From 6e70f46f2a146bb7c657f71724c999147a5925dc Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 24 Mar 2009 13:08:24 +0100 Subject: iptables: refer to dmesg if we hit EINVAL With this patch, iptables refers to dmesg for further troubleshooting if we hit EINVAL. Signed-off-by: Pablo Neira Ayuso --- ip6tables-standalone.c | 14 ++++++++++---- iptables-standalone.c | 11 ++++++++--- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c index c0ca6459..649ac3d8 100644 --- a/ip6tables-standalone.c +++ b/ip6tables-standalone.c @@ -68,10 +68,16 @@ main(int argc, char *argv[]) ip6tc_free(handle); } - if (!ret) - fprintf(stderr, "ip6tables: %s. " - "Run `dmesg' for more information.\n", - ip6tc_strerror(errno)); + if (!ret) { + if (errno == EINVAL) { + fprintf(stderr, "ip6tables: %s. " + "Run `dmesg' for more information.\n", + ip6tc_strerror(errno)); + } else { + fprintf(stderr, "ip6tables: %s.\n", + ip6tc_strerror(errno)); + } + } exit(!ret); } diff --git a/iptables-standalone.c b/iptables-standalone.c index 208f71d7..91853884 100644 --- a/iptables-standalone.c +++ b/iptables-standalone.c @@ -69,9 +69,14 @@ main(int argc, char *argv[]) } if (!ret) { - fprintf(stderr, "iptables: %s. " - "Run `dmesg' for more information.\n", - iptc_strerror(errno)); + if (errno == EINVAL) { + fprintf(stderr, "iptables: %s. " + "Run `dmesg' for more information.\n", + iptc_strerror(errno)); + } else { + fprintf(stderr, "iptables: %s.\n", + iptc_strerror(errno)); + } if (errno == EAGAIN) { exit(RESOURCE_PROBLEM); } -- cgit v1.2.3 From ed7925b77010dd17531ea0424b49d2b72af4add9 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 24 Mar 2009 22:26:25 +0100 Subject: libxt_tcpmss: fix an inversion while parsing --mss Signed-off-by: Jan Engelhardt --- extensions/libxt_tcpmss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c index 43a4a0d8..46529f97 100644 
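Review bot: The new `errno == EINVAL` test in ip6tables-standalone.c reads errno only after the `ip6tc_free(handle)` shown in the context lines has run, so if that cleanup path touches errno the branch taken (and the string passed to `ip6tc_strerror(errno)`) may describe the wrong failure; the same ordering applies to the iptables-standalone.c hunk, where the later `errno == EAGAIN` check is affected too. Capturing the value right after the operation that failed, `int saved_errno = errno;`, and testing/printing `saved_errno` would make the diagnostic independent of what runs in between; that failing call is above both hunks, inside main(). As a style point, the two fprintf branches differ only in whether the dmesg hint is appended, so a single call with a `%s` for an optional suffix selected by `errno == EINVAL` would say the same in fewer lines.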
--- a/extensions/libxt_tcpmss.c +++ b/extensions/libxt_tcpmss.c @@ -26,7 +26,7 @@ parse_tcp_mssvalue(const char *mssvalue) { unsigned int mssvaluenum; - if (!xtables_strtoui(mssvalue, NULL, &mssvaluenum, 0, UINT16_MAX)) + if (xtables_strtoui(mssvalue, NULL, &mssvaluenum, 0, UINT16_MAX)) return mssvaluenum; xtables_error(PARAMETER_PROBLEM, -- cgit v1.2.3 From cdf51d0183213c4bcac9ef4818155c1d3fbb897e Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 24 Mar 2009 22:35:10 +0100 Subject: iptables-multi: support "iptables-static" as a callable name iptables multi-purpose version: unknown applet name iptables-static Signed-off-by: Jan Engelhardt --- ip6tables-multi.c | 3 ++- iptables-multi.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ip6tables-multi.c b/ip6tables-multi.c index 0bcfaced..3313bfdc 100644 --- a/ip6tables-multi.c +++ b/ip6tables-multi.c @@ -16,7 +16,8 @@ int main(int argc, char **argv) { } else { progname = basename(argv[0]); - if (!strcmp(progname, "ip6tables")) + if (!strcmp(progname, "ip6tables") || + strcmp(progname, "ip6tables-static") == 0) return ip6tables_main(argc, argv); if (!strcmp(progname, "ip6tables-save")) diff --git a/iptables-multi.c b/iptables-multi.c index 7ade3335..28c1737c 100644 --- a/iptables-multi.c +++ b/iptables-multi.c @@ -17,7 +17,8 @@ int main(int argc, char **argv) { } else { progname = basename(argv[0]); - if (!strcmp(progname, "iptables")) + if (!strcmp(progname, "iptables") || + strcmp(progname, "iptables-static") == 0) return iptables_main(argc, argv); if (!strcmp(progname, "iptables-save")) -- cgit v1.2.3 From c4edfa63eda06f02cc5bc1a65d366c55bd2eda30 Mon Sep 17 00:00:00 2001 
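Review bot: The corrected test in parse_tcp_mssvalue is only obviously right to a reader who knows that `xtables_strtoui()` signals success with a true return, the opposite of the strtol-style convention that the original inversion assumed; a one-line comment above it, `/* xtables_strtoui() returns true on a successful in-range conversion */`, would keep a future edit from reintroducing the bug. The `xtables_error()` call and the end of the function lie outside the hunk.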
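Review bot: The new condition in ip6tables-multi.c mixes two spellings of the same test, `!strcmp(progname, "ip6tables")` on one operand and `strcmp(progname, "ip6tables-static") == 0` on the other, and the iptables-multi.c hunk does the same; one form for both operands, e.g. `if (strcmp(progname, "ip6tables") == 0 || strcmp(progname, "ip6tables-static") == 0)`, reads more evenly. Since dispatch is by `basename(argv[0])` and the list of accepted applet names keeps growing, a short comment enumerating them above the first test would also help the next person adding one. main() continues outside both hunks.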
From: Jan Engelhardt Date: Mon, 30 Mar 2009 00:44:46 +0200 Subject: libxtables: reorder .version member When the structure's layout changes, as it did between v1.4.1 and v1.4.2, trying to compare the version string makes iptables segfault while it tries to determine whether the module is compatible in the first place. By moving the member to a known offset in the struct and keeping it there, objects (both iptables and 3rd party) compiled from this commit onwards will avoid the segfault. Signed-off-by: Jan Engelhardt --- configure.ac | 2 +- include/xtables.h.in | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 87f693f8..656bd372 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ AC_INIT([iptables], [1.4.3.1]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=1 +libxtables_vcurrent=2 libxtables_vage=0 AC_CONFIG_HEADERS([config.h]) diff --git a/include/xtables.h.in b/include/xtables.h.in index d86276e7..a399f90f 100644 --- a/include/xtables.h.in +++ b/include/xtables.h.in @@ -37,6 +37,12 @@ struct in_addr; /* Include file for additions: new matches and targets. */ struct xtables_match { + /* + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. + */ + const char *version; + struct xtables_match *next; const char *name; @@ -46,8 +52,6 @@ struct xtables_match u_int16_t family; - const char *version; - /* Size of match data. */ size_t size; @@ -93,8 +97,15 @@ struct xtables_match struct xtables_target { + /* + * ABI/API version this module requires. Must be first member, + * as the rest of this struct may be subject to ABI changes. + */ + const char *version; + struct xtables_target *next; + const char *name; /* Revision of target (0 by default). */ @@ -102,7 +113,6 @@ struct xtables_target u_int16_t family; - const char *version; /* Size of target data. */ size_t size; -- cgit v1.2.3 
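Review bot: The new comment on `version` in struct xtables_match says the member must stay first but not what that buys: the guarantee only helps if the loader reads nothing except `version` until the compatibility check has passed, and a consumer that touches `next` or `name` first is still exposed to the old-layout crash the commit message describes. Adding `Loaders must not read any other member until the version has been checked.` to the comment makes that contract explicit, and the same wording belongs on struct xtables_target in the third hunk. In that third hunk an extra blank line is inserted between `next` and `name`, which the xtables_match hunk does not do, so the two structs no longer read alike. Both struct definitions continue past their hunks.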
From c7f70f1b16ac9395bb13d1832b5c83b09594224f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 30 Mar 2009 01:28:44 +0200 Subject: build: do not run ldconfig for DESTDIR installations Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=560 Signed-off-by: Jan Engelhardt --- Makefile.am | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index c0181d49..30994746 100644 --- a/Makefile.am +++ b/Makefile.am @@ -111,7 +111,6 @@ tarball: config.status: extensions/GNUmakefile.in \ include/xtables.h.in include/iptables/internal.h.in -# ldconfig may fail when we are not root (as is the case in build systems) -# so add appropriate protection that it does not let `make` fail. +# Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: - -/sbin/ldconfig || :; + -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; -- cgit v1.2.3 From 8e58613df53f5f83e8ab92dec61d8065c68d967d Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Apr 2009 22:28:34 +0200 Subject: build: add configure option to disable ip6tables This also skips building the IPv6 extensions. It does not #ifdef out all code however, I think that would make it too ugly. Inspired-by: http://bugzilla.netfilter.org/show_bug.cgi?id=560 Signed-off-by: Jan Engelhardt --- Makefile.am | 11 ++++++++--- configure.ac | 4 ++++ extensions/GNUmakefile.in | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index 30994746..a6b726c5 100644 --- a/Makefile.am +++ b/Makefile.am 
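Review bot: The replacement comment on install-exec-hook drops the reason the old one gave, and the leading `-` on the recipe line is now undocumented even though it is still what keeps a non-root ldconfig failure from aborting make whenever DESTDIR is empty. Keeping both facts in one line would serve future readers better: `# Skip ldconfig for staged (DESTDIR) installs; the leading '-' keeps a failing ldconfig (e.g. non-root) from failing make.`. Minor style: `$(DESTDIR)` is the usual Automake spelling, and the trailing `;` after `fi` is not needed.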
@@ -85,11 +85,16 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ CLEANFILES = iptables.8 ip6tables.8 if ENABLE_STATIC -sbin_PROGRAMS += iptables-static ip6tables-static +sbin_PROGRAMS += iptables-static +if ENABLE_IPV6 +sbin_PROGRAMS += ip6tables-static +endif endif if ENABLE_SHARED -sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save \ - ip6tables ip6tables-multi ip6tables-restore ip6tables-save +sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save +if ENABLE_IPV6 +sbin_PROGRAMS += ip6tables ip6tables-multi ip6tables-restore ip6tables-save +endif endif iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man diff --git a/configure.ac b/configure.ac index 656bd372..eefcdac9 100644 --- a/configure.ac +++ b/configure.ac @@ -31,6 +31,9 @@ AC_ARG_WITH([xtlibdir], [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), [xtlibdir="$withval"], [xtlibdir="${libexecdir}/xtables"]) +AC_ARG_ENABLE([ipv6], + AS_HELP_STRING([--disable-ipv6], [Do not build ip6tables]), + [enable_ipv6="$enableval"], [enable_ipv6="yes"]) AC_ARG_ENABLE([devel], AS_HELP_STRING([--enable-devel], [Install Xtables development headers]), @@ -51,6 +54,7 @@ AC_SUBST([blacklist_modules]) AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"]) AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" = "yes"]) +AM_CONDITIONAL([ENABLE_IPV6], [test "$enable_ipv6" = "yes"]) AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 256ac08e..17dd5af7 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in 
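Review bot: With `--disable-ipv6` the ip6tables programs are no longer built, but `CLEANFILES = iptables.8 ip6tables.8` in this hunk's context still lists ip6tables.8 unconditionally, and man_MANS appears to as well (its continuation line is outside the hunk), so a build without IPv6 presumably still generates and installs the ip6tables manual page even though the IPv6 extensions that feed its man fragments are no longer enumerated in extensions/GNUmakefile.in; wrapping those entries in the same `if ENABLE_IPV6` would make the option self-consistent. In the configure.ac hunks the help string for `AC_ARG_ENABLE([ipv6], ...)` could mention that the IPv6 extensions are skipped too, which is what the commit message promises.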
@@ -36,7 +36,7 @@ endif # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c)) pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c)) -pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c)) +@ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c)) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod}) pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod}) -- cgit v1.2.3 From a094eb0f2a57592b6f3cf42fdbb9d49fead2d57c Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Fri, 3 Apr 2009 22:37:49 +0200 Subject: build: add configure option to disable ipv4 iptables This patch complements the previous one. Signed-off-by: Jan Engelhardt --- Makefile.am | 4 ++++ configure.ac | 4 ++++ extensions/GNUmakefile.in | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index a6b726c5..fd99098f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -85,13 +85,17 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ CLEANFILES = iptables.8 ip6tables.8 if ENABLE_STATIC +if ENABLE_IPV4 sbin_PROGRAMS += iptables-static +endif if ENABLE_IPV6 sbin_PROGRAMS += ip6tables-static endif endif if ENABLE_SHARED +if ENABLE_IPV4 sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save +endif if ENABLE_IPV6 sbin_PROGRAMS += ip6tables ip6tables-multi ip6tables-restore ip6tables-save endif diff --git a/configure.ac b/configure.ac index eefcdac9..152ad592 100644 --- a/configure.ac +++ b/configure.ac 
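Review bot: The `@ENABLE_IPV6_TRUE@ pf6_build_mod := ...` line relies on a non-obvious Automake substitution, namely that the marker expands to `#` when the conditional is false and to nothing when it is true, so the assignment is silently commented out in a no-IPv6 build while the later `pf6_build_mod := $(filter-out ...)` keeps working on an empty value. A comment stating that, `# @ENABLE_IPV6_TRUE@ expands to "#" when ip6tables is disabled, leaving pf6_build_mod empty`, would save the next reader a trip to the Automake manual; the same applies to the `@ENABLE_IPV4_TRUE@` line added to this file in the following commit.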
@@ -31,6 +31,9 @@ AC_ARG_WITH([xtlibdir], [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), [xtlibdir="$withval"], [xtlibdir="${libexecdir}/xtables"]) +AC_ARG_ENABLE([ipv4], + AS_HELP_STRING([--disable-ipv4], [Do not build iptables]), + [enable_ipv4="$enableval"], [enable_ipv4="yes"]) AC_ARG_ENABLE([ipv6], AS_HELP_STRING([--disable-ipv6], [Do not build ip6tables]), [enable_ipv6="$enableval"], [enable_ipv6="yes"]) @@ -54,6 +57,7 @@ AC_SUBST([blacklist_modules]) AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"]) AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" = "yes"]) +AM_CONDITIONAL([ENABLE_IPV4], [test "$enable_ipv4" = "yes"]) AM_CONDITIONAL([ENABLE_IPV6], [test "$enable_ipv6" = "yes"]) AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 17dd5af7..66a4f46a 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in @@ -35,7 +35,7 @@ endif # Wildcard module list # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c)) -pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c)) +@ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c)) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c)) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod}) -- cgit v1.2.3 From 9c0fa7d8c84dc2478bd36d31b328b697fbe4d0af Mon Sep 17 00:00:00 2001 
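Review bot: Nothing in the configure.ac hunks rejects `--disable-ipv4` combined with `--disable-ipv6`, which as far as the Makefile.am hunks show leaves sbin_PROGRAMS without any iptables or ip6tables binaries; if that combination is not a supported configuration, an explicit check after the two AC_ARG_ENABLE calls, `AS_IF([test "$enable_ipv4" != yes && test "$enable_ipv6" != yes], [AC_MSG_ERROR([at least one of IPv4 and IPv6 must be enabled])])`, fails early with a clear message instead of producing an empty install. If a libraries-only build is intentional, a comment saying so next to the new AC_ARG_ENABLE would answer the question.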
From: Jan Engelhardt Date: Fri, 3 Apr 2009 22:40:35 +0200 Subject: libxtables: provide IPv6 zero address variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit µClibc may not provide the in6addr_any variable when IPv6 is disabled. So just provide it ourselves. Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569 Signed-off-by: Jan Engelhardt --- xtables.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xtables.c b/xtables.c index 044603f9..a01d4ea0 100644 --- a/xtables.c +++ b/xtables.c @@ -1367,6 +1367,7 @@ static struct in6_addr *parse_ip6mask(char *mask) void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp, struct in6_addr *maskp, unsigned int *naddrs) { + static const struct in6_addr zero_addr; struct in6_addr *addrp; unsigned int i, j, k, n; char buf[256], *p; @@ -1382,7 +1383,7 @@ void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp, memcpy(maskp, addrp, sizeof(*maskp)); /* if a null mask is given, the name is ignored, like in "any/0" */ - if (memcmp(maskp, &in6addr_any, sizeof(in6addr_any)) == 0) + if (memcmp(maskp, &zero_addr, sizeof(zero_addr)) == 0) strcpy(buf, "::"); addrp = *addrpp = ip6parse_hostnetwork(buf, naddrs); -- cgit v1.2.3 From b1d968c30dde563c2738fdacb723c18232fb5ccb Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 4 Apr 2009 13:28:40 +0200 Subject: iptables: print negation extrapositioned This patch combines the two referenced ones by Peter. I did a quick extra audit to spot and fix the missing ip6tables parts. (People like to forget ip6tables it seems.) Extension modules were, to the best of my knowledge, already audited in v1.4.3-rc1-10-gcea9f71. Reported-by: Yar Odin References: http://bugs.gentoo.org/264089 Reported-by: Peter Volkov References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2 References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2 
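Review bot: The new `static const struct in6_addr zero_addr;` in xtables_ip6parse_any carries the reason for its existence only in the commit message; in the code it looks like an arbitrary replacement for `in6addr_any`, and a future cleanup could revert it. A comment on the declaration, `/* not in6addr_any: some libcs (e.g. µClibc without IPv6) do not export it */`, pins the rationale where it is needed, and since `static const` zero-initializes the object, the comparison below it is well-defined. The function continues outside the hunk.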
Signed-off-by: Jan Engelhardt --- ip6tables.c | 12 ++++++------ iptables.c | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ip6tables.c b/ip6tables.c index 54366b05..35067f8b 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -1006,7 +1006,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask, if (mask[0] == 0) return; - printf("-%c %s", letter, invert ? "! " : ""); + printf("%s-%c ", invert ? "! " : "", letter); for (i = 0; i < IFNAMSIZ; i++) { if (mask[i] != 0) { @@ -1033,19 +1033,19 @@ static void print_proto(u_int16_t proto, int invert) struct protoent *pent = getprotobynumber(proto); if (pent) { - printf("-p %s%s ", + printf("%s-p %s ", invertstr, pent->p_name); return; } for (i = 0; xtables_chain_protos[i].name != NULL; ++i) if (xtables_chain_protos[i].num == proto) { - printf("-p %s%s ", + printf("%s-p %s ", invertstr, xtables_chain_protos[i].name); return; } - printf("-p %s%u ", invertstr, proto); + printf("%s-p %u ", invertstr, proto); } } @@ -1081,9 +1081,9 @@ static void print_ip(char *prefix, const struct in6_addr *ip, const struct in6_a if (l == 0 && !invert) return; - printf("%s %s%s", - prefix, + printf("%s%s %s", invert ? "! " : "", + prefix, inet_ntop(AF_INET6, ip, buf, sizeof buf)); if (l == -1) diff --git a/iptables.c b/iptables.c index 3449decd..649baf4c 100644 --- a/iptables.c +++ b/iptables.c @@ -1006,18 +1006,18 @@ static void print_proto(u_int16_t proto, int invert) struct protoent *pent = getprotobynumber(proto); if (pent) { - printf("-p %s%s ", invertstr, pent->p_name); + printf("%s-p %s ", invertstr, pent->p_name); return; } for (i = 0; xtables_chain_protos[i].name != NULL; ++i) if (xtables_chain_protos[i].num == proto) { - printf("-p %s%s ", + printf("%s-p %s ", invertstr, xtables_chain_protos[i].name); return; } - printf("-p %s%u ", invertstr, proto); + printf("%s-p %u ", invertstr, proto); } } 
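Review bot: In the print_iface and print_ip hunks the negation prefix is built inline as `invert ? "! " : ""` while print_proto uses the named `invertstr`, so three functions that now emit the identical "! -opt" form each spell it differently; a small shared helper or a consistent local `const char *invertstr = invert ? "! " : "";` in each would keep them aligned, and the same applies to the iptables.c print_iface and print_ip hunks that follow. Separately, if this code is what iptables-save emits, rulesets written by this version use only the extrapositioned form and can be restored only by an iptables-restore that parses it, which is worth stating in the release notes. All four functions start or end outside their hunks.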
@@ -1039,7 +1039,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask, if (mask[0] == 0) return; - printf("-%c %s", letter, invert ? "! " : ""); + printf("%s-%c ", invert ? "! " : "", letter); for (i = 0; i < IFNAMSIZ; i++) { if (mask[i] != 0) { @@ -1089,9 +1089,9 @@ static void print_ip(char *prefix, u_int32_t ip, u_int32_t mask, int invert) if (!mask && !ip && !invert) return; - printf("%s %s%u.%u.%u.%u", - prefix, + printf("%s%s %u.%u.%u.%u", invert ? "! " : "", + prefix, IP_PARTS(ip)); if (mask == 0xFFFFFFFFU) { -- cgit v1.2.3