path: root/xtables.c
Commit message (author, date, files changed, lines removed/added)
* libxtables: output name of extension on rev detect failure (Jan Engelhardt, 2011-05-08, 1 file, -2/+2)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: guided option parser (Jan Engelhardt, 2011-04-06, 1 file, -19/+6)
  This patchset seeks to drastically reduce the code in the individual extensions by centralizing their argument parsing (breakdown of strings), validation, and in part, assignment. As a secondary goal, this reduces the number of static storage duration variables in flight.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* mark newly opened fds as FD_CLOEXEC (close on exec) (Maciej Zenczykowski, 2011-04-04, 1 file, -0/+11)
  (This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)
  Signed-off-by: Maciej Zenczykowski <maze@google.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* xtables: use all IPv6 addresses resolved from a hostname (Wes Campaigne, 2011-02-27, 1 file, -17/+12)
  Fixes a long-standing issue where host_to_ip6addr would only ever examine/return the first item of the address chain returned by getaddrinfo, instead of traversing the chain and copying each of them. This has always been how host_to_ip6addr behaves, and all of the other related IPv6 code is already written to handle multiple possible addresses.
  [Style fixups. Removal of redundant i<*naddrs check. -j.eng]
  Signed-off-by: Wes Campaigne <westacular@gmail.com>
* xtables: fix the broken detection/removal of redundant addresses (Wes Campaigne, 2011-02-27, 1 file, -4/+14)
  [To observe this issue, populate a hostname (DNS or local db) with multiple addresses across multiple subnets (cf. prefixlen below)

  # e.g. /etc/hosts
  127.0.0.2 lo-x
  127.0.0.3 lo-x
  127.0.1.4 lo-x
  127.0.1.5 lo-x
  127.0.2.6 lo-x

  Then invoke xtables_ipparse_any by e.g. `-m conntrack --ctorigsrc lo-x/24`. -j.eng]

  This same block of code, apparently to detect if addresses are identical after applying the mask, and to skip the duplicates and the ones made redundant by the mask, has been present and unchanged from as far back as I could find (circa iptables 1.2).

  By inspection, it was wrong, and always has been: once the code finds a duplicate, it will drop the rest of the array one by one as it re-detects the same duplicate over and over. When the addresses came from a single hostname lookup, and their order was random, then this created unpredictable behaviour by iptables, which seemed to ignore some of those addresses at random times.

  I suspect the original idea also involved a swap between the duplicate and the address from the (current) end of the array, but a line of code to do that seems to have never existed. I have finally added it. (Well, as much as is needed: there does not need to be a full swap, because we are just going to ignore the duplicate, pretend the array is one shorter, and never look at the contents of the end again. So, we can get away with just copying from the end.)

  [Reword comment about shuffle: replace by mentioning tail copy to replace dup. -j.eng]

  Signed-off-by: Wes Campaigne <westacular@gmail.com>
* xtables: fix excessive memory allocation in host_to_ipaddr (Wes Campaigne, 2011-02-26, 1 file, -1/+1)
  host_to_ipaddr was unnecessarily asking for an array of length n^2 to store just n addresses.
  Signed-off-by: Wes Campaigne <westacular@gmail.com>
* libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6 (Wes Campaigne, 2011-02-22, 1 file, -2/+0)
  [Split hunk from Wes's submission. Added commit message. -j.eng]

  ai_protocol normally specifies the L4 protocol one wants to specifically inquire about when a service (2nd parameter to getaddrinfo) is specified. Such a service lookup would potentially yield nothing, because there just is not any "mytunnel 2222/ipv6" in /etc/services, since IPPROTO_IPV6 itself is not a protocol with a concept of (port-based) services to begin with.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: fix memory scribble beyond end of array (Jan Engelhardt, 2011-02-21, 1 file, -2/+2)
  When using -s "", the "n" variable in the code remains uninitialized and usually scribbles beyond the end of the array.

  Furthermore, "n" is just as big as entries in the last host lookup. When specifying more than one item to -s, e.g. "-s host,host", "n" is less than "count", and we are not masking the addresses at all (leaving them at addr/32 resp. addr/128).

  The issue goes back to the initial code from v1.4.5~21.

  References: http://bugs.debian.org/611990
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: use strspn() to check if string needs to be quoted (Max Kellerman, 2011-02-17, 1 file, -1/+1)
  Problem: the call xtables_save_string("'") prints just a single quote, not enclosed in double quotes and not escaped.

  Steps to reproduce:

  $ iptables -A foo -m comment --comment "'" -j ACCEPT
  $ iptables-multi save|grep foo
  -A foo -m comment --comment ' -j ACCEPT

  The cause was the use of strcspn() to locate the first character which justified quoting the string in double quotes. That however was wrong, because the way strcspn() was called, it returned a pointer to the first character that was not to be escaped, which did the right thing most of the time, but not for strings consisting only of quote characters. This patch changes strcspn() to strspn().

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: do not print trailing whitespaces (Jan Engelhardt, 2011-01-31, 1 file, -3/+3)
  Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :)

  Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away.

  References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: set custom opts to NULL on free (Jan Engelhardt, 2011-01-31, 1 file, -1/+3)
  When inside ip6tables-restore, xtables_free_opts can be called multiple times, especially when trying to exit with an error message from outside do_command. So set it to NULL so that we do not attempt to free a dangling pointer.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: improve error reporting with extension loading troubles (Jan Engelhardt, 2011-01-31, 1 file, -26/+27)
  ip6tables v1.4.8: Could not load match "osf": /usr/lib/xtables/libip6t_osf.so: cannot open shared object file: No such file or directory

  Given that libxt_osf.so exists, a better error is now emitted.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=637
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: fix typo in error message of xtables_register_match() (Li Yewang, 2011-01-09, 1 file, -1/+1)
  Signed-off-by: Li Yewang <lyw@cn.fujitsu.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: do some option structure checking (Jan Engelhardt, 2011-01-08, 1 file, -0/+17)
  libxt_recent's use of numeric values >200 always looked worrisome. Now here is a validation routine for such.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* ip[6]tables: only call match's parse function when option char is in range (Jan Engelhardt, 2011-01-08, 1 file, -2/+2)
  Normally, extensions use a "default:" case in switch(c) to just return if they do not handle c. Apparently, libip6t_hl does that too late and checks for hl-specific parsing state before it has established that c refers to one of its own options. Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.

  One way to fix this is to move the flags checks into case '2', '3', '4'. Doing this replication feels bad, so as an alternative, let's just free extensions from having to deal with other extension's options passing thru.

  References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: reorder num_old subtraction for clarity (Jan Engelhardt, 2011-01-08, 1 file, -4/+7)
  When going over this again, I noticed we happen to malloc too much. That is no problem, but I felt moving the num_old adjustment upwards makes things more clear, and also addresses the allocation.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX types (Jan Engelhardt, 2011-01-08, 1 file, -5/+5)
  "u_int" was a non-standardized extension predating C99 on some platforms.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not emit orig_opts twice (Jan Engelhardt, 2010-11-28, 1 file, -0/+4)
  This just happened to cross my eye; there was no error, but fixing this up saves a pitfall, and some memory.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix longopt recognition and workaround getopt(3) behavior (Jan Engelhardt, 2010-11-15, 1 file, -1/+2)
  * On the first call to getopt, opts was NULL, so long options would not be recognized until a match/target was loaded.

  Whacky getopt behavior:

  * If the longopts parameter is NULL, getopt fails to recognize unknown options, such that `iptables-multi main --append` will print a garbage help message ("main needs an argument").

  * If the longopts parameter is NULL on the first call, but not on subsequent calls, it completely screws up option parsing, taking the --dport in `iptables-multi main -A INPUT -p tcp --dport 1000` as --destination instead, but not accepting "--destination 1.2.3.4" either.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: change option precedence order to be intuitive (Jan Engelhardt, 2010-10-29, 1 file, -22/+28)
  When using `-m mark --mark 2 -m connmark --mark 2`, the user currently gets an error about the (libxt_mark) --mark option being used twice. This is because libxt_connmark's option table does not override any previous options. This patch changes this behavior, since the current behavior does not allow connmark's option to be used at all, which is illogical.

  Cc: Florian Westphal <fw@strlen.de>
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* xtables: remove unnecessary cast (Jan Engelhardt, 2010-08-03, 1 file, -1/+1)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: remove xtables_set_revision function (Jan Engelhardt, 2010-06-07, 1 file, -8/+0)
  Since iptables uses its own copies of the header files anyway where the revision field is exposed, there is no reach to access name[] beyond its size.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: another try at chain name length checking (Jan Engelhardt, 2010-06-07, 1 file, -6/+4)
  Since XT_EXTENSION_MAXNAMELEN is now available, make use of it and clear the confusion.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: fix compilation when debugging is enabled (Patrick McHardy, 2010-05-20, 1 file, -1/+1)
  Reported by yang.xuhui@jfsys.com.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: correctly check for too-long chain/target/match names (Jan Engelhardt, 2010-03-16, 1 file, -0/+5)
  * iptables-restore was not checking for chain name length
  * iptables was not checking for match name length
  * target length was checked against 32, not 29.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Lift restrictions on interface names (Jan Engelhardt, 2010-02-09, 1 file, -6/+5)
  The kernel has few restrictions.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: hand argv to xtables_check_inverse (Jan Engelhardt, 2009-11-03, 1 file, -1/+2)
  In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* style: reduce indent in xtables_check_inverse (Jan Engelhardt, 2009-10-29, 1 file, -16/+16)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: restore --disable-ipv6 functionality on system w/o v6 headers (Olaf Rempel, 2009-10-29, 1 file, -1/+2)
  Commit 332e4acc (iptables: accept multiple IP address specifications for -s, d) broke the --disable-ipv6 configure option.

  > ./.libs/libxtables.so: undefined reference to `in6addr_any'

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Support for nommu arches (Jan Engelhardt, 2009-10-25, 1 file, -1/+1)
  Linux systems that lack a MMU cannot call fork(). Fortunately, the only place in iptables that uses fork() follows it by an exec(), so we can easily convert the code to vfork().

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=614
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: warn of missing version identifier in extensions (Jan Engelhardt, 2009-06-26, 1 file, -0/+10)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: add multi-registration functions (Jan Engelhardt, 2009-06-26, 1 file, -0/+14)
  Similar to the ones that are present in the kernel.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: accept multiple IP address specifications for -s, -d (Michael Granzow, 2009-06-26, 1 file, -0/+175)
  libiptc already supports adding and deleting multiple rules with different addresses, so it only needs to be wired up to the options.

  # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP

  References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

  Adjustments made: syntax, removal of unneeded variables, manpage adjustment, soversion bump.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: fix segfault if incorrect protocol name is used (Pablo Neira Ayuso, 2009-05-12, 1 file, -0/+3)
  This patch fixes a segfault that can be triggered if you use an incorrect protocol, e.g.

  # iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
  Segmentation fault

  With this patch:

  # iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
  iptables v1.4.3.2: unknown protocol `lala' specified
  Try `iptables -h' or 'iptables --help' for more information

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: provide IPv6 zero address variable (Jan Engelhardt, 2009-04-03, 1 file, -1/+2)
  µClibc may not provide the in6addr_any variable when IPv6 is disabled. So just provide it ourselves.

  Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: fix compile error due to incomplete change (Peter Volkov, 2009-03-24, 1 file, -1/+1)
  Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update the constant in one place, and the compile error triggered only when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add missing limits.h include (Jan Engelhardt, 2009-02-21, 1 file, -0/+1)
  Thanks to Stephen Hemminger for noticing.
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: inline and remove unused OPTION_OFFSET macro (Jan Engelhardt, 2009-02-21, 1 file, -1/+1)
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: general follow-up cleanup (Jamal Hadi Salim, 2009-02-13, 1 file, -15/+12)
  Kill program_name, program_version and xtables_program_name.
  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate init calls into one function (Jamal Hadi Salim, 2009-02-13, 1 file, -25/+32)
  Introduce xtables_init_all() which hides three calls xtables_init(), xtables_set_nfproto(), and xtables_set_params(). Make ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone use it.

  I moved xtables_set_params around for readability reasons.

  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate merge_options into xtables_merge_options (Jamal Hadi Salim, 2009-02-13, 1 file, -0/+31)
  Introduce xtables_merge_options() for re-use reasons. Apps can use it instead of each defining their own merge_options(). Made iptables and ip6tables use the new shared interface.
  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: make iptables and ip6tables use xtables_free_opts (Jamal Hadi Salim, 2009-02-12, 1 file, -5/+4)
  The patch modifies xtables_globals to introduce orig_opts and xtables_free_opts() to emulate what free_opts used to do. We also get rid of the copies of free_opts() that iptables and ip6tables keep.
  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: add xtables_set_revision (Jamal Hadi Salim, 2009-02-12, 1 file, -0/+8)
  Introduce xtables_set_revision() and make iptables and ip6tables use it.
  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: flush before fork (Jan Engelhardt, 2009-02-12, 1 file, -0/+6)
  Reference: http://bugs.debian.org/514869
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptables (Patrick McHardy, 2009-02-12, 1 file, -0/+22)
  The two commits below, indented, came in through this merge.
  * libxtables: move compat defines to xtables.c (Jan Engelhardt, 2009-02-10, 1 file, -0/+9)
    Addendum to commit v1.4.3-rc1-41-g77f48c2 where the macro users got moved.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable (Jan Engelhardt, 2009-02-10, 1 file, -0/+13)
    Commit v1.4.3-rc1-47-g300e290 tried to consolidate the environment variable presence checking code into xtables.c, but missed adding IP6TABLES_LIB_DIR to libxtables.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: simple aliasing macro for exit_error (Jamal Hadi Salim, 2009-02-11, 1 file, -21/+24)
  Rename xtables_globals exit_error cb to exit_err and introduce a very simple aliasing macro to point to it. Convert iptables, ip6tables and iptables_xml to use it.

  Note iptables_xml does not have to define its own exit_error() since it can use the basic one provided.

  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: Replace direct exit_error() calls inside libxtables (Jamal Hadi Salim, 2009-02-11, 1 file, -18/+18)
  Replace direct exit_error() calls inside libxtables with xt_params->exit_error(). With this change, I can now compile the useless app:

  -----
  #include <xtables.h>

  int main(int argc, char **argv)
  {
          return 0;
  }
  ----

  with "gcc useless.c -lxtables -ldl"

  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: Add exit_error cb to xtables_globals (Jamal Hadi Salim, 2009-02-11, 1 file, -1/+18)
  Introduce exit_error() as part of xtables_globals structure. When an application registers its xtables_globals definition and does not specify its exit_error() it gets assigned a basic version.
  Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
  Signed-off-by: Patrick McHardy <kaber@trash.net>