Jan Engelhardt [Sat, 9 Jul 2011 14:01:18 +0000 (16:01 +0200)]
libxtables: properly reject empty hostnames
An empty hostname in the address list of an -s/-d argument, which may
be the result of a typo, is interpreted as 0/0, which, when combined
with -j ACCEPT, leads to an undesired opening of the firewall.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Martin F. Krafft [Tue, 22 Sep 2009 19:07:13 +0000 (21:07 +0200)]
iptables-apply: select default rule file depending on call name
ip6tables-apply points to iptables-apply (which is good). Since
iptables/ip6tables rule files are different, the reporter suggests
that the DEFAULT_FILE variable should depend on whether iptables-apply
or ip6tables-apply is run.
References: http://bugs.debian.org/547734 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Fri, 24 Jun 2011 18:16:48 +0000 (20:16 +0200)]
build: attempt to fix building under Linux 2.4
iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.
xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)
References: http://bugzilla.netfilter.org/show_bug.cgi?id=720 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:26:02 +0000 (15:26 +0200)]
iptables: Coverity: RESOURCE_LEAK
xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:26:00 +0000 (15:26 +0200)]
iptables: Coverity: VARARGS
xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:25:57 +0000 (15:25 +0200)]
iptables: Coverity: NEGATIVE_RETURNS
libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
libipq.c:234: negative_returns: "h->fd" is passed to a parameter that
cannot be negative.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jiri Popelka [Fri, 10 Jun 2011 13:25:55 +0000 (15:25 +0200)]
iptables: Coverity: DEADCODE
libiptc.c:407: dead_error_condition: On this path, the condition
"res > 0" cannot be false.
libiptc.c:396: at_least: After this line, the value of "res" is at
least 1.
libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as
false.
libiptc.c:396: new_values: Noticing condition "res < 0".
libiptc.c:425: new_values: Noticing condition "res < 0".
libiptc.c:407: new_values: Noticing condition "res > 0".
libiptc.c:435: dead_error_line: Execution cannot reach this statement
"return list_pos;".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Wed, 22 Jun 2011 09:18:19 +0000 (11:18 +0200)]
libxt_hashlimit: use a more obvious expiry value by default
Due to the previous default expiry of 10 sec, "--hashlimit 1/min"
would allow matching up to 6/min if a properly timed. To do what the
user expects, the minimum expiry must equal the selected time quantum
however.
Cc: Jan Rovner <jan.rovner@diadema.cz> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
doc: document IPv6 TOS mangling bug in old Linux kernels
In Linux kernels up to and including 2.6.38, with the exception of longterm
releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug (*) whereby
IPv6 TOS mangling does not behave as documented and differs from the IPv4
version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.
Jan Engelhardt [Tue, 7 Jun 2011 20:20:13 +0000 (22:20 +0200)]
option: fix ignored negation before implicit extension loading
`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.
Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 7 Jun 2011 17:06:51 +0000 (19:06 +0200)]
tests: add some sample rulesets to test save-restore cycle
These rulesets use practically all options (I may have missed some)
for verification that the new Guided Option Parser would take the same
input as the old open-coded ones did. They might come in handy at some
point.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 29 May 2011 23:54:28 +0000 (01:54 +0200)]
doc: update GPL license text
The Open Build Service/rpmlint flagged the outdated address in the
license text :-)
iptables.x86_64: W: incorrect-fsf-address
/usr/share/doc/packages/iptables/COPYING
The Free Software Foundation address in this file seems to be outdated
or misspelled. Ask upstream to update the address, or if this is a
license file, possibly the entire file with a new copy available from
the FSF.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Sun, 29 May 2011 23:39:54 +0000 (01:39 +0200)]
build: remove dead code parts
gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags
no-op code.
CC libiptc/libip4tc.lo
In file included from libiptc/libip4tc.c:118:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC libiptc/libip6tc.lo
In file included from libiptc/libip6tc.c:113:0:
libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
libiptc/libiptc.c: In function "alloc_handle":
libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
CC xtables_multi-iptables-xml.o
iptables-xml.c: In function "do_rule_part":
iptables-xml.c:376:8: warning: variable "thisChain" set but not used
CC xtables_multi-ip6tables.o
ip6tables.c: In function "print_firewall":
ip6tables.c:552:10: warning: variable "flags" set but not used
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Comparing against the kernel time zone has significant caveats. This
patch adds documentation about the issue, and makes --utc the default
setting for libxt_time.
Furthremore, throw a warning on using the "--localtz" option, to avoid
confusion with one's shell TZ environment variable, and rename it to
"--kerneltz" to be explicit about whose timezone will be used.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Mon, 23 May 2011 15:42:37 +0000 (17:42 +0200)]
libxt_time: always ignore libc timezone
Since xt_time is meant to work across many months, libc doing
automatic conversion from local time to UTC (during parse) is
unwanted, especially when --utc is specified. The same goes for
dumping.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 24 May 2011 21:50:29 +0000 (23:50 +0200)]
libxtables: have xtopt_parse_mint interpret partially-spec'd ranges
When ":n" or "n:" is specified, it will now be interpreted as "0:n"
and "n:<max>", respecitvely. nvals will always reflect the number of
(expanded) components. This restores the functionality of options that
take such partially-unspecified ranges.
This makes it possible to nuke the per-matchdata init functions of
some extensions and simply the extensions postparsing to the point
where it only needs to check for nvals==1 or ==2.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Lutz Jaenicke [Wed, 18 May 2011 13:11:47 +0000 (15:11 +0200)]
libipt_REDIRECT: "--to-ports" is not mandatory
The REDIRECT target can be called without the --to-ports option
being specified. From the manual page:
...without this, the destination port is never altered.
Signed-off-by: Lutz Jaenicke <ljaenicke@innominate.com> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Thu, 12 May 2011 22:15:45 +0000 (00:15 +0200)]
libipt_[SD]NAT: avoid false error about multiple destinations specified
iptables-restore v1.4.10: DNAT: Multiple --to-destination not supported
xtables_option_parse sets cb->xflags already, so that it cannot be
directly used to test whether an option is being used for the second
time. Thus use a private option/flag (X_TO_DEST/SRC) that is not under
the control of xtables_option_parse.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
projects / thirdparty / iptables.git / log
