summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--configure.ac16
-rw-r--r--extensions/GNUmakefile.in2
-rw-r--r--extensions/libip6t_REJECT.man7
-rw-r--r--extensions/libipt_REJECT.man6
-rw-r--r--extensions/libxt_LOG.man6
-rw-r--r--extensions/libxt_NFQUEUE.man13
-rw-r--r--extensions/libxt_SYNPROXY.c127
-rw-r--r--extensions/libxt_cluster.man5
-rw-r--r--extensions/libxt_conntrack.man4
-rw-r--r--extensions/libxt_hashlimit.man2
-rw-r--r--extensions/libxt_recent.c2
-rw-r--r--extensions/libxt_recent.man3
-rw-r--r--extensions/libxt_set.h52
-rw-r--r--extensions/libxt_socket.c62
-rw-r--r--extensions/libxt_socket.man21
-rw-r--r--extensions/libxt_string.man10
-rw-r--r--include/linux/netfilter/ipset/ip_set.h9
-rw-r--r--include/linux/netfilter/xt_SYNPROXY.h16
-rw-r--r--include/linux/netfilter/xt_socket.h7
-rw-r--r--include/xtables.h4
-rw-r--r--iptables/.gitignore1
-rw-r--r--iptables/Makefile.am2
-rw-r--r--iptables/ip6tables-restore.869
-rw-r--r--iptables/ip6tables-save.854
-rw-r--r--iptables/ip6tables-standalone.c2
-rw-r--r--iptables/ip6tables.81
-rw-r--r--iptables/ip6tables.8.in463
-rw-r--r--iptables/ip6tables.c42
-rw-r--r--iptables/iptables-apply.8.in (renamed from iptables/iptables-apply.8)2
-rw-r--r--iptables/iptables-restore.8.in (renamed from iptables/iptables-restore.8)24
-rw-r--r--iptables/iptables-save.8.in (renamed from iptables/iptables-save.8)17
-rw-r--r--iptables/iptables-xml.1.in (renamed from iptables/iptables-xml.1)2
-rw-r--r--iptables/iptables.8.in56
-rw-r--r--iptables/iptables.c42
-rw-r--r--libxtables/xtables.c4
-rw-r--r--utils/Makefile.am5
-rw-r--r--utils/nfsynproxy.c228
37 files changed, 695 insertions, 693 deletions
diff --git a/configure.ac b/configure.ac
index f8affedd..e83304c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([iptables], [1.4.20])
+AC_INIT([iptables], [1.4.21])
# See libtool.info "Libtool's versioning system"
libxtables_vcurrent=10
@@ -54,6 +54,9 @@ AC_ARG_ENABLE([libipq],
AC_ARG_ENABLE([bpf-compiler],
AS_HELP_STRING([--enable-bpf-compiler], [Build bpf compiler]),
[enable_bpfc="yes"], [enable_bpfc="no"])
+AC_ARG_ENABLE([nfsynproxy],
+ AS_HELP_STRING([--enable-nfsynproxy], [Build SYNPROXY configuration tool]),
+ [enable_nfsynproxy="yes"], [enable_nfsynproxy="no"])
AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
[Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]),
[pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig'])
@@ -102,9 +105,10 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test "$enable_largefile" = "yes"])
AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
+AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
-if test "x$enable_bpfc" = "xyes"; then
- AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler))
+if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
+ AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
fi
PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
@@ -155,8 +159,9 @@ AC_SUBST([libxtables_vmajor])
AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
iptables/Makefile iptables/xtables.pc
- iptables/iptables.8 iptables/ip6tables.8
- iptables/iptables-extensions.8.tmpl
+ iptables/iptables.8 iptables/iptables-extensions.8.tmpl
+ iptables/iptables-save.8 iptables/iptables-restore.8
+ iptables/iptables-apply.8 iptables/iptables-xml.1
libipq/Makefile libipq/libipq.pc
libiptc/Makefile libiptc/libiptc.pc
libiptc/libip4tc.pc libiptc/libip6tc.pc
@@ -176,6 +181,7 @@ Iptables Configuration:
IPQ support: ${enable_libipq}
Large file support: ${enable_largefile}
BPF utils support: ${enable_bpfc}
+ nfsynproxy util support: ${enable_nfsynproxy}
Build parameters:
Put plugins into executable (static): ${enable_static}
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 780e7150..52915725 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -21,7 +21,7 @@ regular_CPPFLAGS = @regular_CPPFLAGS@
kinclude_CPPFLAGS = @kinclude_CPPFLAGS@
AM_CFLAGS = ${regular_CFLAGS}
-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS} @libnetfilter_conntrack_CFLAGS@
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_builddir} -I${top_srcdir}/include ${kinclude_CPPFLAGS} ${CPPFLAGS} @libnetfilter_conntrack_CFLAGS@
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
AM_LDFLAGS = @noundef_LDFLAGS@
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
index 2d09e050..0030a51f 100644
--- a/extensions/libip6t_REJECT.man
+++ b/extensions/libip6t_REJECT.man
@@ -18,10 +18,9 @@ The type given can be
\fBicmp6\-adm\-prohibited\fP,
\fBadm\-prohibited\fP,
\fBicmp6\-addr\-unreachable\fP,
-\fBaddr\-unreach\fP,
-\fBicmp6\-port\-unreachable\fP or
-\fBport\-unreach\fP
-which return the appropriate ICMPv6 error message (\fBport\-unreach\fP is
+\fBaddr\-unreach\fP, or
+\fBicmp6\-port\-unreachable\fP,
+which return the appropriate ICMPv6 error message (\fBicmp6\-port\-unreachable\fP is
the default). Finally, the option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
index c419a85e..926da033 100644
--- a/extensions/libipt_REJECT.man
+++ b/extensions/libipt_REJECT.man
@@ -18,9 +18,9 @@ The type given can be
\fBicmp\-port\-unreachable\fP,
\fBicmp\-proto\-unreachable\fP,
\fBicmp\-net\-prohibited\fP,
-\fBicmp\-host\-prohibited\fP or
-\fBicmp\-admin\-prohibited\fP (*)
-which return the appropriate ICMP error message (\fBport\-unreachable\fP is
+\fBicmp\-host\-prohibited\fP, or
+\fBicmp\-admin\-prohibited\fP (*),
+which return the appropriate ICMP error message (\fBicmp\-port\-unreachable\fP is
the default). The option
\fBtcp\-reset\fP
can be used on rules which only match the TCP protocol: this causes a
diff --git a/extensions/libxt_LOG.man b/extensions/libxt_LOG.man
index 6d3a83a4..354edf4c 100644
--- a/extensions/libxt_LOG.man
+++ b/extensions/libxt_LOG.man
@@ -1,10 +1,8 @@
Turn on kernel logging of matching packets. When this option is set
for a rule, the Linux kernel will print some information on all
matching packets (like most IP/IPv6 header fields) via the kernel log
-(where it can be read with
-.I dmesg
-or
-.IR syslogd (8)).
+(where it can be read with \fIdmesg(1)\fP or read in the syslog).
+.PP
This is a "non-terminating target", i.e. rule traversal continues at
the next rule. So if you want to LOG the packets you refuse, use two
separate rules with the same matching criteria, first using target LOG
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 7a991291..1bfb7b84 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -1,11 +1,12 @@
-This target is an extension of the QUEUE target. As opposed to QUEUE, it allows
-you to put a packet into any specific queue, identified by its 16-bit queue
-number.
-It can only be used with Kernel versions 2.6.14 or later, since it requires
-the
+This target passes the packet to userspace using the
+\fBnfnetlink_queue\fP handler. The packet is put into the queue
+identified by its 16-bit queue number. Userspace can inspect
+and modify the packet if desired. Userspace must then drop or
+reinject the packet into the kernel. Please see libnetfilter_queue
+for details.
.B
nfnetlink_queue
-kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31,
+was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
\fBqueue-bypass\fP in 2.6.39.
.TP
\fB\-\-queue\-num\fP \fIvalue\fP
diff --git a/extensions/libxt_SYNPROXY.c b/extensions/libxt_SYNPROXY.c
new file mode 100644
index 00000000..475590ea
--- /dev/null
+++ b/extensions/libxt_SYNPROXY.c
@@ -0,0 +1,127 @@
+
+/*
+ * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <xtables.h>
+#include <linux/netfilter/xt_SYNPROXY.h>
+
+enum {
+ O_SACK_PERM = 0,
+ O_TIMESTAMP,
+ O_WSCALE,
+ O_MSS,
+ O_ECN,
+};
+
+static void SYNPROXY_help(void)
+{
+ printf(
+"SYNPROXY target options:\n"
+" --sack-perm Set SACK_PERM\n"
+" --timestamp Set TIMESTAMP\n"
+" --wscale value Set window scaling factor\n"
+" --mss value Set MSS value\n"
+" --ecn Set ECN\n");
+}
+
+static const struct xt_option_entry SYNPROXY_opts[] = {
+ {.name = "sack-perm", .id = O_SACK_PERM, .type = XTTYPE_NONE, },
+ {.name = "timestamp", .id = O_TIMESTAMP, .type = XTTYPE_NONE, },
+ {.name = "wscale", .id = O_WSCALE, .type = XTTYPE_UINT32, },
+ {.name = "mss", .id = O_MSS, .type = XTTYPE_UINT32, },
+ {.name = "ecn", .id = O_ECN, .type = XTTYPE_NONE, },
+ XTOPT_TABLEEND,
+};
+
+static void SYNPROXY_parse(struct xt_option_call *cb)
+{
+ struct xt_synproxy_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_SACK_PERM:
+ info->options |= XT_SYNPROXY_OPT_SACK_PERM;
+ break;
+ case O_TIMESTAMP:
+ info->options |= XT_SYNPROXY_OPT_TIMESTAMP;
+ break;
+ case O_WSCALE:
+ info->options |= XT_SYNPROXY_OPT_WSCALE;
+ info->wscale = cb->val.u32;
+ break;
+ case O_MSS:
+ info->options |= XT_SYNPROXY_OPT_MSS;
+ info->mss = cb->val.u32;
+ break;
+ case O_ECN:
+ info->options |= XT_SYNPROXY_OPT_ECN;
+ break;
+ }
+}
+
+static void SYNPROXY_check(struct xt_fcheck_call *cb)
+{
+}
+
+static void SYNPROXY_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_synproxy_info *info =
+ (const struct xt_synproxy_info *)target->data;
+
+ printf(" SYNPROXY ");
+ if (info->options & XT_SYNPROXY_OPT_SACK_PERM)
+ printf("sack-perm ");
+ if (info->options & XT_SYNPROXY_OPT_TIMESTAMP)
+ printf("timestamp ");
+ if (info->options & XT_SYNPROXY_OPT_WSCALE)
+ printf("wscale %u ", info->wscale);
+ if (info->options & XT_SYNPROXY_OPT_MSS)
+ printf("mss %u ", info->mss);
+ if (info->options & XT_SYNPROXY_OPT_ECN)
+ printf("ecn ");
+}
+
+static void SYNPROXY_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_synproxy_info *info =
+ (const struct xt_synproxy_info *)target->data;
+
+ if (info->options & XT_SYNPROXY_OPT_SACK_PERM)
+ printf(" --sack-perm");
+ if (info->options & XT_SYNPROXY_OPT_TIMESTAMP)
+ printf(" --timestamp");
+ if (info->options & XT_SYNPROXY_OPT_WSCALE)
+ printf(" --wscale %u", info->wscale);
+ if (info->options & XT_SYNPROXY_OPT_MSS)
+ printf(" --mss %u", info->mss);
+ if (info->options & XT_SYNPROXY_OPT_ECN)
+ printf(" --ecn");
+}
+
+static struct xtables_target synproxy_tg_reg = {
+ .family = NFPROTO_UNSPEC,
+ .name = "SYNPROXY",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_synproxy_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_synproxy_info)),
+ .help = SYNPROXY_help,
+ .print = SYNPROXY_print,
+ .save = SYNPROXY_save,
+ .x6_parse = SYNPROXY_parse,
+ .x6_fcheck = SYNPROXY_check,
+ .x6_options = SYNPROXY_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&synproxy_tg_reg);
+}
diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man
index 62ad71cc..94b4b205 100644
--- a/extensions/libxt_cluster.man
+++ b/extensions/libxt_cluster.man
@@ -55,6 +55,11 @@ arptables \-A INPUT \-i eth2 \-\-h\-length 6
\-\-destination\-mac 01:00:5e:00:01:02
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.PP
+\fBNOTE\fP: the arptables commands above use mainstream syntax. If you
+are using arptables-jf included in some RedHat, CentOS and Fedora
+versions, you will hit syntax errors. Therefore, you'll have to adapt
+these to the arptables-jf syntax to get them working.
+.PP
In the case of TCP connections, pickup facility has to be disabled
to avoid marking TCP ACK packets coming in the reply direction as
valid.
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man
index 15fd1ddf..4b13f0f6 100644
--- a/extensions/libxt_conntrack.man
+++ b/extensions/libxt_conntrack.man
@@ -45,7 +45,7 @@ States for \fB\-\-ctstate\fP:
The packet is associated with no known connection.
.TP
\fBNEW\fP
-The packet has started a new connection, or otherwise associated
+The packet has started a new connection or otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fP
@@ -54,7 +54,7 @@ in both directions.
.TP
\fBRELATED\fP
The packet is starting a new connection, but is associated with an
-existing connection, such as an FTP data transfer, or an ICMP error.
+existing connection, such as an FTP data transfer or an ICMP error.
.TP
\fBUNTRACKED\fP
The packet is not tracked at all, which happens if you explicitly untrack it
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index 17cb2b00..6aac3f28 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -65,7 +65,7 @@ matching on source port
matching on subnet
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
-\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
+\-s 10.0.0.0/8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
.TP
matching bytes per second
"flows exceeding 512kbyte/s" =>
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index b3510d99..e1801f1c 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -104,7 +104,7 @@ static void recent_help(void)
" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
" --rdest Match/Save the destination address of each packet in the recent list table.\n"
" --mask netmask Netmask that will be applied to this recent list.\n"
-"xt_recent by: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n");
+"xt_recent by: Stephen Frost <sfrost@snowman.net>.\n");
}
enum {
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index d9bd5d2a..419be257 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -73,9 +73,6 @@ iptables \-A FORWARD \-m recent \-\-name badguy \-\-rcheck \-\-seconds 60 \-j DR
.IP
iptables \-A FORWARD \-p tcp \-i eth0 \-\-dport 139 \-m recent \-\-name badguy \-\-set \-j DROP
.PP
-Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-.PP
\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information
about each entry of each list.
.PP
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 47c3f5b6..5a1bdcf7 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -6,6 +6,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
+#include "../iptables/xshared.h"
#ifdef DEBUG
#define DEBUGP(x, args...) fprintf(stderr, x , ## args)
@@ -71,13 +72,13 @@ get_set_byid(char *setname, ip_set_id_t idx)
}
static void
-get_set_byname(const char *setname, struct xt_set_info *info)
+get_set_byname_only(const char *setname, struct xt_set_info *info,
+ int sockfd, unsigned int version)
{
- struct ip_set_req_get_set req;
+ struct ip_set_req_get_set req = { .version = version };
socklen_t size = sizeof(struct ip_set_req_get_set);
- int res, sockfd;
+ int res;
- sockfd = get_version(&req.version);
req.op = IP_SET_OP_GET_BYNAME;
strncpy(req.set.name, setname, IPSET_MAXNAMELEN);
req.set.name[IPSET_MAXNAMELEN - 1] = '\0';
@@ -101,6 +102,49 @@ get_set_byname(const char *setname, struct xt_set_info *info)
}
static void
+get_set_byname(const char *setname, struct xt_set_info *info)
+{
+ struct ip_set_req_get_set_family req;
+ socklen_t size = sizeof(struct ip_set_req_get_set_family);
+ int res, sockfd, version;
+
+ sockfd = get_version(&req.version);
+ version = req.version;
+ req.op = IP_SET_OP_GET_FNAME;
+ strncpy(req.set.name, setname, IPSET_MAXNAMELEN);
+ req.set.name[IPSET_MAXNAMELEN - 1] = '\0';
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size);
+
+ if (res != 0 && errno == EBADMSG)
+ /* Backward compatibility */
+ return get_set_byname_only(setname, info, sockfd, version);
+
+ close(sockfd);
+ if (res != 0)
+ xtables_error(OTHER_PROBLEM,
+ "Problem when communicating with ipset, errno=%d.\n",
+ errno);
+ if (size != sizeof(struct ip_set_req_get_set_family))
+ xtables_error(OTHER_PROBLEM,
+ "Incorrect return size from kernel during ipset lookup, "
+ "(want %zu, got %zu)\n",
+ sizeof(struct ip_set_req_get_set_family),
+ (size_t)size);
+ if (req.set.index == IPSET_INVALID_ID)
+ xtables_error(PARAMETER_PROBLEM,
+ "Set %s doesn't exist.\n", setname);
+ if (!(req.family == afinfo->family ||
+ req.family == NFPROTO_UNSPEC))
+ xtables_error(PARAMETER_PROBLEM,
+ "The protocol family of set %s is %s, "
+ "which is not applicable.\n",
+ setname,
+ req.family == NFPROTO_IPV4 ? "IPv4" : "IPv6");
+
+ info->index = req.set.index;
+}
+
+static void
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
{
char *saved = strdup(opt_arg);
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index 39016493..f19c2804 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -9,6 +9,7 @@
enum {
O_TRANSPARENT = 0,
+ O_NOWILDCARD = 1,
};
static const struct xt_option_entry socket_mt_opts[] = {
@@ -16,6 +17,12 @@ static const struct xt_option_entry socket_mt_opts[] = {
XTOPT_TABLEEND,
};
+static const struct xt_option_entry socket_mt_opts_v2[] = {
+ {.name = "transparent", .id = O_TRANSPARENT, .type = XTTYPE_NONE},
+ {.name = "nowildcard", .id = O_NOWILDCARD, .type = XTTYPE_NONE},
+ XTOPT_TABLEEND,
+};
+
static void socket_mt_help(void)
{
printf(
@@ -23,6 +30,14 @@ static void socket_mt_help(void)
" --transparent Ignore non-transparent sockets\n\n");
}
+static void socket_mt_help_v2(void)
+{
+ printf(
+ "socket match options:\n"
+ " --nowildcard Do not ignore LISTEN sockets bound on INADDR_ANY\n"
+ " --transparent Ignore non-transparent sockets\n\n");
+}
+
static void socket_mt_parse(struct xt_option_call *cb)
{
struct xt_socket_mtinfo1 *info = cb->data;
@@ -35,6 +50,21 @@ static void socket_mt_parse(struct xt_option_call *cb)
}
}
+static void socket_mt_parse_v2(struct xt_option_call *cb)
+{
+ struct xt_socket_mtinfo2 *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_TRANSPARENT:
+ info->flags |= XT_SOCKET_TRANSPARENT;
+ break;
+ case O_NOWILDCARD:
+ info->flags |= XT_SOCKET_NOWILDCARD;
+ break;
+ }
+}
+
static void
socket_mt_save(const void *ip, const struct xt_entry_match *match)
{
@@ -52,6 +82,25 @@ socket_mt_print(const void *ip, const struct xt_entry_match *match,
socket_mt_save(ip, match);
}
+static void
+socket_mt_save_v2(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_socket_mtinfo2 *info = (const void *)match->data;
+
+ if (info->flags & XT_SOCKET_TRANSPARENT)
+ printf(" --transparent");
+ if (info->flags & XT_SOCKET_NOWILDCARD)
+ printf(" --nowildcard");
+}
+
+static void
+socket_mt_print_v2(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ printf(" socket");
+ socket_mt_save_v2(ip, match);
+}
+
static struct xtables_match socket_mt_reg[] = {
{
.name = "socket",
@@ -74,6 +123,19 @@ static struct xtables_match socket_mt_reg[] = {
.x6_parse = socket_mt_parse,
.x6_options = socket_mt_opts,
},
+ {
+ .name = "socket",
+ .revision = 2,
+ .family = NFPROTO_UNSPEC,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_socket_mtinfo2)),
+ .help = socket_mt_help_v2,
+ .print = socket_mt_print_v2,
+ .save = socket_mt_save_v2,
+ .x6_parse = socket_mt_parse_v2,
+ .x6_options = socket_mt_opts_v2,
+ },
};
void _init(void)
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index 41e8d674..2ef32cec 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -1,5 +1,22 @@
-This matches if an open socket can be found by doing a socket lookup on the
-packet.
+This matches if an open TCP/UDP socket can be found by doing a socket lookup on the
+packet. It matches if there is an established or non\-zero bound listening
+socket (possibly with a non\-local address). The lookup is performed using
+the \fBpacket\fP tuple of TCP/UDP packets, or the original TCP/UDP header
+\fBembedded\fP in an ICMP/ICPMv6 error packet.
.TP
\fB\-\-transparent\fP
Ignore non-transparent sockets.
+.TP
+\fB\-\-nowildcard\fP
+Do not ignore sockets bound to 'any' address.
+The socket match won't accept zero\-bound listeners by default, since
+then local services could intercept traffic that would otherwise be forwarded.
+This option therefore has security implications when used to match traffic being
+forwarded to redirect such packets to local machine with policy routing.
+When using the socket match to implement fully transparent
+proxies bound to non\-local addresses it is recommended to use the \-\-transparent
+option instead.
+.PP
+Example (assuming packets with mark 1 are delivered locally):
+.IP
+\-t mangle \-A PREROUTING \-m socket \-\-transparent \-j MARK \-\-set\-mark 1
diff --git a/extensions/libxt_string.man b/extensions/libxt_string.man
index b6b271d1..adc9c180 100644
--- a/extensions/libxt_string.man
+++ b/extensions/libxt_string.man
@@ -16,3 +16,13 @@ Matches the given pattern.
.TP
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
+.TP
+Examples:
+.IP
+# The string pattern can be used for simple text characters.
+.br
+iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
+.IP
+# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
+.br
+iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|'
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index eb9123e6..0dcf5ddf 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -250,6 +250,15 @@ struct ip_set_req_get_set {
#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
/* Uses ip_set_req_get_set */
+#define IP_SET_OP_GET_FNAME 0x00000008 /* Get set index and family */
+struct ip_set_req_get_set_family {
+ unsigned int op;
+ unsigned int version;
+ unsigned int family;
+ union ip_set_name_index set;
+};
+
+
#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
struct ip_set_req_version {
unsigned int op;
diff --git a/include/linux/netfilter/xt_SYNPROXY.h b/include/linux/netfilter/xt_SYNPROXY.h
new file mode 100644
index 00000000..2d59fbaa
--- /dev/null
+++ b/include/linux/netfilter/xt_SYNPROXY.h
@@ -0,0 +1,16 @@
+#ifndef _XT_SYNPROXY_H
+#define _XT_SYNPROXY_H
+
+#define XT_SYNPROXY_OPT_MSS 0x01
+#define XT_SYNPROXY_OPT_WSCALE 0x02
+#define XT_SYNPROXY_OPT_SACK_PERM 0x04
+#define XT_SYNPROXY_OPT_TIMESTAMP 0x08
+#define XT_SYNPROXY_OPT_ECN 0x10
+
+struct xt_synproxy_info {
+ __u8 options;
+ __u8 wscale;
+ __u16 mss;
+};
+
+#endif /* _XT_SYNPROXY_H */
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
index 26d7217b..6315e2ac 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/linux/netfilter/xt_socket.h
@@ -5,10 +5,17 @@
enum {
XT_SOCKET_TRANSPARENT = 1 << 0,
+ XT_SOCKET_NOWILDCARD = 1 << 1,
};
struct xt_socket_mtinfo1 {
__u8 flags;
};
+#define XT_SOCKET_FLAGS_V1 XT_SOCKET_TRANSPARENT
+
+struct xt_socket_mtinfo2 {
+ __u8 flags;
+};
+#define XT_SOCKET_FLAGS_V2 (XT_SOCKET_TRANSPARENT | XT_SOCKET_NOWILDCARD)
#endif /* _XT_SOCKET_H */
diff --git a/include/xtables.h b/include/xtables.h
index c35a6e6d..02172670 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -230,7 +230,7 @@ struct xtables_match
/* Size of match data. */
size_t size;
- /* Size of match data relevent for userspace comparison purposes */
+ /* Size of match data relevant for userspace comparison purposes */
size_t userspacesize;
/* Function which prints out usage message. */
@@ -308,7 +308,7 @@ struct xtables_target
/* Size of target data. */
size_t size;
- /* Size of target data relevent for userspace comparison purposes */
+ /* Size of target data relevant for userspace comparison purposes */
size_t userspacesize;
/* Function which prints out usage message. */
diff --git a/iptables/.gitignore b/iptables/.gitignore
index c9c31788..31baf7d7 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -1,5 +1,4 @@
/ip6tables
-/ip6tables.8
/ip6tables-save
/ip6tables-restore
/ip6tables-static
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 501e8255..a4246eb3 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -28,7 +28,7 @@ sbin_PROGRAMS = xtables-multi
man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
ip6tables-save.8 iptables-extensions.8
-CLEANFILES = iptables.8 ip6tables.8
+CLEANFILES = iptables.8
vx_bin_links = iptables-xml
if ENABLE_IPV4
diff --git a/iptables/ip6tables-restore.8 b/iptables/ip6tables-restore.8
index dbe19daf..cf4ea3e7 100644
--- a/iptables/ip6tables-restore.8
+++ b/iptables/ip6tables-restore.8
@@ -1,68 +1 @@
-.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-restore \(em Restore IPv6 Tables
-.SH SYNOPSIS
-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
-[\fB\-T\fP \fIname\fP]
-.SH DESCRIPTION
-.PP
-.B ip6tables-restore
-is used to restore IPv6 Tables from data specified on STDIN. Use
-I/O redirection provided by your shell to read from a file
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-restore the values of all packet and byte counters
-.TP
-\fB\-h\fP, \fB\-\-help\fP
-Print a short option summary.
-.TP
-\fB\-n\fR, \fB\-\-noflush\fR
-don't flush the previous contents of the table. If not specified,
-\fBip6tables-restore\fP flushes (deletes) all previous contents of the
-respective table.
-.TP
-\fB\-t\fP, \fB\-\-test\fP
-Only parse and construct the ruleset, but do not commit it.
-.TP
-\fB\-v\fP, \fB\-\-verbose\fP
-Print additional debug info during ruleset processing.
-.TP
-\fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, ip6tables-restore will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-T\fP, \fB\-\-table\fP \fIname\fP
-Restore only the named table even if the input stream contains other ones.
-.B ip6tables-restore
-flushes (deletes) all previous contents of the respective IPv6 Table.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-save\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
+.so man8/iptables-restore.8
diff --git a/iptables/ip6tables-save.8 b/iptables/ip6tables-save.8
index 457be821..182f55c1 100644
--- a/iptables/ip6tables-save.8
+++ b/iptables/ip6tables-save.8
@@ -1,53 +1 @@
-.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
-.\"
-.\" Man page written by Harald Welte <laforge@gnumonks.org>
-.\" It is based on the iptables man page.
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables-save \(em dump iptables rules to stdout
-.SH SYNOPSIS
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP
-.SH DESCRIPTION
-.PP
-.B ip6tables-save
-is used to dump the contents of an IPv6 Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
-.TP
-\fB\-M\fP \fImodprobe_program\fP
-Specify the path to the modprobe program. By default, iptables-save will
-inspect /proc/sys/kernel/modprobe to determine the executable's path.
-.TP
-\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
-.TP
-\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
-.SH BUGS
-None known as of iptables-1.2.1 release
-.SH AUTHORS
-Harald Welte <laforge@gnumonks.org>
-.br
-Andras Kis-Szabo <kisza@sch.bme.hu>
-.SH SEE ALSO
-\fBip6tables\-restore\fP(8), \fBip6tables\fP(8)
-.PP
-The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
-which details NAT, and the netfilter-hacking-HOWTO which details the
-internals.
+.so man8/iptables-save.8
diff --git a/iptables/ip6tables-standalone.c b/iptables/ip6tables-standalone.c
index 656e08d5..35d2d9a5 100644
--- a/iptables/ip6tables-standalone.c
+++ b/iptables/ip6tables-standalone.c
@@ -73,6 +73,8 @@ ip6tables_main(int argc, char *argv[])
fprintf(stderr, "ip6tables: %s.\n",
ip6tc_strerror(errno));
}
+ if (errno == EAGAIN)
+ exit(RESOURCE_PROBLEM);
}
exit(!ret);
diff --git a/iptables/ip6tables.8 b/iptables/ip6tables.8
new file mode 100644
index 00000000..0dee41ad
--- /dev/null
+++ b/iptables/ip6tables.8
@@ -0,0 +1 @@
+.so man8/iptables.8
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
deleted file mode 100644
index 5b2a7d76..00000000
--- a/iptables/ip6tables.8.in
+++ /dev/null
@@ -1,463 +0,0 @@
-.TH IP6TABLES 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
-.\"
-.\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu>
-.\" It is based on iptables man page.
-.\"
-.\" iptables page by Herve Eychenne <rv@wallfire.org>
-.\" It is based on ipchains man page.
-.\"
-.\" ipchains page by Paul ``Rusty'' Russell March 1997
-.\" Based on the original ipfwadm man page by Jos Vos <jos@xos.nl>
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation; either version 2 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ip6tables \(em IPv6 packet filter administration
-.SH SYNOPSIS
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
-\fIchain rule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP]
-\fIrule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-R\fP \fIchain rulenum
-rule-specification\fP [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-D\fP \fIchain rulenum\fP
-[\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP}
-[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-X\fP [\fIchain\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-P\fP \fIchain target\fP
-[\fIoptions...\fP]
-.PP
-\fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-E\fP \fIold-chain-name new-chain-name\fP
-.SH DESCRIPTION
-\fBIp6tables\fP is used to set up, maintain, and inspect the
-tables of IPv6 packet
-filter rules in the Linux kernel. Several different tables
-may be defined. Each table contains a number of built-in
-chains and may also contain user-defined chains.
-.PP
-Each chain is a list of rules which can match a set of packets. Each
-rule specifies what to do with a packet that matches. This is called
-a `target', which may be a jump to a user-defined chain in the same
-table.
-.SH TARGETS
-A firewall rule specifies criteria for a packet and a target. If the
-packet does not match, the next rule in the chain is the examined; if
-it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
-.PP
-\fBACCEPT\fP means to let the packet through.
-\fBDROP\fP means to drop the packet on the floor.
-\fBQUEUE\fP means to pass the packet to userspace.
-(How the packet can be received
-by a userspace process differs by the particular queue handler. 2.4.x
-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
-queue handler. Kernels 2.6.14 and later additionally include the
-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
-target as described later in this man page.)
-\fBRETURN\fP means stop traversing this chain and resume at the next
-rule in the
-previous (calling) chain. If the end of a built-in chain is reached
-or a rule in a built-in chain with target \fBRETURN\fP
-is matched, the target specified by the chain policy determines the
-fate of the packet.
-.SH TABLES
-There are currently five independent tables (which tables are present
-at any time depends on the kernel configuration options and which
-modules are present).
-.TP
-\fB\-t\fP, \fB\-\-table\fP \fItable\fP
-This option specifies the packet matching table which the command
-should operate on. If the kernel is configured with automatic module
-loading, an attempt will be made to load the appropriate module for
-that table if it is not already there.
-
-The tables are as follows:
-.RS
-.TP .4i
-\fBfilter\fP:
-This is the default table (if no \-t option is passed). It contains
-the built-in chains \fBINPUT\fP (for packets destined to local sockets),
-\fBFORWARD\fP (for packets being routed through the box), and
-\fBOUTPUT\fP (for locally-generated packets).
-.TP
-\fBnat\fP:
-This table is consulted when a packet that creates a new
-connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
-(for altering packets as soon as they come in), \fBOUTPUT\fP
-(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out). Available since kernel 3.7.
-.TP
-\fBmangle\fP:
-This table is used for specialized packet alteration. Until kernel
-2.4.17 it had two built-in chains: \fBPREROUTING\fP
-(for altering incoming packets before routing) and \fBOUTPUT\fP
-(for altering locally-generated packets before routing).
-Since kernel 2.4.18, three other built-in chains are also supported:
-\fBINPUT\fP (for packets coming into the box itself), \fBFORWARD\fP
-(for altering packets being routed through the box), and \fBPOSTROUTING\fP
-(for altering packets as they are about to go out).
-.TP
-\fBraw\fP:
-This table is used mainly for configuring exemptions from connection
-tracking in combination with the NOTRACK target. It registers at the netfilter
-hooks with higher priority and is thus called before ip_conntrack, or any other
-IP tables. It provides the following built-in chains: \fBPREROUTING\fP
-(for packets arriving via any network interface) \fBOUTPUT\fP
-(for packets generated by local processes)
-.TP
-\fBsecurity\fP:
-This table is used for Mandatory Access Control (MAC) networking rules, such
-as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
-Mandatory Access Control is implemented by Linux Security Modules such as
-SELinux. The security table is called after the filter table, allowing any
-Discretionary Access Control (DAC) rules in the filter table to take effect
-before MAC rules. This table provides the following built-in chains:
-\fBINPUT\fP (for packets coming into the box itself),
-\fBOUTPUT\fP (for altering locally-generated packets before routing), and
-\fBFORWARD\fP (for altering packets being routed through the box).
-.RE
-.SH OPTIONS
-The options that are recognized by
-\fBip6tables\fP can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform. Only one of them
-can be specified on the command line unless otherwise specified
-below. For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-\fBip6tables\fP can differentiate it from all other options.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-C\fP, \fB\-\-check\fP \fIchain rule-specification\fP
-Check whether a rule matching the specification does exist in the
-selected chain. This command uses the same logic as \fB\-D\fP to
-find a matching entry, but does not alter the existing iptables
-configuration and uses its exit code to indicate success or failure.
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rule-specification\fP
-.ns
-.TP
-\fB\-D\fP, \fB\-\-delete\fP \fIchain rulenum\fP
-Delete one or more rules from the selected chain. There are two
-versions of this command: the rule can be specified as a number in the
-chain (starting at 1 for the first rule) or a rule to match.
-.TP
-\fB\-I\fP, \fB\-\-insert\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
-Insert one or more rules in the selected chain as the given rule
-number. So, if the rule number is 1, the rule or rules are inserted
-at the head of the chain. This is also the default if no rule number
-is specified.
-.TP
-\fB\-R\fP, \fB\-\-replace\fP \fIchain rulenum rule-specification\fP
-Replace a rule in the selected chain. If the source and/or
-destination names resolve to multiple addresses, the command will
-fail. Rules are numbered starting at 1.
-.TP
-\fB\-L\fP, \fB\-\-list\fP [\fIchain\fP]
-List all rules in the selected chain. If no chain is selected, all
-chains are listed. Like every other ip6tables command, it applies to the
-specified table (filter is the default).
-.IP ""
-Please note that it is often used with the \fB\-n\fP
-option, in order to avoid long reverse DNS lookups.
-It is legal to specify the \fB\-Z\fP
-(zero) option as well, in which case the chain(s) will be atomically
-listed and zeroed. The exact output is affected by the other
-arguments given. The exact rules are suppressed until you use
-.nf
- ip6tables \-L \-v
-.fi
-.TP
-\fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
-Print all rules in the selected chain. If no chain is selected, all
-chains are printed like ip6tables-save. Like every other ip6tables command,
-it applies to the specified table (filter is the default).
-.TP
-\fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
-Flush the selected chain (all the chains in the table if none is given).
-This is equivalent to deleting all the rules one by one.
-.TP
-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
-Zero the packet and byte counters in all chains, or only the given chain,
-or only the given rule in a chain. It is legal to
-specify the
-\fB\-L\fP, \fB\-\-list\fP
-(list) option as well, to see the counters immediately before they are
-cleared. (See above.)
-.TP
-\fB\-N\fP, \fB\-\-new\-chain\fP \fIchain\fP
-Create a new user-defined chain by the given name. There must be no
-target of that name already.
-.TP
-\fB\-X\fP, \fB\-\-delete\-chain\fP [\fIchain\fP]
-Delete the optional user-defined chain specified. There must be no references
-to the chain. If there are, you must delete or replace the referring rules
-before the chain can be deleted. The chain must be empty, i.e. not contain
-any rules. If no argument is given, it will attempt to delete every
-non-builtin chain in the table.
-.TP
-\fB\-P\fP, \fB\-\-policy\fP \fIchain target\fP
-Set the policy for the chain to the given target. See the section \fBTARGETS\fP
-for the legal targets. Only built-in (non-user-defined) chains can have
-policies, and neither built-in nor user-defined chains can be policy
-targets.
-.TP
-\fB\-E\fP, \fB\-\-rename\-chain\fP \fIold\-chain new\-chain\fP
-Rename the user specified chain to the user supplied name. This is
-cosmetic, and has no effect on the structure of the table.
-.TP
-\fB\-A\fP, \fB\-\-append\fP \fIchain rule-specification\fP
-Append one or more rules to the end of the selected chain.
-When the source and/or destination names resolve to more than one
-address, a rule will be added for each possible address combination.
-.TP
-\fB\-h\fP
-Help.
-Give a (currently very brief) description of the command syntax.
-.SS PARAMETERS
-The following parameters make up a rule specification (as used in the
-add, delete, insert, replace and append commands).
-.TP
-\fB\-4\fP, \fB\-\-ipv4\fP
-If a rule using the \fB\-4\fP option is inserted with (and only with)
-ip6tables-restore, it will be silently ignored. Any other uses will throw an
-error. This option allows to put both IPv4 and IPv6 rules in a single rule file
-for use with both iptables-restore and ip6tables-restore.
-.TP
-\fB\-6\fP, \fB\-\-ipv6\fP
-This option has no effect in ip6tables and ip6tables-restore.
-.TP
-[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
-The protocol of the rule or of the packet to check.
-The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmpv6\fP, \fBesp\fP, \fBmh\fP or the special keyword "\fBall\fP",
-or it can be a numeric value, representing one of these protocols or a
-different one. A protocol name from /etc/protocols is also allowed.
-But IPv6 extension headers except \fBesp\fP are not allowed.
-\fBesp\fP and \fBipv6\-nonext\fP
-can be used with Kernel version 2.6.11 or later.
-A "!" argument before the protocol inverts the
-test. The number zero is equivalent to \fBall\fP, which means that you cannot
-test the protocol field for the value 0 directly. To match on a HBH header,
-even if it were the last, you cannot use \fB\-p 0\fP, but always need
-\fB\-m hbh\fP.
-"\fBall\fP"
-will match with all protocols and is taken as default when this
-option is omitted.
-.TP
-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Source specification.
-\fIAddress\fP can be either be a hostname,
-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
-Names will be resolved once only, before the rule is submitted to the kernel.
-Please note that specifying any name to be resolved with a remote query such as
-DNS is a really bad idea.
-(Resolving network names is not supported at this time.)
-The \fImask\fP is a plain number,
-specifying the number of 1's at the left side of the network mask.
-A "!" argument before the address specification inverts the sense of
-the address. The flag \fB\-\-src\fP
-is an alias for this option.
-Multiple addresses can be specified, but this will \fBexpand to multiple
-rules\fP (when adding with \-A), or will cause multiple rules to be
-deleted (with \-D).
-.TP
-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
-Destination specification.
-See the description of the \fB\-s\fP
-(source) flag for a detailed description of the syntax. The flag
-\fB\-\-dst\fP is an alias for this option.
-.TP
-\fB\-m\fP, \fB\-\-match\fP \fImatch\fP
-Specifies a match to use, that is, an extension module that tests for a
-specific property. The set of matches make up the condition under which a
-target is invoked. Matches are evaluated first to last as specified on the
-command line and work in short-circuit fashion, i.e. if one extension yields
-false, evaluation will stop.
-.TP
-\fB\-j\fP, \fB\-\-jump\fP \fItarget\fP
-This specifies the target of the rule; i.e., what to do if the packet
-matches it. The target can be a user-defined chain (other than the
-one this rule is in), one of the special builtin targets which decide
-the fate of the packet immediately, or an extension (see \fBEXTENSIONS\fP
-below). If this
-option is omitted in a rule (and \fB\-g\fP
-is not used), then matching the rule will have no
-effect on the packet's fate, but the counters on the rule will be
-incremented.
-.TP
-\fB\-g\fP, \fB\-\-goto\fP \fIchain\fP
-This specifies that the processing should continue in a user
-specified chain. Unlike the \-\-jump option return will not continue
-processing in this chain but instead in the chain that called us via
-\-\-jump.
-.TP
-[\fB!\fP] \fB\-i\fP, \fB\-\-in\-interface\fP \fIname\fP
-Name of an interface via which a packet was received (only for
-packets entering the \fBINPUT\fP, \fBFORWARD\fP and \fBPREROUTING\fP
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.TP
-[\fB!\fP] \fB\-o\fP, \fB\-\-out\-interface\fP \fIname\fP
-Name of an interface via which a packet is going to be sent (for packets
-entering the \fBFORWARD\fP, \fBOUTPUT\fP and \fBPOSTROUTING\fP
-chains). When the "!" argument is used before the interface name, the
-sense is inverted. If the interface name ends in a "+", then any
-interface which begins with this name will match. If this option is
-omitted, any interface name will match.
-.\" Currently not supported (header-based)
-.\" .TP
-.\" [\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
-.\" This means that the rule only refers to second and further fragments
-.\" of fragmented packets. Since there is no way to tell the source or
-.\" destination ports of such a packet (or ICMP type), such a packet will
-.\" not match any rules which specify them. When the "!" argument
-.\" precedes the "\-f" flag, the rule will only match head fragments, or
-.\" unfragmented packets.
-.TP
-\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
-This enables the administrator to initialize the packet and byte
-counters of a rule (during \fBINSERT\fP, \fBAPPEND\fP, \fBREPLACE\fP
-operations).
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-\fB\-v\fP, \fB\-\-verbose\fP
-Verbose output. This option makes the list command show the interface
-name, the rule options (if any), and the TOS masks. The packet and
-byte counters are also listed, with the suffix 'K', 'M' or 'G' for
-1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
-the \fB\-x\fP flag to change this).
-For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed. \fB\-v\fP may be
-specified multiple times to possibly emit more detailed debug statements.
-.TP
-\fB\-w\fP, \fB\-\-wait\fP
-Wait for the xtables lock.
-To prevent multiple instances of the program from running concurrently,
-an attempt will be made to obtain an exclusive lock at launch. By default,
-the program will exit if the lock cannot be obtained. This option will
-make the program wait until the exclusive lock can be obtained.
-.TP
-\fB\-n\fP, \fB\-\-numeric\fP
-Numeric output.
-IP addresses and port numbers will be printed in numeric format.
-By default, the program will try to display them as host names,
-network names, or services (whenever applicable).
-.TP
-\fB\-x\fP, \fB\-\-exact\fP
-Expand numbers.
-Display the exact value of the packet and byte counters,
-instead of only the rounded number in K's (multiples of 1000)
-M's (multiples of 1000K) or G's (multiples of 1000M). This option is
-only relevant for the \fB\-L\fP command.
-.TP
-\fB\-\-line\-numbers\fP
-When listing rules, add line numbers to the beginning of each rule,
-corresponding to that rule's position in the chain.
-.TP
-\fB\-\-modprobe=\fP\fIcommand\fP
-When adding or inserting rules into a chain, use \fIcommand\fP
-to load any necessary modules (targets, match extensions, etc).
-.SH MATCH EXTENSIONS
-.PP
-iptables can use extended packet matching and target modules.
-A list of these is available in the \fBiptables\-extensions\fP(8) manpage.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error. The exit code
-is 0 for correct functioning. Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? What's this? ;-)
-Well... the counters are not reliable on sparc64.
-.SH COMPATIBILITY WITH IPCHAINS
-This \fBip6tables\fP
-is very similar to ipchains by Rusty Russell. The main difference is
-that the chains \fBINPUT\fP and \fBOUTPUT\fP
-are only traversed for packets coming into the local host and
-originating from the local host respectively. Hence every packet only
-passes through one of the three chains (except loopback traffic, which
-involves both INPUT and OUTPUT chains); previously a forwarded packet
-would pass through all three.
-.PP
-The other main difference is that \fB\-i\fP refers to the input interface;
-\fB\-o\fP refers to the output interface, and both are available for packets
-entering the \fBFORWARD\fP chain.
-There are several other changes in ip6tables.
-.SH SEE ALSO
-\fBip6tables\-save\fP(8),
-\fBip6tables\-restore\fP(8),
-\fBiptables\fP(8),
-\fBiptables\-apply\fP(8),
-\fBiptables\-extensions\fP(8),
-\fBiptables\-save\fP(8),
-\fBiptables\-restore\fP(8),
-\fBlibipq\fP(3).
-.PP
-The packet-filtering-HOWTO details iptables usage for
-packet filtering,
-the netfilter-extensions-HOWTO details the extensions that are
-not in the standard distribution,
-and the netfilter-hacking-HOWTO details the netfilter internals.
-.br
-See
-.BR "http://www.netfilter.org/" .
-.SH AUTHORS
-Rusty Russell wrote iptables, in early consultation with Michael
-Neuling.
-.PP
-Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet
-selection framework in iptables, then wrote the mangle table, the owner match,
-the mark stuff, and ran around doing cool stuff everywhere.
-.PP
-James Morris wrote the TOS target, and tos match.
-.PP
-Jozsef Kadlecsik wrote the REJECT target.
-.PP
-Harald Welte wrote the ULOG and NFQUEUE target, the new libiptc, as well as TTL match+target and libipulog.
-.PP
-The Netfilter Core Team is: Marc Boucher, Martin Josefsson, Yasuyuki Kozakai,
-Jozsef Kadlecsik, Patrick McHardy, James Morris, Pablo Neira Ayuso,
-Harald Welte and Rusty Russell.
-.PP
-ip6tables man page created by Andras Kis-Szabo, based on
-iptables man page written by Herve Eychenne <rv@wallfire.org>.
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
-.SH VERSION
-.PP
-This manual page applies to ip6tables @PACKAGE_VERSION@.
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 1fb33f6d..a5199d5e 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -144,12 +144,12 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x'},
/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' '},
/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x'},
+/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x'},
};
@@ -387,6 +387,32 @@ parse_rulenumber(const char *rule)
return rulenum;
}
+static void
+parse_chain(const char *chainname)
+{
+ const char *ptr;
+
+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name `%s' too long (must be under %u chars)",
+ chainname, XT_EXTENSION_MAXNAMELEN);
+
+ if (*chainname == '-' || *chainname == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name not allowed to start "
+ "with `%c'\n", *chainname);
+
+ if (xtables_find_target(chainname, XTF_TRY_LOAD))
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name may not clash "
+ "with target name\n");
+
+ for (ptr = chainname; *ptr; ptr++)
+ if (isspace(*ptr))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid chain name `%s'", chainname);
+}
+
static const char *
parse_target(const char *targetname)
{
@@ -1432,14 +1458,7 @@ int do_command6(int argc, char *argv[], char **table,
break;
case 'N':
- if (optarg && (*optarg == '-' || *optarg == '!'))
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *optarg);
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
+ parse_chain(optarg);
add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
cs.invert);
chain = optarg;
@@ -1732,11 +1751,6 @@ int do_command6(int argc, char *argv[], char **table,
generic_opt_check(command, cs.options);
- if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chain, XT_EXTENSION_MAXNAMELEN);
-
/* Attempt to acquire the xtables lock */
if (!restore && !xtables_lock(wait)) {
fprintf(stderr, "Another app is currently holding the xtables lock. "
diff --git a/iptables/iptables-apply.8 b/iptables/iptables-apply.8.in
index 66eaf57a..cdc9c447 100644
--- a/iptables/iptables-apply.8
+++ b/iptables/iptables-apply.8.in
@@ -2,7 +2,7 @@
.\" Author: Martin F. Krafft
.\" Date: Jun 04, 2006
.\"
-.TH iptables\-apply 8 2006-06-04
+.TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.\" disable hyphenation
.nh
.SH NAME
diff --git a/iptables/iptables-restore.8 b/iptables/iptables-restore.8.in
index 2b1d102c..feb57efa 100644
--- a/iptables/iptables-restore.8
+++ b/iptables/iptables-restore.8.in
@@ -1,4 +1,4 @@
-.TH IPTABLES-RESTORE 8 "Jan 04, 2001" "" ""
+.TH IPTABLES-RESTORE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
@@ -20,13 +20,19 @@
.\"
.SH NAME
iptables-restore \(em Restore IP Tables
+.P
+ip6tables-restore \(em Restore IPv6 Tables
.SH SYNOPSIS
\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
+.P
+\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP]
[\fB\-T\fP \fIname\fP]
.SH DESCRIPTION
.PP
.B iptables-restore
-is used to restore IP Tables from data specified on STDIN. Use
+and
+.B ip6tables-restore
+are used to restore IP and IPv6 Tables from data specified on STDIN. Use
I/O redirection provided by your shell to read from a file
.TP
\fB\-c\fR, \fB\-\-counters\fR
@@ -35,10 +41,9 @@ restore the values of all packet and byte counters
\fB\-h\fP, \fB\-\-help\fP
Print a short option summary.
.TP
-\fB\-n\fR, \fB\-\-noflush\fR
-don't flush the previous contents of the table. If not specified,
-.B iptables-restore
-flushes (deletes) all previous contents of the respective table.
+\fB\-n\fR, \fB\-\-noflush\fR
+don't flush the previous contents of the table. If not specified,
+both commands flush (delete) all previous contents of the respective table.
.TP
\fB\-t\fP, \fB\-\-test\fP
Only parse and construct the ruleset, but do not commit it.
@@ -54,8 +59,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path.
Restore only the named table even if the input stream contains other ones.
.SH BUGS
None known as of iptables-1.2.1 release
-.SH AUTHOR
-Harald Welte <laforge@gnumonks.org>
+.SH AUTHORS
+Harald Welte <laforge@gnumonks.org> wrote iptables-restore based on code
+from Rusty Russell.
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO
\fBiptables\-save\fP(8), \fBiptables\fP(8)
.PP
diff --git a/iptables/iptables-save.8 b/iptables/iptables-save.8.in
index c2e0a949..5e939b1a 100644
--- a/iptables/iptables-save.8
+++ b/iptables/iptables-save.8.in
@@ -1,4 +1,4 @@
-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
+.TH IPTABLES-SAVE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
@@ -20,13 +20,20 @@
.\"
.SH NAME
iptables-save \(em dump iptables rules to stdout
+.P
+ip6tables-save \(em dump iptables rules to stdout
.SH SYNOPSIS
\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
[\fB\-t\fP \fItable\fP]
+.P
+\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-t\fP \fItable\fP
.SH DESCRIPTION
.PP
.B iptables-save
-is used to dump the contents of an IP Table in easily parseable format
+and
+.B ip6tables-save
+are used to dump the contents of IP or IPv6 Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
.TP
\fB\-M\fP \fImodprobe_program\fP
@@ -41,8 +48,12 @@ restrict output to only one table. If not specified, output includes all
available tables.
.SH BUGS
None known as of iptables-1.2.1 release
-.SH AUTHOR
+.SH AUTHORS
Harald Welte <laforge@gnumonks.org>
+.br
+Rusty Russell <rusty@rustcorp.com.au>
+.br
+Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
.SH SEE ALSO
\fBiptables\-restore\fP(8), \fBiptables\fP(8)
.PP
diff --git a/iptables/iptables-xml.1 b/iptables/iptables-xml.1.in
index 048c2cb8..7b7878f8 100644
--- a/iptables/iptables-xml.1
+++ b/iptables/iptables-xml.1.in
@@ -1,4 +1,4 @@
-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
+.TH IPTABLES-XML 1 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.\"
.\" Man page written by Sam Liddicott <azez@ufomechanic.net>
.\" It is based on the iptables-save man page.
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 6f310039..155c97e9 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -23,10 +23,13 @@
.\"
.\"
.SH NAME
-iptables \(em administration tool for IPv4 packet filtering and NAT
+iptables/ip6tables \(em administration tool for IPv4/IPv6 packet filtering and NAT
.SH SYNOPSIS
\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
\fIchain\fP \fIrule-specification\fP
+.P
+\fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-C\fP|\fB\-D\fP}
+\fIchain rule-specification\fP
.PP
\fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-I\fP \fIchain\fP [\fIrulenum\fP] \fIrule-specification\fP
.PP
@@ -52,8 +55,8 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
.PP
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
.SH DESCRIPTION
-\fBIptables\fP is used to set up, maintain, and inspect the
-tables of IPv4 packet
+\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
+tables of IPv4 and IPv6 packet
filter rules in the Linux kernel. Several different tables
may be defined. Each table contains a number of built-in
chains and may also contain user-defined chains.
@@ -64,21 +67,14 @@ a `target', which may be a jump to a user-defined chain in the same
table.
.SH TARGETS
A firewall rule specifies criteria for a packet and a target. If the
-packet does not match, the next rule in the chain is the examined; if
+packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the
-target, which can be the name of a user-defined chain or one of the
-special values \fBACCEPT\fP, \fBDROP\fP, \fBQUEUE\fP or \fBRETURN\fP.
+target, which can be the name of a user-defined chain, one of the targets
+described in \fBiptables\-extensions\fP(8), or one of the
+special values \fBACCEPT\fP, \fBDROP\fP or \fBRETURN\fP.
.PP
\fBACCEPT\fP means to let the packet through.
\fBDROP\fP means to drop the packet on the floor.
-\fBQUEUE\fP means to pass the packet to userspace.
-(How the packet can be received
-by a userspace process differs by the particular queue handler. 2.4.x
-and 2.6.x kernels up to 2.6.13 include the \fBip_queue\fP
-queue handler. Kernels 2.6.14 and later additionally include the
-\fBnfnetlink_queue\fP queue handler. Packets with a target of QUEUE will be
-sent to queue number '0' in this case. Please also see the \fBNFQUEUE\fP
-target as described later in this man page.)
\fBRETURN\fP means stop traversing this chain and resume at the next
rule in the
previous (calling) chain. If the end of a built-in chain is reached
@@ -111,6 +107,7 @@ connection is encountered. It consists of three built-ins: \fBPREROUTING\fP
(for altering packets as soon as they come in), \fBOUTPUT\fP
(for altering locally-generated packets before routing), and \fBPOSTROUTING\fP
(for altering packets as they are about to go out).
+IPv6 NAT support is available since kernel 3.7.
.TP
\fBmangle\fP:
This table is used for specialized packet alteration. Until kernel
@@ -143,7 +140,7 @@ before MAC rules. This table provides the following built-in chains:
.RE
.SH OPTIONS
The options that are recognized by
-\fBiptables\fP can be divided into several different groups.
+\fBiptables\fP and \fBip6tables\fP can be divided into several different groups.
.SS COMMANDS
These options specify the desired action to perform. Only one of them
can be specified on the command line unless otherwise stated
@@ -245,23 +242,35 @@ add, delete, insert, replace and append commands).
.TP
\fB\-4\fP, \fB\-\-ipv4\fP
This option has no effect in iptables and iptables-restore.
+If a rule using the \fB\-4\fP option is inserted with (and only with)
+ip6tables-restore, it will be silently ignored. Any other uses will throw an
+error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+for use with both iptables-restore and ip6tables-restore.
.TP
\fB\-6\fP, \fB\-\-ipv6\fP
If a rule using the \fB\-6\fP option is inserted with (and only with)
iptables-restore, it will be silently ignored. Any other uses will throw an
error. This option allows to put both IPv4 and IPv6 rules in a single rule file
for use with both iptables-restore and ip6tables-restore.
+This option has no effect in ip6tables and ip6tables-restore.
.TP
[\fB!\fP] \fB\-p\fP, \fB\-\-protocol\fP \fIprotocol\fP
The protocol of the rule or of the packet to check.
The specified protocol can be one of \fBtcp\fP, \fBudp\fP, \fBudplite\fP,
-\fBicmp\fP, \fBesp\fP, \fBah\fP, \fBsctp\fP or the special keyword "\fBall\fP",
+\fBicmp\fP, \fBicmpv6\fP,\fBesp\fP, \fBah\fP, \fBsctp\fP, \fBmh\fP or the special keyword "\fBall\fP",
or it can be a numeric value, representing one of these protocols or a
different one. A protocol name from /etc/protocols is also allowed.
A "!" argument before the protocol inverts the
test. The number zero is equivalent to \fBall\fP. "\fBall\fP"
will match with all protocols and is taken as default when this
option is omitted.
+Note that, in ip6tables, IPv6 extension headers except \fBesp\fP are not allowed.
+\fBesp\fP and \fBipv6\-nonext\fP
+can be used with Kernel version 2.6.11 or later.
+The number zero is equivalent to \fBall\fP, which means that you cannot
+test the protocol field for the value 0 directly. To match on a HBH header,
+even if it were the last, you cannot use \fB\-p 0\fP, but always need
+\fB\-m hbh\fP.
.TP
[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
Source specification. \fIAddress\fP
@@ -271,9 +280,9 @@ be resolved once only, before the rule is submitted to the kernel.
Please note that specifying any name to be resolved with a remote query such as
DNS is a really bad idea.
The \fImask\fP
-can be either a network mask or a plain number,
+can be either an ipv4 network mask (for iptables) or a plain number,
specifying the number of 1's at the left side of the network mask.
-Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
+Thus, an iptables mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
A "!" argument before the address specification inverts the sense of
the address. The flag \fB\-\-src\fP is an alias for this option.
Multiple addresses can be specified, but this will \fBexpand to multiple
@@ -327,12 +336,13 @@ interface which begins with this name will match. If this option is
omitted, any interface name will match.
.TP
[\fB!\fP] \fB\-f\fP, \fB\-\-fragment\fP
-This means that the rule only refers to second and further fragments
+This means that the rule only refers to second and further IPv4 fragments
of fragmented packets. Since there is no way to tell the source or
destination ports of such a packet (or ICMP type), such a packet will
not match any rules which specify them. When the "!" argument
precedes the "\-f" flag, the rule will only match head fragments, or
-unfragmented packets.
+unfragmented packets. This option is IPv4 specific, it is not available
+in ip6tables.
.TP
\fB\-c\fP, \fB\-\-set\-counters\fP \fIpackets bytes\fP
This enables the administrator to initialize the packet and byte
@@ -420,10 +430,6 @@ There are several other changes in iptables.
\fBiptables\-save\fP(8),
\fBiptables\-restore\fP(8),
\fBiptables\-extensions\fP(8),
-\fBip6tables\fP(8),
-\fBip6tables\-save\fP(8),
-\fBip6tables\-restore\fP(8),
-\fBlibipq\fP(3).
.PP
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
@@ -458,4 +464,4 @@ Man page originally written by Herve Eychenne <rv@wallfire.org>.
.\" .. and most of all, modest ..
.SH VERSION
.PP
-This manual page applies to iptables @PACKAGE_VERSION@.
+This manual page applies to iptables/ip6tables @PACKAGE_AND_VERSION@.
diff --git a/iptables/iptables.c b/iptables/iptables.c
index fe18e1cc..5cd2596e 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -143,12 +143,12 @@ static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x','x'},
/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'},
/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
+/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
};
@@ -373,6 +373,32 @@ parse_rulenumber(const char *rule)
return rulenum;
}
+static void
+parse_chain(const char *chainname)
+{
+ const char *ptr;
+
+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name `%s' too long (must be under %u chars)",
+ chainname, XT_EXTENSION_MAXNAMELEN);
+
+ if (*chainname == '-' || *chainname == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name not allowed to start "
+ "with `%c'\n", *chainname);
+
+ if (xtables_find_target(chainname, XTF_TRY_LOAD))
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name may not clash "
+ "with target name\n");
+
+ for (ptr = chainname; *ptr; ptr++)
+ if (isspace(*ptr))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid chain name `%s'", chainname);
+}
+
static const char *
parse_target(const char *targetname)
{
@@ -1428,14 +1454,7 @@ int do_command4(int argc, char *argv[], char **table,
break;
case 'N':
- if (optarg && (*optarg == '-' || *optarg == '!'))
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *optarg);
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
+ parse_chain(optarg);
add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
cs.invert);
chain = optarg;
@@ -1729,11 +1748,6 @@ int do_command4(int argc, char *argv[], char **table,
generic_opt_check(command, cs.options);
- if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chain, XT_EXTENSION_MAXNAMELEN);
-
/* Attempt to acquire the xtables lock */
if (!restore && !xtables_lock(wait)) {
fprintf(stderr, "Another app is currently holding the xtables lock. "
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ef5bc072..fb60c01b 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -578,8 +578,6 @@ static void *load_extension(const char *search_path, const char *af_prefix,
if (ptr != NULL)
return ptr;
- fprintf(stderr, "%s: no \"%s\" extension found for "
- "this protocol\n", path, name);
errno = ENOENT;
return NULL;
}
@@ -1243,7 +1241,7 @@ const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
uint32_t cidr;
cidr = xtables_ipmask_to_cidr(mask);
- if (cidr < 0) {
+ if (cidr == (unsigned int)-1) {
/* mask was not a decent combination of 1's and 0's */
sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
return buf;
diff --git a/utils/Makefile.am b/utils/Makefile.am
index c26aa640..c4192a9e 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -18,3 +18,8 @@ if ENABLE_BPFC
sbin_PROGRAMS += nfbpf_compile
nfbpf_compile_LDADD = -lpcap
endif
+
+if ENABLE_SYNCONF
+sbin_PROGRAMS += nfsynproxy
+nfsynproxy_LDADD = -lpcap
+endif
diff --git a/utils/nfsynproxy.c b/utils/nfsynproxy.c
new file mode 100644
index 00000000..baedc92c
--- /dev/null
+++ b/utils/nfsynproxy.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <getopt.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <pcap/pcap.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+static const char *iface = "lo";
+static uint16_t port;
+static const char *chain = "SYNPROXY";
+
+static int parse_packet(const char *host, const uint8_t *data)
+{
+ const struct iphdr *iph = (void *)data + 14;
+ const struct tcphdr *th = (void *)iph + iph->ihl * 4;
+ int length;
+ uint8_t *ptr;
+
+ if (!th->syn || !th->ack)
+ return 0;
+
+ printf("-A %s -d %s -p tcp --dport %u "
+ "-m state --state UNTRACKED,INVALID "
+ "-j SYNPROXY ", chain, host, port);
+
+ /* ECE && !CWR */
+ if (th->res2 == 0x1)
+ printf("--ecn ");
+
+ length = th->doff * 4 - sizeof(*th);
+ ptr = (uint8_t *)(th + 1);
+ while (length > 0) {
+ int opcode = *ptr++;
+ int opsize;
+
+ switch (opcode) {
+ case TCPOPT_EOL:
+ return 1;
+ case TCPOPT_NOP:
+ length--;
+ continue;
+ default:
+ opsize = *ptr++;
+ if (opsize < 2)
+ return 1;
+ if (opsize > length)
+ return 1;
+
+ switch (opcode) {
+ case TCPOPT_MAXSEG:
+ if (opsize == TCPOLEN_MAXSEG)
+ printf("--mss %u ", ntohs(*(uint16_t *)ptr));
+ break;
+ case TCPOPT_WINDOW:
+ if (opsize == TCPOLEN_WINDOW)
+ printf("--wscale %u ", *ptr);
+ break;
+ case TCPOPT_TIMESTAMP:
+ if (opsize == TCPOLEN_TIMESTAMP)
+ printf("--timestamp ");
+ break;
+ case TCPOPT_SACK_PERMITTED:
+ if (opsize == TCPOLEN_SACK_PERMITTED)
+ printf("--sack-perm ");
+ break;
+ }
+
+ ptr += opsize - 2;
+ length -= opsize;
+ }
+ }
+ printf("\n");
+ return 1;
+}
+
+static void probe_host(const char *host)
+{
+ struct sockaddr_in sin;
+ char pcap_errbuf[PCAP_ERRBUF_SIZE];
+ struct pcap_pkthdr pkthdr;
+ const uint8_t *data;
+ struct bpf_program fp;
+ pcap_t *ph;
+ int fd;
+
+ ph = pcap_create(iface, pcap_errbuf);
+ if (ph == NULL) {
+ perror("pcap_create");
+ goto err1;
+ }
+
+ if (pcap_setnonblock(ph, 1, pcap_errbuf) == -1) {
+ perror("pcap_setnonblock");
+ goto err2;
+ }
+
+ if (pcap_setfilter(ph, &fp) == -1) {
+ pcap_perror(ph, "pcap_setfilter");
+ goto err2;
+ }
+
+ if (pcap_activate(ph) != 0) {
+ pcap_perror(ph, "pcap_activate");
+ goto err2;
+ }
+
+ if (pcap_compile(ph, &fp, "src host 127.0.0.1 and tcp and src port 80",
+ 1, PCAP_NETMASK_UNKNOWN) == -1) {
+ pcap_perror(ph, "pcap_compile");
+ goto err2;
+ }
+
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ if (fd < 0) {
+ perror("socket");
+ goto err3;
+ }
+
+ memset(&sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sin.sin_port = htons(port);
+ sin.sin_addr.s_addr = inet_addr(host);
+
+ if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+ perror("connect");
+ goto err4;
+ }
+
+ for (;;) {
+ data = pcap_next(ph, &pkthdr);
+ if (data == NULL)
+ break;
+ if (parse_packet(host, data))
+ break;
+ }
+
+ close(fd);
+
+err4:
+ close(fd);
+err3:
+ pcap_freecode(&fp);
+err2:
+ pcap_close(ph);
+err1:
+ return;
+}
+
+enum {
+ OPT_HELP = 'h',
+ OPT_IFACE = 'i',
+ OPT_PORT = 'p',
+ OPT_CHAIN = 'c',
+};
+
+static const struct option options[] = {
+ { .name = "help", .has_arg = false, .val = OPT_HELP },
+ { .name = "iface", .has_arg = true, .val = OPT_IFACE },
+ { .name = "port" , .has_arg = true, .val = OPT_PORT },
+ { .name = "chain", .has_arg = true, .val = OPT_CHAIN },
+ { }
+};
+
+static void print_help(const char *name)
+{
+ printf("%s [ options ] address...\n"
+ "\n"
+ "Options:\n"
+ " -i/--iface Outbound interface\n"
+ " -p/--port Port number to probe\n"
+ " -c/--chain Chain name to use for rules\n"
+ " -h/--help Show this help\n",
+ name);
+}
+
+int main(int argc, char **argv)
+{
+ int optidx = 0, c;
+
+ for (;;) {
+ c = getopt_long(argc, argv, "hi:p:c:", options, &optidx);
+ if (c == -1)
+ break;
+
+ switch (c) {
+ case OPT_IFACE:
+ iface = optarg;
+ break;
+ case OPT_PORT:
+ port = atoi(optarg);
+ break;
+ case OPT_CHAIN:
+ chain = optarg;
+ break;
+ case OPT_HELP:
+ print_help(argv[0]);
+ exit(0);
+ case '?':
+ print_help(argv[0]);
+ exit(1);
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ while (argc > 0) {
+ probe_host(*argv);
+ argc--;
+ argv++;
+ }
+ return 0;
+}