Jan Engelhardt [Sun, 18 Sep 2011 13:06:05 +0000 (15:06 +0200)]
build: restore build order of modules
iptables(exe) requires libext.a, but extensions/ require libxtables.la
(in iptables/). This circular dependency does not work out, so
separate libxtables into its own directory and put it in front.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 27 Aug 2011 09:12:49 +0000 (11:12 +0200)]
libiptc: combine common types
Make an xt_chainlabel type out of ipt_chainlabel and ip6t_chainlabel,
and add backward-API #defines. The ABI naturally does not change
either, so no soversion bump.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 11 Sep 2011 15:24:26 +0000 (17:24 +0200)]
libiptc: resolve compile failure
CC libip4tc.lo
In file included from libip4tc.c:118:0:
libiptc.c:70:8: error: redefinition of "struct xt_error_target"
../include/linux/netfilter/x_tables.h:69:8: note: originally defined here
Remove libiptc's duplicate definition and substitute names.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 8 Sep 2011 15:08:37 +0000 (17:08 +0200)]
build: sort file list before build
Manpage subsections are already sorted for obvious reasons. Since
$(wildcard) can actually return results unordered (just what the OS
can do) do the sorting with the .o file list too, for developer
comfort.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 3 Sep 2011 12:27:55 +0000 (14:27 +0200)]
iptables: move kernel version find routing into libxtables
That way, the remaining unreferenced symbols that do appear in
libipt_DNAT and libipt_SNAT as part of the new check can be resolved,
and the ugly -rdynamic hack can finally be removed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Tom Eastep [Thu, 18 Aug 2011 22:11:16 +0000 (15:11 -0700)]
libxt_conntrack: improve error message on parsing violation
Tom Eastep noted:
$ iptables -A foo -m conntrack --ctorigdstport 22
iptables v1.4.12: conntrack rev 2 does not support port ranges
Try `iptables -h' or 'iptables --help' for more information.
Commit v1.4.12-41-g1ad6407 takes care of the actual cause of the bug,
but let's include Tom's patch nevertheless for the better error
message in case one actually does specify a range with rev 2.
References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 27 Aug 2011 15:59:52 +0000 (17:59 +0200)]
xtoptions: fill in fallback value for nvals
Parsing for libxt_conntrack rev 2 is done by using rev 2's option
structure, which specifies XTTYPE_PORT, and using rev 3's parser
skeleton, which uses cb->nvals. Reading cb->nvals when not using
XTTYPE_PORTRC (or any other multi-value type) is undefined behavior.
Make it defined. Since XTTYPE_NONE is the only type that can take
void, nvals logically ought to be 1.
References: http://marc.info/?l=netfilter-devel&m=131370592105298&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 11:04:38 +0000 (13:04 +0200)]
libxt_hashlimit: observe new default gc-expire time when saving
Since a while, --htable-gc-expire defaults to the chosen time quantum
instead of 10 fixed seconds, which leads the expiry value to be always
printed, which is redundant.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 10:27:06 +0000 (12:27 +0200)]
libxt_physdev: restore inversion support
Bug origin is in commit v1.4.11~26^2~4.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 10:25:06 +0000 (12:25 +0200)]
libxt_owner: restore inversion support
Bug origin is in commit v1.4.11~16^2~7.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 09:41:13 +0000 (11:41 +0200)]
libip6t_frag: restore inversion support
--fraglen also was not printed since v1.4.11~26^2~22.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 08:06:18 +0000 (10:06 +0200)]
libxt_conntrack: fix --ctproto 0 output
First, we are missing XTOPT_PUT when trying to use XTOPT_POINTER.
(Next commit will flag this.) Furthermore, l4proto is of type
uint16_t, while XTTYPE_PROTOCOL wants a uint8_t so the idea would not
work => revert v1.4.12~1^2.
Bug goes back to v1.4.12~1^2.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 06:52:56 +0000 (08:52 +0200)]
libxt_dscp: restore inversion support
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:39:21 +0000 (09:39 +0200)]
libxt_dccp: fix random output of ! on --dccp-option
dccp-option tests info->typemask, but it really should look at
info->invflags instead.
This bug goes back to commit v1.3.4~11.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:15:20 +0000 (09:15 +0200)]
libxt_dccp: provide man pages options in short help too
This omission goes back to commit v1.3.4~11.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:12:27 +0000 (09:12 +0200)]
libxt_dccp: spell out option name on save
This glitch goes back to commit v1.3.4~11.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:08:04 +0000 (09:08 +0200)]
libxt_dccp: fix deprecated intrapositional ordering of !
This bug goes back to v1.4.3~63.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 21 Aug 2011 07:05:31 +0000 (09:05 +0200)]
libxt_dccp: restore missing XTOPT_INVERT tags for options
This regression goes back to v1.4.11~19^2.
References: Dave Täht via netfilter-devel on 2011-08-20 14:40:11 -0700
References: <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 20 Aug 2011 16:26:48 +0000 (18:26 +0200)]
libxt_tcp: always print the mask parts
0xFF is unlikely to happen (given that ALL translates to 0x3F at
most), but assuming that through magic, 0xFF was put into memory,
iptables -S/iptables-save would ignore printing it, practically
outputting just one argument to --tcp-flags which currently wants two.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 8 Aug 2011 00:38:41 +0000 (02:38 +0200)]
libipq: add pkgconfig file
This is just to make sure that projects (still) using it do so with
the right cflags, e.g. for when the include file ends up in a
non-standard location due to ./configure having been called with
--include=/somewhere/else.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 1 Aug 2011 18:22:04 +0000 (20:22 +0200)]
build: strengthen check for overlong lladdr components
ethermac[i] > UINT8_MAX is quite pointless, because ethermac[i] is
just uint8_t. To catch values that are not in the range "00"-"ff", use
a string length check (end-arg>2). I am willingly using 2 there,
because no one is going to specify an Ethernet LL address as
"0x00:0x24:0xbe:0xc2:0x7f:0x16" -- because it is always interpreted as
hexadecimal anyway even without the 0x prefix.
xtoptions.c: In function "xtopt_parse_ethermac":
xtoptions.c:760:3: warning: comparison is always false due to limited range of data type
xtoptions.c:766:2: warning: comparison is always false due to limited range of data type
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sat, 9 Jul 2011 14:01:18 +0000 (16:01 +0200)]
libxtables: properly reject empty hostnames
An empty hostname in the address list of an -s/-d argument, which may
be the result of a typo, is interpreted as 0/0, which, when combined
with -j ACCEPT, leads to an undesired opening of the firewall.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Martin F. Krafft [Tue, 22 Sep 2009 19:07:13 +0000 (21:07 +0200)]
iptables-apply: select default rule file depending on call name
ip6tables-apply points to iptables-apply (which is good). Since
iptables/ip6tables rule files are different, the reporter suggests
that the DEFAULT_FILE variable should depend on whether iptables-apply
or ip6tables-apply is run.
References: http://bugs.debian.org/547734 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 24 Jun 2011 18:16:48 +0000 (20:16 +0200)]
build: attempt to fix building under Linux 2.4
iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.
xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)
References: http://bugzilla.netfilter.org/show_bug.cgi?id=720 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:26:02 +0000 (15:26 +0200)]
iptables: Coverity: RESOURCE_LEAK
xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:26:00 +0000 (15:26 +0200)]
iptables: Coverity: VARARGS
xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:25:57 +0000 (15:25 +0200)]
iptables: Coverity: NEGATIVE_RETURNS
libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
libipq.c:234: negative_returns: "h->fd" is passed to a parameter that
cannot be negative.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
projects / thirdparty / iptables.git / log
