* June 11 iptables pull
@ 2009-06-11 11:11 Jan Engelhardt
From: Jan Engelhardt @ 2009-06-11 11:11 UTC
To: kaber; +Cc: netfilter-devel
Hi,
a couple more fixes to the iptables proper. Please pull from
the "stable" branch at
git://dev.medozas.de/iptables stable
to receive
Frank Tobin (1):
libxt_tcp: fix a manpage syntax typo
Ian Bruce (1):
libxt_tcp: manpage corrections and suggestions
Jan Engelhardt (2):
iptables: close open file descriptors
manpages: markup corrections
kd6lvw (1):
libxt_connlimit: initialize v6_mask
extensions/libxt_TCPMSS.man | 5 ++---
extensions/libxt_TPROXY.man | 2 +-
extensions/libxt_cluster.man | 38 +++++++++++++++++++-------------------
extensions/libxt_connlimit.c | 4 +++-
extensions/libxt_connlimit.man | 2 +-
extensions/libxt_recent.man | 4 ++--
extensions/libxt_tcp.man | 6 +++---
ip6tables-restore.c | 2 ++
ip6tables-save.c | 1 +
iptables-restore.c | 2 ++
iptables-save.c | 1 +
iptables-xml.c | 2 ++
12 files changed, 39 insertions(+), 30 deletions(-)
* [PATCH 1/5] libxt_tcp: fix a manpage syntax typo
From: Jan Engelhardt @ 2009-06-11 11:11 UTC
To: kaber; +Cc: netfilter-devel
From: Frank Tobin <ftobin+netfilter@neverending.org>
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_tcp.man | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man
index 8f39cdb..0a99cdf 100644
--- a/extensions/libxt_tcp.man
+++ b/extensions/libxt_tcp.man
@@ -12,7 +12,7 @@ The flag
\fB\-\-sport\fP
is a convenient alias for this option.
.TP
-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB,\fP\fIport\fP]
+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
Destination port or port range specification. The flag
\fB\-\-dport\fP
is a convenient alias for this option.
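Review bot: the separator change is right, and it also brings the `--dport` synopsis in line with the `:` range separator that the `--sport` entry uses; the old comma read as a list of two ports rather than an inclusive range. The body line `Destination port or port range specification.` still says nothing about how a range is written, so a short pointer such as `See \fB\-\-source\-port\fP for the range syntax.` after it would save readers from scrolling up to the other entry.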
--
1.6.3.1
* [PATCH 2/5] libxt_tcp: manpage corrections and suggestions
From: Jan Engelhardt @ 2009-06-11 11:11 UTC
To: kaber; +Cc: netfilter-devel
From: Ian Bruce <ian_bruce@fastmail.net>
The commit corrects some minor errors in the iptables(8) man page,
related to port ranges in the "tcp" module.
Reference: http://bugs.debian.org/531677
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_tcp.man | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man
index 0a99cdf..7a16118 100644
--- a/extensions/libxt_tcp.man
+++ b/extensions/libxt_tcp.man
@@ -4,10 +4,10 @@ provides the following options:
[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
Source port or port range specification. This can either be a service
name or a port number. An inclusive range can also be specified,
-using the format \fIport\fP\fB:\fP\fIport\fP.
+using the format \fIfirst\fP\fB:\fP\fIlast\fP.
If the first port is omitted, "0" is assumed; if the last is omitted,
"65535" is assumed.
-If the second port is greater than the first they will be swapped.
+If the first port is greater than the second one they will be swapped.
The flag
\fB\-\-sport\fP
is a convenient alias for this option.
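Review bot: the synopsis line `[\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]` is left untouched, so it still names both ends `port` while the body now speaks of `first` and `last`, and it does not show the `:last` form that the "If the first port is omitted" sentence allows. Renaming the synopsis placeholders to `\fIfirst\fP` and `\fIlast\fP` in the same hunk would keep the two in step. The corrected swap sentence is the substantive fix: it now matches the `first:last` wording instead of contradicting it.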
--
1.6.3.1
* [PATCH 3/5] libxt_connlimit: initialize v6_mask
From: Jan Engelhardt @ 2009-06-11 11:11 UTC
To: kaber; +Cc: netfilter-devel
From: kd6lvw <kd6lvw@yahoo.com>
When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the
code uses a left shift on v6_mask[n]. This requires v6_mask to be
filled with all one-bits beforehand, but this initialization was not
done.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=597
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_connlimit.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index f001a2e..403e7e6 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -26,7 +26,9 @@ static const struct option connlimit_opts[] = {
static void connlimit_init(struct xt_entry_match *match)
{
struct xt_connlimit_info *info = (void *)match->data;
- info->v4_mask = 0xFFFFFFFFUL;
+
+ /* This will also initialize the v4 mask correctly */
+ memset(info->v6_mask, 0xFF, sizeof(info->v6_mask));
}
static void prefix_to_netmask(u_int32_t *mask, unsigned int prefix_len)
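Review bot: the new comment `This will also initialize the v4 mask correctly` is only true if `v4_mask` overlays the first word of `v6_mask`, but nothing in this hunk shows that, and the explicit `info->v4_mask = 0xFFFFFFFFUL;` assignment is being deleted. Say in the comment that the two masks share storage in `struct xt_connlimit_info`; otherwise the next reader sees the IPv4 initialisation vanish and suspects a regression on that path. Also confirm `<string.h>` is already included in this file, since `memset` is new here. The bug being fixed deserves a sentence too: with `v6_mask` left uninitialised, the shift-based prefix conversion operates on garbage bits, so connections get counted under a mask the administrator never asked for and the limit applies to the wrong set of addresses.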
--
1.6.3.1
* [PATCH 4/5] iptables: close open file descriptors
From: Jan Engelhardt @ 2009-06-11 11:11 UTC
To: kaber; +Cc: netfilter-devel
Just for correctness, close some file descriptors that were opened.
(E.g. ip6tables-save reading from procfs files.)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
ip6tables-restore.c | 2 ++
ip6tables-save.c | 1 +
iptables-restore.c | 2 ++
iptables-save.c | 1 +
iptables-xml.c | 2 ++
5 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 1d5efea..06a82ae 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -454,5 +454,7 @@ int main(int argc, char *argv[])
exit(1);
}
+ if (in != NULL)
+ fclose(in);
return 0;
}
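Review bot: the `in != NULL` guard only tells us that `in` can be unset at this point; the hunk does not show where `in` is opened, so it is not visible whether the alternative is `stdin` or a failed open. If `in` defaults to `stdin` when no file argument is given, `in != stdin` would express the actual invariant better (closing `stdin` right before exit is harmless, but the test should say what it means). A one-line comment on when `in` is NULL would make the intent obvious to the next reader.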
diff --git a/ip6tables-save.c b/ip6tables-save.c
index 97205c1..c59608f 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -54,6 +54,7 @@ static int for_each_table(int (*func)(const char *tablename))
ret &= func(tablename);
}
+ fclose(procfile);
return ret;
}
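Review bot: this one is a real leak rather than a cosmetic one, since `for_each_table` is a function rather than the tail of `main`, so the `procfile` handle would otherwise outlive the call. The hunk only shows the fall-through path after the loop; if the loop body above has an early `return` (not visible here), that path still leaks `procfile` and needs the same `fclose`.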
diff --git a/iptables-restore.c b/iptables-restore.c
index 2a797cc..5108fda 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -459,5 +459,7 @@ main(int argc, char *argv[])
exit(1);
}
+ if (in != NULL)
+ fclose(in);
return 0;
}
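Review bot: this is the same two-line change as in `ip6tables-restore.c`, so the same question applies: the hunk does not show how `in` is assigned, and if `stdin` is the fallback when no file is named, `in != stdin` would be the more precise guard. The two restore binaries are clearly evolving in lock-step, so whatever comment explains the NULL case in one should be mirrored in the other.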
diff --git a/iptables-save.c b/iptables-save.c
index 6000b49..f63ee6b 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -52,6 +52,7 @@ static int for_each_table(int (*func)(const char *tablename))
ret &= func(tablename);
}
+ fclose(procfile);
return ret;
}
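Review bot: correct for the path shown, and the same shape as the `ip6tables-save.c` hunk; the visible lines end with the normal fall-through after the loop, so it is worth checking that no early `return` inside the loop bypasses the new `fclose(procfile)`.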
diff --git a/iptables-xml.c b/iptables-xml.c
index e5d1941..daf4208 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -870,6 +870,8 @@ main(int argc, char *argv[])
exit(1);
}
+ if (in != NULL)
+ fclose(in);
printf("</iptables-rules>\n");
free_argv();
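Review bot: closing `in` before the trailing `</iptables-rules>` tag is printed is fine, since the input has been fully consumed by then, but in the two restore binaries the equivalent `fclose` sits immediately before `return 0;`. Placing it after the `printf` and `free_argv()` here would keep the three files structurally identical and make future side-by-side diffs easier to read. As in the restore hunks, the `in != NULL` test deserves a comment stating when `in` can be NULL.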
--
1.6.3.1
* [PATCH 5/5] manpages: markup corrections
From: Jan Engelhardt @ 2009-06-11 11:11 UTC
To: kaber; +Cc: netfilter-devel
The manpage of xt_cluster and xt_recent had some unclosed tags.
Backslashes in commands are also not wanted because manpages are
freeform, automatically-wrapped text.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_TCPMSS.man | 5 ++---
extensions/libxt_TPROXY.man | 2 +-
extensions/libxt_cluster.man | 38 +++++++++++++++++++-------------------
extensions/libxt_connlimit.man | 2 +-
extensions/libxt_recent.man | 4 ++--
5 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man
index 675fc5e..dbab918 100644
--- a/extensions/libxt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -29,10 +29,9 @@ ssh works fine, but scp hangs after initial handshaking.
.PD
Workaround: activate this option and add a rule to your firewall
configuration like:
-.nf
- iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN \\
+.IP
+ iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
\-j TCPMSS \-\-clamp\-mss\-to\-pmtu
-.fi
.TP
\fB\-\-set\-mss\fP \fIvalue\fP
Explicitly set MSS option to specified value.
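Review bot: the added line `+ iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN` keeps a leading blank before `iptables`. Inside the old `.nf`/`.fi` block that indent was harmless, but once the text is back in fill mode under `.IP`, a leading space on an input line forces a break and is copied into the output. Drop the blank so the two physical lines fill into one paragraph as intended. Note also that the removed `\\` was a literal backslash (the escaped form), i.e. the shell continuation marker, not roff syntax; with it gone the rendered example relies on the reader recognising that the wrapped text is one command.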
diff --git a/extensions/libxt_TPROXY.man b/extensions/libxt_TPROXY.man
index c087ebf..0129f84 100644
--- a/extensions/libxt_TPROXY.man
+++ b/extensions/libxt_TPROXY.man
@@ -13,7 +13,7 @@ rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.
\fB\-\-on\-ip\fP \fIaddress\fP
This specifies a destination address to use. By default the address is the IP
address of the incoming interface. This is only valid if the rule also
-specifies \fB\-p tcp\fP or \fP\-p udp\fP.
+specifies \fB\-p tcp\fP or \fB\-p udp\fP.
.TP
\fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
Marks packets with the given value/mask. The fwmark value set here can be used
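Review bot: correct fix, and worth knowing why it mattered: `\fP` means "previous font", so `\fP\-p udp\fP` popped back instead of switching to bold, and `\-p udp` rendered in whatever font happened to be current. The hunk header shows the same sentence once more above with the right markup (`rule also specifies \fB\-p tcp\fP or \fB\-p udp\fP.`), so the two entries now agree.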
diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man
index 6081be1..62ad71c 100644
--- a/extensions/libxt_cluster.man
+++ b/extensions/libxt_cluster.man
@@ -4,35 +4,35 @@ need of load-balancers.
This match requires that all the nodes see the same packets. Thus, the cluster
match decides if this node has to handle a packet given the following options:
.TP
-\fB\-\-cluster\-total\-nodes \fInum\fP
+\fB\-\-cluster\-total\-nodes\fP \fInum\fP
Set number of total nodes in cluster.
.TP
-[\fB!\fP] \fB\-\-cluster\-local\-node \fInum\fP
+[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
Set the local node number ID.
.TP
-[\fB!\fP] \fB\-\-cluster\-local\-nodemask \fImask\fP
+[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
Set the local node number ID mask. You can use this option instead
-of \fB\-\-cluster\-local\-node.
+of \fB\-\-cluster\-local\-node\fP.
.TP
-\fB\-\-cluster\-hash\-seed \fIvalue\fP
+\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
Set seed value of the Jenkins hash.
.PP
Example:
.IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster \
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \
-\-\-cluster\-hash\-seed 0xdeadbeef \
+iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK \-\-set-mark 0xffff
.IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \
-\-\-cluster\-hash\-seed 0xdeadbeef \
+iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
\-j MARK -\-set\-mark 0xffff
.IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \
+iptables \-A PREROUTING \-t mangle \-i eth1
\-m mark ! \-\-mark 0xffff \-j DROP
.IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \
+iptables \-A PREROUTING \-t mangle \-i eth2
\-m mark ! \-\-mark 0xffff \-j DROP
.PP
And the following commands to make all nodes see the same packets:
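Review bot: the `\fP` closures on the four option tags are the real fix here; each `\fB...\fI` line left bold open across the description that followed. Removing the trailing `\` from the `.IP` example blocks is behaviour-neutral (a trailing backslash is a roff line continuation, and `.IP` text is filled anyway), so those lines change only for readability. While they are being retyped, normalise the dash escaping: the context lines `\-j MARK \-\-set-mark 0xffff` (eth1 example) and `\-j MARK -\-set\-mark 0xffff` (eth2 example) mix `-` and `\-`, and a plain `-` renders as a typographic hyphen that does not survive copy-paste as the ASCII minus the command needs.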
@@ -41,18 +41,18 @@ ip maddr add 01:00:5e:00:01:01 dev eth1
.IP
ip maddr add 01:00:5e:00:01:02 dev eth2
.IP
-arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 \
+arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
.IP
-arptables \-A INPUT \-i eth1 \-\-h-length 6 \
-\-\-destination-mac 01:00:5e:00:01:01 \
+arptables \-A INPUT \-i eth1 \-\-h-length 6
+\-\-destination-mac 01:00:5e:00:01:01
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.IP
-arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 \
+arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
.IP
-arptables \-A INPUT \-i eth2 \-\-h\-length 6 \
-\-\-destination\-mac 01:00:5e:00:01:02 \
+arptables \-A INPUT \-i eth2 \-\-h\-length 6
+\-\-destination\-mac 01:00:5e:00:01:02
\-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
.PP
In the case of TCP connections, pickup facility has to be disabled
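Review bot: the rewritten lines `+arptables \-A INPUT \-i eth1 \-\-h-length 6` and `+\-\-destination-mac 01:00:5e:00:01:01` still carry unescaped hyphens in the option names, while the parallel eth2 block a few lines down spells them `\-\-h\-length` and `\-\-destination\-mac`. Since these lines are being changed anyway, escape them the same way; the eth1 `OUTPUT` rule's context line `\-\-mangle-mac-s` has the same problem (the eth2 one reads `\-\-mangle\-mac\-s`). Left mixed, the first block renders with typographic hyphens that break when pasted into a shell, which is exactly the kind of silent rule error a markup sweep should remove.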
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index eb0832a..c85d768 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -21,7 +21,7 @@ network (24 bit netmask)
iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
\-\-connlimit\-mask 24 \-j REJECT
.TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
+# limit the number of parallel HTTP requests to 16 for the link local network
(ipv6)
ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
16 \-\-connlimit\-mask 64 \-j REJECT
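Review bot: this hunk is not a pure cleanup. A trailing `\` in roff source is a line continuation, so the removed backslash was joining `(ipv6)` onto the `.TP` tag line `# limit the number of parallel HTTP requests to 16 for the link local network`. Without it the tag ends at `network` and `(ipv6)` becomes the first word of the indented body, followed by the `ip6tables` command. Either keep the continuation here (it was doing markup work, not shell work) or move `(ipv6)` onto the same physical line as the rest of the comment. The IPv4 comment above, visible in the hunk header as `network (24 bit netmask)`, shows the intended single-line layout.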
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index e03d8ec..9d5a64e 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -33,12 +33,12 @@ Check if the source address of the packet is currently in the list and if so
that address will be removed from the list and the rule will return true. If
the address is not found, false is returned.
.TP
-[\fB!\fR] \fB\-\-seconds \fIseconds\fP
+[\fB!\fR] \fB\-\-seconds\fP \fIseconds\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
-[\fB!\fR] \fB\-\-hitcount \fIhits\fP
+[\fB!\fR] \fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and packets had been received greater than or equal to
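Review bot: the missing `\fP` after `\-\-seconds` and `\-\-hitcount` is correctly added; without it `\fI` switched straight from bold to italic and the following `\fP` returned to bold rather than roman, so the description kept the wrong font. The `[\fB!\fR]` prefix on the same lines uses `\fR` (explicit roman) whereas the cluster man page touched in this same patch uses `[\fB!\fP]`; both render the same here, but settling on one form across the extensions would make the next markup sweep simpler.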
--
1.6.3.1
* Re: June 11 iptables pull
From: Patrick McHardy @ 2009-06-11 15:57 UTC
To: Jan Engelhardt; +Cc: netfilter-devel
Jan Engelhardt wrote:
> a couple more fixes to the iptables proper. Please pull from
> the "stable" branch at
> git://dev.medozas.de/iptables stable
Pulled and pushed out again, thanks Jan.