1 diff -x .svn -Nur iptables-1.3.7/extensions/.account-test iptables-svn/extensions/.account-test
2 --- iptables-1.3.7/extensions/.account-test 2006-12-04 12:15:19.000000000 +0100
3 +++ iptables-svn/extensions/.account-test 1970-01-01 01:00:00.000000000 +0100
6 -# True if account match patch is applied.
7 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_account.h ] && echo account
8 diff -x .svn -Nur iptables-1.3.7/extensions/.BALANCE-test iptables-svn/extensions/.BALANCE-test
9 --- iptables-1.3.7/extensions/.BALANCE-test 2006-12-04 12:15:19.000000000 +0100
10 +++ iptables-svn/extensions/.BALANCE-test 1970-01-01 01:00:00.000000000 +0100
13 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_BALANCE.c ] && echo BALANCE
14 diff -x .svn -Nur iptables-1.3.7/extensions/.childlevel-test iptables-svn/extensions/.childlevel-test
15 --- iptables-1.3.7/extensions/.childlevel-test 2006-12-04 12:15:19.000000000 +0100
16 +++ iptables-svn/extensions/.childlevel-test 1970-01-01 01:00:00.000000000 +0100
19 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_childlevel.h ] && echo childlevel
20 diff -x .svn -Nur iptables-1.3.7/extensions/.connrate-test iptables-svn/extensions/.connrate-test
21 --- iptables-1.3.7/extensions/.connrate-test 2006-12-04 12:15:20.000000000 +0100
22 +++ iptables-svn/extensions/.connrate-test 1970-01-01 01:00:00.000000000 +0100
25 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connrate.h ] && echo connrate
26 diff -x .svn -Nur iptables-1.3.7/extensions/.dstlimit-test iptables-svn/extensions/.dstlimit-test
27 --- iptables-1.3.7/extensions/.dstlimit-test 2006-12-04 12:15:19.000000000 +0100
28 +++ iptables-svn/extensions/.dstlimit-test 1970-01-01 01:00:00.000000000 +0100
31 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_dstlimit.c ] && echo dstlimit
32 diff -x .svn -Nur iptables-1.3.7/extensions/.FTOS-test iptables-svn/extensions/.FTOS-test
33 --- iptables-1.3.7/extensions/.FTOS-test 2006-12-04 12:15:20.000000000 +0100
34 +++ iptables-svn/extensions/.FTOS-test 1970-01-01 01:00:00.000000000 +0100
37 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_FTOS.h ] && echo FTOS
38 diff -x .svn -Nur iptables-1.3.7/extensions/.fuzzy-test iptables-svn/extensions/.fuzzy-test
39 --- iptables-1.3.7/extensions/.fuzzy-test 2006-12-04 12:15:20.000000000 +0100
40 +++ iptables-svn/extensions/.fuzzy-test 1970-01-01 01:00:00.000000000 +0100
43 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_fuzzy.h ] && echo fuzzy
44 diff -x .svn -Nur iptables-1.3.7/extensions/.fuzzy-test6 iptables-svn/extensions/.fuzzy-test6
45 --- iptables-1.3.7/extensions/.fuzzy-test6 2006-12-04 12:15:20.000000000 +0100
46 +++ iptables-svn/extensions/.fuzzy-test6 1970-01-01 01:00:00.000000000 +0100
49 -[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_fuzzy.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_fuzzy.h ] && echo fuzzy
50 diff -x .svn -Nur iptables-1.3.7/extensions/.IPMARK-test iptables-svn/extensions/.IPMARK-test
51 --- iptables-1.3.7/extensions/.IPMARK-test 2006-12-04 12:15:19.000000000 +0100
52 +++ iptables-svn/extensions/.IPMARK-test 1970-01-01 01:00:00.000000000 +0100
55 -# True if IPMARK patch is applied.
56 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
57 diff -x .svn -Nur iptables-1.3.7/extensions/.ipv4options-test iptables-svn/extensions/.ipv4options-test
58 --- iptables-1.3.7/extensions/.ipv4options-test 2006-12-04 12:15:19.000000000 +0100
59 +++ iptables-svn/extensions/.ipv4options-test 1970-01-01 01:00:00.000000000 +0100
62 -# True if ipv4options is applied.
63 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options
64 diff -x .svn -Nur iptables-1.3.7/extensions/.IPV4OPTSSTRIP-test iptables-svn/extensions/.IPV4OPTSSTRIP-test
65 --- iptables-1.3.7/extensions/.IPV4OPTSSTRIP-test 2006-12-04 12:15:19.000000000 +0100
66 +++ iptables-svn/extensions/.IPV4OPTSSTRIP-test 1970-01-01 01:00:00.000000000 +0100
69 -# True if IPV4OPTSSTRIP patch is applied.
70 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c ] && echo IPV4OPTSSTRIP
71 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_eui64.man iptables-svn/extensions/libip6t_eui64.man
72 --- iptables-1.3.7/extensions/libip6t_eui64.man 2006-12-04 12:15:20.000000000 +0100
73 +++ iptables-svn/extensions/libip6t_eui64.man 2007-05-31 12:46:30.000000000 +0200
75 This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
76 -It compares the EUI-64 derived from the source MAC address in Ehternet frame
77 +It compares the EUI-64 derived from the source MAC address in Ethernet frame
78 with the lower 64 bits of the IPv6 source address. But "Universal/Local"
79 bit is not compared. This module doesn't match other link layer frame, and
81 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_fuzzy.c iptables-svn/extensions/libip6t_fuzzy.c
82 --- iptables-1.3.7/extensions/libip6t_fuzzy.c 2006-12-04 12:15:20.000000000 +0100
83 +++ iptables-svn/extensions/libip6t_fuzzy.c 1970-01-01 01:00:00.000000000 +0100
86 - Shared library add-on to iptables to add match support for the fuzzy match.
88 - This file is distributed under the terms of the GNU General Public
89 - License (GPL). Copies of the GPL can be obtained from:
90 - ftp://prep.ai.mit.edu/pub/gnu/GPL
92 -2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
93 -2003-04-08 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
94 -2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
95 -the save function , thanks to information given by Jean-Francois Patenaude.
105 -#include <ip6tables.h>
106 -#include <linux/netfilter_ipv6/ip6_tables.h>
107 -#include <linux/netfilter_ipv6/ip6t_fuzzy.h>
114 -"fuzzy v%s options:\n"
115 -" --lower-limit number (in packets per second)\n"
116 -" --upper-limit number\n"
120 -static struct option opts[] = {
121 - { .name = "lower-limit", .has_arg = 1, .flag = 0, .val = '1' },
122 - { .name = "upper-limit", .has_arg = 1, .flag = 0, .val = '2' },
126 -/* Initialize data structures */
128 -init(struct ip6t_entry_match *m, unsigned int *nfcache)
130 - struct ip6t_fuzzy_info *presentinfo = (struct ip6t_fuzzy_info *)(m)->data;
132 - * Default rates ( I'll improve this very soon with something based
133 - * on real statistics of the running machine ) .
136 - presentinfo->minimum_rate = 1000;
137 - presentinfo->maximum_rate = 2000;
140 -#define IP6T_FUZZY_OPT_MINIMUM 0x01
141 -#define IP6T_FUZZY_OPT_MAXIMUM 0x02
144 -parse(int c, char **argv, int invert, unsigned int *flags,
145 - const struct ip6t_entry *entry,
146 - unsigned int *nfcache,
147 - struct ip6t_entry_match **match)
149 - struct ip6t_fuzzy_info *fuzzyinfo =
150 - (struct ip6t_fuzzy_info *)(*match)->data;
159 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
161 - if (*flags & IP6T_FUZZY_OPT_MINIMUM)
162 - exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
164 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
165 - exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
167 - fuzzyinfo->minimum_rate = num ;
169 - *flags |= IP6T_FUZZY_OPT_MINIMUM;
176 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
178 - if (*flags & IP6T_FUZZY_OPT_MAXIMUM)
179 - exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
181 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
182 - exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
184 - fuzzyinfo->maximum_rate = num;
186 - *flags |= IP6T_FUZZY_OPT_MAXIMUM;
196 -static void final_check(unsigned int flags)
201 -print(const struct ip6t_ip6 *ipv6,
202 - const struct ip6t_entry_match *match,
205 - const struct ip6t_fuzzy_info *fuzzyinfo
206 - = (const struct ip6t_fuzzy_info *)match->data;
208 - printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",
209 - fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
212 -/* Saves the union ip6t_targinfo in parsable form to stdout. */
214 -save(const struct ip6t_ip6 *ipv6, const struct ip6t_entry_match *match)
216 - const struct ip6t_fuzzy_info *fuzzyinfo
217 - = (const struct ip6t_fuzzy_info *)match->data;
219 - printf("--lower-limit %u --upper-limit %u ",
220 - fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
223 -struct ip6tables_match fuzzy_match = {
225 - .version = IPTABLES_VERSION,
226 - .size = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
227 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
231 - .final_check = &final_check,
239 - register_match6(&fuzzy_match);
241 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_fuzzy.man iptables-svn/extensions/libip6t_fuzzy.man
242 --- iptables-1.3.7/extensions/libip6t_fuzzy.man 2006-12-04 12:15:20.000000000 +0100
243 +++ iptables-svn/extensions/libip6t_fuzzy.man 1970-01-01 01:00:00.000000000 +0100
245 -This module matches a rate limit based on a fuzzy logic controller [FLC]
247 -.BI "--lower-limit " "number"
248 -Specifies the lower limit (in packets per second).
250 -.BI "--upper-limit " "number"
251 -Specifies the upper limit (in packets per second).
252 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_icmp6.man iptables-svn/extensions/libip6t_icmp6.man
253 --- iptables-1.3.7/extensions/libip6t_icmp6.man 2006-12-04 12:15:19.000000000 +0100
254 +++ iptables-svn/extensions/libip6t_icmp6.man 2007-05-31 12:46:30.000000000 +0200
256 -This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
257 +This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is
258 specified. It provides the following option:
260 .BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
261 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_mh.c iptables-svn/extensions/libip6t_mh.c
262 --- iptables-1.3.7/extensions/libip6t_mh.c 1970-01-01 01:00:00.000000000 +0100
263 +++ iptables-svn/extensions/libip6t_mh.c 2007-05-31 12:46:30.000000000 +0200
265 +/* Shared library add-on to ip6tables to add mobility header support. */
267 + * Copyright (C)2006 USAGI/WIDE Project
269 + * This program is free software; you can redistribute it and/or modify
270 + * it under the terms of the GNU General Public License version 2 as
271 + * published by the Free Software Foundation.
274 + * Masahide NAKAMURA @USAGI <masahide.nakamura.cz@hitachi.com>
276 + * Based on libip6t_{icmpv6,udp}.c
283 +#include <ip6tables.h>
284 +#include <linux/netfilter_ipv6/ip6_tables.h>
285 +#include <linux/netfilter_ipv6/ip6t_mh.h>
292 +static const struct mh_name mh_names[] = {
293 + { "binding-refresh-request", 0, },
294 + /* Alias */ { "brr", 0, },
295 + { "home-test-init", 1, },
296 + /* Alias */ { "hoti", 1, },
297 + { "careof-test-init", 2, },
298 + /* Alias */ { "coti", 2, },
299 + { "home-test", 3, },
300 + /* Alias */ { "hot", 3, },
301 + { "careof-test", 4, },
302 + /* Alias */ { "cot", 4, },
303 + { "binding-update", 5, },
304 + /* Alias */ { "bu", 5, },
305 + { "binding-acknowledgement", 6, },
306 + /* Alias */ { "ba", 6, },
307 + { "binding-error", 7, },
308 + /* Alias */ { "be", 7, },
311 +static void print_types_all(void)
314 + printf("Valid MH types:");
316 + for (i = 0; i < sizeof(mh_names)/sizeof(struct mh_name); i++) {
317 + if (i && mh_names[i].type == mh_names[i-1].type)
318 + printf(" (%s)", mh_names[i].name);
320 + printf("\n%s", mh_names[i].name);
325 +static void help(void)
329 +" --mh-type [!] type[:type] match mh type\n",
334 +static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
336 + struct ip6t_mh *mhinfo = (struct ip6t_mh *)m->data;
338 + mhinfo->types[1] = 0xFF;
341 +static unsigned int name_to_type(const char *name)
343 + int namelen = strlen(name);
344 + unsigned int limit = sizeof(mh_names)/sizeof(struct mh_name);
345 + unsigned int match = limit;
348 + for (i = 0; i < limit; i++) {
349 + if (strncasecmp(mh_names[i].name, name, namelen) == 0) {
350 + int len = strlen(mh_names[i].name);
351 + if (match == limit || len == namelen)
356 + if (match != limit) {
357 + return mh_names[match].type;
359 + unsigned int number;
361 + if (string_to_number(name, 0, 255, &number) == -1)
362 + exit_error(PARAMETER_PROBLEM,
363 + "Invalid MH type `%s'\n", name);
368 +static void parse_mh_types(const char *mhtype, u_int8_t *types)
373 + buffer = strdup(mhtype);
374 + if ((cp = strchr(buffer, ':')) == NULL)
375 + types[0] = types[1] = name_to_type(buffer);
380 + types[0] = buffer[0] ? name_to_type(buffer) : 0;
381 + types[1] = cp[0] ? name_to_type(cp) : 0xFF;
383 + if (types[0] > types[1])
384 + exit_error(PARAMETER_PROBLEM,
385 + "Invalid MH type range (min > max)");
390 +#define MH_TYPES 0x01
392 +static int parse(int c, char **argv, int invert, unsigned int *flags,
393 + const struct ip6t_entry *entry,
394 + unsigned int *nfcache,
395 + struct ip6t_entry_match **match)
397 + struct ip6t_mh *mhinfo = (struct ip6t_mh *)(*match)->data;
401 + if (*flags & MH_TYPES)
402 + exit_error(PARAMETER_PROBLEM,
403 + "Only one `--mh-type' allowed");
404 + check_inverse(optarg, &invert, &optind, 0);
405 + parse_mh_types(argv[optind-1], mhinfo->types);
407 + mhinfo->invflags |= IP6T_MH_INV_TYPE;
408 + *flags |= MH_TYPES;
418 +/* Final check; we don't care. */
419 +static void final_check(unsigned int flags)
423 +static const char *type_to_name(u_int8_t type)
427 + for (i = 0; i < sizeof(mh_names)/sizeof(struct mh_name); i++) {
428 + if (mh_names[i].type == type)
429 + return mh_names[i].name;
435 +static void print_type(u_int8_t type, int numeric)
438 + if (numeric || !(name = type_to_name(type)))
439 + printf("%u", type);
441 + printf("%s", name);
444 +static void print_types(u_int8_t min, u_int8_t max, int invert, int numeric)
446 + const char *inv = invert ? "!" : "";
448 + if (min != 0 || max != 0xFF || invert) {
451 + print_type(min, numeric);
454 + print_type(min, numeric);
456 + print_type(max, numeric);
462 +static void print(const struct ip6t_ip6 *ip,
463 + const struct ip6t_entry_match *match,
466 + const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
469 + print_types(mhinfo->types[0], mhinfo->types[1],
470 + mhinfo->invflags & IP6T_MH_INV_TYPE,
472 + if (mhinfo->invflags & ~IP6T_MH_INV_MASK)
473 + printf("Unknown invflags: 0x%X ",
474 + mhinfo->invflags & ~IP6T_MH_INV_MASK);
477 +static void save(const struct ip6t_ip6 *ip,
478 + const struct ip6t_entry_match *match)
480 + const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
482 + if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
485 + if (mhinfo->invflags & IP6T_MH_INV_TYPE)
488 + if (mhinfo->types[0] != mhinfo->types[1])
489 + printf("--mh-type %u:%u ", mhinfo->types[0], mhinfo->types[1]);
491 + printf("--mh-type %u ", mhinfo->types[0]);
494 +static struct option opts[] = {
495 + { "mh-type", 1, 0, '1' },
499 +static struct ip6tables_match mh = {
501 + .version = IPTABLES_VERSION,
502 + .size = IP6T_ALIGN(sizeof(struct ip6t_mh)),
503 + .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mh)),
507 + .final_check = &final_check,
510 + .extra_opts = opts,
515 + register_match6(&mh);
517 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_mh.man iptables-svn/extensions/libip6t_mh.man
518 --- iptables-1.3.7/extensions/libip6t_mh.man 1970-01-01 01:00:00.000000000 +0100
519 +++ iptables-svn/extensions/libip6t_mh.man 2007-05-31 12:46:30.000000000 +0200
521 +This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is
522 +specified. It provides the following option:
524 +.BR "--mh-type " "[!] \fItype\fP[:\fItype\fP]"
525 +This allows specification of the Mobility Header(MH) type, which can be
529 +or one of the MH type names shown by the command
531 + ip6tables -p ipv6-mh -h
533 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_NFLOG.c iptables-svn/extensions/libip6t_NFLOG.c
534 --- iptables-1.3.7/extensions/libip6t_NFLOG.c 2006-12-04 12:15:20.000000000 +0100
535 +++ iptables-svn/extensions/libip6t_NFLOG.c 2007-05-31 12:46:30.000000000 +0200
538 struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
540 - info->group = XT_NFLOG_DEFAULT_GROUP;
542 info->threshold = XT_NFLOG_DEFAULT_THRESHOLD;
546 "Unexpected `!' after --nflog-group");
549 - if (n < 1 || n > 32)
551 exit_error(PARAMETER_PROBLEM,
552 - "--nflog-group has to be between 1 and 32");
553 - info->group = 1 << (n - 1);
554 + "--nflog-group can not be negative");
558 if (*flags & NFLOG_PREFIX)
561 if (info->prefix[0] != '\0')
562 printf("%snflog-prefix \"%s\" ", prefix, info->prefix);
563 - if (info->group != XT_NFLOG_DEFAULT_GROUP)
564 - printf("%snflog-group %u ", prefix, ffs(info->group));
566 + printf("%snflog-group %u ", prefix, info->group);
568 printf("%snflog-range %u ", prefix, info->len);
569 if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
570 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_nth.c iptables-svn/extensions/libip6t_nth.c
571 --- iptables-1.3.7/extensions/libip6t_nth.c 2006-12-04 12:15:20.000000000 +0100
572 +++ iptables-svn/extensions/libip6t_nth.c 1970-01-01 01:00:00.000000000 +0100
575 - Shared library add-on to iptables to add match support for every Nth packet
577 - This file is distributed under the terms of the GNU General Public
578 - License (GPL). Copies of the GPL can be obtained from:
579 - ftp://prep.ai.mit.edu/pub/gnu/GPL
581 - 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
582 - 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
583 - * added support for multiple counters
584 - * added support for matching on individual packets
585 - in the counter cycle
594 -#include <ip6tables.h>
595 -#include <linux/netfilter_ipv6/ip6_tables.h>
596 -#include <linux/netfilter_ipv6/ip6t_nth.h>
599 -/* Function which prints out usage message. */
604 -"nth v%s options:\n"
605 -" --every Nth Match every Nth packet\n"
606 -" [--counter] num Use counter 0-%u (default:0)\n"
607 -" [--start] num Initialize the counter at the number 'num'\n"
608 -" instead of 0. Must be between 0 and Nth-1\n"
609 -" [--packet] num Match on 'num' packet. Must be between 0\n"
611 -" If --packet is used for a counter than\n"
612 -" there must be Nth number of --packet\n"
613 -" rules, covering all values between 0 and\n"
614 -" Nth-1 inclusively.\n",
615 -IPTABLES_VERSION, IP6T_NTH_NUM_COUNTERS-1);
618 -static struct option opts[] = {
619 - { "every", 1, 0, '1' },
620 - { "start", 1, 0, '2' },
621 - { "counter", 1, 0, '3' },
622 - { "packet", 1, 0, '4' },
626 -#define IP6T_NTH_OPT_EVERY 0x01
627 -#define IP6T_NTH_OPT_NOT_EVERY 0x02
628 -#define IP6T_NTH_OPT_START 0x04
629 -#define IP6T_NTH_OPT_COUNTER 0x08
630 -#define IP6T_NTH_OPT_PACKET 0x10
632 -/* Function which parses command options; returns true if it
635 -parse(int c, char **argv, int invert, unsigned int *flags,
636 - const struct ip6t_entry *entry,
637 - unsigned int *nfcache,
638 - struct ip6t_entry_match **match)
640 - struct ip6t_nth_info *nthinfo = (struct ip6t_nth_info *)(*match)->data;
645 - /* check for common mistakes... */
646 - if ((!invert) && (*flags & IP6T_NTH_OPT_EVERY))
647 - exit_error(PARAMETER_PROBLEM,
648 - "Can't specify --every twice");
649 - if (invert && (*flags & IP6T_NTH_OPT_NOT_EVERY))
650 - exit_error(PARAMETER_PROBLEM,
651 - "Can't specify ! --every twice");
652 - if ((!invert) && (*flags & IP6T_NTH_OPT_NOT_EVERY))
653 - exit_error(PARAMETER_PROBLEM,
654 - "Can't specify --every with ! --every");
655 - if (invert && (*flags & IP6T_NTH_OPT_EVERY))
656 - exit_error(PARAMETER_PROBLEM,
657 - "Can't specify ! --every with --every");
659 - /* Remember, this function will interpret a leading 0 to be
660 - Octal, a leading 0x to be hexdecimal... */
661 - if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
662 - exit_error(PARAMETER_PROBLEM,
663 - "bad --every `%s', must be between 2 and 100", optarg);
665 - /* assign the values */
666 - nthinfo->every = num-1;
667 - nthinfo->startat = 0;
668 - nthinfo->packet = 0xFF;
669 - if(!(*flags & IP6T_NTH_OPT_EVERY))
671 - nthinfo->counter = 0;
675 - *flags |= IP6T_NTH_OPT_NOT_EVERY;
680 - *flags |= IP6T_NTH_OPT_EVERY;
685 - /* check for common mistakes... */
686 - if (!((*flags & IP6T_NTH_OPT_EVERY) ||
687 - (*flags & IP6T_NTH_OPT_NOT_EVERY)))
688 - exit_error(PARAMETER_PROBLEM,
689 - "Can't specify --start before --every");
691 - exit_error(PARAMETER_PROBLEM,
692 - "Can't specify with ! --start");
693 - if (*flags & IP6T_NTH_OPT_START)
694 - exit_error(PARAMETER_PROBLEM,
695 - "Can't specify --start twice");
696 - if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
697 - exit_error(PARAMETER_PROBLEM,
698 - "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
699 - *flags |= IP6T_NTH_OPT_START;
700 - nthinfo->startat = num;
703 - /* check for common mistakes... */
705 - exit_error(PARAMETER_PROBLEM,
706 - "Can't specify with ! --counter");
707 - if (*flags & IP6T_NTH_OPT_COUNTER)
708 - exit_error(PARAMETER_PROBLEM,
709 - "Can't specify --counter twice");
710 - if (string_to_number(optarg, 0, IP6T_NTH_NUM_COUNTERS-1, &num) == -1)
711 - exit_error(PARAMETER_PROBLEM,
712 - "bad --counter `%s', must between 0 and %u", optarg, IP6T_NTH_NUM_COUNTERS-1);
713 - /* assign the values */
714 - *flags |= IP6T_NTH_OPT_COUNTER;
715 - nthinfo->counter = num;
718 - /* check for common mistakes... */
719 - if (!((*flags & IP6T_NTH_OPT_EVERY) ||
720 - (*flags & IP6T_NTH_OPT_NOT_EVERY)))
721 - exit_error(PARAMETER_PROBLEM,
722 - "Can't specify --packet before --every");
723 - if ((*flags & IP6T_NTH_OPT_NOT_EVERY))
724 - exit_error(PARAMETER_PROBLEM,
725 - "Can't specify --packet with ! --every");
727 - exit_error(PARAMETER_PROBLEM,
728 - "Can't specify with ! --packet");
729 - if (*flags & IP6T_NTH_OPT_PACKET)
730 - exit_error(PARAMETER_PROBLEM,
731 - "Can't specify --packet twice");
732 - if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
733 - exit_error(PARAMETER_PROBLEM,
734 - "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
735 - *flags |= IP6T_NTH_OPT_PACKET;
736 - nthinfo->packet = num;
744 -/* Final check; nothing. */
745 -static void final_check(unsigned int flags)
749 -/* Prints out the targinfo. */
751 -print(const struct ip6t_ip6 *ip,
752 - const struct ip6t_entry_match *match,
755 - const struct ip6t_nth_info *nthinfo
756 - = (const struct ip6t_nth_info *)match->data;
758 - if (nthinfo->not == 1)
760 - printf("every %uth ", (nthinfo->every +1));
761 - if (nthinfo->counter != 0)
762 - printf("counter #%u ", (nthinfo->counter));
763 - if (nthinfo->packet != 0xFF)
764 - printf("packet #%u ", nthinfo->packet);
765 - if (nthinfo->startat != 0)
766 - printf("start at %u ", nthinfo->startat);
769 -/* Saves the union ip6t_targinfo in parsable form to stdout. */
771 -save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
773 - const struct ip6t_nth_info *nthinfo
774 - = (const struct ip6t_nth_info *)match->data;
776 - if (nthinfo->not == 1)
778 - printf("--every %u ", (nthinfo->every +1));
779 - printf("--counter %u ", (nthinfo->counter));
780 - if (nthinfo->startat != 0)
781 - printf("--start %u ", nthinfo->startat );
782 - if (nthinfo->packet != 0xFF)
783 - printf("--packet %u ", nthinfo->packet );
786 -struct ip6tables_match nth = {
788 - .version = IPTABLES_VERSION,
789 - .size = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
790 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
793 - .final_check = &final_check,
796 - .extra_opts = opts,
801 - register_match6(&nth);
803 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_nth.man iptables-svn/extensions/libip6t_nth.man
804 --- iptables-1.3.7/extensions/libip6t_nth.man 2006-12-04 12:15:19.000000000 +0100
805 +++ iptables-svn/extensions/libip6t_nth.man 1970-01-01 01:00:00.000000000 +0100
807 -This module matches every `n'th packet
809 -.BI "--every " "value"
810 -Match every `value' packet
812 -.BI "[" "--counter " "num" "]"
813 -Use internal counter number `num'. Default is `0'.
815 -.BI "[" "--start " "num" "]"
816 -Initialize the counter at the number `num' insetad of `0'. Most between `0'
819 -.BI "[" "--packet " "num" "]"
820 -Match on `num' packet. Most be between `0' and `value'-1.
821 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_random.c iptables-svn/extensions/libip6t_random.c
822 --- iptables-1.3.7/extensions/libip6t_random.c 2006-12-04 12:15:19.000000000 +0100
823 +++ iptables-svn/extensions/libip6t_random.c 1970-01-01 01:00:00.000000000 +0100
826 - Shared library add-on to iptables to add match support for random match.
828 - This file is distributed under the terms of the GNU General Public
829 - License (GPL). Copies of the GPL can be obtained from:
830 - ftp://prep.ai.mit.edu/pub/gnu/GPL
832 - 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
833 - 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 port.
842 -#include <ip6tables.h>
843 -#include <linux/netfilter_ipv6/ip6_tables.h>
844 -#include <linux/netfilter_ipv6/ip6t_random.h>
847 - * The kernel random routing returns numbers between 0 and 255.
848 - * To ease the task of the user in choosing the probability
849 - * of matching, we want him to be able to use percentages.
850 - * Therefore we have to accept numbers in percentage here,
851 - * turn them into number between 0 and 255 for the kernel module,
852 - * and turn them back to percentages when we print/save
857 -/* Function which prints out usage message. */
862 -"random v%s options:\n"
863 -" [--average] percent The probability in percentage of the match\n"
864 -" If ommited, a probability of 50%% percent is set.\n"
865 -" Percentage must be within : 1 <= percent <= 99.\n\n",
869 -static struct option opts[] = {
870 - { "average", 1, 0, '1' },
874 -/* Initialize the target. */
876 -init(struct ip6t_entry_match *m, unsigned int *nfcache)
878 - struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(m)->data;
880 - /* We assign the average to be 50 which is our default value */
881 - /* 50 * 2.55 = 128 */
882 - randinfo->average = 128;
885 -#define IP6T_RAND_OPT_AVERAGE 0x01
887 -/* Function which parses command options; returns true if it
890 -parse(int c, char **argv, int invert, unsigned int *flags,
891 - const struct ip6t_entry *entry,
892 - unsigned int *nfcache,
893 - struct ip6t_entry_match **match)
895 - struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(*match)->data;
900 - /* check for common mistakes... */
902 - exit_error(PARAMETER_PROBLEM,
903 - "Can't specify ! --average");
904 - if (*flags & IP6T_RAND_OPT_AVERAGE)
905 - exit_error(PARAMETER_PROBLEM,
906 - "Can't specify --average twice");
908 - /* Remember, this function will interpret a leading 0 to be
909 - Octal, a leading 0x to be hexdecimal... */
910 - if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
911 - exit_error(PARAMETER_PROBLEM,
912 - "bad --average `%s', must be between 1 and 99", optarg);
914 - /* assign the values */
915 - randinfo->average = (int)(num * 2.55);
916 - *flags |= IP6T_RAND_OPT_AVERAGE;
924 -/* Final check; nothing. */
925 -static void final_check(unsigned int flags)
929 -/* Prints out the targinfo. */
931 -print(const struct ip6t_ip6 *ip,
932 - const struct ip6t_entry_match *match,
935 - const struct ip6t_rand_info *randinfo
936 - = (const struct ip6t_rand_info *)match->data;
937 - div_t result = div((randinfo->average*100), 255);
938 - if (result.rem > 127) /* round up... */
941 - printf(" random %u%% ", result.quot);
944 -/* Saves the union ip6t_targinfo in parsable form to stdout. */
946 -save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
948 - const struct ip6t_rand_info *randinfo
949 - = (const struct ip6t_rand_info *)match->data;
950 - div_t result = div((randinfo->average *100), 255);
951 - if (result.rem > 127) /* round up... */
954 - printf("--average %u ", result.quot);
957 -struct ip6tables_match rand_match = {
959 - .version = IPTABLES_VERSION,
960 - .size = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
961 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
965 - .final_check = &final_check,
968 - .extra_opts = opts,
973 - register_match6(&rand_match);
975 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_random.man iptables-svn/extensions/libip6t_random.man
976 --- iptables-1.3.7/extensions/libip6t_random.man 2006-12-04 12:15:19.000000000 +0100
977 +++ iptables-svn/extensions/libip6t_random.man 1970-01-01 01:00:00.000000000 +0100
979 -This module randomly matches a certain percentage of all packets.
981 -.BI "--average " "percent"
982 -Matches the given percentage. If omitted, a probability of 50% is set.
983 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_ROUTE.c iptables-svn/extensions/libip6t_ROUTE.c
984 --- iptables-1.3.7/extensions/libip6t_ROUTE.c 2006-12-04 12:15:20.000000000 +0100
985 +++ iptables-svn/extensions/libip6t_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
987 -/* Shared library add-on to iptables to add ROUTE v6 target support.
988 - * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
996 -#include <sys/types.h>
997 -#include <sys/socket.h>
998 -#include <arpa/inet.h>
1000 -#include <ip6tables.h>
1001 -#include <linux/netfilter_ipv6/ip6_tables.h>
1002 -#include <linux/netfilter_ipv6/ip6t_ROUTE.h>
1004 -/* compile IP6T_ROUTE_TEE support even if kernel headers are unpatched */
1005 -#ifndef IP6T_ROUTE_TEE
1006 -#define IP6T_ROUTE_TEE 0x02
1009 -/* Function which prints out usage message. */
1014 -"ROUTE target v%s options:\n"
1015 -" --oif \tifname \t\tRoute the packet through `ifname' network interface\n"
1016 -" --gw \tip \t\tRoute the packet via this gateway\n"
1017 -" --continue\t \t\tRoute packet and continue traversing the\n"
1018 -" \t \t\trules. Not valid with --iif or --tee.\n"
1019 -" --tee\t \t\tDuplicate packet, route the duplicate,\n"
1020 -" \t \t\tcontinue traversing with original packet.\n"
1021 -" \t \t\tNot valid with --iif or --continue.\n"
1026 -static struct option opts[] = {
1027 - { "oif", 1, 0, '1' },
1028 - { "iif", 1, 0, '2' },
1029 - { "gw", 1, 0, '3' },
1030 - { "continue", 0, 0, '4' },
1031 - { "tee", 0, 0, '5' },
1035 -/* Initialize the target. */
1037 -init(struct ip6t_entry_target *t, unsigned int *nfcache)
1039 - struct ip6t_route_target_info *route_info =
1040 - (struct ip6t_route_target_info*)t->data;
1042 - route_info->oif[0] = '\0';
1043 - route_info->iif[0] = '\0';
1044 - route_info->gw[0] = 0;
1045 - route_info->gw[1] = 0;
1046 - route_info->gw[2] = 0;
1047 - route_info->gw[3] = 0;
1048 - route_info->flags = 0;
1052 -#define IP6T_ROUTE_OPT_OIF 0x01
1053 -#define IP6T_ROUTE_OPT_IIF 0x02
1054 -#define IP6T_ROUTE_OPT_GW 0x04
1055 -#define IP6T_ROUTE_OPT_CONTINUE 0x08
1056 -#define IP6T_ROUTE_OPT_TEE 0x10
1058 -/* Function which parses command options; returns true if it
1061 -parse(int c, char **argv, int invert, unsigned int *flags,
1062 - const struct ip6t_entry *entry,
1063 - struct ip6t_entry_target **target)
1065 - struct ip6t_route_target_info *route_info =
1066 - (struct ip6t_route_target_info*)(*target)->data;
1070 - if (*flags & IP6T_ROUTE_OPT_OIF)
1071 - exit_error(PARAMETER_PROBLEM,
1072 - "Can't specify --oif twice");
1074 - if (check_inverse(optarg, &invert, NULL, 0))
1075 - exit_error(PARAMETER_PROBLEM,
1076 - "Unexpected `!' after --oif");
1078 - if (strlen(optarg) > sizeof(route_info->oif) - 1)
1079 - exit_error(PARAMETER_PROBLEM,
1080 - "Maximum interface name length %u",
1081 - sizeof(route_info->oif) - 1);
1083 - strcpy(route_info->oif, optarg);
1084 - *flags |= IP6T_ROUTE_OPT_OIF;
1088 - exit_error(PARAMETER_PROBLEM,
1089 - "--iif option not implemented");
1093 - if (*flags & IP6T_ROUTE_OPT_GW)
1094 - exit_error(PARAMETER_PROBLEM,
1095 - "Can't specify --gw twice");
1097 - if (check_inverse(optarg, &invert, NULL, 0))
1098 - exit_error(PARAMETER_PROBLEM,
1099 - "Unexpected `!' after --gw");
1101 - if (!inet_pton(AF_INET6, optarg, (struct in6_addr*)&route_info->gw)) {
1102 - exit_error(PARAMETER_PROBLEM,
1103 - "Invalid IPv6 address %s",
1107 - *flags |= IP6T_ROUTE_OPT_GW;
1111 - if (*flags & IP6T_ROUTE_OPT_CONTINUE)
1112 - exit_error(PARAMETER_PROBLEM,
1113 - "Can't specify --continue twice");
1114 - if (*flags & IP6T_ROUTE_OPT_TEE)
1115 - exit_error(PARAMETER_PROBLEM,
1116 - "Can't specify --continue AND --tee");
1118 - route_info->flags |= IP6T_ROUTE_CONTINUE;
1119 - *flags |= IP6T_ROUTE_OPT_CONTINUE;
1124 - if (*flags & IP6T_ROUTE_OPT_TEE)
1125 - exit_error(PARAMETER_PROBLEM,
1126 - "Can't specify --tee twice");
1127 - if (*flags & IP6T_ROUTE_OPT_CONTINUE)
1128 - exit_error(PARAMETER_PROBLEM,
1129 - "Can't specify --tee AND --continue");
1131 - route_info->flags |= IP6T_ROUTE_TEE;
1132 - *flags |= IP6T_ROUTE_OPT_TEE;
1145 -final_check(unsigned int flags)
1148 - exit_error(PARAMETER_PROBLEM,
1149 - "ROUTE target: oif or gw option required");
1153 -/* Prints out the targinfo. */
1155 -print(const struct ip6t_ip6 *ip,
1156 - const struct ip6t_entry_target *target,
1159 - const struct ip6t_route_target_info *route_info
1160 - = (const struct ip6t_route_target_info *)target->data;
1164 - if (route_info->oif[0])
1165 - printf("oif:%s ", route_info->oif);
1167 - if (route_info->gw[0]
1168 - || route_info->gw[1]
1169 - || route_info->gw[2]
1170 - || route_info->gw[3]) {
1171 - char address[INET6_ADDRSTRLEN];
1172 - printf("gw:%s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
1175 - if (route_info->flags & IP6T_ROUTE_CONTINUE)
1176 - printf("continue");
1178 - if (route_info->flags & IP6T_ROUTE_TEE)
1184 -static void save(const struct ip6t_ip6 *ip,
1185 - const struct ip6t_entry_target *target)
1187 - const struct ip6t_route_target_info *route_info
1188 - = (const struct ip6t_route_target_info *)target->data;
1190 - if (route_info->oif[0])
1191 - printf("--oif %s ", route_info->oif);
1193 - if (route_info->gw[0]
1194 - || route_info->gw[1]
1195 - || route_info->gw[2]
1196 - || route_info->gw[3]) {
1197 - char address[INET6_ADDRSTRLEN];
1198 - printf("--gw %s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
1201 - if (route_info->flags & IP6T_ROUTE_CONTINUE)
1202 - printf("--continue ");
1204 - if (route_info->flags & IP6T_ROUTE_TEE)
1209 -static struct ip6tables_target route = {
1211 - .version = IPTABLES_VERSION,
1212 - .size = IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
1213 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
1217 - .final_check = &final_check,
1220 - .extra_opts = opts,
1225 - register_target6(&route);
1227 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_ROUTE.man iptables-svn/extensions/libip6t_ROUTE.man
1228 --- iptables-1.3.7/extensions/libip6t_ROUTE.man 2006-12-04 12:15:20.000000000 +0100
1229 +++ iptables-svn/extensions/libip6t_ROUTE.man 1970-01-01 01:00:00.000000000 +0100
1231 -This is used to explicitly override the core network stack's routing decision.
1235 -.BI "--oif " "ifname"
1236 -Route the packet through `ifname' network interface
1238 -.BI "--gw " "IPv6_address"
1239 -Route the packet via this gateway
1242 -Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--tee'
1245 -Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--continue'
1246 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_state.c iptables-svn/extensions/libip6t_state.c
1247 --- iptables-1.3.7/extensions/libip6t_state.c 2006-12-04 12:15:19.000000000 +0100
1248 +++ iptables-svn/extensions/libip6t_state.c 2007-05-31 12:46:30.000000000 +0200
1252 #include <ip6tables.h>
1253 -#include <linux/netfilter_ipv4/ip_conntrack.h>
1254 +#include <linux/netfilter/nf_conntrack_common.h>
1255 #include <linux/netfilter_ipv4/ipt_state.h>
1257 #ifndef IPT_STATE_UNTRACKED
1258 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_tcp.man iptables-svn/extensions/libip6t_tcp.man
1259 --- iptables-1.3.7/extensions/libip6t_tcp.man 2006-12-04 12:15:19.000000000 +0100
1260 +++ iptables-svn/extensions/libip6t_tcp.man 2007-05-31 12:46:30.000000000 +0200
1262 -These extensions are loaded if `--protocol tcp' is specified. It
1263 +These extensions can be used if `--protocol tcp' is specified. It
1264 provides the following options:
1266 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
1267 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TCPMSS.c iptables-svn/extensions/libip6t_TCPMSS.c
1268 --- iptables-1.3.7/extensions/libip6t_TCPMSS.c 1970-01-01 01:00:00.000000000 +0100
1269 +++ iptables-svn/extensions/libip6t_TCPMSS.c 2007-05-31 12:46:30.000000000 +0200
1271 +/* Shared library add-on to iptables to add TCPMSS target support.
1273 + * Copyright (c) 2000 Marc Boucher
1276 +#include <string.h>
1277 +#include <stdlib.h>
1278 +#include <getopt.h>
1280 +#include <ip6tables.h>
1281 +#include <linux/netfilter_ipv6/ip6_tables.h>
1282 +#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
1285 + struct ip6t_entry_target t;
1286 + struct ip6t_tcpmss_info mss;
1289 +/* Function which prints out usage message. */
1294 +"TCPMSS target v%s mutually-exclusive options:\n"
1295 +" --set-mss value explicitly set MSS option to specified value\n"
1296 +" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 60)\n",
1300 +static struct option opts[] = {
1301 + { "set-mss", 1, 0, '1' },
1302 + { "clamp-mss-to-pmtu", 0, 0, '2' },
1306 +/* Initialize the target. */
1308 +init(struct ip6t_entry_target *t, unsigned int *nfcache)
1312 +/* Function which parses command options; returns true if it
1315 +parse(int c, char **argv, int invert, unsigned int *flags,
1316 + const struct ip6t_entry *entry,
1317 + struct ip6t_entry_target **target)
1319 + struct ip6t_tcpmss_info *mssinfo
1320 + = (struct ip6t_tcpmss_info *)(*target)->data;
1323 + unsigned int mssval;
1327 + exit_error(PARAMETER_PROBLEM,
1328 + "TCPMSS target: Only one option may be specified");
1329 + if (string_to_number(optarg, 0, 65535 - 60, &mssval) == -1)
1330 + exit_error(PARAMETER_PROBLEM, "Bad TCPMSS value `%s'", optarg);
1332 + mssinfo->mss = mssval;
1338 + exit_error(PARAMETER_PROBLEM,
1339 + "TCPMSS target: Only one option may be specified");
1340 + mssinfo->mss = IP6T_TCPMSS_CLAMP_PMTU;
1352 +final_check(unsigned int flags)
1355 + exit_error(PARAMETER_PROBLEM,
1356 + "TCPMSS target: At least one parameter is required");
1359 +/* Prints out the targinfo. */
1361 +print(const struct ip6t_ip6 *ip6,
1362 + const struct ip6t_entry_target *target,
1365 + const struct ip6t_tcpmss_info *mssinfo =
1366 + (const struct ip6t_tcpmss_info *)target->data;
1367 + if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
1368 + printf("TCPMSS clamp to PMTU ");
1370 + printf("TCPMSS set %u ", mssinfo->mss);
1373 +/* Saves the union ip6t_targinfo in parsable form to stdout. */
1375 +save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
1377 + const struct ip6t_tcpmss_info *mssinfo =
1378 + (const struct ip6t_tcpmss_info *)target->data;
1380 + if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
1381 + printf("--clamp-mss-to-pmtu ");
1383 + printf("--set-mss %u ", mssinfo->mss);
1386 +static struct ip6tables_target mss = {
1389 + .version = IPTABLES_VERSION,
1390 + .size = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
1391 + .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
1395 + .final_check = &final_check,
1398 + .extra_opts = opts
1403 + register_target6(&mss);
1405 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TCPMSS.man iptables-svn/extensions/libip6t_TCPMSS.man
1406 --- iptables-1.3.7/extensions/libip6t_TCPMSS.man 1970-01-01 01:00:00.000000000 +0100
1407 +++ iptables-svn/extensions/libip6t_TCPMSS.man 2007-05-31 12:46:30.000000000 +0200
1409 +This target allows to alter the MSS value of TCP SYN packets, to control
1410 +the maximum size for that connection (usually limiting it to your
1411 +outgoing interface's MTU minus 60). Of course, it can only be used
1412 +in conjunction with
1414 +It is only valid in the
1418 +This target is used to overcome criminally braindead ISPs or servers
1419 +which block ICMPv6 Packet Too Big packets or are unable to send them.
1420 +The symptoms of this problem are that everything works fine from your
1421 +Linux firewall/router, but machines behind it can never exchange large
1427 +Web browsers connect, then hang with no data received.
1430 +Small mail works fine, but large emails hang.
1433 +ssh works fine, but scp hangs after initial handshaking.
1436 +Workaround: activate this option and add a rule to your firewall
1437 +configuration like:
1439 + ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
1440 + -j TCPMSS --clamp-mss-to-pmtu
1443 +.BI "--set-mss " "value"
1444 +Explicitly set MSS option to specified value.
1446 +.B "--clamp-mss-to-pmtu"
1447 +Automatically clamp MSS value to (path_MTU - 60).
1449 +These options are mutually exclusive.
1451 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TRACE.c iptables-svn/extensions/libip6t_TRACE.c
1452 --- iptables-1.3.7/extensions/libip6t_TRACE.c 2006-12-04 12:15:19.000000000 +0100
1453 +++ iptables-svn/extensions/libip6t_TRACE.c 1970-01-01 01:00:00.000000000 +0100
1455 -/* Shared library add-on to iptables to add TRACE target support. */
1457 -#include <string.h>
1458 -#include <stdlib.h>
1459 -#include <getopt.h>
1461 -#include <ip6tables.h>
1462 -#include <linux/netfilter_ipv6/ip6_tables.h>
1464 -/* Function which prints out usage message. */
1469 -"TRACE target v%s takes no options\n",
1473 -static struct option opts[] = {
1477 -/* Initialize the target. */
1479 -init(struct ip6t_entry_target *t, unsigned int *nfcache)
1483 -/* Function which parses command options; returns true if it
1486 -parse(int c, char **argv, int invert, unsigned int *flags,
1487 - const struct ip6t_entry *entry,
1488 - struct ip6t_entry_target **target)
1494 -final_check(unsigned int flags)
1499 -struct ip6tables_target trace
1502 - .version = IPTABLES_VERSION,
1503 - .size = IP6T_ALIGN(0),
1504 - .userspacesize = IP6T_ALIGN(0),
1508 - .final_check = &final_check,
1509 - .print = NULL, /* print */
1510 - .save = NULL, /* save */
1511 - .extra_opts = opts
1516 - register_target6(&trace);
1518 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TRACE.man iptables-svn/extensions/libip6t_TRACE.man
1519 --- iptables-1.3.7/extensions/libip6t_TRACE.man 2006-12-04 12:15:19.000000000 +0100
1520 +++ iptables-svn/extensions/libip6t_TRACE.man 1970-01-01 01:00:00.000000000 +0100
1522 -This target has no options. It just turns on
1524 -for all packets that match this rule.
1525 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_udp.man iptables-svn/extensions/libip6t_udp.man
1526 --- iptables-1.3.7/extensions/libip6t_udp.man 2006-12-04 12:15:20.000000000 +0100
1527 +++ iptables-svn/extensions/libip6t_udp.man 2007-05-31 12:46:30.000000000 +0200
1529 -These extensions are loaded if `--protocol udp' is specified. It
1530 +These extensions can be used if `--protocol udp' is specified. It
1531 provides the following options:
1533 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
1534 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_account.c iptables-svn/extensions/libipt_account.c
1535 --- iptables-1.3.7/extensions/libipt_account.c 2006-12-04 12:15:19.000000000 +0100
1536 +++ iptables-svn/extensions/libipt_account.c 1970-01-01 01:00:00.000000000 +0100
1539 - * accounting match helper (libipt_account.c)
1540 - * (C) 2003,2004 by Piotr Gasid³o (quaker@barbara.eu.org)
1544 - * This software is distributed under the terms of GNU GPL
1548 -#include <stdlib.h>
1549 -#include <iptables.h>
1550 -#include <string.h>
1551 -#include <getopt.h>
1553 -#include <linux/netfilter_ipv4/ipt_account.h>
1556 -#define HIPQUAD(addr) \
1557 - ((unsigned char *)&addr)[3], \
1558 - ((unsigned char *)&addr)[2], \
1559 - ((unsigned char *)&addr)[1], \
1560 - ((unsigned char *)&addr)[0]
1563 -static void help(void) {
1565 - "account v%s options:\n"
1566 - "--aaddr network/netmask\n"
1567 - " defines network/netmask for which make statistics.\n"
1569 - " defines name of list where statistics will be kept. If no is\n"
1570 - " specified DEFAULT will be used.\n"
1572 - " table will colect only short statistics (only total counters\n"
1573 - " without splitting it into protocols.\n"
1575 - IPTABLES_VERSION);
1578 -static struct option opts[] = {
1579 - { .name = "aaddr", .has_arg = 1, .flag = NULL, .val = 201 },
1580 - { .name = "aname", .has_arg = 1, .flag = NULL, .val = 202 },
1581 - { .name = "ashort", .has_arg = 0, .flag = NULL, .val = 203 },
1582 - { .name = 0, .has_arg = 0, .flag = 0, .val = 0 }
1585 -/* Helper functions for parse_network */
1586 -int parseip(const char *parameter, u_int32_t *ip) {
1588 - char buffer[16], *bufferptr, *dot;
1589 - unsigned int i, shift, part;
1591 - if (strlen(parameter) > 15)
1594 - strncpy(buffer, parameter, 15);
1597 - bufferptr = buffer;
1599 - for (i = 0, shift = 24, *ip = 0; i < 3; i++, shift -= 8) {
1601 - if ((dot = strchr(bufferptr, '.')) == NULL)
1603 - /* not a number */
1604 - if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
1606 - /* to big number */
1609 - *ip |= part << shift;
1610 - bufferptr = dot + 1;
1612 - /* not a number */
1613 - if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
1615 - /* to big number */
1622 -static void parsenetwork(const char *parameter, u_int32_t *network) {
1623 - if (!parseip(parameter, network))
1624 - exit_error(PARAMETER_PROBLEM, "account: wrong ip in network");
1627 -static void parsenetmaskasbits(const char *parameter, u_int32_t *netmask) {
1631 - if ((bits = strtol(parameter, (char **)NULL, 10)) < 0 || bits > 32)
1632 - exit_error(PARAMETER_PROBLEM, "account: wrong netmask");
1634 - *netmask = 0xffffffff << (32 - bits);
1637 -static void parsenetmaskasip(const char *parameter, u_int32_t *netmask) {
1638 - if (!parseip(parameter, netmask))
1639 - exit_error(PARAMETER_PROBLEM, "account: wrong ip in netmask");
1642 -static void parsenetmask(const char *parameter, u_int32_t *netmask)
1644 - if (strchr(parameter, '.') != NULL)
1645 - parsenetmaskasip(parameter, netmask);
1647 - parsenetmaskasbits(parameter, netmask);
1650 -static void parsenetworkandnetmask(const char *parameter, u_int32_t *network, u_int32_t *netmask)
1653 - char buffer[32], *slash;
1655 - if (strlen(parameter) > 31)
1656 - /* text is to long, even for 255.255.255.255/255.255.255.255 */
1657 - exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
1659 - strncpy(buffer, parameter, 31);
1662 - /* check whether netmask is given */
1663 - if ((slash = strchr(buffer, '/')) != NULL) {
1664 - parsenetmask(slash + 1, netmask);
1667 - *netmask = 0xffffffff;
1668 - parsenetwork(buffer, network);
1670 - if ((*network & *netmask) != *network)
1671 - exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
1675 -/* Function gets network & netmask from argument after --aaddr */
1676 -static void parse_network(const char *parameter, struct t_ipt_account_info *info) {
1678 - parsenetworkandnetmask(parameter, &info->network, &info->netmask);
1682 -/* validate netmask */
1683 -inline int valid_netmask(u_int32_t netmask) {
1684 - while (netmask & 0x80000000)
1691 -/* validate network/netmask pair */
1692 -inline int valid_network_and_netmask(struct t_ipt_account_info *info) {
1693 - if (!valid_netmask(info->netmask))
1695 - if ((info->network & info->netmask) != info->network)
1702 -/* Function initializes match */
1703 -static void init(struct ipt_entry_match *match,
1704 - unsigned int *nfcache) {
1706 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)(match)->data;
1709 - /* set default table name to DEFAULT */
1710 - strncpy(info->name, "DEFAULT", IPT_ACCOUNT_NAME_LEN);
1711 - info->shortlisting = 0;
1715 -/* Function parses match's arguments */
1716 -static int parse(int c, char **argv,
1718 - unsigned int *flags,
1719 - const struct ipt_entry *entry,
1720 - unsigned int *nfcache,
1721 - struct ipt_entry_match **match) {
1723 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)(*match)->data;
1729 - parse_network(optarg, info);
1730 - if (!valid_network_and_netmask(info))
1731 - exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
1737 - if (strlen(optarg) < IPT_ACCOUNT_NAME_LEN)
1738 - strncpy(info->name, optarg, IPT_ACCOUNT_NAME_LEN);
1740 - exit_error(PARAMETER_PROBLEM, "account: Too long table name");
1744 - info->shortlisting = 1;
1752 -/* Final check whether network/netmask was specified */
1753 -static void final_check(unsigned int flags) {
1755 - exit_error(PARAMETER_PROBLEM, "account: You need specify '--aaddr' parameter");
1758 -/* Function used for printing rule with account match for iptables -L */
1759 -static void print(const struct ipt_ip *ip,
1760 - const struct ipt_entry_match *match,
1763 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
1765 - printf("account: ");
1766 - printf("network/netmask: ");
1767 - printf("%u.%u.%u.%u/%u.%u.%u.%u ",
1768 - HIPQUAD(info->network),
1769 - HIPQUAD(info->netmask)
1772 - printf("name: %s ", info->name);
1773 - if (info->shortlisting)
1774 - printf("short-listing ");
1777 -/* Function used for saving rule containing account match */
1778 -static void save(const struct ipt_ip *ip,
1779 - const struct ipt_entry_match *match) {
1781 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
1783 - printf("--aaddr ");
1784 - printf("%u.%u.%u.%u/%u.%u.%u.%u ",
1785 - HIPQUAD(info->network),
1786 - HIPQUAD(info->netmask)
1789 - printf("--aname %s ", info->name);
1790 - if (info->shortlisting)
1791 - printf("--ashort ");
1794 -static struct iptables_match account = {
1796 - .name = "account",
1797 - .version = IPTABLES_VERSION,
1798 - .size = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
1799 - .userspacesize = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
1803 - .final_check = &final_check,
1806 - .extra_opts = opts
1809 -/* Function which registers match */
1812 - register_match(&account);
1815 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_account.man iptables-svn/extensions/libipt_account.man
1816 --- iptables-1.3.7/extensions/libipt_account.man 2006-12-04 12:15:19.000000000 +0100
1817 +++ iptables-svn/extensions/libipt_account.man 1970-01-01 01:00:00.000000000 +0100
1819 -Account traffic for all hosts in defined network/netmask.
1823 -- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
1825 -- one iptables rule for all hosts in network/netmask
1827 -- loading/saving counters (by reading/writting to procfs entries)
1830 -.BI "--aaddr " "network/netmask"
1831 -defines network/netmask for which make statistics.
1833 -.BI "--aname " "name"
1834 -defines name of list where statistics will be kept. If no is
1835 -specified DEFAULT will be used.
1838 -table will colect only short statistics (only total counters
1839 -without splitting it into protocols.
1843 -account traffic for/to 192.168.0.0/24 network into table mynetwork:
1845 -# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
1847 -account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
1849 -# iptables -A INPUT -p tcp --dport 80
1850 - -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
1852 -# iptables -A OUTPUT -p tcp --sport 80
1853 - -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
1857 -# cat /proc/net/ipt_account/mynetwork
1858 -# cat /proc/net/ipt_account/mywwwserver
1862 -# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
1865 - http://www.barbara.eu.org/~quaker/ipt_account/
1866 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_BALANCE.c iptables-svn/extensions/libipt_BALANCE.c
1867 --- iptables-1.3.7/extensions/libipt_BALANCE.c 2006-12-04 12:15:20.000000000 +0100
1868 +++ iptables-svn/extensions/libipt_BALANCE.c 1970-01-01 01:00:00.000000000 +0100
1870 -/* Shared library add-on to iptables to add simple load-balance support. */
1873 -#include <string.h>
1874 -#include <stdlib.h>
1875 -#include <getopt.h>
1876 -#include <iptables.h>
1877 -#include <linux/netfilter_ipv4/ip_tables.h>
1878 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
1880 -#define BREAKUP_IP(x) (x)>>24, ((x)>>16) & 0xFF, ((x)>>8) & 0xFF, (x) & 0xFF
1882 -/* Function which prints out usage message. */
1887 -"BALANCE v%s options:\n"
1888 -" --to-destination <ipaddr>-<ipaddr>\n"
1889 -" Addresses to map destination to.\n",
1893 -static struct option opts[] = {
1894 - { "to-destination", 1, 0, '1' },
1898 -/* Initialize the target. */
1900 -init(struct ipt_entry_target *t, unsigned int *nfcache)
1902 - struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
1904 - /* Actually, it's 0, but it's ignored at the moment. */
1905 - mr->rangesize = 1;
1909 -/* Parses range of IPs */
1911 -parse_to(char *arg, struct ip_nat_range *range)
1914 - struct in_addr *ip;
1916 - range->flags |= IP_NAT_RANGE_MAP_IPS;
1917 - dash = strchr(arg, '-');
1921 - exit_error(PARAMETER_PROBLEM, "Bad IP range `%s'\n", arg);
1923 - ip = dotted_to_addr(arg);
1925 - exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
1927 - range->min_ip = ip->s_addr;
1928 - ip = dotted_to_addr(dash+1);
1930 - exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
1932 - range->max_ip = ip->s_addr;
1935 -/* Function which parses command options; returns true if it
1938 -parse(int c, char **argv, int invert, unsigned int *flags,
1939 - const struct ipt_entry *entry,
1940 - struct ipt_entry_target **target)
1942 - struct ip_nat_multi_range *mr
1943 - = (struct ip_nat_multi_range *)(*target)->data;
1947 - if (check_inverse(optarg, &invert, NULL, 0))
1948 - exit_error(PARAMETER_PROBLEM,
1949 - "Unexpected `!' after --to-destination");
1951 - parse_to(optarg, &mr->range[0]);
1960 -/* Final check; need --to-dest. */
1961 -static void final_check(unsigned int flags)
1964 - exit_error(PARAMETER_PROBLEM,
1965 - "BALANCE needs --to-destination");
1968 -/* Prints out the targinfo. */
1970 -print(const struct ipt_ip *ip,
1971 - const struct ipt_entry_target *target,
1974 - struct ip_nat_multi_range *mr
1975 - = (struct ip_nat_multi_range *)target->data;
1976 - struct ip_nat_range *r = &mr->range[0];
1979 - a.s_addr = r->min_ip;
1981 - printf("balance %s", addr_to_dotted(&a));
1982 - a.s_addr = r->max_ip;
1983 - printf("-%s ", addr_to_dotted(&a));
1986 -/* Saves the union ipt_targinfo in parsable form to stdout. */
1988 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
1990 - struct ip_nat_multi_range *mr
1991 - = (struct ip_nat_multi_range *)target->data;
1992 - struct ip_nat_range *r = &mr->range[0];
1995 - a.s_addr = r->min_ip;
1996 - printf("--to-destination %s", addr_to_dotted(&a));
1997 - a.s_addr = r->max_ip;
1998 - printf("-%s ", addr_to_dotted(&a));
2001 -static struct iptables_target balance = {
2003 - .name = "BALANCE",
2004 - .version = IPTABLES_VERSION,
2005 - .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
2006 - .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
2010 - .final_check = &final_check,
2013 - .extra_opts = opts
2018 - register_target(&balance);
2020 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_BALANCE.man iptables-svn/extensions/libipt_BALANCE.man
2021 --- iptables-1.3.7/extensions/libipt_BALANCE.man 2006-12-04 12:15:20.000000000 +0100
2022 +++ iptables-svn/extensions/libipt_BALANCE.man 1970-01-01 01:00:00.000000000 +0100
2024 -This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
2026 -.BI "--to-destination " "ipaddr-ipaddr"
2027 -Address range to round-robin over.
2028 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_childlevel.c iptables-svn/extensions/libipt_childlevel.c
2029 --- iptables-1.3.7/extensions/libipt_childlevel.c 2006-12-04 12:15:20.000000000 +0100
2030 +++ iptables-svn/extensions/libipt_childlevel.c 1970-01-01 01:00:00.000000000 +0100
2033 - Shared library add-on to iptables to add layer 7 matching support.
2035 - http://l7-filter.sf.net
2037 - By Matthew Strait <quadong@users.sf.net>, Dec 2003.
2039 - This program is free software; you can redistribute it and/or
2040 - modify it under the terms of the GNU General Public License
2041 - as published by the Free Software Foundation; either version
2042 - 2 of the License, or (at your option) any later version.
2043 - http://www.gnu.org/licenses/gpl.txt
2046 -#define _GNU_SOURCE
2049 -#include <string.h>
2050 -#include <stdlib.h>
2051 -#include <getopt.h>
2053 -#include <dirent.h>
2055 -#include <iptables.h>
2056 -#include <linux/netfilter_ipv4/ipt_childlevel.h>
2058 -/* Function which prints out usage message. */
2059 -static void help(void)
2062 - "CHILDLEVEL match v%s options:\n"
2063 - "--level <n> : Match childlevel n (0 == master)\n",
2064 - IPTABLES_VERSION);
2065 - fputc('\n', stdout);
2068 -static struct option opts[] = {
2069 - { .name = "level", .has_arg = 1, .flag = 0, .val = '1' },
2073 -/* Function which parses command options; returns true if it ate an option */
2074 -static int parse(int c, char **argv, int invert, unsigned int *flags,
2075 - const struct ipt_entry *entry, unsigned int *nfcache,
2076 - struct ipt_entry_match **match)
2078 - struct ipt_childlevel_info *childlevelinfo =
2079 - (struct ipt_childlevel_info *)(*match)->data;
2083 - check_inverse(optarg, &invert, &optind, 0);
2084 - childlevelinfo->childlevel = atoi(argv[optind-1]);
2086 - childlevelinfo->invert = 1;
2096 -/* Final check; must have specified --level. */
2097 -static void final_check(unsigned int flags)
2100 - exit_error(PARAMETER_PROBLEM,
2101 - "CHILDLEVEL match: You must specify `--level'");
2104 -static void print_protocol(int n, int invert, int numeric)
2106 - fputs("childlevel ", stdout);
2107 - if (invert) fputc('!', stdout);
2111 -/* Prints out the matchinfo. */
2112 -static void print(const struct ipt_ip *ip,
2113 - const struct ipt_entry_match *match,
2116 - printf("CHILDLEVEL ");
2118 - print_protocol(((struct ipt_childlevel_info *)match->data)->childlevel,
2119 - ((struct ipt_childlevel_info *)match->data)->invert, numeric);
2121 -/* Saves the union ipt_matchinfo in parsable form to stdout. */
2122 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2124 - const struct ipt_childlevel_info *info =
2125 - (const struct ipt_childlevel_info*) match->data;
2127 - printf("--childlevel %s%d ", (info->invert) ? "! ": "", info->childlevel);
2130 -static struct iptables_match childlevel = {
2131 - .name = "childlevel",
2132 - .version = IPTABLES_VERSION,
2133 - .size = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
2134 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
2137 - .final_check = &final_check,
2140 - .extra_opts = opts
2145 - register_match(&childlevel);
2147 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_childlevel.man iptables-svn/extensions/libipt_childlevel.man
2148 --- iptables-1.3.7/extensions/libipt_childlevel.man 2006-12-04 12:15:19.000000000 +0100
2149 +++ iptables-svn/extensions/libipt_childlevel.man 1970-01-01 01:00:00.000000000 +0100
2151 -This is an experimental module. It matches on whether the
2152 -packet is part of a master connection or one of its children (or grandchildren,
2153 -etc). For instance, most packets are level 0. FTP data transfer is level 1.
2155 -.BR "--childlevel " "[!] \fIlevel\fP"
2156 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connbytes.c iptables-svn/extensions/libipt_connbytes.c
2157 --- iptables-1.3.7/extensions/libipt_connbytes.c 2006-12-04 12:15:20.000000000 +0100
2158 +++ iptables-svn/extensions/libipt_connbytes.c 2007-05-31 12:46:30.000000000 +0200
2162 #include <iptables.h>
2163 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2164 +#include <linux/netfilter/nf_conntrack_common.h>
2165 #include <linux/netfilter_ipv4/ipt_connbytes.h>
2167 /* Function which prints out usage message. */
2168 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connlimit.c iptables-svn/extensions/libipt_connlimit.c
2169 --- iptables-1.3.7/extensions/libipt_connlimit.c 2006-12-04 12:15:19.000000000 +0100
2170 +++ iptables-svn/extensions/libipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
2172 -/* Shared library add-on to iptables to add connection limit support. */
2175 -#include <string.h>
2176 -#include <stdlib.h>
2177 -#include <stddef.h>
2178 -#include <getopt.h>
2179 -#include <iptables.h>
2180 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2181 -#include <linux/netfilter_ipv4/ipt_connlimit.h>
2183 -/* Function which prints out usage message. */
2188 -"connlimit v%s options:\n"
2189 -"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n"
2190 -" --connlimit-mask n group hosts using mask\n"
2191 -"\n", IPTABLES_VERSION);
2194 -static struct option opts[] = {
2195 - { "connlimit-above", 1, 0, '1' },
2196 - { "connlimit-mask", 1, 0, '2' },
2200 -/* Function which parses command options; returns true if it
2203 -parse(int c, char **argv, int invert, unsigned int *flags,
2204 - const struct ipt_entry *entry,
2205 - unsigned int *nfcache,
2206 - struct ipt_entry_match **match)
2208 - struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
2211 - if (0 == (*flags & 2)) {
2212 - /* set default mask unless we've already seen a mask option */
2213 - info->mask = htonl(0xFFFFFFFF);
2218 - check_inverse(optarg, &invert, &optind, 0);
2219 - info->limit = atoi(argv[optind-1]);
2220 - info->inverse = invert;
2225 - i = atoi(argv[optind-1]);
2226 - if ((i < 0) || (i > 32))
2227 - exit_error(PARAMETER_PROBLEM,
2228 - "--connlimit-mask must be between 0 and 32");
2233 - info->mask = htonl(0xFFFFFFFF << (32 - i));
2245 -static void final_check(unsigned int flags)
2248 - exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
2252 -count_bits(u_int32_t mask)
2256 - for (bits = 0, i = 31; i >= 0; i--) {
2257 - if (mask & htonl((u_int32_t)1 << i)) {
2266 -/* Prints out the matchinfo. */
2268 -print(const struct ipt_ip *ip,
2269 - const struct ipt_entry_match *match,
2272 - struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
2274 - printf("#conn/%d %s %d ", count_bits(info->mask),
2275 - info->inverse ? "<" : ">", info->limit);
2278 -/* Saves the matchinfo in parsable form to stdout. */
2279 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2281 - struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
2283 - printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
2284 - printf("--connlimit-mask %d ",count_bits(info->mask));
2287 -static struct iptables_match connlimit = {
2288 - .name = "connlimit",
2289 - .version = IPTABLES_VERSION,
2290 - .size = IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
2291 - .userspacesize = offsetof(struct ipt_connlimit_info,data),
2294 - .final_check = final_check,
2297 - .extra_opts = opts
2302 - register_match(&connlimit);
2304 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connlimit.man iptables-svn/extensions/libipt_connlimit.man
2305 --- iptables-1.3.7/extensions/libipt_connlimit.man 2006-12-04 12:15:19.000000000 +0100
2306 +++ iptables-svn/extensions/libipt_connlimit.man 1970-01-01 01:00:00.000000000 +0100
2308 -Allows you to restrict the number of parallel TCP connections to a
2309 -server per client IP address (or address block).
2311 -[\fB!\fR] \fB--connlimit-above \fIn\fR
2312 -match if the number of existing tcp connections is (not) above n
2314 -.BI "--connlimit-mask " "bits"
2315 -group hosts using mask
2319 -# allow 2 telnet connections per client host
2320 -iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
2322 -# you can also match the other way around:
2323 -iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
2325 -# limit the nr of parallel http requests to 16 per class C sized \
2326 -network (24 bit netmask)
2327 -iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
2328 ---connlimit-mask 24 -j REJECT
2329 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connrate.c iptables-svn/extensions/libipt_connrate.c
2330 --- iptables-1.3.7/extensions/libipt_connrate.c 2006-12-04 12:15:20.000000000 +0100
2331 +++ iptables-svn/extensions/libipt_connrate.c 2007-05-31 12:46:30.000000000 +0200
2335 #include <iptables.h>
2336 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2337 +#include <linux/netfilter/nf_conntrack_common.h>
2338 #include <linux/netfilter_ipv4/ipt_connrate.h>
2340 /* Function which prints out usage message. */
2341 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_conntrack.c iptables-svn/extensions/libipt_conntrack.c
2342 --- iptables-1.3.7/extensions/libipt_conntrack.c 2006-12-04 12:15:19.000000000 +0100
2343 +++ iptables-svn/extensions/libipt_conntrack.c 2007-05-31 12:46:30.000000000 +0200
2347 #include <iptables.h>
2348 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2349 +#include <linux/netfilter/nf_conntrack_common.h>
2350 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
2351 /* For 64bit kernel / 32bit userspace */
2352 #include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
2353 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_DNAT.c iptables-svn/extensions/libipt_DNAT.c
2354 --- iptables-1.3.7/extensions/libipt_DNAT.c 2006-12-04 12:15:19.000000000 +0100
2355 +++ iptables-svn/extensions/libipt_DNAT.c 2007-05-31 12:46:30.000000000 +0200
2358 #include <iptables.h>
2359 #include <linux/netfilter_ipv4/ip_tables.h>
2360 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
2361 +#include <linux/netfilter/nf_nat.h>
2363 +#define IPT_DNAT_OPT_DEST 0x1
2364 +#define IPT_DNAT_OPT_RANDOM 0x2
2366 /* Dest NAT data consists of a multi-range, indicating where to map
2369 "DNAT v%s options:\n"
2370 " --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
2371 " Address to map destination to.\n"
2372 -" (You can use this more than once)\n\n",
2378 static struct option opts[] = {
2379 { "to-destination", 1, 0, '1' },
2380 + { "random", 0, 0, '2' },
2384 @@ -163,9 +168,18 @@
2385 "Multiple --to-destination not supported");
2387 *target = parse_to(optarg, portok, info);
2389 + /* WTF do we need this for?? */
2390 + if (*flags & IPT_DNAT_OPT_RANDOM)
2391 + info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
2392 + *flags |= IPT_DNAT_OPT_DEST;
2396 + if (*flags & IPT_DNAT_OPT_DEST) {
2397 + info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
2398 + *flags |= IPT_DNAT_OPT_RANDOM;
2400 + *flags |= IPT_DNAT_OPT_RANDOM;
2405 for (i = 0; i < info->mr.rangesize; i++) {
2406 print_range(&info->mr.range[i]);
2408 + if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
2409 + printf("random ");
2414 printf("--to-destination ");
2415 print_range(&info->mr.range[i]);
2417 + if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
2418 + printf("--random ");
2422 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_DNAT.man iptables-svn/extensions/libipt_DNAT.man
2423 --- iptables-1.3.7/extensions/libipt_DNAT.man 2006-12-04 12:15:20.000000000 +0100
2424 +++ iptables-svn/extensions/libipt_DNAT.man 2007-05-31 12:46:30.000000000 +0200
2426 If no port range is specified, then the destination port will never be
2427 modified. If no IP address is specified then only the destination port
2432 In Kernels up to 2.6.10 you can add several --to-destination options. For
2433 those kernels, if you specify more than one destination address, either via an
2434 address range or multiple --to-destination options, a simple round-robin (one
2435 after another in cycle) load balancing takes place between these addresses.
2436 Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
2443 +is used then port mapping will be randomized (kernel >= 2.6.22).
2446 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_dstlimit.c iptables-svn/extensions/libipt_dstlimit.c
2447 --- iptables-1.3.7/extensions/libipt_dstlimit.c 2006-12-04 12:15:19.000000000 +0100
2448 +++ iptables-svn/extensions/libipt_dstlimit.c 1970-01-01 01:00:00.000000000 +0100
2450 -/* iptables match extension for limiting packets per destination
2452 - * (C) 2003 by Harald Welte <laforge@netfilter.org>
2454 - * Development of this code was funded by Astaro AG, http://www.astaro.com/
2456 - * Based on ipt_limit.c by
2457 - * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
2458 - * Hervé Eychenne <rv@wallfire.org>
2462 -#include <string.h>
2463 -#include <stdlib.h>
2464 -#include <getopt.h>
2465 -#include <iptables.h>
2466 -#include <stddef.h>
2467 -#include <linux/netfilter_ipv4/ip_tables.h>
2468 -#include <linux/netfilter_ipv4/ipt_dstlimit.h>
2470 -#define IPT_DSTLIMIT_BURST 5
2473 -#define IPT_DSTLIMIT_GCINTERVAL 1000
2474 -#define IPT_DSTLIMIT_EXPIRE 10000
2476 -/* Function which prints out usage message. */
2481 -"dstlimit v%s options:\n"
2482 -"--dstlimit <avg> max average match rate\n"
2483 -" [Packets per second unless followed by \n"
2484 -" /sec /minute /hour /day postfixes]\n"
2485 -"--dstlimit-mode <mode> mode\n"
2489 -" srcip-dstip-dstport\n"
2490 -"--dstlimit-name <name> name for /proc/net/ipt_dstlimit/\n"
2491 -"[--dstlimit-burst <num>] number to match in a burst, default %u\n"
2492 -"[--dstlimit-htable-size <num>] number of hashtable buckets\n"
2493 -"[--dstlimit-htable-max <num>] number of hashtable entries\n"
2494 -"[--dstlimit-htable-gcinterval] interval between garbage collection runs\n"
2495 -"[--dstlimit-htable-expire] after which time are idle entries expired?\n"
2496 -"\n", IPTABLES_VERSION, IPT_DSTLIMIT_BURST);
2499 -static struct option opts[] = {
2500 - { "dstlimit", 1, 0, '%' },
2501 - { "dstlimit-burst", 1, 0, '$' },
2502 - { "dstlimit-htable-size", 1, 0, '&' },
2503 - { "dstlimit-htable-max", 1, 0, '*' },
2504 - { "dstlimit-htable-gcinterval", 1, 0, '(' },
2505 - { "dstlimit-htable-expire", 1, 0, ')' },
2506 - { "dstlimit-mode", 1, 0, '_' },
2507 - { "dstlimit-name", 1, 0, '"' },
2512 -int parse_rate(const char *rate, u_int32_t *val)
2514 - const char *delim;
2516 - u_int32_t mult = 1; /* Seconds by default. */
2518 - delim = strchr(rate, '/');
2520 - if (strlen(delim+1) == 0)
2523 - if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
2525 - else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
2527 - else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
2529 - else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
2538 - /* This would get mapped to infinite (1/day is minimum they
2539 - can specify, so we're ok at that end). */
2540 - if (r / mult > IPT_DSTLIMIT_SCALE)
2541 - exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
2543 - *val = IPT_DSTLIMIT_SCALE * mult / r;
2547 -/* Initialize the match. */
2549 -init(struct ipt_entry_match *m, unsigned int *nfcache)
2551 - struct ipt_dstlimit_info *r = (struct ipt_dstlimit_info *)m->data;
2553 - r->cfg.burst = IPT_DSTLIMIT_BURST;
2554 - r->cfg.gc_interval = IPT_DSTLIMIT_GCINTERVAL;
2555 - r->cfg.expire = IPT_DSTLIMIT_EXPIRE;
2559 -#define PARAM_LIMIT 0x00000001
2560 -#define PARAM_BURST 0x00000002
2561 -#define PARAM_MODE 0x00000004
2562 -#define PARAM_NAME 0x00000008
2563 -#define PARAM_SIZE 0x00000010
2564 -#define PARAM_MAX 0x00000020
2565 -#define PARAM_GCINTERVAL 0x00000040
2566 -#define PARAM_EXPIRE 0x00000080
2568 -/* Function which parses command options; returns true if it
2571 -parse(int c, char **argv, int invert, unsigned int *flags,
2572 - const struct ipt_entry *entry,
2573 - unsigned int *nfcache,
2574 - struct ipt_entry_match **match)
2576 - struct ipt_dstlimit_info *r =
2577 - (struct ipt_dstlimit_info *)(*match)->data;
2582 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2583 - if (!parse_rate(optarg, &r->cfg.avg))
2584 - exit_error(PARAMETER_PROBLEM,
2585 - "bad rate `%s'", optarg);
2586 - *flags |= PARAM_LIMIT;
2590 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2591 - if (string_to_number(optarg, 0, 10000, &num) == -1)
2592 - exit_error(PARAMETER_PROBLEM,
2593 - "bad --dstlimit-burst `%s'", optarg);
2594 - r->cfg.burst = num;
2595 - *flags |= PARAM_BURST;
2598 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2599 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2600 - exit_error(PARAMETER_PROBLEM,
2601 - "bad --dstlimit-htable-size: `%s'", optarg);
2602 - r->cfg.size = num;
2603 - *flags |= PARAM_SIZE;
2606 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2607 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2608 - exit_error(PARAMETER_PROBLEM,
2609 - "bad --dstlimit-htable-max: `%s'", optarg);
2611 - *flags |= PARAM_MAX;
2614 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2615 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2616 - exit_error(PARAMETER_PROBLEM,
2617 - "bad --dstlimit-htable-gcinterval: `%s'",
2619 - /* FIXME: not HZ dependent!! */
2620 - r->cfg.gc_interval = num;
2621 - *flags |= PARAM_GCINTERVAL;
2624 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2625 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2626 - exit_error(PARAMETER_PROBLEM,
2627 - "bad --dstlimit-htable-expire: `%s'", optarg);
2628 - /* FIXME: not HZ dependent */
2629 - r->cfg.expire = num;
2630 - *flags |= PARAM_EXPIRE;
2633 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2634 - if (!strcmp(optarg, "dstip"))
2635 - r->cfg.mode = IPT_DSTLIMIT_HASH_DIP;
2636 - else if (!strcmp(optarg, "dstip-destport") ||
2637 - !strcmp(optarg, "dstip-dstport"))
2638 - r->cfg.mode = IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
2639 - else if (!strcmp(optarg, "srcip-dstip"))
2640 - r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP;
2641 - else if (!strcmp(optarg, "srcip-dstip-destport") ||
2642 - !strcmp(optarg, "srcip-dstip-dstport"))
2643 - r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
2645 - exit_error(PARAMETER_PROBLEM,
2646 - "bad --dstlimit-mode: `%s'\n", optarg);
2647 - *flags |= PARAM_MODE;
2650 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2651 - if (strlen(optarg) == 0)
2652 - exit_error(PARAMETER_PROBLEM, "Zero-length name?");
2653 - strncpy(r->name, optarg, sizeof(r->name));
2654 - *flags |= PARAM_NAME;
2661 - exit_error(PARAMETER_PROBLEM,
2662 - "dstlimit does not support invert");
2667 -/* Final check; nothing. */
2668 -static void final_check(unsigned int flags)
2670 - if (!(flags & PARAM_LIMIT))
2671 - exit_error(PARAMETER_PROBLEM,
2672 - "You have to specify --dstlimit");
2673 - if (!(flags & PARAM_MODE))
2674 - exit_error(PARAMETER_PROBLEM,
2675 - "You have to specify --dstlimit-mode");
2676 - if (!(flags & PARAM_NAME))
2677 - exit_error(PARAMETER_PROBLEM,
2678 - "You have to specify --dstlimit-name");
2681 -static struct rates
2685 -} rates[] = { { "day", IPT_DSTLIMIT_SCALE*24*60*60 },
2686 - { "hour", IPT_DSTLIMIT_SCALE*60*60 },
2687 - { "min", IPT_DSTLIMIT_SCALE*60 },
2688 - { "sec", IPT_DSTLIMIT_SCALE } };
2690 -static void print_rate(u_int32_t period)
2694 - for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
2695 - if (period > rates[i].mult
2696 - || rates[i].mult/period < rates[i].mult%period)
2700 - printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
2703 -/* Prints out the matchinfo. */
2705 -print(const struct ipt_ip *ip,
2706 - const struct ipt_entry_match *match,
2709 - struct ipt_dstlimit_info *r =
2710 - (struct ipt_dstlimit_info *)match->data;
2711 - printf("limit: avg "); print_rate(r->cfg.avg);
2712 - printf("burst %u ", r->cfg.burst);
2713 - switch (r->cfg.mode) {
2714 - case (IPT_DSTLIMIT_HASH_DIP):
2715 - printf("mode dstip ");
2717 - case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2718 - printf("mode dstip-dstport ");
2720 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
2721 - printf("mode srcip-dstip ");
2723 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2724 - printf("mode srcip-dstip-dstport ");
2728 - printf("htable-size %u ", r->cfg.size);
2730 - printf("htable-max %u ", r->cfg.max);
2731 - if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
2732 - printf("htable-gcinterval %u ", r->cfg.gc_interval);
2733 - if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
2734 - printf("htable-expire %u ", r->cfg.expire);
2737 -/* FIXME: Make minimalist: only print rate if not default --RR */
2738 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2740 - struct ipt_dstlimit_info *r =
2741 - (struct ipt_dstlimit_info *)match->data;
2743 - printf("--dstlimit "); print_rate(r->cfg.avg);
2744 - if (r->cfg.burst != IPT_DSTLIMIT_BURST)
2745 - printf("--dstlimit-burst %u ", r->cfg.burst);
2746 - switch (r->cfg.mode) {
2747 - case (IPT_DSTLIMIT_HASH_DIP):
2748 - printf("--mode dstip ");
2750 - case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2751 - printf("--mode dstip-dstport ");
2753 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
2754 - printf("--mode srcip-dstip ");
2756 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2757 - printf("--mode srcip-dstip-dstport ");
2761 - printf("--dstlimit-htable-size %u ", r->cfg.size);
2763 - printf("--dstlimit-htable-max %u ", r->cfg.max);
2764 - if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
2765 - printf("--dstlimit-htable-gcinterval %u", r->cfg.gc_interval);
2766 - if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
2767 - printf("--dstlimit-htable-expire %u ", r->cfg.expire);
2770 -static struct iptables_match dstlimit = {
2772 - .name = "dstlimit",
2773 - .version = IPTABLES_VERSION,
2774 - .size = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
2775 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
2776 - //offsetof(struct ipt_dstlimit_info, prev),
2780 - .final_check = &final_check,
2783 - .extra_opts = opts
2788 - register_match(&dstlimit);
2790 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_dstlimit.man iptables-svn/extensions/libipt_dstlimit.man
2791 --- iptables-1.3.7/extensions/libipt_dstlimit.man 2006-12-04 12:15:20.000000000 +0100
2792 +++ iptables-svn/extensions/libipt_dstlimit.man 1970-01-01 01:00:00.000000000 +0100
2794 -This module allows you to limit the packet per second (pps) rate on a per
2795 -destination IP or per destination port base. As opposed to the `limit' match,
2796 -every destination ip / destination port has it's own limit.
2798 -THIS MODULE IS DEPRECATED AND HAS BEEN REPLACED BY ``hashlimit''
2800 -.BI "--dstlimit " "avg"
2801 -Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
2803 -.BI "--dstlimit-mode " "mode"
2804 -The limiting hashmode. Is the specified limit per
2805 -.B dstip, dstip-dstport
2809 -.B srcipdstip-dstport
2812 -.BI "--dstlimit-name " "name"
2813 -Name for /proc/net/ipt_dstlimit/* file entry
2815 -.BI "[" "--dstlimit-burst " "burst" "]"
2816 -Number of packets to match in a burst. Default: 5
2818 -.BI "[" "--dstlimit-htable-size " "size" "]"
2819 -Number of buckets in the hashtable
2821 -.BI "[" "--dstlimit-htable-max " "max" "]"
2822 -Maximum number of entries in the hashtable
2824 -.BI "[" "--dstlimit-htable-gcinterval " "interval" "]"
2825 -Interval between garbage collection runs of the hashtable (in miliseconds).
2826 -Default is 1000 (1 second).
2828 -.BI "[" "--dstlimit-htable-expire " "time"
2829 -After which time are idle entries expired from hashtable (in miliseconds)?
2830 -Default is 10000 (10 seconds).
2831 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_FTOS.c iptables-svn/extensions/libipt_FTOS.c
2832 --- iptables-1.3.7/extensions/libipt_FTOS.c 2006-12-04 12:15:19.000000000 +0100
2833 +++ iptables-svn/extensions/libipt_FTOS.c 1970-01-01 01:00:00.000000000 +0100
2835 -/* Shared library add-on to iptables for FTOS
2837 - * (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
2839 - * This program is distributed under the terms of GNU GPL v2, 1991
2841 - * libipt_FTOS.c borrowed heavily from libipt_TOS.c 11/09/2000
2845 -#include <string.h>
2846 -#include <stdlib.h>
2847 -#include <getopt.h>
2849 -#include <iptables.h>
2850 -#include <linux/netfilter_ipv4/ip_tables.h>
2851 -#include <linux/netfilter_ipv4/ipt_FTOS.h>
2854 - struct ipt_entry_target t;
2858 -static void init(struct ipt_entry_target *t, unsigned int *nfcache)
2862 -static void help(void)
2865 -"FTOS target options\n"
2866 -" --set-ftos value Set TOS field in packet header to value\n"
2867 -" This value can be in decimal (ex: 32)\n"
2868 -" or in hex (ex: 0x20)\n"
2872 -static struct option opts[] = {
2873 - { "set-ftos", 1, 0, 'F' },
2878 -parse_ftos(const unsigned char *s, struct ipt_FTOS_info *finfo)
2880 - unsigned int ftos;
2882 - if (string_to_number(s, 0, 255, &ftos) == -1)
2883 - exit_error(PARAMETER_PROBLEM,
2884 - "Invalid ftos `%s'\n", s);
2885 - finfo->ftos = (u_int8_t )ftos;
2890 -parse(int c, char **argv, int invert, unsigned int *flags,
2891 - const struct ipt_entry *entry,
2892 - struct ipt_entry_target **target)
2894 - struct ipt_FTOS_info *finfo
2895 - = (struct ipt_FTOS_info *)(*target)->data;
2900 - exit_error(PARAMETER_PROBLEM,
2901 - "FTOS target: Only use --set-ftos ONCE!");
2902 - parse_ftos(optarg, finfo);
2914 -final_check(unsigned int flags)
2917 - exit_error(PARAMETER_PROBLEM,
2918 - "FTOS target: Parameter --set-ftos is required");
2922 -print_ftos(u_int8_t ftos, int numeric)
2924 - printf("0x%02x ", ftos);
2927 -/* Prints out the targinfo. */
2929 -print(const struct ipt_ip *ip,
2930 - const struct ipt_entry_target *target,
2933 - const struct ipt_FTOS_info *finfo =
2934 - (const struct ipt_FTOS_info *)target->data;
2935 - printf("TOS set ");
2936 - print_ftos(finfo->ftos, numeric);
2939 -/* Saves the union ipt_targinfo in parsable form to stdout. */
2941 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
2943 - const struct ipt_FTOS_info *finfo =
2944 - (const struct ipt_FTOS_info *)target->data;
2946 - printf("--set-ftos 0x%02x ", finfo->ftos);
2949 -static struct iptables_target ftos = {
2952 - .version = IPTABLES_VERSION,
2953 - .size = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
2954 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
2958 - .final_check = &final_check,
2961 - .extra_opts = opts
2966 - register_target(&ftos);
2968 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_fuzzy.c iptables-svn/extensions/libipt_fuzzy.c
2969 --- iptables-1.3.7/extensions/libipt_fuzzy.c 2006-12-04 12:15:19.000000000 +0100
2970 +++ iptables-svn/extensions/libipt_fuzzy.c 1970-01-01 01:00:00.000000000 +0100
2973 - Shared library add-on to iptables to add match support for the fuzzy match.
2975 - This file is distributed under the terms of the GNU General Public
2976 - License (GPL). Copies of the GPL can be obtained from:
2977 - ftp://prep.ai.mit.edu/pub/gnu/GPL
2979 -2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
2980 -2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
2981 -the save function , thanks to information given by Jean-Francois Patenaude .
2987 -#include <string.h>
2988 -#include <stdlib.h>
2989 -#include <syslog.h>
2990 -#include <getopt.h>
2991 -#include <iptables.h>
2992 -#include <linux/netfilter_ipv4/ip_tables.h>
2993 -#include <linux/netfilter_ipv4/ipt_fuzzy.h>
3000 -"fuzzy v%s options:\n"
3001 -" --lower-limit number (in packets per second)\n"
3002 -" --upper-limit number\n"
3003 -,IPTABLES_VERSION);
3006 -static struct option opts[] = {
3007 - { "lower-limit", 1 , 0 , '1' } ,
3008 - { "upper-limit", 1 , 0 , '2' } ,
3012 -/* Initialize data structures */
3014 -init(struct ipt_entry_match *m, unsigned int *nfcache)
3016 - struct ipt_fuzzy_info *presentinfo = (struct ipt_fuzzy_info *)(m)->data;
3019 - * Default rates ( I'll improve this very soon with something based
3020 - * on real statistics of the running machine ) .
3023 - presentinfo->minimum_rate = 1000;
3024 - presentinfo->maximum_rate = 2000;
3027 -#define IPT_FUZZY_OPT_MINIMUM 0x01
3028 -#define IPT_FUZZY_OPT_MAXIMUM 0x02
3031 -parse(int c, char **argv, int invert, unsigned int *flags,
3032 - const struct ipt_entry *entry,
3033 - unsigned int *nfcache,
3034 - struct ipt_entry_match **match)
3037 -struct ipt_fuzzy_info *fuzzyinfo = (struct ipt_fuzzy_info *)(*match)->data;
3046 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
3048 - if (*flags & IPT_FUZZY_OPT_MINIMUM)
3049 - exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
3051 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
3052 - exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
3054 - fuzzyinfo->minimum_rate = num ;
3056 - *flags |= IPT_FUZZY_OPT_MINIMUM;
3063 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
3065 - if (*flags & IPT_FUZZY_OPT_MAXIMUM)
3066 - exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
3068 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
3069 - exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
3071 - fuzzyinfo->maximum_rate = num ;
3073 - *flags |= IPT_FUZZY_OPT_MAXIMUM;
3083 -static void final_check(unsigned int flags)
3088 -print(const struct ipt_ip *ip,
3089 - const struct ipt_entry_match *match,
3092 - const struct ipt_fuzzy_info *fuzzyinfo
3093 - = (const struct ipt_fuzzy_info *)match->data;
3095 - printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",fuzzyinfo->minimum_rate,fuzzyinfo->maximum_rate);
3099 -/* Saves the union ipt_targinfo in parsable form to stdout. */
3101 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
3103 - const struct ipt_fuzzy_info *fuzzyinfo
3104 - = (const struct ipt_fuzzy_info *)match->data;
3106 - printf("--lower-limit %u ",fuzzyinfo->minimum_rate);
3107 - printf("--upper-limit %u ",fuzzyinfo->maximum_rate);
3111 -static struct iptables_match fuzzy_match = {
3114 - .version = IPTABLES_VERSION,
3115 - .size = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
3116 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
3120 - .final_check = &final_check,
3123 - .extra_opts = opts
3128 - register_match(&fuzzy_match);
3130 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_fuzzy.man iptables-svn/extensions/libipt_fuzzy.man
3131 --- iptables-1.3.7/extensions/libipt_fuzzy.man 2006-12-04 12:15:19.000000000 +0100
3132 +++ iptables-svn/extensions/libipt_fuzzy.man 1970-01-01 01:00:00.000000000 +0100
3134 -This module matches a rate limit based on a fuzzy logic controller [FLC]
3136 -.BI "--lower-limit " "number"
3137 -Specifies the lower limit (in packets per second).
3139 -.BI "--upper-limit " "number"
3140 -Specifies the upper limit (in packets per second).
3141 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_icmp.c iptables-svn/extensions/libipt_icmp.c
3142 --- iptables-1.3.7/extensions/libipt_icmp.c 2006-12-04 12:15:19.000000000 +0100
3143 +++ iptables-svn/extensions/libipt_icmp.c 2007-05-31 12:46:30.000000000 +0200
3148 -/* Final check; we don't care. */
3149 +/* Final check; we don't care. We can pass 0xFF to match any type */
3150 static void final_check(unsigned int flags)
3153 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_icmp.man iptables-svn/extensions/libipt_icmp.man
3154 --- iptables-1.3.7/extensions/libipt_icmp.man 2006-12-04 12:15:20.000000000 +0100
3155 +++ iptables-svn/extensions/libipt_icmp.man 2007-05-31 12:46:30.000000000 +0200
3157 -This extension is loaded if `--protocol icmp' is specified. It
3158 +This extension can be used if `--protocol icmp' is specified. It
3159 provides the following option:
3161 .BR "--icmp-type " "[!] \fItypename\fP"
3162 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_IPMARK.c iptables-svn/extensions/libipt_IPMARK.c
3163 --- iptables-1.3.7/extensions/libipt_IPMARK.c 2006-12-04 12:15:20.000000000 +0100
3164 +++ iptables-svn/extensions/libipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100
3166 -/* Shared library add-on to iptables to add IPMARK target support.
3167 - * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>
3169 - * based on original MARK target
3171 - * This program is distributed under the terms of GNU GPL
3174 -#include <string.h>
3175 -#include <stdlib.h>
3176 -#include <getopt.h>
3178 -#include <iptables.h>
3179 -#include <linux/netfilter_ipv4/ip_tables.h>
3180 -#include <linux/netfilter_ipv4/ipt_IPMARK.h>
3182 -#define IPT_ADDR_USED 1
3183 -#define IPT_AND_MASK_USED 2
3184 -#define IPT_OR_MASK_USED 4
3186 -struct ipmarkinfo {
3187 - struct ipt_entry_target t;
3188 - struct ipt_ipmark_target_info ipmark;
3191 -/* Function which prints out usage message. */
3196 -"IPMARK target v%s options:\n"
3197 -" --addr src/dst use source or destination ip address\n"
3198 -" --and-mask value logical AND ip address with this value becomes MARK\n"
3199 -" --or-mask value logical OR ip address with this value becomes MARK\n"
3204 -static struct option opts[] = {
3205 - { "addr", 1, 0, '1' },
3206 - { "and-mask", 1, 0, '2' },
3207 - { "or-mask", 1, 0, '3' },
3211 -/* Initialize the target. */
3213 -init(struct ipt_entry_target *t, unsigned int *nfcache)
3215 - struct ipt_ipmark_target_info *ipmarkinfo =
3216 - (struct ipt_ipmark_target_info *)t->data;
3218 - ipmarkinfo->andmask=0xffffffff;
3219 - ipmarkinfo->ormask=0;
3223 -/* Function which parses command options; returns true if it
3226 -parse(int c, char **argv, int invert, unsigned int *flags,
3227 - const struct ipt_entry *entry,
3228 - struct ipt_entry_target **target)
3230 - struct ipt_ipmark_target_info *ipmarkinfo
3231 - = (struct ipt_ipmark_target_info *)(*target)->data;
3236 - if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
3237 - else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
3238 - else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
3239 - if (*flags & IPT_ADDR_USED)
3240 - exit_error(PARAMETER_PROBLEM,
3241 - "IPMARK target: Can't specify --addr twice");
3242 - *flags |= IPT_ADDR_USED;
3246 - ipmarkinfo->andmask = strtoul(optarg, &end, 0);
3247 - if (*end != '\0' || end == optarg)
3248 - exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
3249 - if (*flags & IPT_AND_MASK_USED)
3250 - exit_error(PARAMETER_PROBLEM,
3251 - "IPMARK target: Can't specify --and-mask twice");
3252 - *flags |= IPT_AND_MASK_USED;
3255 - ipmarkinfo->ormask = strtoul(optarg, &end, 0);
3256 - if (*end != '\0' || end == optarg)
3257 - exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
3258 - if (*flags & IPT_OR_MASK_USED)
3259 - exit_error(PARAMETER_PROBLEM,
3260 - "IPMARK target: Can't specify --or-mask twice");
3261 - *flags |= IPT_OR_MASK_USED;
3272 -final_check(unsigned int flags)
3274 - if (!(flags & IPT_ADDR_USED))
3275 - exit_error(PARAMETER_PROBLEM,
3276 - "IPMARK target: Parameter --addr is required");
3277 - if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
3278 - exit_error(PARAMETER_PROBLEM,
3279 - "IPMARK target: Parameter --and-mask or --or-mask is required");
3282 -/* Prints out the targinfo. */
3284 -print(const struct ipt_ip *ip,
3285 - const struct ipt_entry_target *target,
3288 - const struct ipt_ipmark_target_info *ipmarkinfo =
3289 - (const struct ipt_ipmark_target_info *)target->data;
3291 - if(ipmarkinfo->addr == IPT_IPMARK_SRC)
3292 - printf("IPMARK src");
3294 - printf("IPMARK dst");
3295 - printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
3298 -/* Saves the union ipt_targinfo in parsable form to stdout. */
3300 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
3302 - const struct ipt_ipmark_target_info *ipmarkinfo =
3303 - (const struct ipt_ipmark_target_info *)target->data;
3305 - if(ipmarkinfo->addr == IPT_IPMARK_SRC)
3306 - printf("--addr=src ");
3308 - printf("--addr=dst ");
3309 - if(ipmarkinfo->andmask != 0xffffffff)
3310 - printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
3311 - if(ipmarkinfo->ormask != 0)
3312 - printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
3315 -static struct iptables_target ipmark = {
3318 - .version = IPTABLES_VERSION,
3319 - .size = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
3320 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
3324 - .final_check = &final_check,
3327 - .extra_opts = opts
3332 - register_target(&ipmark);
3334 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_IPMARK.man iptables-svn/extensions/libipt_IPMARK.man
3335 --- iptables-1.3.7/extensions/libipt_IPMARK.man 2006-12-04 12:15:19.000000000 +0100
3336 +++ iptables-svn/extensions/libipt_IPMARK.man 1970-01-01 01:00:00.000000000 +0100
3338 -Allows you to mark a received packet basing on its IP address. This
3339 -can replace many mangle/mark entries with only one, if you use
3340 -firewall based classifier.
3342 -This target is to be used inside the mangle table, in the PREROUTING,
3343 -POSTROUTING or FORWARD hooks.
3345 -.BI "--addr " "src/dst"
3346 -Use source or destination IP address.
3348 -.BI "--and-mask " "mask"
3349 -Perform bitwise `and' on the IP address and this mask.
3351 -.BI "--or-mask " "mask"
3352 -Perform bitwise `or' on the IP address and this mask.
3354 -The order of IP address bytes is reversed to meet "human order of bytes":
3355 -192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
3360 -We create a queue for each user, the queue number is adequate
3361 -to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
3362 -are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
3364 -We have one classifier rule:
3366 -tc filter add dev eth3 parent 1:0 protocol ip fw
3368 -Earlier we had many rules just like below:
3370 -iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
3373 -iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
3376 -Using IPMARK target we can replace all the mangle/mark rules with only one:
3378 -iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
3379 ---and-mask=0xffff --or-mask=0x10000
3381 -On the routers with hundreds of users there should be significant load
3382 -decrease (e.g. twice).
3383 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_ipv4options.c iptables-svn/extensions/libipt_ipv4options.c
3384 --- iptables-1.3.7/extensions/libipt_ipv4options.c 2006-12-04 12:15:19.000000000 +0100
3385 +++ iptables-svn/extensions/libipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
3387 -/* Shared library add-on to iptables to add ipv4 options matching support. */
3390 -#include <string.h>
3391 -#include <stdlib.h>
3392 -#include <getopt.h>
3394 -#include <iptables.h>
3395 -#include <linux/netfilter_ipv4/ipt_ipv4options.h>
3397 -/* Function which prints out usage message. */
3402 -"ipv4options v%s options:\n"
3403 -" --ssrr (match strict source routing flag)\n"
3404 -" --lsrr (match loose source routing flag)\n"
3405 -" --no-srr (match packets with no source routing)\n\n"
3406 -" [!] --rr (match record route flag)\n\n"
3407 -" [!] --ts (match timestamp flag)\n\n"
3408 -" [!] --ra (match router-alert option)\n\n"
3409 -" [!] --any-opt (match any option or no option at all if used with '!')\n",
3413 -static struct option opts[] = {
3414 - { "ssrr", 0, 0, '1' },
3415 - { "lsrr", 0, 0, '2' },
3416 - { "no-srr", 0, 0, '3'},
3417 - { "rr", 0, 0, '4'},
3418 - { "ts", 0, 0, '5'},
3419 - { "ra", 0, 0, '6'},
3420 - { "any-opt", 0, 0, '7'},
3424 -/* Function which parses command options; returns true if it
3427 -parse(int c, char **argv, int invert, unsigned int *flags,
3428 - const struct ipt_entry *entry,
3429 - unsigned int *nfcache,
3430 - struct ipt_entry_match **match)
3432 - struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
3436 - /* strict-source-routing */
3439 - exit_error(PARAMETER_PROBLEM,
3440 - "ipv4options: unexpected `!' with --ssrr");
3441 - if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
3442 - exit_error(PARAMETER_PROBLEM,
3443 - "Can't specify --ssrr twice");
3444 - if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
3445 - exit_error(PARAMETER_PROBLEM,
3446 - "Can't specify --ssrr with --lsrr");
3447 - if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
3448 - exit_error(PARAMETER_PROBLEM,
3449 - "Can't specify --ssrr with --no-srr");
3451 - info->options |= IPT_IPV4OPTION_MATCH_SSRR;
3452 - *flags |= IPT_IPV4OPTION_MATCH_SSRR;
3455 - /* loose-source-routing */
3458 - exit_error(PARAMETER_PROBLEM,
3459 - "ipv4options: unexpected `!' with --lsrr");
3460 - if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
3461 - exit_error(PARAMETER_PROBLEM,
3462 - "Can't specify --lsrr twice");
3463 - if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
3464 - exit_error(PARAMETER_PROBLEM,
3465 - "Can't specify --lsrr with --ssrr");
3466 - if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
3467 - exit_error(PARAMETER_PROBLEM,
3468 - "Can't specify --lsrr with --no-srr");
3469 - info->options |= IPT_IPV4OPTION_MATCH_LSRR;
3470 - *flags |= IPT_IPV4OPTION_MATCH_LSRR;
3473 - /* no-source-routing */
3476 - exit_error(PARAMETER_PROBLEM,
3477 - "ipv4options: unexpected `!' with --no-srr");
3478 - if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
3479 - exit_error(PARAMETER_PROBLEM,
3480 - "Can't specify --no-srr twice");
3481 - if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
3482 - exit_error(PARAMETER_PROBLEM,
3483 - "Can't specify --no-srr with --ssrr");
3484 - if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
3485 - exit_error(PARAMETER_PROBLEM,
3486 - "Can't specify --no-srr with --lsrr");
3487 - info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
3488 - *flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
3491 - /* record-route */
3493 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
3494 - exit_error(PARAMETER_PROBLEM,
3495 - "Can't specify --rr twice");
3496 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
3497 - exit_error(PARAMETER_PROBLEM,
3498 - "Can't specify ! --rr twice");
3499 - if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
3500 - exit_error(PARAMETER_PROBLEM,
3501 - "Can't specify --rr with ! --rr");
3502 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
3503 - exit_error(PARAMETER_PROBLEM,
3504 - "Can't specify ! --rr with --rr");
3506 - info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
3507 - *flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
3510 - info->options |= IPT_IPV4OPTION_MATCH_RR;
3511 - *flags |= IPT_IPV4OPTION_MATCH_RR;
3517 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
3518 - exit_error(PARAMETER_PROBLEM,
3519 - "Can't specify --ts twice");
3520 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
3521 - exit_error(PARAMETER_PROBLEM,
3522 - "Can't specify ! --ts twice");
3523 - if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
3524 - exit_error(PARAMETER_PROBLEM,
3525 - "Can't specify --ts with ! --ts");
3526 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
3527 - exit_error(PARAMETER_PROBLEM,
3528 - "Can't specify ! --ts with --ts");
3530 - info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
3531 - *flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
3534 - info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
3535 - *flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
3539 - /* router-alert */
3541 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
3542 - exit_error(PARAMETER_PROBLEM,
3543 - "Can't specify --ra twice");
3544 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
3545 - exit_error(PARAMETER_PROBLEM,
3546 - "Can't specify ! --rr twice");
3547 - if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
3548 - exit_error(PARAMETER_PROBLEM,
3549 - "Can't specify --ra with ! --ra");
3550 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
3551 - exit_error(PARAMETER_PROBLEM,
3552 - "Can't specify ! --ra with --ra");
3554 - info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
3555 - *flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
3558 - info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
3559 - *flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
3565 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
3566 - exit_error(PARAMETER_PROBLEM,
3567 - "Can't specify --any-opt twice");
3568 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
3569 - exit_error(PARAMETER_PROBLEM,
3570 - "Can't specify ! --any-opt with --any-opt");
3571 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
3572 - exit_error(PARAMETER_PROBLEM,
3573 - "Can't specify ! --any-opt twice");
3575 - ((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR) ||
3576 - (*flags & IPT_IPV4OPTION_DONT_MATCH_RR) ||
3577 - (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
3578 - (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
3579 - exit_error(PARAMETER_PROBLEM,
3580 - "Can't specify --any-opt with any other negative ipv4options match");
3582 - ((*flags & IPT_IPV4OPTION_MATCH_LSRR) ||
3583 - (*flags & IPT_IPV4OPTION_MATCH_SSRR) ||
3584 - (*flags & IPT_IPV4OPTION_MATCH_RR) ||
3585 - (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
3586 - (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
3587 - exit_error(PARAMETER_PROBLEM,
3588 - "Can't specify ! --any-opt with any other positive ipv4options match");
3590 - info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
3591 - *flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
3594 - info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
3595 - *flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
3606 -final_check(unsigned int flags)
3609 - exit_error(PARAMETER_PROBLEM,
3610 - "ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
3613 -/* Prints out the matchinfo. */
3615 -print(const struct ipt_ip *ip,
3616 - const struct ipt_entry_match *match,
3619 - struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
3621 - printf(" IPV4OPTS");
3622 - if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
3624 - else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
3626 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
3628 - if (info->options & IPT_IPV4OPTION_MATCH_RR)
3630 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
3632 - if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
3634 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
3636 - if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
3638 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
3640 - if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
3641 - printf(" ANYOPT ");
3642 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
3648 -/* Saves the data in parsable form to stdout. */
3650 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
3652 - struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
3654 - if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
3655 - printf(" --ssrr");
3656 - else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
3657 - printf(" --lsrr");
3658 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
3659 - printf(" --no-srr");
3660 - if (info->options & IPT_IPV4OPTION_MATCH_RR)
3662 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
3663 - printf(" ! --rr");
3664 - if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
3666 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
3667 - printf(" ! --ts");
3668 - if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
3670 - else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
3671 - printf(" ! --ra");
3672 - if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
3673 - printf(" --any-opt");
3674 - if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
3675 - printf(" ! --any-opt");
3680 -static struct iptables_match ipv4options_struct = {
3682 - .name = "ipv4options",
3683 - .version = IPTABLES_VERSION,
3684 - .size = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
3685 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
3688 - .final_check = &final_check,
3691 - .extra_opts = opts
3696 - register_match(&ipv4options_struct);
3698 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_ipv4options.man iptables-svn/extensions/libipt_ipv4options.man
3699 --- iptables-1.3.7/extensions/libipt_ipv4options.man 2006-12-04 12:15:19.000000000 +0100
3700 +++ iptables-svn/extensions/libipt_ipv4options.man 1970-01-01 01:00:00.000000000 +0100
3702 -Match on IPv4 header options like source routing, record route,
3703 -timestamp and router-alert.
3706 -To match packets with the flag strict source routing.
3709 -To match packets with the flag loose source routing.
3712 -To match packets with no flag for source routing.
3714 -.B "\fR[\fB!\fR]\fB --rr"
3715 -To match packets with the RR flag.
3717 -.B "\fR[\fB!\fR]\fB --ts"
3718 -To match packets with the TS flag.
3720 -.B "\fR[\fB!\fR]\fB --ra"
3721 -To match packets with the router-alert option.
3723 -.B "\fR[\fB!\fR]\fB --any-opt"
3724 -To match a packet with at least one IP option, or no IP option
3725 -at all if ! is chosen.
3729 -$ iptables -A input -m ipv4options --rr -j DROP
3730 -will drop packets with the record-route flag.
3732 -$ iptables -A input -m ipv4options --ts -j DROP
3733 -will drop packets with the timestamp flag.
3734 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_IPV4OPTSSTRIP.c iptables-svn/extensions/libipt_IPV4OPTSSTRIP.c
3735 --- iptables-1.3.7/extensions/libipt_IPV4OPTSSTRIP.c 2006-12-04 12:15:20.000000000 +0100
3736 +++ iptables-svn/extensions/libipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100
3738 -/* Shared library add-on to iptables for IPV4OPTSSTRIP
3739 - * This modules strip all the IP options.
3741 - * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
3742 - * This program is distributed under the terms of GNU GPL v2, 1991
3746 -#include <string.h>
3747 -#include <stdlib.h>
3748 -#include <getopt.h>
3750 -#include <iptables.h>
3751 -#include <linux/netfilter_ipv4/ip_tables.h>
3753 -static void help(void)
3755 - printf("IPV4OPTSSTRIP v%s target takes no option !! Make sure you use it in the mangle table.\n",
3756 - IPTABLES_VERSION);
3759 -static struct option opts[] = {
3763 -/* Function which parses command options; returns true if it
3766 -parse(int c, char **argv, int invert, unsigned int *flags,
3767 - const struct ipt_entry *entry,
3768 - struct ipt_entry_target **target)
3774 -final_check(unsigned int flags)
3778 -/* Prints out the targinfo. */
3780 -print(const struct ipt_ip *ip,
3781 - const struct ipt_entry_target *target,
3784 - /* nothing to print, we don't take option... */
3787 -/* Saves the stuff in parsable form to stdout. */
3789 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
3791 - /* nothing to print, we don't take option... */
3794 -static struct iptables_target IPV4OPTSSTRIP = {
3796 - .name = "IPV4OPTSSTRIP",
3797 - .version = IPTABLES_VERSION,
3798 - .size = IPT_ALIGN(0),
3799 - .userspacesize = IPT_ALIGN(0),
3802 - .final_check = &final_check,
3805 - .extra_opts = opts
3810 - register_target(&IPV4OPTSSTRIP);
3812 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_IPV4OPTSSTRIP.man iptables-svn/extensions/libipt_IPV4OPTSSTRIP.man
3813 --- iptables-1.3.7/extensions/libipt_IPV4OPTSSTRIP.man 2006-12-04 12:15:19.000000000 +0100
3814 +++ iptables-svn/extensions/libipt_IPV4OPTSSTRIP.man 1970-01-01 01:00:00.000000000 +0100
3816 -Strip all the IP options from a packet.
3818 -The target doesn't take any option, and therefore is extremly easy to use :
3820 -# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
3821 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_MASQUERADE.c iptables-svn/extensions/libipt_MASQUERADE.c
3822 --- iptables-1.3.7/extensions/libipt_MASQUERADE.c 2006-12-04 12:15:19.000000000 +0100
3823 +++ iptables-svn/extensions/libipt_MASQUERADE.c 2007-05-31 12:46:30.000000000 +0200
3826 #include <iptables.h>
3827 #include <linux/netfilter_ipv4/ip_tables.h>
3828 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
3829 +#include <linux/netfilter/nf_nat.h>
3831 /* Function which prints out usage message. */
3835 "MASQUERADE v%s options:\n"
3836 " --to-ports <port>[-<port>]\n"
3837 -" Port (range) to map to.\n\n",
3838 +" Port (range) to map to.\n"
3840 +" Randomize source port.\n"
3846 static struct option opts[] = {
3847 { "to-ports", 1, 0, '1' },
3848 + { "random", 0, 0, '2' },
3852 @@ -100,6 +105,10 @@
3853 parse_ports(optarg, mr);
3857 + mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
3864 printf("-%hu", ntohs(r->max.tcp.port));
3868 + if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
3869 + printf("random ");
3872 /* Saves the union ipt_targinfo in parsable form to stdout. */
3874 printf("-%hu", ntohs(r->max.tcp.port));
3878 + if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
3879 + printf("--random ");
3882 static struct iptables_target masq = { NULL,
3883 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_MASQUERADE.man iptables-svn/extensions/libipt_MASQUERADE.man
3884 --- iptables-1.3.7/extensions/libipt_MASQUERADE.man 2006-12-04 12:15:19.000000000 +0100
3885 +++ iptables-svn/extensions/libipt_MASQUERADE.man 2007-05-31 12:46:30.000000000 +0200
3892 +Randomize source port mapping
3895 +is used then port mapping will be randomized (kernel >= 2.6.21).
3898 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_mport.c iptables-svn/extensions/libipt_mport.c
3899 --- iptables-1.3.7/extensions/libipt_mport.c 2006-12-04 12:15:19.000000000 +0100
3900 +++ iptables-svn/extensions/libipt_mport.c 1970-01-01 01:00:00.000000000 +0100
3902 -/* Shared library add-on to iptables to add multiple TCP port support. */
3905 -#include <string.h>
3906 -#include <stdlib.h>
3907 -#include <getopt.h>
3908 -#include <iptables.h>
3909 -#include <linux/netfilter_ipv4/ipt_mport.h>
3911 -/* Function which prints out usage message. */
3916 -"mport v%s options:\n"
3917 -" --source-ports port[,port:port,port...]\n"
3919 -" match source port(s)\n"
3920 -" --destination-ports port[,port:port,port...]\n"
3922 -" match destination port(s)\n"
3923 -" --ports port[,port:port,port]\n"
3924 -" match both source and destination port(s)\n",
3928 -static struct option opts[] = {
3929 - { "source-ports", 1, 0, '1' },
3930 - { "sports", 1, 0, '1' }, /* synonym */
3931 - { "destination-ports", 1, 0, '2' },
3932 - { "dports", 1, 0, '2' }, /* synonym */
3933 - { "ports", 1, 0, '3' },
3938 -parse_multi_ports(const char *portstring, struct ipt_mport *minfo,
3939 - const char *proto)
3941 - char *buffer, *cp, *next, *range;
3945 - buffer = strdup(portstring);
3946 - if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
3948 - minfo->pflags = 0;
3950 - for (cp=buffer, i=0, m=1; cp && i<IPT_MULTI_PORTS; cp=next,i++,m<<=1)
3952 - next=strchr(cp, ',');
3953 - if (next) *next++='\0';
3954 - range = strchr(cp, ':');
3956 - if (i == IPT_MULTI_PORTS-1)
3957 - exit_error(PARAMETER_PROBLEM,
3958 - "too many ports specified");
3961 - minfo->ports[i] = parse_port(cp, proto);
3963 - minfo->pflags |= m;
3964 - minfo->ports[++i] = parse_port(range, proto);
3965 - if (minfo->ports[i-1] >= minfo->ports[i])
3966 - exit_error(PARAMETER_PROBLEM,
3967 - "invalid portrange specified");
3971 - if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
3972 - if (i == IPT_MULTI_PORTS-1)
3973 - minfo->ports[i] = minfo->ports[i-1];
3974 - else if (i < IPT_MULTI_PORTS-1) {
3975 - minfo->ports[i] = ~0;
3976 - minfo->pflags |= 1<<i;
3981 -/* Initialize the match. */
3983 -init(struct ipt_entry_match *m, unsigned int *nfcache)
3987 -static const char *
3988 -check_proto(const struct ipt_entry *entry)
3990 - if (entry->ip.proto == IPPROTO_TCP)
3992 - else if (entry->ip.proto == IPPROTO_UDP)
3994 - else if (!entry->ip.proto)
3995 - exit_error(PARAMETER_PROBLEM,
3996 - "multiport needs `-p tcp' or `-p udp'");
3998 - exit_error(PARAMETER_PROBLEM,
3999 - "multiport only works with TCP or UDP");
4002 -/* Function which parses command options; returns true if it
4005 -parse(int c, char **argv, int invert, unsigned int *flags,
4006 - const struct ipt_entry *entry,
4007 - unsigned int *nfcache,
4008 - struct ipt_entry_match **match)
4010 - const char *proto;
4011 - struct ipt_mport *minfo
4012 - = (struct ipt_mport *)(*match)->data;
4016 - check_inverse(argv[optind-1], &invert, &optind, 0);
4017 - proto = check_proto(entry);
4018 - parse_multi_ports(argv[optind-1], minfo, proto);
4019 - minfo->flags = IPT_MPORT_SOURCE;
4023 - check_inverse(argv[optind-1], &invert, &optind, 0);
4024 - proto = check_proto(entry);
4025 - parse_multi_ports(argv[optind-1], minfo, proto);
4026 - minfo->flags = IPT_MPORT_DESTINATION;
4030 - check_inverse(argv[optind-1], &invert, &optind, 0);
4031 - proto = check_proto(entry);
4032 - parse_multi_ports(argv[optind-1], minfo, proto);
4033 - minfo->flags = IPT_MPORT_EITHER;
4041 - exit_error(PARAMETER_PROBLEM,
4042 - "multiport does not support invert");
4045 - exit_error(PARAMETER_PROBLEM,
4046 - "multiport can only have one option");
4051 -/* Final check; must specify something. */
4053 -final_check(unsigned int flags)
4056 - exit_error(PARAMETER_PROBLEM, "mport expects an option");
4060 -port_to_service(int port, u_int8_t proto)
4062 - struct servent *service;
4064 - if ((service = getservbyport(htons(port),
4065 - proto == IPPROTO_TCP ? "tcp" : "udp")))
4066 - return service->s_name;
4072 -print_port(u_int16_t port, u_int8_t protocol, int numeric)
4076 - if (numeric || (service = port_to_service(port, protocol)) == NULL)
4077 - printf("%u", port);
4079 - printf("%s", service);
4082 -/* Prints out the matchinfo. */
4084 -print(const struct ipt_ip *ip,
4085 - const struct ipt_entry_match *match,
4088 - const struct ipt_mport *minfo
4089 - = (const struct ipt_mport *)match->data;
4091 - u_int16_t pflags = minfo->pflags;
4095 - switch (minfo->flags) {
4096 - case IPT_MPORT_SOURCE:
4097 - printf("sports ");
4100 - case IPT_MPORT_DESTINATION:
4101 - printf("dports ");
4104 - case IPT_MPORT_EITHER:
4113 - for (i=0; i < IPT_MULTI_PORTS; i++) {
4114 - if (pflags & (1<<i)
4115 - && minfo->ports[i] == 65535)
4117 - if (i == IPT_MULTI_PORTS-1
4118 - && minfo->ports[i-1] == minfo->ports[i])
4120 - printf("%s", i ? "," : "");
4121 - print_port(minfo->ports[i], ip->proto, numeric);
4122 - if (pflags & (1<<i)) {
4124 - print_port(minfo->ports[++i], ip->proto, numeric);
4130 -/* Saves the union ipt_matchinfo in parsable form to stdout. */
4131 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
4133 - const struct ipt_mport *minfo
4134 - = (const struct ipt_mport *)match->data;
4136 - u_int16_t pflags = minfo->pflags;
4138 - switch (minfo->flags) {
4139 - case IPT_MPORT_SOURCE:
4140 - printf("--sports ");
4143 - case IPT_MPORT_DESTINATION:
4144 - printf("--dports ");
4147 - case IPT_MPORT_EITHER:
4148 - printf("--ports ");
4152 - for (i=0; i < IPT_MULTI_PORTS; i++) {
4153 - if (pflags & (1<<i)
4154 - && minfo->ports[i] == 65535)
4156 - if (i == IPT_MULTI_PORTS-1
4157 - && minfo->ports[i-1] == minfo->ports[i])
4159 - printf("%s", i ? "," : "");
4160 - print_port(minfo->ports[i], ip->proto, 1);
4161 - if (pflags & (1<<i)) {
4163 - print_port(minfo->ports[++i], ip->proto, 1);
4169 -static struct iptables_match mport = {
4172 - .version = IPTABLES_VERSION,
4173 - .size = IPT_ALIGN(sizeof(struct ipt_mport)),
4174 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_mport)),
4178 - .final_check = &final_check,
4181 - .extra_opts = opts
4187 - register_match(&mport);
4189 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_mport.man iptables-svn/extensions/libipt_mport.man
4190 --- iptables-1.3.7/extensions/libipt_mport.man 2006-12-04 12:15:20.000000000 +0100
4191 +++ iptables-svn/extensions/libipt_mport.man 1970-01-01 01:00:00.000000000 +0100
4193 -This module matches a set of source or destination ports. Up to 15
4194 -ports can be specified. It can only be used in conjunction with
4199 -.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
4200 -Match if the source port is one of the given ports. The flag
4202 -is a convenient alias for this option.
4204 -.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
4205 -Match if the destination port is one of the given ports. The flag
4207 -is a convenient alias for this option.
4209 -.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
4210 -Match if the both the source and destination ports are equal to each
4211 -other and to one of the given ports.
4212 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_multiport.c iptables-svn/extensions/libipt_multiport.c
4213 --- iptables-1.3.7/extensions/libipt_multiport.c 2006-12-04 12:15:19.000000000 +0100
4214 +++ iptables-svn/extensions/libipt_multiport.c 2007-05-31 12:46:30.000000000 +0200
4219 + case IPPROTO_UDPLITE:
4224 @@ -141,16 +143,17 @@
4226 if (entry->ip.invflags & IPT_INV_PROTO)
4227 exit_error(PARAMETER_PROBLEM,
4228 - "multiport only works with TCP or UDP");
4229 + "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
4231 if ((proto = proto_to_name(entry->ip.proto)) != NULL)
4233 else if (!entry->ip.proto)
4234 exit_error(PARAMETER_PROBLEM,
4235 - "multiport needs `-p tcp', `-p udp', `-p sctp' or `-p dccp'");
4236 + "multiport needs `-p tcp', `-p udp', `-p udplite', "
4237 + "`-p sctp' or `-p dccp'");
4239 exit_error(PARAMETER_PROBLEM,
4240 - "multiport only works with TCP, UDP, SCTP and DCCP");
4241 + "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
4244 /* Function which parses command options; returns true if it
4245 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_NETLINK.c iptables-svn/extensions/libipt_NETLINK.c
4246 --- iptables-1.3.7/extensions/libipt_NETLINK.c 2006-12-04 12:15:20.000000000 +0100
4247 +++ iptables-svn/extensions/libipt_NETLINK.c 1970-01-01 01:00:00.000000000 +0100
4249 -/* Provides a NETLINK target, identical to that of the ipchains -o flag */
4250 -/* AUTHOR: Gianni Tedesco <gianni@ecsc.co.uk> */
4253 -#include <string.h>
4254 -#include <stdlib.h>
4255 -#include <syslog.h>
4256 -#include <getopt.h>
4257 -#include <iptables.h>
4258 -#include <linux/netfilter_ipv4/ip_tables.h>
4259 -#include <linux/netfilter_ipv4/ipt_NETLINK.h>
4261 -static void help(void)
4263 - printf("NETLINK v%s options:\n"
4264 - " --nldrop Drop the packet too\n"
4265 - " --nlmark <number> Mark the packet\n"
4266 - " --nlsize <bytes> Limit packet size\n",
4267 - IPTABLES_VERSION);
4270 -static struct option opts[] = {
4271 - {"nldrop", 0, 0, 'd'},
4272 - {"nlmark", 1, 0, 'm'},
4273 - {"nlsize", 1, 0, 's'},
4277 -static void init(struct ipt_entry_target *t, unsigned int *nfcache)
4279 - struct ipt_nldata *nld = (struct ipt_nldata *) t->data;
4285 -/* Parse command options */
4286 -static int parse(int c, char **argv, int invert, unsigned int *flags,
4287 - const struct ipt_entry *entry,
4288 - struct ipt_entry_target **target)
4290 - struct ipt_nldata *nld=(struct ipt_nldata *)(*target)->data;
4294 - if (MASK(*flags, USE_DROP))
4295 - exit_error(PARAMETER_PROBLEM,
4296 - "Can't specify --nldrop twice");
4298 - if ( check_inverse(optarg, &invert, NULL, 0) ) {
4299 - MASK_UNSET(nld->flags, USE_DROP);
4301 - MASK_SET(nld->flags, USE_DROP);
4304 - MASK_SET(*flags, USE_DROP);
4308 - if (MASK(*flags, USE_MARK))
4309 - exit_error(PARAMETER_PROBLEM,
4310 - "Can't specify --nlmark twice");
4312 - if (check_inverse(optarg, &invert, NULL, 0)) {
4313 - MASK_UNSET(nld->flags, USE_MARK);
4315 - MASK_SET(nld->flags, USE_MARK);
4316 - nld->mark=atoi(optarg);
4319 - MASK_SET(*flags, USE_MARK);
4322 - if (MASK(*flags, USE_SIZE))
4323 - exit_error(PARAMETER_PROBLEM,
4324 - "Can't specify --nlsize twice");
4326 - if ( atoi(optarg) <= 0 )
4327 - exit_error(PARAMETER_PROBLEM,
4328 - "--nlsize must be larger than zero");
4331 - if (check_inverse(optarg, &invert, NULL, 0)) {
4332 - MASK_UNSET(nld->flags, USE_SIZE);
4334 - MASK_SET(nld->flags, USE_SIZE);
4335 - nld->size=atoi(optarg);
4337 - MASK_SET(*flags, USE_SIZE);
4346 -static void final_check(unsigned int flags)
4351 -/* Saves the union ipt_targinfo in parsable form to stdout. */
4352 -static void save(const struct ipt_ip *ip,
4353 - const struct ipt_entry_target *target)
4355 - const struct ipt_nldata *nld
4356 - = (const struct ipt_nldata *) target->data;
4358 - if ( MASK(nld->flags, USE_DROP) )
4359 - printf("--nldrop ");
4361 - if ( MASK(nld->flags, USE_MARK) )
4362 - printf("--nlmark %i ", nld->mark);
4364 - if ( MASK(nld->flags, USE_SIZE) )
4365 - printf("--nlsize %i ", nld->size);
4368 -/* Prints out the targinfo. */
4370 -print(const struct ipt_ip *ip,
4371 - const struct ipt_entry_target *target, int numeric)
4373 - const struct ipt_nldata *nld
4374 - = (const struct ipt_nldata *) target->data;
4376 - if ( MASK(nld->flags, USE_DROP) )
4377 - printf("nldrop ");
4379 - if ( MASK(nld->flags, USE_MARK) )
4380 - printf("nlmark %i ", nld->mark);
4382 - if ( MASK(nld->flags, USE_SIZE) )
4383 - printf("nlsize %i ", nld->size);
4386 -static struct iptables_target netlink = {
4388 - .name = "NETLINK",
4389 - .version = IPTABLES_VERSION,
4390 - .size = IPT_ALIGN(sizeof(struct ipt_nldata)),
4391 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_nldata)),
4395 - .final_check = &final_check,
4398 - .extra_opts = opts
4403 - register_target(&netlink);
4406 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_NETMAP.c iptables-svn/extensions/libipt_NETMAP.c
4407 --- iptables-1.3.7/extensions/libipt_NETMAP.c 2006-12-04 12:15:19.000000000 +0100
4408 +++ iptables-svn/extensions/libipt_NETMAP.c 2007-05-31 12:46:30.000000000 +0200
4411 #include <iptables.h>
4412 #include <linux/netfilter_ipv4/ip_tables.h>
4413 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
4414 +#include <linux/netfilter/nf_nat.h>
4416 #define MODULENAME "NETMAP"
4418 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_NFLOG.c iptables-svn/extensions/libipt_NFLOG.c
4419 --- iptables-1.3.7/extensions/libipt_NFLOG.c 2006-12-04 12:15:19.000000000 +0100
4420 +++ iptables-svn/extensions/libipt_NFLOG.c 2007-05-31 12:46:30.000000000 +0200
4423 struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
4425 - info->group = XT_NFLOG_DEFAULT_GROUP;
4427 info->threshold = XT_NFLOG_DEFAULT_THRESHOLD;
4431 "Unexpected `!' after --nflog-group");
4434 - if (n < 1 || n > 32)
4436 exit_error(PARAMETER_PROBLEM,
4437 - "--nflog-group has to be between 1 and 32");
4438 - info->group = 1 << (n - 1);
4439 + "--nflog-group can not be negative");
4443 if (*flags & NFLOG_PREFIX)
4446 if (info->prefix[0] != '\0')
4447 printf("%snflog-prefix \"%s\" ", prefix, info->prefix);
4448 - if (info->group != XT_NFLOG_DEFAULT_GROUP)
4449 - printf("%snflog-group %u ", prefix, ffs(info->group));
4451 + printf("%snflog-group %u ", prefix, info->group);
4453 printf("%snflog-range %u ", prefix, info->len);
4454 if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
4455 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_nth.c iptables-svn/extensions/libipt_nth.c
4456 --- iptables-1.3.7/extensions/libipt_nth.c 2006-12-04 12:15:19.000000000 +0100
4457 +++ iptables-svn/extensions/libipt_nth.c 1970-01-01 01:00:00.000000000 +0100
4460 - Shared library add-on to iptables to add match support for every Nth packet
4462 - This file is distributed under the terms of the GNU General Public
4463 - License (GPL). Copies of the GPL can be obtained from:
4464 - ftp://prep.ai.mit.edu/pub/gnu/GPL
4466 - 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
4467 - 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
4468 - * added support for multiple counters
4469 - * added support for matching on individual packets
4470 - in the counter cycle
4475 -#include <string.h>
4476 -#include <stdlib.h>
4477 -#include <syslog.h>
4478 -#include <getopt.h>
4479 -#include <iptables.h>
4480 -#include <linux/netfilter_ipv4/ip_tables.h>
4481 -#include <linux/netfilter_ipv4/ipt_nth.h>
4484 -/* Function which prints out usage message. */
4489 -"nth v%s options:\n"
4490 -" --every Nth Match every Nth packet\n"
4491 -" [--counter num ] Use counter 0-%u (default:0)\n"
4492 -" [--start num ] Initialize the counter at the number 'num'\n"
4493 -" instead of 0. Must be between 0 and Nth-1\n"
4494 -" [--packet num ] Match on 'num' packet. Must be between 0\n"
4496 -" If --packet is used for a counter than\n"
4497 -" there must be Nth number of --packet\n"
4498 -" rules, covering all values between 0 and\n"
4499 -" Nth-1 inclusively.\n",
4500 -IPTABLES_VERSION, IPT_NTH_NUM_COUNTERS-1);
4503 -static struct option opts[] = {
4504 - { "every", 1, 0, '1' },
4505 - { "start", 1, 0, '2' },
4506 - { "counter", 1, 0, '3' },
4507 - { "packet", 1, 0, '4' },
4511 -#define IPT_NTH_OPT_EVERY 0x01
4512 -#define IPT_NTH_OPT_NOT_EVERY 0x02
4513 -#define IPT_NTH_OPT_START 0x04
4514 -#define IPT_NTH_OPT_COUNTER 0x08
4515 -#define IPT_NTH_OPT_PACKET 0x10
4517 -/* Function which parses command options; returns true if it
4520 -parse(int c, char **argv, int invert, unsigned int *flags,
4521 - const struct ipt_entry *entry,
4522 - unsigned int *nfcache,
4523 - struct ipt_entry_match **match)
4525 - struct ipt_nth_info *nthinfo = (struct ipt_nth_info *)(*match)->data;
4530 - /* check for common mistakes... */
4531 - if ((!invert) && (*flags & IPT_NTH_OPT_EVERY))
4532 - exit_error(PARAMETER_PROBLEM,
4533 - "Can't specify --every twice");
4534 - if (invert && (*flags & IPT_NTH_OPT_NOT_EVERY))
4535 - exit_error(PARAMETER_PROBLEM,
4536 - "Can't specify ! --every twice");
4537 - if ((!invert) && (*flags & IPT_NTH_OPT_NOT_EVERY))
4538 - exit_error(PARAMETER_PROBLEM,
4539 - "Can't specify --every with ! --every");
4540 - if (invert && (*flags & IPT_NTH_OPT_EVERY))
4541 - exit_error(PARAMETER_PROBLEM,
4542 - "Can't specify ! --every with --every");
4544 - /* Remember, this function will interpret a leading 0 to be
4545 - Octal, a leading 0x to be hexdecimal... */
4546 - if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
4547 - exit_error(PARAMETER_PROBLEM,
4548 - "bad --every `%s', must be between 2 and 100", optarg);
4550 - /* assign the values */
4551 - nthinfo->every = num-1;
4552 - nthinfo->startat = 0;
4553 - nthinfo->packet = 0xFF;
4554 - if(!(*flags & IPT_NTH_OPT_EVERY))
4556 - nthinfo->counter = 0;
4560 - *flags |= IPT_NTH_OPT_NOT_EVERY;
4565 - *flags |= IPT_NTH_OPT_EVERY;
4570 - /* check for common mistakes... */
4571 - if (!((*flags & IPT_NTH_OPT_EVERY) ||
4572 - (*flags & IPT_NTH_OPT_NOT_EVERY)))
4573 - exit_error(PARAMETER_PROBLEM,
4574 - "Can't specify --start before --every");
4576 - exit_error(PARAMETER_PROBLEM,
4577 - "Can't specify with ! --start");
4578 - if (*flags & IPT_NTH_OPT_START)
4579 - exit_error(PARAMETER_PROBLEM,
4580 - "Can't specify --start twice");
4581 - if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
4582 - exit_error(PARAMETER_PROBLEM,
4583 - "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
4584 - *flags |= IPT_NTH_OPT_START;
4585 - nthinfo->startat = num;
4588 - /* check for common mistakes... */
4590 - exit_error(PARAMETER_PROBLEM,
4591 - "Can't specify with ! --counter");
4592 - if (*flags & IPT_NTH_OPT_COUNTER)
4593 - exit_error(PARAMETER_PROBLEM,
4594 - "Can't specify --counter twice");
4595 - if (string_to_number(optarg, 0, IPT_NTH_NUM_COUNTERS-1, &num) == -1)
4596 - exit_error(PARAMETER_PROBLEM,
4597 - "bad --counter `%s', must between 0 and %u", optarg, IPT_NTH_NUM_COUNTERS-1);
4598 - /* assign the values */
4599 - *flags |= IPT_NTH_OPT_COUNTER;
4600 - nthinfo->counter = num;
4603 - /* check for common mistakes... */
4604 - if (!((*flags & IPT_NTH_OPT_EVERY) ||
4605 - (*flags & IPT_NTH_OPT_NOT_EVERY)))
4606 - exit_error(PARAMETER_PROBLEM,
4607 - "Can't specify --packet before --every");
4608 - if ((*flags & IPT_NTH_OPT_NOT_EVERY))
4609 - exit_error(PARAMETER_PROBLEM,
4610 - "Can't specify --packet with ! --every");
4612 - exit_error(PARAMETER_PROBLEM,
4613 - "Can't specify with ! --packet");
4614 - if (*flags & IPT_NTH_OPT_PACKET)
4615 - exit_error(PARAMETER_PROBLEM,
4616 - "Can't specify --packet twice");
4617 - if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
4618 - exit_error(PARAMETER_PROBLEM,
4619 - "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
4620 - *flags |= IPT_NTH_OPT_PACKET;
4621 - nthinfo->packet = num;
4629 -/* Final check; nothing. */
4630 -static void final_check(unsigned int flags)
4634 -/* Prints out the targinfo. */
4636 -print(const struct ipt_ip *ip,
4637 - const struct ipt_entry_match *match,
4640 - const struct ipt_nth_info *nthinfo
4641 - = (const struct ipt_nth_info *)match->data;
4643 - if (nthinfo->not == 1)
4645 - printf("every %uth ", (nthinfo->every +1));
4646 - if (nthinfo->counter != 0)
4647 - printf("counter #%u ", (nthinfo->counter));
4648 - if (nthinfo->packet != 0xFF)
4649 - printf("packet #%u ", nthinfo->packet);
4650 - if (nthinfo->startat != 0)
4651 - printf("start at %u ", nthinfo->startat);
4654 -/* Saves the union ipt_targinfo in parsable form to stdout. */
4656 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
4658 - const struct ipt_nth_info *nthinfo
4659 - = (const struct ipt_nth_info *)match->data;
4661 - if (nthinfo->not == 1)
4663 - printf("--every %u ", (nthinfo->every +1));
4664 - printf("--counter %u ", (nthinfo->counter));
4665 - if (nthinfo->startat != 0)
4666 - printf("--start %u ", nthinfo->startat );
4667 - if (nthinfo->packet != 0xFF)
4668 - printf("--packet %u ", nthinfo->packet );
4671 -static struct iptables_match nth = {
4674 - .version = IPTABLES_VERSION,
4675 - .size = IPT_ALIGN(sizeof(struct ipt_nth_info)),
4676 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_nth_info)),
4679 - .final_check = &final_check,
4682 - .extra_opts = opts
4687 - register_match(&nth);
4689 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_nth.man iptables-svn/extensions/libipt_nth.man
4690 --- iptables-1.3.7/extensions/libipt_nth.man 2006-12-04 12:15:20.000000000 +0100
4691 +++ iptables-svn/extensions/libipt_nth.man 1970-01-01 01:00:00.000000000 +0100
4693 -This module matches every `n'th packet
4695 -.BI "--every " "value"
4696 -Match every `value' packet
4698 -.BI "[" "--counter " "num" "]"
4699 -Use internal counter number `num'. Default is `0'.
4701 -.BI "[" "--start " "num" "]"
4702 -Initialize the counter at the number `num' insetad of `0'. Most between `0'
4705 -.BI "[" "--packet " "num" "]"
4706 -Match on `num' packet. Most be between `0' and `value'-1.
4707 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_osf.c iptables-svn/extensions/libipt_osf.c
4708 --- iptables-1.3.7/extensions/libipt_osf.c 2006-12-04 12:15:20.000000000 +0100
4709 +++ iptables-svn/extensions/libipt_osf.c 1970-01-01 01:00:00.000000000 +0100
4714 - * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
4717 - * This program is free software; you can redistribute it and/or modify
4718 - * it under the terms of the GNU General Public License as published by
4719 - * the Free Software Foundation; either version 2 of the License, or
4720 - * (at your option) any later version.
4722 - * This program is distributed in the hope that it will be useful,
4723 - * but WITHOUT ANY WARRANTY; without even the implied warranty of
4724 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
4725 - * GNU General Public License for more details.
4727 - * You should have received a copy of the GNU General Public License
4728 - * along with this program; if not, write to the Free Software
4729 - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
4733 - * iptables interface for OS fingerprint matching module.
4738 -#include <string.h>
4739 -#include <stdlib.h>
4740 -#include <getopt.h>
4743 -#include <iptables.h>
4744 -#include <linux/netfilter_ipv4/ipt_osf.h>
4746 -static void help(void)
4748 - printf("OS fingerprint match options:\n"
4749 - "--genre [!] string Match a OS genre by passive fingerprinting.\n"
4750 - "--smart Use some smart extensions to determine OS (do not use TTL).\n"
4751 - "--log level Log all(or only first) determined genres even if "
4752 - "they do not match desired one. "
4753 - "Level may be 0(all) or 1(only first entry).\n"
4754 - "--netlink Log through netlink(NETLINK_NFLOG).\n",
4755 - "--connector Log through kernel connector [in 2.6.12-mm+].\n"
4760 -static struct option opts[] = {
4761 - { .name = "genre", .has_arg = 1, .flag = 0, .val = '1' },
4762 - { .name = "smart", .has_arg = 0, .flag = 0, .val = '2' },
4763 - { .name = "log", .has_arg = 1, .flag = 0, .val = '3' },
4764 - { .name = "netlink", .has_arg = 0, .flag = 0, .val = '4' },
4765 - { .name = "connector", .has_arg = 0, .flag = 0, .val = '5' },
4769 -static void parse_string(const unsigned char *s, struct ipt_osf_info *info)
4771 - if (strlen(s) < MAXGENRELEN)
4772 - strcpy(info->genre, s);
4774 - exit_error(PARAMETER_PROBLEM, "Genre string too long `%s' [%d], max=%d",
4775 - s, strlen(s), MAXGENRELEN);
4778 -static int parse(int c, char **argv, int invert, unsigned int *flags,
4779 - const struct ipt_entry *entry,
4780 - unsigned int *nfcache,
4781 - struct ipt_entry_match **match)
4783 - struct ipt_osf_info *info = (struct ipt_osf_info *)(*match)->data;
4787 - case '1': /* --genre */
4788 - if (*flags & IPT_OSF_GENRE)
4789 - exit_error(PARAMETER_PROBLEM, "Can't specify multiple genre parameter");
4790 - check_inverse(optarg, &invert, &optind, 0);
4791 - parse_string(argv[optind-1], info);
4794 - info->len=strlen((char *)info->genre);
4795 - *flags |= IPT_OSF_GENRE;
4797 - case '2': /* --smart */
4798 - if (*flags & IPT_OSF_SMART)
4799 - exit_error(PARAMETER_PROBLEM, "Can't specify multiple smart parameter");
4800 - *flags |= IPT_OSF_SMART;
4801 - info->flags |= IPT_OSF_SMART;
4803 - case '3': /* --log */
4804 - if (*flags & IPT_OSF_LOG)
4805 - exit_error(PARAMETER_PROBLEM, "Can't specify multiple log parameter");
4806 - *flags |= IPT_OSF_LOG;
4807 - info->loglevel = atoi(argv[optind-1]);
4808 - info->flags |= IPT_OSF_LOG;
4810 - case '4': /* --netlink */
4811 - if (*flags & IPT_OSF_NETLINK)
4812 - exit_error(PARAMETER_PROBLEM, "Can't specify multiple netlink parameter");
4813 - *flags |= IPT_OSF_NETLINK;
4814 - info->flags |= IPT_OSF_NETLINK;
4816 - case '5': /* --connector */
4817 - if (*flags & IPT_OSF_CONNECTOR)
4818 - exit_error(PARAMETER_PROBLEM, "Can't specify multiple connector parameter");
4819 - *flags |= IPT_OSF_CONNECTOR;
4820 - info->flags |= IPT_OSF_CONNECTOR;
4829 -static void final_check(unsigned int flags)
4832 - exit_error(PARAMETER_PROBLEM, "OS fingerprint match: You must specify `--genre'");
4835 -static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
4837 - const struct ipt_osf_info *info = (const struct ipt_osf_info*) match->data;
4839 - printf("OS fingerprint match %s%s ", (info->invert) ? "!" : "", info->genre);
4842 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
4844 - const struct ipt_osf_info *info = (const struct ipt_osf_info*) match->data;
4846 - printf("--genre %s%s ", (info->invert) ? "! ": "", info->genre);
4847 - if (info->flags & IPT_OSF_SMART)
4848 - printf("--smart ");
4849 - if (info->flags & IPT_OSF_LOG)
4850 - printf("--log %d ", info->loglevel);
4851 - if (info->flags & IPT_OSF_NETLINK)
4852 - printf("--netlink ");
4853 - if (info->flags & IPT_OSF_CONNECTOR)
4854 - printf("--connector ");
4858 -static struct iptables_match osf_match = {
4860 - .version = IPTABLES_VERSION,
4861 - .size = IPT_ALIGN(sizeof(struct ipt_osf_info)),
4862 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_osf_info)),
4865 - .final_check = &final_check,
4868 - .extra_opts = opts
4874 - register_match(&osf_match);
4876 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_osf.man iptables-svn/extensions/libipt_osf.man
4877 --- iptables-1.3.7/extensions/libipt_osf.man 2006-12-04 12:15:19.000000000 +0100
4878 +++ iptables-svn/extensions/libipt_osf.man 1970-01-01 01:00:00.000000000 +0100
4880 -The idea of passive OS fingerprint matching exists for quite a long time,
4881 -but was created as extension fo OpenBSD pf only some weeks ago.
4882 -Original idea was lurked in some OpenBSD mailing list (thanks
4883 -grange@open...) and than adopted for Linux netfilter in form of this code.
4885 -Original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.
4887 -This module compares some data(WS, MSS, options and it's order, ttl,
4888 -df and others) from first SYN packet (actually from packets with SYN
4889 -bit set) with dynamically loaded OS fingerprints.
4892 -If present, OSF will log determined genres even if they don't match
4894 -0 - log all determined entries,
4895 -1 - only first one.
4897 -In syslog you find something like this:
4899 -ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
4901 -ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
4904 -if present, OSF will use some smartness to determine remote OS.
4905 -OSF will use initial TTL only if source of connection is in our local network.
4908 -If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
4910 -.BI "--genre " "[!] string"
4911 -Match a OS genre by passive fingerprinting
4915 -#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
4917 -NOTE: -p tcp is obviously required as it is a TCP match.
4919 -Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
4920 -One can flush all fingerprints with following command:
4922 -echo -en FLUSH > /proc/sys/net/ipv4/osf
4924 -Only one fingerprint per open/write/close.
4926 -Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
4927 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_psd.c iptables-svn/extensions/libipt_psd.c
4928 --- iptables-1.3.7/extensions/libipt_psd.c 2006-12-04 12:15:20.000000000 +0100
4929 +++ iptables-svn/extensions/libipt_psd.c 1970-01-01 01:00:00.000000000 +0100
4932 - Shared library add-on to iptables to add PSD support
4934 - Copyright (C) 2000,2001 astaro AG
4936 - This file is distributed under the terms of the GNU General Public
4937 - License (GPL). Copies of the GPL can be obtained from:
4938 - ftp://prep.ai.mit.edu/pub/gnu/GPL
4940 - 2000-05-04 Markus Hennig <hennig@astaro.de> : initial
4941 - 2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
4942 - 2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
4943 - 2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
4944 - 2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
4949 -#include <string.h>
4950 -#include <stdlib.h>
4951 -#include <syslog.h>
4952 -#include <getopt.h>
4953 -#include <iptables.h>
4954 -#include <linux/netfilter_ipv4/ip_tables.h>
4955 -#include <linux/netfilter_ipv4/ipt_psd.h>
4958 -/* Function which prints out usage message. */
4963 -"psd v%s options:\n"
4964 -" --psd-weight-threshold threshhold Portscan detection weight threshold\n\n"
4965 -" --psd-delay-threshold delay Portscan detection delay threshold\n\n"
4966 -" --psd-lo-ports-weight lo Privileged ports weight\n\n"
4967 -" --psd-hi-ports-weight hi High ports weight\n\n",
4971 -static struct option opts[] = {
4972 - { "psd-weight-threshold", 1, 0, '1' },
4973 - { "psd-delay-threshold", 1, 0, '2' },
4974 - { "psd-lo-ports-weight", 1, 0, '3' },
4975 - { "psd-hi-ports-weight", 1, 0, '4' },
4979 -/* Initialize the target. */
4981 -init(struct ipt_entry_match *m, unsigned int *nfcache)
4983 - struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)m->data;
4985 - psdinfo->weight_threshold = SCAN_WEIGHT_THRESHOLD;
4986 - psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
4987 - psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
4988 - psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
4992 -typedef struct _code {
4999 -#define IPT_PSD_OPT_CTRESH 0x01
5000 -#define IPT_PSD_OPT_DTRESH 0x02
5001 -#define IPT_PSD_OPT_LPWEIGHT 0x04
5002 -#define IPT_PSD_OPT_HPWEIGHT 0x08
5004 -/* Function which parses command options; returns true if it
5007 -parse(int c, char **argv, int invert, unsigned int *flags,
5008 - const struct ipt_entry *entry,
5009 - unsigned int *nfcache,
5010 - struct ipt_entry_match **match)
5012 - struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)(*match)->data;
5016 - /* PSD-weight-threshold */
5018 - if (*flags & IPT_PSD_OPT_CTRESH)
5019 - exit_error(PARAMETER_PROBLEM,
5020 - "Can't specify --psd-weight-threshold "
5022 - if (string_to_number(optarg, 0, 10000, &num) == -1)
5023 - exit_error(PARAMETER_PROBLEM,
5024 - "bad --psd-weight-threshold `%s'", optarg);
5025 - psdinfo->weight_threshold = num;
5026 - *flags |= IPT_PSD_OPT_CTRESH;
5029 - /* PSD-delay-threshold */
5031 - if (*flags & IPT_PSD_OPT_DTRESH)
5032 - exit_error(PARAMETER_PROBLEM,
5033 - "Can't specify --psd-delay-threshold twice");
5034 - if (string_to_number(optarg, 0, 10000, &num) == -1)
5035 - exit_error(PARAMETER_PROBLEM,
5036 - "bad --psd-delay-threshold `%s'", optarg);
5037 - psdinfo->delay_threshold = num;
5038 - *flags |= IPT_PSD_OPT_DTRESH;
5041 - /* PSD-lo-ports-weight */
5043 - if (*flags & IPT_PSD_OPT_LPWEIGHT)
5044 - exit_error(PARAMETER_PROBLEM,
5045 - "Can't specify --psd-lo-ports-weight twice");
5046 - if (string_to_number(optarg, 0, 10000, &num) == -1)
5047 - exit_error(PARAMETER_PROBLEM,
5048 - "bad --psd-lo-ports-weight `%s'", optarg);
5049 - psdinfo->lo_ports_weight = num;
5050 - *flags |= IPT_PSD_OPT_LPWEIGHT;
5053 - /* PSD-hi-ports-weight */
5055 - if (*flags & IPT_PSD_OPT_HPWEIGHT)
5056 - exit_error(PARAMETER_PROBLEM,
5057 - "Can't specify --psd-hi-ports-weight twice");
5058 - if (string_to_number(optarg, 0, 10000, &num) == -1)
5059 - exit_error(PARAMETER_PROBLEM,
5060 - "bad --psd-hi-ports-weight `%s'", optarg);
5061 - psdinfo->hi_ports_weight = num;
5062 - *flags |= IPT_PSD_OPT_HPWEIGHT;
5072 -/* Final check; nothing. */
5073 -static void final_check(unsigned int flags)
5077 -/* Prints out the targinfo. */
5079 -print(const struct ipt_ip *ip,
5080 - const struct ipt_entry_match *match,
5083 - const struct ipt_psd_info *psdinfo
5084 - = (const struct ipt_psd_info *)match->data;
5087 - printf("weight-threshold: %u ", psdinfo->weight_threshold);
5088 - printf("delay-threshold: %u ", psdinfo->delay_threshold);
5089 - printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
5090 - printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
5093 -/* Saves the union ipt_targinfo in parsable form to stdout. */
5095 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
5097 - const struct ipt_psd_info *psdinfo
5098 - = (const struct ipt_psd_info *)match->data;
5100 - printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
5101 - printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
5102 - printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
5103 - printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
5106 -static struct iptables_match psd = {
5109 - .version = IPTABLES_VERSION,
5110 - .size = IPT_ALIGN(sizeof(struct ipt_psd_info)),
5111 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_psd_info)),
5115 - .final_check = &final_check,
5118 - .extra_opts = opts
5123 - register_match(&psd);
5125 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_psd.man iptables-svn/extensions/libipt_psd.man
5126 --- iptables-1.3.7/extensions/libipt_psd.man 2006-12-04 12:15:19.000000000 +0100
5127 +++ iptables-svn/extensions/libipt_psd.man 1970-01-01 01:00:00.000000000 +0100
5129 -Attempt to detect TCP and UDP port scans. This match was derived from
5130 -Solar Designer's scanlogd.
5132 -.BI "--psd-weight-threshold " "threshold"
5133 -Total weight of the latest TCP/UDP packets with different
5134 -destination ports coming from the same host to be treated as port
5137 -.BI "--psd-delay-threshold " "delay"
5138 -Delay (in hundredths of second) for the packets with different
5139 -destination ports coming from the same host to be treated as
5140 -possible port scan subsequence.
5142 -.BI "--psd-lo-ports-weight " "weight"
5143 -Weight of the packet with privileged (<=1024) destination port.
5145 -.BI "--psd-hi-ports-weight " "weight"
5146 -Weight of the packet with non-priviliged destination port.
5147 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_quota.man iptables-svn/extensions/libipt_quota.man
5148 --- iptables-1.3.7/extensions/libipt_quota.man 2006-12-04 12:15:20.000000000 +0100
5149 +++ iptables-svn/extensions/libipt_quota.man 2007-05-31 12:46:30.000000000 +0200
5151 .BI "--quota " "bytes"
5154 -KNOWN BUGS: this does not work on SMP systems.
5155 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_random.c iptables-svn/extensions/libipt_random.c
5156 --- iptables-1.3.7/extensions/libipt_random.c 2006-12-04 12:15:19.000000000 +0100
5157 +++ iptables-svn/extensions/libipt_random.c 1970-01-01 01:00:00.000000000 +0100
5160 - Shared library add-on to iptables to add match support for random match.
5162 - This file is distributed under the terms of the GNU General Public
5163 - License (GPL). Copies of the GPL can be obtained from:
5164 - ftp://prep.ai.mit.edu/pub/gnu/GPL
5166 - 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
5171 -#include <string.h>
5172 -#include <stdlib.h>
5173 -#include <syslog.h>
5174 -#include <getopt.h>
5175 -#include <iptables.h>
5176 -#include <linux/netfilter_ipv4/ip_tables.h>
5177 -#include <linux/netfilter_ipv4/ipt_random.h>
5180 - * The kernel random routing returns numbers between 0 and 255.
5181 - * To ease the task of the user in choosing the probability
5182 - * of matching, we want him to be able to use percentages.
5183 - * Therefore we have to accept numbers in percentage here,
5184 - * turn them into number between 0 and 255 for the kernel module,
5185 - * and turn them back to percentages when we print/save
5190 -/* Function which prints out usage message. */
5195 -"random v%s options:\n"
5196 -" [--average percent ] The probability in percentage of the match\n"
5197 -" If ommited, a probability of 50%% percent is set.\n"
5198 -" Percentage must be within : 1 <= percent <= 99.\n\n",
5202 -static struct option opts[] = {
5203 - { "average", 1, 0, '1' },
5207 -/* Initialize the target. */
5209 -init(struct ipt_entry_match *m, unsigned int *nfcache)
5211 - struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(m)->data;
5213 - /* We assign the average to be 50 which is our default value */
5214 - /* 50 * 2.55 = 128 */
5215 - randinfo->average = 128;
5218 -#define IPT_RAND_OPT_AVERAGE 0x01
5220 -/* Function which parses command options; returns true if it
5223 -parse(int c, char **argv, int invert, unsigned int *flags,
5224 - const struct ipt_entry *entry,
5225 - unsigned int *nfcache,
5226 - struct ipt_entry_match **match)
5228 - struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(*match)->data;
5233 - /* check for common mistakes... */
5235 - exit_error(PARAMETER_PROBLEM,
5236 - "Can't specify ! --average");
5237 - if (*flags & IPT_RAND_OPT_AVERAGE)
5238 - exit_error(PARAMETER_PROBLEM,
5239 - "Can't specify --average twice");
5241 - /* Remember, this function will interpret a leading 0 to be
5242 - Octal, a leading 0x to be hexdecimal... */
5243 - if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
5244 - exit_error(PARAMETER_PROBLEM,
5245 - "bad --average `%s', must be between 1 and 99", optarg);
5247 - /* assign the values */
5248 - randinfo->average = (int)(num * 2.55);
5249 - *flags |= IPT_RAND_OPT_AVERAGE;
5257 -/* Final check; nothing. */
5258 -static void final_check(unsigned int flags)
5262 -/* Prints out the targinfo. */
5264 -print(const struct ipt_ip *ip,
5265 - const struct ipt_entry_match *match,
5268 - const struct ipt_rand_info *randinfo
5269 - = (const struct ipt_rand_info *)match->data;
5270 - div_t result = div((randinfo->average*100), 255);
5271 - if (result.rem > 127) /* round up... */
5274 - printf(" random %u%% ", result.quot);
5277 -/* Saves the union ipt_targinfo in parsable form to stdout. */
5279 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
5281 - const struct ipt_rand_info *randinfo
5282 - = (const struct ipt_rand_info *)match->data;
5283 - div_t result = div((randinfo->average *100), 255);
5284 - if (result.rem > 127) /* round up... */
5287 - printf("--average %u ", result.quot);
5290 -struct iptables_match rand_match = {
5293 - .version = IPTABLES_VERSION,
5294 - .size = IPT_ALIGN(sizeof(struct ipt_rand_info)),
5295 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_rand_info)),
5299 - .final_check = &final_check,
5302 - .extra_opts = opts
5307 - register_match(&rand_match);
5309 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_random.man iptables-svn/extensions/libipt_random.man
5310 --- iptables-1.3.7/extensions/libipt_random.man 2006-12-04 12:15:20.000000000 +0100
5311 +++ iptables-svn/extensions/libipt_random.man 1970-01-01 01:00:00.000000000 +0100
5313 -This module randomly matches a certain percentage of all packets.
5315 -.BI "--average " "percent"
5316 -Matches the given percentage. If omitted, a probability of 50% is set.
5317 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_record_rpc.c iptables-svn/extensions/libipt_record_rpc.c
5318 --- iptables-1.3.7/extensions/libipt_record_rpc.c 2006-12-04 12:15:19.000000000 +0100
5319 +++ iptables-svn/extensions/libipt_record_rpc.c 1970-01-01 01:00:00.000000000 +0100
5321 -/* Shared library add-on to iptables for rpc match */
5323 -#include <getopt.h>
5324 -#include <iptables.h>
5326 -/* Function which prints out usage message. */
5331 -"record_rpc v%s takes no options\n"
5332 -"\n", IPTABLES_VERSION);
5335 -static struct option opts[] = {
5339 -/* Function which parses command options; returns true if it
5342 -parse(int c, char **argv, int invert, unsigned int *flags,
5343 - const struct ipt_entry *entry,
5344 - unsigned int *nfcache,
5345 - struct ipt_entry_match **match)
5350 -/* Final check; must have specified --mac. */
5351 -static void final_check(unsigned int flags)
5355 -/* Prints out the union ipt_matchinfo. */
5357 -print(const struct ipt_ip *ip,
5358 - const struct ipt_entry_match *match,
5363 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
5368 -struct iptables_match record_rpc = {
5370 - .name = "record_rpc",
5371 - .version = IPTABLES_VERSION,
5372 - .size = IPT_ALIGN(0),
5373 - .userspacesize = IPT_ALIGN(0),
5376 - .final_check = &final_check,
5379 - .extra_opts = opts
5384 - register_match(&record_rpc);
5386 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_REDIRECT.c iptables-svn/extensions/libipt_REDIRECT.c
5387 --- iptables-1.3.7/extensions/libipt_REDIRECT.c 2006-12-04 12:15:19.000000000 +0100
5388 +++ iptables-svn/extensions/libipt_REDIRECT.c 2007-05-31 12:46:30.000000000 +0200
5391 #include <iptables.h>
5392 #include <linux/netfilter_ipv4/ip_tables.h>
5393 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
5394 +#include <linux/netfilter/nf_nat.h>
5396 +#define IPT_REDIRECT_OPT_DEST 0x01
5397 +#define IPT_REDIRECT_OPT_RANDOM 0x02
5399 /* Function which prints out usage message. */
5403 static struct option opts[] = {
5404 { "to-ports", 1, 0, '1' },
5405 + { "random", 1, 0, '2' },
5409 @@ -101,6 +105,17 @@
5410 "Unexpected `!' after --to-ports");
5412 parse_ports(optarg, mr);
5413 + if (*flags & IPT_REDIRECT_OPT_RANDOM)
5414 + mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
5415 + *flags |= IPT_REDIRECT_OPT_DEST;
5419 + if (*flags & IPT_REDIRECT_OPT_DEST) {
5420 + mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
5421 + *flags |= IPT_REDIRECT_OPT_RANDOM;
5423 + *flags |= IPT_REDIRECT_OPT_RANDOM;
5428 if (r->max.tcp.port != r->min.tcp.port)
5429 printf("-%hu", ntohs(r->max.tcp.port));
5431 + if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
5432 + printf("random ");
5437 if (r->max.tcp.port != r->min.tcp.port)
5438 printf("-%hu", ntohs(r->max.tcp.port));
5440 + if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
5441 + printf("--random ");
5445 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_REDIRECT.man iptables-svn/extensions/libipt_REDIRECT.man
5446 --- iptables-1.3.7/extensions/libipt_REDIRECT.man 2006-12-04 12:15:20.000000000 +0100
5447 +++ iptables-svn/extensions/libipt_REDIRECT.man 2007-05-31 12:46:30.000000000 +0200
5456 +is used then port mapping will be randomized (kernel >= 2.6.22).
5459 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_ROUTE.c iptables-svn/extensions/libipt_ROUTE.c
5460 --- iptables-1.3.7/extensions/libipt_ROUTE.c 2006-12-04 12:15:20.000000000 +0100
5461 +++ iptables-svn/extensions/libipt_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
5463 -/* Shared library add-on to iptables to add ROUTE target support.
5464 - * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
5465 - * v 1.11 2004/11/23
5469 -#include <string.h>
5470 -#include <stdlib.h>
5471 -#include <getopt.h>
5472 -#include <iptables.h>
5473 -#include <net/if.h>
5474 -#include <sys/socket.h>
5475 -#include <netinet/in.h>
5476 -#include <arpa/inet.h>
5477 -#include <linux/netfilter_ipv4/ip_tables.h>
5478 -#include <linux/netfilter_ipv4/ipt_ROUTE.h>
5480 -/* compile IPT_ROUTE_TEE support even if kernel headers are unpatched */
5481 -#ifndef IPT_ROUTE_TEE
5482 -#define IPT_ROUTE_TEE 0x02
5485 -/* Function which prints out usage message. */
5490 -"ROUTE target v%s options:\n"
5491 -" --oif \tifname \t\tRoute packet through `ifname' network interface\n"
5492 -" --iif \tifname \t\tChange packet's incoming interface to `ifname'\n"
5493 -" --gw \tip \t\tRoute packet via this gateway `ip'\n"
5494 -" --continue\t \t\tRoute packet and continue traversing the\n"
5495 -" \t \t\trules. Not valid with --iif or --tee.\n"
5496 -" --tee\t \t\tDuplicate packet, route the duplicate,\n"
5497 -" \t \t\tcontinue traversing with original packet.\n"
5498 -" \t \t\tNot valid with --iif or --continue.\n"
5503 -static struct option opts[] = {
5504 - { "oif", 1, 0, '1' },
5505 - { "iif", 1, 0, '2' },
5506 - { "gw", 1, 0, '3' },
5507 - { "continue", 0, 0, '4' },
5508 - { "tee", 0, 0, '5' },
5512 -/* Initialize the target. */
5514 -init(struct ipt_entry_target *t, unsigned int *nfcache)
5516 - struct ipt_route_target_info *route_info =
5517 - (struct ipt_route_target_info*)t->data;
5519 - route_info->oif[0] = '\0';
5520 - route_info->iif[0] = '\0';
5521 - route_info->gw = 0;
5522 - route_info->flags = 0;
5526 -#define IPT_ROUTE_OPT_OIF 0x01
5527 -#define IPT_ROUTE_OPT_IIF 0x02
5528 -#define IPT_ROUTE_OPT_GW 0x04
5529 -#define IPT_ROUTE_OPT_CONTINUE 0x08
5530 -#define IPT_ROUTE_OPT_TEE 0x10
5532 -/* Function which parses command options; returns true if it
5535 -parse(int c, char **argv, int invert, unsigned int *flags,
5536 - const struct ipt_entry *entry,
5537 - struct ipt_entry_target **target)
5539 - struct ipt_route_target_info *route_info =
5540 - (struct ipt_route_target_info*)(*target)->data;
5544 - if (*flags & IPT_ROUTE_OPT_OIF)
5545 - exit_error(PARAMETER_PROBLEM,
5546 - "Can't specify --oif twice");
5548 - if (*flags & IPT_ROUTE_OPT_IIF)
5549 - exit_error(PARAMETER_PROBLEM,
5550 - "Can't use --oif and --iif together");
5552 - if (check_inverse(optarg, &invert, NULL, 0))
5553 - exit_error(PARAMETER_PROBLEM,
5554 - "Unexpected `!' after --oif");
5556 - if (strlen(optarg) > sizeof(route_info->oif) - 1)
5557 - exit_error(PARAMETER_PROBLEM,
5558 - "Maximum interface name length %u",
5559 - sizeof(route_info->oif) - 1);
5561 - strcpy(route_info->oif, optarg);
5562 - *flags |= IPT_ROUTE_OPT_OIF;
5566 - if (*flags & IPT_ROUTE_OPT_IIF)
5567 - exit_error(PARAMETER_PROBLEM,
5568 - "Can't specify --iif twice");
5570 - if (*flags & IPT_ROUTE_OPT_OIF)
5571 - exit_error(PARAMETER_PROBLEM,
5572 - "Can't use --iif and --oif together");
5574 - if (check_inverse(optarg, &invert, NULL, 0))
5575 - exit_error(PARAMETER_PROBLEM,
5576 - "Unexpected `!' after --iif");
5578 - if (strlen(optarg) > sizeof(route_info->iif) - 1)
5579 - exit_error(PARAMETER_PROBLEM,
5580 - "Maximum interface name length %u",
5581 - sizeof(route_info->iif) - 1);
5583 - strcpy(route_info->iif, optarg);
5584 - *flags |= IPT_ROUTE_OPT_IIF;
5588 - if (*flags & IPT_ROUTE_OPT_GW)
5589 - exit_error(PARAMETER_PROBLEM,
5590 - "Can't specify --gw twice");
5592 - if (check_inverse(optarg, &invert, NULL, 0))
5593 - exit_error(PARAMETER_PROBLEM,
5594 - "Unexpected `!' after --gw");
5596 - if (!inet_aton(optarg, (struct in_addr*)&route_info->gw)) {
5597 - exit_error(PARAMETER_PROBLEM,
5598 - "Invalid IP address %s",
5602 - *flags |= IPT_ROUTE_OPT_GW;
5606 - if (*flags & IPT_ROUTE_OPT_CONTINUE)
5607 - exit_error(PARAMETER_PROBLEM,
5608 - "Can't specify --continue twice");
5609 - if (*flags & IPT_ROUTE_OPT_TEE)
5610 - exit_error(PARAMETER_PROBLEM,
5611 - "Can't specify --continue AND --tee");
5613 - route_info->flags |= IPT_ROUTE_CONTINUE;
5614 - *flags |= IPT_ROUTE_OPT_CONTINUE;
5619 - if (*flags & IPT_ROUTE_OPT_TEE)
5620 - exit_error(PARAMETER_PROBLEM,
5621 - "Can't specify --tee twice");
5622 - if (*flags & IPT_ROUTE_OPT_CONTINUE)
5623 - exit_error(PARAMETER_PROBLEM,
5624 - "Can't specify --tee AND --continue");
5626 - route_info->flags |= IPT_ROUTE_TEE;
5627 - *flags |= IPT_ROUTE_OPT_TEE;
5640 -final_check(unsigned int flags)
5643 - exit_error(PARAMETER_PROBLEM,
5644 - "ROUTE target: oif, iif or gw option required");
5646 - if ((flags & (IPT_ROUTE_OPT_CONTINUE|IPT_ROUTE_OPT_TEE)) && (flags & IPT_ROUTE_OPT_IIF))
5647 - exit_error(PARAMETER_PROBLEM,
5648 - "ROUTE target: can't continue traversing the rules with iif option");
5652 -/* Prints out the targinfo. */
5654 -print(const struct ipt_ip *ip,
5655 - const struct ipt_entry_target *target,
5658 - const struct ipt_route_target_info *route_info
5659 - = (const struct ipt_route_target_info *)target->data;
5663 - if (route_info->oif[0])
5664 - printf("oif:%s ", route_info->oif);
5666 - if (route_info->iif[0])
5667 - printf("iif:%s ", route_info->iif);
5669 - if (route_info->gw) {
5670 - struct in_addr ip = { route_info->gw };
5671 - printf("gw:%s ", inet_ntoa(ip));
5674 - if (route_info->flags & IPT_ROUTE_CONTINUE)
5675 - printf("continue");
5677 - if (route_info->flags & IPT_ROUTE_TEE)
5683 -static void save(const struct ipt_ip *ip,
5684 - const struct ipt_entry_target *target)
5686 - const struct ipt_route_target_info *route_info
5687 - = (const struct ipt_route_target_info *)target->data;
5689 - if (route_info->oif[0])
5690 - printf("--oif %s ", route_info->oif);
5692 - if (route_info->iif[0])
5693 - printf("--iif %s ", route_info->iif);
5695 - if (route_info->gw) {
5696 - struct in_addr ip = { route_info->gw };
5697 - printf("--gw %s ", inet_ntoa(ip));
5700 - if (route_info->flags & IPT_ROUTE_CONTINUE)
5701 - printf("--continue ");
5703 - if (route_info->flags & IPT_ROUTE_TEE)
5708 -static struct iptables_target route = {
5711 - .version = IPTABLES_VERSION,
5712 - .size = IPT_ALIGN(sizeof(struct ipt_route_target_info)),
5713 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_route_target_info)),
5717 - .final_check = &final_check,
5720 - .extra_opts = opts
5725 - register_target(&route);
5727 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_ROUTE.man iptables-svn/extensions/libipt_ROUTE.man
5728 --- iptables-1.3.7/extensions/libipt_ROUTE.man 2006-12-04 12:15:20.000000000 +0100
5729 +++ iptables-svn/extensions/libipt_ROUTE.man 1970-01-01 01:00:00.000000000 +0100
5731 -This is used to explicitly override the core network stack's routing decision.
5735 -.BI "--oif " "ifname"
5736 -Route the packet through `ifname' network interface
5738 -.BI "--iif " "ifname"
5739 -Change the packet's incoming interface to `ifname'
5741 -.BI "--gw " "IP_address"
5742 -Route the packet via this gateway
5745 -Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--tee'
5748 -Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--continue'
5749 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_rpc.c iptables-svn/extensions/libipt_rpc.c
5750 --- iptables-1.3.7/extensions/libipt_rpc.c 2006-12-04 12:15:20.000000000 +0100
5751 +++ iptables-svn/extensions/libipt_rpc.c 1970-01-01 01:00:00.000000000 +0100
5753 -/* RPC extension for IP connection matching, Version 2.2
5754 - * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
5755 - * - original rpc tracking module
5756 - * - "recent" connection handling for kernel 2.3+ netfilter
5758 - * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
5759 - * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
5761 - * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
5762 - * - upgraded conntrack modules to newnat api - kernel 2.4.20+
5763 - * - extended matching to support filtering on procedures
5765 - * libipt_rpc.c,v 2.2 2003/01/12 18:30:00
5767 - * This program is free software; you can redistribute it and/or
5768 - * modify it under the terms of the GNU General Public License
5769 - * as published by the Free Software Foundation; either version
5770 - * 2 of the License, or (at your option) any later version.
5772 - * Userspace library syntax:
5773 - * --rpc [--rpcs procedure1,procedure2,...procedure128] [--static]
5775 - * Procedures can be supplied in either numeric or named formats.
5776 - * Without --rpcs, this module will behave as the old record-rpc.
5780 - * RPCs should not be exposed to the internet - ask the Pentagon;
5782 - * "The unidentified crackers pleaded guilty in July to charges
5783 - * of juvenile delinquency stemming from a string of Pentagon
5784 - * network intrusions in February.
5786 - * The youths, going by the names TooShort and Makaveli, used
5787 - * a common server security hole to break in, according to
5788 - * Dane Jasper, owner of the California Internet service
5789 - * provider, Sonic. They used the hole, known as the 'statd'
5790 - * exploit, to attempt more than 800 break-ins, Jasper said."
5792 - * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
5793 - * URL: http://www.wired.com/news/politics/0,1283,16098,00.html
5799 -#include <string.h>
5800 -#include <stdlib.h>
5801 -#include <getopt.h>
5802 -#include <rpc/rpc.h>
5804 -#include <iptables.h>
5805 -#include <linux/netfilter_ipv4/ipt_rpc.h>
5809 -const int IPT_RPC_RPCS = 1;
5810 -const int IPT_RPC_STRC = 2;
5812 -const int IPT_RPC_INT_LBL = 1;
5813 -const int IPT_RPC_INT_NUM = 2;
5814 -const int IPT_RPC_INT_BTH = 3;
5816 -const int IPT_RPC_CHAR_LEN = 11;
5817 -const int IPT_RPC_MAX_ENTS = 128;
5819 -const char preerr[11] = "RPC match:";
5822 -static int k_itoa(char *string, int number)
5824 - int maxoctet = IPT_RPC_CHAR_LEN - 1;
5825 - int store[IPT_RPC_CHAR_LEN];
5829 - for (counter=0 ; maxoctet != 0 && number != 0; counter++, maxoctet--) {
5830 - store[counter] = number / 10;
5831 - store[counter] = number - ( store[counter] * 10 );
5832 - number = number / 10;
5835 - for ( ; counter != 0; counter--, string++)
5836 - *string = store[counter - 1] + 48;
5844 -static int k_atoi(char *string)
5846 - unsigned int result = 0;
5847 - int maxoctet = IPT_RPC_CHAR_LEN;
5850 - for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
5855 - if (*string < 48 || *string > 57) {
5858 - result = result * 10 + ( *string - 48 );
5865 -static void print_rpcs(char *c_procs, int i_procs, int labels)
5869 - unsigned int proc_num;
5870 - struct rpcent *rpcent;
5873 - for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
5875 - if ( proc_ctr != 0 )
5878 - proc_ptr = c_procs;
5879 - proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
5880 - proc_num = k_atoi(proc_ptr);
5882 - /* labels(1) == no labels, only numbers
5883 - * labels(2) == no numbers, only labels
5884 - * labels(3) == both labels and numbers
5887 - if (labels == IPT_RPC_INT_LBL || labels == IPT_RPC_INT_BTH ) {
5888 - if ( (rpcent = getrpcbynumber(proc_num)) == NULL )
5889 - printf("unknown");
5891 - printf("%s", rpcent->r_name);
5894 - if (labels == IPT_RPC_INT_BTH )
5897 - if (labels == IPT_RPC_INT_NUM || labels == IPT_RPC_INT_BTH )
5898 - printf("%i", proc_num);
5900 - if (labels == IPT_RPC_INT_BTH )
5908 -static void help(void)
5911 - "RPC v%s options:\n"
5912 - " --rpcs list,of,procedures"
5913 - "\ta list of rpc program numbers to apply\n"
5914 - "\t\t\t\tie. 100003,mountd,rquotad (numeric or\n"
5915 - "\t\t\t\tname form; see /etc/rpc).\n"
5917 - "\t\t\ta flag to force the drop of packets\n"
5918 - "\t\t\t\tnot containing \"get\" portmapper requests.\n",
5919 - IPTABLES_VERSION);
5923 -static struct option opts[] = {
5924 - { "rpcs", 1, 0, '1'},
5925 - { "strict", 0, 0, '2'},
5930 -static void init(struct ipt_entry_match *match, unsigned int *nfcache)
5932 - struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
5936 - /* initialise those funky user vars */
5937 - rpcinfo->i_procs = -1;
5938 - rpcinfo->strict = 0;
5939 - memset((char *)rpcinfo->c_procs, 0, sizeof(rpcinfo->c_procs));
5943 -static void parse_rpcs_string(char *string, struct ipt_entry_match **match)
5945 - char err1[64] = "%s invalid --rpcs option-set: `%s' (at character %i)";
5946 - char err2[64] = "%s unable to resolve rpc name entry: `%s'";
5947 - char err3[64] = "%s maximum number of --rpc options (%i) exceeded";
5954 - struct rpcent *rpcent_ptr;
5955 - struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
5958 - memset(buf, 0, sizeof(buf));
5960 - for (src=string, dst=buf; term != 1 ; src++, dst++) {
5962 - if ( *src != ',' && *src != '\0' ) {
5963 - if ( ( *src >= 65 && *src <= 90 ) || ( *src >= 97 && *src <= 122) ) {
5967 - } else if ( *src >= 48 && *src <= 57 ) {
5971 - exit_error(PARAMETER_PROBLEM, err1, preerr,
5972 - string, src - string + 1);
5978 - if ( idup == 1 ) {
5979 - if ( (rpcent_ptr = getrpcbyname(dup)) == NULL )
5980 - exit_error(PARAMETER_PROBLEM, err2,
5982 - idup = rpcent_ptr->r_number;
5984 - idup = k_atoi(dup);
5987 - rpcinfo->i_procs++;
5988 - if ( rpcinfo->i_procs > IPT_RPC_MAX_ENTS )
5989 - exit_error(PARAMETER_PROBLEM, err3, preerr,
5990 - IPT_RPC_MAX_ENTS);
5992 - c_procs = (char *)rpcinfo->c_procs;
5993 - c_procs += rpcinfo->i_procs * IPT_RPC_CHAR_LEN;
5995 - memset(buf, 0, sizeof(buf));
5996 - k_itoa((char *)dup, idup);
5998 - strcpy(c_procs, dup);
6000 - if ( *src == '\0')
6004 - memset(buf, 0, sizeof(buf));
6005 - dst = (char *)buf - 1;
6013 -static int parse(int c, char **argv, int invert, unsigned int *flags,
6014 - const struct ipt_entry *entry,
6015 - unsigned int *nfcache,
6016 - struct ipt_entry_match **match)
6018 - struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
6025 - exit_error(PARAMETER_PROBLEM,
6026 - "%s unexpected '!' with --rpcs\n", preerr);
6027 - if (*flags & IPT_RPC_RPCS)
6028 - exit_error(PARAMETER_PROBLEM,
6029 - "%s repeated use of --rpcs\n", preerr);
6030 - parse_rpcs_string(optarg, match);
6032 - *flags |= IPT_RPC_RPCS;
6037 - exit_error(PARAMETER_PROBLEM,
6038 - "%s unexpected '!' with --strict\n", preerr);
6039 - if (*flags & IPT_RPC_STRC)
6040 - exit_error(PARAMETER_PROBLEM,
6041 - "%s repeated use of --strict\n", preerr);
6042 - rpcinfo->strict = 1;
6043 - *flags |= IPT_RPC_STRC;
6055 -static void final_check(unsigned int flags)
6057 - if (flags != (flags | IPT_RPC_RPCS)) {
6058 - printf("%s option \"--rpcs\" was not used ... reverting ", preerr);
6059 - printf("to old \"record-rpc\" functionality ..\n");
6064 -static void print(const struct ipt_ip *ip,
6065 - const struct ipt_entry_match *match,
6068 - struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
6072 - if(rpcinfo->strict == 1)
6073 - printf("[strict]");
6077 - if(rpcinfo->i_procs == -1) {
6081 - print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_BTH);
6088 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
6090 - struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
6093 - if(rpcinfo->i_procs > -1) {
6094 - printf("--rpcs ");
6095 - print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_NUM);
6099 - if(rpcinfo->strict == 1)
6100 - printf("--strict ");
6105 -static struct iptables_match rpcstruct = {
6108 - .version = IPTABLES_VERSION,
6109 - .size = IPT_ALIGN(sizeof(struct ipt_rpc_info)),
6110 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_rpc_info)),
6114 - .final_check = &final_check,
6117 - .extra_opts = opts
6123 - register_match(&rpcstruct);
6126 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_SAME.c iptables-svn/extensions/libipt_SAME.c
6127 --- iptables-1.3.7/extensions/libipt_SAME.c 2006-12-04 12:15:19.000000000 +0100
6128 +++ iptables-svn/extensions/libipt_SAME.c 2007-05-31 12:46:30.000000000 +0200
6131 #include <iptables.h>
6132 #include <linux/netfilter_ipv4/ip_tables.h>
6133 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
6134 +#include <linux/netfilter/nf_nat.h>
6135 /* For 64bit kernel / 32bit userspace */
6136 #include "../include/linux/netfilter_ipv4/ipt_SAME.h"
6139 " once for multiple ranges.\n"
6141 " Don't use destination-ip in\n"
6142 -" source selection\n",
6143 +" source selection\n"
6145 +" Randomize source port\n"
6150 static struct option opts[] = {
6151 { "to", 1, 0, '1' },
6152 { "nodst", 0, 0, '2'},
6153 + { "random", 0, 0, '3' },
6159 #define IPT_SAME_OPT_TO 0x01
6160 #define IPT_SAME_OPT_NODST 0x02
6161 +#define IPT_SAME_OPT_RANDOM 0x04
6163 /* Function which parses command options; returns true if it
6167 struct ipt_same_info *mr
6168 = (struct ipt_same_info *)(*target)->data;
6173 @@ -102,6 +108,10 @@
6174 "Unexpected `!' after --to");
6176 parse_to(optarg, &mr->range[mr->rangesize]);
6177 + /* WTF do we need this for? */
6178 + if (*flags & IPT_SAME_OPT_RANDOM)
6179 + mr->range[mr->rangesize].flags
6180 + |= IP_NAT_RANGE_PROTO_RANDOM;
6182 *flags |= IPT_SAME_OPT_TO;
6184 @@ -114,7 +124,13 @@
6185 mr->info |= IPT_SAME_NODST;
6186 *flags |= IPT_SAME_OPT_NODST;
6191 + *flags |= IPT_SAME_OPT_RANDOM;
6192 + for (count=0; count < mr->rangesize; count++)
6193 + mr->range[count].flags |= IP_NAT_RANGE_PROTO_RANDOM;
6201 struct ipt_same_info *mr
6202 = (struct ipt_same_info *)target->data;
6207 @@ -155,10 +172,15 @@
6210 printf("-%s ", addr_to_dotted(&a));
6211 + if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
6215 if (mr->info & IPT_SAME_NODST)
6219 + printf("random ");
6222 /* Saves the union ipt_targinfo in parsable form to stdout. */
6225 struct ipt_same_info *mr
6226 = (struct ipt_same_info *)target->data;
6229 for (count = 0; count < mr->rangesize; count++) {
6230 struct ip_nat_range *r = &mr->range[count];
6231 @@ -181,10 +204,15 @@
6234 printf("-%s ", addr_to_dotted(&a));
6235 + if (r->flags & IP_NAT_RANGE_PROTO_RANDOM)
6239 if (mr->info & IPT_SAME_NODST)
6243 + printf("--random ");
6246 static struct iptables_target same = {
6247 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_SAME.man iptables-svn/extensions/libipt_SAME.man
6248 --- iptables-1.3.7/extensions/libipt_SAME.man 2006-12-04 12:15:19.000000000 +0100
6249 +++ iptables-svn/extensions/libipt_SAME.man 2007-05-31 12:46:30.000000000 +0200
6252 Don't use the destination-ip in the calculations when selecting the
6256 +Port mapping will be forcely randomized to avoid attacks based on
6257 +port prediction (kernel >= 2.6.21).
6258 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_set.c iptables-svn/extensions/libipt_set.c
6259 --- iptables-1.3.7/extensions/libipt_set.c 2006-12-04 12:15:19.000000000 +0100
6260 +++ iptables-svn/extensions/libipt_set.c 2007-05-31 12:46:30.000000000 +0200
6264 #include <iptables.h>
6265 -#include <linux/netfilter_ipv4/ip_conntrack.h>
6266 #include <linux/netfilter_ipv4/ipt_set.h>
6267 #include "libipt_set.h"
6269 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_SET.c iptables-svn/extensions/libipt_SET.c
6270 --- iptables-1.3.7/extensions/libipt_SET.c 2006-12-04 12:15:20.000000000 +0100
6271 +++ iptables-svn/extensions/libipt_SET.c 2007-05-31 12:46:30.000000000 +0200
6274 #include <iptables.h>
6275 #include <linux/netfilter_ipv4/ip_tables.h>
6276 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
6277 #include <linux/netfilter_ipv4/ip_set.h>
6278 #include <linux/netfilter_ipv4/ipt_set.h>
6279 #include "libipt_set.h"
6280 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_SNAT.c iptables-svn/extensions/libipt_SNAT.c
6281 --- iptables-1.3.7/extensions/libipt_SNAT.c 2006-12-04 12:15:19.000000000 +0100
6282 +++ iptables-svn/extensions/libipt_SNAT.c 2007-05-31 12:46:30.000000000 +0200
6285 #include <iptables.h>
6286 #include <linux/netfilter_ipv4/ip_tables.h>
6287 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
6288 +#include <linux/netfilter/nf_nat.h>
6290 +#define IPT_SNAT_OPT_SOURCE 0x01
6291 +#define IPT_SNAT_OPT_RANDOM 0x02
6293 /* Source NAT data consists of a multi-range, indicating where to map
6296 "SNAT v%s options:\n"
6297 " --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
6298 " Address to map source to.\n"
6299 -" (You can use this more than once)\n\n",
6305 static struct option opts[] = {
6306 { "to-source", 1, 0, '1' },
6307 + { "random", 0, 0, '2' },
6312 exit_error(PARAMETER_PROBLEM,
6313 "Unexpected `!' after --to-source");
6316 + if (*flags & IPT_SNAT_OPT_SOURCE) {
6317 if (!kernel_version)
6318 get_kernel_version();
6319 if (kernel_version > LINUX_VERSION(2, 6, 10))
6320 @@ -163,7 +168,18 @@
6321 "Multiple --to-source not supported");
6323 *target = parse_to(optarg, portok, info);
6325 + /* WTF do we need this for?? */
6326 + if (*flags & IPT_SNAT_OPT_RANDOM)
6327 + info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
6328 + *flags |= IPT_SNAT_OPT_SOURCE;
6332 + if (*flags & IPT_SNAT_OPT_SOURCE) {
6333 + info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
6334 + *flags |= IPT_SNAT_OPT_RANDOM;
6336 + *flags |= IPT_SNAT_OPT_RANDOM;
6341 /* Final check; must have specfied --to-source. */
6342 static void final_check(unsigned int flags)
6345 + if (!(flags & IPT_SNAT_OPT_SOURCE))
6346 exit_error(PARAMETER_PROBLEM,
6347 "You must specify --to-source");
6350 for (i = 0; i < info->mr.rangesize; i++) {
6351 print_range(&info->mr.range[i]);
6353 + if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
6354 + printf("random ");
6359 printf("--to-source ");
6360 print_range(&info->mr.range[i]);
6362 + if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
6363 + printf("--random ");
6367 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_SNAT.man iptables-svn/extensions/libipt_SNAT.man
6368 --- iptables-1.3.7/extensions/libipt_SNAT.man 2006-12-04 12:15:19.000000000 +0100
6369 +++ iptables-svn/extensions/libipt_SNAT.man 2007-05-31 12:46:30.000000000 +0200
6371 If no port range is specified, then source ports below 512 will be
6372 mapped to other ports below 512: those between 512 and 1023 inclusive
6373 will be mapped to ports below 1024, and other ports will be mapped to
6374 -1024 or above. Where possible, no port alteration will occur.
6377 +1024 or above. Where possible, no port alteration will
6379 In Kernels up to 2.6.10, you can add several --to-source options. For those
6380 kernels, if you specify more than one source address, either via an address
6381 range or multiple --to-source options, a simple round-robin (one after another
6382 in cycle) takes place between these addresses.
6383 Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
6389 +is used then port mapping will be randomized (kernel >= 2.6.21).
6392 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_state.c iptables-svn/extensions/libipt_state.c
6393 --- iptables-1.3.7/extensions/libipt_state.c 2006-12-04 12:15:20.000000000 +0100
6394 +++ iptables-svn/extensions/libipt_state.c 2007-05-31 12:46:30.000000000 +0200
6398 #include <iptables.h>
6399 -#include <linux/netfilter_ipv4/ip_conntrack.h>
6400 +#include <linux/netfilter/nf_conntrack_common.h>
6401 #include <linux/netfilter_ipv4/ipt_state.h>
6403 #ifndef IPT_STATE_UNTRACKED
6404 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_string.c iptables-svn/extensions/libipt_string.c
6405 --- iptables-1.3.7/extensions/libipt_string.c 2006-12-04 12:15:19.000000000 +0100
6406 +++ iptables-svn/extensions/libipt_string.c 2007-05-31 12:46:30.000000000 +0200
6408 if (info->from_offset != 0)
6409 printf("FROM %u ", info->from_offset);
6410 if (info->to_offset != 0)
6411 - printf("TO %u", info->to_offset);
6412 + printf("TO %u ", info->to_offset);
6416 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_TARPIT.c iptables-svn/extensions/libipt_TARPIT.c
6417 --- iptables-1.3.7/extensions/libipt_TARPIT.c 2006-12-04 12:15:20.000000000 +0100
6418 +++ iptables-svn/extensions/libipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100
6420 -/* Shared library add-on to iptables for TARPIT support */
6422 -#include <getopt.h>
6423 -#include <iptables.h>
6429 -"TARPIT takes no options\n"
6433 -static struct option opts[] = {
6438 -parse(int c, char **argv, int invert, unsigned int *flags,
6439 - const struct ipt_entry *entry,
6440 - struct ipt_entry_target **target)
6445 -static void final_check(unsigned int flags)
6450 -print(const struct ipt_ip *ip,
6451 - const struct ipt_entry_target *target,
6456 -static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
6460 -static struct iptables_target tarpit = {
6463 - .version = IPTABLES_VERSION,
6464 - .size = IPT_ALIGN(0),
6465 - .userspacesize = IPT_ALIGN(0),
6468 - .final_check = &final_check,
6471 - .extra_opts = opts
6476 - register_target(&tarpit);
6478 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_TARPIT.man iptables-svn/extensions/libipt_TARPIT.man
6479 --- iptables-1.3.7/extensions/libipt_TARPIT.man 2006-12-04 12:15:19.000000000 +0100
6480 +++ iptables-svn/extensions/libipt_TARPIT.man 1970-01-01 01:00:00.000000000 +0100
6482 -Captures and holds incoming TCP connections using no local
6483 -per-connection resources. Connections are accepted, but immediately
6484 -switched to the persist state (0 byte window), in which the remote
6485 -side stops sending data and asks to continue every 60-240 seconds.
6486 -Attempts to close the connection are ignored, forcing the remote side
6487 -to time out the connection in 12-24 minutes.
6489 -This offers similar functionality to LaBrea
6490 -<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
6491 -hardware or IPs. Any TCP port that you would normally DROP or REJECT
6492 -can instead become a tarpit.
6494 -To tarpit connections to TCP port 80 destined for the current machine:
6496 -iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
6498 -To significantly slow down Code Red/Nimda-style scans of unused address
6499 -space, forward unused ip addresses to a Linux box not acting as a router
6500 -(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
6501 -forwarding on the Linux box, and add:
6503 -iptables -A FORWARD -p tcp -j TARPIT
6505 -iptables -A FORWARD -j DROP
6508 -If you use the conntrack module while you are using TARPIT, you should
6509 -also use the NOTRACK target, or the kernel will unnecessarily allocate
6510 -resources for each TARPITted connection. To TARPIT incoming
6511 -connections to the standard IRC port while using conntrack, you could:
6513 -iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
6515 -iptables -A INPUT -p tcp --dport 6667 -j TARPIT
6516 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_TCPLAG.c iptables-svn/extensions/libipt_TCPLAG.c
6517 --- iptables-1.3.7/extensions/libipt_TCPLAG.c 2006-12-04 12:15:20.000000000 +0100
6518 +++ iptables-svn/extensions/libipt_TCPLAG.c 1970-01-01 01:00:00.000000000 +0100
6520 -/* libipt_TCPLAG.c -- module for iptables to interface with TCPLAG target
6521 - * Copyright (C) 2002 Telford Tendys <telford@triode.net.au>
6523 - * This program is free software; you can redistribute it and/or modify
6524 - * it under the terms of the GNU General Public License as published by
6525 - * the Free Software Foundation; either version 2 of the License, or
6526 - * (at your option) any later version.
6528 - * This program is distributed in the hope that it will be useful,
6529 - * but WITHOUT ANY WARRANTY; without even the implied warranty of
6530 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
6531 - * GNU General Public License for more details.
6533 - * You should have received a copy of the GNU General Public License
6534 - * along with this program; if not, write to the Free Software
6535 - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
6539 - * Shared library add-on to iptables for TCPLAG target control
6541 - * This allows installation and removal of the TCPLAG target
6542 - * Note that there is a lot more commentary in this file than
6543 - * the average libipt target (i.e. more than none) but these
6544 - * are just my deductions based on examination of the source
6549 -#include <string.h>
6550 -#include <stdlib.h>
6551 -#include <syslog.h>
6552 -#include <getopt.h>
6553 -#include <iptables.h>
6554 -#include <linux/netfilter_ipv4/ip_tables.h>
6555 -#include <linux/netfilter_ipv4/ipt_TCPLAG.h>
6558 - * This merely dumps out text for the user
6559 - * (saves keeping the manpage up to date)
6561 -static void help( void )
6563 - printf( "TCPLAG options:\n"
6564 - " --log-level=n Set the syslog level to n (integer 0 to 7)\n\n"
6565 - " --log-prefix=xx Prefix log messages with xx\n" );
6569 - * See "man getopt_long" for an explanation of this structure
6571 - * If one of our options DOES happen to come up then we get
6572 - * a callback into parse(), our vals must not overlap with any
6573 - * normal iptables short options (I think) because there is only
6574 - * one actual options handler and it can't tell whose options it
6575 - * is really looking at unless they are all distinct.
6577 - * These are exactly the same as the LOG target options
6578 - * and have the same purpose.
6580 -static const struct option opts[] =
6582 - { "log-level", 1, 0, '!' },
6583 - { "log-prefix", 1, 0, '#' },
6588 - * This gives us a chance to install some initial values in
6589 - * our own private data structure (which is at t->data).
6590 - * Probably we could fiddle with t->tflags too but there is
6591 - * no great advantage in doing so.
6593 -static void init( struct ipt_entry_target *t, unsigned int *nfcache )
6595 - struct ipt_tcplag *el = (struct ipt_tcplag *)t->data;
6596 - memset( el, 0, sizeof( struct ipt_tcplag ));
6597 - el->level = 4; /* Default to warning level */
6598 - strcpy( el->prefix, "TCPLAG:" ); /* Give a reasonable default prefix */
6602 - * It doesn't take much thought to see how little thought has gone into
6603 - * this particular API. However, to add to that I'd just like to say that
6604 - * it can be made to work and small miracles are still miracles.
6606 - * The input parameters are as follows:
6608 - * c -- the 'val' from opts[] above, could possibly be something
6609 - * we cannot recognise in which case return(0).
6610 - * If we do recognise it then return(1).
6612 - * argv -- in case we want to take parameters from the command line,
6613 - * not sure how to safely ensure that the parameter that
6614 - * we want to take will really exist, presumably getopt_long()
6615 - * will have already checked such things (what about optional
6616 - * parameters huh?).
6618 - * invert -- if the option parameter had '!' in front of it, usually this
6619 - * would inversion of the matching sense but I don't think it
6620 - * is useful in the case of targets.
6622 - * flags -- always (*target)->tflags for those who feel it is better
6623 - * to access this field indirectly <shrug> starts of
6624 - * zero for a fresh target, gets fed into final_check().
6626 - * entry -- apparently useless
6628 - * target -- the record that holds data about this target,
6629 - * most importantly, our private data is (*target)->data
6630 - * (this has already been malloced for us).
6632 -static int parse( int c, char **argv, int invert, unsigned int *flags,
6633 - const struct ipt_entry *entry, struct ipt_entry_target **target )
6635 - struct ipt_tcplag *el = (struct ipt_tcplag *)( *target )->data;
6637 - * Yeah, we could complain about options being issued twice but
6638 - * is it really worth the trouble? Will it make the world a better place?
6643 - * I really can't be bothered with the syslog naming convention,
6644 - * it isn't terribly useful anyhow.
6647 - el->level = strtol( optarg, 0, 10 );
6650 - * 15 chars should be plenty
6653 - strncpy( el->prefix, optarg, 15 );
6654 - el->prefix[ 14 ] = 0; /* Force termination */
6661 - * This gets given the (*target)->tflags value from
6662 - * the parse() above and it gets called after all the
6663 - * parsing of options is completed. Thus if one option
6664 - * requires another option you can test the flags and
6665 - * decide whether everything is in order.
6667 - * If there is a problem then do something like:
6668 - * exit_error( PARAMETER_PROBLEM, "foobar parameters detected in TCPLAG target");
6670 - * In this case, no errors are possible
6672 -static void final_check( unsigned int flags ) { }
6674 - * This print is for the purpose of user-readable display
6675 - * such as what "iptables -L" would give. The notes in
6676 - * iptables.h say that target could possibly be a null pointer
6677 - * but coding of the various libipt_XX.c modules suggests
6678 - * that it is safe to presume target is correctly initialised.
6680 -static void print(const struct ipt_ip *ip, const struct ipt_entry_target *target, int numeric)
6682 - const struct ipt_tcplag *el = (const struct ipt_tcplag *)target->data;
6683 - printf("TCPLAG <%d>", el->level );
6684 - if( el->prefix[ 0 ])
6686 - printf( "%s", el->prefix );
6691 - * As above but command-line style printout
6692 - * (machine-readable for restoring table)
6694 -static void save( const struct ipt_ip *ip, const struct ipt_entry_target *target )
6696 - const struct ipt_tcplag *el = (const struct ipt_tcplag *)target->data;
6697 - printf("TCPLAG --log-level=%d", el->level );
6698 - if( el->prefix[ 0 ])
6701 - * FIXME: Should have smarter quoting
6703 - printf( " --log-prefix='%s'", el->prefix );
6708 - * The version must match the iptables version exactly
6709 - * which is a big pain, could use `iptables -V` in makefile
6710 - * but we can't guarantee compatibility with all iptables
6711 - * so we are stuck with only supporting one particular version.
6713 -static struct iptables_target targ =
6717 -version: IPTABLES_VERSION,
6718 -size: IPT_ALIGN( sizeof( struct ipt_tcplag )),
6719 -userspacesize: IPT_ALIGN( sizeof( struct ipt_tcplag )),
6723 -final_check: &final_check,
6730 - * Always nervous trusting _init() but oh well that is the standard
6731 - * so have to go ahead and use it. This registers your target into
6732 - * the list of available targets so that your options become available.
6734 -void _init( void ) { register_target( &targ ); }
6735 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_tcp.man iptables-svn/extensions/libipt_tcp.man
6736 --- iptables-1.3.7/extensions/libipt_tcp.man 2006-12-04 12:15:20.000000000 +0100
6737 +++ iptables-svn/extensions/libipt_tcp.man 2007-05-31 12:46:30.000000000 +0200
6739 -These extensions are loaded if `--protocol tcp' is specified. It
6740 +These extensions can be used if `--protocol tcp' is specified. It
6741 provides the following options:
6743 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
6746 .BR "--tcp-option " "[!] \fInumber\fP"
6747 Match if TCP option set.
6749 -.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
6750 -Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
6751 -which control the maximum packet size for that connection.
6752 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_tcpmss.man iptables-svn/extensions/libipt_tcpmss.man
6753 --- iptables-1.3.7/extensions/libipt_tcpmss.man 2006-12-04 12:15:20.000000000 +0100
6754 +++ iptables-svn/extensions/libipt_tcpmss.man 2007-05-31 12:46:30.000000000 +0200
6756 This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
6758 -.BI "[!] "--mss " "value[:value]"
6759 +.BI "[!] "--mss " value[:value]"
6760 Match a given TCP MSS value or range.
6761 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_time.c iptables-svn/extensions/libipt_time.c
6762 --- iptables-1.3.7/extensions/libipt_time.c 2006-12-04 12:15:20.000000000 +0100
6763 +++ iptables-svn/extensions/libipt_time.c 1970-01-01 01:00:00.000000000 +0100
6765 -/* Shared library add-on to iptables to add TIME matching support. */
6768 -#include <string.h>
6769 -#include <stdlib.h>
6770 -#include <stddef.h> /* for 'offsetof' */
6771 -#include <getopt.h>
6773 -#include <iptables.h>
6774 -#include <linux/netfilter_ipv4/ipt_time.h>
6777 -static int globaldays;
6779 -/* Function which prints out usage message. */
6784 -"TIME v%s options:\n"
6785 -" [ --timestart value ] [ --timestop value] [ --days listofdays ] [ --datestart value ] [ --datestop value ]\n"
6786 -" timestart value : HH:MM (default 00:00)\n"
6787 -" timestop value : HH:MM (default 23:59)\n"
6788 -" Note: daylight savings time changes are not tracked\n"
6789 -" listofdays value: a list of days to apply\n"
6790 -" from Mon,Tue,Wed,Thu,Fri,Sat,Sun\n"
6791 -" Coma speparated, no space, case sensitive.\n"
6792 -" Defaults to all days.\n"
6793 -" datestart value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
6794 -" If any of month, day, hour, minute or second is\n"
6795 -" not specified, then defaults to their smallest\n"
6796 -" 1900 <= YYYY < 2037\n"
6802 -" datestop value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
6803 -" If the whole option is ommited, default to never stop\n"
6804 -" If any of month, day, hour, minute or second is\n"
6805 -" not specified, then default to their smallest\n",
6809 -static struct option opts[] = {
6810 - { "timestart", 1, 0, '1' },
6811 - { "timestop", 1, 0, '2' },
6812 - { "days", 1, 0, '3'},
6813 - { "datestart", 1, 0, '4' },
6814 - { "datestop", 1, 0, '5' },
6818 -/* Initialize the match. */
6820 -init(struct ipt_entry_match *m, unsigned int *nfcache)
6822 - struct ipt_time_info *info = (struct ipt_time_info *)m->data;
6824 - /* By default, we match on everyday */
6825 - info->days_match = 127;
6826 - /* By default, we match on every hour:min of the day */
6827 - info->time_start = 0;
6828 - info->time_stop = 1439; /* (23*60+59 = 1439 */
6829 - /* By default, we don't have any date-begin or date-end boundaries */
6830 - info->date_start = 0;
6831 - info->date_stop = LONG_MAX;
6835 - * param: part1, a pointer on a string 2 chars maximum long string, that will contain the hours.
6836 - * param: part2, a pointer on a string 2 chars maximum long string, that will contain the minutes.
6837 - * param: str_2_parse, the string to parse.
6838 - * return: 1 if ok, 0 if error.
6841 -split_time(char **part1, char **part2, const char *str_2_parse)
6843 - unsigned short int i,j=0;
6844 - char *rpart1 = *part1;
6845 - char *rpart2 = *part2;
6846 - unsigned char found_column = 0;
6848 - /* Check the length of the string */
6849 - if (strlen(str_2_parse) > 5)
6851 - /* parse the first part until the ':' */
6852 - for (i=0; i<2; i++)
6854 - if (str_2_parse[i] == ':')
6857 - rpart1[i] = str_2_parse[i];
6859 - if (!found_column)
6862 - /* parse the second part */
6863 - for (; i<strlen(str_2_parse); i++)
6865 - rpart2[i-j] = str_2_parse[i];
6867 - /* if we are here, format should be ok. */
6872 -parse_number(char *str, int num_min, int num_max, int *number)
6874 - /* if the number starts with 0, replace it with a space else
6875 - string_to_number() will interpret it as octal !! */
6876 - if (strlen(str) == 0)
6879 - if ((str[0] == '0') && (str[1] != '\0'))
6882 - return string_to_number(str, num_min, num_max, number);
6886 -parse_time_string(int *hour, int *minute, const char *time)
6890 - hours = (char *)malloc(3);
6891 - minutes = (char *)malloc(3);
6892 - memset(hours, 0, 3);
6893 - memset(minutes, 0, 3);
6895 - if (split_time((char **)&hours, (char **)&minutes, time) == 1)
6899 - if ((parse_number((char *)hours, 0, 23, hour) != -1) &&
6900 - (parse_number((char *)minutes, 0, 59, minute) != -1))
6911 - /* If we are here, there was a problem ..*/
6912 - exit_error(PARAMETER_PROBLEM,
6913 - "invalid time `%s' specified, should be HH:MM format", time);
6916 -/* return 1->ok, return 0->error */
6918 -parse_day(int *days, int from, int to, const char *string)
6921 - char *days_str[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
6922 - unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
6925 - dayread = (char *)malloc(4);
6926 - bzero(dayread, 4);
6927 - if ((to-from) != 3) {
6931 - for (i=from; i<to; i++)
6932 - dayread[i-from] = string[i];
6933 - for (i=0; i<7; i++)
6934 - if (strcmp(dayread, days_str[i]) == 0)
6936 - *days |= days_of_week[i];
6940 - /* if we are here, we didn't read a valid day */
6946 -parse_days_string(int *days, const char *daystring)
6950 - char *err = "invalid days `%s' specified, should be Sun,Mon,Tue... format";
6952 - len = strlen(daystring);
6954 - exit_error(PARAMETER_PROBLEM, err, daystring);
6957 - if (parse_day(days, i, i+3, daystring) == 0)
6958 - exit_error(PARAMETER_PROBLEM, err, daystring);
6964 -parse_date_field(const char *str_to_parse, int str_to_parse_s, int start_pos,
6965 - char *dest, int *next_pos)
6967 - unsigned char found_value = 0;
6968 - unsigned char found_column = 0;
6971 - for (i=0; i<2; i++)
6973 - if ((i+start_pos) >= str_to_parse_s) /* don't exit boundaries of the string.. */
6975 - if (str_to_parse[i+start_pos] == ':')
6980 - dest[i] = str_to_parse[i+start_pos];
6983 - if (found_value == 0)
6985 - *next_pos = i + start_pos;
6986 - if (found_column == 0)
6992 -split_date(char *year, char *month, char *day,
6993 - char *hour, char *minute, char *second,
6994 - const char *str_to_parse)
6997 - unsigned char found_column = 0;
6998 - int str_to_parse_s = strlen(str_to_parse);
7000 - /* Check the length of the string */
7001 - if ((str_to_parse_s > 19) || /* YYYY:MM:DD:HH:MM:SS */
7002 - (str_to_parse_s < 4)) /* YYYY*/
7005 - /* Clear the buffers */
7006 - memset(year, 0, 4);
7007 - memset(month, 0, 2);
7008 - memset(day, 0, 2);
7009 - memset(hour, 0, 2);
7010 - memset(minute, 0, 2);
7011 - memset(second, 0, 2);
7013 - /* parse the year YYYY */
7015 - for (i=0; i<5; i++)
7017 - if (i >= str_to_parse_s)
7019 - if (str_to_parse[i] == ':')
7025 - year[i] = str_to_parse[i];
7027 - if (found_column == 1)
7030 - /* parse the month if it exists */
7031 - if (! parse_date_field(str_to_parse, str_to_parse_s, i, month, &i))
7034 - if (! parse_date_field(str_to_parse, str_to_parse_s, i, day, &i))
7037 - if (! parse_date_field(str_to_parse, str_to_parse_s, i, hour, &i))
7040 - if (! parse_date_field(str_to_parse, str_to_parse_s, i, minute, &i))
7043 - parse_date_field(str_to_parse, str_to_parse_s, i, second, &i);
7045 - /* if we are here, format should be ok. */
7050 -parse_date_string(const char *str_to_parse)
7061 - memset(year, 0, 5);
7062 - memset(month, 0, 3);
7063 - memset(day, 0, 3);
7064 - memset(hour, 0, 3);
7065 - memset(minute, 0, 3);
7066 - memset(second, 0, 3);
7068 - if (split_date(year, month, day, hour, minute, second, str_to_parse) == 1)
7070 - memset((void *)&t, 0, sizeof(struct tm));
7073 - if (!((parse_number(year, 1900, 2037, &(t.tm_year)) == -1) ||
7074 - (parse_number(month, 1, 12, &(t.tm_mon)) == -1) ||
7075 - (parse_number(day, 1, 31, &(t.tm_mday)) == -1) ||
7076 - (parse_number(hour, 0, 9999, &(t.tm_hour)) == -1) ||
7077 - (parse_number(minute, 0, 59, &(t.tm_min)) == -1) ||
7078 - (parse_number(second, 0, 59, &(t.tm_sec)) == -1)))
7080 - t.tm_year -= 1900;
7082 - temp_time = mktime(&t);
7083 - if (temp_time != -1)
7087 - exit_error(PARAMETER_PROBLEM,
7088 - "invalid date `%s' specified, should be YYYY[:MM[:DD[:hh[:mm[:ss]]]]] format", str_to_parse);
7091 -#define IPT_TIME_START 0x01
7092 -#define IPT_TIME_STOP 0x02
7093 -#define IPT_TIME_DAYS 0x04
7094 -#define IPT_DATE_START 0x08
7095 -#define IPT_DATE_STOP 0x10
7097 -/* Function which parses command options; returns true if it
7100 -parse(int c, char **argv, int invert, unsigned int *flags,
7101 - const struct ipt_entry *entry,
7102 - unsigned int *nfcache,
7103 - struct ipt_entry_match **match)
7105 - struct ipt_time_info *timeinfo = (struct ipt_time_info *)(*match)->data;
7106 - int hours, minutes;
7114 - exit_error(PARAMETER_PROBLEM,
7115 - "unexpected '!' with --timestart");
7116 - if (*flags & IPT_TIME_START)
7117 - exit_error(PARAMETER_PROBLEM,
7118 - "Can't specify --timestart twice");
7119 - parse_time_string(&hours, &minutes, optarg);
7120 - timeinfo->time_start = (hours * 60) + minutes;
7121 - *flags |= IPT_TIME_START;
7126 - exit_error(PARAMETER_PROBLEM,
7127 - "unexpected '!' with --timestop");
7128 - if (*flags & IPT_TIME_STOP)
7129 - exit_error(PARAMETER_PROBLEM,
7130 - "Can't specify --timestop twice");
7131 - parse_time_string(&hours, &minutes, optarg);
7132 - timeinfo->time_stop = (hours * 60) + minutes;
7133 - *flags |= IPT_TIME_STOP;
7139 - exit_error(PARAMETER_PROBLEM,
7140 - "unexpected '!' with --days");
7141 - if (*flags & IPT_TIME_DAYS)
7142 - exit_error(PARAMETER_PROBLEM,
7143 - "Can't specify --days twice");
7144 - parse_days_string(&globaldays, optarg);
7145 - timeinfo->days_match = globaldays;
7146 - *flags |= IPT_TIME_DAYS;
7152 - exit_error(PARAMETER_PROBLEM,
7153 - "unexpected '!' with --datestart");
7154 - if (*flags & IPT_DATE_START)
7155 - exit_error(PARAMETER_PROBLEM,
7156 - "Can't specify --datestart twice");
7157 - temp_date = parse_date_string(optarg);
7158 - timeinfo->date_start = temp_date;
7159 - *flags |= IPT_DATE_START;
7165 - exit_error(PARAMETER_PROBLEM,
7166 - "unexpected '!' with --datestop");
7167 - if (*flags & IPT_DATE_STOP)
7168 - exit_error(PARAMETER_PROBLEM,
7169 - "Can't specify --datestop twice");
7170 - temp_date = parse_date_string(optarg);
7171 - timeinfo->date_stop = temp_date;
7172 - *flags |= IPT_DATE_STOP;
7182 -final_check(unsigned int flags)
7184 - /* Nothing to do */
7189 -print_days(int daynum)
7191 - char *days[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
7192 - unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
7193 - unsigned short int i, nbdays=0;
7195 - for (i=0; i<7; i++) {
7196 - if ((days_of_week[i] & daynum) == days_of_week[i])
7199 - printf(",%s", days[i]);
7201 - printf("%s", days[i]);
7209 -divide_time(int fulltime, int *hours, int *minutes)
7211 - *hours = fulltime / 60;
7212 - *minutes = fulltime % 60;
7216 -print_date(time_t date, char *command)
7220 - /* If it's default value, don't print..*/
7221 - if (((date == 0) || (date == LONG_MAX)) && (command != NULL))
7223 - t = localtime(&date);
7224 - if (command != NULL)
7225 - printf("%s %d:%d:%d:%d:%d:%d ", command, (t->tm_year + 1900), (t->tm_mon + 1),
7226 - t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
7228 - printf("%d-%d-%d %d:%d:%d ", (t->tm_year + 1900), (t->tm_mon + 1),
7229 - t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
7232 -/* Prints out the matchinfo. */
7234 -print(const struct ipt_ip *ip,
7235 - const struct ipt_entry_match *match,
7238 - struct ipt_time_info *time = ((struct ipt_time_info *)match->data);
7239 - int hour_start, hour_stop, minute_start, minute_stop;
7241 - divide_time(time->time_start, &hour_start, &minute_start);
7242 - divide_time(time->time_stop, &hour_stop, &minute_stop);
7244 - if (time->time_start != 0)
7245 - printf("from %d:%d ", hour_start, minute_start);
7246 - if (time->time_stop != 1439) /* 23*60+59 = 1439 */
7247 - printf("to %d:%d ", hour_stop, minute_stop);
7249 - if (time->days_match == 127)
7250 - printf("all days ");
7252 - print_days(time->days_match);
7253 - if (time->date_start != 0)
7255 - printf("starting from ");
7256 - print_date(time->date_start, NULL);
7258 - if (time->date_stop != LONG_MAX)
7260 - printf("until date ");
7261 - print_date(time->date_stop, NULL);
7265 -/* Saves the data in parsable form to stdout. */
7267 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
7269 - struct ipt_time_info *time = ((struct ipt_time_info *)match->data);
7270 - int hour_start, hour_stop, minute_start, minute_stop;
7272 - divide_time(time->time_start, &hour_start, &minute_start);
7273 - divide_time(time->time_stop, &hour_stop, &minute_stop);
7274 - if (time->time_start != 0)
7275 - printf("--timestart %.2d:%.2d ",
7276 - hour_start, minute_start);
7278 - if (time->time_stop != 1439) /* 23*60+59 = 1439 */
7279 - printf("--timestop %.2d:%.2d ",
7280 - hour_stop, minute_stop);
7282 - if (time->days_match != 127)
7284 - printf("--days ");
7285 - print_days(time->days_match);
7288 - print_date(time->date_start, "--datestart");
7289 - print_date(time->date_stop, "--datestop");
7292 -/* have to use offsetof() instead of IPT_ALIGN(), since kerneltime must not
7293 - * be compared when user deletes rule with '-D' */
7295 -struct iptables_match timestruct = {
7298 - .version = IPTABLES_VERSION,
7299 - .size = IPT_ALIGN(sizeof(struct ipt_time_info)),
7300 - .userspacesize = offsetof(struct ipt_time_info, kerneltime),
7304 - .final_check = &final_check,
7307 - .extra_opts = opts
7312 - register_match(×truct);
7314 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_time.man iptables-svn/extensions/libipt_time.man
7315 --- iptables-1.3.7/extensions/libipt_time.man 2006-12-04 12:15:20.000000000 +0100
7316 +++ iptables-svn/extensions/libipt_time.man 1970-01-01 01:00:00.000000000 +0100
7318 -This matches if the packet arrival time/date is within a given range. All options are facultative.
7320 -.BI " --timestart " "value"
7321 -Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
7323 -.BI "--timestop " "value"
7324 -Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
7326 -.BI "--days " "listofdays"
7327 -Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
7329 -.BI "--datestart " "date"
7330 -Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 1970)
7332 -.BI "--datestop " "date"
7333 -Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 2037)
7334 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_TRACE.c iptables-svn/extensions/libipt_TRACE.c
7335 --- iptables-1.3.7/extensions/libipt_TRACE.c 2006-12-04 12:15:20.000000000 +0100
7336 +++ iptables-svn/extensions/libipt_TRACE.c 1970-01-01 01:00:00.000000000 +0100
7338 -/* Shared library add-on to iptables to add TRACE target support. */
7340 -#include <string.h>
7341 -#include <stdlib.h>
7342 -#include <getopt.h>
7344 -#include <iptables.h>
7345 -#include <linux/netfilter_ipv4/ip_tables.h>
7347 -/* Function which prints out usage message. */
7352 -"TRACE target v%s takes no options\n",
7356 -static struct option opts[] = {
7360 -/* Initialize the target. */
7362 -init(struct ipt_entry_target *t, unsigned int *nfcache)
7366 -/* Function which parses command options; returns true if it
7369 -parse(int c, char **argv, int invert, unsigned int *flags,
7370 - const struct ipt_entry *entry,
7371 - struct ipt_entry_target **target)
7377 -final_check(unsigned int flags)
7382 -struct iptables_target trace
7385 - .version = IPTABLES_VERSION,
7386 - .size = IPT_ALIGN(0),
7387 - .userspacesize = IPT_ALIGN(0),
7391 - .final_check = &final_check,
7392 - .print = NULL, /* print */
7393 - .save = NULL, /* save */
7394 - .extra_opts = opts
7399 - register_target(&trace);
7401 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_TRACE.man iptables-svn/extensions/libipt_TRACE.man
7402 --- iptables-1.3.7/extensions/libipt_TRACE.man 2006-12-04 12:15:19.000000000 +0100
7403 +++ iptables-svn/extensions/libipt_TRACE.man 1970-01-01 01:00:00.000000000 +0100
7405 -This target has no options. It just turns on
7407 -for all packets that match this rule.
7408 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_u32.c iptables-svn/extensions/libipt_u32.c
7409 --- iptables-1.3.7/extensions/libipt_u32.c 2006-12-04 12:15:20.000000000 +0100
7410 +++ iptables-svn/extensions/libipt_u32.c 1970-01-01 01:00:00.000000000 +0100
7412 -/* Shared library add-on to iptables to add u32 matching,
7413 - * generalized matching on values found at packet offsets
7415 - * Detailed doc is in the kernel module source
7416 - * net/ipv4/netfilter/ipt_u32.c
7418 - * (C) 2002 by Don Cohen <don-netf@isis.cs3-inc.com>
7419 - * Released under the terms of GNU GPL v2
7423 -#include <string.h>
7424 -#include <stdlib.h>
7425 -#include <getopt.h>
7426 -#include <iptables.h>
7427 -#include <linux/netfilter_ipv4/ipt_u32.h>
7431 -/* Function which prints out usage message. */
7435 - printf( "u32 v%s options:\n"
7437 - " tests := location = value | tests && location = value\n"
7438 - " value := range | value , range\n"
7439 - " range := number | number : number\n"
7440 - " location := number | location operator number\n"
7441 - " operator := & | << | >> | @\n"
7442 - ,IPTABLES_VERSION);
7445 -/* defined in /usr/include/getopt.h maybe in man getopt */
7446 -static struct option opts[] = {
7447 - { "u32", 1, 0, '1' },
7451 -/* shared printing code */
7452 -static void print_u32(struct ipt_u32 *data)
7454 - unsigned int testind;
7456 - for (testind=0; testind < data->ntests; testind++) {
7457 - if (testind) printf("&&");
7461 - printf("0x%x", data->tests[testind].location[0].number);
7462 - for (i = 1; i < data->tests[testind].nnums; i++) {
7463 - switch (data->tests[testind].location[i].nextop) {
7464 - case IPT_U32_AND: printf("&"); break;
7465 - case IPT_U32_LEFTSH: printf("<<"); break;
7466 - case IPT_U32_RIGHTSH: printf(">>"); break;
7467 - case IPT_U32_AT: printf("@"); break;
7469 - printf("0x%x", data->tests[testind].location[i].number);
7472 - for (i = 0; i < data->tests[testind].nvalues; i++) {
7473 - if (i) printf(",");
7474 - if (data->tests[testind].value[i].min
7475 - == data->tests[testind].value[i].max)
7476 - printf("0x%x", data->tests[testind].value[i].min);
7477 - else printf("0x%x:0x%x", data->tests[testind].value[i].min,
7478 - data->tests[testind].value[i].max);
7485 -/* string_to_number is not quite what we need here ... */
7486 -u_int32_t parse_number(char **s, int pos)
7492 - number = strtoul(*s, &end, 0);
7494 - exit_error(PARAMETER_PROBLEM,
7495 - "u32: at char %d expected number", pos);
7497 - exit_error(PARAMETER_PROBLEM,
7498 - "u32: at char %d error reading number", pos);
7503 -/* Function which parses command options; returns true if it ate an option */
7505 -parse(int c, char **argv, int invert, unsigned int *flags,
7506 - const struct ipt_entry *entry,
7507 - unsigned int *nfcache,
7508 - struct ipt_entry_match **match)
7510 - struct ipt_u32 *data = (struct ipt_u32 *)(*match)->data;
7511 - char *arg = argv[optind-1]; /* the argument string */
7512 - char *start = arg;
7513 - int state=0, testind=0, locind=0, valind=0;
7515 - if (c != '1') return 0;
7516 - /* states: 0 = looking for numbers and operations, 1 = looking for ranges */
7517 - while (1) { /* read next operand/number or range */
7518 - while (isspace(*arg))
7519 - arg++; /* skip white space */
7520 - if (! *arg) { /* end of argument found */
7522 - exit_error(PARAMETER_PROBLEM,
7523 - "u32: input ended in location spec");
7525 - exit_error(PARAMETER_PROBLEM,
7526 - "u32: test ended with no value spec");
7527 - data->tests[testind].nnums = locind;
7528 - data->tests[testind].nvalues = valind;
7530 - data->ntests=testind;
7531 - if (testind > U32MAXSIZE)
7532 - exit_error(PARAMETER_PROBLEM,
7533 - "u32: at char %d too many &&'s",
7536 - print_u32(data);printf("\n");
7537 - exit_error(PARAMETER_PROBLEM, "debugging output done"); */
7541 - /* reading location: read a number if nothing read yet,
7542 - otherwise either op number or = to end location spec */
7543 - if (*arg == '=') {
7545 - exit_error(PARAMETER_PROBLEM,
7546 - "u32: at char %d location spec missing", arg-start);
7553 - if (locind) { /* need op before number */
7554 - if (*arg == '&') {
7555 - data->tests[testind].location[locind].nextop = IPT_U32_AND;
7557 - else if (*arg == '<') {
7560 - exit_error(PARAMETER_PROBLEM,
7561 - "u32: at char %d a second < expected", arg-start);
7562 - data->tests[testind].location[locind].nextop = IPT_U32_LEFTSH;
7564 - else if (*arg == '>') {
7567 - exit_error(PARAMETER_PROBLEM,
7568 - "u32: at char %d a second > expected", arg-start);
7569 - data->tests[testind].location[locind].nextop = IPT_U32_RIGHTSH;
7571 - else if (*arg == '@') {
7572 - data->tests[testind].location[locind].nextop = IPT_U32_AT;
7574 - else exit_error(PARAMETER_PROBLEM,
7575 - "u32: at char %d operator expected", arg-start);
7578 - /* now a number; string_to_number skips white space? */
7579 - data->tests[testind].location[locind].number =
7580 - parse_number(&arg, arg-start);
7582 - if (locind > U32MAXSIZE)
7583 - exit_error(PARAMETER_PROBLEM,
7584 - "u32: at char %d too many operators", arg-start);
7588 - /* state 1 - reading values: read a range if nothing read yet,
7589 - otherwise either ,range or && to end test spec */
7590 - if (*arg == '&') {
7593 - exit_error(PARAMETER_PROBLEM,
7594 - "u32: at char %d a second & expected", arg-start);
7596 - exit_error(PARAMETER_PROBLEM,
7597 - "u32: at char %d value spec missing", arg-start);
7599 - data->tests[testind].nnums = locind;
7600 - data->tests[testind].nvalues = valind;
7602 - if (testind > U32MAXSIZE)
7603 - exit_error(PARAMETER_PROBLEM,
7604 - "u32: at char %d too many &&'s", arg-start);
7605 - arg++; state=0; locind=0; valind=0;
7608 - else { /* read value range */
7609 - if (valind) { /* need , before number */
7611 - exit_error(PARAMETER_PROBLEM,
7612 - "u32: at char %d expected , or &&", arg-start);
7615 - data->tests[testind].value[valind].min = parse_number(&arg, arg-start);
7616 - while (isspace(*arg))
7617 - arg++; /* another place white space could be */
7620 - data->tests[testind].value[valind].max
7621 - = parse_number(&arg, arg-start);
7623 - else data->tests[testind].value[valind].max
7624 - = data->tests[testind].value[valind].min;
7626 - if (valind > U32MAXSIZE)
7627 - exit_error(PARAMETER_PROBLEM,
7628 - "u32: at char %d too many ,'s", arg-start);
7634 -/* Final check; must specify something. */
7636 -final_check(unsigned int flags)
7640 -/* Prints out the matchinfo. */
7642 -print(const struct ipt_ip *ip,
7643 - const struct ipt_entry_match *match,
7647 - print_u32((struct ipt_u32 *)match->data);
7650 -/* Saves the union ipt_matchinfo in parsable form to stdout. */
7651 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
7654 - print_u32((struct ipt_u32 *)match->data);
7657 -struct iptables_match u32 = {
7660 - .version = IPTABLES_VERSION,
7661 - .size = IPT_ALIGN(sizeof(struct ipt_u32)),
7662 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_u32)),
7665 - .final_check = &final_check,
7668 - .extra_opts = opts
7674 - register_match(&u32);
7676 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_u32.man iptables-svn/extensions/libipt_u32.man
7677 --- iptables-1.3.7/extensions/libipt_u32.man 2006-12-04 12:15:19.000000000 +0100
7678 +++ iptables-svn/extensions/libipt_u32.man 1970-01-01 01:00:00.000000000 +0100
7680 -U32 allows you to extract quantities of up to 4 bytes from a packet,
7681 -AND them with specified masks, shift them by specified amounts and
7682 -test whether the results are in any of a set of specified ranges.
7683 -The specification of what to extract is general enough to skip over
7684 -headers with lengths stored in the packet, as in IP or TCP header
7687 -Details and examples are in the kernel module source.
7688 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_udp.man iptables-svn/extensions/libipt_udp.man
7689 --- iptables-1.3.7/extensions/libipt_udp.man 2006-12-04 12:15:19.000000000 +0100
7690 +++ iptables-svn/extensions/libipt_udp.man 2007-05-31 12:46:30.000000000 +0200
7692 -These extensions are loaded if `--protocol udp' is specified. It
7693 +These extensions can be used if `--protocol udp' is specified. It
7694 provides the following options:
7696 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
7697 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_XOR.c iptables-svn/extensions/libipt_XOR.c
7698 --- iptables-1.3.7/extensions/libipt_XOR.c 2006-12-04 12:15:20.000000000 +0100
7699 +++ iptables-svn/extensions/libipt_XOR.c 1970-01-01 01:00:00.000000000 +0100
7701 -/* Shared library add-on to iptables for the XOR target
7702 - * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
7703 - * Based on libipt_TTL.c
7707 - * This program is distributed under the terms of GNU GPL
7711 -#include <string.h>
7712 -#include <stdlib.h>
7713 -#include <getopt.h>
7714 -#include <iptables.h>
7716 -#include <linux/netfilter_ipv4/ip_tables.h>
7717 -#include <linux/netfilter_ipv4/ipt_XOR.h>
7719 -#define IPT_KEY_SET 1
7720 -#define IPT_BLOCKSIZE_SET 2
7722 -static void init(struct ipt_entry_target *t, unsigned int *nfcache)
7726 -static void help(void)
7729 - "XOR target v%s options\n"
7730 - " --key string Set key to \"string\"\n"
7731 - " --block-size Set block size\n",
7732 - IPTABLES_VERSION);
7735 -static int parse(int c, char **argv, int invert, unsigned int *flags,
7736 - const struct ipt_entry *entry,
7737 - struct ipt_entry_target **target)
7739 - struct ipt_XOR_info *info = (struct ipt_XOR_info *) (*target)->data;
7742 - exit_error(PARAMETER_PROBLEM, "XOR: too few arguments");
7744 - if (check_inverse(optarg, &invert, NULL, 0))
7745 - exit_error(PARAMETER_PROBLEM, "XOR: unexpected '!'");
7749 - strncpy(info->key, optarg, 30);
7750 - info->key[29] = '\0';
7751 - *flags |= IPT_KEY_SET;
7754 - info->block_size = atoi(optarg);
7755 - *flags |= IPT_BLOCKSIZE_SET;
7764 -static void final_check(unsigned int flags)
7766 - if (!(flags & IPT_KEY_SET))
7767 - exit_error(PARAMETER_PROBLEM, "XOR: You must specify a key");
7768 - if (!(flags & IPT_BLOCKSIZE_SET))
7769 - exit_error(PARAMETER_PROBLEM, "XOR: You must specify a block-size");
7772 -static void save (const struct ipt_ip *ip,
7773 - const struct ipt_entry_target *target)
7775 - const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
7777 - printf("--key %s ", info->key);
7778 - printf("--block-size %u ", info->block_size);
7781 -static void print (const struct ipt_ip *ip,
7782 - const struct ipt_entry_target *target, int numeric)
7784 - const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
7786 - printf("key: %s ", info->key);
7787 - printf("block-size: %u ", info->block_size);
7790 -static struct option opts[] = {
7791 - { "key", 1, 0, '1' },
7792 - { "block-size", 1, 0, '2' },
7796 -static struct iptables_target XOR = {
7799 - .version = IPTABLES_VERSION,
7800 - .size = IPT_ALIGN(sizeof(struct ipt_XOR_info)),
7801 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_XOR_info)),
7805 - .final_check = &final_check,
7808 - .extra_opts = opts
7813 - register_target(&XOR);
7815 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_XOR.man iptables-svn/extensions/libipt_XOR.man
7816 --- iptables-1.3.7/extensions/libipt_XOR.man 2006-12-04 12:15:19.000000000 +0100
7817 +++ iptables-svn/extensions/libipt_XOR.man 1970-01-01 01:00:00.000000000 +0100
7819 -Encrypt TCP and UDP traffic using a simple XOR encryption
7821 -.BI "--key " "string"
7822 -Set key to "string"
7826 diff -x .svn -Nur iptables-1.3.7/extensions/Makefile iptables-svn/extensions/Makefile
7827 --- iptables-1.3.7/extensions/Makefile 2006-12-04 12:15:19.000000000 +0100
7828 +++ iptables-svn/extensions/Makefile 2007-05-31 12:46:30.000000000 +0200
7830 # header files are present in the include/linux directory of this iptables
7833 -PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
7834 -PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
7835 +PF_EXT_SLIB:=ah addrtype comment connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TTL ULOG
7836 +PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TCPMSS
7838 ifeq ($(DO_SELINUX), 1)
7839 PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
7840 diff -x .svn -Nur iptables-1.3.7/extensions/.mh-test6 iptables-svn/extensions/.mh-test6
7841 --- iptables-1.3.7/extensions/.mh-test6 1970-01-01 01:00:00.000000000 +0100
7842 +++ iptables-svn/extensions/.mh-test6 2007-05-31 12:46:30.000000000 +0200
7845 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_mh.h ] && echo mh
7846 diff -x .svn -Nur iptables-1.3.7/extensions/.mport-test iptables-svn/extensions/.mport-test
7847 --- iptables-1.3.7/extensions/.mport-test 2006-12-04 12:15:20.000000000 +0100
7848 +++ iptables-svn/extensions/.mport-test 1970-01-01 01:00:00.000000000 +0100
7851 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_mport.c ] && echo mport
7852 diff -x .svn -Nur iptables-1.3.7/extensions/.NETLINK-test iptables-svn/extensions/.NETLINK-test
7853 --- iptables-1.3.7/extensions/.NETLINK-test 2006-12-04 12:15:19.000000000 +0100
7854 +++ iptables-svn/extensions/.NETLINK-test 1970-01-01 01:00:00.000000000 +0100
7857 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NETLINK.c ] && echo NETLINK
7858 diff -x .svn -Nur iptables-1.3.7/extensions/.nth-test iptables-svn/extensions/.nth-test
7859 --- iptables-1.3.7/extensions/.nth-test 2006-12-04 12:15:20.000000000 +0100
7860 +++ iptables-svn/extensions/.nth-test 1970-01-01 01:00:00.000000000 +0100
7863 -# True if nth is applied.
7864 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_nth.h ] && echo nth
7865 diff -x .svn -Nur iptables-1.3.7/extensions/.nth-test6 iptables-svn/extensions/.nth-test6
7866 --- iptables-1.3.7/extensions/.nth-test6 2006-12-04 12:15:19.000000000 +0100
7867 +++ iptables-svn/extensions/.nth-test6 1970-01-01 01:00:00.000000000 +0100
7870 -# True if nth is applied.
7871 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_nth.h ] && echo nth
7872 diff -x .svn -Nur iptables-1.3.7/extensions/.osf-test iptables-svn/extensions/.osf-test
7873 --- iptables-1.3.7/extensions/.osf-test 2006-12-04 12:15:19.000000000 +0100
7874 +++ iptables-svn/extensions/.osf-test 1970-01-01 01:00:00.000000000 +0100
7877 -# True if osf is applied.
7878 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_osf.h ] && echo osf
7879 diff -x .svn -Nur iptables-1.3.7/extensions/.psd-test iptables-svn/extensions/.psd-test
7880 --- iptables-1.3.7/extensions/.psd-test 2006-12-04 12:15:20.000000000 +0100
7881 +++ iptables-svn/extensions/.psd-test 1970-01-01 01:00:00.000000000 +0100
7884 -# True if psd is applied.
7885 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_psd.h ] && echo psd
7886 diff -x .svn -Nur iptables-1.3.7/extensions/.random-test iptables-svn/extensions/.random-test
7887 --- iptables-1.3.7/extensions/.random-test 2006-12-04 12:15:20.000000000 +0100
7888 +++ iptables-svn/extensions/.random-test 1970-01-01 01:00:00.000000000 +0100
7891 -# True if random is applied.
7892 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_random.h ] && echo random
7893 diff -x .svn -Nur iptables-1.3.7/extensions/.random-test6 iptables-svn/extensions/.random-test6
7894 --- iptables-1.3.7/extensions/.random-test6 2006-12-04 12:15:20.000000000 +0100
7895 +++ iptables-svn/extensions/.random-test6 1970-01-01 01:00:00.000000000 +0100
7898 -# True if random is applied.
7899 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_random.h ] && echo random
7900 diff -x .svn -Nur iptables-1.3.7/extensions/.record-rpc-test iptables-svn/extensions/.record-rpc-test
7901 --- iptables-1.3.7/extensions/.record-rpc-test 2006-12-04 12:15:19.000000000 +0100
7902 +++ iptables-svn/extensions/.record-rpc-test 1970-01-01 01:00:00.000000000 +0100
7905 -# True if record rpc is applied.
7906 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_record_rpc.c ] && echo record_rpc
7907 diff -x .svn -Nur iptables-1.3.7/extensions/.ROUTE-test iptables-svn/extensions/.ROUTE-test
7908 --- iptables-1.3.7/extensions/.ROUTE-test 2006-12-04 12:15:19.000000000 +0100
7909 +++ iptables-svn/extensions/.ROUTE-test 1970-01-01 01:00:00.000000000 +0100
7912 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_ROUTE.c ] && echo ROUTE
7913 diff -x .svn -Nur iptables-1.3.7/extensions/.ROUTE-test6 iptables-svn/extensions/.ROUTE-test6
7914 --- iptables-1.3.7/extensions/.ROUTE-test6 2006-12-04 12:15:19.000000000 +0100
7915 +++ iptables-svn/extensions/.ROUTE-test6 1970-01-01 01:00:00.000000000 +0100
7918 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ROUTE.h ] && echo ROUTE
7919 diff -x .svn -Nur iptables-1.3.7/extensions/.TCPLAG-test iptables-svn/extensions/.TCPLAG-test
7920 --- iptables-1.3.7/extensions/.TCPLAG-test 2006-12-04 12:15:19.000000000 +0100
7921 +++ iptables-svn/extensions/.TCPLAG-test 1970-01-01 01:00:00.000000000 +0100
7924 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_TCPLAG.c ] && echo TCPLAG
7925 diff -x .svn -Nur iptables-1.3.7/extensions/.time-test iptables-svn/extensions/.time-test
7926 --- iptables-1.3.7/extensions/.time-test 2006-12-04 12:15:20.000000000 +0100
7927 +++ iptables-svn/extensions/.time-test 1970-01-01 01:00:00.000000000 +0100
7930 -# True if time is applied.
7931 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_time.h ] && echo time
7932 diff -x .svn -Nur iptables-1.3.7/extensions/.u32-test iptables-svn/extensions/.u32-test
7933 --- iptables-1.3.7/extensions/.u32-test 2006-12-04 12:15:19.000000000 +0100
7934 +++ iptables-svn/extensions/.u32-test 1970-01-01 01:00:00.000000000 +0100
7937 -# True if u32 is applied.
7938 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_u32.h ] && echo u32
7939 diff -x .svn -Nur iptables-1.3.7/extensions/.XOR-test iptables-svn/extensions/.XOR-test
7940 --- iptables-1.3.7/extensions/.XOR-test 2006-12-04 12:15:19.000000000 +0100
7941 +++ iptables-svn/extensions/.XOR-test 1970-01-01 01:00:00.000000000 +0100
7944 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_XOR.c ] && echo XOR
7945 diff -x .svn -Nur iptables-1.3.7/include/ip6tables.h iptables-svn/include/ip6tables.h
7946 --- iptables-1.3.7/include/ip6tables.h 2006-12-04 12:15:16.000000000 +0100
7947 +++ iptables-svn/include/ip6tables.h 2007-05-31 12:46:27.000000000 +0200
7949 #ifndef IPPROTO_DCCP
7950 #define IPPROTO_DCCP 33
7952 +#ifndef IPPROTO_UDPLITE
7953 +#define IPPROTO_UDPLITE 136
7956 #ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */
7957 #define IP6T_SO_GET_REVISION_MATCH 68
7959 extern int for_each_chain(int (*fn)(const ip6t_chainlabel, int, ip6tc_handle_t *), int verbose, int builtinstoo, ip6tc_handle_t *handle);
7960 extern int flush_entries(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle);
7961 extern int delete_chain(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle);
7962 -extern int ip6tables_insmod(const char *modname, const char *modprobe);
7963 -extern int load_ip6tables_ko(const char *modprobe);
7965 +ip6tables_insmod(const char *modname, const char *modprobe, int quiet);
7966 +extern int load_ip6tables_ko(const char *modprobe, int quiet);
7968 #endif /*_IP6TABLES_USER_H*/
7969 diff -x .svn -Nur iptables-1.3.7/include/iptables_common.h iptables-svn/include/iptables_common.h
7970 --- iptables-1.3.7/include/iptables_common.h 2006-12-04 12:15:16.000000000 +0100
7971 +++ iptables-svn/include/iptables_common.h 2007-05-31 12:46:27.000000000 +0200
7973 unsigned long long int,
7974 unsigned long long int,
7975 unsigned long long *);
7976 -extern int iptables_insmod(const char *modname, const char *modprobe);
7977 -extern int load_iptables_ko(const char *modprobe);
7979 +iptables_insmod(const char *modname, const char *modprobe, int quiet);
7980 +extern int load_iptables_ko(const char *modprobe, int quiet);
7981 void exit_error(enum exittype, char *, ...)__attribute__((noreturn,
7982 format(printf,2,3)));
7983 extern const char *program_name, *program_version;
7984 diff -x .svn -Nur iptables-1.3.7/include/iptables.h iptables-svn/include/iptables.h
7985 --- iptables-1.3.7/include/iptables.h 2006-12-04 12:15:16.000000000 +0100
7986 +++ iptables-svn/include/iptables.h 2007-05-31 12:46:27.000000000 +0200
7988 #ifndef IPPROTO_DCCP
7989 #define IPPROTO_DCCP 33
7991 +#ifndef IPPROTO_UDPLITE
7992 +#define IPPROTO_UDPLITE 136
7995 #ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
7996 #define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
7997 diff -x .svn -Nur iptables-1.3.7/include/linux/netfilter/nf_conntrack_common.h iptables-svn/include/linux/netfilter/nf_conntrack_common.h
7998 --- iptables-1.3.7/include/linux/netfilter/nf_conntrack_common.h 1970-01-01 01:00:00.000000000 +0100
7999 +++ iptables-svn/include/linux/netfilter/nf_conntrack_common.h 2007-05-31 12:46:26.000000000 +0200
8001 +#ifndef _NF_CONNTRACK_COMMON_H
8002 +#define _NF_CONNTRACK_COMMON_H
8003 +/* Connection state tracking for netfilter. This is separated from,
8004 + but required by, the NAT layer; it can also be used by an iptables
8006 +enum ip_conntrack_info
8008 + /* Part of an established connection (either direction). */
8009 + IP_CT_ESTABLISHED,
8011 + /* Like NEW, but related to an existing connection, or ICMP error
8012 + (in either direction). */
8015 + /* Started a new connection to track (only
8016 + IP_CT_DIR_ORIGINAL); may be a retransmission. */
8019 + /* >= this indicates reply direction */
8022 + /* Number of distinct IP_CT types (no NEW in reply dirn). */
8023 + IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
8026 +/* Bitset representing status of connection. */
8027 +enum ip_conntrack_status {
8028 + /* It's an expected connection: bit 0 set. This bit never changed */
8029 + IPS_EXPECTED_BIT = 0,
8030 + IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
8032 + /* We've seen packets both ways: bit 1 set. Can be set, not unset. */
8033 + IPS_SEEN_REPLY_BIT = 1,
8034 + IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
8036 + /* Conntrack should never be early-expired. */
8037 + IPS_ASSURED_BIT = 2,
8038 + IPS_ASSURED = (1 << IPS_ASSURED_BIT),
8040 + /* Connection is confirmed: originating packet has left box */
8041 + IPS_CONFIRMED_BIT = 3,
8042 + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
8044 + /* Connection needs src nat in orig dir. This bit never changed. */
8045 + IPS_SRC_NAT_BIT = 4,
8046 + IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
8048 + /* Connection needs dst nat in orig dir. This bit never changed. */
8049 + IPS_DST_NAT_BIT = 5,
8050 + IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
8052 + /* Both together. */
8053 + IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
8055 + /* Connection needs TCP sequence adjusted. */
8056 + IPS_SEQ_ADJUST_BIT = 6,
8057 + IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
8059 + /* NAT initialization bits. */
8060 + IPS_SRC_NAT_DONE_BIT = 7,
8061 + IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
8063 + IPS_DST_NAT_DONE_BIT = 8,
8064 + IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
8066 + /* Both together */
8067 + IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
8069 + /* Connection is dying (removed from lists), can not be unset. */
8070 + IPS_DYING_BIT = 9,
8071 + IPS_DYING = (1 << IPS_DYING_BIT),
8073 + /* Connection has fixed timeout. */
8074 + IPS_FIXED_TIMEOUT_BIT = 10,
8075 + IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
8078 +/* Connection tracking event bits */
8079 +enum ip_conntrack_events
8081 + /* New conntrack */
8083 + IPCT_NEW = (1 << IPCT_NEW_BIT),
8085 + /* Expected connection */
8086 + IPCT_RELATED_BIT = 1,
8087 + IPCT_RELATED = (1 << IPCT_RELATED_BIT),
8089 + /* Destroyed conntrack */
8090 + IPCT_DESTROY_BIT = 2,
8091 + IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
8093 + /* Timer has been refreshed */
8094 + IPCT_REFRESH_BIT = 3,
8095 + IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
8097 + /* Status has changed */
8098 + IPCT_STATUS_BIT = 4,
8099 + IPCT_STATUS = (1 << IPCT_STATUS_BIT),
8101 + /* Update of protocol info */
8102 + IPCT_PROTOINFO_BIT = 5,
8103 + IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
8105 + /* Volatile protocol info */
8106 + IPCT_PROTOINFO_VOLATILE_BIT = 6,
8107 + IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
8109 + /* New helper for conntrack */
8110 + IPCT_HELPER_BIT = 7,
8111 + IPCT_HELPER = (1 << IPCT_HELPER_BIT),
8113 + /* Update of helper info */
8114 + IPCT_HELPINFO_BIT = 8,
8115 + IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
8117 + /* Volatile helper info */
8118 + IPCT_HELPINFO_VOLATILE_BIT = 9,
8119 + IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
8122 + IPCT_NATINFO_BIT = 10,
8123 + IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
8125 + /* Counter highest bit has been set */
8126 + IPCT_COUNTER_FILLING_BIT = 11,
8127 + IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
8130 +enum ip_conntrack_expect_events {
8131 + IPEXP_NEW_BIT = 0,
8132 + IPEXP_NEW = (1 << IPEXP_NEW_BIT),
8135 +#endif /* _NF_CONNTRACK_COMMON_H */
8136 diff -x .svn -Nur iptables-1.3.7/include/linux/netfilter/nf_conntrack_tuple_common.h iptables-svn/include/linux/netfilter/nf_conntrack_tuple_common.h
8137 --- iptables-1.3.7/include/linux/netfilter/nf_conntrack_tuple_common.h 1970-01-01 01:00:00.000000000 +0100
8138 +++ iptables-svn/include/linux/netfilter/nf_conntrack_tuple_common.h 2007-05-31 12:46:26.000000000 +0200
8140 +#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
8141 +#define _NF_CONNTRACK_TUPLE_COMMON_H
8143 +enum ip_conntrack_dir
8145 + IP_CT_DIR_ORIGINAL,
8150 +#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
8152 +#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
8153 diff -x .svn -Nur iptables-1.3.7/include/linux/netfilter/nf_conntrack_tuple.h iptables-svn/include/linux/netfilter/nf_conntrack_tuple.h
8154 --- iptables-1.3.7/include/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100
8155 +++ iptables-svn/include/linux/netfilter/nf_conntrack_tuple.h 2007-05-31 12:46:26.000000000 +0200
8158 + * Definitions and Declarations for tuple.
8160 + * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
8161 + * - generalize L3 protocol dependent part.
8163 + * Derived from include/linux/netfiter_ipv4/ip_conntrack_tuple.h
8166 +#ifndef _NF_CONNTRACK_TUPLE_H
8167 +#define _NF_CONNTRACK_TUPLE_H
8169 +#include <linux/netfilter/nf_conntrack_tuple_common.h>
8171 +/* A `tuple' is a structure containing the information to uniquely
8172 + identify a connection. ie. if two packets have the same tuple, they
8173 + are in the same connection; if not, they are not.
8175 + We divide the structure along "manipulatable" and
8176 + "non-manipulatable" lines, for the benefit of the NAT code.
8179 +#define NF_CT_TUPLE_L3SIZE 4
8181 +/* The l3 protocol-specific manipulable parts of the tuple: always in
8183 +union nf_conntrack_address {
8184 + u_int32_t all[NF_CT_TUPLE_L3SIZE];
8189 +/* The protocol-specific manipulable parts of the tuple: always in
8191 +union nf_conntrack_man_proto
8193 + /* Add other protocols here. */
8209 + __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
8213 +/* The manipulable part of the tuple. */
8214 +struct nf_conntrack_man
8216 + union nf_conntrack_address u3;
8217 + union nf_conntrack_man_proto u;
8218 + /* Layer 3 protocol */
8222 +/* This contains the information to distinguish a connection. */
8223 +struct nf_conntrack_tuple
8225 + struct nf_conntrack_man src;
8227 + /* These are the parts of the tuple which are fixed. */
8229 + union nf_conntrack_address u3;
8231 + /* Add other protocols here. */
8241 + u_int8_t type, code;
8251 + /* The protocol. */
8252 + u_int8_t protonum;
8254 + /* The direction (for tuplehash) */
8259 +#endif /* _NF_CONNTRACK_TUPLE_H */
8260 diff -x .svn -Nur iptables-1.3.7/include/linux/netfilter/nf_nat.h iptables-svn/include/linux/netfilter/nf_nat.h
8261 --- iptables-1.3.7/include/linux/netfilter/nf_nat.h 1970-01-01 01:00:00.000000000 +0100
8262 +++ iptables-svn/include/linux/netfilter/nf_nat.h 2007-05-31 12:46:26.000000000 +0200
8266 +#include <linux/netfilter_ipv4.h>
8267 +#include <linux/netfilter/nf_conntrack_tuple.h>
8269 +#define NF_NAT_MAPPING_TYPE_MAX_NAMELEN 16
8271 +enum nf_nat_manip_type
8277 +/* SRC manip occurs POST_ROUTING or LOCAL_IN */
8278 +#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
8280 +#define IP_NAT_RANGE_MAP_IPS 1
8281 +#define IP_NAT_RANGE_PROTO_SPECIFIED 2
8282 +#define IP_NAT_RANGE_PROTO_RANDOM 4
8284 +/* Single range specification. */
8285 +struct nf_nat_range
8287 + /* Set to OR of flags above. */
8288 + unsigned int flags;
8290 + /* Inclusive: network order. */
8291 + __be32 min_ip, max_ip;
8293 + /* Inclusive: network order */
8294 + union nf_conntrack_man_proto min, max;
8297 +/* For backwards compat: don't use in modern code. */
8298 +struct nf_nat_multi_range_compat
8300 + unsigned int rangesize; /* Must be 1. */
8302 + /* hangs off end. */
8303 + struct nf_nat_range range[1];
8306 +#define ip_nat_range nf_nat_range
8307 +#define ip_nat_multi_range nf_nat_multi_range_compat
8309 diff -x .svn -Nur iptables-1.3.7/include/linux/netfilter_ipv4/ipt_conntrack.h iptables-svn/include/linux/netfilter_ipv4/ipt_conntrack.h
8310 --- iptables-1.3.7/include/linux/netfilter_ipv4/ipt_conntrack.h 2006-12-04 12:15:16.000000000 +0100
8311 +++ iptables-svn/include/linux/netfilter_ipv4/ipt_conntrack.h 2007-05-31 12:46:26.000000000 +0200
8313 #ifndef _IPT_CONNTRACK_H
8314 #define _IPT_CONNTRACK_H
8316 -#include <linux/netfilter_ipv4/ip_conntrack.h>
8317 +#include <linux/netfilter/nf_conntrack_common.h>
8319 /* backwards compatibility crap. only exists in userspace - HW */
8320 #include <linux/version.h>
8321 diff -x .svn -Nur iptables-1.3.7/include/linux/netfilter_ipv6/ip6t_TCPMSS.h iptables-svn/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
8322 --- iptables-1.3.7/include/linux/netfilter_ipv6/ip6t_TCPMSS.h 1970-01-01 01:00:00.000000000 +0100
8323 +++ iptables-svn/include/linux/netfilter_ipv6/ip6t_TCPMSS.h 2007-05-31 12:46:26.000000000 +0200
8325 +#ifndef _IP6T_TCPMSS_H
8326 +#define _IP6T_TCPMSS_H
8328 +struct ip6t_tcpmss_info {
8332 +#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
8334 +#endif /*_IP6T_TCPMSS_H*/
8335 diff -x .svn -Nur iptables-1.3.7/ip6tables.8.in iptables-svn/ip6tables.8.in
8336 --- iptables-1.3.7/ip6tables.8.in 2006-12-04 12:15:20.000000000 +0100
8337 +++ iptables-svn/ip6tables.8.in 2007-05-31 12:46:31.000000000 +0200
8340 Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, aswell as TTL match+target and libipulog.
8342 -The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
8343 -James Morris, Harald Welte and Rusty Russell.
8344 +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
8345 +Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
8346 +Harald Welte and Rusty Russell.
8348 ip6tables man page created by Andras Kis-Szabo, based on
8349 iptables man page written by Herve Eychenne <rv@wallfire.org>.
8350 diff -x .svn -Nur iptables-1.3.7/ip6tables.c iptables-svn/ip6tables.c
8351 --- iptables-1.3.7/ip6tables.c 2006-12-04 12:15:20.000000000 +0100
8352 +++ iptables-svn/ip6tables.c 2007-05-31 12:46:31.000000000 +0200
8353 @@ -219,14 +219,21 @@
8354 #define IPPROTO_AH 51
8358 +#define IPPROTO_MH 135
8361 static const struct pprot chain_protos[] = {
8362 { "tcp", IPPROTO_TCP },
8363 { "udp", IPPROTO_UDP },
8364 + { "udplite", IPPROTO_UDPLITE },
8365 { "icmpv6", IPPROTO_ICMPV6 },
8366 { "ipv6-icmp", IPPROTO_ICMPV6 },
8367 { "esp", IPPROTO_ESP },
8368 { "ah", IPPROTO_AH },
8369 + { "ipv6-mh", IPPROTO_MH },
8370 + { "mh", IPPROTO_MH },
8375 @@ -1120,7 +1127,7 @@
8376 strcpy(rev.name, name);
8377 rev.revision = revision;
8379 - load_ip6tables_ko(modprobe);
8380 + load_ip6tables_ko(modprobe, 1);
8382 max_rev = getsockopt(sockfd, IPPROTO_IPV6, opt, &rev, &s);
8384 @@ -1745,10 +1752,10 @@
8388 -int ip6tables_insmod(const char *modname, const char *modprobe)
8389 +int ip6tables_insmod(const char *modname, const char *modprobe, int quiet)
8396 /* If they don't explicitly set it, read out of kernel */
8397 @@ -1763,7 +1770,13 @@
8399 argv[0] = (char *)modprobe;
8400 argv[1] = (char *)modname;
8409 execv(argv[0], argv);
8411 /* not usually reached */
8412 @@ -1781,14 +1794,14 @@
8416 -int load_ip6tables_ko(const char *modprobe)
8417 +int load_ip6tables_ko(const char *modprobe, int quiet)
8419 static int loaded = 0;
8420 static int ret = -1;
8423 - ret = ip6tables_insmod("ip6_tables", modprobe);
8425 + ret = ip6tables_insmod("ip6_tables", modprobe, quiet);
8426 + loaded = (ret == 0);
8430 @@ -2349,7 +2362,7 @@
8431 *handle = ip6tc_init(*table);
8433 /* try to insmod the module if iptc_init failed */
8434 - if (!*handle && load_ip6tables_ko(modprobe) != -1)
8435 + if (!*handle && load_ip6tables_ko(modprobe, 0) != -1)
8436 *handle = ip6tc_init(*table);
8439 diff -x .svn -Nur iptables-1.3.7/ip6tables-restore.c iptables-svn/ip6tables-restore.c
8440 --- iptables-1.3.7/ip6tables-restore.c 2006-12-04 12:15:20.000000000 +0100
8441 +++ iptables-svn/ip6tables-restore.c 2007-05-31 12:46:31.000000000 +0200
8443 * Rusty Russell <rusty@linuxcare.com.au>
8444 * This code is distributed under the terms of GNU GPL v2
8446 - * $Id: ip6tables-restore.c 6460 2006-02-09 14:35:38Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org $
8447 + * $Id: ip6tables-restore.c 6828 2007-05-10 15:00:39Z /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net $
8454 /* try to insmod the module if iptc_init failed */
8455 - ip6tables_insmod("ip6_tables", modprobe);
8456 + ip6tables_insmod("ip6_tables", modprobe, 0);
8457 handle = ip6tc_init(tablename);
8461 - exit_error(PARAMETER_PROBLEM, "%s: unable to initialize"
8462 + exit_error(PARAMETER_PROBLEM, "%s: unable to initialize "
8463 "table '%s'\n", program_name, tablename);
8469 -int parse_counters(char *string, struct ip6t_counters *ctr)
8470 +static int parse_counters(char *string, struct ip6t_counters *ctr)
8472 return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
8474 @@ -154,13 +154,13 @@
8475 if (optind == argc - 1) {
8476 in = fopen(argv[optind], "r");
8478 - fprintf(stderr, "Can't open %s: %s", argv[optind],
8479 + fprintf(stderr, "Can't open %s: %s\n", argv[optind],
8484 else if (optind < argc) {
8485 - fprintf(stderr, "Unknown arguments found on commandline");
8486 + fprintf(stderr, "Unknown arguments found on commandline\n");
8490 diff -x .svn -Nur iptables-1.3.7/ip6tables-save.c iptables-svn/ip6tables-save.c
8491 --- iptables-1.3.7/ip6tables-save.c 2006-12-04 12:15:20.000000000 +0100
8492 +++ iptables-svn/ip6tables-save.c 2007-05-31 12:46:31.000000000 +0200
8496 if (optind < argc) {
8497 - fprintf(stderr, "Unknown arguments found on commandline");
8498 + fprintf(stderr, "Unknown arguments found on commandline\n");
8502 diff -x .svn -Nur iptables-1.3.7/iptables.8.in iptables-svn/iptables.8.in
8503 --- iptables-1.3.7/iptables.8.in 2006-12-04 12:15:20.000000000 +0100
8504 +++ iptables-svn/iptables.8.in 2007-05-31 12:46:31.000000000 +0200
8507 Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as the TTL, DSCP, ECN matches and targets.
8509 -The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Jozsef Kadlecsik,
8510 -Patrick McHardy, James Morris, Harald Welte and Rusty Russell.
8511 +The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
8512 +Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
8513 +Harald Welte and Rusty Russell.
8515 Man page originally written by Herve Eychenne <rv@wallfire.org>.
8516 .\" .. and did I mention that we are incredibly cool people?
8517 diff -x .svn -Nur iptables-1.3.7/iptables.c iptables-svn/iptables.c
8518 --- iptables-1.3.7/iptables.c 2006-12-04 12:15:20.000000000 +0100
8519 +++ iptables-svn/iptables.c 2007-05-31 12:46:31.000000000 +0200
8520 @@ -227,10 +227,12 @@
8521 static const struct pprot chain_protos[] = {
8522 { "tcp", IPPROTO_TCP },
8523 { "udp", IPPROTO_UDP },
8524 + { "udplite", IPPROTO_UDPLITE },
8525 { "icmp", IPPROTO_ICMP },
8526 { "esp", IPPROTO_ESP },
8527 { "ah", IPPROTO_AH },
8528 { "sctp", IPPROTO_SCTP },
8533 @@ -1148,7 +1150,7 @@
8537 - load_iptables_ko(modprobe);
8538 + load_iptables_ko(modprobe, 1);
8540 strcpy(rev.name, name);
8541 rev.revision = revision;
8542 @@ -1812,10 +1814,10 @@
8546 -int iptables_insmod(const char *modname, const char *modprobe)
8547 +int iptables_insmod(const char *modname, const char *modprobe, int quiet)
8554 /* If they don't explicitly set it, read out of kernel */
8555 @@ -1830,7 +1832,13 @@
8557 argv[0] = (char *)modprobe;
8558 argv[1] = (char *)modname;
8567 execv(argv[0], argv);
8569 /* not usually reached */
8570 @@ -1848,14 +1856,14 @@
8574 -int load_iptables_ko(const char *modprobe)
8575 +int load_iptables_ko(const char *modprobe, int quiet)
8577 static int loaded = 0;
8578 static int ret = -1;
8581 - ret = iptables_insmod("ip_tables", NULL);
8583 + ret = iptables_insmod("ip_tables", modprobe, quiet);
8584 + loaded = (ret == 0);
8588 @@ -2441,7 +2449,7 @@
8589 *handle = iptc_init(*table);
8591 /* try to insmod the module if iptc_init failed */
8592 - if (!*handle && load_iptables_ko(modprobe) != -1)
8593 + if (!*handle && load_iptables_ko(modprobe, 0) != -1)
8594 *handle = iptc_init(*table);
8597 diff -x .svn -Nur iptables-1.3.7/iptables-multi.c iptables-svn/iptables-multi.c
8598 --- iptables-1.3.7/iptables-multi.c 2006-12-04 12:15:20.000000000 +0100
8599 +++ iptables-svn/iptables-multi.c 2007-05-31 12:46:31.000000000 +0200
8601 int iptables_main(int argc, char **argv);
8602 int iptables_save_main(int argc, char **argv);
8603 int iptables_restore_main(int argc, char **argv);
8604 +int iptables_xml_main(int argc, char **argv);
8606 int main(int argc, char **argv) {
8609 if (!strcmp(progname, "iptables-restore"))
8610 return iptables_restore_main(argc, argv);
8612 + if (!strcmp(progname, "iptables-xml"))
8613 + return iptables_xml_main(argc, argv);
8615 fprintf(stderr, "iptables multi-purpose version: unknown applet name %s\n", progname);
8618 diff -x .svn -Nur iptables-1.3.7/iptables-restore.c iptables-svn/iptables-restore.c
8619 --- iptables-1.3.7/iptables-restore.c 2006-12-04 12:15:20.000000000 +0100
8620 +++ iptables-svn/iptables-restore.c 2007-05-31 12:46:31.000000000 +0200
8623 * This code is distributed under the terms of GNU GPL v2
8625 - * $Id: iptables-restore.c 6460 2006-02-09 14:35:38Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org $
8626 + * $Id: iptables-restore.c 6828 2007-05-10 15:00:39Z /C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net $
8633 /* try to insmod the module if iptc_init failed */
8634 - iptables_insmod("ip_tables", modprobe);
8635 + iptables_insmod("ip_tables", modprobe, 0);
8636 handle = iptc_init(tablename);
8640 - exit_error(PARAMETER_PROBLEM, "%s: unable to initialize"
8641 + exit_error(PARAMETER_PROBLEM, "%s: unable to initialize "
8642 "table '%s'\n", program_name, tablename);
8648 -int parse_counters(char *string, struct ipt_counters *ctr)
8649 +static int parse_counters(char *string, struct ipt_counters *ctr)
8651 return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
8653 @@ -157,13 +157,13 @@
8654 if (optind == argc - 1) {
8655 in = fopen(argv[optind], "r");
8657 - fprintf(stderr, "Can't open %s: %s", argv[optind],
8658 + fprintf(stderr, "Can't open %s: %s\n", argv[optind],
8663 else if (optind < argc) {
8664 - fprintf(stderr, "Unknown arguments found on commandline");
8665 + fprintf(stderr, "Unknown arguments found on commandline\n");
8673 - char *param_start, *curchar;
8678 /* reset the newargv */
8680 @@ -349,9 +350,11 @@
8681 * longer a real hacker, but I can live with that */
8684 - param_start = parsestart;
8687 for (curchar = parsestart; *curchar; curchar++) {
8688 + char param_buffer[1024];
8690 if (*curchar == '"') {
8691 /* quote_open cannot be true if there
8692 * was no previous character. Thus,
8693 @@ -360,30 +363,27 @@
8694 *(curchar-1) != '\\') {
8698 + } else if (!quote_open) {
8706 || * curchar == '\n') {
8707 - char param_buffer[1024];
8708 - int param_len = curchar-param_start;
8712 + param_buffer[param_len++] =
8723 - /* end of one parameter */
8724 - strncpy(param_buffer, param_start,
8726 - *(param_buffer+param_len) = '\0';
8728 + param_buffer[param_len] = '\0';
8730 /* check if table name specified */
8731 if (!strncmp(param_buffer, "-t", 3)
8732 @@ -395,9 +395,26 @@
8735 add_argv(param_buffer);
8736 - param_start += param_len + 1;
8739 - /* regular character, skip */
8740 + /* Skip backslash that escapes quote:
8741 + * the standard input does not require
8742 + * escaping. However, the output
8743 + * generated by iptables-save
8744 + * introduces bashlash to keep
8745 + * consistent with iptables
8748 + *curchar == '\\' &&
8749 + *(curchar+1) == '"')
8752 + /* regular character, copy to buffer */
8753 + param_buffer[param_len++] = *curchar;
8755 + if (param_len >= sizeof(param_buffer))
8756 + exit_error(PARAMETER_PROBLEM,
8757 + "Parameter too long!");
8761 diff -x .svn -Nur iptables-1.3.7/iptables-save.c iptables-svn/iptables-save.c
8762 --- iptables-1.3.7/iptables-save.c 2006-12-04 12:15:20.000000000 +0100
8763 +++ iptables-svn/iptables-save.c 2007-05-31 12:46:31.000000000 +0200
8767 if (optind < argc) {
8768 - fprintf(stderr, "Unknown arguments found on commandline");
8769 + fprintf(stderr, "Unknown arguments found on commandline\n");
8773 diff -x .svn -Nur iptables-1.3.7/iptables-xml.c iptables-svn/iptables-xml.c
8774 --- iptables-1.3.7/iptables-xml.c 2006-12-04 12:15:20.000000000 +0100
8775 +++ iptables-svn/iptables-xml.c 2007-05-31 12:46:31.000000000 +0200
8777 /* no need to link with iptables.o */
8778 const char *program_name;
8779 const char *program_version;
8783 -exit_error(enum exittype status, char *msg, ...)
8784 +#ifndef IPTABLES_MULTI
8786 +void exit_error(enum exittype status, char *msg, ...)
8791 /* On error paths, make sure that we don't leak memory */
8796 static void print_usage(const char *name, const char *version)
8797 __attribute__ ((noreturn));
8804 parse_counters(char *string, struct ipt_counters *ctr)
8809 #ifdef IPTABLES_MULTI
8811 -iptables_restore_main(int argc, char *argv[])
8812 +iptables_xml_main(int argc, char *argv[])
8815 main(int argc, char *argv[])
8816 diff -x .svn -Nur iptables-1.3.7/Makefile iptables-svn/Makefile
8817 --- iptables-1.3.7/Makefile 2006-12-04 12:16:01.000000000 +0100
8818 +++ iptables-svn/Makefile 2007-05-31 12:46:31.000000000 +0200
8820 # Generic test if arch wasn't found above
8821 ifneq ($(POINTERTEST),1)
8822 # Try to determine if kernel is 64bit and we are compiling for 32bit
8823 - ifeq ($(shell [ -a $(KERNEL_DIR)/include/asm ] && echo YES), YES)
8824 + ifeq ($(shell [ -d $(KERNEL_DIR)/include/asm ] && echo YES), YES)
8825 64bitkernel := $(shell echo -e "\#include <asm/types.h>\n\#if BITS_PER_LONG == 64\nkernel_is_64bits\n\#endif" | $(CC) $(CFLAGS) -D__KERNEL__ -E - | grep kernel_is_64bits)
8827 32bituser := $(shell echo -e "\#include <stdio.h>\n\#if !defined(__arch64__) && !defined(_LP64)\nuserspace_is_32bit\n\#endif" | $(CC) $(CFLAGS) -E - | grep userspace_is_32bit)
8832 -LDLIBS = -ldl -lnsl
8834 ifeq ($(DO_SELINUX), 1)
8838 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
8840 ifeq ($(DO_MULTI), 1)
8841 -$(DESTDIR)$(BINDIR)/iptables-xml: iptables-xml
8842 +$(DESTDIR)$(BINDIR)/iptables-xml: iptables
8843 @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
8847 # -g -pg -DIPTC_DEBUG
8850 - @if echo $(CFLAGS) | egrep -e '-g|-pg|IPTC_DEBUG' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
8851 + @if echo $(CFLAGS) | egrep -e '(^|[[:space:]])(-g|-pg|-DIPTC_DEBUG)([[:space:]]|$)' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
8853 .PHONY: nowhitespace
projects / openwrt.git / blob