packages: iptables/iptables-20070806.patch - drop ipv4options (available in...
arekm
arekm at pld-linux.org
Tue Oct 12 21:34:13 CEST 2010
Author: arekm Date: Tue Oct 12 19:34:13 2010 GMT
Module: packages Tag: HEAD
---- Log message:
- drop ipv4options (available in xtables-addons)
---- Files affected:
packages/iptables:
iptables-20070806.patch (1.10 -> 1.11)
---- Diffs:
================================================================
Index: packages/iptables/iptables-20070806.patch
diff -u packages/iptables/iptables-20070806.patch:1.10 packages/iptables/iptables-20070806.patch:1.11
--- packages/iptables/iptables-20070806.patch:1.10 Mon Aug 30 22:55:01 2010
+++ packages/iptables/iptables-20070806.patch Tue Oct 12 21:34:08 2010
@@ -85,353 +85,4 @@
+The target doesn't take any option, and therefore is extremly easy to use :
+
+# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
-diff -urN iptables-1.3.8/extensions/libipt_ipv4options.c iptables/extensions/libipt_ipv4options.c
---- iptables-1.3.8/extensions/libipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_ipv4options.c 2006-12-12 11:34:45.000000000 +0100
-@@ -0,0 +1,310 @@
-+/* Shared library add-on to iptables to add ipv4 options matching support. */
-+#include <stdio.h>
-+#include <netdb.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ipt_ipv4options.h>
-+
-+/* Function which prints out usage message. */
-+static void
-+help(void)
-+{
-+ printf(
-+"ipv4options v%s options:\n"
-+" --ssrr (match strict source routing flag)\n"
-+" --lsrr (match loose source routing flag)\n"
-+" --no-srr (match packets with no source routing)\n\n"
-+" [!] --rr (match record route flag)\n\n"
-+" [!] --ts (match timestamp flag)\n\n"
-+" [!] --ra (match router-alert option)\n\n"
-+" [!] --any-opt (match any option or no option at all if used with '!')\n",
-+XTABLES_VERSION);
-+}
-+
-+static struct option opts[] = {
-+ { "ssrr", 0, 0, '1' },
-+ { "lsrr", 0, 0, '2' },
-+ { "no-srr", 0, 0, '3'},
-+ { "rr", 0, 0, '4'},
-+ { "ts", 0, 0, '5'},
-+ { "ra", 0, 0, '6'},
-+ { "any-opt", 0, 0, '7'},
-+ {0}
-+};
-+
-+/* Function which parses command options; returns true if it
-+ ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const void *entry,
-+ struct xt_entry_match **match)
-+{
-+ struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
-+
-+ switch (c)
-+ {
-+ /* strict-source-routing */
-+ case '1':
-+ if (invert)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "ipv4options: unexpected `!' with --ssrr");
-+ if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ssrr twice");
-+ if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ssrr with --lsrr");
-+ if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ssrr with --no-srr");
-+
-+ info->options |= IPT_IPV4OPTION_MATCH_SSRR;
-+ *flags |= IPT_IPV4OPTION_MATCH_SSRR;
-+ break;
-+
-+ /* loose-source-routing */
-+ case '2':
-+ if (invert)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "ipv4options: unexpected `!' with --lsrr");
-+ if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --lsrr twice");
-+ if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --lsrr with --ssrr");
-+ if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --lsrr with --no-srr");
-+ info->options |= IPT_IPV4OPTION_MATCH_LSRR;
-+ *flags |= IPT_IPV4OPTION_MATCH_LSRR;
-+ break;
-+
-+ /* no-source-routing */
-+ case '3':
-+ if (invert)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "ipv4options: unexpected `!' with --no-srr");
-+ if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --no-srr twice");
-+ if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --no-srr with --ssrr");
-+ if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --no-srr with --lsrr");
-+ info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
-+ *flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
-+ break;
-+
-+ /* record-route */
-+ case '4':
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --rr twice");
-+ if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --rr twice");
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --rr with ! --rr");
-+ if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --rr with --rr");
-+ if (invert) {
-+ info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
-+ *flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
-+ }
-+ else {
-+ info->options |= IPT_IPV4OPTION_MATCH_RR;
-+ *flags |= IPT_IPV4OPTION_MATCH_RR;
-+ }
-+ break;
-+
-+ /* timestamp */
-+ case '5':
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ts twice");
-+ if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --ts twice");
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ts with ! --ts");
-+ if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --ts with --ts");
-+ if (invert) {
-+ info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
-+ *flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
-+ }
-+ else {
-+ info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
-+ *flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
-+ }
-+ break;
-+
-+ /* router-alert */
-+ case '6':
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ra twice");
-+ if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --rr twice");
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --ra with ! --ra");
-+ if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --ra with --ra");
-+ if (invert) {
-+ info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
-+ *flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
-+ }
-+ else {
-+ info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
-+ *flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
-+ }
-+ break;
-+
-+ /* any option */
-+ case '7' :
-+ if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --any-opt twice");
-+ if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --any-opt with --any-opt");
-+ if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --any-opt twice");
-+ if ((!invert) &&
-+ ((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR) ||
-+ (*flags & IPT_IPV4OPTION_DONT_MATCH_RR) ||
-+ (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
-+ (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify --any-opt with any other negative ipv4options match");
-+ if (invert &&
-+ ((*flags & IPT_IPV4OPTION_MATCH_LSRR) ||
-+ (*flags & IPT_IPV4OPTION_MATCH_SSRR) ||
-+ (*flags & IPT_IPV4OPTION_MATCH_RR) ||
-+ (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
-+ (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "Can't specify ! --any-opt with any other positive ipv4options match");
-+ if (invert) {
-+ info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
-+ *flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
-+ }
-+ else {
-+ info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
-+ *flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
-+ }
-+ break;
-+
-+ default:
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static void
-+final_check(unsigned int flags)
-+{
-+ if (flags == 0)
-+ xtables_error(PARAMETER_PROBLEM,
-+ "ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
-+}
-+
-+/* Prints out the matchinfo. */
-+static void
-+print(const void *ip,
-+ const struct xt_entry_match *match,
-+ int numeric)
-+{
-+ struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
-+
-+ printf(" IPV4OPTS");
-+ if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
-+ printf(" SSRR");
-+ else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
-+ printf(" LSRR");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
-+ printf(" !SRR");
-+ if (info->options & IPT_IPV4OPTION_MATCH_RR)
-+ printf(" RR");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
-+ printf(" !RR");
-+ if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
-+ printf(" TS");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
-+ printf(" !TS");
-+ if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
-+ printf(" RA");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
-+ printf(" !RA");
-+ if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
-+ printf(" ANYOPT ");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
-+ printf(" NOOPT");
-+
-+ printf(" ");
-+}
-+
-+/* Saves the data in parsable form to stdout. */
-+static void
-+save(const void *ip, const struct xt_entry_match *match)
-+{
-+ struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
-+
-+ if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
-+ printf(" --ssrr");
-+ else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
-+ printf(" --lsrr");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
-+ printf(" --no-srr");
-+ if (info->options & IPT_IPV4OPTION_MATCH_RR)
-+ printf(" --rr");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
-+ printf(" ! --rr");
-+ if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
-+ printf(" --ts");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
-+ printf(" ! --ts");
-+ if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
-+ printf(" --ra");
-+ else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
-+ printf(" ! --ra");
-+ if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
-+ printf(" --any-opt");
-+ if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
-+ printf(" ! --any-opt");
-+
-+ printf(" ");
-+}
-+
-+static struct xtables_match ipv4options_struct = {
-+ .next = NULL,
-+ .name = "ipv4options",
-+ .version = XTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
-+ .help = &help,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ xtables_register_match(&ipv4options_struct);
-+}
-diff -urN iptables-1.3.8/extensions/libipt_ipv4options.man iptables/extensions/libipt_ipv4options.man
---- iptables-1.3.8/extensions/libipt_ipv4options.man 1970-01-01 01:00:00.000000000 +0100
-+++ iptables/extensions/libipt_ipv4options.man 2006-12-12 11:34:45.000000000 +0100
-@@ -0,0 +1,32 @@
-+Match on IPv4 header options like source routing, record route,
-+timestamp and router-alert.
-+.TP
-+.B "--ssrr"
-+To match packets with the flag strict source routing.
-+.TP
-+.B "--lsrr"
-+To match packets with the flag loose source routing.
-+.TP
-+.B "--no-srr"
-+To match packets with no flag for source routing.
-+.TP
-+.B "\fR[\fB!\fR]\fB --rr"
-+To match packets with the RR flag.
-+.TP
-+.B "\fR[\fB!\fR]\fB --ts"
-+To match packets with the TS flag.
-+.TP
-+.B "\fR[\fB!\fR]\fB --ra"
-+To match packets with the router-alert option.
-+.TP
-+.B "\fR[\fB!\fR]\fB --any-opt"
-+To match a packet with at least one IP option, or no IP option
-+at all if ! is chosen.
-+.TP
-+Examples:
-+.TP
-+$ iptables -A input -m ipv4options --rr -j DROP
-+will drop packets with the record-route flag.
-+.TP
-+$ iptables -A input -m ipv4options --ts -j DROP
-+will drop packets with the timestamp flag.
+
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/iptables/iptables-20070806.patch?r1=1.10&r2=1.11&f=u