Hello community, here is the log from the commit of package iptables for openSUSE:Factory checked in at 2013-06-05 17:43:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/iptables (Old) and /work/SRC/openSUSE:Factory/.iptables.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iptables" Changes: -------- --- /work/SRC/openSUSE:Factory/iptables/iptables.changes 2013-04-17 18:22:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.iptables.new/iptables.changes 2013-06-05 17:43:26.000000000 +0200 @@ -1,0 +2,9 @@ +Fri May 31 20:00:39 UTC 2013 - [email protected] + +- Update to new upstream release 1.4.19.1 +* New connlabel and bpf matches +- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch, + 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch + (are upstream) + +------------------------------------------------------------------- Old: ---- 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch iptables-1.4.18.tar.bz2 iptables-1.4.18.tar.bz2.sig New: ---- iptables-1.4.19.1.tar.bz2 iptables-1.4.19.1.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iptables.spec ++++++ --- /var/tmp/diff_new_pack.H6kBkV/_old 2013-06-05 17:43:27.000000000 +0200 +++ /var/tmp/diff_new_pack.H6kBkV/_new 2013-06-05 17:43:27.000000000 +0200 @@ -20,7 +20,7 @@ %define lname_ipq libipq0 %define lname_iptc libiptc0 %define lname_xt libxtables10 -Version: 1.4.18 +Version: 1.4.19.1 Release: 0 Summary: IP Packet Filter Administration utilities License: GPL-2.0 and Artistic-2.0 @@ -34,8 +34,6 @@ Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2 Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig Source3: %name.keyring -Patch1: 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch -Patch2: 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch Patch3: iptables-batch.patch Patch4: iptables-apply-mktemp-fix.patch @@ -148,7 +146,7 @@ %prep %{?gpg_verify: %gpg_verify %{S:2}} %setup -q -%patch -P 1 -P 2 -P 3 -P 4 -p1 +%patch -P 3 -P 4 -p1 %build # We have the iptables-batch patch, so always regenerate. 
@@ -159,7 +157,7 @@ rm -f extensions/libipt_unclean.man # includedir is overriden on purpose to detect projects that # fail to include libxtables_CFLAGS -%configure --includedir=%_includedir/%name-%version --enable-libipq +%configure --includedir="%_includedir/pkg/%name" --enable-libipq make %{?_smp_mflags} %install @@ -201,9 +199,11 @@ %files -n xtables-plugins %defattr(-,root,root) -%_libdir/xtables +%dir %_sysconfdir/xtables/ +%config %_sysconfdir/xtables/*.conf +%_libdir/xtables/ %_sbindir/nfnl_osf -%_datadir/xtables +%_datadir/xtables/ %files -n %lname_ipq %defattr(-,root,root) @@ -213,8 +213,8 @@ %defattr(-,root,root) %doc %_mandir/man3/libipq* %doc %_mandir/man3/ipq* -%dir %_includedir/%name-%version -%_includedir/%name-%version/libipq* +%dir %_includedir/pkg/%name/ +%_includedir/pkg/%name/libipq* %_libdir/libipq.so %_libdir/pkgconfig/libipq.pc @@ -226,8 +226,9 @@ %files -n libiptc-devel %defattr(-,root,root) -%dir %_includedir/%name-%version -%_includedir/%name-%version/libiptc* +%dir %_includedir/pkg/ +%dir %_includedir/pkg/%name/ +%_includedir/pkg/%name/libiptc* %_libdir/libip*tc.so %_libdir/pkgconfig/libip*tc.pc @@ -237,9 +238,10 @@ %files -n libxtables-devel %defattr(-,root,root) -%dir %_includedir/%name-%version -%_includedir/%name-%version/xtables.h -%_includedir/%name-%version/xtables-version.h +%dir %_includedir/pkg/ +%dir %_includedir/pkg/%name/ +%_includedir/pkg/%name/xtables.h +%_includedir/pkg/%name/xtables-version.h %_libdir/libxtables.so %_libdir/pkgconfig/xtables.pc ++++++ iptables-1.4.18.tar.bz2 -> iptables-1.4.19.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/Makefile.am new/iptables-1.4.19.1/Makefile.am --- old/iptables-1.4.18/Makefile.am 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/Makefile.am 2013-05-29 15:48:30.000000000 +0200 
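Review bot: `%config %_sysconfdir/xtables/*.conf` in the xtables-plugins file list lets a later upgrade replace a locally edited connlabel.conf, leaving the administrator's copy behind as `.rpmsave`; since the connlabel match resolves `--label` names to bit numbers through that file when rules are parsed or listed, a replaced mapping silently changes what saved rules mean. Upstream ships the file as an example mapping, so `%config(noreplace) %_sysconfdir/xtables/*.conf` is the safer attribute here. The glob also only matches if the upstream `install-data-hook` actually copies the file into the buildroot, which depends on the host-path test in that hook.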
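Review bot: The devel file list holding `%_includedir/pkg/%name/libipq*` claims `%dir %_includedir/pkg/%name/` but not `%dir %_includedir/pkg/`, whereas the libiptc-devel and libxtables-devel lists below both add `%dir %_includedir/pkg/`; installed on its own, that subpackage would leave the parent directory unowned. Unless it is guaranteed to depend on one of the other two devel packages, add `%dir %_includedir/pkg/` to that list as well.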
@@ -10,9 +10,7 @@ if ENABLE_LIBIPQ SUBDIRS += libipq endif -if HAVE_LIBNFNETLINK SUBDIRS += utils -endif # Depends on libxtables: SUBDIRS += extensions # Depends on extensions/libext.a: @@ -26,5 +24,9 @@ tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; +install-data-hook: + @mkdir -p -m 755 $(DESTDIR)/etc/xtables/ || : + @test -f /etc/xtables/connlabel.conf || $(INSTALL) -m 644 etc/xtables/connlabel.conf $(DESTDIR)/etc/xtables/connlabel.conf || : + config.status: extensions/GNUmakefile.in \ include/xtables-version.h.in include/iptables/internal.h.in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/Makefile.in new/iptables-1.4.19.1/Makefile.in --- old/iptables-1.4.18/Makefile.in 2013-03-03 22:43:29.000000000 +0100 +++ new/iptables-1.4.19.1/Makefile.in 2013-05-29 15:50:11.000000000 +0200 @@ -53,7 +53,6 @@ host_triplet = @host@ @ENABLE_DEVEL_TRUE@am__append_1 = include @ENABLE_LIBIPQ_TRUE@am__append_2 = libipq -@HAVE_LIBNFNETLINK_TRUE@am__append_3 = utils subdir = . DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in $(srcdir)/config.h.in \ @@ -276,8 +275,8 @@ AUTOMAKE_OPTIONS = foreign subdir-objects # Depends on libxtables: # Depends on extensions/libext.a: -SUBDIRS = libiptc libxtables $(am__append_1) $(am__append_2) \ - $(am__append_3) extensions iptables +SUBDIRS = libiptc libxtables $(am__append_1) $(am__append_2) utils \ + extensions iptables all: config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -725,7 +724,8 @@ info-am: install-data-am: - + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-dvi: install-dvi-recursive install-dvi-am: 
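Review bot: The new `install-data-hook` tests `/etc/xtables/connlabel.conf` on the build host instead of the staging path it is about to write, so a `DESTDIR` install on a machine that already has the file installs nothing, and the trailing `|| :` hides that; the spec's `%_sysconfdir/xtables/*.conf` glob then has nothing to match. Testing the destination keeps the no-overwrite behaviour for a plain `make install` (empty DESTDIR) while fixing staged installs: `@test -f $(DESTDIR)/etc/xtables/connlabel.conf || $(INSTALL) -m 644 $(srcdir)/etc/xtables/connlabel.conf $(DESTDIR)/etc/xtables/connlabel.conf`, with `$(srcdir)` added so VPATH builds find the source file. The path is best left as `/etc` rather than `$(sysconfdir)` only because libxt_connlabel.c in this same update hard-codes `/etc/xtables/connlabel.conf`. The generated Makefile.in carries the identical hook and should be regenerated rather than patched by hand.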
@@ -773,7 +773,8 @@ uninstall-am: .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all \ - ctags-recursive install-am install-strip tags-recursive + ctags-recursive install-am install-data-am install-strip \ + tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-generic \ @@ -782,14 +783,15 @@ dist-zip distcheck distclean distclean-generic distclean-hdr \ distclean-libtool distclean-tags distcleancheck distdir \ distuninstallcheck dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am tags tags-recursive uninstall uninstall-am + install install-am install-data install-data-am \ + install-data-hook install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am .PHONY: tarball 
@@ -800,6 +802,10 @@ tar -C /tmp -cjf ${PACKAGE_TARNAME}-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root ${PACKAGE_TARNAME}-${PACKAGE_VERSION}/; rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION}; +install-data-hook: + @mkdir -p -m 755 $(DESTDIR)/etc/xtables/ || : + @test -f /etc/xtables/connlabel.conf || $(INSTALL) -m 644 etc/xtables/connlabel.conf $(DESTDIR)/etc/xtables/connlabel.conf || : + config.status: extensions/GNUmakefile.in \ include/xtables-version.h.in include/iptables/internal.h.in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/build-aux/ltmain.sh new/iptables-1.4.19.1/build-aux/ltmain.sh --- old/iptables-1.4.18/build-aux/ltmain.sh 2013-03-03 22:43:24.000000000 +0100 +++ new/iptables-1.4.19.1/build-aux/ltmain.sh 2013-05-29 15:50:06.000000000 +0200 @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.1 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.2 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.2 Debian-2.4.2-1.1" +VERSION="2.4.2 Debian-2.4.2-1.2" TIMESTAMP="" package_revision=1.3337 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/configure new/iptables-1.4.19.1/configure --- old/iptables-1.4.18/configure 2013-03-03 22:43:27.000000000 +0100 +++ new/iptables-1.4.19.1/configure 2013-05-29 15:50:09.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for iptables 1.4.18. +# Generated by GNU Autoconf 2.69 for iptables 1.4.19.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='iptables' PACKAGE_TARNAME='iptables' -PACKAGE_VERSION='1.4.18' -PACKAGE_STRING='iptables 1.4.18' +PACKAGE_VERSION='1.4.19.1' +PACKAGE_STRING='iptables 1.4.19.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -651,6 +651,8 @@ PKG_CONFIG_LIBDIR PKG_CONFIG_PATH PKG_CONFIG +ENABLE_BPFC_FALSE +ENABLE_BPFC_TRUE ENABLE_LIBIPQ_FALSE ENABLE_LIBIPQ_TRUE ENABLE_DEVEL_FALSE @@ -795,6 +797,7 @@ enable_largefile enable_devel enable_libipq +enable_bpf_compiler with_pkgconfigdir ' ac_precious_vars='build_alias @@ -1351,7 +1354,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iptables 1.4.18 to adapt to many kinds of systems. +\`configure' configures iptables 1.4.19.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1421,7 +1424,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of iptables 1.4.18:";; + short | recursive ) echo "Configuration of iptables 1.4.19.1:";; esac cat <<\_ACEOF @@ -1441,6 +1444,7 @@ --disable-largefile Do not build largefile support --enable-devel Install Xtables development headers --enable-libipq Build and install libipq + --enable-bpf-compiler Build bpf compiler Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1545,7 +1549,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iptables configure 1.4.18 +iptables configure 1.4.19.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2093,7 +2097,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iptables $as_me 1.4.18, which was +It was created by iptables $as_me 1.4.19.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -2916,7 +2920,7 @@ # Define the identity of the package. PACKAGE='iptables' - VERSION='1.4.18' + VERSION='1.4.19.1' cat >>confdefs.h <<_ACEOF @@ -5139,7 +5143,8 @@ ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -6675,7 +6680,14 @@ LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; ppc64-*linux*|powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" @@ -11867,6 +11879,11 @@ enableval=$enable_libipq; fi +# Check whether --enable-bpf-compiler was given. +if test "${enable_bpf_compiler+set}" = set; then : + enableval=$enable_bpf_compiler; enable_bpfc="yes" +fi + # Check whether --with-pkgconfigdir was given. if test "${with_pkgconfigdir+set}" = set; then : @@ -12051,6 +12068,14 @@ ENABLE_LIBIPQ_FALSE= fi + if test "$enable_bpfc" = "yes"; then + ENABLE_BPFC_TRUE= + ENABLE_BPFC_FALSE='#' +else + ENABLE_BPFC_TRUE='#' + ENABLE_BPFC_FALSE= +fi + @@ -12435,6 +12460,10 @@ as_fn_error $? "conditional \"ENABLE_LIBIPQ\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_BPFC_TRUE}" && test -z "${ENABLE_BPFC_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_BPFC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${HAVE_LIBNFNETLINK_TRUE}" && test -z "${HAVE_LIBNFNETLINK_FALSE}"; then as_fn_error $? "conditional \"HAVE_LIBNFNETLINK\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -12836,7 +12865,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iptables $as_me 1.4.18, which was +This file was extended by iptables $as_me 1.4.19.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -12902,7 +12931,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -iptables config.status 1.4.18 +iptables config.status 1.4.19.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/configure.ac new/iptables-1.4.19.1/configure.ac --- old/iptables-1.4.18/configure.ac 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/configure.ac 2013-05-29 15:48:30.000000000 +0200 @@ -1,5 +1,5 @@ -AC_INIT([iptables], [1.4.18]) +AC_INIT([iptables], [1.4.19.1]) # See libtool.info "Libtool's versioning system" libxtables_vcurrent=10 @@ -50,6 +50,9 @@ [enable_devel="$enableval"], [enable_devel="yes"]) AC_ARG_ENABLE([libipq], AS_HELP_STRING([--enable-libipq], [Build and install libipq])) +AC_ARG_ENABLE([bpf-compiler], + AS_HELP_STRING([--enable-bpf-compiler], [Build bpf compiler]), + [enable_bpfc="yes"]) AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH], [Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]), [pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig']) 
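Review bot: `AC_ARG_ENABLE([bpf-compiler], ..., [enable_bpfc="yes"])` puts the assignment in the action-if-given slot, which autoconf also runs for `--disable-bpf-compiler`, so that spelling enables the compiler too. The `devel` option a few lines up shows the intended shape: `[enable_bpfc="$enableval"], [enable_bpfc="no"]`, after which the `AM_CONDITIONAL([ENABLE_BPFC], ...)` test in the next hunk works unchanged. The generated `configure` hunk containing `enable_bpfc="yes"` reflects the same issue and should come from a regeneration rather than a hand edit.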
@@ -88,6 +91,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test "$enable_largefile" = "yes"]) AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) +AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"]) PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0], [nfnetlink=1], [nfnetlink=0]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/etc/xtables/connlabel.conf new/iptables-1.4.19.1/etc/xtables/connlabel.conf --- old/iptables-1.4.18/etc/xtables/connlabel.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/iptables-1.4.19.1/etc/xtables/connlabel.conf 2013-05-29 15:48:30.000000000 +0200 @@ -0,0 +1,8 @@ +# example connlabel.conf mapping file. +# used by the "connlabel" match to translate names to their bit-value. +0 eth0-in +1 eth0-out +2 ppp-in +3 ppp-out +4 bulk-traffic +5 interactive diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/GNUmakefile.in new/iptables-1.4.19.1/extensions/GNUmakefile.in --- old/iptables-1.4.18/extensions/GNUmakefile.in 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/GNUmakefile.in 2013-05-29 15:48:30.000000000 +0200 @@ -33,7 +33,6 @@ AM_VERBOSE_CXXLD = @echo " CXXLD " $@; AM_VERBOSE_AR = @echo " AR " $@; AM_VERBOSE_GEN = @echo " GEN " $@; -AM_VERBOSE_NULL = @ endif # @@ -76,7 +75,7 @@ if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi; clean: - rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c; + rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c; rm -f .*.d .*.dd; distclean: clean 
@@ -90,22 +89,18 @@ # # Shared libraries # -lib%.so: lib%.la - ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@ +lib%.so: lib%.oo + ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD}; -lib%.la: lib%.lo - ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir} - -lib%.lo: ${srcdir}/lib%.c - ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $< +lib%.oo: ${srcdir}/lib%.c + ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<; libxt_NOTRACK.so: libxt_CT.so - ${AM_VERBOSE_GEN} ln -fs $< $@ + ln -fs $< $@ libxt_state.so: libxt_conntrack.so - ${AM_VERBOSE_GEN} ln -fs $< $@ + ln -fs $< $@ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD -ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la xt_RATEEST_LIBADD = -lm xt_statistic_LIBADD = -lm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libip6t_DNPT.man new/iptables-1.4.19.1/extensions/libip6t_DNPT.man --- old/iptables-1.4.18/extensions/libip6t_DNPT.man 1970-01-01 01:00:00.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libip6t_DNPT.man 2013-05-29 15:48:30.000000000 +0200 
@@ -0,0 +1,30 @@ +Provides stateless destination IPv6-to-IPv6 Network Prefix Translation (as +described by RFC 6296). +.PP +You have to use this target in the +.B mangle +table, not in the +.B nat +table. It takes the following options: +.TP +\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength] +Set source prefix that you want to translate and length +.TP +\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength] +Set destination prefix that you want to use in the translation and length +.PP +You have to use the SNPT target to undo the translation. Example: +.IP +ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 +\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 +.IP +ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 +\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64 +.PP +You may need to enable IPv6 neighbor proxy: +.IP +sysctl -w net.ipv6.conf.all.proxy_ndp=1 +.PP +You also have to use the +.B NOTRACK +target to disable connection tracking for translated flows. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libip6t_NETMAP.c new/iptables-1.4.19.1/extensions/libip6t_NETMAP.c --- old/iptables-1.4.18/extensions/libip6t_NETMAP.c 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libip6t_NETMAP.c 2013-05-29 15:48:30.000000000 +0200 
@@ -61,7 +61,7 @@
 printf("%s", xtables_ip6addr_to_numeric(&a));
 for (i = 0; i < 4; i++)
 a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
- bits = ipv6_prefix_length(&a);
+ bits = xtables_ip6mask_to_cidr(&a);
 if (bits < 0)
 printf("/%s", xtables_ip6addr_to_numeric(&a));
 else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libip6t_SNPT.man new/iptables-1.4.19.1/extensions/libip6t_SNPT.man
--- old/iptables-1.4.18/extensions/libip6t_SNPT.man 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.19.1/extensions/libip6t_SNPT.man 2013-05-29 15:48:30.000000000 +0200
@@ -0,0 +1,30 @@ +Provides stateless source IPv6-to-IPv6 Network Prefix Translation (as described +by RFC 6296). +.PP +You have to use this target in the +.B mangle +table, not in the +.B nat +table. It takes the following options: +.TP +\fB\-\-src\-pfx\fP [\fIprefix/\fP\fIlength] +Set source prefix that you want to translate and length +.TP +\fB\-\-dst\-pfx\fP [\fIprefix/\fP\fIlength] +Set destination prefix that you want to use in the translation and length +.PP +You have to use the DNPT target to undo the translation. Example: +.IP +ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 +\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 +.IP +ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 +\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64 +.PP +You may need to enable IPv6 neighbor proxy: +.IP +sysctl -w net.ipv6.conf.all.proxy_ndp=1 +.PP +You also have to use the +.B NOTRACK +target to disable connection tracking for translated flows. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libipt_SNAT.man new/iptables-1.4.19.1/extensions/libipt_SNAT.man --- old/iptables-1.4.18/extensions/libipt_SNAT.man 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libipt_SNAT.man 2013-05-29 15:48:30.000000000 +0200 @@ -2,7 +2,10 @@ .B nat table, in the .B POSTROUTING -chain. It specifies that the source address of the packet should be +and +.B INPUT +chains, and user-defined chains which are only called from those +chains. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option: 
@@ -35,3 +38,9 @@ Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2. +.PP +Kernels prior to 2.6.36-rc1 don't have the ability to +.B SNAT +in the +.B INPUT +chain. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_NFQUEUE.man new/iptables-1.4.19.1/extensions/libxt_NFQUEUE.man --- old/iptables-1.4.18/extensions/libxt_NFQUEUE.man 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libxt_NFQUEUE.man 2013-05-29 15:48:30.000000000 +0200 @@ -21,5 +21,5 @@ .TP \fB\-\-queue\-bypass\fP By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued -are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead. The packet -will move on to the next rule. +are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet +will move on to the next table. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_bpf.c new/iptables-1.4.19.1/extensions/libxt_bpf.c --- old/iptables-1.4.18/extensions/libxt_bpf.c 1970-01-01 01:00:00.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libxt_bpf.c 2013-05-29 15:48:30.000000000 +0200 
@@ -0,0 +1,152 @@ +/* + * Xtables BPF extension + * + * Written by Willem de Bruijn ([email protected]) + * Copyright Google, Inc. 2013 + * Licensed under the GNU General Public License version 2 (GPLv2) +*/ + +#include <linux/netfilter/xt_bpf.h> +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> +#include <xtables.h> + +#define BCODE_FILE_MAX_LEN_B 1024 + +enum { + O_BCODE_STDIN = 0, +}; + +static void bpf_help(void) +{ + printf( +"bpf match options:\n" +"--bytecode <program> : a bpf program as generated by\n" +" `nfbpf_compiler RAW <filter>`\n"); +} + +static const struct xt_option_entry bpf_opts[] = { + {.name = "bytecode", .id = O_BCODE_STDIN, .type = XTTYPE_STRING}, + XTOPT_TABLEEND, +}; + +static void bpf_parse_string(struct xt_option_call *cb, const char *bpf_program, + const char separator) +{ + struct xt_bpf_info *bi = (void *) cb->data; + const char *token; + char sp; + int i; + + /* parse head: length. */ + if (sscanf(bpf_program, "%hu%c", &bi->bpf_program_num_elem, &sp) != 2 || + sp != separator) + xtables_error(PARAMETER_PROBLEM, + "bpf: error parsing program length"); + if (!bi->bpf_program_num_elem) + xtables_error(PARAMETER_PROBLEM, + "bpf: illegal zero length program"); + if (bi->bpf_program_num_elem > XT_BPF_MAX_NUM_INSTR) + xtables_error(PARAMETER_PROBLEM, + "bpf: number of instructions exceeds maximum"); + + /* parse instructions. 
*/ + i = 0; + token = bpf_program; + while ((token = strchr(token, separator)) && (++token)[0]) { + if (i >= bi->bpf_program_num_elem) + xtables_error(PARAMETER_PROBLEM, + "bpf: real program length exceeds" + " the encoded length parameter"); + if (sscanf(token, "%hu %hhu %hhu %u,", + &bi->bpf_program[i].code, + &bi->bpf_program[i].jt, + &bi->bpf_program[i].jf, + &bi->bpf_program[i].k) != 4) + xtables_error(PARAMETER_PROBLEM, + "bpf: error at instr %d", i); + i++; + } + + if (i != bi->bpf_program_num_elem) + xtables_error(PARAMETER_PROBLEM, + "bpf: parsed program length is less than the" + " encoded length parameter"); +} + +static void bpf_parse(struct xt_option_call *cb) +{ + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_BCODE_STDIN: + bpf_parse_string(cb, cb->arg, ','); + break; + default: + xtables_error(PARAMETER_PROBLEM, "bpf: unknown option"); + } +} + +static void bpf_print_code(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_bpf_info *info = (void *) match->data; + int i; + + for (i = 0; i < info->bpf_program_num_elem-1; i++) + printf("%hu %hhu %hhu %u,", info->bpf_program[i].code, + info->bpf_program[i].jt, + info->bpf_program[i].jf, + info->bpf_program[i].k); + + printf("%hu %hhu %hhu %u", info->bpf_program[i].code, + info->bpf_program[i].jt, + info->bpf_program[i].jf, + info->bpf_program[i].k); +} + +static void bpf_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_bpf_info *info = (void *) match->data; + + printf(" --bytecode \"%hu,", info->bpf_program_num_elem); + bpf_print_code(ip, match); + printf("\""); +} + +static void bpf_fcheck(struct xt_fcheck_call *cb) +{ + if (!(cb->xflags & (1 << O_BCODE_STDIN))) + xtables_error(PARAMETER_PROBLEM, + "bpf: missing --bytecode parameter"); +} + +static void bpf_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + printf("match bpf "); + return bpf_print_code(ip, match); +} + +static struct xtables_match bpf_match = { 
+ .family = NFPROTO_UNSPEC,
+ .name = "bpf",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_bpf_info)),
+ .userspacesize = XT_ALIGN(offsetof(struct xt_bpf_info, filter)),
+ .help = bpf_help,
+ .print = bpf_print,
+ .save = bpf_save,
+ .x6_parse = bpf_parse,
+ .x6_fcheck = bpf_fcheck,
+ .x6_options = bpf_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&bpf_match);
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_bpf.man new/iptables-1.4.19.1/extensions/libxt_bpf.man
--- old/iptables-1.4.18/extensions/libxt_bpf.man 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.19.1/extensions/libxt_bpf.man 2013-05-29 15:48:30.000000000 +0200
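Review bot: `bpf_print` ends with `return bpf_print_code(ip, match);`, a return carrying an expression inside a void function, which C11 (6.8.6.4) does not permit even for a void-typed expression and which compilers only tolerate with a warning; write it as `bpf_print_code(ip, match);`. The help text names the generator `nfbpf_compiler RAW <filter>` while libxt_bpf.man in this same update calls the utility `nfbpf_compile` throughout, so one of the two is wrong and the help string looks like the odd one out. `BCODE_FILE_MAX_LEN_B` is defined at the top of the file and never used. `bpf_print_code` prints `bpf_program[i]` unconditionally after its loop, which for a `bpf_program_num_elem` of 0 would read element 0; that is presumably unreachable because `bpf_parse_string` rejects zero-length programs, but an early `if (!info->bpf_program_num_elem) return;` would make the assumption explicit instead of relying on the parser.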
@@ -0,0 +1,34 @@ +Match using Linux Socket Filter. Expects a BPF program in decimal format. This +is the format generated by the \fBnfbpf_compile\fP utility. +.TP +\fB\-\-bytecode\fP \fIcode\fP +Pass the BPF byte code format (described in the example below). +.PP +The code format is similar to the output of the tcpdump -ddd command: one line +that stores the number of instructions, followed by one line for each +instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal +notation. Fields encode the operation, jump offset if true, jump offset if +false and generic multiuse field 'K'. Comments are not supported. +.PP +For example, to read only packets matching 'ip proto 6', insert the following, +without the comments or trailing whitespace: +.IP +4 # number of instructions +.br +48 0 0 9 # load byte ip->proto +.br +21 0 1 6 # jump equal IPPROTO_TCP +.br +6 0 0 1 # return pass (non-zero) +.br +6 0 0 0 # return fail (zero) +.PP +You can pass this filter to the bpf match with the following command: +.IP +iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT +.PP +Or instead, you can invoke the nfbpf_compile utility. +.IP +iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT +.PP +You may want to learn more about BPF from FreeBSD's bpf(4) manpage. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_connlabel.c new/iptables-1.4.19.1/extensions/libxt_connlabel.c --- old/iptables-1.4.18/extensions/libxt_connlabel.c 1970-01-01 01:00:00.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libxt_connlabel.c 2013-05-29 15:48:30.000000000 +0200 
@@ -0,0 +1,210 @@
+#include <errno.h>
+#include <stdbool.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_connlabel.h>
+
+enum {
+ O_LABEL = 0,
+ O_SET = 1,
+};
+
+#define CONNLABEL_CFG "/etc/xtables/connlabel.conf"
+
+static void connlabel_mt_help(void)
+{
+ puts(
+"connlabel match options:\n"
+"[!] --label name Match if label has been set on connection\n"
+" --set Set label on connection");
+}
+
+static const struct xt_option_entry connlabel_mt_opts[] = {
+ {.name = "label", .id = O_LABEL, .type = XTTYPE_STRING,
+ .min = 1, .flags = XTOPT_MAND|XTOPT_INVERT},
+ {.name = "set", .id = O_SET, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
+static int
+xtables_parse_connlabel_numerical(const char *s, char **end)
+{
+ uintmax_t value;
+
+ if (!xtables_strtoul(s, end, &value, 0, XT_CONNLABEL_MAXBIT))
+ return -1;
+ return value;
+}
+
+static bool is_space_posix(int c)
+{
+ return c == ' ' || c == '\f' || c == '\r' || c == '\t' || c == '\v';
+}
+
+static char * trim_label(char *label)
+{
+ char *end;
+
+ while (is_space_posix(*label))
+ label++;
+ end = strchr(label, '\n');
+ if (end)
+ *end = 0;
+ else
+ end = strchr(label, '\0');
+ end--;
+
+ while (is_space_posix(*end) && end > label) {
+ *end = 0;
+ end--;
+ }
+
+ return *label ? label : NULL;
+}
+
+static void
+xtables_get_connlabel(uint16_t bit, char *buf, size_t len)
+{
+ FILE *fp = fopen(CONNLABEL_CFG, "r");
+ char label[1024];
+ char *end;
+
+ if (!fp)
+ goto error;
+
+ while (fgets(label, sizeof(label), fp)) {
+ int tmp;
+
+ if (label[0] == '#')
+ continue;
+ tmp = xtables_parse_connlabel_numerical(label, &end);
+ if (tmp < 0 || tmp < (int) bit)
+ continue;
+ if (tmp > (int) bit)
+ break;
+
+ end = trim_label(end);
+ if (!end)
+ continue;
+ snprintf(buf, len, "%s", end);
+ fclose(fp);
+ return;
+ }
+ fclose(fp);
+ error:
+ snprintf(buf, len, "%u", (unsigned int) bit);
+}
+
+
+static uint16_t xtables_parse_connlabel(const char *s)
+{
+ FILE *fp = fopen(CONNLABEL_CFG, "r");
+ char label[1024];
+ char *end;
+ int bit;
+
+ if (!fp)
+ xtables_error(PARAMETER_PROBLEM, "label '%s': could not open '%s': %s",
+ s, CONNLABEL_CFG, strerror(errno));
+
+ while (fgets(label, sizeof(label), fp)) {
+ if (label[0] == '#' || !strstr(label, s))
+ continue;
+ bit = xtables_parse_connlabel_numerical(label, &end);
+ if (bit < 0)
+ continue;
+
+ end = trim_label(end);
+ if (!end)
+ continue;
+ if (strcmp(end, s) == 0) {
+ fclose(fp);
+ return bit;
+ }
+ }
+ fclose(fp);
+ xtables_error(PARAMETER_PROBLEM, "label '%s' not found in config file %s",
+ s, CONNLABEL_CFG);
+}
+
+static void connlabel_mt_parse(struct xt_option_call *cb)
+{
+ struct xt_connlabel_mtinfo *info = cb->data;
+ int tmp;
+
+ xtables_option_parse(cb);
+
+ switch (cb->entry->id) {
+ case O_LABEL:
+ tmp = xtables_parse_connlabel_numerical(cb->arg, NULL);
+ info->bit = tmp < 0 ? xtables_parse_connlabel(cb->arg) : tmp;
+
+ if (cb->invert)
+ info->options |= XT_CONNLABEL_OP_INVERT;
+ break;
+ case O_SET:
+ info->options |= XT_CONNLABEL_OP_SET;
+ break;
+ }
+
+}
+
+static void
+connlabel_mt_print_op(const struct xt_connlabel_mtinfo *info, const char *prefix)
+{
+ if (info->options & XT_CONNLABEL_OP_SET)
+ printf(" %sset", prefix);
+}
+
+static void
+connlabel_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ const struct xt_connlabel_mtinfo *info = (const void *)match->data;
+ char buf[1024];
+
+ printf(" connlabel");
+ if (info->options & XT_CONNLABEL_OP_INVERT)
+ printf(" !");
+ if (numeric) {
+ printf(" %u", info->bit);
+ } else {
+ xtables_get_connlabel(info->bit, buf, sizeof(buf));
+ printf(" '%s'", buf);
+ }
+ connlabel_mt_print_op(info, "");
+}
+
+static void
+connlabel_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_connlabel_mtinfo *info = (const void *)match->data;
+ char buf[1024];
+
+ if (info->options & XT_CONNLABEL_OP_INVERT)
+ printf(" !");
+
+ xtables_get_connlabel(info->bit, buf, sizeof(buf));
+ printf(" --label \"%s\"", buf);
+
+ connlabel_mt_print_op(info, "--");
+}
+
+static struct xtables_match connlabel_mt_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "connlabel",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connlabel_mtinfo)),
+ .userspacesize = offsetof(struct xt_connlabel_mtinfo, bit),
+ .help = connlabel_mt_help,
+ .print = connlabel_mt_print,
+ .save = connlabel_mt_save,
+ .x6_parse = connlabel_mt_parse,
+ .x6_options = connlabel_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&connlabel_mt_reg);
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_connlabel.man new/iptables-1.4.19.1/extensions/libxt_connlabel.man
--- old/iptables-1.4.18/extensions/libxt_connlabel.man 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.19.1/extensions/libxt_connlabel.man 2013-05-29 15:48:30.000000000 +0200
@@ -0,0 +1,32 @@
+Module matches or adds connlabels to a connection.
+connlabels are similar to connmarks, except labels are bit-based; i.e.
+all labels may be attached to a flow at the same time.
+Up to 128 unique labels are currently supported.
+.TP
+[\fB!\fP] \fB\-\-label\fP \fBname\fP
+matches if label \fBname\fP has been set on a connection.
+Instead of a name (which will be translated to a number, see EXAMPLE below),
+a number may be used instead. Using a number always overrides connlabel.conf.
+.TP
+\fB\-\-set\fP
+if the label has not been set on the connection, set it.
+Note that setting a label can fail. This is because the kernel allocates the
+conntrack label storage area when the connection is created, and it only
+reserves the amount of memory required by the ruleset that exists at
+the time the connection is created.
+In this case, the match will fail (or succeed, in case \fB\-\-label\fP
+option was negated).
+.PP
+Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file.
+.PP
+Example:
+.IP
+.nf
+0 eth0-in
+1 eth0-out
+2 ppp-in
+3 ppp-out
+4 bulk-traffic
+5 interactive
+.fi
+.PP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_conntrack.c new/iptables-1.4.19.1/extensions/libxt_conntrack.c
--- old/iptables-1.4.18/extensions/libxt_conntrack.c 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/extensions/libxt_conntrack.c 2013-05-29 15:48:30.000000000 +0200
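Review bot: In trim_label the loop condition `while (is_space_posix(*end) && end > label)` dereferences end before checking that it is still inside the label; when the trimmed text is empty, end has already been stepped back to label - 1, so the read lands outside the string (the two callers pass a pointer that follows a parsed number, which is what currently masks it). Swapping the operands, `while (end > label && is_space_posix(*end)) {`, makes the bound check come first. Separately, connlabel_mt_save writes the name read from /etc/xtables/connlabel.conf straight into `--label \"%s\"` without rejecting an embedded `"`, so a label containing a quote is likely to produce iptables-save output that iptables-restore cannot read back; either have trim_label reject such names or let xtables_get_connlabel fall back to the numeric form for them. A short comment above the fgets loop in xtables_get_connlabel noting that a line longer than the 1024-byte buffer is seen as two lines would also help the next reader.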
@@ -1037,15 +1037,15 @@
 state_parse_state(const char *state, size_t len)
 {
 if (strncasecmp(state, "INVALID", len) == 0)
- return XT_STATE_INVALID;
+ return XT_CONNTRACK_STATE_INVALID;
 else if (strncasecmp(state, "NEW", len) == 0)
- return XT_STATE_BIT(IP_CT_NEW);
+ return XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
 else if (strncasecmp(state, "ESTABLISHED", len) == 0)
- return XT_STATE_BIT(IP_CT_ESTABLISHED);
+ return XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
 else if (strncasecmp(state, "RELATED", len) == 0)
- return XT_STATE_BIT(IP_CT_RELATED);
+ return XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
 else if (strncasecmp(state, "UNTRACKED", len) == 0)
- return XT_STATE_UNTRACKED;
+ return XT_CONNTRACK_STATE_UNTRACKED;
 return 0;
 }
 
@@ -1115,23 +1115,23 @@
 {
 const char *sep = "";
 
- if (statemask & XT_STATE_INVALID) {
+ if (statemask & XT_CONNTRACK_STATE_INVALID) {
 printf("%sINVALID", sep);
 sep = ",";
 }
- if (statemask & XT_STATE_BIT(IP_CT_NEW)) {
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
 printf("%sNEW", sep);
 sep = ",";
 }
- if (statemask & XT_STATE_BIT(IP_CT_RELATED)) {
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
 printf("%sRELATED", sep);
 sep = ",";
 }
- if (statemask & XT_STATE_BIT(IP_CT_ESTABLISHED)) {
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
 printf("%sESTABLISHED", sep);
 sep = ",";
 }
- if (statemask & XT_STATE_UNTRACKED) {
+ if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
 printf("%sUNTRACKED", sep);
 sep = ",";
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_multiport.man new/iptables-1.4.19.1/extensions/libxt_multiport.man
--- old/iptables-1.4.18/extensions/libxt_multiport.man 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/extensions/libxt_multiport.man 2013-05-29 15:48:30.000000000 +0200
@@ -1,9 +1,8 @@ This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two -ports. It can only be used in conjunction with -\fB\-p tcp\fP -or -\fB\-p udp\fP. +ports. It can only be used in conjunction with one of the +following protocols: +\fBtcp\fP, \fBudp\fP, \fBudplite\fP, \fBdccp\fP and \fBsctp\fP. .TP [\fB!\fP] \fB\-\-source\-ports\fP,\fB\-\-sports\fP \fIport\fP[\fB,\fP\fIport\fP|\fB,\fP\fIport\fP\fB:\fP\fIport\fP]... Match if the source port is one of the given ports. The flag diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_osf.c new/iptables-1.4.19.1/extensions/libxt_osf.c --- old/iptables-1.4.18/extensions/libxt_osf.c 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libxt_osf.c 2013-05-29 15:48:30.000000000 +0200 @@ -92,7 +92,14 @@ { const struct xt_osf_info *info = (const struct xt_osf_info*) match->data; - printf(" --genre %s%s", (info->flags & XT_OSF_INVERT) ? "! ": "", info->genre); + if (info->flags & XT_OSF_INVERT) + printf(" !"); + + printf(" --genre %s", info->genre); + if (info->flags & XT_OSF_TTL) + printf(" --ttl %u", info->ttl); + if (info->flags & XT_OSF_LOG) + printf(" --log %u", info->loglevel); } static struct xtables_match osf_match = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/extensions/libxt_recent.man new/iptables-1.4.19.1/extensions/libxt_recent.man --- old/iptables-1.4.18/extensions/libxt_recent.man 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/extensions/libxt_recent.man 2013-05-29 15:48:30.000000000 +0200 
@@ -24,7 +24,7 @@
 \fB\-\-rdest\fP
 Match/save the destination address of each packet in the recent list table.
 .TP
-\fB\-\-mask\fPnetmask
+\fB\-\-mask\fP \fInetmask\fP
 Netmask that will be applied to this recent list.
 .TP
 [\fB!\fP] \fB\-\-rcheck\fP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/include/libiptc/libip6tc.h new/iptables-1.4.19.1/include/libiptc/libip6tc.h
--- old/iptables-1.4.18/include/libiptc/libip6tc.h 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/include/libiptc/libip6tc.h 2013-05-29 15:48:30.000000000 +0200
@@ -154,9 +154,6 @@
 /* Translates errno numbers into more human-readable form than strerror. */
 const char *ip6tc_strerror(int err);
 
-/* Return prefix length, or -1 if not contiguous */
-int ipv6_prefix_length(const struct in6_addr *a);
-
 extern void dump_entries6(struct xtc_handle *const);
 extern const struct xtc_ops ip6tc_ops;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/include/linux/netfilter/xt_bpf.h new/iptables-1.4.19.1/include/linux/netfilter/xt_bpf.h
--- old/iptables-1.4.18/include/linux/netfilter/xt_bpf.h 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.19.1/include/linux/netfilter/xt_bpf.h 2013-05-29 15:48:30.000000000 +0200
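Review bot: Removing `int ipv6_prefix_length(const struct in6_addr *a);` from the installed libip6tc.h is a source-level API removal for out-of-tree libiptc users (the libip6tc.c hunk later in this diff keeps the function but makes it static), yet neither the package changelog nor the spec mentions it or the xtables_ip6mask_to_cidr() that ip6tables.c switches to. A changelog line such as `- ipv6_prefix_length() is no longer exported from libip6tc; use xtables_ip6mask_to_cidr()` would spare downstream users a link-time surprise.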
@@ -0,0 +1,17 @@
+#ifndef _XT_BPF_H
+#define _XT_BPF_H
+
+#include <linux/filter.h>
+#include <linux/types.h>
+
+#define XT_BPF_MAX_NUM_INSTR 64
+
+struct xt_bpf_info {
+ __u16 bpf_program_num_elem;
+ struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR];
+
+ /* only used in the kernel */
+ struct sk_filter *filter __attribute__((aligned(8)));
+};
+
+#endif /*_XT_BPF_H */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/include/linux/netfilter/xt_connlabel.h new/iptables-1.4.19.1/include/linux/netfilter/xt_connlabel.h
--- old/iptables-1.4.18/include/linux/netfilter/xt_connlabel.h 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.19.1/include/linux/netfilter/xt_connlabel.h 2013-05-29 15:48:30.000000000 +0200
@@ -0,0 +1,12 @@
+#include <linux/types.h>
+
+#define XT_CONNLABEL_MAXBIT 127
+enum xt_connlabel_mtopts {
+ XT_CONNLABEL_OP_INVERT = 1 << 0,
+ XT_CONNLABEL_OP_SET = 1 << 1,
+};
+
+struct xt_connlabel_mtinfo {
+ __u16 bit;
+ __u16 options;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/iptables/ip6tables.c new/iptables-1.4.19.1/iptables/ip6tables.c
--- old/iptables-1.4.18/iptables/ip6tables.c 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/iptables/ip6tables.c 2013-05-29 15:48:30.000000000 +0200
@@ -237,7 +237,7 @@
 "Options:\n"
 " --ipv4 -4 Error (line is ignored by ip6tables-restore)\n"
 " --ipv6 -6 Nothing (line is ignored by iptables-restore)\n"
-"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
+"[!] --protocol -p proto protocol: by number or name, eg. `tcp'\n"
 "[!] --source -s address[/mask][,...]\n"
 " source specification\n"
 "[!] --destination -d address[/mask][,...]\n"
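Review bot: The new include/linux/netfilter/xt_connlabel.h has no include guard, unlike xt_bpf.h in the hunk just above it, so a translation unit that pulls it in twice redefines `enum xt_connlabel_mtopts` and `struct xt_connlabel_mtinfo` and fails to compile. Wrapping the body in `#ifndef _XT_CONNLABEL_H` / `#define _XT_CONNLABEL_H` / `#endif` brings it in line with the sibling header. A one-line comment on `XT_CONNLABEL_MAXBIT` saying that it is the highest valid label number rather than a count would also help, since libxt_connlabel.c hands it to xtables_strtoul() as the upper bound of the accepted range.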
@@ -1022,7 +1022,7 @@
 const struct in6_addr *mask, int invert)
 {
 char buf[51];
- int l = ipv6_prefix_length(mask);
+ int l = xtables_ip6mask_to_cidr(mask);
 
 if (l == 0 && !invert)
 return;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/iptables/iptables.c new/iptables-1.4.19.1/iptables/iptables.c
--- old/iptables-1.4.18/iptables/iptables.c 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/iptables/iptables.c 2013-05-29 15:48:30.000000000 +0200
@@ -231,7 +231,7 @@
 "Options:\n"
 " --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n"
 " --ipv6 -6 Error (line is ignored by iptables-restore)\n"
-"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
+"[!] --protocol -p proto protocol: by number or name, eg. `tcp'\n"
 "[!] --source -s address[/mask][...]\n"
 " source specification\n"
 "[!] --destination -d address[/mask][...]\n"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/libiptc/libip6tc.c new/iptables-1.4.19.1/libiptc/libip6tc.c
--- old/iptables-1.4.18/libiptc/libip6tc.c 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/libiptc/libip6tc.c 2013-05-29 15:48:30.000000000 +0200
@@ -113,7 +113,7 @@
 #define BIT6(a, l) \
 ((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
 
-int
+static int
 ipv6_prefix_length(const struct in6_addr *a)
 {
 int l, i;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/libxtables/xtoptions.c new/iptables-1.4.19.1/libxtables/xtoptions.c
--- old/iptables-1.4.18/libxtables/xtoptions.c 2013-03-03 22:40:11.000000000 +0100
+++ new/iptables-1.4.19.1/libxtables/xtoptions.c 2013-05-29 15:48:30.000000000 +0200
@@ -667,6 +667,33 @@
 free(lo_arg);
 }
 
+static int xtopt_parse_mask(struct xt_option_call *cb)
+{
+ struct addrinfo hints = {.ai_family = afinfo->family,
+ .ai_flags = AI_NUMERICHOST };
+ struct addrinfo *res;
+ int ret;
+
+ ret = getaddrinfo(cb->arg, NULL, &hints, &res);
+ if (ret < 0)
+ return 0;
+
+ memcpy(&cb->val.hmask, xtables_sa_host(res->ai_addr, res->ai_family),
+ xtables_sa_hostlen(res->ai_family));
+
+ switch(afinfo->family) {
+ case AF_INET:
+ cb->val.hlen = xtables_ipmask_to_cidr(&cb->val.hmask.in);
+ break;
+ case AF_INET6:
+ cb->val.hlen = xtables_ip6mask_to_cidr(&cb->val.hmask.in6);
+ break;
+ }
+
+ freeaddrinfo(res);
+ return 1;
+}
+
 /**
 * Parse an integer and ensure it is within the address family's prefix length
 * limits. The result is stored in @cb->val.hlen.
@@ -677,12 +704,17 @@
 unsigned int prefix_len = 128; /* happiness is a warm gcc */
 
 cb->val.hlen = (afinfo->family == NFPROTO_IPV4) ? 32 : 128;
- if (!xtables_strtoui(cb->arg, NULL, &prefix_len, 0, cb->val.hlen))
+ if (!xtables_strtoui(cb->arg, NULL, &prefix_len, 0, cb->val.hlen)) {
+ /* Is this mask expressed in full format? e.g. 255.255.255.0 */
+ if (xtopt_parse_mask(cb))
+ return;
+
 xt_params->exit_err(PARAMETER_PROBLEM,
 "%s: bad value for option \"--%s\", "
- "or out of range (%u-%u).\n",
+ "neither a valid network mask "
+ "nor valid CIDR (%u-%u).\n",
 cb->ext_name, entry->name, 0, cb->val.hlen);
-
+ }
 cb->val.hlen = prefix_len;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/m4/libtool.m4 new/iptables-1.4.19.1/m4/libtool.m4
--- old/iptables-1.4.18/m4/libtool.m4 2013-03-03 22:43:24.000000000 +0100
+++ new/iptables-1.4.19.1/m4/libtool.m4 2013-05-29 15:50:06.000000000 +0200
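Review bot: `if (ret < 0) return 0;` in xtopt_parse_mask tests getaddrinfo() the wrong way round: it returns 0 on success and a non-zero EAI_* code on failure, and those codes are positive on some C libraries (glibc happens to define them negative), so on such a platform a failed lookup falls through to memcpy() from an uninitialised res; `if (ret != 0)` is the portable check. The value stored in cb->val.hlen is also never checked for the -1 that the *_to_cidr() helpers presumably return for a non-contiguous mask (the ipv6_prefix_length() that xtables_ip6mask_to_cidr() replaces in ip6tables.c documents that convention in the comment removed from libip6tc.h), and since hlen is printed with `%u` in the second hunk it looks unsigned, so a constructed mask such as 255.0.255.0 would yield a huge prefix length instead of an error. The `switch(afinfo->family)` has no default either, so any other family silently leaves hlen at whatever it already held. The rewrite below keeps the result in a local, frees res on every path and returns 0 for a negative or unknown result so that the caller's exit_err() reports it.
```c
	struct addrinfo *res;
	int ret, cidr;

	ret = getaddrinfo(cb->arg, NULL, &hints, &res);
	if (ret != 0)
		return 0;

	/* … unchanged: memcpy of the host part into cb->val.hmask … */

	switch (afinfo->family) {
	case AF_INET:
		cidr = xtables_ipmask_to_cidr(&cb->val.hmask.in);
		break;
	case AF_INET6:
		cidr = xtables_ip6mask_to_cidr(&cb->val.hmask.in6);
		break;
	default:
		cidr = -1;
		break;
	}
	freeaddrinfo(res);

	/* -1: mask is not a contiguous prefix (or family unsupported) */
	if (cidr < 0)
		return 0;
	cb->val.hlen = cidr;
	return 1;
```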
@@ -1324,7 +1324,14 @@ LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; ppc64-*linux*|powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" @@ -1688,7 +1695,8 @@ ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/utils/.gitignore new/iptables-1.4.19.1/utils/.gitignore --- old/iptables-1.4.18/utils/.gitignore 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/utils/.gitignore 2013-05-29 15:48:30.000000000 +0200 @@ -1 +1,2 @@ /nfnl_osf +/nfbpf_compile diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/utils/Makefile.am new/iptables-1.4.19.1/utils/Makefile.am --- old/iptables-1.4.18/utils/Makefile.am 2013-03-03 22:40:11.000000000 +0100 +++ new/iptables-1.4.19.1/utils/Makefile.am 2013-05-29 15:48:30.000000000 +0200 
@@ -4,7 +4,17 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ -I${top_srcdir}/include ${libnfnetlink_CFLAGS} -sbin_PROGRAMS = nfnl_osf -pkgdata_DATA = pf.os +sbin_PROGRAMS = +pkgdata_DATA = -nfnl_osf_LDADD = -lnfnetlink +if HAVE_LIBNFNETLINK +sbin_PROGRAMS += nfnl_osf +pkgdata_DATA += pf.os + +nfnl_osf_LDADD = ${libnfnetlink_LIBS} +endif + +if ENABLE_BPFC +sbin_PROGRAMS += nfbpf_compile +nfbpf_compile_LDADD = -lpcap +endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/utils/Makefile.in new/iptables-1.4.19.1/utils/Makefile.in --- old/iptables-1.4.18/utils/Makefile.in 2013-03-03 22:43:29.000000000 +0100 +++ new/iptables-1.4.19.1/utils/Makefile.in 2013-05-29 15:50:11.000000000 +0200 @@ -53,7 +53,10 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -sbin_PROGRAMS = nfnl_osf$(EXEEXT) +sbin_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) +@HAVE_LIBNFNETLINK_TRUE@am__append_1 = nfnl_osf +@HAVE_LIBNFNETLINK_TRUE@am__append_2 = pf.os +@ENABLE_BPFC_TRUE@am__append_3 = nfbpf_compile subdir = utils DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -67,11 +70,17 @@ CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +@HAVE_LIBNFNETLINK_TRUE@am__EXEEXT_1 = nfnl_osf$(EXEEXT) +@ENABLE_BPFC_TRUE@am__EXEEXT_2 = nfbpf_compile$(EXEEXT) am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(pkgdatadir)" PROGRAMS = $(sbin_PROGRAMS) +nfbpf_compile_SOURCES = nfbpf_compile.c +nfbpf_compile_OBJECTS = nfbpf_compile.$(OBJEXT) +nfbpf_compile_DEPENDENCIES = nfnl_osf_SOURCES = nfnl_osf.c nfnl_osf_OBJECTS = nfnl_osf.$(OBJEXT) -nfnl_osf_DEPENDENCIES = +am__DEPENDENCIES_1 = +@HAVE_LIBNFNETLINK_TRUE@nfnl_osf_DEPENDENCIES = $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__depfiles_maybe = depfiles 
@@ -85,8 +94,8 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = nfnl_osf.c -DIST_SOURCES = nfnl_osf.c +SOURCES = nfbpf_compile.c nfnl_osf.c +DIST_SOURCES = nfbpf_compile.c nfnl_osf.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -259,8 +268,9 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ -I${top_srcdir}/include ${libnfnetlink_CFLAGS} -pkgdata_DATA = pf.os -nfnl_osf_LDADD = -lnfnetlink +pkgdata_DATA = $(am__append_2) +@HAVE_LIBNFNETLINK_TRUE@nfnl_osf_LDADD = ${libnfnetlink_LIBS} +@ENABLE_BPFC_TRUE@nfbpf_compile_LDADD = -lpcap all: all-am .SUFFIXES: @@ -341,6 +351,9 @@ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list +nfbpf_compile$(EXEEXT): $(nfbpf_compile_OBJECTS) $(nfbpf_compile_DEPENDENCIES) $(EXTRA_nfbpf_compile_DEPENDENCIES) + @rm -f nfbpf_compile$(EXEEXT) + $(LINK) $(nfbpf_compile_OBJECTS) $(nfbpf_compile_LDADD) $(LIBS) nfnl_osf$(EXEEXT): $(nfnl_osf_OBJECTS) $(nfnl_osf_DEPENDENCIES) $(EXTRA_nfnl_osf_DEPENDENCIES) @rm -f nfnl_osf$(EXEEXT) $(LINK) $(nfnl_osf_OBJECTS) $(nfnl_osf_LDADD) $(LIBS) @@ -351,6 +364,7 @@ distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nfbpf_compile.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nfnl_osf.Po@am__quote@ .c.o: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/iptables-1.4.18/utils/nfbpf_compile.c new/iptables-1.4.19.1/utils/nfbpf_compile.c --- old/iptables-1.4.18/utils/nfbpf_compile.c 1970-01-01 01:00:00.000000000 +0100 +++ new/iptables-1.4.19.1/utils/nfbpf_compile.c 2013-05-29 15:48:30.000000000 +0200 
@@ -0,0 +1,55 @@
+/*
+ * BPF program compilation tool
+ *
+ * Generates decimal output, similar to `tcpdump -ddd ...`.
+ * Unlike tcpdump, will generate for any given link layer type.
+ *
+ * Written by Willem de Bruijn ([email protected])
+ * Copyright Google, Inc. 2013
+ * Licensed under the GNU General Public License version 2 (GPLv2)
+*/
+
+#include <pcap.h>
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ struct bpf_program program;
+ struct bpf_insn *ins;
+ int i, dlt = DLT_RAW;
+
+ if (argc < 2 || argc > 3) {
+ fprintf(stderr, "Usage: %s [link] '<program>'\n\n"
+ " link is a pcap linklayer type:\n"
+ " one of EN10MB, RAW, SLIP, ...\n\n"
+ "Examples: %s RAW 'tcp and greater 100'\n"
+ " %s EN10MB 'ip proto 47'\n'",
+ argv[0], argv[0], argv[0]);
+ return 1;
+ }
+
+ if (argc == 3) {
+ dlt = pcap_datalink_name_to_val(argv[1]);
+ if (dlt == -1) {
+ fprintf(stderr, "Unknown datalinktype: %s\n", argv[1]);
+ return 1;
+ }
+ }
+
+ if (pcap_compile_nopcap(65535, dlt, &program, argv[argc - 1], 1,
+ PCAP_NETMASK_UNKNOWN)) {
+ fprintf(stderr, "Compilation error\n");
+ return 1;
+ }
+
+ printf("%d,", program.bf_len);
+ ins = program.bf_insns;
+ for (i = 0; i < program.bf_len-1; ++ins, ++i)
+ printf("%u %u %u %u,", ins->code, ins->jt, ins->jf, ins->k);
+
+ printf("%u %u %u %u\n", ins->code, ins->jt, ins->jf, ins->k);
+
+ pcap_freecode(&program);
+ return 0;
+}
+
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
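Review bot: The output loop `for (i = 0; i < program.bf_len-1; ++ins, ++i)` breaks down when bf_len is 0: bf_len is an unsigned count, so bf_len-1 wraps and the loop walks off the end of bf_insns, and the trailing printf dereferences ins regardless, so a `bf_len == 0` guard is needed right after pcap_compile_nopcap() succeeds. `printf("%d,", program.bf_len)` also hands an unsigned value to `%d`, and the usage string ends in a stray `'` (`" %s EN10MB 'ip proto 47'\n'"`) that prints a lone quote on its own line. Since xt_bpf.h in this diff caps a program at XT_BPF_MAX_NUM_INSTR (64) instructions, the tool would be more useful if it warned on stderr when bf_len exceeds that, rather than emitting output the bpf match presumably rejects later. The rewrite below adds the guard and the warning; the instruction loop and the rest of main are unchanged.
```c
	if (pcap_compile_nopcap(65535, dlt, &program, argv[argc - 1], 1,
				PCAP_NETMASK_UNKNOWN)) {
		fprintf(stderr, "Compilation error\n");
		return 1;
	}

	/* bf_len is unsigned: an empty program would make bf_len-1 wrap below */
	if (program.bf_len == 0) {
		fprintf(stderr, "Compilation produced no instructions\n");
		pcap_freecode(&program);
		return 1;
	}
	/* 64 mirrors XT_BPF_MAX_NUM_INSTR in include/linux/netfilter/xt_bpf.h */
	if (program.bf_len > 64)
		fprintf(stderr, "Warning: %u instructions exceed the %u the bpf match accepts\n",
			program.bf_len, 64u);

	printf("%u,", program.bf_len);
	/* … unchanged: instruction output loop, pcap_freecode, return 0 … */
```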
