches and targets.
4056 -The Netfilter Core Team is: Marc Boucher, Jozsef Kadlecsik, James Morris,
4057 -Harald Welte and Rusty Russell.
4058 +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
4059 +James Morris, Harald Welte and Rusty Russell.
4061 Man page written by Herve Eychenne <rv@wallfire.org>.
4063 .\" .. and did I mention that we are incredibly cool people?
4065 .\" .. witty, charming, powerful ..
4066 diff -urN -x CVS -x .cvsignore iptables-1.2.8/iptables.c userspace/iptables.c
4067 --- iptables-1.2.8/iptables.c Mon Mar 31 14:11:55 2003
4068 +++ userspace/iptables.c Tue Jun 3 20:18:04 2003
4070 exit_tryhelp(int status)
4073 - fprintf(stderr, "Error occured at line: %d\n", line);
4074 + fprintf(stderr, "Error occurred at line: %d\n", line);
4075 fprintf(stderr, "Try `%s -h' or '%s --help' for more information.\n",
4076 program_name, program_name );
4078 @@ -1254,14 +1254,14 @@
4080 fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
4081 if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
4082 - printf(FMT("%-19s","-> %s"), "anywhere");
4083 + printf(FMT("%-19s ","-> %s"), "anywhere");
4085 if (format & FMT_NUMERIC)
4086 sprintf(buf, "%s", addr_to_dotted(&(fw->ip.dst)));
4088 sprintf(buf, "%s", addr_to_anyname(&(fw->ip.dst)));
4089 strcat(buf, mask_to_dotted(&(fw->ip.dmsk)));
4090 - printf(FMT("%-19s","-> %s"), buf);
4091 + printf(FMT("%-19s ","-> %s"), buf);
4094 if (format & FMT_NOTABLE)
4095 diff -urN -x CVS -x .cvsignore iptables-1.2.8/libiptc/libip4tc.c userspace/libiptc/libip4tc.c
4096 --- iptables-1.2.8/libiptc/libip4tc.c Wed Jun 12 21:22:29 2002
4097 +++ userspace/libiptc/libip4tc.c Thu May 22 16:33:35 2003
4099 #define TC_SET_POLICY iptc_set_policy
4100 #define TC_GET_RAW_SOCKET iptc_get_raw_socket
4101 #define TC_INIT iptc_init
4102 +#define TC_FREE iptc_free
4103 #define TC_COMMIT iptc_commit
4104 #define TC_STRERROR iptc_strerror
4106 diff -urN -x CVS -x .cvsignore iptables-1.2.8/libiptc/libip6tc.c userspace/libiptc/libip6tc.c
4107 --- iptables-1.2.8/libiptc/libip6tc.c Thu Feb 14 00:13:23 2002
4108 +++ userspace/libiptc/libip6tc.c Tue Jul 15 15:29:20 2003
4110 #define TC_SET_POLICY ip6tc_set_policy
4111 #define TC_GET_RAW_SOCKET ip6tc_get_raw_socket
4112 #define TC_INIT ip6tc_init
4113 +#define TC_FREE ip6tc_free
4114 #define TC_COMMIT ip6tc_commit
4115 #define TC_STRERROR ip6tc_strerror
4118 #include "libiptc.c"
4120 #define BIT6(a, l) \
4121 - (((a->in6_u.u6_addr32[(l) / 32]) >> ((l) & 31)) & 1)
4122 + ((ntohl(a->in6_u.u6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
4125 ipv6_prefix_length(const struct in6_addr *a)
4126 diff -urN -x CVS -x .cvsignore iptables-1.2.8/libiptc/libiptc.c userspace/libiptc/libiptc.c
4127 --- iptables-1.2.8/libiptc/libiptc.c Wed May 29 15:08:16 2002
4128 +++ userspace/libiptc/libiptc.c Tue Jul 15 15:29:20 2003
4130 -/* Library which manipulates firewall rules. Version $Revision$ */
4131 +/* Library which manipulates firewall rules. Version $Revision$ */
4133 /* Architecture of firewall rules is as follows:
4136 * and a POLICY for built-ins.
4139 -/* (C)1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
4140 - COPYING for details). */
4141 +/* (C) 1999 Paul ``Rusty'' Russell - Placed under the GNU GPL (See
4142 + * COPYING for details).
4143 + * (C) 2000-2003 by the Netfilter Core Team <coreteam@netfilter.org>
4145 + * 2003-Jun-20: Harald Welte <laforge@netfilter.org>:
4146 + * - Reimplementation of chain cache to use offsets instead of entries
4147 + * 2003-Jun-23: Harald Welte <laforge@netfilter.org>:
4148 + * - performance optimization, sponsored by Astaro AG (http://www.astaro.com/)
4149 + * don't rebuild the chain cache after every operation, instead fix it
4150 + * up after a ruleset change.
4154 #define IPT_LIB_DIR "/usr/local/lib/iptables"
4157 char name[TABLE_MAXNAMELEN];
4158 /* This is the first rule in chain. */
4159 - STRUCT_ENTRY *start;
4160 + unsigned int start_off;
4161 /* Last rule in chain */
4162 - STRUCT_ENTRY *end;
4163 + unsigned int end_off;
4169 set_changed(TC_HANDLE_T h)
4171 - if (h->cache_chain_heads) {
4172 - free(h->cache_chain_heads);
4173 - h->cache_chain_heads = NULL;
4174 - h->cache_num_chains = 0;
4175 - h->cache_chain_iteration = NULL;
4176 - h->cache_rule_end = NULL;
4181 @@ -171,15 +173,28 @@
4182 static inline unsigned long
4183 entry2offset(const TC_HANDLE_T h, const STRUCT_ENTRY *e)
4185 - return (char *)e - (char *)h->entries.entrytable;
4186 + return (void *)e - (void *)h->entries.entrytable;
4189 -static unsigned long
4190 +static inline unsigned long
4191 index2offset(TC_HANDLE_T h, unsigned int index)
4193 return entry2offset(h, index2entry(h, index));
4196 +static inline STRUCT_ENTRY *
4197 +offset2entry(TC_HANDLE_T h, unsigned int offset)
4199 + return (STRUCT_ENTRY *) ((void *)h->entries.entrytable+offset);
4202 +static inline unsigned int
4203 +offset2index(const TC_HANDLE_T h, unsigned int offset)
4205 + return entry2index(h, offset2entry(h, offset));
4210 get_errorlabel(TC_HANDLE_T h, unsigned int offset)
4212 @@ -234,25 +249,32 @@
4217 + if (sockfd != -1) {
4222 + if (strlen(tablename) >= TABLE_MAXNAMELEN) {
4227 sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
4232 - if (strlen(tablename) >= TABLE_MAXNAMELEN) {
4237 strcpy(info.name, tablename);
4238 if (getsockopt(sockfd, TC_IPPROTO, SO_GET_INFO, &info, &s) < 0)
4241 if ((h = alloc_handle(info.name, info.size, info.num_entries))
4253 if (getsockopt(sockfd, TC_IPPROTO, SO_GET_ENTRIES, &h->entries,
4260 @@ -292,6 +316,17 @@
4265 +TC_FREE(TC_HANDLE_T *h)
4269 + if ((*h)->cache_chain_heads)
4270 + free((*h)->cache_chain_heads);
4276 print_match(const STRUCT_ENTRY_MATCH *m)
4279 /* Last entry. End it. */
4280 if (entry2offset(h, e) + e->next_offset == h->entries.size) {
4281 /* This is the ERROR node at end of the table */
4282 - h->cache_chain_heads[h->cache_num_chains-1].end = *prev;
4283 + h->cache_chain_heads[h->cache_num_chains-1].end_off =
4284 + entry2offset(h, *prev);
4288 @@ -357,24 +393,24 @@
4289 target, or a hook entry point */
4290 if (strcmp(GET_TARGET(e)->u.user.name, ERROR_TARGET) == 0) {
4291 /* prev was last entry in previous chain */
4292 - h->cache_chain_heads[h->cache_num_chains-1].end
4294 + h->cache_chain_heads[h->cache_num_chains-1].end_off
4295 + = entry2offset(h, *prev);
4297 strcpy(h->cache_chain_heads[h->cache_num_chains].name,
4298 (const char *)GET_TARGET(e)->data);
4299 - h->cache_chain_heads[h->cache_num_chains].start
4300 - = (void *)e + e->next_offset;
4301 + h->cache_chain_heads[h->cache_num_chains].start_off
4302 + = entry2offset(h, (void *)e + e->next_offset);
4303 h->cache_num_chains++;
4304 } else if ((builtin = is_hook_entry(e, h)) != 0) {
4305 if (h->cache_num_chains > 0)
4306 /* prev was last entry in previous chain */
4307 - h->cache_chain_heads[h->cache_num_chains-1].end
4309 + h->cache_chain_heads[h->cache_num_chains-1].end_off
4310 + = entry2offset(h, *prev);
4312 strcpy(h->cache_chain_heads[h->cache_num_chains].name,
4313 h->hooknames[builtin-1]);
4314 - h->cache_chain_heads[h->cache_num_chains].start
4316 + h->cache_chain_heads[h->cache_num_chains].start_off
4317 + = entry2offset(h, (void *)e);
4318 h->cache_num_chains++;
4321 @@ -421,6 +457,81 @@
4326 +correct_cache(TC_HANDLE_T h, unsigned int offset, int delta)
4328 + int i; /* needs to be signed because deleting first
4329 + chain can make it drop to -1 */
4334 + for (i = 0; i < h->cache_num_chains; i++) {
4335 + struct chain_cache *cc = &h->cache_chain_heads[i];
4338 + /* take care about deleted chains */
4339 + if (cc->start_off > offset+delta
4340 + && cc->end_off < offset) {
4341 + /* this chain is within the deleted range,
4342 + * let's remove it from the cache */
4344 + unsigned int size;
4346 + h->cache_num_chains--;
4348 + /* no need for memmove since we are
4349 + * removing the last entry */
4350 + if (i >= h->cache_num_chains)
4353 + start = &h->cache_chain_heads[i+1];
4354 + size = (h->cache_num_chains-i)
4355 + * sizeof(struct chain_cache);
4356 + memmove(cc, start, size);
4358 + /* iterate over same index again, since
4359 + * it is now a different chain */
4365 + if (cc->start_off > offset)
4366 + cc->start_off += delta;
4368 + if (cc->end_off >= offset)
4369 + cc->end_off += delta;
4371 + /* HW_FIXME: sorting might be needed, but just in case a new chain was
4378 +add_chain_cache(TC_HANDLE_T h, const char *name, unsigned int start_off,
4379 + unsigned int end_off)
4381 + struct chain_cache *ccs = realloc(h->cache_chain_heads,
4382 + (h->new_number / 2 + 4 + 1)
4383 + * sizeof(struct chain_cache));
4384 + struct chain_cache *newcc;
4389 + h->cache_chain_heads = ccs;
4390 + newcc = &h->cache_chain_heads[h->cache_num_chains];
4391 + h->cache_num_chains++;
4393 + strncpy(newcc->name, name, TABLE_MAXNAMELEN-1);
4394 + newcc->start_off = start_off;
4395 + newcc->end_off = end_off;
4400 /* Returns cache ptr if found, otherwise NULL. */
4401 static struct chain_cache *
4402 find_label(const char *name, TC_HANDLE_T handle)
4403 @@ -523,11 +634,11 @@
4406 /* Empty chain: single return/policy rule */
4407 - if (c->start == c->end)
4408 + if (c->start_off == c->end_off)
4411 - (*handle)->cache_rule_end = c->end;
4413 + (*handle)->cache_rule_end = offset2entry(*handle, c->end_off);
4414 + return offset2entry(*handle, c->start_off);
4417 /* Returns NULL when rules run out. */
4419 return target_name(*handle, e);
4424 correct_verdict(STRUCT_ENTRY *e,
4426 unsigned int offset, int delta_offset)
4427 @@ -767,8 +878,16 @@
4428 newh->entries.size = (*handle)->entries.size + rules_size;
4429 newh->hooknames = (*handle)->hooknames;
4431 - if ((*handle)->cache_chain_heads)
4432 - free((*handle)->cache_chain_heads);
4433 + newh->cache_chain_heads = (*handle)->cache_chain_heads;
4434 + newh->cache_num_builtins = (*handle)->cache_num_builtins;
4435 + newh->cache_num_chains = (*handle)->cache_num_chains;
4436 + newh->cache_rule_end = (*handle)->cache_rule_end;
4437 + newh->cache_chain_iteration = (*handle)->cache_chain_iteration;
4438 + if (!correct_cache(newh, offset, rules_size)) {
4446 @@ -827,6 +946,10 @@
4447 (*handle)->new_number -= num_rules;
4448 (*handle)->entries.size -= rules_size;
4450 + /* Fix the chain cache */
4451 + if (!correct_cache(*handle, offset+rules_size, -(int)rules_size))
4454 return set_verdict(offset, -(int)rules_size, handle);
4457 @@ -884,7 +1007,7 @@
4459 c = find_label(t->u.user.name, handle);
4461 - return standard_map(e, entry2offset(handle, c->start));
4462 + return standard_map(e, c->start_off);
4465 /* Must be a module? If not, kernel will reject... */
4466 @@ -924,10 +1047,10 @@
4470 - chainindex = entry2index(*handle, c->start);
4471 + chainindex = offset2index(*handle, c->start_off);
4473 tmp = index2entry(*handle, chainindex + rulenum);
4474 - if (!tmp || tmp > c->end) {
4475 + if (!tmp || tmp > offset2entry(*handle, c->end_off)) {
4479 @@ -964,10 +1087,10 @@
4483 - chainindex = entry2index(*handle, c->start);
4484 + chainindex = offset2index(*handle, c->start_off);
4486 tmp = index2entry(*handle, chainindex + rulenum);
4487 - if (!tmp || tmp >= c->end) {
4488 + if (!tmp || tmp >= offset2entry(*handle, c->end_off)) {
4492 @@ -1005,13 +1128,11 @@
4495 if (!map_target(*handle, (STRUCT_ENTRY *)e,
4496 - entry2offset(*handle, c->end), &old))
4497 + c->end_off, &old))
4500 - ret = insert_rules(1, e->next_offset, e,
4501 - entry2offset(*handle, c->end),
4502 - entry2index(*handle, c->end),
4504 + ret = insert_rules(1, e->next_offset, e, c->end_off,
4505 + offset2index(*handle, c->end_off), 0, handle);
4506 unmap_target((STRUCT_ENTRY *)e, &old);
4509 @@ -1085,8 +1206,7 @@
4513 - for (offset = entry2offset(*handle, c->start);
4514 - offset < entry2offset(*handle, c->end);
4515 + for (offset = c->start_off; offset < c->end_off;
4516 offset += e->next_offset) {
4517 STRUCT_ENTRY_TARGET discard;
4519 @@ -1135,9 +1255,9 @@
4523 - index = entry2index(*handle, c->start) + rulenum;
4524 + index = offset2index(*handle, c->start_off) + rulenum;
4526 - if (index >= entry2index(*handle, c->end)) {
4527 + if (index >= offset2index(*handle, c->end_off)) {
4531 @@ -1169,6 +1289,7 @@
4532 TC_FLUSH_ENTRIES(const IPT_CHAINLABEL chain, TC_HANDLE_T *handle)
4534 unsigned int startindex, endindex;
4535 + STRUCT_ENTRY *startentry, *endentry;
4536 struct chain_cache *c;
4539 @@ -1177,12 +1298,14 @@
4543 - startindex = entry2index(*handle, c->start);
4544 - endindex = entry2index(*handle, c->end);
4545 + startindex = offset2index(*handle, c->start_off);
4546 + endindex = offset2index(*handle, c->end_off);
4547 + startentry = offset2entry(*handle, c->start_off);
4548 + endentry = offset2entry(*handle, c->end_off);
4550 ret = delete_rules(endindex - startindex,
4551 - (char *)c->end - (char *)c->start,
4552 - entry2offset(*handle, c->start), startindex,
4553 + (char *)endentry - (char *)startentry,
4554 + c->start_off, startindex,
4558 @@ -1199,8 +1322,8 @@
4562 - i = entry2index(*handle, c->start);
4563 - end = entry2index(*handle, c->end);
4564 + i = offset2index(*handle, c->start_off);
4565 + end = offset2index(*handle, c->end_off);
4567 for (; i <= end; i++) {
4568 if ((*handle)->counter_map[i].maptype ==COUNTER_MAP_NORMAL_MAP)
4569 @@ -1228,8 +1351,8 @@
4573 - chainindex = entry2index(*handle, c->start);
4574 - end = entry2index(*handle, c->end);
4575 + chainindex = offset2index(*handle, c->start_off);
4576 + end = offset2index(*handle, c->end_off);
4578 if (chainindex + rulenum > end) {
4580 @@ -1258,8 +1381,8 @@
4584 - chainindex = entry2index(*handle, c->start);
4585 - end = entry2index(*handle, c->end);
4586 + chainindex = offset2index(*handle, c->start_off);
4587 + end = offset2index(*handle, c->end_off);
4589 if (chainindex + rulenum > end) {
4591 @@ -1297,8 +1420,8 @@
4595 - chainindex = entry2index(*handle, c->start);
4596 - end = entry2index(*handle, c->end);
4597 + chainindex = offset2index(*handle, c->start_off);
4598 + end = offset2index(*handle, c->end_off);
4600 if (chainindex + rulenum > end) {
4602 @@ -1330,6 +1453,7 @@
4604 STRUCT_STANDARD_TARGET target;
4606 + unsigned int destination;
4608 iptc_fn = TC_CREATE_CHAIN;
4610 @@ -1367,11 +1491,21 @@
4611 = ALIGN(sizeof(STRUCT_STANDARD_TARGET));
4612 newc.target.verdict = RETURN;
4614 + destination = index2offset(*handle, (*handle)->new_number -1);
4616 /* Add just before terminal entry */
4617 ret = insert_rules(2, sizeof(newc), &newc.head,
4618 - index2offset(*handle, (*handle)->new_number - 1),
4620 (*handle)->new_number - 1,
4623 + set_changed(*handle);
4625 + /* add chain cache info for this chain */
4626 + add_chain_cache(*handle, chain,
4627 + destination+newc.head.next_offset,
4628 + destination+newc.head.next_offset);
4633 @@ -1405,7 +1539,7 @@
4635 ENTRY_ITERATE((*handle)->entries.entrytable,
4636 (*handle)->entries.size,
4637 - count_ref, entry2offset(*handle, c->start), ref);
4638 + count_ref, c->start_off, ref);
4642 @@ -1417,6 +1551,7 @@
4643 unsigned int references;
4644 struct chain_cache *c;
4646 + STRUCT_ENTRY *start;
4648 if (!TC_GET_REFERENCES(&references, chain, handle))
4650 @@ -1438,18 +1573,20 @@
4654 - if ((void *)c->start != c->end) {
4655 + if (c->start_off != c->end_off) {
4660 /* Need label index: preceeds chain start */
4661 - labelidx = entry2index(*handle, c->start) - 1;
4662 + labelidx = offset2index(*handle, c->start_off) - 1;
4663 labeloff = index2offset(*handle, labelidx);
4665 + start = offset2entry(*handle, c->start_off);
4667 ret = delete_rules(2,
4668 get_entry(*handle, labeloff)->next_offset
4669 - + c->start->next_offset,
4670 + + start->next_offset,
4671 labeloff, labelidx, handle);
4674 @@ -1488,7 +1625,7 @@
4677 /* Need label index: preceeds chain start */
4678 - labelidx = entry2index(*handle, c->start) - 1;
4679 + labelidx = offset2index(*handle, c->start_off) - 1;
4680 labeloff = index2offset(*handle, labelidx);
4682 t = (struct ipt_error_target *)
4683 @@ -1496,6 +1633,11 @@
4685 memset(t->error, 0, sizeof(t->error));
4686 strcpy(t->error, newname);
4688 + /* update chain cache */
4689 + memset(c->name, 0, sizeof(c->name));
4690 + strcpy(c->name, newname);
4692 set_changed(*handle);
4695 @@ -1582,11 +1724,13 @@
4696 STRUCT_REPLACE *repl;
4697 STRUCT_COUNTERS_INFO *newcounters;
4700 - = sizeof(STRUCT_COUNTERS_INFO)
4701 - + sizeof(STRUCT_COUNTERS) * (*handle)->new_number;
4702 + size_t counterlen;
4706 + counterlen = sizeof(STRUCT_COUNTERS_INFO)
4707 + + sizeof(STRUCT_COUNTERS) * (*handle)->new_number;
4710 TC_DUMP_ENTRIES(*handle);
4712 @@ -1713,10 +1857,7 @@
4716 - if ((*handle)->cache_chain_heads)
4717 - free((*handle)->cache_chain_heads);
4724 diff -urN -x CVS -x .cvsignore iptables-1.2.8/libipulog/Makefile userspace/libipulog/Makefile
4725 --- iptables-1.2.8/libipulog/Makefile Thu Jan 1 01:00:00 1970
4726 +++ userspace/libipulog/Makefile Fri Mar 16 14:40:52 2001
4728 +EXTRAS+=libipulog/libipulog.a
4730 +DEVEL_LIBS+=libipulog/libipulog.a
4732 +ifndef TOPLEVEL_INCLUDED
4734 + cd .. && $(MAKE) $(KERN_TARGETS) $(SHARED_LIBS) $(EXTRAS)
4737 +EXTRA_DEPENDS+=echo libipulog/libipulog.d
4739 +libipulog/libipulog.a: libipulog/libipulog.a(libipulog/libipulog.o)
4741 +libipulog/libipulog.d: %.d: %.c
4742 + @-$(CC) -M -MG $(CFLAGS) $< | sed -e 's@^.*\.o:@$*.d $*.a($*.o):@' > $@
4744 diff -urN -x CVS -x .cvsignore iptables-1.2.8/libipulog/libipulog.c userspace/libipulog/libipulog.c
4745 --- iptables-1.2.8/libipulog/libipulog.c Thu Jan 1 01:00:00 1970
4746 +++ userspace/libipulog/libipulog.c Tue Jan 30 13:05:43 2001
4749 + * libipulog.c, 1.6
4751 + * netfilter ULOG userspace library.
4753 + * (C) 2000 by Harald Welte <laforge@gnumonks.org>
4754 + * released under the terms of GNU GPL
4756 + * This library is still under development, so be aware of sudden interface
4759 + * libipulog.c,v 1.6 2001/01/30 09:28:04 laforge Exp
4762 +#include <stdlib.h>
4764 +#include <string.h>
4765 +#include <unistd.h>
4766 +#include <net/if.h>
4767 +#include <libipulog/libipulog.h>
4769 +struct ipulog_handle
4772 + u_int8_t blocking;
4773 + struct sockaddr_nl local;
4774 + struct sockaddr_nl peer;
4775 + struct nlmsghdr* last_nlhdr;
4782 + IPULOG_ERR_NONE = 0,
4784 + IPULOG_ERR_HANDLE,
4785 + IPULOG_ERR_SOCKET,
4787 + IPULOG_ERR_RECVBUF,
4795 +#define IPULOG_MAXERR IPULOG_ERR_INVNL
4797 +static int ipulog_errno = IPULOG_ERR_NONE;
4799 +struct ipulog_errmap_t
4803 +} ipulog_errmap[] =
4805 + { IPULOG_ERR_NONE, "No error" },
4806 + { IPULOG_ERR_IMPL, "Not implemented yet" },
4807 + { IPULOG_ERR_HANDLE, "Unable to create netlink handle" },
4808 + { IPULOG_ERR_SOCKET, "Unable to create netlink socket" },
4809 + { IPULOG_ERR_BIND, "Unable to bind netlink socket" },
4810 + { IPULOG_ERR_RECVBUF, "Receive buffer size invalid" },
4811 + { IPULOG_ERR_RECV, "Error during netlink receive" },
4812 + { IPULOG_ERR_NLEOF, "Received EOF on netlink socket" },
4813 + { IPULOG_ERR_TRUNC, "Receive message truncated" },
4814 + { IPULOG_ERR_INVGR, "Invalid group specified" },
4815 + { IPULOG_ERR_INVNL, "Invalid netlink message" },
4818 +static ssize_t ipulog_netlink_recvfrom(const struct ipulog_handle *h,
4819 + unsigned char *buf, size_t len)
4821 + int addrlen, status;
4822 + struct nlmsghdr *nlh;
4824 + if (len < sizeof(struct nlmsgerr)) {
4825 + ipulog_errno = IPULOG_ERR_RECVBUF;
4828 + addrlen = sizeof(h->peer);
4829 + status = recvfrom(h->fd, buf, len, 0, (struct sockaddr *)&h->peer,
4833 + ipulog_errno = IPULOG_ERR_RECV;
4836 + if (addrlen != sizeof (h->peer))
4838 + ipulog_errno = IPULOG_ERR_RECV;
4843 + ipulog_errno = IPULOG_ERR_NLEOF;
4846 + nlh = (struct nlmsghdr *)buf;
4847 + if (nlh->nlmsg_flags & MSG_TRUNC || status > len)
4849 + ipulog_errno = IPULOG_ERR_TRUNC;
4855 +static char *ipulog_strerror(int errcode)
4857 + if (errcode < 0 || errcode > IPULOG_MAXERR)
4858 + errcode = IPULOG_ERR_IMPL;
4859 + return ipulog_errmap[errcode].message;
4865 +/* convert a netlink group (1-32) to a group_mask suitable for create_handle */
4866 +u_int32_t ipulog_group2gmask(u_int32_t group)
4868 + if (group < 1 || group > 32)
4870 + ipulog_errno = IPULOG_ERR_INVGR;
4873 + return (1 << (group - 1));
4876 +/* create a ipulog handle for the reception of packets sent to gmask */
4877 +struct ipulog_handle *ipulog_create_handle(unsigned int gmask)
4879 + struct ipulog_handle *h;
4882 + h = (struct ipulog_handle *) malloc(sizeof(struct ipulog_handle));
4885 + ipulog_errno = IPULOG_ERR_HANDLE;
4888 + memset(h, 0, sizeof(struct ipulog_handle));
4889 + h->fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_NFLOG);
4892 + ipulog_errno = IPULOG_ERR_SOCKET;
4897 + memset(&h->local, 0, sizeof(struct sockaddr_nl));
4898 + h->local.nl_family = AF_NETLINK;
4899 + h->local.nl_pid = getpid();
4900 + h->local.nl_groups = gmask;
4901 + status = bind(h->fd, (struct sockaddr *)&h->local, sizeof(h->local));
4904 + ipulog_errno = IPULOG_ERR_BIND;
4909 + memset(&h->peer, 0, sizeof(struct sockaddr_nl));
4910 + h->peer.nl_family = AF_NETLINK;
4911 + h->peer.nl_pid = 0;
4912 + h->peer.nl_groups = gmask;
4917 +/* destroy a ipulog handle */
4918 +void ipulog_destroy_handle(struct ipulog_handle *h)
4925 +int ipulog_set_mode()
4930 +/* do a BLOCKING read on an ipulog handle */
4931 +ssize_t ipulog_read(struct ipulog_handle *h, unsigned char *buf,
4932 + size_t len, int timeout)
4934 + return ipulog_netlink_recvfrom(h, buf, len);
4937 +/* get a pointer to the actual start of the ipulog packet,
4938 + use this to strip netlink header */
4939 +ulog_packet_msg_t *ipulog_get_packet(struct ipulog_handle *h,
4940 + const unsigned char *buf,
4943 + struct nlmsghdr *nlh;
4944 + size_t remain_len;
4946 + /* if last header in handle not inside this buffer,
4947 + * drop reference to last header */
4948 + if ((unsigned char *)h->last_nlhdr > (buf + len) ||
4949 + (unsigned char *)h->last_nlhdr < buf) {
4950 + h->last_nlhdr = NULL;
4953 + if (!h->last_nlhdr) {
4954 + /* fist message in buffer */
4955 + nlh = (struct nlmsghdr *) buf;
4956 + if (!NLMSG_OK(nlh, len)) {
4958 + ipulog_errno = IPULOG_ERR_INVNL;
4962 + /* we are in n-th part of multilink message */
4963 + if (h->last_nlhdr->nlmsg_type == NLMSG_DONE) {
4964 + /* if last part in multilink message, return */
4965 + h->last_nlhdr = NULL;
4969 + /* calculate remaining lenght from lasthdr to end of buffer */
4970 + remain_len = (len -
4971 + ((unsigned char *)h->last_nlhdr - buf));
4972 + nlh = NLMSG_NEXT(h->last_nlhdr, remain_len);
4975 + /* update last_nlhdr field */
4976 + if (nlh->nlmsg_flags & NLM_F_MULTI) {
4977 + h->last_nlhdr = nlh;
4980 + return NLMSG_DATA(nlh);
4983 +/* print a human readable description of the last error to stderr */
4984 +void ipulog_perror(const char *s)
4989 + fputs("ERROR", stderr);
4991 + fprintf(stderr, ": %s", ipulog_strerror(ipulog_errno));
4993 + fprintf(stderr, ": %s", strerror(errno));
4994 + fputc('\n', stderr);