SOURCES: iptables-20060829.patch (NEW) - diff 1.3.5 and snap 20060...
cieciwa
cieciwa at pld-linux.org
Tue Aug 29 12:56:46 CEST 2006
Author: cieciwa Date: Tue Aug 29 10:56:46 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- diff 1.3.5 and snap 20060829.
---- Files affected:
SOURCES:
iptables-20060829.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/iptables-20060829.patch
diff -u /dev/null SOURCES/iptables-20060829.patch:1.1
--- /dev/null Tue Aug 29 12:56:46 2006
+++ SOURCES/iptables-20060829.patch Tue Aug 29 12:56:41 2006
@@ -0,0 +1,2987 @@
+diff -Nur iptables-1.3.5/extensions/.connbytes-test iptables/extensions/.connbytes-test
+--- iptables-1.3.5/extensions/.connbytes-test 2004-10-10 09:56:26.000000000 +0000
++++ iptables/extensions/.connbytes-test 2006-08-28 10:40:02.000000000 +0000
+@@ -1,2 +1,2 @@
+ #! /bin/sh
+-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_connbytes.c ] && echo connbytes
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connbytes.h ] && echo connbytes
+diff -Nur iptables-1.3.5/extensions/.esp-test6 iptables/extensions/.esp-test6
+--- iptables-1.3.5/extensions/.esp-test6 2004-10-10 09:56:24.000000000 +0000
++++ iptables/extensions/.esp-test6 2006-08-28 10:40:02.000000000 +0000
+@@ -1,2 +1,2 @@
+ #!/bin/sh
+-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_esp.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_esp.h ] && echo esp
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_esp.h ] && echo esp
+diff -Nur iptables-1.3.5/extensions/libip6t_CONNSECMARK.c iptables/extensions/libip6t_CONNSECMARK.c
+--- iptables-1.3.5/extensions/libip6t_CONNSECMARK.c 1970-01-01 00:00:00.000000000 +0000
++++ iptables/extensions/libip6t_CONNSECMARK.c 2006-08-28 10:40:02.000000000 +0000
+@@ -0,0 +1,124 @@
++/*
++ * Shared library add-on to ip6tables to add CONNSECMARK target support.
++ *
++ * Based on the MARK and CONNMARK targets.
++ *
++ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris at redhat.com>
++ */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ip6tables.h>
++#include <linux/netfilter/xt_CONNSECMARK.h>
++
++#define PFX "CONNSECMARK target: "
++
++static void help(void)
++{
++ printf(
++"CONNSECMARK target v%s options:\n"
++" --save Copy security mark from packet to conntrack\n"
++" --restore Copy security mark from connection to packet\n"
++"\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "save", 0, 0, '1' },
++ { "restore", 0, 0, '2' },
++ { 0 }
++};
++
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ip6t_entry *entry, struct ip6t_entry_target **target)
++{
++ struct xt_connsecmark_target_info *info =
++ (struct xt_connsecmark_target_info*)(*target)->data;
++
++ switch (c) {
++ case '1':
++ if (*flags & CONNSECMARK_SAVE)
++ exit_error(PARAMETER_PROBLEM, PFX
++ "Can't specify --save twice");
++ info->mode = CONNSECMARK_SAVE;
++ *flags |= CONNSECMARK_SAVE;
++ break;
++
++ case '2':
++ if (*flags & CONNSECMARK_RESTORE)
++ exit_error(PARAMETER_PROBLEM, PFX
++ "Can't specify --restore twice");
++ info->mode = CONNSECMARK_RESTORE;
++ *flags |= CONNSECMARK_RESTORE;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
++
++ if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
++ exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
++ "or --restore is allowed");
++}
++
++static void print_connsecmark(struct xt_connsecmark_target_info *info)
++{
++ switch (info->mode) {
++ case CONNSECMARK_SAVE:
++ printf("save ");
++ break;
++
++ case CONNSECMARK_RESTORE:
++ printf("restore ");
++ break;
++
++ default:
++ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
++ }
++}
++
++static void print(const struct ip6t_ip6 *ip,
++ const struct ip6t_entry_target *target, int numeric)
++{
++ struct xt_connsecmark_target_info *info =
++ (struct xt_connsecmark_target_info*)(target)->data;
++
++ printf("CONNSECMARK ");
++ print_connsecmark(info);
++}
++
++static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
++{
++ struct xt_connsecmark_target_info *info =
++ (struct xt_connsecmark_target_info*)target->data;
++
++ printf("--");
++ print_connsecmark(info);
++}
++
++static struct ip6tables_target connsecmark = {
++ .name = "CONNSECMARK",
++ .version = IPTABLES_VERSION,
++ .size = IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
++ .userspacesize = IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
++ .parse = &parse,
++ .help = &help,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ register_target6(&connsecmark);
++}
+diff -Nur iptables-1.3.5/extensions/libip6t_CONNSECMARK.man iptables/extensions/libip6t_CONNSECMARK.man
+--- iptables-1.3.5/extensions/libip6t_CONNSECMARK.man 1970-01-01 00:00:00.000000000 +0000
++++ iptables/extensions/libip6t_CONNSECMARK.man 2006-08-28 10:40:02.000000000 +0000
+@@ -0,0 +1,15 @@
++This module copies security markings from packets to connections
++(if unlabeled), and from connections back to packets (also only
++if unlabeled). Typically used in conjunction with SECMARK, it is
++only valid in the
++.B mangle
++table.
++.TP
++.B --save
++If the packet has a security marking, copy it to the connection
++if the connection is not marked.
++.TP
++.B --restore
++If the packet does not have a security marking, and the connection
++does, copy the security marking from the connection to the packet.
++
+diff -Nur iptables-1.3.5/extensions/libip6t_esp.c iptables/extensions/libip6t_esp.c
+--- iptables-1.3.5/extensions/libip6t_esp.c 2004-10-10 09:56:27.000000000 +0000
++++ iptables/extensions/libip6t_esp.c 2006-08-28 10:40:02.000000000 +0000
+@@ -61,6 +61,9 @@
+
+ spis[0] = buffer[0] ? parse_esp_spi(buffer) : 0;
+ spis[1] = cp[0] ? parse_esp_spi(cp) : 0xFFFFFFFF;
++ if (spis[0] > spis[1])
++ exit_error(PARAMETER_PROBLEM,
++ "Invalid ESP spi range: %s", spistring);
+ }
+ free(buffer);
+ }
+diff -Nur iptables-1.3.5/extensions/libip6t_icmp6.c iptables/extensions/libip6t_icmp6.c
+--- iptables-1.3.5/extensions/libip6t_icmp6.c 1970-01-01 00:00:00.000000000 +0000
++++ iptables/extensions/libip6t_icmp6.c 2006-08-28 10:40:02.000000000 +0000
+@@ -0,0 +1,278 @@
++/* Shared library add-on to iptables to add ICMP support. */
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++
++struct icmpv6_names {
++ const char *name;
++ u_int8_t type;
++ u_int8_t code_min, code_max;
++};
++
++static const struct icmpv6_names icmpv6_codes[] = {
++ { "destination-unreachable", 1, 0, 0xFF },
++ { "no-route", 1, 0, 0 },
++ { "communication-prohibited", 1, 1, 1 },
++ { "address-unreachable", 1, 3, 3 },
++ { "port-unreachable", 1, 4, 4 },
++
++ { "packet-too-big", 2, 0, 0xFF },
++
++ { "time-exceeded", 3, 0, 0xFF },
++ /* Alias */ { "ttl-exceeded", 3, 0, 0xFF },
++ { "ttl-zero-during-transit", 3, 0, 0 },
++ { "ttl-zero-during-reassembly", 3, 1, 1 },
++
++ { "parameter-problem", 4, 0, 0xFF },
++ { "bad-header", 4, 0, 0 },
++ { "unknown-header-type", 4, 1, 1 },
++ { "unknown-option", 4, 2, 2 },
++
++ { "echo-request", 128, 0, 0xFF },
++ /* Alias */ { "ping", 128, 0, 0xFF },
++
++ { "echo-reply", 129, 0, 0xFF },
++ /* Alias */ { "pong", 129, 0, 0xFF },
++
++ { "router-solicitation", 133, 0, 0xFF },
++
++ { "router-advertisement", 134, 0, 0xFF },
++
++ { "neighbour-solicitation", 135, 0, 0xFF },
++ /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF },
++
++ { "neighbour-advertisement", 136, 0, 0xFF },
++ /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF },
++
++ { "redirect", 137, 0, 0xFF },
++
++};
++
++static void
++print_icmpv6types()
++{
++ unsigned int i;
++ printf("Valid ICMPv6 Types:");
++
++ for (i = 0; i < sizeof(icmpv6_codes)/sizeof(struct icmpv6_names); i++) {
++ if (i && icmpv6_codes[i].type == icmpv6_codes[i-1].type) {
++ if (icmpv6_codes[i].code_min == icmpv6_codes[i-1].code_min
++ && (icmpv6_codes[i].code_max
++ == icmpv6_codes[i-1].code_max))
++ printf(" (%s)", icmpv6_codes[i].name);
++ else
++ printf("\n %s", icmpv6_codes[i].name);
++ }
++ else
++ printf("\n%s", icmpv6_codes[i].name);
++ }
++ printf("\n");
++}
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"ICMPv6 v%s options:\n"
++" --icmpv6-type [!] typename match icmpv6 type\n"
++" (or numeric type or type/code)\n"
++"\n", IPTABLES_VERSION);
++ print_icmpv6types();
++}
++
++static struct option opts[] = {
++ { "icmpv6-type", 1, 0, '1' },
++ {0}
++};
++
++static void
++parse_icmpv6(const char *icmpv6type, u_int8_t *type, u_int8_t code[])
++{
++ unsigned int limit = sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
++ unsigned int match = limit;
++ unsigned int i;
++
++ for (i = 0; i < limit; i++) {
++ if (strncasecmp(icmpv6_codes[i].name, icmpv6type, strlen(icmpv6type))
++ == 0) {
++ if (match != limit)
++ exit_error(PARAMETER_PROBLEM,
++ "Ambiguous ICMPv6 type `%s':"
++ " `%s' or `%s'?",
++ icmpv6type,
++ icmpv6_codes[match].name,
++ icmpv6_codes[i].name);
++ match = i;
++ }
++ }
++
++ if (match != limit) {
++ *type = icmpv6_codes[match].type;
++ code[0] = icmpv6_codes[match].code_min;
++ code[1] = icmpv6_codes[match].code_max;
++ } else {
++ char *slash;
++ char buffer[strlen(icmpv6type) + 1];
++ unsigned int number;
++
++ strcpy(buffer, icmpv6type);
++ slash = strchr(buffer, '/');
++
++ if (slash)
++ *slash = '\0';
++
++ if (string_to_number(buffer, 0, 255, &number) == -1)
++ exit_error(PARAMETER_PROBLEM,
++ "Invalid ICMPv6 type `%s'\n", buffer);
++ *type = number;
++ if (slash) {
++ if (string_to_number(slash+1, 0, 255, &number) == -1)
++ exit_error(PARAMETER_PROBLEM,
++ "Invalid ICMPv6 code `%s'\n",
++ slash+1);
++ code[0] = code[1] = number;
++ } else {
++ code[0] = 0;
++ code[1] = 0xFF;
++ }
++ }
++}
++
++/* Initialize the match. */
++static void
++init(struct ip6t_entry_match *m, unsigned int *nfcache)
++{
++ struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)m->data;
++
++ icmpv6info->code[1] = 0xFF;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ip6t_entry *entry,
++ unsigned int *nfcache,
++ struct ip6t_entry_match **match)
++{
++ struct ip6t_icmp *icmpv6info = (struct ip6t_icmp *)(*match)->data;
++
++ switch (c) {
++ case '1':
++ if (*flags == 1)
++ exit_error(PARAMETER_PROBLEM,
++ "icmpv6 match: only use --icmpv6-type once!");
++ check_inverse(optarg, &invert, &optind, 0);
++ parse_icmpv6(argv[optind-1], &icmpv6info->type,
++ icmpv6info->code);
++ if (invert)
++ icmpv6info->invflags |= IP6T_ICMP_INV;
++ *flags = 1;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++static void print_icmpv6type(u_int8_t type,
++ u_int8_t code_min, u_int8_t code_max,
++ int invert,
++ int numeric)
++{
++ if (!numeric) {
++ unsigned int i;
++
++ for (i = 0;
++ i < sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
++ i++) {
++ if (icmpv6_codes[i].type == type
++ && icmpv6_codes[i].code_min == code_min
++ && icmpv6_codes[i].code_max == code_max)
++ break;
++ }
++
++ if (i != sizeof(icmpv6_codes)/sizeof(struct icmpv6_names)) {
++ printf("%s%s ",
++ invert ? "!" : "",
++ icmpv6_codes[i].name);
++ return;
++ }
++ }
++
++ if (invert)
++ printf("!");
++
++ printf("type %u", type);
++ if (code_min == 0 && code_max == 0xFF)
++ printf(" ");
++ else if (code_min == code_max)
++ printf(" code %u ", code_min);
++ else
++ printf(" codes %u-%u ", code_min, code_max);
++}
++
++/* Prints out the union ipt_matchinfo. */
++static void
++print(const struct ip6t_ip6 *ip,
++ const struct ip6t_entry_match *match,
++ int numeric)
++{
++ const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
++
++ printf("ipv6-icmp ");
++ print_icmpv6type(icmpv6->type, icmpv6->code[0], icmpv6->code[1],
++ icmpv6->invflags & IP6T_ICMP_INV,
++ numeric);
++
++ if (icmpv6->invflags & ~IP6T_ICMP_INV)
++ printf("Unknown invflags: 0x%X ",
++ icmpv6->invflags & ~IP6T_ICMP_INV);
++}
++
++/* Saves the match in parsable form to stdout. */
++static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
++{
++ const struct ip6t_icmp *icmpv6 = (struct ip6t_icmp *)match->data;
++
++ if (icmpv6->invflags & IP6T_ICMP_INV)
++ printf("! ");
++
++ printf("--icmpv6-type %u", icmpv6->type);
++ if (icmpv6->code[0] != 0 || icmpv6->code[1] != 0xFF)
++ printf("/%u", icmpv6->code[0]);
++ printf(" ");
++}
++
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "icmpv6 match: You must specify `--icmpv6-type'");
++}
++
++static struct ip6tables_match icmpv6 = {
++ .name = "icmp6",
++ .version = IPTABLES_VERSION,
++ .size = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_icmp)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts,
++};
++
++void _init(void)
++{
++ register_match6(&icmpv6);
++}
+diff -Nur iptables-1.3.5/extensions/libip6t_icmp6.man iptables/extensions/libip6t_icmp6.man
+--- iptables-1.3.5/extensions/libip6t_icmp6.man 1970-01-01 00:00:00.000000000 +0000
++++ iptables/extensions/libip6t_icmp6.man 2006-08-28 10:40:02.000000000 +0000
+@@ -0,0 +1,14 @@
++This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
++specified. It provides the following option:
++.TP
++.BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
++This allows specification of the ICMPv6 type, which can be a numeric
++ICMPv6
++.IR type ,
++.IR type
++and
++.IR code ,
++or one of the ICMPv6 type names shown by the command
++.nf
++ ip6tables -p ipv6-icmp -h
++.fi
+diff -Nur iptables-1.3.5/extensions/libip6t_icmpv6.c iptables/extensions/libip6t_icmpv6.c
+--- iptables-1.3.5/extensions/libip6t_icmpv6.c 2005-02-19 19:19:17.000000000 +0000
++++ iptables/extensions/libip6t_icmpv6.c 1970-01-01 00:00:00.000000000 +0000
+@@ -1,272 +0,0 @@
+-/* Shared library add-on to iptables to add ICMP support. */
+-#include <stdio.h>
+-#include <netdb.h>
+-#include <string.h>
+-#include <stdlib.h>
+-#include <getopt.h>
+-#include <ip6tables.h>
+-#include <linux/netfilter_ipv6/ip6_tables.h>
+-
+-struct icmpv6_names {
+- const char *name;
+- u_int8_t type;
+- u_int8_t code_min, code_max;
+-};
+-
+-static const struct icmpv6_names icmpv6_codes[] = {
+- { "destination-unreachable", 1, 0, 0xFF },
+- { "no-route", 1, 0, 0 },
+- { "communication-prohibited", 1, 1, 1 },
+- { "address-unreachable", 1, 3, 3 },
+- { "port-unreachable", 1, 4, 4 },
+-
+- { "packet-too-big", 2, 0, 0xFF },
+-
+- { "time-exceeded", 3, 0, 0xFF },
+- /* Alias */ { "ttl-exceeded", 3, 0, 0xFF },
+- { "ttl-zero-during-transit", 3, 0, 0 },
+- { "ttl-zero-during-reassembly", 3, 1, 1 },
+-
+- { "parameter-problem", 4, 0, 0xFF },
+- { "bad-header", 4, 0, 0 },
+- { "unknown-header-type", 4, 1, 1 },
+- { "unknown-option", 4, 2, 2 },
+-
+- { "echo-request", 128, 0, 0xFF },
+- /* Alias */ { "ping", 128, 0, 0xFF },
+-
+- { "echo-reply", 129, 0, 0xFF },
+- /* Alias */ { "pong", 129, 0, 0xFF },
+-
+- { "router-solicitation", 133, 0, 0xFF },
+-
+- { "router-advertisement", 134, 0, 0xFF },
+-
+- { "neighbour-solicitation", 135, 0, 0xFF },
+- /* Alias */ { "neighbor-solicitation", 135, 0, 0xFF },
+-
+- { "neighbour-advertisement", 136, 0, 0xFF },
+- /* Alias */ { "neighbor-advertisement", 136, 0, 0xFF },
+-
+- { "redirect", 137, 0, 0xFF },
+-
+-};
+-
+-static void
+-print_icmpv6types()
+-{
+- unsigned int i;
+- printf("Valid ICMPv6 Types:");
+-
+- for (i = 0; i < sizeof(icmpv6_codes)/sizeof(struct icmpv6_names); i++) {
+- if (i && icmpv6_codes[i].type == icmpv6_codes[i-1].type) {
+- if (icmpv6_codes[i].code_min == icmpv6_codes[i-1].code_min
+- && (icmpv6_codes[i].code_max
+- == icmpv6_codes[i-1].code_max))
+- printf(" (%s)", icmpv6_codes[i].name);
+- else
+- printf("\n %s", icmpv6_codes[i].name);
+- }
+- else
+- printf("\n%s", icmpv6_codes[i].name);
+- }
+- printf("\n");
+-}
+-
+-/* Function which prints out usage message. */
+-static void
+-help(void)
+-{
+- printf(
+-"ICMPv6 v%s options:\n"
+-" --icmpv6-type [!] typename match icmpv6 type\n"
+-" (or numeric type or type/code)\n"
+-"\n", IPTABLES_VERSION);
+- print_icmpv6types();
+-}
+-
+-static struct option opts[] = {
+- { "icmpv6-type", 1, 0, '1' },
+- {0}
+-};
+-
+-static void
+-parse_icmpv6(const char *icmpv6type, u_int8_t *type, u_int8_t code[])
+-{
+- unsigned int limit = sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
+- unsigned int match = limit;
+- unsigned int i;
+-
+- for (i = 0; i < limit; i++) {
+- if (strncasecmp(icmpv6_codes[i].name, icmpv6type, strlen(icmpv6type))
+- == 0) {
+- if (match != limit)
+- exit_error(PARAMETER_PROBLEM,
+- "Ambiguous ICMPv6 type `%s':"
+- " `%s' or `%s'?",
+- icmpv6type,
+- icmpv6_codes[match].name,
+- icmpv6_codes[i].name);
+- match = i;
+- }
+- }
+-
<<Diff was trimmed, longer than 597 lines>>
More information about the pld-cvs-commit
mailing list