[ANNOUNCE]: Release of iptables-1.4.3.1

[ANNOUNCE]: Release of iptables-1.4.3.1

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 902 bytes --]

The netfilter coreteam presents:

     iptables version 1.4.3.1

the iptables release for the 2.6.29 kernel. This version includes a
compilation fix and a couple of minor fixes:

- compilation error fix from Peter Volkov

- documentation update from Jan Engelhardt

- cleanup error reporting by myself.

Check out the Changelog for more details.

Remember that this release (and 1.4.3) starts enforcing the deprecation
of NAT filtering that was added in 1.4.2-rc1, filtering rules in the NAT
tables will cause an error instead of a warning from now on. Please make
sure your rulesets are update appropriately.

Version 1.4.3.1 can be obtained from:

http://www.netfilter.org/projects/iptables/downloads.html
ftp://ftp.netfilter.org/pub/iptables/
git://git.netfilter.org/iptables.git

On behalf of the Netfilter Core Team.
Happy firewalling!

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: changes-iptables-1.4.3.1.txt --]
[-- Type: text/plain, Size: 401 bytes --]

Jan Engelhardt (2):
      iptables-save: minor corrections to the manpage markup
      libxt_hashlimit: add missing space for iptables-save output

Pablo Neira Ayuso (2):
      build: bump version to 1.4.3.1
      iptables: refer to dmesg if we hit EINVAL

Peter Volkov (2):
      libxtables: fix compile error due to incomplete change
      build: fix linker issue when LDFLAGS contains --as-needed

Re: [ANNOUNCE]: Release of iptables-1.4.3.1

[Steven Jan Springl]

Is there a problem with mss in this release?

If I specify rule:

-A OUTPUT -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT

I get error:

        Invalid mss '1000' specified.

It appears that mss values less than 65536 are rejected, while values of 65536 
or greater are accepted. Is this not the wrong way around?

Regards

Steven.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [ANNOUNCE]: Release of iptables-1.4.3.1

[Jan Engelhardt]

On Tuesday 2009-03-24 22:12, Steven Jan Springl wrote:

>Is there a problem with mss in this release?
>If I specify rule:
>-A OUTPUT -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT
>I get error:
>        Invalid mss '1000' specified.
>
>It appears that mss values less than 65536 are rejected, while values of 65536 
>or greater are accepted. Is this not the wrong way around?

Indeed. There is an uncommon coding pattern (compared to the rest of 
the iptables sources) in the function at hand. Patch below.

usually:
	if (!strtoui(...))
		you_fail;
	return ok;
libxt_tcpmss:
	if (strtoui(...))
		return ok;
	you_fail;

Pullable from the usual location at git://dev.medozas.de/iptables

Updating 6e70f46..ed7925b
Fast forward
 extensions/libxt_tcpmss.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

parent 6e70f46f2a146bb7c657f71724c999147a5925dc (v1.4.3.1)
commit ed7925b77010dd17531ea0424b49d2b72af4add9
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Tue Mar 24 22:26:25 2009 +0100

libxt_tcpmss: fix an inversion while parsing --mss

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_tcpmss.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index 43a4a0d..46529f9 100644
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -26,7 +26,7 @@ parse_tcp_mssvalue(const char *mssvalue)
 {
 	unsigned int mssvaluenum;
 
-	if (!xtables_strtoui(mssvalue, NULL, &mssvaluenum, 0, UINT16_MAX))
+	if (xtables_strtoui(mssvalue, NULL, &mssvaluenum, 0, UINT16_MAX))
 		return mssvaluenum;
 
 	xtables_error(PARAMETER_PROBLEM,
-- 
# Created with git-export-patch
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [ANNOUNCE]: Release of iptables-1.4.3.1

[Pablo Neira Ayuso]

Jan Engelhardt wrote:
> On Tuesday 2009-03-24 22:12, Steven Jan Springl wrote:
> 
>> Is there a problem with mss in this release?
>> If I specify rule:
>> -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT
>> I get error:
>>         Invalid mss '1000' specified.
>>
>> It appears that mss values less than 65536 are rejected, while values of 65536 
>> or greater are accepted. Is this not the wrong way around?
> 
> Indeed. There is an uncommon coding pattern (compared to the rest of 
> the iptables sources) in the function at hand. Patch below.
> 
> usually:
> 	if (!strtoui(...))
> 		you_fail;
> 	return ok;
> libxt_tcpmss:
> 	if (strtoui(...))
> 		return ok;
> 	you_fail;
> 
> Pullable from the usual location at git://dev.medozas.de/iptables
> 
> Updating 6e70f46..ed7925b
> Fast forward
>  extensions/libxt_tcpmss.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> parent 6e70f46f2a146bb7c657f71724c999147a5925dc (v1.4.3.1)
> commit ed7925b77010dd17531ea0424b49d2b72af4add9
> Author: Jan Engelhardt <jengelh@medozas.de>
> Date:   Tue Mar 24 22:26:25 2009 +0100
> 
> libxt_tcpmss: fix an inversion while parsing --mss
> 
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

Applied. Thanks. I guess that will have to release another 1.4.3.2 soon.
We needed more -rc before the final release I guess. I'm going to wait a
bit more to catch up more problems and then proceed.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [ANNOUNCE]: Release of iptables-1.4.3.1

[Gabor Z. Papp]

Hello,

trying to compile 1.4.3.1 on Linux 2.4.37:

make  all-recursive
make[1]: Entering directory `/home/gzp/src/iptables-1.4.3.1'
Making all in extensions
make[2]: Entering directory `/home/gzp/src/iptables-1.4.3.1/extensions'
  GEN      initext4.c
  CC       initext4.o
  CC       libxt_CLASSIFY.o
  CC       libxt_CONNMARK.o
  CC       libxt_CONNSECMARK.o
  CC       libxt_DSCP.o
  CC       libxt_MARK.o
  CC       libxt_NFLOG.o
  CC       libxt_NFQUEUE.o
  CC       libxt_NOTRACK.o
  CC       libxt_RATEEST.o
  CC       libxt_SECMARK.o
  CC       libxt_TCPMSS.o
  CC       libxt_TCPOPTSTRIP.o
  CC       libxt_TOS.o
  CC       libxt_TPROXY.o
  CC       libxt_TRACE.o
  CC       libxt_comment.o
  CC       libxt_connbytes.o
  CC       libxt_connlimit.o
  CC       libxt_connmark.o
  CC       libxt_conntrack.o
  CC       libxt_dscp.o
  CC       libxt_esp.o
  CC       libxt_hashlimit.o
  CC       libxt_helper.o
  CC       libxt_iprange.o
  CC       libxt_length.o
  CC       libxt_limit.o
  CC       libxt_mac.o
  CC       libxt_mark.o
  CC       libxt_multiport.o
  CC       libxt_owner.o
  CC       libxt_physdev.o
  CC       libxt_pkttype.o
  CC       libxt_quota.o
  CC       libxt_rateest.o
  CC       libxt_recent.o
  CC       libxt_sctp.o
  CC       libxt_socket.o
  CC       libxt_standard.o
  CC       libxt_state.o
  CC       libxt_statistic.o
  CC       libxt_string.o
  CC       libxt_tcp.o
  CC       libxt_tcpmss.o
  CC       libxt_time.o
  CC       libxt_tos.o
  CC       libxt_u32.o
  CC       libxt_udp.o
  CC       libipt_CLUSTERIP.o
  CC       libipt_DNAT.o
  CC       libipt_ECN.o
  CC       libipt_LOG.o
  CC       libipt_MASQUERADE.o
  CC       libipt_MIRROR.o
  CC       libipt_NETMAP.o
  CC       libipt_REDIRECT.o
  CC       libipt_REJECT.o
  CC       libipt_SAME.o
  CC       libipt_SET.o
  CC       libipt_SNAT.o
  CC       libipt_TTL.o
  CC       libipt_ULOG.o
  CC       libipt_addrtype.o
  CC       libipt_ah.o
  CC       libipt_ecn.o
  CC       libipt_icmp.o
  CC       libipt_policy.o
  CC       libipt_realm.o
  CC       libipt_set.o
  CC       libipt_ttl.o
  CC       libipt_unclean.o
  AR       libext4.a
  GEN      initext6.c
  CC       initext6.o
  CC       libip6t_HL.o
  CC       libip6t_LOG.o
  CC       libip6t_REJECT.o
  CC       libip6t_ah.o
  CC       libip6t_dst.o
  CC       libip6t_eui64.o
  CC       libip6t_frag.o
  CC       libip6t_hbh.o
  CC       libip6t_hl.o
  CC       libip6t_icmp6.o
  CC       libip6t_ipv6header.o
  CC       libip6t_mh.o
  CC       libip6t_policy.o
  CC       libip6t_rt.o
  AR       libext6.a
  GEN      matches4.man
  GEN      matches6.man
  GEN      targets4.man
  GEN      targets6.man
make[2]: Leaving directory `/home/gzp/src/iptables-1.4.3.1/extensions'
Making all in include
make[2]: Entering directory `/home/gzp/src/iptables-1.4.3.1/include'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/gzp/src/iptables-1.4.3.1/include'
Making all in libipq
make[2]: Entering directory `/home/gzp/src/iptables-1.4.3.1/libipq'
gcc -DHAVE_CONFIG_H -I. -I..    -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes 	-Winline -pipe 	-DXTABLES_LIBDIR=\"/pkg/lib/xtables\" -DXTABLES_INTERNAL -I../include -I../include -g -O2 -MT libipq.o -MD -MP -MF .deps/libipq.Tpo -c -o libipq.o libipq.c
In file included from libipq.c:36:
../include/linux/netfilter.h:51: error: expected specifier-qualifier-list before '__be32'
make[2]: *** [libipq.o] Error 1
make[2]: Leaving directory `/home/gzp/src/iptables-1.4.3.1/libipq'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/gzp/src/iptables-1.4.3.1'
make: *** [all] Error 2

[patch] iptables-1.4.3.1: unabled to restore ! -s 192.168.1.0/24 match

[Peter Volkov]

[-- Attachment #1.1: Type: text/plain, Size: 445 bytes --]

Hi. We've received bug report about broken ! -s 192.168.1.0/24 match:
http://bugs.gentoo.org/264089

Steps to reproduce:
iptables -A INPUT -i eth0 ! --src 192.168.1.0/24
iptables-save > ruleset
iptables-restore < ruleset
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

Patch in attachment is supposed to fix this issue. Please, if it's
correct, apply.

-- 
Peter.

[-- Attachment #1.2: iptables-1.4.3.1-src-save-restore.patch --]
[-- Type: text/x-patch, Size: 829 bytes --]

commit ba8b9d5559050b17da5562b8be21854289937b3e
Author: Peter Volkov <pva@gentoo.org>
Date:   Sat Apr 4 13:33:59 2009 +0400

    Fix save of negated match (! -s 192.168.1.0/24)
    
    iptables-restore unabled to restore ! -s 192.168.1.0/24 match saved by
    iptables-save. This patch fixes ordering of output issued by print_ip.
    Reported at http://bugs.gentoo.org/264089, thank Yar Odin for report.

diff --git a/iptables.c b/iptables.c
index 3449dec..fe43ab0 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1089,9 +1089,9 @@ static void print_ip(char *prefix, u_int32_t ip, u_int32_t mask, int invert)
 	if (!mask && !ip && !invert)
 		return;
 
-	printf("%s %s%u.%u.%u.%u",
-		prefix,
+	printf("%s%s %u.%u.%u.%u",
 		invert ? "! " : "",
+		prefix,
 		IP_PARTS(ip));
 
 	if (mask == 0xFFFFFFFFU) {

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [patch] iptables-1.4.3.1: unabled to restore ! -s 192.168.1.0/24 match

[Jan Engelhardt]

On Saturday 2009-04-04 11:50, Peter Volkov wrote:

>Hi. We've received bug report about broken ! -s 192.168.1.0/24 match:
>http://bugs.gentoo.org/264089

I combined your two patches, added the missing ip6 parts and used
the default iptables spacing idioms.


Pablo: This is available through the 'plus' branch at 
git://dev.medozas.de/iptables.


parent 9c0fa7d8c84dc2478bd36d31b328b697fbe4d0af (v1.4.3.1-7-g9c0fa7d)
commit b1d968c30dde563c2738fdacb723c18232fb5ccb
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Sat Apr 4 13:28:40 2009 +0200

iptables: print negation extrapositioned

This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.

Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |   12 ++++++------
 iptables.c  |   12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index 54366b0..35067f8 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1006,7 +1006,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
 	if (mask[0] == 0)
 		return;
 
-	printf("-%c %s", letter, invert ? "! " : "");
+	printf("%s-%c ", invert ? "! " : "", letter);
 
 	for (i = 0; i < IFNAMSIZ; i++) {
 		if (mask[i] != 0) {
@@ -1033,19 +1033,19 @@ static void print_proto(u_int16_t proto, int invert)
 
 		struct protoent *pent = getprotobynumber(proto);
 		if (pent) {
-			printf("-p %s%s ",
+			printf("%s-p %s ",
 			       invertstr, pent->p_name);
 			return;
 		}
 
 		for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
 			if (xtables_chain_protos[i].num == proto) {
-				printf("-p %s%s ",
+				printf("%s-p %s ",
 				       invertstr, xtables_chain_protos[i].name);
 				return;
 			}
 
-		printf("-p %s%u ", invertstr, proto);
+		printf("%s-p %u ", invertstr, proto);
 	}
 }
 
@@ -1081,9 +1081,9 @@ static void print_ip(char *prefix, const struct in6_addr *ip, const struct in6_a
 	if (l == 0 && !invert)
 		return;
 
-	printf("%s %s%s",
-		prefix,
+	printf("%s%s %s",
 		invert ? "! " : "",
+		prefix,
 		inet_ntop(AF_INET6, ip, buf, sizeof buf));
 
 	if (l == -1)
diff --git a/iptables.c b/iptables.c
index 3449dec..649baf4 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1006,18 +1006,18 @@ static void print_proto(u_int16_t proto, int invert)
 
 		struct protoent *pent = getprotobynumber(proto);
 		if (pent) {
-			printf("-p %s%s ", invertstr, pent->p_name);
+			printf("%s-p %s ", invertstr, pent->p_name);
 			return;
 		}
 
 		for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
 			if (xtables_chain_protos[i].num == proto) {
-				printf("-p %s%s ",
+				printf("%s-p %s ",
 				       invertstr, xtables_chain_protos[i].name);
 				return;
 			}
 
-		printf("-p %s%u ", invertstr, proto);
+		printf("%s-p %u ", invertstr, proto);
 	}
 }
 
@@ -1039,7 +1039,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
 	if (mask[0] == 0)
 		return;
 
-	printf("-%c %s", letter, invert ? "! " : "");
+	printf("%s-%c ", invert ? "! " : "", letter);
 
 	for (i = 0; i < IFNAMSIZ; i++) {
 		if (mask[i] != 0) {
@@ -1089,9 +1089,9 @@ static void print_ip(char *prefix, u_int32_t ip, u_int32_t mask, int invert)
 	if (!mask && !ip && !invert)
 		return;
 
-	printf("%s %s%u.%u.%u.%u",
-		prefix,
+	printf("%s%s %u.%u.%u.%u",
 		invert ? "! " : "",
+		prefix,
 		IP_PARTS(ip));
 
 	if (mask == 0xFFFFFFFFU) {
-- 
# Created with git-export-patch

Re: [patch] iptables-1.4.3.1: unabled to restore ! -s 192.168.1.0/24 match

[Pablo Neira Ayuso]

Jan Engelhardt wrote:
> On Saturday 2009-04-04 11:50, Peter Volkov wrote:
> 
>> Hi. We've received bug report about broken ! -s 192.168.1.0/24 match:
>> http://bugs.gentoo.org/264089
> 
> I combined your two patches, added the missing ip6 parts and used
> the default iptables spacing idioms.
> 
> Pablo: This is available through the 'plus' branch at 
> git://dev.medozas.de/iptables.

There's something in this pull that was not discussed at all:

commit a094eb0f2a57592b6f3cf42fdbb9d49fead2d57c
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Fri Apr 3 22:37:49 2009 +0200

    build: add configure option to disable ipv4 iptables

    This patch complements the previous one.

    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

I read the bugzilla log entry about the person who was requesting this.
This is fine but please, send more detailed reports on the changeset
that are in your tree.

Applied. Thanks Peter and Jan for the fixes.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [patch] iptables-1.4.3.1: unabled to restore ! -s 192.168.1.0/24 match

[Jan Engelhardt]

On Sunday 2009-04-05 12:23, Pablo Neira Ayuso wrote:
>Jan Engelhardt wrote:
>> On Saturday 2009-04-04 11:50, Peter Volkov wrote:
>> 
>>> Hi. We've received bug report about broken ! -s 192.168.1.0/24 match:
>>> http://bugs.gentoo.org/264089
>> 
>> I combined your two patches, added the missing ip6 parts and used
>> the default iptables spacing idioms.
>> 
>> Pablo: This is available through the 'plus' branch at 
>> git://dev.medozas.de/iptables.
>
>There's something in this pull that was not discussed at all:
>
>commit a094eb0f2a57592b6f3cf42fdbb9d49fead2d57c
>Author: Jan Engelhardt <jengelh@medozas.de>
>Date:   Fri Apr 3 22:37:49 2009 +0200
>
>    build: add configure option to disable ipv4 iptables

To my defense, this was previously posted at
http://marc.info/?l=netfilter-devel&m=123879253202869&w=2

It could have been a bit more detailed, I concur. Upping the
verbosity level by one on future pull requests.

>[...]
>This is fine but please, send more detailed reports on the changeset
>that are in your tree.

[patch] iptables-1.4.3.1: unabled to restore proto and iface negated matches

[Peter Volkov]

[-- Attachment #1.1: Type: text/plain, Size: 186 bytes --]

Hi. After previous fix I've reviewed sources a bit and found that
protocol and iface negated matches are broken in the same regard. Patch
in attachment fixes them too.

-- 
Peter.

[-- Attachment #1.2: iptables-1.4.3.1-proto-iface-save-restore.patch --]
[-- Type: text/x-patch, Size: 1603 bytes --]

commit a08db349d0be99a8ae8b4ab271489b42735f4404
Author: Peter Volkov <pva@gentoo.org>
Date:   Sat Apr 4 14:07:31 2009 +0400

    Fix restore of negated iface and proto matches
    
    Attemt to restore ruleset with ! -i iface or ! -p proto matches fail
    with the following error:
    
    Using intrapositioned negation (`--option ! this`) is deprecated in
    favor of extrapositioned (`! --option this`).
    
    This patch fixes this issue.

diff --git a/iptables.c b/iptables.c
index fe43ab0..392981f 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1002,22 +1002,22 @@ static void print_proto(u_int16_t proto, int invert)
 {
 	if (proto) {
 		unsigned int i;
-		const char *invertstr = invert ? "! " : "";
+		const char *invertstr = invert ? "!" : "";
 
 		struct protoent *pent = getprotobynumber(proto);
 		if (pent) {
-			printf("-p %s%s ", invertstr, pent->p_name);
+			printf("%s -p %s ", invertstr, pent->p_name);
 			return;
 		}
 
 		for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
 			if (xtables_chain_protos[i].num == proto) {
-				printf("-p %s%s ",
+				printf("%s -p %s ",
 				       invertstr, xtables_chain_protos[i].name);
 				return;
 			}
 
-		printf("-p %s%u ", invertstr, proto);
+		printf("%s -p %u ", invertstr, proto);
 	}
 }
 
@@ -1039,7 +1039,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
 	if (mask[0] == 0)
 		return;
 
-	printf("-%c %s", letter, invert ? "! " : "");
+	printf("%s -%c ", invert ? "!" : "", letter);
 
 	for (i = 0; i < IFNAMSIZ; i++) {
 		if (mask[i] != 0) {

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Negation bug.

[Steven Jan Springl]

If the following iptables rule is entered:

-A FORWARD  -p 6  -m conntrack  ! --ctorigdst 4.3.2.2  -j ACCEPT

If an iptables-save is then issued, the rule is listed but the "!" is missing.

Steven.

Re: Negation bug.

[Jan Engelhardt]

On Saturday 2009-04-04 22:00, Steven Jan Springl wrote:

>If the following iptables rule is entered:
>
>-A FORWARD  -p 6  -m conntrack  ! --ctorigdst 4.3.2.2  -j ACCEPT
>
>If an iptables-save is then issued, the rule is listed but the "!" is missing.

I added the following fix to the 'plus' branch, pending inclusion
(git://dev.medozas.de/iptables plus)

Thanks for the report!


parent c9ccba543b52cb443f110670420967ac6a41c302 (v1.4.3.1-12-gc9ccba5)
commit 093d5fc9d1826b8f0ccfbb3160c98a3c844d0273
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Sun Apr 5 00:05:30 2009 +0200

libxt_conntrack: properly output negation symbol

Because the wrong flag was checked, the "!" was either wrongly
printed, or not printed at all.
This was broken since v1.4.0-29-ga8ad34c.

Reported-by: Steven Jan Springl <steven@springl.ukfsn.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_conntrack.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index a3fcafc..358b255 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -910,7 +910,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
 	}
 
 	if (info->match_flags & XT_CONNTRACK_ORIGSRC) {
-		if (info->invert_flags & XT_CONNTRACK_PROTO)
+		if (info->invert_flags & XT_CONNTRACK_ORIGSRC)
 			printf("! ");
 		printf("%sctorigsrc ", prefix);
 		conntrack_dump_addr(&info->origsrc_addr, &info->origsrc_mask,
@@ -918,7 +918,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
 	}
 
 	if (info->match_flags & XT_CONNTRACK_ORIGDST) {
-		if (info->invert_flags & XT_CONNTRACK_PROTO)
+		if (info->invert_flags & XT_CONNTRACK_ORIGDST)
 			printf("! ");
 		printf("%sctorigdst ", prefix);
 		conntrack_dump_addr(&info->origdst_addr, &info->origdst_mask,
@@ -926,7 +926,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
 	}
 
 	if (info->match_flags & XT_CONNTRACK_REPLSRC) {
-		if (info->invert_flags & XT_CONNTRACK_PROTO)
+		if (info->invert_flags & XT_CONNTRACK_REPLSRC)
 			printf("! ");
 		printf("%sctreplsrc ", prefix);
 		conntrack_dump_addr(&info->replsrc_addr, &info->replsrc_mask,
@@ -934,7 +934,7 @@ conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
 	}
 
 	if (info->match_flags & XT_CONNTRACK_REPLDST) {
-		if (info->invert_flags & XT_CONNTRACK_PROTO)
+		if (info->invert_flags & XT_CONNTRACK_REPLDST)
 			printf("! ");
 		printf("%sctrepldst ", prefix);
 		conntrack_dump_addr(&info->repldst_addr, &info->repldst_mask,
-- 
# Created with git-export-patch