Diffstat (limited to 'iptables')
-rw-r--r--iptables/Makefile.am4
-rw-r--r--iptables/ip6tables-restore.c3
-rw-r--r--iptables/ip6tables.8.in3
-rw-r--r--iptables/ip6tables.c9
-rwxr-xr-xiptables/iptables-apply25
-rw-r--r--iptables/iptables-restore.c3
-rw-r--r--iptables/iptables-xml.c3
-rw-r--r--iptables/iptables.8.in3
-rw-r--r--iptables/iptables.c10
-rw-r--r--iptables/xshared.c33
-rw-r--r--iptables/xshared.h2
-rw-r--r--iptables/xtables.c20
-rw-r--r--iptables/xtoptions.c4
13 files changed, 82 insertions, 40 deletions
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index 13cca9c6..a0682788 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -51,10 +51,10 @@ v6_sbin_links = ip6tables ip6tables-restore ip6tables-save
endif
iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches4.man' -e '/@TARGET@/ r ../extensions/targets4.man' $< >$@;
ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
- ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
+ ${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r ../extensions/matches6.man' -e '/@TARGET@/ r ../extensions/targets6.man' $< >$@;
pkgconfig_DATA = xtables.pc
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 420bc523..ae147d55 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -460,7 +460,6 @@ int main(int argc, char *argv[])
exit(1);
}
- if (in != NULL)
- fclose(in);
+ fclose(in);
return 0;
}
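Review bot: `fclose(in)` is now unconditional, but the part of main where `in` is assigned lies outside the hunk, so it cannot be confirmed from here that every path reaching this line leaves `in` non-NULL; if any open failure or help path falls through instead of exiting, the dropped guard turns into a NULL dereference in fclose. The same guard removal appears in the iptables-restore.c and iptables-xml.c hunks. A one-line comment stating the invariant the removal relies on would help the next reader, e.g. `/* in is always an open stream here */`.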
diff --git a/iptables/ip6tables.8.in b/iptables/ip6tables.8.in
index 48ba18e1..20e271de 100644
--- a/iptables/ip6tables.8.in
+++ b/iptables/ip6tables.8.in
@@ -333,7 +333,8 @@ byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
+detailed information on the rule or rules to be printed. \fB\-v\fP may be
+specified multiple times to possibly emit more detailed debug statements.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4037acfb..d13744ca 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1288,8 +1288,7 @@ static void command_jump(struct iptables_command_state *cs)
cs->target->t->u.target_size = size;
strcpy(cs->target->t->u.user.name, cs->jumpto);
cs->target->t->u.user.revision = cs->target->revision;
- if (cs->target->init != NULL)
- cs->target->init(cs->target->t);
+ xs_init_target(cs->target);
if (cs->target->x6_options != NULL)
opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts,
cs->target->x6_options,
@@ -1317,8 +1316,7 @@ static void command_match(struct iptables_command_state *cs)
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
+ xs_init_match(m);
if (m == m->next)
return;
/* Merge options for non-cloned matches */
@@ -1839,8 +1837,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
cs.target->t = xtables_calloc(1, size);
cs.target->t->u.target_size = size;
strcpy(cs.target->t->u.user.name, cs.jumpto);
- if (cs.target->init != NULL)
- cs.target->init(cs.target->t);
+ xs_init_target(cs.target);
}
if (!cs.target) {
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 5fec76b0..86b8d5a2 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -11,7 +11,6 @@ PROGNAME="${0##*/}";
VERSION=1.0
TIMEOUT=10
-DEFAULT_FILE=/etc/network/iptables
function blurb()
{
@@ -87,6 +86,19 @@ for opt in $OPTS; do
shift
done
+case "$PROGNAME" in
+ (*6*)
+ SAVE=ip6tables-save
+ RESTORE=ip6tables-restore
+ DEFAULT_FILE=/etc/network/ip6tables
+ ;;
+ (*)
+ SAVE=iptables-save
+ RESTORE=iptables-restore
+ DEFAULT_FILE=/etc/network/iptables
+ ;;
+esac
+
FILE="${1:-$DEFAULT_FILE}";
if [[ -z "$FILE" ]]; then
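Review bot: DEFAULT_FILE is now assigned only after the option loop (the `done` just above the new case), whereas the top-level assignment removed in the first hunk made it available to `blurb` and the option handling; if the usage text or a help option interpolates `$DEFAULT_FILE`, it now expands empty — those functions are outside the hunk, so this needs confirming. Nothing in the new `case "$PROGNAME"` block depends on option parsing, so it can simply move up to where `DEFAULT_FILE=/etc/network/iptables` used to be, keeping SAVE/RESTORE/DEFAULT_FILE defined before any function body runs.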
@@ -99,17 +111,6 @@ if [[ ! -r "$FILE" ]]; then
exit 2
fi
-case "${0##*/}" in
- (*6*)
- SAVE=ip6tables-save
- RESTORE=ip6tables-restore
- ;;
- (*)
- SAVE=iptables-save
- RESTORE=iptables-restore
- ;;
-esac
-
COMMANDS=(tempfile "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 26245997..1cb833c0 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -465,7 +465,6 @@ main(int argc, char *argv[])
exit(1);
}
- if (in != NULL)
- fclose(in);
+ fclose(in);
return 0;
}
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 5aa638c0..502b2d96 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -865,8 +865,7 @@ main(int argc, char *argv[])
exit(1);
}
- if (in != NULL)
- fclose(in);
+ fclose(in);
printf("</iptables-rules>\n");
free_argv();
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index d09bf7aa..3b717a11 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -332,7 +332,8 @@ byte counters are also listed, with the suffix 'K', 'M' or 'G' for
1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see
the \fB\-x\fP flag to change this).
For appending, insertion, deletion and replacement, this causes
-detailed information on the rule or rules to be printed.
+detailed information on the rule or rules to be printed. \fB\-v\fP may be
+specified multiple times to possibly emit more detailed debug statements.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output.
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 4ae75419..477e8f1d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1315,8 +1315,8 @@ static void command_jump(struct iptables_command_state *cs)
cs->target->t->u.target_size = size;
strcpy(cs->target->t->u.user.name, cs->jumpto);
cs->target->t->u.user.revision = cs->target->revision;
- if (cs->target->init != NULL)
- cs->target->init(cs->target->t);
+ xs_init_target(cs->target);
+
if (cs->target->x6_options != NULL)
opts = xtables_options_xfrm(iptables_globals.orig_opts, opts,
cs->target->x6_options,
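Review bot: The blank line added after `xs_init_target(cs->target);` in command_jump has no counterpart in the otherwise line-for-line identical ip6tables.c hunk, so the two parallel functions now diverge in layout. Either drop the blank line here or add it in ip6tables.c; purely cosmetic, but the two files are easier to keep in sync when their diffs line up.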
@@ -1344,8 +1344,7 @@ static void command_match(struct iptables_command_state *cs)
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
+ xs_init_match(m);
if (m == m->next)
return;
/* Merge options for non-cloned matches */
@@ -1871,8 +1870,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
strcpy(cs.target->t->u.user.name, cs.jumpto);
if (!iptc_is_chain(cs.jumpto, *handle))
cs.target->t->u.user.revision = cs.target->revision;
- if (cs.target->init != NULL)
- cs.target->init(cs.target->t);
+ xs_init_target(cs.target);
}
if (!cs.target) {
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 0e3857bb..79da507d 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -145,8 +145,7 @@ int command_default(struct iptables_command_state *cs,
m->m->u.match_size = size;
strcpy(m->m->u.user.name, m->name);
m->m->u.user.revision = m->revision;
- if (m->init != NULL)
- m->init(m->m);
+ xs_init_match(m);
if (m->x6_options != NULL)
gl->opts = xtables_options_xfrm(gl->orig_opts,
@@ -207,3 +206,33 @@ int subcmd_main(int argc, char **argv, const struct subcommand *cb)
fprintf(stderr, " * %s\n", cb->name);
exit(EXIT_FAILURE);
}
+
+void xs_init_target(struct xtables_target *target)
+{
+ if (target->udata_size != 0) {
+ free(target->udata);
+ target->udata = calloc(1, target->udata_size);
+ if (target->udata == NULL)
+ xtables_error(RESOURCE_PROBLEM, "malloc");
+ }
+ if (target->init != NULL)
+ target->init(target->t);
+}
+
+void xs_init_match(struct xtables_match *match)
+{
+ if (match->udata_size != 0) {
+ /*
+ * As soon as a subsequent instance of the same match
+ * is used, e.g. "-m time -m time", the first instance
+ * is no longer reachable anyway, so we can free udata.
+ * Same goes for target.
+ */
+ free(match->udata);
+ match->udata = calloc(1, match->udata_size);
+ if (match->udata == NULL)
+ xtables_error(RESOURCE_PROBLEM, "malloc");
+ }
+ if (match->init != NULL)
+ match->init(match->m);
+}
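Review bot: Both new helpers hand-roll the allocation-failure path (`calloc` followed by `xtables_error(RESOURCE_PROBLEM, "malloc")`) while the callers in ip6tables.c and iptables.c already use the libxtables wrapper `xtables_calloc(1, size)` for the same job; `target->udata = xtables_calloc(1, target->udata_size);` (and likewise for match) removes three lines per function and also stops a calloc failure being reported as "malloc". The free-then-reallocate step relies on `->udata` being NULL on the first call, i.e. on extensions never initialising that member themselves, which cannot be checked from this hunk. The explanatory comment lives only in xs_init_match yet says "Same goes for target"; it reads better as a Doxygen-style comment on the two prototypes in xshared.h stating that any previous udata is discarded and a zeroed block of udata_size bytes is allocated before init runs.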
diff --git a/iptables/xshared.h b/iptables/xshared.h
index b44a3a35..b804aafe 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -81,6 +81,8 @@ extern int command_default(struct iptables_command_state *,
struct xtables_globals *);
extern struct xtables_match *load_proto(struct iptables_command_state *);
extern int subcmd_main(int, char **, const struct subcommand *);
+extern void xs_init_target(struct xtables_target *);
+extern void xs_init_match(struct xtables_match *);
extern const struct xtables_afinfo *afinfo;
diff --git a/iptables/xtables.c b/iptables/xtables.c
index acfcf8bd..c4b1c2a8 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -15,6 +15,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#include "config.h"
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
@@ -32,7 +33,11 @@
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
-#include <linux/magic.h> /* for PROC_SUPER_MAGIC */
+#if defined(HAVE_LINUX_MAGIC_H)
+# include <linux/magic.h> /* for PROC_SUPER_MAGIC */
+#elif defined(HAVE_LINUX_PROC_FS_H)
+# include <linux/proc_fs.h> /* Linux 2.4 */
+#endif
#include <xtables.h>
#include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
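Review bot: When neither HAVE_LINUX_MAGIC_H nor HAVE_LINUX_PROC_FS_H is defined, the new `#if`/`#elif` leaves PROC_SUPER_MAGIC undeclared and the build only fails later at the use site, outside this hunk, with a less obvious error. Add an `#else` arm that defines the constant to its documented kernel value, `# define PROC_SUPER_MAGIC 0x9fa0`, or at least `# error "no header providing PROC_SUPER_MAGIC"`, so the failure is reported where the decision is made.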
@@ -362,6 +367,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
/* not usually reached */
exit(1);
case -1:
+ free(buf);
return -1;
default: /* parent */
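Review bot: The fork-failure arm now frees `buf`, but the `default:` parent arm and the remainder of xtables_insmod are outside the hunk, so whether the parent path also releases `buf` after the child is reaped cannot be confirmed here; if it does not, the leak is only fixed on the error path. A single cleanup label reached by both arms (`ret = -1; goto out;` in the `-1` case, `out: free(buf); return ret;` at the end) would keep the two paths from drifting apart again.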
@@ -1042,8 +1048,10 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
case XTF_ONLY_ONCE:
p2 = va_arg(args, const char *);
b = va_arg(args, unsigned int);
- if (!b)
+ if (!b) {
+ va_end(args);
return;
+ }
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: \"%s\" option may only be specified once",
p1, p2);
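Review bot: The `if (!b) { va_end(args); return; }` block is repeated verbatim at XTF_NO_INVERT and XTF_ONE_ACTION in the two following hunks, duplicating the cleanup three times. Since the other branch calls `xt_params->exit_err`, which presumably does not return, and each case already ends in `break`, replacing `return;` with `break;` would let one trailing `va_end(args)` after the switch cover all three — provided such a trailing call exists, which lies outside the hunk.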
@@ -1051,8 +1059,10 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
case XTF_NO_INVERT:
p2 = va_arg(args, const char *);
b = va_arg(args, unsigned int);
- if (!b)
+ if (!b) {
+ va_end(args);
return;
+ }
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: \"%s\" option cannot be inverted", p1, p2);
break;
@@ -1065,8 +1075,10 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
break;
case XTF_ONE_ACTION:
b = va_arg(args, unsigned int);
- if (!b)
+ if (!b) {
+ va_end(args);
return;
+ }
xt_params->exit_err(PARAMETER_PROBLEM,
"%s: At most one action is possible", p1);
break;
diff --git a/iptables/xtoptions.c b/iptables/xtoptions.c
index ac0601f2..1423724b 100644
--- a/iptables/xtoptions.c
+++ b/iptables/xtoptions.c
@@ -908,6 +908,7 @@ void xtables_option_tpcall(unsigned int c, char **argv, bool invert,
cb.xflags = t->tflags;
cb.target = &t->t;
cb.xt_entry = fw;
+ cb.udata = t->udata;
t->x6_parse(&cb);
t->tflags = cb.xflags;
}
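Review bot: `cb.udata` is copied straight from `t->udata`, which the new xs_init_target in xshared.c allocates only when `udata_size != 0`, so extension callbacks receive NULL here for extensions that declare no udata; the same holds for the three following hunks (mpcall, tfcall, mfcall). A short comment at this first assignment would make that contract visible to extension authors: `/* NULL unless the extension declared udata_size */`.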
@@ -943,6 +944,7 @@ void xtables_option_mpcall(unsigned int c, char **argv, bool invert,
cb.xflags = m->mflags;
cb.match = &m->m;
cb.xt_entry = fw;
+ cb.udata = m->udata;
m->x6_parse(&cb);
m->mflags = cb.xflags;
}
@@ -1028,6 +1030,7 @@ void xtables_option_tfcall(struct xtables_target *t)
cb.ext_name = t->name;
cb.data = t->t->data;
cb.xflags = t->tflags;
+ cb.udata = t->udata;
t->x6_fcheck(&cb);
} else if (t->final_check != NULL) {
t->final_check(t->tflags);
@@ -1048,6 +1051,7 @@ void xtables_option_mfcall(struct xtables_match *m)
cb.ext_name = m->name;
cb.data = m->m->data;
cb.xflags = m->mflags;
+ cb.udata = m->udata;
m->x6_fcheck(&cb);
} else if (m->final_check != NULL) {
m->final_check(m->mflags);