Hello community,
here is the log from the commit of package iptables for openSUSE:Factory checked in at 2012-08-04 09:16:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/iptables (Old)
and /work/SRC/openSUSE:Factory/.iptables.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iptables", Maintainer is "VCizek@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/iptables/iptables.changes 2012-05-29 11:39:04.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.iptables.new/iptables.changes 2012-08-04 09:16:56.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Jul 31 12:08:07 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.4.15
+* libxt_recent: add --mask netmask
+* libxt_hashlimit: add support for byte-based operation
+
+-------------------------------------------------------------------
Old:
----
iptables-1.4.14.tar.bz2
iptables-1.4.14.tar.bz2.sig
New:
----
iptables-1.4.15.tar.bz2
iptables-1.4.15.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ iptables.spec ++++++
--- /var/tmp/diff_new_pack.UD4tZF/_old 2012-08-04 09:16:59.000000000 +0200
+++ /var/tmp/diff_new_pack.UD4tZF/_new 2012-08-04 09:16:59.000000000 +0200
@@ -20,7 +20,7 @@
%define lname_ipq libipq0
%define lname_iptc libiptc0
%define lname_xt libxtables7
-Version: 1.4.14
+Version: 1.4.15
Release: 0
Summary: IP Packet Filter Administration utilities
License: GPL-2.0+
@@ -46,9 +46,14 @@
BuildRequires: pkgconfig >= 0.21
%if 0%{?suse_version}
BuildRequires: fdupes
+%endif
+%if 0%{?suse_version} >= 1140
BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
%endif
-%if 0%{?fedora} || 0%{?rhel}
+%if 0%{?suse_version} && 0%{?suse_version} <= 1110
+BuildRequires: libnfnetlink-devel >= 1.0.0
+%endif
+%if 0%{?fedora_version} || 0%{?centos_version} || 0%{?rhel_version}
BuildRequires: libnfnetlink-devel >= 1.0.0
%endif
++++++ iptables-1.4.14.tar.bz2 -> iptables-1.4.15.tar.bz2 ++++++
++++ 2683 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/build-aux/compile new/iptables-1.4.15/build-aux/compile
--- old/iptables-1.4.14/build-aux/compile 2012-05-26 18:45:19.000000000 +0200
+++ new/iptables-1.4.15/build-aux/compile 2012-07-31 12:45:36.000000000 +0200
@@ -1,7 +1,7 @@
#! /bin/sh
# Wrapper for compilers which do not understand '-c -o'.
-scriptversion=2012-01-04.17; # UTC
+scriptversion=2012-03-05.13; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009, 2010, 2012 Free
# Software Foundation, Inc.
@@ -79,6 +79,48 @@
esac
}
+# func_cl_dashL linkdir
+# Make cl look for libraries in LINKDIR
+func_cl_dashL ()
+{
+ func_file_conv "$1"
+ if test -z "$lib_path"; then
+ lib_path=$file
+ else
+ lib_path="$lib_path;$file"
+ fi
+ linker_opts="$linker_opts -LIBPATH:$file"
+}
+
+# func_cl_dashl library
+# Do a library search-path lookup for cl
+func_cl_dashl ()
+{
+ lib=$1
+ found=no
+ save_IFS=$IFS
+ IFS=';'
+ for dir in $lib_path $LIB
+ do
+ IFS=$save_IFS
+ if $shared && test -f "$dir/$lib.dll.lib"; then
+ found=yes
+ lib=$dir/$lib.dll.lib
+ break
+ fi
+ if test -f "$dir/$lib.lib"; then
+ found=yes
+ lib=$dir/$lib.lib
+ break
+ fi
+ done
+ IFS=$save_IFS
+
+ if test "$found" != yes; then
+ lib=$lib.lib
+ fi
+}
+
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
@@ -109,43 +151,34 @@
;;
esac
;;
+ -I)
+ eat=1
+ func_file_conv "$2" mingw
+ set x "$@" -I"$file"
+ shift
+ ;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
+ -l)
+ eat=1
+ func_cl_dashl "$2"
+ set x "$@" "$lib"
+ shift
+ ;;
-l*)
- lib=${1#-l}
- found=no
- save_IFS=$IFS
- IFS=';'
- for dir in $lib_path $LIB
- do
- IFS=$save_IFS
- if $shared && test -f "$dir/$lib.dll.lib"; then
- found=yes
- set x "$@" "$dir/$lib.dll.lib"
- break
- fi
- if test -f "$dir/$lib.lib"; then
- found=yes
- set x "$@" "$dir/$lib.lib"
- break
- fi
- done
- IFS=$save_IFS
-
- test "$found" != yes && set x "$@" "$lib.lib"
+ func_cl_dashl "${1#-l}"
+ set x "$@" "$lib"
shift
;;
+ -L)
+ eat=1
+ func_cl_dashL "$2"
+ ;;
-L*)
- func_file_conv "${1#-L}"
- if test -z "$lib_path"; then
- lib_path=$file
- else
- lib_path="$lib_path;$file"
- fi
- linker_opts="$linker_opts -LIBPATH:$file"
+ func_cl_dashL "${1#-L}"
;;
-static)
shared=false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/configure.ac new/iptables-1.4.15/configure.ac
--- old/iptables-1.4.14/configure.ac 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/configure.ac 2012-07-31 12:44:36.000000000 +0200
@@ -1,9 +1,9 @@
-AC_INIT([iptables], [1.4.14])
+AC_INIT([iptables], [1.4.15])
# See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=7
-libxtables_vage=0
+libxtables_vcurrent=8
+libxtables_vage=1
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_HMARK.c new/iptables-1.4.15/extensions/libxt_HMARK.c
--- old/iptables-1.4.14/extensions/libxt_HMARK.c 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.15/extensions/libxt_HMARK.c 2012-07-31 12:44:36.000000000 +0200
@@ -0,0 +1,450 @@
+/*
+ * (C) 2012 by Hans Schillstrom
+ * (C) 2012 by Pablo Neira Ayuso
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Description: shared library add-on to iptables to add HMARK target support
+ *
+ * Initial development by Hans Schillstrom. Pablo's improvements to this piece
+ * of software has been sponsored by Sophos Astaro http://www.sophos.com.
+ */
+
+#include
+#include
+#include
+
+#include "xtables.h"
+#include
+
+static void HMARK_help(void)
+{
+ printf(
+"HMARK target options, i.e. modify hash calculation by:\n"
+" --hmark-tuple [src|dst|sport|dport|spi|proto|ct][,...]\n"
+" --hmark-mod value nfmark modulus value\n"
+" --hmark-offset value Last action add value to nfmark\n\n"
+" --hmark-rnd Random see for hashing\n"
+" Alternatively, fine tuning of what will be included in hash calculation\n"
+" --hmark-src-prefix length Source address mask CIDR prefix\n"
+" --hmark-dst-prefix length Dest address mask CIDR prefix\n"
+" --hmark-sport-mask value Mask src port with value\n"
+" --hmark-dport-mask value Mask dst port with value\n"
+" --hmark-spi-mask value For esp and ah AND spi with value\n"
+" --hmark-sport value OR src port with value\n"
+" --hmark-dport value OR dst port with value\n"
+" --hmark-spi value For esp and ah OR spi with value\n"
+" --hmark-proto-mask value Mask Protocol with value\n");
+}
+
+#define hi struct xt_hmark_info
+
+enum {
+ O_HMARK_SADDR_MASK,
+ O_HMARK_DADDR_MASK,
+ O_HMARK_SPI,
+ O_HMARK_SPI_MASK,
+ O_HMARK_SPORT,
+ O_HMARK_DPORT,
+ O_HMARK_SPORT_MASK,
+ O_HMARK_DPORT_MASK,
+ O_HMARK_PROTO_MASK,
+ O_HMARK_RND,
+ O_HMARK_MODULUS,
+ O_HMARK_OFFSET,
+ O_HMARK_CT,
+ O_HMARK_TYPE,
+};
+
+#define HMARK_OPT_PKT_MASK \
+ ((1 << O_HMARK_SADDR_MASK) | \
+ (1 << O_HMARK_DADDR_MASK) | \
+ (1 << O_HMARK_SPI_MASK) | \
+ (1 << O_HMARK_SPORT_MASK) | \
+ (1 << O_HMARK_DPORT_MASK) | \
+ (1 << O_HMARK_PROTO_MASK) | \
+ (1 << O_HMARK_SPI_MASK) | \
+ (1 << O_HMARK_SPORT) | \
+ (1 << O_HMARK_DPORT) | \
+ (1 << O_HMARK_SPI))
+
+static const struct xt_option_entry HMARK_opts[] = {
+ { .name = "hmark-tuple",
+ .type = XTTYPE_STRING,
+ .id = O_HMARK_TYPE,
+ },
+ { .name = "hmark-src-prefix",
+ .type = XTTYPE_PLENMASK,
+ .id = O_HMARK_SADDR_MASK,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, src_mask)
+ },
+ { .name = "hmark-dst-prefix",
+ .type = XTTYPE_PLENMASK,
+ .id = O_HMARK_DADDR_MASK,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, dst_mask)
+ },
+ { .name = "hmark-sport-mask",
+ .type = XTTYPE_UINT16,
+ .id = O_HMARK_SPORT_MASK,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.src)
+ },
+ { .name = "hmark-dport-mask",
+ .type = XTTYPE_UINT16,
+ .id = O_HMARK_DPORT_MASK,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.p16.dst)
+ },
+ { .name = "hmark-spi-mask",
+ .type = XTTYPE_UINT32,
+ .id = O_HMARK_SPI_MASK,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_mask.v32)
+ },
+ { .name = "hmark-sport",
+ .type = XTTYPE_UINT16,
+ .id = O_HMARK_SPORT,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.src)
+ },
+ { .name = "hmark-dport",
+ .type = XTTYPE_UINT16,
+ .id = O_HMARK_DPORT,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.p16.dst)
+ },
+ { .name = "hmark-spi",
+ .type = XTTYPE_UINT32,
+ .id = O_HMARK_SPI,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, port_set.v32)
+ },
+ { .name = "hmark-proto-mask",
+ .type = XTTYPE_UINT16,
+ .id = O_HMARK_PROTO_MASK,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, proto_mask)
+ },
+ { .name = "hmark-rnd",
+ .type = XTTYPE_UINT32,
+ .id = O_HMARK_RND,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, hashrnd)
+ },
+ { .name = "hmark-mod",
+ .type = XTTYPE_UINT32,
+ .id = O_HMARK_MODULUS,
+ .min = 1,
+ .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(hi, hmodulus)
+ },
+ { .name = "hmark-offset",
+ .type = XTTYPE_UINT32,
+ .id = O_HMARK_OFFSET,
+ .flags = XTOPT_PUT, XTOPT_POINTER(hi, hoffset)
+ },
+ XTOPT_TABLEEND,
+};
+
+static int
+hmark_parse(const char *type, size_t len, struct xt_hmark_info *info,
+ unsigned int *xflags)
+{
+ if (strncasecmp(type, "ct", len) == 0) {
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_CT);
+ *xflags |= (1 << O_HMARK_CT);
+ } else if (strncasecmp(type, "src", len) == 0) {
+ memset(&info->src_mask, 0xff, sizeof(info->src_mask));
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
+ *xflags |= (1 << O_HMARK_SADDR_MASK);
+ } else if (strncasecmp(type, "dst", len) == 0) {
+ memset(&info->dst_mask, 0xff, sizeof(info->dst_mask));
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
+ *xflags |= (1 << O_HMARK_DADDR_MASK);
+ } else if (strncasecmp(type, "sport", len) == 0) {
+ memset(&info->port_mask.p16.src, 0xff,
+ sizeof(info->port_mask.p16.src));
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
+ *xflags |= (1 << O_HMARK_SPORT_MASK);
+ } else if (strncasecmp(type, "dport", len) == 0) {
+ memset(&info->port_mask.p16.dst, 0xff,
+ sizeof(info->port_mask.p16.dst));
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
+ *xflags |= (1 << O_HMARK_DPORT_MASK);
+ } else if (strncasecmp(type, "proto", len) == 0) {
+ memset(&info->proto_mask, 0xff, sizeof(info->proto_mask));
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
+ *xflags |= (1 << O_HMARK_PROTO_MASK);
+ } else if (strncasecmp(type, "spi", len) == 0) {
+ memset(&info->port_mask.v32, 0xff, sizeof(info->port_mask.v32));
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
+ *xflags |= (1 << O_HMARK_SPI_MASK);
+ } else
+ return 0;
+
+ return 1;
+}
+
+static void
+hmark_parse_type(struct xt_option_call *cb)
+{
+ const char *arg = cb->arg;
+ struct xt_hmark_info *info = cb->data;
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg ||
+ !hmark_parse(arg, comma-arg, info, &cb->xflags))
+ xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg);
+ arg = comma+1;
+ }
+ if (!*arg)
+ xtables_error(PARAMETER_PROBLEM, "\"--hmark-tuple\" requires "
+ "a list of types with no "
+ "spaces, e.g. "
+ "src,dst,sport,dport,proto");
+ if (strlen(arg) == 0 ||
+ !hmark_parse(arg, strlen(arg), info, &cb->xflags))
+ xtables_error(PARAMETER_PROBLEM, "Bad type \"%s\"", arg);
+}
+
+static void HMARK_parse(struct xt_option_call *cb, int plen)
+{
+ struct xt_hmark_info *info = cb->data;
+
+ xtables_option_parse(cb);
+
+ switch (cb->entry->id) {
+ case O_HMARK_TYPE:
+ hmark_parse_type(cb);
+ break;
+ case O_HMARK_SADDR_MASK:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
+ break;
+ case O_HMARK_DADDR_MASK:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
+ break;
+ case O_HMARK_SPI:
+ info->port_set.v32 = htonl(cb->val.u32);
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI);
+ break;
+ case O_HMARK_SPORT:
+ info->port_set.p16.src = htons(cb->val.u16);
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT);
+ break;
+ case O_HMARK_DPORT:
+ info->port_set.p16.dst = htons(cb->val.u16);
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT);
+ break;
+ case O_HMARK_SPORT_MASK:
+ info->port_mask.p16.src = htons(cb->val.u16);
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
+ break;
+ case O_HMARK_DPORT_MASK:
+ info->port_mask.p16.dst = htons(cb->val.u16);
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
+ break;
+ case O_HMARK_SPI_MASK:
+ info->port_mask.v32 = htonl(cb->val.u32);
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
+ break;
+ case O_HMARK_PROTO_MASK:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
+ break;
+ case O_HMARK_RND:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_RND);
+ break;
+ case O_HMARK_MODULUS:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_MODULUS);
+ break;
+ case O_HMARK_OFFSET:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_OFFSET);
+ break;
+ case O_HMARK_CT:
+ info->flags |= XT_HMARK_FLAG(XT_HMARK_CT);
+ break;
+ }
+ cb->xflags |= (1 << cb->entry->id);
+}
+
+static void HMARK_ip4_parse(struct xt_option_call *cb)
+{
+ HMARK_parse(cb, 32);
+}
+static void HMARK_ip6_parse(struct xt_option_call *cb)
+{
+ HMARK_parse(cb, 128);
+}
+
+static void HMARK_check(struct xt_fcheck_call *cb)
+{
+ if (!(cb->xflags & (1 << O_HMARK_MODULUS)))
+ xtables_error(PARAMETER_PROBLEM, "--hmark-mod is mandatory");
+ if (!(cb->xflags & (1 << O_HMARK_RND)))
+ xtables_error(PARAMETER_PROBLEM, "--hmark-rnd is mandatory");
+ if (cb->xflags & (1 << O_HMARK_SPI_MASK) &&
+ (cb->xflags & ((1 << O_HMARK_SPORT_MASK) |
+ (1 << O_HMARK_DPORT_MASK))))
+ xtables_error(PARAMETER_PROBLEM, "you cannot use "
+ "--hmark-spi-mask and --hmark-?port-mask,"
+ "at the same time");
+ if (!((cb->xflags & HMARK_OPT_PKT_MASK) ||
+ cb->xflags & (1 << O_HMARK_CT)))
+ xtables_error(PARAMETER_PROBLEM, "you have to specify "
+ "--hmark-tuple at least");
+}
+
+static void HMARK_print(const struct xt_hmark_info *info)
+{
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
+ printf("sport-mask 0x%x ", htons(info->port_mask.p16.src));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
+ printf("dport-mask 0x%x ", htons(info->port_mask.p16.dst));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
+ printf("spi-mask 0x%x ", htonl(info->port_mask.v32));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
+ printf("sport 0x%x ", htons(info->port_set.p16.src));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
+ printf("dport 0x%x ", htons(info->port_set.p16.dst));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI))
+ printf("spi 0x%x ", htonl(info->port_set.v32));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
+ printf("proto-mask 0x%x ", info->proto_mask);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND))
+ printf("rnd 0x%x ", info->hashrnd);
+}
+
+static void HMARK_ip6_print(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_hmark_info *info =
+ (const struct xt_hmark_info *)target->data;
+
+ printf(" HMARK ");
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
+ printf("mod %u ", info->hmodulus);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
+ printf("+ 0x%x ", info->hoffset);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
+ printf("ct, ");
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
+ printf("src-prefix %s ",
+ xtables_ip6mask_to_numeric(&info->src_mask.in6) + 1);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
+ printf("dst-prefix %s ",
+ xtables_ip6mask_to_numeric(&info->dst_mask.in6) + 1);
+ HMARK_print(info);
+}
+static void HMARK_ip4_print(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_hmark_info *info =
+ (const struct xt_hmark_info *)target->data;
+
+ printf(" HMARK ");
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
+ printf("mod %u ", info->hmodulus);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
+ printf("+ 0x%x ", info->hoffset);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
+ printf("ct, ");
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
+ printf("src-prefix %u ",
+ xtables_ipmask_to_cidr(&info->src_mask.in));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
+ printf("dst-prefix %u ",
+ xtables_ipmask_to_cidr(&info->dst_mask.in));
+ HMARK_print(info);
+}
+
+static void HMARK_save(const struct xt_hmark_info *info)
+{
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
+ printf(" --hmark-sport-mask 0x%04x",
+ htons(info->port_mask.p16.src));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
+ printf(" --hmark-dport-mask 0x%04x",
+ htons(info->port_mask.p16.dst));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
+ printf(" --hmark-spi-mask 0x%08x",
+ htonl(info->port_mask.v32));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
+ printf(" --hmark-sport 0x%04x",
+ htons(info->port_set.p16.src));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
+ printf(" --hmark-dport 0x%04x",
+ htons(info->port_set.p16.dst));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI))
+ printf(" --hmark-spi 0x%08x", htonl(info->port_set.v32));
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
+ printf(" --hmark-proto-mask 0x%02x", info->proto_mask);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_RND))
+ printf(" --hmark-rnd 0x%08x", info->hashrnd);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
+ printf(" --hmark-mod %u", info->hmodulus);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
+ printf(" --hmark-offset %u", info->hoffset);
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
+ printf(" --hmark-tuple ct");
+}
+
+static void HMARK_ip6_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_hmark_info *info =
+ (const struct xt_hmark_info *)target->data;
+ int ret;
+
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) {
+ ret = xtables_ip6mask_to_cidr(&info->src_mask.in6);
+ printf(" --hmark-src-prefix %d", ret);
+ }
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) {
+ ret = xtables_ip6mask_to_cidr(&info->dst_mask.in6);
+ printf(" --hmark-dst-prefix %d", ret);
+ }
+ HMARK_save(info);
+}
+
+static void HMARK_ip4_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_hmark_info *info =
+ (const struct xt_hmark_info *)target->data;
+ int ret;
+
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) {
+ ret = xtables_ipmask_to_cidr(&info->src_mask.in);
+ printf(" --hmark-src-prefix %d", ret);
+ }
+ if (info->flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) {
+ ret = xtables_ipmask_to_cidr(&info->dst_mask.in);
+ printf(" --hmark-dst-prefix %d", ret);
+ }
+ HMARK_save(info);
+}
+
+static struct xtables_target mark_tg_reg[] = {
+ {
+ .family = NFPROTO_IPV4,
+ .name = "HMARK",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_hmark_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)),
+ .help = HMARK_help,
+ .print = HMARK_ip4_print,
+ .save = HMARK_ip4_save,
+ .x6_parse = HMARK_ip4_parse,
+ .x6_fcheck = HMARK_check,
+ .x6_options = HMARK_opts,
+ },
+ {
+ .family = NFPROTO_IPV6,
+ .name = "HMARK",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_hmark_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_hmark_info)),
+ .help = HMARK_help,
+ .print = HMARK_ip6_print,
+ .save = HMARK_ip6_save,
+ .x6_parse = HMARK_ip6_parse,
+ .x6_fcheck = HMARK_check,
+ .x6_options = HMARK_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_HMARK.man new/iptables-1.4.15/extensions/libxt_HMARK.man
--- old/iptables-1.4.14/extensions/libxt_HMARK.man 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.15/extensions/libxt_HMARK.man 2012-07-31 12:44:36.000000000 +0200
@@ -0,0 +1,60 @@
+Like MARK, i.e. set the fwmark, but the mark is calculated from hashing
+packet selector at choice. You have also to specify the mark range and,
+optionally, the offset to start from. ICMP error messages are inspected
+and used to calculate the hashing.
+.PP
+Existing options are:
+.TP
+\fB\-\-hmark\-tuple\fP tuple\fI\fP
+Possible tuple members are:
+.B src
+meaning source address (IPv4, IPv6 address),
+.B dst
+meaning destination address (IPv4, IPv6 address),
+.B sport
+meaning source port (TCP, UDP, UDPlite, SCTP, DCCP),
+.B dport
+meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP),
+.B spi
+meaning Security Parameter Index (AH, ESP), and
+.B ct
+meaning the usage of the conntrack tuple instead of the packet selectors.
+.TP
+\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP
+Modulus for hash calculation (to limit the range of possible marks)
+.TP
+\fB\-\-hmark\-offset\fP \fIvalue\fP
+Offset to start marks from.
+.TP
+For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom
+prefixes and masks:
+.TP
+\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP
+The source address mask in CIDR notation.
+.TP
+\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP
+The destination address mask in CIDR notation.
+.TP
+\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP
+A 16 bit source port mask in hexadecimal.
+.TP
+\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP
+A 16 bit destination port mask in hexadecimal.
+.TP
+\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP
+A 32 bit field with spi mask.
+.TP
+\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP
+An 8 bit field with layer 4 protocol number.
+.TP
+\fB\-\-hmark\-rnd\fP \fIvalue\fP
+A 32 bit random custom value to feed hash calculation.
+.PP
+\fIExamples:\fP
+.PP
+iptables \-t mangle \-A PREROUTING \-m state \-\-state NEW
+ \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
+\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
+.PP
+iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
+\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_devgroup.man new/iptables-1.4.15/extensions/libxt_devgroup.man
--- old/iptables-1.4.14/extensions/libxt_devgroup.man 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.15/extensions/libxt_devgroup.man 2012-07-31 12:44:36.000000000 +0200
@@ -0,0 +1,7 @@
+Match device group of a packets incoming/outgoing interface.
+.TP
+[\fB!\fP] \fB\-\-src\-group\fP \fIname\fP
+Match device group of incoming device
+.TP
+[\fB!\fP] \fB\-\-dst\-group\fP \fIname\fP
+Match device group of outgoing device
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_hashlimit.c new/iptables-1.4.15/extensions/libxt_hashlimit.c
--- old/iptables-1.4.14/extensions/libxt_hashlimit.c 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/extensions/libxt_hashlimit.c 2012-07-31 12:44:36.000000000 +0200
@@ -20,6 +20,10 @@
#include
#define XT_HASHLIMIT_BURST 5
+#define XT_HASHLIMIT_BURST_MAX 10000
+
+#define XT_HASHLIMIT_BYTE_EXPIRE 15
+#define XT_HASHLIMIT_BYTE_EXPIRE_BURST 60
/* miliseconds */
#define XT_HASHLIMIT_GCINTERVAL 1000
@@ -59,6 +63,7 @@
O_HTABLE_MAX,
O_HTABLE_GCINT,
O_HTABLE_EXPIRE,
+ F_BURST = 1 << O_BURST,
F_UPTO = 1 << O_UPTO,
F_ABOVE = 1 << O_ABOVE,
F_HTABLE_EXPIRE = 1 << O_HTABLE_EXPIRE,
@@ -90,7 +95,7 @@
{.name = "hashlimit", .id = O_UPTO, .excl = F_ABOVE,
.type = XTTYPE_STRING},
{.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_UINT32,
- .min = 1, .max = 10000, .flags = XTOPT_PUT,
+ .min = 1, .max = XT_HASHLIMIT_BURST_MAX, .flags = XTOPT_PUT,
XTOPT_POINTER(s, cfg.burst)},
{.name = "hashlimit-htable-size", .id = O_HTABLE_SIZE,
.type = XTTYPE_UINT32, .flags = XTOPT_PUT,
@@ -122,9 +127,7 @@
.type = XTTYPE_STRING, .flags = XTOPT_INVERT}, /* old name */
{.name = "hashlimit-srcmask", .id = O_SRCMASK, .type = XTTYPE_PLEN},
{.name = "hashlimit-dstmask", .id = O_DSTMASK, .type = XTTYPE_PLEN},
- {.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_UINT32,
- .min = 1, .max = 10000, .flags = XTOPT_PUT,
- XTOPT_POINTER(s, cfg.burst)},
+ {.name = "hashlimit-burst", .id = O_BURST, .type = XTTYPE_STRING},
{.name = "hashlimit-htable-size", .id = O_HTABLE_SIZE,
.type = XTTYPE_UINT32, .flags = XTOPT_PUT,
XTOPT_POINTER(s, cfg.size)},
@@ -144,6 +147,82 @@
};
#undef s
+static uint32_t cost_to_bytes(uint32_t cost)
+{
+ uint32_t r;
+
+ r = cost ? UINT32_MAX / cost : UINT32_MAX;
+ r = (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
+ return r;
+}
+
+static uint64_t bytes_to_cost(uint32_t bytes)
+{
+ uint32_t r = bytes >> XT_HASHLIMIT_BYTE_SHIFT;
+ return UINT32_MAX / (r+1);
+}
+
+static uint32_t get_factor(int chr)
+{
+ switch (chr) {
+ case 'm': return 1024 * 1024;
+ case 'k': return 1024;
+ }
+ return 1;
+}
+
+static void burst_error(void)
+{
+ xtables_error(PARAMETER_PROBLEM, "bad value for option "
+ "\"--hashlimit-burst\", or out of range (1-%u).", XT_HASHLIMIT_BURST_MAX);
+}
+
+static uint32_t parse_burst(const char *burst, struct xt_hashlimit_mtinfo1 *info)
+{
+ uintmax_t v;
+ char *end;
+
+ if (!xtables_strtoul(burst, &end, &v, 1, UINT32_MAX) ||
+ (*end == 0 && v > XT_HASHLIMIT_BURST_MAX))
+ burst_error();
+
+ v *= get_factor(*end);
+ if (v > UINT32_MAX)
+ xtables_error(PARAMETER_PROBLEM, "bad value for option "
+ "\"--hashlimit-burst\", value \"%s\" too large "
+ "(max %umb).", burst, UINT32_MAX/1024/1024);
+ return v;
+}
+
+static bool parse_bytes(const char *rate, uint32_t *val, struct hashlimit_mt_udata *ud)
+{
+ unsigned int factor = 1;
+ uint64_t tmp;
+ int r;
+ const char *mode = strstr(rate, "b/s");
+ if (!mode || mode == rate)
+ return false;
+
+ mode--;
+ r = atoi(rate);
+ if (r == 0)
+ return false;
+
+ factor = get_factor(*mode);
+ tmp = (uint64_t) r * factor;
+ if (tmp > UINT32_MAX)
+ xtables_error(PARAMETER_PROBLEM,
+ "Rate value too large \"%llu\" (max %u)\n",
+ (unsigned long long)tmp, UINT32_MAX);
+
+ *val = bytes_to_cost(tmp);
+ if (*val == 0)
+ xtables_error(PARAMETER_PROBLEM, "Rate too high \"%s\"\n", rate);
+
+ ud->mult = XT_HASHLIMIT_BYTE_EXPIRE;
+ return true;
+}
+
static
int parse_rate(const char *rate, uint32_t *val, struct hashlimit_mt_udata *ud)
{
@@ -265,17 +344,24 @@
xtables_option_parse(cb);
switch (cb->entry->id) {
+ case O_BURST:
+ info->cfg.burst = parse_burst(cb->arg, info);
+ break;
case O_UPTO:
if (cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
+ if (parse_bytes(cb->arg, &info->cfg.avg, cb->udata))
+ info->cfg.mode |= XT_HASHLIMIT_BYTES;
+ else if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-upto", cb->arg);
break;
case O_ABOVE:
if (!cb->invert)
info->cfg.mode |= XT_HASHLIMIT_INVERT;
- if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
+ if (parse_bytes(cb->arg, &info->cfg.avg, cb->udata))
+ info->cfg.mode |= XT_HASHLIMIT_BYTES;
+ else if (!parse_rate(cb->arg, &info->cfg.avg, cb->udata))
xtables_param_act(XTF_BAD_VALUE, "hashlimit",
"--hashlimit-above", cb->arg);
break;
@@ -315,6 +401,24 @@
"You have to specify --hashlimit");
if (!(cb->xflags & F_HTABLE_EXPIRE))
info->cfg.expire = udata->mult * 1000; /* from s to msec */
+
+ if (info->cfg.mode & XT_HASHLIMIT_BYTES) {
+ uint32_t burst = 0;
+ if (cb->xflags & F_BURST) {
+ if (info->cfg.burst < cost_to_bytes(info->cfg.avg))
+ xtables_error(PARAMETER_PROBLEM,
+ "burst cannot be smaller than %ub", cost_to_bytes(info->cfg.avg));
+
+ burst = info->cfg.burst;
+ burst /= cost_to_bytes(info->cfg.avg);
+ if (info->cfg.burst % cost_to_bytes(info->cfg.avg))
+ burst++;
+ if (!(cb->xflags & F_HTABLE_EXPIRE))
+ info->cfg.expire = XT_HASHLIMIT_BYTE_EXPIRE_BURST * 1000;
+ }
+ info->cfg.burst = burst;
+ } else if (info->cfg.burst > XT_HASHLIMIT_BURST_MAX)
+ burst_error();
}
static const struct rates
@@ -340,6 +444,41 @@
return rates[i-1].mult / XT_HASHLIMIT_SCALE * 1000;
}
+static const struct {
+ const char *name;
+ uint32_t thresh;
+} units[] = {
+ { "m", 1024 * 1024 },
+ { "k", 1024 },
+ { "", 1 },
+};
+
+static uint32_t print_bytes(uint32_t avg, uint32_t burst, const char *prefix)
+{
+ unsigned int i;
+ unsigned long long r;
+
+ r = cost_to_bytes(avg);
+
+ for (i = 0; i < ARRAY_SIZE(units) -1; ++i)
+ if (r >= units[i].thresh &&
+ bytes_to_cost(r & ~(units[i].thresh - 1)) == avg)
+ break;
+ printf(" %llu%sb/s", r/units[i].thresh, units[i].name);
+
+ if (burst == 0)
+ return XT_HASHLIMIT_BYTE_EXPIRE * 1000;
+
+ r *= burst;
+ printf(" %s", prefix);
+ for (i = 0; i < ARRAY_SIZE(units) -1; ++i)
+ if (r >= units[i].thresh)
+ break;
+
+ printf("burst %llu%sb", r / units[i].thresh, units[i].name);
+ return XT_HASHLIMIT_BYTE_EXPIRE_BURST * 1000;
+}
+
static void print_mode(unsigned int mode, char separator)
{
bool prevmode = false;
@@ -398,8 +537,13 @@
fputs(" limit: above", stdout);
else
fputs(" limit: up to", stdout);
- quantum = print_rate(info->cfg.avg);
- printf(" burst %u", info->cfg.burst);
+
+ if (info->cfg.mode & XT_HASHLIMIT_BYTES) {
+ quantum = print_bytes(info->cfg.avg, info->cfg.burst, "");
+ } else {
+ quantum = print_rate(info->cfg.avg);
+ printf(" burst %u", info->cfg.burst);
+ }
if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
fputs(" mode", stdout);
@@ -449,7 +593,7 @@
fputs(" --hashlimit-mode", stdout);
print_mode(r->cfg.mode, ',');
-
+
printf(" --hashlimit-name %s", r->name);
if (r->cfg.size)
@@ -471,8 +615,13 @@
fputs(" --hashlimit-above", stdout);
else
fputs(" --hashlimit-upto", stdout);
- quantum = print_rate(info->cfg.avg);
- printf(" --hashlimit-burst %u", info->cfg.burst);
+
+ if (info->cfg.mode & XT_HASHLIMIT_BYTES) {
+ quantum = print_bytes(info->cfg.avg, info->cfg.burst, "--hashlimit-");
+ } else {
+ quantum = print_rate(info->cfg.avg);
+ printf(" --hashlimit-burst %u", info->cfg.burst);
+ }
if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT |
XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_hashlimit.man new/iptables-1.4.15/extensions/libxt_hashlimit.man
--- old/iptables-1.4.14/extensions/libxt_hashlimit.man 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/extensions/libxt_hashlimit.man 2012-07-31 12:44:36.000000000 +0200
@@ -2,14 +2,15 @@
\fBlimit\fP match) for a group of connections using a \fBsingle\fP iptables
rule. Grouping can be done per-hostgroup (source and/or destination address)
and/or per-port. It gives you the ability to express "\fIN\fP packets per time
-quantum per group" (see below for some examples).
+quantum per group" or "\fIN\fP bytes per seconds" (see below for some examples).
.PP
A hash limit option (\fB\-\-hashlimit\-upto\fP, \fB\-\-hashlimit\-above\fP) and
\fB\-\-hashlimit\-name\fP are required.
.TP
\fB\-\-hashlimit\-upto\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
-Match if the rate is below or equal to \fIamount\fP/quantum. It is specified as
-a number, with an optional time quantum suffix; the default is 3/hour.
+Match if the rate is below or equal to \fIamount\fP/quantum. It is specified either as
+a number, with an optional time quantum suffix (the default is 3/hour), or as
+\fIamount\fPb/second (number of bytes per second).
.TP
\fB\-\-hashlimit\-above\fP \fIamount\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
Match if the rate is above \fIamount\fP/quantum.
@@ -17,7 +18,9 @@
\fB\-\-hashlimit\-burst\fP \fIamount\fP
Maximum initial number of packets to match: this number gets recharged by one
every time the limit specified above is not reached, up to this number; the
-default is 5.
+default is 5. When byte-based rate matching is requested, this option specifies
+the amount of bytes that can exceed the given rate. This option should be used
+with caution -- if the entry expires, the burst value is reset too.
.TP
\fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
A comma-separated list of objects to take into consideration. If no
@@ -63,3 +66,11 @@
"10000 packets per minute for every /28 subnet (groups of 8 addresses)
in 10.0.0.0/8" =>
\-s 10.0.0.8 \-\-hashlimit\-mask 28 \-\-hashlimit\-upto 10000/min
+.TP
+matching bytes per second
+"flows exceeding 512kbyte/s" =>
+\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
+.TP
+matching bytes per second
+"hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching"
+\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_recent.c new/iptables-1.4.15/extensions/libxt_recent.c
--- old/iptables-1.4.14/extensions/libxt_recent.c 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/extensions/libxt_recent.c 2012-07-31 12:44:36.000000000 +0200
@@ -16,6 +16,7 @@
O_NAME,
O_RSOURCE,
O_RDEST,
+ O_MASK,
F_SET = 1 << O_SET,
F_RCHECK = 1 << O_RCHECK,
F_UPDATE = 1 << O_UPDATE,
@@ -25,7 +26,7 @@
};
#define s struct xt_recent_mtinfo
-static const struct xt_option_entry recent_opts[] = {
+static const struct xt_option_entry recent_opts_v0[] = {
{.name = "set", .id = O_SET, .type = XTTYPE_NONE,
.excl = F_ANY_OP, .flags = XTOPT_INVERT},
{.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
@@ -50,6 +51,32 @@
};
#undef s
+#define s struct xt_recent_mtinfo_v1
+static const struct xt_option_entry recent_opts_v1[] = {
+ {.name = "set", .id = O_SET, .type = XTTYPE_NONE,
+ .excl = F_ANY_OP, .flags = XTOPT_INVERT},
+ {.name = "rcheck", .id = O_RCHECK, .type = XTTYPE_NONE,
+ .excl = F_ANY_OP, .flags = XTOPT_INVERT},
+ {.name = "update", .id = O_UPDATE, .type = XTTYPE_NONE,
+ .excl = F_ANY_OP, .flags = XTOPT_INVERT},
+ {.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
+ .excl = F_ANY_OP, .flags = XTOPT_INVERT},
+ {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
+ {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
+ {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
+ .excl = F_SET | F_REMOVE},
+ {.name = "name", .id = O_NAME, .type = XTTYPE_STRING,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, name)},
+ {.name = "rsource", .id = O_RSOURCE, .type = XTTYPE_NONE},
+ {.name = "rdest", .id = O_RDEST, .type = XTTYPE_NONE},
+ {.name = "mask", .id = O_MASK, .type = XTTYPE_HOST,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, mask)},
+ XTOPT_TABLEEND,
+};
+#undef s
+
static void recent_help(void)
{
printf(
@@ -74,18 +101,28 @@
" --name name Name of the recent list to be used. DEFAULT used if none given.\n"
" --rsource Match/Save the source address of each packet in the recent list table (default).\n"
" --rdest Match/Save the destination address of each packet in the recent list table.\n"
+" --mask netmask Netmask that will be applied to this recent list.\n"
"xt_recent by: Stephen Frost . http://snowman.net/projects/ipt_recent/\n");
}
-static void recent_init(struct xt_entry_match *match)
+enum {
+ XT_RECENT_REV_0 = 0,
+ XT_RECENT_REV_1,
+};
+
+static void recent_init(struct xt_entry_match *match, unsigned int rev)
{
- struct xt_recent_mtinfo *info = (void *)(match)->data;
+ struct xt_recent_mtinfo *info = (struct xt_recent_mtinfo *)match->data;
+ struct xt_recent_mtinfo_v1 *info_v1 =
+ (struct xt_recent_mtinfo_v1 *)match->data;
strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
/* even though XT_RECENT_NAME_LEN is currently defined as 200,
* better be safe, than sorry */
info->name[XT_RECENT_NAME_LEN-1] = '\0';
info->side = XT_RECENT_SOURCE;
+ if (rev == XT_RECENT_REV_1)
+ memset(&info_v1->mask, 0xFF, sizeof(info_v1->mask));
}
static void recent_parse(struct xt_option_call *cb)
@@ -131,8 +168,6 @@
static void recent_check(struct xt_fcheck_call *cb)
{
- struct xt_recent_mtinfo *info = cb->data;
-
if (!(cb->xflags & F_ANY_OP))
xtables_error(PARAMETER_PROBLEM,
"recent: you must specify one of `--set', `--rcheck' "
@@ -140,9 +175,9 @@
}
static void recent_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
+ unsigned int family)
{
- const struct xt_recent_mtinfo *info = (const void *)match->data;
+ const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
if (info->invert)
printf(" !");
@@ -167,11 +202,23 @@
printf(" side: source");
if (info->side == XT_RECENT_DEST)
printf(" side: dest");
+
+ switch(family) {
+ case NFPROTO_IPV4:
+ printf(" mask: %s",
+ xtables_ipaddr_to_numeric(&info->mask.in));
+ break;
+ case NFPROTO_IPV6:
+ printf(" mask: %s",
+ xtables_ip6addr_to_numeric(&info->mask.in6));
+ break;
+ }
}
-static void recent_save(const void *ip, const struct xt_entry_match *match)
+static void recent_save(const void *ip, const struct xt_entry_match *match,
+ unsigned int family)
{
- const struct xt_recent_mtinfo *info = (const void *)match->data;
+ const struct xt_recent_mtinfo_v1 *info = (const void *)match->data;
if (info->invert)
printf(" !");
@@ -191,28 +238,116 @@
if (info->check_set & XT_RECENT_TTL)
printf(" --rttl");
if(info->name) printf(" --name %s",info->name);
+
+ switch(family) {
+ case NFPROTO_IPV4:
+ printf(" --mask %s",
+ xtables_ipaddr_to_numeric(&info->mask.in));
+ break;
+ case NFPROTO_IPV6:
+ printf(" --mask %s",
+ xtables_ip6addr_to_numeric(&info->mask.in6));
+ break;
+ }
+
if (info->side == XT_RECENT_SOURCE)
printf(" --rsource");
if (info->side == XT_RECENT_DEST)
printf(" --rdest");
}
-static struct xtables_match recent_mt_reg = {
- .name = "recent",
- .version = XTABLES_VERSION,
- .family = NFPROTO_UNSPEC,
- .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
- .help = recent_help,
- .init = recent_init,
- .x6_parse = recent_parse,
- .x6_fcheck = recent_check,
- .print = recent_print,
- .save = recent_save,
- .x6_options = recent_opts,
+static void recent_init_v0(struct xt_entry_match *match)
+{
+ recent_init(match, XT_RECENT_REV_0);
+}
+
+static void recent_init_v1(struct xt_entry_match *match)
+{
+ recent_init(match, XT_RECENT_REV_1);
+}
+
+static void recent_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ recent_save(ip, match, NFPROTO_UNSPEC);
+}
+
+static void recent_save_v4(const void *ip, const struct xt_entry_match *match)
+{
+ recent_save(ip, match, NFPROTO_IPV4);
+}
+
+static void recent_save_v6(const void *ip, const struct xt_entry_match *match)
+{
+ recent_save(ip, match, NFPROTO_IPV6);
+}
+
+static void recent_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ recent_print(ip, match, NFPROTO_UNSPEC);
+}
+
+static void recent_print_v4(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ recent_print(ip, match, NFPROTO_IPV4);
+}
+
+static void recent_print_v6(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ recent_print(ip, match, NFPROTO_IPV6);
+}
+
+static struct xtables_match recent_mt_reg[] = {
+ {
+ .name = "recent",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init_v0,
+ .x6_parse = recent_parse,
+ .x6_fcheck = recent_check,
+ .print = recent_print_v0,
+ .save = recent_save_v0,
+ .x6_options = recent_opts_v0,
+ },
+ {
+ .name = "recent",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
+ .help = recent_help,
+ .init = recent_init_v1,
+ .x6_parse = recent_parse,
+ .x6_fcheck = recent_check,
+ .print = recent_print_v4,
+ .save = recent_save_v4,
+ .x6_options = recent_opts_v1,
+ },
+ {
+ .name = "recent",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo_v1)),
+ .help = recent_help,
+ .init = recent_init_v1,
+ .x6_parse = recent_parse,
+ .x6_fcheck = recent_check,
+ .print = recent_print_v6,
+ .save = recent_save_v6,
+ .x6_options = recent_opts_v1,
+ },
};
void _init(void)
{
- xtables_register_match(&recent_mt_reg);
+ xtables_register_matches(recent_mt_reg, ARRAY_SIZE(recent_mt_reg));
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/extensions/libxt_recent.man new/iptables-1.4.15/extensions/libxt_recent.man
--- old/iptables-1.4.14/extensions/libxt_recent.man 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/extensions/libxt_recent.man 2012-07-31 12:44:36.000000000 +0200
@@ -24,6 +24,9 @@
\fB\-\-rdest\fP
Match/save the destination address of each packet in the recent list table.
.TP
+\fB\-\-mask\fPnetmask
+Netmask that will be applied to this recent list.
+.TP
[\fB!\fP] \fB\-\-rcheck\fP
Check if the source address of the packet is currently in the list.
.TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/include/linux/netfilter/xt_HMARK.h new/iptables-1.4.15/include/linux/netfilter/xt_HMARK.h
--- old/iptables-1.4.14/include/linux/netfilter/xt_HMARK.h 1970-01-01 01:00:00.000000000 +0100
+++ new/iptables-1.4.15/include/linux/netfilter/xt_HMARK.h 2012-07-31 12:44:36.000000000 +0200
@@ -0,0 +1,50 @@
+#ifndef XT_HMARK_H_
+#define XT_HMARK_H_
+
+#include
+
+enum {
+ XT_HMARK_SADDR_MASK,
+ XT_HMARK_DADDR_MASK,
+ XT_HMARK_SPI,
+ XT_HMARK_SPI_MASK,
+ XT_HMARK_SPORT,
+ XT_HMARK_DPORT,
+ XT_HMARK_SPORT_MASK,
+ XT_HMARK_DPORT_MASK,
+ XT_HMARK_PROTO_MASK,
+ XT_HMARK_RND,
+ XT_HMARK_MODULUS,
+ XT_HMARK_OFFSET,
+ XT_HMARK_CT,
+ XT_HMARK_METHOD_L3,
+ XT_HMARK_METHOD_L3_4,
+};
+#define XT_HMARK_FLAG(flag) (1 << flag)
+
+union hmark_ports {
+ struct {
+ __u16 src;
+ __u16 dst;
+ } p16;
+ struct {
+ __be16 src;
+ __be16 dst;
+ } b16;
+ __u32 v32;
+ __be32 b32;
+};
+
+struct xt_hmark_info {
+ union nf_inet_addr src_mask;
+ union nf_inet_addr dst_mask;
+ union hmark_ports port_mask;
+ union hmark_ports port_set;
+ __u32 flags;
+ __u16 proto_mask;
+ __u32 hashrnd;
+ __u32 hmodulus;
+ __u32 hoffset; /* Mark offset to start from */
+};
+
+#endif /* XT_HMARK_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/include/linux/netfilter/xt_hashlimit.h new/iptables-1.4.15/include/linux/netfilter/xt_hashlimit.h
--- old/iptables-1.4.14/include/linux/netfilter/xt_hashlimit.h 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/include/linux/netfilter/xt_hashlimit.h 2012-07-31 12:44:36.000000000 +0200
@@ -6,7 +6,10 @@
/* timings are in milliseconds. */
#define XT_HASHLIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
- seconds, or one every 59 hours. */
+ seconds, or one packet every 59 hours. */
+
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
@@ -17,6 +20,7 @@
XT_HASHLIMIT_HASH_SIP = 1 << 2,
XT_HASHLIMIT_HASH_SPT = 1 << 3,
XT_HASHLIMIT_INVERT = 1 << 4,
+ XT_HASHLIMIT_BYTES = 1 << 5,
};
struct hashlimit_cfg {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/include/linux/netfilter/xt_recent.h new/iptables-1.4.15/include/linux/netfilter/xt_recent.h
--- old/iptables-1.4.14/include/linux/netfilter/xt_recent.h 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/include/linux/netfilter/xt_recent.h 2012-07-31 12:44:36.000000000 +0200
@@ -32,4 +32,14 @@
__u8 side;
};
+struct xt_recent_mtinfo_v1 {
+ __u32 seconds;
+ __u32 hit_count;
+ __u8 check_set;
+ __u8 invert;
+ char name[XT_RECENT_NAME_LEN];
+ __u8 side;
+ union nf_inet_addr mask;
+};
+
#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/include/xtables.h.in new/iptables-1.4.15/include/xtables.h.in
--- old/iptables-1.4.14/include/xtables.h.in 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/include/xtables.h.in 2012-07-31 12:44:36.000000000 +0200
@@ -442,6 +442,7 @@
extern const char *xtables_ipmask_to_numeric(const struct in_addr *);
extern struct in_addr *xtables_numeric_to_ipaddr(const char *);
extern struct in_addr *xtables_numeric_to_ipmask(const char *);
+extern int xtables_ipmask_to_cidr(const struct in_addr *);
extern void xtables_ipparse_any(const char *, struct in_addr **,
struct in_addr *, unsigned int *);
extern void xtables_ipparse_multiple(const char *, struct in_addr **,
@@ -451,6 +452,7 @@
extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *);
extern const char *xtables_ip6addr_to_anyname(const struct in6_addr *);
extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *);
+extern int xtables_ip6mask_to_cidr(const struct in6_addr *);
extern void xtables_ip6parse_any(const char *, struct in6_addr **,
struct in6_addr *, unsigned int *);
extern void xtables_ip6parse_multiple(const char *, struct in6_addr **,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/iptables/ip6tables-restore.c new/iptables-1.4.15/iptables/ip6tables-restore.c
--- old/iptables-1.4.14/iptables/ip6tables-restore.c 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/iptables/ip6tables-restore.c 2012-07-31 12:44:36.000000000 +0200
@@ -329,6 +329,7 @@
char *curchar;
int quote_open, escaped;
size_t param_len;
+ char param_buffer[1024];
/* reset the newargv */
newargc = 0;
@@ -379,8 +380,6 @@
param_len = 0;
for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];
-
if (quote_open) {
if (escaped) {
param_buffer[param_len++] = *curchar;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/iptables/iptables-restore.c new/iptables-1.4.15/iptables/iptables-restore.c
--- old/iptables-1.4.14/iptables/iptables-restore.c 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/iptables/iptables-restore.c 2012-07-31 12:44:36.000000000 +0200
@@ -329,6 +329,7 @@
char *curchar;
int quote_open, escaped;
size_t param_len;
+ char param_buffer[1024];
/* reset the newargv */
newargc = 0;
@@ -379,8 +380,6 @@
param_len = 0;
for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];
-
if (quote_open) {
if (escaped) {
param_buffer[param_len++] = *curchar;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/libxtables/xtables.c new/iptables-1.4.15/libxtables/xtables.c
--- old/iptables-1.4.14/libxtables/xtables.c 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/libxtables/xtables.c 2012-07-31 12:44:36.000000000 +0200
@@ -1133,28 +1133,43 @@
return xtables_ipaddr_to_numeric(addr);
}
-const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
+int xtables_ipmask_to_cidr(const struct in_addr *mask)
{
- static char buf[20];
uint32_t maskaddr, bits;
int i;
maskaddr = ntohl(mask->s_addr);
-
+ /* shortcut for /32 networks */
if (maskaddr == 0xFFFFFFFFL)
- /* we don't want to see "/32" */
- return "";
+ return 32;
i = 32;
bits = 0xFFFFFFFEL;
while (--i >= 0 && maskaddr != bits)
bits <<= 1;
if (i >= 0)
- sprintf(buf, "/%d", i);
- else
+ return i;
+
+ /* this mask cannot be converted to CIDR notation */
+ return -1;
+}
+
+const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
+{
+ static char buf[20];
+ uint32_t cidr;
+
+ cidr = xtables_ipmask_to_cidr(mask);
+ if (cidr < 0) {
/* mask was not a decent combination of 1's and 0's */
sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
+ return buf;
+ } else if (cidr == 32) {
+ /* we don't want to see "/32" */
+ return "";
+ }
+ sprintf(buf, "/%d", cidr);
return buf;
}
@@ -1465,7 +1480,7 @@
return xtables_ip6addr_to_numeric(addr);
}
-static int ip6addr_prefix_length(const struct in6_addr *k)
+int xtables_ip6mask_to_cidr(const struct in6_addr *k)
{
unsigned int bits = 0;
uint32_t a, b, c, d;
@@ -1492,7 +1507,7 @@
const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
{
static char buf[50+2];
- int l = ip6addr_prefix_length(addrp);
+ int l = xtables_ip6mask_to_cidr(addrp);
if (l == -1) {
strcpy(buf, "/");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/m4/libtool.m4 new/iptables-1.4.15/m4/libtool.m4
--- old/iptables-1.4.14/m4/libtool.m4 2012-05-26 18:45:16.000000000 +0200
+++ new/iptables-1.4.15/m4/libtool.m4 2012-07-31 12:45:33.000000000 +0200
@@ -2512,17 +2512,6 @@
esac
;;
-gnu*)
- version_type=linux # correct to gnu/linux during the next big refactor
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- ;;
-
haiku*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
@@ -2639,7 +2628,7 @@
;;
# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
@@ -3255,10 +3244,6 @@
fi
;;
-gnu*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
haiku*)
lt_cv_deplibs_check_method=pass_all
;;
@@ -3297,7 +3282,7 @@
;;
# This must be glibc/ELF.
-linux* | k*bsd*-gnu | kopensolaris*-gnu)
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
lt_cv_deplibs_check_method=pass_all
;;
@@ -4049,7 +4034,7 @@
;;
esac
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
case $cc_basename in
KCC*)
# KAI C++ Compiler
@@ -4348,7 +4333,7 @@
_LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
case $cc_basename in
# old Intel for x86_64 which still supported -KPIC.
ecc*)
@@ -6241,9 +6226,6 @@
_LT_TAGVAR(ld_shlibs, $1)=yes
;;
- gnu*)
- ;;
-
haiku*)
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
_LT_TAGVAR(link_all_deplibs, $1)=yes
@@ -6405,7 +6387,7 @@
_LT_TAGVAR(inherit_rpath, $1)=yes
;;
- linux* | k*bsd*-gnu | kopensolaris*-gnu)
+ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
case $cc_basename in
KCC*)
# Kuck and Associates, Inc. (KAI) C++ Compiler
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/iptables-1.4.14/tests/options-most.rules new/iptables-1.4.15/tests/options-most.rules
--- old/iptables-1.4.14/tests/options-most.rules 2012-05-26 18:44:33.000000000 +0200
+++ new/iptables-1.4.15/tests/options-most.rules 2012-07-31 12:44:36.000000000 +0200
@@ -96,6 +96,9 @@
-A matches -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 --hashlimit-name mini2
-A matches -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-name mini3
-A matches -m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini4
+-A matches -m hashlimit --hashlimit-upto 4kb/s --hashlimit-burst 400kb --hashlimit-name mini5
+-A matches -m hashlimit --hashlimit-upto 10mb/s --hashlimit-name mini6
+-A matches -m hashlimit --hashlimit-upto 123456b/s --hashlimit-burst 1mb --hashlimit-name mini7
-A matches
-A matches -m hbh ! --hbh-len 5
-A matches
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org