From 71886fbb48ef50e212c43f5d7dffbab86f9ae31c Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Wed, 25 Feb 2009 08:25:17 +0100
Subject: iptables: Add limits.h to get INT_MIN, INT_MAX, ... Fix build failure of iptables utilities on debian/ubuntu, maybe other distros. The values INT_MIN and INT_MAX are used by many filters and these are defined in limits.h --- patch against current iptables.git
Signed-off-by: Patrick McHardy
---
 include/xtables.h.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 3f556c1c..d86276e7 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -8,6 +8,7 @@
 #include /* PF_* */
 #include
+#include
 #include
 #include
 #include
--
cgit v1.2.3
From 409f2a8e3b2706c8c6c5e345a4bc77fca8ad7105 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 2 Mar 2009 11:46:55 +0100
Subject: string: fix wrong pattern length calculation This fixes a problem introduced in 37b4bde745698bf140d74e59a2561f34deeb8726 that leads to the wrong calculation of the pattern length in the string match.
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_string.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 5ea529e4..ba4b720a 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -64,9 +64,10 @@ static void string_init(struct xt_entry_match *m)
 static void
 parse_string(const char *s, struct xt_string_info *info)
 {
+ /* xt_string does not need \0 at the end of the pattern */
 if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
 strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
- info->patlen = strlen(s);
+ info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
 return;
 }
 xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
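Review bot: In parse_string (extensions/libxt_string.c, first hunk), a pattern of exactly XT_STRING_MAX_PATTERN_SIZE bytes passes the `<=` check and strncpy then leaves info->pattern with no terminating NUL, so every reader of that buffer has to bound itself by info->patlen; the added comment should say so, for example `/* pattern is not NUL-terminated at max length; readers must use patlen */`. Inside the branch, `strnlen(s, XT_STRING_MAX_PATTERN_SIZE)` can only return what strlen(s) already returned, so taking the length once (`size_t len = strlen(s);`) and reusing it for the check and for patlen would read more clearly. With the recomputation in string_parse removed by the third hunk, patlen is now set only where the pattern is filled in, so any other code path that writes info->pattern (none is visible in this diff) has to set patlen as well. The closing brace of parse_string is outside the hunk.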
@@ -75,7 +76,8 @@ parse_string(const char *s, struct xt_string_info *info)
 static void
 parse_algo(const char *s, struct xt_string_info *info)
 {
- if (strlen(s) <= XT_STRING_MAX_ALGO_NAME_SIZE) {
+ /* xt_string needs \0 for algo name */
+ if (strlen(s) < XT_STRING_MAX_ALGO_NAME_SIZE) {
 strncpy(info->algo, s, XT_STRING_MAX_ALGO_NAME_SIZE);
 return;
 }
@@ -208,8 +210,6 @@ string_parse(int c, char **argv, int invert, unsigned int *flags,
 else
 stringinfo->u.v1.flags |= XT_STRING_FLAG_INVERT;
 }
- stringinfo->patlen = strnlen((char *)&stringinfo->pattern,
- sizeof(stringinfo->patlen));
 *flags |= STRING;
 break;
--
cgit v1.2.3
From f503cb8ad6360ca646e985f02c2eb0c4bfe8a2c8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 3 Mar 2009 17:46:17 +0100
Subject: iptables: fix broken options-merging during libxtables rework This patch fixes options-merging that was broken somewhere during the libxtables rework. Before this patch, two pointers were used to keep the current options, however, the options field in xt_params was not appropritely updated. Thus, xtables_free_opts() was not restoring the original options. This patch fixes iptables-restore and ip6tables-restore that stopped working in my personal firewall. % iptables-restore *filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED' Error occurred at line: 4 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Signed-off-by: Pablo Neira Ayuso
---
 ip6tables.c | 2 +-
 iptables.c | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index 87663ef3..54366b05 100644
--- a/ip6tables.c
+++ b/ip6tables.c
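Review bot: In parse_algo (extensions/libxt_string.c, second hunk), the NUL guarantee rests on two things the new comment does not mention: the strict `<` bound and strncpy zero-filling the remainder of the destination. I would extend the comment to `/* xt_string needs \0 for algo name; strlen < size, so strncpy zero-pads */`. Both the bound and the copy use XT_STRING_MAX_ALGO_NAME_SIZE rather than the buffer itself, so this holds only if info->algo is declared with exactly that size, which the diff does not show. The body of parse_algo continues outside the hunk.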
@@ -141,7 +141,6 @@ static struct option original_opts[] = {
 * magic number of -1 */
 int line = -1;
-static struct option *opts = original_opts;
 void ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals ip6tables_globals = {
 .option_offset = 0,
@@ -194,6 +193,7 @@ static int inverse_for_options[NUMBER_OF_OPT] =
 /* -c */ 0,
 };
+#define opts ip6tables_globals.opts
 #define prog_name ip6tables_globals.program_name
 #define prog_vers ip6tables_globals.program_version
 /* A few hardcoded protocols for 'all' and in case the user has no
diff --git a/iptables.c b/iptables.c
index bd177c73..8e37beee 100644
--- a/iptables.c
+++ b/iptables.c
@@ -140,8 +140,6 @@ static struct option original_opts[] = {
 * magic number of -1 */
 int line = -1;
-static struct option *opts = original_opts;
-
 void iptables_exit_error(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 struct xtables_globals iptables_globals = {
@@ -196,6 +194,7 @@ static int inverse_for_options[NUMBER_OF_OPT] =
 /* -c */ 0,
 };
+#define opts iptables_globals.opts
 #define prog_name iptables_globals.program_name
 #define prog_vers iptables_globals.program_version
--
cgit v1.2.3
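Review bot: In the second hunk of ip6tables.c and of iptables.c, the new `#define opts ip6tables_globals.opts` / `#define opts iptables_globals.opts` replaces a static that started out as `original_opts`, but nothing visible in this diff gives the `.opts` member that initial value. The `struct xtables_globals` initializer begins in the first hunk of each file and continues outside it, so please confirm it contains `.opts = original_opts,`; otherwise the first option parse would start from a null table. The macro name is also a plain lowercase word, so every later `opts` token in the file is rewritten, including a member access such as `p->opts` (constructed example). A short comment above the define, e.g. `/* opts aliases the globals member so xtables_free_opts() sees the merged table */`, would record why the alias exists.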