Hello community, here is the log from the commit of package iptables.1143 for openSUSE:12.2:Update checked in at 2012-12-06 16:17:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/iptables.1143 (Old) and /work/SRC/openSUSE:12.2:Update/.iptables.1143.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iptables.1143", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-11-30 12:21:47.308011256 +0100 +++ /work/SRC/openSUSE:12.2:Update/.iptables.1143.new/iptables.changes 2012-12-06 16:17:25.000000000 +0100 
@@ -0,0 +1,682 @@ +------------------------------------------------------------------- +Tue Nov 27 14:52:12 UTC 2012 - [email protected] + +- Update iptables in openSUSE:12.2 (bnc#791300) to 1.4.16.3; this + resolves, among other things, http://bugs.debian.org/678499 + (gcc 4.7 exposed undefined behavior, causing --log-prefix to not + be correctly retained). + +------------------------------------------------------------------- +Wed Nov 14 13:16:30 UTC 2012 - [email protected] + +- run autogen.sh as Makefile.am was patched to compile iptables-batch + (bnc#785240) + +------------------------------------------------------------------- +Sat May 26 19:35:38 UTC 2012 - [email protected] + +- Update to new upstream release 1.4.14 +* Support for the new cttimeout infrastructure. This allows you to + attach specific timeout policies to flow via iptables CT target. + +------------------------------------------------------------------- +Tue Mar 27 13:29:31 UTC 2012 - [email protected] + +- Update to new upstream release 1.4.13 +* Add the rpfilter, nfacct and IPv6 ECN extensions + +------------------------------------------------------------------- +Mon Jan 2 21:30:38 UTC 2012 - [email protected] + +- Update to newer git snapshot (v1.4.12.2-28-g2117f2b, + but master branch), tag locally as 1.4.12.90. 
+* ships missing pkgconfig files, compile fix for libnfnetlink +* libxt_NFQUEUE: fix --queue-bypass ipt-save output +* libxt_connbytes: fix handling of --connbytes FROM +* libxt_recent: Add support for --reap option +- split iptables-devel into libiptc-devel and libxtables-devel + +------------------------------------------------------------------- +Wed Dec 28 09:50:23 UTC 2011 - [email protected] + +- iptables-apply-mktemp-fix.patch (bnc#730161) + +------------------------------------------------------------------- +Wed Nov 30 14:28:11 UTC 2011 - [email protected] + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Tue Oct 4 23:01:57 UTC 2011 - [email protected] + +- Update to a newer git snapshot of the stable branch + (to v1.4.12.1-16-gd2b0eaa) +* resolve failure to load extensions that depend on libm.so +- rediff of iptables-batch due to fuzz +- relax runtime requires + +------------------------------------------------------------------- +Thu Sep 1 17:09:05 UTC 2011 - [email protected] + +- Update to new upstream release 1.4.12.1 +* regression fixes for the new (stricter) command-line parser +- restore --includedir= in spec file +- Put libxtables into its own subpackage so that one does not need + a lockstep update of iproute2 on a new iptables package +- Remove redundant fields (Autoreqprov defaults to on, License is + inherited from main package) + +------------------------------------------------------------------- +Sat Aug 13 01:39:38 CEST 2011 - [email protected] + +- include path is /usr/include + +------------------------------------------------------------------- +Mon Aug 8 00:42:53 UTC 2011 - [email protected] + +- Put include files into a separate directory to flag up missing + CFLAGS. libipq.pc will now be provided. +- Enable build of nfnl_osf, a tool to upload OS fingerprints to + the kernel for use with xt_osf. 
+ +------------------------------------------------------------------- +Fri Jul 22 13:12:50 UTC 2011 - [email protected] + +- Update to new upstream release 1.4.12 +* Include lost match/target descriptions in manpage again +* libxt_LOG: fix ignorance of all but the last flag +* libxt_HL: restore hl-* option names +* libxt_hashlimit: use a more obvious expiry value by default +* libxt_RATEEST: fix find-and-delete of rules with -j RATEEST +* ipv4: restore negation for the -f option +* Reject empty host specifications (e.g. -s "") +* libxt_conntrack: restore network byteordering for ABI v1 & v2 +* Documentation updates + +------------------------------------------------------------------- +Wed Jun 8 10:20:57 UTC 2011 - [email protected] + +- Update to snapshot 1.4.11+git16 +* libxt_owner: restore inversion support +* option: fix ignored negation before implicit extension loading +* build: fix installation of symlinks +* build: fix absence of xml translator in IPv6-only builds +- Drop merged patches + +------------------------------------------------------------------- +Sun May 29 23:56:33 UTC 2011 - [email protected] + +- Update to new upstream release 1.4.11 +* stricter option parsing +* support for the current xt_SET target as contained in 2.6.39 +* support for the new xt_devgroup match +* support for the new xt_AUDIT target +* support for a new NFQUEUE bypass option, allowing to bypass the + queue if no userspace listener is present +* a new iptables option "-C" to check for existence of a rules +- Fixes on top +* allow negation of --uid-owner/--gid-owner again +* fix installation of symlinks +- Run spec-beautifier + +------------------------------------------------------------------- +Fri Oct 29 17:56:48 UTC 2010 - [email protected] + +- Update to new upstream release 1.4.10 +* this is the release for the Linux 2.6.36 kernel +* support for the cpu match, which can be used to improve cache + locality when running multiple server instances +* support for the 
IDLETIMER target, which can be used to notify + userspace of interfaces being idle +* support for the CHECKSUM target +* support for the ipvs match +* a fix for deletion of rules using the quota match + +------------------------------------------------------------------- +Mon Aug 9 07:21:28 UTC 2010 - [email protected] + +- update to new upstream release 1.4.9.1 + * fixes a compilation problem with static linking in the 1.4.9 + release + +------------------------------------------------------------------- +Wed Aug 4 09:56:11 UTC 2010 - [email protected] + +- update to new upstream release 1.4.9 + * this is the release for the Linux 2.6.35 kernel + * support for the LED target + * a new version of the set extension for the upcoming release + supporting IPv6 + * negation support for the quota match + * support for the SACK-IMMEDIATELY SCTP extension and + FORWARD_TSN chunk type in the sctp match + * documentation updates and various smaller bugfixes + +------------------------------------------------------------------- +Wed May 26 15:20:25 UTC 2010 - [email protected] + +- update to new upstream release 1.4.8 + * this is the release for the Linux 2.6.34 kernel + * add support for the new xt_CT extension + * import the nfnl_osf program required for proper operation + of the xt_osf extension + +------------------------------------------------------------------- +Sat Apr 24 11:38:18 UTC 2010 - [email protected] + +- buildrequire pkg-config to fix provides + +------------------------------------------------------------------- +Mon Mar 1 15:43:30 UTC 2010 - [email protected] + +- update to new upstream release 1.4.7 + * libipq is built as a shared library + * removal of some restrictions on interface names + * documentation updates +- rebase and fix linking of iptables-batch +- fix libdir->libexecdir + +------------------------------------------------------------------- +Mon Feb 22 13:09:03 UTC 2010 - [email protected] + +- only run configure when needed +- use 
%_smp_mflags +- use newer git snapshot to fix compile error due to missing + ipt_DSCP.h in newer linux-glibc-devel (>= 2.6.32) + +------------------------------------------------------------------- +Wed Dec 30 13:01:52 UTC 2009 - [email protected] + +- fix bnc#561793 - do not include unclean module documentation + in iptables manpage + +------------------------------------------------------------------- +Tue Dec 22 18:09:11 CET 2009 - [email protected] + +- update specfile descriptions (bnc#553801) +- update to iptables 1.4.6: ++++ 485 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.iptables.1143.new/iptables.changes New: ---- iptables-1.4.16.3.tar.bz2 iptables-1.4.16.3.tar.bz2.sig iptables-apply-mktemp-fix.patch iptables-batch.patch iptables.changes iptables.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iptables.spec ++++++ # # spec file for package iptables # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

Name:           iptables
%define lname_ipq libipq0
%define lname_iptc libiptc0
%define lname_xt libxtables9
Version:        1.4.16.3
Release:        0
Summary:        IP Packet Filter Administration utilities
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Url:            http://netfilter.org/
#Git-Web:       http://git.netfilter.org/
#Git-Clone:     git://git.netfilter.org/iptables
#DL-URL:        http://netfilter.org/projects/iptables/files/
Source:         http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2:        http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Patch1:         iptables-batch.patch
Patch2:         iptables-apply-mktemp-fix.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version}
BuildRequires:  sgmltool
%endif
%if 0%{?fedora_version} || 0%{?centos_version}
BuildRequires:  sgml-common
%endif
#git#BuildRequires: autoconf, automake >= 1.10
BuildRequires:  libtool
BuildRequires:  pkgconfig >= 0.21
%if 0%{?suse_version}
BuildRequires:  fdupes
%endif
%if 0%{?suse_version} >= 1140
BuildRequires:  pkgconfig(libnfnetlink) >= 1.0.0
%endif
%if 0%{?suse_version} && 0%{?suse_version} <= 1110
BuildRequires:  libnfnetlink-devel >= 1.0.0
%endif
%if 0%{?fedora_version} || 0%{?centos_version} || 0%{?rhel_version}
BuildRequires:  libnfnetlink-devel >= 1.0.0
%endif

%description
iptables is used to set up, maintain, and inspect the tables of IP
packet filter rules in the Linux kernel. This version requires kernel
2.4.0 or newer.

%package -n %lname_ipq
Summary:        Library to interface with the (old) ip_queue kernel mechanism
Group:          System/Libraries

%description -n %lname_ipq
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to do
with the packets (such as ACCEPT or DROP). These packets may also be
modified in userspace prior to reinjection back into the kernel.

ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!

%package -n libipq-devel
Summary:        Development files for the ip_queue kernel mechanism
Group:          Development/Libraries/C and C++
Requires:       %lname_ipq = %version

%description -n libipq-devel
The Netfilter project provides a mechanism (ip_queue) for passing
packets out of the stack for queueing to userspace, then receiving
these packets back into the kernel with a verdict specifying what to do
with the packets (such as ACCEPT or DROP). These packets may also be
modified in userspace prior to reinjection back into the kernel.

ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!

%package -n %lname_iptc
Summary:        Library for low-level ruleset generation and parsing
Group:          System/Libraries

%description -n %lname_iptc
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load new rulesets into the kernel.

%package -n libiptc-devel
Summary:        Development files for libiptc, a packet filter ruleset library
Group:          Development/Libraries/C and C++
Requires:       %lname_iptc = %version
# NOT adding Obsoletes/Provides: iptables-devel, because that one has
# been split into _two_ new pkgs (libxtables-devel, libiptc-devel).
# NOTE: Please use pkgconfig(...) symbols for BuildRequires.

%description -n libiptc-devel
libiptc ("iptables cache") is used to retrieve from the kernel, parse,
construct, and load new rulesets into the kernel.

%package -n %lname_xt
Summary:        iptables extension interface
Group:          System/Libraries

%description -n %lname_xt
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.

%package -n libxtables-devel
Summary:        Libraries, Headers and Development Man Pages for iptables
Group:          Development/Libraries/C and C++
Requires:       %lname_xt = %version

%description -n libxtables-devel
This library contains all the iptables code shared between iptables,
ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.

Link your extension (iptables plugins) with $(pkg-config xtables --libs)
and place the plugin in the directory given by
$(pkg-config xtables --variable=xtlibdir).

%prep
%if 0%{?__xz:1}
%setup -q
%else
tar -xf "%{S:0}" --use=bzip2;
%setup -DTq
%endif
%patch -P 1 -P 2 -p1

%build
# We have the iptables-batch patch, so always regenerate.
if true || [ ! -e configure ]; then
	./autogen.sh;
fi
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
# includedir is overridden on purpose to detect projects that
# fail to include libxtables_CFLAGS
%configure --includedir=%_includedir/%name-%version --enable-libipq
make %{?_smp_mflags}

%install
make DESTDIR=%buildroot install
# iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply %buildroot%_sbindir/
install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
rm -f "%buildroot/%_libdir"/*.la;
%if 0%{?suse_version}
%fdupes %buildroot
%endif

%post -n %lname_ipq -p /sbin/ldconfig
%postun -n %lname_ipq -p /sbin/ldconfig
%post -n %lname_iptc -p /sbin/ldconfig
%postun -n %lname_iptc -p /sbin/ldconfig
%post -n %lname_xt -p /sbin/ldconfig
%postun -n %lname_xt -p /sbin/ldconfig

%files
%defattr(-,root,root)
%doc COPYING
%doc %_mandir/man1/*
%doc %_mandir/man8/*
%_bindir/iptables-xml
%_sbindir/iptables
%_sbindir/iptables-apply
%_sbindir/iptables-batch
%_sbindir/iptables-restore
%_sbindir/iptables-save
%_sbindir/ip6tables
%_sbindir/ip6tables-batch
%_sbindir/ip6tables-restore
%_sbindir/ip6tables-save
%_sbindir/xtables-multi
%_sbindir/nfnl_osf
%_libdir/xtables
%_datadir/xtables

%files -n %lname_ipq
%defattr(-,root,root)
%_libdir/libipq.so.0* %files -n libipq-devel %defattr(-,root,root) %doc %_mandir/man3/libipq* %doc %_mandir/man3/ipq* %dir %_includedir/%name-%version %_includedir/%name-%version/libipq* %_libdir/libipq.so %_libdir/pkgconfig/libipq.pc %files -n %lname_iptc %defattr(-,root,root) %_libdir/libiptc.so.0* %_libdir/libip4tc.so.0* %_libdir/libip6tc.so.0* %files -n libiptc-devel %defattr(-,root,root) %dir %_includedir/%name-%version %_includedir/%name-%version/libiptc* %_libdir/libip*tc.so %_libdir/pkgconfig/libip*tc.pc %files -n %lname_xt %defattr(-,root,root) %_libdir/libxtables.so.9* %files -n libxtables-devel %defattr(-,root,root) %dir %_includedir/%name-%version %_includedir/%name-%version/xtables.h %_includedir/%name-%version/xtables-version.h %_libdir/libxtables.so %_libdir/pkgconfig/xtables.pc %changelog ++++++ iptables-apply-mktemp-fix.patch ++++++ Index: iptables-1.4.12.1+16/iptables/iptables-apply =================================================================== --- iptables-1.4.12.1+16.orig/iptables/iptables-apply +++ iptables-1.4.12.1+16/iptables/iptables-apply @@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then exit 2 fi -COMMANDS=(tempfile "$SAVE" "$RESTORE") +COMMANDS=(mktemp "$SAVE" "$RESTORE") for cmd in "${COMMANDS[@]}"; do if ! command -v $cmd >/dev/null; then @@ -122,7 +122,7 @@ done umask 0700 -TMPFILE=$(tempfile -p iptap) +TMPFILE=$(mktemp) trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 if ! "$SAVE" >"$TMPFILE"; then ++++++ iptables-batch.patch ++++++ --- iptables/Makefile.am | 10 iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 477 insertions(+), 1 deletion(-) Index: iptables-1.4.16.2/iptables/Makefile.am =================================================================== --- iptables-1.4.16.2.orig/iptables/Makefile.am +++ iptables-1.4.16.2/iptables/Makefile.am 
@@ -24,7 +24,15 @@ endif xtables_multi_SOURCES += xshared.c xtables_multi_LDADD += ../libxtables/libxtables.la -lm -sbin_PROGRAMS = xtables-multi +iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c +iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS} +iptables_batch_LDADD = ${xtables_multi_LDADD} +ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c +ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T +ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS} +ip6tables_batch_LDADD = ${xtables_multi_LDADD} + +sbin_PROGRAMS = xtables-multi iptables-batch ip6tables-batch man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 iptables-extensions.8 Index: iptables-1.4.16.2/iptables/iptables-batch.c =================================================================== --- /dev/null +++ iptables-1.4.16.2/iptables/iptables-batch.c 
@@ -0,0 +1,468 @@ +/* + * Author: Ludwig Nussel <[email protected]> + * Update for iptables 1.4.3.x: Petr Uzel <[email protected]> + * + * Based on the ipchains code by Paul Russell and Michael Neuling + * + * (C) 2000-2002 by the netfilter coreteam <[email protected]>: + * Paul 'Rusty' Russell <[email protected]> + * Marc Boucher <[email protected]> + * James Morris <[email protected]> + * Harald Welte <[email protected]> + * Jozsef Kadlecsik <[email protected]> + * + * iptables-batch -- iptables batch processor + * + * See the accompanying manual page iptables(8) for information + * about proper usage of this program. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
+ */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <ctype.h> +#include <stdlib.h> +#include <errno.h> +#include <string.h> + +#ifdef IP6T +#include <ip6tables.h> +#else +#include <iptables.h> +#endif +#include <xtables.h> + +#ifdef IP6T +#define prog_name ip6tables_globals.program_name +#define prog_ver ip6tables_globals.program_version +#else +#define prog_name iptables_globals.program_name +#define prog_ver iptables_globals.program_version +#endif + +static char* errstr = NULL; + +static unsigned current_line = 0; + +static char* +skipspace(char* ptr) +{ + while(*ptr && isspace(*ptr)) + ++ptr; + return ptr; +} + +static char* +getliteral(char** ptr) +{ + char* start = *ptr; + char* p = start; + + while(*p && !isspace(*p)) + ++p; + + if(*p) + { + *p = '\0'; + ++p; + } + + *ptr = p; + return start; +} + +static char* +getstring(char** ptr) +{ + char* start = *ptr+1; // skip leading " + char* p = start; + char* o = start; + int backslash = 0; + int done = 0; + + while(*p && !done) + { + if(backslash) + { + backslash = 0; + // no escapes supported, just eat the backslash + *o++ = *p++; + } + else if(*p == '\\') + { + backslash = 1; + p++; + } + else if(*p == '"') + { + done = 1; + } + else + { + *o++ = *p++; + } + } + + if(done) + { + *o = '\0'; + *p = '\0'; + ++p; + *ptr = p; + } + else + { + errstr = "missing \" at end of string"; + start = NULL; + } + return start; +} + +// this is just a very basic method, not 100% shell compatible +static char* +getword(char** ptr) +{ + *ptr = skipspace(*ptr); + if(**ptr == '"') + return getstring(ptr); + return getliteral(ptr); +} + +// destructive +static int +tokenize(int* argc, char* argv[], size_t nargvsize, char* iline) +{ + char* ptr = skipspace(iline); + int ret = 0; + char* word; + + while(ptr && *ptr) + { + if(*ptr == '#') + break; + if(*argc >= nargvsize) + { + errstr = "too many arguments"; + ret = -1; + break; + } + word = getword(&ptr); + if(!word) + { + ret = -1; + break; + } + argv[(*argc)++] = word; + 
++ret; + } + return ret; +} + +#ifdef DEBUG +static void +dumpargv(int argc, char* argv[]) +{ + int i; + for(i=0; i < argc; ++i) + { + printf("%s\"%s\"",i?" ":"", argv[i]); + } + puts(""); +} +#endif + +struct table_handle +{ + char* name; +#ifdef IP6T + struct ip6tc_handle *handle; +#else + struct iptc_handle *handle; +#endif +}; + +static struct table_handle* tables = NULL; +static unsigned num_tables; +struct table_handle* current_table; + +static void +alloc_tables(void) +{ + tables = realloc(tables, sizeof(struct table_handle) * num_tables); +} + +static void +set_current_table(const char* name) +{ + unsigned i; + + if(!strcmp(name, current_table->name)) // same as last time? + return; + + for(i = 0; i < num_tables; ++i) // find already known table + { + if(!strcmp(name, tables[i].name)) + { + current_table = &tables[i]; + return; + } + } + + // table name not known, create new + i = num_tables++; + alloc_tables(); + current_table = &tables[i]; + current_table->name = strdup(name); + current_table->handle = NULL; +} + +static int +find_table(int argc, char* argv[]) +{ + int i; + for(i = 0; i < argc; ++i) + { + if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table")) + { + ++i; + if(i >= argc) + { + fprintf(stderr, "line %d: missing table name after %s\n", + current_line, argv[i]); + return 0; + } + set_current_table(argv[i]); + return 1; + } + } + + // no -t specified + set_current_table("filter"); + + return 1; +} + +static int +do_iptables(int argc, char* argv[]) +{ + char *table = "filter"; + int ret = 0; + + if(!find_table(argc, argv)) + return 0; + +#ifdef IP6T + ret = do_command6(argc, argv, &table, ¤t_table->handle); + + if (!ret) + { + fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno)); + } + else + { + if(!table || strcmp(table, current_table->name)) + { + fprintf(stderr, "line %d: expected table %s, got %s\n", + current_line, current_table->name, table); + exit(1); + } + } +#else + ret = do_command4(argc, argv, &table, 
¤t_table->handle); + + if (!ret) + { + fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno)); + } + else + { + if(!table || strcmp(table, current_table->name)) + { + fprintf(stderr, "line %d: expected table %s, got %s\n", + current_line, current_table->name, table); + exit(1); + } + } +#endif + + return ret; +} + +static int +do_commit(void) +{ + unsigned i; + int ret = 1; + + for(i = 0; i < num_tables; ++i) + { + if(tables[i].handle) + { +#ifdef IP6T + ret = ip6tc_commit(tables[i].handle); + if (!ret) + fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, ip6tc_strerror(errno)); + ip6tc_free(tables[i].handle); + tables[i].handle = NULL; +#else + ret = iptc_commit(tables[i].handle); + if (!ret) + fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno)); + iptc_free(tables[i].handle); + tables[i].handle = NULL; +#endif + } + } + + return ret; +} + +static void +help(void) +{ + fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name); + puts("Read iptables commands from FILE, commit them at EOF\n"); + puts("In addition to normal iptables calls the commands"); + puts("'commit' and 'exit' are understood."); + exit(0); +} + +int +main(int argc, char *argv[]) +{ + int ret = 1; + int c; + int numtok; + size_t llen = 0; + char* iline = NULL; + ssize_t r = -1; + int nargc = 0; + char* nargv[256]; + FILE* fp = stdin; + +#ifdef IP6T + prog_name = "ip6tables-batch"; +#else + prog_name = "iptables-batch"; +#endif + +#ifdef IP6T + c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); +#else + c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); +#endif + + if(c < 0) { + fprintf(stderr, "%s/%s Failed to initialize xtables\n", + prog_name, + prog_ver); + exit(1); + } + +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + if(argc > 1) + { + if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h")) + { + help(); + } + else if(strcmp(argv[1], "-")) + { + fp = fopen(argv[1], "r"); + if(!fp) + { + perror("fopen"); + exit(1); + 
} + } + } + + num_tables = 4; + alloc_tables(); + tables[0].name = "filter"; + tables[0].handle = NULL; + tables[1].name = "mangle"; + tables[1].handle = NULL; + tables[2].name = "nat"; + tables[2].handle = NULL; + tables[3].name = "raw"; + tables[3].handle = NULL; + current_table = &tables[0]; + + while((r = getline(&iline, &llen, fp)) != -1) + { + if(llen < 1 || !*iline) + continue; + if(iline[strlen(iline)-1] == '\n') + iline[strlen(iline) -1 ] = '\0'; + + ++current_line; + nargc = 0; + errstr = NULL; + numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline); + if(numtok == -1) + { + } + else if (numtok == 0) + { + continue; + } + else if(nargc < 1) + { + errstr = "insufficient number of arguments"; + } + + if(errstr) + { + fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr); + ret = 0; + break; + } + +#ifdef DEBUG + dumpargv(nargc, nargv); +#endif + +#ifdef IP6T + if(!strcmp(nargv[0], "ip6tables")) +#else + if(!strcmp(nargv[0], "iptables")) +#endif + { + ret = do_iptables(nargc, nargv); + if(!ret) break; + } + else if(!strcmp(nargv[0], "exit")) + { + break; + } + else if(!strcmp(nargv[0], "commit")) + { + /* do nothing - see bnc#500990, comment #16 */ + } + else + { + fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]); + } + } + + if(ret) + ret = do_commit(); + + exit(!ret); +} -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
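Review bot: in the second hunk of iptables-apply-mktemp-fix.patch (the `@@ -122,7 +122,7 @@` one), the unchanged `umask 0700` directly above the new `TMPFILE=$(mktemp)` masks out the owner bits rather than the group/other bits: mktemp asks for mode 0600 and the umask is applied on top of that, leaving a file with no permission bits at all, which only keeps working because iptables-apply runs as root. Since this line is being touched anyway, change it to `umask 077`, which is what was evidently intended. Also, `$(mktemp)` with no template drops the `iptap` prefix that `tempfile -p iptap` gave the file, so a stray temp file can no longer be attributed to iptables-apply; `mktemp --tmpdir iptap.XXXXXX` keeps the recognisable name while still honouring $TMPDIR.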
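Review bot: in the Makefile.am hunk of iptables-batch.patch, iptables-batch and ip6tables-batch are added to sbin_PROGRAMS but man_MANS is left untouched, so the two new setuid-free but root-only tools ship with no documentation at all, even though the header comment in iptables-batch.c sends the user to "the accompanying manual page iptables(8)". iptables(8) says nothing about the batch file format (one `iptables ...` or `ip6tables ...` call per line, `#` comments, double-quoted words), about the implicit commit of every touched table at EOF or on `exit`, or about the fact that a `commit` line is accepted and ignored. Add an iptables-batch.8 (and ip6tables-batch.8) to man_MANS, or at minimum a section in iptables.8, before this goes out as an update.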
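Review bot: in find_table() in the iptables-batch.c hunk, the "missing table name" error reads argv[i] after `++i` has already moved i to argc, so the message prints one element past the end of argv; it should print argv[i-1], the `-t`/`--table` that was actually seen. Two more things in the same file are worth fixing before this ships: do_commit() overwrites `ret` on every loop iteration, so a failed iptc_commit()/ip6tc_commit() on an earlier table is masked by a later table that commits successfully and the program exits 0 with a partially applied ruleset (accumulate the failure instead, e.g. `if (!iptc_commit(tables[i].handle)) ret = 0;`); and the `invalid command` branch at the end of the main loop prints an error but neither sets `ret = 0` nor breaks, so a mistyped command word is silently tolerated and the rest of the file is still committed, which is inconsistent with the parse-error branch a few lines above that aborts without committing. Minor: alloc_tables() never checks the realloc() result and set_current_table() dereferences `tables` immediately afterwards.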
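The spec above ships the upstream signature (Source2, the .tar.bz2.sig) next to the tarball, but nothing in %prep checks it before %setup unpacks the archive, and the "New:" file list carries no keyring to check it against. The helper below is an added example written for this page; it is not part of the openSUSE package or of iptables. The keyring path, signer fingerprint and checksum it expects are placeholders a packager would pin to the real netfilter release key and release hash, and it assumes GNU coreutils sha256sum and a gpg that supports --status-fd. It fails closed: a missing gpg, a bad signature, or a good signature from any key other than the pinned one all return non-zero.

```shell
#!/bin/sh
# Added example for this page (not from the openSUSE package or from
# iptables): fail-closed checks a packager can run on Source0/Source2
# before %setup. The keyring, fingerprint and checksum passed in are
# placeholders, not real values for iptables-1.4.16.3.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE hashes to EXPECTED_HEX (case-insensitive).
verify_sha256() {
    _file=$1
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _actual=$(sha256sum "$_file" | cut -d' ' -f1) || return 1
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# verify_detached_sig FILE SIGFILE KEYRING FINGERPRINT
# Returns 0 only if gpg reports a VALIDSIG made by the pinned key.
# A "good" signature from any other key in KEYRING is rejected; an
# absent gpg or any gpg error also fails.
verify_detached_sig() {
    _file=$1; _sig=$2; _keyring=$3; _fpr=$4
    command -v gpg >/dev/null 2>&1 || return 1
    _status=$(gpg --batch --no-default-keyring --keyring "$_keyring" \
                  --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null) || return 1
    # VALIDSIG lines carry the full fingerprint of the signing key.
    printf '%s\n' "$_status" | grep -q "^\[GNUPG:\] VALIDSIG $_fpr "
}

# verify_source TARBALL SIGFILE KEYRING FINGERPRINT SHA256
# Both checks must pass: the signature ties the file to the upstream
# signer, the pinned checksum ties it to this exact release even if
# the signing key is later misused.
verify_source() {
    verify_detached_sig "$1" "$2" "$3" "$4" || { echo "bad signature on $1" >&2; return 1; }
    verify_sha256 "$1" "$5" || { echo "checksum mismatch on $1" >&2; return 1; }
    echo "verified $1"
}

# Usage in %prep, with placeholder values (the keyring would have to be
# added to the package as a further Source; there is no Source1 in the spec):
#   verify_source %{S:0} %{S:2} netfilter.keyring <PINNED_FPR> <PINNED_SHA256> || exit 1
```

Running the helper before `tar -xf "%{S:0}"` turns an unverified download into a build failure instead of a silently built binary; the fingerprint comparison on the VALIDSIG line is what distinguishes "some key in the keyring signed this" from "the key we trust signed this".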
