commit iptables.3448 for openSUSE:13.1:Update

Hello community, here is the log from the commit of package iptables.3448 for openSUSE:13.1:Update checked in at 2015-02-04 18:01:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/iptables.3448 (Old) and /work/SRC/openSUSE:13.1:Update/.iptables.3448.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "iptables.3448" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.iptables.3448.new/iptables.changes 2015-02-04 18:01:13.000000000 +0100 @@ -0,0 +1,754 @@ +------------------------------------------------------------------- +Thu Jan 22 13:34:42 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 1.4.21 +* Introduce a new revision for the set match with the counters support +* Add locking to prevent concurrent instances +* --nowildcard option for xt_socket, available since Linux kernel 3.11 +* SYNPROXY support, available since Linux kernel 3.12 +* Only convert netmasks to /prefixlen notation when representable + [bnc#914285] + +------------------------------------------------------------------- +Fri May 31 20:00:39 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.4.19.1 +* New connlabel and bpf matches +- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch, + 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch + (are upstream) + +------------------------------------------------------------------- +Mon Apr 15 06:19:21 UTC 2013 - jengelh@inai.de + +- libxt_state.so symlink was not installed (bnc#815182); fix by + removing 0001-build-also-use-libtool-for-install-stage.patch, + removing 0001-build-do-not-dereference-symlinks-on-installation.patch, + adding 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch, + adding 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch + +------------------------------------------------------------------- +Wed Mar 20 08:22:20 UTC 2013 - cfarrell@suse.com + +- license update: GPL-2.0 and Artistic-2.0 + GPL version does not have ^or later^ due to inclusion of numerous GPL 2 + ^only^ files. Also, aggregation of Artistic-2.0 content + +------------------------------------------------------------------- +Mon Mar 4 21:42:12 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.4.18 +* documentation updates +- Create subpackage xtables-plugins, to aid packaging of xtadm +- Add 0001-build-do-not-dereference-symlinks-on-installation.patch + as a prerequisite for: +- Add 0001-build-also-use-libtool-for-install-stage.patch + to kill of undesired DT_RPATH entries + +------------------------------------------------------------------- +Tue Dec 25 22:47:56 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.17 +* libxt_time: add support to ignore day transition +* libxt_statistic: fix save output + +------------------------------------------------------------------- +Wed Nov 28 17:07:29 CET 2012 - sbrabec@suse.cz + +- Verify GPG signature + +------------------------------------------------------------------- +Thu Nov 15 16:06:15 UTC 2012 - lnussel@suse.de + +- list all required binaries explicitly to make sure all of them are actually + compiled + +------------------------------------------------------------------- +Thu Nov 15 14:15:48 UTC 2012 - jengelh@inai.de + +- Always regenerate files due to SUSE's iptables-batch patch + +------------------------------------------------------------------- +Mon Oct 8 12:42:37 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.16.3 +* This release includes aliasing support which translates command + lines using obsolete extensions into new ones. The option parser + now flags illegal negative numbers in some more extensions. + A division by zero was resolved in libxt_limit as well. + +------------------------------------------------------------------- +Tue Jul 31 12:08:07 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.15 +* libxt_recent: add --mask netmask +* libxt_hashlimit: add support for byte-based operation + +------------------------------------------------------------------- +Sat May 26 19:35:38 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.4.14 +* Support for the new cttimeout infrastructure. This allows you to + attach specific timeout policies to flow via iptables CT target. + +------------------------------------------------------------------- +Tue Mar 27 13:29:31 UTC 2012 - jengelh@medozas.de + +- Update to new upstream release 1.4.13 +* Add the rpfilter, nfacct and IPv6 ECN extensions + +------------------------------------------------------------------- +Mon Jan 2 21:30:38 UTC 2012 - jengelh@medozas.de + +- Update to newer git snapshot (v1.4.12.2-28-g2117f2b, + but master branch), tag locally as 1.4.12.90. +* ships missing pkgconfig files, compile fix for libnfnetlink +* libxt_NFQUEUE: fix --queue-bypass ipt-save output +* libxt_connbytes: fix handling of --connbytes FROM +* libxt_recent: Add support for --reap option +- split iptables-devel into libiptc-devel and libxtables-devel + +------------------------------------------------------------------- +Wed Dec 28 09:50:23 UTC 2011 - puzel@suse.com + +- iptables-apply-mktemp-fix.patch (bnc#730161) + +------------------------------------------------------------------- +Wed Nov 30 14:28:11 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Tue Oct 4 23:01:57 UTC 2011 - jengelh@medozas.de + +- Update to a newer git snapshot of the stable branch + (to v1.4.12.1-16-gd2b0eaa) +* resolve failure to load extensions that depend on libm.so +- rediff of iptables-batch due to fuzz +- relax runtime requires + +------------------------------------------------------------------- +Thu Sep 1 17:09:05 UTC 2011 - jengelh@medozas.de + +- Update to new upstream release 1.4.12.1 +* regression fixes for the new (stricter) command-line parser +- restore --includedir= in spec file +- Put libxtables into its own subpackage so that one does not need + a lockstep update of iproute2 on a new iptables package +- Remove redundant fields (Autoreqprov defaults to on, License is + inherited from main package) + +------------------------------------------------------------------- +Sat Aug 13 01:39:38 CEST 2011 - draht@suse.de + +- include path is /usr/include + +------------------------------------------------------------------- +Mon Aug 8 00:42:53 UTC 2011 - jengelh@medozas.de + +- Put include files into a separate directory to flag up missing + CFLAGS. libipq.pc will now be provided. +- Enable build of nfnl_osf, a tool to upload OS fingerprints to + the kernel for use with xt_osf. + +------------------------------------------------------------------- +Fri Jul 22 13:12:50 UTC 2011 - jengelh@medozas.de + +- Update to new upstream release 1.4.12 +* Include lost match/target descriptions in manpage again +* libxt_LOG: fix ignorance of all but the last flag +* libxt_HL: restore hl-* option names +* libxt_hashlimit: use a more obvious expiry value by default +* libxt_RATEEST: fix find-and-delete of rules with -j RATEEST +* ipv4: restore negation for the -f option +* Reject empty host specifications (e.g. -s "") +* libxt_conntrack: restore network byteordering for ABI v1 & v2 +* Documentation updates + +------------------------------------------------------------------- +Wed Jun 8 10:20:57 UTC 2011 - jengelh@medozas.de + +- Update to snapshot 1.4.11+git16 +* libxt_owner: restore inversion support +* option: fix ignored negation before implicit extension loading +* build: fix installation of symlinks +* build: fix absence of xml translator in IPv6-only builds +- Drop merged patches + +------------------------------------------------------------------- +Sun May 29 23:56:33 UTC 2011 - jengelh@medozas.de + +- Update to new upstream release 1.4.11 +* stricter option parsing +* support for the current xt_SET target as contained in 2.6.39 +* support for the new xt_devgroup match +* support for the new xt_AUDIT target +* support for a new NFQUEUE bypass option, allowing to bypass the + queue if no userspace listener is present +* a new iptables option "-C" to check for existence of a rules +- Fixes on top +* allow negation of --uid-owner/--gid-owner again +* fix installation of symlinks +- Run spec-beautifier + +------------------------------------------------------------------- +Fri Oct 29 17:56:48 UTC 2010 - jengelh@medozas.de + +- Update to new upstream release 1.4.10 ++++ 557 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.iptables.3448.new/iptables.changes New: ---- iptables-1.4.21.tar.bz2 iptables-1.4.21.tar.bz2.sig iptables-apply-mktemp-fix.patch iptables-batch.patch iptables.changes iptables.keyring iptables.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iptables.spec ++++++ # # spec file for package iptables # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: iptables %define lname_ipq libipq0 %define lname_iptc libiptc0 %define lname_xt libxtables10 Version: 1.4.21 Release: 0 Summary: IP Packet Filter Administration utilities License: GPL-2.0 and Artistic-2.0 Group: Productivity/Networking/Security Url: http://netfilter.org/projects/iptables/ #Git-Web: http://git.netfilter.org/ #Git-Clone: git://git.netfilter.org/iptables #DL-URL: http://netfilter.org/projects/iptables/files/ Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2 Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig Source3: %name.keyring Patch3: iptables-batch.patch Patch4: iptables-apply-mktemp-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?fedora_version} || 0%{?centos_version} BuildRequires: sgml-common %endif #git#BuildRequires: autoconf, automake >= 1.10 BuildRequires: libtool BuildRequires: pkgconfig >= 0.21 %if 0%{?suse_version} BuildRequires: fdupes %endif %if 0%{?suse_version} >= 1140 || 0%{?fedora_version} BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4 BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0 %endif %if (0%{?suse_version} && 0%{?suse_version} <= 1110) || 0%{?centos_version} || 0%{?redhat_version} BuildRequires: libnetfilter_conntrack-devel >= 1.0.4 BuildRequires: libnfnetlink-devel >= 1.0.0 %endif Requires: xtables-plugins = %version %description iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. This version requires kernel 3.0 or newer. %package -n xtables-plugins Summary: Match and Target Extension plugins for iptables Group: Productivity/Networking/Security Conflicts: iptables < 1.4.18 %description -n xtables-plugins Match and Target Extension plugins for iptables. %package -n %lname_ipq Summary: Library to interface with the (old) ip_queue kernel mechanism Group: System/Libraries %description -n %lname_ipq The Netfilter project provides a mechanism (ip_queue) for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel. ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue! %package -n libipq-devel Summary: Development files for the ip_queue kernel mechanism Group: Development/Libraries/C and C++ Requires: %lname_ipq = %version %description -n libipq-devel The Netfilter project provides a mechanism (ip_queue) for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel. ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue! %package -n %lname_iptc Summary: Library for low-level ruleset generation and parsing Group: System/Libraries %description -n %lname_iptc libiptc ("iptables cache") is used to retrieve from the kernel, parse, construct, and load new rulesets into the kernel. %package -n libiptc-devel Summary: Development files for libiptc, a packet filter ruleset library Group: Development/Libraries/C and C++ Requires: %lname_iptc = %version %description -n libiptc-devel libiptc ("iptables cache") is used to retrieve from the kernel, parse, construct, and load new rulesets into the kernel. %package -n %lname_xt Summary: iptables extension interface Group: System/Libraries %description -n %lname_xt This library contains all the iptables code shared between iptables, ip6tables, their extensions, and for external integration for e.g. iproute2's m_xt. %package -n libxtables-devel Summary: Libraries, Headers and Development Man Pages for iptables Group: Development/Libraries/C and C++ Requires: %lname_xt = %version %description -n libxtables-devel This library contains all the iptables code shared between iptables, ip6tables, their extensions, and for external integration for e.g. Link your extension (iptables plugins) with $(pkg-config xtables --libs) and place the plugin in the directory given by $(pkg-config xtables --variable=xtlibdir). %prep %setup -q %patch -P 3 -P 4 -p1 %build # We have the iptables-batch patch, so always regenerate. if true || [ ! -e configure ]; then ./autogen.sh; fi # bnc#561793 - do not include unclean module in iptables manpage rm -f extensions/libipt_unclean.man # includedir is overriden on purpose to detect projects that # fail to include libxtables_CFLAGS %configure --includedir="%_includedir/pkg/%name" --enable-libipq make %{?_smp_mflags} %install make DESTDIR=%buildroot install # iptables-apply is not installed by upstream Makefile install -m0755 iptables/iptables-apply %buildroot%_sbindir/ install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/ rm -f "%buildroot/%_libdir"/*.la; %if 0%{?suse_version} %fdupes %buildroot/%_prefix %endif %post -n %lname_ipq -p /sbin/ldconfig %postun -n %lname_ipq -p /sbin/ldconfig %post -n %lname_iptc -p /sbin/ldconfig %postun -n %lname_iptc -p /sbin/ldconfig %post -n %lname_xt -p /sbin/ldconfig %postun -n %lname_xt -p /sbin/ldconfig %files %defattr(-,root,root) %doc COPYING %doc %_mandir/man1/ip* %doc %_mandir/man8/ip* %_bindir/iptables-xml %_sbindir/iptables %_sbindir/iptables-apply %_sbindir/iptables-batch %_sbindir/iptables-restore %_sbindir/iptables-save %_sbindir/ip6tables %_sbindir/ip6tables-batch %_sbindir/ip6tables-restore %_sbindir/ip6tables-save %_sbindir/xtables-multi %files -n xtables-plugins %defattr(-,root,root) %_libdir/xtables/ %_sbindir/nfnl_osf %_datadir/xtables/ %files -n %lname_ipq %defattr(-,root,root) %_libdir/libipq.so.0* %files -n libipq-devel %defattr(-,root,root) %doc %_mandir/man3/libipq* %doc %_mandir/man3/ipq* %dir %_includedir/pkg/%name/ %_includedir/pkg/%name/libipq* %_libdir/libipq.so %_libdir/pkgconfig/libipq.pc %files -n %lname_iptc %defattr(-,root,root) %_libdir/libiptc.so.0* %_libdir/libip4tc.so.0* %_libdir/libip6tc.so.0* %files -n libiptc-devel %defattr(-,root,root) %dir %_includedir/pkg/ %dir %_includedir/pkg/%name/ %_includedir/pkg/%name/libiptc* %_libdir/libip*tc.so %_libdir/pkgconfig/libip*tc.pc %files -n %lname_xt %defattr(-,root,root) %_libdir/libxtables.so.10* %files -n libxtables-devel %defattr(-,root,root) %dir %_includedir/pkg/ %dir %_includedir/pkg/%name/ %_includedir/pkg/%name/xtables.h %_includedir/pkg/%name/xtables-version.h %_libdir/libxtables.so %_libdir/pkgconfig/xtables.pc %changelog ++++++ iptables-apply-mktemp-fix.patch ++++++ Index: iptables-1.4.12.1+16/iptables/iptables-apply =================================================================== --- iptables-1.4.12.1+16.orig/iptables/iptables-apply +++ iptables-1.4.12.1+16/iptables/iptables-apply @@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then exit 2 fi -COMMANDS=(tempfile "$SAVE" "$RESTORE") +COMMANDS=(mktemp "$SAVE" "$RESTORE") for cmd in "${COMMANDS[@]}"; do if ! command -v $cmd >/dev/null; then @@ -122,7 +122,7 @@ done umask 0700 -TMPFILE=$(tempfile -p iptap) +TMPFILE=$(mktemp) trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 if ! "$SAVE" >"$TMPFILE"; then ++++++ iptables-batch.patch ++++++ --- iptables/Makefile.am | 10 iptables/iptables-batch.c | 468 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 477 insertions(+), 1 deletion(-) Index: iptables-1.4.20/iptables/Makefile.am =================================================================== --- iptables-1.4.20.orig/iptables/Makefile.am +++ iptables-1.4.20/iptables/Makefile.am @@ -24,7 +24,15 @@ endif xtables_multi_SOURCES += xshared.c xtables_multi_LDADD += ../libxtables/libxtables.la -lm -sbin_PROGRAMS = xtables-multi +iptables_batch_SOURCES = iptables-batch.c iptables.c xshared.c +iptables_batch_LDFLAGS = ${xtables_multi_LDFLAGS} +iptables_batch_LDADD = ${xtables_multi_LDADD} +ip6tables_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c +ip6tables_batch_CFLAGS = ${AM_CFLAGS} -DIP6T +ip6tables_batch_LDFLAGS = ${xtables_multi_LDFLAGS} +ip6tables_batch_LDADD = ${xtables_multi_LDADD} + +sbin_PROGRAMS = xtables-multi iptables-batch ip6tables-batch man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ ip6tables-save.8 iptables-extensions.8 Index: iptables-1.4.20/iptables/iptables-batch.c =================================================================== --- /dev/null +++ iptables-1.4.20/iptables/iptables-batch.c @@ -0,0 +1,468 @@ +/* + * Author: Ludwig Nussel + * Update for iptables 1.4.3.x: Petr Uzel + * + * Based on the ipchains code by Paul Russell and Michael Neuling + * + * (C) 2000-2002 by the netfilter coreteam : + * Paul 'Rusty' Russell + * Marc Boucher + * James Morris + * Harald Welte + * Jozsef Kadlecsik + * + * iptables-batch -- iptables batch processor + * + * See the accompanying manual page iptables(8) for information + * about proper usage of this program. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include + +#ifdef IP6T +#include +#else +#include +#endif +#include + +#ifdef IP6T +#define prog_name ip6tables_globals.program_name +#define prog_ver ip6tables_globals.program_version +#else +#define prog_name iptables_globals.program_name +#define prog_ver iptables_globals.program_version +#endif + +static char* errstr = NULL; + +static unsigned current_line = 0; + +static char* +skipspace(char* ptr) +{ + while(*ptr && isspace(*ptr)) + ++ptr; + return ptr; +} + +static char* +getliteral(char** ptr) +{ + char* start = *ptr; + char* p = start; + + while(*p && !isspace(*p)) + ++p; + + if(*p) + { + *p = '\0'; + ++p; + } + + *ptr = p; + return start; +} + +static char* +getstring(char** ptr) +{ + char* start = *ptr+1; // skip leading " + char* p = start; + char* o = start; + int backslash = 0; + int done = 0; + + while(*p && !done) + { + if(backslash) + { + backslash = 0; + // no escapes supported, just eat the backslash + *o++ = *p++; + } + else if(*p == '\\') + { + backslash = 1; + p++; + } + else if(*p == '"') + { + done = 1; + } + else + { + *o++ = *p++; + } + } + + if(done) + { + *o = '\0'; + *p = '\0'; + ++p; + *ptr = p; + } + else + { + errstr = "missing \" at end of string"; + start = NULL; + } + return start; +} + +// this is just a very basic method, not 100% shell compatible +static char* +getword(char** ptr) +{ + *ptr = skipspace(*ptr); + if(**ptr == '"') + return getstring(ptr); + return getliteral(ptr); +} + +// destructive +static int +tokenize(int* argc, char* argv[], size_t nargvsize, char* iline) +{ + char* ptr = skipspace(iline); + int ret = 0; + char* word; + + while(ptr && *ptr) + { + if(*ptr == '#') + break; + if(*argc >= nargvsize) + { + errstr = "too many arguments"; + ret = -1; + break; + } + word = getword(&ptr); + if(!word) + { + ret = -1; + break; + } + argv[(*argc)++] = word; + ++ret; + } + return ret; +} + +#ifdef DEBUG +static void +dumpargv(int argc, char* argv[]) +{ + int i; + for(i=0; i < argc; ++i) + { + printf("%s\"%s\"",i?" ":"", argv[i]); + } + puts(""); +} +#endif + +struct table_handle +{ + char* name; +#ifdef IP6T + struct ip6tc_handle *handle; +#else + struct iptc_handle *handle; +#endif +}; + +static struct table_handle* tables = NULL; +static unsigned num_tables; +struct table_handle* current_table; + +static void +alloc_tables(void) +{ + tables = realloc(tables, sizeof(struct table_handle) * num_tables); +} + +static void +set_current_table(const char* name) +{ + unsigned i; + + if(!strcmp(name, current_table->name)) // same as last time? + return; + + for(i = 0; i < num_tables; ++i) // find already known table + { + if(!strcmp(name, tables[i].name)) + { + current_table = &tables[i]; + return; + } + } + + // table name not known, create new + i = num_tables++; + alloc_tables(); + current_table = &tables[i]; + current_table->name = strdup(name); + current_table->handle = NULL; +} + +static int +find_table(int argc, char* argv[]) +{ + int i; + for(i = 0; i < argc; ++i) + { + if(!strcmp(argv[i], "-t") || !strcmp(argv[i], "--table")) + { + ++i; + if(i >= argc) + { + fprintf(stderr, "line %d: missing table name after %s\n", + current_line, argv[i]); + return 0; + } + set_current_table(argv[i]); + return 1; + } + } + + // no -t specified + set_current_table("filter"); + + return 1; +} + +static int +do_iptables(int argc, char* argv[]) +{ + char *table = "filter"; + int ret = 0; + + if(!find_table(argc, argv)) + return 0; + +#ifdef IP6T + ret = do_command6(argc, argv, &table, ¤t_table->handle, true); + + if (!ret) + { + fprintf(stderr, "line %d: %s\n", current_line, ip6tc_strerror(errno)); + } + else + { + if(!table || strcmp(table, current_table->name)) + { + fprintf(stderr, "line %d: expected table %s, got %s\n", + current_line, current_table->name, table); + exit(1); + } + } +#else + ret = do_command4(argc, argv, &table, ¤t_table->handle, true); + + if (!ret) + { + fprintf(stderr, "line %d: %s\n", current_line, iptc_strerror(errno)); + } + else + { + if(!table || strcmp(table, current_table->name)) + { + fprintf(stderr, "line %d: expected table %s, got %s\n", + current_line, current_table->name, table); + exit(1); + } + } +#endif + + return ret; +} + +static int +do_commit(void) +{ + unsigned i; + int ret = 1; + + for(i = 0; i < num_tables; ++i) + { + if(tables[i].handle) + { +#ifdef IP6T + ret = ip6tc_commit(tables[i].handle); + if (!ret) + fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, ip6tc_strerror(errno)); + ip6tc_free(tables[i].handle); + tables[i].handle = NULL; +#else + ret = iptc_commit(tables[i].handle); + if (!ret) + fprintf(stderr, "commit failed on table %s: %s\n", tables[i].name, iptc_strerror(errno)); + iptc_free(tables[i].handle); + tables[i].handle = NULL; +#endif + } + } + + return ret; +} + +static void +help(void) +{ + fprintf(stderr, "Usage: %s [FILE]\n\n", prog_name); + puts("Read iptables commands from FILE, commit them at EOF\n"); + puts("In addition to normal iptables calls the commands"); + puts("'commit' and 'exit' are understood."); + exit(0); +} + +int +main(int argc, char *argv[]) +{ + int ret = 1; + int c; + int numtok; + size_t llen = 0; + char* iline = NULL; + ssize_t r = -1; + int nargc = 0; + char* nargv[256]; + FILE* fp = stdin; + +#ifdef IP6T + prog_name = "ip6tables-batch"; +#else + prog_name = "iptables-batch"; +#endif + +#ifdef IP6T + c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); +#else + c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); +#endif + + if(c < 0) { + fprintf(stderr, "%s/%s Failed to initialize xtables\n", + prog_name, + prog_ver); + exit(1); + } + +#ifdef NO_SHARED_LIBS + init_extensions(); +#endif + if(argc > 1) + { + if(!strcmp(argv[1], "--help") || !strcmp(argv[1], "-h")) + { + help(); + } + else if(strcmp(argv[1], "-")) + { + fp = fopen(argv[1], "r"); + if(!fp) + { + perror("fopen"); + exit(1); + } + } + } + + num_tables = 4; + alloc_tables(); + tables[0].name = "filter"; + tables[0].handle = NULL; + tables[1].name = "mangle"; + tables[1].handle = NULL; + tables[2].name = "nat"; + tables[2].handle = NULL; + tables[3].name = "raw"; + tables[3].handle = NULL; + current_table = &tables[0]; + + while((r = getline(&iline, &llen, fp)) != -1) + { + if(llen < 1 || !*iline) + continue; + if(iline[strlen(iline)-1] == '\n') + iline[strlen(iline) -1 ] = '\0'; + + ++current_line; + nargc = 0; + errstr = NULL; + numtok = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), iline); + if(numtok == -1) + { + } + else if (numtok == 0) + { + continue; + } + else if(nargc < 1) + { + errstr = "insufficient number of arguments"; + } + + if(errstr) + { + fprintf(stderr, "parse error in line %d: %s\n", current_line, errstr); + ret = 0; + break; + } + +#ifdef DEBUG + dumpargv(nargc, nargv); +#endif + +#ifdef IP6T + if(!strcmp(nargv[0], "ip6tables")) +#else + if(!strcmp(nargv[0], "iptables")) +#endif + { + ret = do_iptables(nargc, nargv); + if(!ret) break; + } + else if(!strcmp(nargv[0], "exit")) + { + break; + } + else if(!strcmp(nargv[0], "commit")) + { + /* do nothing - see bnc#500990, comment #16 */ + } + else + { + fprintf(stderr, "line %d: invalid command '%s'\n", current_line, nargv[0]); + } + } + + if(ret) + ret = do_commit(); + + exit(!ret); +} ++++++ iptables.keyring ++++++ pub 4096R/BB5F58CC 2010-10-21 [expires: 2015-10-20] uid Netfilter Core Team sub 4096R/04B92F5C 2010-10-21 [expires: 2015-10-20] -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.19 (GNU/Linux) mQINBEzAS5EBEADVlGm+KwODJcVmP33HTCbn/eP8obZbgu+3Z1CYRklF8V43vC6D 8Jfk7fjD4/gWbAKZxriOESXVAN7mp0Fho4+Ga+pxWeLIET9tVM5xbNFK1p9R3XCK p5SrugG+tGhizTR9b/1YCMVRz/yX3aDtC7lwObas4hkr5BqhphjvlkjFE7us32by 43LPpFj2yUpp1VdOf6gxl03kAgJg08h9J7a+n9KHQeAhIpXSRFq3tXiTdXQlovsv ckwBjO0m8P2d1Z8/UYwXQgXzuO8W8EqaUSR95nDwl7UnilnKJm2fGvNg3A6PfCSk 3KdeEBZ45SRfMTPsuC5C4T0Az75h3HFR6YSae46ymg7d4ZA/Bd5K4hvp4PdYrfCi GXen7iK9q5XDpopWb0yCrEVJzKjBjDurvpLtAD0IFWcpB6zwM38AnxVH05J8QOx/ VCZ4vZJxTKWbpHbdcISSMmVt00VfKorF9DsjiAcBRMBcIvDpJTP4yjvr32W09wLc d5CIYGrLKhLNysUIJ44AQoTL9yV5aQvCb2EFnoPqCEKQm8onTAGX19PpTDjDPJFt WyMMUDtiMp2yODuFo1qHjxvqzSVX+Ti2sGpiT1hEz97GAIlbAvmXs/bTb+U+rBnd 6027ooes3cWmBSV5kpz/sMp+nFynrLZ5NDnehPScz3W31oGgSdrGsnnhaQARAQAB tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC PgQTAQIAKAUCTMBLkQIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQpBEfibtfWMzULxAAtGgYeuEqk0F9y4sz6hFJf+fXKSPPrwWTIUXs/sCxlBtS lgf9oTvk3aT48zsMIfsDsS8yfIUjaK+eedIZW3oJ0lBtwRncZKjks8Od5J7DvEhR Kpo3cajT1KXJh584IvXN0/BbCdPUI6EQE8n0fEUrSWANfzhuD3qYtX9UUGBq/7i8 Cf3pGFDeYRjcwWeNZ1T+xbaCKPS5BGlOVhMtauaTBZvTJniB828bOZXd3KrXUeul AicbzZzqU7XcNX2YKw19MTQzuGNZQ3npJUPQiHgyELTh3+YUmRkPaZaZiDNZeQvu /j8cgSoa26Q48apjghREo0Ues4MwQwEGBbdVkEQQMuC9ASti3OyZBTOqyApc2rpE VsW2CkqvoQ8jaP51Ua4mjerYkqEqXaVtbPelNFMJXGNXrKdf0xg5Nl/onWnT9S/s jtR3LtjOQ0apbBiGPROtYKWSQtA55TgYNLLS1+947TvU134Px1FA8Dqi72SBl7Xc ET4nwISO222wMJBxbY4MYB2TppMysIKXUazIyekbRkpK1woH4AR6NsuJOiVdhjEi 46MkN7tmHI9S9blA98Ih6C9hMz2YgmQEwOQ0qYgVruPdYZSP+M5o+pra9ch+STBk FbB03L9kqcAAE8wpGSBRYU+KuyVRipnPeqoeR8niO71AiKbsfbL1skTGRafC2Q+5 Ag0ETMBLkQEQANNv2Ymm/BVxwqb1vrLq1scoWK5kmeaRD3ndMBv9F3xwqGnE/JTn HnVoZIzGb8MD+MCe9jfm8Y+NLU0D71NpDDqRzFZCCjcTmRMYV6QXlsg/ndnSaU1b hG0gSq4N+qZFZ+35yiY5pYv1qZkIqWr4/vg9mk53CU620bNgNJ1+F19s/eTw1231 pJ6K6BsDi7pj4LXGD5wHZPKAmLabFweCkGbGQo6VwWw1ieNJ0igvzkZtVXuvoeHU mAitCaZT9AIYDl4PHryckIzjgTdhK0PP92fyHV64Yr3B7G6hWlEwq4wKk9irdgqD 20Fuqw8Cvv6k1YucWfdpNbZkUI3siQE+1HUUuRTcT8yrPcEA5ZM1/U+e8jBT3EAr hk69G6LCfwyX2Xd/JGlBmc0Qv0t2YKqj9Io1G5lBN1q57+vK7ttiIUomwvfD2ltY 0bdcEr5LjXOk3Sb+OPIVm7+vr6hDMKdUpdm5ABZRSUb0RJ37hBT+DKYbnp0t/e3a MXxV9m3jUq8hNdwc8vU1khr9kf+MWPonE0Vw2kqHIIb4I5W9HkMJf4Vzj9/hVPMI ucV+2de/7zqxwa0Jh5VSD7SeKj7LznsAy9gi/AioYq4AKVTsigfyJlWpjOLeOvv7 z4uUfLRQ5OWWfX8BBw8SoPwnWQD4cXHkrHXVwYR2yy7pEc1CstUN+uqXABEBAAGJ AiUEGAECAA8FAkzAS5ECGwwFCQlmAYAACgkQpBEfibtfWMyLqw/6A12S4bnLYaik ToKc13ywTUsHplbmlLOy2E/5ZMksdfuWjh9XTMR0nbXWnFULxGKTP00kA0yVpv/j beDY/qLzY2Yb0rROCQJjuWSLYuNW40+Hmh9TGsDWt7iK3XsONVpV0sRsMOBCwV3k 2EsFXu73Fj+1JvQ+WSGluj+N7HFAqPi5OFk3IFFnIGhScUz22V6meSaOEqiXLySg qh3lv7+XuGzoBjdy7dDm+SnbmK9lO1IqPsIm4iDwmTNJBiu1Wrz319kLYA0/Vx+o fmxyViOX1GZShb1mGH0Aeo4jeYmDNLXapkoymC3HCIMctYDmuIw6QlgG8i1LRcFh VKMngLjZ17dl/w8gYOdkCsGIUBzvbFBhxuJnXMnFVyDxft/lorMAimH2kbjDn6qa H0uV8ILfFVe6gnKzanugmaSQjWzby/ARPhs6OYAXoIUv5MUVDgvTzVmTckWjVa1R kMm3eGmDSqoMxsPmarb80nkoFQMOPhJWlyaUCt6HHRYuSkIcxY4H4Ni3Oq1s1R9/ EqUuIfxNv7Kp0mcsE2KvANc3JfB9wXwLWqDYRCifLkCD6pbpt9L/+xQ49VzcFxNO 9DqTyk4N7cz7OZrAi+ouVrdFuiwnZyn5YSQoof6Pos58b3bkFn14m9gofwTqGzPh R4Vot9rRu5zrWdoCM4cRThpJyrjqBMs= =mRxL -----END PGP PUBLIC KEY BLOCK----- -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org