Jan Engelhardt [Sun, 11 Sep 2011 15:24:26 +0000 (17:24 +0200)]
libiptc: resolve compile failure
CC libip4tc.lo
In file included from libip4tc.c:118:0:
libiptc.c:70:8: error: redefinition of "struct xt_error_target"
../include/linux/netfilter/x_tables.h:69:8: note: originally defined here
Remove libiptc's duplicate definition and substitute names.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 8 Sep 2011 15:08:37 +0000 (17:08 +0200)]
build: sort file list before build
Manpage subsections are already sorted for obvious reasons. Since
$(wildcard) can actually return results unordered (just what the OS
can do) do the sorting with the .o file list too, for developer
comfort.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 3 Sep 2011 12:27:55 +0000 (14:27 +0200)]
iptables: move kernel version find routing into libxtables
That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Tom Eastep [Thu, 18 Aug 2011 22:11:16 +0000 (15:11 -0700)]
libxt_conntrack: improve error message on parsing violation
Tom Eastep noted:
$ iptables -A foo -m conntrack --ctorigdstport 22
iptables v1.4.12: conntrack rev 2 does not support port ranges
Try `iptables -h' or 'iptables --help' for more information.
Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
but let's include Tom's patch nevertheless for the better error
message in case one actually does specify a range with rev 2.
References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 27 Aug 2011 15:59:52 +0000 (17:59 +0200)]
xtoptions: fill in fallback value for nvals
Parsing for libxt_conntrack rev 2 is done by using rev 2's option
structure, which specifies XTTYPE_PORT, and using rev 3's parser
skeleton, which uses cb->nvals. Reading cb->nvals when not using
XTTYPE_PORTRC (or any other multi-value type) is undefined behavior.
Make it defined. Since XTTYPE_NONE is the only type that can take
void, nvals logically ought to be 1.
References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 11:04:38 +0000 (13:04 +0200)]
libxt_hashlimit: observe new default gc-expire time when saving
Since a while, --htable-gc-expire defaults to the chosen time quantum
instead of 10 fixed seconds, which leads the expiry value to be always
printed, which is redundant.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 10:27:06 +0000 (12:27 +0200)]
libxt_physdev: restore inversion support
Bug origin is in commit v1.4.11~26^2~4.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 10:25:06 +0000 (12:25 +0200)]
libxt_owner: restore inversion support
Bug origin is in commit v1.4.11~16^2~7.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 09:41:13 +0000 (11:41 +0200)]
libip6t_frag: restore inversion support
--fraglen also was not printed since v1.4.11~26^2~22.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 08:06:18 +0000 (10:06 +0200)]
libxt_conntrack: fix --ctproto 0 output
First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER.
(Next commit will flag this.) Furthermore, l4proto is of type
uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not
work => revert v1.4.12~1^2.
Bug goes back to v1.4.12~1^2.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 06:52:56 +0000 (08:52 +0200)]
libxt_dscp: restore inversion support
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:39:21 +0000 (09:39 +0200)]
libxt_dccp: fix random output of ! on --dccp-option
dccp-option tests info->typemask, but it really should look at
info->invflags instead.
This bug goes back to commit v1.3.4~11.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:15:20 +0000 (09:15 +0200)]
libxt_dccp: provide man pages options in short help too
This omission goes back to commit v1.3.4~11.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:12:27 +0000 (09:12 +0200)]
libxt_dccp: spell out option name on save
This glitch goes back to commit v1.3.4~11.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:08:04 +0000 (09:08 +0200)]
libxt_dccp: fix deprecated intrapositional ordering of !
This bug goes back to v1.4.3~63.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:05:31 +0000 (09:05 +0200)]
libxt_dccp: restore missing XTOPT_INVERT tags for options
This regression goes back to v1.4.11~19^2.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 20 Aug 2011 16:26:48 +0000 (18:26 +0200)]
libxt_tcp: always print the mask parts
0xFF is unlikely to happen (given that ALL translates to 0x3F at
most), but assuming that through magic, 0xFF was put into memory,
iptables -S/iptables-save would ignore printing it, practically
outputting just one argument to --tcp-flags which currently wants two.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 8 Aug 2011 00:38:41 +0000 (02:38 +0200)]
libipq: add pkgconfig file
This is just to make sure that projects (still) using it do so with
the right cflags, e.g. for when the include file ends up in a
non-standard location due to ./configure having been called with
--include=/somewhere/else.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 1 Aug 2011 18:22:04 +0000 (20:22 +0200)]
build: strengthen check for overlong lladdr components
ethermac[i] > UINT8_MAX is quite pointless, because ethermac[i] is
just uint8_t. To catch values that are not in the range "00"-"ff", use
a string length check (end-arg>2). I am willingly using 2 there,
because no one is going to specify an Ethernet LL address as
"0x00:0x24:0xbe:0xc2:0x7f:0x16" -- because it is always interpreted as
hexadecimal anyway even without the 0x prefix.
xtoptions.c: In function "xtopt_parse_ethermac":
xtoptions.c:760:3: warning: comparison is always false due to limited range of data type
xtoptions.c:766:2: warning: comparison is always false due to limited range of data type
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 9 Jul 2011 14:01:18 +0000 (16:01 +0200)]
libxtables: properly reject empty hostnames
An empty hostname in the address list of an -s/-d argument, which may
be the result of a typo, is interpreted as 0/0, which, when combined
with -j ACCEPT, leads to an undesired opening of the firewall.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Martin F. Krafft [Tue, 22 Sep 2009 19:07:13 +0000 (21:07 +0200)]
iptables-apply: select default rule file depending on call name
ip6tables-apply points to iptables-apply (which is good). Since
iptables/ip6tables rule files are different, the reporter suggests
that the DEFAULT_FILE variable should depend on whether iptables-apply
or ip6tables-apply is run.
References: http://bugs.debian.org/547734 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 24 Jun 2011 18:16:48 +0000 (20:16 +0200)]
build: attempt to fix building under Linux 2.4
iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.
xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)
References: http://bugzilla.netfilter.org/show_bug.cgi?id=720 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:26:02 +0000 (15:26 +0200)]
iptables: Coverity: RESOURCE_LEAK
xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:26:00 +0000 (15:26 +0200)]
iptables: Coverity: VARARGS
xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:25:57 +0000 (15:25 +0200)]
iptables: Coverity: NEGATIVE_RETURNS
libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
libipq.c:234: negative_returns: "h->fd" is passed to a parameter that
cannot be negative.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:25:55 +0000 (15:25 +0200)]
iptables: Coverity: DEADCODE
libiptc.c:407: dead_error_condition: On this path, the condition
"res > 0" cannot be false.
libiptc.c:396: at_least: After this line, the value of "res" is at
least 1.
libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as
false.
libiptc.c:396: new_values: Noticing condition "res < 0".
libiptc.c:425: new_values: Noticing condition "res < 0".
libiptc.c:407: new_values: Noticing condition "res > 0".
libiptc.c:435: dead_error_line: Execution cannot reach this statement
"return list_pos;".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 22 Jun 2011 09:18:19 +0000 (11:18 +0200)]
libxt_hashlimit: use a more obvious expiry value by default
Due to the previous default expiry of 10 sec, "--hashlimit 1/min"
would allow matching up to 6/min if a properly timed. To do what the
user expects, the minimum expiry must equal the selected time quantum
however.
Cc: Jan Rovner <jan.rovner@diadema.cz> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
doc: document IPv6 TOS mangling bug in old Linux kernels
In Linux kernels up to and including 2.6.38, with the exception of longterm
releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug (*) whereby
IPv6 TOS mangling does not behave as documented and differs from the IPv4
version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.
projects / thirdparty / iptables.git / log
