* iptables fixes 2011-08-26
@ 2011-08-26 13:15 Jan Engelhardt
2011-08-26 13:15 ` [PATCH 1/5] libxt_string: simplify hex output routine Jan Engelhardt
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-26 13:15 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The following changes since commit 4a56bcbd49ef20a0203017c15ab1cec9bb140d1a:
libxt_hashlimit: observe new default gc-expire time when saving (2011-08-21 13:04:40 +0200)
are available in the git repository at:
git://dev.medozas.de/iptables fixes
Fernando Luis Vázquez Cao (1):
libxt_TOS: update linux kernel version list for backported fix
Jan Engelhardt (4):
libxt_string: simplify hex output routine
libxt_string: replace hex codes by char equivalents
src: remove unused IPTABLES_MULTI define
libxt_string: escape the escaping char too
extensions/libxt_TOS.man | 8 ++++----
extensions/libxt_string.c | 15 +++++----------
iptables/Makefile.am | 2 +-
iptables/ip6tables-restore.c | 4 ----
iptables/ip6tables-save.c | 4 ----
iptables/ip6tables-standalone.c | 5 -----
iptables/iptables-restore.c | 5 -----
iptables/iptables-save.c | 5 -----
iptables/iptables-standalone.c | 5 -----
iptables/iptables-xml.c | 9 ---------
tests/options-most.rules | 4 ++++
11 files changed, 14 insertions(+), 52 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* [PATCH 1/5] libxt_string: simplify hex output routine
2011-08-26 13:15 iptables fixes 2011-08-26 Jan Engelhardt
@ 2011-08-26 13:15 ` Jan Engelhardt
2011-08-26 13:15 ` [PATCH 2/5] libxt_string: replace hex codes by char equivalents Jan Engelhardt
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-26 13:15 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_string.c | 9 ++-------
1 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 257f5f8..365019f 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -230,13 +230,8 @@ print_hex_string(const char *str, const unsigned short int len)
unsigned int i;
/* start hex block */
printf(" \"|");
- for (i=0; i < len; i++) {
- /* see if we need to prepend a zero */
- if ((unsigned char) str[i] <= 0x0F)
- printf("0%x", (unsigned char) str[i]);
- else
- printf("%x", (unsigned char) str[i]);
- }
+ for (i=0; i < len; i++)
+ printf("%02x", (unsigned char)str[i]);
/* close hex block */
printf("|\"");
}
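Review bot: The `(unsigned char)` cast on the new `printf("%02x", ...)` line is load-bearing and deserves a one-line comment: where `char` is signed, a byte with the high bit set would otherwise be promoted to a negative `int` and `%02x` would print it as `ffffffXX` instead of two digits. The removed comment about prepending a zero explained the old branch; a replacement along the lines of "always two hex digits per byte" would keep the intent visible for whoever tidies this loop next.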
--
1.7.3.4
* [PATCH 2/5] libxt_string: replace hex codes by char equivalents
2011-08-26 13:15 iptables fixes 2011-08-26 Jan Engelhardt
2011-08-26 13:15 ` [PATCH 1/5] libxt_string: simplify hex output routine Jan Engelhardt
@ 2011-08-26 13:15 ` Jan Engelhardt
2011-08-26 13:15 ` [PATCH 3/5] src: remove unused IPTABLES_MULTI define Jan Engelhardt
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-26 13:15 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_string.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 365019f..472035f 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -218,7 +218,7 @@ is_hex_string(const char *str, const unsigned short int len)
if (! isprint(str[i]))
return 1; /* string contains at least one non-printable char */
/* use hex output if the last char is a "\" */
- if ((unsigned char) str[len-1] == 0x5c)
+ if (str[len-1] == '\\')
return 1;
return 0;
}
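Review bot: On the changed line, `str[len-1]` reads one byte before the buffer when `len` is 0, and nothing in the visible lines rules that out; an early `if (len == 0) return 0;` or a `len > 0 &&` in the condition would make the assumption explicit. Dropping the `(unsigned char)` cast is fine for a comparison against `'\\'`. While touching this function, the context line `isprint(str[i])` passes a plain `char`, which is undefined for negative values; `isprint((unsigned char)str[i])` is the safe form.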
@@ -242,8 +242,8 @@ print_string(const char *str, const unsigned short int len)
unsigned int i;
printf(" \"");
for (i=0; i < len; i++) {
- if ((unsigned char) str[i] == 0x22) /* escape any embedded quotes */
- printf("%c", 0x5c);
+ if (str[i] == '\"') /* escape any embedded quotes */
+ putchar('\\');
printf("%c", (unsigned char) str[i]);
}
printf("\""); /* closing quote */
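Review bot: In the new condition, `'\"'` does not need the backslash inside a character literal; `'"'` is the usual spelling and reads more clearly next to `'\\'`. Since the escape is now emitted with `putchar('\\')`, the following `printf("%c", (unsigned char) str[i]);` could become `putchar((unsigned char)str[i]);` so the loop uses one output call throughout. Note that a backslash inside the string is still written unescaped at this point in the series, so the quoted form stays ambiguous until that is handled as well.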
--
1.7.3.4
* [PATCH 3/5] src: remove unused IPTABLES_MULTI define
2011-08-26 13:15 iptables fixes 2011-08-26 Jan Engelhardt
2011-08-26 13:15 ` [PATCH 1/5] libxt_string: simplify hex output routine Jan Engelhardt
2011-08-26 13:15 ` [PATCH 2/5] libxt_string: replace hex codes by char equivalents Jan Engelhardt
@ 2011-08-26 13:15 ` Jan Engelhardt
2011-08-26 13:15 ` [PATCH 4/5] libxt_string: escape the escaping char too Jan Engelhardt
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-26 13:15 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
This dead code has been lingering around since commit v1.4.5~7.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
iptables/Makefile.am | 2 +-
iptables/ip6tables-restore.c | 4 ----
iptables/ip6tables-save.c | 4 ----
iptables/ip6tables-standalone.c | 5 -----
iptables/iptables-restore.c | 5 -----
iptables/iptables-save.c | 5 -----
iptables/iptables-standalone.c | 5 -----
iptables/iptables-xml.c | 9 ---------
8 files changed, 1 insertions(+), 38 deletions(-)
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index a068278..addb159 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -15,7 +15,7 @@ libxtables_la_LIBADD =
endif
xtables_multi_SOURCES = xtables-multi.c iptables-xml.c
-xtables_multi_CFLAGS = ${AM_CFLAGS} -DIPTABLES_MULTI
+xtables_multi_CFLAGS = ${AM_CFLAGS}
xtables_multi_LDFLAGS = -rdynamic
xtables_multi_LDADD = ../extensions/libext.a
if ENABLE_STATIC
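Review bot: Once `-DIPTABLES_MULTI` is dropped from `xtables_multi_CFLAGS`, any `#ifdef IPTABLES_MULTI` left outside the eight files in this diffstat would silently take its `#else` branch, so a grep for the macro across the whole tree (extensions included) should be part of this change. Separately, `xtables_multi_CFLAGS = ${AM_CFLAGS}` now adds nothing over the default, since automake falls back to `AM_CFLAGS` when no per-target flags are set; either drop the line or note that it is kept on purpose, because a per-target `_CFLAGS` also changes the object file names automake generates.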
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index ae147d5..985744d 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -113,11 +113,7 @@ static void free_argv(void) {
free(newargv[i]);
}
-#ifdef IPTABLES_MULTI
int ip6tables_restore_main(int argc, char *argv[])
-#else
-int main(int argc, char *argv[])
-#endif
{
struct ip6tc_handle *handle = NULL;
char buffer[10240];
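Review bot: The commit message calls the define unused, but the lines removed just before `{` are the fallback `int main(int argc, char *argv[])`, so what actually goes away is the ability to build this file as its own program; the message should say that the non-multi build is what is being retired. Also check that the file includes the header declaring `ip6tables_restore_main`, so the definition is checked against its prototype; no include is visible in this hunk.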
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index 39a3325..ad0e70f 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -131,11 +131,7 @@ static int do_output(const char *tablename)
* :Chain name POLICY packets bytes
* rule
*/
-#ifdef IPTABLES_MULTI
int ip6tables_save_main(int argc, char *argv[])
-#else
-int main(int argc, char *argv[])
-#endif
{
const char *tablename = NULL;
int c;
diff --git a/iptables/ip6tables-standalone.c b/iptables/ip6tables-standalone.c
index 9d8d5a0..6b82935 100644
--- a/iptables/ip6tables-standalone.c
+++ b/iptables/ip6tables-standalone.c
@@ -37,13 +37,8 @@
#include <ip6tables.h>
#include "ip6tables-multi.h"
-#ifdef IPTABLES_MULTI
int
ip6tables_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
int ret;
char *table = "filter";
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 1cb833c..d0bd79a 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -113,13 +113,8 @@ static void free_argv(void) {
free(newargv[i]);
}
-#ifdef IPTABLES_MULTI
int
iptables_restore_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
struct iptc_handle *handle = NULL;
char buffer[10240];
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 7542bdc..73fba12 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -129,13 +129,8 @@ static int do_output(const char *tablename)
* :Chain name POLICY packets bytes
* rule
*/
-#ifdef IPTABLES_MULTI
int
iptables_save_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
const char *tablename = NULL;
int c;
diff --git a/iptables/iptables-standalone.c b/iptables/iptables-standalone.c
index 87f1d31..1ebec33 100644
--- a/iptables/iptables-standalone.c
+++ b/iptables/iptables-standalone.c
@@ -38,13 +38,8 @@
#include <iptables.h>
#include "iptables-multi.h"
-#ifdef IPTABLES_MULTI
int
iptables_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
int ret;
char *table = "filter";
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 502b2d9..4ecddcb 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -23,10 +23,6 @@
#define DEBUGP(x, args...)
#endif
-#ifndef IPTABLES_MULTI
-int line = 0;
-#endif
-
struct xtables_globals iptables_xml_globals = {
.option_offset = 0,
.program_version = IPTABLES_VERSION,
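Review bot: The removed `int line = 0;` is the only definition of `line` visible for this file, so any remaining use of `line` in iptables-xml.c now depends on another object providing it. Confirm that a matching `extern` declaration comes from a shared header rather than from an implicit link-time dependency, or drop the uses if none remain.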
@@ -617,13 +613,8 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[])
do_rule_part(NULL, NULL, 1, argc, argv, argvattr);
}
-#ifdef IPTABLES_MULTI
int
iptables_xml_main(int argc, char *argv[])
-#else
-int
-main(int argc, char *argv[])
-#endif
{
char buffer[10240];
int c;
--
1.7.3.4
* [PATCH 4/5] libxt_string: escape the escaping char too
2011-08-26 13:15 iptables fixes 2011-08-26 Jan Engelhardt
` (2 preceding siblings ...)
2011-08-26 13:15 ` [PATCH 3/5] src: remove unused IPTABLES_MULTI define Jan Engelhardt
@ 2011-08-26 13:15 ` Jan Engelhardt
2011-08-26 13:15 ` [PATCH 5/5] libxt_TOS: update linux kernel version list for backported fix Jan Engelhardt
2011-08-29 20:44 ` iptables fixes 2011-08-26 Jan Engelhardt
5 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-26 13:15 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
References: http://bugzilla.netfilter.org/show_bug.cgi?id=740
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_string.c | 2 +-
tests/options-most.rules | 4 ++++
2 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 472035f..fb15980 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -242,7 +242,7 @@ print_string(const char *str, const unsigned short int len)
unsigned int i;
printf(" \"");
for (i=0; i < len; i++) {
- if (str[i] == '\"') /* escape any embedded quotes */
+ if (str[i] == '\"' || str[i] == '\\')
putchar('\\');
printf("%c", (unsigned char) str[i]);
}
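Review bot: The rewritten condition loses the `/* escape any embedded quotes */` comment with no replacement; a short comment such as "escape quote and backslash so the saved rule can be re-parsed" would document why both characters are covered. With backslashes now escaped here, the special case in `is_hex_string()` that forces hex output when the last character is `\` may no longer be needed and is worth revisiting in a follow-up. As in 2/5, `'\"'` can be written `'"'`.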
diff --git a/tests/options-most.rules b/tests/options-most.rules
index e54eb12..ae28b82 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -128,6 +128,10 @@
-A matches
-A matches -m statistic --mode nth ! --every 5 --packet 2
-A matches
+-A matches -m string --hex-string "action=|5C22|http|3A|" --algo bm
+-A matches
+-A matches -m string --hex-string "action=|5C|http|3A|" --algo bm
+-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz
-A matches
-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz
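Review bot: Both added rules feed the pattern through `--hex-string` and both keep the backslash in the middle of the pattern (`|5C22|` and `|5C|` followed by `http`), so only the `print_string()` path is exercised. There is no rule with a trailing `|5C|`, which takes the `is_hex_string()` branch instead, and none that supplies a backslash through plain `--string`; adding one of each would cover the other output path and the input side of the round trip.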
--
1.7.3.4
* [PATCH 5/5] libxt_TOS: update linux kernel version list for backported fix
2011-08-26 13:15 iptables fixes 2011-08-26 Jan Engelhardt
` (3 preceding siblings ...)
2011-08-26 13:15 ` [PATCH 4/5] libxt_string: escape the escaping char too Jan Engelhardt
@ 2011-08-26 13:15 ` Jan Engelhardt
2011-08-29 20:44 ` iptables fixes 2011-08-26 Jan Engelhardt
5 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-26 13:15 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Fernando Luis Vázquez Cao <fernando@oss.ntt.co.jp>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_TOS.man | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_TOS.man b/extensions/libxt_TOS.man
index f989674..58118ec 100644
--- a/extensions/libxt_TOS.man
+++ b/extensions/libxt_TOS.man
@@ -28,9 +28,9 @@ Binary XOR the TOS value with \fIbits\fP. (Mnemonic for \fB\-\-set\-tos\fP
\fIbits\fP\fB/0\fP. See NOTE below.)
.PP
NOTE: In Linux kernels up to and including 2.6.38, with the exception of
-longterm releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug
-whereby IPv6 TOS mangling does not behave as documented and differs from the
-IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs
-to be inverted before applying it to the original TOS field. However, the
+longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
+a bug whereby IPv6 TOS mangling does not behave as documented and differs from
+the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
+needs to be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.
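Review bot: The new `2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14)` shorthand is harder to read in a rendered man page than the previous "2.6.32.42 (or later)" wording; spelling out the full version numbers would be clearer. Since the paragraph is being rewrapped anyway, the context line `aformentioned kernels` carries a typo ("aforementioned"), and `--set-tos` on that line is not escaped as `\-\-set\-tos` the way it is in the text shown in the hunk header.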
--
1.7.3.4
* Re: iptables fixes 2011-08-26
2011-08-26 13:15 iptables fixes 2011-08-26 Jan Engelhardt
` (4 preceding siblings ...)
2011-08-26 13:15 ` [PATCH 5/5] libxt_TOS: update linux kernel version list for backported fix Jan Engelhardt
@ 2011-08-29 20:44 ` Jan Engelhardt
5 siblings, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-08-29 20:44 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
On Friday 2011-08-26 15:15, Jan Engelhardt wrote:
>
>The following changes since commit 4a56bcbd49ef20a0203017c15ab1cec9bb140d1a:
>
> libxt_hashlimit: observe new default gc-expire time when saving (2011-08-21 13:04:40 +0200)
>
>are available in the git repository at:
> git://dev.medozas.de/iptables fixes
>
>Fernando Luis Vázquez Cao (1):
> libxt_TOS: update linux kernel version list for backported fix
>
>Jan Engelhardt (4):
> libxt_string: simplify hex output routine
> libxt_string: replace hex codes by char equivalents
> src: remove unused IPTABLES_MULTI define
> libxt_string: escape the escaping char too
Automerged after 96-hour timeout.