SOURCES: iptables-20060329.patch (NEW), iptables-comment-20060329....

cieciwa cieciwa at pld-linux.org
Wed Mar 29 11:42:06 CEST 2006


Author: cieciwa                      Date: Wed Mar 29 09:42:06 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- netfilter snap 2006-03-29.

---- Files affected:
SOURCES:
   iptables-20060329.patch (NONE -> 1.1)  (NEW), iptables-comment-20060329.patch (NONE -> 1.1)  (NEW), iptables-expire-20060329.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/iptables-20060329.patch
diff -u /dev/null SOURCES/iptables-20060329.patch:1.1
--- /dev/null	Wed Mar 29 11:42:06 2006
+++ SOURCES/iptables-20060329.patch	Wed Mar 29 11:42:01 2006
@@ -0,0 +1,367 @@
+diff -Nur iptables-1.3.5/include/ip6tables.h iptables-20060329/include/ip6tables.h
+--- iptables-1.3.5/include/ip6tables.h	2006-01-30 09:43:09.000000000 +0100
++++ iptables-20060329/include/ip6tables.h	2006-03-29 08:40:40.000000000 +0200
+@@ -13,6 +13,10 @@
+ 	struct ip6tables_rule_match *next;
+ 
+ 	struct ip6tables_match *match;
++
++	/* Multiple matches of the same type: the ones before
++	   the current one are completed from parsing point of view */	
++	unsigned int completed;
+ };
+ 
+ /* Include file for additions: new matches and targets. */
+diff -Nur iptables-1.3.5/include/iptables.h iptables-20060329/include/iptables.h
+--- iptables-1.3.5/include/iptables.h	2006-01-30 09:43:09.000000000 +0100
++++ iptables-20060329/include/iptables.h	2006-03-29 08:40:40.000000000 +0200
+@@ -29,6 +29,10 @@
+ 	struct iptables_rule_match *next;
+ 
+ 	struct iptables_match *match;
++
++	/* Multiple matches of the same type: the ones before
++	   the current one are completed from parsing point of view */	
++	unsigned int completed;
+ };
+ 
+ /* Include file for additions: new matches and targets. */
+diff -Nur iptables-1.3.5/ip6tables-restore.c iptables-20060329/ip6tables-restore.c
+--- iptables-1.3.5/ip6tables-restore.c	2005-06-24 18:34:19.000000000 +0200
++++ iptables-20060329/ip6tables-restore.c	2006-03-29 08:40:45.000000000 +0200
+@@ -7,7 +7,7 @@
+  * 	Rusty Russell <rusty at linuxcare.com.au>
+  * This code is distributed under the terms of GNU GPL v2
+  *
+- * $Id$
++ * $Id$
+  */
+ 
+ #include <getopt.h>
+@@ -266,7 +266,10 @@
+ 					char *ctrs;
+ 					ctrs = strtok(NULL, " \t\n");
+ 
+-					parse_counters(ctrs, &count);
++					if (!ctrs || !parse_counters(ctrs, &count))
++						exit_error(PARAMETER_PROBLEM,
++							  "invalid policy counters "
++							  "for chain '%s'\n", chain);
+ 
+ 				} else {
+ 					memset(&count, 0, 
+diff -Nur iptables-1.3.5/ip6tables.c iptables-20060329/ip6tables.c
+--- iptables-1.3.5/ip6tables.c	2006-01-30 09:43:12.000000000 +0100
++++ iptables-20060329/ip6tables.c	2006-03-29 08:40:45.000000000 +0200
+@@ -224,7 +224,6 @@
+ 	{ "icmpv6", IPPROTO_ICMPV6 },
+ 	{ "esp", IPPROTO_ESP },
+ 	{ "ah", IPPROTO_AH },
+-	{ "all", 0 },
+ };
+ 
+ static char *
+@@ -710,37 +709,46 @@
+ }
+ 
+ struct ip6tables_match *
+-find_match(const char *name, enum ip6t_tryload tryload, struct ip6tables_rule_match **matches)
++find_match(const char *match_name, enum ip6t_tryload tryload, struct ip6tables_rule_match **matches)
+ {
+ 	struct ip6tables_match *ptr;
+- 	int icmphack = 0;
++ 	const char *icmp6 = "icmp6";
++ 	const char *name;
+   
+ 	/* This is ugly as hell. Nonetheless, there is no way of changing
+ 	 * this without hurting backwards compatibility */
+- 	if ( (strcmp(name,"icmpv6") == 0) ||
+- 	     (strcmp(name,"ipv6-icmp") == 0) ||
+- 	     (strcmp(name,"icmp6") == 0) ) icmphack = 1;
++ 	if ( (strcmp(match_name,"icmpv6") == 0) ||
++ 	     (strcmp(match_name,"ipv6-icmp") == 0) ||
++ 	     (strcmp(match_name,"icmp6") == 0) )
++ 	     	name = icmp6;
++ 	else
++ 		name = match_name;
+  
+- 	if (!icmphack) {
+- 		for (ptr = ip6tables_matches; ptr; ptr = ptr->next) {
+- 			if (strcmp(name, ptr->name) == 0)
+- 				break;
+- 		}
+- 	} else {
+- 		for (ptr = ip6tables_matches; ptr; ptr = ptr->next) {
+- 			if (strcmp("icmp6", ptr->name) == 0)
+- 				break;
+- 		}
+-  	}
++	for (ptr = ip6tables_matches; ptr; ptr = ptr->next) {
++ 		if (strcmp(name, ptr->name) == 0) {
++			struct ip6tables_match *clone;
++			
++			/* First match of this type: */
++			if (ptr->m == NULL)
++				break;
++
++			/* Second and subsequent clones */
++			clone = fw_malloc(sizeof(struct ip6tables_match));
++			memcpy(clone, ptr, sizeof(struct ip6tables_match));
++			clone->mflags = 0;
++			/* This is a clone: */
++			clone->next = clone;
++
++			ptr = clone;
++			break;
++		}
++	}
+ 
+ #ifndef NO_SHARED_LIBS
+ 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
+ 		char path[strlen(lib_dir) + sizeof("/libip6t_.so")
+ 			 + strlen(name)];
+-		if (!icmphack)
+-			sprintf(path, "%s/libip6t_%s.so", lib_dir, name);
+-		else
+-			sprintf(path, "%s/libip6t_%s.so", lib_dir, "icmpv6");
++		sprintf(path, "%s/libip6t_%s.so", lib_dir, name);
+ 		if (dlopen(path, RTLD_NOW)) {
+ 			/* Found library.  If it didn't register itself,
+ 			   maybe they specified target as match. */
+@@ -774,8 +782,12 @@
+ 
+ 		newentry = fw_malloc(sizeof(struct ip6tables_rule_match));
+ 
+-		for (i = matches; *i; i = &(*i)->next);
++		for (i = matches; *i; i = &(*i)->next) {
++			if (strcmp(name, (*i)->match->name) == 0)
++				(*i)->completed = 1;
++		}
+ 		newentry->match = ptr;
++		newentry->completed = 0;
+ 		newentry->next = NULL;
+ 		*i = newentry;
+ 	}
+@@ -808,6 +820,13 @@
+ 	if (string_to_number(s, 0, 255, &proto) == -1) {
+ 		struct protoent *pent;
+ 
++		/* first deal with the special case of 'all' to prevent
++		 * people from being able to redefine 'all' in nsswitch
++		 * and/or provoke expensive [not working] ldap/nis/... 
++		 * lookups */
++		if (!strcmp(s, "all"))
++			return 0;
++
+ 		if ((pent = getprotobyname(s)))
+ 			proto = pent->p_proto;
+ 		else {
+@@ -1691,8 +1710,14 @@
+ 
+ 	for (matchp = *matches; matchp;) {
+ 		tmp = matchp->next;
+-		if (matchp->match->m)
++		if (matchp->match->m) {
+ 			free(matchp->match->m);
++			matchp->match->m = NULL;
++		}
++		if (matchp->match == matchp->match->next) {
++			free(matchp->match);
++			matchp->match = NULL;
++		}
+ 		free(matchp);
+ 		matchp = tmp;
+ 	}
+@@ -1980,7 +2005,9 @@
+ 			strcpy(m->m->u.user.name, m->name);
+ 			if (m->init != NULL)
+ 				m->init(m->m, &fw.nfcache);
+-			opts = merge_options(opts, m->extra_opts, &m->option_offset);
++			if (m != m->next)
++				/* Merge options for non-cloned matches */
++				opts = merge_options(opts, m->extra_opts, &m->option_offset);
+ 		}
+ 		break;
+ 
+@@ -2058,14 +2085,14 @@
+ 			exit_tryhelp(2);
+ 
+ 		default:
+-			/* FIXME: This scheme doesn't allow two of the same
+-			   matches --RR */
+ 			if (!target
+ 			    || !(target->parse(c - target->option_offset,
+ 					       argv, invert,
+ 					       &target->tflags,
+ 					       &fw, &target->t))) {
+ 				for (matchp = matches; matchp; matchp = matchp->next) {
++					if (matchp->completed) 
++						continue;
+ 					if (matchp->match->parse(c - matchp->match->option_offset,
+ 						     argv, invert,
+ 						     &matchp->match->mflags,
+@@ -2080,7 +2107,7 @@
+ 				   actually hear this code suck. */
+ 
+ 				/* some explanations (after four different bugs
+-				 * in 3 different releases): If we encountere a
++				 * in 3 different releases): If we encounter a
+ 				 * parameter, that has not been parsed yet,
+ 				 * it's not an option of an explicitly loaded
+ 				 * match or a target.  However, we support
+diff -Nur iptables-1.3.5/iptables-restore.c iptables-20060329/iptables-restore.c
+--- iptables-1.3.5/iptables-restore.c	2005-06-24 18:34:19.000000000 +0200
++++ iptables-20060329/iptables-restore.c	2006-03-29 08:40:45.000000000 +0200
+@@ -4,7 +4,7 @@
+  *
+  * This code is distributed under the terms of GNU GPL v2
+  *
+- * $Id$
++ * $Id$
+  */
+ 
+ #include <getopt.h>
+@@ -269,7 +269,10 @@
+ 					char *ctrs;
+ 					ctrs = strtok(NULL, " \t\n");
+ 
+-					parse_counters(ctrs, &count);
++					if (!ctrs || !parse_counters(ctrs, &count))
++						exit_error(PARAMETER_PROBLEM,
++							   "invalid policy counters "
++							   "for chain '%s'\n", chain);
+ 
+ 				} else {
+ 					memset(&count, 0, 
+diff -Nur iptables-1.3.5/iptables.c iptables-20060329/iptables.c
+--- iptables-1.3.5/iptables.c	2006-01-30 09:43:09.000000000 +0100
++++ iptables-20060329/iptables.c	2006-03-29 08:40:45.000000000 +0200
+@@ -229,7 +229,6 @@
+ 	{ "esp", IPPROTO_ESP },
+ 	{ "ah", IPPROTO_AH },
+ 	{ "sctp", IPPROTO_SCTP },
+-	{ "all", 0 },
+ };
+ 
+ static char *
+@@ -680,9 +679,24 @@
+ 	struct iptables_match *ptr;
+ 
+ 	for (ptr = iptables_matches; ptr; ptr = ptr->next) {
+-		if (strcmp(name, ptr->name) == 0)
++		if (strcmp(name, ptr->name) == 0) {
++			struct iptables_match *clone;
++			
++			/* First match of this type: */
++			if (ptr->m == NULL)
++				break;
++
++			/* Second and subsequent clones */
++			clone = fw_malloc(sizeof(struct iptables_match));
++			memcpy(clone, ptr, sizeof(struct iptables_match));
++			clone->mflags = 0;
++			/* This is a clone: */
++			clone->next = clone;
++
++			ptr = clone;
+ 			break;
+-	}
++		}
++	}		
+ 
+ #ifndef NO_SHARED_LIBS
+ 	if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) {
+@@ -722,8 +736,12 @@
+ 
+ 		newentry = fw_malloc(sizeof(struct iptables_rule_match));
+ 
+-		for (i = matches; *i; i = &(*i)->next);
++		for (i = matches; *i; i = &(*i)->next) {
++			if (strcmp(name, (*i)->match->name) == 0)
++				(*i)->completed = 1;
++		}
+ 		newentry->match = ptr;
++		newentry->completed = 0;
+ 		newentry->next = NULL;
+ 		*i = newentry;
+ 	}
+@@ -756,6 +774,13 @@
+ 	if (string_to_number(s, 0, 255, &proto) == -1) {
+ 		struct protoent *pent;
+ 
++		/* first deal with the special case of 'all' to prevent
++		 * people from being able to redefine 'all' in nsswitch
++		 * and/or provoke expensive [not working] ldap/nis/... 
++		 * lookups */
++		if (!strcmp(s, "all"))
++			return 0;
++
+ 		if ((pent = getprotobyname(s)))
+ 			proto = pent->p_proto;
+ 		else {
+@@ -1800,8 +1825,14 @@
+ 
+ 	for (matchp = *matches; matchp;) {
+ 		tmp = matchp->next;
+-		if (matchp->match->m)
++		if (matchp->match->m) {
+ 			free(matchp->match->m);
++			matchp->match->m = NULL;
++		}
++		if (matchp->match == matchp->match->next) {
++			free(matchp->match);
++			matchp->match = NULL;
++		}
+ 		free(matchp);
+ 		matchp = tmp;
+ 	}
+@@ -2126,7 +2157,9 @@
+ 			set_revision(m->m->u.user.name, m->revision);
+ 			if (m->init != NULL)
+ 				m->init(m->m, &fw.nfcache);
+-			opts = merge_options(opts, m->extra_opts, &m->option_offset);
++			if (m != m->next)
++				/* Merge options for non-cloned matches */
++				opts = merge_options(opts, m->extra_opts, &m->option_offset);
+ 		}
+ 		break;
+ 
+@@ -2204,14 +2237,14 @@
+ 			exit_tryhelp(2);
+ 
+ 		default:
+-			/* FIXME: This scheme doesn't allow two of the same
+-			   matches --RR */
+ 			if (!target
+ 			    || !(target->parse(c - target->option_offset,
+ 					       argv, invert,
+ 					       &target->tflags,
+ 					       &fw, &target->t))) {
+ 				for (matchp = matches; matchp; matchp = matchp->next) {
++					if (matchp->completed) 
++						continue;
+ 					if (matchp->match->parse(c - matchp->match->option_offset,
+ 						     argv, invert,
+ 						     &matchp->match->mflags,
+@@ -2226,7 +2259,7 @@
+ 				   actually hear this code suck. */
+ 
+ 				/* some explanations (after four different bugs
+-				 * in 3 different releases): If we encountere a
++				 * in 3 different releases): If we encounter a
+ 				 * parameter, that has not been parsed yet,
+ 				 * it's not an option of an explicitly loaded
+ 				 * match or a target.  However, we support
+diff -Nur iptables-1.3.5/libiptc/Makefile iptables-20060329/libiptc/Makefile
+--- iptables-1.3.5/libiptc/Makefile	2004-10-10 11:56:24.000000000 +0200
++++ iptables-20060329/libiptc/Makefile	2006-03-29 08:40:41.000000000 +0200
+@@ -2,7 +2,8 @@
+ 
+ EXTRAS+=libiptc/libiptc.a
+ 
+-DEVEL_LIBS+=libiptc/libiptc.a
++# libiptc is not a public interface and therefore not installed
++# DEVEL_LIBS+=libiptc/libiptc.a
+ 
+ ifndef TOPLEVEL_INCLUDED
+ local:
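Review bot: In the ip6tables.c `find_match()` hunk the autoload path is now built from `name`, which the alias block sets to `icmp6`, while the removed branch always used the literal `icmpv6` for the file name. Unless this snapshot also renames the extension to `libip6t_icmp6.so` (nothing in the visible hunks shows that), `dlopen()` would be asked for a file that is not installed and the ICMPv6 match would fail to autoload. If the on-disk name stays `icmpv6`, keep a separate `const char *libname = (name == icmp6) ? "icmpv6" : name;` and size `path[]` from `strlen(libname)`, because `icmpv6` is one byte longer than `icmp6` and the buffer is currently sized by `strlen(name)`. Separately, in both `find_match()` hunks the clone from `fw_malloc()` is only freed by the cleanup hunk once it sits in a rule's match list, so a call that never links it appears to leak it; a comment such as `/* clone->next == clone marks a heap copy, freed only via the rule's match list */` would document that. The body of `find_match()` continues past the end of its hunk.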

================================================================
Index: SOURCES/iptables-comment-20060329.patch
diff -u /dev/null SOURCES/iptables-comment-20060329.patch:1.1
--- /dev/null	Wed Mar 29 11:42:06 2006
+++ SOURCES/iptables-comment-20060329.patch	Wed Mar 29 11:42:01 2006
@@ -0,0 +1,115 @@
+ .comment-test    |    2 +
+ libipt_comment.c |   58 ++++++++++++++++++++++++++++++-------------------------
+ 2 files changed, 34 insertions(+), 26 deletions(-)
+
+diff -urN --exclude '*.orig' iptables.org/extensions/.comment-test iptables/extensions/.comment-test
+--- iptables.org/extensions/.comment-test	1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/.comment-test	2006-03-29 09:11:08.000000000 +0200
+@@ -0,0 +1,2 @@
++#!/bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_comment.h ] && echo comment
+diff -urN --exclude '*.orig' iptables.org/extensions/libipt_comment.c iptables/extensions/libipt_comment.c
+--- iptables.org/extensions/libipt_comment.c	2006-03-29 08:40:45.000000000 +0200
++++ iptables/extensions/libipt_comment.c	2006-03-29 09:11:08.000000000 +0200
+@@ -1,5 +1,5 @@
+-/* Shared library add-on to iptables to add comment match support.
+- *
++/* Shared library add-on to iptables to add comment match support. 
++ * 
+  * ChangeLog
+  *     2003-05-13: Brad Fisher <brad at info-link.net>
+  *         Initial comment match
+@@ -29,16 +29,24 @@
+ 	{0}
+ };
+ 
++/* Initialize the match. */
+ static void
+-parse_comment(const char *s, struct ipt_comment_info *info)
++init(struct ipt_entry_match *m, unsigned int *nfcache)
++{
++	*nfcache |= NFC_UNKNOWN;
++}
++
++static void
++parse_comment(const unsigned char *s, struct ipt_comment_info *info)
+ {	
+ 	int slen = strlen(s);
+ 
+-	if (slen >= IPT_MAX_COMMENT_LEN) {
++	if (slen > IPT_MAX_COMMENT_LEN) {
+ 		exit_error(PARAMETER_PROBLEM,
+ 			"COMMENT must be shorter than %i characters", IPT_MAX_COMMENT_LEN);
+ 	}
+-	strcpy((char *)info->comment, s);
++	
++	strcpy(info->comment, s);
+ }
+ 
+ /* Function which parses command options; returns true if it
+@@ -53,11 +61,12 @@
+ 
+ 	switch (c) {
+ 	case '1':
+-		check_inverse(argv[optind-1], &invert, &optind, 0);
++		check_inverse(optarg, &invert, &optind, 0);
+ 		if (invert) {
+ 			exit_error(PARAMETER_PROBLEM,
+ 					"Sorry, you can't have an inverted comment");
+ 		}
++		
+ 		parse_comment(argv[optind-1], commentinfo);
+ 		*flags = 1;
+ 		break;
+@@ -83,34 +92,31 @@
+       const struct ipt_entry_match *match,
+       int numeric)
+ {
+-	struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)match->data;
+-
+-	commentinfo->comment[IPT_MAX_COMMENT_LEN-1] = '\0';
+-	printf("/* %s */ ", commentinfo->comment);
++	printf("/* %s */ ", ((struct ipt_comment_info *)match->data)->comment);
+ }
+ 
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+ static void
+ save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+ {
+-	struct ipt_comment_info *commentinfo = (struct ipt_comment_info *)match->data;
+-
+-	commentinfo->comment[IPT_MAX_COMMENT_LEN-1] = '\0';
+-	printf("--comment \"%s\" ", commentinfo->comment);
++/* I wonder whether this works? */
++	printf("--comment \"%s\" ", ((struct ipt_comment_info *)match->data)->comment );
+ }
+ 
+-static struct iptables_match comment = {
+-    .next 		= NULL,
+-    .name 		= "comment",
+-    .version 		= IPTABLES_VERSION,
+-    .size 		= IPT_ALIGN(sizeof(struct ipt_comment_info)),
+-    .userspacesize	= IPT_ALIGN(sizeof(struct ipt_comment_info)),
+-    .help		= &help,
+-    .parse 		= &parse,
+-    .final_check 	= &final_check,
+-    .print 		= &print,
+-    .save 		= &save,
+-    .extra_opts		= opts
++static
++struct iptables_match comment
++= { .next            = NULL,
++    .name            = "comment",
++    .version         = IPTABLES_VERSION,
++    .size            = IPT_ALIGN(sizeof(struct ipt_comment_info)),
++    .userspacesize   = IPT_ALIGN(sizeof(struct ipt_comment_info)),
++    .help            = &help,
++    .init            = &init,
++    .parse           = &parse,
++    .final_check     = &final_check,
++    .print           = &print,
++    .save            = &save,
++    .extra_opts      = opts
+ };
+ 
+ void _init(void)
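Review bot: The relaxed bound in `parse_comment()`, `if (slen > IPT_MAX_COMMENT_LEN)`, now accepts a comment of exactly `IPT_MAX_COMMENT_LEN` characters, and the `strcpy()` that follows writes that many bytes plus the terminating NUL. The struct comes from a kernel header not shown here, but the removed `comment[IPT_MAX_COMMENT_LEN-1] = '\0'` lines suggest the array holds `IPT_MAX_COMMENT_LEN` bytes, in which case this is a one-byte overflow of `info->comment`; the check should stay `if (slen >= IPT_MAX_COMMENT_LEN)`. `print()` and `save()` also lose that forced termination, so a comment field that arrives without a NUL would be read past its end by `%s`; a bounded format such as `printf("/* %.*s */ ", IPT_MAX_COMMENT_LEN, ...)` keeps the read inside the array without writing through the `const` pointer. `parse_comment()` now takes `const unsigned char *` yet hands it to `strlen()` and `strcpy()`, which take `char *`, so either the signature change should be dropped or the casts kept.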

================================================================
Index: SOURCES/iptables-expire-20060329.patch
diff -u /dev/null SOURCES/iptables-expire-20060329.patch:1.1
--- /dev/null	Wed Mar 29 11:42:06 2006
+++ SOURCES/iptables-expire-20060329.patch	Wed Mar 29 11:42:01 2006
@@ -0,0 +1,388 @@
+ .expire-test       |    3 
+ .expire-test6      |    3 
+ libip6t_expire.c   |  170 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ libip6t_expire.man |    5 +
+ libipt_expire.c    |  170 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ libipt_expire.man  |    5 +
+ 6 files changed, 356 insertions(+)
+
+diff -urN --exclude '*.orig' iptables.org/extensions/.expire-test iptables/extensions/.expire-test
+--- iptables.org/extensions/.expire-test	1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/.expire-test	2006-03-29 09:22:51.000000000 +0200
+@@ -0,0 +1,3 @@
++#!/bin/sh
++
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_expire.h ] && echo expire
+diff -urN --exclude '*.orig' iptables.org/extensions/.expire-test6 iptables/extensions/.expire-test6
+--- iptables.org/extensions/.expire-test6	1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/.expire-test6	2006-03-29 09:22:52.000000000 +0200
+@@ -0,0 +1,3 @@
++#!/bin/sh
++
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_expire.h ] && echo expire
+diff -urN --exclude '*.orig' iptables.org/extensions/libip6t_expire.c iptables/extensions/libip6t_expire.c
+--- iptables.org/extensions/libip6t_expire.c	1970-01-01 01:00:00.000000000 +0100
++++ iptables/extensions/libip6t_expire.c	2006-03-29 09:22:52.000000000 +0200
+@@ -0,0 +1,170 @@
++/* This library manipulates expiring firewall rules
++ *
++ * This library is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this library; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <dillo at seas.upenn.edu>
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <time.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6t_expire.h>
++
++static void ip6t_exp_help(void);
++static int ip6t_exp_parse(int, char **, int, unsigned int *,
++		const struct ip6t_entry *, unsigned int *,
++		struct ip6t_entry_match **);
++static void ip6t_exp_final_check(unsigned int);
++static void ip6t_exp_print(const struct ip6t_ip *,
++		const struct ip6t_entry_match *, int);
++static void ip6t_exp_save(const struct ip6t_ip *, const struct ip6t_entry_match *);
++
++/**
++ * options
++ */
++static struct option ip6t_exp_opts[] = {
++	{ "expiration", 1, 0, 'e' },
++	{ 0 }
++};
++
++/**
++ * match
++ */
++static struct iptables_match ip6t_expire_match = {
++	.next = NULL,
++	.name = "expire",
++	.version = IPTABLES_VERSION,
++	.size = IP6T_ALIGN(sizeof(struct ip6t_exp_info)),
++	.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_exp_info)),
++	.help = &ip6t_exp_help,
++	.parse = &ip6t_exp_parse,
++	.final_check = &ip6t_exp_final_check,
++	.print = &ip6t_exp_print,
++	.save = &ip6t_exp_save,
++	.extra_opts = ip6t_exp_opts
++};
++
++/**
++ * shared library initialization
++ * @see register_match()
++ */
++void
++_init(void)
++{
<<Diff was trimmed, longer than 597 lines>>

