diff -Nru iptables-1.4.4/aclocal.m4 iptables-1.4.10/aclocal.m4 --- iptables-1.4.4/aclocal.m4 2009-06-16 14:42:54.000000000 +0000 +++ iptables-1.4.10/aclocal.m4 2010-10-29 14:40:37.000000000 +0000 @@ -1,7 +1,7 @@ -# generated automatically by aclocal 1.9.6 -*- Autoconf -*- +# generated automatically by aclocal 1.11.1 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005 Free Software Foundation, Inc. +# 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -11,7 +11,173 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -# Copyright (C) 2002, 2003, 2005 Free Software Foundation, Inc. +m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl +m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],, +[m4_warning([this file was generated for autoconf 2.65. +You have another version of autoconf. It may work, but is not guaranteed to. +If you have problems, you may need to regenerate the build system entirely. +To do so, use the procedure documented by the package, typically `autoreconf'.])]) + +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 1 (pkg-config-0.24) +# +# Copyright © 2004 Scott James Remnant . +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. 
+ +# PKG_PROG_PKG_CONFIG([MIN-VERSION]) +# ---------------------------------- +AC_DEFUN([PKG_PROG_PKG_CONFIG], +[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) +m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) +AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility]) +AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path]) +AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path]) + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=m4_default([$1], [0.9.0]) + AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + PKG_CONFIG="" + fi +fi[]dnl +])# PKG_PROG_PKG_CONFIG + +# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# +# Check to see whether a particular set of modules exists. Similar +# to PKG_CHECK_MODULES(), but does not set variables or print errors. 
+# +# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +# only at the first occurence in configure.ac, so if the first place +# it's called might be skipped (such as if it is within an "if", you +# have to call PKG_CHECK_EXISTS manually +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_EXISTS], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +if test -n "$PKG_CONFIG" && \ + AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then + m4_default([$2], [:]) +m4_ifvaln([$3], [else + $3])dnl +fi]) + +# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +# --------------------------------------------- +m4_define([_PKG_CONFIG], +[if test -n "$$1"; then + pkg_cv_[]$1="$$1" + elif test -n "$PKG_CONFIG"; then + PKG_CHECK_EXISTS([$3], + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], + [pkg_failed=yes]) + else + pkg_failed=untried +fi[]dnl +])# _PKG_CONFIG + +# _PKG_SHORT_ERRORS_SUPPORTED +# ----------------------------- +AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi[]dnl +])# _PKG_SHORT_ERRORS_SUPPORTED + + +# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +# [ACTION-IF-NOT-FOUND]) +# +# +# Note that if there is a possibility the first call to +# PKG_CHECK_MODULES might not happen, you should be sure to include an +# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +# +# +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_MODULES], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl +AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl + +pkg_failed=no +AC_MSG_CHECKING([for $1]) + +_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) +_PKG_CONFIG([$1][_LIBS], [libs], [$2]) + +m4_define([_PKG_TEXT], [Alternatively, you may set the 
environment variables $1[]_CFLAGS +and $1[]_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details.]) + +if test $pkg_failed = yes; then + AC_MSG_RESULT([no]) + _PKG_SHORT_ERRORS_SUPPORTED + if test $_pkg_short_errors_supported = yes; then + $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1` + else + $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD + + m4_default([$4], [AC_MSG_ERROR( +[Package requirements ($2) were not met: + +$$1_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +_PKG_TEXT])dnl + ]) +elif test $pkg_failed = untried; then + AC_MSG_RESULT([no]) + m4_default([$4], [AC_MSG_FAILURE( +[The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +_PKG_TEXT + +To get pkg-config, see .])dnl + ]) +else + $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS + $1[]_LIBS=$pkg_cv_[]$1[]_LIBS + AC_MSG_RESULT([yes]) + $3 +fi[]dnl +])# PKG_CHECK_MODULES + +# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -21,14 +187,31 @@ # ---------------------------- # Automake X.Y traces this macro to ensure aclocal.m4 has been # generated from the m4 files accompanying Automake X.Y. -AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version="1.9"]) +# (This private macro should not be called outside this file.) +AC_DEFUN([AM_AUTOMAKE_VERSION], +[am__api_version='1.11' +dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to +dnl require some minimum version. Point them to the right macro. +m4_if([$1], [1.11.1], [], + [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl +]) + +# _AM_AUTOCONF_VERSION(VERSION) +# ----------------------------- +# aclocal traces this macro to find the Autoconf version. +# This is a private macro too. Using m4_define simplifies +# the logic in aclocal, which can simply ignore this definition. +m4_define([_AM_AUTOCONF_VERSION], []) # AM_SET_CURRENT_AUTOMAKE_VERSION # ------------------------------- -# Call AM_AUTOMAKE_VERSION so it can be traced. -# This function is AC_REQUIREd by AC_INIT_AUTOMAKE. +# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. +# This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], - [AM_AUTOMAKE_VERSION([1.9.6])]) +[AM_AUTOMAKE_VERSION([1.11.1])dnl +m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl +_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- @@ -85,14 +268,14 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005 +# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 7 +# serial 9 # AM_CONDITIONAL(NAME, SHELL-CONDITION) # ------------------------------------- 
@@ -101,8 +284,11 @@ [AC_PREREQ(2.52)dnl ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl -AC_SUBST([$1_TRUE]) -AC_SUBST([$1_FALSE]) +AC_SUBST([$1_TRUE])dnl +AC_SUBST([$1_FALSE])dnl +_AM_SUBST_NOTMAKE([$1_TRUE])dnl +_AM_SUBST_NOTMAKE([$1_FALSE])dnl +m4_define([_AM_COND_VALUE_$1], [$2])dnl if $2; then $1_TRUE= $1_FALSE='#' @@ -116,15 +302,14 @@ Usually this means the macro was only invoked conditionally.]]) fi])]) - -# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 +# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 8 +# serial 10 # There are a few dirty hacks below to avoid letting `AC_PROG_CC' be # written in clear, in which case automake, when reading aclocal.m4, @@ -152,6 +337,7 @@ ifelse([$1], CC, [depcc="$CC" am_compiler_list=], [$1], CXX, [depcc="$CXX" am_compiler_list=], [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'], + [$1], UPC, [depcc="$UPC" am_compiler_list=], [$1], GCJ, [depcc="$GCJ" am_compiler_list='gcc3 gcc'], [depcc="$$1" am_compiler_list=]) @@ -180,6 +366,16 @@ if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp` fi + am__universal=false + m4_case([$1], [CC], + [case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac], + [CXX], + [case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac]) + for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and 
@@ -197,7 +393,17 @@ done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; nosideeffect) # after this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested @@ -207,18 +413,23 @@ break fi ;; + msvisualcpp | msvcmsys) + # This compiler won't grok `-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. + am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; none) break ;; esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. if depmode=$depmode \ - source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ - $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && + grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message 
@@ -269,61 +480,74 @@ AMDEPBACKSLASH='\' fi AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno]) -AC_SUBST([AMDEPBACKSLASH]) +AC_SUBST([AMDEPBACKSLASH])dnl +_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl ]) # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 +# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -#serial 3 +#serial 5 # _AM_OUTPUT_DEPENDENCY_COMMANDS # ------------------------------ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], -[for mf in $CONFIG_FILES; do - # Strip MF so we end up with the name of the file. - mf=`echo "$mf" | sed -e 's/:.*$//'` - # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but - # some people rename them; so instead we look at the file content. - # Grep'ing the first line is not enough: some people post-process - # each Makefile.in and add a new line on top of each file to say so. - # So let's grep whole file. - if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then - dirpart=`AS_DIRNAME("$mf")` - else - continue - fi - # Extract the definition of DEPDIR, am__include, and am__quote - # from the Makefile without running `make'. - DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` - test -z "$DEPDIR" && continue - am__include=`sed -n 's/^am__include = //p' < "$mf"` - test -z "am__include" && continue - am__quote=`sed -n 's/^am__quote = //p' < "$mf"` - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n 's/^U = //p' < "$mf"` - # Find all dependency output files, they are included files with - # $(DEPDIR) in their names. 
We invoke sed twice because it is the - # simplest approach to changing $(DEPDIR) to its actual value in the - # expansion. - for file in `sed -n " - s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do - # Make sure the directory exists. - test -f "$dirpart/$file" && continue - fdir=`AS_DIRNAME(["$file"])` - AS_MKDIR_P([$dirpart/$fdir]) - # echo "creating $dirpart/$file" - echo '# dummy' > "$dirpart/$file" +[{ + # Autoconf 2.62 quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. + case $CONFIG_FILES in + *\'*) eval set x "$CONFIG_FILES" ;; + *) set x $CONFIG_FILES ;; + esac + shift + for mf + do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named `Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. + if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + dirpart=`AS_DIRNAME("$mf")` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running `make'. 
+ DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # When using ansi2knr, U may be empty or an underscore; expand it + U=`sed -n 's/^U = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`AS_DIRNAME(["$file"])` + AS_MKDIR_P([$dirpart/$fdir]) + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done done -done +} ])# _AM_OUTPUT_DEPENDENCY_COMMANDS @@ -342,14 +566,14 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 -# Free Software Foundation, Inc. +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, +# 2005, 2006, 2008, 2009 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 12 +# serial 16 # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. 
@@ -366,16 +590,20 @@ # arguments mandatory, and then we can depend on a new Autoconf # release and drop the old call support. AC_DEFUN([AM_INIT_AUTOMAKE], -[AC_PREREQ([2.58])dnl +[AC_PREREQ([2.62])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl -# test to see if srcdir already configured -if test "`cd $srcdir && pwd`" != "`pwd`" && - test -f $srcdir/config.status; then - AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) +if test "`cd $srcdir && pwd`" != "`pwd`"; then + # Use -I$(srcdir) only when $(srcdir) != ., so that make's output + # is not polluted with repeated "-I." + AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl + # test to see if srcdir already configured + if test -f $srcdir/config.status; then + AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) + fi fi # test whether we have cygpath @@ -395,6 +623,9 @@ AC_SUBST([PACKAGE], [$1])dnl AC_SUBST([VERSION], [$2])], [_AM_SET_OPTIONS([$1])dnl +dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. +m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,, + [m4_fatal([AC_INIT should be called with package and version arguments])])dnl AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl @@ -410,8 +641,8 @@ AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version}) AM_MISSING_PROG(AUTOHEADER, autoheader) AM_MISSING_PROG(MAKEINFO, makeinfo) -AM_PROG_INSTALL_SH -AM_PROG_INSTALL_STRIP +AC_REQUIRE([AM_PROG_INSTALL_SH])dnl +AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl AC_REQUIRE([AM_PROG_MKDIR_P])dnl # We need awk for the "check" target. The system "awk" is bad on # some platforms. 
@@ -419,20 +650,37 @@ AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], - [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], - [_AM_PROG_TAR([v7])])]) + [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], + [_AM_PROG_TAR([v7])])]) _AM_IF_OPTION([no-dependencies],, [AC_PROVIDE_IFELSE([AC_PROG_CC], - [_AM_DEPENDENCIES(CC)], - [define([AC_PROG_CC], - defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl + [_AM_DEPENDENCIES(CC)], + [define([AC_PROG_CC], + defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl AC_PROVIDE_IFELSE([AC_PROG_CXX], - [_AM_DEPENDENCIES(CXX)], - [define([AC_PROG_CXX], - defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl + [_AM_DEPENDENCIES(CXX)], + [define([AC_PROG_CXX], + defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl +AC_PROVIDE_IFELSE([AC_PROG_OBJC], + [_AM_DEPENDENCIES(OBJC)], + [define([AC_PROG_OBJC], + defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl ]) +_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl +dnl The `parallel-tests' driver may need to know about EXEEXT, so add the +dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This macro +dnl is hooked onto _AC_COMPILER_EXEEXT early, see below. +AC_CONFIG_COMMANDS_PRE(dnl +[m4_provide_if([_AM_COMPILER_EXEEXT], + [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl ]) +dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion. Do not +dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further +dnl mangled by Autoconf and run in a shell conditional statement. +m4_define([_AC_COMPILER_EXEEXT], +m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) + # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header 
@@ -443,18 +691,19 @@ # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. +_am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $1 | $1:* ) + $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) +echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -465,7 +714,14 @@ # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -install_sh=${install_sh-"$am_aux_dir/install-sh"} +if test x"${install_sh}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; + *) + install_sh="\${SHELL} $am_aux_dir/install-sh" + esac +fi AC_SUBST(install_sh)]) # Copyright (C) 2003, 2005 Free Software Foundation, Inc. @@ -491,13 +747,13 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001, 2002, 2003, 2005, 2009 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 +# serial 4 # AM_MAKE_INCLUDE() # ----------------- @@ -506,7 +762,7 @@ [am_make=${MAKE-make} cat > confinc << 'END' am__doit: - @echo done + @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. 
@@ -516,24 +772,24 @@ _am_result=none # First try GNU make style include. echo "include confinc" > confmf -# We grep out `Entering directory' and `Leaving directory' -# messages which can occur if `w' ends up in MAKEFLAGS. -# In particular we don't look at `^make:' because GNU make might -# be invoked under some other name (usually "gmake"), in which -# case it prints its new name instead of `make'. -if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then - am__include=include - am__quote= - _am_result=GNU -fi +# Ignore all kinds of additional output from `make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf - if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then - am__include=.include - am__quote="\"" - _am_result=BSD - fi + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac fi AC_SUBST([am__include]) AC_SUBST([am__quote]) @@ -541,13 +797,14 @@ rm -f confinc confmf ]) -# Copyright (C) 1999, 2000, 2001, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008 +# Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 +# serial 6 # AM_PROG_CC_C_O # -------------- 
@@ -555,11 +812,13 @@ AC_DEFUN([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC_C_O])dnl AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([compile])dnl # FIXME: we rely on the cache variable name because # there is no other way. set dummy $CC -ac_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']` -if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then +am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']` +eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o +if test "$am_t" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. @@ -567,18 +826,22 @@ # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" CC="$am_aux_dir/compile $CC" fi +dnl Make sure AC_PROG_CC is never called again, or it will override our +dnl setting of CC. +m4_define([AC_PROG_CC], + [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])]) ]) # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2005 +# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 4 +# serial 6 # AM_MISSING_PROG(NAME, PROGRAM) # ------------------------------ 
@@ -594,7 +857,15 @@ # If it does, set am_missing_run to use it, otherwise, to nothing. AC_DEFUN([AM_MISSING_HAS_RUN], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" +AC_REQUIRE_AUX_FILE([missing])dnl +if test x"${MISSING+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; + *) + MISSING="\${SHELL} $am_aux_dir/missing" ;; + esac +fi # Use eval to expand $SHELL if eval "$MISSING --run true"; then am_missing_run="$MISSING --run " @@ -604,7 +875,7 @@ fi ]) -# Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. +# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -612,70 +883,33 @@ # AM_PROG_MKDIR_P # --------------- -# Check whether `mkdir -p' is supported, fallback to mkinstalldirs otherwise. -# -# Automake 1.8 used `mkdir -m 0755 -p --' to ensure that directories -# created by `make install' are always world readable, even if the -# installer happens to have an overly restrictive umask (e.g. 077). -# This was a mistake. There are at least two reasons why we must not -# use `-m 0755': -# - it causes special bits like SGID to be ignored, -# - it may be too restrictive (some setups expect 775 directories). -# -# Do not use -m 0755 and let people choose whatever they expect by -# setting umask. -# -# We cannot accept any implementation of `mkdir' that recognizes `-p'. -# Some implementations (such as Solaris 8's) are not thread-safe: if a -# parallel make tries to run `mkdir -p a/b' and `mkdir -p a/c' -# concurrently, both version can detect that a/ is missing, but only -# one can create it and the other will error out. Consequently we -# restrict ourselves to GNU make (using the --version option ensures -# this.) +# Check for `mkdir -p'. AC_DEFUN([AM_PROG_MKDIR_P], -[if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then - # We used to keeping the `.' as first argument, in order to - # allow $(mkdir_p) to be used without argument. As in - # $(mkdir_p) $(somedir) - # where $(somedir) is conditionally defined. However this is wrong - # for two reasons: - # 1. if the package is installed by a user who cannot write `.' - # make install will fail, - # 2. the above comment should most certainly read - # $(mkdir_p) $(DESTDIR)$(somedir) - # so it does not work when $(somedir) is undefined and - # $(DESTDIR) is not. - # To support the latter case, we have to write - # test -z "$(somedir)" || $(mkdir_p) $(DESTDIR)$(somedir), - # so the `.' trick is pointless. - mkdir_p='mkdir -p --' -else - # On NextStep and OpenStep, the `mkdir' command does not - # recognize any option. 
It will interpret all options as - # directories to create, and then abort because `.' already - # exists. - for d in ./-p ./--version; - do - test -d $d && rmdir $d - done - # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists. - if test -f "$ac_aux_dir/mkinstalldirs"; then - mkdir_p='$(mkinstalldirs)' - else - mkdir_p='$(install_sh) -d' - fi -fi -AC_SUBST([mkdir_p])]) +[AC_PREREQ([2.60])dnl +AC_REQUIRE([AC_PROG_MKDIR_P])dnl +dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, +dnl while keeping a definition of mkdir_p for backward compatibility. +dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile. +dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of +dnl Makefile.ins that do not define MKDIR_P, so we do our own +dnl adjustment using top_builddir (which is defined more often than +dnl MKDIR_P). +AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl +case $mkdir_p in + [[\\/$]]* | ?:[[\\/]]*) ;; + */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; +esac +]) # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 3 +# serial 4 # _AM_MANGLE_OPTION(NAME) # ----------------------- @@ -692,7 +926,7 @@ # ---------------------------------- # OPTIONS is a space-separated list of Automake options. AC_DEFUN([_AM_SET_OPTIONS], -[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) +[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) # _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) # ------------------------------------------- 
@@ -702,14 +936,14 @@ # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005 +# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008 # Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 4 +# serial 5 # AM_SANITY_CHECK # --------------- @@ -718,16 +952,29 @@ # Just in case sleep 1 echo timestamp > conftest.file +# Reject unsafe characters in $srcdir or the absolute working directory +# name. Accept space and tab only in the latter. +am_lf=' +' +case `pwd` in + *[[\\\"\#\$\&\'\`$am_lf]]*) + AC_MSG_ERROR([unsafe absolute working directory name]);; +esac +case $srcdir in + *[[\\\"\#\$\&\'\`$am_lf\ \ ]]*) + AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);; +esac + # Do `set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( - set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$[*]" = "X"; then # -L didn't work. - set X `ls -t $srcdir/configure conftest.file` + set X `ls -t "$srcdir/configure" conftest.file` fi rm -f conftest.file if test "$[*]" != "X $srcdir/configure conftest.file" \ 
@@ -777,9 +1024,28 @@ if test "$cross_compiling" != no; then AC_CHECK_TOOL([STRIP], [strip], :) fi -INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s" +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) +# Copyright (C) 2006, 2008 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 2 + +# _AM_SUBST_NOTMAKE(VARIABLE) +# --------------------------- +# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. +# This macro is traced by Automake. +AC_DEFUN([_AM_SUBST_NOTMAKE]) + +# AM_SUBST_NOTMAKE(VARIABLE) +# --------------------------- +# Public sister of _AM_SUBST_NOTMAKE. +AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) + # Check how to create a tarball. -*- Autoconf -*- # Copyright (C) 2004, 2005 Free Software Foundation, Inc. @@ -876,6 +1142,7 @@ AC_SUBST([am__untar]) ]) # _AM_PROG_TAR +m4_include([m4/ax_check_linker_flags.m4]) m4_include([m4/libtool.m4]) m4_include([m4/ltoptions.m4]) m4_include([m4/ltsugar.m4]) diff -Nru iptables-1.4.4/COMMIT_NOTES iptables-1.4.10/COMMIT_NOTES --- iptables-1.4.4/COMMIT_NOTES 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/COMMIT_NOTES 2010-10-29 14:37:22.000000000 +0000 
@@ -11,5 +11,9 @@ - If you touch any parts of libxtables (xtables.c, include/xtables.h.in), make sure the so-version is updated _appropriately_ (i.e. read the - libtool manual about Versioning:: first if need be) in configure.ac. + libtool manual about Versioning:: first, if need be) in configure.ac. Adding fields to a struct always entails a vcurrent bump. + + - Check, whether a bump (vcurrent,vage) has already been made since the + last release (no more than one per release), e.g.: + git log v1.4.4.. configure.ac diff -Nru iptables-1.4.4/compile iptables-1.4.10/compile --- iptables-1.4.4/compile 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/compile 2010-10-29 14:40:40.000000000 +0000 @@ -1,9 +1,10 @@ #! /bin/sh # Wrapper for compilers which do not understand `-c -o'. -scriptversion=2005-05-14.22 +scriptversion=2009-10-06.20; # UTC -# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc. +# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software +# Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify @@ -17,8 +18,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -103,13 +103,13 @@ fi # Name of file we expect compiler to create. -cofile=`echo "$cfile" | sed -e 's|^.*/||' -e 's/\.c$/.o/'` +cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` # Create the lock directory. -# Note: use `[/.-]' here to ensure that we don't use the same name +# Note: use `[/\\:.-]' here to ensure that we don't use the same name # that we are using for the .o file. Also, base the name on the expected # object file name, since that is what matters with a parallel build. -lockdir=`echo "$cofile" | sed -e 's|[/.-]|_|g'`.d +lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d while true; do if mkdir "$lockdir" >/dev/null 2>&1; then break @@ -124,9 +124,9 @@ ret=$? if test -f "$cofile"; then - mv "$cofile" "$ofile" + test "$cofile" = "$ofile" || mv "$cofile" "$ofile" elif test -f "${cofile}bj"; then - mv "${cofile}bj" "$ofile" + test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" fi rmdir "$lockdir" @@ -138,5 +138,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" # End: diff -Nru iptables-1.4.4/config.guess iptables-1.4.10/config.guess --- iptables-1.4.4/config.guess 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/config.guess 2010-10-29 14:40:40.000000000 +0000 @@ -1,10 +1,10 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 # Free Software Foundation, Inc. -timestamp='2008-01-23' +timestamp='2009-12-30' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by 
@@ -27,16 +27,16 @@ # the same distribution terms that you use for the rest of that program. -# Originally written by Per Bothner . -# Please send patches to . Submit a context -# diff and a properly formatted ChangeLog entry. +# Originally written by Per Bothner. Please send patches (context +# diff format) to and include a ChangeLog +# entry. # # This script attempts to guess a canonical system name similar to # config.sub. If it succeeds, it prints the system name on stdout, and # exits with 0. Otherwise, it exits with 1. # -# The plan is that this can be called by configure scripts if you -# don't specify an explicit build system type. +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD me=`echo "$0" | sed -e 's,.*/,,'` @@ -56,8 +56,9 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, -2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free +Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -170,7 +171,7 @@ arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ - | grep __ELF__ >/dev/null + | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? 
@@ -324,14 +325,33 @@ case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; + s390x:SunOS:*:*) + echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; + i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) + echo i386-pc-auroraux${UNAME_RELEASE} + exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) - echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + eval $set_cc_for_build + SUN_ARCH="i386" + # If there is a compiler, see if it is configured for 64-bit objects. + # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. + # This test works for both compilers. + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + SUN_ARCH="x86_64" + fi + fi + echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize @@ -640,7 +660,7 @@ # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | - grep __LP64__ >/dev/null + grep -q __LP64__ then HP_ARCH="hppa2.0w" else @@ -791,12 +811,12 @@ i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; - *:Interix*:[3456]*) + *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; - EM64T | authenticamd) + authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) 
@@ -806,6 +826,9 @@ [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; + 8664:Windows_NT:*) + echo x86_64-pc-mks + exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we @@ -835,6 +858,20 @@ i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ @@ -857,6 +894,17 @@ frv:Linux:*:*) echo frv-unknown-linux-gnu exit ;; + i*86:Linux:*:*) + LIBC=gnu + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #ifdef __dietlibc__ + LIBC=dietlibc + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; 
@@ -866,74 +914,33 @@ m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; - mips:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #undef CPU - #undef mips - #undef mipsel - #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mipsel - #else - #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips - #else - CPU= - #endif - #endif -EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^CPU/{ - s: ::g - p - }'`" - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } - ;; - mips64:Linux:*:*) + mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU - #undef mips64 - #undef mips64el + #undef ${UNAME_MACHINE} + #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mips64el + CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips64 + CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^CPU/{ - s: ::g - p - }'`" + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) echo or32-unknown-linux-gnu exit ;; - ppc:Linux:*:*) - echo powerpc-unknown-linux-gnu - exit ;; - ppc64:Linux:*:*) - echo powerpc64-unknown-linux-gnu + padre:Linux:*:*) + echo sparc-unknown-linux-gnu exit ;; - alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in - EV5) UNAME_MACHINE=alphaev5 ;; - EV56) UNAME_MACHINE=alphaev56 ;; - PCA56) UNAME_MACHINE=alphapca56 ;; - PCA57) UNAME_MACHINE=alphapca56 ;; - EV6) UNAME_MACHINE=alphaev6 ;; - EV67) UNAME_MACHINE=alphaev67 ;; - EV68*) UNAME_MACHINE=alphaev68 ;; - esac - objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null - if test "$?" 
= 0 ; then LIBC="libc1" ; else LIBC="" ; fi - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + parisc64:Linux:*:* | hppa64:Linux:*:*) + echo hppa64-unknown-linux-gnu exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level @@ -943,8 +950,11 @@ *) echo hppa-unknown-linux-gnu ;; esac exit ;; - parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-gnu + ppc64:Linux:*:*) + echo powerpc64-unknown-linux-gnu + exit ;; + ppc:Linux:*:*) + echo powerpc-unknown-linux-gnu exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux 
@@ -967,69 +977,6 @@ xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; - i*86:Linux:*:*) - # The BFD linker knows what the default object file format is, so - # first see if it will tell us. cd to the root directory to prevent - # problems with other programs or directories called `ld' in the path. - # Set LC_ALL=C to ensure ld outputs messages in English. - ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ - | sed -ne '/supported targets:/!d - s/[ ][ ]*/ /g - s/.*supported targets: *// - s/ .*// - p'` - case "$ld_supported_targets" in - elf32-i386) - TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu" - ;; - a.out-i386-linux) - echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit ;; - coff-i386) - echo "${UNAME_MACHINE}-pc-linux-gnucoff" - exit ;; - "") - # Either a pre-BFD a.out linker (linux-gnuoldld) or - # one that does not give us useful --help. - echo "${UNAME_MACHINE}-pc-linux-gnuoldld" - exit ;; - esac - # Determine whether the default compiler is a.out or elf - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #include - #ifdef __ELF__ - # ifdef __GLIBC__ - # if __GLIBC__ >= 2 - LIBC=gnu - # else - LIBC=gnulibc1 - # endif - # else - LIBC=gnulibc1 - # endif - #else - #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) - LIBC=gnu - #else - LIBC=gnuaout - #endif - #endif - #ifdef __dietlibc__ - LIBC=dietlibc - #endif -EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^LIBC/{ - s: ::g - p - }'`" - test x"${LIBC}" != x && { - echo "${UNAME_MACHINE}-pc-linux-${LIBC}" - exit - } - test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; } - ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both 
@@ -1058,7 +1005,7 @@ i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) @@ -1102,8 +1049,11 @@ pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i386. - echo i386-pc-msdosdjgpp + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configury will decide that + # this is a cross-build. + echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 @@ -1141,6 +1091,16 @@ 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; @@ -1153,7 +1113,7 @@ rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; - PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) 
@@ -1216,6 +1176,9 @@ BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; + BePC:Haiku:*:*) # Haiku running on Intel PC compatible. + echo i586-pc-haiku + exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; @@ -1243,6 +1206,16 @@ *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown case $UNAME_PROCESSOR in + i386) + eval $set_cc_for_build + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + UNAME_PROCESSOR="x86_64" + fi + fi ;; unknown) UNAME_PROCESSOR=powerpc ;; esac echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} @@ -1324,6 +1297,9 @@ i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; + i*86:AROS:*:*) + echo ${UNAME_MACHINE}-pc-aros + exit ;; esac #echo '(No uname command or uname output not recognized.)' 1>&2 diff -Nru iptables-1.4.4/config.h.in iptables-1.4.10/config.h.in --- iptables-1.4.4/config.h.in 2009-06-16 14:42:56.000000000 +0000 +++ iptables-1.4.10/config.h.in 2010-10-29 14:40:39.000000000 +0000 @@ -52,6 +52,9 @@ /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME +/* Define to the home page for this package. */ +#undef PACKAGE_URL + /* Define to the version of this package. */ #undef PACKAGE_VERSION diff -Nru iptables-1.4.4/config.sub iptables-1.4.10/config.sub --- iptables-1.4.4/config.sub 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/config.sub 2010-10-29 14:40:40.000000000 +0000 
@@ -1,10 +1,10 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 # Free Software Foundation, Inc. -timestamp='2008-01-16' +timestamp='2010-01-22' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -32,13 +32,16 @@ # Please send patches to . Submit a context -# diff and a properly formatted ChangeLog entry. +# diff and a properly formatted GNU ChangeLog entry. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD + # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. @@ -72,8 +75,9 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, -2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free +Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -122,6 +126,7 @@ case $maybe_os in nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \ uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \ + kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` @@ -148,10 +153,13 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray) + -apple | -axis | -knuth | -cray | -microblaze) os= basic_machine=$1 ;; + -bluegene*) + os=-cnk + ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 @@ -249,13 +257,16 @@ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | mcore | mep \ + | maxq | mb | microblaze | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ - | mips64vr | mips64vrel \ + | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ @@ -268,6 +279,7 @@ | mipsisa64sr71k | mipsisa64sr71kel \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ + | moxie \ | mt \ | msp430 \ | nios | nios2 \ 
@@ -276,20 +288,22 @@ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ + | rx \ | score \ - | sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu | strongarm \ | tahoe | thumb | tic4x | tic80 | tron \ + | ubicom32 \ | v850 | v850e \ | we32k \ | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ - | z8k) + | z8k | z80) basic_machine=$basic_machine-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12) + m6811 | m68hc11 | m6812 | m68hc12 | picochip) # Motorola 68HC11/12. basic_machine=$basic_machine-unknown os=-none @@ -329,14 +343,17 @@ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ - | mips64vr-* | mips64vrel-* \ + | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ + | mips64r5900-* | mips64r5900el-* \ + | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ 
@@ -357,21 +374,23 @@ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ | pyramid-* \ - | romp-* | rs6000-* \ - | sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | romp-* | rs6000-* | rx-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ | tahoe-* | thumb-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tile-* | tilegx-* \ | tron-* \ + | ubicom32-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ - | z8k-*) + | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) @@ -439,6 +458,10 @@ basic_machine=m68k-apollo os=-bsd ;; + aros) + basic_machine=i386-pc + os=-aros + ;; aux) basic_machine=m68k-apple os=-aux @@ -455,10 +478,18 @@ basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; + bluegene*) + basic_machine=powerpc-ibm + os=-cnk + ;; c90) basic_machine=c90-cray os=-unicos ;; + cegcc) + basic_machine=arm-unknown + os=-cegcc + ;; convex-c1) basic_machine=c1-convex os=-bsd @@ -526,6 +557,10 @@ basic_machine=m88k-motorola os=-sysv3 ;; + dicos) + basic_machine=i686-pc + os=-dicos + ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp @@ -699,6 +734,9 @@ basic_machine=ns32k-utek os=-sysv ;; + microblaze) + basic_machine=microblaze-xilinx + ;; mingw32) basic_machine=i386-pc os=-mingw32 @@ -1049,6 +1087,11 @@ basic_machine=tic6x-unknown os=-coff ;; + # This must be matched before tile*. + tilegx*) + basic_machine=tilegx-unknown + os=-linux-gnu + ;; tile*) basic_machine=tile-unknown os=-linux-gnu 
@@ -1128,6 +1171,10 @@ basic_machine=z8k-unknown os=-sim ;; + z80-*-coff) + basic_machine=z80-unknown + os=-sim + ;; none) basic_machine=none-none os=-none @@ -1166,7 +1213,7 @@ we32k) basic_machine=we32k-att ;; - sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele) + sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) @@ -1216,6 +1263,9 @@ # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. + -auroraux) + os=-auroraux + ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; @@ -1236,10 +1286,11 @@ # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ + | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ + | -sym* | -kopensolaris* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* \ + | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ @@ -1248,7 +1299,7 @@ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* \ + | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ 
@@ -1258,7 +1309,7 @@ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1388,6 +1439,11 @@ -zvmoe) os=-zvmoe ;; + -dicos*) + os=-dicos + ;; + -nacl*) + ;; -none) ;; *) @@ -1585,7 +1641,7 @@ -sunos*) vendor=sun ;; - -aix*) + -cnk*|-aix*) vendor=ibm ;; -beos*) diff -Nru iptables-1.4.4/configure iptables-1.4.10/configure --- iptables-1.4.4/configure 2009-06-16 14:42:55.000000000 +0000 +++ iptables-1.4.10/configure 2010-10-29 14:40:38.000000000 +0000 @@ -1,18 +1,22 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.63 for iptables 1.4.4. +# Generated by GNU Autoconf 2.65 for iptables 1.4.10. +# # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# +# # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. -## --------------------- ## -## M4sh Initialization. ## -## --------------------- ## +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which 
@@ -20,23 +24,15 @@ alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else - case `(set -o) 2>/dev/null` in - *posix*) set -o posix ;; + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; esac - fi - - -# PATH needs CR -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - as_nl=' ' export as_nl @@ -44,7 +40,13 @@ as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else @@ -55,7 +57,7 @@ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; - case $arg in + case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; @@ -78,13 +80,6 @@ } fi -# Support unset when possible. -if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then - as_unset=unset -else - as_unset=false -fi - # IFS # We need space, tab and new line, in precisely that order. Quoting is 
@@ -94,15 +89,15 @@ IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. -case $0 in +case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done IFS=$as_save_IFS ;; @@ -114,12 +109,16 @@ fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - { (exit 1); exit 1; } + exit 1 fi -# Work around bugs in pre-3.0 UWIN ksh. -for as_var in ENV MAIL MAILPATH -do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' 
@@ -131,330 +130,299 @@ LANGUAGE=C export LANGUAGE -# Required to use basename. -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi - -if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then - as_basename=basename -else - as_basename=false -fi - - -# Name of the executable. -as_me=`$as_basename -- "$0" || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q - } - /^X\/\(\/\/\)$/{ - s//\1/ - q - } - /^X\/\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - # CDPATH. -$as_unset CDPATH - +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH if test "x$CONFIG_SHELL" = x; then - if (eval ":") 2>/dev/null; then - as_have_required=yes + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST else - as_have_required=no + case \`(set -o) 2>/dev/null\` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac fi - - if test $as_have_required = yes && (eval ": -(as_func_return () { - (exit \$1) -} -as_func_success () { - as_func_return 0 -} -as_func_failure () { - as_func_return 1 -} -as_func_ret_success () { - return 0 -} -as_func_ret_failure () { - return 1 -} +" + as_required="as_fn_return () { (exit \$1); } +as_fn_success () { as_fn_return 0; } +as_fn_failure () { as_fn_return 1; } +as_fn_ret_success () { return 0; } +as_fn_ret_failure () { return 1; } exitcode=0 -if as_func_success; then - : -else - exitcode=1 - echo as_func_success failed. -fi - -if as_func_failure; then - exitcode=1 - echo as_func_failure succeeded. -fi - -if as_func_ret_success; then - : -else - exitcode=1 - echo as_func_ret_success failed. 
-fi - -if as_func_ret_failure; then - exitcode=1 - echo as_func_ret_failure succeeded. -fi - -if ( set x; as_func_ret_success y && test x = \"\$1\" ); then - : +as_fn_success || { exitcode=1; echo as_fn_success failed.; } +as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } +as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } +as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : + +else + exitcode=1; echo positional parameters were not saved. +fi +test x\$exitcode = x0 || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && + test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 +test \$(( 1 + 1 )) = 2 || exit 1" + if (eval "$as_required") 2>/dev/null; then : + as_have_required=yes else - exitcode=1 - echo positional parameters were not saved. + as_have_required=no fi + if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : -test \$exitcode = 0) || { (exit 1); exit 1; } - -( - as_lineno_1=\$LINENO - as_lineno_2=\$LINENO - test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" && - test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; } -") 2> /dev/null; then - : else - as_candidate_shells= - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - case $as_dir in + as_found=: + case $as_dir in #( /*) for as_base in sh bash ksh sh5; do - as_candidate_shells="$as_candidate_shells $as_dir/$as_base" + # Try only shells that exist, to save several forks. 
+ as_shell=$as_dir/$as_base + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : + CONFIG_SHELL=$as_shell as_have_required=yes + if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : + break 2 +fi +fi done;; esac + as_found=false done +$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : + CONFIG_SHELL=$SHELL as_have_required=yes +fi; } IFS=$as_save_IFS - for as_shell in $as_candidate_shells $SHELL; do - # Try only shells that exist, to save several forks. - if { test -f "$as_shell" || test -f "$as_shell.exe"; } && - { ("$as_shell") 2> /dev/null <<\_ASEOF -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else - case `(set -o) 2>/dev/null` in - *posix*) set -o posix ;; -esac - -fi - - -: -_ASEOF -}; then - CONFIG_SHELL=$as_shell - as_have_required=yes - if { "$as_shell" 2> /dev/null <<\_ASEOF -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else - case `(set -o) 2>/dev/null` in - *posix*) set -o posix ;; -esac - -fi - - -: -(as_func_return () { - (exit $1) -} -as_func_success () { - as_func_return 0 -} -as_func_failure () { - as_func_return 1 -} -as_func_ret_success () { - return 0 -} -as_func_ret_failure () { - return 1 -} - -exitcode=0 -if as_func_success; then - : -else - exitcode=1 - echo as_func_success failed. 
-fi - -if as_func_failure; then - exitcode=1 - echo as_func_failure succeeded. -fi - -if as_func_ret_success; then - : -else - exitcode=1 - echo as_func_ret_success failed. -fi - -if as_func_ret_failure; then - exitcode=1 - echo as_func_ret_failure succeeded. -fi - -if ( set x; as_func_ret_success y && test x = "$1" ); then - : -else - exitcode=1 - echo positional parameters were not saved. -fi - -test $exitcode = 0) || { (exit 1); exit 1; } - -( - as_lineno_1=$LINENO - as_lineno_2=$LINENO - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; } - -_ASEOF -}; then - break -fi - -fi - - done - - if test "x$CONFIG_SHELL" != x; then - for as_var in BASH_ENV ENV - do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var - done + if test "x$CONFIG_SHELL" != x; then : + # We cannot yet assume a decent shell, so we have to provide a + # neutralization value for shells without unset; and this also + # works around shells that cannot unset nonexistent variables. + BASH_ENV=/dev/null + ENV=/dev/null + (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV export CONFIG_SHELL exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} fi - - if test $as_have_required = no; then - echo This script requires a shell more modern than all the - echo shells that I found on your system. Please install a - echo modern shell, or manually run the script under such a - echo shell if you do have one. - { (exit 1); exit 1; } + if test x$as_have_required = xno; then : + $as_echo "$0: This script requires a shell more modern than all" + $as_echo "$0: the shells that I found on your system." + if test x${ZSH_VERSION+set} = xset ; then + $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" + $as_echo "$0: be upgraded to zsh 4.3.4 or later." + else + $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, +$0: including any error possibly output before this +$0: message. 
Then install a modern shell, or manually run +$0: the script under such a shell if you do have one." + fi + exit 1 fi - - fi - fi +SHELL=${CONFIG_SHELL-/bin/sh} +export SHELL +# Unset more variables known to interfere with behavior of common tools. +CLICOLOR_FORCE= GREP_OPTIONS= +unset CLICOLOR_FORCE GREP_OPTIONS +## --------------------- ## +## M4sh Shell Functions. ## +## --------------------- ## +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir" -(eval "as_func_return () { - (exit \$1) -} -as_func_success () { - as_func_return 0 -} -as_func_failure () { - as_func_return 1 -} -as_func_ret_success () { - return 0 -} -as_func_ret_failure () { - return 1 -} -exitcode=0 -if as_func_success; then - : +} # as_fn_mkdir_p +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' else - exitcode=1 - echo as_func_success failed. -fi + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append -if as_func_failure; then - exitcode=1 - echo as_func_failure succeeded. -fi +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith -if as_func_ret_success; then - : + +# as_fn_error ERROR [LINENO LOG_FD] +# --------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. 
Then exit the +# script with status $?, using 1 if that was 0. +as_fn_error () +{ + as_status=$?; test $as_status -eq 0 && as_status=1 + if test "$3"; then + as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3 + fi + $as_echo "$as_me: error: $1" >&2 + as_fn_exit $as_status +} # as_fn_error + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr else - exitcode=1 - echo as_func_ret_success failed. + as_expr=false fi -if as_func_ret_failure; then - exitcode=1 - echo as_func_ret_failure succeeded. +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false fi -if ( set x; as_func_ret_success y && test x = \"\$1\" ); then - : +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname else - exitcode=1 - echo positional parameters were not saved. + as_dirname=false fi -test \$exitcode = 0") || { - echo No shell found that supports shell functions. - echo Please tell bug-autoconf@gnu.org about your system, - echo including any error possibly output before this message. - echo This can help us improve future autoconf versions. - echo Configuration will now proceed without shell functions. -} +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` +# Avoid depending upon Character Ranges. 
+as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits - as_lineno_1=$LINENO - as_lineno_2=$LINENO - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { - - # Create $as_me.lineno as a copy of $as_myself, but with $LINENO - # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line after each line using $LINENO; the second 'sed' - # does the real work. The second script uses 'N' to pair each - # line-number line with the line containing $LINENO, and appends - # trailing '-' during substitution so that $LINENO is not a special - # case at line end. - # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # scripts with optimization help from Paolo Bonzini. Blame Lee - # E. McMahon (1931-1989) for sed's syntax. :-) + as_lineno_1=$LINENO as_lineno_1a=$LINENO + as_lineno_2=$LINENO as_lineno_2a=$LINENO + eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && + test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { + # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= @@ -471,8 +439,7 @@ s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || - { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 - { (exit 1); exit 1; }; } + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the 
@@ -482,29 +449,18 @@ exit } - -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi - ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in +case `echo -n x` in #((((( -n*) - case `echo 'x\c'` in + case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. - *) ECHO_C='\c';; + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then @@ -534,7 +490,7 @@ rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then - as_mkdir_p=: + as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false @@ -553,10 +509,10 @@ if test -d "$1"; then test -d "$1/."; else - case $1 in + case $1 in #( -*)set "./$1";; esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( ???[sx]*):;;*)false;;esac;fi '\'' sh ' @@ -571,7 +527,6 @@ - # Check that we are running under the correct shell. SHELL=${CONFIG_SHELL-/bin/sh} @@ -720,7 +675,8 @@ -exec 7<&0 &1 +test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, Linux) returns a bogus exit status, @@ -738,14 +694,14 @@ subdirs= MFLAGS= MAKEFLAGS= -SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='iptables' PACKAGE_TARNAME='iptables' -PACKAGE_VERSION='1.4.4' -PACKAGE_STRING='iptables 1.4.4' +PACKAGE_VERSION='1.4.10' +PACKAGE_STRING='iptables 1.4.10' PACKAGE_BUGREPORT='' +PACKAGE_URL='' # Factoring default headers for most tests. ac_includes_default="\ 
@@ -783,21 +739,33 @@ # include #endif" -ac_subst_vars='LTLIBOBJS +ac_subst_vars='am__EXEEXT_FALSE +am__EXEEXT_TRUE +LTLIBOBJS LIBOBJS libxtables_vmajor libxtables_vage libxtables_vcurrent +pkgdatadir pkgconfigdir xtlibdir ksourcedir kbuilddir kinclude_CFLAGS regular_CFLAGS +HAVE_LIBNFNETLINK_FALSE +HAVE_LIBNFNETLINK_TRUE +libnfnetlink_LIBS +libnfnetlink_CFLAGS +PKG_CONFIG_LIBDIR +PKG_CONFIG_PATH +PKG_CONFIG ENABLE_LIBIPQ_FALSE ENABLE_LIBIPQ_TRUE ENABLE_DEVEL_FALSE ENABLE_DEVEL_TRUE +ENABLE_LARGEFILE_FALSE +ENABLE_LARGEFILE_TRUE ENABLE_IPV6_FALSE ENABLE_IPV6_TRUE ENABLE_IPV4_FALSE @@ -807,6 +775,7 @@ ENABLE_STATIC_FALSE ENABLE_STATIC_TRUE blacklist_modules +libiptc_LDFLAGS2 CPP OTOOL64 OTOOL @@ -858,6 +827,7 @@ SET_MAKE AWK mkdir_p +MKDIR_P INSTALL_STRIP_PROGRAM STRIP install_sh @@ -869,6 +839,7 @@ VERSION PACKAGE CYGPATH_W +am__isrc INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM @@ -902,6 +873,7 @@ program_transform_name prefix exec_prefix +PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION @@ -925,6 +897,7 @@ with_xtlibdir enable_ipv4 enable_ipv6 +enable_largefile enable_devel enable_libipq with_pkgconfigdir @@ -937,7 +910,12 @@ LDFLAGS LIBS CPPFLAGS -CPP' +CPP +PKG_CONFIG +PKG_CONFIG_PATH +PKG_CONFIG_LIBDIR +libnfnetlink_CFLAGS +libnfnetlink_LIBS' # Initialize some variables set by options. @@ -1046,8 +1024,7 @@ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 - { (exit 1); exit 1; }; } + as_fn_error "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in 
@@ -1073,8 +1050,7 @@ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 - { (exit 1); exit 1; }; } + as_fn_error "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in @@ -1278,8 +1254,7 @@ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 - { (exit 1); exit 1; }; } + as_fn_error "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in @@ -1295,8 +1270,7 @@ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 - { (exit 1); exit 1; }; } + as_fn_error "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in 
@@ -1326,17 +1300,17 @@ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; - -*) { $as_echo "$as_me: error: unrecognized option: $ac_option -Try \`$0 --help' for more information." >&2 - { (exit 1); exit 1; }; } + -*) as_fn_error "unrecognized option: \`$ac_option' +Try \`$0 --help' for more information." ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. - expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && - { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2 - { (exit 1); exit 1; }; } + case $ac_envvar in #( + '' | [0-9]* | *[!_$as_cr_alnum]* ) + as_fn_error "invalid variable name: \`$ac_envvar'" ;; + esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; @@ -1353,15 +1327,13 @@ if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` - { $as_echo "$as_me: error: missing argument to $ac_option" >&2 - { (exit 1); exit 1; }; } + as_fn_error "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; - fatal) { $as_echo "$as_me: error: unrecognized options: $ac_unrecognized_opts" >&2 - { (exit 1); exit 1; }; } ;; + fatal) as_fn_error "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi @@ -1384,8 +1356,7 @@ [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac - { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 - { (exit 1); exit 1; }; } + as_fn_error "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' 
@@ -1415,11 +1386,9 @@ ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || - { $as_echo "$as_me: error: working directory cannot be determined" >&2 - { (exit 1); exit 1; }; } + as_fn_error "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || - { $as_echo "$as_me: error: pwd does not report name of working directory" >&2 - { (exit 1); exit 1; }; } + as_fn_error "pwd does not report name of working directory" # Find the source files, if location was not specified. @@ -1458,13 +1427,11 @@ fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." - { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 - { (exit 1); exit 1; }; } + as_fn_error "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( - cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2 - { (exit 1); exit 1; }; } + cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then @@ -1490,7 +1457,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures iptables 1.4.4 to adapt to many kinds of systems. +\`configure' configures iptables 1.4.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1560,7 +1527,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of iptables 1.4.4:";; + short | recursive ) echo "Configuration of iptables 1.4.10:";; esac cat <<\_ACEOF 
@@ -1577,6 +1544,7 @@ --disable-libtool-lock avoid locking (might break parallel builds) --disable-ipv4 Do not build iptables --disable-ipv6 Do not build ip6tables + --disable-largefile Do not build largefile support --enable-devel Install Xtables development headers --enable-libipq Build and install libipq @@ -1588,13 +1556,13 @@ --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-kernel=PATH Path to kernel source/build directory --with-kbuild=PATH Path to kernel build directory - [/lib/modules/CURRENT/build] + [[/lib/modules/CURRENT/build]] --with-ksource=PATH Path to kernel source directory - [/lib/modules/CURRENT/source] + [[/lib/modules/CURRENT/source]] --with-xtlibdir=PATH Path where to install Xtables extensions - [LIBEXECDIR/xtables] + [[LIBEXECDIR/xtables]] --with-pkgconfigdir=PATH - Path to the pkgconfig directory [LIBDIR/pkgconfig] + Path to the pkgconfig directory [[LIBDIR/pkgconfig]] Some influential environment variables: CC C compiler command @@ -1602,13 +1570,23 @@ LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l - CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor + PKG_CONFIG path to pkg-config utility + PKG_CONFIG_PATH + directories to add to pkg-config's search path + PKG_CONFIG_LIBDIR + path overriding pkg-config's built-in search path + libnfnetlink_CFLAGS + C compiler flags for libnfnetlink, overriding pkg-config + libnfnetlink_LIBS + linker flags for libnfnetlink, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. +Report bugs to the package provider. _ACEOF ac_status=$? fi 
@@ -1671,22 +1649,373 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -iptables configure 1.4.4 -generated by GNU Autoconf 2.63 +iptables configure 1.4.10 +generated by GNU Autoconf 2.65 -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +Copyright (C) 2009 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi + +## ------------------------ ## +## Autoconf initialization. ## +## ------------------------ ## + +# ac_fn_c_try_compile LINENO +# -------------------------- +# Try to compile conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext + if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + as_fn_set_status $ac_retval + +} # ac_fn_c_try_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. 
+ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + +# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists and can be compiled using the include files in +# INCLUDES, setting the cache variable VAR accordingly. +ac_fn_c_check_header_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... 
" >&6; } +if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + +} # ac_fn_c_check_header_compile + +# ac_fn_c_try_cpp LINENO +# ---------------------- +# Try to preprocess conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_cpp () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + as_fn_set_status $ac_retval + +} # ac_fn_c_try_cpp + +# ac_fn_c_try_run LINENO +# ---------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes +# that executables *can* be run. 
+ac_fn_c_try_run () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then : + ac_retval=0 +else + $as_echo "$as_me: program exited with status $ac_status" >&5 + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=$ac_status +fi + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + as_fn_set_status $ac_retval + +} # ac_fn_c_try_run + +# ac_fn_c_check_func LINENO FUNC VAR +# ---------------------------------- +# Tests whether FUNC exists, setting the cache variable VAR accordingly +ac_fn_c_check_func () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Define $2 to an innocuous variant, in case declares $2. + For example, HP-UX 11i declares gettimeofday. 
*/ +#define $2 innocuous_$2 + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $2 (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $2 + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $2 (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$2 || defined __stub___$2 +choke me +#endif + +int +main () +{ +return $2 (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + +} # ac_fn_c_check_func + +# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists, giving a warning if it cannot be compiled using +# the include files in INCLUDES and setting the cache variable VAR +# accordingly. +ac_fn_c_check_header_mongrel () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... 
" >&6; } +if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : + $as_echo_n "(cached) " >&6 +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 +$as_echo_n "checking $2 usability... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_header_compiler=yes +else + ac_header_compiler=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 +$as_echo_n "checking $2 presence... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <$2> +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + ac_header_preproc=yes +else + ac_header_preproc=no +fi +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( + yes:no: ) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" 
>&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} + ;; + no:yes:* ) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} + ;; +esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=\$ac_header_compiler" +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +fi + eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} + +} # ac_fn_c_check_header_mongrel cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by iptables $as_me 1.4.4, which was -generated by GNU Autoconf 2.63. Invocation command line was +It was created by iptables $as_me 1.4.10, which was +generated by GNU Autoconf 2.65. Invocation command line was $ $0 $@ 
@@ -1722,8 +2051,8 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - $as_echo "PATH: $as_dir" -done + $as_echo "PATH: $as_dir" + done IFS=$as_save_IFS } >&5 @@ -1760,9 +2089,9 @@ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in - 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;; + 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) - ac_configure_args1="$ac_configure_args1 '$ac_arg'" + as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else @@ -1778,13 +2107,13 @@ -* ) ac_must_keep_next=true ;; esac fi - ac_configure_args="$ac_configure_args '$ac_arg'" + as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done -$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; } -$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; } +{ ac_configure_args0=; unset ac_configure_args0;} +{ ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there @@ -1809,13 +2138,13 @@ case $ac_val in #( *${as_nl}*) case $ac_var in #( - *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5 + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) $as_unset $ac_var ;; + *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done 
@@ -1887,39 +2216,41 @@ exit $exit_status ' 0 for ac_signal in 1 2 13 15; do - trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal + trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h +$as_echo "/* confdefs.h */" > confdefs.h + # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF - cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF - cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF - cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF - cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF +cat >>confdefs.h <<_ACEOF +#define PACKAGE_URL "$PACKAGE_URL" +_ACEOF + # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. @@ -1937,8 +2268,8 @@ for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue - if test -r "$ac_site_file"; then - { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 + if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" 
@@ -1946,10 +2277,10 @@ done if test -r "$cache_file"; then - # Some versions of bash will fail to source /dev/null (special - # files actually), so we avoid doing that. - if test -f "$cache_file"; then - { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5 + # Some versions of bash will fail to source /dev/null (special files + # actually), so we avoid doing that. DJGPP emulates it as a regular file. + if test /dev/null != "$cache_file" && test -f "$cache_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; @@ -1957,7 +2288,7 @@ esac fi else - { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi @@ -1972,11 +2303,11 @@ eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) - { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) - { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; 
@@ -1986,65 +2317,42 @@ ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then - { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else - { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi - { $as_echo "$as_me:$LINENO: former value: \`$ac_old_val'" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} - { $as_echo "$as_me:$LINENO: current value: \`$ac_new_val'" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} - fi;; - esac - # Pass precious variables to config.status. - if test "$ac_new_set" = set; then - case $ac_new_val in - *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. 
- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; - esac - fi -done -if $ac_cache_corrupted; then - { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} - { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 -$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} - { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 -$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} - { (exit 1); exit 1; }; } -fi - - - - - - - - - - - - - - - - - - - - - - - - + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. + *) as_fn_append ac_configure_args " '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + as_fn_error "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 +fi +## -------------------- ## +## Main body of script. ## +## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -2055,7 +2363,7 @@ # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=2 +libxtables_vcurrent=5 libxtables_vage=0 ac_config_headers="$ac_config_headers config.h" 
@@ -2063,24 +2371,16 @@ ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do - if test -f "$ac_dir/install-sh"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install-sh -c" - break - elif test -f "$ac_dir/install.sh"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install.sh -c" - break - elif test -f "$ac_dir/shtool"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/shtool install -c" - break - fi + for ac_t in install-sh install.sh shtool; do + if test -f "$ac_dir/$ac_t"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/$ac_t -c" + break 2 + fi + done done if test -z "$ac_aux_dir"; then - { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5 -$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 fi # These three variables are undocumented and unsupported, @@ -2106,10 +2406,10 @@ # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. -{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then -if test "${ac_cv_path_install+set}" = set; then +if test "${ac_cv_path_install+set}" = set; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR 
@@ -2117,11 +2417,11 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - # Account for people who put trailing slashes in PATH elements. -case $as_dir/ in - ./ | .// | /cC/* | \ + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in #(( + ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ - ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \ + ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. @@ -2158,7 +2458,7 @@ ;; esac -done + done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir @@ -2174,7 +2474,7 @@ INSTALL=$ac_install_sh fi fi -{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. 
@@ -2185,22 +2485,36 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' -am__api_version="1.9" -{ $as_echo "$as_me:$LINENO: checking whether build environment is sane" >&5 +am__api_version='1.11' + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 $as_echo_n "checking whether build environment is sane... " >&6; } # Just in case sleep 1 echo timestamp > conftest.file +# Reject unsafe characters in $srcdir or the absolute working directory +# name. Accept space and tab only in the latter. +am_lf=' +' +case `pwd` in + *[\\\"\#\$\&\'\`$am_lf]*) + as_fn_error "unsafe absolute working directory name" "$LINENO" 5;; +esac +case $srcdir in + *[\\\"\#\$\&\'\`$am_lf\ \ ]*) + as_fn_error "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;; +esac + # Do `set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( - set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$*" = "X"; then # -L didn't work. - set X `ls -t $srcdir/configure conftest.file` + set X `ls -t "$srcdir/configure" conftest.file` fi rm -f conftest.file if test "$*" != "X $srcdir/configure conftest.file" \ 
@@ -2210,11 +2524,8 @@ # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". - { { $as_echo "$as_me:$LINENO: error: ls -t appears to fail. Make sure there is not a broken -alias in your environment" >&5 -$as_echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken -alias in your environment" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "ls -t appears to fail. Make sure there is not a broken +alias in your environment" "$LINENO" 5 fi test "$2" = conftest.file @@ -2223,13 +2534,10 @@ # Ok. : else - { { $as_echo "$as_me:$LINENO: error: newly created file is older than distributed files! -Check your system clock" >&5 -$as_echo "$as_me: error: newly created file is older than distributed files! -Check your system clock" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "newly created file is older than distributed files! +Check your system clock" "$LINENO" 5 fi -{ $as_echo "$as_me:$LINENO: result: yes" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" 
@@ -2244,181 +2552,32 @@ # expand $ac_aux_dir to an absolute path am_aux_dir=`cd $ac_aux_dir && pwd` -test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" +if test x"${MISSING+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; + *) + MISSING="\${SHELL} $am_aux_dir/missing" ;; + esac +fi # Use eval to expand $SHELL if eval "$MISSING --run true"; then am_missing_run="$MISSING --run " else am_missing_run= - { $as_echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`missing' script is too old or missing" >&5 $as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} fi -if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then - # We used to keeping the `.' as first argument, in order to - # allow $(mkdir_p) to be used without argument. As in - # $(mkdir_p) $(somedir) - # where $(somedir) is conditionally defined. However this is wrong - # for two reasons: - # 1. if the package is installed by a user who cannot write `.' - # make install will fail, - # 2. the above comment should most certainly read - # $(mkdir_p) $(DESTDIR)$(somedir) - # so it does not work when $(somedir) is undefined and - # $(DESTDIR) is not. - # To support the latter case, we have to write - # test -z "$(somedir)" || $(mkdir_p) $(DESTDIR)$(somedir), - # so the `.' trick is pointless. - mkdir_p='mkdir -p --' -else - # On NextStep and OpenStep, the `mkdir' command does not - # recognize any option. It will interpret all options as - # directories to create, and then abort because `.' already - # exists. - for d in ./-p ./--version; - do - test -d $d && rmdir $d - done - # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists. 
- if test -f "$ac_aux_dir/mkinstalldirs"; then - mkdir_p='$(mkinstalldirs)' - else - mkdir_p='$(install_sh) -d' - fi -fi - -for ac_prog in gawk mawk nawk awk -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_AWK+set}" = set; then - $as_echo_n "(cached) " >&6 -else - if test -n "$AWK"; then - ac_cv_prog_AWK="$AWK" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_AWK="$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done -done -IFS=$as_save_IFS - -fi -fi -AWK=$ac_cv_prog_AWK -if test -n "$AWK"; then - { $as_echo "$as_me:$LINENO: result: $AWK" >&5 -$as_echo "$AWK" >&6; } -else - { $as_echo "$as_me:$LINENO: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$AWK" && break -done - -{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5 -$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } -set x ${MAKE-make} -ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` -if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.make <<\_ACEOF -SHELL = /bin/sh -all: - @echo '@@@%%%=$(MAKE)=@@@%%%' -_ACEOF -# GNU make sometimes prints "make[1]: Entering...", which would confuse us. 
-case `${MAKE-make} -f conftest.make 2>/dev/null` in - *@@@%%%=?*=@@@%%%*) - eval ac_cv_prog_make_${ac_make}_set=yes;; +if test x"${install_sh}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) - eval ac_cv_prog_make_${ac_make}_set=no;; -esac -rm -f conftest.make -fi -if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then - { $as_echo "$as_me:$LINENO: result: yes" >&5 -$as_echo "yes" >&6; } - SET_MAKE= -else - { $as_echo "$as_me:$LINENO: result: no" >&5 -$as_echo "no" >&6; } - SET_MAKE="MAKE=${MAKE-make}" -fi - -rm -rf .tst 2>/dev/null -mkdir .tst 2>/dev/null -if test -d .tst; then - am__leading_dot=. -else - am__leading_dot=_ -fi -rmdir .tst 2>/dev/null - -# test to see if srcdir already configured -if test "`cd $srcdir && pwd`" != "`pwd`" && - test -f $srcdir/config.status; then - { { $as_echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5 -$as_echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;} - { (exit 1); exit 1; }; } -fi - -# test whether we have cygpath -if test -z "$CYGPATH_W"; then - if (cygpath --version) >/dev/null 2>/dev/null; then - CYGPATH_W='cygpath -w' - else - CYGPATH_W=echo - fi + install_sh="\${SHELL} $am_aux_dir/install-sh" + esac fi - -# Define the identity of the package. - PACKAGE='iptables' - VERSION='1.4.4' - - -cat >>confdefs.h <<_ACEOF -#define PACKAGE "$PACKAGE" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define VERSION "$VERSION" -_ACEOF - -# Some tools Automake needs. 
- -ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} - - -AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} - - -AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} - - -AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} - - -MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} - -install_sh=${install_sh-"$am_aux_dir/install-sh"} - # Installed binaries are usually stripped using `strip' when the user # run `make install-strip'. However `strip' might not be the right # tool to use in cross-compilation environments, therefore Automake @@ -2427,9 +2586,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then +if test "${ac_cv_prog_STRIP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then @@ -2440,24 +2599,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then - { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -2467,9 +2626,9 @@ ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then 
@@ -2480,44 +2639,224 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_STRIP" = x; then + STRIP=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + STRIP=$ac_ct_STRIP + fi +else + STRIP="$ac_cv_prog_STRIP" +fi + +fi +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 +$as_echo_n "checking for a thread-safe mkdir -p... " >&6; } +if test -z "$MKDIR_P"; then + if test "${ac_cv_path_mkdir+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_prog in mkdir gmkdir; do + for ac_exec_ext in '' $ac_executable_extensions; do + { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue + case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( + 'mkdir (GNU coreutils) '* | \ + 'mkdir (coreutils) '* | \ + 'mkdir (fileutils) '4.1*) + ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext + break 3;; + esac + done + done + done +IFS=$as_save_IFS + +fi + + test -d ./--version && rmdir ./--version + if test "${ac_cv_path_mkdir+set}" = set; then + MKDIR_P="$ac_cv_path_mkdir -p" + else + # As a last resort, use the slow shell script. Don't cache a + # value for MKDIR_P within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + MKDIR_P="$ac_install_sh -d" + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 +$as_echo "$MKDIR_P" >&6; } + +mkdir_p="$MKDIR_P" +case $mkdir_p in + [\\/$]* | ?:[\\/]*) ;; + */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; +esac + +for ac_prog in gawk mawk nawk awk +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_AWK+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$AWK"; then + ac_cv_prog_AWK="$AWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +AWK=$ac_cv_prog_AWK +if test -n "$AWK"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 +$as_echo "$AWK" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AWK" && break +done + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 +$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } +set x ${MAKE-make} +ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` +if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then : + $as_echo_n "(cached) " >&6 +else + cat >conftest.make <<\_ACEOF +SHELL = /bin/sh +all: + @echo '@@@%%%=$(MAKE)=@@@%%%' +_ACEOF +# GNU make sometimes prints "make[1]: Entering...", which would confuse us. 
+case `${MAKE-make} -f conftest.make 2>/dev/null` in + *@@@%%%=?*=@@@%%%*) + eval ac_cv_prog_make_${ac_make}_set=yes;; + *) + eval ac_cv_prog_make_${ac_make}_set=no;; +esac +rm -f conftest.make +fi +if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + SET_MAKE= +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } + SET_MAKE="MAKE=${MAKE-make}" fi - if test "x$ac_ct_STRIP" = x; then - STRIP=":" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - STRIP=$ac_ct_STRIP - fi +rm -rf .tst 2>/dev/null +mkdir .tst 2>/dev/null +if test -d .tst; then + am__leading_dot=. else - STRIP="$ac_cv_prog_STRIP" + am__leading_dot=_ +fi +rmdir .tst 2>/dev/null + +if test "`cd $srcdir && pwd`" != "`pwd`"; then + # Use -I$(srcdir) only when $(srcdir) != ., so that make's output + # is not polluted with repeated "-I." + am__isrc=' -I$(srcdir)' + # test to see if srcdir already configured + if test -f $srcdir/config.status; then + as_fn_error "source directory already configured; run \"make distclean\" there first" "$LINENO" 5 + fi fi +# test whether we have cygpath +if test -z "$CYGPATH_W"; then + if (cygpath --version) >/dev/null 2>/dev/null; then + CYGPATH_W='cygpath -w' + else + CYGPATH_W=echo + fi fi -INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s" + + +# Define the identity of the package. + PACKAGE='iptables' + VERSION='1.4.10' + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE "$PACKAGE" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define VERSION "$VERSION" +_ACEOF + +# Some tools Automake needs. 
+ +ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} + + +AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} + + +AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} + + +AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} + + +MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} # We need awk for the "check" target. The system "awk" is bad on # some platforms. @@ -2539,9 +2878,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then +if test "${ac_cv_prog_CC+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -2552,24 +2891,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:$LINENO: result: $CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -2579,9 +2918,9 @@ ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then @@ -2592,24 +2931,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -2618,7 +2957,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -2632,9 +2971,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then +if test "${ac_cv_prog_CC+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then @@ -2645,24 +2984,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:$LINENO: result: $CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -2672,9 +3011,9 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then +if test "${ac_cv_prog_CC+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then 
@@ -2686,18 +3025,18 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then @@ -2716,10 +3055,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:$LINENO: result: $CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -2731,9 +3070,9 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_CC+set}" = set; then +if test "${ac_cv_prog_CC+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then 
@@ -2744,24 +3083,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then - { $as_echo "$as_me:$LINENO: result: $CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -2775,9 +3114,9 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_CC+set}" = set; then +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then 
@@ -2788,24 +3127,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -2818,7 +3157,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -2829,57 +3168,37 @@ fi -test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: no acceptable C compiler found in \$PATH -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; }; } +as_fn_error "no acceptable C compiler found in \$PATH +See \`config.log' for more details." "$LINENO" 5; } # Provide some information about the compiler. -$as_echo "$as_me:$LINENO: checking for C compiler version" >&5 +$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 -{ (ac_try="$ac_compiler --version >&5" +for ac_option in --version -v -V -qversion; do + { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compiler --version >&5") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -v >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compiler -v >&5") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } -{ (ac_try="$ac_compiler -V >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compiler -V >&5") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compiler $ac_option >&5") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + sed '10a\ +... rest of stderr output deleted ... + 10q' conftest.err >conftest.er1 + cat conftest.er1 >&5 + fi + rm -f conftest.er1 conftest.err + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } +done -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -2895,8 +3214,8 @@ # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. -{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 -$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: 
@@ -2912,17 +3231,17 @@ done rm -f $ac_rmfiles -if { (ac_try="$ac_link_default" +if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, @@ -2939,7 +3258,7 @@ # certainly right. break;; *.* ) - if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi 
@@ -2958,84 +3277,42 @@ else ac_file='' fi - -{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5 -$as_echo "$ac_file" >&6; } -if test -z "$ac_file"; then - $as_echo "$as_me: failed program was:" >&5 +if test -z "$ac_file"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: C compiler cannot create executables -See \`config.log' for more details." >&2;} - { (exit 77); exit 77; }; }; } +{ as_fn_set_status 77 +as_fn_error "C compiler cannot create executables +See \`config.log' for more details." "$LINENO" 5; }; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } fi - +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5 -$as_echo_n "checking whether the C compiler works... " >&6; } -# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 -# If not cross compiling, check that we can run a simple program. 
-if test "$cross_compiling" != yes; then - if { ac_try='./$ac_file' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; }; } - fi - fi -fi -{ $as_echo "$as_me:$LINENO: result: yes" >&5 -$as_echo "yes" >&6; } - rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 -$as_echo_n "checking whether we are cross compiling... " >&6; } -{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5 -$as_echo "$cross_compiling" >&6; } - -{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... 
" >&6; } -if { (ac_try="$ac_link" +if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with 
@@ -3050,32 +3327,83 @@ esac done else - { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; }; } +as_fn_error "cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." "$LINENO" 5; } fi - -rm -f conftest$ac_cv_exeext -{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 +rm -f conftest conftest$ac_cv_exeext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT -{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5 +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +FILE *f = fopen ("conftest.out", "w"); + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +ac_clean_files="$ac_clean_files conftest.out" +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +if test "$cross_compiling" != yes; then + { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + if { ac_try='./conftest$ac_cv_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error "cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." "$LINENO" 5; } + fi + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } -if test "${ac_cv_objext+set}" = set; then +if test "${ac_cv_objext+set}" = set; then : $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -3087,17 +3415,17 @@ } _ACEOF rm -f conftest.o conftest.obj -if { (ac_try="$ac_compile" +if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in 
@@ -3110,31 +3438,23 @@ $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 -{ { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; }; } +as_fn_error "cannot compute suffix of object files: cannot compile +See \`config.log' for more details." "$LINENO" 5; } fi - rm -f conftest.$ac_cv_objext conftest.$ac_ext fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT -{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -if test "${ac_cv_c_compiler_gnu+set}" = set; then +if test "${ac_cv_c_compiler_gnu+set}" = set; then : $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -3148,37 +3468,16 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then +if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_compiler_gnu=no + ac_compiler_gnu=no fi - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes @@ -3187,20 +3486,16 @@ fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS -{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } -if test "${ac_cv_prog_cc_g+set}" = set; then +if test "${ac_cv_prog_cc_g+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -3211,35 +3506,11 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then +if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - CFLAGS="" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + CFLAGS="" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -3250,36 +3521,12 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - : -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +if ac_fn_c_try_compile "$LINENO"; then : - ac_c_werror_flag=$ac_save_c_werror_flag +else + ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -3290,42 +3537,17 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then +if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - fi - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS @@ -3342,18 +3564,14 @@ CFLAGS= fi fi -{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -if test "${ac_cv_prog_cc_c89+set}" = set; then +if test "${ac_cv_prog_cc_c89+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include 
@@ -3410,32 +3628,9 @@ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" - rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then + if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - fi - rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done @@ -3446,17 +3641,19 @@ # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) - { $as_echo "$as_me:$LINENO: result: none needed" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) - { $as_echo "$as_me:$LINENO: result: unsupported" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" - { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac +if test "x$ac_cv_prog_cc_c89" != xno; then : +fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -3471,54 +3668,52 @@ am_make=${MAKE-make} cat > confinc << 'END' am__doit: - @echo done + @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. -{ $as_echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 $as_echo_n "checking for style of include used by $am_make... " >&6; } am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf -# We grep out `Entering directory' and `Leaving directory' -# messages which can occur if `w' ends up in MAKEFLAGS. -# In particular we don't look at `^make:' because GNU make might -# be invoked under some other name (usually "gmake"), in which -# case it prints its new name instead of `make'. -if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then - am__include=include - am__quote= - _am_result=GNU -fi +# Ignore all kinds of additional output from `make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf - if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then - am__include=.include - am__quote="\"" - _am_result=BSD - fi + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac fi -{ $as_echo "$as_me:$LINENO: result: $_am_result" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 $as_echo "$_am_result" >&6; } rm -f confinc confmf # Check whether --enable-dependency-tracking was given. 
-if test "${enable_dependency_tracking+set}" = set; then +if test "${enable_dependency_tracking+set}" = set; then : enableval=$enable_dependency_tracking; fi if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' -fi - - -if test "x$enable_dependency_tracking" != xno; then +fi + if test "x$enable_dependency_tracking" != xno; then AMDEP_TRUE= AMDEP_FALSE='#' else @@ -3528,12 +3723,11 @@ - depcc="$CC" am_compiler_list= -{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } -if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then +if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then @@ -3559,6 +3753,11 @@ if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi + am__universal=false + case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac + for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and @@ -3576,7 +3775,17 @@ done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; nosideeffect) # after this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested 
@@ -3586,18 +3795,23 @@ break fi ;; + msvisualcpp | msvcmsys) + # This compiler won't grok `-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. + am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; none) break ;; esac - # We check with `-c' and `-o' for the sake of the "dashmstdout" - # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. if depmode=$depmode \ - source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ - $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && + grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && - grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message @@ -3621,13 +3835,11 @@ fi fi -{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type - - -if + if test "x$enable_dependency_tracking" != xno \ && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then am__fastdepCC_TRUE= 
@@ -3639,22 +3851,18 @@ if test "x$CC" != xcc; then - { $as_echo "$as_me:$LINENO: checking whether $CC and cc understand -c and -o together" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5 $as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; } else - { $as_echo "$as_me:$LINENO: checking whether cc understands -c and -o together" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5 $as_echo_n "checking whether cc understands -c and -o together... " >&6; } fi set dummy $CC; ac_cc=`$as_echo "$2" | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'` -if { as_var=ac_cv_prog_cc_${ac_cc}_c_o; eval "test \"\${$as_var+set}\" = set"; }; then +if { as_var=ac_cv_prog_cc_${ac_cc}_c_o; eval "test \"\${$as_var+set}\" = set"; }; then : $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -3670,63 +3878,63 @@ # existing .o file with -o, though they will create one. ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5' rm -f conftest2.* -if { (case "(($ac_try" in +if { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - test -f conftest2.$ac_objext && { (case "(($ac_try" in + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && + test -f conftest2.$ac_objext && { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then eval ac_cv_prog_cc_${ac_cc}_c_o=yes if test "x$CC" != xcc; then # Test first that cc exists at all. if { ac_try='cc -c conftest.$ac_ext >&5' - { (case "(($ac_try" in + { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; }; then ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5' rm -f conftest2.* - if { (case "(($ac_try" in + if { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - test -f conftest2.$ac_objext && { (case "(($ac_try" in + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && + test -f conftest2.$ac_objext && { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then # cc works too. : 
@@ -3743,23 +3951,22 @@ fi if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then - { $as_echo "$as_me:$LINENO: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } -cat >>confdefs.h <<\_ACEOF -#define NO_MINUS_C_MINUS_O 1 -_ACEOF +$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h fi # FIXME: we rely on the cache variable name because # there is no other way. set dummy $CC -ac_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'` -if eval "test \"`echo '$ac_cv_prog_cc_'${ac_cc}_c_o`\" != yes"; then +am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'` +eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o +if test "$am_t" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. @@ -3768,8 +3975,9 @@ CC="$am_aux_dir/compile $CC" fi + # Check whether --enable-static was given. -if test "${enable_static+set}" = set; then +if test "${enable_static+set}" = set; then : enableval=$enable_static; p=${PACKAGE-default} case $enableval in yes) enable_static=yes ;; @@ -3801,14 +4009,14 @@ case `pwd` in *\ * | *\ *) - { $as_echo "$as_me:$LINENO: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 $as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;; esac -macro_version='2.2.6' -macro_revision='1.3012' +macro_version='2.2.6b' +macro_revision='1.3017' 
@@ -3826,35 +4034,27 @@ # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || - { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 -$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 -{ $as_echo "$as_me:$LINENO: checking build system type" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } -if test "${ac_cv_build+set}" = set; then +if test "${ac_cv_build+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && - { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 -$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || - { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 -$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; -*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 -$as_echo "$as_me: error: invalid value of canonical build" >&2;} - { (exit 1); exit 1; }; };; +*) as_fn_error "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' 
@@ -3870,28 +4070,24 @@ case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac -{ $as_echo "$as_me:$LINENO: checking host system type" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } -if test "${ac_cv_host+set}" = set; then +if test "${ac_cv_host+set}" = set; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || - { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 -$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 fi fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; -*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 -$as_echo "$as_me: error: invalid value of canonical host" >&2;} - { (exit 1); exit 1; }; };; +*) as_fn_error "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' @@ -3907,9 +4103,9 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac -{ $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } -if test "${ac_cv_path_SED+set}" = set; then +if test "${ac_cv_path_SED+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ 
@@ -3917,7 +4113,7 @@ ac_script="$ac_script$as_nl$ac_script" done echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed - $as_unset ac_script || ac_script= + { ac_script=; unset ac_script;} if test -z "$SED"; then ac_path_SED_found=false # Loop through the user's path and test for each of PROGNAME-LIST @@ -3926,7 +4122,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in sed gsed; do + for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue @@ -3946,7 +4142,7 @@ $as_echo '' >> "conftest.nl" "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - ac_count=`expr $ac_count + 1` + as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_SED_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_SED="$ac_path_SED" @@ -3961,19 +4157,17 @@ $ac_path_SED_found && break 3 done done -done + done IFS=$as_save_IFS if test -z "$ac_cv_path_SED"; then - { { $as_echo "$as_me:$LINENO: error: no acceptable sed could be found in \$PATH" >&5 -$as_echo "$as_me: error: no acceptable sed could be found in \$PATH" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "no acceptable sed could be found in \$PATH" "$LINENO" 5 fi else ac_cv_path_SED=$SED fi fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_SED" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 $as_echo "$ac_cv_path_SED" >&6; } SED="$ac_cv_path_SED" rm -f conftest.sed 
@@ -3991,9 +4185,9 @@ -{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } -if test "${ac_cv_path_GREP+set}" = set; then +if test "${ac_cv_path_GREP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then @@ -4004,7 +4198,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in grep ggrep; do + for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue @@ -4024,7 +4218,7 @@ $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - ac_count=`expr $ac_count + 1` + as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" 
@@ -4039,26 +4233,24 @@ $ac_path_GREP_found && break 3 done done -done + done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then - { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 -$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" -{ $as_echo "$as_me:$LINENO: checking for egrep" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } -if test "${ac_cv_path_EGREP+set}" = set; then +if test "${ac_cv_path_EGREP+set}" = set; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 @@ -4072,7 +4264,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in egrep; do + for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue @@ -4092,7 +4284,7 @@ $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - ac_count=`expr $ac_count + 1` + as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" 
@@ -4107,12 +4299,10 @@ $ac_path_EGREP_found && break 3 done done -done + done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then - { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 -$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP @@ -4120,14 +4310,14 @@ fi fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" -{ $as_echo "$as_me:$LINENO: checking for fgrep" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5 $as_echo_n "checking for fgrep... " >&6; } -if test "${ac_cv_path_FGREP+set}" = set; then +if test "${ac_cv_path_FGREP+set}" = set; then : $as_echo_n "(cached) " >&6 else if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1 @@ -4141,7 +4331,7 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_prog in fgrep; do + for ac_prog in fgrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue @@ -4161,7 +4351,7 @@ $as_echo 'FGREP' >> "conftest.nl" "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - ac_count=`expr $ac_count + 1` + as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_FGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_FGREP="$ac_path_FGREP" 
@@ -4176,12 +4366,10 @@ $ac_path_FGREP_found && break 3 done done -done + done IFS=$as_save_IFS if test -z "$ac_cv_path_FGREP"; then - { { $as_echo "$as_me:$LINENO: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 -$as_echo "$as_me: error: no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_FGREP=$FGREP @@ -4189,7 +4377,7 @@ fi fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_FGREP" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_FGREP" >&5 $as_echo "$ac_cv_path_FGREP" >&6; } FGREP="$ac_cv_path_FGREP" @@ -4215,7 +4403,7 @@ # Check whether --with-gnu-ld was given. -if test "${with_gnu_ld+set}" = set; then +if test "${with_gnu_ld+set}" = set; then : withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes else with_gnu_ld=no @@ -4224,7 +4412,7 @@ ac_prog=ld if test "$GCC" = yes; then # Check if gcc -print-prog-name=ld gives a path. - { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by $CC" >&5 $as_echo_n "checking for ld used by $CC... " >&6; } case $host in *-*-mingw*) @@ -4254,13 +4442,13 @@ ;; esac elif test "$with_gnu_ld" = yes; then - { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5 $as_echo_n "checking for GNU ld... " >&6; } else - { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5 $as_echo_n "checking for non-GNU ld... " >&6; } fi -if test "${lt_cv_path_LD+set}" = set; then +if test "${lt_cv_path_LD+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -z "$LD"; then 
@@ -4291,18 +4479,16 @@ LD="$lt_cv_path_LD" if test -n "$LD"; then - { $as_echo "$as_me:$LINENO: result: $LD" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LD" >&5 $as_echo "$LD" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi -test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5 -$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;} - { (exit 1); exit 1; }; } -{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5 +test -z "$LD" && as_fn_error "no acceptable ld found in \$PATH" "$LINENO" 5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } -if test "${lt_cv_prog_gnu_ld+set}" = set; then +if test "${lt_cv_prog_gnu_ld+set}" = set; then : $as_echo_n "(cached) " >&6 else # I'd rather use --version here, but apparently some GNU lds only accept -v. @@ -4315,7 +4501,7 @@ ;; esac fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_gnu_ld" >&5 $as_echo "$lt_cv_prog_gnu_ld" >&6; } with_gnu_ld=$lt_cv_prog_gnu_ld @@ -4327,9 +4513,9 @@ -{ $as_echo "$as_me:$LINENO: checking for BSD- or MS-compatible name lister (nm)" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5 $as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; } -if test "${lt_cv_path_NM+set}" = set; then +if test "${lt_cv_path_NM+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$NM"; then @@ -4376,7 +4562,7 @@ : ${lt_cv_path_NM=no} fi fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_NM" >&5 $as_echo "$lt_cv_path_NM" >&6; } if test "$lt_cv_path_NM" != "no"; then NM="$lt_cv_path_NM" 
@@ -4387,9 +4573,9 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_DUMPBIN+set}" = set; then +if test "${ac_cv_prog_DUMPBIN+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$DUMPBIN"; then @@ -4400,24 +4586,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi DUMPBIN=$ac_cv_prog_DUMPBIN if test -n "$DUMPBIN"; then - { $as_echo "$as_me:$LINENO: result: $DUMPBIN" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DUMPBIN" >&5 $as_echo "$DUMPBIN" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -4431,9 +4617,9 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then +if test "${ac_cv_prog_ac_ct_DUMPBIN+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DUMPBIN"; then 
@@ -4444,24 +4630,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN if test -n "$ac_ct_DUMPBIN"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_DUMPBIN" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DUMPBIN" >&5 $as_echo "$ac_ct_DUMPBIN" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -4474,7 +4660,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -4494,44 +4680,44 @@ -{ $as_echo "$as_me:$LINENO: checking the name lister ($NM) interface" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5 $as_echo_n "checking the name lister ($NM) interface... " >&6; } -if test "${lt_cv_nm_interface+set}" = set; then +if test "${lt_cv_nm_interface+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:4504: $ac_compile\"" >&5) + (eval echo "\"\$as_me:4690: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:4507: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:4693: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:4510: output\"" >&5) + (eval echo "\"\$as_me:4696: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" fi rm -f conftest* fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_nm_interface" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_nm_interface" >&5 $as_echo "$lt_cv_nm_interface" >&6; } -{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 $as_echo_n "checking whether ln -s works... 
" >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then - { $as_echo "$as_me:$LINENO: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 $as_echo "no, using $LN_S" >&6; } fi # find the maximum length of command line arguments -{ $as_echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5 $as_echo_n "checking the maximum length of command line arguments... " >&6; } -if test "${lt_cv_sys_max_cmd_len+set}" = set; then +if test "${lt_cv_sys_max_cmd_len+set}" = set; then : $as_echo_n "(cached) " >&6 else i=0 @@ -4649,10 +4835,10 @@ fi if test -n $lt_cv_sys_max_cmd_len ; then - { $as_echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sys_max_cmd_len" >&5 $as_echo "$lt_cv_sys_max_cmd_len" >&6; } else - { $as_echo "$as_me:$LINENO: result: none" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5 $as_echo "none" >&6; } fi max_cmd_len=$lt_cv_sys_max_cmd_len @@ -4666,7 +4852,7 @@ : ${MV="mv -f"} : ${RM="rm -f"} -{ $as_echo "$as_me:$LINENO: checking whether the shell understands some XSI constructs" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands some XSI constructs" >&5 $as_echo_n "checking whether the shell understands some XSI constructs... " >&6; } # Try some XSI features xsi_shell=no 
@@ -4676,17 +4862,17 @@ && eval 'test $(( 1 + 1 )) -eq 2 \ && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ && xsi_shell=yes -{ $as_echo "$as_me:$LINENO: result: $xsi_shell" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $xsi_shell" >&5 $as_echo "$xsi_shell" >&6; } -{ $as_echo "$as_me:$LINENO: checking whether the shell understands \"+=\"" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the shell understands \"+=\"" >&5 $as_echo_n "checking whether the shell understands \"+=\"... " >&6; } lt_shell_append=no ( foo=bar; set foo baz; eval "$1+=\$2" && test "$foo" = barbaz ) \ >/dev/null 2>&1 \ && lt_shell_append=yes -{ $as_echo "$as_me:$LINENO: result: $lt_shell_append" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_shell_append" >&5 $as_echo "$lt_shell_append" >&6; } @@ -4721,14 +4907,14 @@ -{ $as_echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5 $as_echo_n "checking for $LD option to reload object files... " >&6; } -if test "${lt_cv_ld_reload_flag+set}" = set; then +if test "${lt_cv_ld_reload_flag+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_reload_flag='-r' fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_reload_flag" >&5 $as_echo "$lt_cv_ld_reload_flag" >&6; } reload_flag=$lt_cv_ld_reload_flag case $reload_flag in 
@@ -4757,9 +4943,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OBJDUMP+set}" = set; then +if test "${ac_cv_prog_OBJDUMP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$OBJDUMP"; then @@ -4770,24 +4956,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then - { $as_echo "$as_me:$LINENO: result: $OBJDUMP" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 $as_echo "$OBJDUMP" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -4797,9 +4983,9 @@ ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then +if test "${ac_cv_prog_ac_ct_OBJDUMP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OBJDUMP"; then 
@@ -4810,24 +4996,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OBJDUMP="objdump" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_OBJDUMP" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 $as_echo "$ac_ct_OBJDUMP" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -4836,7 +5022,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -4856,9 +5042,9 @@ -{ $as_echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5 $as_echo_n "checking how to recognize dependent libraries... " >&6; } -if test "${lt_cv_deplibs_check_method+set}" = set; then +if test "${lt_cv_deplibs_check_method+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_file_magic_cmd='$MAGIC_CMD' @@ -4973,7 +5159,7 @@ ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; 
@@ -5052,7 +5238,7 @@ esac fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5 $as_echo "$lt_cv_deplibs_check_method" >&6; } file_magic_cmd=$lt_cv_file_magic_cmd deplibs_check_method=$lt_cv_deplibs_check_method @@ -5072,9 +5258,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. set dummy ${ac_tool_prefix}ar; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_AR+set}" = set; then +if test "${ac_cv_prog_AR+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$AR"; then @@ -5085,24 +5271,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AR="${ac_tool_prefix}ar" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi AR=$ac_cv_prog_AR if test -n "$AR"; then - { $as_echo "$as_me:$LINENO: result: $AR" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 $as_echo "$AR" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -5112,9 +5298,9 @@ ac_ct_AR=$AR # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_AR+set}" = set; then +if test "${ac_cv_prog_ac_ct_AR+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_AR"; then @@ -5125,24 +5311,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_AR="ar" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_AR" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 $as_echo "$ac_ct_AR" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -5151,7 +5337,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -5177,9 +5363,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_STRIP+set}" = set; then +if test "${ac_cv_prog_STRIP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then @@ -5190,24 +5376,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then - { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -5217,9 +5403,9 @@ ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then 
@@ -5230,24 +5416,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -5256,7 +5442,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -5276,9 +5462,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_RANLIB+set}" = set; then +if test "${ac_cv_prog_RANLIB+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then 
@@ -5289,24 +5475,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then - { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 $as_echo "$RANLIB" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -5316,9 +5502,9 @@ ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then +if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then 
@@ -5329,24 +5515,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_RANLIB="ranlib" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 $as_echo "$ac_ct_RANLIB" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -5355,7 +5541,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -5433,9 +5619,9 @@ # Check for command to grab the raw symbol name followed by C symbol from nm. -{ $as_echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5 $as_echo_n "checking command to parse $NM output from $compiler object... " >&6; } -if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then +if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then : $as_echo_n "(cached) " >&6 else 
@@ -5551,18 +5737,18 @@ int main(){nm_test_var='a';nm_test_func();return(0);} _LT_EOF - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then # Now try to grab the symbols. nlist=conftest.nm - if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5 (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s "$nlist"; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" @@ -5615,11 +5801,11 @@ lt_save_CFLAGS="$CFLAGS" LIBS="conftstm.$ac_objext" CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag" - if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 (eval $ac_link) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext}; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s conftest${ac_exeext}; then pipe_works=yes fi LIBS="$lt_save_LIBS" 
@@ -5653,10 +5839,10 @@ lt_cv_sys_global_symbol_to_cdecl= fi if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then - { $as_echo "$as_me:$LINENO: result: failed" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 $as_echo "failed" >&6; } else - { $as_echo "$as_me:$LINENO: result: ok" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } fi @@ -5683,7 +5869,7 @@ # Check whether --enable-libtool-lock was given. -if test "${enable_libtool_lock+set}" = set; then +if test "${enable_libtool_lock+set}" = set; then : enableval=$enable_libtool_lock; fi @@ -5695,11 +5881,11 @@ ia64-*-hpux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then case `/usr/bin/file conftest.$ac_objext` in *ELF-32*) HPUX_IA64_MODE="32" @@ -5713,12 +5899,12 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 5716 "configure"' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + echo '#line 5902 "configure"' > conftest.$ac_ext + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then if test "$lt_cv_prog_gnu_ld" = yes; then case `/usr/bin/file conftest.$ac_objext` in *32-bit*) 
@@ -5752,11 +5938,11 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then case `/usr/bin/file conftest.o` in *32-bit*) case $host in @@ -5805,9 +5991,9 @@ # On SCO OpenServer 5, we need -belf to get full-featured binaries. SAVE_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS -belf" - { $as_echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5 $as_echo_n "checking whether the C compiler needs -belf... " >&6; } -if test "${lt_cv_cc_needs_belf+set}" = set; then +if test "${lt_cv_cc_needs_belf+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_ext=c @@ -5816,11 +6002,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -5831,38 +6013,13 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : lt_cv_cc_needs_belf=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - lt_cv_cc_needs_belf=no + lt_cv_cc_needs_belf=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' @@ -5870,7 +6027,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_cc_needs_belf" >&5 $as_echo "$lt_cv_cc_needs_belf" >&6; } if test x"$lt_cv_cc_needs_belf" != x"yes"; then # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf 
@@ -5880,11 +6037,11 @@ sparc*-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in @@ -5910,9 +6067,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args. set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_DSYMUTIL+set}" = set; then +if test "${ac_cv_prog_DSYMUTIL+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$DSYMUTIL"; then @@ -5923,24 +6080,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi DSYMUTIL=$ac_cv_prog_DSYMUTIL if test -n "$DSYMUTIL"; then - { $as_echo "$as_me:$LINENO: result: $DSYMUTIL" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DSYMUTIL" >&5 $as_echo "$DSYMUTIL" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi 
@@ -5950,9 +6107,9 @@ ac_ct_DSYMUTIL=$DSYMUTIL # Extract the first word of "dsymutil", so it can be a program name with args. set dummy dsymutil; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then +if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_DSYMUTIL"; then @@ -5963,24 +6120,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL if test -n "$ac_ct_DSYMUTIL"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DSYMUTIL" >&5 $as_echo "$ac_ct_DSYMUTIL" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -5989,7 +6146,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac 
@@ -6002,9 +6159,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args. set dummy ${ac_tool_prefix}nmedit; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_NMEDIT+set}" = set; then +if test "${ac_cv_prog_NMEDIT+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$NMEDIT"; then @@ -6015,24 +6172,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi NMEDIT=$ac_cv_prog_NMEDIT if test -n "$NMEDIT"; then - { $as_echo "$as_me:$LINENO: result: $NMEDIT" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NMEDIT" >&5 $as_echo "$NMEDIT" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6042,9 +6199,9 @@ ac_ct_NMEDIT=$NMEDIT # Extract the first word of "nmedit", so it can be a program name with args. set dummy nmedit; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then +if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_NMEDIT"; then 
@@ -6055,24 +6212,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_NMEDIT="nmedit" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT if test -n "$ac_ct_NMEDIT"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NMEDIT" >&5 $as_echo "$ac_ct_NMEDIT" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6081,7 +6238,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6094,9 +6251,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args. set dummy ${ac_tool_prefix}lipo; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_LIPO+set}" = set; then +if test "${ac_cv_prog_LIPO+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$LIPO"; then 
@@ -6107,24 +6264,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_LIPO="${ac_tool_prefix}lipo" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi LIPO=$ac_cv_prog_LIPO if test -n "$LIPO"; then - { $as_echo "$as_me:$LINENO: result: $LIPO" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIPO" >&5 $as_echo "$LIPO" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6134,9 +6291,9 @@ ac_ct_LIPO=$LIPO # Extract the first word of "lipo", so it can be a program name with args. set dummy lipo; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then +if test "${ac_cv_prog_ac_ct_LIPO+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_LIPO"; then 
@@ -6147,24 +6304,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_LIPO="lipo" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO if test -n "$ac_ct_LIPO"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_LIPO" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_LIPO" >&5 $as_echo "$ac_ct_LIPO" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6173,7 +6330,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6186,9 +6343,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args. set dummy ${ac_tool_prefix}otool; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OTOOL+set}" = set; then +if test "${ac_cv_prog_OTOOL+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$OTOOL"; then 
@@ -6199,24 +6356,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL="${ac_tool_prefix}otool" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi OTOOL=$ac_cv_prog_OTOOL if test -n "$OTOOL"; then - { $as_echo "$as_me:$LINENO: result: $OTOOL" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5 $as_echo "$OTOOL" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6226,9 +6383,9 @@ ac_ct_OTOOL=$OTOOL # Extract the first word of "otool", so it can be a program name with args. set dummy otool; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then +if test "${ac_cv_prog_ac_ct_OTOOL+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL"; then 
@@ -6239,24 +6396,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL="otool" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL if test -n "$ac_ct_OTOOL"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL" >&5 $as_echo "$ac_ct_OTOOL" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6265,7 +6422,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6278,9 +6435,9 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args. set dummy ${ac_tool_prefix}otool64; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_OTOOL64+set}" = set; then +if test "${ac_cv_prog_OTOOL64+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$OTOOL64"; then 
@@ -6291,24 +6448,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi OTOOL64=$ac_cv_prog_OTOOL64 if test -n "$OTOOL64"; then - { $as_echo "$as_me:$LINENO: result: $OTOOL64" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL64" >&5 $as_echo "$OTOOL64" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6318,9 +6475,9 @@ ac_ct_OTOOL64=$OTOOL64 # Extract the first word of "otool64", so it can be a program name with args. set dummy otool64; ac_word=$2 -{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then +if test "${ac_cv_prog_ac_ct_OTOOL64+set}" = set; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OTOOL64"; then 
@@ -6331,24 +6488,24 @@ do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do + for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL64="otool64" - $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done -done + done IFS=$as_save_IFS fi fi ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64 if test -n "$ac_ct_OTOOL64"; then - { $as_echo "$as_me:$LINENO: result: $ac_ct_OTOOL64" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL64" >&5 $as_echo "$ac_ct_OTOOL64" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -6357,7 +6514,7 @@ else case $cross_compiling:$ac_tool_warned in yes:) -{ $as_echo "$as_me:$LINENO: WARNING: using cross tools not prefixed with host triplet" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac @@ -6393,9 +6550,9 @@ - { $as_echo "$as_me:$LINENO: checking for -single_module linker flag" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5 $as_echo_n "checking for -single_module linker flag... " >&6; } -if test "${lt_cv_apple_cc_single_mod+set}" = set; then +if test "${lt_cv_apple_cc_single_mod+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_apple_cc_single_mod=no 
@@ -6420,22 +6577,18 @@ rm -f conftest.* fi fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5 $as_echo "$lt_cv_apple_cc_single_mod" >&6; } - { $as_echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } -if test "${lt_cv_ld_exported_symbols_list+set}" = set; then +if test "${lt_cv_ld_exported_symbols_list+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_ld_exported_symbols_list=no save_LDFLAGS=$LDFLAGS echo "_main" > conftest.sym LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -6446,42 +6599,17 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : lt_cv_ld_exported_symbols_list=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - lt_cv_ld_exported_symbols_list=no + lt_cv_ld_exported_symbols_list=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LDFLAGS="$save_LDFLAGS" fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; } case $host_os in rhapsody* | darwin1.[012]) 
@@ -6523,14 +6651,14 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then - if test "${ac_cv_prog_CPP+set}" = set; then + if test "${ac_cv_prog_CPP+set}" = set; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded @@ -6545,11 +6673,7 @@ # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include 
@@ -6558,78 +6682,34 @@ #endif Syntax error _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - : -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +if ac_fn_c_try_cpp "$LINENO"; then : +else # Broken: fails on valid input. continue fi - rm -f conftest.err conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then +if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Passes both tests. 
ac_preproc_ok=: break fi - rm -f conftest.err conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then +if $ac_preproc_ok; then : break fi @@ -6641,7 +6721,7 @@ else ac_cv_prog_CPP=$CPP fi -{ $as_echo "$as_me:$LINENO: result: $CPP" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes @@ -6652,11 +6732,7 @@ # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include 
@@ -6665,87 +6741,40 @@ #endif Syntax error _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then - : -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 +if ac_fn_c_try_cpp "$LINENO"; then : +else # Broken: fails on valid input. continue fi - rm -f conftest.err conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then +if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - # Passes both tests. 
ac_preproc_ok=: break fi - rm -f conftest.err conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.err conftest.$ac_ext -if $ac_preproc_ok; then - : +if $ac_preproc_ok; then : + else - { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -{ { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details." >&5 -$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details." >&2;} - { (exit 1); exit 1; }; }; } +as_fn_error "C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." "$LINENO" 5; } fi ac_ext=c @@ -6755,16 +6784,12 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } -if test "${ac_cv_header_stdc+set}" = set; then +if test "${ac_cv_header_stdc+set}" = set; then : $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include 
@@ -6779,48 +6804,23 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then +if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_header_stdc=no + ac_cv_header_stdc=no fi - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "memchr" >/dev/null 2>&1; then - : + $EGREP "memchr" >/dev/null 2>&1; then : + else ac_cv_header_stdc=no fi @@ -6830,18 +6830,14 @@ if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "free" >/dev/null 2>&1; then - : + $EGREP "free" >/dev/null 2>&1; then : + else ac_cv_header_stdc=no fi 
@@ -6851,14 +6847,10 @@ if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. - if test "$cross_compiling" = yes; then + if test "$cross_compiling" = yes; then : : else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include 
@@ -6881,122 +6873,38 @@ for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) - return 2; - return 0; -} -_ACEOF -rm -f conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - : -else - $as_echo "$as_me: program exited with status $ac_status" >&5 -$as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -( exit $ac_status ) -ac_cv_header_stdc=no -fi -rm -rf conftest.dSYM -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext -fi - - -fi -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 -$as_echo "$ac_cv_header_stdc" >&6; } -if test $ac_cv_header_stdc = yes; then - -cat >>confdefs.h <<\_ACEOF -#define STDC_HEADERS 1 -_ACEOF - -fi - -# On IRIX 5.3, sys/types and inttypes.h are conflicting. - - - - - - - - - -for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ - inttypes.h stdint.h unistd.h -do -as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 -$as_echo_n "checking for $ac_header... " >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default - -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - eval "$as_ac_Header=yes" + return 2; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + ac_cv_header_stdc=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi - eval "$as_ac_Header=no" fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 +$as_echo "$ac_cv_header_stdc" >&6; } +if test $ac_cv_header_stdc = yes; then + +$as_echo "#define STDC_HEADERS 1" >>confdefs.h -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -ac_res=`eval 'as_val=${'$as_ac_Header'} - $as_echo "$as_val"'` - { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -as_val=`eval 'as_val=${'$as_ac_Header'} - $as_echo "$as_val"'` - if test "x$as_val" = x""yes; then + +# On IRIX 5.3, sys/types and inttypes.h are conflicting. 
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ + inttypes.h stdint.h unistd.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default +" +eval as_val=\$$as_ac_Header + if test "x$as_val" = x""yes; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF 
@@ -7006,62 +6914,13 @@ done - for ac_header in dlfcn.h -do -as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 -$as_echo_n "checking for $ac_header... " >&6; } -if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default - -#include <$ac_header> -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then - eval "$as_ac_Header=yes" -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - eval "$as_ac_Header=no" -fi - -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -ac_res=`eval 'as_val=${'$as_ac_Header'} - $as_echo "$as_val"'` - { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -as_val=`eval 'as_val=${'$as_ac_Header'} - $as_echo "$as_val"'` - if test "x$as_val" = x""yes; then +do : + ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default +" +if test "x$ac_cv_header_dlfcn_h" = x""yes; then : cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +#define HAVE_DLFCN_H 1 _ACEOF fi 
@@ -7081,7 +6940,7 @@ # Check whether --enable-shared was given. -if test "${enable_shared+set}" = set; then +if test "${enable_shared+set}" = set; then : enableval=$enable_shared; p=${PACKAGE-default} case $enableval in yes) enable_shared=yes ;; @@ -7114,7 +6973,7 @@ # Check whether --with-pic was given. -if test "${with_pic+set}" = set; then +if test "${with_pic+set}" = set; then : withval=$with_pic; pic_mode="$withval" else pic_mode=default @@ -7130,7 +6989,7 @@ # Check whether --enable-fast-install was given. -if test "${enable_fast_install+set}" = set; then +if test "${enable_fast_install+set}" = set; then : enableval=$enable_fast_install; p=${PACKAGE-default} case $enableval in yes) enable_fast_install=yes ;; @@ -7211,9 +7070,9 @@ setopt NO_GLOB_SUBST fi -{ $as_echo "$as_me:$LINENO: checking for objdir" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5 $as_echo_n "checking for objdir... " >&6; } -if test "${lt_cv_objdir+set}" = set; then +if test "${lt_cv_objdir+set}" = set; then : $as_echo_n "(cached) " >&6 else rm -f .libs 2>/dev/null @@ -7226,7 +7085,7 @@ fi rmdir .libs 2>/dev/null fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5 $as_echo "$lt_cv_objdir" >&6; } objdir=$lt_cv_objdir @@ -7319,9 +7178,9 @@ case $deplibs_check_method in file_magic*) if test "$file_magic_cmd" = '$MAGIC_CMD'; then - { $as_echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5 $as_echo_n "checking for ${ac_tool_prefix}file... " >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then +if test "${lt_cv_path_MAGIC_CMD+set}" = set; then : $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in 
@@ -7372,10 +7231,10 @@ MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then - { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 $as_echo "$MAGIC_CMD" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -7385,9 +7244,9 @@ if test -z "$lt_cv_path_MAGIC_CMD"; then if test -n "$ac_tool_prefix"; then - { $as_echo "$as_me:$LINENO: checking for file" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5 $as_echo_n "checking for file... " >&6; } -if test "${lt_cv_path_MAGIC_CMD+set}" = set; then +if test "${lt_cv_path_MAGIC_CMD+set}" = set; then : $as_echo_n "(cached) " >&6 else case $MAGIC_CMD in @@ -7438,10 +7297,10 @@ MAGIC_CMD="$lt_cv_path_MAGIC_CMD" if test -n "$MAGIC_CMD"; then - { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 $as_echo "$MAGIC_CMD" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi @@ -7522,9 +7381,9 @@ if test "$GCC" = yes; then lt_prog_compiler_no_builtin_flag=' -fno-builtin' - { $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } -if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then +if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_rtti_exceptions=no 
@@ -7540,11 +7399,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7543: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7402: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7547: \$? = $ac_status" >&5 + echo "$as_me:7406: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7557,7 +7416,7 @@ $RM conftest* fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 $as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; } if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then @@ -7577,7 +7436,7 @@ lt_prog_compiler_pic= lt_prog_compiler_static= -{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5 $as_echo_n "checking for $compiler option to produce PIC... " >&6; } if test "$GCC" = yes; then @@ -7709,7 +7568,7 @@ lt_prog_compiler_static='-non_shared' ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -7849,7 +7708,7 @@ lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" ;; esac -{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5 $as_echo "$lt_prog_compiler_pic" >&6; } 
@@ -7861,9 +7720,9 @@ # Check to make sure the PIC flag actually works. # if test -n "$lt_prog_compiler_pic"; then - { $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 $as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; } -if test "${lt_cv_prog_compiler_pic_works+set}" = set; then +if test "${lt_cv_prog_compiler_pic_works+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_pic_works=no @@ -7879,11 +7738,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7882: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7741: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7886: \$? = $ac_status" >&5 + echo "$as_me:7745: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7896,7 +7755,7 @@ $RM conftest* fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic_works" >&5 $as_echo "$lt_cv_prog_compiler_pic_works" >&6; } if test x"$lt_cv_prog_compiler_pic_works" = xyes; then 
@@ -7920,9 +7779,9 @@ # Check to make sure the static flag actually works. # wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" -{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5 $as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; } -if test "${lt_cv_prog_compiler_static_works+set}" = set; then +if test "${lt_cv_prog_compiler_static_works+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_static_works=no @@ -7948,7 +7807,7 @@ LDFLAGS="$save_LDFLAGS" fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_static_works" >&5 $as_echo "$lt_cv_prog_compiler_static_works" >&6; } if test x"$lt_cv_prog_compiler_static_works" = xyes; then @@ -7963,9 +7822,9 @@ - { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then +if test "${lt_cv_prog_compiler_c_o+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no @@ -7984,11 +7843,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7987: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7846: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7991: \$? = $ac_status" >&5 + echo "$as_me:7850: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -8010,7 +7869,7 @@ $RM conftest* fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 $as_echo "$lt_cv_prog_compiler_c_o" >&6; } @@ -8018,9 +7877,9 @@ - { $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 $as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } -if test "${lt_cv_prog_compiler_c_o+set}" = set; then +if test "${lt_cv_prog_compiler_c_o+set}" = set; then : $as_echo_n "(cached) " >&6 else lt_cv_prog_compiler_c_o=no @@ -8039,11 +7898,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8042: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7901: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8046: \$? = $ac_status" >&5 + echo "$as_me:7905: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -8065,7 +7924,7 @@ $RM conftest* fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 $as_echo "$lt_cv_prog_compiler_c_o" >&6; } @@ -8074,7 +7933,7 @@ hard_links="nottested" if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then # do not overwrite the value of need_locks provided by the user - { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we can lock with hard links" >&5 $as_echo_n "checking if we can lock with hard links... " >&6; } hard_links=yes $RM conftest* 
@@ -8082,10 +7941,10 @@ touch conftest.a ln conftest.a conftest.b 2>&5 || hard_links=no ln conftest.a conftest.b 2>/dev/null && hard_links=no - { $as_echo "$as_me:$LINENO: result: $hard_links" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hard_links" >&5 $as_echo "$hard_links" >&6; } if test "$hard_links" = no; then - { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5 $as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;} need_locks=warn fi @@ -8098,7 +7957,7 @@ - { $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $compiler linker ($LD) supports shared libraries" >&5 $as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; } runpath_var= @@ -8182,6 +8041,7 @@ fi supports_anon_versioning=no case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... @@ -8273,7 +8133,7 @@ archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; - gnu* | linux* | tpf* | k*bsd*-gnu) + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) tmp_diet=no if test "$host_os" = linux-dietlibc; then case $cc_basename in 
@@ -8544,11 +8404,7 @@ allow_undefined_flag='-berok' # Determine the default libpath from the value encoded in an # empty executable. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -8559,27 +8415,7 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : lt_aix_libpath_sed=' /Import File Strings/,/^$/ { @@ -8593,16 +8429,9 @@ if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" 
@@ -8615,11 +8444,7 @@ else # Determine the default libpath from the value encoded in an # empty executable. - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -8630,27 +8455,7 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : lt_aix_libpath_sed=' /Import File Strings/,/^$/ { @@ -8664,16 +8469,9 @@ if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` fi -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" 
@@ -8885,42 +8683,16 @@ # implicitly export all symbols. save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" - cat >conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ int foo(void) {} _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LDFLAGS="$save_LDFLAGS" else archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' 
@@ -9176,7 +8948,7 @@ fi fi -{ $as_echo "$as_me:$LINENO: result: $ld_shlibs" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ld_shlibs" >&5 $as_echo "$ld_shlibs" >&6; } test "$ld_shlibs" = no && can_build_shared=no @@ -9213,16 +8985,16 @@ # Test whether the compiler implicitly links with -lc since on some # systems, -lgcc has to come before -lc. If gcc already passes -lc # to ld, don't add -lc before -lgcc. - { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; } $RM conftest* echo "$lt_simple_compile_test_code" > conftest.$ac_ext - if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } 2>conftest.err; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } 2>conftest.err; then soname=conftest lib=conftest libobjs=conftest.$ac_objext @@ -9236,11 +9008,11 @@ libname=conftest lt_save_allow_undefined_flag=$allow_undefined_flag allow_undefined_flag= - if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5 (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } then archive_cmds_need_lc=no else 
@@ -9251,7 +9023,7 @@ cat conftest.err 1>&5 fi $RM conftest* - { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5 $as_echo "$archive_cmds_need_lc" >&6; } ;; esac @@ -9415,7 +9187,7 @@ - { $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5 $as_echo_n "checking dynamic linker characteristics... " >&6; } if test "$GCC" = yes; then @@ -9823,7 +9595,7 @@ ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) version_type=linux need_lib_prefix=no need_version=no @@ -9837,11 +9609,7 @@ save_libdir=$libdir eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -9852,41 +9620,13 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then - if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then +if ac_fn_c_try_link "$LINENO"; then : + if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then : shlibpath_overrides_runpath=yes fi - -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LDFLAGS=$save_LDFLAGS libdir=$save_libdir @@ -10110,7 +9850,7 @@ dynamic_linker=no ;; esac -{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $dynamic_linker" >&5 $as_echo "$dynamic_linker" >&6; } test "$dynamic_linker" = no && can_build_shared=no @@ -10212,7 +9952,7 @@ - { $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5 $as_echo_n "checking how to hardcode library paths into programs... " >&6; } hardcode_action= if test -n "$hardcode_libdir_flag_spec" || 
@@ -10237,7 +9977,7 @@ # directories. hardcode_action=unsupported fi -{ $as_echo "$as_me:$LINENO: result: $hardcode_action" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $hardcode_action" >&5 $as_echo "$hardcode_action" >&6; } if test "$hardcode_action" = relink || @@ -10282,18 +10022,14 @@ darwin*) # if libdl is installed we need to link against it - { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then +if test "${ac_cv_lib_dl_dlopen+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -10311,43 +10047,18 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dl_dlopen=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_dl_dlopen=no + ac_cv_lib_dl_dlopen=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = x""yes; then +if test "x$ac_cv_lib_dl_dlopen" = x""yes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else 
@@ -10360,262 +10071,61 @@ ;; *) - { $as_echo "$as_me:$LINENO: checking for shl_load" >&5 -$as_echo_n "checking for shl_load... " >&6; } -if test "${ac_cv_func_shl_load+set}" = set; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -/* Define shl_load to an innocuous variant, in case declares shl_load. - For example, HP-UX 11i declares gettimeofday. */ -#define shl_load innocuous_shl_load - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char shl_load (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef shl_load - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_shl_load || defined __stub___shl_load -choke me -#endif - -int -main () -{ -return shl_load (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then - ac_cv_func_shl_load=yes -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_func_shl_load=no -fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5 -$as_echo "$ac_cv_func_shl_load" >&6; } -if test "x$ac_cv_func_shl_load" = x""yes; then + ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load" +if test "x$ac_cv_func_shl_load" = x""yes; then : lt_cv_dlopen="shl_load" else - { $as_echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 $as_echo_n "checking for shl_load in -ldld... " >&6; } -if test "${ac_cv_lib_dld_shl_load+set}" = set; then +if test "${ac_cv_lib_dld_shl_load+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char shl_load (); -int -main () -{ -return shl_load (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then - ac_cv_lib_dld_shl_load=yes -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_dld_shl_load=no -fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5 -$as_echo "$ac_cv_lib_dld_shl_load" >&6; } -if test "x$ac_cv_lib_dld_shl_load" = x""yes; then - lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" -else - { $as_echo "$as_me:$LINENO: checking for dlopen" >&5 -$as_echo_n "checking for dlopen... " >&6; } -if test "${ac_cv_func_dlopen+set}" = set; then - $as_echo_n "(cached) " >&6 -else - cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -/* Define dlopen to an innocuous variant, in case declares dlopen. - For example, HP-UX 11i declares gettimeofday. */ -#define dlopen innocuous_dlopen - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char dlopen (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef dlopen /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus -extern "C" -#endif -char dlopen (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined __stub_dlopen || defined __stub___dlopen -choke me +extern "C" #endif - +char shl_load (); int main () { -return dlopen (); +return shl_load (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then - ac_cv_func_dlopen=yes +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dld_shl_load=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_func_dlopen=no + ac_cv_lib_dld_shl_load=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5 -$as_echo "$ac_cv_func_dlopen" >&6; } -if test "x$ac_cv_func_dlopen" = x""yes; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 +$as_echo "$ac_cv_lib_dld_shl_load" >&6; } +if test "x$ac_cv_lib_dld_shl_load" = x""yes; then : + lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld" +else + ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen" +if test "x$ac_cv_func_dlopen" = x""yes; then : lt_cv_dlopen="dlopen" else - { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in 
-ldl... " >&6; } -if test "${ac_cv_lib_dl_dlopen+set}" = set; then +if test "${ac_cv_lib_dl_dlopen+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -10633,57 +10143,28 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dl_dlopen=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_dl_dlopen=no + ac_cv_lib_dl_dlopen=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = x""yes; then +if test "x$ac_cv_lib_dl_dlopen" = x""yes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl" else - { $as_echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5 $as_echo_n "checking for dlopen in -lsvld... " >&6; } -if test "${ac_cv_lib_svld_dlopen+set}" = set; then +if test "${ac_cv_lib_svld_dlopen+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsvld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. 
@@ -10701,57 +10182,28 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_svld_dlopen=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_svld_dlopen=no + ac_cv_lib_svld_dlopen=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5 $as_echo "$ac_cv_lib_svld_dlopen" >&6; } -if test "x$ac_cv_lib_svld_dlopen" = x""yes; then +if test "x$ac_cv_lib_svld_dlopen" = x""yes; then : lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" else - { $as_echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5 $as_echo_n "checking for dld_link in -ldld... " >&6; } -if test "${ac_cv_lib_dld_dld_link+set}" = set; then +if test "${ac_cv_lib_dld_dld_link+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldld $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. 
*/ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. @@ -10769,43 +10221,18 @@ return 0; } _ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - $as_test_x conftest$ac_exeext - }; then +if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dld_dld_link=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_dld_dld_link=no + ac_cv_lib_dld_dld_link=no fi - -rm -rf conftest.dSYM -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5 $as_echo "$ac_cv_lib_dld_dld_link" >&6; } -if test "x$ac_cv_lib_dld_dld_link" = x""yes; then +if test "x$ac_cv_lib_dld_dld_link" = x""yes; then : lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld" fi 
@@ -10844,9 +10271,9 @@ save_LIBS="$LIBS" LIBS="$lt_cv_dlopen_libs $LIBS" - { $as_echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5 $as_echo_n "checking whether a program can dlopen itself... " >&6; } -if test "${lt_cv_dlopen_self+set}" = set; then +if test "${lt_cv_dlopen_self+set}" = set; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : @@ -10855,7 +10282,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10858 "configure" +#line 10285 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10914,11 +10341,11 @@ return status; } _LT_EOF - if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 (eval $ac_link) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then (./conftest; exit; ) >&5 2>/dev/null lt_status=$? case x$lt_status in 
@@ -10935,14 +10362,14 @@ fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self" >&5 $as_echo "$lt_cv_dlopen_self" >&6; } if test "x$lt_cv_dlopen_self" = xyes; then wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" - { $as_echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5 $as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; } -if test "${lt_cv_dlopen_self_static+set}" = set; then +if test "${lt_cv_dlopen_self_static+set}" = set; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : @@ -10951,7 +10378,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10954 "configure" +#line 10381 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11010,11 +10437,11 @@ return status; } _LT_EOF - if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 (eval $ac_link) 2>&5 ac_status=$? - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s conftest${ac_exeext} 2>/dev/null; then (./conftest; exit; ) >&5 2>/dev/null lt_status=$? case x$lt_status in @@ -11031,7 +10458,7 @@ fi -{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self_static" >&5 $as_echo "$lt_cv_dlopen_self_static" >&6; } fi 
@@ -11070,12 +10497,12 @@ striplib= old_striplib= -{ $as_echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stripping libraries is possible" >&5 $as_echo_n "checking whether stripping libraries is possible... " >&6; } if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" test -z "$striplib" && striplib="$STRIP --strip-unneeded" - { $as_echo "$as_me:$LINENO: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else # FIXME - insert some real tests, host_os isn't really good enough @@ -11084,15 +10511,15 @@ if test -n "$STRIP" ; then striplib="$STRIP -x" old_striplib="$STRIP -S" - { $as_echo "$as_me:$LINENO: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi ;; *) - { $as_echo "$as_me:$LINENO: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } ;; esac @@ -11110,12 +10537,12 @@ # Report which library types will actually be built - { $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libtool supports shared libraries" >&5 $as_echo_n "checking if libtool supports shared libraries... " >&6; } - { $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $can_build_shared" >&5 $as_echo "$can_build_shared" >&6; } - { $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build shared libraries" >&5 $as_echo_n "checking whether to build shared libraries... " >&6; } test "$can_build_shared" = "no" && enable_shared=no 
@@ -11136,14 +10563,14 @@ fi ;; esac - { $as_echo "$as_me:$LINENO: result: $enable_shared" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_shared" >&5 $as_echo "$enable_shared" >&6; } - { $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build static libraries" >&5 $as_echo_n "checking whether to build static libraries... " >&6; } # Make sure either enable_shared or enable_static is yes. test "$enable_shared" = yes || enable_static=yes - { $as_echo "$as_me:$LINENO: result: $enable_static" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_static" >&5 $as_echo "$enable_static" >&6; } 
@@ -11181,204 +10608,139 @@ # Check whether --with-kernel was given. -if test "${with_kernel+set}" = set; then +if test "${with_kernel+set}" = set; then : withval=$with_kernel; kbuilddir="$withval"; ksourcedir="$withval"; fi # Check whether --with-kbuild was given. -if test "${with_kbuild+set}" = set; then +if test "${with_kbuild+set}" = set; then : withval=$with_kbuild; kbuilddir="$withval" fi # Check whether --with-ksource was given. -if test "${with_ksource+set}" = set; then +if test "${with_ksource+set}" = set; then : withval=$with_ksource; ksourcedir="$withval" fi # Check whether --with-xtlibdir was given. -if test "${with_xtlibdir+set}" = set; then +if test "${with_xtlibdir+set}" = set; then : withval=$with_xtlibdir; xtlibdir="$withval" else xtlibdir="${libexecdir}/xtables" fi # Check whether --enable-ipv4 was given. -if test "${enable_ipv4+set}" = set; then +if test "${enable_ipv4+set}" = set; then : enableval=$enable_ipv4; enable_ipv4="$enableval" else enable_ipv4="yes" fi # Check whether --enable-ipv6 was given. -if test "${enable_ipv6+set}" = set; then +if test "${enable_ipv6+set}" = set; then : enableval=$enable_ipv6; enable_ipv6="$enableval" else enable_ipv6="yes" fi +# Check whether --enable-largefile was given. +if test "${enable_largefile+set}" = set; then : + enableval=$enable_largefile; enable_largefile="$enableval" +else + enable_largefile="yes"; + largefile_cflags='-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64' +fi + # Check whether --enable-devel was given. -if test "${enable_devel+set}" = set; then +if test "${enable_devel+set}" = set; then : enableval=$enable_devel; enable_devel="$enableval" else enable_devel="yes" fi # Check whether --enable-libipq was given. -if test "${enable_libipq+set}" = set; then +if test "${enable_libipq+set}" = set; then : enableval=$enable_libipq; fi # Check whether --with-pkgconfigdir was given. 
-if test "${with_pkgconfigdir+set}" = set; then +if test "${with_pkgconfigdir+set}" = set; then : withval=$with_pkgconfigdir; pkgconfigdir="$withval" else pkgconfigdir='${libdir}/pkgconfig' fi -if test "${ac_cv_header_linux_dccp_h+set}" = set; then - { $as_echo "$as_me:$LINENO: checking for linux/dccp.h" >&5 -$as_echo_n "checking for linux/dccp.h... " >&6; } -if test "${ac_cv_header_linux_dccp_h+set}" = set; then +libiptc_LDFLAGS2=""; +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--no-as-needed" >&5 +$as_echo_n "checking whether the linker accepts -Wl,--no-as-needed... " >&6; } +if test "${ax_cv_linker_flags__Wl___no_as_needed+set}" = set; then : $as_echo_n "(cached) " >&6 -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_linux_dccp_h" >&5 -$as_echo "$ac_cv_header_linux_dccp_h" >&6; } -else - # Is the header compilable? -{ $as_echo "$as_me:$LINENO: checking linux/dccp.h usability" >&5 -$as_echo_n "checking linux/dccp.h usability... " >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -$ac_includes_default -#include -_ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest.$ac_objext; then - ac_header_compiler=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - ac_header_compiler=no -fi + ax_save_FLAGS=$LDFLAGS + LDFLAGS="-Wl,--no-as-needed" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -$as_echo "$ac_header_compiler" >&6; } +int +main () +{ -# Is the header present? -{ $as_echo "$as_me:$LINENO: checking linux/dccp.h presence" >&5 -$as_echo_n "checking linux/dccp.h presence... " >&6; } -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ -#include + ; + return 0; +} _ACEOF -if { (ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" -$as_echo "$ac_try_echo") >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } >/dev/null && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! 
-s conftest.err - }; then - ac_header_preproc=yes +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_linker_flags__Wl___no_as_needed=yes else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 + ax_cv_linker_flags__Wl___no_as_needed=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_save_FLAGS +fi - ac_header_preproc=no +eval ax_check_linker_flags=$ax_cv_linker_flags__Wl___no_as_needed +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_check_linker_flags" >&5 +$as_echo "$ax_check_linker_flags" >&6; } +if test "x$ax_check_linker_flags" = xyes; then + libiptc_LDFLAGS2="-Wl,--no-as-needed" +else + : fi -rm -f conftest.err conftest.$ac_ext -{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -$as_echo "$ac_header_preproc" >&6; } -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in - yes:no: ) - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: accepted by the compiler, rejected by the preprocessor!" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: accepted by the compiler, rejected by the preprocessor!" >&2;} - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: proceeding with the compiler's result" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: proceeding with the compiler's result" >&2;} - ac_header_preproc=yes - ;; - no:yes:* ) - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: present but cannot be compiled" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: present but cannot be compiled" >&2;} - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: check for missing prerequisite headers?" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: check for missing prerequisite headers?" 
>&2;} - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: see the Autoconf documentation" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: see the Autoconf documentation" >&2;} - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: section \"Present But Cannot Be Compiled\"" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: section \"Present But Cannot Be Compiled\"" >&2;} - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: proceeding with the preprocessor's result" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: proceeding with the preprocessor's result" >&2;} - { $as_echo "$as_me:$LINENO: WARNING: linux/dccp.h: in the future, the compiler will take precedence" >&5 -$as_echo "$as_me: WARNING: linux/dccp.h: in the future, the compiler will take precedence" >&2;} - ;; -esac -{ $as_echo "$as_me:$LINENO: checking for linux/dccp.h" >&5 -$as_echo_n "checking for linux/dccp.h... " >&6; } -if test "${ac_cv_header_linux_dccp_h+set}" = set; then - $as_echo_n "(cached) " >&6 -else - ac_cv_header_linux_dccp_h=$ac_header_preproc -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_linux_dccp_h" >&5 -$as_echo "$ac_cv_header_linux_dccp_h" >&6; } +blacklist_modules=""; -fi +ac_fn_c_check_header_mongrel "$LINENO" "linux/dccp.h" "ac_cv_header_linux_dccp_h" "$ac_includes_default" +if test "x$ac_cv_header_linux_dccp_h" = x""yes; then : +fi -blacklist_modules=""; if test "$ac_cv_header_linux_dccp_h" != "yes"; then blacklist_modules="$blacklist_modules dccp"; fi; +ac_fn_c_check_header_mongrel "$LINENO" "linux/ip_vs.h" "ac_cv_header_linux_ip_vs_h" "$ac_includes_default" +if test "x$ac_cv_header_linux_ip_vs_h" = x""yes; then : + +fi + + +if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then + blacklist_modules="$blacklist_modules ipvs"; +fi; -if test "$enable_static" = "yes"; then + if test "$enable_static" = "yes"; then ENABLE_STATIC_TRUE= ENABLE_STATIC_FALSE='#' else 
@@ -11386,9 +10748,7 @@ ENABLE_STATIC_FALSE= fi - - -if test "$enable_shared" = "yes"; then + if test "$enable_shared" = "yes"; then ENABLE_SHARED_TRUE= ENABLE_SHARED_FALSE='#' else @@ -11396,9 +10756,7 @@ ENABLE_SHARED_FALSE= fi - - -if test "$enable_ipv4" = "yes"; then + if test "$enable_ipv4" = "yes"; then ENABLE_IPV4_TRUE= ENABLE_IPV4_FALSE='#' else 
@@ -11406,38 +10764,237 @@ ENABLE_IPV4_FALSE= fi + if test "$enable_ipv6" = "yes"; then + ENABLE_IPV6_TRUE= + ENABLE_IPV6_FALSE='#' +else + ENABLE_IPV6_TRUE='#' + ENABLE_IPV6_FALSE= +fi + + if test "$enable_largefile" = "yes"; then + ENABLE_LARGEFILE_TRUE= + ENABLE_LARGEFILE_FALSE='#' +else + ENABLE_LARGEFILE_TRUE='#' + ENABLE_LARGEFILE_FALSE= +fi + + if test "$enable_devel" = "yes"; then + ENABLE_DEVEL_TRUE= + ENABLE_DEVEL_FALSE='#' +else + ENABLE_DEVEL_TRUE='#' + ENABLE_DEVEL_FALSE= +fi + + if test "$enable_libipq" = "yes"; then + ENABLE_LIBIPQ_TRUE= + ENABLE_LIBIPQ_FALSE='#' +else + ENABLE_LIBIPQ_TRUE='#' + ENABLE_LIBIPQ_FALSE= +fi + + + + + + + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_path_PKG_CONFIG+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi +else + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" +fi + +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi +fi + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5 +$as_echo_n "checking for libnfnetlink... 
" >&6; } + +if test -n "$libnfnetlink_CFLAGS"; then + pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$libnfnetlink_LIBS"; then + pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + -if test "$enable_ipv6" = "yes"; then - ENABLE_IPV6_TRUE= - ENABLE_IPV6_FALSE='#' +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes else - ENABLE_IPV6_TRUE='#' - ENABLE_IPV6_FALSE= + _pkg_short_errors_supported=no fi + if test $_pkg_short_errors_supported = yes; then + libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1` + else + libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$libnfnetlink_PKG_ERRORS" >&5 - - -if test "$enable_devel" = "yes"; then - ENABLE_DEVEL_TRUE= - ENABLE_DEVEL_FALSE='#' + 
nfnetlink=0 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + nfnetlink=0 else - ENABLE_DEVEL_TRUE='#' - ENABLE_DEVEL_FALSE= + libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS + libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + nfnetlink=1 fi - - - -if test "$enable_libipq" = "yes"; then - ENABLE_LIBIPQ_TRUE= - ENABLE_LIBIPQ_FALSE='#' + if test "$nfnetlink" = 1; then + HAVE_LIBNFNETLINK_TRUE= + HAVE_LIBNFNETLINK_FALSE='#' else - ENABLE_LIBIPQ_TRUE='#' - ENABLE_LIBIPQ_FALSE= + HAVE_LIBNFNETLINK_TRUE='#' + HAVE_LIBNFNETLINK_FALSE= fi -regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \ +regular_CFLAGS="${largefile_cflags} \ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \ -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ -Winline -pipe \ @@ -11449,6 +11006,8 @@ if [ -n "$ksourcedir" ]; then kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include"; fi; +pkgdatadir='${datadir}/xtables'; + @@ -11461,7 +11020,7 @@ libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); -ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile libipq/Makefile include/xtables.h include/iptables/internal.h libiptc.pc xtables.pc" +ac_config_files="$ac_config_files Makefile extensions/GNUmakefile include/Makefile libipq/Makefile utils/Makefile include/xtables.h include/iptables/internal.h libiptc.pc xtables.pc" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -11490,13 +11049,13 @@ case $ac_val in #( *${as_nl}*) case $ac_var in #( - *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: cache variable $ac_var contains a newline" >&5 + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) $as_unset $ac_var ;; + *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done @@ -11504,8 +11063,8 @@ (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) - # `set' does not quote correctly, so add quotes (double-quote - # substitution turns \\\\ into \\, and sed turns \\ into \). + # `set' does not quote correctly, so add quotes: double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" @@ -11528,11 +11087,11 @@ if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then test "x$cache_file" != "x/dev/null" && - { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} cat confcache >$cache_file else - { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi 
@@ -11552,78 +11111,71 @@ ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. - ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" - ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' + as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" + as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs + if test -n "$EXEEXT"; then + am__EXEEXT_TRUE= + am__EXEEXT_FALSE='#' +else + am__EXEEXT_TRUE='#' + am__EXEEXT_FALSE= +fi + if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"AMDEP\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_STATIC_TRUE}" && test -z "${ENABLE_STATIC_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_STATIC\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"ENABLE_STATIC\" was never defined. 
-Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"ENABLE_STATIC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_SHARED_TRUE}" && test -z "${ENABLE_SHARED_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_SHARED\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"ENABLE_SHARED\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"ENABLE_SHARED\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_IPV4_TRUE}" && test -z "${ENABLE_IPV4_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_IPV4\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"ENABLE_IPV4\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"ENABLE_IPV4\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_IPV6_TRUE}" && test -z "${ENABLE_IPV6_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_IPV6\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"ENABLE_IPV6\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"ENABLE_IPV6\" was never defined. +Usually this means the macro was only invoked conditionally." 
"$LINENO" 5 +fi +if test -z "${ENABLE_LARGEFILE_TRUE}" && test -z "${ENABLE_LARGEFILE_FALSE}"; then + as_fn_error "conditional \"ENABLE_LARGEFILE\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_DEVEL_TRUE}" && test -z "${ENABLE_DEVEL_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_DEVEL\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"ENABLE_DEVEL\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"ENABLE_DEVEL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_LIBIPQ_TRUE}" && test -z "${ENABLE_LIBIPQ_FALSE}"; then - { { $as_echo "$as_me:$LINENO: error: conditional \"ENABLE_LIBIPQ\" was never defined. -Usually this means the macro was only invoked conditionally." >&5 -$as_echo "$as_me: error: conditional \"ENABLE_LIBIPQ\" was never defined. -Usually this means the macro was only invoked conditionally." >&2;} - { (exit 1); exit 1; }; } + as_fn_error "conditional \"ENABLE_LIBIPQ\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_LIBNFNETLINK_TRUE}" && test -z "${HAVE_LIBNFNETLINK_FALSE}"; then + as_fn_error "conditional \"HAVE_LIBNFNETLINK\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi : ${CONFIG_STATUS=./config.status} ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} -cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +as_write_fail=0 +cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! 
$SHELL # Generated by $as_me. # Run this file to recreate the current configuration. @@ -11633,17 +11185,18 @@ debug=false ac_cs_recheck=false ac_cs_silent=false -SHELL=\${CONFIG_SHELL-$SHELL} -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -## --------------------- ## -## M4sh Initialization. ## -## --------------------- ## +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which @@ -11651,23 +11204,15 @@ alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else - case `(set -o) 2>/dev/null` in - *posix*) set -o posix ;; + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; esac - fi - - -# PATH needs CR -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - as_nl=' ' export as_nl 
@@ -11675,7 +11220,13 @@ as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else @@ -11686,7 +11237,7 @@ as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; - case $arg in + case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; @@ -11709,13 +11260,6 @@ } fi -# Support unset when possible. -if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then - as_unset=unset -else - as_unset=false -fi - # IFS # We need space, tab and new line, in precisely that order. Quoting is @@ -11725,15 +11269,15 @@ IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. -case $0 in +case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break -done + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done IFS=$as_save_IFS ;; 
@@ -11745,12 +11289,16 @@ fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - { (exit 1); exit 1; } + exit 1 fi -# Work around bugs in pre-3.0 UWIN ksh. -for as_var in ENV MAIL MAILPATH -do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' 
@@ -11762,7 +11310,89 @@ LANGUAGE=C export LANGUAGE -# Required to use basename. +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + + +# as_fn_error ERROR [LINENO LOG_FD] +# --------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with status $?, using 1 if that was 0. +as_fn_error () +{ + as_status=$?; test $as_status -eq 0 && as_status=1 + if test "$3"; then + as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3 + fi + $as_echo "$as_me: error: $1" >&2 + as_fn_exit $as_status +} # as_fn_error + + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. 
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr @@ -11776,8 +11406,12 @@ as_basename=false fi +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi -# Name of the executable. as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ 
@@ -11797,76 +11431,25 @@ } s/.*/./; q'` -# CDPATH. -$as_unset CDPATH - - - - as_lineno_1=$LINENO - as_lineno_2=$LINENO - test "x$as_lineno_1" != "x$as_lineno_2" && - test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { - - # Create $as_me.lineno as a copy of $as_myself, but with $LINENO - # uniformly replaced by the line number. The first 'sed' inserts a - # line-number line after each line using $LINENO; the second 'sed' - # does the real work. The second script uses 'N' to pair each - # line-number line with the line containing $LINENO, and appends - # trailing '-' during substitution so that $LINENO is not a special - # case at line end. - # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the - # scripts with optimization help from Paolo Bonzini. Blame Lee - # E. McMahon (1931-1989) for sed's syntax. :-) - sed -n ' - p - /[$]LINENO/= - ' <$as_myself | - sed ' - s/[$]LINENO.*/&-/ - t lineno - b - :lineno - N - :loop - s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ - t loop - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || - { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 - { (exit 1); exit 1; }; } - - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensitive to this). - . "./$as_me.lineno" - # Exit status is that of the last command. - exit -} - - -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi +# Avoid depending upon Character Ranges. 
+as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in +case `echo -n x` in #((((( -n*) - case `echo 'x\c'` in + case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. - *) ECHO_C='\c';; + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then @@ -11895,8 +11478,56 @@ rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir" + + +} # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then - as_mkdir_p=: + as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false 
@@ -11915,10 +11546,10 @@ if test -d "$1"; then test -d "$1/."; else - case $1 in + case $1 in #( -*)set "./$1";; esac; - case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( ???[sx]*):;;*)false;;esac;fi '\'' sh ' @@ -11933,13 +11564,19 @@ exec 6>&1 +## ----------------------------------- ## +## Main body of $CONFIG_STATUS script. ## +## ----------------------------------- ## +_ASEOF +test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 -# Save the log message, to keep $[0] and so on meaningful, and to +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by iptables $as_me 1.4.4, which was -generated by GNU Autoconf 2.63. Invocation command line was +This file was extended by iptables $as_me 1.4.10, which was +generated by GNU Autoconf 2.65. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS @@ -11971,13 +11608,15 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ -\`$as_me' instantiates files from templates according to the -current configuration. +\`$as_me' instantiates files and other configuration actions +from templates according to the current configuration. Unless the files +and actions are specified as TAGs, all are instantiated by default. -Usage: $0 [OPTION]... [FILE]... +Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit + --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files 
@@ -11996,22 +11635,24 @@ Configuration commands: $config_commands -Report bugs to ." +Report bugs to the package provider." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -iptables config.status 1.4.4 -configured by $0, generated by GNU Autoconf 2.63, - with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" +iptables config.status 1.4.10 +configured by $0, generated by GNU Autoconf 2.65, + with options \\"\$ac_cs_config\\" -Copyright (C) 2008 Free Software Foundation, Inc. +Copyright (C) 2009 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' +MKDIR_P='$MKDIR_P' AWK='$AWK' test -n "\$AWK" || AWK=awk _ACEOF @@ -12040,6 +11681,8 @@ ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; + --config | --confi | --conf | --con | --co | --c ) + $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) 
@@ -12047,20 +11690,19 @@ case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac - CONFIG_FILES="$CONFIG_FILES '$ac_optarg'" + as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac - CONFIG_HEADERS="$CONFIG_HEADERS '$ac_optarg'" + as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header - { $as_echo "$as_me: error: ambiguous option: $1 -Try \`$0 --help' for more information." >&2 - { (exit 1); exit 1; }; };; + as_fn_error "ambiguous option: \`$1' +Try \`$0 --help' for more information.";; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ @@ -12068,11 +11710,10 @@ ac_cs_silent=: ;; # This is an error. - -*) { $as_echo "$as_me: error: unrecognized option: $1 -Try \`$0 --help' for more information." >&2 - { (exit 1); exit 1; }; } ;; + -*) as_fn_error "unrecognized option: \`$1' +Try \`$0 --help' for more information." ;; - *) ac_config_targets="$ac_config_targets $1" + *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac 
@@ -12385,14 +12026,13 @@ "extensions/GNUmakefile") CONFIG_FILES="$CONFIG_FILES extensions/GNUmakefile" ;; "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;; "libipq/Makefile") CONFIG_FILES="$CONFIG_FILES libipq/Makefile" ;; + "utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;; "include/xtables.h") CONFIG_FILES="$CONFIG_FILES include/xtables.h" ;; "include/iptables/internal.h") CONFIG_FILES="$CONFIG_FILES include/iptables/internal.h" ;; "libiptc.pc") CONFIG_FILES="$CONFIG_FILES libiptc.pc" ;; "xtables.pc") CONFIG_FILES="$CONFIG_FILES xtables.pc" ;; - *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 -$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;} - { (exit 1); exit 1; }; };; + *) as_fn_error "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done @@ -12419,7 +12059,7 @@ trap 'exit_status=$? { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status ' 0 - trap '{ (exit 1); exit 1; }' 1 2 13 15 + trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. @@ -12430,11 +12070,7 @@ { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") -} || -{ - $as_echo "$as_me: cannot create a temporary directory in ." >&2 - { (exit 1); exit 1; } -} +} || as_fn_error "cannot create a temporary directory in ." "$LINENO" 5 # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. @@ -12442,10 +12078,16 @@ if test -n "$CONFIG_FILES"; then -ac_cr=' ' +ac_cr=`echo X | tr X '\015'` +# On cygwin, bash can eat \r inside `` if the user requested igncr. +# But we know of no other shell where ac_cr would be empty at this +# point, so we can use a bashism as a fallback. +if test "x$ac_cr" = x; then + eval ac_cr=\$\'\\r\' +fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then - ac_cs_awk_cr='\\r' + ac_cs_awk_cr='\r' else ac_cs_awk_cr=$ac_cr fi 
@@ -12459,24 +12101,18 @@ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || - { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 -$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || - { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 -$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then - { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 -$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi @@ -12498,7 +12134,7 @@ t delim :nl h -s/\(.\{148\}\).*/\1/ +s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p @@ -12512,7 +12148,7 @@ t nl :delim h -s/\(.\{148\}\).*/\1/ +s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p @@ -12565,9 +12201,7 @@ else cat fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ - || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5 -$as_echo "$as_me: error: could not setup config files machinery" >&2;} - { (exit 1); exit 1; }; } + || as_fn_error "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove $(srcdir), 
@@ -12608,9 +12242,7 @@ if test -z "$ac_t"; then break elif $ac_last_try; then - { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_HEADERS" >&5 -$as_echo "$as_me: error: could not make $CONFIG_HEADERS" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi @@ -12695,9 +12327,7 @@ _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - { { $as_echo "$as_me:$LINENO: error: could not setup config headers machinery" >&5 -$as_echo "$as_me: error: could not setup config headers machinery" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" @@ -12710,9 +12340,7 @@ esac case $ac_mode$ac_tag in :[FHL]*:*);; - :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: invalid tag $ac_tag" >&5 -$as_echo "$as_me: error: invalid tag $ac_tag" >&2;} - { (exit 1); exit 1; }; };; + :L* | :C*:*) as_fn_error "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac @@ -12740,12 +12368,10 @@ [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || - { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 -$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;} - { (exit 1); exit 1; }; };; + as_fn_error "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac - ac_file_inputs="$ac_file_inputs '$ac_f'" + as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't 
@@ -12756,7 +12382,7 @@ `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" - { $as_echo "$as_me:$LINENO: creating $ac_file" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. @@ -12769,9 +12395,7 @@ case $ac_tag in *:-:* | *:-) cat >"$tmp/stdin" \ - || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 -$as_echo "$as_me: error: could not create $ac_file" >&2;} - { (exit 1); exit 1; }; } ;; + || as_fn_error "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac @@ -12799,47 +12423,7 @@ q } s/.*/./; q'` - { as_dir="$ac_dir" - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 -$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} - { (exit 1); exit 1; }; }; } + as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in 
@@ -12885,13 +12469,17 @@ [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac + ac_MKDIR_P=$MKDIR_P + case $MKDIR_P in + [\\/$]* | ?:[\\/]* ) ;; + */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; + esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= - ac_sed_dataroot=' /datarootdir/ { p @@ -12901,12 +12489,11 @@ /@docdir@/p /@infodir@/p /@localedir@/p -/@mandir@/p -' +/@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) - { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 @@ -12916,7 +12503,7 @@ s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g - s&\\\${datarootdir}&$datarootdir&g' ;; + s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF 
@@ -12941,17 +12528,16 @@ s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t +s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ - || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 -$as_echo "$as_me: error: could not create $ac_file" >&2;} - { (exit 1); exit 1; }; } + || as_fn_error "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && - { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined." >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined." >&2;} @@ -12961,9 +12547,7 @@ -) cat "$tmp/out" && rm -f "$tmp/out";; *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; esac \ - || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 -$as_echo "$as_me: error: could not create $ac_file" >&2;} - { (exit 1); exit 1; }; } + || as_fn_error "could not create $ac_file" "$LINENO" 5 ;; :H) # 
@@ -12974,42 +12558,37 @@ $as_echo "/* $configure_input */" \ && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" } >"$tmp/config.h" \ - || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 -$as_echo "$as_me: error: could not create $ac_file" >&2;} - { (exit 1); exit 1; }; } + || as_fn_error "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then - { $as_echo "$as_me:$LINENO: $ac_file is unchanged" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$tmp/config.h" "$ac_file" \ - || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 -$as_echo "$as_me: error: could not create $ac_file" >&2;} - { (exit 1); exit 1; }; } + || as_fn_error "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \ - || { { $as_echo "$as_me:$LINENO: error: could not create -" >&5 -$as_echo "$as_me: error: could not create -" >&2;} - { (exit 1); exit 1; }; } + || as_fn_error "could not create -" "$LINENO" 5 fi # Compute "$ac_file"'s index in $config_headers. +_am_arg="$ac_file" _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - "$ac_file" | "$ac_file":* ) + $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for "$ac_file"" >`$as_dirname -- "$ac_file" || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$ac_file" | +echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || +$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$_am_arg" : 'X\(//\)[^/]' \| \ + X"$_am_arg" : 'X\(//\)$' \| \ + X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$_am_arg" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q 
@@ -13029,24 +12608,35 @@ s/.*/./; q'`/stamp-h$_am_stamp_count ;; - :C) { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5 + :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 $as_echo "$as_me: executing $ac_file commands" >&6;} ;; esac case $ac_file$ac_mode in - "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do - # Strip MF so we end up with the name of the file. - mf=`echo "$mf" | sed -e 's/:.*$//'` - # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but - # some people rename them; so instead we look at the file content. - # Grep'ing the first line is not enough: some people post-process - # each Makefile.in and add a new line on top of each file to say so. - # So let's grep whole file. - if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then - dirpart=`$as_dirname -- "$mf" || + "depfiles":C) test x"$AMDEP_TRUE" != x"" || { + # Autoconf 2.62 quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. + case $CONFIG_FILES in + *\'*) eval set x "$CONFIG_FILES" ;; + *) set x $CONFIG_FILES ;; + esac + shift + for mf + do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named `Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. 
+ if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + dirpart=`$as_dirname -- "$mf" || $as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$mf" : 'X\(//\)[^/]' \| \ X"$mf" : 'X\(//\)$' \| \ 
@@ -13069,28 +12659,28 @@ q } s/.*/./; q'` - else - continue - fi - # Extract the definition of DEPDIR, am__include, and am__quote - # from the Makefile without running `make'. - DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` - test -z "$DEPDIR" && continue - am__include=`sed -n 's/^am__include = //p' < "$mf"` - test -z "am__include" && continue - am__quote=`sed -n 's/^am__quote = //p' < "$mf"` - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n 's/^U = //p' < "$mf"` - # Find all dependency output files, they are included files with - # $(DEPDIR) in their names. We invoke sed twice because it is the - # simplest approach to changing $(DEPDIR) to its actual value in the - # expansion. - for file in `sed -n " - s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do - # Make sure the directory exists. - test -f "$dirpart/$file" && continue - fdir=`$as_dirname -- "$file" || + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running `make'. + DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # When using ansi2knr, U may be empty or an underscore; expand it + U=`sed -n 's/^U = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + # Make sure the directory exists. 
+ test -f "$dirpart/$file" && continue + fdir=`$as_dirname -- "$file" || $as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$file" : 'X\(//\)[^/]' \| \ X"$file" : 'X\(//\)$' \| \ @@ -13113,51 +12703,12 @@ q } s/.*/./; q'` - { as_dir=$dirpart/$fdir - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break + as_dir=$dirpart/$fdir; as_fn_mkdir_p + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 -$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} - { (exit 1); exit 1; }; }; } - # echo "creating $dirpart/$file" - echo '# dummy' > "$dirpart/$file" done -done +} ;; "libtool":C) @@ -13799,15 +13350,12 @@ done # for ac_tag -{ (exit 0); exit 0; } +as_fn_exit 0 _ACEOF -chmod +x $CONFIG_STATUS ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || - { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5 -$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;} - { (exit 1); exit 1; }; } + as_fn_error "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. 
@@ -13828,10 +13376,10 @@ exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. - $ac_cs_success || { (exit 1); exit 1; } + $ac_cs_success || as_fn_exit $? fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then - { $as_echo "$as_me:$LINENO: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi diff -Nru iptables-1.4.4/configure.ac iptables-1.4.10/configure.ac --- iptables-1.4.4/configure.ac 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/configure.ac 2010-10-29 14:37:22.000000000 +0000 @@ -1,8 +1,8 @@ -AC_INIT([iptables], [1.4.4]) +AC_INIT([iptables], [1.4.10]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=2 +libxtables_vcurrent=5 libxtables_vage=0 AC_CONFIG_HEADERS([config.h]) @@ -37,6 +37,11 @@ AC_ARG_ENABLE([ipv6], AS_HELP_STRING([--disable-ipv6], [Do not build ip6tables]), [enable_ipv6="$enableval"], [enable_ipv6="yes"]) +AC_ARG_ENABLE([largefile], + AS_HELP_STRING([--disable-largefile], [Do not build largefile support]), + [enable_largefile="$enableval"], + [enable_largefile="yes"; + largefile_cflags='-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64']) AC_ARG_ENABLE([devel], AS_HELP_STRING([--enable-devel], [Install Xtables development headers]), 
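Review bot: In the `@@ -37,6 +37,11 @@` hunk of configure.ac, `largefile_cflags` is assigned only in AC_ARG_ENABLE's action-if-not-given branch, so an explicit `--enable-largefile` sets `enable_largefile="yes"` but leaves the variable empty; `regular_CFLAGS="${largefile_cflags} \` in the following hunk then silently drops `-D_FILE_OFFSET_BITS=64` while `AM_CONDITIONAL([ENABLE_LARGEFILE], ...)` still reports largefile support as on. On 32-bit glibc targets that define changes the width of `off_t`, so a build that loses it may disagree in struct layout with code built with the default flags, which is hard to notice until something crosses the library boundary. Derive the flags from the final value instead of the default branch: keep the fourth argument as `[enable_largefile="yes"])` and add after the macro `test "$enable_largefile" = "yes" && largefile_cflags='-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64'`.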
@@ -47,22 +52,38 @@ [Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]), [pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig']) -AC_CHECK_HEADER([linux/dccp.h]) +libiptc_LDFLAGS2=""; +AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed], + [libiptc_LDFLAGS2="-Wl,--no-as-needed"]) +AC_SUBST([libiptc_LDFLAGS2]) blacklist_modules=""; + +AC_CHECK_HEADER([linux/dccp.h]) if test "$ac_cv_header_linux_dccp_h" != "yes"; then blacklist_modules="$blacklist_modules dccp"; fi; + +AC_CHECK_HEADER([linux/ip_vs.h]) +if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then + blacklist_modules="$blacklist_modules ipvs"; +fi; + AC_SUBST([blacklist_modules]) AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"]) AM_CONDITIONAL([ENABLE_SHARED], [test "$enable_shared" = "yes"]) AM_CONDITIONAL([ENABLE_IPV4], [test "$enable_ipv4" = "yes"]) AM_CONDITIONAL([ENABLE_IPV6], [test "$enable_ipv6" = "yes"]) +AM_CONDITIONAL([ENABLE_LARGEFILE], [test "$enable_largefile" = "yes"]) AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) -regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \ +PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0], + [nfnetlink=1], [nfnetlink=0]) +AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1]) + +regular_CFLAGS="${largefile_cflags} \ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \ -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ -Winline -pipe \ @@ -74,6 +95,7 @@ if [[ -n "$ksourcedir" ]]; then kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include"; fi; +pkgdatadir='${datadir}/xtables'; AC_SUBST([regular_CFLAGS]) AC_SUBST([kinclude_CFLAGS]) 
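Review bot: `pkgdatadir='${datadir}/xtables';` in the `@@ -74,6 +95,7 @@` hunk overrides the `pkgdatadir` that Automake would otherwise define as `$(datadir)/$(PACKAGE)`, i.e. an `iptables` directory; as far as I recall Automake skips its own definition once the name is AC_SUBSTed, which the next hunk does, so the override works, but nothing in the file says it is deliberate and a reader of the generated Makefiles will expect the default. A one-line comment above the assignment would keep it from being "corrected" later: `# Overrides Automake's default pkgdatadir ($(datadir)/iptables): runtime data is shared under the xtables name`. The matching `AC_SUBST([pkgdatadir])` is in the following hunk, so the two halves of the override are split across hunks.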
@@ -81,12 +103,13 @@ AC_SUBST([ksourcedir]) AC_SUBST([xtlibdir]) AC_SUBST([pkgconfigdir]) +AC_SUBST([pkgdatadir]) AC_SUBST([libxtables_vcurrent]) AC_SUBST([libxtables_vage]) libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); AC_SUBST([libxtables_vmajor]) AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile - libipq/Makefile + libipq/Makefile utils/Makefile include/xtables.h include/iptables/internal.h libiptc.pc xtables.pc]) AC_OUTPUT diff -Nru iptables-1.4.4/debian/builddir.mk iptables-1.4.10/debian/builddir.mk --- iptables-1.4.4/debian/builddir.mk 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/builddir.mk 2009-11-28 17:03:22.000000000 +0000 @@ -1,7 +1,5 @@ -export QUILT_PATCH_DIR=debian/patch - BUILD_DIR := debian/build -BUILD_DIR_TARGETS := build install patch unpatch +BUILD_DIR_TARGETS := build install $(BUILD_DIR_TARGETS): builddir $(MAKE) -f debian/rules -C $(BUILD_DIR) $@ USE_BUILD_DIR=TRUE @@ -9,11 +7,12 @@ cp_excludes := .pc debian cp_targets = $(filter-out $(cp_excludes),$(wildcard *)) + builddir: tarcopy tarcopy: debian/stamp-tarcopy debian/stamp-tarcopy: mkdir -p $(BUILD_DIR) - tar cf - $(cp_targets) | tar xvf - -C $(BUILD_DIR) + tar cf - $(cp_targets) | tar xf - -C $(BUILD_DIR) ln -sv $(CURDIR)/debian $(BUILD_DIR) touch $@ diff -Nru iptables-1.4.4/debian/changelog iptables-1.4.10/debian/changelog --- iptables-1.4.4/debian/changelog 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/changelog 2011-06-15 19:19:54.000000000 +0000 
@@ -1,3 +1,133 @@ +iptables (1.4.10-1ubuntu1~lucid0) lucid; urgency=low + + * Backport from Ubuntu natty to Ubuntu lucid. + + -- Daniel Baumann Wed, 15 Jun 2011 21:19:54 +0200 + +iptables (1.4.10-1ubuntu1) natty; urgency=low + + [ Lorenzo De Liso ] + * Merge from debian unstable (LP: #671652), remaining changes: + - Don't fail to run iptables-save if iptables module isn't loaded. + - Revert changes between 1.4.1.1-3 and 1.4.1.1-4, thus bringing back + the howtos. + - Added linuxdoc-tools to Build-Depends + - Modified debian/iptables{,-dev}.install to match DM syntax + (removed debian/tmp) + - Added -fno-strict-aliasing -Werror switches to regular_CFLAGS + for catching errors early + - Removed unused TC_NUM_RULES() and TC_GET_RULE() + * debian/patches/03-compilation-error.patch: updated + * debian/patches/0600-makefile_jedi_handwaving.patch: updated + * Dropped changes: + - debian/patches/0902-docs-version-reference.diff: modifies files inside + the debian/ directory and hence is not needed + + [ Jamie Strandboge ] + * debian/patches/9000-howtos.patch: + - combine 0102-howtos.patch and 0103-sgml_errors.patch into this patch + and apply after the Debian patches for easier maintenance + - add DEP-3 comments + * debian/patches/9001-build-libipq_pic.la.patch: + - Build libipq_pic.la with -fPIC + - add DEP-3 comments + * debian/iptables-dev.install: install lib/*.la in usr/lib + * merge debian/patches/9002-xt_recent-reap.patch: + - support for the xt_recent filter --reap switch (refreshed and updated) + - add DEP-3 comments + * debian/patches/9003-compilation-error.patch: + - renamed 03-compilation-error.patch as 9003-compilation-error.patch + - apply after Debian patches for easier maintenance + - add DEP-3 comments + * debian/iptables.doc-base.{nat|packet-filter}: update for 2.6 + * Dropped changes: + - Replaced ipt_DSCP.h by xpt_DSCP.h in ipt_ECN.h and ipt_echn.h (applied + upstream) + - 9001-build-libipq_pic.a.patch (using la instead) + + -- Jamie Strandboge Fri, 12 
Nov 2010 15:58:40 -0600 + +iptables (1.4.10-1) unstable; urgency=low + + * New upstream release + + -- Laurence J. Lane Fri, 29 Oct 2010 12:29:39 -0400 + +iptables (1.4.9-1) unstable; urgency=low + + * New upstream release + * remove extra iptables-xml.8. Reported by David Prevot. Thanks. + Closes: #590619 + + -- Laurence J. Lane Sat, 07 Aug 2010 18:24:17 -0400 + +iptables (1.4.8-3) unstable; urgency=low + + * added missing iptables-xml symlink and man page. Reported by Carl + Fürstenberg and others. Closes: #589059 + + -- Laurence J. Lane Fri, 16 Jul 2010 16:56:20 -0400 + +iptables (1.4.8-2) unstable; urgency=low + + * rebuild with clean source tree, Closes: #582448 + * updated upstream changelog to 1.4.8 + + -- Laurence J. Lane Sat, 12 Jun 2010 13:26:16 -0400 + +iptables (1.4.8-1) unstable; urgency=low + + * New upstream release + * Fixed iptables-apply DEFAULT_FILE variable. Problem reported by + fixed by StalkR. Thanks. Closes: #582448 + * Added versioned build dependency on libtool. Problem reported by Pawel + Rozanski and Flavio Silveir. Thanks. Closes: #567066 + + -- Laurence J. Lane Mon, 31 May 2010 08:44:28 -0400 + +iptables (1.4.6-2) unstable; urgency=low + + * corrected debian changelog entry for 1.4.6-1 + * updated upstream changelog. Problem reported by Klaus Ethgen. Thanks. + Closes: 561236 + + -- Laurence J. Lane Sun, 20 Dec 2009 16:09:02 -0500 + +iptables (1.4.6-1) unstable; urgency=low + + * New upstream release + * Fixes ignored mask with replace rule. Reported by Hugh McDonald and + and fixed upstream. Thanks. Closes: #560910 + * Fixes single ip address use with iprange. Reported by Sergey Kovalev + and fixed upstream. Thanks. Closes: #547139 + * Fixes TCP MSS clamp documentation. Reported and fixed by Tim Small. + Added upstream. Thanks. Closes: #551272 + + -- Laurence J. 
Lane Mon, 14 Dec 2009 12:45:24 -0500 + +iptables (1.4.5-1) unstable; urgency=low + + * New upstream release + * Bumped Standards Version to 3.8.3 + * Moved to source format 3.0 (quilt) + * s/macthes/matches/ in iptables(8). Reported by Trent W. Buck and + fixed upstream. Closes: #539101 + * s/packages/package in iptables-dev descrition. Reported by Pascal + De Vuyst. Thanks. Closes: #557369 + * Fixed iptables-apply default rule problem reported by StalkR. Fixed + upstream. Thanks. Closes: #547734 + + -- Laurence J. Lane Sat, 28 Nov 2009 16:41:04 -0500 + +iptables (1.4.4-2ubuntu3) maverick; urgency=low + + * Replaced ipt_DSCP.h by xpt_DSCP.h in ipt_ECN.h and ipt_echn.h (LP: #600195) + * Added -fno-strict-aliasing -Werror switches to regular_CFLAGS for catching + errors early + * Removed unused TC_NUM_RULES() and TC_GET_RULE() + + -- Surbhi Palande Wed, 14 Jul 2010 12:30:38 +0300 + iptables (1.4.4-2ubuntu2) lucid; urgency=low * Added support for the xt_recent filter --reap switch. This @@ -161,7 +291,7 @@ Feldgendler. Thanks. closes: #509386 * -multi bins were included in buildd generated packages. Reported by Alexey Feldgendler. closes: 509385 - * added missing iptables.xslt. Reported by Carl Fürstenberg. Thanks. + * added missing iptables.xslt. Reported by Carl Fürstenberg. Thanks. closes: #501615. -- Laurence J. Lane Fri, 02 Jan 2009 17:19:08 -0500 @@ -410,7 +540,7 @@ + adds support port range match to libip6t_multiport + adds endian annotation types to fix compilation for kernels > 2.6.18 - * ipv6 updates in SVN by Rémi Denis-Courmont fixes the ip6tables port + * ipv6 updates in SVN by Rémi Denis-Courmont fixes the ip6tables port range bug reported by Alexander Dreweke. Thanks. closes: #329775 * debian/control: added info about missing kernel extensions * bumped standards version to 3.7.2, no changes 
@@ -477,7 +607,7 @@ mport, nth, osf, pool, psd, quota, random, time * replaced debian/copyright GPL paste with stubs * updated debian/copyright source URLs - * Thanks for the invaluable help Rémi Denis-Courmont. + * Thanks for the invaluable help Rémi Denis-Courmont. -- Laurence J. Lane Sun, 20 Aug 2006 21:29:33 -0400 @@ -1284,4 +1414,3 @@ * Initial release. -- Christoph Lameter Sun, 26 Mar 2000 18:49:18 -0800 - diff -Nru iptables-1.4.4/debian/control iptables-1.4.10/debian/control --- iptables-1.4.4/debian/control 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/control 2010-11-12 21:51:01.000000000 +0000 @@ -1,12 +1,13 @@ Source: iptables Section: net Priority: important -Maintainer: Ubuntu Core Developers +Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Laurence J. Lane -Build-Depends: debhelper (>>7.0), quilt, autoconf, automake, linuxdoc-tools, libtool -Standards-Version: 3.8.2 +Build-Depends: debhelper (>>7.0), autoconf, automake, linuxdoc-tools, libtool (>=2.2.6), libnfnetlink-dev +Standards-Version: 3.8.3 Homepage: http://www.netfilter.org/ + Package: iptables Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} @@ -29,6 +30,6 @@ Section: devel Description: iptables development files iptables is used to setup, maintain, and inspect the tables of - packet filter rules in the Linux kernel. This packages contains + packet filter rules in the Linux kernel. This package contains the available library (libipq, libiptc, libxtables), header, documentation and related files for iptables development. diff -Nru iptables-1.4.4/debian/iptables-dev.install iptables-1.4.10/debian/iptables-dev.install --- iptables-1.4.4/debian/iptables-dev.install 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables-dev.install 2010-11-12 22:22:43.000000000 +0000 
@@ -1,7 +1,7 @@ -howtos/netfilter*html usr/share/doc/iptables-dev/html usr/include usr/share/man/man3 lib/lib*.so -lib/*.a usr/lib -#lib/*.la usr/lib +#lib/*.a usr/lib +lib/*.la usr/lib lib/pkgconfig usr/lib +howtos/netfilter*html usr/share/doc/iptables-dev/html diff -Nru iptables-1.4.4/debian/iptables.dirs iptables-1.4.10/debian/iptables.dirs --- iptables-1.4.4/debian/iptables.dirs 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables.dirs 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/bin diff -Nru iptables-1.4.4/debian/iptables.doc-base.nat iptables-1.4.10/debian/iptables.doc-base.nat --- iptables-1.4.4/debian/iptables.doc-base.nat 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables.doc-base.nat 2010-11-12 22:23:09.000000000 +0000 @@ -1,9 +1,9 @@ Document: nat -Title: Linux 2.4 NAT HOWTO +Title: Linux 2.4/2.6 NAT HOWTO Author: Rusty Russell -Abstract: This document describes how to do masquerading, transparent - proxying, port forwarding, and other forms of Network Address - Translations with the 2.4+ Linux Kernels. +Abstract: This document describes how to do masquerading, transparent + proxying, port forwarding, and other forms of Network Address + Translations with the 2.6+ Linux Kernels. Section: Help/HOWTO Format: HTML diff -Nru iptables-1.4.4/debian/iptables.doc-base.packet-filter iptables-1.4.10/debian/iptables.doc-base.packet-filter --- iptables-1.4.4/debian/iptables.doc-base.packet-filter 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables.doc-base.packet-filter 2010-11-12 22:23:28.000000000 +0000 
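Review bot: Switching iptables-dev from `lib/*.a usr/lib` to `lib/*.la usr/lib` ships libtool archives whose `dependency_libs` field records build-time link lines into the -dev package, something Debian has been removing from packages because downstream builds pick those paths up transitively; the changelog entry earlier on this page ties the change to the libipq `-fPIC` build, so the intent may well be deliberate, but the install file gives no hint of that. Since the file already uses `#` comment lines, a one-liner such as `# .la shipped on purpose: libipq_pic.la is built with -fPIC (see changelog)` would stop the next maintainer from flipping the two lines back. Consumers that linked against the static archives also lose them with this change, which is worth stating explicitly if intended.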
@@ -1,8 +1,8 @@ Document: packet-filter -Title: Linux 2.4 Packet Filtering HOWTO +Title: Linux 2.4/2.6 Packet Filtering HOWTO Author: Rusty Russell -Abstract: This document describes how to use iptables to filter - IP packets for the 2.4+ Linux kernels. +Abstract: This document describes how to use iptables to filter + IP packets for the 2.6+ Linux kernels. Section: Help/HOWTO Format: HTML diff -Nru iptables-1.4.4/debian/iptables.install iptables-1.4.10/debian/iptables.install --- iptables-1.4.4/debian/iptables.install 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables.install 2010-11-12 22:18:52.000000000 +0000 @@ -1,10 +1,9 @@ -howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html usr/sbin/* sbin -usr/bin/* usr/sbin lib/xtables lib/libxtables.so.* -lib/libiptc.so.* +lib/lib*.so.* usr/share/man/man8 usr/share/man -iptables-apply usr/sbin iptables-apply.8 usr/share/man/man8 +iptables-apply usr/sbin iptables.xslt usr/share/iptables +howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html diff -Nru iptables-1.4.4/debian/iptables.links iptables-1.4.10/debian/iptables.links --- iptables-1.4.4/debian/iptables.links 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables.links 2010-08-07 22:22:49.000000000 +0000 @@ -1,2 +1,3 @@ /usr/sbin/iptables-apply /usr/sbin/ip6tables-apply /usr/share/man/man8/iptables-apply.8.gz /usr/share/man/man8/ip6tables-apply.8.gz +/sbin/iptables-multi /usr/bin/iptables-xml diff -Nru iptables-1.4.4/debian/iptables.lintian-overrides iptables-1.4.10/debian/iptables.lintian-overrides --- iptables-1.4.4/debian/iptables.lintian-overrides 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/iptables.lintian-overrides 2010-08-07 23:03:05.000000000 +0000 
@@ -1 +1,2 @@ -iptables: package-name-doesnt-match-sonames libiptc0 libxtables2 +iptables: package-name-doesnt-match-sonames libip4tc0 libip6tc0 libipq0 libiptc0 libxtables5 + diff -Nru iptables-1.4.4/debian/patch/0101-changelog.patch iptables-1.4.10/debian/patch/0101-changelog.patch --- iptables-1.4.4/debian/patch/0101-changelog.patch 2011-06-15 19:36:48.000000000 +0000 +++ iptables-1.4.10/debian/patch/0101-changelog.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,2334 +0,0 @@ -Author: ljlane -Description: iptables source doesn't include a changelog. - This is an amalgamation of external changelog files taken - from ftp.netfilter.org. - -Index: b/Changelog -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ b/Changelog 2009-06-18 14:48:32.736987531 -0400 -@@ -0,0 +1,2324 @@ -+iptables v1.4.4 Changelog: -+====================================================================== -+Changes from 1.4.3.2: -+ -+ -+Frank Tobin (1): -+ libxt_tcp: fix a manpage syntax typo -+ -+Ian Bruce (1): -+ libxt_tcp: manpage corrections and suggestions -+ -+Jan Engelhardt (15): -+ Add new COMMIT_NOTES document -+ xtables: use extern "C" -+ extensions: add const qualifiers in print/save functions -+ iptables: replace open-coded sizeof by ARRAY_SIZE -+ addrtype: fix one manpage type -+ manpages: do not include v4-only modules in ip6tables manpage -+ libip6t_policy: remove redundant functions -+ policy: use direct xt_policy_info instead of ipt/ip6t -+ policy: merge ipv6 and ipv4 variant -+ build: fix manpage collection -+ extensions: use NFPROTO_UNSPEC for .family field -+ DNAT/SNAT: add manpage documentation for --persistent flag -+ extensions: remove redundant casts -+ iptables: close open file descriptors -+ manpages: markup corrections -+ -+Jozsef Kadlecsik (1): -+ Updated set/SET match and target to support multiple ipset protocols. 
-+ -+Pablo Neira Ayuso (2): -+ extensions: add `cluster' match support -+ xtables: fix segfault if incorrect protocol name is used -+ -+Patrick McHardy (3): -+ SNAT/DNAT: add support for persistent multi-range NAT mappings -+ Merge branch 'stable' of git://dev.medozas.de/iptables -+ Bump version -+ -+kd6lvw (1): -+ libxt_connlimit: initialize v6_mask -+ -+ -+ -+iptables v1.4.3.2 Changelog: -+====================================================================== -+Changes from 1.4.3.1: -+ -+ -+Jan Engelhardt (12): -+ libxt_tcpmss: fix an inversion while parsing --mss -+ iptables-multi: support "iptables-static" as a callable name -+ libxtables: reorder .version member -+ build: do not run ldconfig for DESTDIR installations -+ build: add configure option to disable ip6tables -+ build: add configure option to disable ipv4 iptables -+ libxtables: provide IPv6 zero address variable -+ iptables: print negation extrapositioned -+ Merge commit 'v1.4.3' -+ Merge branch 'plus' -+ CLASSIFY: document non-standard interpretation behavior -+ libxt_conntrack: properly output negation symbol -+ -+Pablo Neira Ayuso (1): -+ build: bump version to 1.4.3.2 -+ -+ -+iptables v1.4.3.1 Changelog: -+====================================================================== -+Changes from 1.4.3: -+ -+ -+Jan Engelhardt (2): -+ iptables-save: minor corrections to the manpage markup -+ libxt_hashlimit: add missing space for iptables-save output -+ -+Pablo Neira Ayuso (2): -+ build: bump version to 1.4.3.1 -+ iptables: refer to dmesg if we hit EINVAL -+ -+Peter Volkov (2): -+ libxtables: fix compile error due to incomplete change -+ build: fix linker issue when LDFLAGS contains --as-needed -+ -+ -+ -+iptables v1.4.3 Changelog: -+====================================================================== -+Changes from 1.4.2: -+ -+ -+Bart De Schuymer (1): -+ man: fix physdev manpage -+ -+Christian Perle (1): -+ libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff -+ -+Christoph Paasch (1): 
-+ libiptc: avoid compile warnings for iptc_insert_chain -+ -+Daniel Drake (1): -+ libxt_owner: add more spaces to output -+ -+Eric Leblond (1): -+ xt_NFLOG: Set default NFLOG qthreshold to 0 -+ -+Jamal Hadi Salim (12): -+ libxtables: Introduce global params structuring -+ libxtables: define xtables_free_opts() -+ libxtables: Add exit_error cb to xtables_globals -+ libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals -+ libxtables: Replace direct exit_error() calls inside libxtables -+ libxtables: simple aliasing macro for exit_error -+ libxtables: set names of programs -+ libxtables: add xtables_set_revision -+ libxtables: make iptables and ip6tables use xtables_free_opts -+ libxtables: consolidate merge_options into xtables_merge_options -+ libxtables: consolidate init calls into one function -+ libxtables: general follow-up cleanup -+ -+Jan Engelhardt (84): -+ Move libipt_recent to libxt_recent -+ libxt_recent: add IPv6 support -+ manpage: use separate paragraphs for command syntax -+ manpage: explain what rule-specification is -+ libiptc: remove typedef indirection -+ libiptc: remove indirections -+ libiptc: remove unused iptc_get_raw_socket and iptc_check_packet -+ libiptc: use hex output for hookmask -+ libxt_conntrack: respect -n option during ruledump -+ libiptc: make sockfd a per-handle thing -+ libxt_conntrack: dump ctdir -+ src: reuse the global modprobe_program variable -+ src: use NFPROTO_ constants -+ src: remove inclusion of iptables.h -+ doc: fix a typo in libip6t_REJECT.man -+ libiptc: guard chain index allocation for different malloc implementations -+ src: remove unused include files -+ iptables-save: output ! 
in position according to manpage -+ rateest: guard against segfault -+ env: augment deprecation notice -+ build: resolve autotools suggestions -+ doc: put iptables version into manpage -+ doc: resynchronize markup in iptables,ip6tables.8.in -+ doc: escape minus sign in manpages -+ build: use regular = assignments in Makefile -+ build: remove non-portable rule -+ doc: escape minus sign in manpage (2) -+ doc: augment ICMP manpage by type/code syntax -+ src: remove redundant returns at end of void-returning functions -+ src: remove redundant casts -+ libxt_owner: use correct UID/GID boundaries -+ extensions: use UINT_MAX constants over open-coded bits (1/2) -+ extensions: use UINT_MAX constants over open-coded numbers (2/2) -+ libxtables: prefix/order - fw_xalloc -+ libxtables: prefix/order - modprobe and xtables.ko loading -+ libxtables: prefix/order - match/target loading -+ libxtables: prefix/order - libdir -+ libxtables: prefix/order - strtoui -+ libxtables: prefix/order - program_name -+ libxtables: prefix/order - param_act -+ libxtables: prefix/order - ipaddr/ipmask to ascii output -+ libxtables: prefix/order - ascii to ipaddr/ipmask input -+ libxtables: prefix - misc functions -+ libxtables: prefix - parse and escaped output func -+ libxtables: prefix/order - move check_inverse to xtables.c -+ libxtables: prefix/order - move parse_protocol to xtables.c -+ libbxtables: prefix names and order it #1 -+ libxtables: prefix names and order it #2 -+ libxtables: prefix names and order #3 -+ libxtables: move afinfo around -+ Merge branch 'origin/master' -+ libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable -+ build: move -ldl to proper LDADD -+ libxtables: remove unused XT_LIB_DIR macro -+ libxtables: decouple non-xtables parts from header -+ src: remove iptables_rule_match indirection macro -+ src: remove unused ipt_tryload macro -+ libxtables: move compat defines to xtables.c -+ src: consolidate duplicate code in iptables/internal.h -+ libxtables: 
use const for vars holding literals -+ libxt_string: fix undefined behavior/incorrect patlen calculation -+ libxtables: flush before fork -+ libipq: add missing doc for NF_ values -+ build: restructure Makefile for include/ directory -+ libipq: fix compile error -+ build: remove unneeded -ldl from iptables_xml_LDADD -+ libiptc: make library available as a shared library -+ build: trigger reconfigure when extensions/GNUmakefile.in changes -+ doc: do not put IPv4 doc into ip6tables.8 -+ doc: resynchronize manpage with in-code help -+ libxtables: inline and remove unused OPTION_OFFSET macro -+ libxtables: prefix exit_error to xtables_error -+ extensions: remove unwanted/add needed includes for IPv6 exts -+ extensions: remove unwanted/add needed includes for IPv4 exts -+ libxt_policy: use bounded strtoui -+ include: resynchronize headers with 2.6.29-rc5 -+ extensions: add missing limits.h include -+ iptables: turn deprecation warning into enforcing mode -+ Merge commit 'nf/master' -+ libxt_connbytes: minor manpage adustments -+ libxt_connbytes: document nf_ct_acct behavior -+ libxtables: add -I/-L flags to pkgconfig files -+ libxt_comment: output quotes must be escaped in -+ iptables-save: module loading corrections -+ -+Jesper Dangaard Brouer (3): -+ libiptc: fix chain rename bug in libiptc -+ libiptc: fix whitespaces and typos -+ libiptc: give credits to my self -+ -+Jirí Moravec (1): -+ libxt_TOS: fix compilation error -+ -+KOVACS Krisztian (2): -+ Add iptables support for the TPROXY target -+ Add iptables support for the socket match -+ -+Marc Fournier (1): -+ doc: fix option typo in libxt_multiport -+ -+Pablo Neira Ayuso (5): -+ iptables: fix error reporting with wrong/missing arguments -+ state: report spaces in the state list parsing -+ iptables: refer to dmesg when we hit error -+ string: fix wrong pattern length calculation -+ iptables: fix broken options-merging during libxtables rework -+ -+Patrick McHardy (5): -+ Add SCTP/DCCP support to NAT targets -+ Bump 
version to 1.4.3-rc1 -+ Merge branch 'master' of git://dev.medozas.de/iptables -+ Merge branch 'master' of git://dev.medozas.de/iptables -+ Bump version to 1.4.3 -+ -+Shaul Karl (1): -+ doc: fix one layout issue in iptables-restore.8 -+ -+Stephen Hemminger (1): -+ iptables: Add limits.h to get INT_MIN, INT_MAX, ... -+ -+Thomas Jarosch (2): -+ Fix compile error in libxt_iprange.c using gcc 4.3.2 -+ Fix compile warnings using gcc 4.3.2 -+ -+ -+iptables v1.4.2 Changelog: -+====================================================================== -+Changes from 1.4.2-rc1: -+ -+Jan Engelhard (1): -+ build: fix iptables-static build -+ -+Jan Engelhardt (26): -+ build: do not install ip{,6}tables.h -+ Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables -+ manpages: name and markup fixes -+ src: remove dependency on libiptc headers -+ src: drop libiptc from installation -+ iptables-restore: fix segmentation fault with -tanything -+ libxt_recent: do not allow both --set and --rttl -+ Put xtables.c into its own library, libxtables.so -+ manpages: correct erroneous markup -+ physdev: remove extra space in output -+ Warn about use of DROP in nat table -+ Synchronize invert flag order with manpages -+ build: fix dependency tracking for xtables.h.in -+ build: fix initext.c dependency -+ manpages: add missing --rsource,--rdest options to libxt_recent.man -+ manpages: add missing rateest documentation -+ manpages: add missing rateest match documentation -+ libxt_mac: flatten casts in libxt_mac -+ libxt_iprange: fix option names -+ src: use regular includes -+ src: Update comments -+ build: prepare make tarball for git 1.6.0 -+ libxt_recent: do allow --rttl for --update -+ src: update comments part II -+ build: run ldconfig on `make install` -+ doc: remove mentions of NAT in ip6tables manpage -+ -+Jesper Dangaard Brouer (1): -+ libiptc: remove old fixme -+ -+Pablo Sebastian Greco (1): -+ mark: fix invalid iptables-save output -+ -+Patrick McHardy (2): -+ manpages: fix 
another typo in tcp manpage -+ v1.4.2 -+ -+Phil Oester (3): -+ iptables-save: fix hashlimit output -+ libxt_dscp: fix save of negated dscp match rules -+ src: Missing limits.h includes -+ -+WANG Cong (1): -+ manpages: Fix a typo in tcp man page -+ -+ -+ -+iptables v1.4.1-rc1 Changelog: -+====================================================================== -+Changes from 1.4.0: -+ -+Peter Warasin: -+ Fix CONNMARK mask initialisation -+ -+Jesper Dangaard Brouer: -+ Inline functions iptcc_is_builtin() and set_changed() -+ Introduce a counter for number of user defined chains -+ Solving scalability issue: for chain list "name" searching -+ -+Patrick McHardy: -+ Add RATEEST target extension -+ Add rateest match extension -+ Remove obsolete file -+ Add netfilter.h -+ Remove compiler.h inclusions -+ Retry ruleset dump when kernel returns EAGAIN -+ -+Pablo Neira Ayuso: -+ Cleanup several code wraparounds -+ Check for malloc() return value in merge_opts() -+ Check for merge_opts() return value -+ -+Jan Engelhardt: -+ Converts the iptables build infrastructure to autotools -+ Introduce strtonum() -+ Introduce common error messages -+ Add libxt_owner -+ Add libxt_tos -+ Add libxt_TOS -+ Add libxt_MARK r2 -+ Add libxt_connmark r1 -+ Print warning when dlopen fails -+ Add libxt_conntrack r0 -+ Bunch o' renames -+ Rename overlapping function names -+ Add more libxt_hashlimit checks -+ Add libxt_mark r1 -+ Add libxt_iprange r0 -+ Add libxt_iprange r1 -+ Give preference to iptables header files -+ Build adjustments -+ Add libxt_CONNMARK revision 1 -+ Add libxt_conntrack revision 1 -+ libxt_owner: UID/GID range support -+ Fix compilation of iptables-static build -+ Correct the family member value of libxt_mark revision 1 -+ Makefile: add a "tarball" target -+ Drop -W from CFLAGS and some tiny code cleanups -+ Fix -Wshadow warnings and clean up xt_sctp.h -+ Update the libxt_owner manpage with the UID/GID-range feature -+ Fix all remaining warnings (missing declarations, missing 
prototypes) -+ xtables.h: move non-exported parts to internal.h -+ Add support for xt_hashlimit match revision 1 -+ Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR -+ manpages: fix broken markup (missing close tags) -+ manpages: grammar and spelling -+ manpages: update to reflect fine-grained control -+ configure: split --enable-libipq from --enable-devel -+ Import iptables-apply -+ Add all necessary header files - compilation fix for various cases -+ Install libiptc header files because xtables.h depends on it -+ iptables: use C99 lists for struct options -+ RATEEST: add manpage -+ Implement AF_UNSPEC as a wildcard for extensions -+ Combine ipt and ip6t manpages -+ Resolve warnings on 64-bit compile -+ Wrap dlopen code into NO_SHARED_LIBS -+ Remove support for compilation of conditional extensions -+ Resolve libipt_set warnings -+ Update documentation about building the package -+ configure.ac: AC_SUBST must be separate -+ Dynamically create xtables.h.in with version -+ configure.ac: remove already-defined variables -+ Remove old functions, constants -+ Properly initialize revision for ip6tables targets -+ Makefile.am: use PACKAGE_TARNAME -+ iptables out-of-tree build directory -+ -+Sven Schnelle: -+ Add libxt_TCPOPTSTRIP -+ -+Max Kellermann: -+ Fix REDIRECT manpage -+ Whitespace cleanup -+ Use size_t -+ Escape strings -+ Unescape parameters -+ Allow empty strings in argument parser -+ Fix gcc warnings -+ -+Naohiro Ooiwa: -+ Fix define value of SCTP chunk type -+ -+Filippo Zangheri: -+ Remove useless white spaces from iptables-xml manpages -+ -+James King: -+ libxt_iprange: Fix IP validation logic -+ -+Shan Wei: -+ iptables-save: remove unnecessary code -+ -+Henrik Nordstrom: -+ Make iptables-restore usable over a pipe -+ Add support for --set-counters to iptables -P -+ iptables --list-rules command -+ iptables --list chain rulenum -+ Make --set-counters (-c) accept comma separated counters -+ -+Jamie Strandboge: -+ Fix ip6tables dest address printing -+ -+ -+ 
-+iptables v1.4.1.1 Changelog -+===================================================================== -+ -+Henrik Nordstrom (1): -+ iptables: fix printing of line numbers with --line-numbers arg -+ -+Jan Engelhardt (3): -+ ip6tables: fix printing of ipv6 network masks -+ build: fix `make install` when --disable-shared is used -+ iprange: kernel flags were not set -+ -+Patrick McHardy (1): -+ v1.4.1.1 -+ -+ -+ -+iptables v1.4.1 Changelog -+====================================================================== -+ -+Filippo Zangheri (1): -+ removes useless white spaces from iptables-xml manpages. -+ -+Gáspár Lajos (1): -+ iptables: use C99 lists for struct options -+ -+Henrik Nordstrom (5): -+ Make iptables-restore usable over a pipe -+ Add support for --set-counters to iptables -P -+ iptables --list-rules command -+ iptables --list chain rulenum -+ Make --set-counters (-c) accept comma separated counters -+ -+James King (1): -+ [IPTABLES]: libxt_iprange: Fix IP validation logic -+ -+Jamie Strandboge (1): -+ fix ip6tables dest address printing -+ -+Jan Engelhardt (55): -+ Converts the iptables build infrastructure to autotools. 
-+ Introduce strtonum(), which works like string_to_number(), but passes -+ common error messages -+ libxt_owner -+ libxt_tos -+ libxt_TOS -+ libxt_MARK r2 -+ libxt_connmark r1 -+ print warning when dlopen fails -+ libxt_conntrack r0 -+ bunch o' renames -+ rename overlapping function names -+ libxt_hashlimit checks -+ libxt_mark r1 -+ libxt_iprange r0 -+ libxt_iprange r1 -+ Give preference to iptables header files -+ Build adjustments -+ libxt_CONNMARK revision 1 -+ [IPTABLES]: libxt_conntrack revision 1 -+ [IPTABLES]: libxt_owner: UID/GID range support -+ Fix compilation of iptables-static build -+ Correct the family member value of libxt_mark revision 1 -+ Makefile: add a "tarball" target -+ Drop -W from CFLAGS and some tiny code cleanups -+ Fix -Wshadow warnings and clean up xt_sctp.h -+ Update the libxt_owner manpage with the UID/GID-range feature -+ Fix all remaining warnings (missing declarations, missing prototypes) -+ xtables.h: move non-exported parts to internal.h -+ Add support for xt_hashlimit match revision 1 -+ Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR -+ manpages: fix broken markup (missing close tags) -+ manpages: grammar and spelling -+ manpages: update to reflect fine-grained control -+ configure: split --enable-libipq from --enable-devel -+ Add all necessary header files - compilation fix for various cases -+ Install libiptc header files because xtables.h depends on it -+ RATEEST: add manpage -+ Implement AF_UNSPEC as a wildcard for extensions -+ Combine ipt and ip6t manpages -+ Resolve warnings on 64-bit compile -+ Wrap dlopen code into NO_SHARED_LIBS -+ Remove support for compilation of conditional extensions -+ Resolve libipt_set warnings -+ Update documentation about building the package -+ configure.ac: AC_SUBST must be separate -+ Dynamically create xtables.h.in with version -+ configure.ac: remove already-defined variables -+ Remove old functions, constants -+ Makefile.am: use PACKAGE_TARNAME -+ iptables out-of-tree build directory -+ 
Update .gitignore -+ build: check for missing feature files -+ libxt_owner: add spaces to output -+ manpage updates -+ -+Jesper Dangaard Brouer (3): -+ Inline functions iptcc_is_builtin() and set_changed(). -+ Introduce a counter for number of user defined chains. -+ Solving scalability issue: for chain list "name" searching. -+ -+Kristof Provost (1): -+ REDIRECT: Allow symbolic port in REDIRECT --to-port -+ -+Laszlo Attila Toth (1): -+ addrtype match: added revision 1 -+ -+Lutz Jaenicke (1): -+ Fix iptables-save output of libxt_owner match -+ -+Martin F. Krafft (1): -+ Import iptables-apply -+ -+Max Kellermann (7): -+ Fix REDIRECT manpage -+ whitespace cleanup -+ use size_t -+ escape strings -+ unescape parameters -+ allow empty strings in argument parser -+ fix gcc warnings -+ -+Naohiro Ooiwa (1): -+ Fix define value of SCTP chunk type. -+ -+Pablo Neira Ayuso (2): -+ - cleanup several code wraparounds -+ bump iptables version to prepare 1.4.1 release -+ -+Patrick McHardy (16): -+ Add RATEEST target extension -+ Add rateest match extension -+ Remove obsolete file -+ Add netfilter.h -+ Remove compiler.h inclusions. -+ Retry ruleset dump when kernel returns EAGAIN. -+ Properly initialize revision for ip6tables targets -+ Bump version to 1.4.1-rc1 -+ iptables 1.4.1-rc2 -+ manpages: consistent syntax -+ Resync header files with kernel -+ Bump version -+ libiptc: move variable definitions to head of function -+ iptables-xml: sparse fixes -+ sparse warning fixes: integer used as pointer -+ v1.4.1 -+ -+Peter Warasin (1): -+ Fix CONNMARK mask initialisation -+ -+Shan Wei (1): -+ iptables-save:remove unnecessary code. -+ -+Sven Schnelle (1): -+ libxt_TCPOPTSTRIP -+ -+Thomas Jacob (1): -+ Don't assume /bin/sh is bash -+ -+Thomas Jarosch (1): -+ Add xtables version defines. 
-+ -+Yasuyuki Kozakai (1): -+ Use s6_addr32 to access bits in int6_addr instead of incompatible name -+ -+ -+ -+iptables v1.4.0 Changelog -+====================================================================== -+Changes from 1.4.0rc1: -+ -+- Don't use dlfcn.h if NO_SHARED_LIBS is defined -+ [ Mike Frysinger ] -+ -+- Fix showing help text for matches/targets with revision as user -+ [ Patrick McHardy ] -+ -+- Print warnings to stderr -+ [ Max Kellermann ] -+ -+- Fix sscanf type errors -+ [ Patrick McHardy ] -+ -+- Always print mask in iptables-save -+ [ Jan Engelhardt ] -+ -+- Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names -+ [ Victor Stinner ] -+ -+- Adds --table to iptables-restore -+ [ Peter Warasin ] -+ -+- Make DO_MULTI=1 work for ip6tables* binaries -+ [ Hann-huei Chiou ] -+ -+- Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing -+warnings -+ [ Patrick McHardy ] -+ -+- Introducing libxt_*.man files. Sorted matches and modules -+ [ Laszlo Attila Toth ] -+ -+- Install ip6tables-{save,restore} manpages -+ [ Patrick McHardy ] -+ -+- Performance optimization in sorting chain during pull-out -+ [ Jesper Dangaard Brouer ] -+ -+- Fix sockfd use accounting for kernels without autoloading -+ [ Patrick McHardy ] -+ -+- use -+ [ Jan Engelhardt ] -+ -+- Fix make/compile error for iptables-1.4.0rc1 -+ [ Jesper Dangaard Brouer ] -+ -+- Fix for --random option in DNAT and REDIRECT -+ [ Tom Eastep ] -+ -+- Document xt_statistic -+ [ Stefano Sabatini ] -+ -+- sctp: fix - mistake to pass a pointer where array is required -+ [ Li Zefan ] -+ -+- Fix connlimit output for inverted --connlimit-above: ! 
> is <=, not < -+ [ Patrick McHardy ] -+ -+- Add NFLOG manpage -+ [ Patrick McHardy ] -+ -+- Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8 -+ [ Yasuyuki Kozakai ] -+ -+- Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man -+ [ Yasuyuki Kozakai ] -+ -+- Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8 -+ [ Yasuyuki Kozakai ] -+ -+- fix check_inverse() call -+ [ Jan Engelhardt ] -+ -+- Bump version to 1.4.0 final -+ [ Pablo Neira Ayuso ] -+ -+ -+ -+iptables v1.4.0rc1 Changelog -+====================================================================== -+Changes from 1.3.8: -+ -+- Add support for generic xtables infrastructure (improved IPv6 support!) -+ [ Yasuyuki Kozakai ] -+ -+- Deletes empty ->final_check() functions -+ [ Jan Engelhardt ] -+ -+- Fix sparse warnings: non-C99 array declaration, incorrect function prototypes -+ [ Patrick McHardy ] -+ -+- Remove last vestiges of NFC -+ [ Peter Riley ] -+ -+- Make @msg argument a const char *, just like printf -+ [ Jan Engelhardt ] -+ -+- Makes it possible to omit extra_opts of matches/targets if unnecessary -+ [ Jan Engelhardt ] -+ -+- Fix "iptables getsockopt failed strangely" when querying revisions for non-existant matches and targets -+ [ Patrick McHardy] -+ -+- Introduces DEST_IPT_LIBDIR in Makefile -+ [ Yasuyuki Kozakai ] -+ -+- Change default KERNEL_DIR location and add KBUILD_OUTPUT -+ [ Sven Wegener ] -+ -+- Removes obsolete KERNEL_64_USERSPACE_32 definitions -+ [ Yasuyuki Kozakai ] -+ -+- Fix unused function warning -+ [ Patrick McHardy ] -+ -+ -+ -+iptables v1.3.8 Changelog -+====================================================================== -+ -+- Fix build error of conntrack match -+ [Yasuyuki Kozakai] -+ -+- Remove whitespace in ip6tables.c -+ [Yasuyuki Kozakai] -+ -+- `-p all' and `-p 0' should be allowed in ip6tables -+ [Yasuyuki Kozakai] -+ -+- hashlimit doc update -+ [Jan Engelhardt] -+ -+- add --random option to DNAT and REDIRECT -+ [Patrick McHardy] -+ -+- Makefile 
uses POSIX conform directory check -+ [Roy Marples] -+ -+- Fix missing newlines in iptables-save/restore output -+ [Pavol Rusnak] -+ -+- Update quota manpage for SMP -+ [Phil Oester] -+ -+- Output for unspecified proto is `all' instead of `0' -+ [Phil Oester] -+ -+- Fix iptables-save with --random option -+ [Patrick McHardy] -+ -+- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs -+ [Patrick McHardy] -+ -+- Remove libnsl from LDLIBS -+ [Patrick McHardy] -+ -+- Fix problem with iptables-restore and quotes -+ [Pablo Neira Ayuso] -+ -+- Remove unnecessary includes -+ [Patrick McHardy] -+ -+- Fix --modprobe parameter -+ [Maurice van der Pot] -+ -+- ip6tables-restore should output error of modprobe after failed to load -+ [Yasuyuki Kozakai] -+ -+- Add random option to SNAT -+ [Eric Leblond] -+ -+- Fix missing space in error message -+ [Patrick McHardy] -+ -+- Fixes for manpages of tcp, udp, and icmp{,6} -+ [Yasuyuki Kozakai] -+ -+- Add ip6tables mh extension -+ [Masahide Nakamura] -+ -+- Fix tcpmss manpage -+ [Patrick McHardy] -+ -+- Add ip6tables TCPMSS extension -+ [Arnaud Ebalard] -+ -+- Add UDPLITE multiport support -+ [Patrick McHardy] -+ -+- Fix missing space in ruleset listing -+ [Patrick McHardy] -+ -+- Remove extensions for unmaintained/obsolete patchlets -+ [Patrick McHardy] -+ -+- Fix greedy debug grep -+ [Patrick McHardy] -+ -+- Fix type in manpage -+ [Thomas Aktaia] -+ -+- Fix compile/install error for iptables-xml with DO_MULTI=1 -+ [Lutz Jaenicke] -+ -+ -+ -+iptables v1.3.7 Changelog -+====================================================================== -+ -+Bugs fixed since 1.3.6: -+ -+- Fix compilation error with linux 2.6.19 -+ [ Patrick McHardy ] -+ -+- Fix LOG target segfault with --log-prefix "" -+ [ Mike Frysinger, Bugzilla #516 ] -+ -+- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET} -+ [ Yasuyuki KOZAKAI ] -+ -+- Fix -E (rename) in iptables/ip6tables -+ [ Krzysztof Piotr Oledzki ] -+ -+- Fix /etc/network 
usage -+ [ Pablo Neira ] -+ -+- Fix iptables-save not printing -s/-d ! 0/0 -+ [ Patrick McHardy ] -+ -+- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length -+ [ Daniel De Graaf ] -+ -+New features since 1.3.6: -+ -+- Add revision support for ip6tables -+ [ R?mi Denis-Courmont ] -+ -+- Add port range support for ip6tables multiport match -+ [ R?mi Denis-Courmont ] -+ -+- Add sctp match extension for ip6tables -+ [ Patrick McHardy ] -+ -+- Add iptables-xml tool -+ [ Amin Azez ] -+ -+- Add hashlimit support for ip6tables (needs kernel > 2.6.19) -+ [ Patrick McHardy ] -+ -+- Use /limodules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source -+ [ Patrick McHardy ] -+ -+- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19) -+ [ Patrick McHardy ] -+ -+ -+ -+iptables v1.3.6 Changelog -+====================================================================== -+ -+Bugs fixed since 1.3.5: -+ -+- Fix segfault on loading of invalid counters in ip[6]tables-restore -+ [ Bugzilla #437, Olaf Rempel ] -+ -+- Fix double-free if a single match is used multiple times within a single rule -+ [ Bugzilla #440, Harald Welte ] -+ -+- Don't try to resolve "-p all" using getprotoent() -+ [ Bugzilla #446, Harald Welte ] -+ -+- Refuse never matching protocol specifications for ip6tables -+ [ Yasuyuki Kozakai ] -+ -+- Fix iptables-save output of osf match -+ [ Daniel De Graaf ] -+ -+- Fix esp/connbytes detection with newer kernels (x_tables) -+ [ Harald Welte ] -+ -+- Fix loading of IPCMv6 match shared library -+ [ Yasuyuki Kozakai ] -+ -+- Refuse invalid esp match SPI ranges -+ [ Yasuyuki Kozakai ] -+ -+- Fix out-of-bounds memory access when the unsupported "check" command was used -+ [ Bugzilla #463, Larry Stefani, Harald Welte ] -+ -+- Fix out-of-bounds memory access when the "-c" option was used -+ [ Bugzilla #462, Larry Stefani, Harald Welte ] -+ -+- Fix "Unknown error 4294967295" message -+ [ Bugzilla #460, Patrick 
McHardy ] -+ -+- Use lower-case letters for realm match output -+ [ Simon Lodal ] -+ -+- Fix example in connlimit manpage -+ [ Phil Oester ] -+ -+- Refuse IP addresses as arguments to REDIRECT target -+ [ Bugzilla #482, Phil Oester ] -+ -+- Fix set match negation -+ [ Jozsef Kadlecsik ] -+ -+- Fix some compiler warnings -+ [ Bugzilla #457, Phil Oester ] -+ -+- Refuse port ranges in ip6tables multiport match -+ [ Bugzilla #451, Phil Oester ] -+ -+- Force user to specify --ipcmv6-type if ipcmv6 match is used -+ [ Bugzilla #461, Yasuyuki Kozakai ] -+ -+- Fix libiptc symbol clash -+ [ Bugzilla #456, Phil Oester ] -+ -+- Remove "hoho" message -+ [ Pierre-Yves Ritschard ] -+ -+- Handle CIDR notation more sanely -+ [ Bugzilla #422, Phil Oester ] -+ -+- Fix chain reference increment bug -+ [ Jesper Brouer ] -+ -+- Fix counter clearing for policy counters -+ [ Bugzilla #502, Andy Gay ] -+ -+- Remove warnings about interface names with non-alphanumeric characters -+ [ Patrick McHardy ] -+ -+New features since 1.3.5: -+ -+- Support multiple matches of the same type within a single rule -+ [ Jozsef Kadlecsik ] -+ -+- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18) -+ [ Patrick McHardy ] -+ -+- SELinux SECMARK target (needs kernel >= 2.6.18) -+ [ James Morris ] -+ -+- SELinux CONNSECMARK target (needs kernel >= 2.6.18) -+ [ James Morris ] -+ -+- Add documentation for DNAT target : syntax -+ [ Evan Miller ] -+ -+- Add new exit value to indicate concurrency issues -+ [ Jesper Dangaard Brouer ] -+ -+- Use gcc to build shared objects -+ [ Bugzilla #454, Phil Oester ] -+ -+- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18) -+ [ Phil Oester ] -+ -+- Update MARK target documentation to include --and-mask/--or-mask -+ [ Eric Leblond ] -+ -+- Add support for statistic match (needs kernel >= 2.6.18) -+ [ Patrick McHardy ] -+ -+- Optionally read realm values from /etc/iproute2/rt_realms -+ [ Simon Lodal ] -+ -+iptables v1.3.5 Changelog 
-+====================================================================== -+This version requires kernel >= 2.4.0 -+This version recommends kernel >= 2.4.18 -+ -+Bugs fixed from 1.3.4: -+ -+- Fix conntrack --ctproto option in iptables-save -+ [ Phil Oester ] -+ -+- Fix string match '--from' option in iptables-save -+ [ Michael Rash ] -+ -+- Fix option parser of ttl match -+ [ Patrick McHardy ] -+ -+- Get rid of gcc-4 warnings -+ [ Patrick McHardy ] -+ -+- Fix spelling of 'address' in DNAT/SNAT manpage section -+ [ MJ Anthony ] -+ -+- Fix 'tcp-rst' parsing in REJECT target -+ [ Torsten Hilbrich ] -+ -+- Fix probing for supported revisions -+ [ Jones Desougi ] -+ -+- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO -+ [ Harald Welte ] -+ -+- Only set revisions on real targets, not on jumps -+ [ Pablo Neira ] -+ -+- Fix memory leak in TC_COMMIT() of libiptc -+ [ Markus Sundberg ] -+ -+- Correctly propagate errors of setsockopt to calling function -+ [ Harald Welte ] -+ -+- Fix connbytes match iptables-save -+ [ Unknown ] -+ -+- Fix sctp match compilation against recent kernel headers -+ [ Harald Welte ] -+ -+- Fix conntrack match compilation against 2.4.0 kernel headers -+ [ Harald Welte ] -+ -+Changes from 1.3.4: -+ -+- Add support for ip6tables connmark match and target -+ [ Harald Welte ] -+ -+- Add support for ip6tables state match -+ [ Harald Welte ] -+ -+- Add support for new policy ip[6]tables match -+ [ Patrick McHardy ] -+ -+- Major manpage update -+ [ Yasuyuki Kozakai ] -+ -+- Remove ippool support, it has been deprecated by ipset long time ago -+ [ Harald Welte ] -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) -+ -+ -+iptables v1.3.4 Changelog -+====================================================================== -+This version requires kernel >= 2.4.0 -+This version recommends kernel >= 
2.4.18 -+ -+Bugs fixed from 1.3.3: -+ -+- Fix parsing of NFQUEUE queue numbers -+ [ Eric Leblond ] -+ -+- Add documentation of --queue-num parameter to NFQUEUE manpage -+ [ Eric Leblond ] -+ -+- Fix 'hash-init' parameter of CLUSTERIP target -+ [ KOVACS Krisztian ] -+ -+- Fix CONNMARK match and target: Marks are now always 32bit -+ [ Deti Fliegl ] -+ -+- Print error message when multiple "--to" DNAT/SNAT args are used -+ with kernel >= 2.6.10 -+ [ Phil Oester ] -+ -+- Fix compilation of connbytes match with 2.6.14 kernel -+ [ Harald Welte ] -+ -+- Fix address inversion of conntrack match -+ [ Tom Eastep ] -+ -+- Fix sorting of chain names -+ [ Robert de Barth ] -+ -+Changes from 1.3.2: -+ -+- Add support for DCCP port and type matching -+ [ Harald Welte ] -+ -+- Add support for new in-kernel string match -+ [ Pablo Neira ] -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) -+ -+ -+iptables v1.3.3 Changelog -+====================================================================== -+This version requires kernel >= 2.4.0 -+This version recommends kernel >= 2.4.18 -+ -+Bugs fixed from 1.3.2: -+ -+- Fix use-after-free in merge_options() -+ [ Markus Sundberg ] -+ -+- Fix support for SNAT and DNAT to ICMP ID ranges -+ [ Patrick McHardy ] -+ -+Changes from 1.3.2: -+ -+- Add support for new NFQUEUE targets for IPv4 and IPv6 -+ [ Harald Welte ] -+ -+- Minor manpage updates -+ [ Harald Welte ] -+ -+- Fix numberous gcc-4 warnings throughout the code -+ [ Harald Welte ] -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) -+ -+ -+iptables v1.3.2 Changelog -+====================================================================== -+This version requires kernel >= 2.4.0 -+This version recommends kernel >= 
2.4.18 -+ -+Bugs fixed from 1.3.1: -+ -+- Fix TCPLAG version -+ [ Torsten Luettgert ] -+ -+- More error checking in SET target -+ [ Michal Pokrywka ] -+ -+- Fix optflags value for OPT_LINENUMBERS -+ [ Jonas Berlin ] -+ -+- Allow NULL init function in ip6tables plugins -+ [ Jonas Berlin ] -+ -+- Don't allow newlines in LOG prefix -+ [ Phil Oester ] -+ -+- Introduce ip_conntrack_old_tuple to userspace header copy -+ [ Pablo Neira ] -+ -+- Fix connbytes command line parsing bug -+ [ Piotrek Kaczmarek ] -+ -+- Ignore unknown arguments in libipt_ULOG -+ [ Patrick McHardy ] -+ -+- Correct error in multiport manpage wrt. "--ports" -+ [ Rusty Russell ] -+ -+- Fix CONNMARK save/restore -+ [ Tom Eastep, Pawel Sikora ] -+ -+- Make sure chain name doesn't start with '!' -+ [ Yasuyuki Kozakai ] -+ -+- Prevent user to specify negative ports in SNAT/DNAT -+ [ Yasuyuki Kozakai ] -+ -+- Fix deletion of targets where kernel size != userspace size -+ [ Pablo Neira ] -+ -+- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner -+ [ Harald Welte ] -+ -+Changes from 1.3.1: -+ -+- Add ``--log-uid'' option to ip6t_LOG target -+ [ Patrick McHardy ] -+ -+- Improve REDIRECT manpage -+ [ Jonas Berlin ] -+ -+- Add a number of missing manpage snippets -+ [ Jonas Berlin ] -+ -+- Include FIN bit in mask of "--syn" bits -+ [ Harald Welte ] -+ -+- Release previously merged options from merge_opts(), reduces memory-usage of -+ ipt ables-restore dramatically -+ [ Pablo Neira ] -+ -+- OSF: changes to support connector notifications -+ [ Evgeniy Polyakov ] -+ -+- Reduce code replication of parse_interface() -+ [ Yasuyuki Kozakai ] -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) -+ -+ -+iptables v1.3.1 Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends 
kernel >= 2.4.18 -+ -+Bugs fixed from 1.3.0: -+ -+- Fix CLUSTERIP rule deletion -+ [ Pablo Neira ] -+ -+- Fix libip6t_random compilation -+ [ Harald Welte ] -+ -+- Fix CONNMARK on 32bit userspace / 64bit kernel archs -+ [ Pablo Neira ] -+ -+Changes from 1.3.0: -+ -+- remove bogus NFC_* stuff in iptables -+ [ Pablo Neira ] -+ -+- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order -+ [ Olaf Rempel ] -+ -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) -+ -+ -+iptables v1.3.0 Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+Bugs fixed from 1.3.0rc1: -+ -+- Fix realm match save/restore issue -+ [ Harald Welte ] -+ -+- Fix hashlimit rule deletion from userspace -+ [ Samuel Jean ] -+ -+- Fix hashlimit parameter handling / iptables-save -+ [ Nikolai Malykh ] -+ -+- Fix multiport inversion -+ [ Phil Oester ] -+ -+Bugs fixed from 1.2.11: -+ -+- Fix compilation on systems where /bin/sh != bash -+ [ Jozsef Kadlecsik ] -+ -+- Fix setting lib_dir in ip*tables-{save,restore} -+ [ Martin Josefsson ] -+ -+- Fix module-autoloading in certain cases -+ [ Harald Welte ] -+ -+- libipt_TTL: limit range of valid TTL to 0-255 -+ [ Maciej Soltysiak ] -+ -+- libip6t_HL: limit range of valid HL to 0-255 -+ [ Maciej Soltysiak ] -+ -+- libip{6}t_limit: Fix half-working limit invert check -+ [ Phil Oester ] -+ -+- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters -+ [ Harald Welte ] -+ -+- libipt_conntrack: Fix typo -+ [ Phil Oester ] -+ -+- libipt_dstlimit: Fix half-working invert check -+ [ Phil Oester ] -+ -+- libipt_helper: Prevent user from using --helper multiple times -+ [ Nicolas Bouliane ] -+ -+- libipt_iprange: Print error message if --dst-range used twice -+ [ Nicolas Bouliane ] -+ -+- 
libipt_nth: Fix help message syntax -+ [ Harald Welte ] -+ -+- libipt_psd: Fix option parsing -+ [ Pablo Neira ] -+ -+- libipt_random: Fix help message syntax -+ [ Harald Welte ] -+ -+- libipt_realm: Fix inversion of options -+ [ Simon Lodal ] -+ -+- libipt_time: Fix C++ style delayed variable definition -+ [ Olivier Clerget ] -+ -+- libipt_time: Print message about time match not adhering daylight saving -+ [ Phil Oester ] -+ -+- libipt_tos: Print Error message if --tos is specified twice -+ [ Nicolas Bouliane ] -+ -+- libipt_ttl: Cleanup ttl option parsing -+ [ Phil Oester ] -+ -+- libipt_u32: Fix option parsing -+ [ Piotr Gasid'o ] -+ -+ -+Changes from 1.2.11: -+ -+- libiptc: complete rewrite for performance reasons -+ [ Harald Welte, Martin Josefsson ] -+ -+- introduce "DO_MULTI=1" mode to build a muilti-call binary -+ [ Bastiaan Bakker ] -+ -+- code cleanup, use C99 initializers -+ [ Harald Welte, Pablo Neira ] -+ -+- Extension revision number support (if kernel supports the getsockopts). -+ [ Rusty Russell ] -+ -+- Don't need ipt_entry_target()/ip6t_entry_target(). -+ [ Rusty Russell ] -+ -+- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds. -+ [ Rusty Russell ] -+ -+- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables -+ [ Rusty Russell ] -+ -+- Add manpage section about 'raw' table -+ [ Harald Welte ] -+ -+ -+- libip{6}t_ROUTE: add ROUTE --tee mode -+ [ Patrick Schaaf ] -+ -+- libip{6}t_multiport: Print Error message when `!' 
is used -+ [ Patrick McHardy, Phil Oester ] -+ -+- New libip6t_physdev Match -+ [ Bart De Schuymer ] -+ -+- libipt_CLUSTERIP: Fix compiler warning about const -+ [ Harald Welte ] -+ -+- libipt_DNAT: Print Error message if `:' is used for port range -+- libipt_SNAT: Print Error message if `:' is used for port range -+ [ Phil Oester ] -+ -+- libipt_LOG: Add --log-uid option -+ [ John Lange ] -+ -+- libipt_MARK: add bitwise operators -+ [ Henrik Nordstrom, Rusty Russell ] -+ -+- libipt_SET: Update to ipset2 -+ [ Jozsef Kadlecsik ] -+ -+- libipt_account: Update to 0.1.16 -+ [ Piotr Gasid'o ] -+ -+- New libipt_comment Match -+ [ Brad Fisher ] -+ -+- New libipt_hashlimit Match, supersedes dstlimit -+ [ Harald Welte ] -+ -+- libipt_ttl: Use string_to_number() -+ [ Rusty Russell ] -+ -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) -+ -+ -+iptables v1.2.11 Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+ -+Bugx Fixed from 1.2.10: -+ -+- fix compilation on systems where /bin/sh != bash -+ [ Jozsef Kadlecsik ] -+ -+Bugs Fixed from 1.2.9: -+ -+- physdev match: fix new structure layout for kernel > 2.6.0-test8 -+ [ Bart De Schuymer ] -+ -+- Better 64bit / 32bit split architecture detection -+- IPv6 LOG target: Fix compiler warnings on 64bit -+- LOG target: Fix compiler warnings on 64bit -+- IPv6 MARK target: Use full 64bit mark on 64bit archs -+- MARK target: Use full 64bit mark on 64bit archs -+- SAME target: Fix 64bit/32bit splitarch problems -+- ULOG target: Fix 64bit/32bit splitarch problems -+- conntrack match: Fix 64bit/32bit splitarch problem -+- IPv6 limit match: Fix 64bit/32bit splitarch problem -+- limit match: Fix 64bit/32bit splitarch problem -+- IPv6 mark match: Use full 64bit mark on 64bit archs -+- 
mark match: Use full 64bit mark on 64bit archs -+- owner match: Fix compiler warnings on 64bit -+ [ Martin Jofsefsson ] -+ -+- connbytes match: Fix signedness / unsigned issue -+ [ Martin Josefsson ] -+ -+- connlimit match: Fix '/0' netmask -+ [ David Ahern ] -+ -+- ipv6 owner match: fix possibly not zero terminated string -+- helper match: fix possibly not zero terminated string -+- recent match: fix possibly not zero terminated string -+ [ Karsten Desler ] -+ -+- ICMP match: fix '--icmp-type any' case -+ [ Harald Welte ] -+ -+- CONNMARK target: major update (add mark/mask matching) -+ [ Henrik Nordstrom ] -+ -+- DSCP target: Fix cosmetic help message problem -+ [ Maciej Soltysiak ] -+ -+- string match: Fix iptables-save/restore for ascii strings with spaces -+ [ Michael Rash ] -+ -+- ip(6)tables-restore: Make sure matches are used in the same order -+ [ Martin Josefsson ] -+ -+- ip(6)tables-restore: Fix '--verbose' option -+- ip(6)tables-restore: Add '--test' option -+- ip(6)tables-restore: Complain about missing 'COMMIT' -+ [ Martin Josefsson ] -+ -+- ip(6)tables-restore: Allow embedding of quote character in quoted strings -+ [ Michael Rash ] -+ -+- libipq: Protect against spoofed queue messages (check if sender is kernel) -+ [ Harald Welte ] -+ -+ -+Changes from 1.2.9: -+ -+- time match: add 'datestart' and 'datestop' parameters -+ [ Fabrice Marie ] -+ -+- modular manpage build, depending on actually compiled-in features -+ [ Henrik Nordstrom ] -+ -+- additional documentation in manpage snippets formerly missing -+ [ Harald Welte ] -+ -+- support new CLUSTERIP Target -+ [ Harald Welte ] -+ -+- support new account match -+ [ Piotr Gasid'o ] -+ -+- support new connrate match -+ [ Nuuti Kotivuori ] -+ -+- support new dstlimit match -+ [ Harald Welte ] -+ -+- support new 'set' match / 'SET' target -+ [ Jozsef Kadlecsik ] -+ -+- osf match: add support for netlink reporting -+ [ Evgeniy Polyakov ] -+ -+- new SCTP protocol match -+ [ Kiran Kumar ] -+ -+ -+Please 
note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic/) -+ -+Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, -+distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng) -+ -+ -+iptables v1.2.10 Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+Bugs Fixed from 1.2.9: -+ -+- physdev match: fix new structure layout for kernel > 2.6.0-test8 -+ [ Bart De Schuymer ] -+ -+- Better 64bit / 32bit split architecture detection -+- IPv6 LOG target: Fix compiler warnings on 64bit -+- LOG target: Fix compiler warnings on 64bit -+- IPv6 MARK target: Use full 64bit mark on 64bit archs -+- MARK target: Use full 64bit mark on 64bit archs -+- SAME target: Fix 64bit/32bit splitarch problems -+- ULOG target: Fix 64bit/32bit splitarch problems -+- conntrack match: Fix 64bit/32bit splitarch problem -+- IPv6 limit match: Fix 64bit/32bit splitarch problem -+- limit match: Fix 64bit/32bit splitarch problem -+- IPv6 mark match: Use full 64bit mark on 64bit archs -+- mark match: Use full 64bit mark on 64bit archs -+- owner match: Fix compiler warnings on 64bit -+ [ Martin Jofsefsson ] -+ -+- connbytes match: Fix signedness / unsigned issue -+ [ Martin Josefsson ] -+ -+- connlimit match: Fix '/0' netmask -+ [ David Ahern ] -+ -+- ipv6 owner match: fix possibly not zero terminated string -+- helper match: fix possibly not zero terminated string -+- recent match: fix possibly not zero terminated string -+ [ Karsten Desler ] -+ -+- ICMP match: fix '--icmp-type any' case -+ [ Harald Welte ] -+ -+- CONNMARK target: major update (add mark/mask matching) -+ [ Henrik Nordstrom ] -+ -+- DSCP target: Fix cosmetic help message problem -+ [ Maciej Soltysiak ] -+ -+- string match: Fix iptables-save/restore for ascii strings with 
spaces -+ [ Michael Rash ] -+ -+- ip(6)tables-restore: Make sure matches are used in the same order -+ [ Martin Josefsson ] -+ -+- ip(6)tables-restore: Fix '--verbose' option -+- ip(6)tables-restore: Add '--test' option -+- ip(6)tables-restore: Complain about missing 'COMMIT' -+ [ Martin Josefsson ] -+ -+- ip(6)tables-restore: Allow embedding of quote character in quoted strings -+ [ Michael Rash ] -+ -+- libipq: Protect against spoofed queue messages (check if sender is kernel) -+ [ Harald Welte ] -+ -+ -+Changes from 1.2.9: -+ -+- time match: add 'datestart' and 'datestop' parameters -+ [ Fabrice Marie ] -+ -+- modular manpage build, depending on actually compiled-in features -+ [ Henrik Nordstrom ] -+ -+- additional documentation in manpage snippets formerly missing -+ [ Harald Welte ] -+ -+- support new CLUSTERIP Target -+ [ Harald Welte ] -+ -+- support new account match -+ [ Piotr Gasid'o ] -+ -+- support new connrate match -+ [ Nuuti Kotivuori ] -+ -+- support new dstlimit match -+ [ Harald Welte ] -+ -+- support new 'set' match / 'SET' target -+ [ Jozsef Kadlecsik ] -+ -+- osf match: add support for netlink reporting -+ [ Evgeniy Polyakov ] -+ -+- new SCTP protocol match -+ [ Kiran Kumar ] -+ -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic/) -+ -+Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, -+distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng) -+ -+ -+iptables v1.2.9 Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+Bugs Fixed from 1.2.8: -+ -+- ip(6)tables-save/restore: fix memory leaks -+ [ Harald Welte, Martin Josefsson ] -+- ip6tables: fix printout of odd length netmasks -+ [ Mikko Markus Torni ] -+- condition match: fix iptables-save -+ [ Stephane 
Ouellette ] -+- fuzzy match: fix ip(6)tables-save -+ [ Hime Aguiar e Oliveira Jr. ] -+- mac match: fix ip(6)tables-save if used inverted (!) -+ [ David Zambonini, Martin Josefsson ] -+- ip6tables udp match: check for invalid port ranges -+ [ Thomas Poehnitz ] -+- LOG target: fix iptables-save (save loglevel numerically) -+ [ Thomas Woerner ] -+- mport match: fix iptables-save (save numerically) -+ [ Thomas Woerner ] -+- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures -+ [ Ryan Veety ] -+- libip6tc: fix ipv6_prefix_length endianness bugs -+ [ Mikko Markus Torni ] -+- MASQUERADE target: don't accept negative port numbers -+ [ Yasuyuki Kozakai ] -+- physdev match: fix new structure layout for kernel > 2.6.0-test8 -+ [ Bart De Schuymer ] -+ -+Changes from 1.2.8: -+ -+- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP -+ [ Harald Welte ] -+- libip(6)tc: Speedup due to inceremental chain cache updates -+ [ Harald Welte ] -+- recent match: Update to version 0.3.1 that was submitted to the kernel -+ [ Stephen Frost ] -+- physdev match: add --physdev-is-{in,out,bridge} option -+ [ Bart de Schuymer ] -+- REJECT target: add support for ICMP administratively prohibited -+ [ Maciej Soltysiak ] -+- conntrack match: add suport for CONFIRMED / unconfirmed state -+ [ Harald Welte ] -+- ROUTE target: new option: continue traversal -+ [ Cedric de Launois ] -+- varios cosmetic cleanups -+ [ Stephane Ouellette ] -+- iptables/libiptc: add support for the new 'raw' table -+ [ Jozsef Kadlecsik ] -+ -+Please note: Since version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic/) -+ -+ -+iptables v1.2.8 Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+Bugs Fixed from 1.2.7a: -+ -+- fix ip6tables-save function of 'length' match -+ [ 
Gerry Skerbitz ] -+- fix ip6tables-save function of 'mac' match -+ [ Kristian Gronfeldt Sorensen ] -+- fix iptables-save function of 'ULOG' target -+ [ Jimmy Hedman ] -+- fix iptables-save function of 'conntrack' match -+ [ Lutz Pressler ] -+- fix iptables-save function of 'length' match -+ [ Gerry Skerbitz ] -+- fix iptables-save function of 'mac' match -+ [ Kristian Gronfeldt Sorense ] -+- fix iptables-save function of 'mark' match -+ [ Harald Welte ] -+- fix iptables-save function of 'owner' match -+ [ Costa Tsaousis ] -+- fix iptables-save function of 'pool' match -+ [ Oskar Berggren ] -+- fix iptables-save function of 'tcpmss' match -+ [ Michael Schwendt ] -+- fix iptables-save function of 'tos' match -+ [ Harald Welte ] -+- fix save/print function of 'connmark' match -+ [ Harald Welte ] -+- fix error message when invalid TCP flag is specified with 'tcp' match -+ [ Aaron Sethman ] -+ -+Changes from 1.2.7a: -+ -+- updated version of the ROUTE target -+ [ Cedric de Launois ] -+- updated version of the 'recent' match -+ [ Stephen Frost ] -+- update the RPC conntrack match, extend it to support filtering on procedures -+ [ Ian (Larry) Latter ] -+- add support for hexstrings to the 'string' match -+ [ Michael Rash ] -+- have iptables-restore print the line number in case of an error -+ [ Illes Marci ] -+- big iptables.8 manpage update -+ [ Herve Eychenne ] -+- print loglevel human-readable in ip6tables 'LOG' target -+ [ Michael Schwendt ] -+- print loglevel human-readable in 'LOG' target -+ [ Michael Schwendt ] -+- remove bogus code from 'ecn' match -+ [ Stephane Ouellette ] -+- be more specific in help message of 'helper' match -+ [ Herve Eychenne ] -+- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead -+ of 'any' -+ [ Harald Welte ] -+- fix iptables rename-chain option -+ [ Maciej Soltysiak ] -+- remove libipulog from iptables since it is distributed with ulogd -+ [ Harald Welte ] -+- support new ip6tables 'HL' target -+ [ Maciej 
Soltysiak ] -+- support new ip6tables 'condition' match -+ [ Stephane Ouellette ] -+- support new ip6tables 'fuzzy' match -+ [ Maciej Soltysiak ] -+- support new ip6tables 'hoplimit' match -+ [ Maciej Soltysiak ] -+- support new iptables 'CLASSIFY' target -+ [ unknown ] -+- support new iptables TARPIT target -+ [ Aaron Hopkins ] -+- support new iptables 'condition' match -+ [ Stephane Ouellette ] -+- support new iptables 'fuzzy' match -+ [ Hime Junior ] -+- support new iptables 'physdev' match (for 2.5.x bridging) -+ [ Bart de Schumyer ] -+- support new iptables 'u32' match (based on u32 tc filter) -+ [ Don Cohen ] -+ -+Please note: As of version 1.2.7a, patch-o-matic is now no longer part of -+iptables but rather distributed as a seperate package -+(ftp://ftp.netfilter.org/pupatch-o-matic/) -+ -+ -+iptables v1.2.7a (== fixed 1.2.7) Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+Bugs Fixed from 1.2.6a: -+ -+- fix compiler warning in userspace support for ipv6 REJECT target -+ [ Fabrice Marie ] -+- check for invalid portranges in tcp+udp helper (e.g. 2000:100) -+ [ Thomas Poehnitz ] -+- fix save save/restore functions of ip6tables tcp/udp extension -+ [ Harald Welte / Andras Kis-Szabo ] -+- check for invalid (out of range) nfmark values in MARK target -+ [ Alexey ??? ] -+- fix save function of MASQUERADE userspace support -+ [ A. van Schie ] -+- compile fixes for userspace suppot of experimental POOL target -+ [ ? ] -+- fix save function of userspace support for ah and esp match -+ [ ? ] -+- fix static build (NO_SHARED_LIBS) -+ [ Roberto Nibali ] -+- fix save/restore function of userspace support for mport match -+ [ Bob Hockney ] -+- update manpages to reflect recent changes -+ [ Herve Eychenne, Harald Welte ] -+- remove all remnants of the 'check' option -+ [ ? 
] -+ -+ -+Changes from 1.2.6a: -+ -+- patch-o-matic is now no longer part of iptables but rather distributed -+ as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic/) -+ [ Harald Welte ] -+- userspace support for dscp match and target -+ [ Harald Welte ] -+- userspace supprot for ecn match and target -+ [ Harald Welte ] -+- userspace support for helper match -+ [ Martin Josefsson ] -+- userspace supprot for conntrack match -+ [ Marc Boucher ] -+- userspace support for pkttype match -+ [ Martin Ludvig ] -+- userspace support for experimental ROUTE target -+ [ Cédric de Launois ] -+- userspace support for experimental ipv6 ahesp match -+ [ Andras Kis-Szabo ] -+- userspace support for experimental ipv6 option header match -+ [ Andras Kis-Szabo ] -+- userspace support for experimental ipv6 routing header match -+ [ Andras Kis-Szabo ] -+- add matching of process name to userspace support of owner match -+ [ Marc Boucher ] -+- new version of userspace support for 'recent' match -+ [ Stephen Frost ] -+ -+ -+iptables v1.2.6a (== fixed 1.2.6) Changelog -+====================================================================== -+This version requires kernel >= 2.4.4 -+This version recommends kernel >= 2.4.18 -+ -+Bugs Fixed from 1.2.5: -+ -+- Fix iptables segfault problem when using `!' 
without argument
-+ [ Dionis Papavramidis, Harald Welte ]
-+- Fix PSD match for psd-delay-threshold > 100
-+ [ Steven Coenen, Dennis Koslowski ]
-+- ip6tables alignment fixes
-+ [ Andreas Herrmann ]
-+- patch-o-matic:
-+ - Fix NAT-related bug in TCP window tracking code
-+ [ Jozsef Kadlecsik ]
-+ - Fix support for DNAT of locally-originated connections (NAT in
-+ LOCAL_OUT)
-+ [ Henrik Nordstrom, Harald Welte ]
-+ - Fix string match (is now SMP safe)
-+ [ Gianni Tedesco ]
-+ - Fix TFTP conntrack/nat helper (now also catches first packet)
-+ [ Magnus Boden ]
-+
-+Changes from 1.2.5:
-+
-+- Added global PREFIX makefile variable for all paths
-+ [ Harald Welte ]
-+- If compiled without any COPT_FLAGS, debugging is disabled. To enable
-+ debugging, use -DIPTC_DEBUG
-+ [ Harald Welte ]
-+- New ip6tables-restore and ip6tables-save manpage
-+ [ Andras Kis-Szabo ]
-+- Sync ip6tables-restore and ip6tables-save with iptables-restore
-+ [ Andras Kis-Szabo ]
-+- Sync ip6tables with iptables
-+ [ Andras Kis-Szabo ]
-+- mangle table attaches now to all five netfilter hooks
-+ [ Brad Chapman, Harald Welte ]
-+- iptables and ip6tables manpage updates
-+ [ Herve Eychenne ]
-+- patch-o-matic program now supports removal of already-applied patches
-+ [ Bob Hockney ]
-+- patch-o-matic program now supports patches to the userspace extensions
-+ [ Fabrice Marie ]
-+- patch-o-matic:
-+ - Extend recent match to support multiple recent lists
-+ [ Stephen Frost ]
-+ - New GRE and PPTP connection tracking and NAT helper
-+ [ Harald Welte ]
-+ - New CONNMARK target for marking all packets within one connection
-+ [ Henrik Nordstrom ]
-+ - New conntrack match, enables matching on more conntrack informatin
-+ than state
-+ [ Marc Boucher ]
-+ - New DSCP match and target (DSCP header field obsoletes TOS)
-+ [ Harald Welte ]
-+ - New owner match extension: Match on process name
-+ [ Marc Boucher ]
-+ - Add support for bitwise AND / OR manipulation on nfmark
-+ [ Fabrice Marie ]
-+ - New
experimental patch for disabling TCP connection tracking pickup
-+ [ Harald Welte ]
-+ - Add support for SACK in all NAT helpers
-+ [ Harald Welte ]
-+ - Make eggdrop botnet connection tracking support work with eggdrop
-+ v1.6.x
-+ [ Magnus Sandin ]
-+ - Add support to REJECT for sending icmp-unreachable messages
-+ from a fake source address
-+ [ Fabrice Marie ]
-+ - Add support for ntalk2 to talk NAT helper
-+ [ Jozsef Kadlecsik ]
-+ - Big update to newnat patch
-+ [ Jozsef Kadlecsik, Paul P Komkoff ]
-+
-+iptables v1.2.6 Changelog
-+======================================================================
-+This version requires kernel >= 2.4.4
-+This version recommends kernel >= 2.4.18
-+
-+Bugs Fixed from 1.2.5:
-+
-+- Fix iptables segfault problem when using `!' without argument
-+ [ Dionis Papavramidis, Harald Welte ]
-+- Fix PSD match for psd-delay-threshold > 100
-+ [ Steven Coenen, Dennis Koslowski ]
-+- ip6tables alignment fixes
-+ [ Andreas Herrmann ]
-+- patch-o-matic:
-+ - Fix NAT-related bug in TCP window tracking code
-+ [ Jozsef Kadlecsik ]
-+ - Fix support for DNAT of locally-originated connections (NAT in
-+ LOCAL_OUT)
-+ [ Henrik Nordstrom, Harald Welte ]
-+ - Fix string match (is now SMP safe)
-+ [ Gianni Tedesco ]
-+ - Fix TFTP conntrack/nat helper (now also catches first packet)
-+ [ Magnus Boden ]
-+
-+Changes from 1.2.5:
-+
-+- Added global PREFIX makefile variable for all paths
-+ [ Harald Welte ]
-+- If compiled without any COPT_FLAGS, debugging is disabled.
To enable
-+ debugging, use -DIPTC_DEBUG
-+ [ Harald Welte ]
-+- New ip6tables-restore and ip6tables-save manpage
-+ [ Andras Kis-Szabo ]
-+- Sync ip6tables-restore and ip6tables-save with iptables-restore
-+ [ Andras Kis-Szabo ]
-+- Sync ip6tables with iptables
-+ [ Andras Kis-Szabo ]
-+- mangle table attaches now to all five netfilter hooks
-+ [ Brad Chapman, Harald Welte ]
-+- iptables and ip6tables manpage updates
-+ [ Herve Eychenne ]
-+- patch-o-matic program now supports removal of already-applied patches
-+ [ Bob Hockney ]
-+- patch-o-matic program now supports patches to the userspace extensions
-+ [ Fabrice Marie ]
-+- patch-o-matic:
-+ - Extend recent match to support multiple recent lists
-+ [ Stephen Frost ]
-+ - New GRE and PPTP connection tracking and NAT helper
-+ [ Harald Welte ]
-+ - New CONNMARK target for marking all packets within one connection
-+ [ Henrik Nordstrom ]
-+ - New conntrack match, enables matching on more conntrack informatin
-+ than state
-+ [ Marc Boucher ]
-+ - New DSCP match and target (DSCP header field obsoletes TOS)
-+ [ Harald Welte ]
-+ - New owner match extension: Match on process name
-+ [ Marc Boucher ]
-+ - Add support for bitwise AND / OR manipulation on nfmark
-+ [ Fabrice Marie ]
-+ - New experimental patch for disabling TCP connection tracking pickup
-+ [ Harald Welte ]
-+ - Add support for SACK in all NAT helpers
-+ [ Harald Welte ]
-+ - Make eggdrop botnet connection tracking support work with eggdrop
-+ v1.6.x
-+ [ Magnus Sandin ]
-+ - Add support to REJECT for sending icmp-unreachable messages
-+ from a fake source address
-+ [ Fabrice Marie ]
-+ - Add support for ntalk2 to talk NAT helper
-+ [ Jozsef Kadlecsik ]
-+ - Big update to newnat patch
-+ [ Jozsef Kadlecsik, Paul P Komkoff ]
-+
-+
-+iptables v1.2.5 Changelog
-+======================================================================
-+This version requires kernel >= 2.4.4
-+This version recommends kernel > 2.4.14
-+
-+Bugs Fixed from 1.2.4:
-+
-+- make
iptables-restore accept --table as well as -t option
-+ [ Andreas Ferber ]
-+- make iptables-restore -v / --verbose option work
-+ [ Marc Boucher ]
-+- fix iptables-save problems with saving "ppp+" style interface wildcards
-+ [ Harald Welte ]
-+- make iptables accept '_' and '.' in interface names
-+ [ Harald Welte ]
-+- Kernel bugfixes in patch-o-matic:
-+ - Fix IRC NAT srcaddr fix (we used to nat DCC connectios to the
-+ address of the IRC server
-+ [ Bob Hockney ]
-+ - Fix potential Oops in TOS target module
-+ [ Edward Killips ]
-+ - Fix problem when raw socket has cloned skb while netfilter doing
-+ payload modification
-+ [ Rusty Russell ]
-+ - Fix memory leak in ipchains redirect code
-+ [ Rusty Russell ]
-+ - Fix reintroduced ECN problem with unclean match
-+ [ Guillaume Morin ]
-+ - Fix MAC adress match problem with small udp packets
-+ [ Harald Welte ]
-+
-+Changes from 1.2.4:
-+
-+- Whole patch-o-matic system restructured - now supports multiple patch
-+ repositories (submitted, pending, base, extra, newnat).
-+ [ Jozsef Kadlecsik ]
-+- Add IPv6 support to the QUEUE target and libipq
-+ [ Fernando Anton / James Morris ]
-+- New patch-o-matic patches:
-+ -New IPV4OPTSSTRIP target to strip IP options
-+ [ Fabrice Marie ]
-+ - New ipv6header match to match IPv6 header options
-+ [ Brad Chapman / Andras Kis-Szabo ]
-+ - New helper match to match RELATED connections on their conntrack
-+ helper
-+ [ Martin Josefsson ]
-+ - New quota match to have fixed IP quotas
-+ [ Sam Johnston ]
-+ - New recent match to match recently seen packets
-+ [ Stephen Frost ]
-+
-+
-+iptables v1.2.4 Changelog
-+======================================================================
-+This version requires kernel >= 2.4.4
-+This version recommends kernel > 2.4.9
-+
-+Bugs Fixed from 1.2.3:
-+
-+- make iptables-restore print error message instead of segfault when
-+ processing broken / wrong input.
-+ [ ]
-+- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target
-+ [ ]
-+- fix iptables-save problems when saving MIRROR rules
-+ [ Harald Welte ]
-+- fix IPv6 ICMP problems [ ]
-+- fix TTL increment in TTL target [ ]
-+- Kernel bugfixes in patch-o-matic:
-+ - Fix printing of inner-packet in ICMP error messages (LOG target)
-+ [ ]
-+ - Decrement TTL when using MIRROR target at PRE_ROUTING [ ]
-+ - fix undiscovered REJECT checkentry() bug (alignment)
-+ [ Bert Hubert]
-+
-+Changes from 1.2.3:
-+
-+- New "make most-of-pom" feature for application of non-confliction
-+ patches. This should be used instead of "make patch-o-matic" by most
-+ users.
-+ [ Harald Welte ]
-+- iptables-save and iptables-restore now included in the default install;
-+ They are n - longer experimental for quite some time.
-+ [ Harald Welte ]
-+- synchronize ip6tables-save/restore with iptables-save/restore
-+ [ Harald Welte ]
-+- more precise save() function for ipt_limit rates
-+ [ ]
-+- new improved version of nth-match. Added support for multiple counters,
-+ added support for matching on individual packets in the counter cycle
-+ [ Richard Wagner ]
-+- added manpage for ip6tables
-+ [ ]
-+- updated libipq documentation
-+ [ ]
-+- added timeout t - libipq recv function
-+ [ ]
-+- New patch-o-matic patches:
-+ - New random match
-+ [ ]
-+ - New ftp-fxp patch, imposes security risk but some people need it -sigh*
-+ [ Magnus Sandin ]
-+ - New H323 conntrack + nat modules
-+ [ Jozsef Kadlecsik ]
-+ - New version of tcp-window tracking patch, includes sysctl()
-+ changeable timeouts
-+ [ Jozsef Kadlecsik ]
-+
-+
-+iptables v1.2.3 Changelog
-+======================================================================
-+This version requires kernel 2.4.4 or above.
-+This version recommends kernel 2.4.9 or above.
-+
-+Bugs Fixed from 1.2.2:
-+
-+- fix ICMPv6 support for IPv6
-+ [ Kis-Szab - Andras ]
-+- fix problems with REJECT and iptables-restore / iptables-save
-+ [ Harald Welte ]
-+- fix possible string overflow in psd match
-+ [ Dennis Koslowski ]
-+- fix string match compile problems
-+ [ Gianni Tedesc - ]
-+- support interfaces with '_' (underscore) in device names
-+ [ Harald Welte ]
-+- support rules without target in iptables-save
-+ [ Emmanuel Fleury ]
-+- correct handling of "eth+" type interface names in iptables-save/restore
-+ [ Harald Welte ]
-+- d - incremental checksumming when altering TTL in TTL target
-+ [ Harald Welte ]
-+- fix no-srr case in ipv4options match
-+ [ Fabrice Marie ]
-+- Kernel bugfixes in patch-o-matic:
-+ - Fix unexported ip6_table symbols [ Brad Chapman ]
-+ - Decrement TTL in MIRROR target if used in FORWARD chain [ Harald
-+ Welte, Fabian Melzow ]
-+ - Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT)
-+ [ Guillaume Morin ]
-+
-+Changes from 1.2.2:
-+
-+- New "make most-of-pom" feature for application of non-confliction
-+ patches. This should be used instead of "make patch-o-matic" by most
-+ users.
-+ [ Harald Welte ]
-+- support for statically linking iptables, without need for .s - plugins
-+ [ David McCullough ]
-+- support for multiple ranges in SAME target
-+ [ Martin Josefsson ]
-+- support for router alert options in ipv4options match
-+ [ Fabrice Marie ]
-+- modprobe() modules when doing iptables-restore
-+ [ Andries van Schie ]
-+- remove obsolete fragment matching code in IPv6
-+ [ Kis-Szab - Andras ]
-+- add support for dns hostnames t - IPv6 code
-+ [ Kis-Szab - Andras ]
-+- New patch-o-matic patches:
-+ - New multiport (mport) match
-+ [ Andreas Ferber ]
-+ - New nth match for matching every n-th packet
-+ [ Fabrice Marie ]
-+ - New realm match for matchin the routing realm
-+ [ Sampsa Ranta ]
-+ - New ctnetlink patch for manipulation of conntrack from userspace
-+ [ Jay Schulist ]
-+ - New REJECT Target for IPv6
-+ [ Harald Welte ]
-+ - New length match for IPv6
-+ [ Imran Patel ]
-+ - New multiport (mport) match for IPv6
-+ [ Andreas Ferber]
-+
-+
-+iptables v1.2.1 Changelog
-+======================================================================
-+This version requires kernel 2.4.0 or above.
-+
-+Bugs Fixed from 1.2:
-+
-+- Missing quotes around log-prefix
-+ [ Bart Theunissen ]
-+- Bug in save function of string match
-+ [ Gianni Tedesc - ]
-+- ip6tables.c string buffer size fixes
-+ [ Andras Kis-Szab - ]
-+- dependency problem with iptables-save / iptables-restore
-+ [ Harald Welte ]
-+- strtok problem with iptables-save / iptables-restore
-+ [ Harald Welte ]
-+- Problems with tcp/udp extension and multiple calls of do_command()
-+ [ Sven Koch ]
-+- Kernel bugfixes in patch-o-matic:
-+ - Updated rpc-record patch to work with 2.4.0
-+ [ Marc Boucher ]
-+ - New ftp-pasv patch for fixing PASV detection with some ftpd's
-+ [ Erik Hensema ]
-+ - Fix checksum calculation of TOS target
-+ [ Rusty Russell ]
-+
-+Changes from 1.2:
-+
-+- New `pending-patches' target
-+ [ Rusty Russell ]
-+- build all shared library extensions regardless of kernel tree
-+ [ Rusty Russell ]
-+- New counter-restore functions for iptables
-+ [ Harald Welte ]
-+- Added libiptc and libipulog t - `devel' Makefile target
-+ [ Harald Welte ]
-+- Ported iptables-save/restore t - IPv6
-+ [ Andras Kis-Szab - ]
-+- Updated ULOG target (now in-kernel accumulation [= higher performance])
-+ [ Harald Welte ]
-+- Added fxp support t - ftp-multi patch
-+ [ Magnus Sandin ]
-+- Implemented Boyer Moore Sublinear search algorithm for string match
-+ [ Gianni Tedesc - ]
-+- Fixed tcp-window-tracking incompatibility with NAT helpers
-+ [ Harald Welte ]
-+- New patch-o-matic patches:
-+ - New generic sequence number offset API for nat helpers
-+ [ Harald Welte ]
-+ - New psd (port-scan-detection) match
-+ [ Dennis Koslowski, Markus Henning ]
-+ - New NETLINK target for old ipchains -o behaviour
-+ [ Gianni Tedesc - ]
-+ - New SAME target as a special case of SNAT
-+ [ Martin Josefsson ]
-+ - Ported LOG target to IPv6
-+ [ Jan Rekorajski ]
-+ - Ported owner, limit, mac and multiport match to IPv6
-+ [ Jan Rekorajski ]
-+
-+
-+iptables v1.2.2 Changelog
-+======================================================================
-+This version requires kernel 2.4.1 or above.
-+This version recommends kernel 2.4.4 or above.
-+
-+Bugs Fixed from 1.2.1a:
-+
-+- fixes for SAME Target
-+ [ Martin Josefsson ]
-+- fixes for iplimit match in combination with iptables-save/-restore
-+ [ Gerd Knorr ]
-+- fix for TCP match in combination with iptables-save/-restore
-+ [ Ian Lynagh ]
-+- iptables-restore now deals correclty with spaces in --log-prefix
-+ [ Harald Welte ]
-+- fix in 'isapplied' script. It used t - give false negatives
-+ [ Harald Welte ]
-+- fix in BALANCE target, target now uses full ip address range
-+ [ Martin Josefsson ]
-+- fix for NETLINK target, was sending wrong interface name
-+ [ Gianni Tedesc - ]
-+- fix for collision of ftp and irc NAT helpers
-+ [ Harald Welte ]
-+- ip6tables brought in sync with iptables
-+ [ Kis-Szab - Andras ]
-+- Kernel bugfixes in patch-o-matic:
-+ - Fix possible security vulnerability in ip_conntrack_ftp
-+ [ Cristian - Lincoln Mattos, James Morris and Rusty ]
-+
-+Changes from 1.2.1a:
-+
-+- libiptc should now be usable from C++ applications
-+ [ Fabrice MAURIE ]
-+- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch
-+ [ Rusty Russell ]
-+- lots of old pre-2.4.1 patches now combined in 2.4.1.patch
-+ [ Rusty Russel ]
-+- IRC conntrack + nat cleanup
-+ [ Harald Welte ]
-+- string match cleanup
-+ [ Gianni Tedesc - ]
-+- ULOG cleanup, new version.
Fixes 'unable t - send nflink' bug
-+ [ Harald Welte ]
-+- New patch-o-matic patches:
-+ - New NETMAP Target for mapping whole networks 1:1 to other addresses
-+ [ Svenning Soerensen ]
-+ - New length Target for matching packet length
-+ [ James Morris ]
-+ - New ipv4options match for matching IPv4 header options
-+ [ Fabrice MARIE ]
-+ - New IPv6 agr match for matching IPv6 global aggregatable unicast
-+ adresses
-+ [ Andras Kis-Szab - ]
-+ - New pkttype match for matching link-layer multicast / broadcast
-+ packets
-+ [ Michal Ludvig ]
-+ - New time match for matching the packet's receive time
-+ [ Fabrice MARIE ]
-+ - New talk conntack + NAT helper module
-+ [ Jozsef Kadlecsik ]
-+
-+
-+iptables v1.2 Changelog
-+======================================================================
-+This version requires 2.4.0-test9 or above.
-+
-+Bugs Fixed from 1.1.2:
-+
-+- Now default installs int - /usr/local/sbin, not /usr/local/bin.
-+- Only does IPv6 compilation on libc6.
-+- More header fixes for weird header combos.
-+- ip6tables now refers t - "icmpv6" protocol, not "icmp".
-+ [ Harald Welte ]
-+- IPPROTO_ESP and AH defined in iptables for primitive headers.
-+- iptables multiple-DNS resolve fixed
-+ [ Harald Welte, Rusty ]
-+- Kernel bugfixes in patch-o-matic:
-+ - IPv6 netfilter fixes
-+ [ Harald Welte ]
-+ - Masquerade with fwmark routing fix
-+ - Dynamic hashsize optimization (NAT) + `hashsize=' module parameter.
-+ - NAT overlap fix
-+ - PPC/Sparc mangle table fix.
-+
-+Changes from 1.1.2:
-+
-+- New `install-devel' target
-+ [ James Morris ]
-+- libipq now has man pages!
-+ [ James Morris ]
-+- iptables-save and iptables-restore added (with man pages!)
-+ [ Harald Welte ]
-+- iptables now inserts modules if CONFIG_KMOD or --modprobe
-+ [ Harald Welte, Rusty ]
-+- New `experimental' and `install-experimental' targets.
-+- `--reject-with=echo-reply' removed in anticipation of the removal of
-+ kernel support.
-+- ttl match enhancements (greater or less than tests)
-+ [ Harald Welte ]
-+- Reworked patch-o-matic interface, t - force reading of help.
-+- patch-o-matic updated for new 2.4 Makefiles
-+ [ Daniel Stone, Harald Welte ]
-+- patch-o-matic now supports non-IPv4 netfilter patches
-+ [ Harald Welte ]
-+- New patch-o-matic patches:
-+ - eggdrop bot connection tracking
-+ [ Magnus Sandin ]
-+ - FTOS target for full ToS mangling.
-+ [ Matthew G. Marsh ]
-+ - BALANCE target for simple load-balancing.
-+ - iplimit match for limiting number of connections.
-+ [ Gerd Knorr ]
-+ - IPv6 MARK target
-+ [ Harald Welte ]
-+ - IPv6 mark match
-+ [ Harald Welte ]
-+
-+
-+iptables v1.1.2 Changelog
-+======================================================================
-+This version requires 2.4.0-test9 or above.
-+
-+Bugs Fixed from 1.1.1:
-+
-+- Adding rules on UltraSparc now works
-+- string_to_number now handles overflow
-+ [ Jan Echternach ]
-+- Bug when using ridiculous rule numbers fixed
-+
-+Changes from 1.1.1:
-+
-+- patch-o-matic system added:
-+ - TTL alteration and ttl matching support -- Harald Welte
-+ - AH/ESP matching support -- Yon Uriarte
-+ - DROPPED table support -- Rusty
-+ - ftp-multi patch for non-standard ftp servers -- Harald Welte
-+ - IRC connection tracking & NAT -- Harald Welte
-+ - pool match and POOL target -- Patrick
-+ - RPC recording patch -- Marcelo Barbosa Lima
-+ - SNMP NAT support -- James Morris
-+ - string match for looking in packet's data -- Emmanuel Roger
-+ - tcp-MSS target for altering MSS -- Marc Boucher
-+ - ULOG target for advanced logging -- Harald Welte
-+- Minor const cleanups
-+ [ Jan Echternach ]
-+- iptables.8 updates
-+ [ Harald Welte, Rusty ]
-+- Better warnings for non-existant matches/missing libraries
-+ [ Harald Welte ]
-+- Improved isapplied script
diff -Nru iptables-1.4.4/debian/patch/0102-howtos.patch iptables-1.4.10/debian/patch/0102-howtos.patch
--- iptables-1.4.4/debian/patch/0102-howtos.patch 2011-06-15
19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0102-howtos.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,5742 +0,0 @@
-Index: b/howtos/NAT-HOWTO.sgml
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ b/howtos/NAT-HOWTO.sgml 2008-07-12 09:31:16.487122996 -0400
-@@ -0,0 +1,609 @@
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+Linux 2.4 NAT HOWTO
-+<author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt>
-+<date>$Revision: 1.18 $ $Date: 2002/01/14 09:35:13 $
-+<abstract>
-+This document describes how to do masquerading, transparent proxying,
-+port forwarding, and other forms of Network Address Translations with
-+the 2.4 Linux Kernels.
-+</abstract>
-+
-+<!-- Table of contents -->
-+<toc>
-+
-+<!-- Begin the document -->
-+
-+<sect>Introduction<label id="intro">
-+
-+<p>
-+Welcome, gentle reader.
-+
-+<p>
-+You are about to delve into the fascinating (and sometimes horrid)
-+world of NAT: Network Address Translation, and this HOWTO is going to
-+be your somewhat accurate guide to the 2.4 Linux Kernel and beyond.
-+
-+<p>In Linux 2.4, an infrastructure for mangling packets was
-+introduced, called `netfilter'. A layer on top of this provides NAT,
-+completely reimplemented from previous kernels.
-+
-+<p>(C) 2000 Paul `Rusty' Russell. Licensed under the GNU GPL.
-+
-+<sect>Where is the official Web Site and List?
-+
-+<p>There are three official sites:
-+<itemize>
-+<item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">.
-+<item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">.
-+<item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">.
-+</itemize>
-+
-+<p>You can reach all of them using round-robin DNS via
-+<url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org/">
-+
-+<p>For the official netfilter mailing list, see
-+<url url="http://www.netfilter.org/contact.html#list" name="netfilter List">.
-+
-+<sect1>What is Network Address Translation?
-+
-+<p>
-+Normally, packets on a network travel from their source (such as your
-+home computer) to their destination (such as www.gnumonks.org)
-+through many different links: about 19 from where I am in Australia.
-+None of these links really alter your packet: they just send it
-+onward.
-+
-+<p>
-+If one of these links were to do NAT, then they would alter the source
-+or destinations of the packet as it passes through. As you can
-+imagine, this is not how the system was designed to work, and hence
-+NAT is always something of a crock. Usually the link doing NAT will
-+remember how it mangled a packet, and when a reply packet passes
-+through the other way, it will do the reverse mangling on that reply
-+packet, so everything works.
-+
-+<sect1>Why Would I Want To Do NAT?
-+
-+<p>In a perfect world, you wouldn't. Meanwhile, the main reasons are:
-+
-+<descrip>
-+<tag/Modem Connections To The Internet/ Most ISPs give you a single IP
-+address when you dial up to them. You can send out packets with any
-+source address you want, but only replies to packets with this source
-+IP address will return to you. If you want to use multiple different
-+machines (such as a home network) to connect to the Internet through
-+this one link, you'll need NAT.
-+
-+<p>This is by far the most common use of NAT today, commonly known as
-+`masquerading' in the Linux world. I call this SNAT, because you
-+change the <bf>source</bf> address of the first packet.
-+
-+<tag/Multiple Servers/ Sometimes you want to change where packets
-+heading into your network will go. Frequently this is because (as
-+above), you have only one IP address, but you want people to be able
-+to get into the boxes behind the one with the `real' IP address. If
-+you rewrite the destination of incoming packets, you can manage this.
-+This type of NAT was called port-forwarding under previous versions of
-+Linux.
-+
-+<p>A common variation of this is load-sharing, where the mapping
-+ranges over a set of machines, fanning packets out to them. If you're
-+doing this on a serious scale, you may want to look at
-+
-+<url url="http://linuxvirtualserver.org/" name="Linux Virtual Server">.
-+
-+<tag/Transparent Proxying/ Sometimes you want to pretend that each
-+packet which passes through your Linux box is destined for a program
-+on the Linux box itself. This is used to make transparent proxies: a
-+proxy is a program which stands between your network and the outside
-+world, shuffling communication between the two. The transparent part
-+is because your network won't even know it's talking to a proxy,
-+unless of course, the proxy doesn't work.
-+
-+<p>Squid can be configured to work this way, and it is called
-+redirection or transparent proxying under previous Linux versions.
-+</descrip>
-+
-+<sect>The Two Types of NAT
-+
-+<p>I divide NAT into two different types: <bf>Source NAT</bf> (SNAT)
-+and <bf>Destination NAT</bf> (DNAT).
-+
-+<p>Source NAT is when you alter the source address of the first
-+packet: i.e. you are changing where the connection is coming from.
-+Source NAT is always done post-routing, just before the packet goes
-+out onto the wire. Masquerading is a specialized form of SNAT.
-+
-+<p>Destination NAT is when you alter the destination address of the
-+first packet: i.e. you are changing where the connection is going to.
-+Destination NAT is always done before routing, when the packet first
-+comes off the wire. Port forwarding, load sharing, and transparent
-+proxying are all forms of DNAT.
-+
-+<sect>Quick Translation From 2.0 and 2.2 Kernels
-+
-+<p>Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to
-+2.2 (ipchains) transition. There's good and bad news.
-+
-+<p>Firstly, you can simply use ipchains and ipfwadm as before. To do
-+this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel
-+modules found in the latest netfilter distribution. These are
-+mutually exclusive (you have been warned), and should not be combined
-+with any other netfilter modules.
-+
-+<p>Once one of these modules is installed, you can use ipchains and
-+ipfwadm as normal, with the following differences:
-+
-+<itemize>
-+<item> Setting the masquerading timeouts with ipchains -M -S, or
-+ ipfwadm -M -s does nothing. Since the timeouts are longer for
-+ the new NAT infrastructure, this should not matter.
-+
-+<item> The init_seq, delta and previous_delta fields in the verbose
-+ masquerade listing are always zero.
-+
-+<item> Zeroing and listing the counters at the same time `-Z -L' does
-+ not work any more: the counters will not be zeroed.
-+
-+<item> The backward compatibility layer doesn't scale very well for
-+ large numbers of connections: don't use it for your corporate
-+ gateway!
-+</itemize>
-+
-+Hackers may also notice:
-+
-+<itemize>
-+<item> You can now bind to ports 61000-65095 even if you're
-+ masquerading. The masquerading code used to assume anything
-+ in this range was fair game, so programs couldn't use it.
-+
-+<item> The (undocumented) `getsockname' hack, which transparent proxy
-+ programs could use to find out the real destinations of
-+ connections no longer works.
-+
-+<item> The (undocumented) bind-to-foreign-address hack is also not
-+ implemented; this was used to complete the illusion of
-+ transparent proxying.
-+
-+</itemize>
-+
-+<sect1> I just want masquerading! Help!
-+
-+<p>This is what most people want. If you have a dynamically allocated
-+IP PPP dialup (if you don't know, this is you), you simply want to
-+tell your box that all packets coming from your internal network
-+should be made to look like they are coming from the PPP dialup box.
-+
-+<tscreen><verb>
-+# Load the NAT module (this pulls in all the others).
-+modprobe iptable_nat
-+
-+# In the NAT table (-t nat), Append a rule (-A) after routing
-+# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
-+# MASQUERADE the connection (-j MASQUERADE).
-+iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-+
-+# Turn on IP forwarding
-+echo 1 > /proc/sys/net/ipv4/ip_forward
-+</verb></tscreen>
-+
-+Note that you are not doing any packet filtering here: for that, see
-+the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'.
-+
-+<sect1> What about ipmasqadm?
-+
-+<p>This is a much more niche user base, so I didn't worry about
-+backward compatibility as much. You can simply use `iptables -t nat'
-+to do port forwarding. So for example, in Linux 2.2 you might have
-+done:
-+
-+<tscreen><verb>
-+# Linux 2.2
-+# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
-+ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
-+</verb></tscreen>
-+
-+Now you would do:
-+
-+<tscreen><verb>
-+# Linux 2.4
-+# Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that
-+# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
-+# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
-+# (--to 192.168.1.1:80).
-+iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
-+ -j DNAT --to 192.168.1.1:80
-+</verb></tscreen>
-+
-+<sect>Controlling What To NAT
-+
-+<p>You need to create NAT rules which tell the kernel what connections
-+to change, and how to change them. To do this, we use the very
-+versatile <tt>iptables</tt> tool, and tell it to alter the NAT table by
-+specifying the `-t nat' option.
-+
-+<p>The table of NAT rules contains three lists called `chains': each
-+rule is examined in order until one matches. The two chains are
-+called PREROUTING (for Destination NAT, as packets first come in), and
-+POSTROUTING (for Source NAT, as packets leave). The third (OUTPUT)
-+will be ignored here.
-+
-+<p>The following diagram would illustrate it quite well if I had any
-+artistic talent:
-+
-+<tscreen><verb>
-+ _____ _____
-+ / \ / \
-+ PREROUTING -->[Routing ]----------------->POSTROUTING----->
-+ \D-NAT/ [Decision] \S-NAT/
-+ | ^
-+ | |
-+ | |
-+ | |
-+ | |
-+ | |
-+ | |
-+ --------> Local Process ------
-+</verb></tscreen>
-+
-+At each of the points above, when a packet passes we look up what
-+connection it is associated with. If it's a new connection, we look
-+up the corresponding chain in the NAT table to see what to do with it.
-+The answer it gives will apply to all future packets on that
-+connection.
-+
-+<sect1>Simple Selection using iptables
-+
-+<p><tt>iptables</tt> takes a number of standard options as listed
-+below. All the double-dash options can be abbreviated, as long as
-+<tt>iptables</tt> can still tell them apart from the other possible
-+options. If your kernel has iptables support as a module, you'll need
-+to load the ip_tables.o module first: `insmod ip_tables'.
-+
-+<p>The most important option here is the table selection option, `-t'.
-+For all NAT operations, you will want to use `-t nat' for the NAT
-+table. The second most important option to use is `-A' to append a
-+new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to
-+insert one at the beginning (e.g. `-I PREROUTING').
-+
-+<p>You can specify the source (`-s' or `--source') and destination
-+(`-d' or `--destination') of the packets you want to NAT. These
-+options can be followed by a single IP address (e.g. 192.168.1.1), a
-+name (e.g. www.gnumonks.org), or a network address
-+(e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).
-+
-+<p>You can specify the incoming (`-i' or `--in-interface') or outgoing
-+(`-o' or `--out-interface') interface to match, but which you can
-+specify depends on which chain you are putting the rule into: at
-+PREROUTING you can only select incoming interface, and at POSTROUTING
-+you can only select outgoing interface.
If you use the
-+wrong one, <tt>iptables</tt> will give an error.
-+
-+<sect1>Finer Points Of Selecting What Packets To Mangle
-+
-+<p>I said above that you can specify a source and destination address.
-+If you omit the source address option, then any source address will
-+do. If you omit the destination address option, then any destination
-+address will do.
-+
-+<p>You can also indicate a specific protocol (`-p' or `--protocol'),
-+such as TCP or UDP; only packets of this protocol will match the rule.
-+The main reason for doing this is that specifying a protocol of tcp or
-+udp then allows extra options: specifically the `--source-port' and
-+`--destination-port' options (abbreviated as `--sport' and `--dport').
-+
-+<p>These options allow you to specify that only packets with a certain
-+source and destination port will match the rule. This is useful for
-+redirecting web requests (TCP port 80 or 8080) and leaving other
-+packets alone.
-+
-+<p>These options must follow the `-p' option (which has a side-effect
-+of loading the shared library extension for that protocol). You can
-+use port numbers, or a name from the /etc/services file.
-+
-+<p>All the different qualities you can select a packet by are detailed
-+in painful detail in the manual page (<tt>man iptables</tt>).
-+
-+<sect>Saying How To Mangle The Packets
-+
-+<p>So now we know how to select the packets we want to mangle. To
-+complete our rule, we need to tell the kernel exactly what we want it
-+to do to the packets.
-+
-+<sect1>Source NAT
-+
-+<p>You want to do Source NAT; change the source address of connections
-+to something different. This is done in the POSTROUTING chain, just
-+before it is finally sent out; this is an important detail, since it
-+means that anything else on the Linux box itself (routing, packet
-+filtering) will see the packet unchanged. It also means that the `-o'
-+(outgoing interface) option can be used.
-+
-+<p>Source NAT is specified using `-j SNAT', and the `--to-source'
-+option specifies an IP address, a range of IP addresses, and an
-+optional port or range of ports (for UDP and TCP protocols only).
-+
-+<tscreen><verb>
-+## Change source addresses to 1.2.3.4.
-+# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
-+
-+## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
-+# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
-+
-+## Change source addresses to 1.2.3.4, ports 1-1023
-+# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
-+</verb></tscreen>
-+
-+<sect2>Masquerading
-+
-+<p>There is a specialized case of Source NAT called masquerading: it
-+should only be used for dynamically-assigned IP addresses, such as
-+standard dialups (for static IP addresses, use SNAT above).
-+
-+<p>You don't need to put in the source address explicitly with
-+masquerading: it will use the source address of the interface the
-+packet is going out from. But more importantly, if the link goes
-+down, the connections (which are now lost anyway) are forgotten,
-+meaning fewer glitches when connection comes back up with a new IP
-+address.
-+
-+<tscreen><verb>
-+## Masquerade everything out ppp0.
-+# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-+</verb></tscreen>
-+
-+<sect1>Destination NAT
-+
-+<p>This is done in the PREROUTING chain, just as the packet comes in;
-+this means that anything else on the Linux box itself (routing, packet
-+filtering) will see the packet going to its `real' destination. It
-+also means that the `-i' (incoming interface) option can be used.
-+
-+<p>Destination NAT is specified using `-j DNAT', and the
-+`--to-destination' option specifies an IP address, a range of IP
-+addresses, and an optional port or range of ports (for UDP and TCP
-+protocols only).
-+
-+<tscreen><verb>
-+## Change destination addresses to 5.6.7.8
-+# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
-+
-+## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
-+# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
-+
-+## Change destination addresses of web traffic to 5.6.7.8, port 8080.
-+# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
-+ -j DNAT --to 5.6.7.8:8080
-+</verb></tscreen>
-+
-+<sect2>Redirection
-+
-+<p>There is a specialized case of Destination NAT called redirection:
-+it is a simple convenience which is exactly equivalent to doing DNAT
-+to the address of the incoming interface.
-+
-+<tscreen><verb>
-+## Send incoming port-80 web traffic to our squid (transparent) proxy
-+# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-+ -j REDIRECT --to-port 3128
-+</verb></tscreen>
-+
-+Note that squid needs to be configured to know it's a transparent proxy!
-+
-+<sect1>Mappings In Depth
-+
-+<p>There are some subtleties to NAT which most people will never have
-+to deal with. They are documented here for the curious.
-+
-+<sect2>Selection Of Multiple Addresses in a Range
-+
-+<p>If a range of IP addresses is given, the IP address to use is
-+chosen based on the least currently used IP for connections the
-+machine knows about. This gives primitive load-balancing.
-+
-+<sect2>Creating Null NAT Mappings
-+
-+<p>You can use the `-j ACCEPT' target to let a connection through
-+without any NAT taking place.
-+
-+<sect2>Standard NAT Behavior
-+
-+<p>The default behavior is to alter the connection as little as
-+possible, within the constraints of the rule given by the user. This
-+means we won't remap ports unless we have to.
-+
-+<sect2>Implicit Source Port Mapping
-+
-+<p>Even when no NAT is requested for a connection, source port
-+translation may occur implicitly, if another connection has been
-+mapped over the new one. Consider the case of masquerading, which
-+is rather common:
-+
-+<enum>
-+<item> A web connection is established by a box 192.1.1.1 from port
-+ 1024 to www.netscape.com port 80.
-+
-+<item> This is masqueraded by the masquerading box to use its source
-+ IP address (1.2.3.4).
-+
-+<item> The masquerading box tries to make a web connection to
-+ www.netscape.com port 80 from 1.2.3.4 (its external interface
-+ address) port 1024.
-+
-+<item> The NAT code will alter the source port of the second
-+ connection to 1025, so that the two don't clash.
-+</enum>
-+
-+<p>When this implicit source mapping occurs, ports are divided into
-+three classes:
-+<itemize>
-+<item> Ports below 512
-+<item> Ports between 512 and 1023
-+<item> Ports 1024 and above.
-+</itemize>
-+
-+A port will never be implicitly mapped into a different class.
-+
-+<sect2>What Happens When NAT Fails
-+
-+<p>If there is no way to uniquely map a connection as the user
-+requests, it will be dropped. This also applies to packets which
-+could not be classified as part of any connection, because they are
-+malformed, or the box is out of memory, etc.
-+
-+<sect2>Multiple Mappings, Overlap and Clashes
-+
-+<p>You can have NAT rules which map packets onto the same range; the
-+NAT code is clever enough to avoid clashes. Hence having two rules
-+which map the source address 192.168.1.1 and 192.168.1.2 respectively
-+onto 1.2.3.4 is fine.
-+
-+<p>Furthermore, you can map over real, used IP addresses, as long as
-+those addresses pass through the mapping box as well. So if you have
-+an assigned network (1.2.3.0/24), but have one internal network using
-+those addresses and one using the Private Internet Addresses
-+192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses
-+onto the 1.2.3.0 network, without fear of clashing:
-+
-+<tscreen><verb>
-+# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
-+ -j SNAT --to 1.2.3.0/24
-+</verb></tscreen>
-+
-+<p>The same logic applies to addresses used by the NAT box itself:
-+this is how masquerading works (by sharing the interface address
-+between masqueraded packets and `real' packets coming from the box
-+itself).
-+
-+<p>Moreover, you can map the same packets onto many different targets,
-+and they will be shared. For example, if you don't want to map
-+anything over 1.2.3.5, you could do:
-+
-+<tscreen><verb>
-+# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
-+ -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254
-+</verb></tscreen>
-+
-+<sect2>Altering the Destination of Locally-Generated Connections
-+
-+<p>The NAT code allows you to insert DNAT rules in the OUTPUT chain,
-+but this is not fully supported in 2.4 (it can be, but it requires a
-+new configuration option, some testing, and a fair bit of coding, so
-+unless someone contracts Rusty to write it, I wouldn't expect it
-+soon).
-+
-+<p>The current limitation is that you can only change the destination
-+to the local machine (e.g. `j DNAT --to 127.0.0.1'), not to any other
-+machine, otherwise the replies won't be translated correctly.
-+
-+<sect>Special Protocols
-+
-+<p>Some protocols do not like being NAT'ed. For each of these
-+protocols, two extensions must be written; one for the connection
-+tracking of the protocol, and one for the actual NAT.
-+
-+<p>Inside the netfilter distribution, there are currently modules for
-+ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into
-+your kernel (or you compile them in permanently), then doing any kind
-+of NAT on ftp connections should work. If you don't, then you can
-+only use passive ftp, and even that might not work reliably if you're
-+doing more than simple Source NAT.
-+
-+<sect>Caveats on NAT
-+
-+<p>If you are doing NAT on a connection, all packets passing
-+<bf>both</bf> ways (in and out of the network) must pass through the
-+NAT'ed box, otherwise it won't work reliably. In particular, the
-+connection tracking code reassembles fragments, which means that not
-+only will connection tracking not be reliable, but your packets may
-+not get through at all, as fragments will be withheld.
-+
-+<sect>Source NAT and Routing
-+
-+<p>If you are doing SNAT, you will want to make sure that every
-+machine the SNAT'ed packets goes to will send replies back to the NAT
-+box. For example, if you are mapping some outgoing packets onto the
-+source address 1.2.3.4, then the outside router must know that it is
-+to send reply packets (which will have <bf>destination</bf> 1.2.3.4)
-+back to this box. This can be done in the following ways:
-+
-+<enum>
-+<item> If you are doing SNAT onto the box's own address (for which
-+ routing and everything already works), you don't need to do
-+ anything.
-+
-+<item> If you are doing SNAT onto an unused address on the local LAN
-+ (for example, you're mapping onto 1.2.3.99, a free IP on your
-+ 1.2.3.0/24 network), your NAT box will need to respond to ARP
-+ requests for that address as well as its own: the easiest way
-+ to do this is create an IP alias, e.g.:
-+<tscreen><verb>
-+# ip address add 1.2.3.99 dev eth0
-+</verb></tscreen>
-+
-+<item> If you are doing SNAT onto a completely different address, you
-+ will have to ensure that the machines the SNAT packets will hit
-+ will route this address back to the NAT box. This is already
-+ achieved if the NAT box is their default gateway, otherwise you
-+ will need to advertise a route (if running a routing protocol)
-+ or manually add routes to each machine involved.
-+</enum>
-+
-+<sect>Destination NAT Onto the Same Network
-+
-+<p>If you are doing port forwarding back onto the same network, you
-+need to make sure that both future packets and reply packets pass
-+through the NAT box (so they can be altered). The NAT code will now
-+(since 2.4.0-test6), block the outgoing ICMP redirect which is
-+produced when the NAT'ed packet heads out the same interface it came
-+in on, but the receiving server will still try to reply directly to
-+the client (which won't recognize the reply).
-+
-+<p>The classic case is that internal staff try to access your `public'
-+web server, which is actually DNAT'ed from the public address
-+(1.2.3.4) to an internal machine (192.168.1.1), like so:
-+
-+<tscreen><verb>
-+# iptables -t nat -A PREROUTING -d 1.2.3.4 \
-+ -p tcp --dport 80 -j DNAT --to 192.168.1.1
-+</verb></tscreen>
-+
-+<p>One way is to run an internal DNS server which knows the real
-+(internal) IP address of your public web site, and forward all other
-+requests to an external DNS server. This means that the logging on
-+your web server will show the internal IP addresses correctly.
-+
-+<p>The other way is to have the NAT box also map the source IP address
-+to its own for these connections, fooling the server into replying
-+through it. In this example, we would do the following (assuming the
-+internal IP address of the NAT box is 192.168.1.250):
-+
-+<tscreen><verb>
-+# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
-+ -p tcp --dport 80 -j SNAT --to 192.168.1.250
-+</verb></tscreen>
-+
-+Because the <bf>PREROUTING</bf> rule gets run first, the packets will
-+already be destined for the internal web server: we can tell which
-+ones are internally sourced by the source IP addresses.
-+
-+<sect>Thanks
-+
-+<p>Thanks first to WatchGuard, and David Bonn, who believed in the
-+netfilter idea enough to support me while I worked on it.
-+
-+<p>And to everyone else who put up with my ranting as I learnt about
-+the ugliness of NAT, especially those who read my diary.
-+
-+<p>Rusty.
-+</article>
-Index: b/howtos/netfilter-extensions-HOWTO.sgml
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ b/howtos/netfilter-extensions-HOWTO.sgml 2008-07-12 09:31:16.488121917 -0400
-@@ -0,0 +1,1781 @@
-+<!doctype linuxdoc system>
-+
-+<!-- This is the Netfilter Extensions HOWTO.
-+ -->
-+
-+<article>
-+
-+<!-- Title information -->
-+
-+<title>Netfilter Extensions HOWTO
-+Fabrice MARIE <fabrice@netfilter.org>, mailing list netfilter-devel@lists.samba.org
-+$Revision: 1.28 $
-+
-+This document describes how to install and use current iptables extensions for netfilter.
-+
-+
-+
-+
-+
-+
-+
-+Introduction
-Index: b/howtos/netfilter-hacking-HOWTO.sgml
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ b/howtos/netfilter-hacking-HOWTO.sgml 2008-07-12 09:31:16.490121756 -0400
-@@ -0,0 +1,1978 @@
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+Linux netfilter Hacking HOWTO
-+<author>Rusty Russell and Harald Welte, mailing list <tt>netfilter@lists.samba.org</tt>
-+<date>$Revision: 1.14 $ $Date: 2002/07/02 04:07:19 $
-+<abstract>
-+This document describes the netfilter architecture for Linux, how to
-+hack it, and some of the major systems which sit on top of it, such as
-+packet filtering, connection tracking and Network Address Translation.
-+</abstract>
-+
-+<!-- Table of contents -->
-+<toc>
-+
-+<!-- Begin the document -->
-+
-+<sect>Introduction<label id="intro">
-+
-+<p>
-+Hi guys.
-+
-+<p>
-+This document is a journey; some parts are well-traveled, and in
-+other areas you will find yourself almost alone. The best advice I
-+can give you is to grab a large, cozy mug of coffee or hot chocolate,
-+get into a comfortable chair, and absorb the contents before venturing
-+out into the sometimes dangerous world of network hacking.
-+
-+<p>For more understanding of the use of the infrastructure on top of
-+the netfilter framework, I recommend reading the Packet Filtering
-+HOWTO and the NAT HOWTO. For information on kernel programming I
-+suggest Rusty's Unreliable Guide to Kernel Hacking and Rusty's
-+Unreliable Guide to Kernel Locking.
-+
-+<p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL.
-+
-+<sect1>What is netfilter?
-+
-+<p>
-+netfilter is a framework for packet mangling, outside the normal
-+Berkeley socket interface. It has four parts. Firstly, each protocol
-+defines "hooks" (IPv4 defines 5) which are well-defined points in a
-+packet's traversal of that protocol stack. At each of these points,
-+the protocol will call the netfilter framework with the packet and the
-+hook number.
-+
-+<p>
-+Secondly, parts of the kernel can register to listen to the different
-+hooks for each protocol. So when a packet is passed to the netfilter
-+framework, it checks to see if anyone has registered for that protocol
-+and hook; if so, they each get a chance to examine (and possibly
-+alter) the packet in order, then discard the packet
-+(<tt>NF_DROP</tt>), allow it to pass (<tt>NF_ACCEPT</tt>), tell
-+netfilter to forget about the packet (<tt>NF_STOLEN</tt>), or ask
-+netfilter to queue the packet for userspace (<tt>NF_QUEUE</tt>).
-+
-+<p>
-+The third part is that packets that have been queued are collected (by
-+the ip_queue driver) for sending to userspace; these packets are
-+handled asynchronously.
-+
-+<p>
-+The final part consists of cool comments in the code and
-+documentation. This is instrumental for any experimental project.
-+The netfilter motto is (stolen shamelessly from Cort Dougan):
-+
-+<tscreen><verb>
-+ ``So... how is this better than KDE?''
-+</verb></tscreen>
-+
-+<p>(This motto narrowly edged out `Whip me, beat me, make me use
-+ipchains').
-+
-+<p>
-+In addition to this raw framework, various modules have been written
-+which provide functionality similar to previous (pre-netfilter)
-+kernels, in particular, an extensible NAT system, and an extensible
-+packet filtering system (iptables).
-+
-+<sect1>What's wrong with what we had in 2.0 and 2.2?
-+
-+<p>
-+<enum>
-+<item>No infrastructure established for passing packet to userspace:
-+<itemize>
-+<item>Kernel coding is hard
-+<item>Kernel coding must be done in C/C++
-+<item>Dynamic filtering policies do not belong in kernel
-+<item> 2.2 introduced copying packets to userspace via netlink, but
-+ reinjecting packets is slow, and subject to `sanity' checks.
-+ For example, reinjecting packet claiming to come from an
-+ existing interface is not possible.
-+</itemize>
-+
-+<item>Transparent proxying is a crock:
-+
-+<itemize>
-+
-+<item> We look up <bf>every</bf> packet to see if there is a socket
-+bound to that address
-+
-+<item> Root is allowed to bind to foreign addresses
-+
-+<item> Can't redirect locally-generated packets
-+
-+<item> REDIRECT doesn't handle UDP replies: redirecting UDP named
-+packets to 1153 doesn't work because some clients don't like replies
-+coming from anything other than port 53.
-+
-+<item> REDIRECT doesn't coordinate with tcp/udp port allocation: a
-+user may get a port shadowed by a REDIRECT rule.
-+
-+<item>Has been broken at least twice during 2.1 series.
-+
-+<item>Code is extremely intrusive. Consider the stats on the number
-+of #ifdef CONFIG_IP_TRANSPARENT_PROXY in 2.2.1: 34 occurrences in 11
-+files. Compare this with CONFIG_IP_FIREWALL, which has 10 occurrences
-+in 5 files.
-+</itemize>
-+
-+<item>Creating packet filter rules independent of interface addresses
-+ is not possible:
-+
-+<itemize>
-+<item>Must know local interface addresses to distinguish
-+locally-generated or locally-terminating packets from through
-+packets.
-+
-+<item>Even that is not enough in cases of redirection or
-+masquerading.
-+
-+<item>Forward chain only has information on outgoing interface,
-+meaning you have to figure where a packet came from using knowledge of
-+the network topography.
-+</itemize>
-+
-+<item>Masquerading is tacked onto packet filtering:<p>
-+ Interactions between packet filtering and masquerading make firewalling
-+ complex:
-+<itemize>
-+<item>At input filtering, reply packets appear to be destined for box itself
-+<item>At forward filtering, demasqueraded packets are not seen at all
-+<item>At output filtering, packets appear to come from local box
-+</itemize>
-+
-+<item>TOS manipulation, redirect, ICMP unreachable and mark (which can
-+effect port forwarding, routing, and QoS) are tacked onto packet
-+filter code as well.
-+
-+<item>ipchains code is neither modular, nor extensible (eg. MAC
-+address filtering, options filtering, etc).
-+
-+<item>Lack of sufficient infrastructure has led to a profusion of
-+different techniques:
-+<itemize>
-+<item>Masquerading, plus per-protocol modules
-+<item>Fast static NAT by routing code (doesn't have per-protocol handling)
-+<item>Port forwarding, redirect, auto forwarding
-+<item>The Linux NAT and Virtual Server Projects.
-+</itemize>
-+
-+<item>Incompatibility between CONFIG_NET_FASTROUTE and packet filtering:
-+<itemize>
-+<item>Forwarded packets traverse three chains anyway
-+<item>No way to tell if these chains can be bypassed
-+</itemize>
-+
-+<item>Inspection of packets dropped due to routing protection
-+(eg. Source Address Verification) not possible.
-+
-+<item>No way of atomically reading counters on packet filter rules.
-+
-+<item>CONFIG_IP_ALWAYS_DEFRAG is a compile-time option, making life
-+difficult for distributions who want one general-purpose kernel.
-+
-+</enum>
-+
-+<sect1>Who are you?
-+
-+<p>
-+I'm the only one foolish enough to do this. As ipchains co-author and
-+current Linux Kernel IP Firewall maintainer, I see many of the
-+problems that people have with the current system, as well as getting
-+exposure to what they are trying to do.
-+
-+<sect1>Why does it crash?
-+
-+<p>
-+Woah! You should have seen it <bf>last</bf> week!
-+
-+<p>
-+Because I'm not as great a programmer as we might all wish, and I
-+certainly haven't tested all scenarios, because of lack of time,
-+equipment and/or inspiration. I do have a testsuite, which I
-+encourage you to contribute to.
-+
-+<sect>Where Can I Get The Latest?
-+
-+<p>There is a CVS server on netfilter.org which contains the latest
-+HOWTOs, userspace tools and testsuite. For casual browsing, you
-+can use the
-+<url url="http://cvs.netfilter.org/" name="Web Interface">.
-+
-+To grab the latest sources, you can do the following:
-+
-+<enum>
-+<item> Log in to the netfilter CVS server anonymously:
-+<tscreen><verb>
-+cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
-+</verb></tscreen>
-+<item> When it asks you for a password type `cvs'.
-+<item> Check out the code using:
-+<tscreen><verb>
-+# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace
-+</verb></tscreen>
-+<item> To update to the latest version, use
-+<tscreen><verb>
-+cvs update -d -P
-+</verb></tscreen>
-+</enum>
-+
-+<sect>Netfilter Architecture
-+
-+<p>Netfilter is merely a series of hooks in various points in a
-+protocol stack (at this stage, IPv4, IPv6 and DECnet). The
-+(idealized) IPv4 traversal diagram looks like the following:
-+
-+<tscreen><verb>
-+A Packet Traversing the Netfilter System:
-+
-+ --->[1]--->[ROUTE]--->[3]--->[4]--->
-+ | ^
-+ | |
-+ | [ROUTE]
-+ v |
-+ [2] [5]
-+ | ^
-+ | |
-+ v |
-+</verb></tscreen><label id="netfilter-traversal">
-+
-+On the left is where packets come in: having passed the simple sanity
-+checks (i.e., not truncated, IP checksum OK, not a promiscuous receive),
-+they are passed to the netfilter framework's NF_IP_PRE_ROUTING [1] hook.
-+
-+<p>
-+Next they enter the routing code, which decides whether the packet is
-+destined for another interface, or a local process. The routing code
-+may drop packets that are unroutable.
-+
-+<p>
-+If it's destined for the box itself, the netfilter framework is called
-+again for the NF_IP_LOCAL_IN [2] hook, before being passed to the
-+process (if any).
-+
-+<p>
-+If it's destined to pass to another interface instead, the netfilter
-+framework is called for the NF_IP_FORWARD [3] hook.
-+
-+<p>
-+The packet then passes a final netfilter hook, the NF_IP_POST_ROUTING
-+[4] hook, before being put on the wire again.
-+
-+<p>
-+The NF_IP_LOCAL_OUT [5] hook is called for packets that are created
-+locally. Here you can see that routing occurs after this hook is
-+called: in fact, the routing code is called first (to figure out the
-+source IP address and some IP options): if you want to alter the
-+routing, you must alter the `skb->dst' field yourself, as is done in
-+the NAT code.
-+
-+<sect1>Netfilter Base
-+<p>
-+Now we have an example of netfilter for IPv4, you can see when each
-+hook is activated. This is the essence of netfilter.
-+
-+<p>
-+Kernel modules can register to listen at any of these hooks. A module
-+that registers a function must specify the priority of the function
-+within the hook; then when that netfilter hook is called from the core
-+networking code, each module registered at that point is called in the
-+order of priorites, and is free to manipulate the packet. The
-+module can then tell netfilter to do one of five things:
-+
-+<enum>
-+<item> NF_ACCEPT: continue traversal as normal.
-+<item> NF_DROP: drop the packet; don't continue traversal.
-+<item> NF_STOLEN: I've taken over the packet; don't continue traversal.
-+<item> NF_QUEUE: queue the packet (usually for userspace handling).
-+<item> NF_REPEAT: call this hook again.
-+</enum>
-+
-+<p>
-+The other parts of netfilter (handling queued packets, cool comments)
-+will be covered in the kernel section later.
-+
-+<p>
-+Upon this foundation, we can build fairly complex packet
-+manipulations, as shown in the next two sections.
-+
-+<sect1>Packet Selection: IP Tables
-+<p>
-+A packet selection system called IP Tables has been built over the
-+netfilter framework. It is a direct descendent of ipchains (that came
-+from ipfwadm, that came from BSD's ipfw IIRC), with extensibility.
-+Kernel modules can register a new table, and ask for a packet to
-+traverse a given table. This packet selection method is used for
-+packet filtering (the `filter' table), Network Address Translation
-+(the `nat' table) and general pre-route packet mangling (the `mangle'
-+table).
-+
-+<p>The hooks that are registered with netfilter are as follows (with
-+the functions in each hook in the order that they are actually
-+called):
-+
-+<tscreen><verb>
-+
-+ --->PRE------>[ROUTE]--->FWD---------->POST------>
-+ Conntrack | Mangle ^ Mangle
-+ Mangle | Filter | NAT (Src)
-+ NAT (Dst) | | Conntrack
-+ (QDisc) | [ROUTE]
-+ v |
-+ IN Filter OUT Conntrack
-+ | Conntrack ^ Mangle
-+ | Mangle | NAT (Dst)
-+ v | Filter
-+</verb></tscreen>
-+
-+<sect2>Packet Filtering
-+
-+<p>
-+This table, `filter', should never alter packets: only filter them.
-+
-+<p>
-+One of the advantages of iptables filter over ipchains is that it is
-+small and fast, and it hooks into netfilter at the NF_IP_LOCAL_IN,
-+NF_IP_FORWARD and NF_IP_LOCAL_OUT points. This means that for any
-+given packet, there is one (and only one) possible place to filter it.
-+This makes things much simpler for users than ipchains was. Also, the
-+fact that the netfilter framework provides both the input and output
-+interfaces for the NF_IP_FORWARD hook means that many kinds of
-+filtering are far simpler.
-+
-+<p>
-+Note: I have ported the kernel portions of both ipchains and ipfwadm
-+as modules on top of netfilter, enabling the use of the old ipfwadm
-+and ipchains userspace tools without requiring an upgrade.
-+
-+<sect2>NAT
-+
-+<p>
-+This is the realm of the `nat' table, which is fed packets from two
-+netfilter hooks: for non-local packets, the NF_IP_PRE_ROUTING and
-+NF_IP_POST_ROUTING hooks are perfect for destination and source
-+alterations respectively. If CONFIG_IP_NF_NAT_LOCAL is defined, the
-+hooks NF_IP_LOCAL_OUT and NF_IP_LOCAL_IN are used for altering the
-+destination of local packets.
-+
-+<p>
-+This table is slightly different from the `filter' table, in that only
-+the first packet of a new connection will traverse the table: the
-+result of this traversal is then applied to all future packets in the
-+same connection.
-+
-+<sect3>Masquerading, Port Forwarding, Transparent Proxying
-+
-+<p>I divide NAT into Source NAT (where the first packet has its source
-+altered), and Destination NAT (the first packet has its destination
-+altered).
-+
-+<p>Masquerading is a special form of Source NAT: port forwarding and
-+transparent proxying are special forms of Destination NAT. These are
-+now all done using the NAT framework, rather than being independent
-+entities.
-+
-+<sect2>Packet Mangling
-+
-+<p>The packet mangling table (the `mangle' table) is used for actual
-+changing of packet information. Example applications are the TOS and
-+TCPMSS targets. The mangle table hooks into all five netfilter hooks.
-+(please note this changed with kernel 2.4.18. Previous kernels didn't
-+have mangle attached to all hooks)
-+
-+<sect1>Connection Tracking
-+<p>
-+Connection tracking is fundamental to NAT, but it is implemented as a
-+separate module; this allows an extension to the packet filtering code
-+to simply and cleanly use connection tracking (the `state' module).
-+
-+<sect1>Other Additions
-+
-+<p>The new flexibility provides both the opportunity to do really
-+funky things, but for people to write enhancements or complete
-+replacements that can be mixed and matched.
-+
-+<sect>Information for Programmers
-+
-+<p>I'll let you in on a secret: my pet hamster did all the coding. I
-+was just a channel, a `front' if you will, in my pet's grand plan.
-+So, don't blame me if there are bugs. Blame the cute, furry one.
-+
-+<sect1>Understanding ip_tables
-+
-+<p>iptables simply provides a named array of rules in memory (hence
-+the name `iptables'), and such information as where packets from each
-+hook should begin traversal. After a table is registered, userspace
-+can read and replace its contents using getsockopt() and setsockopt().
-+
-+<p>iptables does not register with any netfilter hooks: it relies on
-+other modules to do that and feed it the packets as appropriate; a
-+module must register the netfilter hooks and ip_tables separately, and
-+provide the mechanism to call ip_tables when the hook is reached.
-+
-+<sect2> ip_tables Data Structures
-+
-+<p>For convenience, the same data structure is used to represent a
-+rule by userspace and within the kernel, although a few fields are
-+only used inside the kernel.
-+
-+<p>Each rule consists of the following parts:
-+<enum>
-+<item> A `struct ipt_entry'.
-+<item> Zero or more `struct ipt_entry_match' structures, each with a
-+ variable amount (0 or more bytes) of data appended to it.
-+<item> A `struct ipt_entry_target' structure, with a variable amount
-+ (0 or more bytes) of data appended to it.
-+</enum>
-+
-+The variable nature of the rule gives a huge amount of flexibility for
-+extensions, as we'll see, especially as each match or target can carry
-+an arbitrary amount of data. This does create a few traps, however:
-+we have to watch out for alignment. We do this by ensuring that the
-+`ipt_entry', `ipt_entry_match' and `ipt_entry_target' structures are
-+conveniently sized, and that all data is rounded up to the maximal
-+alignment of the machine using the IPT_ALIGN() macro.
-+
-+<p>
-+The `struct ipt_entry' has the following fields:
-+<enum>
-+<item> A `struct ipt_ip' part, containing the specifications for the
-+IP header that it is to match.
-+
-+<item> An `nf_cache' bitfield showing what parts of the packet this
-+rule examined.
-+
-+<item> A `target_offset' field indicating the offset from the
-+beginning of this rule where the ipt_entry_target structure begins.
-+This should always be aligned correctly (with the IPT_ALIGN macro).
-+
-+<item> A `next_offset' field indicating the total size of this rule,
-+including the matches and target. This should also be aligned
-+correctly using the IPT_ALIGN macro.
-+
-+<item> A `comefrom' field used by the kernel to track packet
-+traversal.
-+
-+<item> A `struct ipt_counters' field containing the packet and byte
-+counters for packets which matched this rule.
-+</enum>
-+
-+<p>
-+The `struct ipt_entry_match' and `struct ipt_entry_target' are very
-+similar, in that they contain a total (IPT_ALIGN'ed) length field
-+(`match_size' and `target_size' respectively) and a union holding the
-+name of the match or target (for userspace), and a pointer (for the
-+kernel).
-+
-+<p>
-+Because of the tricky nature of the rule data structure, some helper
-+routines are provided:
-+
-+<descrip>
-+<tag>ipt_get_target()</tag> This inline function returns a pointer to
-+the target of a rule.
-+
-+<tag>IPT_MATCH_ITERATE()</tag> This macro calls the given function for
-+every match in the given rule. The function's first argument is the
-+`struct ipt_match_entry', and other arguments (if any) are those
-+supplied to the IPT_MATCH_ITERATE() macro. The function must return
-+either zero for the iteration to continue, or a non-zero value to
-+stop.
-+
-+<tag>IPT_ENTRY_ITERATE()</tag> This function takes a pointer to an
-+entry, the total size of the table of entries, and a function to call.
-+The functions first argument is the `struct ipt_entry', and other
-+arguments (if any) are those supplied to the IPT_ENTRY_ITERATE()
-+macro. The function must return either zero for the iteration to
-+continue, or a non-zero value to stop.
-+</descrip>
-+
-+<sect2>ip_tables From Userspace
-+
-+<p>Userspace has four operations: it can read the current table, read
-+the info (hook positions and size of table), replace the table (and
-+grab the old counters), and add in new counters.
-+
-+<p>This allows any atomic operation to be simulated by userspace: this
-+is done by the libiptc library, which provides convenience
-+"add/delete/replace" semantics for programs.
-+
-+<p>Because these tables are transferred into kernel space, alignment
-+becomes an issue for machines which have different userspace and
-+kernelspace type rules (eg. Sparc64 with 32-bit userland). These
-+cases are handled by overriding the definition of IPT_ALIGN for these
-+platforms in `libiptc.h'.
-+
-+<sect2> ip_tables Use And Traversal
-+
-+<p>The kernel starts traversing at the location indicated by the
-+particular hook. That rule is examined, if the `struct ipt_ip'
-+elements match, each `struct ipt_entry_match' is checked in turn (the
-+match function associated with that match is called). If the match
-+function returns 0, iteration stops on that rule. If it sets the
-+`hotdrop' parameter to 1, the packet will also be immediately dropped
-+(this is used for some suspicious packets, such as in the tcp match
-+function).
-+
-+<p>If the iteration continues to the end, the counters are
-+incremented, the `struct ipt_entry_target' is examined: if it's a
-+standard target, the `verdict' field is read (negative means a packet
-+verdict, positive means an offset to jump to). If the answer is
-+positive and the offset is not that of the next rule, the `back'
-+variable is set, and the previous `back' value is placed in that
-+rule's `comefrom' field.
-+
-+<p>For non-standard targets, the target function is called: it returns
-+a verdict (non-standard targets can't jump, as this would break the
-+static loop-detection code). The verdict can be IPT_CONTINUE, to
-+continue on to the next rule.
-+
-+<sect1>Extending iptables
-+
-+<p>Because I'm lazy, <tt>iptables</tt> is fairly extensible. This is
-+basically a scam to palm off work onto other people, which is what
-+Open Source is all about (cf. Free Software, which as RMS would say,
-+is about freedom, and I was sitting in one of his talks when I wrote
-+this).
-+
-+<p>Extending <tt>iptables</tt> potentially involves two parts:
-+extending the kernel, by writing a new module, and possibly extending
-+the userspace program <tt>iptables</tt>, by writing a new shared
-+library.
-+
-+<sect2>The Kernel
-+
-+<p>Writing a kernel module itself is fairly simple, as you can see
-+from the examples. One thing to be aware of is that your code must be
-+re-entrant: there can be one packet coming in from userspace, while
-+another arrives on an interrupt. In fact in SMP there can be one
-+packet on an interrupt per CPU in 2.3.4 and above.
-+
-+<p>
-+The functions you need to know about are:
-+
-+<descrip>
-+<tag>init_module()</tag> This is the entry-point of the module. It
-+returns a negative error number, or 0 if it successfully registers
-+itself with netfilter.
-+
-+<tag>cleanup_module()</tag> This is the exit point of the module; it
-+should unregister itself with netfilter.
-+
-+<tag>ipt_register_match()</tag> This is used to register a new match
-+type. You hand it a `struct ipt_match', which is usually declared as
-+a static (file-scope) variable.
-+
-+<tag>ipt_register_target()</tag> This is used to register a new
-+type. You hand it a `struct ipt_target', which is usually declared as
-+a static (file-scope) variable.
-+
-+<tag>ipt_unregister_target()</tag> Used to unregister your target.
-+
-+<tag>ipt_unregister_match()</tag> Used to unregister your match.
-+</descrip>
-+
-+<p>One warning about doing tricky things (such as providing counters)
-+in the extra space in your new match or target. On SMP machines, the
-+entire table is duplicated using memcpy for each CPU: if you really
-+want to keep central information, you should see the method used in
-+the `limit' match.
-+
-+<sect3>New Match Functions
-+
-+<p>New match functions are usually written as a standalone module.
-+It's possible to have these modules extensible in turn, although it's
-+usually not necessary.
One way would be to use the netfilter
-+framework's `nf_register_sockopt' function to allows users to talk to
-+your module directly. Another way would be to export symbols for
-+other modules to register themselves, the same way netfilter and
-+ip_tables do.
-+
-+<p>The core of your new match function is the struct ipt_match which
-+it passes to `ipt_register_match()'. This structure has the following
-+fields:
-+
-+<descrip>
-+<tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'.
-+
-+<tag>name</tag> This field is the name of the match function, as
-+referred to by userspace. The name should match the name of the
-+module (i.e., if the name is "mac", the module must be "ipt_mac.o") for
-+auto-loading to work.
-+
-+<tag>match</tag> This field is a pointer to a match function, which
-+takes the skb, the in and out device pointers (one of which may be
-+NULL, depending on the hook), a pointer to the match data in the rule
-+that is worked on (the structure that was prepared in userspace), the
-+IP offset (non-zero means
-+a non-head fragment), a pointer to the protocol header (i.e., just
-+past the IP header), the length of the data (ie. the packet length
-+minus the IP header length) and finally a pointer to a `hotdrop'
-+variable. It should return non-zero if the packet matches, and can
-+set `hotdrop' to 1 if it returns 0, to indicate that the packet must
-+be dropped immediately.
-+
-+<tag>checkentry</tag> This field is a pointer to a function which
-+checks the specifications for a rule; if this returns 0, then the rule
-+will not be accepted from the user. For example, the "tcp" match type
-+will only accept tcp packets, and so if the `struct ipt_ip' part of
-+the rule does not specify that the protocol must be tcp, a zero is
-+returned.
The tablename argument allows your match to control what
-+tables it can be used in, and the `hook_mask' is a bitmask of hooks
-+this rule may be called from: if your match does not make sense from
-+some netfilter hooks, you can avoid that here.
-+
-+<tag>destroy</tag> This field is a pointer to a function which is
-+called when an entry using this match is deleted. This allows you to
-+dynamically allocate resources in checkentry and clean them up here.
-+
-+<tag>me</tag> This field is set to `THIS_MODULE', which gives a
-+pointer to your module. It causes the usage-count to go up and down
-+as rules of that type are created and destroyed. This prevents a user
-+removing the module (and hence cleanup_module() being called) if a
-+rule refers to it.
-+</descrip>
-+
-+<sect3>New Targets
-+
-+<p>If your target alters the packet (ie. the headers or the body), it
-+must call skb_unshare() to copy the packet in case it is cloned:
-+otherwise any raw sockets which have a clone of the skbuff will see
-+the alterations (ie. people will see wierd stuff happening in
-+tcpdump).
-+
-+<p>New targets are also usually written as a standalone module. The
-+discussions under the above section on `New Match Functions' apply
-+equally here.
-+
-+<p>The core of your new target is the struct ipt_target that it
-+passes to ipt_register_target(). This structure has the following
-+fields:
-+
-+ <descrip>
-+ <tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'.
-+
-+ <tag>name</tag> This field is the name of the target function, as
-+ referred to by userspace. The name should match the name of the
-+ module (i.e., if the name is "REJECT", the module must be
-+ "ipt_REJECT.o") for auto-loading to work.
-+
-+ <tag>target</tag> This is a pointer to the target function, which
-+ takes the skbuff, the hook number, the input and output device
-+ pointers (either of which may be NULL), a pointer to the target data,
-+ and the position of the rule in the table.
The target function may
-+ return either IPT_CONTINUE (-1) if traversing should continue, or a
-+ netfilter verdict (NF_DROP, NF_ACCEPT, NF_STOLEN etc.).
-+
-+ <tag>checkentry</tag> This field is a pointer to a function which
-+ checks the specifications for a rule; if this returns 0, then the
-+ rule will not be accepted from the user.
-+
-+ <tag>destroy</tag> This field is a pointer to a function which is
-+ called when an entry using this target is deleted. This allows you
-+ to dynamically allocate resources in checkentry and clean them up
-+ here.
-+
-+ <tag>me</tag> This field is set to `THIS_MODULE', which gives a
-+ pointer to your module. It causes the usage-count to go up and down
-+ as rules with this as a target are created and destroyed. This
-+ prevents a user removing the module (and hence cleanup_module() being
-+ called) if a rule refers to it.
-+ </descrip>
-+
-+<sect3>New Tables
-+
-+<p>You can create a new table for your specific purpose if you wish.
-+To do this, you call `ipt_register_table()', with a `struct
-+ipt_table', which has the following fields:
-+
-+ <descrip>
-+ <tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'.
-+
-+ <tag>name</tag> This field is the name of the table function, as
-+ referred to by userspace. The name should match the name of the
-+ module (i.e., if the name is "nat", the module must be
-+ "iptable_nat.o") for auto-loading to work.
-+
-+ <tag>table</tag> This is a fully-populated `struct ipt_replace', as
-+ used by userspace to replace a table. The `counters' pointer should
-+ be set to NULL. This data structure can be declared `__initdata' so
-+ it is discarded after boot.
-+
-+ <tag>valid_hooks</tag> This is a bitmask of the IPv4 netfilter hooks
-+ you will enter the table with: this is used to check that those entry
-+ points are valid, and to calculate the possible hooks for ipt_match
-+ and ipt_target `checkentry()' functions.
-+
-+ <tag>lock</tag> This is the read-write spinlock for the entire table;
-+ initialize it to RW_LOCK_UNLOCKED.
-+
-+ <tag>private</tag> This is used internally by the ip_tables code.
-+ </descrip>
-+
-+<sect2>Userspace Tool
-+
-+<p>Now you've written your nice shiny kernel module, you may want to
-+control the options on it from userspace. Rather than have a branched
-+version of <tt>iptables</tt> for each extension, I use the very latest
-+90's technology: furbies. Sorry, I mean shared libraries.
-+
-+<p>New tables generally don't require any extension to
-+<tt>iptables</tt>: the user just uses the `-t' option to make it use
-+the new table.
-+
-+<p>The shared library should have an `_init()' function, which will
-+automatically be called upon loading: the moral equivalent of the
-+kernel module's `init_module()' function. This should call
-+`register_match()' or `register_target()', depending on whether your
-+shared library provides a new match or a new target.
-+
-+<p>You need to provide a shared library: this can be used to
-+initialize part of the structure, or provide additional options. I
-+now insist on a shared library even if it doesn't do anything, to
-+reduce problem reports where the shares libraries are missing.
-+
-+<p>There are useful functions described in the `iptables.h' header,
-+especially:
-+<descrip>
-+<tag>check_inverse()</tag> checks if an argument is actually a `!',
-+and if so, sets the `invert' flag if not already set. If it returns
-+true, you should increment optind, as done in the examples.
-+
-+<tag>string_to_number()</tag> converts a string into a number in the
-+given range, returning -1 if it is malformed or out of range.
-+`string_to_number' rely on `strtol' (see the manpage), meaning
-+that a leading "0x" would make the number be in Hexadecimal base, a leading
-+"0" would make it be in Octal base.
-+
-+<tag>exit_error()</tag> should be called if an error is found.
-+
-+Usually the first argument is `PARAMETER_PROBLEM', meaning the user
-+didn't use the command line correctly.
-+</descrip>
-+
-+<sect3>New Match Functions
-+
-+<p>Your shared library's _init() function hands `register_match()' a
-+pointer to a static `struct iptables_match', which has the following
-+fields:
-+
-+<descrip>
-+<tag>next</tag> This pointer is used to make a linked list of matches
-+(such as used for listing rules). It should be set to NULL initially.
-+
-+<tag>name</tag> The name of the match function. This should match the
-+library name (eg "tcp" for `libipt_tcp.so').
-+
-+<tag>version</tag> Usually set to the IPTABLES_VERSION macro: this is
-+used to ensure that the <tt>iptables</tt> binary doesn't pick up the
-+wrong shared libraries by mistake.
-+
-+<tag>size</tag> The size of the match data for this match; you should
-+use the IPT_ALIGN() macro to ensure it is correctly aligned.
-+
-+<tag>userspacesize</tag> For some matches, the kernel changes some
-+fields internally (the `limit' target is a case of this). This means
-+that a simple `memcmp()' is insufficient to compare two rules
-+(required for delete-matching-rule functionality). If this is the
-+case, place all the fields which do not change at the start of the
-+structure, and put the size of the unchanging fields here. Usually,
-+however, this will be identical to the `size' field.
-+
-+<tag>help</tag> A function which prints out the option synopsis.
-+
-+<tag>init</tag> This can be used to initialize the extra space (if
-+any) in the ipt_entry_match structure, and set any nfcache bits; if
-+you are examining something not expressible using the contents of
-+`linux/include/netfilter_ipv4.h', then simply OR in the NFC_UNKNOWN
-+bit. It will be called before `parse()'.
-+
-+<tag>parse</tag> This is called when an unrecognized option is seen on
-+the command line: it should return non-zero if the option was indeed
-+for your library. `invert' is true if a `!' has already been seen.
-+
-+The `flags' pointer is for the exclusive use of your match library,
-+and is usually used to store a bitmask of options which have been
-+specified. Make sure you adjust the nfcache field. You may extend
-+the size of the `ipt_entry_match' structure by reallocating if
-+necessary, but then you must ensure that the size is passed through
-+the IPT_ALIGN macro.
-+
-+<tag>final_check</tag> This is called after the command line has been
-+parsed, and is handed the `flags' integer reserved for your library.
-+This gives you a chance to check that any compulsory options have been
-+specified, for example: call `exit_error()' if this is the case.
-+
-+<tag>print</tag> This is used by the chain listing code to print (to
-+standard output) the extra match information (if any) for a rule. The
-+numeric flag is set if the user specified the `-n' flag.
-+
-+<tag>save</tag> This is the reverse of parse: it is used by
-+`iptables-save' to reproduce the options which created the rule.
-+
-+<tag>extra_opts</tag> This is a NULL-terminated list of extra options
-+which your library offers. This is merged with the current options
-+and handed to getopt_long; see the man page for details. The return
-+code for getopt_long becomes the first argument (`c') to your
-+`parse()' function.
-+</descrip>
-+
-+There are extra elements at the end of this structure for use
-+internally by <tt>iptables</tt>: you don't need to set them.
-+
-+<sect3>New Targets
-+
-+<p>Your shared library's _init() function hands `register_target()' it
-+a pointer to a static `struct iptables_target', which has similar
-+fields to the iptables_match structure detailed above.
-+
-+<sect2>Using `libiptc'
-+
-+<p><tt>libiptc</tt> is the iptables control library, designed for
-+listing and manipulating rules in the iptables kernel module. While
-+its current use is for the iptables program, it makes writing other
-+tools fairly easy. You need to be root to use these functions.
-+
-+<p>The kernel tables themselves are simply a table of rules, and a set
-+of numbers representing entry points. Chain names ("INPUT", etc) are
-+provided as an abstraction by the library. User defined chains are
-+labelled by inserting an error node before the head of the
-+user-defined chain, which contains the chain name in the extra data
-+section of the target (the builtin chain positions are defined by the
-+three table entry points).
-+
-+<p>The following standard targets are supported: ACCEPT, DROP, QUEUE
-+(which are translated to NF_ACCEPT, NF_DROP, and NF_QUEUE,
-+respectively), RETURN (which is translated to a special IPT_RETURN
-+value handled by ip_tables), and JUMP (which is translated from the
-+chain name to an actual offset within the table).
-+
-+<p>When `iptc_init()' is called, the table, including the counters, is
-+read. This table is manipulated by the `iptc_insert_entry()',
-+`iptc_replace_entry()', `iptc_append_entry()', `iptc_delete_entry()',
-+`iptc_delete_num_entry()', `iptc_flush_entries()',
-+`iptc_zero_entries()', `iptc_create_chain()' `iptc_delete_chain()',
-+and `iptc_set_policy()' functions.
-+
-+<p>The table changes are not written back until the `iptc_commit()'
-+function is called. This means it is possible for two library users
-+operating on the same chain to race each other; locking would be
-+required to prevent this, and it is not currently done.
-+
-+<p>There is no race with counters, however; counters are added back in
-+to the kernel in such a way that counter increments between the
-+reading and writing of the table still show up in the new table.
-+
-+<p>There are various helper functions:
-+
-+<descrip>
-+<tag>iptc_first_chain()</tag> This function returns the first chain
-+name in the table.
-+
-+<tag>iptc_next_chain()</tag> This function returns the next chain name
-+in the table: NULL means no more chains.
-+
-+<tag>iptc_builtin()</tag> Returns true if the given chain name is the
-+name of a builtin chain.
-+
-+<tag>iptc_first_rule()</tag> This returns a pointer to the first rule
-+in the given chain name: NULL for an empty chain.
-+
-+<tag>iptc_next_rule()</tag> This returns a pointer to the next rule in
-+the chain: NULL means the end of the chain.
-+
-+<tag>iptc_get_target()</tag> This gets the target of the given rule. If
-+it's an extended target, the name of that target is returned. If it's
-+a jump to another chain, the name of that chain is returned. If it's
-+a verdict (eg. DROP), that name is returned. If it has no target (an
-+accounting-style rule), then the empty string is returned.
-+
-+<p>Note that this function should be used instead of using the value
-+of the `verdict' field of the ipt_entry structure directly, as it
-+offers the above further interpretations of the standard verdict.
-+
-+<tag>iptc_get_policy()</tag> This gets the policy of a builtin chain,
-+and fills in the `counters' argument with the hit statistics on that
-+policy.
-+
-+<tag>iptc_strerror()</tag> This function returns a more meaningful
-+explanation of a failure code in the iptc library. If a function
-+fails, it will always set errno: this value can be passed to
-+iptc_strerror() to yield an error message.
-+</descrip>
-+
-+<sect1>Understanding NAT
-+
-+<p>Welcome to Network Address Translation in the kernel. Note that
-+the infrastructure offered is designed more for completeness than raw
-+efficiency, and that future tweaks may increase the efficiency
-+markedly. For the moment I'm happy that it works at all.
-+
-+<p>NAT is separated into connection tracking (which doesn't manipulate
-+packets at all), and the NAT code itself. Connection tracking is also
-+designed to be used by an iptables modules, so it makes subtle
-+distinctions in states which NAT doesn't care about.
-+
-+<sect2>Connection Tracking
-+
-+<p>Connection tracking hooks into high-priority NF_IP_LOCAL_OUT and
-+NF_IP_PRE_ROUTING hooks, in order to see packets before they enter the
-+system.
-+
-+<p>The nfct field in the skb is a pointer to inside the struct
-+ip_conntrack, at one of the infos[] array. Hence we can tell the
-+state of the skb by which element in this array it is pointing to:
-+this pointer encodes both the state structure and the relationship of
-+this skb to that state.
-+
-+<p>The best way to extract the `nfct' field is to call
-+`ip_conntrack_get()', which returns NULL if it's not set, or the
-+connection pointer, and fills in ctinfo which describes the
-+relationship of the packet to that connection. This enumerated type
-+has several values:
-+
-+<descrip>
-+
-+<tag>IP_CT_ESTABLISHED</tag> The packet is part of an established
-+connection, in the original direction.
-+
-+<tag>IP_CT_RELATED</tag> The packet is related to the connection, and
-+is passing in the original direction.
-+
-+<tag>IP_CT_NEW</tag> The packet is trying to create a new connection
-+(obviously, it is in the original direction).
-+
-+<tag>IP_CT_ESTABLISHED + IP_CT_IS_REPLY</tag> The packet is part of an
-+established connection, in the reply direction.
-+
-+<tag>IP_CT_RELATED + IP_CT_IS_REPLY</tag> The packet is related to the
-+connection, and is passing in the reply direction.
-+</descrip>
-+
-+Hence a reply packet can be identified by testing for >=
-+IP_CT_IS_REPLY.
-+
-+<sect1>Extending Connection Tracking/NAT
-+
-+<p>These frameworks are designed to accommodate any number of protocols
-+and different mapping types. Some of these mapping types might be
-+quite specific, such as a load-balancing/fail-over mapping type.
-+
-+<p>Internally, connection tracking converts a packet to a "tuple",
-+representing the interesting parts of the packet, before searching for
-+bindings or rules which match it. This tuple has a manipulatable
-+part, and a non-manipulatable part; called "src" and "dst", as this is
-+the view for the first packet in the Source NAT world (it'd be a reply
-+packet in the Destination NAT world).
The tuple for every packet in
-+the same packet stream in that direction is the same.
-+
-+<p>For example, a TCP packet's tuple contains the manipulatable part:
-+source IP and source port, the non-manipulatable part: destination IP
-+and the destination port. The manipulatable and non-manipulatable
-+parts do not need to be the same type though; for example, an ICMP
-+packet's tuple contains the manipulatable part: source IP and the ICMP
-+id, and the non-manipulatable part: the destination IP and the ICMP
-+type and code.
-+
-+<p>Every tuple has an inverse, which is the tuple of the reply packets
-+in the stream. For example, the inverse of an ICMP ping packet, icmp
-+id 12345, from 192.168.1.1 to 1.2.3.4, is a ping-reply packet, icmp id
-+12345, from 1.2.3.4 to 192.168.1.1.
-+
-+<p>These tuples, represented by the `struct ip_conntrack_tuple', are used
-+widely. In fact, together with the hook the packet came in on (which
-+has an effect on the type of manipulation expected), and the device
-+involved, this is the complete information on the packet.
-+
-+<p>Most tuples are contained within a `struct
-+ip_conntrack_tuple_hash', which adds a doubly linked list entry, and a
-+pointer to the connection that the tuple belongs to.
-+
-+<p>A connection is represented by the `struct ip_conntrack': it has
-+two `struct ip_conntrack_tuple_hash' fields: one referring to the
-+direction of the original packet (tuplehash[IP_CT_DIR_ORIGINAL]), and
-+one referring to packets in the reply direction
-+(tuplehash[IP_CT_DIR_REPLY]).
-+
-+<p>Anyway, the first thing the NAT code does is to see if the
-+connection tracking code managed to extract a tuple and find an
-+existing connection, by looking at the skbuff's nfct field; this tells
-+us if it's an attempt on a new connection, or if not, which direction
-+it is in; in the latter case, then the manipulations determined
-+previously for that connection are done.
-+
-+<p>If it was the start of a new connection, we look for a rule for that
-+tuple, using the standard iptables traversal mechanism, on the `nat'
-+table. If a rule matches, it is used to initialize the manipulations
-+for both that direction and the reply; the connection-tracking code is
-+told that the reply it should expect has changed. Then, it's
-+manipulated as above.
-+
-+<p>If there is no rule, a `null' binding is created: this usually does
-+not map the packet, but exists to ensure we don't map another stream
-+over an existing one. Sometimes, the null binding cannot be created,
-+because we have already mapped an existing stream over it, in which
-+case the per-protocol manipulation may try to remap it, even though
-+it's nominally a `null' binding.
-+
-+<sect2>Standard NAT Targets
-+
-+<p>NAT targets are like any other iptables target extensions, except
-+they insist on being used only in the `nat' table. Both the SNAT and
-+DNAT targets take a `struct ip_nat_multi_range' as their extra data;
-+this is used to specify the range of addresses a mapping is allowed to
-+bind into. A range element, `struct ip_nat_range' consists of an
-+inclusive minimum and maximum IP address, and an inclusive maximum and
-+minimum protocol-specific value (eg. TCP ports). There is also room
-+for flags, which say whether the IP address can be mapped (sometimes
-+we only want to map the protocol-specific part of a tuple, not the
-+IP), and another to say that the protocol-specific part of the range
-+is valid.
-+
-+<p>A multi-range is an array of these `struct ip_nat_range' elements;
-+this means that a range could be "1.1.1.1-1.1.1.2 ports 50-55 AND
-+1.1.1.3 port 80". Each range element adds to the range (a union, for
-+those who like set theory).
-+
-+<sect2>New Protocols
-+
-+<sect3> Inside The Kernel
-+
-+<p>Implementing a new protocol first means deciding what the
-+manipulatable and non-manipulatable parts of the tuple should be.
-+
-+Everything in the tuple has the property that it identifies the stream
-+uniquely. The manipulatable part of the tuple is the part you can do
-+NAT with: for TCP this is the source port, for ICMP it's the icmp ID;
-+something to use as a "stream identifier". The non-manipulatable part
-+is the rest of the packet that uniquely identifies the stream, but we
-+can't play with (eg. TCP destination port, ICMP type).
-+
-+<p>Once you've decided this, you can write an extension to the
-+connection-tracking code in the directory, and go about populating the
-+`ip_conntrack_protocol' structure which you need to pass to
-+`ip_conntrack_register_protocol()'.
-+
-+<p>The fields of `struct ip_conntrack_protocol' are:
-+
-+<descrip>
-+<tag>list</tag> Set it to '{ NULL, NULL }'; used to sew you into the list.
-+
-+<tag>proto</tag> Your protocol number; see `/etc/protocols'.
-+
-+<tag>name</tag> The name of your protocol. This is the name the user
-+will see; it's usually best if it's the canonical name in
-+`/etc/protocols'.
-+
-+<tag>pkt_to_tuple</tag> The function which fills out the protocol
-+specific parts of the tuple, given the packet. The `datah' pointer
-+points to the start of your header (just past the IP header), and the
-+datalen is the length of the packet. If the packet isn't long enough
-+to contain the header information, return 0; datalen will always be
-+at least 8 bytes though (enforced by framework).
-+
-+<tag>invert_tuple</tag> This function is simply used to change the
-+protocol-specific part of the tuple into the way a reply to that
-+packet would look.
-+
-+<tag>print_tuple</tag> This function is used to print out the
-+protocol-specific part of a tuple; usually it's sprintf()'d into the
-+buffer provided. The number of buffer characters used is returned.
-+This is used to print the states for the /proc entry.
-+
-+<tag>print_conntrack</tag> This function is used to print the private
-+part of the conntrack structure, if any, also used for printing the
-+states in /proc.
-+
-+<tag>packet</tag> This function is called when a packet is seen which
-+is part of an established connection. You get a pointer to the
-+conntrack structure, the IP header, the length, and the ctinfo. You
-+return a verdict for the packet (usually NF_ACCEPT), or -1 if the
-+packet is not a valid part of the connection. You can delete the
-+connection inside this function if you wish, but you must use the
-+following idiom to avoid races (see ip_conntrack_proto_icmp.c):
-+
-+<tscreen><verb>
-+if (del_timer(&ct->timeout))
-+ ct->timeout.function((unsigned long)ct);
-+</verb></tscreen>
-+
-+<tag>new</tag> This function is called when a packet creates a
-+connection for the first time; there is no ctinfo arg, since the first
-+packet is of ctinfo IP_CT_NEW by definition. It returns 0 to fail to
-+create the connection, or a connection timeout in jiffies.
-+</descrip>
-+
-+Once you've written and tested that you can track your new protocol,
-+it's time to teach NAT how to translate it. This means writing a new
-+module; an extension to the NAT code and go about populating the
-+`ip_nat_protocol' structure which you need to pass to
-+`ip_nat_protocol_register()'.
-+
-+<descrip>
-+<tag>list</tag> Set it to '{ NULL, NULL }'; used to sew you into the list.
-+
-+<tag>name</tag> The name of your protocol. This is the name the user
-+will see; it's best if it's the canonical name in `/etc/protocols' for
-+userspace auto-loading, as we'll see later.
-+
-+<tag>protonum</tag> Your protocol number; see `/etc/protocols'.
-+
-+<tag>manip_pkt</tag> This is the other half of connection tracking's
-+pkt_to_tuple function: you can think of it as "tuple_to_pkt". There
-+are some differences though: you get a pointer to the start of the IP
-+header, and the total packet length.
This is because some protocols
-+(UDP, TCP) need to know the IP header. You're given the
-+ip_nat_tuple_manip field from the tuple (i.e., the "src" field), rather
-+than the entire tuple, and the type of manipulation you are to
-+perform.
-+
-+<tag>in_range</tag> This function is used to tell if manipulatable
-+part of the given tuple is in the given range. This function is a bit
-+tricky: we're given the manipulation type which has been applied to
-+the tuple, which tells us how to interpret the range (is it a source
-+range or a destination range we're aiming for?).
-+
-+<p>This function is used to check if an existing mapping puts us in
-+the right range, and also to check if no manipulation is necessary at
-+all.
-+
-+<tag>unique_tuple</tag> This function is the core of NAT: given a
-+tuple and a range, we're to alter the per-protocol part of the tuple
-+to place it within the range, and make it unique. If we can't find an
-+unused tuple in the range, return 0. We also get a pointer to the
-+conntrack structure, which is required for ip_nat_used_tuple().
-+
-+<p>The usual approach is to simply iterate the per-protocol part of
-+the tuple through the range, checking `ip_nat_used_tuple()' on it,
-+until one returns false.
-+
-+<p>Note that the null-mapping case has already been checked: it's
-+either outside the range given, or already taken.
-+
-+<p>If IP_NAT_RANGE_PROTO_SPECIFIED isn't set, it means that the user
-+is doing NAT, not NAPT: do something sensible with the range. If no
-+mapping is desirable (for example, within TCP, a destination mapping
-+should not change the TCP port unless ordered to), return 0.
-+
-+<tag>print</tag> Given a character buffer, a match tuple and a mask,
-+write out the per-protocol parts and return the length of the buffer
-+used.
-+
-+<tag>print_range</tag> Given a character buffer and a range, write out
-+the per-protocol part of the range, and return the length of the
-+buffer used.
This won't be called if the IP_NAT_RANGE_PROTO_SPECIFIED
-+flag wasn't set for the range.
-+</descrip>
-+
-+<sect2>New NAT Targets
-+
-+<p>This is the really interesting part. You can write new NAT targets
-+which provide a new mapping type: two extra targets are provided in
-+the default package: MASQUERADE and REDIRECT. These are fairly simple
-+to illustrate the potential and power of writing a new NAT target.
-+
-+<p>These are written just like any other iptables targets, but
-+internally they will extract the connection and call
-+`ip_nat_setup_info()'.
-+
-+<sect2>Protocol Helpers
-+
-+<p>Protocol helpers for connection tracking allow the connection
-+tracking code to understand protocols which use multiple network
-+connections (eg. FTP) and mark the `child' connections as being
-+related to the initial connection, usually by reading the related
-+address out of the data stream.
-+
-+<p>Protocol helpers for NAT do two things: firstly allow the NAT code
-+to manipulate the data stream to change the address contained within
-+it, and secondly to perform NAT on the related connection when it
-+comes in, based on the original connection.
-+
-+<sect2>Connection Tracking Helper Modules
-+
-+<sect3>Description
-+<p>
-+The duty of a connection tracking module is to specify which packets
-+belong to an already established connection. The module has the
-+following means to do that:
-+
-+<itemize>
-+<item>Tell netfilter which packets our module is interested in (most
-+helpers operate on a particular port).
-+
-+<item>Register a function with netfilter. This function is called for
-+every packet which matches the criteria above.
-+
-+<item>An `ip_conntrack_expect_related()' function which can be called
-+from there to tell netfilter to expect related connections.</item>
-+</itemize>
-+
-+<p>
-+If there is some additional work to be done at the time the first packet
-+of the expected connection arrives, the module can register a callback
-+function which is called at that time.
-+
-+<sect3>Structures and Functions Available
-+
-+<p>Your kernel module's init function has to call
-+`ip_conntrack_helper_register()' with a pointer to a
-+`struct ip_conntrack_helper'. This struct has the following fields:
-+
-+<descrip>
-+<tag>list</tag>This is the header for the linked list. Netfilter
-+handles this list internally. Just initialize it with `{ NULL, NULL }'.
-+
-+<tag>name</tag>This is a pointer to a string constant specifying the
-+name of the protocol. ("ftp", "irc", ...)
-+
-+<tag>flags</tag>A set of flags with one or more out of the following flgs:
-+<itemize>
-+<item>IP_CT_HELPER_F_REUSE_EXPECT</item>Reuse expectations if the limit (see
-+`max_expected` below) is reached.
-+</itemize>
-+
-+<tag>me</tag>A pointer to the module structure of the helper. Intitialize this with the `THIS_MODULE' macro.
-+
-+<tag>max_expected</tag>Maximum number of unconfirmed (outstanding) expectations.
-+
-+<tag>timeout</tag>Timeout (in seconds) for each unconfirmed expectation. An expectation is deleted `timeout' seconds after the expectation was issued with the `ip_conntrack_expect_related()' function.
-+
-+<tag>tuple</tag>This is a `struct ip_conntrack_tuple' which specifies
-+the packets our conntrack helper module is interested in.
-+
-+<tag>mask</tag>Again a `struct ip_conntrack_tuple'. This mask
-+specifies which bits of <tt>tuple</tt> are valid.
-+
-+<tag>help</tag>The function which netfilter should call for each
-+packet matching tuple+mask
-+</descrip>
-+
-+<sect3>Example skeleton of a conntrack helper module
-+<p>
-+<tscreen><code>
-+#define FOO_PORT 111
-+
-+static int foo_expectfn(struct ip_conntrack *new)
-+{
-+ /* called when the first packet of an expected
-+ connection arrives */
-+
-+ return 0;
-+}
-+
-+static int foo_help(const struct iphdr *iph, size_t len,
-+ struct ip_conntrack *ct,
-+ enum ip_conntrack_info ctinfo)
-+{
-+ /* analyze the data passed on this connection and
-+ decide how related packets will look like */
-+
-+ /* update per master-connection private data
-+ (session state, ...) */
-+ ct->help.ct_foo_info = ...
-+
-+ if (there_will_be_new_packets_related_to_this_connection)
-+ {
-+ struct ip_conntrack_expect exp;
-+
-+ memset(&exp, 0, sizeof(exp));
-+ exp.t = tuple_specifying_related_packets;
-+ exp.mask = mask_for_above_tuple;
-+ exp.expectfn = foo_expectfn;
-+ exp.seq = tcp_sequence_number_of_expectation_cause;
-+
-+ /* per slave-connection private data */
-+ exp.help.exp_foo_info = ...
-+
-+ ip_conntrack_expect_related(ct, &exp);
-+ }
-+ return NF_ACCEPT;
-+}
-+
-+static struct ip_conntrack_helper foo;
-+
-+static int __init init(void)
-+{
-+ memset(&foo, 0, sizeof(struct ip_conntrack_helper);
-+
-+ foo.name = "foo";
-+ foo.flags = IP_CT_HELPER_F_REUSE_EXPECT;
-+ foo.me = THIS_MODULE;
-+ foo.max_expected = 1; /* one expectation at a time */
-+ foo.timeout = 0; /* expectation never expires */
-+
-+ /* we are interested in all TCP packets with destport 111 */
-+ foo.tuple.dst.protonum = IPPROTO_TCP;
-+ foo.tuple.dst.u.tcp.port = htons(FOO_PORT);
-+ foo.mask.dst.protonum = 0xFFFF;
-+ foo.mask.dst.u.tcp.port = 0xFFFF;
-+ foo.help = foo_help;
-+
-+ return ip_conntrack_helper_register(&foo);
-+}
-+
-+static void __exit fini(void)
-+{
-+ ip_conntrack_helper_unregister(&foo);
-+}
-+</code></tscreen>
-+
-+
-+<sect2>NAT helper modules
-+
-+<sect3>Description
-+<p>
-+NAT helper modules do some application specific NAT handling. Usually
-+this includes on-the-fly manipulation of data: think about the PORT
-+command in FTP, where the client tells the server which IP/port to
-+connect to. Therefor an FTP helper module must replace the IP/port
-+after the PORT command in the FTP control connection.
-+
-+<p>
-+If we are dealing with TCP, things get slightly more complicated. The
-+reason is a possible change of the packet size (FTP example: the
-+length of the string representing an IP/port tuple after the PORT
-+command has changed). If we change the packet size, we have a syn/ack
-+difference between left and right side of the NAT box. (i.e. if we had
-+extended one packet by 4 octets, we have to add this offset to the TCP
-+sequence number of each following packet).
-+
-+<p>
-+Special NAT handling of all related packets is required, too.
Take as
-+example again FTP, where all incoming packets of the DATA connection
-+have to be NATed to the IP/port given by the client with the PORT
-+command on the control connection, rather than going through the
-+normal table lookup.
-+
-+<itemize>
-+<item>callback for the packet causing the related connection (foo_help)
-+<item>callback for all related packets (foo_nat_expected)
-+</itemize>
-+
-+<sect3>Structures and Functions Available
-+
-+<p>Your nat helper module's `init()' function calls
-+`ip_nat_helper_register()' with a pointer to a `struct
-+ip_nat_helper'. This struct has the following members:
-+
-+<descrip>
-+<tag>list</tag>Just again the list header for netfilters internal use.
-+Initialize this with { NULL, NULL }.
-+
-+<tag>name</tag>A pointer to a string constant with the protocol's name
-+
-+<tag>flags</tag>A set out of zero, one or more of the following flags:
-+<itemize>
-+<item>IP_NAT_HELPER_F_ALWAYS</item>Call the NAT helper for every packet,
-+not only for packets where conntrack has detected an expectation-cause.
-+<item>IP_NAT_HELPER_F_STANDALONE</item>Tell the NAT core that this protocol
-+doesn't have a conntrack helper, only a NAT helper.
-+</itemize>
-+
-+<tag>me</tag>A pointer to the module structure of the helper. Initialize
-+this using the `THIS_MODULE' macro.
-+
-+<tag>tuple</tag>a `struct ip_conntrack_tuple' describing which packets
-+our NAT helper is interested in.
-+
-+<tag>mask</tag>a `struct ip_conntrack_tuple', telling netfilter which
-+bits of <tt>tuple</tt> are valid.
-+
-+<tag>help</tag>The help function which is called for each packet
-+matching tuple+mask.
-+
-+<tag>expect</tag>The expect function which is called for every first
-+packet of an expected connection.
-+
-+</descrip>
-+
-+This is very similar to writing a connection tracking helper.
-+
-+<sect3>Example NAT helper module
-+<p>
-+<tscreen><code>
-+#define FOO_PORT 111
-+
-+static int foo_nat_expected(struct sk_buff **pksb,
-+ unsigned int hooknum,
-+ struct ip_conntrack *ct,
-+ struct ip_nat_info *info)
-+/* called whenever the first packet of a related connection arrives.
-+ params: pksb packet buffer
-+ hooknum HOOK the call comes from (POST_ROUTING, PRE_ROUTING)
-+ ct information about this (the related) connection
-+ info &ct->nat.info
-+ return value: Verdict (NF_ACCEPT, ...)
-+{
-+ /* Change ip/port of the packet to the masqueraded
-+ values (read from master->tuplehash), to map it the same way,
-+ call ip_nat_setup_info, return NF_ACCEPT. */
-+
-+}
-+
-+static int foo_help(struct ip_conntrack *ct,
-+ struct ip_conntrack_expect *exp,
-+ struct ip_nat_info *info,
-+ enum ip_conntrack_info ctinfo,
-+ unsigned int hooknum,
-+ struct sk_buff **pksb)
-+/* called for every packet where conntrack detected an expectation-cause
-+ params: ct struct ip_conntrack of the master connection
-+ exp struct ip_conntrack_expect of the expectation
-+ caused by the conntrack helper for this protocol
-+ info (STATE: related, new, established, ... )
-+ hooknum HOOK the call comes from (POST_ROUTING, PRE_ROUTING)
-+ pksb packet buffer
-+*/
-+{
-+
-+ /* extract information about future related packets (you can
-+ share information with the connection tracking's foo_help).
-+ Exchange address/port with masqueraded values, insert tuple
-+ about related packets */
-+}
-+
-+static struct ip_nat_helper hlpr;
-+
-+static int __init(void)
-+{
-+ int ret;
-+
-+ memset(&hlpr, 0, sizeof(struct ip_nat_helper));
-+ hlpr.list = { NULL, NULL };
-+ hlpr.tuple.dst.protonum = IPPROTO_TCP;
-+ hlpr.tuple.dst.u.tcp.port = htons(FOO_PORT);
-+ hlpr.mask.dst.protonum = 0xFFFF;
-+ hlpr.mask.dst.u.tcp.port = 0xFFFF;
-+ hlpr.help = foo_help;
-+ hlpr.expect = foo_nat_expect;
-+
-+ ret = ip_nat_helper_register(hlpr);
-+
-+ return ret;
-+}
-+
-+static void __exit(void)
-+{
-+ ip_nat_helper_unregister(&hlpr);
-+}
-+</code></tscreen>
-+
-+<sect1>Understanding Netfilter
-+
-+<p>Netfilter is pretty simple, and is described fairly thoroughly in
-+the previous sections. However, sometimes it's necessary to go
-+beyond what the NAT or ip_tables infrastructure offers, or you may
-+want to replace them entirely.
-+
-+<p>One important issue for netfilter (well, in the future) is caching.
-+Each skb has an `nfcache' field: a bitmask of what fields in the
-+header were examined, and whether the packet was altered or not. The
-+idea is that each hook off netfilter OR's in the bits relevant to it,
-+so that we can later write a cache system which will be clever enough
-+to realize when packets do not need to be passed through netfilter at
-+all.
-+
-+<p>The most important bits are NFC_ALTERED, meaning the packet was
-+altered (this is already used for IPv4's NF_IP_LOCAL_OUT hook, to
-+reroute altered packets), and NFC_UNKNOWN, which means caching should
-+not be done because some property which cannot be expressed was
-+examined. If in doubt, simply set the NFC_UNKNOWN flag on the skb's
-+nfcache field inside your hook.
-+
-+<sect1>Writing New Netfilter Modules
-+
-+<sect2> Plugging Into Netfilter Hooks
-+
-+<p> To receive/mangle packets inside the kernel, you can simply write
-+a module which registers a "netfilter hook".
This is basically an
-+expression of interest at some given point; the actual points are
-+protocol-specific, and defined in protocol-specific netfilter headers,
-+such as "netfilter_ipv4.h".
-+
-+<p> To register and unregister netfilter hooks, you use the functions
-+`nf_register_hook' and `nf_unregister_hook'. These each take a
-+pointer to a `struct nf_hook_ops', which you populate as follows:
-+
-+<descrip>
-+<tag>list</tag> Used to sew you into the linked list: set to '{ NULL,
-+NULL }'
-+
-+<tag>hook</tag> The function which is called when a packet hits this
-+hook point. Your function must return NF_ACCEPT, NF_DROP or NF_QUEUE.
-+If NF_ACCEPT, the next hook attached to that point will be called. If
-+NF_DROP, the packet is dropped. If NF_QUEUE, it's queued. You
-+receive a pointer to an skb pointer, so you can entirely replace the
-+skb if you wish.
-+
-+<tag>flush</tag> Currently unused: designed to pass on packet hits
-+when the cache is flushed. May never be implemented: set it to NULL.
-+
-+<tag>pf</tag> The protocol family, eg, `PF_INET' for IPv4.
-+
-+<tag>hooknum</tag> The number of the hook you are interested in, eg
-+`NF_IP_LOCAL_OUT'.
-+</descrip>
-+
-+<sect2> Processing Queued Packets
-+
-+<p>This interface is currently used by ip_queue; you can register to
-+handle queued packets for a given protocol. This has similar semantics
-+to registering for a hook, except you can block processing the packet,
-+and you only see packets for which a hook has replied `NF_QUEUE'.
-+
-+<p>The two functions used to register interest in queued packets are
-+`nf_register_queue_handler()' and `nf_unregister_queue_handler()'. The
-+function you register will be called with the `void *' pointer you
-+handed it to `nf_register_queue_handler()'.
-+
-+<p>
-+If no-one is registered to handle a protocol, then returning NF_QUEUE
-+is equivalent to returning NF_DROP.
-+
-+<p>
-+Once you have registered interest in queued packets, they begin
-+queueing.
You can do whatever you want with them, but you must call
-+`nf_reinject()' when you are finished with them (don't simply
-+kfree_skb() them). When you reinject an skb, you hand it the skb, the
-+`struct nf_info' which your queue handler was given, and a verdict:
-+NF_DROP causes them to be dropped, NF_ACCEPT causes them to continue
-+to iterate through the hooks, NF_QUEUE causes them to be queued again,
-+and NF_REPEAT causes the hook which queued the packet to be consulted
-+again (beware infinite loops).
-+
-+<p>You can look inside the `struct nf_info' to get auxiliary
-+information about the packet, such as the interfaces and hook it was
-+on.
-+
-+<sect2> Receiving Commands From Userspace
-+
-+<p>It is common for netfilter components to want to interact with
-+userspace. The method for doing this is by using the setsockopt
-+mechanism. Note that each protocol must be modified to call
-+nf_setsockopt() for setsockopt numbers it doesn't understand (and
-+nf_getsockopt() for getsockopt numbers), and so far only IPv4, IPv6
-+and DECnet have been modified.
-+
-+<p>Using a now-familiar technique, we register a `struct
-+nf_sockopt_ops' using the nf_register_sockopt() call. The fields of
-+this structure are as follows:
-+
-+<descrip>
-+<tag>list</tag> Used to sew it into the linked list: set to '{ NULL,
-+NULL }'.
-+
-+<tag>pf</tag> The protocol family you handle, eg. PF_INET.
-+
-+<tag>set_optmin</tag> and
-+<tag>set_optmax</tag>
-+
-+These specify the (exclusive) range of setsockopt numbers handled.
-+Hence using 0 and 0 means you have no setsockopt numbers.
-+
-+<tag>set</tag> This is the function called when the user calls one of
-+your setsockopts. You should check that they have NET_ADMIN
-+capability within this function.
-+
-+<tag>get_optmin</tag> and
-+<tag>get_optmax</tag>
-+
-+These specify the (exclusive) range of getsockopt numbers handled.
-+Hence using 0 and 0 means you have no getsockopt numbers.
-+
-+<tag>get</tag> This is the function called when the user calls one of
-+your getsockopts. You should check that they have NET_ADMIN
-+capability within this function.
-+</descrip>
-+
-+<p>The final two fields are used internally.
-+
-+<sect1>Packet Handling in Userspace
-+
-+<p>Using the libipq library and the `ip_queue' module, almost anything
-+which can be done inside the kernel can now be done in userspace.
-+This means that, with some speed penalty, you can develop your code
-+entirely in userspace. Unless you are trying to filter large
-+bandwidths, you should find this approach superior to in-kernel packet
-+mangling.
-+
-+<p>In the very early days of netfilter, I proved this by porting an
-+embryonic version of iptables to userspace. Netfilter opens the doors
-+for more people to write their own, fairly efficient netmangling
-+modules, in whatever language they want.
-+
-+<sect>Translating 2.0 and 2.2 Packet Filter Modules
-+
-+<p>Look at the ip_fw_compat.c file for a simple layer which should
-+make porting quite simple.
-+
-+<sect>Netfilter Hooks for Tunnel Writers
-+
-+<p>Authors of tunnel (or encapsulation) drivers should follow two
-+simple rules for the 2.4 kernel (as do the drivers inside the kernel,
-+like net/ipv4/ipip.c):
-+
-+<itemize>
-+<item>
-+Release skb->nfct if you're going to make the packet unrecognisable
-+(ie. decapsulating/encapsulating). You don't need to do this if you
-+unwrap it into a *new* skb, but if you're going to do it in place, you
-+must do this.
-+
-+<p>Otherwise: the NAT code will use the old connection tracking
-+information to mangle the packet, with bad consequences.
-+
-+<item>Make sure the encapsulated packets go through the LOCAL_OUT
-+hook, and decapsulated packets go through the PRE_ROUTING hook (most
-+tunnels use ip_rcv(), which does this for you).
-+
-+<p>Otherwise: the user will not be able to filter as they expect to with
-+tunnels.
-+</itemize>
-+
-+<p>The canonical way to do the first is to insert code like the
-+following before you wrap or unwrap the packet:
-+
-+<tscreen><verb>
-+ /* Tell the netfilter framework that this packet is not the
-+ same as the one before! */
-+#ifdef CONFIG_NETFILTER
-+ nf_conntrack_put(skb->nfct);
-+ skb->nfct = NULL;
-+#ifdef CONFIG_NETFILTER_DEBUG
-+ skb->nf_debug = 0;
-+#endif
-+#endif
-+</verb></tscreen>
-+
-+<p>Usually, all you need to do for the second, is to find where the
-+newly encapsulated packet goes into "ip_send()", and replace it with
-+something like:
-+
-+<tscreen><verb>
-+ /* Send "new" packet from local host */
-+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, ip_send);
-+</verb></tscreen>
-+
-+<p> Following these rules means that the person setting up the packet
-+filtering rules on the tunnel box will see something like the
-+following sequence for a packet being tunnelled:
-+
-+<enum>
-+<item> FORWARD hook: normal packet (from eth0 -> tunl0)
-+<item> LOCAL_OUT hook: encapsulated packet (to eth1).
-+</enum>
-+
-+And for the reply packet:
-+<enum>
-+<item> LOCAL_IN hook: encapsulated reply packet (from eth1)
-+<item> FORWARD hook: reply packet (from eth1 -> eth0).
-+</enum>
-+
-+<sect>The Test Suite
-+
-+<p>Within the CVS repository lives a test suite: the more the test
-+suite covers, the greater confidence you can have that changes to the
-+code hasn't quietly broken something. Trivial tests are at least as
-+important as tricky tests: it's the trivial tests which simplify the
-+complex tests (since you know the basics work fine before the complex
-+test gets run).
-+
-+<p>The tests are simple: they are just shell scripts under the
-+testsuite/ subdirectory which are supposed to succeed. The scripts
-+are run in alphabetical order, so `01test' is run before `02test'.
-+Currently there are 5 test directories:
-+
-+<descrip>
-+<tag>00netfilter/</tag> General netfilter framework tests.
-+<tag>01iptables/</tag> iptables tests.
-+<tag>02conntrack/</tag> connection tracking tests.
-+<tag>03NAT/</tag> NAT tests
-+<tag>04ipchains-compat/</tag> ipchains/ipfwadm compatibility tests
-+</descrip>
-+
-+Inside the testsuite/ directory is a script called `test.sh'. It
-+configures two dummy interfaces (tap0 and tap1), turns forwarding on,
-+and removes all netfilter modules. Then it runs through the
-+directories above and runs each of their test.sh scripts until one
-+fails. This script takes two optional arguments: `-v' meaning to
-+print out each test as it proceeds, and an optional test name: if this
-+is given, it will skip over all tests until this one is found.
-+
-+<sect1>Writing a Test
-+
-+<p>Create a new file in the appropriate directory: try to number your
-+test so that it gets run at the right time. For example, in order to
-+test ICMP reply tracking (02conntrack/02reply.sh), we need to first
-+check that outgoing ICMPs are tracked properly
-+(02conntrack/01simple.sh).
-+
-+<p>It's usually better to create many small files, each of which
-+covers one area, because it helps to isolate problems immediately for
-+people running the testsuite.
-+
-+<p>If something goes wrong in the test, simply do an `exit 1', which
-+causes failure; if it's something you expect may fail, you should
-+print a unique message. Your test should end with `exit 0' if
-+everything goes OK. You should check the success of <bf>every</bf>
-+command, either using `set -e' at the top of the script, or
-+appending `|| exit 1' to the end of each command.
-+
-+<p>The helper functions `load_module' and `remove_module' can be used
-+to load modules: you should never rely on autoloading in the testsuite
-+unless that is what you are specifically testing.
-+
-+<sect1>Variables And Environment
-+
-+<p>You have two play interfaces: tap0 and tap1. Their interface
-+addresses are in variables <tt>$TAP0</tt> and <tt>$TAP1</tt>
-+respectively.
They both have netmasks of 255.255.255.0; their
-+networks are in $TAP0NET and $TAP1NET respectively.
-+
-+<p>There is an empty temporary file in $TMPFILE. It is deleted at the
-+end of your test.
-+
-+<p>Your script will be run from the testsuite/ directory, wherever it
-+is. Hence you should access tools (such as iptables) using path
-+starting with `../userspace'.
-+
-+<p>Your script can print out more information if $VERBOSE is set
-+(meaning that the user specified `-v' on the command line).
-+
-+<sect1>Useful Tools
-+
-+<p>
-+There are several useful testsuite tools in the "tools" subdirectory:
-+each one exits with a non-zero exit status if there is a problem.
-+
-+<sect2>gen_ip
-+
-+<p>You can generate IP packets using `gen_ip', which outputs an IP
-+packet to standard input. You can feed packets in the tap0 and tap1
-+by sending standard output to /dev/tap0 and /dev/tap1 (these are
-+created upon first running the testsuite if they don't exist).
-+
-+<p>gen_ip is a simplistic program which is currently very fussy about
-+its argument order. First are the general optional arguments:
-+
-+<descrip>
-+
-+<tag>FRAG=offset,length</tag> Generate the packet, then turn it into a
-+ fragment at the following offset and length.
-+
-+<tag>MF</tag> Set the `More Fragments' bit on the packet.
-+
-+<tag>MAC=xx:xx:xx:xx:xx:xx</tag> Set the source MAC address on the
-+ packet.
-+
-+<tag>TOS=tos</tag> Set the TOS field on the packet (0 to 255).
-+
-+</descrip>
-+
-+Next come the compulsory arguments:
-+
-+<descrip>
-+<tag>source ip</tag> Source IP address of the packet.
-+
-+<tag>dest ip</tag> Destination IP address of the packet.
-+
-+<tag>length</tag> Total length of the packet, including headers.
-+
-+<tag>protocol</tag> Protocol number of the packet, eg 17 = UDP.
-+
-+</descrip>
-+
-+Then the arguments depend on the protocol: for UDP (17), they are the
-+source and destination port numbers.
For ICMP (1), they are the type
-+and code of the ICMP message: if the type is 0 or 8 (ping-reply or
-+ping), then two additional arguments (the ID and sequence fields) are
-+required. For TCP, the source and destination ports, and flags
-+("SYN", "SYN/ACK", "ACK", "RST" or "FIN") are required. There are
-+three optional arguments: "OPT=" followed by a comma-separated list of
-+options, "SYN=" followed by a sequence number, and "ACK=" followed by
-+a sequence number. Finally, the optional argument "DATA" indicates
-+that the payload of the TCP packet is to be filled with the contents
-+of standard input.
-+
-+<sect2>rcv_ip
-+
-+<p>You can see IP packets using `rcv_ip', which prints out the command
-+line as close as possible to the original value fed to gen_ip
-+(fragments are the exception).
-+
-+<p>This is extremely useful for analyzing packets. It takes two
-+compulsory arguments:
-+
-+<descrip>
-+<tag>wait time</tag> The maximum time in seconds to wait for a packet
-+ from standard input.
-+
-+<tag>iterations</tag> The number of packets to receive.
-+</descrip>
-+
-+There is one optional argument, "DATA", which causes the payload of a
-+TCP packet to be printed on standard output after the packet header.
-+
-+<p>The standard way to use `rcv_ip' in a shell script is as follows:
-+
-+<verb>
-+# Set up job control, so we can use & in shell scripts.
-+set -m
-+
-+# Wait two seconds for one packet from tap0
-+../tools/rcv_ip 2 1 < /dev/tap0 > $TMPFILE &
-+
-+# Make sure that rcv_ip has started running.
-+sleep 1
-+
-+# Send a ping packet
-+../tools/gen_ip $TAP1NET.2 $TAP0NET.2 100 1 8 0 55 57 > /dev/tap1 || exit 1
-+
-+# Wait for rcv_ip,
-+if wait %../tools/rcv_ip; then :
-+else
-+ echo rcv_ip failed:
-+ cat $TMPFILE
-+ exit 1
-+fi
-+</verb>
-+
-+<sect2>gen_err
-+
-+<p>This program takes a packet (as generated by gen_ip, for example)
-+on standard input, and turns it into an ICMP error.
-+
-+<p>It takes three arguments: a source IP address, a type and a code.
-+The destination IP address will be set to the source IP address of the
-+packet fed in standard input.
-+
-+<sect2>local_ip
-+
-+<p>This takes a packet from standard input and injects it into the
-+system from a raw socket. This give the appearance of a
-+locally-generated packet (as separate from feeding a packet in one of
-+the ethertap devices, which looks like a remotely-generated packet).
-+
-+<sect1>Random Advice
-+
-+<p>All the tools assume they can do everything in one read or write:
-+this is true for the ethertap devices, but might not be true if you're
-+doing something tricky with pipes.
-+
-+<p>dd can be used to cut packets: dd has an obs (output block size)
-+option which can be used to make it output the packet in a single
-+write.
-+
-+<p>Test for success first: eg. testing that packets are successfully
-+blocked. First test that packets pass through normally, <bf>then</bf>
-+test that some packets are blocked. Otherwise an unrelated failure
-+could be stopping the packets...
-+
-+<p>Try to write exact tests, not `throw random stuff and see what
-+happens' tests. If an exact test goes wrong, it's a useful thing to
-+know. If a random test goes wrong once, it doesn't help much.
-+
-+<p>If a test fails without a message, you can add `-x' to the top line
-+of the script (ie. `#! /bin/sh -x') to see what commands it's running.
-+
-+<p>If a test fails randomly, check for random network traffic
-+interfering (try downing all your external interfaces). Sitting on
-+the same network as Andrew Tridgell, I tend to get plagued by Windows
-+broadcasts, for example.
-+
-+<sect>Motivation
-+
-+<p>As I was developing ipchains, I realized (in one of those
-+blinding-flash-while-waiting-for-entree moments in a Chinese
-+restaurant in Sydney) that packet filtering was being done in the
-+wrong place. I can't find it now, but I remember sending mail to Alan
-+Cox, who kind of said `why don't you finish what you're doing, first,
-+even though you're probably right'.
In the short term, pragmatism was
-+to win over The Right Thing.
-+
-+<p>After I finished ipchains, which was initially going to be a minor
-+modification of the kernel part of ipfwadm, and turned into a larger
-+rewrite, and wrote the HOWTO, I became aware of just how much
-+confusion there is in the wider Linux community about issues like
-+packet filtering, masquerading, port forwarding and the like.
-+
-+<p>This is the joy of doing your own support: you get a closer feel
-+for what the users are trying to do, and what they are struggling
-+with. Free software is most rewarding when it's in the hands of the
-+most users (that's the point, right?), and that means making it easy.
-+The architecture, not the documentation, was the key flaw.
-+
-+<p>So I had the experience, with the ipchains code, and a good idea of
-+what people out there were doing. There were only two problems.
-+
-+<p>Firstly, I didn't want to get back into security. Being a security
-+consultant is a constant moral tug-of-war between your conscience and
-+your wallet. At a fundamental level, you are selling the feeling of
-+security, which is at odds with actual security. Maybe working in a
-+military setting, where they understand security, it'd be different.
-+
-+<p>The second problem is that newbie users aren't the only concern; an
-+increasing number of large companies and ISPs are using this stuff. I
-+needed reliable input from that class of users if it was to scale to
-+tomorrow's home users.
-+
-+<p>These problems were resolved, when I ran into David Bonn, of
-+WatchGuard fame, at Usenix in July 1998. They were looking for a
-+Linux kernel coder; in the end we agreed that I'd head across to their
-+Seattle offices for a month and we'd see if we could hammer out an
-+agreement whereby they'd sponsor my new code, and my current support
-+efforts. The rate we agreed on was more than I asked, so I didn't
-+take a pay cut.
This means I don't have to even think about external
-+conslutting for a while.
-+
-+<p>Exposure to WatchGuard gave me exposure to the large clients I
-+need, and being independent from them allowed me to support all users
-+(eg. WatchGuard competitors) equally.
-+
-+<p>So I could have simply written netfilter, ported ipchains over the
-+top, and been done with it. Unfortunately, that would leave all the
-+masquerading code in the kernel: making masquerading independent from
-+filtering is the one of the major wins point of moving the packet
-+filtering points, but to do that masquerading also needed to be moved
-+over to the netfilter framework as well.
-+
-+<p>Also, my experience with ipfwadm's `interface-address' feature (the
-+one I removed in ipchains) had taught me that there was no hope of
-+simply ripping out the masquerading code and expecting someone who
-+needed it to do the work of porting it onto netfilter for me.
-+
-+<p>So I needed to have at least as many features as the current code;
-+preferably a few more, to encourage niche users to become early
-+adopters. This means replacing transparent proxying (gladly!),
-+masquerading and port forwarding. In other words, a complete NAT layer.
-+
-+<p>Even if I had decided to port the existing masquerading layer,
-+instead of writing a generic NAT system, the masquerading code was
-+showing its age, and lack of maintenance. See, there was no
-+masquerading maintainer, and it shows. It seems that serious users
-+generally don't use masquerading, and there aren't many home users up
-+to the task of doing maintenance. Brave people like Juan Ciarlante
-+were doing fixes, but it had reached to the stage (being extended over
-+and over) that a rewrite was needed.
-+
-+<p>Please note that I wasn't the person to do a NAT rewrite: I didn't
-+use masquerading any more, and I'd not studied the existing code at
-+the time. That's probably why it took me longer than it should have.
-+But the result is fairly good, in my opinion, and I sure as hell
-+learned a lot. No doubt the second version will be even better, once
-+we see how people use it.
-+
-+<sect>Thanks
-+
-+<p>Thanks to those who helped, expecially Harald Welte for writing the
-+Protocol Helpers section.
-+</article>
-Index: b/howtos/packet-filtering-HOWTO.sgml
-=================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ b/howtos/packet-filtering-HOWTO.sgml 2008-07-12 09:31:16.491121753 -0400
-@@ -0,0 +1,1339 @@
-+<!doctype linuxdoc system>
-+
-+<!-- This is the Linux Packet Filtering HOWTO.
-+ -->
-+
-+<!-- $Id: packet-filtering-HOWTO.sgml,v 1.26 2002/01/24 13:42:53 laforge Exp $ -->
-+
-+<article>
-+
-+<!-- Title information -->
-+
-+<title>Linux 2.4 Packet Filtering HOWTO
-+<author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt>
-+<date>$Revision: 1.26 $ $Date: 2002/01/24 13:42:53 $
-+<abstract>
-+This document describes how to use iptables to filter out bad packets
-+for the 2.4 Linux kernels.
-+</abstract>
-+
-+<!-- Table of contents -->
-+<toc>
-+
-+<!-- Begin the document -->
-+
-+<sect>Introduction<label id="intro">
-+
-+<p>
-+Welcome, gentle reader.
-+
-+<p>
-+It is assumed you know what an IP address, a network address, a
-+netmask, routing and DNS are. If not, I recommend that you read the
-+Network Concepts HOWTO.
-+
-+<p>
-+This HOWTO flips between a gentle introduction (which will leave you
-+feeling warm and fuzzy now, but unprotected in the Real World) and raw
-+full-disclosure (which would leave all but the hardiest souls
-+confused, paranoid and seeking heavy weaponry).
-+
-+<p>
-+Your network is not <bf>secure</bf>. The problem of allowing rapid,
-+convenient communication while restricting its use to good, and not
-+evil intents is congruent to other intractable problems such as
-+allowing free speech while disallowing a call of ``Fire!'' in a
-+crowded theater.
It will not be solved in the space of this HOWTO.
-+
-+<p>
-+So only you can decide where the compromise will be. I will try to
-+instruct you in the use of some of the tools available and some
-+vulnerabilities to be aware of, in the hope that you will use them for
-+good, and not evil purposes. Another equivalent problem.
-+
-+<p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL.
-+
-+<sect>Where is the official Web Site? Is there a Mailing List?
-+
-+<p>There are three official sites:
-+<itemize>
-+<item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">.
-+<item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">.
-+<item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">.
-+</itemize>
-+<p> You can reach all of them using round-robin DNS via
-+<url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org/">
-+
-+<p>For the official netfilter mailing list, see
-+<url url="http://www.netfilter.org/contact.html#list" name="netfilter List">.
-+
-+<sect>So What's A Packet Filter?
-+
-+<p>
-+A packet filter is a piece of software which looks at the
-+<em>header</em> of packets as they pass through, and decides the fate
-+of the entire packet. It might decide to <bf>DROP</bf> the packet
-+(i.e., discard the packet as if it had never received it),
-+<bf>ACCEPT</bf> the packet (i.e., let the packet go through), or
-+something more complicated.
-+
-+<p>
-+Under Linux, packet filtering is built into the kernel (as a kernel
-+module, or built right in), and there are a few trickier things we can
-+do with packets, but the general principle of looking at the headers
-+and deciding the fate of the packet is still there.
-+
-+<sect1>Why Would I Want to Packet Filter?
-+
-+<p>
-+Control. Security. Watchfulness.
-+
-+<p>
-+<descrip>
-+<tag/Control:/ when you are using a Linux box to connect your internal
-+network to another network (say, the Internet) you have an opportunity
-+to allow certain types of traffic, and disallow others. For example,
-+the header of a packet contains the destination address of the packet,
-+so you can prevent packets going to a certain part of the outside
-+network. As another example, I use Netscape to access the Dilbert
-+archives. There are advertisements from doubleclick.net on the page,
-+and Netscape wastes my time by cheerfully downloading them.
-+Telling the packet filter not to allow any packets to or from the
-+addresses owned by doubleclick.net solves that problem (there are
-+better ways of doing this though: see Junkbuster).
-+
-+<tag/Security:/ when your Linux box is the only thing between the
-+chaos of the Internet and your nice, orderly network, it's nice to
-+know you can restrict what comes tromping in your door. For example,
-+you might allow anything to go out from your network, but you might be
-+worried about the well-known `Ping of Death' coming in from malicious
-+outsiders. As another example, you might not want outsiders
-+telnetting to your Linux box, even though all your accounts have
-+passwords. Maybe you want (like most people) to be an observer on the
-+Internet, and not a server (willing or otherwise). Simply don't let
-+anyone connect in, by having the packet filter reject incoming packets
-+used to set up connections.
-+
-+<tag/Watchfulness:/ sometimes a badly configured machine on the local
-+network will decide to spew packets to the outside world. It's nice
-+to tell the packet filter to let you know if anything abnormal occurs;
-+maybe you can do something about it, or maybe you're just curious by
-+nature.
-+</descrip>
-+
-+<sect1>How Do I Packet Filter Under Linux?<label id="filter-linux">
-+
-+<p>Linux kernels have had packet filtering since the 1.1 series.
The
-+first generation, based on ipfw from BSD, was ported by Alan Cox in
-+late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
-+userspace tool `ipfwadm' controlled the kernel filtering rules. In
-+mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the
-+help of Michael Neuling, and introduced the userspace tool `ipchains'.
-+Finally, the fourth-generation tool, `iptables', and another kernel
-+rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which
-+this HOWTO concentrates on.
-+
-+<p>
-+You need a kernel which has the netfilter infrastructure in it:
-+netfilter is a general framework inside the Linux kernel which other
-+things (such as the iptables module) can plug into. This means you
-+need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER in
-+the kernel configuration.
-+
-+<p>
-+The tool <tt>iptables</tt> talks to the kernel and tells it what
-+packets to filter. Unless you are a programmer, or overly curious,
-+this is how you will control the packet filtering.
-+
-+<sect2> iptables
-+
-+<p>
-+The <tt>iptables</tt> tool inserts and deletes rules from the kernel's
-+packet filtering table. This means that whatever you set up, it will
-+be lost upon reboot; see <ref id="permanent" name="Making Rules
-+Permanent"> for how to make sure they are restored the next time Linux
-+is booted.
-+
-+<p>
-+<tt>iptables</tt> is a replacement for <tt>ipfwadm</tt> and
-+<tt>ipchains</tt>: see
-+<ref id="oldstyle" name="Using ipchains and ipfwadm"> for how to painlessly
-+avoid using iptables if you're using one of those tools.
-+
-+<sect2> Making Rules Permanent<label id="permanent">
-+
-+<p>Your current firewall setup is stored in the kernel, and thus will
-+be lost on reboot. You can try the iptables-save and iptables-restore
-+scripts to save them to, and restore them from a file.
-+
-+<p>The other way is to put the commands required to set up your rules
-+in an initialization script.
Make sure you do something intelligent
-+if one of the commands should fail (usually `exec /sbin/sulogin').
-+
-+<sect>Who the hell are you, and why are you playing with my kernel?
-+
-+<p>
-+I'm Rusty Russell; the Linux IP Firewall maintainer and just another
-+working coder who happened to be in the right place at the right time.
-+I wrote ipchains (see <ref id="filter-linux" name="How Do I Packet
-+Filter Under Linux?"> above for due credit to the people who did the
-+actual work), and learnt enough to get packet filtering right this
-+time. I hope.
-+
-+<p>
-+<url url="http://www.watchguard.com" name="WatchGuard">, an excellent
-+firewall company who sell the really nice plug-in Firebox, offered to
-+pay me to do nothing, so I could spend all my time writing this stuff,
-+and maintaining my previous stuff. I predicted 6 months, and it took
-+12, but I felt by the end that it had been done Right. Many rewrites,
-+a hard-drive crash, a laptop being stolen, a couple of corrupted
-+filesystems and one broken screen later, here it is.
-+
-+<p>
-+While I'm here, I want to clear up some people's misconceptions: I am
-+no kernel guru. I know this, because my kernel work has brought me
-+into contact with some of them: David S. Miller, Alexey Kuznetsov,
-+Andi Kleen, Alan Cox. However, they're all busy doing the deep magic,
-+leaving me to wade in the shallow end where it's safe.
-+
-+<!-- This is probably no longer true; somewhere in writing all this
-+kernel code and documentation I seem to have picked up a fair number
-+of kernel tricks. But I'm still nowhere near as clever as I think I
-+am. -->
-+
-+<sect> Rusty's Really Quick Guide To Packet Filtering
-+
-+<p>
-+Most people just have a single PPP connection to the Internet, and
-+don't want anyone coming back into their network, or the firewall:
-+
-+<tscreen><verb>
-+## Insert connection-tracking modules (not needed if built into kernel).
-+# insmod ip_conntrack
-+# insmod ip_conntrack_ftp
-+
-+## Create chain which blocks new connections, except if coming from inside.
-+# iptables -N block
-+# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-+# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
-+# iptables -A block -j DROP
-+
-+## Jump to that chain from INPUT and FORWARD chains.
-+# iptables -A INPUT -j block
-+# iptables -A FORWARD -j block
-+</verb></tscreen>
-+
-+<sect> How Packets Traverse The Filters
-+
-+<p>
-+The kernel starts with three lists of rules in the `filter' table;
-+these lists are called <bf>firewall chains</bf> or just
-+<bf>chains</bf>. The three chains are called <bf>INPUT</bf>,
-+<bf>OUTPUT</bf> and <bf>FORWARD</bf>.
-+
-+<p>
-+For ASCII-art fans, the chains are arranged like so: <bf>(Note: this
-+is a very different arrangement from the 2.0 and 2.2 kernels!)</bf>
-+
-+<verb>
-+ _____
-+Incoming / \ Outgoing
-+ -->[Routing ]--->|FORWARD|------->
-+ [Decision] \_____/ ^
-+ | |
-+ v ____
-+ ___ / \
-+ / \ |OUTPUT|
-+ |INPUT| \____/
-+ \___/ ^
-+ | |
-+ ----> Local Process ----
-+</verb>
-+
-+<p>The three circles represent the three chains mentioned above. When
-+a packet reaches a circle in the diagram, that chain is examined to
-+decide the fate of the packet. If the chain says to DROP the packet,
-+it is killed there, but if the chain says to ACCEPT the packet, it
-+continues traversing the diagram.
-+
-+<p>
-+A chain is a checklist of <bf>rules</bf>. Each rule says `if the packet
-+header looks like this, then here's what to do with the packet'. If
-+the rule doesn't match the packet, then the next rule in the chain is
-+consulted. Finally, if there are no more rules to consult, then the
-+kernel looks at the chain <bf>policy</bf> to decide what to do. In a
-+security-conscious system, this policy usually tells the kernel to
-+DROP the packet.
-+
-+<p>
-+<enum>
-+<item>When a packet comes in (say, through the Ethernet card) the kernel
-+first looks at the destination of the packet: this is called
-+`routing'.
-+
-+<item>If it's destined for this box, the packet passes downwards
-+in the diagram, to the INPUT chain. If it passes this, any processes
-+waiting for that packet will receive it.
-+
-+<item>Otherwise, if the kernel does not have forwarding enabled, or it
-+doesn't know how to forward the packet, the packet is dropped. If
-+forwarding is enabled, and the packet is destined for another network
-+interface (if you have another one), then the packet goes rightwards
-+on our diagram to the FORWARD chain. If it is ACCEPTed, it will be
-+sent out.
-+
-+<item>Finally, a program running on the box can send network packets.
-+These packets pass through the OUTPUT chain immediately: if it says
-+ACCEPT, then the packet continues out to whatever interface it is
-+destined for.
-+</enum>
-+
-+<sect>Using iptables
-+
-+<p>
-+iptables has a fairly detailed manual page (<tt>man iptables</tt>),
-+and if you need more detail on particulars. Those of you familiar
-+with ipchains may simply want to look at <ref id="Appendix-A"
-+name="Differences Between iptables and ipchains">; they are very
-+similar.
-+
-+<p>
-+There are several different things you can do with <tt>iptables</tt>.
-+You start with three built-in chains <tt>INPUT</tt>, <tt>OUTPUT</tt>
-+and <tt>FORWARD</tt> which you can't delete. Let's look at the
-+operations to manage whole chains:
-+
-+<enum>
-+<item> Create a new chain (-N).
-+<item> Delete an empty chain (-X).
-+<item> Change the policy for a built-in chain. (-P).
-+<item> List the rules in a chain (-L).
-+<item> Flush the rules out of a chain (-F).
-+<item> Zero the packet and byte counters on all rules in a chain (-Z).
-+</enum>
-+
-+There are several ways to manipulate rules inside a chain:
-+
-+<enum>
-+<item> Append a new rule to a chain (-A).
-+<item> Insert a new rule at some position in a chain (-I).
-+<item> Replace a rule at some position in a chain (-R).
-+<item> Delete a rule at some position in a chain, or the first that matches (-D).
-+</enum>
-+
-+<sect1> What You'll See When Your Computer Starts Up
-+
-+<p>
-+iptables may be a module, called (`iptable_filter.o'), which should be
-+automatically loaded when you first run <tt>iptables</tt>. It can
-+also be built into the kernel permenantly.
-+
-+<p>Before any iptables commands have been run (be careful: some
-+distributions will run iptables in their initialization scripts),
-+there will be no rules in any of the built-in chains (`INPUT',
-+`FORWARD' and `OUTPUT'), all the chains will have a policy of ACCEPT.
-+You can alter the default policy of the FORWARD chain by providing the
-+`forward=0' option to the iptable_filter module.
-+
-+<sect1> Operations on a Single Rule
-+
-+<p>
-+This is the bread-and-butter of packet filtering; manipulating rules.
-+Most commonly, you will probably use the append (-A) and delete (-D)
-+commands. The others (-I for insert and -R for replace) are simple
-+extensions of these concepts.
-+
-+<p>
-+Each rule specifies a set of conditions the packet must meet, and what
-+to do if it meets them (a `target'). For example, you might want to
-+drop all ICMP packets coming from the IP address 127.0.0.1. So in
-+this case our conditions are that the protocol must be ICMP and that
-+the source address must be 127.0.0.1. Our target is `DROP'.
-+
-+<p>
-+127.0.0.1 is the `loopback' interface, which you will have even if you
-+have no real network connection. You can use the `ping' program to
-+generate such packets (it simply sends an ICMP type 8 (echo request)
-+which all cooperative hosts should obligingly respond to with an ICMP
-+type 0 (echo reply) packet). This makes it useful for testing.
-+
-+<tscreen><verb>
-+# ping -c 1 127.0.0.1
-+PING 127.0.0.1 (127.0.0.1): 56 data bytes
-+64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
-+
-+--- 127.0.0.1 ping statistics ---
-+1 packets transmitted, 1 packets received, 0% packet loss
-+round-trip min/avg/max = 0.2/0.2/0.2 ms
-+# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
-+# ping -c 1 127.0.0.1
-+PING 127.0.0.1 (127.0.0.1): 56 data bytes
-+
-+--- 127.0.0.1 ping statistics ---
-+1 packets transmitted, 0 packets received, 100% packet loss
-+#
-+</verb></tscreen>
-+
-+You can see here that the first ping succeeds (the `-c 1' tells ping
-+to only send a single packet).
-+
-+<p>
-+Then we append (-A) to the `INPUT' chain, a rule specifying that for
-+packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp')
-+we should jump to DROP (`-j DROP').
-+
-+<p>
-+Then we test our rule, using the second ping. There will be a pause
-+before the program gives up waiting for a response that will never
-+come.
-+
-+<p>
-+We can delete the rule in one of two ways. Firstly, since we know
-+that it is the only rule in the input chain, we can use a numbered
-+delete, as in:
-+<tscreen><verb>
-+ # iptables -D INPUT 1
-+ #
-+</verb></tscreen>
-+To delete rule number 1 in the INPUT chain.
-+
-+<p>
-+The second way is to mirror the -A command, but replacing the -A with
-+-D. This is useful when you have a complex chain of rules and you
-+don't want to have to count them to figure out that it's rule 37 that
-+you want to get rid of. In this case, we would use:
-+<tscreen><verb>
-+ # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
-+ #
-+</verb></tscreen>
-+The syntax of -D must have exactly the same options as the -A (or -I
-+or -R) command. If there are multiple identical rules in the same
-+chain, only the first will be deleted.
-+ -+<sect1>Filtering Specifications -+ -+<p> -+We have seen the use of `-p' to specify protocol, and `-s' to specify -+source address, but there are other options we can use to specify -+packet characteristics. What follows is an exhaustive compendium. -+ -+<sect2>Specifying Source and Destination IP Addresses -+ -+<p> -+Source (`-s', `--source' or `--src') and destination (`-d', -+`--destination' or `--dst') IP addresses can be specified in four -+ways. The most common way is to use the full name, such as -+`localhost' or `www.linuxhq.com'. The second way is to specify the IP -+address such as `127.0.0.1'. -+ -+<p> -+The third and fourth ways allow specification of a group of IP -+addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. -+These both specify any IP address from 199.95.207.0 to 199.95.207.255 -+inclusive; the digits after the `/' tell which parts of the IP address -+are significant. `/32' or `/255.255.255.255' is the default (match -+all of the IP address). To specify any IP address at all `/0' can be -+used, like so: -+<tscreen><verb> -+ [ NOTE: `-s 0/0' is redundant here. ] -+ # iptables -A INPUT -s 0/0 -j DROP -+ # -+</verb></tscreen> -+ -+This is rarely used, as the effect above is the same as not specifying -+the `-s' option at all. -+ -+<sect2>Specifying Inversion -+ -+<p> -+Many flags, including the `-s' (or `--source') and `-d' -+(`--destination') flags can have their arguments preceded by `!' -+(pronounced `not') to match addresses NOT equal to the ones given. -+For example. `-s ! localhost' matches any packet <bf>not</bf> coming -+from localhost. -+ -+<sect2>Specifying Protocol -+ -+<p> -+The protocol can be specified with the `-p' (or `--protocol') flag. -+Protocol can be a number (if you know the numeric protocol values for -+IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case -+doesn't matter, so `tcp' works as well as `TCP'. 
-+ -+<p> -+The protocol name can be prefixed by a `!', to invert it, such as `-p -+! TCP' to specify packets which are <bf>not</bf> TCP. -+ -+<sect2>Specifying an Interface -+ -+<p> -+The `-i' (or `--in-interface') and `-o' (or `--out-interface') options -+specify the name of an <bf>interface</bf> to match. An interface is -+the physical device the packet came in on (`-i') or is going out on -+(`-o'). You can use the <tt>ifconfig</tt> command to list the -+interfaces which are `up' (i.e., working at the moment). -+ -+<p> -+Packets traversing the <tt>INPUT</tt> chain don't have an output -+interface, so any rule using `-o' in this chain will never match. -+Similarly, packets traversing the <tt>OUTPUT</tt> chain don't have an -+input interface, so any rule using `-i' in this chain will never match. -+ -+<p>Only packets traversing the <tt>FORWARD</tt> chain have both an -+input and output interface. -+ -+<p> -+It is perfectly legal to specify an interface that currently does not -+exist; the rule will not match anything until the interface comes up. -+This is extremely useful for dial-up PPP links (usually interface -+<tt>ppp0</tt>) and the like. -+ -+<p> -+As a special case, an interface name ending with a `+' will match all -+interfaces (whether they currently exist or not) which begin with that -+string. For example, to specify a rule which matches all PPP -+interfaces, the <tt>-i ppp+</tt> option would be used. -+ -+<p> -+The interface name can be preceded by a `!' with spaces around it, to -+match a packet which does <bf>not</bf> match the specified -+interface(s), eg <tt>-i ! ppp+</tt>. -+ -+<sect2>Specifying Fragments -+ -+<p> -+Sometimes a packet is too large to fit down a wire all at once. When -+this happens, the packet is divided into <bf>fragments</bf>, and sent -+as multiple packets. The other end reassembles these fragments to -+reconstruct the whole packet. 
-+ -+<p> -+The problem with fragments is that the initial fragment has the -+complete header fields (IP + TCP, UDP and ICMP) to examine, but -+subsequent packets only have a subset of the headers (IP without the -+additional protocol fields). Thus looking inside subsequent fragments -+for protocol headers (such as is done by the TCP, UDP and ICMP -+extensions) is not possible. -+ -+<p> -+If you are doing connection tracking or NAT, then all fragments will -+get merged back together before they reach the packet filtering code, -+so you need never worry about fragments. -+ -+<p> -+Please also note that in the INPUT chain of the filter table (or any other -+table hooking into the NF_IP_LOCAL_IN hook) is traversed after -+defragmentation of the core IP stack. -+ -+<p> -+Otherwise, it is important to understand how fragments get treated by -+the filtering rules. Any filtering rule that asks for information we -+don't have will <em>not</em> match. This means that the first fragment is -+treated like any other packet. Second and further fragments won't be. -+Thus a rule <tt>-p TCP --sport www</tt> (specifying a source port of -+`www') will never match a fragment (other than the first fragment). -+Neither will the opposite rule <tt>-p TCP --sport ! www</tt>. -+ -+<p> -+However, you can specify a rule specifically for second and further -+fragments, using the `-f' (or `--fragment') flag. It is also legal to -+specify that a rule does <em>not</em> apply to second and further -+fragments, by preceding the `-f' with ` ! '. -+ -+<p> -+Usually it is regarded as safe to let second and further fragments -+through, since filtering will effect the first fragment, and thus -+prevent reassembly on the target host; however, bugs have been known -+to allow crashing of machines simply by sending fragments. Your call. 
-+ -+<p> -+Note for network-heads: malformed packets (TCP, UDP and ICMP packets -+too short for the firewalling code to read the ports or ICMP code and -+type) are dropped when such examinations are attempted. So are TCP -+fragments starting at position 8. -+ -+<p> -+As an example, the following rule will drop any fragments going to -+192.168.1.1: -+ -+<tscreen><verb> -+# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP -+# -+</verb></tscreen> -+ -+<sect2>Extensions to iptables: New Matches -+ -+<p><tt>iptables</tt> is <bf>extensible</bf>, meaning that both the -+kernel and the iptables tool can be extended to provide new features. -+ -+<p>Some of these extensions are standard, and other are more exotic. -+Extensions can be made by other people and distributed separately for -+niche users. -+ -+<p>Kernel extensions normally live in the kernel module subdirectory, -+such as /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter. They are demand loaded if your -+kernel was compiled with CONFIG_KMOD set, so you should not need to -+manually insert them. -+ -+<p>Extensions to the iptables program are shared libraries which -+usually live in /usr/local/lib/, although a distribution -+would put them in /lib/iptables or /usr/lib/iptables. -+ -+<p>Extensions come in two types: new targets, and new matches (we'll -+talk about new targets a little later). Some protocols automatically -+offer new tests: currently these are TCP, UDP and ICMP as shown below. -+ -+<p>For these you will be able to specify the new tests on the command -+line after the `-p' option, which will load the extension. For -+explicit new tests, use the `-m' option to load the extension, after -+which the extended options will be available. 
-+ -+<p>To get help on an extension, use the option to load it (`-p', `-j' or -+`-m') followed by `-h' or `--help', eg: -+<tscreen><verb> -+# iptables -p tcp --help -+# -+</verb></tscreen> -+ -+<sect3>TCP Extensions -+ -+<p> -+The TCP extensions are automatically loaded if `-p tcp' is specified. -+It provides the following options (none of which match fragments). -+ -+<p> -+<descrip> -+<tag>--tcp-flags</tag> Followed by an optional `!', then two strings -+of flags, allows you to filter on specific TCP flags. The first -+string of flags is the mask: a list of flags you want to examine. The -+second string of flags tells which one(s) should be set. For example, -+ -+<tscreen><verb> -+# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP -+</verb></tscreen> -+ -+This indicates that all flags should be examined (`ALL' is synonymous -+with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set. -+There is also an argument `NONE' meaning no flags. -+ -+<tag>--syn</tag> Optionally preceded by a `!', this is shorthand -+ for `--tcp-flags SYN,RST,ACK SYN'. -+ -+<tag>--source-port</tag> followed by an optional `!', then either a -+single TCP port, or a range of ports. Ports can be port names, as -+listed in /etc/services, or numeric. Ranges are either two port names -+separated by a `:', or (to specify greater than or equal to a given -+port) a port with a `:' appended, or (to specify less than or equal to -+a given port), a port preceded by a `:'. -+ -+<tag>--sport</tag> is synonymous with `--source-port'. -+ -+<tag>--destination-port</tag> and <tag>--dport</tag> are the same as -+above, only they specify the destination, rather than source, port to -+match. -+ -+<tag>--tcp-option</tag> followed by an optional `!' and a number, -+matches a packet with a TCP option equaling that number. A packet -+which does not have a complete TCP header is dropped automatically if -+an attempt is made to examine its TCP options. 
-+</descrip> -+ -+<sect4>An Explanation of TCP Flags -+ -+<p> -+It is sometimes useful to allow TCP connections in one direction, but -+not the other. For example, you might want to allow connections to an -+external WWW server, but not connections from that server. -+ -+<p> -+The naive approach would be to block TCP packets coming from the -+server. Unfortunately, TCP connections require packets going in both -+directions to work at all. -+ -+<p> -+The solution is to block only the packets used to request a -+connection. These packets are called <bf>SYN</bf> packets (ok, -+technically they're packets with the SYN flag set, and the RST and ACK -+flags cleared, but we call them SYN packets for short). By -+disallowing only these packets, we can stop attempted connections in -+their tracks. -+ -+<p> -+The `--syn' flag is used for this: it is only valid for rules which -+specify TCP as their protocol. For example, to specify TCP connection -+attempts from 192.168.1.1: -+<tscreen><verb> -+-p TCP -s 192.168.1.1 --syn -+</verb></tscreen> -+ -+<p> -+This flag can be inverted by preceding it with a `!', which means -+every packet other than the connection initiation. -+ -+<sect3>UDP Extensions -+ -+<p> -+These extensions are automatically loaded if `-p udp' is specified. -+It provides the options `--source-port', `--sport', -+`--destination-port' and `--dport' as detailed for TCP above. -+ -+<sect3>ICMP Extensions -+ -+<p> -+This extension is automatically loaded if `-p icmp' is specified. It -+provides only one new option: -+ -+<p> -+<descrip> -+<tag>--icmp-type</tag> followed by an optional `!', then either an -+icmp type name (eg `host-unreachable'), or a numeric type (eg. `3'), -+or a numeric type and code separated by a `/' (eg. `3/3'). A list -+of available icmp type names is given using `-p icmp --help'. 
-+</descrip> -+ -+<sect3>Other Match Extensions -+ -+<p> -+The other extensions in the netfilter package are demonstration -+extensions, which (if installed) can be invoked with the `-m' option. -+ -+<descrip> -+<tag>mac</tag> This module must be explicitly specified with `-m mac' -+or `--match mac'. It is used for matching incoming packet's source -+Ethernet (MAC) address, and thus only useful for packets traversing -+the PREROUTING and INPUT chains. It provides only one option: -+ -+ <descrip> -+ <tag>--mac-source</tag> followed by an optional `!', then an -+ ethernet address in colon-separated hexbyte notation, eg -+ `--mac-source 00:60:08:91:CC:B7'. -+ </descrip> -+ -+<tag>limit</tag> This module must be explicitly specified with `-m -+limit' or `--match limit'. It is used to restrict the rate of -+matches, such as for suppressing log messages. It will only match a -+given number of times per second (by default 3 matches per hour, -+with a burst of 5). It takes two optional arguments: -+ -+ <descrip> -+ <tag>--limit</tag> followed by a number; specifies the maximum -+ average number of matches to allow per second. The number can -+ specify units explicitly, using `/second', `/minute', `/hour' or -+ `/day', or parts of them (so `5/second' is the same as `5/s'). -+ -+ <tag>--limit-burst</tag> followed by a number, indicating the -+ maximum burst before the above limit kicks in. -+ </descrip> -+ -+This match can often be used with the LOG target to do rate-limited -+logging. To understand how it works, let's look at the following -+rule, which logs packets with the default limit parameters: -+ -+<tscreen><verb> -+# iptables -A FORWARD -m limit -j LOG -+</verb></tscreen> -+ -+The first time this rule is reached, the packet will be logged; in -+fact, since the default burst is 5, the first five packets will be -+logged. After this, it will be twenty minutes before a packet will be -+logged from this rule, regardless of how many packets reach it. 
Also, -+every twenty minutes which passes without matching a packet, one of -+the burst will be regained; if no packets hit the rule for 100 -+minutes, the burst will be fully recharged; back where we started. -+ -+<p>Note: you cannot currently create a rule with a recharge time -+greater than about 59 hours, so if you set an average rate of one per -+day, then your burst rate must be less than 3. -+ -+<p>You can also use this module to avoid various denial of service -+attacks (DoS) with a faster rate to increase responsiveness. -+ -+<p>Syn-flood protection: -+<tscreen><verb> -+# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT -+</verb></tscreen> -+ -+Furtive port scanner: -+<tscreen><verb> -+# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT -+</verb></tscreen> -+ -+Ping of death: -+<tscreen><verb> -+# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT -+</verb></tscreen> -+ -+This module works like a "hysteresis door", as shown in the graph -+below. -+ -+<tscreen><verb> -+ rate (pkt/s) -+ ^ .---. -+ | / DoS \ -+ | / \ -+Edge of DoS -|.....:.........\....................... -+ = (limit * | /: \ -+limit-burst) | / : \ .-. -+ | / : \ / \ -+ | / : \ / \ -+End of DoS -|/....:..............:.../.......\..../. -+ = limit | : :`-' `--' -+-------------+-----+--------------+------------------> time (s) -+ LOGIC => Match | Didn't Match | Match -+</verb></tscreen> -+ -+Say we say match one packet per second with a five packet -+burst, but packets start coming in at four per second, for three -+seconds, then start again in another three seconds. 
-+<tscreen><verb> -+ -+ -+ <--Flood 1--> <---Flood 2---> -+ -+Total ^ Line __-- YNNN -+Packets| Rate __-- YNNN -+ | mum __-- YNNN -+ 10 | Maxi __-- Y -+ | __-- Y -+ | __-- Y -+ | __-- YNNN -+ |- YNNN -+ 5 | Y -+ | Y Key: Y -> Matched Rule -+ | Y N -> Didn't Match Rule -+ | Y -+ |Y -+ 0 +--------------------------------------------------> Time (seconds) -+ 0 1 2 3 4 5 6 7 8 9 10 11 12 -+</verb></tscreen> -+ -+You can see that the first five packets are allowed to exceed the one -+packet per second, then the limiting kicks in. If there is a pause, -+another burst is allowed but not past the maximum rate set by the -+rule (1 packet per second after the burst is used). -+ -+<tag>owner</tag> -+This module attempts to match various characteristics of the packet -+creator, for locally-generated packets. It is only valid in the -+OUTPUT chain, and even then some packets (such as ICMP ping responses) -+may have no owner, and hence never match. -+ -+<descrip> -+ <tag>--uid-owner userid</tag> -+Matches if the packet was created by a process with the given -+effective (numerical) user id. -+ <tag>--gid-owner groupid</tag> -+Matches if the packet was created by a process with the given -+effective (numerical) group id. -+ <tag>--pid-owner processid</tag> -+Matches if the packet was created by a process with the given -+process id. -+ <tag>--sid-owner sessionid</tag> -+Matches if the packet was created by a process in the given session -+group. -+</descrip> -+ -+<tag>unclean</tag> This experimental module must be explicitly -+specified with `-m unclean or `--match unclean'. It does various -+random sanity checks on packets. This module has not been audited, -+and should not be used as a security device (it probably makes things -+worse, since it may well have bugs itself). It provides no options. 
-+</descrip> -+ -+<sect3>The State Match -+ -+<p>The most useful match criterion is supplied by the `state' -+extension, which interprets the connection-tracking analysis of the -+`ip_conntrack' module. This is highly recommended. -+ -+<p>Specifying `-m state' allows an additional `--state' option, which -+is a comma-separated list of states to match (the `!' flag indicates -+<bf>not</bf> to match those states). These states are: -+ -+<descrip> -+<tag>NEW</tag> A packet which creates a new connection. -+ -+<tag>ESTABLISHED</tag> A packet which belongs to an existing -+connection (i.e., a reply packet, or outgoing packet on a connection -+which has seen replies). -+ -+<tag>RELATED</tag> A packet which is related to, but not part of, an -+existing connection, such as an ICMP error, or (with the FTP module -+inserted), a packet establishing an ftp data connection. -+ -+<tag>INVALID</tag> A packet which could not be identified for some -+reason: this includes running out of memory and ICMP errors which -+don't correspond to any known connection. Generally these packets -+should be dropped. -+</descrip> -+ -+An example of this powerful match extension would be: -+<tscreen><verb> -+# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP -+</verb></tscreen> -+ -+<sect1>Target Specifications -+ -+<p>Now we know what examinations we can do on a packet, we need a way -+of saying what to do to the packets which match our tests. This is -+called a rule's <bf>target</bf>. -+ -+<p>There are two very simple built-in targets: DROP and ACCEPT. We've -+already met them. If a rule matches a packet and its target is one of -+these two, no further rules are consulted: the packet's fate has been -+decided. -+ -+<p>There are two types of targets other than the built-in ones: -+extensions and user-defined chains. 
-+ -+<sect2>User-defined chains -+ -+<p> -+One powerful feature which <tt>iptables</tt> inherits from -+<tt>ipchains</tt> is the ability for the user to create new chains, in -+addition to the three built-in ones (INPUT, FORWARD and OUTPUT). By -+convention, user-defined chains are lower-case to distinguish them -+(we'll describe how to create new user-defined chains below in <ref -+id="chain-ops" name="Operations on an Entire Chain">). -+ -+<p> -+When a packet matches a rule whose target is a user-defined chain, the -+packet begins traversing the rules in that user-defined chain. If -+that chain doesn't decide the fate of the packet, then once traversal -+on that chain has finished, traversal resumes on the next rule in the -+current chain. -+ -+<p> -+Time for more ASCII art. Consider two (silly) chains: <tt>INPUT</tt> (the -+built-in chain) and <tt>test</tt> (a user-defined chain). -+ -+<tscreen><verb> -+ `INPUT' `test' -+ ---------------------------- ---------------------------- -+ | Rule1: -p ICMP -j DROP | | Rule1: -s 192.168.1.1 | -+ |--------------------------| |--------------------------| -+ | Rule2: -p TCP -j test | | Rule2: -d 192.168.1.1 | -+ |--------------------------| ---------------------------- -+ | Rule3: -p UDP -j DROP | -+ ---------------------------- -+</verb></tscreen> -+ -+<p> -+Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It -+enters the <tt>INPUT</tt> chain, and gets tested against Rule1 - no match. -+Rule2 matches, and its target is <tt>test</tt>, so the next rule examined -+is the start of <tt>test</tt>. Rule1 in <tt>test</tt> matches, but doesn't -+specify a target, so the next rule is examined, Rule2. This doesn't -+match, so we have reached the end of the chain. We return to the -+<tt>INPUT</tt> chain, where we had just examined Rule2, so we now examine -+Rule3, which doesn't match either. 
-+ -+<p> -+So the packet path is: -+<tscreen><verb> -+ v __________________________ -+ `INPUT' | / `test' v -+ ------------------------|--/ -----------------------|---- -+ | Rule1 | /| | Rule1 | | -+ |-----------------------|/-| |----------------------|---| -+ | Rule2 / | | Rule2 | | -+ |--------------------------| -----------------------v---- -+ | Rule3 /--+___________________________/ -+ ------------------------|--- -+ v -+</verb></tscreen> -+ -+<p>User-defined chains can jump to other user-defined chains (but -+don't make loops: your packets will be dropped if they're found to -+be in a loop). -+ -+<sect2>Extensions to iptables: New Targets -+ -+<p>The other type of extension is a target. A target extension -+consists of a kernel module, and an optional extension to -+<tt>iptables</tt> to provide new command line options. There are -+several extensions in the default netfilter distribution: -+ -+<descrip> -+<tag>LOG</tag> This module provides kernel logging of matching -+packets. It provides these additional options: -+ <descrip> -+ <tag>--log-level</tag> Followed by a level number or name. Valid -+ names are (case-insensitive) `debug', `info', `notice', `warning', -+ `err', `crit', `alert' and `emerg', corresponding to numbers 7 -+ through 0. See the man page for syslog.conf for an explanation of -+ these levels. The default is `warning'. -+ -+ <tag>--log-prefix</tag> Followed by a string of up to 29 characters, -+ this message is sent at the start of the log message, to allow it to -+ be uniquely identified. -+ </descrip> -+ -+ This module is most useful after a limit match, so you don't flood -+ your logs. -+ -+<tag>REJECT</tag> This module has the same effect as `DROP', except -+that the sender is sent an ICMP `port unreachable' error message. -+Note that the ICMP error message is not sent if (see RFC 1122): -+ -+<itemize> -+<item> The packet being filtered was an ICMP error message in the -+first place, or some unknown ICMP type. 
-+
-+<item> The packet being filtered was a non-head fragment.
-+
-+<item> We've sent too many ICMP error messages to that destination
-+recently (see /proc/sys/net/ipv4/icmp_ratelimit).
-+</itemize>
-+
-+REJECT also takes a `--reject-with' optional argument which alters the
-+reply packet used: see the manual page.
-+</descrip>
-+
-+<sect2>Special Built-In Targets
-+
-+<p>There are two special built-in targets: <tt>RETURN</tt> and
-+<tt>QUEUE</tt>.
-+
-+<p><tt>RETURN</tt> has the same effect of falling off the end of a
-+chain: for a rule in a built-in chain, the policy of the chain is
-+executed. For a rule in a user-defined chain, the traversal continues
-+at the previous chain, just after the rule which jumped to this chain.
-+
-+<p><tt>QUEUE</tt> is a special target, which queues the packet for
-+userspace processing. For this to be useful, two further components are
-+required:
-+
-+<itemize>
-+<item>a "queue handler", which deals with the actual mechanics of
-+passing packets between the kernel and userspace; and
-+<item>a userspace application to receive, possibly manipulate, and
-+issue verdicts on packets.
-+</itemize>
-+The standard queue handler for IPv4 iptables is the ip_queue module,
-+which is distributed with the kernel and marked as experimental.
-+<p>
-+The following is a quick example of how to use iptables to queue packets
-+for userspace processing:
-+<tscreen><verb>
-+# modprobe iptable_filter
-+# modprobe ip_queue
-+# iptables -A OUTPUT -p icmp -j QUEUE
-+</verb></tscreen>
-+With this rule, locally generated outgoing ICMP packets (as created with,
-+say, ping) are passed to the ip_queue module, which then attempts to deliver
-+the packets to a userspace application. If no userspace application is
-+waiting, the packets are dropped.
-+
-+<p>To write a userspace application, use the libipq API. This is
-+distributed with iptables. Example code may be found in the testsuite
-+tools (e.g. redirect.c) in CVS.
-+
-+<p>The status of ip_queue may be checked via:
-+<tscreen><verb>
-+/proc/net/ip_queue
-+</verb></tscreen>
-+The maximum length of the queue (i.e. the number packets delivered
-+to userspace with no verdict issued back) may be controlled via:
-+<tscreen><verb>
-+/proc/sys/net/ipv4/ip_queue_maxlen
-+</verb></tscreen>
-+The default value for the maximum queue length is 1024. Once this limit
-+is reached, new packets will be dropped until the length of the queue falls
-+below the limit again. Nice protocols such as TCP interpret dropped packets
-+as congestion, and will hopefully back off when the queue fills up. However,
-+it may take some experimenting to determine an ideal maximum queue length
-+for a given situation if the default value is too small.
-+
-+<sect1>Operations on an Entire Chain<label id="chain-ops">
-+
-+<p>
-+A very useful feature of <tt>iptables</tt> is the ability to group
-+related rules into chains. You can call the chains whatever you want,
-+but I recommend using lower-case letters to avoid confusion with the
-+built-in chains and targets. Chain names can be up to 31 letters
-+long.
-+
-+<sect2>Creating a New Chain
-+
-+<p>
-+Let's create a new chain. Because I am such an imaginative fellow,
-+I'll call it <tt>test</tt>. We use the `-N' or `--new-chain' options:
-+
-+<tscreen><verb>
-+# iptables -N test
-+#
-+</verb></tscreen>
-+
-+<p>
-+It's that simple. Now you can put rules in it as detailed above.
-+
-+<sect2>Deleting a Chain
-+
-+<p>
-+Deleting a chain is simple as well, using the `-X' or `--delete-chain'
-+options. Why `-X'? Well, all the good letters were taken.
-+
-+<tscreen><verb>
-+# iptables -X test
-+#
-+</verb></tscreen>
-+
-+<p>
-+There are a couple of restrictions to deleting chains: they must be
-+empty (see <ref id="flushing" name="Flushing a Chain"> below) and they
-+must not be the target of any rule. You can't delete any of the three
-+built-in chains.
-+
-+<p>
-+If you don't specify a chain, then <em>all</em> user-defined chains
-+will be deleted, if possible.
-+
-+<sect2> Flushing a Chain<label id="flushing">
-+
-+<p>
-+There is a simple way of emptying all rules out of a chain, using the
-+`-F' (or `--flush') commands.
-+
-+<tscreen><verb>
-+# iptables -F FORWARD
-+#
-+</verb></tscreen>
-+
-+<p>
-+If you don't specify a chain, then <em>all</em> chains will be flushed.
-+
-+<sect2>Listing a Chain
-+
-+<p>
-+You can list all the rules in a chain by using the `-L' (or `--list')
-+command.
-+
-+<p>
-+The `refcnt' listed for each user-defined chain is the number of rules
-+which have that chain as their target. This must be zero (and the
-+chain be empty) before this chain can be deleted.
-+
-+<p>
-+If the chain name is omitted, all chains are listed, even empty ones.
-+
-+<p>
-+There are three options which can accompany `-L'. The `-n' (numeric)
-+option is very useful as it prevents <tt>iptables</tt> from trying to
-+lookup the IP addresses, which (if you are using DNS like most people)
-+will cause large delays if your DNS is not set up properly, or you
-+have filtered out DNS requests. It also causes TCP and UDP ports to
-+be printed out as numbers rather than names.
-+
-+<p>
-+The `-v' options shows you all the details of the rules, such as the
-+the packet and byte counters, the TOS comparisons, and the interfaces.
-+Otherwise these values are omitted.
-+
-+<p>
-+Note that the packet and byte counters are printed out using the
-+suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000
-+respectively. Using the `-x' (expand numbers) flag as well prints the
-+full numbers, no matter how large they are.
-+
-+<sect2>Resetting (Zeroing) Counters
-+
-+<p>
-+It is useful to be able to reset the counters. This can be done with
-+the `-Z' (or `--zero') option.
-+
-+<p>
-+Consider the following:
-+
-+<tscreen><verb>
-+# iptables -L FORWARD
-+# iptables -Z FORWARD
-+#
-+</verb></tscreen>
-+
-+In the above example, some packets could pass through between the `-L'
-+and `-Z' commands. For this reason, you can use the `-L' and `-Z'
-+<em>together</em>, to reset the counters while reading them.
-+
-+<sect2>Setting Policy<label id="policy">
-+
-+<p>
-+We glossed over what happens when a packet hits the end of a built-in
-+chain when we discussed how a packet walks through chains earlier. In
-+this case, the <bf>policy</bf> of the chain determines the fate of the
-+packet. Only built-in chains (<tt>INPUT</tt>, <tt>OUTPUT</tt> and
-+<tt>FORWARD</tt>) have policies, because if a packet falls off the end
-+of a user-defined chain, traversal resumes at the previous chain.
-+
-+<p>
-+The policy can be either <tt>ACCEPT</tt> or <tt>DROP</tt>, for
-+example:
-+
-+<tscreen><verb>
-+# iptables -P FORWARD DROP
-+#
-+</verb></tscreen>
-+
-+<sect> Using ipchains and ipfwadm<label id="oldstyle">
-+
-+<p> There are modules in the netfilter distribution called ipchains.o
-+and ipfwadm.o. Insert one of these in your kernel (NOTE: they are
-+incompatible with ip_tables.o!). Then you can use ipchains or ipfwadm
-+just like the good old days.
-+
-+<p> This will be supported for some time yet. I think a reasonable
-+formula is 2 * [notice of replacement - initial stable release],
-+beyond the date that a stable release of the replacement is available.
-+This means that support will probably be dropped in Linux 2.6 or 2.8.
-+
-+<sect> Mixing NAT and Packet Filtering
-+
-+<p>
-+It's common to want to do Network Address Translation (see the NAT
-+HOWTO) and packet filtering. The good news is that they mix extremely
-+well.
-+
-+<p>You design your packet filtering completely ignoring any NAT you
-+are doing. The sources and destinations seen by the packet filter
-+will be the `real' sources and destinations. 
For example, if you are
-+doing DNAT to send any connections to 1.2.3.4 port 80 through to
-+10.1.1.1 port 8080, the packet filter would see packets going to
-+10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80.
-+Similarly, you can ignore masquerading: packets will seem to come from
-+their real internal IP addresses (say 10.1.1.1), and replies will seem
-+to go back there.
-+
-+<p>You can use the `state' match extension without making the packet
-+filter do any extra work, since NAT requires connection tracking
-+anyway. To enhance the simple masquerading example in the NAT HOWTO
-+to disallow any new connections from coming in the ppp0 interface, you
-+would do this:
-+
-+<tscreen><verb>
-+# Masquerade out ppp0
-+iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-+
-+# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
-+iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
-+iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
-+
-+# Turn on IP forwarding
-+echo 1 > /proc/sys/net/ipv4/ip_forward
-+</verb></tscreen>
-+
-+<sect> Differences Between iptables and ipchains<label id="Appendix-A">
-+
-+<p>
-+<itemize>
-+<item> Firstly, the names of the built-in chains have changed from
-+lower case to UPPER case, because the INPUT and OUTPUT chains now only
-+get locally-destined and locally-generated packets. They used to see
-+all incoming and all outgoing packets respectively.
-+
-+<item> The `-i' flag now means the incoming interface, and only works
-+in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT
-+chains that used `-i' should be changed to `-o'.
-+
-+<item> TCP and UDP ports now need to be spelled out with the
-+--source-port or --sport (or --destination-port/--dport) options, and
-+must be placed after the `-p tcp' or `-p udp' options, as this loads
-+the TCP or UDP extensions respectively.
-+
-+<item> The TCP -y flag is now --syn, and must be after `-p tcp'.
-+
-+<item> The DENY target is now DROP, finally.
-+
-+<item> Zeroing single chains while listing them works.
-+
-+<item> Zeroing built-in chains also clears policy counters.
-+
-+<item> Listing chains gives you the counters as an atomic snapshot.
-+
-+<item> REJECT and LOG are now extended targets, meaning they are
-+separate kernel modules.
-+
-+<item> Chain names can be up to 31 characters.
-+
-+<item> MASQ is now MASQUERADE and uses a different syntax. REDIRECT,
-+while keeping the same name, has also undergone a syntax change. See
-+the NAT-HOWTO for more information on how to configure both of these.
-+
-+<item> The -o option is no longer used to direct packets to the userspace
-+device (see -i above). Packets are now sent to userspace via the QUEUE
-+target.
-+
-+<item> Probably heaps of other things I forgot.
-+</itemize>
-+
-+<sect> Advice on Packet Filter Design
-+
-+<p>
-+Common wisdom in the computer security arena is to block everything,
-+then open up holes as neccessary. This is usually phrased `that which
-+is not explicitly allowed is prohibited'. I recommend this approach
-+if security is your maximal concern.
-+
-+<p>Do not run any services you do not need to, even if you think you
-+have blocked access to them.
-+
-+<p>If you are creating a dedicated firewall, start by running nothing,
-+and blocking all packets, then add services and let packets through as
-+required.
-+
-+<p>I recommend security in depth: combine tcp-wrappers (for
-+connections to the packet filter itself), proxies (for connections
-+passing through the packet filter), route verification and packet
-+filtering. Route verification is where a packet which comes from an
-+unexpected interface is dropped: for example, if your internal network
-+has addresses 10.1.1.0/24, and a packet with that source address comes
-+in your external interface, it will be dropped. 
This can be enabled
-+for one interface (ppp0) like so:
-+
-+<tscreen><verb>
-+# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
-+#
-+</verb></tscreen>
-+
-+Or for all existing and future interfaces like this:
-+
-+<tscreen><verb>
-+# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
-+# echo 1 > $f
-+# done
-+#
-+</verb></tscreen>
-+
-+Debian does this by default where possible. If you have asymmetric
-+routing (ie. you expect packets coming in from strange directions),
-+you will want to disable this filtering on those interfaces.
-+
-+<p>Logging is useful when setting up a firewall if something isn't
-+working, but on a production firewall, always combine it with the
-+`limit' match, to prevent someone from flooding your logs.
-+
-+<p>I highly recommend connection tracking for secure systems: it
-+introduces some overhead, as all connections are tracked, but is very
-+useful for controlling access to your networks. You may need to load
-+the `ip_conntrack.o' module if your kernel does not load modules
-+automatically, and it's not built into the kernel. If you want to
-+accurately track complex protocols, you'll need to load the
-+appropriate helper module (eg. `ip_conntrack_ftp.o').
-+
-+<tscreen><verb>
-+# iptables -N no-conns-from-ppp0
-+# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-+# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
-+# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
-+# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
-+# iptables -A no-conns-from-ppp0 -j DROP
-+
-+# iptables -A INPUT -j no-conns-from-ppp0
-+# iptables -A FORWARD -j no-conns-from-ppp0
-+</verb></tscreen>
-+
-+<p>Building a good firewall is beyond the scope of this HOWTO, but my
-+advice is `always be minimalist'. See the Security HOWTO for more
-+information on testing and probing your box.
-+
-+</article>
-+
-Index: b/howtos/Makefile
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ b/howtos/Makefile 2008-07-12 09:33:21.861247272 -0400
-@@ -0,0 +1,10 @@
-+all:
-+ for i in *.sgml; do sgml2html $$i; done
-+
-+install:
-+ for i in *.html; do install -D -m 0644 $$i ${DESTDIR}/howtos/$$i; done
-+
-+clean:
-+ -rm *.html
-+
-+.PHONY: all clean install
diff -Nru iptables-1.4.4/debian/patch/0103-sgml_errors.patch iptables-1.4.10/debian/patch/0103-sgml_errors.patch
--- iptables-1.4.4/debian/patch/0103-sgml_errors.patch 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0103-sgml_errors.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,30 +0,0 @@
-Index: b/howtos/netfilter-hacking-HOWTO.sgml
-===================================================================
---- a/howtos/netfilter-hacking-HOWTO.sgml 2008-07-11 13:06:59.722197714 -0400
-+++ b/howtos/netfilter-hacking-HOWTO.sgml 2008-07-11 13:07:05.651197672 -0400
-@@ -1236,8 +1236,8 @@
-
- <tag>flags</tag>A set of flags with one or more out of the following flgs:
- <itemize>
--<item>IP_CT_HELPER_F_REUSE_EXPECT</item>Reuse expectations if the limit (see
--`max_expected` below) is reached.
-+<item>IP_CT_HELPER_F_REUSE_EXPECT : Reuse expectations if the limit (see
-+`max_expected` below) is reached.</item>
- </itemize>
-
- <tag>me</tag>A pointer to the module structure of the helper. Intitialize this with the `THIS_MODULE' macro.
-@@ -1372,10 +1372,10 @@
-
- <tag>flags</tag>A set out of zero, one or more of the following flags:
- <itemize>
--<item>IP_NAT_HELPER_F_ALWAYS</item>Call the NAT helper for every packet,
--not only for packets where conntrack has detected an expectation-cause.
--<item>IP_NAT_HELPER_F_STANDALONE</item>Tell the NAT core that this protocol
--doesn't have a conntrack helper, only a NAT helper.
-+<item>IP_NAT_HELPER_F_ALWAYS : Call the NAT helper for every packet,
-+not only for packets where conntrack has detected an expectation-cause.</item>
-+<item>IP_NAT_HELPER_F_STANDALONE : Tell the NAT core that this protocol
-+doesn't have a conntrack helper, only a NAT helper.</item>
- </itemize>
-
- <tag>me</tag>A pointer to the module structure of the helper. Initialize
diff -Nru iptables-1.4.4/debian/patch/0200-prcedence_TOS.man.patch iptables-1.4.10/debian/patch/0200-prcedence_TOS.man.patch
--- iptables-1.4.4/debian/patch/0200-prcedence_TOS.man.patch 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0200-prcedence_TOS.man.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,16 +0,0 @@
-Author: ljlane
-Description: esacped apostrophes in man page for this lintian warning:
- W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz 1823: warning: `precedence'' not defined
-
-
-Index: b/extensions/libxt_TOS.man
-===================================================================
---- a/extensions/libxt_TOS.man 2009-03-25 16:50:32.801338397 -0400
-+++ b/extensions/libxt_TOS.man 2009-03-25 16:50:45.886316101 -0400
-@@ -1,5 +1,5 @@
- This module sets the Type of Service field in the IPv4 header (including the
--'precedence' bits) or the Priority field in the IPv6 header. Note that TOS
-+\'precedence\' bits) or the Priority field in the IPv6 header. Note that TOS
- shares the same bits as DSCP and ECN. The TOS target is only valid in the
- \fBmangle\fR table.
- .TP
diff -Nru iptables-1.4.4/debian/patch/0201-help_iptables.patch iptables-1.4.10/debian/patch/0201-help_iptables.patch
--- iptables-1.4.4/debian/patch/0201-help_iptables.patch 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0201-help_iptables.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-Author: ljlane
-Description: extraneous slash caused this lintian warning:
- W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz 220: cannot use newline as a starting delimiter
-
-
-Index: b/iptables.8.in
-===================================================================
---- a/iptables.8.in 2009-03-25 16:56:36.857213399 -0400
-+++ b/iptables.8.in 2009-03-25 16:57:06.740337882 -0400
-@@ -217,7 +217,7 @@
- Rename the user specified chain to the user supplied name. This is
- cosmetic, and has no effect on the structure of the table.
- .TP
--\fB\-\h\fP
-+\fB\-h\fP
- Help.
- Give a (currently very brief) description of the command syntax.
- .SS PARAMETERS
diff -Nru iptables-1.4.4/debian/patch/0202-hyphen_escaping.man.patch iptables-1.4.10/debian/patch/0202-hyphen_escaping.man.patch
--- iptables-1.4.4/debian/patch/0202-hyphen_escaping.man.patch 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0202-hyphen_escaping.man.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,231 +0,0 @@
-Author: ljlane
-Description: Escape hyphens in libipq man pages. Addresses lintian warnings such as:
- I: iptables: hyphen-used-as-minus-sign usr/share/man/man8/iptables.8.gz:440
-
-Index: b/libipq/ipq_create_handle.3
-===================================================================
---- a/libipq/ipq_create_handle.3 2009-03-25 18:17:36.707926273 -0400
-+++ b/libipq/ipq_create_handle.3 2009-03-25 19:53:09.386094650 -0400
-@@ -20,7 +20,7 @@
- .\"
- .\"
- .SH NAME
--ipq_create_handle, ipq_destroy_handle - create and destroy libipq handles.
-+ipq_create_handle, ipq_destroy_handle \- create and destroy libipq handles.
- .SH SYNOPSIS
- .B #include <linux/netfilter.h>
- .br
-@@ -65,7 +65,7 @@
- .B ipq_destroy_handle
- returns zero.
- .br
--On failure, -1 is returned.
-+On failure, \-1 is returned.
- .SH ERRORS
- On failure, a descriptive error message will be available
- via the
-Index: b/libipq/ipq_errstr.3
-===================================================================
---- a/libipq/ipq_errstr.3 2009-03-25 18:17:36.716926411 -0400
-+++ b/libipq/ipq_errstr.3 2009-03-25 19:53:09.386094650 -0400
-@@ -20,7 +20,7 @@
- .\"
- .\"
- .SH NAME
--ipq_errstr, ipq_perror - libipq error handling routines
-+ipq_errstr, ipq_perror \- libipq error handling routines
- .SH SYNOPSIS
- .B #include <linux/netfilter.h>
- .br
-Index: b/libipq/ipq_message_type.3
-===================================================================
---- a/libipq/ipq_message_type.3 2009-03-25 18:17:36.744926164 -0400
-+++ b/libipq/ipq_message_type.3 2009-03-25 19:53:09.386094650 -0400
-@@ -20,7 +20,7 @@
- .\"
- .\"
- .SH NAME
--ipq_message_type, ipq_get_packet, ipq_getmsgerr - query queue messages
-+ipq_message_type, ipq_get_packet, ipq_getmsgerr \- query queue messages
- .SH SYNOPSIS
- .B #include <linux/netfilter.h>
- .br
-Index: b/iptables-xml.8
-===================================================================
---- a/iptables-xml.8 2009-03-25 18:17:36.782926972 -0400
-+++ 
b/iptables-xml.8 2009-03-25 19:53:09.404176950 -0400
-@@ -21,7 +21,7 @@
- .SH NAME
- iptables-xml \- Convert iptables-save format to XML
- .SH SYNOPSIS
--.BR "iptables-xml " "[-c] [-v]"
-+.BR "iptables-xml " "[\-c] [\-v]"
- .br
- .SH DESCRIPTION
- .PP
-@@ -42,7 +42,7 @@
-
- .PP
- iptables-xml does a mechanistic conversion to a very expressive xml
--format; the only semantic considerations are for -g and -j targets in
-+format; the only semantic considerations are for \-g and \-j targets in
- order to discriminate between <call> <goto> and <nane-of-target> as it
- helps xml processing scripts if they can tell the difference between a
- target like SNAT and another chain.
-Index: b/iptables.8.in
-===================================================================
---- a/iptables.8.in 2009-03-25 19:53:07.752095031 -0400
-+++ b/iptables.8.in 2009-03-25 19:53:09.404176950 -0400
-@@ -23,7 +23,7 @@
- .\"
- .\"
- .SH NAME
--iptables - administration tool for IPv4 packet filtering and NAT
-+iptables \- administration tool for IPv4 packet filtering and NAT
- .SH SYNOPSIS
- \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-D\fP} \fIchain\fP \fIrule-specification\fP
- .PP
-Index: b/libipq/ipq_read.3
-===================================================================
---- a/libipq/ipq_read.3 2009-03-25 18:17:36.755926371 -0400
-+++ b/libipq/ipq_read.3 2009-03-25 19:53:09.404176950 -0400
-@@ -20,7 +20,7 @@
- .\"
- .\"
- .SH NAME
--ipq_read - read queue messages from ip_queue and read into supplied buffer
-+ipq_read \- read queue messages from ip_queue and read into supplied buffer
- .SH SYNOPSIS
- .B #include <linux/netfilter.h>
- .br
-@@ -64,7 +64,7 @@
- .BR ipq_get_msgerr
- functions to access the queue message in the buffer.
- .SH RETURN VALUE
--On failure, -1 is returned.
-+On failure, \-1 is returned.
- .br
- On success, a non-zero positive value is returned when no timeout
- value is specified.
-Index: b/libipq/ipq_set_mode.3
-===================================================================
---- a/libipq/ipq_set_mode.3 2009-03-25 18:17:36.761926153 -0400
-+++ b/libipq/ipq_set_mode.3 2009-03-25 19:53:09.404176950 -0400
-@@ -20,7 +20,7 @@
- .\"
- .\"
- .SH NAME
--ipq_set_mode - set the ip_queue queuing mode
-+ipq_set_mode \- set the ip_queue queuing mode
- .SH SYNOPSIS
- .B #include <linux/netfilter.h>
- .br
-@@ -68,7 +68,7 @@
- the ip_queue module does not know that a userspace application is ready to
- communicate until it receives a message such as this.
- .SH RETURN VALUE
--On failure, -1 is returned.
-+On failure, \-1 is returned.
- .br
- On success, a non-zero positive value is returned.
- .SH ERRORS
-Index: b/libipq/ipq_set_verdict.3
-===================================================================
---- a/libipq/ipq_set_verdict.3 2009-03-25 18:17:36.766925888 -0400
-+++ b/libipq/ipq_set_verdict.3 2009-03-25 19:53:09.404176950 -0400
-@@ -20,7 +20,7 @@
- .\"
- .\"
- .SH NAME
--ipq_set_verdict - issue verdict and optionally modified packet to kernel
-+ipq_set_verdict \- issue verdict and optionally modified packet to kernel
- .SH SYNOPSIS
- .B #include <linux/netfilter.h>
- .br
-@@ -80,7 +80,7 @@
- The application is responsible for recalculating any packet checksums
- when modifying packets.
- .SH RETURN VALUE
--On failure, -1 is returned.
-+On failure, \-1 is returned.
- .br
- On success, a non-zero positive value is returned.
- .SH ERRORS
-Index: b/libipq/libipq.3
-===================================================================
---- a/libipq/libipq.3 2009-03-25 18:17:36.774926139 -0400
-+++ b/libipq/libipq.3 2009-03-25 19:53:09.405094454 -0400
-@@ -51,7 +51,7 @@
- .br
- # modprobe ip_queue
- .br
-- # iptables -A OUTPUT -p icmp -j QUEUE
-+ # iptables \-A OUTPUT \-p icmp \-j QUEUE
- .PP
- will cause any locally generated ICMP packets (e.g. 
ping output) to
- be sent to the ip_queue module, which will then attempt to deliver the
-Index: b/ip6tables.8.in
-===================================================================
---- a/ip6tables.8.in 2009-03-25 18:17:36.793926226 -0400
-+++ b/ip6tables.8.in 2009-03-25 19:53:09.405094454 -0400
-@@ -25,7 +25,7 @@
- .\"
- .\"
- .SH NAME
--ip6tables - IPv6 packet filter administration
-+ip6tables \- IPv6 packet filter administration
- .SH SYNOPSIS
- \fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-D\fP} \fIchain
- rule-specification\fP [\fIoptions...\fP]
-Index: b/ip6tables-save.8
-===================================================================
---- a/ip6tables-save.8 2009-03-25 18:17:36.799926232 -0400
-+++ b/ip6tables-save.8 2009-03-25 19:53:09.405094454 -0400
-@@ -19,7 +19,7 @@
- .\"
- .\"
- .SH NAME
--ip6tables-save - dump iptables rules to stdout
-+ip6tables-save \- dump iptables rules to stdout
- .SH SYNOPSIS
- \fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
- [\fB\-t\fP \fItable\fP
-Index: b/iptables-save.8
-===================================================================
---- a/iptables-save.8 2009-03-25 18:17:36.805926297 -0400
-+++ b/iptables-save.8 2009-03-25 19:53:09.405094454 -0400
-@@ -19,7 +19,7 @@
- .\"
- .\"
- .SH NAME
--iptables-save - dump iptables rules to stdout
-+iptables-save \- dump iptables rules to stdout
- .SH SYNOPSIS
- \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
- [\fB\-t\fP \fItable\fP]
-Index: b/extensions/libxt_NFLOG.man
-===================================================================
---- a/extensions/libxt_NFLOG.man 2009-03-25 19:54:34.000219646 -0400
-+++ b/extensions/libxt_NFLOG.man 2009-03-25 19:54:42.725094369 -0400
-@@ -9,7 +9,7 @@
- non-terminating target, i.e. rule traversal continues at the next rule. 
- .TP
- \fB\-\-nflog\-group\fP \fInlgroup\fP
--The netlink group (1 - 2^32\-1) to which packets are (only applicable for
-+The netlink group (1 \- 2^32\-1) to which packets are (only applicable for
- nfnetlink_log). The default value is 0.
- .TP
- \fB\-\-nflog\-prefix\fP \fIprefix\fP
-Index: b/extensions/libxt_connbytes.man
-===================================================================
---- a/extensions/libxt_connbytes.man 2009-03-25 19:53:32.460219599 -0400
-+++ b/extensions/libxt_connbytes.man 2009-03-25 19:53:45.251192185 -0400
-@@ -8,7 +8,7 @@
- scheduled using a lower priority band in traffic control.
- .PP
- The transferred bytes per connection can also be viewed through
--`conntrack -L` and accessed via ctnetlink.
-+`conntrack \-L` and accessed via ctnetlink.
- .PP
- NOTE that for connections which have no accounting information, the match will
- always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
diff -Nru iptables-1.4.4/debian/patch/0600-makefile_jedi_handwaving.patch iptables-1.4.10/debian/patch/0600-makefile_jedi_handwaving.patch
--- iptables-1.4.4/debian/patch/0600-makefile_jedi_handwaving.patch 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0600-makefile_jedi_handwaving.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-Index: iptables-1.4.3.2-2ubuntu1/Makefile.am
-===================================================================
---- iptables-1.4.3.2-2ubuntu1.orig/Makefile.am 2009-05-06 02:05:21.000000000 -0500
-+++ iptables-1.4.3.2-2ubuntu1/Makefile.am 2009-05-06 02:06:18.000000000 -0500
-@@ -4,7 +4,7 @@
- AUTOMAKE_OPTIONS = foreign subdir-objects
-
- AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
--SUBDIRS = extensions
-+SUBDIRS = extensions howtos
- if ENABLE_DEVEL
- SUBDIRS += include
- endif
-@@ -123,3 +123,6 @@
- # Using if..fi avoids an ugly "error (ignored)" message :)
- install-exec-hook:
- -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
-+
-+test check:
-+ echo "Are we on the air? Hello, Mom!"
diff -Nru iptables-1.4.4/debian/patch/0901-build-libipq_pic.a.patch iptables-1.4.10/debian/patch/0901-build-libipq_pic.a.patch
--- iptables-1.4.4/debian/patch/0901-build-libipq_pic.a.patch 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0901-build-libipq_pic.a.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,17 +0,0 @@
-Index: iptables-1.4.3.2-2ubuntu1/libipq/Makefile.am
-===================================================================
---- iptables-1.4.3.2-2ubuntu1.orig/libipq/Makefile.am 2009-05-06 08:52:47.000000000 -0500
-+++ iptables-1.4.3.2-2ubuntu1/libipq/Makefile.am 2009-05-06 08:53:32.000000000 -0500
-@@ -2,8 +2,11 @@
-
- AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
-
-+libipq_pic_a_CFLAGS = -fPIC ${regular_CFLAGS} -I${top_builddir}/include -I ${top_srcdir}/include
-+
- libipq_a_SOURCES = libipq.c
--lib_LIBRARIES = libipq.a
-+libipq_pic_a_SOURCES = libipq.c
-+lib_LIBRARIES = libipq.a libipq_pic.a
- man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \
- ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \
- ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \
diff -Nru iptables-1.4.4/debian/patch/0902-docs-version-reference.diff iptables-1.4.10/debian/patch/0902-docs-version-reference.diff
--- iptables-1.4.4/debian/patch/0902-docs-version-reference.diff 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/0902-docs-version-reference.diff 1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-Index: iptables-1.4.1.1/debian/iptables.doc-base.nat
-===================================================================
---- iptables-1.4.1.1.orig/debian/iptables.doc-base.nat 2008-11-14 17:19:59.926553140 +0100
-+++ iptables-1.4.1.1/debian/iptables.doc-base.nat 2008-11-14 17:20:21.648947677 +0100
-@@ -1,5 +1,5 @@
- Document: nat
--Title: Linux 2.4 NAT HOWTO
-+Title: Linux 2.4/2.6 NAT HOWTO
- Author: Rusty Russell
- Abstract: This document describes how to do masquerading, transparent
- proxying, port forwarding, and other forms of Network Address
-Index: iptables-1.4.1.1/debian/iptables.doc-base.packet-filter
-===================================================================
---- iptables-1.4.1.1.orig/debian/iptables.doc-base.packet-filter 2008-11-14 17:19:59.990553103 +0100
-+++ iptables-1.4.1.1/debian/iptables.doc-base.packet-filter 2008-11-14 17:20:29.717551157 +0100
-@@ -1,5 +1,5 @@
- Document: packet-filter
--Title: Linux 2.4 Packet Filtering HOWTO
-+Title: Linux 2.4/2.6 Packet Filtering HOWTO
- Author: Rusty Russell
- Abstract: This document describes how to use iptables to filter
- IP packets for the 2.4+ Linux kernels.
diff -Nru iptables-1.4.4/debian/patch/1000-xt_recent.diff iptables-1.4.10/debian/patch/1000-xt_recent.diff
--- iptables-1.4.4/debian/patch/1000-xt_recent.diff 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/1000-xt_recent.diff 1970-01-01 00:00:00.000000000 +0000
@@ -1,116 +0,0 @@
---- iptables-1.4.4.orig/extensions/libxt_recent.man
-+++ iptables-1.4.4/extensions/libxt_recent.man
-@@ -38,6 +38,11 @@
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
- address is in the list and was seen within the last given number of seconds.
- .TP
-+\fB\-\-reap\fP \fIreap\fP
-+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
-+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
-+since the last packet was received.
-+.TP
- [\fB!\fR] \fB\-\-hitcount\fP \fIhits\fP
- This option must be used in conjunction with one of \fB\-\-rcheck\fP or
- \fB\-\-update\fP. When used, this will narrow the match to only happen when the
-only in patch2:
-unchanged:
---- iptables-1.4.4.orig/extensions/libxt_recent.c
-+++ iptables-1.4.4/extensions/libxt_recent.c
-@@ -19,6 +19,7 @@
- { .name = "name", .has_arg = 1, .val = 208 },
- { .name = "rsource", .has_arg = 0, .val = 209 },
- { .name = "rdest", .has_arg = 0, .val = 210 },
-+ { .name = "reap", .has_arg = 0, .val = 211 },
- { .name = NULL }
- };
- 
-@@ -36,6 +37,7 @@
- " --hitcount hits For check and update commands above.\n"
- " Specifies that the match will only occur if source address seen hits times.\n"
- " May be used in conjunction with the seconds option.\n"
-+" --reap Remove entries that have expired. Can only be used with --seconds\n"
- " --rttl For check and update commands above.\n"
- " Specifies that the match will only occur if the source address and the TTL\n"
- " match between this packet and the one which was set.\n"
-@@ -62,6 +64,8 @@
- (XT_RECENT_SET | XT_RECENT_CHECK | \
- XT_RECENT_UPDATE | XT_RECENT_REMOVE)
- 
-+#define XT_RECENT_SECONDS 1 << 31
-+
- static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
- {
-@@ -114,6 +118,7 @@
- 
- case 204:
- info->seconds = atoi(optarg);
-+ *flags |= XT_RECENT_SECONDS;
- break;
- 
- case 205:
-@@ -138,6 +143,11 @@
- info->side = XT_RECENT_DEST;
- break;
- 
-+ case 211:
-+ info->check_set |= XT_RECENT_REAP;
-+ *flags |= XT_RECENT_REAP;
-+ break;
-+
- default:
- return 0;
- }
-@@ -156,6 +166,12 @@
- xtables_error(PARAMETER_PROBLEM,
- "recent: --rttl may only be used with --rcheck or "
- "--update");
-+ if ((flags & XT_RECENT_REAP) &&
-+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
-+ (!(flags & XT_RECENT_SECONDS))))
-+ xtables_error(PARAMETER_PROBLEM,
-+ "recent: --reap may only be used with --rcheck or "
-+ "--update and --seconds");
- }
- 
- static void recent_print(const void *ip, const struct xt_entry_match *match,
-@@ -184,6 +200,8 @@
- printf("side: source ");
- if (info->side == XT_RECENT_DEST)
- printf("side: dest");
-+ if (info->check_set & XT_RECENT_REAP)
-+ printf("reap ");
- }
- 
- static void recent_save(const void *ip, const struct xt_entry_match *match)
-@@ -210,6 +228,8 @@
- printf("--rsource ");
- if (info->side == XT_RECENT_DEST)
- printf("--rdest ");
-+ if (info->check_set & XT_RECENT_REAP)
-+ printf("--reap ");
- }
- 
- static struct xtables_match recent_mt_reg = {
-only in patch2:
-unchanged:
---- iptables-1.4.4.orig/include/linux/netfilter/xt_recent.h
-+++ iptables-1.4.4/include/linux/netfilter/xt_recent.h
-@@ -7,6 +7,7 @@
- XT_RECENT_UPDATE = 1 << 2,
- XT_RECENT_REMOVE = 1 << 3,
- XT_RECENT_TTL = 1 << 4,
-+ XT_RECENT_REAP = 1 << 5,
- 
- XT_RECENT_SOURCE = 0,
- XT_RECENT_DEST = 1,
-@@ -14,6 +15,9 @@
- XT_RECENT_NAME_LEN = 200,
- };
- 
-+/* Only allowed with --rcheck and --update */
-+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
-+
- struct xt_recent_mtinfo {
- u_int32_t seconds;
- u_int32_t hit_count;
diff -Nru iptables-1.4.4/debian/patch/series iptables-1.4.10/debian/patch/series
--- iptables-1.4.4/debian/patch/series 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/patch/series 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
-0101-changelog.patch
-0102-howtos.patch
-0103-sgml_errors.patch
-0200-prcedence_TOS.man.patch
-0201-help_iptables.patch
-0202-hyphen_escaping.man.patch
-0600-makefile_jedi_handwaving.patch
-0901-build-libipq_pic.a.patch
-0902-docs-version-reference.diff
-1000-xt_recent.diff
diff -Nru iptables-1.4.4/debian/patches/0101-changelog.patch iptables-1.4.10/debian/patches/0101-changelog.patch
--- iptables-1.4.4/debian/patches/0101-changelog.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/0101-changelog.patch 2010-08-07 22:28:46.000000000 +0000
@@ -0,0 +1,2539 @@
+Author: ljlane
+Description: iptables source doesn't include a changelog.
+ This is an amalgamation of external changelog files taken
+ from ftp.netfilter.org.
+
+Index: b/Changelog
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ b/Changelog 2010-08-07 18:28:36.235965245 -0400
+@@ -0,0 +1,2529 @@
++iptables v1.4.9 Changelog:
++======================================================================
++Changes from 1.4.8:
++
++
++Adam Nielsen (1):
++ extensions: add the LED target
++
++Eric Dumazet (1):
++ extensions: REDIRECT: add random help
++
++Jan Engelhardt (10):
++ utils: add missing include flags to Makefile
++ doc: xt_string: correct copy-and-pasting in manpage
++ doc: xt_hashlimit: fix a typo
++ doc: xt_LED: nroff formatting requirements
++ includes: sync header files from Linux 2.6.35-rc1
++ xtables: another try at chain name length checking
++ xtables: remove xtables_set_revision function
++ libxt_hashlimit: always print burst value
++ libxt_conntrack: do print netmask
++ xt_quota: also document negation
++
++Jozsef Kadlecsik (1):
++ libxt_set: new revision added
++
++Luciano Coelho (2):
++ extensions: libxt_rateest: fix typo in the man page
++ extensions: libxt_rateest: fix bps options for iptables-save
++
++Patrick McHardy (5):
++ Revert "Revert "Merge branch 'iptables-next'""
++ Merge branch 'master' of git://dev.medozas.de/iptables
++ Merge branch 'master' of git://dev.medozas.de/iptables
++ Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
++ Bump version to 1.4.9
++
++Samuel Ortiz (1):
++ extensions: libxt_quota.c: Support option negation
++
++Shan Wei (2):
++ xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension
++ xt_sctp: support FORWARD_TSN chunk type
++
++
++
++iptables v1.4.8 Changelog:
++======================================================================
++Changes from 1.4.7:
++
++
++Dmitry V. Levin (3):
++ extensions: REDIRECT: fix --to-ports parser
++ iptables: add noreturn attribute to exit_tryhelp()
++ extensions: MASQUERADE: fix --to-ports parser
++
++Jan Engelhardt (9):
++ libxt_comment: avoid use of IPv4-specific examples
++ libxt_CT: add a manpage
++ iptables: correctly check for too-long chain/target/match names
++ doc: libxt_MARK: no longer restricted to mangle table
++ doc: remove claim that TCPMSS is limited to mangle
++ libxt_recent: add a missing space in output
++ doc: add manpage for libxt_osf
++ libxt_osf: import nfnl_osf program
++ extensions: add support for xt_TEE
++
++Karl Hiramoto (1):
++ iptables: optionally disable largefile support
++
++Pablo Neira Ayuso (1):
++ CT: fix --ctevents parsing
++
++Patrick McHardy (7):
++ extensions: add CT extension
++ libxt_CT: print conntrack zone in ->print/->save
++ Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next
++ xtables: fix compilation when debugging is enabled
++ Merge branch 'iptables-next'
++ Revert "Merge branch 'iptables-next'"
++ Bump version to 1.4.8
++
++Simon Lodal (1):
++ libxt_conntrack: document --ctstate UNTRACKED
++
++Vincent Bernat (1):
++ iprange: fix xt_iprange v0 parsing
++
++
++
++iptables v1.4.7 Changelog:
++======================================================================
++Changes from 1.4.6:
++
++
++Dmitry V. Levin (1):
++ libip4tc: Add static qualifier to dump_entry()
++
++Jan Engelhardt (8):
++ libipq: build as shared library
++ recent: reorder cases in code (cosmetic cleanup)
++ doc: fix recent manpage to reflect actual supported syntax
++ doc: fix limit manpage to reflect actual supported syntax
++ doc: mention requirement of additional packages for ipset
++ policy: fix error message showing wrong option
++ includes: header updates
++ Lift restrictions on interface names
++
++Patrick McHardy (1):
++ iptables 1.4.7
++
++
++
++iptables v1.4.6 Changelog:
++======================================================================
++Changes from 1.4.5:
++
++
++Jan Engelhardt (20):
++ iptables: manpage updates for augmented -Z syntax
++ doc: mention maximum mark size in manpages
++ Support for nommu arches
++ realm: remove static initializations
++ libiptc: remove unused functions
++ libiptc: avoid strict-aliasing warnings
++ iprange: do accept non-ranges for xt_iprange v1
++ iprange: warn on reverse range
++ iprange: roll address parsing into a loop
++ iprange: do accept non-ranges for xt_iprange v1 (log)
++ iprange: warn on reverse range (log)
++ libiptc: fix wrong maptype of base chain counters on restore
++ iptables: fix undersized deletion mask creation
++ style: reduce indent in xtables_check_inverse
++ libxtables: hand argv to xtables_check_inverse
++ iptables/extensions: make bundled options work again
++ CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
++ iptables: take masks into consideration for replace command
++ doc: explain experienced --hitcount limit
++ doc: name resolution clarification
++
++Mohit Mehta (1):
++ iptables: expose option to zero packet/byte counters for a specific rule
++
++Olaf Rempel (1):
++ build: restore --disable-ipv6 functionality on system w/o v6 headers
++
++Patrick McHardy (7):
++ Merge branch 'zero' of git://dev.medozas.de/iptables
++ MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark
++ DNAT: fix incorrect check during parsing
++ extensions: add osf extension
++ conntrack: fix --expires parsing
++ Merge branch 'master' of git://dev.medozas.de/iptables
++ Bump version to v1.4.6
++
++Tim Small (1):
++ doc: update TCPMSS manpage with Linux 2.6.25 changes
++
++sobtwmxt (1):
++ doc: fix typo in length manpage
++
++
++
++iptables v1.4.5 Changelog:
++======================================================================
++Changes from 1.4.4:
++
++
++Florian Westphal (1):
++ libxt_NFQUEUE: add new v1 version with queue-balance option
++
++Jan Engelhardt (18):
++ xt_conntrack: revision 2 for enlarged state_mask member
++ libxt_helper: fix invalid passed option to check_inverse
++ libiptc: split v4 and v6
++ extensions: collapse registration structures
++ iptables: allow for parse-less extensions
++ iptables: allow for help-less extensions
++ extensions: remove empty help and parse functions
++ xtables: add multi-registration functions
++ extensions: collapse data variables to use multi-reg calls
++ xtables: warn of missing version identifier in extensions
++ COMMIT_NOTES: notice to check for soversion bumps
++ build: order of dependent libs is sensitive
++ multi binary: allow subcommand via argv[1]
++ build: fix struct size mismatch
++ build: combine iptables-multi and iptables-static
++ build: build only iptables-multi
++ Merge branch 'stable'
++ manpages: more fixes to minuses, hyphens, dashes
++
++Laurence J. Lane (1):
++ manpage: fix lintian warnings
++
++Michael Granzow (1):
++ iptables: accept multiple IP address specifications for -s, -d
++
++Patrick McHardy (2):
++ man: fix incorrect plural in libipt_set.man
++ Bump version number to 1.4.5
++
++Trent W. Buck (1):
++ ipt_set: fix a typo in the manpage
++
++
++iptables v1.4.4 Changelog:
++======================================================================
++Changes from 1.4.3.2:
++
++
++Frank Tobin (1):
++ libxt_tcp: fix a manpage syntax typo
++
++Ian Bruce (1):
++ libxt_tcp: manpage corrections and suggestions
++
++Jan Engelhardt (15):
++ Add new COMMIT_NOTES document
++ xtables: use extern "C"
++ extensions: add const qualifiers in print/save functions
++ iptables: replace open-coded sizeof by ARRAY_SIZE
++ addrtype: fix one manpage type
++ manpages: do not include v4-only modules in ip6tables manpage
++ libip6t_policy: remove redundant functions
++ policy: use direct xt_policy_info instead of ipt/ip6t
++ policy: merge ipv6 and ipv4 variant
++ build: fix manpage collection
++ extensions: use NFPROTO_UNSPEC for .family field
++ DNAT/SNAT: add manpage documentation for --persistent flag
++ extensions: remove redundant casts
++ iptables: close open file descriptors
++ manpages: markup corrections
++
++Jozsef Kadlecsik (1):
++ Updated set/SET match and target to support multiple ipset protocols.
++
++Pablo Neira Ayuso (2):
++ extensions: add `cluster' match support
++ xtables: fix segfault if incorrect protocol name is used
++
++Patrick McHardy (3):
++ SNAT/DNAT: add support for persistent multi-range NAT mappings
++ Merge branch 'stable' of git://dev.medozas.de/iptables
++ Bump version
++
++kd6lvw (1):
++ libxt_connlimit: initialize v6_mask
++
++
++
++iptables v1.4.3.2 Changelog:
++======================================================================
++Changes from 1.4.3.1:
++
++
++Jan Engelhardt (12):
++ libxt_tcpmss: fix an inversion while parsing --mss
++ iptables-multi: support "iptables-static" as a callable name
++ libxtables: reorder .version member
++ build: do not run ldconfig for DESTDIR installations
++ build: add configure option to disable ip6tables
++ build: add configure option to disable ipv4 iptables
++ libxtables: provide IPv6 zero address variable
++ iptables: print negation extrapositioned
++ Merge commit 'v1.4.3'
++ Merge branch 'plus'
++ CLASSIFY: document non-standard interpretation behavior
++ libxt_conntrack: properly output negation symbol
++
++Pablo Neira Ayuso (1):
++ build: bump version to 1.4.3.2
++
++
++iptables v1.4.3.1 Changelog:
++======================================================================
++Changes from 1.4.3:
++
++
++Jan Engelhardt (2):
++ iptables-save: minor corrections to the manpage markup
++ libxt_hashlimit: add missing space for iptables-save output
++
++Pablo Neira Ayuso (2):
++ build: bump version to 1.4.3.1
++ iptables: refer to dmesg if we hit EINVAL
++
++Peter Volkov (2):
++ libxtables: fix compile error due to incomplete change
++ build: fix linker issue when LDFLAGS contains --as-needed
++
++
++
++iptables v1.4.3 Changelog:
++======================================================================
++Changes from 1.4.2:
++
++
++Bart De Schuymer (1):
++ man: fix physdev manpage
++
++Christian Perle (1):
++ libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff
++
++Christoph Paasch (1):
++ libiptc: avoid compile warnings for iptc_insert_chain
++
++Daniel Drake (1):
++ libxt_owner: add more spaces to output
++
++Eric Leblond (1):
++ xt_NFLOG: Set default NFLOG qthreshold to 0
++
++Jamal Hadi Salim (12):
++ libxtables: Introduce global params structuring
++ libxtables: define xtables_free_opts()
++ libxtables: Add exit_error cb to xtables_globals
++ libxtables: Make ip6tables, iptables and iptables-xml use xtables_globals
++ libxtables: Replace direct exit_error() calls inside libxtables
++ libxtables: simple aliasing macro for exit_error
++ libxtables: set names of programs
++ libxtables: add xtables_set_revision
++ libxtables: make iptables and ip6tables use xtables_free_opts
++ libxtables: consolidate merge_options into xtables_merge_options
++ libxtables: consolidate init calls into one function
++ libxtables: general follow-up cleanup
++
++Jan Engelhardt (84):
++ Move libipt_recent to libxt_recent
++ libxt_recent: add IPv6 support
++ manpage: use separate paragraphs for command syntax
++ manpage: explain what rule-specification is
++ libiptc: remove typedef indirection
++ libiptc: remove indirections
++ libiptc: remove unused iptc_get_raw_socket and iptc_check_packet
++ libiptc: use hex output for hookmask
++ libxt_conntrack: respect -n option during ruledump
++ libiptc: make sockfd a per-handle thing
++ libxt_conntrack: dump ctdir
++ src: reuse the global modprobe_program variable
++ src: use NFPROTO_ constants
++ src: remove inclusion of iptables.h
++ doc: fix a typo in libip6t_REJECT.man
++ libiptc: guard chain index allocation for different malloc implementations
++ src: remove unused include files
++ iptables-save: output ! in position according to manpage
++ rateest: guard against segfault
++ env: augment deprecation notice
++ build: resolve autotools suggestions
++ doc: put iptables version into manpage
++ doc: resynchronize markup in iptables,ip6tables.8.in
++ doc: escape minus sign in manpages
++ build: use regular = assignments in Makefile
++ build: remove non-portable rule
++ doc: escape minus sign in manpage (2)
++ doc: augment ICMP manpage by type/code syntax
++ src: remove redundant returns at end of void-returning functions
++ src: remove redundant casts
++ libxt_owner: use correct UID/GID boundaries
++ extensions: use UINT_MAX constants over open-coded bits (1/2)
++ extensions: use UINT_MAX constants over open-coded numbers (2/2)
++ libxtables: prefix/order - fw_xalloc
++ libxtables: prefix/order - modprobe and xtables.ko loading
++ libxtables: prefix/order - match/target loading
++ libxtables: prefix/order - libdir
++ libxtables: prefix/order - strtoui
++ libxtables: prefix/order - program_name
++ libxtables: prefix/order - param_act
++ libxtables: prefix/order - ipaddr/ipmask to ascii output
++ libxtables: prefix/order - ascii to ipaddr/ipmask input
++ libxtables: prefix - misc functions
++ libxtables: prefix - parse and escaped output func
++ libxtables: prefix/order - move check_inverse to xtables.c
++ libxtables: prefix/order - move parse_protocol to xtables.c
++ libbxtables: prefix names and order it #1
++ libxtables: prefix names and order it #2
++ libxtables: prefix names and order #3
++ libxtables: move afinfo around
++ Merge branch 'origin/master'
++ libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable
++ build: move -ldl to proper LDADD
++ libxtables: remove unused XT_LIB_DIR macro
++ libxtables: decouple non-xtables parts from header
++ src: remove iptables_rule_match indirection macro
++ src: remove unused ipt_tryload macro
++ libxtables: move compat defines to xtables.c
++ src: consolidate duplicate code in iptables/internal.h
++ libxtables: use const for vars holding literals
++ libxt_string: fix undefined behavior/incorrect patlen calculation
++ libxtables: flush before fork
++ libipq: add missing doc for NF_ values
++ build: restructure Makefile for include/ directory
++ libipq: fix compile error
++ build: remove unneeded -ldl from iptables_xml_LDADD
++ libiptc: make library available as a shared library
++ build: trigger reconfigure when extensions/GNUmakefile.in changes
++ doc: do not put IPv4 doc into ip6tables.8
++ doc: resynchronize manpage with in-code help
++ libxtables: inline and remove unused OPTION_OFFSET macro
++ libxtables: prefix exit_error to xtables_error
++ extensions: remove unwanted/add needed includes for IPv6 exts
++ extensions: remove unwanted/add needed includes for IPv4 exts
++ libxt_policy: use bounded strtoui
++ include: resynchronize headers with 2.6.29-rc5
++ extensions: add missing limits.h include
++ iptables: turn deprecation warning into enforcing mode
++ Merge commit 'nf/master'
++ libxt_connbytes: minor manpage adustments
++ libxt_connbytes: document nf_ct_acct behavior
++ libxtables: add -I/-L flags to pkgconfig files
++ libxt_comment: output quotes must be escaped in
++ iptables-save: module loading corrections
++
++Jesper Dangaard Brouer (3):
++ libiptc: fix chain rename bug in libiptc
++ libiptc: fix whitespaces and typos
++ libiptc: give credits to my self
++
++Jirí Moravec (1):
++ libxt_TOS: fix compilation error
++
++KOVACS Krisztian (2):
++ Add iptables support for the TPROXY target
++ Add iptables support for the socket match
++
++Marc Fournier (1):
++ doc: fix option typo in libxt_multiport
++
++Pablo Neira Ayuso (5):
++ iptables: fix error reporting with wrong/missing arguments
++ state: report spaces in the state list parsing
++ iptables: refer to dmesg when we hit error
++ string: fix wrong pattern length calculation
++ iptables: fix broken options-merging during libxtables rework
++
++Patrick McHardy (5):
++ Add SCTP/DCCP support to NAT targets
++ Bump version to 1.4.3-rc1
++ Merge branch 'master' of git://dev.medozas.de/iptables
++ Merge branch 'master' of git://dev.medozas.de/iptables
++ Bump version to 1.4.3
++
++Shaul Karl (1):
++ doc: fix one layout issue in iptables-restore.8
++
++Stephen Hemminger (1):
++ iptables: Add limits.h to get INT_MIN, INT_MAX, ...
++
++Thomas Jarosch (2):
++ Fix compile error in libxt_iprange.c using gcc 4.3.2
++ Fix compile warnings using gcc 4.3.2
++
++
++iptables v1.4.2 Changelog:
++======================================================================
++Changes from 1.4.2-rc1:
++
++Jan Engelhard (1):
++ build: fix iptables-static build
++
++Jan Engelhardt (26):
++ build: do not install ip{,6}tables.h
++ Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
++ manpages: name and markup fixes
++ src: remove dependency on libiptc headers
++ src: drop libiptc from installation
++ iptables-restore: fix segmentation fault with -tanything
++ libxt_recent: do not allow both --set and --rttl
++ Put xtables.c into its own library, libxtables.so
++ manpages: correct erroneous markup
++ physdev: remove extra space in output
++ Warn about use of DROP in nat table
++ Synchronize invert flag order with manpages
++ build: fix dependency tracking for xtables.h.in
++ build: fix initext.c dependency
++ manpages: add missing --rsource,--rdest options to libxt_recent.man
++ manpages: add missing rateest documentation
++ manpages: add missing rateest match documentation
++ libxt_mac: flatten casts in libxt_mac
++ libxt_iprange: fix option names
++ src: use regular includes
++ src: Update comments
++ build: prepare make tarball for git 1.6.0
++ libxt_recent: do allow --rttl for --update
++ src: update comments part II
++ build: run ldconfig on `make install`
++ doc: remove mentions of NAT in ip6tables manpage
++
++Jesper Dangaard Brouer (1):
++ libiptc: remove old fixme
++
++Pablo Sebastian Greco (1):
++ mark: fix invalid iptables-save output
++
++Patrick McHardy (2):
++ manpages: fix another typo in tcp manpage
++ v1.4.2
++
++Phil Oester (3):
++ iptables-save: fix hashlimit output
++ libxt_dscp: fix save of negated dscp match rules
++ src: Missing limits.h includes
++
++WANG Cong (1):
++ manpages: Fix a typo in tcp man page
++
++
++
++iptables v1.4.1-rc1 Changelog:
++======================================================================
++Changes from 1.4.0:
++
++Peter Warasin:
++ Fix CONNMARK mask initialisation
++
++Jesper Dangaard Brouer:
++ Inline functions iptcc_is_builtin() and set_changed()
++ Introduce a counter for number of user defined chains
++ Solving scalability issue: for chain list "name" searching
++
++Patrick McHardy:
++ Add RATEEST target extension
++ Add rateest match extension
++ Remove obsolete file
++ Add netfilter.h
++ Remove compiler.h inclusions
++ Retry ruleset dump when kernel returns EAGAIN
++
++Pablo Neira Ayuso:
++ Cleanup several code wraparounds
++ Check for malloc() return value in merge_opts()
++ Check for merge_opts() return value
++
++Jan Engelhardt:
++ Converts the iptables build infrastructure to autotools
++ Introduce strtonum()
++ Introduce common error messages
++ Add libxt_owner
++ Add libxt_tos
++ Add libxt_TOS
++ Add libxt_MARK r2
++ Add libxt_connmark r1
++ Print warning when dlopen fails
++ Add libxt_conntrack r0
++ Bunch o' renames
++ Rename overlapping function names
++ Add more libxt_hashlimit checks
++ Add libxt_mark r1
++ Add libxt_iprange r0
++ Add libxt_iprange r1
++ Give preference to iptables header files
++ Build adjustments
++ Add libxt_CONNMARK revision 1
++ Add libxt_conntrack revision 1
++ libxt_owner: UID/GID range support
++ Fix compilation of iptables-static build
++ Correct the family member value of libxt_mark revision 1
++ Makefile: add a "tarball" target
++ Drop -W from CFLAGS and some tiny code cleanups
++ Fix -Wshadow warnings and clean up xt_sctp.h
++ Update the libxt_owner manpage with the UID/GID-range feature
++ Fix all remaining warnings (missing declarations, missing prototypes)
++ xtables.h: move non-exported parts to internal.h
++ Add support for xt_hashlimit match revision 1
++ Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
++ manpages: fix broken markup (missing close tags)
++ manpages: grammar and spelling
++ manpages: update to reflect fine-grained control
++ configure: split --enable-libipq from --enable-devel
++ Import iptables-apply
++ Add all necessary header files - compilation fix for various cases
++ Install libiptc header files because xtables.h depends on it
++ iptables: use C99 lists for struct options
++ RATEEST: add manpage
++ Implement AF_UNSPEC as a wildcard for extensions
++ Combine ipt and ip6t manpages
++ Resolve warnings on 64-bit compile
++ Wrap dlopen code into NO_SHARED_LIBS
++ Remove support for compilation of conditional extensions
++ Resolve libipt_set warnings
++ Update documentation about building the package
++ configure.ac: AC_SUBST must be separate
++ Dynamically create xtables.h.in with version
++ configure.ac: remove already-defined variables
++ Remove old functions, constants
++ Properly initialize revision for ip6tables targets
++ Makefile.am: use PACKAGE_TARNAME
++ iptables out-of-tree build directory
++
++Sven Schnelle:
++ Add libxt_TCPOPTSTRIP
++
++Max Kellermann:
++ Fix REDIRECT manpage
++ Whitespace cleanup
++ Use size_t
++ Escape strings
++ Unescape parameters
++ Allow empty strings in argument parser
++ Fix gcc warnings
++
++Naohiro Ooiwa:
++ Fix define value of SCTP chunk type
++
++Filippo Zangheri:
++ Remove useless white spaces from iptables-xml manpages
++
++James King:
++ libxt_iprange: Fix IP validation logic
++
++Shan Wei:
++ iptables-save: remove unnecessary code
++
++Henrik Nordstrom:
++ Make iptables-restore usable over a pipe
++ Add support for --set-counters to iptables -P
++ iptables --list-rules command
++ iptables --list chain rulenum
++ Make --set-counters (-c) accept comma separated counters
++
++Jamie Strandboge:
++ Fix ip6tables dest address printing
++
++
++
++iptables v1.4.1.1 Changelog
++=====================================================================
++
++Henrik Nordstrom (1):
++ iptables: fix printing of line numbers with --line-numbers arg
++
++Jan Engelhardt (3):
++ ip6tables: fix printing of ipv6 network masks
++ build: fix `make install` when --disable-shared is used
++ iprange: kernel flags were not set
++
++Patrick McHardy (1):
++ v1.4.1.1
++
++
++
++iptables v1.4.1 Changelog
++======================================================================
++
++Filippo Zangheri (1):
++ removes useless white spaces from iptables-xml manpages.
++
++Gáspár Lajos (1):
++ iptables: use C99 lists for struct options
++
++Henrik Nordstrom (5):
++ Make iptables-restore usable over a pipe
++ Add support for --set-counters to iptables -P
++ iptables --list-rules command
++ iptables --list chain rulenum
++ Make --set-counters (-c) accept comma separated counters
++
++James King (1):
++ [IPTABLES]: libxt_iprange: Fix IP validation logic
++
++Jamie Strandboge (1):
++ fix ip6tables dest address printing
++
++Jan Engelhardt (55):
++ Converts the iptables build infrastructure to autotools.
++ Introduce strtonum(), which works like string_to_number(), but passes
++ common error messages
++ libxt_owner
++ libxt_tos
++ libxt_TOS
++ libxt_MARK r2
++ libxt_connmark r1
++ print warning when dlopen fails
++ libxt_conntrack r0
++ bunch o' renames
++ rename overlapping function names
++ libxt_hashlimit checks
++ libxt_mark r1
++ libxt_iprange r0
++ libxt_iprange r1
++ Give preference to iptables header files
++ Build adjustments
++ libxt_CONNMARK revision 1
++ [IPTABLES]: libxt_conntrack revision 1
++ [IPTABLES]: libxt_owner: UID/GID range support
++ Fix compilation of iptables-static build
++ Correct the family member value of libxt_mark revision 1
++ Makefile: add a "tarball" target
++ Drop -W from CFLAGS and some tiny code cleanups
++ Fix -Wshadow warnings and clean up xt_sctp.h
++ Update the libxt_owner manpage with the UID/GID-range feature
++ Fix all remaining warnings (missing declarations, missing prototypes)
++ xtables.h: move non-exported parts to internal.h
++ Add support for xt_hashlimit match revision 1
++ Combine IP{,6}T_LIB_DIR into XTABLES_LIBDIR
++ manpages: fix broken markup (missing close tags)
++ manpages: grammar and spelling
++ manpages: update to reflect fine-grained control
++ configure: split --enable-libipq from --enable-devel
++ Add all necessary header files - compilation fix for various cases
++ Install libiptc header files because xtables.h depends on it
++ RATEEST: add manpage
++ Implement AF_UNSPEC as a wildcard for extensions
++ Combine ipt and ip6t manpages
++ Resolve warnings on 64-bit compile
++ Wrap dlopen code into NO_SHARED_LIBS
++ Remove support for compilation of conditional extensions
++ Resolve libipt_set warnings
++ Update documentation about building the package
++ configure.ac: AC_SUBST must be separate
++ Dynamically create xtables.h.in with version
++ configure.ac: remove already-defined variables
++ Remove old functions, constants
++ Makefile.am: use PACKAGE_TARNAME
++ iptables out-of-tree build directory
++ Update .gitignore
++ build: check for missing feature files
++ libxt_owner: add spaces to output
++ manpage updates
++
++Jesper Dangaard Brouer (3):
++ Inline functions iptcc_is_builtin() and set_changed().
++ Introduce a counter for number of user defined chains.
++ Solving scalability issue: for chain list "name" searching.
++
++Kristof Provost (1):
++ REDIRECT: Allow symbolic port in REDIRECT --to-port
++
++Laszlo Attila Toth (1):
++ addrtype match: added revision 1
++
++Lutz Jaenicke (1):
++ Fix iptables-save output of libxt_owner match
++
++Martin F. Krafft (1):
++ Import iptables-apply
++
++Max Kellermann (7):
++ Fix REDIRECT manpage
++ whitespace cleanup
++ use size_t
++ escape strings
++ unescape parameters
++ allow empty strings in argument parser
++ fix gcc warnings
++
++Naohiro Ooiwa (1):
++ Fix define value of SCTP chunk type.
++
++Pablo Neira Ayuso (2):
++ - cleanup several code wraparounds
++ bump iptables version to prepare 1.4.1 release
++
++Patrick McHardy (16):
++ Add RATEEST target extension
++ Add rateest match extension
++ Remove obsolete file
++ Add netfilter.h
++ Remove compiler.h inclusions.
++ Retry ruleset dump when kernel returns EAGAIN.
++ Properly initialize revision for ip6tables targets
++ Bump version to 1.4.1-rc1
++ iptables 1.4.1-rc2
++ manpages: consistent syntax
++ Resync header files with kernel
++ Bump version
++ libiptc: move variable definitions to head of function
++ iptables-xml: sparse fixes
++ sparse warning fixes: integer used as pointer
++ v1.4.1
++
++Peter Warasin (1):
++ Fix CONNMARK mask initialisation
++
++Shan Wei (1):
++ iptables-save:remove unnecessary code.
++
++Sven Schnelle (1):
++ libxt_TCPOPTSTRIP
++
++Thomas Jacob (1):
++ Don't assume /bin/sh is bash
++
++Thomas Jarosch (1):
++ Add xtables version defines.
++
++Yasuyuki Kozakai (1):
++ Use s6_addr32 to access bits in int6_addr instead of incompatible name
++
++
++
++iptables v1.4.0 Changelog
++======================================================================
++Changes from 1.4.0rc1:
++
++- Don't use dlfcn.h if NO_SHARED_LIBS is defined
++ [ Mike Frysinger ]
++
++- Fix showing help text for matches/targets with revision as user
++ [ Patrick McHardy ]
++
++- Print warnings to stderr
++ [ Max Kellermann ]
++
++- Fix sscanf type errors
++ [ Patrick McHardy ]
++
++- Always print mask in iptables-save
++ [ Jan Engelhardt ]
++
++- Don't silenty exit on failure to open /proc/net/{ip,ip6}_tables_names
++ [ Victor Stinner ]
++
++- Adds --table to iptables-restore
++ [ Peter Warasin ]
++
++- Make DO_MULTI=1 work for ip6tables* binaries
++ [ Hann-huei Chiou ]
++
++- Add ip6tables-{save,restore} to non-experimental target, fix strict aliasing
++warnings
++ [ Patrick McHardy ]
++
++- Introducing libxt_*.man files. Sorted matches and modules
++ [ Laszlo Attila Toth ]
++
++- Install ip6tables-{save,restore} manpages
++ [ Patrick McHardy ]
++
++- Performance optimization in sorting chain during pull-out
++ [ Jesper Dangaard Brouer ]
++
++- Fix sockfd use accounting for kernels without autoloading
++ [ Patrick McHardy ]
++
++- use <linux/types.h>
++ [ Jan Engelhardt ]
++
++- Fix make/compile error for iptables-1.4.0rc1
++ [ Jesper Dangaard Brouer ]
++
++- Fix for --random option in DNAT and REDIRECT
++ [ Tom Eastep ]
++
++- Document xt_statistic
++ [ Stefano Sabatini ]
++
++- sctp: fix - mistake to pass a pointer where array is required
++ [ Li Zefan ]
++
++- Fix connlimit output for inverted --connlimit-above: ! > is <=, not <
++ [ Patrick McHardy ]
++
++- Add NFLOG manpage
++ [ Patrick McHardy ]
++
++- Move libipt_DSCP.man to libxt_DSCP.man for ip6tables.8
++ [ Yasuyuki Kozakai ]
++
++- Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.man
++ [ Yasuyuki Kozakai ]
++
++- Moves libipt_CLASSYFY.man to libxt_CLASSYFY.man for ip6tables.8
++ [ Yasuyuki Kozakai ]
++
++- fix check_inverse() call
++ [ Jan Engelhardt ]
++
++- Bump version to 1.4.0 final
++ [ Pablo Neira Ayuso ]
++
++
++
++iptables v1.4.0rc1 Changelog
++======================================================================
++Changes from 1.3.8:
++
++- Add support for generic xtables infrastructure (improved IPv6 support!)
++ [ Yasuyuki Kozakai ]
++
++- Deletes empty ->final_check() functions
++ [ Jan Engelhardt ]
++
++- Fix sparse warnings: non-C99 array declaration, incorrect function prototypes
++ [ Patrick McHardy ]
++
++- Remove last vestiges of NFC
++ [ Peter Riley ]
++
++- Make @msg argument a const char *, just like printf
++ [ Jan Engelhardt ]
++
++- Makes it possible to omit extra_opts of matches/targets if unnecessary
++ [ Jan Engelhardt ]
++
++- Fix "iptables getsockopt failed strangely" when querying revisions for non-existant matches and targets
++ [ Patrick McHardy]
++
++- Introduces DEST_IPT_LIBDIR in Makefile
++ [ Yasuyuki Kozakai ]
++
++- Change default KERNEL_DIR location and add KBUILD_OUTPUT
++ [ Sven Wegener ]
++
++- Removes obsolete KERNEL_64_USERSPACE_32 definitions
++ [ Yasuyuki Kozakai ]
++
++- Fix unused function warning
++ [ Patrick McHardy ]
++
++
++
++iptables v1.3.8 Changelog
++======================================================================
++
++- Fix build error of conntrack match
++ [Yasuyuki Kozakai]
++
++- Remove whitespace in ip6tables.c
++ [Yasuyuki Kozakai]
++
++- `-p all' and `-p 0' should be allowed in ip6tables
++ [Yasuyuki Kozakai]
++
++- hashlimit doc update
++ [Jan Engelhardt]
++
++- add --random option to DNAT and REDIRECT
++ [Patrick McHardy]
++
++- Makefile uses POSIX conform directory check
++ [Roy Marples]
++
++- Fix missing newlines in iptables-save/restore output
++ [Pavol Rusnak]
++
++- Update quota manpage for SMP
++ [Phil Oester]
++
++- Output for unspecified proto is `all' instead of `0'
++ [Phil Oester]
++
++- Fix iptables-save with --random option
++ [Patrick McHardy]
++
++- Remove unnecessary IP_NAT_RANGE_PROTO_RANDOM ifdefs
++ [Patrick McHardy]
++
++- Remove libnsl from LDLIBS
++ [Patrick McHardy]
++
++- Fix problem with iptables-restore and quotes
++ [Pablo Neira Ayuso]
++
++- Remove unnecessary includes
++ [Patrick McHardy]
++
++- Fix --modprobe parameter
++ [Maurice van der Pot]
++
++- ip6tables-restore should output error of modprobe after failed to load
++ [Yasuyuki Kozakai]
++
++- Add random option to SNAT
++ [Eric Leblond]
++
++- Fix missing space in error message
++ [Patrick McHardy]
++
++- Fixes for manpages of tcp, udp, and icmp{,6}
++ [Yasuyuki Kozakai]
++
++- Add ip6tables mh extension
++ [Masahide Nakamura]
++
++- Fix tcpmss manpage
++ [Patrick McHardy]
++
++- Add ip6tables TCPMSS extension
++ [Arnaud Ebalard]
++
++- Add UDPLITE multiport support
++ [Patrick McHardy]
++
++- Fix missing space in ruleset listing
++ [Patrick McHardy]
++
++- Remove extensions for unmaintained/obsolete patchlets
++ [Patrick McHardy]
++
++- Fix greedy debug grep
++ [Patrick McHardy]
++
++- Fix type in manpage
++ [Thomas Aktaia]
++
++- Fix compile/install error for iptables-xml with DO_MULTI=1
++ [Lutz Jaenicke]
++
++
++
++iptables v1.3.7 Changelog
++======================================================================
++
++Bugs fixed since 1.3.6:
++
++- Fix compilation error with linux 2.6.19
++ [ Patrick McHardy ]
++
++- Fix LOG target segfault with --log-prefix ""
++ [ Mike Frysinger, Bugzilla #516 ]
++
++- Fix conflicting getsockopt optname values for IP6T_SO_GET_REVISION_{MATCH,TARGET}
++ [ Yasuyuki KOZAKAI ]
++
++- Fix -E (rename) in iptables/ip6tables
++ [ Krzysztof Piotr Oledzki ]
++
++- Fix /etc/network
usage ++ [ Pablo Neira ] ++ ++- Fix iptables-save not printing -s/-d ! 0/0 ++ [ Patrick McHardy ] ++ ++- Fix ip6tables-save unnecessarily printing -s/-d options for zero prefix length ++ [ Daniel De Graaf ] ++ ++New features since 1.3.6: ++ ++- Add revision support for ip6tables ++ [ R?mi Denis-Courmont ] ++ ++- Add port range support for ip6tables multiport match ++ [ R?mi Denis-Courmont ] ++ ++- Add sctp match extension for ip6tables ++ [ Patrick McHardy ] ++ ++- Add iptables-xml tool ++ [ Amin Azez ] ++ ++- Add hashlimit support for ip6tables (needs kernel > 2.6.19) ++ [ Patrick McHardy ] ++ ++- Use /limodules/$(shell uname -r)/build instead of /usr/src/linux to look for kernel source ++ [ Patrick McHardy ] ++ ++- Add NFLOG target extension for iptables/ip6tables (needs kernel > 2.6.19) ++ [ Patrick McHardy ] ++ ++ ++ ++iptables v1.3.6 Changelog ++====================================================================== ++ ++Bugs fixed since 1.3.5: ++ ++- Fix segfault on loading of invalid counters in ip[6]tables-restore ++ [ Bugzilla #437, Olaf Rempel ] ++ ++- Fix double-free if a single match is used multiple times within a single rule ++ [ Bugzilla #440, Harald Welte ] ++ ++- Don't try to resolve "-p all" using getprotoent() ++ [ Bugzilla #446, Harald Welte ] ++ ++- Refuse never matching protocol specifications for ip6tables ++ [ Yasuyuki Kozakai ] ++ ++- Fix iptables-save output of osf match ++ [ Daniel De Graaf ] ++ ++- Fix esp/connbytes detection with newer kernels (x_tables) ++ [ Harald Welte ] ++ ++- Fix loading of IPCMv6 match shared library ++ [ Yasuyuki Kozakai ] ++ ++- Refuse invalid esp match SPI ranges ++ [ Yasuyuki Kozakai ] ++ ++- Fix out-of-bounds memory access when the unsupported "check" command was used ++ [ Bugzilla #463, Larry Stefani, Harald Welte ] ++ ++- Fix out-of-bounds memory access when the "-c" option was used ++ [ Bugzilla #462, Larry Stefani, Harald Welte ] ++ ++- Fix "Unknown error 4294967295" message ++ [ Bugzilla #460, Patrick 
McHardy ] ++ ++- Use lower-case letters for realm match output ++ [ Simon Lodal ] ++ ++- Fix example in connlimit manpage ++ [ Phil Oester ] ++ ++- Refuse IP addresses as arguments to REDIRECT target ++ [ Bugzilla #482, Phil Oester ] ++ ++- Fix set match negation ++ [ Jozsef Kadlecsik ] ++ ++- Fix some compiler warnings ++ [ Bugzilla #457, Phil Oester ] ++ ++- Refuse port ranges in ip6tables multiport match ++ [ Bugzilla #451, Phil Oester ] ++ ++- Force user to specify --ipcmv6-type if ipcmv6 match is used ++ [ Bugzilla #461, Yasuyuki Kozakai ] ++ ++- Fix libiptc symbol clash ++ [ Bugzilla #456, Phil Oester ] ++ ++- Remove "hoho" message ++ [ Pierre-Yves Ritschard ] ++ ++- Handle CIDR notation more sanely ++ [ Bugzilla #422, Phil Oester ] ++ ++- Fix chain reference increment bug ++ [ Jesper Brouer ] ++ ++- Fix counter clearing for policy counters ++ [ Bugzilla #502, Andy Gay ] ++ ++- Remove warnings about interface names with non-alphanumeric characters ++ [ Patrick McHardy ] ++ ++New features since 1.3.5: ++ ++- Support multiple matches of the same type within a single rule ++ [ Jozsef Kadlecsik ] ++ ++- DCCP/SCTP support for multiport match (needs kernel >= 2.6.18) ++ [ Patrick McHardy ] ++ ++- SELinux SECMARK target (needs kernel >= 2.6.18) ++ [ James Morris ] ++ ++- SELinux CONNSECMARK target (needs kernel >= 2.6.18) ++ [ James Morris ] ++ ++- Add documentation for DNAT target :<port> syntax ++ [ Evan Miller ] ++ ++- Add new exit value to indicate concurrency issues ++ [ Jesper Dangaard Brouer ] ++ ++- Use gcc to build shared objects ++ [ Bugzilla #454, Phil Oester ] ++ ++- Update quota match for version in current kernel, fix -D (needs kernel >= 2.6.18) ++ [ Phil Oester ] ++ ++- Update MARK target documentation to include --and-mask/--or-mask ++ [ Eric Leblond ] ++ ++- Add support for statistic match (needs kernel >= 2.6.18) ++ [ Patrick McHardy ] ++ ++- Optionally read realm values from /etc/iproute2/rt_realms ++ [ Simon Lodal ] ++ ++iptables v1.3.5 Changelog 
++====================================================================== ++This version requires kernel >= 2.4.0 ++This version recommends kernel >= 2.4.18 ++ ++Bugs fixed from 1.3.4: ++ ++- Fix conntrack --ctproto option in iptables-save ++ [ Phil Oester ] ++ ++- Fix string match '--from' option in iptables-save ++ [ Michael Rash ] ++ ++- Fix option parser of ttl match ++ [ Patrick McHardy ] ++ ++- Get rid of gcc-4 warnings ++ [ Patrick McHardy ] ++ ++- Fix spelling of 'address' in DNAT/SNAT manpage section ++ [ MJ Anthony ] ++ ++- Fix 'tcp-rst' parsing in REJECT target ++ [ Torsten Hilbrich ] ++ ++- Fix probing for supported revisions ++ [ Jones Desougi ] ++ ++- Fix compilation of iptables on [old] systems that don't have IPT_F_GOTO ++ [ Harald Welte ] ++ ++- Only set revisions on real targets, not on jumps ++ [ Pablo Neira ] ++ ++- Fix memory leak in TC_COMMIT() of libiptc ++ [ Markus Sundberg ] ++ ++- Correctly propagate errors of setsockopt to calling function ++ [ Harald Welte ] ++ ++- Fix connbytes match iptables-save ++ [ Unknown ] ++ ++- Fix sctp match compilation against recent kernel headers ++ [ Harald Welte ] ++ ++- Fix conntrack match compilation against 2.4.0 kernel headers ++ [ Harald Welte ] ++ ++Changes from 1.3.4: ++ ++- Add support for ip6tables connmark match and target ++ [ Harald Welte ] ++ ++- Add support for ip6tables state match ++ [ Harald Welte ] ++ ++- Add support for new policy ip[6]tables match ++ [ Patrick McHardy ] ++ ++- Major manpage update ++ [ Yasuyuki Kozakai ] ++ ++- Remove ippool support, it has been deprecated by ipset long time ago ++ [ Harald Welte ] ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) ++ ++ ++iptables v1.3.4 Changelog ++====================================================================== ++This version requires kernel >= 2.4.0 ++This version recommends kernel >= 
2.4.18 ++ ++Bugs fixed from 1.3.3: ++ ++- Fix parsing of NFQUEUE queue numbers ++ [ Eric Leblond ] ++ ++- Add documentation of --queue-num parameter to NFQUEUE manpage ++ [ Eric Leblond ] ++ ++- Fix 'hash-init' parameter of CLUSTERIP target ++ [ KOVACS Krisztian ] ++ ++- Fix CONNMARK match and target: Marks are now always 32bit ++ [ Deti Fliegl ] ++ ++- Print error message when multiple "--to" DNAT/SNAT args are used ++ with kernel >= 2.6.10 ++ [ Phil Oester ] ++ ++- Fix compilation of connbytes match with 2.6.14 kernel ++ [ Harald Welte ] ++ ++- Fix address inversion of conntrack match ++ [ Tom Eastep ] ++ ++- Fix sorting of chain names ++ [ Robert de Barth ] ++ ++Changes from 1.3.2: ++ ++- Add support for DCCP port and type matching ++ [ Harald Welte ] ++ ++- Add support for new in-kernel string match ++ [ Pablo Neira ] ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) ++ ++ ++iptables v1.3.3 Changelog ++====================================================================== ++This version requires kernel >= 2.4.0 ++This version recommends kernel >= 2.4.18 ++ ++Bugs fixed from 1.3.2: ++ ++- Fix use-after-free in merge_options() ++ [ Markus Sundberg ] ++ ++- Fix support for SNAT and DNAT to ICMP ID ranges ++ [ Patrick McHardy ] ++ ++Changes from 1.3.2: ++ ++- Add support for new NFQUEUE targets for IPv4 and IPv6 ++ [ Harald Welte ] ++ ++- Minor manpage updates ++ [ Harald Welte ] ++ ++- Fix numberous gcc-4 warnings throughout the code ++ [ Harald Welte ] ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) ++ ++ ++iptables v1.3.2 Changelog ++====================================================================== ++This version requires kernel >= 2.4.0 ++This version recommends kernel >= 
2.4.18 ++ ++Bugs fixed from 1.3.1: ++ ++- Fix TCPLAG version ++ [ Torsten Luettgert ] ++ ++- More error checking in SET target ++ [ Michal Pokrywka ] ++ ++- Fix optflags value for OPT_LINENUMBERS ++ [ Jonas Berlin ] ++ ++- Allow NULL init function in ip6tables plugins ++ [ Jonas Berlin ] ++ ++- Don't allow newlines in LOG prefix ++ [ Phil Oester ] ++ ++- Introduce ip_conntrack_old_tuple to userspace header copy ++ [ Pablo Neira ] ++ ++- Fix connbytes command line parsing bug ++ [ Piotrek Kaczmarek ] ++ ++- Ignore unknown arguments in libipt_ULOG ++ [ Patrick McHardy ] ++ ++- Correct error in multiport manpage wrt. "--ports" ++ [ Rusty Russell ] ++ ++- Fix CONNMARK save/restore ++ [ Tom Eastep, Pawel Sikora ] ++ ++- Make sure chain name doesn't start with '!' ++ [ Yasuyuki Kozakai ] ++ ++- Prevent user to specify negative ports in SNAT/DNAT ++ [ Yasuyuki Kozakai ] ++ ++- Fix deletion of targets where kernel size != userspace size ++ [ Pablo Neira ] ++ ++- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner ++ [ Harald Welte ] ++ ++Changes from 1.3.1: ++ ++- Add ``--log-uid'' option to ip6t_LOG target ++ [ Patrick McHardy ] ++ ++- Improve REDIRECT manpage ++ [ Jonas Berlin ] ++ ++- Add a number of missing manpage snippets ++ [ Jonas Berlin ] ++ ++- Include FIN bit in mask of "--syn" bits ++ [ Harald Welte ] ++ ++- Release previously merged options from merge_opts(), reduces memory-usage of ++ ipt ables-restore dramatically ++ [ Pablo Neira ] ++ ++- OSF: changes to support connector notifications ++ [ Evgeniy Polyakov ] ++ ++- Reduce code replication of parse_interface() ++ [ Yasuyuki Kozakai ] ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) ++ ++ ++iptables v1.3.1 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends 
kernel >= 2.4.18 ++ ++Bugs fixed from 1.3.0: ++ ++- Fix CLUSTERIP rule deletion ++ [ Pablo Neira ] ++ ++- Fix libip6t_random compilation ++ [ Harald Welte ] ++ ++- Fix CONNMARK on 32bit userspace / 64bit kernel archs ++ [ Pablo Neira ] ++ ++Changes from 1.3.0: ++ ++- remove bogus NFC_* stuff in iptables ++ [ Pablo Neira ] ++ ++- libiptc: don't sort builtin chains, restores iptables-1.2.x sort order ++ [ Olaf Rempel ] ++ ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) ++ ++ ++iptables v1.3.0 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs fixed from 1.3.0rc1: ++ ++- Fix realm match save/restore issue ++ [ Harald Welte ] ++ ++- Fix hashlimit rule deletion from userspace ++ [ Samuel Jean ] ++ ++- Fix hashlimit parameter handling / iptables-save ++ [ Nikolai Malykh ] ++ ++- Fix multiport inversion ++ [ Phil Oester ] ++ ++Bugs fixed from 1.2.11: ++ ++- Fix compilation on systems where /bin/sh != bash ++ [ Jozsef Kadlecsik ] ++ ++- Fix setting lib_dir in ip*tables-{save,restore} ++ [ Martin Josefsson ] ++ ++- Fix module-autoloading in certain cases ++ [ Harald Welte ] ++ ++- libipt_TTL: limit range of valid TTL to 0-255 ++ [ Maciej Soltysiak ] ++ ++- libip6t_HL: limit range of valid HL to 0-255 ++ [ Maciej Soltysiak ] ++ ++- libip{6}t_limit: Fix half-working limit invert check ++ [ Phil Oester ] ++ ++- libipt_connbytes: Update to use the IP_CONNTRACK_ACCT counters ++ [ Harald Welte ] ++ ++- libipt_conntrack: Fix typo ++ [ Phil Oester ] ++ ++- libipt_dstlimit: Fix half-working invert check ++ [ Phil Oester ] ++ ++- libipt_helper: Prevent user from using --helper multiple times ++ [ Nicolas Bouliane ] ++ ++- libipt_iprange: Print error message if --dst-range used twice ++ [ Nicolas Bouliane ] ++ ++- 
libipt_nth: Fix help message syntax ++ [ Harald Welte ] ++ ++- libipt_psd: Fix option parsing ++ [ Pablo Neira ] ++ ++- libipt_random: Fix help message syntax ++ [ Harald Welte ] ++ ++- libipt_realm: Fix inversion of options ++ [ Simon Lodal ] ++ ++- libipt_time: Fix C++ style delayed variable definition ++ [ Olivier Clerget ] ++ ++- libipt_time: Print message about time match not adhering daylight saving ++ [ Phil Oester ] ++ ++- libipt_tos: Print Error message if --tos is specified twice ++ [ Nicolas Bouliane ] ++ ++- libipt_ttl: Cleanup ttl option parsing ++ [ Phil Oester ] ++ ++- libipt_u32: Fix option parsing ++ [ Piotr Gasid'o ] ++ ++ ++Changes from 1.2.11: ++ ++- libiptc: complete rewrite for performance reasons ++ [ Harald Welte, Martin Josefsson ] ++ ++- introduce "DO_MULTI=1" mode to build a muilti-call binary ++ [ Bastiaan Bakker ] ++ ++- code cleanup, use C99 initializers ++ [ Harald Welte, Pablo Neira ] ++ ++- Extension revision number support (if kernel supports the getsockopts). ++ [ Rusty Russell ] ++ ++- Don't need ipt_entry_target()/ip6t_entry_target(). ++ [ Rusty Russell ] ++ ++- Don't re-initialize libiptc/libip6t unless modprobe attempt succeeds. ++ [ Rusty Russell ] ++ ++- Implement IPTABLES_LIB_DIR and IP6TABLES_LIB_DIR environment variables ++ [ Rusty Russell ] ++ ++- Add manpage section about 'raw' table ++ [ Harald Welte ] ++ ++ ++- libip{6}t_ROUTE: add ROUTE --tee mode ++ [ Patrick Schaaf ] ++ ++- libip{6}t_multiport: Print Error message when `!' 
is used ++ [ Patrick McHardy, Phil Oester ] ++ ++- New libip6t_physdev Match ++ [ Bart De Schuymer ] ++ ++- libipt_CLUSTERIP: Fix compiler warning about const ++ [ Harald Welte ] ++ ++- libipt_DNAT: Print Error message if `:' is used for port range ++- libipt_SNAT: Print Error message if `:' is used for port range ++ [ Phil Oester ] ++ ++- libipt_LOG: Add --log-uid option ++ [ John Lange ] ++ ++- libipt_MARK: add bitwise operators ++ [ Henrik Nordstrom, Rusty Russell ] ++ ++- libipt_SET: Update to ipset2 ++ [ Jozsef Kadlecsik ] ++ ++- libipt_account: Update to 0.1.16 ++ [ Piotr Gasid'o ] ++ ++- New libipt_comment Match ++ [ Brad Fisher ] ++ ++- New libipt_hashlimit Match, supersedes dstlimit ++ [ Harald Welte ] ++ ++- libipt_ttl: Use string_to_number() ++ [ Rusty Russell ] ++ ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic-ng/snapshot) ++ ++ ++iptables v1.2.11 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++ ++Bugx Fixed from 1.2.10: ++ ++- fix compilation on systems where /bin/sh != bash ++ [ Jozsef Kadlecsik ] ++ ++Bugs Fixed from 1.2.9: ++ ++- physdev match: fix new structure layout for kernel > 2.6.0-test8 ++ [ Bart De Schuymer ] ++ ++- Better 64bit / 32bit split architecture detection ++- IPv6 LOG target: Fix compiler warnings on 64bit ++- LOG target: Fix compiler warnings on 64bit ++- IPv6 MARK target: Use full 64bit mark on 64bit archs ++- MARK target: Use full 64bit mark on 64bit archs ++- SAME target: Fix 64bit/32bit splitarch problems ++- ULOG target: Fix 64bit/32bit splitarch problems ++- conntrack match: Fix 64bit/32bit splitarch problem ++- IPv6 limit match: Fix 64bit/32bit splitarch problem ++- limit match: Fix 64bit/32bit splitarch problem ++- IPv6 mark match: Use full 64bit mark on 64bit archs ++- 
mark match: Use full 64bit mark on 64bit archs ++- owner match: Fix compiler warnings on 64bit ++ [ Martin Jofsefsson ] ++ ++- connbytes match: Fix signedness / unsigned issue ++ [ Martin Josefsson ] ++ ++- connlimit match: Fix '/0' netmask ++ [ David Ahern ] ++ ++- ipv6 owner match: fix possibly not zero terminated string ++- helper match: fix possibly not zero terminated string ++- recent match: fix possibly not zero terminated string ++ [ Karsten Desler ] ++ ++- ICMP match: fix '--icmp-type any' case ++ [ Harald Welte ] ++ ++- CONNMARK target: major update (add mark/mask matching) ++ [ Henrik Nordstrom ] ++ ++- DSCP target: Fix cosmetic help message problem ++ [ Maciej Soltysiak ] ++ ++- string match: Fix iptables-save/restore for ascii strings with spaces ++ [ Michael Rash ] ++ ++- ip(6)tables-restore: Make sure matches are used in the same order ++ [ Martin Josefsson ] ++ ++- ip(6)tables-restore: Fix '--verbose' option ++- ip(6)tables-restore: Add '--test' option ++- ip(6)tables-restore: Complain about missing 'COMMIT' ++ [ Martin Josefsson ] ++ ++- ip(6)tables-restore: Allow embedding of quote character in quoted strings ++ [ Michael Rash ] ++ ++- libipq: Protect against spoofed queue messages (check if sender is kernel) ++ [ Harald Welte ] ++ ++ ++Changes from 1.2.9: ++ ++- time match: add 'datestart' and 'datestop' parameters ++ [ Fabrice Marie ] ++ ++- modular manpage build, depending on actually compiled-in features ++ [ Henrik Nordstrom ] ++ ++- additional documentation in manpage snippets formerly missing ++ [ Harald Welte ] ++ ++- support new CLUSTERIP Target ++ [ Harald Welte ] ++ ++- support new account match ++ [ Piotr Gasid'o ] ++ ++- support new connrate match ++ [ Nuuti Kotivuori ] ++ ++- support new dstlimit match ++ [ Harald Welte ] ++ ++- support new 'set' match / 'SET' target ++ [ Jozsef Kadlecsik ] ++ ++- osf match: add support for netlink reporting ++ [ Evgeniy Polyakov ] ++ ++- new SCTP protocol match ++ [ Kiran Kumar ] ++ ++ ++Please 
note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic/) ++ ++Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, ++distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng) ++ ++ ++iptables v1.2.10 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs Fixed from 1.2.9: ++ ++- physdev match: fix new structure layout for kernel > 2.6.0-test8 ++ [ Bart De Schuymer ] ++ ++- Better 64bit / 32bit split architecture detection ++- IPv6 LOG target: Fix compiler warnings on 64bit ++- LOG target: Fix compiler warnings on 64bit ++- IPv6 MARK target: Use full 64bit mark on 64bit archs ++- MARK target: Use full 64bit mark on 64bit archs ++- SAME target: Fix 64bit/32bit splitarch problems ++- ULOG target: Fix 64bit/32bit splitarch problems ++- conntrack match: Fix 64bit/32bit splitarch problem ++- IPv6 limit match: Fix 64bit/32bit splitarch problem ++- limit match: Fix 64bit/32bit splitarch problem ++- IPv6 mark match: Use full 64bit mark on 64bit archs ++- mark match: Use full 64bit mark on 64bit archs ++- owner match: Fix compiler warnings on 64bit ++ [ Martin Jofsefsson ] ++ ++- connbytes match: Fix signedness / unsigned issue ++ [ Martin Josefsson ] ++ ++- connlimit match: Fix '/0' netmask ++ [ David Ahern ] ++ ++- ipv6 owner match: fix possibly not zero terminated string ++- helper match: fix possibly not zero terminated string ++- recent match: fix possibly not zero terminated string ++ [ Karsten Desler ] ++ ++- ICMP match: fix '--icmp-type any' case ++ [ Harald Welte ] ++ ++- CONNMARK target: major update (add mark/mask matching) ++ [ Henrik Nordstrom ] ++ ++- DSCP target: Fix cosmetic help message problem ++ [ Maciej Soltysiak ] ++ ++- string match: Fix iptables-save/restore for ascii strings with 
spaces ++ [ Michael Rash ] ++ ++- ip(6)tables-restore: Make sure matches are used in the same order ++ [ Martin Josefsson ] ++ ++- ip(6)tables-restore: Fix '--verbose' option ++- ip(6)tables-restore: Add '--test' option ++- ip(6)tables-restore: Complain about missing 'COMMIT' ++ [ Martin Josefsson ] ++ ++- ip(6)tables-restore: Allow embedding of quote character in quoted strings ++ [ Michael Rash ] ++ ++- libipq: Protect against spoofed queue messages (check if sender is kernel) ++ [ Harald Welte ] ++ ++ ++Changes from 1.2.9: ++ ++- time match: add 'datestart' and 'datestop' parameters ++ [ Fabrice Marie ] ++ ++- modular manpage build, depending on actually compiled-in features ++ [ Henrik Nordstrom ] ++ ++- additional documentation in manpage snippets formerly missing ++ [ Harald Welte ] ++ ++- support new CLUSTERIP Target ++ [ Harald Welte ] ++ ++- support new account match ++ [ Piotr Gasid'o ] ++ ++- support new connrate match ++ [ Nuuti Kotivuori ] ++ ++- support new dstlimit match ++ [ Harald Welte ] ++ ++- support new 'set' match / 'SET' target ++ [ Jozsef Kadlecsik ] ++ ++- osf match: add support for netlink reporting ++ [ Evgeniy Polyakov ] ++ ++- new SCTP protocol match ++ [ Kiran Kumar ] ++ ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic/) ++ ++Please also note: Since Kernel 2.6.x is out, we now use patch-o-matic-ng, ++distributed as seperate package: (ftp://ftp.netfilter.org/pupatch-o-matic-ng) ++ ++ ++iptables v1.2.9 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs Fixed from 1.2.8: ++ ++- ip(6)tables-save/restore: fix memory leaks ++ [ Harald Welte, Martin Josefsson ] ++- ip6tables: fix printout of odd length netmasks ++ [ Mikko Markus Torni ] ++- condition match: fix iptables-save ++ [ Stephane 
Ouellette ] ++- fuzzy match: fix ip(6)tables-save ++ [ Hime Aguiar e Oliveira Jr. ] ++- mac match: fix ip(6)tables-save if used inverted (!) ++ [ David Zambonini, Martin Josefsson ] ++- ip6tables udp match: check for invalid port ranges ++ [ Thomas Poehnitz ] ++- LOG target: fix iptables-save (save loglevel numerically) ++ [ Thomas Woerner ] ++- mport match: fix iptables-save (save numerically) ++ [ Thomas Woerner ] ++- libipq: fix ipq_id_t definition on 'real' 64bit/64bit architectures ++ [ Ryan Veety ] ++- libip6tc: fix ipv6_prefix_length endianness bugs ++ [ Mikko Markus Torni ] ++- MASQUERADE target: don't accept negative port numbers ++ [ Yasuyuki Kozakai ] ++- physdev match: fix new structure layout for kernel > 2.6.0-test8 ++ [ Bart De Schuymer ] ++ ++Changes from 1.2.8: ++ ++- build plugins for connlimit, iprange, realm, CLASSIFY, CONNMARK, NETMAP ++ [ Harald Welte ] ++- libip(6)tc: Speedup due to inceremental chain cache updates ++ [ Harald Welte ] ++- recent match: Update to version 0.3.1 that was submitted to the kernel ++ [ Stephen Frost ] ++- physdev match: add --physdev-is-{in,out,bridge} option ++ [ Bart de Schuymer ] ++- REJECT target: add support for ICMP administratively prohibited ++ [ Maciej Soltysiak ] ++- conntrack match: add suport for CONFIRMED / unconfirmed state ++ [ Harald Welte ] ++- ROUTE target: new option: continue traversal ++ [ Cedric de Launois ] ++- varios cosmetic cleanups ++ [ Stephane Ouellette ] ++- iptables/libiptc: add support for the new 'raw' table ++ [ Jozsef Kadlecsik ] ++ ++Please note: Since version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic/) ++ ++ ++iptables v1.2.8 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs Fixed from 1.2.7a: ++ ++- fix ip6tables-save function of 'length' match ++ [ 
Gerry Skerbitz ] ++- fix ip6tables-save function of 'mac' match ++ [ Kristian Gronfeldt Sorensen ] ++- fix iptables-save function of 'ULOG' target ++ [ Jimmy Hedman ] ++- fix iptables-save function of 'conntrack' match ++ [ Lutz Pressler ] ++- fix iptables-save function of 'length' match ++ [ Gerry Skerbitz ] ++- fix iptables-save function of 'mac' match ++ [ Kristian Gronfeldt Sorense ] ++- fix iptables-save function of 'mark' match ++ [ Harald Welte ] ++- fix iptables-save function of 'owner' match ++ [ Costa Tsaousis ] ++- fix iptables-save function of 'pool' match ++ [ Oskar Berggren ] ++- fix iptables-save function of 'tcpmss' match ++ [ Michael Schwendt ] ++- fix iptables-save function of 'tos' match ++ [ Harald Welte ] ++- fix save/print function of 'connmark' match ++ [ Harald Welte ] ++- fix error message when invalid TCP flag is specified with 'tcp' match ++ [ Aaron Sethman ] ++ ++Changes from 1.2.7a: ++ ++- updated version of the ROUTE target ++ [ Cedric de Launois ] ++- updated version of the 'recent' match ++ [ Stephen Frost ] ++- update the RPC conntrack match, extend it to support filtering on procedures ++ [ Ian (Larry) Latter ] ++- add support for hexstrings to the 'string' match ++ [ Michael Rash ] ++- have iptables-restore print the line number in case of an error ++ [ Illes Marci ] ++- big iptables.8 manpage update ++ [ Herve Eychenne ] ++- print loglevel human-readable in ip6tables 'LOG' target ++ [ Michael Schwendt ] ++- print loglevel human-readable in 'LOG' target ++ [ Michael Schwendt ] ++- remove bogus code from 'ecn' match ++ [ Stephane Ouellette ] ++- be more specific in help message of 'helper' match ++ [ Herve Eychenne ] ++- fix semantic problem that '-p icmp -m icmp' was matching icmp type 0 instead ++ of 'any' ++ [ Harald Welte ] ++- fix iptables rename-chain option ++ [ Maciej Soltysiak ] ++- remove libipulog from iptables since it is distributed with ulogd ++ [ Harald Welte ] ++- support new ip6tables 'HL' target ++ [ Maciej 
Soltysiak ] ++- support new ip6tables 'condition' match ++ [ Stephane Ouellette ] ++- support new ip6tables 'fuzzy' match ++ [ Maciej Soltysiak ] ++- support new ip6tables 'hoplimit' match ++ [ Maciej Soltysiak ] ++- support new iptables 'CLASSIFY' target ++ [ unknown ] ++- support new iptables TARPIT target ++ [ Aaron Hopkins ] ++- support new iptables 'condition' match ++ [ Stephane Ouellette ] ++- support new iptables 'fuzzy' match ++ [ Hime Junior ] ++- support new iptables 'physdev' match (for 2.5.x bridging) ++ [ Bart de Schumyer ] ++- support new iptables 'u32' match (based on u32 tc filter) ++ [ Don Cohen ] ++ ++Please note: As of version 1.2.7a, patch-o-matic is now no longer part of ++iptables but rather distributed as a seperate package ++(ftp://ftp.netfilter.org/pupatch-o-matic/) ++ ++ ++iptables v1.2.7a (== fixed 1.2.7) Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs Fixed from 1.2.6a: ++ ++- fix compiler warning in userspace support for ipv6 REJECT target ++ [ Fabrice Marie ] ++- check for invalid portranges in tcp+udp helper (e.g. 2000:100) ++ [ Thomas Poehnitz ] ++- fix save save/restore functions of ip6tables tcp/udp extension ++ [ Harald Welte / Andras Kis-Szabo ] ++- check for invalid (out of range) nfmark values in MARK target ++ [ Alexey ??? ] ++- fix save function of MASQUERADE userspace support ++ [ A. van Schie ] ++- compile fixes for userspace suppot of experimental POOL target ++ [ ? ] ++- fix save function of userspace support for ah and esp match ++ [ ? ] ++- fix static build (NO_SHARED_LIBS) ++ [ Roberto Nibali ] ++- fix save/restore function of userspace support for mport match ++ [ Bob Hockney ] ++- update manpages to reflect recent changes ++ [ Herve Eychenne, Harald Welte ] ++- remove all remnants of the 'check' option ++ [ ? 
] ++ ++ ++Changes from 1.2.6a: ++ ++- patch-o-matic is now no longer part of iptables but rather distributed ++ as a seperate package (ftp://ftp.netfilter.org/pupatch-o-matic/) ++ [ Harald Welte ] ++- userspace support for dscp match and target ++ [ Harald Welte ] ++- userspace supprot for ecn match and target ++ [ Harald Welte ] ++- userspace support for helper match ++ [ Martin Josefsson ] ++- userspace supprot for conntrack match ++ [ Marc Boucher ] ++- userspace support for pkttype match ++ [ Martin Ludvig ] ++- userspace support for experimental ROUTE target ++ [ Cédric de Launois ] ++- userspace support for experimental ipv6 ahesp match ++ [ Andras Kis-Szabo ] ++- userspace support for experimental ipv6 option header match ++ [ Andras Kis-Szabo ] ++- userspace support for experimental ipv6 routing header match ++ [ Andras Kis-Szabo ] ++- add matching of process name to userspace support of owner match ++ [ Marc Boucher ] ++- new version of userspace support for 'recent' match ++ [ Stephen Frost ] ++ ++ ++iptables v1.2.6a (== fixed 1.2.6) Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs Fixed from 1.2.5: ++ ++- Fix iptables segfault problem when using `!' 
without argument ++ [ Dionis Papavramidis, Harald Welte ] ++- Fix PSD match for psd-delay-threshold > 100 ++ [ Steven Coenen, Dennis Koslowski ] ++- ip6tables alignment fixes ++ [ Andreas Herrmann ] ++- patch-o-matic: ++ - Fix NAT-related bug in TCP window tracking code ++ [ Jozsef Kadlecsik ] ++ - Fix support for DNAT of locally-originated connections (NAT in ++ LOCAL_OUT) ++ [ Henrik Nordstrom, Harald Welte ] ++ - Fix string match (is now SMP safe) ++ [ Gianni Tedesco ] ++ - Fix TFTP conntrack/nat helper (now also catches first packet) ++ [ Magnus Boden ] ++ ++Changes from 1.2.5: ++ ++- Added global PREFIX makefile variable for all paths ++ [ Harald Welte ] ++- If compiled without any COPT_FLAGS, debugging is disabled. To enable ++ debugging, use -DIPTC_DEBUG ++ [ Harald Welte ] ++- New ip6tables-restore and ip6tables-save manpage ++ [ Andras Kis-Szabo ] ++- Sync ip6tables-restore and ip6tables-save with iptables-restore ++ [ Andras Kis-Szabo ] ++- Sync ip6tables with iptables ++ [ Andras Kis-Szabo ] ++- mangle table attaches now to all five netfilter hooks ++ [ Brad Chapman, Harald Welte ] ++- iptables and ip6tables manpage updates ++ [ Herve Eychenne ] ++- patch-o-matic program now supports removal of already-applied patches ++ [ Bob Hockney ] ++- patch-o-matic program now supports patches to the userspace extensions ++ [ Fabrice Marie ] ++- patch-o-matic: ++ - Extend recent match to support multiple recent lists ++ [ Stephen Frost ] ++ - New GRE and PPTP connection tracking and NAT helper ++ [ Harald Welte ] ++ - New CONNMARK target for marking all packets within one connection ++ [ Henrik Nordstrom ] ++ - New conntrack match, enables matching on more conntrack informatin ++ than state ++ [ Marc Boucher ] ++ - New DSCP match and target (DSCP header field obsoletes TOS) ++ [ Harald Welte ] ++ - New owner match extension: Match on process name ++ [ Marc Boucher ] ++ - Add support for bitwise AND / OR manipulation on nfmark ++ [ Fabrice Marie ] ++ - New 
experimental patch for disabling TCP connection tracking pickup ++ [ Harald Welte ] ++ - Add support for SACK in all NAT helpers ++ [ Harald Welte ] ++ - Make eggdrop botnet connection tracking support work with eggdrop ++ v1.6.x ++ [ Magnus Sandin ] ++ - Add support to REJECT for sending icmp-unreachable messages ++ from a fake source address ++ [ Fabrice Marie ] ++ - Add support for ntalk2 to talk NAT helper ++ [ Jozsef Kadlecsik ] ++ - Big update to newnat patch ++ [ Jozsef Kadlecsik, Paul P Komkoff ] ++ ++iptables v1.2.6 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel >= 2.4.18 ++ ++Bugs Fixed from 1.2.5: ++ ++- Fix iptables segfault problem when using `!' without argument ++ [ Dionis Papavramidis, Harald Welte ] ++- Fix PSD match for psd-delay-threshold > 100 ++ [ Steven Coenen, Dennis Koslowski ] ++- ip6tables alignment fixes ++ [ Andreas Herrmann ] ++- patch-o-matic: ++ - Fix NAT-related bug in TCP window tracking code ++ [ Jozsef Kadlecsik ] ++ - Fix support for DNAT of locally-originated connections (NAT in ++ LOCAL_OUT) ++ [ Henrik Nordstrom, Harald Welte ] ++ - Fix string match (is now SMP safe) ++ [ Gianni Tedesco ] ++ - Fix TFTP conntrack/nat helper (now also catches first packet) ++ [ Magnus Boden ] ++ ++Changes from 1.2.5: ++ ++- Added global PREFIX makefile variable for all paths ++ [ Harald Welte ] ++- If compiled without any COPT_FLAGS, debugging is disabled. 
To enable ++ debugging, use -DIPTC_DEBUG ++ [ Harald Welte ] ++- New ip6tables-restore and ip6tables-save manpage ++ [ Andras Kis-Szabo ] ++- Sync ip6tables-restore and ip6tables-save with iptables-restore ++ [ Andras Kis-Szabo ] ++- Sync ip6tables with iptables ++ [ Andras Kis-Szabo ] ++- mangle table attaches now to all five netfilter hooks ++ [ Brad Chapman, Harald Welte ] ++- iptables and ip6tables manpage updates ++ [ Herve Eychenne ] ++- patch-o-matic program now supports removal of already-applied patches ++ [ Bob Hockney ] ++- patch-o-matic program now supports patches to the userspace extensions ++ [ Fabrice Marie ] ++- patch-o-matic: ++ - Extend recent match to support multiple recent lists ++ [ Stephen Frost ] ++ - New GRE and PPTP connection tracking and NAT helper ++ [ Harald Welte ] ++ - New CONNMARK target for marking all packets within one connection ++ [ Henrik Nordstrom ] ++ - New conntrack match, enables matching on more conntrack informatin ++ than state ++ [ Marc Boucher ] ++ - New DSCP match and target (DSCP header field obsoletes TOS) ++ [ Harald Welte ] ++ - New owner match extension: Match on process name ++ [ Marc Boucher ] ++ - Add support for bitwise AND / OR manipulation on nfmark ++ [ Fabrice Marie ] ++ - New experimental patch for disabling TCP connection tracking pickup ++ [ Harald Welte ] ++ - Add support for SACK in all NAT helpers ++ [ Harald Welte ] ++ - Make eggdrop botnet connection tracking support work with eggdrop ++ v1.6.x ++ [ Magnus Sandin ] ++ - Add support to REJECT for sending icmp-unreachable messages ++ from a fake source address ++ [ Fabrice Marie ] ++ - Add support for ntalk2 to talk NAT helper ++ [ Jozsef Kadlecsik ] ++ - Big update to newnat patch ++ [ Jozsef Kadlecsik, Paul P Komkoff ] ++ ++ ++iptables v1.2.5 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel > 2.4.14 ++ ++Bugs Fixed from 1.2.4: ++ ++- make 
iptables-restore accept --table as well as -t option ++ [ Andreas Ferber ] ++- make iptables-restore -v / --verbose option work ++ [ Marc Boucher ] ++- fix iptables-save problems with saving "ppp+" style interface wildcards ++ [ Harald Welte ] ++- make iptables accept '_' and '.' in interface names ++ [ Harald Welte ] ++- Kernel bugfixes in patch-o-matic: ++ - Fix IRC NAT srcaddr fix (we used to nat DCC connectios to the ++ address of the IRC server ++ [ Bob Hockney ] ++ - Fix potential Oops in TOS target module ++ [ Edward Killips ] ++ - Fix problem when raw socket has cloned skb while netfilter doing ++ payload modification ++ [ Rusty Russell ] ++ - Fix memory leak in ipchains redirect code ++ [ Rusty Russell ] ++ - Fix reintroduced ECN problem with unclean match ++ [ Guillaume Morin ] ++ - Fix MAC adress match problem with small udp packets ++ [ Harald Welte ] ++ ++Changes from 1.2.4: ++ ++- Whole patch-o-matic system restructured - now supports multiple patch ++ repositories (submitted, pending, base, extra, newnat). ++ [ Jozsef Kadlecsik ] ++- Add IPv6 support to the QUEUE target and libipq ++ [ Fernando Anton / James Morris ] ++- New patch-o-matic patches: ++ -New IPV4OPTSSTRIP target to strip IP options ++ [ Fabrice Marie ] ++ - New ipv6header match to match IPv6 header options ++ [ Brad Chapman / Andras Kis-Szabo ] ++ - New helper match to match RELATED connections on their conntrack ++ helper ++ [ Martin Josefsson ] ++ - New quota match to have fixed IP quotas ++ [ Sam Johnston ] ++ - New recent match to match recently seen packets ++ [ Stephen Frost ] ++ ++ ++iptables v1.2.4 Changelog ++====================================================================== ++This version requires kernel >= 2.4.4 ++This version recommends kernel > 2.4.9 ++ ++Bugs Fixed from 1.2.3: ++ ++- make iptables-restore print error message instead of segfault when ++ processing broken / wrong input. 
++ [ ] ++- string_to_number fix in LOG, IPv6 LOG, TOS and FTOS target ++ [ ] ++- fix iptables-save problems when saving MIRROR rules ++ [ Harald Welte ] ++- fix IPv6 ICMP problems [ ] ++- fix TTL increment in TTL target [ ] ++- Kernel bugfixes in patch-o-matic: ++ - Fix printing of inner-packet in ICMP error messages (LOG target) ++ [ ] ++ - Decrement TTL when using MIRROR target at PRE_ROUTING [ ] ++ - fix undiscovered REJECT checkentry() bug (alignment) ++ [ Bert Hubert] ++ ++Changes from 1.2.3: ++ ++- New "make most-of-pom" feature for application of non-confliction ++ patches. This should be used instead of "make patch-o-matic" by most ++ users. ++ [ Harald Welte ] ++- iptables-save and iptables-restore now included in the default install; ++ They are n - longer experimental for quite some time. ++ [ Harald Welte ] ++- synchronize ip6tables-save/restore with iptables-save/restore ++ [ Harald Welte ] ++- more precise save() function for ipt_limit rates ++ [ ] ++- new improved version of nth-match. Added support for multiple counters, ++ added support for matching on individual packets in the counter cycle ++ [ Richard Wagner ] ++- added manpage for ip6tables ++ [ ] ++- updated libipq documentation ++ [ ] ++- added timeout t - libipq recv function ++ [ ] ++- New patch-o-matic patches: ++ - New random match ++ [ ] ++ - New ftp-fxp patch, imposes security risk but some people need it -sigh* ++ [ Magnus Sandin ] ++ - New H323 conntrack + nat modules ++ [ Jozsef Kadlecsik ] ++ - New version of tcp-window tracking patch, includes sysctl() ++ changeable timeouts ++ [ Jozsef Kadlecsik ] ++ ++ ++iptables v1.2.3 Changelog ++====================================================================== ++This version requires kernel 2.4.4 or above. ++This version recommends kernel 2.4.9 or above. 
++ ++Bugs Fixed from 1.2.2: ++ ++- fix ICMPv6 support for IPv6 ++ [ Kis-Szab - Andras ] ++- fix problems with REJECT and iptables-restore / iptables-save ++ [ Harald Welte ] ++- fix possible string overflow in psd match ++ [ Dennis Koslowski ] ++- fix string match compile problems ++ [ Gianni Tedesc - ] ++- support interfaces with '_' (underscore) in device names ++ [ Harald Welte ] ++- support rules without target in iptables-save ++ [ Emmanuel Fleury ] ++- correct handling of "eth+" type interface names in iptables-save/restore ++ [ Harald Welte ] ++- d - incremental checksumming when altering TTL in TTL target ++ [ Harald Welte ] ++- fix no-srr case in ipv4options match ++ [ Fabrice Marie ] ++- Kernel bugfixes in patch-o-matic: ++ - Fix unexported ip6_table symbols [ Brad Chapman ] ++ - Decrement TTL in MIRROR target if used in FORWARD chain [ Harald ++ Welte, Fabian Melzow ] ++ - Replace SACKPERM TCP option with NOOP (instead of ENDOFOPT) ++ [ Guillaume Morin ] ++ ++Changes from 1.2.2: ++ ++- New "make most-of-pom" feature for application of non-confliction ++ patches. This should be used instead of "make patch-o-matic" by most ++ users. 
++ [ Harald Welte ] ++- support for statically linking iptables, without need for .s - plugins ++ [ David McCullough ] ++- support for multiple ranges in SAME target ++ [ Martin Josefsson ] ++- support for router alert options in ipv4options match ++ [ Fabrice Marie ] ++- modprobe() modules when doing iptables-restore ++ [ Andries van Schie ] ++- remove obsolete fragment matching code in IPv6 ++ [ Kis-Szab - Andras ] ++- add support for dns hostnames t - IPv6 code ++ [ Kis-Szab - Andras ] ++- New patch-o-matic patches: ++ - New multiport (mport) match ++ [ Andreas Ferber ] ++ - New nth match for matching every n-th packet ++ [ Fabrice Marie ] ++ - New realm match for matchin the routing realm ++ [ Sampsa Ranta ] ++ - New ctnetlink patch for manipulation of conntrack from userspace ++ [ Jay Schulist ] ++ - New REJECT Target for IPv6 ++ [ Harald Welte ] ++ - New length match for IPv6 ++ [ Imran Patel ] ++ - New multiport (mport) match for IPv6 ++ [ Andreas Ferber] ++ ++ ++iptables v1.2.1 Changelog ++====================================================================== ++This version requires kernel 2.4.0 or above. 
++ ++Bugs Fixed from 1.2: ++ ++- Missing quotes around log-prefix ++ [ Bart Theunissen ] ++- Bug in save function of string match ++ [ Gianni Tedesc - ] ++- ip6tables.c string buffer size fixes ++ [ Andras Kis-Szab - ] ++- dependency problem with iptables-save / iptables-restore ++ [ Harald Welte ] ++- strtok problem with iptables-save / iptables-restore ++ [ Harald Welte ] ++- Problems with tcp/udp extension and multiple calls of do_command() ++ [ Sven Koch ] ++- Kernel bugfixes in patch-o-matic: ++ - Updated rpc-record patch to work with 2.4.0 ++ [ Marc Boucher ] ++ - New ftp-pasv patch for fixing PASV detection with some ftpd's ++ [ Erik Hensema ] ++ - Fix checksum calculation of TOS target ++ [ Rusty Russell ] ++ ++Changes from 1.2: ++ ++- New `pending-patches' target ++ [ Rusty Russell ] ++- build all shared library extensions regardless of kernel tree ++ [ Rusty Russell ] ++- New counter-restore functions for iptables ++ [ Harald Welte ] ++- Added libiptc and libipulog t - `devel' Makefile target ++ [ Harald Welte ] ++- Ported iptables-save/restore t - IPv6 ++ [ Andras Kis-Szab - ] ++- Updated ULOG target (now in-kernel accumulation [= higher performance]) ++ [ Harald Welte ] ++- Added fxp support t - ftp-multi patch ++ [ Magnus Sandin ] ++- Implemented Boyer Moore Sublinear search algorithm for string match ++ [ Gianni Tedesc - ] ++- Fixed tcp-window-tracking incompatibility with NAT helpers ++ [ Harald Welte ] ++- New patch-o-matic patches: ++ - New generic sequence number offset API for nat helpers ++ [ Harald Welte ] ++ - New psd (port-scan-detection) match ++ [ Dennis Koslowski, Markus Henning ] ++ - New NETLINK target for old ipchains -o behaviour ++ [ Gianni Tedesc - ] ++ - New SAME target as a special case of SNAT ++ [ Martin Josefsson ] ++ - Ported LOG target to IPv6 ++ [ Jan Rekorajski ] ++ - Ported owner, limit, mac and multiport match to IPv6 ++ [ Jan Rekorajski ] ++ ++ ++iptables v1.2.2 Changelog 
++====================================================================== ++This version requires kernel 2.4.1 or above. ++This version recommends kernel 2.4.4 or above. ++ ++Bugs Fixed from 1.2.1a: ++ ++- fixes for SAME Target ++ [ Martin Josefsson ] ++- fixes for iplimit match in combination with iptables-save/-restore ++ [ Gerd Knorr ] ++- fix for TCP match in combination with iptables-save/-restore ++ [ Ian Lynagh ] ++- iptables-restore now deals correclty with spaces in --log-prefix ++ [ Harald Welte ] ++- fix in 'isapplied' script. It used t - give false negatives ++ [ Harald Welte ] ++- fix in BALANCE target, target now uses full ip address range ++ [ Martin Josefsson ] ++- fix for NETLINK target, was sending wrong interface name ++ [ Gianni Tedesc - ] ++- fix for collision of ftp and irc NAT helpers ++ [ Harald Welte ] ++- ip6tables brought in sync with iptables ++ [ Kis-Szab - Andras ] ++- Kernel bugfixes in patch-o-matic: ++ - Fix possible security vulnerability in ip_conntrack_ftp ++ [ Cristian - Lincoln Mattos, James Morris and Rusty ] ++ ++Changes from 1.2.1a: ++ ++- libiptc should now be usable from C++ applications ++ [ Fabrice MAURIE ] ++- seqoffset-,ftp-security, ... patches are combined in 2.4.4.patch ++ [ Rusty Russell ] ++- lots of old pre-2.4.1 patches now combined in 2.4.1.patch ++ [ Rusty Russel ] ++- IRC conntrack + nat cleanup ++ [ Harald Welte ] ++- string match cleanup ++ [ Gianni Tedesc - ] ++- ULOG cleanup, new version. 
Fixes 'unable t - send nflink' bug ++ [ Harald Welte ] ++- New patch-o-matic patches: ++ - New NETMAP Target for mapping whole networks 1:1 to other addresses ++ [ Svenning Soerensen ] ++ - New length Target for matching packet length ++ [ James Morris ] ++ - New ipv4options match for matching IPv4 header options ++ [ Fabrice MARIE ] ++ - New IPv6 agr match for matching IPv6 global aggregatable unicast ++ adresses ++ [ Andras Kis-Szab - ] ++ - New pkttype match for matching link-layer multicast / broadcast ++ packets ++ [ Michal Ludvig ] ++ - New time match for matching the packet's receive time ++ [ Fabrice MARIE ] ++ - New talk conntack + NAT helper module ++ [ Jozsef Kadlecsik ] ++ ++ ++iptables v1.2 Changelog ++====================================================================== ++This version requires 2.4.0-test9 or above. ++ ++Bugs Fixed from 1.1.2: ++ ++- Now default installs int - /usr/local/sbin, not /usr/local/bin. ++- Only does IPv6 compilation on libc6. ++- More header fixes for weird header combos. ++- ip6tables now refers t - "icmpv6" protocol, not "icmp". ++ [ Harald Welte ] ++- IPPROTO_ESP and AH defined in iptables for primitive headers. ++- iptables multiple-DNS resolve fixed ++ [ Harald Welte, Rusty ] ++- Kernel bugfixes in patch-o-matic: ++ - IPv6 netfilter fixes ++ [ Harald Welte ] ++ - Masquerade with fwmark routing fix ++ - Dynamic hashsize optimization (NAT) + `hashsize=' module parameter. ++ - NAT overlap fix ++ - PPC/Sparc mangle table fix. ++ ++Changes from 1.1.2: ++ ++- New `install-devel' target ++ [ James Morris ] ++- libipq now has man pages! ++ [ James Morris ] ++- iptables-save and iptables-restore added (with man pages!) ++ [ Harald Welte ] ++- iptables now inserts modules if CONFIG_KMOD or --modprobe ++ [ Harald Welte, Rusty ] ++- New `experimental' and `install-experimental' targets. ++- `--reject-with=echo-reply' removed in anticipation of the removal of ++ kernel support. 
++- ttl match enhancements (greater or less than tests) ++ [ Harald Welte ] ++- Reworked patch-o-matic interface, t - force reading of help. ++- patch-o-matic updated for new 2.4 Makefiles ++ [ Daniel Stone, Harald Welte ] ++- patch-o-matic now supports non-IPv4 netfilter patches ++ [ Harald Welte ] ++- New patch-o-matic patches: ++ - eggdrop bot connection tracking ++ [ Magnus Sandin ] ++ - FTOS target for full ToS mangling. ++ [ Matthew G. Marsh ] ++ - BALANCE target for simple load-balancing. ++ - iplimit match for limiting number of connections. ++ [ Gerd Knorr ] ++ - IPv6 MARK target ++ [ Harald Welte ] ++ - IPv6 mark match ++ [ Harald Welte ] ++ ++ ++iptables v1.1.2 Changelog ++====================================================================== ++This version requires 2.4.0-test9 or above. ++ ++Bugs Fixed from 1.1.1: ++ ++- Adding rules on UltraSparc now works ++- string_to_number now handles overflow ++ [ Jan Echternach ] ++- Bug when using ridiculous rule numbers fixed ++ ++Changes from 1.1.1: ++ ++- patch-o-matic system added: ++ - TTL alteration and ttl matching support -- Harald Welte ++ - AH/ESP matching support -- Yon Uriarte ++ - DROPPED table support -- Rusty ++ - ftp-multi patch for non-standard ftp servers -- Harald Welte ++ - IRC connection tracking & NAT -- Harald Welte ++ - pool match and POOL target -- Patrick ++ - RPC recording patch -- Marcelo Barbosa Lima ++ - SNMP NAT support -- James Morris ++ - string match for looking in packet's data -- Emmanuel Roger ++ - tcp-MSS target for altering MSS -- Marc Boucher ++ - ULOG target for advanced logging -- Harald Welte ++- Minor const cleanups ++ [ Jan Echternach ] ++- iptables.8 updates ++ [ Harald Welte, Rusty ] ++- Better warnings for non-existant matches/missing libraries ++ [ Harald Welte ] ++- Improved isapplied script diff -Nru iptables-1.4.4/debian/patches/0200-libxt_length_man_typo.patch iptables-1.4.10/debian/patches/0200-libxt_length_man_typo.patch --- 
iptables-1.4.4/debian/patches/0200-libxt_length_man_typo.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/0200-libxt_length_man_typo.patch 2009-11-28 17:58:59.000000000 +0000
@@ -0,0 +1,11 @@
+Index: b/extensions/libxt_length.man
+===================================================================
+--- a/extensions/libxt_length.man 2009-11-28 12:55:48.104766607 -0500
++++ b/extensions/libxt_length.man 2009-11-28 12:58:39.258651778 -0500
+@@ -1,5 +1,5 @@
+ This module matches the length of the layer-3 payload (e.g. layer-4 packet)
+-f a packet against a specific value
++of a packet against a specific value
+ or range of values.
+ .TP
+ [\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP]
diff -Nru iptables-1.4.4/debian/patches/0300-iptables-apply.patch iptables-1.4.10/debian/patches/0300-iptables-apply.patch
--- iptables-1.4.4/debian/patches/0300-iptables-apply.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/0300-iptables-apply.patch 2010-06-12 17:25:23.000000000 +0000
@@ -0,0 +1,55 @@
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547734
+iptables-apply uses /etc/network/iptables as default rulefile and so ip6tables-apply does
+
+
+Index: b/iptables-apply
+===================================================================
+--- a/iptables-apply 2010-05-21 06:48:13.000000000 -0400
++++ b/iptables-apply 2010-06-12 13:25:20.321045229 -0400
+@@ -11,7 +11,6 @@
+ VERSION=1.0
+ 
+ TIMEOUT=10
+-DEFAULT_FILE=/etc/network/iptables
+ 
+ function blurb()
+ {
+@@ -87,6 +86,19 @@
+ shift
+ done
+ 
++case "$PROGNAME" in
++ (*6*)
++ SAVE=ip6tables-save
++ RESTORE=ip6tables-restore
++ DEFAULT_FILE=/etc/network/ip6tables
++ ;;
++ (*)
++ SAVE=iptables-save
++ RESTORE=iptables-restore
++ DEFAULT_FILE=/etc/network/iptables
++ ;;
++esac
++
+ FILE="${1:-$DEFAULT_FILE}";
+ 
+ if [[ -z "$FILE" ]]; then
+@@ -99,17 +111,6 @@
+ exit 2
+ fi
+ 
+-case "${0##*/}" in
+- (*6*)
+- SAVE=ip6tables-save
+- RESTORE=ip6tables-restore
+- ;;
+- (*)
+- SAVE=iptables-save
+- RESTORE=iptables-restore
+- ;;
+-esac
+-
+ COMMANDS=(tempfile "$SAVE" "$RESTORE")
+ 
+ for cmd in "${COMMANDS[@]}"; do
diff -Nru iptables-1.4.4/debian/patches/0600-makefile_jedi_handwaving.patch iptables-1.4.10/debian/patches/0600-makefile_jedi_handwaving.patch
--- iptables-1.4.4/debian/patches/0600-makefile_jedi_handwaving.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/0600-makefile_jedi_handwaving.patch 2010-11-12 21:51:28.000000000 +0000
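Review bot: The new dispatch at `case "$PROGNAME" in` depends on PROGNAME being assigned earlier in the script, which this hunk does not show; the code it replaces keyed on `${0##*/}` directly, and the top of iptables-apply is outside the hunk. If PROGNAME happens to be unset or set to something else, the `(*6*)` arm is never taken and ip6tables-apply silently falls through to `iptables-restore` with `/etc/network/iptables` — the same mismatch bug #547734 describes, now without any error. Writing the dispatch as `case "${PROGNAME:-${0##*/}}" in` keeps the old behaviour as a fallback and makes the branch independent of where PROGNAME is defined. Since the default rule file now varies with the program name, the usage text in `blurb()` (also outside this hunk) should state both `/etc/network/iptables` and `/etc/network/ip6tables` rather than a single default.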
@@ -0,0 +1,15 @@
+Author: ljlane
+Descripton: Add test and check targets to make /usr/bin/dh happy.
+
+Index: b/Makefile.am
+===================================================================
+--- a/Makefile.am 2010-05-21 06:48:13.000000000 -0400
++++ b/Makefile.am 2010-06-12 13:25:25.517044939 -0400
+@@ -99,3 +99,7 @@
+ for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done;
+ for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done;
+ for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done;
++
++test check:
++ echo "Are we on the air? Hello, Mom!"
++
diff -Nru iptables-1.4.4/debian/patches/9000-howtos.patch iptables-1.4.10/debian/patches/9000-howtos.patch
--- iptables-1.4.4/debian/patches/9000-howtos.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/9000-howtos.patch 2010-11-12 21:53:56.000000000 +0000
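Review bot: The added `test check:` target is not declared `.PHONY`, so a file or directory named `test` or `check` in the build tree would make `make` consider it up to date and skip the recipe entirely; it also replaces the `check` target automake would otherwise generate for this Makefile.am, which automake flags with a warning. Because the recipe is only an `echo`, `dh_auto_test` will always report success, which is acceptable only if the Makefile says so explicitly instead of a joke string — I would write it as `.PHONY: test check` / `test check:` / `@echo "iptables ships no test suite; target exists so dh_auto_test succeeds"`. The patch header's `Descripton:` should also read `Description:`, since DEP-3 tooling matches the field name exactly and will otherwise treat the patch as undescribed.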
@@ -0,0 +1,5760 @@ +Author: Soren Hansen <soren@ubuntu.com> +Description: Revert changes between 1.4.1.1-3 and 1.4.1.1-4, thus bringing back + the howtos. +Forwarded: no + +Index: iptables-1.4.10/Makefile.am +=================================================================== +--- iptables-1.4.10.orig/Makefile.am 2010-11-12 15:53:17.000000000 -0600 ++++ iptables-1.4.10/Makefile.am 2010-11-12 15:53:22.000000000 -0600 +@@ -4,7 +4,7 @@ + AUTOMAKE_OPTIONS = foreign subdir-objects + + AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS} +-SUBDIRS = extensions ++SUBDIRS = extensions howtos + if ENABLE_DEVEL + SUBDIRS += include + endif +Index: iptables-1.4.10/howtos/Makefile +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ iptables-1.4.10/howtos/Makefile 2010-11-12 15:53:22.000000000 -0600 +@@ -0,0 +1,10 @@ ++all: ++ for i in *.sgml; do sgml2html $$i; done ++ ++install: ++ for i in *.html; do install -D -m 0644 $$i ${DESTDIR}/howtos/$$i; done ++ ++clean: ++ -rm *.html ++ ++.PHONY: all clean install +Index: iptables-1.4.10/howtos/NAT-HOWTO.sgml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ iptables-1.4.10/howtos/NAT-HOWTO.sgml 2010-11-12 15:53:22.000000000 -0600 +@@ -0,0 +1,609 @@ ++<!doctype linuxdoc system> ++ ++<!-- This is the Linux NAT HOWTO. ++ --> ++ ++<!-- $Id: NAT-HOWTO.sgml,v 1.18 2002/01/14 09:35:13 laforge Exp $ --> ++ ++<article> ++ ++<!-- Title information --> ++ ++<title>Linux 2.4 NAT HOWTO ++<author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt> ++<date>$Revision: 1.18 $ $Date: 2002/01/14 09:35:13 $ ++<abstract> ++This document describes how to do masquerading, transparent proxying, ++port forwarding, and other forms of Network Address Translations with ++the 2.4 Linux Kernels. 
++</abstract> ++ ++<!-- Table of contents --> ++<toc> ++ ++<!-- Begin the document --> ++ ++<sect>Introduction<label id="intro"> ++ ++<p> ++Welcome, gentle reader. ++ ++<p> ++You are about to delve into the fascinating (and sometimes horrid) ++world of NAT: Network Address Translation, and this HOWTO is going to ++be your somewhat accurate guide to the 2.4 Linux Kernel and beyond. ++ ++<p>In Linux 2.4, an infrastructure for mangling packets was ++introduced, called `netfilter'. A layer on top of this provides NAT, ++completely reimplemented from previous kernels. ++ ++<p>(C) 2000 Paul `Rusty' Russell. Licensed under the GNU GPL. ++ ++<sect>Where is the official Web Site and List? ++ ++<p>There are three official sites: ++<itemize> ++<item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">. ++<item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">. ++<item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">. ++</itemize> ++ ++<p>You can reach all of them using round-robin DNS via ++<url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org/"> ++ ++<p>For the official netfilter mailing list, see ++<url url="http://www.netfilter.org/contact.html#list" name="netfilter List">. ++ ++<sect1>What is Network Address Translation? ++ ++<p> ++Normally, packets on a network travel from their source (such as your ++home computer) to their destination (such as www.gnumonks.org) ++through many different links: about 19 from where I am in Australia. ++None of these links really alter your packet: they just send it ++onward. ++ ++<p> ++If one of these links were to do NAT, then they would alter the source ++or destinations of the packet as it passes through. As you can ++imagine, this is not how the system was designed to work, and hence ++NAT is always something of a crock. 
Usually the link doing NAT will ++remember how it mangled a packet, and when a reply packet passes ++through the other way, it will do the reverse mangling on that reply ++packet, so everything works. ++ ++<sect1>Why Would I Want To Do NAT? ++ ++<p>In a perfect world, you wouldn't. Meanwhile, the main reasons are: ++ ++<descrip> ++<tag/Modem Connections To The Internet/ Most ISPs give you a single IP ++address when you dial up to them. You can send out packets with any ++source address you want, but only replies to packets with this source ++IP address will return to you. If you want to use multiple different ++machines (such as a home network) to connect to the Internet through ++this one link, you'll need NAT. ++ ++<p>This is by far the most common use of NAT today, commonly known as ++`masquerading' in the Linux world. I call this SNAT, because you ++change the <bf>source</bf> address of the first packet. ++ ++<tag/Multiple Servers/ Sometimes you want to change where packets ++heading into your network will go. Frequently this is because (as ++above), you have only one IP address, but you want people to be able ++to get into the boxes behind the one with the `real' IP address. If ++you rewrite the destination of incoming packets, you can manage this. ++This type of NAT was called port-forwarding under previous versions of ++Linux. ++ ++<p>A common variation of this is load-sharing, where the mapping ++ranges over a set of machines, fanning packets out to them. If you're ++doing this on a serious scale, you may want to look at ++ ++<url url="http://linuxvirtualserver.org/" name="Linux Virtual Server">. ++ ++<tag/Transparent Proxying/ Sometimes you want to pretend that each ++packet which passes through your Linux box is destined for a program ++on the Linux box itself. This is used to make transparent proxies: a ++proxy is a program which stands between your network and the outside ++world, shuffling communication between the two. 
The transparent part ++is because your network won't even know it's talking to a proxy, ++unless of course, the proxy doesn't work. ++ ++<p>Squid can be configured to work this way, and it is called ++redirection or transparent proxying under previous Linux versions. ++</descrip> ++ ++<sect>The Two Types of NAT ++ ++<p>I divide NAT into two different types: <bf>Source NAT</bf> (SNAT) ++and <bf>Destination NAT</bf> (DNAT). ++ ++<p>Source NAT is when you alter the source address of the first ++packet: i.e. you are changing where the connection is coming from. ++Source NAT is always done post-routing, just before the packet goes ++out onto the wire. Masquerading is a specialized form of SNAT. ++ ++<p>Destination NAT is when you alter the destination address of the ++first packet: i.e. you are changing where the connection is going to. ++Destination NAT is always done before routing, when the packet first ++comes off the wire. Port forwarding, load sharing, and transparent ++proxying are all forms of DNAT. ++ ++<sect>Quick Translation From 2.0 and 2.2 Kernels ++ ++<p>Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to ++2.2 (ipchains) transition. There's good and bad news. ++ ++<p>Firstly, you can simply use ipchains and ipfwadm as before. To do ++this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel ++modules found in the latest netfilter distribution. These are ++mutually exclusive (you have been warned), and should not be combined ++with any other netfilter modules. ++ ++<p>Once one of these modules is installed, you can use ipchains and ++ipfwadm as normal, with the following differences: ++ ++<itemize> ++<item> Setting the masquerading timeouts with ipchains -M -S, or ++ ipfwadm -M -s does nothing. Since the timeouts are longer for ++ the new NAT infrastructure, this should not matter. ++ ++<item> The init_seq, delta and previous_delta fields in the verbose ++ masquerade listing are always zero. 
++ ++<item> Zeroing and listing the counters at the same time `-Z -L' does ++ not work any more: the counters will not be zeroed. ++ ++<item> The backward compatibility layer doesn't scale very well for ++ large numbers of connections: don't use it for your corporate ++ gateway! ++</itemize> ++ ++Hackers may also notice: ++ ++<itemize> ++<item> You can now bind to ports 61000-65095 even if you're ++ masquerading. The masquerading code used to assume anything ++ in this range was fair game, so programs couldn't use it. ++ ++<item> The (undocumented) `getsockname' hack, which transparent proxy ++ programs could use to find out the real destinations of ++ connections no longer works. ++ ++<item> The (undocumented) bind-to-foreign-address hack is also not ++ implemented; this was used to complete the illusion of ++ transparent proxying. ++ ++</itemize> ++ ++<sect1> I just want masquerading! Help! ++ ++<p>This is what most people want. If you have a dynamically allocated ++IP PPP dialup (if you don't know, this is you), you simply want to ++tell your box that all packets coming from your internal network ++should be made to look like they are coming from the PPP dialup box. ++ ++<tscreen><verb> ++# Load the NAT module (this pulls in all the others). ++modprobe iptable_nat ++ ++# In the NAT table (-t nat), Append a rule (-A) after routing ++# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to ++# MASQUERADE the connection (-j MASQUERADE). ++iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE ++ ++# Turn on IP forwarding ++echo 1 > /proc/sys/net/ipv4/ip_forward ++</verb></tscreen> ++ ++Note that you are not doing any packet filtering here: for that, see ++the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'. ++ ++<sect1> What about ipmasqadm? ++ ++<p>This is a much more niche user base, so I didn't worry about ++backward compatibility as much. You can simply use `iptables -t nat' ++to do port forwarding. 
So for example, in Linux 2.2 you might have ++done: ++ ++<tscreen><verb> ++# Linux 2.2 ++# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80 ++ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80 ++</verb></tscreen> ++ ++Now you would do: ++ ++<tscreen><verb> ++# Linux 2.4 ++# Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that ++# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080) ++# have their destination mapped (-j DNAT) to 192.168.1.1, port 80 ++# (--to 192.168.1.1:80). ++iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \ ++ -j DNAT --to 192.168.1.1:80 ++</verb></tscreen> ++ ++<sect>Controlling What To NAT ++ ++<p>You need to create NAT rules which tell the kernel what connections ++to change, and how to change them. To do this, we use the very ++versatile <tt>iptables</tt> tool, and tell it to alter the NAT table by ++specifying the `-t nat' option. ++ ++<p>The table of NAT rules contains three lists called `chains': each ++rule is examined in order until one matches. The two chains are ++called PREROUTING (for Destination NAT, as packets first come in), and ++POSTROUTING (for Source NAT, as packets leave). The third (OUTPUT) ++will be ignored here. ++ ++<p>The following diagram would illustrate it quite well if I had any ++artistic talent: ++ ++<tscreen><verb> ++ _____ _____ ++ / \ / \ ++ PREROUTING -->[Routing ]----------------->POSTROUTING-----> ++ \D-NAT/ [Decision] \S-NAT/ ++ | ^ ++ | | ++ | | ++ | | ++ | | ++ | | ++ | | ++ --------> Local Process ------ ++</verb></tscreen> ++ ++At each of the points above, when a packet passes we look up what ++connection it is associated with. If it's a new connection, we look ++up the corresponding chain in the NAT table to see what to do with it. ++The answer it gives will apply to all future packets on that ++connection. 
++ ++<sect1>Simple Selection using iptables ++ ++<p><tt>iptables</tt> takes a number of standard options as listed ++below. All the double-dash options can be abbreviated, as long as ++<tt>iptables</tt> can still tell them apart from the other possible ++options. If your kernel has iptables support as a module, you'll need ++to load the ip_tables.o module first: `insmod ip_tables'. ++ ++<p>The most important option here is the table selection option, `-t'. ++For all NAT operations, you will want to use `-t nat' for the NAT ++table. The second most important option to use is `-A' to append a ++new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to ++insert one at the beginning (e.g. `-I PREROUTING'). ++ ++<p>You can specify the source (`-s' or `--source') and destination ++(`-d' or `--destination') of the packets you want to NAT. These ++options can be followed by a single IP address (e.g. 192.168.1.1), a ++name (e.g. www.gnumonks.org), or a network address ++(e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0). ++ ++<p>You can specify the incoming (`-i' or `--in-interface') or outgoing ++(`-o' or `--out-interface') interface to match, but which you can ++specify depends on which chain you are putting the rule into: at ++PREROUTING you can only select incoming interface, and at POSTROUTING ++you can only select outgoing interface. If you use the ++wrong one, <tt>iptables</tt> will give an error. ++ ++<sect1>Finer Points Of Selecting What Packets To Mangle ++ ++<p>I said above that you can specify a source and destination address. ++If you omit the source address option, then any source address will ++do. If you omit the destination address option, then any destination ++address will do. ++ ++<p>You can also indicate a specific protocol (`-p' or `--protocol'), ++such as TCP or UDP; only packets of this protocol will match the rule. 
++The main reason for doing this is that specifying a protocol of tcp or ++udp then allows extra options: specifically the `--source-port' and ++`--destination-port' options (abbreviated as `--sport' and `--dport'). ++ ++<p>These options allow you to specify that only packets with a certain ++source and destination port will match the rule. This is useful for ++redirecting web requests (TCP port 80 or 8080) and leaving other ++packets alone. ++ ++<p>These options must follow the `-p' option (which has a side-effect ++of loading the shared library extension for that protocol). You can ++use port numbers, or a name from the /etc/services file. ++ ++<p>All the different qualities you can select a packet by are detailed ++in painful detail in the manual page (<tt>man iptables</tt>). ++ ++<sect>Saying How To Mangle The Packets ++ ++<p>So now we know how to select the packets we want to mangle. To ++complete our rule, we need to tell the kernel exactly what we want it ++to do to the packets. ++ ++<sect1>Source NAT ++ ++<p>You want to do Source NAT; change the source address of connections ++to something different. This is done in the POSTROUTING chain, just ++before it is finally sent out; this is an important detail, since it ++means that anything else on the Linux box itself (routing, packet ++filtering) will see the packet unchanged. It also means that the `-o' ++(outgoing interface) option can be used. ++ ++<p>Source NAT is specified using `-j SNAT', and the `--to-source' ++option specifies an IP address, a range of IP addresses, and an ++optional port or range of ports (for UDP and TCP protocols only). ++ ++<tscreen><verb> ++## Change source addresses to 1.2.3.4. 
++# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 ++ ++## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 ++# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 ++ ++## Change source addresses to 1.2.3.4, ports 1-1023 ++# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 ++</verb></tscreen> ++ ++<sect2>Masquerading ++ ++<p>There is a specialized case of Source NAT called masquerading: it ++should only be used for dynamically-assigned IP addresses, such as ++standard dialups (for static IP addresses, use SNAT above). ++ ++<p>You don't need to put in the source address explicitly with ++masquerading: it will use the source address of the interface the ++packet is going out from. But more importantly, if the link goes ++down, the connections (which are now lost anyway) are forgotten, ++meaning fewer glitches when connection comes back up with a new IP ++address. ++ ++<tscreen><verb> ++## Masquerade everything out ppp0. ++# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE ++</verb></tscreen> ++ ++<sect1>Destination NAT ++ ++<p>This is done in the PREROUTING chain, just as the packet comes in; ++this means that anything else on the Linux box itself (routing, packet ++filtering) will see the packet going to its `real' destination. It ++also means that the `-i' (incoming interface) option can be used. ++ ++<p>Destination NAT is specified using `-j DNAT', and the ++`--to-destination' option specifies an IP address, a range of IP ++addresses, and an optional port or range of ports (for UDP and TCP ++protocols only). ++ ++<tscreen><verb> ++## Change destination addresses to 5.6.7.8 ++# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8 ++ ++## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. ++# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 ++ ++## Change destination addresses of web traffic to 5.6.7.8, port 8080. 
++# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \ ++ -j DNAT --to 5.6.7.8:8080 ++</verb></tscreen> ++ ++<sect2>Redirection ++ ++<p>There is a specialized case of Destination NAT called redirection: ++it is a simple convenience which is exactly equivalent to doing DNAT ++to the address of the incoming interface. ++ ++<tscreen><verb> ++## Send incoming port-80 web traffic to our squid (transparent) proxy ++# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ ++ -j REDIRECT --to-port 3128 ++</verb></tscreen> ++ ++Note that squid needs to be configured to know it's a transparent proxy! ++ ++<sect1>Mappings In Depth ++ ++<p>There are some subtleties to NAT which most people will never have ++to deal with. They are documented here for the curious. ++ ++<sect2>Selection Of Multiple Addresses in a Range ++ ++<p>If a range of IP addresses is given, the IP address to use is ++chosen based on the least currently used IP for connections the ++machine knows about. This gives primitive load-balancing. ++ ++<sect2>Creating Null NAT Mappings ++ ++<p>You can use the `-j ACCEPT' target to let a connection through ++without any NAT taking place. ++ ++<sect2>Standard NAT Behavior ++ ++<p>The default behavior is to alter the connection as little as ++possible, within the constraints of the rule given by the user. This ++means we won't remap ports unless we have to. ++ ++<sect2>Implicit Source Port Mapping ++ ++<p>Even when no NAT is requested for a connection, source port ++translation may occur implicitly, if another connection has been ++mapped over the new one. Consider the case of masquerading, which ++is rather common: ++ ++<enum> ++<item> A web connection is established by a box 192.1.1.1 from port ++ 1024 to www.netscape.com port 80. ++ ++<item> This is masqueraded by the masquerading box to use its source ++ IP address (1.2.3.4). 
++ ++<item> The masquerading box tries to make a web connection to ++ www.netscape.com port 80 from 1.2.3.4 (its external interface ++ address) port 1024. ++ ++<item> The NAT code will alter the source port of the second ++ connection to 1025, so that the two don't clash. ++</enum> ++ ++<p>When this implicit source mapping occurs, ports are divided into ++three classes: ++<itemize> ++<item> Ports below 512 ++<item> Ports between 512 and 1023 ++<item> Ports 1024 and above. ++</itemize> ++ ++A port will never be implicitly mapped into a different class. ++ ++<sect2>What Happens When NAT Fails ++ ++<p>If there is no way to uniquely map a connection as the user ++requests, it will be dropped. This also applies to packets which ++could not be classified as part of any connection, because they are ++malformed, or the box is out of memory, etc. ++ ++<sect2>Multiple Mappings, Overlap and Clashes ++ ++<p>You can have NAT rules which map packets onto the same range; the ++NAT code is clever enough to avoid clashes. Hence having two rules ++which map the source address 192.168.1.1 and 192.168.1.2 respectively ++onto 1.2.3.4 is fine. ++ ++<p>Furthermore, you can map over real, used IP addresses, as long as ++those addresses pass through the mapping box as well. So if you have ++an assigned network (1.2.3.0/24), but have one internal network using ++those addresses and one using the Private Internet Addresses ++192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses ++onto the 1.2.3.0 network, without fear of clashing: ++ ++<tscreen><verb> ++# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \ ++ -j SNAT --to 1.2.3.0/24 ++</verb></tscreen> ++ ++<p>The same logic applies to addresses used by the NAT box itself: ++this is how masquerading works (by sharing the interface address ++between masqueraded packets and `real' packets coming from the box ++itself). ++ ++<p>Moreover, you can map the same packets onto many different targets, ++and they will be shared. 
For example, if you don't want to map ++anything over 1.2.3.5, you could do: ++ ++<tscreen><verb> ++# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \ ++ -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254 ++</verb></tscreen> ++ ++<sect2>Altering the Destination of Locally-Generated Connections ++ ++<p>The NAT code allows you to insert DNAT rules in the OUTPUT chain, ++but this is not fully supported in 2.4 (it can be, but it requires a ++new configuration option, some testing, and a fair bit of coding, so ++unless someone contracts Rusty to write it, I wouldn't expect it ++soon). ++ ++<p>The current limitation is that you can only change the destination ++to the local machine (e.g. `j DNAT --to 127.0.0.1'), not to any other ++machine, otherwise the replies won't be translated correctly. ++ ++<sect>Special Protocols ++ ++<p>Some protocols do not like being NAT'ed. For each of these ++protocols, two extensions must be written; one for the connection ++tracking of the protocol, and one for the actual NAT. ++ ++<p>Inside the netfilter distribution, there are currently modules for ++ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into ++your kernel (or you compile them in permanently), then doing any kind ++of NAT on ftp connections should work. If you don't, then you can ++only use passive ftp, and even that might not work reliably if you're ++doing more than simple Source NAT. ++ ++<sect>Caveats on NAT ++ ++<p>If you are doing NAT on a connection, all packets passing ++<bf>both</bf> ways (in and out of the network) must pass through the ++NAT'ed box, otherwise it won't work reliably. In particular, the ++connection tracking code reassembles fragments, which means that not ++only will connection tracking not be reliable, but your packets may ++not get through at all, as fragments will be withheld. 
++ ++<sect>Source NAT and Routing ++ ++<p>If you are doing SNAT, you will want to make sure that every ++machine the SNAT'ed packets goes to will send replies back to the NAT ++box. For example, if you are mapping some outgoing packets onto the ++source address 1.2.3.4, then the outside router must know that it is ++to send reply packets (which will have <bf>destination</bf> 1.2.3.4) ++back to this box. This can be done in the following ways: ++ ++<enum> ++<item> If you are doing SNAT onto the box's own address (for which ++ routing and everything already works), you don't need to do ++ anything. ++ ++<item> If you are doing SNAT onto an unused address on the local LAN ++ (for example, you're mapping onto 1.2.3.99, a free IP on your ++ 1.2.3.0/24 network), your NAT box will need to respond to ARP ++ requests for that address as well as its own: the easiest way ++ to do this is create an IP alias, e.g.: ++<tscreen><verb> ++# ip address add 1.2.3.99 dev eth0 ++</verb></tscreen> ++ ++<item> If you are doing SNAT onto a completely different address, you ++ will have to ensure that the machines the SNAT packets will hit ++ will route this address back to the NAT box. This is already ++ achieved if the NAT box is their default gateway, otherwise you ++ will need to advertise a route (if running a routing protocol) ++ or manually add routes to each machine involved. ++</enum> ++ ++<sect>Destination NAT Onto the Same Network ++ ++<p>If you are doing port forwarding back onto the same network, you ++need to make sure that both future packets and reply packets pass ++through the NAT box (so they can be altered). The NAT code will now ++(since 2.4.0-test6), block the outgoing ICMP redirect which is ++produced when the NAT'ed packet heads out the same interface it came ++in on, but the receiving server will still try to reply directly to ++the client (which won't recognize the reply). 
++
++<p>The classic case is that internal staff try to access your `public'
++web server, which is actually DNAT'ed from the public address
++(1.2.3.4) to an internal machine (192.168.1.1), like so:
++
++<tscreen><verb>
++# iptables -t nat -A PREROUTING -d 1.2.3.4 \
++ -p tcp --dport 80 -j DNAT --to 192.168.1.1
++</verb></tscreen>
++
++<p>One way is to run an internal DNS server which knows the real
++(internal) IP address of your public web site, and forward all other
++requests to an external DNS server. This means that the logging on
++your web server will show the internal IP addresses correctly.
++
++<p>The other way is to have the NAT box also map the source IP address
++to its own for these connections, fooling the server into replying
++through it. In this example, we would do the following (assuming the
++internal IP address of the NAT box is 192.168.1.250):
++
++<tscreen><verb>
++# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
++ -p tcp --dport 80 -j SNAT --to 192.168.1.250
++</verb></tscreen>
++
++Because the <bf>PREROUTING</bf> rule gets run first, the packets will
++already be destined for the internal web server: we can tell which
++ones are internally sourced by the source IP addresses.
++
++<sect>Thanks
++
++<p>Thanks first to WatchGuard, and David Bonn, who believed in the
++netfilter idea enough to support me while I worked on it.
++
++<p>And to everyone else who put up with my ranting as I learnt about
++the ugliness of NAT, especially those who read my diary.
++
++<p>Rusty.
++</article>
+Index: iptables-1.4.10/howtos/netfilter-extensions-HOWTO.sgml
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ iptables-1.4.10/howtos/netfilter-extensions-HOWTO.sgml 2010-11-12 15:53:22.000000000 -0600
+@@ -0,0 +1,1781 @@
++<!doctype linuxdoc system>
++
++<!-- This is the Netfilter Extensions HOWTO.
++ -->
++
++<article>
++
++<!-- Title information -->
++
++<title>Netfilter Extensions HOWTO
++Fabrice MARIE <fabrice@netfilter.org>, mailing list netfilter-devel@lists.samba.org
++$Revision: 1.28 $
++
++This document describes how to install and use current iptables extensions for netfilter.
++
++
++
++
++
++
++
++Introduction
+Index: iptables-1.4.10/howtos/netfilter-hacking-HOWTO.sgml
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ iptables-1.4.10/howtos/netfilter-hacking-HOWTO.sgml 2010-11-12 15:53:22.000000000 -0600
+@@ -0,0 +1,1978 @@
++
++
++
++
++
++
++
++ ++ ++ ++Linux netfilter Hacking HOWTO ++<author>Rusty Russell and Harald Welte, mailing list <tt>netfilter@lists.samba.org</tt> ++<date>$Revision: 1.14 $ $Date: 2002/07/02 04:07:19 $ ++<abstract> ++This document describes the netfilter architecture for Linux, how to ++hack it, and some of the major systems which sit on top of it, such as ++packet filtering, connection tracking and Network Address Translation. ++</abstract> ++ ++<!-- Table of contents --> ++<toc> ++ ++<!-- Begin the document --> ++ ++<sect>Introduction<label id="intro"> ++ ++<p> ++Hi guys. ++ ++<p> ++This document is a journey; some parts are well-traveled, and in ++other areas you will find yourself almost alone. The best advice I ++can give you is to grab a large, cozy mug of coffee or hot chocolate, ++get into a comfortable chair, and absorb the contents before venturing ++out into the sometimes dangerous world of network hacking. ++ ++<p>For more understanding of the use of the infrastructure on top of ++the netfilter framework, I recommend reading the Packet Filtering ++HOWTO and the NAT HOWTO. For information on kernel programming I ++suggest Rusty's Unreliable Guide to Kernel Hacking and Rusty's ++Unreliable Guide to Kernel Locking. ++ ++<p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL. ++ ++<sect1>What is netfilter? ++ ++<p> ++netfilter is a framework for packet mangling, outside the normal ++Berkeley socket interface. It has four parts. Firstly, each protocol ++defines "hooks" (IPv4 defines 5) which are well-defined points in a ++packet's traversal of that protocol stack. At each of these points, ++the protocol will call the netfilter framework with the packet and the ++hook number. ++ ++<p> ++Secondly, parts of the kernel can register to listen to the different ++hooks for each protocol. 
So when a packet is passed to the netfilter ++framework, it checks to see if anyone has registered for that protocol ++and hook; if so, they each get a chance to examine (and possibly ++alter) the packet in order, then discard the packet ++(<tt>NF_DROP</tt>), allow it to pass (<tt>NF_ACCEPT</tt>), tell ++netfilter to forget about the packet (<tt>NF_STOLEN</tt>), or ask ++netfilter to queue the packet for userspace (<tt>NF_QUEUE</tt>). ++ ++<p> ++The third part is that packets that have been queued are collected (by ++the ip_queue driver) for sending to userspace; these packets are ++handled asynchronously. ++ ++<p> ++The final part consists of cool comments in the code and ++documentation. This is instrumental for any experimental project. ++The netfilter motto is (stolen shamelessly from Cort Dougan): ++ ++<tscreen><verb> ++ ``So... how is this better than KDE?'' ++</verb></tscreen> ++ ++<p>(This motto narrowly edged out `Whip me, beat me, make me use ++ipchains'). ++ ++<p> ++In addition to this raw framework, various modules have been written ++which provide functionality similar to previous (pre-netfilter) ++kernels, in particular, an extensible NAT system, and an extensible ++packet filtering system (iptables). ++ ++<sect1>What's wrong with what we had in 2.0 and 2.2? ++ ++<p> ++<enum> ++<item>No infrastructure established for passing packet to userspace: ++<itemize> ++<item>Kernel coding is hard ++<item>Kernel coding must be done in C/C++ ++<item>Dynamic filtering policies do not belong in kernel ++<item> 2.2 introduced copying packets to userspace via netlink, but ++ reinjecting packets is slow, and subject to `sanity' checks. ++ For example, reinjecting packet claiming to come from an ++ existing interface is not possible. 
++</itemize> ++ ++<item>Transparent proxying is a crock: ++ ++<itemize> ++ ++<item> We look up <bf>every</bf> packet to see if there is a socket ++bound to that address ++ ++<item> Root is allowed to bind to foreign addresses ++ ++<item> Can't redirect locally-generated packets ++ ++<item> REDIRECT doesn't handle UDP replies: redirecting UDP named ++packets to 1153 doesn't work because some clients don't like replies ++coming from anything other than port 53. ++ ++<item> REDIRECT doesn't coordinate with tcp/udp port allocation: a ++user may get a port shadowed by a REDIRECT rule. ++ ++<item>Has been broken at least twice during 2.1 series. ++ ++<item>Code is extremely intrusive. Consider the stats on the number ++of #ifdef CONFIG_IP_TRANSPARENT_PROXY in 2.2.1: 34 occurrences in 11 ++files. Compare this with CONFIG_IP_FIREWALL, which has 10 occurrences ++in 5 files. ++</itemize> ++ ++<item>Creating packet filter rules independent of interface addresses ++ is not possible: ++ ++<itemize> ++<item>Must know local interface addresses to distinguish ++locally-generated or locally-terminating packets from through ++packets. ++ ++<item>Even that is not enough in cases of redirection or ++masquerading. ++ ++<item>Forward chain only has information on outgoing interface, ++meaning you have to figure where a packet came from using knowledge of ++the network topography. ++</itemize> ++ ++<item>Masquerading is tacked onto packet filtering:<p> ++ Interactions between packet filtering and masquerading make firewalling ++ complex: ++<itemize> ++<item>At input filtering, reply packets appear to be destined for box itself ++<item>At forward filtering, demasqueraded packets are not seen at all ++<item>At output filtering, packets appear to come from local box ++</itemize> ++ ++<item>TOS manipulation, redirect, ICMP unreachable and mark (which can ++effect port forwarding, routing, and QoS) are tacked onto packet ++filter code as well. 
++ ++<item>ipchains code is neither modular, nor extensible (eg. MAC ++address filtering, options filtering, etc). ++ ++<item>Lack of sufficient infrastructure has led to a profusion of ++different techniques: ++<itemize> ++<item>Masquerading, plus per-protocol modules ++<item>Fast static NAT by routing code (doesn't have per-protocol handling) ++<item>Port forwarding, redirect, auto forwarding ++<item>The Linux NAT and Virtual Server Projects. ++</itemize> ++ ++<item>Incompatibility between CONFIG_NET_FASTROUTE and packet filtering: ++<itemize> ++<item>Forwarded packets traverse three chains anyway ++<item>No way to tell if these chains can be bypassed ++</itemize> ++ ++<item>Inspection of packets dropped due to routing protection ++(eg. Source Address Verification) not possible. ++ ++<item>No way of atomically reading counters on packet filter rules. ++ ++<item>CONFIG_IP_ALWAYS_DEFRAG is a compile-time option, making life ++difficult for distributions who want one general-purpose kernel. ++ ++</enum> ++ ++<sect1>Who are you? ++ ++<p> ++I'm the only one foolish enough to do this. As ipchains co-author and ++current Linux Kernel IP Firewall maintainer, I see many of the ++problems that people have with the current system, as well as getting ++exposure to what they are trying to do. ++ ++<sect1>Why does it crash? ++ ++<p> ++Woah! You should have seen it <bf>last</bf> week! ++ ++<p> ++Because I'm not as great a programmer as we might all wish, and I ++certainly haven't tested all scenarios, because of lack of time, ++equipment and/or inspiration. I do have a testsuite, which I ++encourage you to contribute to. ++ ++<sect>Where Can I Get The Latest? ++ ++<p>There is a CVS server on netfilter.org which contains the latest ++HOWTOs, userspace tools and testsuite. For casual browsing, you ++can use the ++<url url="http://cvs.netfilter.org/" name="Web Interface">. 
++ ++To grab the latest sources, you can do the following: ++ ++<enum> ++<item> Log in to the netfilter CVS server anonymously: ++<tscreen><verb> ++cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login ++</verb></tscreen> ++<item> When it asks you for a password type `cvs'. ++<item> Check out the code using: ++<tscreen><verb> ++# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace ++</verb></tscreen> ++<item> To update to the latest version, use ++<tscreen><verb> ++cvs update -d -P ++</verb></tscreen> ++</enum> ++ ++<sect>Netfilter Architecture ++ ++<p>Netfilter is merely a series of hooks in various points in a ++protocol stack (at this stage, IPv4, IPv6 and DECnet). The ++(idealized) IPv4 traversal diagram looks like the following: ++ ++<tscreen><verb> ++A Packet Traversing the Netfilter System: ++ ++ --->[1]--->[ROUTE]--->[3]--->[4]---> ++ | ^ ++ | | ++ | [ROUTE] ++ v | ++ [2] [5] ++ | ^ ++ | | ++ v | ++</verb></tscreen><label id="netfilter-traversal"> ++ ++On the left is where packets come in: having passed the simple sanity ++checks (i.e., not truncated, IP checksum OK, not a promiscuous receive), ++they are passed to the netfilter framework's NF_IP_PRE_ROUTING [1] hook. ++ ++<p> ++Next they enter the routing code, which decides whether the packet is ++destined for another interface, or a local process. The routing code ++may drop packets that are unroutable. ++ ++<p> ++If it's destined for the box itself, the netfilter framework is called ++again for the NF_IP_LOCAL_IN [2] hook, before being passed to the ++process (if any). ++ ++<p> ++If it's destined to pass to another interface instead, the netfilter ++framework is called for the NF_IP_FORWARD [3] hook. ++ ++<p> ++The packet then passes a final netfilter hook, the NF_IP_POST_ROUTING ++[4] hook, before being put on the wire again. ++ ++<p> ++The NF_IP_LOCAL_OUT [5] hook is called for packets that are created ++locally. 
Here you can see that routing occurs after this hook is ++called: in fact, the routing code is called first (to figure out the ++source IP address and some IP options): if you want to alter the ++routing, you must alter the `skb->dst' field yourself, as is done in ++the NAT code. ++ ++<sect1>Netfilter Base ++<p> ++Now we have an example of netfilter for IPv4, you can see when each ++hook is activated. This is the essence of netfilter. ++ ++<p> ++Kernel modules can register to listen at any of these hooks. A module ++that registers a function must specify the priority of the function ++within the hook; then when that netfilter hook is called from the core ++networking code, each module registered at that point is called in the ++order of priorites, and is free to manipulate the packet. The ++module can then tell netfilter to do one of five things: ++ ++<enum> ++<item> NF_ACCEPT: continue traversal as normal. ++<item> NF_DROP: drop the packet; don't continue traversal. ++<item> NF_STOLEN: I've taken over the packet; don't continue traversal. ++<item> NF_QUEUE: queue the packet (usually for userspace handling). ++<item> NF_REPEAT: call this hook again. ++</enum> ++ ++<p> ++The other parts of netfilter (handling queued packets, cool comments) ++will be covered in the kernel section later. ++ ++<p> ++Upon this foundation, we can build fairly complex packet ++manipulations, as shown in the next two sections. ++ ++<sect1>Packet Selection: IP Tables ++<p> ++A packet selection system called IP Tables has been built over the ++netfilter framework. It is a direct descendent of ipchains (that came ++from ipfwadm, that came from BSD's ipfw IIRC), with extensibility. ++Kernel modules can register a new table, and ask for a packet to ++traverse a given table. This packet selection method is used for ++packet filtering (the `filter' table), Network Address Translation ++(the `nat' table) and general pre-route packet mangling (the `mangle' ++table). 
++ ++<p>The hooks that are registered with netfilter are as follows (with ++the functions in each hook in the order that they are actually ++called): ++ ++<tscreen><verb> ++ ++ --->PRE------>[ROUTE]--->FWD---------->POST------> ++ Conntrack | Mangle ^ Mangle ++ Mangle | Filter | NAT (Src) ++ NAT (Dst) | | Conntrack ++ (QDisc) | [ROUTE] ++ v | ++ IN Filter OUT Conntrack ++ | Conntrack ^ Mangle ++ | Mangle | NAT (Dst) ++ v | Filter ++</verb></tscreen> ++ ++<sect2>Packet Filtering ++ ++<p> ++This table, `filter', should never alter packets: only filter them. ++ ++<p> ++One of the advantages of iptables filter over ipchains is that it is ++small and fast, and it hooks into netfilter at the NF_IP_LOCAL_IN, ++NF_IP_FORWARD and NF_IP_LOCAL_OUT points. This means that for any ++given packet, there is one (and only one) possible place to filter it. ++This makes things much simpler for users than ipchains was. Also, the ++fact that the netfilter framework provides both the input and output ++interfaces for the NF_IP_FORWARD hook means that many kinds of ++filtering are far simpler. ++ ++<p> ++Note: I have ported the kernel portions of both ipchains and ipfwadm ++as modules on top of netfilter, enabling the use of the old ipfwadm ++and ipchains userspace tools without requiring an upgrade. ++ ++<sect2>NAT ++ ++<p> ++This is the realm of the `nat' table, which is fed packets from two ++netfilter hooks: for non-local packets, the NF_IP_PRE_ROUTING and ++NF_IP_POST_ROUTING hooks are perfect for destination and source ++alterations respectively. If CONFIG_IP_NF_NAT_LOCAL is defined, the ++hooks NF_IP_LOCAL_OUT and NF_IP_LOCAL_IN are used for altering the ++destination of local packets. ++ ++<p> ++This table is slightly different from the `filter' table, in that only ++the first packet of a new connection will traverse the table: the ++result of this traversal is then applied to all future packets in the ++same connection. 
++ ++<sect3>Masquerading, Port Forwarding, Transparent Proxying ++ ++<p>I divide NAT into Source NAT (where the first packet has its source ++altered), and Destination NAT (the first packet has its destination ++altered). ++ ++<p>Masquerading is a special form of Source NAT: port forwarding and ++transparent proxying are special forms of Destination NAT. These are ++now all done using the NAT framework, rather than being independent ++entities. ++ ++<sect2>Packet Mangling ++ ++<p>The packet mangling table (the `mangle' table) is used for actual ++changing of packet information. Example applications are the TOS and ++TCPMSS targets. The mangle table hooks into all five netfilter hooks. ++(please note this changed with kernel 2.4.18. Previous kernels didn't ++have mangle attached to all hooks) ++ ++<sect1>Connection Tracking ++<p> ++Connection tracking is fundamental to NAT, but it is implemented as a ++separate module; this allows an extension to the packet filtering code ++to simply and cleanly use connection tracking (the `state' module). ++ ++<sect1>Other Additions ++ ++<p>The new flexibility provides both the opportunity to do really ++funky things, but for people to write enhancements or complete ++replacements that can be mixed and matched. ++ ++<sect>Information for Programmers ++ ++<p>I'll let you in on a secret: my pet hamster did all the coding. I ++was just a channel, a `front' if you will, in my pet's grand plan. ++So, don't blame me if there are bugs. Blame the cute, furry one. ++ ++<sect1>Understanding ip_tables ++ ++<p>iptables simply provides a named array of rules in memory (hence ++the name `iptables'), and such information as where packets from each ++hook should begin traversal. After a table is registered, userspace ++can read and replace its contents using getsockopt() and setsockopt(). 
++ ++<p>iptables does not register with any netfilter hooks: it relies on ++other modules to do that and feed it the packets as appropriate; a ++module must register the netfilter hooks and ip_tables separately, and ++provide the mechanism to call ip_tables when the hook is reached. ++ ++<sect2> ip_tables Data Structures ++ ++<p>For convenience, the same data structure is used to represent a ++rule by userspace and within the kernel, although a few fields are ++only used inside the kernel. ++ ++<p>Each rule consists of the following parts: ++<enum> ++<item> A `struct ipt_entry'. ++<item> Zero or more `struct ipt_entry_match' structures, each with a ++ variable amount (0 or more bytes) of data appended to it. ++<item> A `struct ipt_entry_target' structure, with a variable amount ++ (0 or more bytes) of data appended to it. ++</enum> ++ ++The variable nature of the rule gives a huge amount of flexibility for ++extensions, as we'll see, especially as each match or target can carry ++an arbitrary amount of data. This does create a few traps, however: ++we have to watch out for alignment. We do this by ensuring that the ++`ipt_entry', `ipt_entry_match' and `ipt_entry_target' structures are ++conveniently sized, and that all data is rounded up to the maximal ++alignment of the machine using the IPT_ALIGN() macro. ++ ++<p> ++The `struct ipt_entry' has the following fields: ++<enum> ++<item> A `struct ipt_ip' part, containing the specifications for the ++IP header that it is to match. ++ ++<item> An `nf_cache' bitfield showing what parts of the packet this ++rule examined. ++ ++<item> A `target_offset' field indicating the offset from the ++beginning of this rule where the ipt_entry_target structure begins. ++This should always be aligned correctly (with the IPT_ALIGN macro). ++ ++<item> A `next_offset' field indicating the total size of this rule, ++including the matches and target. This should also be aligned ++correctly using the IPT_ALIGN macro. 
++ ++<item> A `comefrom' field used by the kernel to track packet ++traversal. ++ ++<item> A `struct ipt_counters' field containing the packet and byte ++counters for packets which matched this rule. ++</enum> ++ ++<p> ++The `struct ipt_entry_match' and `struct ipt_entry_target' are very ++similar, in that they contain a total (IPT_ALIGN'ed) length field ++(`match_size' and `target_size' respectively) and a union holding the ++name of the match or target (for userspace), and a pointer (for the ++kernel). ++ ++<p> ++Because of the tricky nature of the rule data structure, some helper ++routines are provided: ++ ++<descrip> ++<tag>ipt_get_target()</tag> This inline function returns a pointer to ++the target of a rule. ++ ++<tag>IPT_MATCH_ITERATE()</tag> This macro calls the given function for ++every match in the given rule. The function's first argument is the ++`struct ipt_match_entry', and other arguments (if any) are those ++supplied to the IPT_MATCH_ITERATE() macro. The function must return ++either zero for the iteration to continue, or a non-zero value to ++stop. ++ ++<tag>IPT_ENTRY_ITERATE()</tag> This function takes a pointer to an ++entry, the total size of the table of entries, and a function to call. ++The functions first argument is the `struct ipt_entry', and other ++arguments (if any) are those supplied to the IPT_ENTRY_ITERATE() ++macro. The function must return either zero for the iteration to ++continue, or a non-zero value to stop. ++</descrip> ++ ++<sect2>ip_tables From Userspace ++ ++<p>Userspace has four operations: it can read the current table, read ++the info (hook positions and size of table), replace the table (and ++grab the old counters), and add in new counters. ++ ++<p>This allows any atomic operation to be simulated by userspace: this ++is done by the libiptc library, which provides convenience ++"add/delete/replace" semantics for programs. 
++ ++<p>Because these tables are transferred into kernel space, alignment ++becomes an issue for machines which have different userspace and ++kernelspace type rules (eg. Sparc64 with 32-bit userland). These ++cases are handled by overriding the definition of IPT_ALIGN for these ++platforms in `libiptc.h'. ++ ++<sect2> ip_tables Use And Traversal ++ ++<p>The kernel starts traversing at the location indicated by the ++particular hook. That rule is examined, if the `struct ipt_ip' ++elements match, each `struct ipt_entry_match' is checked in turn (the ++match function associated with that match is called). If the match ++function returns 0, iteration stops on that rule. If it sets the ++`hotdrop' parameter to 1, the packet will also be immediately dropped ++(this is used for some suspicious packets, such as in the tcp match ++function). ++ ++<p>If the iteration continues to the end, the counters are ++incremented, the `struct ipt_entry_target' is examined: if it's a ++standard target, the `verdict' field is read (negative means a packet ++verdict, positive means an offset to jump to). If the answer is ++positive and the offset is not that of the next rule, the `back' ++variable is set, and the previous `back' value is placed in that ++rule's `comefrom' field. ++ ++<p>For non-standard targets, the target function is called: it returns ++a verdict (non-standard targets can't jump, as this would break the ++static loop-detection code). The verdict can be IPT_CONTINUE, to ++continue on to the next rule. ++ ++<sect1>Extending iptables ++ ++<p>Because I'm lazy, <tt>iptables</tt> is fairly extensible. This is ++basically a scam to palm off work onto other people, which is what ++Open Source is all about (cf. Free Software, which as RMS would say, ++is about freedom, and I was sitting in one of his talks when I wrote ++this). 
++ ++<p>Extending <tt>iptables</tt> potentially involves two parts: ++extending the kernel, by writing a new module, and possibly extending ++the userspace program <tt>iptables</tt>, by writing a new shared ++library. ++ ++<sect2>The Kernel ++ ++<p>Writing a kernel module itself is fairly simple, as you can see ++from the examples. One thing to be aware of is that your code must be ++re-entrant: there can be one packet coming in from userspace, while ++another arrives on an interrupt. In fact in SMP there can be one ++packet on an interrupt per CPU in 2.3.4 and above. ++ ++<p> ++The functions you need to know about are: ++ ++<descrip> ++<tag>init_module()</tag> This is the entry-point of the module. It ++returns a negative error number, or 0 if it successfully registers ++itself with netfilter. ++ ++<tag>cleanup_module()</tag> This is the exit point of the module; it ++should unregister itself with netfilter. ++ ++<tag>ipt_register_match()</tag> This is used to register a new match ++type. You hand it a `struct ipt_match', which is usually declared as ++a static (file-scope) variable. ++ ++<tag>ipt_register_target()</tag> This is used to register a new ++type. You hand it a `struct ipt_target', which is usually declared as ++a static (file-scope) variable. ++ ++<tag>ipt_unregister_target()</tag> Used to unregister your target. ++ ++<tag>ipt_unregister_match()</tag> Used to unregister your match. ++</descrip> ++ ++<p>One warning about doing tricky things (such as providing counters) ++in the extra space in your new match or target. On SMP machines, the ++entire table is duplicated using memcpy for each CPU: if you really ++want to keep central information, you should see the method used in ++the `limit' match. ++ ++<sect3>New Match Functions ++ ++<p>New match functions are usually written as a standalone module. ++It's possible to have these modules extensible in turn, although it's ++usually not necessary. 
One way would be to use the netfilter ++framework's `nf_register_sockopt' function to allows users to talk to ++your module directly. Another way would be to export symbols for ++other modules to register themselves, the same way netfilter and ++ip_tables do. ++ ++<p>The core of your new match function is the struct ipt_match which ++it passes to `ipt_register_match()'. This structure has the following ++fields: ++ ++<descrip> ++<tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'. ++ ++<tag>name</tag> This field is the name of the match function, as ++referred to by userspace. The name should match the name of the ++module (i.e., if the name is "mac", the module must be "ipt_mac.o") for ++auto-loading to work. ++ ++<tag>match</tag> This field is a pointer to a match function, which ++takes the skb, the in and out device pointers (one of which may be ++NULL, depending on the hook), a pointer to the match data in the rule ++that is worked on (the structure that was prepared in userspace), the ++IP offset (non-zero means ++a non-head fragment), a pointer to the protocol header (i.e., just ++past the IP header), the length of the data (ie. the packet length ++minus the IP header length) and finally a pointer to a `hotdrop' ++variable. It should return non-zero if the packet matches, and can ++set `hotdrop' to 1 if it returns 0, to indicate that the packet must ++be dropped immediately. ++ ++<tag>checkentry</tag> This field is a pointer to a function which ++checks the specifications for a rule; if this returns 0, then the rule ++will not be accepted from the user. For example, the "tcp" match type ++will only accept tcp packets, and so if the `struct ipt_ip' part of ++the rule does not specify that the protocol must be tcp, a zero is ++returned. 
The tablename argument allows your match to control what ++tables it can be used in, and the `hook_mask' is a bitmask of hooks ++this rule may be called from: if your match does not make sense from ++some netfilter hooks, you can avoid that here. ++ ++<tag>destroy</tag> This field is a pointer to a function which is ++called when an entry using this match is deleted. This allows you to ++dynamically allocate resources in checkentry and clean them up here. ++ ++<tag>me</tag> This field is set to `THIS_MODULE', which gives a ++pointer to your module. It causes the usage-count to go up and down ++as rules of that type are created and destroyed. This prevents a user ++removing the module (and hence cleanup_module() being called) if a ++rule refers to it. ++</descrip> ++ ++<sect3>New Targets ++ ++<p>If your target alters the packet (ie. the headers or the body), it ++must call skb_unshare() to copy the packet in case it is cloned: ++otherwise any raw sockets which have a clone of the skbuff will see ++the alterations (ie. people will see wierd stuff happening in ++tcpdump). ++ ++<p>New targets are also usually written as a standalone module. The ++discussions under the above section on `New Match Functions' apply ++equally here. ++ ++<p>The core of your new target is the struct ipt_target that it ++passes to ipt_register_target(). This structure has the following ++fields: ++ ++ <descrip> ++ <tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'. ++ ++ <tag>name</tag> This field is the name of the target function, as ++ referred to by userspace. The name should match the name of the ++ module (i.e., if the name is "REJECT", the module must be ++ "ipt_REJECT.o") for auto-loading to work. ++ ++ <tag>target</tag> This is a pointer to the target function, which ++ takes the skbuff, the hook number, the input and output device ++ pointers (either of which may be NULL), a pointer to the target data, ++ and the position of the rule in the table. 
The target function may ++ return either IPT_CONTINUE (-1) if traversing should continue, or a ++ netfilter verdict (NF_DROP, NF_ACCEPT, NF_STOLEN etc.). ++ ++ <tag>checkentry</tag> This field is a pointer to a function which ++ checks the specifications for a rule; if this returns 0, then the ++ rule will not be accepted from the user. ++ ++ <tag>destroy</tag> This field is a pointer to a function which is ++ called when an entry using this target is deleted. This allows you ++ to dynamically allocate resources in checkentry and clean them up ++ here. ++ ++ <tag>me</tag> This field is set to `THIS_MODULE', which gives a ++ pointer to your module. It causes the usage-count to go up and down ++ as rules with this as a target are created and destroyed. This ++ prevents a user removing the module (and hence cleanup_module() being ++ called) if a rule refers to it. ++ </descrip> ++ ++<sect3>New Tables ++ ++<p>You can create a new table for your specific purpose if you wish. ++To do this, you call `ipt_register_table()', with a `struct ++ipt_table', which has the following fields: ++ ++ <descrip> ++ <tag>list</tag> This field is set to any junk, say `{ NULL, NULL }'. ++ ++ <tag>name</tag> This field is the name of the table function, as ++ referred to by userspace. The name should match the name of the ++ module (i.e., if the name is "nat", the module must be ++ "iptable_nat.o") for auto-loading to work. ++ ++ <tag>table</tag> This is a fully-populated `struct ipt_replace', as ++ used by userspace to replace a table. The `counters' pointer should ++ be set to NULL. This data structure can be declared `__initdata' so ++ it is discarded after boot. ++ ++ <tag>valid_hooks</tag> This is a bitmask of the IPv4 netfilter hooks ++ you will enter the table with: this is used to check that those entry ++ points are valid, and to calculate the possible hooks for ipt_match ++ and ipt_target `checkentry()' functions. 
++ ++ <tag>lock</tag> This is the read-write spinlock for the entire table; ++ initialize it to RW_LOCK_UNLOCKED. ++ ++ <tag>private</tag> This is used internally by the ip_tables code. ++ </descrip> ++ ++<sect2>Userspace Tool ++ ++<p>Now you've written your nice shiny kernel module, you may want to ++control the options on it from userspace. Rather than have a branched ++version of <tt>iptables</tt> for each extension, I use the very latest ++90's technology: furbies. Sorry, I mean shared libraries. ++ ++<p>New tables generally don't require any extension to ++<tt>iptables</tt>: the user just uses the `-t' option to make it use ++the new table. ++ ++<p>The shared library should have an `_init()' function, which will ++automatically be called upon loading: the moral equivalent of the ++kernel module's `init_module()' function. This should call ++`register_match()' or `register_target()', depending on whether your ++shared library provides a new match or a new target. ++ ++<p>You need to provide a shared library: this can be used to ++initialize part of the structure, or provide additional options. I ++now insist on a shared library even if it doesn't do anything, to ++reduce problem reports where the shares libraries are missing. ++ ++<p>There are useful functions described in the `iptables.h' header, ++especially: ++<descrip> ++<tag>check_inverse()</tag> checks if an argument is actually a `!', ++and if so, sets the `invert' flag if not already set. If it returns ++true, you should increment optind, as done in the examples. ++ ++<tag>string_to_number()</tag> converts a string into a number in the ++given range, returning -1 if it is malformed or out of range. ++`string_to_number' rely on `strtol' (see the manpage), meaning ++that a leading "0x" would make the number be in Hexadecimal base, a leading ++"0" would make it be in Octal base. ++ ++<tag>exit_error()</tag> should be called if an error is found. 
++Usually the first argument is `PARAMETER_PROBLEM', meaning the user ++didn't use the command line correctly. ++</descrip> ++ ++<sect3>New Match Functions ++ ++<p>Your shared library's _init() function hands `register_match()' a ++pointer to a static `struct iptables_match', which has the following ++fields: ++ ++<descrip> ++<tag>next</tag> This pointer is used to make a linked list of matches ++(such as used for listing rules). It should be set to NULL initially. ++ ++<tag>name</tag> The name of the match function. This should match the ++library name (eg "tcp" for `libipt_tcp.so'). ++ ++<tag>version</tag> Usually set to the IPTABLES_VERSION macro: this is ++used to ensure that the <tt>iptables</tt> binary doesn't pick up the ++wrong shared libraries by mistake. ++ ++<tag>size</tag> The size of the match data for this match; you should ++use the IPT_ALIGN() macro to ensure it is correctly aligned. ++ ++<tag>userspacesize</tag> For some matches, the kernel changes some ++fields internally (the `limit' target is a case of this). This means ++that a simple `memcmp()' is insufficient to compare two rules ++(required for delete-matching-rule functionality). If this is the ++case, place all the fields which do not change at the start of the ++structure, and put the size of the unchanging fields here. Usually, ++however, this will be identical to the `size' field. ++ ++<tag>help</tag> A function which prints out the option synopsis. ++ ++<tag>init</tag> This can be used to initialize the extra space (if ++any) in the ipt_entry_match structure, and set any nfcache bits; if ++you are examining something not expressible using the contents of ++`linux/include/netfilter_ipv4.h', then simply OR in the NFC_UNKNOWN ++bit. It will be called before `parse()'. ++ ++<tag>parse</tag> This is called when an unrecognized option is seen on ++the command line: it should return non-zero if the option was indeed ++for your library. `invert' is true if a `!' has already been seen. 
++The `flags' pointer is for the exclusive use of your match library, ++and is usually used to store a bitmask of options which have been ++specified. Make sure you adjust the nfcache field. You may extend ++the size of the `ipt_entry_match' structure by reallocating if ++necessary, but then you must ensure that the size is passed through ++the IPT_ALIGN macro. ++ ++<tag>final_check</tag> This is called after the command line has been ++parsed, and is handed the `flags' integer reserved for your library. ++This gives you a chance to check that any compulsory options have been ++specified, for example: call `exit_error()' if this is the case. ++ ++<tag>print</tag> This is used by the chain listing code to print (to ++standard output) the extra match information (if any) for a rule. The ++numeric flag is set if the user specified the `-n' flag. ++ ++<tag>save</tag> This is the reverse of parse: it is used by ++`iptables-save' to reproduce the options which created the rule. ++ ++<tag>extra_opts</tag> This is a NULL-terminated list of extra options ++which your library offers. This is merged with the current options ++and handed to getopt_long; see the man page for details. The return ++code for getopt_long becomes the first argument (`c') to your ++`parse()' function. ++</descrip> ++ ++There are extra elements at the end of this structure for use ++internally by <tt>iptables</tt>: you don't need to set them. ++ ++<sect3>New Targets ++ ++<p>Your shared library's _init() function hands `register_target()' it ++a pointer to a static `struct iptables_target', which has similar ++fields to the iptables_match structure detailed above. ++ ++<sect2>Using `libiptc' ++ ++<p><tt>libiptc</tt> is the iptables control library, designed for ++listing and manipulating rules in the iptables kernel module. While ++its current use is for the iptables program, it makes writing other ++tools fairly easy. You need to be root to use these functions. 
++ ++<p>The kernel tables themselves are simply a table of rules, and a set ++of numbers representing entry points. Chain names ("INPUT", etc) are ++provided as an abstraction by the library. User defined chains are ++labelled by inserting an error node before the head of the ++user-defined chain, which contains the chain name in the extra data ++section of the target (the builtin chain positions are defined by the ++three table entry points). ++ ++<p>The following standard targets are supported: ACCEPT, DROP, QUEUE ++(which are translated to NF_ACCEPT, NF_DROP, and NF_QUEUE, ++respectively), RETURN (which is translated to a special IPT_RETURN ++value handled by ip_tables), and JUMP (which is translated from the ++chain name to an actual offset within the table). ++ ++<p>When `iptc_init()' is called, the table, including the counters, is ++read. This table is manipulated by the `iptc_insert_entry()', ++`iptc_replace_entry()', `iptc_append_entry()', `iptc_delete_entry()', ++`iptc_delete_num_entry()', `iptc_flush_entries()', ++`iptc_zero_entries()', `iptc_create_chain()' `iptc_delete_chain()', ++and `iptc_set_policy()' functions. ++ ++<p>The table changes are not written back until the `iptc_commit()' ++function is called. This means it is possible for two library users ++operating on the same chain to race each other; locking would be ++required to prevent this, and it is not currently done. ++ ++<p>There is no race with counters, however; counters are added back in ++to the kernel in such a way that counter increments between the ++reading and writing of the table still show up in the new table. ++ ++<p>There are various helper functions: ++ ++<descrip> ++<tag>iptc_first_chain()</tag> This function returns the first chain ++name in the table. ++ ++<tag>iptc_next_chain()</tag> This function returns the next chain name ++in the table: NULL means no more chains. ++ ++<tag>iptc_builtin()</tag> Returns true if the given chain name is the ++name of a builtin chain. 
++ ++<tag>iptc_first_rule()</tag> This returns a pointer to the first rule ++in the given chain name: NULL for an empty chain. ++ ++<tag>iptc_next_rule()</tag> This returns a pointer to the next rule in ++the chain: NULL means the end of the chain. ++ ++<tag>iptc_get_target()</tag> This gets the target of the given rule. If ++it's an extended target, the name of that target is returned. If it's ++a jump to another chain, the name of that chain is returned. If it's ++a verdict (eg. DROP), that name is returned. If it has no target (an ++accounting-style rule), then the empty string is returned. ++ ++<p>Note that this function should be used instead of using the value ++of the `verdict' field of the ipt_entry structure directly, as it ++offers the above further interpretations of the standard verdict. ++ ++<tag>iptc_get_policy()</tag> This gets the policy of a builtin chain, ++and fills in the `counters' argument with the hit statistics on that ++policy. ++ ++<tag>iptc_strerror()</tag> This function returns a more meaningful ++explanation of a failure code in the iptc library. If a function ++fails, it will always set errno: this value can be passed to ++iptc_strerror() to yield an error message. ++</descrip> ++ ++<sect1>Understanding NAT ++ ++<p>Welcome to Network Address Translation in the kernel. Note that ++the infrastructure offered is designed more for completeness than raw ++efficiency, and that future tweaks may increase the efficiency ++markedly. For the moment I'm happy that it works at all. ++ ++<p>NAT is separated into connection tracking (which doesn't manipulate ++packets at all), and the NAT code itself. Connection tracking is also ++designed to be used by an iptables modules, so it makes subtle ++distinctions in states which NAT doesn't care about. ++ ++<sect2>Connection Tracking ++ ++<p>Connection tracking hooks into high-priority NF_IP_LOCAL_OUT and ++NF_IP_PRE_ROUTING hooks, in order to see packets before they enter the ++system. 
++ ++<p>The nfct field in the skb is a pointer to inside the struct ++ip_conntrack, at one of the infos[] array. Hence we can tell the ++state of the skb by which element in this array it is pointing to: ++this pointer encodes both the state structure and the relationship of ++this skb to that state. ++ ++<p>The best way to extract the `nfct' field is to call ++`ip_conntrack_get()', which returns NULL if it's not set, or the ++connection pointer, and fills in ctinfo which describes the ++relationship of the packet to that connection. This enumerated type ++has several values: ++ ++<descrip> ++ ++<tag>IP_CT_ESTABLISHED</tag> The packet is part of an established ++connection, in the original direction. ++ ++<tag>IP_CT_RELATED</tag> The packet is related to the connection, and ++is passing in the original direction. ++ ++<tag>IP_CT_NEW</tag> The packet is trying to create a new connection ++(obviously, it is in the original direction). ++ ++<tag>IP_CT_ESTABLISHED + IP_CT_IS_REPLY</tag> The packet is part of an ++established connection, in the reply direction. ++ ++<tag>IP_CT_RELATED + IP_CT_IS_REPLY</tag> The packet is related to the ++connection, and is passing in the reply direction. ++</descrip> ++ ++Hence a reply packet can be identified by testing for >= ++IP_CT_IS_REPLY. ++ ++<sect1>Extending Connection Tracking/NAT ++ ++<p>These frameworks are designed to accommodate any number of protocols ++and different mapping types. Some of these mapping types might be ++quite specific, such as a load-balancing/fail-over mapping type. ++ ++<p>Internally, connection tracking converts a packet to a "tuple", ++representing the interesting parts of the packet, before searching for ++bindings or rules which match it. This tuple has a manipulatable ++part, and a non-manipulatable part; called "src" and "dst", as this is ++the view for the first packet in the Source NAT world (it'd be a reply ++packet in the Destination NAT world). 
The tuple for every packet in ++the same packet stream in that direction is the same. ++ ++<p>For example, a TCP packet's tuple contains the manipulatable part: ++source IP and source port, the non-manipulatable part: destination IP ++and the destination port. The manipulatable and non-manipulatable ++parts do not need to be the same type though; for example, an ICMP ++packet's tuple contains the manipulatable part: source IP and the ICMP ++id, and the non-manipulatable part: the destination IP and the ICMP ++type and code. ++ ++<p>Every tuple has an inverse, which is the tuple of the reply packets ++in the stream. For example, the inverse of an ICMP ping packet, icmp ++id 12345, from 192.168.1.1 to 1.2.3.4, is a ping-reply packet, icmp id ++12345, from 1.2.3.4 to 192.168.1.1. ++ ++<p>These tuples, represented by the `struct ip_conntrack_tuple', are used ++widely. In fact, together with the hook the packet came in on (which ++has an effect on the type of manipulation expected), and the device ++involved, this is the complete information on the packet. ++ ++<p>Most tuples are contained within a `struct ++ip_conntrack_tuple_hash', which adds a doubly linked list entry, and a ++pointer to the connection that the tuple belongs to. ++ ++<p>A connection is represented by the `struct ip_conntrack': it has ++two `struct ip_conntrack_tuple_hash' fields: one referring to the ++direction of the original packet (tuplehash[IP_CT_DIR_ORIGINAL]), and ++one referring to packets in the reply direction ++(tuplehash[IP_CT_DIR_REPLY]). ++ ++<p>Anyway, the first thing the NAT code does is to see if the ++connection tracking code managed to extract a tuple and find an ++existing connection, by looking at the skbuff's nfct field; this tells ++us if it's an attempt on a new connection, or if not, which direction ++it is in; in the latter case, then the manipulations determined ++previously for that connection are done. 
++ ++<p>If it was the start of a new connection, we look for a rule for that ++tuple, using the standard iptables traversal mechanism, on the `nat' ++table. If a rule matches, it is used to initialize the manipulations ++for both that direction and the reply; the connection-tracking code is ++told that the reply it should expect has changed. Then, it's ++manipulated as above. ++ ++<p>If there is no rule, a `null' binding is created: this usually does ++not map the packet, but exists to ensure we don't map another stream ++over an existing one. Sometimes, the null binding cannot be created, ++because we have already mapped an existing stream over it, in which ++case the per-protocol manipulation may try to remap it, even though ++it's nominally a `null' binding. ++ ++<sect2>Standard NAT Targets ++ ++<p>NAT targets are like any other iptables target extensions, except ++they insist on being used only in the `nat' table. Both the SNAT and ++DNAT targets take a `struct ip_nat_multi_range' as their extra data; ++this is used to specify the range of addresses a mapping is allowed to ++bind into. A range element, `struct ip_nat_range' consists of an ++inclusive minimum and maximum IP address, and an inclusive maximum and ++minimum protocol-specific value (eg. TCP ports). There is also room ++for flags, which say whether the IP address can be mapped (sometimes ++we only want to map the protocol-specific part of a tuple, not the ++IP), and another to say that the protocol-specific part of the range ++is valid. ++ ++<p>A multi-range is an array of these `struct ip_nat_range' elements; ++this means that a range could be "1.1.1.1-1.1.1.2 ports 50-55 AND ++1.1.1.3 port 80". Each range element adds to the range (a union, for ++those who like set theory). ++ ++<sect2>New Protocols ++ ++<sect3> Inside The Kernel ++ ++<p>Implementing a new protocol first means deciding what the ++manipulatable and non-manipulatable parts of the tuple should be. 
++Everything in the tuple has the property that it identifies the stream ++uniquely. The manipulatable part of the tuple is the part you can do ++NAT with: for TCP this is the source port, for ICMP it's the icmp ID; ++something to use as a "stream identifier". The non-manipulatable part ++is the rest of the packet that uniquely identifies the stream, but we ++can't play with (eg. TCP destination port, ICMP type). ++ ++<p>Once you've decided this, you can write an extension to the ++connection-tracking code in the directory, and go about populating the ++`ip_conntrack_protocol' structure which you need to pass to ++`ip_conntrack_register_protocol()'. ++ ++<p>The fields of `struct ip_conntrack_protocol' are: ++ ++<descrip> ++<tag>list</tag> Set it to '{ NULL, NULL }'; used to sew you into the list. ++ ++<tag>proto</tag> Your protocol number; see `/etc/protocols'. ++ ++<tag>name</tag> The name of your protocol. This is the name the user ++will see; it's usually best if it's the canonical name in ++`/etc/protocols'. ++ ++<tag>pkt_to_tuple</tag> The function which fills out the protocol ++specific parts of the tuple, given the packet. The `datah' pointer ++points to the start of your header (just past the IP header), and the ++datalen is the length of the packet. If the packet isn't long enough ++to contain the header information, return 0; datalen will always be ++at least 8 bytes though (enforced by framework). ++ ++<tag>invert_tuple</tag> This function is simply used to change the ++protocol-specific part of the tuple into the way a reply to that ++packet would look. ++ ++<tag>print_tuple</tag> This function is used to print out the ++protocol-specific part of a tuple; usually it's sprintf()'d into the ++buffer provided. The number of buffer characters used is returned. ++This is used to print the states for the /proc entry. 
++ ++<tag>print_conntrack</tag> This function is used to print the private ++part of the conntrack structure, if any, also used for printing the ++states in /proc. ++ ++<tag>packet</tag> This function is called when a packet is seen which ++is part of an established connection. You get a pointer to the ++conntrack structure, the IP header, the length, and the ctinfo. You ++return a verdict for the packet (usually NF_ACCEPT), or -1 if the ++packet is not a valid part of the connection. You can delete the ++connection inside this function if you wish, but you must use the ++following idiom to avoid races (see ip_conntrack_proto_icmp.c): ++ ++<tscreen><verb> ++if (del_timer(&ct->timeout)) ++ ct->timeout.function((unsigned long)ct); ++</verb></tscreen> ++ ++<tag>new</tag> This function is called when a packet creates a ++connection for the first time; there is no ctinfo arg, since the first ++packet is of ctinfo IP_CT_NEW by definition. It returns 0 to fail to ++create the connection, or a connection timeout in jiffies. ++</descrip> ++ ++Once you've written and tested that you can track your new protocol, ++it's time to teach NAT how to translate it. This means writing a new ++module; an extension to the NAT code and go about populating the ++`ip_nat_protocol' structure which you need to pass to ++`ip_nat_protocol_register()'. ++ ++<descrip> ++<tag>list</tag> Set it to '{ NULL, NULL }'; used to sew you into the list. ++ ++<tag>name</tag> The name of your protocol. This is the name the user ++will see; it's best if it's the canonical name in `/etc/protocols' for ++userspace auto-loading, as we'll see later. ++ ++<tag>protonum</tag> Your protocol number; see `/etc/protocols'. ++ ++<tag>manip_pkt</tag> This is the other half of connection tracking's ++pkt_to_tuple function: you can think of it as "tuple_to_pkt". There ++are some differences though: you get a pointer to the start of the IP ++header, and the total packet length. 
This is because some protocols ++(UDP, TCP) need to know the IP header. You're given the ++ip_nat_tuple_manip field from the tuple (i.e., the "src" field), rather ++than the entire tuple, and the type of manipulation you are to ++perform. ++ ++<tag>in_range</tag> This function is used to tell if manipulatable ++part of the given tuple is in the given range. This function is a bit ++tricky: we're given the manipulation type which has been applied to ++the tuple, which tells us how to interpret the range (is it a source ++range or a destination range we're aiming for?). ++ ++<p>This function is used to check if an existing mapping puts us in ++the right range, and also to check if no manipulation is necessary at ++all. ++ ++<tag>unique_tuple</tag> This function is the core of NAT: given a ++tuple and a range, we're to alter the per-protocol part of the tuple ++to place it within the range, and make it unique. If we can't find an ++unused tuple in the range, return 0. We also get a pointer to the ++conntrack structure, which is required for ip_nat_used_tuple(). ++ ++<p>The usual approach is to simply iterate the per-protocol part of ++the tuple through the range, checking `ip_nat_used_tuple()' on it, ++until one returns false. ++ ++<p>Note that the null-mapping case has already been checked: it's ++either outside the range given, or already taken. ++ ++<p>If IP_NAT_RANGE_PROTO_SPECIFIED isn't set, it means that the user ++is doing NAT, not NAPT: do something sensible with the range. If no ++mapping is desirable (for example, within TCP, a destination mapping ++should not change the TCP port unless ordered to), return 0. ++ ++<tag>print</tag> Given a character buffer, a match tuple and a mask, ++write out the per-protocol parts and return the length of the buffer ++used. ++ ++<tag>print_range</tag> Given a character buffer and a range, write out ++the per-protocol part of the range, and return the length of the ++buffer used. 
This won't be called if the IP_NAT_RANGE_PROTO_SPECIFIED ++flag wasn't set for the range. ++</descrip> ++ ++<sect2>New NAT Targets ++ ++<p>This is the really interesting part. You can write new NAT targets ++which provide a new mapping type: two extra targets are provided in ++the default package: MASQUERADE and REDIRECT. These are fairly simple ++to illustrate the potential and power of writing a new NAT target. ++ ++<p>These are written just like any other iptables targets, but ++internally they will extract the connection and call ++`ip_nat_setup_info()'. ++ ++<sect2>Protocol Helpers ++ ++<p>Protocol helpers for connection tracking allow the connection ++tracking code to understand protocols which use multiple network ++connections (eg. FTP) and mark the `child' connections as being ++related to the initial connection, usually by reading the related ++address out of the data stream. ++ ++<p>Protocol helpers for NAT do two things: firstly allow the NAT code ++to manipulate the data stream to change the address contained within ++it, and secondly to perform NAT on the related connection when it ++comes in, based on the original connection. ++ ++<sect2>Connection Tracking Helper Modules ++ ++<sect3>Description ++<p> ++The duty of a connection tracking module is to specify which packets ++belong to an already established connection. The module has the ++following means to do that: ++ ++<itemize> ++<item>Tell netfilter which packets our module is interested in (most ++helpers operate on a particular port). ++ ++<item>Register a function with netfilter. This function is called for ++every packet which matches the criteria above. 
++ ++<item>An `ip_conntrack_expect_related()' function which can be called ++from there to tell netfilter to expect related connections.</item> ++</itemize> ++ ++<p> ++If there is some additional work to be done at the time the first packet ++of the expected connection arrives, the module can register a callback ++function which is called at that time. ++ ++<sect3>Structures and Functions Available ++ ++<p>Your kernel module's init function has to call ++`ip_conntrack_helper_register()' with a pointer to a ++`struct ip_conntrack_helper'. This struct has the following fields: ++ ++<descrip> ++<tag>list</tag>This is the header for the linked list. Netfilter ++handles this list internally. Just initialize it with `{ NULL, NULL }'. ++ ++<tag>name</tag>This is a pointer to a string constant specifying the ++name of the protocol. ("ftp", "irc", ...) ++ ++<tag>flags</tag>A set of flags with one or more out of the following flgs: ++<itemize> ++<item>IP_CT_HELPER_F_REUSE_EXPECT : Reuse expectations if the limit (see ++`max_expected` below) is reached.</item> ++</itemize> ++ ++<tag>me</tag>A pointer to the module structure of the helper. Intitialize this with the `THIS_MODULE' macro. ++ ++<tag>max_expected</tag>Maximum number of unconfirmed (outstanding) expectations. ++ ++<tag>timeout</tag>Timeout (in seconds) for each unconfirmed expectation. An expectation is deleted `timeout' seconds after the expectation was issued with the `ip_conntrack_expect_related()' function. ++ ++<tag>tuple</tag>This is a `struct ip_conntrack_tuple' which specifies ++the packets our conntrack helper module is interested in. ++ ++<tag>mask</tag>Again a `struct ip_conntrack_tuple'. This mask ++specifies which bits of <tt>tuple</tt> are valid. 
++
++<tag>help</tag>The function which netfilter should call for each
++packet matching tuple+mask
++</descrip>
++
++<sect3>Example skeleton of a conntrack helper module
++<p>
++<tscreen><code>
++#define FOO_PORT 111
++
++static int foo_expectfn(struct ip_conntrack *new)
++{
++ /* called when the first packet of an expected
++ connection arrives */
++
++ return 0;
++}
++
++static int foo_help(const struct iphdr *iph, size_t len,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo)
++{
++ /* analyze the data passed on this connection and
++ decide how related packets will look like */
++
++ /* update per master-connection private data
++ (session state, ...) */
++ ct->help.ct_foo_info = ...
++
++ if (there_will_be_new_packets_related_to_this_connection)
++ {
++ struct ip_conntrack_expect exp;
++
++ memset(&exp, 0, sizeof(exp));
++ exp.t = tuple_specifying_related_packets;
++ exp.mask = mask_for_above_tuple;
++ exp.expectfn = foo_expectfn;
++ exp.seq = tcp_sequence_number_of_expectation_cause;
++
++ /* per slave-connection private data */
++ exp.help.exp_foo_info = ...
++
++ ip_conntrack_expect_related(ct, &exp);
++ }
++ return NF_ACCEPT;
++}
++
++static struct ip_conntrack_helper foo;
++
++static int __init init(void)
++{
++ memset(&foo, 0, sizeof(struct ip_conntrack_helper);
++
++ foo.name = "foo";
++ foo.flags = IP_CT_HELPER_F_REUSE_EXPECT;
++ foo.me = THIS_MODULE;
++ foo.max_expected = 1; /* one expectation at a time */
++ foo.timeout = 0; /* expectation never expires */
++
++ /* we are interested in all TCP packets with destport 111 */
++ foo.tuple.dst.protonum = IPPROTO_TCP;
++ foo.tuple.dst.u.tcp.port = htons(FOO_PORT);
++ foo.mask.dst.protonum = 0xFFFF;
++ foo.mask.dst.u.tcp.port = 0xFFFF;
++ foo.help = foo_help;
++
++ return ip_conntrack_helper_register(&foo);
++}
++
++static void __exit fini(void)
++{
++ ip_conntrack_helper_unregister(&foo);
++}
++</code></tscreen>
++
++
++<sect2>NAT helper modules
++
++<sect3>Description
++<p>
++NAT helper modules do some application specific NAT handling. Usually
++this includes on-the-fly manipulation of data: think about the PORT
++command in FTP, where the client tells the server which IP/port to
++connect to. Therefor an FTP helper module must replace the IP/port
++after the PORT command in the FTP control connection.
++
++<p>
++If we are dealing with TCP, things get slightly more complicated. The
++reason is a possible change of the packet size (FTP example: the
++length of the string representing an IP/port tuple after the PORT
++command has changed). If we change the packet size, we have a syn/ack
++difference between left and right side of the NAT box. (i.e. if we had
++extended one packet by 4 octets, we have to add this offset to the TCP
++sequence number of each following packet).
++
++<p>
++Special NAT handling of all related packets is required, too.
Take as ++example again FTP, where all incoming packets of the DATA connection ++have to be NATed to the IP/port given by the client with the PORT ++command on the control connection, rather than going through the ++normal table lookup. ++ ++<itemize> ++<item>callback for the packet causing the related connection (foo_help) ++<item>callback for all related packets (foo_nat_expected) ++</itemize> ++ ++<sect3>Structures and Functions Available ++ ++<p>Your nat helper module's `init()' function calls ++`ip_nat_helper_register()' with a pointer to a `struct ++ip_nat_helper'. This struct has the following members: ++ ++<descrip> ++<tag>list</tag>Just again the list header for netfilters internal use. ++Initialize this with { NULL, NULL }. ++ ++<tag>name</tag>A pointer to a string constant with the protocol's name ++ ++<tag>flags</tag>A set out of zero, one or more of the following flags: ++<itemize> ++<item>IP_NAT_HELPER_F_ALWAYS : Call the NAT helper for every packet, ++not only for packets where conntrack has detected an expectation-cause.</item> ++<item>IP_NAT_HELPER_F_STANDALONE : Tell the NAT core that this protocol ++doesn't have a conntrack helper, only a NAT helper.</item> ++</itemize> ++ ++<tag>me</tag>A pointer to the module structure of the helper. Initialize ++this using the `THIS_MODULE' macro. ++ ++<tag>tuple</tag>a `struct ip_conntrack_tuple' describing which packets ++our NAT helper is interested in. ++ ++<tag>mask</tag>a `struct ip_conntrack_tuple', telling netfilter which ++bits of <tt>tuple</tt> are valid. ++ ++<tag>help</tag>The help function which is called for each packet ++matching tuple+mask. ++ ++<tag>expect</tag>The expect function which is called for every first ++packet of an expected connection. ++ ++</descrip> ++ ++This is very similar to writing a connection tracking helper. 
++
++<sect3>Example NAT helper module
++<p>
++<tscreen><code>
++#define FOO_PORT 111
++
++static int foo_nat_expected(struct sk_buff **pksb,
++ unsigned int hooknum,
++ struct ip_conntrack *ct,
++ struct ip_nat_info *info)
++/* called whenever the first packet of a related connection arrives.
++ params: pksb packet buffer
++ hooknum HOOK the call comes from (POST_ROUTING, PRE_ROUTING)
++ ct information about this (the related) connection
++ info &ct->nat.info
++ return value: Verdict (NF_ACCEPT, ...)
++{
++ /* Change ip/port of the packet to the masqueraded
++ values (read from master->tuplehash), to map it the same way,
++ call ip_nat_setup_info, return NF_ACCEPT. */
++
++}
++
++static int foo_help(struct ip_conntrack *ct,
++ struct ip_conntrack_expect *exp,
++ struct ip_nat_info *info,
++ enum ip_conntrack_info ctinfo,
++ unsigned int hooknum,
++ struct sk_buff **pksb)
++/* called for every packet where conntrack detected an expectation-cause
++ params: ct struct ip_conntrack of the master connection
++ exp struct ip_conntrack_expect of the expectation
++ caused by the conntrack helper for this protocol
++ info (STATE: related, new, established, ... )
++ hooknum HOOK the call comes from (POST_ROUTING, PRE_ROUTING)
++ pksb packet buffer
++*/
++{
++
++ /* extract information about future related packets (you can
++ share information with the connection tracking's foo_help).
++ Exchange address/port with masqueraded values, insert tuple
++ about related packets */
++}
++
++static struct ip_nat_helper hlpr;
++
++static int __init(void)
++{
++ int ret;
++
++ memset(&hlpr, 0, sizeof(struct ip_nat_helper));
++ hlpr.list = { NULL, NULL };
++ hlpr.tuple.dst.protonum = IPPROTO_TCP;
++ hlpr.tuple.dst.u.tcp.port = htons(FOO_PORT);
++ hlpr.mask.dst.protonum = 0xFFFF;
++ hlpr.mask.dst.u.tcp.port = 0xFFFF;
++ hlpr.help = foo_help;
++ hlpr.expect = foo_nat_expect;
++
++ ret = ip_nat_helper_register(hlpr);
++
++ return ret;
++}
++
++static void __exit(void)
++{
++ ip_nat_helper_unregister(&hlpr);
++}
++</code></tscreen>
++
++<sect1>Understanding Netfilter
++
++<p>Netfilter is pretty simple, and is described fairly thoroughly in
++the previous sections. However, sometimes it's necessary to go
++beyond what the NAT or ip_tables infrastructure offers, or you may
++want to replace them entirely.
++
++<p>One important issue for netfilter (well, in the future) is caching.
++Each skb has an `nfcache' field: a bitmask of what fields in the
++header were examined, and whether the packet was altered or not. The
++idea is that each hook off netfilter OR's in the bits relevant to it,
++so that we can later write a cache system which will be clever enough
++to realize when packets do not need to be passed through netfilter at
++all.
++
++<p>The most important bits are NFC_ALTERED, meaning the packet was
++altered (this is already used for IPv4's NF_IP_LOCAL_OUT hook, to
++reroute altered packets), and NFC_UNKNOWN, which means caching should
++not be done because some property which cannot be expressed was
++examined. If in doubt, simply set the NFC_UNKNOWN flag on the skb's
++nfcache field inside your hook.
++
++<sect1>Writing New Netfilter Modules
++
++<sect2> Plugging Into Netfilter Hooks
++
++<p> To receive/mangle packets inside the kernel, you can simply write
++a module which registers a "netfilter hook".
This is basically an ++expression of interest at some given point; the actual points are ++protocol-specific, and defined in protocol-specific netfilter headers, ++such as "netfilter_ipv4.h". ++ ++<p> To register and unregister netfilter hooks, you use the functions ++`nf_register_hook' and `nf_unregister_hook'. These each take a ++pointer to a `struct nf_hook_ops', which you populate as follows: ++ ++<descrip> ++<tag>list</tag> Used to sew you into the linked list: set to '{ NULL, ++NULL }' ++ ++<tag>hook</tag> The function which is called when a packet hits this ++hook point. Your function must return NF_ACCEPT, NF_DROP or NF_QUEUE. ++If NF_ACCEPT, the next hook attached to that point will be called. If ++NF_DROP, the packet is dropped. If NF_QUEUE, it's queued. You ++receive a pointer to an skb pointer, so you can entirely replace the ++skb if you wish. ++ ++<tag>flush</tag> Currently unused: designed to pass on packet hits ++when the cache is flushed. May never be implemented: set it to NULL. ++ ++<tag>pf</tag> The protocol family, eg, `PF_INET' for IPv4. ++ ++<tag>hooknum</tag> The number of the hook you are interested in, eg ++`NF_IP_LOCAL_OUT'. ++</descrip> ++ ++<sect2> Processing Queued Packets ++ ++<p>This interface is currently used by ip_queue; you can register to ++handle queued packets for a given protocol. This has similar semantics ++to registering for a hook, except you can block processing the packet, ++and you only see packets for which a hook has replied `NF_QUEUE'. ++ ++<p>The two functions used to register interest in queued packets are ++`nf_register_queue_handler()' and `nf_unregister_queue_handler()'. The ++function you register will be called with the `void *' pointer you ++handed it to `nf_register_queue_handler()'. ++ ++<p> ++If no-one is registered to handle a protocol, then returning NF_QUEUE ++is equivalent to returning NF_DROP. ++ ++<p> ++Once you have registered interest in queued packets, they begin ++queueing. 
You can do whatever you want with them, but you must call ++`nf_reinject()' when you are finished with them (don't simply ++kfree_skb() them). When you reinject an skb, you hand it the skb, the ++`struct nf_info' which your queue handler was given, and a verdict: ++NF_DROP causes them to be dropped, NF_ACCEPT causes them to continue ++to iterate through the hooks, NF_QUEUE causes them to be queued again, ++and NF_REPEAT causes the hook which queued the packet to be consulted ++again (beware infinite loops). ++ ++<p>You can look inside the `struct nf_info' to get auxiliary ++information about the packet, such as the interfaces and hook it was ++on. ++ ++<sect2> Receiving Commands From Userspace ++ ++<p>It is common for netfilter components to want to interact with ++userspace. The method for doing this is by using the setsockopt ++mechanism. Note that each protocol must be modified to call ++nf_setsockopt() for setsockopt numbers it doesn't understand (and ++nf_getsockopt() for getsockopt numbers), and so far only IPv4, IPv6 ++and DECnet have been modified. ++ ++<p>Using a now-familiar technique, we register a `struct ++nf_sockopt_ops' using the nf_register_sockopt() call. The fields of ++this structure are as follows: ++ ++<descrip> ++<tag>list</tag> Used to sew it into the linked list: set to '{ NULL, ++NULL }'. ++ ++<tag>pf</tag> The protocol family you handle, eg. PF_INET. ++ ++<tag>set_optmin</tag> and ++<tag>set_optmax</tag> ++ ++These specify the (exclusive) range of setsockopt numbers handled. ++Hence using 0 and 0 means you have no setsockopt numbers. ++ ++<tag>set</tag> This is the function called when the user calls one of ++your setsockopts. You should check that they have NET_ADMIN ++capability within this function. ++ ++<tag>get_optmin</tag> and ++<tag>get_optmax</tag> ++ ++These specify the (exclusive) range of getsockopt numbers handled. ++Hence using 0 and 0 means you have no getsockopt numbers. 
++ ++<tag>get</tag> This is the function called when the user calls one of ++your getsockopts. You should check that they have NET_ADMIN ++capability within this function. ++</descrip> ++ ++<p>The final two fields are used internally. ++ ++<sect1>Packet Handling in Userspace ++ ++<p>Using the libipq library and the `ip_queue' module, almost anything ++which can be done inside the kernel can now be done in userspace. ++This means that, with some speed penalty, you can develop your code ++entirely in userspace. Unless you are trying to filter large ++bandwidths, you should find this approach superior to in-kernel packet ++mangling. ++ ++<p>In the very early days of netfilter, I proved this by porting an ++embryonic version of iptables to userspace. Netfilter opens the doors ++for more people to write their own, fairly efficient netmangling ++modules, in whatever language they want. ++ ++<sect>Translating 2.0 and 2.2 Packet Filter Modules ++ ++<p>Look at the ip_fw_compat.c file for a simple layer which should ++make porting quite simple. ++ ++<sect>Netfilter Hooks for Tunnel Writers ++ ++<p>Authors of tunnel (or encapsulation) drivers should follow two ++simple rules for the 2.4 kernel (as do the drivers inside the kernel, ++like net/ipv4/ipip.c): ++ ++<itemize> ++<item> ++Release skb->nfct if you're going to make the packet unrecognisable ++(ie. decapsulating/encapsulating). You don't need to do this if you ++unwrap it into a *new* skb, but if you're going to do it in place, you ++must do this. ++ ++<p>Otherwise: the NAT code will use the old connection tracking ++information to mangle the packet, with bad consequences. ++ ++<item>Make sure the encapsulated packets go through the LOCAL_OUT ++hook, and decapsulated packets go through the PRE_ROUTING hook (most ++tunnels use ip_rcv(), which does this for you). ++ ++<p>Otherwise: the user will not be able to filter as they expect to with ++tunnels. 
++
++</itemize>
++
++<p>The canonical way to do the first is to insert code like the
++following before you wrap or unwrap the packet:
++
++<tscreen><verb>
++ /* Tell the netfilter framework that this packet is not the
++ same as the one before! */
++#ifdef CONFIG_NETFILTER
++ nf_conntrack_put(skb->nfct);
++ skb->nfct = NULL;
++#ifdef CONFIG_NETFILTER_DEBUG
++ skb->nf_debug = 0;
++#endif
++#endif
++</verb></tscreen>
++
++<p>Usually, all you need to do for the second, is to find where the
++newly encapsulated packet goes into "ip_send()", and replace it with
++something like:
++
++<tscreen><verb>
++ /* Send "new" packet from local host */
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, ip_send);
++</verb></tscreen>
++
++<p> Following these rules means that the person setting up the packet
++filtering rules on the tunnel box will see something like the
++following sequence for a packet being tunnelled:
++
++<enum>
++<item> FORWARD hook: normal packet (from eth0 -> tunl0)
++<item> LOCAL_OUT hook: encapsulated packet (to eth1).
++</enum>
++
++And for the reply packet:
++<enum>
++<item> LOCAL_IN hook: encapsulated reply packet (from eth1)
++<item> FORWARD hook: reply packet (from eth1 -> eth0).
++</enum>
++
++<sect>The Test Suite
++
++<p>Within the CVS repository lives a test suite: the more the test
++suite covers, the greater confidence you can have that changes to the
++code hasn't quietly broken something. Trivial tests are at least as
++important as tricky tests: it's the trivial tests which simplify the
++complex tests (since you know the basics work fine before the complex
++test gets run).
++
++<p>The tests are simple: they are just shell scripts under the
++testsuite/ subdirectory which are supposed to succeed. The scripts
++are run in alphabetical order, so `01test' is run before `02test'.
++Currently there are 5 test directories:
++
++<descrip>
++<tag>00netfilter/</tag> General netfilter framework tests.
++<tag>01iptables/</tag> iptables tests.
++<tag>02conntrack/</tag> connection tracking tests. ++<tag>03NAT/</tag> NAT tests ++<tag>04ipchains-compat/</tag> ipchains/ipfwadm compatibility tests ++</descrip> ++ ++Inside the testsuite/ directory is a script called `test.sh'. It ++configures two dummy interfaces (tap0 and tap1), turns forwarding on, ++and removes all netfilter modules. Then it runs through the ++directories above and runs each of their test.sh scripts until one ++fails. This script takes two optional arguments: `-v' meaning to ++print out each test as it proceeds, and an optional test name: if this ++is given, it will skip over all tests until this one is found. ++ ++<sect1>Writing a Test ++ ++<p>Create a new file in the appropriate directory: try to number your ++test so that it gets run at the right time. For example, in order to ++test ICMP reply tracking (02conntrack/02reply.sh), we need to first ++check that outgoing ICMPs are tracked properly ++(02conntrack/01simple.sh). ++ ++<p>It's usually better to create many small files, each of which ++covers one area, because it helps to isolate problems immediately for ++people running the testsuite. ++ ++<p>If something goes wrong in the test, simply do an `exit 1', which ++causes failure; if it's something you expect may fail, you should ++print a unique message. Your test should end with `exit 0' if ++everything goes OK. You should check the success of <bf>every</bf> ++command, either using `set -e' at the top of the script, or ++appending `|| exit 1' to the end of each command. ++ ++<p>The helper functions `load_module' and `remove_module' can be used ++to load modules: you should never rely on autoloading in the testsuite ++unless that is what you are specifically testing. ++ ++<sect1>Variables And Environment ++ ++<p>You have two play interfaces: tap0 and tap1. Their interface ++addresses are in variables <tt>$TAP0</tt> and <tt>$TAP1</tt> ++respectively. 
They both have netmasks of 255.255.255.0; their ++networks are in $TAP0NET and $TAP1NET respectively. ++ ++<p>There is an empty temporary file in $TMPFILE. It is deleted at the ++end of your test. ++ ++<p>Your script will be run from the testsuite/ directory, wherever it ++is. Hence you should access tools (such as iptables) using path ++starting with `../userspace'. ++ ++<p>Your script can print out more information if $VERBOSE is set ++(meaning that the user specified `-v' on the command line). ++ ++<sect1>Useful Tools ++ ++<p> ++There are several useful testsuite tools in the "tools" subdirectory: ++each one exits with a non-zero exit status if there is a problem. ++ ++<sect2>gen_ip ++ ++<p>You can generate IP packets using `gen_ip', which outputs an IP ++packet to standard input. You can feed packets in the tap0 and tap1 ++by sending standard output to /dev/tap0 and /dev/tap1 (these are ++created upon first running the testsuite if they don't exist). ++ ++<p>gen_ip is a simplistic program which is currently very fussy about ++its argument order. First are the general optional arguments: ++ ++<descrip> ++ ++<tag>FRAG=offset,length</tag> Generate the packet, then turn it into a ++ fragment at the following offset and length. ++ ++<tag>MF</tag> Set the `More Fragments' bit on the packet. ++ ++<tag>MAC=xx:xx:xx:xx:xx:xx</tag> Set the source MAC address on the ++ packet. ++ ++<tag>TOS=tos</tag> Set the TOS field on the packet (0 to 255). ++ ++</descrip> ++ ++Next come the compulsory arguments: ++ ++<descrip> ++<tag>source ip</tag> Source IP address of the packet. ++ ++<tag>dest ip</tag> Destination IP address of the packet. ++ ++<tag>length</tag> Total length of the packet, including headers. ++ ++<tag>protocol</tag> Protocol number of the packet, eg 17 = UDP. ++ ++</descrip> ++ ++Then the arguments depend on the protocol: for UDP (17), they are the ++source and destination port numbers. 
For ICMP (1), they are the type
++and code of the ICMP message: if the type is 0 or 8 (ping-reply or
++ping), then two additional arguments (the ID and sequence fields) are
++required. For TCP, the source and destination ports, and flags
++("SYN", "SYN/ACK", "ACK", "RST" or "FIN") are required. There are
++three optional arguments: "OPT=" followed by a comma-separated list of
++options, "SYN=" followed by a sequence number, and "ACK=" followed by
++a sequence number. Finally, the optional argument "DATA" indicates
++that the payload of the TCP packet is to be filled with the contents
++of standard input.
++
++<sect2>rcv_ip
++
++<p>You can see IP packets using `rcv_ip', which prints out the command
++line as close as possible to the original value fed to gen_ip
++(fragments are the exception).
++
++<p>This is extremely useful for analyzing packets. It takes two
++compulsory arguments:
++
++<descrip>
++<tag>wait time</tag> The maximum time in seconds to wait for a packet
++ from standard input.
++
++<tag>iterations</tag> The number of packets to receive.
++</descrip>
++
++There is one optional argument, "DATA", which causes the payload of a
++TCP packet to be printed on standard output after the packet header.
++
++<p>The standard way to use `rcv_ip' in a shell script is as follows:
++
++<verb>
++# Set up job control, so we can use & in shell scripts.
++set -m
++
++# Wait two seconds for one packet from tap0
++../tools/rcv_ip 2 1 < /dev/tap0 > $TMPFILE &
++
++# Make sure that rcv_ip has started running.
++sleep 1
++
++# Send a ping packet
++../tools/gen_ip $TAP1NET.2 $TAP0NET.2 100 1 8 0 55 57 > /dev/tap1 || exit 1
++
++# Wait for rcv_ip,
++if wait %../tools/rcv_ip; then :
++else
++ echo rcv_ip failed:
++ cat $TMPFILE
++ exit 1
++fi
++</verb>
++
++<sect2>gen_err
++
++<p>This program takes a packet (as generated by gen_ip, for example)
++on standard input, and turns it into an ICMP error.
++
++<p>It takes three arguments: a source IP address, a type and a code.
++The destination IP address will be set to the source IP address of the ++packet fed in standard input. ++ ++<sect2>local_ip ++ ++<p>This takes a packet from standard input and injects it into the ++system from a raw socket. This give the appearance of a ++locally-generated packet (as separate from feeding a packet in one of ++the ethertap devices, which looks like a remotely-generated packet). ++ ++<sect1>Random Advice ++ ++<p>All the tools assume they can do everything in one read or write: ++this is true for the ethertap devices, but might not be true if you're ++doing something tricky with pipes. ++ ++<p>dd can be used to cut packets: dd has an obs (output block size) ++option which can be used to make it output the packet in a single ++write. ++ ++<p>Test for success first: eg. testing that packets are successfully ++blocked. First test that packets pass through normally, <bf>then</bf> ++test that some packets are blocked. Otherwise an unrelated failure ++could be stopping the packets... ++ ++<p>Try to write exact tests, not `throw random stuff and see what ++happens' tests. If an exact test goes wrong, it's a useful thing to ++know. If a random test goes wrong once, it doesn't help much. ++ ++<p>If a test fails without a message, you can add `-x' to the top line ++of the script (ie. `#! /bin/sh -x') to see what commands it's running. ++ ++<p>If a test fails randomly, check for random network traffic ++interfering (try downing all your external interfaces). Sitting on ++the same network as Andrew Tridgell, I tend to get plagued by Windows ++broadcasts, for example. ++ ++<sect>Motivation ++ ++<p>As I was developing ipchains, I realized (in one of those ++blinding-flash-while-waiting-for-entree moments in a Chinese ++restaurant in Sydney) that packet filtering was being done in the ++wrong place. I can't find it now, but I remember sending mail to Alan ++Cox, who kind of said `why don't you finish what you're doing, first, ++even though you're probably right'. 
In the short term, pragmatism was ++to win over The Right Thing. ++ ++<p>After I finished ipchains, which was initially going to be a minor ++modification of the kernel part of ipfwadm, and turned into a larger ++rewrite, and wrote the HOWTO, I became aware of just how much ++confusion there is in the wider Linux community about issues like ++packet filtering, masquerading, port forwarding and the like. ++ ++<p>This is the joy of doing your own support: you get a closer feel ++for what the users are trying to do, and what they are struggling ++with. Free software is most rewarding when it's in the hands of the ++most users (that's the point, right?), and that means making it easy. ++The architecture, not the documentation, was the key flaw. ++ ++<p>So I had the experience, with the ipchains code, and a good idea of ++what people out there were doing. There were only two problems. ++ ++<p>Firstly, I didn't want to get back into security. Being a security ++consultant is a constant moral tug-of-war between your conscience and ++your wallet. At a fundamental level, you are selling the feeling of ++security, which is at odds with actual security. Maybe working in a ++military setting, where they understand security, it'd be different. ++ ++<p>The second problem is that newbie users aren't the only concern; an ++increasing number of large companies and ISPs are using this stuff. I ++needed reliable input from that class of users if it was to scale to ++tomorrow's home users. ++ ++<p>These problems were resolved, when I ran into David Bonn, of ++WatchGuard fame, at Usenix in July 1998. They were looking for a ++Linux kernel coder; in the end we agreed that I'd head across to their ++Seattle offices for a month and we'd see if we could hammer out an ++agreement whereby they'd sponsor my new code, and my current support ++efforts. The rate we agreed on was more than I asked, so I didn't ++take a pay cut. 
This means I don't have to even think about external ++conslutting for a while. ++ ++<p>Exposure to WatchGuard gave me exposure to the large clients I ++need, and being independent from them allowed me to support all users ++(eg. WatchGuard competitors) equally. ++ ++<p>So I could have simply written netfilter, ported ipchains over the ++top, and been done with it. Unfortunately, that would leave all the ++masquerading code in the kernel: making masquerading independent from ++filtering is the one of the major wins point of moving the packet ++filtering points, but to do that masquerading also needed to be moved ++over to the netfilter framework as well. ++ ++<p>Also, my experience with ipfwadm's `interface-address' feature (the ++one I removed in ipchains) had taught me that there was no hope of ++simply ripping out the masquerading code and expecting someone who ++needed it to do the work of porting it onto netfilter for me. ++ ++<p>So I needed to have at least as many features as the current code; ++preferably a few more, to encourage niche users to become early ++adopters. This means replacing transparent proxying (gladly!), ++masquerading and port forwarding. In other words, a complete NAT layer. ++ ++<p>Even if I had decided to port the existing masquerading layer, ++instead of writing a generic NAT system, the masquerading code was ++showing its age, and lack of maintenance. See, there was no ++masquerading maintainer, and it shows. It seems that serious users ++generally don't use masquerading, and there aren't many home users up ++to the task of doing maintenance. Brave people like Juan Ciarlante ++were doing fixes, but it had reached to the stage (being extended over ++and over) that a rewrite was needed. ++ ++<p>Please note that I wasn't the person to do a NAT rewrite: I didn't ++use masquerading any more, and I'd not studied the existing code at ++the time. That's probably why it took me longer than it should have. 
++But the result is fairly good, in my opinion, and I sure as hell ++learned a lot. No doubt the second version will be even better, once ++we see how people use it. ++ ++<sect>Thanks ++ ++<p>Thanks to those who helped, expecially Harald Welte for writing the ++Protocol Helpers section. ++</article> +Index: iptables-1.4.10/howtos/packet-filtering-HOWTO.sgml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ iptables-1.4.10/howtos/packet-filtering-HOWTO.sgml 2010-11-12 15:53:22.000000000 -0600 +@@ -0,0 +1,1339 @@ ++<!doctype linuxdoc system> ++ ++<!-- This is the Linux Packet Filtering HOWTO. ++ --> ++ ++<!-- $Id: packet-filtering-HOWTO.sgml,v 1.26 2002/01/24 13:42:53 laforge Exp $ --> ++ ++<article> ++ ++<!-- Title information --> ++ ++<title>Linux 2.4 Packet Filtering HOWTO ++<author>Rusty Russell, mailing list <tt>netfilter@lists.samba.org</tt> ++<date>$Revision: 1.26 $ $Date: 2002/01/24 13:42:53 $ ++<abstract> ++This document describes how to use iptables to filter out bad packets ++for the 2.4 Linux kernels. ++</abstract> ++ ++<!-- Table of contents --> ++<toc> ++ ++<!-- Begin the document --> ++ ++<sect>Introduction<label id="intro"> ++ ++<p> ++Welcome, gentle reader. ++ ++<p> ++It is assumed you know what an IP address, a network address, a ++netmask, routing and DNS are. If not, I recommend that you read the ++Network Concepts HOWTO. ++ ++<p> ++This HOWTO flips between a gentle introduction (which will leave you ++feeling warm and fuzzy now, but unprotected in the Real World) and raw ++full-disclosure (which would leave all but the hardiest souls ++confused, paranoid and seeking heavy weaponry). ++ ++<p> ++Your network is not <bf>secure</bf>. 
The problem of allowing rapid, ++convenient communication while restricting its use to good, and not ++evil intents is congruent to other intractable problems such as ++allowing free speech while disallowing a call of ``Fire!'' in a ++crowded theater. It will not be solved in the space of this HOWTO. ++ ++<p> ++So only you can decide where the compromise will be. I will try to ++instruct you in the use of some of the tools available and some ++vulnerabilities to be aware of, in the hope that you will use them for ++good, and not evil purposes. Another equivalent problem. ++ ++<p>(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL. ++ ++<sect>Where is the official Web Site? Is there a Mailing List? ++ ++<p>There are three official sites: ++<itemize> ++<item>Thanks to <url url="http://netfilter.filewatcher.org/" name="Filewatcher">. ++<item>Thanks to <url url="http://netfilter.samba.org/" name="The Samba Team and SGI">. ++<item>Thanks to <url url="http://netfilter.gnumonks.org/" name="Harald Welte">. ++</itemize> ++<p> You can reach all of them using round-robin DNS via ++<url url="http://www.netfilter.org/"> and <url url="http://www.iptables.org/"> ++ ++<p>For the official netfilter mailing list, see ++<url url="http://www.netfilter.org/contact.html#list" name="netfilter List">. ++ ++<sect>So What's A Packet Filter? ++ ++<p> ++A packet filter is a piece of software which looks at the ++<em>header</em> of packets as they pass through, and decides the fate ++of the entire packet. It might decide to <bf>DROP</bf> the packet ++(i.e., discard the packet as if it had never received it), ++<bf>ACCEPT</bf> the packet (i.e., let the packet go through), or ++something more complicated. ++ ++<p> ++Under Linux, packet filtering is built into the kernel (as a kernel ++module, or built right in), and there are a few trickier things we can ++do with packets, but the general principle of looking at the headers ++and deciding the fate of the packet is still there. 
++ ++<sect1>Why Would I Want to Packet Filter? ++ ++<p> ++Control. Security. Watchfulness. ++ ++<p> ++<descrip> ++<tag/Control:/ when you are using a Linux box to connect your internal ++network to another network (say, the Internet) you have an opportunity ++to allow certain types of traffic, and disallow others. For example, ++the header of a packet contains the destination address of the packet, ++so you can prevent packets going to a certain part of the outside ++network. As another example, I use Netscape to access the Dilbert ++archives. There are advertisements from doubleclick.net on the page, ++and Netscape wastes my time by cheerfully downloading them. ++Telling the packet filter not to allow any packets to or from the ++addresses owned by doubleclick.net solves that problem (there are ++better ways of doing this though: see Junkbuster). ++ ++<tag/Security:/ when your Linux box is the only thing between the ++chaos of the Internet and your nice, orderly network, it's nice to ++know you can restrict what comes tromping in your door. For example, ++you might allow anything to go out from your network, but you might be ++worried about the well-known `Ping of Death' coming in from malicious ++outsiders. As another example, you might not want outsiders ++telnetting to your Linux box, even though all your accounts have ++passwords. Maybe you want (like most people) to be an observer on the ++Internet, and not a server (willing or otherwise). Simply don't let ++anyone connect in, by having the packet filter reject incoming packets ++used to set up connections. ++ ++<tag/Watchfulness:/ sometimes a badly configured machine on the local ++network will decide to spew packets to the outside world. It's nice ++to tell the packet filter to let you know if anything abnormal occurs; ++maybe you can do something about it, or maybe you're just curious by ++nature. 
++</descrip> ++ ++<sect1>How Do I Packet Filter Under Linux?<label id="filter-linux"> ++ ++<p>Linux kernels have had packet filtering since the 1.1 series. The ++first generation, based on ipfw from BSD, was ported by Alan Cox in ++late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the ++userspace tool `ipfwadm' controlled the kernel filtering rules. In ++mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the ++help of Michael Neuling, and introduced the userspace tool `ipchains'. ++Finally, the fourth-generation tool, `iptables', and another kernel ++rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which ++this HOWTO concentrates on. ++ ++<p> ++You need a kernel which has the netfilter infrastructure in it: ++netfilter is a general framework inside the Linux kernel which other ++things (such as the iptables module) can plug into. This means you ++need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER in ++the kernel configuration. ++ ++<p> ++The tool <tt>iptables</tt> talks to the kernel and tells it what ++packets to filter. Unless you are a programmer, or overly curious, ++this is how you will control the packet filtering. ++ ++<sect2> iptables ++ ++<p> ++The <tt>iptables</tt> tool inserts and deletes rules from the kernel's ++packet filtering table. This means that whatever you set up, it will ++be lost upon reboot; see <ref id="permanent" name="Making Rules ++Permanent"> for how to make sure they are restored the next time Linux ++is booted. ++ ++<p> ++<tt>iptables</tt> is a replacement for <tt>ipfwadm</tt> and ++<tt>ipchains</tt>: see ++<ref id="oldstyle" name="Using ipchains and ipfwadm"> for how to painlessly ++avoid using iptables if you're using one of those tools. ++ ++<sect2> Making Rules Permanent<label id="permanent"> ++ ++<p>Your current firewall setup is stored in the kernel, and thus will ++be lost on reboot. 
You can try the iptables-save and iptables-restore ++scripts to save them to, and restore them from a file. ++ ++<p>The other way is to put the commands required to set up your rules ++in an initialization script. Make sure you do something intelligent ++if one of the commands should fail (usually `exec /sbin/sulogin'). ++ ++<sect>Who the hell are you, and why are you playing with my kernel? ++ ++<p> ++I'm Rusty Russell; the Linux IP Firewall maintainer and just another ++working coder who happened to be in the right place at the right time. ++I wrote ipchains (see <ref id="filter-linux" name="How Do I Packet ++Filter Under Linux?"> above for due credit to the people who did the ++actual work), and learnt enough to get packet filtering right this ++time. I hope. ++ ++<p> ++<url url="http://www.watchguard.com" name="WatchGuard">, an excellent ++firewall company who sell the really nice plug-in Firebox, offered to ++pay me to do nothing, so I could spend all my time writing this stuff, ++and maintaining my previous stuff. I predicted 6 months, and it took ++12, but I felt by the end that it had been done Right. Many rewrites, ++a hard-drive crash, a laptop being stolen, a couple of corrupted ++filesystems and one broken screen later, here it is. ++ ++<p> ++While I'm here, I want to clear up some people's misconceptions: I am ++no kernel guru. I know this, because my kernel work has brought me ++into contact with some of them: David S. Miller, Alexey Kuznetsov, ++Andi Kleen, Alan Cox. However, they're all busy doing the deep magic, ++leaving me to wade in the shallow end where it's safe. ++ ++<!-- This is probably no longer true; somewhere in writing all this ++kernel code and documentation I seem to have picked up a fair number ++of kernel tricks. But I'm still nowhere near as clever as I think I ++am. 
--> ++ ++<sect> Rusty's Really Quick Guide To Packet Filtering ++ ++<p> ++Most people just have a single PPP connection to the Internet, and ++don't want anyone coming back into their network, or the firewall: ++ ++<tscreen><verb> ++## Insert connection-tracking modules (not needed if built into kernel). ++# insmod ip_conntrack ++# insmod ip_conntrack_ftp ++ ++## Create chain which blocks new connections, except if coming from inside. ++# iptables -N block ++# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT ++# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT ++# iptables -A block -j DROP ++ ++## Jump to that chain from INPUT and FORWARD chains. ++# iptables -A INPUT -j block ++# iptables -A FORWARD -j block ++</verb></tscreen> ++ ++<sect> How Packets Traverse The Filters ++ ++<p> ++The kernel starts with three lists of rules in the `filter' table; ++these lists are called <bf>firewall chains</bf> or just ++<bf>chains</bf>. The three chains are called <bf>INPUT</bf>, ++<bf>OUTPUT</bf> and <bf>FORWARD</bf>. ++ ++<p> ++For ASCII-art fans, the chains are arranged like so: <bf>(Note: this ++is a very different arrangement from the 2.0 and 2.2 kernels!)</bf> ++ ++<verb> ++ _____ ++Incoming / \ Outgoing ++ -->[Routing ]--->|FORWARD|-------> ++ [Decision] \_____/ ^ ++ | | ++ v ____ ++ ___ / \ ++ / \ |OUTPUT| ++ |INPUT| \____/ ++ \___/ ^ ++ | | ++ ----> Local Process ---- ++</verb> ++ ++<p>The three circles represent the three chains mentioned above. When ++a packet reaches a circle in the diagram, that chain is examined to ++decide the fate of the packet. If the chain says to DROP the packet, ++it is killed there, but if the chain says to ACCEPT the packet, it ++continues traversing the diagram. ++ ++<p> ++A chain is a checklist of <bf>rules</bf>. Each rule says `if the packet ++header looks like this, then here's what to do with the packet'. If ++the rule doesn't match the packet, then the next rule in the chain is ++consulted. 
Finally, if there are no more rules to consult, then the ++kernel looks at the chain <bf>policy</bf> to decide what to do. In a ++security-conscious system, this policy usually tells the kernel to ++DROP the packet. ++ ++<p> ++<enum> ++<item>When a packet comes in (say, through the Ethernet card) the kernel ++first looks at the destination of the packet: this is called ++`routing'. ++ ++<item>If it's destined for this box, the packet passes downwards ++in the diagram, to the INPUT chain. If it passes this, any processes ++waiting for that packet will receive it. ++ ++<item>Otherwise, if the kernel does not have forwarding enabled, or it ++doesn't know how to forward the packet, the packet is dropped. If ++forwarding is enabled, and the packet is destined for another network ++interface (if you have another one), then the packet goes rightwards ++on our diagram to the FORWARD chain. If it is ACCEPTed, it will be ++sent out. ++ ++<item>Finally, a program running on the box can send network packets. ++These packets pass through the OUTPUT chain immediately: if it says ++ACCEPT, then the packet continues out to whatever interface it is ++destined for. ++</enum> ++ ++<sect>Using iptables ++ ++<p> ++iptables has a fairly detailed manual page (<tt>man iptables</tt>), ++and if you need more detail on particulars. Those of you familiar ++with ipchains may simply want to look at <ref id="Appendix-A" ++name="Differences Between iptables and ipchains">; they are very ++similar. ++ ++<p> ++There are several different things you can do with <tt>iptables</tt>. ++You start with three built-in chains <tt>INPUT</tt>, <tt>OUTPUT</tt> ++and <tt>FORWARD</tt> which you can't delete. Let's look at the ++operations to manage whole chains: ++ ++<enum> ++<item> Create a new chain (-N). ++<item> Delete an empty chain (-X). ++<item> Change the policy for a built-in chain. (-P). ++<item> List the rules in a chain (-L). ++<item> Flush the rules out of a chain (-F). 
++<item> Zero the packet and byte counters on all rules in a chain (-Z). ++</enum> ++ ++There are several ways to manipulate rules inside a chain: ++ ++<enum> ++<item> Append a new rule to a chain (-A). ++<item> Insert a new rule at some position in a chain (-I). ++<item> Replace a rule at some position in a chain (-R). ++<item> Delete a rule at some position in a chain, or the first that matches (-D). ++</enum> ++ ++<sect1> What You'll See When Your Computer Starts Up ++ ++<p> ++iptables may be a module, called (`iptable_filter.o'), which should be ++automatically loaded when you first run <tt>iptables</tt>. It can ++also be built into the kernel permenantly. ++ ++<p>Before any iptables commands have been run (be careful: some ++distributions will run iptables in their initialization scripts), ++there will be no rules in any of the built-in chains (`INPUT', ++`FORWARD' and `OUTPUT'), all the chains will have a policy of ACCEPT. ++You can alter the default policy of the FORWARD chain by providing the ++`forward=0' option to the iptable_filter module. ++ ++<sect1> Operations on a Single Rule ++ ++<p> ++This is the bread-and-butter of packet filtering; manipulating rules. ++Most commonly, you will probably use the append (-A) and delete (-D) ++commands. The others (-I for insert and -R for replace) are simple ++extensions of these concepts. ++ ++<p> ++Each rule specifies a set of conditions the packet must meet, and what ++to do if it meets them (a `target'). For example, you might want to ++drop all ICMP packets coming from the IP address 127.0.0.1. So in ++this case our conditions are that the protocol must be ICMP and that ++the source address must be 127.0.0.1. Our target is `DROP'. ++ ++<p> ++127.0.0.1 is the `loopback' interface, which you will have even if you ++have no real network connection. 
You can use the `ping' program to ++generate such packets (it simply sends an ICMP type 8 (echo request) ++which all cooperative hosts should obligingly respond to with an ICMP ++type 0 (echo reply) packet). This makes it useful for testing. ++ ++<tscreen><verb> ++# ping -c 1 127.0.0.1 ++PING 127.0.0.1 (127.0.0.1): 56 data bytes ++64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms ++ ++--- 127.0.0.1 ping statistics --- ++1 packets transmitted, 1 packets received, 0% packet loss ++round-trip min/avg/max = 0.2/0.2/0.2 ms ++# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP ++# ping -c 1 127.0.0.1 ++PING 127.0.0.1 (127.0.0.1): 56 data bytes ++ ++--- 127.0.0.1 ping statistics --- ++1 packets transmitted, 0 packets received, 100% packet loss ++# ++</verb></tscreen> ++ ++You can see here that the first ping succeeds (the `-c 1' tells ping ++to only send a single packet). ++ ++<p> ++Then we append (-A) to the `INPUT' chain, a rule specifying that for ++packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp') ++we should jump to DROP (`-j DROP'). ++ ++<p> ++Then we test our rule, using the second ping. There will be a pause ++before the program gives up waiting for a response that will never ++come. ++ ++<p> ++We can delete the rule in one of two ways. Firstly, since we know ++that it is the only rule in the input chain, we can use a numbered ++delete, as in: ++<tscreen><verb> ++ # iptables -D INPUT 1 ++ # ++</verb></tscreen> ++To delete rule number 1 in the INPUT chain. ++ ++<p> ++The second way is to mirror the -A command, but replacing the -A with ++-D. This is useful when you have a complex chain of rules and you ++don't want to have to count them to figure out that it's rule 37 that ++you want to get rid of. In this case, we would use: ++<tscreen><verb> ++ # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP ++ # ++</verb></tscreen> ++The syntax of -D must have exactly the same options as the -A (or -I ++or -R) command. 
If there are multiple identical rules in the same ++chain, only the first will be deleted. ++ ++<sect1>Filtering Specifications ++ ++<p> ++We have seen the use of `-p' to specify protocol, and `-s' to specify ++source address, but there are other options we can use to specify ++packet characteristics. What follows is an exhaustive compendium. ++ ++<sect2>Specifying Source and Destination IP Addresses ++ ++<p> ++Source (`-s', `--source' or `--src') and destination (`-d', ++`--destination' or `--dst') IP addresses can be specified in four ++ways. The most common way is to use the full name, such as ++`localhost' or `www.linuxhq.com'. The second way is to specify the IP ++address such as `127.0.0.1'. ++ ++<p> ++The third and fourth ways allow specification of a group of IP ++addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. ++These both specify any IP address from 199.95.207.0 to 199.95.207.255 ++inclusive; the digits after the `/' tell which parts of the IP address ++are significant. `/32' or `/255.255.255.255' is the default (match ++all of the IP address). To specify any IP address at all `/0' can be ++used, like so: ++<tscreen><verb> ++ [ NOTE: `-s 0/0' is redundant here. ] ++ # iptables -A INPUT -s 0/0 -j DROP ++ # ++</verb></tscreen> ++ ++This is rarely used, as the effect above is the same as not specifying ++the `-s' option at all. ++ ++<sect2>Specifying Inversion ++ ++<p> ++Many flags, including the `-s' (or `--source') and `-d' ++(`--destination') flags can have their arguments preceded by `!' ++(pronounced `not') to match addresses NOT equal to the ones given. ++For example. `-s ! localhost' matches any packet <bf>not</bf> coming ++from localhost. ++ ++<sect2>Specifying Protocol ++ ++<p> ++The protocol can be specified with the `-p' (or `--protocol') flag. ++Protocol can be a number (if you know the numeric protocol values for ++IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. 
Case ++doesn't matter, so `tcp' works as well as `TCP'. ++ ++<p> ++The protocol name can be prefixed by a `!', to invert it, such as `-p ++! TCP' to specify packets which are <bf>not</bf> TCP. ++ ++<sect2>Specifying an Interface ++ ++<p> ++The `-i' (or `--in-interface') and `-o' (or `--out-interface') options ++specify the name of an <bf>interface</bf> to match. An interface is ++the physical device the packet came in on (`-i') or is going out on ++(`-o'). You can use the <tt>ifconfig</tt> command to list the ++interfaces which are `up' (i.e., working at the moment). ++ ++<p> ++Packets traversing the <tt>INPUT</tt> chain don't have an output ++interface, so any rule using `-o' in this chain will never match. ++Similarly, packets traversing the <tt>OUTPUT</tt> chain don't have an ++input interface, so any rule using `-i' in this chain will never match. ++ ++<p>Only packets traversing the <tt>FORWARD</tt> chain have both an ++input and output interface. ++ ++<p> ++It is perfectly legal to specify an interface that currently does not ++exist; the rule will not match anything until the interface comes up. ++This is extremely useful for dial-up PPP links (usually interface ++<tt>ppp0</tt>) and the like. ++ ++<p> ++As a special case, an interface name ending with a `+' will match all ++interfaces (whether they currently exist or not) which begin with that ++string. For example, to specify a rule which matches all PPP ++interfaces, the <tt>-i ppp+</tt> option would be used. ++ ++<p> ++The interface name can be preceded by a `!' with spaces around it, to ++match a packet which does <bf>not</bf> match the specified ++interface(s), eg <tt>-i ! ppp+</tt>. ++ ++<sect2>Specifying Fragments ++ ++<p> ++Sometimes a packet is too large to fit down a wire all at once. When ++this happens, the packet is divided into <bf>fragments</bf>, and sent ++as multiple packets. The other end reassembles these fragments to ++reconstruct the whole packet. 
++ ++<p> ++The problem with fragments is that the initial fragment has the ++complete header fields (IP + TCP, UDP and ICMP) to examine, but ++subsequent packets only have a subset of the headers (IP without the ++additional protocol fields). Thus looking inside subsequent fragments ++for protocol headers (such as is done by the TCP, UDP and ICMP ++extensions) is not possible. ++ ++<p> ++If you are doing connection tracking or NAT, then all fragments will ++get merged back together before they reach the packet filtering code, ++so you need never worry about fragments. ++ ++<p> ++Please also note that in the INPUT chain of the filter table (or any other ++table hooking into the NF_IP_LOCAL_IN hook) is traversed after ++defragmentation of the core IP stack. ++ ++<p> ++Otherwise, it is important to understand how fragments get treated by ++the filtering rules. Any filtering rule that asks for information we ++don't have will <em>not</em> match. This means that the first fragment is ++treated like any other packet. Second and further fragments won't be. ++Thus a rule <tt>-p TCP --sport www</tt> (specifying a source port of ++`www') will never match a fragment (other than the first fragment). ++Neither will the opposite rule <tt>-p TCP --sport ! www</tt>. ++ ++<p> ++However, you can specify a rule specifically for second and further ++fragments, using the `-f' (or `--fragment') flag. It is also legal to ++specify that a rule does <em>not</em> apply to second and further ++fragments, by preceding the `-f' with ` ! '. ++ ++<p> ++Usually it is regarded as safe to let second and further fragments ++through, since filtering will effect the first fragment, and thus ++prevent reassembly on the target host; however, bugs have been known ++to allow crashing of machines simply by sending fragments. Your call. 
++ ++<p> ++Note for network-heads: malformed packets (TCP, UDP and ICMP packets ++too short for the firewalling code to read the ports or ICMP code and ++type) are dropped when such examinations are attempted. So are TCP ++fragments starting at position 8. ++ ++<p> ++As an example, the following rule will drop any fragments going to ++192.168.1.1: ++ ++<tscreen><verb> ++# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP ++# ++</verb></tscreen> ++ ++<sect2>Extensions to iptables: New Matches ++ ++<p><tt>iptables</tt> is <bf>extensible</bf>, meaning that both the ++kernel and the iptables tool can be extended to provide new features. ++ ++<p>Some of these extensions are standard, and other are more exotic. ++Extensions can be made by other people and distributed separately for ++niche users. ++ ++<p>Kernel extensions normally live in the kernel module subdirectory, ++such as /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter. They are demand loaded if your ++kernel was compiled with CONFIG_KMOD set, so you should not need to ++manually insert them. ++ ++<p>Extensions to the iptables program are shared libraries which ++usually live in /usr/local/lib/, although a distribution ++would put them in /lib/iptables or /usr/lib/iptables. ++ ++<p>Extensions come in two types: new targets, and new matches (we'll ++talk about new targets a little later). Some protocols automatically ++offer new tests: currently these are TCP, UDP and ICMP as shown below. ++ ++<p>For these you will be able to specify the new tests on the command ++line after the `-p' option, which will load the extension. For ++explicit new tests, use the `-m' option to load the extension, after ++which the extended options will be available. 
++ ++<p>To get help on an extension, use the option to load it (`-p', `-j' or ++`-m') followed by `-h' or `--help', eg: ++<tscreen><verb> ++# iptables -p tcp --help ++# ++</verb></tscreen> ++ ++<sect3>TCP Extensions ++ ++<p> ++The TCP extensions are automatically loaded if `-p tcp' is specified. ++It provides the following options (none of which match fragments). ++ ++<p> ++<descrip> ++<tag>--tcp-flags</tag> Followed by an optional `!', then two strings ++of flags, allows you to filter on specific TCP flags. The first ++string of flags is the mask: a list of flags you want to examine. The ++second string of flags tells which one(s) should be set. For example, ++ ++<tscreen><verb> ++# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP ++</verb></tscreen> ++ ++This indicates that all flags should be examined (`ALL' is synonymous ++with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set. ++There is also an argument `NONE' meaning no flags. ++ ++<tag>--syn</tag> Optionally preceded by a `!', this is shorthand ++ for `--tcp-flags SYN,RST,ACK SYN'. ++ ++<tag>--source-port</tag> followed by an optional `!', then either a ++single TCP port, or a range of ports. Ports can be port names, as ++listed in /etc/services, or numeric. Ranges are either two port names ++separated by a `:', or (to specify greater than or equal to a given ++port) a port with a `:' appended, or (to specify less than or equal to ++a given port), a port preceded by a `:'. ++ ++<tag>--sport</tag> is synonymous with `--source-port'. ++ ++<tag>--destination-port</tag> and <tag>--dport</tag> are the same as ++above, only they specify the destination, rather than source, port to ++match. ++ ++<tag>--tcp-option</tag> followed by an optional `!' and a number, ++matches a packet with a TCP option equaling that number. A packet ++which does not have a complete TCP header is dropped automatically if ++an attempt is made to examine its TCP options. 
++</descrip> ++ ++<sect4>An Explanation of TCP Flags ++ ++<p> ++It is sometimes useful to allow TCP connections in one direction, but ++not the other. For example, you might want to allow connections to an ++external WWW server, but not connections from that server. ++ ++<p> ++The naive approach would be to block TCP packets coming from the ++server. Unfortunately, TCP connections require packets going in both ++directions to work at all. ++ ++<p> ++The solution is to block only the packets used to request a ++connection. These packets are called <bf>SYN</bf> packets (ok, ++technically they're packets with the SYN flag set, and the RST and ACK ++flags cleared, but we call them SYN packets for short). By ++disallowing only these packets, we can stop attempted connections in ++their tracks. ++ ++<p> ++The `--syn' flag is used for this: it is only valid for rules which ++specify TCP as their protocol. For example, to specify TCP connection ++attempts from 192.168.1.1: ++<tscreen><verb> ++-p TCP -s 192.168.1.1 --syn ++</verb></tscreen> ++ ++<p> ++This flag can be inverted by preceding it with a `!', which means ++every packet other than the connection initiation. ++ ++<sect3>UDP Extensions ++ ++<p> ++These extensions are automatically loaded if `-p udp' is specified. ++It provides the options `--source-port', `--sport', ++`--destination-port' and `--dport' as detailed for TCP above. ++ ++<sect3>ICMP Extensions ++ ++<p> ++This extension is automatically loaded if `-p icmp' is specified. It ++provides only one new option: ++ ++<p> ++<descrip> ++<tag>--icmp-type</tag> followed by an optional `!', then either an ++icmp type name (eg `host-unreachable'), or a numeric type (eg. `3'), ++or a numeric type and code separated by a `/' (eg. `3/3'). A list ++of available icmp type names is given using `-p icmp --help'. 
++</descrip> ++ ++<sect3>Other Match Extensions ++ ++<p> ++The other extensions in the netfilter package are demonstration ++extensions, which (if installed) can be invoked with the `-m' option. ++ ++<descrip> ++<tag>mac</tag> This module must be explicitly specified with `-m mac' ++or `--match mac'. It is used for matching incoming packet's source ++Ethernet (MAC) address, and thus only useful for packets traversing ++the PREROUTING and INPUT chains. It provides only one option: ++ ++ <descrip> ++ <tag>--mac-source</tag> followed by an optional `!', then an ++ ethernet address in colon-separated hexbyte notation, eg ++ `--mac-source 00:60:08:91:CC:B7'. ++ </descrip> ++ ++<tag>limit</tag> This module must be explicitly specified with `-m ++limit' or `--match limit'. It is used to restrict the rate of ++matches, such as for suppressing log messages. It will only match a ++given number of times per second (by default 3 matches per hour, ++with a burst of 5). It takes two optional arguments: ++ ++ <descrip> ++ <tag>--limit</tag> followed by a number; specifies the maximum ++ average number of matches to allow per second. The number can ++ specify units explicitly, using `/second', `/minute', `/hour' or ++ `/day', or parts of them (so `5/second' is the same as `5/s'). ++ ++ <tag>--limit-burst</tag> followed by a number, indicating the ++ maximum burst before the above limit kicks in. ++ </descrip> ++ ++This match can often be used with the LOG target to do rate-limited ++logging. To understand how it works, let's look at the following ++rule, which logs packets with the default limit parameters: ++ ++<tscreen><verb> ++# iptables -A FORWARD -m limit -j LOG ++</verb></tscreen> ++ ++The first time this rule is reached, the packet will be logged; in ++fact, since the default burst is 5, the first five packets will be ++logged. After this, it will be twenty minutes before a packet will be ++logged from this rule, regardless of how many packets reach it. 
Also, ++every twenty minutes which passes without matching a packet, one of ++the burst will be regained; if no packets hit the rule for 100 ++minutes, the burst will be fully recharged; back where we started. ++ ++<p>Note: you cannot currently create a rule with a recharge time ++greater than about 59 hours, so if you set an average rate of one per ++day, then your burst rate must be less than 3. ++ ++<p>You can also use this module to avoid various denial of service ++attacks (DoS) with a faster rate to increase responsiveness. ++ ++<p>Syn-flood protection: ++<tscreen><verb> ++# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT ++</verb></tscreen> ++ ++Furtive port scanner: ++<tscreen><verb> ++# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT ++</verb></tscreen> ++ ++Ping of death: ++<tscreen><verb> ++# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT ++</verb></tscreen> ++ ++This module works like a "hysteresis door", as shown in the graph ++below. ++ ++<tscreen><verb> ++ rate (pkt/s) ++ ^ .---. ++ | / DoS \ ++ | / \ ++Edge of DoS -|.....:.........\....................... ++ = (limit * | /: \ ++limit-burst) | / : \ .-. ++ | / : \ / \ ++ | / : \ / \ ++End of DoS -|/....:..............:.../.......\..../. ++ = limit | : :`-' `--' ++-------------+-----+--------------+------------------> time (s) ++ LOGIC => Match | Didn't Match | Match ++</verb></tscreen> ++ ++Say we say match one packet per second with a five packet ++burst, but packets start coming in at four per second, for three ++seconds, then start again in another three seconds. 
++<tscreen><verb> ++ ++ ++ <--Flood 1--> <---Flood 2---> ++ ++Total ^ Line __-- YNNN ++Packets| Rate __-- YNNN ++ | mum __-- YNNN ++ 10 | Maxi __-- Y ++ | __-- Y ++ | __-- Y ++ | __-- YNNN ++ |- YNNN ++ 5 | Y ++ | Y Key: Y -> Matched Rule ++ | Y N -> Didn't Match Rule ++ | Y ++ |Y ++ 0 +--------------------------------------------------> Time (seconds) ++ 0 1 2 3 4 5 6 7 8 9 10 11 12 ++</verb></tscreen> ++ ++You can see that the first five packets are allowed to exceed the one ++packet per second, then the limiting kicks in. If there is a pause, ++another burst is allowed but not past the maximum rate set by the ++rule (1 packet per second after the burst is used). ++ ++<tag>owner</tag> ++This module attempts to match various characteristics of the packet ++creator, for locally-generated packets. It is only valid in the ++OUTPUT chain, and even then some packets (such as ICMP ping responses) ++may have no owner, and hence never match. ++ ++<descrip> ++ <tag>--uid-owner userid</tag> ++Matches if the packet was created by a process with the given ++effective (numerical) user id. ++ <tag>--gid-owner groupid</tag> ++Matches if the packet was created by a process with the given ++effective (numerical) group id. ++ <tag>--pid-owner processid</tag> ++Matches if the packet was created by a process with the given ++process id. ++ <tag>--sid-owner sessionid</tag> ++Matches if the packet was created by a process in the given session ++group. ++</descrip> ++ ++<tag>unclean</tag> This experimental module must be explicitly ++specified with `-m unclean or `--match unclean'. It does various ++random sanity checks on packets. This module has not been audited, ++and should not be used as a security device (it probably makes things ++worse, since it may well have bugs itself). It provides no options. 
++</descrip> ++ ++<sect3>The State Match ++ ++<p>The most useful match criterion is supplied by the `state' ++extension, which interprets the connection-tracking analysis of the ++`ip_conntrack' module. This is highly recommended. ++ ++<p>Specifying `-m state' allows an additional `--state' option, which ++is a comma-separated list of states to match (the `!' flag indicates ++<bf>not</bf> to match those states). These states are: ++ ++<descrip> ++<tag>NEW</tag> A packet which creates a new connection. ++ ++<tag>ESTABLISHED</tag> A packet which belongs to an existing ++connection (i.e., a reply packet, or outgoing packet on a connection ++which has seen replies). ++ ++<tag>RELATED</tag> A packet which is related to, but not part of, an ++existing connection, such as an ICMP error, or (with the FTP module ++inserted), a packet establishing an ftp data connection. ++ ++<tag>INVALID</tag> A packet which could not be identified for some ++reason: this includes running out of memory and ICMP errors which ++don't correspond to any known connection. Generally these packets ++should be dropped. ++</descrip> ++ ++An example of this powerful match extension would be: ++<tscreen><verb> ++# iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP ++</verb></tscreen> ++ ++<sect1>Target Specifications ++ ++<p>Now we know what examinations we can do on a packet, we need a way ++of saying what to do to the packets which match our tests. This is ++called a rule's <bf>target</bf>. ++ ++<p>There are two very simple built-in targets: DROP and ACCEPT. We've ++already met them. If a rule matches a packet and its target is one of ++these two, no further rules are consulted: the packet's fate has been ++decided. ++ ++<p>There are two types of targets other than the built-in ones: ++extensions and user-defined chains. 
++ ++<sect2>User-defined chains ++ ++<p> ++One powerful feature which <tt>iptables</tt> inherits from ++<tt>ipchains</tt> is the ability for the user to create new chains, in ++addition to the three built-in ones (INPUT, FORWARD and OUTPUT). By ++convention, user-defined chains are lower-case to distinguish them ++(we'll describe how to create new user-defined chains below in <ref ++id="chain-ops" name="Operations on an Entire Chain">). ++ ++<p> ++When a packet matches a rule whose target is a user-defined chain, the ++packet begins traversing the rules in that user-defined chain. If ++that chain doesn't decide the fate of the packet, then once traversal ++on that chain has finished, traversal resumes on the next rule in the ++current chain. ++ ++<p> ++Time for more ASCII art. Consider two (silly) chains: <tt>INPUT</tt> (the ++built-in chain) and <tt>test</tt> (a user-defined chain). ++ ++<tscreen><verb> ++ `INPUT' `test' ++ ---------------------------- ---------------------------- ++ | Rule1: -p ICMP -j DROP | | Rule1: -s 192.168.1.1 | ++ |--------------------------| |--------------------------| ++ | Rule2: -p TCP -j test | | Rule2: -d 192.168.1.1 | ++ |--------------------------| ---------------------------- ++ | Rule3: -p UDP -j DROP | ++ ---------------------------- ++</verb></tscreen> ++ ++<p> ++Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It ++enters the <tt>INPUT</tt> chain, and gets tested against Rule1 - no match. ++Rule2 matches, and its target is <tt>test</tt>, so the next rule examined ++is the start of <tt>test</tt>. Rule1 in <tt>test</tt> matches, but doesn't ++specify a target, so the next rule is examined, Rule2. This doesn't ++match, so we have reached the end of the chain. We return to the ++<tt>INPUT</tt> chain, where we had just examined Rule2, so we now examine ++Rule3, which doesn't match either. 
++ ++<p> ++So the packet path is: ++<tscreen><verb> ++ v __________________________ ++ `INPUT' | / `test' v ++ ------------------------|--/ -----------------------|---- ++ | Rule1 | /| | Rule1 | | ++ |-----------------------|/-| |----------------------|---| ++ | Rule2 / | | Rule2 | | ++ |--------------------------| -----------------------v---- ++ | Rule3 /--+___________________________/ ++ ------------------------|--- ++ v ++</verb></tscreen> ++ ++<p>User-defined chains can jump to other user-defined chains (but ++don't make loops: your packets will be dropped if they're found to ++be in a loop). ++ ++<sect2>Extensions to iptables: New Targets ++ ++<p>The other type of extension is a target. A target extension ++consists of a kernel module, and an optional extension to ++<tt>iptables</tt> to provide new command line options. There are ++several extensions in the default netfilter distribution: ++ ++<descrip> ++<tag>LOG</tag> This module provides kernel logging of matching ++packets. It provides these additional options: ++ <descrip> ++ <tag>--log-level</tag> Followed by a level number or name. Valid ++ names are (case-insensitive) `debug', `info', `notice', `warning', ++ `err', `crit', `alert' and `emerg', corresponding to numbers 7 ++ through 0. See the man page for syslog.conf for an explanation of ++ these levels. The default is `warning'. ++ ++ <tag>--log-prefix</tag> Followed by a string of up to 29 characters, ++ this message is sent at the start of the log message, to allow it to ++ be uniquely identified. ++ </descrip> ++ ++ This module is most useful after a limit match, so you don't flood ++ your logs. ++ ++<tag>REJECT</tag> This module has the same effect as `DROP', except ++that the sender is sent an ICMP `port unreachable' error message. ++Note that the ICMP error message is not sent if (see RFC 1122): ++ ++<itemize> ++<item> The packet being filtered was an ICMP error message in the ++first place, or some unknown ICMP type. 
++ ++<item> The packet being filtered was a non-head fragment. ++ ++<item> We've sent too many ICMP error messages to that destination ++recently (see /proc/sys/net/ipv4/icmp_ratelimit). ++</itemize> ++ ++REJECT also takes a `--reject-with' optional argument which alters the ++reply packet used: see the manual page. ++</descrip> ++ ++<sect2>Special Built-In Targets ++ ++<p>There are two special built-in targets: <tt>RETURN</tt> and ++<tt>QUEUE</tt>. ++ ++<p><tt>RETURN</tt> has the same effect of falling off the end of a ++chain: for a rule in a built-in chain, the policy of the chain is ++executed. For a rule in a user-defined chain, the traversal continues ++at the previous chain, just after the rule which jumped to this chain. ++ ++<p><tt>QUEUE</tt> is a special target, which queues the packet for ++userspace processing. For this to be useful, two further components are ++required: ++ ++<itemize> ++<item>a "queue handler", which deals with the actual mechanics of ++passing packets between the kernel and userspace; and ++<item>a userspace application to receive, possibly manipulate, and ++issue verdicts on packets. ++</itemize> ++The standard queue handler for IPv4 iptables is the ip_queue module, ++which is distributed with the kernel and marked as experimental. ++<p> ++The following is a quick example of how to use iptables to queue packets ++for userspace processing: ++<tscreen><verb> ++# modprobe iptable_filter ++# modprobe ip_queue ++# iptables -A OUTPUT -p icmp -j QUEUE ++</verb></tscreen> ++With this rule, locally generated outgoing ICMP packets (as created with, ++say, ping) are passed to the ip_queue module, which then attempts to deliver ++the packets to a userspace application. If no userspace application is ++waiting, the packets are dropped. ++ ++<p>To write a userspace application, use the libipq API. This is ++distributed with iptables. Example code may be found in the testsuite ++tools (e.g. redirect.c) in CVS. 
++ ++<p>The status of ip_queue may be checked via: ++<tscreen><verb> ++/proc/net/ip_queue ++</verb></tscreen> ++The maximum length of the queue (i.e. the number packets delivered ++to userspace with no verdict issued back) may be controlled via: ++<tscreen><verb> ++/proc/sys/net/ipv4/ip_queue_maxlen ++</verb></tscreen> ++The default value for the maximum queue length is 1024. Once this limit ++is reached, new packets will be dropped until the length of the queue falls ++below the limit again. Nice protocols such as TCP interpret dropped packets ++as congestion, and will hopefully back off when the queue fills up. However, ++it may take some experimenting to determine an ideal maximum queue length ++for a given situation if the default value is too small. ++ ++<sect1>Operations on an Entire Chain<label id="chain-ops"> ++ ++<p> ++A very useful feature of <tt>iptables</tt> is the ability to group ++related rules into chains. You can call the chains whatever you want, ++but I recommend using lower-case letters to avoid confusion with the ++built-in chains and targets. Chain names can be up to 31 letters ++long. ++ ++<sect2>Creating a New Chain ++ ++<p> ++Let's create a new chain. Because I am such an imaginative fellow, ++I'll call it <tt>test</tt>. We use the `-N' or `--new-chain' options: ++ ++<tscreen><verb> ++# iptables -N test ++# ++</verb></tscreen> ++ ++<p> ++It's that simple. Now you can put rules in it as detailed above. ++ ++<sect2>Deleting a Chain ++ ++<p> ++Deleting a chain is simple as well, using the `-X' or `--delete-chain' ++options. Why `-X'? Well, all the good letters were taken. ++ ++<tscreen><verb> ++# iptables -X test ++# ++</verb></tscreen> ++ ++<p> ++There are a couple of restrictions to deleting chains: they must be ++empty (see <ref id="flushing" name="Flushing a Chain"> below) and they ++must not be the target of any rule. You can't delete any of the three ++built-in chains. 
++ ++<p> ++If you don't specify a chain, then <em>all</em> user-defined chains ++will be deleted, if possible. ++ ++<sect2> Flushing a Chain<label id="flushing"> ++ ++<p> ++There is a simple way of emptying all rules out of a chain, using the ++`-F' (or `--flush') commands. ++ ++<tscreen><verb> ++# iptables -F FORWARD ++# ++</verb></tscreen> ++ ++<p> ++If you don't specify a chain, then <em>all</em> chains will be flushed. ++ ++<sect2>Listing a Chain ++ ++<p> ++You can list all the rules in a chain by using the `-L' (or `--list') ++command. ++ ++<p> ++The `refcnt' listed for each user-defined chain is the number of rules ++which have that chain as their target. This must be zero (and the ++chain be empty) before this chain can be deleted. ++ ++<p> ++If the chain name is omitted, all chains are listed, even empty ones. ++ ++<p> ++There are three options which can accompany `-L'. The `-n' (numeric) ++option is very useful as it prevents <tt>iptables</tt> from trying to ++lookup the IP addresses, which (if you are using DNS like most people) ++will cause large delays if your DNS is not set up properly, or you ++have filtered out DNS requests. It also causes TCP and UDP ports to ++be printed out as numbers rather than names. ++ ++<p> ++The `-v' options shows you all the details of the rules, such as the ++the packet and byte counters, the TOS comparisons, and the interfaces. ++Otherwise these values are omitted. ++ ++<p> ++Note that the packet and byte counters are printed out using the ++suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000 ++respectively. Using the `-x' (expand numbers) flag as well prints the ++full numbers, no matter how large they are. ++ ++<sect2>Resetting (Zeroing) Counters ++ ++<p> ++It is useful to be able to reset the counters. This can be done with ++the `-Z' (or `--zero') option. 
++ ++<p> ++Consider the following: ++ ++<tscreen><verb> ++# iptables -L FORWARD ++# iptables -Z FORWARD ++# ++</verb></tscreen> ++ ++In the above example, some packets could pass through between the `-L' ++and `-Z' commands. For this reason, you can use the `-L' and `-Z' ++<em>together</em>, to reset the counters while reading them. ++ ++<sect2>Setting Policy<label id="policy"> ++ ++<p> ++We glossed over what happens when a packet hits the end of a built-in ++chain when we discussed how a packet walks through chains earlier. In ++this case, the <bf>policy</bf> of the chain determines the fate of the ++packet. Only built-in chains (<tt>INPUT</tt>, <tt>OUTPUT</tt> and ++<tt>FORWARD</tt>) have policies, because if a packet falls off the end ++of a user-defined chain, traversal resumes at the previous chain. ++ ++<p> ++The policy can be either <tt>ACCEPT</tt> or <tt>DROP</tt>, for ++example: ++ ++<tscreen><verb> ++# iptables -P FORWARD DROP ++# ++</verb></tscreen> ++ ++<sect> Using ipchains and ipfwadm<label id="oldstyle"> ++ ++<p> There are modules in the netfilter distribution called ipchains.o ++and ipfwadm.o. Insert one of these in your kernel (NOTE: they are ++incompatible with ip_tables.o!). Then you can use ipchains or ipfwadm ++just like the good old days. ++ ++<p> This will be supported for some time yet. I think a reasonable ++formula is 2 * [notice of replacement - initial stable release], ++beyond the date that a stable release of the replacement is available. ++This means that support will probably be dropped in Linux 2.6 or 2.8. ++ ++<sect> Mixing NAT and Packet Filtering ++ ++<p> ++It's common to want to do Network Address Translation (see the NAT ++HOWTO) and packet filtering. The good news is that they mix extremely ++well. ++ ++<p>You design your packet filtering completely ignoring any NAT you ++are doing. The sources and destinations seen by the packet filter ++will be the `real' sources and destinations. 
For example, if you are ++doing DNAT to send any connections to 1.2.3.4 port 80 through to ++10.1.1.1 port 8080, the packet filter would see packets going to ++10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80. ++Similarly, you can ignore masquerading: packets will seem to come from ++their real internal IP addresses (say 10.1.1.1), and replies will seem ++to go back there. ++ ++<p>You can use the `state' match extension without making the packet ++filter do any extra work, since NAT requires connection tracking ++anyway. To enhance the simple masquerading example in the NAT HOWTO ++to disallow any new connections from coming in the ppp0 interface, you ++would do this: ++ ++<tscreen><verb> ++# Masquerade out ppp0 ++iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE ++ ++# Disallow NEW and INVALID incoming or forwarded packets from ppp0. ++iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP ++iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP ++ ++# Turn on IP forwarding ++echo 1 > /proc/sys/net/ipv4/ip_forward ++</verb></tscreen> ++ ++<sect> Differences Between iptables and ipchains<label id="Appendix-A"> ++ ++<p> ++<itemize> ++<item> Firstly, the names of the built-in chains have changed from ++lower case to UPPER case, because the INPUT and OUTPUT chains now only ++get locally-destined and locally-generated packets. They used to see ++all incoming and all outgoing packets respectively. ++ ++<item> The `-i' flag now means the incoming interface, and only works ++in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT ++chains that used `-i' should be changed to `-o'. ++ ++<item> TCP and UDP ports now need to be spelled out with the ++--source-port or --sport (or --destination-port/--dport) options, and ++must be placed after the `-p tcp' or `-p udp' options, as this loads ++the TCP or UDP extensions respectively. ++ ++<item> The TCP -y flag is now --syn, and must be after `-p tcp'. 
++ ++<item> The DENY target is now DROP, finally. ++ ++<item> Zeroing single chains while listing them works. ++ ++<item> Zeroing built-in chains also clears policy counters. ++ ++<item> Listing chains gives you the counters as an atomic snapshot. ++ ++<item> REJECT and LOG are now extended targets, meaning they are ++separate kernel modules. ++ ++<item> Chain names can be up to 31 characters. ++ ++<item> MASQ is now MASQUERADE and uses a different syntax. REDIRECT, ++while keeping the same name, has also undergone a syntax change. See ++the NAT-HOWTO for more information on how to configure both of these. ++ ++<item> The -o option is no longer used to direct packets to the userspace ++device (see -i above). Packets are now sent to userspace via the QUEUE ++target. ++ ++<item> Probably heaps of other things I forgot. ++</itemize> ++ ++<sect> Advice on Packet Filter Design ++ ++<p> ++Common wisdom in the computer security arena is to block everything, ++then open up holes as neccessary. This is usually phrased `that which ++is not explicitly allowed is prohibited'. I recommend this approach ++if security is your maximal concern. ++ ++<p>Do not run any services you do not need to, even if you think you ++have blocked access to them. ++ ++<p>If you are creating a dedicated firewall, start by running nothing, ++and blocking all packets, then add services and let packets through as ++required. ++ ++<p>I recommend security in depth: combine tcp-wrappers (for ++connections to the packet filter itself), proxies (for connections ++passing through the packet filter), route verification and packet ++filtering. Route verification is where a packet which comes from an ++unexpected interface is dropped: for example, if your internal network ++has addresses 10.1.1.0/24, and a packet with that source address comes ++in your external interface, it will be dropped. 
This can be enabled ++for one interface (ppp0) like so: ++ ++<tscreen><verb> ++# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter ++# ++</verb></tscreen> ++ ++Or for all existing and future interfaces like this: ++ ++<tscreen><verb> ++# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do ++# echo 1 > $f ++# done ++# ++</verb></tscreen> ++ ++Debian does this by default where possible. If you have asymmetric ++routing (ie. you expect packets coming in from strange directions), ++you will want to disable this filtering on those interfaces. ++ ++<p>Logging is useful when setting up a firewall if something isn't ++working, but on a production firewall, always combine it with the ++`limit' match, to prevent someone from flooding your logs. ++ ++<p>I highly recommend connection tracking for secure systems: it ++introduces some overhead, as all connections are tracked, but is very ++useful for controlling access to your networks. You may need to load ++the `ip_conntrack.o' module if your kernel does not load modules ++automatically, and it's not built into the kernel. If you want to ++accurately track complex protocols, you'll need to load the ++appropriate helper module (eg. `ip_conntrack_ftp.o'). ++ ++<tscreen><verb> ++# iptables -N no-conns-from-ppp0 ++# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT ++# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT ++# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:" ++# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:" ++# iptables -A no-conns-from-ppp0 -j DROP ++ ++# iptables -A INPUT -j no-conns-from-ppp0 ++# iptables -A FORWARD -j no-conns-from-ppp0 ++</verb></tscreen> ++ ++<p>Building a good firewall is beyond the scope of this HOWTO, but my ++advice is `always be minimalist'. See the Security HOWTO for more ++information on testing and probing your box. 
++</article>
++
diff -Nru iptables-1.4.4/debian/patches/9001-build-libipq_pic.la.patch iptables-1.4.10/debian/patches/9001-build-libipq_pic.la.patch
--- iptables-1.4.4/debian/patches/9001-build-libipq_pic.la.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/9001-build-libipq_pic.la.patch 2010-11-12 22:11:49.000000000 +0000
@@ -0,0 +1,22 @@
+Author: Soren Hansen <soren@ubuntu.com>
+Description: Build a libipq_pic.a compiled with -fPIC (needed by other packages
+ to successfully build on AMD64).
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358637
+
+Index: iptables-1.4.9/libipq/Makefile.am
+===================================================================
+--- iptables-1.4.9.orig/libipq/Makefile.am 2010-09-14 11:28:18.000000000 -0500
++++ iptables-1.4.9/libipq/Makefile.am 2010-09-14 11:34:09.000000000 -0500
+@@ -2,8 +2,11 @@
+ 
+ AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
+ 
++libipq_pic_la_CFLAGS = -fPIC ${regular_CFLAGS} -I${top_builddir}/include -I ${top_srcdir}/include
++
+ libipq_la_SOURCES = libipq.c
+-lib_LTLIBRARIES = libipq.la
++libipq_pic_la_SOURCES = libipq.c
++lib_LTLIBRARIES = libipq.la libipq_pic.la
+ man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \
+ ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \
+ ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \
diff -Nru iptables-1.4.4/debian/patches/9002-xt_recent-reap.patch iptables-1.4.10/debian/patches/9002-xt_recent-reap.patch
--- iptables-1.4.4/debian/patches/9002-xt_recent-reap.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/9002-xt_recent-reap.patch 2010-11-12 22:04:59.000000000 +0000
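Review bot: `lib_LTLIBRARIES = libipq.la libipq_pic.la` declares a full libtool library, so besides the wanted `libipq_pic.a` a second shared object (`libipq_pic.so`, exporting the same symbols as `libipq.so`) is presumably built and installed as well. Since the Description only asks for a PIC static archive, adding `libipq_pic_la_LDFLAGS = -static` (or building it as a `noinst_LTLIBRARIES` target and installing the `.a` explicitly) would avoid shipping a duplicate shared library. The `-I ${top_srcdir}/include` in `libipq_pic_la_CFLAGS` has a stray space where the `AM_CFLAGS` line above uses `-I${top_srcdir}/include`; gcc accepts both, so this is a consistency nit, but `-I${top_srcdir}/include` matches the file.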
@@ -0,0 +1,100 @@
+Author: Tim Gardner <tim.gardner@canonical.com>
+Description: Support for the xt_recent filter --reap switch
+Forwarded: yes
+
+Index: iptables-1.4.10/extensions/libxt_recent.c
+===================================================================
+--- iptables-1.4.10.orig/extensions/libxt_recent.c 2010-11-12 16:02:48.000000000 -0600
++++ iptables-1.4.10/extensions/libxt_recent.c 2010-11-12 16:04:38.000000000 -0600
+@@ -20,6 +20,7 @@
+ {.name = "name", .has_arg = true, .val = 208},
+ {.name = "rsource", .has_arg = false, .val = 209},
+ {.name = "rdest", .has_arg = false, .val = 210},
++ {.name = "reap", .has_arg = false, .val = 211},
+ XT_GETOPT_TABLEEND,
+ };
+ 
+@@ -37,6 +38,7 @@
+ " --hitcount hits For check and update commands above.\n"
+ " Specifies that the match will only occur if source address seen hits times.\n"
+ " May be used in conjunction with the seconds option.\n"
++" --reap Remove entries that have expired. Can only be used with --seconds\n"
+ " --rttl For check and update commands above.\n"
+ " Specifies that the match will only occur if the source address and the TTL\n"
+ " match between this packet and the one which was set.\n"
+@@ -63,6 +65,8 @@
+ (XT_RECENT_SET | XT_RECENT_CHECK | \
+ XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+ 
++#define XT_RECENT_SECONDS 1 << 31
++
+ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+ {
+@@ -104,6 +108,7 @@
+ 
+ case 204:
+ info->seconds = atoi(optarg);
++ *flags |= XT_RECENT_SECONDS;
+ break;
+ 
+ case 205:
+@@ -139,6 +144,11 @@
+ info->side = XT_RECENT_DEST;
+ break;
+ 
++ case 211:
++ info->check_set |= XT_RECENT_REAP;
++ *flags |= XT_RECENT_REAP;
++ break;
++
+ default:
+ return 0;
+ }
+@@ -157,6 +167,12 @@
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --rttl may only be used with --rcheck or "
+ "--update");
++ if ((flags & XT_RECENT_REAP) &&
++ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
++ (!(flags & XT_RECENT_SECONDS))))
++ xtables_error(PARAMETER_PROBLEM,
++ "recent: --reap may only be used with --rcheck or "
++ "--update and --seconds");
+ }
+ 
+ static void recent_print(const void *ip, const struct xt_entry_match *match,
+@@ -185,6 +201,8 @@
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest ");
++ if (info->check_set & XT_RECENT_REAP)
++ printf("reap ");
+ }
+ 
+ static void recent_save(const void *ip, const struct xt_entry_match *match)
+@@ -211,6 +229,8 @@
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
++ if (info->check_set & XT_RECENT_REAP)
++ printf("--reap ");
+ }
+ 
+ static struct xtables_match recent_mt_reg = {
+Index: iptables-1.4.10/extensions/libxt_recent.man
+===================================================================
+--- iptables-1.4.10.orig/extensions/libxt_recent.man 2010-11-12 16:02:48.000000000 -0600
++++ iptables-1.4.10/extensions/libxt_recent.man 2010-11-12 16:02:51.000000000 -0600
+@@ -41,6 +41,11 @@
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+ address is in the list and was seen within the last given number of seconds.
+ .TP
++\fB\-\-reap\fP \fIreap\fP
++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
++since the last packet was received.
++.TP
+ \fB\-\-hitcount\fP \fIhits\fP
+ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
diff -Nru iptables-1.4.4/debian/patches/9003-compilation-error.patch iptables-1.4.10/debian/patches/9003-compilation-error.patch
--- iptables-1.4.4/debian/patches/9003-compilation-error.patch 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/9003-compilation-error.patch 2010-11-12 22:01:31.000000000 +0000
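Review bot: `#define XT_RECENT_SECONDS 1 << 31` in the -63,6 hunk is both unparenthesized and a left shift of a signed `int` into its sign bit, which is undefined behaviour in C; it only appears to work because `*flags |= XT_RECENT_SECONDS` happens to convert the resulting negative value to 0x80000000. Define it as `#define XT_RECENT_SECONDS (1U << 31)` so the marker is an unsigned constant that also survives `-Werror` on compilers that diagnose shift overflow. The bit presumably does not collide with the kernel's `XT_RECENT_*` values, but a one-line comment saying it is a parser-local flag that is never copied into `info->check_set` would make that intent explicit. The man page entry `\fB\-\-reap\fP \fIreap\fP` advertises an argument although the option is registered with `.has_arg = false`, and "older then" should read "older than"; `\fB\-\-reap\fP` alone matches the `--rsource`/`--rdest` entries. The help string "Can only be used with --seconds" also omits the --rcheck/--update restriction that the new check in recent_check enforces.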
@@ -0,0 +1,43 @@
+Author: Surbhi Palande <surbhi.palande@canonical.com>
+Description: Add -fno-strict-aliasing -Werror switches to regular_CFLAGS for
+ catching errors early
+Forwarded: no
+
+Index: iptables-1.4.10/configure
+===================================================================
+--- iptables-1.4.10.orig/configure 2010-11-12 15:53:28.000000000 -0600
++++ iptables-1.4.10/configure 2010-11-12 16:01:31.000000000 -0600
+@@ -10998,6 +10998,7 @@
+ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
+ -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
+ -Winline -pipe \
++ -fno-strict-aliasing -Werror\
+ -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL";
+ kinclude_CFLAGS="";
+ if [ -n "$kbuilddir" ]; then
+Index: iptables-1.4.10/libiptc/libip4tc.c
+===================================================================
+--- iptables-1.4.10.orig/libiptc/libip4tc.c 2010-11-12 15:53:28.000000000 -0600
++++ iptables-1.4.10/libiptc/libip4tc.c 2010-11-12 16:01:31.000000000 -0600
+@@ -93,8 +93,6 @@
+ #define TC_FREE iptc_free
+ #define TC_COMMIT iptc_commit
+ #define TC_STRERROR iptc_strerror
+-#define TC_NUM_RULES iptc_num_rules
+-#define TC_GET_RULE iptc_get_rule
+ 
+ #define TC_AF AF_INET
+ #define TC_IPPROTO IPPROTO_IP
+Index: iptables-1.4.10/libiptc/libip6tc.c
+===================================================================
+--- iptables-1.4.10.orig/libiptc/libip6tc.c 2010-11-12 15:53:28.000000000 -0600
++++ iptables-1.4.10/libiptc/libip6tc.c 2010-11-12 16:01:31.000000000 -0600
+@@ -88,8 +88,6 @@
+ #define TC_FREE ip6tc_free
+ #define TC_COMMIT ip6tc_commit
+ #define TC_STRERROR ip6tc_strerror
+-#define TC_NUM_RULES ip6tc_num_rules
+-#define TC_GET_RULE ip6tc_get_rule
+ 
+ #define TC_AF AF_INET6
+ #define TC_IPPROTO IPPROTO_IPV6
diff -Nru iptables-1.4.4/debian/patches/series iptables-1.4.10/debian/patches/series
--- iptables-1.4.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/debian/patches/series 2010-11-12 22:42:19.000000000 +0000
@@ -0,0 +1,7 @@
+0101-changelog.patch
+0300-iptables-apply.patch
+0600-makefile_jedi_handwaving.patch
+9000-howtos.patch
+9001-build-libipq_pic.la.patch
+9002-xt_recent-reap.patch
+9003-compilation-error.patch
diff -Nru iptables-1.4.4/debian/rules iptables-1.4.10/debian/rules
--- iptables-1.4.4/debian/rules 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/debian/rules 2010-07-08 21:37:14.000000000 +0000
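Review bot: The `-fno-strict-aliasing -Werror` line is added to the generated `configure` script rather than to `configure.ac`, while the `debian/stamp-build` recipe in this same diff runs `autoreconf -fi` before `dh_auto_configure`; that regenerates `configure` from `configure.ac` and presumably discards this hunk, so the flags likely never reach the build. The line belongs in the `regular_CFLAGS` assignment in `configure.ac`, e.g. `-Winline -pipe -fno-strict-aliasing \` directly before the `-DXTABLES_LIBDIR` line there. Even then, `-Werror` combined with `-Wall -Wshadow -Winline -Wredundant-decls` in a distribution package turns every new diagnostic from a newer compiler into a build failure; it is safer to keep `-Werror` out of `regular_CFLAGS` or make it opt-in. The libip4tc.c/libip6tc.c hunks drop `TC_NUM_RULES`/`TC_GET_RULE` without the Description saying why; if `libiptc.c` only emits `iptc_num_rules`/`iptc_get_rule` when those macros are defined, this removes two exported functions from a public library, and the DEP-3 Description should record the reason and the ABI impact.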
@@ -1,44 +1,34 @@ #!/usr/bin/make -f -configure := --with-xtlibdir=/lib/xtables --enable-libipq \ - --enable-devel --libdir=/lib -install := --exclude=-multi +_shlibdeps := -a -Xlib/xtables +_configure := --with-xtlibdir=/lib/xtables \ + --enable-libipq --enable-devel --libdir=/lib %: dh $@ -binary binary-arch binary-indep: install +binary: binary-arch binary-indep +binary-arch binary-indep: install +binary-arch: + dh $@ --before dh_shlibdeps + dpkg-gensymbols -piptables + dh_shlibdeps $(_shlibdeps) + dh $@ --remaining ifneq ($(USE_BUILD_DIR),TRUE) - include debian/builddir.mk - else - -include /usr/share/quilt/quilt.make - -build: patch debian/stamp-build +build: debian/stamp-build debian/stamp-build: dh build --before dh_auto_configure autoreconf -fi - dh_auto_configure -- $(configure) - dh build --after dh_auto_configure + dh_auto_configure -- $(_configure) + dh build --remaining touch $@ - install: build debian/stamp-install debian/stamp-install: - dh install --before dh_install - dh_install $(install) - - #fixme# excluding the *-multi binaries fails on buildds - find debian/iptables/sbin -type f -name \*-multi | xargs -r rm -v - - find - - # BTS 509386 - mv debian/iptables/usr/sbin/iptables-xml debian/iptables/usr/bin - - dh install --after dh_install + install -v -D iptables-apply debian/tmp/usr/sbin/iptables-apply +# dh_makeshlibs + dh install touch $@ - endif diff -Nru iptables-1.4.4/debian/source/format iptables-1.4.10/debian/source/format --- iptables-1.4.4/debian/source/format 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/debian/source/format 2011-06-15 19:36:48.000000000 +0000 @@ -0,0 +1 @@ +3.0 (quilt) diff -Nru iptables-1.4.4/depcomp iptables-1.4.10/depcomp --- iptables-1.4.4/depcomp 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/depcomp 2010-10-29 14:40:40.000000000 +0000 
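Review bot: The new `debian/stamp-build` recipe still runs `autoreconf -fi` on the upstream tree, but no `clean` override restores the regenerated `configure`/`Makefile.in` files, and this same upload switches the package to source format `3.0 (quilt)`, which records in-tree modifications to upstream files on the next `dpkg-source -b`; a clean step that reverts the autoreconf output (for instance the `dh_autoreconf`/`dh_autoreconf_clean` pair, if the debhelper addon is available) is presumably needed. `# dh_makeshlibs` is commented out with no explanation, so only the `symbols` file from `dpkg-gensymbols -piptables` describes the package's libraries; if that is intentional, a comment such as `# symbols file from dpkg-gensymbols replaces shlibs on purpose` would stop the next maintainer from re-enabling it, and if not, `dh_makeshlibs` should run before `dh_shlibdeps`.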
@@ -1,9 +1,10 @@ #! /bin/sh # depcomp - compile a program generating dependencies as side-effects -scriptversion=2005-07-09.11 +scriptversion=2009-04-28.21; # UTC -# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc. +# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free +# Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -16,9 +17,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program. If not, see <http://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -86,12 +85,34 @@ depmode=dashmstdout fi +cygpath_u="cygpath -u -f -" +if test "$depmode" = msvcmsys; then + # This is just like msvisualcpp but w/o cygpath translation. + # Just convert the backslash-escaped backslashes to single forward + # slashes to satisfy depend.m4 + cygpath_u="sed s,\\\\\\\\,/,g" + depmode=msvisualcpp +fi + case "$depmode" in gcc3) ## gcc 3 implements dependency tracking that does exactly what ## we want. Yay! Note: for some reason libtool 1.4 doesn't like ## it if -MD -MP comes after the -MF stuff. Hmm. - "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" +## Unfortunately, FreeBSD c89 acceptance of flags depends upon +## the command line argument order; so add the flags where they +## appear in depend2.am. Note that the slowdown incurred here +## affects only configure: in makefiles, %FASTDEP% shortcuts this. + for arg + do + case $arg in + -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;; + *) set fnord "$@" "$arg" ;; + esac + shift # fnord + shift # $arg + done + "$@" stat=$? if test $stat -eq 0; then : else @@ -178,14 +199,14 @@ ' < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \ tr ' -' ' ' >> $depfile - echo >> $depfile +' ' ' >> "$depfile" + echo >> "$depfile" # The second pass generates a dummy entry for each header file. tr ' ' ' ' < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ - >> $depfile + >> "$depfile" else # The sourcefile does not contain any dependencies, so just # store a dummy comment line, to avoid errors with the Makefile 
@@ -201,34 +222,39 @@ # current directory. Also, the AIX compiler puts `$object:' at the # start of each line; $object doesn't have directory information. # Version 6 uses the directory in both cases. - stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'` - tmpdepfile="$stripped.u" + dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` if test "$libtool" = yes; then + tmpdepfile1=$dir$base.u + tmpdepfile2=$base.u + tmpdepfile3=$dir.libs/$base.u "$@" -Wc,-M else + tmpdepfile1=$dir$base.u + tmpdepfile2=$dir$base.u + tmpdepfile3=$dir$base.u "$@" -M fi stat=$? - if test -f "$tmpdepfile"; then : - else - stripped=`echo "$stripped" | sed 's,^.*/,,'` - tmpdepfile="$stripped.u" - fi - if test $stat -eq 0; then : else - rm -f "$tmpdepfile" + rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" exit $stat fi + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + do + test -f "$tmpdepfile" && break + done if test -f "$tmpdepfile"; then - outname="$stripped.o" # Each line is of the form `foo.o: dependent.h'. # Do two passes, one to just change these to # `$object: dependent.h' and one to simply `dependent.h:'. - sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile" - sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile" + sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile" + # That's a tab and a space in the []. + sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" else # The sourcefile does not contain any dependencies, so just # store a dummy comment line, to avoid errors with the Makefile 
@@ -276,6 +302,51 @@ rm -f "$tmpdepfile" ;; +hp2) + # The "hp" stanza above does not work with aCC (C++) and HP's ia64 + # compilers, which have integrated preprocessors. The correct option + # to use with these is +Maked; it writes dependencies to a file named + # 'foo.d', which lands next to the object file, wherever that + # happens to be. + # Much of this is similar to the tru64 case; see comments there. + dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` + if test "$libtool" = yes; then + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir.libs/$base.d + "$@" -Wc,+Maked + else + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir$base.d + "$@" +Maked + fi + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile1" "$tmpdepfile2" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" + do + test -f "$tmpdepfile" && break + done + if test -f "$tmpdepfile"; then + sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile" + # Add `dependent.h:' lines. + sed -ne '2,${ + s/^ *// + s/ \\*$// + s/$/:/ + p + }' "$tmpdepfile" >> "$depfile" + else + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" "$tmpdepfile2" + ;; + tru64) # The Tru64 compiler uses -MD to generate dependencies as a side # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'. 
@@ -288,13 +359,13 @@ if test "$libtool" = yes; then # With Tru64 cc, shared objects can also be used to make a - # static library. This mecanism is used in libtool 1.4 series to + # static library. This mechanism is used in libtool 1.4 series to # handle both shared and static libraries in a single compilation. # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d. # # With libtool 1.5 this exception was removed, and libtool now # generates 2 separate objects for the 2 libraries. These two - # compilations output dependencies in in $dir.libs/$base.o.d and + # compilations output dependencies in $dir.libs/$base.o.d and # in $dir$base.o.d. We have to check for both files, because # one of the two compilations can be disabled. We should prefer # $dir$base.o.d over $dir.libs/$base.o.d because the latter is @@ -345,7 +416,7 @@ # Remove the call to Libtool. if test "$libtool" = yes; then - while test $1 != '--mode=compile'; do + while test "X$1" != 'X--mode=compile'; do shift done shift @@ -396,32 +467,39 @@ "$@" || exit $? # Remove any Libtool call if test "$libtool" = yes; then - while test $1 != '--mode=compile'; do + while test "X$1" != 'X--mode=compile'; do shift done shift fi # X makedepend shift - cleared=no - for arg in "$@"; do + cleared=no eat=no + for arg + do case $cleared in no) set ""; shift cleared=yes ;; esac + if test $eat = yes; then + eat=no + continue + fi case "$arg" in -D*|-I*) set fnord "$@" "$arg"; shift ;; # Strip any option that makedepend may not understand. Remove # the object too, otherwise makedepend will parse it as a source file. + -arch) + eat=yes ;; -*|$object) ;; *) set fnord "$@" "$arg"; shift ;; esac done - obj_suffix="`echo $object | sed 's/^.*\././'`" + obj_suffix=`echo "$object" | sed 's/^.*\././'` touch "$tmpdepfile" ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" rm -f "$depfile" 
@@ -441,7 +519,7 @@ # Remove the call to Libtool. if test "$libtool" = yes; then - while test $1 != '--mode=compile'; do + while test "X$1" != 'X--mode=compile'; do shift done shift @@ -479,13 +557,27 @@ msvisualcpp) # Important note: in order to support this mode, a compiler *must* - # always write the preprocessed file to stdout, regardless of -o, - # because we must use -o when running libtool. + # always write the preprocessed file to stdout. "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + IFS=" " for arg do case "$arg" in + -o) + shift + ;; + $object) + shift + ;; "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") set fnord "$@" shift @@ -498,16 +590,23 @@ ;; esac done - "$@" -E | - sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile" + "$@" -E 2>/dev/null | + sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" - . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile" echo " " >> "$depfile" - . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" rm -f "$tmpdepfile" ;; +msvcmsys) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + none) exec "$@" ;; 
@@ -526,5 +625,6 @@ # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" # End: diff -Nru iptables-1.4.4/extensions/GNUmakefile.in iptables-1.4.10/extensions/GNUmakefile.in --- iptables-1.4.4/extensions/GNUmakefile.in 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/GNUmakefile.in 2010-10-29 14:37:22.000000000 +0000 @@ -56,8 +56,8 @@ targets_install := @ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs} @ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs} -@ENABLE_SHARED_TRUE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} -@ENABLE_SHARED_TRUE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} +@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} +@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} .SECONDARY: diff -Nru iptables-1.4.4/extensions/libip6t_ah.c iptables-1.4.10/extensions/libip6t_ah.c --- iptables-1.4.4/extensions/libip6t_ah.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_ah.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to ip6tables to add AH support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -18,10 +19,10 @@ } static const struct option ah_opts[] = { - { .name = "ahspi", .has_arg = 1, .val = '1' }, - { .name = "ahlen", .has_arg = 1, .val = '2' }, - { .name = "ahres", .has_arg = 0, .val = '3' }, - { .name = NULL } + {.name = "ahspi", .has_arg = true, .val = '1'}, + {.name = "ahlen", .has_arg = true, .val = '2'}, + {.name = "ahres", .has_arg = false, .val = '3'}, + XT_GETOPT_TABLEEND, }; static u_int32_t 
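Review bot: The shared extension targets in extensions/GNUmakefile.in are now gated on `@ENABLE_STATIC_FALSE@` instead of `@ENABLE_SHARED_TRUE@`, so the `.so` list is queued whenever the static build is off rather than when a shared build is explicitly on; if configure still exposes a separate shared switch the two conditionals can disagree, and if it does not, the old conditional was presumably never defined. A one-line comment above the pair would record the intent, e.g. `# shared extension objects are built exactly when the static build is disabled`. The surrounding target definitions begin before the hunk.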
@@ -86,8 +87,8 @@
 if (*flags & IP6T_AH_SPI) xtables_error(PARAMETER_PROBLEM, "Only one `--ahspi' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_ah_spis(argv[optind-1], ahinfo->spis);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_ah_spis(optarg, ahinfo->spis);
 if (invert) ahinfo->invflags |= IP6T_AH_INV_SPI; *flags |= IP6T_AH_SPI;
@@ -96,8 +97,8 @@
 if (*flags & IP6T_AH_LEN) xtables_error(PARAMETER_PROBLEM, "Only one `--ahlen' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- ahinfo->hdrlen = parse_ah_spi(argv[optind-1], "length");
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ ahinfo->hdrlen = parse_ah_spi(optarg, "length");
 if (invert) ahinfo->invflags |= IP6T_AH_INV_LEN; *flags |= IP6T_AH_LEN;
diff -Nru iptables-1.4.4/extensions/libip6t_dst.c iptables-1.4.10/extensions/libip6t_dst.c
--- iptables-1.4.4/extensions/libip6t_dst.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libip6t_dst.c 2010-10-29 14:37:22.000000000 +0000
@@ -1,4 +1,5 @@
 /* Shared library add-on to ip6tables to add Dst header support. */
+#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -22,10 +23,10 @@
 } static const struct option dst_opts[] = {
- { .name = "dst-len", .has_arg = 1, .val = '1' },
- { .name = "dst-opts", .has_arg = 1, .val = '2' },
- { .name = "dst-not-strict", .has_arg = 1, .val = '3' },
- { .name = NULL }
+ {.name = "dst-len", .has_arg = true, .val = '1'},
+ {.name = "dst-opts", .has_arg = true, .val = '2'},
+ {.name = "dst-not-strict", .has_arg = true, .val = '3'},
+ XT_GETOPT_TABLEEND,
 }; static u_int32_t
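Review bot: After the new `xtables_check_inverse(optarg, &invert, &optind, 0, argv)` the value handed to `parse_ah_spis` is `optarg` rather than `argv[optind-1]`, so the hunk relies on the helper re-pointing `optarg` at the token after an intrapositioned `!` (the `--ahspi ! 5` form); that contract is not visible here and deserves a comment at the call, e.g. `/* may advance optind and repoint optarg past an intrapositioned '!' */`. The fourth argument is `0`, which presumably disables any argc bound inside the helper; if it indexes `argv` without its own check, a trailing `!` with no value would hand a NULL `optarg` to the parser, so confirm the helper rejects that case or guard with `if (optarg == NULL) xtables_error(PARAMETER_PROBLEM, "--ahspi requires a value");`. The same pattern recurs in the libip6t_dst.c, libip6t_frag.c, libip6t_hbh.c, libip6t_hl.c, libip6t_icmp6.c, libip6t_ipv6header.c, libip6t_mh.c, libip6t_rt.c and libipt_addrtype.c hunks below. The enclosing parse function starts and ends outside the hunk.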
@@ -125,8 +126,8 @@ if (*flags & IP6T_OPTS_LEN) xtables_error(PARAMETER_PROBLEM, "Only one `--dst-len' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - optinfo->hdrlen = parse_opts_num(argv[optind-1], "length"); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + optinfo->hdrlen = parse_opts_num(optarg, "length"); if (invert) optinfo->invflags |= IP6T_OPTS_INV_LEN; optinfo->flags |= IP6T_OPTS_LEN; @@ -136,11 +137,11 @@ if (*flags & IP6T_OPTS_OPTS) xtables_error(PARAMETER_PROBLEM, "Only one `--dst-opts' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, " '!' not allowed with `--dst-opts'"); - optinfo->optsnr = parse_options(argv[optind-1], optinfo->opts); + optinfo->optsnr = parse_options(optarg, optinfo->opts); optinfo->flags |= IP6T_OPTS_OPTS; *flags |= IP6T_OPTS_OPTS; break; diff -Nru iptables-1.4.4/extensions/libip6t_eui64.c iptables-1.4.10/extensions/libip6t_eui64.c --- iptables-1.4.4/extensions/libip6t_eui64.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_eui64.c 2010-10-29 14:37:22.000000000 +0000 
@@ -1,38 +1,12 @@ /* Shared library add-on to ip6tables to add EUI64 address checking support. */ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> -#if defined(__GLIBC__) && __GLIBC__ == 2 -#include <net/ethernet.h> -#else -#include <linux/if_ether.h> -#endif #include <xtables.h> -static void eui64_help(void) -{ - printf( -"eui64 match options:\n" -" This module hasn't got any option\n" -" This module checks for EUI64 IPv6 addresses\n"); -} - -static int eui64_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - return 0; -} - static struct xtables_match eui64_mt6_reg = { .name = "eui64", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, .size = XT_ALIGN(sizeof(int)), .userspacesize = XT_ALIGN(sizeof(int)), - .help = eui64_help, - .parse = eui64_parse, }; void _init(void) diff -Nru iptables-1.4.4/extensions/libip6t_frag.c iptables-1.4.10/extensions/libip6t_frag.c --- iptables-1.4.4/extensions/libip6t_frag.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_frag.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to ip6tables to add Fragmentation header support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
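Review bot: Removing `eui64_help` and `eui64_parse` leaves `.help` and `.parse` unset (NULL) in `eui64_mt6_reg`, which is only safe if the xtables core checks those callbacks before invoking them; the diff does not show that check, so it should be confirmed against the libxtables version this tree builds against. A short comment in the initializer, e.g. `/* no options: relies on the core tolerating NULL .help/.parse */`, would record the dependency for the next reader.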
@@ -21,13 +22,13 @@ } static const struct option frag_opts[] = { - { .name = "fragid", .has_arg = 1, .val = '1' }, - { .name = "fraglen", .has_arg = 1, .val = '2' }, - { .name = "fragres", .has_arg = 0, .val = '3' }, - { .name = "fragfirst", .has_arg = 0, .val = '4' }, - { .name = "fragmore", .has_arg = 0, .val = '5' }, - { .name = "fraglast", .has_arg = 0, .val = '6' }, - { .name = NULL } + {.name = "fragid", .has_arg = true, .val = '1'}, + {.name = "fraglen", .has_arg = true, .val = '2'}, + {.name = "fragres", .has_arg = false, .val = '3'}, + {.name = "fragfirst", .has_arg = false, .val = '4'}, + {.name = "fragmore", .has_arg = false, .val = '5'}, + {.name = "fraglast", .has_arg = false, .val = '6'}, + XT_GETOPT_TABLEEND, }; static u_int32_t @@ -94,8 +95,8 @@ if (*flags & IP6T_FRAG_IDS) xtables_error(PARAMETER_PROBLEM, "Only one `--fragid' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_frag_ids(argv[optind-1], fraginfo->ids); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_frag_ids(optarg, fraginfo->ids); if (invert) fraginfo->invflags |= IP6T_FRAG_INV_IDS; fraginfo->flags |= IP6T_FRAG_IDS; @@ -105,8 +106,8 @@ if (*flags & IP6T_FRAG_LEN) xtables_error(PARAMETER_PROBLEM, "Only one `--fraglen' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - fraginfo->hdrlen = parse_frag_id(argv[optind-1], "length"); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + fraginfo->hdrlen = parse_frag_id(optarg, "length"); if (invert) fraginfo->invflags |= IP6T_FRAG_INV_LEN; fraginfo->flags |= IP6T_FRAG_LEN; diff -Nru iptables-1.4.4/extensions/libip6t_hbh.c iptables-1.4.10/extensions/libip6t_hbh.c --- iptables-1.4.4/extensions/libip6t_hbh.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_hbh.c 2010-10-29 14:37:22.000000000 +0000 
@@ -25,10 +25,10 @@ } static const struct option hbh_opts[] = { - { "hbh-len", 1, NULL, '1' }, - { "hbh-opts", 1, NULL, '2' }, - { "hbh-not-strict", 1, NULL, '3' }, - { .name = NULL } + {.name = "hbh-len", .has_arg = true, .val = '1'}, + {.name = "hbh-opts", .has_arg = true, .val = '2'}, + {.name = "hbh-not-strict", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static u_int32_t @@ -120,8 +120,8 @@ if (*flags & IP6T_OPTS_LEN) xtables_error(PARAMETER_PROBLEM, "Only one `--hbh-len' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - optinfo->hdrlen = parse_opts_num(argv[optind-1], "length"); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + optinfo->hdrlen = parse_opts_num(optarg, "length"); if (invert) optinfo->invflags |= IP6T_OPTS_INV_LEN; optinfo->flags |= IP6T_OPTS_LEN; @@ -131,11 +131,11 @@ if (*flags & IP6T_OPTS_OPTS) xtables_error(PARAMETER_PROBLEM, "Only one `--hbh-opts' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, " '!' not allowed with `--hbh-opts'"); - optinfo->optsnr = parse_options(argv[optind-1], optinfo->opts); + optinfo->optsnr = parse_options(optarg, optinfo->opts); optinfo->flags |= IP6T_OPTS_OPTS; *flags |= IP6T_OPTS_OPTS; break; diff -Nru iptables-1.4.4/extensions/libip6t_hl.c iptables-1.4.10/extensions/libip6t_hl.c --- iptables-1.4.4/extensions/libip6t_hl.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_hl.c 2010-10-29 14:37:22.000000000 +0000 @@ -5,7 +5,7 @@ * This program is released under the terms of GNU GPL * Cleanups by Stephane Ouellette <ouellettes@videotron.ca> */ - +#include <stdbool.h> #include <stdio.h> #include <stdlib.h> #include <string.h> 
@@ -29,8 +29,8 @@ struct ip6t_hl_info *info = (struct ip6t_hl_info *) (*match)->data; u_int8_t value; - xtables_check_inverse(optarg, &invert, &optind, 0); - value = atoi(argv[optind-1]); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + value = atoi(optarg); if (*flags) xtables_error(PARAMETER_PROBLEM, @@ -116,11 +116,11 @@ } static const struct option hl_opts[] = { - { .name = "hl", .has_arg = 1, .val = '2' }, - { .name = "hl-eq", .has_arg = 1, .val = '2' }, - { .name = "hl-lt", .has_arg = 1, .val = '3' }, - { .name = "hl-gt", .has_arg = 1, .val = '4' }, - { .name = NULL } + {.name = "hl", .has_arg = true, .val = '2'}, + {.name = "hl-eq", .has_arg = true, .val = '2'}, + {.name = "hl-lt", .has_arg = true, .val = '3'}, + {.name = "hl-gt", .has_arg = true, .val = '4'}, + XT_GETOPT_TABLEEND, }; static struct xtables_match hl_mt6_reg = { diff -Nru iptables-1.4.4/extensions/libip6t_HL.c iptables-1.4.10/extensions/libip6t_HL.c --- iptables-1.4.4/extensions/libip6t_HL.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_HL.c 2010-10-29 14:37:22.000000000 +0000 @@ -6,6 +6,7 @@ */ #include <getopt.h> +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -39,7 +40,7 @@ xtables_error(PARAMETER_PROBLEM, "HL: You must specify a value"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "HL: unexpected `!'"); 
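Review bot: `value = atoi(optarg);` stores the result into a `u_int8_t` with no syntax or range check, so `--hl-eq 300` silently wraps to 44 and `--hl-eq abc` becomes 0, and atoi offers no way to detect either; the rule installed then differs from what the user typed. A bounded conversion with an end pointer and an explicit 0..255 check would fix this, e.g. `unsigned long v = strtoul(optarg, &end, 10); if (*optarg == '\0' || *end != '\0' || v > 255) xtables_error(PARAMETER_PROBLEM, "hl: invalid value");` (or the tree's own bounded integer helper if libxtables provides one). The enclosing parse function starts and ends outside the hunk.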
@@ -131,10 +132,10 @@ } static const struct option HL_opts[] = { - { "hl-set", 1, NULL, '1' }, - { "hl-dec", 1, NULL, '2' }, - { "hl-inc", 1, NULL, '3' }, - { .name = NULL } + {.name = "hl-set", .has_arg = true, .val = '1'}, + {.name = "hl-dec", .has_arg = true, .val = '2'}, + {.name = "hl-inc", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static struct xtables_target hl_tg6_reg = { diff -Nru iptables-1.4.4/extensions/libip6t_icmp6.c iptables-1.4.10/extensions/libip6t_icmp6.c --- iptables-1.4.4/extensions/libip6t_icmp6.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_icmp6.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to ip6tables to add ICMP support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -84,8 +85,8 @@ } static const struct option icmp6_opts[] = { - { "icmpv6-type", 1, NULL, '1' }, - { .name = NULL } + {.name = "icmpv6-type", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void @@ -158,8 +159,8 @@ if (*flags == 1) xtables_error(PARAMETER_PROBLEM, "icmpv6 match: only use --icmpv6-type once!"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_icmpv6(argv[optind-1], &icmpv6info->type, + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_icmpv6(optarg, &icmpv6info->type, icmpv6info->code); if (invert) icmpv6info->invflags |= IP6T_ICMP_INV; diff -Nru iptables-1.4.4/extensions/libip6t_ipv6header.c iptables-1.4.10/extensions/libip6t_ipv6header.c --- iptables-1.4.4/extensions/libip6t_ipv6header.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_ipv6header.c 2010-10-29 14:37:22.000000000 +0000 @@ -6,6 +6,7 @@ #include <getopt.h> #include <xtables.h> +#include <stdbool.h> #include <stddef.h> #include <stdio.h> #include <stdlib.h> 
@@ -140,9 +141,9 @@ } static const struct option ipv6header_opts[] = { - { "header", 1, NULL, '1' }, - { "soft", 0, NULL, '2' }, - { .name = NULL } + {.name = "header", .has_arg = true, .val = '1'}, + {.name = "soft", .has_arg = false, .val = '2'}, + XT_GETOPT_TABLEEND, }; static void ipv6header_init(struct xt_entry_match *m) @@ -185,9 +186,9 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--header' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); - if (! (info->matchflags = parse_header(argv[optind-1])) ) + if (! (info->matchflags = parse_header(optarg)) ) xtables_error(PARAMETER_PROBLEM, "ip6t_ipv6header: cannot parse header names"); if (invert) diff -Nru iptables-1.4.4/extensions/libip6t_LOG.c iptables-1.4.10/extensions/libip6t_LOG.c --- iptables-1.4.4/extensions/libip6t_LOG.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_LOG.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to ip6tables to add LOG support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -25,17 +26,19 @@ " --log-tcp-sequence Log TCP sequence numbers.\n" " --log-tcp-options Log TCP options.\n" " --log-ip-options Log IP options.\n" -" --log-uid Log UID owning the local socket.\n"); +" --log-uid Log UID owning the local socket.\n" +" --log-macdecode Decode MAC addresses and protocol.\n"); } static const struct option LOG_opts[] = { - { .name = "log-level", .has_arg = 1, .val = '!' }, - { .name = "log-prefix", .has_arg = 1, .val = '#' }, - { .name = "log-tcp-sequence", .has_arg = 0, .val = '1' }, - { .name = "log-tcp-options", .has_arg = 0, .val = '2' }, - { .name = "log-ip-options", .has_arg = 0, .val = '3' }, - { .name = "log-uid", .has_arg = 0, .val = '4' }, - { .name = NULL } + {.name = "log-level", .has_arg = true, .val = '!'}, + {.name = "log-prefix", .has_arg = true, .val = '#'}, + {.name = "log-tcp-sequence", .has_arg = false, .val = '1'}, + {.name = "log-tcp-options", .has_arg = false, .val = '2'}, + {.name = "log-ip-options", .has_arg = false, .val = '3'}, + {.name = "log-uid", .has_arg = false, .val = '4'}, + {.name = "log-macdecode", .has_arg = false, .val = '5'}, + XT_GETOPT_TABLEEND, }; static void LOG_init(struct xt_entry_target *t) @@ -96,6 +99,7 @@ #define IP6T_LOG_OPT_TCPOPT 0x08 #define IP6T_LOG_OPT_IPOPT 0x10 #define IP6T_LOG_OPT_UID 0x20 +#define IP6T_LOG_OPT_MACDECODE 0x40 static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) @@ -108,7 +112,7 @@ xtables_error(PARAMETER_PROBLEM, "Can't specify --log-level twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --log-level"); 
@@ -121,7 +125,7 @@ xtables_error(PARAMETER_PROBLEM, "Can't specify --log-prefix twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --log-prefix"); @@ -179,6 +183,15 @@ *flags |= IP6T_LOG_OPT_UID; break; + case '5': + if (*flags & IP6T_LOG_OPT_MACDECODE) + xtables_error(PARAMETER_PROBLEM, + "Can't specify --log-macdecode twice"); + + loginfo->logflags |= IP6T_LOG_MACDECODE; + *flags |= IP6T_LOG_OPT_MACDECODE; + break; + default: return 0; } @@ -213,6 +226,8 @@ printf("ip-options "); if (loginfo->logflags & IP6T_LOG_UID) printf("uid "); + if (loginfo->logflags & IP6T_LOG_MACDECODE) + printf("macdecode "); if (loginfo->logflags & ~(IP6T_LOG_MASK)) printf("unknown-flags "); } @@ -240,6 +255,8 @@ printf("--log-ip-options "); if (loginfo->logflags & IP6T_LOG_UID) printf("--log-uid "); + if (loginfo->logflags & IP6T_LOG_MACDECODE) + printf("--log-macdecode "); } static struct xtables_target log_tg6_reg = { diff -Nru iptables-1.4.4/extensions/libip6t_mh.c iptables-1.4.10/extensions/libip6t_mh.c --- iptables-1.4.4/extensions/libip6t_mh.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libip6t_mh.c 2010-10-29 14:37:22.000000000 +0000 @@ -11,6 +11,7 @@ * * Based on libip6t_{icmpv6,udp}.c */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -133,8 +134,8 @@ if (*flags & MH_TYPES) xtables_error(PARAMETER_PROBLEM, "Only one `--mh-type' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_mh_types(argv[optind-1], mhinfo->types); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_mh_types(optarg, mhinfo->types); if (invert) mhinfo->invflags |= IP6T_MH_INV_TYPE; *flags |= MH_TYPES; 
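Review bot: The new `case '5'` sets `IP6T_LOG_MACDECODE` in `loginfo->logflags`, and the print hunk further down reports `unknown-flags` whenever `logflags & ~(IP6T_LOG_MASK)` is non-zero, so `IP6T_LOG_MASK` in the kernel header this tree ships must already cover the new bit or every `--log-macdecode` rule will print `macdecode unknown-flags`; that cannot be confirmed from this diff. A comment next to the earlier `#define IP6T_LOG_OPT_MACDECODE 0x40` noting that it is a parser-local "seen" flag distinct from the kernel's `IP6T_LOG_MACDECODE` would also help, since the two names differ only by `_OPT`. LOG_parse begins outside the hunk.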
@@ -216,8 +217,8 @@
 } static const struct option mh_opts[] = {
- { "mh-type", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "mh-type", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
 }; static struct xtables_match mh_mt6_reg = {
diff -Nru iptables-1.4.4/extensions/libip6t_REJECT.c iptables-1.4.10/extensions/libip6t_REJECT.c
--- iptables-1.4.4/extensions/libip6t_REJECT.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libip6t_REJECT.c 2010-10-29 14:37:22.000000000 +0000
@@ -5,6 +5,7 @@
 * ported to IPv6 by Harald Welte <laforge@gnumonks.org> * */
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -61,8 +62,8 @@
 } static const struct option REJECT_opts[] = {
- { "reject-with", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "reject-with", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
 }; static void REJECT_init(struct xt_entry_target *t)
@@ -83,7 +84,7 @@
 switch(c) { case '1':
- if (xtables_check_inverse(optarg, &invert, NULL, 0))
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
 xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --reject-with"); for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
diff -Nru iptables-1.4.4/extensions/libip6t_rt.c iptables-1.4.10/extensions/libip6t_rt.c
--- iptables-1.4.4/extensions/libip6t_rt.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libip6t_rt.c 2010-10-29 14:37:22.000000000 +0000
@@ -1,4 +1,5 @@
 /* Shared library add-on to ip6tables to add Routing header support. */
+#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -28,13 +29,13 @@ } static const struct option rt_opts[] = { - { "rt-type", 1, NULL, '1' }, - { "rt-segsleft", 1, NULL, '2' }, - { "rt-len", 1, NULL, '3' }, - { "rt-0-res", 0, NULL, '4' }, - { "rt-0-addrs", 1, NULL, '5' }, - { "rt-0-not-strict", 0, NULL, '6' }, - { .name = NULL } + {.name = "rt-type", .has_arg = true, .val = '1'}, + {.name = "rt-segsleft", .has_arg = true, .val = '2'}, + {.name = "rt-len", .has_arg = true, .val = '3'}, + {.name = "rt-0-res", .has_arg = false, .val = '4'}, + {.name = "rt-0-addrs", .has_arg = true, .val = '5'}, + {.name = "rt-0-not-strict", .has_arg = false, .val = '6'}, + XT_GETOPT_TABLEEND, }; static u_int32_t @@ -158,8 +159,8 @@ if (*flags & IP6T_RT_TYP) xtables_error(PARAMETER_PROBLEM, "Only one `--rt-type' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - rtinfo->rt_type = parse_rt_num(argv[optind-1], "type"); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + rtinfo->rt_type = parse_rt_num(optarg, "type"); if (invert) rtinfo->invflags |= IP6T_RT_INV_TYP; rtinfo->flags |= IP6T_RT_TYP; @@ -169,8 +170,8 @@ if (*flags & IP6T_RT_SGS) xtables_error(PARAMETER_PROBLEM, "Only one `--rt-segsleft' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_rt_segsleft(argv[optind-1], rtinfo->segsleft); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_rt_segsleft(optarg, rtinfo->segsleft); if (invert) rtinfo->invflags |= IP6T_RT_INV_SGS; rtinfo->flags |= IP6T_RT_SGS; @@ -180,8 +181,8 @@ if (*flags & IP6T_RT_LEN) xtables_error(PARAMETER_PROBLEM, "Only one `--rt-len' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - rtinfo->hdrlen = parse_rt_num(argv[optind-1], "length"); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + rtinfo->hdrlen = parse_rt_num(optarg, "length"); if (invert) rtinfo->invflags |= IP6T_RT_INV_LEN; rtinfo->flags |= IP6T_RT_LEN; 
@@ -204,11 +205,11 @@ if ( !(*flags & IP6T_RT_TYP) || (rtinfo->rt_type != 0) || (rtinfo->invflags & IP6T_RT_INV_TYP) ) xtables_error(PARAMETER_PROBLEM, "`--rt-type 0' required before `--rt-0-addrs'"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, " '!' not allowed with `--rt-0-addrs'"); - rtinfo->addrnr = parse_addresses(argv[optind-1], rtinfo->addrs); + rtinfo->addrnr = parse_addresses(optarg, rtinfo->addrs); rtinfo->flags |= IP6T_RT_FST; *flags |= IP6T_RT_FST; break; diff -Nru iptables-1.4.4/extensions/libipt_addrtype.c iptables-1.4.10/extensions/libipt_addrtype.c --- iptables-1.4.4/extensions/libipt_addrtype.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_addrtype.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,7 +1,7 @@ /* Shared library add-on to iptables to add addrtype matching support * * This program is released under the terms of GNU GPL */ - +#include <stdbool.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -106,8 +106,8 @@ if (*flags&IPT_ADDRTYPE_OPT_SRCTYPE) xtables_error(PARAMETER_PROBLEM, "addrtype: can't specify src-type twice"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_types(argv[optind-1], &info->source); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_types(optarg, &info->source); if (invert) info->invert_source = 1; *flags |= IPT_ADDRTYPE_OPT_SRCTYPE; @@ -116,8 +116,8 @@ if (*flags&IPT_ADDRTYPE_OPT_DSTTYPE) xtables_error(PARAMETER_PROBLEM, "addrtype: can't specify dst-type twice"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_types(argv[optind-1], &info->dest); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_types(optarg, &info->dest); if (invert) info->invert_dest = 1; *flags |= IPT_ADDRTYPE_OPT_DSTTYPE; 
@@ -141,8 +141,8 @@
 if (*flags & IPT_ADDRTYPE_OPT_SRCTYPE) xtables_error(PARAMETER_PROBLEM, "addrtype: can't specify src-type twice");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_types(argv[optind-1], &info->source);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_types(optarg, &info->source);
 if (invert) info->flags |= IPT_ADDRTYPE_INVERT_SOURCE; *flags |= IPT_ADDRTYPE_OPT_SRCTYPE;
@@ -151,8 +151,8 @@
 if (*flags & IPT_ADDRTYPE_OPT_DSTTYPE) xtables_error(PARAMETER_PROBLEM, "addrtype: can't specify dst-type twice");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_types(argv[optind-1], &info->dest);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_types(optarg, &info->dest);
 if (invert) info->flags |= IPT_ADDRTYPE_INVERT_DEST; *flags |= IPT_ADDRTYPE_OPT_DSTTYPE;
@@ -304,57 +304,57 @@ } static const struct option addrtype_opts[] = { - { "src-type", 1, NULL, '1' }, - { "dst-type", 1, NULL, '2' }, - { .name = NULL } + {.name = "src-type", .has_arg = true, .val = '1'}, + {.name = "dst-type", .has_arg = true, .val = '2'}, + XT_GETOPT_TABLEEND, }; static const struct option addrtype_opts_v0[] = { - { "src-type", 1, NULL, '1' }, - { "dst-type", 1, NULL, '2' }, - { .name = NULL } + {.name = "src-type", .has_arg = true, .val = '1'}, + {.name = "dst-type", .has_arg = true, .val = '2'}, + XT_GETOPT_TABLEEND, }; static const struct option addrtype_opts_v1[] = { - { "src-type", 1, NULL, '1' }, - { "dst-type", 1, NULL, '2' }, - { "limit-iface-in", 0, NULL, '3' }, - { "limit-iface-out", 0, NULL, '4' }, - { .name = NULL } -}; - -static struct xtables_match addrtype_mt_reg_v0 = { - .name = "addrtype", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), - .help = addrtype_help_v0, - .parse = addrtype_parse_v0, - .final_check = addrtype_check_v0, - .print = addrtype_print_v0, - .save = addrtype_save_v0, - .extra_opts = addrtype_opts_v0, + {.name = "src-type", .has_arg = true, .val = '1'}, + {.name = "dst-type", .has_arg = true, .val = '2'}, + {.name = "limit-iface-in", .has_arg = false, .val = '3'}, + {.name = "limit-iface-out", .has_arg = false, .val = '4'}, + XT_GETOPT_TABLEEND, }; -static struct xtables_match addrtype_mt_reg_v1 = { - .name = "addrtype", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), - .help = addrtype_help_v1, - .parse = addrtype_parse_v1, - .final_check = addrtype_check_v1, - .print = addrtype_print_v1, - .save = addrtype_save_v1, - .extra_opts = addrtype_opts_v1, - .revision = 1, +static struct xtables_match addrtype_mt_reg[] = { + { + .name = "addrtype", + .version = 
XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info)), + .help = addrtype_help_v0, + .parse = addrtype_parse_v0, + .final_check = addrtype_check_v0, + .print = addrtype_print_v0, + .save = addrtype_save_v0, + .extra_opts = addrtype_opts_v0, + }, + { + .name = "addrtype", + .revision = 1, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_addrtype_info_v1)), + .help = addrtype_help_v1, + .parse = addrtype_parse_v1, + .final_check = addrtype_check_v1, + .print = addrtype_print_v1, + .save = addrtype_save_v1, + .extra_opts = addrtype_opts_v1, + }, }; void _init(void) { - xtables_register_match(&addrtype_mt_reg_v0); - xtables_register_match(&addrtype_mt_reg_v1); + xtables_register_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libipt_ah.c iptables-1.4.10/extensions/libipt_ah.c --- iptables-1.4.4/extensions/libipt_ah.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_ah.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add AH support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -17,8 +18,8 @@ } static const struct option ah_opts[] = { - { "ahspi", 1, NULL, '1' }, - { .name = NULL } + {.name = "ahspi", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static u_int32_t 
@@ -82,8 +83,8 @@ if (*flags & AH_SPI) xtables_error(PARAMETER_PROBLEM, "Only one `--ahspi' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_ah_spis(argv[optind-1], ahinfo->spis); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_ah_spis(optarg, ahinfo->spis); if (invert) ahinfo->invflags |= IPT_AH_INV_SPI; *flags |= AH_SPI; diff -Nru iptables-1.4.4/extensions/libipt_CLUSTERIP.c iptables-1.4.10/extensions/libipt_CLUSTERIP.c --- iptables-1.4.4/extensions/libipt_CLUSTERIP.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_CLUSTERIP.c 2010-10-29 14:37:22.000000000 +0000 @@ -3,6 +3,7 @@ * * Development of this code was funded by SuSE AG, http://www.suse.com/ */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -41,13 +42,13 @@ #define PARAM_HASHINIT 0x0020 static const struct option CLUSTERIP_opts[] = { - { "new", 0, NULL, '1' }, - { "hashmode", 1, NULL, '2' }, - { "clustermac", 1, NULL, '3' }, - { "total-nodes", 1, NULL, '4' }, - { "local-node", 1, NULL, '5' }, - { "hash-init", 1, NULL, '6' }, - { .name = NULL } + {.name = "new", .has_arg = false, .val = '1'}, + {.name = "hashmode", .has_arg = true, .val = '2'}, + {.name = "clustermac", .has_arg = true, .val = '3'}, + {.name = "total-nodes", .has_arg = true, .val = '4'}, + {.name = "local-node", .has_arg = true, .val = '5'}, + {.name = "hash-init", .has_arg = true, .val = '6'}, + XT_GETOPT_TABLEEND, }; static void diff -Nru iptables-1.4.4/extensions/libipt_DNAT.c iptables-1.4.10/extensions/libipt_DNAT.c --- iptables-1.4.4/extensions/libipt_DNAT.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_DNAT.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add destination-NAT support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -31,10 +32,10 @@ } static const struct option DNAT_opts[] = { - { "to-destination", 1, NULL, '1' }, - { "random", 0, NULL, '2' }, - { "persistent", 0, NULL, '3' }, - { .name = NULL } + {.name = "to-destination", .has_arg = true, .val = '1'}, + {.name = "random", .has_arg = false, .val = '2'}, + {.name = "persistent", .has_arg = false, .val = '3'}, + XT_GETOPT_TABLEEND, }; static struct ipt_natinfo * @@ -154,11 +155,11 @@ switch (c) { case '1': - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --to-destination"); - if (*flags) { + if (*flags & IPT_DNAT_OPT_DEST) { if (!kernel_version) get_kernel_version(); if (kernel_version > LINUX_VERSION(2, 6, 10)) diff -Nru iptables-1.4.4/extensions/libipt_ecn.c iptables-1.4.10/extensions/libipt_ecn.c --- iptables-1.4.4/extensions/libipt_ecn.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_ecn.c 2010-10-29 14:37:22.000000000 +0000 @@ -7,6 +7,7 @@ * libipt_ecn.c borrowed heavily from libipt_dscp.c * */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -25,10 +26,10 @@ } static const struct option ecn_opts[] = { - { .name = "ecn-tcp-cwr", .has_arg = 0, .val = 'F' }, - { .name = "ecn-tcp-ece", .has_arg = 0, .val = 'G' }, - { .name = "ecn-ip-ect", .has_arg = 1, .val = 'H' }, - { .name = NULL } + {.name = "ecn-tcp-cwr", .has_arg = false, .val = 'F'}, + {.name = "ecn-tcp-ece", .has_arg = false, .val = 'G'}, + {.name = "ecn-ip-ect", .has_arg = true, .val = 'H'}, + XT_GETOPT_TABLEEND, }; static int ecn_parse(int c, char **argv, int invert, unsigned int *flags, 
@@ -43,7 +44,7 @@ if (*flags & IPT_ECN_OP_MATCH_CWR) xtables_error(PARAMETER_PROBLEM, "ECN match: can only use parameter ONCE!"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); einfo->operation |= IPT_ECN_OP_MATCH_CWR; if (invert) einfo->invert |= IPT_ECN_OP_MATCH_CWR; @@ -54,7 +55,7 @@ if (*flags & IPT_ECN_OP_MATCH_ECE) xtables_error(PARAMETER_PROBLEM, "ECN match: can only use parameter ONCE!"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); einfo->operation |= IPT_ECN_OP_MATCH_ECE; if (invert) einfo->invert |= IPT_ECN_OP_MATCH_ECE; @@ -65,7 +66,7 @@ if (*flags & IPT_ECN_OP_MATCH_IP) xtables_error(PARAMETER_PROBLEM, "ECN match: can only use parameter ONCE!"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) einfo->invert |= IPT_ECN_OP_MATCH_IP; *flags |= IPT_ECN_OP_MATCH_IP; diff -Nru iptables-1.4.4/extensions/libipt_ECN.c iptables-1.4.10/extensions/libipt_ECN.c --- iptables-1.4.4/extensions/libipt_ECN.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_ECN.c 2010-10-29 14:37:22.000000000 +0000 @@ -8,6 +8,7 @@ * * $Id$ */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -32,11 +33,11 @@ static const struct option ECN_opts[] = { - { "ecn-tcp-remove", 0, NULL, 'F' }, - { "ecn-tcp-cwr", 1, NULL, 'G' }, - { "ecn-tcp-ece", 1, NULL, 'H' }, - { "ecn-ip-ect", 1, NULL, '9' }, - { .name = NULL } + {.name = "ecn-tcp-remove", .has_arg = false, .val = 'F'}, + {.name = "ecn-tcp-cwr", .has_arg = true, .val = 'G'}, + {.name = "ecn-tcp-ece", .has_arg = true, .val = 'H'}, + {.name = "ecn-ip-ect", .has_arg = true, .val = '9'}, + XT_GETOPT_TABLEEND, }; static int ECN_parse(int c, char **argv, int invert, unsigned int *flags, diff -Nru iptables-1.4.4/extensions/libipt_icmp.c iptables-1.4.10/extensions/libipt_icmp.c --- iptables-1.4.4/extensions/libipt_icmp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_icmp.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add ICMP support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -108,8 +109,8 @@ } static const struct option icmp_opts[] = { - { "icmp-type", 1, NULL, '1' }, - { .name = NULL } + {.name = "icmp-type", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void @@ -183,8 +184,8 @@ if (*flags == 1) xtables_error(PARAMETER_PROBLEM, "icmp match: only use --icmp-type once!"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_icmp(argv[optind-1], &icmpinfo->type, + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_icmp(optarg, &icmpinfo->type, icmpinfo->code); if (invert) icmpinfo->invflags |= IPT_ICMP_INV; diff -Nru iptables-1.4.4/extensions/libipt_LOG.c iptables-1.4.10/extensions/libipt_LOG.c --- iptables-1.4.4/extensions/libipt_LOG.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_LOG.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add LOG support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -25,17 +26,19 @@ " --log-tcp-sequence Log TCP sequence numbers.\n\n" " --log-tcp-options Log TCP options.\n\n" " --log-ip-options Log IP options.\n\n" -" --log-uid Log UID owning the local socket.\n\n"); +" --log-uid Log UID owning the local socket.\n\n" +" --log-macdecode Decode MAC addresses and protocol.\n\n"); } static const struct option LOG_opts[] = { - { .name = "log-level", .has_arg = 1, .val = '!' }, - { .name = "log-prefix", .has_arg = 1, .val = '#' }, - { .name = "log-tcp-sequence", .has_arg = 0, .val = '1' }, - { .name = "log-tcp-options", .has_arg = 0, .val = '2' }, - { .name = "log-ip-options", .has_arg = 0, .val = '3' }, - { .name = "log-uid", .has_arg = 0, .val = '4' }, - { .name = NULL } + {.name = "log-level", .has_arg = true, .val = '!'}, + {.name = "log-prefix", .has_arg = true, .val = '#'}, + {.name = "log-tcp-sequence", .has_arg = false, .val = '1'}, + {.name = "log-tcp-options", .has_arg = false, .val = '2'}, + {.name = "log-ip-options", .has_arg = false, .val = '3'}, + {.name = "log-uid", .has_arg = false, .val = '4'}, + {.name = "log-macdecode", .has_arg = false, .val = '5'}, + XT_GETOPT_TABLEEND, }; static void LOG_init(struct xt_entry_target *t) @@ -96,6 +99,7 @@ #define IPT_LOG_OPT_TCPOPT 0x08 #define IPT_LOG_OPT_IPOPT 0x10 #define IPT_LOG_OPT_UID 0x20 +#define IPT_LOG_OPT_MACDECODE 0x40 static int LOG_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) @@ -108,7 +112,7 @@ xtables_error(PARAMETER_PROBLEM, "Can't specify --log-level twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --log-level"); 
@@ -121,7 +125,7 @@ xtables_error(PARAMETER_PROBLEM, "Can't specify --log-prefix twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --log-prefix"); @@ -179,6 +183,14 @@ *flags |= IPT_LOG_OPT_UID; break; + case '5': + if (*flags & IPT_LOG_OPT_MACDECODE) + xtables_error(PARAMETER_PROBLEM, + "Can't specifiy --log-macdecode twice"); + + loginfo->logflags |= IPT_LOG_MACDECODE; + *flags |= IPT_LOG_OPT_MACDECODE; + break; default: return 0; } @@ -213,6 +225,8 @@ printf("ip-options "); if (loginfo->logflags & IPT_LOG_UID) printf("uid "); + if (loginfo->logflags & IPT_LOG_MACDECODE) + printf("macdecode "); if (loginfo->logflags & ~(IPT_LOG_MASK)) printf("unknown-flags "); } @@ -242,6 +256,8 @@ printf("--log-ip-options "); if (loginfo->logflags & IPT_LOG_UID) printf("--log-uid "); + if (loginfo->logflags & IPT_LOG_MACDECODE) + printf("--log-macdecode "); } static struct xtables_target log_tg_reg = { diff -Nru iptables-1.4.4/extensions/libipt_MASQUERADE.c iptables-1.4.10/extensions/libipt_MASQUERADE.c --- iptables-1.4.4/extensions/libipt_MASQUERADE.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_MASQUERADE.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add masquerade support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -20,9 +21,9 @@ } static const struct option MASQUERADE_opts[] = { - { "to-ports", 1, NULL, '1' }, - { "random", 0, NULL, '2' }, - { .name = NULL } + {.name = "to-ports", .has_arg = true, .val = '1'}, + {.name = "random", .has_arg = false, .val = '2'}, + XT_GETOPT_TABLEEND, }; static void MASQUERADE_init(struct xt_entry_target *t) 
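Review bot: The error string added in the new `case '5':` of hunk @@ -179,6 +183,14 @@ misspells "specify": `"Can't specifiy --log-macdecode twice"`. This text is shown to the user, so it should read `"Can't specify --log-macdecode twice"`, matching the neighbouring `--log-level` and `--log-prefix` messages. The case also relies on `IPT_LOG_MACDECODE`, which is not defined anywhere in this file's hunks and presumably comes from the kernel header, so older headers without it would break the build of this extension. LOG_parse's switch starts and ends outside the hunk.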
@@ -38,34 +39,34 @@ static void parse_ports(const char *arg, struct nf_nat_multi_range *mr) { - const char *dash; - int port; + char *end; + unsigned int port, maxport; mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; - port = atoi(arg); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, "Port \"%s\" not valid\n", arg); + if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) + xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); - dash = strchr(arg, '-'); - if (!dash) { + switch (*end) { + case '\0': mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htons(port); - } else { - int maxport; + return; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX)) + break; - maxport = atoi(dash + 1); - if (maxport == 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); if (maxport < port) - /* People are stupid. Present reader excepted. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", arg); + break; + mr->range[0].min.tcp.port = htons(port); mr->range[0].max.tcp.port = htons(maxport); + return; + default: + break; } + xtables_param_act(XTF_BAD_VALUE, "MASQUERADE", "--to-ports", arg); } static int MASQUERADE_parse(int c, char **argv, int invert, unsigned int *flags, @@ -91,7 +92,7 @@ xtables_error(PARAMETER_PROBLEM, "Need TCP, UDP, SCTP or DCCP with port specification"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --to-ports"); diff -Nru iptables-1.4.4/extensions/libipt_MIRROR.c iptables-1.4.10/extensions/libipt_MIRROR.c --- iptables-1.4.4/extensions/libipt_MIRROR.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_MIRROR.c 2010-10-29 14:37:22.000000000 +0000 
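Review bot: The rewritten parse_ports relaxes the accepted range: the removed code rejected `port <= 0` and `maxport == 0`, but the new `xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)` and `xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX)` now accept `--to-ports 0` and `--to-ports 0-1024` silently. Unless port 0 is intended as a valid NAT mapping target, the lower bound should stay at 1: `if (!xtables_strtoui(arg, &end, &port, 1, UINT16_MAX))` and `if (!xtables_strtoui(end + 1, NULL, &maxport, 1, UINT16_MAX))`. The same relaxation appears in the parse_ports rewrite of libipt_REDIRECT.c (hunk @@ -39,40 +41,36 @@). `UINT16_MAX` is also new here while only `<stdbool.h>` was added to the includes; if xtables.h does not pull in `<stdint.h>`, that include is missing too.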
@@ -1,32 +1,12 @@ /* Shared library add-on to iptables to add MIRROR target support. */ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> - #include <xtables.h> -static void MIRROR_help(void) -{ - printf("MIRROR target takes no options\n"); -} - -static int MIRROR_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} - static struct xtables_target mirror_tg_reg = { .name = "MIRROR", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = MIRROR_help, - .parse = MIRROR_parse, - .print = NULL, - .save = NULL, }; void _init(void) diff -Nru iptables-1.4.4/extensions/libipt_NETMAP.c iptables-1.4.10/extensions/libipt_NETMAP.c --- iptables-1.4.4/extensions/libipt_NETMAP.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_NETMAP.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,7 +1,7 @@ /* Shared library add-on to iptables to add static NAT support. Author: Svenning Soerensen <svenning@post5.tele.dk> */ - +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -13,8 +13,8 @@ #define MODULENAME "NETMAP" static const struct option NETMAP_opts[] = { - { "to", 1, NULL, '1' }, - { .name = NULL } + {.name = "to", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void NETMAP_help(void) @@ -117,7 +117,7 @@ switch (c) { case '1': - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s", NETMAP_opts[0].name); diff -Nru iptables-1.4.4/extensions/libipt_realm.c iptables-1.4.10/extensions/libipt_realm.c --- iptables-1.4.4/extensions/libipt_realm.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_realm.c 2010-10-29 14:37:22.000000000 +0000 
@@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add realm matching support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -23,8 +24,8 @@ } static const struct option realm_opts[] = { - { "realm", 1, NULL, '1' }, - { .name = NULL } + {.name = "realm", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; struct realmname { @@ -35,10 +36,9 @@ }; /* array of realms from /etc/iproute2/rt_realms */ -static struct realmname *realms = NULL; +static struct realmname *realms; /* 1 if loading failed */ -static int rdberr = 0; - +static int rdberr; static void load_realms(void) { @@ -157,8 +157,8 @@ switch (c) { char *end; case '1': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); - end = optarg = argv[optind-1]; + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + end = optarg = optarg; realminfo->id = strtoul(optarg, &end, 0); if (end != optarg && (*end == '/' || *end == '\0')) { if (*end == '/') diff -Nru iptables-1.4.4/extensions/libipt_REDIRECT.c iptables-1.4.10/extensions/libipt_REDIRECT.c --- iptables-1.4.4/extensions/libipt_REDIRECT.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_REDIRECT.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add redirect support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -17,13 +18,14 @@ printf( "REDIRECT target options:\n" " --to-ports <port>[-<port>]\n" -" Port (range) to map to.\n"); +" Port (range) to map to.\n" +" [--random]\n"); } static const struct option REDIRECT_opts[] = { - { "to-ports", 1, NULL, '1' }, - { "random", 0, NULL, '2' }, - { .name = NULL } + {.name = "to-ports", .has_arg = true, .val = '1'}, + {.name = "random", .has_arg = false, .val = '2'}, + XT_GETOPT_TABLEEND, }; static void REDIRECT_init(struct xt_entry_target *t) 
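Review bot: `end = optarg = optarg;` in the realm `case '1':` hunk (@@ -157,8 +157,8 @@) is a self-assignment left over from mechanically replacing `argv[optind-1]` with `optarg`; it compiles but reads as a mistake and several compilers warn on it. It should simply be `end = optarg;`, which is all the following `strtoul(optarg, &end, 0)` needs. realm_parse's switch begins and ends outside the hunk.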
@@ -39,40 +41,36 @@ static void parse_ports(const char *arg, struct nf_nat_multi_range *mr) { - const char *dash; - int port; + char *end; + unsigned int port, maxport; mr->range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; - if (strchr(arg, '.')) - xtables_error(PARAMETER_PROBLEM, "IP address not permitted\n"); + if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX) && + (port = xtables_service_to_port(arg, NULL)) == (unsigned)-1) + xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); - port = atoi(arg); - if (port == 0) - port = xtables_service_to_port(arg, NULL); - - if (port == 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, "Port \"%s\" not valid\n", arg); - - dash = strchr(arg, '-'); - if (!dash) { + switch (*end) { + case '\0': mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htons(port); - } else { - int maxport; + return; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) && + (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1) + break; - maxport = atoi(dash + 1); - if (maxport == 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", arg); + break; + mr->range[0].min.tcp.port = htons(port); mr->range[0].max.tcp.port = htons(maxport); + return; + default: + break; } + xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg); } static int REDIRECT_parse(int c, char **argv, int invert, unsigned int *flags, 
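Review bot: In the rewritten parse_ports, `end` is declared uninitialized and is only written by `xtables_strtoui`; when the numeric parse fails and the `xtables_service_to_port(arg, NULL)` fallback succeeds (e.g. a service name with no leading digits), control reaches `switch (*end)` with `end` possibly never assigned, if `xtables_strtoui` leaves `*end` untouched on a parse that consumes no characters — worth confirming against libxtables, but as written the service-name path dereferences a pointer this function never set. The removed code had no such path because it validated the numeric port before looking for the dash. Since a service name cannot carry a `-` range suffix in this scheme, the safe shape is to resolve the service and then point `end` at the terminator explicitly. This also keeps the later `case '-':` logic unchanged.
```c
	if (!xtables_strtoui(arg, &end, &port, 0, UINT16_MAX)) {
		if ((port = xtables_service_to_port(arg, NULL)) == (unsigned)-1)
			xtables_param_act(XTF_BAD_VALUE, "REDIRECT", "--to-ports", arg);
		/* service names cannot form a range; treat the whole arg as one port */
		end = (char *)arg + strlen(arg);
	}
	/* … unchanged: switch (*end) { case '\0': ... case '-': ... } … */
```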
@@ -98,7 +96,7 @@ xtables_error(PARAMETER_PROBLEM, "Need TCP, UDP, SCTP or DCCP with port specification"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --to-ports"); diff -Nru iptables-1.4.4/extensions/libipt_REJECT.c iptables-1.4.10/extensions/libipt_REJECT.c --- iptables-1.4.4/extensions/libipt_REJECT.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_REJECT.c 2010-10-29 14:37:22.000000000 +0000 @@ -2,6 +2,7 @@ * * (C) 2000 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -76,8 +77,8 @@ } static const struct option REJECT_opts[] = { - { "reject-with", 1, NULL, '1' }, - { .name = NULL } + {.name = "reject-with", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void REJECT_init(struct xt_entry_target *t) @@ -98,7 +99,7 @@ switch(c) { case '1': - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --reject-with"); for (i = 0; i < limit; i++) { diff -Nru iptables-1.4.4/extensions/libipt_SAME.c iptables-1.4.10/extensions/libipt_SAME.c --- iptables-1.4.4/extensions/libipt_SAME.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_SAME.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add simple non load-balancing SNAT support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -25,10 +26,10 @@ } static const struct option SAME_opts[] = { - { "to", 1, NULL, '1' }, - { "nodst", 0, NULL, '2'}, - { "random", 0, NULL, '3' }, - { .name = NULL } + {.name = "to", .has_arg = true, .val = '1'}, + {.name = "nodst", .has_arg = false, .val = '2'}, + {.name = "random", .has_arg = false, .val = '3'}, + XT_GETOPT_TABLEEND, }; static void SAME_init(struct xt_entry_target *t) @@ -92,7 +93,7 @@ "Too many ranges specified, maximum " "is %i ranges.\n", IPT_SAME_MAX_RANGE); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --to"); diff -Nru iptables-1.4.4/extensions/libipt_set.c iptables-1.4.10/extensions/libipt_set.c --- iptables-1.4.4/extensions/libipt_set.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_set.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,160 +0,0 @@ -/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> - * Patrick Schaaf <bof@bof.de> - * Martin Josefsson <gandalf@wlug.westbo.se> - * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ - -/* Shared library add-on to iptables to add IP set matching. */ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> -#include <ctype.h> -#include <errno.h> - -#include <xtables.h> -#include <linux/netfilter_ipv4/ipt_set.h> -#include "libipt_set.h" - -static void set_help(void) -{ - printf("set match options:\n" - " [!] --match-set name flags\n" - " 'name' is the set name from to match,\n" - " 'flags' are the comma separated list of\n" - " 'src' and 'dst' specifications.\n"); -} - -static const struct option set_opts[] = { - { .name = "match-set", .has_arg = true, .val = '1'}, - { .name = "set", .has_arg = true, .val = '2'}, - { .name = NULL } -}; - -static void set_init(struct xt_entry_match *match) -{ - struct ipt_set_info_match *info = - (struct ipt_set_info_match *) match->data; - - - memset(info, 0, sizeof(struct ipt_set_info_match)); - -} - -static int set_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - struct ipt_set_info_match *myinfo = - (struct ipt_set_info_match *) (*match)->data; - struct ipt_set_info *info = &myinfo->match_set; - - switch (c) { - case '2': -#if 0 - fprintf(stderr, - "--set option deprecated, please use --match-set\n"); -#endif - case '1': /* --match-set <set> <flag>[,<flag> */ - if (info->flags[0]) - xtables_error(PARAMETER_PROBLEM, - "--match-set can be specified only once"); - - xtables_check_inverse(optarg, &invert, &optind, 0); - if (invert) - info->flags[0] |= IPSET_MATCH_INV; - - if 
(!argv[optind] - || argv[optind][0] == '-' - || argv[optind][0] == '!') - xtables_error(PARAMETER_PROBLEM, - "--match-set requires two args."); - - if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1) - xtables_error(PARAMETER_PROBLEM, - "setname `%s' too long, max %d characters.", - argv[optind-1], IP_SET_MAXNAMELEN - 1); - - get_set_byname(argv[optind - 1], info); - parse_bindings(argv[optind], info); - DEBUGP("parse: set index %u\n", info->index); - optind++; - - *flags = 1; - break; - - default: - return 0; - } - - return 1; -} - -static void set_check(unsigned int flags) -{ - if (!flags) - xtables_error(PARAMETER_PROBLEM, - "You must specify `--match-set' with proper arguments"); - DEBUGP("final check OK\n"); -} - -static void -print_match(const char *prefix, const struct ipt_set_info *info) -{ - int i; - char setname[IP_SET_MAXNAMELEN]; - - get_set_byid(setname, info->index); - printf("%s%s %s", - (info->flags[0] & IPSET_MATCH_INV) ? "! " : "", - prefix, - setname); - for (i = 0; i < IP_SET_MAX_BINDINGS; i++) { - if (!info->flags[i]) - break; - printf("%s%s", - i == 0 ? " " : ",", - info->flags[i] & IPSET_SRC ? "src" : "dst"); - } - printf(" "); -} - -/* Prints out the matchinfo. 
*/ -static void set_print(const void *ip, const struct xt_entry_match *match, - int numeric) -{ - const struct ipt_set_info_match *info = (const void *)match->data; - - print_match("match-set", &info->match_set); -} - -static void set_save(const void *ip, const struct xt_entry_match *match) -{ - const struct ipt_set_info_match *info = (const void *)match->data; - - print_match("--match-set", &info->match_set); -} - -static struct xtables_match set_mt_reg = { - .name = "set", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_set_info_match)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_set_info_match)), - .help = set_help, - .init = set_init, - .parse = set_parse, - .final_check = set_check, - .print = set_print, - .save = set_save, - .extra_opts = set_opts, -}; - -void _init(void) -{ - xtables_register_match(&set_mt_reg); -} diff -Nru iptables-1.4.4/extensions/libipt_SET.c iptables-1.4.10/extensions/libipt_SET.c --- iptables-1.4.4/extensions/libipt_SET.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_SET.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,164 +0,0 @@ -/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> - * Patrick Schaaf <bof@bof.de> - * Martin Josefsson <gandalf@wlug.westbo.se> - * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ - -/* Shared library add-on to iptables to add IP set mangling target. */ -#include <stdio.h> -#include <netdb.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> -#include <ctype.h> - -#include <xtables.h> -#include <linux/netfilter_ipv4/ip_set.h> -#include <linux/netfilter_ipv4/ipt_set.h> -#include "libipt_set.h" - -static void SET_help(void) -{ - printf("SET target options:\n" - " --add-set name flags\n" - " --del-set name flags\n" - " add/del src/dst IP/port from/to named sets,\n" - " where flags are the comma separated list of\n" - " 'src' and 'dst' specifications.\n"); -} - -static const struct option SET_opts[] = { - { .name = "add-set", .has_arg = true, .val = '1'}, - { .name = "del-set", .has_arg = true, .val = '2'}, - { .name = NULL } -}; - -static void SET_init(struct xt_entry_target *target) -{ - struct ipt_set_info_target *info = - (struct ipt_set_info_target *) target->data; - - memset(info, 0, sizeof(struct ipt_set_info_target)); - info->add_set.index = - info->del_set.index = IP_SET_INVALID_ID; - -} - -static void -parse_target(char **argv, int invert, unsigned int *flags, - struct ipt_set_info *info, const char *what) -{ - if (info->flags[0]) - xtables_error(PARAMETER_PROBLEM, - "--%s can be specified only once", what); - - if (xtables_check_inverse(optarg, &invert, NULL, 0)) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' 
after --%s", what); - - if (!argv[optind] - || argv[optind][0] == '-' || argv[optind][0] == '!') - xtables_error(PARAMETER_PROBLEM, - "--%s requires two args.", what); - - if (strlen(argv[optind-1]) > IP_SET_MAXNAMELEN - 1) - xtables_error(PARAMETER_PROBLEM, - "setname `%s' too long, max %d characters.", - argv[optind-1], IP_SET_MAXNAMELEN - 1); - - get_set_byname(argv[optind - 1], info); - parse_bindings(argv[optind], info); - optind++; - - *flags = 1; -} - -static int SET_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - struct ipt_set_info_target *myinfo = - (struct ipt_set_info_target *) (*target)->data; - - switch (c) { - case '1': /* --add-set <set> <flags> */ - parse_target(argv, invert, flags, - &myinfo->add_set, "add-set"); - break; - case '2': /* --del-set <set>[:<flags>] <flags> */ - parse_target(argv, invert, flags, - &myinfo->del_set, "del-set"); - break; - - default: - return 0; - } - return 1; -} - -static void SET_check(unsigned int flags) -{ - if (!flags) - xtables_error(PARAMETER_PROBLEM, - "You must specify either `--add-set' or `--del-set'"); -} - -static void -print_target(const char *prefix, const struct ipt_set_info *info) -{ - int i; - char setname[IP_SET_MAXNAMELEN]; - - if (info->index == IP_SET_INVALID_ID) - return; - get_set_byid(setname, info->index); - printf("%s %s", prefix, setname); - for (i = 0; i < IP_SET_MAX_BINDINGS; i++) { - if (!info->flags[i]) - break; - printf("%s%s", - i == 0 ? " " : ",", - info->flags[i] & IPSET_SRC ? 
"src" : "dst"); - } - printf(" "); -} - -static void SET_print(const void *ip, const struct xt_entry_target *target, - int numeric) -{ - const struct ipt_set_info_target *info = (const void *)target->data; - - print_target("add-set", &info->add_set); - print_target("del-set", &info->del_set); -} - -static void SET_save(const void *ip, const struct xt_entry_target *target) -{ - const struct ipt_set_info_target *info = (const void *)target->data; - - print_target("--add-set", &info->add_set); - print_target("--del-set", &info->del_set); -} - -static struct xtables_target set_tg_reg = { - .name = "SET", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_set_info_target)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_set_info_target)), - .help = SET_help, - .init = SET_init, - .parse = SET_parse, - .final_check = SET_check, - .print = SET_print, - .save = SET_save, - .extra_opts = SET_opts, -}; - -void _init(void) -{ - xtables_register_target(&set_tg_reg); -} diff -Nru iptables-1.4.4/extensions/libipt_set.h iptables-1.4.10/extensions/libipt_set.h --- iptables-1.4.4/extensions/libipt_set.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_set.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,119 +0,0 @@ -#ifndef _LIBIPT_SET_H -#define _LIBIPT_SET_H - -#include <unistd.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <errno.h> - -#ifdef DEBUG -#define DEBUGP(x, args...) fprintf(stderr, x, ## args) -#else -#define DEBUGP(x, args...) -#endif - -static void -parse_bindings(const char *opt_arg, struct ipt_set_info *info) -{ - char *saved = strdup(opt_arg); - char *ptr, *tmp = saved; - int i = 0; - - while (i < (IP_SET_MAX_BINDINGS - 1) && tmp != NULL) { - ptr = strsep(&tmp, ","); - if (strncmp(ptr, "src", 3) == 0) - info->flags[i++] |= IPSET_SRC; - else if (strncmp(ptr, "dst", 3) == 0) - info->flags[i++] |= IPSET_DST; - else - xtables_error(PARAMETER_PROBLEM, - "You must spefify (the comma separated list of) 'src' or 'dst'."); - } - - if (tmp) - xtables_error(PARAMETER_PROBLEM, - "Can't follow bindings deeper than %i.", - IP_SET_MAX_BINDINGS - 1); - - free(saved); -} - -static int get_version(unsigned *version) -{ - int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); - struct ip_set_req_version req_version; - socklen_t size = sizeof(req_version); - - if (sockfd < 0) - xtables_error(OTHER_PROBLEM, - "Can't open socket to ipset.\n"); - - req_version.op = IP_SET_OP_VERSION; - res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size); - if (res != 0) - xtables_error(OTHER_PROBLEM, - "Kernel module ip_set is not loaded in.\n"); - - *version = req_version.version; - - return sockfd; -} - -static void get_set_byname(const char *setname, struct ipt_set_info *info) -{ - struct ip_set_req_get_set req; - socklen_t size = sizeof(struct ip_set_req_get_set); - int res, sockfd; - - sockfd = get_version(&req.version); - req.op = IP_SET_OP_GET_BYNAME; - strncpy(req.set.name, setname, IP_SET_MAXNAMELEN); - req.set.name[IP_SET_MAXNAMELEN - 1] = '\0'; - res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size); - close(sockfd); - - if (res != 0) - xtables_error(OTHER_PROBLEM, - "Problem when communicating with ipset, errno=%d.\n", - errno); - if 
(size != sizeof(struct ip_set_req_get_set)) - xtables_error(OTHER_PROBLEM, - "Incorrect return size from kernel during ipset lookup, " - "(want %zu, got %zu)\n", - sizeof(struct ip_set_req_get_set), (size_t)size); - if (req.set.index == IP_SET_INVALID_ID) - xtables_error(PARAMETER_PROBLEM, - "Set %s doesn't exist.\n", setname); - - info->index = req.set.index; -} - -static void get_set_byid(char * setname, ip_set_id_t idx) -{ - struct ip_set_req_get_set req; - socklen_t size = sizeof(struct ip_set_req_get_set); - int res, sockfd; - - sockfd = get_version(&req.version); - req.op = IP_SET_OP_GET_BYINDEX; - req.set.index = idx; - res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size); - close(sockfd); - - if (res != 0) - xtables_error(OTHER_PROBLEM, - "Problem when communicating with ipset, errno=%d.\n", - errno); - if (size != sizeof(struct ip_set_req_get_set)) - xtables_error(OTHER_PROBLEM, - "Incorrect return size from kernel during ipset lookup, " - "(want %zu, got %zu)\n", - sizeof(struct ip_set_req_get_set), (size_t)size); - if (req.set.name[0] == '\0') - xtables_error(PARAMETER_PROBLEM, - "Set id %i in kernel doesn't exist.\n", idx); - - strncpy(setname, req.set.name, IP_SET_MAXNAMELEN); -} - -#endif /*_LIBIPT_SET_H*/ diff -Nru iptables-1.4.4/extensions/libipt_set.man iptables-1.4.10/extensions/libipt_set.man --- iptables-1.4.4/extensions/libipt_set.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_set.man 1970-01-01 00:00:00.000000000 +0000 
@@ -1,19 +0,0 @@ -This modules macthes IP sets which can be defined by ipset(8). -.TP -[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... -where flags are the comma separated list of -.BR "src" -and/or -.BR "dst" -specifications and there can be no more than six of them. Hence the command -.IP - iptables \-A FORWARD \-m set \-\-match\-set test src,dst -.IP -will match packets, for which (if the set type is ipportmap) the source -address and destination port pair can be found in the specified set. If -the set type of the specified set is single dimension (for example ipmap), -then the command will match packets for which the source address can be -found in the specified set. -.PP -The option \fB\-\-match\-set\fR can be replaced by \fB\-\-set\fR if that does -not clash with an option of other extensions. diff -Nru iptables-1.4.4/extensions/libipt_SET.man iptables-1.4.10/extensions/libipt_SET.man --- iptables-1.4.4/extensions/libipt_SET.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_SET.man 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ -This modules adds and/or deletes entries from IP sets which can be defined -by ipset(8). -.TP -\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] -add the address(es)/port(s) of the packet to the sets -.TP -\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] -delete the address(es)/port(s) of the packet from the sets -.IP -where flags are -.BR "src" -and/or -.BR "dst" -specifications and there can be no more than six of them. diff -Nru iptables-1.4.4/extensions/libipt_SNAT.c iptables-1.4.10/extensions/libipt_SNAT.c --- iptables-1.4.4/extensions/libipt_SNAT.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_SNAT.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add source-NAT support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -31,10 +32,10 @@ } static const struct option SNAT_opts[] = { - { "to-source", 1, NULL, '1' }, - { "random", 0, NULL, '2' }, - { "persistent", 0, NULL, '3' }, - { .name = NULL } + {.name = "to-source", .has_arg = true, .val = '1'}, + {.name = "random", .has_arg = false, .val = '2'}, + {.name = "persistent", .has_arg = false, .val = '3'}, + XT_GETOPT_TABLEEND, }; static struct ipt_natinfo * @@ -154,7 +155,7 @@ switch (c) { case '1': - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --to-source"); diff -Nru iptables-1.4.4/extensions/libipt_ttl.c iptables-1.4.10/extensions/libipt_ttl.c --- iptables-1.4.4/extensions/libipt_ttl.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_ttl.c 2010-10-29 14:37:22.000000000 +0000 @@ -4,7 +4,7 @@ * $Id$ * * This program is released under the terms of GNU GPL */ - +#include <stdbool.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -28,7 +28,7 @@ struct ipt_ttl_info *info = (struct ipt_ttl_info *) (*match)->data; unsigned int value; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); switch (c) { case '2': @@ -139,11 +139,11 @@ } static const struct option ttl_opts[] = { - { "ttl", 1, NULL, '2' }, - { "ttl-eq", 1, NULL, '2'}, - { "ttl-lt", 1, NULL, '3'}, - { "ttl-gt", 1, NULL, '4'}, - { .name = NULL } + {.name = "ttl", .has_arg = true, .val = '2'}, + {.name = "ttl-eq", .has_arg = true, .val = '2'}, + {.name = "ttl-lt", .has_arg = true, .val = '3'}, + {.name = "ttl-gt", .has_arg = true, .val = '4'}, + XT_GETOPT_TABLEEND, }; static struct xtables_match ttl_mt_reg = { diff -Nru iptables-1.4.4/extensions/libipt_TTL.c iptables-1.4.10/extensions/libipt_TTL.c --- iptables-1.4.4/extensions/libipt_TTL.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_TTL.c 2010-10-29 14:37:22.000000000 +0000 
@@ -5,6 +5,7 @@ * * This program is distributed under the terms of GNU GPL */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -39,7 +40,7 @@ xtables_error(PARAMETER_PROBLEM, "TTL: You must specify a value"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "TTL: unexpected `!'"); @@ -131,10 +132,10 @@ } static const struct option TTL_opts[] = { - { "ttl-set", 1, NULL, '1' }, - { "ttl-dec", 1, NULL, '2' }, - { "ttl-inc", 1, NULL, '3' }, - { .name = NULL } + {.name = "ttl-set", .has_arg = true, .val = '1'}, + {.name = "ttl-dec", .has_arg = true, .val = '2'}, + {.name = "ttl-inc", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static struct xtables_target ttl_tg_reg = { diff -Nru iptables-1.4.4/extensions/libipt_ULOG.c iptables-1.4.10/extensions/libipt_ULOG.c --- iptables-1.4.4/extensions/libipt_ULOG.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_ULOG.c 2010-10-29 14:37:22.000000000 +0000 @@ -9,6 +9,7 @@ * * libipt_ULOG.c,v 1.7 2001/01/30 11:55:02 laforge Exp */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -42,11 +43,11 @@ } static const struct option ULOG_opts[] = { - {"ulog-nlgroup", 1, NULL, '!'}, - {"ulog-prefix", 1, NULL, '#'}, - {"ulog-cprange", 1, NULL, 'A'}, - {"ulog-qthreshold", 1, NULL, 'B'}, - { .name = NULL } + {.name = "ulog-nlgroup", .has_arg = true, .val = '!'}, + {.name = "ulog-prefix", .has_arg = true, .val = '#'}, + {.name = "ulog-cprange", .has_arg = true, .val = 'A'}, + {.name = "ulog-qthreshold", .has_arg = true, .val = 'B'}, + XT_GETOPT_TABLEEND, }; static void ULOG_init(struct xt_entry_target *t) 
@@ -76,7 +77,7 @@ xtables_error(PARAMETER_PROBLEM, "Can't specify --ulog-nlgroup twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --ulog-nlgroup"); group_d = atoi(optarg); @@ -94,7 +95,7 @@ xtables_error(PARAMETER_PROBLEM, "Can't specify --ulog-prefix twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --ulog-prefix"); diff -Nru iptables-1.4.4/extensions/libipt_unclean.c iptables-1.4.10/extensions/libipt_unclean.c --- iptables-1.4.4/extensions/libipt_unclean.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libipt_unclean.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,28 +1,12 @@ /* Shared library add-on to iptables for unclean. */ -#include <stdio.h> -#include <stdlib.h> -#include <getopt.h> #include <xtables.h> -static void unclean_help(void) -{ - printf("unclean match takes no options\n"); -} - -static int unclean_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - return 0; -} - static struct xtables_match unclean_mt_reg = { .name = "unclean", .version = XTABLES_VERSION, .family = NFPROTO_IPV4, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = unclean_help, - .parse = unclean_parse, }; void _init(void) diff -Nru iptables-1.4.4/extensions/libxt_CHECKSUM.c iptables-1.4.10/extensions/libxt_CHECKSUM.c --- iptables-1.4.4/extensions/libxt_CHECKSUM.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_CHECKSUM.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,97 @@
+/* Shared library add-on to xtables for CHECKSUM
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 by Red Hat, Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ *
+ * libxt_CHECKSUM.c borrowed some bits from libipt_ECN.c
+ */
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_CHECKSUM.h>
+
+static void CHECKSUM_help(void)
+{
+ printf(
+"CHECKSUM target options\n"
+" --checksum-fill Fill in packet checksum.\n");
+}
+
+static const struct option CHECKSUM_opts[] = {
+ {.name = "checksum-fill", .has_arg = false, .val = 'F'},
+ XT_GETOPT_TABLEEND,
+};
+
+static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_CHECKSUM_info *einfo
+ = (struct xt_CHECKSUM_info *)(*target)->data;
+
+ switch (c) {
+ case 'F':
+ xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
+ *flags & XT_CHECKSUM_OP_FILL);
+ einfo->operation = XT_CHECKSUM_OP_FILL;
+ *flags |= XT_CHECKSUM_OP_FILL;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void CHECKSUM_check(unsigned int flags)
+{
+ if (!flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "CHECKSUM target: Parameter --checksum-fill is required");
+}
+
+static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_CHECKSUM_info *einfo =
+ (const struct xt_CHECKSUM_info *)target->data;
+
+ printf("CHECKSUM ");
+
+ if (einfo->operation & XT_CHECKSUM_OP_FILL)
+ printf("fill ");
+}
+
+static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_CHECKSUM_info *einfo =
+ (const struct xt_CHECKSUM_info *)target->data;
+
+ if (einfo->operation & XT_CHECKSUM_OP_FILL)
+ printf("--checksum-fill ");
+}
+
+static struct xtables_target checksum_tg_reg = {
+ .name = "CHECKSUM",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+ .help = CHECKSUM_help,
+ .parse = CHECKSUM_parse,
+ .final_check = CHECKSUM_check,
+ .print = CHECKSUM_print,
+ .save = CHECKSUM_save,
+ .extra_opts = CHECKSUM_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&checksum_tg_reg);
+}
diff -Nru iptables-1.4.4/extensions/libxt_CHECKSUM.man iptables-1.4.10/extensions/libxt_CHECKSUM.man
--- iptables-1.4.4/extensions/libxt_CHECKSUM.man 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_CHECKSUM.man 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,8 @@
+This target allows to selectively work around broken/old applications.
+It can only be used in the mangle table.
+.TP
+\fB\-\-checksum\-fill\fP
+Compute and fill in the checksum in a packet that lacks a checksum.
+This is particularly useful, if you need to work around old applications
+such as dhcp clients, that do not work well with checksum offloads,
+but don't want to disable checksum offload in your device.
diff -Nru iptables-1.4.4/extensions/libxt_CLASSIFY.c iptables-1.4.10/extensions/libxt_CLASSIFY.c
--- iptables-1.4.4/extensions/libxt_CLASSIFY.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_CLASSIFY.c 2010-10-29 14:37:22.000000000 +0000
@@ -1,4 +1,5 @@
 /* Shared library add-on to iptables to add CLASSIFY target support. */
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
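Review bot: `CHECKSUM_parse` never reads its `invert` parameter, so an extrapositioned `! --checksum-fill` is accepted and the `!` silently dropped unless the core rejects it before calling the target's parse callback; the TTL and ULOG targets touched in this same diff reject a `!` explicitly. Adding `if (invert) xtables_error(PARAMETER_PROBLEM, "CHECKSUM: unexpected '!'");` at the top of `case 'F':` makes the behaviour explicit rather than dependent on the caller. The `*flags & XT_CHECKSUM_OP_FILL` argument to `xtables_param_act` reuses a kernel operation bit as the parser's seen-once flag, which differs from the parser-private bitmasks other extensions keep in `*flags`; a comment such as `/* the kernel op bit doubles as the "already given" flag */` would save the next reader a lookup.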
@@ -19,8 +20,8 @@ } static const struct option CLASSIFY_opts[] = { - { "set-class", 1, NULL, '1' }, - { .name = NULL } + {.name = "set-class", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static int CLASSIFY_string_to_priority(const char *s, unsigned int *p) diff -Nru iptables-1.4.4/extensions/libxt_cluster.c iptables-1.4.10/extensions/libxt_cluster.c --- iptables-1.4.4/extensions/libxt_cluster.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_cluster.c 2010-10-29 14:37:22.000000000 +0000 @@ -5,6 +5,7 @@ * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -38,11 +39,11 @@ }; static const struct option cluster_opts[] = { - { "cluster-total-nodes", 1, NULL, CLUSTER_OPT_TOTAL_NODES }, - { "cluster-local-node", 1, NULL, CLUSTER_OPT_LOCAL_NODE }, - { "cluster-local-nodemask", 1, NULL, CLUSTER_OPT_NODE_MASK }, - { "cluster-hash-seed", 1, NULL, CLUSTER_OPT_HASH_SEED }, - { .name = NULL } + {.name = "cluster-total-nodes", .has_arg = true, .val = CLUSTER_OPT_TOTAL_NODES}, + {.name = "cluster-local-node", .has_arg = true, .val = CLUSTER_OPT_LOCAL_NODE}, + {.name = "cluster-local-nodemask", .has_arg = true, .val = CLUSTER_OPT_NODE_MASK}, + {.name = "cluster-hash-seed", .has_arg = true, .val = CLUSTER_OPT_HASH_SEED}, + XT_GETOPT_TABLEEND, }; static int @@ -80,7 +81,7 @@ "`--cluster-local-nodemask' and " "`--cluster-local-node'"); } - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (!xtables_strtoui(optarg, NULL, &num, 1, XT_CLUSTER_NODES_MAX)) { 
@@ -105,7 +106,7 @@ "`--cluster-local-nodemask' and " "`--cluster-local-node'"); } - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (!xtables_strtoui(optarg, NULL, &num, 1, XT_CLUSTER_NODES_MAX)) { diff -Nru iptables-1.4.4/extensions/libxt_comment.c iptables-1.4.10/extensions/libxt_comment.c --- iptables-1.4.4/extensions/libxt_comment.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_comment.c 2010-10-29 14:37:22.000000000 +0000 @@ -6,6 +6,7 @@ * 2004-05-12: Brad Fisher <brad@info-link.net> * Port to patch-o-matic-ng */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -22,8 +23,8 @@ } static const struct option comment_opts[] = { - { "comment", 1, NULL, '1' }, - { .name = NULL } + {.name = "comment", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void @@ -46,12 +47,12 @@ switch (c) { case '1': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) { xtables_error(PARAMETER_PROBLEM, "Sorry, you can't have an inverted comment"); } - parse_comment(argv[optind-1], commentinfo); + parse_comment(optarg, commentinfo); *flags = 1; break; @@ -89,21 +90,7 @@ } static struct xtables_match comment_match = { - .family = NFPROTO_IPV4, - .name = "comment", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_comment_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_comment_info)), - .help = comment_help, - .parse = comment_parse, - .final_check = comment_check, - .print = comment_print, - .save = comment_save, - .extra_opts = comment_opts, -}; - -static struct xtables_match comment_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "comment", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_comment_info)), 
@@ -119,5 +106,4 @@ void _init(void) { xtables_register_match(&comment_match); - xtables_register_match(&comment_match6); } diff -Nru iptables-1.4.4/extensions/libxt_comment.man iptables-1.4.10/extensions/libxt_comment.man --- iptables-1.4.4/extensions/libxt_comment.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_comment.man 2010-10-29 14:37:22.000000000 +0000 @@ -3,4 +3,4 @@ \fB\-\-comment\fP \fIcomment\fP .TP Example: -iptables \-A INPUT \-s 192.168.0.0/16 \-m comment \-\-comment "A privatized IP block" +iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN" diff -Nru iptables-1.4.4/extensions/libxt_connbytes.c iptables-1.4.10/extensions/libxt_connbytes.c --- iptables-1.4.4/extensions/libxt_connbytes.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_connbytes.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add byte tracking support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -18,10 +19,10 @@ } static const struct option connbytes_opts[] = { - { "connbytes", 1, NULL, '1' }, - { "connbytes-dir", 1, NULL, '2' }, - { "connbytes-mode", 1, NULL, '3' }, - { .name = NULL } + {.name = "connbytes", .has_arg = true, .val = '1'}, + {.name = "connbytes-dir", .has_arg = true, .val = '2'}, + {.name = "connbytes-mode", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static void @@ -52,10 +53,10 @@ switch (c) { case '1': - if (xtables_check_inverse(optarg, &invert, &optind, 0)) + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) optind++; - parse_range(argv[optind-1], sinfo); + parse_range(optarg, sinfo); if (invert) { i = sinfo->count.from; sinfo->count.from = sinfo->count.to; 
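Review bot: In the connbytes `case '1':`, `optind++` is still executed when `xtables_check_inverse(optarg, &invert, &optind, 0, argv)` returns true, yet the range is now read from `optarg` instead of `argv[optind-1]`; if the five-argument `xtables_check_inverse` already advances `*optind` past the consumed `!` (it is handed `&optind`), the extra increment skips the argument following the range. The connlimit hunk further down calls it as a bare statement, `xtables_check_inverse(optarg, &invert, &optind, 0, argv);`, and then reads `optarg` directly; the same shape would be consistent here and removes the double advance if my reading of the helper is right. The enclosing `connbytes_parse` starts and ends outside the hunk.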
@@ -180,21 +181,7 @@ } static struct xtables_match connbytes_match = { - .family = NFPROTO_IPV4, - .name = "connbytes", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connbytes_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)), - .help = connbytes_help, - .parse = connbytes_parse, - .final_check = connbytes_check, - .print = connbytes_print, - .save = connbytes_save, - .extra_opts = connbytes_opts, -}; - -static struct xtables_match connbytes_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "connbytes", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_connbytes_info)), @@ -210,5 +197,4 @@ void _init(void) { xtables_register_match(&connbytes_match); - xtables_register_match(&connbytes_match6); } diff -Nru iptables-1.4.4/extensions/libxt_connbytes.man iptables-1.4.10/extensions/libxt_connbytes.man --- iptables-1.4.4/extensions/libxt_connbytes.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_connbytes.man 2010-10-29 14:37:22.000000000 +0000 @@ -8,7 +8,7 @@ scheduled using a lower priority band in traffic control. .PP The transferred bytes per connection can also be viewed through -`conntrack -L` and accessed via ctnetlink. +`conntrack \-L` and accessed via ctnetlink. .PP NOTE that for connections which have no accounting information, the match will always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls diff -Nru iptables-1.4.4/extensions/libxt_connlimit.c iptables-1.4.10/extensions/libxt_connlimit.c --- iptables-1.4.4/extensions/libxt_connlimit.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_connlimit.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add connection limit support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -18,9 +19,9 @@ } static const struct option connlimit_opts[] = { - {"connlimit-above", 1, NULL, 'A'}, - {"connlimit-mask", 1, NULL, 'M'}, - { .name = NULL } + {.name = "connlimit-above", .has_arg = true, .val = 'A'}, + {.name = "connlimit-mask", .has_arg = true, .val = 'M'}, + XT_GETOPT_TABLEEND, }; static void connlimit_init(struct xt_entry_match *match) @@ -65,8 +66,8 @@ xtables_error(PARAMETER_PROBLEM, "--connlimit-above may be given only once"); *flags |= 0x1; - xtables_check_inverse(optarg, &invert, &optind, 0); - info->limit = strtoul(argv[optind-1], NULL, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + info->limit = strtoul(optarg, NULL, 0); info->inverse = invert; break; case 'M': @@ -75,7 +76,7 @@ "--connlimit-mask may be given only once"); *flags |= 0x2; - i = strtoul(argv[optind-1], &err, 0); + i = strtoul(optarg, &err, 0); if (family == NFPROTO_IPV6) { if (i > 128 || *err != '\0') xtables_error(PARAMETER_PROBLEM, 
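Review bot: `info->limit = strtoul(optarg, NULL, 0);` in the `--connlimit-above` case accepts any string, so a mistyped value becomes a limit of 0 and trailing garbage is ignored, while the cluster hunks in this same diff validate with `xtables_strtoui`. Since the line is being rewritten anyway, `unsigned int limit; if (!xtables_strtoui(optarg, NULL, &limit, 0, UINT_MAX)) xtables_error(PARAMETER_PROBLEM, "bad --connlimit-above value"); info->limit = limit;` rejects bad input the way the `--connlimit-mask` case already does via `*err`. Reading `optarg` right after `xtables_check_inverse(optarg, &invert, &optind, 0, argv)` also presumes that the five-argument variant re-points `optarg` past a consumed `!`; a one-line comment at this site, `/* xtables_check_inverse() moves optarg past an intrapositioned "!" */`, would record that assumption. The enclosing parse function continues outside the hunk.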
@@ -179,38 +180,38 @@ count_bits6(info->v6_mask)); } -static struct xtables_match connlimit_match = { - .name = "connlimit", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), - .userspacesize = offsetof(struct xt_connlimit_info, data), - .help = connlimit_help, - .init = connlimit_init, - .parse = connlimit_parse4, - .final_check = connlimit_check, - .print = connlimit_print4, - .save = connlimit_save4, - .extra_opts = connlimit_opts, -}; - -static struct xtables_match connlimit_match6 = { - .name = "connlimit", - .family = NFPROTO_IPV6, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), - .userspacesize = offsetof(struct xt_connlimit_info, data), - .help = connlimit_help, - .init = connlimit_init, - .parse = connlimit_parse6, - .final_check = connlimit_check, - .print = connlimit_print6, - .save = connlimit_save6, - .extra_opts = connlimit_opts, +static struct xtables_match connlimit_mt_reg[] = { + { + .name = "connlimit", + .family = NFPROTO_IPV4, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = connlimit_help, + .init = connlimit_init, + .parse = connlimit_parse4, + .final_check = connlimit_check, + .print = connlimit_print4, + .save = connlimit_save4, + .extra_opts = connlimit_opts, + }, + { + .name = "connlimit", + .family = NFPROTO_IPV6, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connlimit_info)), + .userspacesize = offsetof(struct xt_connlimit_info, data), + .help = connlimit_help, + .init = connlimit_init, + .parse = connlimit_parse6, + .final_check = connlimit_check, + .print = connlimit_print6, + .save = connlimit_save6, + .extra_opts = connlimit_opts, + }, }; void _init(void) { - xtables_register_match(&connlimit_match); - xtables_register_match(&connlimit_match6); + xtables_register_matches(connlimit_mt_reg, 
ARRAY_SIZE(connlimit_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_connlimit.man iptables-1.4.10/extensions/libxt_connlimit.man --- iptables-1.4.4/extensions/libxt_connlimit.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_connlimit.man 2010-10-29 14:37:22.000000000 +0000 @@ -2,7 +2,7 @@ client IP address (or client address block). .TP [\fB!\fP] \fB\-\-connlimit\-above\fP \fIn\fP -Match if the number of existing connections is (not) above \fIn\fR. +Match if the number of existing connections is (not) above \fIn\fP. .TP \fB\-\-connlimit\-mask\fP \fIprefix_length\fP Group hosts using the prefix length. For IPv4, this must be a number between diff -Nru iptables-1.4.4/extensions/libxt_connmark.c iptables-1.4.10/extensions/libxt_connmark.c --- iptables-1.4.4/extensions/libxt_connmark.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_connmark.c 2010-10-29 14:37:22.000000000 +0000 @@ -19,6 +19,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -28,6 +29,11 @@ #include <xtables.h> #include <linux/netfilter/xt_connmark.h> +struct xt_connmark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + enum { F_MARK = 1 << 0, }; @@ -41,7 +47,7 @@ static const struct option connmark_mt_opts[] = { {.name = "mark", .has_arg = true, .val = '1'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static int @@ -82,7 +88,7 @@ switch (c) { char *end; case '1': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); markinfo->mark = strtoul(optarg, &end, 0); markinfo->mask = 0xffffffffUL; 
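Review bot: The new file-local `struct xt_connmark_info` in libxt_connmark.c carries a kernel structure name with no comment explaining why it is defined here; presumably the revision-0 layout was dropped from `<linux/netfilter/xt_connmark.h>` and userspace still needs it for the revision-0 registration's `.size`/`.userspacesize`. Its `unsigned long` fields make `sizeof` differ between 32- and 64-bit userspace, so the revision-0 match only works where the kernel was built with the same width; that constraint is worth stating next to the definition. Suggest `/* revision-0 ABI, no longer exported by the kernel header; unsigned long makes this layout word-size dependent */` above the struct, and the same note for `struct xt_connmark_target_info` in the libxt_CONNMARK.c hunk below.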
@@ -163,70 +169,38 @@ print_mark(info->mark, info->mask); } -static struct xtables_match connmark_mt_reg_v0 = { - .family = NFPROTO_IPV4, - .name = "connmark", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)), - .help = connmark_mt_help, - .parse = connmark_parse, - .final_check = connmark_mt_check, - .print = connmark_print, - .save = connmark_save, - .extra_opts = connmark_mt_opts, -}; - -static struct xtables_match connmark_mt6_reg_v0 = { - .family = NFPROTO_IPV6, - .name = "connmark", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)), - .help = connmark_mt_help, - .parse = connmark_parse, - .final_check = connmark_mt_check, - .print = connmark_print, - .save = connmark_save, - .extra_opts = connmark_mt_opts, -}; - -static struct xtables_match connmark_mt_reg = { - .version = XTABLES_VERSION, - .name = "connmark", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .help = connmark_mt_help, - .parse = connmark_mt_parse, - .final_check = connmark_mt_check, - .print = connmark_mt_print, - .save = connmark_mt_save, - .extra_opts = connmark_mt_opts, -}; - -static struct xtables_match connmark_mt6_reg = { - .version = XTABLES_VERSION, - .name = "connmark", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), - .help = connmark_mt_help, - .parse = connmark_mt_parse, - .final_check = connmark_mt_check, - .print = connmark_mt_print, - .save = connmark_mt_save, - .extra_opts = connmark_mt_opts, +static struct xtables_match connmark_mt_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "connmark", + .revision = 0, + .version = 
XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connmark_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_info)), + .help = connmark_mt_help, + .parse = connmark_parse, + .final_check = connmark_mt_check, + .print = connmark_print, + .save = connmark_save, + .extra_opts = connmark_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "connmark", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_mtinfo1)), + .help = connmark_mt_help, + .parse = connmark_mt_parse, + .final_check = connmark_mt_check, + .print = connmark_mt_print, + .save = connmark_mt_save, + .extra_opts = connmark_mt_opts, + }, }; void _init(void) { - xtables_register_match(&connmark_mt_reg_v0); - xtables_register_match(&connmark_mt6_reg_v0); - xtables_register_match(&connmark_mt_reg); - xtables_register_match(&connmark_mt6_reg); + xtables_register_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_CONNMARK.c iptables-1.4.10/extensions/libxt_CONNMARK.c --- iptables-1.4.4/extensions/libxt_CONNMARK.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_CONNMARK.c 2010-10-29 14:37:22.000000000 +0000 @@ -19,6 +19,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -28,6 +29,12 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_CONNMARK.h> +struct xt_connmark_target_info { + unsigned long mark; + unsigned long mask; + u_int8_t mode; +}; + enum { F_MARK = 1 << 0, F_SR_MARK = 1 << 1, 
@@ -43,11 +50,11 @@ } static const struct option CONNMARK_opts[] = { - { "set-mark", 1, NULL, '1' }, - { "save-mark", 0, NULL, '2' }, - { "restore-mark", 0, NULL, '3' }, - { "mask", 1, NULL, '4' }, - { .name = NULL } + {.name = "set-mark", .has_arg = true, .val = '1'}, + {.name = "save-mark", .has_arg = false, .val = '2'}, + {.name = "restore-mark", .has_arg = false, .val = '3'}, + {.name = "mask", .has_arg = true, .val = '4'}, + XT_GETOPT_TABLEEND, }; static const struct option connmark_tg_opts[] = { @@ -61,7 +68,7 @@ {.name = "ctmask", .has_arg = true, .val = 'c'}, {.name = "nfmask", .has_arg = true, .val = 'n'}, {.name = "mask", .has_arg = true, .val = 'm'}, - {.name = NULL}, + XT_GETOPT_TABLEEND, }; static void connmark_tg_help(void) @@ -312,6 +319,8 @@ printf("CONNMARK or 0x%x ", info->ctmark); else if (info->ctmask == 0) printf("CONNMARK xor 0x%x ", info->ctmark); + else if (info->ctmask == 0xFFFFFFFFU) + printf("CONNMARK set 0x%x ", info->ctmark); else printf("CONNMARK xset 0x%x/0x%x ", info->ctmark, info->ctmask); 
@@ -398,74 +407,40 @@ } } -static struct xtables_target connmark_target = { - .family = NFPROTO_IPV4, - .name = "CONNMARK", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .help = CONNMARK_help, - .init = CONNMARK_init, - .parse = CONNMARK_parse, - .final_check = connmark_tg_check, - .print = CONNMARK_print, - .save = CONNMARK_save, - .extra_opts = CONNMARK_opts, -}; - -static struct xtables_target connmark_target6 = { - .family = NFPROTO_IPV6, - .name = "CONNMARK", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)), - .help = CONNMARK_help, - .init = CONNMARK_init, - .parse = CONNMARK_parse, - .final_check = connmark_tg_check, - .print = CONNMARK_print, - .save = CONNMARK_save, - .extra_opts = CONNMARK_opts, -}; - -static struct xtables_target connmark_tg_reg = { - .version = XTABLES_VERSION, - .name = "CONNMARK", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .help = connmark_tg_help, - .init = connmark_tg_init, - .parse = connmark_tg_parse, - .final_check = connmark_tg_check, - .print = connmark_tg_print, - .save = connmark_tg_save, - .extra_opts = connmark_tg_opts, -}; - -static struct xtables_target connmark_tg6_reg = { - .version = XTABLES_VERSION, - .name = "CONNMARK", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), - .help = connmark_tg_help, - .init = connmark_tg_init, - .parse = connmark_tg_parse, - .final_check = connmark_tg_check, - .print = connmark_tg_print, - .save = connmark_tg_save, - .extra_opts = connmark_tg_opts, +static struct xtables_target connmark_tg_reg[] = { + 
{ + .family = NFPROTO_UNSPEC, + .name = "CONNMARK", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_connmark_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_target_info)), + .help = CONNMARK_help, + .init = CONNMARK_init, + .parse = CONNMARK_parse, + .final_check = connmark_tg_check, + .print = CONNMARK_print, + .save = CONNMARK_save, + .extra_opts = CONNMARK_opts, + }, + { + .version = XTABLES_VERSION, + .name = "CONNMARK", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo1)), + .help = connmark_tg_help, + .init = connmark_tg_init, + .parse = connmark_tg_parse, + .final_check = connmark_tg_check, + .print = connmark_tg_print, + .save = connmark_tg_save, + .extra_opts = connmark_tg_opts, + }, }; void _init(void) { - xtables_register_target(&connmark_target); - xtables_register_target(&connmark_target6); - xtables_register_target(&connmark_tg_reg); - xtables_register_target(&connmark_tg6_reg); + xtables_register_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_connmark.man iptables-1.4.10/extensions/libxt_connmark.man --- iptables-1.4.4/extensions/libxt_connmark.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_connmark.man 2010-10-29 14:37:22.000000000 +0000 
@@ -1,5 +1,5 @@ This module matches the netfilter mark field associated with a connection -(which can be set using the \fBCONNMARK\fR target below). +(which can be set using the \fBCONNMARK\fP target below). .TP [\fB!\fP] \fB\-\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] Matches packets in connections with the given mark value (if a mask is diff -Nru iptables-1.4.4/extensions/libxt_CONNMARK.man iptables-1.4.10/extensions/libxt_CONNMARK.man --- iptables-1.4.4/extensions/libxt_CONNMARK.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_CONNMARK.man 2010-10-29 14:37:22.000000000 +0000 @@ -1,7 +1,8 @@ -This module sets the netfilter mark value associated with a connection. +This module sets the netfilter mark value associated with a connection. The +mark is 32 bits wide. .TP \fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] -Zero out the bits given by \fImask\fR and XOR \fIvalue\fR into the ctmark. +Zero out the bits given by \fImask\fP and XOR \fIvalue\fP into the ctmark. .TP \fB\-\-save\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] Copy the packet mark (nfmark) to the connection mark (ctmark) using the given 
@@ -9,18 +10,18 @@ .IP ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) .IP -i.e. \fIctmask\fR defines what bits to clear and \fInfmask\fR what bits of the -nfmark to XOR into the ctmark. \fIctmask\fR and \fInfmask\fR default to +i.e. \fIctmask\fP defines what bits to clear and \fInfmask\fP what bits of the +nfmark to XOR into the ctmark. \fIctmask\fP and \fInfmask\fP default to 0xFFFFFFFF. .TP \fB\-\-restore\-mark\fP [\fB\-\-nfmask\fP \fInfmask\fP] [\fB\-\-ctmask\fP \fIctmask\fP] Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: .IP -nfmark = (nfmark & ~\fInfmask\fR) ^ (ctmark & \fIctmask\fR); +nfmark = (nfmark & ~\fInfmask\fP) ^ (ctmark & \fIctmask\fP); .IP -i.e. \fInfmask\fR defines what bits to clear and \fIctmask\fR what bits of the -ctmark to XOR into the nfmark. \fIctmask\fR and \fInfmask\fR default to +i.e. \fInfmask\fP defines what bits to clear and \fIctmask\fP what bits of the +ctmark to XOR into the nfmark. \fIctmask\fP and \fInfmask\fP default to 0xFFFFFFFF. .IP \fB\-\-restore\-mark\fP is only valid in the \fBmangle\fP table. 
@@ -28,16 +29,16 @@ The following mnemonics are available for \fB\-\-set\-xmark\fP: .TP \fB\-\-and\-mark\fP \fIbits\fP -Binary AND the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark -0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.) +Binary AND the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) .TP \fB\-\-or\-mark\fP \fIbits\fP -Binary OR the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP -\fIbits\fR\fB/\fR\fIbits\fR.) +Binary OR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP +\fIbits\fP\fB/\fP\fIbits\fP.) .TP \fB\-\-xor\-mark\fP \fIbits\fP -Binary XOR the ctmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP -\fIbits\fR\fB/0\fR.) +Binary XOR the ctmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP +\fIbits\fP\fB/0\fP.) .TP \fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] Set the connection mark. If a mask is specified then only those bits set in the @@ -49,4 +50,4 @@ .TP \fB\-\-restore\-mark\fP [\fB\-\-mask\fP \fImask\fP] Copy the ctmark to the nfmark. If a mask is specified, only those bits are -copied. This is only valid in the \fBmangle\fR table. +copied. This is only valid in the \fBmangle\fP table. diff -Nru iptables-1.4.4/extensions/libxt_CONNSECMARK.c iptables-1.4.10/extensions/libxt_CONNSECMARK.c --- iptables-1.4.4/extensions/libxt_CONNSECMARK.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_CONNSECMARK.c 2010-10-29 14:37:22.000000000 +0000 @@ -5,6 +5,7 @@ * * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -23,9 +24,9 @@ } static const struct option CONNSECMARK_opts[] = { - { "save", 0, NULL, '1' }, - { "restore", 0, NULL, '2' }, - { .name = NULL } + {.name = "save", .has_arg = false, .val = '1'}, + {.name = "restore", .has_arg = false, .val = '2'}, + XT_GETOPT_TABLEEND, }; static int @@ -107,22 +108,7 @@ } static struct xtables_target connsecmark_target = { - .family = NFPROTO_IPV4, - .name = "CONNSECMARK", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_connsecmark_target_info)), - .parse = CONNSECMARK_parse, - .help = CONNSECMARK_help, - .final_check = CONNSECMARK_check, - .print = CONNSECMARK_print, - .save = CONNSECMARK_save, - .extra_opts = CONNSECMARK_opts, -}; - -static struct xtables_target connsecmark_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "CONNSECMARK", .version = XTABLES_VERSION, .revision = 0, @@ -139,5 +125,4 @@ void _init(void) { xtables_register_target(&connsecmark_target); - xtables_register_target(&connsecmark_target6); } diff -Nru iptables-1.4.4/extensions/libxt_conntrack.c iptables-1.4.10/extensions/libxt_conntrack.c --- iptables-1.4.4/extensions/libxt_conntrack.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_conntrack.c 2010-10-29 14:37:22.000000000 +0000 @@ -12,6 +12,7 @@ #include <getopt.h> #include <netdb.h> #include <stdbool.h> +#include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h> 
@@ -21,6 +22,39 @@ #include <linux/netfilter/nf_conntrack_common.h> #include <arpa/inet.h> +struct ip_conntrack_old_tuple { + struct { + __be32 ip; + union { + __u16 all; + } u; + } src; + + struct { + __be32 ip; + union { + __u16 all; + } u; + + /* The protocol. */ + __u16 protonum; + } dst; +}; + +struct xt_conntrack_info { + unsigned int statemask, statusmask; + + struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; + struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; + + unsigned long expires_min, expires_max; + + /* Flags word */ + u_int8_t flags; + /* Inverse flags */ + u_int8_t invflags; +}; + static void conntrack_mt_help(void) { printf( @@ -54,7 +88,7 @@ {.name = "ctrepldst", .has_arg = true, .val = '6'}, {.name = "ctstatus", .has_arg = true, .val = '7'}, {.name = "ctexpire", .has_arg = true, .val = '8'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static const struct option conntrack_mt_opts[] = { @@ -115,7 +149,7 @@ } static bool -conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state, +conntrack_ps_state(struct xt_conntrack_mtinfo2 *info, const char *state, size_t z) { if (strncasecmp(state, "INVALID", z) == 0) @@ -138,7 +172,7 @@ } static void -conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg) +conntrack_ps_states(struct xt_conntrack_mtinfo2 *info, const char *arg) { const char *comma; @@ -189,7 +223,7 @@ } static bool -conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status, +conntrack_ps_status(struct xt_conntrack_mtinfo2 *info, const char *status, size_t z) { if (strncasecmp(status, "NONE", z) == 0) @@ -208,7 +242,7 @@ } static void -conntrack_ps_statuses(struct xt_conntrack_mtinfo1 *info, const char *arg) +conntrack_ps_statuses(struct xt_conntrack_mtinfo2 *info, const char *arg) { const char *comma; 
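Review bot: The `@@ -21,6 +22,39 @@` hunk re-declares `struct ip_conntrack_old_tuple` and `struct xt_conntrack_info` locally without saying why, and the `unsigned long expires_min, expires_max` and `unsigned int statemask, statusmask` fields look like a candidate for normalisation to fixed-width types, which would silently change the revision-0 `.size`/`.userspacesize` registered further down. Suggest a comment above the two structs: `/* Revision-0 layouts, copied verbatim from the old kernel header; keep the exact field types, they define the size the kernel expects for rev 0. */`. The `__be32`/`__u16` members also rely on `<linux/types.h>` having been pulled in by an include outside this hunk, which is worth stating in the same comment.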
@@ -263,7 +297,7 @@ } static void -conntrack_ps_expires(struct xt_conntrack_mtinfo1 *info, const char *s) +conntrack_ps_expires(struct xt_conntrack_mtinfo2 *info, const char *s) { unsigned int min, max; char *end; @@ -272,7 +306,7 @@ xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s); max = min; if (*end == ':') - if (!xtables_strtoui(s, &end, &max, 0, UINT32_MAX)) + if (!xtables_strtoui(end + 1, &end, &max, 0, UINT32_MAX)) xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s); if (*end != '\0') xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s); @@ -297,9 +331,9 @@ switch (c) { case '1': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); - parse_states(argv[optind-1], sinfo); + parse_states(optarg, sinfo); if (invert) { sinfo->invflags |= XT_CONNTRACK_STATE; } @@ -307,16 +341,16 @@ break; case '2': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if(invert) sinfo->invflags |= XT_CONNTRACK_PROTO; /* Canonicalize into lower case */ - for (protocol = argv[optind-1]; *protocol; protocol++) + for (protocol = optarg; *protocol; protocol++) *protocol = tolower(*protocol); - protocol = argv[optind-1]; + protocol = optarg; sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = xtables_parse_protocol(protocol); @@ -329,12 +363,12 @@ break; case '3': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) sinfo->invflags |= XT_CONNTRACK_ORIGSRC; - xtables_ipparse_any(argv[optind-1], &addrs, + xtables_ipparse_any(optarg, &addrs, &sinfo->sipmsk[IP_CT_DIR_ORIGINAL], &naddrs); if(naddrs > 1) 
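Review bot: In the `@@ -272,7 +306,7 @@` hunk the corrected `min:max` parsing still accepts a range with `min > max`, and nothing visible afterwards checks it, so `--ctexpire 100:10` is loaded as a rule that can never match (or, with `!`, always matches) rather than being rejected at the command line. After the `if (*end != '\0')` check add `if (min > max) xtables_param_act(XTF_BAD_VALUE, "conntrack", "--expires", s);`. The enclosing `conntrack_ps_expires` starts and ends outside this hunk, and the kernel-side comparison is not visible here, so the "never matches" outcome is inferred from the range semantics documented in the man page.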
@@ -349,12 +383,12 @@ break; case '4': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) sinfo->invflags |= XT_CONNTRACK_ORIGDST; - xtables_ipparse_any(argv[optind-1], &addrs, + xtables_ipparse_any(optarg, &addrs, &sinfo->dipmsk[IP_CT_DIR_ORIGINAL], &naddrs); if(naddrs > 1) @@ -369,12 +403,12 @@ break; case '5': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) sinfo->invflags |= XT_CONNTRACK_REPLSRC; - xtables_ipparse_any(argv[optind-1], &addrs, + xtables_ipparse_any(optarg, &addrs, &sinfo->sipmsk[IP_CT_DIR_REPLY], &naddrs); if(naddrs > 1) @@ -389,12 +423,12 @@ break; case '6': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) sinfo->invflags |= XT_CONNTRACK_REPLDST; - xtables_ipparse_any(argv[optind-1], &addrs, + xtables_ipparse_any(optarg, &addrs, &sinfo->dipmsk[IP_CT_DIR_REPLY], &naddrs); if(naddrs > 1) @@ -409,9 +443,9 @@ break; case '7': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); - parse_statuses(argv[optind-1], sinfo); + parse_statuses(optarg, sinfo); if (invert) { sinfo->invflags |= XT_CONNTRACK_STATUS; } @@ -419,9 +453,9 @@ break; case '8': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); - parse_expires(argv[optind-1], sinfo); + parse_expires(optarg, sinfo); if (invert) { sinfo->invflags |= XT_CONNTRACK_EXPIRES; } @@ -437,10 +471,9 @@ } static int -conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags, - struct xt_entry_match **match) +conntrack_mt_parse(int c, bool invert, unsigned int *flags, + struct xt_conntrack_mtinfo2 *info) { - struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; unsigned int port; char *p; 
@@ -543,10 +576,9 @@ } static int -conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) +conntrack_mt4_parse(int c, bool invert, unsigned int *flags, + struct xt_conntrack_mtinfo2 *info) { - struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; struct in_addr *addr = NULL; unsigned int naddrs = 0; @@ -605,7 +637,7 @@ default: - return conntrack_mt_parse(c, argv, invert, flags, match); + return conntrack_mt_parse(c, invert, flags, info); } *flags = info->match_flags; @@ -613,10 +645,9 @@ } static int -conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) +conntrack_mt6_parse(int c, bool invert, unsigned int *flags, + struct xt_conntrack_mtinfo2 *info) { - struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; struct in6_addr *addr = NULL; unsigned int naddrs = 0; 
@@ -675,13 +706,62 @@ default: - return conntrack_mt_parse(c, argv, invert, flags, match); + return conntrack_mt_parse(c, invert, flags, info); } *flags = info->match_flags; return true; } +#define cinfo_transform(r, l) \ + do { \ + memcpy((r), (l), offsetof(typeof(*(l)), state_mask)); \ + (r)->state_mask = (l)->state_mask; \ + (r)->status_mask = (l)->status_mask; \ + } while (false); + +static int +conntrack1_mt4_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; + struct xt_conntrack_mtinfo2 up; + + cinfo_transform(&up, info); + if (!conntrack_mt4_parse(c, invert, flags, &up)) + return false; + cinfo_transform(info, &up); + return true; +} + +static int +conntrack1_mt6_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data; + struct xt_conntrack_mtinfo2 up; + + cinfo_transform(&up, info); + if (!conntrack_mt6_parse(c, invert, flags, &up)) + return false; + cinfo_transform(info, &up); + return true; +} + +static int +conntrack2_mt4_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + return conntrack_mt4_parse(c, invert, flags, (void *)(*match)->data); +} + +static int +conntrack2_mt6_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + return conntrack_mt6_parse(c, invert, flags, (void *)(*match)->data); +} + static void conntrack_mt_check(unsigned int flags) { if (flags == 0) 
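Review bot: The `cinfo_transform` macro ends with `} while (false);` — the trailing semicolon inside the definition makes every use expand to `do { … } while (false);;`, which defeats the purpose of the do/while idiom and would break an `if (cond) cinfo_transform(a, b); else …` form; drop it: `} while (false)`. Separately, the copy-back in `conntrack1_mt4_parse`/`conntrack1_mt6_parse` assigns `(r)->state_mask = (l)->state_mask` from the `mtinfo2` temporary into the revision-1 struct; if `xt_conntrack_mtinfo1`'s `state_mask` is narrower than `xt_conntrack_mtinfo2`'s (which the existence of revision 2 and the new UNTRACKED state in the man page suggest, but the header is not visible here), a state bit that does not fit is silently truncated and the rule loads with a different meaning than typed. If that is the case, the revision-1 wrappers should reject such a value with `xtables_error(PARAMETER_PROBLEM, …)` after `conntrack_mt4_parse` returns rather than letting it wrap.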
@@ -762,9 +842,13 @@ return; } if (numeric) - printf("%s ", xtables_ipaddr_to_numeric(&addr->in)); + printf("%s%s ", + xtables_ipaddr_to_numeric(&addr->in), + xtables_ipmask_to_numeric(&mask->in)); else - printf("%s ", xtables_ipaddr_to_anyname(&addr->in)); + printf("%s%s ", + xtables_ipaddr_to_anyname(&addr->in), + xtables_ipmask_to_numeric(&mask->in)); } else if (family == NFPROTO_IPV6) { if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && addr->ip6[2] == 0 && addr->ip6[3] == 0) { @@ -772,9 +856,13 @@ return; } if (numeric) - printf("%s ", xtables_ip6addr_to_numeric(&addr->in6)); + printf("%s%s ", + xtables_ip6addr_to_numeric(&addr->in6), + xtables_ip6mask_to_numeric(&mask->in6)); else - printf("%s ", xtables_ip6addr_to_anyname(&addr->in6)); + printf("%s%s ", + xtables_ip6addr_to_anyname(&addr->in6), + xtables_ip6mask_to_numeric(&mask->in6)); } } @@ -894,7 +982,7 @@ } static void -conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix, +conntrack_dump(const struct xt_conntrack_mtinfo2 *info, const char *prefix, unsigned int family, bool numeric) { if (info->match_flags & XT_CONNTRACK_STATE) { @@ -1004,6 +1092,28 @@ } static void +conntrack1_mt4_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_conntrack_mtinfo1 *info = (void *)match->data; + struct xt_conntrack_mtinfo2 up; + + cinfo_transform(&up, info); + conntrack_dump(&up, "", NFPROTO_IPV4, numeric); +} + +static void +conntrack1_mt6_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_conntrack_mtinfo1 *info = (void *)match->data; + struct xt_conntrack_mtinfo2 up; + + cinfo_transform(&up, info); + conntrack_dump(&up, "", NFPROTO_IPV6, numeric); +} + +static void conntrack_mt_print(const void *ip, const struct xt_entry_match *match, int numeric) { 
@@ -1034,54 +1144,100 @@ conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true); } -static struct xtables_match conntrack_match = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), - .help = conntrack_mt_help, - .parse = conntrack_parse, - .final_check = conntrack_mt_check, - .print = conntrack_print, - .save = conntrack_save, - .extra_opts = conntrack_mt_opts_v0, -}; +static void +conntrack1_mt4_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_conntrack_mtinfo1 *info = (void *)match->data; + struct xt_conntrack_mtinfo2 up; -static struct xtables_match conntrack_mt_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .help = conntrack_mt_help, - .parse = conntrack_mt4_parse, - .final_check = conntrack_mt_check, - .print = conntrack_mt_print, - .save = conntrack_mt_save, - .extra_opts = conntrack_mt_opts, -}; + cinfo_transform(&up, info); + conntrack_dump(&up, "--", NFPROTO_IPV4, true); +} + +static void +conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_conntrack_mtinfo1 *info = (void *)match->data; + struct xt_conntrack_mtinfo2 up; + + cinfo_transform(&up, info); + conntrack_dump(&up, "--", NFPROTO_IPV6, true); +} -static struct xtables_match conntrack_mt6_reg = { - .version = XTABLES_VERSION, - .name = "conntrack", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), - .help = conntrack_mt_help, - .parse = conntrack_mt6_parse, - .final_check = conntrack_mt_check, - .print = conntrack_mt6_print, - .save = conntrack_mt6_save, - 
.extra_opts = conntrack_mt_opts, +static struct xtables_match conntrack_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)), + .help = conntrack_mt_help, + .parse = conntrack_parse, + .final_check = conntrack_mt_check, + .print = conntrack_print, + .save = conntrack_save, + .extra_opts = conntrack_mt_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = conntrack_mt_help, + .parse = conntrack1_mt4_parse, + .final_check = conntrack_mt_check, + .print = conntrack1_mt4_print, + .save = conntrack1_mt4_save, + .extra_opts = conntrack_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)), + .help = conntrack_mt_help, + .parse = conntrack1_mt6_parse, + .final_check = conntrack_mt_check, + .print = conntrack1_mt6_print, + .save = conntrack1_mt6_save, + .extra_opts = conntrack_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 2, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .help = conntrack_mt_help, + .parse = conntrack2_mt4_parse, + .final_check = conntrack_mt_check, + .print = conntrack_mt_print, + .save = conntrack_mt_save, + .extra_opts = conntrack_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "conntrack", + .revision = 2, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)), + .help = 
conntrack_mt_help, + .parse = conntrack2_mt6_parse, + .final_check = conntrack_mt_check, + .print = conntrack_mt6_print, + .save = conntrack_mt6_save, + .extra_opts = conntrack_mt_opts, + }, }; void _init(void) { - xtables_register_match(&conntrack_match); - xtables_register_match(&conntrack_mt_reg); - xtables_register_match(&conntrack_mt6_reg); + xtables_register_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_conntrack.man iptables-1.4.10/extensions/libxt_conntrack.man --- iptables-1.4.4/extensions/libxt_conntrack.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_conntrack.man 2010-10-29 14:37:22.000000000 +0000 
@@ -1,36 +1,36 @@ This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection. .TP -[\fB!\fR] \fB\-\-ctstate\fP \fIstatelist\fP -\fIstatelist\fR is a comma separated list of the connection states to match. +[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP +\fIstatelist\fP is a comma separated list of the connection states to match. Possible states are listed below. .TP -[\fB!\fR] \fB\-\-ctproto\fP \fIl4proto\fP +[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP Layer-4 protocol to match (by number or name) .TP -[\fB!\fR] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] .TP -[\fB!\fR] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] .TP -[\fB!\fR] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] .TP -[\fB!\fR] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] +[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] Match against original/reply source/destination address .TP -[\fB!\fR] \fB\-\-ctorigsrcport\fP \fIport\fP +[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP .TP -[\fB!\fR] \fB\-\-ctorigdstport\fP \fIport\fP +[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP .TP -[\fB!\fR] \fB\-\-ctreplsrcport\fP \fIport\fP +[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP .TP -[\fB!\fR] \fB\-\-ctrepldstport\fP \fIport\fP +[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. .TP -[\fB!\fR] \fB\-\-ctstatus\fP \fIstatelist\fP -\fIstatuslist\fR is a comma separated list of the connection statuses to match. +[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP +\fIstatuslist\fP is a comma separated list of the connection statuses to match. Possible statuses are listed below. 
.TP -[\fB!\fR] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] +[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] Match remaining lifetime in seconds against given value or range of values (inclusive) .TP @@ -40,42 +40,46 @@ .PP States for \fB\-\-ctstate\fP: .TP -\fBINVALID\fR +\fBINVALID\fP meaning that the packet is associated with no known connection .TP -\fBNEW\fR +\fBNEW\fP meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and .TP -\fBESTABLISHED\fR +\fBESTABLISHED\fP meaning that the packet is associated with a connection which has seen packets in both directions, .TP -\fBRELATED\fR +\fBRELATED\fP meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. .TP -\fBSNAT\fR +\fBUNTRACKED\fP +meaning that the packet is not tracked at all, which happens if you use +the NOTRACK target in raw table. +.TP +\fBSNAT\fP A virtual state, matching if the original source address differs from the reply destination. .TP -\fBDNAT\fR +\fBDNAT\fP A virtual state, matching if the original destination differs from the reply source. .PP Statuses for \fB\-\-ctstatus\fP: .TP -\fBNONE\fR +\fBNONE\fP None of the below. .TP -\fBEXPECTED\fR +\fBEXPECTED\fP This is an expected connection (i.e. a conntrack helper set it up) .TP -\fBSEEN_REPLY\fR +\fBSEEN_REPLY\fP Conntrack has seen packets in both directions. .TP -\fBASSURED\fR +\fBASSURED\fP Conntrack entry should never be early-expired. .TP -\fBCONFIRMED\fR +\fBCONFIRMED\fP Connection is confirmed: originating packet has left box. diff -Nru iptables-1.4.4/extensions/libxt_cpu.c iptables-1.4.10/extensions/libxt_cpu.c --- iptables-1.4.4/extensions/libxt_cpu.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_cpu.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,99 @@ +/* Shared library add-on to iptables to add CPU match support. */ +#include <stdbool.h> +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter/xt_cpu.h> + +static void cpu_help(void) +{ + printf( +"cpu match options:\n" +"[!] --cpu number Match CPU number\n"); +} + +static const struct option cpu_opts[] = { + {.name = "cpu", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, +}; + +static void +parse_cpu(const char *s, struct xt_cpu_info *info) +{ + unsigned int cpu; + char *end; + + if (!xtables_strtoui(s, &end, &cpu, 0, UINT32_MAX)) + xtables_param_act(XTF_BAD_VALUE, "cpu", "--cpu", s); + + if (*end != '\0') + xtables_param_act(XTF_BAD_VALUE, "cpu", "--cpu", s); + + info->cpu = cpu; +} + +static int +cpu_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_cpu_info *cpuinfo = (struct xt_cpu_info *)(*match)->data; + + switch (c) { + case '1': + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_cpu(optarg, cpuinfo); + if (invert) + cpuinfo->invert = 1; + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +static void cpu_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify `--cpu'"); +} + +static void +cpu_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_cpu_info *info = (void *)match->data; + + printf("cpu %s%u ", info->invert ? "! ":"", info->cpu); +} + +static void cpu_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_cpu_info *info = (void *)match->data; + + printf("%s--cpu %u ", info->invert ? "! 
":"", info->cpu); +} + +static struct xtables_match cpu_match = { + .family = NFPROTO_UNSPEC, + .name = "cpu", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_cpu_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_cpu_info)), + .help = cpu_help, + .parse = cpu_parse, + .final_check = cpu_check, + .print = cpu_print, + .save = cpu_save, + .extra_opts = cpu_opts, +}; + +void _init(void) +{ + xtables_register_match(&cpu_match); +} diff -Nru iptables-1.4.4/extensions/libxt_cpu.man iptables-1.4.10/extensions/libxt_cpu.man --- iptables-1.4.4/extensions/libxt_cpu.man 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_cpu.man 2010-10-29 14:37:22.000000000 +0000 @@ -0,0 +1,15 @@ +.TP +[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP +Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1 +Can be used in combination with RPS (Remote Packet Steering) or +multiqueue NICs to spread network traffic on different queues. +.PP +Example: +.PP +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0 +\-j REDIRECT \-\-to\-port 8080 +.PP +iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1 +\-j REDIRECT \-\-to\-port 8081 +.PP +Available since Linux 2.6.36. diff -Nru iptables-1.4.4/extensions/libxt_CT.c iptables-1.4.10/extensions/libxt_CT.c --- iptables-1.4.4/extensions/libxt_CT.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_CT.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,193 @@ +#include <stdbool.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <stddef.h> +#include <getopt.h> +#include <xtables.h> +#include <linux/netfilter/nf_conntrack_common.h> +#include <linux/netfilter/xt_CT.h> + +static void ct_help(void) +{ + printf( +"CT target options:\n" +" --notrack Don't track connection\n" +" --helper name Use conntrack helper 'name' for connection\n" +" --ctevents event[,event...] Generate specified conntrack events for connection\n" +" --expevents event[,event...] Generate specified expectation events for connection\n" +" --zone ID Assign/Lookup connection in zone ID\n" + ); +} + +enum ct_options { + CT_OPT_NOTRACK = 0x1, + CT_OPT_HELPER = 0x2, + CT_OPT_CTEVENTS = 0x4, + CT_OPT_EXPEVENTS = 0x8, + CT_OPT_ZONE = 0x10, +}; + +static const struct option ct_opts[] = { + {.name = "notrack", .has_arg = false, .val = CT_OPT_NOTRACK}, + {.name = "helper", .has_arg = true, .val = CT_OPT_HELPER}, + {.name = "ctevents", .has_arg = true, .val = CT_OPT_CTEVENTS}, + {.name = "expevents", .has_arg = true, .val = CT_OPT_EXPEVENTS}, + {.name = "zone", .has_arg = true, .val = CT_OPT_ZONE}, + XT_GETOPT_TABLEEND, +}; + +struct event_tbl { + const char *name; + unsigned int event; +}; + +static const struct event_tbl ct_event_tbl[] = { + { "new", IPCT_NEW }, + { "related", IPCT_RELATED }, + { "destroy", IPCT_DESTROY }, + { "reply", IPCT_REPLY }, + { "assured", IPCT_ASSURED }, + { "protoinfo", IPCT_PROTOINFO }, + { "helper", IPCT_HELPER }, + { "mark", IPCT_MARK }, + { "natseqinfo", IPCT_NATSEQADJ }, + { "secmark", IPCT_SECMARK }, +}; + +static const struct event_tbl exp_event_tbl[] = { + { "new", IPEXP_NEW }, +}; + +static uint32_t ct_parse_events(const struct event_tbl *tbl, unsigned int size, + const char *events) +{ + char str[strlen(events) + 1], *e = str, *t; + unsigned int mask = 0, i; + + strcpy(str, events); + while ((t = strsep(&e, ","))) { + for (i = 0; i < size; i++) { + if (strcmp(t, tbl[i].name)) + continue; 
+ mask |= 1 << tbl[i].event; + break; + } + + if (i == size) + xtables_error(PARAMETER_PROBLEM, "Unknown event type \"%s\"", t); + } + + return mask; +} + +static void ct_print_events(const char *pfx, const struct event_tbl *tbl, + unsigned int size, uint32_t mask) +{ + const char *sep = ""; + unsigned int i; + + printf("%s ", pfx); + for (i = 0; i < size; i++) { + if (mask & (1 << tbl[i].event)) { + printf("%s%s", sep, tbl[i].name); + sep = ","; + } + } + printf(" "); +} + +static int ct_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_ct_target_info *info = (struct xt_ct_target_info *)(*target)->data; + unsigned int zone; + + switch (c) { + case CT_OPT_NOTRACK: + xtables_param_act(XTF_ONLY_ONCE, "CT", "--notrack", *flags & CT_OPT_NOTRACK); + info->flags |= XT_CT_NOTRACK; + break; + case CT_OPT_HELPER: + xtables_param_act(XTF_ONLY_ONCE, "CT", "--helper", *flags & CT_OPT_HELPER); + strncpy(info->helper, optarg, sizeof(info->helper)); + info->helper[sizeof(info->helper) - 1] = '\0'; + break; + case CT_OPT_CTEVENTS: + xtables_param_act(XTF_ONLY_ONCE, "CT", "--ctevents", *flags & CT_OPT_CTEVENTS); + info->ct_events = ct_parse_events(ct_event_tbl, ARRAY_SIZE(ct_event_tbl), optarg); + break; + case CT_OPT_EXPEVENTS: + xtables_param_act(XTF_ONLY_ONCE, "CT", "--expevents", *flags & CT_OPT_EXPEVENTS); + info->exp_events = ct_parse_events(exp_event_tbl, ARRAY_SIZE(exp_event_tbl), optarg); + break; + case CT_OPT_ZONE: + xtables_param_act(XTF_ONLY_ONCE, "CT", "--zone", *flags & CT_OPT_ZONE); + if (!xtables_strtoui(optarg, NULL, &zone, 0, UINT16_MAX)) + xtables_error(PARAMETER_PROBLEM, "Bad zone value \"%s\"", optarg); + info->zone = zone; + break; + default: + return 0; + } + + *flags |= c; + return 1; +} + +static void ct_print(const void *ip, const struct xt_entry_target *target, int numeric) +{ + const struct xt_ct_target_info *info = + (const struct xt_ct_target_info *)target->data; + + 
printf("CT "); + if (info->flags & XT_CT_NOTRACK) + printf("notrack "); + if (info->helper[0]) + printf("helper %s ", info->helper); + if (info->ct_events) + ct_print_events("ctevents", ct_event_tbl, + ARRAY_SIZE(ct_event_tbl), info->ct_events); + if (info->exp_events) + ct_print_events("expevents", exp_event_tbl, + ARRAY_SIZE(exp_event_tbl), info->exp_events); + if (info->zone) + printf("zone %u ", info->zone); +} + +static void ct_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_ct_target_info *info = + (const struct xt_ct_target_info *)target->data; + + if (info->flags & XT_CT_NOTRACK) + printf("--notrack "); + if (info->helper[0]) + printf("--helper %s ", info->helper); + if (info->ct_events) + ct_print_events("--ctevents", ct_event_tbl, + ARRAY_SIZE(ct_event_tbl), info->ct_events); + if (info->exp_events) + ct_print_events("--expevents", exp_event_tbl, + ARRAY_SIZE(exp_event_tbl), info->exp_events); + if (info->zone) + printf("--zone %u ", info->zone); +} + +static struct xtables_target ct_target = { + .family = NFPROTO_UNSPEC, + .name = "CT", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info)), + .userspacesize = offsetof(struct xt_ct_target_info, ct), + .help = ct_help, + .parse = ct_parse, + .print = ct_print, + .save = ct_save, + .extra_opts = ct_opts, +}; + +void _init(void) +{ + xtables_register_target(&ct_target); +} diff -Nru iptables-1.4.4/extensions/libxt_CT.man iptables-1.4.10/extensions/libxt_CT.man --- iptables-1.4.4/extensions/libxt_CT.man 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_CT.man 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,25 @@ +The CT target allows to set parameters for a packet or its associated +connection. The target attaches a "template" connection tracking entry to +the packet, which is then used by the conntrack core when initializing +a new ct entry. This target is thus only valid in the "raw" table. +.TP +\fB\-\-notrack\fP +Disables connection tracking for this packet. +.TP +\fB\-\-helper\fP \fIname\fP +Use the helper identified by \fIname\fP for the connection. This is more +flexible than loading the conntrack helper modules with preset ports. +.TP +\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...] +Only generate the specified conntrack events for this connection. Possible +event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP, +\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to +the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark). +.TP +\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...] +Only generate the specified expectation events for this connection. +Possible event types are: \fBnew\fP. +.TP +\fB\-\-zone\fP \fIid\fP +Assign this packet to zone \fIid\fP and only have lookups done in that zone. +By default, packets have zone 0. diff -Nru iptables-1.4.4/extensions/libxt_dccp.c iptables-1.4.10/extensions/libxt_dccp.c --- iptables-1.4.4/extensions/libxt_dccp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_dccp.c 2010-10-29 14:37:22.000000000 +0000 @@ -5,6 +5,7 @@ * This program is distributed under the terms of GNU GPL v2, 1991 * */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -43,13 +44,13 @@ } static const struct option dccp_opts[] = { - { .name = "source-port", .has_arg = 1, .val = '1' }, - { .name = "sport", .has_arg = 1, .val = '1' }, - { .name = "destination-port", .has_arg = 1, .val = '2' }, - { .name = "dport", .has_arg = 1, .val = '2' }, - { .name = "dccp-types", .has_arg = 1, .val = '3' }, - { .name = "dccp-option", .has_arg = 1, .val = '4' }, - { .name = NULL } + {.name = "source-port", .has_arg = true, .val = '1'}, + {.name = "sport", .has_arg = true, .val = '1'}, + {.name = "destination-port", .has_arg = true, .val = '2'}, + {.name = "dport", .has_arg = true, .val = '2'}, + {.name = "dccp-types", .has_arg = true, .val = '3'}, + {.name = "dccp-option", .has_arg = true, .val = '4'}, + XT_GETOPT_TABLEEND, }; static void @@ -140,8 +141,8 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--source-port' allowed"); einfo->flags |= XT_DCCP_SRC_PORTS; - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_dccp_ports(argv[optind-1], einfo->spts); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_dccp_ports(optarg, einfo->spts); if (invert) einfo->invflags |= XT_DCCP_SRC_PORTS; *flags |= XT_DCCP_SRC_PORTS; @@ -152,8 +153,8 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--destination-port' allowed"); einfo->flags |= XT_DCCP_DEST_PORTS; - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_dccp_ports(argv[optind-1], einfo->dpts); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_dccp_ports(optarg, einfo->dpts); if (invert) einfo->invflags |= XT_DCCP_DEST_PORTS; *flags |= XT_DCCP_DEST_PORTS; @@ -164,8 +165,8 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--dccp-types' allowed"); einfo->flags |= XT_DCCP_TYPE; - xtables_check_inverse(optarg, &invert, &optind, 0); - einfo->typemask = parse_dccp_types(argv[optind-1]); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + einfo->typemask = parse_dccp_types(optarg); if (invert) einfo->invflags |= XT_DCCP_TYPE; *flags |= XT_DCCP_TYPE; 
@@ -176,8 +177,8 @@ xtables_error(PARAMETER_PROBLEM, "Only one `--dccp-option' allowed"); einfo->flags |= XT_DCCP_OPTION; - xtables_check_inverse(optarg, &invert, &optind, 0); - einfo->option = parse_dccp_option(argv[optind-1]); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + einfo->option = parse_dccp_option(optarg); if (invert) einfo->invflags |= XT_DCCP_OPTION; *flags |= XT_DCCP_OPTION; @@ -336,21 +337,7 @@ static struct xtables_match dccp_match = { .name = "dccp", - .family = NFPROTO_IPV4, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_dccp_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)), - .help = dccp_help, - .init = dccp_init, - .parse = dccp_parse, - .print = dccp_print, - .save = dccp_save, - .extra_opts = dccp_opts, -}; - -static struct xtables_match dccp_match6 = { - .name = "dccp", - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_dccp_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_dccp_info)), @@ -365,5 +352,4 @@ void _init(void) { xtables_register_match(&dccp_match); - xtables_register_match(&dccp_match6); } diff -Nru iptables-1.4.4/extensions/libxt_dscp.c iptables-1.4.10/extensions/libxt_dscp.c --- iptables-1.4.4/extensions/libxt_dscp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_dscp.c 2010-10-29 14:37:22.000000000 +0000 @@ -12,6 +12,7 @@ * http://www.iana.org/assignments/dscp-registry * */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -38,9 +39,9 @@ } static const struct option dscp_opts[] = { - { "dscp", 1, NULL, 'F' }, - { "dscp-class", 1, NULL, 'G' }, - { .name = NULL } + {.name = "dscp", .has_arg = true, .val = 'F'}, + {.name = "dscp-class", .has_arg = true, .val = 'G'}, + XT_GETOPT_TABLEEND, }; static void 
@@ -82,8 +83,8 @@ if (*flags) xtables_error(PARAMETER_PROBLEM, "DSCP match: Only use --dscp ONCE!"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_dscp(argv[optind-1], dinfo); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_dscp(optarg, dinfo); if (invert) dinfo->invert = 1; *flags = 1; @@ -93,8 +94,8 @@ if (*flags) xtables_error(PARAMETER_PROBLEM, "DSCP match: Only use --dscp-class ONCE!"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_class(argv[optind - 1], dinfo); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_class(optarg, dinfo); if (invert) dinfo->invert = 1; *flags = 1; @@ -131,21 +132,7 @@ } static struct xtables_match dscp_match = { - .family = NFPROTO_IPV4, - .name = "dscp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_dscp_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)), - .help = dscp_help, - .parse = dscp_parse, - .final_check = dscp_check, - .print = dscp_print, - .save = dscp_save, - .extra_opts = dscp_opts, -}; - -static struct xtables_match dscp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "dscp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_dscp_info)), @@ -161,5 +148,4 @@ void _init(void) { xtables_register_match(&dscp_match); - xtables_register_match(&dscp_match6); } diff -Nru iptables-1.4.4/extensions/libxt_DSCP.c iptables-1.4.10/extensions/libxt_DSCP.c --- iptables-1.4.4/extensions/libxt_DSCP.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_DSCP.c 2010-10-29 14:37:22.000000000 +0000 @@ -9,6 +9,7 @@ * * --set-class added by Iain Barnes */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -38,9 +39,9 @@ } static const struct option DSCP_opts[] = { - { "set-dscp", 1, NULL, 'F' }, - { "set-dscp-class", 1, NULL, 'G' }, - { .name = NULL } + {.name = "set-dscp", .has_arg = true, .val = 'F'}, + {.name = "set-dscp-class", .has_arg = true, .val = 'G'}, + XT_GETOPT_TABLEEND, }; static void @@ -130,21 +131,7 @@ } static struct xtables_target dscp_target = { - .family = NFPROTO_IPV4, - .name = "DSCP", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_DSCP_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_DSCP_info)), - .help = DSCP_help, - .parse = DSCP_parse, - .final_check = DSCP_check, - .print = DSCP_print, - .save = DSCP_save, - .extra_opts = DSCP_opts, -}; - -static struct xtables_target dscp_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "DSCP", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_DSCP_info)), @@ -160,5 +147,4 @@ void _init(void) { xtables_register_target(&dscp_target); - xtables_register_target(&dscp_target6); } diff -Nru iptables-1.4.4/extensions/libxt_esp.c iptables-1.4.10/extensions/libxt_esp.c --- iptables-1.4.4/extensions/libxt_esp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_esp.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add ESP support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -19,8 +20,8 @@ } static const struct option esp_opts[] = { - { "espspi", 1, NULL, '1' }, - { .name = NULL } + {.name = "espspi", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static u_int32_t @@ -88,8 +89,8 @@ if (*flags & ESP_SPI) xtables_error(PARAMETER_PROBLEM, "Only one `--espspi' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_esp_spis(argv[optind-1], espinfo->spis); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_esp_spis(optarg, espinfo->spis); if (invert) espinfo->invflags |= XT_ESP_INV_SPI; *flags |= ESP_SPI; 
@@ -149,21 +150,7 @@ } static struct xtables_match esp_match = { - .family = NFPROTO_IPV4, - .name = "esp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_esp)), - .userspacesize = XT_ALIGN(sizeof(struct xt_esp)), - .help = esp_help, - .init = esp_init, - .parse = esp_parse, - .print = esp_print, - .save = esp_save, - .extra_opts = esp_opts, -}; - -static struct xtables_match esp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "esp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_esp)), @@ -180,5 +167,4 @@ _init(void) { xtables_register_match(&esp_match); - xtables_register_match(&esp_match6); } diff -Nru iptables-1.4.4/extensions/libxt_hashlimit.c iptables-1.4.10/extensions/libxt_hashlimit.c --- iptables-1.4.4/extensions/libxt_hashlimit.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_hashlimit.c 2010-10-29 14:37:22.000000000 +0000 @@ -67,15 +67,15 @@ } static const struct option hashlimit_opts[] = { - { "hashlimit", 1, NULL, '%' }, - { "hashlimit-burst", 1, NULL, '$' }, - { "hashlimit-htable-size", 1, NULL, '&' }, - { "hashlimit-htable-max", 1, NULL, '*' }, - { "hashlimit-htable-gcinterval", 1, NULL, '(' }, - { "hashlimit-htable-expire", 1, NULL, ')' }, - { "hashlimit-mode", 1, NULL, '_' }, - { "hashlimit-name", 1, NULL, '"' }, - { .name = NULL } + {.name = "hashlimit", .has_arg = true, .val = '%'}, + {.name = "hashlimit-burst", .has_arg = true, .val = '$'}, + {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'}, + {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'}, + {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('}, + {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'}, + {.name = "hashlimit-mode", .has_arg = true, .val = '_'}, + {.name = "hashlimit-name", .has_arg = true, .val = '"'}, + XT_GETOPT_TABLEEND, }; static const struct option hashlimit_mt_opts[] = { 
@@ -91,7 +91,7 @@ {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'}, {.name = "hashlimit-mode", .has_arg = true, .val = '_'}, {.name = "hashlimit-name", .has_arg = true, .val = '"'}, - {}, + XT_GETOPT_TABLEEND, }; static @@ -219,7 +219,7 @@ case '%': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit", *flags & PARAM_LIMIT); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!parse_rate(optarg, &r->cfg.avg)) xtables_error(PARAMETER_PROBLEM, "bad rate `%s'", optarg); @@ -229,7 +229,7 @@ case '$': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-burst", *flags & PARAM_BURST); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!xtables_strtoui(optarg, NULL, &num, 0, 10000)) xtables_error(PARAMETER_PROBLEM, "bad --hashlimit-burst `%s'", optarg); @@ -239,7 +239,7 @@ case '&': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size", *flags & PARAM_SIZE); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) xtables_error(PARAMETER_PROBLEM, "bad --hashlimit-htable-size: `%s'", optarg); @@ -249,7 +249,7 @@ case '*': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max", *flags & PARAM_MAX); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) xtables_error(PARAMETER_PROBLEM, "bad --hashlimit-htable-max: `%s'", optarg); 
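Review bot: The `if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break;` lines kept in `case '%'`, `'$'`, `'&'` and `'*'` turn an intrapositioned `!` into a silent no-op: if the helper, as its new `argv` parameter suggests, re-points `optarg` at the value and advances `optind`, then `--hashlimit-burst ! 20` consumes the argument, sets neither the burst nor `PARAM_BURST`, and the rule is installed with the default burst and no diagnostic, which for a rate-limit rule is a quiet loss of the intended restriction. hashlimit has no inverse semantics at all, so the honest behaviour is an error rather than a `break`, e.g. `xtables_error(PARAMETER_PROBLEM, "hashlimit: --hashlimit-burst cannot be inverted");` in each case; for `--hashlimit` itself the only symptom today is presumably a later final_check complaint about a missing option, which misleads the user about what went wrong. The enclosing `hashlimit_parse` begins before this hunk.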
@@ -260,7 +260,7 @@ xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-gcinterval", *flags & PARAM_GCINTERVAL); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) xtables_error(PARAMETER_PROBLEM, "bad --hashlimit-htable-gcinterval: `%s'", @@ -272,7 +272,7 @@ case ')': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-expire", *flags & PARAM_EXPIRE); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) xtables_error(PARAMETER_PROBLEM, "bad --hashlimit-htable-expire: `%s'", optarg); @@ -283,7 +283,7 @@ case '_': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-mode", *flags & PARAM_MODE); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (parse_mode(&r->cfg.mode, optarg) < 0) xtables_error(PARAMETER_PROBLEM, "bad --hashlimit-mode: `%s'\n", optarg); @@ -292,7 +292,7 @@ case '"': xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-name", *flags & PARAM_NAME); - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (strlen(optarg) == 0) xtables_error(PARAMETER_PROBLEM, "Zero-length name?"); strncpy(r->name, optarg, sizeof(r->name)); @@ -591,8 +591,7 @@ const struct xt_hashlimit_info *r = (const void *)match->data; fputs("--hashlimit ", stdout); print_rate(r->cfg.avg); - if (r->cfg.burst != XT_HASHLIMIT_BURST) - printf("--hashlimit-burst %u ", r->cfg.burst); + printf("--hashlimit-burst %u ", r->cfg.burst); fputs("--hashlimit-mode ", stdout); print_mode(r->cfg.mode, ','); 
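Review bot: `case '"'` copies the table name with `strncpy(r->name, optarg, sizeof(r->name));` and no terminator is visible in this hunk; unless the line that follows (outside the hunk) sets `r->name[sizeof(r->name) - 1] = '\0'`, a name of exactly `sizeof(r->name)` characters reaches the kernel unterminated. The `strlen(optarg) == 0` check shows this is already the validation point, and its natural complement is to reject over-long names instead of truncating them, `if (strlen(optarg) >= sizeof(r->name)) xtables_error(PARAMETER_PROBLEM, "hashlimit: name \"%s\" too long", optarg);`, because the name presumably identifies the shared hash table and a truncated name can silently alias another rule's table and merge their limits. The `--hashlimit-burst` change in the `@@ -591` hunk, which now always emits the burst on save, is a good fidelity fix. `hashlimit_parse` starts before this hunk.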
@@ -617,8 +616,7 @@ else fputs("--hashlimit-upto ", stdout); print_rate(info->cfg.avg); - if (info->cfg.burst != XT_HASHLIMIT_BURST) - printf("--hashlimit-burst %u ", info->cfg.burst); + printf("--hashlimit-burst %u ", info->cfg.burst); if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) { 
@@ -659,74 +657,55 @@ hashlimit_mt_save(info, 128); } -static struct xtables_match hashlimit_match = { - .family = NFPROTO_IPV4, - .name = "hashlimit", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), - .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), - .help = hashlimit_help, - .init = hashlimit_init, - .parse = hashlimit_parse, - .final_check = hashlimit_check, - .print = hashlimit_print, - .save = hashlimit_save, - .extra_opts = hashlimit_opts, -}; - -static struct xtables_match hashlimit_match6 = { - .family = NFPROTO_IPV6, - .name = "hashlimit", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), - .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), - .help = hashlimit_help, - .init = hashlimit_init, - .parse = hashlimit_parse, - .final_check = hashlimit_check, - .print = hashlimit_print, - .save = hashlimit_save, - .extra_opts = hashlimit_opts, -}; - -static struct xtables_match hashlimit_mt_reg = { - .version = XTABLES_VERSION, - .name = "hashlimit", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), - .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), - .help = hashlimit_mt_help, - .init = hashlimit_mt4_init, - .parse = hashlimit_mt4_parse, - .final_check = hashlimit_mt_check, - .print = hashlimit_mt4_print, - .save = hashlimit_mt4_save, - .extra_opts = hashlimit_mt_opts, -}; - -static struct xtables_match hashlimit_mt6_reg = { - .version = XTABLES_VERSION, - .name = "hashlimit", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), - .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), - .help = hashlimit_mt_help, - .init = hashlimit_mt6_init, - .parse = hashlimit_mt6_parse, - .final_check = hashlimit_mt_check, - .print = hashlimit_mt6_print, - .save = hashlimit_mt6_save, - .extra_opts = hashlimit_mt_opts, +static struct 
xtables_match hashlimit_mt_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "hashlimit", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), + .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), + .help = hashlimit_help, + .init = hashlimit_init, + .parse = hashlimit_parse, + .final_check = hashlimit_check, + .print = hashlimit_print, + .save = hashlimit_save, + .extra_opts = hashlimit_opts, + }, + { + .version = XTABLES_VERSION, + .name = "hashlimit", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), + .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), + .help = hashlimit_mt_help, + .init = hashlimit_mt4_init, + .parse = hashlimit_mt4_parse, + .final_check = hashlimit_mt_check, + .print = hashlimit_mt4_print, + .save = hashlimit_mt4_save, + .extra_opts = hashlimit_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "hashlimit", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), + .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), + .help = hashlimit_mt_help, + .init = hashlimit_mt6_init, + .parse = hashlimit_mt6_parse, + .final_check = hashlimit_mt_check, + .print = hashlimit_mt6_print, + .save = hashlimit_mt6_save, + .extra_opts = hashlimit_mt_opts, + }, }; void _init(void) { - xtables_register_match(&hashlimit_match); - xtables_register_match(&hashlimit_match6); - xtables_register_match(&hashlimit_mt_reg); - xtables_register_match(&hashlimit_mt6_reg); + xtables_register_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_hashlimit.man iptables-1.4.10/extensions/libxt_hashlimit.man --- iptables-1.4.4/extensions/libxt_hashlimit.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_hashlimit.man 2010-10-29 14:37:22.000000000 +0000 
@@ -1,13 +1,13 @@ -\fBhashlimit\fR uses hash buckets to express a rate limiting match (like the -\fBlimit\fR match) for a group of connections using a \fBsingle\fR iptables +\fBhashlimit\fP uses hash buckets to express a rate limiting match (like the +\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables rule. Grouping can be done per-hostgroup (source and/or destination address) -and/or per-port. It gives you the ability to express "\fIN\fR packets per time +and/or per-port. It gives you the ability to express "\fIN\fP packets per time quantum per group": .TP matching on source host "1000 packets per second for every host in 192.168.0.0/16" .TP -matching on source prot +matching on source port "100 packets per second for every service of 192.168.1.1" .TP matching on subnet @@ -17,11 +17,11 @@ \fB\-\-hashlimit\-name\fP are required. .TP \fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] -Match if the rate is below or equal to \fIamount\fR/quantum. It is specified as +Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as a number, with an optional time quantum suffix; the default is 3/hour. .TP \fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] -Match if the rate is above \fIamount\fR/quantum. +Match if the rate is above \fIamount\fP/quantum. .TP \fB\-\-hashlimit\-burst\fP \fIamount\fP Maximum initial number of packets to match: this number gets recharged by one 
@@ -36,7 +36,7 @@ \fB\-\-hashlimit\-srcmask\fP \fIprefix\fP When \-\-hashlimit\-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be -subject to hashlimit. \fIprefix\fR must be between (inclusive) 0 and 32. Note +subject to hashlimit. \fIprefix\fP must be between (inclusive) 0 and 32. Note that \-\-hashlimit\-srcmask 0 is basically doing the same thing as not specifying srcip for \-\-hashlimit\-mode, but is technically more expensive. .TP diff -Nru iptables-1.4.4/extensions/libxt_helper.c iptables-1.4.10/extensions/libxt_helper.c --- iptables-1.4.4/extensions/libxt_helper.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_helper.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add related packet matching support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -16,8 +17,8 @@ } static const struct option helper_opts[] = { - { "helper", 1, NULL, '1' }, - { .name = NULL } + {.name = "helper", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static int @@ -31,7 +32,7 @@ if (*flags) xtables_error(PARAMETER_PROBLEM, "helper match: Only use --helper ONCE!"); - xtables_check_inverse(optarg, &invert, &invert, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); strncpy(info->name, optarg, 29); info->name[29] = '\0'; if (invert) 
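Review bot: `strncpy(info->name, optarg, 29); info->name[29] = '\0';` hard-codes the field size instead of deriving it from `info->name`, and silently truncates any longer helper name, so a rule like `-m helper --helper some-long-helper-name -j ACCEPT` matches on a different string than the administrator wrote, with no diagnostic. Reject instead of truncating, `if (strlen(optarg) >= sizeof(info->name)) xtables_error(PARAMETER_PROBLEM, "helper match: name \"%s\" too long", optarg);`, and replace both `29`s with `sizeof(info->name) - 1` so the bound cannot drift from the struct. `helper_parse` starts before this hunk.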
@@ -69,20 +70,7 @@ } static struct xtables_match helper_match = { - .family = NFPROTO_IPV4, - .name = "helper", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_helper_info)), - .help = helper_help, - .parse = helper_parse, - .final_check = helper_check, - .print = helper_print, - .save = helper_save, - .extra_opts = helper_opts, -}; - -static struct xtables_match helper_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "helper", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_helper_info)), @@ -97,5 +85,4 @@ void _init(void) { xtables_register_match(&helper_match); - xtables_register_match(&helper_match6); } diff -Nru iptables-1.4.4/extensions/libxt_IDLETIMER.c iptables-1.4.10/extensions/libxt_IDLETIMER.c --- iptables-1.4.4/extensions/libxt_IDLETIMER.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_IDLETIMER.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,138 @@ +/* + * Shared library add-on for iptables to add IDLETIMER support. + * + * Copyright (C) 2010 Nokia Corporation. All rights reserved. + * + * Contact: Luciano Coelho <luciano.coelho@nokia.com> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + * + */ +#include <stdbool.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <stddef.h> + +#include <xtables.h> +#include <linux/netfilter/xt_IDLETIMER.h> + +enum { + IDLETIMER_TG_OPT_TIMEOUT = 1 << 0, + IDLETIMER_TG_OPT_LABEL = 1 << 1, +}; + +static const struct option idletimer_tg_opts[] = { + {.name = "timeout", .has_arg = true, .val = 't'}, + {.name = "label", .has_arg = true, .val = 'l'}, + XT_GETOPT_TABLEEND, +}; + +static void idletimer_tg_help(void) +{ + printf( +"IDLETIMER target options:\n" +" --timeout time Timeout until the notification is sent (in seconds)\n" +" --label string Unique rule identifier\n" +"\n"); +} + +static int idletimer_tg_parse(int c, char **argv, int invert, + unsigned int *flags, + const void *entry, + struct xt_entry_target **target) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *)(*target)->data; + + switch (c) { + case 't': + xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--timeout", + *flags & IDLETIMER_TG_OPT_TIMEOUT); + + info->timeout = atoi(optarg); + *flags |= IDLETIMER_TG_OPT_TIMEOUT; + break; + 
+ case 'l': + xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--label", + *flags & IDLETIMER_TG_OPT_TIMEOUT); + + if (strlen(optarg) > MAX_IDLETIMER_LABEL_SIZE - 1) + xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--label", + optarg); + + strcpy(info->label, optarg); + *flags |= IDLETIMER_TG_OPT_LABEL; + break; + + default: + return false; + } + + return true; +} + +static void idletimer_tg_final_check(unsigned int flags) +{ + if (!(flags & IDLETIMER_TG_OPT_TIMEOUT)) + xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: " + "--timeout parameter required"); + if (!(flags & IDLETIMER_TG_OPT_LABEL)) + xtables_error(PARAMETER_PROBLEM, "IDLETIMER target: " + "--label parameter required"); +} + +static void idletimer_tg_print(const void *ip, + const struct xt_entry_target *target, + int numeric) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *) target->data; + + printf("timeout:%u ", info->timeout); + printf("label:%s ", info->label); +} + +static void idletimer_tg_save(const void *ip, + const struct xt_entry_target *target) +{ + struct idletimer_tg_info *info = + (struct idletimer_tg_info *) target->data; + + printf("--timeout %u ", info->timeout); + printf("--label %s ", info->label); +} + +static struct xtables_target idletimer_tg_reg = { + .family = NFPROTO_UNSPEC, + .name = "IDLETIMER", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct idletimer_tg_info)), + .userspacesize = offsetof(struct idletimer_tg_info, timer), + .help = idletimer_tg_help, + .parse = idletimer_tg_parse, + .final_check = idletimer_tg_final_check, + .print = idletimer_tg_print, + .save = idletimer_tg_save, + .extra_opts = idletimer_tg_opts, +}; + +void _init(void) +{ + xtables_register_target(&idletimer_tg_reg); +} diff -Nru iptables-1.4.4/extensions/libxt_IDLETIMER.man iptables-1.4.10/extensions/libxt_IDLETIMER.man --- iptables-1.4.4/extensions/libxt_IDLETIMER.man 1970-01-01 00:00:00.000000000 +0000 +++ 
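Review bot: `case 'l'` tests `*flags & IDLETIMER_TG_OPT_TIMEOUT` in its `XTF_ONLY_ONCE` check, a copy of the `case 't'` line above: `--timeout 60 --label foo` is rejected as a duplicate option while `--label foo --label bar` is accepted, and because `idletimer_tg_final_check` requires both options the target only works when `--label` is given first. `case 't'` also converts with `atoi(optarg)`, so `--timeout abc` or `--timeout -5` installs a rule with a zero or wrapped timeout and no error, where `xtables_strtoui` with an explicit range, as `libxt_cpu.c` and `libxt_CT.c` in this same patch use, would reject them (this needs an `unsigned int timeout;` local next to `info`). The man page added alongside says the label becomes a sysfs entry under `/sys/class/xt_idletimer/timers/`, so an empty label or one containing `/` should be refused here rather than left for the kernel to fail on. Rewritten option cases:
```c
	case 't':
		xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--timeout",
				  *flags & IDLETIMER_TG_OPT_TIMEOUT);
		/* reject non-numeric, negative and zero timeouts */
		if (!xtables_strtoui(optarg, NULL, &timeout, 1, UINT32_MAX))
			xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--timeout",
					  optarg);
		info->timeout = timeout;
		*flags |= IDLETIMER_TG_OPT_TIMEOUT;
		break;

	case 'l':
		xtables_param_act(XTF_ONLY_ONCE, "IDLETIMER", "--label",
				  *flags & IDLETIMER_TG_OPT_LABEL);
		/* label is used as a sysfs entry name: non-empty, no '/' */
		if (*optarg == '\0' || strchr(optarg, '/') != NULL ||
		    strlen(optarg) > MAX_IDLETIMER_LABEL_SIZE - 1)
			xtables_param_act(XTF_BAD_VALUE, "IDLETIMER", "--label",
					  optarg);
		strcpy(info->label, optarg);
		*flags |= IDLETIMER_TG_OPT_LABEL;
		break;
	/* … unchanged: default case and return … */
```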
iptables-1.4.10/extensions/libxt_IDLETIMER.man 2010-10-29 14:37:22.000000000 +0000 @@ -0,0 +1,20 @@ +This target can be used to identify when interfaces have been idle for a +certain period of time. Timers are identified by labels and are created when +a rule is set with a new label. The rules also take a timeout value (in +seconds) as an option. If more than one rule uses the same timer label, the +timer will be restarted whenever any of the rules get a hit. One entry for +each timer is created in sysfs. This attribute contains the timer remaining +for the timer to expire. The attributes are located under the xt_idletimer +class: +.PP +/sys/class/xt_idletimer/timers/<label> +.PP +When the timer expires, the target module sends a sysfs notification to the +userspace, which can then decide what to do (eg. disconnect to save power). +.TP +\fB\-\-timeout\fP \fIamount\fP +This is the time in seconds that will trigger the notification. +.TP +\fB\-\-label\fP \fIstring\fP +This is a unique identifier for the timer. The maximum length for the +label string is 27 characters. diff -Nru iptables-1.4.4/extensions/libxt_iprange.c iptables-1.4.10/extensions/libxt_iprange.c --- iptables-1.4.4/extensions/libxt_iprange.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_iprange.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add IP range matching support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -9,7 +10,19 @@ #include <xtables.h> #include <linux/netfilter.h> #include <linux/netfilter/xt_iprange.h> -#include <linux/netfilter_ipv4/ipt_iprange.h> + +struct ipt_iprange { + /* Inclusive: network order. */ + __be32 min_ip, max_ip; +}; + +struct ipt_iprange_info { + struct ipt_iprange src; + struct ipt_iprange dst; + + /* Flags from above */ + u_int8_t flags; +}; enum { F_SRCIP = 1 << 0, 
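Review bot: The hunk replaces `#include <linux/netfilter_ipv4/ipt_iprange.h>` with private definitions of `struct ipt_iprange` and `struct ipt_iprange_info`, but nothing records that these are a copy of a kernel ABI structure whose layout must stay byte-identical to what the kernel expects; a later field reorder or type change here would desynchronise userspace and kernel with no compile error, and the `.size`/`.userspacesize` computed from it (outside this hunk) would still look right. Add a comment above the copy: `/* Private copy of the kernel's struct ipt_iprange_info (ipt_iprange.h); the layout is ABI and must not change. */`. The existing `/* Inclusive: network order. */` note is worth keeping next to `min_ip, max_ip` since later range comparisons depend on it.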
@@ -20,47 +33,69 @@ { printf( "iprange match options:\n" -"[!] --src-range ip-ip Match source IP in the specified range\n" -"[!] --dst-range ip-ip Match destination IP in the specified range\n"); +"[!] --src-range ip[-ip] Match source IP in the specified range\n" +"[!] --dst-range ip[-ip] Match destination IP in the specified range\n"); } static const struct option iprange_mt_opts[] = { {.name = "src-range", .has_arg = true, .val = '1'}, {.name = "dst-range", .has_arg = true, .val = '2'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static void -parse_iprange(char *arg, struct ipt_iprange *range) +iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range, + uint8_t family, const char *optname) +{ + const char *spec[2] = {from, to}; + struct in6_addr *ia6; + struct in_addr *ia4; + unsigned int i; + + memset(range, 0, sizeof(union nf_inet_addr) * 2); + + if (family == NFPROTO_IPV6) { + for (i = 0; i < ARRAY_SIZE(spec); ++i) { + ia6 = xtables_numeric_to_ip6addr(spec[i]); + if (ia6 == NULL) + xtables_param_act(XTF_BAD_VALUE, "iprange", + optname, spec[i]); + range[i].in6 = *ia6; + } + } else { + for (i = 0; i < ARRAY_SIZE(spec); ++i) { + ia4 = xtables_numeric_to_ipaddr(spec[i]); + if (ia4 == NULL) + xtables_param_act(XTF_BAD_VALUE, "iprange", + optname, spec[i]); + range[i].in = *ia4; + } + } +} + +static void iprange_parse_range(char *arg, union nf_inet_addr *range, + u_int8_t family, const char *optname) { char *dash; - const struct in_addr *ip; dash = strchr(arg, '-'); - if (dash != NULL) - *dash = '\0'; - - ip = xtables_numeric_to_ipaddr(arg); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "iprange match: Bad IP address \"%s\"\n", - arg); - range->min_ip = ip->s_addr; - - if (dash != NULL) { - ip = xtables_numeric_to_ipaddr(dash+1); - if (!ip) - xtables_error(PARAMETER_PROBLEM, "iprange match: Bad IP address \"%s\"\n", - dash+1); - range->max_ip = ip->s_addr; - } else { - range->max_ip = range->min_ip; + if (dash == NULL) { + 
iprange_parse_spec(arg, arg, range, family, optname); + return; } + + *dash = '\0'; + iprange_parse_spec(arg, dash + 1, range, family, optname); + if (memcmp(&range[0], &range[1], sizeof(*range)) > 0) + fprintf(stderr, "xt_iprange: range %s-%s is reversed and " + "will never match\n", arg, dash + 1); } static int iprange_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { struct ipt_iprange_info *info = (struct ipt_iprange_info *)(*match)->data; + union nf_inet_addr range[2]; switch (c) { case '1': @@ -70,11 +105,12 @@ *flags |= IPRANGE_SRC; info->flags |= IPRANGE_SRC; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->flags |= IPRANGE_SRC_INV; - parse_iprange(optarg, &info->src); - + iprange_parse_range(optarg, range, NFPROTO_IPV4, "--src-range"); + info->src.min_ip = range[0].ip; + info->src.max_ip = range[1].ip; break; case '2': @@ -84,12 +120,13 @@ *flags |= IPRANGE_DST; info->flags |= IPRANGE_DST; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->flags |= IPRANGE_DST_INV; - parse_iprange(optarg, &info->dst); - + iprange_parse_range(optarg, range, NFPROTO_IPV4, "--dst-range"); + info->dst.min_ip = range[0].ip; + info->dst.max_ip = range[1].ip; break; default: 
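Review bot: iprange_parse_range writes two elements through `range`, but the revision-1 callers in the -103 and -153 hunks pass `&info->src_min` and `&info->dst_min`, so the second element lands in `src_max`/`dst_max` only because those fields sit adjacently in `struct xt_iprange_mtinfo`; that layout dependency is stated nowhere in the hunk. I would add above the function `/* range must point at two consecutive union nf_inet_addr (min, max); revision-1 callers pass &info->src_min and rely on src_max following it. */` and express the clear in terms of the parameter, `memset(range, 0, 2 * sizeof(*range));`. The reversed-range case only warns on stderr and still installs a rule that can never match; rejecting it via xtables_param_act would be consistent with the other bad-value paths in the same function. The -70 and -84 hunks that follow are the revision-0 call sites and need no change.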
@@ -103,23 +140,11 @@ const void *entry, struct xt_entry_match **match) { struct xt_iprange_mtinfo *info = (void *)(*match)->data; - const struct in_addr *ia; - char *end; switch (c) { case '1': /* --src-range */ - end = strchr(optarg, '-'); - if (end == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--src-range", optarg); - *end = '\0'; - ia = xtables_numeric_to_ipaddr(optarg); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--src-range", optarg); - memcpy(&info->src_min.in, ia, sizeof(*ia)); - ia = xtables_numeric_to_ipaddr(end+1); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--src-range", end + 1); - memcpy(&info->src_max.in, ia, sizeof(*ia)); + iprange_parse_range(optarg, &info->src_min, NFPROTO_IPV4, + "--src-range"); info->flags |= IPRANGE_SRC; if (invert) info->flags |= IPRANGE_SRC_INV; @@ -127,18 +152,8 @@ return true; case '2': /* --dst-range */ - end = strchr(optarg, '-'); - if (end == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--dst-range", optarg); - *end = '\0'; - ia = xtables_numeric_to_ipaddr(optarg); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--dst-range", optarg); - memcpy(&info->dst_min.in, ia, sizeof(*ia)); - ia = xtables_numeric_to_ipaddr(end + 1); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--dst-range", end + 1); - memcpy(&info->dst_max.in, ia, sizeof(*ia)); + iprange_parse_range(optarg, &info->dst_min, NFPROTO_IPV4, + "--dst-range"); info->flags |= IPRANGE_DST; if (invert) info->flags |= IPRANGE_DST_INV; 
@@ -153,23 +168,11 @@ const void *entry, struct xt_entry_match **match) { struct xt_iprange_mtinfo *info = (void *)(*match)->data; - const struct in6_addr *ia; - char *end; switch (c) { case '1': /* --src-range */ - end = strchr(optarg, '-'); - if (end == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--src-range", optarg); - *end = '\0'; - ia = xtables_numeric_to_ip6addr(optarg); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--src-range", optarg); - memcpy(&info->src_min.in, ia, sizeof(*ia)); - ia = xtables_numeric_to_ip6addr(end+1); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--src-range", end + 1); - memcpy(&info->src_max.in, ia, sizeof(*ia)); + iprange_parse_range(optarg, &info->src_min, NFPROTO_IPV6, + "--src-range"); info->flags |= IPRANGE_SRC; if (invert) info->flags |= IPRANGE_SRC_INV; @@ -177,18 +180,8 @@ return true; case '2': /* --dst-range */ - end = strchr(optarg, '-'); - if (end == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--dst-range", optarg); - *end = '\0'; - ia = xtables_numeric_to_ip6addr(optarg); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--dst-range", optarg); - memcpy(&info->dst_min.in, ia, sizeof(*ia)); - ia = xtables_numeric_to_ip6addr(end + 1); - if (ia == NULL) - xtables_param_act(XTF_BAD_VALUE, "iprange", "--dst-range", end + 1); - memcpy(&info->dst_max.in, ia, sizeof(*ia)); + iprange_parse_range(optarg, &info->dst_min, NFPROTO_IPV6, + "--dst-range"); info->flags |= IPRANGE_DST; if (invert) info->flags |= IPRANGE_DST_INV; 
@@ -344,54 +337,52 @@ } } -static struct xtables_match iprange_match = { - .version = XTABLES_VERSION, - .name = "iprange", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_iprange_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)), - .help = iprange_mt_help, - .parse = iprange_parse, - .final_check = iprange_mt_check, - .print = iprange_print, - .save = iprange_save, - .extra_opts = iprange_mt_opts, -}; - -static struct xtables_match iprange_mt_reg = { - .version = XTABLES_VERSION, - .name = "iprange", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .help = iprange_mt_help, - .parse = iprange_mt4_parse, - .final_check = iprange_mt_check, - .print = iprange_mt4_print, - .save = iprange_mt4_save, - .extra_opts = iprange_mt_opts, -}; - -static struct xtables_match iprange_mt6_reg = { - .version = XTABLES_VERSION, - .name = "iprange", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), - .help = iprange_mt_help, - .parse = iprange_mt6_parse, - .final_check = iprange_mt_check, - .print = iprange_mt6_print, - .save = iprange_mt6_save, - .extra_opts = iprange_mt_opts, +static struct xtables_match iprange_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "iprange", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct ipt_iprange_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_iprange_info)), + .help = iprange_mt_help, + .parse = iprange_parse, + .final_check = iprange_mt_check, + .print = iprange_print, + .save = iprange_save, + .extra_opts = iprange_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "iprange", + .revision = 1, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct 
xt_iprange_mtinfo)), + .help = iprange_mt_help, + .parse = iprange_mt4_parse, + .final_check = iprange_mt_check, + .print = iprange_mt4_print, + .save = iprange_mt4_save, + .extra_opts = iprange_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "iprange", + .revision = 1, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_iprange_mtinfo)), + .help = iprange_mt_help, + .parse = iprange_mt6_parse, + .final_check = iprange_mt_check, + .print = iprange_mt6_print, + .save = iprange_mt6_save, + .extra_opts = iprange_mt_opts, + }, }; void _init(void) { - xtables_register_match(&iprange_match); - xtables_register_match(&iprange_mt_reg); - xtables_register_match(&iprange_mt6_reg); + xtables_register_matches(iprange_mt_reg, ARRAY_SIZE(iprange_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_iprange.man iptables-1.4.10/extensions/libxt_iprange.man --- iptables-1.4.4/extensions/libxt_iprange.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_iprange.man 2010-10-29 14:37:22.000000000 +0000 @@ -1,7 +1,7 @@ This matches on a given arbitrary range of IP addresses. .TP -[\fB!\fR] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] +[\fB!\fP] \fB\-\-src\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] Match source IP in the specified range. .TP -[\fB!\fR] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] +[\fB!\fP] \fB\-\-dst\-range\fP \fIfrom\fP[\fB\-\fP\fIto\fP] Match destination IP in the specified range. diff -Nru iptables-1.4.4/extensions/libxt_ipvs.c iptables-1.4.10/extensions/libxt_ipvs.c --- iptables-1.4.4/extensions/libxt_ipvs.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_ipvs.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,366 @@ +/* + * Shared library add-on to iptables to add IPVS matching. + * + * Detailed doc is in the kernel module source net/netfilter/xt_ipvs.c + * + * Author: Hannes Eder <heder@google.com> + */ +#include <sys/types.h> +#include <assert.h> +#include <ctype.h> +#include <errno.h> +#include <getopt.h> +#include <netdb.h> +#include <stdbool.h> +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <xtables.h> +#include <linux/ip_vs.h> +#include <linux/netfilter/xt_ipvs.h> + +static const struct option ipvs_mt_opts[] = { + { .name = "ipvs", .has_arg = false, .val = '0' }, + { .name = "vproto", .has_arg = true, .val = '1' }, + { .name = "vaddr", .has_arg = true, .val = '2' }, + { .name = "vport", .has_arg = true, .val = '3' }, + { .name = "vdir", .has_arg = true, .val = '4' }, + { .name = "vmethod", .has_arg = true, .val = '5' }, + { .name = "vportctl", .has_arg = true, .val = '6' }, + XT_GETOPT_TABLEEND, +}; + +static void ipvs_mt_help(void) +{ + printf( +"IPVS match options:\n" +"[!] --ipvs packet belongs to an IPVS connection\n" +"\n" +"Any of the following options implies --ipvs (even negated)\n" +"[!] --vproto protocol VIP protocol to match; by number or name,\n" +" e.g. \"tcp\"\n" +"[!] --vaddr address[/mask] VIP address to match\n" +"[!] --vport port VIP port to match; by number or name,\n" +" e.g. \"http\"\n" +" --vdir {ORIGINAL|REPLY} flow direction of packet\n" +"[!] --vmethod {GATE|IPIP|MASQ} IPVS forwarding method used\n" +"[!] --vportctl port VIP port of the controlling connection to\n" +" match, e.g. 
21 for FTP\n" + ); +} + +static void ipvs_mt_parse_addr_and_mask(const char *arg, + union nf_inet_addr *address, + union nf_inet_addr *mask, + unsigned int family) +{ + struct in_addr *addr = NULL; + struct in6_addr *addr6 = NULL; + unsigned int naddrs = 0; + + if (family == NFPROTO_IPV4) { + xtables_ipparse_any(arg, &addr, &mask->in, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&address->in, addr, sizeof(*addr)); + } else if (family == NFPROTO_IPV6) { + xtables_ip6parse_any(arg, &addr6, &mask->in6, &naddrs); + if (naddrs > 1) + xtables_error(PARAMETER_PROBLEM, + "multiple IP addresses not allowed"); + if (naddrs == 1) + memcpy(&address->in6, addr6, sizeof(*addr6)); + } else { + /* Hu? */ + assert(false); + } +} + +/* Function which parses command options; returns true if it ate an option */ +static int ipvs_mt_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match, + unsigned int family) +{ + struct xt_ipvs_mtinfo *data = (void *)(*match)->data; + char *p = NULL; + u_int8_t op = 0; + + if ('0' <= c && c <= '6') { + static const int ops[] = { + XT_IPVS_IPVS_PROPERTY, + XT_IPVS_PROTO, + XT_IPVS_VADDR, + XT_IPVS_VPORT, + XT_IPVS_DIR, + XT_IPVS_METHOD, + XT_IPVS_VPORTCTL + }; + op = ops[c - '0']; + } else + return 0; + + if (*flags & op & XT_IPVS_ONCE_MASK) + goto multiple_use; + + switch (c) { + case '0': /* --ipvs */ + /* Nothing to do here. 
*/ + break; + + case '1': /* --vproto */ + /* Canonicalize into lower case */ + for (p = optarg; *p != '\0'; ++p) + *p = tolower(*p); + + data->l4proto = xtables_parse_protocol(optarg); + break; + + case '2': /* --vaddr */ + ipvs_mt_parse_addr_and_mask(optarg, &data->vaddr, + &data->vmask, family); + break; + + case '3': /* --vport */ + data->vport = htons(xtables_parse_port(optarg, "tcp")); + break; + + case '4': /* --vdir */ + xtables_param_act(XTF_NO_INVERT, "ipvs", "--vdir", invert); + if (strcasecmp(optarg, "ORIGINAL") == 0) { + data->bitmask |= XT_IPVS_DIR; + data->invert &= ~XT_IPVS_DIR; + } else if (strcasecmp(optarg, "REPLY") == 0) { + data->bitmask |= XT_IPVS_DIR; + data->invert |= XT_IPVS_DIR; + } else { + xtables_param_act(XTF_BAD_VALUE, + "ipvs", "--vdir", optarg); + } + break; + + case '5': /* --vmethod */ + if (strcasecmp(optarg, "GATE") == 0) + data->fwd_method = IP_VS_CONN_F_DROUTE; + else if (strcasecmp(optarg, "IPIP") == 0) + data->fwd_method = IP_VS_CONN_F_TUNNEL; + else if (strcasecmp(optarg, "MASQ") == 0) + data->fwd_method = IP_VS_CONN_F_MASQ; + else + xtables_param_act(XTF_BAD_VALUE, + "ipvs", "--vmethod", optarg); + break; + + case '6': /* --vportctl */ + data->vportctl = htons(xtables_parse_port(optarg, "tcp")); + break; + + default: + /* Hu? How did we come here? */ + assert(false); + return 0; + } + + if (op & XT_IPVS_ONCE_MASK) { + if (data->invert & XT_IPVS_IPVS_PROPERTY) + xtables_error(PARAMETER_PROBLEM, + "! 
--ipvs cannot be together with" + " other options"); + data->bitmask |= XT_IPVS_IPVS_PROPERTY; + } + + data->bitmask |= op; + if (invert) + data->invert |= op; + *flags |= op; + return 1; + +multiple_use: + xtables_error(PARAMETER_PROBLEM, + "multiple use of the same IPVS option is not allowed"); +} + +static int ipvs_mt4_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + return ipvs_mt_parse(c, argv, invert, flags, entry, match, + NFPROTO_IPV4); +} + +static int ipvs_mt6_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + return ipvs_mt_parse(c, argv, invert, flags, entry, match, + NFPROTO_IPV6); +} + +static void ipvs_mt_check(unsigned int flags) +{ + if (flags == 0) + xtables_error(PARAMETER_PROBLEM, + "IPVS: At least one option is required"); +} + +/* Shamelessly copied from libxt_conntrack.c */ +static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, + const union nf_inet_addr *mask, + unsigned int family, bool numeric) +{ + char buf[BUFSIZ]; + + if (family == NFPROTO_IPV4) { + if (!numeric && addr->ip == 0) { + printf("anywhere "); + return; + } + if (numeric) + strcpy(buf, xtables_ipaddr_to_numeric(&addr->in)); + else + strcpy(buf, xtables_ipaddr_to_anyname(&addr->in)); + strcat(buf, xtables_ipmask_to_numeric(&mask->in)); + printf("%s ", buf); + } else if (family == NFPROTO_IPV6) { + if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && + addr->ip6[2] == 0 && addr->ip6[3] == 0) { + printf("anywhere "); + return; + } + if (numeric) + strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6)); + else + strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6)); + strcat(buf, xtables_ip6mask_to_numeric(&mask->in6)); + printf("%s ", buf); + } +} + +static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data, + unsigned int family, bool numeric, const char *prefix) +{ + if (data->bitmask == XT_IPVS_IPVS_PROPERTY) { + if 
(data->invert & XT_IPVS_IPVS_PROPERTY) + printf("! "); + printf("%sipvs ", prefix); + } + + if (data->bitmask & XT_IPVS_PROTO) { + if (data->invert & XT_IPVS_PROTO) + printf("! "); + printf("%sproto %u ", prefix, data->l4proto); + } + + if (data->bitmask & XT_IPVS_VADDR) { + if (data->invert & XT_IPVS_VADDR) + printf("! "); + + printf("%svaddr ", prefix); + ipvs_mt_dump_addr(&data->vaddr, &data->vmask, family, numeric); + } + + if (data->bitmask & XT_IPVS_VPORT) { + if (data->invert & XT_IPVS_VPORT) + printf("! "); + + printf("%svport %u ", prefix, ntohs(data->vport)); + } + + if (data->bitmask & XT_IPVS_DIR) { + if (data->invert & XT_IPVS_DIR) + printf("%svdir REPLY ", prefix); + else + printf("%svdir ORIGINAL ", prefix); + } + + if (data->bitmask & XT_IPVS_METHOD) { + if (data->invert & XT_IPVS_METHOD) + printf("! "); + + printf("%svmethod ", prefix); + switch (data->fwd_method) { + case IP_VS_CONN_F_DROUTE: + printf("GATE "); + break; + case IP_VS_CONN_F_TUNNEL: + printf("IPIP "); + break; + case IP_VS_CONN_F_MASQ: + printf("MASQ "); + break; + default: + /* Hu? */ + printf("UNKNOWN "); + break; + } + } + + if (data->bitmask & XT_IPVS_VPORTCTL) { + if (data->invert & XT_IPVS_VPORTCTL) + printf("! 
"); + + printf("%svportctl %u ", prefix, ntohs(data->vportctl)); + } +} + +static void ipvs_mt4_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV4, numeric, ""); +} + +static void ipvs_mt6_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV6, numeric, ""); +} + +static void ipvs_mt4_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV4, true, "--"); +} + +static void ipvs_mt6_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_ipvs_mtinfo *data = (const void *)match->data; + ipvs_mt_dump(ip, data, NFPROTO_IPV6, true, "--"); +} + +static struct xtables_match ipvs_matches_reg[] = { + { + .version = XTABLES_VERSION, + .name = "ipvs", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .help = ipvs_mt_help, + .parse = ipvs_mt4_parse, + .final_check = ipvs_mt_check, + .print = ipvs_mt4_print, + .save = ipvs_mt4_save, + .extra_opts = ipvs_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "ipvs", + .revision = 0, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_ipvs_mtinfo)), + .help = ipvs_mt_help, + .parse = ipvs_mt6_parse, + .final_check = ipvs_mt_check, + .print = ipvs_mt6_print, + .save = ipvs_mt6_save, + .extra_opts = ipvs_mt_opts, + }, +}; + +void _init(void) +{ + xtables_register_matches(ipvs_matches_reg, + ARRAY_SIZE(ipvs_matches_reg)); +} diff -Nru iptables-1.4.4/extensions/libxt_ipvs.man iptables-1.4.10/extensions/libxt_ipvs.man --- iptables-1.4.4/extensions/libxt_ipvs.man 1970-01-01 
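Review bot: In ipvs_mt_parse, the `--vproto` canonicalisation loop passes a plain `char` to tolower(); where char is signed, a non-ASCII byte in optarg becomes a negative argument, which the <ctype.h> functions do not accept (only `unsigned char` values and EOF are defined). Use `*p = tolower((unsigned char)*p);`. The "! --ipvs cannot be together with other options" check runs only when a later option is parsed, so if XT_IPVS_IPVS_PROPERTY is excluded from XT_IPVS_ONCE_MASK (its separate handling here suggests it is), `--vproto tcp ! --ipvs` is accepted while the reverse order is rejected; either move the check into ipvs_mt_check on the final bitmask/invert state or document the order dependence. In ipvs_mt_dump_addr the strcpy/strcat into `buf[BUFSIZ]` carry no bound at all; `snprintf(buf, sizeof buf, "%s%s", addr_str, mask_str)` would make the limit explicit.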
00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_ipvs.man 2010-10-29 14:37:22.000000000 +0000 @@ -0,0 +1,24 @@ +Match IPVS connection properties. +.TP +[\fB!\fP] \fB\-\-ipvs\fP +packet belongs to an IPVS connection +.TP +Any of the following options implies \-\-ipvs (even negated) +.TP +[\fB!\fP] \fB\-\-vproto\fP \fIprotocol\fP +VIP protocol to match; by number or name, e.g. "tcp" +.TP +[\fB!\fP] \fB\-\-vaddr\fP \fIaddress\fP[\fB/\fP\fImask\fP] +VIP address to match +.TP +[\fB!\fP] \fB\-\-vport\fP \fIport\fP +VIP port to match; by number or name, e.g. "http" +.TP +\fB\-\-vdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} +flow direction of packet +.TP +[\fB!\fP] \fB\-\-vmethod\fP {\fBGATE\fP|\fBIPIP\fP|\fBMASQ\fP} +IPVS forwarding method used +.TP +[\fB!\fP] \fB\-\-vportctl\fP \fIport\fP +VIP port of the controlling connection to match, e.g. 21 for FTP diff -Nru iptables-1.4.4/extensions/libxt_LED.c iptables-1.4.10/extensions/libxt_LED.c --- iptables-1.4.4/extensions/libxt_LED.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_LED.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,155 @@ +/* + * libxt_LED.c - shared library add-on to iptables to add customized LED + * trigger support. + * + * (C) 2008 Adam Nielsen <a.nielsen@shikadi.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + */ +#include <stdbool.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <stddef.h> + +#include <xtables.h> + +#include <linux/netfilter/xt_LED.h> + +static const struct option LED_opts[] = { + {.name = "led-trigger-id", .has_arg = true, .val = 'i'}, + {.name = "led-delay", .has_arg = true, .val = 'd'}, + {.name = "led-always-blink", .has_arg = false, .val = 'a'}, + XT_GETOPT_TABLEEND, +}; + +static void LED_help(void) +{ + printf( +"LED target options:\n" +"--led-trigger-id name suffix for led trigger name\n" +"--led-delay ms leave the LED on for this number of\n" +" milliseconds after triggering.\n" +"--led-always-blink blink on arriving packets, even if\n" +" the LED is already on.\n" + ); +} + +static int LED_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_led_info *led = (void *)(*target)->data; + + switch (c) { + case 'i': + xtables_param_act(XTF_NO_INVERT, "LED", + "--led-trigger-id", invert); + if (strlen("netfilter-") + strlen(optarg) > sizeof(led->id)) + xtables_error(PARAMETER_PROBLEM, + "--led-trigger-id must be 16 chars or less"); + if (optarg[0] == '\0') + xtables_error(PARAMETER_PROBLEM, + "--led-trigger-id cannot be blank"); + + /* "netfilter-" + 16 char id == 26 == sizeof(led->id) */ + strcpy(led->id, "netfilter-"); + strcat(led->id, optarg); + *flags = 1; + return true; + + case 'd': + xtables_param_act(XTF_NO_INVERT, "LED", "--led-delay", invert); + if (strncasecmp(optarg, "inf", 3) == 0) + led->delay = -1; + else + led->delay = strtoul(optarg, NULL, 0); + + 
return true; + + case 'a': + if (!invert) + led->always_blink = 1; + return true; + } + return false; +} + +static void LED_final_check(unsigned int flags) +{ + if (flags == 0) + xtables_error(PARAMETER_PROBLEM, + "--led-trigger-id must be specified"); +} + +static void LED_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_led_info *led = (void *)target->data; + const char *id = led->id + strlen("netfilter-"); /* trim off prefix */ + + printf("led-trigger-id:\""); + /* Escape double quotes and backslashes in the ID */ + while (*id != '\0') { + if (*id == '"' || *id == '\\') + printf("\\"); + printf("%c", *id++); + } + printf("\" "); + + if (led->delay == -1) + printf("led-delay:inf "); + else + printf("led-delay:%dms ", led->delay); + + if (led->always_blink) + printf("led-always-blink "); +} + +static void LED_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_led_info *led = (void *)target->data; + const char *id = led->id + strlen("netfilter-"); /* trim off prefix */ + + printf("--led-trigger-id \""); + /* Escape double quotes and backslashes in the ID */ + while (*id != '\0') { + if (*id == '"' || *id == '\\') + printf("\\"); + printf("%c", *id++); + } + printf("\" "); + + /* Only print the delay if it's not zero (the default) */ + if (led->delay > 0) + printf("--led-delay %d ", led->delay); + else if (led->delay == -1) + printf("--led-delay inf "); + + /* Only print always_blink if it's not set to the default */ + if (led->always_blink) + printf("--led-always-blink "); +} + +static struct xtables_target led_tg_reg = { + .version = XTABLES_VERSION, + .name = "LED", + .family = PF_UNSPEC, + .revision = 0, + .size = XT_ALIGN(sizeof(struct xt_led_info)), + .userspacesize = offsetof(struct xt_led_info, internal_data), + .help = LED_help, + .parse = LED_parse, + .final_check = LED_final_check, + .extra_opts = LED_opts, + .print = LED_print, + .save = LED_save, +}; + +void _init(void) +{ + 
xtables_register_target(&led_tg_reg); +} diff -Nru iptables-1.4.4/extensions/libxt_LED.man iptables-1.4.10/extensions/libxt_LED.man --- iptables-1.4.4/extensions/libxt_LED.man 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_LED.man 2010-10-29 14:37:22.000000000 +0000 @@ -0,0 +1,30 @@ +This creates an LED-trigger that can then be attached to system indicator +lights, to blink or illuminate them when certain packets pass through the +system. One example might be to light up an LED for a few minutes every time +an SSH connection is made to the local machine. The following options control +the trigger behavior: +.TP +\fB\-\-led\-trigger\-id\fP \fIname\fP +This is the name given to the LED trigger. The actual name of the trigger +will be prefixed with "netfilter-". +.TP +\fB\-\-led-delay\fP \fIms\fP +This indicates how long (in milliseconds) the LED should be left illuminated +when a packet arrives before being switched off again. The default is 0 +(blink as fast as possible.) The special value \fIinf\fP can be given to +leave the LED on permanently once activated. (In this case the trigger will +need to be manually detached and reattached to the LED device to switch it +off again.) +.TP +\fB\-\-led\-always\-blink\fP +Always make the LED blink on packet arrival, even if the LED is already on. +This allows notification of new packets even with long delay values (which +otherwise would result in a silent prolonging of the delay time.) +.TP +Example: +.TP +Create an LED trigger for incoming SSH traffic: +iptables \-A INPUT \-p tcp \-\-dport 22 \-j LED \-\-led\-trigger\-id ssh +.TP +Then attach the new trigger to an LED: +echo netfilter\-ssh >/sys/class/leds/\fIledname\fP/trigger diff -Nru iptables-1.4.4/extensions/libxt_length.c iptables-1.4.10/extensions/libxt_length.c --- iptables-1.4.4/extensions/libxt_length.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_length.c 2010-10-29 14:37:22.000000000 +0000 
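Review bot: The length guard for `--led-trigger-id` in LED_parse is off by one: it rejects only when prefix plus id is strictly greater than `sizeof(led->id)`, so an id that makes the total exactly `sizeof(led->id)` passes and the following strcpy/strcat write the NUL terminator one byte past the array. The test should be `if (strlen("netfilter-") + strlen(optarg) >= sizeof(led->id))`, and the comment `/* "netfilter-" + 16 char id == 26 == sizeof(led->id) */` should be reconciled with the array's real size in xt_LED.h, since a 26-byte array cannot hold 26 characters plus the terminator. In the `--led-delay` branch, `strtoul(optarg, NULL, 0)` accepts any string and silently yields 0 for non-numeric input; parsing into an `unsigned int` with `xtables_strtoui(optarg, NULL, &delay, 0, UINT_MAX)` and failing with xtables_error on a bad value would match how libxt_limit validates `--limit-burst` elsewhere in this diff. LED_parse and LED_final_check both lie entirely within this hunk.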
@@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add packet length matching support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -17,8 +18,8 @@ } static const struct option length_opts[] = { - { "length", 1, NULL, '1' }, - { .name = NULL } + {.name = "length", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static u_int16_t @@ -70,8 +71,8 @@ xtables_error(PARAMETER_PROBLEM, "length: `--length' may only be " "specified once"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_lengths(argv[optind-1], info); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_lengths(optarg, info); if (invert) info->invert = 1; *flags = 1; diff -Nru iptables-1.4.4/extensions/libxt_length.man iptables-1.4.10/extensions/libxt_length.man --- iptables-1.4.4/extensions/libxt_length.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_length.man 2010-10-29 14:37:22.000000000 +0000 @@ -1,5 +1,5 @@ This module matches the length of the layer-3 payload (e.g. layer-4 packet) -f a packet against a specific value +of a packet against a specific value or range of values. .TP [\fB!\fP] \fB\-\-length\fP \fIlength\fP[\fB:\fP\fIlength\fP] diff -Nru iptables-1.4.4/extensions/libxt_limit.c iptables-1.4.10/extensions/libxt_limit.c --- iptables-1.4.4/extensions/libxt_limit.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_limit.c 2010-10-29 14:37:22.000000000 +0000 @@ -3,7 +3,7 @@ * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr> * Hervé Eychenne <rv@wallfire.org> */ - +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -29,9 +29,9 @@ } static const struct option limit_opts[] = { - { "limit", 1, NULL, '%' }, - { "limit-burst", 1, NULL, '$' }, - { .name = NULL } + {.name = "limit", .has_arg = true, .val = '%'}, + {.name = "limit-burst", .has_arg = true, .val = '$'}, + XT_GETOPT_TABLEEND, }; static 
@@ -94,14 +94,14 @@ switch(c) { case '%': - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!parse_rate(optarg, &r->avg)) xtables_error(PARAMETER_PROBLEM, "bad rate `%s'", optarg); break; case '$': - if (xtables_check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; if (!xtables_strtoui(optarg, NULL, &num, 0, 10000)) xtables_error(PARAMETER_PROBLEM, "bad --limit-burst `%s'", optarg); diff -Nru iptables-1.4.4/extensions/libxt_limit.man iptables-1.4.10/extensions/libxt_limit.man --- iptables-1.4.4/extensions/libxt_limit.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_limit.man 2010-10-29 14:37:22.000000000 +0000 @@ -4,7 +4,7 @@ .B LOG target to give limited logging, for example. .TP -[\fB!\fP] \fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] +\fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP] Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour. diff -Nru iptables-1.4.4/extensions/libxt_mac.c iptables-1.4.10/extensions/libxt_mac.c --- iptables-1.4.4/extensions/libxt_mac.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_mac.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add MAC address support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -21,8 +22,8 @@ } static const struct option mac_opts[] = { - { "mac-source", 1, NULL, '1' }, - { .name = NULL } + {.name = "mac-source", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void 
@@ -57,8 +58,8 @@ switch (c) { case '1': - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_mac(argv[optind-1], macinfo); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_mac(optarg, macinfo); if (invert) macinfo->invert = 1; *flags = 1; @@ -112,21 +113,7 @@ } static struct xtables_match mac_match = { - .family = NFPROTO_IPV4, - .name = "mac", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_mac_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mac_info)), - .help = mac_help, - .parse = mac_parse, - .final_check = mac_check, - .print = mac_print, - .save = mac_save, - .extra_opts = mac_opts, -}; - -static struct xtables_match mac_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "mac", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_mac_info)), @@ -142,5 +129,4 @@ void _init(void) { xtables_register_match(&mac_match); - xtables_register_match(&mac_match6); } diff -Nru iptables-1.4.4/extensions/libxt_mark.c iptables-1.4.10/extensions/libxt_mark.c --- iptables-1.4.4/extensions/libxt_mark.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_mark.c 2010-10-29 14:37:22.000000000 +0000 @@ -9,6 +9,11 @@ #include <xtables.h> #include <linux/netfilter/xt_mark.h> +struct xt_mark_info { + unsigned long mark, mask; + u_int8_t invert; +}; + enum { F_MARK = 1 << 0, }; @@ -22,7 +27,7 @@ static const struct option mark_mt_opts[] = { {.name = "mark", .has_arg = true, .val = '1'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static int mark_mt_parse(int c, char **argv, int invert, unsigned int *flags, @@ -62,7 +67,7 @@ switch (c) { char *end; case '1': - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); markinfo->mark = strtoul(optarg, &end, 0); if (*end == '/') { markinfo->mask = strtoul(end+1, &end, 0); 
@@ -143,38 +148,38 @@ print_mark(info->mark, info->mask); } -static struct xtables_match mark_match = { - .family = NFPROTO_UNSPEC, - .name = "mark", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_mark_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)), - .help = mark_mt_help, - .parse = mark_parse, - .final_check = mark_mt_check, - .print = mark_print, - .save = mark_save, - .extra_opts = mark_mt_opts, -}; - -static struct xtables_match mark_mt_reg = { - .version = XTABLES_VERSION, - .name = "mark", - .revision = 1, - .family = NFPROTO_UNSPEC, - .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), - .help = mark_mt_help, - .parse = mark_mt_parse, - .final_check = mark_mt_check, - .print = mark_mt_print, - .save = mark_mt_save, - .extra_opts = mark_mt_opts, +static struct xtables_match mark_mt_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "mark", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_mark_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_info)), + .help = mark_mt_help, + .parse = mark_parse, + .final_check = mark_mt_check, + .print = mark_print, + .save = mark_save, + .extra_opts = mark_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "mark", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_mtinfo1)), + .help = mark_mt_help, + .parse = mark_mt_parse, + .final_check = mark_mt_check, + .print = mark_mt_print, + .save = mark_mt_save, + .extra_opts = mark_mt_opts, + }, }; void _init(void) { - xtables_register_match(&mark_match); - xtables_register_match(&mark_mt_reg); + xtables_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_MARK.c iptables-1.4.10/extensions/libxt_MARK.c --- iptables-1.4.4/extensions/libxt_MARK.c 2009-06-16 14:37:44.000000000 +0000 
+++ iptables-1.4.10/extensions/libxt_MARK.c 2010-10-29 14:37:22.000000000 +0000 @@ -9,6 +9,23 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_MARK.h> +/* Version 0 */ +struct xt_mark_target_info { + unsigned long mark; +}; + +/* Version 1 */ +enum { + XT_MARK_SET=0, + XT_MARK_AND, + XT_MARK_OR, +}; + +struct xt_mark_target_info_v1 { + unsigned long mark; + u_int8_t mode; +}; + enum { F_MARK = 1 << 0, }; @@ -23,10 +40,10 @@ } static const struct option MARK_opts[] = { - { "set-mark", 1, NULL, '1' }, - { "and-mark", 1, NULL, '2' }, - { "or-mark", 1, NULL, '3' }, - { .name = NULL } + {.name = "set-mark", .has_arg = true, .val = '1'}, + {.name = "and-mark", .has_arg = true, .val = '2'}, + {.name = "or-mark", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static const struct option mark_tg_opts[] = { @@ -35,7 +52,7 @@ {.name = "and-mark", .has_arg = true, .val = '&'}, {.name = "or-mark", .has_arg = true, .val = '|'}, {.name = "xor-mark", .has_arg = true, .val = '^'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static void mark_tg_help(void) @@ -247,6 +264,8 @@ printf("MARK or 0x%x ", info->mark); else if (info->mask == 0) printf("MARK xor 0x%x ", info->mark); + else if (info->mask == 0xffffffffU) + printf("MARK set 0x%x ", info->mark); else printf("MARK xset 0x%x/0x%x ", info->mark, info->mask); } 
@@ -277,70 +296,52 @@ printf("--set-xmark 0x%x/0x%x ", info->mark, info->mask); } -static struct xtables_target mark_target_v0 = { - .family = NFPROTO_IPV4, - .name = "MARK", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .help = MARK_help, - .parse = MARK_parse_v0, - .final_check = MARK_check, - .print = MARK_print_v0, - .save = MARK_save_v0, - .extra_opts = MARK_opts, -}; - -static struct xtables_target mark_target_v1 = { - .family = NFPROTO_IPV4, - .name = "MARK", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), - .help = MARK_help, - .parse = MARK_parse_v1, - .final_check = MARK_check, - .print = MARK_print_v1, - .save = MARK_save_v1, - .extra_opts = MARK_opts, -}; - -static struct xtables_target mark_target6_v0 = { - .family = NFPROTO_IPV6, - .name = "MARK", - .version = XTABLES_VERSION, - .revision = 0, - .size = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info)), - .help = MARK_help, - .parse = MARK_parse_v0, - .final_check = MARK_check, - .print = MARK_print_v0, - .save = MARK_save_v0, - .extra_opts = MARK_opts, -}; - -static struct xtables_target mark_tg_reg_v2 = { - .version = XTABLES_VERSION, - .name = "MARK", - .revision = 2, - .family = NFPROTO_UNSPEC, - .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), - .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), - .help = mark_tg_help, - .parse = mark_tg_parse, - .final_check = mark_tg_check, - .print = mark_tg_print, - .save = mark_tg_save, - .extra_opts = mark_tg_opts, +static struct xtables_target mark_tg_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "MARK", + .version = XTABLES_VERSION, + .revision = 0, + .size = XT_ALIGN(sizeof(struct xt_mark_target_info)), + .userspacesize = 
XT_ALIGN(sizeof(struct xt_mark_target_info)), + .help = MARK_help, + .parse = MARK_parse_v0, + .final_check = MARK_check, + .print = MARK_print_v0, + .save = MARK_save_v0, + .extra_opts = MARK_opts, + }, + { + .family = NFPROTO_IPV4, + .name = "MARK", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_target_info_v1)), + .help = MARK_help, + .parse = MARK_parse_v1, + .final_check = MARK_check, + .print = MARK_print_v1, + .save = MARK_save_v1, + .extra_opts = MARK_opts, + }, + { + .version = XTABLES_VERSION, + .name = "MARK", + .revision = 2, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mark_tginfo2)), + .help = mark_tg_help, + .parse = mark_tg_parse, + .final_check = mark_tg_check, + .print = mark_tg_print, + .save = mark_tg_save, + .extra_opts = mark_tg_opts, + }, }; void _init(void) { - xtables_register_target(&mark_target_v0); - xtables_register_target(&mark_target_v1); - xtables_register_target(&mark_target6_v0); - xtables_register_target(&mark_tg_reg_v2); + xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_MARK.man iptables-1.4.10/extensions/libxt_MARK.man --- iptables-1.4.4/extensions/libxt_MARK.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_MARK.man 2010-10-29 14:37:22.000000000 +0000 
@@ -1,25 +1,27 @@ This target is used to set the Netfilter mark value associated with the packet. -The target can only be used in the \fBmangle\fR table. It can, for example, be -used in conjunction with routing based on fwmark (needs iproute2). +It can, for example, be used in conjunction with routing based on fwmark (needs +iproute2). If you plan on doing so, note that the mark needs to be set in the +PREROUTING chain of the mangle table to affect routing. +The mark field is 32 bits wide. .TP \fB\-\-set\-xmark\fP \fIvalue\fP[\fB/\fP\fImask\fP] -Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the packet -mark ("nfmark"). If \fImask\fR is omitted, 0xFFFFFFFF is assumed. +Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the packet +mark ("nfmark"). If \fImask\fP is omitted, 0xFFFFFFFF is assumed. .TP \fB\-\-set\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP] -Zeroes out the bits given by \fImask\fR and ORs \fIvalue\fR into the packet -mark. If \fImask\fR is omitted, 0xFFFFFFFF is assumed. +Zeroes out the bits given by \fImask\fP and ORs \fIvalue\fP into the packet +mark. If \fImask\fP is omitted, 0xFFFFFFFF is assumed. .PP The following mnemonics are available: .TP \fB\-\-and\-mark\fP \fIbits\fP -Binary AND the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark -0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.) +Binary AND the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) .TP \fB\-\-or\-mark\fP \fIbits\fP -Binary OR the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP -\fIbits\fR\fB/\fR\fIbits\fR.) +Binary OR the nfmark with \fIbits\fP. (Mnemonic for \fB\-\-set\-xmark\fP +\fIbits\fP\fB/\fP\fIbits\fP.) .TP \fB\-\-xor\-mark\fP \fIbits\fP -Binary XOR the nfmark with \fIbits\fR. (Mnemonic for \fB\-\-set\-xmark\fP -\fIbits\fR\fB/0\fR.) +Binary XOR the nfmark with \fIbits\fP. 
(Mnemonic for \fB\-\-set\-xmark\fP +\fIbits\fP\fB/0\fP.) diff -Nru iptables-1.4.4/extensions/libxt_multiport.c iptables-1.4.10/extensions/libxt_multiport.c --- iptables-1.4.4/extensions/libxt_multiport.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_multiport.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add multiple TCP port support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -44,12 +45,12 @@ } static const struct option multiport_opts[] = { - { "source-ports", 1, NULL, '1' }, - { "sports", 1, NULL, '1' }, /* synonym */ - { "destination-ports", 1, NULL, '2' }, - { "dports", 1, NULL, '2' }, /* synonym */ - { "ports", 1, NULL, '3' }, - { .name = NULL } + {.name = "source-ports", .has_arg = true, .val = '1'}, + {.name = "sports", .has_arg = true, .val = '1'}, /* synonym */ + {.name = "destination-ports", .has_arg = true, .val = '2'}, + {.name = "dports", .has_arg = true, .val = '2'}, /* synonym */ + {.name = "ports", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static char * 
@@ -164,25 +165,25 @@ switch (c) { case '1': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); proto = check_proto(pnum, invflags); - multiinfo->count = parse_multi_ports(argv[optind-1], + multiinfo->count = parse_multi_ports(optarg, multiinfo->ports, proto); multiinfo->flags = XT_MULTIPORT_SOURCE; break; case '2': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); proto = check_proto(pnum, invflags); - multiinfo->count = parse_multi_ports(argv[optind-1], + multiinfo->count = parse_multi_ports(optarg, multiinfo->ports, proto); multiinfo->flags = XT_MULTIPORT_DESTINATION; break; case '3': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); proto = check_proto(pnum, invflags); - multiinfo->count = parse_multi_ports(argv[optind-1], + multiinfo->count = parse_multi_ports(optarg, multiinfo->ports, proto); multiinfo->flags = XT_MULTIPORT_EITHER; break; 
@@ -231,23 +232,23 @@ switch (c) { case '1': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); proto = check_proto(pnum, invflags); - parse_multi_ports_v1(argv[optind-1], multiinfo, proto); + parse_multi_ports_v1(optarg, multiinfo, proto); multiinfo->flags = XT_MULTIPORT_SOURCE; break; case '2': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); proto = check_proto(pnum, invflags); - parse_multi_ports_v1(argv[optind-1], multiinfo, proto); + parse_multi_ports_v1(optarg, multiinfo, proto); multiinfo->flags = XT_MULTIPORT_DESTINATION; break; case '3': - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); proto = check_proto(pnum, invflags); - parse_multi_ports_v1(argv[optind-1], multiinfo, proto); + parse_multi_ports_v1(optarg, multiinfo, proto); multiinfo->flags = XT_MULTIPORT_EITHER; break; 
@@ -509,71 +510,67 @@ __multiport_save_v1(match, ip->proto); } -static struct xtables_match multiport_match = { - .family = NFPROTO_IPV4, - .name = "multiport", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_multiport)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), - .help = multiport_help, - .parse = multiport_parse, - .final_check = multiport_check, - .print = multiport_print, - .save = multiport_save, - .extra_opts = multiport_opts, -}; - -static struct xtables_match multiport_match6 = { - .family = NFPROTO_IPV6, - .name = "multiport", - .revision = 0, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_multiport)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), - .help = multiport_help, - .parse = multiport_parse6, - .final_check = multiport_check, - .print = multiport_print6, - .save = multiport_save6, - .extra_opts = multiport_opts, -}; - -static struct xtables_match multiport_match_v1 = { - .family = NFPROTO_IPV4, - .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .help = multiport_help_v1, - .parse = multiport_parse_v1, - .final_check = multiport_check, - .print = multiport_print_v1, - .save = multiport_save_v1, - .extra_opts = multiport_opts, -}; - -static struct xtables_match multiport_match6_v1 = { - .family = NFPROTO_IPV6, - .name = "multiport", - .version = XTABLES_VERSION, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), - .help = multiport_help_v1, - .parse = multiport_parse6_v1, - .final_check = multiport_check, - .print = multiport_print6_v1, - .save = multiport_save6_v1, - .extra_opts = multiport_opts, +static struct xtables_match multiport_mt_reg[] = { + { + .family = NFPROTO_IPV4, + .name = "multiport", + .revision = 0, + .version = XTABLES_VERSION, + .size = 
XT_ALIGN(sizeof(struct xt_multiport)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), + .help = multiport_help, + .parse = multiport_parse, + .final_check = multiport_check, + .print = multiport_print, + .save = multiport_save, + .extra_opts = multiport_opts, + }, + { + .family = NFPROTO_IPV6, + .name = "multiport", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_multiport)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), + .help = multiport_help, + .parse = multiport_parse6, + .final_check = multiport_check, + .print = multiport_print6, + .save = multiport_save6, + .extra_opts = multiport_opts, + }, + { + .family = NFPROTO_IPV4, + .name = "multiport", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .help = multiport_help_v1, + .parse = multiport_parse_v1, + .final_check = multiport_check, + .print = multiport_print_v1, + .save = multiport_save_v1, + .extra_opts = multiport_opts, + }, + { + .family = NFPROTO_IPV6, + .name = "multiport", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_multiport_v1)), + .help = multiport_help_v1, + .parse = multiport_parse6_v1, + .final_check = multiport_check, + .print = multiport_print6_v1, + .save = multiport_save6_v1, + .extra_opts = multiport_opts, + }, }; void _init(void) { - xtables_register_match(&multiport_match); - xtables_register_match(&multiport_match6); - xtables_register_match(&multiport_match_v1); - xtables_register_match(&multiport_match6_v1); + xtables_register_matches(multiport_mt_reg, ARRAY_SIZE(multiport_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_NFLOG.c iptables-1.4.10/extensions/libxt_NFLOG.c --- iptables-1.4.4/extensions/libxt_NFLOG.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_NFLOG.c 2010-10-29 
14:37:22.000000000 +0000 @@ -1,3 +1,4 @@ +#include <stdbool.h> #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -15,11 +16,11 @@ }; static const struct option NFLOG_opts[] = { - { "nflog-group", 1, NULL, NFLOG_GROUP }, - { "nflog-prefix", 1, NULL, NFLOG_PREFIX }, - { "nflog-range", 1, NULL, NFLOG_RANGE }, - { "nflog-threshold", 1, NULL, NFLOG_THRESHOLD }, - { .name = NULL } + {.name = "nflog-group", .has_arg = true, .val = NFLOG_GROUP}, + {.name = "nflog-prefix", .has_arg = true, .val = NFLOG_PREFIX}, + {.name = "nflog-range", .has_arg = true, .val = NFLOG_RANGE}, + {.name = "nflog-threshold", .has_arg = true, .val = NFLOG_THRESHOLD}, + XT_GETOPT_TABLEEND, }; static void NFLOG_help(void) @@ -51,7 +52,7 @@ if (*flags & NFLOG_GROUP) xtables_error(PARAMETER_PROBLEM, "Can't specify --nflog-group twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --nflog-group"); @@ -65,7 +66,7 @@ if (*flags & NFLOG_PREFIX) xtables_error(PARAMETER_PROBLEM, "Can't specify --nflog-prefix twice"); - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --nflog-prefix"); @@ -139,21 +140,7 @@ } static struct xtables_target nflog_target = { - .family = NFPROTO_IPV4, - .name = "NFLOG", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_nflog_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_nflog_info)), - .help = NFLOG_help, - .init = NFLOG_init, - .parse = NFLOG_parse, - .print = NFLOG_print, - .save = NFLOG_save, - .extra_opts = NFLOG_opts, -}; - -static struct xtables_target nflog_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "NFLOG", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_nflog_info)), 
@@ -169,5 +156,4 @@ void _init(void) { xtables_register_target(&nflog_target); - xtables_register_target(&nflog_target6); } diff -Nru iptables-1.4.4/extensions/libxt_NFLOG.man iptables-1.4.10/extensions/libxt_NFLOG.man --- iptables-1.4.4/extensions/libxt_NFLOG.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_NFLOG.man 2010-10-29 14:37:22.000000000 +0000 @@ -9,7 +9,7 @@ non-terminating target, i.e. rule traversal continues at the next rule. .TP \fB\-\-nflog\-group\fP \fInlgroup\fP -The netlink group (1 - 2^32\-1) to which packets are (only applicable for +The netlink group (1 \- 2^32\-1) to which packets are (only applicable for nfnetlink_log). The default value is 0. .TP \fB\-\-nflog\-prefix\fP \fIprefix\fP diff -Nru iptables-1.4.4/extensions/libxt_NFQUEUE.c iptables-1.4.10/extensions/libxt_NFQUEUE.c --- iptables-1.4.4/extensions/libxt_NFQUEUE.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_NFQUEUE.c 2010-10-29 14:37:22.000000000 +0000 @@ -5,6 +5,7 @@ * This program is distributed under the terms of GNU GPL v2, 1991 * */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -23,21 +24,33 @@ ); } +static void NFQUEUE_help_v1(void) +{ + NFQUEUE_help(); + printf( +" --queue-balance first:last Balance flows between queues <value> to <value>.\n"); +} + static const struct option NFQUEUE_opts[] = { - { "queue-num", 1, NULL, 'F' }, - { .name = NULL } + {.name = "queue-num", .has_arg = true, .val = 'F'}, + {.name = "queue-balance", .has_arg = true, .val = 'B'}, + XT_GETOPT_TABLEEND, }; +static void exit_badqueue(const char *s) +{ + xtables_error(PARAMETER_PROBLEM, "Invalid queue number `%s'\n", s); +} + static void parse_num(const char *s, struct xt_NFQ_info *tinfo) { unsigned int num; - + if (!xtables_strtoui(s, NULL, &num, 0, UINT16_MAX)) - xtables_error(PARAMETER_PROBLEM, - "Invalid queue number `%s'\n", s); + exit_badqueue(s); - tinfo->queuenum = num & 0xffff; + tinfo->queuenum = num; } static int 
@@ -54,6 +67,53 @@ "Only use --queue-num ONCE!"); parse_num(optarg, tinfo); break; + case 'B': + xtables_error(PARAMETER_PROBLEM, "NFQUEUE target: " + "--queue-balance not supported (kernel too old?)"); + default: + return 0; + } + + return 1; +} + +static int +NFQUEUE_parse_v1(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_NFQ_info_v1 *info = (void *)(*target)->data; + char *colon; + unsigned int firstqueue, lastqueue; + + switch (c) { + case 'F': /* fallthrough */ + case 'B': + if (*flags) + xtables_error(PARAMETER_PROBLEM, "NFQUEUE target: " + "Only use --queue-num ONCE!"); + + if (!xtables_strtoui(optarg, &colon, &firstqueue, 0, UINT16_MAX)) + exit_badqueue(optarg); + + info->queuenum = firstqueue; + + if (c == 'F') { + if (*colon) + exit_badqueue(optarg); + break; + } + + if (*colon != ':') + xtables_error(PARAMETER_PROBLEM, "Bad range \"%s\"", optarg); + + if (!xtables_strtoui(colon + 1, NULL, &lastqueue, 1, UINT16_MAX)) + exit_badqueue(optarg); + + if (firstqueue >= lastqueue) + xtables_error(PARAMETER_PROBLEM, "%u should be less than %u", + firstqueue, lastqueue); + info->queues_total = lastqueue - firstqueue + 1; + break; default: return 0; } @@ -69,6 +129,20 @@ printf("NFQUEUE num %u", tinfo->queuenum); } +static void NFQUEUE_print_v1(const void *ip, + const struct xt_entry_target *target, int numeric) +{ + const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data; + unsigned int last = tinfo->queues_total; + + if (last > 1) { + last += tinfo->queuenum - 1; + printf("NFQUEUE balance %u:%u", tinfo->queuenum, last); + } else { + printf("NFQUEUE num %u", tinfo->queuenum); + } +} + static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target) { const struct xt_NFQ_info *tinfo = 
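Review bot: Nothing in the visible body of `NFQUEUE_parse_v1` sets `*flags`, so the `if (*flags)` guard against a repeated option can only fire if the tail of the function outside the hunk sets it; as written a second `--queue-num` or `--queue-balance` silently overwrites the first, and the message names only `--queue-num` even when `--queue-balance` is the duplicate. Add `*flags = 1;` right after `info->queuenum = firstqueue;` and change the message to `"Only use --queue-num/--queue-balance ONCE!"`. Separately, `lastqueue - firstqueue + 1` is 65536 for `--queue-balance 0:65535`; if `queues_total` is the 16-bit field its use beside 16-bit queue numbers suggests, that truncates to 0, so the range should be rejected or capped explicitly rather than wrapped. The revision-0 `NFQUEUE_parse` above it appears to have the same missing `*flags` assignment; its start is outside the hunk.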
@@ -77,8 +151,27 @@ printf("--queue-num %u ", tinfo->queuenum); } +static void NFQUEUE_save_v1(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data; + unsigned int last = tinfo->queues_total; + + if (last > 1) { + last += tinfo->queuenum - 1; + printf("--queue-balance %u:%u ", tinfo->queuenum, last); + } else { + printf("--queue-num %u ", tinfo->queuenum); + } +} + +static void NFQUEUE_init_v1(struct xt_entry_target *t) +{ + struct xt_NFQ_info_v1 *tinfo = (void *)t->data; + tinfo->queues_total = 1; +} + static struct xtables_target nfqueue_target = { - .family = NFPROTO_IPV4, + .family = NFPROTO_UNSPEC, .name = "NFQUEUE", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_NFQ_info)), @@ -90,21 +183,23 @@ .extra_opts = NFQUEUE_opts }; -static struct xtables_target nfqueue_target6 = { - .family = NFPROTO_IPV6, +static struct xtables_target nfqueue_target_v1 = { + .family = NFPROTO_UNSPEC, + .revision = 1, .name = "NFQUEUE", .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_NFQ_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info)), - .help = NFQUEUE_help, - .parse = NFQUEUE_parse, - .print = NFQUEUE_print, - .save = NFQUEUE_save, + .size = XT_ALIGN(sizeof(struct xt_NFQ_info_v1)), + .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info_v1)), + .help = NFQUEUE_help_v1, + .init = NFQUEUE_init_v1, + .parse = NFQUEUE_parse_v1, + .print = NFQUEUE_print_v1, + .save = NFQUEUE_save_v1, .extra_opts = NFQUEUE_opts, }; void _init(void) { xtables_register_target(&nfqueue_target); - xtables_register_target(&nfqueue_target6); + xtables_register_target(&nfqueue_target_v1); } diff -Nru iptables-1.4.4/extensions/libxt_NFQUEUE.man iptables-1.4.10/extensions/libxt_NFQUEUE.man --- iptables-1.4.4/extensions/libxt_NFQUEUE.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_NFQUEUE.man 2010-10-29 14:37:22.000000000 +0000 
@@ -1,12 +1,18 @@ This target is an extension of the QUEUE target. As opposed to QUEUE, it allows you to put a packet into any specific queue, identified by its 16-bit queue -number. -.TP -\fB\-\-queue\-num\fP \fIvalue\fP -This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0. -.PP +number. It can only be used with Kernel versions 2.6.14 or later, since it requires the .B nfnetlink_queue -kernel support. +kernel support. The \fBqueue-balance\fP option was added in Linux 2.6.31. +.TP +\fB\-\-queue\-num\fP \fIvalue\fP +This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0. +.PP +.TP +\fB\-\-queue\-balance\fP \fIvalue\fP\fB:\fP\fIvalue\fP +This specifies a range of queues to use. Packets are then balanced across the given queues. +This is useful for multicore systems: start multiple instances of the userspace program on +queues x, x+1, .. x+n and use "\-\-queue\-balance \fIx\fP\fB:\fP\fIx+n\fP". +Packets belonging to the same connection are put into the same nfqueue. diff -Nru iptables-1.4.4/extensions/libxt_NOTRACK.c iptables-1.4.10/extensions/libxt_NOTRACK.c --- iptables-1.4.4/extensions/libxt_NOTRACK.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_NOTRACK.c 2010-10-29 14:37:22.000000000 +0000 
@@ -1,46 +1,15 @@ /* Shared library add-on to iptables to add NOTRACK target support. */ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <getopt.h> - #include <xtables.h> -#include <linux/netfilter/x_tables.h> - -static void NOTRACK_help(void) -{ - printf("NOTRACK target takes no options\n"); -} - -static int -NOTRACK_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} static struct xtables_target notrack_target = { - .family = NFPROTO_IPV4, - .name = "NOTRACK", - .version = XTABLES_VERSION, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), - .help = NOTRACK_help, - .parse = NOTRACK_parse, -}; - -static struct xtables_target notrack_target6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "NOTRACK", .version = XTABLES_VERSION, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = NOTRACK_help, - .parse = NOTRACK_parse, }; void _init(void) { xtables_register_target(¬rack_target); - xtables_register_target(¬rack_target6); } diff -Nru iptables-1.4.4/extensions/libxt_osf.c iptables-1.4.10/extensions/libxt_osf.c --- iptables-1.4.4/extensions/libxt_osf.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_osf.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,155 @@ +/* + * Copyright (c) 2003+ Evgeniy Polyakov <zbr@ioremap.net> + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * xtables interface for OS fingerprint matching module. + */ +#include <stdbool.h> +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <ctype.h> + +#include <linux/types.h> + +#include <xtables.h> + +#include <netinet/ip.h> +#include <netinet/tcp.h> + +#include <linux/netfilter/xt_osf.h> + +static void osf_help(void) +{ + printf("OS fingerprint match options:\n" + "[!] --genre string Match a OS genre by passive fingerprinting.\n" + "--ttl level Use some TTL check extensions to determine OS:\n" + " 0 true ip and fingerprint TTL comparison. Works for LAN.\n" + " 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n" + " 2 do not compare TTL at all. 
Allows to detect NMAP, but can produce false results.\n" + "--log level Log determined genres into dmesg even if they do not match desired one:\n" + " 0 log all matched or unknown signatures.\n" + " 1 log only first one.\n" + " 2 log all known matched signatures.\n" + ); +} + + +static const struct option osf_opts[] = { + {.name = "genre", .has_arg = true, .val = '1'}, + {.name = "ttl", .has_arg = true, .val = '2'}, + {.name = "log", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, +}; + + +static void osf_parse_string(const char *s, struct xt_osf_info *info) +{ + if (strlen(s) < MAXGENRELEN) + strcpy(info->genre, s); + else + xtables_error(PARAMETER_PROBLEM, + "Genre string too long `%s' [%zd], max=%d", + s, strlen(s), MAXGENRELEN); +} + +static int osf_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, + struct xt_entry_match **match) +{ + struct xt_osf_info *info = (struct xt_osf_info *)(*match)->data; + + switch(c) { + case '1': /* --genre */ + if (*flags & XT_OSF_GENRE) + xtables_error(PARAMETER_PROBLEM, + "Can't specify multiple genre parameter"); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + osf_parse_string(argv[optind-1], info); + if (invert) + info->flags |= XT_OSF_INVERT; + info->len=strlen(info->genre); + *flags |= XT_OSF_GENRE; + break; + case '2': /* --ttl */ + if (*flags & XT_OSF_TTL) + xtables_error(PARAMETER_PROBLEM, + "Can't specify multiple ttl parameter"); + *flags |= XT_OSF_TTL; + info->flags |= XT_OSF_TTL; + if (!xtables_strtoui(argv[optind-1], NULL, &info->ttl, 0, 2)) + xtables_error(PARAMETER_PROBLEM, "TTL parameter is too big"); + break; + case '3': /* --log */ + if (*flags & XT_OSF_LOG) + xtables_error(PARAMETER_PROBLEM, + "Can't specify multiple log parameter"); + *flags |= XT_OSF_LOG; + if (!xtables_strtoui(argv[optind-1], NULL, &info->loglevel, 0, 2)) + xtables_error(PARAMETER_PROBLEM, "Log level parameter is too big"); + info->flags |= XT_OSF_LOG; + break; + default: + return 0; + } + + 
return 1; +} + +static void osf_final_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "OS fingerprint match: You must specify `--genre'"); +} + +static void osf_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_osf_info *info = (const struct xt_osf_info*) match->data; + + printf("OS fingerprint match %s%s ", (info->flags & XT_OSF_INVERT) ? "! " : "", info->genre); +} + +static void osf_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_osf_info *info = (const struct xt_osf_info*) match->data; + + printf("--genre %s%s ", (info->flags & XT_OSF_INVERT) ? "! ": "", info->genre); +} + +static struct xtables_match osf_match = { + .name = "osf", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_osf_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_osf_info)), + .help = osf_help, + .parse = osf_parse, + .print = osf_print, + .final_check = osf_final_check, + .save = osf_save, + .extra_opts = osf_opts, + .family = NFPROTO_IPV4 +}; + +void _init(void) +{ + xtables_register_match(&osf_match); +} diff -Nru iptables-1.4.4/extensions/libxt_osf.man iptables-1.4.10/extensions/libxt_osf.man --- iptables-1.4.4/extensions/libxt_osf.man 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_osf.man 2010-10-29 14:37:22.000000000 +0000 
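Review bot: `osf_save` emits only `--genre`, so the `--ttl` and `--log` settings that `osf_parse` stores in `info->flags`, `info->ttl` and `info->loglevel` are lost across `iptables-save | iptables-restore`; the save routine should print them when the corresponding flag bit is set (rewrite below). `osf_final_check` tests `!flags`, but `--ttl` and `--log` also set bits in `*flags`, so a rule with `--ttl 1` and no `--genre` passes the "You must specify `--genre'" check; use `if (!(flags & XT_OSF_GENRE))`. Finally, `osf_parse` reads the values from `argv[optind-1]` while every other extension in this patch moves to `optarg`; with the `--genre=Linux` spelling the whole token, including the option name, lands in `info->genre`, so switch the three reads to `optarg`.
```c
static void osf_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_osf_info *info = (const struct xt_osf_info*) match->data;

	printf("--genre %s%s ", (info->flags & XT_OSF_INVERT) ? "! ": "", info->genre);
	/* --ttl/--log are stored in the match but were not saved before */
	if (info->flags & XT_OSF_TTL)
		printf("--ttl %u ", info->ttl);
	if (info->flags & XT_OSF_LOG)
		printf("--log %u ", info->loglevel);
}
```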
@@ -0,0 +1,45 @@ +The osf module does passive operating system fingerprinting. This modules +compares some data (Window Size, MSS, options and their order, TTL, DF, +and others) from packets with the SYN bit set. +.TP +[\fB!\fP] \fB\-\-genre\fP \fIstring\fP +Match an operating system genre by using a passive fingerprinting. +.TP +\fB\-\-ttl\fP \fIlevel\fP +Do additional TTL checks on the packet to determine the operating system. +\fIlevel\fP can be one of the following values: +.IP \(bu 4 +0 - True IP address and fingerprint TTL comparison. This generally works for +LANs. +.IP \(bu 4 +1 - Check if the IP header's TTL is less than the fingerprint one. Works for +globally-routable addresses. +.IP \(bu 4 +2 - Do not compare the TTL at all. +.TP +\fB\-\-log\fP \fIlevel\fP +Log determined genres into dmesg even if they do not match the desired one. +\fIlevel\fP can be one of the following values: +.IP \(bu 4 +0 - Log all matched or unknown signatures +.IP \(bu 4 +1 - Log only the first one +.IP \(bu 4 +2 - Log all known matched signatures +.PP +You may find something like this in syslog: +.PP +Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> +11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4 +.PP +OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load +fingerprints from a file, use: +.PP +\fBnfnl_osf -f /usr/share/xtables/pf.os\fP +.PP +To remove them again, +.PP +\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP +.PP +The fingerprint database can be downlaoded from +http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . diff -Nru iptables-1.4.4/extensions/libxt_owner.c iptables-1.4.10/extensions/libxt_owner.c --- iptables-1.4.4/extensions/libxt_owner.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_owner.c 2010-10-29 14:37:22.000000000 +0000 
@@ -16,8 +16,38 @@ #include <xtables.h> #include <linux/netfilter/xt_owner.h> -#include <linux/netfilter_ipv4/ipt_owner.h> -#include <linux/netfilter_ipv6/ip6t_owner.h> + +/* match and invert flags */ +enum { + IPT_OWNER_UID = 0x01, + IPT_OWNER_GID = 0x02, + IPT_OWNER_PID = 0x04, + IPT_OWNER_SID = 0x08, + IPT_OWNER_COMM = 0x10, + IP6T_OWNER_UID = IPT_OWNER_UID, + IP6T_OWNER_GID = IPT_OWNER_GID, + IP6T_OWNER_PID = IPT_OWNER_PID, + IP6T_OWNER_SID = IPT_OWNER_SID, + IP6T_OWNER_COMM = IPT_OWNER_COMM, +}; + +struct ipt_owner_info { + uid_t uid; + gid_t gid; + pid_t pid; + pid_t sid; + char comm[16]; + u_int8_t match, invert; /* flags */ +}; + +struct ip6t_owner_info { + uid_t uid; + gid_t gid; + pid_t pid; + pid_t sid; + char comm[16]; + u_int8_t match, invert; /* flags */ +}; /* * Note: "UINT32_MAX - 1" is used in the code because -1 is a reserved @@ -83,7 +113,7 @@ #ifdef IPT_OWNER_COMM {.name = "cmd-owner", .has_arg = true, .val = 'c'}, #endif - { .name = NULL } + XT_GETOPT_TABLEEND, }; static const struct option owner_mt6_opts_v0[] = { @@ -91,14 +121,14 @@ {.name = "gid-owner", .has_arg = true, .val = 'g'}, {.name = "pid-owner", .has_arg = true, .val = 'p'}, {.name = "sid-owner", .has_arg = true, .val = 's'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static const struct option owner_mt_opts[] = { {.name = "uid-owner", .has_arg = true, .val = 'u'}, {.name = "gid-owner", .has_arg = true, .val = 'g'}, {.name = "socket-exists", .has_arg = false, .val = 'k'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static int 
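Review bot: The `struct ipt_owner_info` and `struct ip6t_owner_info` definitions that replace the removed kernel-header includes carry no note that their layout is the kernel's revision-0 ABI, so a later edit (a field reorder, a `comm[16]` resize, a wider type in place of `u_int8_t match, invert`) would silently change what the kernel reads from the rule data without any compile-time complaint. Add above the first struct: `/* Local copies of the kernel's revision-0 ipt_owner_info / ip6t_owner_info. Field order and sizes must match the kernel ABI exactly; nothing checks this at build time. */`. The same caveat applies to the enumerator values, which presumably mirror the flag bits of the removed headers — confirm against linux/netfilter_ipv4/ipt_owner.h before relying on them.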
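Review bot: The `#ifdef IPT_OWNER_COMM` guard around the `cmd-owner` entry in `owner_mt_opts_v0` is now always false, because this commit defines `IPT_OWNER_COMM` as an enumerator (first hunk of this file) and enumerators are invisible to the preprocessor, whereas the previously included kernel header could define it as a macro. The effect is that `--cmd-owner` silently vanishes from the revision-0 option table even though `IPT_OWNER_COMM = 0x10` is still defined. If dropping it is intended, delete the dead `#ifdef` block (and any matching guard in the parse/print code, which is outside this hunk); if not, make the entry unconditional. The table's opening line is outside the hunk.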
@@ -533,70 +563,52 @@ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false); } -static struct xtables_match owner_mt_reg_v0 = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct ipt_owner_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)), - .help = owner_mt_help_v0, - .parse = owner_mt_parse_v0, - .final_check = owner_mt_check, - .print = owner_mt_print_v0, - .save = owner_mt_save_v0, - .extra_opts = owner_mt_opts_v0, -}; - -static struct xtables_match owner_mt6_reg_v0 = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 0, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct ip6t_owner_info)), - .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)), - .help = owner_mt6_help_v0, - .parse = owner_mt6_parse_v0, - .final_check = owner_mt_check, - .print = owner_mt6_print_v0, - .save = owner_mt6_save_v0, - .extra_opts = owner_mt6_opts_v0, -}; - -static struct xtables_match owner_mt_reg = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .help = owner_mt_help, - .parse = owner_mt_parse, - .final_check = owner_mt_check, - .print = owner_mt_print, - .save = owner_mt_save, - .extra_opts = owner_mt_opts, -}; - -static struct xtables_match owner_mt6_reg = { - .version = XTABLES_VERSION, - .name = "owner", - .revision = 1, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), - .help = owner_mt_help, - .parse = owner_mt_parse, - .final_check = owner_mt_check, - .print = owner_mt_print, - .save = owner_mt_save, - .extra_opts = owner_mt_opts, +static struct xtables_match owner_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "owner", + .revision = 0, + .family = NFPROTO_IPV4, + .size = 
XT_ALIGN(sizeof(struct ipt_owner_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)), + .help = owner_mt_help_v0, + .parse = owner_mt_parse_v0, + .final_check = owner_mt_check, + .print = owner_mt_print_v0, + .save = owner_mt_save_v0, + .extra_opts = owner_mt_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "owner", + .revision = 0, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct ip6t_owner_info)), + .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)), + .help = owner_mt6_help_v0, + .parse = owner_mt6_parse_v0, + .final_check = owner_mt_check, + .print = owner_mt6_print_v0, + .save = owner_mt6_save_v0, + .extra_opts = owner_mt6_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "owner", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), + .help = owner_mt_help, + .parse = owner_mt_parse, + .final_check = owner_mt_check, + .print = owner_mt_print, + .save = owner_mt_save, + .extra_opts = owner_mt_opts, + }, }; void _init(void) { - xtables_register_match(&owner_mt_reg_v0); - xtables_register_match(&owner_mt6_reg_v0); - xtables_register_match(&owner_mt_reg); - xtables_register_match(&owner_mt6_reg); + xtables_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_physdev.c iptables-1.4.10/extensions/libxt_physdev.c --- iptables-1.4.4/extensions/libxt_physdev.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_physdev.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add bridge port matching support. */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
@@ -24,12 +25,12 @@ } static const struct option physdev_opts[] = { - { "physdev-in", 1, NULL, '1' }, - { "physdev-out", 1, NULL, '2' }, - { "physdev-is-in", 0, NULL, '3' }, - { "physdev-is-out", 0, NULL, '4' }, - { "physdev-is-bridged", 0, NULL, '5' }, - { .name = NULL } + {.name = "physdev-in", .has_arg = true, .val = '1'}, + {.name = "physdev-out", .has_arg = true, .val = '2'}, + {.name = "physdev-is-in", .has_arg = false, .val = '3'}, + {.name = "physdev-is-out", .has_arg = false, .val = '4'}, + {.name = "physdev-is-bridged", .has_arg = false, .val = '5'}, + XT_GETOPT_TABLEEND, }; static int @@ -43,8 +44,8 @@ case '1': if (*flags & XT_PHYSDEV_OP_IN) goto multiple_use; - xtables_check_inverse(optarg, &invert, &optind, 0); - xtables_parse_interface(argv[optind-1], info->physindev, + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + xtables_parse_interface(optarg, info->physindev, (unsigned char *)info->in_mask); if (invert) info->invert |= XT_PHYSDEV_OP_IN; @@ -55,8 +56,8 @@ case '2': if (*flags & XT_PHYSDEV_OP_OUT) goto multiple_use; - xtables_check_inverse(optarg, &invert, &optind, 0); - xtables_parse_interface(argv[optind-1], info->physoutdev, + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + xtables_parse_interface(optarg, info->physoutdev, (unsigned char *)info->out_mask); if (invert) info->invert |= XT_PHYSDEV_OP_OUT; @@ -67,7 +68,7 @@ case '3': if (*flags & XT_PHYSDEV_OP_ISIN) goto multiple_use; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); info->bitmask |= XT_PHYSDEV_OP_ISIN; if (invert) info->invert |= XT_PHYSDEV_OP_ISIN; @@ -77,7 +78,7 @@ case '4': if (*flags & XT_PHYSDEV_OP_ISOUT) goto multiple_use; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); info->bitmask |= XT_PHYSDEV_OP_ISOUT; if (invert) info->invert |= XT_PHYSDEV_OP_ISOUT; 
@@ -87,7 +88,7 @@ case '5': if (*flags & XT_PHYSDEV_OP_BRIDGED) goto multiple_use; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) info->invert |= XT_PHYSDEV_OP_BRIDGED; *flags |= XT_PHYSDEV_OP_BRIDGED; @@ -161,21 +162,7 @@ } static struct xtables_match physdev_match = { - .family = NFPROTO_IPV4, - .name = "physdev", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_physdev_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_physdev_info)), - .help = physdev_help, - .parse = physdev_parse, - .final_check = physdev_check, - .print = physdev_print, - .save = physdev_save, - .extra_opts = physdev_opts, -}; - -static struct xtables_match physdev_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "physdev", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_physdev_info)), @@ -191,5 +178,4 @@ void _init(void) { xtables_register_match(&physdev_match); - xtables_register_match(&physdev_match6); } diff -Nru iptables-1.4.4/extensions/libxt_pkttype.c iptables-1.4.10/extensions/libxt_pkttype.c --- iptables-1.4.4/extensions/libxt_pkttype.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_pkttype.c 2010-10-29 14:37:22.000000000 +0000 @@ -4,6 +4,7 @@ * * Michal Ludvig <michal@logix.cz> */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -61,8 +62,8 @@ } static const struct option pkttype_opts[] = { - {"pkt-type", 1, NULL, '1'}, - { .name = NULL } + {.name = "pkt-type", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void parse_pkttype(const char *pkttype, struct xt_pkttype_info *info) 
@@ -87,8 +88,8 @@ switch(c) { case '1': - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_pkttype(argv[optind-1], info); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_pkttype(optarg, info); if(invert) info->invert=1; *flags=1; diff -Nru iptables-1.4.4/extensions/libxt_policy.c iptables-1.4.10/extensions/libxt_policy.c --- iptables-1.4.4/extensions/libxt_policy.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_policy.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add policy support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -42,53 +43,55 @@ { { .name = "dir", - .has_arg = 1, + .has_arg = true, .val = '1', }, { .name = "pol", - .has_arg = 1, + .has_arg = true, .val = '2', }, { .name = "strict", + .has_arg = false, .val = '3' }, { .name = "reqid", - .has_arg = 1, + .has_arg = true, .val = '4', }, { .name = "spi", - .has_arg = 1, + .has_arg = true, .val = '5' }, { .name = "tunnel-src", - .has_arg = 1, + .has_arg = true, .val = '6' }, { .name = "tunnel-dst", - .has_arg = 1, + .has_arg = true, .val = '7' }, { .name = "proto", - .has_arg = 1, + .has_arg = true, .val = '8' }, { .name = "mode", - .has_arg = 1, + .has_arg = true, .val = '9' }, { .name = "next", + .has_arg = false, .val = 'a' }, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static int parse_direction(char *s) @@ -118,7 +121,7 @@ xtables_error(PARAMETER_PROBLEM, "policy match: invalid mode \"%s\"", s); } -static int policy_parse(int c, int invert, unsigned int *flags, +static int policy_parse(int c, char **argv, int invert, unsigned int *flags, struct xt_policy_info *info, uint8_t family) { struct xt_policy_elem *e = &info->pol[info->len]; @@ -127,7 +130,7 @@ unsigned int naddr = 0, num; int mode; - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); switch (c) { case '1': 
@@ -269,14 +272,14 @@ static int policy4_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { - return policy_parse(c, invert, flags, (void *)(*match)->data, + return policy_parse(c, argv, invert, flags, (void *)(*match)->data, NFPROTO_IPV4); } static int policy6_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match) { - return policy_parse(c, invert, flags, (void *)(*match)->data, + return policy_parse(c, argv, invert, flags, (void *)(*match)->data, NFPROTO_IPV6); } @@ -292,7 +295,7 @@ if (!(info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT))) xtables_error(PARAMETER_PROBLEM, - "policy match: neither --in nor --out specified"); + "policy match: neither --dir in nor --dir out specified"); if (info->flags & XT_POLICY_MATCH_NONE) { if (info->flags & XT_POLICY_MATCH_STRICT) 
@@ -478,36 +481,36 @@ } } -static struct xtables_match policy_mt_reg = { - .name = "policy", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_policy_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), - .help = policy_help, - .parse = policy4_parse, - .final_check = policy_check, - .print = policy4_print, - .save = policy4_save, - .extra_opts = policy_opts, -}; - -static struct xtables_match policy_mt6_reg = { - .name = "policy", - .version = XTABLES_VERSION, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_policy_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), - .help = policy_help, - .parse = policy6_parse, - .final_check = policy_check, - .print = policy6_print, - .save = policy6_save, - .extra_opts = policy_opts, +static struct xtables_match policy_mt_reg[] = { + { + .name = "policy", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_policy_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), + .help = policy_help, + .parse = policy4_parse, + .final_check = policy_check, + .print = policy4_print, + .save = policy4_save, + .extra_opts = policy_opts, + }, + { + .name = "policy", + .version = XTABLES_VERSION, + .family = NFPROTO_IPV6, + .size = XT_ALIGN(sizeof(struct xt_policy_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_policy_info)), + .help = policy_help, + .parse = policy6_parse, + .final_check = policy_check, + .print = policy6_print, + .save = policy6_save, + .extra_opts = policy_opts, + }, }; void _init(void) { - xtables_register_match(&policy_mt_reg); - xtables_register_match(&policy_mt6_reg); + xtables_register_matches(policy_mt_reg, ARRAY_SIZE(policy_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_quota.c iptables-1.4.10/extensions/libxt_quota.c --- iptables-1.4.4/extensions/libxt_quota.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_quota.c 2010-10-29 
14:37:22.000000000 +0000 @@ -3,6 +3,7 @@ * * Sam Johnston <samj@samj.net> */ +#include <stdbool.h> #include <stddef.h> #include <stdio.h> #include <stdlib.h> @@ -12,14 +13,14 @@ #include <linux/netfilter/xt_quota.h> static const struct option quota_opts[] = { - {"quota", 1, NULL, '1'}, - { .name = NULL } + {.name = "quota", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static void quota_help(void) { printf("quota match options:\n" - " --quota quota quota (bytes)\n"); + "[!] --quota quota quota (bytes)\n"); } static void @@ -60,11 +61,15 @@ switch (c) { case '1': - if (xtables_check_inverse(optarg, &invert, NULL, 0)) + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) xtables_error(PARAMETER_PROBLEM, "quota: unexpected '!'"); if (!parse_quota(optarg, &info->quota)) xtables_error(PARAMETER_PROBLEM, "bad quota: '%s'", optarg); + + if (invert) + info->flags |= XT_QUOTA_INVERT; + break; default: @@ -78,7 +83,7 @@ .name = "quota", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof (struct xt_quota_info)), - .userspacesize = offsetof(struct xt_quota_info, quota), + .userspacesize = offsetof(struct xt_quota_info, master), .help = quota_help, .parse = quota_parse, .print = quota_print, diff -Nru iptables-1.4.4/extensions/libxt_quota.man iptables-1.4.10/extensions/libxt_quota.man --- iptables-1.4.4/extensions/libxt_quota.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_quota.man 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,5 @@ Implements network quotas by decrementing a byte counter with each packet. .TP -\fB\-\-quota\fP \fIbytes\fP +[\fB!\fP] \fB\-\-quota\fP \fIbytes\fP The quota in bytes. -.P diff -Nru iptables-1.4.4/extensions/libxt_rateest.c iptables-1.4.10/extensions/libxt_rateest.c --- iptables-1.4.4/extensions/libxt_rateest.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_rateest.c 2010-10-29 14:37:22.000000000 +0000 
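Review bot: The error text `"quota: unexpected '!'"` kept in `quota_parse` now contradicts the `[!] --quota` help string and man entry introduced by this same commit: `! --quota N` is accepted and sets `XT_QUOTA_INVERT` via the new `if (invert)` branch, while the `--quota ! N` spelling is rejected with a message that implies inversion is unsupported at all. Change the message to say what is actually wrong, e.g. `"quota: '!' must precede --quota"`. A one-line comment on the new `if (invert)` branch would also help, since neither the help text nor the man hunk says what an inverted quota matches (presumably packets once the quota is exhausted — confirm against the kernel's xt_quota). `quota_parse` starts outside this hunk.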
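Review bot: The new `.userspacesize = offsetof(struct xt_quota_info, master)` is an ABI-sensitive choice that deserves a comment: as far as I can tell it widens the span of match data libxtables compares between rules so that the `quota` value is now included, where the old `offsetof(..., quota)` excluded it. Suggested comment on that line: `/* compare everything up to 'master', which is presumably kernel-private state */` — and confirm that `master` is the last, kernel-only field of the kernel's xt_quota_info so no userspace-visible field is left out of the comparison.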
@@ -1,3 +1,4 @@ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -40,20 +41,20 @@ }; static const struct option rateest_opts[] = { - { "rateest1", 1, NULL, OPT_RATEEST1 }, - { "rateest", 1, NULL, OPT_RATEEST1 }, /* alias for absolute mode */ - { "rateest2", 1, NULL, OPT_RATEEST2 }, - { "rateest-bps1", 0, NULL, OPT_RATEEST_BPS1 }, - { "rateest-pps1", 0, NULL, OPT_RATEEST_PPS1 }, - { "rateest-bps2", 0, NULL, OPT_RATEEST_BPS2 }, - { "rateest-pps2", 0, NULL, OPT_RATEEST_PPS2 }, - { "rateest-bps", 0, NULL, OPT_RATEEST_BPS2 }, /* alias for absolute mode */ - { "rateest-pps", 0, NULL, OPT_RATEEST_PPS2 }, /* alias for absolute mode */ - { "rateest-delta", 0, NULL, OPT_RATEEST_DELTA }, - { "rateest-lt", 0, NULL, OPT_RATEEST_LT }, - { "rateest-gt", 0, NULL, OPT_RATEEST_GT }, - { "rateest-eq", 0, NULL, OPT_RATEEST_EQ }, - { .name = NULL } + {.name = "rateest1", .has_arg = true, .val = OPT_RATEEST1}, + {.name = "rateest", .has_arg = true, .val = OPT_RATEEST1}, /* alias for absolute mode */ + {.name = "rateest2", .has_arg = true, .val = OPT_RATEEST2}, + {.name = "rateest-bps1", .has_arg = false, .val = OPT_RATEEST_BPS1}, + {.name = "rateest-pps1", .has_arg = false, .val = OPT_RATEEST_PPS1}, + {.name = "rateest-bps2", .has_arg = false, .val = OPT_RATEEST_BPS2}, + {.name = "rateest-pps2", .has_arg = false, .val = OPT_RATEEST_PPS2}, + {.name = "rateest-bps", .has_arg = false, .val = OPT_RATEEST_BPS2}, /* alias for absolute mode */ + {.name = "rateest-pps", .has_arg = false, .val = OPT_RATEEST_PPS2}, /* alias for absolute mode */ + {.name = "rateest-delta", .has_arg = false, .val = OPT_RATEEST_DELTA}, + {.name = "rateest-lt", .has_arg = false, .val = OPT_RATEEST_LT}, + {.name = "rateest-gt", .has_arg = false, .val = OPT_RATEEST_GT}, + {.name = "rateest-eq", .has_arg = false, .val = OPT_RATEEST_EQ}, + XT_GETOPT_TABLEEND, }; /* Copied from iproute. See http://physics.nist.gov/cuu/Units/binary.html */ 
@@ -79,7 +80,7 @@ { "GBps", 8000000000. }, { "TiBps", 8.*1024.*1024.*1024.*1024. }, { "TBps", 8000000000000. }, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static int @@ -118,7 +119,7 @@ switch (c) { case OPT_RATEEST1: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest can't be inverted"); @@ -132,7 +133,7 @@ break; case OPT_RATEEST2: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest can't be inverted"); @@ -147,7 +148,7 @@ break; case OPT_RATEEST_BPS1: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-bps can't be inverted"); @@ -171,7 +172,7 @@ break; case OPT_RATEEST_PPS1: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-pps can't be inverted"); @@ -196,7 +197,7 @@ break; case OPT_RATEEST_BPS2: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-bps can't be inverted"); @@ -220,7 +221,7 @@ break; case OPT_RATEEST_PPS2: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-pps can't be inverted"); @@ -245,7 +246,7 @@ break; case OPT_RATEEST_DELTA: - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (invert) xtables_error(PARAMETER_PROBLEM, "rateest: rateest-delta can't be inverted"); 
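Review bot: `XT_GETOPT_TABLEEND` replaces `{ .name = NULL }` as the terminator of the rate-suffix table (the `{ "GBps", ... }`/`{ "TBps", ... }` rows), but that table is not a `struct option` array: each row is a name and a `double` scale. If the macro expands to anything beyond `{.name = NULL}` (libxtables' definition, as I recall it, also sets `.has_arg`), this either fails to compile or silently depends on the suffix struct carrying a field it has no use for. Keep the original `{ .name = NULL }` here; the getopt-terminator sweep belongs only in `rateest_opts` above.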
@@ -259,7 +260,7 @@ break; case OPT_RATEEST_EQ: - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (*flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, @@ -272,7 +273,7 @@ break; case OPT_RATEEST_LT: - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (*flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, @@ -285,7 +286,7 @@ break; case OPT_RATEEST_GT: - xtables_check_inverse(argv[optind-1], &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (*flags & (1 << c)) xtables_error(PARAMETER_PROBLEM, @@ -419,9 +420,11 @@ } else { printf("--rateest %s ", info->name1); if (info->flags & XT_RATEEST_MATCH_BPS) { - printf("--rateest-bps "); - rateest_print_mode(info, "--rateest-"); + printf("--rateest-bps1 "); + rateest_print_rate(info->bps1, 0); + printf("--rateest-bps2 "); rateest_print_rate(info->bps2, 0); + rateest_print_mode(info, "--rateest-"); } if (info->flags & XT_RATEEST_MATCH_PPS) { printf("--rateest-pps "); diff -Nru iptables-1.4.4/extensions/libxt_RATEEST.c iptables-1.4.10/extensions/libxt_RATEEST.c --- iptables-1.4.4/extensions/libxt_RATEEST.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_RATEEST.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,3 +1,4 @@ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
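Review bot: The absolute-mode `XT_RATEEST_MATCH_BPS` branch of `rateest_save` is rewritten to emit `--rateest-bps1 <rate> --rateest-bps2 <rate> <mode>`, but the `XT_RATEEST_MATCH_PPS` branch directly below it (visible as context) still emits the old `--rateest-pps` followed by the mode and then the rate. If the bps change is a save/restore fix — the old ordering places the rate value after a mode flag that the option table declares with `.has_arg = false` — the pps branch has the same problem and should be changed the same way: `printf("--rateest-pps1 "); rateest_print_rate(info->pps1, 0); printf("--rateest-pps2 "); rateest_print_rate(info->pps2, 0); rateest_print_mode(info, "--rateest-");`. The parse side for `OPT_RATEEST_LT/GT/EQ` is only partly visible in the hunks above, so please confirm how the trailing value is consumed before changing it. `rateest_save` starts and ends outside this hunk.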
@@ -31,10 +32,10 @@ }; static const struct option RATEEST_opts[] = { - { "rateest-name", 1, NULL, RATEEST_OPT_NAME }, - { "rateest-interval", 1, NULL, RATEEST_OPT_INTERVAL }, - { "rateest-ewmalog", 1, NULL, RATEEST_OPT_EWMALOG }, - { .name = NULL }, + {.name = "rateest-name", .has_arg = true, .val = RATEEST_OPT_NAME}, + {.name = "rateest-interval", .has_arg = true, .val = RATEEST_OPT_INTERVAL}, + {.name = "rateest-ewmalog", .has_arg = true, .val = RATEEST_OPT_EWMALOG}, + XT_GETOPT_TABLEEND, }; /* Copied from iproute */ diff -Nru iptables-1.4.4/extensions/libxt_rateest.man iptables-1.4.10/extensions/libxt_rateest.man --- iptables-1.4.4/extensions/libxt_rateest.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_rateest.man 2010-10-29 14:37:22.000000000 +0000 @@ -11,14 +11,14 @@ \fB\-\-rateest\-delta\fP Compare difference(s) to given rate(s) .TP -\fB\-\-rateest1\-bps\fP \fIvalue\fP +\fB\-\-rateest\-bps1\fP \fIvalue\fP .TP -\fB\-\-rateest2\-bps\fP \fIvalue\fP +\fB\-\-rateest\-bps2\fP \fIvalue\fP Compare bytes per second. .TP -\fB\-\-rateest1\-pps\fP \fIvalue\fP +\fB\-\-rateest\-pps1\fP \fIvalue\fP .TP -\fB\-\-rateest2\-pps\fP \fIvalue\fP +\fB\-\-rateest\-pps2\fP \fIvalue\fP Compare packets per second. .TP [\fB!\fP] \fB\-\-rateest\-lt\fP diff -Nru iptables-1.4.4/extensions/libxt_recent.c iptables-1.4.10/extensions/libxt_recent.c --- iptables-1.4.4/extensions/libxt_recent.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_recent.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add recent matching support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> 
@@ -9,17 +10,17 @@ #include <linux/netfilter/xt_recent.h> static const struct option recent_opts[] = { - { .name = "set", .has_arg = 0, .val = 201 }, - { .name = "rcheck", .has_arg = 0, .val = 202 }, - { .name = "update", .has_arg = 0, .val = 203 }, - { .name = "seconds", .has_arg = 1, .val = 204 }, - { .name = "hitcount", .has_arg = 1, .val = 205 }, - { .name = "remove", .has_arg = 0, .val = 206 }, - { .name = "rttl", .has_arg = 0, .val = 207 }, - { .name = "name", .has_arg = 1, .val = 208 }, - { .name = "rsource", .has_arg = 0, .val = 209 }, - { .name = "rdest", .has_arg = 0, .val = 210 }, - { .name = NULL } + {.name = "set", .has_arg = false, .val = 201}, + {.name = "rcheck", .has_arg = false, .val = 202}, + {.name = "update", .has_arg = false, .val = 203}, + {.name = "seconds", .has_arg = true, .val = 204}, + {.name = "hitcount", .has_arg = true, .val = 205}, + {.name = "remove", .has_arg = false, .val = 206}, + {.name = "rttl", .has_arg = false, .val = 207}, + {.name = "name", .has_arg = true, .val = 208}, + {.name = "rsource", .has_arg = false, .val = 209}, + {.name = "rdest", .has_arg = false, .val = 210}, + XT_GETOPT_TABLEEND, }; static void recent_help(void) @@ -73,7 +74,7 @@ xtables_error(PARAMETER_PROBLEM, "recent: only one of `--set', `--rcheck' " "`--update' or `--remove' may be set"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); info->check_set |= XT_RECENT_SET; if (invert) info->invert = 1; *flags |= XT_RECENT_SET; @@ -84,7 +85,7 @@ xtables_error(PARAMETER_PROBLEM, "recent: only one of `--set', `--rcheck' " "`--update' or `--remove' may be set"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); info->check_set |= XT_RECENT_CHECK; if(invert) info->invert = 1; *flags |= XT_RECENT_CHECK; 
@@ -95,31 +96,31 @@ xtables_error(PARAMETER_PROBLEM, "recent: only one of `--set', `--rcheck' " "`--update' or `--remove' may be set"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); info->check_set |= XT_RECENT_UPDATE; if (invert) info->invert = 1; *flags |= XT_RECENT_UPDATE; break; + case 204: + info->seconds = atoi(optarg); + break; + + case 205: + info->hit_count = atoi(optarg); + break; + case 206: if (*flags & RECENT_CMDS) xtables_error(PARAMETER_PROBLEM, "recent: only one of `--set', `--rcheck' " "`--update' or `--remove' may be set"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); info->check_set |= XT_RECENT_REMOVE; if (invert) info->invert = 1; *flags |= XT_RECENT_REMOVE; break; - case 204: - info->seconds = atoi(optarg); - break; - - case 205: - info->hit_count = atoi(optarg); - break; - case 207: info->check_set |= XT_RECENT_TTL; *flags |= XT_RECENT_TTL; @@ -183,7 +184,7 @@ if (info->side == XT_RECENT_SOURCE) printf("side: source "); if (info->side == XT_RECENT_DEST) - printf("side: dest"); + printf("side: dest "); } static void recent_save(const void *ip, const struct xt_entry_match *match) @@ -215,7 +216,7 @@ static struct xtables_match recent_mt_reg = { .name = "recent", .version = XTABLES_VERSION, - .family = NFPROTO_IPV4, + .family = NFPROTO_UNSPEC, .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), .help = recent_help, 
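Review bot: The relocated `case 204`/`case 205` still assign `info->seconds = atoi(optarg)` and `info->hit_count = atoi(optarg)` with no validation, so `--seconds abc` or `--hitcount -5` is accepted silently (0 or a wrapped negative value reaches the kernel) instead of being reported as a parameter problem; the man hunk later in this diff even tells users that an oversized hitcount is rejected, which only the kernel does. Parse with the bounded libxtables helper (or `strtoul` plus an end-pointer check if `xtables_strtoui` is not available in the libxtables you build against) and fail with `xtables_error(PARAMETER_PROBLEM, ...)` on bad input. The enclosing `recent_parse` starts and ends outside this hunk; `num` would need to be declared at its top.
```c
	case 204:
		if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
			xtables_error(PARAMETER_PROBLEM,
				      "recent: bad value for --seconds: \"%s\"", optarg);
		info->seconds = num;
		break;

	case 205:
		if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
			xtables_error(PARAMETER_PROBLEM,
				      "recent: bad value for --hitcount: \"%s\"", optarg);
		info->hit_count = num;
		break;
	/* … unchanged: case 206 (--remove) and the remaining options … */
```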
@@ -227,24 +228,7 @@ .extra_opts = recent_opts, }; -static struct xtables_match recent_mt6_reg = { - .version = XTABLES_VERSION, - .name = "recent", - .revision = 0, - .family = NFPROTO_IPV6, - .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), - .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)), - .help = recent_help, - .init = recent_init, - .parse = recent_parse, - .final_check = recent_check, - .print = recent_print, - .save = recent_save, - .extra_opts = recent_opts, -}; - void _init(void) { xtables_register_match(&recent_mt_reg); - xtables_register_match(&recent_mt6_reg); } diff -Nru iptables-1.4.4/extensions/libxt_recent.man iptables-1.4.10/extensions/libxt_recent.man --- iptables-1.4.4/extensions/libxt_recent.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_recent.man 2010-10-29 14:37:22.000000000 +0000 @@ -4,15 +4,18 @@ For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them. +.PP +\fB\-\-set\fP, \fB\-\-rcheck\fP, \fB\-\-update\fP and \fB\-\-remove\fP are +mutually exclusive. .TP \fB\-\-name\fP \fIname\fP Specify the list to use for the commands. If no name is given then -\fBDEFAULT\fR will be used. +\fBDEFAULT\fP will be used. .TP -[\fB!\fR] \fB\-\-set\fP +[\fB!\fP] \fB\-\-set\fP This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This will -always return success (or failure if \fB!\fR is passed in). +always return success (or failure if \fB!\fP is passed in). .TP \fB\-\-rsource\fP Match/save the source address of each packet in the recent list table. This 
@@ -21,30 +24,32 @@ \fB\-\-rdest\fP Match/save the destination address of each packet in the recent list table. .TP -[\fB!\fR] \fB\-\-rcheck\fP +[\fB!\fP] \fB\-\-rcheck\fP Check if the source address of the packet is currently in the list. .TP -[\fB!\fR] \fB\-\-update\fP +[\fB!\fP] \fB\-\-update\fP Like \fB\-\-rcheck\fP, except it will update the "last seen" timestamp if it matches. .TP -[\fB!\fR] \fB\-\-remove\fP +[\fB!\fP] \fB\-\-remove\fP Check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned. .TP -[\fB!\fR] \fB\-\-seconds\fP \fIseconds\fP +\fB\-\-seconds\fP \fIseconds\fP This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. .TP -[\fB!\fR] \fB\-\-hitcount\fP \fIhits\fP +\fB\-\-hitcount\fP \fIhits\fP This option must be used in conjunction with one of \fB\-\-rcheck\fP or \fB\-\-update\fP. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with \fB\-\-seconds\fP to create an even narrower match requiring a certain number of hits within a specific -time frame. +time frame. The maximum value for the hitcount parameter is given by the +"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this +value on the command line will cause the rule to be rejected. .TP \fB\-\-rttl\fP This option may only be used in conjunction with one of \fB\-\-rcheck\fP or 
@@ -63,37 +68,37 @@ Steve's ipt_recent website (http://snowman.net/projects/ipt_recent/) also has some examples of usage. .PP -\fB/proc/net/xt_recent/*\fR are the current lists of addresses and information +\fB/proc/net/xt_recent/*\fP are the current lists of addresses and information about each entry of each list. .PP -Each file in \fB/proc/net/xt_recent/\fR can be read from to see the current +Each file in \fB/proc/net/xt_recent/\fP can be read from to see the current list or written two using the following commands to modify the list: .TP -\fBecho +\fR\fIaddr\fR\fB >/proc/net/xt_recent/DEFAULT\fR -to add \fIaddr\fR to the DEFAULT list +\fBecho +\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP +to add \fIaddr\fP to the DEFAULT list .TP \fBecho \-\fP\fIaddr\fP\fB >/proc/net/xt_recent/DEFAULT\fP -to remove \fIaddr\fR from the DEFAULT list +to remove \fIaddr\fP from the DEFAULT list .TP -\fBecho / >/proc/net/xt_recent/DEFAULT\fR +\fBecho / >/proc/net/xt_recent/DEFAULT\fP to flush the DEFAULT list (remove all entries). .PP The module itself accepts parameters, defaults shown: .TP -\fBip_list_tot\fR=\fI100\fR +\fBip_list_tot\fP=\fI100\fP Number of addresses remembered per table. .TP -\fBip_pkt_list_tot\fR=\fI20\fR +\fBip_pkt_list_tot\fP=\fI20\fP Number of packets per address remembered. .TP -\fBip_list_hash_size\fR=\fI0\fR +\fBip_list_hash_size\fP=\fI0\fP Hash table size. 0 means to calculate it based on ip_list_tot, default: 512. .TP -\fBip_list_perms\fR=\fI0644\fR +\fBip_list_perms\fP=\fI0644\fP Permissions for /proc/net/xt_recent/* files. .TP -\fBip_list_uid\fR=\fI0\fR +\fBip_list_uid\fP=\fI0\fP Numerical UID for ownership of /proc/net/xt_recent/* files. .TP -\fBip_list_gid\fR=\fI0\fR +\fBip_list_gid\fP=\fI0\fP Numerical GID for ownership of /proc/net/xt_recent/* files. 
diff -Nru iptables-1.4.4/extensions/libxt_sctp.c iptables-1.4.10/extensions/libxt_sctp.c --- iptables-1.4.4/extensions/libxt_sctp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_sctp.c 2010-10-29 14:37:22.000000000 +0000 @@ -7,6 +7,7 @@ * libipt_ecn.c borrowed heavily from libipt_dscp.c * */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -51,16 +52,16 @@ " --dport ...\n" "[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n" " chunktypes are present\n" -"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK ALL NONE\n"); +"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n"); } static const struct option sctp_opts[] = { - { .name = "source-port", .has_arg = 1, .val = '1' }, - { .name = "sport", .has_arg = 1, .val = '1' }, - { .name = "destination-port", .has_arg = 1, .val = '2' }, - { .name = "dport", .has_arg = 1, .val = '2' }, - { .name = "chunk-types", .has_arg = 1, .val = '3' }, - { .name = NULL } + {.name = "source-port", .has_arg = true, .val = '1'}, + {.name = "sport", .has_arg = true, .val = '1'}, + {.name = "destination-port", .has_arg = true, .val = '2'}, + {.name = "dport", .has_arg = true, .val = '2'}, + {.name = "chunk-types", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; static void 
@@ -97,7 +98,7 @@
 /*'ALL' and 'NONE' will be treated specially. */
 static const struct sctp_chunk_names sctp_chunk_names[]
-= { { .name = "DATA", .chunk_type = 0, .valid_flags = "-----UBE"},
+= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"},
 { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
 { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
 { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
@@ -114,6 +115,7 @@
 { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
 { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"},
 { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"},
+ { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"},
 };
 static void
@@ -257,8 +259,8 @@
 xtables_error(PARAMETER_PROBLEM,
 "Only one `--source-port' allowed");
 einfo->flags |= XT_SCTP_SRC_PORTS;
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_sctp_ports(argv[optind-1], einfo->spts);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_sctp_ports(optarg, einfo->spts);
 if (invert)
 einfo->invflags |= XT_SCTP_SRC_PORTS;
 *flags |= XT_SCTP_SRC_PORTS;
@@ -269,8 +271,8 @@
 xtables_error(PARAMETER_PROBLEM,
 "Only one `--destination-port' allowed");
 einfo->flags |= XT_SCTP_DEST_PORTS;
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_sctp_ports(argv[optind-1], einfo->dpts);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_sctp_ports(optarg, einfo->dpts);
 if (invert)
 einfo->invflags |= XT_SCTP_DEST_PORTS;
 *flags |= XT_SCTP_DEST_PORTS;
@@ -280,7 +282,7 @@
 if (*flags & XT_SCTP_CHUNK_TYPES)
 xtables_error(PARAMETER_PROBLEM,
 "Only one `--chunk-types' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
 if (!argv[optind]
 || argv[optind][0] == '-'
 || argv[optind][0] == '!')
@@ -288,7 +290,7 @@
 "--chunk-types requires two args");
 einfo->flags |= XT_SCTP_CHUNK_TYPES;
- parse_sctp_chunks(einfo, argv[optind-1], argv[optind]);
+ parse_sctp_chunks(einfo, optarg, argv[optind]);
 if (invert)
 einfo->invflags |= XT_SCTP_CHUNK_TYPES;
 optind++;
@@ -496,21 +498,7 @@
 static struct xtables_match sctp_match = {
 .name = "sctp",
- .family = NFPROTO_IPV4,
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_sctp_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
- .help = sctp_help,
- .init = sctp_init,
- .parse = sctp_parse,
- .print = sctp_print,
- .save = sctp_save,
- .extra_opts = sctp_opts,
-};
-
-static struct xtables_match sctp_match6 = {
- .name = "sctp",
- .family = NFPROTO_IPV6,
+ .family = NFPROTO_UNSPEC,
 .version = XTABLES_VERSION,
 .size = XT_ALIGN(sizeof(struct xt_sctp_info)),
 .userspacesize = XT_ALIGN(sizeof(struct xt_sctp_info)),
@@ -525,5 +513,4 @@
 void _init(void)
 {
 xtables_register_match(&sctp_match);
- xtables_register_match(&sctp_match6);
 }
diff -Nru iptables-1.4.4/extensions/libxt_sctp.man iptables-1.4.10/extensions/libxt_sctp.man
--- iptables-1.4.4/extensions/libxt_sctp.man 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_sctp.man 2010-10-29 14:37:22.000000000 +0000
@@ -7,11 +7,11 @@
 The flag letter in upper case indicates that the flag is to match if set, in the lower case indicates to match if unset.
-Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK
+Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
 chunk type available flags
 .br
-DATA U B E u b e
+DATA I U B E i u b e
 .br
 ABORT T t
 .br
diff -Nru iptables-1.4.4/extensions/libxt_SECMARK.c iptables-1.4.10/extensions/libxt_SECMARK.c
--- iptables-1.4.4/extensions/libxt_SECMARK.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_SECMARK.c 2010-10-29 14:37:22.000000000 +0000
@@ -5,6 +5,7 @@
 *
 * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
 */
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -22,8 +23,8 @@
 }
 static const struct option SECMARK_opts[] = {
- { "selctx", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "selctx", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
 };
 static int SECMARK_parse(int c, char **argv, int invert, unsigned int *flags,
diff -Nru iptables-1.4.4/extensions/libxt_SECMARK.man iptables-1.4.10/extensions/libxt_SECMARK.man
--- iptables-1.4.4/extensions/libxt_SECMARK.man 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_SECMARK.man 2010-10-29 14:37:22.000000000 +0000
@@ -2,6 +2,6 @@
 packet for use by security subsystems such as SELinux.
 It is only valid in the
 .B mangle
-table.
+table. The mark is 32 bits wide.
 .TP
 \fB\-\-selctx\fP \fIsecurity_context\fP
diff -Nru iptables-1.4.4/extensions/libxt_set.c iptables-1.4.10/extensions/libxt_set.c
--- iptables-1.4.4/extensions/libxt_set.c 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_set.c 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,251 @@ +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> + * Patrick Schaaf <bof@bof.de> + * Martin Josefsson <gandalf@wlug.westbo.se> + * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/* Shared library add-on to iptables to add IP set matching. */ +#include <stdbool.h> +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <ctype.h> +#include <errno.h> + +#include <xtables.h> +#include <linux/netfilter/xt_set.h> +#include "libxt_set.h" + +static void +set_help(void) +{ + printf("set match options:\n" + " [!] --match-set name flags\n" + " 'name' is the set name from to match,\n" + " 'flags' are the comma separated list of\n" + " 'src' and 'dst' specifications.\n"); +} + +static const struct option set_opts[] = { + {.name = "match-set", .has_arg = true, .val = '1'}, + {.name = "set", .has_arg = true, .val = '2'}, + XT_GETOPT_TABLEEND, +}; + +static void +set_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify `--match-set' with proper arguments"); +} + +static int +set_parse_v0(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_set_info_match_v0 *myinfo = + (struct xt_set_info_match_v0 *) (*match)->data; + struct xt_set_info_v0 *info = &myinfo->match_set; + + switch (c) { + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); + case '1': /* --match-set <set> <flag>[,<flag> */ + if (info->u.flags[0]) + xtables_error(PARAMETER_PROBLEM, + "--match-set can be specified only once"); + + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + if (invert) + info->u.flags[0] |= IPSET_MATCH_INV; + + if (!argv[optind] + || 
argv[optind][0] == '-' + || argv[optind][0] == '!') + xtables_error(PARAMETER_PROBLEM, + "--match-set requires two args."); + + if (strlen(optarg) > IPSET_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "setname `%s' too long, max %d characters.", + optarg, IPSET_MAXNAMELEN - 1); + + get_set_byname(optarg, (struct xt_set_info *)info); + parse_dirs_v0(argv[optind], info); + DEBUGP("parse: set index %u\n", info->index); + optind++; + + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +static void +print_match_v0(const char *prefix, const struct xt_set_info_v0 *info) +{ + int i; + char setname[IPSET_MAXNAMELEN]; + + get_set_byid(setname, info->index); + printf("%s%s %s", + (info->u.flags[0] & IPSET_MATCH_INV) ? "! " : "", + prefix, + setname); + for (i = 0; i < IPSET_DIM_MAX; i++) { + if (!info->u.flags[i]) + break; + printf("%s%s", + i == 0 ? " " : ",", + info->u.flags[i] & IPSET_SRC ? "src" : "dst"); + } + printf(" "); +} + +/* Prints out the matchinfo. */ +static void +set_print_v0(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_set_info_match_v0 *info = (const void *)match->data; + + print_match_v0("match-set", &info->match_set); +} + +static void +set_save_v0(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_set_info_match_v0 *info = (const void *)match->data; + + print_match_v0("--match-set", &info->match_set); +} + +static int +set_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_set_info_match *myinfo = + (struct xt_set_info_match *) (*match)->data; + struct xt_set_info *info = &myinfo->match_set; + + switch (c) { + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); + case '1': /* --match-set <set> <flag>[,<flag> */ + if (info->dim) + xtables_error(PARAMETER_PROBLEM, + "--match-set can be specified only once"); + + xtables_check_inverse(optarg, &invert, &optind, 0, 
argv); + if (invert) + info->flags |= IPSET_INV_MATCH; + + if (!argv[optind] + || argv[optind][0] == '-' + || argv[optind][0] == '!') + xtables_error(PARAMETER_PROBLEM, + "--match-set requires two args."); + + if (strlen(optarg) > IPSET_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "setname `%s' too long, max %d characters.", + optarg, IPSET_MAXNAMELEN - 1); + + get_set_byname(optarg, info); + parse_dirs(argv[optind], info); + DEBUGP("parse: set index %u\n", info->index); + optind++; + + *flags = 1; + break; + + default: + return 0; + } + + return 1; +} + +static void +print_match(const char *prefix, const struct xt_set_info *info) +{ + int i; + char setname[IPSET_MAXNAMELEN]; + + get_set_byid(setname, info->index); + printf("%s%s %s", + (info->flags & IPSET_INV_MATCH) ? "! " : "", + prefix, + setname); + for (i = 1; i <= info->dim; i++) { + printf("%s%s", + i == 1 ? " " : ",", + info->flags & (1 << i) ? "src" : "dst"); + } + printf(" "); +} + +/* Prints out the matchinfo. */ +static void +set_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_set_info_match *info = (const void *)match->data; + + print_match("match-set", &info->match_set); +} + +static void +set_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_set_info_match *info = (const void *)match->data; + + print_match("--match-set", &info->match_set); +} + +static struct xtables_match set_mt_reg[] = { + { + .name = "set", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_set_info_match_v0)), + .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v0)), + .help = set_help, + .parse = set_parse_v0, + .final_check = set_check, + .print = set_print_v0, + .save = set_save_v0, + .extra_opts = set_opts, + }, + { + .name = "set", + .revision = 1, + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_set_info_match)), + .userspacesize = 
XT_ALIGN(sizeof(struct xt_set_info_match)), + .help = set_help, + .parse = set_parse, + .final_check = set_check, + .print = set_print, + .save = set_save, + .extra_opts = set_opts, + }, +}; + +void _init(void) +{ + xtables_register_matches(set_mt_reg, ARRAY_SIZE(set_mt_reg)); +} diff -Nru iptables-1.4.4/extensions/libxt_SET.c iptables-1.4.10/extensions/libxt_SET.c --- iptables-1.4.4/extensions/libxt_SET.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_SET.c 2010-10-29 14:37:22.000000000 +0000 
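Review bot: In set_parse_v0 and set_parse the `case '2':` branch prints the deprecation message and then drops straight into `case '1':` with nothing marking the fall-through as intended, which is exactly the shape that -Wimplicit-fallthrough and later readers will flag; add `/* fallthrough */` after each `fprintf(stderr, ...)`. Separately, set_print_v0 and set_print ignore their `numeric` parameter and always go through get_set_byid, which (per libxt_set.h in this patch) opens a socket and queries the kernel, so `iptables -L -n` on a ruleset using this match still needs the xt_set module and socket privileges; a one-line comment on print_match/print_match_v0 such as `/* resolves the set name via the kernel; -n cannot avoid this */` would document that. If the kernel lookup is intended to be unavoidable, that is fine, but it should be stated.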
@@ -0,0 +1,287 @@ +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> + * Patrick Schaaf <bof@bof.de> + * Martin Josefsson <gandalf@wlug.westbo.se> + * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/* Shared library add-on to iptables to add IP set mangling target. */ +#include <stdbool.h> +#include <stdio.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> +#include <ctype.h> + +#include <xtables.h> +#include <linux/netfilter/xt_set.h> +#include "libxt_set.h" + +static void +set_target_help(void) +{ + printf("SET target options:\n" + " --add-set name flags\n" + " --del-set name flags\n" + " add/del src/dst IP/port from/to named sets,\n" + " where flags are the comma separated list of\n" + " 'src' and 'dst' specifications.\n"); +} + +static const struct option set_target_opts[] = { + {.name = "add-set", .has_arg = true, .val = '1'}, + {.name = "del-set", .has_arg = true, .val = '2'}, + XT_GETOPT_TABLEEND, +}; + +static void +set_target_check(unsigned int flags) +{ + if (!flags) + xtables_error(PARAMETER_PROBLEM, + "You must specify either `--add-set' or `--del-set'"); +} + +static void +set_target_init_v0(struct xt_entry_target *target) +{ + struct xt_set_info_target_v0 *info = + (struct xt_set_info_target_v0 *) target->data; + + info->add_set.index = + info->del_set.index = IPSET_INVALID_ID; + +} + +static void +parse_target_v0(char **argv, int invert, unsigned int *flags, + struct xt_set_info_v0 *info, const char *what) +{ + if (info->u.flags[0]) + xtables_error(PARAMETER_PROBLEM, + "--%s can be specified only once", what); + + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' 
after --%s", what); + + if (!argv[optind] + || argv[optind][0] == '-' || argv[optind][0] == '!') + xtables_error(PARAMETER_PROBLEM, + "--%s requires two args.", what); + + if (strlen(optarg) > IPSET_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "setname `%s' too long, max %d characters.", + optarg, IPSET_MAXNAMELEN - 1); + + get_set_byname(optarg, (struct xt_set_info *)info); + parse_dirs_v0(argv[optind], info); + optind++; + + *flags = 1; +} + +static int +set_target_parse_v0(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_set_info_target_v0 *myinfo = + (struct xt_set_info_target_v0 *) (*target)->data; + + switch (c) { + case '1': /* --add-set <set> <flags> */ + parse_target_v0(argv, invert, flags, + &myinfo->add_set, "add-set"); + break; + case '2': /* --del-set <set>[:<flags>] <flags> */ + parse_target_v0(argv, invert, flags, + &myinfo->del_set, "del-set"); + break; + + default: + return 0; + } + return 1; +} + +static void +print_target_v0(const char *prefix, const struct xt_set_info_v0 *info) +{ + int i; + char setname[IPSET_MAXNAMELEN]; + + if (info->index == IPSET_INVALID_ID) + return; + get_set_byid(setname, info->index); + printf("%s %s", prefix, setname); + for (i = 0; i < IPSET_DIM_MAX; i++) { + if (!info->u.flags[i]) + break; + printf("%s%s", + i == 0 ? " " : ",", + info->u.flags[i] & IPSET_SRC ? 
"src" : "dst"); + } + printf(" "); +} + +static void +set_target_print_v0(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_set_info_target_v0 *info = (const void *)target->data; + + print_target_v0("add-set", &info->add_set); + print_target_v0("del-set", &info->del_set); +} + +static void +set_target_save_v0(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_set_info_target_v0 *info = (const void *)target->data; + + print_target_v0("--add-set", &info->add_set); + print_target_v0("--del-set", &info->del_set); +} + +static void +set_target_init(struct xt_entry_target *target) +{ + struct xt_set_info_target *info = + (struct xt_set_info_target *) target->data; + + info->add_set.index = + info->del_set.index = IPSET_INVALID_ID; + +} + +static void +parse_target(char **argv, int invert, unsigned int *flags, + struct xt_set_info *info, const char *what) +{ + if (info->dim) + xtables_error(PARAMETER_PROBLEM, + "--%s can be specified only once", what); + + if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' 
after --%s", what); + + if (!argv[optind] + || argv[optind][0] == '-' || argv[optind][0] == '!') + xtables_error(PARAMETER_PROBLEM, + "--%s requires two args.", what); + + if (strlen(optarg) > IPSET_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "setname `%s' too long, max %d characters.", + optarg, IPSET_MAXNAMELEN - 1); + + get_set_byname(optarg, info); + parse_dirs(argv[optind], info); + optind++; + + *flags = 1; +} + +static int +set_target_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_set_info_target *myinfo = + (struct xt_set_info_target *) (*target)->data; + + switch (c) { + case '1': /* --add-set <set> <flags> */ + parse_target(argv, invert, flags, + &myinfo->add_set, "add-set"); + break; + case '2': /* --del-set <set>[:<flags>] <flags> */ + parse_target(argv, invert, flags, + &myinfo->del_set, "del-set"); + break; + + default: + return 0; + } + return 1; +} + +static void +print_target(const char *prefix, const struct xt_set_info *info) +{ + int i; + char setname[IPSET_MAXNAMELEN]; + + if (info->index == IPSET_INVALID_ID) + return; + get_set_byid(setname, info->index); + printf("%s %s", prefix, setname); + for (i = 1; i <= IPSET_DIM_MAX; i++) { + printf("%s%s", + i == 1 ? " " : ",", + info->flags & (1 << i) ? 
"src" : "dst"); + } + printf(" "); +} + +static void +set_target_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_set_info_target *info = (const void *)target->data; + + print_target("add-set", &info->add_set); + print_target("del-set", &info->del_set); +} + +static void +set_target_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_set_info_target *info = (const void *)target->data; + + print_target("--add-set", &info->add_set); + print_target("--del-set", &info->del_set); +} + +static struct xtables_target set_tg_reg[] = { + { + .name = "SET", + .revision = 0, + .version = XTABLES_VERSION, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_set_info_target_v0)), + .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v0)), + .help = set_target_help, + .init = set_target_init_v0, + .parse = set_target_parse_v0, + .final_check = set_target_check, + .print = set_target_print_v0, + .save = set_target_save_v0, + .extra_opts = set_target_opts, + }, + { + .name = "SET", + .revision = 1, + .version = XTABLES_VERSION, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_set_info_target)), + .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target)), + .help = set_target_help, + .init = set_target_init, + .parse = set_target_parse, + .final_check = set_target_check, + .print = set_target_print, + .save = set_target_save, + .extra_opts = set_target_opts, + }, +}; + +void _init(void) +{ + xtables_register_targets(set_tg_reg, ARRAY_SIZE(set_tg_reg)); +} diff -Nru iptables-1.4.4/extensions/libxt_set.h iptables-1.4.10/extensions/libxt_set.h --- iptables-1.4.4/extensions/libxt_set.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_set.h 2010-10-29 14:37:22.000000000 +0000 
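Review bot: print_target loops `for (i = 1; i <= IPSET_DIM_MAX; i++)` and prints one src/dst flag for every possible dimension, whereas print_match in libxt_set.c from this same patch stops at `info->dim`, and print_target_v0 here stops at the first zero flag. Unless xt_set_info always carries dim == IPSET_DIM_MAX, the `-j SET` line emitted by iptables-save will contain IPSET_DIM_MAX flags, and parse_dirs in libxt_set.h accepts at most IPSET_DIM_MAX - 1 of them, so the saved rule would be rejected on restore. The bound should be `for (i = 1; i <= info->dim; i++) {`, matching print_match.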
@@ -0,0 +1,147 @@ +#ifndef _LIBXT_SET_H +#define _LIBXT_SET_H + +#include <unistd.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> + +#ifdef DEBUG +#define DEBUGP(x, args...) fprintf(stderr, x , ## args) +#else +#define DEBUGP(x, args...) +#endif + +static int +get_version(unsigned *version) +{ + int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + struct ip_set_req_version req_version; + socklen_t size = sizeof(req_version); + + if (sockfd < 0) + xtables_error(OTHER_PROBLEM, + "Can't open socket to ipset.\n"); + + req_version.op = IP_SET_OP_VERSION; + res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size); + if (res != 0) + xtables_error(OTHER_PROBLEM, + "Kernel module xt_set is not loaded in.\n"); + + *version = req_version.version; + + return sockfd; +} + +static void +get_set_byid(char *setname, ip_set_id_t idx) +{ + struct ip_set_req_get_set req; + socklen_t size = sizeof(struct ip_set_req_get_set); + int res, sockfd; + + sockfd = get_version(&req.version); + req.op = IP_SET_OP_GET_BYINDEX; + req.set.index = idx; + res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size); + close(sockfd); + + if (res != 0) + xtables_error(OTHER_PROBLEM, + "Problem when communicating with ipset, errno=%d.\n", + errno); + if (size != sizeof(struct ip_set_req_get_set)) + xtables_error(OTHER_PROBLEM, + "Incorrect return size from kernel during ipset lookup, " + "(want %zu, got %zu)\n", + sizeof(struct ip_set_req_get_set), (size_t)size); + if (req.set.name[0] == '\0') + xtables_error(PARAMETER_PROBLEM, + "Set with index %i in kernel doesn't exist.\n", idx); + + strncpy(setname, req.set.name, IPSET_MAXNAMELEN); +} + +static void +get_set_byname(const char *setname, struct xt_set_info *info) +{ + struct ip_set_req_get_set req; + socklen_t size = sizeof(struct ip_set_req_get_set); + int res, sockfd; + + sockfd = get_version(&req.version); + req.op = IP_SET_OP_GET_BYNAME; + strncpy(req.set.name, setname, IPSET_MAXNAMELEN); + 
req.set.name[IPSET_MAXNAMELEN - 1] = '\0'; + res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req, &size); + close(sockfd); + + if (res != 0) + xtables_error(OTHER_PROBLEM, + "Problem when communicating with ipset, errno=%d.\n", + errno); + if (size != sizeof(struct ip_set_req_get_set)) + xtables_error(OTHER_PROBLEM, + "Incorrect return size from kernel during ipset lookup, " + "(want %zu, got %zu)\n", + sizeof(struct ip_set_req_get_set), (size_t)size); + if (req.set.index == IPSET_INVALID_ID) + xtables_error(PARAMETER_PROBLEM, + "Set %s doesn't exist.\n", setname); + + info->index = req.set.index; +} + +static void +parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info) +{ + char *saved = strdup(opt_arg); + char *ptr, *tmp = saved; + int i = 0; + + while (i < (IPSET_DIM_MAX - 1) && tmp != NULL) { + ptr = strsep(&tmp, ","); + if (strncmp(ptr, "src", 3) == 0) + info->u.flags[i++] |= IPSET_SRC; + else if (strncmp(ptr, "dst", 3) == 0) + info->u.flags[i++] |= IPSET_DST; + else + xtables_error(PARAMETER_PROBLEM, + "You must spefify (the comma separated list of) 'src' or 'dst'."); + } + + if (tmp) + xtables_error(PARAMETER_PROBLEM, + "Can't be more src/dst options than %i.", + IPSET_DIM_MAX - 1); + + free(saved); +} + +static void +parse_dirs(const char *opt_arg, struct xt_set_info *info) +{ + char *saved = strdup(opt_arg); + char *ptr, *tmp = saved; + int i = 0; + + while (i < (IPSET_DIM_MAX - 1) && tmp != NULL) { + info->dim++; + ptr = strsep(&tmp, ","); + if (strncmp(ptr, "src", 3) == 0) + info->flags |= (1 << info->dim); + else if (strncmp(ptr, "dst", 3) != 0) + xtables_error(PARAMETER_PROBLEM, + "You must spefify (the comma separated list of) 'src' or 'dst'."); + } + + if (tmp) + xtables_error(PARAMETER_PROBLEM, + "Can't be more src/dst options than %i.", + IPSET_DIM_MAX - 1); + + free(saved); +} + +#endif /*_LIBXT_SET_H*/ diff -Nru iptables-1.4.4/extensions/libxt_set.man iptables-1.4.10/extensions/libxt_set.man --- iptables-1.4.4/extensions/libxt_set.man 
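Review bot: get_set_byid copies the kernel-supplied name with `strncpy(setname, req.set.name, IPSET_MAXNAMELEN);` and never forces termination, while get_set_byname does terminate the buffer it sends the other way; if the name returned through getsockopt occupies all IPSET_MAXNAMELEN bytes, the callers' `printf("%s", ...)` on `setname` reads past the local array. Add `setname[IPSET_MAXNAMELEN - 1] = '\0';` after the copy, and consider `struct ip_set_req_get_set req = {0};` in both helpers so the `req.set.name[0]` and `req.set.index` checks never read stale stack contents. parse_dirs_v0 and parse_dirs also pass the unchecked result of `strdup` to strsep; `if (!saved) xtables_error(RESOURCE_PROBLEM, "strdup failed");` keeps a NULL out of the loop. The `strncmp(ptr, "src", 3)` and `strncmp(ptr, "dst", 3)` comparisons accept any token that merely starts with src or dst, which strcmp would reject.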
1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_set.man 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,23 @@
+This module matches IP sets which can be defined by ipset(8).
+.TP
+[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
+where flags are the comma separated list of
+.BR "src"
+and/or
+.BR "dst"
+specifications and there can be no more than six of them. Hence the command
+.IP
+ iptables \-A FORWARD \-m set \-\-match\-set test src,dst
+.IP
+will match packets, for which (if the set type is ipportmap) the source
+address and destination port pair can be found in the specified set. If
+the set type of the specified set is single dimension (for example ipmap),
+then the command will match packets for which the source address can be
+found in the specified set.
+.PP
+The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
+not clash with an option of other extensions.
+.PP
+Use of -m set requires that ipset kernel support is provided. As standard
+kernels do not ship this currently, the ipset or Xtables-addons package needs
+to be installed.
diff -Nru iptables-1.4.4/extensions/libxt_SET.man iptables-1.4.10/extensions/libxt_SET.man
--- iptables-1.4.4/extensions/libxt_SET.man 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_SET.man 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,18 @@
+This modules adds and/or deletes entries from IP sets which can be defined
+by ipset(8).
+.TP
+\fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+add the address(es)/port(s) of the packet to the sets
+.TP
+\fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...]
+delete the address(es)/port(s) of the packet from the sets
+.IP
+where flags are
+.BR "src"
+and/or
+.BR "dst"
+specifications and there can be no more than six of them.
+.PP
+Use of -j SET requires that ipset kernel support is provided. As standard
+kernels do not ship this currently, the ipset or Xtables-addons package needs
+to be installed.
diff -Nru iptables-1.4.4/extensions/libxt_socket.c iptables-1.4.10/extensions/libxt_socket.c
--- iptables-1.4.4/extensions/libxt_socket.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_socket.c 2010-10-29 14:37:22.000000000 +0000
@@ -3,34 +3,14 @@
 *
 * Copyright (C) 2007 BalaBit IT Ltd.
 */
-#include <stdio.h>
-#include <getopt.h>
 #include <xtables.h>
-static void socket_mt_help(void)
-{
- printf("socket v%s has no options\n\n", XTABLES_VERSION);
-}
-
-static int socket_mt_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- return 0;
-}
-
-static void socket_mt_check(unsigned int flags)
-{
-}
-
 static struct xtables_match socket_mt_reg = {
 .name = "socket",
 .version = XTABLES_VERSION,
 .family = NFPROTO_IPV4,
 .size = XT_ALIGN(0),
 .userspacesize = XT_ALIGN(0),
- .parse = socket_mt_parse,
- .final_check = socket_mt_check,
- .help = socket_mt_help,
 };
 void _init(void)
diff -Nru iptables-1.4.4/extensions/libxt_standard.c iptables-1.4.10/extensions/libxt_standard.c
--- iptables-1.4.4/extensions/libxt_standard.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_standard.c 2010-10-29 14:37:22.000000000 +0000
@@ -1,10 +1,5 @@
 /* Shared library add-on to iptables for standard target support. */
 #include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <getopt.h>
 #include <xtables.h>
 static void standard_help(void)
@@ -14,12 +9,6 @@
 "(If target is DROP, ACCEPT, RETURN or nothing)\n");
 }
-static int standard_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_target **target)
-{
- return 0;
-}
-
 static struct xtables_target standard_target = {
 .family = NFPROTO_UNSPEC,
 .name = "standard",
@@ -27,7 +16,6 @@
 .size = XT_ALIGN(sizeof(int)),
 .userspacesize = XT_ALIGN(sizeof(int)),
 .help = standard_help,
- .parse = standard_parse,
 };
 void _init(void)
diff -Nru iptables-1.4.4/extensions/libxt_state.c iptables-1.4.10/extensions/libxt_state.c
--- iptables-1.4.4/extensions/libxt_state.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_state.c 2010-10-29 14:37:22.000000000 +0000
@@ -1,4 +1,5 @@
 /* Shared library add-on to iptables to add state tracking support. */
+#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -22,8 +23,8 @@
 }
 static const struct option state_opts[] = {
- { "state", 1, NULL, '1' },
- { .name = NULL }
+ {.name = "state", .has_arg = true, .val = '1'},
+ XT_GETOPT_TABLEEND,
 };
 static int
@@ -71,9 +72,9 @@
 switch (c) {
 case '1':
- xtables_check_inverse(optarg, &invert, &optind, 0);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
- state_parse_states(argv[optind-1], sinfo);
+ state_parse_states(optarg, sinfo);
 if (invert)
 sinfo->statemask = ~sinfo->statemask;
 *flags = 1;
@@ -139,21 +140,7 @@
 }
 static struct xtables_match state_match = {
- .family = NFPROTO_IPV4,
- .name = "state",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_state_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_state_info)),
- .help = state_help,
- .parse = state_parse,
- .final_check = state_final_check,
- .print = state_print,
- .save = state_save,
- .extra_opts = state_opts,
-};
-
-static struct xtables_match state_match6 = {
- .family = NFPROTO_IPV6,
+ .family = NFPROTO_UNSPEC,
 .name = "state",
 .version = XTABLES_VERSION,
 .size = XT_ALIGN(sizeof(struct xt_state_info)),
@@ -169,5 +156,4 @@
 void _init(void)
 {
 xtables_register_match(&state_match);
- xtables_register_match(&state_match6);
 }
diff -Nru iptables-1.4.4/extensions/libxt_state.man iptables-1.4.10/extensions/libxt_state.man
--- iptables-1.4.4/extensions/libxt_state.man 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_state.man 2010-10-29 14:37:22.000000000 +0000
@@ -19,3 +19,6 @@
 meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
+.B UNTRACKED
+meaning that the packet is not tracked at all, which happens if you use
+the NOTRACK target in raw table.
diff -Nru iptables-1.4.4/extensions/libxt_statistic.c iptables-1.4.10/extensions/libxt_statistic.c
--- iptables-1.4.4/extensions/libxt_statistic.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_statistic.c 2010-10-29 14:37:22.000000000 +0000
@@ -1,3 +1,4 @@
+#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -21,11 +22,11 @@
 }
 static const struct option statistic_opts[] = {
- { "mode", 1, NULL, '1' },
- { "probability", 1, NULL, '2' },
- { "every", 1, NULL, '3' },
- { "packet", 1, NULL, '4' },
- { .name = NULL }
+ {.name = "mode", .has_arg = true, .val = '1'},
+ {.name = "probability", .has_arg = true, .val = '2'},
+ {.name = "every", .has_arg = true, .val = '3'},
+ {.name = "packet", .has_arg = true, .val = '4'},
+ XT_GETOPT_TABLEEND,
 };
 static struct xt_statistic_info *global_info;
diff -Nru iptables-1.4.4/extensions/libxt_string.c iptables-1.4.10/extensions/libxt_string.c
--- iptables-1.4.4/extensions/libxt_string.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_string.c 2010-10-29 14:37:22.000000000 +0000
@@ -21,6 +21,7 @@
 * ipt_string_info.
 */
 #define _GNU_SOURCE 1
+#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -44,13 +45,13 @@
 }
 static const struct option string_opts[] = {
- { "from", 1, NULL, '1' },
- { "to", 1, NULL, '2' },
- { "algo", 1, NULL, '3' },
- { "string", 1, NULL, '4' },
- { "hex-string", 1, NULL, '5' },
- { "icase", 0, NULL, '6' },
- { .name = NULL }
+ {.name = "from", .has_arg = true, .val = '1'},
+ {.name = "to", .has_arg = true, .val = '2'},
+ {.name = "algo", .has_arg = true, .val = '3'},
+ {.name = "string", .has_arg = true, .val = '4'},
+ {.name = "hex-string", .has_arg = true, .val = '5'},
+ {.name = "icase", .has_arg = false, .val = '6'},
+ XT_GETOPT_TABLEEND,
 };
 static void string_init(struct xt_entry_match *m)
@@ -202,8 +203,8 @@
 if (*flags & STRING)
 xtables_error(PARAMETER_PROBLEM,
 "Can't specify multiple --string");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_string(argv[optind-1], stringinfo);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_string(optarg, stringinfo);
 if (invert) {
 if (revision == 0)
 stringinfo->u.v0.invert = 1;
@@ -218,8 +219,8 @@
 xtables_error(PARAMETER_PROBLEM,
 "Can't specify multiple --hex-string");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_hex_string(argv[optind-1], stringinfo); /* sets length */
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_hex_string(optarg, stringinfo); /* sets length */
 if (invert) {
 if (revision == 0)
 stringinfo->u.v0.invert = 1;
@@ -350,40 +351,40 @@ } -static struct xtables_match string_match = { - .name = "string", - .revision = 0, - .family = NFPROTO_UNSPEC, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_string_info)), - .userspacesize = offsetof(struct xt_string_info, config), - .help = string_help, - .init = string_init, - .parse = string_parse, - .final_check = string_check, - .print = string_print, - .save = string_save, - .extra_opts = string_opts, -}; - -static struct xtables_match string_match_v1 = { - .name = "string", - .revision = 1, - .family = NFPROTO_UNSPEC, - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_string_info)), - .userspacesize = offsetof(struct xt_string_info, config), - .help = string_help, - .init = string_init, - .parse = string_parse, - .final_check = string_check, - .print = string_print, - .save = string_save, - .extra_opts = string_opts, +static struct xtables_match string_mt_reg[] = { + { + .name = "string", + .revision = 0, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_string_info)), + .userspacesize = offsetof(struct xt_string_info, config), + .help = string_help, + .init = string_init, + .parse = string_parse, + .final_check = string_check, + .print = string_print, + .save = string_save, + .extra_opts = string_opts, + }, + { + .name = "string", + .revision = 1, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_string_info)), + .userspacesize = offsetof(struct xt_string_info, config), + .help = string_help, + .init = string_init, + .parse = string_parse, + .final_check = string_check, + .print = string_print, + .save = string_save, + .extra_opts = string_opts, + }, }; void _init(void) { - xtables_register_match(&string_match); - xtables_register_match(&string_match_v1); + xtables_register_matches(string_mt_reg, ARRAY_SIZE(string_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_string.man 
iptables-1.4.10/extensions/libxt_string.man --- iptables-1.4.4/extensions/libxt_string.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_string.man 2010-10-29 14:37:22.000000000 +0000 @@ -7,7 +7,9 @@ Set the offset from which it starts looking for any matching. If not passed, default is 0. .TP \fB\-\-to\fP \fIoffset\fP -Set the offset from which it starts looking for any matching. If not passed, default is the packet size. +Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 +(counting from 0) is the last one that is scanned. +If not passed, default is the packet size. .TP [\fB!\fP] \fB\-\-string\fP \fIpattern\fP Matches the given pattern. diff -Nru iptables-1.4.4/extensions/libxt_tcp.c iptables-1.4.10/extensions/libxt_tcp.c --- iptables-1.4.4/extensions/libxt_tcp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_tcp.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add TCP support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -26,14 +27,14 @@ } static const struct option tcp_opts[] = { - { "source-port", 1, NULL, '1' }, - { "sport", 1, NULL, '1' }, /* synonym */ - { "destination-port", 1, NULL, '2' }, - { "dport", 1, NULL, '2' }, /* synonym */ - { "syn", 0, NULL, '3' }, - { "tcp-flags", 1, NULL, '4' }, - { "tcp-option", 1, NULL, '5' }, - { .name = NULL } + {.name = "source-port", .has_arg = true, .val = '1'}, + {.name = "sport", .has_arg = true, .val = '1'}, /* synonym */ + {.name = "destination-port", .has_arg = true, .val = '2'}, + {.name = "dport", .has_arg = true, .val = '2'}, /* synonym */ + {.name = "syn", .has_arg = false, .val = '3'}, + {.name = "tcp-flags", .has_arg = true, .val = '4'}, + {.name = "tcp-option", .has_arg = true, .val = '5'}, + XT_GETOPT_TABLEEND, }; static void 
@@ -147,8 +148,8 @@ if (*flags & TCP_SRC_PORTS) xtables_error(PARAMETER_PROBLEM, "Only one `--source-port' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_tcp_ports(argv[optind-1], tcpinfo->spts); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_tcp_ports(optarg, tcpinfo->spts); if (invert) tcpinfo->invflags |= XT_TCP_INV_SRCPT; *flags |= TCP_SRC_PORTS; @@ -158,8 +159,8 @@ if (*flags & TCP_DST_PORTS) xtables_error(PARAMETER_PROBLEM, "Only one `--destination-port' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_tcp_ports(argv[optind-1], tcpinfo->dpts); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_tcp_ports(optarg, tcpinfo->dpts); if (invert) tcpinfo->invflags |= XT_TCP_INV_DSTPT; *flags |= TCP_DST_PORTS; @@ -179,14 +180,14 @@ xtables_error(PARAMETER_PROBLEM, "Only one of `--syn' or `--tcp-flags' " " allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); if (!argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, "--tcp-flags requires two args."); - parse_tcp_flags(tcpinfo, argv[optind-1], argv[optind], + parse_tcp_flags(tcpinfo, optarg, argv[optind], invert); optind++; *flags |= TCP_FLAGS; @@ -196,8 +197,8 @@ if (*flags & TCP_OPTION) xtables_error(PARAMETER_PROBLEM, "Only one `--tcp-option' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_tcp_option(argv[optind-1], &tcpinfo->option); + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_tcp_option(optarg, &tcpinfo->option); if (invert) tcpinfo->invflags |= XT_TCP_INV_OPTION; *flags |= TCP_OPTION; 
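Review bot: In the `--tcp-flags` hunk, `optarg` is passed to `parse_tcp_flags` with no NULL guard after `xtables_check_inverse(optarg, &invert, &optind, 0, argv)`, and `argv[optind]` is then read as the second argument; if the library, given argc 0, advances optind past the end when `!` is the last token (the 0 suggests its bound check is switched off), optarg is NULL and `argv[optind]` reads one element beyond argv's NULL terminator. Extending the existing two-arg check to `if (optarg == NULL || !argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!')` would close both holes. The old `argv[optind-1]` form had the same exposure, and the same unguarded `optarg` use recurs in the `--source-port`, `--destination-port` and `--tcp-option` hunks here. tcp_parse starts and ends outside these hunks.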
@@ -375,21 +376,7 @@ } static struct xtables_match tcp_match = { - .family = NFPROTO_IPV4, - .name = "tcp", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_tcp)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tcp)), - .help = tcp_help, - .init = tcp_init, - .parse = tcp_parse, - .print = tcp_print, - .save = tcp_save, - .extra_opts = tcp_opts, -}; - -static struct xtables_match tcp_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "tcp", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_tcp)), @@ -406,5 +393,4 @@ _init(void) { xtables_register_match(&tcp_match); - xtables_register_match(&tcp_match6); } diff -Nru iptables-1.4.4/extensions/libxt_tcpmss.c iptables-1.4.10/extensions/libxt_tcpmss.c --- iptables-1.4.4/extensions/libxt_tcpmss.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_tcpmss.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add tcp MSS matching support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -17,8 +18,8 @@ } static const struct option tcpmss_opts[] = { - { "mss", 1, NULL, '1' }, - { .name = NULL } + {.name = "mss", .has_arg = true, .val = '1'}, + XT_GETOPT_TABLEEND, }; static u_int16_t @@ -65,8 +66,8 @@ if (*flags) xtables_error(PARAMETER_PROBLEM, "Only one `--mss' allowed"); - xtables_check_inverse(optarg, &invert, &optind, 0); - parse_tcp_mssvalues(argv[optind-1], + xtables_check_inverse(optarg, &invert, &optind, 0, argv); + parse_tcp_mssvalues(optarg, &mssinfo->mss_min, &mssinfo->mss_max); if (invert) mssinfo->invert = 1; 
@@ -109,21 +110,7 @@ } static struct xtables_match tcpmss_match = { - .family = NFPROTO_IPV4, - .name = "tcpmss", - .version = XTABLES_VERSION, - .size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)), - .help = tcpmss_help, - .parse = tcpmss_parse, - .final_check = tcpmss_check, - .print = tcpmss_print, - .save = tcpmss_save, - .extra_opts = tcpmss_opts, -}; - -static struct xtables_match tcpmss_match6 = { - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .name = "tcpmss", .version = XTABLES_VERSION, .size = XT_ALIGN(sizeof(struct xt_tcpmss_match_info)), @@ -139,5 +126,4 @@ void _init(void) { xtables_register_match(&tcpmss_match); - xtables_register_match(&tcpmss_match6); } diff -Nru iptables-1.4.4/extensions/libxt_TCPMSS.c iptables-1.4.10/extensions/libxt_TCPMSS.c --- iptables-1.4.4/extensions/libxt_TCPMSS.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TCPMSS.c 2010-10-29 14:37:22.000000000 +0000 @@ -2,6 +2,7 @@ * * Copyright (c) 2000 Marc Boucher */ +#include <stdbool.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -36,9 +37,9 @@ } static const struct option TCPMSS_opts[] = { - { "set-mss", 1, NULL, '1' }, - { "clamp-mss-to-pmtu", 0, NULL, '2' }, - { .name = NULL } + {.name = "set-mss", .has_arg = true, .val = '1'}, + {.name = "clamp-mss-to-pmtu", .has_arg = false, .val = '2'}, + XT_GETOPT_TABLEEND, }; static int __TCPMSS_parse(int c, char **argv, int invert, unsigned int *flags, diff -Nru iptables-1.4.4/extensions/libxt_TCPMSS.man iptables-1.4.10/extensions/libxt_TCPMSS.man --- iptables-1.4.4/extensions/libxt_TCPMSS.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TCPMSS.man 2010-10-29 14:37:22.000000000 +0000 
@@ -4,10 +4,7 @@ Of course, it can only be used in conjunction with \fB\-p tcp\fP. -It is only valid in the -.BR mangle -table. -.br +.PP This target is used to overcome criminally braindead ISPs or servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets. The symptoms of this @@ -34,9 +31,17 @@ \-j TCPMSS \-\-clamp\-mss\-to\-pmtu .TP \fB\-\-set\-mss\fP \fIvalue\fP -Explicitly set MSS option to specified value. +Explicitly sets MSS option to specified value. If the MSS of the packet is +already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux +2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. .TP \fB\-\-clamp\-mss\-to\-pmtu\fP Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). +This may not function as desired where asymmetric routes with differing +path MTU exist \(em the kernel uses the path MTU which it would use to send +packets from itself to the source and destination IP addresses. Prior to +Linux 2.6.25, only the path MTU to the destination IP address was +considered by this option; subsequent kernels also consider the path MTU +to the source IP address. .PP These options are mutually exclusive. diff -Nru iptables-1.4.4/extensions/libxt_TCPOPTSTRIP.c iptables-1.4.10/extensions/libxt_TCPOPTSTRIP.c --- iptables-1.4.4/extensions/libxt_TCPOPTSTRIP.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TCPOPTSTRIP.c 2010-10-29 14:37:22.000000000 +0000 @@ -28,7 +28,7 @@ static const struct option tcpoptstrip_tg_opts[] = { {.name = "strip-options", .has_arg = true, .val = 's'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static const struct tcp_optionmap tcp_optionmap[] = { @@ -38,7 +38,7 @@ {"sack", "Selective ACK", TCPOPT_SACK}, {"timestamp", "Timestamp", TCPOPT_TIMESTAMP}, {"md5", "MD5 signature", TCPOPT_MD5SIG}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static void tcpoptstrip_tg_help(void) 
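Review bot: `XT_GETOPT_TABLEEND` now terminates `tcp_optionmap[]`, which from its entries is an array of `struct tcp_optionmap` (name, description, option number), not a getopt `struct option` table. That is only valid while the macro initialises nothing beyond `.name`; if it ever sets a getopt-only field such as `.has_arg`, this file stops compiling, and even today it suggests to a reader that getopt walks this table. I would keep the macro for `tcpoptstrip_tg_opts` and terminate the option map with a plain `{.name = NULL},` as before. The struct definition is outside the hunk, so the field layout is inferred from the entries shown.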
@@ -180,22 +180,7 @@ static struct xtables_target tcpoptstrip_tg_reg = { .version = XTABLES_VERSION, .name = "TCPOPTSTRIP", - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), - .help = tcpoptstrip_tg_help, - .init = tcpoptstrip_tg_init, - .parse = tcpoptstrip_tg_parse, - .final_check = tcpoptstrip_tg_check, - .print = tcpoptstrip_tg_print, - .save = tcpoptstrip_tg_save, - .extra_opts = tcpoptstrip_tg_opts, -}; - -static struct xtables_target tcpoptstrip_tg6_reg = { - .version = XTABLES_VERSION, - .name = "TCPOPTSTRIP", - .family = NFPROTO_IPV6, + .family = NFPROTO_UNSPEC, .size = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), .userspacesize = XT_ALIGN(sizeof(struct xt_tcpoptstrip_target_info)), .help = tcpoptstrip_tg_help, @@ -210,5 +195,4 @@ void _init(void) { xtables_register_target(&tcpoptstrip_tg_reg); - xtables_register_target(&tcpoptstrip_tg6_reg); } diff -Nru iptables-1.4.4/extensions/libxt_TEE.c iptables-1.4.10/extensions/libxt_TEE.c --- iptables-1.4.4/extensions/libxt_TEE.c 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TEE.c 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,202 @@
+/*
+ * "TEE" target extension for iptables
+ * Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
+ * Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2010
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ */
+#include <sys/socket.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <netinet/in.h>
+
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TEE.h>
+
+enum {
+ FLAG_GATEWAY = 1 << 0,
+ FLAG_OIF = 1 << 1,
+};
+
+static const struct option tee_tg_opts[] = {
+ {.name = "gateway", .has_arg = true, .val = 'g'},
+ {.name = "oif", .has_arg = true, .val = 'o'},
+ {NULL},
+};
+
+static void tee_tg_help(void)
+{
+ printf(
+"TEE target options:\n"
+" --gateway IPADDR Route packet via the gateway given by address\n"
+" --oif NAME Include oif in route calculation\n"
+"\n");
+}
+
+static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tee_tginfo *info = (void *)(*target)->data;
+ const struct in_addr *ia;
+
+ switch (c) {
+ case 'g':
+ if (*flags & FLAG_GATEWAY)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --gateway more than once");
+
+ ia = xtables_numeric_to_ipaddr(optarg);
+ if (ia == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address %s", optarg);
+
+ memcpy(&info->gw, ia, sizeof(*ia));
+ *flags |= FLAG_GATEWAY;
+ return true;
+ case 'o':
+ if (*flags & FLAG_OIF)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --oif more than once");
+ if (strlen(optarg) >= sizeof(info->oif))
+ xtables_error(PARAMETER_PROBLEM,
+ "oif name too long");
+ strcpy(info->oif, optarg);
+ *flags |= FLAG_OIF;
+ return true;
+ }
+
+ return false;
+}
+
+static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_tee_tginfo *info = (void *)(*target)->data;
+ const struct in6_addr *ia;
+
+ switch (c) {
+ case 'g':
+ if (*flags & FLAG_GATEWAY)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --gateway more than once");
+
+ ia = xtables_numeric_to_ip6addr(optarg);
+ if (ia == NULL)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address %s", optarg);
+
+ memcpy(&info->gw, ia, sizeof(*ia));
+ *flags |= FLAG_GATEWAY;
+ return true;
+ case 'o':
+ if (*flags & FLAG_OIF)
+ xtables_error(PARAMETER_PROBLEM,
+ "Cannot specify --oif more than once");
+ if (strlen(optarg) >= sizeof(info->oif))
+ xtables_error(PARAMETER_PROBLEM,
+ "oif name too long");
+ strcpy(info->oif, optarg);
+ *flags |= FLAG_OIF;
+ return true;
+ }
+
+ return false;
+}
+
+static void tee_tg_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "TEE target: "
+ "--gateway parameter required");
+}
+
+static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ if (numeric)
+ printf("TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
+ else
+ printf("TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
+ if (*info->oif != '\0')
+ printf("oif=%s ", info->oif);
+}
+
+static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ if (numeric)
+ printf("TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
+ else
+ printf("TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
+ if (*info->oif != '\0')
+ printf("oif=%s ", info->oif);
+}
+
+static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ printf("--gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
+ if (*info->oif != '\0')
+ printf("--oif %s ", info->oif);
+}
+
+static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_tee_tginfo *info = (const void *)target->data;
+
+ printf("--gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
+ if (*info->oif != '\0')
+ printf("--oif %s ", info->oif);
+}
+
+static struct xtables_target tee_tg_reg = {
+ .name = "TEE",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .help = tee_tg_help,
+ .parse = tee_tg_parse,
+ .final_check = tee_tg_check,
+ .print = tee_tg_print,
+ .save = tee_tg_save,
+ .extra_opts = tee_tg_opts,
+};
+
+static struct xtables_target tee_tg6_reg = {
+ .name = "TEE",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+ .help = tee_tg_help,
+ .parse = tee_tg6_parse,
+ .final_check = tee_tg_check,
+ .print = tee_tg6_print,
+ .save = tee_tg6_save,
+ .extra_opts = tee_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&tee_tg_reg);
+ xtables_register_target(&tee_tg6_reg);
+}
diff -Nru iptables-1.4.4/extensions/libxt_TEE.man iptables-1.4.10/extensions/libxt_TEE.man
--- iptables-1.4.4/extensions/libxt_TEE.man 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_TEE.man 2010-10-29 14:37:22.000000000 +0000
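Review bot: `tee_tg_check` only rejects `flags == 0`, so `-j TEE --oif eth0` without `--gateway` passes the final check with `FLAG_OIF` set and `info->gw` still zeroed, which is exactly the 0.0.0.0 / :: gateway the accompanying man page declares invalid; the test should be `if (!(flags & FLAG_GATEWAY))`. On style, `tee_tg_opts` ends with `{NULL}` while every other option table in this patch was converted to `XT_GETOPT_TABLEEND`, and the help text documents `--oif` but the man page added alongside does not. I also see no userspace rejection of an explicitly all-zero gateway; if the kernel does not refuse it, a check after `xtables_numeric_to_ipaddr` / `xtables_numeric_to_ip6addr` would be worth adding.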
@@ -0,0 +1,12 @@ +The \fBTEE\fP target will clone a packet and redirect this clone to another +machine on the \fBlocal\fP network segment. In other words, the nexthop +must be the target, or you will have to configure the nexthop to forward it +further if so desired. +.TP +\fB\-\-gateway\fP \fIipaddr\fP +Send the cloned packet to the host reachable at the given IP address. +Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid. +.PP +To forward all incoming traffic on eth0 to an Network Layer logging box: +.PP +\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1 diff -Nru iptables-1.4.4/extensions/libxt_time.c iptables-1.4.10/extensions/libxt_time.c --- iptables-1.4.4/extensions/libxt_time.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_time.c 2010-10-29 14:37:22.000000000 +0000 @@ -38,15 +38,15 @@ }; static const struct option time_opts[] = { - {"datestart", true, NULL, 'D'}, - {"datestop", true, NULL, 'E'}, - {"timestart", true, NULL, 'X'}, - {"timestop", true, NULL, 'Y'}, - {"weekdays", true, NULL, 'w'}, - {"monthdays", true, NULL, 'm'}, - {"localtz", false, NULL, 'l'}, - {"utc", false, NULL, 'u'}, - { .name = NULL } + {.name = "datestart", .has_arg = true, .val = 'D'}, + {.name = "datestop", .has_arg = true, .val = 'E'}, + {.name = "timestart", .has_arg = true, .val = 'X'}, + {.name = "timestop", .has_arg = true, .val = 'Y'}, + {.name = "weekdays", .has_arg = true, .val = 'w'}, + {.name = "monthdays", .has_arg = true, .val = 'm'}, + {.name = "localtz", .has_arg = false, .val = 'l'}, + {.name = "utc", .has_arg = false, .val = 'u'}, + XT_GETOPT_TABLEEND, }; static void time_help(void) diff -Nru iptables-1.4.4/extensions/libxt_time.man iptables-1.4.10/extensions/libxt_time.man --- iptables-1.4.4/extensions/libxt_time.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_time.man 2010-10-29 14:37:22.000000000 +0000 
@@ -19,19 +19,19 @@ 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. .TP -[\fB!\fR] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...] +[\fB!\fP] \fB\-\-monthdays\fP \fIday\fP[\fB,\fP\fIday\fP...] .IP -Only match on the given days of the month. Possible values are \fB1\fR -to \fB31\fR. Note that specifying \fB31\fR will of course not match +Only match on the given days of the month. Possible values are \fB1\fP +to \fB31\fP. Note that specifying \fB31\fP will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February. .TP -[\fB!\fR] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...] +[\fB!\fP] \fB\-\-weekdays\fP \fIday\fP[\fB,\fP\fIday\fP...] .IP -Only match on the given weekdays. Possible values are \fBMon\fR, \fBTue\fR, -\fBWed\fR, \fBThu\fR, \fBFri\fR, \fBSat\fR, \fBSun\fR, or values from \fB1\fR -to \fB7\fR, respectively. You may also use two-character variants (\fBMo\fP, -\fBTu\fR, etc.). +Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP, +\fBWed\fP, \fBThu\fP, \fBFri\fP, \fBSat\fP, \fBSun\fP, or values from \fB1\fP +to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP, +\fBTu\fP, etc.). .TP \fB\-\-utc\fP .IP diff -Nru iptables-1.4.4/extensions/libxt_tos.c iptables-1.4.10/extensions/libxt_tos.c --- iptables-1.4.4/extensions/libxt_tos.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_tos.c 2010-10-29 14:37:22.000000000 +0000 @@ -13,16 +13,20 @@ #include <xtables.h> #include <linux/netfilter/xt_dscp.h> -#include <linux/netfilter_ipv4/ipt_tos.h> #include "tos_values.c" +struct ipt_tos_info { + u_int8_t tos; + u_int8_t invert; +}; + enum { FLAG_TOS = 1 << 0, }; static const struct option tos_mt_opts[] = { {.name = "tos", .has_arg = true, .val = 't'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static void tos_mt_help(void) 
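Review bot: The new file-local `struct ipt_tos_info` that replaces the `ipt_tos.h` include carries no comment saying it is an ABI mirror, yet its `sizeof` is what the revision-0 registration later in this file hands to the kernel, so its layout (`u_int8_t tos; u_int8_t invert;`) must stay exactly the kernel's. I would add above it `/* Mirror of the kernel's struct ipt_tos_info (tos match revision 0); layout is kernel ABI, do not change. */`. The revision-1 struct still comes from `xt_dscp.h`, which the hunk keeps.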
@@ -137,54 +141,38 @@ printf("--tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask); } -static struct xtables_match tos_mt_reg_v0 = { - .version = XTABLES_VERSION, - .name = "tos", - .family = NFPROTO_IPV4, - .revision = 0, - .size = XT_ALIGN(sizeof(struct ipt_tos_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)), - .help = tos_mt_help, - .parse = tos_mt_parse_v0, - .final_check = tos_mt_check, - .print = tos_mt_print_v0, - .save = tos_mt_save_v0, - .extra_opts = tos_mt_opts, -}; - -static struct xtables_match tos_mt_reg = { - .version = XTABLES_VERSION, - .name = "tos", - .family = NFPROTO_IPV4, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .help = tos_mt_help, - .parse = tos_mt_parse, - .final_check = tos_mt_check, - .print = tos_mt_print, - .save = tos_mt_save, - .extra_opts = tos_mt_opts, -}; - -static struct xtables_match tos_mt6_reg = { - .version = XTABLES_VERSION, - .name = "tos", - .family = NFPROTO_IPV6, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)), - .help = tos_mt_help, - .parse = tos_mt_parse, - .final_check = tos_mt_check, - .print = tos_mt_print, - .save = tos_mt_save, - .extra_opts = tos_mt_opts, +static struct xtables_match tos_mt_reg[] = { + { + .version = XTABLES_VERSION, + .name = "tos", + .family = NFPROTO_IPV4, + .revision = 0, + .size = XT_ALIGN(sizeof(struct ipt_tos_info)), + .userspacesize = XT_ALIGN(sizeof(struct ipt_tos_info)), + .help = tos_mt_help, + .parse = tos_mt_parse_v0, + .final_check = tos_mt_check, + .print = tos_mt_print_v0, + .save = tos_mt_save_v0, + .extra_opts = tos_mt_opts, + }, + { + .version = XTABLES_VERSION, + .name = "tos", + .family = NFPROTO_UNSPEC, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_tos_match_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tos_match_info)), + .help = tos_mt_help, + .parse = 
tos_mt_parse, + .final_check = tos_mt_check, + .print = tos_mt_print, + .save = tos_mt_save, + .extra_opts = tos_mt_opts, + }, }; void _init(void) { - xtables_register_match(&tos_mt_reg_v0); - xtables_register_match(&tos_mt_reg); - xtables_register_match(&tos_mt6_reg); + xtables_register_matches(tos_mt_reg, ARRAY_SIZE(tos_mt_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_TOS.c iptables-1.4.10/extensions/libxt_TOS.c --- iptables-1.4.4/extensions/libxt_TOS.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TOS.c 2010-10-29 14:37:22.000000000 +0000 @@ -5,6 +5,7 @@ * Contact: Jan Engelhardt <jengelh@computergmbh.de> */ #include <getopt.h> +#include <stdbool.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -12,16 +13,19 @@ #include <xtables.h> #include <linux/netfilter/xt_DSCP.h> -#include <linux/netfilter_ipv4/ipt_TOS.h> #include "tos_values.c" +struct ipt_tos_target_info { + u_int8_t tos; +}; + enum { FLAG_TOS = 1 << 0, }; static const struct option tos_tg_opts_v0[] = { {.name = "set-tos", .has_arg = true, .val = '='}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static const struct option tos_tg_opts[] = { @@ -29,7 +33,7 @@ {.name = "and-tos", .has_arg = true, .val = '&'}, {.name = "or-tos", .has_arg = true, .val = '|'}, {.name = "xor-tos", .has_arg = true, .val = '^'}, - { .name = NULL } + XT_GETOPT_TABLEEND, }; static void tos_tg_help_v0(void) 
@@ -205,54 +209,38 @@ printf("--set-tos 0x%02x/0x%02x ", info->tos_value, info->tos_mask); } -static struct xtables_target tos_tg_reg_v0 = { - .version = XTABLES_VERSION, - .name = "TOS", - .revision = 0, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .help = tos_tg_help_v0, - .parse = tos_tg_parse_v0, - .final_check = tos_tg_check, - .print = tos_tg_print_v0, - .save = tos_tg_save_v0, - .extra_opts = tos_tg_opts_v0, -}; - -static struct xtables_target tos_tg_reg = { - .version = XTABLES_VERSION, - .name = "TOS", - .revision = 1, - .family = NFPROTO_IPV4, - .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .help = tos_tg_help, - .parse = tos_tg_parse, - .final_check = tos_tg_check, - .print = tos_tg_print, - .save = tos_tg_save, - .extra_opts = tos_tg_opts, -}; - -static struct xtables_target tos_tg6_reg = { - .version = XTABLES_VERSION, - .name = "TOS", - .family = NFPROTO_IPV6, - .revision = 1, - .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), - .help = tos_tg_help, - .parse = tos_tg_parse, - .final_check = tos_tg_check, - .print = tos_tg_print, - .save = tos_tg_save, - .extra_opts = tos_tg_opts, +static struct xtables_target tos_tg_reg[] = { + { + .version = XTABLES_VERSION, + .name = "TOS", + .revision = 0, + .family = NFPROTO_IPV4, + .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .help = tos_tg_help_v0, + .parse = tos_tg_parse_v0, + .final_check = tos_tg_check, + .print = tos_tg_print_v0, + .save = tos_tg_save_v0, + .extra_opts = tos_tg_opts_v0, + }, + { + .version = XTABLES_VERSION, + .name = "TOS", + .revision = 1, + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_tos_target_info)), + .userspacesize = XT_ALIGN(sizeof(struct 
xt_tos_target_info)), + .help = tos_tg_help, + .parse = tos_tg_parse, + .final_check = tos_tg_check, + .print = tos_tg_print, + .save = tos_tg_save, + .extra_opts = tos_tg_opts, + }, }; void _init(void) { - xtables_register_target(&tos_tg_reg_v0); - xtables_register_target(&tos_tg_reg); - xtables_register_target(&tos_tg6_reg); + xtables_register_targets(tos_tg_reg, ARRAY_SIZE(tos_tg_reg)); } diff -Nru iptables-1.4.4/extensions/libxt_TOS.man iptables-1.4.10/extensions/libxt_TOS.man --- iptables-1.4.4/extensions/libxt_TOS.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TOS.man 2010-10-29 14:37:22.000000000 +0000 @@ -1,11 +1,11 @@ This module sets the Type of Service field in the IPv4 header (including the -'precedence' bits) or the Priority field in the IPv6 header. Note that TOS +"precedence" bits) or the Priority field in the IPv6 header. Note that TOS shares the same bits as DSCP and ECN. The TOS target is only valid in the -\fBmangle\fR table. +\fBmangle\fP table. .TP \fB\-\-set\-tos\fP \fIvalue\fP[\fB/\fP\fImask\fP] -Zeroes out the bits given by \fImask\fR and XORs \fIvalue\fR into the -TOS/Priority field. If \fImask\fR is omitted, 0xFF is assumed. +Zeroes out the bits given by \fImask\fP and XORs \fIvalue\fP into the +TOS/Priority field. If \fImask\fP is omitted, 0xFF is assumed. .TP \fB\-\-set\-tos\fP \fIsymbol\fP You can specify a symbolic name when using the TOS target for IPv4. It implies 
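Review bot: The revision-0 entry of `tos_tg_reg[]` sizes its payload with `sizeof(struct xt_tos_target_info)` even though this file now declares a file-local `struct ipt_tos_target_info`, presumably for that revision's parse and print paths. `XT_ALIGN` most likely rounds both to the same length on common targets, which is why this works, but the registration should name the struct the revision actually carries: `.size = XT_ALIGN(sizeof(struct ipt_tos_target_info)),` and likewise for `.userspacesize`. This is carried over from the old code rather than introduced here, but the restructuring is the natural place to fix it.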
@@ -15,13 +15,13 @@ The following mnemonics are available: .TP \fB\-\-and\-tos\fP \fIbits\fP -Binary AND the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos -0/\fR\fIinvbits\fR, where \fIinvbits\fR is the binary negation of \fIbits\fR.) +Binary AND the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos +0/\fP\fIinvbits\fP, where \fIinvbits\fP is the binary negation of \fIbits\fP.) .TP \fB\-\-or\-tos\fP \fIbits\fP -Binary OR the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos\fP -\fIbits\fR\fB/\fR\fIbits\fR.) +Binary OR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP +\fIbits\fP\fB/\fP\fIbits\fP.) .TP \fB\-\-xor\-tos\fP \fIbits\fP -Binary XOR the TOS value with \fIbits\fR. (Mnemonic for \fB\-\-set\-tos\fP -\fIbits\fR\fB/0\fR.) +Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP +\fIbits\fP\fB/0\fP.) diff -Nru iptables-1.4.4/extensions/libxt_TPROXY.c iptables-1.4.10/extensions/libxt_TPROXY.c --- iptables-1.4.4/extensions/libxt_TPROXY.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TPROXY.c 2010-10-29 14:37:22.000000000 +0000 @@ -15,10 +15,10 @@ #include <linux/netfilter/xt_TPROXY.h> static const struct option tproxy_tg_opts[] = { - { .name = "on-port", .has_arg = 1, .val = '1'}, - { .name = "on-ip", .has_arg = 1, .val = '2'}, - { .name = "tproxy-mark", .has_arg = 1, .val = '3'}, - {NULL}, + {.name = "on-port", .has_arg = true, .val = '1'}, + {.name = "on-ip", .has_arg = true, .val = '2'}, + {.name = "tproxy-mark", .has_arg = true, .val = '3'}, + XT_GETOPT_TABLEEND, }; enum { diff -Nru iptables-1.4.4/extensions/libxt_TPROXY.man iptables-1.4.10/extensions/libxt_TPROXY.man --- iptables-1.4.4/extensions/libxt_TPROXY.man 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TPROXY.man 2010-10-29 14:37:22.000000000 +0000 
@@ -1,4 +1,4 @@ -This target is only valid in the \fBmangle\fR table, in the \fBPREROUTING\fR +This target is only valid in the \fBmangle\fP table, in the \fBPREROUTING\fP chain and user-defined chains which are only called from this chain. It redirects the packet to a local socket without changing the packet header in any way. It can also change the mark value which can then be used in advanced diff -Nru iptables-1.4.4/extensions/libxt_TRACE.c iptables-1.4.10/extensions/libxt_TRACE.c --- iptables-1.4.4/extensions/libxt_TRACE.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_TRACE.c 2010-10-29 14:37:22.000000000 +0000 @@ -7,25 +7,12 @@ #include <xtables.h> #include <linux/netfilter/x_tables.h> -static void TRACE_help(void) -{ - printf("TRACE target takes no options\n"); -} - -static int TRACE_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_target **target) -{ - return 0; -} - static struct xtables_target trace_target = { .family = NFPROTO_UNSPEC, .name = "TRACE", .version = XTABLES_VERSION, .size = XT_ALIGN(0), .userspacesize = XT_ALIGN(0), - .help = TRACE_help, - .parse = TRACE_parse, }; void _init(void) diff -Nru iptables-1.4.4/extensions/libxt_u32.c iptables-1.4.10/extensions/libxt_u32.c --- iptables-1.4.4/extensions/libxt_u32.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_u32.c 2010-10-29 14:37:22.000000000 +0000 @@ -15,6 +15,7 @@ #include <errno.h> #include <getopt.h> #include <netdb.h> +#include <stdbool.h> #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -23,8 +24,8 @@ #include <linux/netfilter/xt_u32.h> static const struct option u32_opts[] = { - {"u32", 1, NULL, 'u'}, - { .name = NULL } + {.name = "u32", .has_arg = true, .val = 'u'}, + XT_GETOPT_TABLEEND, }; static void u32_help(void) 
@@ -107,7 +108,7 @@
 struct xt_u32 *data = (void *)(*match)->data;
 unsigned int testind = 0, locind = 0, valind = 0;
 struct xt_u32_test *ct = &data->tests[testind]; /* current test */
- char *arg = argv[optind-1]; /* the argument string */
+ char *arg = optarg; /* the argument string */
 char *start = arg;
 int state = 0;
diff -Nru iptables-1.4.4/extensions/libxt_u32.man iptables-1.4.10/extensions/libxt_u32.man
--- iptables-1.4.4/extensions/libxt_u32.man 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/libxt_u32.man 2010-10-29 14:37:22.000000000 +0000
@@ -11,22 +11,22 @@
.IP range := number | number ":" number .PP -a single number, \fIn\fR, is interpreted the same as \fIn:n\fR. \fIn:m\fR is -interpreted as the range of numbers \fB>=n\fR and \fB<=m\fR. +a single number, \fIn\fP, is interpreted the same as \fIn:n\fP. \fIn:m\fP is +interpreted as the range of numbers \fB>=n\fP and \fB<=m\fP. .IP "" 4 location := number | location operator number .IP "" 4 operator := "&" | "<<" | ">>" | "@" .PP -The operators \fB&\fR, \fB<<\fR, \fB>>\fR and \fB&&\fR mean the same as in C. -The \fB=\fR is really a set membership operator and the value syntax describes -a set. The \fB@\fR operator is what allows moving to the next header and is +The operators \fB&\fP, \fB<<\fP, \fB>>\fP and \fB&&\fP mean the same as in C. +The \fB=\fP is really a set membership operator and the value syntax describes +a set. The \fB@\fP operator is what allows moving to the next header and is described further below. .PP There are currently some artificial implementation limits on the size of the tests: .IP " *" -no more than 10 of "\fB=\fR" (and 9 "\fB&&\fR"s) in the u32 argument +no more than 10 of "\fB=\fP" (and 9 "\fB&&\fP"s) in the u32 argument .IP " *" no more than 10 ranges (and 9 commas) per value .IP " *"
@@ -35,7 +35,7 @@ To describe the meaning of location, imagine the following machine that interprets it. There are three registers: .IP -A is of type \fBchar *\fR, initially the address of the IP header +A is of type \fBchar *\fP, initially the address of the IP header .IP B and C are unsigned 32 bit integers, initially zero .PP 
@@ -81,28 +81,28 @@ .IP \-\-u32 "\fB6 & 0xFF = 1 &&\fP ... .IP -read bytes 6-9, use \fB&\fR to throw away bytes 6-8 and compare the result to +read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to 1. Next test that it is not a fragment. (If so, it might be part of such a packet but we cannot always tell.) N.B.: This test is generally needed if you want to match anything beyond the IP header. The last 6 bits of byte 6 and all of byte 7 are 0 iff this is a complete packet (not a fragment). Alternatively, you can allow first fragments by only testing the last 5 bits of byte 6. .IP - ... \fB4 & 0x3FFF = 0 &&\fR ... + ... \fB4 & 0x3FFF = 0 &&\fP ... .IP Last test: the first byte past the IP header (the type) is 0. This is where we have to use the @syntax. The length of the IP header (IHL) in 32 bit words is stored in the right half of byte 0 of the IP header itself. .IP - ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fR" + ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP" .IP -The first 0 means read bytes 0-3, \fB>>22\fR means shift that 22 bits to the +The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the right. Shifting 24 bits would give the first byte, so only 22 bits is four -times that plus a few more bits. \fB&3C\fR then eliminates the two extra bits +times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits on the right and the first four bits of the first byte. For instance, if IHL=5, then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in -binary) xxxx0101 yyzzzzzz, \fB>>22\fR gives the 10 bit value xxxx0101yy and -\fB&3C\fR gives 010100. \fB@\fR means to use this number as a new offset into +binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and +\fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into the packet, and read four bytes starting from there. This is the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP type. 
Therefore, we simply shift the value 24 to the right to throw out all but the first byte and compare @@ -118,12 +118,12 @@ .IP Next, test that it is not a fragment (same as above). .IP - ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fR" + ... \fB0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8\fP" .IP -\fB0>>22&3C\fR as above computes the number of bytes in the IP header. \fB@\fR +\fB0>>22&3C\fP as above computes the number of bytes in the IP header. \fB@\fP makes this the new offset into the packet, which is the start of the TCP header. The length of the TCP header (again in 32 bit words) is the left half -of byte 12 of the TCP header. The \fB12>>26&3C\fR computes this length in bytes +of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes (similar to the IP header before). "@" makes this the new offset, which is the start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and -\fB=\fR checks whether the result is any of 1, 2, 5 or 8. +\fB=\fP checks whether the result is any of 1, 2, 5 or 8. diff -Nru iptables-1.4.4/extensions/libxt_udp.c iptables-1.4.10/extensions/libxt_udp.c --- iptables-1.4.4/extensions/libxt_udp.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/extensions/libxt_udp.c 2010-10-29 14:37:22.000000000 +0000 @@ -1,4 +1,5 @@ /* Shared library add-on to iptables to add UDP support. */ +#include <stdbool.h> #include <stdio.h> #include <netdb.h> #include <string.h> @@ -21,11 +22,11 @@ } static const struct option udp_opts[] = { - { "source-port", 1, NULL, '1' }, - { "sport", 1, NULL, '1' }, /* synonym */ - { "destination-port", 1, NULL, '2' }, - { "dport", 1, NULL, '2' }, /* synonym */ - { .name = NULL } + {.name = "source-port", .has_arg = true, .val = '1'}, + {.name = "sport", .has_arg = true, .val = '1'}, /* synonym */ + {.name = "destination-port", .has_arg = true, .val = '2'}, + {.name = "dport", .has_arg = true, .val = '2'}, /* synonym */ + XT_GETOPT_TABLEEND, }; static void 
@@ -72,8 +73,8 @@
 if (*flags & UDP_SRC_PORTS)
 xtables_error(PARAMETER_PROBLEM,
 "Only one `--source-port' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_udp_ports(argv[optind-1], udpinfo->spts);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_udp_ports(optarg, udpinfo->spts);
 if (invert)
 udpinfo->invflags |= XT_UDP_INV_SRCPT;
 *flags |= UDP_SRC_PORTS;
@@ -83,8 +84,8 @@
 if (*flags & UDP_DST_PORTS)
 xtables_error(PARAMETER_PROBLEM,
 "Only one `--destination-port' allowed");
- xtables_check_inverse(optarg, &invert, &optind, 0);
- parse_udp_ports(argv[optind-1], udpinfo->dpts);
+ xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+ parse_udp_ports(optarg, udpinfo->dpts);
 if (invert)
 udpinfo->invflags |= XT_UDP_INV_DSTPT;
 *flags |= UDP_DST_PORTS;
@@ -191,21 +192,7 @@
 }
 
 static struct xtables_match udp_match = {
- .family = NFPROTO_IPV4,
- .name = "udp",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_udp)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_udp)),
- .help = udp_help,
- .init = udp_init,
- .parse = udp_parse,
- .print = udp_print,
- .save = udp_save,
- .extra_opts = udp_opts,
-};
-
-static struct xtables_match udp_match6 = {
- .family = NFPROTO_IPV6,
+ .family = NFPROTO_UNSPEC,
 .name = "udp",
 .version = XTABLES_VERSION,
 .size = XT_ALIGN(sizeof(struct xt_udp)),
@@ -222,5 +209,4 @@
 _init(void)
 {
 xtables_register_match(&udp_match);
- xtables_register_match(&udp_match6);
 }
diff -Nru iptables-1.4.4/extensions/tos_values.c iptables-1.4.10/extensions/tos_values.c
--- iptables-1.4.4/extensions/tos_values.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/extensions/tos_values.c 2010-10-29 14:37:22.000000000 +0000
@@ -3,6 +3,10 @@
 #include <stdio.h>
 #include <linux/ip.h>
 
+#ifndef IPTOS_NORMALSVC
+# define IPTOS_NORMALSVC 0
+#endif
+
 struct tos_value_mask {
 uint8_t value, mask;
 };
@@ -16,7 +20,7 @@ {IPTOS_RELIABILITY, "Maximize-Reliability"}, {IPTOS_MINCOST, "Minimize-Cost"}, {IPTOS_NORMALSVC, "Normal-Service"}, - { .name = NULL } + {}, }; /* diff -Nru iptables-1.4.4/include/linux/kernel.h iptables-1.4.10/include/linux/kernel.h --- iptables-1.4.4/include/linux/kernel.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/include/linux/kernel.h 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,62 @@ +#ifndef _LINUX_KERNEL_H +#define _LINUX_KERNEL_H + +/* + * 'kernel.h' contains some often-used function prototypes etc + */ +#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1) +#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask)) + + + +#define SI_LOAD_SHIFT 16 +struct sysinfo { + long uptime; /* Seconds since boot */ + unsigned long loads[3]; /* 1, 5, and 15 minute load averages */ + unsigned long totalram; /* Total usable main memory size */ + unsigned long freeram; /* Available memory size */ + unsigned long sharedram; /* Amount of shared memory */ + unsigned long bufferram; /* Memory used by buffers */ + unsigned long totalswap; /* Total swap space size */ + unsigned long freeswap; /* swap space still available */ + unsigned short procs; /* Number of current processes */ + unsigned short pad; /* explicit padding for m68k */ + unsigned long totalhigh; /* Total high memory size */ + unsigned long freehigh; /* Available high memory size */ + unsigned int mem_unit; /* Memory unit size in bytes */ + char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */ +}; + +/* Force a compilation error if condition is true */ +#define BUILD_BUG_ON(condition) ((void)BUILD_BUG_ON_ZERO(condition)) + +/* Force a compilation error if condition is constant and true */ +#define MAYBE_BUILD_BUG_ON(cond) ((void)sizeof(char[1 - 2 * !!(cond)])) + +/* Force a compilation error if a constant expression is not a power of 2 */ +#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \ + BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0)) + +/* Force a compilation error if condition is true, but also produce a + result (of value 0 and type size_t), so the expression can be used + e.g. in a structure initializer (or where-ever else comma expressions + aren't permitted). 
*/ +#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); })) +#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); })) + +/* Trap pasters of __FUNCTION__ at compile-time */ +#define __FUNCTION__ (__func__) + +/* This helps us to avoid #ifdef CONFIG_NUMA */ +#ifdef CONFIG_NUMA +#define NUMA_BUILD 1 +#else +#define NUMA_BUILD 0 +#endif + +/* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */ +#ifdef CONFIG_FTRACE_MCOUNT_RECORD +# define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD +#endif + +#endif diff -Nru iptables-1.4.4/include/linux/netfilter/nf_conntrack_common.h iptables-1.4.10/include/linux/netfilter/nf_conntrack_common.h --- iptables-1.4.4/include/linux/netfilter/nf_conntrack_common.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/nf_conntrack_common.h 2010-10-29 14:37:22.000000000 +0000 @@ -3,8 +3,7 @@ /* Connection state tracking for netfilter. This is separated from, but required by, the NAT layer; it can also be used by an iptables extension. */ -enum ip_conntrack_info -{ +enum ip_conntrack_info { /* Part of an established connection (either direction). */ IP_CT_ESTABLISHED, 
@@ -73,76 +72,28 @@ /* Connection has fixed timeout. */ IPS_FIXED_TIMEOUT_BIT = 10, IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT), + + /* Conntrack is a template */ + IPS_TEMPLATE_BIT = 11, + IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT), }; -/* Connection tracking event bits */ -enum ip_conntrack_events -{ - /* New conntrack */ - IPCT_NEW_BIT = 0, - IPCT_NEW = (1 << IPCT_NEW_BIT), - - /* Expected connection */ - IPCT_RELATED_BIT = 1, - IPCT_RELATED = (1 << IPCT_RELATED_BIT), - - /* Destroyed conntrack */ - IPCT_DESTROY_BIT = 2, - IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), - - /* Timer has been refreshed */ - IPCT_REFRESH_BIT = 3, - IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), - - /* Status has changed */ - IPCT_STATUS_BIT = 4, - IPCT_STATUS = (1 << IPCT_STATUS_BIT), - - /* Update of protocol info */ - IPCT_PROTOINFO_BIT = 5, - IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), - - /* Volatile protocol info */ - IPCT_PROTOINFO_VOLATILE_BIT = 6, - IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), - - /* New helper for conntrack */ - IPCT_HELPER_BIT = 7, - IPCT_HELPER = (1 << IPCT_HELPER_BIT), - - /* Update of helper info */ - IPCT_HELPINFO_BIT = 8, - IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), - - /* Volatile helper info */ - IPCT_HELPINFO_VOLATILE_BIT = 9, - IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), - - /* NAT info */ - IPCT_NATINFO_BIT = 10, - IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), - - /* Counter highest bit has been set, unused */ - IPCT_COUNTER_FILLING_BIT = 11, - IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), - - /* Mark is set */ - IPCT_MARK_BIT = 12, - IPCT_MARK = (1 << IPCT_MARK_BIT), - - /* NAT sequence adjustment */ - IPCT_NATSEQADJ_BIT = 13, - IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), - - /* Secmark is set */ - IPCT_SECMARK_BIT = 14, - IPCT_SECMARK = (1 << IPCT_SECMARK_BIT), +/* Connection tracking event types */ +enum ip_conntrack_events { + IPCT_NEW, /* new conntrack */ + IPCT_RELATED, /* related conntrack */ + IPCT_DESTROY, /* 
destroyed conntrack */ + IPCT_REPLY, /* connection has seen two-way traffic */ + IPCT_ASSURED, /* connection status has changed to assured */ + IPCT_PROTOINFO, /* protocol information has changed */ + IPCT_HELPER, /* new helper has been set */ + IPCT_MARK, /* new mark has been set */ + IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ + IPCT_SECMARK, /* new security mark has been set */ }; enum ip_conntrack_expect_events { - IPEXP_NEW_BIT = 0, - IPEXP_NEW = (1 << IPEXP_NEW_BIT), + IPEXP_NEW, /* new expectation */ }; - #endif /* _NF_CONNTRACK_COMMON_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/x_tables.h iptables-1.4.10/include/linux/netfilter/x_tables.h --- iptables-1.4.4/include/linux/netfilter/x_tables.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/x_tables.h 2010-10-29 14:37:22.000000000 +0000 
@@ -1,54 +1,53 @@ #ifndef _X_TABLES_H #define _X_TABLES_H +#include <linux/kernel.h> +#include <linux/types.h> #define XT_FUNCTION_MAXNAMELEN 30 +#define XT_EXTENSION_MAXNAMELEN 29 #define XT_TABLE_MAXNAMELEN 32 -struct xt_entry_match -{ +struct xt_entry_match { union { struct { - u_int16_t match_size; + __u16 match_size; /* Used by userspace */ - char name[XT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; } user; struct { - u_int16_t match_size; + __u16 match_size; /* Used inside the kernel */ struct xt_match *match; } kernel; /* Total length */ - u_int16_t match_size; + __u16 match_size; } u; unsigned char data[0]; }; -struct xt_entry_target -{ +struct xt_entry_target { union { struct { - u_int16_t target_size; + __u16 target_size; /* Used by userspace */ - char name[XT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; } user; struct { - u_int16_t target_size; + __u16 target_size; /* Used inside the kernel */ struct xt_target *target; } kernel; /* Total length */ - u_int16_t target_size; + __u16 target_size; } u; unsigned char data[0]; @@ -62,19 +61,16 @@ }, \ } -struct xt_standard_target -{ +struct xt_standard_target { struct xt_entry_target target; int verdict; }; /* The argument to IPT_SO_GET_REVISION_*. Returns highest revision * kernel supports, if >= revision. */ -struct xt_get_revision -{ - char name[XT_FUNCTION_MAXNAMELEN-1]; - - u_int8_t revision; +struct xt_get_revision { + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; }; /* CONTINUE verdict for targets */ 
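Review bot: The new `#include <linux/kernel.h>` at the top of x_tables.h pulls the whole iptables-local copy of that header (added in the hunk ending at L713) into every translation unit that includes x_tables.h, although XT_ALIGN only needs `__ALIGN_KERNEL` and `__ALIGN_KERNEL_MASK`. That copy also carries unrelated definitions — `struct sysinfo` and `#define __FUNCTION__ (__func__)` — which now reach all those units and, depending on include-path order, can collide with the libc's `<sys/sysinfo.h>` definition (the guard name `_LINUX_KERNEL_H` is the kernel's, so which copy wins is a build-configuration question). I'd trim include/linux/kernel.h to the two alignment macros, or define them in x_tables.h under `#ifndef __ALIGN_KERNEL`. The rest of the hunk keeps the struct layouts byte-identical, since `XT_FUNCTION_MAXNAMELEN-1` and `XT_EXTENSION_MAXNAMELEN` are both 29.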
@@ -88,16 +84,14 @@ * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my * personal pleasure to remove it -HW */ -struct _xt_align -{ - u_int8_t u8; - u_int16_t u16; - u_int32_t u32; - u_int64_t u64; +struct _xt_align { + __u8 u8; + __u16 u16; + __u32 u32; + __u64 u64; }; -#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) \ - & ~(__alignof__(struct _xt_align)-1)) +#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) /* Standard return verdict, or do jump. */ #define XT_STANDARD_TARGET "" @@ -107,14 +101,12 @@ #define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) #define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) -struct xt_counters -{ - u_int64_t pcnt, bcnt; /* Packet and byte counters */ +struct xt_counters { + __u64 pcnt, bcnt; /* Packet and byte counters */ }; /* The argument to IPT_SO_ADD_COUNTERS. */ -struct xt_counters_info -{ +struct xt_counters_info { /* Which table. */ char name[XT_TABLE_MAXNAMELEN]; 
@@ -170,4 +162,19 @@
 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+ for ((pos) = (typeof(pos))(ehead); \
+ (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+ (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+ for ((pos) = (struct xt_entry_match *)entry->elems; \
+ (pos) < (struct xt_entry_match *)((char *)(entry) + \
+ (entry)->target_offset); \
+ (pos) = (struct xt_entry_match *)((char *)(pos) + \
+ (pos)->u.match_size))
+
+
 #endif /* _X_TABLES_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_CHECKSUM.h iptables-1.4.10/include/linux/netfilter/xt_CHECKSUM.h
--- iptables-1.4.4/include/linux/netfilter/xt_CHECKSUM.h 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_CHECKSUM.h 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,18 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _IPT_CHECKSUM_TARGET_H
+#define _IPT_CHECKSUM_TARGET_H
+
+#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+ __u8 operation; /* bitset of operations */
+};
+
+#endif /* _IPT_CHECKSUM_TARGET_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_CLASSIFY.h iptables-1.4.10/include/linux/netfilter/xt_CLASSIFY.h
--- iptables-1.4.4/include/linux/netfilter/xt_CLASSIFY.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_CLASSIFY.h 2010-10-29 14:37:22.000000000 +0000
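Review bot: In `xt_ematch_foreach` the initialiser uses `entry->elems` while every other use of that macro argument is parenthesised as `(entry)`, so an argument that is an expression rather than a plain identifier mis-parses; it should read `(pos) = (struct xt_entry_match *)(entry)->elems;`. Both macros also advance solely by the `next_offset` / `u.match_size` they read out of the blob they walk, with no check that the step is non-zero: a zero offset makes the loop spin forever, and a step that lands within the last few bytes before `ehead + esize` / `target_offset` hands the body a partial struct. The assumption that the blob has already been validated deserves a comment above each macro, e.g. `/* assumes a well-formed blob: zero or truncating offsets are not detected here */`.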
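Review bot: xt_CHECKSUM.h uses `__u8` but has no `#include <linux/types.h>`, whereas the other headers touched in this diff that switch to the `__uN` spellings add that include right after the guard (xt_CLASSIFY.h, xt_connbytes.h, xt_cpu.h, xt_dccp.h, ...). The same is true of the new xt_ipvs.h (hunk ending at L728), which uses `__be16`, `__u8` and `union nf_inet_addr` with no include at all, and of xt_CT.h (hunk ending at L723), which in addition keeps the `u_int16_t`/`u_int32_t` spellings the rest of this diff replaces. I'd add `#include <linux/types.h>` after `#define _IPT_CHECKSUM_TARGET_H` here and in the other two, and use `__u16`/`__u32` in xt_CT.h for consistency.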
@@ -1,8 +1,10 @@ #ifndef _XT_CLASSIFY_H #define _XT_CLASSIFY_H +#include <linux/types.h> + struct xt_classify_target_info { - u_int32_t priority; + __u32 priority; }; #endif /*_XT_CLASSIFY_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_connbytes.h iptables-1.4.10/include/linux/netfilter/xt_connbytes.h --- iptables-1.4.4/include/linux/netfilter/xt_connbytes.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_connbytes.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _XT_CONNBYTES_H #define _XT_CONNBYTES_H +#include <linux/types.h> + enum xt_connbytes_what { XT_CONNBYTES_PKTS, XT_CONNBYTES_BYTES, @@ -13,13 +15,12 @@ XT_CONNBYTES_DIR_BOTH, }; -struct xt_connbytes_info -{ +struct xt_connbytes_info { struct { aligned_u64 from; /* count to be matched */ aligned_u64 to; /* count to be matched */ } count; - u_int8_t what; /* ipt_connbytes_what */ - u_int8_t direction; /* ipt_connbytes_direction */ + __u8 what; /* ipt_connbytes_what */ + __u8 direction; /* ipt_connbytes_direction */ }; #endif diff -Nru iptables-1.4.4/include/linux/netfilter/xt_connmark.h iptables-1.4.10/include/linux/netfilter/xt_connmark.h --- iptables-1.4.4/include/linux/netfilter/xt_connmark.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_connmark.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _XT_CONNMARK_H #define _XT_CONNMARK_H +#include <linux/types.h> + /* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> * by Henrik Nordstrom <hno@marasystems.com> * 
@@ -10,14 +12,20 @@ * (at your option) any later version. */ -struct xt_connmark_info { - unsigned long mark, mask; - u_int8_t invert; +enum { + XT_CONNMARK_SET = 0, + XT_CONNMARK_SAVE, + XT_CONNMARK_RESTORE +}; + +struct xt_connmark_tginfo1 { + __u32 ctmark, ctmask, nfmask; + __u8 mode; }; struct xt_connmark_mtinfo1 { - u_int32_t mark, mask; - u_int8_t invert; + __u32 mark, mask; + __u8 invert; }; #endif /*_XT_CONNMARK_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_CONNMARK.h iptables-1.4.10/include/linux/netfilter/xt_CONNMARK.h --- iptables-1.4.4/include/linux/netfilter/xt_CONNMARK.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_CONNMARK.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,30 +1,6 @@ #ifndef _XT_CONNMARK_H_target #define _XT_CONNMARK_H_target -/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> - * by Henrik Nordstrom <hno@marasystems.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - */ - -enum { - XT_CONNMARK_SET = 0, - XT_CONNMARK_SAVE, - XT_CONNMARK_RESTORE -}; - -struct xt_connmark_target_info { - unsigned long mark; - unsigned long mask; - u_int8_t mode; -}; - -struct xt_connmark_tginfo1 { - u_int32_t ctmark, ctmask, nfmask; - u_int8_t mode; -}; +#include <linux/netfilter/xt_connmark.h> #endif /*_XT_CONNMARK_H_target*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_CONNSECMARK.h iptables-1.4.10/include/linux/netfilter/xt_CONNSECMARK.h --- iptables-1.4.4/include/linux/netfilter/xt_CONNSECMARK.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_CONNSECMARK.h 2010-10-29 14:37:22.000000000 +0000 
@@ -1,13 +1,15 @@ #ifndef _XT_CONNSECMARK_H_target #define _XT_CONNSECMARK_H_target +#include <linux/types.h> + enum { CONNSECMARK_SAVE = 1, CONNSECMARK_RESTORE, }; struct xt_connsecmark_target_info { - u_int8_t mode; + __u8 mode; }; #endif /*_XT_CONNSECMARK_H_target */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_conntrack.h iptables-1.4.10/include/linux/netfilter/xt_conntrack.h --- iptables-1.4.4/include/linux/netfilter/xt_conntrack.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_conntrack.h 2010-10-29 14:37:22.000000000 +0000 
@@ -32,53 +32,30 @@ XT_CONNTRACK_DIRECTION = 1 << 12, }; -/* This is exposed to userspace, so remains frozen in time. */ -struct ip_conntrack_old_tuple -{ - struct { - __be32 ip; - union { - __u16 all; - } u; - } src; - - struct { - __be32 ip; - union { - __u16 all; - } u; - - /* The protocol. */ - __u16 protonum; - } dst; -}; - -struct xt_conntrack_info -{ - unsigned int statemask, statusmask; - - struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX]; - struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX]; - - unsigned long expires_min, expires_max; - - /* Flags word */ - u_int8_t flags; - /* Inverse flags */ - u_int8_t invflags; +struct xt_conntrack_mtinfo1 { + union nf_inet_addr origsrc_addr, origsrc_mask; + union nf_inet_addr origdst_addr, origdst_mask; + union nf_inet_addr replsrc_addr, replsrc_mask; + union nf_inet_addr repldst_addr, repldst_mask; + __u32 expires_min, expires_max; + __u16 l4proto; + __be16 origsrc_port, origdst_port; + __be16 replsrc_port, repldst_port; + __u16 match_flags, invert_flags; + __u8 state_mask, status_mask; }; -struct xt_conntrack_mtinfo1 { +struct xt_conntrack_mtinfo2 { union nf_inet_addr origsrc_addr, origsrc_mask; union nf_inet_addr origdst_addr, origdst_mask; union nf_inet_addr replsrc_addr, replsrc_mask; union nf_inet_addr repldst_addr, repldst_mask; - u_int32_t expires_min, expires_max; - u_int16_t l4proto; + __u32 expires_min, expires_max; + __u16 l4proto; __be16 origsrc_port, origdst_port; __be16 replsrc_port, repldst_port; - u_int16_t match_flags, invert_flags; - u_int8_t state_mask, status_mask; + __u16 match_flags, invert_flags; + __u16 state_mask, status_mask; }; #endif /*_XT_CONNTRACK_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_cpu.h iptables-1.4.10/include/linux/netfilter/xt_cpu.h --- iptables-1.4.4/include/linux/netfilter/xt_cpu.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_cpu.h 2010-10-29 14:37:22.000000000 +0000 
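Review bot: `struct xt_conntrack_mtinfo2` is a field-for-field copy of the `xt_conntrack_mtinfo1` above it except that `state_mask` and `status_mask` are `__u16` instead of `__u8`, and nothing in the header says so, leaving the reader to diff the two by eye. A one-line comment on the second struct, e.g. `/* same as mtinfo1, but state_mask/status_mask widened to 16 bits */`, would make the relationship (presumably the revision-2 change, given the suffixes) explicit.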
@@ -0,0 +1,11 @@
+#ifndef _XT_CPU_H
+#define _XT_CPU_H
+
+#include <linux/types.h>
+
+struct xt_cpu_info {
+ __u32 cpu;
+ __u32 invert;
+};
+
+#endif /*_XT_CPU_H*/
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_CT.h iptables-1.4.10/include/linux/netfilter/xt_CT.h
--- iptables-1.4.4/include/linux/netfilter/xt_CT.h 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_CT.h 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,17 @@
+#ifndef _XT_CT_H
+#define _XT_CT_H
+
+#define XT_CT_NOTRACK 0x1
+
+struct xt_ct_target_info {
+ u_int16_t flags;
+ u_int16_t zone;
+ u_int32_t ct_events;
+ u_int32_t exp_events;
+ char helper[16];
+
+ /* Used internally by the kernel */
+ struct nf_conn *ct __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CT_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_dccp.h iptables-1.4.10/include/linux/netfilter/xt_dccp.h
--- iptables-1.4.4/include/linux/netfilter/xt_dccp.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_dccp.h 2010-10-29 14:37:22.000000000 +0000
@@ -1,6 +1,8 @@
 #ifndef _XT_DCCP_H_
 #define _XT_DCCP_H_
 
+#include <linux/types.h>
+
 #define XT_DCCP_SRC_PORTS 0x01
 #define XT_DCCP_DEST_PORTS 0x02
 #define XT_DCCP_TYPE 0x04
@@ -9,14 +11,14 @@
 #define XT_DCCP_VALID_FLAGS 0x0f
 
 struct xt_dccp_info {
- u_int16_t dpts[2]; /* Min, Max */
- u_int16_t spts[2]; /* Min, Max */
+ __u16 dpts[2]; /* Min, Max */
+ __u16 spts[2]; /* Min, Max */
 
- u_int16_t flags;
- u_int16_t invflags;
+ __u16 flags;
+ __u16 invflags;
 
- u_int16_t typemask;
- u_int8_t option;
+ __u16 typemask;
+ __u8 option;
 };
 
 #endif /* _XT_DCCP_H_ */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_dscp.h iptables-1.4.10/include/linux/netfilter/xt_dscp.h
--- iptables-1.4.4/include/linux/netfilter/xt_dscp.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_dscp.h 2010-10-29 14:37:22.000000000 +0000
@@ -10,20 +10,22 @@ #ifndef _XT_DSCP_H #define _XT_DSCP_H +#include <linux/types.h> + #define XT_DSCP_MASK 0xfc /* 11111100 */ #define XT_DSCP_SHIFT 2 #define XT_DSCP_MAX 0x3f /* 00111111 */ /* match info */ struct xt_dscp_info { - u_int8_t dscp; - u_int8_t invert; + __u8 dscp; + __u8 invert; }; struct xt_tos_match_info { - u_int8_t tos_mask; - u_int8_t tos_value; - u_int8_t invert; + __u8 tos_mask; + __u8 tos_value; + __u8 invert; }; #endif /* _XT_DSCP_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_DSCP.h iptables-1.4.10/include/linux/netfilter/xt_DSCP.h --- iptables-1.4.4/include/linux/netfilter/xt_DSCP.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_DSCP.h 2010-10-29 14:37:22.000000000 +0000 @@ -11,15 +11,16 @@ #ifndef _XT_DSCP_TARGET_H #define _XT_DSCP_TARGET_H #include <linux/netfilter/xt_dscp.h> +#include <linux/types.h> /* target info */ struct xt_DSCP_info { - u_int8_t dscp; + __u8 dscp; }; struct xt_tos_target_info { - u_int8_t tos_value; - u_int8_t tos_mask; + __u8 tos_value; + __u8 tos_mask; }; #endif /* _XT_DSCP_TARGET_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_esp.h iptables-1.4.10/include/linux/netfilter/xt_esp.h --- iptables-1.4.4/include/linux/netfilter/xt_esp.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_esp.h 2010-10-29 14:37:22.000000000 +0000 
@@ -1,10 +1,11 @@ #ifndef _XT_ESP_H #define _XT_ESP_H -struct xt_esp -{ - u_int32_t spis[2]; /* Security Parameter Index */ - u_int8_t invflags; /* Inverse flags */ +#include <linux/types.h> + +struct xt_esp { + __u32 spis[2]; /* Security Parameter Index */ + __u8 invflags; /* Inverse flags */ }; /* Values for "invflags" field in struct xt_esp. */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_hashlimit.h iptables-1.4.10/include/linux/netfilter/xt_hashlimit.h --- iptables-1.4.4/include/linux/netfilter/xt_hashlimit.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_hashlimit.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _XT_HASHLIMIT_H #define _XT_HASHLIMIT_H +#include <linux/types.h> + /* timings are in milliseconds. */ #define XT_HASHLIMIT_SCALE 10000 /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 @@ -18,15 +20,15 @@ }; struct hashlimit_cfg { - u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - u_int32_t avg; /* Average secs between packets * scale */ - u_int32_t burst; /* Period multiplier for upper limit. */ + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ /* user specified */ - u_int32_t size; /* how many buckets */ - u_int32_t max; /* max number of entries */ - u_int32_t gc_interval; /* gc interval */ - u_int32_t expire; /* when do entries expire? */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ }; struct xt_hashlimit_info { 
@@ -42,17 +44,17 @@ }; struct hashlimit_cfg1 { - u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */ - u_int32_t avg; /* Average secs between packets * scale */ - u_int32_t burst; /* Period multiplier for upper limit. */ + __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ /* user specified */ - u_int32_t size; /* how many buckets */ - u_int32_t max; /* max number of entries */ - u_int32_t gc_interval; /* gc interval */ - u_int32_t expire; /* when do entries expire? */ + __u32 size; /* how many buckets */ + __u32 max; /* max number of entries */ + __u32 gc_interval; /* gc interval */ + __u32 expire; /* when do entries expire? */ - u_int8_t srcmask, dstmask; + __u8 srcmask, dstmask; }; struct xt_hashlimit_mtinfo1 { diff -Nru iptables-1.4.4/include/linux/netfilter/xt_IDLETIMER.h iptables-1.4.10/include/linux/netfilter/xt_IDLETIMER.h --- iptables-1.4.4/include/linux/netfilter/xt_IDLETIMER.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_IDLETIMER.h 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,45 @@ +/* + * linux/include/linux/netfilter/xt_IDLETIMER.h + * + * Header file for Xtables timer target module. + * + * Copyright (C) 2004, 2010 Nokia Corporation + * Written by Timo Teras <ext-timo.teras@nokia.com> + * + * Converted to x_tables and forward-ported to 2.6.34 + * by Luciano Coelho <luciano.coelho@nokia.com> + * + * Contact: Luciano Coelho <luciano.coelho@nokia.com> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + */ + +#ifndef _XT_IDLETIMER_H +#define _XT_IDLETIMER_H + +#include <linux/types.h> + +#define MAX_IDLETIMER_LABEL_SIZE 28 + +struct idletimer_tg_info { + __u32 timeout; + + char label[MAX_IDLETIMER_LABEL_SIZE]; + + /* for kernel module internal use only */ + struct idletimer_tg *timer __attribute((aligned(8))); +}; + +#endif diff -Nru iptables-1.4.4/include/linux/netfilter/xt_iprange.h iptables-1.4.10/include/linux/netfilter/xt_iprange.h --- iptables-1.4.4/include/linux/netfilter/xt_iprange.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_iprange.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _LINUX_NETFILTER_XT_IPRANGE_H #define _LINUX_NETFILTER_XT_IPRANGE_H 1 +#include <linux/types.h> + enum { IPRANGE_SRC = 1 << 0, /* match source IP address */ IPRANGE_DST = 1 << 1, /* match destination IP address */ 
@@ -11,7 +13,7 @@
 struct xt_iprange_mtinfo {
 union nf_inet_addr src_min, src_max;
 union nf_inet_addr dst_min, dst_max;
- u_int8_t flags;
+ __u8 flags;
 };
 #endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_ipvs.h iptables-1.4.10/include/linux/netfilter/xt_ipvs.h
--- iptables-1.4.4/include/linux/netfilter/xt_ipvs.h 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_ipvs.h 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,27 @@
+#ifndef _XT_IPVS_H
+#define _XT_IPVS_H
+
+enum {
+ XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
+ XT_IPVS_PROTO = 1 << 1,
+ XT_IPVS_VADDR = 1 << 2,
+ XT_IPVS_VPORT = 1 << 3,
+ XT_IPVS_DIR = 1 << 4,
+ XT_IPVS_METHOD = 1 << 5,
+ XT_IPVS_VPORTCTL = 1 << 6,
+ XT_IPVS_MASK = (1 << 7) - 1,
+ XT_IPVS_ONCE_MASK = XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
+};
+
+struct xt_ipvs_mtinfo {
+ union nf_inet_addr vaddr, vmask;
+ __be16 vport;
+ __u8 l4proto;
+ __u8 fwd_method;
+ __be16 vportctl;
+
+ __u8 invert;
+ __u8 bitmask;
+};
+
+#endif /* _XT_IPVS_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_LED.h iptables-1.4.10/include/linux/netfilter/xt_LED.h
--- iptables-1.4.4/include/linux/netfilter/xt_LED.h 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_LED.h 2010-10-29 14:37:22.000000000 +0000
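Review bot: The new xt_ipvs.h uses `__be16`, `__u8` and `union nf_inet_addr` but includes nothing, whereas every other header touched in this sync gains `#include <linux/types.h>`; as written it compiles only when the including file has already pulled those names in. I would add `#include <linux/types.h>` directly under the guard, and `#include <linux/netfilter.h>` as well if that is where the iptables copy declares `union nf_inet_addr` (the netfilter.h hunk in this diff does not show that declaration, so it needs confirming). A header that depends on include order is the kind of thing that breaks silently when the extension sources are reorganised.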
@@ -0,0 +1,15 @@
+#ifndef _XT_LED_H
+#define _XT_LED_H
+
+#include <linux/types.h>
+
+struct xt_led_info {
+ char id[27]; /* Unique ID for this trigger in the LED class */
+ __u8 always_blink; /* Blink even if the LED is already on */
+ __u32 delay; /* Delay until LED is switched off after trigger */
+
+ /* Kernel data used in the module */
+ void *internal_data __attribute__((aligned(8)));
+};
+
+#endif /* _XT_LED_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_length.h iptables-1.4.10/include/linux/netfilter/xt_length.h
--- iptables-1.4.4/include/linux/netfilter/xt_length.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_length.h 2010-10-29 14:37:22.000000000 +0000
@@ -1,9 +1,11 @@
 #ifndef _XT_LENGTH_H
 #define _XT_LENGTH_H
+#include <linux/types.h>
+
 struct xt_length_info {
- u_int16_t min, max;
- u_int8_t invert;
+ __u16 min, max;
+ __u8 invert;
 };
 #endif /*_XT_LENGTH_H*/
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_limit.h iptables-1.4.10/include/linux/netfilter/xt_limit.h
--- iptables-1.4.4/include/linux/netfilter/xt_limit.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_limit.h 2010-10-29 14:37:22.000000000 +0000
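Review bot: `char id[27]` in `struct xt_led_info` is a bare magic size, and although the comment makes it an identifier "in the LED class" nothing says the string must be NUL-terminated, so whoever registers it as a trigger name has to reject an unterminated id and this header gives them no contract to point at. I would document it on the field, `char id[27]; /* NUL-terminated trigger name; 27 + always_blink + delay keeps the ABI prefix at 32 bytes */` — the sizing rationale is my inference from the field layout and should be confirmed against the kernel source before it is written down. Whether the kernel currently checks the terminator cannot be told from this header.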
@@ -1,21 +1,24 @@ #ifndef _XT_RATE_H #define _XT_RATE_H +#include <linux/types.h> + /* timings are in milliseconds. */ #define XT_LIMIT_SCALE 10000 +struct xt_limit_priv; + /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 seconds, or one every 59 hours. */ struct xt_rateinfo { - u_int32_t avg; /* Average secs between packets * scale */ - u_int32_t burst; /* Period multiplier for upper limit. */ + __u32 avg; /* Average secs between packets * scale */ + __u32 burst; /* Period multiplier for upper limit. */ /* Used internally by the kernel */ - unsigned long prev; - u_int32_t credit; - u_int32_t credit_cap, cost; + unsigned long prev; /* moved to xt_limit_priv */ + __u32 credit; /* moved to xt_limit_priv */ + __u32 credit_cap, cost; - /* Ugly, ugly fucker. */ - struct xt_rateinfo *master; + struct xt_limit_priv *master; }; #endif /*_XT_RATE_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_mark.h iptables-1.4.10/include/linux/netfilter/xt_mark.h --- iptables-1.4.4/include/linux/netfilter/xt_mark.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_mark.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,14 +1,15 @@ #ifndef _XT_MARK_H #define _XT_MARK_H -struct xt_mark_info { - unsigned long mark, mask; - u_int8_t invert; +#include <linux/types.h> + +struct xt_mark_tginfo2 { + __u32 mark, mask; }; struct xt_mark_mtinfo1 { - u_int32_t mark, mask; - u_int8_t invert; + __u32 mark, mask; + __u8 invert; }; #endif /*_XT_MARK_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_MARK.h iptables-1.4.10/include/linux/netfilter/xt_MARK.h --- iptables-1.4.4/include/linux/netfilter/xt_MARK.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_MARK.h 2010-10-29 14:37:22.000000000 +0000 
@@ -1,25 +1,6 @@ #ifndef _XT_MARK_H_target #define _XT_MARK_H_target -/* Version 0 */ -struct xt_mark_target_info { - unsigned long mark; -}; - -/* Version 1 */ -enum { - XT_MARK_SET=0, - XT_MARK_AND, - XT_MARK_OR, -}; - -struct xt_mark_target_info_v1 { - unsigned long mark; - u_int8_t mode; -}; - -struct xt_mark_tginfo2 { - u_int32_t mark, mask; -}; +#include <linux/netfilter/xt_mark.h> #endif /*_XT_MARK_H_target */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_multiport.h iptables-1.4.10/include/linux/netfilter/xt_multiport.h --- iptables-1.4.4/include/linux/netfilter/xt_multiport.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_multiport.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,8 +1,9 @@ #ifndef _XT_MULTIPORT_H #define _XT_MULTIPORT_H -enum xt_multiport_flags -{ +#include <linux/types.h> + +enum xt_multiport_flags { XT_MULTIPORT_SOURCE, XT_MULTIPORT_DESTINATION, XT_MULTIPORT_EITHER 
@@ -11,20 +12,18 @@ #define XT_MULTI_PORTS 15 /* Must fit inside union xt_matchinfo: 16 bytes */ -struct xt_multiport -{ - u_int8_t flags; /* Type of comparison */ - u_int8_t count; /* Number of ports */ - u_int16_t ports[XT_MULTI_PORTS]; /* Ports */ +struct xt_multiport { + __u8 flags; /* Type of comparison */ + __u8 count; /* Number of ports */ + __u16 ports[XT_MULTI_PORTS]; /* Ports */ }; -struct xt_multiport_v1 -{ - u_int8_t flags; /* Type of comparison */ - u_int8_t count; /* Number of ports */ - u_int16_t ports[XT_MULTI_PORTS]; /* Ports */ - u_int8_t pflags[XT_MULTI_PORTS]; /* Port flags */ - u_int8_t invert; /* Invert flag */ +struct xt_multiport_v1 { + __u8 flags; /* Type of comparison */ + __u8 count; /* Number of ports */ + __u16 ports[XT_MULTI_PORTS]; /* Ports */ + __u8 pflags[XT_MULTI_PORTS]; /* Port flags */ + __u8 invert; /* Invert flag */ }; #endif /*_XT_MULTIPORT_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_NFLOG.h iptables-1.4.10/include/linux/netfilter/xt_NFLOG.h --- iptables-1.4.4/include/linux/netfilter/xt_NFLOG.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_NFLOG.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,17 +1,19 @@ #ifndef _XT_NFLOG_TARGET #define _XT_NFLOG_TARGET +#include <linux/types.h> + #define XT_NFLOG_DEFAULT_GROUP 0x1 -#define XT_NFLOG_DEFAULT_THRESHOLD 1 +#define XT_NFLOG_DEFAULT_THRESHOLD 0 #define XT_NFLOG_MASK 0x0 struct xt_nflog_info { - u_int32_t len; - u_int16_t group; - u_int16_t threshold; - u_int16_t flags; - u_int16_t pad; + __u32 len; + __u16 group; + __u16 threshold; + __u16 flags; + __u16 pad; char prefix[64]; }; diff -Nru iptables-1.4.4/include/linux/netfilter/xt_NFQUEUE.h iptables-1.4.10/include/linux/netfilter/xt_NFQUEUE.h --- iptables-1.4.4/include/linux/netfilter/xt_NFQUEUE.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_NFQUEUE.h 2010-10-29 14:37:22.000000000 +0000 
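Review bot: `XT_NFLOG_DEFAULT_THRESHOLD` changes from 1 to 0 with no comment, and 0 is not a meaningful "log every packet" threshold on its face, so a reader cannot tell whether it means "unset, let the log group's own threshold apply" or something else; this is a semantic change to a default hidden inside a type-rename sync. I would put the meaning beside the definition, `#define XT_NFLOG_DEFAULT_THRESHOLD 0 /* 0: use the nflog group's configured threshold */`, once confirmed against the kernel's nfnetlink_log handling. `char prefix[64]` in the same struct also lacks a NUL-termination note even though it is presumably emitted into log output; the contract belongs in the header.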
@@ -8,9 +8,16 @@ #ifndef _XT_NFQ_TARGET_H #define _XT_NFQ_TARGET_H +#include <linux/types.h> + /* target info */ struct xt_NFQ_info { - u_int16_t queuenum; + __u16 queuenum; +}; + +struct xt_NFQ_info_v1 { + __u16 queuenum; + __u16 queues_total; }; #endif /* _XT_NFQ_TARGET_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_osf.h iptables-1.4.10/include/linux/netfilter/xt_osf.h --- iptables-1.4.4/include/linux/netfilter/xt_osf.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_osf.h 2010-10-29 14:37:22.000000000 +0000 
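Review bot: `struct xt_NFQ_info_v1` adds `queues_total` without saying what it counts or what range is valid; from the name it presumably selects `queues_total` consecutive queues starting at `queuenum`, in which case 0 is invalid and `queuenum + queues_total - 1` must not exceed 0xffff, both of which the target's checkentry should reject rather than silently wrapping. I would document the field, `__u16 queues_total; /* consecutive queues starting at queuenum; >= 1, queuenum + queues_total - 1 <= 0xffff */`, after confirming the semantics against the kernel's xt_NFQUEUE.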
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#include <linux/types.h>
+
+#define MAXGENRELEN 32
+
+#define XT_OSF_GENRE (1<<0)
+#define XT_OSF_TTL (1<<1)
+#define XT_OSF_LOG (1<<2)
+#define XT_OSF_INVERT (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+ char genre[MAXGENRELEN];
+ __u32 len;
+ __u32 flags;
+ __u32 loglevel;
+ __u32 ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+ __u32 wc;
+ __u32 val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+ __u16 kind, length;
+ struct xt_osf_wc wc;
+};
+
+struct xt_osf_user_finger {
+ struct xt_osf_wc wss;
+
+ __u8 ttl, df;
+ __u16 ss, mss;
+ __u16 opt_num;
+
+ char genre[MAXGENRELEN];
+ char version[MAXGENRELEN];
+ char subtype[MAXGENRELEN];
+
+ /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+ struct xt_osf_opt opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+ struct xt_osf_user_finger f;
+ struct iphdr ip;
+ struct tcphdr tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+ OSFOPT_EOL = 0, /* End of options */
+ OSFOPT_NOP, /* NOP */
+ OSFOPT_MSS, /* Maximum segment size */
+ OSFOPT_WSO, /* Window scale option */
+ OSFOPT_SACKP, /* SACK permitted */
+ OSFOPT_SACK, /* SACK */
+ OSFOPT_ECHO,
+ OSFOPT_ECHOREPLY,
+ OSFOPT_TS, /* Timestamp option */
+ OSFOPT_POCP, /* Partial Order Connection Permitted */
+ OSFOPT_POSP, /* Partial Order Service Profile */
+
+ /* Others are not used in the current OSF */
+ OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+ OSF_WSS_PLAIN = 0,
+ OSF_WSS_MSS,
+ OSF_WSS_MTU,
+ OSF_WSS_MODULO,
+ OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+ OSF_MSG_ADD,
+ OSF_MSG_REMOVE,
+ OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+ OSF_ATTR_UNSPEC,
+ OSF_ATTR_FINGER,
+ OSF_ATTR_MAX,
+};
+
+#endif /* _XT_OSF_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_owner.h iptables-1.4.10/include/linux/netfilter/xt_owner.h
--- iptables-1.4.4/include/linux/netfilter/xt_owner.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_owner.h 2010-10-29 14:37:22.000000000 +0000
@@ -1,6 +1,8 @@
 #ifndef _XT_OWNER_MATCH_H
 #define _XT_OWNER_MATCH_H
+#include <linux/types.h>
+
 enum {
 XT_OWNER_UID = 1 << 0,
 XT_OWNER_GID = 1 << 1,
@@ -8,9 +10,9 @@
 };
 struct xt_owner_match_info {
- u_int32_t uid_min, uid_max;
- u_int32_t gid_min, gid_max;
- u_int8_t match, invert;
+ __u32 uid_min, uid_max;
+ __u32 gid_min, gid_max;
+ __u8 match, invert;
 };
 #endif /* _XT_OWNER_MATCH_H */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_physdev.h iptables-1.4.10/include/linux/netfilter/xt_physdev.h
--- iptables-1.4.4/include/linux/netfilter/xt_physdev.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_physdev.h 2010-10-29 14:37:22.000000000 +0000
@@ -1,6 +1,8 @@
 #ifndef _XT_PHYSDEV_H
 #define _XT_PHYSDEV_H
+#include <linux/types.h>
+
 #define XT_PHYSDEV_OP_IN 0x01
 #define XT_PHYSDEV_OP_OUT 0x02
@@ -14,8 +16,8 @@
 char in_mask[IFNAMSIZ];
 char physoutdev[IFNAMSIZ];
 char out_mask[IFNAMSIZ];
- u_int8_t invert;
- u_int8_t bitmask;
+ __u8 invert;
+ __u8 bitmask;
 };
 #endif /*_XT_PHYSDEV_H*/
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_policy.h iptables-1.4.10/include/linux/netfilter/xt_policy.h
--- iptables-1.4.4/include/linux/netfilter/xt_policy.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_policy.h 2010-10-29 14:37:22.000000000 +0000
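Review bot: xt_osf.h references `MAX_IPOPTLEN`, `struct iphdr` and `struct tcphdr` but includes only `<linux/types.h>`, so `struct xt_osf_user_finger` and `struct xt_osf_nlmsg` compile only if the includer has already pulled in the IP and TCP headers; I would add `#include <linux/ip.h>` and `#include <linux/tcp.h>` after the types include. Separately, `__u16 opt_num` is a user-supplied count indexing into `opt[MAX_IPOPTLEN]` and the header never says it must not exceed that bound, which is precisely what the netlink receiver has to enforce before iterating; a comment such as `__u16 opt_num; /* valid entries in opt[]; must be <= MAX_IPOPTLEN */` makes the bound explicit. The `XT_OSF_LOGLEVEL_FIRST` comment also misspells "matched" as "matced". As this is a copy of the kernel header, these belong upstream and then re-synced.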
@@ -1,25 +1,24 @@ #ifndef _XT_POLICY_H #define _XT_POLICY_H +#include <linux/types.h> + #define XT_POLICY_MAX_ELEM 4 -enum xt_policy_flags -{ +enum xt_policy_flags { XT_POLICY_MATCH_IN = 0x1, XT_POLICY_MATCH_OUT = 0x2, XT_POLICY_MATCH_NONE = 0x4, XT_POLICY_MATCH_STRICT = 0x8, }; -enum xt_policy_modes -{ +enum xt_policy_modes { XT_POLICY_MODE_TRANSPORT, XT_POLICY_MODE_TUNNEL }; -struct xt_policy_spec -{ - u_int8_t saddr:1, +struct xt_policy_spec { + __u8 saddr:1, daddr:1, proto:1, mode:1, @@ -27,14 +26,12 @@ reqid:1; }; -union xt_policy_addr -{ +union xt_policy_addr { struct in_addr a4; struct in6_addr a6; }; -struct xt_policy_elem -{ +struct xt_policy_elem { union { struct { union xt_policy_addr saddr; @@ -44,19 +41,18 @@ }; }; __be32 spi; - u_int32_t reqid; - u_int8_t proto; - u_int8_t mode; + __u32 reqid; + __u8 proto; + __u8 mode; struct xt_policy_spec match; struct xt_policy_spec invert; }; -struct xt_policy_info -{ +struct xt_policy_info { struct xt_policy_elem pol[XT_POLICY_MAX_ELEM]; - u_int16_t flags; - u_int16_t len; + __u16 flags; + __u16 len; }; #endif /* _XT_POLICY_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_quota.h iptables-1.4.10/include/linux/netfilter/xt_quota.h --- iptables-1.4.4/include/linux/netfilter/xt_quota.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_quota.h 2010-10-29 14:37:22.000000000 +0000 @@ -6,13 +6,15 @@ }; #define XT_QUOTA_MASK 0x1 +struct xt_quota_priv; + struct xt_quota_info { u_int32_t flags; u_int32_t pad; + aligned_u64 quota; /* Used internally by the kernel */ - aligned_u64 quota; - struct xt_quota_info *master; + struct xt_quota_priv *master; }; #endif /* _XT_QUOTA_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_rateest.h iptables-1.4.10/include/linux/netfilter/xt_rateest.h --- iptables-1.4.4/include/linux/netfilter/xt_rateest.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_rateest.h 2010-10-29 14:37:22.000000000 +0000 
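Review bot: xt_quota.h is the one header in this sync whose fields are left as `u_int32_t flags; u_int32_t pad;` and which gains no `#include <linux/types.h>`, even though `aligned_u64 quota` is itself a `<linux/types.h>` type; the header is not self-contained and is inconsistent with the `__u32` conversion applied everywhere else. I would change the two fields to `__u32 flags;` and `__u32 pad;` and add `#include <linux/types.h>` below the guard (the guard is above this hunk). Moving `quota` above the "Used internally by the kernel" comment is an ABI-visible statement that it is now set by userspace, and a short comment saying so, `aligned_u64 quota; /* set by userspace, no longer kernel-internal */`, would spare the next reader the diff archaeology.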
@@ -1,6 +1,8 @@ #ifndef _XT_RATEEST_MATCH_H #define _XT_RATEEST_MATCH_H +#include <linux/types.h> + enum xt_rateest_match_flags { XT_RATEEST_MATCH_INVERT = 1<<0, XT_RATEEST_MATCH_ABS = 1<<1, @@ -20,12 +22,12 @@ struct xt_rateest_match_info { char name1[IFNAMSIZ]; char name2[IFNAMSIZ]; - u_int16_t flags; - u_int16_t mode; - u_int32_t bps1; - u_int32_t pps1; - u_int32_t bps2; - u_int32_t pps2; + __u16 flags; + __u16 mode; + __u32 bps1; + __u32 pps1; + __u32 bps2; + __u32 pps2; /* Used internally by the kernel */ struct xt_rateest *est1 __attribute__((aligned(8))); diff -Nru iptables-1.4.4/include/linux/netfilter/xt_RATEEST.h iptables-1.4.10/include/linux/netfilter/xt_RATEEST.h --- iptables-1.4.4/include/linux/netfilter/xt_RATEEST.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_RATEEST.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,10 +1,12 @@ #ifndef _XT_RATEEST_TARGET_H #define _XT_RATEEST_TARGET_H +#include <linux/types.h> + struct xt_rateest_target_info { char name[IFNAMSIZ]; - int8_t interval; - u_int8_t ewma_log; + __s8 interval; + __u8 ewma_log; /* Used internally by the kernel */ struct xt_rateest *est __attribute__((aligned(8))); diff -Nru iptables-1.4.4/include/linux/netfilter/xt_realm.h iptables-1.4.10/include/linux/netfilter/xt_realm.h --- iptables-1.4.4/include/linux/netfilter/xt_realm.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_realm.h 2010-10-29 14:37:22.000000000 +0000 
@@ -1,10 +1,12 @@ #ifndef _XT_REALM_H #define _XT_REALM_H +#include <linux/types.h> + struct xt_realm_info { - u_int32_t id; - u_int32_t mask; - u_int8_t invert; + __u32 id; + __u32 mask; + __u8 invert; }; #endif /* _XT_REALM_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_recent.h iptables-1.4.10/include/linux/netfilter/xt_recent.h --- iptables-1.4.4/include/linux/netfilter/xt_recent.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_recent.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,12 +1,15 @@ #ifndef _LINUX_NETFILTER_XT_RECENT_H #define _LINUX_NETFILTER_XT_RECENT_H 1 +#include <linux/types.h> + enum { XT_RECENT_CHECK = 1 << 0, XT_RECENT_SET = 1 << 1, XT_RECENT_UPDATE = 1 << 2, XT_RECENT_REMOVE = 1 << 3, XT_RECENT_TTL = 1 << 4, + XT_RECENT_REAP = 1 << 5, XT_RECENT_SOURCE = 0, XT_RECENT_DEST = 1, @@ -14,13 +17,19 @@ XT_RECENT_NAME_LEN = 200, }; +/* Only allowed with --rcheck and --update */ +#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) + +#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ + XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) + struct xt_recent_mtinfo { - u_int32_t seconds; - u_int32_t hit_count; - u_int8_t check_set; - u_int8_t invert; + __u32 seconds; + __u32 hit_count; + __u8 check_set; + __u8 invert; char name[XT_RECENT_NAME_LEN]; - u_int8_t side; + __u8 side; }; #endif /* _LINUX_NETFILTER_XT_RECENT_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_sctp.h iptables-1.4.10/include/linux/netfilter/xt_sctp.h --- iptables-1.4.4/include/linux/netfilter/xt_sctp.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_sctp.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _XT_SCTP_H_ #define _XT_SCTP_H_ +#include <linux/types.h> + #define XT_SCTP_SRC_PORTS 0x01 #define XT_SCTP_DEST_PORTS 0x02 #define XT_SCTP_CHUNK_TYPES 0x04 
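Review bot: `XT_RECENT_MODIFIERS` is annotated with the iptables option names `--rcheck` and `--update`, but this is the kernel ABI header and the kernel-side check compares flag bits, not option strings; `/* Only valid together with XT_RECENT_CHECK or XT_RECENT_UPDATE */` says the same thing in the header's own vocabulary. `XT_RECENT_VALID_FLAGS` is a welcome addition since it is what lets checkentry reject unknown bits in `check_set` instead of silently ignoring them, and a one-line comment stating that intent, `/* Every bit the kernel accepts in check_set; reject anything outside it */`, would keep the mask maintained when the enum is next extended.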
@@ -8,49 +10,49 @@ #define XT_SCTP_VALID_FLAGS 0x07 struct xt_sctp_flag_info { - u_int8_t chunktype; - u_int8_t flag; - u_int8_t flag_mask; + __u8 chunktype; + __u8 flag; + __u8 flag_mask; }; #define XT_NUM_SCTP_FLAGS 4 struct xt_sctp_info { - u_int16_t dpts[2]; /* Min, Max */ - u_int16_t spts[2]; /* Min, Max */ + __u16 dpts[2]; /* Min, Max */ + __u16 spts[2]; /* Min, Max */ - u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */ + __u32 chunkmap[256 / sizeof (__u32)]; /* Bit mask of chunks to be matched according to RFC 2960 */ #define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */ #define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */ #define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */ - u_int32_t chunk_match_type; + __u32 chunk_match_type; struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS]; int flag_count; - u_int32_t flags; - u_int32_t invflags; + __u32 flags; + __u32 invflags; }; #define bytes(type) (sizeof(type) * 8) #define SCTP_CHUNKMAP_SET(chunkmap, type) \ do { \ - (chunkmap)[type / bytes(u_int32_t)] |= \ - 1 << (type % bytes(u_int32_t)); \ + (chunkmap)[type / bytes(__u32)] |= \ + 1 << (type % bytes(__u32)); \ } while (0) #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ do { \ - (chunkmap)[type / bytes(u_int32_t)] &= \ - ~(1 << (type % bytes(u_int32_t))); \ + (chunkmap)[type / bytes(__u32)] &= \ + ~(1 << (type % bytes(__u32))); \ } while (0) #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ ({ \ - ((chunkmap)[type / bytes (u_int32_t)] & \ - (1 << (type % bytes (u_int32_t)))) ? 1: 0; \ + ((chunkmap)[type / bytes (__u32)] & \ + (1 << (type % bytes (__u32)))) ? 1: 0; \ }) #define SCTP_CHUNKMAP_RESET(chunkmap) \ 
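Review bot: The rewritten `SCTP_CHUNKMAP_SET`, `SCTP_CHUNKMAP_CLEAR` and `SCTP_CHUNKMAP_IS_SET` bodies still shift a signed `1` by `type % 32`; for chunk types 31, 63, ..., 255 that is `1 << 31`, which overflows `int` and is undefined behaviour in C, and `type` is used unparenthesised so an expression argument binds wrongly with `/` and `%`. Since the commit already rewrites exactly these lines, I would make the constant unsigned and parenthesise the argument, e.g. `(chunkmap)[(type) / bytes(__u32)] |= 1U << ((type) % bytes(__u32));` with the matching change in the `&= ~(1U << ...)` and `IS_SET` forms. This is a copy of the kernel header, so the fix should land upstream and be re-synced rather than patched only in the iptables tree.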
@@ -65,7 +67,7 @@ #define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \ __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap)) static __inline__ bool -__sctp_chunkmap_is_clear(const u_int32_t *chunkmap, unsigned int n) +__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n) { unsigned int i; for (i = 0; i < n; ++i) @@ -77,7 +79,7 @@ #define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \ __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap)) static __inline__ bool -__sctp_chunkmap_is_all_set(const u_int32_t *chunkmap, unsigned int n) +__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n) { unsigned int i; for (i = 0; i < n; ++i) diff -Nru iptables-1.4.4/include/linux/netfilter/xt_SECMARK.h iptables-1.4.10/include/linux/netfilter/xt_SECMARK.h --- iptables-1.4.4/include/linux/netfilter/xt_SECMARK.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_SECMARK.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _XT_SECMARK_H_target #define _XT_SECMARK_H_target +#include <linux/types.h> + /* * This is intended for use by various security subsystems (but not * at the same time). @@ -12,12 +14,12 @@ #define SECMARK_SELCTX_MAX 256 struct xt_secmark_target_selinux_info { - u_int32_t selsid; + __u32 selsid; char selctx[SECMARK_SELCTX_MAX]; }; struct xt_secmark_target_info { - u_int8_t mode; + __u8 mode; union { struct xt_secmark_target_selinux_info sel; } u; diff -Nru iptables-1.4.4/include/linux/netfilter/xt_set.h iptables-1.4.10/include/linux/netfilter/xt_set.h --- iptables-1.4.4/include/linux/netfilter/xt_set.h 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_set.h 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,110 @@
+#ifndef _XT_SET_H
+#define _XT_SET_H
+
+/* The protocol version */
+#define IPSET_PROTOCOL 5
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN 32
+
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IPSET_INVALID_ID 65535
+
+enum ip_set_dim {
+ IPSET_DIM_ZERO = 0,
+ IPSET_DIM_ONE,
+ IPSET_DIM_TWO,
+ IPSET_DIM_THREE,
+ /* Max dimension in elements.
+ * If changed, new revision of iptables match/target is required.
+ */
+ IPSET_DIM_MAX = 6,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+ IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+ IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+ IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+ IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+};
+
+/* Interface to iptables/ip6tables */
+
+#define SO_IP_SET 83
+
+union ip_set_name_index {
+ char name[IPSET_MAXNAMELEN];
+ ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
+struct ip_set_req_get_set {
+ unsigned op;
+ unsigned version;
+ union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
+struct ip_set_req_version {
+ unsigned op;
+ unsigned version;
+};
+
+/* Revision 0 interface: backward compatible with netfilter/iptables */
+
+/*
+ * Option flags for kernel operations (xt_set_info_v0)
+ */
+#define IPSET_SRC 0x01 /* Source match/add */
+#define IPSET_DST 0x02 /* Destination match/add */
+#define IPSET_MATCH_INV 0x04 /* Inverse matching */
+
+struct xt_set_info_v0 {
+ ip_set_id_t index;
+ union {
+ u_int32_t flags[IPSET_DIM_MAX + 1];
+ struct {
+ u_int32_t __flags[IPSET_DIM_MAX];
+ u_int8_t dim;
+ u_int8_t flags;
+ } compat;
+ } u;
+};
+
+/* match and target infos */
+struct
xt_set_info_match_v0 {
+ struct xt_set_info_v0 match_set;
+};
+
+struct xt_set_info_target_v0 {
+ struct xt_set_info_v0 add_set;
+ struct xt_set_info_v0 del_set;
+};
+
+/* Revision 1: current interface to netfilter/iptables */
+
+struct xt_set_info {
+ ip_set_id_t index;
+ u_int8_t dim;
+ u_int8_t flags;
+};
+
+/* match and target infos */
+struct xt_set_info_match {
+ struct xt_set_info match_set;
+};
+
+struct xt_set_info_target {
+ struct xt_set_info add_set;
+ struct xt_set_info del_set;
+};
+
+#endif /*_XT_SET_H*/
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_state.h iptables-1.4.10/include/linux/netfilter/xt_state.h
--- iptables-1.4.4/include/linux/netfilter/xt_state.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_state.h 2010-10-29 14:37:22.000000000 +0000
@@ -6,8 +6,7 @@
 #define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
-struct xt_state_info
-{
+struct xt_state_info {
 unsigned int statemask;
 };
 #endif /*_XT_STATE_H*/
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_statistic.h iptables-1.4.10/include/linux/netfilter/xt_statistic.h
--- iptables-1.4.4/include/linux/netfilter/xt_statistic.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_statistic.h 2010-10-29 14:37:22.000000000 +0000
@@ -1,6 +1,8 @@
 #ifndef _XT_STATISTIC_H
 #define _XT_STATISTIC_H
+#include <linux/types.h>
+
 enum xt_statistic_mode {
 XT_STATISTIC_MODE_RANDOM,
 XT_STATISTIC_MODE_NTH,
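Review bot: xt_set.h is out of step with the rest of this sync: it declares `typedef uint16_t ip_set_id_t;`, uses `u_int32_t`/`u_int8_t` in `struct xt_set_info_v0` and `struct xt_set_info`, and plain `unsigned` for `op` and `version` in the two `SO_IP_SET` request structs, yet includes neither `<linux/types.h>` nor `<stdint.h>`, so it compiles only if the includer brought those names in first. For a sockopt ABI I would use the fixed-width kernel types throughout (`__u16`, `__u32`, `__u8`) and add `#include <linux/types.h>` under the guard; `unsigned` happens to be 32 bits on the supported targets, but the wire layout should not rest on that. `union ip_set_name_index.name` is also a lookup key handed to the kernel and the header should say it must be NUL-terminated within `IPSET_MAXNAMELEN`, since the receiving side has to terminate or reject an unterminated name.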
@@ -13,21 +15,22 @@ }; #define XT_STATISTIC_MASK 0x1 +struct xt_statistic_priv; + struct xt_statistic_info { - u_int16_t mode; - u_int16_t flags; + __u16 mode; + __u16 flags; union { struct { - u_int32_t probability; + __u32 probability; } random; struct { - u_int32_t every; - u_int32_t packet; - /* Used internally by the kernel */ - u_int32_t count; + __u32 every; + __u32 packet; + __u32 count; /* unused */ } nth; } u; - struct xt_statistic_info *master __attribute__((aligned(8))); + struct xt_statistic_priv *master __attribute__((aligned(8))); }; #endif /* _XT_STATISTIC_H */ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_string.h iptables-1.4.10/include/linux/netfilter/xt_string.h --- iptables-1.4.4/include/linux/netfilter/xt_string.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_string.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,6 +1,8 @@ #ifndef _XT_STRING_H #define _XT_STRING_H +#include <linux/types.h> + #define XT_STRING_MAX_PATTERN_SIZE 128 #define XT_STRING_MAX_ALGO_NAME_SIZE 16 @@ -9,20 +11,19 @@ XT_STRING_FLAG_IGNORECASE = 0x02 }; -struct xt_string_info -{ - u_int16_t from_offset; - u_int16_t to_offset; +struct xt_string_info { + __u16 from_offset; + __u16 to_offset; char algo[XT_STRING_MAX_ALGO_NAME_SIZE]; char pattern[XT_STRING_MAX_PATTERN_SIZE]; - u_int8_t patlen; + __u8 patlen; union { struct { - u_int8_t invert; + __u8 invert; } v0; struct { - u_int8_t flags; + __u8 flags; } v1; } u; diff -Nru iptables-1.4.4/include/linux/netfilter/xt_tcpmss.h iptables-1.4.10/include/linux/netfilter/xt_tcpmss.h --- iptables-1.4.4/include/linux/netfilter/xt_tcpmss.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_tcpmss.h 2010-10-29 14:37:22.000000000 +0000 
@@ -1,9 +1,11 @@ #ifndef _XT_TCPMSS_MATCH_H #define _XT_TCPMSS_MATCH_H +#include <linux/types.h> + struct xt_tcpmss_match_info { - u_int16_t mss_min, mss_max; - u_int8_t invert; + __u16 mss_min, mss_max; + __u8 invert; }; #endif /*_XT_TCPMSS_MATCH_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter/xt_TCPMSS.h iptables-1.4.10/include/linux/netfilter/xt_TCPMSS.h --- iptables-1.4.4/include/linux/netfilter/xt_TCPMSS.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_TCPMSS.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,8 +1,10 @@ #ifndef _XT_TCPMSS_H #define _XT_TCPMSS_H +#include <linux/types.h> + struct xt_tcpmss_info { - u_int16_t mss; + __u16 mss; }; #define XT_TCPMSS_CLAMP_PMTU 0xffff diff -Nru iptables-1.4.4/include/linux/netfilter/xt_tcpudp.h iptables-1.4.10/include/linux/netfilter/xt_tcpudp.h --- iptables-1.4.4/include/linux/netfilter/xt_tcpudp.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter/xt_tcpudp.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,15 +1,16 @@ #ifndef _XT_TCPUDP_H #define _XT_TCPUDP_H +#include <linux/types.h> + /* TCP matching stuff */ -struct xt_tcp -{ - u_int16_t spts[2]; /* Source port range. */ - u_int16_t dpts[2]; /* Destination port range. */ - u_int8_t option; /* TCP Option iff non-zero*/ - u_int8_t flg_mask; /* TCP flags mask byte */ - u_int8_t flg_cmp; /* TCP flags compare byte */ - u_int8_t invflags; /* Inverse flags */ +struct xt_tcp { + __u16 spts[2]; /* Source port range. */ + __u16 dpts[2]; /* Destination port range. */ + __u8 option; /* TCP Option iff non-zero*/ + __u8 flg_mask; /* TCP flags mask byte */ + __u8 flg_cmp; /* TCP flags compare byte */ + __u8 invflags; /* Inverse flags */ }; /* Values for "inv" field in struct ipt_tcp. */ 
@@ -20,11 +21,10 @@
 #define XT_TCP_INV_MASK 0x0F /* All possible flags. */
 /* UDP matching stuff */
-struct xt_udp
-{
- u_int16_t spts[2]; /* Source port range. */
- u_int16_t dpts[2]; /* Destination port range. */
- u_int8_t invflags; /* Inverse flags */
+struct xt_udp {
+ __u16 spts[2]; /* Source port range. */
+ __u16 dpts[2]; /* Destination port range. */
+ __u8 invflags; /* Inverse flags */
 };
 /* Values for "invflags" field in struct ipt_udp. */
diff -Nru iptables-1.4.4/include/linux/netfilter/xt_TEE.h iptables-1.4.10/include/linux/netfilter/xt_TEE.h
--- iptables-1.4.4/include/linux/netfilter/xt_TEE.h 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter/xt_TEE.h 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,12 @@
+#ifndef _XT_TEE_TARGET_H
+#define _XT_TEE_TARGET_H
+
+struct xt_tee_tginfo {
+ union nf_inet_addr gw;
+ char oif[16];
+
+ /* used internally by the kernel */
+ struct xt_tee_priv *priv __attribute__((aligned(8)));
+};
+
+#endif /* _XT_TEE_TARGET_H */
diff -Nru iptables-1.4.4/include/linux/netfilter.h iptables-1.4.10/include/linux/netfilter.h
--- iptables-1.4.4/include/linux/netfilter.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter.h 2010-10-29 14:37:22.000000000 +0000
@@ -1,6 +1,8 @@
 #ifndef __LINUX_NETFILTER_H
 #define __LINUX_NETFILTER_H
+#include <linux/types.h>
+
 /* Responses from hook functions. */
 #define NF_DROP 0
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ip_set.h iptables-1.4.10/include/linux/netfilter_ipv4/ip_set.h
--- iptables-1.4.4/include/linux/netfilter_ipv4/ip_set.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv4/ip_set.h 1970-01-01 00:00:00.000000000 +0000
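Review bot: `char oif[16]` in `struct xt_tee_tginfo` is a bare magic number where every other interface-name field in these headers uses `IFNAMSIZ` (xt_physdev.h, xt_rateest.h), and nothing says the name must be NUL-terminated even though the kernel has to resolve it as a device name; I would write `char oif[IFNAMSIZ]; /* NUL-terminated output interface name */` so the checkentry requirement is visible. The header also uses `union nf_inet_addr` with no include, so like xt_ipvs.h it only compiles when the includer's order happens to be right. Whether the kernel rejects an unterminated `oif` today cannot be told from this header and is worth confirming.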
@@ -1,498 +0,0 @@ -#ifndef _IP_SET_H -#define _IP_SET_H - -/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> - * Patrick Schaaf <bof@bof.de> - * Martin Josefsson <gandalf@wlug.westbo.se> - * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ - -#if 0 -#define IP_SET_DEBUG -#endif - -/* - * A sockopt of such quality has hardly ever been seen before on the open - * market! This little beauty, hardly ever used: above 64, so it's - * traditionally used for firewalling, not touched (even once!) by the - * 2.0, 2.2 and 2.4 kernels! - * - * Comes with its own certificate of authenticity, valid anywhere in the - * Free world! - * - * Rusty, 19.4.2000 - */ -#define SO_IP_SET 83 - -/* - * Heavily modify by Joakim Axelsson 08.03.2002 - * - Made it more modulebased - * - * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004 - * - bindings added - * - in order to "deal with" backward compatibility, renamed to ipset - */ - -/* - * Used so that the kernel module and ipset-binary can match their versions - */ -#define IP_SET_PROTOCOL_VERSION 2 - -#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */ - -/* Lets work with our own typedef for representing an IP address. - * We hope to make the code more portable, possibly to IPv6... - * - * The representation works in HOST byte order, because most set types - * will perform arithmetic operations and compare operations. - * - * For now the type is an uint32_t. - * - * Make sure to ONLY use the functions when translating and parsing - * in order to keep the host byte order and make it more portable: - * parse_ip() - * parse_mask() - * parse_ipandmask() - * ip_tostring() - * (Joakim: where are they???) - */ - -typedef uint32_t ip_set_ip_t; - -/* Sets are identified by an id in kernel space. 
Tweak with ip_set_id_t - * and IP_SET_INVALID_ID if you want to increase the max number of sets. - */ -typedef uint16_t ip_set_id_t; - -#define IP_SET_INVALID_ID 65535 - -/* How deep we follow bindings */ -#define IP_SET_MAX_BINDINGS 6 - -/* - * Option flags for kernel operations (ipt_set_info) - */ -#define IPSET_SRC 0x01 /* Source match/add */ -#define IPSET_DST 0x02 /* Destination match/add */ -#define IPSET_MATCH_INV 0x04 /* Inverse matching */ - -/* - * Set features - */ -#define IPSET_TYPE_IP 0x01 /* IP address type of set */ -#define IPSET_TYPE_PORT 0x02 /* Port type of set */ -#define IPSET_DATA_SINGLE 0x04 /* Single data storage */ -#define IPSET_DATA_DOUBLE 0x08 /* Double data storage */ - -/* Reserved keywords */ -#define IPSET_TOKEN_DEFAULT ":default:" -#define IPSET_TOKEN_ALL ":all:" - -/* SO_IP_SET operation constants, and their request struct types. - * - * Operation ids: - * 0-99: commands with version checking - * 100-199: add/del/test/bind/unbind - * 200-299: list, save, restore - */ - -/* Single shot operations: - * version, create, destroy, flush, rename and swap - * - * Sets are identified by name. 
- */ - -#define IP_SET_REQ_STD \ - unsigned op; \ - unsigned version; \ - char name[IP_SET_MAXNAMELEN] - -#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */ -struct ip_set_req_create { - IP_SET_REQ_STD; - char typename[IP_SET_MAXNAMELEN]; -}; - -#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */ -struct ip_set_req_std { - IP_SET_REQ_STD; -}; - -#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */ -/* Uses ip_set_req_std */ - -#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */ -/* Uses ip_set_req_create */ - -#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */ -/* Uses ip_set_req_create */ - -union ip_set_name_index { - char name[IP_SET_MAXNAMELEN]; - ip_set_id_t index; -}; - -#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ -struct ip_set_req_get_set { - unsigned op; - unsigned version; - union ip_set_name_index set; -}; - -#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ -/* Uses ip_set_req_get_set */ - -#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ -struct ip_set_req_version { - unsigned op; - unsigned version; -}; - -/* Double shots operations: - * add, del, test, bind and unbind. - * - * First we query the kernel to get the index and type of the target set, - * then issue the command. Validity of IP is checked in kernel in order - * to minimalize sockopt operations. 
- */ - -/* Get minimal set data for add/del/test/bind/unbind IP */ -#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */ -struct ip_set_req_adt_get { - unsigned op; - unsigned version; - union ip_set_name_index set; - char typename[IP_SET_MAXNAMELEN]; -}; - -#define IP_SET_REQ_BYINDEX \ - unsigned op; \ - ip_set_id_t index; - -struct ip_set_req_adt { - IP_SET_REQ_BYINDEX; -}; - -#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */ -/* Uses ip_set_req_adt, with type specific addage */ - -#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */ -/* Uses ip_set_req_adt, with type specific addage */ - -#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */ -/* Uses ip_set_req_adt, with type specific addage */ - -#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */ -/* Uses ip_set_req_bind, with type specific addage */ -struct ip_set_req_bind { - IP_SET_REQ_BYINDEX; - char binding[IP_SET_MAXNAMELEN]; -}; - -#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */ -/* Uses ip_set_req_bind, with type speficic addage - * index = 0 means unbinding for all sets */ - -#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */ -/* Uses ip_set_req_bind, with type specific addage */ - -/* Multiple shots operations: list, save, restore. 
- * - * - check kernel version and query the max number of sets - * - get the basic information on all sets - * and size required for the next step - * - get actual set data: header, data, bindings - */ - -/* Get max_sets and the index of a queried set - */ -#define IP_SET_OP_MAX_SETS 0x00000020 -struct ip_set_req_max_sets { - unsigned op; - unsigned version; - ip_set_id_t max_sets; /* max_sets */ - ip_set_id_t sets; /* real number of sets */ - union ip_set_name_index set; /* index of set if name used */ -}; - -/* Get the id and name of the sets plus size for next step */ -#define IP_SET_OP_LIST_SIZE 0x00000201 -#define IP_SET_OP_SAVE_SIZE 0x00000202 -struct ip_set_req_setnames { - unsigned op; - ip_set_id_t index; /* set to list/save */ - size_t size; /* size to get setdata/bindings */ - /* followed by sets number of struct ip_set_name_list */ -}; - -struct ip_set_name_list { - char name[IP_SET_MAXNAMELEN]; - char typename[IP_SET_MAXNAMELEN]; - ip_set_id_t index; - ip_set_id_t id; -}; - -/* The actual list operation */ -#define IP_SET_OP_LIST 0x00000203 -struct ip_set_req_list { - IP_SET_REQ_BYINDEX; - /* sets number of struct ip_set_list in reply */ -}; - -struct ip_set_list { - ip_set_id_t index; - ip_set_id_t binding; - u_int32_t ref; - size_t header_size; /* Set header data of header_size */ - size_t members_size; /* Set members data of members_size */ - size_t bindings_size; /* Set bindings data of bindings_size */ -}; - -struct ip_set_hash_list { - ip_set_ip_t ip; - ip_set_id_t binding; -}; - -/* The save operation */ -#define IP_SET_OP_SAVE 0x00000204 -/* Uses ip_set_req_list, in the reply replaced by - * sets number of struct ip_set_save plus a marker - * ip_set_save followed by ip_set_hash_save structures. 
- */ -struct ip_set_save { - ip_set_id_t index; - ip_set_id_t binding; - size_t header_size; /* Set header data of header_size */ - size_t members_size; /* Set members data of members_size */ -}; - -/* At restoring, ip == 0 means default binding for the given set: */ -struct ip_set_hash_save { - ip_set_ip_t ip; - ip_set_id_t id; - ip_set_id_t binding; -}; - -/* The restore operation */ -#define IP_SET_OP_RESTORE 0x00000205 -/* Uses ip_set_req_setnames followed by ip_set_restore structures - * plus a marker ip_set_restore, followed by ip_set_hash_save - * structures. - */ -struct ip_set_restore { - char name[IP_SET_MAXNAMELEN]; - char typename[IP_SET_MAXNAMELEN]; - ip_set_id_t index; - size_t header_size; /* Create data of header_size */ - size_t members_size; /* Set members data of members_size */ -}; - -static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b) -{ - return 4 * ((((b - a + 8) / 8) + 3) / 4); -} - -#ifdef __KERNEL__ - -#define ip_set_printk(format, args...) \ - do { \ - printk("%s: %s: ", __FILE__, __FUNCTION__); \ - printk(format "\n" , ## args); \ - } while (0) - -#if defined(IP_SET_DEBUG) -#define DP(format, args...) \ - do { \ - printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\ - printk(format "\n" , ## args); \ - } while (0) -#define IP_SET_ASSERT(x) \ - do { \ - if (!(x)) \ - printk("IP_SET_ASSERT: %s:%i(%s)\n", \ - __FILE__, __LINE__, __FUNCTION__); \ - } while (0) -#else -#define DP(format, args...) -#define IP_SET_ASSERT(x) -#endif - -struct ip_set; - -/* - * The ip_set_type definition - one per set type, e.g. "ipmap". - * - * Each individual set has a pointer, set->type, going to one - * of these structures. Function pointers inside the structure implement - * the real behaviour of the sets. - * - * If not mentioned differently, the implementation behind the function - * pointers of a set_type, is expected to return 0 if ok, and a negative - * errno (e.g. -EINVAL) on error. 
- */ -struct ip_set_type { - struct list_head list; /* next in list of set types */ - - /* test for IP in set (kernel: iptables -m set src|dst) - * return 0 if not in set, 1 if in set. - */ - int (*testip_kernel) (struct ip_set *set, - const struct sk_buff * skb, - ip_set_ip_t *ip, - const u_int32_t *flags, - unsigned char index); - - /* test for IP in set (userspace: ipset -T set IP) - * return 0 if not in set, 1 if in set. - */ - int (*testip) (struct ip_set *set, - const void *data, size_t size, - ip_set_ip_t *ip); - - /* - * Size of the data structure passed by when - * adding/deletin/testing an entry. - */ - size_t reqsize; - - /* Add IP into set (userspace: ipset -A set IP) - * Return -EEXIST if the address is already in the set, - * and -ERANGE if the address lies outside the set bounds. - * If the address was not already in the set, 0 is returned. - */ - int (*addip) (struct ip_set *set, - const void *data, size_t size, - ip_set_ip_t *ip); - - /* Add IP into set (kernel: iptables ... -j SET set src|dst) - * Return -EEXIST if the address is already in the set, - * and -ERANGE if the address lies outside the set bounds. - * If the address was not already in the set, 0 is returned. - */ - int (*addip_kernel) (struct ip_set *set, - const struct sk_buff * skb, - ip_set_ip_t *ip, - const u_int32_t *flags, - unsigned char index); - - /* remove IP from set (userspace: ipset -D set --entry x) - * Return -EEXIST if the address is NOT in the set, - * and -ERANGE if the address lies outside the set bounds. - * If the address really was in the set, 0 is returned. - */ - int (*delip) (struct ip_set *set, - const void *data, size_t size, - ip_set_ip_t *ip); - - /* remove IP from set (kernel: iptables ... -j SET --entry x) - * Return -EEXIST if the address is NOT in the set, - * and -ERANGE if the address lies outside the set bounds. - * If the address really was in the set, 0 is returned. 
- */ - int (*delip_kernel) (struct ip_set *set, - const struct sk_buff * skb, - ip_set_ip_t *ip, - const u_int32_t *flags, - unsigned char index); - - /* new set creation - allocated type specific items - */ - int (*create) (struct ip_set *set, - const void *data, size_t size); - - /* retry the operation after successfully tweaking the set - */ - int (*retry) (struct ip_set *set); - - /* set destruction - free type specific items - * There is no return value. - * Can be called only when child sets are destroyed. - */ - void (*destroy) (struct ip_set *set); - - /* set flushing - reset all bits in the set, or something similar. - * There is no return value. - */ - void (*flush) (struct ip_set *set); - - /* Listing: size needed for header - */ - size_t header_size; - - /* Listing: Get the header - * - * Fill in the information in "data". - * This function is always run after list_header_size() under a - * writelock on the set. Therefor is the length of "data" always - * correct. - */ - void (*list_header) (const struct ip_set *set, - void *data); - - /* Listing: Get the size for the set members - */ - int (*list_members_size) (const struct ip_set *set); - - /* Listing: Get the set members - * - * Fill in the information in "data". - * This function is always run after list_member_size() under a - * writelock on the set. Therefor is the length of "data" always - * correct. 
- */ - void (*list_members) (const struct ip_set *set, - void *data); - - char typename[IP_SET_MAXNAMELEN]; - unsigned char features; - int protocol_version; - - /* Set this to THIS_MODULE if you are a module, otherwise NULL */ - struct module *me; -}; - -extern int ip_set_register_set_type(struct ip_set_type *set_type); -extern void ip_set_unregister_set_type(struct ip_set_type *set_type); - -/* A generic ipset */ -struct ip_set { - char name[IP_SET_MAXNAMELEN]; /* the name of the set */ - rwlock_t lock; /* lock for concurrency control */ - ip_set_id_t id; /* set id for swapping */ - ip_set_id_t binding; /* default binding for the set */ - atomic_t ref; /* in kernel and in hash references */ - struct ip_set_type *type; /* the set types */ - void *data; /* pooltype specific data */ -}; - -/* Structure to bind set elements to sets */ -struct ip_set_hash { - struct list_head list; /* list of clashing entries in hash */ - ip_set_ip_t ip; /* ip from set */ - ip_set_id_t id; /* set id */ - ip_set_id_t binding; /* set we bind the element to */ -}; - -/* register and unregister set references */ -extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]); -extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id); -extern void ip_set_put(ip_set_id_t id); - -/* API for iptables set match, and SET target */ -extern void ip_set_addip_kernel(ip_set_id_t id, - const struct sk_buff *skb, - const u_int32_t *flags); -extern void ip_set_delip_kernel(ip_set_id_t id, - const struct sk_buff *skb, - const u_int32_t *flags); -extern int ip_set_testip_kernel(ip_set_id_t id, - const struct sk_buff *skb, - const u_int32_t *flags); - -#endif /* __KERNEL__ */ - -#endif /*_IP_SET_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ip_tables.h iptables-1.4.10/include/linux/netfilter_ipv4/ip_tables.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ip_tables.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ip_tables.h 2010-10-29 
14:37:22.000000000 +0000 @@ -70,8 +70,7 @@ /* This structure defines each of the firewall rules. Consists of 3 parts which are 1) general IP header stuff 2) match specific stuff 3) the target to perform if the rule matches */ -struct ipt_entry -{ +struct ipt_entry { struct ipt_ip ip; /* Mark with fields that we care about. */ @@ -129,8 +128,7 @@ #define IPT_UDP_INV_MASK XT_UDP_INV_MASK /* ICMP matching stuff */ -struct ipt_icmp -{ +struct ipt_icmp { u_int8_t type; /* type to match */ u_int8_t code[2]; /* range of code */ u_int8_t invflags; /* Inverse flags */ @@ -140,8 +138,7 @@ #define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */ /* The argument to IPT_SO_GET_INFO */ -struct ipt_getinfo -{ +struct ipt_getinfo { /* Which table: caller fills this in. */ char name[IPT_TABLE_MAXNAMELEN]; @@ -163,8 +160,7 @@ }; /* The argument to IPT_SO_SET_REPLACE. */ -struct ipt_replace -{ +struct ipt_replace { /* Which table. */ char name[IPT_TABLE_MAXNAMELEN]; @@ -198,8 +194,7 @@ #define ipt_counters_info xt_counters_info /* The argument to IPT_SO_GET_ENTRIES. */ -struct ipt_get_entries -{ +struct ipt_get_entries { /* Which table: user fills this in. */ char name[IPT_TABLE_MAXNAMELEN]; diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_ah.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_ah.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_ah.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_ah.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,8 +1,7 @@ #ifndef _IPT_AH_H #define _IPT_AH_H -struct ipt_ah -{ +struct ipt_ah { u_int32_t spis[2]; /* Security Parameter Index */ u_int8_t invflags; /* Inverse flags */ }; diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_ecn.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_ecn.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_ecn.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_ecn.h 2010-10-29 14:37:22.000000000 +0000 
@@ -8,9 +8,9 @@
 */
 #ifndef _IPT_ECN_H
 #define _IPT_ECN_H
-#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter/xt_dscp.h>
-#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
 #define IPT_ECN_OP_MATCH_IP 0x01
 #define IPT_ECN_OP_MATCH_ECE 0x10
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_ECN.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_ECN.h
--- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_ECN.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_ECN.h 2010-10-29 14:37:22.000000000 +0000
@@ -8,9 +8,9 @@
 */
 #ifndef _IPT_ECN_TARGET_H
 #define _IPT_ECN_TARGET_H
-#include <linux/netfilter_ipv4/ipt_DSCP.h>
+#include <linux/netfilter/xt_DSCP.h>
-#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
 #define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */
 #define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_iprange.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_iprange.h
--- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_iprange.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_iprange.h 1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-#ifndef _IPT_IPRANGE_H
-#define _IPT_IPRANGE_H
-
-#include <linux/types.h>
-#include <linux/netfilter/xt_iprange.h>
-
-struct ipt_iprange {
- /* Inclusive: network order. */
- __be32 min_ip, max_ip;
-};
-
-struct ipt_iprange_info
-{
- struct ipt_iprange src;
- struct ipt_iprange dst;
-
- /* Flags from above */
- u_int8_t flags;
-};
-
-#endif /* _IPT_IPRANGE_H */
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_LOG.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_LOG.h
--- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_LOG.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_LOG.h 2010-10-29 14:37:22.000000000 +0000
@@ -7,7 +7,8 @@
 #define IPT_LOG_IPOPT 0x04 /* Log IP options */
 #define IPT_LOG_UID 0x08 /* Log UID owning local socket */
 #define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
-#define IPT_LOG_MASK 0x1f
+#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define IPT_LOG_MASK 0x2f
 struct ipt_log_info {
 unsigned char level;
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_owner.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_owner.h
--- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_owner.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_owner.h 1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-#ifndef _IPT_OWNER_H
-#define _IPT_OWNER_H
-
-/* match and invert flags */
-#define IPT_OWNER_UID 0x01
-#define IPT_OWNER_GID 0x02
-#define IPT_OWNER_PID 0x04
-#define IPT_OWNER_SID 0x08
-#define IPT_OWNER_COMM 0x10
-
-struct ipt_owner_info {
- uid_t uid;
- gid_t gid;
- pid_t pid;
- pid_t sid;
- char comm[16];
- u_int8_t match, invert; /* flags */
-};
-
-#endif /*_IPT_OWNER_H*/
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_policy.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_policy.h
--- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_policy.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 00:00:00.000000000 +0000
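Review bot: The new `IPT_LOG_MASK 0x2f` no longer covers bit 0x10 (`IPT_LOG_NFLOG`), whereas the old `0x1f` did, so this hunk does more than add `IPT_LOG_MACDECODE`: if the kernel side rejects `logflags` bits outside the mask, a rule still carrying the already-unsupported NFLOG bit moves from accepted to refused. That is probably intended, given the `/* Unsupported, don't reuse */` remark on the line above, but the mask line should say so, e.g. `#define IPT_LOG_MASK 0x2f /* all flags except the retired IPT_LOG_NFLOG bit */`. The same mask change appears in the ip6t_LOG.h hunk later in this diff, where the same comment applies.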
@@ -1,23 +0,0 @@ -#ifndef _IPT_POLICY_H -#define _IPT_POLICY_H - -#include <linux/netfilter/xt_policy.h> - -#define IPT_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM - -/* ipt_policy_flags */ -#define IPT_POLICY_MATCH_IN XT_POLICY_MATCH_IN -#define IPT_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT -#define IPT_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE -#define IPT_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT - -/* ipt_policy_modes */ -#define IPT_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT -#define IPT_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL - -#define ipt_policy_spec xt_policy_spec -#define ipt_policy_addr xt_policy_addr -#define ipt_policy_elem xt_policy_elem -#define ipt_policy_info xt_policy_info - -#endif /* _IPT_POLICY_H */ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_SAME.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_SAME.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_SAME.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_SAME.h 2010-10-29 14:37:22.000000000 +0000 @@ -5,8 +5,7 @@ #define IPT_SAME_NODST 0x01 -struct ipt_same_info -{ +struct ipt_same_info { unsigned char info; u_int32_t rangesize; u_int32_t ipnum; diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_set.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_set.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_set.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_set.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,21 +0,0 @@ -#ifndef _IPT_SET_H -#define _IPT_SET_H - -#include <linux/netfilter_ipv4/ip_set.h> - -struct ipt_set_info { - ip_set_id_t index; - u_int32_t flags[IP_SET_MAX_BINDINGS + 1]; -}; - -/* match info */ -struct ipt_set_info_match { - struct ipt_set_info match_set; -}; - -struct ipt_set_info_target { - struct ipt_set_info add_set; - struct ipt_set_info del_set; -}; - -#endif /*_IPT_SET_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_tos.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_tos.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_tos.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_tos.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,13 +0,0 @@ -#ifndef _IPT_TOS_H -#define _IPT_TOS_H - -struct ipt_tos_info { - u_int8_t tos; - u_int8_t invert; -}; - -#ifndef IPTOS_NORMALSVC -#define IPTOS_NORMALSVC 0 -#endif - -#endif /*_IPT_TOS_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4/ipt_TOS.h iptables-1.4.10/include/linux/netfilter_ipv4/ipt_TOS.h --- iptables-1.4.4/include/linux/netfilter_ipv4/ipt_TOS.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4/ipt_TOS.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,12 +0,0 @@ -#ifndef _IPT_TOS_H_target -#define _IPT_TOS_H_target - -#ifndef IPTOS_NORMALSVC -#define IPTOS_NORMALSVC 0 -#endif - -struct ipt_tos_target_info { - u_int8_t tos; -}; - -#endif /*_IPT_TOS_H_target*/ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv4.h iptables-1.4.10/include/linux/netfilter_ipv4.h --- iptables-1.4.4/include/linux/netfilter_ipv4.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv4.h 2010-10-29 14:37:22.000000000 +0000 
@@ -58,6 +58,7 @@ NF_IP_PRI_MANGLE = -150, NF_IP_PRI_NAT_DST = -100, NF_IP_PRI_FILTER = 0, + NF_IP_PRI_SECURITY = 50, NF_IP_PRI_NAT_SRC = 100, NF_IP_PRI_SELINUX_LAST = 225, NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6_tables.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6_tables.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6_tables.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6_tables.h 2010-10-29 14:37:22.000000000 +0000 @@ -82,8 +82,7 @@ /* This structure defines each of the firewall rules. Consists of 3 parts which are 1) general IP header stuff 2) match specific stuff 3) the target to perform if the rule matches */ -struct ip6t_entry -{ +struct ip6t_entry { struct ip6t_ip6 ipv6; /* Mark with fields that we care about. */ @@ -105,20 +104,17 @@ }; /* Standard entry */ -struct ip6t_standard -{ +struct ip6t_standard { struct ip6t_entry entry; struct ip6t_standard_target target; }; -struct ip6t_error_target -{ +struct ip6t_error_target { struct ip6t_entry_target target; char errorname[IP6T_FUNCTION_MAXNAMELEN]; }; -struct ip6t_error -{ +struct ip6t_error { struct ip6t_entry entry; struct ip6t_error_target target; }; @@ -189,8 +185,7 @@ #define IP6T_UDP_INV_MASK XT_UDP_INV_MASK /* ICMP matching stuff */ -struct ip6t_icmp -{ +struct ip6t_icmp { u_int8_t type; /* type to match */ u_int8_t code[2]; /* range of code */ u_int8_t invflags; /* Inverse flags */ @@ -200,8 +195,7 @@ #define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */ /* The argument to IP6T_SO_GET_INFO */ -struct ip6t_getinfo -{ +struct ip6t_getinfo { /* Which table: caller fills this in. */ char name[IP6T_TABLE_MAXNAMELEN]; @@ -223,8 +217,7 @@ }; /* The argument to IP6T_SO_SET_REPLACE. */ -struct ip6t_replace -{ +struct ip6t_replace { /* Which table. */ char name[IP6T_TABLE_MAXNAMELEN]; 
@@ -258,8 +251,7 @@ #define ip6t_counters_info xt_counters_info /* The argument to IP6T_SO_GET_ENTRIES. */ -struct ip6t_get_entries -{ +struct ip6t_get_entries { /* Which table: user fills this in. */ char name[IP6T_TABLE_MAXNAMELEN]; diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_ah.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_ah.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_ah.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_ah.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,8 +1,7 @@ #ifndef _IP6T_AH_H #define _IP6T_AH_H -struct ip6t_ah -{ +struct ip6t_ah { u_int32_t spis[2]; /* Security Parameter Index */ u_int32_t hdrlen; /* Header Length */ u_int8_t hdrres; /* Test of the Reserved Filed */ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_frag.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_frag.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_frag.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_frag.h 2010-10-29 14:37:22.000000000 +0000 @@ -1,8 +1,7 @@ #ifndef _IP6T_FRAG_H #define _IP6T_FRAG_H -struct ip6t_frag -{ +struct ip6t_frag { u_int32_t ids[2]; /* Security Parameter Index */ u_int32_t hdrlen; /* Header Length */ u_int8_t flags; /* */ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_ipv6header.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_ipv6header.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_ipv6header.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_ipv6header.h 2010-10-29 14:37:22.000000000 +0000 
@@ -8,8 +8,7 @@
 #ifndef __IPV6HEADER_H
 #define __IPV6HEADER_H
-struct ip6t_ipv6header_info
-{
+struct ip6t_ipv6header_info {
 u_int8_t matchflags;
 u_int8_t invflags;
 u_int8_t modeflag;
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_LOG.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_LOG.h
--- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_LOG.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_LOG.h 2010-10-29 14:37:22.000000000 +0000
@@ -7,7 +7,8 @@
 #define IP6T_LOG_IPOPT 0x04 /* Log IP options */
 #define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
 #define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
-#define IP6T_LOG_MASK 0x1f
+#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define IP6T_LOG_MASK 0x2f
 struct ip6t_log_info {
 unsigned char level;
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_mh.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_mh.h
--- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_mh.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_mh.h 2010-10-29 14:37:22.000000000 +0000
@@ -2,8 +2,7 @@
 #define _IP6T_MH_H
 /* MH matching stuff */
-struct ip6t_mh
-{
+struct ip6t_mh {
 u_int8_t types[2]; /* MH type range */
 u_int8_t invflags; /* Inverse flags */
 };
diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_opts.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_opts.h
--- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_opts.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_opts.h 2010-10-29 14:37:22.000000000 +0000
@@ -3,8 +3,7 @@ #define IP6T_OPTS_OPTSNR 16 -struct ip6t_opts -{ +struct ip6t_opts { u_int32_t hdrlen; /* Header Length */ u_int8_t flags; /* */ u_int8_t invflags; /* Inverse flags */ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_owner.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_owner.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_owner.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_owner.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,18 +0,0 @@ -#ifndef _IP6T_OWNER_H -#define _IP6T_OWNER_H - -/* match and invert flags */ -#define IP6T_OWNER_UID 0x01 -#define IP6T_OWNER_GID 0x02 -#define IP6T_OWNER_PID 0x04 -#define IP6T_OWNER_SID 0x08 - -struct ip6t_owner_info { - uid_t uid; - gid_t gid; - pid_t pid; - pid_t sid; - u_int8_t match, invert; /* flags */ -}; - -#endif /*_IPT_OWNER_H*/ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_policy.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_policy.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_policy.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,23 +0,0 @@ -#ifndef _IP6T_POLICY_H -#define _IP6T_POLICY_H - -#include <linux/netfilter/xt_policy.h> - -#define IP6T_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM - -/* ip6t_policy_flags */ -#define IP6T_POLICY_MATCH_IN XT_POLICY_MATCH_IN -#define IP6T_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT -#define IP6T_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE -#define IP6T_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT - -/* ip6t_policy_modes */ -#define IP6T_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT -#define IP6T_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL - -#define ip6t_policy_spec xt_policy_spec -#define ip6t_policy_addr xt_policy_addr -#define ip6t_policy_elem xt_policy_elem -#define ip6t_policy_info xt_policy_info - -#endif /* _IP6T_POLICY_H */ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_rt.h iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_rt.h --- iptables-1.4.4/include/linux/netfilter_ipv6/ip6t_rt.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6/ip6t_rt.h 2010-10-29 14:37:22.000000000 +0000 @@ -5,8 +5,7 @@ #define IP6T_RT_HOPS 16 -struct ip6t_rt -{ +struct ip6t_rt { u_int32_t rt_type; /* Routing Type */ u_int32_t segsleft[2]; /* Segments Left */ u_int32_t hdrlen; /* Header Length */ diff -Nru iptables-1.4.4/include/linux/netfilter_ipv6.h iptables-1.4.10/include/linux/netfilter_ipv6.h --- iptables-1.4.4/include/linux/netfilter_ipv6.h 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/linux/netfilter_ipv6.h 2010-10-29 14:37:22.000000000 +0000 
@@ -57,26 +57,17 @@
 enum nf_ip6_hook_priorities {
 NF_IP6_PRI_FIRST = INT_MIN,
 NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+ NF_IP6_PRI_RAW = -300,
 NF_IP6_PRI_SELINUX_FIRST = -225,
 NF_IP6_PRI_CONNTRACK = -200,
 NF_IP6_PRI_MANGLE = -150,
 NF_IP6_PRI_NAT_DST = -100,
 NF_IP6_PRI_FILTER = 0,
+ NF_IP6_PRI_SECURITY = 50,
 NF_IP6_PRI_NAT_SRC = 100,
 NF_IP6_PRI_SELINUX_LAST = 225,
 NF_IP6_PRI_LAST = INT_MAX,
 };
-#ifdef CONFIG_NETFILTER
-extern int ip6_route_me_harder(struct sk_buff *skb);
-extern __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
- unsigned int dataoff, u_int8_t protocol);
-
-extern int ipv6_netfilter_init(void);
-extern void ipv6_netfilter_fini(void);
-#else /* CONFIG_NETFILTER */
-static __inline__ int ipv6_netfilter_init(void) { return 0; }
-static __inline__ void ipv6_netfilter_fini(void) { return; }
-#endif /* CONFIG_NETFILTER */
 #endif /*__LINUX_IP6_NETFILTER_H*/
diff -Nru iptables-1.4.4/include/linux/types.h iptables-1.4.10/include/linux/types.h
--- iptables-1.4.4/include/linux/types.h 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/include/linux/types.h 2010-10-29 14:37:22.000000000 +0000
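Review bot: `NF_IP6_PRI_RAW = -300` is added here, but the matching netfilter_ipv4.h hunk earlier in this diff only adds `NF_IP_PRI_SECURITY = 50`; its context starts at `NF_IP_PRI_MANGLE`, so whether `NF_IP_PRI_RAW` already exists there at the same value cannot be seen from this diff and should be confirmed so the two hook-priority enums stay parallel. The new `NF_IP6_PRI_SECURITY = 50` sits between FILTER (0) and NAT_SRC (100); a short comment on that line saying the security table is meant to run after filter would make the ordering intent explicit rather than implied by the number.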
@@ -1,133 +1,12 @@ #ifndef _LINUX_TYPES_H #define _LINUX_TYPES_H - -#include <linux/posix_types.h> #include <asm/types.h> -#ifndef __KERNEL_STRICT_NAMES - -typedef __u32 __kernel_dev_t; - -typedef __kernel_fd_set fd_set; -typedef __kernel_dev_t dev_t; -typedef __kernel_ino_t ino_t; -typedef __kernel_mode_t mode_t; -typedef __kernel_nlink_t nlink_t; -typedef __kernel_off_t off_t; -typedef __kernel_pid_t pid_t; -typedef __kernel_daddr_t daddr_t; -typedef __kernel_key_t key_t; -typedef __kernel_suseconds_t suseconds_t; -typedef __kernel_timer_t timer_t; -typedef __kernel_clockid_t clockid_t; -typedef __kernel_mqd_t mqd_t; - -typedef __kernel_uid_t uid_t; -typedef __kernel_gid_t gid_t; - -#if defined(__GNUC__) -typedef __kernel_loff_t loff_t; -#endif - -/* - * The following typedefs are also protected by individual ifdefs for - * historical reasons: - */ -#ifndef _SIZE_T -#define _SIZE_T -typedef __kernel_size_t size_t; -#endif - -#ifndef _SSIZE_T -#define _SSIZE_T -typedef __kernel_ssize_t ssize_t; -#endif - -#ifndef _PTRDIFF_T -#define _PTRDIFF_T -typedef __kernel_ptrdiff_t ptrdiff_t; -#endif - -#ifndef _TIME_T -#define _TIME_T -typedef __kernel_time_t time_t; -#endif - -#ifndef _CLOCK_T -#define _CLOCK_T -typedef __kernel_clock_t clock_t; -#endif - -#ifndef _CADDR_T -#define _CADDR_T -typedef __kernel_caddr_t caddr_t; -#endif - -/* bsd */ -typedef unsigned char u_char; -typedef unsigned short u_short; -typedef unsigned int u_int; -typedef unsigned long u_long; - -/* sysv */ -typedef unsigned char unchar; -typedef unsigned short ushort; -typedef unsigned int uint; -typedef unsigned long ulong; - -#ifndef __BIT_TYPES_DEFINED__ -#define __BIT_TYPES_DEFINED__ - -typedef __u8 u_int8_t; -typedef __s8 int8_t; -typedef __u16 u_int16_t; -typedef __s16 int16_t; -typedef __u32 u_int32_t; -typedef __s32 int32_t; - -#endif /* !(__BIT_TYPES_DEFINED__) */ - -typedef __u8 uint8_t; -typedef __u16 uint16_t; -typedef __u32 uint32_t; - -#if defined(__GNUC__) -typedef __u64 uint64_t; 
-typedef __u64 u_int64_t; -typedef __s64 int64_t; -#endif - -/* this is a special 64bit data type that is 8-byte aligned */ -#define aligned_u64 __u64 __attribute__((aligned(8))) -#define aligned_be64 __be64 __attribute__((aligned(8))) -#define aligned_le64 __le64 __attribute__((aligned(8))) - -/** - * The type used for indexing onto a disc or disc partition. - * - * Linux always considers sectors to be 512 bytes long independently - * of the devices real block size. - * - * blkcnt_t is the type of the inode's block count. - */ -#ifdef CONFIG_LBD -typedef u64 sector_t; -typedef u64 blkcnt_t; -#else -typedef unsigned long sector_t; -typedef unsigned long blkcnt_t; -#endif +#ifndef __ASSEMBLY__ -/* - * The type of an index into the pagecache. Use a #define so asm/types.h - * can override it. - */ -#ifndef pgoff_t -#define pgoff_t unsigned long -#endif +#include <linux/posix_types.h> -#endif /* __KERNEL_STRICT_NAMES */ /* * Below are truly Linux-specific types that should never collide with @@ -155,5 +34,5 @@ typedef __u16 __bitwise __sum16; typedef __u32 __bitwise __wsum; - +#endif /* __ASSEMBLY__ */ #endif /* _LINUX_TYPES_H */ diff -Nru iptables-1.4.4/include/Makefile.in iptables-1.4.10/include/Makefile.in --- iptables-1.4.4/include/Makefile.in 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/include/Makefile.in 2010-10-29 14:40:40.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.9.6 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,15 +17,11 @@ # -*- Makefile -*- -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c @@ -44,15 +41,16 @@ $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ $(srcdir)/xtables.h.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = xtables.h +CONFIG_CLEAN_VPATH_FILES = SOURCES = DIST_SOURCES = am__include_HEADERS_DIST = libipq/libipq.h 
@@ -61,17 +59,29 @@ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" -includeHEADERS_INSTALL = $(INSTALL_HEADER) -nobase_includeHEADERS_INSTALL = $(install_sh_DATA) HEADERS = $(include_HEADERS) $(nobase_include_HEADERS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +pkgdatadir = @pkgdatadir@ ACLOCAL = @ACLOCAL@ -AMDEP_FALSE = @AMDEP_FALSE@ -AMDEP_TRUE = @AMDEP_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ 
@@ -92,21 +102,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ -ENABLE_DEVEL_FALSE = @ENABLE_DEVEL_FALSE@ -ENABLE_DEVEL_TRUE = @ENABLE_DEVEL_TRUE@ -ENABLE_IPV4_FALSE = @ENABLE_IPV4_FALSE@ -ENABLE_IPV4_TRUE = @ENABLE_IPV4_TRUE@ -ENABLE_IPV6_FALSE = @ENABLE_IPV6_FALSE@ -ENABLE_IPV6_TRUE = @ENABLE_IPV6_TRUE@ -ENABLE_LIBIPQ_FALSE = @ENABLE_LIBIPQ_FALSE@ -ENABLE_LIBIPQ_TRUE = @ENABLE_LIBIPQ_TRUE@ -ENABLE_SHARED_FALSE = @ENABLE_SHARED_FALSE@ -ENABLE_SHARED_TRUE = @ENABLE_SHARED_TRUE@ -ENABLE_STATIC_FALSE = @ENABLE_STATIC_FALSE@ -ENABLE_STATIC_TRUE = @ENABLE_STATIC_TRUE@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ @@ -120,6 +119,7 @@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ @@ -131,18 +131,24 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ -am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -155,6 +161,7 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ 
@@ -174,6 +181,9 @@ ksourcedir = @ksourcedir@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@ +libnfnetlink_CFLAGS = @libnfnetlink_CFLAGS@ +libnfnetlink_LIBS = @libnfnetlink_LIBS@ libxtables_vage = @libxtables_vage@ libxtables_vcurrent = @libxtables_vcurrent@ libxtables_vmajor = @libxtables_vmajor@ @@ -191,8 +201,12 @@ regular_CFLAGS = @regular_CFLAGS@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ include_HEADERS = $(am__append_1) nobase_include_HEADERS = xtables.h libiptc/ipt_kernel_headers.h \ @@ -204,14 +218,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu include/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu include/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu include/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu include/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -229,6 +243,7 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): xtables.h: $(top_builddir)/config.status $(srcdir)/xtables.h.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ 
@@ -237,120 +252,129 @@ clean-libtool: -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: install-includeHEADERS: $(include_HEADERS) @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @list='$(include_HEADERS)'; for p in $$list; do \ + test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" + @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f=$(am__strip_dir) \ - echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \ done uninstall-includeHEADERS: @$(NORMAL_UNINSTALL) - @list='$(include_HEADERS)'; for p in $$list; do \ - f=$(am__strip_dir) \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done + @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(includedir)" && rm -f $$files install-nobase_includeHEADERS: $(nobase_include_HEADERS) @$(NORMAL_INSTALL) - test -z "$(includedir)" || $(mkdir_p) "$(DESTDIR)$(includedir)" - @$(am__vpath_adj_setup) \ - list='$(nobase_include_HEADERS)'; for p in $$list; do \ - if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - $(am__vpath_adj) \ - echo " $(nobase_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \ - $(nobase_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \ + test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)" + @list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \ + 
$(am__nobase_list) | while read dir files; do \ + xfiles=; for file in $$files; do \ + if test -f "$$file"; then xfiles="$$xfiles $$file"; \ + else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \ + test -z "$$xfiles" || { \ + test "x$$dir" = x. || { \ + echo "$(MKDIR_P) '$(DESTDIR)$(includedir)/$$dir'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)/$$dir"; }; \ + echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(includedir)/$$dir'"; \ + $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(includedir)/$$dir" || exit $$?; }; \ done uninstall-nobase_includeHEADERS: @$(NORMAL_UNINSTALL) - @$(am__vpath_adj_setup) \ - list='$(nobase_include_HEADERS)'; for p in $$list; do \ - $(am__vpath_adj) \ - echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \ - rm -f "$(DESTDIR)$(includedir)/$$f"; \ - done + @list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \ + $(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(includedir)" && rm -f $$files ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z 
"$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/libipq $(distdir)/libiptc - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo 
"$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -359,7 +383,7 @@ all-am: Makefile $(HEADERS) installdirs: for dir in "$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am @@ -381,6 +405,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -391,8 +416,7 @@ distclean: distclean-am -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-libtool \ - distclean-tags +distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-am 
@@ -400,18 +424,38 @@ html: html-am +html-am: + info: info-am info-am: install-data-am: install-includeHEADERS install-nobase_includeHEADERS +install-dvi: install-dvi-am + +install-dvi-am: + install-exec-am: +install-html: install-html-am + +install-html-am: + install-info: install-info-am +install-info-am: + install-man: +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -430,22 +474,26 @@ ps-am: -uninstall-am: uninstall-includeHEADERS uninstall-info-am \ - uninstall-nobase_includeHEADERS +uninstall-am: uninstall-includeHEADERS uninstall-nobase_includeHEADERS + +.MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-libtool ctags distclean distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ - install-data-am install-exec install-exec-am \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am \ install-includeHEADERS install-info install-info-am \ - install-man install-nobase_includeHEADERS install-strip \ + install-man install-nobase_includeHEADERS install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ - uninstall-am uninstall-includeHEADERS uninstall-info-am \ + uninstall-am uninstall-includeHEADERS \ uninstall-nobase_includeHEADERS + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru iptables-1.4.4/include/xtables.h.in iptables-1.4.10/include/xtables.h.in --- iptables-1.4.4/include/xtables.h.in 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/include/xtables.h.in 2010-10-29 14:37:22.000000000 +0000 @@ -90,9 +90,7 @@ unsigned int option_offset; struct xt_entry_match *m; unsigned int mflags; -#ifdef NO_SHARED_LIBS unsigned int loaded; /* simulate loading so options are merged properly */ -#endif }; struct xtables_target @@ -152,9 +150,7 @@ struct xt_entry_target *t; unsigned int tflags; unsigned int used; -#ifdef NO_SHARED_LIBS unsigned int loaded; /* simulate loading so options are merged properly */ -#endif }; struct xtables_rule_match { 
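Review bot: Removing the `#ifdef NO_SHARED_LIBS` guard around `unsigned int loaded;` in the `@@ -90,9 +90,7 @@` and `@@ -152,9 +150,7 @@` hunks of xtables.h.in makes that member part of `struct xtables_match` and `struct xtables_target` in the shared-library build too, so the size of the structs that extension modules hand to `xtables_register_match`/`xtables_register_target` changes for that configuration. Unless the library already rejects extensions compiled against a different header version, or the libxtables interface version (`libxtables_vcurrent` in the build system) is bumped elsewhere in this release, an extension built against the 1.4.4 header would be read with the new layout. The surviving comment `/* simulate loading so options are merged properly */` was written for the static-only case; now that the field is unconditional, a comment stating when the library sets it and who reads it would help, though I cannot tell from this header alone what that is.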
@@ -203,6 +199,8 @@
 void (*exit_err)(enum xtables_exittype status, const char *msg, ...) __attribute__((noreturn, format(printf,2,3)));
 };
+#define XT_GETOPT_TABLEEND {NULL}
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -215,11 +213,11 @@
 extern void xtables_set_nfproto(uint8_t);
 extern void *xtables_calloc(size_t, size_t);
 extern void *xtables_malloc(size_t);
+extern void *xtables_realloc(void *, size_t);
 extern int xtables_insmod(const char *, const char *, bool);
 extern int xtables_load_ko(const char *, bool);
 extern int xtables_set_params(struct xtables_globals *xtp);
-extern void xtables_set_revision(char *name, u_int8_t revision);
 extern void xtables_free_opts(int reset_offset);
 extern struct option *xtables_merge_options(struct option *oldopts, const struct option *newopts, unsigned int *option_offset);
@@ -232,7 +230,9 @@
 /* Your shared library should call one of these. */
 extern void xtables_register_match(struct xtables_match *me);
+extern void xtables_register_matches(struct xtables_match *, unsigned int);
 extern void xtables_register_target(struct xtables_target *me);
+extern void xtables_register_targets(struct xtables_target *, unsigned int);
 extern bool xtables_strtoul(const char *, char **, unsigned long *, unsigned long, unsigned long);
@@ -247,7 +247,7 @@
 #define aligned_u64 u_int64_t __attribute__((aligned(8)))
 int xtables_check_inverse(const char option[], int *invert,
- int *my_optind, int argc);
+ int *my_optind, int argc, char **argv);
 extern struct xtables_globals *xt_params;
 #define xtables_error (xt_params->exit_err)
@@ -260,6 +260,8 @@
 extern struct in_addr *xtables_numeric_to_ipmask(const char *);
 extern void xtables_ipparse_any(const char *, struct in_addr **, struct in_addr *, unsigned int *);
+extern void xtables_ipparse_multiple(const char *, struct in_addr **,
+ struct in_addr **, unsigned int *);
 extern struct in6_addr *xtables_numeric_to_ip6addr(const char *);
 extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *);
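Review bot: The two new registration prototypes in the `@@ -232,7 +230,9 @@` hunk drop their parameter names while the adjacent `xtables_register_match(struct xtables_match *me)` keeps one, and nothing in the header says what the `unsigned int` is (presumably an element count for an array of matches/targets). Naming the parameters documents them for free: `extern void xtables_register_matches(struct xtables_match *match, unsigned int n);` and `extern void xtables_register_targets(struct xtables_target *target, unsigned int n);`, plus a one-line comment stating that `n` is the number of array elements, if that is indeed the contract. The same goes for `xtables_realloc(void *, size_t)` in the `@@ -215,11 +213,11 @@` hunk, whose behaviour on allocation failure (returning NULL versus terminating the program as the sibling xtables_* allocators presumably do) is what every caller needs to know and is not stated. In the `@@ -247,7 +247,7 @@` hunk the added `char **argv` on `xtables_check_inverse` is likewise undocumented; a short comment saying that `argv` is the argument vector `my_optind` refers to and that `argc` bounds it (assuming that is how the implementation uses them) would make the new contract explicit.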
@@ -267,6 +269,8 @@ extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *); extern void xtables_ip6parse_any(const char *, struct in6_addr **, struct in6_addr *, unsigned int *); +extern void xtables_ip6parse_multiple(const char *, struct in6_addr **, + struct in6_addr **, unsigned int *); /** * Print the specified value to standard output, quoting dangerous @@ -274,7 +278,7 @@ */ extern void xtables_save_string(const char *value); -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) # ifdef _INIT # undef _init # define _init _INIT diff -Nru iptables-1.4.4/INSTALL iptables-1.4.10/INSTALL --- iptables-1.4.4/INSTALL 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/INSTALL 2010-10-29 14:37:22.000000000 +0000 @@ -41,18 +41,22 @@ It is enabled by default. +--enable-static + + Produce additional binaries, iptables-static/ip6tables-static, + which have all shipped extensions compiled in. + +--disable-shared + + Produce binaries that have dynamic loading of extensions disabled. + This implies --enable-static. + (See some details below.) + --enable-libipq This option causes libipq to be installed into ${libdir} and ${includedir}. ---enable-static - - Enable building single standalone multipurpose binaries, - (iptables-static and ip6tables-static), which contain every - extension compiled-in (and does not support additional - extensions). - --with-ksource= Xtables does not depend on kernel headers anymore, but you can 
@@ -74,7 +78,22 @@ These have the core (iptables), -save, -restore and -xml code compiled into one binary, but extensions remain as modules. -If you want to build a statically linked version of the iptables binary, -without the need for loading the plugins at runtime (e.g. for an -embedded device or router-on-a-disk), you can use the --enable-static -configure flag. + +Static and shared +================= + +Basically there are three configuration modes defined: + + --disable-static --enable-shared (this is the default) + + Build a binary that relies upon dynamic loading of extensions. + + --enable-static --enable-shared + + Build a binary that has the shipped extensions built-in, but + is still capable of loading additional extensions. + + --enable-static --disable-shared + + Shipped extensions are built-in, and dynamic loading is + deactivated. diff -Nru iptables-1.4.4/install-sh iptables-1.4.10/install-sh --- iptables-1.4.4/install-sh 2009-06-16 14:42:56.000000000 +0000 +++ iptables-1.4.10/install-sh 2010-10-29 14:40:40.000000000 +0000 @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2005-05-14.22 +scriptversion=2009-04-28.21; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the 
@@ -39,38 +39,68 @@ # when there is no Makefile. # # This script is compatible with the BSD install script, but was written -# from scratch. It can only install one file at a time, a restriction -# shared with many OS's install programs. +# from scratch. + +nl=' +' +IFS=" "" $nl" # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" +doit=${DOITPROG-} +if test -z "$doit"; then + doit_exec=exec +else + doit_exec=$doit +fi -# put in absolute paths if you don't have them in your path; or use env. vars. +# Put in absolute file names if you don't have them in your path; +# or use environment vars. -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" +chgrpprog=${CHGRPPROG-chgrp} +chmodprog=${CHMODPROG-chmod} +chownprog=${CHOWNPROG-chown} +cmpprog=${CMPPROG-cmp} +cpprog=${CPPROG-cp} +mkdirprog=${MKDIRPROG-mkdir} +mvprog=${MVPROG-mv} +rmprog=${RMPROG-rm} +stripprog=${STRIPPROG-strip} + +posix_glob='?' +initialize_posix_glob=' + test "$posix_glob" != "?" || { + if (set -f) 2>/dev/null; then + posix_glob= + else + posix_glob=: + fi + } +' + +posix_mkdir= + +# Desired mode of installed file. +mode=0755 -chmodcmd="$chmodprog 0755" -chowncmd= chgrpcmd= -stripcmd= +chmodcmd=$chmodprog +chowncmd= +mvcmd=$mvprog rmcmd="$rmprog -f" -mvcmd="$mvprog" +stripcmd= + src= dst= dir_arg= -dstarg= +dst_arg= + +copy_on_change=false no_target_directory= -usage="Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE +usage="\ +Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE or: $0 [OPTION]... SRCFILES... DIRECTORY or: $0 [OPTION]... -t DIRECTORY SRCFILES... or: $0 [OPTION]... -d DIRECTORIES... 
@@ -80,81 +110,86 @@ In the 4th, create DIRECTORIES. Options: --c (ignored) --d create directories instead of installing files. --g GROUP $chgrpprog installed files to GROUP. --m MODE $chmodprog installed files to MODE. --o USER $chownprog installed files to USER. --s $stripprog installed files. --t DIRECTORY install into DIRECTORY. --T report an error if DSTFILE is a directory. ---help display this help and exit. ---version display version info and exit. + --help display this help and exit. + --version display version info and exit. + + -c (ignored) + -C install only if different (preserve the last data modification time) + -d create directories instead of installing files. + -g GROUP $chgrpprog installed files to GROUP. + -m MODE $chmodprog installed files to MODE. + -o USER $chownprog installed files to USER. + -s $stripprog installed files. + -t DIRECTORY install into DIRECTORY. + -T report an error if DSTFILE is a directory. Environment variables override the default commands: - CHGRPPROG CHMODPROG CHOWNPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG + RMPROG STRIPPROG " -while test -n "$1"; do +while test $# -ne 0; do case $1 in - -c) shift - continue;; + -c) ;; - -d) dir_arg=true - shift - continue;; + -C) copy_on_change=true;; + + -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; + shift;; --help) echo "$usage"; exit $?;; - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; + -m) mode=$2 + case $mode in + *' '* | *' '* | *' +'* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + shift;; -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -s) stripcmd=$stripprog - shift - continue;; - - -t) dstarg=$2 - shift - shift - continue;; - - -T) no_target_directory=true - shift - continue;; + shift;; + + -s) stripcmd=$stripprog;; + + -t) dst_arg=$2 + shift;; + + -T) no_target_directory=true;; --version) echo "$0 $scriptversion"; exit 
$?;; - *) # When -d is used, all remaining arguments are directories to create. - # When -t is used, the destination is already specified. - test -n "$dir_arg$dstarg" && break - # Otherwise, the last argument is the destination. Remove it from $@. - for arg - do - if test -n "$dstarg"; then - # $@ is not empty: it contains at least $arg. - set fnord "$@" "$dstarg" - shift # fnord - fi - shift # arg - dstarg=$arg - done + --) shift break;; + + -*) echo "$0: invalid option: $1" >&2 + exit 1;; + + *) break;; esac + shift done -if test -z "$1"; then +if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then + # When -d is used, all remaining arguments are directories to create. + # When -t is used, the destination is already specified. + # Otherwise, the last argument is the destination. Remove it from $@. + for arg + do + if test -n "$dst_arg"; then + # $@ is not empty: it contains at least $arg. + set fnord "$@" "$dst_arg" + shift # fnord + fi + shift # arg + dst_arg=$arg + done +fi + +if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 
@@ -164,24 +199,47 @@ exit 0 fi +if test -z "$dir_arg"; then + trap '(exit $?); exit' 1 2 13 15 + + # Set umask so as not to create temps with too-generous modes. + # However, 'strip' requires both read and write access to temps. + case $mode in + # Optimize common cases. + *644) cp_umask=133;; + *755) cp_umask=22;; + + *[0-7]) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw='% 200' + fi + cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; + *) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw=,u+rw + fi + cp_umask=$mode$u_plus_rw;; + esac +fi + for src do # Protect names starting with `-'. case $src in - -*) src=./$src ;; + -*) src=./$src;; esac if test -n "$dir_arg"; then dst=$src - src= - - if test -d "$dst"; then - mkdircmd=: - chmodcmd= - else - mkdircmd=$mkdirprog - fi + dstdir=$dst + test -d "$dstdir" + dstdir_status=$? else + # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. 
@@ -190,71 +248,199 @@ exit 1 fi - if test -z "$dstarg"; then + if test -z "$dst_arg"; then echo "$0: no destination specified." >&2 exit 1 fi - dst=$dstarg + dst=$dst_arg # Protect names starting with `-'. case $dst in - -*) dst=./$dst ;; + -*) dst=./$dst;; esac # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then if test -n "$no_target_directory"; then - echo "$0: $dstarg: Is a directory" >&2 + echo "$0: $dst_arg: Is a directory" >&2 exit 1 fi - dst=$dst/`basename "$src"` + dstdir=$dst + dst=$dstdir/`basename "$src"` + dstdir_status=0 + else + # Prefer dirname, but fall back on a substitute if dirname fails. + dstdir=` + (dirname "$dst") 2>/dev/null || + expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$dst" : 'X\(//\)[^/]' \| \ + X"$dst" : 'X\(//\)$' \| \ + X"$dst" : 'X\(/\)' \| . 2>/dev/null || + echo X"$dst" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q' + ` + + test -d "$dstdir" + dstdir_status=$? fi fi - # This sed command emulates the dirname command. - dstdir=`echo "$dst" | sed -e 's,/*$,,;s,[^/]*$,,;s,/*$,,;s,^$,.,'` - - # Make sure that the destination directory exists. + obsolete_mkdir_used=false - # Skip lots of stat calls in the usual case. - if test ! -d "$dstdir"; then - defaultIFS=' - ' - IFS="${IFS-$defaultIFS}" - - oIFS=$IFS - # Some sh's can't handle IFS=/ for some reason. - IFS='%' - set x `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'` - shift - IFS=$oIFS + if test $dstdir_status != 0; then + case $posix_mkdir in + '') + # Create intermediate dirs using mode 755 as modified by the umask. + # This is like FreeBSD 'install' as of 1997-10-28. + umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. 
+ *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. + if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi + + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 + + if (umask $mkdir_umask && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writeable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + ls_ld_tmpdir=`ls -ld "$tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/d" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + fi + trap '' 0;; + esac;; + esac - pathcomp= + if + $posix_mkdir && ( + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + ) + then : + else - while test $# -ne 0 ; do - pathcomp=$pathcomp$1 + # The umask is ridiculous, or mkdir does not conform to POSIX, + # or it failed possibly due to a race condition. Create the + # directory the slow way, step by step, checking for races as we go. 
+ + case $dstdir in + /*) prefix='/';; + -*) prefix='./';; + *) prefix='';; + esac + + eval "$initialize_posix_glob" + + oIFS=$IFS + IFS=/ + $posix_glob set -f + set fnord $dstdir shift - if test ! -d "$pathcomp"; then - $mkdirprog "$pathcomp" - # mkdir can fail with a `File exist' error in case several - # install-sh are creating the directory concurrently. This - # is OK. - test -d "$pathcomp" || exit + $posix_glob set +f + IFS=$oIFS + + prefixes= + + for d + do + test -z "$d" && continue + + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ + done + + if test -n "$prefixes"; then + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true fi - pathcomp=$pathcomp/ - done + fi fi if test -n "$dir_arg"; then - $doit $mkdircmd "$dst" \ - && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \ - && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \ - && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \ - && { test -z "$chmodcmd" || $doit $chmodcmd "$dst"; } - + { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && + { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || + test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else - dstfile=`basename "$dst"` # Make a couple of temp file names in the proper directory. dsttmp=$dstdir/_inst.$$_ 
@@ -262,10 +448,9 @@ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 - trap '(exit $?); exit' 1 2 13 15 # Copy the file name to the temp name. - $doit $cpprog "$src" "$dsttmp" && + (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # 
@@ -273,51 +458,63 @@ # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # - { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \ - && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \ - && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \ - && { test -z "$chmodcmd" || $doit $chmodcmd "$dsttmp"; } && - - # Now rename the file to the real destination. - { $doit $mvcmd -f "$dsttmp" "$dstdir/$dstfile" 2>/dev/null \ - || { - # The rename failed, perhaps because mv can't rename something else - # to itself, or perhaps because mv is so ancient that it does not - # support -f. - - # Now remove or move aside any old file at destination location. - # We try this two ways since rm can't unlink itself on some - # systems and the destination file might be busy for other - # reasons. In this case, the final cleanup might fail but the new - # file should still install successfully. - { - if test -f "$dstdir/$dstfile"; then - $doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null \ - || $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null \ - || { - echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2 - (exit 1); exit 1 - } - else - : - fi - } && - - # Now rename the file to the real destination. - $doit $mvcmd "$dsttmp" "$dstdir/$dstfile" - } - } - fi || { (exit 1); exit 1; } -done + { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && + { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && + { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && + + # If -C, don't bother to copy if it wouldn't change the file. 
+ if $copy_on_change && + old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && + new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && + + eval "$initialize_posix_glob" && + $posix_glob set -f && + set X $old && old=:$2:$4:$5:$6 && + set X $new && new=:$2:$4:$5:$6 && + $posix_glob set +f && + + test "$old" = "$new" && + $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 + then + rm -f "$dsttmp" + else + # Rename the file to the real destination. + $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || -# The final little trick to "correctly" pass the exit status to the exit trap. -{ - (exit 0); exit 0 -} + # The rename failed, perhaps because mv can't rename something else + # to itself, or perhaps because mv is so ancient that it does not + # support -f. + { + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + test ! -f "$dst" || + $doit $rmcmd -f "$dst" 2>/dev/null || + { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && + { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + } || + { echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + } && + + # Now rename the file to the real destination. + $doit $mvcmd "$dsttmp" "$dst" + } + fi || exit 1 + + trap '' 0 + fi +done # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" # End: diff -Nru iptables-1.4.4/ip6tables.8.in iptables-1.4.10/ip6tables.8.in --- iptables-1.4.4/ip6tables.8.in 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables.8.in 2010-10-29 14:37:22.000000000 +0000 
@@ -1,4 +1,4 @@ -.TH IP6TABLES 8 "" "@PACKAGE_AND_VERSION@" "@PACKAGE_AND_VERSION@" +.TH IP6TABLES 8 "" "iptables 1.4.4" "iptables 1.4.4" .\" .\" Man page written by Andras Kis-Szabo <kisza@sch.bme.hu> .\" It is based on iptables man page. @@ -25,7 +25,7 @@ .\" .\" .SH NAME -ip6tables - IPv6 packet filter administration +ip6tables \(em IPv6 packet filter administration .SH SYNOPSIS \fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-D\fP} \fIchain rule-specification\fP [\fIoptions...\fP] @@ -42,7 +42,7 @@ \fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]] .PP \fBip6tables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} -[\fIchain\fP] [\fIoptions...\fP] +[\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP] .PP \fBip6tables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP .PP @@ -175,15 +175,16 @@ .TP \fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP] Print all rules in the selected chain. If no chain is selected, all -chains are printed like ip6tables\-save. Like every other ip6tables command, +chains are printed like ip6tables-save. Like every other ip6tables command, it applies to the specified table (filter is the default). .TP \fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP] Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one. .TP -\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP] -Zero the packet and byte counters in all chains. It is legal to +\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]] +Zero the packet and byte counters in all chains, or only the given chain, +or only the given rule in a chain. It is legal to specify the \fB\-L\fP, \fB\-\-list\fP (list) option as well, to see the counters immediately before they are 
@@ -239,15 +240,20 @@ .TP [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP] Source specification. -\fIAddress\fP can be either a hostname (please note that specifying -any name to be resolved with a remote query such as DNS is a really bad idea), -a network IPv6 address (with \fB/\fP\fImask\fP), or a plain IPv6 address. -(the network name isn't supported now). +\fIAddress\fP can be either be a hostname, +a network IP address (with \fB/\fP\fImask\fP), or a plain IP address. +Names will be resolved once only, before the rule is submitted to the kernel. +Please note that specifying any name to be resolved with a remote query such as +DNS is a really bad idea. +(Resolving network names is not supported at this time.) The \fImask\fP is a plain number, specifying the number of 1's at the left side of the network mask. A "!" argument before the address specification inverts the sense of the address. The flag \fB\-\-src\fP is an alias for this option. +Multiple addresses can be specified, but this will \fBexpand to multiple +rules\fP (when adding with \-A), or will cause multiple rules to be +deleted (with \-D). .TP [\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP] Destination specification. diff -Nru iptables-1.4.4/ip6tables.c iptables-1.4.10/ip6tables.c --- iptables-1.4.4/ip6tables.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables.c 2010-10-29 14:37:22.000000000 +0000 @@ -43,6 +43,7 @@ #include <sys/types.h> #include <sys/socket.h> #include "ip6tables-multi.h" +#include "xshared.h" #ifndef TRUE #define TRUE 1 @@ -80,9 +81,10 @@ #define CMD_SET_POLICY 0x0400U #define CMD_RENAME_CHAIN 0x0800U #define CMD_LIST_RULES 0x1000U -#define NUMBER_OF_CMD 14 +#define CMD_ZERO_NUM 0x2000U +#define NUMBER_OF_CMD 15 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', - 'N', 'X', 'P', 'E', 'S' }; + 'Z', 'N', 'X', 'P', 'E', 'S' }; #define OPT_NONE 0x00000U #define OPT_NUMERIC 0x00001U 
@@ -171,6 +173,7 @@ /*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x'}, /*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x'}, /*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x'}, +/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x'}, /*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'}, /*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'}, /*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' '}, @@ -221,7 +224,7 @@ return NULL; } -static void +static void __attribute__((noreturn)) exit_tryhelp(int status) { if (line != -1) @@ -235,9 +238,6 @@ static void exit_printhelp(struct xtables_rule_match *matches) { - struct xtables_rule_match *matchp = NULL; - struct xtables_target *t = NULL; - printf("%s v%s\n\n" "Usage: %s -[AD] chain rule-specification [options]\n" " %s -I chain [rulenum] rule-specification [options]\n" @@ -269,7 +269,8 @@ " --list-rules -S [chain [rulenum]]\n" " Print the rules in a chain or all chains\n" " --flush -F [chain] Delete all rules in chain or all chains\n" -" --zero -Z [chain] Zero counters in chain or all chains\n" +" --zero -Z [chain [rulenum]]\n" +" Zero counters in chain or all chains\n" " --new -N chain Create a new user-defined chain\n" " --delete-chain\n" " -X [chain] Delete a user-defined chain\n" @@ -281,9 +282,9 @@ "Options:\n" "[!] --proto -p proto protocol: by number or name, eg. `tcp'\n" -"[!] --source -s address[/mask]\n" +"[!] --source -s address[/mask][,...]\n" " source specification\n" -"[!] --destination -d address[/mask]\n" +"[!] --destination -d address[/mask][,...]\n" " destination specification\n" "[!] --in-interface -i input name[+]\n" " network interface name ([+] for wildcard)\n" 
@@ -307,19 +308,7 @@ " --set-counters PKTS BYTES set the counter during insert/append\n" "[!] --version -V print package version.\n"); - /* Print out any special helps. A user might like to be able to add a --help - to the commandline, and see expected results. So we call help for all - specified matches & targets */ - for (t = xtables_targets; t; t = t->next) { - if (t->used) { - printf("\n"); - t->help(); - } - } - for (matchp = matches; matchp; matchp = matchp->next) { - printf("\n"); - matchp->match->help(); - } + print_extension_helps(xtables_targets, matches); exit(0); } @@ -467,10 +456,10 @@ xtables_error(PARAMETER_PROBLEM, "Invalid target name (too short)"); - if (strlen(targetname)+1 > sizeof(ip6t_chainlabel)) + if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN) xtables_error(PARAMETER_PROBLEM, "Invalid target name `%s' (%u chars max)", - targetname, (unsigned int)sizeof(ip6t_chainlabel)-1); + targetname, XT_EXTENSION_MAXNAMELEN - 1); for (ptr = targetname; *ptr; ptr++) if (isspace(*ptr)) @@ -740,8 +729,10 @@ struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle) { @@ -750,8 +741,10 @@ for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_append_entry(chain, fw, handle); 
@@ -765,13 +758,15 @@ replace_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, unsigned int rulenum, - const struct in6_addr *saddr, - const struct in6_addr *daddr, + const struct in6_addr *saddr, const struct in6_addr *smask, + const struct in6_addr *daddr, const struct in6_addr *dmask, int verbose, struct ip6tc_handle *handle) { fw->ipv6.src = *saddr; fw->ipv6.dst = *daddr; + fw->ipv6.smsk = *smask; + fw->ipv6.dmsk = *dmask; if (verbose) print_firewall_line(fw, handle); @@ -784,8 +779,10 @@ unsigned int rulenum, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle) { @@ -794,8 +791,10 @@ for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_insert_entry(chain, fw, rulenum, handle); @@ -806,7 +805,8 @@ } static unsigned char * -make_delete_mask(struct ip6t_entry *fw, struct xtables_rule_match *matches) +make_delete_mask(struct xtables_rule_match *matches, + const struct xtables_target *target) { /* Establish mask for comparison */ unsigned int size; @@ -819,7 +819,7 @@ mask = xtables_calloc(1, size + IP6T_ALIGN(sizeof(struct ip6t_entry_target)) - + xtables_targets->size); + + target->size); memset(mask, 0xFF, sizeof(struct ip6t_entry)); mptr = mask + sizeof(struct ip6t_entry); @@ -833,7 +833,7 @@ memset(mptr, 0xFF, IP6T_ALIGN(sizeof(struct ip6t_entry_target)) - + xtables_targets->userspacesize); + + target->userspacesize); return mask; } 
@@ -843,21 +843,26 @@ struct ip6t_entry *fw, unsigned int nsaddrs, const struct in6_addr saddrs[], + const struct in6_addr smasks[], unsigned int ndaddrs, const struct in6_addr daddrs[], + const struct in6_addr dmasks[], int verbose, struct ip6tc_handle *handle, - struct xtables_rule_match *matches) + struct xtables_rule_match *matches, + const struct xtables_target *target) { unsigned int i, j; int ret = 1; unsigned char *mask; - mask = make_delete_mask(fw, matches); + mask = make_delete_mask(matches, target); for (i = 0; i < nsaddrs; i++) { fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; for (j = 0; j < ndaddrs; j++) { fw->ipv6.dst = daddrs[j]; + fw->ipv6.dmsk = dmasks[j]; if (verbose) print_firewall_line(fw, handle); ret &= ip6tc_delete_entry(chain, fw, mask, handle); @@ -1291,9 +1296,9 @@ int invert = 0; unsigned int nsaddrs = 0, ndaddrs = 0; struct in6_addr *saddrs = NULL, *daddrs = NULL; + struct in6_addr *smasks = NULL, *dmasks = NULL; int c, verbose = 0; - unsigned i; const char *chain = NULL; const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; const char *policy = NULL, *newname = NULL; @@ -1378,8 +1383,8 @@ break; case 'L': - add_command(&command, CMD_LIST, CMD_ZERO, - invert); + add_command(&command, CMD_LIST, + CMD_ZERO | CMD_ZERO_NUM, invert); if (optarg) chain = optarg; else if (optind < argc && argv[optind][0] != '-' && argv[optind][0] != '!') @@ -1390,8 +1395,8 @@ break; case 'S': - add_command(&command, CMD_LIST_RULES, CMD_ZERO, - invert); + add_command(&command, CMD_LIST_RULES, + CMD_ZERO | CMD_ZERO_NUM, invert); if (optarg) chain = optarg; else if (optind < argc && argv[optind][0] != '-' && argv[optind][0] != '!') @@ -1417,6 +1422,11 @@ else if (optind < argc && argv[optind][0] != '-' && argv[optind][0] != '!') chain = argv[optind++]; + if (optind < argc && argv[optind][0] != '-' + && argv[optind][0] != '!') { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_ZERO_NUM; + } break; case 'N': 
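Review bot: `mask` returned by make_delete_mask() is heap memory from xtables_calloc(), and nothing in the delete_entry hunk releases it after the nested loop. The function's tail is outside the hunk; if no free() follows the loop there, add `free(mask);` before `return ret;` so repeated callers (e.g. a long ip6tables-restore run) do not accumulate one allocation per deleted rule.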
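Review bot: In the case 'Z' hunk (@@ -1417), `command = CMD_ZERO_NUM;` replaces the whole accumulated command word instead of just the CMD_ZERO bit, so an invocation with -L before `-Z chain rulenum` loses CMD_LIST, even though the dispatch switch later on this page adds `CMD_LIST|CMD_ZERO_NUM` and `CMD_LIST_RULES|CMD_ZERO_NUM` cases for exactly that combination. The start of the case (the add_command call) is outside the hunk, so I am inferring that CMD_ZERO was ORed in just before. `command = (command & ~CMD_ZERO) | CMD_ZERO_NUM;` keeps the list bit and swaps only the zero variant.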
@@ -1484,15 +1494,15 @@ * Option selection */ case 'p': - xtables_check_inverse(optarg, &invert, &optind, argc); + xtables_check_inverse(optarg, &invert, &optind, argc, argv); set_option(&options, OPT_PROTOCOL, &fw.ipv6.invflags, invert); /* Canonicalize into lower case */ - for (protocol = argv[optind-1]; *protocol; protocol++) + for (protocol = optarg; *protocol; protocol++) *protocol = tolower(*protocol); - protocol = argv[optind-1]; + protocol = optarg; fw.ipv6.proto = xtables_parse_protocol(protocol); fw.ipv6.flags |= IP6T_F_PROTO; @@ -1510,17 +1520,17 @@ break; case 's': - xtables_check_inverse(optarg, &invert, &optind, argc); + xtables_check_inverse(optarg, &invert, &optind, argc, argv); set_option(&options, OPT_SOURCE, &fw.ipv6.invflags, invert); - shostnetworkmask = argv[optind-1]; + shostnetworkmask = optarg; break; case 'd': - xtables_check_inverse(optarg, &invert, &optind, argc); + xtables_check_inverse(optarg, &invert, &optind, argc, argv); set_option(&options, OPT_DESTINATION, &fw.ipv6.invflags, invert); - dhostnetworkmask = argv[optind-1]; + dhostnetworkmask = optarg; break; #ifdef IP6T_F_GOTO @@ -1548,8 +1558,7 @@ target->t = xtables_calloc(1, size); target->t->u.target_size = size; strcpy(target->t->u.user.name, jumpto); - xtables_set_revision(target->t->u.user.name, - target->revision); + target->t->u.user.revision = target->revision; if (target->init != NULL) target->init(target->t); opts = xtables_merge_options(opts, 
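Review bot: The canonicalisation loop in the 'p' hunk now walks optarg, but `*protocol = tolower(*protocol);` still passes a plain `char` to tolower(); a non-ASCII byte in the user-supplied protocol name is a negative value on signed-char platforms and undefined behaviour for the <ctype.h> functions. `*protocol = tolower((unsigned char)*protocol);` avoids it. The same pattern, `isspace(*ptr)`, is context in the target-name check hunk (@@ -467) earlier on this page.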
@@ -1563,19 +1572,19 @@ case 'i': - xtables_check_inverse(optarg, &invert, &optind, argc); + xtables_check_inverse(optarg, &invert, &optind, argc, argv); set_option(&options, OPT_VIANAMEIN, &fw.ipv6.invflags, invert); - xtables_parse_interface(argv[optind-1], + xtables_parse_interface(optarg, fw.ipv6.iniface, fw.ipv6.iniface_mask); break; case 'o': - xtables_check_inverse(optarg, &invert, &optind, argc); + xtables_check_inverse(optarg, &invert, &optind, argc, argv); set_option(&options, OPT_VIANAMEOUT, &fw.ipv6.invflags, invert); - xtables_parse_interface(argv[optind-1], + xtables_parse_interface(optarg, fw.ipv6.outiface, fw.ipv6.outiface_mask); break; @@ -1601,7 +1610,7 @@ m->m = xtables_calloc(1, size); m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); - xtables_set_revision(m->m->u.user.name, m->revision); + m->m->u.user.revision = m->revision; if (m->init != NULL) m->init(m->m); if (m != m->next) @@ -1687,13 +1696,14 @@ exit_tryhelp(2); default: - if (!target - || !(target->parse(c - target->option_offset, + if (target == NULL || target->parse == NULL || + !target->parse(c - target->option_offset, argv, invert, &target->tflags, - &fw, &target->t))) { + &fw, &target->t)) { for (matchp = matches; matchp; matchp = matchp->next) { - if (matchp->completed) + if (matchp->completed || + matchp->match->parse == NULL) continue; if (matchp->match->parse(c - matchp->match->option_offset, argv, invert, @@ -1748,8 +1758,7 @@ m->m = xtables_calloc(1, size); m->m->u.match_size = size; strcpy(m->m->u.user.name, m->name); - xtables_set_revision(m->m->u.user.name, - m->revision); + m->m->u.user.revision = m->revision; if (m->init != NULL) m->init(m->m); 
@@ -1811,12 +1820,12 @@ } if (shostnetworkmask) - xtables_ip6parse_any(shostnetworkmask, &saddrs, - &fw.ipv6.smsk, &nsaddrs); + xtables_ip6parse_multiple(shostnetworkmask, &saddrs, + &smasks, &nsaddrs); if (dhostnetworkmask) - xtables_ip6parse_any(dhostnetworkmask, &daddrs, - &fw.ipv6.dmsk, &ndaddrs); + xtables_ip6parse_multiple(dhostnetworkmask, &daddrs, + &dmasks, &ndaddrs); if ((nsaddrs > 1 || ndaddrs > 1) && (fw.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP))) @@ -1829,10 +1838,10 @@ generic_opt_check(command, options); - if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN) + if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN) xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %i chars)", - chain, IP6T_FUNCTION_MAXNAMELEN); + "chain name `%s' too long (must be under %u chars)", + chain, XT_EXTENSION_MAXNAMELEN); /* only allocate handle if we weren't called with a handle */ if (!*handle) @@ -1921,27 +1930,30 @@ switch (command) { case CMD_APPEND: ret = append_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; case CMD_DELETE: ret = delete_entry(chain, e, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, - *handle, matches); + *handle, matches, target); break; case CMD_DELETE_NUM: ret = ip6tc_delete_num_entry(chain, rulenum - 1, *handle); break; case CMD_REPLACE: ret = replace_entry(chain, e, rulenum - 1, - saddrs, daddrs, options&OPT_VERBOSE, - *handle); + saddrs, smasks, daddrs, dmasks, + options&OPT_VERBOSE, *handle); break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, - nsaddrs, saddrs, ndaddrs, daddrs, + nsaddrs, saddrs, smasks, + ndaddrs, daddrs, dmasks, options&OPT_VERBOSE, *handle); break; 
@@ -1951,8 +1963,12 @@ case CMD_ZERO: ret = zero_entries(chain, options&OPT_VERBOSE, *handle); break; + case CMD_ZERO_NUM: + ret = ip6tc_zero_counter(chain, rulenum, *handle); + break; case CMD_LIST: case CMD_LIST|CMD_ZERO: + case CMD_LIST|CMD_ZERO_NUM: ret = list_entries(chain, rulenum, options&OPT_VERBOSE, @@ -1963,9 +1979,12 @@ if (ret && (command & CMD_ZERO)) ret = zero_entries(chain, options&OPT_VERBOSE, *handle); + if (ret && (command & CMD_ZERO_NUM)) + ret = ip6tc_zero_counter(chain, rulenum, *handle); break; case CMD_LIST_RULES: case CMD_LIST_RULES|CMD_ZERO: + case CMD_LIST_RULES|CMD_ZERO_NUM: ret = list_rules(chain, rulenum, options&OPT_VERBOSE, @@ -1973,6 +1992,8 @@ if (ret && (command & CMD_ZERO)) ret = zero_entries(chain, options&OPT_VERBOSE, *handle); + if (ret && (command & CMD_ZERO_NUM)) + ret = ip6tc_zero_counter(chain, rulenum, *handle); break; case CMD_NEW_CHAIN: ret = ip6tc_create_chain(chain, *handle); @@ -2001,12 +2022,10 @@ e = NULL; } - for (i = 0; i < nsaddrs; i++) - free(&saddrs[i]); - - for (i = 0; i < ndaddrs; i++) - free(&daddrs[i]); - + free(saddrs); + free(smasks); + free(daddrs); + free(dmasks); xtables_free_opts(1); return ret; diff -Nru iptables-1.4.4/ip6tables-multi.c iptables-1.4.10/ip6tables-multi.c --- iptables-1.4.4/ip6tables-multi.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables-multi.c 2010-10-29 14:37:22.000000000 +0000 
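Review bot: The new `ip6tc_zero_counter(chain, rulenum, *handle)` call passes rulenum unadjusted while the adjacent CMD_DELETE_NUM, CMD_REPLACE and CMD_INSERT calls pass `rulenum - 1`. If ip6tc_zero_counter counts rules from 1, as libiptc's per-rule counter accessors do as far as I recall, this is correct but invites a future off-by-one "fix"; a comment at the first call, `/* ip6tc_zero_counter takes a 1-based rule number, unlike delete/insert */`, would prevent that. The two later calls in the CMD_LIST and CMD_LIST_RULES cases on this line deserve the same note or a reference to it.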
@@ -7,26 +7,39 @@ int ip6tables_save_main(int argc, char **argv); int ip6tables_restore_main(int argc, char **argv); -int main(int argc, char **argv) { - char *progname; +int main(int argc, char **argv) +{ + char *progname; - if (argc == 0) { - fprintf(stderr, "no argv[0]?"); - exit(1); - } else { - progname = basename(argv[0]); - - if (!strcmp(progname, "ip6tables") || - strcmp(progname, "ip6tables-static") == 0) - return ip6tables_main(argc, argv); - - if (!strcmp(progname, "ip6tables-save")) - return ip6tables_save_main(argc, argv); - - if (!strcmp(progname, "ip6tables-restore")) - return ip6tables_restore_main(argc, argv); - - fprintf(stderr, "ip6tables multi-purpose version: unknown applet name %s\n", progname); - exit(1); - } + if (argc < 1) { + fprintf(stderr, "ERROR: This should not happen.\n"); + exit(EXIT_FAILURE); + } + + progname = basename(argv[0]); + if (strcmp(progname, "ip6tables") == 0) + return ip6tables_main(argc, argv); + if (strcmp(progname, "ip6tables-save") == 0) + return ip6tables_save_main(argc, argv); + if (strcmp(progname, "ip6tables-restore") == 0) + return ip6tables_restore_main(argc, argv); + + ++argv; + --argc; + if (argc < 1) { + fprintf(stderr, "ERROR: No subcommand given.\n"); + exit(EXIT_FAILURE); + } + + progname = basename(argv[0]); + if (strcmp(progname, "main") == 0) + return ip6tables_main(argc, argv); + if (strcmp(progname, "save") == 0) + return ip6tables_save_main(argc, argv); + if (strcmp(progname, "restore") == 0) + return ip6tables_restore_main(argc, argv); + + fprintf(stderr, "ip6tables multi-purpose version: " + "unknown subcommand \"%s\"\n", progname); + exit(EXIT_FAILURE); } diff -Nru iptables-1.4.4/ip6tables-restore.8 iptables-1.4.10/ip6tables-restore.8 --- iptables-1.4.4/ip6tables-restore.8 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables-restore.8 2010-10-29 14:37:22.000000000 +0000 
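Review bot: The rewritten main() no longer accepts the "ip6tables-static" applet name the old code recognised, so an installation that still points such a symlink at this binary now falls through to subcommand dispatch and exits with "unknown subcommand". If that is intentional, a comment above the first strcmp chain, `/* only these applet names are dispatched by argv[0]; anything else is ip6tables-multi <subcommand> */`, would document it. The final error also reports the basename of the subcommand argument rather than the name the binary was invoked under, which hides the real cause when argv[0] was the unexpected part; printing both would help diagnosis.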
@@ -19,10 +19,9 @@ .\" .\" .SH NAME -ip6tables-restore \- Restore IPv6 Tables +ip6tables-restore \(em Restore IPv6 Tables .SH SYNOPSIS -.BR "ip6tables-restore " "[-c] [-n]" -.br +\fBip6tables\-restore\fP [\fB\-c\fP] [\fB\-n\fP] .SH DESCRIPTION .PP .B ip6tables-restore @@ -44,7 +43,7 @@ .br Andras Kis-Szabo <kisza@sch.bme.hu> .SH SEE ALSO -.BR ip6tables-save "(8), " ip6tables "(8) " +\fBip6tables\-save\fP(8), \fBip6tables\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the diff -Nru iptables-1.4.4/ip6tables-restore.c iptables-1.4.10/ip6tables-restore.c --- iptables-1.4.4/ip6tables-restore.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables-restore.c 2010-10-29 14:37:22.000000000 +0000 @@ -137,7 +137,7 @@ ip6tables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif @@ -253,6 +253,12 @@ exit(1); } + if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) + xtables_error(PARAMETER_PROBLEM, + "Invalid chain name `%s' " + "(%u chars max)", + chain, XT_EXTENSION_MAXNAMELEN - 1); + if (ip6tc_builtin(chain, handle) <= 0) { if (noflush && ip6tc_is_chain(chain, handle)) { DEBUGP("Flushing existing user defined chain '%s'\n", chain); diff -Nru iptables-1.4.4/ip6tables-save.8 iptables-1.4.10/ip6tables-save.8 --- iptables-1.4.4/ip6tables-save.8 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables-save.8 2010-10-29 14:37:22.000000000 +0000 @@ -19,7 +19,7 @@ .\" .\" .SH NAME -ip6tables-save - dump iptables rules to stdout +ip6tables-save \(em dump iptables rules to stdout .SH SYNOPSIS \fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] [\fB\-t\fP \fItable\fP 
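Review bot: The added length check in ip6tables-restore.c (@@ -253) reports "(%u chars max)" with `XT_EXTENSION_MAXNAMELEN - 1`, while the equivalent check in ip6tables.c on this page (@@ -1838) says "must be under %u chars" with `XT_EXTENSION_MAXNAMELEN`; the two are consistent in substance but should share one wording. Since the old code bounded chain names with IP6T_FUNCTION_MAXNAMELEN, a one-line comment such as `/* chain labels are bounded by the extension-name limit; keep in sync with ip6tables.c */` would explain the constant choice. This hunk guards only the `:chain` policy lines; rule lines are presumably validated by do_command6, which is outside the hunk.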
@@ -46,7 +46,7 @@ .br Andras Kis-Szabo <kisza@sch.bme.hu> .SH SEE ALSO -.BR ip6tables-restore "(8), " ip6tables "(8) " +\fBip6tables\-restore\fP(8), \fBip6tables\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the diff -Nru iptables-1.4.4/ip6tables-save.c iptables-1.4.10/ip6tables-save.c --- iptables-1.4.4/ip6tables-save.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables-save.c 2010-10-29 14:37:22.000000000 +0000 @@ -148,7 +148,7 @@ ip6tables_globals.program_version); exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff -Nru iptables-1.4.4/ip6tables-standalone.c iptables-1.4.10/ip6tables-standalone.c --- iptables-1.4.4/ip6tables-standalone.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/ip6tables-standalone.c 2010-10-29 14:37:22.000000000 +0000 @@ -58,7 +58,7 @@ exit(1); } -#ifdef NO_SHARED_LIBS +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) init_extensions(); #endif diff -Nru iptables-1.4.4/iptables.8.in iptables-1.4.10/iptables.8.in --- iptables-1.4.4/iptables.8.in 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/iptables.8.in 2010-10-29 14:37:22.000000000 +0000 @@ -23,7 +23,7 @@ .\" .\" .SH NAME -iptables - administration tool for IPv4 packet filtering and NAT +iptables \(em administration tool for IPv4 packet filtering and NAT .SH SYNOPSIS \fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-A\fP|\fB\-D\fP} \fIchain\fP \fIrule-specification\fP .PP @@ -35,7 +35,7 @@ .PP \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-S\fP [\fIchain\fP [\fIrulenum\fP]] .PP -\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP] [\fIoptions...\fP] +\fBiptables\fP [\fB\-t\fP \fItable\fP] {\fB\-F\fP|\fB\-L\fP|\fB\-Z\fP} [\fIchain\fP [\fIrulenum\fP]] [\fIoptions...\fP] .PP \fBiptables\fP [\fB\-t\fP \fItable\fP] \fB\-N\fP \fIchain\fP .PP 
@@ -182,15 +182,16 @@
 .TP
 \fB\-S\fP, \fB\-\-list\-rules\fP [\fIchain\fP]
 Print all rules in the selected chain. If no chain is selected, all
-chains are printed like iptables\-save. Like every other iptables command,
+chains are printed like iptables-save. Like every other iptables command,
 it applies to the specified table (filter is the default).
 .TP
 \fB\-F\fP, \fB\-\-flush\fP [\fIchain\fP]
 Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
 .TP
-\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP]
-Zero the packet and byte counters in all chains. It is legal to
+\fB\-Z\fP, \fB\-\-zero\fP [\fIchain\fP [\fIrulenum\fP]]
+Zero the packet and byte counters in all chains, or only the given chain,
+or only the given rule in a chain. It is legal to
 specify the \fB\-L\fP, \fB\-\-list\fP (list) option as well, to see the counters immediately before they are
@@ -217,7 +218,7 @@
 Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.
 .TP
-\fB\-\h\fP
+\fB\-h\fP
 Help. Give a (currently very brief) description of the command syntax.
 .SS PARAMETERS
@@ -236,19 +237,24 @@
 will match with all protocols and is taken as default when this option is omitted.
 .TP
-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
 Source specification. \fIAddress\fP
-can be either a network name, a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
+can be either a network name, a hostname, a network IP address (with
+\fB/\fP\fImask\fP), or a plain IP address. Hostnames will
+be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
 The \fImask\fP can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP. A "!" argument before the address specification inverts the sense of the address. The flag \fB\-\-src\fP is an alias for this option.
+Multiple addresses can be specified, but this will \fBexpand to multiple
+rules\fP (when adding with \-A), or will cause multiple rules to be
+deleted (with \-D).
 .TP
-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
 Destination specification. See the description of the \fB\-s\fP (source) flag for a detailed description of the syntax. The flag
diff -Nru iptables-1.4.4/iptables.c iptables-1.4.10/iptables.c
--- iptables-1.4.4/iptables.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables.c 2010-10-29 14:37:22.000000000 +0000
@@ -40,6 +40,7 @@
 #include <xtables.h>
 #include <fcntl.h>
 #include <sys/utsname.h>
+#include "xshared.h"
 
 #ifndef TRUE
 #define TRUE 1
@@ -77,9 +78,10 @@
 #define CMD_SET_POLICY 0x0400U
 #define CMD_RENAME_CHAIN 0x0800U
 #define CMD_LIST_RULES 0x1000U
-#define NUMBER_OF_CMD 14
+#define CMD_ZERO_NUM 0x2000U
+#define NUMBER_OF_CMD 15
 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
- 'N', 'X', 'P', 'E', 'S' };
+ 'Z', 'N', 'X', 'P', 'E', 'S' };
 
 #define OPT_NONE 0x00000U
 #define OPT_NUMERIC 0x00001U
@@ -171,6 +173,7 @@
 /*LIST*/ {' ','x','x','x','x',' ',' ','x','x','x',' ','x'},
 /*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
 /*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
+/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
 /*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
 /*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
 /*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x','x',' '},
@@ -234,7 +237,7 @@
 IPT_DOTTED_MASK
 };
 
-static void
+static void __attribute__((noreturn))
 exit_tryhelp(int status)
 {
 if (line != -1)
@@ -248,9 +251,6 @@
 static void
 exit_printhelp(struct xtables_rule_match *matches)
 {
- struct xtables_rule_match *matchp = NULL;
- struct xtables_target *t = NULL;
-
 printf("%s v%s\n\n"
 "Usage: %s -[AD] chain rule-specification [options]\n"
 " %s -I chain [rulenum] rule-specification [options]\n"
@@ -282,7 +282,8 @@
 " --list-rules -S [chain [rulenum]]\n"
 " Print the rules in a chain or all chains\n"
 " --flush -F [chain] Delete all rules in chain or all chains\n"
-" --zero -Z [chain] Zero counters in chain or all chains\n"
+" --zero -Z [chain [rulenum]]\n"
+" Zero counters in chain or all chains\n"
 " --new -N chain Create a new user-defined chain\n"
 " --delete-chain\n"
 " -X [chain] Delete a user-defined chain\n"
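Review bot: In the `@@ -77,9 +78,10 @@` hunk `NUMBER_OF_CMD` is raised to 15 while the `cmdflags[]` initializer in the same hunk grows to 14 entries, so the constant is one larger than the table it presumably indexes; the old pair (14 vs 13) had the same skew, and the commands_v_options table in the next hunk likewise shows one row per command flag. This is harmless only if every loop bounded by `NUMBER_OF_CMD` first tests `command & (1 << i)` before touching `cmdflags[i]`, and those loops are outside the hunk. If the off-by-one is deliberate, a comment next to the define explaining why the constant exceeds the number of initializers would spare the next reader a recount; if not, `#define NUMBER_OF_CMD 14` is the value that matches both tables.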
@@ -294,9 +295,9 @@
 
 "Options:\n"
 "[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
-"[!] --source -s address[/mask]\n"
+"[!] --source -s address[/mask][...]\n"
 " source specification\n"
-"[!] --destination -d address[/mask]\n"
+"[!] --destination -d address[/mask][...]\n"
 " destination specification\n"
 "[!] --in-interface -i input name[+]\n"
 " network interface name ([+] for wildcard)\n"
@@ -320,19 +321,7 @@
 " --set-counters PKTS BYTES set the counter during insert/append\n"
 "[!] --version -V print package version.\n");
 
- /* Print out any special helps. A user might like to be able
- to add a --help to the commandline, and see expected
- results. So we call help for all specified matches & targets */
- for (t = xtables_targets; t ;t = t->next) {
- if (t->used) {
- printf("\n");
- t->help();
- }
- }
- for (matchp = matches; matchp; matchp = matchp->next) {
- printf("\n");
- matchp->match->help();
- }
+ print_extension_helps(xtables_targets, matches);
 exit(0);
 }
 
@@ -471,10 +460,10 @@
 xtables_error(PARAMETER_PROBLEM,
 "Invalid target name (too short)");
 
- if (strlen(targetname)+1 > sizeof(ipt_chainlabel))
+ if (strlen(targetname) >= XT_EXTENSION_MAXNAMELEN)
 xtables_error(PARAMETER_PROBLEM,
 "Invalid target name `%s' (%u chars max)",
- targetname, (unsigned int)sizeof(ipt_chainlabel)-1);
+ targetname, XT_EXTENSION_MAXNAMELEN - 1);
 
 for (ptr = targetname; *ptr; ptr++)
 if (isspace(*ptr))
@@ -742,8 +731,10 @@
 struct ipt_entry *fw,
 unsigned int nsaddrs,
 const struct in_addr saddrs[],
+ const struct in_addr smasks[],
 unsigned int ndaddrs,
 const struct in_addr daddrs[],
+ const struct in_addr dmasks[],
 int verbose,
 struct iptc_handle *handle)
 {
@@ -752,8 +743,10 @@
 
 for (i = 0; i < nsaddrs; i++) {
 fw->ip.src.s_addr = saddrs[i].s_addr;
+ fw->ip.smsk.s_addr = smasks[i].s_addr;
 for (j = 0; j < ndaddrs; j++) {
 fw->ip.dst.s_addr = daddrs[j].s_addr;
+ fw->ip.dmsk.s_addr = dmasks[j].s_addr;
 if (verbose)
 print_firewall_line(fw, handle);
 ret &= iptc_append_entry(chain, fw, handle);
@@ -767,13 +760,15 @@
 replace_entry(const ipt_chainlabel chain,
 struct ipt_entry *fw,
 unsigned int rulenum,
- const struct in_addr *saddr,
- const struct in_addr *daddr,
+ const struct in_addr *saddr, const struct in_addr *smask,
+ const struct in_addr *daddr, const struct in_addr *dmask,
 int verbose,
 struct iptc_handle *handle)
 {
 fw->ip.src.s_addr = saddr->s_addr;
 fw->ip.dst.s_addr = daddr->s_addr;
+ fw->ip.smsk.s_addr = smask->s_addr;
+ fw->ip.dmsk.s_addr = dmask->s_addr;
 
 if (verbose)
 print_firewall_line(fw, handle);
@@ -786,8 +781,10 @@
 unsigned int rulenum,
 unsigned int nsaddrs,
 const struct in_addr saddrs[],
+ const struct in_addr smasks[],
 unsigned int ndaddrs,
 const struct in_addr daddrs[],
+ const struct in_addr dmasks[],
 int verbose,
 struct iptc_handle *handle)
 {
@@ -796,8 +793,10 @@
 
 for (i = 0; i < nsaddrs; i++) {
 fw->ip.src.s_addr = saddrs[i].s_addr;
+ fw->ip.smsk.s_addr = smasks[i].s_addr;
 for (j = 0; j < ndaddrs; j++) {
 fw->ip.dst.s_addr = daddrs[j].s_addr;
+ fw->ip.dmsk.s_addr = dmasks[j].s_addr;
 if (verbose)
 print_firewall_line(fw, handle);
 ret &= iptc_insert_entry(chain, fw, rulenum, handle);
@@ -808,7 +807,8 @@
 }
 
 static unsigned char *
-make_delete_mask(struct ipt_entry *fw, struct xtables_rule_match *matches)
+make_delete_mask(struct xtables_rule_match *matches,
+ const struct xtables_target *target)
 {
 /* Establish mask for comparison */
 unsigned int size;
@@ -821,7 +821,7 @@
 
 mask = xtables_calloc(1, size
 + IPT_ALIGN(sizeof(struct ipt_entry_target))
- + xtables_targets->size);
+ + target->size);
 
 memset(mask, 0xFF, sizeof(struct ipt_entry));
 mptr = mask + sizeof(struct ipt_entry);
@@ -835,7 +835,7 @@
 
 memset(mptr, 0xFF,
 IPT_ALIGN(sizeof(struct ipt_entry_target))
- + xtables_targets->userspacesize);
+ + target->userspacesize);
 
 return mask;
 }
@@ -845,21 +845,26 @@
 struct ipt_entry *fw,
 unsigned int nsaddrs,
 const struct in_addr saddrs[],
+ const struct in_addr smasks[],
 unsigned int ndaddrs,
 const struct in_addr daddrs[],
+ const struct in_addr dmasks[],
 int verbose,
 struct iptc_handle *handle,
- struct xtables_rule_match *matches)
+ struct xtables_rule_match *matches,
+ const struct xtables_target *target)
 {
 unsigned int i, j;
 int ret = 1;
 unsigned char *mask;
 
- mask = make_delete_mask(fw, matches);
+ mask = make_delete_mask(matches, target);
 for (i = 0; i < nsaddrs; i++) {
 fw->ip.src.s_addr = saddrs[i].s_addr;
+ fw->ip.smsk.s_addr = smasks[i].s_addr;
 for (j = 0; j < ndaddrs; j++) {
 fw->ip.dst.s_addr = daddrs[j].s_addr;
+ fw->ip.dmsk.s_addr = dmasks[j].s_addr;
 if (verbose)
 print_firewall_line(fw, handle);
 ret &= iptc_delete_entry(chain, fw, mask, handle);
@@ -1313,7 +1318,8 @@
 struct ipt_entry fw, *e = NULL;
 int invert = 0;
 unsigned int nsaddrs = 0, ndaddrs = 0;
- struct in_addr *saddrs = NULL, *daddrs = NULL;
+ struct in_addr *saddrs = NULL, *smasks = NULL;
+ struct in_addr *daddrs = NULL, *dmasks = NULL;
 
 int c, verbose = 0;
 const char *chain = NULL;
@@ -1400,8 +1406,8 @@
 break;
 
 case 'L':
- add_command(&command, CMD_LIST, CMD_ZERO,
- invert);
+ add_command(&command, CMD_LIST,
+ CMD_ZERO | CMD_ZERO_NUM, invert);
 if (optarg) chain = optarg;
 else if (optind < argc && argv[optind][0] != '-'
 && argv[optind][0] != '!')
@@ -1412,8 +1418,8 @@
 break;
 
 case 'S':
- add_command(&command, CMD_LIST_RULES, CMD_ZERO,
- invert);
+ add_command(&command, CMD_LIST_RULES,
+ CMD_ZERO|CMD_ZERO_NUM, invert);
 if (optarg) chain = optarg;
 else if (optind < argc && argv[optind][0] != '-'
 && argv[optind][0] != '!')
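Review bot: `make_delete_mask()` now dereferences its new `target` parameter unconditionally (`target->userspacesize` in the `@@ -835,7 +835,7 @@` hunk and `target->size` in the preceding `@@ -821,7 +821,7 @@` hunk), and `delete_entry()` in `@@ -845,21 +845,26 @@` passes the pointer straight through. That is only safe if do_command() supplies a non-NULL target for every CMD_DELETE, including rules written without `-j`; the `@@ -1935,8 +1945,7 @@` hunk appears to set up a fallback target, but the guard around it is outside that hunk. A precondition comment on make_delete_mask, `/* target must be non-NULL: the caller substitutes a standard target when no -j was given */` (wording to be confirmed against do_command), or an explicit `if (target == NULL) xtables_error(...)` would make the contract visible. make_delete_mask's body is split across hunks, and delete_entry continues beyond the last line shown.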
@@ -1439,6 +1445,11 @@
 else if (optind < argc && argv[optind][0] != '-'
 && argv[optind][0] != '!')
 chain = argv[optind++];
+ if (optind < argc && argv[optind][0] != '-'
+ && argv[optind][0] != '!') {
+ rulenum = parse_rulenumber(argv[optind++]);
+ command = CMD_ZERO_NUM;
+ }
 break;
 
 case 'N':
@@ -1506,15 +1517,15 @@
 * Option selection
 */
 case 'p':
- xtables_check_inverse(optarg, &invert, &optind, argc);
+ xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_PROTOCOL, &fw.ip.invflags,
 invert);
 
 /* Canonicalize into lower case */
- for (protocol = argv[optind-1]; *protocol; protocol++)
+ for (protocol = optarg; *protocol; protocol++)
 *protocol = tolower(*protocol);
 
- protocol = argv[optind-1];
+ protocol = optarg;
 fw.ip.proto = xtables_parse_protocol(protocol);
 
 if (fw.ip.proto == 0
@@ -1524,17 +1535,17 @@
 break;
 
 case 's':
- xtables_check_inverse(optarg, &invert, &optind, argc);
+ xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_SOURCE, &fw.ip.invflags,
 invert);
- shostnetworkmask = argv[optind-1];
+ shostnetworkmask = optarg;
 break;
 
 case 'd':
- xtables_check_inverse(optarg, &invert, &optind, argc);
+ xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_DESTINATION, &fw.ip.invflags,
 invert);
- dhostnetworkmask = argv[optind-1];
+ dhostnetworkmask = optarg;
 break;
 
 #ifdef IPT_F_GOTO
@@ -1562,8 +1573,7 @@
 target->t = xtables_calloc(1, size);
 target->t->u.target_size = size;
 strcpy(target->t->u.user.name, jumpto);
- xtables_set_revision(target->t->u.user.name,
- target->revision);
+ target->t->u.user.revision = target->revision;
 if (target->init != NULL)
 target->init(target->t);
 opts = xtables_merge_options(opts,
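Review bot: In the `@@ -1439,6 +1445,11 @@` hunk the assignment `command = CMD_ZERO_NUM;` overwrites every command bit accumulated so far instead of replacing only CMD_ZERO, so `-L -Z chain rulenum` (list given first) silently drops the CMD_LIST bit and merely zeroes the counter, whereas `-Z chain rulenum -L` keeps both because the later add_command() for 'L' ORs onto CMD_ZERO_NUM (the `@@ -1400,8 +1406,8 @@` hunk above shows 'L' accepting exactly that combination). Use `command = (command & ~CMD_ZERO) | CMD_ZERO_NUM;` so previously selected commands survive. The add_command() call for 'Z' and the enclosing do_command() both lie outside the hunk, so this assumes 'Z' was recorded in `command` the same way the other cases are.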
@@ -1577,19 +1587,19 @@
 
 
 case 'i':
- xtables_check_inverse(optarg, &invert, &optind, argc);
+ xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_VIANAMEIN, &fw.ip.invflags,
 invert);
- xtables_parse_interface(argv[optind-1],
+ xtables_parse_interface(optarg,
 fw.ip.iniface,
 fw.ip.iniface_mask);
 break;
 
 case 'o':
- xtables_check_inverse(optarg, &invert, &optind, argc);
+ xtables_check_inverse(optarg, &invert, &optind, argc, argv);
 set_option(&options, OPT_VIANAMEOUT, &fw.ip.invflags,
 invert);
- xtables_parse_interface(argv[optind-1],
+ xtables_parse_interface(optarg,
 fw.ip.outiface,
 fw.ip.outiface_mask);
 break;
@@ -1621,7 +1631,7 @@
 m->m = xtables_calloc(1, size);
 m->m->u.match_size = size;
 strcpy(m->m->u.user.name, m->name);
- xtables_set_revision(m->m->u.user.name, m->revision);
+ m->m->u.user.revision = m->revision;
 if (m->init != NULL)
 m->init(m->m);
 if (m != m->next) {
@@ -1714,13 +1724,14 @@
 exit_tryhelp(2);
 
 default:
- if (!target
- || !(target->parse(c - target->option_offset,
+ if (target == NULL || target->parse == NULL ||
+ !target->parse(c - target->option_offset,
 argv, invert,
 &target->tflags,
- &fw, &target->t))) {
+ &fw, &target->t)) {
 for (matchp = matches; matchp; matchp = matchp->next) {
- if (matchp->completed)
+ if (matchp->completed ||
+ matchp->match->parse == NULL)
 continue;
 if (matchp->match->parse(c - matchp->match->option_offset,
 argv, invert,
@@ -1775,8 +1786,7 @@
 m->m = xtables_calloc(1, size);
 m->m->u.match_size = size;
 strcpy(m->m->u.user.name, m->name);
- xtables_set_revision(m->m->u.user.name,
- m->revision);
+ m->m->u.user.revision = m->revision;
 if (m->init != NULL)
 m->init(m->m);
 
@@ -1848,12 +1858,12 @@
 }
 
 if (shostnetworkmask)
- xtables_ipparse_any(shostnetworkmask, &saddrs,
- &fw.ip.smsk, &nsaddrs);
+ xtables_ipparse_multiple(shostnetworkmask, &saddrs,
+ &smasks, &nsaddrs);
 
 if (dhostnetworkmask)
- xtables_ipparse_any(dhostnetworkmask, &daddrs,
- &fw.ip.dmsk, &ndaddrs);
+ xtables_ipparse_multiple(dhostnetworkmask, &daddrs,
+ &dmasks, &ndaddrs);
 
 if ((nsaddrs > 1 || ndaddrs > 1) &&
 (fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
@@ -1866,10 +1876,10 @@
 
 generic_opt_check(command, options);
 
- if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
+ if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %i chars)",
- chain, IPT_FUNCTION_MAXNAMELEN);
+ "chain name `%s' too long (must be under %u chars)",
+ chain, XT_EXTENSION_MAXNAMELEN);
 
 /* only allocate handle if we weren't called with a handle */
 if (!*handle)
@@ -1935,8 +1945,7 @@
 target->t->u.target_size = size;
 strcpy(target->t->u.user.name, jumpto);
 if (!iptc_is_chain(jumpto, *handle))
- xtables_set_revision(target->t->u.user.name,
- target->revision);
+ target->t->u.user.revision = target->revision;
 if (target->init != NULL)
 target->init(target->t);
 }
@@ -1961,27 +1970,30 @@
 switch (command) {
 case CMD_APPEND:
 ret = append_entry(chain, e,
- nsaddrs, saddrs, ndaddrs, daddrs,
+ nsaddrs, saddrs, smasks,
+ ndaddrs, daddrs, dmasks,
 options&OPT_VERBOSE,
 *handle);
 break;
 case CMD_DELETE:
 ret = delete_entry(chain, e,
- nsaddrs, saddrs, ndaddrs, daddrs,
+ nsaddrs, saddrs, smasks,
+ ndaddrs, daddrs, dmasks,
 options&OPT_VERBOSE,
- *handle, matches);
+ *handle, matches, target);
 break;
 case CMD_DELETE_NUM:
 ret = iptc_delete_num_entry(chain, rulenum - 1, *handle);
 break;
 case CMD_REPLACE:
 ret = replace_entry(chain, e, rulenum - 1,
- saddrs, daddrs, options&OPT_VERBOSE,
- *handle);
+ saddrs, smasks, daddrs, dmasks,
+ options&OPT_VERBOSE, *handle);
 break;
 case CMD_INSERT:
 ret = insert_entry(chain, e, rulenum - 1,
- nsaddrs, saddrs, ndaddrs, daddrs,
+ nsaddrs, saddrs, smasks,
+ ndaddrs, daddrs, dmasks,
 options&OPT_VERBOSE,
 *handle);
 break;
@@ -1991,8 +2003,12 @@
 case CMD_ZERO:
 ret = zero_entries(chain, options&OPT_VERBOSE, *handle);
 break;
+ case CMD_ZERO_NUM:
+ ret = iptc_zero_counter(chain, rulenum, *handle);
+ break;
 case CMD_LIST:
 case CMD_LIST|CMD_ZERO:
+ case CMD_LIST|CMD_ZERO_NUM:
 ret = list_entries(chain,
 rulenum,
 options&OPT_VERBOSE,
@@ -2003,9 +2019,12 @@
 if (ret && (command & CMD_ZERO))
 ret = zero_entries(chain, options&OPT_VERBOSE,
 *handle);
+ if (ret && (command & CMD_ZERO_NUM))
+ ret = iptc_zero_counter(chain, rulenum, *handle);
 break;
 case CMD_LIST_RULES:
 case CMD_LIST_RULES|CMD_ZERO:
+ case CMD_LIST_RULES|CMD_ZERO_NUM:
 ret = list_rules(chain,
 rulenum,
 options&OPT_VERBOSE,
@@ -2013,6 +2032,8 @@
 if (ret && (command & CMD_ZERO))
 ret = zero_entries(chain, options&OPT_VERBOSE,
 *handle);
+ if (ret && (command & CMD_ZERO_NUM))
+ ret = iptc_zero_counter(chain, rulenum, *handle);
 break;
 case CMD_NEW_CHAIN:
 ret = iptc_create_chain(chain, *handle);
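Review bot: The new `iptc_zero_counter(chain, rulenum, *handle)` calls in the `@@ -1991,8 +2003,12 @@`, `@@ -2003,9 +2019,12 @@` and `@@ -2013,6 +2032,8 @@` hunks pass `rulenum` unadjusted, while the neighbouring CMD_DELETE_NUM, CMD_REPLACE and CMD_INSERT calls in `@@ -1961,27 +1970,30 @@` pass `rulenum - 1`. If iptc_zero_counter takes a 1-based rule number this is correct, but the asymmetry reads like an off-by-one and deserves a comment on the first call, e.g. `/* iptc_zero_counter() takes a 1-based rule number, unlike the 0-based *_num_entry() calls above */` (wording to be confirmed against libiptc); if it is in fact 0-based, all three calls are off by one. The same adjusted-or-not decision also affects the `-L chain rulenum` path that list_entries() already receives, so a single comment near the switch would cover both.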
@@ -2042,7 +2063,9 @@
 }
 
 free(saddrs);
+ free(smasks);
 free(daddrs);
+ free(dmasks);
 xtables_free_opts(1);
 
 return ret;
diff -Nru iptables-1.4.4/iptables-multi.c iptables-1.4.10/iptables-multi.c
--- iptables-1.4.4/iptables-multi.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-multi.c 2010-10-29 14:37:22.000000000 +0000
@@ -8,29 +8,43 @@
 int iptables_restore_main(int argc, char **argv);
 int iptables_xml_main(int argc, char **argv);
 
-int main(int argc, char **argv) {
- char *progname;
+int main(int argc, char **argv)
+{
+ char *progname;
 
- if (argc == 0) {
- fprintf(stderr, "no argv[0]?");
- exit(1);
- } else {
- progname = basename(argv[0]);
-
- if (!strcmp(progname, "iptables") ||
- strcmp(progname, "iptables-static") == 0)
- return iptables_main(argc, argv);
-
- if (!strcmp(progname, "iptables-save"))
- return iptables_save_main(argc, argv);
-
- if (!strcmp(progname, "iptables-restore"))
- return iptables_restore_main(argc, argv);
-
- if (!strcmp(progname, "iptables-xml"))
- return iptables_xml_main(argc, argv);
-
- fprintf(stderr, "iptables multi-purpose version: unknown applet name %s\n", progname);
- exit(1);
- }
+ if (argc < 1) {
+ fprintf(stderr, "ERROR: This should not happen.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ progname = basename(argv[0]);
+ if (strcmp(progname, "iptables") == 0)
+ return iptables_main(argc, argv);
+ if (strcmp(progname, "iptables-save") == 0)
+ return iptables_save_main(argc, argv);
+ if (strcmp(progname, "iptables-restore") == 0)
+ return iptables_restore_main(argc, argv);
+ if (strcmp(progname, "iptables-xml") == 0)
+ return iptables_xml_main(argc, argv);
+
+ ++argv;
+ --argc;
+ if (argc < 1) {
+ fprintf(stderr, "ERROR: No subcommand given.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ progname = basename(argv[0]);
+ if (strcmp(progname, "main") == 0)
+ return iptables_main(argc, argv);
+ if (strcmp(progname, "save") == 0)
+ return iptables_save_main(argc, argv);
+ if (strcmp(progname, "restore") == 0)
+ return iptables_restore_main(argc, argv);
+ if (strcmp(progname, "xml") == 0)
+ return iptables_xml_main(argc, argv);
+
+ fprintf(stderr, "iptables multi-purpose version: "
+ "unknown subcommand \"%s\"\n", progname);
+ exit(EXIT_FAILURE);
 }
diff -Nru iptables-1.4.4/iptables-restore.8 iptables-1.4.10/iptables-restore.8
--- iptables-1.4.4/iptables-restore.8 
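Review bot: The rewritten main() in the `@@ -8,29 +8,43 @@` hunk no longer recognises `iptables-static` as an applet name (the removed code matched it alongside `iptables`), so a binary or symlink still installed under that name now falls through to subcommand mode and exits with "unknown subcommand". If dropping the alias is intended it should be called out in the release notes; otherwise add `if (strcmp(progname, "iptables-static") == 0) return iptables_main(argc, argv);` beside the `iptables` case. Separately, the subcommand word is passed through basename(), so `iptables-multi ./save` dispatches as `save`; comparing `argv[0]` directly after the shift would be stricter and avoids basename()'s implementation-defined handling of its argument.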
2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-restore.8 2010-10-29 14:37:22.000000000 +0000
@@ -19,10 +19,9 @@
 .\"
 .\"
 .SH NAME
-iptables-restore \- Restore IP Tables
+iptables-restore \(em Restore IP Tables
 .SH SYNOPSIS
-.BR "iptables-restore " "[-c] [-n]"
-.br
+\fBiptables\-restore\fP [\fB\-c\fP] [\fB\-n\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-restore
@@ -41,7 +40,7 @@
 .SH AUTHOR
 Harald Welte <laforge@gnumonks.org>
 .SH SEE ALSO
-.BR iptables-save "(8), " iptables "(8) "
+\fBiptables\-save\fP(8), \fBiptables\fP(8)
 .PP
 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the
diff -Nru iptables-1.4.4/iptables-restore.c iptables-1.4.10/iptables-restore.c
--- iptables-1.4.4/iptables-restore.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-restore.c 2010-10-29 14:37:22.000000000 +0000
@@ -140,7 +140,7 @@
 iptables_globals.program_version);
 exit(1);
 }
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 init_extensions();
 #endif
 
@@ -259,6 +259,12 @@
 exit(1);
 }
 
+ if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid chain name `%s' "
+ "(%u chars max)",
+ chain, XT_EXTENSION_MAXNAMELEN - 1);
+
 if (iptc_builtin(chain, handle) <= 0) {
 if (noflush && iptc_is_chain(chain, handle)) {
 DEBUGP("Flushing existing user defined chain '%s'\n", chain);
diff -Nru iptables-1.4.4/iptables-save.8 iptables-1.4.10/iptables-save.8
--- iptables-1.4.4/iptables-save.8 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-save.8 2010-10-29 14:37:22.000000000 +0000
@@ -19,7 +19,7 @@
 .\"
 .\"
 .SH NAME
-iptables-save - dump iptables rules to stdout
+iptables-save \(em dump iptables rules to stdout
 .SH SYNOPSIS
 \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] [\fB\-t\fP \fItable\fP]
@@ -44,7 +44,7 @@
 .SH AUTHOR
 Harald Welte <laforge@gnumonks.org>
 .SH SEE ALSO
-.BR iptables-restore "(8), " iptables "(8) "
+\fBiptables\-restore\fP(8), \fBiptables\fP(8)
 .PP
 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the
diff -Nru iptables-1.4.4/iptables-save.c iptables-1.4.10/iptables-save.c
--- iptables-1.4.4/iptables-save.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-save.c 2010-10-29 14:37:22.000000000 +0000
@@ -148,7 +148,7 @@
 iptables_globals.program_version);
 exit(1);
 }
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 init_extensions();
 #endif
 
diff -Nru iptables-1.4.4/iptables-standalone.c iptables-1.4.10/iptables-standalone.c
--- iptables-1.4.4/iptables-standalone.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-standalone.c 2010-10-29 14:37:22.000000000 +0000
@@ -58,7 +58,7 @@
 iptables_globals.program_version);
 exit(1);
 }
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 init_extensions();
 #endif
 
diff -Nru iptables-1.4.4/iptables-xml.8 iptables-1.4.10/iptables-xml.8
--- iptables-1.4.4/iptables-xml.8 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-xml.8 2010-10-29 14:37:22.000000000 +0000
@@ -19,10 +19,9 @@
 .\"
 .\"
 .SH NAME
-iptables-xml \- Convert iptables-save format to XML
+iptables-xml \(em Convert iptables-save format to XML
 .SH SYNOPSIS
-.BR "iptables-xml " "[-c] [-v]"
-.br
+\fBiptables\-xml\fP [\fB\-c\fP] [\fB\-v\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-xml
@@ -42,7 +41,7 @@
 
 .PP
 iptables-xml does a mechanistic conversion to a very expressive xml
-format; the only semantic considerations are for -g and -j targets in
+format; the only semantic considerations are for \-g and \-j targets in
 order to discriminate between <call> <goto> and <nane-of-target> as it helps xml processing scripts if they can tell the difference between a target like SNAT and another chain.
@@ -85,5 +84,4 @@
 .SH AUTHOR
 Sam Liddicott <azez@ufomechanic.net>
 .SH SEE ALSO
-.BR iptables-save "(8), " iptables-restore "(8), " iptables "(8) "
-.PP
+\fBiptables\-save\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
diff -Nru iptables-1.4.4/iptables-xml.c iptables-1.4.10/iptables-xml.c
--- iptables-1.4.4/iptables-xml.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/iptables-xml.c 2010-10-29 14:37:22.000000000 +0000
@@ -64,7 +64,7 @@
 static int
 parse_counters(char *string, struct ipt_counters *ctr)
 {
- u_int64_t *pcnt, *bcnt;
+ __u64 *pcnt, *bcnt;
 
 if (string != NULL) {
 pcnt = &ctr->pcnt;
diff -Nru iptables-1.4.4/libipq/ipq_create_handle.3 iptables-1.4.10/libipq/ipq_create_handle.3
--- iptables-1.4.4/libipq/ipq_create_handle.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/ipq_create_handle.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-ipq_create_handle, ipq_destroy_handle - create and destroy libipq handles.
+ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles.
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
@@ -65,7 +65,7 @@
 .B ipq_destroy_handle
 returns zero.
 .br
-On failure, -1 is returned.
+On failure, \-1 is returned.
 .SH ERRORS
 On failure, a descriptive error message will be available via the
 
diff -Nru iptables-1.4.4/libipq/ipq_errstr.3 iptables-1.4.10/libipq/ipq_errstr.3
--- iptables-1.4.4/libipq/ipq_errstr.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/ipq_errstr.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-ipq_errstr, ipq_perror - libipq error handling routines
+ipq_errstr, ipq_perror \(em libipq error handling routines
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
diff -Nru iptables-1.4.4/libipq/ipq_message_type.3 iptables-1.4.10/libipq/ipq_message_type.3
--- iptables-1.4.4/libipq/ipq_message_type.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/ipq_message_type.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-ipq_message_type, ipq_get_packet, ipq_getmsgerr - query queue messages
+ipq_message_type, ipq_get_packet, ipq_getmsgerr \(em query queue messages
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
diff -Nru iptables-1.4.4/libipq/ipq_read.3 iptables-1.4.10/libipq/ipq_read.3
--- iptables-1.4.4/libipq/ipq_read.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/ipq_read.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-ipq_read - read queue messages from ip_queue and read into supplied buffer
+ipq_read \(em read queue messages from ip_queue and read into supplied buffer
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
@@ -64,7 +64,7 @@
 .BR ipq_get_msgerr
 functions to access the queue message in the buffer.
 .SH RETURN VALUE
-On failure, -1 is returned.
+On failure, \-1 is returned.
 .br
 On success, a non-zero positive value is returned when no timeout value is specified.
diff -Nru iptables-1.4.4/libipq/ipq_set_mode.3 iptables-1.4.10/libipq/ipq_set_mode.3
--- iptables-1.4.4/libipq/ipq_set_mode.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/ipq_set_mode.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-ipq_set_mode - set the ip_queue queuing mode
+ipq_set_mode \(em set the ip_queue queuing mode
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
@@ -68,7 +68,7 @@
 the ip_queue module does not know that a userspace application is ready to communicate until it receives a message such as this.
 .SH RETURN VALUE
-On failure, -1 is returned.
+On failure, \-1 is returned.
 .br
 On success, a non-zero positive value is returned.
 .SH ERRORS
diff -Nru iptables-1.4.4/libipq/ipq_set_verdict.3 iptables-1.4.10/libipq/ipq_set_verdict.3
--- iptables-1.4.4/libipq/ipq_set_verdict.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/ipq_set_verdict.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-ipq_set_verdict - issue verdict and optionally modified packet to kernel
+ipq_set_verdict \(em issue verdict and optionally modified packet to kernel
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
@@ -80,7 +80,7 @@
 The application is responsible for recalculating any packet checksums when modifying packets.
 .SH RETURN VALUE
-On failure, -1 is returned.
+On failure, \-1 is returned.
 .br
 On success, a non-zero positive value is returned.
 .SH ERRORS
diff -Nru iptables-1.4.4/libipq/libipq.3 iptables-1.4.10/libipq/libipq.3
--- iptables-1.4.4/libipq/libipq.3 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/libipq/libipq.3 2010-10-29 14:37:22.000000000 +0000
@@ -20,7 +20,7 @@
 .\"
 .\"
 .SH NAME
-libipq \- iptables userspace packet queuing library.
+libipq \(em iptables userspace packet queuing library.
 .SH SYNOPSIS
 .B #include <linux/netfilter.h>
 .br
@@ -51,7 +51,7 @@
 .br
 # modprobe ip_queue
 .br
- # iptables -A OUTPUT -p icmp -j QUEUE
+ # iptables \-A OUTPUT \-p icmp \-j QUEUE
 .PP
 will cause any locally generated ICMP packets (e.g. ping output) to be sent to the ip_queue module, which will then attempt to deliver the
diff -Nru iptables-1.4.4/libipq/Makefile.am iptables-1.4.10/libipq/Makefile.am
--- iptables-1.4.4/libipq/Makefile.am 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/libipq/Makefile.am 2010-10-29 14:37:22.000000000 +0000
@@ -2,8 +2,8 @@ AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -libipq_a_SOURCES = libipq.c -lib_LIBRARIES = libipq.a +libipq_la_SOURCES = libipq.c +lib_LTLIBRARIES = libipq.la man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \ ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \ diff -Nru iptables-1.4.4/libipq/Makefile.in iptables-1.4.10/libipq/Makefile.in --- iptables-1.4.4/libipq/Makefile.in 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/libipq/Makefile.in 2010-10-29 14:40:40.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.9.6 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,15 +17,11 @@ # -*- Makefile -*- -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c 
@@ -41,51 +38,65 @@ subdir = libipq DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" -libLIBRARIES_INSTALL = $(INSTALL_DATA) -LIBRARIES = $(lib_LIBRARIES) -ARFLAGS = cru -libipq_a_AR = $(AR) $(ARFLAGS) -libipq_a_LIBADD = 
-am_libipq_a_OBJECTS = libipq.$(OBJEXT) -libipq_a_OBJECTS = $(am_libipq_a_OBJECTS) -DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir) +LTLIBRARIES = $(lib_LTLIBRARIES) +libipq_la_LIBADD = +am_libipq_la_OBJECTS = libipq.lo +libipq_la_OBJECTS = $(am_libipq_la_OBJECTS) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles +am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libipq_a_SOURCES) -DIST_SOURCES = $(libipq_a_SOURCES) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libipq_la_SOURCES) +DIST_SOURCES = $(libipq_la_SOURCES) man3dir = $(mandir)/man3 NROFF = nroff MANS = $(man_MANS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +pkgdatadir = @pkgdatadir@ ACLOCAL = @ACLOCAL@ -AMDEP_FALSE = @AMDEP_FALSE@ -AMDEP_TRUE = @AMDEP_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ 
@@ -106,21 +117,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ -ENABLE_DEVEL_FALSE = @ENABLE_DEVEL_FALSE@ -ENABLE_DEVEL_TRUE = @ENABLE_DEVEL_TRUE@ -ENABLE_IPV4_FALSE = @ENABLE_IPV4_FALSE@ -ENABLE_IPV4_TRUE = @ENABLE_IPV4_TRUE@ -ENABLE_IPV6_FALSE = @ENABLE_IPV6_FALSE@ -ENABLE_IPV6_TRUE = @ENABLE_IPV6_TRUE@ -ENABLE_LIBIPQ_FALSE = @ENABLE_LIBIPQ_FALSE@ -ENABLE_LIBIPQ_TRUE = @ENABLE_LIBIPQ_TRUE@ -ENABLE_SHARED_FALSE = @ENABLE_SHARED_FALSE@ -ENABLE_SHARED_TRUE = @ENABLE_SHARED_TRUE@ -ENABLE_STATIC_FALSE = @ENABLE_STATIC_FALSE@ -ENABLE_STATIC_TRUE = @ENABLE_STATIC_TRUE@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ @@ -134,6 +134,7 @@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ @@ -145,18 +146,24 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ -am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -169,6 +176,7 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ 
@@ -188,6 +196,9 @@ ksourcedir = @ksourcedir@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@ +libnfnetlink_CFLAGS = @libnfnetlink_CFLAGS@ +libnfnetlink_LIBS = @libnfnetlink_LIBS@ libxtables_vage = @libxtables_vage@ libxtables_vcurrent = @libxtables_vcurrent@ libxtables_vmajor = @libxtables_vmajor@ @@ -205,12 +216,16 @@ regular_CFLAGS = @regular_CFLAGS@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include -libipq_a_SOURCES = libipq.c -lib_LIBRARIES = libipq.a +libipq_la_SOURCES = libipq.c +lib_LTLIBRARIES = libipq.la man_MANS = ipq_create_handle.3 ipq_destroy_handle.3 ipq_errstr.3 \ ipq_get_msgerr.3 ipq_get_packet.3 ipq_message_type.3 \ ipq_perror.3 ipq_read.3 ipq_set_mode.3 ipq_set_verdict.3 \ @@ -224,14 +239,14 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu libipq/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu libipq/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu libipq/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu libipq/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -249,39 +264,40 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -install-libLIBRARIES: $(lib_LIBRARIES) +$(am__aclocal_m4_deps): +install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(libLIBRARIES_INSTALL) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(libLIBRARIES_INSTALL) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ - else :; fi; \ - done - @$(POST_INSTALL) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - p=$(am__strip_dir) \ - echo " $(RANLIB) '$(DESTDIR)$(libdir)/$$p'"; \ - $(RANLIB) "$(DESTDIR)$(libdir)/$$p"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } -uninstall-libLIBRARIES: +uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(lib_LIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done -clean-libLIBRARIES: - -test -z "$(lib_LIBRARIES)" || rm -f $(lib_LIBRARIES) -libipq.a: $(libipq_a_OBJECTS) 
$(libipq_a_DEPENDENCIES) - -rm -f libipq.a - $(libipq_a_AR) libipq.a $(libipq_a_OBJECTS) $(libipq_a_LIBADD) - $(RANLIB) libipq.a +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libipq.la: $(libipq_la_OBJECTS) $(libipq_la_DEPENDENCIES) + $(LINK) -rpath $(libdir) $(libipq_la_OBJECTS) $(libipq_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -289,25 +305,25 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libipq.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libipq.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< 
@@ -317,137 +333,146 @@ clean-libtool: -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man3: $(man3_MANS) $(man_MANS) +install-man3: $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)" - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ + test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)" + @list=''; test -n "$(man3dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.3[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \ + done; } + uninstall-man3: 
@$(NORMAL_UNINSTALL) - @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.3*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 3*) ;; \ - *) ext='3' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man3dir)/$$inst"; \ - done + @list=''; test -n "$(man3dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.3[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man3dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man3dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z 
"$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ + @list='$(MANS)'; if test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab 
help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am -all-am: Makefile $(LIBRARIES) $(MANS) +all-am: Makefile $(LTLIBRARIES) $(MANS) installdirs: for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am @@ -469,20 +494,21 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libLIBRARIES clean-libtool \ +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags + distclean-tags dvi: dvi-am @@ -490,18 +516,38 @@ html: html-am +html-am: + info: info-am info-am: install-data-am: install-man -install-exec-am: install-libLIBRARIES +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: install-info: install-info-am +install-info-am: + install-man: install-man3 +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -522,22 +568,27 @@ ps-am: -uninstall-am: uninstall-info-am uninstall-libLIBRARIES uninstall-man +uninstall-am: uninstall-libLTLIBRARIES uninstall-man uninstall-man: uninstall-man3 +.MAKE: install-am install-strip + .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libLIBRARIES clean-libtool ctags distclean \ + clean-libLTLIBRARIES clean-libtool ctags distclean \ distclean-compile distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-libLIBRARIES install-man install-man3 install-strip \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-libLTLIBRARIES install-man install-man3 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-libLIBRARIES uninstall-man uninstall-man3 + tags uninstall uninstall-am uninstall-libLTLIBRARIES \ + uninstall-man uninstall-man3 + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -Nru iptables-1.4.4/libiptc/libip4tc.c iptables-1.4.10/libiptc/libip4tc.c --- iptables-1.4.4/libiptc/libip4tc.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/libiptc/libip4tc.c 2010-10-29 14:37:22.000000000 +0000 @@ -124,8 +124,8 @@ #define IP_PARTS(n) IP_PARTS_NATIVE(ntohl(n)) -int -dump_entry(STRUCT_ENTRY *e, struct iptc_handle *const handle) +static int +dump_entry(struct ipt_entry *e, struct iptc_handle *const handle) { size_t i; STRUCT_ENTRY_TARGET *t; 
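Review bot: The new signature mixes the concrete `struct ipt_entry *e` with the macro-typed `STRUCT_ENTRY_TARGET *t` declared two lines below it, so the function is now half abstracted and half not; either keep `STRUCT_ENTRY *e` or spell out the target type as well. Making `dump_entry` `static` is fine provided no other translation unit referenced it, which this diff does not show. The body of `dump_entry` continues outside the hunk.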
@@ -154,7 +154,8 @@ t = GET_TARGET(e); printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size); if (strcmp(t->u.user.name, STANDARD_TARGET) == 0) { - int pos = *(int *)t->data; + const unsigned char *data = t->data; + int pos = *(const int *)data; if (pos < 0) printf("verdict=%s\n", pos == -NF_ACCEPT-1 ? "NF_ACCEPT" diff -Nru iptables-1.4.4/libiptc/libip6tc.c iptables-1.4.10/libiptc/libip6tc.c --- iptables-1.4.4/libiptc/libip6tc.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/libiptc/libip6tc.c 2010-10-29 14:37:22.000000000 +0000 @@ -185,7 +185,8 @@ t = ip6t_get_target(e); printf("Target name: `%s' [%u]\n", t->u.user.name, t->u.target_size); if (strcmp(t->u.user.name, IP6T_STANDARD_TARGET) == 0) { - int pos = *(int *)t->data; + const unsigned char *data = t->data; + int pos = *(const int *)data; if (pos < 0) printf("verdict=%s\n", pos == -NF_ACCEPT-1 ? "NF_ACCEPT" diff -Nru iptables-1.4.4/libiptc/libiptc.c iptables-1.4.10/libiptc/libiptc.c --- iptables-1.4.4/libiptc/libiptc.c 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/libiptc/libiptc.c 2010-10-29 14:37:22.000000000 +0000 @@ -816,18 +816,20 @@ * to be called from specific places within the parser */ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num) { + const unsigned char *data; + if (h->chain_iterator_cur) { /* policy rule is last rule */ struct rule_head *pr = (struct rule_head *) h->chain_iterator_cur->rules.prev; /* save verdict */ - h->chain_iterator_cur->verdict = - *(int *)GET_TARGET(pr->entry)->data; + data = GET_TARGET(pr->entry)->data; + h->chain_iterator_cur->verdict = *(const int *)data; /* save counter and counter_map information */ h->chain_iterator_cur->counter_map.maptype = - COUNTER_MAP_NORMAL_MAP; + COUNTER_MAP_ZEROED; h->chain_iterator_cur->counter_map.mappos = num-1; memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters, sizeof(h->chain_iterator_cur->counters)); 
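Review bot: `int pos = *(const int *)data;` still performs an int-sized read through a pointer derived from `t->data`, so the intermediate `const unsigned char *data` only avoids the cast warning and does not remove the alignment assumption; `int pos; memcpy(&pos, t->data, sizeof pos);` expresses the same read portably. Nothing in the hunk checks that `t->u.target_size` covers `sizeof(int)` before the read; the entries presumably arrive from the kernel already sized and aligned, but a one-line comment stating that assumption would help the next reader. The same pattern is introduced in the libip6tc.c hunk at `@@ -185,7 +185,8 @@` and in the libiptc.c hunks at `@@ -816,18 +816,20 @@` and `@@ -1647,7 +1611,8 @@`. The enclosing function continues outside the hunk.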
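Review bot: The change of `counter_map.maptype` from `COUNTER_MAP_NORMAL_MAP` to `COUNTER_MAP_ZEROED` for the saved policy rule is a behavior change with no explanation in the hunk, and it sits next to the unrelated cast cleanup, so it is easy to mistake for a mechanical edit. A why-comment such as `/* policy entry counters are mapped as zeroed, not copied — confirm against the code that consumes maptype at commit time */` would keep the next reader from reverting it; the consumer of maptype is not visible here, so the exact semantics are inferred. `__iptcc_p_del_policy` continues outside the hunk.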
@@ -1563,45 +1565,6 @@ return r->entry; } -/* How many rules in this chain? */ -static unsigned int -TC_NUM_RULES(const char *chain, struct xtc_handle *handle) -{ - struct chain_head *c; - iptc_fn = TC_NUM_RULES; - CHECK(handle); - - c = iptcc_find_label(chain, handle); - if (!c) { - errno = ENOENT; - return (unsigned int)-1; - } - - return c->num_rules; -} - -static const STRUCT_ENTRY * -TC_GET_RULE(const char *chain, unsigned int n, struct xtc_handle *handle) -{ - struct chain_head *c; - struct rule_head *r; - - iptc_fn = TC_GET_RULE; - - CHECK(handle); - - c = iptcc_find_label(chain, handle); - if (!c) { - errno = ENOENT; - return NULL; - } - - r = iptcc_get_rule_num(c, n); - if (!r) - return NULL; - return r->entry; -} - /* Returns a pointer to the target name of this position. */ static const char *standard_target_map(int verdict) { @@ -1634,6 +1597,7 @@ { STRUCT_ENTRY *e = (STRUCT_ENTRY *)ce; struct rule_head *r = container_of(e, struct rule_head, entry[0]); + const unsigned char *data; iptc_fn = TC_GET_TARGET; @@ -1647,7 +1611,8 @@ return r->jump->name; break; case IPTCC_R_STANDARD: - spos = *(int *)GET_TARGET(e)->data; + data = GET_TARGET(e)->data; + spos = *(const int *)data; DEBUGP("r=%p, spos=%d'\n", r, spos); return standard_target_map(spos); break; diff -Nru iptables-1.4.4/libiptc.pc.in iptables-1.4.10/libiptc.pc.in --- iptables-1.4.4/libiptc.pc.in 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/libiptc.pc.in 2010-10-29 14:37:22.000000000 +0000 @@ -8,4 +8,5 @@ Description: iptables ruleset ADT and kernel interface Version: @PACKAGE_VERSION@ Libs: -L${libdir} -liptc +Libs.private: -lip4tc -lip6tc Cflags: -I${includedir} diff -Nru iptables-1.4.4/ltmain.sh iptables-1.4.10/ltmain.sh --- iptables-1.4.4/ltmain.sh 2009-06-16 14:42:50.000000000 +0000 +++ iptables-1.4.10/ltmain.sh 2010-10-29 14:40:34.000000000 +0000 
@@ -1,6 +1,6 @@ # Generated from ltmain.m4sh. -# ltmain.sh (GNU libtool) 2.2.6 +# ltmain.sh (GNU libtool) 2.2.6b # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc. @@ -65,7 +65,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.2.6 Debian-2.2.6a-4 +# $progname: (GNU libtool) 2.2.6b Debian-2.2.6b-2 # automake: $automake_version # autoconf: $autoconf_version # @@ -73,9 +73,9 @@ PROGRAM=ltmain.sh PACKAGE=libtool -VERSION="2.2.6 Debian-2.2.6a-4" +VERSION="2.2.6b Debian-2.2.6b-2" TIMESTAMP="" -package_revision=1.3012 +package_revision=1.3017 # Be Bourne compatible if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then diff -Nru iptables-1.4.4/m4/ax_check_linker_flags.m4 iptables-1.4.10/m4/ax_check_linker_flags.m4 --- iptables-1.4.4/m4/ax_check_linker_flags.m4 1970-01-01 00:00:00.000000000 +0000 +++ iptables-1.4.10/m4/ax_check_linker_flags.m4 2010-10-29 14:37:22.000000000 +0000 
@@ -0,0 +1,78 @@ +#http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_check_linker_flags.m4 +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_linker_flags.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_LINKER_FLAGS(FLAGS, [ACTION-SUCCESS], [ACTION-FAILURE]) +# +# DESCRIPTION +# +# Check whether the given linker FLAGS work with the current language's +# linker, or whether they give an error. +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# NOTE: Based on AX_CHECK_COMPILER_FLAGS. +# +# LICENSE +# +# Copyright (c) 2009 Mike Frysinger <vapier@gentoo.org> +# Copyright (c) 2009 Steven G. Johnson <stevenj@alum.mit.edu> +# Copyright (c) 2009 Matteo Frigo +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see <http://www.gnu.org/licenses/>. +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. 
The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 6 + +AC_DEFUN([AX_CHECK_LINKER_FLAGS], +[AC_MSG_CHECKING([whether the linker accepts $1]) +dnl Some hackery here since AC_CACHE_VAL can't handle a non-literal varname: +AS_LITERAL_IF([$1], + [AC_CACHE_VAL(AS_TR_SH(ax_cv_linker_flags_[$1]), [ + ax_save_FLAGS=$LDFLAGS + LDFLAGS="$1" + AC_LINK_IFELSE([AC_LANG_PROGRAM()], + AS_TR_SH(ax_cv_linker_flags_[$1])=yes, + AS_TR_SH(ax_cv_linker_flags_[$1])=no) + LDFLAGS=$ax_save_FLAGS])], + [ax_save_FLAGS=$LDFLAGS + LDFLAGS="$1" + AC_LINK_IFELSE([AC_LANG_PROGRAM()], + eval AS_TR_SH(ax_cv_linker_flags_[$1])=yes, + eval AS_TR_SH(ax_cv_linker_flags_[$1])=no) + LDFLAGS=$ax_save_FLAGS]) +eval ax_check_linker_flags=$AS_TR_SH(ax_cv_linker_flags_[$1]) +AC_MSG_RESULT($ax_check_linker_flags) +if test "x$ax_check_linker_flags" = xyes; then + m4_default([$2], :) +else + m4_default([$3], :) +fi +])dnl AX_CHECK_LINKER_FLAGS diff -Nru iptables-1.4.4/m4/libtool.m4 iptables-1.4.10/m4/libtool.m4 --- iptables-1.4.4/m4/libtool.m4 2009-06-16 14:42:50.000000000 +0000 +++ iptables-1.4.10/m4/libtool.m4 2010-10-29 14:40:34.000000000 +0000 @@ -2445,7 +2445,7 @@ ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) version_type=linux need_lib_prefix=no need_version=no @@ -3084,7 +3084,7 @@ ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -3705,7 +3705,7 @@ ;; esac ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in KCC*) # KAI C++ Compiler 
@@ -3989,7 +3989,7 @@ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -4285,6 +4285,7 @@ fi supports_anon_versioning=no case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... @@ -4376,7 +4377,7 @@ _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; - gnu* | linux* | tpf* | k*bsd*-gnu) + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) tmp_diet=no if test "$host_os" = linux-dietlibc; then case $cc_basename in @@ -5860,7 +5861,7 @@ _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler diff -Nru iptables-1.4.4/m4/ltversion.m4 iptables-1.4.10/m4/ltversion.m4 --- iptables-1.4.4/m4/ltversion.m4 2009-06-16 14:42:50.000000000 +0000 +++ iptables-1.4.10/m4/ltversion.m4 2010-10-29 14:40:34.000000000 +0000 
@@ -9,15 +9,15 @@ # Generated from ltversion.in. -# serial 3012 ltversion.m4 +# serial 3017 ltversion.m4 # This file is part of GNU Libtool -m4_define([LT_PACKAGE_VERSION], [2.2.6]) -m4_define([LT_PACKAGE_REVISION], [1.3012]) +m4_define([LT_PACKAGE_VERSION], [2.2.6b]) +m4_define([LT_PACKAGE_REVISION], [1.3017]) AC_DEFUN([LTVERSION_VERSION], -[macro_version='2.2.6' -macro_revision='1.3012' +[macro_version='2.2.6b' +macro_revision='1.3017' _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) _LT_DECL(, macro_revision, 0) ]) diff -Nru iptables-1.4.4/Makefile.am iptables-1.4.10/Makefile.am --- iptables-1.4.4/Makefile.am 2009-06-16 14:37:44.000000000 +0000 +++ iptables-1.4.10/Makefile.am 2010-10-29 14:37:22.000000000 +0000 
@@ -11,94 +11,66 @@ if ENABLE_LIBIPQ SUBDIRS += libipq endif +if HAVE_LIBNFNETLINK +SUBDIRS += utils +endif lib_LTLIBRARIES = # libiptc -lib_LTLIBRARIES += libiptc/libiptc.la -libiptc_libiptc_la_SOURCES = libiptc/libip4tc.c libiptc/libip6tc.c -libiptc_libiptc_la_LDFLAGS = -version-info 0:0:0 +lib_LTLIBRARIES += libiptc/libip4tc.la libiptc/libip6tc.la libiptc/libiptc.la +libiptc_libiptc_la_SOURCES = +libiptc_libiptc_la_LIBADD = libiptc/libip4tc.la libiptc/libip6tc.la +libiptc_libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} +libiptc_libip4tc_la_SOURCES = libiptc/libip4tc.c +libiptc_libip4tc_la_LDFLAGS = -version-info 0:0:0 +libiptc_libip6tc_la_SOURCES = libiptc/libip6tc.c +libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} lib_LTLIBRARIES += libxtables.la libxtables_la_SOURCES = xtables.c libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage} +if ENABLE_SHARED +libxtables_la_CFLAGS = ${AM_CFLAGS} libxtables_la_LIBADD = -ldl +else +libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1 +libxtables_la_LIBADD = +endif -# iptables, dynamic -iptables_SOURCES = iptables-standalone.c iptables.c -iptables_LDFLAGS = -rdynamic -iptables_LDADD = libiptc/libiptc.la extensions/libext4.a libxtables.la -lm - -iptables_xml_LDADD = libxtables.la iptables_multi_SOURCES = iptables-multi.c iptables-save.c \ iptables-restore.c iptables-xml.c \ - iptables-standalone.c iptables.c + iptables-standalone.c iptables.c xshared.c iptables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI -iptables_multi_LDFLAGS = ${iptables_LDFLAGS} -iptables_multi_LDADD = ${iptables_LDADD} - -iptables_restore_SOURCES = iptables-restore.c iptables.c -iptables_restore_LDFLAGS = ${iptables_LDFLAGS} -iptables_restore_LDADD = ${iptables_LDADD} - -iptables_save_SOURCES = iptables-save.c iptables.c -iptables_save_LDFLAGS = ${iptables_LDFLAGS} -iptables_save_LDADD = ${iptables_LDADD} - -# iptables-multi, semi-static -iptables_static_SOURCES = 
${iptables_multi_SOURCES} xtables.c -iptables_static_CFLAGS = ${iptables_multi_CFLAGS} -DNO_SHARED_LIBS=1 -iptables_static_LDADD = libiptc/libiptc.la extensions/libext4.a -lm - -iptables_xml_SOURCES = iptables-xml.c - -# ip6tables, dynamic -ip6tables_SOURCES = ip6tables-standalone.c ip6tables.c -ip6tables_LDFLAGS = -rdynamic -ip6tables_LDADD = libiptc/libiptc.la extensions/libext6.a libxtables.la -lm +if ENABLE_STATIC +iptables_multi_CFLAGS += -DALL_INCLUSIVE +endif +iptables_multi_LDFLAGS = -rdynamic +iptables_multi_LDADD = libiptc/libip4tc.la extensions/libext4.a libxtables.la -lm ip6tables_multi_SOURCES = ip6tables-multi.c ip6tables-save.c \ ip6tables-restore.c ip6tables-standalone.c \ - ip6tables.c + ip6tables.c xshared.c ip6tables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI -ip6tables_multi_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_multi_LDADD = ${ip6tables_LDADD} - -ip6tables_restore_SOURCES = ip6tables-restore.c ip6tables.c -ip6tables_restore_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_restore_LDADD = ${ip6tables_LDADD} - -ip6tables_save_SOURCES = ip6tables-save.c ip6tables.c -ip6tables_save_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_save_LDADD = ${ip6tables_LDADD} - -# iptables-multi, semi-static -ip6tables_static_SOURCES = ${ip6tables_multi_SOURCES} xtables.c -ip6tables_static_CFLAGS = ${ip6tables_multi_CFLAGS} -DNO_SHARED_LIBS=1 -ip6tables_static_LDADD = libiptc/libiptc.la extensions/libext6.a -lm +if ENABLE_STATIC +ip6tables_multi_CFLAGS += -DALL_INCLUSIVE +endif +ip6tables_multi_LDFLAGS = -rdynamic +ip6tables_multi_LDADD = libiptc/libip6tc.la extensions/libext6.a libxtables.la -lm -bin_PROGRAMS = iptables-xml sbin_PROGRAMS = -noinst_PROGRAMS = man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.8 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 CLEANFILES = iptables.8 ip6tables.8 -if ENABLE_STATIC if ENABLE_IPV4 -sbin_PROGRAMS += iptables-static +sbin_PROGRAMS += iptables-multi +v4_bin_links = iptables-xml +v4_sbin_links = iptables 
iptables-restore iptables-save endif if ENABLE_IPV6 -sbin_PROGRAMS += ip6tables-static -endif -endif -if ENABLE_SHARED -if ENABLE_IPV4 -sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save -endif -if ENABLE_IPV6 -sbin_PROGRAMS += ip6tables ip6tables-multi ip6tables-restore ip6tables-save -endif +sbin_PROGRAMS += ip6tables-multi +v6_sbin_links = ip6tables ip6tables-restore ip6tables-save endif iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man @@ -123,3 +95,7 @@ # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; + ${INSTALL} -dm0755 "${DESTDIR}${bindir}"; + for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done; + for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done; + for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done; diff -Nru iptables-1.4.4/Makefile.in iptables-1.4.10/Makefile.in --- iptables-1.4.4/Makefile.in 2009-06-16 14:42:57.000000000 +0000 +++ iptables-1.4.10/Makefile.in 2010-10-29 14:40:40.000000000 +0000 @@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.9.6 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
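Review bot: `libiptc_libip4tc_la_LDFLAGS` is the only one of the three new libiptc libraries that omits `${libiptc_LDFLAGS2}`, while `libiptc_libiptc_la_LDFLAGS` and `libiptc_libip6tc_la_LDFLAGS` both append it. If the asymmetry is intended, a one-line comment above the ip4tc rule stating why would stop the next reader from "fixing" it; if it is an oversight, the line should read `libiptc_libip4tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}`. The two `if ENABLE_STATIC` blocks that add `-DALL_INCLUSIVE` to iptables_multi_CFLAGS and ip6tables_multi_CFLAGS would also benefit from a comment saying what that define selects in the C sources, since its effect cannot be read from the Makefile alone.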
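Review bot: A failing `${LN_S}` inside the three `for` loops of install-exec-hook does not abort `make install`: the recipe line's exit status is that of the last command run, so only a failure of the final link in the v6 loop is reported and a partially linked tree (for example sbin/iptables missing while iptables-restore exists) installs silently. Appending `|| exit 1` to each link command, as in `${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i" || exit 1;`, makes the hook fail loudly. The combined `${INSTALL} -dm0755` form presumably works with a system install(1), but if configure falls back to the bundled install-sh the fused option may not be accepted; `-d -m 0755` is safe for both. Nothing in this hunk adds a matching uninstall-hook, so `make uninstall` would leave the symlinks pointing at a removed iptables-multi unless that hook exists elsewhere in the file, outside this hunk.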
@@ -18,15 +19,11 @@ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = . +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c @@ -42,14 +39,13 @@ host_triplet = @host@ @ENABLE_DEVEL_TRUE@am__append_1 = include @ENABLE_LIBIPQ_TRUE@am__append_2 = libipq -bin_PROGRAMS = iptables-xml$(EXEEXT) -sbin_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) $(am__EXEEXT_3) \ - $(am__EXEEXT_4) -noinst_PROGRAMS = -@ENABLE_IPV4_TRUE@@ENABLE_STATIC_TRUE@am__append_3 = iptables-static -@ENABLE_IPV6_TRUE@@ENABLE_STATIC_TRUE@am__append_4 = ip6tables-static -@ENABLE_IPV4_TRUE@@ENABLE_SHARED_TRUE@am__append_5 = iptables iptables-multi iptables-restore iptables-save -@ENABLE_IPV6_TRUE@@ENABLE_SHARED_TRUE@am__append_6 = ip6tables ip6tables-multi ip6tables-restore ip6tables-save +@HAVE_LIBNFNETLINK_TRUE@am__append_3 = utils +@ENABLE_STATIC_TRUE@am__append_4 = -DALL_INCLUSIVE +@ENABLE_STATIC_TRUE@am__append_5 = -DALL_INCLUSIVE +sbin_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2) +@ENABLE_IPV4_TRUE@am__append_6 = iptables-multi +@ENABLE_IPV6_TRUE@am__append_7 = ip6tables-multi +subdir = . DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in $(srcdir)/config.h.in \ $(srcdir)/libiptc.pc.in $(srcdir)/xtables.pc.in \ 
@@ -58,174 +54,177 @@ $(top_srcdir)/include/iptables/internal.h.in COPYING INSTALL \ compile config.guess config.sub depcomp install-sh ltmain.sh \ missing -subdir = . ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ - configure.lineno configure.status.lineno + configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d CONFIG_HEADER = config.h CONFIG_CLEAN_FILES = extensions/GNUmakefile \ include/iptables/internal.h libiptc.pc xtables.pc +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; -am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \ - "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" \ - "$(DESTDIR)$(pkgconfigdir)" -libLTLIBRARIES_INSTALL = $(INSTALL) +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ 
+ if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgconfigdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libiptc_libiptc_la_LIBADD = +libiptc_libip4tc_la_LIBADD = am__dirstamp = $(am__leading_dot)dirstamp -am_libiptc_libiptc_la_OBJECTS = libiptc/libip4tc.lo \ - libiptc/libip6tc.lo +am_libiptc_libip4tc_la_OBJECTS = libiptc/libip4tc.lo +libiptc_libip4tc_la_OBJECTS = $(am_libiptc_libip4tc_la_OBJECTS) +libiptc_libip4tc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libiptc_libip4tc_la_LDFLAGS) $(LDFLAGS) -o $@ +libiptc_libip6tc_la_LIBADD = +am_libiptc_libip6tc_la_OBJECTS = libiptc/libip6tc.lo +libiptc_libip6tc_la_OBJECTS = $(am_libiptc_libip6tc_la_OBJECTS) +libiptc_libip6tc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libiptc_libip6tc_la_LDFLAGS) $(LDFLAGS) -o $@ +libiptc_libiptc_la_DEPENDENCIES = libiptc/libip4tc.la \ + libiptc/libip6tc.la +am_libiptc_libiptc_la_OBJECTS = libiptc_libiptc_la_OBJECTS = $(am_libiptc_libiptc_la_OBJECTS) +libiptc_libiptc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libiptc_libiptc_la_LDFLAGS) $(LDFLAGS) -o $@ libxtables_la_DEPENDENCIES = -am_libxtables_la_OBJECTS = xtables.lo +am_libxtables_la_OBJECTS = libxtables_la-xtables.lo libxtables_la_OBJECTS = $(am_libxtables_la_OBJECTS) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -@ENABLE_IPV4_TRUE@@ENABLE_STATIC_TRUE@am__EXEEXT_1 = iptables-static$(EXEEXT) -@ENABLE_IPV6_TRUE@@ENABLE_STATIC_TRUE@am__EXEEXT_2 = ip6tables-static$(EXEEXT) 
-@ENABLE_IPV4_TRUE@@ENABLE_SHARED_TRUE@am__EXEEXT_3 = \ -@ENABLE_IPV4_TRUE@@ENABLE_SHARED_TRUE@ iptables$(EXEEXT) \ -@ENABLE_IPV4_TRUE@@ENABLE_SHARED_TRUE@ iptables-multi$(EXEEXT) \ -@ENABLE_IPV4_TRUE@@ENABLE_SHARED_TRUE@ iptables-restore$(EXEEXT) \ -@ENABLE_IPV4_TRUE@@ENABLE_SHARED_TRUE@ iptables-save$(EXEEXT) -@ENABLE_IPV6_TRUE@@ENABLE_SHARED_TRUE@am__EXEEXT_4 = \ -@ENABLE_IPV6_TRUE@@ENABLE_SHARED_TRUE@ ip6tables$(EXEEXT) \ -@ENABLE_IPV6_TRUE@@ENABLE_SHARED_TRUE@ ip6tables-multi$(EXEEXT) \ -@ENABLE_IPV6_TRUE@@ENABLE_SHARED_TRUE@ ip6tables-restore$(EXEEXT) \ -@ENABLE_IPV6_TRUE@@ENABLE_SHARED_TRUE@ ip6tables-save$(EXEEXT) -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS) -am_ip6tables_OBJECTS = ip6tables-standalone.$(OBJEXT) \ - ip6tables.$(OBJEXT) -ip6tables_OBJECTS = $(am_ip6tables_OBJECTS) -ip6tables_DEPENDENCIES = libiptc/libiptc.la extensions/libext6.a \ - libxtables.la +libxtables_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libxtables_la_CFLAGS) \ + $(CFLAGS) $(libxtables_la_LDFLAGS) $(LDFLAGS) -o $@ +@ENABLE_IPV4_TRUE@am__EXEEXT_1 = iptables-multi$(EXEEXT) +@ENABLE_IPV6_TRUE@am__EXEEXT_2 = ip6tables-multi$(EXEEXT) +PROGRAMS = $(sbin_PROGRAMS) am_ip6tables_multi_OBJECTS = \ ip6tables_multi-ip6tables-multi.$(OBJEXT) \ ip6tables_multi-ip6tables-save.$(OBJEXT) \ ip6tables_multi-ip6tables-restore.$(OBJEXT) \ ip6tables_multi-ip6tables-standalone.$(OBJEXT) \ - ip6tables_multi-ip6tables.$(OBJEXT) + ip6tables_multi-ip6tables.$(OBJEXT) \ + ip6tables_multi-xshared.$(OBJEXT) ip6tables_multi_OBJECTS = $(am_ip6tables_multi_OBJECTS) -am__DEPENDENCIES_1 = libiptc/libiptc.la extensions/libext6.a \ - libxtables.la -ip6tables_multi_DEPENDENCIES = $(am__DEPENDENCIES_1) -am_ip6tables_restore_OBJECTS = ip6tables-restore.$(OBJEXT) \ - ip6tables.$(OBJEXT) -ip6tables_restore_OBJECTS = $(am_ip6tables_restore_OBJECTS) -ip6tables_restore_DEPENDENCIES = $(am__DEPENDENCIES_1) 
-am_ip6tables_save_OBJECTS = ip6tables-save.$(OBJEXT) \ - ip6tables.$(OBJEXT) -ip6tables_save_OBJECTS = $(am_ip6tables_save_OBJECTS) -ip6tables_save_DEPENDENCIES = $(am__DEPENDENCIES_1) -am__objects_1 = ip6tables_static-ip6tables-multi.$(OBJEXT) \ - ip6tables_static-ip6tables-save.$(OBJEXT) \ - ip6tables_static-ip6tables-restore.$(OBJEXT) \ - ip6tables_static-ip6tables-standalone.$(OBJEXT) \ - ip6tables_static-ip6tables.$(OBJEXT) -am_ip6tables_static_OBJECTS = $(am__objects_1) \ - ip6tables_static-xtables.$(OBJEXT) -ip6tables_static_OBJECTS = $(am_ip6tables_static_OBJECTS) -ip6tables_static_DEPENDENCIES = libiptc/libiptc.la \ - extensions/libext6.a -am_iptables_OBJECTS = iptables-standalone.$(OBJEXT) iptables.$(OBJEXT) -iptables_OBJECTS = $(am_iptables_OBJECTS) -iptables_DEPENDENCIES = libiptc/libiptc.la extensions/libext4.a \ - libxtables.la +ip6tables_multi_DEPENDENCIES = libiptc/libip6tc.la \ + extensions/libext6.a libxtables.la +ip6tables_multi_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ip6tables_multi_CFLAGS) \ + $(CFLAGS) $(ip6tables_multi_LDFLAGS) $(LDFLAGS) -o $@ am_iptables_multi_OBJECTS = iptables_multi-iptables-multi.$(OBJEXT) \ iptables_multi-iptables-save.$(OBJEXT) \ iptables_multi-iptables-restore.$(OBJEXT) \ iptables_multi-iptables-xml.$(OBJEXT) \ iptables_multi-iptables-standalone.$(OBJEXT) \ - iptables_multi-iptables.$(OBJEXT) + iptables_multi-iptables.$(OBJEXT) \ + iptables_multi-xshared.$(OBJEXT) iptables_multi_OBJECTS = $(am_iptables_multi_OBJECTS) -am__DEPENDENCIES_2 = libiptc/libiptc.la extensions/libext4.a \ +iptables_multi_DEPENDENCIES = libiptc/libip4tc.la extensions/libext4.a \ libxtables.la -iptables_multi_DEPENDENCIES = $(am__DEPENDENCIES_2) -am_iptables_restore_OBJECTS = iptables-restore.$(OBJEXT) \ - iptables.$(OBJEXT) -iptables_restore_OBJECTS = $(am_iptables_restore_OBJECTS) -iptables_restore_DEPENDENCIES = $(am__DEPENDENCIES_2) -am_iptables_save_OBJECTS = iptables-save.$(OBJEXT) 
iptables.$(OBJEXT) -iptables_save_OBJECTS = $(am_iptables_save_OBJECTS) -iptables_save_DEPENDENCIES = $(am__DEPENDENCIES_2) -am__objects_2 = iptables_static-iptables-multi.$(OBJEXT) \ - iptables_static-iptables-save.$(OBJEXT) \ - iptables_static-iptables-restore.$(OBJEXT) \ - iptables_static-iptables-xml.$(OBJEXT) \ - iptables_static-iptables-standalone.$(OBJEXT) \ - iptables_static-iptables.$(OBJEXT) -am_iptables_static_OBJECTS = $(am__objects_2) \ - iptables_static-xtables.$(OBJEXT) -iptables_static_OBJECTS = $(am_iptables_static_OBJECTS) -iptables_static_DEPENDENCIES = libiptc/libiptc.la extensions/libext4.a -am_iptables_xml_OBJECTS = iptables-xml.$(OBJEXT) -iptables_xml_OBJECTS = $(am_iptables_xml_OBJECTS) -iptables_xml_DEPENDENCIES = libxtables.la -DEFAULT_INCLUDES = -I. -I$(srcdir) -I. +iptables_multi_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(iptables_multi_CFLAGS) \ + $(CFLAGS) $(iptables_multi_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles +am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(libiptc_libiptc_la_SOURCES) $(libxtables_la_SOURCES) \ - $(ip6tables_SOURCES) $(ip6tables_multi_SOURCES) \ - $(ip6tables_restore_SOURCES) $(ip6tables_save_SOURCES) \ - $(ip6tables_static_SOURCES) $(iptables_SOURCES) \ - $(iptables_multi_SOURCES) $(iptables_restore_SOURCES) \ - $(iptables_save_SOURCES) 
$(iptables_static_SOURCES) \ - $(iptables_xml_SOURCES) -DIST_SOURCES = $(libiptc_libiptc_la_SOURCES) $(libxtables_la_SOURCES) \ - $(ip6tables_SOURCES) $(ip6tables_multi_SOURCES) \ - $(ip6tables_restore_SOURCES) $(ip6tables_save_SOURCES) \ - $(ip6tables_static_SOURCES) $(iptables_SOURCES) \ - $(iptables_multi_SOURCES) $(iptables_restore_SOURCES) \ - $(iptables_save_SOURCES) $(iptables_static_SOURCES) \ - $(iptables_xml_SOURCES) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libiptc_libip4tc_la_SOURCES) \ + $(libiptc_libip6tc_la_SOURCES) $(libiptc_libiptc_la_SOURCES) \ + $(libxtables_la_SOURCES) $(ip6tables_multi_SOURCES) \ + $(iptables_multi_SOURCES) +DIST_SOURCES = $(libiptc_libip4tc_la_SOURCES) \ + $(libiptc_libip6tc_la_SOURCES) $(libiptc_libiptc_la_SOURCES) \ + $(libxtables_la_SOURCES) $(ip6tables_multi_SOURCES) \ + $(iptables_multi_SOURCES) RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ html-recursive info-recursive install-data-recursive \ - install-exec-recursive install-info-recursive \ - install-recursive installcheck-recursive installdirs-recursive \ - pdf-recursive ps-recursive uninstall-info-recursive \ - uninstall-recursive + install-dvi-recursive install-exec-recursive \ + install-html-recursive install-info-recursive \ + install-pdf-recursive install-ps-recursive install-recursive \ + installcheck-recursive installdirs-recursive pdf-recursive \ + ps-recursive uninstall-recursive man8dir = $(mandir)/man8 NROFF = nroff MANS = $(man_MANS) -pkgconfigDATA_INSTALL = $(INSTALL_DATA) DATA = $(pkgconfig_DATA) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir dist dist-all distcheck ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = extensions 
include libipq +DIST_SUBDIRS = extensions include libipq utils DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ - { test ! -d $(distdir) \ - || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \ - && rm -fr $(distdir); }; } + { test ! -d "$(distdir)" \ + || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ + && rm -fr "$(distdir)"; }; } +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best distuninstallcheck_listfiles = find . -type f -print distcleancheck_listfiles = find . -type f -print +pkgdatadir = @pkgdatadir@ ACLOCAL = @ACLOCAL@ -AMDEP_FALSE = @AMDEP_FALSE@ -AMDEP_TRUE = @AMDEP_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ 
@@ -246,21 +245,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ -ENABLE_DEVEL_FALSE = @ENABLE_DEVEL_FALSE@ -ENABLE_DEVEL_TRUE = @ENABLE_DEVEL_TRUE@ -ENABLE_IPV4_FALSE = @ENABLE_IPV4_FALSE@ -ENABLE_IPV4_TRUE = @ENABLE_IPV4_TRUE@ -ENABLE_IPV6_FALSE = @ENABLE_IPV6_FALSE@ -ENABLE_IPV6_TRUE = @ENABLE_IPV6_TRUE@ -ENABLE_LIBIPQ_FALSE = @ENABLE_LIBIPQ_FALSE@ -ENABLE_LIBIPQ_TRUE = @ENABLE_LIBIPQ_TRUE@ -ENABLE_SHARED_FALSE = @ENABLE_SHARED_FALSE@ -ENABLE_SHARED_TRUE = @ENABLE_SHARED_TRUE@ -ENABLE_STATIC_FALSE = @ENABLE_STATIC_FALSE@ -ENABLE_STATIC_TRUE = @ENABLE_STATIC_TRUE@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ @@ -274,6 +262,7 @@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ @@ -285,18 +274,24 @@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ -am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -309,6 +304,7 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ 
@@ -328,6 +324,9 @@ ksourcedir = @ksourcedir@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@ +libnfnetlink_CFLAGS = @libnfnetlink_CFLAGS@ +libnfnetlink_LIBS = @libnfnetlink_LIBS@ libxtables_vage = @libxtables_vage@ libxtables_vcurrent = @libxtables_vcurrent@ libxtables_vmajor = @libxtables_vmajor@ 
@@ -345,74 +344,56 @@ regular_CFLAGS = @regular_CFLAGS@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ xtlibdir = @xtlibdir@ ACLOCAL_AMFLAGS = -I m4 AUTOMAKE_OPTIONS = foreign subdir-objects AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS} -SUBDIRS = extensions $(am__append_1) $(am__append_2) +SUBDIRS = extensions $(am__append_1) $(am__append_2) $(am__append_3) # libiptc -lib_LTLIBRARIES = libiptc/libiptc.la libxtables.la -libiptc_libiptc_la_SOURCES = libiptc/libip4tc.c libiptc/libip6tc.c -libiptc_libiptc_la_LDFLAGS = -version-info 0:0:0 +lib_LTLIBRARIES = libiptc/libip4tc.la libiptc/libip6tc.la \ + libiptc/libiptc.la libxtables.la +libiptc_libiptc_la_SOURCES = +libiptc_libiptc_la_LIBADD = libiptc/libip4tc.la libiptc/libip6tc.la +libiptc_libiptc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} +libiptc_libip4tc_la_SOURCES = libiptc/libip4tc.c +libiptc_libip4tc_la_LDFLAGS = -version-info 0:0:0 +libiptc_libip6tc_la_SOURCES = libiptc/libip6tc.c +libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2} libxtables_la_SOURCES = xtables.c libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage} -libxtables_la_LIBADD = -ldl - -# iptables, dynamic -iptables_SOURCES = iptables-standalone.c iptables.c -iptables_LDFLAGS = -rdynamic -iptables_LDADD = libiptc/libiptc.la extensions/libext4.a libxtables.la -lm -iptables_xml_LDADD = libxtables.la +@ENABLE_SHARED_FALSE@libxtables_la_CFLAGS = ${AM_CFLAGS} -DNO_SHARED_LIBS=1 +@ENABLE_SHARED_TRUE@libxtables_la_CFLAGS = ${AM_CFLAGS} +@ENABLE_SHARED_FALSE@libxtables_la_LIBADD = +@ENABLE_SHARED_TRUE@libxtables_la_LIBADD = -ldl iptables_multi_SOURCES = iptables-multi.c iptables-save.c \ iptables-restore.c iptables-xml.c \ - iptables-standalone.c iptables.c + 
iptables-standalone.c iptables.c xshared.c -iptables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI -iptables_multi_LDFLAGS = ${iptables_LDFLAGS} -iptables_multi_LDADD = ${iptables_LDADD} -iptables_restore_SOURCES = iptables-restore.c iptables.c -iptables_restore_LDFLAGS = ${iptables_LDFLAGS} -iptables_restore_LDADD = ${iptables_LDADD} -iptables_save_SOURCES = iptables-save.c iptables.c -iptables_save_LDFLAGS = ${iptables_LDFLAGS} -iptables_save_LDADD = ${iptables_LDADD} - -# iptables-multi, semi-static -iptables_static_SOURCES = ${iptables_multi_SOURCES} xtables.c -iptables_static_CFLAGS = ${iptables_multi_CFLAGS} -DNO_SHARED_LIBS=1 -iptables_static_LDADD = libiptc/libiptc.la extensions/libext4.a -lm -iptables_xml_SOURCES = iptables-xml.c - -# ip6tables, dynamic -ip6tables_SOURCES = ip6tables-standalone.c ip6tables.c -ip6tables_LDFLAGS = -rdynamic -ip6tables_LDADD = libiptc/libiptc.la extensions/libext6.a libxtables.la -lm +iptables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI $(am__append_4) +iptables_multi_LDFLAGS = -rdynamic +iptables_multi_LDADD = libiptc/libip4tc.la extensions/libext4.a libxtables.la -lm ip6tables_multi_SOURCES = ip6tables-multi.c ip6tables-save.c \ ip6tables-restore.c ip6tables-standalone.c \ - ip6tables.c + ip6tables.c xshared.c -ip6tables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI -ip6tables_multi_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_multi_LDADD = ${ip6tables_LDADD} -ip6tables_restore_SOURCES = ip6tables-restore.c ip6tables.c -ip6tables_restore_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_restore_LDADD = ${ip6tables_LDADD} -ip6tables_save_SOURCES = ip6tables-save.c ip6tables.c -ip6tables_save_LDFLAGS = ${ip6tables_LDFLAGS} -ip6tables_save_LDADD = ${ip6tables_LDADD} - -# iptables-multi, semi-static -ip6tables_static_SOURCES = ${ip6tables_multi_SOURCES} xtables.c -ip6tables_static_CFLAGS = ${ip6tables_multi_CFLAGS} -DNO_SHARED_LIBS=1 -ip6tables_static_LDADD = libiptc/libiptc.la extensions/libext6.a -lm +ip6tables_multi_CFLAGS = 
${AM_CFLAGS} -DIPTABLES_MULTI $(am__append_5) +ip6tables_multi_LDFLAGS = -rdynamic +ip6tables_multi_LDADD = libiptc/libip6tc.la extensions/libext6.a libxtables.la -lm man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.8 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 CLEANFILES = iptables.8 ip6tables.8 +@ENABLE_IPV4_TRUE@v4_bin_links = iptables-xml +@ENABLE_IPV4_TRUE@v4_sbin_links = iptables iptables-restore iptables-save +@ENABLE_IPV6_TRUE@v6_sbin_links = ip6tables ip6tables-restore ip6tables-save pkgconfig_DATA = libiptc.pc xtables.pc all: config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -425,15 +406,15 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - echo ' cd $(srcdir) && $(AUTOMAKE) --foreign '; \ - cd $(srcdir) && $(AUTOMAKE) --foreign \ + echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \ + $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \ && exit 0; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -449,21 +430,22 @@ $(SHELL) ./config.status --recheck $(top_srcdir)/configure: $(am__configure_deps) - cd $(srcdir) && $(AUTOCONF) + $(am__cd) $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) + $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) +$(am__aclocal_m4_deps): config.h: stamp-h1 @if test ! -f $@; then \ rm -f stamp-h1; \ - $(MAKE) stamp-h1; \ + $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \ else :; fi stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status @rm -f stamp-h1 cd $(top_builddir) && $(SHELL) ./config.status config.h $(srcdir)/config.h.in: $(am__configure_deps) - cd $(top_srcdir) && $(AUTOHEADER) + ($(am__cd) $(top_srcdir) && $(AUTOHEADER)) rm -f stamp-h1 touch $@ 
@@ -479,21 +461,25 @@ cd $(top_builddir) && $(SHELL) ./config.status $@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)" - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ + test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \ - $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } uninstall-libLTLIBRARIES: @$(NORMAL_UNINSTALL) - @set -x; list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \ - $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \ + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ done clean-libLTLIBRARIES: 
@@ -505,115 +491,72 @@ rm -f "$${dir}/so_locations"; \ done libiptc/$(am__dirstamp): - @$(mkdir_p) libiptc + @$(MKDIR_P) libiptc @: > libiptc/$(am__dirstamp) libiptc/$(DEPDIR)/$(am__dirstamp): - @$(mkdir_p) libiptc/$(DEPDIR) + @$(MKDIR_P) libiptc/$(DEPDIR) @: > libiptc/$(DEPDIR)/$(am__dirstamp) libiptc/libip4tc.lo: libiptc/$(am__dirstamp) \ libiptc/$(DEPDIR)/$(am__dirstamp) +libiptc/libip4tc.la: $(libiptc_libip4tc_la_OBJECTS) $(libiptc_libip4tc_la_DEPENDENCIES) libiptc/$(am__dirstamp) + $(libiptc_libip4tc_la_LINK) -rpath $(libdir) $(libiptc_libip4tc_la_OBJECTS) $(libiptc_libip4tc_la_LIBADD) $(LIBS) libiptc/libip6tc.lo: libiptc/$(am__dirstamp) \ libiptc/$(DEPDIR)/$(am__dirstamp) +libiptc/libip6tc.la: $(libiptc_libip6tc_la_OBJECTS) $(libiptc_libip6tc_la_DEPENDENCIES) libiptc/$(am__dirstamp) + $(libiptc_libip6tc_la_LINK) -rpath $(libdir) $(libiptc_libip6tc_la_OBJECTS) $(libiptc_libip6tc_la_LIBADD) $(LIBS) libiptc/libiptc.la: $(libiptc_libiptc_la_OBJECTS) $(libiptc_libiptc_la_DEPENDENCIES) libiptc/$(am__dirstamp) - $(LINK) -rpath $(libdir) $(libiptc_libiptc_la_LDFLAGS) $(libiptc_libiptc_la_OBJECTS) $(libiptc_libiptc_la_LIBADD) $(LIBS) + $(libiptc_libiptc_la_LINK) -rpath $(libdir) $(libiptc_libiptc_la_OBJECTS) $(libiptc_libiptc_la_LIBADD) $(LIBS) libxtables.la: $(libxtables_la_OBJECTS) $(libxtables_la_DEPENDENCIES) - $(LINK) -rpath $(libdir) $(libxtables_la_LDFLAGS) $(libxtables_la_OBJECTS) $(libxtables_la_LIBADD) $(LIBS) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)" - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; 
\ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ - rm -f "$(DESTDIR)$(bindir)/$$f"; \ - done - -clean-binPROGRAMS: - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done + $(libxtables_la_LINK) -rpath $(libdir) $(libxtables_la_OBJECTS) $(libxtables_la_LIBADD) $(LIBS) install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ - else :; fi; \ - done + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print 
"f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done uninstall-sbinPROGRAMS: @$(NORMAL_UNINSTALL) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ - rm -f "$(DESTDIR)$(sbindir)/$$f"; \ - done + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files clean-sbinPROGRAMS: - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done -ip6tables$(EXEEXT): $(ip6tables_OBJECTS) $(ip6tables_DEPENDENCIES) - @rm -f ip6tables$(EXEEXT) - $(LINK) $(ip6tables_LDFLAGS) $(ip6tables_OBJECTS) $(ip6tables_LDADD) $(LIBS) + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list ip6tables-multi$(EXEEXT): $(ip6tables_multi_OBJECTS) $(ip6tables_multi_DEPENDENCIES) @rm -f ip6tables-multi$(EXEEXT) - $(LINK) $(ip6tables_multi_LDFLAGS) $(ip6tables_multi_OBJECTS) $(ip6tables_multi_LDADD) $(LIBS) -ip6tables-restore$(EXEEXT): $(ip6tables_restore_OBJECTS) $(ip6tables_restore_DEPENDENCIES) - @rm -f 
ip6tables-restore$(EXEEXT) - $(LINK) $(ip6tables_restore_LDFLAGS) $(ip6tables_restore_OBJECTS) $(ip6tables_restore_LDADD) $(LIBS) -ip6tables-save$(EXEEXT): $(ip6tables_save_OBJECTS) $(ip6tables_save_DEPENDENCIES) - @rm -f ip6tables-save$(EXEEXT) - $(LINK) $(ip6tables_save_LDFLAGS) $(ip6tables_save_OBJECTS) $(ip6tables_save_LDADD) $(LIBS) -ip6tables-static$(EXEEXT): $(ip6tables_static_OBJECTS) $(ip6tables_static_DEPENDENCIES) - @rm -f ip6tables-static$(EXEEXT) - $(LINK) $(ip6tables_static_LDFLAGS) $(ip6tables_static_OBJECTS) $(ip6tables_static_LDADD) $(LIBS) -iptables$(EXEEXT): $(iptables_OBJECTS) $(iptables_DEPENDENCIES) - @rm -f iptables$(EXEEXT) - $(LINK) $(iptables_LDFLAGS) $(iptables_OBJECTS) $(iptables_LDADD) $(LIBS) + $(ip6tables_multi_LINK) $(ip6tables_multi_OBJECTS) $(ip6tables_multi_LDADD) $(LIBS) iptables-multi$(EXEEXT): $(iptables_multi_OBJECTS) $(iptables_multi_DEPENDENCIES) @rm -f iptables-multi$(EXEEXT) - $(LINK) $(iptables_multi_LDFLAGS) $(iptables_multi_OBJECTS) $(iptables_multi_LDADD) $(LIBS) -iptables-restore$(EXEEXT): $(iptables_restore_OBJECTS) $(iptables_restore_DEPENDENCIES) - @rm -f iptables-restore$(EXEEXT) - $(LINK) $(iptables_restore_LDFLAGS) $(iptables_restore_OBJECTS) $(iptables_restore_LDADD) $(LIBS) -iptables-save$(EXEEXT): $(iptables_save_OBJECTS) $(iptables_save_DEPENDENCIES) - @rm -f iptables-save$(EXEEXT) - $(LINK) $(iptables_save_LDFLAGS) $(iptables_save_OBJECTS) $(iptables_save_LDADD) $(LIBS) -iptables-static$(EXEEXT): $(iptables_static_OBJECTS) $(iptables_static_DEPENDENCIES) - @rm -f iptables-static$(EXEEXT) - $(LINK) $(iptables_static_LDFLAGS) $(iptables_static_OBJECTS) $(iptables_static_LDADD) $(LIBS) -iptables-xml$(EXEEXT): $(iptables_xml_OBJECTS) $(iptables_xml_DEPENDENCIES) - @rm -f iptables-xml$(EXEEXT) - $(LINK) $(iptables_xml_LDFLAGS) $(iptables_xml_OBJECTS) $(iptables_xml_LDADD) $(LIBS) + $(iptables_multi_LINK) $(iptables_multi_OBJECTS) $(iptables_multi_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -625,402 +568,235 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables-restore.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables-save.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables-standalone.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_multi-ip6tables-multi.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_multi-ip6tables-restore.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_multi-ip6tables-save.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_multi-ip6tables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_static-ip6tables-multi.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_static-ip6tables-restore.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_static-ip6tables-save.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_static-ip6tables-standalone.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_static-ip6tables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_static-xtables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables-restore.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables-save.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables-standalone.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables-xml.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ip6tables_multi-xshared.Po@am__quote@ @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/iptables_multi-iptables-multi.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_multi-iptables-restore.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_multi-iptables-save.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_multi-iptables-standalone.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_multi-iptables-xml.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_multi-iptables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-iptables-multi.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-iptables-restore.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-iptables-save.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-iptables-standalone.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-iptables-xml.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-iptables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_static-xtables.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xtables.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iptables_multi-xshared.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxtables_la-xtables.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@libiptc/$(DEPDIR)/libip4tc.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@libiptc/$(DEPDIR)/libip6tc.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`; \ -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$$depbase.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$$depbase.Tpo" "$$depbase.Po"; else rm -f "$$depbase.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD 
-MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c -o $@ $< .c.obj: -@am__fastdepCC_TRUE@ depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`; \ -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$$depbase.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \ -@am__fastdepCC_TRUE@ then mv -f "$$depbase.Tpo" "$$depbase.Po"; else rm -f "$$depbase.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`; \ -@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$$depbase.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$$depbase.Tpo" "$$depbase.Plo"; else rm -f "$$depbase.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +libxtables_la-xtables.lo: xtables.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libxtables_la_CFLAGS) $(CFLAGS) -MT libxtables_la-xtables.lo -MD -MP -MF $(DEPDIR)/libxtables_la-xtables.Tpo -c -o libxtables_la-xtables.lo `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libxtables_la-xtables.Tpo $(DEPDIR)/libxtables_la-xtables.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xtables.c' object='libxtables_la-xtables.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libxtables_la_CFLAGS) $(CFLAGS) -c -o libxtables_la-xtables.lo `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c + ip6tables_multi-ip6tables-multi.o: ip6tables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-multi.o -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo" -c -o ip6tables_multi-ip6tables-multi.o `test -f 'ip6tables-multi.c' || echo '$(srcdir)/'`ip6tables-multi.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-multi.o -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo -c -o ip6tables_multi-ip6tables-multi.o `test -f 'ip6tables-multi.c' || echo '$(srcdir)/'`ip6tables-multi.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-multi.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-multi.c' 
object='ip6tables_multi-ip6tables-multi.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-multi.o `test -f 'ip6tables-multi.c' || echo '$(srcdir)/'`ip6tables-multi.c ip6tables_multi-ip6tables-multi.obj: ip6tables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-multi.obj -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo" -c -o ip6tables_multi-ip6tables-multi.obj `if test -f 'ip6tables-multi.c'; then $(CYGPATH_W) 'ip6tables-multi.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-multi.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-multi.obj -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo -c -o ip6tables_multi-ip6tables-multi.obj `if test -f 'ip6tables-multi.c'; then $(CYGPATH_W) 'ip6tables-multi.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-multi.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-multi.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-multi.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-multi.c' object='ip6tables_multi-ip6tables-multi.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-multi.obj `if test -f 
'ip6tables-multi.c'; then $(CYGPATH_W) 'ip6tables-multi.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-multi.c'; fi` ip6tables_multi-ip6tables-save.o: ip6tables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-save.o -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo" -c -o ip6tables_multi-ip6tables-save.o `test -f 'ip6tables-save.c' || echo '$(srcdir)/'`ip6tables-save.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-save.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-save.o -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo -c -o ip6tables_multi-ip6tables-save.o `test -f 'ip6tables-save.c' || echo '$(srcdir)/'`ip6tables-save.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-save.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-save.c' object='ip6tables_multi-ip6tables-save.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-save.o `test -f 'ip6tables-save.c' || echo '$(srcdir)/'`ip6tables-save.c ip6tables_multi-ip6tables-save.obj: ip6tables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-save.obj -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo" -c -o ip6tables_multi-ip6tables-save.obj `if test -f 'ip6tables-save.c'; then $(CYGPATH_W) 
'ip6tables-save.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-save.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-save.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-save.obj -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo -c -o ip6tables_multi-ip6tables-save.obj `if test -f 'ip6tables-save.c'; then $(CYGPATH_W) 'ip6tables-save.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-save.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-save.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-save.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-save.c' object='ip6tables_multi-ip6tables-save.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-save.obj `if test -f 'ip6tables-save.c'; then $(CYGPATH_W) 'ip6tables-save.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-save.c'; fi` ip6tables_multi-ip6tables-restore.o: ip6tables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-restore.o -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo" -c -o ip6tables_multi-ip6tables-restore.o `test -f 'ip6tables-restore.c' || echo '$(srcdir)/'`ip6tables-restore.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-restore.o -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo -c -o ip6tables_multi-ip6tables-restore.o `test -f 'ip6tables-restore.c' || echo '$(srcdir)/'`ip6tables-restore.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-restore.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-restore.c' object='ip6tables_multi-ip6tables-restore.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-restore.o `test -f 'ip6tables-restore.c' || echo '$(srcdir)/'`ip6tables-restore.c ip6tables_multi-ip6tables-restore.obj: ip6tables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-restore.obj -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo" -c -o ip6tables_multi-ip6tables-restore.obj `if test -f 'ip6tables-restore.c'; then $(CYGPATH_W) 'ip6tables-restore.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-restore.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-restore.obj -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo -c -o ip6tables_multi-ip6tables-restore.obj `if test -f 'ip6tables-restore.c'; then $(CYGPATH_W) 'ip6tables-restore.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-restore.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) 
$(DEPDIR)/ip6tables_multi-ip6tables-restore.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-restore.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-restore.c' object='ip6tables_multi-ip6tables-restore.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-restore.obj `if test -f 'ip6tables-restore.c'; then $(CYGPATH_W) 'ip6tables-restore.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-restore.c'; fi` ip6tables_multi-ip6tables-standalone.o: ip6tables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-standalone.o -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo" -c -o ip6tables_multi-ip6tables-standalone.o `test -f 'ip6tables-standalone.c' || echo '$(srcdir)/'`ip6tables-standalone.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-standalone.o -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo -c -o ip6tables_multi-ip6tables-standalone.o `test -f 'ip6tables-standalone.c' || echo '$(srcdir)/'`ip6tables-standalone.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-standalone.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-standalone.c' object='ip6tables_multi-ip6tables-standalone.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-standalone.o `test -f 'ip6tables-standalone.c' || echo '$(srcdir)/'`ip6tables-standalone.c ip6tables_multi-ip6tables-standalone.obj: ip6tables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-standalone.obj -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo" -c -o ip6tables_multi-ip6tables-standalone.obj `if test -f 'ip6tables-standalone.c'; then $(CYGPATH_W) 'ip6tables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-standalone.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables-standalone.obj -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo -c -o ip6tables_multi-ip6tables-standalone.obj `if test -f 'ip6tables-standalone.c'; then $(CYGPATH_W) 'ip6tables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-standalone.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables-standalone.Tpo $(DEPDIR)/ip6tables_multi-ip6tables-standalone.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-standalone.c' object='ip6tables_multi-ip6tables-standalone.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables-standalone.obj `if test -f 'ip6tables-standalone.c'; 
then $(CYGPATH_W) 'ip6tables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-standalone.c'; fi` ip6tables_multi-ip6tables.o: ip6tables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables.o -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables.Tpo" -c -o ip6tables_multi-ip6tables.o `test -f 'ip6tables.c' || echo '$(srcdir)/'`ip6tables.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables.Tpo" "$(DEPDIR)/ip6tables_multi-ip6tables.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables.o -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables.Tpo -c -o ip6tables_multi-ip6tables.o `test -f 'ip6tables.c' || echo '$(srcdir)/'`ip6tables.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables.Tpo $(DEPDIR)/ip6tables_multi-ip6tables.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables.c' object='ip6tables_multi-ip6tables.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables.o `test -f 'ip6tables.c' || echo '$(srcdir)/'`ip6tables.c ip6tables_multi-ip6tables.obj: ip6tables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables.obj -MD -MP -MF "$(DEPDIR)/ip6tables_multi-ip6tables.Tpo" -c -o ip6tables_multi-ip6tables.obj `if test -f 'ip6tables.c'; then $(CYGPATH_W) 'ip6tables.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_multi-ip6tables.Tpo" 
"$(DEPDIR)/ip6tables_multi-ip6tables.Po"; else rm -f "$(DEPDIR)/ip6tables_multi-ip6tables.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-ip6tables.obj -MD -MP -MF $(DEPDIR)/ip6tables_multi-ip6tables.Tpo -c -o ip6tables_multi-ip6tables.obj `if test -f 'ip6tables.c'; then $(CYGPATH_W) 'ip6tables.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-ip6tables.Tpo $(DEPDIR)/ip6tables_multi-ip6tables.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables.c' object='ip6tables_multi-ip6tables.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-ip6tables.obj `if test -f 'ip6tables.c'; then $(CYGPATH_W) 'ip6tables.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables.c'; fi` -ip6tables_static-ip6tables-multi.o: ip6tables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-multi.o -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-multi.Tpo" -c -o ip6tables_static-ip6tables-multi.o `test -f 'ip6tables-multi.c' || echo '$(srcdir)/'`ip6tables-multi.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-multi.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-multi.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-multi.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-multi.c' object='ip6tables_static-ip6tables-multi.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-multi.o `test -f 'ip6tables-multi.c' || echo '$(srcdir)/'`ip6tables-multi.c - -ip6tables_static-ip6tables-multi.obj: ip6tables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-multi.obj -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-multi.Tpo" -c -o ip6tables_static-ip6tables-multi.obj `if test -f 'ip6tables-multi.c'; then $(CYGPATH_W) 'ip6tables-multi.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-multi.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-multi.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-multi.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-multi.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-multi.c' object='ip6tables_static-ip6tables-multi.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-multi.obj `if test -f 'ip6tables-multi.c'; then $(CYGPATH_W) 'ip6tables-multi.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-multi.c'; fi` - -ip6tables_static-ip6tables-save.o: ip6tables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-save.o -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-save.Tpo" -c -o ip6tables_static-ip6tables-save.o `test -f 'ip6tables-save.c' || echo '$(srcdir)/'`ip6tables-save.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-save.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-save.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-save.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='ip6tables-save.c' object='ip6tables_static-ip6tables-save.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-save.o `test -f 'ip6tables-save.c' || echo '$(srcdir)/'`ip6tables-save.c - -ip6tables_static-ip6tables-save.obj: ip6tables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-save.obj -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-save.Tpo" -c -o ip6tables_static-ip6tables-save.obj `if test -f 'ip6tables-save.c'; then $(CYGPATH_W) 'ip6tables-save.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-save.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-save.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-save.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-save.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-save.c' object='ip6tables_static-ip6tables-save.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-save.obj `if test -f 'ip6tables-save.c'; then $(CYGPATH_W) 'ip6tables-save.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-save.c'; fi` - -ip6tables_static-ip6tables-restore.o: ip6tables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-restore.o -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-restore.Tpo" -c -o ip6tables_static-ip6tables-restore.o `test -f 'ip6tables-restore.c' || echo 
'$(srcdir)/'`ip6tables-restore.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-restore.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-restore.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-restore.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-restore.c' object='ip6tables_static-ip6tables-restore.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-restore.o `test -f 'ip6tables-restore.c' || echo '$(srcdir)/'`ip6tables-restore.c - -ip6tables_static-ip6tables-restore.obj: ip6tables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-restore.obj -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-restore.Tpo" -c -o ip6tables_static-ip6tables-restore.obj `if test -f 'ip6tables-restore.c'; then $(CYGPATH_W) 'ip6tables-restore.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-restore.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-restore.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-restore.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-restore.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-restore.c' object='ip6tables_static-ip6tables-restore.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-restore.obj `if test -f 'ip6tables-restore.c'; then $(CYGPATH_W) 'ip6tables-restore.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-restore.c'; fi` - 
-ip6tables_static-ip6tables-standalone.o: ip6tables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-standalone.o -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Tpo" -c -o ip6tables_static-ip6tables-standalone.o `test -f 'ip6tables-standalone.c' || echo '$(srcdir)/'`ip6tables-standalone.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-standalone.c' object='ip6tables_static-ip6tables-standalone.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-standalone.o `test -f 'ip6tables-standalone.c' || echo '$(srcdir)/'`ip6tables-standalone.c - -ip6tables_static-ip6tables-standalone.obj: ip6tables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables-standalone.obj -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Tpo" -c -o ip6tables_static-ip6tables-standalone.obj `if test -f 'ip6tables-standalone.c'; then $(CYGPATH_W) 'ip6tables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-standalone.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables-standalone.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables-standalone.c' object='ip6tables_static-ip6tables-standalone.obj' 
libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables-standalone.obj `if test -f 'ip6tables-standalone.c'; then $(CYGPATH_W) 'ip6tables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables-standalone.c'; fi` - -ip6tables_static-ip6tables.o: ip6tables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables.o -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables.Tpo" -c -o ip6tables_static-ip6tables.o `test -f 'ip6tables.c' || echo '$(srcdir)/'`ip6tables.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables.Po"; else rm -f "$(DEPDIR)/ip6tables_static-ip6tables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables.c' object='ip6tables_static-ip6tables.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables.o `test -f 'ip6tables.c' || echo '$(srcdir)/'`ip6tables.c - -ip6tables_static-ip6tables.obj: ip6tables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-ip6tables.obj -MD -MP -MF "$(DEPDIR)/ip6tables_static-ip6tables.Tpo" -c -o ip6tables_static-ip6tables.obj `if test -f 'ip6tables.c'; then $(CYGPATH_W) 'ip6tables.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-ip6tables.Tpo" "$(DEPDIR)/ip6tables_static-ip6tables.Po"; else rm -f 
"$(DEPDIR)/ip6tables_static-ip6tables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ip6tables.c' object='ip6tables_static-ip6tables.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-ip6tables.obj `if test -f 'ip6tables.c'; then $(CYGPATH_W) 'ip6tables.c'; else $(CYGPATH_W) '$(srcdir)/ip6tables.c'; fi` - -ip6tables_static-xtables.o: xtables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-xtables.o -MD -MP -MF "$(DEPDIR)/ip6tables_static-xtables.Tpo" -c -o ip6tables_static-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-xtables.Tpo" "$(DEPDIR)/ip6tables_static-xtables.Po"; else rm -f "$(DEPDIR)/ip6tables_static-xtables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xtables.c' object='ip6tables_static-xtables.o' libtool=no @AMDEPBACKSLASH@ +ip6tables_multi-xshared.o: xshared.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-xshared.o -MD -MP -MF $(DEPDIR)/ip6tables_multi-xshared.Tpo -c -o ip6tables_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-xshared.Tpo $(DEPDIR)/ip6tables_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xshared.c' object='ip6tables_multi-xshared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o 
ip6tables_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c + +ip6tables_multi-xshared.obj: xshared.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -MT ip6tables_multi-xshared.obj -MD -MP -MF $(DEPDIR)/ip6tables_multi-xshared.Tpo -c -o ip6tables_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ip6tables_multi-xshared.Tpo $(DEPDIR)/ip6tables_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xshared.c' object='ip6tables_multi-xshared.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c - -ip6tables_static-xtables.obj: xtables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -MT ip6tables_static-xtables.obj -MD -MP -MF "$(DEPDIR)/ip6tables_static-xtables.Tpo" -c -o ip6tables_static-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ip6tables_static-xtables.Tpo" "$(DEPDIR)/ip6tables_static-xtables.Po"; else rm -f "$(DEPDIR)/ip6tables_static-xtables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xtables.c' object='ip6tables_static-xtables.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_static_CFLAGS) $(CFLAGS) -c -o ip6tables_static-xtables.obj `if test -f 'xtables.c'; then 
$(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ip6tables_multi_CFLAGS) $(CFLAGS) -c -o ip6tables_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` iptables_multi-iptables-multi.o: iptables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-multi.o -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-multi.Tpo" -c -o iptables_multi-iptables-multi.o `test -f 'iptables-multi.c' || echo '$(srcdir)/'`iptables-multi.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-multi.Tpo" "$(DEPDIR)/iptables_multi-iptables-multi.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-multi.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-multi.o -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-multi.Tpo -c -o iptables_multi-iptables-multi.o `test -f 'iptables-multi.c' || echo '$(srcdir)/'`iptables-multi.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-multi.Tpo $(DEPDIR)/iptables_multi-iptables-multi.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-multi.c' object='iptables_multi-iptables-multi.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-multi.o `test -f 'iptables-multi.c' || echo '$(srcdir)/'`iptables-multi.c iptables_multi-iptables-multi.obj: iptables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) 
$(CFLAGS) -MT iptables_multi-iptables-multi.obj -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-multi.Tpo" -c -o iptables_multi-iptables-multi.obj `if test -f 'iptables-multi.c'; then $(CYGPATH_W) 'iptables-multi.c'; else $(CYGPATH_W) '$(srcdir)/iptables-multi.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-multi.Tpo" "$(DEPDIR)/iptables_multi-iptables-multi.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-multi.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-multi.obj -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-multi.Tpo -c -o iptables_multi-iptables-multi.obj `if test -f 'iptables-multi.c'; then $(CYGPATH_W) 'iptables-multi.c'; else $(CYGPATH_W) '$(srcdir)/iptables-multi.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-multi.Tpo $(DEPDIR)/iptables_multi-iptables-multi.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-multi.c' object='iptables_multi-iptables-multi.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-multi.obj `if test -f 'iptables-multi.c'; then $(CYGPATH_W) 'iptables-multi.c'; else $(CYGPATH_W) '$(srcdir)/iptables-multi.c'; fi` iptables_multi-iptables-save.o: iptables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-save.o -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-save.Tpo" -c -o iptables_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-save.Tpo" "$(DEPDIR)/iptables_multi-iptables-save.Po"; else rm -f 
"$(DEPDIR)/iptables_multi-iptables-save.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-save.o -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-save.Tpo -c -o iptables_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-save.Tpo $(DEPDIR)/iptables_multi-iptables-save.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-save.c' object='iptables_multi-iptables-save.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c iptables_multi-iptables-save.obj: iptables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-save.obj -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-save.Tpo" -c -o iptables_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-save.Tpo" "$(DEPDIR)/iptables_multi-iptables-save.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-save.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-save.obj -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-save.Tpo -c -o iptables_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) 
$(DEPDIR)/iptables_multi-iptables-save.Tpo $(DEPDIR)/iptables_multi-iptables-save.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-save.c' object='iptables_multi-iptables-save.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` iptables_multi-iptables-restore.o: iptables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-restore.o -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-restore.Tpo" -c -o iptables_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-restore.Tpo" "$(DEPDIR)/iptables_multi-iptables-restore.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-restore.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-restore.o -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-restore.Tpo -c -o iptables_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-restore.Tpo $(DEPDIR)/iptables_multi-iptables-restore.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-restore.c' object='iptables_multi-iptables-restore.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) 
$(CFLAGS) -c -o iptables_multi-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c iptables_multi-iptables-restore.obj: iptables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-restore.obj -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-restore.Tpo" -c -o iptables_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-restore.Tpo" "$(DEPDIR)/iptables_multi-iptables-restore.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-restore.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-restore.obj -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-restore.Tpo -c -o iptables_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-restore.Tpo $(DEPDIR)/iptables_multi-iptables-restore.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-restore.c' object='iptables_multi-iptables-restore.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` iptables_multi-iptables-xml.o: iptables-xml.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) 
$(CFLAGS) -MT iptables_multi-iptables-xml.o -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-xml.Tpo" -c -o iptables_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-xml.Tpo" "$(DEPDIR)/iptables_multi-iptables-xml.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-xml.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-xml.o -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-xml.Tpo -c -o iptables_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-xml.Tpo $(DEPDIR)/iptables_multi-iptables-xml.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-xml.c' object='iptables_multi-iptables-xml.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c iptables_multi-iptables-xml.obj: iptables-xml.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-xml.obj -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-xml.Tpo" -c -o iptables_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-xml.Tpo" "$(DEPDIR)/iptables_multi-iptables-xml.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-xml.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-xml.obj -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-xml.Tpo -c -o iptables_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-xml.Tpo $(DEPDIR)/iptables_multi-iptables-xml.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-xml.c' object='iptables_multi-iptables-xml.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` iptables_multi-iptables-standalone.o: iptables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-standalone.o -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-standalone.Tpo" -c -o iptables_multi-iptables-standalone.o `test -f 'iptables-standalone.c' || echo '$(srcdir)/'`iptables-standalone.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-standalone.Tpo" "$(DEPDIR)/iptables_multi-iptables-standalone.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-standalone.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-standalone.o -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-standalone.Tpo -c -o iptables_multi-iptables-standalone.o `test -f 'iptables-standalone.c' || echo '$(srcdir)/'`iptables-standalone.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-standalone.Tpo 
$(DEPDIR)/iptables_multi-iptables-standalone.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-standalone.c' object='iptables_multi-iptables-standalone.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-standalone.o `test -f 'iptables-standalone.c' || echo '$(srcdir)/'`iptables-standalone.c iptables_multi-iptables-standalone.obj: iptables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-standalone.obj -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables-standalone.Tpo" -c -o iptables_multi-iptables-standalone.obj `if test -f 'iptables-standalone.c'; then $(CYGPATH_W) 'iptables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/iptables-standalone.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables-standalone.Tpo" "$(DEPDIR)/iptables_multi-iptables-standalone.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables-standalone.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables-standalone.obj -MD -MP -MF $(DEPDIR)/iptables_multi-iptables-standalone.Tpo -c -o iptables_multi-iptables-standalone.obj `if test -f 'iptables-standalone.c'; then $(CYGPATH_W) 'iptables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/iptables-standalone.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables-standalone.Tpo $(DEPDIR)/iptables_multi-iptables-standalone.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-standalone.c' object='iptables_multi-iptables-standalone.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables-standalone.obj `if test -f 'iptables-standalone.c'; then $(CYGPATH_W) 'iptables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/iptables-standalone.c'; fi` iptables_multi-iptables.o: iptables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables.o -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables.Tpo" -c -o iptables_multi-iptables.o `test -f 'iptables.c' || echo '$(srcdir)/'`iptables.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables.Tpo" "$(DEPDIR)/iptables_multi-iptables.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables.o -MD -MP -MF $(DEPDIR)/iptables_multi-iptables.Tpo -c -o iptables_multi-iptables.o `test -f 'iptables.c' || echo '$(srcdir)/'`iptables.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables.Tpo $(DEPDIR)/iptables_multi-iptables.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables.c' object='iptables_multi-iptables.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables.o `test -f 'iptables.c' || echo '$(srcdir)/'`iptables.c iptables_multi-iptables.obj: iptables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables.obj -MD -MP -MF "$(DEPDIR)/iptables_multi-iptables.Tpo" -c -o iptables_multi-iptables.obj `if test -f 'iptables.c'; then 
$(CYGPATH_W) 'iptables.c'; else $(CYGPATH_W) '$(srcdir)/iptables.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_multi-iptables.Tpo" "$(DEPDIR)/iptables_multi-iptables.Po"; else rm -f "$(DEPDIR)/iptables_multi-iptables.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-iptables.obj -MD -MP -MF $(DEPDIR)/iptables_multi-iptables.Tpo -c -o iptables_multi-iptables.obj `if test -f 'iptables.c'; then $(CYGPATH_W) 'iptables.c'; else $(CYGPATH_W) '$(srcdir)/iptables.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-iptables.Tpo $(DEPDIR)/iptables_multi-iptables.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables.c' object='iptables_multi-iptables.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-iptables.obj `if test -f 'iptables.c'; then $(CYGPATH_W) 'iptables.c'; else $(CYGPATH_W) '$(srcdir)/iptables.c'; fi` -iptables_static-iptables-multi.o: iptables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-multi.o -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-multi.Tpo" -c -o iptables_static-iptables-multi.o `test -f 'iptables-multi.c' || echo '$(srcdir)/'`iptables-multi.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-multi.Tpo" "$(DEPDIR)/iptables_static-iptables-multi.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-multi.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-multi.c' object='iptables_static-iptables-multi.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-multi.o `test -f 'iptables-multi.c' || echo '$(srcdir)/'`iptables-multi.c - -iptables_static-iptables-multi.obj: iptables-multi.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-multi.obj -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-multi.Tpo" -c -o iptables_static-iptables-multi.obj `if test -f 'iptables-multi.c'; then $(CYGPATH_W) 'iptables-multi.c'; else $(CYGPATH_W) '$(srcdir)/iptables-multi.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-multi.Tpo" "$(DEPDIR)/iptables_static-iptables-multi.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-multi.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-multi.c' object='iptables_static-iptables-multi.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-multi.obj `if test -f 'iptables-multi.c'; then $(CYGPATH_W) 'iptables-multi.c'; else $(CYGPATH_W) '$(srcdir)/iptables-multi.c'; fi` - -iptables_static-iptables-save.o: iptables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-save.o -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-save.Tpo" -c -o iptables_static-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-save.Tpo" "$(DEPDIR)/iptables_static-iptables-save.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-save.Tpo"; exit 1; fi 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-save.c' object='iptables_static-iptables-save.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-save.o `test -f 'iptables-save.c' || echo '$(srcdir)/'`iptables-save.c - -iptables_static-iptables-save.obj: iptables-save.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-save.obj -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-save.Tpo" -c -o iptables_static-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-save.Tpo" "$(DEPDIR)/iptables_static-iptables-save.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-save.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-save.c' object='iptables_static-iptables-save.obj' libtool=no @AMDEPBACKSLASH@ +iptables_multi-xshared.o: xshared.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-xshared.o -MD -MP -MF $(DEPDIR)/iptables_multi-xshared.Tpo -c -o iptables_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-xshared.Tpo $(DEPDIR)/iptables_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xshared.c' object='iptables_multi-xshared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) 
-c -o iptables_multi-xshared.o `test -f 'xshared.c' || echo '$(srcdir)/'`xshared.c + +iptables_multi-xshared.obj: xshared.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -MT iptables_multi-xshared.obj -MD -MP -MF $(DEPDIR)/iptables_multi-xshared.Tpo -c -o iptables_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/iptables_multi-xshared.Tpo $(DEPDIR)/iptables_multi-xshared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xshared.c' object='iptables_multi-xshared.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-save.obj `if test -f 'iptables-save.c'; then $(CYGPATH_W) 'iptables-save.c'; else $(CYGPATH_W) '$(srcdir)/iptables-save.c'; fi` - -iptables_static-iptables-restore.o: iptables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-restore.o -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-restore.Tpo" -c -o iptables_static-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-restore.Tpo" "$(DEPDIR)/iptables_static-iptables-restore.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-restore.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-restore.c' object='iptables_static-iptables-restore.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-restore.o `test -f 'iptables-restore.c' || echo '$(srcdir)/'`iptables-restore.c - -iptables_static-iptables-restore.obj: iptables-restore.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-restore.obj -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-restore.Tpo" -c -o iptables_static-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-restore.Tpo" "$(DEPDIR)/iptables_static-iptables-restore.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-restore.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-restore.c' object='iptables_static-iptables-restore.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-restore.obj `if test -f 'iptables-restore.c'; then $(CYGPATH_W) 'iptables-restore.c'; else $(CYGPATH_W) '$(srcdir)/iptables-restore.c'; fi` - -iptables_static-iptables-xml.o: iptables-xml.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-xml.o -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-xml.Tpo" -c -o iptables_static-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-xml.Tpo" "$(DEPDIR)/iptables_static-iptables-xml.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-xml.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-xml.c' 
object='iptables_static-iptables-xml.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-xml.o `test -f 'iptables-xml.c' || echo '$(srcdir)/'`iptables-xml.c - -iptables_static-iptables-xml.obj: iptables-xml.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-xml.obj -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-xml.Tpo" -c -o iptables_static-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-xml.Tpo" "$(DEPDIR)/iptables_static-iptables-xml.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-xml.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-xml.c' object='iptables_static-iptables-xml.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-xml.obj `if test -f 'iptables-xml.c'; then $(CYGPATH_W) 'iptables-xml.c'; else $(CYGPATH_W) '$(srcdir)/iptables-xml.c'; fi` - -iptables_static-iptables-standalone.o: iptables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-standalone.o -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-standalone.Tpo" -c -o iptables_static-iptables-standalone.o `test -f 'iptables-standalone.c' || echo '$(srcdir)/'`iptables-standalone.c; \ -@am__fastdepCC_TRUE@ then mv -f 
"$(DEPDIR)/iptables_static-iptables-standalone.Tpo" "$(DEPDIR)/iptables_static-iptables-standalone.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-standalone.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-standalone.c' object='iptables_static-iptables-standalone.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-standalone.o `test -f 'iptables-standalone.c' || echo '$(srcdir)/'`iptables-standalone.c - -iptables_static-iptables-standalone.obj: iptables-standalone.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables-standalone.obj -MD -MP -MF "$(DEPDIR)/iptables_static-iptables-standalone.Tpo" -c -o iptables_static-iptables-standalone.obj `if test -f 'iptables-standalone.c'; then $(CYGPATH_W) 'iptables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/iptables-standalone.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables-standalone.Tpo" "$(DEPDIR)/iptables_static-iptables-standalone.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables-standalone.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables-standalone.c' object='iptables_static-iptables-standalone.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables-standalone.obj `if test -f 'iptables-standalone.c'; then $(CYGPATH_W) 'iptables-standalone.c'; else $(CYGPATH_W) '$(srcdir)/iptables-standalone.c'; fi` - -iptables_static-iptables.o: iptables.c -@am__fastdepCC_TRUE@ if $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables.o -MD -MP -MF "$(DEPDIR)/iptables_static-iptables.Tpo" -c -o iptables_static-iptables.o `test -f 'iptables.c' || echo '$(srcdir)/'`iptables.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables.Tpo" "$(DEPDIR)/iptables_static-iptables.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables.c' object='iptables_static-iptables.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables.o `test -f 'iptables.c' || echo '$(srcdir)/'`iptables.c - -iptables_static-iptables.obj: iptables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-iptables.obj -MD -MP -MF "$(DEPDIR)/iptables_static-iptables.Tpo" -c -o iptables_static-iptables.obj `if test -f 'iptables.c'; then $(CYGPATH_W) 'iptables.c'; else $(CYGPATH_W) '$(srcdir)/iptables.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-iptables.Tpo" "$(DEPDIR)/iptables_static-iptables.Po"; else rm -f "$(DEPDIR)/iptables_static-iptables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='iptables.c' object='iptables_static-iptables.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-iptables.obj `if test -f 'iptables.c'; then $(CYGPATH_W) 'iptables.c'; else $(CYGPATH_W) '$(srcdir)/iptables.c'; fi` - -iptables_static-xtables.o: xtables.c 
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-xtables.o -MD -MP -MF "$(DEPDIR)/iptables_static-xtables.Tpo" -c -o iptables_static-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-xtables.Tpo" "$(DEPDIR)/iptables_static-xtables.Po"; else rm -f "$(DEPDIR)/iptables_static-xtables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xtables.c' object='iptables_static-xtables.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-xtables.o `test -f 'xtables.c' || echo '$(srcdir)/'`xtables.c - -iptables_static-xtables.obj: xtables.c -@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -MT iptables_static-xtables.obj -MD -MP -MF "$(DEPDIR)/iptables_static-xtables.Tpo" -c -o iptables_static-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/iptables_static-xtables.Tpo" "$(DEPDIR)/iptables_static-xtables.Po"; else rm -f "$(DEPDIR)/iptables_static-xtables.Tpo"; exit 1; fi -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xtables.c' object='iptables_static-xtables.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_static_CFLAGS) $(CFLAGS) -c -o iptables_static-xtables.obj `if test -f 'xtables.c'; then $(CYGPATH_W) 'xtables.c'; else $(CYGPATH_W) '$(srcdir)/xtables.c'; fi` +@am__fastdepCC_FALSE@ $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(iptables_multi_CFLAGS) $(CFLAGS) -c -o iptables_multi-xshared.obj `if test -f 'xshared.c'; then $(CYGPATH_W) 'xshared.c'; else $(CYGPATH_W) '$(srcdir)/xshared.c'; fi` mostlyclean-libtool: -rm -f *.lo 
@@ -1030,70 +806,65 @@ -rm -rf libiptc/.libs libiptc/_libs distclean-libtool: - -rm -f libtool -uninstall-info-am: -install-man8: $(man8_MANS) $(man_MANS) + -rm -f libtool config.lt +install-man8: $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list=''; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + 
uninstall-man8: @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } install-pkgconfigDATA: $(pkgconfig_DATA) @$(NORMAL_INSTALL) - test -z "$(pkgconfigdir)" || $(mkdir_p) "$(DESTDIR)$(pkgconfigdir)" - @list='$(pkgconfig_DATA)'; for p in $$list; do \ + test -z "$(pkgconfigdir)" || $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ - f=$(am__strip_dir) \ - echo " $(pkgconfigDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(pkgconfigdir)/$$f'"; \ - $(pkgconfigDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(pkgconfigdir)/$$f"; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgconfigdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgconfigdir)" || exit $$?; \ done uninstall-pkgconfigDATA: @$(NORMAL_UNINSTALL) - @list='$(pkgconfig_DATA)'; for p in $$list; do \ - f=$(am__strip_dir) \ - echo " rm -f 
'$(DESTDIR)$(pkgconfigdir)/$$f'"; \ - rm -f "$(DESTDIR)$(pkgconfigdir)/$$f"; \ - done + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(pkgconfigdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(pkgconfigdir)" && rm -f $$files # This directory's subdirectories are mostly independent; you can cd # into them and run `make' without going through this Makefile. @@ -1102,7 +873,7 @@ # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -1119,16 +890,15 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" -mostlyclean-recursive clean-recursive distclean-recursive \ -maintainer-clean-recursive: - @failcom='exit 1'; \ +$(RECURSIVE_CLEAN_TARGETS): + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -1154,16 +924,16 @@ else \ local_target="$$target"; \ fi; \ - (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) @@ -1171,14 +941,14 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ 
@@ -1190,93 +960,127 @@ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ - tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) + @list='$(MANS)'; if 
test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi $(am__remove_distdir) - mkdir $(distdir) - $(mkdir_p) $(distdir)/. $(distdir)/extensions $(distdir)/include $(distdir)/include/iptables $(distdir)/m4 - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ + test -d "$(distdir)" || mkdir "$(distdir)" + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ if test -d $$d/$$file; then \ + dir=`echo "/$$file" 
| sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done - list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ - || $(mkdir_p) "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ - distdir=`$(am__cd) $(distdir) && pwd`; \ - top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ - (cd $$subdir && \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$$top_distdir" \ - distdir="$$distdir/$$subdir" \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done - -find $(distdir) -type d ! 
-perm -777 -exec chmod a+rwx {} \; -o \ + -test -n "$(am__skip_mode_fix)" \ + || find "$(distdir)" -type d ! -perm -755 \ + -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ - ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \ - || chmod -R a+r $(distdir) + ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ + || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__remove_distdir) @@ -1285,6 +1089,14 @@ tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2 $(am__remove_distdir) +dist-lzma: distdir + tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma + $(am__remove_distdir) + +dist-xz: distdir + tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz + $(am__remove_distdir) + dist-tarZ: distdir tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__remove_distdir) @@ -1308,13 +1120,17 @@ distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ - GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\ + GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ - bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\ + bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ + *.tar.lzma*) \ + lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\ + *.tar.xz*) \ + xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ - GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\ + GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac 
@@ -1322,9 +1138,11 @@ mkdir $(distdir)/_build mkdir $(distdir)/_inst chmod a-w $(distdir) + test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ - && cd $(distdir)/_build \ + && am__cwd=`pwd` \ + && $(am__cd) $(distdir)/_build \ && ../configure --srcdir=.. --prefix="$$dc_install_base" \ $(DISTCHECK_CONFIGURE_FLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) \ @@ -1346,13 +1164,15 @@ && rm -rf "$$dc_destdir" \ && $(MAKE) $(AM_MAKEFLAGS) dist \ && rm -rf $(DIST_ARCHIVES) \ - && $(MAKE) $(AM_MAKEFLAGS) distcleancheck + && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ + && cd "$$am__cwd" \ + || exit 1 $(am__remove_distdir) @(echo "$(distdir) archives ready for distribution: "; \ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ - sed -e '1{h;s/./=/g;p;x;}' -e '$${p;x;}' + sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' distuninstallcheck: - @cd $(distuninstallcheck_dir) \ + @$(am__cd) '$(distuninstallcheck_dir)' \ && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \ || { echo "ERROR: files left after uninstall:" ; \ if test -n "$(DESTDIR)"; then \ @@ -1372,12 +1192,10 @@ check-am: all-am check: check-recursive all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) config.h -install-binPROGRAMS: install-libLTLIBRARIES - installdirs: installdirs-recursive installdirs-am: - for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgconfigdir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgconfigdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-recursive install-exec: install-exec-recursive 
@@ -1400,6 +1218,7 @@ distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -rm -f libiptc/$(DEPDIR)/$(am__dirstamp) -rm -f libiptc/$(am__dirstamp) @@ -1408,9 +1227,8 @@ @echo "it deletes files that may require special tools to rebuild." clean: clean-recursive -clean-am: clean-binPROGRAMS clean-generic clean-libLTLIBRARIES \ - clean-libtool clean-noinstPROGRAMS clean-sbinPROGRAMS \ - mostlyclean-am +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ + clean-sbinPROGRAMS mostlyclean-am distclean: distclean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) @@ -1425,21 +1243,39 @@ html: html-recursive +html-am: + info: info-recursive info-am: install-data-am: install-man install-pkgconfigDATA -install-exec-am: install-binPROGRAMS install-libLTLIBRARIES \ - install-sbinPROGRAMS +install-dvi: install-dvi-recursive + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES install-sbinPROGRAMS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-exec-hook +install-html: install-html-recursive + +install-html-am: install-info: install-info-recursive +install-info-am: + install-man: install-man8 +install-pdf: install-pdf-recursive + +install-pdf-am: + +install-ps: install-ps-recursive + +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-recursive 
@@ -1462,33 +1298,33 @@ ps-am: -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libLTLIBRARIES uninstall-man uninstall-pkgconfigDATA \ - uninstall-sbinPROGRAMS - -uninstall-info: uninstall-info-recursive +uninstall-am: uninstall-libLTLIBRARIES uninstall-man \ + uninstall-pkgconfigDATA uninstall-sbinPROGRAMS uninstall-man: uninstall-man8 -.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am am--refresh check \ - check-am clean clean-binPROGRAMS clean-generic \ - clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS \ - clean-recursive clean-sbinPROGRAMS ctags ctags-recursive dist \ - dist-all dist-bzip2 dist-gzip dist-shar dist-tarZ dist-zip \ - distcheck distclean distclean-compile distclean-generic \ - distclean-hdr distclean-libtool distclean-recursive \ - distclean-tags distcleancheck distdir distuninstallcheck dvi \ - dvi-am html html-am info info-am install install-am \ - install-binPROGRAMS install-data install-data-am install-exec \ - install-exec-am install-exec-hook install-info install-info-am \ - install-libLTLIBRARIES install-man install-man8 \ - install-pkgconfigDATA install-sbinPROGRAMS install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic \ - maintainer-clean-recursive mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool mostlyclean-recursive \ - pdf pdf-am ps ps-am tags tags-recursive uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am \ +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) all \ + ctags-recursive install-am install-exec-am install-strip \ + tags-recursive + +.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ + all all-am am--refresh check check-am clean clean-generic \ + clean-libLTLIBRARIES clean-libtool clean-sbinPROGRAMS ctags \ + ctags-recursive dist dist-all dist-bzip2 dist-gzip dist-lzma \ + dist-shar dist-tarZ dist-xz dist-zip distcheck distclean \ + distclean-compile 
distclean-generic distclean-hdr \ + distclean-libtool distclean-tags distcleancheck distdir \ + distuninstallcheck dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-exec-hook \ + install-html install-html-am install-info install-info-am \ + install-libLTLIBRARIES install-man install-man8 install-pdf \ + install-pdf-am install-pkgconfigDATA install-ps install-ps-am \ + install-sbinPROGRAMS install-strip installcheck \ + installcheck-am installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-recursive uninstall uninstall-am \ uninstall-libLTLIBRARIES uninstall-man uninstall-man8 \ uninstall-pkgconfigDATA uninstall-sbinPROGRAMS @@ -1513,6 +1349,11 @@ # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; + ${INSTALL} -dm0755 "${DESTDIR}${bindir}"; + for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done; + for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done; + for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done; + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru iptables-1.4.4/missing iptables-1.4.10/missing --- iptables-1.4.4/missing 2009-06-16 14:42:56.000000000 +0000 +++ iptables-1.4.10/missing 2010-10-29 14:40:40.000000000 +0000 
@@ -1,10 +1,10 @@ #! /bin/sh # Common stub for a few missing GNU programs while installing. -scriptversion=2005-06-08.21 +scriptversion=2009-04-28.21; # UTC -# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005 -# Free Software Foundation, Inc. +# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006, +# 2008, 2009 Free Software Foundation, Inc. # Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify @@ -18,9 +18,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program. If not, see <http://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -33,6 +31,8 @@ fi run=: +sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' +sed_minuso='s/.* -o \([^ ]*\).*/\1/p' # In the cases where this matters, `missing' is being run in the # srcdir already. @@ -44,7 +44,7 @@ msg="missing on your system" -case "$1" in +case $1 in --run) # Try to run requested program, and just exit if it succeeds. run= @@ -77,6 +77,7 @@ aclocal touch file \`aclocal.m4' autoconf touch file \`configure' autoheader touch file \`config.h.in' + autom4te touch the output file, or create a stub one automake touch all \`Makefile.in' files bison create \`y.tab.[ch]', if possible, from existing .[ch] flex create \`lex.yy.c', if possible, from existing .c @@ -86,6 +87,9 @@ tar try tar, gnutar, gtar, then tar without non-portable flags yacc create \`y.tab.[ch]', if possible, from existing .[ch] +Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and +\`g' are ignored when checking the name. + Send bug reports to <bug-automake@gnu.org>." exit $? ;; 
@@ -103,15 +107,22 @@ esac +# normalize program name to check for. +program=`echo "$1" | sed ' + s/^gnu-//; t + s/^gnu//; t + s/^g//; t'` + # Now exit if we have it, but it failed. Also exit now if we # don't have it and --version was passed (most likely to detect -# the program). -case "$1" in - lex|yacc) +# the program). This is about non-GNU programs, so use $1 not +# $program. +case $1 in + lex*|yacc*) # Not GNU programs, they don't have --version. ;; - tar) + tar*) if test -n "$run"; then echo 1>&2 "ERROR: \`tar' requires --run" exit 1 @@ -135,7 +146,7 @@ # If it does not exist, or fails to run (possibly an outdated version), # try to emulate it. -case "$1" in +case $program in aclocal*) echo 1>&2 "\ WARNING: \`$1' is $msg. You should only need it if @@ -145,7 +156,7 @@ touch aclocal.m4 ;; - autoconf) + autoconf*) echo 1>&2 "\ WARNING: \`$1' is $msg. You should only need it if you modified \`${configure_ac}'. You might want to install the @@ -154,7 +165,7 @@ touch configure ;; - autoheader) + autoheader*) echo 1>&2 "\ WARNING: \`$1' is $msg. You should only need it if you modified \`acconfig.h' or \`${configure_ac}'. You might want @@ -164,7 +175,7 @@ test -z "$files" && files="config.h" touch_files= for f in $files; do - case "$f" in + case $f in *:*) touch_files="$touch_files "`echo "$f" | sed -e 's/^[^:]*://' -e 's/:.*//'`;; *) touch_files="$touch_files $f.in";; @@ -184,7 +195,7 @@ while read f; do touch "$f"; done ;; - autom4te) + autom4te*) echo 1>&2 "\ WARNING: \`$1' is needed, but is $msg. You might have modified some files without having the @@ -192,8 +203,8 @@ You can get \`$1' as part of \`Autoconf' from any GNU archive site." - file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'` - test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'` + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` if test -f "$file"; then touch $file else 
@@ -207,80 +218,78 @@ fi ;; - bison|yacc) + bison*|yacc*) echo 1>&2 "\ WARNING: \`$1' $msg. You should only need it if you modified a \`.y' file. You may need the \`Bison' package in order for those modifications to take effect. You can get \`Bison' from any GNU archive site." rm -f y.tab.c y.tab.h - if [ $# -ne 1 ]; then + if test $# -ne 1; then eval LASTARG="\${$#}" - case "$LASTARG" in + case $LASTARG in *.y) SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" y.tab.c fi SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" y.tab.h fi ;; esac fi - if [ ! -f y.tab.h ]; then + if test ! -f y.tab.h; then echo >y.tab.h fi - if [ ! -f y.tab.c ]; then + if test ! -f y.tab.c; then echo 'main() { return 0; }' >y.tab.c fi ;; - lex|flex) + lex*|flex*) echo 1>&2 "\ WARNING: \`$1' is $msg. You should only need it if you modified a \`.l' file. You may need the \`Flex' package in order for those modifications to take effect. You can get \`Flex' from any GNU archive site." rm -f lex.yy.c - if [ $# -ne 1 ]; then + if test $# -ne 1; then eval LASTARG="\${$#}" - case "$LASTARG" in + case $LASTARG in *.l) SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if [ -f "$SRCFILE" ]; then + if test -f "$SRCFILE"; then cp "$SRCFILE" lex.yy.c fi ;; esac fi - if [ ! -f lex.yy.c ]; then + if test ! -f lex.yy.c; then echo 'main() { return 0; }' >lex.yy.c fi ;; - help2man) + help2man*) echo 1>&2 "\ WARNING: \`$1' is $msg. You should only need it if you modified a dependency of a manual page. You may need the \`Help2man' package in order for those modifications to take effect. You can get \`Help2man' from any GNU archive site." 
- file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` - if test -z "$file"; then - file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'` - fi - if [ -f "$file" ]; then + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then touch $file else test -z "$file" || exec >$file echo ".ab help2man is required to generate this page" - exit 1 + exit $? fi ;; - makeinfo) + makeinfo*) echo 1>&2 "\ WARNING: \`$1' is $msg. You should only need it if you modified a \`.texi' or \`.texinfo' file, or any other file @@ -289,11 +298,17 @@ DU, IRIX). You might want to install the \`Texinfo' package or the \`GNU make' package. Grab either from any GNU archive site." # The file to touch is that specified with -o ... - file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'` + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` if test -z "$file"; then # ... or it is the one specified with @setfilename ... infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $infile` + file=`sed -n ' + /^@setfilename/{ + s/.* \([^ ]*\) *$/\1/ + p + q + }' $infile` # ... or it is derived from the source name (dir/f.texi becomes f.info) test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info fi @@ -303,7 +318,7 @@ touch $file ;; - tar) + tar*) shift # We have already tried tar in the generic part. @@ -317,13 +332,13 @@ fi firstarg="$1" if shift; then - case "$firstarg" in + case $firstarg in *o*) firstarg=`echo "$firstarg" | sed s/o//` tar "$firstarg" "$@" && exit 0 ;; esac - case "$firstarg" in + case $firstarg in *h*) firstarg=`echo "$firstarg" | sed s/h//` tar "$firstarg" "$@" && exit 0 
@@ -356,5 +371,6 @@
 # eval: (add-hook 'write-file-hooks 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
 # End:
diff -Nru iptables-1.4.4/.pc/.version iptables-1.4.10/.pc/.version
--- iptables-1.4.4/.pc/.version 2011-06-15 19:36:48.000000000 +0000
+++ iptables-1.4.10/.pc/.version 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-2
diff -Nru iptables-1.4.4/release.sh iptables-1.4.10/release.sh
--- iptables-1.4.4/release.sh 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/release.sh 2010-10-29 14:37:22.000000000 +0000
@@ -2,8 +2,8 @@
 #
 set -e
 
-VERSION=1.4.3-rc1
-PREV_VERSION=1.4.2
+VERSION=1.4.7
+PREV_VERSION=1.4.6
 
 TMPDIR=/tmp/ipt-release
 IPTDIR="$TMPDIR/iptables-$VERSION"
diff -Nru iptables-1.4.4/utils/.gitignore iptables-1.4.10/utils/.gitignore
--- iptables-1.4.4/utils/.gitignore 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/utils/.gitignore 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1 @@
+/nfnl_osf
diff -Nru iptables-1.4.4/utils/Makefile.am iptables-1.4.10/utils/Makefile.am
--- iptables-1.4.4/utils/Makefile.am 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/utils/Makefile.am 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,8 @@
+# -*- Makefile -*-
+
+AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include
+
+sbin_PROGRAMS = nfnl_osf
+pkgdata_DATA = pf.os
+
+nfnl_osf_LDADD = -lnfnetlink
diff -Nru iptables-1.4.4/utils/Makefile.in iptables-1.4.10/utils/Makefile.in
--- iptables-1.4.4/utils/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/utils/Makefile.in 2010-10-29 14:40:40.000000000 +0000
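Review bot: `nfnl_osf_LDADD = -lnfnetlink` hard-codes the library name instead of using the pkg-config result that configure already exports as `libnfnetlink_LIBS` (the generated utils/Makefile.in that follows carries both `libnfnetlink_CFLAGS = @libnfnetlink_CFLAGS@` and `libnfnetlink_LIBS = @libnfnetlink_LIBS@`), and `AM_CFLAGS` never adds `${libnfnetlink_CFLAGS}`, so a libnfnetlink installed outside the compiler's default search paths fails to compile or link even though configure found it. Prefer `AM_CFLAGS = ${regular_CFLAGS} ${libnfnetlink_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include` and `nfnl_osf_LDADD = ${libnfnetlink_LIBS}`. Whether configure.ac makes these substitutions unconditional cannot be seen from here, so confirm that before relying on them.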
@@ -0,0 +1,570 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# -*- Makefile -*- + + +VPATH = @srcdir@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +sbin_PROGRAMS = nfnl_osf$(EXEEXT) +subdir = utils +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_linker_flags.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(pkgdatadir)" +PROGRAMS = $(sbin_PROGRAMS) +nfnl_osf_SOURCES = 
nfnl_osf.c +nfnl_osf_OBJECTS = nfnl_osf.$(OBJEXT) +nfnl_osf_DEPENDENCIES = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = nfnl_osf.c +DIST_SOURCES = nfnl_osf.c +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +DATA = $(pkgdata_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +pkgdatadir = @pkgdatadir@ +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ 
+CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +blacklist_modules = @blacklist_modules@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ 
+htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +kbuilddir = @kbuilddir@ +kinclude_CFLAGS = @kinclude_CFLAGS@ +ksourcedir = @ksourcedir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libiptc_LDFLAGS2 = @libiptc_LDFLAGS2@ +libnfnetlink_CFLAGS = @libnfnetlink_CFLAGS@ +libnfnetlink_LIBS = @libnfnetlink_LIBS@ +libxtables_vage = @libxtables_vage@ +libxtables_vcurrent = @libxtables_vcurrent@ +libxtables_vmajor = @libxtables_vmajor@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgconfigdir = @pkgconfigdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +regular_CFLAGS = @regular_CFLAGS@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +xtlibdir = @xtlibdir@ +AM_CFLAGS = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include +pkgdata_DATA = pf.os +nfnl_osf_LDADD = -lnfnetlink +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu utils/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu utils/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + 
files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +nfnl_osf$(EXEEXT): $(nfnl_osf_OBJECTS) $(nfnl_osf_DEPENDENCIES) + @rm -f nfnl_osf$(EXEEXT) + $(LINK) $(nfnl_osf_OBJECTS) $(nfnl_osf_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nfnl_osf.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-pkgdataDATA: $(pkgdata_DATA) + @$(NORMAL_INSTALL) + test -z "$(pkgdatadir)" || $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" + @list='$(pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgdatadir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgdatadir)" || exit $$?; \ + done + +uninstall-pkgdataDATA: + @$(NORMAL_UNINSTALL) + @list='$(pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(pkgdatadir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(pkgdatadir)" && rm -f $$files + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: 
$(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(pkgdatadir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pkgdataDATA + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pkgdataDATA uninstall-sbinPROGRAMS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-sbinPROGRAMS ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-pkgdataDATA install-ps \ + install-ps-am install-sbinPROGRAMS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-pkgdataDATA \ + uninstall-sbinPROGRAMS + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff -Nru iptables-1.4.4/utils/nfnl_osf.c iptables-1.4.10/utils/nfnl_osf.c
--- iptables-1.4.4/utils/nfnl_osf.c 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/utils/nfnl_osf.c 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,485 @@
+/*
+ * Copyright (c) 2005 Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/poll.h>
+#include <sys/time.h>
+
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+#include <linux/connector.h>
+#include <linux/types.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/unistd.h>
+
+#include <libnfnetlink/libnfnetlink.h>
+
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/xt_osf.h>
+
+#define OPTDEL ','
+#define OSFPDEL ':'
+#define MAXOPTSTRLEN 128
+
+#ifndef NIPQUAD
+#define NIPQUAD(addr) \
+ ((unsigned char *)&addr)[0], \
+ ((unsigned char *)&addr)[1], \
+ ((unsigned char *)&addr)[2], \
+ ((unsigned char *)&addr)[3]
+#endif
+
+static struct nfnl_handle *nfnlh;
+static struct nfnl_subsys_handle *nfnlssh;
+
+static struct xt_osf_opt IANA_opts[] = {
+ { .kind = 0, .length = 1,},
+ { .kind=1, .length=1,},
+ { .kind=2, .length=4,},
+ { .kind=3, .length=3,},
+ { .kind=4, .length=2,},
+ { .kind=5, .length=1,}, /* SACK length is not defined */
+ { .kind=6, .length=6,},
+ { .kind=7, .length=6,},
+ { .kind=8, .length=10,},
+ { .kind=9, .length=2,},
+ { .kind=10, .length=3,},
+ { .kind=11, .length=1,}, /* CC: Suppose 1 */
+ { .kind=12, .length=1,}, /* the same */
+ { .kind=13, .length=1,}, /* and here too */
+ { .kind=14, .length=3,},
+ { .kind=15, .length=1,}, /* TCP Alternate Checksum Data. Length is not defined */
+ { .kind=16, .length=1,},
+ { .kind=17, .length=1,},
+ { .kind=18, .length=3,},
+ { .kind=19, .length=18,},
+ { .kind=20, .length=1,},
+ { .kind=21, .length=1,},
+ { .kind=22, .length=1,},
+ { .kind=23, .length=1,},
+ { .kind=24, .length=1,},
+ { .kind=25, .length=1,},
+ { .kind=26, .length=1,},
+};
+
+static FILE *osf_log_stream;
+
+static void uloga(const char *f, ...)
+{
+ va_list ap;
+
+ if (!osf_log_stream)
+ osf_log_stream = stdout;
+
+ va_start(ap, f);
+ vfprintf(osf_log_stream, f, ap);
+ va_end(ap);
+
+ fflush(osf_log_stream);
+}
+
+static void ulog(const char *f, ...)
+{
+ char str[64];
+ struct tm tm;
+ struct timeval tv;
+ va_list ap;
+
+ if (!osf_log_stream)
+ osf_log_stream = stdout;
+
+ gettimeofday(&tv, NULL);
+ localtime_r((time_t *)&tv.tv_sec, &tm);
+ strftime(str, sizeof(str), "%F %R:%S", &tm);
+
+ fprintf(osf_log_stream, "%s.%lu %ld ", str, tv.tv_usec, syscall(__NR_gettid));
+
+ va_start(ap, f);
+ vfprintf(osf_log_stream, f, ap);
+ va_end(ap);
+
+ fflush(osf_log_stream);
+}
+
+#define ulog_err(f, a...) uloga(f ": %s [%d].\n", ##a, strerror(errno), errno)
+
+static char *xt_osf_strchr(char *ptr, char c)
+{
+ char *tmp;
+
+ tmp = strchr(ptr, c);
+ if (tmp)
+ *tmp = '\0';
+
+ while (tmp && tmp + 1 && isspace(*(tmp + 1)))
+ tmp++;
+
+ return tmp;
+}
+
+static void xt_osf_parse_opt(struct xt_osf_opt *opt, __u16 *optnum, char *obuf, int olen)
+{
+ int i, op;
+ char *ptr, wc;
+ unsigned long val;
+
+ ptr = &obuf[0];
+ i = 0;
+ while (ptr != NULL && i < olen && *ptr != 0) {
+ val = 0;
+ op = 0;
+ wc = OSF_WSS_PLAIN;
+ switch (obuf[i]) {
+ case 'N':
+ op = OSFOPT_NOP;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ *ptr = '\0';
+ ptr++;
+ i += (int)(ptr - &obuf[i]);
+ } else
+ i++;
+ break;
+ case 'S':
+ op = OSFOPT_SACKP;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ *ptr = '\0';
+ ptr++;
+ i += (int)(ptr - &obuf[i]);
+ } else
+ i++;
+ break;
+ case 'T':
+ op = OSFOPT_TS;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ *ptr = '\0';
+ ptr++;
+ i += (int)(ptr - &obuf[i]);
+ } else
+ i++;
+ break;
+ case 'W':
+ op = OSFOPT_WSO;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ switch (obuf[i + 1]) {
+ case '%':
+ wc = OSF_WSS_MODULO;
+ break;
+ case 'S':
+ wc = OSF_WSS_MSS;
+ break;
+ case 'T':
+ wc = OSF_WSS_MTU;
+ break;
+ default:
+ wc = OSF_WSS_PLAIN;
+ break;
+ }
+
+ *ptr = '\0';
+ ptr++;
+ if (wc)
+ val = strtoul(&obuf[i + 2], NULL, 10);
+ else
+ val = strtoul(&obuf[i + 1], NULL, 10);
+ i += (int)(ptr - &obuf[i]);
+
+ } else
+ i++;
+ break;
+ case 'M':
+ op = OSFOPT_MSS;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ if (obuf[i + 1] == '%')
+ wc = OSF_WSS_MODULO;
+ *ptr = '\0';
+ ptr++;
+ if (wc)
+ val = strtoul(&obuf[i + 2], NULL, 10);
+ else
+ val = strtoul(&obuf[i + 1], NULL, 10);
+ i += (int)(ptr - &obuf[i]);
+ } else
+ i++;
+ break;
+ case 'E':
+ op = OSFOPT_EOL;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ *ptr = '\0';
+ ptr++;
+ i += (int)(ptr - &obuf[i]);
+ } else
+ i++;
+ break;
+ default:
+ op = OSFOPT_EMPTY;
+ ptr = xt_osf_strchr(&obuf[i], OPTDEL);
+ if (ptr) {
+ ptr++;
+ i += (int)(ptr - &obuf[i]);
+ } else
+ i++;
+ break;
+ }
+
+ if (op != OSFOPT_EMPTY) {
+ opt[*optnum].kind = IANA_opts[op].kind;
+ opt[*optnum].length = IANA_opts[op].length;
+ opt[*optnum].wc.wc = wc;
+ opt[*optnum].wc.val = val;
+ (*optnum)++;
+ }
+ }
+}
+
+static int osf_load_line(char *buffer, int len, int del)
+{
+ int i, cnt = 0;
+ char obuf[MAXOPTSTRLEN];
+ struct xt_osf_user_finger f;
+ char *pbeg, *pend;
+ char buf[NFNL_HEADER_LEN + NFA_LENGTH(sizeof(struct xt_osf_user_finger))];
+ struct nlmsghdr *nmh = (struct nlmsghdr *) buf;
+
+ memset(&f, 0, sizeof(struct xt_osf_user_finger));
+
+ ulog("Loading '%s'.\n", buffer);
+
+ for (i = 0; i < len && buffer[i] != '\0'; ++i) {
+ if (buffer[i] == ':')
+ cnt++;
+ }
+
+ if (cnt != 8) {
+ ulog("Wrong input line '%s': cnt: %d, must be 8, i: %d, must be %d.\n", buffer, cnt, i, len);
+ return -EINVAL;
+ }
+
+ memset(obuf, 0, sizeof(obuf));
+
+ pbeg = buffer;
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ if (pbeg[0] == 'S') {
+ f.wss.wc = OSF_WSS_MSS;
+ if (pbeg[1] == '%')
+ f.wss.val = strtoul(&pbeg[2], NULL, 10);
+ else if (pbeg[1] == '*')
+ f.wss.val = 0;
+ else
+ f.wss.val = strtoul(&pbeg[1], NULL, 10);
+ } else if (pbeg[0] == 'T') {
+ f.wss.wc = OSF_WSS_MTU;
+ if (pbeg[1] == '%')
+ f.wss.val = strtoul(&pbeg[2], NULL, 10);
+ else if (pbeg[1] == '*')
+ f.wss.val = 0;
+ else
+ f.wss.val = strtoul(&pbeg[1], NULL, 10);
+ } else if (pbeg[0] == '%') {
+ f.wss.wc = OSF_WSS_MODULO;
+ f.wss.val = strtoul(&pbeg[1], NULL, 10);
+ } else if (isdigit(pbeg[0])) {
+ f.wss.wc = OSF_WSS_PLAIN;
+ f.wss.val = strtoul(&pbeg[0], NULL, 10);
+ }
+
+ pbeg = pend + 1;
+ }
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ f.ttl = strtoul(pbeg, NULL, 10);
+ pbeg = pend + 1;
+ }
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ f.df = strtoul(pbeg, NULL, 10);
+ pbeg = pend + 1;
+ }
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ f.ss = strtoul(pbeg, NULL, 10);
+ pbeg = pend + 1;
+ }
+
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
+ pbeg = pend + 1;
+ }
+
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ if (pbeg[0] == '@' || pbeg[0] == '*')
+ cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1);
+ else
+ cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
+ pbeg = pend + 1;
+ }
+
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
+ pbeg = pend + 1;
+ }
+
+ pend = xt_osf_strchr(pbeg, OSFPDEL);
+ if (pend) {
+ *pend = '\0';
+ cnt =
+ snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
+ pbeg = pend + 1;
+ }
+
+ xt_osf_parse_opt(f.opt, &f.opt_num, obuf, sizeof(obuf));
+
+ memset(buf, 0, sizeof(buf));
+
+ if (del)
+ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE, NLM_F_REQUEST);
+ else
+ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD, NLM_F_REQUEST | NLM_F_CREATE);
+
+ nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger));
+
+ return nfnl_talk(nfnlh, nmh, 0, 0, NULL, NULL, NULL);
+}
+
+static int osf_load_entries(char *path, int del)
+{
+ FILE *inf;
+ int err = 0;
+ char buf[1024];
+
+ inf = fopen(path, "r");
+ if (!inf) {
+ ulog_err("Failed to open file '%s'", path);
+ return -1;
+ }
+
+ while(fgets(buf, sizeof(buf), inf)) {
+ int len;
+
+ if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r')
+ continue;
+
+ len = strlen(buf) - 1;
+
+ if (len <= 0)
+ continue;
+
+ buf[len] = '\0';
+
+ err = osf_load_line(buf, len, del);
+ if (err)
+ break;
+
+ memset(buf, 0, sizeof(buf));
+ }
+
+ fclose(inf);
+ return err;
+}
+
+int main(int argc, char *argv[])
+{
+ int ch, del = 0, err;
+ char *fingerprints = NULL;
+
+ while ((ch = getopt(argc, argv, "f:dh")) != -1) {
+ switch (ch) {
+ case 'f':
+ fingerprints = optarg;
+ break;
+ case 'd':
+ del = 1;
+ break;
+ default:
+ fprintf(stderr,
+ "Usage: %s -f fingerprints -d <del rules> -h\n",
+ argv[0]);
+ return -1;
+ }
+ }
+
+ if (!fingerprints) {
+ err = -ENOENT;
+ goto err_out_exit;
+ }
+
+ nfnlh = nfnl_open();
+ if (!nfnlh) {
+ err = -EINVAL;
+ ulog_err("Failed to create nfnl handler");
+ goto err_out_exit;
+ }
+
+#ifndef NFNL_SUBSYS_OSF
+#define NFNL_SUBSYS_OSF 5
+#endif
+
+ nfnlssh = nfnl_subsys_open(nfnlh, NFNL_SUBSYS_OSF, OSF_MSG_MAX, 0);
+ if (!nfnlssh) {
+ err = -EINVAL;
+ ulog_err("Faied to create nfnl subsystem");
+ goto err_out_close;
+ }
+
+ err = osf_load_entries(fingerprints, del);
+ if (err)
+ goto err_out_close_subsys;
+
+ nfnl_subsys_close(nfnlssh);
+ nfnl_close(nfnlh);
+
+ return 0;
+
+err_out_close_subsys:
+ nfnl_subsys_close(nfnlssh);
+err_out_close:
+ nfnl_close(nfnlh);
+err_out_exit:
+ return err;
+}
diff -Nru iptables-1.4.4/utils/pf.os iptables-1.4.10/utils/pf.os
--- iptables-1.4.4/utils/pf.os 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/utils/pf.os 2010-10-29 14:37:22.000000000 +0000
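Review bot: `xt_osf_parse_opt` stores into `opt[*optnum]` and increments `*optnum` without any upper bound, while `osf_load_line` passes `f.opt`, a fixed-size array inside `struct xt_osf_user_finger` whose length (`MAX_IPOPTLEN` in xt_osf.h) is not visible in this hunk; `obuf` carries up to `MAXOPTSTRLEN` (128) bytes of option text and two-character tokens such as `N,` can produce more entries than that array holds, overrunning `f` on the stack of `osf_load_line`. The input is the fingerprint file named with `-f`, so this is a robustness rather than a remote problem, but the store should still be bounded before the assignment, e.g. `if (*optnum >= MAX_IPOPTLEN) break;` at the top of the `if (op != OSFOPT_EMPTY)` block, or by passing the array length in as a parameter. Related, the `cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);` result in `osf_load_line` is assigned but never examined, so an option list longer than the buffer is silently truncated and the fingerprint is loaded with a partial option set; checking `cnt >= (int)sizeof(obuf)` and returning `-EINVAL` would surface it. Finally, `isspace()` in `xt_osf_strchr` and `isdigit()` in `osf_load_line` receive a plain `char`, which is undefined for negative values on signed-char targets; cast the argument to `unsigned char` first.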
@@ -0,0 +1,687 @@ +# $OpenBSD: pf.os,v 1.20 2006/06/02 16:54:34 david Exp $ +# passive OS fingerprinting +# ------------------------- +# +# SYN signatures. Those signatures work for SYN packets only (duh!). +# +# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> +# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# +# +# This fingerprint database is adapted from Michal Zalewski's p0f passive +# operating system package. The last database sync was from a Nov 3 2003 +# p0f.fp. +# +# +# Each line in this file specifies a single fingerprint. Please read the +# information below carefully before attempting to append any signatures +# reported as UNKNOWN to this file to avoid mistakes. +# +# We use the following set metrics for fingerprinting: +# +# - Window size (WSS) - a highly OS dependent setting used for TCP/IP +# performance control (max. amount of data to be sent without ACK). +# Some systems use a fixed value for initial packets. On other +# systems, it is a multiple of MSS or MTU (MSS+40). In some rare +# cases, the value is just arbitrary. 
+# +# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number +# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' +# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the +# value of nn is not fixed (unlikely), just copy the Snn or Tnn token +# literally. If you know this device has a simple stack and a fixed +# MTU, you can however multiply S value by MSS, or T value by MSS+40, +# and put it instead of Snn or Tnn. +# +# If WSS otherwise looks like a fixed value (for example a multiple +# of two), or if you can confirm the value is fixed, please quote +# it literally. If there's no apparent pattern in WSS chosen, you +# should consider wildcarding this value. +# +# - Overall packet size - a function of all IP and TCP options and bugs. +# +# NEW SIGNATURE: Copy this value literally. +# +# - Initial TTL - We check the actual TTL of a received packet. It can't +# be higher than the initial TTL, and also shouldn't be dramatically +# lower (maximum distance is defined as 40 hops). +# +# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. +# You need to determine the initial TTL. The best way to do it is to +# check the documentation for a remote system, or check its settings. +# A fairly good method is to simply round the observed TTL up to +# 32, 64, 128, or 255, but it should be noted that some obscure devices +# might not use round TTLs (in particular, some shoddy appliances use +# "original" initial TTL settings). If not sure, you can see how many +# hops you're away from the remote party with traceroute or mtr. +# +# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU +# discovery. Others do not bother. +# +# NEW SIGNATURE: Copy this value literally. +# +# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f +# uses it to determine link type of the remote host. 
+# +# NEW SIGNATURE: Always wildcard this value, except for rare cases when +# you have an appliance with a fixed value, know the system supports only +# a very limited number of network interface types, or know the system +# is using a value it pulled out of nowhere. Specific unique MSS +# can be used to tell Google crawlbots from the rest of the population. +# +# - Window scaling (WSCALE) - this feature is used to scale WSS. +# It extends the size of a TCP/IP window to 32 bits. Some modern +# systems implement this feature. +# +# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set +# to zero or other low value. There's usually no need to wildcard this +# parameter. +# +# - Timestamp - some systems that implement timestamps set them to +# zero in the initial SYN. This case is detected and handled appropriately. +# +# - Selective ACK permitted - a flag set by systems that implement +# selective ACK functionality. +# +# - The sequence of TCP all options (MSS, window scaling, selective ACK +# permitted, timestamp, NOP). Other than the options previously +# discussed, p0f also checks for timestamp option (a silly +# extension to broadcast your uptime ;-), NOP options (used for +# header padding) and sackOK option (selective ACK feature). +# +# NEW SIGNATURE: Copy the sequence literally. +# +# To wildcard any value (except for initial TTL or TCP options), replace +# it with '*'. You can also use a modulo operator to match any values +# that divide by nnn - '%nnn'. +# +# Fingerprint entry format: +# +# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details +# +# wwww - window size (can be *, %nnn, Snn or Tnn). The special values +# "S" and "T" which are a multiple of MSS or a multiple of MTU +# respectively. 
+# ttt - initial TTL +# D - don't fragment bit (0 - not set, 1 - set) +# ss - overall SYN packet size +# OOO - option value and order specification (see below) +# OS - OS genre (Linux, Solaris, Windows) +# Version - OS Version (2.0.27 on x86, etc) +# Subtype - OS subtype or patchlevel (SP3, lo0) +# details - Generic OS details +# +# If OS genre starts with '*', p0f will not show distance, link type +# and timestamp data. It is useful for userland TCP/IP stacks of +# network scanners and so on, where many settings are randomized or +# bogus. +# +# If OS genre starts with @, it denotes an approximate hit for a group +# of operating systems (signature reporting still enabled in this case). +# Use this feature at the end of this file to catch cases for which +# you don't have a precise match, but can tell it's Windows or FreeBSD +# or whatnot by looking at, say, flag layout alone. +# +# Option block description is a list of comma or space separated +# options in the order they appear in the packet: +# +# N - NOP option +# Wnnn - window scaling option, value nnn (or * or %nnn) +# Mnnn - maximum segment size option, value nnn (or * or %nnn) +# S - selective ACK OK +# T - timestamp +# T0 - timestamp with a zero value +# +# To denote no TCP options, use a single '.'. +# +# Please report any additions to this file, or any inaccuracies or +# problems spotted, to the maintainers: lcamtuf@coredump.cx, +# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet +# capture of the relevant SYN packet(s) +# +# A test and submission page is available at +# http://lcamtuf.coredump.cx/p0f-help/ +# +# +# WARNING WARNING WARNING +# ----------------------- +# +# Do not add a system X as OS Y just because NMAP says so. It is often +# the case that X is a NAT firewall. While nmap is talking to the +# device itself, p0f is fingerprinting the guy behind the firewall +# instead. 
+# +# When in doubt, use common sense, don't add something that looks like +# a completely different system as Linux or FreeBSD or LinkSys router. +# Check DNS name, establish a connection to the remote host and look +# at SYN+ACK - does it look similar? +# +# Some users tweak their TCP/IP settings - enable or disable RFC1323 +# functionality, enable or disable timestamps or selective ACK, +# disable PMTU discovery, change MTU and so on. Always compare a new rule +# to other fingerprints for this system, and verify the system isn't +# "customized" before adding it. It is OK to add signature variants +# caused by a commonly used software (personal firewalls, security +# packages, etc), but it makes no sense to try to add every single +# possible /proc/sys/net/ipv4 tweak on Linux or so. +# +# KEEP IN MIND: Some packet firewalls configured to normalize outgoing +# traffic (OpenBSD pf with "scrub" enabled, for example) will, well, +# normalize packets. Signatures will not correspond to the originating +# system (and probably not quite to the firewall either). +# +# NOTE: Try to keep this file in some reasonable order, from most to +# least likely systems. This will speed up operation. Also keep most +# generic and broad rules near the end. +# + +########################## +# Standard OS signatures # +########################## + +# ----------------- AIX --------------------- + +# AIX is first because its signatures are close to NetBSD, MacOS X and +# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... +# This is a shoddy hack, though. 
+ +45046:64:0:44:M*: AIX:4.3::AIX 4.3 +16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier + +16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1 + +# ----------------- Linux ------------------- + +# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support) +512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x +16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x + +# Endian snafu! Nelson says "ha-ha": +2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac +64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac + + +S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot) + +S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy) +S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer +S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7 +S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7 +S4:64:1:60:M*,S,T,N,W7: Linux:2.6:8:Linux 2.6.8 and newer (?) + +S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4) +S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 +S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) +S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) + +S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer +S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 +S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 + +# Popular cluster config scripts disable timestamps and +# selective ACK: +S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster + +# This needs to be investigated. On some systems, WSS +# is selected as a multiple of MTU instead of MSS. 
I got +# many submissions for this for many late versions of 2.4: +T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon) + +# This happens only over loopback, but let's make folks happy: +32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local) +S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local) + +# Opera visitors: +16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?) +32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?) + +# Some fairly common mods: +S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps +S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps + + +# ----------------- FreeBSD ----------------- + +16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2 +16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2 +16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2 +16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 + +1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 + +57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323) +57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9 + +32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X) +32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) +65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X) +65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X) +65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2 +65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2 + +# XXX need quirks support +# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1) +# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2) +# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3) +# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323) + +# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps) + +# ----------------- NetBSD ------------------ + +16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 
+65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera) +16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6 +16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF) +65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF) +65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF) +32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization) + +# ----------------- OpenBSD ----------------- + +16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) +16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.9::OpenBSD 3.0-3.9 +16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.9:no-df:OpenBSD 3.0-3.9 (scrub no-df) +57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.9::OpenBSD 3.3-3.9 +57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.9:no-df:OpenBSD 3.3-3.9 (scrub no-df) + +65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.9:opera:OpenBSD 3.0-3.9 (Opera) + +# ----------------- Solaris ----------------- + +S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323 +S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8 +S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7 + +S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7 +S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1 +S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9 +S44:255:1:44:M*: Solaris:2.7::Solaris 7 + +4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x + +S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta) +32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203 + +# ----------------- IRIX -------------------- + +49152:64:0:44:M*: IRIX:6.4::IRIX 6.4 +61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5 +49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) +49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) + +61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21 +49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21 + +49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27 + + +# ----------------- Tru64 
------------------- + +32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4) +32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0 +8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6) +61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) + +# ----------------- OpenVMS ----------------- + +6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack) + +# ----------------- MacOS ------------------- + +# XXX Need EOL tcp opt support +# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic + +# XXX some of these use EOL too +16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP) +16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP) +16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP) +32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2 +65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4) +65535:64:1:64:M*,N,W0,N,N,T,S,E,E: MacOS:10::MacOS X + + +# ----------------- Windows ----------------- + +# Windows TCP/IP stack is a mess. For most recent XP, 2000 and +# even 98, the pathlevel, not the actual OS version, is more +# relevant to the signature. They share the same code, so it would +# seem. Luckily for us, almost all Windows 9x boxes have an +# awkward MSS of 536, which I use to tell one from another +# in most difficult cases. + +8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows) +S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95 +8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b + +# There were so many tweaking tools and so many stack versions for +# Windows 98 it is no longer possible to tell them from each other +# without some very serious research. 
Until then, there's an insane +# number of signatures, for your amusement: + +S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) +8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) +%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98 +%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98 +S4:64:1:48:M*,N,N,S: Windows:98::Windows 98 +S6:64:1:48:M*,N,N,S: Windows:98::Windows 98 +S12:64:1:48:M*,N,N,S: Windows:98::Windows 98 +T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 +32767:64:1:48:M*,N,N,S: Windows:98::Windows 98 +37300:64:1:48:M*,N,N,S: Windows:98::Windows 98 +46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323) +65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack) +S16:128:1:48:M*,N,N,S: Windows:98::Windows 98 +S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 +S26:128:1:48:M*,N,N,S: Windows:98::Windows 98 +T30:128:1:48:M*,N,N,S: Windows:98::Windows 98 +32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98 +60352:128:1:48:M*,N,N,S: Windows:98::Windows 98 +60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98 + +# What's with 1414 on NT? +T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a +64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a +8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older) + +# Windows XP and 2000. Most of the signatures that were +# either dubious or non-specific (no service pack data) +# were deleted and replaced with generics at the end. 
+ +65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 +65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 +%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) +%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) +S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3 +S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3 +S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1 +S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1 +40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 + +S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+ +S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+ +S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 +S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3 +S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3 +64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3 +64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3 +32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4 +32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4 + +# Odds, ends, mods: + +S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco +S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco +65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone +16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm? +2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server + +44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?) +S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2 +32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS + + +# No need to be more specific, it passes: +# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) 
XXX quirk +# there is an equiv similar generic sig w/o the quirk + +# ----------------- HP/UX ------------------- + +32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20 +32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0 +32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11 +32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11 + +# Whoa. Hardcore WSS. +0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323) + +# ----------------- RiscOS ------------------ + +# We don't yet support the ?12 TCP option +#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36 +12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10 + +# XXX quirk +# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00 + + + +# ----------------- BSD/OS ------------------ + +# Once again, power of two WSS is also shared by MacOS X with DF set +8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF) +8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2) + + +# ---------------- NewtonOS ----------------- + +4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 + +# ---------------- NeXTSTEP ----------------- + +S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3 +S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3 + +# ------------------ BeOS ------------------- + +1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1 +12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x + +# ------------------ OS/400 ----------------- + +8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5 +8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5 +4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032 + +# XXX quirk +# 28672:64:0:44:M1460:A:OS/390:? 
+ +# ------------------ ULTRIX ----------------- + +16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5 + +# ------------------- QNX ------------------- + +S16:64:0:44:M512: QNX:::QNX demodisk + +# ------------------ Novell ----------------- + +16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0 +6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11 +6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ? + +6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3 + + +# ----------------- SCO ------------------ +S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1 +S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3 +S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0 + +# ------------------- DOS ------------------- + +2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05 +T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro) + +# ------------------ OS/2 ------------------- + +S56:64:0:44:M512: OS/2:4::OS/2 4 +28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0 + +# ----------------- TOPS-20 ----------------- + +# Another hardcore MSS, one of the ACK leakers hunted down. 
+# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7 +0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7 + +# ----------------- FreeMiNT ---------------- + +S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari) + +# ------------------ AMIGA ------------------ + +# XXX TCP option 12 +# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack + +# ------------------ Plan9 ------------------ + +65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4 + +# ----------------- AMIGAOS ----------------- + +16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX + +########################################### +# Appliance / embedded / other signatures # +########################################### + +# ---------- Firewalls / routers ------------ + +S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) +S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) +4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x + +# XXX TCP option 12 +# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3 +# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026 + +S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50 + +8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway + +S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router + + + +# ------- Switches and other stuff ---------- + +4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc +S8:255:0:44:M*: Cisco:12008::Cisco 12008 +60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch +64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client + + +# ---------- Caches and whatnots ------------ + +S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache + +32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x +16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1 +65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5 +65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow 
+8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1 +20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1 + +65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1 +8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1 + +S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine + +27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based) + +65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler +S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg + +16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?) + +65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200 + +32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine + +# ----------- Embedded systems -------------- + +S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C +S5:255:0:44:M536: PalmOS:3::PalmOS 3/4 +S5:255:0:44:M536: PalmOS:4::PalmOS 3/4 +S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5 +2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera) +S29:255:0:44:M536: PalmOS:5::PalmOS 5.0 +16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie) +S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo) + +S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7 + +8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?) +8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?) +S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?) +S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?) + + +# Perhaps S4? +5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10 + +32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002 + +S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0 + +4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0 +T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027) +S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?) 
+
+S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
+
+3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0
+
+####################
+# Fancy signatures #
+####################
+
+1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
+2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
+3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
+4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
+
+# Requires quirks support
+# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1)
+# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2)
+# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3)
+# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4)
+
+1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
+2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
+3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
+4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
+
+32767:64:0:40:.: *NAST:::NASTsyn scan
+
+# Requires quirks support
+# 12345:255:0:40:.:A:-p0f:sendsyn utility
+
+
+#####################################
+# Generic signatures - just in case #
+#####################################
+
+#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
+#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
+
+*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
+*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
+*:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
+*:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
+*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
+*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
+*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
+*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
+*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
+*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000
+
+
diff -Nru iptables-1.4.4/xshared.c iptables-1.4.10/xshared.c
--- iptables-1.4.4/xshared.c 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/xshared.c 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <xtables.h>
+#include "xshared.h"
+
+/*
+ * Print out any special helps. A user might like to be able to add a --help
+ * to the commandline, and see expected results. So we call help for all
+ * specified matches and targets.
+ */
+void print_extension_helps(const struct xtables_target *t,
+			   const struct xtables_rule_match *m)
+{
+	for (; t != NULL; t = t->next) {
+		if (t->used) {
+			printf("\n");
+			if (t->help == NULL)
+				printf("%s does not take any options\n",
+				       t->name);
+			else
+				t->help();
+		}
+	}
+	for (; m != NULL; m = m->next) {
+		printf("\n");
+		if (m->match->help == NULL)
+			printf("%s does not take any options\n",
+			       m->match->name);
+		else
+			m->match->help();
+	}
+}
diff -Nru iptables-1.4.4/xshared.h iptables-1.4.10/xshared.h
--- iptables-1.4.4/xshared.h 1970-01-01 00:00:00.000000000 +0000
+++ iptables-1.4.10/xshared.h 2010-10-29 14:37:22.000000000 +0000
@@ -0,0 +1,10 @@
+#ifndef IPTABLES_XSHARED_H
+#define IPTABLES_XSHARED_H 1
+
+struct xtables_rule_match;
+struct xtables_target;
+
+extern void print_extension_helps(const struct xtables_target *,
+	const struct xtables_rule_match *);
+
+#endif /* IPTABLES_XSHARED_H */
diff -Nru iptables-1.4.4/xtables.c iptables-1.4.10/xtables.c
--- iptables-1.4.4/xtables.c 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/xtables.c 2010-10-29 14:37:22.000000000 +0000
@@ -114,14 +114,6 @@
 	return merge;
 }
 
-void xtables_set_revision(char *name, u_int8_t revision)
-{
-	/* Old kernel sources don't have ".revision" field,
-	 * but we stole a byte from name. */
-	name[XT_FUNCTION_MAXNAMELEN - 2] = '\0';
-	name[XT_FUNCTION_MAXNAMELEN - 1] = revision;
-}
-
 /**
  * xtables_afinfo - protocol family dependent information
  * @kmod: kernel module basename (e.g. "ip_tables")
@@ -271,6 +263,18 @@
 	return p;
 }
 
+void *xtables_realloc(void *ptr, size_t size)
+{
+	void *p;
+
+	if ((p = realloc(ptr, size)) == NULL) {
+		perror("ip[6]tables: realloc failed");
+		exit(1);
+	}
+
+	return p;
+}
+
 static char *get_modprobe(void)
 {
 	int procfile;
@@ -281,7 +285,7 @@
 	if (procfile < 0)
 		return NULL;
 
-	ret = (char *) malloc(PROCFILE_BUFSIZ);
+	ret = malloc(PROCFILE_BUFSIZ);
 	if (ret) {
 		memset(ret, 0, PROCFILE_BUFSIZ);
 		switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
@@ -319,7 +323,7 @@
 	 */
 	fflush(stdout);
 
-	switch (fork()) {
+	switch (vfork()) {
 	case 0:
 		argv[0] = (char *)modprobe;
 		argv[1] = (char *)modname;
@@ -438,7 +442,7 @@
 void xtables_parse_interface(const char *arg, char *vianame,
 			     unsigned char *mask)
 {
-	int vialen = strlen(arg);
+	unsigned int vialen = strlen(arg);
 	unsigned int i;
 
 	memset(mask, 0, IFNAMSIZ);
@@ -450,7 +454,7 @@
 			   " (%i)", arg, IFNAMSIZ-1);
 
 	strcpy(vianame, arg);
-	if ((vialen == 0) || (vialen == 1 && vianame[0] == '+'))
+	if (vialen == 0)
 		memset(mask, 0, IFNAMSIZ);
 	else if (vianame[vialen - 1] == '+') {
 		memset(mask, 0xFF, vialen - 1);
@@ -461,12 +465,11 @@
 		memset(mask, 0xFF, vialen + 1);
 		memset(mask + vialen + 1, 0, IFNAMSIZ - vialen - 1);
 		for (i = 0; vianame[i]; i++) {
-			if (vianame[i] == ':' ||
-			    vianame[i] == '!' ||
-			    vianame[i] == '*') {
+			if (vianame[i] == '/' ||
+			    vianame[i] == ' ') {
 				fprintf(stderr,
 					"Warning: weird character in interface"
-					" `%s' (No aliases, :, ! or *).\n",
+					" `%s' ('/' and ' ' are not allowed by the kernel).\n",
 					vianame);
 				break;
 			}
@@ -534,6 +537,11 @@
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
 
+	if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
+		xtables_error(PARAMETER_PROBLEM,
+			"Invalid match name \"%s\" (%u chars max)",
+			name, XT_EXTENSION_MAXNAMELEN - 1);
+
 	/* This is ugly as hell. Nonetheless, there is no way of changing
 	 * this without hurting backwards compatibility */
 	if ( (strcmp(name,"icmpv6") == 0) ||
@@ -712,6 +720,11 @@
 {
 	struct xtables_match **i, *old;
 
+	if (me->version == NULL) {
+		fprintf(stderr, "%s: match %s<%u> is missing a version\n",
+			xt_params->program_name, me->name, me->revision);
+		exit(1);
+	}
 	if (strcmp(me->version, XTABLES_VERSION) != 0) {
 		fprintf(stderr, "%s: match \"%s\" has version \"%s\", "
 			"but \"%s\" is required.\n",
@@ -720,8 +733,7 @@
 		exit(1);
 	}
 
-	/* Revision field stole a char from name. */
-	if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
+	if (strlen(me->name) >= XT_EXTENSION_MAXNAMELEN) {
 		fprintf(stderr, "%s: target `%s' has invalid name\n",
 			xt_params->program_name, me->name);
 		exit(1);
@@ -782,10 +794,22 @@
 	me->mflags = 0;
 }
 
+void xtables_register_matches(struct xtables_match *match, unsigned int n)
+{
+	do {
+		xtables_register_match(&match[--n]);
+	} while (n > 0);
+}
+
 void xtables_register_target(struct xtables_target *me)
 {
 	struct xtables_target *old;
 
+	if (me->version == NULL) {
+		fprintf(stderr, "%s: target %s<%u> is missing a version\n",
+			xt_params->program_name, me->name, me->revision);
+		exit(1);
+	}
 	if (strcmp(me->version, XTABLES_VERSION) != 0) {
 		fprintf(stderr, "%s: target \"%s\" has version \"%s\", "
 			"but \"%s\" is required.\n",
@@ -794,8 +818,7 @@
 		exit(1);
 	}
 
-	/* Revision field stole a char from name. */
-	if (strlen(me->name) >= XT_FUNCTION_MAXNAMELEN-1) {
+	if (strlen(me->name) >= XT_EXTENSION_MAXNAMELEN) {
 		fprintf(stderr, "%s: target `%s' has invalid name\n",
 			xt_params->program_name, me->name);
 		exit(1);
@@ -856,6 +879,13 @@
 	me->tflags = 0;
 }
 
+void xtables_register_targets(struct xtables_target *target, unsigned int n)
+{
+	do {
+		xtables_register_target(&target[--n]);
+	} while (n > 0);
+}
+
 /**
  * xtables_param_act - act on condition
  * @status: a constant from enum xtables_exittype
@@ -1133,6 +1163,86 @@
 	return &maskaddr;
 }
 
+void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
+			      struct in_addr **maskpp, unsigned int *naddrs)
+{
+	struct in_addr *addrp;
+	char buf[256], *p;
+	unsigned int len, i, j, n, count = 1;
+	const char *loop = name;
+
+	while ((loop = strchr(loop, ',')) != NULL) {
+		++count;
+		++loop; /* skip ',' */
+	}
+
+	*addrpp = xtables_malloc(sizeof(struct in_addr) * count);
+	*maskpp = xtables_malloc(sizeof(struct in_addr) * count);
+
+	loop = name;
+
+	for (i = 0; i < count; ++i) {
+		if (loop == NULL)
+			break;
+		if (*loop == ',')
+			++loop;
+		if (*loop == '\0')
+			break;
+		p = strchr(loop, ',');
+		if (p != NULL)
+			len = p - loop;
+		else
+			len = strlen(loop);
+		if (len == 0 || sizeof(buf) - 1 < len)
+			break;
+
+		strncpy(buf, loop, len);
+		buf[len] = '\0';
+		loop += len;
+		if ((p = strrchr(buf, '/')) != NULL) {
+			*p = '\0';
+			addrp = parse_ipmask(p + 1);
+		} else {
+			addrp = parse_ipmask(NULL);
+		}
+		memcpy(*maskpp + i, addrp, sizeof(*addrp));
+
+		/* if a null mask is given, the name is ignored, like in "any/0" */
+		if ((*maskpp + i)->s_addr == 0)
+			/*
+			 * A bit pointless to process multiple addresses
+			 * in this case...
+			 */
+			strcpy(buf, "0.0.0.0");
+
+		addrp = ipparse_hostnetwork(buf, &n);
+		if (n > 1) {
+			count += n - 1;
+			*addrpp = xtables_realloc(*addrpp,
+				sizeof(struct in_addr) * count);
+			*maskpp = xtables_realloc(*maskpp,
+				sizeof(struct in_addr) * count);
+			for (j = 0; j < n; ++j)
+				/* for each new addr */
+				memcpy(*addrpp + i + j, addrp + j,
+				       sizeof(*addrp));
+			for (j = 1; j < n; ++j)
+				/* for each new mask */
+				memcpy(*maskpp + i + j, *maskpp + i,
+				       sizeof(*addrp));
+			i += n - 1;
+		} else {
+			memcpy(*addrpp + i, addrp, sizeof(*addrp));
+		}
+		/* free what ipparse_hostnetwork had allocated: */
+		free(addrp);
+	}
+	*naddrs = count;
+	for (i = 0; i < n; ++i)
+		(*addrpp+i)->s_addr &= (*maskpp+i)->s_addr;
+}
+
+
 /**
  * xtables_ipparse_any - transform arbitrary name to in_addr
  *
@@ -1296,7 +1406,7 @@
 
 #ifdef DEBUG
 	fprintf(stderr, "resolved: len=%d %s ", res->ai_addrlen,
-		ip6addr_to_numeric(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr));
+		xtables_ip6addr_to_numeric(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr));
 #endif
 	/* Get the first element of the address-chain */
 	addr = xtables_malloc(sizeof(struct in6_addr));
@@ -1364,6 +1474,90 @@
 	return &maskaddr;
 }
 
+void
+xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
+			  struct in6_addr **maskpp, unsigned int *naddrs)
+{
+	static const struct in6_addr zero_addr;
+	struct in6_addr *addrp;
+	char buf[256], *p;
+	unsigned int len, i, j, n, count = 1;
+	const char *loop = name;
+
+	while ((loop = strchr(loop, ',')) != NULL) {
+		++count;
+		++loop; /* skip ',' */
+	}
+
+	*addrpp = xtables_malloc(sizeof(struct in6_addr) * count);
+	*maskpp = xtables_malloc(sizeof(struct in6_addr) * count);
+
+	loop = name;
+
+	for (i = 0; i < count /*NB: count can grow*/; ++i) {
+		if (loop == NULL)
+			break;
+		if (*loop == ',')
+			++loop;
+		if (*loop == '\0')
+			break;
+		p = strchr(loop, ',');
+		if (p != NULL)
+			len = p - loop;
+		else
+			len = strlen(loop);
+		if (len == 0 || sizeof(buf) - 1 < len)
+			break;
+
+		strncpy(buf, loop, len);
+		buf[len] = '\0';
+		loop += len;
+		if ((p = strrchr(buf, '/')) != NULL) {
+			*p = '\0';
+			addrp = parse_ip6mask(p + 1);
+		} else {
+			addrp = parse_ip6mask(NULL);
+		}
+		memcpy(*maskpp + i, addrp, sizeof(*addrp));
+
+		/* if a null mask is given, the name is ignored, like in "any/0" */
+		if (memcmp(*maskpp + i, &zero_addr, sizeof(zero_addr)) == 0)
+			strcpy(buf, "::");
+
+		addrp = ip6parse_hostnetwork(buf, &n);
+		/* ip6parse_hostnetwork only ever returns one IP
+		   address (it exits if the resolution fails).
+		   Therefore, n will always be 1 here. Leaving the
+		   code below in anyway in case ip6parse_hostnetwork
+		   is improved some day to behave like
+		   ipparse_hostnetwork: */
+		if (n > 1) {
+			count += n - 1;
+			*addrpp = xtables_realloc(*addrpp,
+				sizeof(struct in6_addr) * count);
+			*maskpp = xtables_realloc(*maskpp,
+				sizeof(struct in6_addr) * count);
+			for (j = 0; j < n; ++j)
+				/* for each new addr */
+				memcpy(*addrpp + i + j, addrp + j,
+				       sizeof(*addrp));
+			for (j = 1; j < n; ++j)
+				/* for each new mask */
+				memcpy(*maskpp + i + j, *maskpp + i,
+				       sizeof(*addrp));
+			i += n - 1;
+		} else {
+			memcpy(*addrpp + i, addrp, sizeof(*addrp));
+		}
+		/* free what ip6parse_hostnetwork had allocated: */
+		free(addrp);
+	}
+	*naddrs = count;
+	for (i = 0; i < n; ++i)
+		for (j = 0; j < 4; ++j)
+			(*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j];
+}
+
 void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp,
 		      struct in6_addr *maskp, unsigned int *naddrs)
 {
@@ -1443,27 +1637,28 @@
  * Do not use in new code.
  */
 int xtables_check_inverse(const char option[], int *invert,
-			  int *my_optind, int argc)
+			  int *my_optind, int argc, char **argv)
 {
-	if (option && strcmp(option, "!") == 0) {
-		fprintf(stderr, "Using intrapositioned negation "
-			"(`--option ! this`) is deprecated in favor of "
-			"extrapositioned (`! --option this`).\n");
+	if (option == NULL || strcmp(option, "!") != 0)
+		return false;
 
-		if (*invert)
-			xt_params->exit_err(PARAMETER_PROBLEM,
-				"Multiple `!' flags not allowed");
-		*invert = true;
-		if (my_optind != NULL) {
-			++*my_optind;
-			if (argc && *my_optind > argc)
-				xt_params->exit_err(PARAMETER_PROBLEM,
-					"no argument following `!'");
-		}
+	fprintf(stderr, "Using intrapositioned negation "
+		"(`--option ! this`) is deprecated in favor of "
+		"extrapositioned (`! --option this`).\n");
 
-		return true;
+	if (*invert)
+		xt_params->exit_err(PARAMETER_PROBLEM,
+			"Multiple `!' flags not allowed");
+	*invert = true;
+	if (my_optind != NULL) {
+		optarg = argv[*my_optind];
+		++*my_optind;
+		if (argc && *my_optind > argc)
+			xt_params->exit_err(PARAMETER_PROBLEM,
+				"no argument following `!'");
 	}
-	return false;
+
+	return true;
 }
 
 const struct xtables_pprot xtables_chain_protos[] = {
diff -Nru iptables-1.4.4/xtables.pc.in iptables-1.4.10/xtables.pc.in
--- iptables-1.4.4/xtables.pc.in 2009-06-16 14:37:44.000000000 +0000
+++ iptables-1.4.10/xtables.pc.in 2010-10-29 14:37:22.000000000 +0000
@@ -10,3 +10,4 @@
 Version: @PACKAGE_VERSION@
 Cflags: -I${includedir}
 Libs: -L${libdir} -lxtables
+Libs.private: -ldl
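Review bot: In the `switch (vfork())` hunk the child branch still executes `argv[0] = (char *)modprobe;` and `argv[1] = (char *)modname;` after the fork, but a vfork() child runs in the parent's address space and POSIX permits it only to call an exec function or _exit(); any other store, here into the parent's argv array, is undefined behaviour and at best lands in the parent's memory. Filling `argv` before the `switch` keeps the child down to exec and _exit, which is also what makes vfork a safe replacement for fork here. The rest of the child branch and the parent's wait are outside the hunk; the exec-failure path there must end in `_exit()`, not `exit()` or a return, for the same reason.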
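Review bot: `xtables_register_matches` runs `xtables_register_match(&match[--n]);` before testing `n`, so a caller passing `n == 0` wraps the unsigned index to UINT_MAX and dereferences far outside the array; `xtables_register_targets` in the @@ -856 hunk has the same do/while shape. A pre-tested loop avoids the wrap and keeps the reverse registration order: `while (n > 0) xtables_register_match(&match[--n]);`. Both are public entry points, so an empty table from an extension built with all its matches or targets compiled out is not unthinkable, and the guard costs one comparison.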
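Review bot: The final masking loop `for (i = 0; i < n; ++i)` in `xtables_ipparse_multiple` is bounded by `n`, the count returned by the last `ipparse_hostnetwork` call, not by the total stored in `*naddrs`; with several comma-separated entries only the first `n` (typically one) are ANDed with their masks, and if the parse loop leaves through one of its `break`s before any resolution, `n` is read uninitialized. The bound should be `for (i = 0; i < *naddrs; ++i)`. The `break` paths have a related gap: they leave `count` untouched, so `*naddrs` reports entries that `xtables_malloc` allocated but nothing wrote; setting `count = i;` before each `break`, or rejecting the input through `xtables_error`, keeps the returned arrays and their length consistent. `xtables_ip6parse_multiple` in the @@ -1364 hunk has the identical loop bound and `break` handling.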
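Review bot: `optarg = argv[*my_optind];` reads the array before the `argc && *my_optind > argc` check that follows the increment, so the read already happened in the case that check rejects; with `*my_optind == argc` that is only argv's terminating NULL, but whether callers can arrive with `*my_optind` past `argc`, or with `argc == 0` (which disables the check), is not visible here. Moving the read behind the check closes the question: `++*my_optind; if (argc && *my_optind > argc) xt_params->exit_err(PARAMETER_PROBLEM, "no argument following `!'"); optarg = argv[*my_optind - 1];`. Writing the getopt global `optarg` is a new side effect of this function; the header comment whose tail (`Do not use in new code.`) is in the hunk's context should say that on success `optarg` is left pointing at the token after `!`.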