upgrade a few packages to newer versions (includes patch by kaloz) - preparation...
1 diff -x .svn -Nur iptables-1.3.7/extensions/.account-test iptables-svn/extensions/.account-test
2 --- iptables-1.3.7/extensions/.account-test 2006-12-04 12:15:19.000000000 +0100
3 +++ iptables-svn/extensions/.account-test 1970-01-01 01:00:00.000000000 +0100
4 @@ -1,3 +0,0 @@
5 -#!/bin/sh
6 -# True if account match patch is applied.
7 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_account.h ] && echo account
8 diff -x .svn -Nur iptables-1.3.7/extensions/.BALANCE-test iptables-svn/extensions/.BALANCE-test
9 --- iptables-1.3.7/extensions/.BALANCE-test 2006-12-04 12:15:19.000000000 +0100
10 +++ iptables-svn/extensions/.BALANCE-test 1970-01-01 01:00:00.000000000 +0100
11 @@ -1,2 +0,0 @@
12 -#! /bin/sh
13 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_BALANCE.c ] && echo BALANCE
14 diff -x .svn -Nur iptables-1.3.7/extensions/.childlevel-test iptables-svn/extensions/.childlevel-test
15 --- iptables-1.3.7/extensions/.childlevel-test 2006-12-04 12:15:19.000000000 +0100
16 +++ iptables-svn/extensions/.childlevel-test 1970-01-01 01:00:00.000000000 +0100
17 @@ -1,2 +0,0 @@
18 -#! /bin/sh
19 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_childlevel.h ] && echo childlevel
20 diff -x .svn -Nur iptables-1.3.7/extensions/.connrate-test iptables-svn/extensions/.connrate-test
21 --- iptables-1.3.7/extensions/.connrate-test 2006-12-04 12:15:20.000000000 +0100
22 +++ iptables-svn/extensions/.connrate-test 1970-01-01 01:00:00.000000000 +0100
23 @@ -1,2 +0,0 @@
24 -#! /bin/sh
25 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connrate.h ] && echo connrate
26 diff -x .svn -Nur iptables-1.3.7/extensions/.dstlimit-test iptables-svn/extensions/.dstlimit-test
27 --- iptables-1.3.7/extensions/.dstlimit-test 2006-12-04 12:15:19.000000000 +0100
28 +++ iptables-svn/extensions/.dstlimit-test 1970-01-01 01:00:00.000000000 +0100
29 @@ -1,2 +0,0 @@
30 -#! /bin/sh
31 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_dstlimit.c ] && echo dstlimit
32 diff -x .svn -Nur iptables-1.3.7/extensions/.FTOS-test iptables-svn/extensions/.FTOS-test
33 --- iptables-1.3.7/extensions/.FTOS-test 2006-12-04 12:15:20.000000000 +0100
34 +++ iptables-svn/extensions/.FTOS-test 1970-01-01 01:00:00.000000000 +0100
35 @@ -1,2 +0,0 @@
36 -#! /bin/sh
37 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_FTOS.h ] && echo FTOS
38 diff -x .svn -Nur iptables-1.3.7/extensions/.fuzzy-test iptables-svn/extensions/.fuzzy-test
39 --- iptables-1.3.7/extensions/.fuzzy-test 2006-12-04 12:15:20.000000000 +0100
40 +++ iptables-svn/extensions/.fuzzy-test 1970-01-01 01:00:00.000000000 +0100
41 @@ -1,2 +0,0 @@
42 -#! /bin/sh
43 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_fuzzy.h ] && echo fuzzy
44 diff -x .svn -Nur iptables-1.3.7/extensions/.fuzzy-test6 iptables-svn/extensions/.fuzzy-test6
45 --- iptables-1.3.7/extensions/.fuzzy-test6 2006-12-04 12:15:20.000000000 +0100
46 +++ iptables-svn/extensions/.fuzzy-test6 1970-01-01 01:00:00.000000000 +0100
47 @@ -1,2 +0,0 @@
48 -#!/bin/sh
49 -[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_fuzzy.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_fuzzy.h ] && echo fuzzy
50 diff -x .svn -Nur iptables-1.3.7/extensions/.IPMARK-test iptables-svn/extensions/.IPMARK-test
51 --- iptables-1.3.7/extensions/.IPMARK-test 2006-12-04 12:15:19.000000000 +0100
52 +++ iptables-svn/extensions/.IPMARK-test 1970-01-01 01:00:00.000000000 +0100
53 @@ -1,3 +0,0 @@
54 -#!/bin/sh
55 -# True if IPMARK patch is applied.
56 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
57 diff -x .svn -Nur iptables-1.3.7/extensions/.ipv4options-test iptables-svn/extensions/.ipv4options-test
58 --- iptables-1.3.7/extensions/.ipv4options-test 2006-12-04 12:15:19.000000000 +0100
59 +++ iptables-svn/extensions/.ipv4options-test 1970-01-01 01:00:00.000000000 +0100
60 @@ -1,3 +0,0 @@
61 -#!/bin/sh
62 -# True if ipv4options is applied.
63 -[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options
64 diff -x .svn -Nur iptables-1.3.7/extensions/.IPV4OPTSSTRIP-test iptables-svn/extensions/.IPV4OPTSSTRIP-test
65 --- iptables-1.3.7/extensions/.IPV4OPTSSTRIP-test 2006-12-04 12:15:19.000000000 +0100
66 +++ iptables-svn/extensions/.IPV4OPTSSTRIP-test 1970-01-01 01:00:00.000000000 +0100
67 @@ -1,3 +0,0 @@
68 -#!/bin/sh
69 -# True if IPV4OPTSSTRIP patch is applied.
70 -[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c ] && echo IPV4OPTSSTRIP
71 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_eui64.man iptables-svn/extensions/libip6t_eui64.man
72 --- iptables-1.3.7/extensions/libip6t_eui64.man 2006-12-04 12:15:20.000000000 +0100
73 +++ iptables-svn/extensions/libip6t_eui64.man 2007-05-31 12:46:30.000000000 +0200
74 @@ -1,5 +1,5 @@
75 This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
76 -It compares the EUI-64 derived from the source MAC address in Ehternet frame
77 +It compares the EUI-64 derived from the source MAC address in Ethernet frame
78 with the lower 64 bits of the IPv6 source address. But "Universal/Local"
79 bit is not compared. This module doesn't match other link layer frame, and
80 is only valid in the
81 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_fuzzy.c iptables-svn/extensions/libip6t_fuzzy.c
82 --- iptables-1.3.7/extensions/libip6t_fuzzy.c 2006-12-04 12:15:20.000000000 +0100
83 +++ iptables-svn/extensions/libip6t_fuzzy.c 1970-01-01 01:00:00.000000000 +0100
84 @@ -1,156 +0,0 @@
85 -/*
86 - Shared library add-on to iptables to add match support for the fuzzy match.
87 -
88 - This file is distributed under the terms of the GNU General Public
89 - License (GPL). Copies of the GPL can be obtained from:
90 - ftp://prep.ai.mit.edu/pub/gnu/GPL
91 -
92 -2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
93 -2003-04-08 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
94 -2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
95 -the save function , thanks to information given by Jean-Francois Patenaude.
96 -
97 -*/
98 -
99 -#include <stdio.h>
100 -#include <netdb.h>
101 -#include <string.h>
102 -#include <stdlib.h>
103 -#include <syslog.h>
104 -#include <getopt.h>
105 -#include <ip6tables.h>
106 -#include <linux/netfilter_ipv6/ip6_tables.h>
107 -#include <linux/netfilter_ipv6/ip6t_fuzzy.h>
108 -
109 -
110 -static void
111 -help(void)
112 -{
113 - printf(
114 -"fuzzy v%s options:\n"
115 -" --lower-limit number (in packets per second)\n"
116 -" --upper-limit number\n"
117 -,IPTABLES_VERSION);
118 -};
119 -
120 -static struct option opts[] = {
121 - { .name = "lower-limit", .has_arg = 1, .flag = 0, .val = '1' },
122 - { .name = "upper-limit", .has_arg = 1, .flag = 0, .val = '2' },
123 - { .name = 0 }
124 -};
125 -
126 -/* Initialize data structures */
127 -static void
128 -init(struct ip6t_entry_match *m, unsigned int *nfcache)
129 -{
130 - struct ip6t_fuzzy_info *presentinfo = (struct ip6t_fuzzy_info *)(m)->data;
131 - /*
132 - * Default rates ( I'll improve this very soon with something based
133 - * on real statistics of the running machine ) .
134 - */
135 -
136 - presentinfo->minimum_rate = 1000;
137 - presentinfo->maximum_rate = 2000;
138 -}
139 -
140 -#define IP6T_FUZZY_OPT_MINIMUM 0x01
141 -#define IP6T_FUZZY_OPT_MAXIMUM 0x02
142 -
143 -static int
144 -parse(int c, char **argv, int invert, unsigned int *flags,
145 - const struct ip6t_entry *entry,
146 - unsigned int *nfcache,
147 - struct ip6t_entry_match **match)
148 -{
149 - struct ip6t_fuzzy_info *fuzzyinfo =
150 - (struct ip6t_fuzzy_info *)(*match)->data;
151 -
152 - u_int32_t num;
153 -
154 - switch (c) {
155 -
156 - case '1':
157 -
158 - if (invert)
159 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
160 -
161 - if (*flags & IP6T_FUZZY_OPT_MINIMUM)
162 - exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
163 -
164 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
165 - exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
166 -
167 - fuzzyinfo->minimum_rate = num ;
168 -
169 - *flags |= IP6T_FUZZY_OPT_MINIMUM;
170 -
171 - break;
172 -
173 - case '2':
174 -
175 - if (invert)
176 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
177 -
178 - if (*flags & IP6T_FUZZY_OPT_MAXIMUM)
179 - exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
180 -
181 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
182 - exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
183 -
184 - fuzzyinfo->maximum_rate = num;
185 -
186 - *flags |= IP6T_FUZZY_OPT_MAXIMUM;
187 -
188 - break ;
189 -
190 - default:
191 - return 0;
192 - }
193 - return 1;
194 -}
195 -
196 -static void final_check(unsigned int flags)
197 -{
198 -}
199 -
200 -static void
201 -print(const struct ip6t_ip6 *ipv6,
202 - const struct ip6t_entry_match *match,
203 - int numeric)
204 -{
205 - const struct ip6t_fuzzy_info *fuzzyinfo
206 - = (const struct ip6t_fuzzy_info *)match->data;
207 -
208 - printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",
209 - fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
210 -}
211 -
212 -/* Saves the union ip6t_targinfo in parsable form to stdout. */
213 -static void
214 -save(const struct ip6t_ip6 *ipv6, const struct ip6t_entry_match *match)
215 -{
216 - const struct ip6t_fuzzy_info *fuzzyinfo
217 - = (const struct ip6t_fuzzy_info *)match->data;
218 -
219 - printf("--lower-limit %u --upper-limit %u ",
220 - fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
221 -}
222 -
223 -struct ip6tables_match fuzzy_match = {
224 - .name = "fuzzy",
225 - .version = IPTABLES_VERSION,
226 - .size = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
227 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
228 - .help = &help,
229 - .init = &init,
230 - .parse = &parse,
231 - .final_check = &final_check,
232 - .print = &print,
233 - .save = &save,
234 - .extra_opts = opts
235 -};
236 -
237 -void _init(void)
238 -{
239 - register_match6(&fuzzy_match);
240 -}
241 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_fuzzy.man iptables-svn/extensions/libip6t_fuzzy.man
242 --- iptables-1.3.7/extensions/libip6t_fuzzy.man 2006-12-04 12:15:20.000000000 +0100
243 +++ iptables-svn/extensions/libip6t_fuzzy.man 1970-01-01 01:00:00.000000000 +0100
244 @@ -1,7 +0,0 @@
245 -This module matches a rate limit based on a fuzzy logic controller [FLC]
246 -.TP
247 -.BI "--lower-limit " "number"
248 -Specifies the lower limit (in packets per second).
249 -.TP
250 -.BI "--upper-limit " "number"
251 -Specifies the upper limit (in packets per second).
252 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_icmp6.man iptables-svn/extensions/libip6t_icmp6.man
253 --- iptables-1.3.7/extensions/libip6t_icmp6.man 2006-12-04 12:15:19.000000000 +0100
254 +++ iptables-svn/extensions/libip6t_icmp6.man 2007-05-31 12:46:30.000000000 +0200
255 @@ -1,4 +1,4 @@
256 -This extension is loaded if `--protocol ipv6-icmp' or `--protocol icmpv6' is
257 +This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is
258 specified. It provides the following option:
259 .TP
260 .BR "--icmpv6-type " "[!] \fItype\fP[/\fIcode\fP]|\fItypename\fP"
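--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -0,0 +1,252 @@
+/* Shared library add-on to ip6tables to add mobility header support. */
+/*
+ * Copyright (C)2006 USAGI/WIDE Project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Author:
+ * Masahide NAKAMURA @USAGI <masahide.nakamura.cz@hitachi.com>
+ *
+ * Based on libip6t_{icmpv6,udp}.c
+ */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_mh.h>
+
+struct mh_name {
+ const char *name;
+ u_int8_t type;
+};
+
+static const struct mh_name mh_names[] = {
+ { "binding-refresh-request", 0, },
+ /* Alias */ { "brr", 0, },
+ { "home-test-init", 1, },
+ /* Alias */ { "hoti", 1, },
+ { "careof-test-init", 2, },
+ /* Alias */ { "coti", 2, },
+ { "home-test", 3, },
+ /* Alias */ { "hot", 3, },
+ { "careof-test", 4, },
+ /* Alias */ { "cot", 4, },
+ { "binding-update", 5, },
+ /* Alias */ { "bu", 5, },
+ { "binding-acknowledgement", 6, },
+ /* Alias */ { "ba", 6, },
+ { "binding-error", 7, },
+ /* Alias */ { "be", 7, },
+};
+
+static void print_types_all(void)
+{
+ unsigned int i;
+ printf("Valid MH types:");
+
+ for (i = 0; i < sizeof(mh_names)/sizeof(struct mh_name); i++) {
+ if (i && mh_names[i].type == mh_names[i-1].type)
+ printf(" (%s)", mh_names[i].name);
+ else
+ printf("\n%s", mh_names[i].name);
+ }
+ printf("\n");
+}
+
+static void help(void)
+{
+ printf(
+"MH v%s options:\n"
+" --mh-type [!] type[:type] match mh type\n",
+IPTABLES_VERSION);
+ print_types_all();
+}
+
+static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
+{
+ struct ip6t_mh *mhinfo = (struct ip6t_mh *)m->data;
+
+ mhinfo->types[1] = 0xFF;
+}
+
+static unsigned int name_to_type(const char *name)
+{
+ int namelen = strlen(name);
+ unsigned int limit = sizeof(mh_names)/sizeof(struct mh_name);
+ unsigned int match = limit;
+ unsigned int i;
+
+ for (i = 0; i < limit; i++) {
+ if (strncasecmp(mh_names[i].name, name, namelen) == 0) {
+ int len = strlen(mh_names[i].name);
+ if (match == limit || len == namelen)
+ match = i;
+ }
+ }
+
+ if (match != limit) {
+ return mh_names[match].type;
+ } else {
+ unsigned int number;
+
+ if (string_to_number(name, 0, 255, &number) == -1)
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid MH type `%s'\n", name);
+ return number;
+ }
+}
+
+static void parse_mh_types(const char *mhtype, u_int8_t *types)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(mhtype);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ types[0] = types[1] = name_to_type(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ types[0] = buffer[0] ? name_to_type(buffer) : 0;
+ types[1] = cp[0] ? name_to_type(cp) : 0xFF;
+
+ if (types[0] > types[1])
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid MH type range (min > max)");
+ }
+ free(buffer);
+}
+
+#define MH_TYPES 0x01
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry,
+ unsigned int *nfcache,
+ struct ip6t_entry_match **match)
+{
+ struct ip6t_mh *mhinfo = (struct ip6t_mh *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & MH_TYPES)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--mh-type' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ parse_mh_types(argv[optind-1], mhinfo->types);
+ if (invert)
+ mhinfo->invflags |= IP6T_MH_INV_TYPE;
+ *flags |= MH_TYPES;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; we don't care. */
+static void final_check(unsigned int flags)
+{
+}
+
+static const char *type_to_name(u_int8_t type)
+{
+ unsigned int i;
+
+ for (i = 0; i < sizeof(mh_names)/sizeof(struct mh_name); i++) {
+ if (mh_names[i].type == type)
+ return mh_names[i].name;
+ }
+
+ return NULL;
+}
+
+static void print_type(u_int8_t type, int numeric)
+{
+ const char *name;
+ if (numeric || !(name = type_to_name(type)))
+ printf("%u", type);
+ else
+ printf("%s", name);
+}
+
+static void print_types(u_int8_t min, u_int8_t max, int invert, int numeric)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFF || invert) {
+ if (min == max) {
+ printf("%s", inv);
+ print_type(min, numeric);
+ } else {
+ printf("%s", inv);
+ print_type(min, numeric);
+ printf(":");
+ print_type(max, numeric);
+ }
+ printf(" ");
+ }
+}
+
+static void print(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+
+ printf("mh ");
+ print_types(mhinfo->types[0], mhinfo->types[1],
+ mhinfo->invflags & IP6T_MH_INV_TYPE,
+ numeric);
+ if (mhinfo->invflags & ~IP6T_MH_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ mhinfo->invflags & ~IP6T_MH_INV_MASK);
+}
+
+static void save(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_match *match)
+{
+ const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+
+ if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
+ return;
+
+ if (mhinfo->invflags & IP6T_MH_INV_TYPE)
+ printf("! ");
+
+ if (mhinfo->types[0] != mhinfo->types[1])
+ printf("--mh-type %u:%u ", mhinfo->types[0], mhinfo->types[1]);
+ else
+ printf("--mh-type %u ", mhinfo->types[0]);
+}
+
+static struct option opts[] = {
+ { "mh-type", 1, 0, '1' },
+ {0}
+};
+
+static struct ip6tables_match mh = {
+ .name = "mh",
+ .version = IPTABLES_VERSION,
+ .size = IP6T_ALIGN(sizeof(struct ip6t_mh)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_mh)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts,
+};
+
+void _init(void)
+{
+ register_match6(&mh);
+}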
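Review bot: parse_mh_types() hands the result of `strdup(mhtype)` straight to strchr() with no NULL check, so an allocation failure dereferences NULL instead of reporting an error; add `if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");` right after the strdup. name_to_type() matches by prefix through `strncasecmp(mh_names[i].name, name, namelen)` and keeps the first hit unless an exact-length name turns up, so an ambiguous abbreviation such as `b` silently resolves to binding-refresh-request, and an empty `--mh-type ""` (namelen 0, which the no-colon path of parse_mh_types does not filter) matches every entry and yields type 0 — rejecting `namelen == 0` and erroring when more than one non-exact entry matches would make the accepted input explicit. The `(struct ip6t_mh *)match->data` casts in print() and save() discard the const of their `match` parameter; `(const struct ip6t_mh *)` keeps the qualifier. A one-line comment on name_to_type() stating that names may be abbreviated, are case-insensitive, and that a numeric 0–255 is accepted as a fallback would document the contract that the help text does not.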
517 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_mh.man iptables-svn/extensions/libip6t_mh.man
518 --- iptables-1.3.7/extensions/libip6t_mh.man 1970-01-01 01:00:00.000000000 +0100
519 +++ iptables-svn/extensions/libip6t_mh.man 2007-05-31 12:46:30.000000000 +0200
520 @@ -0,0 +1,12 @@
521 +This extension is loaded if `--protocol ipv6-mh' or `--protocol mh' is
522 +specified. It provides the following option:
523 +.TP
524 +.BR "--mh-type " "[!] \fItype\fP[:\fItype\fP]"
525 +This allows specification of the Mobility Header(MH) type, which can be
526 +a numeric MH
527 +.IR type ,
528 +.IR type
529 +or one of the MH type names shown by the command
530 +.nf
531 + ip6tables -p ipv6-mh -h
532 +.fi
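--- a/extensions/libip6t_NFLOG.c
+++ b/extensions/libip6t_NFLOG.c
@@ -35,7 +35,7 @@
 {
 struct xt_nflog_info *info = (struct xt_nflog_info *)t->data;
 
- info->group = XT_NFLOG_DEFAULT_GROUP;
+ info->group = 0;
 info->threshold = XT_NFLOG_DEFAULT_THRESHOLD;
 }
 
@@ -56,10 +56,10 @@
 "Unexpected `!' after --nflog-group");
 
 n = atoi(optarg);
- if (n < 1 || n > 32)
+ if (n < 0)
 exit_error(PARAMETER_PROBLEM,
- "--nflog-group has to be between 1 and 32");
- info->group = 1 << (n - 1);
+ "--nflog-group can not be negative");
+ info->group = n;
 break;
 case NFLOG_PREFIX:
 if (*flags & NFLOG_PREFIX)
@@ -118,8 +118,8 @@
 {
 if (info->prefix[0] != '\0')
 printf("%snflog-prefix \"%s\" ", prefix, info->prefix);
- if (info->group != XT_NFLOG_DEFAULT_GROUP)
- printf("%snflog-group %u ", prefix, ffs(info->group));
+ if (info->group)
+ printf("%snflog-group %u ", prefix, info->group);
 if (info->len)
 printf("%snflog-range %u ", prefix, info->len);
 if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)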
568 printf("%snflog-range %u ", prefix, info->len);
569 if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
570 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_nth.c iptables-svn/extensions/libip6t_nth.c
571 --- iptables-1.3.7/extensions/libip6t_nth.c 2006-12-04 12:15:20.000000000 +0100
572 +++ iptables-svn/extensions/libip6t_nth.c 1970-01-01 01:00:00.000000000 +0100
573 @@ -1,229 +0,0 @@
574 -/*
575 - Shared library add-on to iptables to add match support for every Nth packet
576 -
577 - This file is distributed under the terms of the GNU General Public
578 - License (GPL). Copies of the GPL can be obtained from:
579 - ftp://prep.ai.mit.edu/pub/gnu/GPL
580 -
581 - 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
582 - 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
583 - * added support for multiple counters
584 - * added support for matching on individual packets
585 - in the counter cycle
586 -*/
587 -
588 -#include <stdio.h>
589 -#include <netdb.h>
590 -#include <string.h>
591 -#include <stdlib.h>
592 -#include <syslog.h>
593 -#include <getopt.h>
594 -#include <ip6tables.h>
595 -#include <linux/netfilter_ipv6/ip6_tables.h>
596 -#include <linux/netfilter_ipv6/ip6t_nth.h>
597 -
598 -
599 -/* Function which prints out usage message. */
600 -static void
601 -help(void)
602 -{
603 - printf(
604 -"nth v%s options:\n"
605 -" --every Nth Match every Nth packet\n"
606 -" [--counter] num Use counter 0-%u (default:0)\n"
607 -" [--start] num Initialize the counter at the number 'num'\n"
608 -" instead of 0. Must be between 0 and Nth-1\n"
609 -" [--packet] num Match on 'num' packet. Must be between 0\n"
610 -" and Nth-1.\n\n"
611 -" If --packet is used for a counter than\n"
612 -" there must be Nth number of --packet\n"
613 -" rules, covering all values between 0 and\n"
614 -" Nth-1 inclusively.\n",
615 -IPTABLES_VERSION, IP6T_NTH_NUM_COUNTERS-1);
616 -}
617 -
618 -static struct option opts[] = {
619 - { "every", 1, 0, '1' },
620 - { "start", 1, 0, '2' },
621 - { "counter", 1, 0, '3' },
622 - { "packet", 1, 0, '4' },
623 - { 0 }
624 -};
625 -
626 -#define IP6T_NTH_OPT_EVERY 0x01
627 -#define IP6T_NTH_OPT_NOT_EVERY 0x02
628 -#define IP6T_NTH_OPT_START 0x04
629 -#define IP6T_NTH_OPT_COUNTER 0x08
630 -#define IP6T_NTH_OPT_PACKET 0x10
631 -
632 -/* Function which parses command options; returns true if it
633 - ate an option */
634 -static int
635 -parse(int c, char **argv, int invert, unsigned int *flags,
636 - const struct ip6t_entry *entry,
637 - unsigned int *nfcache,
638 - struct ip6t_entry_match **match)
639 -{
640 - struct ip6t_nth_info *nthinfo = (struct ip6t_nth_info *)(*match)->data;
641 - unsigned int num;
642 -
643 - switch (c) {
644 - case '1':
645 - /* check for common mistakes... */
646 - if ((!invert) && (*flags & IP6T_NTH_OPT_EVERY))
647 - exit_error(PARAMETER_PROBLEM,
648 - "Can't specify --every twice");
649 - if (invert && (*flags & IP6T_NTH_OPT_NOT_EVERY))
650 - exit_error(PARAMETER_PROBLEM,
651 - "Can't specify ! --every twice");
652 - if ((!invert) && (*flags & IP6T_NTH_OPT_NOT_EVERY))
653 - exit_error(PARAMETER_PROBLEM,
654 - "Can't specify --every with ! --every");
655 - if (invert && (*flags & IP6T_NTH_OPT_EVERY))
656 - exit_error(PARAMETER_PROBLEM,
657 - "Can't specify ! --every with --every");
658 -
659 - /* Remember, this function will interpret a leading 0 to be
660 - Octal, a leading 0x to be hexdecimal... */
661 - if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
662 - exit_error(PARAMETER_PROBLEM,
663 - "bad --every `%s', must be between 2 and 100", optarg);
664 -
665 - /* assign the values */
666 - nthinfo->every = num-1;
667 - nthinfo->startat = 0;
668 - nthinfo->packet = 0xFF;
669 - if(!(*flags & IP6T_NTH_OPT_EVERY))
670 - {
671 - nthinfo->counter = 0;
672 - }
673 - if (invert)
674 - {
675 - *flags |= IP6T_NTH_OPT_NOT_EVERY;
676 - nthinfo->not = 1;
677 - }
678 - else
679 - {
680 - *flags |= IP6T_NTH_OPT_EVERY;
681 - nthinfo->not = 0;
682 - }
683 - break;
684 - case '2':
685 - /* check for common mistakes... */
686 - if (!((*flags & IP6T_NTH_OPT_EVERY) ||
687 - (*flags & IP6T_NTH_OPT_NOT_EVERY)))
688 - exit_error(PARAMETER_PROBLEM,
689 - "Can't specify --start before --every");
690 - if (invert)
691 - exit_error(PARAMETER_PROBLEM,
692 - "Can't specify with ! --start");
693 - if (*flags & IP6T_NTH_OPT_START)
694 - exit_error(PARAMETER_PROBLEM,
695 - "Can't specify --start twice");
696 - if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
697 - exit_error(PARAMETER_PROBLEM,
698 - "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
699 - *flags |= IP6T_NTH_OPT_START;
700 - nthinfo->startat = num;
701 - break;
702 - case '3':
703 - /* check for common mistakes... */
704 - if (invert)
705 - exit_error(PARAMETER_PROBLEM,
706 - "Can't specify with ! --counter");
707 - if (*flags & IP6T_NTH_OPT_COUNTER)
708 - exit_error(PARAMETER_PROBLEM,
709 - "Can't specify --counter twice");
710 - if (string_to_number(optarg, 0, IP6T_NTH_NUM_COUNTERS-1, &num) == -1)
711 - exit_error(PARAMETER_PROBLEM,
712 - "bad --counter `%s', must between 0 and %u", optarg, IP6T_NTH_NUM_COUNTERS-1);
713 - /* assign the values */
714 - *flags |= IP6T_NTH_OPT_COUNTER;
715 - nthinfo->counter = num;
716 - break;
717 - case '4':
718 - /* check for common mistakes... */
719 - if (!((*flags & IP6T_NTH_OPT_EVERY) ||
720 - (*flags & IP6T_NTH_OPT_NOT_EVERY)))
721 - exit_error(PARAMETER_PROBLEM,
722 - "Can't specify --packet before --every");
723 - if ((*flags & IP6T_NTH_OPT_NOT_EVERY))
724 - exit_error(PARAMETER_PROBLEM,
725 - "Can't specify --packet with ! --every");
726 - if (invert)
727 - exit_error(PARAMETER_PROBLEM,
728 - "Can't specify with ! --packet");
729 - if (*flags & IP6T_NTH_OPT_PACKET)
730 - exit_error(PARAMETER_PROBLEM,
731 - "Can't specify --packet twice");
732 - if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
733 - exit_error(PARAMETER_PROBLEM,
734 - "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
735 - *flags |= IP6T_NTH_OPT_PACKET;
736 - nthinfo->packet = num;
737 - break;
738 - default:
739 - return 0;
740 - }
741 - return 1;
742 -}
743 -
744 -/* Final check; nothing. */
745 -static void final_check(unsigned int flags)
746 -{
747 -}
748 -
749 -/* Prints out the targinfo. */
750 -static void
751 -print(const struct ip6t_ip6 *ip,
752 - const struct ip6t_entry_match *match,
753 - int numeric)
754 -{
755 - const struct ip6t_nth_info *nthinfo
756 - = (const struct ip6t_nth_info *)match->data;
757 -
758 - if (nthinfo->not == 1)
759 - printf(" !");
760 - printf("every %uth ", (nthinfo->every +1));
761 - if (nthinfo->counter != 0)
762 - printf("counter #%u ", (nthinfo->counter));
763 - if (nthinfo->packet != 0xFF)
764 - printf("packet #%u ", nthinfo->packet);
765 - if (nthinfo->startat != 0)
766 - printf("start at %u ", nthinfo->startat);
767 -}
768 -
769 -/* Saves the union ip6t_targinfo in parsable form to stdout. */
770 -static void
771 -save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
772 -{
773 - const struct ip6t_nth_info *nthinfo
774 - = (const struct ip6t_nth_info *)match->data;
775 -
776 - if (nthinfo->not == 1)
777 - printf("! ");
778 - printf("--every %u ", (nthinfo->every +1));
779 - printf("--counter %u ", (nthinfo->counter));
780 - if (nthinfo->startat != 0)
781 - printf("--start %u ", nthinfo->startat );
782 - if (nthinfo->packet != 0xFF)
783 - printf("--packet %u ", nthinfo->packet );
784 -}
785 -
786 -struct ip6tables_match nth = {
787 - .name = "nth",
788 - .version = IPTABLES_VERSION,
789 - .size = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
790 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
791 - .help = &help,
792 - .parse = &parse,
793 - .final_check = &final_check,
794 - .print = &print,
795 - .save = &save,
796 - .extra_opts = opts,
797 -};
798 -
799 -void _init(void)
800 -{
801 - register_match6(&nth);
802 -}
803 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_nth.man iptables-svn/extensions/libip6t_nth.man
804 --- iptables-1.3.7/extensions/libip6t_nth.man 2006-12-04 12:15:19.000000000 +0100
805 +++ iptables-svn/extensions/libip6t_nth.man 1970-01-01 01:00:00.000000000 +0100
806 @@ -1,14 +0,0 @@
807 -This module matches every `n'th packet
808 -.TP
809 -.BI "--every " "value"
810 -Match every `value' packet
811 -.TP
812 -.BI "[" "--counter " "num" "]"
813 -Use internal counter number `num'. Default is `0'.
814 -.TP
815 -.BI "[" "--start " "num" "]"
816 -Initialize the counter at the number `num' insetad of `0'. Most between `0'
817 -and `value'-1.
818 -.TP
819 -.BI "[" "--packet " "num" "]"
820 -Match on `num' packet. Most be between `0' and `value'-1.
821 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_random.c iptables-svn/extensions/libip6t_random.c
822 --- iptables-1.3.7/extensions/libip6t_random.c 2006-12-04 12:15:19.000000000 +0100
823 +++ iptables-svn/extensions/libip6t_random.c 1970-01-01 01:00:00.000000000 +0100
824 @@ -1,150 +0,0 @@
825 -/*
826 - Shared library add-on to iptables to add match support for random match.
827 -
828 - This file is distributed under the terms of the GNU General Public
829 - License (GPL). Copies of the GPL can be obtained from:
830 - ftp://prep.ai.mit.edu/pub/gnu/GPL
831 -
832 - 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
833 - 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 port.
834 -*/
835 -
836 -#include <stdio.h>
837 -#include <netdb.h>
838 -#include <string.h>
839 -#include <stdlib.h>
840 -#include <syslog.h>
841 -#include <getopt.h>
842 -#include <ip6tables.h>
843 -#include <linux/netfilter_ipv6/ip6_tables.h>
844 -#include <linux/netfilter_ipv6/ip6t_random.h>
845 -
846 -/**
847 - * The kernel random routing returns numbers between 0 and 255.
848 - * To ease the task of the user in choosing the probability
849 - * of matching, we want him to be able to use percentages.
850 - * Therefore we have to accept numbers in percentage here,
851 - * turn them into number between 0 and 255 for the kernel module,
852 - * and turn them back to percentages when we print/save
853 - * the rule.
854 - */
855 -
856 -
857 -/* Function which prints out usage message. */
858 -static void
859 -help(void)
860 -{
861 - printf(
862 -"random v%s options:\n"
863 -" [--average] percent The probability in percentage of the match\n"
864 -" If ommited, a probability of 50%% percent is set.\n"
865 -" Percentage must be within : 1 <= percent <= 99.\n\n",
866 -IPTABLES_VERSION);
867 -}
868 -
869 -static struct option opts[] = {
870 - { "average", 1, 0, '1' },
871 - { 0 }
872 -};
873 -
874 -/* Initialize the target. */
875 -static void
876 -init(struct ip6t_entry_match *m, unsigned int *nfcache)
877 -{
878 - struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(m)->data;
879 -
880 - /* We assign the average to be 50 which is our default value */
881 - /* 50 * 2.55 = 128 */
882 - randinfo->average = 128;
883 -}
884 -
885 -#define IP6T_RAND_OPT_AVERAGE 0x01
886 -
887 -/* Function which parses command options; returns true if it
888 - ate an option */
889 -static int
890 -parse(int c, char **argv, int invert, unsigned int *flags,
891 - const struct ip6t_entry *entry,
892 - unsigned int *nfcache,
893 - struct ip6t_entry_match **match)
894 -{
895 - struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(*match)->data;
896 - unsigned int num;
897 -
898 - switch (c) {
899 - case '1':
900 - /* check for common mistakes... */
901 - if (invert)
902 - exit_error(PARAMETER_PROBLEM,
903 - "Can't specify ! --average");
904 - if (*flags & IP6T_RAND_OPT_AVERAGE)
905 - exit_error(PARAMETER_PROBLEM,
906 - "Can't specify --average twice");
907 -
908 - /* Remember, this function will interpret a leading 0 to be
909 - Octal, a leading 0x to be hexdecimal... */
910 - if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
911 - exit_error(PARAMETER_PROBLEM,
912 - "bad --average `%s', must be between 1 and 99", optarg);
913 -
914 - /* assign the values */
915 - randinfo->average = (int)(num * 2.55);
916 - *flags |= IP6T_RAND_OPT_AVERAGE;
917 - break;
918 - default:
919 - return 0;
920 - }
921 - return 1;
922 -}
923 -
924 -/* Final check; nothing. */
925 -static void final_check(unsigned int flags)
926 -{
927 -}
928 -
929 -/* Prints out the targinfo. */
930 -static void
931 -print(const struct ip6t_ip6 *ip,
932 - const struct ip6t_entry_match *match,
933 - int numeric)
934 -{
935 - const struct ip6t_rand_info *randinfo
936 - = (const struct ip6t_rand_info *)match->data;
937 - div_t result = div((randinfo->average*100), 255);
938 - if (result.rem > 127) /* round up... */
939 - ++result.quot;
940 -
941 - printf(" random %u%% ", result.quot);
942 -}
943 -
944 -/* Saves the union ip6t_targinfo in parsable form to stdout. */
945 -static void
946 -save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
947 -{
948 - const struct ip6t_rand_info *randinfo
949 - = (const struct ip6t_rand_info *)match->data;
950 - div_t result = div((randinfo->average *100), 255);
951 - if (result.rem > 127) /* round up... */
952 - ++result.quot;
953 -
954 - printf("--average %u ", result.quot);
955 -}
956 -
957 -struct ip6tables_match rand_match = {
958 - .name = "random",
959 - .version = IPTABLES_VERSION,
960 - .size = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
961 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
962 - .help = &help,
963 - .init = &init,
964 - .parse = &parse,
965 - .final_check = &final_check,
966 - .print = &print,
967 - .save = &save,
968 - .extra_opts = opts,
969 -};
970 -
971 -void _init(void)
972 -{
973 - register_match6(&rand_match);
974 -}
975 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_random.man iptables-svn/extensions/libip6t_random.man
976 --- iptables-1.3.7/extensions/libip6t_random.man 2006-12-04 12:15:19.000000000 +0100
977 +++ iptables-svn/extensions/libip6t_random.man 1970-01-01 01:00:00.000000000 +0100
978 @@ -1,4 +0,0 @@
979 -This module randomly matches a certain percentage of all packets.
980 -.TP
981 -.BI "--average " "percent"
982 -Matches the given percentage. If omitted, a probability of 50% is set.
983 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_ROUTE.c iptables-svn/extensions/libip6t_ROUTE.c
984 --- iptables-1.3.7/extensions/libip6t_ROUTE.c 2006-12-04 12:15:20.000000000 +0100
985 +++ iptables-svn/extensions/libip6t_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
986 @@ -1,240 +0,0 @@
987 -/* Shared library add-on to iptables to add ROUTE v6 target support.
988 - * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
989 - * v 1.1 2004/11/23
990 - */
991 -
992 -#include <stdio.h>
993 -#include <string.h>
994 -#include <stdlib.h>
995 -#include <getopt.h>
996 -#include <sys/types.h>
997 -#include <sys/socket.h>
998 -#include <arpa/inet.h>
999 -
1000 -#include <ip6tables.h>
1001 -#include <linux/netfilter_ipv6/ip6_tables.h>
1002 -#include <linux/netfilter_ipv6/ip6t_ROUTE.h>
1003 -
1004 -/* compile IP6T_ROUTE_TEE support even if kernel headers are unpatched */
1005 -#ifndef IP6T_ROUTE_TEE
1006 -#define IP6T_ROUTE_TEE 0x02
1007 -#endif
1008 -
1009 -/* Function which prints out usage message. */
1010 -static void
1011 -help(void)
1012 -{
1013 - printf(
1014 -"ROUTE target v%s options:\n"
1015 -" --oif \tifname \t\tRoute the packet through `ifname' network interface\n"
1016 -" --gw \tip \t\tRoute the packet via this gateway\n"
1017 -" --continue\t \t\tRoute packet and continue traversing the\n"
1018 -" \t \t\trules. Not valid with --iif or --tee.\n"
1019 -" --tee\t \t\tDuplicate packet, route the duplicate,\n"
1020 -" \t \t\tcontinue traversing with original packet.\n"
1021 -" \t \t\tNot valid with --iif or --continue.\n"
1022 -"\n",
1023 -"1.1");
1024 -}
1025 -
1026 -static struct option opts[] = {
1027 - { "oif", 1, 0, '1' },
1028 - { "iif", 1, 0, '2' },
1029 - { "gw", 1, 0, '3' },
1030 - { "continue", 0, 0, '4' },
1031 - { "tee", 0, 0, '5' },
1032 - { 0 }
1033 -};
1034 -
1035 -/* Initialize the target. */
1036 -static void
1037 -init(struct ip6t_entry_target *t, unsigned int *nfcache)
1038 -{
1039 - struct ip6t_route_target_info *route_info =
1040 - (struct ip6t_route_target_info*)t->data;
1041 -
1042 - route_info->oif[0] = '\0';
1043 - route_info->iif[0] = '\0';
1044 - route_info->gw[0] = 0;
1045 - route_info->gw[1] = 0;
1046 - route_info->gw[2] = 0;
1047 - route_info->gw[3] = 0;
1048 - route_info->flags = 0;
1049 -}
1050 -
1051 -
1052 -#define IP6T_ROUTE_OPT_OIF 0x01
1053 -#define IP6T_ROUTE_OPT_IIF 0x02
1054 -#define IP6T_ROUTE_OPT_GW 0x04
1055 -#define IP6T_ROUTE_OPT_CONTINUE 0x08
1056 -#define IP6T_ROUTE_OPT_TEE 0x10
1057 -
1058 -/* Function which parses command options; returns true if it
1059 - ate an option */
1060 -static int
1061 -parse(int c, char **argv, int invert, unsigned int *flags,
1062 - const struct ip6t_entry *entry,
1063 - struct ip6t_entry_target **target)
1064 -{
1065 - struct ip6t_route_target_info *route_info =
1066 - (struct ip6t_route_target_info*)(*target)->data;
1067 -
1068 - switch (c) {
1069 - case '1':
1070 - if (*flags & IP6T_ROUTE_OPT_OIF)
1071 - exit_error(PARAMETER_PROBLEM,
1072 - "Can't specify --oif twice");
1073 -
1074 - if (check_inverse(optarg, &invert, NULL, 0))
1075 - exit_error(PARAMETER_PROBLEM,
1076 - "Unexpected `!' after --oif");
1077 -
1078 - if (strlen(optarg) > sizeof(route_info->oif) - 1)
1079 - exit_error(PARAMETER_PROBLEM,
1080 - "Maximum interface name length %u",
1081 - sizeof(route_info->oif) - 1);
1082 -
1083 - strcpy(route_info->oif, optarg);
1084 - *flags |= IP6T_ROUTE_OPT_OIF;
1085 - break;
1086 -
1087 - case '2':
1088 - exit_error(PARAMETER_PROBLEM,
1089 - "--iif option not implemented");
1090 - break;
1091 -
1092 - case '3':
1093 - if (*flags & IP6T_ROUTE_OPT_GW)
1094 - exit_error(PARAMETER_PROBLEM,
1095 - "Can't specify --gw twice");
1096 -
1097 - if (check_inverse(optarg, &invert, NULL, 0))
1098 - exit_error(PARAMETER_PROBLEM,
1099 - "Unexpected `!' after --gw");
1100 -
1101 - if (!inet_pton(AF_INET6, optarg, (struct in6_addr*)&route_info->gw)) {
1102 - exit_error(PARAMETER_PROBLEM,
1103 - "Invalid IPv6 address %s",
1104 - optarg);
1105 - }
1106 -
1107 - *flags |= IP6T_ROUTE_OPT_GW;
1108 - break;
1109 -
1110 - case '4':
1111 - if (*flags & IP6T_ROUTE_OPT_CONTINUE)
1112 - exit_error(PARAMETER_PROBLEM,
1113 - "Can't specify --continue twice");
1114 - if (*flags & IP6T_ROUTE_OPT_TEE)
1115 - exit_error(PARAMETER_PROBLEM,
1116 - "Can't specify --continue AND --tee");
1117 -
1118 - route_info->flags |= IP6T_ROUTE_CONTINUE;
1119 - *flags |= IP6T_ROUTE_OPT_CONTINUE;
1120 -
1121 - break;
1122 -
1123 - case '5':
1124 - if (*flags & IP6T_ROUTE_OPT_TEE)
1125 - exit_error(PARAMETER_PROBLEM,
1126 - "Can't specify --tee twice");
1127 - if (*flags & IP6T_ROUTE_OPT_CONTINUE)
1128 - exit_error(PARAMETER_PROBLEM,
1129 - "Can't specify --tee AND --continue");
1130 -
1131 - route_info->flags |= IP6T_ROUTE_TEE;
1132 - *flags |= IP6T_ROUTE_OPT_TEE;
1133 -
1134 - break;
1135 -
1136 - default:
1137 - return 0;
1138 - }
1139 -
1140 - return 1;
1141 -}
1142 -
1143 -
1144 -static void
1145 -final_check(unsigned int flags)
1146 -{
1147 - if (!flags)
1148 - exit_error(PARAMETER_PROBLEM,
1149 - "ROUTE target: oif or gw option required");
1150 -}
1151 -
1152 -
1153 -/* Prints out the targinfo. */
1154 -static void
1155 -print(const struct ip6t_ip6 *ip,
1156 - const struct ip6t_entry_target *target,
1157 - int numeric)
1158 -{
1159 - const struct ip6t_route_target_info *route_info
1160 - = (const struct ip6t_route_target_info *)target->data;
1161 -
1162 - printf("ROUTE ");
1163 -
1164 - if (route_info->oif[0])
1165 - printf("oif:%s ", route_info->oif);
1166 -
1167 - if (route_info->gw[0]
1168 - || route_info->gw[1]
1169 - || route_info->gw[2]
1170 - || route_info->gw[3]) {
1171 - char address[INET6_ADDRSTRLEN];
1172 - printf("gw:%s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
1173 - }
1174 -
1175 - if (route_info->flags & IP6T_ROUTE_CONTINUE)
1176 - printf("continue");
1177 -
1178 - if (route_info->flags & IP6T_ROUTE_TEE)
1179 - printf("tee");
1180 -
1181 -}
1182 -
1183 -
1184 -static void save(const struct ip6t_ip6 *ip,
1185 - const struct ip6t_entry_target *target)
1186 -{
1187 - const struct ip6t_route_target_info *route_info
1188 - = (const struct ip6t_route_target_info *)target->data;
1189 -
1190 - if (route_info->oif[0])
1191 - printf("--oif %s ", route_info->oif);
1192 -
1193 - if (route_info->gw[0]
1194 - || route_info->gw[1]
1195 - || route_info->gw[2]
1196 - || route_info->gw[3]) {
1197 - char address[INET6_ADDRSTRLEN];
1198 - printf("--gw %s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
1199 - }
1200 -
1201 - if (route_info->flags & IP6T_ROUTE_CONTINUE)
1202 - printf("--continue ");
1203 -
1204 - if (route_info->flags & IP6T_ROUTE_TEE)
1205 - printf("--tee ");
1206 -}
1207 -
1208 -
1209 -static struct ip6tables_target route = {
1210 - .name = "ROUTE",
1211 - .version = IPTABLES_VERSION,
1212 - .size = IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
1213 - .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
1214 - .help = &help,
1215 - .init = &init,
1216 - .parse = &parse,
1217 - .final_check = &final_check,
1218 - .print = &print,
1219 - .save = &save,
1220 - .extra_opts = opts,
1221 -};
1222 -
1223 -void _init(void)
1224 -{
1225 - register_target6(&route);
1226 -}
1227 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_ROUTE.man iptables-svn/extensions/libip6t_ROUTE.man
1228 --- iptables-1.3.7/extensions/libip6t_ROUTE.man 2006-12-04 12:15:20.000000000 +0100
1229 +++ iptables-svn/extensions/libip6t_ROUTE.man 1970-01-01 01:00:00.000000000 +0100
1230 @@ -1,15 +0,0 @@
1231 -This is used to explicitly override the core network stack's routing decision.
1232 -.B mangle
1233 -table.
1234 -.TP
1235 -.BI "--oif " "ifname"
1236 -Route the packet through `ifname' network interface
1237 -.TP
1238 -.BI "--gw " "IPv6_address"
1239 -Route the packet via this gateway
1240 -.TP
1241 -.BI "--continue "
1242 -Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--tee'
1243 -.TP
1244 -.BI "--tee "
1245 -Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--continue'
1246 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_state.c iptables-svn/extensions/libip6t_state.c
1247 --- iptables-1.3.7/extensions/libip6t_state.c 2006-12-04 12:15:19.000000000 +0100
1248 +++ iptables-svn/extensions/libip6t_state.c 2007-05-31 12:46:30.000000000 +0200
1249 @@ -5,7 +5,7 @@
1250 #include <stdlib.h>
1251 #include <getopt.h>
1252 #include <ip6tables.h>
1253 -#include <linux/netfilter_ipv4/ip_conntrack.h>
1254 +#include <linux/netfilter/nf_conntrack_common.h>
1255 #include <linux/netfilter_ipv4/ipt_state.h>
1256
1257 #ifndef IPT_STATE_UNTRACKED
1258 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_tcp.man iptables-svn/extensions/libip6t_tcp.man
1259 --- iptables-1.3.7/extensions/libip6t_tcp.man 2006-12-04 12:15:19.000000000 +0100
1260 +++ iptables-svn/extensions/libip6t_tcp.man 2007-05-31 12:46:30.000000000 +0200
1261 @@ -1,4 +1,4 @@
1262 -These extensions are loaded if `--protocol tcp' is specified. It
1263 +These extensions can be used if `--protocol tcp' is specified. It
1264 provides the following options:
1265 .TP
1266 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
1267 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TCPMSS.c iptables-svn/extensions/libip6t_TCPMSS.c
1268 --- iptables-1.3.7/extensions/libip6t_TCPMSS.c 1970-01-01 01:00:00.000000000 +0100
1269 +++ iptables-svn/extensions/libip6t_TCPMSS.c 2007-05-31 12:46:30.000000000 +0200
1270 @@ -0,0 +1,134 @@
1271 +/* Shared library add-on to iptables to add TCPMSS target support.
1272 + *
1273 + * Copyright (c) 2000 Marc Boucher
1274 +*/
1275 +#include <stdio.h>
1276 +#include <string.h>
1277 +#include <stdlib.h>
1278 +#include <getopt.h>
1279 +
1280 +#include <ip6tables.h>
1281 +#include <linux/netfilter_ipv6/ip6_tables.h>
1282 +#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
1283 +
1284 +struct mssinfo {
1285 + struct ip6t_entry_target t;
1286 + struct ip6t_tcpmss_info mss;
1287 +};
1288 +
1289 +/* Function which prints out usage message. */
1290 +static void
1291 +help(void)
1292 +{
1293 + printf(
1294 +"TCPMSS target v%s mutually-exclusive options:\n"
1295 +" --set-mss value explicitly set MSS option to specified value\n"
1296 +" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 60)\n",
1297 +IPTABLES_VERSION);
1298 +}
1299 +
1300 +static struct option opts[] = {
1301 + { "set-mss", 1, 0, '1' },
1302 + { "clamp-mss-to-pmtu", 0, 0, '2' },
1303 + { 0 }
1304 +};
1305 +
1306 +/* Initialize the target. */
1307 +static void
1308 +init(struct ip6t_entry_target *t, unsigned int *nfcache)
1309 +{
1310 +}
1311 +
1312 +/* Function which parses command options; returns true if it
1313 + ate an option */
1314 +static int
1315 +parse(int c, char **argv, int invert, unsigned int *flags,
1316 + const struct ip6t_entry *entry,
1317 + struct ip6t_entry_target **target)
1318 +{
1319 + struct ip6t_tcpmss_info *mssinfo
1320 + = (struct ip6t_tcpmss_info *)(*target)->data;
1321 +
1322 + switch (c) {
1323 + unsigned int mssval;
1324 +
1325 + case '1':
1326 + if (*flags)
1327 + exit_error(PARAMETER_PROBLEM,
1328 + "TCPMSS target: Only one option may be specified");
1329 + if (string_to_number(optarg, 0, 65535 - 60, &mssval) == -1)
1330 + exit_error(PARAMETER_PROBLEM, "Bad TCPMSS value `%s'", optarg);
1331 +
1332 + mssinfo->mss = mssval;
1333 + *flags = 1;
1334 + break;
1335 +
1336 + case '2':
1337 + if (*flags)
1338 + exit_error(PARAMETER_PROBLEM,
1339 + "TCPMSS target: Only one option may be specified");
1340 + mssinfo->mss = IP6T_TCPMSS_CLAMP_PMTU;
1341 + *flags = 1;
1342 + break;
1343 +
1344 + default:
1345 + return 0;
1346 + }
1347 +
1348 + return 1;
1349 +}
1350 +
1351 +static void
1352 +final_check(unsigned int flags)
1353 +{
1354 + if (!flags)
1355 + exit_error(PARAMETER_PROBLEM,
1356 + "TCPMSS target: At least one parameter is required");
1357 +}
1358 +
1359 +/* Prints out the targinfo. */
1360 +static void
1361 +print(const struct ip6t_ip6 *ip6,
1362 + const struct ip6t_entry_target *target,
1363 + int numeric)
1364 +{
1365 + const struct ip6t_tcpmss_info *mssinfo =
1366 + (const struct ip6t_tcpmss_info *)target->data;
1367 + if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
1368 + printf("TCPMSS clamp to PMTU ");
1369 + else
1370 + printf("TCPMSS set %u ", mssinfo->mss);
1371 +}
1372 +
1373 +/* Saves the union ip6t_targinfo in parsable form to stdout. */
1374 +static void
1375 +save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
1376 +{
1377 + const struct ip6t_tcpmss_info *mssinfo =
1378 + (const struct ip6t_tcpmss_info *)target->data;
1379 +
1380 + if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
1381 + printf("--clamp-mss-to-pmtu ");
1382 + else
1383 + printf("--set-mss %u ", mssinfo->mss);
1384 +}
1385 +
1386 +static struct ip6tables_target mss = {
1387 + .next = NULL,
1388 + .name = "TCPMSS",
1389 + .version = IPTABLES_VERSION,
1390 + .size = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
1391 + .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
1392 + .help = &help,
1393 + .init = &init,
1394 + .parse = &parse,
1395 + .final_check = &final_check,
1396 + .print = &print,
1397 + .save = &save,
1398 + .extra_opts = opts
1399 +};
1400 +
1401 +void _init(void)
1402 +{
1403 + register_target6(&mss);
1404 +}
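Review bot: `struct mssinfo` near the top of the new libip6t_TCPMSS.c is declared but never referenced; every function here casts `target->data` straight to `struct ip6t_tcpmss_info *`, so the wrapper struct is dead code and can be dropped (or commented if it is kept for layout documentation). In `parse`, `unsigned int mssval;` sits inside the `switch` body ahead of the first `case` label, which is legal C but reads as if it were skipped; moving it up beside `mssinfo` and initialising it, `unsigned int mssval = 0;`, avoids the question. The range check `string_to_number(optarg, 0, 65535 - 60, &mssval)` accepts `--set-mss 0`; whether a zero MSS is rejected by the kernel target is not visible here, so either raise the lower bound or state the accepted range in the `help` text so the limits are documented in one place.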
1405 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TCPMSS.man iptables-svn/extensions/libip6t_TCPMSS.man
1406 --- iptables-1.3.7/extensions/libip6t_TCPMSS.man 1970-01-01 01:00:00.000000000 +0100
1407 +++ iptables-svn/extensions/libip6t_TCPMSS.man 2007-05-31 12:46:30.000000000 +0200
1408 @@ -0,0 +1,42 @@
1409 +This target allows to alter the MSS value of TCP SYN packets, to control
1410 +the maximum size for that connection (usually limiting it to your
1411 +outgoing interface's MTU minus 60). Of course, it can only be used
1412 +in conjunction with
1413 +.BR "-p tcp" .
1414 +It is only valid in the
1415 +.BR mangle
1416 +table.
1417 +.br
1418 +This target is used to overcome criminally braindead ISPs or servers
1419 +which block ICMPv6 Packet Too Big packets or are unable to send them.
1420 +The symptoms of this problem are that everything works fine from your
1421 +Linux firewall/router, but machines behind it can never exchange large
1422 +packets:
1423 +.PD 0
1424 +.RS 0.1i
1425 +.TP 0.3i
1426 +1)
1427 +Web browsers connect, then hang with no data received.
1428 +.TP
1429 +2)
1430 +Small mail works fine, but large emails hang.
1431 +.TP
1432 +3)
1433 +ssh works fine, but scp hangs after initial handshaking.
1434 +.RE
1435 +.PD
1436 +Workaround: activate this option and add a rule to your firewall
1437 +configuration like:
1438 +.nf
1439 + ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
1440 + -j TCPMSS --clamp-mss-to-pmtu
1441 +.fi
1442 +.TP
1443 +.BI "--set-mss " "value"
1444 +Explicitly set MSS option to specified value.
1445 +.TP
1446 +.B "--clamp-mss-to-pmtu"
1447 +Automatically clamp MSS value to (path_MTU - 60).
1448 +.TP
1449 +These options are mutually exclusive.
1450 +
1451 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TRACE.c iptables-svn/extensions/libip6t_TRACE.c
1452 --- iptables-1.3.7/extensions/libip6t_TRACE.c 2006-12-04 12:15:19.000000000 +0100
1453 +++ iptables-svn/extensions/libip6t_TRACE.c 1970-01-01 01:00:00.000000000 +0100
1454 @@ -1,63 +0,0 @@
1455 -/* Shared library add-on to iptables to add TRACE target support. */
1456 -#include <stdio.h>
1457 -#include <string.h>
1458 -#include <stdlib.h>
1459 -#include <getopt.h>
1460 -
1461 -#include <ip6tables.h>
1462 -#include <linux/netfilter_ipv6/ip6_tables.h>
1463 -
1464 -/* Function which prints out usage message. */
1465 -static void
1466 -help(void)
1467 -{
1468 - printf(
1469 -"TRACE target v%s takes no options\n",
1470 -IPTABLES_VERSION);
1471 -}
1472 -
1473 -static struct option opts[] = {
1474 - { 0 }
1475 -};
1476 -
1477 -/* Initialize the target. */
1478 -static void
1479 -init(struct ip6t_entry_target *t, unsigned int *nfcache)
1480 -{
1481 -}
1482 -
1483 -/* Function which parses command options; returns true if it
1484 - ate an option */
1485 -static int
1486 -parse(int c, char **argv, int invert, unsigned int *flags,
1487 - const struct ip6t_entry *entry,
1488 - struct ip6t_entry_target **target)
1489 -{
1490 - return 0;
1491 -}
1492 -
1493 -static void
1494 -final_check(unsigned int flags)
1495 -{
1496 -}
1497 -
1498 -static
1499 -struct ip6tables_target trace
1500 -= { .next = NULL,
1501 - .name = "TRACE",
1502 - .version = IPTABLES_VERSION,
1503 - .size = IP6T_ALIGN(0),
1504 - .userspacesize = IP6T_ALIGN(0),
1505 - .help = &help,
1506 - .init = &init,
1507 - .parse = &parse,
1508 - .final_check = &final_check,
1509 - .print = NULL, /* print */
1510 - .save = NULL, /* save */
1511 - .extra_opts = opts
1512 -};
1513 -
1514 -void _init(void)
1515 -{
1516 - register_target6(&trace);
1517 -}
1518 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_TRACE.man iptables-svn/extensions/libip6t_TRACE.man
1519 --- iptables-1.3.7/extensions/libip6t_TRACE.man 2006-12-04 12:15:19.000000000 +0100
1520 +++ iptables-svn/extensions/libip6t_TRACE.man 1970-01-01 01:00:00.000000000 +0100
1521 @@ -1,3 +0,0 @@
1522 -This target has no options. It just turns on
1523 -.B packet tracing
1524 -for all packets that match this rule.
1525 diff -x .svn -Nur iptables-1.3.7/extensions/libip6t_udp.man iptables-svn/extensions/libip6t_udp.man
1526 --- iptables-1.3.7/extensions/libip6t_udp.man 2006-12-04 12:15:20.000000000 +0100
1527 +++ iptables-svn/extensions/libip6t_udp.man 2007-05-31 12:46:30.000000000 +0200
1528 @@ -1,4 +1,4 @@
1529 -These extensions are loaded if `--protocol udp' is specified. It
1530 +These extensions can be used if `--protocol udp' is specified. It
1531 provides the following options:
1532 .TP
1533 .BR "--source-port " "[!] \fIport\fP[:\fIport\fP]"
1534 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_account.c iptables-svn/extensions/libipt_account.c
1535 --- iptables-1.3.7/extensions/libipt_account.c 2006-12-04 12:15:19.000000000 +0100
1536 +++ iptables-svn/extensions/libipt_account.c 1970-01-01 01:00:00.000000000 +0100
1537 @@ -1,277 +0,0 @@
1538 -/*
1539 - * accounting match helper (libipt_account.c)
1540 - * (C) 2003,2004 by Piotr Gasid³o (quaker@barbara.eu.org)
1541 - *
1542 - * Version: 0.1.6
1543 - *
1544 - * This software is distributed under the terms of GNU GPL
1545 - */
1546 -
1547 -#include <stdio.h>
1548 -#include <stdlib.h>
1549 -#include <iptables.h>
1550 -#include <string.h>
1551 -#include <getopt.h>
1552 -
1553 -#include <linux/netfilter_ipv4/ipt_account.h>
1554 -
1555 -#ifndef HIPQUAD
1556 -#define HIPQUAD(addr) \
1557 - ((unsigned char *)&addr)[3], \
1558 - ((unsigned char *)&addr)[2], \
1559 - ((unsigned char *)&addr)[1], \
1560 - ((unsigned char *)&addr)[0]
1561 -#endif
1562 -
1563 -static void help(void) {
1564 - printf(
1565 - "account v%s options:\n"
1566 - "--aaddr network/netmask\n"
1567 - " defines network/netmask for which make statistics.\n"
1568 - "--aname name\n"
1569 - " defines name of list where statistics will be kept. If no is\n"
1570 - " specified DEFAULT will be used.\n"
1571 - "--ashort\n"
1572 - " table will colect only short statistics (only total counters\n"
1573 - " without splitting it into protocols.\n"
1574 - ,
1575 - IPTABLES_VERSION);
1576 -};
1577 -
1578 -static struct option opts[] = {
1579 - { .name = "aaddr", .has_arg = 1, .flag = NULL, .val = 201 },
1580 - { .name = "aname", .has_arg = 1, .flag = NULL, .val = 202 },
1581 - { .name = "ashort", .has_arg = 0, .flag = NULL, .val = 203 },
1582 - { .name = 0, .has_arg = 0, .flag = 0, .val = 0 }
1583 -};
1584 -
1585 -/* Helper functions for parse_network */
1586 -int parseip(const char *parameter, u_int32_t *ip) {
1587 -
1588 - char buffer[16], *bufferptr, *dot;
1589 - unsigned int i, shift, part;
1590 -
1591 - if (strlen(parameter) > 15)
1592 - return 0;
1593 -
1594 - strncpy(buffer, parameter, 15);
1595 - buffer[15] = 0;
1596 -
1597 - bufferptr = buffer;
1598 -
1599 - for (i = 0, shift = 24, *ip = 0; i < 3; i++, shift -= 8) {
1600 - /* no dot */
1601 - if ((dot = strchr(bufferptr, '.')) == NULL)
1602 - return 0;
1603 - /* not a number */
1604 - if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
1605 - return 0;
1606 - /* to big number */
1607 - if (part > 255)
1608 - return 0;
1609 - *ip |= part << shift;
1610 - bufferptr = dot + 1;
1611 - }
1612 - /* not a number */
1613 - if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
1614 - return 0;
1615 - /* to big number */
1616 - if (part > 255)
1617 - return 0;
1618 - *ip |= part;
1619 - return 1;
1620 -}
1621 -
1622 -static void parsenetwork(const char *parameter, u_int32_t *network) {
1623 - if (!parseip(parameter, network))
1624 - exit_error(PARAMETER_PROBLEM, "account: wrong ip in network");
1625 -}
1626 -
1627 -static void parsenetmaskasbits(const char *parameter, u_int32_t *netmask) {
1628 -
1629 - u_int32_t bits;
1630 -
1631 - if ((bits = strtol(parameter, (char **)NULL, 10)) < 0 || bits > 32)
1632 - exit_error(PARAMETER_PROBLEM, "account: wrong netmask");
1633 -
1634 - *netmask = 0xffffffff << (32 - bits);
1635 -}
1636 -
1637 -static void parsenetmaskasip(const char *parameter, u_int32_t *netmask) {
1638 - if (!parseip(parameter, netmask))
1639 - exit_error(PARAMETER_PROBLEM, "account: wrong ip in netmask");
1640 -}
1641 -
1642 -static void parsenetmask(const char *parameter, u_int32_t *netmask)
1643 -{
1644 - if (strchr(parameter, '.') != NULL)
1645 - parsenetmaskasip(parameter, netmask);
1646 - else
1647 - parsenetmaskasbits(parameter, netmask);
1648 -}
1649 -
1650 -static void parsenetworkandnetmask(const char *parameter, u_int32_t *network, u_int32_t *netmask)
1651 -{
1652 -
1653 - char buffer[32], *slash;
1654 -
1655 - if (strlen(parameter) > 31)
1656 - /* text is to long, even for 255.255.255.255/255.255.255.255 */
1657 - exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
1658 -
1659 - strncpy(buffer, parameter, 31);
1660 - buffer[31] = 0;
1661 -
1662 - /* check whether netmask is given */
1663 - if ((slash = strchr(buffer, '/')) != NULL) {
1664 - parsenetmask(slash + 1, netmask);
1665 - *slash = 0;
1666 - } else
1667 - *netmask = 0xffffffff;
1668 - parsenetwork(buffer, network);
1669 -
1670 - if ((*network & *netmask) != *network)
1671 - exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
1672 -}
1673 -
1674 -
1675 -/* Function gets network & netmask from argument after --aaddr */
1676 -static void parse_network(const char *parameter, struct t_ipt_account_info *info) {
1677 -
1678 - parsenetworkandnetmask(parameter, &info->network, &info->netmask);
1679 -
1680 -}
1681 -
1682 -/* validate netmask */
1683 -inline int valid_netmask(u_int32_t netmask) {
1684 - while (netmask & 0x80000000)
1685 - netmask <<= 1;
1686 - if (netmask != 0)
1687 - return 0;
1688 - return 1;
1689 -}
1690 -
1691 -/* validate network/netmask pair */
1692 -inline int valid_network_and_netmask(struct t_ipt_account_info *info) {
1693 - if (!valid_netmask(info->netmask))
1694 - return 0;
1695 - if ((info->network & info->netmask) != info->network)
1696 - return 0;
1697 - return 1;
1698 -}
1699 -
1700 -
1701 -
1702 -/* Function initializes match */
1703 -static void init(struct ipt_entry_match *match,
1704 - unsigned int *nfcache) {
1705 -
1706 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)(match)->data;
1707 -
1708 -
1709 - /* set default table name to DEFAULT */
1710 - strncpy(info->name, "DEFAULT", IPT_ACCOUNT_NAME_LEN);
1711 - info->shortlisting = 0;
1712 -
1713 -}
1714 -
1715 -/* Function parses match's arguments */
1716 -static int parse(int c, char **argv,
1717 - int invert,
1718 - unsigned int *flags,
1719 - const struct ipt_entry *entry,
1720 - unsigned int *nfcache,
1721 - struct ipt_entry_match **match) {
1722 -
1723 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)(*match)->data;
1724 -
1725 - switch (c) {
1726 -
1727 - /* --aaddr */
1728 - case 201:
1729 - parse_network(optarg, info);
1730 - if (!valid_network_and_netmask(info))
1731 - exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
1732 - *flags = 1;
1733 - break;
1734 -
1735 - /* --aname */
1736 - case 202:
1737 - if (strlen(optarg) < IPT_ACCOUNT_NAME_LEN)
1738 - strncpy(info->name, optarg, IPT_ACCOUNT_NAME_LEN);
1739 - else
1740 - exit_error(PARAMETER_PROBLEM, "account: Too long table name");
1741 - break;
1742 - /* --ashort */
1743 - case 203:
1744 - info->shortlisting = 1;
1745 - break;
1746 - default:
1747 - return 0;
1748 - }
1749 - return 1;
1750 -}
1751 -
1752 -/* Final check whether network/netmask was specified */
1753 -static void final_check(unsigned int flags) {
1754 - if (!flags)
1755 - exit_error(PARAMETER_PROBLEM, "account: You need specify '--aaddr' parameter");
1756 -}
1757 -
1758 -/* Function used for printing rule with account match for iptables -L */
1759 -static void print(const struct ipt_ip *ip,
1760 - const struct ipt_entry_match *match,
1761 - int numeric) {
1762 -
1763 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
1764 -
1765 - printf("account: ");
1766 - printf("network/netmask: ");
1767 - printf("%u.%u.%u.%u/%u.%u.%u.%u ",
1768 - HIPQUAD(info->network),
1769 - HIPQUAD(info->netmask)
1770 - );
1771 -
1772 - printf("name: %s ", info->name);
1773 - if (info->shortlisting)
1774 - printf("short-listing ");
1775 -}
1776 -
1777 -/* Function used for saving rule containing account match */
1778 -static void save(const struct ipt_ip *ip,
1779 - const struct ipt_entry_match *match) {
1780 -
1781 - struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
1782 -
1783 - printf("--aaddr ");
1784 - printf("%u.%u.%u.%u/%u.%u.%u.%u ",
1785 - HIPQUAD(info->network),
1786 - HIPQUAD(info->netmask)
1787 - );
1788 -
1789 - printf("--aname %s ", info->name);
1790 - if (info->shortlisting)
1791 - printf("--ashort ");
1792 -}
1793 -
1794 -static struct iptables_match account = {
1795 - .next = NULL,
1796 - .name = "account",
1797 - .version = IPTABLES_VERSION,
1798 - .size = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
1799 - .userspacesize = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
1800 - .help = &help,
1801 - .init = &init,
1802 - .parse = &parse,
1803 - .final_check = &final_check,
1804 - .print = &print,
1805 - .save = &save,
1806 - .extra_opts = opts
1807 -};
1808 -
1809 -/* Function which registers match */
1810 -void _init(void)
1811 -{
1812 - register_match(&account);
1813 -}
1814 -
1815 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_account.man iptables-svn/extensions/libipt_account.man
1816 --- iptables-1.3.7/extensions/libipt_account.man 2006-12-04 12:15:19.000000000 +0100
1817 +++ iptables-svn/extensions/libipt_account.man 1970-01-01 01:00:00.000000000 +0100
1818 @@ -1,47 +0,0 @@
1819 -Account traffic for all hosts in defined network/netmask.
1820 -
1821 -Features:
1822 -
1823 -- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
1824 -
1825 -- one iptables rule for all hosts in network/netmask
1826 -
1827 -- loading/saving counters (by reading/writting to procfs entries)
1828 -
1829 -.TP
1830 -.BI "--aaddr " "network/netmask"
1831 -defines network/netmask for which make statistics.
1832 -.TP
1833 -.BI "--aname " "name"
1834 -defines name of list where statistics will be kept. If no is
1835 -specified DEFAULT will be used.
1836 -.TP
1837 -.B "--ashort"
1838 -table will colect only short statistics (only total counters
1839 -without splitting it into protocols.
1840 -.P
1841 -Example usage:
1842 -
1843 -account traffic for/to 192.168.0.0/24 network into table mynetwork:
1844 -
1845 -# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
1846 -
1847 -account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
1848 -
1849 -# iptables -A INPUT -p tcp --dport 80
1850 - -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
1851 -
1852 -# iptables -A OUTPUT -p tcp --sport 80
1853 - -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
1854 -
1855 -read counters:
1856 -
1857 -# cat /proc/net/ipt_account/mynetwork
1858 -# cat /proc/net/ipt_account/mywwwserver
1859 -
1860 -set counters:
1861 -
1862 -# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
1863 -
1864 -Webpage:
1865 - http://www.barbara.eu.org/~quaker/ipt_account/
1866 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_BALANCE.c iptables-svn/extensions/libipt_BALANCE.c
1867 --- iptables-1.3.7/extensions/libipt_BALANCE.c 2006-12-04 12:15:20.000000000 +0100
1868 +++ iptables-svn/extensions/libipt_BALANCE.c 1970-01-01 01:00:00.000000000 +0100
1869 @@ -1,150 +0,0 @@
1870 -/* Shared library add-on to iptables to add simple load-balance support. */
1871 -#include <stdio.h>
1872 -#include <netdb.h>
1873 -#include <string.h>
1874 -#include <stdlib.h>
1875 -#include <getopt.h>
1876 -#include <iptables.h>
1877 -#include <linux/netfilter_ipv4/ip_tables.h>
1878 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
1879 -
1880 -#define BREAKUP_IP(x) (x)>>24, ((x)>>16) & 0xFF, ((x)>>8) & 0xFF, (x) & 0xFF
1881 -
1882 -/* Function which prints out usage message. */
1883 -static void
1884 -help(void)
1885 -{
1886 - printf(
1887 -"BALANCE v%s options:\n"
1888 -" --to-destination <ipaddr>-<ipaddr>\n"
1889 -" Addresses to map destination to.\n",
1890 -IPTABLES_VERSION);
1891 -}
1892 -
1893 -static struct option opts[] = {
1894 - { "to-destination", 1, 0, '1' },
1895 - { 0 }
1896 -};
1897 -
1898 -/* Initialize the target. */
1899 -static void
1900 -init(struct ipt_entry_target *t, unsigned int *nfcache)
1901 -{
1902 - struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
1903 -
1904 - /* Actually, it's 0, but it's ignored at the moment. */
1905 - mr->rangesize = 1;
1906 -
1907 -}
1908 -
1909 -/* Parses range of IPs */
1910 -static void
1911 -parse_to(char *arg, struct ip_nat_range *range)
1912 -{
1913 - char *dash;
1914 - struct in_addr *ip;
1915 -
1916 - range->flags |= IP_NAT_RANGE_MAP_IPS;
1917 - dash = strchr(arg, '-');
1918 - if (dash)
1919 - *dash = '\0';
1920 - else
1921 - exit_error(PARAMETER_PROBLEM, "Bad IP range `%s'\n", arg);
1922 -
1923 - ip = dotted_to_addr(arg);
1924 - if (!ip)
1925 - exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
1926 - arg);
1927 - range->min_ip = ip->s_addr;
1928 - ip = dotted_to_addr(dash+1);
1929 - if (!ip)
1930 - exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
1931 - dash+1);
1932 - range->max_ip = ip->s_addr;
1933 -}
1934 -
1935 -/* Function which parses command options; returns true if it
1936 - ate an option */
1937 -static int
1938 -parse(int c, char **argv, int invert, unsigned int *flags,
1939 - const struct ipt_entry *entry,
1940 - struct ipt_entry_target **target)
1941 -{
1942 - struct ip_nat_multi_range *mr
1943 - = (struct ip_nat_multi_range *)(*target)->data;
1944 -
1945 - switch (c) {
1946 - case '1':
1947 - if (check_inverse(optarg, &invert, NULL, 0))
1948 - exit_error(PARAMETER_PROBLEM,
1949 - "Unexpected `!' after --to-destination");
1950 -
1951 - parse_to(optarg, &mr->range[0]);
1952 - *flags = 1;
1953 - return 1;
1954 -
1955 - default:
1956 - return 0;
1957 - }
1958 -}
1959 -
1960 -/* Final check; need --to-dest. */
1961 -static void final_check(unsigned int flags)
1962 -{
1963 - if (!flags)
1964 - exit_error(PARAMETER_PROBLEM,
1965 - "BALANCE needs --to-destination");
1966 -}
1967 -
1968 -/* Prints out the targinfo. */
1969 -static void
1970 -print(const struct ipt_ip *ip,
1971 - const struct ipt_entry_target *target,
1972 - int numeric)
1973 -{
1974 - struct ip_nat_multi_range *mr
1975 - = (struct ip_nat_multi_range *)target->data;
1976 - struct ip_nat_range *r = &mr->range[0];
1977 - struct in_addr a;
1978 -
1979 - a.s_addr = r->min_ip;
1980 -
1981 - printf("balance %s", addr_to_dotted(&a));
1982 - a.s_addr = r->max_ip;
1983 - printf("-%s ", addr_to_dotted(&a));
1984 -}
1985 -
1986 -/* Saves the union ipt_targinfo in parsable form to stdout. */
1987 -static void
1988 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
1989 -{
1990 - struct ip_nat_multi_range *mr
1991 - = (struct ip_nat_multi_range *)target->data;
1992 - struct ip_nat_range *r = &mr->range[0];
1993 - struct in_addr a;
1994 -
1995 - a.s_addr = r->min_ip;
1996 - printf("--to-destination %s", addr_to_dotted(&a));
1997 - a.s_addr = r->max_ip;
1998 - printf("-%s ", addr_to_dotted(&a));
1999 -}
2000 -
2001 -static struct iptables_target balance = {
2002 - .next = NULL,
2003 - .name = "BALANCE",
2004 - .version = IPTABLES_VERSION,
2005 - .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
2006 - .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
2007 - .help = &help,
2008 - .init = &init,
2009 - .parse = &parse,
2010 - .final_check = &final_check,
2011 - .print = &print,
2012 - .save = &save,
2013 - .extra_opts = opts
2014 -};
2015 -
2016 -void _init(void)
2017 -{
2018 - register_target(&balance);
2019 -}
2020 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_BALANCE.man iptables-svn/extensions/libipt_BALANCE.man
2021 --- iptables-1.3.7/extensions/libipt_BALANCE.man 2006-12-04 12:15:20.000000000 +0100
2022 +++ iptables-svn/extensions/libipt_BALANCE.man 1970-01-01 01:00:00.000000000 +0100
2023 @@ -1,4 +0,0 @@
2024 -This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
2025 -.TP
2026 -.BI "--to-destination " "ipaddr-ipaddr"
2027 -Address range to round-robin over.
2028 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_childlevel.c iptables-svn/extensions/libipt_childlevel.c
2029 --- iptables-1.3.7/extensions/libipt_childlevel.c 2006-12-04 12:15:20.000000000 +0100
2030 +++ iptables-svn/extensions/libipt_childlevel.c 1970-01-01 01:00:00.000000000 +0100
2031 @@ -1,115 +0,0 @@
2032 -/*
2033 - Shared library add-on to iptables to add layer 7 matching support.
2034 -
2035 - http://l7-filter.sf.net
2036 -
2037 - By Matthew Strait <quadong@users.sf.net>, Dec 2003.
2038 -
2039 - This program is free software; you can redistribute it and/or
2040 - modify it under the terms of the GNU General Public License
2041 - as published by the Free Software Foundation; either version
2042 - 2 of the License, or (at your option) any later version.
2043 - http://www.gnu.org/licenses/gpl.txt
2044 -*/
2045 -
2046 -#define _GNU_SOURCE
2047 -#include <stdio.h>
2048 -#include <netdb.h>
2049 -#include <string.h>
2050 -#include <stdlib.h>
2051 -#include <getopt.h>
2052 -#include <ctype.h>
2053 -#include <dirent.h>
2054 -
2055 -#include <iptables.h>
2056 -#include <linux/netfilter_ipv4/ipt_childlevel.h>
2057 -
2058 -/* Function which prints out usage message. */
2059 -static void help(void)
2060 -{
2061 - printf(
2062 - "CHILDLEVEL match v%s options:\n"
2063 - "--level <n> : Match childlevel n (0 == master)\n",
2064 - IPTABLES_VERSION);
2065 - fputc('\n', stdout);
2066 -}
2067 -
2068 -static struct option opts[] = {
2069 - { .name = "level", .has_arg = 1, .flag = 0, .val = '1' },
2070 - { .name = 0 }
2071 -};
2072 -
2073 -/* Function which parses command options; returns true if it ate an option */
2074 -static int parse(int c, char **argv, int invert, unsigned int *flags,
2075 - const struct ipt_entry *entry, unsigned int *nfcache,
2076 - struct ipt_entry_match **match)
2077 -{
2078 - struct ipt_childlevel_info *childlevelinfo =
2079 - (struct ipt_childlevel_info *)(*match)->data;
2080 -
2081 - switch (c) {
2082 - case '1':
2083 - check_inverse(optarg, &invert, &optind, 0);
2084 - childlevelinfo->childlevel = atoi(argv[optind-1]);
2085 - if (invert)
2086 - childlevelinfo->invert = 1;
2087 - *flags = 1;
2088 - break;
2089 - default:
2090 - return 0;
2091 - }
2092 -
2093 - return 1;
2094 -}
2095 -
2096 -/* Final check; must have specified --level. */
2097 -static void final_check(unsigned int flags)
2098 -{
2099 - if (!flags)
2100 - exit_error(PARAMETER_PROBLEM,
2101 - "CHILDLEVEL match: You must specify `--level'");
2102 -}
2103 -
2104 -static void print_protocol(int n, int invert, int numeric)
2105 -{
2106 - fputs("childlevel ", stdout);
2107 - if (invert) fputc('!', stdout);
2108 - printf("%d ", n);
2109 -}
2110 -
2111 -/* Prints out the matchinfo. */
2112 -static void print(const struct ipt_ip *ip,
2113 - const struct ipt_entry_match *match,
2114 - int numeric)
2115 -{
2116 - printf("CHILDLEVEL ");
2117 -
2118 - print_protocol(((struct ipt_childlevel_info *)match->data)->childlevel,
2119 - ((struct ipt_childlevel_info *)match->data)->invert, numeric);
2120 -}
2121 -/* Saves the union ipt_matchinfo in parsable form to stdout. */
2122 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2123 -{
2124 - const struct ipt_childlevel_info *info =
2125 - (const struct ipt_childlevel_info*) match->data;
2126 -
2127 - printf("--childlevel %s%d ", (info->invert) ? "! ": "", info->childlevel);
2128 -}
2129 -
2130 -static struct iptables_match childlevel = {
2131 - .name = "childlevel",
2132 - .version = IPTABLES_VERSION,
2133 - .size = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
2134 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
2135 - .help = &help,
2136 - .parse = &parse,
2137 - .final_check = &final_check,
2138 - .print = &print,
2139 - .save = &save,
2140 - .extra_opts = opts
2141 -};
2142 -
2143 -void _init(void)
2144 -{
2145 - register_match(&childlevel);
2146 -}
2147 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_childlevel.man iptables-svn/extensions/libipt_childlevel.man
2148 --- iptables-1.3.7/extensions/libipt_childlevel.man 2006-12-04 12:15:19.000000000 +0100
2149 +++ iptables-svn/extensions/libipt_childlevel.man 1970-01-01 01:00:00.000000000 +0100
2150 @@ -1,5 +0,0 @@
2151 -This is an experimental module. It matches on whether the
2152 -packet is part of a master connection or one of its children (or grandchildren,
2153 -etc). For instance, most packets are level 0. FTP data transfer is level 1.
2154 -.TP
2155 -.BR "--childlevel " "[!] \fIlevel\fP"
2156 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connbytes.c iptables-svn/extensions/libipt_connbytes.c
2157 --- iptables-1.3.7/extensions/libipt_connbytes.c 2006-12-04 12:15:20.000000000 +0100
2158 +++ iptables-svn/extensions/libipt_connbytes.c 2007-05-31 12:46:30.000000000 +0200
2159 @@ -5,7 +5,7 @@
2160 #include <stdlib.h>
2161 #include <getopt.h>
2162 #include <iptables.h>
2163 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2164 +#include <linux/netfilter/nf_conntrack_common.h>
2165 #include <linux/netfilter_ipv4/ipt_connbytes.h>
2166
2167 /* Function which prints out usage message. */
2168 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connlimit.c iptables-svn/extensions/libipt_connlimit.c
2169 --- iptables-1.3.7/extensions/libipt_connlimit.c 2006-12-04 12:15:19.000000000 +0100
2170 +++ iptables-svn/extensions/libipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
2171 @@ -1,132 +0,0 @@
2172 -/* Shared library add-on to iptables to add connection limit support. */
2173 -#include <stdio.h>
2174 -#include <netdb.h>
2175 -#include <string.h>
2176 -#include <stdlib.h>
2177 -#include <stddef.h>
2178 -#include <getopt.h>
2179 -#include <iptables.h>
2180 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2181 -#include <linux/netfilter_ipv4/ipt_connlimit.h>
2182 -
2183 -/* Function which prints out usage message. */
2184 -static void
2185 -help(void)
2186 -{
2187 - printf(
2188 -"connlimit v%s options:\n"
2189 -"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n"
2190 -" --connlimit-mask n group hosts using mask\n"
2191 -"\n", IPTABLES_VERSION);
2192 -}
2193 -
2194 -static struct option opts[] = {
2195 - { "connlimit-above", 1, 0, '1' },
2196 - { "connlimit-mask", 1, 0, '2' },
2197 - {0}
2198 -};
2199 -
2200 -/* Function which parses command options; returns true if it
2201 - ate an option */
2202 -static int
2203 -parse(int c, char **argv, int invert, unsigned int *flags,
2204 - const struct ipt_entry *entry,
2205 - unsigned int *nfcache,
2206 - struct ipt_entry_match **match)
2207 -{
2208 - struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
2209 - int i;
2210 -
2211 - if (0 == (*flags & 2)) {
2212 - /* set default mask unless we've already seen a mask option */
2213 - info->mask = htonl(0xFFFFFFFF);
2214 - }
2215 -
2216 - switch (c) {
2217 - case '1':
2218 - check_inverse(optarg, &invert, &optind, 0);
2219 - info->limit = atoi(argv[optind-1]);
2220 - info->inverse = invert;
2221 - *flags |= 1;
2222 - break;
2223 -
2224 - case '2':
2225 - i = atoi(argv[optind-1]);
2226 - if ((i < 0) || (i > 32))
2227 - exit_error(PARAMETER_PROBLEM,
2228 - "--connlimit-mask must be between 0 and 32");
2229 -
2230 - if (i == 0)
2231 - info->mask = 0;
2232 - else
2233 - info->mask = htonl(0xFFFFFFFF << (32 - i));
2234 - *flags |= 2;
2235 - break;
2236 -
2237 - default:
2238 - return 0;
2239 - }
2240 -
2241 - return 1;
2242 -}
2243 -
2244 -/* Final check */
2245 -static void final_check(unsigned int flags)
2246 -{
2247 - if (!flags & 1)
2248 - exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
2249 -}
2250 -
2251 -static int
2252 -count_bits(u_int32_t mask)
2253 -{
2254 - int i, bits;
2255 -
2256 - for (bits = 0, i = 31; i >= 0; i--) {
2257 - if (mask & htonl((u_int32_t)1 << i)) {
2258 - bits++;
2259 - continue;
2260 - }
2261 - break;
2262 - }
2263 - return bits;
2264 -}
2265 -
2266 -/* Prints out the matchinfo. */
2267 -static void
2268 -print(const struct ipt_ip *ip,
2269 - const struct ipt_entry_match *match,
2270 - int numeric)
2271 -{
2272 - struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
2273 -
2274 - printf("#conn/%d %s %d ", count_bits(info->mask),
2275 - info->inverse ? "<" : ">", info->limit);
2276 -}
2277 -
2278 -/* Saves the matchinfo in parsable form to stdout. */
2279 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2280 -{
2281 - struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
2282 -
2283 - printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
2284 - printf("--connlimit-mask %d ",count_bits(info->mask));
2285 -}
2286 -
2287 -static struct iptables_match connlimit = {
2288 - .name = "connlimit",
2289 - .version = IPTABLES_VERSION,
2290 - .size = IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
2291 - .userspacesize = offsetof(struct ipt_connlimit_info,data),
2292 - .help = help,
2293 - .parse = parse,
2294 - .final_check = final_check,
2295 - .print = print,
2296 - .save = save,
2297 - .extra_opts = opts
2298 -};
2299 -
2300 -void _init(void)
2301 -{
2302 - register_match(&connlimit);
2303 -}
2304 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connlimit.man iptables-svn/extensions/libipt_connlimit.man
2305 --- iptables-1.3.7/extensions/libipt_connlimit.man 2006-12-04 12:15:19.000000000 +0100
2306 +++ iptables-svn/extensions/libipt_connlimit.man 1970-01-01 01:00:00.000000000 +0100
2307 @@ -1,21 +0,0 @@
2308 -Allows you to restrict the number of parallel TCP connections to a
2309 -server per client IP address (or address block).
2310 -.TP
2311 -[\fB!\fR] \fB--connlimit-above \fIn\fR
2312 -match if the number of existing tcp connections is (not) above n
2313 -.TP
2314 -.BI "--connlimit-mask " "bits"
2315 -group hosts using mask
2316 -.P
2317 -Examples:
2318 -.TP
2319 -# allow 2 telnet connections per client host
2320 -iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
2321 -.TP
2322 -# you can also match the other way around:
2323 -iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
2324 -.TP
2325 -# limit the nr of parallel http requests to 16 per class C sized \
2326 -network (24 bit netmask)
2327 -iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
2328 ---connlimit-mask 24 -j REJECT
2329 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_connrate.c iptables-svn/extensions/libipt_connrate.c
2330 --- iptables-1.3.7/extensions/libipt_connrate.c 2006-12-04 12:15:20.000000000 +0100
2331 +++ iptables-svn/extensions/libipt_connrate.c 2007-05-31 12:46:30.000000000 +0200
2332 @@ -13,7 +13,7 @@
2333 #include <stdlib.h>
2334 #include <getopt.h>
2335 #include <iptables.h>
2336 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2337 +#include <linux/netfilter/nf_conntrack_common.h>
2338 #include <linux/netfilter_ipv4/ipt_connrate.h>
2339
2340 /* Function which prints out usage message. */
2341 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_conntrack.c iptables-svn/extensions/libipt_conntrack.c
2342 --- iptables-1.3.7/extensions/libipt_conntrack.c 2006-12-04 12:15:19.000000000 +0100
2343 +++ iptables-svn/extensions/libipt_conntrack.c 2007-05-31 12:46:30.000000000 +0200
2344 @@ -9,7 +9,7 @@
2345 #include <getopt.h>
2346 #include <ctype.h>
2347 #include <iptables.h>
2348 -#include <linux/netfilter_ipv4/ip_conntrack.h>
2349 +#include <linux/netfilter/nf_conntrack_common.h>
2350 #include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
2351 /* For 64bit kernel / 32bit userspace */
2352 #include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
2353 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_DNAT.c iptables-svn/extensions/libipt_DNAT.c
2354 --- iptables-1.3.7/extensions/libipt_DNAT.c 2006-12-04 12:15:19.000000000 +0100
2355 +++ iptables-svn/extensions/libipt_DNAT.c 2007-05-31 12:46:30.000000000 +0200
2356 @@ -6,7 +6,10 @@
2357 #include <getopt.h>
2358 #include <iptables.h>
2359 #include <linux/netfilter_ipv4/ip_tables.h>
2360 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
2361 +#include <linux/netfilter/nf_nat.h>
2362 +
2363 +#define IPT_DNAT_OPT_DEST 0x1
2364 +#define IPT_DNAT_OPT_RANDOM 0x2
2365
2366 /* Dest NAT data consists of a multi-range, indicating where to map
2367 to. */
2368 @@ -24,12 +27,14 @@
2369 "DNAT v%s options:\n"
2370 " --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
2371 " Address to map destination to.\n"
2372 -" (You can use this more than once)\n\n",
2373 +"[--random]\n"
2374 +"\n",
2375 IPTABLES_VERSION);
2376 }
2377
2378 static struct option opts[] = {
2379 { "to-destination", 1, 0, '1' },
2380 + { "random", 0, 0, '2' },
2381 { 0 }
2382 };
2383
2384 @@ -163,9 +168,18 @@
2385 "Multiple --to-destination not supported");
2386 }
2387 *target = parse_to(optarg, portok, info);
2388 - *flags = 1;
2389 + /* WTF do we need this for?? */
2390 + if (*flags & IPT_DNAT_OPT_RANDOM)
2391 + info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
2392 + *flags |= IPT_DNAT_OPT_DEST;
2393 return 1;
2394
2395 + case '2':
2396 + if (*flags & IPT_DNAT_OPT_DEST) {
2397 + info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
2398 + *flags |= IPT_DNAT_OPT_RANDOM;
2399 + } else
2400 + *flags |= IPT_DNAT_OPT_RANDOM;
2401 default:
2402 return 0;
2403 }
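Review bot: `case '2':` at the end of the hunk has no `return 1;`, so after recording the flag it falls through into `default: return 0;` and parse() reports that it did not consume `--random`; add `return 1;` after the else branch, as `case '1'` does. The new flag write after `*target = parse_to(optarg, portok, info);` goes through the old `info` pointer; if parse_to can reallocate the target (the reassignment of `*target` suggests it may), that is a write through a stale pointer, and refreshing it first, `info = (void *)*target;`, would keep the write inside the live object. The `/* WTF do we need this for?? */` comment should state the purpose instead, e.g. `/* --random may precede --to-destination; apply the deferred flag now that the range exists */`. parse() starts and ends outside the hunk.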
2404 @@ -212,6 +226,8 @@
2405 for (i = 0; i < info->mr.rangesize; i++) {
2406 print_range(&info->mr.range[i]);
2407 printf(" ");
2408 + if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
2409 + printf("random ");
2410 }
2411 }
2412
2413 @@ -226,6 +242,8 @@
2414 printf("--to-destination ");
2415 print_range(&info->mr.range[i]);
2416 printf(" ");
2417 + if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
2418 + printf("--random ");
2419 }
2420 }
2421
2422 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_DNAT.man iptables-svn/extensions/libipt_DNAT.man
2423 --- iptables-1.3.7/extensions/libipt_DNAT.man 2006-12-04 12:15:20.000000000 +0100
2424 +++ iptables-svn/extensions/libipt_DNAT.man 2007-05-31 12:46:30.000000000 +0200
2425 @@ -20,12 +20,17 @@
2426 If no port range is specified, then the destination port will never be
2427 modified. If no IP address is specified then only the destination port
2428 will be modified.
2429 -.RS
2430 -.PP
2431 +
2432 In Kernels up to 2.6.10 you can add several --to-destination options. For
2433 those kernels, if you specify more than one destination address, either via an
2434 address range or multiple --to-destination options, a simple round-robin (one
2435 after another in cycle) load balancing takes place between these addresses.
2436 Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
2437 anymore.
2438 -
2439 +.TP
2440 +.BR "--random"
2441 +If option
2442 +.B "--random"
2443 +is used then port mapping will be randomized (kernel >= 2.6.22).
2444 +.RS
2445 +.PP
2446 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_dstlimit.c iptables-svn/extensions/libipt_dstlimit.c
2447 --- iptables-1.3.7/extensions/libipt_dstlimit.c 2006-12-04 12:15:19.000000000 +0100
2448 +++ iptables-svn/extensions/libipt_dstlimit.c 1970-01-01 01:00:00.000000000 +0100
2449 @@ -1,340 +0,0 @@
2450 -/* iptables match extension for limiting packets per destination
2451 - *
2452 - * (C) 2003 by Harald Welte <laforge@netfilter.org>
2453 - *
2454 - * Development of this code was funded by Astaro AG, http://www.astaro.com/
2455 - *
2456 - * Based on ipt_limit.c by
2457 - * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
2458 - * Hervé Eychenne <rv@wallfire.org>
2459 - */
2460 -
2461 -#include <stdio.h>
2462 -#include <string.h>
2463 -#include <stdlib.h>
2464 -#include <getopt.h>
2465 -#include <iptables.h>
2466 -#include <stddef.h>
2467 -#include <linux/netfilter_ipv4/ip_tables.h>
2468 -#include <linux/netfilter_ipv4/ipt_dstlimit.h>
2469 -
2470 -#define IPT_DSTLIMIT_BURST 5
2471 -
2472 -/* miliseconds */
2473 -#define IPT_DSTLIMIT_GCINTERVAL 1000
2474 -#define IPT_DSTLIMIT_EXPIRE 10000
2475 -
2476 -/* Function which prints out usage message. */
2477 -static void
2478 -help(void)
2479 -{
2480 - printf(
2481 -"dstlimit v%s options:\n"
2482 -"--dstlimit <avg> max average match rate\n"
2483 -" [Packets per second unless followed by \n"
2484 -" /sec /minute /hour /day postfixes]\n"
2485 -"--dstlimit-mode <mode> mode\n"
2486 -" dstip\n"
2487 -" dstip-dstport\n"
2488 -" srcip-dstip\n"
2489 -" srcip-dstip-dstport\n"
2490 -"--dstlimit-name <name> name for /proc/net/ipt_dstlimit/\n"
2491 -"[--dstlimit-burst <num>] number to match in a burst, default %u\n"
2492 -"[--dstlimit-htable-size <num>] number of hashtable buckets\n"
2493 -"[--dstlimit-htable-max <num>] number of hashtable entries\n"
2494 -"[--dstlimit-htable-gcinterval] interval between garbage collection runs\n"
2495 -"[--dstlimit-htable-expire] after which time are idle entries expired?\n"
2496 -"\n", IPTABLES_VERSION, IPT_DSTLIMIT_BURST);
2497 -}
2498 -
2499 -static struct option opts[] = {
2500 - { "dstlimit", 1, 0, '%' },
2501 - { "dstlimit-burst", 1, 0, '$' },
2502 - { "dstlimit-htable-size", 1, 0, '&' },
2503 - { "dstlimit-htable-max", 1, 0, '*' },
2504 - { "dstlimit-htable-gcinterval", 1, 0, '(' },
2505 - { "dstlimit-htable-expire", 1, 0, ')' },
2506 - { "dstlimit-mode", 1, 0, '_' },
2507 - { "dstlimit-name", 1, 0, '"' },
2508 - { 0 }
2509 -};
2510 -
2511 -static
2512 -int parse_rate(const char *rate, u_int32_t *val)
2513 -{
2514 - const char *delim;
2515 - u_int32_t r;
2516 - u_int32_t mult = 1; /* Seconds by default. */
2517 -
2518 - delim = strchr(rate, '/');
2519 - if (delim) {
2520 - if (strlen(delim+1) == 0)
2521 - return 0;
2522 -
2523 - if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
2524 - mult = 1;
2525 - else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
2526 - mult = 60;
2527 - else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
2528 - mult = 60*60;
2529 - else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
2530 - mult = 24*60*60;
2531 - else
2532 - return 0;
2533 - }
2534 - r = atoi(rate);
2535 - if (!r)
2536 - return 0;
2537 -
2538 - /* This would get mapped to infinite (1/day is minimum they
2539 - can specify, so we're ok at that end). */
2540 - if (r / mult > IPT_DSTLIMIT_SCALE)
2541 - exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
2542 -
2543 - *val = IPT_DSTLIMIT_SCALE * mult / r;
2544 - return 1;
2545 -}
2546 -
2547 -/* Initialize the match. */
2548 -static void
2549 -init(struct ipt_entry_match *m, unsigned int *nfcache)
2550 -{
2551 - struct ipt_dstlimit_info *r = (struct ipt_dstlimit_info *)m->data;
2552 -
2553 - r->cfg.burst = IPT_DSTLIMIT_BURST;
2554 - r->cfg.gc_interval = IPT_DSTLIMIT_GCINTERVAL;
2555 - r->cfg.expire = IPT_DSTLIMIT_EXPIRE;
2556 -
2557 -}
2558 -
2559 -#define PARAM_LIMIT 0x00000001
2560 -#define PARAM_BURST 0x00000002
2561 -#define PARAM_MODE 0x00000004
2562 -#define PARAM_NAME 0x00000008
2563 -#define PARAM_SIZE 0x00000010
2564 -#define PARAM_MAX 0x00000020
2565 -#define PARAM_GCINTERVAL 0x00000040
2566 -#define PARAM_EXPIRE 0x00000080
2567 -
2568 -/* Function which parses command options; returns true if it
2569 - ate an option */
2570 -static int
2571 -parse(int c, char **argv, int invert, unsigned int *flags,
2572 - const struct ipt_entry *entry,
2573 - unsigned int *nfcache,
2574 - struct ipt_entry_match **match)
2575 -{
2576 - struct ipt_dstlimit_info *r =
2577 - (struct ipt_dstlimit_info *)(*match)->data;
2578 - unsigned int num;
2579 -
2580 - switch(c) {
2581 - case '%':
2582 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2583 - if (!parse_rate(optarg, &r->cfg.avg))
2584 - exit_error(PARAMETER_PROBLEM,
2585 - "bad rate `%s'", optarg);
2586 - *flags |= PARAM_LIMIT;
2587 - break;
2588 -
2589 - case '$':
2590 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2591 - if (string_to_number(optarg, 0, 10000, &num) == -1)
2592 - exit_error(PARAMETER_PROBLEM,
2593 - "bad --dstlimit-burst `%s'", optarg);
2594 - r->cfg.burst = num;
2595 - *flags |= PARAM_BURST;
2596 - break;
2597 - case '&':
2598 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2599 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2600 - exit_error(PARAMETER_PROBLEM,
2601 - "bad --dstlimit-htable-size: `%s'", optarg);
2602 - r->cfg.size = num;
2603 - *flags |= PARAM_SIZE;
2604 - break;
2605 - case '*':
2606 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2607 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2608 - exit_error(PARAMETER_PROBLEM,
2609 - "bad --dstlimit-htable-max: `%s'", optarg);
2610 - r->cfg.max = num;
2611 - *flags |= PARAM_MAX;
2612 - break;
2613 - case '(':
2614 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2615 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2616 - exit_error(PARAMETER_PROBLEM,
2617 - "bad --dstlimit-htable-gcinterval: `%s'",
2618 - optarg);
2619 - /* FIXME: not HZ dependent!! */
2620 - r->cfg.gc_interval = num;
2621 - *flags |= PARAM_GCINTERVAL;
2622 - break;
2623 - case ')':
2624 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2625 - if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
2626 - exit_error(PARAMETER_PROBLEM,
2627 - "bad --dstlimit-htable-expire: `%s'", optarg);
2628 - /* FIXME: not HZ dependent */
2629 - r->cfg.expire = num;
2630 - *flags |= PARAM_EXPIRE;
2631 - break;
2632 - case '_':
2633 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2634 - if (!strcmp(optarg, "dstip"))
2635 - r->cfg.mode = IPT_DSTLIMIT_HASH_DIP;
2636 - else if (!strcmp(optarg, "dstip-destport") ||
2637 - !strcmp(optarg, "dstip-dstport"))
2638 - r->cfg.mode = IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
2639 - else if (!strcmp(optarg, "srcip-dstip"))
2640 - r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP;
2641 - else if (!strcmp(optarg, "srcip-dstip-destport") ||
2642 - !strcmp(optarg, "srcip-dstip-dstport"))
2643 - r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
2644 - else
2645 - exit_error(PARAMETER_PROBLEM,
2646 - "bad --dstlimit-mode: `%s'\n", optarg);
2647 - *flags |= PARAM_MODE;
2648 - break;
2649 - case '"':
2650 - if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
2651 - if (strlen(optarg) == 0)
2652 - exit_error(PARAMETER_PROBLEM, "Zero-length name?");
2653 - strncpy(r->name, optarg, sizeof(r->name));
2654 - *flags |= PARAM_NAME;
2655 - break;
2656 - default:
2657 - return 0;
2658 - }
2659 -
2660 - if (invert)
2661 - exit_error(PARAMETER_PROBLEM,
2662 - "dstlimit does not support invert");
2663 -
2664 - return 1;
2665 -}
2666 -
2667 -/* Final check; nothing. */
2668 -static void final_check(unsigned int flags)
2669 -{
2670 - if (!(flags & PARAM_LIMIT))
2671 - exit_error(PARAMETER_PROBLEM,
2672 - "You have to specify --dstlimit");
2673 - if (!(flags & PARAM_MODE))
2674 - exit_error(PARAMETER_PROBLEM,
2675 - "You have to specify --dstlimit-mode");
2676 - if (!(flags & PARAM_NAME))
2677 - exit_error(PARAMETER_PROBLEM,
2678 - "You have to specify --dstlimit-name");
2679 -}
2680 -
2681 -static struct rates
2682 -{
2683 - const char *name;
2684 - u_int32_t mult;
2685 -} rates[] = { { "day", IPT_DSTLIMIT_SCALE*24*60*60 },
2686 - { "hour", IPT_DSTLIMIT_SCALE*60*60 },
2687 - { "min", IPT_DSTLIMIT_SCALE*60 },
2688 - { "sec", IPT_DSTLIMIT_SCALE } };
2689 -
2690 -static void print_rate(u_int32_t period)
2691 -{
2692 - unsigned int i;
2693 -
2694 - for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
2695 - if (period > rates[i].mult
2696 - || rates[i].mult/period < rates[i].mult%period)
2697 - break;
2698 - }
2699 -
2700 - printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
2701 -}
2702 -
2703 -/* Prints out the matchinfo. */
2704 -static void
2705 -print(const struct ipt_ip *ip,
2706 - const struct ipt_entry_match *match,
2707 - int numeric)
2708 -{
2709 - struct ipt_dstlimit_info *r =
2710 - (struct ipt_dstlimit_info *)match->data;
2711 - printf("limit: avg "); print_rate(r->cfg.avg);
2712 - printf("burst %u ", r->cfg.burst);
2713 - switch (r->cfg.mode) {
2714 - case (IPT_DSTLIMIT_HASH_DIP):
2715 - printf("mode dstip ");
2716 - break;
2717 - case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2718 - printf("mode dstip-dstport ");
2719 - break;
2720 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
2721 - printf("mode srcip-dstip ");
2722 - break;
2723 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2724 - printf("mode srcip-dstip-dstport ");
2725 - break;
2726 - }
2727 - if (r->cfg.size)
2728 - printf("htable-size %u ", r->cfg.size);
2729 - if (r->cfg.max)
2730 - printf("htable-max %u ", r->cfg.max);
2731 - if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
2732 - printf("htable-gcinterval %u ", r->cfg.gc_interval);
2733 - if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
2734 - printf("htable-expire %u ", r->cfg.expire);
2735 -}
2736 -
2737 -/* FIXME: Make minimalist: only print rate if not default --RR */
2738 -static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
2739 -{
2740 - struct ipt_dstlimit_info *r =
2741 - (struct ipt_dstlimit_info *)match->data;
2742 -
2743 - printf("--dstlimit "); print_rate(r->cfg.avg);
2744 - if (r->cfg.burst != IPT_DSTLIMIT_BURST)
2745 - printf("--dstlimit-burst %u ", r->cfg.burst);
2746 - switch (r->cfg.mode) {
2747 - case (IPT_DSTLIMIT_HASH_DIP):
2748 - printf("--mode dstip ");
2749 - break;
2750 - case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2751 - printf("--mode dstip-dstport ");
2752 - break;
2753 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
2754 - printf("--mode srcip-dstip ");
2755 - break;
2756 - case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
2757 - printf("--mode srcip-dstip-dstport ");
2758 - break;
2759 - }
2760 - if (r->cfg.size)
2761 - printf("--dstlimit-htable-size %u ", r->cfg.size);
2762 - if (r->cfg.max)
2763 - printf("--dstlimit-htable-max %u ", r->cfg.max);
2764 - if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
2765 - printf("--dstlimit-htable-gcinterval %u", r->cfg.gc_interval);
2766 - if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
2767 - printf("--dstlimit-htable-expire %u ", r->cfg.expire);
2768 -}
2769 -
2770 -static struct iptables_match dstlimit = {
2771 - .next = NULL,
2772 - .name = "dstlimit",
2773 - .version = IPTABLES_VERSION,
2774 - .size = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
2775 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
2776 - //offsetof(struct ipt_dstlimit_info, prev),
2777 - .help = &help,
2778 - .init = &init,
2779 - .parse = &parse,
2780 - .final_check = &final_check,
2781 - .print = &print,
2782 - .save = &save,
2783 - .extra_opts = opts
2784 -};
2785 -
2786 -void _init(void)
2787 -{
2788 - register_match(&dstlimit);
2789 -}
2790 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_dstlimit.man iptables-svn/extensions/libipt_dstlimit.man
2791 --- iptables-1.3.7/extensions/libipt_dstlimit.man 2006-12-04 12:15:20.000000000 +0100
2792 +++ iptables-svn/extensions/libipt_dstlimit.man 1970-01-01 01:00:00.000000000 +0100
2793 @@ -1,37 +0,0 @@
2794 -This module allows you to limit the packet per second (pps) rate on a per
2795 -destination IP or per destination port base. As opposed to the `limit' match,
2796 -every destination ip / destination port has it's own limit.
2797 -.TP
2798 -THIS MODULE IS DEPRECATED AND HAS BEEN REPLACED BY ``hashlimit''
2799 -.TP
2800 -.BI "--dstlimit " "avg"
2801 -Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
2802 -.TP
2803 -.BI "--dstlimit-mode " "mode"
2804 -The limiting hashmode. Is the specified limit per
2805 -.B dstip, dstip-dstport
2806 -tuple,
2807 -.B srcip-dstip
2808 -tuple, or per
2809 -.B srcipdstip-dstport
2810 -tuple.
2811 -.TP
2812 -.BI "--dstlimit-name " "name"
2813 -Name for /proc/net/ipt_dstlimit/* file entry
2814 -.TP
2815 -.BI "[" "--dstlimit-burst " "burst" "]"
2816 -Number of packets to match in a burst. Default: 5
2817 -.TP
2818 -.BI "[" "--dstlimit-htable-size " "size" "]"
2819 -Number of buckets in the hashtable
2820 -.TP
2821 -.BI "[" "--dstlimit-htable-max " "max" "]"
2822 -Maximum number of entries in the hashtable
2823 -.TP
2824 -.BI "[" "--dstlimit-htable-gcinterval " "interval" "]"
2825 -Interval between garbage collection runs of the hashtable (in miliseconds).
2826 -Default is 1000 (1 second).
2827 -.TP
2828 -.BI "[" "--dstlimit-htable-expire " "time"
2829 -After which time are idle entries expired from hashtable (in miliseconds)?
2830 -Default is 10000 (10 seconds).
2831 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_FTOS.c iptables-svn/extensions/libipt_FTOS.c
2832 --- iptables-1.3.7/extensions/libipt_FTOS.c 2006-12-04 12:15:19.000000000 +0100
2833 +++ iptables-svn/extensions/libipt_FTOS.c 1970-01-01 01:00:00.000000000 +0100
2834 @@ -1,133 +0,0 @@
2835 -/* Shared library add-on to iptables for FTOS
2836 - *
2837 - * (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
2838 - *
2839 - * This program is distributed under the terms of GNU GPL v2, 1991
2840 - *
2841 - * libipt_FTOS.c borrowed heavily from libipt_TOS.c 11/09/2000
2842 - *
2843 - */
2844 -#include <stdio.h>
2845 -#include <string.h>
2846 -#include <stdlib.h>
2847 -#include <getopt.h>
2848 -
2849 -#include <iptables.h>
2850 -#include <linux/netfilter_ipv4/ip_tables.h>
2851 -#include <linux/netfilter_ipv4/ipt_FTOS.h>
2852 -
2853 -struct finfo {
2854 - struct ipt_entry_target t;
2855 - u_int8_t ftos;
2856 -};
2857 -
2858 -static void init(struct ipt_entry_target *t, unsigned int *nfcache)
2859 -{
2860 -}
2861 -
2862 -static void help(void)
2863 -{
2864 - printf(
2865 -"FTOS target options\n"
2866 -" --set-ftos value Set TOS field in packet header to value\n"
2867 -" This value can be in decimal (ex: 32)\n"
2868 -" or in hex (ex: 0x20)\n"
2869 -);
2870 -}
2871 -
2872 -static struct option opts[] = {
2873 - { "set-ftos", 1, 0, 'F' },
2874 - { 0 }
2875 -};
2876 -
2877 -static void
2878 -parse_ftos(const unsigned char *s, struct ipt_FTOS_info *finfo)
2879 -{
2880 - unsigned int ftos;
2881 -
2882 - if (string_to_number(s, 0, 255, &ftos) == -1)
2883 - exit_error(PARAMETER_PROBLEM,
2884 - "Invalid ftos `%s'\n", s);
2885 - finfo->ftos = (u_int8_t )ftos;
2886 - return;
2887 -}
2888 -
2889 -static int
2890 -parse(int c, char **argv, int invert, unsigned int *flags,
2891 - const struct ipt_entry *entry,
2892 - struct ipt_entry_target **target)
2893 -{
2894 - struct ipt_FTOS_info *finfo
2895 - = (struct ipt_FTOS_info *)(*target)->data;
2896 -
2897 - switch (c) {
2898 - case 'F':
2899 - if (*flags)
2900 - exit_error(PARAMETER_PROBLEM,
2901 - "FTOS target: Only use --set-ftos ONCE!");
2902 - parse_ftos(optarg, finfo);
2903 - *flags = 1;
2904 - break;
2905 -
2906 - default:
2907 - return 0;
2908 - }
2909 -
2910 - return 1;
2911 -}
2912 -
2913 -static void
2914 -final_check(unsigned int flags)
2915 -{
2916 - if (!flags)
2917 - exit_error(PARAMETER_PROBLEM,
2918 - "FTOS target: Parameter --set-ftos is required");
2919 -}
2920 -
2921 -static void
2922 -print_ftos(u_int8_t ftos, int numeric)
2923 -{
2924 - printf("0x%02x ", ftos);
2925 -}
2926 -
2927 -/* Prints out the targinfo. */
2928 -static void
2929 -print(const struct ipt_ip *ip,
2930 - const struct ipt_entry_target *target,
2931 - int numeric)
2932 -{
2933 - const struct ipt_FTOS_info *finfo =
2934 - (const struct ipt_FTOS_info *)target->data;
2935 - printf("TOS set ");
2936 - print_ftos(finfo->ftos, numeric);
2937 -}
2938 -
2939 -/* Saves the union ipt_targinfo in parsable form to stdout. */
2940 -static void
2941 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
2942 -{
2943 - const struct ipt_FTOS_info *finfo =
2944 - (const struct ipt_FTOS_info *)target->data;
2945 -
2946 - printf("--set-ftos 0x%02x ", finfo->ftos);
2947 -}
2948 -
2949 -static struct iptables_target ftos = {
2950 - .next = NULL,
2951 - .name = "FTOS",
2952 - .version = IPTABLES_VERSION,
2953 - .size = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
2954 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
2955 - .help = &help,
2956 - .init = &init,
2957 - .parse = &parse,
2958 - .final_check = &final_check,
2959 - .print = &print,
2960 - .save = &save,
2961 - .extra_opts = opts
2962 -};
2963 -
2964 -void _init(void)
2965 -{
2966 - register_target(&ftos);
2967 -}
2968 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_fuzzy.c iptables-svn/extensions/libipt_fuzzy.c
2969 --- iptables-1.3.7/extensions/libipt_fuzzy.c 2006-12-04 12:15:19.000000000 +0100
2970 +++ iptables-svn/extensions/libipt_fuzzy.c 1970-01-01 01:00:00.000000000 +0100
2971 @@ -1,158 +0,0 @@
2972 -/*
2973 - Shared library add-on to iptables to add match support for the fuzzy match.
2974 -
2975 - This file is distributed under the terms of the GNU General Public
2976 - License (GPL). Copies of the GPL can be obtained from:
2977 - ftp://prep.ai.mit.edu/pub/gnu/GPL
2978 -
2979 -2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
2980 -2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
2981 -the save function , thanks to information given by Jean-Francois Patenaude .
2982 -
2983 -*/
2984 -
2985 -#include <stdio.h>
2986 -#include <netdb.h>
2987 -#include <string.h>
2988 -#include <stdlib.h>
2989 -#include <syslog.h>
2990 -#include <getopt.h>
2991 -#include <iptables.h>
2992 -#include <linux/netfilter_ipv4/ip_tables.h>
2993 -#include <linux/netfilter_ipv4/ipt_fuzzy.h>
2994 -
2995 -
2996 -static void
2997 -help(void)
2998 -{
2999 - printf(
3000 -"fuzzy v%s options:\n"
3001 -" --lower-limit number (in packets per second)\n"
3002 -" --upper-limit number\n"
3003 -,IPTABLES_VERSION);
3004 -};
3005 -
3006 -static struct option opts[] = {
3007 - { "lower-limit", 1 , 0 , '1' } ,
3008 - { "upper-limit", 1 , 0 , '2' } ,
3009 - { 0 }
3010 -};
3011 -
3012 -/* Initialize data structures */
3013 -static void
3014 -init(struct ipt_entry_match *m, unsigned int *nfcache)
3015 -{
3016 - struct ipt_fuzzy_info *presentinfo = (struct ipt_fuzzy_info *)(m)->data;
3017 -
3018 - /*
3019 - * Default rates ( I'll improve this very soon with something based
3020 - * on real statistics of the running machine ) .
3021 - */
3022 -
3023 - presentinfo->minimum_rate = 1000;
3024 - presentinfo->maximum_rate = 2000;
3025 -}
3026 -
3027 -#define IPT_FUZZY_OPT_MINIMUM 0x01
3028 -#define IPT_FUZZY_OPT_MAXIMUM 0x02
3029 -
3030 -static int
3031 -parse(int c, char **argv, int invert, unsigned int *flags,
3032 - const struct ipt_entry *entry,
3033 - unsigned int *nfcache,
3034 - struct ipt_entry_match **match)
3035 -{
3036 -
3037 -struct ipt_fuzzy_info *fuzzyinfo = (struct ipt_fuzzy_info *)(*match)->data;
3038 -
3039 - u_int32_t num;
3040 -
3041 - switch (c) {
3042 -
3043 - case '1':
3044 -
3045 - if (invert)
3046 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
3047 -
3048 - if (*flags & IPT_FUZZY_OPT_MINIMUM)
3049 - exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
3050 -
3051 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
3052 - exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
3053 -
3054 - fuzzyinfo->minimum_rate = num ;
3055 -
3056 - *flags |= IPT_FUZZY_OPT_MINIMUM;
3057 -
3058 - break;
3059 -
3060 - case '2':
3061 -
3062 - if (invert)
3063 - exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
3064 -
3065 - if (*flags & IPT_FUZZY_OPT_MAXIMUM)
3066 - exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
3067 -
3068 - if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
3069 - exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
3070 -
3071 - fuzzyinfo->maximum_rate = num ;
3072 -
3073 - *flags |= IPT_FUZZY_OPT_MAXIMUM;
3074 -
3075 - break ;
3076 -
3077 - default:
3078 - return 0;
3079 - }
3080 - return 1;
3081 -}
3082 -
3083 -static void final_check(unsigned int flags)
3084 -{
3085 -}
3086 -
3087 -static void
3088 -print(const struct ipt_ip *ip,
3089 - const struct ipt_entry_match *match,
3090 - int numeric)
3091 -{
3092 - const struct ipt_fuzzy_info *fuzzyinfo
3093 - = (const struct ipt_fuzzy_info *)match->data;
3094 -
3095 - printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",fuzzyinfo->minimum_rate,fuzzyinfo->maximum_rate);
3096 -
3097 -}
3098 -
3099 -/* Saves the union ipt_targinfo in parsable form to stdout. */
3100 -static void
3101 -save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
3102 -{
3103 - const struct ipt_fuzzy_info *fuzzyinfo
3104 - = (const struct ipt_fuzzy_info *)match->data;
3105 -
3106 - printf("--lower-limit %u ",fuzzyinfo->minimum_rate);
3107 - printf("--upper-limit %u ",fuzzyinfo->maximum_rate);
3108 -
3109 -}
3110 -
3111 -static struct iptables_match fuzzy_match = {
3112 - .next = NULL,
3113 - .name = "fuzzy",
3114 - .version = IPTABLES_VERSION,
3115 - .size = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
3116 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
3117 - .help = &help,
3118 - .init = &init,
3119 - .parse = &parse,
3120 - .final_check = &final_check,
3121 - .print = &print,
3122 - .save = &save,
3123 - .extra_opts = opts
3124 -};
3125 -
3126 -void _init(void)
3127 -{
3128 - register_match(&fuzzy_match);
3129 -}
3130 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_fuzzy.man iptables-svn/extensions/libipt_fuzzy.man
3131 --- iptables-1.3.7/extensions/libipt_fuzzy.man 2006-12-04 12:15:19.000000000 +0100
3132 +++ iptables-svn/extensions/libipt_fuzzy.man 1970-01-01 01:00:00.000000000 +0100
3133 @@ -1,7 +0,0 @@
3134 -This module matches a rate limit based on a fuzzy logic controller [FLC]
3135 -.TP
3136 -.BI "--lower-limit " "number"
3137 -Specifies the lower limit (in packets per second).
3138 -.TP
3139 -.BI "--upper-limit " "number"
3140 -Specifies the upper limit (in packets per second).
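--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -281,7 +281,7 @@
 }
 }
 
-/* Final check; we don't care. */
+/* Final check; we don't care. We can pass 0xFF to match any type */
 static void final_check(unsigned int flags)
 {
 }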
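Review bot: The rewritten comment on final_check says "We can pass 0xFF to match any type", but final_check has an empty body and nothing in this hunk reads, validates or prints a 0xFF type, so the remark documents behaviour that lives elsewhere (presumably the --icmp-type parsing or the type table, both outside this hunk). A reader will look for the wildcard handling in final_check and not find it; the sentence belongs next to the code that actually accepts 0xFF, and the comment here should only state what the function does. I would keep this line as `/* Final check; nothing to verify here (--icmp-type is optional). */` and move the 0xFF note to the parse path, assuming that is where the wildcard is accepted.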
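--- a/extensions/libipt_icmp.man
+++ b/extensions/libipt_icmp.man
@@ -1,4 +1,4 @@
-This extension is loaded if `--protocol icmp' is specified. It
+This extension can be used if `--protocol icmp' is specified. It
 provides the following option:
 .TP
 .BR "--icmp-type " "[!] \fItypename\fP"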
3162 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_IPMARK.c iptables-svn/extensions/libipt_IPMARK.c
3163 --- iptables-1.3.7/extensions/libipt_IPMARK.c 2006-12-04 12:15:20.000000000 +0100
3164 +++ iptables-svn/extensions/libipt_IPMARK.c 1970-01-01 01:00:00.000000000 +0100
3165 @@ -1,168 +0,0 @@
3166 -/* Shared library add-on to iptables to add IPMARK target support.
3167 - * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>
3168 - *
3169 - * based on original MARK target
3170 - *
3171 - * This program is distributed under the terms of GNU GPL
3172 - */
3173 -#include <stdio.h>
3174 -#include <string.h>
3175 -#include <stdlib.h>
3176 -#include <getopt.h>
3177 -
3178 -#include <iptables.h>
3179 -#include <linux/netfilter_ipv4/ip_tables.h>
3180 -#include <linux/netfilter_ipv4/ipt_IPMARK.h>
3181 -
3182 -#define IPT_ADDR_USED 1
3183 -#define IPT_AND_MASK_USED 2
3184 -#define IPT_OR_MASK_USED 4
3185 -
3186 -struct ipmarkinfo {
3187 - struct ipt_entry_target t;
3188 - struct ipt_ipmark_target_info ipmark;
3189 -};
3190 -
3191 -/* Function which prints out usage message. */
3192 -static void
3193 -help(void)
3194 -{
3195 - printf(
3196 -"IPMARK target v%s options:\n"
3197 -" --addr src/dst use source or destination ip address\n"
3198 -" --and-mask value logical AND ip address with this value becomes MARK\n"
3199 -" --or-mask value logical OR ip address with this value becomes MARK\n"
3200 -"\n",
3201 -IPTABLES_VERSION);
3202 -}
3203 -
3204 -static struct option opts[] = {
3205 - { "addr", 1, 0, '1' },
3206 - { "and-mask", 1, 0, '2' },
3207 - { "or-mask", 1, 0, '3' },
3208 - { 0 }
3209 -};
3210 -
3211 -/* Initialize the target. */
3212 -static void
3213 -init(struct ipt_entry_target *t, unsigned int *nfcache)
3214 -{
3215 - struct ipt_ipmark_target_info *ipmarkinfo =
3216 - (struct ipt_ipmark_target_info *)t->data;
3217 -
3218 - ipmarkinfo->andmask=0xffffffff;
3219 - ipmarkinfo->ormask=0;
3220 -
3221 -}
3222 -
3223 -/* Function which parses command options; returns true if it
3224 - ate an option */
3225 -static int
3226 -parse(int c, char **argv, int invert, unsigned int *flags,
3227 - const struct ipt_entry *entry,
3228 - struct ipt_entry_target **target)
3229 -{
3230 - struct ipt_ipmark_target_info *ipmarkinfo
3231 - = (struct ipt_ipmark_target_info *)(*target)->data;
3232 -
3233 - switch (c) {
3234 - char *end;
3235 - case '1':
3236 - if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
3237 - else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
3238 - else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
3239 - if (*flags & IPT_ADDR_USED)
3240 - exit_error(PARAMETER_PROBLEM,
3241 - "IPMARK target: Can't specify --addr twice");
3242 - *flags |= IPT_ADDR_USED;
3243 - break;
3244 -
3245 - case '2':
3246 - ipmarkinfo->andmask = strtoul(optarg, &end, 0);
3247 - if (*end != '\0' || end == optarg)
3248 - exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
3249 - if (*flags & IPT_AND_MASK_USED)
3250 - exit_error(PARAMETER_PROBLEM,
3251 - "IPMARK target: Can't specify --and-mask twice");
3252 - *flags |= IPT_AND_MASK_USED;
3253 - break;
3254 - case '3':
3255 - ipmarkinfo->ormask = strtoul(optarg, &end, 0);
3256 - if (*end != '\0' || end == optarg)
3257 - exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
3258 - if (*flags & IPT_OR_MASK_USED)
3259 - exit_error(PARAMETER_PROBLEM,
3260 - "IPMARK target: Can't specify --or-mask twice");
3261 - *flags |= IPT_OR_MASK_USED;
3262 - break;
3263 -
3264 - default:
3265 - return 0;
3266 - }
3267 -
3268 - return 1;
3269 -}
3270 -
3271 -static void
3272 -final_check(unsigned int flags)
3273 -{
3274 - if (!(flags & IPT_ADDR_USED))
3275 - exit_error(PARAMETER_PROBLEM,
3276 - "IPMARK target: Parameter --addr is required");
3277 - if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
3278 - exit_error(PARAMETER_PROBLEM,
3279 - "IPMARK target: Parameter --and-mask or --or-mask is required");
3280 -}
3281 -
3282 -/* Prints out the targinfo. */
3283 -static void
3284 -print(const struct ipt_ip *ip,
3285 - const struct ipt_entry_target *target,
3286 - int numeric)
3287 -{
3288 - const struct ipt_ipmark_target_info *ipmarkinfo =
3289 - (const struct ipt_ipmark_target_info *)target->data;
3290 -
3291 - if(ipmarkinfo->addr == IPT_IPMARK_SRC)
3292 - printf("IPMARK src");
3293 - else
3294 - printf("IPMARK dst");
3295 - printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
3296 -}
3297 -
3298 -/* Saves the union ipt_targinfo in parsable form to stdout. */
3299 -static void
3300 -save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
3301 -{
3302 - const struct ipt_ipmark_target_info *ipmarkinfo =
3303 - (const struct ipt_ipmark_target_info *)target->data;
3304 -
3305 - if(ipmarkinfo->addr == IPT_IPMARK_SRC)
3306 - printf("--addr=src ");
3307 - else
3308 - printf("--addr=dst ");
3309 - if(ipmarkinfo->andmask != 0xffffffff)
3310 - printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
3311 - if(ipmarkinfo->ormask != 0)
3312 - printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
3313 -}
3314 -
3315 -static struct iptables_target ipmark = {
3316 - .next = NULL,
3317 - .name = "IPMARK",
3318 - .version = IPTABLES_VERSION,
3319 - .size = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
3320 - .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
3321 - .help = &help,
3322 - .init = &init,
3323 - .parse = &parse,
3324 - .final_check = &final_check,
3325 - .print = &print,
3326 - .save = &save,
3327 - .extra_opts = opts
3328 -};
3329 -
3330 -void _init(void)
3331 -{
3332 - register_target(&ipmark);
3333 -}
3334 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_IPMARK.man iptables-svn/extensions/libipt_IPMARK.man
3335 --- iptables-1.3.7/extensions/libipt_IPMARK.man 2006-12-04 12:15:19.000000000 +0100
3336 +++ iptables-svn/extensions/libipt_IPMARK.man 1970-01-01 01:00:00.000000000 +0100
3337 @@ -1,45 +0,0 @@
3338 -Allows you to mark a received packet basing on its IP address. This
3339 -can replace many mangle/mark entries with only one, if you use
3340 -firewall based classifier.
3341 -
3342 -This target is to be used inside the mangle table, in the PREROUTING,
3343 -POSTROUTING or FORWARD hooks.
3344 -.TP
3345 -.BI "--addr " "src/dst"
3346 -Use source or destination IP address.
3347 -.TP
3348 -.BI "--and-mask " "mask"
3349 -Perform bitwise `and' on the IP address and this mask.
3350 -.TP
3351 -.BI "--or-mask " "mask"
3352 -Perform bitwise `or' on the IP address and this mask.
3353 -.P
3354 -The order of IP address bytes is reversed to meet "human order of bytes":
3355 -192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
3356 -`or'.
3357 -
3358 -Examples:
3359 -
3360 -We create a queue for each user, the queue number is adequate
3361 -to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
3362 -are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
3363 -
3364 -We have one classifier rule:
3365 -.IP
3366 -tc filter add dev eth3 parent 1:0 protocol ip fw
3367 -.P
3368 -Earlier we had many rules just like below:
3369 -.IP
3370 -iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
3371 ---set-mark 0x10502
3372 -.IP
3373 -iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
3374 ---set-mark 0x10503
3375 -.P
3376 -Using IPMARK target we can replace all the mangle/mark rules with only one:
3377 -.IP
3378 -iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
3379 ---and-mask=0xffff --or-mask=0x10000
3380 -.P
3381 -On the routers with hundreds of users there should be significant load
3382 -decrease (e.g. twice).
3383 diff -x .svn -Nur iptables-1.3.7/extensions/libipt_ipv4options.c iptables-svn/extensions/libipt_ipv4options.c
3384 --- iptables-1.3.7/extensions/libipt_ipv4options.c 2006-12-04 12:15:19.000000000 +0100
3385 +++ iptables-svn/extensions/libipt_ipv4options.c 1970-01-01 01:00:00.000000000 +0100
3386 @@ -1,311 +0,0 @@
3387 -/* Shared library add-on to iptables to add ipv4 options matching support. */
3388 -#include <stdio.h>
3389 -#include <netdb.h>
3390 -#include <string.h>
3391 -#include <stdlib.h>
3392 -#include <getopt.h>
3393 -
3394 -#include <iptables.h>
3395 -#include <linux/netfilter_ipv4/ipt_ipv4options.h>
3396 -
3397 -/* Function which prints out usage message. */
3398 -static void
3399 -help(void)
3400 -{
3401 - printf(
3402 -"ipv4options v%s options:\n"
3403 -" --ssrr (match strict source routing flag)\n"
3404 -" --lsrr (match loose source routing flag)\n"
3405 -" --no-srr (match packets with no source routing)\n\n"
3406 -" [!] --rr (match record route flag)\n\n"
3407 -" [!] --ts (match timestamp flag)\n\n"
3408 -" [!] --ra (match router-alert option)\n\n"
3409 -" [!] --any-opt (match any option or no option at all if used with '!')\n",
3410 -IPTABLES_VERSION);
3411 -}
3412 -
3413 -static struct option opts[] = {
3414 - { "ssrr", 0, 0, '1' },
3415 - { "lsrr", 0, 0, '2' },
3416 - { "no-srr", 0, 0, '3'},
3417 - { "rr", 0, 0, '4'},
3418 - { "ts", 0, 0, '5'},
3419 - { "ra", 0, 0, '6'},
3420 - { "any-opt", 0, 0, '7'},
3421 - {0}
3422 -};
3423 -
3424 -/* Function which parses command options; returns true if it
3425 - ate an option */
3426 -static int
3427 -parse(int c, char **argv, int invert, unsigned int *flags,
3428 - const struct ipt_entry *entry,
3429 - unsigned int *nfcache,
3430 - struct ipt_entry_match **match)
3431 -{
3432 - struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
3433 -
3434 - switch (c)
3435 - {
3436 - /* strict-source-routing */
3437 - case '1':
3438 - if (invert)
3439 - exit_error(PARAMETER_PROBLEM,
3440 - "ipv4options: unexpected `!' with --ssrr");
3441 - if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
3442 - exit_error(PARAMETER_PROBLEM,
3443 - "Can't specify --ssrr twice");
3444 - if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
3445 - exit_error(PARAMETER_PROBLEM,
3446 - "Can't specify --ssrr with --lsrr");
3447 - if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
3448 - exit_error(PARAMETER_PROBLEM,
3449 - "Can't specify --ssrr with --no-srr");
3450 -
3451 - info->options |= IPT_IPV4OPTION_MATCH_SSRR;
3452 - *flags |= IPT_IPV4OPTION_MATCH_SSRR;
3453 - break;
3454 -
3455 - /* loose-source-routing */
3456 - case '2':
3457 - if (invert)
3458 - exit_error(PARAMETER_PROBLEM,
3459 - "ipv4options: unexpected `!' with --lsrr");
3460 - if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
3461 - exit_error(PARAMETER_PROBLEM,
3462 - "Can't specify --lsrr twice");
3463 - if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
3464 - exit_error(PARAMETER_PROBLEM,
3465 - "Can't specify --lsrr with --ssrr");
3466 - if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
3467 - exit_error(PARAMETER_PROBLEM,
3468 - "Can't specify --lsrr with --no-srr");
3469 - info->options |= IPT_IPV4OPTION_MATCH_LSRR;
3470 - *flags |= IPT_IPV4OPTION_MATCH_LSRR;
3471 - break;
3472 -
3473 - /* no-source-routing */
3474 - case '3':
3475 - if (invert)
3476 - exit_error(PARAMETER_PROBLEM,
3477 - "ipv4options: unexpected `!' with --no-srr");
3478 - if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
3479 - exit_error(PARAMETER_PROBLEM,
3480 - "Can't specify --no-srr twice");
3481 - if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
3482 - exit_error(PARAMETER_PROBLEM,
3483 - "Can't specify --no-srr with --ssrr");
3484 - if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
3485 - exit_error(PARAMETER_PROBLEM,
3486 - "Can't specify --no-srr with --lsrr");
3487 - info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
3488 - *flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
3489 - break;
3490 -
3491 - /* record-route */
3492 - case '4':
3493 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
3494 - exit_error(PARAMETER_PROBLEM,
3495 - "Can't specify --rr twice");
3496 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
3497 - exit_error(PARAMETER_PROBLEM,
3498 - "Can't specify ! --rr twice");
3499 - if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
3500 - exit_error(PARAMETER_PROBLEM,
3501 - "Can't specify --rr with ! --rr");
3502 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
3503 - exit_error(PARAMETER_PROBLEM,
3504 - "Can't specify ! --rr with --rr");
3505 - if (invert) {
3506 - info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
3507 - *flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
3508 - }
3509 - else {
3510 - info->options |= IPT_IPV4OPTION_MATCH_RR;
3511 - *flags |= IPT_IPV4OPTION_MATCH_RR;
3512 - }
3513 - break;
3514 -
3515 - /* timestamp */
3516 - case '5':
3517 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
3518 - exit_error(PARAMETER_PROBLEM,
3519 - "Can't specify --ts twice");
3520 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
3521 - exit_error(PARAMETER_PROBLEM,
3522 - "Can't specify ! --ts twice");
3523 - if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
3524 - exit_error(PARAMETER_PROBLEM,
3525 - "Can't specify --ts with ! --ts");
3526 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
3527 - exit_error(PARAMETER_PROBLEM,
3528 - "Can't specify ! --ts with --ts");
3529 - if (invert) {
3530 - info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
3531 - *flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
3532 - }
3533 - else {
3534 - info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
3535 - *flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
3536 - }
3537 - break;
3538 -
3539 - /* router-alert */
3540 - case '6':
3541 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
3542 - exit_error(PARAMETER_PROBLEM,
3543 - "Can't specify --ra twice");
3544 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
3545 - exit_error(PARAMETER_PROBLEM,
3546 - "Can't specify ! --rr twice");
3547 - if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
3548 - exit_error(PARAMETER_PROBLEM,
3549 - "Can't specify --ra with ! --ra");
3550 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
3551 - exit_error(PARAMETER_PROBLEM,
3552 - "Can't specify ! --ra with --ra");
3553 - if (invert) {
3554 - info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
3555 - *flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
3556 - }
3557 - else {
3558 - info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
3559 - *flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
3560 - }
3561 - break;
3562 -
3563 - /* any option */
3564 - case '7' :
3565 - if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
3566 - exit_error(PARAMETER_PROBLEM,
3567 - "Can't specify --any-opt twice");
3568 - if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
3569 - exit_error(PARAMETER_PROBLEM,
3570 - "Can't specify ! --any-opt with --any-opt");
3571 - if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
3572 - exit_error(PARAMETER_PROBLEM,
3573 - "Can't specify ! --any-opt twice");
3574 - if ((!invert) &&
3575 - ((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR) ||
3576 - (*flags & IPT_IPV4OPTION_DONT_MATCH_RR) ||
3577 - (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
3578 - (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
3579 - exit_error(PARAMETER_PROBLEM,
3580 - "Can't specify --any-opt with any other negative ipv4options match");
3581 - if (invert &&
3582 - ((*flags & IPT_IPV4OPTION_MATCH_LSRR) ||
3583 - (*flags & IPT_IPV4OPTION_MATCH_SSRR) ||
3584 - (*flags & IPT_IPV4OPTION_MATCH_RR) ||
3585 - (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
3586 - (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
3587 - exit_error(PARAMETER_PROBLEM,
3588 - "Can't specify ! --any-opt with any other positive ipv4options match");
3589 - if (invert) {
3590 - info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
3591 - *flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
3592 - }
3593 - else {
3594 - info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
3595 - *flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
3596 - }
3597 - break;
3598 -
3599 - default:
3600 - return 0;
3601 - }
3602 - return 1;
3603 -}
3604 -
3605 -static void
3606 -final_check(unsigned int flags)
3607 -{
3608 - if (flags == 0)
3609 - exit_error(PARAMETER_PROBLEM,
3610 - "ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
3611 -}
3612 -
3613 -/* Prints out the matchinfo. */
3614 -static void
3615 -print(const struct ipt_ip *ip,
3616 - const struct ipt_entry_match *match,
3617 - int numeric)
3618 -{
3619 - struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
3620 -